Hogan Kusnadi - Information Security

Oct 18, 2014

Transcript
Page 1: Hogan Kusnadi - Information Security

TRAINING, HIRING & INCREASE CAREER

Delivering Quality and Competence

Information Security: Trend, Knowledge and Promising Career

Medan, 12 June 2010

Page 2: Hogan Kusnadi - Information Security

By: Ir. Hogan Kusnadi, MSc, CISSP-ISSAP, CISA

CISSP (Certified Information Systems Security Professional)

ISSAP (Information Systems Security Architecture Professional)

CISA (Certified Information Systems Auditor)

Certified Consultant for ISO 27001/27002

Founder and Director

PT. UniPro Nuansa Indonesia

E-mail: [email protected]

www.unipro.co.id

blog.unipro.co.id

Page 3: Hogan Kusnadi - Information Security

Activities and Memberships Related to Information Security

• Chair of the Technical Sub-Committee of the Ministry of Communication and Informatics (Kominfo) and BSN for Information Security, adopting ISO 27001, ISO 27002 and other parts of the ISO 27000 series.

• MASPI (Masyarakat Sandi dan Keamanan Informasi, the Indonesian Cryptography and Information Security Society). Founding Member and Chair of Competency Development (2006).

• (ISC)2 International Information Systems Security Certification Consortium

• ISACA (Information Systems Audit and Control Association), Member.

• Former member of the Menkominfo "Task Force Pengamanan dan Perlindungan Infrastruktur Strategis Berbasis Teknologi Informasi" (Task Force for Securing and Protecting IT-Based Strategic Infrastructure) (2004)

• Former member of the DETIKNAS EVATIK Working Group (2007)

Page 4: Hogan Kusnadi - Information Security

UniPro Clients

Page 5: Hogan Kusnadi - Information Security

Holistic Information Security: People – Process – Technology

Page 6: Hogan Kusnadi - Information Security

MURI (Museum Rekor-Dunia Indonesia) Award Certificate

Page 7: Hogan Kusnadi - Information Security

UniPro Partners

Technology Partner

Training Partner

Service Partner

Page 8: Hogan Kusnadi - Information Security

Seminar Activities

Page 9: Hogan Kusnadi - Information Security

Seminar Activities

Page 10: Hogan Kusnadi - Information Security

Seminar Activities

Page 11: Hogan Kusnadi - Information Security

Seminar Activities

Page 13: Hogan Kusnadi - Information Security

Access and Transactions

• Anywhere

• Anytime

• Anyone

Page 14: Hogan Kusnadi - Information Security
Page 15: Hogan Kusnadi - Information Security

Two Sides of Technology

Page 16: Hogan Kusnadi - Information Security

Benefits vs Risks

Benefits: Multi-Function; Flexible; Easy to Use

Security properties: Confidentiality; Integrity; Availability; Authenticity; Non-Repudiation

Technologies: Database Application; Web Application; Client Server; Networking Integration; Cloud Computing

Risks: Identity Theft; Information Theft; Industrial/State Espionage; Distributed Denial of Service

Page 17: Hogan Kusnadi - Information Security

Fastest Malware Outbreak

Page 18: Hogan Kusnadi - Information Security

INFORMATION SECURITY RISK

[Diagram: Business Process and Information Assets, with the labels RISK, PROTECTION and SAFE]

Page 19: Hogan Kusnadi - Information Security

Information Security

Attack / Incident

Page 20: Hogan Kusnadi - Information Security

Information Security Attacks in Indonesia

• Malicious Ware (Virus, Worm, Spyware, Keylogger, DOS, DDOS, etc)

• Spam, Phishing

• Identity Theft *

• Data Leakage/Theft

• Web Defacement

• Web Transaction Attack

• Misuse of IT Resources

* Theft via ATM (Jan 2010)

Page 21: Hogan Kusnadi - Information Security

Attacks on Indonesian Websites

Domain .id, 1998 – 2009

Source: www.zone-h.org

[Bar chart of defacements by domain: .go.id 2138, .co.id 1463, .or.id 846, .ac.id 792 (values paired in extraction order; the .go.id figure is confirmed on page 24)]

