Internet Security in the Broadband Age - PowerPoint PPT Presentation

1
Internet Security in the Broadband Age
  • August 2003
  • Advanced Information Systems and Software
    Division
  • Information and Communications Policy Bureau,
    MPHPT

2
Trends in Internet Security
  • Spread and wide use of the Internet
  • Rapid growth of the Internet. Growth in always-on
    connections and broadband through ADSL etc.
    Development of mobile IP services through
    mobile phones, wireless LAN etc.
  • Development of a variety of e-businesses using
    the Internet, such as e-commerce and ASP.
    Development of the electronic use of public
    services such as e-government.
  • Threats to the Internet becoming more serious
  • Threats such as illegal access, DoS attacks and
    viruses grow ever more complicated, and their
    scope of influence and damage continues to
    increase.
  • Attacks on sites have changed from simple
    attacks, such as password cracking, to attacks
    on security holes and DoS attacks. Malicious
    code has grown in seriousness from simple viruses
    that damage individual sites to
    replicating worms that disrupt and paralyze the
    Internet widely.
  • According to a survey by the MPHPT (2002), 75% of
    enterprise users and 30% of home users in Japan
    had experienced some kind of security incident.

3
Issues concerning Internet Security Measures
  • (1) Protection of Critical Infrastructures
  • As the use of information technology in
    critical infrastructures such as
    telecommunications, finance, electrical power and
    transportation continues to develop,
    cyber-terrorism poses a significant threat to
    these infrastructures.
  • Each industry has particular characteristics
    in relation to threats to information systems and
    incident response. ISACs (Information Sharing and
    Analysis Centers), organized for each industry,
    are an effective system for critical
    infrastructure protection.
  • Currently in Japan, Telecom-ISAC is the
    first and only ISAC. The strengthening and
    enrichment of Telecom-ISAC Japan is an urgent
    topic.
  • (2) Response to Sophisticated and Diversified
    Attack Methods
  • Methods of cyber-attack, such as viruses and
    illegal access, increase in diversity and
    sophistication day by day. Responses to these
    incidents are required.
  • (3) Raising Awareness of the User
  • In order to keep the network secure, all
    participants in the network society, including
    home users, should take appropriate security
    measures. It is necessary to raise the security
    awareness and knowledge of users, especially home
    users (refer to the OECD Security Guidelines,
    August 2002).
  • (4) Treatment of potential vulnerabilities
    inherent to the Internet
  • Many vulnerabilities exist within the
    architecture of the Internet itself. It is
    necessary to reduce those vulnerabilities, such
    as those in protocols, DNS etc.

4
Telecom Carriers and Security
  • Telephone Network
  • The main focus is physical security against
    natural disasters, reliability of network
    equipment.
  • IP-Network
  • In addition to the above, information security
    is a critical issue
  • Telecom Carriers (ISP) should play an important
    role in securing the Internet
  • The telecommunications sector is one of the
    critical infrastructures, and the infrastructure
    of other critical infrastructures.
  • The ISPs that manage network infrastructure and
    support the users should have an important role.
  • Strengthening of ISP network security by reducing
    vulnerability
  • Support for user security measures (providing
    security information, checking viruses on the
    network side etc.)

5
MPHPT's Approach to Internet Security
  • 1. Strengthening security in telecom carriers
    (ISP)
  • Network safety and reliability standards
  • Security mark system
  • Establishment of an incident response system
    (Telecom-ISAC)
  • 2. Improve security on the user side
  • 3. Promotion of research and development
  • 4. Secure communications through Encryption
    technology
  • 5. Human Resource Development
  • 6. Laws

6
Further Efforts to Strengthen Internet Security
  • After the worldwide incidents caused by the
    Slammer worm last January, MPHPT organized a
    Security WG consisting of experts from the
    private sector this March. The WG has discussed
    the way forward to reinforce
    Internet security and submitted an interim report
    in July.
  • Strengthening the activities of Telecom-ISAC
  • Collection, sharing, analysis and provision of
    information on incidents (Incident Handling
    System)
  • The experience of attacks in one ISP will be
    shared by the ISAC members as a whole.
  • Early detection and warning system for incidents
    through Wide-Area Monitoring
  • Response to incidents that are hard for an
    individual ISP to handle.
  • Protect users from large-scale indiscriminate
    cyber-attacks
  • Cooperation with domestic institutions and
    overseas T-ISAC
  • Research and development of Secure Network
    Systems
  • Enrichment of the R&D organization for network
    security technology

7
Overview of Telecom-ISAC Japan
  • [Objectives] Secure the telecom infrastructure,
    which is one of the critical infrastructures.
  • Collect and analyze the various incidents that
    interfere with communications services, and
    build up a protection structure against incidents
    through the sharing of analysis results between
    all of the members.
  • [Members] Currently 7 major ISPs (Japan-Telecom,
    NEC, NTT-Com, KDDI, IIJ, PoweredCom, Nifty)
  • [Activities] Established in July 2002.
  • An information service (vulnerability
    information, alert information) was initiated
    from March 2003. https://www.telecom-isac.jp/

[Diagram: Telecom-ISAC Japan. Labels: Sources X, Y and Z; Collection of information; Analysis, Storing; Immediate actions; Preventive measures; Collection and provision of information; Contribution to the industry security; Subject for protection (Members A, B and C); Threat; Incident.]

8
Overview of Telecom-ISAC Japan
  • 1. Provision of vulnerability and alerts
    information
  • 2. Operation of a portal site (provision of
    general security information, etc.)
  • 3. Cooperation and coordination with other
    organizations (JPCERT, NIRT, etc.)
  • 4. Incident Collecting Systems: Incident
    handling system, Wide-area monitoring system
  • 5. Construction and operation of Analysis
    Center and ISAC Operations Center
  • 6. Establishment of technical forum

[Diagram: Telecom-ISAC Japan. Labels: National Incident Response Team (NIRT); Portal site (Security information, Links, What's new, Events information, Glossary); Information Management on Wide-area monitoring system; Function of information collection; Information Management on Incident Handling; Information Management on Controls and Analyses; Database of vulnerability and alerts information; Sensors; Delivery of urgent information; E-mail, fax, etc.; Members; General user; For members: Vulnerability info, Industry info, Technical info; Domestic related sites (JPCERT, IPA, etc.); Foreign related sites (CERT, ISAC, etc.).]

9
Services Offered by Telecom-ISAC Japan: Now and
Future
  • (1) Provision of vulnerability and alerts
    information (since March 2003)
  • Investigate and collect vulnerability
    information that greatly affects the
    telecommunication system infrastructure, and
    alerts helpful to the telecom industry. This
    information can be shared among Members through
    the ISAC's portal site below.
  • (2) Operation of a portal site (to provide
    security information, etc.) (Phase-in operation
    has been started in conjunction with the above.)
  • Establish and operate our own portal site to
    provide the information mentioned in (1) above,
    other security information (about products,
    seminars, etc.), and information about
    Telecom-ISAC Japan.
  • (3) Coordination and cooperation with other
    organizations (Studies are planned in FY2003.)
  • Coordinate with JPCERT/CC, NIRT, and
    Telecom-ISACs abroad to exchange and share
    information and work together.

10
  • (4) Construction of Incident Collecting Systems
    (Study for the set-up began in FY2002.)
  • Design and implement an Incident handling system
    that collects and analyzes Incidents experienced
    by Members, and a Wide-area monitoring system
    that provides global analysis of ISP security and
    traffic information automatically monitored by
    network sensors placed at ISPs spread widely
    across Japan.
  • (5) Construction and operation of an analysis
    center and an operation center (Study on the plan
    will begin in FY2003.)
  • Design and implement an analysis center to
    analyze the trends, frequencies, and effects of
    the Incidents recorded through the systems
    described in (4) above, and also a test bed to
    verify the results of analyses. In addition,
    build and operate an operation center to manage
    all the systems and centers above.
  • (6) Establishment of a technical forum
    (Phase-in operation will begin in FY2003.)
  • Establish a technical forum to let telecom
    companies share technologies and information, and
    discuss and study their requirements for the
    ISAC, so that ISAC functions are satisfactorily
    improved among the members.

11
Telecom-ISAC Japan: Services Currently
Provided (Portal Site)
  • Vulnerability information that deeply affects the
    telecommunications infrastructure, and
    valuable alert information, are both collected
    and provided to the members in a timely manner
    through the ISAC portal site.
  • Two services have been in operation since March
    2003
  • Vulnerability Information Database Service
  • Worldwide vulnerability information is
    collected and translated into Japanese in near
    real time.
  • Alert Information Service
  • Members are alerted in a timely manner to
    information on vulnerabilities and malicious
    software

12
Telecom-ISAC Japan: Configuration on Portal Site
[Diagram: Telecom-ISAC Japan Portal Site, consisting of an Alert Sub-System and a V-DB Sub-System. Labels: Alert information by E-mail; The Internet; Access to the Web site to get information on Vulnerability and Alert; Telecom-ISAC Members.]

13
Incident Information Collection and Analysis
System (under development)
  • Incident Handling System: Incident information
    reported by Members is analyzed and the results
    are returned to the Members.
  • Wide-Area Monitoring System: Through cooperation
    among the national ISPs, traffic information as
    well as incident information is widely monitored
    and collected through sensors.

14
Concept on Incident Handling System
[Diagram: Telecom-ISAC Japan Members and the Telecom-ISAC Japan Operation Center. Labels: Incident Analysis Request; Incident Analysis Reply; Sharing Incident Information; Member.]

15
Concept on Wide-area Monitoring System
[Diagram: Wide-area monitoring system. Labels: ISP networks; Firewall sensors; Monitors; Log archive; Log analysis system; Operation Center; Portal site for information services.]

16
Wide-area Monitoring System
1. Install probe devices (traffic monitors, IDS,
virus detection systems etc.) for collecting
security information from networks, mainly ISPs.
2. Log information on traffic flow and security
is collected swiftly at the Center and analyzed.
3. Using log analysis technologies, monitor the
network situation in order to swiftly grasp, in
real time, the state of deterioration and damage
caused by cyber-attack and respond to the
urgent situation.
  • <Grasp overall trends in the network>
  • By monitoring locations where the network traffic
    is concentrated, it is possible to grasp trends
    in the network as a whole from a few measurement
    points.
  • It will be possible to confirm the overall
    situation, which cannot be grasped from an
    individual ISP
  • <Grasp signs of serious incidents such as DDoS
    attacks>
  • Grasp up-to-date information on attacks
  • For example, detect signs of DDoS (port scan) →
    improve warning system
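
The log-analysis step described above, as an added example that is not part of the original presentation: deny records from sensors at several ISPs are pooled at a center, which flags a probed service that no single ISP would notice from its own log. The log format, sensor names, thresholds and addresses are assumptions constructed for illustration.

```python
"""Pooled analysis of firewall-sensor logs from several ISPs (added example).

Assumed log format, constructed for this example:
    <epoch_seconds> <sensor_id> <src_ip> <proto>/<dst_port> DENY
"""
from collections import defaultdict

WINDOW = 60        # seconds per analysis window (assumed)
LOCAL_MIN = 4      # distinct sources one ISP needs to notice a probe wave alone
POOLED_MIN = 4     # distinct sources needed across all sensors at the center
MIN_SENSORS = 2    # sensors that must see the same service in one window

# Constructed sample: a udp/1434 probe wave spread thinly over three ISPs,
# tcp/22 noise confined to one ISP, and one unparseable line.
SAMPLE_LOG = """\
1059696000 isp-a 192.0.2.10 udp/1434 DENY
1059696005 isp-a 192.0.2.11 udp/1434 DENY
1059696010 isp-b 198.51.100.7 udp/1434 DENY
1059696012 isp-b 198.51.100.8 udp/1434 DENY
1059696020 isp-c 203.0.113.5 udp/1434 DENY
1059696030 isp-a 192.0.2.50 tcp/22 DENY
1059696031 isp-a 192.0.2.51 tcp/22 DENY
1059696032 isp-a 192.0.2.52 tcp/22 DENY
1059696033 isp-a 192.0.2.53 tcp/22 DENY
garbled line from a sensor
""".splitlines()


def parse(line):
    """Return (window_start, sensor, src, service), or None if malformed."""
    parts = line.split()
    if len(parts) != 5 or not parts[0].isdigit() or parts[4] != "DENY":
        return None
    ts, sensor, src, service, _ = parts
    return int(ts) // WINDOW * WINDOW, sensor, src, service


def _sources(lines, key):
    """Group distinct (sensor, source) pairs by key(record)."""
    groups = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        groups[key(rec)].add((rec[1], rec[2]))
    return groups


def local_alerts(lines):
    """What each ISP can detect from its own sensor only."""
    groups = _sources(lines, key=lambda r: (r[0], r[1], r[3]))
    return sorted(k for k, seen in groups.items() if len(seen) >= LOCAL_MIN)


def wide_area_alerts(lines):
    """What the center detects after pooling every sensor's log."""
    groups = _sources(lines, key=lambda r: (r[0], r[3]))
    alerts = []
    for (window, service), seen in groups.items():
        sensors = sorted({sensor for sensor, _ in seen})
        n_src = len({src for _, src in seen})
        if n_src >= POOLED_MIN and len(sensors) >= MIN_SENSORS:
            alerts.append((window, service, n_src, sensors))
    return sorted(alerts)


if __name__ == "__main__":
    print("local:", local_alerts(SAMPLE_LOG))
    print("wide-area:", wide_area_alerts(SAMPLE_LOG))
```

On the sample, the only local alert is the tcp/22 noise at one ISP, while the pooled view reports udp/1434 from five sources across three sensors.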

17
Expected Goal on Telecom-ISAC Japan
[Diagram: Labels: Member A, B and C Networks; Monitoring Sensors; Incident Reports; Wide-area Monitoring System; Incident Handling System; ISAC Operation Center; ISAC Incident Analysis Center; Portal Site (www.telecomisac.jp); Protect Advisory for Members; General Advisory; Members; Non-Members; Government.]

18
Research and development into secure
communications technology: Realize a secure
network using identity confirmation functionality

19
Secure Communications Networks: Research and
development into a secure network using identity
confirmation functionality
<Current situation>
[Diagram: X and A connected through the Internet; caption "Are you really A? Let's check."]
  • Currently on the Internet, there is no
    functionality that allows you to confirm the
    identity of the other party you are communicating
    with.
  • It is possible for impersonation to occur, and
    it is necessary to confirm identity on an
    individual basis.

<Objective>
[Diagram: X and A connected through a secure network foundation; captions "Communicate with A" and "Not A so not accepted."]
  • Secure network using identity confirmation
    functions
  • Confirmation of the identity of the other party
    can occur in real-time over the network, and
    impersonation can be avoided.

20
Annex 1: MPHPT's Approach to Internet Security
  • 1. Strengthening Security of Telecom Carriers
    (ISP)
  • 2. Improve Security on the User side
  • 3. Promotion of Research and Development
  • 4. Secure-Communications with Encryption
    technology
  • 5. Promotion of Human Resources Development
  • 6. Laws

21
Government Structure for Critical Infrastructure
Protection
  • - February 2000: Establish IT Security Office
    within the Cabinet Secretariat
  • - April 2002: Establish NIRT (National Incident
    Response Team)

[Organization chart: IT Security Promotion Committee (Chairman: Deputy Chief Cabinet Secretary); Cabinet Secretariat (IT Security Office); NIRT (expert team within the secretariat); related ministries and agencies (Financial Services Agency, MPHPT, MLIT, METI, NPA, JDA); critical infrastructure (Local government, Electricity, Gas, Finance, Civil Aviation, Railways, Telecom).]

22
1. Strengthening Security of Telecom Carriers
(ISP)
  • (1) Safety and Reliability Standards for the
    Information and Communications Networks
  • MPHPT's recommended standards concerning safety
    and reliability measures for information and
    communications systems, including information
    security
  • (2) Security Mark System
  • Industry organizations (Japan Internet Provider
    Association and Telecom Service Association)
    grant a Safe-Secure ISP Mark to an ISP that
    meets defined security requirements and
    customer service requirements. So far, 52
    services of 50 ISPs have been granted this mark.
  • (3) Promote introduction of security measures
    through tax system
  • Tax incentive measures for the introduction of
    security equipment by carriers.
  • (4) Establish incident response system
  • Telecom-ISAC Japan was established in July of
    last year. Currently, 7 major ISPs are members.
    Information services (vulnerabilities DB, alert
    information) were started this March.
    https://www.telecom-isac.jp/
  • The Incident Information Collection and Analysis
    System and the Wide-area Monitoring System are
    currently under development.

23
2. Improve Security on User side
  • (1) Enhancing Security Awareness of users
  • An information security site has been added to
    the MPHPT home page in order to enhance the
    awareness of users and spread accurate
    knowledge on information security.
    http://www.soumu.co.jp/joho_tsusin/security/index.htm
    (Japanese only)
  • (2) Promoting the provision of security
    information from ISPs
  • The Security Mark System requires ISPs to carry
    out activities such as providing security
    information to customers and establishing a user
    support center.
  • (3) Enriching security support service of ISPs
  • Many ISPs now offer security support services,
    such as a virus-check service, so that even home
    users not familiar with PCs and software
    installation can use the Internet safely.
  • (4) Promote the introduction of security
    equipment through tax system
  • Promote the introduction of firewalls in
    enterprises through tax relief measures on the
    equipment and software necessary for
    implementing information security
    countermeasures.

24
3. Promotion of Research and Development
  • As the techniques of the attacking side, such as
    illegal access techniques, virus threats and the
    deciphering of encryption, continue to evolve
    day by day, it is essential for the protecting
    side to promote research and development. For
    R&D that is high-risk and offers little business
    incentive, it is necessary for the government to
    carry out that R&D directly and indirectly.
  • (1) Major Research and Development projects by
    the MPHPT
  • Basic research and development of network
    security (2.6 billion yen): In order to respond
    to all of the current potential threats, basic
    research and development in information security
    is carried out in the four fields of (1)
    Network-related, (2) Access-related, (3)
    Content-related, (4) Security common elemental
    technologies / evaluation and verification
    technology.
  • Construction of research foundations into
    computer viruses etc. (180 million yen)
  • Survey research concerning the network
    architecture for the next-generation Internet
    (160 million yen)
  • (2) Communications Research Laboratory
  • The Communications Research Laboratory has
    established facilities for research and
    development on communications risk management,
    and for research into cyber-terrorism
    simulations and analysis of methods. There is
    also research and development of encryption
    technologies.

25
4. Secure Communications Through the Use of
Encryption Technology
  • Promote implementation of digital signature
    (PKI)
  • From April 2001, the Law on digital signature
    and certificate service was implemented, giving
    digital signatures the same legal significance
    as conventional signatures and seals.
  • Evaluation of Encryption Technology
  • In order to evaluate various encryption
    technologies, an Encryption Technology Study
    Group was held by MPHPT and METI. The two
    Ministries drew up the Recommended Encryption
    list for e-government on February 20th of this
    year.

26
5. Promotion of Human Resources Development
  • MPHPT's Qualification Examination: From 2001, an
    information security section was added to the
    Chief Telecommunications Engineer Qualification
    examination (national examination).
  • Industry organizations' qualification: The
    Network Information Security Manager
    qualification system was created as a private
    qualification for information security from
    2001, by seven organizations including the
    Telecommunications Carrier Association.
  • Support for human resource development programs:
    From 2001, MPHPT provides support for
    organizations carrying out human resource
    development projects for specialists in the
    telecommunications field.
6. Laws
  • Law prohibiting illegal access
  • Law on digital signature and certification
    services
  • Establishing domestic laws promoting the Council
    of Europe Convention on Cybercrime

27
Annex 2: Security WG Interim Report, the
way forward (1)
  • 1 Strengthening the activities of Telecom-ISAC
    Japan
  • (1) Services to be provided by Telecom-ISAC Japan
  • Telecom-ISAC Japan was established in
    July 2002 and opened its portal site, providing
    vulnerability and alert information, in March
    2003. Telecom-ISAC Japan is now developing:
  • - incident handling system
  • - wide area monitoring system
  • - incident analysis center
  • - Telecom-ISAC Japan operation center
  • - technical consulting service concerning
    patching of network vulnerabilities
  • (2) Cooperation with other organizations
  • In order to increase the effectiveness of
    Telecom-ISAC Japan activities, it is necessary
    to promote cooperation with other organizations
    such as NIRT, JPCERT/CC etc. and foreign
    T-ISACs. Through the development of the incident
    analysis center, a specialized expert team will
    be organized in the Communications Research
    Laboratory (CRL) and joint research will be
    conducted.

28
Security WG Interim Report, the way forward (2)
  • 2 Promotion of Research and Development
  • (1) Technology for countering cyber-attack
  • It is necessary to continue research and
    development of technology to prevent
    cyber-terrorism, technology to detect
    cyber-terrorism at an early stage and technology
    to combat cyber-terrorism.
  • - Technology for wide-area monitoring
  • - Alert log analysis technology, such as
    wide-area monitors, firewalls, IDS etc.
  • - High precision trace-back technology
  • - Technology to detect unknown cyber attacks
  • - Secure the basic components of the Internet
  • (2) Technology to improve the safety and
    reliability of the Internet itself and develop
    the foundations of e-commerce
  • It is necessary to promote research and
    development into the improvement of the safety
    and reliability of the Internet itself, such as
    realizing a network structure with identity
    confirmation built in.
  • - Technology to enable identity confirmation
    functionality in the network.
  • - Technology to establish a safe communications
    environment in the network through identity
    confirmation functionality.
  • - Technology for the use of IC chips to allow
    safe communications.
  • - Technology to allow safety for user terminals
  • - Establish an operations management system for
    the network using identity confirmation
    technology and conduct verification testing and
    standardization.

29
Security WG Interim Report, the way forward (3)
  • 3 Strengthening the research and development
    organization for security technology
  • - In order to promote wide-ranging information
    security technology, it is necessary to construct
    focal points for specialized research and
    development dealing with information security
    technologies.