This document discusses information security trends, knowledge, and career opportunities. It provides an overview of the speaker's qualifications and certifications in information security. It also outlines some common information security risks and incidents seen in Indonesia, such as malware, spam, identity theft, and website defacement. The document promotes training in information security standards like ISO 27001 to help mitigate risks. It argues that information security is a growing field with promising career prospects, especially for those with international certifications.
Hogan Kusnadi - Information Security
1. Information Security
Trend, Knowledge and Promising Career
Medan, 12 June 2010
Delivering Quality and Competence
TRAINING, HIRING & INCREASE CAREER
2. By: Ir. Hogan Kusnadi, MSc, CISSP-ISSAP, CISA
(Certified Information Systems Security Professional)
(Information Systems Security Architecture Professional)
(Certified Information Systems Auditor)
Certified Consultant for ISO 27001/27002
Founder and Director
PT. UniPro Nuansa Indonesia
E-mail: hogan@unipro.co.id
www.unipro.co.id
blog.unipro.co.id
3. Activities and Memberships Related to Information Security
• Chair of the Technical Sub-Committee of Kementerian Kominfo (Ministry of Communication and Informatics) and BSN for Information Security, adopting ISO 27001, ISO 27002 and the other standards of the ISO 27000 series.
• MASPI (Masyarakat Sandi dan Keamanan Informasi, the Indonesian Cryptography and Information Security Society). Founding Member and Chair of Competency Development (2006).
• (ISC)2 International Information Systems Security Certification Consortium
• ISACA (Information Systems Audit and Control Association), Member.
• Former member of the Menkominfo “Task Force for the Security and Protection of IT-Based Strategic Infrastructure” (2004)
• Former Member of the EVATIK Working Group (Pokja) of DETIKNAS (2007)
16. Benefits vs Risks
Benefits: multi-function, flexible, easy to use
Technologies: Database Application, Web Application, Client Server, Networking Integration, Cloud Computing
Security properties at stake: Confidentiality (Kerahasiaan), Integrity (Integritas), Availability (Ketersediaan), Authenticity (Otentisitas), Non-repudiation (Nir Sangkal)
Risks: Identity Theft, Information Theft, Industrial/State Espionage, Distributed Denial of Service
20. Information Security Attacks in Indonesia
• Malicious software (virus, worm, spyware, keylogger, DoS, DDoS, etc.)
• Spam, phishing
• Identity theft *
• Data leakage/theft
• Web defacement
• Web transaction attack
• Misuse of IT resources
* Theft via ATM (Jan 2010)
21. Attacks on Indonesian Websites
Chart: attacks on .id domain sites, 1998 – 2009, by second-level domain: .go.id 792, .co.id 846, .ac.id 1463, .or.id 2138 (the last label and value are separated in the extraction and are paired here by elimination).
Source: www.zone-h.org
25. CISSP 2002 - 2010
Chart: number of CISSPs in Indonesia, Malaysia and Singapore on 3-Oct-02 versus 30-Mar-10 (y-axis 0 to 1200; the bar values are not recoverable from the extraction).
26. Competency vs Incident (Government Website 2010)
Chart: Number of CISSP versus Number of Incident for Indonesia, Malaysia and Singapore (y-axis 0 to 2500; the bar values are not recoverable from the extraction).
27. As of Aug 2009: Number of (ISC)² Members in Various Asian Economies
Chart (y-axis 0 to 2500) covering Hong Kong, Philippines, Singapore, India, Australia, Malaysia, Thailand, Vietnam, China, Korea and Indonesia; the per-economy values are not recoverable from the extraction.
28. CISSP In the World
1000+ United States Canada United Kingdom Hong Kong Korea, South Singapore Australia Japan India
500+ Switzerland France Netherlands Germany
Mexico Brazil Denmark China South Africa Belgium Malaysia
200+
Ireland Finland Spain Sweden Taiwan United Arab
Emirates
100+ Poland Russia Saudi Arabia Italy
Israel New Zealand Thailand
32. Data Theft
Chart: WORLD RECORD data breaches by year (y-axis 0 to 140,000,000 records; x-axis 2003 to 2010): 2004 America Online, 2005 CardSystems, 2006 US Dept of Veteran Affairs, 2007 TJX Companies Inc, 2008 T-Mobile / Deutsche Telecom, 2009 Heartland Payment System.
INDONESIA: World versus Indonesia, 2008 Total Incident Reported (values not recoverable from the extraction).
34. CardSystems - Hacking Incident
• Hackers had stolen 263,000 customer credit card numbers and exposed 40 million more.
• In September 2004, hackers dropped a malicious script on the CardSystems application platform, injecting it via the Web application that customers use to access account information. The script, programmed to run every four days, extracted records, zipped them and exported them to an FTP site.
• Visa and MasterCard threatened to terminate it as a transaction processor.
• CardSystems was acquired by PayByTouch in October 2005.
36. GhostNet – Cyber Espionage
(Report: 29 March 2009)
• Infected 1,295 Computers
Targeted at:
– Ministries of foreign affairs,
– Embassies,
– International organizations,
– News media,
– and NGOs.
• 103 Countries (Indonesia Included)
38. Motivation Behind Cyber Attacks
• Just for FUN
• Fame and popularity
• Challenging activities
• Ideological/political
• Jealousy, anger
• Revenge
• Random attack
• Personal financial gain
• Organized crime for financial gain (FUND)
39. Change in the Security Landscape
5 Years Ago:
• Vandalism
• Incident is known
• Attack System
• Broad base
• Individual
Now:
• Profit Oriented
• Stealthy mode
• Attack Application and Data
• Targeted
• Organized crime
• (State) Sponsored Attack/Espionage/Sabotage
51. Minimum level of protection
Risk Factor = T x V x A
Diagram axis: Threat Level
52. Risk Factor = T x V x A
Diagram: Current Threat versus Potential Future Threat (the curve itself is not recoverable from the extraction).
53. MV Dumai Express-18, sailing from Dumai to Batam, sprang a leak and sank off Terkulai Island, Batupanjang, Dumai, 15 minutes after departing from Dumai Port on Monday (28/9) at around 10.00 WIB.
57. Where is ISO 27001 Position in IT Governance?
UU ITE, PP60/2008, PBI
COSO
COBIT / ISO 38500
ISO 20000 / ITIL V3 SNI-ISO 27001
58. UniPro Public Training
(Audience: courses. The original slide also carries a row-group label “Managerial”, whose extent is not recoverable from the extraction.)
• Top Management: Information Security Governance for Top Executive
• General Management (Manajer Umum): Information Security Governance for General Management
• End User: Information Security Awareness & Security Policy Socialization; Holistic Information Security
• IT Manager: ISO 27001 Introduction; Security Policy Formulation; Holistic Information Security
• IT Application: Web Application Hacking & Countermeasures; Secure SDLC/CSSLP (Certified Secure Software Lifecycle Professional); Holistic Information Security
• IT Network: Hacking Insight through Penetration Testing; Wireless Hacking & Defense; Packet Analysis & Troubleshoot; Holistic Information Security
• IT Server: Hacking Insight through Penetration Testing; Holistic Information Security
• IT Security Manager: ISO 27001 Introduction; ISO 27001 Implementation; Security Policy Formulation; BCP / DRP; CISSP (Certified Information Systems Security Professional); Holistic Information Security
• IT Security Personnel: Incident Response & Handling; Log Management & Analysis; Hacking Insight through Penetration Testing; Wireless Hacking & Defense; Packet Analysis & Troubleshoot; Forensic Investigation Analysis; SSCP (Systems Security Certified Practitioner)
• Physical Security: Information Security for Physical Security Personnel
59. ISO 27001 Series: International Standard for Information Security Management System
• Based on British Standard BS7799, which provides comprehensive guidance on various controls for implementing information security.
• ISMS Best Practice Pair:
– Criteria for Certification: ISO 27001:2005 (was BS 7799-2:2005)
– Guideline for Best Practice: ISO 27002 (was 17799:2005)
It includes the following:
1. Security Policy
2. Organizing Information Security
3. Asset Management
4. Human Resources Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Information Systems Acquisition, Development and Maintenance
9. Information Security Incident Management
10. Business Continuity Management
11. Compliance.
62. ISO 27001 Certificates in The World (Jan 2010)
ISO 27001 Statistic:
81 countries
Japan 55%
4 Asian countries in the Top 5
5 Asian countries in the Top 10
Indonesia at position no. 42, the lowest among the founding ASEAN countries.
http://www.iso27001certificates.com
65. 7 Flagship DETIKNAS
• e-Education
• e-Budgeting
• e-Procurement
• National Identity Number
• National Single Window
• Palapa Ring
• Software Legalization
66. Indonesian Security Experts
Pyramid, top to bottom:
• High level: international certification, skill of InfoSec
• Medium level of InfoSec
• Care / awareness
67. The Economics of Supply and Demand
Red Ocean vs Blue Ocean
• Many other IT skills: Applicant >> Job (red ocean)
• InfoSec skill: Job >> Applicant (blue ocean)
68. Job Posting
(Required CISSP Certification. From www.isc2.org)
Manager/Analyst/Engineer
• Computer Systems Security
• Cyber Network Operations Planning Specialist - $75K
• Cyber Security Specialist
• Data & System Security Specialist
• Digital Forensics Analyst
• Functional Security/Penetration Testers/Telecommute
• Information Security Analyst
• Information System Security (ISS) Project/Program Manager
• IT Security Specialist
• Manager, Security Policy, Compliance, and Risk Management
• Manager, Security Program Management
• Network Security Manager
• Project Manager Data Center
• Security Operations Center Analyst
• Security System Administrator - $95K
• Senior Computer Forensic Examiner
