PKI と Proxy Server の SSL/TLS 通信フロー

パターン1: 通常のSSL/TLS通信（Proxyなし）

[Client]                    [Server]                    [CA (Certificate Authority)]
   |                           |                                    |
   |--- (1) ClientHello ------>|                                    |
   |                           |                                    |
   |<--- (2) ServerHello ------|                                    |
   |<--- (3) Certificate ------|                                    |
   |    (サーバ証明書送信)        |                                    |
   |                           |                                    |
   |--- (4) 証明書検証 -------->|                                    |
   |  ・発行者(Issuer)確認      |                                    |
   |  ・有効期限チェック         |                                    |
   |  ・失効リスト(CRL/OCSP)    |---(5) 証明書ステータス確認----------->|
   |                           |<---(6) ステータス応答-----------------|
   |  ・デジタル署名検証         |                                    |
   |    (CA公開鍵で検証)        |                                    |
   |                           |                                    |
   |--- (7) ClientKeyExchange ->|                                    |
   |    (暗号化されたPreMasterSecret)                               |
   |                           |                                    |
   |--- (8) ChangeCipherSpec ->|                                    |
   |--- (9) Finished ---------->|                                    |
   |                           |                                    |
   |<-- (10) ChangeCipherSpec -|                                    |
   |<-- (11) Finished ---------|                                    |
   |                           |                                    |
   |=== (12) 暗号化通信開始 ====|                                    |
   |                           |                                    |

パターン2: Forward Proxy経由のSSL/TLS通信

[Client]              [Forward Proxy]              [Server]              [CA]
   |                        |                         |                    |
   |-(1) CONNECT要求------->|                         |                    |
   | (例: CONNECT server:443)|                        |                    |
   |                        |                         |                    |
   |<-(2) 200 Connection----|                         |                    |
   |     Established         |                         |                    |
   |                        |                         |                    |
   |===(3) SSL Tunnel確立====|                         |                    |
   |                        |                         |                    |
   |-(4) ClientHello------->|-(転送)----------------->|                    |
   |                        |                         |                    |
   |<-(5) ServerHello-------|<-(転送)-----------------|                    |
   |<-(6) Certificate-------|<-(転送)-----------------|                    |
   |                        |                         |                    |
   |-(7) 証明書検証----------|--(透過的転送)---------->|                    |
   |    (Clientが直接実行)   |                         |                    |
   |                        |                         |                    |
   |-(8) KeyExchange------->|-(転送)----------------->|                    |
   |                        |                         |                    |
   |===(9) 暗号化通信========|===(透過的転送)==========|                    |
   |   (Proxyは内容を見れない)|                        |                    |

パターン3: SSL Inspection Proxy（中間者型）

[Client]              [Inspection Proxy]           [Server]              [CA]
   |                        |                         |                    |
   |-(1) ClientHello------->|                         |                    |
   |                        |-(2) ClientHello-------->|                    |
   |                        |                         |                    |
   |                        |<-(3) ServerHello--------|                    |
   |                        |<-(4) Server証明書-------|                    |
   |                        |                         |                    |
   |                        |-(5) 証明書検証--------->|---(CRL/OCSP)----->|
   |                        |                         |<-------------------|
   |                        |                         |                    |
   |<-(6) ServerHello------|                         |                    |
   |<-(7) Proxy発行の--------|                         |                    |
   |     代理証明書          |                         |                    |
   |  (Proxyの秘密鍵で署名)  |                         |                    |
   |                        |                         |                    |
   |-(8) 証明書検証:         |                         |                    |
   |  ★Proxy CAが信頼済み  |                         |                    |
   |    ストアに必要         |                         |                    |
   |                        |                         |                    |
   |-(9) KeyExchange------->|                         |                    |
   |                        |-(10) KeyExchange------->|                    |
   |                        |                         |                    |
   |===(11)暗号化通信=======|===(12)暗号化通信========|                    |
   | (Proxy-Client間)       | (Proxy-Server間)        |                    |
   |                        |                         |                    |
   |                        |--(13) 通信内容を--------                     |
   |                        |      復号化・検査                             |
   |                        |      (ウイルススキャン等)                      |

PKI証明書チェーンの検証フロー

[サーバ証明書]
      |
      | (1) 発行者(Issuer)を確認
      ↓
[中間CA証明書]
      |
      | (2) 発行者を確認
      ↓
[ルートCA証明書]
      |
      | (3) 信頼されたルート証明書
      |     ストアに存在するか確認
      ↓
[検証成功] → SSL/TLS通信続行

検証項目:
├─ (A) 証明書の有効期限
├─ (B) デジタル署名の検証
├─ (C) ドメイン名の一致(CN/SAN)
├─ (D) 証明書失効リスト(CRL)
└─ (E) OCSPレスポンス確認

重要なセキュリティポイント

[証明書検証失敗のケース]

