This document discusses why security management is difficult by addressing several challenges: - Incidents will likely occur when malicious emails are sent to many employees due to human errors. For example, there is a 63% probability of an incident if emails are sent to 100 employees. - It is important to have proper processes for responding to incidents, including identifying compromised devices, analyzing logs and root causes, and documenting reports. - Ongoing maintenance is required as new vulnerabilities are discovered and environments change. Legacy systems also require continuous management. - Incident visibility and information sharing can be limited, making coordinated response difficult.

1. Why is Security
Management So Hard?
inaz2
2016/12/09
第1回 セキュリティ共有勉強会

2. About me
• inaz2
• https://twitter.com/inaz2
• Security engineer & Python programmer
• Blog: ももいろテクノロジー
• http://inaz2.hatenablog.com/
2

3. Question
• You are an incident responder in the company
• There’s nobody who doesn’t make a mistake
• Assume each employee makes a mistake with a 1% possibility
• One day, the attacker sent malicious mails to 100 employees
• What is the probability of one or more incidents occurring?
3

4. Answer
63%
4

5. Make it zero?
• There’s nobody who doesn’t make a mistake
• Even if the mistake rate goes 1% -> 0.1%, it occurs with a 9.5%
probability
• But if the number of mails was one, it occurs only with a 1%
probability
• It is important to reduce attack surfaces
• Network separation also reduces the risk of severe incidents
5

6. Who responds to the incident?
• Employee will open a malicious mail in the near future
• The most important is how we handle it
• How to find it? What to do with the suspicious PCs? What kind of
logs are there? What is the root cause of infection? How to mitigate
it? Who writes a report?
• Do you throw all things away to someone?
• IPA サイバーセキュリティ経営ガイドライン解説書
• http://www.ipa.go.jp/security/economics/csmgl-kaisetsusho.html
6

7. More issues
7

8. Maintenance
• OK, the system is completed. Then, who supports it?
• New vulnerability will be found
• Network environment will be changed
• The responsible person will be moved
• We need to manage all of our systems continuously
• Even if there are legacy systems
• Security management is like a fixed cost
8

9. Incident invisibility
• The detail of incidents is often not shared with other groups
• It is difficult to let them take care of it
• But it is real that someone handles incidents day by day
9

10. Cloud services are secure?
• Yes, if all of us never make a mistake
10

11. Cloud services are secure?
• Yes, if all of us never make a mistake
11

12. Secrets
• We must keep other’s privacy
• We shouldn’t publish found issues until it is fixed
• Information disclosure is a sensitive matter
• Furthermore, you may receive no acknowledgement
• Requires a high sense of ethics and high stress tolerance
• Like a soldier
12

13. Recap
• It is important to think about how we handle incidents
• It is not so easy to manage all of our systems continuously
• Have an imagination about incidents just you don’t know
13

14. Reference
• AWS で不正アクセスされて凄い額の請求が来ていた件 -
yoyaのメモ
• http://d.hatena.ne.jp/yoya/20150404/aws
• 初心者がAWSでミスって不正利用されて$6,000請求、泣き
そうになったお話。 - Qiita
• http://qiita.com/mochizukikotaro/items/a0e98ff0063a77e7b694
• AWSアカウントに関する不正使用を整理してみた
• http://www.slideshare.net/naotokatsumi/20150221-aws-
accountsabuse-44977667
14

15. Thank you!
inaz2
15