[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" International Panel Discussion (4)
Introduction of the Information Security
Early Warning Partnership
October 28, 2022
Information-technology Promotion Agency, Japan
Security Center
Vulnerability Countermeasures Group, Security Promotion Dept.
Hiroyuki Itabashi
Information Security Early Warning Partnership (Vulnerability Reporting System) - About the System (1)

What is the Information Security Partnership?

The system is based on the Ministry of Economy, Trade and Industry's public notice "Regulations for Handling Vulnerability-Related Information on Software Products, etc.", whose objective is stated as follows.

Objective:
The purpose of these rules is to prevent damage caused by computer viruses, unauthorized computer access, etc. to unspecified persons or large numbers of persons, to take countermeasures against such damage, and to contribute to the realization of a society in which citizens can live safely and securely, by defining recommended acts for those who handle vulnerability-related information on software products, etc., in order to ensure cybersecurity. Through the appropriate distribution of such information, the rules aim to improve the vitality and sustainable development of the economy and society, and to contribute to the realization of a society in which citizens can live safely and with peace of mind.
Information Security Early Warning Partnership (Vulnerability Reporting System) - About the System (2)

What is the Information Security Partnership Guideline?

■ Origin of the System
The "Information Security Early Warning Partnership Guideline" is a compilation of recommended actions to be taken by the concerned parties in order to realize the appropriate distribution of vulnerability-related information (*), based on the aforementioned public notice. Specifically, the Guideline describes the process of addressing vulnerabilities in cooperation with the discoverers of vulnerability-related information, software product developers, and website operators, with the Information-technology Promotion Agency, Japan (IPA) acting as the receiving organization and the JPCERT Coordination Center (JPCERT/CC), a general incorporated association, acting as the coordinating organization.
(*) Vulnerability-related information refers to any of the following: vulnerability information (the nature and characteristics of the vulnerability), verification methods, and attack methods.

■ Scope of Application
The Guideline covers vulnerabilities that may affect a large number of people; specifically, software products widely used in Japan and web applications running on websites presumed to be accessed primarily from Japan (for example, websites written in Japanese, or URLs under the "jp" domain).
4
The parties and benefits of the "Information Security
Partnership Guide Line" are as follows
Relevant
Parties
Advantages of Information Security Early Warning Partnership
Discoverer • Can prompt software developers and website operators to take
countermeasures against vulnerabilities through a public entity.
• May be publicly credited on a document when the vulnerability
countermeasure is published.
Product
Developers
• Can learn about non-public vulnerabilities that may affect their own products.
• Can make users publicly aware of how to address vulnerabilities.
• Can demonstrate that they are seriously engaged in addressing vulnerabilities.
Website
operators
• Can address their websites before the existence of a vulnerability becomes
widely known.
• Can check for and address previously unnoticed vulnerabilities.
• Can improve user safety on their websites.
Information Security Early Warning Partnership (Vulnerability
Reporting System)
-About the System (3)
Security problems in software products, web applications, etc., where unauthorized computer
access, computer viruses, or other attacks can impair their functionality and performance.
vulnerability
Information Security Early Warning Partnership (Vulnerability Reporting System) - Operational Structure, etc.

Vulnerability Information Distribution Framework

[Diagram; only the labels recovered from the figure are listed below.]
• Discoverers (companies and individuals) submit vulnerability reports for software and other products and for websites.
• IPA receives and analyzes the vulnerability reports, with AIST supporting the analysis, and passes on software product reports to JPCERT/CC; for websites, IPA notifies the website operator of the vulnerability information.
• JPCERT/CC verifies the reports, determines the announcement date, coordinates with software developers, system integrators and overseas agencies, aggregates the vulnerability handling situation and arranges announcement dates.
• Announcement of countermeasures reaches users through the Vulnerability Information Portal Site.
• Website operators verify and implement countermeasures; an announcement is made in an incident involving personal information disclosure.
• Government also appears in the figure, alongside the label "Vulnerability reports".
IPA: Information-technology Promotion Agency, Japan; JPCERT/CC: Japan Computer Emergency Response Team Coordination Center; AIST: National Institute of Advanced Industrial Science and Technology
Information Security Early Warning Partnership (Vulnerability Reporting System) - Operational Status (1)

