Presentation on Software Security Systems at Telkom Sigma by Teddy Setiawan (Associate Director Finance Non Banking Solution, Telkom Indonesia)
delivered at the Public Discussion on Software Security Governance (Diskusi Publik Tata Kelola Pengamanan Perangkat Lunak)
Hotel Sahid Jaya Jakarta, 7 November 2013
6. Firewall
1. Software Firewall
a. Pros: cheap, easy to configure
b. Cons: high resource consumption on the host, limited by supported OS versions
2. Hardware Firewall
a. Pros: more features, runs independently of the protected hosts
b. Cons; more expensive
7. Network Security Methods
1. Access restrictions over a network
a. Internet Password Authentication
b. Server-based Password Authentication
c. Server-based token Authentication
d. Firewall and Routing Control
2. Using specific methods and mechanisms
a. Encryption
b. Digital signature
c. Checksum / hash algorithms
3. Scheduled monitoring of the network
Information Security Domains, Supporting Protocols and Procedures
The University at Albany’s Information Security policy identifies ten domains which serve as a basis for protocol development and controls management. Examples of these domains include: Asset Classification, Access Control, and Incident Detection and Management. Protocols may be established for each domain to provide direction and a framework for related companion documents.
Asset Classification
An enterprise-wide program designed to identify critical information and physical assets and develop a comprehensive approach to their protection and management.
Protocol: Asset Classification
Data Classification Standard
Category I Storage Guidelines
Risk Assessment and Analysis
Management processes conducted on a periodic basis to identify, report, and analyze reasonably foreseeable internal and external risks and vulnerabilities, likely threats, impacts, and potential losses using standard risk assessment methodologies for the purpose of recommending appropriate controls to mitigate unacceptable levels of exposure.
Identity Management
A comprehensive and unified approach to managing the identities of persons and processes issued by the University for the purpose of granting and controlling access to campus information resources. This includes exercising due care in the areas of identity assurance, issuance, authentication, authorization, revocation, and recovery of identity elements (NetIDs, tokens, etc.).
Protocol: Protection and Use of Faculty, Staff and Student Identifiers
Protection_of_Identifiers_Standards_Procedures.pdf
Protection and Use of Faculty, Staff and Student Identifiers Glossary
Access Control
Standards and procedures governed by the principle of “least privilege” and employing industry-accepted access control and authorization frameworks to ensure that external and internal computer applications and persons have only such access as is appropriate to information resources, and to facilities and devices containing and displaying information.
Protocol: Access to Electronic Records Held in Accounts Subsequent to Termination, Departure or Death
FORM: Request_Form_Access_to_UA_Personal_Account_and_Compliance_Agreement.pdf
FORM: Employee Access and Compliance Agreement
Third Party Management of UAlbany Website Agreement MOU
Infrastructure Management
Standards and procedures to create and maintain prioritized, reasonable, and appropriate safeguards and controls for the University’s information infrastructure (databases, storage media, workstations, PDAs, mobile and hand-held devices, servers, network devices, wireless access points, firewalls, etc.), along with measures to ensure compliance.
Protocol: Media Disposal, Destruction, and Redeployment
NIST Guidelines for Media Sanitization (table)
Media Sanitization, Disposal and Redeployment Procedures
OGS Memorandum from June 2005
Software Assurance
Consists of appropriate reviews and controls used to validate the performance and security of software before it is purchased or developed and put into production.
Incident Response
Establishes procedures and assigns responsibilities for detecting, reporting, and responding to suspected and known information security incidents that result in unauthorized access or alteration of University business records, or attempts to deny or impede legitimate access to those records.
Protocol: Information Security Incident Response
Information Security Awareness Program
The Awareness Program promotes and promulgates best practices at all levels (including management), and informs and safeguards University staff.
Oversight of Service Providers
Take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for sensitive information and require service providers by contract to implement and maintain such safeguards.
Documentation
Maintain, make appropriately available, and periodically review information security policies and procedures in written (which may be electronic) form; and keep written records of any action, activity or assessment that requires documentation.
The Elements of Security
Vulnerability
A software, hardware, or procedural weakness that may give an attacker the opening needed to enter a computer or network and gain unauthorized access to resources within the environment.
Vulnerability characterizes the absence or weakness of a safeguard that could be exploited.
E.g.: a service running on a server, unpatched applications or operating system software, unrestricted modem dial-in access, an open port on a firewall, lack of physical security etc.
Threat
Any potential danger to information or systems.
A threat is the possibility that someone or something (a person, a piece of software) would identify and exploit the vulnerability.
The entity that takes advantage of a vulnerability is referred to as a threat agent. E.g.: a threat agent could be an intruder accessing the network through a port on the firewall.
Risk
Risk is the likelihood of a threat agent taking advantage of a vulnerability, together with the corresponding business impact.
Reducing vulnerability and/or threat reduces the risk.
E.g.: If a firewall has several ports open, there is a higher likelihood that an intruder will use one of them to gain unauthorized access to the network.
Exposure
An exposure is an instance of being exposed to losses from a threat agent.
Vulnerability exposes an organization to possible damages.
E.g.: If password management is weak and password rules are not enforced, the company is exposed to the possibility of having users' passwords captured and used in an unauthorized manner.
Countermeasure or Safeguard
An application, a software or hardware configuration, or a procedure that mitigates the risk.
E.g.: strong password management, a security guard, access control mechanisms within an operating system, the implementation of basic input/output system (BIOS) passwords, and security-awareness training.
The Relation Between the Security Elements
Example: If a company has antivirus software but does not keep the virus signatures up-to-date, this is a vulnerability. The company is vulnerable to virus attacks.
The threat is that a virus will show up in the environment and disrupt productivity.
The likelihood of a virus showing up in the environment and causing damage is the risk.
If a virus infiltrates the company's environment, then the vulnerability has been exploited and the company is exposed to loss.
The countermeasures in this situation are to update the signatures and to install the antivirus software on all computers.
Network Topology [1/2]
1. Encryption
The encryption used in telkomsigma projects has usually been taken from Java Cryptography.
- Password encryption: MD5
- Data encryption:
* Data signature: RSA with SHA1 (public-key cryptosystem)
* Data: AES (Advanced Encryption Standard)
Java Cryptography: http://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html
RSA-SHA1: http://www.w3.org/PICS/DSig/RSA-SHA1_1_0.html
AES (Advanced Encryption Standard): http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
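The slide names MD5 as the "password encryption" used in projects. MD5 is a fast, unsalted digest, so two users with the same password produce the same stored value and a precomputed table recovers common passwords directly. The following is an added example, not telkomsigma code, written against the same Java Cryptography Architecture the slide points to: it computes the MD5 digest the slide describes next to a salted, iterated PBKDF2-HMAC-SHA256 record, and verifies a password against that record with a constant-time comparison. The class and method names, the record format and the sample password are the example's own assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example (not telkomsigma code): the MD5 password digest named on the slide
// contrasted with a salted, iterated PBKDF2 hash from the same JCA provider set.
public class PasswordStorageDemo {

    // The slide's approach: a single unsalted MD5 digest of the password.
    static String md5Hex(String password) throws Exception {
        MessageDigest md = MessageDigest.getInstance("MD5");
        byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Hardened alternative: random 16-byte salt, PBKDF2-HMAC-SHA256, 210,000 iterations.
    // Iteration count is an assumption; tune it to the server's CPU budget per login.
    static final int ITERATIONS = 210_000;

    static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return f.generateSecret(spec).getEncoded();
    }

    // Stored record carries algorithm, iteration count and salt, so verification
    // needs nothing else and the count can be raised later without a flag day.
    static String pbkdf2Record(char[] password) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        byte[] hash = pbkdf2(password, salt, ITERATIONS);
        Base64.Encoder enc = Base64.getEncoder();
        return "pbkdf2-sha256$" + ITERATIONS + "$" + enc.encodeToString(salt)
                + "$" + enc.encodeToString(hash);
    }

    static boolean verify(char[] password, String record) throws Exception {
        String[] parts = record.split("\\$");
        if (parts.length != 4 || !parts[0].equals("pbkdf2-sha256")) return false;
        int iterations = Integer.parseInt(parts[1]);
        byte[] salt = Base64.getDecoder().decode(parts[2]);
        byte[] expected = Base64.getDecoder().decode(parts[3]);
        byte[] actual = pbkdf2(password, salt, iterations);
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        String pw = "Telkom2013!";  // constructed sample password
        // Same password, same MD5 every time: equal passwords are visible across users.
        System.out.println("MD5   : " + md5Hex(pw));
        System.out.println("MD5   : " + md5Hex(pw));
        // Same password, a different record each time thanks to the random salt.
        String r1 = pbkdf2Record(pw.toCharArray());
        String r2 = pbkdf2Record(pw.toCharArray());
        System.out.println("PBKDF2: " + r1);
        System.out.println("PBKDF2: " + r2);
        System.out.println("verify correct : " + verify(pw.toCharArray(), r1));
        System.out.println("verify wrong   : " + verify("wrong".toCharArray(), r1));
    }
}
```

Compile and run with `javac PasswordStorageDemo.java && java PasswordStorageDemo`; the two MD5 lines are identical while the two PBKDF2 records differ, and only the correct password verifies. Keeping the salt and iteration count inside the record is what lets a deployment migrate users to a higher cost on their next successful login.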
Network Topology [2/2]
1. Encryption:
In general the encryption method is the same, namely the Java standard (AES, 3DES, SHA, and so on). What differs between projects is the key or seed.
Every project also applies that encryption to confidential data, at minimum for storing passwords. For web applications, encryption is usually provided by SSL (which usually requires a security certificate, e.g. from VeriSign).
The Pertamina case applied double encryption when transmitting data. The keys are stored in a SmartCard (public and secret key). The main data is encrypted using AES. The public key is then encrypted using 3DES. These two encrypted items are sent to the server together with an MD5 for verifying the correctness of the received data.
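The Pertamina scheme above checks received data with an MD5 digest. An unkeyed digest only detects accidental corruption: whoever can alter the message can recompute the digest, so it gives no protection against tampering. The slide deck itself lists RSA signatures as the data-signature mechanism, and the example below (added here; not Telkom Sigma or Pertamina code) shows the transmit/receive exchange built that way with the Java Cryptography API: the payload is encrypted with AES in GCM mode, the IV and ciphertext are signed with the sender's RSA key, and the receiver verifies the signature before decrypting. It assumes the RSA key pair is generated in-process (on the slide it would live in the SmartCard), the AES key is pre-shared out of band, and it uses SHA256withRSA rather than the SHA1 variant named on the slide; all class, method and variable names are the example's own.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added example, not Telkom Sigma or Pertamina code. Assumes an in-process RSA key pair
// (the slide keeps it on a SmartCard) and a pre-shared AES key. Names are illustrative.
public class SignedTransmissionDemo {
    static final int GCM_TAG_BITS = 128;
    static final int GCM_IV_BYTES = 12;

    // Sender: AES-GCM encrypt the payload, then sign IV||ciphertext with RSA (SHA-256).
    // Unlike a bare MD5, the signature cannot be recomputed by whoever alters the message.
    static byte[][] sendMessage(byte[] plaintext, SecretKey aesKey, PrivateKey signingKey)
            throws Exception {
        byte[] iv = new byte[GCM_IV_BYTES];
        new SecureRandom().nextBytes(iv);                  // fresh IV per message
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, aesKey, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ciphertext = cipher.doFinal(plaintext);
        byte[] envelope = ByteBuffer.allocate(iv.length + ciphertext.length)
                .put(iv).put(ciphertext).array();

        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(signingKey);
        sig.update(envelope);
        return new byte[][] { envelope, sig.sign() };
    }

    // Receiver: verify the signature first, only then decrypt. Returns null on any failure.
    static byte[] receiveMessage(byte[] envelope, byte[] signature, SecretKey aesKey,
                                 PublicKey verifyKey) throws Exception {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(verifyKey);
        sig.update(envelope);
        if (!sig.verify(signature)) return null;           // forged or tampered envelope

        byte[] iv = new byte[GCM_IV_BYTES];
        byte[] ciphertext = new byte[envelope.length - GCM_IV_BYTES];
        ByteBuffer.wrap(envelope).get(iv).get(ciphertext);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, aesKey, new GCMParameterSpec(GCM_TAG_BITS, iv));
        try {
            return cipher.doFinal(ciphertext);             // GCM tag check catches bit flips too
        } catch (AEADBadTagException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey aesKey = kg.generateKey();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair pair = kpg.generateKeyPair();

        // Constructed sample payload.
        byte[] msg = "invoice 4711: amount 1500000 IDR".getBytes(StandardCharsets.UTF_8);
        byte[][] wire = sendMessage(msg, aesKey, pair.getPrivate());
        byte[] ok = receiveMessage(wire[0], wire[1], aesKey, pair.getPublic());
        System.out.println("intact   : "
                + (ok != null ? new String(ok, StandardCharsets.UTF_8) : "REJECTED"));

        // Simulated corruption in transit: flip one ciphertext byte. With MD5 alone the
        // digest could be recomputed to match; the RSA signature cannot, so it is rejected.
        byte[] tampered = wire[0].clone();
        tampered[tampered.length - 1] ^= 0x01;
        byte[] bad = receiveMessage(tampered, wire[1], aesKey, pair.getPublic());
        System.out.println("tampered : " + (bad != null ? "ACCEPTED (bug)" : "REJECTED"));
    }
}
```

Run with `javac SignedTransmissionDemo.java && java SignedTransmissionDemo`. Verifying the signature before touching the cipher keeps attacker-controlled bytes away from the decryption path, and a fresh random IV per message is what keeps AES-GCM safe to reuse with one pre-shared key.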
2. Firewall
The method usually used to protect the server area, in addition to the firewall, is NAT (Network Address Translation) on the router, together with a DMZ.
NAT here bridges the public IP to the internal server IP (there is one more IP address in between those two), so that outside parties do not learn the real IP addresses inside the server environment.
There is also what is called the DMZ (Demilitarized Zone) -> http://en.wikipedia.org/wiki/DMZ_(computing)
Organizational Security Models
Some of the best practices that facilitate the implementation of security controls include Control Objectives for Information and Related Technology (COBIT), ISO/IEC 17799/BS 7799, Information Technology Infrastructure Library (ITIL), and Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE).
COSO
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a U.S. private-sector initiative formed in 1985. Its major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence. COSO has established a common definition of internal controls, standards, and criteria against which companies and organizations can assess their control systems.
Key concepts of the COSO framework
Internal control is a process. It is a means to an end, not an end in itself.
Internal control is affected by people. It’s not merely policy manuals and forms, but people at every level of an organization.
Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.
The COSO framework defines internal control as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations.
COSO Internal Control Framework: the five components
According to the COSO framework, internal control consists of five interrelated components. These components provide an effective framework for describing and analyzing the internal control system implemented in an organization. The five components are the following:
Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, management's operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization.
Risk assessment: Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives and thus risk assessment is the identification and analysis of relevant risks to achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.
Control activities: Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and Separation of duties/segregation of duties.
Information and communication: Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information, that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.
Monitoring: Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.
ITIL
The Information Technology Infrastructure Library (ITIL) is a set of concepts and techniques for managing information technology (IT) infrastructure, development, and operations.
ITIL is published in a series of books, each of which covers an IT management topic.
Overview and Benefits
ITIL provides a systematic and professional approach to the management of IT service provision. Adopting its guidance offers users a huge range of benefits that include:
reduced costs;
improved IT services through the use of proven best practice processes;
improved customer satisfaction through a more professional approach to service delivery;
standards and guidance;
improved productivity;
improved use of skills and experience; and
improved delivery of third party services through the specification of ITIL or ISO 20000 as the standard for service delivery in services procurements.
ITIL v3
ITIL v3, published in May 2007, comprises five key volumes:
Service Strategy
Service Design
Service Transition
Service Operation
Continual Service Improvement
COBIT
The Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI) in 1992. COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company.
Overview
COBIT has 34 high level processes that cover 210 control objectives categorized in four domains:
Planning and Organization
Acquisition and Implementation
Delivery and Support
Monitoring
COBIT provides benefits to managers, IT users, and auditors.
Managers benefit from COBIT because it provides them with a foundation upon which IT related decisions and investments can be based. Decision making is more effective because COBIT aids management in defining a strategic IT plan, defining the information architecture, acquiring the necessary IT hardware and software to execute an IT strategy, ensuring continuous service, and monitoring the performance of the IT system.
IT users benefit from COBIT because of the assurance provided to them by COBIT's defined controls, security, and process governance.
COBIT benefits auditors because it helps them identify IT control issues within a company's IT infrastructure. It also helps them corroborate their audit findings.
COBIT structure
Plan and Organize: The Planning and Organization domain covers the use of information & technology and how best it can be used in a company to help achieve the company's goals and objectives. It also highlights the organizational and infrastructural form IT is to take in order to achieve the optimal results and to generate the most benefits from the use of IT.
Acquire and Implement: The Acquire and Implement domain covers identifying IT requirements, acquiring the technology, and implementing it within the company's current business processes. This domain also addresses the development of a maintenance plan that a company should adopt in order to prolong the life of an IT system and its components.
Delivery and Support: The Delivery and Support domain focuses on the delivery aspects of the information technology. It covers areas such as the execution of the applications within the IT system and its results, as well as the support processes that enable the effective and efficient execution of these IT systems. These support processes include security issues and training.
Monitor and Evaluate: The Monitoring and Evaluation domain deals with a company's strategy in assessing the needs of the company and whether or not the current IT system still meets the objectives for which it was designed and the controls necessary to comply with regulatory requirements. Monitoring also covers the issue of an independent assessment, by internal and external auditors, of the effectiveness of the IT system in its ability to meet business objectives and of the company's control processes.
ISO/IEC 27000 Series (Formerly BS 7799/ISO 17799)
Tracking the history of the ISO/IEC 27000-series of standards is somewhat of a challenge. This section provides the history of the ISO standard for information security management that began with BS 7799 and later resulted in ISO 17799 and eventually the ISO 27000 "family of standards" for Information Security Management Systems (ISMS). Like the other control and governance models, the ISO 27000 series provides a set of guidelines and best practices for information security management. The standards are the product of ISO/IEC JTC1 (Joint Technical Committee 1) SC27 (Sub Committee 27), an international body that meets in person twice a year. The International Standards Organization (ISO) also develops standards for quality control, environmental protection, product usability, manufacturing, etc.
BS 7799
BS 7799 is divided into three parts:
BS 7799 Part 1 was a standard originally published as BS 7799 by the British Standards Institute (BSI) in 1995.
It was eventually adopted by ISO as ISO/IEC 17799, "Information Technology - Code of practice for information security management." in 2000.
ISO/IEC 17799 was most recently revised in June 2005 and was renamed to ISO/IEC 27002 in July 2007.
BS 7799 Part 2 was first published by BSI in 1999, titled "Information Security Management Systems - Specification with guidance for use." It focuses on how to implement an information security management system (ISMS).
The 2002 version of BS 7799-2 introduced the Plan-Do-Check-Act (PDCA) (Deming quality assurance model), aligning it with quality standards such as ISO 9000.
BS 7799 Part 2 was adopted by ISO as ISO/IEC 27001 in November 2005.
BS 7799 Part 3 was published in 2005, covering risk analysis and management. It aligns with ISO/IEC 27001.
ISO 17799
Derived from BS 7799
It is an internationally recognized ISM standard that provides high-level, conceptual recommendations on enterprise security.
ISO 17799 has two parts:
Part I is an implementation guide with guidelines on how to build a comprehensive information security infrastructure.
Part II is an auditing guide based on the requirements that must be met for an organization to be deemed compliant with ISO 17799.
ISO 17799 domains
Information security policy for the organization: Map of business objectives to security, management's support, security goals, and responsibilities.
Creation of information security infrastructure: Create and maintain an organizational security structure through the use of security forum, security officer, defining security responsibilities, authorization process, outsourcing, and independent review.
Asset classification and control: Develop a security infrastructure to protect organizational assets through accountability and inventory, classification, and handling procedures.
Personnel security: Reduce risks that are inherent in human interaction by screening employees, defining roles and responsibilities, training employees properly, and documenting the ramifications of not meeting expectations.
Physical and environmental security: Protect the organization's assets by properly choosing a facility location, erecting and maintaining a security perimeter, implementing access control, and protecting equipment.
Communications and operations management: Carry out operations security through operational procedures, proper change control, incident handling, separation of duties, capacity planning, network management, and media handling.
Access control: Control access to assets based on business requirements, user management, authentication methods, and monitoring.
System development and maintenance: Implement security in all phases of a system's lifetime through development of security requirements, cryptography, integrity, and software development procedures.
Business continuity management: Counter disruptions of normal operations by using continuity planning and testing.
Compliance: Comply with regulatory, contractual, and statutory requirements by using technical controls, system audits, and legal awareness.
ISO 27000 Series
The ISO/IEC 27000-series (also known as the 'ISMS Family of Standards' or 'ISO27k' for short) comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
The series provides best practice recommendations on information security management, risks and controls within the context of an overall Information Security Management System (ISMS), similar in design to management systems for quality assurance (the ISO 9000 series) and environmental protection (the ISO 14000 series).
The series is deliberately broad in scope, covering more than just privacy, confidentiality and IT or technical security issues. It is applicable to organizations of all shapes and sizes. All organizations are encouraged to assess their information security risks, then implement appropriate information security controls according to their needs, using the guidance and suggestions where relevant. Given the dynamic nature of information security, the ISMS concept incorporates continuous feedback and improvement activities, summarized by Deming's "plan-do-check-act" approach, that seek to address changes in the threats, vulnerabilities or impacts of information security incidents.
The following are the currently published 27000-series standards:
ISO 27000 Overview and vocabulary. Overview and glossary of terms.
ISO 27001 Information security management systems -- Requirements. This is the specification/requirements for an information security management system (an ISMS), which replaced the old BS7799-2 standard.
ISO 27002 Code of practice for information security management. This is the 27000-series number of what was originally the ISO 17799 standard (which itself was formerly known as BS7799-1).
ISO 27003 Information security management system implementation guidance. This will be the official number of a new standard intended to offer guidance for the implementation of an ISMS.
ISO 27004 Information security management -- Measurement. This standard covers information security management system measurement and metrics, including suggested ISO 27002-aligned controls.
ISO 27005 Information security risk management. This is the methodology-independent ISO standard for information security risk management.
ISO 27006 Requirements for bodies providing audit and certification of information security management systems. This standard provides guidelines for the accreditation of organizations offering ISMS certification.
Other 27000-series ISO publications:
ISO 27011 Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
ISO 27033 Network security -- Part 1: Overview and concepts
ISO 27799 Health informatics -- Information security management in health using ISO/IEC 27002
Although the list of ISO 27000-series standards for information security management continues to grow, ISO/IEC 27002 and ISO/IEC 27001 remain the most used standards, because they provide the most basic guidance for enterprise information security program practices and processes, and also because they are the most current versions of their popular predecessors (BS 7799 and ISO 17799).