INCIDENT RESPONSE - PowerPoint PPT Presentation

1 / 39
About This Presentation
Title:

INCIDENT RESPONSE

Description:

... to normal operations Restoring from clean backups Rebuilding systems from scratch Replacing compromised ... (security training) ... CISSP Certified and Trained ... – PowerPoint PPT presentation

Number of Views:241
Avg rating:3.0/5.0
Slides: 40
Provided by: Asw80
Category:

less

Transcript and Presenter's Notes

Title: INCIDENT RESPONSE


1
INCIDENT RESPONSE
2
Situasi Resiko Keamanan
Security ? Technological Security Keamanan itu
Socio-technical Physical!
3
Perspektif Keamanan
  • Strategi Keamanan Preventif Deteksi Respon

4
Strategi Keamanan
  • Preventif
  • Melindungi komputer atau informasi dari
    pengganggu dan kesalahan.
  • Idealnya prosedur kebijakan keamanan dapat
    menutup kesempatan untuk diserang, tapi paling
    tidak meminimalisasi serangan yang berhasil
  • Deteksi
  • Dapat mengukur kapan, bagaimana dan oleh siapa
    aset dapat dirusak
  • Membutuhkan alat bantu yang rumit atau sekedar
    file log sederhana yang dapat dianalisa.
  • Respon
  • Membangun strategi dan teknik untuk menghadapi
    serangan atau kehilangan
  • Lebih baik memiliki rencana pemulihan (recovery
    plan) daripada on the fly atau bagaimana nanti

5
  • Example Private Property
  • Prevention locks at doors, window bars, walls
    round the property
  • Detection stolen items are missing, burglar
    alarms, closed circuit TV
  • Reaction call the police, replace stolen items,
    make an insurance claim
  • Example E-Commerce
  • Prevention encrypt your orders, rely on the
    merchant to perform checks on the caller, dont
    use the Internet (?)

6
Lingkup Keamanan SI
  • Keamanan adalah Suatu Proses

7
Konsep Keamanan SI
  • Keamanan sistem sebagai satu konsep terpadu

8
Konsep Keamanan SI
9
(No Transcript)
10
Fokus Utama Keamanan SI
  • Fokus Utama Keamanan SI
  • Tiga Fokus Utama
  • Physical Security
  • Operational Security
  • Management and Policies
  • Segitiga Keamanan

11
  • Keamanan Fisik
  • Perlindungan aset dan informasi dari akses fisik
    oleh personal yang tidak diizinkan (unauthorized
    personnel)
  • 3 Komponen
  • Membuat lokasi fisik tidak menarik dijadikan
    target serangan
  • Deteksi penetrasi atau pencuri
  • Pemulihan dari pencurian atau kehilangan
    informasi kritis atau sistem.

12
  • Keamanan Operasional
  • Bagaimana organisasi memperlakukan komputer,
    network, sistem komunikasi dan manajemen
    informasi
  • Termasuk access control, authentication, security
    topologies, back up dan recovery plan
  • Hal efektif untuk meningkatkan operational
    security ? pelatihan keamanan SI (security
    training)

13
  • Manajemen dan Kebijakan Keamanan
  • Akan menghasilkan tuntunan, aturan dan prosedur
    untuk implementasi
  • Kebijakan agar efektif harus memiliki dukungan
    penuh dan tidak dapat dikompromikan dari tim
    manajemen
  • Beberapa contoh kebijakan
  • Administrative policies
  • Design Requirement
  • Disaster Recovery Plan
  • Information Policies
  • Security Policies
  • Usage Policies
  • User Management Policies

14
Standar Kualitas Keamanan SI
  • ISO 17799 / 27001 / 27002
  • Business Continuity Planning
  • System Access Control
  • System Development and Maintenance
  • Physical and Environmental Security
  • Compliance
  • Personnel Security
  • Security Organization
  • Computer Network Management
  • Asset Classification and Control
  • Security Policy

15
Kualifikasi Profesional Keamanan SI
  • SANS Institute Certified Engineers.
  • CISSP Certified and Trained Engineers.
  • ISO 270012005 Lead Auditors.
  • Certified Ethical Hackers.
  • Product related engineers with extensive
    knowledge of various security products.
  • dan lain-lain.

16
Kualifikasi Profesional Keamanan SI
  • Modal dasar
  • Mengetahui Bahasa Pemrograman
  • Menguasai pengetahuan perangkat keras dan
    perangkat lunak pengontrolnya (logika
    interfacing).
  • Menguasai pengelolaan instalasi komputer.
  • Menguasai dengan baik teori jaringan komputer
    protokol, infrastruktur, media komunikasi.
  • Memahami cara kerja sistem operasi.
  • Memiliki pikiran jahat -p

17
Kualifikasi Profesional Keamanan SI
  • Cara belajar
  • Memantau perkembangan teknologi keamanan komputer
  • Cari buku-buku mengenai keamanan komputer
    cetakan, e-book, majalahmajalah/tabloid komputer
    edisi cetak maupun edisi online.
  • Akses ke situs-situs review keamanan (contoh
    www.cert.org ), situs-situs underground (silahkan
    cari via search engine).
  • Pelajari review atau manual book perangkat keras
    dan perangkat lunak untuk memahami cara kerja
    dengan baik atau ikuti pelatihan sertifikasi

18
Kualifikasi Profesional Keamanan SI
  • Is Certification for You?
  • Yes, if
  • Youre a large corporation
  • Youre publicly owned
  • You offer IT-based services to clients
  • You have legal obligations
  • Youre comfortable with formal processes
  • No, if
  • You have a small, manageable infrastructure
  • Youre only responsibility is to yourself
  • You have an informal culture and strong skills
  • You believe certification will make you secure

