2018 Website Security Trends
DigiCert Ireland Limited, Korea Branch: 나정주 (Director), James.nah@digicert.com
Korea Electronic Certification Authority (CrossCert): 김현주 (Leader), marketing@crosscert.com

Agenda
What is an SSL certificate?
The changing browser market
SSL market trends
What is the CA/B Forum?
Phishing update
The need for an integrated solution
Company introduction (DigiCert and CrossCert)
What is an SSL certificate?

What is an SSL (Secure Socket Layer) certificate? Because the data exchanged between the user and the web server is encrypted, a man-in-the-middle who intercepts the traffic cannot read its contents.

SSL certificate types by trust (validation) level
Domain Validation (DV): encryption; domain control is verified; padlock shown in the address bar; fast issuance.
Organization Validation (OV): the company (organization) is verified; the certificate applicant is verified; domain control is verified; company information is shown in the certificate; issued within 1-2 days.
Extended Validation (EV): extended verification of the company (organization); green bar in the address bar; organization name shown in the address bar; strongest level of trust; issued within 3-7 days.
Encryption -> Organization name -> Green bar -> More Trust

SSL certificate types by trust level (2): DV SSL, OV SSL, EV SSL
CA/B (Certificate Authority & Browser) Forum

Introduction to the CA/B Forum
The CA (Certificate Authority) / Browser Forum is a voluntary industry consortium of internet browser software vendors, operating system vendors, and other providers of PKI-enabled applications. It publishes industry guidelines governing the issuance and management of X.509-based certificates: guidelines for certificates used in system and network security, such as SSL/TLS certificates and Code Signing certificates. For SSL, certificates are classified as DV (domain validated), OV (organization validated), and EV (extended validated), and the forum defines the method for distinguishing these types. https://cabforum.org/
Quiz: which browser?

Browser market share - worldwide

Browser market share - Korea

Browser changes over the past year
Browsers display a warning message for connections that are not HTTPS.
Government websites are moving from HTTP to HTTPS (global trend).
Major browser features are planned to be available only over HTTPS.
HTTP/2 can only be used over HTTPS.
Referrer data is only passed over HTTPS.

Where we are now: more than 75% of Chrome connections and more than 50% of Android connections are over HTTPS.

Comparison of traffic through the Chrome browser, January 2016 vs May 2017 (chart; values as shown: January 2016: 39%, 24%; May 2017: 60%, 56%). Series: share of the top 100 sites implementing HTTPS; share of the top 100 sites implementing HTTPS by default.
SSL certificate market trends

Worldwide market share (OV & EV), February 2017 vs February 2018 (source: Netcraft)
February 2017: Symantec (WS) 33%, DigiCert 18%. February 2018: DigiCert 55%. Other segments shown on the two charts: Comodo 15% and 13%, Entrust 6%, GlobalSign 5%, Other 9%.

Korea market share (OV & EV), February 2017 vs February 2018
February 2017: Symantec (WS) 53%, Other 28%. February 2018: DigiCert 49%, Other 27%. Other segments shown: Comodo 16% and 21%, GlobalSign 2%.

Korea market share by CA (as of March 2018), OV SSL and EV SSL charts
Values shown: DigiCert 48.51% and 65.06%, Comodo 19.67% and 26.68%, GlobalSign 7.4%, GPKI 29.30%.
Source: NETCRAFT LTD, March 2018, https://ssl.netcraft.com/surveys/analysis/https/2018/mar/cmatch/certs_kr.html

Market growth, Global vs Korea (chart series labelled DV and OV & EV)
Series 1, Global: 2016 3.4M, 2017 15.4M, 2018 26.9M. Korea: 2016 18K, 2017 26K, 2018 54K.
Series 2, Global: 2016 1.1M, 2017 1.2M, 2018 1.6M. Korea: 2016 13K, 2017 13K, 2018 14K.
GPKI warning messages in Chrome and Safari mobile