1. 期限切れ
   証明書の有効期限 < 現在時刻 → エラー

2. 自己署名証明書
   発行者 = サブジェクト → 警告
   (信頼されたストアになし)

3. ドメイン不一致
   証明書のCN/SAN ≠ アクセス先ドメイン → エラー

4. 失効された証明書
   CRL/OCSPで失効確認 → エラー

5. 証明書チェーン不完全
   中間CA証明書が欠落 → エラー

このフローチャートは情報処理安全確保支援士試験の出題範囲に基づいています。ご質問があればお気軽にどうぞ！

PKI System - Text-Based Flowchart

1. PKI Overall Structure

┌─────────────────────────────────────────────────────────────┐
│                      Root CA (認証局)                         │
│                  [最上位認証局]                               │
│            - 自己署名証明書を発行                              │
│            - 下位CAの証明書に署名                              │
└──────────────────┬──────────────────────────────────────────┘
                   │
                   ├─────────────────┬─────────────────┐
                   ▼                 ▼                 ▼
          ┌────────────────┐ ┌────────────────┐ ┌────────────────┐
          │  中間CA        │ │  中間CA        │ │  中間CA        │
          │ (Intermediate) │ │ (Intermediate) │ │ (Intermediate) │
          └────────┬───────┘ └────────┬───────┘ └────────┬───────┘
                   │                  │                  │
                   ▼                  ▼                  ▼
          ┌────────────────┐ ┌────────────────┐ ┌────────────────┐
          │  発行CA        │ │  発行CA        │ │  発行CA        │
          │   (Issuing)    │ │   (Issuing)    │ │   (Issuing)    │
          └────────┬───────┘ └────────┬───────┘ └────────┬───────┘
                   │                  │                  │
                   └──────────┬───────┴──────────────────┘
                              ▼
                   ┌────────────────────┐
                   │  エンドエンティティ  │
                   │  (End Entity)      │
                   │  - ユーザー         │
                   │  - サーバー         │
                   │  - デバイス         │
                   └────────────────────┘

2. Certificate Issuance Process (証明書発行フロー)

【申請者】                【RA】              【CA】              【リポジトリ】
   │                     │                   │                    │
   │ ①鍵ペア生成          │                   │                    │
   │ (公開鍵/秘密鍵)       │                   │                    │
   │                     │                   │                    │
   │ ②証明書申請(CSR)     │                   │                    │
   │ + 本人確認書類        │                   │                    │
   ├────────────────────>│                   │                    │
   │                     │                   │                    │
   │                     │ ③本人確認         │                    │
   │                     │   申請内容審査     │                    │
   │                     │                   │                    │
   │                     │ ④証明書発行要求   │                    │
   │                     ├──────────────────>│                    │
   │                     │                   │                    │
   │                     │                   │ ⑤証明書生成       │
   │                     │                   │  - CAの秘密鍵で署名│
   │                     │                   │                    │
   │                     │  ⑥証明書発行      │                    │
   │                     │<──────────────────┤                    │
   │  ⑦証明書交付        │                   │                    │
   │<────────────────────┤                   │                    │
   │                     │                   │                    │
   │                     │                   │ ⑧証明書公開       │
   │                     │                   ├───────────────────>│
   │                     │                   │                    │
   │ ⑨秘密鍵保管          │                   │                    │
   │  (厳重管理)          │                   │                    │
   │                     │                   │                    │

3. Digital Signature & Verification (デジタル署名・検証フロー)

【送信者】                                      【受信者】

┌──────────────┐                           ┌──────────────┐
│  ①メッセージ  │                           │              │
└──────┬───────┘                           │              │
       │                                   │              │
       ▼                                   │              │
┌──────────────┐                           │              │
│ ②ハッシュ計算 │                           │              │
│  (SHA-256等)  │                           │              │
└──────┬───────┘                           │              │
       │                                   │              │
       ▼                                   │              │
┌──────────────┐                           │              │
│③送信者の秘密鍵│                           │              │
│  で暗号化     │                           │              │
│ =デジタル署名 │                           │              │
└──────┬───────┘                           │              │
       │                                   │              │
       ▼                                   │              │
┌──────────────────────┐                   │              │
│④メッセージ+デジタル署名│                   │              │
│   +証明書を送信      │                   │              │
└──────┬───────────────┘                   │              │
       │                                   │              │
       └──────────────────────────────────>│              │
                                           │              │
                                           ▼              │
                                    ┌──────────────┐     │
                                    │⑤証明書検証    │     │
                                    │ - CA署名確認  │     │
                                    │ - 有効期限確認│     │
                                    │ - CRL確認     │     │
                                    └──────┬───────┘     │
                                           ▼              │
                                    ┌──────────────┐     │
                                    │⑥証明書から   │     │
                                    │ 公開鍵取得   │     │
                                    └──────┬───────┘     │
                                           ▼              │
                                    ┌──────────────┐     │
                                    │⑦デジタル署名 │     │
                                    │ を公開鍵で復号│     │
                                    └──────┬───────┘     │
                                           ▼              │
                                    ┌──────────────┐     │
                                    │⑧メッセージの │     │
                                    │ ハッシュ計算 │     │
                                    └──────┬───────┘     │
                                           ▼              │
                                    ┌──────────────┐     │
                                    │⑨ハッシュ値   │     │
                                    │  比較        │     │
                                    │ 一致→検証OK  │     │
                                    └──────────────┘     │
                                                          │

