Eryk BP Project Portfolio


ERYK BUDI PRATAMA, CEH, OSWP

PROJECT PORTFOLIO

Each entry below gives, in the order of the original table columns: No. and Project Name, Client, Description / Scope, and Time.

1. Penetration Testing - Pension Payment
Client: Bank
Time: September 2014
Scope of penetration testing:
(+) Core Banking
(+) Middleware
(+) Pension Payment System

2. IT Audit - General Controls
Client: Telecommunication
Time: September 2014
IT General Control for 3 subsidiaries of Telkom
Platform:
(+) AIX
(+) Oracle 10g

3. Bank Wide Security Assessment
Client: Bank
Time: November 2014
Scope of Bank Wide penetration testing:
(+) Wireless Network
(+) Application and Infrastructure
(+) Network device
(+) Server Farm
(+) DMZ server

4. Penetration Testing - Mobile Enterprise Application Platform
Client: Bank
Time: December 2014
Scope of Mobile Enterprise Application Platform penetration testing:
(+) Sybase Unwired Platform (SUP)
(+) SAP Afaria
(+) Middleware (SAP NetWeaver Gateway)

5. Delivery Channel Audit and Penetration Testing
Client: Bank
Time: January 2015
Scope of audit:
SE BI No. 9/30/DPNP (E-Bank)
(+) Security Control (Confidentiality, Integrity, Availability, Accountability, Non-Repudiation)
(+) IT Operations Management (Data Center; Policy and Procedure implementation)
(+) Data Center Review
Scope of penetration testing:
(+) E-Bank Individual & Business (Internet Banking)
(+) Infrastructure: App, DB, Soft & Hard Token, Web/SSL, Middleware
(+) Mobile Bank App (Android)
(+) ATM Switching
(+) ATM & CDM Machine

6. ATM System Audit and Penetration Testing
Client: Bank
Time: February 2015
Scope of audit:
(+) PBI No. 11/11/PBI/2009 (VII. Operational Risk Management)
    - Security System
    - Audit Trail
    - Internal Policy and Procedure
    - BCP and DRP
(+) PBI No. 14/2/PBI/2012 (VII. Operational Risk Management)
    - IT Security Control
    - Policy and Procedure
    - BCP and DRP
Scope of penetration testing:
(+) ATM Switching
(+) ATM Machine (Machine: NCR; Application: F-ATMC based on NCR APTRA)

7. Financial Supply Chain Management Audit and Penetration Testing
Client: Bank
Time: February 2015
Scope of audit:
(+) PBI No. 9/15/PBI/2007
(+) DC Review
Scope of penetration testing:
(+) Front-end & Back-end system (DC, Server Farm, DMZ)
(+) Token server
(+) Middleware

8. Penetration Testing - Salesforce System
Client: Bank
Time: March 2015
Scope of penetration testing:
(+) Agent Management System
(+) GIS system
(+) Mobile Device Management (MDM) server
(+) Salesforce Mobile App (Android)

9. Penetration Testing - Electronic Form System
Client: Bank
Time: March 2015
Scope of penetration testing:
(+) Web Admin portal
(+) SAP Mobile Enterprise Application Platform (MEAP)
(+) Web Service
(+) Infrastructure (Application & Database)
(+) Mobile App (Android)

10. Delivery Channel System Audit and Penetration Testing
Client: Bank
Time: April 2015
Scope of audit:
(+) ICT management and governance practices
    - Management oversight
    - General ICT management (Acquisition and development, Operation, Network, Information security)
(+) Risk management
(+) Incident, problem, and change management
(+) Disaster Recovery Plan (DRP)
Scope of penetration testing:
(+) Internet Bank web application for individual customers (Application, DB, SoftToken, Middleware, SSL, Web Admin)
(+) Mobile Bank application servers (Application, DB, SoftToken, Middleware, SSL, Web Admin)
(+) Mobile Bank app (Android)
(+) ATM Machine
(+) ATM Switching & Controller
(+) Temenos Core Banking
(+) Biller, EDC
(+) Card Management System & ATM Controller System

11. Penetration Testing - Daily Monitoring System
Client: Bank
Time: April 2015
Scope of penetration testing:
(+) Mobile application (Android)
(+) Web application
(+) Infrastructure (app & DB server)

12. Penetration Testing - Bank Wide
Client: Bank
Time: May 2015
Scope of penetration testing:
(+) Infrastructure, Web Portal, and Web Server
(+) System: Core Banking, LBU, Web Application, Biller TELKOM, Biller PLN, PABX, SVS, FCS, Database, Email, Proxy, DNS, SWIFT, Antivirus, POLGD, FTP + MIS, NMS, Fingerscan, Web Portal
    App/Platform: IBM i Navigator, HP System Management, Oracle GlassFish, MDaemon Mail Server, Ipswitch WhatsUp Professional (Network Monitoring)

