Upload
dinhthuan
View
226
Download
0
Embed Size (px)
Citation preview
1Copyright(C) 2003 Information-technology Promotion Agency, Japan All rights reserved.
February 3, 2003
Kei HaradaIT Security Center (ISEC)
Information-technology Promotion Agency, Japan (IPA)
Japanese Information Security Status- Environment and Policies -
? This document is based on public information, including the site of the Prime Minister of Japan and his Cabinet (http://www.kantei.go.jp/), etc. ? This translation is not official, but provisional.
Copyright(C) 2003 Information-technology Promotion Agency, Japan All rights reserved. 2
Presentation Contents
u Introductionu Japan’s Information Security Environmentu Japan’s Government Policiesu Conclusion and Next Stepu Reference, Contact Information
Copyright(C) 2003 Information-technology Promotion Agency, Japan All rights reserved. 3
Safety and Security
“AN-ZEN”
Known Problems/Threats
Before……..
•“Security” = “Safety” ???……
•Safety is FREE like Water or Air……
•Nobody pays for “Safety” or “Security”
•Low Awareness………
Now……..
•Internet, Virus, Cyber Crime…….
•Threats - “Unknown”, “Unpredictable”
•Protect by yourself…….
•Growing Awareness……..
Unknown Problems/Threats
Security
Safety
“security”
Copyright(C) 2003 Information-technology Promotion Agency, Japan All rights reserved. 4
IPA Overview
IPAIPA Information-technology Promotion Agency, JapanQuasi-governmental organization under Ministry of Economy, Trade and Industry (METI),
IPA will be restructured into “Independent Administrative Institution” Established: October, 1970
Mission: Information processing technology promotion Personnel: About 170
¦ R&D and Support²IT Security Technology²Advanced Software Technology²E-Commerce Technology²E-Government Support
¦ Credit Guarantee²To Information Technology Company²Development, equipment purchase
¦ Education & Training²Develop Training Materials
²Educational Support
¦ IT Security Center²Mission : IT Security Enhancement²Established in 1997²Current personnel 35
Copyright(C) 2003 Information-technology Promotion Agency, Japan All rights reserved. 5
Japan’s Information Security Environment
Copyright(C) 2003 Information-technology Promotion Agency, Japan All rights reserved. 6
0
5000
10000
15000
20000
25000
30000
1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002
Computer Virus Reported to IPA /ISEC (1)
897
Number of Reports
1,12714 57 253 668 755
Year
2,3912,035
3,645
11,109
24,261
Widespread of Macro Viruses
E-mail systems ( Ska)
E-mail systems ( LOVELETTER? MTX?Navidad)
E-mail systems ( Hybris? MTX? Sircam)Security holes ( Nimda, Aliz, Badtrans)
E-mail systems ( Klez)Japanese Subject ( Fbound)
20,352
Copyright(C) 2003 Information-technology Promotion Agency, Japan All rights reserved. 7
Computer Virus Reported to IPA /ISEC (2)
20%
54%
80%
Year
2,035 3,645 11,109 24,261
19%
Number of ReportInfection
0%
20%
40%
60%
80%
100%
1998 1999 2000 2001 2002InfectedDetection Only
20,352
80%
54%
20% 19% 8%
Copyright(C) 2003 Information-technology Promotion Agency, Japan All rights reserved. 8
Unauthorized Access Reported to JPCERT/CC
0
500
1000
1500
2000
2500
3000
1997 1998 1999 2000 2001 2002
Number of Report
YearFrom JPCERT/CC HP http://www.jpcert.or.jp/stat/reports.html
Copyright(C) 2003 Information-technology Promotion Agency, Japan All rights reserved. 9
2585
110
7997
176
83
179
262
116
299
415
247
110
35713
484
44
55931
712
63
810
0
100
200
300
400
500
600
700
800
900
1995 1996 1997 1998 1999 2000 2001
V iolation of the Unauthorized C om puter Access Law
C rim e against PC or electronic form at
C rim e com m itted over Internet
Current Status of Cyber Crime
35
Copyright(C) 2003 Information-technology Promotion Agency, Japan All rights reserved. 10
C ategory Year 2000 Year 2001Internet Facilitated C rim e 484 712
C hild Prostitution and C hild Pornography 121 245D istribution of O bscene O bject 154 103Fraud 53 103D efam ation 30 42Infringem ent of C opyright 29 28Intim idiation 17 40O thers 80 151
C rim e against C om puter or Data 44 63U nauthorizec C om puter Access 31 35
559 810Total
Breakdown of Cyber Crime
Copyright(C) 2003 Information-technology Promotion Agency, Japan All rights reserved. 11
Security Policy, Private Company
Current Status
Established
Preparing
Planning
No Plan
No Answer
Trend
Large
Small
3-5 Years 1-3 YearsMore than
5 Years
Less than
1 Years
large Small
From MPHP HP http://www.soumu.go.jp/s-news/2002/pdf/020913_5_02.pdf
Copyright(C) 2003 Information-technology Promotion Agency, Japan All rights reserved. 12
Security Audit, Private Company
Large Company
Small Company
Current Status
Trend
Yes
No
No Answer
Yes
No
No Answer
Large Small
More than
3Years1-3Years
Less than
1Years
From MPHP HP http://www.soumu.go.jp/s-news/2002/pdf/020913_5_02.pdf
Copyright(C) 2003 Information-technology Promotion Agency, Japan All rights reserved. 13
Usage of Cryptography
Using
Planning
No Plan
No Answer
Current Status
large Small large Small
Application
intranet
extranet
EDI
EC
Others
No Answer
From MPHP HP http://www.soumu.go.jp/s-news/2002/pdf/020913_5_02.pdf
Copyright(C) 2003 Information-technology Promotion Agency, Japan All rights reserved. 14
Japanese Government’s IT Security Policies
Copyright(C) 2003 Information-technology Promotion Agency, Japan All rights reserved. 15
•Deputy Chief Cabinet Secretary for Crisis Management
•Assistant Chief Cabinet Secretary(National Security and Crisis Mgmt)
IT Security Office(Cabinet Secretariat)
•Plan, design, integrate coordinate IT Security Policy
•Information collection, warning advisory, and emergency response support
Prime MinisterCabinet
IT Strategy HeadquartersChief: Prime Minister
(Cabinet Ministers and Private Sector Experts)
IT Strategy HeadquartersChief: Prime Minister
(Cabinet Ministers and Private Sector Experts)
National Police AgencyJapanese Defense Agency
Ministry of Public Management, Home Affairs, Posts and TelecommunicationsMinistry of Economy, Trade and Industry
Etc.
National Police AgencyJapanese Defense Agency
Ministry of Public Management, Home Affairs, Posts and TelecommunicationsMinistry of Economy, Trade and Industry
Etc.
