
Midterm Examination

(Individual Take Home Exam)


Course: S2 Information Network Security
1. One of the activities used to assess the security of a network is Information Gathering. Among other things, this activity is carried out to find out how much information about a network, and how many of its weaknesses, are exposed on the internet; it includes port scanning, penetration testing and vulnerability analysis. (Weight 20%)

a. What is your opinion of this information gathering: does it count as an attack? To what extent may this activity be carried out, and when may it not?

Information gathering is the act of collecting different kinds of information about a targeted victim, system, company, server, IP address, etc. Information gathering is the first step of hacking, and it is where the hacker spends most of the time. Information gathering plays a crucial role for both investigating and attacking purposes. Now, the question of the extent to which information gathering is allowed and legal depends on the nature of the hacking activity. If the hacking activity is led by an authorised individual (white hat hacker), then it is allowed and it is called ethical hacking. In this case information gathering is not considered an attack. However, if the information gathering is done by an unauthorised individual (black hat hacker), then it is not permissible and it is called cracking. In this case information gathering is part of an attack or cybercrime.

b. What about the collection of customer data as part of the KYC (know your customer) mechanism used by many applications today, including personal data, photos and even customer activity: is this an intrusion on privacy? To what extent may this activity be carried out, and when may it not?

Know your customer (KYC) is a wide-ranging set of regulations that requires businesses to practise due diligence on their customers. Businesses verify the identity of their customers to assess their credibility and the risk related to them. In my opinion, KYC generally speaking is not an intervention on privacy. It is an initiative to keep the business safe and growing. Imagine having a customer wearing a black mask and with a mysterious appearance. Would you be all right with it? Of course not. You would be worried and suspicious, and might even consider reporting them to the authorities. People can hide their identity by numerous other methods that seamlessly get them into a business ecosystem.
The world has evolved into a global village. Thanks to the internet and e-commerce, a business at the far east end of the world sells goods and services to a customer in the far west corner of the world. Due to the high anonymity in today’s global market, the risk of fraud and financial crime is high. That is why businesses are required to verify the identity of their customers, to ensure that the customer is actually who he claims to be, and that is why KYC regulations are imposed on businesses of all types and sizes. However, for KYC to work well and under legal conditions, KYC compliance is crucial; this does not mean that KYC regulations are imposed only on e-commerce businesses, because people with fake identities are everywhere. People use fake or stolen ID cards to enjoy the perks entitled to the original owner of the ID card. Credit card fraud is another major risk to global business entities. Beyond that, money laundering and terrorist financing are bringing chaos to the world’s economy. Businesses are used for the seamless movement of money from one place to another. Businesses commonly used for money laundering are banks, insurance companies, virtual asset dealers, gaming and gambling websites, payment solutions, etc. So these businesses run KYC verification on their customers for KYC compliance obligations, fraud prevention, customer onboarding and risk management.

c. Name 2 (two) examples of tools or applications that can be used to carry out information gathering on a network. Provide screenshots and explain their features and working principles.
I chose to explain the following:
i) Wireshark and
ii) Nmap

i) Wireshark is open source software for the analysis of network traffic. Wireshark can be used for solving network problems, designing software solutions and network security analysis, as well as for educational purposes. The best way to describe the working principle of Wireshark is through an example:

Screenshot 1: network monitoring via Wireshark


Wireshark uses pcap files to capture packets. From the screenshot above I will provide an analysis of the network behaviour when the client makes a simple request to a Google server to deliver the web page google.com. We can see in Screenshot 1 that there are 26 frames listed, which represent the “conversation” between the client and the server. So basically, a simple attempt by the user’s client to access one web page (google.com) results in this case in an exchange of 26 frames between two network devices. We can notice that the first two frames are blue and the rest are green. That is because Wireshark uses colours to label the different protocol layers of the communication: blue is used for the DNS protocol, and green for the HTTP and TCP protocols.
In frame 1 the client initiates communication by sending an IP request to get the IP address of the Google web page. In frame 2, the DNS server replies to the client’s initial request by offering three IP addresses of 3 Google servers that can provide the web page google.com. After that, in frames 3-5, the three-way handshake happens, which means that the communication between the client and the chosen Google server is established. Now that the communication channel is established, the client is ready to send the request to the Google server for the URI of the Google web page, which happens in frame 6. In frame 7, the server sends back an acknowledgment to the client confirming successful reception of frame 6. Frame 8 is used to manage flow control. In frame 9, the acknowledgment for frame 8 is sent from the server to the client. In frame 10, the server sends the requested URI to the client. Frame 11 is again an acknowledgment from the client to the server that it successfully received frame 10. From frame 12 to frame 26, the server delivers the rest of the elements (image and favicon) of the Google web page to the client so that the web page can be displayed in its original format.
In this way a white hat hacker, for example, can monitor network traffic without the network clients even knowing that they are being tracked. Of course, such an operation is legal only if the white hat hacker has explicit authorization to monitor the client’s network.

ii) Nmap is short for Network Mapper. It is a free and open source utility for network security audits, host and network discovery, port scanning, version detection, OS detection and scriptable interaction with a target. Nmap can also give you information on DNS names, device types, MAC addresses and more. It is usually used for auditing the security of a device, identifying open ports, or network inventory. It can also be used to identify servers. Of course, Nmap can be used for black or white hat hacking, and it is also widely used strictly for system administration. Nmap is available for a variety of platforms, of which the most popular is Linux.

Screenshot 2: simple example using Nmap

To start using Nmap to scan a single target (just one computer or one server), a command of the form ‘nmap target’ can be used. So for example, from Screenshot 2, by using the command nmap 10.73.31.74 we are able to scan the server with IP address 10.73.31.74 (in the case where we know the server’s IP address, which is easy to discover). The scan shows the status of the different ports detected; it can be noticed that there are three columns, which appear whenever the scan process is run. The first column represents “port”, the second one is called “state” and “service” is the last column. The first column shows the list of port numbers that certain services are running on and what protocol they are using. From the screenshot we see that port 21 has the TCP protocol running on it. The “state” is the status of the service and it can be open, closed, filtered, unfiltered, open|filtered, or closed|filtered. The “service” is the software that is running on that server. Here we see the different kinds of software running on this server, including FTP, HTTP, printer, something unknown, PostgreSQL, etc. Paying attention to what processes are running on your servers can be crucial to keeping your network secure.
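
The port/state/service table described above is easy to post-process once a scan of your own host has been saved. The Python example below is an added illustration, not part of the original answer and not Nmap's own code: it parses a constructed sample of Nmap's normal output (modelled on the table in Screenshot 2, with the host 10.73.31.74 from the answer; the rows themselves are made up) and lists the open services an administrator should review. The review policy dictionary is a hypothetical example, not an Nmap feature.

```python
import re
from dataclasses import dataclass

# Constructed sample of Nmap "normal" output (not a real scan), modelled on
# the PORT / STATE / SERVICE table the answer describes for 10.73.31.74.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap ( https://nmap.org )
Nmap scan report for 10.73.31.74
Host is up (0.0012s latency).
Not shown: 994 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
80/tcp   open     http
515/tcp  open     printer
1234/tcp open     unknown
5432/tcp open     postgresql
8080/tcp filtered http-proxy

Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
"""


@dataclass(frozen=True)
class PortEntry:
    port: int
    proto: str
    state: str
    service: str


# One table row looks like "<port>/<proto>  <state>  <service>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
TARGET_LINE = re.compile(r"^Nmap scan report for (\S+)")


def parse_nmap_output(text):
    """Return (target, [PortEntry, ...]) parsed from Nmap's normal output."""
    target = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        t = TARGET_LINE.match(line)
        if t:
            target = t.group(1)
            continue
        m = PORT_LINE.match(line)
        if m:
            entries.append(PortEntry(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return target, entries


# Hypothetical review policy for this example: open services that an
# administrator auditing their own host should look at and justify.
REVIEW_POLICY = {
    "ftp": "cleartext credentials on the wire",
    "telnet": "cleartext remote shell",
    "unknown": "listener Nmap could not identify; verify which process owns it",
}


def review_open_ports(entries):
    """List (port, service, reason) for open ports that match the review policy."""
    return [
        (e.port, e.service, REVIEW_POLICY[e.service])
        for e in entries
        if e.state == "open" and e.service in REVIEW_POLICY
    ]


if __name__ == "__main__":
    target, ports = parse_nmap_output(SAMPLE_NMAP_OUTPUT)
    print(f"{target}: {len(ports)} ports listed")
    for port, service, reason in review_open_ports(ports):
        print(f"  review {port}/{service}: {reason}")
```

Only "open" entries are reported; a "filtered" state means a firewall dropped the probe, which says nothing about what is listening behind it.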
2. In network security the principles of Confidentiality, Integrity, Availability and Non-Repudiation are well known. Give an example of the implementation of each of these principles in an application of your choice. (Weight 15%)

The CIA triad, or security triad as it is sometimes referred to, is a model that represents the three core principles of information security: confidentiality, integrity and availability. They are the goals of information security.

In terms of information security, confidentiality is all about protecting data from unauthorised access: ensuring that only authorised individuals can access the data and unauthorised individuals cannot. It is also important to keep in mind that confidentiality applies to data at rest (data on an HDD, for example) as well as to data that is being processed or in transit, such as email communication.

A number of methods are used to maintain confidentiality. One extremely good method is encryption, the use of cryptography. If we take a look at the diagram below:

we can notice that encryption involves taking some data that is usually readable by humans, called clear text (for example the text of an email). The email message then goes through a special process known as an encryption algorithm. The encryption algorithm uses complex mathematical calculations and a secret key known only to the sender, the recipient or both. In order to access the data once encrypted, an individual must have the correct key to be able to decrypt the data and make it readable again. Internet e-mail relies primarily upon the Simple Mail Transfer Protocol (SMTP). SMTP provides no security services. The only means to protect e-mail is to add encryption to the client applications used. That is why one e-mail security solution lies in Secure Multipurpose Internet Mail Extensions (S/MIME). S/MIME secures the transmission of e-mail and attachments. S/MIME provides protection through public key encryption and digital signatures. Two types of messages can be formed using S/MIME: signed messages and enveloped messages. A signed message provides integrity and sender authentication. An enveloped message provides integrity, sender authentication and confidentiality. So with S/MIME not only confidentiality is ensured, but also the integrity of an email message.

Integrity is the second CIA triad principle. Maintaining integrity is about ensuring that the data has not been altered or changed by unauthorised individuals. To help maintain integrity, the technique called Digital Signature is often used. The digital signature can be compared to a real-world individual’s handwritten signature. A handwritten signature validates the identity of the individual. A digital signature uses the same principle, but it uses electronic means to accomplish the same task. The digital signature is created by using a combination of hashing, certificates and keys.
In the example above, User 1 sends an email that he has digitally signed to User 2. The digital signature not only identifies the sender of the email, but also contains a hash of the message itself. Therefore, if the message is altered, the hash value will not match at the other end, and the loss of integrity is revealed. A digital signature also provides something called non-repudiation. This means that the sender of the email in the example cannot deny that he sent the message.
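
The hash comparison described above, shown as an added Python illustration that is not part of the original answer: the Python standard library has no S/MIME or public-key signing, so this example uses SHA-256 for the message hash and an HMAC with a shared key for the authenticated tag. The sender, recipient and body are all bound into the tag, so tampering with any of them is detected. The key, addresses and message text are constructed for the example. Note the limit a practitioner should keep in mind: an HMAC gives integrity and sender authentication only between the parties holding the key, and not non-repudiation, because either party could have produced the tag; the public-key signature the answer describes is what adds that property.

```python
import hashlib
import hmac

# Constructed key for the example only; a real deployment derives or exchanges
# keys properly and never embeds them in source.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def canonical_bytes(sender, recipient, body):
    """Serialise the fields so that sender, recipient and body are all covered by the tag."""
    return f"from:{sender}\nto:{recipient}\n\n{body}".encode("utf-8")


def message_hash(sender, recipient, body):
    """Plain SHA-256 digest: the 'hash of the message' that a signature carries."""
    return hashlib.sha256(canonical_bytes(sender, recipient, body)).hexdigest()


def make_tag(sender, recipient, body, key=SHARED_KEY):
    """Integrity and authentication tag keyed with a shared secret (HMAC-SHA256)."""
    return hmac.new(key, canonical_bytes(sender, recipient, body), hashlib.sha256).hexdigest()


def verify_tag(sender, recipient, body, tag, key=SHARED_KEY):
    """Constant-time comparison; True only if nothing covered by the tag changed."""
    return hmac.compare_digest(make_tag(sender, recipient, body, key), tag)


if __name__ == "__main__":
    tag = make_tag("user1@example.test", "user2@example.test", "Please approve invoice 42")
    print("original verifies:", verify_tag("user1@example.test", "user2@example.test", "Please approve invoice 42", tag))
    print("altered body verifies:", verify_tag("user1@example.test", "user2@example.test", "Please approve invoice 43", tag))
    print("altered sender verifies:", verify_tag("mallory@example.test", "user2@example.test", "Please approve invoice 42", tag))
```

`hmac.compare_digest` is used instead of `==` so that the comparison time does not leak how many leading bytes of a forged tag were correct.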

The third CIA triad security principle is Availability. Availability is about ensuring that systems, data and services are up and running and available when needed. There are a number of factors that can cause loss of availability, including faults and hardware breakdowns, software bugs, deletion of data by human error, poor design and lack of scalability, power failure, fires and natural disasters like floods, earthquakes and hurricanes. Hardware fault tolerance and redundancy is one of the methods used to help maintain availability. Hardware fault tolerance means the system is able to tolerate a critical fault and continue to operate. This is achieved by using redundant hardware (extra hardware that is available to take over in the event of failure). One example is RAID (Redundant Array of Independent Disks). It is a technology used in many services to provide disk fault tolerance. RAID involves combining disks to function like a single disk. RAID, for example, can tolerate the loss of a single disk drive and continue to function.

3. In one lecture session it was explained that there are network vulnerabilities in the working mechanism of the protocols at every layer of a network, such as ARP Spoofing, SYN Flood, etc. One of the protocols that plays a very significant role on the internet is DNS (Domain Name System), which works over port 53. (Weight 25%)

a. Explain in detail the steps of how DNS works and their relation to the hierarchical structure of the internet

The way DNS works is an iterative, step-by-step process. It can be explained through the following simple example:

Example scenario: let’s say a DNS client (a UI student, for example) needs to access the web page ‘emas.ui.ac.id’

STEP 1: After the web address is typed in the web browser, the web browser checks whether it can find the IP address for the requested website in its own cache memory. If yes, then the web page is delivered immediately to the client. However, if the answer is no, then a Domain Name Server is needed.

STEP 2: The DNS client sends a query to the Resolver Server (the client’s local ISP server). When the Resolver receives the query, it first checks its own cache memory to find an IP address for ‘emas.ui.ac.id’. If the Resolver cannot find the IP address in its cache memory, then STEP 3 follows.

STEP 3: The Resolver Server sends the query to the next level, which is the Root Server. Root servers themselves do not map IP addresses to domain names. Instead, they hold information about all top-level domain (TLD) Name Servers and point to their location. So basically the Root Server knows how to direct the Resolver Server to the TLD Name Server for the ‘.id’ domain.

STEP 4: Once the Resolver Server gets a reply with the location of the TLD Name Server, it asks the TLD Name Server for the IP address of ‘emas.ui.ac.id’. The TLD Name Server manages the ‘.id’ domain and does not know the IP address of ‘emas.ui.ac.id’, but it can direct the Resolver Server to the second-level domain Name Server that manages the subdomain ‘ac.id’, which is a subdomain of the top-level domain ‘.id’.

STEP 5: The Resolver Server again sends the request for the sought IP address, but now to the second-level domain Name Server responsible for the subdomain ‘ac.id’. The second-level domain Name Server directs the Resolver Server to the third-level domain Name Server responsible for the subdomain ‘ui.ac.id’ (‘ui.ac.id’ is a subdomain of ‘ac.id’).

STEP 6: The same IP address request for ‘emas.ui.ac.id’ is sent to the third-level domain Name Server responsible for the domain ‘ui.ac.id’. The third-level Name Server directs the Resolver Server to the last Name Server (the fourth-level Name Server), which is the Authoritative Name Server for the web page ‘emas.ui.ac.id’.

STEP 7: The Resolver Server sends the IP request for ‘emas.ui.ac.id’ to the Authoritative Name Server. This fourth-level domain server is the server that finally knows the IP address of the requested web page ‘emas.ui.ac.id’, and it sends the response back to the Resolver Server with the requested IP address.

STEP 8: Now that the Resolver Server knows the requested IP address, what is left is to forward the address to the DNS client (the UI student) who initially asked for it. Now the client’s browser is ready to display the web page ‘emas.ui.ac.id’.

The fact that web domains are hierarchically organised (the top-level domain ‘.id’ contains the second-level domain ‘ac.id’, the second-level domain contains the third-level domain ‘ui.ac.id’, etc.) is actually a good example of the hierarchical structure of the Internet.
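
The iterative walk in STEP 2 to STEP 8, written out as an added Python simulation (not part of the original answer and not a real resolver): each name server in the constructed table either holds the answer or refers the resolver to the server for the next level down, and the resolver keeps a cache so a repeated lookup stops at STEP 2. The server names and the 192.0.2.10 address (a documentation range) are placeholders; the hierarchy root → ‘id’ → ‘ac.id’ → ‘ui.ac.id’ → ‘emas.ui.ac.id’ is the one from the answer.

```python
# Constructed name-server data modelling STEP 3 to STEP 7. Each server either
# holds the answer or refers the resolver to the server one level down.
# Server names and the 192.0.2.x address are placeholders, not real records.
ZONES = {
    "root": {"answers": {}, "referrals": {"id": "tld-id-ns"}},
    "tld-id-ns": {"answers": {}, "referrals": {"ac.id": "ac-id-ns"}},
    "ac-id-ns": {"answers": {}, "referrals": {"ui.ac.id": "ui-ac-id-ns"}},
    "ui-ac-id-ns": {"answers": {}, "referrals": {"emas.ui.ac.id": "emas-auth-ns"}},
    "emas-auth-ns": {"answers": {"emas.ui.ac.id": "192.0.2.10"}, "referrals": {}},
}


def enclosing_domains(name):
    """'emas.ui.ac.id' -> ['emas.ui.ac.id', 'ui.ac.id', 'ac.id', 'id'] (longest first)."""
    labels = name.strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


class IterativeResolver:
    def __init__(self, zones, max_hops=16):
        self.zones = zones
        self.max_hops = max_hops  # guard against a referral loop in bad zone data
        self.cache = {}

    def resolve(self, name):
        """Return (ip_or_None, trail of servers consulted in order)."""
        if name in self.cache:  # STEP 2: answer already in the resolver's cache
            return self.cache[name], ["cache"]
        trail = []
        server = "root"  # STEP 3: start at the root
        for _ in range(self.max_hops):
            trail.append(server)
            zone = self.zones[server]
            if name in zone["answers"]:  # STEP 7: the authoritative server answers
                ip = zone["answers"][name]
                self.cache[name] = ip  # STEP 8: remember it for the next client
                return ip, trail
            # STEP 4-6: follow the referral for the closest enclosing domain
            next_server = next(
                (zone["referrals"][d] for d in enclosing_domains(name) if d in zone["referrals"]),
                None,
            )
            if next_server is None:
                return None, trail  # nobody at this level knows the name
            server = next_server
        return None, trail


if __name__ == "__main__":
    resolver = IterativeResolver(ZONES)
    print(resolver.resolve("emas.ui.ac.id"))  # full walk down the hierarchy
    print(resolver.resolve("emas.ui.ac.id"))  # served from cache
```

The trail returned for the first lookup lists one server per level of the hierarchy, which is exactly the point the answer makes: the domain name's dots map onto the chain of servers consulted.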

b. Name 3 (three) types of attack involving DNS that have become a serious phenomenon recently, and explain their working principles

DNS spoofing is a type of DNS attack in which the attacker can trick (poison) the DNS Resolver (DNS Local Server) by storing a malicious site in the DNS Resolver’s cache memory instead of the one you want to visit. All traffic from the attacked server and all hierarchically lower servers is redirected where the attacker wants. How is this attack carried out? By simultaneously sending a large number of queries and false answers, where the attacker presents himself as the authoritative server for the selected domain. For a DNS server to accept a response as valid, it must contain the same port number that was randomly generated during the query. This is exactly the attacker’s target: if he manages to guess the port number and send a false answer to the query before the authoritative server sends the right answer, he will successfully poison the cache. That is why attackers send a large number of queries, thus increasing their chances of guessing the port number, but also slowing down the DNS Resolver enough for their false answer to arrive first.
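
The resolver-side check that the paragraph above relies on, as an added Python example (not part of the original answer and not any real resolver's code): a reply is accepted only if it matches an outstanding query on the randomly chosen source port, on the 16-bit transaction ID that every DNS message also carries, on the queried name and on the address it was sent to, and only the first matching reply is used. This is the defensive side of the attack described: the larger the space of values a blind forger has to guess, the less likely a false answer lands. Addresses and names in the example are constructed (documentation ranges and the reserved .test domain).

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class OutstandingQuery:
    txid: int       # 16-bit DNS transaction ID
    src_port: int   # UDP source port chosen for this query
    qname: str
    server: str     # address the query was sent to


@dataclass(frozen=True)
class Reply:
    txid: int
    dst_port: int
    qname: str
    src: str        # address the reply arrived from
    answer: str


class ValidatingResolver:
    """Accepts a reply only if it matches an outstanding query on every field."""

    def __init__(self):
        self.pending = {}   # (txid, src_port) -> OutstandingQuery
        self.cache = {}
        self.rejected = 0   # counter worth exporting to monitoring: a spike means forged replies

    def send_query(self, qname, server):
        # Unpredictable ID and port: a forger who cannot see the query must
        # guess both, so each forged reply has a 1 in guess_space() chance.
        q = OutstandingQuery(
            txid=secrets.randbelow(1 << 16),
            src_port=1024 + secrets.randbelow(65536 - 1024),
            qname=qname,
            server=server,
        )
        self.pending[(q.txid, q.src_port)] = q
        return q

    def receive(self, reply):
        q = self.pending.get((reply.txid, reply.dst_port))
        if q is None or q.qname != reply.qname or q.server != reply.src:
            self.rejected += 1
            return False
        # First matching reply wins; any later copy (genuine or forged) is dropped.
        del self.pending[(reply.txid, reply.dst_port)]
        self.cache[reply.qname] = reply.answer
        return True


def guess_space():
    """Number of (txid, port) combinations a blind forger has to cover."""
    return (1 << 16) * (65536 - 1024)


if __name__ == "__main__":
    r = ValidatingResolver()
    q = r.send_query("example.test", "198.51.100.1")
    print("genuine accepted:", r.receive(Reply(q.txid, q.src_port, "example.test", "198.51.100.1", "192.0.2.7")))
    print("replay accepted:", r.receive(Reply(q.txid, q.src_port, "example.test", "198.51.100.1", "192.0.2.7")))
    print("guess space:", guess_space())
```

Resolvers that use a fixed source port collapse `guess_space()` to 65536, which is why source-port randomisation is the standard hardening, with DNSSEC validation as the stronger answer because a forged record then fails the signature check regardless of timing.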

The next common DNS attack is the SYN flood attack, waged by breaking the standard three-way handshake used by TCP/IP to initiate communication sessions. Normally, a client sends a SYN packet to the DNS server, the DNS server responds with a SYN/ACK packet to the client, and the client then responds with an ACK packet back to the DNS server. This three-way handshake establishes a communication session that is used for data transfer until the session is terminated (using a three-way handshake with FIN and ACK packets). A SYN flood occurs when numerous SYN packets are sent to the DNS server but the sender never replies to the server’s SYN/ACK packets with the final ACK.
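
The half-open pattern just described is what a detection rule looks for. The Python example below is added here and is not part of the original answer: it reads a constructed connection log (time, source, destination, TCP flags; the log lines are made up and use documentation address ranges), counts per source the handshakes that were started toward the DNS server's TCP port but never completed with the final ACK, and flags sources above a threshold. The log format and the threshold are assumptions for the example; a real deployment would take the same fields from a flow collector or firewall log.

```python
from collections import defaultdict

# Constructed connection log (not captured traffic): time, source, destination,
# TCP flags. One client completes the handshake; one source sends SYNs only
# and never answers the server's SYN/ACKs.
SAMPLE_LOG = (
    "1.000 10.0.0.5:40001 -> 10.0.0.53:53 S\n"
    "1.001 10.0.0.53:53 -> 10.0.0.5:40001 SA\n"
    "1.002 10.0.0.5:40001 -> 10.0.0.53:53 A\n"
    + "".join(f"2.{i:03d} 203.0.113.9:{50000 + i} -> 10.0.0.53:53 S\n" for i in range(40))
    + "".join(f"2.{i:03d} 10.0.0.53:53 -> 203.0.113.9:{50000 + i} SA\n" for i in range(40))
)


def parse_log(text):
    """Return (time, src_ip, src_port, dst_ip, dst_port, flags) tuples, one per line."""
    records = []
    for line in text.splitlines():
        ts, src, _, dst, flags = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        records.append((float(ts), src_ip, int(src_port), dst_ip, int(dst_port), flags))
    return records


def half_open_by_source(records, server_ip, server_port):
    """Count, per source IP, handshakes started toward the server but never completed."""
    opened = defaultdict(set)     # src_ip -> source ports that sent a SYN
    completed = defaultdict(set)  # src_ip -> source ports that later sent an ACK
    for _, src_ip, src_port, dst_ip, dst_port, flags in records:
        if (dst_ip, dst_port) != (server_ip, server_port):
            continue  # only traffic toward the protected service
        if flags == "S":
            opened[src_ip].add(src_port)
        elif flags == "A" and src_port in opened[src_ip]:
            completed[src_ip].add(src_port)  # final ACK of the three-way handshake
    return {ip: len(opened[ip] - completed[ip]) for ip in opened}


def detect_syn_flood(records, server_ip, server_port, threshold=20):
    """Sources with at least `threshold` half-open connections, sorted for stable output."""
    counts = half_open_by_source(records, server_ip, server_port)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(half_open_by_source(recs, "10.0.0.53", 53))
    print("SYN flood suspects:", detect_syn_flood(recs, "10.0.0.53", 53))
```

In practice the count should be taken over a sliding time window rather than the whole log, and a single source with many half-open connections is the simple case; a flood from spoofed source addresses shows up instead as a high total of half-open entries with no source above the per-IP threshold, so the total is worth alerting on as well.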
The next type of attack, although much more effective, is called DRDoS (reflected DDoS). The idea is to force infected devices to send legitimate requests to the service being attacked. For example, a site that sells some products offers the option of sending price lists in PDF format. The request to get that price list “weighs” a few bytes, but the site’s response is more than a megabyte. When the number of these requests is multiplied by the number of infected devices, the effect is much more destructive than with ordinary DDoS attacks.

c. Explain what you know about OpenDNS, and how far it relates to vulnerabilities in the network

OpenDNS is a very interesting service that improves the speed of address translation and increases the security of Internet surfing. The basic purpose of OpenDNS servers is to offer a huge amount of cache memory with ready DNS entries. Internet users who use OpenDNS servers have significantly more data stored in that cache. In addition to offering a huge cache and improving performance, OpenDNS also offers a number of other useful features. For example, the service provides alert information about fraudulent websites created by attackers for the purpose of obtaining sensitive data through phishing. When a user tries to log in to such a site, the OpenDNS service sends its own IP address in response to the request, which directs the user to a security page.

d. Recently there has been a new development concerning access through DNS over HTTPS (DoH), which has become a new challenge in securing networks against anonymous activities. Explain how DoH works and what alternative solutions can be applied to reduce its security risk.

DNS over HTTPS is a standard developed for encrypting plaintext DNS traffic so as to stop malicious parties, advertisers and ISPs from being able to interpret the data. With DoH, DNS queries and responses are encrypted and sent over HTTPS rather than directly over UDP. DoH ensures that attackers cannot copy or change DNS traffic. DoH traffic looks like other HTTPS traffic, for example normal user-driven interactions with websites and web apps.

As an alternative to DoH, DoT (DNS over TLS) is arguably better. It gives network administrators the ability to observe and block DNS queries, which is very important for identifying and stopping malicious traffic. Despite this, from a privacy point of view DoH is better. With DoH, DNS queries are hidden within the larger flow of HTTPS traffic. This gives network administrators less visibility but gives users more privacy.
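
To make concrete what "a DNS query sent over HTTPS" looks like on the wire, here is an added Python example that is not part of the original answer: it builds a minimal DNS query message in the standard wire format and wraps it the way the DoH specification (RFC 8484) defines for the GET method, as a base64url string without padding in the `dns=` parameter of the resolver URL. The resolver URL `https://doh.example/dns-query` is a placeholder, and no network request is made; the code only shows the encoding, plus the inverse decoding a TLS-terminating proxy would need in order to see the queried name again.

```python
import base64
import struct


def build_dns_query(qname, qtype=1):
    """Minimal DNS wire-format query (RFC 1035): 12-byte header plus one question.
    The message ID is 0 because RFC 8484 recommends that for DoH so that
    identical queries produce identical, cacheable HTTP requests."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD set; QDCOUNT=1
    labels = qname.strip(".").split(".")
    question = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # root label, QTYPE, QCLASS=IN
    return header + question


def doh_get_url(resolver_url, wire):
    """RFC 8484 GET form: base64url-encoded message with '=' padding stripped."""
    encoded = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def decode_dns_param(param):
    """Inverse of doh_get_url's encoding: restore the padding, then decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def question_name(wire):
    """Read QNAME back out of a wire-format query (queries carry no name compression)."""
    pos, labels = 12, []
    while wire[pos] != 0:
        n = wire[pos]
        labels.append(wire[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


if __name__ == "__main__":
    wire = build_dns_query("emas.ui.ac.id")
    url = doh_get_url("https://doh.example/dns-query", wire)
    print(url)
    print("decoded name:", question_name(decode_dns_param(url.rsplit("dns=", 1)[1])))
```

Everything after the `?` travels inside the TLS session, so a network observer sees only a connection to the resolver host on port 443; this is the loss of visibility the answer describes, and it is why organisations that need to inspect DNS either route clients to a DoH resolver they operate themselves or terminate TLS at a proxy where the decoding above can be applied.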

4. As you know, in network security architecture there are 10 (ten) security principle strategies that can be chosen for implementation, according to the policy of each organisation/institution (or even at a wider scope, such as at the national level). (Weight 20%)

a. In your opinion, which security principle strategies are the most appropriate to apply in your organisation/institution? Give your reasons!

The most suitable security principle for the company I was working in could be the principle of Least Privilege. This principle states how privileges are to be granted to a subject. A subject should be given only those privileges that it requires for completing a task. I can explain this with the example of the company I was working in. I worked for two years in a company whose main purpose is providing data entry services for clients who need data digitalisation. The organisation of the company is strictly hierarchical. One team is divided into 3 levels: the first level for agents whose task is simple data entry; the second level for data entry control agents; and the third level for quality control agents. The team is led by a team leader. There are several projects in the company and therefore several teams, where each team is responsible for one project. Those teams that focus on projects of a similar nature are put into one group. Every group of teams is led by a project manager. Finally, the project managers are responsible to the Operations Director.
This hierarchical organisational structure gives different responsibilities to different job roles in the company. The network administrator of that company needs to focus on data security against possible attacks that might come from parties outside the company. In order to maximise that focus, the network system of the company should be organised in the same way as the employee roles in the company, which means hierarchically. In this way the network administrator simplifies management of the network by eliminating any unauthorised activity by any employee. The second reason lies in the reasonable usage of the company’s network resources. If the network administrator ensures that every employee can use the network only within the scope of his work obligations, then the network administrator will be able to maximise his focus on outside attacks. Efficient solutions can be achieved more easily only with good focus, and that is the reason why I choose the principle of Least Privilege.

b. One example of implementation at the national level is the one applied in China, namely the “Choke-Point” strategy known as “The Great Firewall of China”. What is your opinion of this strategy? Explain briefly how this mechanism is implemented in China. In your opinion, is this strategy suitable to be applied in Indonesia?

The strategy known as “The Great Firewall of China” has its advantages and disadvantages. This strategy is beneficial for the development of the Chinese national economy, but at the same time it undermines the idea of the global nature of the Internet. People in China lack access to the same websites that people normally visit around the world (Google, YouTube, Facebook, etc.). Access is restricted by government policy, but at the same time it offers alternative Chinese solutions (Baidu, WeChat, etc.). On the other hand, such a restrictive policy led to the development of the Chinese digital economy, placing it at a very high level. In my opinion, the example of “The Great Firewall” might inspire other countries as well to create their own governed, independent internet. This leads us to the idea that the internet in the future might no longer be fully global, which would decrease opportunities for trading economies around the world. I think China adopted such a strategy in order to focus on its own economic development, but such a model is not applicable to the great majority of the rest of the world. The idea when the Internet was born was that it should offer the free exchange of knowledge across the world. However, if the other developed countries of the world followed the strategy of “The Great Firewall”, the capacity for the exchange of knowledge would be radically limited. Therefore, I would not like the idea of the global nature of the Internet to disappear. As for Indonesia, it is a developing country. Therefore, Indonesia should concentrate on upgrading its internet infrastructure, and for that cooperation with other countries is needed. Having said this, I would conclude that this strategy should not be applied in Indonesia.

“The Great Firewall of China” is achieved by 3 methods. The first one is IP blocking. For a typical PC set up on the Internet in the USA, the computer requiring access to a website sends a download request to the destination server. This server then replies to the user’s computer with response data that includes its own IP address and the data requested along with it.
1st method: IP blocking

With IP blocking enabled, this functions much differently. In China, The Great Firewall sits between the Chinese telco provider and the external foreign server that the user is attempting to access. This firewall is able to filter the data that moves between local servers and overseas servers and to block data coming from IPs which are disallowed.

The second method used by The Great Firewall to restrict data is known as DNS poisoning or DNS spoofing. This method is described in the second question (the question about DNS) in the part about DNS attacks. The third way that China manages to catch unauthorised content is by self-censorship and manual enforcement. According to Chinese laws and regulations, Chinese firms are completely and wholly responsible for their content. As such, Chinese firms employ thousands of workers to control their own sites and pull down content that is deemed inappropriate. These workers monitor social media sites, message boards, instant messages and more. Additionally, the Chinese government itself is estimated to employ several hundred thousand or even millions of people, according to some reports, to comb through the Web and report unauthorised content.

5. From the perspective of network security control, among the aspects Vulnerability, Threat and Risk, the one outside our control is Threat (threats, attacks, etc.), because it is a condition that lies outside the system. Therefore the dynamics of the trends in various Threat developments must be continually observed, followed and studied. Among the sources of information that can be used as references are one’s own monitoring sensors (a SOC or Security Operation Center); information sharing platforms based on CTI (Cyber Threat Intelligence); and also the Threat Landscape publications issued by various institutions related to cyber security, whether CERT/CSIRT institutions, state agencies, research institutes, or even those published periodically by various reputable vendors. (Weight 20%)

a. Search the literature or references of various Threat Landscape reports to determine the Top 5 (Five) Security Threats that are most up to date (currently 2020, Q3 position).

Analysing the diagram above from the McAfee Labs Threats Report (November 2020), we can conclude that the top five threats in 2020 are: 1. Malware, 2. Account Hijacking, 3. Targeted Attack, 4. Vulnerability attack and 5. DDoS.

b. Explain your analysis: what conditions cause this to happen, what are the risks, and what anticipation must be done to face these threats? From your findings, which threats are the newest? Are there still old threats that remain a threat?

From the diagram of the McAfee Report above, we can conclude that threats of the type Business Email Threats or Malicious Script Threats are the newest kinds of threats.
