what is security

What is SecurityNetwork Security Workshop

Dedi Dwianto, C|EH, OSCPDaftar ISI

Workshop Keamanan Jaringan

2

Contents

Information Security

Confidentiality

Integrity

Availability

Authentication

Network Security


3

Security

SECURITY

DETEC

TION

RESPONSE

PREVENTION


4

Prevention

The foundation of the security trinity is prevention. To provide some level of security, it is necessary to implement measures to prevent the exploitation of vulnerabilities.

In developing network security schemes, organizations should emphasize preventative measures over detection and response: It is easier, more efficient, and much more cost-effective to prevent a security breach than to detect or respond to one.


5

PP No 12 tahun 2012

Pasal 20 Penyelenggara Sistem Elektronik wajib memiliki dan

menjalankan prosedur dan sarana untuk pengamanan Sistem Elektronik dalam menghindari gangguan, kegagalan, dan kerugian.

Penyelenggara Sistem Elektronik wajib menyediakan sistem pengamanan yang mencakup prosedur dan sistem pencegahan dan penanggulangan terhadap ancaman dan serangan yang menimbulkan gangguan, kegagalan, dan kerugian.


6

Detection

Once preventative measures are implemented, procedures need to be put in place to detect potential problems or security breaches, in the event preventative measures fail.


7

PP No 12 tahun 2012

Pasal 18 Penyelenggara Sistem Elektronik wajib menyediakan

rekam jejak audit terhadap seluruh kegiatan Penyelenggaraan Sistem Elektronik.

Rekam jejak audit sebagaimana dimaksud pada ayat (1) digunakan untuk keperluan pengawasan, penegakan hukum, penyelesaian sengketa, verifikasi, pengujian, dan pemeriksaan lainnya.


8

Response

Organizations need to develop a plan that identifies the appropriate response to a security breach.

The plan should be in writing and should identify who is responsible for what actions and the varying responses and levels of escalation.

Before beginning a meaningful discussion on computer and network security, we need to define what it entails.


9

Response

First, network security is not a technical problem; it is a business and people problem.

The technology is the easy part.

The difficult part is developing a security plan that fits the organization's business operation and getting people to comply with the plan.


10

Response

Next, companies need to answer some fundamental questions, including the following. How do you define network security? How do you determine what is an adequate level of

security?


11

PP No 12 tahun 2012

Pasal 17 Penyelenggara Sistem Elektronik untuk pelayanan publik

wajib memiliki rencana keberlangsungan kegiatan untuk menanggulangi gangguan atau bencana sesuai dengan risiko dari dampak yang ditimbulkannya.

Pasal 20 Dalam hal terjadi kegagalan atau gangguan sistem yang

berdampak serius sebagai akibat perbuatan dari pihak lain terhadap Sistem Elektronik, Penyelenggara Sistem Elektronik wajib mengamankan data dan segera melaporkan dalam kesempatan pertama kepada aparat penegak hukum atau Instansi Pengawas dan Pengatur Sektor terkait.


12


Information is an asset that, like other important business assets, is essential to an organization’s business and consequently needs to be suitably protected.

Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.


13



14


The Information Security paradigm consists of Confidentiality, Integrity and Availability (CIA) construct.

Information Systems security consists of hardware, software and communications security.

The Information Security standards apply information security to protect at three levels: physical, personal and organizational. Essentially, procedures or policies are implemented to tell people how to use products to ensure information security within organizations.


15

PP No 12 tahun 2012

Pasal 38 Dalam penyelenggaraan Agen Elektronik, penyelenggara

Agen Elektronik wajib memperhatikan prinsip: kehati-hatian; pengamanan dan terintegrasinya sistem Teknologi

informasi pengendalian pengamanan atas aktivitas Transaksi Elektronik; efektivitas dan efisiensi biaya; dan perlindungan konsumen sesuai dengan ketentuan peraturan perundang-undangan.


16

PP No 12 tahun 2012

Pasal 38 Prinsip pengendalian pengamanan data pengguna

dan Transaksi Elektronik sebagaimana dimaksud pada ayat (2) meliputi: kerahasiaan; integritas; ketersediaan; keautentikan; otorisasi; dan kenirsangkalan.


17

Confidentiality

The property that information is not made available or disclosed to unauthorized individuals, entities, or processes [ISO/IEC 13335-1:2004]


18

Confidentiality agreements

Confidentiality or non-disclosure agreements should address the requirement to protect confidential information using legally enforceable terms.

