비대면시대의웹사이트보안과 · 2020-05-28 · Utilizing digital certificates for...

비대면시대의웹사이트보안과

안전한재택근무방안

DigiCert Ireland Limited, Korea Branch

나 정주 지사장

(Country Manager for Korea, Indonesia, Pakistan and Vietnam)

[email protected]

안 건

Identity동향과업계흐름

TLS / SSL 인증서의변화

CA/B 포럼

재택근무시, 사이버공격을최소화하는제안

Five Tips for Secure Remote Email Access

회사소개 – DigiCert

회사소개 –써트코리아

IDENTITY(신원혹은정체성) 동향과업계흐름

Average number of attacks on IoT devices

per month

Of malware(악성코드)infection happens via phishing scams over

email

Average bot visits per site per week

Of businesses experienced DoS(denial

of service) attacks

Websites have malware(악성코드)

at any given time

Of breaches(침해)took months or

longer to discover

5,200

68%

94%

2,354

17.6MILLION

51%

ANOTHER YEAR OF ATTACKS

“THE COST OF COMPROMISING THE SYSTEM AROUND

CRYPTOGRAPHY IS MUCH LOWER THAN THAT OF

RUNNING A 2^80 TIME ATTACK, BE IT BY ATTACKING

THE SOFTWARE, HARDWARE, PROCESSES, OR PEOPLE.

RED TEAMERS, MILITARY CNA/CNE, AND CYBER-

CRIMINALS DON’T NEED TO BREAK THE CRYPTO TO

GET YOUR SECRET KEYS.”

-JP AUMASSON

• Our digital presence is intertwined with our daily lives.

• Every day, we generate more data, and more data is generated about us.

IDENTITY IS DATA

• Getting smaller: from bag phones to flip phones to smart phones

• Getting more with less: the consolidation of many devices into one

MINIATURIZATION &CONSOLIDATION

• No more video tapes or DVDs

• Online and on-demand via high-speed broadband

VIDEO STREAMING

• More than simple storage

• Powerful computing resources on-demand

• Pay as you use

CLOUD COMPUTING

• The generation of big data through constant monitoring of medical conditions.• Apple Watch (EKG), Medical tests online,

Smart continuous glucose monitoring systems

• Do we trust those holding the data?

BIG DATA BIOLOGY

• How do we keep data secure and private?

• How do we know what’s being done with our data?

• Who has the access to correct, delete and destroy data?

• What are the trends in privacy acts across states and countries?

BIG DATA:MY DATA IS NOT YOUR DATA

• We might want to be anonymous.

• Should websites we transact with be anonymous?

• How do we assure we are dealing with the right entity online?

• How do we assure ourselves we are downloading safe code?

• How do we know the email we received is genuine?

• How do we know the device that joined our network is authorized?

ANONYMITY(익명성)

ON THE WEB

Targets:Businesses, the elderly

How:Social Engineering, phishing, fake recommendations

ONLINE SCAMS(사기)

TLS / SSL 인증서의변화

TLS(Transport Layer Security) / SSL(Secure Socket Layer) 인증서란?

First release of NextGen UX

CSAT from 4.7 to 6.4 (7 scale)

사용자와 웹 서버 간의 데이터는 암호화되어 있기 때문에

중간자가 공격하여 Data를 보더라도 내용을 알 수 없음

TLS / SSL 인증서종류

DV(Domain Validation)Basic Validation

OV(Organizational

Validation)Standard Validation

EV(Extended Validation)

Enterprise Validation

Lowest level of authentication

Anonymous entities can get a certificate

Provide additional checks to ensure brand protection

Highest standard of brand protections

Shows customers that transactions are secure

TLS/SSL 인증서의차이

DVDomain Validation

Basic Validation

OVOrganizational Validation

Standard Validation

EVExtended Validation

Enterprise Validation

TLS / SSL 인증서의추세

Task completion time cut in half


20

40

0

60

80

2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020

What happened to EV at Safari and Chrome?

