what is security
DESCRIPTION
Workshop Keamanan jaringanTRANSCRIPT
What is SecurityNetwork Security Workshop
Dedi Dwianto, C|EH, OSCPDaftar ISI
Workshop Keamanan Jaringan
2
Contents
Information Security
Confidentiality
Integrity
Availability
Authentication
Network Security
Workshop Keamanan Jaringan
3
Security
SECURITY
DETEC
TION
RESPONSE
PREVENTION
Workshop Keamanan Jaringan
4
Prevention
The foundation of the security trinity is prevention. To provide some level of security, it is necessary to implement measures to prevent the exploitation of vulnerabilities.
In developing network security schemes, organizations should emphasize preventative measures over detection and response: It is easier, more efficient, and much more cost-effective to prevent a security breach than to detect or respond to one.
Workshop Keamanan Jaringan
5
PP No 12 tahun 2012
Pasal 20 Penyelenggara Sistem Elektronik wajib memiliki dan
menjalankan prosedur dan sarana untuk pengamanan Sistem Elektronik dalam menghindari gangguan, kegagalan, dan kerugian.
Penyelenggara Sistem Elektronik wajib menyediakan sistem pengamanan yang mencakup prosedur dan sistem pencegahan dan penanggulangan terhadap ancaman dan serangan yang menimbulkan gangguan, kegagalan, dan kerugian.
Workshop Keamanan Jaringan
6
Detection
Once preventative measures are implemented, procedures need to be put in place to detect potential problems or security breaches, in the event preventative measures fail.
Workshop Keamanan Jaringan
7
PP No 12 tahun 2012
Pasal 18 Penyelenggara Sistem Elektronik wajib menyediakan
rekam jejak audit terhadap seluruh kegiatan Penyelenggaraan Sistem Elektronik.
Rekam jejak audit sebagaimana dimaksud pada ayat (1) digunakan untuk keperluan pengawasan, penegakan hukum, penyelesaian sengketa, verifikasi, pengujian, dan pemeriksaan lainnya.
Workshop Keamanan Jaringan
8
Response
Organizations need to develop a plan that identifies the appropriate response to a security breach.
The plan should be in writing and should identify who is responsible for what actions and the varying responses and levels of escalation.
Before beginning a meaningful discussion on computer and network security, we need to define what it entails.
Workshop Keamanan Jaringan
9
Response
First, network security is not a technical problem; it is a business and people problem.
The technology is the easy part.
The difficult part is developing a security plan that fits the organization's business operation and getting people to comply with the plan.
Workshop Keamanan Jaringan
10
Response
Next, companies need to answer some fundamental questions, including the following. How do you define network security? How do you determine what is an adequate level of
security?
Workshop Keamanan Jaringan
11
PP No 12 tahun 2012
Pasal 17 Penyelenggara Sistem Elektronik untuk pelayanan publik
wajib memiliki rencana keberlangsungan kegiatan untuk menanggulangi gangguan atau bencana sesuai dengan risiko dari dampak yang ditimbulkannya.
Pasal 20 Dalam hal terjadi kegagalan atau gangguan sistem yang
berdampak serius sebagai akibat perbuatan dari pihak lain terhadap Sistem Elektronik, Penyelenggara Sistem Elektronik wajib mengamankan data dan segera melaporkan dalam kesempatan pertama kepada aparat penegak hukum atau Instansi Pengawas dan Pengatur Sektor terkait.
Workshop Keamanan Jaringan
12
Information Security
Information is an asset that, like other important business assets, is essential to an organization’s business and consequently needs to be suitably protected.
Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.
Workshop Keamanan Jaringan
13
Information Security
Workshop Keamanan Jaringan
14
Information Security
The Information Security paradigm consists of Confidentiality, Integrity and Availability (CIA) construct.
Information Systems security consists of hardware, software and communications security.
The Information Security standards apply information security to protect at three levels: physical, personal and organizational. Essentially, procedures or policies are implemented to tell people how to use products to ensure information security within organizations.
Workshop Keamanan Jaringan
15
PP No 12 tahun 2012
Pasal 38 Dalam penyelenggaraan Agen Elektronik, penyelenggara
Agen Elektronik wajib memperhatikan prinsip: kehati-hatian; pengamanan dan terintegrasinya sistem Teknologi
informasi pengendalian pengamanan atas aktivitas Transaksi Elektronik; efektivitas dan efisiensi biaya; dan perlindungan konsumen sesuai dengan ketentuan peraturan perundang-undangan.