■ Japanese version: https://www.ipa.go.jp/security/vuln/report/vuln2022q2.html
■ English version: https://www.ipa.go.jp/files/000100344.pdf

Operation Status of the Information Security Partnership (Number of Notifications Received: End of December 2021)
[Chart reconstructed as a table: annual number of notifications for software products and websites, and the cumulative number reported.]

Year   Software Products   Websites   Cumulative
2004          33               140          173
2005         112               294          579
2006         288               315        1,182
2007         197               374        1,753
2008         231             2,391        4,375
2009         154             1,446        5,975
2010         128               379        6,482
2011         141               691        7,314
2012         185               671        8,170
2013         271               884        9,325
2014         209             1,118       10,652
2015         442               413       11,507
2016       1,045               370       12,922
2017         462               142       13,526
2018         326               238       14,090
2019         232               905       15,227
2020         244               754       16,225
2021         309               605       17,139
Information Security Early Warning Partnership (Vulnerability Reporting System) - Operational Status (2)

Q2 2022 number of vulnerability reports

Classification       This quarter   Cumulative total
Software Products      75 cases        5,157 cases
Websites               88 cases       12,308 cases
Total                 163 cases       17,465 cases

Q2 2022 number of corrections completed (JVN announced)

Classification       This quarter   Cumulative total
Software Products      27 cases        2,417 cases
Websites               29 cases        8,290 cases
Total                  56 cases       10,707 cases

For the last three years there has been no significant change in the number of software product filings, but the number of website filings has been declining since 2021.

Quarterly number of vulnerability reports
[Chart reconstructed as a table: quarterly number reported and cumulative number reported, for software products and websites.]

Quarter   Software Products   Websites   Cumulative (Software Products)   Cumulative (Websites)
3Q 2019          61               284               4,389                      10,666
4Q 2019          67               105               4,456                      10,771
1Q 2020          61               200               4,517                      10,971
2Q 2020          52               136               4,569                      11,107
3Q 2020          58               188               4,627                      11,295
4Q 2020          73               230               4,700                      11,525
1Q 2021          71               180               4,771                      11,705
2Q 2021          80               223               4,851                      11,928
3Q 2021          93               109               4,944                      12,037
4Q 2021          63                85               5,007                      12,122
1Q 2022          75                98               5,082                      12,220
2Q 2022          75                88               5,157                      12,308

Number of software product vulnerability countermeasure information released
[Chart reconstructed as a table: quarterly number and cumulative number, by source of the report.]

Quarter   Reported from domestic and foreign finder   Contact from an overseas CSIRT   Cumulative (finder)   Cumulative (overseas CSIRT)
3Q 2019                  16                                       22                          1,732                  1,711
4Q 2019                  17                                       30                          1,749                  1,741
1Q 2020                  30                                       30                          1,779                  1,771
2Q 2020                  19                                       73                          1,798                  1,844
3Q 2020                  22                                       75                          1,820                  1,919
4Q 2020                  20                                       69                          1,840                  1,988
1Q 2021                  35                                       75                          1,875                  2,063
2Q 2021                  32                                       85                          1,907                  2,148
3Q 2021                  27                                       73                          1,934                  2,221
4Q 2021                  22                                       92                          1,956                  2,313
1Q 2022                  25                                       58                          1,981                  2,371
2Q 2022                  24                                       97                          2,005                  2,468
Information Security Early Warning Partnership (Vulnerability Reporting System) - Operational Status (3)

Reporting Software Products: Handling Status
[Bar chart reconstructed. Total 5,157 notifications; 4,651 excluding Not Accepted.]
• Publicized: 2,417
• Handling: 2,087
• Vendor-Handled: 40
• Non Vulnerability: 107
• Not Accepted: 506
Situation: 40% of all filings are still being handled.

