課題Ⅱ 第１編① 情報セキュリティの基礎と脅威

Information security refers to efforts to protect the information assets held by organizations and individuals from various threats. The foundation of information security is composed of three elements known as the CIA triad.

Confidentiality is ensuring that only authorized persons can access information. Specifically, it prevents unauthorized viewing and leakage through access control, encryption, and authentication technologies. Integrity is guaranteeing that information is accurate and complete, and has not been tampered with or destroyed by unauthorized persons. Hash value verification and digital signatures are representative means. Availability is maintaining a state where authorized users can reliably access information and systems when needed. Redundancy, backups, and disaster recovery plans (DRP) are means to enhance availability.

In addition to the three CIA elements, four more properties are defined for information security. Authenticity is the property of confirming that a user or system is genuine, realized through multi-factor authentication and electronic certificates. Accountability is the property of being able to trace who did what, with access logs and audit trails being important. Non-repudiation is the property that prevents denying an act after it occurred, guaranteed by digital signatures and timestamps. Reliability is the property that a system operates consistently as intended.

Among technical threats, malware is a general term for malicious software. A virus parasitizes other programs and spreads infection through self-replication. A worm does not need a host program and propagates autonomously through networks. A Trojan horse pretends to be normal software while performing unauthorized operations behind the scenes. Ransomware encrypts data on infected devices and demands a ransom in exchange for decryption. Spyware secretly transmits user operation information and personal data externally. Adware forcibly displays advertisements, and some also serve as spyware. A bot is malware remotely controlled by an attacker's commands; large volumes of bots form botnets used for DDoS attacks.

Technical threats also include web and network attacks. Phishing steals personal information through emails or websites disguised as legitimate services. Spear phishing is an elaborate form of phishing targeting specific individuals or organizations, with a high success rate. SQL injection inserts malicious SQL statements into web application input fields to manipulate databases. Cross-site scripting (XSS) embeds malicious scripts in web pages to execute them in viewers' browsers. Cross-site request forgery (CSRF) forces users to send unintended requests to websites where they are already authenticated. DDoS attacks overload servers with massive volumes of communication, shutting down services. Zero-day attacks exploit vulnerabilities before fix patches are provided. Watering hole attacks plant malware on websites frequently visited by the target. Drive-by downloads automatically download malware just by browsing a website. DNS cache poisoning tampers with DNS server information to redirect users to fake sites. Buffer overflow is an attack that sends data exceeding a program's memory area to execute unauthorized code.

Phishing has derivative types corresponding to delivery means and methods, and the exam sets questions aimed at causing confusion. Smishing (SMiShing) uses SMS (mobile phone short messages) to redirect to fake sites, often impersonating delivery companies or financial institutions. Vishing (voice phishing) uses phone calls (voice), impersonating banks, police, or public institutions to extract PIN numbers and account information. Pharming is an attack where users are redirected to fake sites via DNS cache poisoning or device hosts file tampering even when entering correct URLs; users find it hard to notice. Skimming is a physical technique that steals magnetic information and IC chip information from credit cards and cash cards using a reader device (skimmer); small devices are installed on ATMs or POS terminals to duplicate card information.

Human threats are threats caused by human behavior. Social engineering is a general term for techniques that exploit human psychological vulnerabilities, with multiple methods. Shoulder hacking steals passwords by peeking at screens or keyboard input over someone's shoulder. Trashing (dumpster diving) collects confidential information from discarded documents and storage media. Impersonation phone calls pretend to be IT department or superiors to extract passwords and confidential information. Tailgating (piggybacking) follows authorized entrants to enter rooms without authentication. Internal crimes involve employees or former employees taking information out or engaging in unauthorized access. Accidental information leakage from operational errors is also a human threat, with misdirected emails being a typical example. Unauthorized access is the act of external persons intruding into systems without authorization.

A privacy filter (anti-peeking film) is a physical sheet attached to a screen, designed so that the screen displays normally when viewed from the front, but appears dark and indecipherable from diagonal angles. It is a physical countermeasure to prevent information leakage in environments where third-party gazes can reach, such as cafes, bullet trains, and shared spaces, and is particularly effective for telework and mobile work. Use is recommended for work handling personal information, and it is positioned as part of physical safety management measures.

Physical threats are threats that affect the physical environment of information systems. Natural disasters include earthquakes, typhoons, floods, and lightning. Power outages stop entire systems and directly threaten availability. Fire physically destroys equipment and data. Unauthorized intrusion is physical entry into buildings or server rooms. Theft is the physical taking of PCs, storage media, and documents. Destruction includes intentional equipment damage.

Vulnerabilities are weaknesses against threats. Software bugs are a representative technical vulnerability; unfixed bugs are exploited by attackers. Configuration mistakes are also serious vulnerabilities, with typical examples including unchanged default passwords, inadequate firewall settings, and leaving unnecessary services open. Human factor vulnerabilities include lack of security awareness, insufficient education and training, and inadequate internal rules. Physical factor vulnerabilities include inadequate lock management, lack of entry/exit management, and uninstalled surveillance cameras.

In recent years, there are threat trends that receive particular attention in exams. Targeted attacks (APT: Advanced Persistent Threat) aim at specific organizations and persistently continue attacks over long periods. Spear phishing emails are frequently used for initial intrusion. Supply chain attacks intrude on the original target via vulnerabilities in business partners or outsourcing partners. Ransomware damage is rapidly increasing, with double extortion (data encryption + threat of information disclosure) becoming mainstream. Business email compromise (BEC) instructs money transfers through emails impersonating executives or business partners. IoT security is also an important issue, as IoT devices often have insufficient security countermeasures and are easily used as stepping stones for botnets.

Risk in information security is generally expressed as "Risk = Threat x Vulnerability x Asset Value." Even if a threat exists, if there is no vulnerability, the risk is low. Conversely, even if there is a vulnerability, if no threat exists, the risk does not materialize. The higher the asset value, the greater the risk even with the same threat and vulnerability. There are four risk responses: risk reduction (implementing countermeasures), risk avoidance (discontinuing activities), risk transfer (insurance or outsourcing), and risk retention (acceptance).