新たに発生するサイバーセキュリティの脅威： 今後の展望

新たに発生するサイバーセキュリティの脅威：
今後の展望
Leonard Ong, CISA, CISM, CRISC, CGEIT, CoBIT 5 Implementer & Assessor
19 June 2016
AGENDA：
1. サイバーセキュリティの現在
2. 2018年の脅威の展望
3. その後の展開
4. 重要なポイント
サイバー
セキュリティの現
在
重大な経済的損失を引き起こすサイバーインシデント
IP Theft in United States
>$ 300 Billion
IP Commission Report
Ponemon Institute
Singapore
$ 1 Billion
Losses from Cybercrime
$ 575 Billion
Symantec
McAfee
2015
GLOBAL
CYBERSEC
URITY
STATUS
REPORT
８３％
世界中で3,400以上の被害
の人がサイバー攻撃はビジネスに与える脅威のトップ3であると認識している。にもかかわらず
３８％
の人しか洗練された攻撃への準備ができていないと回答。
VISIT : WWW.ISACA.ORG/CYBERSECURITYREPORT
2015
GLOBAL
CYBERSEC
URITY
STATUS
REPORT
８６％
の人がサイバーセキュリティのスキル不足を感じている
VISIT WWW.ISACA.ORG/CYBERSECURITYREPORT
世界中で3,400以上の被害
経営者の視点から見るサイバーセキュリティ
>経営者の65%が、サイバーリスクが高いレベルに到達し
た、もしくは、上昇したと証言しました。
58%が以前からもっと策を講じておくべきだったとする中で
、実際に行動を起こしたのは14%に過ぎません。
2018年の
脅威の展望
T
L
IC
CH
economic
approaches.
This could
result
in social
unrest,
withcountries.
highly fluid
and
6
Persistent
deflation
and austerity
will
continue
to impact
many
For
some,
NO OG
L set to further fuel a move from free market capitalism towards alternative
using
the
model (see Figure 1). ISF
could
well be
set out
in PESTLE
this report.
8
far-reaching
consequences
for
organisations
around
the
world.
this will create
increased
mobility
seekinwork,
at what
cost?
7
Members are encouraged to consider these
economic
approaches.
This
could to
result
socialbut
unrest,
withsocial
highly
fluidThe
andconditions
could well beconsequences
set to furtherfor
fuelorganisations
a move fromaround
free market
capitalism
towards alternative
8
far-reaching
the world.
factors and add others from their own
7
economic approaches. This could result in social unrest, with highly fluid and
Significant
of terrorism will continue, with
varying responses from leading
experience when considering
the acts
threats
far-reachingN Oconsequences
for organisations around the world.8
1
O G remain restrictions
Lintroduce
maywill
Technology
an area of rapid change and thus features in many of the threats
set out in this report. countries. As a result, politically motivated changes
on the movement of people and goods across
making
international
in borders
this report.
During
the next two years, it is feasible that the first cyber-related deaths
Technology will remain an area of rapid change and thus features in many
of the threats
9
business more difficult and expensive. An increasingly
fraught
political
situation
will
occur,
especially
as
new
health
or
transport
systems
are
hacked.
A
severedeaths
and
in this report. During the next two years, it is feasible that the first cyber-related
Significant
acts
of
terrorism
will
continue,
with
varying
responses
from
leading
Technology
will
remain
anattack
areaTreaty
ofwill
rapid
change and thus features
in9many
of the threats
couldoffers
worsen between
world powers – particularly
NATO
(North
Atlantic
widely
publicised
insider
either
due
to
ignorance,
This section
non-information
security
will
occur,
especially
as
new
health
orbecome
transportinevitable,
systems are
hacked.
A severe
and worker
Figure
1:
The
1
10
countries.
As
a
result,
politically
motivated
changes
may
introduce
restrictions
in this
During
the
next two
years,party.
it is feasible
that the first
cyber-related
deaths
Organisation) and Russia – with a return to the
Coldreport.
War, possibly
hastened
disenchantment
or
coercion
abythird
Organisations
should
thereforeworker
already be
widely
publicised
insider
attackbywill
become inevitable,
either due
to9ignorance,
context against
which
the
threats
in
this
PESTLE
model
will
occur,
especially
as
new
health
or
transport
systems
are
hacked.
A
severe
and
on
the movement
of peopleinand
across
borders
making
a change
of administration
the goods
USA which
may
wish
to
redress
balance
of party.
asking
themselves;
‘Ifthe
Edward
can10severely
disrupt
the workings
governments,
disenchantment
or international
coercion
by Snowden
a third
Organisations
should
thereforeofalready
be
O
2
O
widely
publicised
insider
attack
will
become
inevitable,
either
due
to
ignorance,
worker
A
business
more
difficult
and
expensive.
