December 9th 2009
International Organization on Computer Evidence
Antarctica
Katsuya UCHIDA, Professor Ph.D.
Institute of Information Security (Graduate School in Japan)

INTRODUCTION

1. Definition of Information Forensics
The application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.

2. Four major categories of data sources:
1. Files
2. Operating systems
3. Network traffic
4. Applications
Non-digital evidence?

Source: NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response

Institute of Information Security, Katsuya Uchida, [email protected]

INTRODUCTION

3. The process for performing information forensics:

Collection: identifying, labeling, recording, and acquiring data from the possible sources of relevant data, while following procedures that preserve the integrity of the data.

Examination: forensically processing collected data using a combination of automated and manual methods, and assessing and extracting data of particular interest, while preserving the integrity of the data.

Analysis: analyzing the results of the examination, using legally justifiable methods and techniques, to derive useful information that addresses the questions that were the impetus for performing the collection and examination.

Reporting: reporting the results of the analysis, which may include describing the actions used, explaining how tools and procedures were selected, determining what other actions need to be performed (e.g., forensic examination of additional data sources, securing identified vulnerabilities, improving existing security controls), and providing recommendations for improvement to policies, procedures, tools, and other aspects of the forensic process.

INTRODUCTION

4. Procedure of Forensics
US Department of Justice, "Forensic Examination of Digital Evidence: A Guide for Law Enforcement"
When dealing with digital evidence, the following general forensic and procedural principles should be applied:
- Actions taken to secure and collect digital evidence should not affect the integrity of that evidence.
- Persons conducting an examination of digital evidence should be trained for that purpose.
- Activity relating to the seizure, examination, storage, or transfer of digital evidence should be documented, preserved, and available for review.
Through all of this, the examiner should be cognizant of the need to conduct an accurate and impartial examination of the digital evidence.

INTRODUCTION

5. Incident Response or Information Forensics?
Incident Response: recovery first, evidence collection second.
Information Forensics: evidence first, recovery second.

Decision flow: INCIDENT -> "IR or IF?" -> either Incident Response (Recovery First) or Information Forensics (Evidence First). Technical analysis in both paths draws on incident response technologies. Which path to take is a management (CIO/CEO) decision.

Information Security Management: Challenges from the Information Security Management Viewpoint

In-source (intranet): incident response or information forensics is performed in-house; there are a few challenges in the information forensic technologies themselves.

Outsource (data center): data is stored at the data center; what can be done depends on the SLA (Service Level Agreement).

Outsource (cloud computing):
- Forensics and e-discovery technologies are of little use on cloud computing; they can hardly cope with it.
- Multi-party cloud agreements make it more difficult to determine where data and responsibility lie, because several providers may be involved.
- Data retention or transfer restrictions must be considered: US Patriot Act, EU Data Protection Directive, etc.
- Cloud computing has many information security management issues: data location (which country), data backups, the quality of operators, the possibility of external audit of the cloud provider, etc.
From the information security management viewpoint, the forensics challenge in cloud computing is traceability of data.

Cloud Computing Models
Deployment models:
1. Private cloud
2. Community cloud
3. Public cloud
4. Hybrid cloud
Service delivery models:
1. SaaS (Software as a Service)
2. PaaS (Platform as a Service)
3. IaaS (Infrastructure as a Service)
http://csrc.nist.gov/groups/SNS/cloud-computing/
http://www.cloudsecurityalliance.org/csaguide.pdf

Reputation Fate Sharing

The US and EU acts have an impact on cloud security; the legal systems of the various countries are inconsistent with one another.

Core IP Networks LLC: On 2 April 2009, a colocation facility owned by Core IP Networks LLC was raided by the FBI and the entire datacenter was shut down. "Millions of dollars' worth" of computers, many owned by other companies colocated in the datacenter that had no connection to the companies being investigated by the FBI, were confiscated and those sites went offline. Some of the companies subsequently went out of business. (At 6 a.m. on 2 April 2009 the Texas data-center company Core IP Networks LLC was raided by the FBI without warning and ordered to shut down the entire data center; all of the equipment was subsequently seized under a warrant.)

The Pirate Bay: On 31 May 2006, Swedish police officers shut down the website and confiscated its servers, as well as all other servers hosted by The Pirate Bay's Internet service provider, PRQ. (When the Swedish police seized the equipment of "The Pirate Bay", a source of illegal P2P downloads, from the data center, many completely unrelated websites were taken down along with it.)

The U.S. Patriot Act and EU Data Protection Directive have an impact on cloud security:
http://www.networkworld.com/newsletters/vpn/2009/092909cloudsec1.html?source=NWWNLE_nlt_security_2009-09-30
The Canadian and UK governments have decided on a policy of keeping data stored in cloud computing within their own countries.

International Convention for the Regulation of Cloud Computing: operation of a common legal framework for cloud computing.

Antarctic Treaty System

The Main Antarctic Treaty
The main treaty was opened for signature on December 1, 1959, and officially entered into force on June 23, 1961. The original signatories were the 12 countries active in Antarctica during the International Geophysical Year (IGY) of 1957-58 and willing to accept a US invitation to the conference at which the treaty was negotiated. These countries were the ones with significant interests in Antarctica at the time: Argentina, Australia, Belgium, Chile, France, Japan, New Zealand, Norway, South Africa, the Soviet Union, the United Kingdom and the United States. Between them, the signatories had established over 50 Antarctic stations for the IGY. The treaty was a diplomatic expression of the operational and scientific cooperation that had been achieved "on the ice".

Virtual Cloud Continent Treaty System
On a Cloudy Day You Can See Forensics

Security Guidance for Critical Areas of Focus in Cloud Computing
Section I. Cloud Architecture
Domain 1: Cloud Computing Architectural Framework
Section II. Governing in the Cloud
Domain 2: Governance and Enterprise Risk Management
Domain 3: Legal
Domain 4: Electronic Discovery
Domain 5: Compliance and Audit
Domain 6: Information Lifecycle Management
Domain 7: Portability and Interoperability
Section III. Operating in the Cloud
Domain 8: Traditional Security, Business Continuity and Disaster Recovery
Domain 9: Data Center Operations
Domain 10: Incident Response, Notification and Remediation
Domain 11: Application Security
Domain 12: Encryption and Key Management
Domain 13: Identity and Access Management
Domain 14: Storage
Domain 15: Virtualization
The Cloud Security Alliance, April 2009, http://www.cloudsecurityalliance.org/

U.S. Patriot Act

The U.S. Patriot Act has an impact on cloud security.
"Cloud Security Alert", by Tim Greene, Network World, 09/29/2009:

Cloud security includes the obligation to meet regulations about where data is actually stored, something that is having unforeseen consequences for U.S. firms trying to do business in Canada. Recently several U.S. companies that wanted contracts to help a Canadian program to relocate 18,000 public workers were excluded from consideration because of Canadian law about where personally identifiable information about its citizens can be stored. The rule is that no matter the location of the database that houses the information, it cannot place the data in danger of exposure. From a Canadian perspective, any data stored in the U.S. is considered potentially exposed because of the U.S. Patriot Act, which says that if the U.S. government wants data stored in the U.S., it can pretty much get it. That effectively rules out cloud service providers with data centers only in the U.S. from doing business in Canada. Checking out where data physically resides in a service-provider cloud is part of the due diligence regulated businesses anywhere have to perform. In clouds that rely almost exclusively on virtual environments, this can be a difficult task to document. This is particularly true if the data is automatically replicated to other host machines in the cloud environment and the cloud hasn't been designed with this parameter in mind. The implications for cloud service customers are apparent. For providers that want to woo international customers, these geographic restrictions will have an impact on how their networks are designed and segmented. They must build in assurances that data meant for only one sector of the political map stays there. Presumably they will also make it possible to document this segmentation for customers that need to comply.

EU Data Protection Directive (EU Directive)

The Data Protection Directive (officially Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data) is a European Union directive which regulates the processing of personal data within the European Union. It is an important component of EU privacy and human rights law. The directive was adopted in 1995.

CHAPTER IV: TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

Article 25, Principles
1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.

Article 26, Derogations
1. By way of derogation from Article 25 and save where otherwise provided by domestic law governing particular cases, Member States shall provide that a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2) may take place on condition that:
(a) the data subject has given his consent unambiguously to the proposed transfer; or
(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject's request; or
(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; or
(d) the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or
(e) the transfer is necessary in order to protect the vital interests of the data subject; or
(f) the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.
2. Without prejudice to paragraph 1, a Member State may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2), where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses.

Information Security Management

Three pillars of information security management:
- Legal regulation: Personal Data Protection Act, SOX/J-SOX, compliance
- Technologies: encryption, virtualization, ID management
- Management/operation: risk management, education/training, BCM/BCP

Thank You!
Katsuya Uchida, Professor Ph.D.
Institute of Information Security (Graduate School in Japan)
http://www.iisec.ac.jp/
[email protected]
http://lab.iisec.ac.jp/~uchida_lab/
[email protected]
http://www.uchidak.com/
You can find this presentation file at http://www.uchidak.com/ (English site)
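The collection principle stated on the introductory slides (NIST SP 800-86: preserve integrity and keep a strict chain of custody; the DoJ guide: collection must not affect the evidence, and every seizure, transfer and examination must be documented and reviewable) is usually enforced in practice with a cryptographic hash of each evidence item and a tamper-evident custody record. The following is an added example written for this page, not code from the slides, from NIST or from the DoJ guide. The case and item identifiers, the handler names and the evidence bytes are constructed for the example; each custody entry stores the SHA-256 of the item and the hash of the previous entry, so that a later change either to the evidence or to the record itself is detected on verification.

```python
"""Evidence integrity and chain-of-custody record (added example).

Each custody entry records the SHA-256 of the evidence item as observed at
that step and the hash of the previous entry. Verification recomputes both,
so neither the evidence nor the record of who handled it can be changed
without detection. Sample evidence and identifiers are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody log for one case (hypothetical design)."""

    GENESIS = "0" * 64  # previous-entry hash for the first entry

    def __init__(self, case_id: str):
        self.case_id = case_id
        self.entries = []

    def _entry_hash(self, entry: dict) -> str:
        # Canonical JSON so the hash does not depend on key order or spacing.
        canonical = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
        return sha256_hex(canonical)

    def record(self, action: str, item_id: str, data: bytes, handler: str, when=None) -> str:
        """Append one custody event (collected, transferred, examined, ...)."""
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "case_id": self.case_id,
            "seq": len(self.entries),
            "action": action,
            "item_id": item_id,
            "handler": handler,
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "evidence_sha256": sha256_hex(data),
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self, evidence: dict):
        """Check the record chain and the current evidence bytes.

        evidence maps item_id -> bytes as they exist now. Returns
        (ok, problems); evidence must hash identically at every step,
        since a forensic copy is never supposed to change.
        """
        problems = []
        prev = self.GENESIS
        for e in self.entries:
            fields = {k: v for k, v in e.items() if k != "entry_hash"}
            if self._entry_hash(fields) != e["entry_hash"]:
                problems.append(f"entry {e['seq']}: record altered")
            if e["prev_entry_hash"] != prev:
                problems.append(f"entry {e['seq']}: chain broken")
            prev = e["entry_hash"]
            current = evidence.get(e["item_id"])
            if current is None:
                problems.append(f"entry {e['seq']}: item {e['item_id']} missing")
            elif sha256_hex(current) != e["evidence_sha256"]:
                problems.append(f"entry {e['seq']}: item {e['item_id']} hash mismatch")
        return (not problems, problems)


def demo():
    """Collect two constructed items, hand one over, then tamper with one."""
    evidence = {
        "IMG-001": b"\x00" * 512 + b"NTFS    " + b"\x00" * 16,   # constructed image fragment
        "LOG-001": b"2009-12-09T06:00:00Z sshd[421]: Accepted password for root from 10.0.0.5\n",
    }
    log = CustodyLog("CASE-2009-1209")
    t0 = datetime(2009, 12, 9, 6, 0, tzinfo=timezone.utc)
    log.record("collected", "IMG-001", evidence["IMG-001"], "examiner A", t0)
    log.record("collected", "LOG-001", evidence["LOG-001"], "examiner A", t0)
    log.record("transferred", "IMG-001", evidence["IMG-001"], "examiner B", t0)
    ok_before, _ = log.verify(evidence)

    # Someone edits the log file after collection: verification must fail.
    tampered = dict(evidence)
    tampered["LOG-001"] = evidence["LOG-001"].replace(b"root", b"user")
    ok_after, problems = log.verify(tampered)
    return ok_before, ok_after, problems


if __name__ == "__main__":
    before, after, problems = demo()
    print("intact:", before, "after tampering:", after, problems)
```

In a real engagement the hash of the acquired image is taken at acquisition (before any examination) and written into the custody record together with the examiner, time and action, exactly as `record` does here; the same hash is re-checked before and after every examination step and again when the report is written, which is what `verify` performs over the whole chain. The timestamps are taken from a trusted clock in practice; the example accepts an explicit time so that the run is reproducible.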