13. Cybersecurity Transformation - State-owned Bank (I)
Client: Bank
Time: October 2015
Scope of Cybersecurity Transformation Assessment:
(+) Governance & Organization
(+) Strategy
(+) Policy & Standards
(+) Architecture
(+) Awareness
(+) Operations
(+) Technology Platforms (Network Security, Software Security, Host Security, Data Protection)
(+) Functional Operations (Identity & Access Management, Asset Management, Third Party Management, Business Continuity Management, Privacy)
(+) Cyber Threat Management (Incident Response, Vulnerability Identification & Remediation, Security Monitoring, Threat Intelligence)
(+) Metrics & Reporting

14. IT Security Audit Guideline and Technical Design
Client: Government
Time: October 2015
(+) Develop Information Security Audit Strategy and Technical Guideline
(+) Data Center & Disaster Recovery Center Review

15. Penetration Testing - Cloud Document Sharing
Client: Bank
Time: November 2015
Scope of penetration testing:
(+) Web application
(+) Infrastructure (OS and DB)

16. Penetration Testing - Islamic Bank Internet Banking
Client: Bank
Time: December 2015
Scope of penetration testing:
(+) Web application
(+) Infrastructure (OS and DB)

17. Penetration Testing - Digital Banking
Client: Bank
Time: December 2015
Scope of penetration testing:
(+) Web application
(+) Infrastructure (OS and DB)

18. Payment Gateway System Review
Client: Bank
Time: March 2016
Scope of audit:
(+) PBI No. 9/15/PBI/2007
(+) DC Review

19. Third Party Security Assessment - ATM Switching
Client: Bank (Multinational)
Third Party: ATM Switching
Time: February 2016
Scope of TPSA:
(+) Identify data flow
(+) Identify Test of Design (TOD) and Test of Effectiveness (TOE), which covers:
    - Risk Assessment and Treatment
    - Organisational Security
    - Security Policy
    - Asset Management
    - Physical and Environmental Security
    - Access Control
    - Communications and Operations Management
    - Information Systems Acquisition, Development & Maintenance
    - Compliance
(+) Perform risk assessment based on DFD, TOD, and TOE

20. Cybersecurity Transformation - State-owned Bank (II)
Client: Bank
Time: March 2016
Scope of Cybersecurity Transformation Assessment:
(+) Governance & Organization
(+) Strategy
(+) Policy & Standards
(+) Architecture
(+) Awareness
(+) Operations
(+) Technology Platforms (Network Security, Software Security, Host Security, Data Protection)
(+) Functional Operations (Identity & Access Management, Asset Management, Third Party Management, Business Continuity Management, Privacy)
(+) Cyber Threat Management (Incident Response, Vulnerability Identification & Remediation, Security Monitoring, Threat Intelligence)
(+) Metrics & Reporting

21. Debit Card System Review
Client: Bank
Time: March 2016
Scope of audit:
(+) PBI No. 9/15/PBI/2007
(+) DC Review

22. Digital Banking Audit and Penetration Testing
Client: Bank
Time: April 2016
Scope of audit:
(+) PBI No. 9/15/PBI/2007
(+) DC Review
Scope of penetration testing:
(+) Digital Banking Web Application
(+) Digital Banking Mobile Application

23. Third Party Security Assessment - Cash Collection Service
Client: Bank
Time: May 2016
Scope of TPSA:
(+) Identify data flow
(+) Identify Test of Design (TOD) and Test of Effectiveness (TOE), which covers:
    - Risk Assessment and Treatment
    - Organisational Security
    - Security Policy
    - Asset Management
    - Physical and Environmental Security
    - Access Control
    - Communications and Operations Management
    - Information Systems Acquisition, Development & Maintenance
    - Compliance
(+) Perform risk assessment based on DFD, TOD, and TOE

24. Third Party Security Assessment - Record Management
Client: Bank
Time: May 2016
Scope of TPSA:
(+) Identify data flow
(+) Identify Test of Design (TOD) and Test of Effectiveness (TOE), which covers:
    - Risk Assessment and Treatment
    - Organisational Security
    - Security Policy
    - Asset Management
    - Physical and Environmental Security
    - Access Control
    - Communications and Operations Management
    - Information Systems Acquisition, Development & Maintenance
    - Compliance
(+) Perform risk assessment based on DFD, TOD, and TOE

25. ISO 27001 & 27002 Maturity Assessment (I)
Client: Insurance
Time: June 2016
Scope of ISO 27001 & 27002 maturity assessment:
(+) Identify current state maturity of PDCA in ISO 27001
(+) Identify current state maturity of security controls in ISO 27002
(+) Identify and recommend future state maturity strategy

26. ISO 27001 & 27002 Maturity Assessment (II)
Client: Insurance
Time: July 2016
Scope of ISO 27001 & 27002 maturity assessment:
(+) Identify current state maturity of PDCA in ISO 27001
(+) Identify current state maturity of security controls in ISO 27002
(+) Identify and recommend future state maturity strategy

27. Penetration Testing - Digital Banking (II)
Client: Bank
Time: May 2016
Scope of penetration testing:
(+) Digital Banking Web Application
(+) Digital Banking Mobile Application

