Emerging Cybersecurity Threats: Future Outlook

Leonard Ong, CISA, CISM, CRISC, CGEIT, COBIT 5 Implementer & Assessor
19 June 2016

AGENDA:
1. The current state of cybersecurity
2. Threat outlook for 2018
3. What comes next
4. Key takeaways

The current state of cybersecurity

Cyber incidents causing serious economic losses:
• IP theft in the United States: >$300 billion (IP Commission Report)
• Singapore: $1 billion (Ponemon Institute)
• Losses from cybercrime: $575 billion (Symantec, McAfee)

2015 Global Cybersecurity Status Report (ISACA)
Across more than 3,400 respondents worldwide, 83% recognise cyber attacks as one of the top three threats to business. Despite this, only 38% say they are prepared for sophisticated attacks.
86% feel there is a shortage of cybersecurity skills.
VISIT: WWW.ISACA.ORG/CYBERSECURITYREPORT

Cybersecurity from the executive perspective
• 65% of executives stated that cyber risk has reached, or risen to, a high level.
• While 58% said they should have taken more measures earlier, only 14% have actually acted.

Threat outlook for 2018

THE NEXT TWO YEARS

This section offers non-information security context against which the threats in this report may be viewed. It describes a world where uncertainty is pervasive and change is likely to be accompanied by significant and swift impact. These potential changes are set out as ideas to challenge the reader, and are described using the PESTLE model (see Figure 1). ISF Members are encouraged to consider these factors and add others from their own experience when considering the threats set out in this report.

Figure 1: The PESTLE model (political trends, economic trends, social trends, technological trends, legal and regulatory trends, environmental impact)

POLITICAL
Significant acts of terrorism will continue, with varying responses from leading countries. As a result, politically motivated changes may introduce restrictions on the movement of people and goods across international borders, making business more difficult and expensive.[1] An increasingly fraught political situation could worsen between world powers – particularly NATO (North Atlantic Treaty Organisation) and Russia – with a return to the Cold War, possibly hastened by a change of administration in the USA which may wish to redress the balance of world power.[2] Other events, such as an unravelling of the Iranian nuclear deal or aggressive actions by North Korea, could add to the instability.[3]

ECONOMIC
Economic growth will continue to be unevenly spread across the major economic powers, resulting in unpredictable outcomes as many try to keep pace with a growing US economy and rising interest rates.[4] Of equal concern are the potential effects of sustained low commodity prices, which may in turn lead to the failure of one or more political administrations that rely heavily on high oil prices, thus jeopardising future supplies.[5]

SOCIAL
Persistent deflation and austerity will continue to impact many countries. For some, this will create increased mobility to seek work, but at what social cost?[6] The conditions could well be set to further fuel a move from free market capitalism towards alternative economic approaches.[7] This could result in social unrest, with highly fluid and far-reaching consequences for organisations around the world.[8]

TECHNOLOGICAL
Technology will remain an area of rapid change and thus features in many of the threats set out in this report. During the next two years, it is feasible that the first cyber-related deaths will occur, especially as new health or transport systems are hacked.[9] A severe and widely publicised insider attack will become inevitable, either due to ignorance, worker disenchantment or coercion by a third party.[10] Organisations should therefore already be asking themselves: 'If Edward Snowden can severely disrupt the workings of governments, what could a commercial counterpart do to us?'

LEGAL
The pipeline of legislation and regulation will continue to grow. While much of this change may be viewed by organisations as burdensome, it will still require compliance: so, when will the first hefty fines be imposed for non-compliance in the face of these changing demands?[11] At the same time, the reaction of the public and media may be unpredictable. Will they become apathetic to information security incidents, or will they bring legal action against organisations that fail to protect their data? The next two years may see the first failure of a large organisation due to a major information security incident. Loss of trust, customer and media backlash, and a substantial reduction in share price will combine to place that organisation in an unrecoverable position.

ENVIRONMENTAL
Despite the seemingly positive outcome from the 2015 United Nations Climate Change Conference (COP21), global warming will continue to wreak havoc on weather systems, people and economies.[12] Unwanted side effects may include major outages in power and shortages of other key resources such as clean water. Businesses with plans and initiatives in regions susceptible to severe weather will suffer. The future of alternative energy sources such as wind farms, tidal lagoons and solar arrays is expected to face continued opposition, possibly jeopardising their future.[13]

1 P. Wintour, "G20 to discuss threat of Isis infiltrators among EU migrants after Paris attacks", The Guardian, 15 November 2015, www.theguardian.com/world/2015/nov/15/g20-cameron-world-leaders-turkey-paris-attacks-syria
2 N. MacFarquhar and S. Erlanger, "NATO-Russia Tensions Rise After Turkey Downs Jet", The New York Times, 24 November 2015, www.nytimes.com/2015/11/25/world/europe/turkey-syria-russia-military-plane.html?_r=0
3 R. Gladstone and T. Erdbrink, "Tensions in Iran After Nuclear Deal Grow in Hostility", The New York Times, 15 November 2015, www.nytimes.com/2015/11/16/world/middleeast/tensions-in-iran-after-nuclear-deal-grow-in-hostility.html
4 L. Phillips, "Forex focus: Fed's first rate rise in 10 years will have a global impact", The Telegraph, 1 December 2015,