An
increasingly
fraught
political
situation
LL I T I CC A
what
could
a
commercial
counterpart
do
to
us?’
world
power.
Other
events,
such
as
an
unravelling
of
the
Iranian
nuclear
deal
asking themselves; ‘If Edward Snowden can severely
disrupt the workings of governments,
report may be viewed.
3Atlantic
disenchantment
or coercion
byTreaty
a third party.10 Organisations should therefore already be
could
worsen actions
between
– particularly
NATO
(North
or aggressive
byworld
Northpowers
Korea, could
add
to
the
instability.
what could a commercial counterpart do to us?’
asking
‘If Edward
Snowden
can severely disrupt the workings of governments,
Organisation) and Russia – with a return to the
Coldthemselves;
War, possibly
hastened
by
couldto
a commercial
It describes
a world
where uncertainty
a change
of administration
in the USA whichwhat
may wish
redress thecounterpart
balance of do to us?’
The
pipeline
of
legislation
and regulation will continue to grow. While much of this change
2
world
power.
Other
events,
such
as
an
unravelling
of
the
Iranian
nuclear
deal R
C
Economic
growth
will
continue
to
be
unevenly
spread
across
the
major
economic
ONOM
is pervasive and change is likely to be The
maypipeline
be viewed
by organisations
as burdensome,
it will
still require
so, when
of legislation
and
regulation
will
to grow.
While compliance:
much of this change
E continue
ONM
3
or
aggressive
actions
by
North
Korea,
could
add
to
the
instability.
powers, resulting in unpredictable outcomesmay
as many
tryhefty
toby
keep
pace
withas
a burdensome,
be viewed
organisations
it will stillinrequire
compliance:
so, when
will
the
first
fines
be imposed
for non-compliance
the face
of these changing
accompanied
by
significant
and
swift
impact.
The
of
legislation
and
regulation
will
continue
to
grow.
While
much
of
this
change
4 pipeline
11
growing US economy and rising interest rates.
Of
equal
concern
are
the
potential
will
the first hefty
fines
be time,
imposed
non-compliance
in the
of these
demands?
At the
same
thefor
reaction
of the public
andface
media
may changing
be unpredictable.
may be
viewed
bylead
organisations
asreaction
burdensome,
will still
compliance:
so, when
11
effects of sustained
loware
commodity
prices,
may
inAtturn
thetofailure
demands?
the
sametotime,
the
ofsecurity
theitpublic
andrequire
media
maythey
be unpredictable.
These potential
changes
set out
aswhich
ideas
Will
they
become
apathetic
information
incidents,
or will
bring legal action
will
the
first
hefty
fines
be
imposed
for non-compliance
in theor
face
these
changing
Economic
growth
will continue
to be unevenly
spread
across
the
major
economic
of one or more
political
administrations
thatWill
rely
heavily
on high
oil
prices,
they
become
apathetic
to
information
security
incidents,
willofthey
bring
legal action
against
organisations
that
fail
tothus
protect their
data?
11
demands?
At the same
time,
the
reaction
ofdata?
the public and media may be unpredictable.
to challenge
the
reader,
and
5are described
against
organisations
that
fail
to
protect
their
powers,
resulting
unpredictable
outcomes
as many
try to
with
jeopardising
futureinsupplies.
The next
two years
may see
thekeep
firstpace
failure
of a large
Will
4 they become apathetic to information security incidents, or will they bring legal action
US economy
and
rising
interest 1).
rates.
Ofincident.
equal concern
thecustomer
potential
organisation
due to a major
information
security
Loss ofare
trust,
using the growing
PESTLE
model
(see
Figure
ISF
against
organisations that fail to protect their data?
effects
of sustained
prices,
whichinmay
in price
turn lead
to the failure
and media
backlash,low
andcommodity
a substantial
reduction
share
will combine
to
Despite the seemingly positive
outcome from the 2015 United Nations Climate Change
MembersPersistent
are
encouraged
to
consider
these
6
SO
LEGAL
of
onethat
or more
political
administrations
thatposition.
rely
on high
oil
prices,outcome
thus
place
organisation
an unrecoverable
deflation
andin
austerity
will continue
to heavily
impact
many
countries.
For
some,
CIAL
Despite
the seemingly
positive
from
the 2015
United
NationsonClimate
Change
Conference
(COP21),
global
warming
will
continue
to
wreak
havoc
weather
systems,
5
this
will create
increased
mobility
seek
work,
but
at what
social
cost?
The
jeopardising
future
supplies.
The to
next
two
years
may
see
the
first
failure
of conditions
a large
Conference
(COP21),
global
factors and
add
others
from
their
own
12 warming will continue to wreak havoc on weather systems,
people
and
economies.