4. Certificate Revocation Process (証明書失効フロー)

┌─────────────────────────────────────────────────────────────┐
│               証明書失効が必要な場合                          │
│  - 秘密鍵の漏洩・紛失                                        │
│  - 証明書記載内容の変更                                      │
│  - CAの秘密鍵漏洩                                            │
└──────────────────┬──────────────────────────────────────────┘
                   ▼
          ┌────────────────┐
          │  ①失効申請     │
          │  (証明書保有者) │
          └────────┬───────┘
                   ▼
          ┌────────────────┐
          │  ②本人確認     │
          │  失効理由確認  │
          │     (RA)       │
          └────────┬───────┘
                   ▼
          ┌────────────────┐
          │  ③失効処理     │
          │  シリアル番号  │
          │  登録 (CA)     │
          └────────┬───────┘
                   │
         ┌─────────┴─────────┐
         ▼                   ▼
┌─────────────────┐  ┌─────────────────┐
│ ④CRL発行        │  │ ④OCSPレスポンダ │
│ (Certificate    │  │   更新          │
│  Revocation     │  │ (Online         │
│  List)          │  │  Certificate    │
│                 │  │  Status         │
│ - 定期的に更新  │  │  Protocol)      │
│ - 失効証明書    │  │                 │
│   リスト公開    │  │ - リアルタイム  │
└────────┬────────┘  │   状態確認      │
         │            └────────┬────────┘
         │                     │
         └──────────┬──────────┘
                    ▼
           ┌────────────────┐
           │ ⑤リポジトリ    │
           │   に公開       │
           └────────────────┘

5. Certificate Validation (証明書検証フロー)

    開始
     │
     ▼
┌─────────────────┐
│ 証明書の署名検証 │
│ (CAの公開鍵使用) │
└────┬────────────┘
     │
     ▼
  署名OK?──No──> 【検証失敗】
     │Yes
     ▼
┌─────────────────┐
│ 有効期限確認    │
│ (notBefore/     │
│  notAfter)      │
└────┬────────────┘
     │
     ▼
  期限内?──No──> 【検証失敗】
     │Yes
     ▼
┌─────────────────┐
│ 証明書の用途確認 │
│ (Key Usage/     │
│  Extended Key   │
│  Usage)         │
└────┬────────────┘
     │
     ▼
  用途OK?──No──> 【検証失敗】
     │Yes
     ▼
┌─────────────────┐
│ 失効状態確認    │
│ ①CRLチェック   │
│ または          │
│ ②OCSPクエリ    │
└────┬────────────┘
     │
     ▼
  失効なし?──No──> 【検証失敗】
     │Yes
     ▼
┌─────────────────┐
│ 証明書チェーン  │
│ 検証            │
│ (Root CAまで)   │
└────┬────────────┘
     │
     ▼
  チェーンOK?──No──> 【検証失敗】
     │Yes
     ▼
  【検証成功】

6. Key PKI Components (主要コンポーネント)

┌──────────────────────────────────────────────────────────┐
│                  PKI構成要素                              │
├──────────────────────────────────────────────────────────┤
│                                                           │
│  ┌────────────┐    ┌────────────┐    ┌────────────┐    │
│  │    CA      │    │    RA      │    │リポジトリ   │    │
│  │  認証局    │    │  登録局    │    │            │    │
│  │            │    │            │    │ - 証明書   │    │
│  │ - 証明書発行│   │ - 本人確認 │    │ - CRL      │    │
│  │ - 証明書署名│   │ - 申請審査 │    │ - ARL      │    │
│  │ - CRL発行  │    │            │    │            │    │
│  └────────────┘    └────────────┘    └────────────┘    │
│                                                           │
│  ┌────────────┐    ┌────────────┐    ┌────────────┐    │
│  │   OCSP     │    │タイムスタンプ│   │  VA        │    │
│  │ レスポンダ  │    │  局 (TSA)  │    │ 検証局     │    │
│  │            │    │            │    │            │    │
│  │ - リアル   │    │ - 時刻証明 │    │ - 証明書   │    │
│  │   タイム   │    │ - 長期署名 │    │   検証     │    │
│  │   失効確認 │    │            │    │            │    │
│  └────────────┘    └────────────┘    └────────────┘    │
│                                                           │
└──────────────────────────────────────────────────────────┘

この図は情報セキュリティスペシャリスト/情報安全支援士試験で重要なPKIの基本的な流れを示しています。

PKI: Theory vs Real-World Operations - Text-Based Flowchart Comparison

1. Certificate Issuance Process

📘 PKI Theory (Textbook)