28. Penetration Testing - Customer Relationship Management System
Client: Bank
Time: June 2016
Scope of penetration testing:
(+) CRM Web Application
(+) CRM Mobile Application

29. Third Party Security Assessment - Managed Service
Client: Bank
Time: June 2016
Scope of TPSA:
(+) Identify data flow
(+) Identify Test of Design (TOD) and Test of Effectiveness (TOE), which covers:
    - Risk Assessment and Treatment
    - Organisational Security
    - Security Policy
    - Asset Management
    - Physical and Environmental Security
    - Access Control
    - Communications and Operations Management
    - Information Systems Acquisition, Development & Maintenance
    - Compliance
(+) Perform risk assessment based on DFD, TOD, and TOE

30. Penetration Testing - Digital Banking (BlackBox)
Client: Bank
Time: July 2016
Scope of penetration testing:
(+) Web application
(+) Infrastructure
(+) Wireless Network

31. Technology Architecture
Client: Bank
Time: August 2016
(+) Identify and analyze current technology architecture
(+) Develop guiding principles and common practice for DevOps operating model and tools implementation
(+) Develop guiding principles and common practice for IT Security tools (penetration testing, forensics, IT Safe Deposit Box) implementation
(+) Conduct gap and fit-gap analysis
(+) Develop RFI and TOR for DevOps and IT Security implementation
(+) Develop PoC strategy for DevOps and IT Security implementation
(+) Determine standard specification
(+) Develop implementation strategy
(+) Develop implementation risk

32. Cybersecurity Transformation - Port Services
Client: Port
Time: December 2015
Area of Cybersecurity Transformation:
(+) Governance & Organization
(+) Policy & Standards Framework
(+) Network Security
(+) Threat and Vulnerability Management
(+) Security & Monitoring
(+) Identity & Access Management
Scope of Cybersecurity Transformation assessment:
(+) Identify current state
(+) Define future state
(+) Gap analysis
(+) Develop initiatives and implementation roadmap
Scope of penetration testing:
(+) Application: E-Procurement, Car/Container Terminal Operating System, Port and Ship Management System, Operational Information System Management, Oracle EBS, E-Office, Gate Inspection System
(+) Network: Router and Firewall (Cisco & Mikrotik)
Scope of User Access Review:
(+) Gate Inspection System
(+) Operational Information System Management

33. Wireless Security Assessment and Penetration Testing (I)
Client: Bank
Time: November 2016
(+) Identify wireless network vulnerabilities
(+) Exploit vulnerabilities and breach the wireless network to gather sensitive information
(+) Determine exploitability, impact, and risk based on the identified vulnerabilities
(+) Advise remediation actions to improve technical security controls

34. Money Transfer System Review
Client: Fintech
Time: December 2016
Scope of audit:
(+) PBI No. 9/15/PBI/2007
(+) DC Review

35. Firewall Security Assessment (I)
Client: Bank
Time: January 2017
(+) Identify and develop baseline configuration
(+) Implement firewall analysis tools
(+) Perform firewall security configuration analysis
(+) Optimize firewall rules

36. F5 Load Balancer Implementation
Client: Insurance
Time: December 2016
Develop high level and low level (detailed) design for the F5 BIG-IP platform implementing the following modules:
(+) Local Traffic Manager (High Traffic Load Balancer & Monitoring, L7 Intelligent Traffic Management, Protocol Optimization – HTTP, TCP, SPDY, SSL, Caching, Compression, Bandwidth Controller, SYN Flood DDoS, SSL Offload and SSL Inspection)
(+) Global Traffic Manager (Global Server Load Balancing, Active-Active DC, DNS Services, and DNSSEC)
(+) Application Security Manager (Web Application Firewall, L5-L7 App DDoS, Traffic Anomaly Detection, Anti-Web Scraping, Reverse Proxy)
(+) Application Acceleration Manager (Compression, Caching, Minification)
(+) IP Intelligence (IP Blacklisting)

37. IT Audit and IT Governance Maturity Assessment
Client: Bank
Time: February 2017
(+) Perform IT Audit based on PBI No. 9/15/PBI/2007
(+) Perform DC and DRC audit
(+) Perform IT Governance maturity assessment based on COBIT 4.1

38. Intrusion Prevention System (IPS) Implementation
Client: Manufacturing
Time: March 2017
Develop high level and low level (detailed) design for the McAfee NSP and NSM platform, covering:
(+) Existing and proposed topology
(+) Solution implementation
(+) Deployment settings
(+) Physical and logical mapping
(+) IP addressing
(+) Open port requirements

39. Vulnerability Management Solution Implementation
Client: Bank
Time: April 2017
Develop high level and low level (detailed) design for the vulnerability management solution below:
(+) Rapid7 Nexpose (network/infrastructure vulnerability scanner)
(+) Rapid7 AppSpider (web application vulnerability scanner)
(+) Skybox Vulnerability Control (vulnerability management)