Reporting Website: Handling Status
[Bar chart reconstructed. Total 12,308 notifications; 12,023 excluding Not Accepted.]
• Fixed: 8,290
• Security Alert: 1,130
• Handling: 1,662
• Unable to Handle: 231
• Non Vulnerability: 710
• Not Accepted: 285
Situation: The number of terminated cases was 86% of all notifications, a higher percentage of terminations than for software products.
Information Security Early Warning Partnership (Vulnerability Reporting System) - Operation Status (4)

■ Type of reported product
• The majority of notifications concern "Web Application" and "Router" products.
• Notifications for "applications for smartphones" have also increased.
■ Impact of reported vulnerabilities
• The majority of notifications concern "Execution of arbitrary scripts," "Execution of arbitrary commands," and "Leakage of information."

Software Products: Number of Notifications by Product Type
[Pie chart reconstructed.]
• Web Application: 43%
• Routers: 9%
• Smartphone Application: 8%
• Groupware: 5%
• Development/Runtime: 4%
• Smart home appliance: 4%
• Web Browser: 3%
• File Management Software: 2%
• System Adm. Software: 2%
• OS: 2%
• Misc.: 18%

Software Products: Number of Notifications by Impact
[Pie chart reconstructed; the labels of the smallest segments were not recovered.]
• Run arbitrary scripts: 35%
• Execute arbitrary command: 12%
• Information leak: 10%
• Spoofing: 8%
• Execution of arbitrary code: 8%
• Access restriction bypass: 5%
• Three further categories (labels not recovered): 4%, 4%, 3%
• Remaining segment (label not recovered): 11%
Information Security Early Warning Partnership (Vulnerability Reporting System) - Operation Status (5)

■ Type of reported vulnerability
• The majority of notifications are for "Cross Site Scripting."
• Together with "Incomplete configuration of DNS information" and "SQL injection", these three types account for 80% of the notifications.
■ Impact of reported vulnerabilities
• The majority of reports are for "Display of false information on a genuine website."

Website: Number of Notifications by Type of Vulnerability
[Pie chart reconstructed.]
• Cross-site Scripting: 58%
• Lame DNS zone (incomplete configuration of DNS information): 11%
• SQL injection: 11%
• Unintended file disclosure: 4%
• Directory Traversal: 2%
• Inadvisable HTTPS handling: 2%
• Misc.: 12%

Website: Number of Reports by Impact
[Pie chart reconstructed; the label of the smallest segment was not recovered.]
• Display a phony web page on the legitimate website: 57%
• Falsify and/or delete data: 12%
• Insert domain information: 11%
• Leakage of files in the server: 4%
• Leakage of personal information: 4%
• Spoofing: 3%
• Leakage of cookie information: 2%
• Remaining segment (label not recovered): 7%
Information Security Early Warning Partnership (Vulnerability Reporting System) - Challenges in Operation (1)

Reporting Software Products
■ Time-consuming for developers to respond to vulnerabilities
The range of software products being reported has expanded (smartphone apps, control software, etc.), and so has the range of vulnerabilities. Even when the product developer is contacted with the vulnerability information, the developer may not be able to investigate it (for example, because there are many types of target products), or it may not be possible to provide the information to the product developer at all. In some cases, taking action therefore takes time.
■ Losing contact with the developer in the middle of coordination
A wide variety of software products are reported, including software created by individual product developers, and even after vulnerability information has been reported to the product developer, the developer may become unreachable during the coordination process.
■ Negative attitude toward the publication of vulnerability countermeasure information
Because product users perceive the public disclosure of vulnerability information as meaning that a software product has many vulnerabilities (i.e., is of poor quality), a climate of proactive disclosure of vulnerability information has not developed.
Information Security Early Warning Partnership (Vulnerability Reporting System) - Challenges in Operation (2)