START
  ↓
[User generates key pair]
  ↓
[Create CSR with public key]
  ↓
[Submit CSR to RA]
  ↓
[RA validates identity]
  ↓
[RA forwards to CA]
  ↓
[CA signs certificate]
  ↓
[Certificate issued instantly]
  ↓
[User installs certificate]
  ↓
END (Success)

🌍 Real-World Operation

START
  ↓
[User tries to generate key pair]
  ↓
[Wrong key size selected] ───→ [Regenerate]
  ↓                              ↑
[Create CSR]                     |
  ↓                              |
[Missing required fields] ───────┘
  ↓
[Submit to RA web portal]
  ↓
[Portal timeout/error] ───→ [Retry 3 times]
  ↓                          ↓
[RA manual review]      [Call support]
  ↓                          ↓
[Additional documents] ←─────┘
  ↓
[Wait 2-5 business days]
  ↓
[CA processing queue]
  ↓
[Certificate issued]
  ↓
[Email notification goes to spam]
  ↓
[Find certificate 3 days later]
  ↓
[Installation fails - wrong format]
  ↓
[Convert PEM to DER]
  ↓
[Finally installed]
  ↓
END (Success after 1 week)

2. Certificate Validation Process

📘 PKI Theory

START: Client connects to server
  ↓
[Receive server certificate]
  ↓
[Check validity period] ─── Valid? ─── No ──→ [REJECT]
  ↓ Yes
[Verify signature with CA public key]
  ↓
[Check revocation status (CRL/OCSP)]
  ↓
[Build certificate chain to root]
  ↓
[All checks pass]
  ↓
[ACCEPT - Establish connection]
  ↓
END

🌍 Real-World Operation

START: Client connects to server
  ↓
[Receive server certificate]
  ↓
[Check validity period]
  ↓
Valid? ──No──→ [Certificate expired]
  ↓ Yes              ↓
[Verify signature]   [Show warning]
  ↓                  ↓
[Check revocation]   [User clicks "Continue Anyway"]
  ↓                  ↓
[OCSP responder]     [Connection established with expired cert]
  ↓                  ↓
[Timeout after]      END (Insecure)
[30 seconds]
  ↓
[Fallback to CRL]
  ↓
[CRL download: 50MB file]
  ↓
[Network congestion]
  ↓
[CRL 2 days old - stale]
  ↓
[Skip revocation check]
  ↓                    [Clock skew on client]
[Build cert chain]           ↓
  ↓                    [Validation fails]
[Missing intermediate]       ↓
  ↓                    [User ignores error]
[Fetch from AIA]            ↓
  ↓                    [Proceeds anyway]
[Server slow response]
  ↓
[Use cached intermediate cert]
  ↓
[Certificate pinning fails]
  ↓
[Developer disabled pinning for testing]
  ↓
[ACCEPT despite multiple issues]
  ↓
END (Connected with warnings ignored)

3. Certificate Revocation Handling

📘 PKI Theory

START: Private key compromised
  ↓
[Immediately notify CA]
  ↓
[CA revokes certificate]
  ↓
[Add to CRL instantly]
  ↓
[Update OCSP responder]
  ↓
[All clients check revocation]
  ↓
[Revoked cert rejected everywhere]
  ↓
END (Security maintained)

🌍 Real-World Operation

START: Private key compromised
  ↓
[Discover breach 3 months later]
  ↓
[Security team meeting]
  ↓
[Debate severity]
  ↓
[Wait for management approval]
  ↓
[2 weeks later: Contact CA]
  ↓
[CA support ticket created]
  ↓
[Priority: "Normal" - 5 day SLA]
  ↓
[Escalate to "Urgent"]
  ↓
[CA revokes certificate]
  ↓
[Add to CRL] ────────────────┐
  ↓                           ↓
[CRL published every 24hrs]   [Update OCSP]
  ↓                           ↓
[CDN propagation delay]       [OCSP cache: 7 days]
  ↓                           ↓
[Some clients using]          [Stale responses]
[week-old cached CRL]         ↓
  ↓                           [Soft-fail mode enabled]
[Client A: Checks CRL]        ↓
  ↓                           [OCSP timeout = allow]
[Rejects cert] ✓              ↓
  ↓                    [Client B: OCSP check]
[Client C: No revocation]     ↓
[check implemented]    [Gets cached "Good" response]
  ↓                           ↓
[Accepts revoked cert] ✗      [Accepts revoked cert] ✗
  ↓                           ↓
[Breach continues on]  [Breach continues on]
[legacy systems]       [mobile apps]
  ↓
END (Partial security - 60% coverage)

4. Key Management Lifecycle

📘 PKI Theory

START
  ↓
[Generate key pair]
  ↓
[Store private key securely in HSM]
  ↓
[Use key for operations]
  ↓
[Key rotation at scheduled interval]
  ↓
[Secure key destruction]
  ↓
END (Clean lifecycle)

