TRAINING, HIRING & INCREASE CAREER
Delivering Quality and Competence

Information Security Trend, Knowledge and Promising Career

Medan, 12 June 2010


By: Ir. Hogan Kusnadi, MSc, CISSP-ISSAP, CISA
CISSP (Certified Information Systems Security Professional)
ISSAP (Information Systems Security Architecture Professional)
CISA (Certified Information Systems Auditor)
Certified Consultant for ISO 27001/27002
Founder and Director, PT. UniPro Nuansa Indonesia

E-mail: [email protected]

www.unipro.co.id

blog.unipro.co.id

Activities and Memberships Related to Information Security

• Chair of the Technical Sub-Committee of the Ministry of Communication and Informatics (Kominfo) and BSN for Information Security, adopting ISO 27001, ISO 27002 and other parts of the ISO 27000 series.
• MASPI (Masyarakat Sandi dan Keamanan Informasi, the Indonesian Cryptography and Information Security Society): founding member and Chair of Competency Development (2006).
• (ISC)2 International Information Systems Security Certification Consortium
• ISACA (Information Systems Audit and Control Association), Member.
• Former member of the Minister of Communication and Informatics' "Task Force for Securing and Protecting IT-Based Strategic Infrastructure" (2004)
• Former member of the EVATIK Working Group, DETIKNAS (2007)

UniPro Clients

Holistic Information Security: People – Process – Technology

MURI Award Certificate

Technology Partner / Training Partner / Service Partner

UniPro Partners

Seminar Activities

Access and Transactions

• Anywhere
• Anytime
• Anyone

Two Sides of Technology: Benefits vs Risks

Benefits: multi-function, flexible, easy to use
Risks to: confidentiality, integrity, availability, authenticity, non-repudiation

Technologies: Database Application, Web Application, Client Server, Networking Integration, Cloud Computing
Threats: Identity Theft, Information Theft, Industrial/State Espionage, Distributed Denial of Service, Fastest Malware Outbreak

INFORMATION SECURITY RISK
(Diagram: Business Process and Information Assets, with the labels RISK, PROTECTION and SAFE)

Information Security Attack / Incident

Information Security Attacks in Indonesia

• Malicious software (virus, worm, spyware, keylogger, DoS, DDoS, etc.)
• Spam, phishing
• Identity theft *
• Data leakage/theft
• Web defacement
• Web transaction attack
• Misuse of IT resources

* Theft via ATM (Jan 2010)

Attacks Against Indonesian Websites, .id Domains 1998–2009 (source: www.zone-h.org)
(Chart: bars for .go.id, .co.id, .or.id and .ac.id; values extracted: 2138, 1463, 846, 792)

Attacks Against Government Domain Websites 1998–2009 (source: www.zone-h.org)
(Chart: .go.id = 2138; the .gov.my and .gov.sg values were extracted as the fused string "71117")

CISSP 2002–2010
(Chart: CISSP holders in Indonesia, Malaysia and Singapore, 3-Oct-02 to 30-Mar-10; y-axis 0 to 1200)

Competency vs Incident (Government Website 2010)
(Chart: Number of CISSP vs Number of Incidents for Indonesia, Malaysia and Singapore; y-axis 0 to 2500; as of Aug 2009)

Number of (ISC)² Members in Various Asian Economies
(Chart: Australia, China, Hong Kong, India, Indonesia, Korea, Malaysia, Philippines, Singapore, Thailand, Vietnam; y-axis 0 to 2500)

CISSP in the World
(Map legend: 1000+, 500+, 200+, 100+ CISSPs. Countries shown: Canada, Hong Kong, United Kingdom, United States, South Korea, Singapore, Australia, Netherlands, China, Germany, Japan, South Africa, Finland, United Arab Emirates, Saudi Arabia, Taiwan, Belgium, Ireland, Sweden, France, Brazil, Mexico, Italy, Denmark, Spain, Malaysia, Israel, New Zealand, Russia, Poland, India, Switzerland, Thailand)

Facts about IT Security

Data Theft World Record
2009 Heartland Payment Systems
2008 T-Mobile, Deutsche Telekom
2007 TJX Companies Inc
2006 US Dept of Veterans Affairs
2005 CardSystems
2004 America Online

Indonesia 2008 Total Incidents Reported
(Chart: World vs Indonesia, 2003–2010; y-axis 0 to 140,000,000)

Largest Incidents

CardSystems – Hacking Incident

• Hackers had stolen 263,000 customer credit card numbers and exposed 40 million more.
• In September 2004, hackers dropped a malicious script on the CardSystems application platform, injecting it via the Web application that customers use to access account information. The script, programmed to run every four days, extracted records, zipped them and exported them to an FTP site.
• Visa and MasterCard threatened to terminate it as a transaction processor.
• CardSystems was acquired by Pay By Touch in October 2005.

