The document provides an overview of Fujitsu's risk-based approach to security management. It discusses the evolving security landscape and challenges organizations face. Fujitsu's approach involves 3 steps: 1) Conducting risk and vulnerability assessments to understand threats. 2) Visualizing security data through logs consolidation and SIEM solutions to provide situational awareness. 3) Using investigation tools to gain visibility into system behavior and provide intelligence to inform security operations. The approach is aligned with security frameworks like COBIT and ISO and aims to balance security, compliance, and business needs through a coordinated and layered enterprise security architecture.

1. Risk Base Approach Security
Management
15th August 2011
Lam Kwok Wing – CISSP, CISM
lam.kwokwing@sg.fujitsu.com

2. Agenda
 Today’s Security Situation
 Organization’s Challenges
 Fujitsu Approach
2

3. Before 2006
3

4. 2006 - The Year Hacking Became A Business
2006 was the year hacking stopped being a hobby and
became a lucrative profession practiced by underground
of computer software developers and sellers.
It was the year when cyber-criminals targeted everything
from MySpace to Facebook.
Are you one of the victim in June?
4

5. We archived 1,419,202 web-sites deface-ments
Attacks by month Year 2010
Jan 53,915
Feb 57,867
Mar 73,712
Apr 95,078
May 83,182
Jun 81,865
Jul 87,364
Aug 63,367
Sep 185,741
Oct 194,692
Nov 258,355
Dec 184,064
Total 1,419,202
5

6. After 2006
6

7. Zombie Hacker Will Hack No More
Associated Press 01.23.06
SAN FRANCISCO -- A 20-year-old hacker pleaded guilty Monday to surreptitiously seizing control
of hundreds of thousands of internet-connected computers, using the zombie network to
serve pop-up ads and renting it to people who mounted attacks on websites and sent out spam.
Jeanson James Ancheta, of Downey, California, pleaded guilty in Los Angeles federal court to four
felony charges for crimes, including infecting machines at two U.S. military sites, that earned him
earned him more than $61,000,
more than $61,000, said federal prosecutor James Aquilina said.
Prosecutors called the case the first to target profits derived from use of "botnets," large
numbers of computers that hackers commandeer and marshal for various nefarious deeds, their
owners unaware that parasitic programs have been installed are being run by remote control.
profits derived from use of "botnets,“
Botnets are being used increasingly to overwhelm websites with streams of data, often by
extortionists. They feed off of vulnerabilities in computers that run Microsoft's Windows operating
system, typically machines whose owners haven't bothered to install security patches.
A website Ancheta maintained included a schedule of prices he charged people who
hundreds of thousands of
wanted to rent out the machines, along with guidelines on how many bots were required to
bring down a particular type of website.
internet-connected computers,
Prosecutors say Ancheta and SoBe then installed the ad software from the two companies --
Gamma Entertainment of Montreal, Quebec, and Loudcash, whose parent company was acquired
last year by 180 Solutions of Bellevue, Washington -- on the bots they controlled, pocketing more
than $58,000 in 13 months.
7

8. Hacking as Business
Hacking isn't a kid's game anymore
It had price …$$$...
The Black Market USD
Trojan program to steal online account information $980-$4,900
Credit card number with PIN $490
Billing data, including account number, address, $78-$294
Social Security number, home address, and birth date
Driver's license $147
Birth certificate $147
Social Security card $98
Credit card number with security code and expiration $6-$24
date
PayPal account logon and password $6
Data source: Trend Micro
8

9. Hacking as Services
 DDoS attacks
The price usually depends on the attack time:
1 hour - US$10-20 (depends on the seller)
2 hours - US$20-40
1 day - US$100
+ 1 day - From US$200 (depends on the complexity of the job)
It is worth highlighting that they normally offer 10 minutes testing, this means that if you are
interested, you tell them the server and they will perform a DoS attack for 10 minutes, so that you can
evaluate the ‘service’.
 Spam Hosting: US$200
Dedicated spam server US$500
10,000,000 Mails per day US$600
SMS spam (per message) US$0.2
ICQ (1,000,000) US$150
 Hiding of executable files. To avoid antivirus programs and firewalls
(They guarantee that the files won’t be detected even by the antivirus updates of the date of purchase):
From US$1 to US$5 per executable file (cheap, isn’t it?)
 RapidShare premium accounts: (Server hosting)
1 month - US$5, 2 months - US$8, 3 months - US$12, 6 months - US$18, 1 year - US$28
9

