Resiko Keamanan Dalam Kemudahan Ekonomi Digital

“Building Security Awareness in Digital Economy”- Avinanta Tarigan – Gunadarma University
Resiko Keamanan
Dalam Kemudahan Ekonomi Digital
Dr. rer. nat. Avinanta Tarigan

Pusat Studi Kriptografi dan Keamanan Sistem
UNIVERSITAS GUNADARMA
http://ps-sekuriti.gunadarma.ac.id
avinanta@staff.gunadarma.ac.id
Seminar on CyberSecurity Awareness in Digital Economy – Born 2 Protect – Kampus K UG

Tentang Saya
●
Dosen @Universitas Gunadarma
●
Kepala Pusat Studi Kriptografi dan Keamanan Sistem
●
Penelitian: Cryptography, PKI, Network & Distributed
System, Socio-Technical System, Digital Forensics
●
Past Projects:
●
Certification Authority System
●
IPTV / OTT Backend
●
Payment Gateway
●
Audit and Digital Forensics

Penelitian Pusat Studi

● S3 : Pengembangan metode Baru
– SVO-CP (Pardede, 2012) → Non-Repudiation Protocol
– Cipher dg Chaos Theory, Golden Crypto

– Decentralized Transactions (alternatif to BlockChain - BitCoin)
● S2 : Verifikasi Protocol dan Pembetulannya
– Analisis ISP protocol dg BAN Logic
– Analisis OTP protocol dg BAN Logic
– Aplikasi SVO-CP Non-Rep

– Aplikasi Blind-Signature untuk Mobile Based Electronic Voting
● S1 : Verifikasi Protocol dan Tools
– Automated Theorem Prover : General Logic, Khusus untuk BAN
Logic
– PKI Enabled Applications, Secure Chat Apps, Crypto Based
Watermarking
Digital Economy → Financial Technology

●
Pemanfaatan TIK Artificial
Artificial Intelligence
Intelligence
P2P
P2P Lending
●
Kreatifitas Big
Big Data
Data
Lending
●
Agility The
B2B
B2B Gateway
Gateway
The Cloud
Cloud
(Kelincahan) Digital
Digital Insurance
Insurance
Internet
Internet of
of Things
Things
●
Berbasis Digital
Digital Banking
Banking
Komunitas Mobile
Mobile Applications
Applications
Digital
Digital Investment
Investment
●
Memungkinkan Digital
Digital ID
ID
Sistem Crypto
Crypto Currency
Currency
BlockChain
Terdesentralisasi BlockChain


Security Incidents Trend
Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2017

Vulnerabilities Growth
Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2017

Dibalik 1 Transaksi → Kompleksitas

Pengguna Telekom Data Center
– HW – OS – Infrastruktur – Infrastruktur
– Apps jaringan – Pengelolaan
– Middleware – Tata Kelola data center
– Manusia – Pengelola – Pengelola
Server Bank Merchant

– OS & Libs – Switching – HW – OS
– Database
– HW / SW – Apps
– Web & Apps
– Tata Kelola – Middleware
– Vendor /
Pengembang – Pengelola – Manusia
Prinsip Chain of Trust

●
Keamanan sistem seperti
rantai dimana kekuatannya
ada pada mata rantai
terlemah
●
Mata rantai terlemah bisa
ada dimana saja di dalam
sistem
●
Mata rantai terlemah → sub
sistem yang mengandung
kerentanan keamanan

ATM Hacks
●
ATM Hacks:
1)Skimmers dan
SpyCamera
2)Backdoor pada
Remote
Management
3)Malware :
●
Ploutus Trojan
●
Tyupkin

Malware: Man-in-the-Browser

SS7 Vulnerability
●
Signalling System 7 digunakan oleh Switch pada operator telko
untuk berkomunikasi satu dengan lainnya
●
Kerentanan pada desain menyebabkan data SMS, suara, dan
lokasi dapat disadap dan dimanipulasi

Malware
●
Jalan penyerang yang tidak dapat diduga sebelumnya
●
Teknik infeksi canggih & Anti-Forensics
●
Spyware, Cyberespionage, (Ro)Bot, Control Target Machine, DoS
(Disruption of Service), Ransomware, Man-in-the-Middle
●
Ada di platform apa saja (PC, smartphones, smartwatch, IoT, etc)

Social Engineering
“Mama Minta Password”
●
Mengeksploitasi
kelemahan atau
kerentanan pada pengguna
●
Budaya keamanan yang
rendah dan pengambil
resiko tinggi
●
Target penyerang sebagai
jembatan untuk masuk ke
dalam sistem
Source: Hermansson, 2005

Carbanak Attack

Bangladesh Incident
Source: http://thehackernews.com/2016/04/swift-bank-hack.html