Reporting Website
■ Time-consuming to contact the website operator
For reported websites, the contact information of the website operator has to be investigated before the operator can be contacted with the vulnerability information. Since the website does not clearly indicate a contact person (a security-related contact), we investigate the contact information ourselves, and it takes time to reach the right contacts.
■ Vulnerability response takes time
The actual operators of reported websites vary widely (from large corporations to individuals), and even once the website operator has been notified of the vulnerability, it may take some time for the operator to investigate the vulnerability information (due to a lack of countermeasure personnel, etc.) and take countermeasures.
Information Security Early Warning Partnership (Vulnerability Reporting System) - Measures to Address Operational Issues

Reporting Software Products
■ Recognizing product developers who are proactive in taking vulnerability countermeasures
The system will also consider a mechanism to evaluate product developers who proactively take vulnerability countermeasures and disclose vulnerability countermeasure information for reported software product vulnerabilities.
■ Spreading the word about the need for vulnerability countermeasures to product developers
Continue to provide educational materials on the necessity of vulnerability countermeasures to software developers, with the cooperation of related organizations.

Reporting Website
■ Dissemination of clear contact information for website vulnerability information, etc.
The "Establishment of a Security Contact Point" is available to website operators, and we will continue to disseminate it and raise awareness.
■ Spreading the word about the need for vulnerability countermeasures to website operators
We will continue to disseminate educational materials and videos to website operators to raise awareness of the need for vulnerability countermeasures.

[cb22] What I learned from the direct confrontation with the adversaries who ...
 

Recently uploaded

Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
OECD Directorate for Financial and Enterprise Affairs
 
International Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software TestingInternational Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software Testing
Sebastiano Panichella
 
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdfBonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
khadija278284
 
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Sebastiano Panichella
 
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
0x01 - Newton's Third Law:  Static vs. Dynamic Abusers0x01 - Newton's Third Law:  Static vs. Dynamic Abusers
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
OWASP Beja
 
Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...
Sebastiano Panichella
 
Acorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutesAcorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutes
IP ServerOne
 
Eureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 PresentationEureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 Presentation
Access Innovations, Inc.
 
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptxsomanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
Howard Spence
 
Bitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXOBitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXO
Matjaž Lipuš
 
Obesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditionsObesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditions
Faculty of Medicine And Health Sciences
 
Getting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control TowerGetting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control Tower
Vladimir Samoylov
 
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Orkestra
 

Recently uploaded (13)

Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
 
International Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software TestingInternational Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software Testing
 
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdfBonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
 
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
 
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
0x01 - Newton's Third Law:  Static vs. Dynamic Abusers0x01 - Newton's Third Law:  Static vs. Dynamic Abusers
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
 
Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...
 
Acorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutesAcorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutes
 
Eureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 PresentationEureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 Presentation
 
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptxsomanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
 
Bitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXOBitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXO
 
Obesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditionsObesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditions
 
Getting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control TowerGetting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control Tower
 
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
 

[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" International Panel Discussion (4) by Hiroyuki Itabashi

