Result of the Attitude Survey on Information Security

Transcription

1 Presentation Result of the Attitude Survey on Information Security Conducted toward the companies Operating in Thailand February, 2009 Center of the International Cooperation for Computerization of Japan 1

2 About the Survey The survey period : Oct. Nov Target organizations: Companies in Thailand Number of answers received : 512 2

3 Agenda 1. About the Company Profile of the survey 2. The Current Situation of the Information Security Management 3. Recommended Security Controls 3

4 1. About the Company Profile of the Survey 1.1 About the company profile 1.2 About IT system of the companies 4

5 1.1 About the company profile The companies originally coming from A. Local (include majority of JV) :296 B. Japan (include majority of JV) :153 C. Other Asian (include majority of JV) :17 D. America or Europe (include majority of JV) : 38 E. Other country (include majority of JV) : 6 D, 7% E, 1% C, 3% B, 30% A, 58% A B C D E 5

6 1.1 About the company profile The ratio of security vendor, IT vendor, and company using IT A. Company specializing in providing security-related related products or services B. Company specializing in providing IT products or services C. Company using IT A, 3% B, 22% A B C C, 75% 6

7 1.1 About the company profile Number of employee that companies own A. 20 or less B. 21 to 50 9% 10% Small C. 51 to % Medium D. 101 to % The ratio of large, medium, and small sized companies E. 301 to 1,000 27% F. 1,001 to 5,000 G. 5,001 or more 6% 12% Large Small, 19% 0% 5% 10% 15% 20% 25% 30% Large, 44% Small Medium Large Medium, 37% 7

8 1.1 About the company profile The ratio of large, medium, and small sized companies comparing with the number of their administrator LARGE sized companies 1% 17% 81% MEDIUM sized companies 18% 39% 44% A. Have full-time administrators B. Administrators are double as other post C. None SMALL sized companies 19% 33% 47% 0% 20% 40% 60% 80% 100% 8

9 1.1 About the company profile The ratio of large, medium, and small sized companies comparing with the custom of password changing Servers Password Clients Password 58% 57% LARGE sized companies 10% 30% LARGE sized companies 4% 36% 2% 3% MEDIUM sized companies 3% 13% 35% 49% A. Change them frequently B. Use passwords, but do MEDIUM not change sized C. companies Passwords are shared 9% among members D. Not use 11% 29% 50% A. Change them frequently B. Use passwords, but do not change C. Passwords are shared among members D. Not use 16% 16% SMALL sized companies 16% 56% SMALL sized companies 6% 54% 13% 24% 0% 20% 40% 60% 80% 0% 10% 20% 30% 40% 50% 60% 9

10 1.1 About the company profile The ratio of large, medium, and small sized companies comparing with the physical security control LARGE sized companies 14% 19% 30% 37% MEDIUM sized companies 6% 21% 22% 51% A. Use biometrics B. Use ID cards C. Other D. Not controlled SMALL sized companies 2% 13% 13% 72% 0% 10% 20% 30% 40% 50% 60% 70% 80% 10

11 1.1 About the company profile The ratio of large, medium, and small sized companies comparing with establishing their information security policy LARGE sized companies 2% 14% 21% 64% A. Established MEDIUM sized companies 6% 27% 26% 41% B. Planning C. Have no plan, but understand it is important D. Not necessary SMALL sized companies 22% 18% 18% 42% 0% 10% 20% 30% 40% 50% 60% 70% 11

12 1.2 About IT system of the companies Do you have servers in place? No servers, 10% Have their own servers No servers Have their own servers, 90% 12

13 1.2 About IT system of the companies The location of their servers In-house 93% External sites in domestic 16% External sites in overseas 11% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% 13

14 1.2 About IT system of the companies The methods of control to enter or exit of the rooms where important equipment such as servers and storages installed A. Use biometrics 9% B. Use ID cards 28% C. Other 25% D. Not controlled 41% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 14

15 1.2 About IT system of the companies Threat due to lack of physical security is still high in Japan Cause of Security Incidents Internal dishonest act 0.9% Taking out without allow 7.9% Loss or Mislay 20.5% Virus 8.3% Lack of Control 20.4% Theft 16.6% Operation Error 18.2% Source: Information Security Incident Survey Japan Network Security Association 15

