The development of information technology in the 21st century has made it practical for modern society to carry out various electronic communication activities in fields such as education and banking. Electronic business activity of this kind is known as e-commerce. With information technology, especially wide computer networks such as the internet, goods and services can be promoted on a global scale. Prospective customers are also given facilities that let them access and buy the intended products and services conveniently, for example credit card services. This development has also brought with it a negative impact in terms of security. Crime in computer networks occurs often and causes public unrest, such as theft of passwords and credit card secret numbers. As a result, the security of computer networks and of their use is crucial.
There are attack techniques based on the sounds produced by equipment such as PC keyboards. By distinguishing the sounds emitted, this method can find out which keys were pressed. In further applications it can be applied to notebook computers, telephones, and ATM machines. Attacks using this method are inexpensive and indirect. They are inexpensive because, apart from an additional computer, all it takes is a parabolic microphone. They are called indirect because they do not require a direct physical attack on the system: the sound can be recorded using additional equipment. According to G. J. Simons, information security is how we can prevent fraud (cheating) or, at least, detect fraud in an information-based system, where the information itself has no physical meaning. In addition, information system security can be interpreted as the policies, procedures, and technical measures used to prevent unauthorized access, program changes, theft, or physical damage to information systems. Security for information technology can be improved by using techniques and equipment to secure computer hardware and software, communication networks, and data.
Internet network security is security management that aims to prevent, overcome, and protect various information systems from the risk of illegal actions such as unauthorized use, intrusion, and destruction of the information held. Risks to information system security include two main things, namely threats to information system security and information system security weaknesses. These problems in turn have an impact on 6 main things in the information system, namely:
To guarantee this, the security of the information system must be evaluated properly. The criteria that need to be considered in information system security cover 10 security domains that need attention:
- Access control system used
- Telecommunications and networks used
- Management practices in use
- Development of the application system used
- Cryptography that is applied
- Architecture of the information system applied
- Existing operations
- Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)
- Legal needs, forms of investigation, and codes of ethics applied
- The physical layout of the existing system
From these domains, we can classify information system security issues based on the threats to and weaknesses of the system.
An information system security threat is an action, occurring either inside or outside the system, that can upset the balance of the information system. Threats to information security come from individuals, organizations, mechanisms, or events that have the potential to cause damage to information sources. A threat can be internal, coming from within the company, or external, coming from outside the company. Threats can also occur intentionally or unintentionally. Threats have so far only been discussed among academics. Not many people understand the threats to the security of their information systems. Society recognizes technology and cyberspace crimes only when there has been an “attack”. One thing that needs to be conveyed when discussing system security with the public is to introduce “threats” first and then introduce “attacks”. It is important to know that an attack begins with a threat, and there will be no attack before the threat. Attacks can be minimized if the threat has been predicted and prepared for in advance, or calculated in advance through risk assessment methods. There are several methods used in classifying threats, one of which is the STRIDE method. STRIDE stands for:
- Spoofing: using access rights or accessing the system with another person’s identity.
- Tampering: changing the data in the database without having access rights.
- Repudiation: making a system or database intentionally wrong, deliberately inserting bugs, or including certain viruses in the application so that it can be used to access the system at any time.
- Information disclosure: opening or reading information without having access rights, or reading something without authorization.
- Denial of service: making a system stop working or become unusable by others.
- Elevation of privilege: misusing the authority possessed to access a system for personal interests.
A real-world example of a threat: if someone is known to carry a sharp weapon wherever he goes, that person can be said to be a threat to others. Likewise, when someone is found carrying a T key in his pocket, it can be concluded that the person is a threat to others who own motorized vehicles. In the world of system security and information technology, a person can be said to be a potential threat if he has the following:
- High authority to log into a system.
- Access rights (passwords) of someone else, which he has learned from various sources.
- A large collection of tools to hack a system and expertise in that field.
- People who build a system can also be a threat to the system.
The most well-known threat in information system security is the virus. A virus is a computer program that can replicate itself without the user’s knowledge. Threats in information systems are attacks that can appear on the system used. An attack can be interpreted as “actions taken by using certain methods and techniques with a variety of tools that are needed in accordance with the needs that are adapted to the object of a particular attack using both directed and random attacks”. Attacks against a network system are commonly known among practitioners as penetration. In the study of system security, a great many diverse attack techniques are known, each with its own nature and characteristics. Attack techniques are increasingly sophisticated and are very difficult to predict and detect.
The broad set of concepts and the basis for information system security procedures are:
The broad set of concepts and basis for information system security procedures are :
- Information security systems are the business and responsibility of all employees
- Determination of the owner of the information system
- Security measures must comply with regulations and laws
- Anticipate mistakes
- Access to the system must be based on functional requirements
- Only business data that the company deals with is allowed to be processed in the information system
- Work carried out by third parties
- Separation of activities between system developers, system operations, and end users of information systems
- Implementation of new systems or requests for changes to existing systems must go through strict control through the acceptance of system procedures and change requests
- The system to be developed must be in accordance with the standard system development methods carried out by the organization
- The user is fully responsible for all activities carried out using his identity code (user-ID)