
Academic year: 2018


(1)

Prof. Richardus Eko Indrajit 

Chairman of ID‐SIRTII and APTIKOM 

 

www.eko-indrajit.com

Information Technology-Based Banking Business

Examining the Challenges from the Legal and Risk Management Perspectives

 

(2)

About ID‐SIRTII and APTIKOM 

• The National CSIRT/CERT of Indonesia (quasi government institution)
• Conducting traffic monitoring and log management of the country's internet infrastructure
• Coordinating more than 300 ISPs all over the nation
• Responsible for safeguarding internet infrastructure used by mission critical institutions

• Association of IT colleges and universities in Indonesia
• Consists of 750 higher-learning institutions (more than 1,500 study programs)
• Approximately 600,000 active student body, with 50,000 graduates per year
• Joint collaboration for curriculum development and shared-resources/services initiatives

(3)
(4)
(5)
(6)
(7)

Knowledge Domain: The Cyber Six 

Cyber  Space 

Cyber  Threat 

Cyber Attack

Cyber  Security  Cyber 

(8)

1. Cyberspace.

• A reality community between PHYSICAL WORLD and ABSTRACTION WORLD
• 1.4 billion of real human population (internet users)
• Trillion US$ of potential commerce value
• Billion business transactions per hour in 24/7 mode

Internet is a VALUABLE thing indeed. Risk is embedded within.

(9)

Information Roles

• Why information?
– It consists of important data and facts (news, reports, statistics, transaction, logs, etc.)
– It can create perception to the public (market, politics, image, marketing, etc.)
– It represents valuable assets (money, documents, password, secret code, etc.)
– It is a raw material of knowledge (strategy, plan,

(10)

What is Internet?

• A giant network of networks where people exchange information through various different digital-based ways:

Email, Mailing List, Website
Chatting, Newsgroup, Blogging
E-commerce, E-marketing, E-government

(11)

2. Cyberthreat.

• The trend has increased at an exponential rate
• Motives vary from recreational to criminal purposes
• Can cause significant economic losses and political suffering
• Difficult to mitigate

Threats are there to stay.

Can't do so much about it.

web defacement information leakage phishing intrusion Dos/DDoS SMTP relay virus infection hoax malware distribution botnet open proxy root access theft sql injection trojan horse worms password cracking

spamming malicious software spoofing blended attack

(12)

International Issues

• What Does FBI Say About Companies:
– 91% have detected employee abuse
– 70% indicate the Internet as a frequent attack point
– 64% have suffered financial losses
– 40% have detected attacks from outside
– 36% have reported security incidents

Source: FBI Computer Crime and Security

(13)
(14)

Growing Vulnerabilities

* Gartner CIO Alert: "Follow Gartner's Guidelines for Updating Security on Internet Servers, Reduce Risks." J. Pescatore, February 2003
** As of 2004, CERT/CC no longer tracks Security Incident statistics.

[Figure: Incidents and Vulnerabilities Reported to CERT/CC, 1995 to 2004. Series: Vulnerabilities, Security Incidents.]

"Through 2008, 90 percent of successful hacker attacks will exploit well-known software

(15)

Potential Threats

Unstructured Threats
– Insiders
– Recreational Hackers
– Institutional Hackers

Structured Threats
– Organized Crime
– Industrial Espionage
– Hacktivists

National Security Threats
– Terrorists
– Intelligence Agencies

(16)

3. Cyberattack.

• Too many attacks have been performed within the cyberspace.
• Most are triggered by the cases in the real world.
• The eternal wars and battles have been in towns lately.
• The notorious Estonia case has opened the eyes of all people in the world.

(17)
(18)
(19)
(20)
(21)
(22)

Attacks Sophistication

[Figure: Attack Sophistication and Intruder Knowledge (scale Low to High) plotted over time, 1980 to 2005. Tools and techniques labeled on the chart: password guessing; self-replicating code; password cracking; exploiting known vulnerabilities; disabling audits; back doors; hijacking sessions; sweepers; sniffers; packet spoofing; GUI; automated probes/scans; denial of service; www attacks; "stealth" / advanced scanning techniques; burglaries; network mgmt. diagnostics; distributed attack tools; cross site scripting; Staged; Auto]

(23)

Vulnerabilities Exploit Cycle

[Figure: exploit cycle curve. Axes: Time, # Of. Stages in order: Advanced Intruders Discover New Vulnerability; Crude Exploit Tools Distributed; Novice Intruders Use Crude Exploit Tools; Automated Scanning/Exploit Tools Developed; Widespread Use of Automated Scanning/Exploit Tools; Intruders Begin Using New Types of Exploits. Marked point: Highest Exposure.]

(24)

4. Cybersecurity.

Education, value, and ethics are the best defense approaches.

• Led by ITU for international domain, while some standards are introduced by different institutions (ISO, ITGI, ISACA, etc.)
• "Your security is my security"

(25)

Risk Management Aspect

[Diagram: relationships among Risk, Vulnerabilities, Threats, Controls, Security Requirements, Asset Values, and Assets. Visible edge label: "Protect against".]

