Seminar Nasional Network Security di Gorontalo

Fakultas Ilmu Komputer Universitas Ichsan Gorontalo Kembali mengadakan Seminar Nasional dengan Tema :” Learn & Protect Your Network Security”. Seminar Nasional Merupakan Agenda tahunan yang rutin dI adakan Oleh Fakultas ilmu Komputer Tiap tahunnya, adapun seminar kali ini akan dilakssanakan pada Tanggal 29 Oktober 2016 di Gedung Grand Palace Convention Center dan yang menjadi pembicara adalah bapak Josua M. Sinambela yang merupakan pakar IT Nasional di bidang Network Security.

Registrasi/Biaya Pendaftaran adalah:

mahasiswa/siswa : Rp.70.000
Umum : Rp.100.000

Untuk Registrasi dan Pendaftaran Silahkan Hubungi Ibu. Kartika Candra Pelangi.M.Kom/082136054667[Ruang Dosen Fakultas Ilmu Komputer],

Seminar-UNISAN

Seminar Keamanan Informasi “Lock ‘n Lock” STMI Jakarta

Politeknik STMI Jakarta akan menyelenggarakan seminar di Jakarta pada tanggal 30 April 2016. Bertempat di Aula Lt. 7 Gedung A Politeknik STMI Jakarta, yang bertajuk “Keamanan Sistem Informasi“. dan ada kompetisi poster yang bertemakan “Save Our System“. Acara ini akan diisi oleh pembicara terkemuka seperti:

  • Josua M Sinambela, S.T, M.Eng – Pakar System & Networking Security and CyberSecurity Lecturer
  • Muhammad Nur Arifin, Indonesian Backtrack Team

Fasilitas yang disediakan untuk peserta seminar antara lain Modul, Goodie Bag, Lunch, Snack, Sertifikat. Untuk info lebih lengkap silahkan hubungi:

Salim Balqis -085776044101
Sofyan Sauri – 081536647873

seminar-security-stmi

Sumber:  http://stmi.ac.id/berita/tentang/berita_ukm/1/gelar-seminar-dan-kompetis

FGD Antisipasi Kejahatan Dunia Maya (Cyber Crime) oleh LEMHANAS RI

Direktur RootBrain, Josua Sinambela menjadi salah satu Narasumber pada Focus Group Discussion (FGD) yang dilaksanakan oleh LEMHANAS RI bekerja sama dengan Pemerintah Provinsi D.I.Y di Gedung Pracimosono, Kepatihan, Yogyakarta pada Rabu, 25 Juni 2014. Tema dari FGD tersebut adalah “Antisipasi Kejahatan Dunia Maya (Cyber Crime) guna memantapkan keamanan dan ketertiban Masyarakat dalam rangka Ketahanan Nasional”
Selain Josua Sinambela, dua narasumber lain adalah Direktur Reserse Kriminal Khusus Polda DIY Kombes Pol Kokot Indarto dan Kepala Dinas Perhubungan, Komunikasi dan Informatika DIY Budi Antono.

Pada FGD tersebut hadir dan turut berdiskusi berbagai kalangan mulai dari Akademisi (UGM, UPN, UII, UAJY), Corporate (BCA, BTN, Provider (APJII, TELKOM) , Pemerintah Daerah dan para penggiat Teknologi Informasi di wilayah Provinsi DIY.

Josua Sinambela membawakan materi tentang keamanan dalam social networking, dimana masyarakat umumnya sudah sangat familiar dan banyak yang tergantung pada media social tersebut. Keamanan dalam pemanfaatan social networking saat ini perlu menjadi perhatian serius setiap pengguna Internet umumnya dan media social pada khususnya. Banyak sekali kejadian kejahatan cyber maupun kejahatan non-cyber lain berawal dari layanan social networking seperti facebook, twitter, path dll.

Josua sendiri sering mendapat aduan dan permintaan bantuan dari para pengguna media social yang menjadi korban cyber crime, mulai dari pencurian identitas, pencurian/publikasi foto hingga penipuan dan pemerasan.

Kejahatan cyber biasanya lebih dipicu karena kurang awarenya para pengguna tentang resiko-resiko saat menggunakan berbagai media social online tersebut. Kurang sadarnya akan keamanan diri sendiri, keluarga maupun orang lain menjadi faktor yang paling utama menjadi deretan korban di dunia cyber.