Workshop Keamanan Jaringan
16
PP No 12 tahun 2012
Pasal 38 Prinsip pengendalian pengamanan data pengguna
dan Transaksi Elektronik sebagaimana dimaksud pada ayat (2) meliputi: kerahasiaan; integritas; ketersediaan; keautentikan; otorisasi; dan kenirsangkalan.
Workshop Keamanan Jaringan
17
Confidentiality
The property that information is not made available or disclosed to unauthorized individuals, entities, or processes [ISO/IEC 13335-1:2004]
Workshop Keamanan Jaringan
18
Confidentiality agreements
Confidentiality or non-disclosure agreements should address the requirement to protect confidential information using legally enforceable terms.
To identify requirements for confidentiality or non- disclosure agreements, the following elements should be considered:
Workshop Keamanan Jaringan
19
Confidentiality agreements
a definition of the information to be protected (e.g. confidential information);
expected duration of an agreement, including cases where confidentiality might need to be maintained indefinitely;
required actions when an agreement is terminated;
responsibilities and actions of signatories to avoid unauthorized information disclosure (such as ‘need to know’);
ownership of information, trade secrets and intellectual property, and how this relates to the protection of confidential information;
the permitted use of confidential information, and rights of the signatory to use information;
the right to audit and monitor activities that involve confidential information;
Workshop Keamanan Jaringan
20
Confidentiality agreements
Confidentiality and non-disclosure agreements should comply with all applicable laws and regulations for the jurisdiction to which it applies
Workshop Keamanan Jaringan
21
Integrity
the property of safeguarding the accuracy and completeness of assets [ISO/IEC 13335-1:2004]
Workshop Keamanan Jaringan
22
Controls against malicious code
To protect the integrity of software and information.
Software and information processing facilities are vulnerable to the introduction of malicious code, such as computer viruses, network worms, Trojan horses, and logic bombs.
Users should be made aware of the dangers of malicious code
Workshop Keamanan Jaringan
23
Controls against malicious code
The following guidance should be considered: establishing a formal policy prohibiting the use of unauthorized
software establishing a formal policy to protect against risks associated with
obtaining files and software either from or via external networks, or on any other medium, indicating what protective measures should be taken;
conducting regular reviews of the software and data content of systems supporting critical business processes; the presence of any unapproved files or unauthorized amendments should be formally investigated;
installation and regular update of malicious code detection and repair software to scan computers and media as a precautionary control, or on a routine basis
Workshop Keamanan Jaringan
24
PP No 12 tahun 2012
Pasal 29 ayat 1.d menyusun dan melaksanakan metode dan prosedur
untuk melindungi dan/atau merahasiakan integritas data, catatan, dan informasi terkait Transaksi Elektronik;
Workshop Keamanan Jaringan
25
Availability
the property of being accessible and usable upon demand by an authorized entity [ISO/IEC 13335-1:2004]
Workshop Keamanan Jaringan
26
PP No 12 tahun 2012
Pasal 51 ayat 1 Dalam penyelenggaraan Transaksi Elektronik para
pihak wajib menjamin: pemberian data dan informasi yang benar; dan ketersediaan sarana dan layanan serta penyelesaian pengaduan.
Workshop Keamanan Jaringan
27
Equipment maintenance
Equipment should be correctly maintained to ensure its continued availability and integrity.
Workshop Keamanan Jaringan
28
Implementation guidance
equipment should be maintained in accordance with the supplier’s recommended service intervals and specifications;
only authorized maintenance personnel should carry out repairs and service equipment;
records should be kept of all suspected or actual faults, and all preventive and corrective maintenance;
appropriate controls should be implemented when equipment is scheduled for maintenance, taking into account whether this maintenance is performed by personnel on site or external to the organization; where necessary, sensitive information should be cleared from the equipment, or the maintenance personnel should be sufficiently cleared;
Workshop Keamanan Jaringan
29
Capacity management
The use of resources should be monitored, tuned, and projections made of future capacity requirements to ensure the required system performance.
For each new and ongoing activity, capacity requirements should be identified.
System tuning and monitoring should be applied to ensure and, where necessary, improve the availability and efficiency of systems
Workshop Keamanan Jaringan
30
System acceptance
Acceptance criteria for new information systems, upgrades, and new versions should be established and suitable tests of the system(s) carried out during development and prior to acceptance.
