INFORMATION AND INTERNET SECURITY

Special Presentation on
INFORMATION AND INTERNET SECURITY
Concept – Principle – Strategy – Implementation – Governance

Prof. Richardus Eko Indrajit
indrajit@post.harvard.edu

What must be DONE?

OLD Phenomena, NEW Behavior
First child is born
A daughter is scolded by her parents
A husband quarrels with his wife
Computer and telephone break down
An employee gets promoted
Going to the toilet in a public place
Family get-togethers during the holidays
and so on

Strategic Functions of IT
VERTICAL FUNCTION: decision making
HORIZONTAL FUNCTION: transactions

Principles of Information Technology Utilization #1
• IT as a support for operational or transactional activities
– Transferring money between banks
– Booking airline tickets
– Enrolling in courses each semester
– Buying phone credit
– Activating electronic equipment
and so on


Principles of Information Technology Utilization #2
• IT as a support for the decision-making process
– Storing and organizing data
– Processing and representing data
– Producing periodic and ad hoc reports
– Running complex scenarios and simulations
– Managing information and knowledge
and so on

Principles of Information Technology Utilization #3
• IT as a support for communication and collaboration activities
– Sending documents and digital files
– Holding cross-border conversations
– Carrying out virtual cooperation activities
– Downloading data from various sources
– Uploading information to various places
and so on

A Reality That Cannot Be Ignored
• The real world and the cyber world have converged and complement each other
• Day-to-day activities take place in both worlds
• The number of interactions between individuals and institutions/organizations has increased significantly
• The types of technology are increasingly diverse and human-friendly

→ The potential for conducting digital-based intelligence activities is growing (e.g. already being carried out)

Knowledge Domain: The Cyber Six
Cyber Space
Cyber Law
Cyber Threat
Cyber Crime
Cyber Attack
Cyber Security

1 Cyberspace.
• A reality community between PHYSICAL WORLD and ABSTRACTION WORLD
• 1.4 billion of real human population (internet users)
• Trillion US$ of potential commerce value
• Billion business transactions per hour in 24/7 mode

Internet is a VALUABLE thing indeed.
Risk is embedded within.

Information Roles
• Why information?
– It consists of important data and facts (news, reports, statistics, transaction, logs, etc.)
– It can create perception to the public (market, politics, image, marketing, etc.)
– It represents valuable assets (money, documents, password, secret code, etc.)
– It is a raw material of knowledge (strategy, plan, intelligence, etc.)

What is Internet ?
• A giant network of networks where people exchange information through various different digital-based ways:
Email, Mailing List, Website, Chatting, Newsgroup, Blogging, E-commerce, E-marketing, E-government

“… what is the value of internet ???”

2 Cyberthreat.
• The trend has increased at an exponential rate
• Motives vary from recreational to criminal purposes
• Can cause significant economic losses and political suffering
• Difficult to mitigate

Threats are there to stay.
Can’t do so much about it.

web defacement, SMTP relay, root access, information leakage, virus infection, theft, spamming, hoax, SQL injection, phishing, intrusion, malware distribution, trojan horse, malicious software, spoofing, DoS/DDoS, botnet, worms, open proxy, password cracking, blended attack

International Issues
• What Does FBI Say About Companies:
– 91% have detected employee abuse
– 70% indicate the Internet as a frequent attack point
– 64% have suffered financial losses
– 40% have detected attacks from outside
– 36% have reported security incidents

Source: FBI Computer Crime and Security Survey 2001

Professions Threat

Knowledge Threats

Software Tools Threat

Vulnerabilities-dBase Threat

Hacking-dBase Threat

Underground Economy

Growing Vulnerabilities

[Chart: Incidents and Vulnerabilities Reported to CERT/CC, 1995 to 2004. Series: Vulnerabilities and Security Incidents. Axes: Total Vulnerabilities (0 to 4500) and Total Security Incidents (0 to 160,000).]

“Through 2008, 90 percent of successful hacker attacks will exploit well-known software vulnerabilities.” - Gartner*

* Gartner “CIO Alert: Follow Gartner’s Guidelines for Updating Security on Internet Servers, Reduce Risks.” J. Pescatore, February 2003
** As of 2004, CERT/CC no longer tracks Security Incident statistics.

Potential Threats

Unstructured Threats
• Insiders
• Recreational Hackers
• Institutional Hackers

Structured Threats
• Organized Crime
• Industrial Espionage
• Hacktivists

National Security Threats
• Terrorists
• Intelligence Agencies
• Information Warriors

3 Cyberattack.
• Too many attacks have been performed within the cyberspace.
• Most are triggered by the cases in the real world.
• The eternal wars and battles have been in towns lately.
• The notorious Estonia case has opened the eyes of all people in the world.

