2. Introduction to Information Security: Hot Security Issues 2010
• Social networks (Web 2.0) are becoming popular
– Facebook, 4sq, twitter, ...
• Problems
– Identity theft
– Reduced work productivity
– Ethical and legal problems
June 2010 Security Awareness 2
3. Phishing
From: <USbank-Notification-Urgecq@UsBank.com>
To: …
Subject: USBank.com Account Update URGEgb
Date: Thu, 13 May 2004 17:56:45 -0500
USBank.com
Dear US Bank Customer,
During our regular update and verification of the Internet Banking Accounts, we
could not verify your current information. Either your information has been
changed or incomplete, as a result your access to use our services has been
limited. Please update your information.
To update your account information and start using our services please click on
the link below:
http://www.usbank.com/internetBanking/RequestRouter?requestCmdId=DisplayLoginPage
Note: Requests for information will be initiated by US Bank Business Development;
this process cannot be externally requested through Customer Support.
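An added example (not part of the original deck) that runs a few defender-side heuristics over the sample message above; the keyword lists, regexes and threshold are illustrative assumptions, not a production mail filter.

```python
# Added example (not from the original deck): defender-side heuristics scored
# against the phishing sample on the slide. The keyword lists, the regexes and
# the threshold are illustrative assumptions, not a production mail filter.
import email
import re

# The slide's sample message, transcribed as a constructed raw e-mail.
SAMPLE_MAIL = """From: <USbank-Notification-Urgecq@UsBank.com>
To: customer@example.invalid
Subject: USBank.com Account Update URGEgb

Dear US Bank Customer,
During our regular update and verification of the Internet Banking Accounts, we
could not verify your current information. Either your information has been
changed or incomplete, as a result your access to use our services has been
limited. Please update your information.
To update your account information and start using our services please click on
the link below:
http://www.usbank.com/internetBanking/RequestRouter?requestCmdId=DisplayLoginPage
"""

URGENCY_WORDS = ("urgent", "limited", "verify", "update your", "suspend")
GENERIC_GREETINGS = ("dear customer", "dear us bank customer", "dear user")
# Crude test for filter-evasion noise such as the "URGEgb" token in the subject.
NOISE_TOKEN = re.compile(r"\b[A-Z]{4,}[a-z]{2,}\b")
# A link that leads straight to a login page is typical of credential phishing.
LOGIN_LINK = re.compile(r"https?://\S*login\S*", re.IGNORECASE)


def phishing_indicators(raw_mail: str) -> list:
    """Return the names of the indicators that fire on a raw RFC 822 message."""
    msg = email.message_from_string(raw_mail)
    subject = msg.get("Subject", "")
    body = msg.get_payload()  # plain, non-multipart body as a str
    text = (subject + "\n" + body).lower()
    hits = []
    if any(word in text for word in URGENCY_WORDS):
        hits.append("urgency_language")
    if any(greeting in text for greeting in GENERIC_GREETINGS):
        hits.append("generic_greeting")
    if NOISE_TOKEN.search(subject):
        hits.append("noise_token_in_subject")
    if LOGIN_LINK.search(body):
        hits.append("link_to_login_page")
    return hits


def is_suspicious(raw_mail: str, threshold: int = 3) -> bool:
    """Flag the mail when at least `threshold` indicators fire (assumed cut-off)."""
    return len(phishing_indicators(raw_mail)) >= threshold
```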
4. Security 2010: regulatory
• Regulatory compliance
– ISO 27000 (series), SOX, Basel II, ...
– Bank Indonesia regulations (Peraturan Bank Indonesia, PBI) for banking
5. Security 2010: environment
• Dependence on IT systems keeps increasing
– Availability is becoming more and more important
– Natural disasters, human disruption, terrorists, ...
– Risk analysis, business impact analysis, business continuity planning, ...
6. Security 2010: technology
• Device trend
– Smaller
– Portable
– Wireless
• How do we limit their use?
• There are risks in their use
7. Security 2010: human
• The main problem is still: people!
– Social engineering is still easy to carry out
– Phishing is still a threat
– Not following the rules (not changing passwords, passwords that are too easy to guess, sharing passwords, ...)
8. Type of Fraud Experienced During the Prior 12 Months (Percentages)
(chart from the KPMG survey)
9. Insiders!
• The 1999 Computer Security Institute (CSI) / FBI Computer Crime Survey showed some interesting statistics; for example, it showed that "disgruntled workers" (insiders) are a potential source of attack / abuse.
http://www.gocsi.com
Disgruntled workers 86%
Independent hackers 74%
US competitors 53%
Foreign corporation 30%
Foreign government 21%
10. Virus, Worm, Malware
11. Spam
• E-mail containing junk (mostly advertising)
• Consumes network bandwidth, disk space, and employees' time
• Spam harms business
12. Security Lifecycle
13. Security Aspects
• Confidentiality
• Integrity
• Availability
• Authentication
• Non-repudiation
14. Confidentiality
• Protection of sensitive [private] data
– Name, place and date of birth, religion, hobbies, past illnesses, marital status, names of family members, ...
– Customer data. Customer protection must be taken into account
– Trade secrets
– Very sensitive in e-commerce, healthcare
• Attacks: sniffer (eavesdropper), keylogger (keystroke logger), social engineering, unclear policies
• Protection: firewall, cryptography / encryption, segregation of duties, network segmentation, policies
15. Integrity
• Information is not changed without authorization
– (tampered, altered, modified)
• Attacks:
– Spoofing (forgery), viruses (modifying files), man-in-the-middle attack
• Protection:
– message authentication code (MAC), (digital) signature, (digital) certificate, hash function, logging
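An added example (not from the deck) showing why the slide lists a MAC alongside a hash function: a bare hash catches accidental corruption, but only a keyed MAC also catches deliberate tampering. The key and the records are constructed demo values.

```python
# Added example (not from the deck): why the slide lists a MAC alongside a hash
# function. A bare hash catches accidental corruption, but an attacker who can
# edit a record can recompute it; an HMAC needs the secret key, which the
# attacker does not have. Key and records below are constructed demo values.
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: shared secret

def protect_with_hash(record: bytes) -> bytes:
    """Bare SHA-256 digest stored next to the record."""
    return hashlib.sha256(record).digest()

def hash_check_passes(record: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(protect_with_hash(record), digest)

def protect_with_mac(record: bytes, key: bytes) -> bytes:
    """HMAC-SHA256 tag; only holders of the key can produce a valid one."""
    return hmac.new(key, record, hashlib.sha256).digest()

def verify_mac(record: bytes, key: bytes, tag: bytes) -> bool:
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(protect_with_mac(record, key), tag)

def integrity_demo() -> dict:
    """Compare both protections against corruption and deliberate tampering."""
    original = b"transfer Rp 25000000 to account 123"  # constructed record
    digest = protect_with_hash(original)
    tag = protect_with_mac(original, SECRET_KEY)
    # Accidental corruption: flip one bit, keep the stored digest and tag.
    corrupted = original[:-1] + bytes([original[-1] ^ 0x01])
    # Deliberate tampering: the attacker rewrites the record and, because the
    # hash needs no secret, also rewrites the stored digest to match.
    forged = b"transfer Rp 99000000 to account 999"
    forged_digest = protect_with_hash(forged)
    return {
        "hash_catches_corruption": not hash_check_passes(corrupted, digest),
        "mac_catches_corruption": not verify_mac(corrupted, SECRET_KEY, tag),
        "hash_catches_tampering": not hash_check_passes(forged, forged_digest),
        # The old tag does not cover the forged record, and no new tag can be
        # computed without SECRET_KEY, so the forgery is rejected.
        "mac_catches_tampering": not verify_mac(forged, SECRET_KEY, tag),
    }
```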
17. Availability
• Information must be available when needed
– Attacks on servers: made to hang, go down, crash, or slow down
– Cost when a (transaction) web server goes down in Indonesia
• Bringing it back up: Rp 25 million
• (Tangible) losses incurred: Rp 300 million
• Attack: Denial of Service (DoS) attack
• Protection: backup, redundancy, DRC, BCP, firewall to protect against attacks
18. Authentication
• Assuring the authenticity of data, the source of the data, the person accessing the data, and the server being used
– How do we recognize a customer in an Internet-based service? Lack of physical contact
– Using:
what you have (identity card)
what you know (password, PIN)
what you are (biometric identity)
Claimant is at a particular place (and time)
Authentication is established by a trusted third party
• Attacks: forged identity, forged password, fake terminal, fake web site
• Protection: digital certificates
20. Capturing a PIN with a wireless camera
21. Non-repudiation
• Cannot deny (having made a transaction)
– Using digital signatures / certificates
– Legal provisions exist (that a digital signature is equivalent to a conventional signature)
22. IT Security Framework
23. Security Culture
• Security must become part of our habits
– Locking the doors of our house and vehicles
– Leaving the computer locked (screen lock)
– Not leaving valuables lying around the house
– Getting used to clearing the desk (clean desk)