10. Hacking as Organized Crime
Cyber Criminals have become an organized bunch.
they use peer-to-peer payment systems just like they're buying and selling
on eBay, and they're not afraid to work together.
Software as a Service for criminals
Attackers use sophisticated trading interfaces to classify the stolen accounts
by the FTP server’s country of origin and the compromised site’s Google
page ranking. This information enables attackers to determine cost of the
compromised FTP credentials for resale to cybercriminals or to leverage
themselves in an attack against the more prominent Web sites.
Malware that encrypts data and then demands money to
provide the decryption key – FileFixPro
10

11. Federal websites knocked out by online botnet
attack
Computerworld UK - July 08, 2009
By Robert McMillan
A botnet comprised of about 50,000 infected computers has knocked out the
50,000 Infected Computers
websites of several government agencies, and caused headaches for
businesses in the US and South Korea.
The attack started 20 - 40and security experts have credited it with
Saturday, Gps Bandwidth
knocking the US Federal Trade Commission's (FTC's) website offline for
parts of Monday and Tuesday. Several other government websites have
also been targeted, including the US Department of Transportation (DOT).
Consuming 20 to 40 gigabytes of bandwidth per second
On Saturday and Sunday the attack was consuming 20 to 40 gigabytes of
bandwidth per second, about 10 times the rate of a typical DDoS attack.
Security experts estimate the size of the botnet at somewhere between
30,000 and 60,000 computers.
11

12. Date Site
Year 2011
2011-04-04
2011-04-20
Anonymous Engages in Sony DDoS Attacks Over GeoHot PS3 Lawsuit
Sony PSN Offline
2011-04-26 PSN Outage caused by Rebug Firmware
2011-04-26 PlayStation Network (PSN) Hacked
2011-04-27 Ars readers report credit card fraud, blame Sony
2011-04-28 Sony PSN hack triggers lawsuit Sony says SOE Customer Data Safe
SONY Cases - April-June 2011
2011-05-02
2011-05-03
Sony Online Entertainment (SOE) hacked SOE Network Taken Offline
Sony Online Entertainment (SOE) issues breach notification letter
2011-05-05 Sony Brings In Forensic Experts On Data Breaches
Anonymous leaks Bank of America
2011-05-06
2011-05-07
2011-05-14
Sony Networks Lacked Firewall, Ran Obsolete Software: Testimony
Sony succumbs to another hack leaking 2,500 "old records"
Sony resuming PlayStation Network, Qriocity services
e-mails
2011-05-17
2011-05-18
PSN Accounts still subject to a vulnerability
Prolexic rumored to consult with Sony on security
2011-05-20 Phishing site found on a Sony server
2011-05-21 Hack on Sony-owned ISP steals $1,220 in virtual cash
2011-05-22 Sony BMG Greece the latest hacked Sony site
2011-05-23 LulzSec leak Sony's Japanese Websites
2011-05-23 PSN breach and restoration to cost $171M, Sony estimates
2011-05-24 Sony says hacker stole 2,000 records from Canadian site (Sony Erricson)
2011-06-02 LulzSec versus Sony Pictures
2011-06-02 Sony BMG Belgium (sonybmg.be) database exposed
2011-06-02 Sony BMG Netherlands (sonybmg.nl) database exposed
Lulz Security hackers target Sun website
2011-06-02
2011-06-03
Sony, Epsilon Testify Before Congress
Sony Europe database leaked
2011-06-05 Latest Hack Shows Sony Didn't Plug Holes
2011-06-05 Sony Pictures Russia (www.sonypictures.ru) databases leaked
Hong Kong Stock Exchange Website
2011-06-06
2011-06-06
2011-06-08
LulzSec Hackers Post Sony Computer Entertainment Developer Network (SCE Devnet)
LulzSec hits Sony BMG, leaks internal network maps>
Sony Portugal latest to fall to hackers
Hacked, Impacts Trades
2011-06-08
2011-06-11
2011-06-20
Spoofing lead to fraud via shopping coupons at Sonisutoa / My Sony Club (Google Translation)
Spain Arrests 3 Suspects in Sony Hacking Case
SQLI on sonypictures.fr
2011-06-23 Class Action Lawsuit Filed Against Sony/SCEA
2011-06-28 Sony CEO asked to step down on heels of hacking fiasco
12

