Website Security in the Contactless Era and
Practices for Safe Remote Work
DigiCert Ireland Limited, Korea Branch
나 정주, Branch Manager
(Country Manager for Korea, Indonesia, Pakistan and Vietnam)
James.Nah@digicert.com
Agenda
Identity trends and industry direction
Changes in TLS/SSL certificates
The CA/B Forum
Proposals for minimizing cyberattacks while working from home
Five Tips for Secure Remote Email Access
Company introduction: DigiCert
Company introduction: CertKorea (써트코리아)
IDENTITY (신원 or 정체성) TRENDS AND INDUSTRY DIRECTION
ANOTHER YEAR OF ATTACKS
5,200: average number of attacks on IoT devices per month
94%: of malware (악성코드) infection happens via phishing scams over
2,354: average bot visits per site per week
51%: of businesses experienced DoS (denial of service) attacks
17.6 MILLION: websites have malware (악성코드) at any given time
68%: of breaches (침해) took months or longer to discover
“The cost of compromising the system around cryptography is much lower than that of running a 2^80 time attack, be it by attacking the software, hardware, processes, or people. Red teamers, military CNA/CNE, and cyber-criminals don’t need to break the crypto to get your secret keys.”
- JP Aumasson
IDENTITY IS DATA
• Our digital presence is intertwined with our daily lives.
• Every day, we generate more data, and more data is generated about us.
MINIATURIZATION & CONSOLIDATION
• Getting smaller: from bag phones to flip phones to smart phones
• Getting more with less: the consolidation of many devices into one
VIDEO STREAMING
• No more video tapes or DVDs
• Online and on-demand via high-speed broadband
CLOUD COMPUTING
• More than simple storage
• Powerful computing resources on-demand
• Pay as you use
BIG DATA BIOLOGY
• The generation of big data through constant monitoring of medical conditions.
• Apple Watch (EKG), medical tests online, smart continuous glucose monitoring systems
• Do we trust those holding the data?
BIG DATA: MY DATA IS NOT YOUR DATA
• How do we keep data secure and private?
• How do we know what’s being done with our data?
• Who has the access to correct, delete and destroy data?
• What are the trends in privacy acts across states and countries?
ANONYMITY (익명성) ON THE WEB
• We might want to be anonymous.
• Should websites we transact with be anonymous?
• How do we assure we are dealing with the right entity online?
• How do we assure ourselves we are downloading safe code?
• How do we know the email we received is genuine?
• How do we know the device that joined our network is authorized?
ONLINE SCAMS (사기)
Targets: Businesses, the elderly
How: Social engineering, phishing, fake recommendations
Changes in TLS/SSL certificates
What is a TLS (Transport Layer Security) / SSL (Secure Sockets Layer) certificate?
Because the data exchanged between the user and the web server is encrypted, a man-in-the-middle who intercepts the data cannot read its contents.
Types of TLS/SSL certificates
DV (Domain Validation), Basic Validation: the lowest level of authentication; anonymous entities can get a certificate
OV (Organizational Validation), Standard Validation: provides additional checks to ensure brand protection
EV (Extended Validation), Enterprise Validation: the highest standard of brand protection; shows customers that transactions are secure
Differences between TLS/SSL certificates
DV: Domain Validation (Basic Validation)
OV: Organizational Validation (Standard Validation)
EV: Extended Validation (Enterprise Validation)
Trends in TLS/SSL certificates
[Chart: yearly figures from 2010 to 2020, y-axis 0 to 80]
What happened to EV at Safari and Chrome?
[Screenshots: Safari, Chrome]
EV IS NOT GOING AWAY – IT’S MOVED
[Screenshot: Firefox]
What happened to EV at Edge?
Edge EV Treatment – Inherited from Chromium
Checking an EV SSL certificate
GPKI warning messages in Chrome & Safari mobile
How much do you manage certs in your organization?
- Do you have SSL/TLS certificates from multiple vendors in your infrastructure?
- Do you know how much to budget on an annual basis for your SSL/TLS certificate management?
- Do you know how much of your time you spend manually trying to process certificate renewals and installations?
- Do you know how much it costs your organization to administer your SSL/TLS certificates?
- Do you know exactly who is procuring certificates within your organization and how they are managing the certificates?
- Do you know the expiry dates of every certificate under management?
Cisco estimated that it takes some four hours of management time, at a cost of $288 per certificate, to manually administer your SSL/TLS certificates.
(“Case Study: Scalable Key and Certificate Lifecycle Management with Cisco Systems,” Session ID: SPO1-303, RSA Conference 2011, Cisco Systems Inc.)
Where are we going?
• Certificate trends: # websites will increase --> cert usage will increase
• DMARC (Domain-based Message Authentication, Reporting and Conformance) adoption will grow as companies see value in VMCs
• Quantum safe cryptography (PQC) will debut in TLS certs within the next 5 years
• Privacy laws will morph from states to countries to regions, eventually global
• It’s more than the lock! --> users must take extra precautions
• Encryption and Identity go hand in hand
• Automation in managing certificates will increase
• EV is not going away --> it’s moved
• Globally governments except Korea prefer EV
The CA/B (Certificate Authority & Browser) Forum
About the CA/B Forum
• CA (Certificate Authority) / Browser Forum
• A voluntary consortium of the industry around internet browser software vendors, operating systems and other PKI-enabled applications
• Publishes industry guidelines governing the issuance and management of X.509-based certificates
• Guidelines for certificates used in system and network security, such as TLS/SSL certificates and code signing certificates
https://cabforum.org/
Proposals for minimizing cyberattacks while working from home - “HOW TO AVOID CYBERATTACKS DURING AN EXTENDED PERIOD OF WORKING FROM HOME”
by Dean Coclin, Senior Director of Business Development at DigiCert
from the article in Analytics Insight
Hackers will take advantage of any vulnerability they can find. Amidst the pandemic of COVID-19, attackers are taking advantage of the alertness of the world population with phishing emails, social media posts, apps and text messages containing malware. These scams typically involve fraudsters impersonating healthcare officials.
In fact, CERT-In (Computer Emergency Response Team of India) in its latest advisory to internet users said that cyber criminals are exploiting the COVID-19 outbreak as an opportunity to send phishing emails claiming to have important updates or encouraging donations, impersonating trustworthy organizations. The phenomenon has been witnessed as many organizations have asked their staff to work from home to help stop the spread of the coronavirus that has claimed thousands of lives worldwide and infected millions.
As these cyberattacks continue to spread, we recommend these six best practices to help protect ourselves.
In the pandemic of COVID-19…
Check common signs (상식을 이용해라: use common sense)
If a form of communication asks you to click a link, download an attachment or give any personal or financial information, this should be a red flag.
Do not exchange information or do financial transactions with entities that you are not familiar with.
Look for common signs of fraudulent sites/emails including:
- Poor design
- Poor grammar or spelling
- Unreliable contact information
- No Terms and Conditions listed
- Deals that seem too good to be true
- Suspicious forms of payment (like sending money to a random PayPal account)
Treat Emails about COVID-19 with Suspicion (“코로나” 관련… 의심 먼저: be suspicious first of anything “corona”-related)
Sample phishing email: the attachment contains malware. Reading carefully reveals that the fraudster spelled Israel “Isreal,” which is a clear red flag.
Pay attention when browsing (웹사이트 인증서 등 활용: use website certificates and similar signals)
It’s also important to be careful when browsing, whether on websites, social media or apps. You can check the sites you visit for TLS (Transport Layer Security) /SSL (Secure Sockets Layer), the standard technology for keeping an internet connection secure and safeguarding any sensitive data that is being sent between two systems. Different browsers have unique identifiers to show if a website is secure. You can view our blog on how to identify authorized sites to know how to distinguish authorized from unsecured sites.
Additionally, web users can check the safety of a site by copying and pasting the URL into the Google Safe Browsing Transparency Report. If a suspicious or fraudulent site is found, it can be reported to Google’s Safe Browsing or Mozilla’s Protect the Fox.
Do not download unknown attachments
Malware is currently spreading through cybercriminals distributing via email a map similar to the one by Johns Hopkins University. The map often includes links to malicious sites disguised as official communication.
Fight technology with technology (눈에는 눈, 이에는 이 ~~ 기술에는 기술: an eye for an eye, a tooth for a tooth, technology for technology)
To prevent attacks always update your software and browser with the latest versions of Microsoft Edge, Mozilla Firefox and other vendors’ browsers that come equipped with anti-phishing filters.
Existing technologies such as PKI (Public Key Infrastructure), which provides encryption and cryptographic identity guarantee in each data flow and verifies all network users, can play a key role in protecting homes, businesses and connected networks. Email attacks are common forms of phishing and social engineering, and companies can also help protect users and other people who trust their email systems by using digital certificates to assure the identity and authentication and encryption of the client.
Overall, rely on legitimate health services and government websites for information. Do not give out personal or financial information and verify that a charity is legitimate before making donations. You may want to review the FTC guidelines for vetting a charity and avoiding scams before making any donations.
During this global pandemic, not only do we need to reexamine our social habits, but also our digital ones. Following these tips can protect against hacker attacks and data leakage, keeping your network and devices safe.
Five Tips for Secure Remote Email Access (원격 이메일 접속을 보호하기 위한 5가지 제안)
by Dean Coclin, Senior Director of Business Development at DigiCert
from the DigiCert blog at: https://www.digicert.com/5-tips-for-secure-remote-email-access/
Best practices to help your organization send and receive secure messages
How many emails do you receive every day? How do you know the emails you are sending and receiving are secure? How do you know that your employees’ emails are secure, especially when they are working remotely and sending emails from home or unknown locations?
Furthermore, how do users know that an email is actually from your organization? When a hacker pretends to be from an organization, it not only costs companies millions of dollars each year but also damages trust between a company and its customers. Building trust through secure email access is critical to ensuring that information remains secure and private.
To combat compromised email attacks, several protocols were created. These, combined with other best practices, can help your organization secure your remote workforce’s email. This is especially important as attackers are currently spoofing emails and messages to take advantage of the current global crisis. For example, some malware was spread in March through an email attachment spoof of the Johns Hopkins University map.
1. Use S/MIME (Secure/Multipurpose Internet Mail Extensions) protocol
S/MIME is a method for sending digitally signed and/or encrypted messages. Using S/MIME in email reassures receivers that the message in their inbox is the exact same message from the sender. It also validates the identity of senders, so receivers know that the message is coming from the real sender and not an imposter. Thus, S/MIME provides authentication, message integrity, privacy and data security.
Within organizations, your IT department will be responsible for setting up S/MIME by providing digital certificates to users or by using a third-party platform to enforce security on email messages. For non-corporate users, you would need to obtain a digital certificate from a certificate authority to enable S/MIME. Google Gmail supports a few different secure email methods as outlined in this support article: Gmail Help. Here’s an example of what secure email looks like in your Gmail inbox:
2. Work towards DMARC certification
DMARC (Domain-based Message Authentication, Reporting and Conformance) ensures that others cannot pretend to be from a legitimate corporate domain so that your emails can’t be spoofed. For example, if an organization like PayPal has DMARC, then fraudsters cannot send emails from the PayPal domain because the receiving email provider will either quarantine or reject messages from unauthorized accounts. Thus, only authenticated messages are accepted into email users’ inboxes.
After your organization has this protocol, you can also configure alerts for your organization when an unauthorized email is sent from your domain, helping you increase visibility and monitor suspicious activities.
DMARC implementation requires that your organization inventory all domain senders authorized to send messages on behalf of your organization and whitelist them. Outsourcing emails to third-party senders can make this process more complicated, but it’s certainly doable.
A DMARC policy can be configured in three ways: none, quarantine or reject. When organizations initially create a DMARC record, they set the policy=none. But this wouldn’t result in any enforcement. Once the policy is set to quarantine or reject, they will see the benefit of DMARC. In 2018, the U.S. Department of Homeland Security issued a directive to get all U.S. government domains DMARC enforced (see https://cyber.dhs.gov/bod/18-01/). In record time, government domains implemented DMARC. Businesses should also work towards DMARC certification and enforcement to protect their brand from being used in false messaging.
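The policy mechanics described above (p=none only monitors; quarantine or reject enforces; a message passes only when SPF or DKIM authenticates a domain aligned with the From header) can be seen end to end in the following added example. It is not code from DigiCert or from the article; the DMARC records and messages are constructed samples, the organizational-domain rule is simplified to the last two labels (a real receiver consults the Public Suffix List), and pct= sampling is ignored.

```python
"""DMARC record parsing and message disposition over constructed samples.

Added example, not DigiCert's or the article's code. Assumptions: the
organizational domain is the last two labels (real receivers use the
Public Suffix List) and pct= sampling is not modelled.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse the 'tag=value; tag=value' body of a _dmarc TXT record."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p= must be one of none, quarantine, reject")
    # Spec defaults: relaxed alignment for both SPF and DKIM, sp= inherits p=.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])
    if tags["sp"] not in VALID_POLICIES:
        raise ValueError("sp= must be one of none, quarantine, reject")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only the same organizational domain. No authenticated domain -> no alignment."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class Message:
    from_domain: str                          # domain of the RFC5322.From header
    spf_domain: Optional[str] = None          # domain SPF passed for (MAIL FROM); None if SPF failed
    dkim_domains: List[str] = field(default_factory=list)  # d= of signatures that verified


def dmarc_disposition(record: Dict[str, str], msg: Message) -> str:
    """'pass' when an aligned SPF or DKIM result exists; otherwise the policy the
    domain owner asked receivers to apply (none / quarantine / reject)."""
    spf_ok = aligned(msg.from_domain, msg.spf_domain, record["aspf"])
    dkim_ok = any(aligned(msg.from_domain, d, record["adkim"]) for d in msg.dkim_domains)
    if spf_ok or dkim_ok:
        return "pass"
    # p= covers the organizational domain itself, sp= covers its subdomains.
    is_subdomain = msg.from_domain.lower() != org_domain(msg.from_domain)
    return record["sp"] if is_subdomain else record["p"]


# Constructed sample records and messages (not real DNS data or mail).
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCED = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"

LEGITIMATE = Message("example.com", spf_domain="bounce.example.com", dkim_domains=["example.com"])
SPOOFED = Message("example.com", spf_domain="attacker.example")   # SPF passes only for the sender's own domain
SUBDOMAIN_SPOOF = Message("news.example.com")                      # neither SPF nor DKIM


def run_samples() -> Dict[str, str]:
    """Disposition of every sample message under both records."""
    results: Dict[str, str] = {}
    for name, txt in (("monitor", MONITOR_ONLY), ("enforced", ENFORCED)):
        record = parse_dmarc_record(txt)
        for label, msg in (("legit", LEGITIMATE), ("spoof", SPOOFED), ("subdomain", SUBDOMAIN_SPOOF)):
            results[f"{name}/{label}"] = dmarc_disposition(record, msg)
    return results


if __name__ == "__main__":
    for key, value in run_samples().items():
        print(f"{key:20s} -> {value}")
```

The run shows the point the paragraph makes: under the p=none record the spoofed messages are still delivered (disposition "none", only reported via rua), while the enforced record rejects the exact-domain spoof and quarantines the subdomain spoof, and the legitimate message passes in both cases because its SPF domain aligns with the From domain.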
3. Use a VPN for your workforce
A Virtual Private Network (VPN) adds a layer of security and privacy to email by encrypting traffic through a server, so it is more difficult for hackers to intercept it. Utilizing digital certificates for authentication to VPNs provides an extra layer of security for sensitive communication.
4. Look forward to BIMI (Brand Indicators for Message Identification)
BIMI (Brand Indicators for Message Identification) is an email specification that enables brand-controlled, validated logos in supporting email providers.
This emerging standard will build on DMARC authentication by displaying brand logos on email messages verified with DMARC. Logos will be validated by certificate authorities, who will issue VMCs (Verified Mark Certificates).
A pilot is planned for Q2 with general availability later this year. The first Verified Mark Certificate was issued by DigiCert to CNN in October 2019.
5. Remember email management best practices
On top of having good security tools, you should also do what you can to encourage employees to keep their email safe, especially when they are working remotely and cannot authenticate messages in person. Organizations should implement and enforce a company-wide email policy if they do not already have one. For instance, close former employees’ email accounts so that they cannot access them and forward correspondence to a current employee. You may also consider offering security awareness training to employees since helping employees practice good security habits is just as important as implementing security protocols. Testing employee awareness with crafty emails to see if they click on suspicious links is a good way to ensure proper email hygiene.
In sum, securing your email, especially from home or unknown locations, helps to ensure the email content cannot be read by third parties and that the integrity of the message is intact.
Company introduction: DigiCert & CertKorea (써트코리아)
DigiCert - A Combined History of Innovation & Leadership
1995: VeriSign becomes the first Certificate Authority
1997: VeriSign becomes first international CA
2003: DigiCert founded based on the question, “Isn’t there a better way?”
2005: DigiCert becomes founding member of the CA/Browser Forum
2007: DigiCert partners with Microsoft to develop first Multi-Domain certificate
2010: Symantec acquires Verisign Authentication
2013: DigiCert builds first CT log accepted by Google
2015: DigiCert launches scalable IoT platform
2016: DigiCert acquires Verizon SSL/TLS business
2017: DigiCert acquires Symantec’s Website Security business
2018: DigiCert’s trusted roots become encryption foundation for enterprises worldwide
2019: DigiCert acquires QuoVadis CA
“Based on Forbes Global 2000 list published in 2017 / Fortune 500 2017 and internal customer analysis conducted in October 2017, Frost & Sullivan 2019”
DigiCert: a leading company in TLS/SSL certificates and IoT security
• The No. 1 enterprise TLS/SSL certificate vendor
• Named “2020 Global TLS Certificate Company of the Year” by Frost & Sullivan
• Preferred by 89% of the Fortune 500 and 97% of the top 100 banks
• Secures 28 billion web connections every day
• Provides SSL, PKI & IoT solutions in more than 180 countries worldwide
• Announced the automation platform “CertCentral”
• In October 2018, DigiCert, Gemalto and Isara formed a three-way partnership for future IoT security in the quantum computing era
• Announced the world’s first “PQC test kit” (DigiCert Secure Site Pro)
“CertCentral” Enterprise, all certificate types in one place
CertCentral Enterprise: a single console to manage all types of certificates through an intuitive, modern UI.
Secure Site Pro TLS certificate
• Certificate Transparency (CT) Log Monitoring: gain visibility of your certificates with the only transparency monitoring feature on the market
• Blacklist Check: ensure your domains are free and clear with blacklist and malware searches
• Priority Support and Validation: get your queries resolved faster with preferential access to support and validation
• Trust Mark: boost consumer confidence with the world’s most-recognized SSL
• Post Quantum Cryptography (PQC): get ahead of quantum computing by testing hybrid certificates safely
Also available as Extended Validation (EV) certificates
Server Certificate
1. Subject: www.digicert.com
2. Valid from 7/11/2018 to 13/11/2020
3. Issuer: Digicert SHA2 Extended Validation Server CA
Intermediate Certificate Authority
1. Subject: Digicert SHA2 Extended Validation Server CA
2. Valid from 10/Nov/2006 to 10/Nov/2031
3. Issuer: Digicert High Assurance EV Root CA
Server Certificate
1. Subject: www.digicert.com
2. Valid from 7/11/2018 to 13/11/2020
3. Issuer: DigiCert Secure Site Korea EV CA
Intermediate Certificate Authority
1. Subject: DigiCert Secure Site Korea EV CA
2. Valid from 25/March/2019 to 25/March/2029
3. Issuer: Digicert High Assurance EV Root CA
Root Certificate
1. Subject: Digicert High Assurance EV Root CA
2. Valid from 10/Nov/2006 to 10/Nov/2031
3. Issuer: Digicert High Assurance EV Root CA
Launched “Korea ICA” – “DigiCert Secure Site Korea EV CA”
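The leaf / intermediate / root relationship shown above, and the earlier question of whether you know the expiry date of every certificate under management, are worked through in the following added example. It is not DigiCert's code: it models each certificate only by subject, issuer and validity dates (transcribed from the Korea ICA chain on the slide), walks issuer to subject until it reaches a trust anchor, checks validity windows at a chosen date, and produces an expiry report. It deliberately does not verify signatures, which a real validator (the browser, OpenSSL or Python's ssl module) must also do.

```python
"""Structural check of a TLS certificate chain plus an expiry report.

Added example, not DigiCert's code. It checks name chaining, validity windows
and the trust anchor only; signature verification is out of scope. The sample
CertInfo values are transcribed from the chain shown on the slide.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


class ChainError(Exception):
    """Raised when no path from the leaf to a self-signed certificate exists."""


@dataclass(frozen=True)
class CertInfo:
    subject: str
    issuer: str
    not_before: date
    not_after: date

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


# Values from the slide (day/month/year on the slide, ISO here).
ROOT = CertInfo("Digicert High Assurance EV Root CA",
                "Digicert High Assurance EV Root CA", date(2006, 11, 10), date(2031, 11, 10))
KOREA_ICA = CertInfo("DigiCert Secure Site Korea EV CA",
                     "Digicert High Assurance EV Root CA", date(2019, 3, 25), date(2029, 3, 25))
LEAF = CertInfo("www.digicert.com",
                "DigiCert Secure Site Korea EV CA", date(2018, 11, 7), date(2020, 11, 13))

TRUST_ANCHORS: Dict[str, CertInfo] = {ROOT.subject: ROOT}           # trusted a priori by the client
INTERMEDIATES: Dict[str, CertInfo] = {KOREA_ICA.subject: KOREA_ICA}  # sent by the server with the leaf


def build_chain(leaf: CertInfo, intermediates: Dict[str, CertInfo],
                trust_anchors: Dict[str, CertInfo]) -> List[CertInfo]:
    """Follow issuer names from the leaf upward until a self-signed cert is reached."""
    chain = [leaf]
    seen = {leaf.subject}
    current = leaf
    while not current.is_self_signed():
        parent = intermediates.get(current.issuer) or trust_anchors.get(current.issuer)
        if parent is None:
            raise ChainError(f"no certificate found for issuer {current.issuer!r}")
        if parent.subject in seen:
            raise ChainError("issuer loop detected")
        chain.append(parent)
        seen.add(parent.subject)
        current = parent
    return chain


def validate_chain(chain: List[CertInfo], at: date,
                   trust_anchors: Dict[str, CertInfo]) -> List[str]:
    """Return a list of problems (empty list means the structural checks passed)."""
    problems: List[str] = []
    for cert in chain:
        if not (cert.not_before <= at <= cert.not_after):
            problems.append(f"{cert.subject}: not valid on {at} "
                            f"(valid {cert.not_before} to {cert.not_after})")
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            problems.append(f"{child.subject}: issuer {child.issuer!r} "
                            f"does not match {parent.subject!r}")
    root = chain[-1]
    if not (root.is_self_signed() and trust_anchors.get(root.subject) == root):
        problems.append(f"{root.subject}: chain does not end in a trusted root")
    return problems


def expiry_report(certs: List[CertInfo], today: date) -> List[Tuple[str, int]]:
    """(subject, days until expiry), most urgent first; negative means already expired."""
    return sorted(((c.subject, (c.not_after - today).days) for c in certs),
                  key=lambda item: item[1])


if __name__ == "__main__":
    chain = build_chain(LEAF, INTERMEDIATES, TRUST_ANCHORS)
    print(" -> ".join(c.subject for c in chain))
    print("problems on 2020-01-01:", validate_chain(chain, date(2020, 1, 1), TRUST_ANCHORS))
    print("problems on 2021-01-01:", validate_chain(chain, date(2021, 1, 1), TRUST_ANCHORS))
    for subject, days in expiry_report(chain, date(2020, 11, 1)):
        print(f"{days:6d} days left  {subject}")
```

Two details are worth noticing. Removing the intermediate from what the server sends makes build_chain fail with ChainError, which is the usual cause of "unknown issuer" errors in browsers after a certificate is installed without its ICA. The validity check evaluates each certificate at the validation time only, as RFC 5280 path validation does, so the fact that the slide's leaf not-before (2018) precedes the Korea ICA's (2019) is not flagged, whereas the root not being in the trust store is.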
CertKorea (써트코리아) is a “leading company” in SSL certificate services for website privacy protection
Partnership agreement with GeoTrust Inc.
CertKorea signs a Symantec Platinum partnership
Partnership agreement with Verisign Inc., the world’s No. 1 certificate authority
2018
2010 2000 2000
Selected as a DigiCert Platinum partner
• Accredited corporate-affiliated advanced research institute
• Tenant company of the KAIST High-Tech Commercialization Center (HTC)
• Minister of Information and Communication Award (Excellent IP Award)
Partnership agreement with Thawte Inc.
2012
20 years of issuance and technical know-how / DigiCert’s only Platinum partner in Korea / the steady trust of Korea’s top 1,000 companies
01.
✓ We have professional know-how built on 20 years of accumulated experience.
✓ Long experience lets us quickly grasp rapidly changing certificate trends and handle them smoothly.
✓ As a Premium partner, the highest DigiCert partner level, we receive high-quality technical and marketing support.
✓ We are a pioneer that started the certificate business in 2001, when the domestic certificate market was first forming, through a partnership with an international certificate authority.
02. 03.
✓ Through long experience and know-how in the domestic certificate market, we are trusted by Korea’s top 1,000 companies.
✓ More than 40,000 certificates issued to date
* No. 1 in Korea: some 10,000 customers have chosen CertKorea. Major customers
Thank you.
DigiCert Ireland Limited, Korea Branch
나 정주, Branch Manager
(Country Manager for Korea, Indonesia, Pakistan and Vietnam)
James.Nah@digicert.com
CertKorea (써트코리아)
허 명옥, General Manager
cert@certkorea.co.kr