To identify requirements for confidentiality or non- disclosure agreements, the following elements should be considered:


19


a definition of the information to be protected (e.g. confidential information);

expected duration of an agreement, including cases where confidentiality might need to be maintained indefinitely;

required actions when an agreement is terminated;

responsibilities and actions of signatories to avoid unauthorized information disclosure (such as ‘need to know’);

ownership of information, trade secrets and intellectual property, and how this relates to the protection of confidential information;

the permitted use of confidential information, and rights of the signatory to use information;

the right to audit and monitor activities that involve confidential information;


20


Confidentiality and non-disclosure agreements should comply with all applicable laws and regulations for the jurisdiction to which it applies


21

Integrity

the property of safeguarding the accuracy and completeness of assets [ISO/IEC 13335-1:2004]


22

Controls against malicious code

To protect the integrity of software and information.

Software and information processing facilities are vulnerable to the introduction of malicious code, such as computer viruses, network worms, Trojan horses, and logic bombs.

Users should be made aware of the dangers of malicious code


23

Controls against malicious code

The following guidance should be considered: establishing a formal policy prohibiting the use of unauthorized

software establishing a formal policy to protect against risks associated with

obtaining files and software either from or via external networks, or on any other medium, indicating what protective measures should be taken;

conducting regular reviews of the software and data content of systems supporting critical business processes; the presence of any unapproved files or unauthorized amendments should be formally investigated;

installation and regular update of malicious code detection and repair software to scan computers and media as a precautionary control, or on a routine basis


24

PP No 12 tahun 2012

Pasal 29 ayat 1.d menyusun dan melaksanakan metode dan prosedur

untuk melindungi dan/atau merahasiakan integritas data, catatan, dan informasi terkait Transaksi Elektronik;


25

Availability

the property of being accessible and usable upon demand by an authorized entity [ISO/IEC 13335-1:2004]


26

PP No 12 tahun 2012

Pasal 51 ayat 1 Dalam penyelenggaraan Transaksi Elektronik para

pihak wajib menjamin: pemberian data dan informasi yang benar; dan ketersediaan sarana dan layanan serta penyelesaian pengaduan.


27

Equipment maintenance

Equipment should be correctly maintained to ensure its continued availability and integrity.


28

Implementation guidance

equipment should be maintained in accordance with the supplier’s recommended service intervals and specifications;

only authorized maintenance personnel should carry out repairs and service equipment;

records should be kept of all suspected or actual faults, and all preventive and corrective maintenance;

appropriate controls should be implemented when equipment is scheduled for maintenance, taking into account whether this maintenance is performed by personnel on site or external to the organization; where necessary, sensitive information should be cleared from the equipment, or the maintenance personnel should be sufficiently cleared;


29

Capacity management

The use of resources should be monitored, tuned, and projections made of future capacity requirements to ensure the required system performance.

For each new and ongoing activity, capacity requirements should be identified.

System tuning and monitoring should be applied to ensure and, where necessary, improve the availability and efficiency of systems


30

System acceptance

Acceptance criteria for new information systems, upgrades, and new versions should be established and suitable tests of the system(s) carried out during development and prior to acceptance.

Managers should ensure that the requirements and criteria for acceptance of new systems are clearly defined, agreed, documented, and tested.

New information systems, upgrades, and new versions should only be migrated into production after obtaining formal acceptance


31

Backup

To maintain the integrity and availability of information and information processing facilities.

Adequate back-up facilities should be provided to ensure that all essential information and software can be recovered following a disaster or media failure.


32

Authentication

the process of proving one's identity to someone else.

As humans, we authenticate each other in many ways: we recognize each others' faces when we meet; we recognize each others' voices on the telephone; we are authenticated by the customs official who checks us against the picture on our passport


33

Authentication

What you Have

What you Know

What you are


34

PP No 12 tahun 2012

Pasal 39 ayat 1 Penyelenggara Agen Elektronik wajib:

melakukan pengujian keautentikan identitas dan memeriksa otorisasi Pengguna Sistem Elektronik yang melakukan Transaksi Elektronik

memastikan pengendalian terhadap otorisasi dan hak akses terhadap sistem, database, dan aplikasi Transaksi Elektronik;


35

PP No 12 tahun 2012

Pasal 39 ayat 1 Penyelenggara Agen Elektronik wajib:

melakukan pengujian keautentikan identitas dan memeriksa otorisasi Pengguna Sistem Elektronik yang melakukan Transaksi Elektronik

memastikan pengendalian terhadap otorisasi dan hak akses terhadap sistem, database, dan aplikasi Transaksi Elektronik;


36

PP No 12 tahun 2012

Dalam melakukan pengujian keautentikan identitas dan memeriksa otorisasi

Pengguna Sistem Elektronik, perlu memperhatikan antara lain: kebijakan dan prosedur tertulis untuk memastikan kemampuan untuk menguji keautentikan identitas dan memeriksa kewenangan Pengguna Sistem Elektronik; metode untuk menguji keautentikan; dan kombinasi paling sedikit 2 (dua) faktor autentikasi (two

factor authentication) adalah “what you know” (PIN/password), “what you have” (kartu magnetis dengan chip,

token, digital signature), “what you are” atau “biometrik” (retina dan sidik jari).