Data Loss 2000-2009

GhostNet – Cyber Espionage (report: 29 March 2009)

• Infected 1,295 computers
• Targeted at:
– Ministries of foreign affairs,
– Embassies,
– International organizations,
– News media,
– and NGOs.
• 103 countries (Indonesia included)

Motivation Behind Cyber Attacks

• Just for FUN

• Fame and popularity

• Challenging activities

• Ideological/political

• Jealousy, anger

• Revenge

• Random attack

• Personal financial gain

• Organized crime for financial gain (FUND)

Change in the Security Landscape

5 Years Ago
• Vandalism
• Incident is known
• Attack system
• Broad base
• Individual

Now
• Profit oriented
• Stealthy mode
• Attack application and data
• Targeted
• Organized crime
• (State) sponsored attack / espionage / sabotage

Hacking Is Easy

How to Mitigate Information Security Risk

Practical Personal Protection

AIDS: Acquired InfoSec Deficiency Syndrome

Regulation & Best Practice

• Government & Industry Regulation
– UU ITE 2008 (Electronic Information and Transactions Law; supporting government regulation, 2010)
– PP 60/2008 (Government Regulation 60/2008)
– PBI (Bank Indonesia Regulation) 2007
– Basel II (Banking Industry)
– PCI-DSS (Payment Card Industry Data Security Standard)
– SOX (Sarbanes-Oxley Act)
– JSOX (Japan SOX)

• Best Practice / Standard / Framework
– COBIT Framework
– COSO Enterprise Risk Management Framework
– ISO 27001 (SNI-ISO 27001, Oct 2009), ISO 27002
– HISA Framework

HISA Framework: Hogan Information Security Architecture Framework
(Diagram: fractal)

Risk Equation
Risk = Threat x Vulnerability x Asset
Risk Factor = T x V x A
(Chart: Risk Factor plotted against Threat Level, from the current threat to the potential future threat, with the minimum level of protection marked)

MV Dumai Express-18, sailing from Dumai to Batam, sprang a leak and sank off Terkulai Island, Batupanjang, Dumai, 15 minutes after departing Dumai Port on Monday (28/9) at around 10:00 WIB.

False Sense of Security

Non-Effective Enforcement

Situ Gintung, Before and After 27 March 2009

Where Is ISO 27001 Positioned in IT Governance?
(Diagram: ISO 20000 / ITIL V3; SNI-ISO 27001; COBIT / ISO 38500; UU ITE, PP 60/2008, PBI; COSO)

UniPro Public Training

Managerial: Holistic Information Security; ISO 27001 Introduction; ISO 27001 Implementation; Security Policy Formulation; BCP / DRP; CISSP (Certified Information Systems Security Professional)
– Top Management: Information Security Governance for Top Executives
– General Management: Information Security Governance for General Management
– End User: Information Security Awareness & Security Policy Socialization

IT Manager: Holistic Information Security; ISO 27001 Introduction; Security Policy Formulation

IT Application: Holistic Information Security; Web Application Hacking & Countermeasures; Secure SDLC / CSSLP (Certified Secure Software Lifecycle Professional)

IT Network: Holistic Information Security; Hacking Insight through Penetration Testing; Wireless Hacking & Defense; Packet Analysis & Troubleshooting

IT Security Manager
– IT Server: Holistic Information Security; Hacking Insight through Penetration Testing
– IT Security Personnel: Holistic Information Security; Incident Response & Handling; Log Management & Analysis; Hacking Insight through Penetration Testing; Wireless Hacking & Defense; Packet Analysis & Troubleshooting; Forensic Investigation Analysis; SSCP (Systems Security Certified Practitioner)

Physical Security: Information Security for Physical Security Personnel

ISO 27001 Series: International Standard for Information Security Management Systems

• Based on British Standard BS 7799, which provides comprehensive guidance on the various controls for implementing information security.
• ISMS best-practice pair:
– Criteria for certification: ISO 27001:2005 (was BS 7799-2:2005)
– Guideline for best practice: ISO 27002 (was ISO 17799:2005)

ISO 27002 includes the following control areas:

1. Security Policy
2. Organizing Information Security
3. Asset Management
4. Human Resources Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Information Systems Acquisition, Development and Maintenance
9. Information Security Incident Management
10. Business Continuity Management
11. Compliance

ISO 27001 Certificates in the World (Jan 2010)

