Information Security Trend, Knowledge and Promising Career
Medan, 12 June 2010
Delivering Quality and Competence
TRAINING, HIRING & INCREASE CAREER
By: Ir. Hogan Kusnadi, MSc, CISSP-ISSAP, CISA
CISSP (Certified Information Systems Security Professional), ISSAP (Information Systems Security Architecture Professional), CISA (Certified Information Systems Auditor)
Certified Consultant for ISO 27001/27002
Founder and Director, PT. UniPro Nuansa Indonesia
E-mail: [email protected]
www.unipro.co.id
blog.unipro.co.id
Activities and Memberships Related to Information Security
• Chair of the Technical Sub-Committee of the Ministry of Communications and Informatics (Kominfo) and BSN for Information Security, adopting ISO 27001, ISO 27002 and other parts of the ISO 27000 series.
• MASPI (Masyarakat Sandi dan Keamanan Informasi, the Indonesian Cryptography and Information Security Society). Founding member and Chair of the Competency Development Division (2006).
• (ISC)2, International Information Systems Security Certification Consortium
• ISACA (Information Systems Audit and Control Association), Member.
• Former member of the Minister of Communications and Informatics "Task Force for Security and Protection of IT-Based Strategic Infrastructure" (2004)
• Former member of the EVATIK Working Group, DETIKNAS (2007)
UniPro Clients
Holistic Information Security People – Process - Technology
MURI Award Certificate
UniPro Partners
Training Partner
Service Partner
Technology Partner
Seminar Activities
Digital Lifestyle & Workstyle
Access and Transactions: anywhere, anytime, anyone
Two Sides of Technology
Benefits vs Risks: multi-function, flexible, easy to use
Benefits: Confidentiality, Integrity, Availability, Authenticity, Non-repudiation
Risks
Technology areas at risk: Database, Application, Web Application, Client Server, Networking, Integration, Cloud Computing
Threats: Identity Theft, Information Theft, Industrial/State Espionage, Distributed Denial of Service
Fastest Malware Outbreak
INFORMATION SECURITY RISK
[Diagram: risk to business processes and information assets; protection keeps them safe]
Information Security Attack / Incident
Information Security Attacks in Indonesia
• Malicious software (Virus, Worm, Spyware, Keylogger, DoS, DDoS, etc.)
• Spam, Phishing
• Identity Theft *
• Data Leakage/Theft
• Web Defacement
• Web Transaction Attack
• Misuse of IT Resources
* Theft via ATM (Jan 2010)
[Chart: Attacks on Indonesian websites by .id domain, 1998-2009 (.go.id, .co.id, .or.id, .ac.id); .go.id: 2138 incidents; other bars shown: 792, 846, 1463. Source: www.zone-h.org]
[Chart: Attacks on government websites, 1998-2009; .go.id: 2138, compared with .gov.my and .gov.sg (bars shown: 711 and 17). Source: www.zone-h.org]
[Chart: Number of CISSPs, 2002-2010 (3-Oct-02 to 30-Mar-10), Indonesia vs Malaysia vs Singapore]
[Chart: Competency vs Incident (Government Websites, 2010): Number of CISSPs vs Number of Incidents, Indonesia, Malaysia, Singapore]
[Chart: Number of (ISC)² Members in Various Asian Economies, as of Aug 2009: Vietnam, Thailand, Singapore, Philippines, Malaysia, Korea, Indonesia, India, Hong Kong, Australia, China]
CISSP in the World
1000+: United States, Canada, United Kingdom, Hong Kong, Korea (South), Singapore
500+: Switzerland, Mexico, Brazil, France, Denmark, Netherlands, Australia, Japan, Germany, China, South Africa, Spain, Sweden, Russia, Saudi Arabia, Belgium, Malaysia
200+: Ireland
100+: Finland, Poland, Israel, New Zealand, Thailand, Taiwan, Italy, United Arab Emirates, India
Facts about IT Security
Data Theft WORLD RECORD
[Chart: records stolen per year, 2003-2010, scale 20,000,000 to 140,000,000; largest incidents: 2009 Heartland Payment Systems, 2008 T-Mobile/Deutsche Telekom, 2007 TJX Companies Inc, 2006 US Dept of Veterans Affairs, 2005 CardSystems, 2004 America Online]
[Chart: Indonesia vs World; 2008 Total Incidents Reported, Indonesia: 32]
Largest Incidents
CardSystems - Hacking Incident
• Hackers stole 263,000 customer credit card numbers and exposed 40 million more.