GPKI warning message in Firefox

Changes in Chrome

Changes in Chrome (2)
Google's Chrome 68, scheduled for release in July 2018, will flag every website that does not use HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) security and will display a 'Not secure' message starting in July 2018.
Sources: https://blog.chromium.org/2018/02/a-secure-web-is-here-to-stay.html ; http://www.dailysecu.com/?mod=news&act=articleview&idxno=29907

Changes in other browsers
Firefox stopped providing geolocation services over HTTP (Version 55): https://bugzilla.mozilla.org/show_bug.cgi?id=1072859
Apple has begun checking CT (Certificate Transparency): https://developer.apple.com/library/content/documentation/general/reference/infoplistkeyreference/articles/cocoakeys.html
Microsoft plans to revoke DV certificates used on dangerous sites.
Phishing update

Which is the real CrossCert website? <DV SSL> vs <EV SSL>

BLOCKED PHISHING CERTIFICATES: Let's Encrypt, Comodo
Let's Encrypt and Comodo are attractive to fraudsters as both offer automated, domain-validated certificates at no cost to end users. Let's Encrypt's ACME protocol allows for free automated issuance, while Comodo offers no-cost certificates via its trial certificates, cPanel AutoSSL, and its Cloudflare partnership. Source: https://toolbar.netcraft.com/stats/certificate_authorities

Certificates seen on phishing sites (count per CA)
Comodo 2100
Let's Encrypt 3109
GoDaddy 69
TrustAsia 4
Symantec 50
STRATO AG 9
StartCom 6
Amazon 3
GlobalSign 15
Actalis 19
Source: Netcraft 2017

Is a DV certificate alone enough to be safe?
Is this site safe? Is this the site I was actually looking for? Is this site free of security vulnerabilities? Is this site free of malware? Can I trust this site for e-commerce?
SORRY. A DV certificate is the minimum security measure: it only means that the connection between the client and the server at that URL is encrypted.
IoT trends

Number of organizations hit by targeted attacks, 2015 to 2017 (chart values shown: 532, 528, 479). Top 10 countries affected by targeted attacks: U.S., India, Japan, Taiwan, Ukraine, South Korea, Brunei, Russia, Vietnam, Pakistan. Source: Symantec 2018 ISTR

Motives of targeted attack groups: Financial 9.3%, Disruption 11.4%, Intelligence Gathering 90.0%
Top 10 countries affected by targeted attacks (rank, country, total)
1 U.S. 303
2 India 133
3 Japan 87
4 Taiwan 59
5 Ukraine 49
6 South Korea 45
7 Brunei 34
8 Russia 32
9 Vietnam 29
10 Pakistan 22
Source: Symantec 2018 ISTR

Most common app categories for malware (rank, category, percent of malware)
1 Lifestyle 27.3
2 Music & Audio 19.7
3 Books & Reference 9.9
4 Entertainment 6.2
5 Tools 5.5
6 House & Home 4.5
7 Education 3.9
8 Art & Design 3.7
9 Photography 2.7
10 Casual Games 2.2
Sensitive information leaked by apps (values shown): Installed App Info 35, Location Info 37, Phone Number 63
Source: Symantec 2018 ISTR

MOST COMMON APP CATEGORIES FOR MALWARE (rank, category, percent of malware)
1 Router 33.6
2 DVR (Digital Video Recorder) 23.2
3 Network 9.3
4 Satellite Dish 7.3
5 DSL/Cable Modem 7
6 SOHO Router 4.7
7 NAS (Network Attached Storage) 3.6
8 Camera 3.5
9 PLC (Programmable Logic Controller) 3.4
10 Alarm System 1.9
Figure: Increase in IoT attacks from 2016 to 2017
Source: Symantec 2018 ISTR

