Major Assignment 1, Group 9, SIM (Management Information Systems)
Proposal: Cyber Security Assessment Roadmap and Penetration Testing (Madhava Technology).pptx
1. 0877 7291 8863 info@madhava.id
Service Proposal
Penetration Testing &
Development of a Cyber Security
Maturity Assessment Blueprint
and Roadmap Plan
2. 01 Company Profile & Expertise (company profile of PT Madhava Dwikarya Teknologi)
02 Our Services (company services)
03 Cyber Security Assessment & Roadmap Plan (development of blueprint, architecture and roadmap)
04 Penetration Testing (tools and methodology used in the pentest project)
05 IT Audit (IT General Control, Application Control, Network Control)
3. Madhava Technology is a company operating in the field of management systems and information technology, providing solutions for the management of management systems and information technology.
Madhava was founded by young professionals with more than 10 years of experience in their fields. Our personnel are experts in various ISO-based management system disciplines and hold competency certifications. We work with several certification bodies to speed up the company certification process.
Why Choose Us?
• Professional Team
• Customer Satisfaction
• Full Support
7. • ISO 27001:2022 : Information Security Management System
• ISO 20000-1:2018 : IT Service Management System
• ISO 27701:2019 : Privacy Information Management System
• ISO 27018:2019 : Protection of PII in Public Clouds
• ISO 27017:2015 : Cloud Security
• ISO 22301:2012 : Business Continuity Management
• IT Governance
• IT Strategic Plan
• IT Master Plan
• IT Audit
8. • Penetration Testing
• Vulnerability Assessment
• Digital Forensic & Incident Response
• Threat Hunting & Compromise Assessment
• Security Awareness
• Cyber Drill Test
• Security Training
• Purple Teaming
• System Hardening
9. • Website Application Development
• Risk Management System
• Compliance Management System
• Document Management System
• Project Management System
• Human Resource Management System
• Mobile Application Development
10. Our Expertise
Lead Auditor ISO 27001:2013
Lead Auditor ISO 27001:2022
Lead Implementor ISO 27001:2022
Information Security Certified from BNSP
Implementor ISMS from BSSN
Auditor ISMS from BSSN
Certified Information System Auditor
Certified Ethical Hacker
Licensed Penetration Test Master
Certified Secure Computer User
COBIT 2019
Qualified Risk Governance Professional
AWS Security
PCI DSS Fundamental
Scrum Master Professional Certification
Cyber Security Foundation Professional Certification
Certified Exploit Developer
Certified Red Team Operator
Computer Hacking Forensic Investigator
13. Why Does Cyber Security Matter?
Which causes of business interruption does your company fear most?
52%: cyber risk is the cause of business interruption that businesses fear most. (Source: Allianz Risk Barometer 2022)
Which cyber exposures concern companies most? (Figures do not add up to 100% as up to three risks could be selected.)
• Ransomware attacks: 57%
• Data breaches: 57%
• IT vulnerability due to growth in remote working: 34%
• Disruption from failure of digital supply chain, cloud technology service platforms: 33%
A ransomware attack and data breaches are the most concerning cyber exposures for companies.
(Figure: "Cyber Risk" graphic showing the controls DLP, SIEM, MFA, Intune, Firewall and PAM.)
The average cost of a data breach increased 2.6%, from USD 4.24 million in 2021 to USD 4.35 million in 2022; it has climbed 12.7% from USD 3.86 million in the 2020 report. (Source: IBM Cost of a Data Breach Report 2022)
19. Cyber Security Transformation Roadmap
Cybersecurity Transformation Roadmap 2022-2025, target: Cyber Resilience in 2025 (Gold Standard). Initiatives are grouped by the NIST Cybersecurity Framework functions Identify, Protect, Detect and Respond/Recover.
Status legend: Done | In-Progress / On track | Not Started / New Initiative | Delayed
Timeline: 2022, 2023, 2024, 2025+, with milestones of 50% meet goal, 70% meet goal and 95% meet goal.
Initiatives (in roadmap order):
• NIST Cybersecurity Framework
• Penetration Testing Program
• TPSA Policy
• Vulnerability Management Policy
• Establish Data Classification
• Establish Asset Inventory
• List Authorized Software
• Procure DLP Solution
• USB Access Restrictions
• MDM Implementation
• Log Management Policy
• Tanium Piloting Phase
• Reduce Antivirus Threat Detections
• Update Asset Inventory (1x a year)
• Create Account Inventory
• Security Awareness Program (4x a year)
• Annual Vulnerability Assessment
• Regular Pentest & Secure Code Test
• DLP Implementation
• Revamp Network Segmentation
• Oracle TDE
• OS Patching
• SIEM & SOC Implementation
• Tanium Full Implementation & Monitoring
• Create CSIRT Policy
• Create Table Top Scenario
• Security Incident Simulation
• Establish DPO Function
• ITSM Phase 1 (2024) & Phase 2 (2025)
• Update and Maintain Asset Inventory
• Review Rules in SOC
• Conduct Regular VA & Pentest
• COBIT Assessment (2025)
• MFA Implementation Phase 1 & Phase 2 (2025)
• Identity Access Management (IDM)
• Antivirus Replacement
• Zscaler Internet Access Protection
• Tune Security Event Alerting Threshold
• User Access Recertification
• Establish DevSecOps Process (2025)
• Regular Security Incident Simulation
• Update CSIRT Policy
20. Cyber Security Roadmap Timeline
Swimlane chart running Aug 2023 through Jun 2024, then Q3 and Q4 2024, then 2025, with a "Today" marker. Owners: Data Team, Security Team, App Team, Infra Team. "$" marks items that require budget. (The exact month placement of each item is not recoverable from the extracted text; the lanes below are grouped by topic.)
Account Management: Maintain Account Inventory; Disable Dormant Accounts; Implement MFA (MS 365 E3); Strengthen Admin Authentication; Implement PAM ($)
Malware Protection: Minimize Malware Detections; Increase Malware Scan Frequency; Anti-Malware Updates; Malware Response Procedure; EMM & Antivirus on BYOD (MS 365 E3) ($)
Log Management: Aggregate & Protect Logs ($); SOC & SIEM Solution ($); Login Behaviour ($)
Incident Response: Incident Management Process
Data Protection: Information Labelling & Classification; Data Protection Policy; Upgrade MS 365 Version; DLP Implementation ($)
21. Future Cyber Security Architecture (2022-2025 Zero Trust Cyber Security Architecture)
Legend: Currently Implemented | In-Progress | Not Yet Implemented | * Partially
Information Security Office functions: Asset Management, Disaster Recovery Plan, Vulnerability Management, Security Governance, Penetration Testing, Risk Assessment/Compliance, Incident Response, Network Security, Patch Management, Malware Protection, SIEM & SOC, Configuration Management
Clients (On-Premises & Mobile), Managed Clients: Panda Endpoint Protection, DLP *, BitLocker, VPN Client, EDR (Tanium), Browser Isolation, MDM, MFA *
Cross-cutting services: Privileged Access Management; Identity Access Management / IAM Governance; Log Collection / Monitoring; Tanium / Panda Asset Management; Qualys Vulnerability
Hybrid Infrastructure segments: On-Premises, On-Premises Disaster Recovery Center, Public Cloud, Software as a Service (SaaS)
Control stacks per segment (figure; stacks listed in extraction order, so column assignment beyond the first two is not certain):
• Extranet / DMZ: Firewall, Web Filtering, DLP *, SSL, Antimalware
• Intranet: EP, DLP *, EDR, FIM, DB Encryption
• Firewall, EP, DLP *, FIM, Antimalware
• EP, DLP *, EDR, FIM, DB Encryption, Firewall
• EP, CASB, MFA, Cloud DLP, EE, Firewall
• EP, CASB, MFA *, MS Defender, SSO
23. Pentest Scope
Scope & Fulfilment Plan
No | Fulfilment Activity | Deliverables
1 | Conduct a functional check of the application, or an interview, before performing the pentest | Penetration Test & Security Assessment activity report (Draft & Final Report)
2 | Perform the pentest against the agreed applications |
3 | Provide regular updates to the company team whenever a vulnerability is found in an application |
4 | Provide remediation guidance to the company team for every finding |
5 | Provide a warranty (retest) if vulnerabilities are found after fixes have been applied |
Objectives
1. Ensure every application has gone through a penetration test before it runs on a production server.
2. Reduce the vulnerabilities present in the company's applications.
3. Provide a detailed vulnerability analysis so the resilience of the application can be assessed accurately.
4. Provide remediation guidance for the vulnerabilities found.
24. Test Methodology (Penetration Test)
We use the OWASP (Open Worldwide Application Security Project) testing framework as the basis for testing, with Black Box, Grey Box and White Box as the test methods.
No | Phase | Description
1 | Engagement | Scope validation and methodology discussion
2 | Information Gathering | Object or target identification
3 | Footprinting & Scanning | Scanning the target to obtain specific information about hosts, services, ports, firewall rules, policies, etc.
4 | Vulnerability Assessment | Explore the target for vulnerabilities, misconfigurations, missing security patches, etc.
5 | Exploitation | Verify and exploit the vulnerability to gain higher access into the system.
6 | Retest & Reporting | Risk analysis, recommendations to remediate the findings, and retest activities.
Black Box: requires the IP address or URL of each object under test. Can be performed over the internet (public IP) or over the intranet.
Grey Box: requires the IP address or URL of each object and, in addition, at least 2 user credentials for every object under test: 1 credential with the highest access rights and 1 credential with the lowest access rights, so that what the low-privilege user can reach can be compared against what the high-privilege user can reach (vertical and horizontal access-control checks).
White Box: a more detailed level of testing than Black Box and Grey Box. The tester is given full internal knowledge of the system under test (typically source code, configuration and architecture documentation), which reaches weaknesses that cannot be observed from outside.
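The reason the Grey Box method asks for two credentials is the comparison they make possible: every request that succeeds for the highest-privilege user is replayed with the lowest-privilege user, and any request that still succeeds where it should not is a vertical (role bypass) or horizontal (another user's object) access-control finding. The harness below is an added example written for this page, not code from the proposal or from any tool it names; the in-memory `target_app`, its tokens, paths and users are all constructed stand-ins for an application under test, with two deliberate authorization bugs so the harness has something to find.

```python
"""Grey-box authorization diff: replay what the highest-privilege credential can
reach with the lowest-privilege credential and report anything that still
succeeds. Added example, not part of the proposal; the target below is a
constructed in-memory stand-in for an application under test."""
from dataclasses import dataclass

# Constructed target. Two deliberate authorization bugs are marked below so
# the harness has something to find. Tokens, paths and users are made up.
RECORDS = {1: {"owner": "alice", "data": "alice-invoice"},
           2: {"owner": "bob", "data": "bob-invoice"}}
SESSIONS = {"admin-token": {"user": "root", "role": "admin"},
            "alice-token": {"user": "alice", "role": "user"}}


def target_app(method, path, token):
    """Minimal router standing in for the system under test; returns (status, body)."""
    session = SESSIONS.get(token)
    if session is None:
        return 401, "unauthenticated"
    parts = path.strip("/").split("/")
    if len(parts) != 2 or method != "GET":
        return 404, "not found"
    if parts == ["admin", "users"]:
        if session["role"] != "admin":
            return 403, "forbidden"           # correct vertical check
        return 200, ",".join(s["user"] for s in SESSIONS.values())
    if parts == ["admin", "export"]:
        return 200, "full-export"             # BUG: no role check on this admin route
    if parts[0] == "records" and parts[1].isdigit():
        rec = RECORDS.get(int(parts[1]))
        if rec is None:
            return 404, "not found"
        return 200, rec["data"]               # BUG: owner never compared with session user
    return 404, "not found"


# Request matrix built from grey-box knowledge: which requests the LOW credential
# should legitimately be allowed to make. Anything else it reaches is a finding.
REQUEST_MATRIX = [
    ("GET", "/admin/users", False),
    ("GET", "/admin/export", False),
    ("GET", "/records/1", True),    # alice's own record
    ("GET", "/records/2", False),   # bob's record
]


@dataclass(frozen=True)
class Finding:
    method: str
    path: str
    kind: str          # "vertical" (role bypass) or "horizontal" (other user's object)
    low_status: int


def authz_diff(app, high_token, low_token, matrix):
    """Return findings where the low-privilege credential obtains the same
    successful response as the high-privilege one on a request it should be
    denied. A request the high credential cannot reach is skipped, so a broken
    endpoint is never mistaken for an enforced control."""
    findings = []
    for method, path, low_allowed in matrix:
        if low_allowed:
            continue
        high_status, high_body = app(method, path, high_token)
        if high_status != 200:
            continue
        low_status, low_body = app(method, path, low_token)
        if low_status == 200 and low_body == high_body:
            kind = "vertical" if path.startswith("/admin/") else "horizontal"
            findings.append(Finding(method, path, kind, low_status))
    return findings


def run_example():
    return authz_diff(target_app, "admin-token", "alice-token", REQUEST_MATRIX)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.kind:10} {f.method} {f.path} -> {f.low_status}")
```

Against a real target the `target_app` callable is replaced by an HTTP client that sends the request with each session's cookie or bearer token, and the matrix is built from the crawl performed with the high-privilege credential; the comparison of status and body is what distinguishes an enforced control (403 or a different, filtered response) from a bypass.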
25. Tools Used – OWASP ZAP [1]
OWASP ZAP (Zed Attack Proxy) is a security scanner for web applications that helps find vulnerabilities such as SQL injection, XSS (cross-site scripting), broken authentication and others. It identifies and demonstrates issues; it is a scanner and intercepting proxy, not an exploitation framework.
ZAP Core Features
1. Intercept Proxy: lets the user intercept and modify the requests and responses made by their browser before they are forwarded.
2. Active and Passive Scan: the passive scanner inspects every request and response that passes through the proxy without sending any extra traffic; the active scanner sends crafted requests to the web application to probe for vulnerabilities. Both work at the web application layer, not as a network scan.
3. ZAP Fuzzer: sends custom payloads to the application under test. ZAP itself runs in one of 4 modes (safe, protected, standard and attack) that limit which actions, including active scanning and fuzzing, may be taken against which targets.
4. Access Control testing: checks whether the application's access-control rules are actually enforced, by replaying requests under different users and comparing the responses (it does not restrict access to resources on the server).
5. Port Scan: scans the target's ports to identify open ports that warrant further investigation.
6. Scan Policy Control: lets the user create reusable scan policies tailored to their needs.
7. Extensive API: allows automation of parts of application testing and integration with other tools.
26. Tools Used – Burp Suite Professional Edition [2]
Burp Suite is a tool for security testing of web applications. It comes in 2 (two) editions: Community Edition (free, with limited features) and Professional Edition (licensed).
• Proxy: lets the user inspect HTTP requests and responses, modify them in flight, and look for security weaknesses.
• Scanner: finds security vulnerabilities in web applications such as SQL injection, XSS and others.
• Intruder: automates customised attacks such as brute-force and fuzzing against web apps, so it can test password strength, probe input handling for vulnerabilities and perform other attacks.
• Repeater: re-sends HTTP requests to the server so the user can manually modify a request and test a specific vulnerability.
• Decoder: transforms encoded data (URL, Base64, hex and similar encodings; it does not decrypt encrypted data) into readable form and back, so the data can be inspected for security weaknesses.
27. Tools Used – Kali Linux (Wireshark & Nmap) [3]
Kali Linux is a Debian-based Linux distribution that ships with a number of pre-installed tools such as Wireshark, Nmap and others for information security activities such as penetration testing and ethical hacking.
Wireshark:
• Captures network traffic live and analyses saved captures offline
• Multi-platform
• In-depth analysis of protocols
• Supports decryption of protocols where the keys are available
• Reads and writes capture files in many formats
Nmap:
• Host discovery
• Scan techniques
• Port specification & scan order
• Service or version detection
• Script scan
• OS detection
• Evasion and spoofing
• Target specification
29. IT AUDIT SERVICES
An IT audit is the examination and evaluation of an organisation's information technology infrastructure, policies and operations. It can be regarded as the process of collecting and evaluating evidence to determine whether computer systems safeguard assets, maintain data integrity, allow organisational goals to be achieved effectively, and use resources efficiently.
Audit Phases: Planning; Definition of Audit Objective & Scope; Evidence Collection and Evaluation; Documentation & Reporting
IT Audit Standards & Frameworks referred to:
1. SE OJK No.21/3/2017 - MRTI
2. COBIT 2019
3. ISO 27001
4. ISO 20000
5. ISO 38500
6. NIST
7. Indeks KAMI BSSN
30. DETAIL AUDIT PHASE
Planning
• Preliminary assessment & information gathering
• Understanding the organization
Audit Objectives & Scope
• Risk assessment
• Determine the scope of the risk assessment
Evidence Collection
• Types of audit evidence (observation, documentary, interview, analysis)
Documentation & Reporting
• Structure the report (audit findings, recommendations, audit rating)
• Exit meeting
Rating Scale
31. AUDIT METHODOLOGY
IT GENERAL CONTROL
•IT Operation Control (Capacity Planning, Performance Monitoring, Job Scheduling, Backup, Helpdesk &
Problem Management, Maintenance, Network Monitoring)
•Physical Control (Access & Environment, BCP, DRP)
•Logical Access Control (User Access, Log User Activity, Information Classification)
•Program Change Control
•Policy and Standard Control
APPLICATION CONTROL
•Input Control
•Processing Control
•Output Control
NETWORK & INTERNET CONTROL
•Network Segmentation
•Network Security Policy
•Data Transport Security
•Firewall
•Internet Password Policy
Rating Scale
32. RSNB No.18 Grand Galaxy City, RT.001/RW.002, Jaka Setia, Bekasi Selatan, Bekasi, Jawa Barat 17147
Fandi
fandi.permana@madhava.id
+62 877 7291 8863