Post on 25-Apr-2018
transcript
Security Management in the Internet Era
Jun Murai Keio University
Suguru Yamaguchi Nara Institute of Science and Technology
1st: Course Description September 22, 2011
Professor
Suguru Yamaguchi Graduate School of Information Science,
Nara Institute of Science and Technology
Information Security Advisor, National Information Security Center
Management Advisor of e-Government, Government Program Management Office
Jun Murai Graduate School of Media and Governance,
Keio University
Dean, Faculty of Environment and Information Studies, Keio University
Staff
TAs
Yuki Uehara (Keio University)
Kunihiko Shigematsu (Keio University)
Hirotaka Sato (Keio University)
Masatoshi Enomoto (Nara Institute of Science and Technology)
Noppawat Chaisamran (Nara Institute of Science and Technology)
Questions about course content go to the mailing list:
sig2011@sfc.wide.ad.jp
Schedule
01st (09/22) Course Description
02nd (09/29) Cloud Security (1)
03rd (10/06) Cloud Security (2)
04th (10/13) Military use of cyber security technology and its issues
05th (10/20) IPv6 Security
06th (10/27) Guest Lecture (Joichi Ito)
07th (10/27) Midterm Presentation (1)
08th (11/10) Midterm Presentation (2)
09th (11/17) Disaster Recovery Internet (1)
10th (12/01) Disaster Recovery Internet (2)
11th (12/08) Personal Information and Security (1)
12th (12/15) Personal Information and Security (2)
13th (12/22) Evaluation of Security Risk
14th (1/12) Final Presentation (1)
15th (1/19) Final Presentation (2)
Grading Policy
Homework report
• Several times
Group work
• Midterm presentation: 7th, 8th
• Final presentation: 14th, 15th
Participation
• Questions and discussions are evaluated
What's SOI?
SOI (School Of Internet)
University on the Internet
Anyone can join SOI
Not only for Keio University
http://www.soi.wide.ad.jp/
The SOI of this class
You can watch the class videos in SOI
This class is published in SOI
You have to register with SOI to submit homework
We explain how to join SOI in the next several slides
SOI Registration
Student registration / Course registration
You have to register an SOI account, or you will
not be evaluated (you'll fail the class)
Submitting Homework
You can submit the homework in several ways:
• Text
• Create a web page & register its URL
SFC students have to submit it using their CNS account, or they will not be evaluated
Submitted reports will not be disclosed
Refer to & reply to friends
You can modify your report as many times as needed before the deadline
The submission page will be announced at a later date
About this class
Course hour: 11:05-12:35
This is an irregular time slot for both SFC & Nara
Guest lecture: 6th class (October 27th)
Joi Ito
Position: Director of MIT Media Lab
18:10~19:40
Note: We take a roll call on the day of the guest lecture
About the 2nd Class
This class is delivered not only on GC
but also on iTunes U
If this presents an inconvenience to you, please contact a TA in advance
The Internet as social infrastructure
The Internet
[Figure: things connected to the Internet: IC card, cellular, furniture, vehicle, medical instruments, aircraft, person, ticket reservation, power station, generator management, traffic control, ID tag, bank, ATM, online banking]
In the future, many more things will be connected.
The Internet
[Figure: sectors connected through the Internet: business, home, social infrastructure, education, spaceship, government, industry]
The characteristics of the Internet, seen from a security viewpoint
1. Global Infrastructure: a digital network connecting the whole globe.
Operation of the Internet is essentially cooperation beyond national boundaries, based on agreement among its participants. It is also the infrastructure supporting a variety of services, so it is important to maintain reachability.
2. Open Connectivity: the Internet is not only private lines but also a structure
available to everyone. Government, corporate and voluntary participants, people in various positions, are all related to each other.
3. Variety of Internet devices: the Internet is composed of a variety of connecting devices and software, and
interconnection has been achieved among them. Each type of device and software is different, and so are the security measures it needs.
Global infrastructure (1/2)
A digital infrastructure connecting the world. Loss of network reachability causes problems in various situations, such as personal, business and
government use.
Case: worldwide network failure
• Failure of BGP routing
 • 1 hour from 17 February 2009, 1:23 (JST)
 • Cause: misoperation by a provider in the Czech Republic
• DNS failure
 • 23 September 2010
 • Cause: misoperation; a DNSSEC key update failed
→ Whose responsibility is it? Should reachability be guaranteed at all times?
When a failure occurs, who should take responsibility?
• E.g. national organizations, carriers, businesses, individuals
Global infrastructure (2/2)
Issues in law enforcement
Crime across borders
• How to investigate?
• Which country's law applies?
• Depending on the law, the criminal cannot be
seized
Effect on conventions and legal systems?
[Figure: a user abroad attacks several servers in the domestic country. Is the attack judged by national law or by foreign law? Extradition requests can be filed for the criminal.]
Open Connectivity
Various users are on the Internet, and everyone uses the one network, so any host can be attacked from anywhere, at any time
• A non-patched Windows XP SP1 machine connected to the Internet is compromised in about 4 minutes (Avantgarde, 2004)
It is difficult to build trust relationships through online communication alone
• Hosts don't need strict authorization or limitation to connect to the Internet
• IP addresses don't completely guarantee uniqueness
Various Internet Devices
Specialties differ from device to device. Who has responsibility for management?
Risk of individual utilization
Internet connection format, type of vulnerability, repair method
Information home electronics, e.g. television, video/DVD recorder
Personal computer: each operating system has an open platform for
executable software
Cell phone: most functions are limited; available for reading e-mail and browsing the web
Smartphone: richer functions than a traditional cell phone
Disconnections of network
Natural disasters (earthquake, tsunami, typhoon, etc.)
Instrument fault, human error, software problem
Cyber attack, DDoS attack from a botnet
Foreign relations, legal actions, maintenance of security
Problems of culture & manners
Intentional Information Control
Control for protecting the country
Terrorism, domestic crime, crackdown on international crime (deterring criminals from communicating)
Prevention of leaks of information about technology & politics; control of religion & thought
Control for protecting individuals: information blocking
• Individuals can use it for crime / individuals can be drawn into crime
Protection of privacy & privilege
• Control of leaked information / defamatory information
Globalization of Services
Expansion of cloud computing services
From where are the data and services provided?
Users have difficulty seeing who operates the data & services because of outsourcing
Trust in the company & country-specific law affect risk evaluation
Where the servers are really located & which companies operate them influence users' risks
Users are in various countries
Dependence on Online Services
Dependencies are concentrated on particular online services: search engines, web mail, Twitter, etc.
Many service businesses go online: reservation systems, payment systems, data keeping, etc.
Think about the impact when they stop. Who assumes the responsibilities, and how?
The effect on privacy due to association of information
Until now
Databases existed individually. Information about an individual had a restricted meaning.
• Record of digital money & credit card
• Boarding record of transportation facility
• Phone call record of cell phone
Now
Databases are linked. Information about individuals can easily be associated, so action history, patterns and tastes are easy to guess.
• Boarding record of transportation facility
• Phone call record of cell phone
• Record of digital money & credit card
• Video of security camera
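As an added illustration of the linkage described above (example code written for this transcript, not material from the lecture): three constructed databases, each keyed on the same customer ID, are joined to reconstruct one person's day, and the same join fails once each operator pseudonymizes its IDs with its own HMAC key. All records, field names and keys below are invented.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample records (not real data). Each "database" belongs to a
# different operator, but all three key their rows on the same customer ID.
TRANSIT = [  # boarding records of a transportation facility
    {"customer_id": "C-1001", "time": "2011-09-22T08:05", "station": "Shonandai"},
    {"customer_id": "C-1001", "time": "2011-09-22T18:40", "station": "Yokohama"},
    {"customer_id": "C-2002", "time": "2011-09-22T09:15", "station": "Shinjuku"},
]
PAYMENTS = [  # digital money / credit card records
    {"customer_id": "C-1001", "time": "2011-09-22T12:30", "merchant": "cafe"},
    {"customer_id": "C-1001", "time": "2011-09-22T19:10", "merchant": "bookstore"},
    {"customer_id": "C-2002", "time": "2011-09-22T20:00", "merchant": "pharmacy"},
]
PHONE = [  # call records of a cell phone
    {"customer_id": "C-1001", "time": "2011-09-22T12:45", "called": "+81-3-000-0001"},
]


def link_by_key(key_field, *databases):
    """Join rows from several databases on a shared identifier and return,
    per identifier, the merged activity history sorted by time.
    This is the 'Now' situation on the slide: one key, one timeline."""
    history = defaultdict(list)
    for db in databases:
        for rec in db:
            history[rec[key_field]].append(rec)
    for recs in history.values():
        recs.sort(key=lambda r: r["time"])  # ISO-8601 strings sort chronologically
    return dict(history)


def pseudonymize(database, key_field, secret):
    """Replace the shared identifier with a keyed hash (HMAC-SHA256).
    With a different secret per operator, the same person receives unrelated
    pseudonyms in each database, so a plain join no longer links them."""
    out = []
    for rec in database:
        token = hmac.new(secret, rec[key_field].encode(), hashlib.sha256).hexdigest()[:16]
        out.append({**rec, key_field: token})
    return out


def linkable_people(*databases, key_field="customer_id"):
    """Count identifiers that appear in more than one database, i.e. people
    whose records across operators can be associated by a simple join."""
    seen = defaultdict(set)
    for i, db in enumerate(databases):
        for rec in db:
            seen[rec[key_field]].add(i)
    return sum(1 for dbs in seen.values() if len(dbs) > 1)


if __name__ == "__main__":
    day = link_by_key("customer_id", TRANSIT, PAYMENTS, PHONE)["C-1001"]
    for rec in day:  # the reconstructed day of one person
        print(rec["time"], {k: v for k, v in rec.items() if k not in ("customer_id", "time")})
    print("linkable with shared ID:", linkable_people(TRANSIT, PAYMENTS, PHONE))
    # Hypothetical per-operator secrets; in practice each operator keeps its own.
    separated = [
        pseudonymize(TRANSIT, "customer_id", b"transit-operator-secret"),
        pseudonymize(PAYMENTS, "customer_id", b"payment-operator-secret"),
        pseudonymize(PHONE, "customer_id", b"phone-operator-secret"),
    ]
    print("linkable after per-operator pseudonyms:", linkable_people(*separated))
```

The caveat the slide points at is visible in the last function: pseudonymization only separates the databases while the secrets stay separate. If two operators share one key (or one party holds all of them), the pseudonyms line up again and the full timeline can be rebuilt.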
Business processes and ICT
Business Platform built on ICT
Implementation of businesses on ICT platforms = visualization of business “know-how”
[Figure: business functions running on the ICT platform: sales order management, business design, factory management, outsourcing, company operation, QA/QC, delivery, marketing, settlement, executive decision support, customer support, financial management]
Connected World & Shared Responsibility
[Figure: things connected to the Internet: IC card, cellular phone, home appliances, automobile, medical service, aviation, individuals, ticket reservations, power supply, plant management, traffic management, RFID, finance services, ATM, online banking]
Supply Chain Management (SCM), today
[Figure: suppliers → stock management → factories → logistics → customers, all on a common ICT platform]
Production optimization
Financial management
Integrated business management & ERP
Roles of Information Systems
Information storage & repository; process reuse with economic efficiency; handling “money”; parallel processing to manage many devices (e.g. sensor
networks)
“Business enabler”: companies implement their business model on information systems.
• Agile development for quicker turnover.
Direct improvement in economic efficiency through integration and interconnection of systems.
A new style of “value creation”
Where are we heading? Wide ICT deployment into social
infrastructures.
We are living in a “connected world” where more and more information is exchanged and processed among a vast number of computers and ICT devices.
A true ICT society
Covers our whole globe.
Knowledge-based economy.
Global optimization.
High mobility of users, information processing and assets.
Security is our #1 priority
Information systems are also a “business enabler” for criminals. Information systems add power for criminals in many
ways, such as APT and attacks using cloud computing. There is global collaboration in making malware, composing attacks
and getting $$$.
We have to change this game! We need a good scheme to strengthen information security
management, more efficient measures against criminals, and changes to the structure.
BOTnet attacks on KR and US in July 2009 (DDoS attacks)
• Attacker in UK, 8 controllers around the world
• 170K BOT nodes in 74 countries
• Top 10 countries: 1 Korea, 2 USA, 3 China, 4 Japan, 5 Canada, 6 Australia, 7 Philippines, 8 New Zealand, 9 UK, 10 Vietnam
Ref: http://blog.bkis.com/en/korea-and-us-ddos-attacks-the-attacking-source-located-in-united-kingdom/
Cloud computing is much better than BOTnet!
Purchased system profile: per 1000 instances and 1 hour
BOTnet
• Rental cost [1]: about 30,000 yen
• Illegal to use
Cloud Computing
• Rental cost [2]: about 10,000 yen
• Legal to use
• Anyone can borrow this
[1] http://www.gdata.co.jp/press/WP_UndergroundEconomy.pdf
[2] http://aws.amazon.com/jp/ec2/
Password Crack on Cloud Computing
The case using Amazon EC2
Ref: Electric Alchemy Inc. http://itpro.nikkeibp.co.jp/article/COLUMN/20100412/346976/
Target                                    Cost (USD)
Only alphabets, 8-char password                    3
Alphabets + numbers, 8-char password              45
Only alphabets, 12-char password           1,529,310
Alphabets + numbers, 12-char password     75,935,598
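As an added worked calculation (written for this transcript; not from the lecture and not Electric Alchemy's method): the keyspace behind each row of the table, a per-guess cost calibrated from the cheapest row under the assumption that cost scales linearly with keyspace, and the minimum password length that pushes an exhaustive search past a given attacker budget. The 26-letter alphabet is assumed to be case-insensitive, and the 62-character mixed-case set is an extra case that is not in the table.

```python
import string

# Figures from the slide (USD, Amazon EC2 per Electric Alchemy), kept for comparison.
PAGE_COSTS_USD = {
    ("alpha", 8): 3,
    ("alnum", 8): 45,
    ("alpha", 12): 1_529_310,
    ("alnum", 12): 75_935_598,
}

# Assumed character sets: the slide does not state whether letters are
# case-sensitive, so "alpha" is taken as 26 lower-case letters.
CHARSET_SIZE = {
    "alpha": len(string.ascii_lowercase),                       # 26
    "alnum": len(string.ascii_lowercase + string.digits),       # 36
    "alnum_mixed": len(string.ascii_letters + string.digits),   # 62 (not on the slide)
}


def keyspace(charset_size, length):
    """Number of candidate passwords an exhaustive search must cover."""
    return charset_size ** length


def usd_per_guess(calibration=(("alpha", 8), 3)):
    """Assumed cost of one guess, derived from the slide's cheapest row:
    3 USD buys the whole 26**8 keyspace."""
    (charset, length), usd = calibration
    return usd / keyspace(CHARSET_SIZE[charset], length)


def brute_force_cost(charset, length, unit_cost=None):
    """Cost of a full search, assuming cost grows linearly with keyspace
    (the rented cluster is simply kept running longer)."""
    unit_cost = usd_per_guess() if unit_cost is None else unit_cost
    return keyspace(CHARSET_SIZE[charset], length) * unit_cost


def min_length_for_budget(charset, attacker_budget_usd, unit_cost=None):
    """Smallest length whose exhaustive search costs more than the attacker
    is assumed willing to spend; a defender-side policy check."""
    unit_cost = usd_per_guess() if unit_cost is None else unit_cost
    length = 1
    while brute_force_cost(charset, length, unit_cost) <= attacker_budget_usd:
        length += 1
    return length


def compare_with_page():
    """Ratio of the linear model's prediction to each slide figure
    (1.0 means the model reproduces the slide exactly)."""
    return {key: brute_force_cost(*key) / usd for key, usd in PAGE_COSTS_USD.items()}


if __name__ == "__main__":
    for (charset, length), ratio in compare_with_page().items():
        print(f"{charset:6s} {length:2d} chars: keyspace {keyspace(CHARSET_SIZE[charset], length):.3e}, "
              f"model/page = {ratio:.2f}")
    print("mixed-case alnum, 8 chars:", round(brute_force_cost("alnum_mixed", 8)), "USD")
    print("alpha length needed to exceed a 1,000,000 USD attacker:",
          min_length_for_budget("alpha", 1_000_000))
```

Calibrated on the 3 USD row, the linear model lands within about 10% of the other three slide figures, which is what makes the table's lesson usable as a policy rule: every extra character multiplies the attacker's bill by the charset size, and a larger charset helps less than a longer password.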
Reference for next class
Theme: Cloud Computing
1. Summary of the research report on the foundations of a cloud computing society (クラウドコンピューティング社会の基盤に関する研究報告書の概要) http://www.ipa.go.jp/about/research/2009cloud/pdf/100324_cloud_extract.pdf
2. Prospects for overcoming the legal issues of the global cloud (グローバルクラウドの法的課題克服に向けた展望) http://www.itmedia.co.jp/enterprise/articles/1005/11/news004.html
3. NIST Definition of Cloud Computing v15 http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc