
Information Systems and Security at User Companies #seccamp2019


User companies carry out a wide range of risk management to protect their users and their business. That itself has not changed, but while the environments that host business systems and services have diversified, new risks have emerged as well. In this lecture we look at how to build and run a security function inside a user company while the business keeps growing, bringing in management topics, the new security concept of "zero trust", cyber security frameworks and more. The end goal is that you can picture how you would operate if you joined a user company as its security person.

Kengo Suzuki

August 16, 2019

Transcript

1. Self-introduction
   - @ken5scal (Kengo Suzuki)
   - Favourite tech stack: authentication and authorization
   - Has handled security at both large companies and startups in the finance/Fintech sector
   - 2011: NRI Secure (SIer): providing MSS services to securities firms
   - 2014: Money Forward (user company): asset management / cloud accounting Fintech startup
   - 2018: FOLIO (user company): securities Fintech startup
2. - Who: "people who want to change the world with their own power"
   - What: "this year's theme is 'operating things properly'"
   - How (1): "acquiring advanced information security skills"
   - How (2): "also providing opportunities to improve awareness of morals and legal compliance, security awareness, professional awareness and self-directed learning (the skills needed beyond technology)"
   Operations and development track
   Source: IPA Security Camp pages (www.ipa.go.jp/jinzai/camp: zenkoku_characteristic.html, zenkoku_about.html)
4. Typical concern about platform markets is that people will coordinate on a "dominant" platform.
   Source: J. D. Levin, "Economics of Platforms" lecture slides (web.stanford.edu, pptx)
5. Examples of new value and of risks materializing
   - 2011: leak of personal data from PlayStation Network through SQL injection
   - 2012: fraudulent transfers at online banks through man-in-the-browser attacks
   - 2014: leak of personal data at Benesse by an insider
   - 2015: leak of personal data from the pension management system through a cyber attack
   - 2018: leak of crypto assets from a cryptocurrency exchange
   - 2019: fraudulent purchases on a cashless payment service
6. Examples of new value and of risks materializing: the speed at which they materialize is increasing
   - 2011: leak of personal data from PlayStation Network through SQL injection
   - 2012: fraudulent transfers at online banks through man-in-the-browser attacks
   - 2014: leak of personal data at Benesse by an insider
   - 2015: leak of personal data from the pension management system through a cyber attack
   - 2018: leak of crypto assets from a cryptocurrency exchange
   - 2019: fraudulent purchases on a cashless payment service
7. ...that is the kind of story I am going to tell.
   - @ken5scal (Kengo Suzuki)
   - Favourite tech stack: authentication and authorization
   - Has handled security at both large companies and startups in the finance/Fintech sector
   - 2011: NRI Secure (SIer): providing MSS services to securities firms
   - 2014: Money Forward (user company): asset management / cloud accounting Fintech startup
   - 2018: FOLIO (user company): securities Fintech startup
8. - @ken5scal (Kengo Suzuki)
   - Favourite tech stack: authentication and authorization
   - Has handled security at both large companies and startups in the finance/Fintech sector
   - 2011: NRI Secure (SIer): providing MSS services to securities firms
   - 2014: Money Forward (user company): asset management / cloud accounting Fintech startup
   - 2018: FOLIO (user company): securities Fintech startup
   ...that is the kind of story I am going to tell. From the standpoint of the securities industry, I will talk about how a startup "operates properly".
9. - @ken5scal (Kengo Suzuki)
   - Has handled security at both large companies and startups in the finance/Fintech sector
   - 2011: NRI Secure: MSS for securities firms
   - 2014: Money Forward: asset management / cloud accounting Fintech startup
   - 2018: FOLIO (current): securities Fintech startup
   I also publish doujinshi at events such as Gijutsu Shoten (技術書典).
10. What are laws/regulations and guidelines?
   - Laws and regulations (法令): legal norms enacted by the legislature (statutes) plus legal norms enacted by administrative agencies (ordinances); they are legally binding
   - Standards (基準): the minimum rules that must be met; sometimes include "guidelines" and "supervisory guidelines" whose observance is recommended; not legally binding (or are they?)
   - What can happen when these are not met...
   Source: https://ja.wikipedia.org/wiki/法令
11. Laws and regulations that apply to a securities firm (partial)
   - Laws: Financial Instruments and Exchange Act; Act on Prevention of Transfer of Criminal Proceeds; Act on the Protection of Personal Information
   - Guidelines: Comprehensive Guidelines for Supervision of Financial Instruments Business Operators, etc.; Security Measures Standards for Computer Systems of Financial Institutions; Guidelines for Anti-Money Laundering and Combating the Financing of Terrorism; Guidelines for the Protection of Personal Information in the Financial Sector; Proper Handling of Specific Personal Information in Financial Business; Handbook for Formulating Contingency Plans at Financial Institutions; SME BCP Formulation and Operation Guidelines
16. Regulatory compliance centred on the supervisory guidelines
   - Laws: Financial Instruments and Exchange Act (internal control); Act on Prevention of Transfer of Criminal Proceeds; Act on the Protection of Personal Information; etc.
   - Guidelines: Comprehensive Guidelines for Supervision of Financial Instruments Business Operators, etc.; Security Measures Standards for Computer Systems of Financial Institutions; Guidelines for Anti-Money Laundering and Combating the Financing of Terrorism; Guidelines for the Protection of Personal Information in the Financial Sector; Proper Handling of Specific Personal Information in Financial Business; Handbook for Formulating Contingency Plans at Financial Institutions (business continuity); SME BCP Formulation and Operation Guidelines (business continuity); etc.
17. Regulatory compliance centred on the supervisory guidelines
   - Laws: Financial Instruments and Exchange Act (internal control); Act on Prevention of Transfer of Criminal Proceeds; Act on the Protection of Personal Information; etc.
   - Guidelines: Comprehensive Guidelines for Supervision of Financial Instruments Business Operators, etc.; Security Measures Standards for Computer Systems of Financial Institutions; Guidelines for Anti-Money Laundering and Combating the Financing of Terrorism; Guidelines for the Protection of Personal Information in the Financial Sector; Proper Handling of Specific Personal Information in Financial Business; Handbook for Formulating Contingency Plans at Financial Institutions (business continuity); SME BCP Formulation and Operation Guidelines (business continuity); etc.
   ✗ Complying in order to avoid administrative sanctions
   ○ Complying in order to keep protecting users and delivering value
18. Administrative sanctions take the evaluation items of the supervisory guidelines as their source
   - On-site inspection by the FSA's inspection bureau
   - Based on the inspection report, hearings, the status of improvements and countermeasures, and the remediation of findings, the Securities and Exchange Surveillance Commission issues a recommendation to the FSA's audit bureau (Act for Establishment of the Financial Services Agency, Article 20, paragraph 1)
   - The audit bureau examines the content and considers administrative sanctions (FIEA Article 56-2, paragraph 1; FIEA Articles 51 to 52-2)
   - The examination is made "in light of the evaluation items set out in these supervisory guidelines" and the content of the sanction is decided
   Source: https://www.fsa.go.jp/common/law/guide/kinyushohin/
19. III-2-8 System risk management framework
   - Awareness of system risk
   - Establishment of an appropriate risk management structure
   - System risk assessment
   - Information security management
   - Cyber security management
   - System audit
   - Outsourcing management
   - Contingency plan
   - System integration risk
   - Response when failures occur
   https://www.fsa.go.jp/common/law/guide/kinyushohin/03.html
27. Cybersecurity Framework (CSF)
   - NIST: the US National Institute of Standards and Technology, which among other things selects and standardizes cryptographic technology such as AES
   - A general-purpose framework based on a risk-based approach, meant to support the management of cyber risk by companies and organizations that operate critical infrastructure
   - Made up of three elements: Core, Tier and Profile
   Source: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
28. NIST SP 800-171
   - Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets
   - A set of recommended security measures for protecting the confidentiality and integrity of important assets against APTs; examples of such assets: privacy data, tax data, financial information, patents
   - Example requirements: access control, awareness and training, audit, configuration management, identification and authentication, and so on
   - Mapped to the Cyber Security Framework
   Source: www.nist.gov (CUI overview slides, "cui_overview_casey.pdf")
29. ATT&CK
   - Adversarial Tactics, Techniques, and Common Knowledge
   - A knowledge base and framework from MITRE, the organization that manages CVE
   - Lists, and arranges into matrices, attackers and attack groups, tactical objectives, technical behaviour and attack tools
   - Useful for implementing concrete defensive measures
   - Intelligence sharing via STIX/TAXII
   https://attack.mitre.org/
30. SP 800-171: requirements for the security measures private companies should take
   1. Access Control
   2. Awareness and Training
   3. Audit and Accountability
   4. Configuration Management
   5. Identification and Authentication
   6. Incident Response
   7. Maintenance
   8. Media Protection
   9. Personnel Security
   10. Physical Protection
   11. Risk Assessment
   12. Security Assessment
   13. System and Communications Protection
   14. System and Information Integrity
32. Functions that Active Directory provides
   - User authentication
   - User control
   - Device control
   - Mass deployment
   - Storage
   - Certificate authority
   - DNS
   - DHCP
33. Changes in the enterprise environment
   - ~2005: growth of SaaS specialized in particular functions such as customer management
   - 2006: more core systems move to the cloud
   - 2010?: business use of the iPhone
   - 2014: the fourth startup boom
   - 2016: the spread of remote work
34. Changes in the enterprise environment
   - ~2005: growth of SaaS specialized in particular functions such as customer management; Salesforce's mega-hit
   - 2006: more core systems move to the cloud
   - 2010?: business use of the iPhone
   - 2014: the fourth startup boom
   - 2016: the spread of remote work
35. Changes in the enterprise environment
   - ~2005: growth of SaaS specialized in particular functions such as customer management
   - 2006: more core systems move to the cloud; Google Apps For Your Domain (now G Suite) appears; AWS appears: the service-hosting environment turns into PaaS
   - 2010?: business use of the iPhone
   - 2014: the fourth startup boom
   - 2016: the spread of remote work
   Sources: AWS history page (aws.amazon.com/jp/aws_history/details); https://en.wikipedia.org/wiki/G_Suite
36. Changes in the enterprise environment
   - ~2005: growth of SaaS specialized in particular functions such as customer management
   - 2006: more core systems move to the cloud
   - 2010?: business use of the iPhone; growing number of cases of smartphone use at work
   - 2014: the fourth startup boom
   - 2016: the spread of remote work
37. Changes in the enterprise environment
   - ~2005: growth of SaaS specialized in particular functions such as customer management
   - 2006: more core systems move to the cloud
   - 2010?: business use of the iPhone
   - 2014: the fourth startup boom; more startups in regulated industries (e.g. Fintech)
   - 2016: the spread of remote work
   Source: "Japan's improving business environment for startups", JRI Review (www.jri.co.jp, pdf)
38. Changes in the enterprise environment
   - ~2005: growth of SaaS specialized in particular functions such as customer management
   - 2006: more core systems move to the cloud
   - 2010?: business use of the iPhone
   - 2014: the fourth startup boom
   - 2016: the spread of remote work
   Source: "Japan's improving business environment for startups", JRI Review (www.jri.co.jp, pdf)
39. [Diagram] Business data is dispersed and access paths diversify as society and services change: important data held on-server, business apps, core data, and the policies and rules that are applied to them.
40. Targeted attacks (threat)
   - Cyber attacks aimed at the information inside a specific organization (2009~)
   - Domestic cases: 2011: Mitsubishi Heavy Industries; 2015: Japan Pension Service; 2018: Coincheck?
   Source: The Cyber Kill Chain, https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
41. Supply chain
   - Information security risk that arises from malicious programs embedded in products, tampering with hardware, and the like
   - Cases: malicious code injected into popular npm libraries; malicious code injected into the Ruby gem "strong_password"; hijacking of a file-sharing browser extension; the vulnerability in omni7, which 7pay depended on; the US exclusion of Huawei products
   Sources: https://www.securityweek.com/malicious-code-planted-strong_password-ruby-gem ; https://www.wired.com/story/google-chrome-extensions-security-changes/
42. Declining trustworthiness of the trust zone
   - Targeted attacks: drive-by download and watering-hole attacks; information gathering and lateral compromise via C2C after exploitation
   - Supply-chain risk: vulnerabilities in the OSS you depend on
   - Insider threats: crime from within the organization
43. A world where trust is computed from multiple variables

```go
// Pseudocode from the slide, tidied into Go syntax: trust is a score computed
// from several inputs, and the authorization decision is taken on that score.
func CanWeTrust(device, user interface{}, zone string) int {
	// return value from 0~1
	return someAlgorithm(device, user, zone)
}

func AuthorizationDecision(device, user interface{}, score int) bool {
	// decide on the score that was just computed
	return AllowOrDisAllow(device, user, score)
}
```
44. LDAP
   - Lightweight Directory Access Protocol: a protocol for accessing directory services
   - Functions: search (ldapsearch), update (ldapmodify), add (ldapadd)
   - Active Directory is the well-known implementation, but G Suite has recently implemented it too
   - Used both commercially and in OSS, with a rich track record
   - For cloud and web apps it is on the minor side of mainstream
45. [Diagram] LDAP client and server. Source: hrouhani.org (LDAP server with OpenLDAP on CentOS)
46. LDAP example: search
   [Sequence] client → server: bind as cn=client,ou=servers,dc=example,dc=com with password {password}; server → client: result success; client → server: search objectclass=*; server → client: all LDAP objects

```
$ ldapsearch -D "cn=admin" -w {password} -b "dc=example,dc=com" "(objectclass=*)"
```
49. SCIM (pronounced "skim")
   - System for Cross-domain Identity Management
   - "Designed to make managing user identities in cloud-based applications and services easier"
   - Provisioning from a centrally managed directory to the services in use
   - JSON/XML format; model operations through a REST API
   - Less common than LDAP
   http://www.simplecloud.info/
50. SCIM User resource (example from simplecloud.info)

```json
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "meta": {
    "resourceType": "User",
    "created": "2011-08-01T18:29:49.793Z",
    "lastModified": "2011-08-01T18:29:49.793Z",
    "location": "https://example.com/v2/Users/2819c223...",
    "version": "W\/\"f250dd84f0671c3\""
  },
  "name": {
    "formatted": "Ms. Barbara J Jensen, III",
    "familyName": "Jensen",
    "givenName": "Barbara",
    "middleName": "Jane",
    "honorificPrefix": "Ms.",
    "honorificSuffix": "III"
  },
  "userName": "bjensen",
  "phoneNumbers": [
    { "value": "555-555-8377", "type": "work" }
  ],
  "emails": [
    { "value": "bjensen@example.com", "type": "work", "primary": true }
  ]
}
```
   http://www.simplecloud.info/
51. SCIM Protocols
   - Create: POST /{version}/{resource}
   - Read: GET /{v}/{resource}/{id}
   - Replace: PUT /{v}/{resource}/{id}
   - Delete: DELETE /{v}/{resource}/{id}
   - Partial replace: PATCH /{v}/{resource}/{id}
   - Search: GET /{v}/{resource}?filter={attribute} {operator} {value}&sortBy={attributeName}&sortOrder={ascending|descending}
   - Bulk create: POST /{v}/Bulk
   http://www.simplecloud.info/
52. The difference between authentication and single sign-on
   - Authentication: the process of proving that a user's identity is genuine by presenting credentials; representative protocol: FIDO (WebAuthn + CTAP)
   - Single Sign On: the process of propagating identity and authentication information across systems; representative protocols: Kerberos, SAML, OIDC
   Source: https://openid-foundation-japan.github.io/
53. The evolution of authentication methods
   - 1961: passwords appear, at MIT
   - 1983: IC card microcontroller
   - ????: credit cards with IC chips
   - 2000~: additional authentication codes sent by SMS or e-mail; additional authentication using TOTP; Active Directory authentication using smart cards; additional authentication using biometrics; Yubico founded
   - 2018: FIDO2
   https://en.wikipedia.org/wiki/Password
54. [Timeline] WebAuthn standardization: W3C Candidate Recommendation, W3C Proposed Recommendation, and finally W3C standard (only the month labels Jan, Feb, March, May and June survive in the extraction).
55. Passing job-function information: example for the frontend (SAML Assertion)

```xml
<AttributeStatement>
  <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
    <AttributeValue>xxxx-xxxx</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
    <AttributeValue>xxxx-xxxx</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
    <AttributeValue>Kengo Suzuki</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
    <AttributeValue>https://sts.windows.net/xxxx-xxxx/</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
    <AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
    <AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
    <AttributeValue>arn:aws:iam::1111:role/xxx-role,arn:aws:iam::1111:saml-provider/Azure</AttributeValue>
    <AttributeValue>arn:aws:iam::1111:role/xxx-role,arn:aws:iam::1111:saml-provider/Azure</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.microsoft.com/identity/claims/agegroup">
    <AttributeValue>3</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
    <AttributeValue>Suzuki</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <AttributeValue>[email protected]</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
    <AttributeValue>[email protected]</AttributeValue>
  </Attribute>
  <Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
    <AttributeValue>[email protected]</AttributeValue>
  </Attribute>
  <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
    <AttributeValue>arn:aws:iam::xxxxxxxx:role/xxx-role,arn:aws:iam::1111:saml-provider/Azure</AttributeValue>
    <AttributeValue>arn:aws:iam::xxxx:role/yyy-role,arn:aws:iam::1111:saml-provider/Azure</AttributeValue>
  </Attribute>
  <Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
    <AttributeValue>14400</AttributeValue>
  </Attribute>
</AttributeStatement>
```
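As an added example (not code from the deck), here is a Go parser for the AWS role attributes in an AttributeStatement like the one above: it extracts each "role ARN, provider ARN" pair and the RoleSessionName, and rejects any pair whose SAML provider ARN is not the one this AWS account actually federates with. It assumes the assertion's signature and conditions were already verified upstream; the `RoleMapping` type and the sample assertion in the test are constructed for this example.

```go
package main

import (
	"encoding/xml"
	"errors"
	"strings"
)

// attributeStatement matches the <AttributeStatement> above by local element
// names, so it works with or without a saml: namespace prefix.
type attributeStatement struct {
	Attributes []struct {
		Name   string   `xml:"Name,attr"`
		Values []string `xml:"AttributeValue"`
	} `xml:"Attribute"`
}

// Attribute names AWS reads from the assertion, as they appear on the slide.
const (
	roleAttr        = "https://aws.amazon.com/SAML/Attributes/Role"
	sessionNameAttr = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
)

// RoleMapping is one "role-arn,provider-arn" pair from the Role attribute
// (a type defined for this example).
type RoleMapping struct {
	RoleARN     string
	ProviderARN string
}

// ParseRoles extracts the AWS role pairs and the session name from an
// AttributeStatement. Every pair must name the SAML provider this account
// federates with; anything else fails the whole assertion rather than being
// skipped. Signature and condition checks are assumed to have happened first.
func ParseRoles(doc, expectedProvider string) ([]RoleMapping, string, error) {
	var st attributeStatement
	if err := xml.Unmarshal([]byte(doc), &st); err != nil {
		return nil, "", err
	}
	var roles []RoleMapping
	var session string
	for _, a := range st.Attributes {
		switch a.Name {
		case roleAttr:
			for _, v := range a.Values {
				parts := strings.Split(strings.TrimSpace(v), ",")
				if len(parts) != 2 {
					return nil, "", errors.New("malformed Role value: " + v)
				}
				if parts[1] != expectedProvider {
					return nil, "", errors.New("unexpected SAML provider: " + parts[1])
				}
				roles = append(roles, RoleMapping{RoleARN: parts[0], ProviderARN: parts[1]})
			}
		case sessionNameAttr:
			if len(a.Values) == 1 {
				session = strings.TrimSpace(a.Values[0])
			}
		}
	}
	if len(roles) == 0 || session == "" {
		return nil, "", errors.New("assertion carries no usable Role or RoleSessionName")
	}
	return roles, session, nil
}
```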
56. Passing job-function information: example for the frontend (OIDC ID Token)

```json
{
  "ver": "2.0",
  "iss": "https://login.microsoftonline.com/xxxxxx-xxxxx-xxxxx-xxxx/v2.0",
  "sub": "Axxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "aud": "xxxxxx-xxxxx-xxxxx-xxxx",
  "exp": 1536361411,
  "iat": 1536274711,
  "nbf": 1536274711,
  "name": "Kengo Suzuki",
  "preferred_username": "[email protected]",
  "oid": "xxxxxx-xxxxx-xxxxx-xxxx",
  "tid": "xxxxxx-xxxxx-xxxxx-xxxx",
  "nonce": "111111",
  "aio": "!eGbIDakyp5mnOrcdqHeYSnltepQmRp6AIZ8jY",
  "roles": "frontend"
}
```
57. Device configuration management
   - Configure according to standards and policy: installation of business apps and the CA; use of old apps; keeping the OS and apps current; disk encryption; changing the local admin password; forbidding weak passwords; locking or wiping lost devices
   - Collect configuration status and device metrics in near real time
   - Applied continuously, not only while on the corporate network
58. Data sources for the device inventory (BeyondCorp: Design to Deployment at Google)
59. Device inventory data sources
   - Asset management: a device DB of devices as "assets"; manages the hardware, the software running on it and licences; manages their lifecycle as well; sometimes run by general affairs or accounting
60. Device inventory data sources
   - Directory service: the same as the user and group DB; companies that use Windows already have Active Directory, so data is imported from there
61. Device inventory data sources
   - Network equipment: feeding in DHCP and ARP tables; network equipment often exists in a standalone state
62. Device inventory data sources
   - Vulnerability scanner: run Nessus, Nmap and the like periodically to check for vulnerabilities, and feed in the results
63. Device inventory data sources
   - CA: the trust anchor for the certificates embedded in devices; feeds in whether a certificate is valid
64. Device inventory data sources
   - Configuration management service: feeds in the configuration status of devices
65. Device inventory data sources
   - Patch management service: patch management for the OS and installed client apps; feeds in the application status
66. Device inventory data sources
   - (Meta) inventory service: a single inventory that ingests all of these data and correlates them
67. TPM endorsement key information (PowerShell)

```
PS C:\> Get-TpmEndorsementKeyInfo -Hash "Sha256"

IsPresent                : True
PublicKey                : System.Security.Cryptography.AsnEncodedData
PublicKeyHash            : 70769c52b6e24ef683693c2a0208da68d77e94192e1f4080ae7c9b97c6caa681
ManufacturerCertificates : {[Subject]
                             OID.2.23.133.2.3=1.2, OID.2.23.133.2.2=C4T8SOX3.5, OID.2.23.133.2.1=id:782F345A
                           [Issuer]
                             CN=Contoso TPM CA1, OU=Contoso Certification Authority, O=Contoso, C=KR
                           [Serial Number]
                             77A120A
                           [Not Before]
                             6/4/2012 6:35:58 PM
                           [Not After]
                             6/4/2022 6:35:57 PM
                           [Thumbprint]
                             77378D1480AB48FEA2D4E610B2C7EEF648FEA2
                           }
AdditionalCertificates   : {}
```
   Source: github.com/MicrosoftDocs/windows-powershell-docs (TrustedPlatformModule docset)
68. Device agents (UEM)
69. macOS and iOS
70. Certificate installation (screenshot censored)
71. Configuration management (example: daily rotation of the local admin password) (screenshot censored)
72. Local admin password rotation script (excerpt; censored)

```bash
####################################################################################################
# Decode API user Password
apiPass="$( decryptString "$apiEncryptedPass" "$saltAPI" "$passAPI" )"
if [ -z "$apiPass" ]; then
    scriptLogging "Failed to decrypt API user's password" 2
    exit 1
fi

####################################################################################################
# Retrieve LAPS user password from Extent Attribute
previousEncryptedPassword="$( retrievePassword "$apiUser" "$apiPass" "$HWUUID" "$extAttName" )"
if [ -n "$previousEncryptedPassword" ]; then
    scriptLogging "Retrieved previous password is $previousEncryptedPassword (encrypted)."
    retrievedPassword="$( decryptString "$previousEncryptedPassword" "$laSalt" "$laPass" )"
else
    scriptLogging "Could not get previous password. Try initial password for ${laUserName}."
    scriptLogging "Try to use initial password for ${laUserName}: $initialEncryptedPassForLadminUser (encrypted)."
    retrievedPassword="$( decryptString "$initialEncryptedPassForLadminUser" "$initLaSalt" "$initLaPass" )"
fi
if [ -z "$retrievedPassword" ]; then
    scriptLogging "Failed to decrypt previous password of $laUserName" 2
    exit 1
fi

####################################################################################################
# Check current password with Retrieved password
/usr/bin/dscl /Local/Default -authonly "$laUserName" "$retrievedPassword" 2> /dev/null
returnCode=$?
if [ "$returnCode" -eq 0 ]; then
    scriptLogging "Current password has match with Retrieved password."
else
    scriptLogging "Retrieved password for $laUserName is not match current password. dserr: $returnCode" 2
    exit $returnCode
fi

####################################################################################################
# Change password with new one.
newpassword="$( /usr/bin/openssl rand -base64 48 | /usr/bin/tr -d OoIi1lLS | /usr/bin/head -c 12 )"
changePassword "$laUserName" "$retrievedPassword" "$newpassword"

####################################################################################################
# Encrypt New Password
encryptedPassword="$( echo "$newpassword" | /usr/bin/openssl enc -aes256 -a -A -S "$laSalt" -k "$laPass" )"
if [ -n "$encryptedPassword" ]; then
    # If you want to log new password, remove ':' at start of next line.
    : scriptLogging "New password: $encryptedPassword (Encrypted)"
else
    scriptLogging "Failed to encrypt new password. Why?" 2
    scriptLogging "Roll back with previous one."
    changePassword "$laUserName" "$newpassword" "$retrievedPassword"
    exit 1
fi

####################################################################################################
# Update Extent Attribute with New Password
uploadPassword "$apiUser" "$apiPass" "$HWUUID" "$extAttName" "$encryptedPassword"
returnCode=$?
if [ "$returnCode" -ne 0 ]; then
    scriptLogging "Failed to upload." 2
    scriptLogging "Roll back with previous one."
    changePassword "$laUserName" "$newpassword" "$retrievedPassword"
    exit 1
fi
try="$( retrievePassword "$apiUser" "$apiPass" "$HWUUID" "$extAttName" )"
if [ "$try" = "$encryptedPassword" ]; then
    scriptLogging "Retrieve test passed."
    scriptLogging "Done."
    exit 0
else
    scriptLogging "Retrieve test failed. Get unexpected string." 2
    scriptLogging "Retrieved String: $try" 2
    scriptLogging "Expected String: $encryptedPassword" 2
    scriptLogging "Done in error." 2
    exit 1
fi
```
73. Patch management (example: keeping Chrome current) (screenshot censored)
74. Chrome auto-update script (excerpt)

```bash
shlogger "Mount dmg file: $dmgfile"
devfile="$( /usr/bin/hdiutil attach -nobrowse "${workdir}/${dmgfile}" | /usr/bin/grep Chrome | /usr/bin/awk '{print $1}' )"
check_result="$( checkapp "$dl_chromapp" "$developerid" )"
if [ "$check_result" = ok ]; then
    shlogger "Codesign check passed."
    runstate="$( /usr/bin/pgrep Chrome | /usr/bin/wc -l )"
    shlogger "Chrome run state: $runstate"
    if [ "$runstate" -ne 0 ]; then notification=yes ; fi
    tmpdir="/tmp/$( /usr/bin/uuidgen )"
    /bin/mkdir -m 755 "$tmpdir"
    /bin/mv "$CHROME" "$tmpdir"
    /bin/cp -af "$dl_chromapp" /Applications
    shlogger "Install Chrome into /Applications"
    /usr/bin/xattr -r -d com.apple.quarantine "$CHROME"
    shlogger "Remove com.apple.quarantine from $CHROME"
else
    shlogger "$check_result" 2
    shlogger "Codesign check failed." 2
fi
/usr/bin/hdiutil detach -quiet "$devfile"
rm -rf "$workdir"
shlogger "Show notification: $notification"
if [ "$notification" = yes ]; then
    show_notification "Google Chrome has updated!" "Restart Google Chrome now."
fi
shlogger "Done."
exit 0
```
75. Checking the installed Chrome version and setting the attribute

```bash
#!/bin/bash
RESULT="Not Installed"
CHROME="/Applications/Google Chrome.app"
if [ -e "$CHROME" ]; then
    installed_version="$( /usr/libexec/PlistBuddy -c "print CFBundleShortVersionString" "$CHROME/Contents/Info.plist" )"
    current_stable_version="$( /usr/bin/curl -s https://omahaproxy.appspot.com/all | /usr/bin/awk -F, '/mac,stable/ {print $3}' )"
    if [ "$installed_version" = "$current_stable_version" ]; then
        RESULT="UptoDate"
    else
        RESULT="Old"
    fi
fi
echo "<result>$RESULT</result>"
```
76. Windows and Android
77. Configuration management (screenshot censored)
78. Retrieving configuration information through the API: https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{deviceID}

```json
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#deviceManagement/managedDevices/$entity",
  "id": "xxxxx",
  "userId": "xxxxx",
  "deviceName": "xxxx",
  "managedDeviceOwnerType": "company",
  "enrolledDateTime": "2019-07-18T12:17:53.0413033Z",
  "lastSyncDateTime": "2019-08-15T02:34:53.7572148Z",
  "operatingSystem": "Windows",
  "complianceState": "compliant",
  "jailBroken": "Unknown",
  "managementAgent": "mdm",
  "osVersion": "10.0.18362.295",
  "easActivated": true,
  "easDeviceId": "xxxxx",
  "easActivationDateTime": "2019-07-18T12:25:05.2874123Z",
  "azureADRegistered": true,
  "deviceEnrollmentType": "windowsCoManagement",
  "activationLockBypassCode": null,
  "emailAddress": "[email protected]",
  "azureADDeviceId": "xxxxx",
  "deviceRegistrationState": "registered",
  "deviceCategoryDisplayName": "Windows",
  "isSupervised": false,
  "exchangeLastSuccessfulSyncDateTime": "0001-01-01T00:00:00Z",
  "exchangeAccessState": "none",
  "exchangeAccessStateReason": "none",
  "remoteAssistanceSessionUrl": "",
  "remoteAssistanceSessionErrorDetails": "",
  "isEncrypted": true,
  "userPrincipalName": "[email protected]",
  "model": "xxxxx",
  "manufacturer": "xxxxx",
  "imei": null,
  "complianceGracePeriodExpirationDateTime": "9999-12-31T23:59:59.9999999Z",
  "serialNumber": "xxxxx",
  "phoneNumber": null,
  "androidSecurityPatchLevel": null,
  "userDisplayName": "Kengo Suzuki",
  "wiFiMacAddress": "xxxxx",
  "deviceHealthAttestationState": null,
  "subscriberCarrier": "",
  "meid": "",
  "totalStorageSpaceInBytes": -1638924288,
  "freeStorageSpaceInBytes": -822083584,
  "managedDeviceName": "xxxx/18/2019_12:17 PM",
  "partnerReportedThreatState": "secured",
  "deviceActionResults": [],
  "configurationManagerClientEnabledFeatures": {
    "inventory": false,
    "modernApps": false,
    "resourceAccess": false,
    "deviceConfiguration": false,
    "compliancePolicy": false,
    "windowsUpdateForBusiness": false
  }
}
```
79. Patch management (Windows Defender) (screenshot censored)
80. Vulnerability scanning (Windows Defender) (screenshot censored)
81. Directory (Active Directory)
82. Network
83. Asset management tools
84. Overview of access control (the cast)
   - Access Proxy: accepts all HTTP/SSH requests
   - Access Control Engine (ACE): the policy engine that decides access control from multiple data sources
   - Trust Inference: the engine that computes trust scores for users and devices
   - Pipeline: the pipeline that feeds data to the ACE
   - Resource: the apps, services and infrastructure that are the subject of access control
85. Trust inference for users and devices (pseudocode from the slide, tidied into Go syntax)

```go
func userTrustInference(user, app interface{}) int {
	// isUserVulnerable(user)
	// isUserAccessingFromNewLocation(user)
	// hasTakenSecurityTraining(user)
	// isAppCritical(app)
	return userTrustTier(user, app)
}

func deviceTrustInference(device, app interface{}) int {
	// isDeviceVulnerable(device)
	// isDeviceLatest(device)
	// isBrowserLatest(device)
	// isDeviceManaged(device)
	// isDeviceEncrypted(device)
	// isDeviceActive(device)
	return deviceTrustTier(device, app)
}
```
86. Trust Inference: Azure AD Identity Protection
   - Measures user trust from the sign-in state
   - Measured from the sign-in event itself and from behaviour after sign-in; event example: a login attempt through Tor; behaviour example: impossible travel
   - Trust (the risk value) is classified as Low, Medium or High
   - Weakness: the basis on which the risk value is computed is hard to understand
87. SignInRiskEvent

```json
{
  "@odata.type": "#microsoft.graph.unfamiliarLocationRiskEvent",
  "id": "xxxx-xxxx",
  "riskEventStatus": "dismissedAsFixed",
  "riskLevel": "medium",
  "riskEventType": "UnfamiliarLocationRiskEvent",
  "riskEventDateTime": "2019-xx-xxT06:30:45",
  "closedDateTime": "2019-xx-xxT09:18:43",
  "createdDateTime": "2019-xx-xxT09:18:43",
  "userId": "xxxx-xxxx",
  "userDisplayName": "Kengo Suzuki",
  "userPrincipalName": "[email protected]",
  "ipAddress": "18.205.93.232",
  "location": {
    "city": "Ashburn",
    "state": "VA",
    "countryOrRegion": "United States",
    "geoCoordinates": {
      "latitude": 39.0437,
      "longitude": -77.4742
    }
  }
}
```
88. UserRisk

```json
{
  "id": "xxxx-Xxxx-xxxx",
  "isDeleted": null,
  "isGuest": null,
  "isProcessing": false,
  "riskLevel": "none",
  "riskState": "remediated",
  "riskDetail": "userPerformedSecuredPasswordReset",
  "riskLastUpdatedDateTime": "2018-xx-xxT01:33:06",
  "userDisplayName": "[email protected]",
  "userPrincipalName": null
}
```
89. DeviceRisk

```json
{
  "id": "xxxxx",
  "computerDnsName": "xxxxxxxxxxx",
  "firstSeen": "2019-xx-xxT09:18:43",
  "lastSeen": "2019-xx-xxT09:18:43",
  "osPlatform": "Windows10",
  "osVersion": "10.0.0.0",
  "lastIpAddress": "xxx.xxx.xxx.xxx",
  "lastExternalIpAddress": "xxx.xxx.xxx.xxx",
  "agentVersion": "10.5830.18209.1001",
  "osBuild": 18209,
  "healthStatus": "Active",
  "rbacGroupId": 140,
  "rbacGroupName": "The-A-Team",
  "riskScore": "Low",
  "isAadJoined": true,
  "aadDeviceId": "xxxx-xxxx",
  "machineTags": [ "test tag 1", "test tag 2" ]
}
```
90. Conditional access
   - A service that decides and enforces access control to cloud services on the basis of multiple conditions
   - Example conditions: the device's policy compliance status; the user's risk value; the type of client app; the cloud service being accessed; location
   https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
91. Conditional access example: allow managed devices only
   - Only managed devices that comply with policy may access
   - Managed devices: includes BYOD devices on which the profile has been installed
   - Compliant state: the disk is fully encrypted; the device's risk value is Low or below; the OS is at or above a specific version; a TPM is present; BIOS-level
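To make the trust-inference pseudocode of slides 43 and 85 and the managed-devices-only policy of slide 91 concrete, here is an added Go example (not code from the deck, nor from Google's BeyondCorp): it merges the Intune managedDevice record (slide 78) and the Defender device record (slide 89) for one device, derives device and user trust tiers, and lets a resource require a tier from both. The `DeviceSignals` struct, the tier values, the rules and the sample records in the test are this example's own assumptions; only the JSON field names come from the deck.

```go
package main

import (
	"encoding/json"
	"strconv"
	"strings"
)

// DeviceSignals is what the policy engine needs about one device. The JSON
// field names are those of the Intune managedDevice (slide 78) and Defender
// device (slide 89) records; the struct, tiers and rules are assumptions.
type DeviceSignals struct {
	ComplianceState string `json:"complianceState"`
	ManagementAgent string `json:"managementAgent"`
	OSVersion       string `json:"osVersion"`
	IsEncrypted     bool   `json:"isEncrypted"`
	RiskScore       string `json:"riskScore"` // Defender: "Low", "Medium", "High"
}

// Trust tiers: the deck's trust-inference functions return an int; here higher means more trust.
const (
	TierUntrusted = 0
	TierBasic     = 1
	TierManaged   = 2
	TierHigh      = 3
)

// Risk labels as used by Identity Protection (slide 88) and Defender (slide 89).
var riskRank = map[string]int{"none": 0, "low": 1, "medium": 2, "high": 3}

// osAtLeast compares dotted versions field by field as integers, so
// "10.0.18362.295" satisfies a minimum of "10.0.18362".
func osAtLeast(have, want string) bool {
	h, w := strings.Split(have, "."), strings.Split(want, ".")
	for i := range w {
		hv, wv := 0, 0
		if i < len(h) {
			hv, _ = strconv.Atoi(h[i])
		}
		wv, _ = strconv.Atoi(w[i])
		if hv != wv {
			return hv > wv
		}
	}
	return true
}

// DeviceTrustTier is deviceTrustInference made concrete: medium or higher
// risk zeroes the tier, an unmanaged or non-compliant device stays basic, and
// disk encryption plus a current OS earns the top tier.
func DeviceTrustTier(d DeviceSignals, minOS string) int {
	if riskRank[strings.ToLower(d.RiskScore)] >= riskRank["medium"] {
		return TierUntrusted
	}
	if d.ManagementAgent != "mdm" || d.ComplianceState != "compliant" {
		return TierBasic
	}
	if d.IsEncrypted && osAtLeast(d.OSVersion, minOS) {
		return TierHigh
	}
	return TierManaged
}

// UserTrustTier is userTrustInference: the user's risk level sets the tier,
// and a sign-in from an unfamiliar location costs one more.
func UserTrustTier(riskLevel string, fromNewLocation bool) int {
	tier := TierHigh - riskRank[strings.ToLower(riskLevel)]
	if fromNewLocation && tier > TierUntrusted {
		tier--
	}
	return tier
}

// AuthorizationDecision is slide 43's function with the score actually used:
// the resource declares the tier it requires from both the user and the device.
func AuthorizationDecision(userTier, deviceTier, required int) bool {
	return userTier >= required && deviceTier >= required
}

// Decide merges the Intune and Defender records for one device (a field present
// in both keeps the later, Defender, value) and applies a "managed, compliant
// devices only" policy of the kind on slide 91.
func Decide(intuneJSON, defenderJSON, userRiskLevel string, newLocation bool, minOS string, required int) (bool, error) {
	var d DeviceSignals
	for _, raw := range []string{intuneJSON, defenderJSON} {
		if err := json.Unmarshal([]byte(raw), &d); err != nil {
			return false, err
		}
	}
	return AuthorizationDecision(UserTrustTier(userRiskLevel, newLocation), DeviceTrustTier(d, minOS), required), nil
}
```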
92. Our fight has only just begun
   - Deciding the mission and agreeing it with management
   - Agreeing priorities with management
   - Incident response that lands out of nowhere (including other companies' incidents)
   - Securing budget for solutions
   - Integration with legacy peripheral systems
   - Committing to new products
   - (Finally...) implementation and operation
   - Hiring and team building
   - Etc, etc
93. So, you want to work in security?
   - There is no complete or standard curriculum
   - Get your hands dirty; there is nothing but practice
   - Do not neglect communication
   - There will be hard times and failures
   - Be an optimist
   - Ask for help
   - Share knowledge
   Original: "So, you want to work in security?"; Japanese translation: "The mindset for people who want to make a living in security"