Managers should ensure that the requirements and criteria for acceptance of new systems are clearly defined, agreed, documented, and tested.
New information systems, upgrades, and new versions should only be migrated into production after obtaining formal acceptance
Workshop Keamanan Jaringan
31
Backup
To maintain the integrity and availability of information and information processing facilities.
Adequate back-up facilities should be provided to ensure that all essential information and software can be recovered following a disaster or media failure.
Workshop Keamanan Jaringan
32
Authentication
the process of proving one's identity to someone else.
As humans, we authenticate each other in many ways: we recognize each others' faces when we meet; we recognize each others' voices on the telephone; we are authenticated by the customs official who checks us against the picture on our passport
Workshop Keamanan Jaringan
33
Authentication
What you Have
What you Know
What you are
Workshop Keamanan Jaringan
34
PP No 12 tahun 2012
Pasal 39 ayat 1 Penyelenggara Agen Elektronik wajib:
melakukan pengujian keautentikan identitas dan memeriksa otorisasi Pengguna Sistem Elektronik yang melakukan Transaksi Elektronik
memastikan pengendalian terhadap otorisasi dan hak akses terhadap sistem, database, dan aplikasi Transaksi Elektronik;
Workshop Keamanan Jaringan
35
PP No 12 tahun 2012
Pasal 39 ayat 1 Penyelenggara Agen Elektronik wajib:
melakukan pengujian keautentikan identitas dan memeriksa otorisasi Pengguna Sistem Elektronik yang melakukan Transaksi Elektronik
memastikan pengendalian terhadap otorisasi dan hak akses terhadap sistem, database, dan aplikasi Transaksi Elektronik;
Workshop Keamanan Jaringan
36
PP No 12 tahun 2012
Dalam melakukan pengujian keautentikan identitas dan memeriksa otorisasi
Pengguna Sistem Elektronik, perlu memperhatikan antara lain: kebijakan dan prosedur tertulis untuk memastikan kemampuan untuk menguji keautentikan identitas dan memeriksa kewenangan Pengguna Sistem Elektronik; metode untuk menguji keautentikan; dan kombinasi paling sedikit 2 (dua) faktor autentikasi (two
factor authentication) adalah “what you know” (PIN/password), “what you have” (kartu magnetis dengan chip,
token, digital signature), “what you are” atau “biometrik” (retina dan sidik jari).
Workshop Keamanan Jaringan
37
PP No 12 tahun 2012
Pasal 50 ayat 1 Tanda Tangan Elektronik berfungsi sebagai alat
autentikasi dan verifikasi atas: identitas Penanda Tangan; dan keutuhan dan keautentikan Informasi Elektronik.
Workshop Keamanan Jaringan
38
PP No 12 tahun 2012
Pasal 50 ayat 1 Tanda Tangan Elektronik berfungsi sebagai alat
autentikasi dan verifikasi atas: identitas Penanda Tangan; dan keutuhan dan keautentikan Informasi Elektronik.
Workshop Keamanan Jaringan
39
PP No 12 tahun 2012
Faktor autentikasi yang dapat dipilih untuk dikombinasikan dapat dibedakan dalam 3 (tiga) jenis, yakni:a. sesuatu yang dimiliki secara individu (what you have) misalnya kartu ATM atau smart card;b. sesuatu yang diketahui secara individu (what you know) misalnya PIN/password atau kunci kriptografi; danc. sesuatu yang merupakan ciri/karakteristik seorang individu (what you are) misalnya pola suara (voice pattern), dinamika tulisan tangan (handwriting dynamics), atau sidik jari (fingerprint).
Workshop Keamanan Jaringan
40
Network Security
consist of communications security.
Workshop Keamanan Jaringan
41
Developing network and host-based security policies
Policy on use of network services Users should only be provided with access to the
services that they have been specifically authorized to use.
A policy should be formulated concerning the use of networks and network services. This policy should cover:
Workshop Keamanan Jaringan
42
Policy on use of network services
the networks and network services which are allowed to be accessed;
authorization procedures for determining who is allowed to access which networks and networked services;
management controls and procedures to protect access to network connections and network services;
the means used to access networks and network services (e.g. the conditions for allowing dial-up access to an Internet service provider or remote system).
Workshop Keamanan Jaringan
43
User authentication for external connections
Appropriate authentication methods should be used to control access by remote users.
