...i A 1....2 1.1...2 1.2...2 1.3...2 2....3 2.1...4 2.1.1...4 2.1.2...4 2.1.3...6 2.1.4...7 2.1.5...7 2.1.6...8 2.2...8 2.2.1...8 2.2.2...9 2.3...10 3.... 11 3.1...12 3.2...12 3.2.1...13 3.2.2...18 3.2.3...20 4....23 4.1...24 4.1.1...26 4.1.2...31 4.1.3...33 4.2...36 4.2.1...38 i
4.2.2...38 4.2.3...39 4.3...40 4.3.1...40 4.3.2...41 4.3.3...43 5....44 5.1...44 5.1.1...44 5.1.2...48 5.1.3...49 5.2...50 6....51 6.1...51 6.2...51 6.3...52 BIT 1....55 1.1...55 1.2...55 1.3...55 2....56 2.1...57 2.1.1...57 2.2...58 2.3 ISO/IEC 15408...59 2.4...61 2.5...63 2.5.1...63 2.5.2...63 2.5.3...63 2.5.4...64 2.6...66 ii
2.6.1...67 2.6.2...68 2.6.3...68 2.6.4...69 2.6.5...69 2.7...70 3. IT...71 3.1...71 3.2 ISO ISO9000...71 3.2.1...71 3.2.2...72 3.3...72 3.3.1...72 3.3.2...72 3.3.3...73 3.3.4...74 3.3.5...74 4....75 4.1...75 4.2...75 4.2.1...75 4.2.2...76 4.3...76 4.3.1...76 4.4...76 4.4.1 ISO9000...76 4.4.2 ISO14000...77 4.5 IT...77 4.5.1...78 4.5.2...79 iii
A 1
1. 1.1 2001 3 xdsl 1.2 1.3 36 Web 115 233 2
2. 3 3
2.1 2.1.1 2002 5 7 2.1 2002 (2002 8 29 ) 2.1.2 4
2.2 2001 (2002 8 29 ) 1997 6%2001 61% 10 12% 68% 5 300 1997 68% 2001 100% 2.3 2001 (2002 8 29 ) 5
2.1.3 BtoB 1998 8 2001 34 4 2.4 BtoB ECOMNTT 13 (2002 2 18 ) BtoC BtoB 1998 645 2001 14,840 23 2.5 BtoC ECOMNTT 13 (2002 2 18 ) 6
2.1.4 2002 1998 4 10 2003 1 W32/SQLSlammer Sapphire 2.6 IPA/ISEC (IPA/ISEC) 2.1.5 IPA/ISEC 1997 25 2002 619 25 JPCERT/CC http://www.jpcert.or.jp/stat/reports.html 7
2.7 IPA/ISEC (IPA/ISEC) 2.1.6 1 2000 CATV 60 2001 ADSL 2002 800 2 12 2.8 14 12 (2003 1 31 ) 2.2 2.2.1 2001 8
2002 5 10 2.2.2 9
2.3 2.9 3 2.9 10
3. 3.1 3.1 11
3.1 OS 3.2 Web IP ADSL 12
3.2 20022003 (2002 12 16 ) 3.2.1 VPN(Virtual Private Network) (1) 952 2000 12 28 13
3.3 3.4 (2) IDS (Intrusion Detection System) 14
3.5 SI (System Integrator) 3 3.6 15
(3) VPN (Virtual Private Network) 3 VPN VPN VPN 3.7 VPN ADSL 3.8 VPN (4) IC PKI (Public Key Infrastructure) 16
3.9 IC 15% GPKI (Government Public Key Infrastructure) 3.10 (5) 2 RSA DES 17
Web Web 3.11 1 5 3.12 3.2.2 (1) 18
3.13 3.14 (2) VPN 3.15 ISP (Internet Service Provider) 4 19
3.16 (3) ISO/IEC 15408 BS7799 ISMS (Information Security Management System) 3.17 3.18 3.2.3 20
(1) DoS (Denial of Service) attack 3.19 (2) 2 SI OEM 21
3.20 3.21 (3) 10% 15% 70% 3.22 22
4. 11 11. 1 2 3 VPN (Virtual Private Network) 4 5. 1 2 3. 1 2 3 23
4.1 2001 990 1,856 108 2,953 5 2006 3,836 6,135 346 1 318 15% (2)(5) 1 BS7799 ISMS ISO/IEC 15408 2002 3 57.2% (4) 24
2002 12 781 16.6% (2)(3) 1 10 50 510 / 6 30% xDSL/FTTH/CATV 2000 10 4,700 ADSL ISP (1) IT N+I Network Guide 2003 2 (2) 2003 1 31 (3) 2001 10 (4) 2002 3 [Figure 4.1: y-axis 0 to 12,000; x-axis 2001 to 2006] 25
(5)2002 2002 7 30 4.1.1 (1) 2001 241 VPN 2 2001 2000 11,109 2001 24,261 90% 72% 7 e-japan 26
e-japan 23 8 (2) IDS (Intrusion Detection System) 2001 80 23 ISMS ASP (Application Service Provider) 27
