
Layered Security

[Diagram] Customer (with authentication device) -> Internet -> Firewall (protects access to the web server) -> Web server(s) -> Internet banking gateway -> Firewall (protects access to SQL) -> core banking applications. An IDS monitors the path to detect intrusions.

Jan 2005

INTRODUCTION TO SECURITY

Example Implementation:
Osaka Bank


Comprehensive Security
Must be comprehensive - a holistic approach
PEOPLE: awareness, skill, ...
PROCESS: security as part of the business process, ...
TECHNOLOGY: implementation, ...

IT SECURITY FRAMEWORK

ANATOMY OF A HACK

Columns: The Objective / The Methodology / The Techniques / The Tools

Footprinting
  Methodology: Target address range, name space acquisition, and information gathering are essential to a surgical attack. The key here is not to miss any details.
  Techniques: Open source search; whois; Web interface to whois; ARIN whois; DNS zone transfer
  Tools: USENet, search engines, Edgar; Any UNIX client; http://www.networksolutions.com/whois; http://www.arin.net/whois; dig, nslookup ls -d, Sam Spade

Scanning
  Methodology: Bulk target assessment and identification of listening services focuses the attacker's attention on the most promising avenues of entry.
  Techniques: Ping sweep; TCP/UDP port scan; OS Detection
  Tools: fping, icmpenum, WS_Ping ProPack; nmap, SuperScan, fscan; Nmap, queso, siphon

Enumeration
  Methodology: More intrusive probing now begins as attackers begin identifying valid user accounts or poorly protected resource shares.
  Techniques: List user accounts; List file shares; Identify applications
  Tools: null sessions, DumpACL, sid2user, OnSite Admin; showmount, NAT, Legion; banner grabbing with telnet or netcat, rpcinfo

Gaining access
  Methodology: Enough data has been gathered at this point to make an informed attempt to access the target.
  Techniques: Password eavesdropping; File share brute forcing; Password file grab; Buffer overflows
  Tools: tcpdump, L0phtcrack readsmb; NAT, legion; tftp, pwdump2 (NT); ttdb, bind, IIS .HTR/ISM.DLL

Escalating privilege
  Methodology: If only user-level access was obtained in the last step, the attacker will now seek to gain complete control of the system.
  Techniques: Password cracking; Known exploits
  Tools: john, L0phtcrack; lc_messages, getadmin, sechole

Pilfering
  Methodology: The information-gathering process begins again to identify mechanisms to gain access to trusted systems.
  Techniques: Evaluate trusts; Search for cleartext passwords
  Tools: rhosts, LSA Secrets; user data, configuration files, Registry

Covering tracks
  Methodology: Once total ownership of the target is secured, hiding this fact from system administrators becomes paramount, lest they quickly end the romp.
  Techniques: Clear logs; Hide tools
  Tools: zap, Event Log GUI; rootkits, file streaming

Creating back doors
  Methodology: Trap doors will be laid in various parts of the system to ensure that privileged access is easily regained at the whim of the intruder.
  Techniques: Create rogue user accounts; Schedule batch jobs; Infect startup files; Plant remote control services; Install monitoring mechanisms; Replace apps with Trojans
  Tools: members of wheel, Administrators; cron, AT; rc, Startup folder, Registry keys; netcat, remote.exe, VNC, BO2K; keystroke loggers, add acct. to secadmin mail aliases; login, fpnwclnt.dll

Denial of Service
  Methodology: If an attacker is unsuccessful in gaining access, they may use readily available exploit code to disable a target as a last resort.
  Techniques: SYN flood; ICMP techniques; Identical src/dst SYN requests; Overlapping fragment/offset bugs; Out of bounds TCP options (OOB); DDoS
  Tools: synk4; ping of death, smurf; land, latierra; teardrop, bonk, newtear; supernuke.exe; trinoo/TFN/stacheldraht

Studying Crackers
Study:
the behaviour of the attackers
Who are they?
What are their motives?
How do they get in?
What do they do once they are in?

Tools: honeypot, honeynet

Crackers' SOP / Methodology

From Hacking Exposed:
Target acquisition and information gathering
Initial access
Privilege escalation
Covering tracks
Install backdoor
If all else fails, launch a DoS attack

More on Interruption Attack (cont.)
Distributed Denial of Service (DDoS) attack
Flood your network with spoofed packets from many sources
Based on the SubSeven trojan, which phones home via IRC once installed on a machine. The attacker knows how many agents are ready to attack.
Then, ready to exhaust your bandwidth
See Steve Gibson's paper at http://grc.com

Cryptographic Technology
Use of encryption (cryptography) to improve security
Private key vs public key
Examples: DES, IDEA, RSA, ECC
More detail will be given in a separate section

Modification Attack
Modify, change information/programs
Examples: viruses, trojans, attached to e-mail or web sites
Protection: anti-virus, filtering at the mail server, integrity checker (e.g. Tripwire)

Fabrication Attack
Spoofing addresses is easy
Examples:
Fake mails: a virus sends e-mails from fake users (often combined with a DoS attack)
Spoofed packets

Tools: various packet construction kits

Protection: filter outgoing packets at the router

Interruption Attack
Denial of Service (DoS) attack
Exhausts bandwidth, network flooding
Allows a spoofed originating address
Tools: ping broadcast, smurf, synk4, macof, various flood utilities

Protection:
Difficult once we are already under attack
Filter outgoing packets at the router; filter attacks originating from our own site

Interception Attack
Sniffer to capture passwords and other sensitive information
Tools: tcpdump, ngrep, Linux sniffer, dsniff, trojans (BO, Netbus, SubSeven)
Protection: segmentation, switched hub, promiscuous-mode detection (anti-sniff)

Access Control
Mechanism to regulate who may do what
usually uses passwords, tokens
classes / classifications of users and data, for example:
Public
Private
Confidential
Top Secret

Types of Attack

According to W. Stallings:
Interruption: DoS attack, network flooding
Interception: password sniffing
Modification: virus, trojan horse
Fabrication: spoofed packets

Availability
Information must be available when it is needed
Attacks on servers: made to hang, go down, crash, or slow down
Cost when a (transaction) web server goes down in Indonesia:
Bringing it back up: Rp 25 million
(Tangible) loss incurred: Rp 300 million

Attack: Denial of Service (DoS) attack

Protection: backup, redundancy, DRC, BCP, IDS, filtering router, firewall to protect against attacks

Non-repudiation
Cannot deny (having performed a transaction)
uses digital signatures / certificates
requires legal arrangements (that a digital signature is equivalent to a conventional signature)

On the Internet nobody knows you're a dog

Integrated Authentication
Too many authentications: confusing

Integrity
Information is not changed without authorization (tampered, altered, modified)
Attacks:
spoofing (forgery), viruses (which modify files), trojan horses, man-in-the-middle attacks

Protection:
message authentication code (MAC), (digital) signature, (digital) certificate, hash function
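An added example, not from the original slides, showing why the slide lists a MAC alongside a plain hash function against man-in-the-middle modification: a bare digest can be recomputed by whoever alters the message, whereas an HMAC needs the shared key. It uses Python's standard hmac and hashlib modules; the key, transfer message and forgery are constructed for the demonstration.

```python
import hashlib
import hmac

def hash_tag(msg: bytes) -> str:
    """Unkeyed integrity tag: anyone, including an attacker, can compute it."""
    return hashlib.sha256(msg).hexdigest()

def mac_tag(key: bytes, msg: bytes) -> str:
    """Keyed tag (HMAC-SHA256): only holders of the shared key can produce it."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify(expected: str, received: str) -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(expected, received)

def run_mac_demo() -> dict:
    """Constructed scenario: a man-in-the-middle alters a transfer order in transit."""
    key = b"constructed-shared-secret"  # known to the customer and the bank only
    msg = b"transfer:from=A;to=B;amount=100"
    forged = msg.replace(b"amount=100", b"amount=9999")

    # Plain hash: the attacker recomputes the digest over the forged message,
    # so the receiver's check passes and the tampering goes unnoticed.
    attacker_tag = hash_tag(forged)
    hash_ok = verify(hash_tag(forged), attacker_tag)

    # MAC: without the key the attacker can only replay the original tag,
    # which no longer matches the forged message, so the receiver rejects it.
    original_tag = mac_tag(key, msg)
    mac_ok = verify(mac_tag(key, forged), original_tag)

    return {
        "hash_accepts_forgery": hash_ok,
        "mac_accepts_forgery": mac_ok,
        "mac_accepts_original": verify(mac_tag(key, msg), original_tag),
    }

if __name__ == "__main__":
    print(run_mac_demo())
```

A MAC proves the message came from a key holder but not which one, which is why the slide lists digital signatures separately for non-repudiation.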

Authentication
Ensuring the authenticity of data, of the data source, of the person accessing the data, and of the server used
How do we recognize a bank customer in an Internet Banking service? Lack of physical contact
Using:
1. what you have (identity card)
2. what you know (password, PIN)
3. what you are (biometric identity)
4. Claimant is at a particular place (and time)
5. Authentication is established by a trusted third party

Attacks: fake identity, fake password, fake terminal, fake web site
Protection: digital certificates

Security Aspects / Services (Security Control)

Privacy / confidentiality
Integrity
Authentication
Availability
Non-repudiation
Access control

Privacy / confidentiality
Protection of sensitive [personal] data
Name, place and date of birth, religion, hobbies, past illnesses, marital status, names of family members, names of parents
Customer data. Customer protection must be taken into account
Very sensitive in e-commerce and healthcare

Attacks: sniffer (eavesdropper), keylogger (keystroke logger), social engineering, unclear policies
Protection: firewall, cryptography / encryption, policy
Electronic Privacy Information Center http://www.epic.org
Electronic Frontier Foundation http://www.eff.org

Classification by System Element
Network security
focuses on the channel (medium) carrying the information

Application security
focuses on the application itself, including the database

Computer security
focuses on the security of the computer (end system), including the operating system (OS)

Location of potential security holes

[Diagram] Users -> Network (sniffed, attacked) -> ISP -> Internet -> Network (sniffed, attacked) -> Network (sniffed, attacked) -> Web Site www.bank.co.id
On the user side: Trojan horse capturing userid, password, PIN, credit card #
On the web site: Holes 1. System (OS), 2. Network, 3. Applications (db)
- Applications (database, web server) hacked
- OS hacked

Security Principles

Classification of Information System Security
[according to David Icove]

Physical security
People / personnel security
Data, media, communication techniques
Policy and procedures

People usually focus on the problems of data, media and communication techniques. Yet policy is very important!