🌍 Real-World Operation

START
  ↓
[Generate key pair on developer laptop]
  ↓
[Copy private key to multiple servers]
  ↓                         ↓
[Email key to coworker]    [Store in Git repo]
  ↓                         ↓
[Key in backup files]      [Accidentally public]
  ↓                              ↓
[HSM too expensive]        [Commit reverted]
  ↓                              ↓
[Store on file share]      [But in Git history]
  ↓                              ↓
[Share drive permissions]       ↓
[misconfigured - world readable]
  ↓
[Key rotation policy: "Annually"]
  ↓
[Year passes]
  ↓
[No one remembers policy]
  ↓
[Key now 5 years old]
  ↓
[Finally rotate key]
  ↓
[Old key "securely deleted"]
  ↓
[Still in 47 backup locations]
  ↓
[Still in VM snapshots]
  ↓
[Still on decommissioned servers]
  ↓
[Still on USB drive in drawer]
  ↓
END (Key lifecycle unclear)

5. TLS Handshake Process

📘 PKI Theory

START
  ↓
[Client Hello]
  ↓
[Server Hello + Certificate]
  ↓
[Client validates certificate]
  ↓
[Key exchange]
  ↓
[Generate session keys]
  ↓
[Encrypted communication begins]
  ↓
END (Secure channel established - 100ms)

🌍 Real-World Operation

START
  ↓
[Client Hello]
  ↓
[Server Hello]
  ↓
[Certificate chain transmission]
  ↓
[Chain has 5 intermediates - not 3]
  ↓
[Extra 200ms latency]
  ↓
[Client validates certificate]
  ↓
[OCSP check] ────→ [Timeout after 5sec]
  ↓                      ↓
[Continue anyway]  [Soft-fail allows]
  ↓
[Key exchange]
  ↓
[Weak cipher selected]
  ↓
[TLS 1.0 fallback due to]
[legacy system compatibility]
  ↓
[Security scan flags weak cipher]
  ↓
[WAF in front adds extra handshake]
  ↓
[Load balancer terminates TLS]
  ↓
[Re-encrypts to backend]
  ↓
[Backend uses self-signed cert]
  ↓
[Certificate validation disabled]
[between LB and backend]
  ↓
[Application finally receives request]
  ↓
END (Connected after 3 seconds, 
     multiple security compromises)

6. Multi-Domain Certificate Deployment

📘 PKI Theory

START
  ↓
[Purchase wildcard cert]
  ↓
[Install on all servers]
  ↓
[All domains secured]
  ↓
END (Simple deployment)

🌍 Real-World Operation

START
  ↓
[Purchase wildcard cert for *.company.com]
  ↓
[Deploy to web servers]
  ↓
[Need cert for *.internal.company.com] ─→ [Wildcard doesn't cover]
  ↓                                         ↓
[Buy separate cert]                   [Exception request]
  ↓                                         ↓
[Deploy to app servers]               [Use self-signed for now]
  ↓                                         ↓
[Need cert for mail.company.com]      [6 months pass]
  ↓                                         ↓
[Wildcard covers this]                ["Temporary" cert still in use]
  ↓
[But mail server uses different vendor]
  ↓
[Vendor requires their CA]
  ↓
[Now managing 3 different CAs]
  ↓
[Renewal dates all different]
  ↓
[Server 1: Cert expires]
  ↓
[Monitoring missed alert]
  ↓
[Users report SSL errors]
  ↓
[Emergency renewal]
  ↓
[Deploy to 47 servers]
  ↓
[Forget server #23]
  ↓
[Errors continue]
  ↓
[Track down missing server]
  ↓
[Deploy to server #23]
  ↓
[But cert has wrong SAN entries]
  ↓
[Re-issue certificate]
  ↓
[Deploy again to 47 servers]
  ↓
[Create spreadsheet to track all certs]
  ↓
[Spreadsheet immediately out of date]
  ↓
END (Eventually working, fragile state)

7. Certificate Monitoring & Renewal

📘 PKI Theory

START
  ↓
[Automated monitoring system]
  ↓
[Alert 30 days before expiry]
  ↓
[Auto-renewal via ACME protocol]
  ↓
[New cert deployed automatically]
  ↓
[Zero downtime]
  ↓
END (Seamless renewal)