Page 22: Hogan Kusnadi - Information Security
Page 23: Hogan Kusnadi - Information Security
Page 24: Hogan Kusnadi - Information Security

Attacks on Government Domain Websites, 1998 - 2009

[Bar chart: .go.id 2138; .gov.my and .gov.sg far lower (the two values were extracted as "71117", split unclear)]

Source: www.zone-h.org

Page 25: Hogan Kusnadi - Information Security

CISSP 2002 - 2010

[Line chart of CISSP counts for Indonesia, Malaysia and Singapore from 3-Oct-02 to 30-Mar-10; y-axis 0 to 1200]

Page 26: Hogan Kusnadi - Information Security

Competency vs Incident (Government Website 2010)

[Bar chart for Indonesia, Malaysia and Singapore: Number of CISSP vs Number of Incidents; y-axis 0 to 2500]

Page 27: Hogan Kusnadi - Information Security

As of Aug 2009

Number of (ISC)² Members in Various Asian Economies

[Bar chart, y-axis 0 to 2500: Australia, China, Hong Kong, India, Indonesia, Korea, Malaysia, Philippines, Singapore, Thailand, Vietnam]

Page 28: Hogan Kusnadi - Information Security

CISSP In the World

[World map of CISSP counts by country, in tiers of 1000+, 500+, 200+ and 100+. Countries shown, in extraction order: Canada, Hong Kong, United Kingdom, United States, South Korea, Singapore, Australia, Netherlands, China, Germany, Japan, South Africa, Finland, United Arab Emirates, Saudi Arabia, Taiwan, Belgium, Ireland, Sweden, France, Brazil, Mexico, Italy, Denmark, Spain, Malaysia, Israel, New Zealand, Russia, Poland, India, Switzerland, Thailand]

Page 29: Hogan Kusnadi - Information Security

Facts about IT Security

Page 30: Hogan Kusnadi - Information Security
Page 31: Hogan Kusnadi - Information Security
Page 32: Hogan Kusnadi - Information Security

Data Theft: WORLD RECORD

2009 Heartland Payment Systems

2008 T-Mobile, Deutsche Telekom

2007 TJX Companies Inc

2006 US Dept of Veterans Affairs

2005 CardSystems

2004 America Online

INDONESIA 2008: Total Incidents Reported

[Chart of records exposed per year, World vs Indonesia, 2003 to 2010; y-axis 0 to 140,000,000]

Page 33: Hogan Kusnadi - Information Security

Largest Incidents

Page 34: Hogan Kusnadi - Information Security

CardSystems - Hacking Incident

• Hackers had stolen 263,000 customer credit card numbers and exposed 40 million more.

• In September 2004, hackers dropped a malicious script on the CardSystems application platform, injecting it via the Web application that customers use to access account information. The script, programmed to run every four days, extracted records, zipped them and exported them to an FTP site.

• Visa and MasterCard threatened to terminate it as a transactions processor.

• CardSystems was acquired by PayByTouch in October 2005.

Page 35: Hogan Kusnadi - Information Security

Data Loss 2000-2009

Page 36: Hogan Kusnadi - Information Security

GhostNet – Cyber Espionage (Report: 29 March 2009)

• Infected 1,295 Computers

Targeted at:

– Ministries of foreign affairs,

– Embassies,

– International organizations,

– News media,

– and NGOs.

• 103 Countries (Indonesia Included)

Page 37: Hogan Kusnadi - Information Security
Page 38: Hogan Kusnadi - Information Security

Motivation Behind Cyber Attacks

• Just for FUN

• Fame and popularity

• Challenging activities

• Ideological/political

• Jealousy, anger

• Revenge

• Random attack

• Personal financial gain

• Organized crime for financial gain (FUND)

Page 39: Hogan Kusnadi - Information Security

Change in the Security Landscape

5 Years Ago

• Vandalism

• Incident is known

• Attack System

• Broad base

• Individual

Now

• Profit Oriented

• Stealthy mode

• Attack Application and Data

• Targeted

• Organized crime

• (State) Sponsored Attack/Espionage/Sabotage

Page 40: Hogan Kusnadi - Information Security

Hacking Is Easy

Page 41: Hogan Kusnadi - Information Security
Page 42: Hogan Kusnadi - Information Security