Attack can occur anytime and anyplace without notice.

Internet and Crimes
SIGNIFICANT INCREASE !!!

ID-SIRTII Monitoring Analysis
Case #1
Case #2
Case #3
Case #4
Case #5

Attacks Sophistication

[Chart: Attack Sophistication (Low to High) and Intruder Knowledge over time, 1980 to 2005. Labels on the chart: Tools; Auto Coordinated; Staged; cross site scripting; “stealth” / advanced scanning techniques; packet spoofing; denial of service; sniffers; sweepers; GUI; distributed attack tools; www attacks; automated probes/scans; back doors; network mgmt. diagnostics; disabling audits; hijacking sessions; burglaries; exploiting known vulnerabilities; password cracking; self-replicating code; password guessing.]

Vulnerabilities Exploit Cycle

[Chart: # Of Incidents over Time, with the peak marked “Highest Exposure”. Stages labelled on the curve: Advanced Intruders Discover New Vulnerability; Crude Exploit Tools Distributed; Novice Intruders Use Crude Exploit Tools; Automated Scanning/Exploit Tools Developed; Widespread Use of Automated Scanning/Exploit Tools; Intruders Begin Using New Types of Exploits.]

File Management
Microsoft Excel

URL Management
URL

Directory Traversal Management
Directory Traversal

Mailing List Management
Email Reply

Live Camera Management
Java Applet

Surveillance Camera Management
Web Monitor

Security Camera Management
Sony

Multiple Camera Management
Multi Frame

4 Cybersecurity.
• Led by ITU for the international domain, while some standards are introduced by different institutions (ISO, ITGI, ISACA, etc.)
• “Your security is my security”
– individual behavior counts while various collaborations are needed

Education, value, and ethics are the best defense approaches.

Risk Management Aspect

[Diagram: relationships among Threats, Vulnerabilities, Controls, Risk, Assets, Security Requirements, Asset Values, and Impact on Organisation. Relationship labels: Exploit, Protect against, Expose, Reduce, Met by, Have.]

Strategies for Protection
Protecting Interactions
Protecting Information
Protecting Infrastructure

Physical Security Checklist

Information Security Checklist

Mandatory Requirements
• “Critical infrastructures are those physical and cyber-based systems essential to the minimum operations of the economy and government. These systems are so vital, that their incapacity or destruction would have a debilitating impact on the defense or economic security of the nation.”
• Agriculture & Food, Banking & Finance, Chemical, Defense Industrial Base, Drinking Water and Wastewater Treatment Systems, Emergency Services, Energy, Information Technology, Postal & Shipping, Public Health & Healthcare, Telecommunications, Transportation Systems

Information Security Disciplines
• Physical security
• Procedural security
• Personnel security
• Compromising emanations security
• Operating system security
• Communications security

A failure in any of these areas can undermine the security of a system

Best Practice Standard

[Diagram: BS7799/ISO17799 wheel with ten numbered domains (1 to 10) around Information and its Confidentiality, Integrity and Availability. Domains: Information Security Policy; Security Organisation; Asset Classification Controls; Personnel Security; Physical Security; Communication & Operations Mgmt; Access Controls; System Development & Maint.; Bus. Continuity Planning; Compliance.]

These Two Guys …..
versus

5 Cybercrime.
• Globally defined as INTERCEPTION, INTERRUPTION, MODIFICATION, and FABRICATION
• Virtually involving international boundaries and multi resources
• Intentionally targeting to fulfill special objective(s)
• Convergence in nature with intelligence efforts.

Crime has intentional objectives.
Stay away from the bull’s eye.

Type of Attacks

Malicious Activities

Motives of Activities
1. Thrill Seekers
2. Organized Crime
3. Terrorist Groups
4. Nation-States

6 Cyberlaw.
• Difficult to keep updated as technology trend moves
• Different stories between the rules and enforcement efforts
• Require various infrastructure, superstructure, and resources
• Can be easily “out-tracked” by law practitioners

Cyberlaw is here to protect you.
At least playing role in mitigation.

The Crime Scenes
IT as a Tool
IT as a Storage Device
IT as a Target

First Cyber Law in Indonesia.
Range of penalty:
  Rp 600 million - Rp 12 billion (equal to US$ 60,000 to US$ 1,2 million)
  6 to 12 years in prison (jail)
starting from 25 March 2008

Picture: Indonesia Parliament in Session

Main Challenge.