16 1.2 About IT system of the companies How many client PCs are installed approximately? Client PCs (Average) LARGE sized companies 15% 10% 23% 20% 33% MEDIUM sized companies 3% 0% 17% 31% 49% 49 or less clients 50 to 99 clients 100 to 299 clients 300 to 999 clients 1000 or more clients SMALL sized companies 2% 0% 1% 2% 95% 0% 20% 40% 60% 80% 100% 16

17 1.2 About IT system of the companies About client PCs Which OS are used in the client PCs? Windows 98 17% Windows ME 5% Windows 2000 Windows Vista 25% 26% Windows XP 94% Mac OS 4% Linux 10% Other 4% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% 17

18 1.2 About IT system of the companies About Firewall installation Servers with Firewall installed Clients with Personal Firewall No, 12% Yes No Yes, 88% 18

19 1.2 About IT system of the companies 95% of companies use Windows XP. They don t install personal firewall? Anti-Virus Firewall Windows Firewall (the control panel of Windows XP) 19

20 1.2 About IT system of the companies About applying security patch If the Windows Update or new version is released, are they installed? Servers with security patch Clients with security patch No, 22% Yes, 78% Yes No No, 30% Yes, 70% Yes No 20

21 1.2 About IT system of the companies The problem is that security and IT vendor are not fully controlled. led. There is a result that their security situation is worse than general company using IT. Servers with security patch A. Company specializing in providing security-related products or services 30% 70% B. Company specializing in providing IT products or services 14% 86% If the Windows Update or new version is released, they are installed If the Windows Update or new version is released, they are NOT installed C. Company using IT 23% 77% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Clients with security patch A. Company specializing in providing security-related products or services 31% 69% B. Company specializing in providing IT products or services 17% 83% If the Windows Update or new version is released, they are installed If the Windows Update or new version is released, they are NOT installed C. Company using IT 33% 67% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 21

22 1.2 About IT system of the companies If applying the security patches are delayed, the possibility of security incident will be higher. Infection rate You would be infected with a virus You could protect from virus Security patch released Epidemic (Virus) Time 22

23 1.2 About IT system of the companies About the policy of using password A. Change them frequently B. Use passwords, but do not change C. Passwords are shared among members D. Not use Servers with the password Clients with the password C, 12% D, 4% C, 7% D, 10% A, 43% A, 39% B, 41% B, 44% 23

24 1.2 About IT system of the companies Hacker can easily decode your password if they have some time. With 1,000,000 attacks per second.the problem is CPU will be still faster. 6 Characters 7 Characters 8 Characters Alphabet Only 5 minutes 2 hours 2.4 days Alphabet +Number 36 minutes 22 hours 32 days Alphabet +Number +Symbol 27 hours 78 days 14 years 24

25 1.2 About IT system of the companies Strong Password A lot of characters (Ex. 8 characters) Difficult to guess Using Alphabet and Number at the same time Using Capital and Small letters at the same time Using Symbolic letters (Ex. #, $, %, &) Weak Password The same of user ID Easy to guess (Ex. Birthday, Telephone number) A few characters Not Changing frequently 25

26 1.2 About IT system of the companies About servers Are the routines to synchronize the correct date and time in all systems installed? A. Yes B. No B, 29% A B A, 71% 26

27 1.2 About IT system of the companies About servers Are the logging facilities or logging tools installed? A. Yes B. No B, 23% A B A, 77% 27

28 1.2 About IT system of the companies In order to get effective logs chasing attacker, those time stamps must be accurate. They includes network facilities like Gateway, Firewall, IDS, and several kind of servers. You might be able to get evidence where the attacker come from, when he crack the server, and how it is like.. etc. Internet Attacker Attack Route External network Mobile Gateway Attacker s Logs WEB Attack Internal Network FW IDS DNS Mail DMZ Internal Server Clients Wireless LAN 28

29 2. The Current Situation of the Information Security Management 2.1 About company's attitude to the information security management 2.2 About information security policy 2.3 Measures against threats to information 2.4 Others 29

