
BRTI Discussion Forum

Information Security Governance

Bali, 19 May 2010


Ir. Hogan Kusnadi, MSc, CISSP-ISSAP, CISA
(Certified Information Systems Security Professional)
(Information Systems Security Architecture Professional)
(Certified Information Systems Auditor)
Certified Consultant for ISO 27001/27002
Founder and Director
PT. UniPro Nuansa Indonesia
E-mail: hogan@unipro.co.id
www.unipro.co.id
blog.unipro.co.id
Activities and Memberships Related to Information Security
• Chair of the Technical Sub-Committee of the Ministry of Communications and Informatics (Kominfo) and BSN for Information Security, adopting ISO 27001, ISO 27002 and the other standards of the ISO 27000 series.
• MASPI (Masyarakat Sandi dan Keamanan Informasi, the Indonesian Cryptography and Information Security Society): Founding Member and Head of Competency Development (2006).
• (ISC)2 International Information Systems Security Certification Consortium
• ISACA (Information Systems Audit and Control Association), Member.
• Former member of the Minister of Communications and Informatics' "Task Force for Securing and Protecting Strategic IT-Based Infrastructure" (2004)
• Former member of the EVATIK Working Group, DETIKNAS (2007)
Attacks on Indonesian Websites, .id Domain, 1998 – 2009
[Chart: number of attacks by domain (.go.id, .co.id, .or.id, .ac.id); the values shown are 792, 2138, 846 and 1463, but their pairing with the domains is not recoverable from the extraction]
Source: www.zone-h.org
CardSystems - Hacking Incident
• Hackers had stolen 263,000 customer credit card
numbers and exposed 40 million more.
• In September 2004, hackers dropped a malicious
script on the CardSystems application platform,
injecting it via the Web application that customers
use to access account information. The script,
programmed to run every four days, extracted
records, zipped them and exported them to an FTP
site.
• Visa and MasterCard threatened to terminate it as a
transaction processor.
• CardSystems was acquired by Pay By Touch in October
2005.
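The CardSystems pattern above, a scheduled job that archives records and pushes them to an external FTP site at a fixed interval, is exactly what egress logs can reveal. The following is an added example, not part of the original slides and not anything CardSystems ran; the log format, host names and addresses are constructed for illustration, and the thresholds are assumptions.

```python
"""Flag hosts that send large FTP transfers to an external address at a
regular cadence (e.g. every four days), the signature of a scheduled
exfiltration job. Added example; log format and values are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed egress-log lines: time src dst dst_port bytes filename
SAMPLE_LOG = """\
2004-09-02T03:10:05 app-01 10.0.5.20 1433 4096 -
2004-09-02T03:14:12 app-01 203.0.113.77 21 58233811 export_0902.zip
2004-09-03T09:00:00 app-01 10.0.5.20 1433 2048 -
2004-09-06T03:14:09 app-01 203.0.113.77 21 59122044 export_0906.zip
2004-09-10T03:14:15 app-01 203.0.113.77 21 60001233 export_0910.zip
2004-09-11T14:22:01 app-02 198.51.100.9 21 1200 readme.txt
"""

LINE_RE = re.compile(r"(\S+) (\S+) (\S+) (\d+) (\d+) (\S+)")

def parse(log_text):
    """Yield (timestamp, src, dst, port, bytes, filename) per well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, port, nbytes, fname = m.groups()
            yield datetime.fromisoformat(ts), src, dst, int(port), int(nbytes), fname

def find_periodic_ftp_exports(log_text, min_events=3, min_bytes=1_000_000,
                              tolerance=timedelta(hours=1)):
    """Return (src, dst) pairs with >= min_events large FTP uploads whose
    inter-event gaps differ by no more than `tolerance` (a scheduled job)."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, nbytes, _fname in parse(log_text):
        # Only external FTP destinations carrying a sizeable payload (assumed
        # internal range 10.0.0.0/8 for this constructed sample).
        if port == 21 and nbytes >= min_bytes and not dst.startswith("10."):
            by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= tolerance:  # near-constant interval
            mean_gap = sum(gaps, timedelta()) / len(gaps)
            findings.append({"src": src, "dst": dst, "events": len(times),
                             "period_days": round(mean_gap.total_seconds() / 86400, 2)})
    return findings

if __name__ == "__main__":
    print(find_periodic_ftp_exports(SAMPLE_LOG))
```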
Data Loss 2000-2009
GhostNet – Cyber Espionage
(Report: 29 March 2009)
• Infected 1,295 computers
• Targeted at:
– Ministries of foreign affairs,
– Embassies,
– International organizations,
– News media,
– and NGOs.
• 103 countries (Indonesia included)
US & Korea Cyber Attack July 09
US targets:
• Federal Trade Commission
• Transportation Department
• White House
• Pentagon
• New York Stock Exchange
• NASDAQ
Korea targets:
• Blue House
• Defense Ministry
• Shinhan Bank
• Korea Exchange
Worm behind US & Korea Cyber Attack

Source: Symantec
Facts about IT Security

Changing Threat Landscape
National Vulnerability Database 1995 – 2006
[Chart: number of vulnerabilities recorded in the NVD per year, 1995 – 2006]
• 24 new vulnerabilities are released per day – NVD 05/09/2007
• Of the 24, 12.5 vulnerabilities are considered serious enough for IT staff to address each day – NVD workload index 05/09/2007
Motivation Behind Cyber Attacks
• Just for FUN
• Fame and popularity
• Challenging activities
• Ideological/political
• Jealousy, anger
• Revenge
• Random attack
• Personal financial gain
• Underground activity for financial gain (FUND)
Change in the Security Landscape
5 Years Ago:
• Vandalism
• Incident is known
• Attack System
• Broad base
• Individual
Now:
• Profit Oriented
• Stealthy mode
• Attack Application and Data
• Targeted
• Organized crime
• (State) Sponsored Attack/Espionage/Sabotage
e and Mobile Commerce
How to Mitigate Information Security Risk
[Diagram: layered stack of regulation and best practice]
• UU ITE, PP60/2008, PBI
• COSO
• COBIT / ISO 38500
• ISO 20000 / ITIL V3
• SNI-ISO 27001
Regulation & Best Practice
• Government & Industry Regulation
– UU ITE 2008 (supporting Government Regulation (PP) - 2010)
– PP 60/2008
– PBI (Bank Indonesia Regulation) 2007
– Basel II (Banking Industry)
– PCI-DSS (Payment Card Industry Data Security Standard)
– SOX (Sarbanes-Oxley Act)
– JSOX (Japan SOX)
• Best Practice / Standard / Framework
– COBIT Framework
– COSO Enterprise Risk Management Framework
– ISO 27001 (SNI-ISO 27001 - Oct 2009), ISO 27002
– HISA Framework
Management Responsibility
(ISO 27001)

Management commitment
Management shall provide evidence of its
commitment by:
• Communicating the importance of meeting
security objectives, legal & regulatory
requirements and continual improvement
• Establishing security policy, objectives & plans
• Conducting management reviews
• Deciding the level of residual risk
Management Responsibility
(ISO 27001)
Provision of resources
• Set up and maintain the ISMS
• Security procedures support the business
requirements
• Identify & address legal, regulatory and
contractual requirements
• Adequate security of implemented controls
• Carry out reviews
• Improve the process
Management Responsibility
(ISO 27001)
Training, awareness and competency
• Personnel assigned responsibilities in the
ISMS shall be competent
• Provide training
• Evaluate effectiveness of training
• Ensure employees are aware
• Maintain records of education, experience
and qualifications
ISO 27001 Series: International Standard for
Information Security Management System
• Based on British Standard BS7799, which provides comprehensive guidance on various controls for implementing information security.
• ISMS Best Practice Pair:
– Criteria for Certification: ISO 27001:2005 (was BS 7799-2:2005)
– Guideline for Best Practice: ISO 27002 (was ISO 17799:2005)
ISO 27002 includes the following control areas:
1. Security Policy
2. Organizing Information Security
3. Asset Management
4. Human Resources Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Information Systems Acquisition, Development and Maintenance
9. Information Security Incident Management
10. Business Continuity Management
11. Compliance.
ISO/IEC 27000 Series
• 27000 - Glossary of terms
• 27001:2005 - Attainable certification
• 27002:2005 - Code of practice
• 27003:2010 – Implementation Guide
• 27004 - Information security measurement
• 27005 - Risk management
• 27006:2007 - Certification vendor process
• 27011:2008 – Information Security Management
for Telecommunication Organizations
• 27799:2008 - Health care organizations
HISA Framework
Hogan Information Security Architecture Framework
Holistic Information Security
People – Process - Technology
Who Needs InfoSec Training?
• Top Management: Information Security Governance for Top Executive
• General Manager: Information Security Governance for General Management
• End User: Information Security Awareness & Security Policy Socialization; Holistic Information Security
• IT Manager: ISO 27001 Introduction; Security Policy Formulation; Holistic Information Security
• IT Application: Web Application Hacking & Countermeasures; Secure SDLC/CSSLP; Holistic Information Security
• IT Network: Hacking Insight through Penetration Testing; Wireless Hacking & Defense; Packet Analysis & Troubleshoot; Holistic Information Security
• IT Server: Hacking Insight through Penetration Testing; Holistic Information Security
• IT Security Manager: ISO 27001 Introduction; ISO 27001 Implementation; Security Policy Formulation; BCP / DRP; CISSP; Holistic Information Security
• IT Security Personnel: Incident Response & Handling; Log Management & Analysis; Hacking Insight through Penetration Testing; Wireless Hacking & Defense; Packet Analysis & Troubleshoot; Forensic Investigation Analysis; SSCP
• Physical Security: Information Security for Physical Security Personnel

US Department of Defense Directive 8570
Information Security Certification Required for 2010
• IAT Level I: A+, Network+, SSCP
• IAT Level II: GSEC, Security+, SCNP, SSCP
• IAT Level III: CISA, GSE, SCNA, CISSP (or Associate), GCIH
• IAM Level I: CAP, GISF, GSLC, Security+
• IAM Level II: CAP, GSLC, CISM, CISSP (or Associate)
• IAM Level III: GSLC, CISM, CISSP (or Associate)
• IASAE I: CISSP (or Associate)
• IASAE II: CISSP (or Associate)
• IASAE III: CISSP-ISSEP, CISSP-ISSAP
• CND Analyst: GCIA, CEH
• CND Infrastructure Support: SSCP, CEH
• CND Incident Reporter: GCIH, CSIH, CEH
• CND Auditor: CISA, GSNA, CEH
• CND-SP Manager: CISSP-ISSMP, CISM
CISSP 2002 - 2010
[Chart: number of CISSPs in Indonesia, Malaysia and Singapore on 3-Oct-02 versus 30-Mar-10]
Competency vs Incident
(Government Website)
[Chart: number of incidents versus number of CISSPs for Indonesia, Malaysia and Singapore, as of Aug 2009]

Number of (ISC)² Members in Various Asian Economies
[Chart: Hong Kong, Philippines, Singapore, India, Australia, Malaysia, Thailand, Vietnam, China, Korea, Indonesia]
CISSP In the World
1000+ United States Canada United Kingdom Hong Kong Korea, South Singapore Australia Japan India
500+ Switzerland France Netherlands Germany
Mexico Brazil Denmark China South Africa Belgium Malaysia
200+ Ireland Finland Spain Sweden Taiwan United Arab Emirates
100+ Poland Russia Saudi Arabia Italy
Israel New Zealand Thailand

Holistic Security
Software Security (Web Server, Database Server):
• Input validation
• Session management
• Authentication
• Parameter manipulation
• Authorization
• Cryptography
• Sensitive data protection
• Exception management
• Configuration management
• Auditing / Logging
Network Security (Firewall):
• Routers
• Firewalls
• Switches
Host Security (Host):
• Patches
• Accounts
• Ports
• Services
• Files / directories
• Registry
• Protocols
• Auditing / logging
• Shares
The Need for Secure Design
Secure SDLC: built-in security for each SDLC phase
• Requirements Gathering: Secure Requirements
• Design: Secure Design
• Development: Secure Implementation/Coding
• Testing: Secure Testing
• Deployment: Software Acceptance
• Maintenance / Operations: Software Deployment, Operations, Maintenance
• Disposal: Secure Disposal
Review Methodology: Assessment and Penetration Test
• ISSAF: Information System Security Assessment Framework
• OSSTMM: Open Source Security Testing Methodology Manual
• NIST 800-42: Technical Guideline on Network Security Testing
• NIST 800-115: Technical Guide to Information Security Testing
• OWASP: Open Web Application Security Project
• Penetration Framework 0.52