
Information Security Standards

Solo, 28 June 2012


Hogan Kusnadi CISSP-ISSAP, SSCP, CISA, CISM
hogan@unipro.co.id

Ir. Hogan Kusnadi, MSc, CISSP-ISSAP, SSCP, CISA, CISM


CISSP (Certified Information Systems Security Professional)
ISSAP (Information Systems Security Architecture Professional)
SSCP (System Security Certified Practitioner)
CISA (Certified Information Systems Auditor)
CISM (Certified Information Security Manager)
Certified Consultant for ISO 27001/27002
Founder and Director, PT. UniPro Nuansa Indonesia
E-mail: hogan@unipro.co.id
www.unipro.co.id
blog.unipro.co.id

Activities and Memberships Related to Information Security


Chair of the Ministry of Communication and Informatics (Kominfo) and BSN working group on information security, which adopts the ISO 27000 series as SNI (2012).
MASPI (Masyarakat Sandi dan Keamanan Informasi): founding member and Head of Competency Development (2006).
(ISC)2 (International Information Systems Security Certification Consortium).
ISACA (Information Systems Audit and Control Association): member.
Former member of the Minister of Communication and Informatics Task Force on Securing and Protecting IT-based Strategic Infrastructure (2004).
Former member of the EVATIK DETIKNAS working group (2007).

Launch of SNI-ISO 20000 & 27001, Kominfo & BSN, October 2009

Information Security Training

Secure Asia Singapore July 2010

Recipient of the ISLA Awards 2011 (Indonesia)

Rapid Growth of ICT


(Information Communication Technology)

Access and Transactions


Anywhere, Anytime, Anyone

e- and Mobile Commerce

Electronic Transaction is Everywhere


Commerce, Micropayment, Auction, Government, Learning, Game, etc.

The Importance of Understanding Information Security Risk

Two Sides of Technology

Benefits vs Risks
Multi-function, Flexible, Easy to use
Database Application, Web Application, Client Server, Networking, Integration, Cloud Computing

Benefits
Confidentiality, Integrity, Availability, Authenticity, Non-repudiation

Risks

Identity Theft, Information Theft, Industrial/State Espionage, Distributed Denial of Service, Sabotage, Cyber Weapon, Cyber War

Cyber Attack
(Affecting Individuals, Corporations & Countries)
Malicious software (virus, worm, key logger, spyware, trojan, botnet, etc.)
DoS, DDoS
Account hijacking
Misuse of IT resources
Web defacement
Spam, phishing, typosite (typosquatting)
Identity theft
Data leakage / information theft
Web transaction attacks
Cyber espionage
Attacks on control systems
Cyber weapon / cyber war (country / national security)

How to Mitigate Risk?

Diagram: INFORMATION SECURITY RISK. Business processes and information assets are exposed to RISK; PROTECTION keeps them SAFE.

Dimensions of Information Security

People: hiring, awareness, training/education, compliance, relocation, termination.
Process (Information Security Management System): information security policy, security management implementations & practices, and assurance controls.
Technology: hardware, software, networking, telecommunication.

Regulation & Best Practice

Government & Industry Regulation; Best Practice / Standard / Framework:
UU ITE 2008 (supporting government regulation (PP) - 2010)
PP 60/2008
PBI (Bank Indonesia Regulation) 2007
SNI-ISO 27001
Basel II (Banking Industry)
PCI-DSS (Payment Card Industry Data Security Standard)
SOX (Sarbanes-Oxley Act), JSOX (Japan SOX)
COBIT Framework
COSO Enterprise Risk Management Framework
ISO 27001 (SNI-ISO 27001 - Oct 2009), ISO 27002
HISA Framework

Information Security Governance


Information security governance is a subset of enterprise governance that provides strategic direction, ensures that objectives are achieved, manages risks appropriately, uses organisational resources responsibly, and monitors the success or failure of the enterprise security programme.

The Key Role of Management

Role of Management
It is very important for management to ensure that adequate resources (organisation, people, budget and time) are allocated to support the information security strategy as a whole.

Management Responsibilities

Management commitment: communicate the importance of achieving information security targets/objectives, both for the business and for the applicable laws and regulations, and keep pursuing continual improvement.
Establish the information security policy, its objectives and its plans.
Conduct management reviews.
Determine the acceptable level of risk.

Management Responsibilities

Provide resources: an organisation that operates the ISMS (SMKI); adequate information security controls; an adequate budget; and a balance between the resources required, the time available and the targeted level of security.

Management Responsibilities

Training, awareness and competence: the people appointed to manage the ISMS must be competent in information security. Provide training. Ensure employees are aware of information security.

SNI-ISO 27001 Information Security Management System

1. Information Security Policy
2. Organisation of Information Security
3. Asset Management
4. Human Resources Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Information Systems Acquisition, Development and Maintenance
9. Information Security Incident Management
10. Business Continuity Management
11. Compliance
http://sisni.bsn.go.id/index.php/sni_main/sni/detail_sni/10233

11 Domains of ISO 27001 & 27002

11 Domains, 39 Control Objectives, 133 Controls:
Security Policy
Organizational Security
Asset Classification and Control
Personnel Security
Physical and Environmental Security
Communication and Operation Management
Access Control
System Development and Maintenance
Information Security Incident Management
Business Continuity Management
Compliance

Legend: Organizational Aspect, Technical Aspect, Physical Aspect

ISO 27000 Series

27001: 2005 - Attainable certification (SNI version already exists)
27002: 2005 - Code of practice
27006: 2007 - Certification vendor process
27011: 2008 - Information Security Management for Telecommunication Organizations
27799: 2008 - Health care organizations
27000: 2009 - Glossary of terms
27004: 2009 - Information security measurement
27033-1: 2009 - Network Security
27003: 2010 - Implementation Guide
27007: 2011 - ISMS Auditing Guide
27008: 2011 - Technical Auditing [TR - Technical Report]
27005: 2011 - Risk management
27031: 2011 - Business Continuity
27034-1: 2011 - Application Security
27035: 2011 - Incident Management
27010: 2012 - For Inter-Organization Communications (Critical Infrastructure)

Layered Protection (Technical)

Diagram: Firewall, Web Server, Firewall, Database Server.

Network Security: routers, firewalls, switches, network
Host Security: patches, services, protocols, accounts, files / directories, ports, registry, shares, auditing / logging
Software Security: input validation, authentication, authorization, sensitive data protection, configuration management, session management, parameter manipulation, cryptography, exception management, auditing / logging

LinkedIn confirms hack, over 60% of stolen passwords already cracked (6 June 2012). All but two of the Conficker passwords were used by someone in the 6.5 million user password dump. The two passwords that weren't found were 'mypc123' and 'ihavenopass'.

Conficker passwords
(Note: the first Conficker variant appeared in November 2008.)

http://nakedsecurity.sophos.com/2012/06/06/linkedin-confirms-hack-over-60-of-stolen-passwords-already-cracked/

http://www.cl.cam.ac.uk/~jcb82/doc/B12-IEEESP-analyzing_70M_anonymized_passwords-slides.pdf

Joseph Bonneau Password Research Findings
(University of Cambridge computer scientist)

Experiment run May 23-25, 2011, on around 70 million passwords of Yahoo users. Too many users were using words found in a typical dictionary. Indonesians were the worst offenders in relying on common dictionary words: Bonneau found he could find the correct password for 15 per cent of Indonesian users after 1,000 attempts at each one using the most common words in the dictionary.

http://nasional.kompas.com/read/2012/06/04/17545317/Soal.Password..Indonesia.Negara.Terlemah

Password Tips
Minimum 8 characters; alphanumeric; UPPER and lower case letters; special characters
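The tips above describe a password policy in words; as an added example (not part of the original slides), the following Python checker enforces the same four rules and adds a dictionary check, since the Bonneau and LinkedIn slides show that common words and known weak passwords are what falls first. The wordlist is a constructed stand-in: the two entries 'mypc123' and 'ihavenopass' are the Conficker passwords the deck mentions, the others are placeholders for a real dictionary.

```python
import re

# Constructed demo wordlist. 'mypc123' and 'ihavenopass' come from the deck's
# Conficker slide; the remaining entries are placeholders for a real dictionary.
WEAK_PASSWORDS = {
    "mypc123", "ihavenopass", "password", "123456", "qwerty",
    "indonesia", "jakarta", "bandung",
}

# Any printable ASCII character that is neither a letter nor a digit.
SPECIAL_RE = re.compile(r"[^A-Za-z0-9\s]")


def check_password(pw, min_len=8, weak=WEAK_PASSWORDS):
    """Return the list of policy violations; an empty list means the password passes.

    Rules mirror the slide's tips: at least 8 characters, letters and digits,
    both upper and lower case, and at least one special character.  A
    dictionary check is added on top so that a decorated dictionary word
    ("Password1!") is still rejected.
    """
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c.isalpha() for c in pw) or not any(c.isdigit() for c in pw):
        problems.append("must contain both letters and digits")
    if not any(c.isupper() for c in pw) or not any(c.islower() for c in pw):
        problems.append("must contain both upper and lower case letters")
    if not SPECIAL_RE.search(pw):
        problems.append("must contain a special character")

    # Dictionary check: compare the raw lowercased value and the value with
    # digits/punctuation stripped, so "Jakarta2012!" is caught as "jakarta".
    lowered = pw.lower()
    stripped = re.sub(r"[^a-z]", "", lowered)
    if lowered in weak or (len(stripped) >= 4 and stripped in weak):
        problems.append("based on a common dictionary word or known weak password")
    return problems


def audit(passwords):
    """Count how many candidate passwords pass or fail the policy."""
    result = {"accepted": 0, "rejected": 0}
    for pw in passwords:
        result["accepted" if not check_password(pw) else "rejected"] += 1
    return result


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    for candidate in ["Kb7#rTq2!wLm", "mypc123", "ihavenopass", "Password1!", "Jakarta2012!"]:
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
    print(audit(["Kb7#rTq2!wLm", "mypc123", "Password1!"]))
```

The dictionary lookup is deliberately run on the stripped form as well as the raw value: a policy that only counts character classes is satisfied by "Password1!", which a wordlist-based guess finds almost immediately.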

Transpose & Transform (1)

Transpose & Transform (2)


Matrix 9 x 9

Password Controls in SNI-ISO 27001

11 Access Control
11.2 User Access Management
11.2.3 User Password Management

11.3 User Responsibilities
11.3.1 Password Use

Operating System Access Control
11.5.3 Password Management System

Threats and Protection (Multi Layer)

ISO 27001 Certificates in the World (April 2012)

ISO 27001 statistics:
85 countries; Japan 52%; 4 Asian countries in the Top 5; 5 Asian countries in the Top 10.

Indonesia is in position no. 41, the lowest among the founding ASEAN countries, and has already been overtaken by Vietnam.

http://www.iso27001certificates.com

http://sisni.bsn.go.id/index.php/sni_main/sni/detail_sni/10233