ERYK BUDI PRATAMA, CEH, OSWP
PROJECT PORTFOLIO
Columns: No. | Project Name | Client | Description / Scope | Time
1. Penetration Testing - Pension Payment
Client: Bank
Time: September 2014
Scope of penetration testing:
(+) Core Banking
(+) Middleware
(+) Pension Payment System

2. IT Audit - General Controls
Client: Telecommunication
Time: September 2014
IT General Control for 3 subsidiaries of Telkom
Platform:
(+) AIX
(+) Oracle10g

3. Bank Wide Security Assessment
Client: Bank
Time: November 2014
Scope of Bank Wide penetration testing:
(+) Wireless Network
(+) Application and Infrastructure
(+) Network device
(+) Server Farm
(+) DMZ server

4. Penetration Testing - Mobile Enterprise Application Platform
Client: Bank
Time: December 2014
Scope of Mobile Enterprise Application Platform penetration testing:
(+) Sybase Unwired Platform (SUP)
(+) SAP Afaria
(+) Middleware (SAP NetWeaver Gateway)

5. Delivery Channel Audit and Penetration Testing
Client: Bank
Time: January 2015
Scope of audit:
SE BI No. 9/30/DPNP (E-Bank)
(+) Security Control (Confidentiality, Integrity, Availability, Accountability, Non-Repudiation)
(+) IT Operations Management (Data Center; Policy and Procedure implementation)
(+) Data Center Review
Scope of penetration testing:
(+) E-Bank Individual & Business (Internet Bank)
(+) Infrastructure: App, DB, Soft & Hard Token, Web/SSL, Middleware
(+) Mobile Bank App (Android)
(+) ATM Switching
(+) ATM & CDM Machine

6. ATM System Audit and Penetration Testing
Client: Bank
Time: February 2015
Scope of audit:
(+) PBI No. 11/11/PBI/2009 (VII. Operational Risk Management)
- Security System
- Audit Trail
- Internal Policy and Procedure
- BCP and DRP
(+) PBI No. 14/2/PBI/2012 (VII. Operational Risk Management)
- IT Security Control
- Policy and Procedure
- BCP and DRP
Scope of penetration testing:
(+) ATM Switching
(+) ATM Machine (Machine: NCR; Application: F-ATMC based on NCR APTRA)
7. Financial Supply Chain Management Audit and Penetration Testing
Client: Bank
Time: February 2015
Scope of audit:
(+) PBI No. 9/15/PBI/2007
(+) DC Review
Scope of penetration testing:
(+) Front-end & Back-end system (DC, Server Farm, DMZ)
(+) Token server
(+) Middleware

8. Penetration Testing - Salesforce System
Client: Bank
Time: March 2015
Scope of penetration testing:
(+) Agent Management System
(+) GIS system
(+) Mobile Device Management (MDM) server
(+) Salesforce Mobile App (Android)

9. Penetration Testing - Electronic Form System
Client: Bank
Time: March 2015
Scope of penetration testing:
(+) Web Admin portal
(+) SAP Mobile Enterprise Application Platform (MEAP)
(+) Web Service
(+) Infrastructure (Application & Database)
(+) Mobile App (Android)

10. Delivery Channel System Audit and Penetration Testing
Client: Bank
Time: April 2015
Scope of audit:
(+) ICT management and governance practices
- Management oversight
- General ICT management (Acquisition and development, Operation, Network, Information security)
(+) Risk management
(+) Incident, problem, and change management
(+) Disaster Recovery Plan (DRP)
Scope of penetration testing:
(+) Internet Bank web application for individual customers (Application, DB, SoftToken, Middleware, SSL, Web Admin)
(+) Mobile Bank application servers (Application, DB, SoftToken, Middleware, SSL, Web Admin)
(+) Mobile Bank app (Android)
(+) ATM Machine
(+) ATM Switching & Controller
(+) Temenos Core Banking
(+) Biller, EDC
(+) Card Management System & ATM Controller System
11. Penetration Testing - Daily Monitoring System
Client: Bank
Time: April 2015
Scope of penetration testing:
(+) Mobile application (Android)
(+) Web application
(+) Infrastructure (app & DB server)

12. Penetration Testing - Bank Wide
Client: Bank
Time: May 2015
Scope of penetration testing:
(+) Infrastructure, Web Portal, and Web Server
(+) System: Core Banking, LBU, Web Application, Biller TELKOM, Biller PLN, PABX, SVS, FCS, DATABASE, EMAIL, PROXY, DNS, SWIFT, ANTIVIRUS, POLGD, FTP + MIS, NMS, Fingerscan, Web Portal
(+) App/Platform: IBM i Navigator, HP System Management, Oracle Glassfish, Mdaemon Mail Server, Ipswitch WhatsUp Professional (Network Monitoring)