(26)

Strategies for Protection

Protecting Information

(27)

Mandatory Requirements

• Critical infrastructures are those physical and cyber-based systems essential to the minimum operations of the economy and government. These systems are so vital, that their incapacity or destruction would have a debilitating impact on the defense or economic security of the nation.

• Agriculture & Food, Banking & Finance, Chemical, Defense Industrial Base, Drinking Water and

(28)

Information Security Disciplines

• Physical security
• Procedural security
• Personnel security
• Compromising emanations security
• Operating system security
• Communications security

a failure in any of these areas can undermine the

(29)

Best Practice Standard

BS7799/ISO17799

[Diagram: Information (Integrity, Confidentiality) at the center, surrounded by the control areas: Access Controls; Asset Classification Controls; Information Security Policy; Security Organisation; Personnel Security; Physical Security; Communication & Operations Mgmt; System Development & Maint.; Bus. Continuity Planning; Compliance]

(30)

5. Cybercrime.

• Globally defined as INTERCEPTION, INTERRUPTION, MODIFICATION, and FABRICATION
• Virtually involving international boundaries and multi-resources
• Intentionally targeting to fulfill special objective(s)
• Convergence in nature with intelligence efforts.

Crime has intentional objectives.

(31)
(32)
(33)

Motives of Activities

1. Thrill Seekers
2. Organized Crime
3. Terrorist Groups

(34)

6. Cyberlaw.

• Difficult to keep updated as technology trend moves
• Different stories between the rules and enforcement efforts
• Requires various infrastructure, superstructure, and resources
• Can be easily "out-tracked" by law practitioners

(35)

The Crime Scenes 

IT as a Tool

(36)

First Cyber Law in Indonesia. 

Range of penalty:

• Rp 600 million - Rp 12 billion (equal to US$ 60,000 to US$ 1.2 million)
• 6 to 12 years in prison (jail)

starting from 25 March 2008

(37)

Main Challenge. 

ILLEGAL

"… the distribution of illegal materials within the internet …"

ILLEGAL

"… the existence of

(38)

ID-SIRTII Mission and Objectives.

"To expedite the economic growth of the country through providing the society with secure internet environment within the nation"

1. Monitoring internet traffic for incident handling purposes.

2. Managing log files to support law enforcement.

3. Educating public for security awareness.

4. Assisting institutions in managing security.

5. Providing training to constituency and stakeholders.

6. Running laboratory for simulation practices.

(39)

Constituents and Stakeholders.

ID-SIRTII ISPs

NAPs

IXs

Law Enforcement

National Security Communities

International CSIRTs/CERTs

Government of Indonesia

(40)

Coordination Structure.

ID-SIRTII (CC)

as National CSIRT

Sector CERT Internal CERT Vendor CERT Commercial CERT

Bank CERT

Airport CERT

University CERT

GOV CERT

Military CERT

SOE CERT

SME CERT

Telkom CERT

BI CERT

Police CERT

KPK CERT

Lippo CERT

KPU CERT

Pertamina CERT

Hospital CERT UGM CERT

Cisco CERT

Microsoft CERT

Oracle CERT

SUN CERT

IBM CERT

SAP CERT

Yahoo CERT

Google CERT

A CERT

(41)

Major Tasks. 

INCIDENT HANDLING DOMAIN and ID-SIRTII MAIN TASKS

Reactive Services Proactive Services Security Quality Management Services

1. Monitoring traffic Alerts and Warnings Announcements

Technology Watch

Intrusion Detection Services

x

2. Managing log files Artifact Handling x x

3. Educating public x x Awareness Building

4. Assisting institutions Security-Related Information Dissemination

Vulnerability Handling

Intrusion Detection Services

Security Audit and Assessment

Configuration and Maintenance of Security Tools, Applications, and Infrastructure

Security Consulting

5. Provide training x X Education Training

6. Running laboratory x x Risk Analysis

BCP and DRP

(42)

Incidents Definition and Samples.

"one or more intrusion events that you suspect are involved in a possible violation of your security policies"

"an event that has caused or has the potential to cause damage to an organization's business systems, facilities, or personnel"

"any occurrence or series of occurrences having the same origin that results in the discharge or substantial threat"

"an undesired event that could have resulted in harm to people,

(43)

Priorities on Handling Incidents.

TYPE OF INCIDENT AND ITS PRIORITY

Columns: Public Safety and National Defense (Very Priority) | Economic Welfare (High Priority) | Political Matters (Medium Priority) | Social and Culture Threats (Low Priority)

1. Interception: Many to One | One to Many | Many to Many | Automated Tool (KM-Based Website)
2. Interruption: Many to One | One to Many | Many to Many | Automated Tool (KM-Based Website)
3. Modification: Many to One | One to Many | Many to Many | Automated Tool (KM-Based Website)

(44)

Core Chain of Processes. 