Materi presentasi dari tentang keamanan pada Social Networking yang berisi Tips-Trik keamanan dalam bersocial networking dapat didownload pada url berikut ini

Sumber informasi terkait berita diatas juga dapat dibaca pada:
http://jogja.tribunnews.com/2014/06/26/waspada-penipuan-online-di-diy-marak/
http://www.harianjogja.com/baca/2014/06/26/cyber-crime-meningkat-diy-bakal-bentuk-lembaga-penanganan-kejahatan-dunia-maya-515528

Seminar Nasional Network Security: Cloud Computing Security & UU ITE

Sesuai dengan rencana kerja UKM Paskamras pada tahun 2013, bertempat di Aula STIKOM Bali telah diadakan Seminar Nasional Network Security “Cloud Computing Security & Undang – Undang ITE” oleh UKM PASKAMRAS (Pasukan Keamanan Acara STIKOM BALI) dengan pembicara Bapak Josua M. Sinambela, S.T., M.Eng., CEH, CHFI, ECSA |LPT, ACE, CCNP, CCNA ,CompTIA Security+ (RootBrain.Com) yang membawakan materi dan demo Cloud Computing Security dan Bapak Kompol Slamet Achwan (Kanit IV Cyber Crime Subid II dit. Rescrime Source Polda Bali ) memaparkan materi tentang UU ITE. Acara Seminar ini dihadiri oleh  perwakilan dari Pembantu Ketua III STMIK STKOM Bali, perwakilan dari BALMA STMIK STIKOM Bali, perwakilan dari Senat Mahasiswa STMIK STIKOM Bali, Staff Manajement STMIK STIKOM Bali dan para sponsor  serta para perserta seminar yang berasal dari 3 kota yaitu Bali, Jogja dan juga Surabaya.
Image
Jam 9 pagi Acara Seminar dibuka oleh MC dengan membacakan susunan acara setelah itu dilanjutkan dengan doa bersama oleh peserta seminar, undangan dan juga para pembicara. kemudian dilanjutkan dengan sambutan dan laporan dari Ketua Panitia Yande Tegar Yudha. Acara selanjutnya dibawakan oleh moderator dengan pengenalan dari kedua narasumber. Sesi pertama, Bapak Josua M. Sinambela, memaparkan materinya yakni, apa itu cloud computing, keamanan dari Cloud Computing dan juga demo dari materi itu sendiri. Di akhir sesi pertama terdapat sesi tanya jawab. Selanjutnya sesi kedua di paparkan materi mengenai UU No.11 Tahun 2008 tentang Informasi dan Transaksi Elektonik (ITE) oleh Kompol Slamet Achwan. Dan di akhir sesi kedua pun di berikan sesi untuk bertanya.
Image
Sebagai acara penutup, selanjutnya adalah pemberian piagam untuk Para Pembicara,Moderator, serta para sponsor yang telah mendukung acara seminar ini. Dengan adanya acara Seminar Nasional Network Security “Cloud Computing Security dan UU ITE” ini diharapkan semakin menyadarkan masyarakat terutama mahasiswa STIKOM Bali akan pentingnya keamanan data digital dan UU ITE yang melingkupinya.
Sumber: http://www.stikom-bali.ac.id/berita/kemahasiswaan/seminar-nasional-network-security.html

Seminar Komputer Forensik di UNRIYO 23 November 2011

Fakultas Sains dan Teknologi Unriyo bekerja sama dengan RootBrain IT Training & Consulting kembali menggelar seminar rutin dengan tema “Komputer Forensik” dengan pembicara Josua M. Sinambela M.Eng, pendiri perusahaan di bidang IT yaitu RootBrain dan Novizal Evendi seorang pemuda yang mahir di bidang forensik, seminar ini wajib diikuti oleh seluruh mahasiswa FST Unriyo diadakan setiap semester baik genap maupun ganjil. Kamis 23 November 2011 diadakan di gedung Penerbit Erlangga Kota gede Yogyakarta, dalam acara ini pun dihadiri oleh tamu undangan guru-guru SMA/SMK di yogyakarta.
Dalam sambutan Rektor Unriyo, Prof.DR.dr. Santoso MS,SpOK mengatakan bahwa selama ini diketahui oleh awam. “forensik adalah berkaitan dengan dunia kesehatan manusia yaitu sering dikaitkan dengan olah TKP pada kecelakaan kendaraan yang digunakan oleh pihak kepolisian dan perlu diingat hasil forensik diatur oleh undang-undang , namun yang sebenarnya mempunyai makna yang sangat luas, yang nanti akan dijelaskan oleh pembicara”. Jelas rektor sekaligus membuka acara dengan pemukulan gong.
Dilanjutkan sambutan oleh dekan FST, Sri Hasta Mulyani S.kom,M.kom menyatakan tema yang diangkat kali ini menyangkut matakuliah semua jurusan, sehingga hasta berharap kesempatan ini bisa diambil manfaatnya sebaik mungkin.

Top Ten Web Hacking Techniques of 2008

Security experts put the latest Web hacking techniques to the test to identify the Top 10 most effective hacking techniques. The results will indicate the state of Web security and the implications for businesses that may be hit by hacks.

By Robert Mullins

Hackers were just as busy as ever in 2008, coming up with ways to thwart the best Web site, browser and application security efforts. The Top Ten hacks — some actual, others theoretical — were acknowledged at RSA® Conference 2009.

“Every year it’s surprising the new types of hacks we discover,” said Jeremiah Grossman, CEO of WhiteHat Security, who hosted the breakout session “Top Ten Web Hacking Techniques of 2008.”

Many of the hacks were discovered by the good guys, security experts who saw a flaw in a browser or application and alerted other good guys in an effort to close that vulnerability, Grossman explained.