Unwanted
sidefrom
effects
may
include
major outages
inChange
power and
Despite
the
seemingly
positive
outcome
the
2015
United
Nations
Climate
12 towards
could
well bedue
set to further
a move from
free incident.
market
capitalism
alternative
organisation
a majorfuel
information
security
Loss of trust,
customer
people
and economies.
Unwanted
side effects
may
include
major
outages
in power
and
shortages
of other key
resources
such ascontinue
clean water.
Businesses
with
plans systems,
and initiatives
7
Conference
global
warming
to Businesses
wreak
havoc
on
weather
experience
considering
the
threats
economic
This
could
result
in social
unrest,
with
fluid
andsuch
andwhen
mediaapproaches.
backlash,
and
a substantial
reduction
in
share
pricehighly
will
combine
to will
shortages
of(COP21),
other
key
resources
as
clean
water.
with
plans
and
initiatives
12 severe weather will suffer. The future of alternative energy
in
regions
susceptible
to
people
and
economies.
Unwanted
sidewill
effects
may
include
N O O Goutages in power and
consequences
forunrecoverable
organisations position.
around
the
world.8 to severe
place
organisation
in an
in
regions
susceptible
weather
suffer.
The
futuremajor
of Lalternative energy
set out infar-reaching
thisthat
report.
sources
such
as
wind
farms,
tidal
lagoons
and
solar
arrays
are
expected
toand
faceinitiatives
continued
shortages
of
other
key
resources
such
as
clean
water.
Businesses
with plans
sources such as wind farms, tidal lagoons and solar
arrays are expected
to face
continued
13
opposition,
possibly jeopardising
their future.
in regions susceptible
to severe weather
will suffer.
The future of alternative energy
13
opposition,
possibly jeopardising
their future.
1 P. Wintour, “G20 to discuss threat of Isis infiltrators among EU migrants after Paris attacks”, The Guardian, 15 November
2015,
sources such as wind farms, tidal lagoons and solar arrays are expected to face continued
www.theguardian.com/world/2015/nov/15/g20-cameron-world-leaders-turkey-paris-attacks-syria
Technology
will
remain
an
area
of
rapid
change
and thus
featuresjeopardising
in many of their
the threats
future.13
2 N. MacFarquhar and S. Erlanger, “NATO-Russia Tensions Rise After Turkey Downs Jet”, The New York Times, 24opposition,
November
2015, possibly
www.nytimes.com/2015/11/25/world/europe/turkey-syria-russia-military-plane.html?_r=0
in this report. DuringSignificant
the next two years,
it isof
feasible
that the first
cyber-related
deaths
acts
terrorism
will
continue,
with varying responses from leading
3 R. Gladstone and T. Erdbrink, “Tensions in Iran After Nuclear Deal Grow in Hostility”, The New York Times, 15 November 2015,
9
www.nytimes.com/2015/11/16/world/middleeast/tensions-in-iran-after-nuclear-deal-grow-in-hostility.html
will occur, especially as new health or
transport
systems
are
hacked.
A
severe
and
1
S