  • 1. Introduction of the Information Security Early Warning Partnership
    October 28, 2022
    Information-technology Promotion Agency, Japan
    Security Center
    Vulnerability Countermeasures Group, Security Promotion Dept.
    Hiroyuki Itabashi
  • 2. What is the Information Security Partnership?
    Information Security Early Warning Partnership (Vulnerability Reporting System) - About the System (1)
    The system is stipulated by the Ministry of Economy, Trade and Industry's "Regulations for Handling Vulnerability-Related Information on Software Products, etc.".
    Objective: The purpose of these rules is to prevent damage caused by computer viruses, unauthorized computer access, etc. to unspecified persons or large numbers of persons, to take countermeasures against such damage, and to contribute to the realization of a society in which citizens can live safely and securely, by defining recommended acts for those who handle vulnerability-related information of software products, etc., in order to ensure cybersecurity. The rules further aim to promote the appropriate distribution of information, to improve the vitality and sustainable development of the economy and society, and to contribute to the realization of a society in which citizens can live safely and with peace of mind.
  • 3. What is the Information Security Partnership Guideline?
    Information Security Early Warning Partnership (Vulnerability Reporting System) - About the System (2)
    ■ Origin of the System
    The "Information Security Early Warning Partnership Guideline" is a compilation of recommended actions to be taken by the concerned parties in order to realize the appropriate distribution of vulnerability-related information (*), based on the aforementioned public notice. Specifically, the Guideline describes the process of addressing vulnerabilities in cooperation with the discoverers of vulnerability-related information, software product developers, and website operators, with the Information-technology Promotion Agency, Japan, acting as the receiving organization, and the JPCERT Coordination Center, a general incorporated association, acting as the coordinating organization.
    (*) Vulnerability-related information refers to any of the following: vulnerability information (the nature and characteristics of the vulnerability), verification methods, and attack methods.
    ■ Scope of Application
    The Guideline covers vulnerabilities that may affect a large number of people; specifically, software products widely used in Japan and web applications that run on websites presumed to be accessed primarily from Japan (for example, websites written in Japanese, URLs that use the "jp" domain, and so on).
  • 4. The parties to the "Information Security Partnership Guideline" and the benefits to each are as follows.
    Information Security Early Warning Partnership (Vulnerability Reporting System) - About the System (3)
    Relevant Parties and Advantages of the Information Security Early Warning Partnership:
    Discoverer
    • Can prompt software developers and website operators to take countermeasures against vulnerabilities through a public entity.
    • May be publicly credited in the document published when the vulnerability countermeasure is announced.
    Product Developers
    • Can learn about non-public vulnerabilities that may affect their own products.
    • Can make users publicly aware of how to address vulnerabilities.
    • Can demonstrate that they are seriously engaged in addressing vulnerabilities.
    Website operators
    • Can address their websites before the existence of a vulnerability becomes widely known.
    • Can check for and address previously unnoticed vulnerabilities.
    • Can improve user safety on their websites.
  • 5. Information Security Early Warning Partnership (Vulnerability Reporting System) - Operational Structure, etc.
    Vulnerability: security problems in software products, web applications, etc., where unauthorized computer access, computer viruses, or other attacks can impair their functionality and performance.
    Vulnerability Information Distribution Framework (diagram; only its labels are recoverable from the slide text):
    • Discoverers (companies, individuals): discover vulnerabilities and submit vulnerability reports for software and other products and for websites.
    • IPA (receiving organization): receives and analyzes vulnerability reports, verifies them, and passes them on; AIST supports the analysis.
    • JPCERT/CC (coordinating organization): determines the announcement date and coordinates with developers and overseas agencies; notifies software developers and system integrators of vulnerability information; aggregates the vulnerability handling situation and arranges announcement dates.
    • Software developers, system integrators: announce countermeasures, which reach users via the vulnerability information portal site.
    • Website operators: verify website vulnerabilities and implement countermeasures; incidents involving personal information disclosure are announced to the Government.
    • Security promotion: realizing security measures, distribution, and others.
    IPA: Information-technology Promotion Agency, Japan; JPCERT/CC: Japan Computer Emergency Response Team Coordination Center; AIST: National Institute of Advanced Industrial Science and Technology