Sharing news of these vulnerabilities isn’t meant to give hackers a blueprint for how to be malicious, but to “democratize the playing field,” he said, giving security experts a heads-up to build defenses to possible attacks.

The following hacking techniques were ranked by a panel of four security experts based on their “novelty, impact and pervasiveness,” Grossman explained. The comments from security experts on each hack are from blogs or reports they wrote on the subject:

  1. GIFAR. A contraction of the GIF image file and the Java Archive (JAR) that contains class files for a Java Applet. GIFAR allows a potentially malicious file to be accepted as a valid image by a browser, wrote Nathan McFeters, one of four researchers who discovered GIFAR. “[GIFAR] will allow the execution of arbitrary applet code in the victim’s browser under the context of the web application it was loaded from.”
  2. Breaking Google Gears’ Cross-Origin Communication Model. Google Gears is a browser extension that helps create rich Internet applications (RIAs). The risk is in how Gears “worker” code — JavaScript that can access Gears capabilities such as Local Server, HTTP communication and Database — performs. Researcher Yair Amit discovered that the worker loader disregards the headers of the Gears worker files it loads. “That fact opens an aperture for malicious attacks and significantly broadens the options an attacker has for planting malicious code in a target website,” Amit said.
  3. Safari Carpet Bomb. Security expert Nitesh Dhanjani discovered a vulnerability in Apple’s Safari Web browser that allows a rogue website to litter the user’s desktop, when a Safari is running in Windows, or the download directory in OSX, with unwanted and potentially malicious files. “This can happen because the Safari browser cannot be configured to obtain the user’s permission before it downloads a resource,” Dhanjani explained.
  4. Clickjacking. Cross-site request forgeries (CSRFs) on websites are supposed to be thwarted by onetime tokens, or “nonces,” on a web page that legitimize access. But WhiteHat’s Grossman and colleague Robert Hansen discovered what they called nonce evasion, in which “the browser somehow gains access to data in another domain. Clickjacking, however, evades the need for this cross domain reading,” they wrote. Clickjacking also can thwart click fraud prevention efforts.
  5. A Different Opera. The Opera Web browser is vulnerable to cross-site scripting, noted Stefano Di Paola. A malicious attacker can inject arbitrary browser content through the websites visited with the Opera browser. The code injection is rendered into the Opera History Search page.
  6. Abusing HTML 5 Structured Client-side Storage. HTML code is stored in the client’s browser while the user is visiting a particular site. If a so-called “session storage object” is saved and not deleted when necessary, that object will still be there many hours or even days after it’s no longer needed. “It could cause an unwanted leak of data,” wrote Alberto Trivero, who added that current versions of Firefox, Internet Explorer and Safari don’t adequately deal with unneeded session storage objects. “You can’t easily see or delete it.”
  7. Cross-domain leaks of site logins via Authenticated CSS. This hack thwarts security intended to determine whether an authenticated user is signed into a site or not. “The attack relies on the target site hosting an image at a known URL for authenticated users only,” explained Chris Evans and Michal Zalewski, who discovered the vulnerability. Browsers generally closed that leak for local filesystem URLs but not more widely. “Browsers suck,” Evans added. “We’re building our fortified web apps on foundations of sand.”
  8. Tunneling TCP over HTTP over SQL Injection. Creating a TCP circuit through validly formed HTTP requests can enable tunnelling of data in and out of networks,” explained researchers Glenn Wilkinson, Marco Slaviero and Haroon Meer. If a hacker can upload a Java Server Page, a PHP hypertext protocol or an ASP page on a server, he can connect to hosts behind that server, the trio explained.
  9. ActiveX Repurposing. An ActiveX control automatically upgrades itself if the server informed it of a new software version. By launching a fake upgrade, a hacker “could cause the client to download a possible malicious file,” explained Meer.
  10. Flash Parameter Injection. When an attacker is able to access and control global Flash parameters, he can achieve attacks such as cross-site scripting through Flash, cross-site flashing, and changing the flow of the Flash video, explained three members of IBM Rational’s security team.
All List Hacking Techniques :