🌍 Real-World Operation

START
  ↓
[Manual spreadsheet tracking]
  ↓
[Spreadsheet on someone's laptop]
  ↓
[That person left company]
  ↓
[Cert expires on Saturday night]
  ↓
[Website down]
  ↓
[On-call engineer paged at 2 AM]
  ↓
[Engineer doesn't have CA credentials]
  ↓
[Call manager]
  ↓
[Manager on vacation]
  ↓
[Find alternate contact]
  ↓
[Emergency purchase authority]
  ↓
[CA portal down for maintenance]
  ↓
[Wait 4 hours]
  ↓
[Portal back up]
  ↓
[Purchase new cert]
  ↓
[Validation email sent to]
[former employee's address]
  ↓
[Request email resend]
  ↓
[IT scrambles to create alias]
  ↓
[Validation complete 6 hours later]
  ↓
[Deploy new cert]
  ↓
[Deployment script fails]
  ↓
[Manual deployment to each server]
  ↓
[Website back up 14 hours later]
  ↓
[Post-mortem meeting scheduled]
  ↓
[Action item: Implement monitoring]
  ↓
[Monitoring project added to backlog]
  ↓
[Priority: "Medium"]
  ↓
[Never implemented]
  ↓
END (Ready for next outage)

8. Internal CA vs Public CA Decision

📘 PKI Theory

START
  ↓
[Internal services] → [Use Internal CA]
  ↓
[External services] → [Use Public CA]
  ↓
END (Clear separation)

🌍 Real-World Operation

START
  ↓
[Use Internal CA for internal services]
  ↓
[Deploy root cert to all employee devices]
  ↓
[Mobile devices not included]
  ↓
[Mobile users get cert errors]
  ↓
[Train users to click "Accept"]
  ↓
[Users now trained to ignore cert warnings]
  ↓
[Partner company needs access]
  ↓
[Can't deploy internal CA to partners]
  ↓
[Create exception with public cert]
  ↓
[Now maintaining two systems]
  ↓
[Contractor laptops not managed]
  ↓
[More exceptions needed]
  ↓
[VPN requires client cert]
  ↓
[But uses public CA for web interface]
  ↓
[And internal CA for auth]
  ↓
[Certificate management nightmare]
  ↓
[Team proposes: "Use public CA for everything"]
  ↓
[Finance rejects due to cost]
  ↓
[Team proposes: "Use Let's Encrypt"]
  ↓
[Security rejects: "Not approved vendor"]
  ↓
[Continue with hybrid mess]
  ↓
[Create 200-page documentation]
  ↓
[No one reads it]
  ↓
END (Complicated, inconsistent state)

Key Differences Summary

Aspect	Theory	Reality
Timeline	Minutes	Days to weeks
Success Rate	100%	60-80% on first attempt
Automation	Fully automated	Mostly manual with scripts
Errors	None	Multiple retries common
Documentation	Up to date	Outdated or missing
Human Factor	Perfect execution	Mistakes, delays, politics
Security	No compromises	Multiple workarounds
Cost	Planned budget	Exceeds budget + emergency costs

Common Real-World Issues Not in Theory

[Certificate Pinning]
  ↓
[App update impossible] → [Hardcoded pin expired]
  ↓
[Emergency bypass] → [Security weakened]

[Cross-Platform Issues]
  ↓
[Works on Windows] → [Fails on Linux]
  ↓
[Different cert formats] → [Conversion errors]

[Legacy System Integration]
  ↓
[Old system requires MD5] → [Incompatible with modern certs]
  ↓
[Security exception granted] → [Vulnerability remains]

[Vendor Lock-in]
  ↓
[CA switch needed] → [Apps hardcoded to old CA]
  ↓
[Cannot migrate] → [Paying for two CAs]

This comparison highlights why the Information Security Support Professional exam includes practical scenarios—theory alone doesn't prepare you for real-world PKI operations!

Information Security Professional Exam - PKI Keyword

1. Basic Concepts of PKI

Public Key Infrastructure (PKI) definition and purpose
Difference between Public Key Cryptography and Symmetric Key Cryptography
Hybrid Cryptosystem
Digital Signature mechanism and purpose
Non-repudiation
Use cases for Encryption vs Signature

Sub-keywords:

Asymmetric encryption algorithms
Key pair generation (public/private keys)
Authentication vs confidentiality objectives

2. Digital Certificates

X.509 Certificate structure
Information contained in certificates (Issuer, Subject, Public Key, Validity Period, Serial Number, etc.)
Server Certificate, Client Certificate
Root Certificate
Intermediate Certificate
Certificate Chain
Cross Certification
EV Certificate (Extended Validation)
DV Certificate (Domain Validation)
OV Certificate (Organization Validation)
Wildcard Certificate
SAN Certificate (Subject Alternative Name)

Sub-keywords:

Certificate attributes and extensions
Distinguished Name (DN) format
Certificate fingerprint verification

3. Certificate Authority (CA)

Role and responsibilities of Certificate Authority
Root CA and Intermediate CA
Registration Authority (RA)
CA Hierarchical Structure
Private CA vs Public CA
CP (Certificate Policy)
CPS (Certificate Practice Statement)

Sub-keywords:

Trusted third-party model
CA key management practices
Audit and compliance requirements

4. Certificate Lifecycle Management

Certificate Issuance
Certificate Renewal
Certificate Revocation
CRL (Certificate Revocation List)
OCSP (Online Certificate Status Protocol)
OCSP Stapling
Validity Period management
Key Escrow
Key Renewal and Key Recovery

