Information Security Measures and FUJITSU’s Solutions
19 Nov 2003
FUJITSU LIMITED
All Rights Reserved, Copyright © FUJITSU LTD. 2003

Page 1: Information Security Measures and FUJITSU’s Solutions

Page 2: CONTENTS

• FUJITSU Corporate Profile
• Current Situation of Cyber Space
• Case Study of Unauthorized Access
• How to maintain IT security
• Conclusion
• Example of FUJITSU’s Solutions and Demonstration

Page 3: FUJITSU Corporate Profile

Page 4: Fujitsu at a Glance

Fujitsu is a leading provider of customer-focused IT and communications solutions for the global marketplace. Comprising more than 500 subsidiaries and affiliates, the Fujitsu Group operates in over 60 countries across the globe.

Established: June 1935
Stock Exchange Listings: Tokyo, Osaka, Nagoya, Frankfurt, London, Swiss
Consolidated Revenues: 4.6 trillion yen (US$38.3 billion)
Employees: 157,000 worldwide
R&D Expenditure: 286 billion yen (US$2.4 billion)
Principal Business Areas: Software & Services, Platforms, Electronic Devices
Note: FY2002 consolidated net sales; US$1=¥120; WW employees as of March 31, 2003

Page 5: Global Scale, Local Presence

Fujitsu employees the world over take pride in providing high-quality products and services, and they are committed to solving customers’ problems and contributing to their business success.

Figure: employees by region (Europe, Middle East & Africa*; Americas; Asia-Pacific; Japan); figures shown: 19,000, 21,000, 108,500 and 8,500.
* Not including employees of Fujitsu Siemens Computers.

Page 6: FSBT Profile

• Company Name: Fujitsu Systems Business (Thailand) Ltd.
• Address: 12th Floor, Olympia Thai Tower, 444 Rachadapisek Rd., Samsennok, Huay Kwang, Bangkok 10310, THAILAND
• Registered Capital: 50 Million Baht
• Establishment: September 1990
• Organization: Mr. Takafumi Mikuni as Managing Director
• Employees: about 200 persons
• Business Field
  Solutions: ERP/CRM/System Management/E-commerce/Banking/Retail/Personnel Management/Office Workflow/Business Intelligence etc.
  Products: IA Server and Unix Server/PC and Notebook/ATM Terminal/POS Terminal/Storage/Network/Peripheral Products (Scanner, Hard Disk, Magneto Optical Disk Drive, Dot Matrix Printer, Plasma Display, Handheld Terminal etc.)

Page 7: Current Situation of Cyber Space

Page 8: Successive Occurrences of Security Incidents

• Damage caused by virus: highest number of cases ever reported
• Leak of customer data from UFJ Securities
• Worst security hole for Windows XP ever seen
• Hacker intrusion caused confidential and customer data to leak at the New York Times
• Hacking disaster at AOL, targeting members’ personal data
• The Ministry of Health and Welfare cracks down on virus-infected mail spam of 120,000 mails
• The Japanese government website has been defaced by hackers several times
• Tokyo Stock Exchange sent out virus-infected emails to about 8000 people
• The most damaging virus ever seen: W32/Nimda

Page 9: Current Situation of Information Security

• 90% of corporations in the world experienced unauthorized access
• 85% experienced harm caused by computer viruses
• Cyber spying targeting companies is on the rise
• Threat from cyber terrorism

Source: FBI/CSI Research “Computer Crime and Security Survey”

Page 10: Threats on Network Computing

■ Increasing illegal access: cases reported to CERT/CC (Computer Emergency Response Team), Jan 2003 ~ Sep 2002: 114,855 cases
■ Worst virus incident ever took place: cases reported to IPA (IT Promotion Agency, Japan) between Jan and Dec 2002: 20,352 cases

Figure: cases reported to CERT/CC per year, 1988 to 2002 (log scale, 1 to 100,000).
Figure: number of virus incidents reported to IPA per year, 1995 to 2002 (values shown: 2,035, 3,645, 2,640, 11,109, 700, 688, 24,261; 2002: 20,352).
Figure: route taken by computer virus in 1998, 2000 and 2002, by external source, mail, download and miscellaneous (percentages shown: 97.1%, 1.7%, 0.6%, 4.1%, 67.0%, 5.9%, 0.9%, 34.4%, 40.6%, 21.2%, 3.8%, 0.6%).

Page 11: How likely that your corporation would face cyber attack

■ Mentality on security management (Fujitsu survey; 450 companies)
Figure: radar chart (scale 0 to 10) of the Japanese average (series 1) against the international standard (series 2) across Organization, Operation, Education, Physical management, User management, Server/host data management, PC/WS management, Network and Audit.
While server data management is always a concern, not many pay enough attention to terminal data management, education and network management.

■ Users who conducted an attack test (Fujitsu’s customer data)
Risk levels: Level 1: -, Level 2: Alert, Level 3: Alarmed, Level 4: High Risk, Level 5: Fatal.
70% of the companies tested are prone to cyber attack (Level 4 or higher).

Business Field         | Higher than Level 4 | No. of Organizations
Manufacturing/Retail   | 91                  | 147
Public                 | 79                  | 92
Education              | 43                  | 55
IT/Telecommunication   | 30                  | 43
Finance                | 15                  | 25
Hospital               | 1                   | 3
Energy                 | 2                   | 2

Page 12: CodeRed / Nimda Virus

Figure: CodeRed/Nimda effect (resource: www.security.nl/misc/codered-stats/).
Loss due to CodeRed: approx. 325 billion yen; Nimda: approx. 65 billion yen (researched by Symantec).

Page 13: Case Study of Unauthorized Access

Page 14: Case Study: SCM of Company A (1)

Figure: Inventory Management System. Division A (Receipt and Shipping) connects over the intra network to a Regional Server and to the Inventory Management Host Computer, which holds the parts list, inventory data, delivery data etc.

Page 15: Case Study: SCM of Company A (2)

How a trouble starts: “Something is strange with the server.” The regional server of Division A went down; the DB was recreated; the server went down again; a check by an expert found signs of cracking.

Page 16: Case Study: SCM of Company A (3)

Unauthorized access using a common ID, from inside the company, altering operation data:
• Data on a regional server is deleted.
• Fake data is sent to the host server.
• A malicious program is implanted.
A monitoring device was installed, the relevant stock was counted, and shipping instructions were issued by fax.

Page 17: How to Deal with Moral Hazard

Set up a “mental barrier”:
• Individual identification (ID/password, biometrics)
• Obtaining access logs and regular checks
• Setting penalties
• Education
• Third-party audit (e.g., by another division)
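The case study turns on a shared (common) ID, and the countermeasure above is to obtain the access log and check it regularly. The following is an added example of such a check, not code from the Fujitsu deck: it flags a user account that logs in from two different hosts within a short window (the pattern a shared ID produces) and logins outside business hours. The log format, the sample lines, the hosts and the business-hours window are all constructed for the illustration.

```python
"""Regular check of an access log for shared-ID misuse (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; format (hypothetical): "<timestamp> <user> <source host> <result>"
SAMPLE_LOG = """\
2003-11-10T09:02:11 inventory_ops 10.1.5.21 OK
2003-11-10T09:05:40 inventory_ops 10.1.5.21 OK
2003-11-10T09:06:02 inventory_ops 10.1.9.77 OK
2003-11-10T13:15:00 tanaka 10.1.5.30 OK
2003-11-10T22:41:19 inventory_ops 10.1.9.77 OK
2003-11-11T02:10:05 tanaka 10.1.5.30 FAIL
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, user, host, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, result = line.split()
        events.append((datetime.fromisoformat(ts), user, host, result))
    return events


def shared_id_alerts(events, window_minutes=10):
    """Return (user, earlier_host, later_host) for successful logins by the
    same user from two different hosts within window_minutes of each other.
    One person rarely moves between machines that fast; a shared ID does."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    by_user = defaultdict(list)          # user -> [(timestamp, host), ...]
    for ts, user, host, result in sorted(events):
        if result != "OK":
            continue
        for prev_ts, prev_host in by_user[user]:
            if prev_host != host and ts - prev_ts <= window:
                alerts.append((user, prev_host, host))
                break
        by_user[user].append((ts, host))
    return alerts


def after_hours_logins(events, start_hour=8, end_hour=20):
    """Return (user, host, timestamp) for successful logins outside the
    assumed business hours [start_hour, end_hour)."""
    return [(user, host, ts.isoformat())
            for ts, user, host, result in events
            if result == "OK" and not start_hour <= ts.hour < end_hour]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for a in shared_id_alerts(ev):
        print("shared-ID use from two hosts:", a)
    for a in after_hours_logins(ev):
        print("after-hours login:", a)
```

Run on the sample, the check reports `inventory_ops` logging in from 10.1.5.21 and 10.1.9.77 within a minute, and a 22:41 login by the same account. Neither line is proof of misuse on its own; the point of a regular check is that a shared ID makes every such line unattributable to a person, which is why individual identification comes first in the list above.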

Page 18: A Lawyer’s Suggestions

7 rules to follow if your company wants to avoid a security-related trial (Daniel Rangin):
1. To decide security policy (clarify basic principles)
2. To carry out security audit
3. To specify security provisions in a contract
4. To pay extra attention to contract wording
5. To observe regular regulation
6. To consider subscribing to an exclusive insurance service
7. To be aware of the activities of other companies from the same industry

Page 19: A Lawyer’s Suggestions (continued)

The company itself must seriously review its current IT policies to determine whether there is a need to strengthen its security tactics in order to avoid indictment risk.

Page 20: Latest Trends - higher technique to attack -

• Random attack regardless of industry and company size
• Firewall isn’t perfect
• Blended threat
• Amazing spreading speed
• Infection coming from intranet

Page 21: Increasing threats to be expected from now on ~ Full-time connection, New media ~

• Attack targeting mobile phones
• Attack targeting PDAs
• Attack on Internet appliances (IPv6)
• Attack via game machines
• Intrusion/bugging through wireless LAN

Page 22: How to maintain IT security

Page 23: To maintain IT security

The following 3 criteria must be satisfied in terms of information and service:
• Confidentiality
• Integrity
• Availability

Page 24: Balancing between Information Systems

Figure: the company’s information systems (HR and Admin System, Basic System, Accounting System, Development System, OA System, Management System), each with its own security, to be balanced against one another.

It is absolutely necessary to have a plan to centralize the security policy.

Page 25: It is absolutely necessary to centralize the security policy

If security policies are NOT centralized: every system’s security policy (user security, equipment management, information, system management, education, operation management (managing users etc.), security functions (ID/password etc.)) has to be balanced against each of the others.

If security policies are centralized: a single security policy is promoted across user security, equipment management, information, system management, education, operation management (user management) and security functions (ID/password etc.).

Page 26: Improvement cycle for the IT security strategy

Planning security strategy
・ Planning of the corporate security policy
・ Planning of the countermeasures

Enforcement of the countermeasures
・ Adopt information technology
・ Organization/training arrangements
・ Arrangement of the operation flow outline

Security audit
・ Security operation audit
・ Detect new threats

The three phases form a repeating cycle: what the audit finds feeds the next round of planning.

Page 27: To consolidate ways of protection

Figure: three layers of protection.
Organization Layer: Security Policy, Security Team, End-user training, Security Certification
Infrastructure Layer: Anti-virus, Anti-unauthorized Access, Anti-information leaking, Datacenter, Contents Protection
Application Layer: ID Management, Electronic Document Guarantee, Secure Application

Page 28: Organization Measures (■ Organization / ■ Infrastructure / ■ Application)

・ Security Policy
・ Security check and assessment
・ Obtain official recognition of the security profile: ISO15408, ISO17799 (BS7799), Privacy Mark
・ Training and education for end-users

Page 29: Necessity of Security Policy

If no security plan exists (“What should we do?”), it is impossible to explain the security level of your own company when asked:
• From networking companies: “Security is fine despite network connection.”
• Norm of joint companies: “We will maintain security the same way as in our own company.”
• Conditions of providing network service: “What is the security level of your company?”
• A request from a government agency: “How does industry tackle security?”
• Lawsuit related to security incidents: “Is the security level appropriate for a particular industry?”

If a security plan exists (“We have a security plan!”), the security plan document answers these questions, can be certified, and could get ISO recognition in the future.

Page 30: Security Policy Structure

Company unit (Operation Security Plan):
• Company security planning
• Information security basic regulation (basic regulation)
• Information security measure standard (baseline)
• Operation manuals and all kinds of manuals

System/operation unit (System Security Plan):
• System implementation
• System operation manuals

Steps: steps of planning (security planning), steps of implementation (set up environment), steps of checking (security check), steps to obtain official recognition (ISO15408 recognition, ISO17799/BS7799 recognition).

The framework to prescribe includes: maintaining information security, structuring an organization to promote it, penalty regulations, staff security, and maintaining training as part of the security policy.

To promote the information security policy and combat potential threats, we must prescribe: system access restrictions, resource access restrictions, memory medium management, network management, data exchange management, document management, etc.

Page 31: Sample of Security Policy Documents

IT Security Declaration

◆ IT security basic information
Chapter 1 General Rules
Chapter 2 Information asset management classified
Chapter 3 IT Security Policy
Chapter 4 Info security organization/role
Chapter 5 Reviewing information security
Chapter 6 Legal terms to follow
Chapter 7 Penalty
Chapter 8 Revision
Additional Rule

◆ Information security measure standard
1 Shared Section: Cp1 Information management security; Cp2 Documentation management; Cp3 Memory medium management; Cp4 Office management; Cp5 Info system equipment management; Cp6 Standard to protect personal data; Cp7 Study information security; Cp8 Operating continuation plan
2 HR Department: Cp9 Staff management; Cp10 Outsourcing contract; Cp11 Facilities management
3 IT System Implementation Rule: Cp12 Design security function; Cp13 Product quality management; Cp14 Development environment management; Cp15 Use delegation security
4 IT System Operation: Cp16 IT system operation management; Cp17 System change management; Cp18 IT security accident management; Cp19 Backup management; Cp20 User registration management; Cp21 External data exchange management; Cp22 Host/Server management; Cp23 Computer virus policies; Cp24 Software management; Cp25 Machine room management
5 Network: Cp26 Network management; Cp27 Remote access management; Cp28 Network connecting affiliated companies management
6 User Management: Cp29 User security; Cp30 Email security; Cp31 PC management security; Cp32 Mobile security; Cp33 Training standard on IT security
Rule Appendix

Page 32: Security Policy Promotion Team

The security team should be given authority for:
• Assignment of a network/security officer
• Defining the security policy and auditing
• Daily comprehensive security monitoring
• Education/training on security
• etc.

Page 33: Infrastructure Measures (■ Organization / ■ Infrastructure / ■ Application)

Data Center: anti-earthquake structure, monitoring cameras, in-out control, installation of security areas etc.

Secure network:
・ Barrier segment (zone defense, VPN)
・ Virus protection
・ Intrusion monitoring (24x365)
・ High quality/density security attack test

Secure contents:
・ Measures against information leaking: burglary protection, encryption, IPR protection
・ Contents protection: long-term digital data back-up

Page 34: Barrier Segment Method

Figure: Internet, router, firewall, DMZ (External Proxy, Public WWW, External Mail server, External DNS, RADIUS server, public ISDN access), corporate network (Internal Proxy, Corporate WWW, Internal Mail server, Internal DNS, operation administration server, duplication), with intrusion detection (IDS) and virus check points.

Network configuration/firewall
・ Minimize security risk / install firewall
・ Adopt DMZ configuration
・ Prohibit external access through Telnet and FTP
・ Internal firewall / filtering
・ Prohibit internal dial-up connections
・ Attack test

Network server
・ Suspend unused services
・ Periodic software upgrade, patching
・ Delete unused CGI
・ Measures against SPAM mail
・ Set appropriate access limits

Monitoring and logging
・ Save & check various logs
・ Prevent deletion or alteration of log files
・ Detection of unauthorized attack
・ Mail/URL filtering and audit

Administration
・ Installation of the software / settings
・ Physical/logical protection of servers & network devices
・ Password for administrator
・ Documentation of the system administrator’s job and service level agreement

Virus protection
・ Protection from Internet intrusion
・ Protection for clients and servers

Others
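The barrier-segment layout above amounts to a default-deny policy between three zones: the Internet may reach only the published DMZ services, the corporate network is never reachable from the Internet directly, and services such as Telnet and FTP are not exposed. The following is an added example, not Fujitsu’s code, that models those zones and rules and evaluates sample connections against them; the address ranges, the allow list and the sample flows are constructed for the illustration. A check like this is useful when reviewing a firewall rule set or auditing flow logs, because it makes the intended segmentation explicit and testable.

```python
"""Default-deny zone policy check for a DMZ layout (added example)."""
from ipaddress import ip_address, ip_network

# Constructed zone map: any address outside these ranges is "internet".
ZONES = {
    "dmz": [ip_network("192.0.2.0/24")],
    "corporate": [ip_network("10.0.0.0/8")],
}


def zone_of(addr):
    """Map an address to its segment; unknown ranges are treated as Internet."""
    a = ip_address(addr)
    for name, nets in ZONES.items():
        if any(a in net for net in nets):
            return name
    return "internet"


# Allow rules as (from_zone, to_zone, protocol, port). Everything else is denied,
# which is what "adopt DMZ configuration" and "internal filtering" amount to.
ALLOW = {
    ("internet", "dmz", "tcp", 80),      # public WWW server
    ("internet", "dmz", "tcp", 25),      # external mail server
    ("internet", "dmz", "udp", 53),      # external DNS
    ("dmz", "corporate", "tcp", 25),     # external mail relays inward only on SMTP
    ("corporate", "dmz", "tcp", 3128),   # internal proxy chains to external proxy
    ("corporate", "dmz", "udp", 53),     # internal DNS forwards to external DNS
}


def is_allowed(src, dst, proto, port):
    """Default deny: permitted only if an explicit allow rule matches."""
    return (zone_of(src), zone_of(dst), proto, port) in ALLOW


def audit(flows):
    """Evaluate (src, dst, proto, port) flows; return [(flow, 'ALLOW'|'DENY'), ...]."""
    return [(f, "ALLOW" if is_allowed(*f) else "DENY") for f in flows]


# Constructed sample flows, e.g. from a firewall log or a proposed rule change
SAMPLE_FLOWS = [
    ("203.0.113.5", "192.0.2.10", "tcp", 80),    # Internet -> public WWW
    ("203.0.113.5", "192.0.2.10", "tcp", 23),    # Internet -> DMZ Telnet (prohibited)
    ("203.0.113.5", "10.2.3.4", "tcp", 80),      # Internet -> corporate directly
    ("10.2.3.4", "192.0.2.20", "tcp", 3128),     # internal proxy -> external proxy
    ("192.0.2.10", "10.2.3.4", "tcp", 445),      # DMZ host reaching into corporate
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(verdict, flow)
```

The last sample flow is the one the DMZ exists for: if the public WWW server is compromised, the only path it has into the corporate network is the single SMTP rule, and anything else from the DMZ inward is denied and should show up in the IDS and firewall logs.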

Page 35: Application Measures (■ Organization guideline / ■ Infrastructure / ■ Application)

・ Application development guideline
  - Regulation of Web application source code (check functions/factors and input characters)
  - Java application development guideline
・ Application authentication/access control
  - Selection of authentication method (ID/password, one-time password, biometrics, electronic certificate and so on)
  - Study PKI implementation: decide the target business; decide whether to self-operate or outsource the CA; decide the operation guideline of the certificates (issue/invalidation/reissue); PKI products (CA, RA, repository, smartcard etc.); outsourcing (Verisign, JCSI)
・ Electronic Document Guarantee

Page 36: Classification of security holes reported to Bugtraq

Coding error is seen as the source of the problem in 50% of all cases.

Category (share)                        | Sub-category              | No. of cases
Things to consider when coding (51%)    | Input Validation Error    | 346
                                        | Boundary Condition Error  | 162
                                        | Failure to Handle         | 138
                                        | Race Condition Error      | 29
                                        | Atomicity Error           | 8
                                        | Serialization Error       | 7
                                        | (690 cases)               |
Things to consider at design (28%)      | Access Validation Error   | 196
                                        | Design Error              | 178
                                        | (374 cases)               |
Things to consider in operation (6%)    | Environment Error         | 66
                                        | Configuration Error       | 17
Things to refer to (4%)                 | Origin Validation Error   | 50
Other/Unknown (11%)                     | Unknown                   | 144
Total                                   |                           | 1341

Descriptions of the sub-categories as given on the slide: error when checking input data size; error in verifying input data content; processing error for input data outside the specified range; a dangerous race (competitive) state will occur; the atomic nature of processing is not guaranteed; the processing order is not guaranteed; error in granting access restrictions; things left out at the design stage; problem in the default configuration; error in considering the user environment; a bug from the original source managed to spread across.
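The three largest coding categories in the table (input validation, boundary condition, failure to handle out-of-range input) are the checks a parser has to perform before it trusts a byte of input. The following is an added example, not from the deck, of a parser for a constructed length-prefixed inventory record that performs all three explicitly: the declared length is checked against the buffer and an upper bound (boundary condition), the field content is verified rather than assumed (input validation), and an out-of-range value is rejected instead of processed (failure to handle). The record format, field limits and sample inputs are hypothetical.

```python
"""Input size, content and range checks in a record parser (added example)."""
import struct

MAX_PART_LEN = 32        # hypothetical limit on the part-number field
MAX_QTY = 100_000        # hypothetical upper bound on a shipment quantity


class RecordError(ValueError):
    """Raised for any input the parser refuses to process."""


def parse_record(buf: bytes):
    """Constructed format: u16 big-endian length n, n bytes of part number
    (ASCII letters, digits and '-'), then u32 big-endian quantity."""
    # Boundary condition: the header must be present before it is read.
    if len(buf) < 2:
        raise RecordError("truncated header")
    (n,) = struct.unpack(">H", buf[:2])
    # Boundary condition: the declared length must fit both the limit and the buffer.
    if n == 0 or n > MAX_PART_LEN:
        raise RecordError(f"part number length {n} outside 1..{MAX_PART_LEN}")
    if len(buf) < 2 + n + 4:
        raise RecordError("buffer shorter than declared record")
    part = buf[2:2 + n]
    # Input validation: check what the bytes contain, not only how many there are.
    if not part.isascii() or not all(c.isalnum() or c == "-" for c in part.decode("ascii")):
        raise RecordError("part number contains invalid characters")
    (qty,) = struct.unpack(">I", buf[2 + n:2 + n + 4])
    # Failure to handle: a value outside the specified range is rejected, not processed.
    if qty > MAX_QTY:
        raise RecordError(f"quantity {qty} exceeds {MAX_QTY}")
    return part.decode("ascii"), qty


def encode_record(part: str, qty: int) -> bytes:
    """Build a record in the constructed format; deliberately does not validate,
    so it can produce the malformed inputs the parser must reject."""
    p = part.encode("ascii")
    return struct.pack(">H", len(p)) + p + struct.pack(">I", qty)


def check(buf: bytes):
    """Return ('ok', (part, qty)) or ('rejected', reason)."""
    try:
        return "ok", parse_record(buf)
    except RecordError as e:
        return "rejected", str(e)


# Constructed samples: one good record and one per failure class
SAMPLES = [
    encode_record("PN-1001", 250),                 # well-formed
    struct.pack(">H", 500) + b"PN-1001",           # declared length exceeds limit and buffer
    encode_record("PN-1001", 250)[:-1],            # truncated by one byte
    encode_record("PN<script>", 1),                # size fine, content invalid
    encode_record("PN-1001", 2**31),               # parses, but out of range
    b"\x00",                                       # no complete header
]


def check_all():
    """Run every sample through the parser; returns the list of (status, detail)."""
    return [check(s) for s in SAMPLES]


if __name__ == "__main__":
    for result in check_all():
        print(result)
```

The order of the checks matters: the length is validated before it is used to slice, the content before it is decoded, and the numeric range before the value reaches any inventory logic. Dropping any one of them reproduces one of the three rows at the top of the table.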

Page 37: Conclusion

Page 38: Principles in IT Security

Guideline on Information System Security (OECD: 2002):
1) Awareness
2) Responsibility
3) Response
4) Ethics
5) Democracy
6) Risk Assessment
7) Security design and implementation
8) Security Management
9) Reassessment

Page 39: Examples of FUJITSU’s Solutions and Demonstration

• Fujitsu’s Attack Test Service
• Logical Protection of PCs (Safetywin)
• Biometric (Palm Vein Pattern Recognition)

Page 40: Fujitsu’s Attack Test Service (1)

Figure: the scanning server (US and Europe) scans the customer’s Internet site (firewall, WWW server, mail server etc.) in cooperation with the customer, who applies for scanning of an IP address and receives a results report.

• Provides the highly reputed QualysGuard™ service of Qualys (USA), the first in Japan.
• Rapid countermeasures to security holes: when a new security hole is discovered, the attack pattern that detects the corresponding security hole is generally reflected within one day.
• High-speed scanning (15-20 min/server).

Page 41: Fujitsu’s Attack Test Service (2)

Reference: example of result report (1)
• High-speed diagnosis: 1 server in only 15 to 20 minutes.
• Visual display of security risks.

Page 42: Fujitsu’s Attack Test Service (3)

Reference: example of the result report (2)
• Diagnosis logs are provided, so the administrator can easily analyze further why a particular security weakness was judged as such.
• High-quality, easy-to-read diagnosis report in Japanese (only Fujitsu).
• Diagnosis results and proposed countermeasures are displayed separately.

Page 43: Attack Test Service Express Enhancement

Attack Test Service Express’s system is enhanced in the following manner:
・ On top of the conventional scanning using the Internet as the medium, Fujitsu can now also provide intranet scanning. Using the latest knowledge, this is an extensive intranet server scanning service. With 1 appliance server, it is possible to scan up to 5000 units within one day.
・ Consultation on the test report is an additional option.

Figure: Qualys Data Center (remote scanners, database server, web application server), Internet, firewall, customer’s site (intranet scanner, intranet servers, administrator’s browser).

Page 44: Logical Protection of PCs (Safetywin)

• Practical measures to prevent system problems by setting restrictions on the basic functions of the Windows OS.
• A reduction in the time spent on trouble-shooting and maintenance.
• A practical system environment to suit each user’s PC skill.

Page 45: Safetywin key features - for system administrators

Protects PCs by setting restrictions on the functions of the Windows OS.
• Protects the system from unsuitable operations.
• Applications which are not Windows standard can also be controlled.
• Restrictions can be easily set by clicking the check boxes on the screen.

Provides a higher level of security by setting access authorities.
• Prohibits the installation of software.
• Guards specified drives/folders/files.
• Limits the applications which can be run.

Applicable to various system environments.
• Each client machine environment can be easily set by clicking the icon on the server machine (server option required).
• A change of the guard settings can be automatically dispatched from the server to clients (server option required).

A suitable environment can be provided for each user, and the number of telephone calls to the system administrator will be reduced.

Page 46: Safetywin key features - for users

Users can operate PCs without concern for the system environment. Safetywin is a preventive measure for system problems; users cannot feel secure when restoration is the only solution.
• No need to worry about changing the control panel settings accidentally.
• No need to worry about destroying valuable system assets accidentally.
• No confusing windows or applications appear on the screen.

Page 47: Safetywin setting example 1: Public terminal

Page 48: Safetywin setting example 1: Public terminal (continued)

Only necessary icons will be displayed on the Desktop.

Page 49: Safetywin setting example 2: School computer

Page 50: Safetywin setting example 2: School computer (continued)

Access to the specified control panel item will be prohibited.

Page 51: Safetywin setting example 3: Internet access

Page 52: Safetywin setting example 3: Internet access (continued)

Access to a URL which contains the specified keyword will be prohibited.

Page 53: Biometric (Palm Vein Pattern Recognition)

Palm vein pattern recognition is one form of biometric authentication: a technology to confirm a person’s identity based on the palm vein pattern.
1. A palm vein pattern is extracted from a picture taken under infrared light (infrared image; vein and hand contour image).
2. The palm vein pattern is checked against the patterns stored in the system.

Page 54: Merits of Palm Vein Pattern

The palm vein pattern…
• will not vary over the course of a person’s lifetime after setting while still in the mother’s womb, apart from size.
• lies under the skin, which makes it that much harder for others to read.
• is unique to every individual, even in twins.

Page 55: The World’s First Contactless Method

High precision of individual identification: tested with the cooperation of 700 people aged 10 to 70 from different walks of life, a total of 1,400 palm profiles were collected. The system had a false rejection rate of 1% and a false acceptance rate of 0.5%, in the case that two vein patterns are used in registration.

Figure: contactless palm vein recognition unit.
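The matching step described on the palm vein slide (a captured pattern is compared against stored patterns) and the FRR/FAR figures quoted above are two sides of one decision: a match score is accepted when it clears a threshold, and the threshold fixes both error rates at once. The following is an added example, not Fujitsu’s data or matching algorithm, that computes the false rejection rate and false acceptance rate from genuine and impostor scores and picks the threshold that meets a target FAR. The scores are synthetic, generated with a fixed seed so the run is reproducible, and do not model real palm vein data.

```python
"""FRR/FAR from match scores and threshold selection (added example)."""
import random


def make_scores(n_genuine=1000, n_impostor=2000, seed=7):
    """Constructed similarity scores in [0, 1]: genuine pairs (same person)
    score high, impostor pairs (different people) score low, with overlap."""
    rng = random.Random(seed)
    clamp = lambda x: min(1.0, max(0.0, x))
    genuine = [clamp(rng.gauss(0.80, 0.08)) for _ in range(n_genuine)]
    impostor = [clamp(rng.gauss(0.35, 0.10)) for _ in range(n_impostor)]
    return genuine, impostor


def frr(genuine, threshold):
    """False rejection rate: share of genuine attempts scoring below threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(impostor, threshold):
    """False acceptance rate: share of impostor attempts scoring at or above threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def threshold_for_far(impostor, target_far):
    """Lowest threshold whose FAR does not exceed target_far: allow at most
    floor(target_far * N) impostor scores at or above it."""
    ranked = sorted(impostor, reverse=True)
    k = int(target_far * len(ranked))
    if k >= len(ranked):
        return 0.0
    # Just above the (k+1)-th highest impostor score, so at most k are accepted.
    return ranked[k] + 1e-12


def operating_point(genuine, impostor, target_far):
    """Return (threshold, FAR, FRR) at the chosen threshold."""
    t = threshold_for_far(impostor, target_far)
    return t, far(impostor, t), frr(genuine, t)


if __name__ == "__main__":
    g, i = make_scores()
    t, a, r = operating_point(g, i, 0.005)
    print(f"threshold={t:.3f}  FAR={a:.4f}  FRR={r:.4f}")
    # Raising the threshold lowers FAR and raises FRR; the trade-off is one knob.
    for t2 in (0.5, 0.6, 0.7):
        print(f"threshold={t2:.2f}  FAR={far(i, t2):.4f}  FRR={frr(g, t2):.4f}")
```

The two quoted figures are a single operating point on this trade-off, which is why a vendor’s FAR and FRR only mean something when reported together and with the registration conditions (here, two vein patterns enrolled).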