  1. CUPS Detection
  2. CSRFing the uTorrent plugin
  3. Clickjacking / Videojacking
  4. Bypassing URL Authentication and Authorization with HTTP Verb Tampering
  5. I used to know what you watched, on YouTube (CSRF + Crossdomain.xml)
  6. Safari Carpet Bomb
  7. Flash clipboard Hijack
  8. Flash Internet Explorer security model bug
  9. Frame Injection Fun
  10. Free MacWorld Platinum Pass? Yes in 2008!
  11. Diminutive Worm, 161 byte Web Worm
  12. SNMP XSS Attack (1)
  13. Res Timing File Enumeration Without JavaScript in IE7.0
  14. Stealing Basic Auth with Persistent XSS
  15. Smuggling SMTP through open HTTP proxies
  16. Collecting Lots of Free ‘Micro-Deposits’
  17. Using your browser URL history to estimate gender
  18. Cross-site File Upload Attacks
  19. Same Origin Bypassing Using Image Dimensions
  20. HTTP Proxies Bypass Firewalls
  21. Join a Religion Via CSRF
  22. Cross-domain leaks of site logins via Authenticated CSS
  23. JavaScript Global Namespace Pollution
  24. GIFAR
  25. HTML/CSS Injections – Primitive Malicious Code
  26. Hacking Intranets Through Web Interfaces
  27. Cookie Path Traversal
  28. Racing to downgrade users to cookie-less authentication
  29. MySQL and SQL Column Truncation Vulnerabilities
  30. Building Subversive File Sharing With Client Side Applications
  31. Firefox XML injection into parse of remote XML
  32. Firefox cross-domain information theft (simple text strings, some CSV)
  33. Firefox 2 and WebKit nightly cross-domain image theft
  34. Browser’s Ghost Busters
  35. Exploiting XSS vulnerabilities on cookies
  36. Breaking Google Gears’ Cross-Origin Communication Model
  37. Flash Parameter Injection
  38. Cross Environment Hopping
  39. Exploiting Logged Out XSS Vulnerabilities
  40. Exploiting CSRF Protected XSS
  41. ActiveX Repurposing, (1, 2)
  42. Tunneling tcp over http over sql-injection
  43. Arbitrary TCP over uploaded pages
  44. Local DoS on CUPS to a remote exploit via specially-crafted webpage (1)
  45. JavaScript Code Flow Manipulation
  46. Common localhost dns misconfiguration can lead to “same site” scripting
  47. Pulling system32 out over blind SQL Injection
  48. Dialog Spoofing – Firefox Basic Authentication
  49. Skype cross-zone scripting vulnerability
  50. Safari pwns Internet Explorer
  51. IE “Print Table of Links” Cross-Zone Scripting Vulnerability
  52. A different Opera
  53. Abusing HTML 5 Structured Client-side Storage
  54. SSID Script Injection
  55. DHCP Script Injection
  56. File Download Injection
  57. Navigation Hijacking (Frame/Tab Injection Attacks)
  58. UPnP Hacking via Flash
  59. Total surveillance made easy with VoIP phone
  60. Social Networks Evil Twin Attacks
  61. Recursive File Include DoS
  62. Multi-pass filters bypass
  63. Session Extending
  64. Code Execution via XSS (1)
  65. Redirector’s hell
  66. Persistent SQL Injection
  67. JSON Hijacking with UTF-7
  68. SQL Smuggling
  69. Abusing PHP Sockets (1, 2)
  70. CSRF on Novell GroupWise WebAccess
Source:
https://365.rsaconference.com/blogs/articles/2009/04/21/top-ten-web-hacking-techniques-of-2008
http://jeremiahgrossman.blogspot.com/2009/02/top-ten-web-hacking-techniques-of-2008.html

The Security Certification Directory

Certifications provide a way to expand and/or demonstrate professional expertise. A wide variety of certifications are available in security and related disciplines. This directory will compile brief descriptions of certs in information and physical security, business continuity, audit and other areas, with links to details from the issuing organizations.

INFORMATION SECURITY CERTIFICATIONS

Certified Information Systems Professional, CISSP
Issuing Org.: Information Systems Security Certification Consortium (ISC)2
Description: “The CISSP is a certification for information security professionals&for the purpose of recognizing individuals who have distinguished themselves as an experienced, knowledgeable, and proficient information security practitioner. The CISSP certificate also provides a means of identifying those persons who subscribe to a rigorous requirement for maintaining their knowledge and proficiency in the information security profession.”
Requirements: “Certification is awarded to those individuals who achieve a prescribed level of information security experience, comply with a professional code of ethics, and pass a rigorous examination on the Common Body of Knowledge of information security. In order to maintain currency in the field, each CISSP must be recertified every three years by participation in research or study, attendance at recognized subject-matter training and professional educational programs, presentation or publication of information security papers, contributions to the information security Common Body of Knowledge, and service in professional organizations.”
More information: www.isc2.org/cissp/default.aspx

Systems Security Certification Practitioner (SSCP)
Issuing Org.: (ISC)2
Description: “SSCP Certification was designed to recognize an international standard for practitioners of information security [IS] and understanding of a Common Body of Knowledge (CBK). It focuses on practices, roles and responsibilities as defined by experts from major IS industries. Certification can enhance an IS career and provide added credibility. Seven SSCP information systems security test domains are covered in the examination pertaining to the Common Body of Knowledge: Access Controls, Administration, Audit and Monitoring, Risk, Response and Recovery, Cryptography, Data Communications, Malicious Code/Malware
Requirements: Examination, Certification, Endorsement, Audit
To be issued a certificate, a candidate must:
-Pass the SSCP examination with a scaled score of 700 points or greater
-Submit a properly completed and executed Endorsement Form
-Successfully pass an audit of their assertions regarding professional experience, if the candidate is selected for audit
Endorsement – Once a candidate has been notified they have successfully passed the SSCP examination, he or she will be required to have his or her application endorsed before the credential can be awarded. The endorser attests that the candidate’s assertions regarding professional experience are true to the best of their knowledge, and that the candidate is in good standing within the information security industry.
Audit Passing candidates will be randomly selected and audited by (ISC)² Services prior to issuance of any certificate. Multiple certifications may result in a candidate being audited more than once.”
More information: www.isc2.org

