FINAL PROJECT
SECURITY TESTING USING THE OSSTMM METHOD ON THE
INSTITUT TEKNOLOGI TELKOM PURWOKERTO WEBSITE
EDY SURMANA PUTRA TARIGAN
14102058
BACHELOR'S (S1) PROGRAM IN INFORMATICS
FACULTY OF INDUSTRIAL TECHNOLOGY AND INFORMATICS
INSTITUT TEKNOLOGI TELKOM PURWOKERTO
2018
SECURITY TESTING USING OSSTMM METHOD AT
INSTITUT TEKNOLOGI TELKOM PURWOKERTO WEB
Submitted as One of the Requirements for Obtaining the Degree of Bachelor of Computer Science
PREFACE
All praise and thanks the author offers to God Almighty for His grace and for all the
blessings He has poured out on the author, so that the author was able to complete this
research proposal report well.
The author would like to thank directly those who have helped in this research,
among others:
1. The Lord Jesus Christ, who has given His best plan to the author.
2. Mr. Dr. Ali Rokhman, M.Si., M.Kom, as Head of Institut Teknologi
Telkom Purwokerto.
3. Mr. Muhammad Fajar Sidiq, S.T., M.T. and Mr. Ipam Fuaddina Adam,
S.T., M.Kom., as the supervising lecturers assigned to direct and guide the
author in writing this thesis.
4. Mr. Muhammad Zidny Naf’an, Lc., M.Kom, as Head of the Informatics
Engineering Study Program of Institut Teknologi Telkom Purwokerto.
5. My beloved mother, who has given many prayers and much support so that
I could complete this report.
6. Evi, Elisabet, Grace, Nancy, Kadut, Opek and my friends at Perumahan
Griya Safira, who gave support, suggestions and prayers that helped me in
preparing this final project proposal.
Purwokerto, 13 August 2018
Edy Surmana Putra Tarigan
TABLE OF CONTENTS
TITLE PAGE ..... i
SUPERVISOR APPROVAL PAGE ..... iii
EXAMINER APPOINTMENT PAGE ..... iv
STATEMENT OF ORIGINALITY PAGE ..... v
PREFACE ..... vi
ABSTRACT (INDONESIAN) ..... vii
ABSTRACT ..... viii
TABLE OF CONTENTS ..... ix
LIST OF FIGURES ..... xi
LIST OF TABLES ..... xii
CHAPTER I INTRODUCTION ..... 1
1.1 Background ..... 1
1.2 Problem Statement ..... 2
1.3 Research Objectives ..... 3
1.4 Scope and Limitations ..... 3
CHAPTER II LITERATURE REVIEW ..... 4
2.1 Previous Research ..... 4
2.2 Theoretical Basis ..... 9
2.2.1 Information Systems ..... 9
2.2.2 Website ..... 9
2.2.3 Information Security ..... 9
2.2.4 Security Testing ..... 10
2.2.5 Risk Management ..... 10
2.2.6 Open Source Security Testing Methodology Manual (OSSTMM) ..... 10
2.2.6.1 Risk Assessment Value (RAV) ..... 12
2.2.6.2 Security Testing Audit Report (STAR) ..... 17
CHAPTER III RESEARCH METHODOLOGY ..... 18
3.1 Research Method ..... 18
3.1.1 Literature Study ..... 19
3.1.2 Data Collection ..... 19
3.1.3 Data Analysis ..... 19
3.1.4 Design of the OSSTMM Method ..... 19
3.1.5 Method Testing ..... 21
3.1.6 Analysis of Results ..... 22
3.1.7 Report Writing ..... 22
3.1.8 Publication ..... 22
CHAPTER IV TEST RESULTS AND ANALYSIS ..... 23
4.1 Test Results ..... 23
4.1.1 Interview ..... 23
4.1.2 OSSTMM Analysis ..... 23
4.1.3 Manual RAV Calculation ..... 34
4.2 Recommendations ..... 41
CHAPTER V CONCLUSION ..... 59
5.1 Conclusions ..... 59
5.2 Suggestions ..... 59
BIBLIOGRAPHY ..... 60
LIST OF FIGURES
Figure 2.1 RAV Categories ..... 12
Figure 2.2 Formula for the Limitations Category ..... 16
Figure 3.1 Stages of the Research Method ..... 18
Figure 3.2 Stages of the OSSTMM Method ..... 20
Figure 4.1 nmap Test Results over a Public Network ..... 26
Figure 4.2 Test Results of Brute Force Technique 1 ..... 27
Figure 4.3 Test Results of Brute Force Technique 2 ..... 28
Figure 4.4 Test Results of Brute Force Technique 3 ..... 28
Figure 4.5 Test Results of Brute Force Technique 4 ..... 29
Figure 4.6 Test Results of Brute Force Technique 5 ..... 29
Figure 4.7 IP ID Sequence Generation Test Results ..... 30
Figure 4.8 nikto Test Results for the Anti-clickjacking X-Frame-Options Header ..... 32
Figure 4.9 nikto OSVDB Test Results ..... 32
Figure 4.10 OWASP ZAP Test Results for Cross Site Scripting ..... 33
Figure 4.11 OWASP ZAP Test Results for Cookies ..... 33
Figure 4.12 RAV Value ..... 39
Figure 4.13 STAR Audit Reporting ..... 40
LIST OF TABLES
Table 2.1 Comparison of References ..... 6
Table 2.2 Risk Assessment Value (RAV) Scores ..... 12
Table 4.1 Visibility Summary ..... 25
Table 4.2 Access Summary ..... 25
Table 4.3 Authentication Summary ..... 26
Table 4.4 Non-Repudiation Summary ..... 30
Table 4.5 Confidentiality Summary ..... 30
Table 4.6 Vulnerability Summary ..... 31
Table 4.7 Weakness Summary ..... 34
Table 4.8 Concern Summary ..... 34
Table 4.9 Posture Review ..... 42
Table 4.10 Logistics ..... 43
Table 4.11 Active Detection Verification ..... 44
Table 4.12 Visibility Audit ..... 44
Table 4.13 Access Verification ..... 45
Table 4.14 Trust Verification ..... 45
Table 4.15 Controls Verification ..... 47
Table 4.16 Process Verification ..... 48
Table 4.17 Configuration and Training Verification ..... 49
Table 4.18 Property Validation ..... 50
Table 4.19 Segregation Review ..... 50
Table 4.20 Exposure Verification ..... 51
Table 4.21 Competitive Intelligence Scouting ..... 53
Table 4.22 Quarantine Verification ..... 54
Table 4.23 Privileges Audit ..... 55
Table 4.24 Survivability Validation and Service Continuity ..... 57
Table 4.25 End Survey, Alert and Log Review ..... 57