ISMS VPN Web (3) VPN 8 VPN ISP (Internet Service Provider) VPN xDSL IP-VPN VPN VPN VPN 28
VPN ADSL VPN (4) IC PKI PKI GPKI PKI ISMS GPKI 1 IC 29
1 PKI PKI (5) OS 2 e-japan ISMS OS 30
4.1.2 (1) 2001 1,700 SI (System Integration) e-japan (2) 31
111 10 VPNADSL (3) 2001 45 32
ISMS ISMS 4.1.3 (1) 7% SI 33
(2) IT 2001 2001 23,778 2,111 2002 34,352 2,788 2 34
(3) OS 35
4.2 2001 45 47 92 5 2006 120 92 212 2001 9 IT IT 2% 4 CSI/FBI 2001 85% 1 64% 2003 2004 2005 2004 2006 VPN administration, authorization, authentication 3 e 1 36
[Figure 4.2: y-axis 0 to 25,000; x-axis 2001 to 2006] 37
4.2.1 CSI 90% 93% IDS IDS 2000 11 6,000 2005 29 VPN PKI LAN IC 4.2.2 VPN 2007 9 3,100 VPN IDS 2001 38
1 2001 9 2003 4.2.3 2,000 100 2005 25 1 39
4.3 4.3.1 2001 4.3 33.69% 51.09% 48.91% 66.31% VPN 40
4.3.2 2001 2006 IT 1US 120 [Figure 4.4: y-axis 0 to 30,000; bars for 2001 and 2006; data labels 2001: 3.76, 11,040, 5.46, 2.89, 5,400, 5,640, 1,948, 990, 2,938; 2006: 3.75, 14,400, 3,836, 6,421, 1.72, 11,040, 10,258, 2.48, 25,440] 41
2001 3.76 2006 2.48 IT 1.96 IT IT 3.28 IT 2001 [Figure 4.5: y-axis 0.0% to 50.0%; data labels 17.1%, 1.96, 33.6%] Source: WITSA, Digital Planet 2002 (2002.02) 42
4.3.3 [Figure 4.6: x-axis 0% to 100%; data labels 21%, 27%, 25%, 58%, 29%, 60%, 79%, 89%, 90%, 90%] Source: CSI, Computer Security Issue & Trend, Vol. VIII, No. 1, Spring 2002 43
5. 5.1 5.1.1 (1) a) Windows Windows 44
Macintosh b) WindowsUNIX OS Macintosh (2) ISP 26% 45
(3) VPN ISP VPN VPN (4) PKI 70% 2001 46
PKI 2 OS PKI e-japan (5) IC LAN GPKI 47
5.1.2 (1) (2) ISP (3) 48
SI ISMS 5.1.3 (1) (2) (3) 49
IT IT IT ISMS 5.2 50
6. 6.1 (1) 5 3.5 (2) (3) 6.2 (1) IT ITSSIT 51
(2) 6.3 (1) ISMS (2) IT ISMS ISMS 100 ISO BS7799 ISMS IT (3) e-japan ISMS (4) IT 52
Web 53
B IT 54
1. 1.1 2001 2 IT IT IT IT 1.2 IT IT 5 1.3 21 ISO ISMS Web 275 55
2. 2001 4 NITE 1998 10 CC (Common Criteria) IPA 2 56
2.1 2.1.1 1985 TCSEC (Trusted Computer System Evaluation Criteria) TCSEC D, C1, C2, B1, B2, B3, A1 7 1991 EC ITSEC (Information Technology Security Evaluation Criteria) 8 7 1993 6 CC 1996 CC (Common Criteria) 1.0 1996 ISO 1999 6 ISO/IEC 15408 2.1 57
TCSEC, ITSEC, ISO/IEC 15408 2.2 2.2 2002 11 (Table 2.2, as of November 2002; columns: TCSEC, ITSEC, CC/ISO/IEC 15408, total; the last row before the totals carries no year label in the source)

Year              TCSEC   ITSEC   CC/ISO 15408   Total
1990                 20       1              -      21
1991                  4       0              -       4
1992                  6       1              -       7
1993                  5       7              -      12
1994                 19      25              -      44
1995                 11      17              -      28
1996                  4      18              -      22
1997                  7      28              1      36
1998                  5      32              3      40
1999                  2      41             14      57