37

PP No 12 tahun 2012

Pasal 50 ayat 1 Tanda Tangan Elektronik berfungsi sebagai alat

autentikasi dan verifikasi atas: identitas Penanda Tangan; dan keutuhan dan keautentikan Informasi Elektronik.


38

PP No 12 tahun 2012

Pasal 50 ayat 1 Tanda Tangan Elektronik berfungsi sebagai alat

autentikasi dan verifikasi atas: identitas Penanda Tangan; dan keutuhan dan keautentikan Informasi Elektronik.


39

PP No 12 tahun 2012

Faktor autentikasi yang dapat dipilih untuk dikombinasikan dapat dibedakan dalam 3 (tiga) jenis, yakni:a. sesuatu yang dimiliki secara individu (what you have) misalnya kartu ATM atau smart card;b. sesuatu yang diketahui secara individu (what you know) misalnya PIN/password atau kunci kriptografi; danc. sesuatu yang merupakan ciri/karakteristik seorang individu (what you are) misalnya pola suara (voice pattern), dinamika tulisan tangan (handwriting dynamics), atau sidik jari (fingerprint).


40

Network Security

consist of communications security.


41

Developing network and host-based security policies

Policy on use of network services Users should only be provided with access to the

services that they have been specifically authorized to use.

A policy should be formulated concerning the use of networks and network services. This policy should cover:


42

Policy on use of network services

the networks and network services which are allowed to be accessed;

authorization procedures for determining who is allowed to access which networks and networked services;

management controls and procedures to protect access to network connections and network services;

the means used to access networks and network services (e.g. the conditions for allowing dial-up access to an Internet service provider or remote system).


43

User authentication for external connections

Appropriate authentication methods should be used to control access by remote users.

Authentication of remote users can be achieved using, for example, a cryptographic based technique, hardware tokens, or a challenge/response protocol.

Possible implementations of such techniques can be found in various virtual private network (VPN) solutions.

Dedicated private lines can also be used to provide assurance of the source of connections.


44

Equipment identification in networks

Automatic equipment identification should be considered as a means to authenticate connections from specific locations and equipment.

Equipment identification can be used if it is important that the communication can only be initiated from a specific location or equipment.

An identifier in or attached to, the equipment can be used to indicate whether this equipment is permitted to connect to the network.


45

Remote diagnostic and configuration port protection

Physical and logical access to diagnostic and configuration ports should be controlled.

Potential controls for the access to diagnostic and configuration ports include the use of a key lock and supporting procedures to control physical access to the port.

Ports, services, and similar facilities installed on a computer or network facility, which are not specifically required for business functionality, should be disabled or removed.


46

Secure log-on procedures

Access to operating systems should be controlled by a secure log-on procedure.

The procedure for logging into an operating system should be designed to minimize the opportunity for unauthorized access.

The log-on procedure should therefore disclose the minimum of information about the system, in order to avoid providing an unauthorized user with any unnecessary assistance


47

Segregation in networks

Groups of information services, users, and information systems should be segregated on networks.

One method of controlling the security of large networks is to divide them into separate logical network domains, e.g. an organization’s internal network domains and external network domains, each protected by a defined security perimeter


48

Segregation in networks

Such a network perimeter can be implemented by installing a secure gateway between the two networks to be interconnected to control access and information flow between the two domains. This gateway should be configured to filter traffic between these domains and to block unauthorized access in accordance with the organization’s access control policy .


49

Network connection control

For shared networks, especially those extending across the organization’s boundaries, the capability of users to connect to the network should be restricted, in line with the access control policy and requirements of the business applications


50

User identification and authentication

All users should have a unique identifier (user ID) for their personal use only, and a suitable authentication technique should be chosen to substantiate the claimed identity of a user.

This control should be applied for all types of users (including technical support personnel, operators, network administrators, system programmers, and database administrators).


51

Access Control Policy

An access control policy should be established, documented, and reviewed based on business and security requirements for access.

Access control rules and rights for each user or group of users should be clearly stated in an access control policy.

Access controls are both logical and physical and these should be considered together. Users and service providers should be given a clear statement of the business requirements to be met by access controls.


52


security requirements of individual business applications;

identification of all information related to the business applications and the risks the information is facing;

policies for information dissemination and authorization, e.g. the need to know principle and security levels and classification of information


53


consistency between the access control and information classification policies of different systems and networks;

relevant legislation and any contractual obligations regarding protection of access to data or services

management of access rights in a distributed and networked environment which recognizes all types of connections available;

segregation of access control roles, e.g. access request, access authorization, access administration;

requirements for formal authorization of access requests


54


requirements for periodic review of access controls ;


removal of access rights

standard user access profiles for common job roles in the organization;


55


requirements for periodic review of access controls ;


removal of access rights

standard user access profiles for common job roles in the organization;


56

User access management

To ensure authorized user access and to prevent unauthorized access to information systems.