Global Information Assurance Certification (GIAC)
Issuing Org.: SANS Institute
Description: “Designed to serve the people who are or will be responsible for managing and protecting important information systems and networks. GIAC course specifications & combine the opinions, knowledge, and expertise of many of the world’s most experienced front-line security and system administrators, intrusion detection analysts, consultants, auditors, and managers.
The GIAC certification program consists of:
-Information Security KickStart
-LevelOne Security Essentials
-LevelTwo subject area modules”
Requirements: “There are no official prerequisites to take the GIAC certifications. Any candidate who feels that he or she has the knowledge and ability to pass the certification requirements may take the certification. However, students should be aware of the technical level of the course they wish to take. The 500 level courses are more advanced than the 400 and the 400 more advanced than the 300. Be certain you are not starting at a level that is more difficult than you are prepared for. Some class descriptions provide a “quiz” to make sure you are prepared for that level course, such as Sec-502 and Sec-503 which assume that the student has a working knowledge of the technology in question and a firm grasp of TCP/IP.”
More information: www.giac.org

CompTIA Security+ Certification
Issuing Org.: CompTIA
Description: “CompTIA Security+ validates knowledge of systems security, network infrastructure, access control, assessments and audits, cryptography and organizational security.”
Requirements: “Although not a prerequisite, it is recommended that CompTIA Security+ candidates have at least two years of on-the-job technical networking experience, with an emphasis on security. The CompTIA Network+ certification is also recommended.”
More information: certification.comptia.org/security/default.aspx

Certified Ethical Hacker (CEH)
Issuing Org.: EC Council
Description: “The goal of the ethical hacker is to help the organization take preemptive measures against malicious attacks by attacking the system himself; all the while staying within legal limits. This philosophy stems from the proven practice of trying to catch a thief, by thinking like a thief. If hacking involves creativity and thinking ‘out-of-the-box’, then vulnerability testing and security audits will not ensure the security proofing of an organization. The CEH Program certifies individuals in the specific network security discipline of Ethical Hacking from a vendor-neutral perspective.”
Requirements: Pass the CEH exam 312-50
More information: www.eccouncil.org/CEH.htm

EC-Council Certified Security Analyst (ECSA)
Issuing Org.: EC Council
Description: “EC-Council Certified Security Analyst (ECSA) complements the Certified Ethical Hacker (CEH) certification by exploring the analytical phase of ethical hacking. While CEH exposes the learner to hacking tools and technologies, ECSA takes it a step further by exploring how to analyze the outcome from these tools and technologies. Through groundbreaking penetration testing methods and techniques, ECSA class helps students perform the intensive assessments required to effectively identify and mitigate risks to the security of the infrastructure.”
More information:www.eccouncil.org

Licensed Penetration Tester (LPT)
Issuing Org.: EC Council
Description: “EC-Councils Licensed Penetration Tester (LPT) is a natural evolution and extended value addition to its series of security related professional certifications. The Licensed Penetration Tester standardizes the knowledge base for penetration testing professionals by incorporating the best practices followed by experienced experts in the field. ”
Requirements:
-Achieve Certified Ethical Hacker (CEH) Certification.
-Achieve EC-Council Certified Security Analyst (ECSA) certification.
-Complete LPT Training Criteria:
— Submit LPT Application form
— Documentation on criminal background check, or an authentication from an investigation agency absolving a criminal history.
— Resume with detailed professional experience, previous certification /certificates and references for verification to be submitted.
— Agree to EC-Council Code of Ethics.
-Attend LPT Workshop at selected EC-Councils Accredited Training Centers
More information: www.eccouncil.org/lpt/Licensed_Penetration_Tester.htm

Professional in Critical Infrastructure Protection (PCIP) (formerly CCISP)
Issuing Org.: Critical Infrastructure Insitute
Description:
“Critical infrastructure is defined by the office of Homeland Security as those assets, facilities, industries, and capabilities that are needed to support commerce and our daily lives. This includes SCADA, energy, utility, oil & gas, financial, communications, and transportation to name a few. Since the birth of the internet, the threats that these industries face are becoming increasingly more complex, and alarmingly more common, as these, once isolated, environments are now faced with viruses, hackers, cyber terrorists, and remote threats of high available system outages. Securing the systems and network environments that support this critical infrastructure is more important in today’s world now more than ever and requires an extended set of specialized skills.
Professionals carrying the PCIP designation will have demonstrated the necessary knowledge and professional skills required for designing, maintaining, and managing security architectures for critical infrastructure, SCADA, and high-availability environments. These skills range from security architecture design & management to highly advanced technical skills such as those used by hackers to circumvent security measures as well as countermeasure techniques all specific to these critical infrastructure, SCADA, and high availability environments.”
Requirements: “The PCIP certification is divided into three (3) seperate Classes. PCIP Class 1: CIP Program Course, PCIP Class 2: CIP Technical Course, and PCIP Class 3: CIP Applied Course. Individual class certificates will be award upon completion of each class but the PCIP certification is only awarded upon successful completion of all three (3) classes. Each class is small in size ensuring maximum personalization, a challenging hands on training environment, and follows a specifically designed curriculum focusing on critical infrastructure.
For authenticity purposes, each PCIP recipient carries a PCIP certification card displaying the PCIP recipients’ names, PCIP number, and date of certification, which is also kept in a secure database for reference on the CI-INSTITUTE.ORG website. Recipients must recertify every 2 years or maintain their certification with approved CPE credits (Continued Professional Education). This ensures the PCIP holder maintains current knowledge of security threats and solutions.”
More information: www.ci-institute.org