2000                  3      31             31      65
2001                  0      34             26      60
2002                  0      17             44      61
(no year label)       0       9             68      77
Total                86     261            187     534

(IPA/ISEC) IT 2002 12 2.2 1998 10 CC CC MRA MRA 5 CC EAL1 EAL4 5 58
2001 2.3 ISO/IEC 15408 ISO/IEC 15408 ISO/IEC 15408 ISO/IEC 15408 CC 2.0 1999 6 3 parts: 1 Introduction and general model; 2 Security functional requirements; 3 Security assurance requirements. ISO/IEC 15408 1 Protection Profile (PP), Security Target (ST); ST PP 2 3 ST PP ST PP PP ST ST PP 2 59
3 10 PP ST ISO/IEC 15408 2000 7 JIS X 5070 JIS ISO/IEC 15408 2.3 60
2.3 TOE (Target of Evaluation) PP 2.3 2.4 ISO/IEC 15408 NITE 1-4 NITE NITE NITE TOE PP ST 61
TOE PP PP (Protection Profile) TOE 2 ST (Security Target) 7 2003 2 NITE PP TOE ST ST ST TOE TOE ST TOE 2 ST 3 NITE 2003 2 2.4 IPA IT 62
2.5 2.5.1 2 2.5.2 2.5.3 (1) PPSTTOE (2) IT IT PPSTTOE IT IT IT IT IT 63
2.5.4 (1) A IC Protection Profile (PP) PP 2 2 1 PP ST 2 3 4 B IC Security Target (ST) 4 2 15~20 5 2 300 1 2 3 4 5 C 64
Security Target (ST) Protection Profile (PP) Target of Evaluation (TOE) 1 2 3 IC Security Target (ST), Protection Profile (PP), Target of Evaluation (TOE) 10 NITE 1 1 2,500 3 1 1 2 3 E Target of Evaluation (TOE) 1 2 3 ISO/IEC 15408 65
(2) 2.5 1 IT 28 30 29 N=275 20 23 21 N=80 27 66% 28% N=35 IT 33% 33% 33 275 27 35 29 N=275 IT 50 62 52 N=275 10% 72 73 73 N=144 N=275 50% 50% 50% 2.6 2.6 2.6 A B C D E PPTOE PPTOE ST 66
2.7 A.B.C. BE ABC. ACDE. 2.6.1 (1) PP ST ST PPSTTOE ST 2 3 (2) PP ST PPSTTOE NITEST PP TOE ISO9000 ISMS 67
2.6.2 (1) 2 ST 7 NITE 12 ST (2) (3) (4) EAL4 2003 2 EAL3 2 EAL4 IT EAL4 2.6.3 (1) ISO/IEC 15408 ISO/IEC 15408 68
PP ST PPST PP ST PP ST 2.6.4 (1) ST 2 3 TOE (2) PP ST PP ST IC ST 1 300 2.6.5 (1) ST ISO/IEC 15408 PP TOE ST ST ST ISO/IEC 15408 ST ISO/IEC 15408 (2) Linux Sendmail 69
ISO/IEC 15408 2.7 2.8 ST 2.8 A B C D E ST 70
3. IT 3.1 1 1 3.2 ISO ISO9000 3.2.1 ISO9000 3.1 3.1 ISO9000 ISO 71
3.2.2 ISO 3.3 3.3.1 ISO/IEC 15408 ISO e 3.3.2 (1) 2 (2) 72
(3) ISMS PR 3.3.3 (1) (2) EAL4 (3) 73
3.3.4 ISO9000 1/2 3.3.5 74
4. 4.1 NITE 20 ECSEC JEITA 3 10 1 1 NITE 1 JEITA ECSEC ECSEC 4.2 4.2.1 4.1 2 IT N=275 IT N=80 N=275 IT N=275 10% N=144 28 30 29 20 23 21 27 35 29 50 62 52 72 73 73 3 IT 3 75
10% 7 10% 4.2.2 ST 4.3 4.3.1 1 1~2 4.4 ISO 4.4.1 ISO9000 ISO9000 1990 76
1994 1998 4 826 6,627 1.7 1992 1 200 1992 1994 3 4 ISO9000 4.4.2 ISO14000 ISO14001 1996 1996 2000 4 106 4,019 2.5 ISO9000 ISO9000 ISO14001 4.5 IT 2 1 A 1 B 77
4.5.1 (1) A NITE 20 20 3 ECSEC 2 4 2 (2) B VPNIC PKI VPNIC PKI VPN9 IC 8 19 PKI 7 5 1/3 78
1 1 1.5 4.5.2 4.2 A 2002 2003 2004 2005 2006 5 7 8 16 32 68 5 17 32 48 70 172 B 1 3 6 9 13 33 9 8 1 3 6 8 12 30 7 1 2 4 7 10 25 0 6 12 19 28 65 19 5 2 3 4 5 7 10 A 3 2004 2005 B 2003 2006 22 172 8 1.7 ISO9000 1994 1998 2005 79