The document discusses the IT infrastructure and security measures implemented for the Asian Games 2018, detailing aspects such as the network systems, data flow, and security protocols. Key components include various hardware and software systems integrated into command centers and game management, with a focus on layered security strategies, cyber drills, and compliance testing. The overall aim is to ensure a secure and efficient technological environment for managing the events.

1. Protecting National Critical Infrastructure
Case Study: Asiangames 2018
Yusuf Hadiwinata Sutandar
OWASP Jakarta Night Q4 2018

2. From IT Perspective.. Asiangames 2018 is..about
100+ Router
100+ L3 Switch
500+ L2 Switch
300+ UPS
300+ Rack
4200+ Laptop
2000+ HT
250+ Virtual Machine
500+ CCTV
+/- 11 Km UTP Cable
1000+ Printer
200+ QR Code Scanner
300+ LED TV
152+ All-In-One PC INFO
50+ Server
500+ FIrewall
>100 NAC >100 Database Instance
128 Venue Jkt & Palembang
>100 NAC
And more...

3. AsianGames 2018 – IIKN - PPKGBK
ILAB - Integration LAB
- Facilities for Testing, Debugging,
Improving GMS Environment
ITCC = IT Command Center
Infrastruktur Informasi
Kritikal Nasional (IIKN)

4. AsianGames 2018 – IIKN - WSG
COC (Command &
Operation Center)
- Top Level Decision
Making
MOC (Main Operation
Center)
- Monitoring of Activities
Ag2018
Infrastruktur Informasi
Kritikal Nasional (IIKN)

5. AsianGames 2018 – IIKN - INASGOC Office FX
Infrastruktur Informasi
Kritikal Nasional (IIKN)

6. Very High...High..high level
Game Management System
Infrastructure
Infrastruktur Informasi
Kritikal Nasional (IIKN)

7. AsianGames 2018 – Website asiangames2018.id
Technology and Data Flow

8. AsianGames 2018 - Game Management System
Cloud Data Center Architecture

9. Games Management System

10. Asiangames 2018 – IT Information Security
3 Layer Foundation Infomation Security:
– Layer 1 : Planning, Development and Operation
– Layer 2 : Risk Management
– Layer 3 : Internal Audit

11. Asiangames 2018 – IT Information Security Implementation
• Thread Modeling – Security as a Quality Attribute
• Project Configuration Review – Security Perspective
• Security Focused Code Review
• Security Testing
– Static Application Security Testing (SAST)
– Dynamic Application Security Testing (DAST)
– More Security Testing – Pentesting, Fuzz Testing
• Security Review Acceptance Test
• Security Perimeter – DDos Protection, WAF, Firewall, ETC
• Security Operation Center
• Cyber Drill / Security Drill

12. Asiangames 2018 – Security
(1) Thread Modeling
(2) Project Configuration Review

13. Row 1 Row 2 Row 3 Row 4
0
2
4
6
8
10
12
Column 1
Column 2
Column 3
Visibility to Software Architecture

14. Ex: myinfo.asiangames2018.id
Visibility for Data Input Flow

15. Software & Technology
Visibility for Software & Technology

16. Visibility for Application Logic & Business Process

17. Asiangames 2018 – Security
(3) Security Focus Code Review

18. Asiangames 2018 – Security Code Review
- Code Bugs
- Code Smell
- Vulnerability Code
- Code Compliance

19. Asiangames 2018 – Security Code Review & Compliane
• Integration with
developer IDEs
• Integration with
transfer control
system
• Integration with
Build System

20. Asiangames 2018 – Security Code Review & Compliane
• Integration with
developer IDEs -->
• Integration with
transfer control
system
• Integration with
Build System

21. Asiangames 2018 – Security Code Review & Compliane
• Integration with
developer IDEs
• Integration with
transfer control
system -->
• Integration with
Build System

22. Asiangames 2018 – Security Code Review & Compliane
• Integration with
developer IDEs
• Integration with
transfer control
system
• Integration with
Build System -->

23. Asiangames 2018 – Security

24. Asiangames 2018 – Security
(4) Security Testing ,Hardening,
Compliance
(5) Security Review Acceptance Test

25. OS Compliance & Hardening

26. OS Compliance & Hardening

27. Application Security Compliance

28. Stress Testing & Capacity
Planning

29. Manual Penetration Testing

30. Asiangames 2018 – Security
(5) Security Perimeter &
Monitoring

31. AsianGames 2018 – Website asiangames2018.id Perimeter
Ddos + WAF Akamai
- Kona Site Defender
- Web Application Protector
- Bot Manager
- Kona Ddos Protector
- Client Reputation
- Site Shield
Azure Application Gateway
- OWASP ModSecurity Core Rule
Azure Security
Center

32. AsianGames 2018
Game Management System
External Service / Public
Accessible, Like:
Ex: myinfo.asiangames2018.id
← DDos + WAF
← WAF
← WAF
Asiangames 2018 – GMS Perimeter
OWASP ModSecurity Core Rule
Comodo RuleSet
Secret RuleSec

33. DDos Protection by CloudFlare

34. Web Application Firewall
w/ OWASP Top 10 RuleSet

35. Service Avability Monitoring

36. Monitor and Analyze Application
Performance at all stages

38. Asiangames 2018 – Security
(6) Security Operation Center

39. Asiangames 2018 – SOC
• Collecting Log and Information
• Parsing & Normalize
• Alerting & Notification
• Monitor
• Incident Detection

41. Asiangames 2018 – Security
(6) Cyber Drill

42. Asiangames 2018 – Cyber Drill
• Cyber Drill Purpose
– Testing and Review Standard Operational Procedure for Incident Handling
– Strengthen the Readiness to Respond Cyber Attacks
– Cyber Attack Simulation, Identifying Attacks, & Responding Attacks
• Parties Include
– INASGOC ITTD
– BSSN
– BNPT
– Pusat Intelijen TNI Angkatan Darat (Pusintelad)
– Satuan Siber Tentara Nasional Indonesia (Satsiber TNI)
– Infrastructure & Software Vendor
– And more..

43. Asiangames 2018 – Cyber Drill

44. Asiangames 2018 – Cyber Drill
• Example Scenarios to be ready to respond in the event of a cyber security
incident:
– Phishing Emails to Inasgoc Employee
– Malicious Attachments Inasgoc Employee
– Password and Other Suspicious Requests from Vendor or Partner
– Unauthorized Computers and Devices on Network
– DDos and Defacing Website
– Arp Spoofing from Venue

47. Asiangames 2018 – Security
Question??

48. https://id.linkedin.com/in/yusufhadiwinata
https://www.meetup.com/meetup-group-XxqLdaeY/
http://www.owasp.or.id
http://jakarta.owasp.org
https://www.owasp.org/index.php/Indonesia
Thank you
Keep Contact: 0856 920 910 09