GREEN HYPERSCALE

DATA
CENTER
INDONESIA NEXT LEADING NEUTRAL
CARRIER DATA CENTER PROVIDER

www.mettadc.com
Enlighten Your Business
at Our Future-Ready Data Center
Table of Content

Sukoco Halim Profile 04 MettaDC ID01 Secure Critical Facility 15

Control

05 The Data
Milestone 17

MettaDC Team 06 Scope of Our Security System 17

What are the most common 07 Pentest Type 18

causes of Data Breach?

08
Pentest Method 19
World Secure Data Center Sample

MettaDC Facility And Infrastructure 11 Risk Method

20

MettaDC ID01 Overview

12 Special Offer 53

MettaDC ID01 Security & Protection 12

Layer Data Center
Security Touchless System 14

3
 SUKOCO HALIM

Education Background Organization Experience

Head of Section Member Head of Section

Binus University – Information Technology APJII Regional Jakarta Member APJATEL
Strong Knowledge on Data Center (2021 – 2024) (2021 – 2024)
4
Milestone

PT Inet Globalindo Telkom Sigma

(Become TOP Management at (The career continued to rise to the
Internet Service Provider company) position of Senior Vice President)

2000
2008 2020

2005 2018

PT Insyde Solusindo Cyber Data Center International MettaDC Teknologi Indonesia

(Started business in (Become TOP Management at (Successfully established an
Hardware & Solutions) Internet Service Provider company) international Data Center)
5
 MettaDC team
Sukoco Halim
CEO
Founder of MettaDC, Sukoco leads directly the
development of the data center, bringing with
him more than 20 years of experience in the
data center and critical infrastructure industries.
Sukoco has a proven reputation and track
record of driving technology innovation and
delivering resilient, efficient and cost-effective
designs.
Aprisza Dharmayanti
Director Sales & Marketing
Aprisza brings over 17 years of proven
performance and experience in sales and
marketing in the IT and data center industry.
She runs the commercial arms of the
business covering sales, customer account
management and marketing. Her experience
includes managing and developing high
performing teams in International Data
center players in Malaysia and Indonesia.
Deep marketing and sales experience, with
executive -level roles for China IDC, Alliance
SE Asia and SG Tech's Data and Cloud
Chapter. Prior customer relationships large
global corporates such as Google, Alibaba,
Tencent, Bloomberg and many more.
Regional relationships with KEB Hana Bank,
Darta Media Indonesia (KASKUS), Maybank
Indonesia, CIMB Niaga, Aliansi Teknology
Indonesia (Alipay/Dana).
Zul Harry Ricky Setiadi
Head of Facility Chief Information
Zul runs all operations within Indonesia and Ricky, CEO of PT Digital Inti Garuda, Sister
oversees the complete operations team. He Company of MettaDC that handling security
brings with him more than 15 years of services and product. With the experience
experience in the Telco/ICT industry covering more than 20 years across industry from e-
operations, projects, business, budgeting, commerce, banking, financial technology,
cost, resources and data development and mining
management, ensuring the highest level of
performance.
Team has deep domain experience delivering
DCs and major projects across Asia, covering
International BFSI, global cloud provider and
international Telco providers.
6
What are the most common
causes of Data Breach?
Sutcliffe & Co. Insurance Brokers recently outlined
the most common causes of data breach, as follows:

1. Weak and Stolen Credentials – A.K.A. Passwords

2. Back Doors, Application Vulnerabilities
3. Malware
4. Social Engineering
5. Too Many Permissions
6. Insider Threats (Physical)
7. Physical Attacks (Physical)
8. Improper Configuration, User Error

“When selecting a data center partner, security is of one the most important features of
any data center. After all, your mission-critical infrastructure will be housed within
someone else’s facility. Today, securing the data center has never been more important.
Data breaches and other cyberattacks are a growing threat for any businesses. Learn
how and more importantly why it’s important to secure and protect your data center.”
World secure data center sample 1

Ocean Yacht Data Center

Located on a yacht floating on a barge at the Port of Stockton in
California. Nautilus Data Technologies has won multiple awards
for their water-cooling technology, including, 2016 Startup of the
year, 2017 Data Centre Cutting Edge Breakthrough award, and
was nominated for an Edison Award in 2018. Nautilus uses the
power of the ocean water to cool down its 230 ft. long and 55 ft.
wide data center yacht ( 1.120 sqm )

Underwater Submarine Data Center

Microsoft’s Project Natick is another data center using the
power and benefits of the sea, but takes it a step further
and has completely placed the servers underwater. This
40 ft. long submarine looking data center holds 12 racks
containing 864 servers. Project Natick was built in France
and shipped to Scotland where it is currently. This data
center is powered by the renewable energy generating
electricity from the movement of the sea
World secure data center sample 2

Bahnhof Pionen data centre in Stockholm, Sweden is a former Cold War

bunker located 30 metres under solid bedrock. It is said to be able to
withstand the blast from a hydrogen bomb, and if, for any reason, the
power goes out, a back-up supply is provided by two German submarine
engines.