Safari Chrome

EV IS NOT GOING AWAY– IT’S MOVED

Firefox

What happened to EV at Edge?

Edge EV Treatment –Inherited from Chromium

EV SSL 인증서확인

GPKI Chrome & Safari mobile 의경고문구

How much do you manage certs in your organization?

Task completion time cut in half CSAT from 4.7 to 6.4 (7 scale)

- Do you have SSL/TLS certificates from multiple vendors in your infrastructure?

- Do you know how much to budget on an annual basis for your SSL/TLS certificate management?

- Do you know how much of your time you spend manually trying to process certificate renewals and installations?

- Do you know how much it costs your organization to administer your SSL/TLS certificates?

- Do you know exactly who is procuring certificates within your organization and how they are managing the certificates?

- Do you know the expiry dates of every certificate under management?

Cisco estimated that it takes some four hours of management time, at a cost of $288 per certificate to manually administer your SSL/TLS certificates

(Case Study: Scalable Key and Certificate Lifecycle Management with Cisco Systems,” Session ID: SPO1-303, RSA Conference 2011, Cisco Systems Inc.)

Where are we going?

• Certificate trends: # websites will increase --> cert usage will increase

• DMARC(Domain-based Message Authentication, Reporting and Conformance) adoption will grow as companies

see value in VMCs

• Quantum safe cryptography will debut in TLS certs within the next 5 years(PQC)

• Privacy laws will morph from states to countries to regions, eventually global

• It’s more than the lock! --> users must take extra precautions

• Encryption and Identity go hand in hand

• Automation in managing certificates will increase

• EV is not going away --> it’s moved

• Globally governments except Korea prefer EV

CA/B(Certificate Authority & Browser) 포럼

CA/B 포럼소개

• CA(Certificate Authority) / Browser Forum

• 인터넷브라우저소프트웨어공급업체, 운영체제및기타 PKI 지원응용프로그램과관련된

업계의자발적컨소시엄

• X.509기반의인증서발급및관리를규제하는업계지침을공표

• TLS/SSL인증서 , Code Sign인증서등 System과 Network 보안에사용되는인증서지침

https://cabforum.org/

재택근무시, 사이버공격을최소화하는제안- ”HOW TO AVOID CYBERATTACKS DURING AN EXTENDED PERIOD OF WORKING FROM HOME”

by Dean CoclinSenior Director of Business Development at DigiCert

from the article of Analytics Insight

Hackers will take advantage of any vulnerability they can find. Amidst the pandemic of COVID-19, attackers are taking advantage of the alertness of the world population with phishing emails, social media posts, apps and text messages containing malware. These scams typically involve fraudsters impersonating healthcare officials.

In fact, CERT-In (Computer Emergency Response Team of India) in its latest advisory to internet users said that cyber criminals are exploiting the COVID-19 outbreak as an opportunity to send phishing emails claiming to have important updates or encouraging donations, impersonating trustworthy organizations. The phenomenon has been witnessed as many organizations have asked their staff to work from home to help stop the spread of the coronavirus that has claimed thousands of live worldwide and infected millions

As these cyberattacks continue to spread, we recommend these six best practices to help protect ourselves.

In the pandemic of COVID-19…

Check common signs(상식을이용해라)


If a form of communication asks you to click a link, download an attachment or give any personal or financial information, this should be a red flag

Do not exchange information or do financial transactions with entities that you are not familiar with

Look for common signs of fraudulent sites/ emails including:

- Poor design

- Poor grammar or spelling

- Unreliable contact information

- No Terms and Conditions listed

- Deals that seem too good to be true

- Suspicious forms of payment (like sending money to a random PayPal account)

Treat Emails about COVID-19 with Suspicion(“코로나”관련…의심먼저)


Sample phishing email:

The attachment contains malware

Reading carefully reveals that the fraudster spelled

Israel “Isreal,” which is a clear red flag

Pay attention when browsing (웹사이트인증서등활용)


It’s also important to be careful when browsing, whether on websites, social media or apps. You can check the sites you visit for TLS (Transport Layer Security) /SSL (Secure Sockets Layer), the standard technology for keeping an internet connection secure and safeguarding any sensitive data that is being sent between two systems. Different browsers have unique identifiers to show if a website is secure. You can view our blog on how to identify authorized sites to know how to distinguish authorized from unsecured sites.