30 2.1 About company's attitude to the information security management ent Do you have something to worry about information security measure? A. Nothing 16% B. Loss or leak of in-house information (trade secrets, personal information and so on) 61% C. Loss or leak of information (trade secrets, personal information and so on) that you received from your business partner (company that outsourced its job to your company) 38% D. Your business partner (your outsourcer) is making (or likely to make) strenuous demands on your company regarding information security measures. 16% E. Loss or leak of information (trade secrets, personal information and so on) that you gave to your business partner (company that outsourced its job to your company) 30% F. Loss of information you hold due to system failure or other accidents 57% G. Negative effects on your business that can be brought by system halt 43% H. Failure of remote application services (SaaS (Software as a Service), ASP and so on) or leak of information through the failure of those services 18% I. Other things to worry 3% 0% 10% 20% 30% 40% 50% 60% 70% 30

31 2.1 About company's attitude to the information security management ent Cause of Security Incidents with the number of personal information leakage in Japan Internal dishonest act 1,234,700 Lack of Control 114,400 Hacking 23,500 According to Cause of Security Incidents, Internal dishonest act accounts for only 0.9%. Comparing with the report, the fact explains that the damage of internal dishonest act becomes extremely high. Bug 19,900 Taking out without allow 9,900 Source: Information Security Incident Survey Japan Network Security Association 31

32 2.1 About company's attitude to the information security management ent What do you think is the challenge for your company in implementing information security? A. No problem 18% B. High installation cost of security-related software and hardware products 57% C. Cannot afford personnel in charge of implementing security measures 17% D. Have no personnel specializing in information security 38% E. Because operation and maintenance control of internal system is outsourced to external company, security measures are not actively implemented by employees within your company 13% F. Difficult to confirm the implementation status of security measures undertaken by the external company where you outsource your job. 17% G. Management is scarcely aware of the need of information security 16% H. Do not know what measures should be taken as regards information security 15% I. Other elements 3% 0% 10% 20% 30% 40% 50% 60% 32

33 2.1 About company's attitude to the information security management ent the total expenditure of information technology for a company in Japan Exchanges Rate 0.39 THB = 1 JPY, Jan Not answered 17.9% Less than 20,000, % More than 400,000, % 20,000,000~ 49,999, % 100,000,000~ 399,999, % 50,000,000~ 99,999, % Source: Information Security Incident Survey IPA 33

34 2.1 About company's attitude to the information security management ent What do you think is necessary for implementing appropriate information security measures? A. Guideline on minimum-required security measures 62% B. Best practices of security measures that are being implemented by other companies in the similar industry and similar size C. Check list on information security measures that can be used to satisfy requests from multiple companies that outsourced their job to your company D. Self-assessment tool that can be used to diagnose where the problems lie within security measures 33% 52% 50% E. Guide on how to make information-security-related technical settings on major software products 44% F. Educational materials on information security that are targeted for your employees 46% G. Others 1% 0% 10% 20% 30% 40% 50% 60% 70% 34

35 2.1 About company's attitude to the information security management ent Recognition on guideline for protection against computer virus in i Japan Not sure 1.0% Understand 7.1% Don t Know 36.5% Read 22.4% Know it 33.0% Source: Information Security Incident Survey IPA 35

36 2.1 About company's attitude to the information security management ent What are the ways for staff training on information security? Internal training External training Seminar None Persons in charge of information security 42% 61% 51% 14% General staff 62% 12% 16% 22% 36

37 2.2 About information security policy Does your company establish information security policy? A. Yes B. Planned C. Have no plan, but understand it is important D. Not necessary D, 6% C, 23% A, 48% A B C D B, 23% 37

38 2.2 About information security policy What are the reference rules to make your information security policy? A. ISO/IEC 27001(ISMS requirements specification (used for certification)) 15% B. ISO/IEC Code of Practice (pragmatic ISMS advice) 10% C. National standard or national guideline 30% D. Standard of IT vendors 17% E. Measures that are requested by the business partner 11% F. Company s own rule 64% G. Other 10% 0% 10% 20% 30% 40% 50% 60% 70% 38

39 2.2 About information security policy How does your company treat a staff who offences the security policy? A. Punish the person as explicitly described in the security policy 18% B. Punish the person based on the company's general rules 45% C. A supervisor warns the person 32% D. Don't do anything special 5% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% 39