ISO 27001 statistics:
81 countries
Japan 55%
4 Asian countries in the top 5
5 Asian countries in the top 10
Indonesia at position 42, the lowest among the original ASEAN countries.

http://www.iso27001certificates.com

Information Security Solution

7 Flagship Programs of DETIKNAS

• e-Education
• e-Budgeting
• e-Procurement
• National Identity Number
• National Single Window
• Palapa Ring
• Software Legalization

Indonesian Information Security Experts
(Pyramid: International Certification; High-Level InfoSec Skill; Medium-Level InfoSec Skill; Care / Awareness)

Red Ocean vs Blue Ocean: The Economics of Supply and Demand
(Diagram: for many other IT skills, applicants >> jobs; for InfoSec skills, jobs >> applicants)

Job Postings (Requiring CISSP Certification. From www.isc2.org)

Manager/Analyst/Engineer
• Computer Systems Security
• Cyber Network Operations Planning Specialist - $75K
• Cyber Security Specialist
• Data & System Security Specialist
• Digital Forensics Analyst
• Functional Security/Penetration Testers/Telecommute
• Information Security Analyst
• Information System Security (ISS) Project/Program Manager
• IT Security Specialist
• Manager, Security Policy, Compliance, and Risk Management
• Manager, Security Program Management
• Network Security Manager
• Project Manager Data Center
• Security Operations Center Analyst
• Security System Administrator - $95K
• Senior Computer Forensic Examiner
• Technical Manager of Applications Security Consulting
• Technology Risk Analyst
• Vulnerability Management Engineer

Consultant/Auditor
• Consulting Partner
• Entry Level IT Security Consultant
• Information Technology (IT) Auditor
• Senior IT Auditor

Critical Infrastructure
• Critical Infrastructure Protection Specialist
• NATO Cyber Defence Coordinator

Others
• Recruiter
• Sales Engineer
• Senior Technical Recruiter, Human Resources
• Technical Writer

Executive Management
• Chief Information Security Officer
• Director of Security
• Director, Information Security
• VP Governance, Risk and Compliance
• VP Security Engineering
• VP, Enterprise Security
• VP/Information Assurance

Business Function
• Analyst, Business Analysis (Security Due Diligence)
• Business Continuity and Operational Quality Assurance Role
• Identity Management Architect/Developer
• Senior Enterprise Architect
• Senior Information Assurance Engineer
• Senior Security Architect

US Department of Defense Directive 8570: Information Security Certification Required for 2010

IAT: Information Assurance Technical
IAM: Information Assurance Management
IASAE: Information Assurance Security Architecture and Engineering
CND: Computer Network Defense
Level I: Junior Level; Level II: Middle Level; Level III: Senior Level

IAT Level I: A+, Network+, SSCP
IAT Level II: GSEC, Security+, SCNP, SSCP
IAT Level III: CISA, CISSP (or Associate), GSE, GCIH, SCNA
IAM Level I: CAP, GISF, GSLC, Security+
IAM Level II: CAP, CISM, CISSP (or Associate), GSLC
IAM Level III: CISM, CISSP (or Associate), GSLC
IASAE I: CISSP (or Associate)
IASAE II: CISSP (or Associate)
IASAE III: CISSP-ISSAP, CISSP-ISSEP
CND Analyst: GCIA, CEH
CND Infrastructure Support: SSCP, CEH
CND Incident Reporter: GCIH, CSIH, CEH
CND Auditor: CISA, GSNA, CEH
CND-SP Manager: CISSP-ISSMP, CISM

FBI Recruits CISSP

(Diagram: the Indonesian Information Security Experts pyramid of International Certification, High-Level InfoSec Skill, Medium-Level InfoSec Skill and Care / Awareness, supported by Training Partner, Competence, Experience, Certification and Technology Partner; drivers: Regulation & Standard (UU ITE, PBI, SNI ISO 27001), Customer Requirements, Career Opportunities)

Why UniPro?

Your InfoSec Learning Path
(Diagram: levels Essential, Fundamental, Advance, Professional, Expert; International Certification, e.g. SSCP, CISSP-ISSAP)

TRAINING, HIRING & INCREASE CAREER PROGRAM (THINC)

Special Note:
The THINC program is also supported by the Research, Development and Human Resources Agency (Balitbang SDM) of the Ministry of Communication and Informatics, as recognition of its quality and in line with the government's vision and mission. This program will become part of SKKNI (Standar Kompetensi Kerja Nasional Indonesia, the Indonesian National Work Competency Standards).