Sub-keywords:

Certificate enrollment process
Grace period and expiration handling
Emergency revocation procedures

5. Cryptographic Algorithms

Public Key Cryptography

RSA (Key lengths: 2048-bit, 4096-bit)
Elliptic Curve Cryptography (ECC)
DSA (Digital Signature Algorithm)
ECDSA (Elliptic Curve DSA)
ElGamal Cryptosystem

Hash Functions

SHA-2 (SHA-256, SHA-384, SHA-512)
SHA-3
MD5 (deprecated)
SHA-1 (deprecated)
Hash Value, Message Digest

Sub-keywords:

Algorithm strength and key size recommendations
Collision resistance properties
Migration from deprecated algorithms

6. SSL/TLS

SSL (Secure Sockets Layer)
TLS (Transport Layer Security)
TLS 1.2, TLS 1.3
TLS Handshake process flow
Server Authentication and Client Authentication
Cipher Suite
HTTPS
HSTS (HTTP Strict Transport Security)
Man-in-the-Middle (MITM) Attack countermeasures

Sub-keywords:

Perfect Forward Secrecy (PFS)
Session resumption mechanisms
Protocol downgrade attack prevention

7. Trust Models

Hierarchical Trust Model
Cross-Certification Trust Model
Web of Trust (PGP model)
Trust Anchor
Chain of Trust

Sub-keywords:

Trust store management
Bridge CA architecture
Trust propagation mechanisms

8. PKI Threats and Countermeasures

Man-in-the-Middle Attack
Certificate Forgery
Spoofing/Impersonation
Private Key Leakage
Timing Attack
Rainbow Table Attack
CA Compromise
Importance of Certificate Validity Verification

Sub-keywords:

Key compromise detection
Incident response procedures
Cryptographic algorithm weaknesses

9. PKI-Related Protocols & Technologies

S/MIME (Secure/MIME): Email encryption and signing
IPsec: Certificate usage in VPN
Code Signing Certificate
Timestamp
PKCS (Public-Key Cryptography Standards)
- PKCS#7, PKCS#10, PKCS#12, etc.
PEM Format, DER Format

Sub-keywords:

Certificate enrollment protocols (SCEP, EST)
Timestamping Authority (TSA)
Certificate format conversion

10. Implementation & Operational Considerations

Secure Storage of Private Keys
HSM (Hardware Security Module)
Appropriate Key Length Selection
Certificate Inventory Management
Revocation Checking Implementation
Certificate Pinning
CT (Certificate Transparency)
CAA (Certification Authority Authorization) record

Sub-keywords:

Key backup and disaster recovery
Certificate lifecycle automation
Monitoring and alerting systems

11. Related Electronic Signature Laws & Regulations

Electronic Signature Act
Qualified Certificate Services
CRYPTREC (Cryptography Research and Evaluation Committees)
Accredited Certification Business
Time Business Trust and Security Accreditation System

Sub-keywords:

Legal recognition of digital signatures
Compliance requirements for CAs
International standards (eIDAS, etc.)

12. Frequently Tested Calculations & Mechanisms

RSA encryption calculation principles (prime factorization)
Digital signature verification process
Hash value calculation and tampering detection
Certificate chain verification procedure
Key exchange flow (Diffie-Hellman key exchange, etc.)

Sub-keywords:

Modular arithmetic operations
Signature generation vs verification steps
Certificate path validation algorithm

Study Tips

Be able to diagram the certificate verification process
Understand the differences and use cases between CRL and OCSP
Be able to explain each step of the TLS handshake
Clearly distinguish between keys used for encryption vs signing
Review PKI-related attack methods and countermeasures from past exams

In afternoon (practical) exam questions, scenarios frequently appear where you analyze system architecture diagrams to determine PKI application points, or identify flaws in certificate verification processes. Both theoretical understanding and practical operational knowledge are required.

Information Security Professional Exam - Server Security Keywords

1. Server Hardening (Fortification)

Basic Concepts

Principle of Least Privilege, Principle of Least Functionality
Attack Surface Reduction
Defense in Depth (Multi-layered Defense)
Sub-keywords: Risk Assessment, Baseline Configuration, Security Posture

Specific Countermeasures

Disabling Unnecessary Services and Closing Ports
Patch Management, Security Updates
Access Control (Firewall, ACL)
Sub-keywords: Change Management, Vulnerability Scanning, Configuration Hardening

Account Management

Deleting Unnecessary Accounts, Password Policy
Prohibiting Root Login, Proper sudo Configuration
Sub-keywords: Password Complexity, Account Lockout, Privilege Escalation Prevention

Advanced Security

Log Configuration and Monitoring
Mandatory Access Control (SELinux, AppArmor)
chroot Environment, Sandboxing
Sub-keywords: Container Security, Kernel Hardening, System Integrity

2. Web Server Security

Major Vulnerabilities

SQL Injection
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Sub-keywords: Reflected XSS, Stored XSS, DOM-based XSS