THE NEXT TWO TYEARS
SO
N
I
経済動向
E
ENV
E
P
TA L
PP
技術動向
法律・制
度動向
L
環境影響
TEC
H
T
AL
S
IC
社会動向
E
IC
H
政治動向
LL
TEC
PESTLE MODEL
CIAL
AL
GAL
IC
LE
countries. As a result, politically motivated changes may introduce restrictions
4 L. Phillips, “Forex focus: Fed’s first rate rise in 10 years will have a global impact”, The Telegraph, 1 December 2015,
脅威 1.1
IoT（Internet of Things）による機密情報漏洩
影響：
• 被害の発生に伴う罰金や法的費用の高まり
• 法的責任の増加
• 信用リスク
推奨：
•
•
•
•
IoT導入に先立つ、同意の獲得とデータ保護策の導入
ポリシー、利用規約の透明性と準拠性を確認
IoTを単なるデバイスの一分類と判断しない
ポリシー、基準、指針、プロセスをアップデート
Source: PerfectCloud.io
脅威 1.2
不透明な アルゴリズムが安全性の欠如につながる
影響：
• 維持メンテナンスされないアルゴリズムが収益の損失や遅延につながる
• 専門能力の欠如から、基幹システムの不具合が増加
• インシデント発生により信用に傷がつく
推奨：
•
•
•
•
脆弱性なアルゴリズムを利用するシステムの識別、法的責任の理解
コード管理ポリシーをアップデート
アルゴリズム関連インシデントに起因するリスク対処方法の代替手段を識別
堅牢な事業継続、復旧計画を指揮
Source: The Hacker News
脅威 1.3
ならず者政府がテロリストグループをサイバー攻撃に使用
影響：
• ブランドのダメージ、収益の減退や破産も
• SIEM (Security Information and Event Management)システムが度重なる
攻撃にさらされることによる事業の中断
推奨：
• リスク管理プロセスを採用し、新たな能力にて脅威に対処
• 既存のコントロールを評価、上昇しているレジリエンシーに集中
• 同様の脅威に直面する政府や組織との協力による脅威情報の共有を模索
Source: Security Intelligence
脅威 2.1
主要インシデントにより露見する経営陣の期待への相反
影響：
• 不完全なリスクアセスメントに起因する費用のかかるインシデント
• 意思決定の妨げとなる脅威とインシデントに対する能力欠如
推奨：
• 経営幹部と連動し信頼性の高いサイバーリスクを定期的に提供
• CISOと情報セキュリティ部門の現在と未来の能力に基づき、セキュリティ向上について
経営陣の期待と歩調を合わせる
• CISOおよび情報セキュリティ部門を専門家から信頼できるビジネスパートナーへと移管
するタレントプログラムの開始
• 他者から学習
Source: Slash Gear
脅威 2.2
研究者がセキュリティの脆弱性を隠蔽
影響：
• 修正が加えられるべき危険なソフトウェアに起因する、事業の中断
• 脆弱性をもみ消した行為が公になった時に、製造者の販売が減退
• 死亡事例の発生につながる脆弱性をもみ消した製造者へのダメージ
推奨：
• 責任感のある仕事をする研究者に経済的報酬を検討
• 仲介業者を採用し満足度の高い情報公開への合意を取り付ける
• 調達プロセスにおける高いレベルでの透明性を追求
Source: LinkedIn
脅威 2.3
サイバー保険セーフーティネットの消失
影響：
• 組織のリスク移管へのアクセス消失
• 代替策適用に伴う高いコスト
• 信用性評価によるサイバー保険市場の減速
推奨：
• 事前にリスク管理戦略を再評価、サイバー保険を通じて移管されるリスクを把握
• 潜在的に高費用な例外事象へのサイバー保険を精査
Source: Business Insider
脅威 3.1
破壊的な企業が政府の怒りをかう
影響：
• 政府と恊働せず反発する組織への莫大な罰金
• IT分野の企業はより厳しい監視の対象に
推奨：
• 地元での製品およびサービス提供の状況を理解し、政治的反発を回避
• 原理に基づく規則システムに特化した、政治的影響への明確なる戦略を考案
• 集約した影響についての可能性を検討
Source: Euractiv
脅威 3.2
規制がクラウドを分断
影響：
• クラウドサービスが複数の国に分断されることでオペレーションや製造に滞りが発生
• クラウドのコンプライアンス遵守のために追加のリソースが必要
• 組織自身がデータ保護関連の基準に適合する必要性
推奨：
• 規制は変容していくことを理解
• 先を見越し、後の祭りになる前に戦略を考案
Source: Security Intelligence
脅威 3.3
犯罪者の能力と国際警察とのギャップ
影響：
• 組織の技術的能力不足がサイバー犯罪の抑止に失敗しブランドが毀損
• eコマースの成長と不十分な国際法執行機関との協力により、発生した損失が
より一層悪化
• 海外でビジネスを行なう能力の低下
推奨：
• 脅威情報の充足と障害回復力の向上
• 先を見越して行動、政府に働きかけ国際的枠組みを構築
その後の展開
安全をデザイン、プライバシーをデザイン
1. テクノロジーは十分なセキュリティ機能を有し、顧客の手に渡る前に確実に設定され
なければなりません。
2. 個人データ保護の原則は、製品の機能や動作と一体化したものであることが重要
です。
3. ほんの少し努力すれば、専門的な知識がなくても顧客が製品を安全にできることが
求められます。
4. 製品の安全性を確保する上での負担は、販売側よりも顧客側において軽減される
べきです。
倫理的テクノロジーの開発
1. 製薬、医療、法律業界には厳しい検査と認可制度があり
ます。不意の事故や質の悪い薬の削減は、専門的人材の
削減にも繋がります。
2. 技術開発は社会、安全、プライバシーといった項目において
適切な検査を経るべきでしょう。
3. 安全なデザインとプライバシー保護のデザインは、それぞれ
別々に検査することが重要です。
重要なポイント
1. サイバー攻撃の被害と頻度は今後も増加
2. 知的財産の盗難から生じる損失は、サイバー犯罪のコストを圧倒的
に上回る
3. サイバー犯罪はビジネスや革新への“税金”
4. 堅牢なセキュリティとプライバシー保護を持たない崩壊的テクノロジー
5. 技術開発における倫理規定の必要性
DISCUSSIONS