The procedures should cover all stages in the life-cycle of user access, from the initial registration of new users to the final de-registration of users who no longer require access to information systems and services. Special attention should be given, where appropriate, to the need to control the allocation of privileged access rights, which allow users to override system controls.


57

User registration

using unique user IDs to enable users to be linked to and held responsible for their actions; the use of group IDs should only be permitted where they are necessary for business or operational reasons, and should be approved and documented

checking that the user has authorization from the system owner for the use of the information system or service; separate approval for access rights from management may also be appropriate

checking that the level of access granted is appropriate to the business purpose


58

Privilege management

The allocation and use of privileges should be restricted and controlled.

Multi-user systems that require protection against unauthorized access should have the allocation of privileges controlled through a formal authorization process.


59

Privilege management

the access privileges associated with each system product, e.g. operating system, database management system and each application, and the users to which they need to be allocated should be identified;

privileges should be allocated to users on a need-to-use basis and on an event-by-event basis in line with the access control policy

an authorization process and a record of all privileges allocated should be maintained. Privileges should not be granted until the authorization process is complete;

the development and use of system routines should be promoted to avoid the need to grant privileges to users;


60

Security of network services

Security features, service levels, and management requirements of all network services should be identified and included in any network services agreement, whether these services are provided in- house or outsourced.

The ability of the network service provider to manage agreed services in a secure way should be determined and regularly monitored, and the right to audit should be agreed.

The security arrangements necessary for particular services, such as security features, service levels, and management requirements, should be identified.


61

Network Security Audit Processes

Identification of potential vulnerabilities in operating practices on the physical network, on connected servers and network devices, and in combination

Identification and assessment of current network vulnerability controls

Prioritization of the vulnerabilities into categories of severity based on potential consequences, and in the light of common industry practice

Recommendations of tools, processes, and standards based on common industry practice to appropriately manage vulnerabilities.


62


The approach followed was: Through discussion with relevant personnel, obtain an

understanding of key business processes supported and associated areas of risk

Discuss the network history, architecture, future direction, and concerns with IT staff

Obtain and review current documents, including policies and procedures, architecture specifications, management reports, etc

Perform control analysis in light of industry ‘best practices’


63


The audit was segmented into the following areas of examination: Policy and Management Practices Outsourcing Architecture Logical Security Monitoring Incident Response Change Control Remote Access.


64

Audit Logging

To detect unauthorized information processing activities.

Audit logs recording user activities, exceptions, and information security events should be produced and kept for an agreed period to assist in future investigations and access control monitoring.


65

Audit Logging

Audit logs should include, when relevant: userIDs; dates, times, and details of key events, e.g. log-on and log-off; terminal identity or location if possible; records of successful and rejected system access attempts; records of successful and rejected data and other resource

access attempts; changes to system configuration;


66

Operational procedures and responsibilities

To ensure the correct and secure operation of information processing facilities.

Responsibilities and procedures for the management and operation of all information processing facilities should be established. This includes the development of appropriate operating procedures.

Segregation of duties should be implemented, where appropriate, to reduce the risk of negligent or deliberate system misuse.


67


The operating procedures should specify the instructions for the detailed execution of each job including : processing and handling of information; backup scheduling requirements, including interdependencies with

other systems, earliest job start and latest job completion times;

instructions for handling errors or other exceptional conditions, which might arise during job execution, including restrictions on the use of system utilities


68


support contacts in the event of unexpected operational or technical difficulties;

special output and media handling instructions, such as the use of special stationery or the management of confidential output including procedures for secure disposal of output from failed jobs

system restart and recovery procedures for use in the event of system failure;

the management of audit-trail and system log information


69

Policy on the use of cryptographic controls

When developing a cryptographic policy the following should be considered: the use of encryption for protection of sensitive information

transported by mobile or removable media, devices or across communication lines;

the approach to key management, including methods to deal with the protection of cryptographic keys and the recovery of encrypted information in the case of lost, compromised or damaged keys;


70

Policy on the use of cryptographic controls

A policy on the use of cryptographic controls for protection of information should be developed and implemented.

When developing a cryptographic policy the following should be considered: the management approach towards the use of cryptographic

controls across the organization, based on a risk assessment, the required level of protection

should be identified taking into account the type, strength, and quality of the encryption algorithm required;

what is security

Documents

security breach

security trinity

communications security

information security

information systems

information security

security plan thatfits

adequate level of security