Domain objectives
Topics covered
Who?
University of Indonesia – University of Budi Luhur
Magister of Information Technology
How?
• Administrative controls
– Policies
– Procedures
• Logical controls
– Passwords
• Physical controls
– Electric door
• Awareness training
• Background checks
• Separation of duties
• Split knowledge
• Policies
• Data classification
• Effective user registration
• Termination procedures
• Change control procedures
• Guards
• Locks
• Mantraps
• ID badges
• CCTV, sensors, alarms
• Biometrics
• Fences - the higher the voltage the better
• Card-key and tokens
• Guard dogs
Man Trap
1. Insert an identification card (what you have)
2. Type a 12-digit secret number (what you know)
3. The computer randomly selects words that must be spoken back (who you are)
Execute only
Mandatory vs Discretionary Access Control
• Mandatory
– “The system decided how the data will be shared”
– Enforces corporate security policy
– Compares sensitivity of information resources
• Discretionary
– “You decided how you want to protect and share your data”
– Enforces data-owner-defined sharing of information resources
• Downgrade in performance
• Relies on the system to control access
• Example: if a file is classified as confidential, MAC will prevent anyone from writing secret or top secret information into that file.
• All output, i.e. print jobs, floppies and other magnetic media, must be labeled with its sensitivity level
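The MAC rule in the example above, beside a discretionary (DAC) check for contrast, as an added example that is not from the lecture slides: in MAC the system compares sensitivity labels and the owner has no say, while in DAC the owner's own access list decides. The label set, user names and the ACL are constructed for illustration.

```python
# Added example, not from the lecture slides: a minimal mandatory access
# control (MAC) decision beside a discretionary (DAC) one. The label set,
# names and ACL below are constructed.

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def mac_can_read(subject_clearance: str, object_label: str) -> bool:
    """No read up: the subject's clearance must dominate the object's label."""
    return LEVELS[subject_clearance] >= LEVELS[object_label]


def mac_can_write(subject_clearance: str, object_label: str) -> bool:
    """No write down: the object's label must dominate the subject's clearance.
    This is the rule that stops a secret-cleared subject from writing secret
    information into a confidential file (the slide's example)."""
    return LEVELS[object_label] >= LEVELS[subject_clearance]


def mac_check(subject_clearance: str, object_label: str, mode: str) -> bool:
    if mode == "read":
        return mac_can_read(subject_clearance, object_label)
    if mode == "write":
        return mac_can_write(subject_clearance, object_label)
    raise ValueError(f"unknown access mode: {mode}")


def mac_decisions(file_label: str = "confidential") -> dict:
    """(read allowed, write allowed) on one file for subjects at every clearance."""
    return {
        clearance: (mac_check(clearance, file_label, "read"),
                    mac_check(clearance, file_label, "write"))
        for clearance in LEVELS
    }


# DAC for contrast: a constructed per-file access list set by the file's owner.
DAC_ACL = {
    "report.txt": {"owner": "alice", "read": {"alice", "bob"}, "write": {"alice"}},
}


def dac_check(user: str, filename: str, mode: str) -> bool:
    """The owner always has access; everyone else only what the owner granted."""
    entry = DAC_ACL[filename]
    return user == entry["owner"] or user in entry.get(mode, set())


if __name__ == "__main__":
    for clearance, (r, w) in mac_decisions().items():
        print(f"{clearance:>13}: read={r} write={w}")
```

Note that under MAC a secret-cleared user may read the confidential file but not write to it, whereas an unclassified user may write (append) but not read; neither decision can be overridden by whoever owns the file.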
Authentication
3 types of authentication:
Something you know - password, PIN, mother's maiden name, passcode, fraternity chant
Something you have - ATM card, smart card, token, key, ID badge, driver license, passport
Something you are - fingerprint, voice scan, iris scan, retina scan, body odor, DNA
Multi-factor authentication
2-factor authentication. To increase the level of security, many systems will require a user to provide 2 of the 3 types of authentication.
ATM card + PIN
Credit card + signature
PIN + fingerprint
Username + Password (NetWare, Unix, NT default)
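A two-factor check of the kind described above, as an added example that is not from the slides: it passes only when factors from two different categories verify, here a PIN (something you know) and a challenge-response token (something you have, modelled on the KeyBCA-style device the deck mentions later). The user name, PIN, salt and token seed are constructed.

```python
# Added example, not from the slides: two-factor authentication requiring two
# *distinct* factor categories. All secrets and names are constructed.
import hashlib
import hmac
import secrets

FACTOR_CATEGORY = {"pin": "know", "password": "know", "token": "have", "fingerprint": "are"}


def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


# Constructed server-side record: the PIN is kept only as a salted hash; the
# token seed is the secret also programmed into the user's device.
PIN_SALT = b"constructed-salt"
USER_DB = {
    "alice": {
        "pin_salt": PIN_SALT,
        "pin_hash": hash_pin("4821", PIN_SALT),
        "token_seed": b"constructed-token-seed-for-alice",
    }
}


def new_challenge() -> str:
    """The server issues a fresh random challenge so a captured response is useless later."""
    return secrets.token_hex(4)


def token_response(seed: bytes, challenge: str) -> str:
    """What the token computes from the challenge: an HMAC truncated to 8 digits."""
    mac = hmac.new(seed, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def verify_factor(user: str, kind: str, value: str, challenge: str) -> bool:
    rec = USER_DB[user]
    if kind == "pin":
        return hmac.compare_digest(hash_pin(value, rec["pin_salt"]), rec["pin_hash"])
    if kind == "token":
        return hmac.compare_digest(token_response(rec["token_seed"], challenge), value)
    return False  # factor not enrolled for this user


def authenticate(user: str, factors: dict, challenge: str, required_categories: int = 2) -> bool:
    """Count the distinct categories that verified. PIN + password would still be
    a single category ('know'), so it does not satisfy two-factor."""
    verified = {FACTOR_CATEGORY[k] for k, v in factors.items()
                if verify_factor(user, k, v, challenge)}
    return len(verified) >= required_categories


if __name__ == "__main__":
    ch = new_challenge()
    # The user reads the challenge, types it into the token, and enters the response.
    resp = token_response(USER_DB["alice"]["token_seed"], ch)
    print("challenge", ch, "->", authenticate("alice", {"pin": "4821", "token": resp}, ch))
```

The response is bound to the server's challenge, so a response observed once cannot be reused against a later login; the PIN alone, or the token alone, is refused because only one category verified.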
Password drawbacks
• An eavesdropper can steal the password while it is being spoken
• A thief can steal the password list from the server
• The password may be easy to guess
• Measures taken to make password use more secure may make the computer less convenient to use, e.g. the computer chooses the password for you, or the password must be changed after a certain period
Password distribution
• The user comes to the administrator. What if someone impersonates the user?
• Use a KTP/SIM/KTM (an ID card with a photo)
• The user chooses the password at a dedicated terminal.
• Or the user is given a password that is used for the first login only, after which they are forced to change it. This is called a pre-expired password.
• A wrong way: the password is the student number (NPM), announced by broadcast (for example, posted on the notice board).
• At a bank, we are sent a letter containing our PIN. What is your opinion?
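A small password store that addresses two of the points above, the stolen password list (keep salted hashes, never plaintext) and the pre-expired initial password (the first login works only to reach the change-password step), as an added example that is not from the slides. The user name, the 90-day age limit, the 12-character minimum and the temporary password are constructed.

```python
# Added example, not from the slides: salted password hashing plus a
# pre-expired initial password. Policy values and names are constructed.
import hashlib
import hmac
import secrets
import time

ITERATIONS = 200_000
MAX_AGE_SECONDS = 90 * 24 * 3600  # constructed policy: change password every 90 days
MIN_LENGTH = 12                   # constructed policy


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class PasswordStore:
    def __init__(self, clock=time.time):
        self._users = {}
        self._clock = clock  # injectable so the ageing rule can be tested

    def issue_initial_password(self, user: str) -> str:
        """The administrator hands the user a random password that is pre-expired:
        it opens the door once, only to the change-password step."""
        temp = secrets.token_urlsafe(9)
        self._store(user, temp, pre_expired=True)
        return temp

    def _store(self, user: str, password: str, pre_expired: bool) -> None:
        salt = secrets.token_bytes(16)  # fresh salt per password, so a stolen
        self._users[user] = {            # list cannot be cracked with one table
            "salt": salt,
            "hash": _hash(password, salt),
            "set_at": self._clock(),
            "pre_expired": pre_expired,
        }

    def _matches(self, user: str, password: str) -> bool:
        rec = self._users.get(user)
        if rec is None:
            _hash(password, b"\0" * 16)  # same cost for unknown users
            return False
        return hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])

    def login(self, user: str, password: str) -> str:
        """Returns 'denied', 'change_required' or 'ok'."""
        if not self._matches(user, password):
            return "denied"
        rec = self._users[user]
        if rec["pre_expired"] or self._clock() - rec["set_at"] > MAX_AGE_SECONDS:
            return "change_required"
        return "ok"

    def change_password(self, user: str, old: str, new: str) -> bool:
        if not self._matches(user, old) or len(new) < MIN_LENGTH or new == old:
            return False
        self._store(user, new, pre_expired=False)
        return True


if __name__ == "__main__":
    store = PasswordStore()
    temp = store.issue_initial_password("budi")
    print("first login:", store.login("budi", temp))
    store.change_password("budi", temp, "a-much-longer-secret")
    print("after change:", store.login("budi", "a-much-longer-secret"))
```

Because only salted PBKDF2 hashes are kept, a copy of the store does not reveal passwords directly, and the pre-expired flag means a temporary password learned in transit (a letter, a notice board) stops being useful as soon as the legitimate user has changed it.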
Authentication Token
Smart Card
Credit-card sized, but contains a processor. There are several kinds:
• PIN-protected memory card: the contents can only be read if the PIN is correct
• Cryptographic challenge & response cards
• Contactless smart card
Uses:
– Bank cards: debit & credit
– ID card, including for login (one card for all access)
– Wallet for e-cash
– Payphone
– Loyalty program
– Parking ticket
– Health card: can keep secrets
Biometrics
Fingerprint scan
Hand Signature
Hand Geometry
Advantages of fingerprint-based biometrics
Can't be lent like a physical key or token and can't be forgotten like a password
Good compromise between ease of use, template size, cost and accuracy
Fingerprint contains enough inherent variability to enable unique identification even in very large (millions of records) databases
Basically lasts forever -- or at least until amputation or dismemberment
Makes network login & authentication effortless
Biometric Disadvantages
Performance Issues
• False Rejection Rate (type 1 error): the percentage of valid subjects that are rejected
• False Acceptance Rate (type 2 error): the percentage of invalid subjects that the system accepts
• Crossover Error Rate (CER): the point where FRR equals FAR
• The problem: as sensitivity is raised, FRR rises and FAR falls. An optimum point must be found, namely the CER
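The FRR/FAR trade-off above worked through numerically, as an added example that is not from the slides: the decision threshold is swept from 0 to 1, FRR and FAR are computed at each step, and the threshold where the two rates meet is reported as the CER. The match scores are constructed, not measurements from any real sensor.

```python
# Added example, not from the slides: FRR, FAR and the crossover error rate
# from a constructed set of matcher scores (higher = closer to the template).

GENUINE = [0.91, 0.88, 0.85, 0.80, 0.78, 0.74, 0.70, 0.66, 0.60, 0.55]   # constructed
IMPOSTOR = [0.62, 0.58, 0.52, 0.50, 0.45, 0.40, 0.35, 0.30, 0.22, 0.15]  # constructed


def error_rates(threshold: float, genuine=GENUINE, impostor=IMPOSTOR):
    """FRR = share of genuine attempts rejected (score below the threshold);
    FAR = share of impostor attempts accepted (score at or above it).
    Raising the threshold is the slide's 'raising the sensitivity'."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def sweep(step: float = 0.01):
    """(threshold, FRR, FAR) for every threshold from 0 to 1 inclusive."""
    steps = int(round(1 / step))
    rows = []
    for i in range(steps + 1):
        t = round(i * step, 10)  # avoid accumulated floating-point drift
        rows.append((t,) + error_rates(t))
    return rows


def crossover(rows):
    """The operating point where FRR and FAR are closest: the CER."""
    return min(rows, key=lambda r: abs(r[1] - r[2]))


if __name__ == "__main__":
    t, frr, far = crossover(sweep())
    print(f"CER at threshold {t}: FRR={frr:.0%} FAR={far:.0%}")
    for t in (0.3, 0.5, 0.7, 0.9):
        frr, far = error_rates(t)
        print(f"threshold {t}: FRR={frr:.0%} FAR={far:.0%}")
```

A low threshold accepts almost everyone (FAR high, FRR near zero); a high one rejects many genuine users (FRR high, FAR near zero). On the constructed data the curves cross at a threshold of about 0.59 with FRR = FAR = 10%, which is the CER a vendor would quote.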
[Figure: error rate (%) plotted against sensitivity, marking the CER]
• Example: KeyBCA
• Challenge & response
• Which category does it belong to?
– What you know?
– What you have?
– Who you are?
Single Sign On
Kerberos objects
• Authentication: a token created by the client and sent to the server to prove the user's identity
• Ticket: issued by the TGS (ticket granting service), which the client can “show” to a particular service server (for example, a database server).
• Session key: a random key created by Kerberos and given to the client when it wants to communicate with a particular server.
Note:
• The client needs a ‘ticket’ and a session key to communicate with a particular server; the ticket has a validity period of a few hours.
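The three objects above in one simplified exchange, as an added example that is not from the slides: the TGS issues a ticket sealed under the service's key together with a session key sealed under the client's key, the client builds the token the slide calls "authentication" (the authenticator in Kerberos terminology) under the session key, and the service checks the ticket's lifetime and that the authenticator matches the ticket. Encryption is a toy stand-in built from the standard library (SHA-256 keystream plus an HMAC tag), not real Kerberos cryptography; the principal names, keys and the 8-hour lifetime are constructed.

```python
# Added example, not from the slides: a simplified Kerberos-style ticket,
# session key and authenticator. The sealing primitive is a toy, not Kerberos'.
import hashlib
import hmac
import json
import secrets

TICKET_LIFETIME = 8 * 3600  # constructed: tickets are valid for a few hours
DEMO_KEYS = {                # constructed long-term keys shared with the KDC
    "alice": b"constructed-long-term-key-alice!",
    "db": b"constructed-long-term-key-db!!!!",
}


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption: XOR with a hash keystream, then HMAC tag."""
    data = json.dumps(obj).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class TicketGrantingService:
    def __init__(self, keys: dict):
        self.keys = keys  # long-term keys of every principal

    def issue_ticket(self, client: str, service: str, now: float):
        session_key = secrets.token_hex(16)
        # Ticket: readable only by the service; carries the session key and expiry.
        ticket = seal(self.keys[service], {"client": client, "session_key": session_key,
                                           "expires": now + TICKET_LIFETIME})
        # The same session key, sealed so only the client can read it.
        for_client = seal(self.keys[client], {"service": service, "session_key": session_key})
        return ticket, for_client


def client_authenticator(client_key: bytes, for_client: bytes, client: str, now: float):
    """The client recovers the session key and proves it holds it (the slide's
    'authentication' token) by sealing its name and a timestamp under it."""
    session_key = unseal(client_key, for_client)["session_key"]
    return seal(session_key.encode(), {"client": client, "timestamp": now})


def service_verify(service_key: bytes, ticket: bytes, authenticator: bytes,
                   now: float, max_skew: float = 300) -> str:
    t = unseal(service_key, ticket)
    if now > t["expires"]:
        return "expired ticket"
    a = unseal(t["session_key"].encode(), authenticator)  # raises if forged
    if a["client"] != t["client"]:
        return "authenticator does not match ticket"
    if abs(now - a["timestamp"]) > max_skew:
        return "stale authenticator"
    return "ok"


def demo(now: float = 1_700_000_000.0):
    """Full exchange: returns the verdict at login and after the ticket expires."""
    tgs = TicketGrantingService(DEMO_KEYS)
    ticket, for_client = tgs.issue_ticket("alice", "db", now)
    auth = client_authenticator(DEMO_KEYS["alice"], for_client, "alice", now + 1)
    return (service_verify(DEMO_KEYS["db"], ticket, auth, now + 2),
            service_verify(DEMO_KEYS["db"], ticket, auth, now + TICKET_LIFETIME + 1))


if __name__ == "__main__":
    print(demo())
```

The service never learns the client's long-term key and the client never learns the service's; both trust the TGS, which is the only party holding every key. A stolen ticket on its own is useless to a third party because building the authenticator requires the session key, which only the rightful client could unseal.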