How to Mitigate Information Security Risk

Page 43: Hogan Kusnadi - Information Security
Page 44: Hogan Kusnadi - Information Security

Practical Personal Protection

AIDS: Acquired InfoSec Deficiency Syndrome

Page 45: Hogan Kusnadi - Information Security
Page 46: Hogan Kusnadi - Information Security

Regulation & Best Practice

• Government & Industry Regulation

– UU ITE 2008 (Electronic Information and Transactions Law; supporting Government Regulation (PP) - 2010)

– PP 60/2008

– PBI (Peraturan Bank Indonesia, Bank Indonesia Regulation) 2007

– Basel II (Banking Industry)

– PCI-DSS (Payment Card Industry Data Security Standard)

– SOX (Sarbanes-Oxley Act)

– JSOX (Japan SOX)

• Best Practice / Standard / Framework

– COBIT Framework

– COSO Enterprise Risk Management Framework

– ISO 27001 (SNI-ISO 27001 - Oct 2009), ISO 27002

– HISA Framework

Page 47: Hogan Kusnadi - Information Security

HISA Framework: Hogan Information Security Architecture Framework

Page 48: Hogan Kusnadi - Information Security

Fractal

Page 49: Hogan Kusnadi - Information Security

Risk Equation

Risk = Threat x Vulnerability x Asset

Page 50: Hogan Kusnadi - Information Security

Risk Factor = T x V x A

Page 51: Hogan Kusnadi - Information Security

Minimum level of protection

Risk Factor = T x V x A

Threat Level

Page 52: Hogan Kusnadi - Information Security

Risk Factor = T x V x A

Current Threat

Potential Future Threat

Page 53: Hogan Kusnadi - Information Security

MV Dumai Express-18, sailing from Dumai to Batam, sprang a leak and sank off Pulau Terkulai, Batupanjang, Dumai, 15 minutes after departing Dumai Port on Monday (28/9) at around 10:00 WIB.

Page 54: Hogan Kusnadi - Information Security

False Sense of Security

Page 55: Hogan Kusnadi - Information Security

Non Effective Enforcement

Page 56: Hogan Kusnadi - Information Security

Situ Gintung, Before and After 27 March 2009

Page 57: Hogan Kusnadi - Information Security

Where Does ISO 27001 Sit in IT Governance?

[Diagram of frameworks: ISO 20000 / ITIL V3; SNI-ISO 27001; COBIT / ISO 38500; UU ITE, PP60/2008, PBI; COSO]

Page 58: Hogan Kusnadi - Information Security

UniPro Public Training (audience: courses)

Managerial

– Top Management: Information Security Governance for Top Executive

– General Manager: Information Security Governance for General Management

– End User: Information Security Awareness & Security Policy Socialization

IT Manager: Holistic Information Security; ISO 27001 Introduction; Security Policy Formulation

IT Application: Holistic Information Security; Web Application Hacking & Countermeasures; Secure SDLC/CSSLP (Certified Secure Software Lifecycle Professional)

IT Network: Holistic Information Security; Hacking Insight through Penetration Testing; Wireless Hacking & Defense; Packet Analysis & Troubleshoot

IT Server: Holistic Information Security; Hacking Insight through Penetration Testing

IT Security Manager: Holistic Information Security; ISO 27001 Introduction; ISO 27001 Implementation; Security Policy Formulation; BCP / DRP; CISSP (Certified Information Systems Security Professional)

IT Security Personnel: Holistic Information Security; Incident Response & Handling; Log Management & Analysis; Hacking Insight through Penetration Testing; Wireless Hacking & Defense; Packet Analysis & Troubleshoot; Forensic Investigation Analysis; SSCP (Systems Security Certified Practitioner)

Physical Security: Information Security for Physical Security Personnel

Page 59: Hogan Kusnadi - Information Security

ISO 27001 Series: International Standard for Information Security Management System

• Based on British Standard BS7799, which provides comprehensive guidance on various controls for implementing information security.

