INCIDENT RESPONSE - PowerPoint PPT Presentation

Slides: 40
Provided by: Asw80

Transcript and Presenter's Notes
1
INCIDENT RESPONSE
2
The Security Risk Situation
Security is not only technological security. Security is
socio-technical and physical!
3
Security Perspective
  • Security strategy: prevention, detection, response

4
Security Strategy
  • Prevention
  • Protect the computer or the information from
    intruders and from errors.
  • Ideally a security policy and its procedures close
    every opportunity for an attack, but at the very
    least they minimise the number of successful attacks
  • Detection
  • Be able to determine when, how and by whom an
    asset was damaged
  • Needs either sophisticated tooling or just simple
    log files that can be analysed.
  • Response
  • Build strategies and techniques for dealing with
    an attack or a loss
  • Better to have a recovery plan than to improvise
    on the fly or "see what happens"

5
  • Example: private property
  • Prevention: locks on doors, window bars, walls
    round the property
  • Detection: stolen items are missing, burglar
    alarms, closed-circuit TV
  • Reaction: call the police, replace stolen items,
    make an insurance claim
  • Example: e-commerce
  • Prevention: encrypt your orders, rely on the
    merchant to perform checks on the caller, don't
    use the Internet (?)

6
Scope of Information Systems (IS) Security
  • Security is a process

7
IS Security Concepts
  • System security as one integrated concept

8
IS Security Concepts
9
(No Transcript)
10
Main Focus of IS Security
  • Three main focus areas
  • Physical Security
  • Operational Security
  • Management and Policies
  • The security triangle

11
  • Physical Security
  • Protection of assets and information from physical
    access by unauthorized personnel
  • 3 components
  • Make the physical location an unattractive target
    for attack
  • Detection of penetration or theft
  • Recovery from theft or loss of critical
    information or systems.

12
  • Operational Security
  • How the organisation handles its computers,
    networks, communication systems and information
    management
  • Includes access control, authentication, security
    topologies, backup and recovery plans
  • An effective way to improve operational security:
    IS security training

13
  • Security Management and Policy
  • Produces the guidance, rules and procedures for
    implementation
  • To be effective, a policy needs the full and
    non-negotiable support of the management team
  • Some examples of policies
  • Administrative policies
  • Design Requirement
  • Disaster Recovery Plan
  • Information Policies
  • Security Policies
  • Usage Policies
  • User Management Policies

14
IS Security Quality Standards
  • ISO 17799 / 27001 / 27002
  • Business Continuity Planning
  • System Access Control
  • System Development and Maintenance
  • Physical and Environmental Security
  • Compliance
  • Personnel Security
  • Security Organization
  • Computer Network Management
  • Asset Classification and Control
  • Security Policy

15
IS Security Professional Qualifications
  • SANS Institute Certified Engineers.
  • CISSP Certified and Trained Engineers.
  • ISO 27001:2005 Lead Auditors.
  • Certified Ethical Hackers.
  • Product related engineers with extensive
    knowledge of various security products.
  • and others.

16
IS Security Professional Qualifications
  • Basic foundations
  • Know a programming language
  • Master hardware and the software that controls it
    (interfacing logic).
  • Master the management of computer installations.
  • Have a solid grasp of computer networking theory:
    protocols, infrastructure, communication media.
  • Understand how operating systems work.
  • Have a devious mind :-p

17
IS Security Professional Qualifications
  • How to learn
  • Follow developments in computer security technology
  • Look for books on computer security: print,
    e-books, computer magazines/tabloids in print and
    online editions.
  • Visit security review sites (e.g. www.cert.org)
    and underground sites (find them via a search
    engine).
  • Study reviews or manuals of hardware and software
    to understand properly how they work, or take
    certification training

18
IS Security Professional Qualifications
  • Is Certification for You?
  • Yes, if
  • You're a large corporation
  • You're publicly owned
  • You offer IT-based services to clients
  • You have legal obligations
  • You're comfortable with formal processes
  • No, if
  • You have a small, manageable infrastructure
  • Your only responsibility is to yourself
  • You have an informal culture and strong skills
  • You believe certification will make you secure

19
Incident Response
20
Definitions
  • Incident: an event that threatens the security of
    computer systems and networks.
  • An event is anything that can be observed
    (measured)
  • Example events: connecting to another system on
    the network, accessing a file, sending a packet,
    a system shutdown, etc.
  • Threatening events include system crashes, packet
    floods, use of an account by an unauthorised
    person, web defacement, natural disasters, and
    anything else that endangers system performance

21
Incident Types
  • CIA-related incidents
  • Confidentiality: attempts to break into a secret
    military system
  • Integrity
  • Availability
  • Other Types
  • Reconnaissance Attacks
  • Repudiation
  • Someone takes action and denies it later on.

22
Why is incident response needed?
  • For the organisation
  • A systematic response to incidents
  • Recover quickly
  • Prevent similar incidents in the future
  • Prepare the steps required for legal action

23
Incident Response Scope
  • Technical
  • Incident detection and investigation tools and
    procedures
  • Management-related
  • Policy
  • Formation of incident response capability
  • In-house vs. out-sourced

24
Incident Handling
  • Preparation
  • Detection and Analysis
  • Containment, Eradication and Recovery
  • Post-incident activity
25
The PDCERF incident response method (Preparation,
Detection, Containment, Eradication, Recovery, Follow-up)
26
Preparation
27
Incident Handling Preparation
  • Incident Handler Communications and Facilities
  • Contact information and on-call information for
    other teams within the organization, including
    escalation information
  • Incident reporting mechanisms
  • Pagers or cell phones to be carried by team
    members for off-hour support, onsite
    communications
  • Encryption software
  • War room for central communication and
    coordination
  • Secure storage facility for securing evidence and
    other sensitive materials

28
Incident Handling Preparation
  • Incident Analysis Hardware and Software
  • Computer forensic workstations and/or backup
    devices to create disk images, preserve log
    files, and save other relevant incident data
  • Blank portable media
  • Easily portable printer
  • Packet sniffers and protocol analyzers
  • Computer forensic software
  • Floppies and CDs with trusted versions of
    programs to be used to gather evidence from
    systems
  • Evidence gathering accessories
  • hard-bound notebooks
  • digital cameras
  • audio recorders
  • chain of custody forms
  • evidence storage bags and tags
  • evidence tape

29
Incident Handling Preparation
  • Incident Analysis Resources
  • Port lists, including commonly used ports and
    Trojan horse ports
  • Documentation for OSs, applications, protocols,
    and intrusion detection and antivirus signatures
  • Network diagrams and lists of critical assets,
    such as Web, e-mail, and File Transfer Protocol
    (FTP) servers
  • Baselines of expected network, system and
    application activity
  • Cryptographic hashes of critical files to speed
    the analysis, verification, and eradication of
    incidents
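
As an added example (not from the deck), the "cryptographic hashes of critical files" item in practice: a SHA-256 baseline built before any incident and checked during one, which is also what the "file integrity checking" source on the detection slide relies on. File names and contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example, not from the slides: SHA-256 baseline of "critical files",
# built ahead of time and verified during an incident. Layout is constructed.

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path, files: list[str]) -> dict[str, str]:
    """Record the trusted hash of each critical file, keyed by relative path."""
    return {name: sha256_of(root / name) for name in files}

def verify_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the live files with the baseline: ok, modified or missing."""
    report: dict[str, list[str]] = {"ok": [], "modified": [], "missing": []}
    for name, expected in baseline.items():
        path = root / name
        if not path.exists():
            report["missing"].append(name)
        elif sha256_of(path) != expected:
            report["modified"].append(name)
        else:
            report["ok"].append(name)
    return report

def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline three files, then alter one and delete one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        critical = {
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
            "bin/ls": b"\x7fELF constructed binary bytes",
            "etc/ssh/sshd_config": b"PermitRootLogin no\n",
        }
        for name, content in critical.items():
            (root / name).parent.mkdir(parents=True, exist_ok=True)
            (root / name).write_bytes(content)
        baseline = build_baseline(root, list(critical))
        # Simulate what an incident leaves behind: a replaced binary, a deleted config.
        (root / "bin/ls").write_bytes(b"\x7fELF replaced binary bytes")
        (root / "etc/ssh/sshd_config").unlink()
        return verify_baseline(root, baseline)
```

The baseline is only as trustworthy as its storage: keep it on read-only or offline media, next to the trusted program versions the preparation slides list, so a compromised host cannot rewrite it.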

30
Incident Handling Preparation
  • Incident Mitigation Software
  • Media, including OS boot disks and CD-ROMs, OS
    media, and application media
  • Security patches from OS and application vendors
  • Backup images of OS, applications, and data
    stored on secondary media

31
Incident Handling Detection and Analysis
  • Incident Categories
  • Denial of Service
  • Malicious code
  • Unauthorized access
  • Inappropriate usage
  • Multiple component incidents

32
Incident Handling Detection and Analysis
  • Signs of an incident
  • Intrusion detection systems
  • Antivirus software
  • Log analyzers
  • File integrity checking
  • Third-party monitoring of critical services
  • Incident indications vs. precursors
  • A precursor is a sign that an incident may occur in
    the future
  • E.g. scanning
  • An indication is a sign that an incident is
    occurring or has occurred
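
An added example, not part of the original slides, of turning the precursor/indication distinction into detection logic over constructed log lines (the log format and the addresses are hypothetical): a port scan is reported as a precursor, a login that succeeds after repeated failures as an indication.

```python
import re
from collections import defaultdict

# Added example, not from the slides: sort constructed log lines into precursors
# (an incident may occur, e.g. scanning) and indications (an incident is
# occurring or has occurred). The log format and addresses are hypothetical.
FW_RE = re.compile(r"^(\S+) fw src=(\S+) dst=\S+ dport=(\d+) action=(\w+)$")
AUTH_RE = re.compile(r"^(\S+) auth src=(\S+) user=(\S+) result=(\w+)$")

# Constructed sample: one source probes 12 ports, then repeatedly fails a login.
SAMPLE_LOG = [
    f"2024-05-01T10:00:{i:02d} fw src=203.0.113.5 dst=192.0.2.10 dport={20 + i} action=DROP"
    for i in range(12)
] + [
    "2024-05-01T10:01:00 fw src=198.51.100.7 dst=192.0.2.10 dport=443 action=ACCEPT",
    "2024-05-01T10:05:00 auth src=203.0.113.5 user=admin result=FAIL",
    "2024-05-01T10:05:05 auth src=203.0.113.5 user=admin result=FAIL",
    "2024-05-01T10:05:10 auth src=203.0.113.5 user=admin result=FAIL",
    "2024-05-01T10:05:30 auth src=203.0.113.5 user=admin result=SUCCESS",
    "2024-05-01T10:06:00 auth src=198.51.100.7 user=alice result=SUCCESS",
]

def classify(lines, scan_threshold=10, fail_threshold=3):
    """Return {"precursors": [...], "indications": [...]} as (src, reason) pairs."""
    ports = defaultdict(set)     # src -> distinct destination ports touched
    fails = defaultdict(int)     # src -> failed logins since the last success
    precursors, indications = [], []
    for line in lines:
        m = FW_RE.match(line)
        if m:
            _, src, dport, _ = m.groups()
            ports[src].add(int(dport))
            continue
        m = AUTH_RE.match(line)
        if not m:
            continue                     # unknown line type: ignore, never crash
        _, src, user, result = m.groups()
        if result == "FAIL":
            fails[src] += 1
        elif result == "SUCCESS":
            if fails[src] >= fail_threshold:
                indications.append((src, f"{user} login succeeded after {fails[src]} failures"))
            fails[src] = 0
    # Precursor: many distinct ports from one source looks like a port scan.
    for src, touched in ports.items():
        if len(touched) >= scan_threshold:
            precursors.append((src, f"probed {len(touched)} distinct ports"))
    return {"precursors": precursors, "indications": indications}
```

The thresholds are assumptions; in practice they come from the baselines of expected activity that the preparation slides call for.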

33
Incident Handling Detection and Analysis
  • Incident documentation
  • If incident is suspected, start recording facts
  • Incident Prioritization based on
  • Current and potential technical effects
  • Criticality of affected resources
  • Incident notification
  • CIO
  • Head of information system
  • Local information security officer
  • Other incident teams
  • Other agency departments such as HR, public
    affairs, legal department

34
Incident Handling Containment, Eradication, Recovery
  • Containment strategies
  • Vary based on type of incident
  • Criteria for choosing strategy include
  • Potential damage / theft of resources
  • Need for evidence information
  • Service availability
  • Resource consumption of strategy
  • Effectiveness of strategy
  • Duration of solution

35
Incident Handling Containment, Eradication, Recovery
  • Evidence gathering
  • For incident analysis
  • For legal proceedings
  • Chain of custody
  • Authentication of evidence
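
An added example, not from the deck, of the "chain of custody" and "authentication of evidence" items: the hash taken at acquisition authenticates the evidence image, and each custody entry is hash-linked to the one before it, so altering either the bytes or the log is detectable. Evidence bytes, names and timestamps are constructed.

```python
import hashlib
import json

# Added example, not from the slides: a chain-of-custody record whose entries
# are hash-linked, with the acquisition hash authenticating the evidence.
# The evidence bytes, names and timestamps are constructed.

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(entry: dict) -> str:
    """Hash every field of an entry except its own digest, in a canonical form."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def new_record(evidence_id: str, image: bytes) -> dict:
    """Start a record; the hash taken at acquisition is what later verifies the image."""
    return {"evidence_id": evidence_id, "acquisition_sha256": sha256_hex(image), "entries": []}

def add_entry(record: dict, when: str, who: str, action: str) -> None:
    """Append a custody event linked to the previous entry (or the acquisition hash)."""
    entries = record["entries"]
    prev = entries[-1]["entry_hash"] if entries else record["acquisition_sha256"]
    entry = {"when": when, "who": who, "action": action, "prev_hash": prev}
    entry["entry_hash"] = entry_digest(entry)
    entries.append(entry)

def verify(record: dict, image: bytes) -> list[str]:
    """Return problems found; an empty list means image and log are intact."""
    problems = []
    if sha256_hex(image) != record["acquisition_sha256"]:
        problems.append("evidence bytes differ from acquisition hash")
    prev = record["acquisition_sha256"]
    for i, entry in enumerate(record["entries"]):
        if entry["prev_hash"] != prev:
            problems.append(f"entry {i} does not chain to the previous entry")
        if entry_digest(entry) != entry["entry_hash"]:
            problems.append(f"entry {i} has been altered")
        prev = entry["entry_hash"]
    return problems

def demo() -> dict[str, list[str]]:
    image = b"constructed disk image bytes"        # stands in for a dd image
    rec = new_record("EV-2024-001", image)
    add_entry(rec, "2024-05-01T11:00:00Z", "A. Analyst", "imaged disk of webserver-01")
    add_entry(rec, "2024-05-01T12:30:00Z", "B. Custodian", "placed in evidence safe")
    results = {"intact": verify(rec, image), "image_changed": verify(rec, image + b"!")}
    rec["entries"][0]["who"] = "Someone Else"    # log edited after the fact
    results["log_edited"] = verify(rec, image)
    return results
```

The chain only proves something if the latest entry hash is also recorded somewhere the log's editors cannot reach (the signed paper chain-of-custody form, or a write-once store); otherwise an editor can simply recompute every digest.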

36
Incident Handling Containment, Eradication, Recovery
  • Attacker identification
  • Validation of attacker IP address
  • Scanning the attacker's system
  • Research attacker through search engines
  • Using Incident Databases
  • Monitoring possible attacker communication
    channels

37
Incident Handling Containment, Eradication, Recovery
  • Eradication
  • Deleting malicious code
  • Disabling breached user accounts
  • Recovery
  • Restoration of system(s) to normal operations
  • Restoring from clean backups
  • Rebuilding systems from scratch
  • Replacing compromised files
  • Installing patches
  • Changing passwords
  • Tighten perimeter security
  • Strengthen logging

38
Incident Handling Post-Incident Activity
  • Evidence Retention
  • Prosecution of attacker
  • Data retention policies
  • Cost

39
Next: BCP and DRP