
Security Incident Handling @Telkomnet

PT. Telekomunikasi Indonesia. Tbk.
Wartono Purwanto (AVP IT Policy & Standard) wartono@telkom.co.id

Bandung, 13 June 2012

Objectives to be Pursued
• Obtain an excellent mechanism/procedure against internet abuse
• How to detect effectively every attempt regarding copyright on the infrastructure
• Share experience to minimize the impact of internet misuse
• Content body policy:
  - Determine the appropriateness of content based on public input
  - Have the legitimacy to lobby the content giants on behalf of the Indonesian internet community

Telkomnet Topology
[Figure: national backbone map with M320 core router sites and the international links to Singapore and Penang. Legend: existing optical; optical in progress. Node labels are not reproduced here.]

General Condition @Telkomnet

• Separated areas:
  - Internal IT infrastructure & services
  - Production infrastructure for commercial services
• Structural human resources
• Available sensors:
  - Coordination with ID-SIRTII & APH (law enforcement)
  - Traffic monitoring tools
  - abuse@telkom.net.id
  - Customer complaints

Security Incident Categories
• Content threats:
  - Spam
  - Copyright
  - Hijacking
  - Pornographic
  - Gambling
  - Malware
• Banking/financial threats:
  - Phishing
  - Carding
• Hacking / attacks:
  - Denial of service attacks
  - DNS attacks
  - Routing attacks

Portion of Internet Abuse & Security Incidents
[Figure: pie chart of incident share by category: Spam, Copyright, Virus, Open Proxy, Scam / Carding, Phishing, Hacking, DoS Attack. The per-category percentages cannot be reliably recovered from the extraction.]

Common Incident Handling
• CSR: DNS Nawala
• Compliance of the Telkomnet production DNS with Trust+Positif
• Anti-spam implementation
• Phishing; hacking; DoS as a zombie:
  1. Complaint via abuse@telkom.net.id
  2. Alert procedure to the customer
  3. Blocking of the suspect customer port
• Requests from law enforcement (Aparat Penegak Hukum, APH):
  1. APH request
  2. Log system check procedure
  3. Report to APH

SPAM Handling in the SPEEDY Network
Blocking outgoing port 25 at the BRAS, except to smtp.telkom.net

Spam Volume: Before & After
[Figure: spam volume chart; the blocking was applied at the end of February]

Position: 10 April 2012

Source: http://www.uceprotect.net/

Denial of Service Attacks
1. Monitoring system
2. Spike traffic indication
3. Analyse spike pattern
4. Escalate to upstream provider; prefix de-advertise
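The four-step DoS flow above, worked through as an added example (not Telkom's own tooling): per-prefix traffic samples are compared against a median baseline, a spike is classified as a one-minute burst or a sustained flood, and the result is mapped onto the actions the slide names. The prefixes and Mbps figures are constructed RFC 5737 documentation values, and the window, factor and persistence thresholds are assumptions.

```python
from statistics import median

# Constructed sample: inbound Mbps per customer prefix at 1-minute intervals
# (RFC 5737 documentation prefixes, not real Telkomnet address space).
SAMPLES = {
    "203.0.113.0/24":  [40, 42, 38, 41, 39, 44, 43, 41, 40, 420, 1100, 1250],
    "198.51.100.0/24": [12, 13, 12, 11, 13, 14, 12, 12, 13, 13, 12, 14],
    "192.0.2.0/24":    [30, 31, 29, 30, 32, 31, 30, 29, 31, 300, 31, 30],
}

def analyse(series, window=8, factor=5.0):
    """Steps 2-3: compare the tail of the series against a median baseline.

    Returns the baseline, the peak, the peak/baseline ratio and how many
    consecutive samples at the end of the series stayed above
    factor * baseline (a sustained flood rather than a one-minute burst).
    """
    baseline = median(series[:window])
    threshold = baseline * factor
    tail = series[window:]
    sustained = 0
    for value in reversed(tail):          # count trailing over-threshold samples
        if value > threshold:
            sustained += 1
        else:
            break
    peak = max(tail) if tail else baseline
    return {
        "baseline": baseline,
        "peak": peak,
        "ratio": round(peak / baseline, 1) if baseline else 0.0,
        "sustained": sustained,
        "burst": any(v > threshold for v in tail),
    }

def recommend(report, min_sustained=2):
    """Step 4: map the observed pattern onto the actions named on the slide."""
    if report["sustained"] >= min_sustained:
        return "escalate to upstream provider; prefix de-advertise if it persists"
    if report["burst"]:
        return "analyse spike pattern"
    return "normal"

def triage(samples=SAMPLES):
    """Run every monitored prefix through the flow; returns {prefix: action}."""
    return {prefix: recommend(analyse(s)) for prefix, s in samples.items()}

if __name__ == "__main__":
    for prefix, action in triage().items():
        print(f"{prefix}: {action}")
```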

Internet Resources Role Map
[Figure: role map linking the internal IP/ASN lifecycle to external parties and tools]

INTERNAL
• Design IP / ASN requirements
• Request IP / ASN
• Debogonize
• Register reverse DNS
• Distribution / allocation of IP (/ASN)
• Assignment
• Maintain RIR database

EXTERNAL
• APNIC / IDNIC
• Network elements: PE, Radius, BRAS, SMTP, DNS, etc.
• IT tools
• Data warehouse
• APH (Aparat Penegak Hukum, law enforcement)
• UCEPROTECT
• Internet misuses
• IRT (Incident Response Team)
• Block list ID-SIRTII

ISO27001:2005 Annex A.10
A.10 Communication and Operations Management
• A.10.1 Operational Procedures and Responsibilities
  - A.10.1.1 documented operating procedures
  - A.10.1.2 change management
  - A.10.1.3 segregation of duties
  - A.10.1.4 separation of development, test and operational facilities
• A.10.2 Third Party Service Delivery Management
  - A.10.2.1 service delivery
  - A.10.2.2 monitoring and review of third party services
  - A.10.2.3 managing changes to third party services
• A.10.3 System Planning and Acceptance
  - A.10.3.1 capacity management
  - A.10.3.2 system acceptance
• A.10.4 Protection Against Malicious and Mobile Code
  - A.10.4.1 control against malicious code
  - A.10.4.2 control against mobile code
• A.10.5 Backup
  - A.10.5.1 information backup
• A.10.6 Network Security Management
  - A.10.6.1 network controls
  - A.10.6.2 security of network services
• A.10.7 Media Handling
  - A.10.7.1 management of removable media
  - A.10.7.2 disposal of media
  - A.10.7.3 information handling procedures
  - A.10.7.4 security of system documentation
• A.10.8 Exchange of Information
  - A.10.8.1 information exchange policies and procedures
  - A.10.8.2 exchange agreements
  - A.10.8.3 physical media in transit
  - A.10.8.4 electronic messaging
  - A.10.8.5 business information systems
• A.10.9 Electronic Commerce Services
  - A.10.9.1 electronic commerce
  - A.10.9.2 online transactions
  - A.10.9.3 publicly available information
• A.10.10 Monitoring
  - A.10.10.1 audit logging
  - A.10.10.2 monitoring system use
  - A.10.10.3 protection of log information
  - A.10.10.4 administrator and operator logs
  - A.10.10.5 fault logging
  - A.10.10.6 clock synchronization

ISO27001:2005 Annex A.13
• A.13 Information Security Incident Management
• A.13.1 Reporting Information Security Events and Weaknesses
  - A.13.1.1 reporting information security events
  - A.13.1.2 reporting security weaknesses
• A.13.2 Management of Information Security Incidents and Improvements
  - A.13.2.1 responsibilities and procedures
  - A.13.2.2 learning from information security incidents
  - A.13.2.3 collection of evidence

Framework ISO20000-1:2011

Framework ITILv3