Threat 1.1: Leakage of confidential information through the IoT (Internet of Things)
Impact:
• Rising fines and legal costs following incidents
• Increased legal liability
• Reputational risk
Recommendations:
• Obtain consent and put data protection measures in place before deploying IoT
• Verify the transparency of, and compliance with, policies and terms of use
• Do not treat the IoT as merely another category of device
• Update policies, standards, guidelines and processes
Source: PerfectCloud.io

Threat 1.2: Opaque algorithms lead to a lack of safety
Impact:
• Algorithms that are not maintained lead to lost revenue and delays
• Failures in core systems increase because of a lack of expertise
• Incidents damage trust and reputation
Recommendations:
• Identify systems that rely on vulnerable algorithms and understand the legal liabilities
• Update code management policies
• Identify alternative ways of handling the risk arising from algorithm-related incidents
• Lead robust business continuity and recovery planning
Source: The Hacker News

Threat 1.3: Rogue governments use terrorist groups for cyber attacks
Impact:
• Brand damage, declining revenue and even bankruptcy
• Business disruption as SIEM (Security Information and Event Management) systems are exposed to repeated attacks
Recommendations:
• Adopt a risk management process and address threats with new capabilities
• Evaluate existing controls and focus on raising resilience
• Seek threat intelligence sharing through cooperation with governments and organisations facing similar threats
Source: Security Intelligence

Threat 2.1: Major incidents expose a mismatch with executive expectations
Impact:
• Costly incidents arising from incomplete risk assessments
• Lack of capability against threats and incidents impedes decision-making
Recommendations:
• Work with senior management to provide reliable cyber risk information on a regular basis
• Align management expectations for security improvement with the current and future capabilities of the CISO and the information security function
• Launch a talent programme that moves the CISO and the information security function from specialists to trusted business partners
• Learn from others
Source: Slash Gear

Threat 2.2: Researchers conceal security vulnerabilities
Impact:
• Business disruption caused by dangerous software that should have been fixed
• Manufacturers' sales decline when the concealment of vulnerabilities becomes public
• Damage to manufacturers that concealed vulnerabilities which led to fatalities
Recommendations:
• Consider financial rewards for researchers who act responsibly
• Use intermediaries to reach satisfactory disclosure agreements
• Pursue a high level of transparency in the procurement process
Source: LinkedIn

Threat 2.3: Disappearance of the cyber insurance safety net
Impact:
• Organisations lose access to risk transfer
• High cost of applying alternative measures
• The cyber insurance market slows down because of creditworthiness assessments
Recommendations:
• Re-evaluate the risk management strategy in advance and understand which risks are transferred through cyber insurance
• Scrutinise cyber insurance for potentially costly exclusions
Source: Business Insider

Threat 3.1: Disruptive companies provoke the anger of governments
Impact:
• Huge fines for organisations that resist rather than cooperate with governments
• Companies in the IT sector come under stricter scrutiny
Recommendations:
• Understand the local situation for delivering products and services, and avoid political backlash
• Devise a clear strategy for political influence, tailored to principle-based regulatory systems
• Consider the potential for aggregated impact
Source: Euractiv

Threat 3.2: Regulation fragments the cloud
Impact:
• Operations and production stall as cloud services are fragmented across multiple countries
• Additional resources are needed to keep the cloud compliant
• Organisations themselves must meet data protection standards
Recommendations:
• Understand that regulation will keep changing
• Look ahead and devise a strategy before it is too late
Source: Security Intelligence

Threat 3.3: The gap between criminal capabilities and international policing
Impact:
• Organisations' lack of technical capability fails to deter cybercrime and damages the brand
• Losses are made worse by the growth of e-commerce and insufficient cooperation with international law enforcement
• Reduced ability to do business overseas
Recommendations:
• Strengthen threat intelligence and improve resilience
• Act proactively and lobby governments to build international frameworks

What comes next

Security by design, privacy by design
1. Technology must have sufficient security features and be securely configured before it reaches the customer.
2. Personal data protection principles must be an integral part of the product's features and behaviour.
3. Customers must be able to secure the product with little effort and without specialist knowledge.
4. The burden of securing the product should fall less on the customer than on the vendor.

Ethical technology development
1. The pharmaceutical, medical and legal industries have rigorous testing and licensing systems. Reducing unexpected accidents and poor-quality drugs also leads to a reduction in specialist personnel.
2. Technology development should undergo appropriate review in areas such as society, safety and privacy.
3. It is important that security by design and privacy by design are each reviewed separately.

Key takeaways
1. The damage caused by cyber attacks, and their frequency, will continue to increase
2. Losses from the theft of intellectual property far exceed the cost of cybercrime
3. Cybercrime is a "tax" on business and innovation
4. Disruptive technology that lacks robust security and privacy protection
5. The need for a code of ethics in technology development

DISCUSSIONS