Government Cooperation
IT Security Promotion Committee
Chief: Dep. Chief Cabinet Sec.(Ministry Director Generals)
IT Security Promotion Committee
Chief: Dep. Chief Cabinet Sec.(Ministry Director Generals)
IT Security Expert Meeting
(Private Sector Experts)
IT Security Expert Meeting
(Private Sector Experts)
Government Structure for IT Security
Copyright(C) 2003 Information-technology Promotion Agency, Japan All rights reserved. 16
Special Action Plan on Countermeasures
to Cyber-terrorism of Critical Infrastructure( December 2000)
Special Action Plan on Countermeasures
to Cyber-terrorism of Critical Infrastructure( December 2000)
Guidelines for IT Security Policies
( July 2000)
Guidelines for IT Security Policies
( July 2000)
Secure GovernmentIT Security
Secure GovernmentIT Security
Critical Infrastructure Cyber-terrorismCountermeasures
Critical Infrastructure Cyber-terrorismCountermeasures
Action Plan for
Information Systems
Protection against
Cyber-threats
( January 2000)
Action Plan for
Information Systems
Protection against
Cyber-threats
( January 2000)
Year 2000
Basic IT Security Policies
Copyright(C) 2003 Information-technology Promotion Agency, Japan All rights reserved. 17
e-Japan Priority Policy Program ( March 2001)
“Ensuring of Security and Reliability over Advanced Information and Telecommunications networks”
e-Japan Priority Policy Program ( March 2001)
“Ensuring of Security and Reliability over Advanced Information and Telecommunications networks”
Preparation of Regulatory Frameworks and an Infrastructure
Preparation of Regulatory Frameworks and an Infrastructure
IT Security Measures and Raising of Public Awareness in the Private Sector
IT Security Measures and Raising of Public Awareness in the Private Sector
R&D,Human Resource Development,and Strengthening of International Collaboration
R&D,Human Resource Development,and Strengthening of International Collaboration
Year 2001
Establishment of IT Security Measures within the Government
Establishment of IT Security Measures within the Government
Action Plan to Secure IT Security of e-Government ( October 2001)
Action Plan to Secure IT Security of e-Government ( October 2001)
e-Japan Priority Policy Program2002 ( July 2002)
Countermeasures against Cyber-terrorism for Critical Infrastructure
Countermeasures against Cyber-terrorism for Critical Infrastructure
EstablishedGovernment-Private Sector Partnership ( October 2001)
EstablishedGovernment-Private Sector Partnership ( October 2001)
Basic IT Security Policies (cont’d)
EstablishedNational Incident Response Team(NIRT) ( April 2002)
EstablishedNational Incident Response Team(NIRT) ( April 2002)
Enhance
Copyright(C) 2003 Information-technology Promotion Agency, Japan All rights reserved. 18
E-government is scheduled to start from FY 2003? Network Security is essential for a secure e-government
E-government is scheduled to start from FY 2003? Network Security is essential for a secure e-government
Key Contents• Implementation of Effective IT Security Policy at each Governmental Organization
• Standardization of cryptographic technology regarding e-gov.
•Plan to establish effective monitoring system for e-gov. network
•Preparing emergency response system especially at the Cabinet Secretariat by establishing a CIRT
•Human resource development on IT security
•R&D for IT security key technology
Key Contents• Implementation of Effective IT Security Policy at each Governmental Organization
• Standardization of cryptographic technology regarding e-gov.
•Plan to establish effective monitoring system for e-gov. network
•Preparing emergency response system especially at the Cabinet Secretariat by establishing a CIRT
•Human resource development on IT security
•R&D for IT security key technology
Action Plan to Secure IT Security of e-Government
Copyright(C) 2003 Information-technology Promotion Agency, Japan All rights reserved. 19
METI’s IT Security Policy (1)
1 enhancing security of the e-government· IT security evaluation( ISO/IEC15408)(NITE, IPA)· evaluation of cryptography(IPA, TAO)· supporting the cabinet office(policy advice, helping NIRT, etc.)· GPKI
2 supporting the private sector activities· information sharing/analysis on computer virus & hacking(JPCERT/CC, IPA)· promoting security management(ISO/IEC17799)· promoting PKI(voluntary accreditation scheme, etc.)· training experts(national exam., etc.)· awareness raising of IT security(seminar, etc.)· promoting R&D· establishing guidelines(against computer virus & hacking, etc.)
Copyright(C) 2003 Information-technology Promotion Agency, Japan All rights reserved. 20
3 countermeasures against cyber-terrorism
4 international cooperation
· measures based on “Special Action Plan on Countermeasures to Cyber-terrorism of Critical Infrastructure” (communication and coordination schemewith private sectors such as electric power and gas, etc.)· promoting R&D
· cooperation with OECD, APEC, G8 Lyon Group, etc.· promoting info-share network of CSIRTs
METI’s IT Security Policy (2)
Copyright(C) 2003 Information-technology Promotion Agency, Japan All rights reserved. 21
Conclusion and the Next Steps
Copyright(C) 2003 Information-technology Promotion Agency, Japan All rights reserved. 22
Conclusion
1 Government Cooperation· Japanese Government Organizations are cooperating to establish the most
advanced and secure Information technology oriented society and e-Government.