Silver Program (Promo)

• Essential Information Security (4 Days)
• Enterprise Information Security Technology (6 Days)
• Exam (1 Day)
• Total (11 Days)

Essential Information Security

No  Training Module                              Days
1   Essential Information Security Foundation    2
2   Essential Packet Analysis                    1
3   Essential Web Application Security           1

Essential Information Security Foundation

Day I
• Introduction
• InfoSec Management Concept
• InfoSec Practical Concept
• Threat and Attack
• Firewall

Day II
• Firewall
• IDS/IPS
• VPN
• Data Protection

Essential Packet Analysis

• TCP/IP Security

• TCP/IP Header

• Stimulus and Response

• Tcpdump

• Wireshark


Essential Web Application Security

• Introduction to Web Threat

• Assessment Method

• Top 10 OWASP Vulnerability

• Web Application Firewall

Enterprise InfoSec Technology

No  Training Module              Days
1   Firewall Fundamental         1
2   Firewall 1 (Check Point)     1
3   Firewall 2 (Juniper)         1
4   IPS (TippingPoint)           1
5   Proxy (Blue Coat)            1
6   Load Balancer (F5)           1

Firewall Fundamental (1 Day)

• Basic TCP/IP
• Firewall Technology
• Firewall Design & Rules
• Firewall Rules & Discussion

Firewall 1 – Check Point (1 Day)

• Check Point FW SecurePlatform
• Check Point FW Smart Management
• Check Point FW Installation
• Check Point FW Smart Management Installation
• Policy Implementation

Firewall 2 – Juniper (1 Day)

• Juniper Firewall Introduction
• Juniper FW Installation
• Policy Implementation
• Multiple Layers Policy Implementation

Intrusion Prevention System (1 Day)

• IPS Architecture
• TippingPoint IPS Introduction
• TippingPoint IPS Installation
• Configuring TippingPoint IPS
• Customize Policy & Monitoring Log

Proxy (1 Day)

• Blue Coat Introduction
• Proxy Features & Topology
• Blue Coat Proxy Installation
• Configuring Blue Coat Proxy
• Visual Policy Manager
• Customize Policy & Monitoring Log

Load Balancer (1 Day)

• F5 Introduction
• Load Balancer Introduction
• F5 Installation
• Configuring F5 LTM
• Load Balancing Methodology
• Monitoring Log & Performance

Prerequisites

• Subjects/courses to study in preparation before taking the THINC Silver class:
– Data Communications
– Computer Networks
– Computer Operating Systems

Package    Modules                                     Day(s)  Price
Bronze A   Essential Information Security
           Essential Information Security Foundation   2       Rp. 1.300.000,-
           Essential Packet Analysis                   1       Rp. 650.000,-
           Essential Web Application Security          1       Rp. 650.000,-
           Bronze A Package                            4       Rp. 2.200.000,-
Bronze B   Enterprise InfoSec Technology
           Firewall Fundamental                        1       Rp. 750.000,-
           Firewall 1 (Check Point)                    1       Rp. 750.000,-
           Firewall 2 (Juniper)                        1       Rp. 750.000,-
           IPS (TippingPoint)                          1       Rp. 750.000,-
           Proxy (Blue Coat)                           1       Rp. 750.000,-
           Load Balancer (F5)                          1       Rp. 750.000,-
           Bronze B Package                            6       Rp. 4.000.000,-
EXAM                                                   1       Rp. 500.000,-
Total Individual Modules + Exam                        11      Rp. 7.600.000,-

Note: minimum 32 participants, maximum 40 per class

Package    Modules                                     Day(s)  Price
Silver     Essential Information Security
           Essential Information Security Foundation   2       Rp. 1.300.000,-
           Essential Packet Analysis                   1       Rp. 650.000,-
           Essential Web Application Security          1       Rp. 650.000,-
           Enterprise InfoSec Technology
           Firewall Fundamental                        1       Rp. 750.000,-
           Firewall 1 (Check Point)                    1       Rp. 750.000,-
           Firewall 2 (Juniper)                        1       Rp. 750.000,-
           IPS (TippingPoint)                          1       Rp. 750.000,-
           Proxy (Blue Coat)                           1       Rp. 750.000,-
           Load Balancer (F5)                          1       Rp. 750.000,-
           EXAM                                        1       Rp. 500.000,-
           Silver Package                              11      Rp. 5.000.000,-

Note: minimum 32 participants, maximum 40 per class

SILVER PROMO !!!

Silver Promo Program
Total class: 10 days training + 1 day exam
Price: IDR 5 million per student
32–40 students per class

INTEGRATION SIMULATION (2 Days with Real Lab in Jakarta)

Invest in Your Future NOW!!

"A journey of a thousand miles begins with a single step." – Lao Tzu, Chinese Philosopher (6th century BC)

Seats Limited