• In September 2004, hackers dropped a malicious script on the CardSystems application platform, injecting it via the web application that customers use to access account information. The script, programmed to run every four days, extracted records, zipped them and exported them to an FTP site.
• Visa and MasterCard threatened to terminate CardSystems as a transaction processor.
• CardSystems was acquired by Pay By Touch in October 2005.
Data Loss 2000-2009
GhostNet – Cyber Espionage (Report: 29 March 2009)
• Infected 1,295 computers, targeted at:
  – Ministries of foreign affairs
  – Embassies
  – International organizations
  – News media
  – NGOs
• 103 countries (Indonesia included)
Motivation Behind Cyber Attacks
• Just for FUN
• Fame and popularity
• Challenging activities
• Ideological/political
• Jealousy, anger
• Revenge
• Random attack
• Personal financial gain
• Organized crime for financial gain (FUND)
Change in the Security Landscape
5 Years Ago:
• Vandalism
• Incident is known
• Attack on systems
• Broad-based
• Individual
Now:
• Profit oriented
• Stealthy mode
• Attack on applications and data
• Targeted
• Organized crime
• (State) sponsored attack / espionage / sabotage
Hacking Is Easy
How to Mitigate Information Security Risk
Practical Personal Protection
AIDS: Acquired InfoSec Deficiency Syndrome
Regulation & Best Practice
• Government & Industry Regulation
  – UU ITE 2008 (supporting Government Regulation, 2010)
  – PP 60/2008
  – PBI (Bank Indonesia Regulation) 2007
  – Basel II (Banking Industry)
  – PCI-DSS (Payment Card Industry Data Security Standard)
  – SOX (Sarbanes-Oxley Act)
  – JSOX (Japan SOX)
• Best Practice / Standard / Framework
  – COBIT Framework
  – COSO Enterprise Risk Management Framework
  – ISO 27001 (SNI-ISO 27001, Oct 2009), ISO 27002
  – HISA Framework
HISA Framework Hogan Information Security Architecture Framework
Fractal
Risk Equation: Risk = Threat x Vulnerability x Asset
Risk Factor = T x V x A
[Diagram: minimum level of protection set against the threat level; current threat vs potential future threat]
MV Dumai Express 18, sailing from Dumai to Batam, sprang a leak and sank off Terkulai Island, Batupanjang, Dumai, 15 minutes after leaving Dumai Port on Monday (28/9) at around 10:00 WIB.
False Sense of Security
Non Effective Enforcement
Situ Gintung, Before and After 27 March 2009
Where is ISO 27001 Position in IT Governance?
UU ITE, PP60/2008, PBI
COSO
COBIT / ISO 38500
ISO 20000 / ITIL V3
SNI-ISO 27001
UniPro Public Training (by audience)
Managerial:
• Top Management: Information Security Governance for Top Executives
• General Management: Information Security Governance for General Management
• End User: Information Security Awareness & Security Policy Socialization
• IT Manager: Holistic Information Security; ISO 27001 Introduction; Security Policy Formulation
IT:
• IT Application: Holistic Information Security; Web Application Hacking & Countermeasures; Secure SDLC / CSSLP (Certified Secure Software Lifecycle Professional)
• IT Network: Holistic Information Security; Hacking Insight through Penetration Testing; Wireless Hacking & Defense; Packet Analysis & Troubleshooting
• IT Server: Holistic Information Security; Hacking Insight through Penetration Testing
• IT Security Manager: Holistic Information Security; ISO 27001 Introduction; ISO 27001 Implementation; Security Policy Formulation; BCP / DRP; CISSP (Certified Information Systems Security Professional)
• IT Security Personnel: Holistic Information Security; Incident Response & Handling; Log Management & Analysis; Hacking Insight through Penetration Testing; Wireless Hacking & Defense; Packet Analysis & Troubleshooting; Forensic Investigation Analysis; SSCP (Systems Security Certified Practitioner)
• Physical Security: Information Security for Physical Security Personnel
ISO 27001 Series: International Standard for Information Security Management Systems
• Based on British Standard BS 7799, which provides comprehensive guidance on the controls used to implement information security.