• The data center has an IT usable capacity of 800 kW.

• There are 140 cabinets with a power density of 5.7 kW average per
cabinet. There is no particular maximum.
• Cooling, organized cabling, and electrical wiring are fitted under a 3.3
ft (1 m) deep raised flooring.
• The facility is located in a site that was initially an army bunker and
nuclear shelter during the Cold War.
• The shelter was designed to withstand
a hydrogen bomb explosion.
World secure data center sample 3

A mission-critical campus for purpose-built data The World’s Largest Underground

centres, Subtropolis is one of the most secure
Business Complex.®
underground centres in the world with armed
SubTropolis was created through the mining of a 270-
security, monitored video surveillance, card and PIN
million-year-old limestone deposit. In the mining
access, and a solid limestone structure six times
process, limestone is removed by the room and pillar
stranger than concrete. It offers customers 400,000
method, leaving 25-foot square pillars that are on 65-
square feet of available underground space.
foot centers and 40 feet apart.
MettaDC ID01 - Overview
Purpose Built Data Center
Location Bekasi Area (Outer Jakarta) – Jababeka
ID01 (30 MW) Industrial
Power source 2N (Bekasi Power & PLN)
DC Level Tier 4 Ready Design
PUE 1.45
DC Certification ISO 9001
ISO 27001
Uptime Tier III Design
On progress: Uptime Tier III TCCF & TCOS,
PCI-DSS & TVRA
Live Date September 2022

Service Descriptions
MettaDC ID01
Data Center Building Facility • 3 Storey building
Jababeka - Bekasi • 10,000 sqm total IT Hall
• Earthquake sustainability until 9RS
Data Hall • 500 racks per data hall
• Average rack density 5 kW
• Maximum high density 15kW
• Rack dimension: 48U, 600mmx1200mm
Connectivity • Carrier neutral
• 4 MMR Room each floor
• Multiple entry points and diverse
underground cable pathways
Mechanical & Electrical • 2N Generators Configuration
• 2N Power Distribution
11
• 2 Blocks with @2N UPS configurations
 MettaDC ID01 Security & Protection
Layer Data Center
Antiblastic gate
Surrounding Surveillance perimeter entrance
Roof Top double layer
System construction building

9 Richter Scale Earthquake

With dilatation in every
function building

2.5 Ton sqm Floor Load of

Building Structure

Data Hall double layer Antiblastic gate

Surrounding wall parameter
concrete construction wall perimeter number 2
with movement sensor
 7 Layer Security
Touchless System

Anti Crash
Steel Car Trap
Car Plate with UVSS Face Recognition Biometric
Recognition (Under Vehicle Gate Access Contactless
Surveillance System) Door Fingerprint

Face & Temp QR Code OTP Iris Retina

Recognition Visitor Biometric
Authentication Recognition

Touchless Security Process to provide best world class security data center

MettaDC Company Profile 2022 03

 MettaDC ID01
Secure Critical Facility Control

Perimeter
01
Gates | Surveillance (CCTV) | Plate recognition| UVSS| QR System| Face recognition |

Building 02 Manned | Flap barrier| Face recognition| Access Card | Iris Recognition | Fingerprint Scanner |
Turnstile gate| Air Lock| Monitoring & Control | Alarm Management

Building Maintenance | Grey Space Maintenance | White Space Maintenance | Consumable

Maintenance | Move/Add/Change (MAC’s)
Infrastructure
03 Change Management | Security | Site Access | People Management | Operations Staff Training |
Vendor Management | Event Management | Reporting | Maintenance Scheduling | Procedures |
System Training | Assets Control | Spares Management