• ISMS Best Practice Pair:

– Criteria for Certification: ISO 27001: 2005 (was BS 7799-2: 2005)

– Guideline for Best Practice: ISO 27002 (was ISO 17799: 2005)

It includes the following:

1. Security Policy

2. Organizing Information Security

3. Asset Management

4. Human Resources Security

5. Physical and Environmental Security

6. Communications and Operations Management

7. Access Control

8. Information Systems Acquisition, Development and Maintenance

9. Information Security Incident Management

10. Business Continuity Management

11. Compliance.

Page 60: Hogan Kusnadi - Information Security

ISO 27002

Page 61: Hogan Kusnadi - Information Security
Page 62: Hogan Kusnadi - Information Security

ISO 27001 Certificates in The World (Jan 2010)

ISO 27001 Statistics:

81 countries

Japan 55%

4 Asian countries in the Top 5

5 Asian countries in the Top 10

Indonesia at position no. 42, the lowest among the founding ASEAN countries.

http://www.iso27001certificates.com

Page 63: Hogan Kusnadi - Information Security
Page 64: Hogan Kusnadi - Information Security

Information Security Solution

Page 65: Hogan Kusnadi - Information Security

7 DETIKNAS Flagship Programs

• e-Education

• e-Budgeting

• e-Procurement

• National Identity Number

• National Single Window

• Palapa Ring

• Software Legalization

Page 66: Hogan Kusnadi - Information Security

Indonesian Security Experts

[Pyramid diagram with levels: Care / Awareness; Medium Level of InfoSec; High Level Skill of InfoSec; International Certification]

Page 67: Hogan Kusnadi - Information Security

Red Ocean vs Blue Ocean

The Economics of Supply and Demand

Many Other IT Skills (Red Ocean): Applicant >> Job

InfoSec Skill (Blue Ocean): Job >> Applicant

Page 68: Hogan Kusnadi - Information Security

Manager/Analyst/Engineer

• Computer Systems Security

• Cyber Network Operations Planning Specialist - $75K

• Cyber Security Specialist

• Data & System Security Specialist

• Digital Forensics Analyst

• Functional Security/Penetration Testers/Telecommute

• Information Security Analyst

• Information System Security (ISS) Project/Program Manager

• IT Security Specialist

• Manager, Security Policy, Compliance, and Risk Management

• Manager, Security Program Management

• Network Security Manager

• Project Manager Data Center

• Security Operations Center Analyst

• Security System Administrator - $95K

• Senior Computer Forensic Examiner

• Technical Manager of Applications Security Consulting

• Technology Risk Analyst

• Vulnerability Management Engineer

Job Postings (CISSP certification required; from www.isc2.org)

Page 69: Hogan Kusnadi - Information Security

Consultant/Auditor

• Consulting Partner

• Entry Level IT Security Consultant

• Information Technology (IT) Auditor

• Senior IT Auditor

Critical Infrastructure

• Critical Infrastructure Protection Specialist

• NATO Cyber Defence Coordinator

Others

• Recruiter

• Sales Engineer

• Senior Technical Recruiter, Human Resources

• Technical Writer

Job Postings (CISSP certification required; from www.isc2.org)

Page 70: Hogan Kusnadi - Information Security

Job Postings (CISSP certification required; from www.isc2.org)

Executive Management

• Chief Information Security Officer

• Director of Security

• Director, Information Security

• VP Governance, Risk and Compliance

• VP Security Engineering

• VP, Enterprise Security

• VP/Information Assurance

Business Function

• Analyst, Business Analysis (Security Due Diligence)

• Business Continuity and Operational Quality Assurance Role

• Identity Management Architect/Developer

• Senior Enterprise Architect

• Senior Information Assurance Engineer

• Senior Security Architect

Page 71: Hogan Kusnadi - Information Security

US Department of Defense Directive 8570: Information Security Certification Required for 2010

IAT: Information Assurance Technical

IAM: Information Assurance Management

IASAE: Information Assurance Security Architecture and Engineering

CND: Computer Network Defense

Level I: Junior Level; Level II: Middle Level; Level III: Senior Level

Baseline certifications by category and level:

