Promotion on Information Security Certification Programs
2015. 6. 23
Wan S. Yi, Ph.D., CISSP
ISC2 APAC, Korea Internet & Security Agency

1 KISA Introduction
2 Certification Concept

1. Introduction
– History
  1996. 04 Korea Information Security Agency (KISA)
  1999. 06 National Internet Development Agency (NIDA)
  2002. 01 Korea IT International Cooperation Agency (KIICA)
  2009. 07 Korea Internet & Security Agency (merger of KISA, NIDA and KIICA)
– Responsibility
  • Internet development
  • Information security in the public and private sectors
2. Internet Security Framework
– National cyber security organization
  Senior Secretary to the President for National Crisis Management
  National Intelligence Service → National Cyber Security Center (public sector)
  Ministry of Science, ICT & Future Planning → Korea Internet & Security Agency (private sector)
  Ministry of National Defense → Military Cyber Command & Control Center (national defense)
2. Internet Security Framework
– Cyber crisis response cooperation system
  Related organizations in Korea
  • Responsible organizations: NIS, MND
  • Investigative agencies: Supreme Prosecutor's Office, National Police Agency
  • ISPs: KT, LG U+, SK broadband, Dreamline, Onse telecom, 112 others
  • Anti-virus vendors: AhnLab (V3), Hauri (Virobot), ESTsoft (AlYac), SG advantec (virus chaser)
  • Security control organizations (ex. SK Infosec, IGLOOSECURITY), IDC service providers (ex. KIDC), Security Global Alliance REDBC
  • Communications ISAC, finance ISAC
  Cooperation activities
  • Share security incident information; request checks of network failures
  • Share incident analysis
  • Share malicious codes and analysis results; produce dedicated vaccines
  • Block malicious sites, notify zombie PC owners and request treatment; remove zombie PCs; block C&C server access
  • Raise public awareness and treat malicious codes
  Related organizations abroad
  • CERTs abroad: FIRST, APCERT
  • Organizations abroad: MS, Symantec, McAfee, FireEye, Checkpoint
– Major activities
  • Monitor the Internet network in Korea for abnormal signs 24/7; check 2.3 million Korean websites for malicious codes
  • Inspect information security vulnerabilities and take protective measures: information protection inspection of ICT service providers; remote inspection of website vulnerabilities and protective measures
  • Operate KrCERT for rapid response to cyber security incidents and cooperate at home and abroad
  • Cyber exercise for security incident response with AP regional CERTs and related agencies in Korea, twice a year
  • Public Key Infrastructure (PKI) for user identification & authentication: more than 32 million people use it for e-trade, e-banking, stock exchange, public services, etc.
  • Critical Information Infrastructure Protection: '14: 292 facilities identified (99 in the private sector); '17: targeting 400 facilities
  • Information Security Product Evaluation: CC testing facilities evaluate products against the Common Criteria
  • Information Security Management System (ISMS), G-ISMS: 272 organizations have received ISMS or G-ISMS certification
  • Information Security Training & Education: in-class, cyber range and on-line training on financial security, forensics, etc.
– Run national campaign for healthy cyber culture
  • Set up national association
    √ Established in August, 2010
    √ With 65 organizations including the government, internet companies and private organizations
    √ Initiated campaign and signed an MOU for good replies for 100 days
  • Korea Internet Star (KIS)
    √ Comprised of elementary and middle school students to lead healthy cyber culture
  • Internet ethics education
    √ Educate teenagers, parents, teachers and children on internet ethics
    √ Produce and distribute Internet ethics B.I (Brand Identity)
    √ Develop and utilize a character and logo song for Internet ethics to make an impression on people
– Support ICT business to advance into the global market
  • Global Market for Digital Convergence
    √ Roadshow, showcase, government consulting service
  • Support ICT strategic items
    √ Items: Smart 4G, media contents, broadband, information protection, mobile TV, IPTV, etc.
  • ICT Expert Training Program (K-LINK: Korea-Global ICT Leaders Information Network)
    √ 12 courses, 330 trainees in 2013
    √ Provide education for overseas experts (about 4,300 officials from 145 countries) since 1998
  • International conferences and international organization activities
    √ WICS, ITU-PP 14, Telecom World, OECD, World Bank
– Run call center to provide consulting service related to the Internet
  • Receive complaints and provide consulting service related to the Internet (hacking, virus, spam, PI disclosure); Q&A and counseling service for the PI protection act
  • Easy to remember, anytime/anywhere
    √ Call: free consulting service 24/7
    √ The average number of calls per day in 2011: 1,300
    √ Website: www.118.or.kr
    √ Twitter & Facebook ID: kisa118
  • Connect to related agencies
  (Chart) Call categories: hacking/virus, personal information, illegal spam, loss of certificate, others
– Internet security infrastructure (diagram)
  • Users and endpoints: Internet users, companies, PCs, smart phones, tablet PCs, notebooks, zombie PCs / zombie notebooks, wireless networks
  • ISPs and services: ISPs, web hard / P2P, mobile office and cloud service providers, VoIP service providers (VoIP service monitoring, 9 providers), SME websites (website vulnerability check)
  • Security systems: DDoS system at IX nodes, DNS cyber shelter, domain security system, KR DNS, app security system, MC collection system, security verification, C&C blocking
1. Type of Certification
ISMS → Organization and companies
CC Evaluation → Information Security Products
Professional Certification → People
Public Key Infrastructure Certificate → Device and users
1. ISMS – Definition
Objective
  To secure stability in an information communications network and reliability of information by assessing the ISMS of a certain organization to determine whether or not it meets the certification criteria.
Legal Background
  Created in 2001; the first certificate was issued in 2002
  Until 2013 it was a recommendation, but it became mandatory for companies with sales over 10 million dollars a year or one million visitors a day
  In 2014, 482 organizations and companies received certificates
Definition
  A comprehensive system that ensures consistent management and operation of information security by putting proper procedures and processes in place.
<Security Level>
  Without management system (islanded): organization, facility, policy, equipment and documents are handled separately
    ㆍ Partial ㆍ One time ㆍ Sporadic
  With management system (integrated): organization, facility, policy, equipment and documents are handled together
    ㆍ Balanced ㆍ Sustained ㆍ Systematic
1. ISMS – Procedure
Who needs ISMS certification
  • External audit: companies that need IT management evaluation, credit evaluation or financial audit
  • Outsourcing company: contracted companies that manage and operate customers' critical assets
  • Major assets: finance (account, transaction info.), education (student info.), medical (diagnosis info.), communication (customer info.), portal (member info.), etc. (industrial technology info.)
  • Bidding: companies participating in public or private bidding
Certification procedure (certification applicant, certification body, assessment team, certification committee)
  ① Certification application
  ② Pre-assessment and contract
  ③ Compose assessment team
  ④ Certification assessment
  ⑤ Supplement deficiencies
  ⑥ Certification assessment report
  ⑦ Request to deliberate the assessment result
  ⑧ Notify the deliberation result
  ⑨ Issue certification

2. CC Evaluation
Objective
  Gain global trust in and reliability of IT security systems
  Contribute to the realization of a sound information society
  Improve the IT security level of national communication networks
  Improve the international competitiveness of IT products
Legal Background
  CC: Common Criteria for Information Technology Security Evaluation
  CEM: Common Evaluation Methodology for Information Technology Security
  CCRA: Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security
• Background
  – Provide secure products, proven by a 3rd party, for people to use to build a safe and secure information society
• Evaluation
  – Act of analyzing and testing the security of an IT product against evaluation criteria using an evaluation methodology
• Certification
  – Act of overseeing the evaluation process and reviewing the final evaluation report, resulting in the issuance of a certificate
• Accreditation
  – Act of testing certified products in the real environment and deciding whether the product is suitable for operation or not
Consumers – as a guide for the procurement of products with IT security features
Product Developers and Integrators – as a basis for the development of products with IT security features
Evaluators – as the basis for the evaluation of IT security products
Auditors, Certifiers, Accreditors – to support their specific needs
(Flowchart) Certification & accreditation process
  Phase 1 Definition: document mission, registration, negotiation, agreement → SSAA
  Phase 2 Verification: system development, certification analysis → ready for evaluation? (No → reanalysis)
  Phase 3 Validation: evaluation & certification → certify system? → accreditation recommendation
  Phase 4 Accreditation: system operation; change requirement verification (No → revision)
Evaluation and certification steps
  01 • Apply for evaluation • Review deliverables • Sign contract
  02 • Validate deliverables • Validate TOE FR • Validate vulnerabilities
  03 • Certification board • Issue certificate • Register TOE in CL
  04 • Maintain certificate • Reevaluation
CCRA membership (map; join years shown from '98 to '13)
  Certificate Authorizing Participants (CAP): 17 countries – USA, Canada, UK, Germany, Australia, Japan, Norway, Korea, Spain, Sweden, France, Netherlands, Malaysia, Pakistan, New Zealand, Italy, Turkey
  Certificate Consuming Participants (CCP): 9 countries – Greece, Finland, Israel, Austria, Hungary, Czech Republic, Singapore, Denmark, India
3. Information System Security Professional
• ISC2 (International Information System Security Certification Consortium)
  – CAP – Certified Authorization Professional
  – CCFP – Certified Cyber Forensics Professional
  – CCSP – Certified Cloud Security Professional
  – CISSP – Certified Information Systems Security Professional (#3)
  – CSSLP – Certified Secure Software Lifecycle Professional
  – HCISPP – HealthCare Information Security and Privacy Practitioner
  – SSCP – Systems Security Certified Practitioner
• Information Security Professional
4. PKI Certificate – Objective
  A system of digital certificates, Certificate Authorities, and other registration authorities that verify and authenticate the validity of each party involved in an Internet transaction.
  Threat → Security service → Solution
    Data Leakage → Confidentiality → Encryption
    Data Forgery → Integrity → Digital Signature
    Unauthorized User → Authenticity → Digital Signature
    Repudiation → Non-repudiation → Digital Signature
  Components (public key cryptography)
    Root-CA, Certificate Authority (CA), Registration Authority (RA)
    Certificates: corporation, server, S/MIME, individual
    Certificate management: registration, issue, revoke, renew; operation management; CRL management
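The slide above maps data forgery, unauthorized users and repudiation to integrity, authenticity and non-repudiation, all delivered by CA-issued certificates and digital signatures, and lists issue / revoke / renew plus CRL management as the CA's job. The following is an added, self-contained example (not from the KISA slides and not KISA's own PKI code) that walks that lifecycle end to end: a toy root CA issues a certificate, a relying party verifies a signed message, and each of the listed failure modes (forged message, edited certificate body, expiry, revocation via CRL) produces a distinct verdict before renewal restores service. Everything in it is constructed: the subject names, the fixed clock value and the RSA keys (built from small Mersenne primes with no padding, so the arithmetic shows structure only and is not secure).

```python
"""Added example: toy PKI certificate lifecycle (issue, verify, revoke/CRL, renew).

Constructed for illustration, not production: the RSA primes are fixed
Mersenne primes of toy size and there is no signature padding.
"""
import hashlib
import json

E = 65537  # public exponent (constructed toy keys; standard value)


def rsa_keypair(p, q):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python >= 3.8
    return (E, n), (d, n)


def digest_mod(data, n):
    """SHA-256 of the data, reduced into the modulus (toy 'hash-then-sign')."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def rsa_sign(priv, data):
    d, n = priv
    return pow(digest_mod(data, n), d, n)


def rsa_verify(pub, data, sig):
    e, n = pub
    return pow(sig, e, n) == digest_mod(data, n)


def tbs_bytes(cert):
    """Canonical 'to-be-signed' encoding: every field except the CA signature."""
    body = {k: v for k, v in cert.items() if k != "sig"}
    return json.dumps(body, sort_keys=True).encode()


class ToyCA:
    """Certificate Authority: issues, revokes (CRL) and renews certificates."""

    def __init__(self, name, p, q):
        self.name = name
        self.pub, self._priv = rsa_keypair(p, q)
        self._next_serial = 1
        self.crl = set()  # serials of revoked certificates (the CRL)

    def issue(self, subject, subject_pub, not_before, not_after):
        cert = {"serial": self._next_serial, "issuer": self.name, "subject": subject,
                "pub": list(subject_pub), "not_before": not_before, "not_after": not_after}
        self._next_serial += 1
        cert["sig"] = rsa_sign(self._priv, tbs_bytes(cert))  # CA signs the cert body
        return cert

    def revoke(self, serial):
        self.crl.add(serial)

    def renew(self, old_cert, not_before, not_after):
        """Re-issue for the same subject and key under a new serial; old serial goes on the CRL."""
        self.revoke(old_cert["serial"])
        return self.issue(old_cert["subject"], tuple(old_cert["pub"]), not_before, not_after)


def validate_cert(cert, ca_pub, crl, now):
    """Relying-party checks: issuer signature, validity window, CRL status."""
    if not rsa_verify(ca_pub, tbs_bytes(cert), cert.get("sig", 0)):
        return "bad issuer signature"  # unauthorized user / edited cert: authenticity fails
    if not (cert["not_before"] <= now <= cert["not_after"]):
        return "outside validity period"
    if cert["serial"] in crl:
        return "revoked"
    return "ok"


def verify_signed_message(cert, message, sig, ca_pub, crl, now):
    """Check the signer's certificate first, then the signature over the message."""
    status = validate_cert(cert, ca_pub, crl, now)
    if status != "ok":
        return status
    if not rsa_verify(tuple(cert["pub"]), message, sig):
        return "message forged"  # data forgery: integrity fails
    return "ok"  # key bound to the cert subject by the CA: non-repudiation


def run_scenario():
    """Walk the lifecycle with a constructed CA, subscriber and clock; return each verdict."""
    now = 1_700_000_000  # constructed UNIX time for a deterministic run
    ca = ToyCA("Toy Root-CA", 2**31 - 1, 2**61 - 1)
    alice_pub, alice_priv = rsa_keypair(2**89 - 1, 2**107 - 1)
    alice_cert = ca.issue("alice", alice_pub, now - 86400, now + 365 * 86400)
    msg = b"transfer 100 to bob"
    sig = rsa_sign(alice_priv, msg)
    results = {"valid": verify_signed_message(alice_cert, msg, sig, ca.pub, ca.crl, now)}
    # Data forgery: the message changes after signing
    results["tampered"] = verify_signed_message(alice_cert, b"transfer 999 to bob", sig, ca.pub, ca.crl, now)
    # Unauthorized user: a cert body edited outside the CA no longer matches the CA signature
    results["forged_cert"] = validate_cert(dict(alice_cert, subject="mallory"), ca.pub, ca.crl, now)
    # Expiry: the same cert checked more than a year later
    results["expired"] = validate_cert(alice_cert, ca.pub, ca.crl, now + 400 * 86400)
    # Revocation: the CA places the serial on its CRL
    ca.revoke(alice_cert["serial"])
    results["revoked"] = verify_signed_message(alice_cert, msg, sig, ca.pub, ca.crl, now)
    # Renewal: a fresh serial and validity period for the same key
    renewed = ca.renew(alice_cert, now, now + 365 * 86400)
    results["renewed"] = verify_signed_message(renewed, msg, sig, ca.pub, ca.crl, now)
    return results


if __name__ == "__main__":
    for step, verdict in run_scenario().items():
        print(f"{step:12s} -> {verdict}")
```

The relying party checks the certificate before the message signature on purpose: a valid signature from a revoked or expired certificate must not be accepted, which is why CRL management sits beside issue and renew on the slide.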
Authentication means: ID/Pass, i-PIN, Certs., OTP, BIO
  Human: Internet banking, log-in
  Device: SSL server, etc.
  Environments: RFID/USN, U-City, U-home, U-health, broadcasting/telecommunication