13. Agenda
 Today’s Security Situation
 Organization’s Challenges
 Fujitsu Approach
14

14. Security – A Confusing Picture
Data Loss Protection Multi Layer Firewall
Network Security Host IDS Content Monitoring and Filtering
is the first Line of Network Infrastructure Load Balancer
Defense NAC
Incident Management System
Security policies File Access Control List
fine-grain access control System Infrastructure Government regulations
operational process System compliance
central log server from a single console
Security Standards
Operation/ Password Management
visibility to Administration Authorization API
security threats
AD Authentication Access Control Keystore Management
policy-based authorization
Web Services Manager Engine
Security Breaches Alert
ID lifecycle management
Delegated administration
Entitlements Server
Middleware & compliance Breaches Alert
4A’s Security Services
System Services
delegated administration Application Security
approval workflows is the last Line of
Role-base access Business Services Defense
2FA Authentication Independent 3rd Party Audit
15

15. The Military Model for Security Issues
Threat Avoidance:
Security is the IT department’s business
- Security is the Security Expert’s Jobs
Security is an absolute
- Figure out what the threats are, and avoid them
- Either you’re secure or you’re not
Follows a computer engineering mentality
- Find and solve it
- Deploy point solution
Security becomes a barrier to business
16

16. Visibility of Malware vs. Malicious Intent
-- Invisible --
Source from : Douwe.Leguit@govcert.nl April 2007
17

17. Fujitsu Coordinated & Layered Approach
Enterprise Security Architecture
End Point Security
Network System Data Application
Security Security Security Security
Operational Security
Physical / Data Center Security
Personnel Security
Security Management
18

18. Security Management Framework
CobiT
ITIL
ISO/IEC 27001
NIST SP800-53A
19

19. PPT for Security Triad
Confidentiality
Security
Triad
Integrity Availability
20

20. ISACA–Business Model for Information
PPTX is the latest version today?
Security
Source: Adapted from the USC Marshall School of Business Institute for Critical Information Infrastructure Protection
http://www.isaca.org/Content/ContentGroups/Research1/Deliverables/An_Introduction_to_the_Business_Model_for_Information_Security1.htm
21

21. Risk Base Approach for Security Management
Risk Management : The Business Model
 Security is relative:
- Many risks and Many solutions
 Security is everyone’s Business
 Security is a process
- Things fail all the time
 Variety of options:
- Accept the risk
- Mitigate the risk with People/Procedure/Technology
- Transfer the risk
22

22. Agenda
 Today’s Security Situation
 Organization’s Challenges
 Fujitsu Approach
23

23. Fujitsu Approach - 3 Steps for Better Security
Step 1 : Know your risks
Internal Regulatory
And And
External Compliance
Threats Force
Business
ROSI System
Data Cost of Doing
(Return on Security Asset Business
Investment)
Application
and Process
Vulnerability
- Risk Assessment / Compliance Assessment
- Vulnerability Assessment
- Web Application Assessment / PenTest
24

24. Fujitsu Approach - 3 Steps for Better Security
Step 2 : Visualize your situation
25

25. Fujitsu Approach - 3 Steps for Better Security
 The Enterprise Today - Mountains of data, many stakeholders
Malicious Code Detection Real-Time Monitoring
Spyware detection Troubleshooting
Access Control Enforcement Configuration Control
Privileged User Management Lockdown enforcement
Unauthorized False Positive
Service Detection Reduction
IP Leakage
Web server Web cache & proxy logs
User Monitoring SLA Monitoring
activity logs
Content management logs
Switch logs IDS/IDP logs
VA Scan logs Router logs
Windows Windows logs VPN logs
domain
logins
Firewall logs
Wireless
access
logs Linux, Unix,
Oracle Financial Windows OS logs
Logs
Mainframe Client & file
DHCP logs
logs server logs
San File VLAN Access
Database Logs
Access & Control logs
Logs Sources from RSA
26

26. Fujitsu Approach - 3 Steps for Better Security
Step 2 : Visualize your situation
System
Monitoring
Intelligent
Logs
and
Consolidation
Correlation
SIEM Security Information &
Solution Event Management
SOC
Security Operation Center
Incident Management
ITIL Process
27

27. Fujitsu Approach - 3 Steps for Better Security
Step 3 : Knowing your enemy’s behavior
You need an
Investigation Tools
• for pervasive
visibility into
content and behavior
• Providing precise
and actionable
intelligence
28

28. Arts of War (Sun Zi)
Section III: Investigation
Attack by Stratagem
If you know yourself
and know the Visualization
enemy, you need not
fear the result of a
hundred battles.
孫子兵法 謀攻第三:
知己知彼，百戰不殆 Remediation
29

29. Thank you
30