[Chart: website defacements by Indonesian domain type (.go.id, .co.id, .or.id, .ac.id). Source: www.zone-h.org]
CardSystems - Hacking Incident
• Hackers had stolen 263,000 customer credit card numbers and exposed 40 million more.
• In September 2004, hackers dropped a malicious script on the CardSystems application platform, injecting it via the Web application that customers use to access account information. The script, programmed to run every four days, extracted records, zipped them and exported them to an FTP site.
• Visa and MasterCard threatened to terminate it as a transaction processor.
• CardSystems was acquired by PayByTouch in October 2005.
Data Loss 2000-2009
GhostNet – Cyber Espionage (Report: 29 March 2009)
Source: Symantec
Facts about IT Security
Changing Threat Landscape
Motivation Behind Cyber Attacks
• Just for FUN
• Fame and popularity
• Challenging activities
• Ideological/political
• Jealousy, anger
• Revenge
• Random attack
• Personal financial gain
• Underground activity for financial gain (FUND)
Change in the Security Landscape
5 Years Ago:
• Vandalism
• Incident is known
• Attack System
• Broad base
• Individual
Now:
• Profit Oriented
• Stealthy mode
• Attack Application and Data
• Targeted
• Organized crime
• (State) Sponsored Attack/Espionage/Sabotage
e and Mobile Commerce
How to Mitigate Information Security Risk
UU ITE, PP60/2008, PBI
COSO
Management commitment
Management shall provide evidence of its commitment by:
• Communicating the importance of meeting security objectives, legal and regulatory requirements, and continual improvement
• Establishing security policy, objectives and plans
• Conducting management reviews
• Deciding the level of residual risk
Management Responsibility (ISO 27001)
Provision of resources
• Set up and maintain the ISMS
• Security procedures support the business requirements
• Identify and address legal, regulatory and contractual requirements
• Adequate security of implemented controls
• Carry out reviews
• Improve the process
Management Responsibility (ISO 27001)
Training, awareness and competency
• Personnel assigned responsibilities in the ISMS shall be competent
• Provide training
• Evaluate effectiveness of training
• Ensure employees are aware
• Maintain records of education, experience and qualifications
ISO 27001 Series: International Standard for Information Security Management System
• Based on British Standard BS7799, which provides comprehensive guidance on various controls for implementing information security.
• ISMS Best Practice Pair:
– Criteria for Certification: ISO 27001:2005 (was BS 7799-2:2005)
– Guideline for Best Practice: ISO 27002 (was 17799:2005)
ISO 27002 includes the following control areas:
1. Security Policy
2. Organizing Information Security
3. Asset Management
4. Human Resources Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Information Systems Acquisition, Development and Maintenance
9. Information Security Incident Management
10. Business Continuity Management
11. Compliance
ISO/IEC 27000 Series
• 27000 - Glossary of terms
• 27001:2005 - Attainable certification
• 27002:2005 - Code of practice
• 27003:2010 - Implementation guide
• 27004 - Information security measurement
• 27005 - Risk management
• 27006:2007 - Certification vendor process
• 27011:2008 - Information security management for telecommunication organizations
• 27799:2008 - Health care organizations
HISA Framework
Hogan Information Security Architecture Framework
Holistic Information Security
People – Process - Technology
Who Needs InfoSec Training?
Top Management: Information Security Governance for Top Executives
[Chart: CISSP 2002 - 2010, number of CISSPs in Indonesia, Malaysia and Singapore on 3-Oct-02 versus 30-Mar-10]
[Chart: Competency vs Incident (Government Website), Number of Incidents versus Number of CISSPs for Indonesia, Malaysia and Singapore, as of Aug 2009]
[Chart (values 0 to 2500) by country: Hong Kong, Philippines, Singapore, Indonesia, Australia, Malaysia, Thailand, Vietnam, China, Korea, India]
CISSP In the World
• 1000+: United States, Canada, United Kingdom, Hong Kong, Korea (South), Singapore, Australia, Japan, India
• 200+: Ireland, Finland, Spain, Sweden, Taiwan, United Arab Emirates
[Diagram: layers of defence, with a Firewall between the network and the host]
Network Security: Routers, Firewalls, Switches, Network Services, Protocols
Host Security: Patches, Accounts, Ports, Files / directories, Registry, Auditing / logging, Shares
The Need for Secure Design
Secure SDLC (SDLC Phase -> Built In Security)
• Requirements Gathering -> Secure Requirements
• Design -> Secure Design
• Development -> Secure Implementation/Coding
• Testing -> Secure Testing
• Deployment -> Software Acceptance
• Maintenance / Operations -> Software Deployment, Operations, Maintenance
• Disposal -> Secure Disposal
Assessment and Penetration Test Review Methodology
• ISSAF - Information System Security Assessment Framework
• OSSTMM - Open Source Security Testing Methodology Manual
• NIST 800-42 - Technical Guideline on Network Security Testing
• NIST 800-115 - Technical Guide to Information Security Testing
• OWASP - Open Web Application Security Project
• Penetration Framework 0.52