25 billion connected devices by 2020
1 billion IoT devices in Japan by 2020
China: 27% of global M2M connections; Europe: 29%; US: 19%
China government spend for M2M: USD 603B
Global IoT security market (includes IAM, IPS, UTP, DLP, Analytics): 2015: USD 6.89 billion; 2020: USD 28.9 billion; CAGR: 33.2% from 2015 to 2020; NAM: largest market
Security & privacy concerns: ubiquitous data collection; unintended data use
Figure: Global internet device installed base forecast (Wearables, Smart TVs, Internet of Things, Tablets, Smartphones, PCs)
Source: Gartner, IDC, Strategy Analytics, Machina Research, company filings, BII estimates

IoT attacks are expected to become even more diverse as attackers (hackers) look for new kinds of devices.
Because basic practices are not followed, such as passwords being left unchanged for long periods and vulnerabilities not being patched regularly, IoT will continue to be plagued by attacks.
Attackers (hackers) have already moved beyond routers and regard a wide range of connected devices as serious targets.
Source: Symantec 2018 ISTR
Company introduction - DigiCert and CrossCert (Korea Electronic Certification Authority)

DigiCert: global leader
A leading provider of high-assurance SSL, PKI & IoT solutions*
Provides identity verification, authentication, and encryption solutions for websites and IoT
Secures 26 billion web connections every day
Preferred provider of the Global 2,000 (83%, and 97 of the top 100 global banks)
Through the acquisition of Symantec's SSL business in October 2017, DigiCert gained industry-leading technology and offers simpler SSL, PKI & IoT solutions
#1 SSL provider for enterprise; 1,000+ employees; 180+ countries served; 24/7/365 customer support
*according to Netcraft and 451 Group analysis. Offices: Lehi, Utah; St. George, Utah; Tokyo, Japan; Mountain View, California; Cape Town, South Africa; Dublin, Ireland; Melbourne, Australia; Pune, India & many others

October 2017: DigiCert completed the acquisition of Symantec's WSS business
VeriSign / Symantec timeline: VeriSign becomes first CA; VeriSign Japan founded; first international CA; first enterprise certificate management platform; first partner program; VeriSign checkmark seal launched; founding member of the CA/B Forum; VeriSign acquired by Symantec; the VeriSign checkmark seal becomes Norton Secured; first to partner with Microsoft in enabling EV Code Signing; VeriSign Japan acquired by Symantec; founding member of the CA Security Council (CASC); first to offer cloud-based code signing and certificates as a service; launches Norton Shopping Guarantee; launches Encryption Everywhere.
DigiCert timeline: DigiCert begins; founding member of the CA/B Forum; DigiCert partners with Microsoft to develop the first Multi-Domain (SAN) certificate; first to partner with Microsoft in enabling EV Code Signing; founding member of the CA Security Council (CASC); first CA to launch a Certificate Transparency log server; DigiCert launches IoT platform; DigiCert acquires Verizon SSL/TLS business; DigiCert leads with full integration with Microsoft Azure Key Vault; John Merrill named CEO of DigiCert; DigiCert acquires Symantec's Website Security business and related PKI solutions; DigiCert integrates all of the Symantec WSS backend.

DigiCert: proven enterprise solutions
5.7 million PKI seats loaded to accounts at Symantec last year; millions of PKI seats loaded to Processing Centers and CLPs; 11,500 secure online transactions enabled every second; 5 billion certificates validated every day; more than 1 billion device certificates issued to date.
Simplified, Transparent, Automated, Flexible, Cross-platform (Applications, Browsers, Devices), Scalable, Reliable, Efficient, Extensible

CrossCert (Korea Electronic Certification Authority): the most trusted leading company in the Korean SSL market
Global certification authority, domain services, AIBrain
AIBrain Inc, Palo Alto, CA; AIBrain AG, Berlin, Germany; AIBrain Shenzhen, China; AIBrain Korea; Turing AI Holdings GmbH, Berlin, Germany

Thank you.
DigiCert Ireland Limited, Korea Branch: 나정주 (Director), James.nah@digicert.com
Korea Electronic Certification Authority (CrossCert): 김현주 (Leader), marketing@crosscert.com