• ISMS best-practice pair:
  – Criteria for certification: ISO 27001:2005 (was BS 7799-2:2005)
  – Guideline for best practice: ISO 27002 (was ISO 17799:2005)
ISO 27002 includes the following control areas:
1. Security Policy
2. Organizing Information Security
3. Asset Management
4. Human Resources Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Information Systems Acquisition, Development and Maintenance
9. Information Security Incident Management
10. Business Continuity Management
11. Compliance
ISO 27001 Certificates in the World (Jan 2010)
ISO 27001 statistics: 81 countries; Japan 55%; 4 Asian countries in the top 5; 5 Asian countries in the top 10; Indonesia at position 42, the lowest among the founding ASEAN countries.
http://www.iso27001certificates.com
Information Security Solution
7 DETIKNAS Flagships
• e-Education
• e-Budgeting
• e-Procurement
• National Identity Number
• National Single Window
• Palapa Ring
• Software Legalization
Indonesian Security Experts
[Pyramid: High Level Skill of InfoSec (International Certification) at the top, Medium Level of InfoSec in the middle, Care / Awareness at the base]
The Economics of Supply and Demand: Red Ocean vs Blue Ocean
• Many other IT skills: Applicants >> Jobs
• InfoSec skills: Jobs >> Applicants
Job Postings (CISSP Certification Required; from www.isc2.org)
Manager/Analyst/Engineer
• Computer Systems Security
• Cyber Network Operations Planning Specialist - $75K
• Cyber Security Specialist
• Data & System Security Specialist
• Digital Forensics Analyst
• Functional Security/Penetration Testers/Telecommute
• Information Security Analyst
• Information System Security (ISS) Project/Program Manager
• IT Security Specialist
• Manager, Security Policy, Compliance, and Risk Management
• Manager, Security Program Management
• Network Security Manager
• Project Manager Data Center
• Security Operations Center Analyst
• Security System Administrator - $95K
• Senior Computer Forensic Examiner
• Technical Manager of Applications Security Consulting
• Technology Risk Analyst
• Vulnerability Management Engineer
Consultant/Auditor
• Consulting Partner
• Entry Level IT Security Consultant
• Information Technology (IT) Auditor
• Senior IT Auditor
Critical Infrastructure
• Critical Infrastructure Protection Specialist
• NATO Cyber Defence Coordinator
Others
• Recruiter
• Sales Engineer
• Senior Technical Recruiter, Human Resources
• Technical Writer
Business Function
• Analyst, Business Analysis (Security Due Diligence)
• Business Continuity and Operational Quality Assurance Role
• Identity Management Architect/Developer
• Senior Enterprise Architect
• Senior Information Assurance Engineer
• Senior Security Architect
Executive Management
• Chief Information Security Officer
• Director of Security
• Director, Information Security
• VP Governance, Risk and Compliance
• VP Security Engineering
• VP, Enterprise Security
• VP/Information Assurance
US Department of Defense Directive 8570: Information Security Certifications Required for 2010
IAT Level I: A+, Network+, SSCP
IAT Level II: GSEC, Security+, SCNP, SSCP
IAT Level III: CISA, GSE, SCNA, CISSP (or Associate)
IAM Level I: CAP, GISF, GSLC, Security+
IAM Level II: CAP, GSLC, CISM, CISSP (or Associate)
IAM Level III: GSLC, CISM, CISSP (or Associate)
IASAE I: CISSP (or Associate)
IASAE II: CISSP (or Associate)
IASAE III: CISSP-ISSAP, CISSP-ISSEP
CND Analyst: GCIA, CEH
CND Infrastructure Support: SSCP, CEH
CND Incident Responder: GCIH, CSIH, CEH
CND Auditor: CISA, GSNA, CEH
CND-SP Manager: CISSP-ISSMP, CISM
IAT: Information Assurance Technical
IAM: Information Assurance Management
IASAE: Information Assurance Security Architecture and Engineering
CND: Computer Network Defense
Level I: Junior Level; Level II: Middle Level; Level III: Senior Level
FBI Recruits CISSPs
Technology Partner
Training Partner
Certification
Experience
Competence
Why UniPro?
Your InfoSec Learning Path
Drivers: Regulation & Standards (UU ITE, PBI, SNI ISO 27001), Customer Requirements, Career Opportunities
[Pyramid: Fundamental, Essential, Professional, Advanced, Expert; International Certification, e.g. SSCP, CISSP-ISSAP]
TRAINING, HIRING & INCREASE CAREER (THINC) PROGRAM
Special Note: The THINC program is also supported by the Human Resources Research and Development Agency (Balitbang SDM) of the Ministry of Communications and Informatics as recognition of its quality and in line with the government's VISION & MISSION. This program will become part of SKKNI (Standar Kompetensi Kerja Nasional Indonesia, the Indonesian National Work Competency Standards).