Operational
04

14
MettaDC ID01 - Facility and Infrastructure
Independent Dedicated Facility per Data Hall

Double Layer Wall Building for Data Hall

Power Data Hall/Data
House Utility Center Office

3 Storey Purpose Built Data Center with 2 IT Hall Each Floor

Independence Dedicated Facility per Data Hall

Service Corridor separate IT Hall and utilities area

Independence Power for Office Building & Data Hall

15
MettaDC Team Certifications

16
$6 Trillion USD Direct losses from cyberattacks are the tip of the
iceberg. Unidentified losses is bigger than the
Global Cybercrime Damage Cost existing cost.
Source: Cybersecurity ventures

Rp. 93.000 Triliun

39 x Pendapatan RI Tahun 2022 (2,443 T)
 Financial Industry
Financial Loss
$ 18,3Mio
Over the past year,
financial institution
reported an increase
about 67% for cyber
attacks. According to
Accenture, the cost of
cyberattack is highest in
the banking / financial
industry.
It reach about USD 18,3
million annually per
company.
Attacks Types Attack Motivated
45,7% 71%
Global attack types and Of financial institutions
sources on financial sectors said they are most
are Web attacks about concerned about
46%, Service-specific financially motivated
attacks about 28%, and attackers.
about 8% DoS/DDoS is the
third attack type to be Credential / data leaks
executed. experienced a similar
increase of 129% over the
25% of all malware attacks year. And malicious apps
hit banks and other increase 102%.
financial industries, more
than any other industry.
Impact Data Breach For Industry
Indonesia Regulation Related to Data Protection

1. UNDANG-UNDANG REPUBLIK INDONESIA NOMOR 27 TAHUN 2022 TENTANG

PERLINDUNGAN DATA PRIBADI (PDP)

2. UNDANG-UNDANG REPUBLIK INDONESIA NOMOR 19 TAHUN 2016 TENTANG

PERUBAHAN ATAS UNDANG-UNDANG NOMOR 11 TAHUN 2OO8 TENTANG
INFORMASI DAN TRANSAKSI ELEKTRONIK (ITE)

“Untuk denda administratif yang dikenakan besarnya maksimal 2 persen dari

pendapatan atau penerimaan tahunan terhadap variabel pelanggaran.”

Source: Dirjen Aptika Kominfo

Impact Data Breach For Industry
Others Regulation Related to Data Protection

1. General Data Protection Regulation (GDPR)

2. Personal Data Protection Act (PDPA) From Others Country
Like Singapore, Thailand, Malaysia, etc
Impact Data Breach For Industry
Impact if there is data leaked of electronic

1. Indonesia 2% of annually of gross income based previous year financial report

2. GDPR if (company process EU Citizen, up to €20 million (roughly $20,372,000),
or 4% of worldwide turnover for the preceding financial year
3. Damage reputation of company, it will be impacted to companies
performance and engagement to customers
Source: NCSI - https://ncsi.ega.ee/ncsi-index/?order=rank
Source: Direktorat Operasi Keamanan Siber
Source: Direktorat Operasi Keamanan Siber
Security Landscape

1 Attack Target
Trade Secret 4
More than 70% target infrastructure,
20% target web. 90% of web attacks
In accordance with data use Social Engineering.
privacy, a trade secret is
another motive of cybercrime
during the last 3 years.
Cyber
Security in
Nutshell

2 Attack Increasement
3
Data Privacy Attack increase 25% YoY comparison.
Most of attacks utilized vulnerability
During 2018 – 2019, data privacy addressed by code development
breaches in increase significantly. (almost 75%).
More than 90% of breach utilized
web vulnerability.
Our Services

01
SA2T

Security Assessment
and Testing
We assist businesses in gaining a clear picture of their
security resilience by properly measuring and managing
potential threats.

We assess comprehensively by running a series of security

tests on infrastructure, applications, and user vulnerabilities.
Our Services

02
CSC2

Cyber Security and

Compliance Consulting

We facilitate the development, innovation, and

improvement of operational resilience and continuity in
both normal and emergency situations.

Furthermore, through this service, we empower in

asserting your company's maturity level in relation to
applicable security standards such as PCI DSS, ISO 27001,
and NIST.
Our Services

03
CORS

Cybersecurity Operations
and Resilience Service

This service is designed to help an organization manage

day-to-day operations, such as establishing Vulnerability
Management and Threat Management.

