How To Protect Your Computer From Attack

Transcription

1 Internet Security Topics JPCERT/CC Japan Computer Emergency Response Team Coordination Center Yurie Ito, Director Technical Operation 1

2 Today s Agenda 1. Incident Trends Purpose/motivation, methods 2. Security Trends Countermeasures, organization 3. Moves to Protect Critical Infrastructure 4. Trends in the CSIRT Community 2

3 1. Incident Trends 3

4 Strongly motivated and Winning is Everything" Attacks Spyware, botnets, phishing, Trojan horses, etc. Social Engineering Attacks targeting security weaknesses, etc. Tools & Methods Assets Perpetrators Technology 4

5 Incident Trends Perpetrators are no longer just script kiddies or thrill-seekers Perpetrators are organized, have clear objectives, links to underground organizations with great technological expertise Large-scale attacks targeting specific sites Motives vary: money, politics, malice 5

6 Incidents ー Botnets Botnets Botnets are used for SPAM and DDoS attacks. Unlike worms and viruses, which spread over a wide area, bots tend to be localized. Many varieties ー Bots are easy to create. Hard to spot ー Botnets operate secretly. Hard to detect ー Limitations of pattern matching Botnets are becoming ever more sophisticated. 6

7 Incidents ー Botnets More than 80 new varieties of bot are born every day. Unprotected PCs are infected in an average of 4 minutes after connecting to the Internet % of ISP users in Japan are infected by bots. Assuming 20 million broadband subscribers, this means ,000 infected PCs. Source: Joint research by JPCERT/CC and Telecom-ISAC Japan 7

8 Incidents ー Phishing Phishing: The number of phishing sites is growing rapidly across the world. Phishing attacks targeting Japanese consumers have occurred. The number of incidents reported to JPCERT/CC is also rising. Number of new phishing sites Number of incidents reported to JPCERT Number of new sites サイト 数 Number of sites Source: Phishing Activity Trends Report, September Apr May Jun Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct 8

9 Incidents ー Phishing Sophisticated methods Fakes can not be detected at a glance Web browser address bars have been falsified. Domain names similar to genuine ones have been used. There are even cases in which an SSL server certificate was obtained. 9

10 10

11 Incidents ー Phishing Phishing: Phishing can cause extensive damage. Banks are implementing their own countermeasures. Software vendors have begun to offer phishing protection measures. Microsoft Enhances Phishing Protection for Windows, MSN and Microsoft Windows Live Customers Legislative measures against phishing have been slow. 11

12 Incident Trends ー Information Leaks Information leaks: If a worm infects a PC which P2P software has been installed, it will cause a series of information leakage. Leakage of customer information, critical system information, etc. is becoming a major social issue. Once the information leaks, it is effectively irretrievable. Even where internal rules exist, information leaks remain numerous. 12

13 Vulnerability in a Wide Range of Products Vulnerability has been discovered in a wide range of products and is likely to continue to grow. Vulnerability in client applications MS Internet Explorer, MS Office, security software (AV, FW), etc. Vulnerability in server applications Web servers, authentication services, library applications, etc. Vulnerability in Internet protocols TCP/IP, IPSec, ISAKMP, etc. Vulnerability in network devices Routers, FW, IDS, etc. Vulnerability in consumer electronics, mobile phone handsets DVD recorders, portable game machines, mobile phones 13

14 Target of Attacks Widely used for daily purposes ICMP DNS Easy to use, with convenient functions MS Outlook Chat servers (IRC servers) P2P file-sharing software MS Internet Explorer If a product is widely used, the other side of the coin is that it can also be used for malicious purposes. 14

15 Next Threat Home users The tools used by end users are becoming more complex. Environments: hardware and networks are becoming more powerful. About 100,000 users are connected to a 100 Mbit network. Home users machines Systems not properly managed No incident response measures in place Insufficient knowledge of PCs. 15

16 2. Security Trends 16

17 Defense in Depth The need for defense in depth Attackers and defenders are playing catand-mouse. Security policies need to be reviewed to protect information. In companies, it is vital that both security managers AND all users should receive training and education. Authentication systems using IDs and passwords alone should be shifted to systems using multiple ones. 17

