INCIDENT RESPONSE

Security Risk Situation

Security ≠ Technological Security
Security is socio-technical and physical!

Security Perspective
• Security Strategy = Prevention + Detection + Response

Security Strategy
• Prevention
  – Protect computers and information from intruders and from errors.
  – Ideally, security procedures and policies close off every opportunity for attack; at minimum they reduce the number of successful attacks.
• Detection
  – Be able to determine when, how and by whom an asset was compromised.
  – Requires anything from sophisticated tooling to a simple log file that can be analyzed.
• Response
  – Build strategies and techniques for dealing with an attack or a loss.
  – Better to have a recovery plan than to improvise 'on the fly' or decide "we'll see later".
• Example: Private Property
  – Prevention: locks at doors, window bars, walls round the property
  – Detection: stolen items are missing, burglar alarms, closed circuit TV
  – Reaction: call the police, replace stolen items, make an insurance claim …
• Example: E-Commerce
  – Prevention: encrypt your orders, rely on the merchant to perform checks on the caller, don't use the Internet (?) …

Scope of IS Security
• Security is a process

IS Security Concept
• System security as one integrated concept

Main Focus of IS Security
• Three main focus areas
  – Physical Security
  – Operational Security
  – Management and Policies
• Security triangle (figure)
• Physical Security
  – Protection of assets and information from physical access by unauthorized personnel
  – 3 components:
    • Make the physical location an unattractive target for attack
    • Detect penetration or theft
    • Recover from theft or loss of critical information or systems
• Operational Security
  – How the organization handles its computers, networks, communication systems and information management
  – Includes access control, authentication, security topologies, backup and recovery plans
  – The most effective way to improve operational security → IS security training
• Management and Security Policies
  – Produce the guidance, rules and procedures for implementation
  – To be effective, a policy needs full, non-negotiable backing from the management team
  – Some examples of policies:
    • Administrative policies
    • Design requirements
    • Disaster Recovery Plan
    • Information policies
    • Security policies
    • Usage policies
    • User management policies

IS Security Quality Standards
• ISO 17799 / 27001 / 27002
  – Business Continuity Planning
  – System Access Control
  – System Development and Maintenance
  – Physical and Environmental Security
  – Compliance
  – Personnel Security
  – Security Organization
  – Computer & Network Management
  – Asset Classification and Control
  – Security Policy

IS Security Professional Qualifications
• SANS Institute Certified Engineers
• CISSP Certified and Trained Engineers
• ISO 27001:2005 Lead Auditors
• Certified Ethical Hackers
• Product-related engineers with extensive knowledge of various security products
• … and others

IS Security Professional Qualifications
• Basic foundations:
  – Know a programming language
  – Understand hardware and the software that controls it (interfacing logic)
  – Know how to manage computer installations
  – Have a solid grasp of computer networking theory: protocols, infrastructure, communication media
  – Understand how operating systems work
  – Have an 'evil mind' ;-p

IS Security Professional Qualifications
• How to learn:
  – Follow developments in computer security technology
  – Look for books on computer security (printed and e-books) and computer magazines/tabloids, in print or online
  – Visit security review sites (e.g. www.cert.org) and underground sites (look them up with a search engine)
  – Study reviews or manuals of hardware and software to understand properly how they work, or attend certification training

Is Certification for You?
• Yes, if:
  – You're a large corporation
  – You're publicly owned
  – You offer IT-based services to clients
  – You have legal obligations
  – You're comfortable with formal processes
• No, if:
  – You have a small, manageable infrastructure
  – Your only responsibility is to yourself
  – You have an informal culture and strong skills
  – You believe certification will make you secure

Incident Response: Definitions
• Incident: an event that threatens the security of a computer system or network.
• Event: anything that can be observed (measured).
• Examples of events: connecting to another system on the network, accessing a file, sending a packet, a system shutdown, etc.
• Threatening events include system crashes, packet floods, use of an account by an unauthorized person, web defacement, natural disasters, and anything else that endangers system operation.

Incident Types
• CIA-related incidents:
  – Confidentiality: an attempt to break into a classified military system
  – Integrity
  – Availability
• Other types
  – Reconnaissance attacks
  – Repudiation
    • Someone takes an action and denies it later on.

Why is incident response needed?
• For the organization:
  – A systematic response to incidents
  – Recover quickly
  – Prevent similar incidents in the future
  – Prepare the steps required for legal action

Incident Response Scope
• Technical:
  – Incident detection and investigation tools and procedures
• Management-related
  – Policy
  – Formation of an incident response capability
    • In-house vs. out-sourced

Incident Handling (lifecycle figure)
• Preparation → Detection and Analysis → Containment, Eradication and Recovery → Post-incident activity
• PDCERF incident response method (figure)

Incident Handling: Preparation
• Incident handler communications and facilities
  – Contact information
  – On-call information for other teams within the organization, including escalation information
  – Incident reporting mechanisms
  – Pagers or cell phones to be carried by team members for off-hour support and on-site communications
  – Encryption software
  – War room for central communication and coordination
  – Secure storage facility for securing evidence and other sensitive materials

Incident Handling: Preparation
• Incident analysis hardware and software
  – Computer forensic workstations and/or backup devices to create disk images, preserve log files, and save other relevant incident data
  – Blank portable media
  – Easily portable printer
  – Packet sniffers and protocol analyzers
  – Computer forensic software
  – Floppies and CDs with trusted versions of programs to be used to gather evidence from systems
  – Evidence gathering accessories
    • hard-bound notebooks
    • digital cameras
    • audio recorders
    • chain of custody forms
    • evidence storage bags and tags
    • evidence tape

Incident Handling: Preparation
• Incident analysis resources
  – Port lists, including commonly used ports and Trojan horse ports
  – Documentation for OSs, applications, protocols, and intrusion detection and antivirus signatures
  – Network diagrams and lists of critical assets, such as Web, e-mail, and File Transfer Protocol (FTP) servers
  – Baselines of expected network, system and application activity
  – Cryptographic hashes of critical files to speed the analysis, verification, and eradication of incidents

Incident Handling: Preparation
• Incident mitigation software
  – Media, including OS boot disks and CD-ROMs, OS media, and application media
  – Security patches from OS and application vendors
  – Backup images of OS, applications, and data stored on secondary media

Incident Handling: Detection and Analysis
• Incident categories
  – Denial of Service
  – Malicious code
  – Unauthorized access
  – Inappropriate usage
  – Multiple component incidents

Incident Handling: Detection and Analysis
• Signs of an incident
  – Intrusion detection systems
  – Antivirus software
  – Log analyzers
  – File integrity checking
  – Third-party monitoring of critical services
• Incident indications vs. precursors
  – A precursor is a sign that an incident may occur in the future
    • E.g. scanning
  – An indication is a sign that an incident is occurring or has occurred

Incident Handling: Detection and Analysis
• Incident documentation
  – If an incident is suspected, start recording facts
• Incident prioritization based on
  – Current and potential technical effects
  – Criticality of affected resources
• Incident notification
  – CIO
  – Head of information systems
  – Local information security officer
  – Other incident teams
  – Other agency departments such as HR, public affairs, legal department

Incident Handling: Containment, Eradication, Recovery
• Containment strategies
  – Vary based on type of incident
  – Criteria for choosing a strategy include
    • Potential damage / theft of resources
    • Need to preserve evidence
    • Service availability
    • Resource consumption of the strategy
    • Effectiveness of the strategy
    • Duration of the solution

Incident Handling: Containment, Eradication, Recovery
• Evidence gathering
  – For incident analysis
  – For legal proceedings
    • Chain of custody
    • Authentication of evidence

Incident Handling: Containment, Eradication, Recovery
• Attacker identification
  – Validation of attacker IP address
  – Scanning attacker's system
  – Research attacker through search engines
  – Using incident databases
  – Monitoring possible attacker communication channels

Incident Handling: Containment, Eradication, Recovery
• Eradication
  – Deleting malicious code
  – Disabling breached user accounts
• Recovery
  – Restoration of system(s) to normal operations
    • Restoring from clean backups
    • Rebuilding systems from scratch
    • Replacing compromised files
    • Installing patches
    • Changing passwords
    • Tightening perimeter security
    • Strengthening logging

Incident Handling: Post-Incident Activity
• Evidence retention
  – Prosecution of attacker
  – Data retention policies
  – Cost

Next: BCP and DRP
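Added worked example (not code from the lecture): the "cryptographic hashes of critical files" item on the Preparation slides and the "file integrity checking" sign on the Detection and Analysis slides, in Python. A baseline of SHA-256 digests is taken while the system is known-good, then compared against a fresh pass after a simulated compromise. The directory layout, file contents and the changes made to them are constructed for the demonstration, and build_baseline / compare_baseline are this example's own function names.

```python
# Added example: file-integrity baseline for the Preparation and
# Detection and Analysis slides. Not code from the original lecture;
# the paths and file contents below are constructed for the demonstration.
import hashlib
import os
import tempfile

CHUNK = 65536


def sha256_file(path):
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (relative path) to its SHA-256 digest.

    Run this while the system is known-good (Preparation) and keep the result
    on trusted, write-protected media held separately from the host.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare_baseline(trusted, current):
    """Files added, removed or modified relative to the trusted baseline."""
    return {
        "added": sorted(set(current) - set(trusted)),
        "removed": sorted(set(trusted) - set(current)),
        "modified": sorted(p for p in trusted.keys() & current.keys()
                           if trusted[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a small tree, then simulate a compromise."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls binary (constructed)")
        with open(os.path.join(root, "etc", "passwd"), "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/sh\n")

        trusted = build_baseline(root)   # taken during Preparation

        # Simulated incident: replaced binary, unexpected new file, deleted config
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"replaced ls binary (constructed)")
        with open(os.path.join(root, "etc", "cron.new"), "wb") as f:
            f.write(b"constructed unexpected cron entry\n")
        os.remove(os.path.join(root, "etc", "passwd"))

        current = build_baseline(root)   # taken during Detection and Analysis
        return compare_baseline(trusted, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The comparison only has value if the baseline itself cannot be rewritten by whoever modified the files, which is why the Preparation slides pair the hashes with trusted media kept off the host.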
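Added worked example (not code from the lecture): the distinction between a precursor (scanning, something that may lead to an incident) and an indication (an incident is occurring or has occurred) from the Detection and Analysis slides, applied to log lines. The firewall and sshd lines, the host names and addresses, and the two thresholds are all constructed for this example; analyze is this example's own function name.

```python
# Added example for the "signs of an incident / precursors vs. indications"
# slides. Not code from the lecture; the log lines, thresholds and host
# names are constructed.
import re
from collections import defaultdict

# Constructed syslog-style lines from a perimeter firewall and an SSH server.
SAMPLE_LOGS = """\
Mar 10 02:11:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=21
Mar 10 02:11:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
Mar 10 02:11:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=25
Mar 10 02:11:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80
Mar 10 02:11:03 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=443
Mar 10 02:11:03 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3306
Mar 10 02:11:04 fw kernel: DROP IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=22
Mar 10 03:40:10 web sshd[812]: Failed password for invalid user admin from 198.51.100.4 port 51022 ssh2
Mar 10 03:40:12 web sshd[812]: Failed password for root from 198.51.100.4 port 51022 ssh2
Mar 10 03:40:15 web sshd[812]: Failed password for root from 198.51.100.4 port 51022 ssh2
Mar 10 03:40:18 web sshd[812]: Failed password for root from 198.51.100.4 port 51022 ssh2
Mar 10 03:40:21 web sshd[812]: Failed password for root from 198.51.100.4 port 51022 ssh2
Mar 10 03:40:25 web sshd[812]: Accepted password for root from 198.51.100.4 port 51022 ssh2
Mar 10 08:00:00 web sshd[990]: Accepted publickey for alice from 192.0.2.55 port 40122 ssh2
"""

FW_DROP = re.compile(r"DROP .*SRC=(?P<src>\S+) .*DPT=(?P<dport>\d+)")
SSH_FAIL = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SSH_OK = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")

SCAN_PORT_THRESHOLD = 5     # assumed: distinct blocked ports from one source => scan
BRUTE_FORCE_THRESHOLD = 4   # assumed: failures before a success => suspicious login


def analyze(log_text):
    """Return a list of (kind, source, detail) findings.

    kind is "precursor" (an incident may follow, e.g. scanning) or
    "indication" (an incident is occurring or has occurred).
    """
    ports_by_src = defaultdict(set)
    failures_by_src = defaultdict(int)
    findings = []
    for line in log_text.splitlines():
        m = FW_DROP.search(line)
        if m:
            ports_by_src[m["src"]].add(int(m["dport"]))
            continue
        m = SSH_FAIL.search(line)
        if m:
            failures_by_src[m["src"]] += 1
            continue
        m = SSH_OK.search(line)
        if m:
            fails = failures_by_src[m["src"]]
            if fails >= BRUTE_FORCE_THRESHOLD:
                # A success right after a run of failures is an indication:
                # the account may already be in unauthorized hands.
                findings.append(("indication", m["src"],
                                 f"successful login as {m['user']} after {fails} failures"))
            failures_by_src[m["src"]] = 0   # a success resets the counter
    for src, ports in ports_by_src.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            # Scanning is the slide's example of a precursor.
            findings.append(("precursor", src,
                             f"port scan: {len(ports)} distinct blocked ports"))
    return findings


if __name__ == "__main__":
    for kind, src, detail in analyze(SAMPLE_LOGS):
        print(f"{kind:10} {src:15} {detail}")
```

On the constructed input the scan from 203.0.113.7 is reported as a precursor, while the login from 198.51.100.4 after repeated failures is reported as an indication; in the prioritization step on the next slide the indication would rank higher because it already affects a critical resource.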
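Added worked example (not code from the lecture): the "chain of custody" and "authentication of evidence" items on the evidence-gathering slide, in Python. The evidence digest recorded at acquisition is what later re-verification compares against, and each custody entry is hashed together with the previous entry so that a rewritten or dropped entry breaks the chain. The evidence bytes, handler names, timestamps and the CustodyLog class are constructed for this example.

```python
# Added example for the "evidence gathering: chain of custody / authentication
# of evidence" slide. Not code from the lecture; evidence bytes, names and
# timestamps are constructed.
import hashlib
import json


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Tamper-evident chain-of-custody log for one evidence item.

    Each entry records who handled the evidence and why, and is hashed
    together with the previous entry's hash, so altering or deleting an entry
    breaks every later link. The first entry fixes the evidence digest taken
    at acquisition; verify_evidence compares against that digest.
    """

    def __init__(self, evidence_id, evidence_bytes, collector, timestamp):
        self.evidence_id = evidence_id
        self.entries = []
        self._append({"action": "acquired", "by": collector, "at": timestamp,
                      "evidence_sha256": sha256_hex(evidence_bytes)})

    def _append(self, fields):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = dict(fields, prev_hash=prev)
        # Hash the canonical JSON of the entry body, then attach the hash.
        body["entry_hash"] = sha256_hex(json.dumps(body, sort_keys=True).encode())
        self.entries.append(body)

    def transfer(self, from_person, to_person, timestamp, reason):
        self._append({"action": "transfer", "from": from_person, "to": to_person,
                      "at": timestamp, "reason": reason})

    def verify_chain(self):
        """True iff every entry's hash matches its content and links to its predecessor."""
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body.get("prev_hash") != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True

    def verify_evidence(self, evidence_bytes):
        """True iff the chain is intact and the evidence still matches the acquisition digest."""
        return (self.verify_chain()
                and sha256_hex(evidence_bytes) == self.entries[0]["evidence_sha256"])


def demo():
    """Constructed scenario: acquire an image, hand it over twice, then test tampering."""
    image = b"constructed disk image bytes 0123456789"
    log = CustodyLog("EV-EXAMPLE-001", image, "handler A", "2024-03-10T02:30:00Z")
    log.transfer("handler A", "forensic lab", "2024-03-10T09:00:00Z", "analysis")
    log.transfer("forensic lab", "legal counsel", "2024-03-12T14:00:00Z", "proceedings")
    intact = log.verify_evidence(image)              # expected True
    altered_image = log.verify_evidence(image + b"x")  # expected False
    log.entries[1]["reason"] = "unrelated"           # entry rewritten after the fact
    tampered_log = log.verify_chain()                # expected False
    return intact, altered_image, tampered_log


if __name__ == "__main__":
    print(demo())
```

The hash chain makes tampering detectable, not impossible; the physical controls on the same slides (custody forms, evidence bags and tags, secure storage) are what keep the log and the evidence out of reach in the first place.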