METI
Realizing a World-Class “Highly Reliable Society”
November 25, 2004
Yutaka Hayami, Director, Office of IT Security Policy
Ministry of Economy, Trade and Industry (METI), JAPAN
Contents
– Background
– Comprehensive Strategy on Information Security
– METI Cyber-Security Policy
  – Improving Security Technology
  – Improving Security Management
  – Information Security Early Warning Partnership
  – Critical Infrastructure Protection
– Closing
Background
[Chart: role of information systems and direction of IT security, 1950 to 2000; driver: efficient work style, competitiveness]
– Systems over time: exclusive systems → big, host types → C/S types → PC, Internet → broadband
– Users expanding over time: government → banking, transportation, energy sectors → large enterprises → small/medium enterprises → personal use
– Role of information systems: national security, calculation use → reliability of systems → e-commerce, economic infrastructure → lifelines for society, economy, and daily life
– Direction of IT security: protection of military data → availability for critical infrastructure → availability for IT systems in corporations → network security for e-commerce → security for e-government → safe/reliable society
Background
Time from release of vulnerability information to appearance of exploit code, and from exploit code to the attack day of the virus, etc. (“?” means unknown at the time of the slide):

Vulnerability  Release of vulnerability  Gap       Appearance of  Gap       Attack day of  Virus, etc.
               information and remedy              exploit code             virus, etc.
MS02-039       2002/7/29                 2 months  2002/9/25      4 months  2003/1/25      SQL Slammer
MS03-026       2003/7/17                 10 days   2003/7/27      16 days   2003/8/12      Blaster
MS03-039       2003/9/11                 4 days    2003/9/15      5 months  2004/2/11      Welchia.B
MS03-043       2003/10/16                3 days    2003/10/19     ?         ?
MS03-049       2003/11/12                1 day     2003/11/13     2 months  2004/2/11      Welchia.B
MS04-007       2004/2/11                 3 days    2004/2/14      ?         ?
MS04-011       2004/4/14                 11 days   2004/4/25      6 days    2004/5/1       Sasser

Attacks targeting vulnerabilities happen more and more rapidly.
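The exposure windows in the table above, recomputed in days from the dates the slide gives. This is an added example and not part of the METI presentation: the rows are transcribed from the slide, and the day-count functions, their names and the treatment of the “?” cells as unknown are assumptions of this example.

```python
from datetime import date
from typing import Optional

# Rows transcribed from the slide: (bulletin, disclosure, exploit code, attack day, virus).
# "?" marks a cell the slide leaves unknown.
SLIDE_ROWS = [
    ("MS02-039", "2002/7/29",  "2002/9/25",  "2003/1/25", "SQL Slammer"),
    ("MS03-026", "2003/7/17",  "2003/7/27",  "2003/8/12", "Blaster"),
    ("MS03-039", "2003/9/11",  "2003/9/15",  "2004/2/11", "Welchia.B"),
    ("MS03-043", "2003/10/16", "2003/10/19", "?",         ""),
    ("MS03-049", "2003/11/12", "2003/11/13", "2004/2/11", "Welchia.B"),
    ("MS04-007", "2004/2/11",  "2004/2/14",  "?",         ""),
    ("MS04-011", "2004/4/14",  "2004/4/25",  "2004/5/1",  "Sasser"),
]


def parse_day(text: str) -> Optional[date]:
    """Parse the slide's YYYY/M/D format; an unknown cell ("?") becomes None."""
    if text.strip() == "?":
        return None
    year, month, day = (int(part) for part in text.split("/"))
    return date(year, month, day)


def days_between(start: Optional[date], end: Optional[date]) -> Optional[int]:
    """Whole days from start to end, or None when either date is unknown."""
    if start is None or end is None:
        return None
    return (end - start).days


def exposure_windows(rows=SLIDE_ROWS) -> dict:
    """Map bulletin id -> (disclosure->exploit, exploit->attack, disclosure->attack) in days."""
    result = {}
    for bulletin, disclosed, exploit, attack, _virus in rows:
        d, e, a = parse_day(disclosed), parse_day(exploit), parse_day(attack)
        result[bulletin] = (days_between(d, e), days_between(e, a), days_between(d, a))
    return result


def shortest_patch_window(rows=SLIDE_ROWS) -> tuple:
    """The bulletin with the smallest disclosure-to-exploit gap: the tightest
    deadline a patch process had to meet among the slide's examples."""
    windows = exposure_windows(rows)
    bulletin = min(windows, key=lambda b: windows[b][0])
    return bulletin, windows[bulletin][0]


if __name__ == "__main__":
    for bulletin, (to_exploit, to_attack, _total) in exposure_windows().items():
        attack = "unknown" if to_attack is None else f"{to_attack} days later"
        print(f"{bulletin}: exploit code after {to_exploit} days, attack {attack}")
    print("shortest disclosure-to-exploit window:", shortest_patch_window())
```

The recomputed day counts agree with the slide’s rounded figures (for instance 10 and 16 days for MS03-026, 11 and 6 days for MS04-011); the unknown cells propagate as None rather than being guessed.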
Background
[Chart: Number of Virus Reports per year, 1998 to 2004 (2004 through August), scale 0 to 30,000; the largest bars are annotated “Blaster, etc.” and “Sasser, Netsky, etc.”]
【Source: Information-Technology Promotion Agency, Japan (IPA)】
Background
[Chart: Number of Unauthorized Access Reports per year, 1998 to 2004 (2004 through September), scale 0 to 4,000]
【Source: Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)】
Background
In recent years, IT has developed rapidly and diffused widely. The economy and society are highly dependent on IT systems, which are becoming increasingly complex, global, and interdependent.
IT has already become the “nervous system” of the economy and society.
“IT incidents will inevitably occur.” We need to make extensive efforts: (1) to prevent IT incidents, (2) to keep damage to a minimum, and (3) to implement immediate recovery measures.
Where does it come from?
【June 2003】 “Information Security Committee” established under the Industrial Structure Council (METI’s Advisory Council), and began discussions on realizing a “Highly Reliable Society.”
【October 2003】 Information Security Committee concluded its “Comprehensive Strategy on Information Security.”
[Diagram: foundations of the “Highly Reliable Society”]
– Outstanding security
– Commitment to manufacturing and quality; industrial infrastructure with device technologies
– Society founded on outstanding ethics and uniform and smooth communication
→ Highly reliable IT infrastructure & IT use
→ Reinforcement of economic competitiveness; improvement in the general security of Japan as an economic and cultural power
→ “Highly Reliable Society”
“Comprehensive Strategy on Information Security”
Basic goal: Development of a world-class “Highly Reliable Society”
Strategy 1: Development of a self-recoverable “social system prepared for accident/incident occurrences” (assurance of outstanding recoverability and localization of damage)
– Reinforcement of preventive measures
– Exhaustive reinforcement of measures to address accidents/incidents
Strategy 2: Public-sector action aimed at taking advantage of “High Reliability” as a strength
Strategy 3: Coordinated action to empower the Cabinet Office
Relationship between Past and Future Measures
[Matrix: segments (national/local governments; critical infrastructure; businesses and private individuals) against measure types]
Preventive measures (Strategy 1(1)):
– Existing preventive measures: enrichment and reinforcement of the preventive measures of national/local governments and key infrastructures
– New preventive measures for businesses and private individuals
Measures to address accidents/incidents (Strategy 1(2)):
– Exhaustive reinforcement of measures to prevent “impending accidents” in national/local govts. and key infrastructures
– Exhaustive reinforcement of measures to prevent “impending accidents” for businesses and private individuals
Foundation for general support (Strategy 2):
– Reinforcement of the foundation supporting the entire nation from the national-interest perspective
METI Cyber-Security Policy
Goal: Development of a world-class “highly reliable society”: (1) prevent IT incidents, (2) keep damage to a minimum, and (3) implement immediate recovery measures.
[Diagram: normal status → emergency status (computer viruses, unauthorized access, DoS attacks, …)]
1. Improving Security Technology: ISO/IEC 15408 (IT Security Evaluation); Cryptography Evaluation & PKI; R&D
2. Improving Security Management: Conformity Assessment Scheme for Information Security Management System (ISMS); Information Security Audit; Promotion of IT Security Governance within companies
3. Information Security Early Warning Partnership: (1) Incident Response, (2) Traffic Monitoring, and (3) Vulnerability Handling
4. Critical Infrastructure Protection: Information Security Measures in the Electricity Sector; plan to execute a cyber-exercise to prevent cyber-terrorism in the electricity sector
Security Technology
ISO/IEC 15408 IT Security Evaluation/Certification scheme
– Member of CCRA since October 2003
– Recommendation of evaluated/certified products for gov’t procurement
Cryptography Research and Evaluation Committees (CRYPTREC)
– Maintain a list of recommended cryptographic algorithms for gov’t procurement.
– Discuss CMVP scheme (Cryptographic Module Validation Program)
PKI (Public Key Infrastructure), etc.
– Verification experiments on actual services
– Study of authentication gateway
R&D
– Next-generation technology (forecasting incidents, new access control methods, etc.)
ISMS Conformity Assessment Scheme
ISMS: Information Security Management System
JIPDEC: Japan Information Processing Development Corporation
– Promotes continuous improvement of the information security management of organizations
– Based on ISO/IEC 17799:2000 and BS 7799-2
– JIPDEC began the Conformity Assessment Scheme in April 2002
– Certified organizations: 522 (as of 5 October 2004)
IT Security Audits
Independent auditors audit the IT security measures in a company. Standards are prescribed objectively. IT security audits have two types of evaluation: assurance and suggestion. Started in April 2003. JASA (Japan Association of Security Audits) will provide qualified auditors to maintain the high quality of audits.
[Diagram: the auditor applies the Information Security Management Standard and the Information Security Audit Standard to auditees (national govt., local govt., companies) and issues an audit report; assurance gives clients, customers and the general public trust, and suggestions lead to improvements and improved IT security measures]
IT security standards (METI’s notice)
Information Security Management Standards: standards which include management items and details on the improvement process when auditors perform an audit.
Information Security Audit Standards: standards which prescribe rules for auditors such as independence, evaluation of audit trails, and so on.
• Although they are not legal rules like audits for financial accounting, METI provides “standards,” which help promote the reliability of audit results.
• These standards facilitate the accumulation of IT security audit practices, and help clarify legal responsibilities.
Information Security Governance
Information Security Governance: “To develop and promote a coherent governance framework to drive implementation of effective information security programs” (Corporate Governance Task Force Report, April 2004)
The Committee of Information Security Governance at METI (established September 2004)
– Goal: To promote information security governance within corporate management
– Measures (under discussion):
  • IT security benchmarks for effective security investment by CIOs/CEOs
  • A guideline for Business Continuity Plans to prevent security incidents/unauthorized access
  • An appropriate format for Information Security Reports to stakeholders
  • etc.
Information Security Early Warning Partnership
METI has responded to security breaches in cooperation with IPA & JPCERT/CC since 1990.
However, exploit code now comes out in a shorter time after disclosure of vulnerability information than before. Therefore, just keeping the damage to a minimum is not enough.
(1) Incident Response (begun in the 1990s): computer virus and unauthorized access reports. Gather information about damage caused by computer viruses, and announce it to the public right after the incident. → Keep damage to a minimum.
(2) Traffic Monitoring (begun in 2003): grasp the current situation by observing traffic on the Internet, and detect trouble on a network simultaneously. → Need to prevent damage proactively.
(3) Vulnerability Handling Framework (begun in July 2004). → Need to prevent damage proactively.
Outline of the Partnership
[Diagram: information flows in the vulnerability handling framework]
– Discoverer → reporting → Receiving Organization (IPA) → analysis → Analyzing Organization (IPA)
– [Software Products] Receiving Organization (IPA) → Coordinating Organization (JPCERT/CC) → coordination → Vendors, System Integrators, Foreign CERTs → Portal Site (JPN: JP Vendor Status Notes) → notification → Users
– [Web Applications] Receiving Organization (IPA) → notification → Website Operation Manager → publicity* → Users
– Coordination with SPREAD for publicity
– Users: governments, companies, individuals
*: When personal data has leaked.
Information Security Measures in the Electricity Sector
The Federation of Electric Power Companies (FEPC) and the Central Research Institute of the Electric Power Industry (CRIEPI) will conduct simulated cyber-attacks on the information systems of electric companies starting in November 2004.
– Construct a model office network system including interfaces with control systems for electric power plants.
– Create scenarios of attacks on the model system.
– Try to access the model system to see whether the interface with the control systems can be reached, according to the scenarios.
– Accumulate expertise to protect electric power infrastructure systems.