18 Involving Top Management Without involving top management, it is impossible to ensure an adequate response to incidents. The response must be at the organizational level, rather than the shop-floor level. Trend towards the establishment of organizational CSIRTs Involving top management is essential. Decision-making processes used in incident response must be established in advance. Incident response requires timely decision-making in many areas. 18

19 Security from the Development Stage Security policy for application developments Establishment of security policies Checking for security policy violation when modifying specifications Removing debugging functions from products Console ports, debugging commands, etc. should not be embedded into products. Security policy reviews Reviewing security policies other than debugging and testing 19

20 Security Mainstream Despite the technological development of attacking methods, security side is still using the oldfashioned methods Protection: use of firewalls, anti-virus software Detection: use of IDS Response to weaknesses: updating software to latest versions, applying patches Policy: minimum use of authority 20

21 Security Mainstream Check again that basic security procedures are being followed! Apply patches to keep equipment fully up-to-date. Use anti-virus software. Use broadband routers and firewalls. Do not access suspicious websites. Do not open attached files without caution 21

22 3. Moves to Protect Critical Infrastructure 22

23 What is Critical Infrastructure? Critical infrastructure provides irreplaceable services that support social and economic activities. Any functional failures can greatly influence civil lives. Government of Japan Committee on Basic Problems of Information Security, 2nd Proposals (main text) 23

24 10 Infrastructures Defined as Critical 7 existing areas 3 additional areas Information & telecommunications Railways Gas Airlines Financial services Electrical power Government & administrative services Logistics Water Medical care 24

25 Government Initiatives Domestic information security system Information Security Policy Council established within IT Strategy Headquarter (Head: Prime Minister of Japan) 3 expert committees established as subcommittees of ISPC: Security Culture Expert Committee Technology Strategy Expert Committee Critical Infrastructure Expert Committee (established in September 2005) 25

26 Critical Infrastructure Expert Committee The mission of the Critical Infrastructure Expert Committee is to protect critical infrastructure from attacks that cause IT failures, and set out directions for countermeasures. The Committee is examining the following possible measures: Cross-area assessment (dependency analysis, etc.) Create and evaluate security standards and guidelines Increase information sharing with critical infrastructures Cyber security drills, etc. 26

27 4. Trends in the CSIRT Community 27

28 The CSIRT Community FIRST: Membership increases to 186 teams SC contribute as board director 18th Annual FIRST Conference on Computer Security Incident Handling June 25 30, 2006 Baltimore, Maryland, United States APCERT: 17 teams, 14 regions APCERT AGM: March 28, 2006 Beijing 28

29 Trends in the CSIRT Community Provide more security support to users Early warning information services Information is gathered through an international CSIRT network: vulnerability, incident, and traffic monitoring information Collected information is analyzed and early warning information is reported. JPCERT/CC also provides alerts, an early warning information service. Approaches to top management Worldwide trend of forming CIO and CEO forums FIRST:Corporate Executive Programme (CEP) January 10, 2006: Asia-Pacific CEP Programme Hong Kong 29

30 Trends in the CSIRT Community Provide more security support to users (contd.) Implementation of cyber security drills As specialists in incident response and information handling, CSIRTs are drawing on their track record and experience to date to create scenarios and acting as drill implementers. JPCERT/CC has also begun offering services of this type. Vulnerability priorities The scale of the threat to any system presented by a vulnerability depends on the user. Vulnerability threat to systems differs from user to user Know your system. CERT/CC & JPCERT/CC are in the process of creating metrics. 30

31 Trends in the CSIRT Community (2) Information-sharing with a view to incident response will require multi-level cooperative relationships. Responding to incidents and vulnerability requires the information sharing between a number of different players. Difficulty of information sharing of high confidentiality Between government institutions and private sector Between different function levels - CSIRTs, policy makers, law enforcement agencies Between competitive players Between international players To date, CSIRTs have played a bridging role, facilitating coordination of information between parties and players where communication is usually difficult. The CSIRT community has started networking not only with telecommunications carriers but with a range of players including infrastructure providers, top management, vendors, the Government, and judicial institutions. 31

32 Summary Attacks becoming more organized, sophisticated, and complex User environments becoming more complex and powerful All users and players are responsible for protecting the Internet. CSIRTs, vendors, users, systems managers, Government, ISPs, the Media Cooperation between those concerned is becoming ever more important. 32

33 Inquiries JPCERT Coordination Center Tel: Yurie Ito 33