2 Improving and enforcing Laws· Computer Crimes Criminal Law Revised· Unauthorized Access Prohibition Law· Digital Signature Law
3 Established Schemes and Structures· Cyber-Police Force (National Police Agency)· National Incident Response Team (NIRT, Cabinet Secretariat)· IT Security Evaluation and Certification Scheme (Based on ISO 15408, METI)· Conformity Assessment Scheme for Information Security Management Systems
(ISMS, Based on ISO 17799, supported by METI)
Copyright(C) 2003 Information-technology Promotion Agency, Japan All rights reserved. 23
Next Steps
1 Secure Reliability of e-Government
· Promoting security audit(establishing model standard)· List of e-Government recommended Ciphers and Procurement Guide
2 Improving and enforcing Laws· legislation for personal information protection· cyber-crime legislation(ratifying the convention)
3 Enhance Human and Technological Resources· training experts(establishing skill standard) · promoting electronic authentication
4 International Collaboration· participating in CCRA· APEC/CERT Collaboration
Copyright(C) 2003 Information-technology Promotion Agency, Japan All rights reserved. 24
References and Contact information
Copyright(C) 2003 Information-technology Promotion Agency, Japan All rights reserved. 25
References (1)
Japan's IT security policies
wIT Security Office (Cabinet Secretariat) http://www.bits.go.jp/en/index.html
wMinistry of Economy, Trade and Industry (METI) http://www.meti.go.jp/english/
wMinistry of Public Management, Home Affairs, Posts and Telecommunications (MPHP) http://www.soumu.go.jp/english/
wNational Police Agency http://www.npa.go.jp/police_e.htm
wJapanese Defense Agency http://www.jda.go.jp/e/index_.htm
METI's IT security policy
http://www.meti.go.jp/english/policy/index_other.html
http://www.meti.go.jp/english/special/CyberSecurity/index.html
MPHP - Information & Communications Statistics Database
http://www.johotsusintokei.soumu.go.jp/english/index.html
- White Paper 2002 - Information and Communications in Japan (Summary) (July 2002)
- Number of Internet Users(As of January 31,2002)
- Information about the Spread of DSL services(May 2002)
- Information Security Countermeasure Survey (Sep. 2002) *Japanese Only*
Copyright(C) 2003 Information-technology Promotion Agency, Japan All rights reserved. 26
References (2)
wIPA / IT Security Center (ISEC)
http://www.ipa.go.jp/security/index-e.html
wInformation Security Survey 2001 (Summary)
http://www.ipa.go.jp/security/fy13/report/security_survey/survey2001en.pdf
wComputer virus incident reports
http://www.ipa.go.jp/security/english/anti-virus-e.html
wIndependent Administrative Institutions (IAI)
wNational Institute of Advanced Industrial Science and Technology (AIST)
http://www.aist.go.jp/index_en.html
wNational Institute of Technology and Evaluation(NITE)
http://www.nite.go.jp/index-e.htm
Japan IT Security Evaluation & Certification Scheme
http://www.nite.go.jp/asse/english/its/index.htm
wCommunications Research Laboratory (CRL)
http://www.crl.go.jp/overview/index.html
Copyright(C) 2003 Information-technology Promotion Agency, Japan All rights reserved. 27
Contact Information
? IPA/ISEC
http://www.ipa.go.jp/security/index-e.html
Email: [email protected]
2-28-8 HonKomagome, Bunkyo-ku, Tokyo 113-6591 Japan
Tel: +81-3-5978-7508 Fax: +81-3-5978-7518
Kei Harada,
Senior Researcher
IT Security Center (ISEC),
Information-technology Promotion Agency, Japan (IPA)