
All Rights Reserved, Copyright © FUJITSU LTD. 2003 1 Information Security Measures and FUJITSU’s Solutions 19 Nov 2003 FUJITSU LIMITED.

Presentation transcript:

Slide 1: Information Security Measures and FUJITSU’s Solutions, 19 Nov 2003, FUJITSU LIMITED

Slide 2: Contents
・ FUJITSU Corporate Profile
・ Current Situation of Cyber Space
・ Case Study of Unauthorized Access
・ How to Maintain IT Security
・ Conclusion
・ Examples of FUJITSU’s Solutions and Demonstration

Slide 3: FUJITSU Corporate Profile

Slide 4: Fujitsu at a Glance
Fujitsu is a leading provider of customer-focused IT and communications solutions for the global marketplace. Comprising more than 500 subsidiaries and affiliates, the Fujitsu Group operates in over 60 countries across the globe.
・ Established: June 1935
・ Stock Exchange Listings: Tokyo, Osaka, Nagoya, Frankfurt, London, Swiss
・ Consolidated Revenues: 4.6 trillion yen (US$38.3 billion)
・ Employees: 157,000 worldwide
・ R&D Expenditure: 286 billion yen (US$2.4 billion)
・ Principal Business Areas: Software & Services, Platforms, Electronic Devices
Note: FY2002 consolidated net sales; US$1 = ¥120; worldwide employees as of March 31, 2003

Slide 5: Global Scale, Local Presence
Fujitsu employees the world over take pride in providing high-quality products and services, and they are committed to solving customers’ problems and contributing to their business success.
[Map: employees by region (Europe, Middle East & Africa*; Americas; Asia-Pacific; Japan); figures shown: 19,000; 21,000; 108,500; 8,500]
* Not including employees of Fujitsu Siemens Computers.

Slide 6: FSBT Profile
・ Company Name: Fujitsu Systems Business (Thailand) Ltd.
・ Address: 12th Floor, Olympia Thai Tower, 444 Rachadapisek Rd., Samsennok, Huay Kwang, Bangkok 10310, THAILAND
・ Registered Capital: 50 Million Baht
・ Establishment: September 1990
・ Organization: Mr. Takafumi Mikuni as Managing Director
・ Employees: about 200 persons
・ Business Field: Solutions: ERP/CRM/System Management/E-commerce/Banking/Retail/Personnel Management/Office Workflow/Business Intelligence etc. Products: IA Server and Unix Server/PC and Notebook/ATM Terminal/POS Terminal/Storage/Network/Peripheral Products (Scanner, Hard Disk, Magneto Optical Disk Drive, Dot Matrix Printer, Plasma Display, Handheld Terminal etc.)

Slide 7: Current Situation of Cyber Space

Slide 8: Successive Occurrences of Security Incidents
・ Damage caused by viruses: highest number of cases ever reported
・ Leak of customer data from UFJ Securities
・ Worst security hole for Windows XP ever seen
・ Hacker intrusion caused confidential and customer data to leak at the New York Times
・ Hacking disaster at AOL, targeting members’ personal data
・ The Ministry of Health and Welfare cracks down on virus-infected mail spam of 120,000 mails
・ The Japanese government website has been defaced by hackers several times
・ Tokyo Stock Exchange sent out virus-infected emails to about 8,000 people
・ The most damaging virus ever seen, W32/Nimda

Slide 9: Current Situation of Information Security
・ 90% of corporations in the world have experienced unauthorized access
・ 85% have experienced harm caused by computer viruses
・ Cyber spying targeting companies is on the rise
・ Threat from cyber terrorism
Source: FBI/CSI Research, "Computer Crime and Security Survey"

Slide 10: Threats on Network Computing
■ Increasing illegal access: cases reported to CERT/CC (Computer Emergency Response Team), Jan 2003 ~ Sep 2002: 114,855 cases
■ Worst virus incident ever took place: cases reported to IPA (IT Promotion Agency, Japan) between Jan and Dec 2002: 20,352 cases
[Chart: Route taken by computer virus, by year (1998, 2000, 2002): external source, mail, download, miscellaneous]
[Chart: No. of virus incidents per year, 1995 to 2002 (2002: 20,352)]

Slide 11: How likely is it that your corporation would face a cyber attack?
■ Users who conducted attack tests (Fujitsu’s customer data): 70% of companies are prone to cyber attack.
[Chart: number of organizations per business field (Manufacturing/Retail, Public, Education, IT/Telecommunication, Finance, Hospital, Energy) by risk level: Level 1, Level 2: Alert, Level 3: Alarmed, Level 4: High Risk, Level 5: Fatal; "Higher than Level 4" highlighted]
■ Mentality on security management (Fujitsu survey; 450 companies): while server data management is always a concern, not many pay enough attention to terminal data management, education and network management.
[Chart: Japan versus international average across Organization, Operation, Education, Physical, User Management, Server Management, PC/WS Management, Network, Audit]

Slide 12: CodeRed / Nimda Virus
CodeRed/Nimda effect (researched by Symantec): loss due to CodeRed approx. 325 billion yen; Nimda approx. 65 billion yen.
Resource: www.security.nl/misc/codered-stats/

Slide 13: Case Study of Unauthorized Access

Slide 14: Case Study: SCM of Company A (1)
[Diagram: Inventory Management System. The Inventory Management Host Computer and the Regional Server of Division A are connected over the intranet with the Receipt and Shipping section; data exchanged: parts list, inventory data, delivery data etc.]

Slide 15: Case Study: SCM of Company A (2): How does the trouble start?
・ The server went down.
・ The DB was recreated.
・ The server went down again.
・ "Something is strange with the server."
・ Check by an expert.
・ Signs of cracking.
[Diagram: Intranet, Receipt and Shipping, Regional Server, Division A]

Slide 16: Case Study: SCM of Company A (3): Unauthorized access from inside the company
・ Data on a regional server is deleted.
・ Fake data is sent to the host server.
・ A malicious program is implanted.
[Diagram: unauthorized access using a common ID from Division A over the intranet; malicious program; fake data; altering operation data; monitoring device; stocktaking of relevant stock; shipping instruction by fax]

Slide 17: How to Deal with Moral Hazard: Set up a "Mental Barrier"
・ Individual identification (ID/password, biometrics)
・ Obtaining access logs and regular checks
・ Setting penalties
・ Education
・ Third-party audit (e.g., by another division)
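The "obtaining access logs and regular check" measure, applied to the shared-ID problem from the Company A case study, as an added example that is not part of the Fujitsu presentation. The log format, the sample log lines and the list of shared IDs are constructed for this example; the check flags a common ID that is used from several hosts in a short window (so it cannot be attributed to one person) and any data-altering operation performed under such an ID.

```python
"""Added example: a regular access-log check for shared ("common") IDs.
Log format, sample lines and shared-ID list are constructed, not Fujitsu's."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<date> <time> user=<id> host=<client> action=<op> target=<object>"
LOG_RE = re.compile(
    r"(?P<ts>\S+ \S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"action=(?P<action>\S+) target=(?P<target>\S+)"
)

# IDs known to be shared by a whole division (assumed policy input).
SHARED_IDS = {"divA_common"}
# Operations that change inventory/delivery data and must be attributable to a person.
SENSITIVE_ACTIONS = {"delete", "update", "upload"}

# Constructed sample log for the regional server.
SAMPLE_LOG = """\
2003-11-19 08:58:12 user=tanaka host=pc-rs-01 action=read target=inventory
2003-11-19 09:01:33 user=divA_common host=pc-a-07 action=read target=parts_list
2003-11-19 09:02:05 user=divA_common host=pc-a-12 action=update target=delivery_data
2003-11-19 09:03:47 user=divA_common host=pc-a-07 action=delete target=inventory
2003-11-19 09:40:10 user=suzuki host=pc-rs-03 action=update target=inventory
2003-11-19 13:15:00 user=divA_common host=pc-a-19 action=read target=inventory
"""


def parse_log(text):
    """Parse constructed log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
            entries.append(d)
    return entries


def review_shared_ids(entries, window=timedelta(minutes=10)):
    """Return findings (strings) for the regular check.

    Finding 1: a shared ID used from more than one host within `window`.
    Finding 2: a sensitive (data-altering) action performed under a shared ID.
    """
    findings = []
    by_user = defaultdict(list)
    for e in entries:
        if e["user"] in SHARED_IDS:
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            # distinct client hosts seen for this ID inside the window starting here
            hosts = {x["host"] for x in evs[i:] if x["ts"] - e["ts"] <= window}
            if len(hosts) > 1:
                findings.append(f"{user}: used from {len(hosts)} hosts within "
                                f"{int(window.total_seconds() // 60)} min of {e['ts']}")
                break  # one multi-host finding per ID is enough for the report
        for e in evs:
            if e["action"] in SENSITIVE_ACTIONS:
                findings.append(f"{user}: {e['action']} on {e['target']} from "
                                f"{e['host']} at {e['ts']} is not attributable to a person")
    return findings


if __name__ == "__main__":
    for finding in review_shared_ids(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample log the check reports three findings: the common ID seen from two hosts within ten minutes, and the update and delete performed under it.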

Slide 18: A Lawyer’s Suggestions: 7 rules to follow if your company wants to avoid a security-related trial (Daniel Rangin)
1. Decide a security policy (clarify basic principles)
2. Carry out security audits
3. Specify security provisions in contracts
4. Pay extra attention to contract wording
5. Observe regular regulation
6. Consider subscribing to an exclusive insurance service
7. Be aware of the activities of other companies in the same industry

Slide 19: A Lawyer’s Suggestions (continued; the same 7 rules as on slide 18)
The company itself must seriously review its current IT policies to determine whether there is a need to strengthen its security tactics in order to avoid indictment risk.

Slide 20: Latest Trends: more sophisticated attack techniques
・ Random attacks regardless of industry and company size
・ The firewall isn’t perfect
・ Blended threats
・ Amazing spreading speed
・ Infection coming from the intranet

Slide 21: Increasing threats to be expected from now on (full-time connection, new media)
・ Attacks targeting mobile phones
・ Attacks targeting PDAs
・ Attacks on internet appliances (IPv6)
・ Attacks via game machines
・ Intrusion/bugging through wireless LAN

Slide 22: How to Maintain IT Security

Slide 23: To Maintain IT Security
The following three criteria must be satisfied in terms of information and services:
・ Confidentiality
・ Integrity
・ Availability

Slide 24: Balancing between Information Systems
[Diagram: the company’s separate information systems (HR and Admin System, Basic System, Accounting System, Development System, OA System, Management System), each with its own security arrangements]
It is absolutely necessary to have a plan to centralize the security policy.

Slide 25: It is absolutely necessary to centralize the security policy
・ If security policies are NOT centralized: each area (Information System Management, Equipment Management, User Security, Education, Operation Management (managing users etc.), Security Functions (ID/password etc.)) has to balance its own security policy against the others.
・ If security policies are centralized: the same areas are covered by one effort to promote the security policy.

Slide 26: Improvement Cycle for the IT Security Strategy
・ Planning the security strategy: detect new threats; plan the corporate security policy; plan the countermeasures
・ Enforcement of the countermeasures: adopt information technology; organization/training arrangements; arrange the operation flow outline
・ Security audit: audit of security operations
The cycle then returns to planning.

Slide 27: To Consolidate Ways of Protection
・ Organization Layer: Security Policy, Security Team, End-user Training, Security Certification
・ Infrastructure Layer: Anti-virus, Anti-unauthorized Access, Anti-information Leaking, Datacenter, Contents Protection
・ Application Layer: ID Management, Electronic Document Guarantee, Secure Application

Slide 28: Organization Measures (■ Organization ■ Infrastructure ■ Application)
・ Security policy
・ Security check and assessment
・ Obtain official recognition on security profile: ISO15408, ISO17799 (BS7799), Privacy Mark
・ Training and education for end-users

Slide 29: Necessity of a Security Policy
Questions a company faces from outside:
・ From networking companies: "Security is fine despite the network connection."
・ Norm of joint companies: "We will maintain security the same way as our own company."
・ Conditions of providing a network service: "What is the security level of your company?"
・ A request from a government agency: "How does industry tackle security?"
・ Lawsuit related to security incidents: "Is the security level appropriate for a particular industry?"
If no security plan exists: it is impossible to explain the security level of one’s own company ("What should we do?").
If a security plan exists (a certified Security Plan Document): "We have a security plan!", and the company could obtain ISO recognition in the future.

Slide 30: Security Policy Structure
Company unit (company security planning):
・ Basic regulation: information security basic regulation
・ Baseline: information security measure standard
System/operation unit:
・ Operation Security Plan: operation manuals and all kinds of manuals
・ System Security Plan: system implementation and system operation manuals
Steps of security planning: steps of planning; set up the environment (steps of implementation); security check (steps of checking); steps to obtain official recognition (ISO15408 recognition, ISO17799/BS7799 recognition).
To promote the information security policy, we must prescribe a framework that includes: maintaining information security / the organization structure that promotes it / penalty regulations / staff security / maintaining training as part of the security policy.
To combat potential threats, we must prescribe: system access restrictions / resource access restrictions / memory medium management / network management / data exchange management / document management etc.

Slide 31: Sample of Security Policy Documents
IT Security Declaration
◆ IT security basic regulation: Chapter 1 General Rules; Chapter 2 Information asset management classification; Chapter 3 IT Security Policy; Chapter 4 Info security organization/role; Chapter 5 Reviewing information security; Chapter 6 Legal terms to follow; Chapter 7 Penalty; Chapter 8 Revision; Additional Rule
◆ Information security measure standard (sections: 1 Shared Section; 2 HR Department; 3 IT System Implementation Rule; 4 IT System Operation; 5 Network; 6 User Management Rule; Appendix)
・ Cp1 Information management security
・ Cp2 Documentation management
・ Cp3 Memory medium management
・ Cp4 Office management
・ Cp5 Info system equipment management
・ Cp6 Standard to protect personal data
・ Cp7 Study of information security
・ Cp8 Operating continuation plan
・ Cp9 Staff management
・ Cp10 Outsourcing contract
・ Cp11 Facilities management
・ Cp12 Design of security functions
・ Cp13 Product quality management
・ Cp14 Development environment management
・ Cp15 Use delegation security
・ Cp16 IT system operation management
・ Cp17 System change management
・ Cp18 IT security accident management
・ Cp19 Backup management
・ Cp20 User registration management
・ Cp21 External data exchange management
・ Cp22 Host/Server management
・ Cp23 Computer virus policies
・ Cp24 Software management
・ Cp25 Machine room management
・ Cp26 Network management
・ Cp27 Remote access management
・ Cp28 Network connecting affiliated companies management
・ Cp29 User security
・ Cp30 Email security
・ Cp31 PC management security
・ Cp32 Mobile security
・ Cp33 Training standard on IT security

Slide 32: Security Policy Promotion Team
The security team should be given authority:
・ Assignment of a network/security officer
・ Defining the security policy and auditing
・ Daily comprehensive security monitoring
・ Education/training on security etc.

Slide 33: Infrastructure Measures (■ Infrastructure ■ Organization ■ Application)
Data Center
・ Anti-earthquake structure, monitoring cameras, entry/exit control, installation of security areas etc.
・ Measures against information leaking: burglary protection, encryption, IPR protection
・ Contents protection: long-term digital data back-up, secure contents
Secure network
・ Barrier segment (zone defense, VPN)
・ Virus protection
・ Intrusion monitoring (24x365)
・ High quality/density security attack

Slide 34: Barrier Segment Method
[Diagram: Internet → Router → Firewall → DMZ (External Proxy, Public WWW, External Mail server, External DNS, RADIUS server, Operation administration server, Intrusion detection (IDS)) → Corporate network (Internal DNS, Internal Proxy, Corporate WWW, Internal Mail server, Duplication); Public ISDN]
Network configuration/firewall
・ Minimize security risk / install a firewall
・ Adopt a DMZ configuration
・ Prohibit external access through Telnet and FTP
・ Internal firewall / filtering
・ Prohibit internal dial-up connections
・ Attack test
Server
・ Suspend unused services
・ Periodic software upgrades and patching
・ Delete unused CGI
・ Countermeasures against spam mail
・ Set appropriate access limits
Monitoring and logging
・ Save and check the various logs
・ Prevent deletion or alteration of log files
・ Detection of unauthorized attacks
・ Mail/URL filtering and audit
Administration
・ Installation of the software / settings
・ Physical/logical protection of servers and network devices
・ Administrator passwords
・ Documentation of the system administrator’s job and service level agreement
Virus protection
・ Protection from Internet intrusion
・ Protection for clients and servers
Others
・ Virus check

Slide 35: Application Measures (■ Organization ■ Infrastructure ■ Application)
・ Application development guideline
  - Regulation of Web application source code (check functions/factors and input characters)
  - Java application development guideline
・ Application authentication/access control
  - Selection of authentication method (ID/password, one-time password, biometric, electronic certificate and so on)
  - Study PKI implementation: decide the target business; decide whether to self-operate or outsource the CA; decide the operation guideline of the certificates (issue/invalidation/reissue); PKI products (CA, RA, repository, smartcard etc.); outsourcing (Verisign, JCSI)
・ Electronic Document Guarantee Application

Slide 36: Classification of Security Holes
[Chart: classification of security holes reported to Bugtraq; figures shown: 690 cases, 374 cases]
Coding error is seen as the source of the problem in 50% of all cases.

Slide 37: Conclusion

Slide 38: Principles in IT Security (Guideline on Information System Security, OECD: 2002)
1) Awareness
2) Responsibility
3) Response
4) Ethics
5) Democracy
6) Risk Assessment
7) Security design and implementation
8) Security Management
9) Reassessment

Slide 39: Examples of FUJITSU’s Solutions and Demonstration
・ Fujitsu’s Attack Test Service
・ Logical Protection of PCs (Safetywin)
・ Biometric (Palm Vein Pattern Recognition)

Slide 40: Fujitsu’s Attack Test Service (1)
[Diagram: scanning servers (US and Europe) scan the customer’s Internet site (firewall, WWW server, mail server etc.) after the customer applies with its IP addresses; a results report is returned]
・ Cooperation with Qualys (USA), which has a high reputation: Fujitsu provides the QualysGuard™ service first in Japan.
・ Rapid countermeasures to security holes: when a new security hole is discovered, the attack pattern that detects it is generally reflected within one day.
・ High-speed scanning (15-20 min/server)

Slide 41: Fujitsu’s Attack Test Service (2)
Reference: example of a result report (1)
・ High-speed diagnosis: one server in only 15 to 20 minutes.
・ Visual display of security risks.

Slide 42: Fujitsu’s Attack Test Service (3)
Reference: example of a result report (2)
・ Diagnosis logs are provided, making it easy to further analyze why the administrator judged a particular security weakness as such.
・ High-quality, easy-to-read diagnosis report in Japanese (only Fujitsu).
・ Diagnosis results and proposed countermeasures are displayed separately.

Slide 43: Attack Test Service Express Enhancement
Attack Test Service Express’s system is enhanced in the following manner:
・ On top of the conventional scanning using the Internet as the medium, Fujitsu can now also provide intranet scanning. Using the latest knowledge, this is an extensive intranet server scanning service. With one appliance server, it is possible to scan up to 5,000 units within one day.
・ Consultation on the test report is an additional option.
[Diagram: Qualys Data Center (Remote Scanner, Database Server, Web Application Server) → Internet → Firewall → Customer’s site (Intranet Scanner, Intranet Servers, Browser)]

Slide 44: Logical Protection of PCs (Safetywin)
・ Practical measures to prevent system problems by setting restrictions on the basic functions of the Windows OS.
・ A reduction in the time spent on troubleshooting and maintenance.
・ A practical system environment to suit each user’s PC skill.

Slide 45: Safetywin Key Features: for system administrators
Protects PCs by setting restrictions on the functions of the Windows OS. Provides a higher level of security by setting access authorities. Applicable to various system environments.
・ Protects the system from unsuitable operations; applications which are not Windows standard can also be controlled.
・ Restrictions can be easily set by clicking the check boxes on the screen: prohibits the installation of software; guards specified drives/folders/files; limits the applications which can be run.
・ Each client machine environment can be easily set by clicking the icon on the server machine (server option required).
・ A change of the guard settings can be automatically dispatched from the server to clients (server option required).
・ A suitable environment can be provided for each user.
・ The number of telephone calls to the system administrator will be reduced.

Slide 46: Safetywin Key Features: for users
Users can operate PCs without concern for the system environment. Safetywin is a preventive measure against system problems; users cannot feel secure when restoration is the only solution.
・ No need to worry about changing the control panel settings accidentally.
・ No need to worry about destroying valuable system assets accidentally.
・ No confusing windows or applications appear on the screen.

Slide 47: Safetywin setting example 1: Public terminal

Slide 48: Safetywin setting example 1: Public terminal
Only the necessary icons will be displayed on the Desktop.

Slide 49: Safetywin setting example 2: School computer

Slide 50: Safetywin setting example 2: School computer
Access to the specified control panel item will be prohibited.

Slide 51: Safetywin setting example 3: Internet access

Slide 52: Safetywin setting example 3: Internet access
Access to any URL which contains the specified keyword will be prohibited.

Slide 53: Biometric (Palm Vein Pattern Recognition)
Palm vein pattern recognition is one form of biometric authentication: a technology that confirms a person’s identity based on the palm vein pattern.
・ A palm vein pattern is extracted from a picture taken under infrared light.
・ The palm vein pattern is checked against the patterns stored in the system.
[Images: infrared image; vein and hand contour image]

Slide 54: Merits of the Palm Vein Pattern
The palm vein pattern...
・ will not vary over the course of a person’s lifetime, apart from size, once it is set while still in the mother’s womb.
・ lies under the skin, which makes it that much harder for others to read.
・ is unique to every individual, even in twins.

Slide 55: The World’s First Contactless Method
High precision of individual identification: tested with the cooperation of 700 people aged 10 to 70 from different walks of life, a total of 1,400 palm profiles were collected. The system had a false rejection rate of 1% and a false acceptance rate of 0.5% when two vein patterns are used in registration.
[Image: contactless palm vein recognition unit]
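How the false rejection rate and false acceptance rate quoted above are computed from match scores, and why "two vein patterns used in registration" matters, as an added example that is not part of the Fujitsu presentation. The match scores are constructed for illustration (they are not Fujitsu's measurements), the decision rule with two enrolled templates is assumed to be "accept if either template matches", and the threshold is an arbitrary constructed value.

```python
"""Added example: FAR/FRR from constructed similarity scores, single template
versus two enrolled templates per person. Scores are constructed, not Fujitsu's."""

# Each genuine attempt is scored against the person's two enrolled templates:
# (score vs. template 1, score vs. template 2). Higher = more similar. Constructed.
GENUINE_PAIRS = [
    (0.92, 0.88), (0.85, 0.90), (0.78, 0.81), (0.69, 0.74), (0.95, 0.93),
    (0.72, 0.66), (0.80, 0.83), (0.74, 0.71), (0.88, 0.86), (0.64, 0.79),
]
# Impostor attempts: someone else's palm scored against the same two templates. Constructed.
IMPOSTOR_PAIRS = [
    (0.31, 0.42), (0.55, 0.48), (0.68, 0.71), (0.22, 0.35), (0.47, 0.51),
    (0.60, 0.58), (0.39, 0.44), (0.73, 0.61), (0.52, 0.66), (0.28, 0.33),
]
THRESHOLD = 0.70  # constructed operating point: accept if score >= THRESHOLD


def single_template(pairs):
    """Only the first enrolled pattern is used for matching."""
    return [first for first, _ in pairs]


def best_of_two(pairs):
    """Two patterns enrolled; the attempt is matched against both and the
    higher score decides (assumed decision rule: accept if either matches)."""
    return [max(first, second) for first, second in pairs]


def far_frr(genuine, impostor, threshold):
    """FRR = share of genuine attempts rejected (score below threshold).
    FAR = share of impostor attempts accepted (score at or above threshold)."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return far, frr


def sweep(genuine, impostor, thresholds):
    """Trade-off table: (threshold, FAR, FRR) for each candidate threshold.
    Raising the threshold lowers FAR and raises FRR; the operator picks the point."""
    return [(t,) + far_frr(genuine, impostor, t) for t in thresholds]


if __name__ == "__main__":
    for label, fn in (("one template", single_template), ("two templates", best_of_two)):
        far, frr = far_frr(fn(GENUINE_PAIRS), fn(IMPOSTOR_PAIRS), THRESHOLD)
        print(f"{label}: FAR={far:.2f} FRR={frr:.2f} at threshold {THRESHOLD}")
    for t, far, frr in sweep(best_of_two(GENUINE_PAIRS), best_of_two(IMPOSTOR_PAIRS),
                             [0.65, 0.70, 0.75, 0.80]):
        print(f"two templates, threshold {t:.2f}: FAR={far:.2f} FRR={frr:.2f}")
```

On the constructed scores, enrolling two patterns removes all false rejections at the 0.70 threshold but doubles the false acceptances, which is why the slide states its FAR and FRR together with the enrollment condition.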


