Posted: 03-May-2023
Indonesia Security Incidents Response Team on Internet Infrastructure
sponsored by: The Training Program on Information Security for Asian Countries
The Establishment Process of ID-SIRTII (Indonesia Security Incidents Response Team on Internet Infrastructure)
Lessons Learned from the ASIS Program, Tokyo, 19 March – 26 March 2008
presented by the Indonesian Delegation: Richardus Eko Indrajit, Muhammad Salahuddien

Agenda of Today
INTRODUCTION
PRESENTATION
Management Aspects of ID-SIRTII by R. Eko Indrajit
Technical Aspects of ID-SIRTII by Muh. Salahuddien
Q&A AND DISCUSSION
CLOSING

The Format of Presentation Slides (legend of the elements on each slide)
Lessons learned by the Indonesian delegation from the ASIS Program of JPCERT/AOTS
The implementation of the knowledge acquired within the Indonesian ID-SIRTII setting
Related reference(s) used as background knowledge
Page number and program name
Main theme of the managerial and/or technical aspect
ID-SIRTII official logo

Outline of the Strategic Plan
Implement the knowledge learnt from the ASIS program to adjust and enhance the existing profile of ID-SIRTII
Differentiate the issues into two main domains, management and technical matters, and identify the things that should be considered and given attention
Focus on the most important aspects of a national-level CSIRT to ensure the success of the establishment effort
Make certain that all mandatory and necessary aspects of building the national CSIRT have been addressed and prepared in a holistic and integrated way
MANAGEMENT ASPECTS of ID-SIRTII as the Indonesian National CSIRT/CC
1 Philosophy, Principles, and Strategy
2 Roles, Services, and Responsibilities
3 Constituents, Management, and Resources
4 Legal, Communication, and Coordination
TECHNICAL ASPECTS of ID-SIRTII as the Indonesian National CSIRT/CC
1 Incident Components of Vulnerabilities, Threats, and Attacks (Exploitations)
2 Monitoring, Analysis, and Response Activities
3 Range of Tools and Technology
4 Cases of CSIRTs/CERTs in Action
Diagram labels: Learning from ASIS Course; Issues of CSIRT Creation and Possible Solutions; Plan and Schedule of Promoting CSIRT Creation

ID-SIRTII Establishment Status
Developing the national CSIRT capability should be done in stages
Start small, grow, and scale fast
Build the capabilities along with the readiness of the resources
Work professionally to build trust among the stakeholders
Collaborate with stakeholders to deliver services
Manage the expectations of the constituency so that there is no misunderstanding of the organisation's roles and responsibilities
Remember that every CSIRT is unique in the tasks and activities it covers
Stage 1: Initialising and educating stakeholders on the need for a national CSIRT
Stage 2: Planning the establishment of the Indonesian National CSIRT (ID-SIRTII)
Stage 3: Developing the core infrastructure and superstructure of ID-SIRTII
Stage 4: Operating the facilities
Stage 5: Conducting collaboration with other parties
Stage 6: Evaluating and enhancing the system and capabilities
We are here!

The Profile of Indonesia
Form a national CSIRT that matches the posture and profile of the country, through understanding the requirements of the main sponsors and the expectations of the related constituents
Consider all the complexities and difficulties of running a national-level CSIRT, for the purpose of building an effective strategy for developing and implementing it
Learn from other established CSIRTs/CERTs to get ideas on how to develop such an institution successfully
Think about the CC or "Coordination Center" role for the institution, to ease building the scope and image of the national CSIRT without being misunderstood by related partners, constituents, customers, and other stakeholders.

Missions and Objectives
Define the organisation's mission in relation to the sponsor's expectations
Link the mission with the objectives and main tasks that share common interests with other stakeholders
Help the institution in scoping its roles and responsibilities in incident response management
Use it as a baseline in creating policies, determining quality, conducting services, and developing procedures within the institution
Mission: "To expedite the economic growth of the country through providing the society with a secure internet environment within the nation"
Main tasks:
1. Monitoring internet traffic for incident handling purposes.
2. Managing log files to support law enforcement.
3. Educating the public for security awareness.
4. Assisting institutions in managing security.
5. Providing training to the constituency and stakeholders.
6. Running a laboratory for simulation practices.
7. Establishing external and international collaborations.

Constituency Domain
Defining and determining the constituencies should be done to get a clear picture of who the customers are
Differentiate between direct customers and indirect customers
Mapping the constituents helps the organisation build a collaboration strategy to leverage its limited resources
Make sure to build trust with all constituents to help the organisation fulfil its missions
State the "your security is my security" paradigm to all constituents to build a shared mission among the communities
Constituency diagram, with ID-SIRTII at the centre: ISPs, NAPs, IXs, Law Enforcement, National Security, Communities, International CSIRTs/CERTs, Government of Indonesia

Coordination Structure
Know and position yourself among the other CSIRTs/CERTs to manage the expectations of your constituency
Determine the scope of the coordination role you are playing to manage stakeholder expectations
Categorise the other CSIRTs/CERTs to easily conduct coordination and cooperation activities
Build partnerships with other related institutions to safeguard the internet
Diagram: ID-SIRTII (CC) as the National CSIRT, coordinating four groups of CERTs: Sector CERTs, Internal CERTs, Vendor CERTs, and Commercial CERTs
Examples shown in the diagram: Bank CERT, Airport CERT, University CERT, GOV CERT, Military CERT, SOE CERT, SME CERT, Telkom CERT, BI CERT, Police CERT, KPK CERT, Lippo CERT, KPU CERT, Pertamina CERT, Hospital CERT, UGM CERT, Cisco CERT, Microsoft CERT, Oracle CERT, SUN CERT, IBM CERT, SAP CERT, Yahoo CERT, Google CERT, A CERT through H CERT, and other CERTs under each group

Institution Main Tasks
Determining the scope of your institution is important
Map the missions and objectives onto the CSIRT's types of major services
Prepare the resources based on the capabilities required to conduct such a variety of services
Help the constituents to understand the roles and responsibilities of your organisation
Develop procedures and mechanisms to deliver each service to the related stakeholders
INCIDENT HANDLING DOMAIN and ID-SIRTII MAIN TASKS (matrix mapping the seven main tasks onto the three service categories; the matrix's tick marks are not reproduced here)
Main tasks: 1. Monitoring traffic; 2. Managing log files; 3. Educating public; 4. Assisting institutions; 5. Provide training; 6. Running laboratory; 7. Establish collaborations
Reactive Services: Alerts and Warnings; Incident Handling; Vulnerability Handling; Artifact Handling
Proactive Services: Announcements; Technology Watch; Intrusion Detection Services; Security-Related Information Dissemination; Security Audit and Assessment; Configuration and Maintenance of Security Tools, Applications, and Infrastructure
Security Quality Management Services: Awareness Building; Security Consulting; Education/Training; Risk Analysis; BCP and DRP; Product Evaluation

Incident Definitions and Examples
Defining what "incident" means can give a clear picture of the scope and services offered by the institution
Be aware that there are various definitions of "incident", along with a good number of incident examples happening on the internet
Studying the nature and characteristics of every type of incident will help the institution in preparing or developing its strategy for incident response
Analysing incidents is really time consuming, so some tools are required to ease and speed up the effort
Examples shown on the slide: web defacement, information leakage, phishing, intrusion, DoS/DDoS, SMTP relay, virus infection, hoax, malware distribution, botnet, open proxy, root access theft, SQL injection, trojan horse, worms, password cracking, spamming, malicious software, spoofing, blended attack
Definitions quoted on the slide:
"one or more intrusion events that you suspect are involved in a possible violation of your security policies"
"an event that has caused or has the potential to cause damage to an organization's business systems, facilities, or personnel"
"any occurrence or series of occurrences having the same origin that results in the discharge or substantial threat"
"an undesired event that could have resulted in harm to people, damage to property, loss to process, or harm to the environment."

Incident Classifications
Categorising incidents can help stakeholders in understanding the issues and responding to them in an effective manner
Study the trend of internet incidents and comprehend the nature of those activities, for the purpose of knowing the magnitude of their impact and the level of complexity surrounding them
Analyse the incident types occurring in the territory based on their probability of occurring and their impact on the victim(s), as part of risk management activities
Understand deeply the various approaches used by hackers to harm computer and internet systems
Come up with a good number of potential solutions to hinder incidents from occurring within the territory, based on the understanding of their behaviour
Four categories of incident: INTERCEPTION, INTERRUPTION, MODIFICATION, FABRICATION
Examples shown on the slide: phishing, social engineering, blackmail, web defacement, SQL injection, trojan horse, scanning, spyware, spoofing, DDoS, virus, worms

Priorities on Handling Incidents
Analyse the nature of incidents before setting up the response team and approach
Map incident categories from the CSIRT's view onto the constituents' context
Assign a priority level requirement to every constituency-based classification
Deploy incident handling team resources based on the form required to face the case
Procure or develop a KM-based website to take care of "low priority", consumer-oriented enquiries on handling their incidents
TYPE OF INCIDENT AND ITS PRIORITY (matrix: constituency domains in columns, incident types in rows)
Columns: Public Safety and National Defense (Very High Priority) | Economic Welfare (High Priority) | Political Matters (Medium Priority) | Social and Culture Threats (Low Priority)
1. Interception: Many to One | One to Many | Many to Many | Automated Tool (KM-Based Website)
2. Interruption: Many to One | One to Many | Many to Many | Automated Tool (KM-Based Website)
3. Modification: Many to One | One to Many | Many to Many | Automated Tool (KM-Based Website)
4. Fabrication: Many to One | One to Many | Many to Many | Automated Tool (KM-Based Website)
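The matrix above reads as a triage rule: the constituency domain that an incident hits sets its priority, and the priority sets the form of the response (a responder team, or the KM-based website for low-priority enquiries). The following Python is an added example, not ID-SIRTII's code; it assumes a mapping of the slide's incident examples onto the four categories that the slide itself does not spell out, reads each matrix cell as the shape of the responder team assigned, and uses constructed incident reports.

```python
from dataclasses import dataclass, field
from enum import Enum


class IncidentType(Enum):
    """The four categories used on the classification slide."""
    INTERCEPTION = "interception"
    INTERRUPTION = "interruption"
    MODIFICATION = "modification"
    FABRICATION = "fabrication"


# Assumed mapping of the slide's incident examples onto the four categories
# (the slide lists both but does not show which example belongs where).
EXAMPLE_TO_TYPE = {
    "spyware": IncidentType.INTERCEPTION,
    "scanning": IncidentType.INTERCEPTION,
    "ddos": IncidentType.INTERRUPTION,
    "worms": IncidentType.INTERRUPTION,
    "web defacement": IncidentType.MODIFICATION,
    "sql injection": IncidentType.MODIFICATION,
    "phishing": IncidentType.FABRICATION,
    "spoofing": IncidentType.FABRICATION,
}

# Constituency domain -> priority level, as printed on the matrix.
DOMAIN_PRIORITY = {
    "public safety and national defense": 4,  # very high
    "economic welfare": 3,                    # high
    "political matters": 2,                   # medium
    "social and culture threats": 1,          # low
}
PRIORITY_LABEL = {4: "very high", 3: "high", 2: "medium", 1: "low"}

# Priority level -> matrix cell, read (assumption) as the shape of the response.
RESPONSE_FORM = {
    4: "many to one",
    3: "one to many",
    2: "many to many",
    1: "automated tool (KM-based website)",
}


@dataclass
class Incident:
    report_id: str
    example: str                                # e.g. "web defacement"
    domains: set = field(default_factory=set)   # constituency domains hit


def classify(example: str) -> IncidentType:
    """Map a reported incident example onto one of the four types."""
    key = example.strip().lower()
    if key not in EXAMPLE_TO_TYPE:
        raise ValueError(f"unknown incident example: {example!r}")
    return EXAMPLE_TO_TYPE[key]


def triage(inc: Incident) -> dict:
    """Assign priority and response form; an incident touching several
    domains is ranked by the highest-priority domain among them."""
    unknown = {d for d in inc.domains if d not in DOMAIN_PRIORITY}
    if not inc.domains or unknown:
        raise ValueError(f"missing or unknown domain(s): {sorted(unknown)}")
    level = max(DOMAIN_PRIORITY[d] for d in inc.domains)
    return {"report_id": inc.report_id, "type": classify(inc.example).value,
            "priority": PRIORITY_LABEL[level], "form": RESPONSE_FORM[level],
            "needs_team": level > 1, "rank": level}


def triage_queue(incidents) -> list:
    """Order reports for the response team, highest priority first."""
    return sorted((triage(i) for i in incidents),
                  key=lambda t: t["rank"], reverse=True)
```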

Chain of Processes
Managing incidents should be handled through a series of activities
Developing a holistic framework can help the CSIRT in managing its daily processes and activities
Concentrating on conducting core processes more than supporting activities can help the institution in setting up its priorities
Allocating resources should be done based on their competencies and skills
Process diagram labels: Core Process; Supporting Activities; Management Process and Research Vital Statistics
Activities shown: Monitor Internet Traffic; Manage Log Files; Analyse Incidents; Response and Handle Incidents; Deliver Required Log Files; Report on Incident Handling; Establish External and International Collaborations; Run Laboratory for Simulation Practices; Provide Training to Constituency and Stakeholders; Assist Institutions in Managing Security; Educate Public for Security Awareness

Detail of Activity Procedures
Developing detailed procedures for managing all the CSIRT's activities is very important for ensuring the quality of the services delivered
Fulfilling the expectations of constituents can only be done if the institution gives them real value when responding to reported incidents
Considering following international standard(s) on managing the institution (e.g. ISO 27001, ISO 17799, ISO 9001:2000, etc.) can be the approach for conducting quality services
Ensure that all the activities defined cover the main roles and responsibilities of the national CSIRT assigned to the institution
Benchmarking the activities against other similar institutions is worth the effort to make certain that enough coverage and detail are in place
ID-SIRTII ACTIVITIES
1. CORE PROCESS
1.1 LOG FILE MANAGEMENT: 1.1.1 Collect; 1.1.2 Organise; 1.1.3 Store; 1.1.4 Retrieve; 1.1.5 Transfer; 1.1.6 Distribute; 1.1.7 Archive
1.2 INTERNET TRAFFIC MNGT.: 1.2.1 Gather; 1.2.2 Monitor; 1.2.3 Analyse; 1.2.4 Detect; 1.2.5 Inform; 1.2.6 Distribute; 1.2.7 Archive
2. SUPPORTING ACTIVITIES
2.1 TRAINING CONDUCT: 2.1.1 Plan; 2.1.2 Offer; 2.1.3 Register; 2.1.4 Execute; 2.1.5 Evaluate
2.2 RESEARCH AND DEVELOPMENT: 2.2.1 Propose; 2.2.2 Study; 2.2.3 Report; 2.2.4 Plan; 2.2.5 Execute; 2.2.6 Evaluate
2.3 INFO SUPPORT SERVICES: 2.3.1 Require; 2.3.2 Prepare; 2.3.3 Inform; 2.3.4 Execute; 2.3.5 Evaluate; 2.3.6 Learn
2.4 EXTERNAL COLLABORATION: 2.4.1 Explore; 2.4.2 Propose; 2.4.3 Correspond; 2.4.4 Engage; 2.4.5 Plan; 2.4.6 Execute; 2.4.7 Evaluate

People and Structure
Form an organisation structure that can support the management of the core activities of the national-level CSIRT
Ensure that the team consists of people who have a range of competencies w.r.t. managerial and technical aspects
Assess the competency and expertise requirements for every job title, for the purpose of recruiting the right people
Map each person, based on his/her expertise and competencies, to the related job title within the institution
Make certain of the professionalism of the persons recruited to the institution by having them sign a special agreement letter as a binding contract
Develop job descriptions and SOPs for every job title existing within the institution
Organisation chart: Ministry of ICT, Directorate of Telco & Communication; Chairman; Vice Chairman; General Secretary; Inspection Board; Advisory Board; Deputy of Operation and Security; Deputy of Data Center, Applications & Database; Deputy of Research and Development; Deputy of Education and Public Affairs; Deputy of External Collaborations

Holistic Framework
Communicate the roles and responsibilities of the CSIRT institution in a simple way so that other stakeholders understand its main functions
Illustrate all the important components of the institution by using an "easy-to-understand" strategic framework
Position each component of the institution within the framework so that it shows the relationships among them
Introduce "MAYDAY" as the marketing gimmick of the institution (ID-SIRTII) to educate and inform the public at large
Socialise the institution's profile to all constituents by using different media channels that reach as many communities as possible within the large archipelago of Indonesia
Build intensive communication with respected stakeholders and constituents
Framework diagram: SECURE INTERNET INFRASTRUCTURE ENVIRONMENT, built on People, Process and Technology; components: Log File Management System, Traffic Monitoring System, Incident Indication Analysis, Incident Response Management; governed by the Advisory Board and the Executive Board
MAYDAY: MONITOR - ANALYSIS - YELL - DETECT - ALERT - YIELD
Foundations: STAKEHOLDERS COLLABORATION AND SUPPORT; NATIONAL REGULATION AND GOVERNANCE; STRONG INSTITUTIONAL RELATIONSHIPS AND COMMITMENT

Legal Framework
Ensure that regulations exist to back up the CSIRT's activities within the nation
Understand carefully the regulation types and their coverage with regard to the main tasks the institution is operating
Make certain that there is a system of incentives and "punishment" to get all related partners of the institution to follow such a governance model
Working with other countries will in some cases require another legal framework or agreement besides international law; it is important to have some kind of umbrella agreement among the nations that want to work together in combating cyber crime
Learning the law and legal systems of other countries should be done by the institution to get a picture of how to develop an effective way of solving international cases
Undang-Undang (Law) No.36/1999 regarding the National Telecommunication Industry
Peraturan Pemerintah (Government Regulation) No.52/2000 regarding Telecommunication Practices
Peraturan Menteri Kominfo (Ministerial Regulation) No.27/PER/M.KOMINFO/9/2006 regarding Security of IP-Based Telecommunication Network Management
Peraturan Menteri (Ministerial Regulation) No.26/PER/M.KOMINFO/2007 regarding the Indonesian Security Incident Response Team on Internet Infrastructure

Starting Topology
Develop the technology required to operate the CSIRT in stages, which can start from a small technology set-up with several sensors
Build effective collaboration and coordination between the institution and external parties (e.g. internet service providers, network access points, and internet exchanges) to enable the services offered by the CSIRT
Map the capabilities of the installed technology to the services that can be delivered by the institution, to manage the expectations of the public and stakeholders
Collaboration with external parties should be well institutionalised by developing together all the necessary documents (e.g. agreements, policies, SOPs, etc.) to operate all the sensors and other devices placed on their premises
"… start with 9 sensors installed in major ISPs/NAPs/IXs …"

Core Application
Procure the right software and tools to help the CSIRT operation deliver the incident analysis and response process properly
Learning how different software, applications, and tools can help the CSIRT operation gives the managerial and technical staff a better picture when developing the strategy to deliver their services to constituents
Studying the strengths and weaknesses of every tool can bring value to the CSIRT's management in deciding the right tool portfolio to be used within the institution
Benchmarking related applications that are available in the market can also be done by the institution to get a feeling for how each application performs against the features and capabilities claimed for the product
Source: Sourcefire

Software Main Functionalities
Ensure that the main or core tools the institution has can bring value to the constituents and stakeholders
Determining that value can be done by studying and analysing the features and capabilities of the tools
Failing to understand internal capabilities can have negative impacts on the public, owing to their unmatched expectations of the CSIRT's main roles and functions
Source: Sourcefire
Plan on People Development
Plan on Process Development
Plan on Technology Development

Marketing Gimmick
Embrace the public, societies, constituents, and other stakeholders with an effective marketing strategy that may trigger them to promote and support the initiatives
Develop the community spirit to protect cyber security by using language that is easy to understand and reflects the shared mission of the related stakeholders
Understand the philosophy that, at the end of the day, effective internet security depends on every individual's behaviour toward the effort of safeguarding the internet
Working together with a team or partner who are experts in sending the right message to the right people can help the institution build its image with the public
Learn how the "perception is reality" paradigm will reflect the image of the institution in the public's eye
Why does a car have BRAKES??? The car has BRAKES so that it can go FAST … !!!
Why should we have regulation? Why should we establish an institution? Why should we collaborate with others? Why should we agree upon mechanisms? Why should we develop procedures? Why should we have standards? Why should we protect our safety? Why should we manage risks? Why should we form a response team?

Thank You
ID-SIRTII
Menara Sudirman 14th Floor, Jalan Jendral Sudirman Kav.60, Jakarta 12190, Indonesia
Phone: +62 21 383 5893; Fax: +62 21 386 2873; Website: http://www.idsirtii.or.id
Email: [email protected] & [email protected]; Cell: +62 818 925 926 & +62 818 600 081