Digital Economy & Risk
Private Data on the Cloud Unauthorized Access
Global Digital-ID Compromised PKI Systems
BlockChain based Transaction Malware controlling Peers
Online Agents Man in the Middle
The Need of Agility Uncompleted Security Testing
Digital Claim Management Fraud & System Manipulation

Tantangan
Kompleksitas Serangan Kendala
●
Perubahan Cepat ●
Kerentanan ●
Kuranganya
Dalam Infrastruktur Keamanan Semakin Kesadaran Pada Level
Perangkat Lunak Banyak Ditemukan Manajemen
●
Melibatkan banyak ●
Serangan Semakin ●
Kuranganya
sistem untuk Canggih Kesadaran Pada Sisi
penyelesaian transaksi
User
●
Dari Individual ke
●
Ketergantungan Pada
Organisasi ●
Kemampuan dan Skill
Vendor
Kejahantan Keamanan
●
Adopsi Teknologi Baru ●
Senjata Penyusup : ●
Ketergantungan Pada
Malware Pihak Ketiga

Hobby vs Profesi
Hacker Insan IT Biasa
●
Passionate Hobbyst, Self- ●
Profesi, bukan lifestyle
Taught, Master and
●
Terbiasa mengikuti SOP
Apprentice
●
Berpikir di luar kebiasaan,
●
Membutuhkan Training
Kreatif ●
Kurang Kreatif
●
Persaingan individu maupun ●
Kompetisi dalam karir,
group
bukan dalam mengasah
●
Dari Kegiatan Individu → kemampuan
Kejahatan Terorganisir

Building Cyber Security Awareness

ATTITUDE / CHARACTER
●
Sustainable cyber security attitude and behavior
●
Very Low Risk taking attitude
●
Agent of change in environment
SKILLS
●
How to deal with cyber threats
●
How to tackle the attack
●
How to handle security incidents
KNOWLEDGE
●
Understanding the risk
●
Aware of cyber threats
●
Know how to avoid cyber threats

Secure System Development Life Cycle
Idea Design Code Test Production
Security Penetration
Risk Analysis Design Review
Code Review Testing
Audit
ISO 27001 PCI DSS OWASP

Development ↔ Operation
●
Proses Yang Berkelanjutan
●
Jendela Pengembangan dan Implementasi Sangat Kecil
– Amazon : Setiap 12 detik
– Facebook : Setiap 20 detik

Integrate Security into DevOps

CTI
Monitor Operate
IDS Patch Management
●
Tata Laksana
Plan Release
Risk Analysis
●
Individu
Versioning
●
Tools & Teknologi
●
Operasi Berkelanjutan
Code Deploy
Static Analsisr Pentest
Fuzz Testing
Build Test
Secure Compiler Dynamic Analysis

Mengapa Pengujian Keamanan Itu Susah ?

●
Untuk membuktikan bahwa sistem software
yang kompleks tidak mengandung Bug adalah
Hampir Tidak Mungkin → “The State Space
Explosion Problem”
●
Membutuhkan Pihak Ketiga
●
Pengujian terbatas pada kerentanan yang
diketahui (Known Vulnerability)
“Test can only show you that vulnerability exists,
but it can not show you its absence ”
Why Standard is not Enough ?

●
ISO 27001 ●
Attack focus on anomalies
●
PCI DSS (Payment Card and discover new
Industry) vulnerabilities
●
It provides a framework for
●
Being certified sometimes
makes you overconfidence
the management of
→ weakest link
security
●
Attack techniques and
●
Compliance means you are
vector continous to develop
managing security in line
– but standard is only
with standard, but it
updated every 2 years
doesn't mean you are
secure
Cyber Threat Intelligence

CTI HoneyPot Sensor
●
Analisis Keadaan Terkini ●
Komputer Host Yang
Ancaman Siber Berpura-pura sebagai
●
Pemetaan Teknik, Tools, host yang rentan
Prosedur untuk ●
Menjebak Serangan
Melakukan Serangan
●
Sumber Informasi:
Sensors, SocMed,
Underground Group, etc

Cyber Threat Intelligence

The HoneyNet Project
http://updates.ihpcon.id/2017/07/24/
ihpcon-hasil-pemantauan-ancaman-siber-ke-arah-indonesia-tahun-2017/

“You are not alone”
Building Security Through Colaboration

National Level
C
Y Monitoring and Command Center
B
E
R Threat
Analysis Mitigation Global Cyber State
S And Analysis Attack Analysis
E Pattern
C Cyber Risk
U &
R Mitigation
I
T Coordination
Y CTI & Security
IT Asset Incident
I Posture Response Repository
N
T
E
L
L
I Incident Response Local Security Officers
G
E
N
C Firewall,
E IT Asset Reactive IDS
IDS
& Honey SOP
Vulnerability
Configuration Pot
Scanner IT Asset
Management
Organizational Level