IAT Level I: A+, Network+, SSCP

IAT Level II: GSEC, Security+, SCNP, SSCP

IAT Level III: CISA, GSE, GCIH, SCNA, CISSP (or Associate)

IAM Level I: CAP, GISF, GSLC, Security+

IAM Level II: CAP, CISM, GSLC, CISSP (or Associate)

IAM Level III: CISM, GSLC, CISSP (or Associate)

IASAE I: CISSP (or Associate)

IASAE II: CISSP (or Associate)

IASAE III: CISSP-ISSAP, CISSP-ISSEP

CND Analyst: GCIA, CEH

CND Infrastructure Support: SSCP, CEH

CND Incident Reporter: GCIH, CSIH, CEH

CND Auditor: CISA, GSNA, CEH

CND-SP Manager: CISSP-ISSMP, CISM

Page 72: Hogan Kusnadi - Information Security

FBI Recruit CISSP

Page 73: Hogan Kusnadi - Information Security

Indonesian Security Experts

[Pyramid diagram with levels: Care / Awareness; Medium Level of InfoSec; High Level Skill of InfoSec; International Certification]

Page 74: Hogan Kusnadi - Information Security

Why UniPro?

Training Partner; Competence; Experience; Certification; Technology Partner

Regulation & Standard: UU ITE, PBI, SNI ISO 27001

Customer Requirement, Career Opportunities

Page 75: Hogan Kusnadi - Information Security

Your InfoSec Learning Path

Levels: Essential, Fundamental, Advance, Professional, Expert

International Certification, e.g. SSCP, CISSP-ISSAP

Page 76: Hogan Kusnadi - Information Security

TRAINING, HIRING & INCREASE CAREER PROGRAM

Page 77: Hogan Kusnadi - Information Security

Special Note:

The THINC program is also supported by Balitbang SDM (the Human Resources Research and Development Agency) of the Ministry of Communication and Informatics, as recognition of its quality and in line with the government's VISION & MISSION.

This program will become part of the SKKNI (Standar Kompetensi Kerja Nasional Indonesia, the Indonesian National Work Competency Standard).

Page 78: Hogan Kusnadi - Information Security

Silver Program (Promo)

• Essential Information Security (4 Days)

• Enterprise Information Security Technology (6 Days)

• Exam (1 Day)

• Total (11 Days)


Page 79: Hogan Kusnadi - Information Security

Essential Information Security

Training modules (days):

1. Essential Information Security Foundation (2)

2. Essential Packet Analysis (1)

3. Essential Web Application Security (1)

Page 80: Hogan Kusnadi - Information Security

Essential Information Security Foundation

Day I

• Introduction

• InfoSec Management Concept

• InfoSec Practical Concept

• Threat and Attack

• Firewall

Day II

• Firewall

• IDS/IPS

• VPN

• Data Protection

Page 81: Hogan Kusnadi - Information Security

Essential Packet Analysis

• TCP/IP Security

• TCP/IP Header

• Stimulus and Response

• Tcpdump

• Wireshark


Page 82: Hogan Kusnadi - Information Security

Essential Web Application Security

• Introduction to Web Threat

• Assessment Method

• Top 10 OWASP Vulnerability

• Web Application Firewall


Page 83: Hogan Kusnadi - Information Security

Enterprise InfoSec Technology

Training modules (days):

1. Firewall Fundamental (1)

2. Firewall 1 (Check Point) (1)

3. Firewall 2 (Juniper) (1)

4. IPS (TippingPoint) (1)

5. Proxy (Blue Coat) (1)

6. Load Balancer (F5) (1)

Page 84: Hogan Kusnadi - Information Security

Firewall Fundamental (1 Day)

• Basic TCP/IP

• Firewall Technology

• Firewall Design & Rules

• Firewall Rules & Discussion

Page 85: Hogan Kusnadi - Information Security

Firewall 1 – Checkpoint (1 Day)

• Checkpoint FW Secure Platform

• Checkpoint FW Smart Management

• Checkpoint FW Installation

• Checkpoint FW Smart Management Installation

• Policy Implementation


Page 86: Hogan Kusnadi - Information Security

Firewall 2 - Juniper (1 Day)

