IntroductiontoInformationSecurity

BudiRahardjobudi@indocisc.com

IntroductiontoInformationSecurity HotSecurityIssues2010

• Mulaipopulernyasocialnetwork(web2.0)– Facebook,4sq,twitter,...

• Masalah– Pencurianidentitas(identitytheft)– Penurunanproduktivitaskerja– Masalahetikadanlegal

Juni2010 SecurityAwareness 2

IntroductiontoInformationSecurity

Phishing

Juni2010

SecurityAwareness 3

From: <USbank-Notification-Urgecq@UsBank.com> To: … Subject: USBank.com Account Update URGEgb Date: Thu, 13 May 2004 17:56:45 -0500

USBank.com Dear US Bank Customer, During our regular update and verification of the Internet Banking Accounts, we could not verify your current information. Either your information has been changed or incomplete, as a result your access to use our services has been limited. Please update your information.

To update your account information and start using our services please click on the link below: http://www.usbank.com/internetBanking/RequestRouter?requestCmdId=DisplayLoginPage

Note: Requests for information will be initiated by US Bank Business Development; this process cannot be externally requested through Customer Support.

IntroductiontoInformationSecurity Security2010:regulatory

•  Kepatuhankepadaperaturan(regulatorycompliance)– ISO27000(series),SOX,BaselII,...– PeraturanBankIndonesia(PBI)untukPerbankan

Juni2010 SecurityAwareness 4

IntroductiontoInformationSecurity Security2010:environment

•  KetergantungankepadasistemITmakinmeningkat– Masalahavailabilitymenjadisemakinpenting– Becanaalam,gangguanmanusia,teroris,...– Riskanalysis,businessimpactanalysis,businesscontinuityplanning,...

Juni2010 SecurityAwareness 5

IntroductiontoInformationSecurity

Security2010:technology

•  Devicetrend– Smaller– Portable– Wireless

•  Bagaimanamembatasipenggunaannya?

•  Adarisikodalampenggunaannya

Juni2010

SecurityAwareness 6

IntroductiontoInformationSecurity Security2010:human

• Masalahutamatetap:manusia!– Socialengineeringmasihmudahdilakukan– Phishingmasihmerupakanancaman– Tidakmematuhiaturan(tidakmengubahpassword,passwordterlalumudahditebak,berbagipassword,...)

Juni2010 SecurityAwareness 7

IntroductiontoInformationSecurity

TypeofFraudExperiencedDuringthePrior12Months(Percentages)

Juni2010

SecurityAwareness 8

KPMGsurvey

IntroductiontoInformationSecurity OrangDalam!

•  1999 Computer Security Institute (CSI) / FBI Computer Crime Survey menunjukkan beberapa statistik yang menarik, seperti misalnya ditunjukkan bahwa “disgruntled worker” (orang dalam) merupakan potensi attack / abuse. http://www.gocsi.com

Juni2010 SecurityAwareness 9

Disgruntled workers 86% Independent hackers 74% US competitors 53% Foreign corporation 30% Foreign government 21%

IntroductiontoInformationSecurity

Juni2010

SecurityAwareness 10

VirusWorm

Malware

IntroductiontoInformationSecurity Spam

•  Emailyangberisisampah(umumnyaiklan)• Menghabiskanjaringan,disk,waktupekerja•  Spammerugikanbisnis

Juni2010 SecurityAwareness 11

IntroductiontoInformationSecurity SecurityLifecycle

Juni2010

SecurityAwareness 12

IntroductiontoInformationSecurity AspekKeamanan

• Con`identiality•  Integrity• Availability

• Authetication• Non‐repudiation

Juni2010 SecurityAwareness 13

IntroductiontoInformationSecurity Con`identiality

•  Proteksidata[hakpribadi]yangsensitif–  Nama,tempattanggallahir,agama,hobby,penyakityangpernahdiderita,statusperkawinan,namaanggotakeluarga,...

–  Datapelanggan.Customerprotectionharusdiperhatikan–  Tradesecrets–  Sangatsensitifdalame‐commerce,healthcare

•  Serangan:sniffer(penyadap),keylogger(penyadapkunci),socialengineering,kebijakanyangtidakjelas

•  Proteksi:`irewall,kriptogra`i/enkripsi,segregationofduties,segementasijaringan,kebijakan

Juni2010 SecurityAwareness 14

IntroductiontoInformationSecurity Integrity

•  Informasitidakberubahtanpaijin– (tampered,altered,modi9ied)

•  Serangan:– Spoof(pemalsuan),virus(mengubahberkas),man­in­the­middleattack

•  Proteksi:– messageauthenticationcode(MAC),(digital)signature,(digital)certi`icate,hashfunction,logging

Juni2010 SecurityAwareness 15

IntroductiontoInformationSecurity KPU2004

SecurityAwareness 16

IntroductiontoInformationSecurity Availability

•  Informasiharusdapattersediaketikadibutuhkan– Seranganterhadapserver:dibuathang,down,crash,lambat

– Biayajikaserverweb(transaction)downdiIndonesia•  Menghidupkankembali:Rp25juta•  Kerugian(tangible)yangditimbulkan:Rp300juta

•  Serangan:DenialofService(DoS)attack•  Proteksi:backup,redundancy,DRC,BCP,`irewalluntukproteksiserangan

Juni2010 SecurityAwareness 17

IntroductiontoInformationSecurity Authentication

•  Meyakinkankeasliandata,sumberdata,orangyangmengaksesdata,serveryangdigunakan–  Bagaimanamengenalinasabahpadaservisberbasis

Internet?Lackofphysicalcontact–  Menggunakan:

whatyouhave(identitycard)whatyouknow(password,PIN)whatyouare(biometricidentity)Claimantisataparticularplace(andtime)Authenticationisestablishedbyatrustedthirdparty

•  Serangan:identitaspalsu,passwordpalsu,terminalpalsu,situswebgadungan

•  Proteksi:digitalcerti`icates

Juni2010 SecurityAwareness 18

IntroductiontoInformationSecurity KejahatanATM

•  MesinATMbiasa? •  Perhatikanlebihbaik:skimmer

SecurityAwareness 19

IntroductiontoInformationSecurity

Juni2010

SecurityAwareness 20

Menyadap PIN dengan wireless camera

IntroductiontoInformationSecurity Non‐repudiation

•  Tidakdapatmenyangkal(telahmelakukantransaksi)– Menggunakandigitalsignature/certi`icates– Adanyapengaturanmasalahhukum(bahwadigitalsignaturesamasepertitandatangankonvensional)

Juni2010 SecurityAwareness 21

IntroductiontoInformationSecurity

ITSecurityFrameworkJuni2010

SecurityAwareness 22

IntroductiontoInformationSecurity SecurityCulture

•  Keamananharusmenjadibagiandarikebiasaankita– Menguncipinturumah,kendaraan– Meninggalkankomputerdalamkeadaanterkunci(screenlock)

– Tidakmembiarkanbarangberhargaberserakandirumah

– Membiasakanmembersikanmejakerja(cleandesk)

Juni2010 SecurityAwareness 23