Penutup
●
Digital Economy membawa Permasalahan Keamanan
ke level yang lebih tinggi
●
Siapkan diri Anda
– Membangun kesadaran dan budaya Keamanan Informasi
serta tim yang solid
– Metodologi dan Proses
●
Strenghten Security Through Collaboration
– Sharing Sumber Daya dan Informasi
– Cyber Threat Intelligence
– Stakeholder : Universitas, Vendors, Regulator, Asosiasi

Terimakasih

Resiko Keamanan Dalam Kemudahan Ekonomi Digital

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Resiko Keamanan Dalam Kemudahan Ekonomi Digital

Hochgeladen von

Copyright:

Verfügbare Formate

“Building Security Awareness in Digital Economy”- Avinanta Tarigan – Gunadarma University

Dr. rer. nat. Avinanta Tarigan

Seminar on CyberSecurity Awareness in Digital Economy – Born 2 Protect – Kampus K UG

Seminar on CyberSecurity Awareness in Digital Economy – Born 2 Protect – Kampus K UG

Penelitian Pusat Studi

– Cipher dg Chaos Theory, Golden Crypto

– Aplikasi SVO-CP Non-Rep

Digital Economy → Financial Technology

Seminar on CyberSecurity Awareness in Digital Economy – Born 2 Protect – Kampus K UG

Seminar on CyberSecurity Awareness in Digital Economy – Born 2 Protect – Kampus K UG

Security Incidents Trend

Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2017

Seminar on CyberSecurity Awareness in Digital Economy – Born 2 Protect – Kampus K UG

Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2017

Seminar on CyberSecurity Awareness in Digital Economy – Born 2 Protect – Kampus K UG

Dibalik 1 Transaksi → Kompleksitas

Server Bank Merchant

Prinsip Chain of Trust

Seminar on CyberSecurity Awareness in Digital Economy – Born 2 Protect – Kampus K UG

Seminar on CyberSecurity Awareness in Digital Economy – Born 2 Protect – Kampus K UG

Seminar on CyberSecurity Awareness in Digital Economy – Born 2 Protect – Kampus K UG

Seminar on CyberSecurity Awareness in Digital Economy – Born 2 Protect – Kampus K UG

Seminar on CyberSecurity Awareness in Digital Economy – Born 2 Protect – Kampus K UG

Seminar on CyberSecurity Awareness in Digital Economy – Born 2 Protect – Kampus K UG

Seminar on CyberSecurity Awareness in Digital Economy – Born 2 Protect – Kampus K UG

Seminar on CyberSecurity Awareness in Digital Economy – Born 2 Protect – Kampus K UG

Digital Economy & Risk

Private Data on the Cloud Unauthorized Access

Global Digital-ID Compromised PKI Systems

BlockChain based Transaction Malware controlling Peers

Online Agents Man in the Middle

The Need of Agility Uncompleted Security Testing

Digital Claim Management Fraud & System Manipulation

Seminar on CyberSecurity Awareness in Digital Economy – Born 2 Protect – Kampus K UG

Seminar on CyberSecurity Awareness in Digital Economy – Born 2 Protect – Kampus K UG

Seminar on CyberSecurity Awareness in Digital Economy – Born 2 Protect – Kampus K UG

Building Cyber Security Awareness

Seminar on CyberSecurity Awareness in Digital Economy – Born 2 Protect – Kampus K UG

Secure System Development Life Cycle

Idea Design Code Test Production

ISO 27001 PCI DSS OWASP

Seminar on CyberSecurity Awareness in Digital Economy – Born 2 Protect – Kampus K UG

Seminar on CyberSecurity Awareness in Digital Economy – Born 2 Protect – Kampus K UG

Integrate Security into DevOps

Seminar on CyberSecurity Awareness in Digital Economy – Born 2 Protect – Kampus K UG

Mengapa Pengujian Keamanan Itu Susah ?

Why Standard is not Enough ?

Cyber Threat Intelligence

Seminar on CyberSecurity Awareness in Digital Economy – Born 2 Protect – Kampus K UG

Cyber Threat Intelligence

Seminar on CyberSecurity Awareness in Digital Economy – Born 2 Protect – Kampus K UG

“You are not alone”

Building Security Through Colaboration

Seminar on CyberSecurity Awareness in Digital Economy – Born 2 Protect – Kampus K UG

Seminar on CyberSecurity Awareness in Digital Economy – Born 2 Protect – Kampus K UG

Seminar on CyberSecurity Awareness in Digital Economy – Born 2 Protect – Kampus K UG

Das könnte Ihnen auch gefallen