INTRODUCTION TO SECURITY
Jan 2005

Example implementation: Osaka Bank
[Figure: network diagram of the implementation. Customer (with authentication device) -> Internet -> Firewall (protects access to the web server) -> Internet banking web server(s) -> Firewall (protects the access gateway to SQL) -> core banking applications. An IDS detects intrusions.]
Comprehensive security
Security must be comprehensive: a holistic approach
- PEOPLE: awareness, skill, ...
- PROCESS: security as part of the business process, ...
- TECHNOLOGY: implementation, ...
IT SECURITY FRAMEWORK
ANATOMY OF A HACK

Step | Description | Techniques | Tools
--- | --- | --- | ---
Footprinting | Target address range, name space acquisition, and information gathering are essential to a surgical attack. The key here is not to miss any details. | |
Scanning | Bulk target assessment and identification of listening services focuses the attacker's attention on the most promising avenues of entry. | Ping sweep; TCP/UDP port scan; OS detection |
Enumeration | More intrusive probing now begins as attackers begin identifying valid user accounts or poorly protected resource shares. | | null sessions, DumpACL, sid2user, OnSite Admin, showmount, NAT, Legion, banner grabbing with telnet or netcat, rpcinfo
Gaining access | Enough data has been gathered at this point to make an informed attempt to access the target. | Password eavesdropping; File share brute forcing; Password file grab; Buffer overflows | tcpdump, L0phtcrack readsmb, NAT, legion, tftp, pwdump2 (NT), ttdb, bind, IIS .HTR/ISM.DLL
Escalating privilege | If only user-level access was obtained in the last step, the attacker will now seek to gain complete control of the system. | Password cracking; Known exploits |
Pilfering | The information-gathering process begins again to identify mechanisms to gain access to trusted systems. | |
Covering tracks | Once total ownership of the target is secured, hiding this fact from system administrators becomes paramount, lest they quickly end the romp. | Clear logs; Hide tools |
Creating back doors | Trap doors will be laid in various parts of the system to ensure that privileged access is easily regained at the whim of the intruder. | |
Denial of Service | | SYN flood; ICMP techniques; Identical src/dst SYN requests; Overlapping fragment/offset bugs; Out of bounds TCP options (OOB); DDoS |
Studying crackers
Study:
- The behaviour of the attackers
- Who are they?
- What is their motive?
- How do they get in?
- What do they do once they are in?
Cryptographic technology
- Use of encryption (cryptography) to improve security
- Private key vs public key
- Examples: DES, IDEA, RSA, ECC
- Explained in more detail in a separate section
Modification Attack
- Modify or change information/programs
- Examples: viruses and trojans, attached to email or web sites
- Protection: anti-virus, filtering at the mail server, integrity checker (e.g. tripwire)
Fabrication Attack
- Spoofing an address is easy
- Examples:
  - Fake mails: a virus sends emails from fake users (often combined with a DoS attack)
  - Spoofed packets
Interruption Attack
- Denial of Service (DoS) attack
- Exhausts bandwidth; network flooding
- Allows a spoofed originating address
- Tools: ping broadcast, smurf, synk4, macof, various flood utilities
- Protection:
  - Hard once we are already under attack
  - Filter outgoing packets at the router; filter attacks originating from our own site
Interception Attack
- Sniffer to capture passwords and other sensitive information
- Tools: tcpdump, ngrep, linux sniffer, dsniff, trojans (BO, Netbus, Subseven)
- Protection: segmentation, switched hub, promiscuous-mode detection (anti sniff)
Access Control
- Mechanism to regulate who may do what
- Usually uses a password or token
- Users and data are divided into classes / classifications, for example:
  - Public
  - Private
  - Confidential
  - Top Secret
- Interception: password sniffing
- Modification: virus, trojan horse
- Fabrication: spoofed packets
Availability
- Information must be available when it is needed
- Attacks on the server: made to hang, go down, crash, or slow down
- Cost when a (transaction) web server goes down in Indonesia:
  - Bringing it back up: Rp 25 million
  - Tangible loss caused: Rp 300 million
Non-repudiation
- Cannot deny (having carried out a transaction)
- Uses digital signatures / certificates
- Requires legal arrangements (that a digital signature is equivalent to a conventional signature)
Integrated authentication
Too many authentications: confusing
Integrity
- Information does not change without permission (tampered, altered, modified)
- Attacks: spoofing (forgery), viruses (modifying files), trojan horses, man-in-the-middle attacks
- Protection: message authentication code (MAC), (digital) signature, (digital) certificate, hash function
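As an added example (not from the lecture slides), the following Python shows two of the integrity protections the slide lists: a message authentication code (HMAC-SHA256) over a transaction message, contrasted with an unkeyed hash under a man-in-the-middle rewrite, and a tripwire-style hash baseline that detects a trojaned file. The key, the messages and the file contents are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo key shared by sender and receiver; a real deployment
# provisions it out of band and never sends it with the message.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def make_mac(key: bytes, message: bytes) -> str:
    """Message authentication code: HMAC-SHA256 over the message, hex encoded."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, message: bytes, tag: str) -> bool:
    """Recompute the tag and compare in constant time to avoid timing leaks."""
    return hmac.compare_digest(make_mac(key, message), tag)


def verify_plain_hash(message: bytes, digest: str) -> bool:
    """Unkeyed hash check, for contrast: anyone can recompute it."""
    return hmac.compare_digest(hashlib.sha256(message).hexdigest(), digest)


def take_baseline(files: dict) -> dict:
    """Tripwire-style baseline: one SHA-256 digest per path. Keep it read-only
    and off the monitored host, or an attacker simply re-baselines after tampering."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def check_integrity(base: dict, files: dict) -> dict:
    """Compare the current file set with the baseline and report every deviation."""
    now = take_baseline(files)
    return {
        "modified": sorted(p for p in base if p in now and now[p] != base[p]),
        "missing": sorted(p for p in base if p not in now),
        "added": sorted(p for p in now if p not in base),
    }


def mitm_demo() -> dict:
    """A man-in-the-middle rewrites the amount. The unkeyed digest can be
    recomputed by the attacker and still 'verifies'; the keyed MAC cannot be forged."""
    original = b"transfer 100 to account 123"
    tampered = b"transfer 1000 to account 123"
    tag = make_mac(SHARED_KEY, original)
    attacker_digest = hashlib.sha256(tampered).hexdigest()  # attacker recomputes
    return {
        "mac_accepts_original": verify_mac(SHARED_KEY, original, tag),
        "mac_accepts_tampered": verify_mac(SHARED_KEY, tampered, tag),
        "plain_hash_accepts_tampered": verify_plain_hash(tampered, attacker_digest),
    }


def tripwire_demo() -> dict:
    """Constructed 'file system' before and after a trojan is dropped in."""
    clean = {"/bin/login": b"login v1.0", "/etc/passwd": b"root:x:0:0"}
    base = take_baseline(clean)
    infected = {
        "/bin/login": b"login v1.0 + backdoor",  # trojaned binary
        "/etc/passwd": b"root:x:0:0",
        "/tmp/.hidden": b"dropped tool",          # new file
    }
    return check_integrity(base, infected)


if __name__ == "__main__":
    print(mitm_demo())
    print(tripwire_demo())
```

The point of the contrast: a hash alone only detects accidental corruption, because whoever can change the data can also recompute the hash; detecting deliberate modification needs either a secret (MAC) or a baseline the attacker cannot rewrite.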
Authentication
- Verify the authenticity of data, the data source, the person accessing the data, and the server being used
- How do you recognise a bank customer on an Internet banking service? Lack of physical contact
- Using:
  1. what you have (identity card)
  2. what you know (password, PIN)
  3. what you are (biometric identity)
  4. the claimant is at a particular place (and time)
  5. authentication is established by a trusted third party
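As an added example (not from the slides), this Python combines factor 2, "what you know", with factor 1, "what you have", the way an Internet banking login with an authentication device does: a salted PBKDF2 password hash plus an event-based one-time password computed with the HOTP algorithm of RFC 4226. The account name, password and window size are constructed; the token secret is the RFC 4226 test-vector secret, so the generated codes can be checked against the RFC's published values.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt=None) -> tuple:
    """Factor 'what you know': store only a salted, slow hash of the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Factor 'what you have': RFC 4226 HOTP, the code a hardware token displays."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def register(store: dict, username: str, password: str, token_secret: bytes) -> None:
    salt, digest = hash_password(password)
    store[username] = {"salt": salt, "digest": digest,
                       "token_secret": token_secret, "counter": 0}


def authenticate(store: dict, username: str, password: str, otp: str, window: int = 3) -> bool:
    """Accept only when both factors check out. The counter advances past an
    accepted code so the same OTP cannot be replayed by someone who sniffed it."""
    acct = store.get(username)
    if acct is None:
        # Spend the same time as a real check so unknown users are not distinguishable.
        hash_password(password, b"\x00" * 16)
        return False
    if not verify_password(password, acct["salt"], acct["digest"]):
        return False
    # A small look-ahead window tolerates the user pressing the token button a few times.
    for c in range(acct["counter"], acct["counter"] + window):
        if hmac.compare_digest(hotp(acct["token_secret"], c), otp):
            acct["counter"] = c + 1
            return True
    return False


# Constructed demo data; the token secret is the RFC 4226 test-vector secret.
RFC4226_SECRET = b"12345678901234567890"


def demo() -> list:
    store = {}
    register(store, "alice", "correct horse battery staple", RFC4226_SECRET)
    return [
        authenticate(store, "alice", "correct horse battery staple", "755224"),   # counter 0
        authenticate(store, "alice", "correct horse battery staple", "755224"),   # replay
        authenticate(store, "alice", "wrong password", "287082"),                 # bad factor 2
        authenticate(store, "alice", "correct horse battery staple", "287082"),   # counter 1
        authenticate(store, "mallory", "anything", "359152"),                     # unknown user
    ]


if __name__ == "__main__":
    print(demo())
```

A sniffed password alone (the interception attack above) is not enough here, and a sniffed one-time code is rejected on replay because the counter has already moved past it.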
- Privacy / confidentiality
- Integrity
- Authentication
- Availability
- Non-repudiation
- Access control
Privacy / confidentiality
- Protection of sensitive [personal] data
- Name, place and date of birth, religion, hobbies, past illnesses, marital status, names of family members, parents' names
- Customer data: customer protection must be attended to
- Very sensitive in e-commerce and healthcare
Application security
- focuses on the application itself, including the database
Computer security
- focuses on the security of the computer (end system), including the operating system (OS)
Holes
[Figure: where security holes occur on the path from the Users through the ISP and the Internet to the bank's Web Site (www.bank.co.id) and its Network, System (OS) and Applications (db).]
1. Network: sniffed, attacked (on both the ISP side and the bank side)
2. System (OS): OS hacked
3. Applications (database, Web server): hacked
On the user side: a Trojan horse capturing Userid, Password, PIN, credit card #
Security Principles
People usually focus on the problems of data, media, and communication techniques. Yet policy is very important!