Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Real World Internet Security: Rakuten Fights Against Cybercrime
Search
OWASP Japan
March 11, 2017
0
200
Real World Internet Security: Rakuten Fights Against Cybercrime
3/11にラック社において開催されたOWASP Dayにおける楽天福本さんからの発表資料です
OWASP Japan
March 11, 2017
Tweet
Share
More Decks by OWASP Japan
See All by OWASP Japan
OWASP Night 2019.03 Tokyo
owaspjapan
0
300
OWASP SAMMを活用したセキュア開発の推進
owaspjapan
0
830
20190107_AbuseCaseCheatSheet
owaspjapan
0
150
セキュリティ要求定義で使える非機能要求グレードとASVS
owaspjapan
5
770
AWSクラスタに捧ぐウェブを衛っていく方法論と死なない程度の修羅場の価値
owaspjapan
9
2.9k
Shifting Left Like a Boss
owaspjapan
2
270
OWASP Top 10 and Your Web Apps
owaspjapan
2
360
OWASP Japan Proposal: Encouraging Japanese Translation
owaspjapan
1
200
elegance_of_OWASP_Top10_2017
owaspjapan
2
480
Featured
See All Featured
Being A Developer After 40
akosma
57
580k
jQuery: Nuts, Bolts and Bling
dougneiner
59
7.1k
Side Projects
sachag
451
41k
What's in a price? How to price your products and services
michaelherold
237
11k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
227
16k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
125
32k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
34
8.9k
Product Roadmaps are Hard
iamctodd
44
9.7k
BBQ
matthewcrist
80
8.8k
Fantastic passwords and where to find them - at NoRuKo
philnash
37
2.5k
A designer walks into a library…
pauljervisheath
200
23k
Optimising Largest Contentful Paint
csswizardry
8
2.4k
Transcript
Real World Internet Security: Rakuten Fights Against Cybercrime Rakuten, Inc
Tech & Div : Jack Fukumoto 2017/03/11
About Rakuten
Global Rakuten
Case Studies of Cyber Attacks in Rakuten
1. Taiwan Ichiba Persistent Phishing Attack ‘rakuten’ ‘rakutens’ Real Fake
Browser based phishing protection Input phishing URLs into the APWG
database. Some browser vendors blocked the phishing sites on the browser.
2. Case study of Man in the Browser Malware Login
form was overwritten by the malware in order to get cards credentials.
3. DDoS Attacks
4. Massive Login Attacks
ID Hacking Tools Criminals are buying attacking tools on the
“Dark net”. The tools are customized to attack specifically Rakuten IDs. Distributed at the underground site.
Security Measures of Rakuten
Global Security Team 70 members from 13 countries
Security Countermeasures Response Incident Handing, Forensic, Malware Analysis Monitoring SOC
Operations Vulnerability Advisory, Regular Scanning Secure Development Static Analysis, Coding Guide Security Guidelines Dynamic Scan, Security Audit Security Review, Consulting Design Requirements Verification Implementation Training Secure Coding, Security Operations Training Security Operations
Security Countermeasures Response Incident Handing, Forensic, Malware Analysis Monitoring SOC
Operations Vulnerability Advisory, Regular Scanning Static Analysis, Coding Guide Security Guidelines Dynamic Scan, Security Audit Security Review, Consulting Design Requirements Verification Implementation Training Secure Coding, Security Operations Training Security Operations Secure Development
Training : Secure Coding Training No Training 2003 Criteria for
risk evaluation 5 :Critical 4 :High 3 :Middle 2 :Low 1 :No problem 2005 2008 20% reduction of additional audit cost Improved
Verification : Security Audit (In-house) Vulnerability Assessment/Penetration Testing targeting web,
mobile, servers. Pre-release Audit • Before the release of application • Developers needs to fix it before release Annual Regular Audit • Like the recent health check Security Due Diligence • Security status evaluation prior to acquisition
Security Countermeasures Response Incident Handing, Forensic, Malware Analysis Monitoring SOC
Operations Vulnerability Advisory, Regular Scanning Secure Development Static Analysis, Coding Guide Security Guidelines Dynamic Scan, Security Audit Security Review, Consulting Design Requirements Verification Implementation Training Secure Coding, Security Operations Training Security Operations
Response : Rakuten-CERT (Established in 2007)
OWASP: Contributing Corporate Members
None