Monitor Internet Traffic

Manage Log Files

Response and Handle Incidents

Establish External and International Collaborations Run Laboratory for Simulation Practices Provide Training to Constituency and Stakeholders

Assist Institutions in Managing Security Educate Public for Security Awareness

Deliver Required Log Files Analyse Incidents

Report on Incident Handling Management Process and

Research Vital Statistics

(45)

Legal Framework. 

Undang-Undang No.36/1999

regarding National Telecommunication Industry

Peraturan Pemerintah No.52/2000

regarding Telecommunication Practices

Peraturan Menteri Kominfo No.27/PER/M.KOMINFO/9/2006

regarding Security on IP-Based Telecommunication Network Management

Peraturan Menteri No.26/PER/M.KOMINFO/2007

regarding Indonesian Security Incident Response Team on Internet Infrastructure

(46)

Challenges to ID-SIRTII Activities.

• Prevention
– "Securing" internet-based transactions
– Reducing the possibilities of successful attacks
– Working together with ISP to inhibit the distribution of illegal materials

• Reaction
– Preserving digital evidence for law enforcement purposes
– Providing technical advisory for further mitigation process

• Quality Management
– Increasing public awareness level

(47)

Work Philosophy. 

Why does a car have BRAKES ???

The car has BRAKES so that it can go FAST … !!!

(48)

Holistic Framework.

SECURE INTERNET INFRASTRUCTURE

ENVIRONMENT

People Process Technology

Log File Management

System Traffic Monitoring

System Incident

Indication Analysis

Incident Response. Management Advisory

Board

Executive Board

MONITOR - ANALYSIS - YELL - DETECT - ALERT - YIELD

STAKEHOLDERS COLLABORATION AND SUPPORT

NATIONAL REGULATION AND GOVERNANCE

(49)

Two Way Relationship

Cyber Space

Real World

(50)

Two Way Relationship

relate  relate

Cyber Space

Real World

real interaction real transaction

real resources real people

flow of information flow of product/services

(51)

Two Way Relationship

Cyber Space

Real World

Ethics

Law

Rule of Conduct Mechanism

Cyber Law

(52)

Classic Definition of War

WAR is here to stay…

Can Cyber Law alone

become the weapon for modern defense against 21st century

(53)

impact 

Two Way Relationship

Cyber Space

impact 

(54)

Two Way Relationship

threaten

attack

crime

blackmail

destroy

penetrate

destroy

disrupt terminate

(55)

Two Way Relationship

investigate

suspect

sabotage

inspect

examine

spy

gossip justify

(56)

The Paradox of Increasing Internet Value

internet users, transaction value, interaction frequency, communities spectrum, usage objectives

The Internet Value

threats

it means…

(57)

Internet Security Issues Domain

INTERNET SECURITY: TECHNICAL ISSUES, BUSINESS ISSUES, SOCIAL ISSUES

• Internet is formed through connecting
• All technical components
• It is a part of business system as transactions and interactions are being conducted accordingly
• As technology mimics, enables, drives, and transforms the business, internet dependency is high
• For the activities that rely on time and space – where resources and processes can be digitalized – the network is the business
• What are interacting in the net are real people, not just a "bunch of intellectual machines" – by the end of the day, human mind, characters, behaviors, and values matter
• It is not an "isolated world" that does not have any

(58)

Technical Trend Perspective

the phenomena…

malicious code, vulnerabilities, spam and spyware, phishing and identity theft, time to exploitation

the efforts…

Firewalls
Antispyware
AntiVirus
Software Patches
Web and Email Security
Malware Blocking
Network Access Control
Intrusion Prevention
Application and Device Control

(59)
(60)

Social Trend Perspective

policy vs. design
enforcement vs. culture
regulation vs. ethical behavior
prevention vs. reaction
top-down vs. bottom-up
pressure vs. education

(61)

The Core Relationships

People (Social Aspects)

Technology (Technical Aspects)

Context/Content

Applications

(62)

Converging Trend 

TECHNICAL ISSUES

BUSINESS ISSUES

SOCIAL

(63)

Internetworking Dependency 

Since the strength of a chain depends on the weakest link,

 

(64)

Things to Do 

1. Identify your valuable assets
2. Define your security perimeter
3. Recognize all related parties involved
4. Conduct risk analysis and mitigation strategy
5. Ensure standard security system intact
6. Institutionalize the procedures and mechanism
7. Share the experiences among others
8. Continue improving security quality

Key activities: use the THEORY OF CONSTRAINTS! (Find the weakest link, and help them to increase their security performance and

(65)

What should we do?

• Monitoring the dynamic environment happening in real world and cyber world?
• Building effective procedures and mechanism among institutions responsible for these two worlds?
• Forming international framework for collaboration and cooperation to combat cyber crimes?
• Finding the fastest and most effective methodology to educate society on cyber security?
• Developing and adopting multi-lateral cyber law convention?
• Acting like intelligence agencies? Interpol? Detectives?

(66)

Lessons Learned

• As the value of internet increases, so does the risk of having it in our life.
• Hackers and crackers help each other, why shouldn't we collaborate?
• Enough talking and planning, start executing your risk

(67)
(68)