• Juniper Firewall Introduction

• Juniper FW Installation

• Policy Implementation

• Multiple Layers Policy Implementation


Page 87: Hogan Kusnadi - Information Security

Intrusion Prevention System (1 Day)

• IPS Architecture

• Tippingpoint IPS Introduction

• Tippingpoint IPS Installation

• Configuring Tippingpoint IPS

• Customize Policy & Monitoring Log


Page 88: Hogan Kusnadi - Information Security

Proxy (1 Day)

• Bluecoat Introduction

• Proxy Features & Topology

• Bluecoat Proxy Installation

• Configuring Bluecoat Proxy

• Visual Policy Manager

• Customize Policy & Monitoring log


Page 89: Hogan Kusnadi - Information Security

Load Balancer (1 Day)

• F5 Introduction

• Load Balancer Introduction

• F5 Installation

• Configuring F5 LTM

• Load Balancing Methodology

• Monitoring Log & Performance


Page 90: Hogan Kusnadi - Information Security

Prerequisites

• Subjects/courses to study in preparation before taking the THINC Silver class:

– Data Communications

– Computer Networks

– Computer Operating Systems

Page 91: Hogan Kusnadi - Information Security

Package / Modules / Day(s) / Price

Bronze A: Essential Information Security

– Essential Information Security Foundation: 2 days, Rp. 1.300.000,-

– Essential Packet Analysis: 1 day, Rp. 650.000,-

– Essential Web Application Security: 1 day, Rp. 650.000,-

– Bronze A Package: 4 days, Rp. 2.200.000,-

Bronze B: Enterprise InfoSec Technology

– Firewall Fundamental: 1 day, Rp. 750.000,-

– Firewall 1 (Check Point): 1 day, Rp. 750.000,-

– Firewall 2 (Juniper): 1 day, Rp. 750.000,-

– IPS (TippingPoint): 1 day, Rp. 750.000,-

– Proxy (Blue Coat): 1 day, Rp. 750.000,-

– Load Balancer (F5): 1 day, Rp. 750.000,-

– Bronze B Package: 6 days, Rp. 4.000.000,-

EXAM: 1 day, Rp. 500.000,-

Total Individual Modules + Exam: 11 days, Rp. 7.600.000,-

Note: Minimum 32 participants, maximum 40 per class

Page 92: Hogan Kusnadi - Information Security

Package / Modules / Day(s) / Price

Essential Information Security

– Essential Information Security Foundation: 2 days, Rp. 1.300.000,-

– Essential Packet Analysis: 1 day, Rp. 650.000,-

– Essential Web Application Security: 1 day, Rp. 650.000,-

Enterprise InfoSec Technology

– Firewall Fundamental: 1 day, Rp. 750.000,-

– Firewall 1 (Check Point): 1 day, Rp. 750.000,-

– Firewall 2 (Juniper): 1 day, Rp. 750.000,-

– IPS (TippingPoint): 1 day, Rp. 750.000,-

– Proxy (Blue Coat): 1 day, Rp. 750.000,-

– Load Balancer (F5): 1 day, Rp. 750.000,-

EXAM: 1 day, Rp. 500.000,-

Silver Package: 11 days, Rp. 5.000.000,-

Note: Minimum 32 participants, maximum 40 per class

Page 93: Hogan Kusnadi - Information Security

SILVER PROMO !!!

SILVER PROMO PROGRAM

Training: 10 Days

Exam: 1 Day

Total Class: 11 Days

PRICE: IDR 5 Million/Student

32 - 40 Students Per Class

Page 94: Hogan Kusnadi - Information Security

INTEGRATION SIMULATION

(2 Days With Real Lab IN JAKARTA)

Page 95: Hogan Kusnadi - Information Security

Integration Simulation

Page 96: Hogan Kusnadi - Information Security

Invest in Your Future NOW!!

"A journey of a thousand miles begins with a single step." Lao Tzu, Chinese Philosopher (6th Century BC)

Seats Limited

Page 97: Hogan Kusnadi - Information Security