Bahan presentasi utama Track 1C pada Seminar Nasional Internal Audit 2015 di Solo 14-16 April 2015 Hotel Sunan Solo. Bahan dikembangkan dari hasil studi CSX ISACA dan intinya pernah dipresentasikan pada Cyber Resilience in Financial Institution di Singapur 9-11 Maret 2015 di Hilton Hotel Singapur. Tautan video berisi demo hacking oleh Yoko Acc ada di slide presentasi. Inti presentasi adalah semua jaringan data dapat ditembus selanjutnya CSX ISACA memperkenalkan PIRT (Prepare, Investigate, Respond dan Transform) dalam kajian berjudul Transforming Cybersecurity using COBIT 5. Konsep Three lines of defence diterangkan dalam beberapa konteks dari studi ISACA, a.l. Securing Mobile Devices, Transforming Cybersecurity using COBIT 5 dan Cobit 5 for Risk. Conoth tersebut memberikan ilustrasi untuk Komite Audit, Komisaris, para direktur dan Tim Manajemen Risiko untuk memahami dan menerakan risiko dan kontrol dalam kontek perusahaan atau instansi masing-masing.

1. TRANSFORMINGCYBERSECURITY,RISKANDCONTROL
FOREVOLVINGTHREATS
Sarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM
Cybersecurity Nexus Liaison
ISACA, Indonesia
Seminar Nasional Internal Audit
Solo, 14-16 April 2015

2. 2
Current:
• Cybersecurity Nexus Liaison, ISACA Indonesia Chapter
• ISACA Academic Advocate at ITB
• SME for Information Security Standard for ISO at ISACA HQ
• Associate Professor at School of Electrical Engineering and Informatics, Institut Teknologi Bandung
• Ketua WG Layanan dan Tata Kelola TI, anggota WG Keamanan Informasi serta Anggota Panitia Teknis 35-01 Program
Nasional Penetapan Standar bidang Teknologi Informasi, BSN – Kominfo.
Past:
• Ketua Kelompok Kerja Evaluasi TIK Nasional, Dewan TIK Nasional (2007-2008)
• Plt Direktur Operasi Sistem PPATK (Indonesia Financial Transaction Reports and Analysis Center, INTRAC), April 2009 –
May 2011
Professional Certification:
• Professional Engineering (PE), the Principles and Practice of Electrical Engineering, College of Engineering, the University
of Texas at Austin. 2000
• IRCA Information Security Management System Lead Auditor Course, 2004
• ISACA Certified Information System Auditor (CISA). CISA Number: 0540859, 2005
• Brainbench Computer Forensic, 2006
• (ISC)2 Certified Information Systems Security Professional (CISSP), No: 118113, 2007
• ISACA Certified Information Security Manager (CISM). CISM Number: 0707414, 2007
Award:
• (ISC)2 Asia Pacific Information Security Leadership Achievements (ISLA) 2011 award in category Senior Information
Security Professional. http://isc2.org/ISLA
Sarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM

4. DEMOCASE
BYYOKOACC
YOKO@KAMINFO.ID

5. SCENARIO
• Attacker: 131.107.1.101
• Victim 1: 131.107.1.200
• Victim 2: 172.101.101.3
• Victim 1: Weak Password
• Victim 2: Jboss default Installation
• Video Access:
http://kaminfo.id/demo/1-weak-password.mp4
http://kaminfo.id/demo/2-Jboss.mp4
http://kaminfo.id/demo/3-sshkey.mp4

6. First Scenario:
• Attacker do a dictionary attack to the 1st victim. The victim has a weak password quality problem.
• Attacker take a look of victim’s data / information after take over the server.
• Attacker get the web server information (which is Jboss).
Second Scenario:
• Attacker use the victim’s machine to exploit jboss’s server (since the Attacker doesn’t know the
password)
• Attacker gain the access and could take a look the content of the server.
Third Scenario:
• SSH-key
Fourth Scenario: Anti virus AVG2014 bypass https://youtu.be/d948ICBKee8
SCENARIO

7. Q and A:
• Q: How if the victim (on Linux Machine with root:toor) change their password?
• A:
MANAGINGACCESS

8. Q and A:
• Q: How if the victim (on Linux Machine with root:toor) change their password?
• A: The Attacker just need to:
1. Change .ssh’s target.
2. Generate authorize key on our machine and paste it into .ssh’s target.
If we do this, every time we would like to connect into the target’s machine via ssh, we
don’t need to input the password anymore even the target already changed their
password.
MANAGINGACCESS

9. Q: Do you have change your password?
Q: Is it possible that the 2nd scenario happened in the Internet area (not internal?)
Q: Do you ever see your authorized SSH keys on your server?
TEASERQ&A

10. NETWORKISCOMPROMISED

11. APTLIFECYCLE

12. HOWFAST

13. TENASSESSEMENTSCENARIOS

14. THREAT

15. ADAPTIVEATTACKVECTOR
Security Issue Security Solution Adaptive Attack Vector
Single-factor authentication Multifactor authentication Break into token vendor
Malware writer, masquerade Digital certificate Break into a credible vendor
Antivirus approach -
blacklisting
whitelisting Break into application
whitelisting vendor (Bit9)

16. RESPONSE

17. CYBERVULNERABILITIES,THREATANDRISK
Vulnerability Threat Risk and Impact
Spear phising Attacker may gain access through phish
phish payload or combined social-technical
technical follow-up
Initial data loss or leakage leading to secondary
secondary impact
Water holing Attacker may gain control of websites and
and subsequent control of visitor
Initial behavior errors leading to secondary
impact
Wireless/Mobile APT Compromise wireless channel to enable
enable control
Partial or full control of wireless or mobile;
direct/indirect impact on service and application
Zero-day Use zero-day to circumvent defences Partial / full control of application and underlying
underlying system
Excessive priviledge Inside attack Full and (technically) legitimate control outsite
outsite GRC, secondary impacts
Home user APT Attack use home environment may less well
well protected than organization
environment
Partial or full control of wireless or mobile;
direct/indirect impact on service and application

18. CYBERVULNERABILITIESINCONTEXT
Vulnerability Motive Opportunity Effort
Spear phising Financial, espinage, data theft, prepratory to
prepratory to main attack
Email access to target Mediumtohigh, depending on
on quality of phish
Water holing Financial, espinage, data theft, prepratory to
prepratory to main attack
Email access to target,
control of web sites
High, depending on precision
precision of targeting
Wireless/Mobile APT Financial, espionage, extortion, theft of
personally identifiable information
Proximity to target Low to medium
Zero-day Financial, operational, data theft, extortion,
extortion, control of technical infrastructure
Availability of suitable
zero-day exploits,
organized handling of
exploit
Medium to high
Excessive priviledge Financial, personal, data theft, extortion,
reputational
Deficiencies in IDM,
corruption
Low to medium
Home user APT Financial, espionage, extortion, theft of
personally identifiable information
Physical or logical access to
access to target
Low to high, depending on
level of protection of target
environment

19. PIRT

22. The CSX Liaison reports to the chapter president.

23. RISK-BASEDCATEGORIZATIONCONTROL

25. COBIT
ISO 38500
Internal Control
Framework COSO
HUBUNGANANTAR KERANGKA
PP60/2008
Sistem Pengendalian Intern
Pemerintah
TataKelola
TataKelolaTI
ManajemenTI
Panduan Umum Tata Kelola TIK Nas
+
Kuesioner Evaluasi Pengendalian Intern TIK
SNI ISO 27001SNI ISO 20000

26. •Q&A
•isaca.org/cyber
•ISACA Cybersecurity Teaching Materials