13. Cybersecurity Transformation - State-owned Bank (I)
Client: Bank
Time: October 2015
Scope of Cybersecurity Transformation Assessment:
(+) Governance & Organization
(+) Strategy
(+) Policy & Standards
(+) Architecture
(+) Awareness
(+) Operations
(+) Technology Platforms (Network Security, Software Security, Host Security, Data Protection)
(+) Functional Operations (Identity & Access Management, Asset Management, Third Party Management, Business Continuity Management, Privacy)
(+) Cyber Threat Management (Incident Response, Vulnerability Identification & Remediation, Security Monitoring, Threat Intelligence)
(+) Metrics & Reporting
14. IT Security Audit Guideline and Technical Design
Client: Government
Time: October 2015
(+) Develop Information Security Audit Strategy and Technical Guideline
(+) Data Center & Disaster Recovery Center Review

15. Penetration Testing - Cloud Document Sharing
Client: Bank
Time: November 2015
Scope of penetration testing:
(+) Web application
(+) Infrastructure (OS and DB)

16. Penetration Testing - Islamic Bank Internet Banking
Client: Bank
Time: December 2015
Scope of penetration testing:
(+) Web application
(+) Infrastructure (OS and DB)

17. Penetration Testing - Digital Banking
Client: Bank
Time: December 2015
Scope of penetration testing:
(+) Web application
(+) Infrastructure (OS and DB)

18. Payment Gateway System Review
Client: Bank
Time: March 2016
Scope of audit:
(+) PBI No. 9/15/PBI/2007
(+) DC Review

19. Third Party Security Assessment - ATM Switching
Client: Bank (Multinational)
Third Party: ATM Switching
Time: February 2016
Scope of TPSA:
(+) Identify data flow
(+) Identify Test of Design (TOD) and Test of Effectiveness (TOE), which covers:
- Risk Assessment and Treatment
- Organisational Security
- Security Policy
- Asset Management
- Physical and Environmental Security
- Access Control
- Communications and Operations Management
- Information Systems Acquisition, Development & Maintenance
- Compliance
(+) Perform risk assessment based on DFD, TOD, and TOE

20. Cybersecurity Transformation - State-owned Bank (II)
Client: Bank
Time: March 2016
Scope of Cybersecurity Transformation Assessment:
(+) Governance & Organization
(+) Strategy
(+) Policy & Standards
(+) Architecture
(+) Awareness
(+) Operations
(+) Technology Platforms (Network Security, Software Security, Host Security, Data Protection)
(+) Functional Operations (Identity & Access Management, Asset Management, Third Party Management, Business Continuity Management, Privacy)
(+) Cyber Threat Management (Incident Response, Vulnerability Identification & Remediation, Security Monitoring, Threat Intelligence)
(+) Metrics & Reporting
21. Debit Card System Review
Client: Bank
Time: March 2016
Scope of audit:
(+) PBI No. 9/15/PBI/2007
(+) DC Review

22. Digital Banking Audit and Penetration Testing
Client: Bank
Time: April 2016
Scope of audit:
(+) PBI No. 9/15/PBI/2007
(+) DC Review
Scope of penetration testing:
(+) Digital Banking Web Application
(+) Digital Banking Mobile Application

23. Third Party Security Assessment - Cash Collection Service
Client: Bank
Time: May 2016
Scope of TPSA:
(+) Identify data flow
(+) Identify Test of Design (TOD) and Test of Effectiveness (TOE), which covers:
- Risk Assessment and Treatment
- Organisational Security
- Security Policy
- Asset Management
- Physical and Environmental Security
- Access Control
- Communications and Operations Management
- Information Systems Acquisition, Development & Maintenance
- Compliance
(+) Perform risk assessment based on DFD, TOD, and TOE

24. Third Party Security Assessment - Record Management
Client: Bank
Time: May 2016
Scope of TPSA:
(+) Identify data flow
(+) Identify Test of Design (TOD) and Test of Effectiveness (TOE), which covers:
- Risk Assessment and Treatment
- Organisational Security
- Security Policy
- Asset Management
- Physical and Environmental Security
- Access Control
- Communications and Operations Management
- Information Systems Acquisition, Development & Maintenance
- Compliance
(+) Perform risk assessment based on DFD, TOD, and TOE
25. ISO 27001 & 27002 Maturity Assessment (I)
Client: Insurance
Time: June 2016
Scope of ISO 27001 & 27002 maturity assessment:
(+) Identify current state maturity of PDCA in ISO 27001
(+) Identify current state maturity of security controls in ISO 27002
(+) Identify and recommend future state maturity strategy

26. ISO 27001 & 27002 Maturity Assessment (II)
Client: Insurance
Time: July 2016
Scope of ISO 27001 & 27002 maturity assessment:
(+) Identify current state maturity of PDCA in ISO 27001
(+) Identify current state maturity of security controls in ISO 27002
(+) Identify and recommend future state maturity strategy

27. Penetration Testing - Digital Banking (II)
Client: Bank
Time: May 2016
Scope of penetration testing:
(+) Digital Banking Web Application
(+) Digital Banking Mobile Application

