kominfo solo - standar keamanan informasi v 1-1.1
TRANSCRIPT
Information Security Standards
Solo, 28 June 2012
Hogan Kusnadi
CISSP-ISSAP, SSCP, CISA, CISM
Ir. Hogan Kusnadi, MSc
CISSP-ISSAP, SSCP, CISA, CISM
• CISSP (Certified Information Systems Security Professional)
• ISSAP (Information Systems Security Architecture Professional)
• SSCP (System Security Certified Practitioner)
• CISA (Certified Information Systems Auditor)
• CISM (Certified Information Security Manager)
Certified Consultant for ISO 27001/27002
Founder and Director
PT. UniPro Nuansa Indonesia
E-mail: [email protected]
www.unipro.co.id
blog.unipro.co.id
Activities and Memberships Related to Information Security
• Chair of the Ministry of Communication and Informatics (Kominfo) and BSN working group on information security, adopting the ISO 27000 series as SNI (Indonesian National Standards) (2012).
• MASPI (Masyarakat Sandi dan Keamanan Informasi, the Indonesian Cryptography and Information Security Society): founding member and Head of Competence Development (2006).
• (ISC)2 (International Information Systems Security Certification Consortium), member.
• ISACA (Information Systems Audit and Control Association), member.
• Former member of the Minister of Communication and Informatics' "Task Force for Securing and Protecting IT-Based Strategic Infrastructure" (2004).
• Former member of the EVATIK working group of DETIKNAS (2007).
Launch of SNI-ISO 20000 & 27001 (Kominfo & BSN, October 2009)
Information Security Training
Secure Asia Singapore, July 2010
Recipient of the ISLA Awards 2011 (Indonesia)
Rapid Growth of ICT (Information and Communication Technology)
Access and transactions:
• Anywhere
• Anytime
• Anyone
e- and Mobile Commerce
Electronic transactions are everywhere:
• Commerce
• Micropayment
• Auction
• Government
• Learning
• Games
• etc.
The Importance of Understanding Information Security Risk
Two Sides of Technology: Benefits vs Risks
Benefits: multi-function, flexible, easy to use.
Security properties at stake: confidentiality, integrity, availability, authenticity, non-repudiation.
Technologies that bring both: database applications, web applications, client/server, network integration, cloud computing.
Risks: identity theft, information theft, industrial/state espionage, distributed denial of service, sabotage and cyber weapons, cyber war.
Cyber Attacks (Affecting Individuals, Corporations and Countries)
• Malware (virus, worm, keylogger, spyware, Trojan, botnet, etc.)
• DoS, DDoS
• Account hijacking
• Misuse of IT resources
• Web defacement
• Spam, phishing, typosquatting sites
• Identity theft
• Data leakage / information theft
• Web transaction attacks
• Cyber espionage
• Attacks on control systems
• Cyber weapons / cyber war
• Country / national security
How Do We Mitigate the Risk?
INFORMATION SECURITY RISK
(Diagram: Business Process, Information Assets; Risk, Protection, Safe)
Dimensions of Information Security
• People
– Hiring, awareness, training/education, compliance, relocation, termination.
• Process (Information Security Management System)
– Information security policy, security management implementation and practices, and assurance controls.
• Technology
– Hardware, software, networking, telecommunications.
Regulation & Best Practice
• Government & Industry Regulation
– UU ITE 2008 (Electronic Information and Transactions Law; supporting Government Regulation, 2010)
– PP 60/2008 (Government Regulation)
– PBI (Bank Indonesia Regulation) 2007
– SNI-ISO 27001
– Basel II (banking industry)
– PCI-DSS (Payment Card Industry Data Security Standard)
– SOX (Sarbanes-Oxley Act), J-SOX (Japan SOX)
• Best Practice / Standard / Framework
– COBIT Framework
– COSO Enterprise Risk Management Framework
– ISO 27001 (SNI-ISO 27001, October 2009), ISO 27002
– HISA Framework
Information Security Governance
Information security governance is a subset of enterprise governance that provides strategic direction, ensures that objectives are achieved, manages risks appropriately, uses organisational resources responsibly, and monitors the success or failure of the enterprise security programme.
The Critical Role of Management
The Role of Management
It is essential that management ensures adequate resources (organisation, people, budget and time) are allocated to support the information security strategy as a whole.
Management Responsibilities
Management Commitment
• Communicate the importance of achieving information security targets/objectives, both for the business and for applicable legal and regulatory requirements, and keep pursuing continual improvement.
• Establish the information security policy, its objectives and plans.
• Conduct management reviews.
• Decide the acceptable level of risk.
Management Responsibilities
Provision of Resources
• An organisation to run the ISMS (Information Security Management System)
• Adequacy of the information security controls
• An adequate budget
• A balance between the resources required, the time available and the targeted level of security
Management Responsibilities
Training, Awareness and Competence
• The people appointed to manage the ISMS must be competent in information security.
• Provide training.
• Ensure that employees are aware of information security.
SNI-ISO 27001
Information Security Management System
1. Information Security Policy
2. Organisation of Information Security
3. Asset Management
4. Human Resources Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Information Systems Acquisition, Development and Maintenance
9. Information Security Incident Management
10. Business Continuity Management
11. Compliance
http://sisni.bsn.go.id/index.php/sni_main/sni/detail_sni/10233
11 Domains of ISO 27001 & 27002
Organisational aspect:
• Security Policy
• Organizational Security
• Asset Classification and Control
• Personnel Security
• Business Continuity Management
• Compliance
Technical aspect:
• Access Control
• Communication and Operation Management
• System Development and Maintenance
• Information Security Incident Management
Physical aspect:
• Physical and Environmental Security
Legend: 11 domains, 39 control objectives, 133 controls
ISO 27000 Series
• 27001: 2005 - Attainable certification (an SNI version exists)
• 27002: 2005 - Code of practice
• 27006: 2007 - Certification vendor process
• 27011: 2008 - Information security management for telecommunication organizations
• 27799: 2008 - Health care organizations
• 27000: 2009 - Glossary of terms
• 27004: 2009 - Information security measurement
• 27033-1: 2009 - Network security
• 27003: 2010 - Implementation guide
• 27007: 2011 - ISMS auditing guide
• 27008: 2011 - Technical auditing [TR - Technical Report]
• 27005: 2011 - Risk management
• 27031: 2011 - Business continuity
• 27034-1: 2011 - Application security
• 27035: 2011 - Incident management
• 27010: 2012 - Inter-organization communications (critical infrastructure)
Layered Protection (Technical)
Host security: patches, accounts, ports, services, files/directories, registry, protocols, auditing/logging, shares.
Software security: input validation, session management, authentication, parameter manipulation, authorization, cryptography, sensitive data protection, exception management, configuration management, auditing/logging.
Network security: routers, firewalls, switches.
(Diagram: firewall, web server, firewall, database server, with the host and network layers drawn around each server.)
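The software-security layer of the slide names its controls but does not show what they look like in code. The following is an added example, not code from the presentation, showing four of them (input validation, resistance to parameter manipulation, authorization and exception management) in a web request handler: a deliberately vulnerable version that trusts the client's id parameter beside a hardened one. The order store, user names, handler names and status-code mapping are constructed for the illustration.

```python
import re
from typing import Callable

# Constructed sample data for the example: orders keyed by id, each owned by
# a user. In a real application this is the database behind the web server.
ORDERS = {
    1001: {"owner": "alice", "total": 250000},
    1002: {"owner": "bob", "total": 99000},
}


class BadRequest(Exception):
    """Client sent a parameter that fails validation (HTTP 400)."""


class Forbidden(Exception):
    """Client asked for something it may not see (HTTP 403)."""


def get_order_vulnerable(session_user: str, params: dict) -> dict:
    """Trusts the client. Whatever ?id= says is looked up and returned, so
    alice can read bob's order by editing the parameter (parameter
    manipulation, no authorization), and a non-numeric id becomes an
    unhandled exception (no exception management)."""
    order_id = int(params["id"])   # ValueError on 'abc' or '1 OR 1=1'
    return ORDERS[order_id]        # KeyError on unknown id, no owner check


def get_order_hardened(session_user: str, params: dict) -> dict:
    """Same lookup with the software-security controls from the slide."""
    # Input validation: allow-list the parameter's format before using it.
    raw = params.get("id", "")
    if not re.fullmatch(r"[0-9]{1,10}", raw):
        raise BadRequest("id must be a decimal number")
    order_id = int(raw)
    # Authorization: the owner comes from the server-side session, never
    # from the request, so rewriting the URL cannot change who is asking.
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != session_user:
        # Exception management: one answer for 'no such order' and 'not
        # yours', so the id space cannot be enumerated by probing.
        raise Forbidden("order not available")
    # Sensitive data protection: return only the fields the caller needs.
    return {"id": order_id, "total": order["total"]}


def handle(handler: Callable[[str, dict], dict], session_user: str,
           params: dict) -> tuple[int, dict]:
    """Minimal dispatcher mapping handler outcomes to HTTP status codes."""
    try:
        return 200, handler(session_user, params)
    except BadRequest as exc:
        return 400, {"error": str(exc)}
    except Forbidden as exc:
        return 403, {"error": str(exc)}
    except Exception:  # anything else is a bug: log it server-side, say nothing
        return 500, {"error": "internal error"}


if __name__ == "__main__":
    for fn in (get_order_vulnerable, get_order_hardened):
        for pid in ("1001", "1002", "abc"):
            print(fn.__name__, pid, handle(fn, "alice", {"id": pid}))
```

Run as a script, the vulnerable handler hands alice bob's order for id=1002 and returns a 500 for id=abc, while the hardened one answers 403 for both a foreign and a non-existent id and 400 for anything that is not a decimal number, before the value ever reaches the data layer.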
LinkedIn confirms hack, over 60% of stolen passwords already cracked (6 June 2012)
All but two of the Conficker passwords were used by someone in the 6.5 million user password dump. The two passwords that weren't found were 'mypc123' and 'ihavenopass'
http://nakedsecurity.sophos.com/2012/06/06/linkedin-confirms-hack-over-60-of-stolen-passwords-already-cracked/
Conficker passwords (Note: the first Conficker variant appeared in November 2008)
http://www.cl.cam.ac.uk/~jcb82/doc/B12-IEEESP-analyzing_70M_anonymized_passwords-slides.pdf
Joseph Bonneau's Password Research Findings (University of Cambridge computer scientist)
• Experiment run May 23–25, 2011
• Around 70 million passwords from Yahoo users
• Too many users were using words found in a typical dictionary
• Indonesians were the worst offenders in relying on common dictionary words. Bonneau found he could find the correct password for 15 per cent of Indonesian users after 1,000 attempts at each one using the most common words in the dictionary.
http://nasional.kompas.com/read/2012/06/04/17545317/Soal.Password..Indonesia.Negara.Terlemah
Password Tips
• Minimum 8 characters
• Alphanumeric (letters and digits)
• UPPER and lower case letters
• Special characters
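The four tips above describe a complexity policy; the LinkedIn and Yahoo findings on the preceding slides show that the control such a policy misses is a check against common dictionary words. The following is an added example, not code from the presentation, that checks a candidate password against the four rules and against a small blocklist after undoing the decorations (trailing digits, leet substitutions) that crackers strip first. The blocklist and the substitution table are constructed for the illustration; a production check would load a real leaked-password list.

```python
import re

MIN_LENGTH = 8

# Constructed blocklist for the example: a few dictionary entries of the kind
# the Yahoo study found, plus the two Conficker passwords quoted on the
# LinkedIn slide. A real deployment would load a leaked-password list instead.
COMMON_WORDS = frozenset({
    "password", "123456", "qwerty", "indonesia", "jakarta", "admin",
    "letmein", "welcome", "mypc123", "ihavenopass",
})

# Leet-speak substitutions that crackers undo before a dictionary lookup
# (assumed table for the example, not an exhaustive one).
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})


def _strip_ends(s: str) -> str:
    """Drop leading/trailing non-letters: 'jakarta2012!' -> 'jakarta'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def candidate_forms(password: str) -> set[str]:
    """Forms of the password a dictionary attack would try: as typed
    (lower-cased), with decorating digits/symbols stripped, and with
    leet substitutions undone ('P@ssw0rd1!' -> 'password')."""
    lower = password.lower()
    stripped = _strip_ends(lower)
    deleet = _strip_ends(stripped.translate(_LEET))
    return {lower, stripped, deleet} - {""}


def check_password(password: str) -> list[str]:
    """Return the list of rules the password violates (empty = acceptable).
    Rules 1-4 are the slide's tips; rule 5 is the dictionary blocklist."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("must contain both letters and digits")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("must contain both upper- and lower-case letters")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("must contain a special character")
    if candidate_forms(password) & COMMON_WORDS:
        problems.append("based on a common dictionary word")
    return problems


def is_acceptable(password: str) -> bool:
    """True when no rule is violated."""
    return not check_password(password)


if __name__ == "__main__":
    for pw in ["mypc123", "P@ssw0rd1!", "Jakarta2012!", "Tr0ub4dor&3"]:
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
```

Note what the run shows: 'Jakarta2012!' and 'P@ssw0rd1!' satisfy all four complexity tips yet are rejected by the dictionary check, which is the point the Yahoo and LinkedIn data make. The complexity rules also reject a long lower-case passphrase such as 'correct horse battery staple' while accepting the shorter 'Tr0ub4dor&3', so treat them as a floor against trivial passwords rather than as a measure of strength; length and a blocklist of leaked passwords do more work than the character-class rules.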
Transpose & Transform (1)
Transpose & Transform (2)
Matrix 9 x 9
Password Controls in SNI-ISO 27001
• 11 Access Control
– 11.2 User Access Management
• 11.2.3 User Password Management
– 11.3 User Responsibilities
• 11.3.1 Password Use
– 11.5 Operating System Access Control
• 11.5.3 Password Management System
Threats and Protection (Multi-Layer)
ISO 27001 Statistics:
• 85 countries
• Japan 52%
• 4 Asian countries in the top 5
• 5 Asian countries in the top 10
• Indonesia in position 41, the lowest among the founding ASEAN countries and already overtaken by Vietnam.
ISO 27001 Certificates in the World (April 2012)
http://www.iso27001certificates.com
http://sisni.bsn.go.id/index.php/sni_main/sni/detail_sni/10233