Protection of Human Subjects of Research
https://www.hhs.gov/ohrp/sites/default/files/the-belmont-report-508c_FINAL.pdf
Three ethical principles:
Respect for Persons … respect for the individual (respect for the person's own free will)
Beneficence … benefit (to society as a whole)
Justice … fairness (equal and equitable treatment)
11/10/2018 7
Technology Research
https://www.dhs.gov/sites/default/files/publications/CSD-MenloPrinciplesCORE-20120803_1.pdf
Ethical principle (added on top of the Belmont Report):
Respect for Law and Public Interest … compliance with the law and respect for the public interest
Responsible Disclosure (accountability) and transparency of evaluation and execution procedures
Full Disclosure is the basis
The first half of the 2000s:
Responsible Disclosure / Coordinated Disclosure are mainstream
The discovery of vulnerabilities was used as a marketing tool
Rapid development of the analysis environment
After the late 2000s:
The rise of bug bounty programs
High cost of vulnerability discovery
The rise of underground business
Disclosure / Coordinated Disclosure are still mainstream
Security vendors are not proactively looking for vulnerabilities
They are correcting vulnerabilities without reporting them
There is almost no reason to take the risk of receiving social criticism through vulnerability disclosure
Security researchers cannot wait until the vendor responds, and disclose the vulnerability information themselves
illegal gaps vary by country and region
Categories (White / Black / Gray) compared for outside Japan and for Japan
Japan:
Low level of understanding on the part of state authorities
Chilling effect due to unjust or wrongful arrests
The real threat revealed by the cyber attacks on Ukraine
https://blogs.mcafee.jp/post-748a
The BlackEnergy Trojan, now even more powerful: behind the cyber attack on Ukraine's power system
https://blogs.mcafee.jp/blackenergy-cb6d
Was it really "an attack from Russia targeting Ukraine"? - THE ZERO/ONE
https://the01.jp/p0005386/
TeleBots are back: supply-chain attacks against Ukraine
https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/
Petya: "I Want To Believe" | News from the Lab
https://labsblog.f-secure.com/2017/06/29/petya-i-want-to-believe/
"Industroyer": the malware posing one of the greatest threats to industrial control systems
https://eset-info.canon-its.jp/malware_info/trend/detail/170620.html
New TeleBots backdoor links Industroyer to NotPetya for first time
https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/
New ICS Attack Framework "TRITON" and Cause Operational Disruption to Critical Infrastructure | FireEye Inc
https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html
The threat of malware targeting industrial plants, its methods revealed: the reality of the approaching "infrastructure crisis"
https://wired.jp/2018/02/22/triton-malware/
Russia Linked to Triton Industrial Control Malware | WIRED
https://www.wired.com/story/triton-malware-russia-industrial-controls/
One Year After Triton: Building Ongoing, Industry-Wide Cyber Resilience
https://blog.schneider-electric.com/cyber-security/2018/08/07/one-year-after-triton-building-ongoing-industry-wide-cyber-resilience/
Triton Malware Spearheads Latest Generation of Attacks on Industrial Systems
https://securingtomorrow.mcafee.com/mcafee-labs/triton-malware-spearheads-latest-generation-of-attacks-on-industrial-systems/
The Top 20 Cyber Attacks Against Industrial Control Systems
https://ics-cert.us-cert.gov/sites/default/files/ICSJWG-Archive/QNL_DEC_17/Waterfall_top-20-attacks-article-d2%20-%20Article_S508NC.pdf
etc.
※TRITON: malware, or a series of attack campaigns, targeting Schneider Electric's Triconex Safety Instrumented System (SIS) controllers