Additionally, web users can check the safety of a site by copying and pasting the URL into the Google Safe Browsing Transparency Report. If a suspicious or fraudulent site is found, it can be reported to Google’s Safe Browsing or Mozilla’s Protect the Fox

Do not download unknown attachments


Malware is currently spreading through cybercriminals distributing via email a map similar to the one by Johns Hopkins University. The map often includes links to malicious sites disguised as official communication

Fight technology with technology (눈에는눈, 이에는이~~기술에는기술)


To prevent attacks always update your software and browser with the latest versions of Microsoft Edge, Mozilla Firefox and other vendors’ browsers that come equipped with anti-phishing filters.

Existing technologies such as PKI (Public Key Infrastructure), which provides encryption and cryptographic identity guarantee in each data flow and verifies all network users, can play a key role in protecting homes, businesses and connected networks. Email attacks are common forms of phishing and social engineering, and companies can also help protect users and other people who trust their email systems by using digital certificates to assure the identity and authentication and encryption of the client.

Overall, rely on legitimate health services and government websites for information. Do not give out personal or financial information and verify that a charity is legitimate before making donations. You may want to review the FTC guidelines for vetting a charity and avoiding scams before making any donations.

During this global pandemic, not only do we need to reexamine our social habits, but also our digital ones. Following these tips can protect against hacker attacks and data leakage, keeping your network and devices safe

원격 이메일 접속을 보호하기 위한 5가지 제안(Five Tips for Secure Remote Email Access)

by Dean CoclinSenior Director of Business Development at DigiCert

from DigiCert Blog at:https://www.digicert.com/5-tips-for-secure-remote-email-access/

Best practices to help your organization send and receive secure messages


How many emails do you receive every day? How do you know the emails you are sending and receiving are secure? How do you know that your employees’ emails are secure, especially when they are working remotely and sending emails from home or unknown locations?

Furthermore, how do users know that an email is actually from your organization? When a hacker pretends to be from an organization, it not only costs companies millions of dollars each year but also damages trust between a company and its customers. Building trust through secure email access is critical to ensuring that information remains secure and private.

To combat compromised email attacks, several protocols were created. These, combined with other best practices, can help your organization secure your remote workforce’s email. This is especially important as attackers are currently spoofing emails and messages to take advantage of the current global crisis. For example, some malware was spread in March through an email attachment spoof of the John Hopkins University map.

1. Use S/MIME (Secure/Multipurpose Internet Mail Extensions) protocol


S/MIME is a method for sending digitally signed and/or encrypted messages. Using S/MIME in email reassures receivers that the message in their inbox is the exact same message from the sender. It also validates the identity of senders, so receivers know that the message is coming from the real sender and not an imposter. Thus, S/MIME provides authentication, message integrity, privacy and data security.

Within organizations, your IT department will be responsible for setting up S/MIME by providing digital certificates to users or by using a third-party platform to enforce security on email messages.For non-corporate users, you would need to obtain a digital certificate from a certificate authority to enable S/MIME. Google Gmail supports a few different secure email methods as outlined in this support article: Gmail Help. Here’s an example of what secure email looks like in your Gmail inbox:

https://www.digicert.com/client-certificates/

https://support.google.com/mail/answer/6330403

2. Work towards DMARC certification


DMARC (Domain-based Message Authentication, Reporting and Conformance) ensures that others cannot pretend to be from a legitimate corporate domain so that your emails can’t be spoofed. For example, if an organization like PayPal has DMARC, then fraudsters cannot send emails from the PayPal domain because the receiving email provider will either quarantine or reject messages from unauthorized accounts. Thus, only authenticated messages are accepted into email users’ inboxes.

