
Security Management in the Internet Era

Jun Murai Keio University

Suguru Yamaguchi Nara Institute of Science and Technology

1st: Course Description September 22, 2011

Course Description

Professor

Suguru Yamaguchi
Graduate School of Information Science, Nara Institute of Science and Technology
Information Security Advisor, National Information Security Center
Management Advisor of e-Government, Government Program Management Office

Jun Murai
Graduate School of Media and Governance, Keio University
Dean, Faculty of Environment and Information Studies, Keio University

Staff

TAs:
Yuki Uehara (Keio University)
Kunihiko Shigematsu (Keio University)
Hirotaka Sato (Keio University)
Masatoshi Enomoto (Nara Institute of Science and Technology)
Noppawat Chaisamran (Nara Institute of Science and Technology)

Questions about course content: send them to the mailing list (ML) at
[email protected]

Schedule

01st (09/22) Course Description
02nd (09/29) Cloud Security (1)
03rd (10/06) Cloud Security (2)
04th (10/13) Military use of cyber security technology and its issues
05th (10/20) IPv6 Security
06th (10/27) Guest Lecture (Joichi Ito)
07th (10/27) Midterm Presentation (1)
08th (11/10) Midterm Presentation (2)
09th (11/17) Disaster Recovery Internet (1)
10th (12/01) Disaster Recovery Internet (2)
11th (12/08) Personal Information and Security (1)
12th (12/15) Personal Information and Security (2)
13th (12/22) Evaluation of Security Risk
14th (1/12) Final Presentation (1)
15th (1/19) Final Presentation (2)

Grading Policy

Homework reports
• Several times during the course

Group work
• Midterm presentation: 7th and 8th classes
• Final presentation: 14th and 15th classes

Participation
• Questions and discussion are evaluated

What's SOI?

SOI (School Of Internet)
• A university on the Internet
• Anyone can join SOI, not only Keio University students
• http://www.soi.wide.ad.jp/

The SOI of this class

• This class is published in SOI, and you can watch the class videos there
• You have to register with SOI to submit homework
• How to join SOI is explained in the next several slides

School of Internet
http://www.soi.wide.ad.jp/

Security management in the Internet era: top page
http://www.soi.wide.ad.jp/class/20110020/

SOI Registration

学生登録 (student registration) → 履修登録 (course registration)

You have to register an SOI account, or you will not be evaluated (you will fail the class).

Submitting Homework

You can submit homework in several ways:
• Text
• Create a web page and register its URL

SFC students have to submit using their CNS account, or they will not be evaluated.
Submitted reports will not be disclosed.
You may refer to and reply to friends' reports.
You can modify your report as many times as needed before the deadline.
The submission page will be announced at a later date.

About this class

Course hours: 11:05–12:35 AM
The class is held for both SFC and Nara.

Guest lecture: 6th class (October 27th)
Joi Ito, Director of MIT Media Lab
18:10–19:40
Note: roll call is taken on the day of the guest lecture.

About the 2nd Class

This class is delivered not only via GC but also via iTunes U.
If this presents an inconvenience to you, please contact a TA in advance.

Message from Professor Murai

Internet society

The Internet as social infrastructure

[Figure: things connected to the Internet: IC cards, cellular phones, furniture, vehicles, medical instruments, aircraft, people, ticket reservation, power stations, generator management, traffic control, ID tags, banks, ATMs and online banking]
In the future, many more things will be connected.

[Figure: the Internet linking business, home, social infrastructure, education, spaceships, government and industry]

The characteristics of the Internet seen from security

1. Global infrastructure
A digital network connecting the whole globe. Agreement on the Internet and its operation are essential and require cooperation beyond and among nations. It is also the infrastructure supporting a wide variety of services, so maintaining reachability is important.

2. Open connectivity
The Internet is not only private lines; it is a structure whose lines are available to everyone. Government, corporations, voluntary groups and people in various positions are related to each other through it.

3. Variety of Internet devices
The Internet is composed of a variety of connected devices and software, and interconnection among them has been achieved. The vulnerabilities and countermeasures differ for every type of device and software.

Global infrastructure (1/2)

Digital infrastructure connecting the world: loss of network reachability causes problems in various situations, for individuals, businesses and governments.

Case: worldwide network failures
• BGP routing failure
  • About one hour from 1:23 (JST), 17 February 2009
  • Cause: misoperation by a provider in the Czech Republic
• DNS failure
  • 23 September 2010
  • Cause: misoperation; a DNSSEC key update failed

→ Whose responsibility is it? Should reachability be guaranteed all the time?
When a failure occurs, who should take responsibility? e.g. national organizations, carriers, businesses, individuals.

Global infrastructure (2/2)

Issues of law enforcement
Crime across national borders
• How to investigate?
• Which country's law applies?
• Depending on the law, the criminal cannot be seized
• Effect on conventions and legal systems?

[Figure: a user abroad attacks several servers in the domestic network. Is the attack judged by national law or by foreign law? Can an extradition request for the criminal be filed?]

Open Connectivity

[Figure: many users on one network, each asking "Trusted?"]

Various users are on the Internet, and everyone uses one network. Any host can be attacked from anywhere, at any time.
• An unpatched Windows XP SP1 machine connected to the Internet is compromised in about 4 minutes (Avantgarde, 2004)

It is difficult to build a trust relationship through online communication alone.
• Hosts do not need strict authorization or limitation to connect to the Internet
• An IP address does not give complete assurance of uniqueness

Various Internet Devices

Different devices have different characteristics. Who is responsible for managing them?
Risk of individual use: the Internet connection format, the types of vulnerability and the repair methods differ from device to device.

Information home electronics: e.g. televisions, video/DVD recorders
Personal computers: each operating system is an open platform for executable software
Cell phones: most functions are limited; available for reading e-mail and browsing the web
Smartphones: richer functions than traditional cell phones

New Risks

Disconnections of the network

• Natural disasters (earthquake, tsunami, typhoon, etc.)
• Instrument faults, human error, software problems
• Cyber attacks, DDoS attacks from botnets
• Foreign relations, legal actions, maintenance of security
• Problems of culture and manners

Intentional Information Control

Control for protecting the country
• Terrorism, domestic crime, crackdown on international crime (deterring criminals from communicating)
• Preventing leakage of information about technology and politics
• Control of religion and thought

Control for protecting individuals
• Information blocking: individuals can use information for crime, or can be taken in by crime
• Protection of privacy and privilege: control of leaked information and defamatory information

Globalization of Services

Expansion of cloud computing services
• From where are the data and services provided?
• Users have difficulty seeing who operates their data and services because of outsourcing
• The credibility of the company and country-specific laws affect risk evaluation

[Figure: users in various countries; where the server is really located and which company operates it influence the users' risks]

Dependence on Online Services

Dependencies are concentrated on specific online services: search engines, web mail, Twitter, etc.
Many service businesses go online: reservation systems, payment systems, data keeping, etc.

Think about the impact when they stop. Who assumes the responsibilities, and how?

The effect on privacy of associating information

Until now: databases existed individually, so information about an individual had restricted meaning.
• Records of digital money and credit cards
• Boarding records of transportation facilities
• Phone call records of cell phones

Now: databases are linked, so information about individuals can easily be associated, and action history, patterns and tastes become easy to guess.
• Boarding records of transportation facilities
• Phone call records of cell phones
• Records of digital money and credit cards
• Video from security cameras
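As an added illustration (not part of the lecture), the Python below joins three constructed record sets of the kinds listed on this slide, transit gate taps, e-money payments and phone call records, on a shared customer identifier and derives the home station, workplace, regular shop and night-time location that none of the three logs reveals on its own. The linking key is an assumption made for the example: the same IC card number is used for transit and for e-money payments, and the phone carrier has that card number on file for the subscriber.

```python
"""Record linkage across separately collected logs (added example).

All records below are constructed toy data. The assumption that the transit
card, the e-money card and the phone carrier's customer file share one
identifier is what makes the join possible; it stands in for the real-world
linkage the slide describes.
"""
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed transit gate taps: (card_id, "YYYY-MM-DD HH:MM", station)
TRANSIT = [
    ("IC-1001", "2011-09-20 07:42", "Shonandai"),
    ("IC-1001", "2011-09-20 08:35", "Tokyo"),
    ("IC-1001", "2011-09-20 19:10", "Tokyo"),
    ("IC-1001", "2011-09-20 20:02", "Shonandai"),
    ("IC-1001", "2011-09-21 07:40", "Shonandai"),
    ("IC-1001", "2011-09-21 08:33", "Tokyo"),
    ("IC-1001", "2011-09-21 18:55", "Tokyo"),
    ("IC-1001", "2011-09-21 19:47", "Shonandai"),
]
# Constructed e-money payments made with the same card: (card_id, time, merchant)
PAYMENTS = [
    ("IC-1001", "2011-09-20 12:15", "Cafe A"),
    ("IC-1001", "2011-09-21 12:20", "Cafe A"),
    ("IC-1001", "2011-09-20 20:10", "Pharmacy B"),
]
# Constructed phone call records: (phone_number, time, cell tower)
CALLS = [
    ("090-0000-0001", "2011-09-20 22:30", "tower-Shonandai-3"),
    ("090-0000-0001", "2011-09-21 22:15", "tower-Shonandai-3"),
]
# Assumed carrier customer file linking a phone number to the card number.
CARRIER_CUSTOMERS = {"090-0000-0001": "IC-1001"}


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def merge_timeline(card_id: str) -> List[Tuple[datetime, str, str]]:
    """Join the three logs on the card id and return one time-ordered timeline."""
    phones = {p for p, c in CARRIER_CUSTOMERS.items() if c == card_id}
    events = [(_ts(t), "transit", d) for c, t, d in TRANSIT if c == card_id]
    events += [(_ts(t), "payment", d) for c, t, d in PAYMENTS if c == card_id]
    events += [(_ts(t), "call", d) for p, t, d in CALLS if p in phones]
    return sorted(events)


def _top(counter: Counter) -> Optional[str]:
    return counter.most_common(1)[0][0] if counter else None


def profile(card_id: str) -> Dict[str, object]:
    """Infer daily pattern from the merged timeline.

    Each inference uses a different source, and the night-time tower
    corroborates the home station found from the first tap of each day:
    this cross-checking is what isolated databases could not offer.
    """
    timeline = merge_timeline(card_id)
    taps_by_day = defaultdict(list)
    for when, source, detail in timeline:
        if source == "transit":
            taps_by_day[when.date()].append(detail)
    first_taps = Counter(taps[0] for taps in taps_by_day.values() if taps)
    second_taps = Counter(taps[1] for taps in taps_by_day.values() if len(taps) > 1)
    merchants = Counter(d for _, s, d in timeline if s == "payment")
    night_towers = Counter(d for w, s, d in timeline if s == "call" and w.hour >= 21)
    return {
        "home_station": _top(first_taps),        # first gate of the day
        "work_station": _top(second_taps),       # end of the morning trip
        "regular_merchant": _top(merchants),     # repeated lunchtime purchase
        "night_location": _top(night_towers),    # where the phone is late at night
        "events_linked": len(timeline),
    }


if __name__ == "__main__":
    for row in merge_timeline("IC-1001"):
        print(row)
    print(profile("IC-1001"))
```

Each log by itself is low-value: the transit log shows a commute, the payment log a cafe, the call log a cell tower. Once joined, the first tap of the day and the late-night tower agree on a home neighbourhood, the second tap gives the workplace and the payments give a lunchtime habit; the profile is built with nothing more than a sort and a few counters, which is the point the slide makes.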

Message from Prof. Yamaguchi

Business processes and ICT

Business Platform built on ICT

Implementation of businesses on ICT platforms = visualization of business "know-how"

[Figure: business functions running on the ICT platform: sales order management, business design, factory management, outsourcing, company operation, QA/QC, delivery, marketing, settlement, executive decision support, customer support, financial management]

Connected World & Shared Responsibility

[Figure: things connected to the Internet: IC cards, cellular phones, home appliances, automobiles, medical services, aviation, individuals, ticket reservations, power supply, plant management, traffic management, RFID, finance services, ATMs, online banking]

Supply Chain Management (SCM), today

[Figure: suppliers → stock management → factories → logistics → customers, all running on the ICT platform, together with production optimization, financial management, and integrated business management & ERP]

Roles of Information Systems

• Information storage and repository
• Process reuse with economic efficiency
• Handling "money"
• Parallel processing to manage many devices (e.g. sensor networks)

"Business enabler": companies implement their business model on information systems.
• Agile development for quicker turnover
• Direct improvement of economic efficiency through integration and interconnection of systems
• A new style of "value creation"

Where are we heading?

Wide ICT deployment in social infrastructures. We are living in a "connected world" where more and more information is exchanged and processed among a vast number of computers and ICT devices.

A true ICT society:
• Covers our whole globe
• Knowledge-based economy
• Global optimization
• High mobility of users, information processing and assets

Security is our #1 priority

Information systems are also a "business enabler" for criminals. They add power to criminals in many ways, such as APT and attacks using cloud computing. There is global collaboration in making malware, composing attacks and getting $$$.

We have to change this game!
• A good scheme to strengthen information security management
• More efficient measures against criminals
• Changes in the structure are needed

BOTnet attacks on KR and US in July 2009

[Figure: an attacker in the UK controlling 8 controllers around the world and 170K BOT nodes in 74 countries, launching DDoS attacks]
Top 10 countries by BOT nodes: 1 Korea, 2 USA, 3 China, 4 Japan, 5 Canada, 6 Australia, 7 Philippines, 8 New Zealand, 9 UK, 10 Vietnam
Ref: http://blog.bkis.com/en/korea-and-us-ddos-attacks-the-attacking-source-located-in-united-kingdom/

Cloud computing is much better than BOTnet!

BOTnet vs. Cloud Computing (purchased system profile: 1000 instances for 1 hour)

BOTnet
• Rental cost [1]: about 30,000 yen
• Illegal to use

Cloud Computing
• Rental cost [2]: about 10,000 yen
• Legal to use
• Anyone can rent it

[1] http://www.gdata.co.jp/press/WP_UndergroundEconomy.pdf
[2] http://aws.amazon.com/jp/ec2/

Password Crack on Cloud Computing

The case using Amazon EC2
Ref: Electric Alchemy Inc., http://itpro.nikkeibp.co.jp/article/COLUMN/20100412/346976/

Target                                      Cost (USD)
Letters only, 8-character password          3
Letters + digits, 8-character password      45
Letters only, 12-character password         1,529,310
Letters + digits, 12-character password     75,935,598
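The four rows above lie on one curve: cost = (charset size)^length × price per guess. The Python below is an added example, not from the slides or the cited article. It calibrates the price per guess from the slide's largest data point (an assumption, since the article's hash algorithm, hash rate and instance price are not on the slide), reproduces the other three rows from that single number, and answers the question the table invites: how long must a password be before an exhaustive search exceeds an attacker's budget?

```python
"""Keyspace and brute-force cost model behind the EC2 cracking table.

Added example, not part of the lecture. The only inputs are the slide's
four (charset, length, USD) rows; the per-guess price is calibrated from
one of them rather than taken from the original article (assumption).
"""
from typing import List, Tuple

ALPHA = 26   # a-z, the slide's "letters only"
ALNUM = 36   # a-z plus 0-9, the slide's "letters + digits"

# The four data points from the slide: (charset size, length, cost in USD).
SLIDE_TABLE = [
    (ALPHA, 8, 3),
    (ALNUM, 8, 45),
    (ALPHA, 12, 1_529_310),
    (ALNUM, 12, 75_935_598),
]


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must try."""
    return charset_size ** length


def usd_per_guess(charset_size: int, length: int, cost_usd: float) -> float:
    """Calibrate the price of one guess from a known (charset, length, cost) row."""
    return cost_usd / keyspace(charset_size, length)


def crack_cost_usd(charset_size: int, length: int, price_per_guess: float) -> float:
    """Worst-case cost of trying every candidate (expected cost is half of this)."""
    return keyspace(charset_size, length) * price_per_guess


def min_length_for_budget(charset_size: int, price_per_guess: float,
                          budget_usd: float) -> int:
    """Smallest length whose full search costs more than the attacker's budget."""
    length = 1
    while crack_cost_usd(charset_size, length, price_per_guess) <= budget_usd:
        length += 1
    return length


def reproduce_slide_table(price_per_guess: float) -> List[Tuple[int, int, float, float]]:
    """Rows of (charset, length, slide cost, model cost) for comparison."""
    return [(c, n, cost, crack_cost_usd(c, n, price_per_guess))
            for c, n, cost in SLIDE_TABLE]


if __name__ == "__main__":
    # Calibrate on the largest row, which suffers least from rounding.
    price = usd_per_guess(ALNUM, 12, 75_935_598)
    for charset, length, slide_cost, model_cost in reproduce_slide_table(price):
        print(f"{charset:>2}^{length:<2}  slide {slide_cost:>12,}  model {model_cost:>14,.0f}")
    for charset in (ALPHA, ALNUM):
        print(f"charset {charset}: first length above USD 1M is",
              min_length_for_budget(charset, price, 1_000_000))
```

Two caveats the table hides. The figures are worst-case, the whole keyspace; on average the attacker succeeds about halfway through, so halve them. And the price per guess depends entirely on the hash function being attacked: a deliberately slow password hash raises it by orders of magnitude and shifts every row of the table with it, which is why the length that is "safe" here is meaningless without knowing how the password was stored.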

Economics of Cyber Crimes, Today

[Figure: the balance of Risk, Effort and Reward]

Economics of Cyber Crimes, Tomorrow

[Figure: Risk, Effort and Reward, with the balance marked "?"]