Anti-Hacking Certification
Issuing Org.: Security University
Description: “The Anti-Hacking Certification offers the basics of performance based computer security education. From building a blueprint of your critical assets with Network Penetration Testing class, to knowing how a hacker thinks, and where the compromise happened inside your network, this certification exceeds users expectations for labs and experience.”
More information: www.securityuniversity.net

Advanced Information Security Certification (AIS)
Issuing Org.: Security University
Description: “The AIS Certification (Advanced Information Security) includes advanced information security classes. These classes include PKI & certificate management, Security Policies and Services Oriented Architecture and IDS monitoring classes.
Requirements: “In order to qualify for the AIS certification you have to complete the 4 Anti-Hacking Certification classes and the 4 AIS classes. The AIS classes are hands-on classes with performance based testing, the labs and experience exceed users expectations.”
More information: www.securityuniversity.net

APPLICATION SECURITY AND SOFTWARE SECURITY CERTIFICATIONS

GIAC Secure Software Programmer (GSSP)
Issuing Org: SANS Institute
Description: Various GSSP certifications specify expertise in C, Java, or .NET.
Requirements:
More information: www.giac.org/certifications/software

Certified Secure Software Lifecycle Professional (CSSLP)
Issuing Org: ISC2
Description:
“The following domains make up the CSSLP CBK.
* Secure Software Concepts – security implications in software development
* Secure Software Requirements – capturing security requirements in the requirements gathering phase
* Secure Software Design – translating security requirements into application design elements CSSLP Man
* Secure Software Implementation/Coding – unit testing for security functionality and resiliency to attack, and developing secure code and exploit mitigation
* Secure Software Testing – integrated QA testing for security functionality and resiliency to attack * Software Acceptance – security implication in the software acceptance phase
* Software Deployment, Operations, Maintenance and Disposal – security issues around steady state operations and management of software”
Requirements:
More information: www.isc2.org/csslp-certification.aspx

Software Security Engineering Certification
Issuing Org.: Security University
Description: “Security University Software Security Engineer Certification is a number of classes that make a Software Security Engineer Certification. This certification is for anyone interested in securing software from flaws and bugs, with how to break code, and best practices for checking your code, to penetration testing your code. These classes and certification are new and will provide consistent, extreme hands-on software security labs and classes with trademarked escalating workshops and performance based training for security, IT professionals and now coding /developers.”

More information: www.securityuniversity.net

AUDIT CERTIFICATIONS

Certified Information Systems Auditor (CISA)
Issuing Org.: Institute of Internal Auditors
Description: “Awarded by the Information Systems Audit and Control Association to those individuals with an interest in information systems auditing, control, and security who have met and continue to meet specific requirements.”
Requirements:
-Successfully complete the CISA Examination
-Adhere to the Information Systems Audit and Control Association’s Code of Professional Ethics
-Submit evidence of a minimum of five (5) years of professional information systems (IS) auditing, control or security work experience. Substitution and waivers of such experience applies
-Adhere to a continuing education program.”
More information: www.isaca.org

Certified Information Security Manager (CISM)
Issuing Org.: Institute of Internal Auditors
Description: “Awarded by the Information Systems Audit and Control Association& a new certification and is specifically geared toward experienced information security professionals. CISM is business-oriented and focused on information risk management while addressing management, design and technical security issues at the conceptual level. It is for the individual who must maintain a view of the big picture by managing, designing, overseeing and assessing an enterprise’s information security.”
Requirements:
-Successfully complete the CISM Examination
-Adhere to the Information Systems Audit and Control Association’s Code of Professional Ethics
-Submit verified evidence of a minimum of five (5) years of information security work experience, with a minimum of three (3) years of information security management work experience in three or more the CISM job practice areas
More information: www.isaca.org

Certification in Control Self-Assessment (CCSA)
Issuing Org.: Institute of Internal Auditors
Description: “The Certification in Control Self-Assessment (CCSA) is The Institute of Internal Auditors first specialty certification and second certification to be offered by the Board of Regents in the history of the Institute of Internal Auditors. The new CCSA certification program will identify the skill sets needed by successful CSA practitioners, measure proficiency in CSA, and provide guidance for CSA initiatives.”
Requirements: Experience plus a certification exam.
More information: www.theiia.org