19
Incident Response
20
Definisi
  • Incident event (kejadian) yang mengancam
    keamanan sistem komputer dan jaringan.
  • Event adalah semua hal yang bisa diobservasi
    (diukur)
  • Contoh event connect ke sistem lain dalam
    jaringan, mengakses file, mengirim paket, sistem
    shutdown, dsb.
  • Event yang mengancam antara lain, system crashes,
    packet flood, penggunaan akun oleh orang yang
    tidak berhak, web deface, bencana alam, dan
    hal-hal lain yang membahayakan kinerja sistem

21
Incident Types
  • CIA related incidents
  • Confidentiality Upaya masuk ke dalam sistem
    rahasia militer
  • Integrity
  • Availability
  • Other Types
  • Reconnaissance Attacks
  • Repudiation
  • Someone takes action and denies it later on.

22
Kenapa perlu incident response?
  • Bagi Organisasi
  • Respon yang sistematis terhadap insiden
  • Recover quickly
  • Mencegah insiden serupa di masa depan
  • Menyiapkan langkah-langkah yang berkaitan dengan
    hukum

23
Incident Response Scope
  • Technical
  • Incident detection and investigation tools and
    procedures
  • Management-related
  • Policy
  • Formation of incident response capability
  • In-house vs. out-sourced

24
Incident Handling
Preparation
Detection and Analysis
Post-incident activity
Containment, Eradication and Recovery
25
PDCERF incident response method
26
Preparation
27
Incident Handling Preparation
  • Incident Handler Communications and Facilities
  • Contact information On-call information for other
    teams within the organization, including
    escalation information Incident reporting
    mechanisms
  • Pagers or cell phones to be carried by team
    members for off-hour support, onsite
    communications
  • Encryption software
  • War room for central communication and
    coordination
  • Secure storage facility for securing evidence and
    other sensitive materials

28
Incident Handling Preparation
  • Incident Analysis Hardware and Software
  • Computer forensic workstations and/or backup
    devices to create disk images, preserve log
    files, and save other relevant incident data
  • Blank portable media
  • Easily portable printer
  • Packet sniffers and protocol analyzers
  • Computer forensic software
  • Floppies and CDs with trusted versions of
    programs to be used to gather evidence from
    systems
  • Evidence gathering accessories
  • hard-bound notebooks
  • digital cameras
  • audio recorders
  • chain of custody forms
  • evidence storage bags and tags
  • evidence tape

29
Incident Handling Preparation
  • Incident Analysis Resources
  • Port lists, including commonly used ports and
    Trojan horse ports
  • Documentation for OSs, applications, protocols,
    and intrusion detection and antivirus signatures
  • Network diagrams and lists of critical assets,
    such as Web, e-mail, and File Transfer Protocol
    (FTP) servers
  • Baselines of expected network, system and
    application activity
  • Cryptographic hashes of critical files to speed
    the analysis, verification, and eradication of
    incidents

30
Incident Handling Preparation
  • Incident Mitigation Software
  • Media, including OS boot disks and CD-ROMs, OS
    media, and application media
  • Security patches from OS and application vendors
  • Backup images of OS, applications, and data
    stored on secondary media

31
Incident Handling Detection and Analysis
  • Incident Categories
  • Denial of Service
  • Malicious code
  • Unauthorized access
  • Inappropriate usage
  • Multiple component incidents

32
Incident Handling Detection and Analysis
  • Signs of an incident
  • Intrusion detection systems
  • Antivirus software
  • Log analyzers
  • File integrity checking
  • Third-party monitoring of critical services
  • Incident indications vs. precursors
  • Precursor is a sign that an incident may occur in
    the future
  • E.g. scanning
  • Indication is a sign that an incident is
    occurring or has occurred

33
Incident Handling Detection and Analysis
  • Incident documentation
  • If incident is suspected, start recording facts
  • Incident Prioritization based on
  • Current and potential technical effects
  • Criticality of affected resources
  • Incident notification
  • CIO
  • Head of information system
  • Local information security officer
  • Other incident teams
  • Other agency departments such as HR, public
    affairs, legal department

34
Incident Handling Containment, Eradication,
Recovery
  • Containment strategies
  • Vary based on type of incident
  • Criteria for choosing strategy include
  • Potential damage / theft of resources
  • Need for evidence information
  • Service availability
  • Resource consumption of strategy
  • Effectiveness of strategy
  • Duration of solution

35
Incident Handling Containment, Eradication,
Recovery
  • Evidence gathering
  • For incident analysis
  • For legal proceedings
  • Chain of custody
  • Authentication of evidence

36
Incident Handling Containment, Eradication,
Recovery
  • Attacker identification
  • Validation of attacker IP address
  • Scanning attackers system
  • Research attacker through search engines
  • Using Incident Databases
  • Monitoring possible attacker communication
    channels

37
Incident Handling Containment, Eradication,
Recovery
  • Eradication
  • Deleting malicious code
  • Disabling breached user accounts
  • Recovery
  • Restoration of system(s) to normal operations
  • Restoring from clean backups
  • Rebuilding systems from scratch
  • Replacing compromised files
  • Installing patches
  • Changing passwords
  • Tighten perimeter security
  • Strengthen logging

38
Incident Handling Post-Incident Activity
  • Evidence Retention
  • Prosecution of attacker
  • Data retention policies
  • Cost

39
Next BCP and DRP
Write a Comment
User Comments (0)
About PowerShow.com