40 2.3 Measures against threats to information If an incident of the information security occurs, to whom do you report to? A. ThaiCERT (in Thailand) 7% B. IT vendor 24% C. Management top in the company 49% D. Do not report especially 2% E. Other 5% 0% 10% 20% 30% 40% 50% 60% 40

41 2.3 Measures against threats to information Do you know the police unit responsible for computer crime A. Yes B. No B, 39% A, 61% A B 41

42 2.3 Measures against threats to information Were there any information security problems in the company? A. Yes B. No C. Not sure C, 29% A, 21% A B C B, 49% 42

43 2.3 Measures against threats to information What type of incident was it? A. System holt that caused stoppage in business operation and services 14% B. Unauthorized access (such as defacing web pages) 8% C. Leak of information 11% D. Infected by virus or spyware 41% E. Other 2% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 43

44 2.3 Measures against threats to information Experience about computer virus Not Answer 0.6% Infected by virus 12.4% Never found virus nor infected 41.6% Found virus but not infected 45.4% Source: Information Security Incident Survey IPA 44

45 2.3 Measures against threats to information If a company staff takes out files in the mobile PC or USB memory, how does your company handle it? A. Allow if they are encrypted 12% B. Require password authentication when they are opened 15% C. No any special control 56% D. Others 15% 0% 10% 20% 30% 40% 50% 60% 45

46 2.3 Measures against threats to information Cause of Security Incidents with the number of personal information ion leakage in Japan by media/ channel in Japan Because of the big incident (14,430,000) Normally media like USB is the most dangerous cause in Japan PC 790,000 Other 40,000 Not sure 320,000 Document 16,950,000 (2,520,000) Media like USB 11,810,000 Source: Information Security Incident Survey Japan Network Security Association 46

47 2.4 Others Relation with business partners Has your company checked with business partners about their status of information security measures? A. Yes B. No A, 30% A B B, 70% 47

48 2.4 Others Relation with business partners Have your business partners checked with your company about your status of information security measures? A. Yes B. No A, 35% A B B, 65% 48

49 2.4 Others Cause of Security Incidents by channel in Japan Person s own PC 60.5% Business Partner 31.6% retired employee or ex-partner 13.2% Company s own PC 2.6% Other 5.3% Source: The report about information security governance - Ministry of Economy, Trade and Industry 49

50 2.4 Others Evaluation method for the company status of information security In Japan, benchmark testing method is established and open to public. Companies are able to assess their own security level and it is free of charge. Do you want to receive such benchmark testing if it is made available in your country? A. Yes B. Want to know about it more C. Not necessary D. Not interested C, 8% D, 7% A, 26% A B C D More than 85% of companies are interested in security benchmark testing B, 59% 50

51 2.4 Others CSIRT (Computer Security Incident Response Team) is an organization to deal with information security incidents. Recently company s s own CSIRT becomes famous managing these incidents inside and outside of the company. What do you think of company's own CSIRT? More than 70% of companies think CSIRT is necessary A. Already have Company's own CSIRT 19% B. Planning 16% C. Necessary, but not planning 38% D. No Need 27% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 51

52 About CSIRT National CSIRT Dealing with information security incidents National CSIRT Dealing with information security incidents Internet Dealing with information security incidents Internal CSIRT National CSIRT Account Section Sales Section Executive Section Attack 52

53 3. Recommended Security Controls Physical Security For example.. Make clear rules how to deal with physical security area Make appropriate entry controls to ensure that only authorized personnel are allowed access Recognize your staff from the outside Record logs when they come in/ out in your office Source: Benchmark of Information Security Control - IPA 53

54 3. Recommended Security Controls Human resources Security For example.. Make clear sense of responsibility they have to realize Contract confidentiality agreements Make a formal discipline for employees who have break your security rules Return all of their assets including IDs and remove all of access light when employee retire Source: Benchmark of Information Security Control - IPA 54

55 3. Recommended Security Controls System Security For example.. Make clear security requirements for information facilities and systems Monitor system activities and review regularly Get security related logs Protect logging facility and log information Synchronize the clock of all relevant information processing systems with an accurate time source Source: Benchmark of Information Security Control - IPA 55

56 Thank you! ขอบค ณคร บ 56