Certified Internal Auditor (CIA)
Issuing Org.: Institute of Internal Auditors
Description: “The Institute of Internal Auditors (IIA) offers Certified Internal Auditor (CIA) certification which requires candidates to master their ability to identify risks, examine alternative remedies, and prescribe the best initiatives to control these risks. CIAs master auditing standards and practices as well as management principles and controls, information technology, and emerging strategies to improve business and government. CIAs learn the best ways to manage business. The CIA exam tests a candidate’s knowledge and ability regarding the current practice of internal auditing. It enables candidates and prospective managers to adapt to professional changes and challenges by:
-Addressing nearly all management skills.
-Focusing on the principles of management control.
-Measuring a candidate’s understanding of risk management and internal controls.”
Requirements:
More information: www.theiia.org

Certification in Control Self-Assessment (CCSA)
Issuing Org.: Institute of Internal Auditors
Description: “Gaining the required knowledge of areas such as risk and control models—often considered the realm of auditors only—exposes CSA practitioners from all backgrounds to concepts that are vital in effectively using CSA to help clients achieve their objectives.”
Requirements: “Candidates must complete 54 CPD (continuing professional development) hours in the following manner: 18 CPD hours for Introduction to Control Self-Assessment; 18 CPD hours for either Value-Added Business Controls: The Right Way to Manage Risk or Evaluating Internal Controls: A COSO-Based Approach; and 18 CPD hours for either Assessing Risk: A Better Way to Audit or CSA Facilitation Techniques for Auditors.” More information:

PHYSICAL SECURITY AND LOSS PREVENTION CERTIFICATIONS

Cert: Certified Protection Professional (CPP)
Issuing Org: ASIS International
Description: “As the emphasis on protecting people, property, and information increases, it has strengthened the demand for professional managers&. Nearly 10,000 professionals have earned the designation of CPP. This group of professionals has demonstrated its competency in the areas of security solutions and best-business.”
Requirements:
– Education: Bachelor’s degree or higher from an accredited institution, and seven years of security experience, including at least three years in responsible charge of a security function
OR
– Work Experience: Nine years of security experience, including at least three years in responsible charge of a security function.
– All applicants must pass CPP examination
– Also requires no prior conviction of significant criminal offense
More information: ASIS International

Name: Physical Security Professional (PSP)
Issuing Org.: ASIS International
Description: “The physical security examination is targeted to security professionals whose primary responsibility is to conduct threat surveys; design integrated security systems that include equipment, procedures, and people; or install, operate, and maintain those systems.”
Requirements:
Experience and Education
1. Five years of experience in the physical security field
2. High school diploma or GED
3. The applicant must not have been convicted of significant criminal
Must adhere to PSP Code of Professional Responsibility.
More information: ASIS International

Cert: Loss Prevention Qualified (LPQ)
Issuing Org:Loss Prevention Foundation
Description:“Designed to be a benchmark education for entry level loss prevention associates.”
Requirements:Coursework and exam
More information: http://www.losspreventioncertification.com/INDX-LearnMore.htm

Cert: Loss Prevention Certified (LPC)
Issuing Org:Loss Prevention Foundation
Description:“Designed as advanced education for loss prevention management and executives who hope to further their career in the loss prevention field.” Available Spring 2009.
Requirements:Online coursework and proctored exam
More information: http://www.losspreventioncertification.com/INDX-LearnMore.htm

FRAUD, INVESTIGATION AND FORENSICS CERTIFICATIONS

Certified Fraud Examiner (CFE)
Issuing Org.: Association of Certified Fraud Examiners
Description: “Since 1988, the Association has been dedicated to educating and certifying qualified individuals (Certified Fraud Examiners) in the highly specialized aspects of fraud detection and prevention. The diverse membership of the Association includes auditors, accountants, fraud investigators, loss prevention specialists, attorneys, educators, criminologists, and other anti-fraud professionals.
The Certified Fraud Examiner program is an accrediting process for individuals with the specialized skills to detect, investigate, and deter fraud. Certified Fraud Examiners have the expertise to resolve allegations of fraud from inception to disposition, gather evidence, take statements, write reports, testify to findings, and assist in the prevention and detection of fraud.”
Requirements: “Before applying to become a CFE, candidates must first become Associate Members of the Association of Certified Fraud Examiners. Further requirements include the equivalent of a bachelors degree from a recognized institution of higher learning, two years of professional experience related directly or indirectly to the detection and deterrence of fraud, and successful completion of the Uniform CFE Examination. ”
More information: www.cfenet.com

Certified Identity Theft Risk Management Specialist (CITRMS)
Issuing Org.: Institute of Consumer Financial Education
Description: “The Certified Identity Theft Risk Management Specialist (CITRMS) certification program is the nations only training program specifically developed for professionals who are dedicated to educating and assisting clients, customers, businesses, and the general public in combating the epidemic of Identity Theft and related fraud. CITRMS-qualified professionals are employed by a wide range of organizations including financial institutions; mortgage, real estate, and financial services firms; law enforcement, and other government agencies. Many others are private practitioners including attorneys, CPAs, financial advisors, counselors, and consultants.”
More information: www.icfe.org