Through 24x7 monitoring, organizations are expected to be

able to easily identify vulnerabilities and respond to threats
that target their systems by using this service.
Our Services

04
SARS

Security Architecture
Review Service

This service is provided to assist an organization in

assessing and reviewing of the architecture and design,
system configuration, log review and network architecture
of communication flows and relationships between devices
including identification of inappropriate communication
flows.
Our Services

05
vCISO

Virtual Chief Information

Security Office

Lead to the enhancement of an extensive transformation,

including increased annual risk assessments and scalability
to adapt to business needs by consolidating and translating
into an effective and efficient security strategy, along with
the design, development, and preservation of security
programs.
Pentest Type

BLACKBOX GRAY BOX WHITE BOX

0 KNOWLEDGE SEMI KNOWLEDGE FULL KNOWLEDGE

31
Pentest Method

03 Vulnerability 05 Report
01 Planning & Preparation Assessment

06 Remediation &
04 Intrusion & Closing
02 Reconnaissance
exploitation

32
Risk Method

Vulnerable and Outdated

Criticality Score CVSS Broken Access
Control
1 6 Components

Identification and
Critical 16 – 25 9.0 - 10.0 Cryptography
2 7 Authentication Flaws
Failure

High 12 - 15 7.0 - 8.9

Injection 3 OWASP TOP 10
8 Software & Data Integrity
Failures
2021
Medium 8 - 10 4.0 - 6.9
Insecure Security Logging
Design 4 9 & Monitoring Failure
Low 4-6 0.1 - 3.9
Very Low Security
5 10 Server-Side
1-3 N/A Misconfigure Request Forgery
(informational)

33
Our Competencies

… and many other more …

Team Portfolio
Security is always too much
until the day
it is not enough.
William H. Webster
FINDING OF RECONNAISSANCE

TEMUAN SEVERITY

Credential information leak from System Database Critical (8.6)

IDOR On Several API Endpoints Lead To Data Leak Critical (8.6)

Leaked Guest Account Credentials Medium (5.8)

FINDING OF RECONNAISSANCE

TEMUAN SEVERITY

Credential information leak from System Database Critical (8.6)

IDOR On Several API Endpoints Lead To Data Leak Critical (8.6)

Leaked Guest Account Credentials Medium (5.8)

HACKING CASE

TEMUAN SEVERITY

Take over the mobile application account Critical (10)

Credential information leak from System Database

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

The .git/config disclosure bug is a security vulnerability in the Git version control system. This happens when
a Git configuration file (.git/config) that should be accessed only by users who have access rights to the
Root Cause repository and accidentally published to the public. This configuration file contains important information
such as the username and password used to access the Git repository, so that unauthorized users can access
the repository using that information.

Threat actors can access sensitive information in the repository such as source code or
Impact credentials on the system.
Credential information leak from System Database
 IDOR On Several API Endpoints Lead To Patient Data Leak

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

There is no session validation on some of the following endpoints:

/api/getMember
/api/editU**r
Root Cause /ApiV2/getListN*****n
/api/getApp*****PID
/api/getA****PEID
/ApiV2/past***t

Impact The impact of this is leakage from patients who register and book on the mobile app. Some of the data
leaked because of this issue are names, telephone numbers, email addresses, addresses, etc
IDOR On Several API Endpoints Lead To Data Leak

/Api/getMember
IDOR On Several API Endpoints Lead To Data Leak

/ApiV2/getList*****on
IDOR On Several API Endpoints Lead To Data Leak
/api/get*****tPID
Leaked Guest Account Credentials

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

To be able to access the application, credentials are needed to login. In

Root Cause this finding, hardcoded credentials for logging in as a guest were
obtained on the mobile app.

With access as a guest, threat actors can carry out further exploitation
Impact of the system
Leaked Guest Account Credentials

assets/index.android.js
HACKING CASE EXAMPLE
Take over the mobile application account
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

The takeover of the user account can occur because there is an IDOR
Root issue in the endpoint to change the user data. By changing the email
from a particular user, then the Threat Actor resets the password
Cause from the account. In this way, the account of the mobile application
user can be taken completely.

Impact Account take over can reduce trust in organization.

Take over the mobile application account

1 3
Hacker analyze Hacker get guest Find out endpoint that Change email user
mobile app credential hard coded affected IDOR vulnerability using IDOR vulnerability

2 4
Take over the mobile application account

Access user data using endpoint /API

/Getmember. The ID parameter in the request
is the parameter of the user ID on the system
which if we replace it will provide existing user
data
Take over the mobile application account

Change the email from the user on the

endpoint /Api/editUser. The user email is
changed to an email threat actor.
Take over the mobile application account
Forgot the password with an email that has been
replaced and then change password.
081310293831 [email protected]
Thank You

www.mettadc.com