Information Security
Seminar – PETA HIMATIF, Universitas Siliwangi
30 May 2013, by Nur Widiyasono
Agenda:
• Background
• Problems
• System & Network Infrastructure Security
– MikroTik
– Cisco System
• Case Studies
Background
• Information-based society
• Security holes
• Multi-product / multi-system / multi-vendor environments
• Direct connection to the Internet
• Web-based application systems such as e-banking, e-commerce and Electronic Data Interchange (EDI)
Background
Computer Security is preventing attackers from achieving objectives through unauthorized access or unauthorized use of computers and networks. (John D. Howard, “An Analysis Of Security Incidents On The Internet 1989 - 1995”)
Problems
• Misuse of information technology, such as hacking, cracking, anti-piracy, worms and viruses, defamation, spammers, DoS/DDoS
• Problems internal and external to the organization
• No organizational policy on information security
• Lack of understanding of, and knowledge about, implementing information security technology, which leads to wrong settings and misconfiguration
System and Computer Network Infrastructure Security
Aspects that must be considered:
• Client PC side:
– Anti-virus, regularly updated
– Anti-spyware
– Patches for security holes kept up to date
– Application patches kept up to date
• Policy on the use of information technology
Continued
• Server side:
– Correct system settings and configuration
– Anti-virus, regularly updated
– Access Control Lists (ACLs)
– Patches for security holes kept up to date
– For specific servers such as web, FTP, file sharing and DNS
Continued
• Web server security
– References:
• http://httpd.apache.org/docs/current/misc/security_tips.html
• http://technet.microsoft.com/en-us/library/bb727096.aspx
• http://msdn.microsoft.com/en-us/library/ff648653.aspx
Continued
• DNS server security
– References:
• http://www.nist.gov/cgi-bin/exit_nist.cgi?url=http://www.microsoft.com/ntserver/nts/downloads/recommended/
• http://linuxadministrator.pro/blog/?p=396
• http://www.windowsecurity.com/articles-tutorials/windows_server_2008_security/DNS-Security-Part2.html
Continued
• Database server security
– References:
• http://msdn.microsoft.com/en-us/library/bb283235.aspx
• http://blog.opensecurityresearch.com/2012/03/top-10-oracle-steps-to-secure-oracle.html
• http://www.databasesecurity.com/db2/secdb2-2.htm
• http://www.sans.org/score/checklists/Oracle_Database_Checklist.pdf
• http://searchsecurity.techtarget.com/tip/How-simple-steps-ensure-database-security
• http://www.linuxforu.com/2011/05/securing-database-servers/
• http://www.appsecinc.com/techdocs/whitepapers/right_nav/Database-Security-Best-Practices.pdf
Continued
Security methodologies for various layers
Continued
• Security for development / programming
– References:
• http://software-security.sans.org/resources/paper/cissp/defining-understanding-security-software-development-lifecycle
• http://searchsecurity.techtarget.com/tip/Steps-in-the-information-security-program-life-cycle
• https://security.berkeley.edu/content/application-software-security-guidelines?destination=node/403
• http://www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf
• http://www.wikihow.com/Write-Secure-Software-for-the-Web
• http://www.sans.edu/studentfiles/projects/jumpstart-web-app-code-program.pdf
ISO Standards for Security
ISO 27001
This is the specification for an information security management system (an ISMS), which replaced the old BS7799-2 standard.
ISO 27002
This is the 27000-series standard number of what was originally the ISO 17799 standard (which itself was formerly known as BS7799-1).
ISO 27003
This will be the official number of a new standard intended to offer guidance for the implementation of an ISMS (information security management system).
ISO 27004
This standard covers information security management system measurement and metrics, including suggested ISO 27002-aligned controls.
ISO 27005
This is the methodology-independent ISO standard for information security risk management.
ISO 27006
This standard provides guidelines for the accreditation of organizations offering ISMS certification.
Policy Implementation
• Internet Security Policy
• Internet/Intranet/Extranet Access Policy
• Internet Mail (Email) Policy
• Web Security Policy
• Database Access Policy
• Wireless Access Policy
• Remote Access Policy
• Software Applications Used Policy
A Security Standard Framework
MikroTik RouterOS
• Its security features include:
– Firewalls
– VLAN
– Access lists
– VPN
– Others
MikroTik Firewalls
VPN
RouterOS supports various VPN methods and tunnel protocols:
• IPsec – tunnel and transport mode, certificate or PSK, AH and ESP security protocols
• Point-to-point tunneling (OpenVPN, PPTP, PPPoE, L2TP)
• Advanced PPP features (MLPPP, BCP)
• Simple tunnels (IPIP, EoIP)
• 6to4 tunnel support (IPv6 over IPv4 network)
• VLAN – IEEE 802.1q Virtual LAN support, Q-in-Q support
• MPLS-based VPNs
Wireless
• IEEE 802.11a/b/g/n wireless client and access point
• Nstreme and Nstreme2 proprietary protocols
• Client polling
• RTS/CTS
• Wireless Distribution System (WDS)
• Virtual AP
• WEP, WPA, WPA2 encryption
• Access control list
• Wireless client roaming
• WMM
• HWMP+ wireless mesh protocol
• MME wireless routing protocol
Web Proxy
• Regular HTTP proxy
• Transparent proxy
• Access list by source, destination, URL and requested method (HTTP firewall)
• Cache access list to specify which objects to cache and which not
• Direct access list to specify which resources should be accessed directly and which through another proxy server
• Logging facility
• SOCKS proxy support
• Parent proxy support
• Cache storage on external drives
Case:
• Hacking of the SBY website
– Ref: http://www.tempo.co/read/news/2013/04/12/072472937/Begini-Cara-Wildan-Meretas-Situs-Presiden-SBY
• SQL injection
• Illegal DNS redirection
Case:
• Defamation (pencemaran nama baik)
– Prita Laura vs. RS Omni
• Ref:
– http://www.tribunnews.com/2012/09/17/ma-e-mail-prita-ke-rs-omni-bukan-pencemaran-nama-baik
– http://hukum.kompasiana.com/2009/06/03/kronologi-kasus-prita-mulyasari-13940.html
Cisco – PIX Firewalls
• http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/intro.html
Conclusion