Silver Program (Promo)
• Essential Information Security (4 Days)
• Enterprise Information Security Technology (6 Days)
• Exam (1 Day)
• Total (11 Days)
Essential Information Security
No  Training Module                             Days
1   Essential Information Security Foundation   2
2   Essential Packet Analysis                   1
3   Essential Web Application Security          1
Essential Information Security Foundation
Day I
• Introduction
• InfoSec Management Concept
• InfoSec Practical Concept
• Threat and Attack
• Firewall
Day II
• Firewall
• IDS/IPS
• VPN
• Data Protection
Essential Packet Analysis
• TCP/IP Security
• TCP/IP Header
• Stimulus and Response
• Tcpdump
• Wireshark
Essential Web Application Security
• Introduction to Web Threats
• Assessment Method
• OWASP Top 10 Vulnerabilities
• Web Application Firewall
Enterprise InfoSec Technology
No  Training Module             Days
1   Firewall Fundamental        1
2   Firewall 1 (Check Point)    1
3   Firewall 2 (Juniper)        1
4   IPS (TippingPoint)          1
5   Proxy (Blue Coat)           1
6   Load Balancer (F5)          1
Firewall Fundamental (1 Day)
• Basic TCP/IP
• Firewall Technology
• Firewall Design & Rules
• Firewall Rules & Discussion
Firewall 1 - Check Point (1 Day)
• Check Point FW SecurePlatform
• Check Point FW Smart Management
• Check Point FW Installation
• Check Point FW Smart Management Installation
• Policy Implementation
Firewall 2 - Juniper (1 Day)
• Juniper Firewall Introduction
• Juniper FW Installation
• Policy Implementation
• Multiple Layers Policy Implementation
Intrusion Prevention System (1 Day)
• IPS Architecture
• TippingPoint IPS Introduction
• TippingPoint IPS Installation
• Configuring TippingPoint IPS
• Customize Policy & Monitoring Log
Proxy (1 Day)
• Blue Coat Introduction
• Proxy Features & Topology
• Blue Coat Proxy Installation
• Configuring Blue Coat Proxy
• Visual Policy Manager
• Customize Policy & Monitoring Log
Load Balancer (1 Day)
• F5 Introduction
• Load Balancer Introduction
• F5 Installation
• Configuring F5 LTM
• Load Balancing Methodology
• Monitoring Log & Performance
Prerequisites
• Subjects/courses that should be studied in preparation before taking the THINC Silver class:
  – Data Communications
  – Computer Networks
  – Computer Operating Systems
Package pricing (individual modules)
Bronze A (Essential Information Security):
  Essential Information Security Foundation    2 days   Rp. 1.300.000,-
  Essential Packet Analysis                    1 day    Rp.   650.000,-
  Essential Web Application Security           1 day    Rp.   650.000,-
  Bronze A Package                             4 days   Rp. 2.200.000,-
Bronze B (Enterprise InfoSec Technology):
  Firewall Fundamental                         1 day    Rp.   750.000,-
  Firewall 1 (Check Point)                     1 day    Rp.   750.000,-
  Firewall 2 (Juniper)                         1 day    Rp.   750.000,-
  IPS (TippingPoint)                           1 day    Rp.   750.000,-
  Proxy (Blue Coat)                            1 day    Rp.   750.000,-
  Load Balancer (F5)                           1 day    Rp.   750.000,-
  Bronze B Package                             6 days   Rp. 4.000.000,-
Exam                                           1 day    Rp.   500.000,-
Total Individual Modules + Exam               11 days   Rp. 7.600.000,-
Note: minimum 32 participants, maximum 40 per class
Silver Package pricing
Essential Information Security:
  Essential Information Security Foundation    2 days   Rp. 1.300.000,-
  Essential Packet Analysis                    1 day    Rp.   650.000,-
  Essential Web Application Security           1 day    Rp.   650.000,-
Enterprise InfoSec Technology:
  Firewall Fundamental                         1 day    Rp.   750.000,-
  Firewall 1 (Check Point)                     1 day    Rp.   750.000,-
  Firewall 2 (Juniper)                         1 day    Rp.   750.000,-
  IPS (TippingPoint)                           1 day    Rp.   750.000,-
  Proxy (Blue Coat)                            1 day    Rp.   750.000,-
  Load Balancer (F5)                           1 day    Rp.   750.000,-
Exam                                           1 day    Rp.   500.000,-
Silver Package                                11 days   Rp. 5.000.000,-
Note: minimum 32 participants, maximum 40 per class
SILVER PROMO!!!
Program: SILVER PROMO
Training: 10 Days; Exam: 1 Day
Price: IDR 5 Million/Student; 32-40 students per class
INTEGRATION SIMULATION (2 Days with a Real Lab in JAKARTA)
Invest in Your Future NOW!!
Seats Limited
"A journey of a thousand miles begins with a single step." Lao Tzu, Chinese philosopher (6th century BC)