Professional Certified Investigator (PCI)
Topic: Investigations
Issuing Org.: ASIS International
Description:. The PCI certification will help employers identify those professionals who have the specific, in-depth competency and knowledge required not only to get the job done – but to get it done right. Examination consists of multiple-choice questions covering tasks, knowledge, and skills in case management, evidence collection, and case presentation
Requirements:
– Experience and Education
1. Five years’ investigations experience, with at least two in case management.
2. A high school diploma or GED equivalent.
3. Adherance to PCI Code of Professional Responsibility
More information: ASIS International

Computer Hacking Forensic Investigator Certification (CHFI)
Issuing Org.: EC Council
Description: “Computer hacking forensic investigation is the process of detecting hacking attacks and properly extracting evidence to report the crime and conduct audits to prevent future attacks. Computer forensics is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence. Evidence might be sought in a wide range of computer crime or misuse, including but not limited to theft of trade secrets, theft of or destruction of intellectual property, and fraud. CHFI investigators can draw on an array of methods for discovering data that resides in a computer system, or recovering deleted, encrypted, or damaged file information.” Requirements: More information: www.eccouncil.org”>

PRIVACY CERTIFICATIONS

Certified Information Privacy Professional (CIPP)
Issuing Org.: International Association of Privacy Professionals, IAPP
Description: “The Certified Information Privacy Professional (CIPP) debuted in 2004 and has since become the industry-standard certification in corporate compliance with U.S. privacy laws and regulations as well as European requirements for transfers of personal data.
Requirements: Successful candidates have become IAPP members and also have completed and passed the Certification Foundation Examination and the CIPP Examination.
More information: IAPP

BUSINESS CONTINUITY CERTIFICATIONS

Associate Business Continuity Planner (ABCP)
Issuing Org.: DRI International
Description: “The Associate Business Continuity Planner (ABCP) or Associate level, is for individuals with at least a specified minimum level of knowledge in business continuity/disaster recovery planning, but who have not yet attained the two years of experience required for CBCP. Individuals can also qualify if they work in positions related to–but not actually in–business continuity/disaster recovery planning.”
More information: DRII

Certified Business Continuity Professional (CBCP)
Issuing Org.: DRI International
Description: “DRII’s CBCP certification is reserved for individuals who have demonstrated their knowledge and experience in the business continuity / disaster recovery industry.”
Requirements: A minimum of two years of experience as a business continuity/disaster recovery planner.
More information: DRII

Master Business Continuity Professional (MBCP)
Issuing Org.: DRI International
Description: “The Master Business Continuity Professional (MBCP) or Master level, targets an individual with a minimum of five years of experience as a business continuity/disaster recovery planner. In addition, the MBCP must attain a higher score on the CBCP Examination, and either successfully complete a case-study examination or complete a directed research project and paper. An additional prerequisite for the CBCP and MBCP certification levels is the demonstration of proficiency in a specific number of Subject Areas of the Professional Practices for Business Continuity Planners.”
More information: DRII

Business Continuity Certified Planner (BCCP)
Issuing Org.: BCM Institute
Description: “The BCCP recognizes practitioners who are involved in developing, implementing and maintaining BC procedures and processes for their business sub-units; as well as for senior and middle management involved in BCM. ”
More information: BCM Institute

Business Continuity Certified Specialist (BCCS)
Issuing Org.: BCM Institute
Description: “The specialist’s role as it implies are designed to recognised individuals who are participating as department coordinators in the BCP project. The BCCS caters to coordinators supporting business users. The DRCS caters to individuals who are participating in the DR planning stages; usually, overseeing specific areas in the IT infrastructure, application, software and hardware.”
Requirements: One year of relevant experience, plus four days of training coursework (or equivalent certification) and an examination. More information: BCM Institute

Business Continuity Certified Expert (BCCE)
Issuing Org.: BCM Institute
Description: “The Business Continuity Certified Expert (BCCE) certification is designed and developed to instill pertinent concepts and knowledge in BCM practitioners; which will enable them to drive organizational-wide BCM programs; develop business continuity and recovery strategies; develop and implement comprehensive BC plans; develop and implement BCM awareness and training programs; conduct exercises and tests; implement BCM audit and assessment programs to ensure BC plan effectiveness. This course is designed and developed to train BC managers, planners, and project managers.”
Requirements:
More information: BCM Institute

Disaster Recovery Certified Specialist (DRCS)
Issuing Org.: BCM Institute
Description:
Requirements: Training course and a certification exam.
More information:

Disaster Recovery Certificate Expert (DRCE)
Issuing Org.: BCM Institute
Description: “Individuals intending to qualify for the expert level are expected to manage and drive organizational-wide BCP/DRP projects. Such individuals are expected to assist organizations to sustain BCM programs. This will involve developing and conducting integrated tests and exercises; which should also assess the coordination between inter and intra-dependent business and support units (including IT). The BCCE is targeted at individuals involved in BCM. The DRCE is targeted at individuals involved in DRP.”
Requirements: Training and a certification exam, plus three years’ experience in BCP and/or DRP
More information: BCM Institute

Sumber: http://www.csoonline.com/article/485071