Information Security Management

December 9th 2009
International Organization
on Computer Evidence
Antarctica
Katsuya UCHIDA, Professor Ph.D.
Institute of Information Security (Graduate School in Japan)
1
INTRODUCTION
1. Definition of Information Forensics

The application of science to the identification, collection, examination, and
analysis of data while preserving the integrity of the information and
maintaining a strict chain of custody for the data.
2. Four major categories of data sources
1. Files
2. Operating systems
3. Network traffic
4. Applications
Non-digital evidence?
NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response
Page 2
Institute of Information Security
Katsuya Uchida
[email protected]
INTRODUCTION
3. The process for performing information forensics
Collection: identifying, labeling, recording, and acquiring data from the possible sources of
relevant data, while following procedures that preserve the integrity of the data.
Examination: forensically processing collected data using a combination of automated and manual
methods, and assessing and extracting data of particular interest, while preserving the
integrity of the data.
Analysis: analyzing the results of the examination, using legally justifiable methods and techniques, to
derive useful information that addresses the questions that were the impetus for performing
the collection and examination.
Reporting: reporting the results of the analysis, which may include describing the actions used,
explaining how tools and procedures were selected, determining what other actions
need to be performed (e.g., forensic examination of additional data sources, securing
identified vulnerabilities, improving existing security controls), and providing
recommendations for improvement to policies, procedures, tools, and other aspects of
the forensic process.
INTRODUCTION
4. Procedure of Forensics
US Department of Justice
“Forensic Examination of Digital Evidence: A Guide for Law Enforcement”
When dealing with digital evidence, the following general forensic and procedural
principles should be applied:
• Actions taken to secure and collect digital evidence should not affect the integrity of
that evidence.
• Persons conducting an examination of digital evidence should be trained for that
purpose.
• Activity relating to the seizure, examination, storage, or transfer of digital evidence
should be documented, preserved, and available for review.
Through all of this, the examiner should be cognizant of the need to conduct an accurate
and impartial examination of the digital evidence.
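The two recurring requirements in the NIST process and the Department of Justice principles above are that collection must not alter the evidence and that every seizure, examination, storage or transfer step must be documented and reviewable. The following Python example is added here to show one concrete way of meeting both; it is not code from the slides or from either cited document. It records a SHA-256 digest at acquisition time, keeps an append-only custody log in which each entry commits to the previous one, and then verifies both the evidence bytes and the log. The evidence bytes, item id, actor names and timestamps are constructed sample values.

```python
"""Integrity check plus hash-chained chain-of-custody log for one evidence item.

Added example, not from the original slides. Names, timestamps and the
evidence content below are constructed sample data.
"""
import hashlib
import json

# Constructed stand-in for the bytes of an acquired disk image or file.
SAMPLE_EVIDENCE = b"constructed sample disk image content\x00\x01\x02"

GENESIS = "0" * 64  # prev_hash value for the first custody entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EvidenceRecord:
    """One evidence item: its acquisition digest and an append-only custody log.

    Each log entry stores the hash of the previous entry, so editing or
    deleting an earlier entry breaks every later link when verify_log() runs.
    """

    def __init__(self, item_id: str, data: bytes, collector: str, when: str):
        self.item_id = item_id
        # Digest taken at collection time; later comparisons use this value.
        self.acquisition_hash = sha256_hex(data)
        self.log = []
        self._append("collected", collector, when)

    def _append(self, action: str, actor: str, when: str) -> None:
        prev = self.log[-1]["entry_hash"] if self.log else GENESIS
        entry = {"item_id": self.item_id, "action": action,
                 "actor": actor, "time": when, "prev_hash": prev}
        # Canonical JSON (sorted keys) so the same entry always hashes the same.
        payload = json.dumps(entry, sort_keys=True).encode()
        entry["entry_hash"] = sha256_hex(payload)
        self.log.append(entry)

    def transfer(self, from_actor: str, to_actor: str, when: str) -> None:
        self._append(f"transfer:{from_actor}->{to_actor}", to_actor, when)

    def examine(self, examiner: str, when: str) -> None:
        self._append("examined", examiner, when)

    def verify_data(self, data: bytes) -> bool:
        """True if the bytes still match the acquisition-time digest."""
        return sha256_hex(data) == self.acquisition_hash

    def verify_log(self) -> bool:
        """True if every entry hashes correctly and links to its predecessor."""
        prev = GENESIS
        for entry in self.log:
            if entry["prev_hash"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def demo():
    """Walk one item through collection, transfer and examination, then verify."""
    rec = EvidenceRecord("ITEM-001", SAMPLE_EVIDENCE, "collector_a", "2009-12-09T09:00:00Z")
    rec.transfer("collector_a", "examiner_b", "2009-12-09T10:30:00Z")
    rec.examine("examiner_b", "2009-12-09T11:00:00Z")

    intact = rec.verify_data(SAMPLE_EVIDENCE)            # True: unchanged bytes
    altered = rec.verify_data(SAMPLE_EVIDENCE + b"x")    # False: one byte appended
    chain_ok = rec.verify_log()                          # True: log untouched

    rec.log[1]["actor"] = "someone_else"                 # simulate an edited custody entry
    chain_after_edit = rec.verify_log()                  # False: entry hash no longer matches
    return intact, altered, chain_ok, chain_after_edit


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

In practice the acquisition digest would be computed from a write-blocked source and recorded independently of the examiner's workstation; the hash chain here shows tampering but does not by itself prove who did it, which is why the slides also require trained personnel and reviewable records.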
INTRODUCTION
4. Incident Response or Information Forensics
Incident response or forensics?
• Incident Response: Recovery First (recovery is primary, evidence collection secondary)
• Information Forensics: Evidence First (evidence collection is primary, recovery secondary)
[Figure: decision flow. An incident occurs; management (CIO/CEO) decides between IR and IF: Incident Response (Recovery First) or Information Forensics (Evidence First). Technical analysis and incident response technologies support both paths.]
Information Security Management
Challenges from Information Security Management
In-source (Intranet): incident response or information forensics. There are a few challenges for information forensic technologies.
Outsource (Data Center): data is stored at a data center; what can be done depends on the SLA (Service Level Agreement).
Outsource (Cloud Computing):
• Technologies of forensics and e-discovery are of little use on cloud computing.
• Multi-party cloud agreements: the involvement of several providers can make matters more difficult to determine.
• Data retention or transfer restrictions must be considered: US Patriot Act, EU Data Protection Directive, etc.
• Cloud computing has many information security management issues: data location (country), data backups, operator quality, the possibility of external audit of the cloud provider, etc.
Forensics challenges from the information security management viewpoint are traceability issues: in cloud computing the key challenge is the "traceability" of data.
Cloud Computing Models
Service Delivery Models
1. SaaS (Software as a Service)
2. PaaS (Platform as a Service)
3. IaaS (Infrastructure as a Service)
Deployment Models
1. Private cloud
2. Community cloud
3. Public cloud
4. Hybrid cloud
http://csrc.nist.gov/groups/SNS/cloud-computing/
http://www.cloudsecurityalliance.org/csaguide.pdf
Reputation Fate Sharing
The US & EU Acts have an impact on cloud security: legal systems differ from country to country
• Core IP Networks LLC: On 2 April 2009, a colocation facility owned by Core IP Networks LLC
was raided by the FBI and the entire datacenter was shut down. "Millions of dollars' worth" of
computers, many owned by other companies colocated in the datacenter that had no connection
to the companies being investigated by the FBI, were confiscated and those sites went offline.
Some of the companies subsequently went out of business.
At 6 a.m. on 2 April 2009 the Texas data center company Core IP Networks LLC was raided by the FBI without warning and ordered to shut down the entire data center; all equipment was then seized under warrant.
• The Pirate Bay: On 31 May 2006, Swedish police officers shut down the website and confiscated
its servers, as well as all other servers hosted by The Pirate Bay's Internet service provider, PRQ.
When Swedish police seized from the data center the equipment of "The Pirate Bay", a website that had become a source of illegal P2P downloads, many completely unrelated websites were likewise taken down as collateral.
• The U.S. Patriot Act and EU Data Protection Directive have an impact on cloud security:
http://www.networkworld.com/newsletters/vpn/2009/092909cloudsec1.html?source=NWWNLE_nlt_security_2009-09-30
The Canadian and UK governments have decided on a policy of keeping data stored in cloud computing within their own countries.
International Convention for the Regulation of Cloud Computing
(operation of a common legal regime for cloud computing)
Antarctic Treaty System
The Main Antarctic Treaty
The main treaty was opened for signature on December 1, 1959, and officially entered into
force on June 23, 1961. The original signatories were the 12 countries active in Antarctica
during the International Geophysical Year (IGY) of 1957-58 and willing to accept a US
invitation to the conference at which the treaty was negotiated. These countries were the
ones with significant interests in Antarctica at the time: Argentina, Australia, Belgium, Chile,
France, Japan, New Zealand, Norway, South Africa, the Soviet Union, the United Kingdom
and the United States. Between them, the signatories had established over 50 Antarctic
stations for the IGY. The treaty was a diplomatic expression of the operational and scientific
cooperation that had been achieved "on the ice".
Virtual Cloud Continent Treaty System
On a Cloudy Day You Can See Forensics
Security Guidance for Critical Areas
of Focus in Cloud Computing
Section I. Cloud Architecture
Domain 1: Cloud Computing Architectural Framework
Section II. Governing in the Cloud
Domain 2: Governance and Enterprise Risk Management
Domain 3: Legal
Domain 4: Electronic Discovery
Domain 5: Compliance and Audit
Domain 6: Information Lifecycle Management
Domain 7: Portability and Interoperability
Section III. Operating in the Cloud
Domain 8: Traditional Security, Business Continuity and Disaster Recovery
Domain 9: Data Center Operations
Domain 10: Incident Response, Notification and Remediation
Domain 11: Application Security
Domain 12: Encryption and Key Management
Domain 13: Identity and Access Management
Domain 14: Storage
Domain 15: Virtualization
Cloud Security Alliance, April 2009
http://www.cloudsecurityalliance.org/
U.S. Patriot Act
The U.S. Patriot Act has an impact on cloud security
Cloud Security Alert By Tim Greene , Network World , 09/29/2009
Cloud security includes the obligation to meet regulations about where data is actually stored, something that is
having unforeseen consequences for U.S. firms trying to do business in Canada.
Recently several U.S. companies that wanted contracts to help a Canadian program to relocate 18,000 public workers
were excluded from consideration because of Canadian law about where personally identifiable information about its
citizens can be stored.
The rule is that no matter the location of the database that houses the information, it cannot place the data in danger
of exposure. From a Canadian perspective, any data stored in the U.S. is considered potentially exposed because of
the U.S. Patriot Act, which says that if the U.S. government wants data stored in the U.S., it can pretty much get it.
That effectively rules out cloud service providers with data centers only in the U.S. from doing business in Canada.
Checking out where data physically resides in a service-provider cloud is part of the due diligence regulated
businesses anywhere have to perform. In clouds that rely almost exclusively on virtual environments, this can be a
difficult task to document.
This is particularly true if the data is automatically replicated to other host machines in the cloud environment and the
cloud hasn't been designed with this parameter in mind. The implications for cloud service customers are apparent.
For providers that want to woo international customers, these geographic restrictions will have an impact on how
their networks are designed and segmented. They must build in assurances that data meant for only one sector of the
political map stays there. Presumably they will also make it possible to document this segmentation for customers
that need to comply.
EU Data Protection Directive
The Data Protection Directive (officially Directive 95/46/EC on the protection of individuals with regard to the
processing of personal data and on the free movement of such data) is a European Union directive which
regulates the processing of personal data within the European Union. It is an important component of EU
privacy and human rights law. The directive was implemented in 1995 by the European Commission.
CHAPTER IV TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
Article 25 Principles
1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are
intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted
pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection,
Article 26 Derogations
1. By way of derogation from Article 25 and save where otherwise provided by domestic law governing particular cases, Member
States shall provide that a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level
of protection within the meaning of Article 25 (2) may take place on condition that:
(a) the data subject has given his consent unambiguously to the proposed transfer; or
(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of
precontractual measures taken in response to the data subject's request; or
(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between
the controller and a third party; or
(d) the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of
legal claims; or
(e) the transfer is necessary in order to protect the vital interests of the data subject; or
(f) the transfer is made from a register which according to laws or regulations is intended to provide information to the public and
which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the
extent that the conditions laid down in law for consultation are fulfilled in the particular case.
2. Without prejudice to paragraph 1, a Member State may authorize a transfer or a set of transfers of personal data to a third country
which does not ensure an adequate level of protection within the meaning of Article 25 (2), where the controller adduces adequate
safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the
exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses.
Information Security Management
[Figure: Information Security Management shown with three branches]
Legal Regulation: Personal Data Protection Act, SOX/J-SOX, Compliance
Technologies: Encryption, Virtualization, ID Management
Management/Operation: Risk Management, Education/Training, BCM/BCP
Thank You !
Katsuya Uchida, Professor Ph.D.
Institute of Information Security
(Graduate School in Japan)
http://www.iisec.ac.jp/
[email protected]
http://lab.iisec.ac.jp/~uchida_lab/
[email protected]
http://www.uchidak.com/
You can find this presentation file at
http://www.uchidak.com/ (English Site)