This document discusses why security management is difficult by addressing several challenges:
- Because employees make human errors, incidents become likely when malicious emails are sent to many of them. For example, with a 1% per-employee mistake rate there is a 63% probability of at least one incident if emails are sent to 100 employees.
- It is important to have proper processes for responding to incidents, including identifying compromised devices, analyzing logs and root causes, and documenting reports.
- Ongoing maintenance is required as new vulnerabilities are discovered and environments change. Legacy systems also require continuous management.
- Incident visibility and information sharing can be limited, making coordinated response difficult.
2. About me
• inaz2
• https://twitter.com/inaz2
• Security engineer & Python programmer
• Blog: ももいろテクノロジー
• http://inaz2.hatenablog.com/
3. Question
• You are an incident responder in the company
• There’s nobody who doesn’t make a mistake
• Assume each employee makes a mistake with a 1% probability
• One day, an attacker sends malicious mails to 100 employees
• What is the probability that one or more incidents occur?
5. Make it zero?
• There’s nobody who doesn’t make a mistake
• Even if the mistake rate goes from 1% to 0.1%, an incident still occurs with a 9.5% probability
• But if the number of mails was one, it occurs with only a 1% probability
• It is important to reduce attack surfaces
• Network separation also reduces the risk of severe incidents
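The arithmetic behind slides 3 and 5, as an added example that is not part of the original slides: each recipient errs independently with probability p, so the chance of at least one incident among n recipients is 1 - (1 - p)^n. It also goes one step further than the slides and answers the inverse question that the attack-surface argument implies: how many recipients can be exposed at a given mistake rate before an assumed risk budget (10% here, a constructed figure) is exceeded.

```python
import math


def incident_probability(p: float, n: int) -> float:
    """Probability that at least one of n recipients makes the mistake,
    assuming each recipient fails independently with probability p."""
    if not 0.0 <= p <= 1.0 or n < 0:
        raise ValueError("p must be in [0, 1] and n must be non-negative")
    return 1.0 - (1.0 - p) ** n


def max_recipients(p: float, risk_budget: float) -> int:
    """Largest n for which incident_probability(p, n) stays <= risk_budget.

    This is the attack-surface view of slide 5: the number of mailboxes
    (or hosts in one network segment) you can expose at mistake rate p
    without exceeding the budget."""
    if not 0.0 < p < 1.0 or not 0.0 < risk_budget < 1.0:
        raise ValueError("p and risk_budget must be strictly between 0 and 1")
    # Closed form: (1 - p)^n >= 1 - budget  <=>  n <= log(1 - budget) / log(1 - p)
    n = int(math.log(1.0 - risk_budget) / math.log(1.0 - p))
    # Correct for floating-point error at the boundary in either direction.
    while n > 0 and incident_probability(p, n) > risk_budget:
        n -= 1
    while incident_probability(p, n + 1) <= risk_budget:
        n += 1
    return n


def risk_table(p: float, sizes=(1, 10, 100, 1000)) -> list:
    """(n, probability) pairs for several group sizes at mistake rate p."""
    return [(n, incident_probability(p, n)) for n in sizes]


if __name__ == "__main__":
    # Constructed comparison of the two mistake rates used on the slides.
    for p in (0.01, 0.001):
        print(f"mistake rate {p:.1%}:")
        for n, prob in risk_table(p):
            print(f"  {n:5d} recipients -> {prob:6.1%} chance of at least one incident")
        print(f"  recipients allowed under a 10% risk budget: {max_recipients(p, 0.10)}")
```

Cutting the mistake rate tenfold buys roughly ten times the tolerable exposure, but the only way to drive the probability to zero is to have zero recipients, which is why the slides argue for shrinking the attack surface rather than hoping for perfect employees.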
6. Who responds to the incident?
• An employee will open a malicious mail in the near future
• What matters most is how we handle it
• How do we find it? What do we do with the suspicious PCs? What kind of logs are there? What is the root cause of the infection? How do we mitigate it? Who writes the report?
• Do you just hand all of this off to someone else?
• IPA: Commentary on the Cybersecurity Management Guidelines (サイバーセキュリティ経営ガイドライン解説書)
• http://www.ipa.go.jp/security/economics/csmgl-kaisetsusho.html
8. Maintenance
• OK, the system is completed. Then, who supports it?
• New vulnerabilities will be found
• The network environment will change
• The responsible person will be transferred
• We need to manage all of our systems continuously
• Even the legacy systems
• Security management is like a fixed cost
9. Incident invisibility
• The details of incidents are often not shared with other groups
• So it is difficult to get them to care about incidents
• But the reality is that someone is handling incidents day after day
12. Secrets
• We must protect others’ privacy
• We shouldn’t publish the issues we find until they are fixed
• Information disclosure is a sensitive matter
• Furthermore, you may receive no acknowledgement
• This requires a high sense of ethics and high stress tolerance
• Like a soldier
13. Recap
• It is important to think about how we handle incidents
• It is not so easy to manage all of our systems continuously
• Use your imagination about the incidents you simply don’t know about