28. Penetration Testing - Customer Relationship Management System
Client: Bank
Time: June 2016
Scope of penetration testing:
(+) CRM Web Application
(+) CRM Mobile Application

29. Third Party Security Assessment - Managed Service
Client: Bank
Time: June 2016
Scope of TPSA:
(+) Identify data flow
(+) Identify Test of Design (TOD) and Test of Effectiveness (TOE), which covers:
- Risk Assessment and Treatment
- Organisational Security
- Security Policy
- Asset Management
- Physical and Environmental Security
- Access Control
- Communications and Operations Management
- Information Systems Acquisition, Development & Maintenance
- Compliance
(+) Perform risk assessment based on DFD, TOD, and TOE
30. Penetration Testing - Digital Banking (BlackBox)
Client: Bank
Time: July 2016
Scope of penetration testing:
(+) Web application
(+) Infrastructure
(+) Wireless Network

31. Technology Architecture
Client: Bank
Time: August 2016
(+) Identify and analyze current technology architecture
(+) Develop guiding principle and common practice for DevOps operating model and tools implementation
(+) Develop guiding principle and common practice for IT Security tools (penetration testing, forensics, IT Safe Deposit Box) implementation
(+) Conduct gap and fit-gap analysis
(+) Develop RFI and TOR for DevOps and IT Security implementation
(+) Develop PoC strategy for DevOps and IT Security implementation
(+) Determine standard specification
(+) Develop implementation strategy
(+) Develop implementation risk

32. Cybersecurity Transformation - Port Services
Client: Port
Time: December 2015
Area of Cybersecurity Transformation:
(+) Governance & Organization
(+) Policy & Standards Framework
(+) Network Security
(+) Threat and Vulnerability Management
(+) Security & Monitoring
(+) Identity & Access Management
Scope of Cybersecurity Transformation assessment:
(+) Identify current state
(+) Define future state
(+) Gap analysis
(+) Develop initiatives and implementation roadmap
Scope of penetration testing:
(+) Application: E-Procurement, Car/Container Terminal Operating System, Port and Ship Management System, Operational Information System Management, Oracle EBS, E-Office, Gate Inspection System
(+) Network: Router and Firewall (Cisco & Mikrotik)
Scope of User Access Review:
(+) Gate Inspection System
(+) Operational Information System Management
33. Wireless Security Assessment and Penetration Testing (I)
Client: Bank
Time: November 2016
(+) Identify wireless network vulnerabilities
(+) Exploit vulnerabilities and breach the wireless network system to gather sensitive information
(+) Determine exploitability, impact, and risk based on the vulnerabilities found
(+) Advise remediation actions to improve technical security controls

34. Money Transfer System Review
Client: Fintech
Time: December 2016
Scope of audit:
(+) PBI No. 9/15/PBI/2007
(+) DC Review

35. Firewall Security Assessment (I)
Client: Bank
Time: January 2017
(+) Identify and develop baseline configuration
(+) Implement firewall analysis tools
(+) Perform firewall security configuration analysis
(+) Optimize firewall rules

36. F5 Load Balancer Implementation
Client: Insurance
Time: December 2016
Develop high level and low level (detail) design for the F5 BIG-IP platform, which implements the following modules:
(+) Local Traffic Manager (High Traffic Load Balancer & Monitoring, L7 Intelligent Traffic Management, Protocol Optimization – HTTP, TCP, SPDY, SSL, Caching, Compression, Bandwidth Controller, SYN Flood DDoS, SSL Offload and SSL Inspection)
(+) Global Traffic Manager (Global Server Load Balancing, Active-Active DC, DNS Services, and DNSSEC)
(+) Application Security Manager (Web Application Firewall, L5-L7 App DDoS, Traffic Anomaly Detection, Anti-Web Scraping, Reverse Proxy)
(+) Application Acceleration Manager (Compression, Caching, Minification)
(+) IP Intelligence (IP Blacklisting)

37. IT Audit and IT Governance Maturity Assessment
Client: Bank
Time: February 2017
(+) Perform IT Audit based on PBI No. 9/15/PBI/2007
(+) Perform DC and DRC audit
(+) Perform IT Governance maturity assessment based on COBIT 4.1

38. Intrusion Prevention System (IPS) Implementation
Client: Manufacturing
Time: March 2017
Develop high level and low level (detail) design for the McAfee NSP and NSM platform, which covers:
(+) Existing and proposed topology
(+) Solution implementation
(+) Deployment setting
(+) Physical and logical mapping
(+) IP addressing
(+) Open port requirements

39. Vulnerability Management Solution Implementation
Client: Bank
Time: April 2017
Develop high level and low level (detail) design for the vulnerability management solution below:
(+) Rapid7 Nexpose (network/infrastructure vulnerability scanner)
(+) Rapid7 AppSpider (web application vulnerability scanner)
(+) Skybox Vulnerability Control (vulnerability management)