After your organization has this protocol, you can also configure alerts for your organization when an unauthorized email is sent from your domain, helping you increase visibility and monitor suspicious activities.

DMARC implementation requires that your organization inventory all domain senders authorized to send messages on behalf of your organization and whitelist them. Outsourcing emails to third-party senders can make this process more complicated, but it’s certainly doable.

A DMARC policy can be configured in three ways: none, quarantine or reject. When organizations initially create a DMARC record, they set the policy=none. But this wouldn’t result in any enforcement. Once the policy is set to quarantine or reject, they will see the benefit of DMARC. In 2018, the U.S. Department of Homeland Security issued a directive to get all U.S. government domains DMARC enforced (see https://cyber.dhs.gov/bod/18-01/). In record time, government domains implemented DMARC. Businesses should also work towards DMARC certification and enforcement to protect their brand from being used in false messaging.

3. Use a VPN for your workforce


A Virtual Private Network (VPN) adds a layer of security and privacy to email by encrypting traffic through a server, so it is more difficult for hackers to intercept it. Utilizing digital certificates for authentication to VPNs provides an extra layer of security for sensitive communication.

4. Look forward to BIMI(Brand Indicators for Message Identification)

BIMI(Brand Indicators for Message Identification)

is an email specification that enables brand-

controlled, validated logos in supporting

email providers

This emerging standard will build on DMARC

authentication by displaying brand logos on

email messages verified with DMARC. Logos will

be validated by certificate authorities, who will

issue VMC(Verified Mark Certificates)

A pilot is planned for Q2 with general availability

later this year. The first Verified Mark

Certificate was issued by DigiCert to CNN in

October 2019

https://www.mediapost.com/publications/article/341886/bimi-boom-cnn-is-issued-the-first-validation-cert.html

5. Remember email management best practices


On top of having good security tools, you should also do what you can to encourage employees to keep

their email safe, especially when they are working remotely and cannot authenticate messages in person.

Organizations should implement and enforce a company-wide email policy if they do not already have

one. For instance, close former employees’ email accounts so that they cannot access them and forward

correspondence to a current employee. You may also consider offering security awareness training to

employees since helping employees practice good security habits is just as important as implementing

security protocols. Testing employee awareness with crafty emails to see if they click on suspicious links

is a good way to ensure proper email hygiene.

In sum, securing your email, especially from home or unknown locations, helps to ensure the email

content cannot be read by third parties and that the integrity of the message is intact.

회사소개 -

DigiCert & 써트코리아

VeriSign becomes the first Certificate Authority

DigiCert founded based on the question, ”Isn’t there a better way?”

DigiCert partners with Microsoft to develop first Multi-Domain certificate

DigiCert builds first CT log accepted by Google

DigiCert acquires Verizon SSL/TLS business

DigiCert’s trusted roots become encryption foundation for enterprises worldwide

VeriSign becomes first international CA

DigiCert becomes founding member of the CA/Browser Forum

Symantec acquires Verisign Authentication

DigiCert launches scalable IoT platform

DigiCert acquires Symantec’s Website Security business

DigiCert - A Combined History of Innovation & Leadership

DigiCert acquires QuoVadis CA

1995 2003 2007 2013 2016 2018

1997 2005 2010 2015 2017 2019

.

“Based on Forbes Global 2000 list published in 2017/Fortune 500 2017 and internal customer analysis conducted in October 2017 , Frost & Sullivan 2019

45

• 1등 Enterprizes TLS/SSL 인증서 업체

• “Frost & Sullivan” awarded as “2020 Global TLS Certificate

Company of the Year”

• “Fortune 500”의 89%와 Top 100 banks의 97%가 선호

• 매일 280억 개의 Web connection의 안전한 연결 보장

• SSL, PKI & IoT 솔루션을 전세계 180여개국에서 제공

• Automation platform 인 “CertCentral” 발표

• 2018년 10월 DigiCert-Gemalto-Isara 등 3사가 양자 컴퓨팅

시대의 미래 사물인터넷(IoT) 보안을 위한 파트너십 체결

• 세계 최초 “PQC test kit” 발표(DigiCert Secure Site Pro)

DigiCert – TLS/SSL인증서와 IoT 보안 선도 기업

“CertCentral” Enterprise, all certificate types in one place

CertCentral Enterprise

A single console to manage all

types of certificates through an

intuitive, modern UI.

