INCIDENT RESPONSE.

Presentation transcript:

INCIDENT RESPONSE

Security Risk Situation
Security ≠ technological security. Security is socio-technical and physical!

Security Perspective
Security strategy = Prevention + Detection + Response

Security Strategy

Prevention
- Protect computers or information from intruders and errors.
- Ideally, security procedures and policies close off every opportunity for attack; at minimum they minimise the number of attacks that succeed.

Detection
- Be able to establish when, how and by whom assets were damaged.
- Needs either sophisticated tooling or just simple log files that can be analysed.

Response
- Build strategies and techniques for dealing with an attack or a loss.
- Better to have a recovery plan than to improvise ‘on the fly’ and see what happens.

Example: Private Property
- Prevention: locks on doors, window bars, walls around the property
- Detection: stolen items are missing, burglar alarms, closed-circuit TV
- Reaction: call the police, replace stolen items, make an insurance claim …

Example: E-Commerce
- Prevention: encrypt your orders, rely on the merchant to perform checks on the caller, don’t use the Internet (?) …

Scope of IS Security
Security is a process.

IS Security Concepts
System security as one integrated concept.

IS Security Concepts

Main Focus Areas of IS Security
Three main focus areas (the security triangle):
- Physical Security
- Operational Security
- Management and Policies

Physical Security
Protection of assets and information from physical access by unauthorized personnel.
Three components:
- Make the physical location an unattractive target for attack
- Detect penetration or theft
- Recover from theft or loss of critical information or systems

Operational Security
- How the organization handles its computers, networks, communication systems and information management
- Includes access control, authentication, security topologies, backup and recovery plans
- An effective way to improve operational security → IS security training

Management and Security Policy
- Produces the guidelines, rules and procedures for implementation
- To be effective, policy needs the full, non-negotiable backing of the management team
- Some examples of policies:
  - Administrative policies
  - Design requirements
  - Disaster recovery plan
  - Information policies
  - Security policies
  - Usage policies
  - User management policies

IS Security Quality Standards: ISO 17799 / 27001 / 27002
- Business Continuity Planning
- System Access Control
- System Development and Maintenance
- Physical and Environmental Security
- Compliance
- Personnel Security
- Security Organization
- Computer & Network Management
- Asset Classification and Control
- Security Policy

IS Security Professional Qualifications
- SANS Institute Certified Engineers
- CISSP Certified and Trained Engineers
- ISO 27001:2005 Lead Auditors
- Certified Ethical Hackers
- Product-related engineers with extensive knowledge of various security products
- … and others

IS Security Professional Qualifications: Foundations
- Know a programming language
- Master hardware and the software that controls it (interfacing logic)
- Master the management of computer installations
- Have a solid grasp of computer networking theory: protocols, infrastructure, communication media
- Understand how operating systems work
- Have an ‘evil mind’ ;-p

IS Security Professional Qualifications: How to Learn
- Follow developments in computer security technology: look for books on computer security (print or e-book) and computer magazines/tabloids in print or online editions.
- Visit security review sites (e.g. www.cert.org) and underground sites (find them via a search engine).
- Study reviews or the manuals of hardware and software to understand properly how they work, or take certification training.

IS Security Professional Qualifications: Is Certification for You?

Yes, if:
- You’re a large corporation
- You’re publicly owned
- You offer IT-based services to clients
- You have legal obligations
- You’re comfortable with formal processes

No, if:
- You have a small, manageable infrastructure
- Your only responsibility is to yourself
- You have an informal culture and strong skills
- You believe certification will make you secure

Incident Response

Definitions
- Incident: an event that threatens the security of computer systems and networks.
- An event is anything that can be observed (measured).
- Example events: connecting to another system on the network, accessing a file, sending a packet, a system shutdown, etc.
- Threatening events include system crashes, packet floods, use of an account by an unauthorized person, web defacement, natural disasters, and anything else that endangers the operation of the system.

Incident Types

CIA-related incidents:
- Confidentiality: e.g. an attempt to break into a classified military system
- Integrity
- Availability

Other types:
- Reconnaissance attacks
- Repudiation: someone takes an action and denies it later on

Why is incident response needed?
For the organization:
- A systematic response to incidents
- Recover quickly
- Prevent similar incidents in the future
- Prepare the steps required for legal action

Incident Response Scope
Technical:
- Incident detection and investigation tools and procedures

Management-related:
- Policy
- Formation of an incident response capability
- In-house vs. outsourced

Incident Handling
- Preparation
- Detection and Analysis
- Containment, Eradication and Recovery
- Post-incident activity

PDCERF incident response method

Preparation

Incident Handling: Preparation
Incident Handler Communications and Facilities
- Contact information
- On-call information for other teams within the organization, including escalation information
- Incident reporting mechanisms
- Pagers or cell phones to be carried by team members for off-hour support and on-site communications
- Encryption software
- War room for central communication and coordination
- Secure storage facility for securing evidence and other sensitive materials

Incident Handling: Preparation
Incident Analysis Hardware and Software
- Computer forensic workstations and/or backup devices to create disk images, preserve log files, and save other relevant incident data
- Blank portable media
- Easily portable printer
- Packet sniffers and protocol analyzers
- Computer forensic software
- Floppies and CDs with trusted versions of programs to be used to gather evidence from systems
- Evidence gathering accessories:
  - hard-bound notebooks
  - digital cameras
  - audio recorders
  - chain of custody forms
  - evidence storage bags and tags
  - evidence tape

Incident Handling: Preparation
Incident Analysis Resources
- Port lists, including commonly used ports and Trojan horse ports
- Documentation for OSs, applications, protocols, and intrusion detection and antivirus signatures
- Network diagrams and lists of critical assets, such as Web, e-mail, and File Transfer Protocol (FTP) servers
- Baselines of expected network, system and application activity
- Cryptographic hashes of critical files to speed the analysis, verification, and eradication of incidents

Incident Handling: Preparation
Incident Mitigation Software
- Media, including OS boot disks and CD-ROMs, OS media, and application media
- Security patches from OS and application vendors
- Backup images of OS, applications, and data stored on secondary media

Incident Handling: Detection and Analysis
Incident Categories
- Denial of Service
- Malicious code
- Unauthorized access
- Inappropriate usage
- Multiple component incidents

Incident Handling: Detection and Analysis
Signs of an incident
- Intrusion detection systems
- Antivirus software
- Log analyzers
- File integrity checking
- Third-party monitoring of critical services

Incident indications vs. precursors
- A precursor is a sign that an incident may occur in the future (e.g. scanning)
- An indication is a sign that an incident is occurring or has occurred
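To make the precursor/indication distinction concrete, here is an added example of a small log analyzer (not from the original presentation). It runs two rules over constructed firewall and sshd log lines: a source probing many distinct ports on one host inside a short window is reported as a precursor (the slide's scanning example), while a burst of failed logins for one account followed by a successful login from the same source is reported as an indication that an incident has occurred. The log formats, hosts, thresholds and windows are all assumptions made for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed log formats: firewall drops and sshd authentication results.
FW_RE = re.compile(r"^(?P<ts>\S+) fw: DROP src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+)$")
SSH_RE = re.compile(r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$")


def parse(lines: List[str]) -> List[Dict]:
    """Turn raw lines into event dicts; lines that match neither format are ignored."""
    events = []
    for line in lines:
        m = FW_RE.match(line)
        if m:
            events.append({"kind": "drop", "ts": datetime.fromisoformat(m["ts"]),
                           "src": m["src"], "dst": m["dst"], "port": int(m["port"])})
            continue
        m = SSH_RE.match(line)
        if m:
            events.append({"kind": "ssh", "ts": datetime.fromisoformat(m["ts"]),
                           "result": m["result"], "user": m["user"], "src": m["src"]})
    return events


def find_precursors(events: List[Dict], min_ports: int = 10,
                    window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str]]:
    """Precursor rule: one source hits >= min_ports distinct ports on one host within window."""
    groups = defaultdict(list)
    for e in events:
        if e["kind"] == "drop":
            groups[(e["src"], e["dst"])].append(e)
    findings = []
    for (src, dst), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        j = 0
        for i in range(len(evs)):  # sliding window over time-sorted drops
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                j += 1
            ports = {e["port"] for e in evs[i:j]}
            if len(ports) >= min_ports:
                findings.append(("precursor", f"port scan: {src} probed {len(ports)} ports on {dst}"))
                break
    return findings


def find_indications(events: List[Dict], min_failures: int = 3,
                     window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, str]]:
    """Indication rule: >= min_failures failed logins for (user, src), then a success."""
    groups = defaultdict(list)
    for e in events:
        if e["kind"] == "ssh":
            groups[(e["user"], e["src"])].append(e)
    findings = []
    for (user, src), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        failures: List[datetime] = []
        for e in evs:
            if e["result"] == "Failed":
                failures.append(e["ts"])
                continue
            recent = [t for t in failures if e["ts"] - t <= window]
            if len(recent) >= min_failures:
                findings.append(("indication", f"{len(recent)} failed logins then success for {user} from {src}"))
            failures = []  # a success resets the burst counter
    return findings


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    events = parse(lines)
    return find_precursors(events) + find_indications(events)


def constructed_logs() -> List[str]:
    """Sample input built for this example: one scan, one brute-force success, some noise."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} fw: DROP src=203.0.113.7 dst=192.0.2.10 dport={port}")
    for i in range(5):
        lines.append(f"{(base + timedelta(minutes=5, seconds=4 * i)).isoformat()} sshd: Failed password for admin from 198.51.100.5")
    lines.append(f"{(base + timedelta(minutes=5, seconds=30)).isoformat()} sshd: Accepted password for admin from 198.51.100.5")
    lines.append(f"{(base + timedelta(minutes=6)).isoformat()} fw: DROP src=203.0.113.9 dst=192.0.2.11 dport=443")
    lines.append(f"{(base + timedelta(minutes=7)).isoformat()} sshd: Failed password for bob from 192.0.2.50")
    lines.append(f"{(base + timedelta(minutes=7, seconds=30)).isoformat()} sshd: Accepted password for bob from 192.0.2.50")
    return lines


if __name__ == "__main__":
    for kind, detail in triage(constructed_logs()):
        print(kind, "-", detail)
```

A single dropped packet and one mistyped password are left alone, which is the point of the thresholds: a precursor warrants heightened monitoring and perhaps a closer look at the source, whereas an indication should start the documentation and prioritization steps that follow.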

Incident Handling: Detection and Analysis
Incident documentation
- If an incident is suspected, start recording facts

Incident prioritization, based on:
- Current and potential technical effects
- Criticality of affected resources

Incident notification
- CIO
- Head of information systems
- Local information security officer
- Other incident teams
- Other agency departments, such as HR, public affairs, legal department

Incident Handling: Containment, Eradication, Recovery
Containment strategies
- Vary based on the type of incident
- Criteria for choosing a strategy include:
  - Potential damage / theft of resources
  - Need for evidence information
  - Service availability
  - Resource consumption of the strategy
  - Effectiveness of the strategy
  - Duration of the solution

Incident Handling: Containment, Eradication, Recovery
Evidence gathering
- For incident analysis
- For legal proceedings
- Chain of custody
- Authentication of evidence
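Chain of custody and authentication of evidence are easy to state and easy to get wrong in practice. The Python below is an added example (not from the original presentation) of a minimal evidence record: the evidence itself is authenticated by its SHA-256 hash taken at acquisition, and every custody entry (acquisition, transfer, examination) carries the digest of the previous entry, so that editing or deleting an entry later breaks the chain. The evidence bytes, handler names and timestamps are constructed for the demo; the record format is an assumption, not a standard.

```python
import hashlib
import json
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_digest(entry: Dict) -> str:
    # Canonical JSON so the digest does not depend on key order or whitespace.
    return sha256_hex(json.dumps(entry, sort_keys=True, separators=(",", ":")).encode())


def append_entry(record: Dict, action: str, holder: str, when: str, note: str = "") -> str:
    """Add a custody entry linked to the previous one; returns the new entry's digest."""
    prev = record["custody"][-1]["digest"] if record["custody"] else record["sha256"]
    entry = {"seq": len(record["custody"]), "action": action, "holder": holder,
             "when": when, "note": note, "prev": prev}
    entry["digest"] = _entry_digest(entry)
    record["custody"].append(entry)
    return entry["digest"]


def acquire(evidence_id: str, description: str, data: bytes, handler: str, when: str) -> Dict:
    """Create the record at acquisition time: hash the evidence and open the chain."""
    record = {"evidence_id": evidence_id, "description": description,
              "sha256": sha256_hex(data), "size": len(data), "custody": []}
    append_entry(record, "acquired", handler, when, "initial acquisition")
    return record


def verify(record: Dict, data: bytes) -> Tuple[bool, List[str]]:
    """Re-check the evidence hash and every link in the custody chain."""
    problems: List[str] = []
    if sha256_hex(data) != record["sha256"]:
        problems.append("evidence hash mismatch: data differs from what was acquired")
    prev = record["sha256"]
    for i, entry in enumerate(record["custody"]):
        body = {k: v for k, v in entry.items() if k != "digest"}
        if entry["seq"] != i:
            problems.append(f"entry {i}: sequence gap (entry removed or reordered)")
        if entry["prev"] != prev:
            problems.append(f"entry {i}: broken link to previous entry")
        if _entry_digest(body) != entry["digest"]:
            problems.append(f"entry {i}: contents changed after signing")
        prev = entry["digest"]
    return (not problems, problems)


if __name__ == "__main__":
    image = b"constructed disk image bytes"  # stands in for a real acquisition
    rec = acquire("EV-001", "laptop disk image (constructed)", image, "alice", "2024-05-01T10:00:00Z")
    append_entry(rec, "transferred", "bob", "2024-05-01T12:00:00Z", "to forensic lab")
    append_entry(rec, "examined", "bob", "2024-05-02T09:00:00Z", "read-only analysis")
    print(verify(rec, image))
```

The hash chain only proves that the record has not changed since its last digest was written down; that final digest therefore has to be recorded somewhere the examiner cannot silently rewrite, for example in the hard-bound notebook or on the chain of custody form listed among the preparation items.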

Incident Handling: Containment, Eradication, Recovery
Attacker identification
- Validation of the attacker’s IP address
- Scanning the attacker’s system
- Researching the attacker through search engines
- Using incident databases
- Monitoring possible attacker communication channels

Incident Handling: Containment, Eradication, Recovery
Eradication
- Deleting malicious code
- Disabling breached user accounts

Recovery
- Restoration of system(s) to normal operations
- Restoring from clean backups
- Rebuilding systems from scratch
- Replacing compromised files
- Installing patches
- Changing passwords
- Tightening perimeter security
- Strengthening logging

Incident Handling: Post-Incident Activity
Evidence retention, considering:
- Prosecution of the attacker
- Data retention policies
- Cost

Next: BCP and DRP