ILLEGAL
“… the distribution of illegal materials within the internet …”

ILLEGAL
“… the existence of source with illegal materials that can be accessed through the internet …”

Two Way Relationship
Real World: “Physical War”
Cyber Space: “Virtual War”

Two Way Relationship
[Diagram: Real World and Cyber Space joined by two “relate” links.]
real interaction
real transaction
real resources
real people
flow of information
flow of product/services
flow of money

Two Way Relationship
[Diagram: Real World and Cyber Space, with the labels Ethics, Law, Rule of Conduct, Mechanism.]

Cyber Law
“Ruling Cyber Space interaction with Real World Penalty”


Classic Definition of War

WAR is here to stay…
“Can Cyber Law alone become the weapon for modern defense against 21st century Cyber Warfare & Cyber Crime?”

Two Way Relationship
[Diagram: Real World and Cyber Space joined by two “impact” links.]

Two Way Relationship
[Diagram: Real World and Cyber Space linked by the actions blackmail, threaten, destroy, attack, mess up, ruin, penetrate, crime, destroy, terminate, disrupt. Items shown: Political Incidents, International Events, Published Books, Training Materials, Pirated Tools, Community of Interests.]

Two Way Relationship
[Diagram: Real World and Cyber Space linked by the actions justify, suspect, sue, investigate, inspect, sabotage, condemn, examine, spy, gossip, perceive. Items shown: Personal Blogs, Citizen Journalism, Anonymous Interaction, Phishing and Forgery, Campaign and Provocation, Communities Reviews.]

The Paradox of Increasing Internet Value
internet users + transaction value + interaction frequency + communities spectrum + usage objectives = The Internet Value
it means… threats, attacks, crimes

Internet Security Issues Domain

INTERNET SECURITY

TECHNICAL ISSUES
• Internet is formed through connecting a set of digital-based physical technology that follows a good number of standards and protocols
• All technical components (hardware and software) interact with each other within a complex dependent…

BUSINESS ISSUES
• It is a part of business system as transactions and interactions are being conducted accordingly
• As technology mimics, enables, drives, and transforms the business, internet dependency is high
• For the activities that rely on time and space – where resources and processes can be digitalized - the network is the business

SOCIAL ISSUES
• What are interacting in the net are real people, not just a bunch of “intellectual machines” – by the end of the day, human mind, characters, behaviors, and values matter
• It is not an “isolated world” that does not have any relationship with the real physical world

Technical Trend Perspective
the phenomena…
malicious code
vulnerabilities
spam and spyware
phishing and identity theft
time to exploitation

the efforts…
Intrusion Prevention
Software Patches
Firewalls
Malware Blocking
Encryption and PKI
Antispyware
Network Access Control
AntiVirus
Application and Device Control
Web and Email Security

Business Trend Perspective
the context…
Risk Management Practices
Cost Benefit Analysis
Regulatory Compliance
Governance Requirements
Digital Asset Management
Standard and Policy Enforcement

the strategy…
Archiving and Retention Management
IT Audit
Business Contingency Plan
Chief Security Officer
Security Management
Technology Compliance
Disaster Recovery Center
ISO Compliance
Standard Certification
Storage and Backup Management
Backup and Recovery
Application and Device Control

Social Trend Perspective
the characteristics…
Computer Savvy Society
Digital System Everywhere
Free World, Open Market
Internet as New Frontier
Borderless Geography

the choices…
policy vs. design
enforcement vs. culture
pressure vs. education
reward vs. punishment
standard vs. self control
regulation vs. ethical behavior
top-down vs. bottom-up
prevention vs. reaction

The Core Relationships
People (Social Aspects)
Context/Content Applications (Business Aspects)
Technology (Technical Aspects)

Converging Trend
BUSINESS ISSUES
TECHNICAL ISSUES
SOCIAL ISSUES

Internetworking Dependency
Since the strength of a chain depends on the weakest link, then YOUR SECURITY is MY SECURITY…

Things to Do
1. Identify your valuable assets
2. Define your security perimeter
3. Recognize all related parties involved
4. Conduct risk analysis and mitigation strategy
5. Ensure standard security system intact
6. Institutionalize the procedures and mechanism
7. Share the experiences among others
8. Continue improving security quality

Key activities: use the THEORY OF CONSTRAINTS !
(Find the weakest link, and help them to increase their security performance and capabilities…)

Beware …

Work Philosophy

Why does a car have BRAKES ???

The car has BRAKES so that it can go FAST … !!!

Why should we have regulation?
Why should we establish institution?
Why should we collaborate with others?
Why should we agree upon mechanism?
Why should we develop procedures?
Why should we have standard?
Why should we protect our safety?
Why should we manage risks?
Why should we form response team?

Thank You

Prof. Richardus Eko Indrajit
Chairman of ID-SIRTII and APTIKOM
indrajit@post.harvard.edu
www.eko-indrajit.com