Information Security
Seminar – PETA HIMATIF Universitas Siliwangi, 30 May 2013, by Nur Widiyasono
Agenda:
• Background
• Problems
• System & Network Infrastructure Security
– MikroTik
– Cisco System
Background
• Information-based society
• Security holes
• Multi-product / multi-system / multi-vendor
• Direct connection to the Internet
• Web-based application systems such as e-banking, e-commerce, Electronic Data
Problems
• Misuse of information technology:
– Such as: hacking, cracking, anti piracy, worm virus, defamation, spammers, DoS/DDoS
• Internal / external organizational problems
• No organizational policy on
• Lack of understanding/knowledge of how to implement information security technology, leading to incorrect settings & configuration
System Infrastructure and Computer Network Security
Aspects to consider:
• Client PC side:
– Anti virus + regular updates
– Anti spyware
– Updated patches – security holes
– Application patch updates
Continued
• Server side:
– The right system settings & configuration
– Anti virus + regular updates
– Access Control Levels (ACLs)
– Updated patches for security holes
Continued
• Web server security
– References:
• http://httpd.apache.org/docs/current/misc/security_tips.html
• http://technet.microsoft.com/en-us/library/bb727096.aspx
Continued
• DNS server security:
– References:
• http://www.nist.gov/cgi-bin/exit_nist.cgi?url=http://www.microsoft.com/ntserver/nts/downloads/recommended/
• http://linuxadministrator.pro/blog/?p=396
Continued
• Database server security:
– References:
• http://msdn.microsoft.com/en-us/library/bb283235.aspx
• http://blog.opensecurityresearch.com/2012/03/top-10-oracle-steps-to-secure-oracle.html
• http://www.databasesecurity.com/db2/secdb2-2.htm
• http://www.sans.org/score/checklists/Oracle_Database_Checklist.pdf
• http://searchsecurity.techtarget.com/tip/How-simple-steps-ensure-database-security
• http://www.linuxforu.com/2011/05/securing-database-servers/
Continued
• Security for development / programming
– References:
• http://software-security.sans.org/resources/paper/cissp/defining-understanding-security-software-development-life-cycle
• http://searchsecurity.techtarget.com/tip/Steps-in-the-information-security-program-life-cycle
– References:
• http://www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf
• http://www.wikihow.com/Write-Secure-Software-for-the-Web
ISO Standard for Security
ISO 27001
This is the specification for an information security management system (an ISMS) which replaced the old BS7799-2 standard.
ISO 27002
This is the 27000 series standard number of what was originally the ISO 17799 standard (which itself was formerly known as BS7799-1).
ISO 27003
This will be the official number of a new standard intended to offer guidance for the implementation of an ISMS (IS Management System).
ISO 27004
This standard covers information security system management measurement and metrics, including suggested ISO27002 aligned controls.
ISO 27005
This is the methodology independent ISO standard for information security risk management.
ISO 27006
Policy Implementation
• Internet Security Policy
• Internet/Intranet/Extranet Access Policy
• Internet mail (Email) Policy
• Web Security Policy
• Database Access Policy
• Wireless Access Policy
• Remote Access Policy
MikroTik RouterOS
• Its security features are:
– Firewalls
– VLAN
– Access List
– VPN
VPN
RouterOS supports various VPN methods and tunnel protocols:
• IPsec – tunnel and transport mode, certificate or PSK, AH and ESP security protocols
• Point to point tunneling (OpenVPN, PPTP, PPPoE, L2TP)
• Advanced PPP features (MLPPP, BCP)
• Simple tunnels (IPIP, EoIP)
• 6to4 tunnel support (IPv6 over IPv4 network)
• VLAN – IEEE802.1q Virtual LAN support, Q-in-Q support
Wireless
• IEEE802.11a/b/g/n wireless client and access point
• Nstreme and Nstreme2 proprietary protocols
• Client polling
• RTS/CTS
• Wireless Distribution System (WDS)
• Virtual AP
• WEP, WPA, WPA2 encryption
• Access control list
• Wireless client roaming
• WMM
Web Proxy
• Regular HTTP proxy
• Transparent proxy
• Access list by source, destination, URL and requested method (HTTP firewall)
• Cache access list to specify which objects to cache, and which not
• Direct Access List to specify which resources should be accessed directly, and which through another proxy server
• Logging facility
• SOCKS proxy support
• Parent proxy support
Case:
• Hacking of the SBY website
– Ref: http://www.tempo.co/read/news/2013/04/12/072472937/Begini-Cara-Wildan-Meretas-Situs-Presiden-SBY
• SQL Injections
Case:
• Defamation:
– Prita Laura vs RS Omni
• Ref:
– http://www.tribunnews.com/2012/09/17/ma-e-mail-prita-ke-rs-omni-bukan-pencemaran-nama-baik