# Cybersecurity operation and management bird's-eye view from Japanese financial industry experience. - Keisuke Kamata {%hackmd @HITCON/r1cl60dRc %} > 從這開始 [TOC] ### Brief 1.銀行遇到的資安挑戰 2.釣魚的挑戰 ### Agenda - Introduction - Case study - Lessons learned - Conslusion ### Japanese financial industry cyber security - Regulator/Polic / Financial Services agency Bank of Japan NICS - Guideline / Associations for Bank Securities Insurance Credit card etc - FISC - Operational - Financials ISAC Japan ### Concept from history:自助、共助、公助 - With Sequence - Self -> Mutual -> Public ### Trend: Cyber Threat Landscape in jp financial industry - Sophisticated attach (APT) to cryptocurrency industry - Fraud money transfer - Business / Service suspension by DDos etc - information leakage through cloud services - Miss configuration - Ransomware incidents ? - Small portion in Japan ### Case Study ### 1.Phishing - Attackers launch phishing site to steal customer information from financial institution(FIs) - Bank.... ### Phishing site analysis - Over 10000 phishing site obersverd per month - Mobile companies,large bank,credit card companies are major target - Top 3 is like 80% of 1000 - Domain registraton companies - 4. hosting comanies are use 80% of the phishing site ### Phishin site analysis (cont.) - major top level domains are "org com cn top xyz - jp is very littels than 1% - most of phishing site is using https lets encrypt is 99% - Why mobile companies are major target ? - large customer volume - their own payment service - eSIM? - easier to steal money from online site ### Phishin site analysis (cont.) - using dynamic DNS service to crete unlimited nymbers of URLS - redirect to same IP address phishing site - we see like bit.ly-> Dynamic DNS url - phishing site redirection ### Phishin site analysis (cont.) - the phishing you may input a fake random email and random password to login ### Phishin site analysis (cont.) - You go phishing site,input ID/pw and login - asking you to go to ATM to make payment - Some might have Customer support chat ### 2.Ransomware incident - Their initial plan did not use the internet - Chagne the network configuration - Wrongly open RDP without proper access control ### 3. Cloud Service access control - Notice configuration change ### 1.Phishing - Create small technical group to develop and distribute phishing site detection tool for F-ISAC Japan members - provide hands-on training for in-hose monitoring - Tor node server list to monitor suspicious ip access - Daily/Timely information sharing in the community - about new phishing site - how we respond to it? ### 2.Ransomware - it is recongized serious case but we don't see many victim cases like other industries - keep gathering global trend - Business view point - can we pay or not? - what we do if the business suspended(BCP)? ### 3.Cloud Service access control - Discuss and create guideline for cloud service access control. - Discuss with cloud service provider what and how we should have done - Organize technical seminar for members ### Con ### People - is security team understand 'current situation' ? - Do they have enough knowledge and experience? - Do they have "good" information source and peers? - how is corporate internal communication? - we do "mis-configuration" ### Process(Organization) - Corporate security policy and enforcement - Do we really know our "IT assets" thought company - how strong is the it/security division? - is your CxO really...... ### Technology - Small thing cause big problem like RDP case - in-house vs OutSource - daily operation.devsecops,agile - Technical people can help non-technical people ### People again - need more ? - technical vs management? - Communication with CxO - help each other and sharing helps industry ### QA how to share IoC attack 1.Sample 2.Methodology 3.Event ###### tags: `HITCON2022`,`HITCON`