  • 6. Information Security Early Warning Partnership (Vulnerability Reporting System) - Operational Status (1)
    ■ Japanese version: https://www.ipa.go.jp/security/vuln/report/vuln2022q2.html
    ■ English version: https://www.ipa.go.jp/files/000100344.pdf
    Operation Status of the Information Security Partnership (Number of Notifications Received: End of December 2021)
    Annually reported number by year (Software Products, Websites) and cumulative number reported:
    Year   Software Products   Websites   Cumulative
    2004        33                140          173
    2005       112                294          579
    2006       288                315        1,182
    2007       197                374        1,753
    2008       231              2,391        4,375
    2009       154              1,446        5,975
    2010       128                379        6,482
    2011       141                691        7,314
    2012       185                671        8,170
    2013       271                884        9,325
    2014       209              1,118       10,652
    2015       442                413       11,507
    2016     1,045                370       12,922
    2017       462                142       13,526
    2018       326                238       14,090
    2019       232                905       15,227
    2020       244                754       16,225
    2021       309                605       17,139
  • 7. Information Security Early Warning Partnership (Vulnerability Reporting System) - Operational Status (2)
    Q2 2022 Number of vulnerability reports
    Classification       This quarter   Cumulative total
    Software Products    75 cases       5,157 cases
    Website              88 cases       12,308 cases
    Total                163 cases      17,465 cases
    Q2 2022 Number of corrections completed (JVN announced)
    Classification       This quarter   Cumulative total
    Software Products    27 cases       2,417 cases
    Website              29 cases       8,290 cases
    Total                56 cases       10,707 cases
    For the last three years there has been no significant change in the number of software filings, but the number of website filings has been declining since 2021.
    Quarterly number of vulnerability reports (quarterly number and cumulative number reported):
    Quarter    Software   Websites   Cumulative Software   Cumulative Websites
    3Q 2019       61        284           4,389                10,666
    4Q 2019       67        105           4,456                10,771
    1Q 2020       61        200           4,517                10,971
    2Q 2020       52        136           4,569                11,107
    3Q 2020       58        188           4,627                11,295
    4Q 2020       73        230           4,700                11,525
    1Q 2021       71        180           4,771                11,705
    2Q 2021       80        223           4,851                11,928
    3Q 2021       93        109           4,944                12,037
    4Q 2021       63         85           5,007                12,122
    1Q 2022       75         98           5,082                12,220
    2Q 2022       75         88           5,157                12,308
    Number of software product vulnerability countermeasure information released (quarterly number and cumulative number; the two series are listed in the order of the chart legend: "Reported from domestic and foreign finder" and "Contact from an overseas CSIRT"):
    Quarter    Finder   Overseas CSIRT   Cumulative Finder   Cumulative Overseas CSIRT
    3Q 2019      16          22               1,732                 1,711
    4Q 2019      17          30               1,749                 1,741
    1Q 2020      30          30               1,779                 1,771
    2Q 2020      19          73               1,798                 1,844
    3Q 2020      22          75               1,820                 1,919
    4Q 2020      20          69               1,840                 1,988
    1Q 2021      35          75               1,875                 2,063
    2Q 2021      32          85               1,907                 2,148
    3Q 2021      27          73               1,934                 2,221
    4Q 2021      22          92               1,956                 2,313
    1Q 2022      25          58               1,981                 2,371
    2Q 2022      24          97               2,005                 2,468
  • 8. Information Security Early Warning Partnership (Vulnerability Reporting System) - Operational Status (3)
    Reporting Software Products: Handling Status (Total 5,157)
    • Publicized: 2,417
    • Handling: 2,087
    • Not Accepted: 506
    • Non Vulnerability: 107
    • Vendor-Handled: 40
    Situation: 40% of all filings are still being handled.
    Reporting Website: Handling Status (Total 12,308)
    • Fixed: 8,290
    • Handling: 1,662
    • Security Alert: 1,130
    • Non Vulnerability: 710
    • Not Accepted: 285
    • Unable to Handle: 231
    Situation: Terminated cases were 86% of all notifications, a higher percentage of terminations than for software products.
  • 9. Information Security Early Warning Partnership (Vulnerability Reporting System) - Operational Status (4)
    ■ Type of product reported
    • The majority of notifications concern "Web Application" and "Router".
    • Notifications for "applications for smartphones" also increased.
    ■ Impact on the reported products