Secure Site Pro TLS certificate

Certificate

Transparency (CT)

Log Monitoring

Gain visibility of your

certificates with the

only transparency

monitoring feature

on the market

Blacklist Check

Ensure your

domains are free

and clear with

blacklist and

malware searches

Priority Support and

Validation

Get your queries

resolved faster with

preferential access to

support and validation

« « «

Trust Mark

Boost consumer

confidence with the

world’s most-

recognized SSL

« «

Post Quantum

Cryptography

(PQC)

Get ahead of

quantum computing

by testing hybrid

certificates safely

Also available as Extended Validation (EV) certificates

«

Server Certificate

1. Subject : www.digicert.com2. Valid from 7/11/2018 to 13/11/20203. Issuer : Digicert SHA2 Extended Validation Server CA

Intermediate Certificate Authority

1. Subject : Digicert SHA2 Extended Validation Server CA2. Valid from 10/Nov/2006 to 10/Nov/20313. Issuer : Digicert High Assurance EV Root CA

Server Certificate

1. Subject : www.digicert.com2. Valid from 7/11/2018 to 13/11/20203. Issuer : DigiCert Secure Site Korea EV CA

Intermediate Certificate Authority

1. Subject : DigiCert Secure Site Korea EV CA2. Valid from 25/March/2019 to 25/March/20293. Issuer : Digicert High Assurance EV Root CA

Root Certificate

1. Subject : Digicert High Assurance EV Root CA2. Valid from 10/Nov/2006 to 10/Nov/20313. Issuer : Digicert High Assurance EV Root CA

Launched “Korea ICA” – “DigiCert Secure Site Korea EV CA”

GeoTrsut Inc. 파트너 제휴 체결

써트코리아는

Symantec 플래티넘

파트너 체결

세계1위 인증기관Verisign Inc. 파트너 제휴 체결

2018

웹사이트 개인정보보호를 위한 SSL 인증서비스의 “선도업체” 입니다

201020002000

DigiCert 플래티넘파트너 선정

• 첨단 부설연구소 인가

• KAIST첨단기술사업화센터(HTC) 입주기업

• 정보통신부 장관상 (우수IP상수상)

Thawte Inc. 파트너 제휴 체결

2012

20년간의 발급및 기술노하우

DigiCert 국내유일플래티넘 파트너

1000대 기업의꾸준한 신뢰

01.

✓ 20년 동안 축적된 경험을 통한전문적인 노하우를 가지고 있습니다.

✓ 오랜 경험을 통해 급격히 변화하고있는 인증서 동향을 빠르게 파악하고원활한 처리가 가능합니다

✓ DigiCert 파트너 최고 레벨인 프리미엄파트너사로써 하이퀄리티 기술지원 및마케팅 지원을 받고 있습니다.

✓ 국내 인증시장이 형성이 시작된2001년에 국제 인증기관과 제휴를통해 인증사업을 시작한 선두주자입니다.

02. 03.

✓ 국내 인증시장의 오랜 경험과 노하우를통해 국내 1000대 기업에 신뢰를 받고있습니다.

✓ 현재 인증서발급 4만건 이상 달성

* 국내1위 10,000여개 고객사가 써트코리아를 선택했습니다.주요 고객사

감사합니다.

DigiCert Ireland Limited, Korea Branch

나 정주지사장

(Country Manager for Korea, Indonesia, Pakistan and Vietnam)

[email protected]

써트코리아

허 명옥총괄팀장

[email protected]

비대면시대의웹사이트보안과 · 2020-05-28 · Utilizing digital certificates for...

Documents

Transcript of 비대면시대의웹사이트보안과 · 2020-05-28 · Utilizing digital certificates for...