Authentication of remote users can be achieved using, for example, a cryptographic based technique, hardware tokens, or a challenge/response protocol.
Possible implementations of such techniques can be found in various virtual private network (VPN) solutions.
Dedicated private lines can also be used to provide assurance of the source of connections.
Workshop Keamanan Jaringan
44
Equipment identification in networks
Automatic equipment identification should be considered as a means to authenticate connections from specific locations and equipment.
Equipment identification can be used if it is important that the communication can only be initiated from a specific location or equipment.
An identifier in or attached to, the equipment can be used to indicate whether this equipment is permitted to connect to the network.
Workshop Keamanan Jaringan
45
Remote diagnostic and configuration port protection
Physical and logical access to diagnostic and configuration ports should be controlled.
Potential controls for the access to diagnostic and configuration ports include the use of a key lock and supporting procedures to control physical access to the port.
Ports, services, and similar facilities installed on a computer or network facility, which are not specifically required for business functionality, should be disabled or removed.
Workshop Keamanan Jaringan
46
Secure log-on procedures
Access to operating systems should be controlled by a secure log-on procedure.
The procedure for logging into an operating system should be designed to minimize the opportunity for unauthorized access.
The log-on procedure should therefore disclose the minimum of information about the system, in order to avoid providing an unauthorized user with any unnecessary assistance
Workshop Keamanan Jaringan
47
Segregation in networks
Groups of information services, users, and information systems should be segregated on networks.
One method of controlling the security of large networks is to divide them into separate logical network domains, e.g. an organization’s internal network domains and external network domains, each protected by a defined security perimeter
Workshop Keamanan Jaringan
48
Segregation in networks
Such a network perimeter can be implemented by installing a secure gateway between the two networks to be interconnected to control access and information flow between the two domains. This gateway should be configured to filter traffic between these domains and to block unauthorized access in accordance with the organization’s access control policy .
Workshop Keamanan Jaringan
49
Network connection control
For shared networks, especially those extending across the organization’s boundaries, the capability of users to connect to the network should be restricted, in line with the access control policy and requirements of the business applications
Workshop Keamanan Jaringan
50
User identification and authentication
All users should have a unique identifier (user ID) for their personal use only, and a suitable authentication technique should be chosen to substantiate the claimed identity of a user.
This control should be applied for all types of users (including technical support personnel, operators, network administrators, system programmers, and database administrators).
Workshop Keamanan Jaringan
51
Access Control Policy
An access control policy should be established, documented, and reviewed based on business and security requirements for access.
Access control rules and rights for each user or group of users should be clearly stated in an access control policy.
Access controls are both logical and physical and these should be considered together. Users and service providers should be given a clear statement of the business requirements to be met by access controls.
Workshop Keamanan Jaringan
52
Access Control Policy
security requirements of individual business applications;
identification of all information related to the business applications and the risks the information is facing;
policies for information dissemination and authorization, e.g. the need to know principle and security levels and classification of information
Workshop Keamanan Jaringan
53
Access Control Policy
consistency between the access control and information classification policies of different systems and networks;
relevant legislation and any contractual obligations regarding protection of access to data or services
management of access rights in a distributed and networked environment which recognizes all types of connections available;
segregation of access control roles, e.g. access request, access authorization, access administration;
requirements for formal authorization of access requests
Workshop Keamanan Jaringan
54
Access Control Policy
requirements for periodic review of access controls ;
relevant legislation and any contractual obligations regarding protection of access to data or services
removal of access rights
standard user access profiles for common job roles in the organization;
Workshop Keamanan Jaringan
55
Access Control Policy
requirements for periodic review of access controls ;
relevant legislation and any contractual obligations regarding protection of access to data or services
removal of access rights
standard user access profiles for common job roles in the organization;
Workshop Keamanan Jaringan
56
User access management
To ensure authorized user access and to prevent unauthorized access to information systems.
The procedures should cover all stages in the life-cycle of user access, from the initial registration of new users to the final de-registration of users who no longer require access to information systems and services. Special attention should be given, where appropriate, to the need to control the allocation of privileged access rights, which allow users to override system controls.
Workshop Keamanan Jaringan
57
User registration
using unique user IDs to enable users to be linked to and held responsible for their actions; the use of group IDs should only be permitted where they are necessary for business or operational reasons, and should be approved and documented
checking that the user has authorization from the system owner for the use of the information system or service; separate approval for access rights from management may also be appropriate
checking that the level of access granted is appropriate to the business purpose
Workshop Keamanan Jaringan
58
Privilege management
The allocation and use of privileges should be restricted and controlled.