• Technical Manager of Applications Security Consulting
• Technology Risk Analyst
• Vulnerability Management Engineer
69. Job Posting
(Required CISSP Certification. From www.isc2.org)
Consultant/Auditor
• Consulting Partner
• Entry Level IT Security Consultant
• Information Technology (IT) Auditor
• Senior IT Auditor
Critical Infrastructure
• Critical Infrastructure Protection Specialist
• NATO Cyber Defence Coordinator
Others
• Recruiter
• Sales Engineer
• Senior Technical Recruiter, Human Resources
• Technical Writer
70. Job Posting
(Required CISSP Certification. From www.isc2.org)
Business Function
• Analyst, Business Analysis (Security Due Diligence)
• Business Continuity and Operational Quality Assurance Role
• Identity Management Architect/Developer
• Senior Enterprise Architect
• Senior Information Assurance Engineer
• Senior Security Architect
Executive Management
• Chief Information Security Officer
• Director of Security
• Director, Information Security
• VP Governance, Risk and Compliance
• VP Security Engineering
• VP, Enterprise Security
• VP/Information Assurance
71. US Department of Defense Directive 8570
Information Security Certification Required for 2010
IAT (Information Assurance Technical):
• IAT Level I: A+, Network+, SSCP
• IAT Level II: GSEC, Security+, SCNP, SSCP
• IAT Level III: CISA, CISSP (or Associate), GCIH, GSE, SCNA
IAM (Information Assurance Management):
• IAM Level I: CAP, GISF, GSLC, Security+
• IAM Level II: CAP, CISM, CISSP (or Associate), GSLC
• IAM Level III: CISM, CISSP (or Associate), GSLC
IASAE (Information Assurance Security Architecture and Engineering):
• IASAE I: CISSP (or Associate)
• IASAE II: CISSP (or Associate)
• IASAE III: CISSP – ISSAP, CISSP – ISSEP
CND (Computer Network Defense):
• CND Analyst: GCIA, CEH
• CND Infrastructure Support: SSCP, CEH
• CND Incident Reporter: GCIH, CSIH, CEH
• CND Auditor: CISA, GSNA, CEH
• CND-SP Manager: CISSP-ISSMP, CISM
Level I: Junior Level; Level II: Middle Level; Level III: Senior Level
77. Special Note:
The THINC program also has the support of Balitbang SDM (Research and Development Agency for Human Resources) of Kementerian Kominfo, in recognition of its quality and in line with the government's VISION & MISSION.
This program will become part of SKKNI (Standar Kompetensi Kerja Nasional Indonesia, the Indonesian National Work Competency Standard)
78. Silver Program (Promo)
• Essential Information Security (4 Days)
• Enterprise Information Security Technology (6 Days)
• Exam (1 Day)
• Total (11 Days)
79. Essential Information Security
Training modules (No. Module: days):
1. Essential Information Security Foundation: 2 days
2. Essential Packet Analysis: 1 day
3. Essential Web Application Security: 1 day
80. Essential Information Security Foundation
Day I
• Introduction
• InfoSec Management Concept
• InfoSec Practical Concept
• Threat and Attack
• Firewall
Day II
• Firewall
• IDS/IPS
• VPN
• Data Protection
90. Pre-Requisite
• Subjects/courses to study in preparation before taking the THINC Silver class:
– Data Communications
– Computer Networks
– Computer Operating Systems
91. Package / Modules / Day(s) / Price
Bronze A (Essential Information Security):
• Essential Information Security Foundation: 2 days, Rp. 1.300.000,-
• Essential Packet Analysis: 1 day, Rp. 650.000,-
• Essential Web Application Security: 1 day, Rp. 650.000,-
• Bronze A Package: 4 days, Rp. 2.200.000,-
Bronze B (Enterprise InfoSec Technology):
• Firewall Fundamental: 1 day, Rp. 750.000,-
• Firewall 1 (Check Point): 1 day, Rp. 750.000,-
• Firewall 2 (Juniper): 1 day, Rp. 750.000,-
• IPS (TippingPoint): 1 day, Rp. 750.000,-
• Proxy (Blue Coat): 1 day, Rp. 750.000,-
• Load Balancer (F5): 1 day, Rp. 750.000,-
• Bronze B Package: 6 days, Rp. 4.000.000,-
EXAM: 1 day, Rp. 500.000,-
Total Individual Modules + Exam: 11 days, Rp. 7.600.000,-
Note: Minimum 32 participants, maximum 40 per class
92. Package / Modules / Day(s) / Price
Essential Information Security:
• Essential Information Security Foundation: 2 days, Rp. 1.300.000,-
• Essential Packet Analysis: 1 day, Rp. 650.000,-
• Essential Web Application Security: 1 day, Rp. 650.000,-
Enterprise InfoSec Technology:
• Firewall Fundamental: 1 day, Rp. 750.000,-
• Firewall 1 (Check Point): 1 day, Rp. 750.000,-
• Firewall 2 (Juniper): 1 day, Rp. 750.000,-
• IPS (TippingPoint): 1 day, Rp. 750.000,-
• Proxy (Blue Coat): 1 day, Rp. 750.000,-
• Load Balancer (F5): 1 day, Rp. 750.000,-
EXAM: 1 day, Rp. 500.000,-
Silver Package: 11 days, Rp. 5.000.000,-
Note: Minimum 32 participants, maximum 40 per class
93. SILVER PROMO !!!
PROGRAM SILVER PROMO
• Total Class: 10 Days Training + 1 Day Exam
• PRICE: IDR 5 Million/Student
• 32 - 40 Students Per Class