    • The majority of notifications concern "Execution of arbitrary scripts", "Execution of arbitrary commands", and "Leakage of information".
    Software Products: Number of Notifications by Product Type
    • Web Application: 43%
    • Routers: 9%
    • Smartphone Application: 8%
    • Groupware: 5%
    • Development/Runtime: 4%
    • Smart home appliance: 4%
    • Web Browser: 3%
    • File Management Software: 2%
    • System Adm. Software: 2%
    • OS: 2%
    • Misc.: 18%
    Software Products: Number of Notifications by Impact
    • Run arbitrary scripts: 35%
    • Execute arbitrary command: 12%
    • Information leak: 10%
    • Spoofing: 8%
    • Execution of arbitrary code: 8%
    • Access Restriction Bypass: 5%
    • Remaining categories (labels not recoverable from the slide text): 4%, 4%, 3%, 11%
  • 10. Information Security Early Warning Partnership (Vulnerability Reporting System) - Operation Status (5)
    ■ Type of vulnerability reported
    • "Cross Site Scripting" accounts for the majority of notifications.
    • Together with "Incomplete configuration of DNS information" and "SQL injection", these make up 80% of the notifications.
    ■ Impact on the reported websites
    • The majority of reports concern "Display of false information on a genuine website".
    Website: Number of notifications by type of vulnerability
    • Cross-site Scripting: 58%
    • Lamed DNS zone: 11%
    • SQL injection: 11%
    • Unintended file disclosure: 4%
    • Directory Traversal: 2%
    • Inadvisable HTTPS handling: 2%
    • Misc.: 12%
    Website: Number of reports by impact
    • Display a phony web page on the legitimate website: 57%
    • Falsify and/or delete data: 12%
    • Insert domain information: 11%
    • Leakage of files in the server: 4%
    • Leakage of personal information: 4%
    • Spoofing: 3%
    • Leakage of cookie information: 2%
    • Remaining category (label not recoverable from the slide text): 7%
  • 11. Information Security Early Warning Partnership (Vulnerability Reporting System) - Challenges in Operation (1)
    Reporting Software Products
    ■ Time-consuming for developers to respond to vulnerabilities
    The range of software products reported has expanded (smartphone apps, control software, etc.). Even when the product developer is contacted with the vulnerability information, the developer may not be able to investigate it (for example, because of the many types of target products), or the information may not reach the developer at all. In some cases it therefore takes time before action is taken.
    ■ Losing contact with the developer in the middle of coordination
    A wide variety of software products are reported, including products created by individual developers, and even after vulnerability information has been reported to the product developer, the developer may become unreachable during the coordination process.
    ■ Negative attitude toward the publication of vulnerability countermeasure information
    Because product users perceive the public disclosure of vulnerability information to mean that a software product has many vulnerabilities (i.e., is of poor quality), the situation has not fostered a climate of proactive disclosure of vulnerability information.
  • 12. Information Security Early Warning Partnership (Vulnerability Reporting System) - Challenges in Operation (2)
    Reporting Website
    ■ Time-consuming to contact the website operator
    For reported websites, the contact information of the website operator has to be investigated before the operator can be contacted with the vulnerability information. Since websites rarely indicate a clear contact person (a security-related contact), we investigate the contact information ourselves, and it takes time to reach the right contacts.
    ■ Vulnerability response takes time
    The actual operators of the reported websites vary widely (from large corporations to individuals, etc.), and even once the website operator is notified of the vulnerability, it may take some time for the operator to investigate the vulnerability information (due to a lack of countermeasure personnel, etc.) and take countermeasures.
  • 13. Information Security Early Warning Partnership (Vulnerability Reporting System) - Measures to Address Operational Issues
    Reporting Software Products
    ■ Recognizing product developers who are proactive in taking vulnerability countermeasures
    The system will also consider a mechanism to evaluate product developers who proactively take vulnerability countermeasures and disclose vulnerability countermeasure information for reported software product vulnerabilities.
    ■ Spreading the word about the need for vulnerability countermeasures to product developers
    Continue to provide educational materials on the necessity of vulnerability countermeasures for software developers, with the cooperation of related organizations.
    Reporting Website
    ■ Dissemination of clear contact information for website vulnerability information, etc.
    The "Establishment of a Security Contact Point" is available to website operators, and we will continue to disseminate this information and raise awareness.
    ■ Spreading the word about the need for vulnerability countermeasures to website operators
    We will continue to disseminate educational materials and videos to website operators to raise awareness of the need for vulnerability countermeasures.