Multi-user systems that require protection against unauthorized access should have the allocation of privileges controlled through a formal authorization process.
Workshop Keamanan Jaringan
59
Privilege management
the access privileges associated with each system product, e.g. operating system, database management system and each application, and the users to which they need to be allocated should be identified;
privileges should be allocated to users on a need-to-use basis and on an event-by-event basis in line with the access control policy
an authorization process and a record of all privileges allocated should be maintained. Privileges should not be granted until the authorization process is complete;
the development and use of system routines should be promoted to avoid the need to grant privileges to users;
Workshop Keamanan Jaringan
60
Security of network services
Security features, service levels, and management requirements of all network services should be identified and included in any network services agreement, whether these services are provided in- house or outsourced.
The ability of the network service provider to manage agreed services in a secure way should be determined and regularly monitored, and the right to audit should be agreed.
The security arrangements necessary for particular services, such as security features, service levels, and management requirements, should be identified.
Workshop Keamanan Jaringan
61
Network Security Audit Processes
Identification of potential vulnerabilities in operating practices on the physical network, on connected servers and network devices, and in combination
Identification and assessment of current network vulnerability controls
Prioritization of the vulnerabilities into categories of severity based on potential consequences, and in the light of common industry practice
Recommendations of tools, processes, and standards based on common industry practice to appropriately manage vulnerabilities.
Workshop Keamanan Jaringan
62
Network Security Audit Processes
The approach followed was: Through discussion with relevant personnel, obtain an
understanding of key business processes supported and associated areas of risk
Discuss the network history, architecture, future direction, and concerns with IT staff
Obtain and review current documents, including policies and procedures, architecture specifications, management reports, etc
Perform control analysis in light of industry ‘best practices’
Workshop Keamanan Jaringan
63
Network Security Audit Processes
The audit was segmented into the following areas of examination: Policy and Management Practices Outsourcing Architecture Logical Security Monitoring Incident Response Change Control Remote Access.
Workshop Keamanan Jaringan
64
Audit Logging
To detect unauthorized information processing activities.
Audit logs recording user activities, exceptions, and information security events should be produced and kept for an agreed period to assist in future investigations and access control monitoring.
Workshop Keamanan Jaringan
65
Audit Logging
Audit logs should include, when relevant: userIDs; dates, times, and details of key events, e.g. log-on and log-off; terminal identity or location if possible; records of successful and rejected system access attempts; records of successful and rejected data and other resource
access attempts; changes to system configuration;
Workshop Keamanan Jaringan
66
Operational procedures and responsibilities
To ensure the correct and secure operation of information processing facilities.
Responsibilities and procedures for the management and operation of all information processing facilities should be established. This includes the development of appropriate operating procedures.
Segregation of duties should be implemented, where appropriate, to reduce the risk of negligent or deliberate system misuse.
Workshop Keamanan Jaringan
67
Operational procedures and responsibilities
The operating procedures should specify the instructions for the detailed execution of each job including : processing and handling of information; backup scheduling requirements, including interdependencies with
other systems, earliest job start and latest job completion times;
instructions for handling errors or other exceptional conditions, which might arise during job execution, including restrictions on the use of system utilities
Workshop Keamanan Jaringan
68
Operational procedures and responsibilities
support contacts in the event of unexpected operational or technical difficulties;
special output and media handling instructions, such as the use of special stationery or the management of confidential output including procedures for secure disposal of output from failed jobs
system restart and recovery procedures for use in the event of system failure;
the management of audit-trail and system log information
Workshop Keamanan Jaringan
69
Policy on the use of cryptographic controls
When developing a cryptographic policy the following should be considered: the use of encryption for protection of sensitive information
transported by mobile or removable media, devices or across communication lines;
the approach to key management, including methods to deal with the protection of cryptographic keys and the recovery of encrypted information in the case of lost, compromised or damaged keys;
Workshop Keamanan Jaringan
70
Policy on the use of cryptographic controls
A policy on the use of cryptographic controls for protection of information should be developed and implemented.
When developing a cryptographic policy the following should be considered: the management approach towards the use of cryptographic
controls across the organization, based on a risk assessment, the required level of protection
should be identified taking into account the type, strength, and quality of the encryption algorithm required;