Path and Session Attacks

Directory Traversal
Session Management Vulnerabilities (Session Hijacking, Fixation)
HTTP Header Injection
Sub-keywords: Path Manipulation, Session Timeout, Token-based Authentication

File Upload Vulnerabilities

Unrestricted File Upload
Remote Code Execution
Sub-keywords: File Type Validation, MIME Type Checking, Upload Directory Permissions

Countermeasure Technologies

WAF (Web Application Firewall)
Input Validation, Sanitization
HTTPS Implementation (SSL/TLS)
Sub-keywords: Certificate Management, Perfect Forward Secrecy, TLS 1.3

Secure Headers and Cookies

Secure HTTP Headers (HSTS, CSP, X-Frame-Options)
Cookie Security Attributes (Secure, HttpOnly, SameSite)
Sub-keywords: Clickjacking Prevention, Content Security Policy, CORS

Error Handling

Proper Error Handling (Concealing Detailed Information)
Disabling Directory Listing
Sub-keywords: Custom Error Pages, Information Disclosure Prevention, Stack Trace Suppression

3. DNS Server Security

Major Threats

DNS Cache Poisoning
DNS Spoofing
DNS Amplification Attack (DDoS)
Sub-keywords: Kaminsky Attack, Birthday Attack, Reflection Attack

Zone Transfer Issues

Unauthorized Zone Transfer Exploitation
DNS Tunneling
Sub-keywords: AXFR Restriction, Data Exfiltration, Covert Channels

Countermeasures

DNSSEC (DNS Security Extensions) Implementation
Zone Transfer Restrictions
Recursive Query Limitations
Sub-keywords: Chain of Trust, Key Signing Key (KSK), Zone Signing Key (ZSK)

Rate Limiting and Architecture

Rate Limiting, Response Rate Limiting (RRL)
Separation of Authoritative and Cache Servers
Source Port Randomization
Sub-keywords: Query Flooding, Anycast, Split DNS

Maintenance

Regular Patch Application
Sub-keywords: Version Disclosure Prevention, BIND Alternatives, DNS Monitoring

4. Proxy Server Security

Types and Roles

Forward Proxy vs Reverse Proxy
Transparent Proxy vs Non-transparent Proxy
Sub-keywords: Load Balancing, SSL Offloading, Caching Strategy

Security Countermeasures

Access Control (Authentication, ACL)
Content Filtering
Logging and Monitoring
Sub-keywords: URL Filtering, Category-based Blocking, Whitelist/Blacklist

SSL/TLS Inspection

SSL/TLS Inspection
Cache Poisoning Countermeasures
Sub-keywords: Certificate Pinning, Man-in-the-Middle Detection, Encrypted Traffic Analysis

Prevention Measures

Open Proxy Prevention
Rate Limiting, Bandwidth Control
Virus Scanning Integration
Sub-keywords: Anonymous Proxy Detection, Connection Pooling, Request Throttling

Threats

Unauthorized Proxy Usage
Man-in-the-Middle Attack (MITM)
Information Leakage via Proxy
Sub-keywords: Proxy Chaining, Header Manipulation, Request Smuggling

5. Database Server Security

Major Threats

SQL Injection
Privilege Escalation Attack
Unauthorized Database Access
Sub-keywords: Second-order SQL Injection, Time-based Blind SQLi, Out-of-band SQLi

Data Protection Threats

Data Leakage
Backup Data Theft
Sub-keywords: Insider Threats, Data Exfiltration, Shadow IT

Countermeasures - Query Security

Prepared Statements (Parameterized Queries)
Stored Procedure Usage
Sub-keywords: ORM Frameworks, Query Whitelisting, Input Sanitization

Access Control

Principle of Least Privilege (User Privilege Management)
Deleting/Changing Default Accounts
Network-level Access Restrictions
Sub-keywords: Role-based Access Control (RBAC), Attribute-based Access Control (ABAC), Connection Pooling

Encryption

Database Encryption (Transparent Encryption, Column-level Encryption)
Communication Encryption (SSL/TLS Connection)
Backup Encryption and Secure Storage
Sub-keywords: Key Management, Data-at-rest Encryption, Tokenization

Monitoring and Protection

Audit Log Recording
Database Firewall
Database Activity Monitoring (DAM)
Sub-keywords: Anomaly Detection, Real-time Alerting, Compliance Reporting

Other Important Items

Blind SQL Injection
NoSQL Injection
Data Masking
Sub-keywords: Dynamic Data Masking, Static Data Masking, Synthetic Test Data

Study Tips: It's important to understand these keywords and concepts, and memorize the principles and implementation methods of countermeasures for each threat. I especially recommend learning each attack technique together with its corresponding countermeasures as a set.

Information Security Specialist Exam - Physical Security

1. Access Control Management

Authentication methods (biometric, IC card, PIN)
Anti-passback
Interlock (double door system)
Server room/data center access logs
Tailgating prevention

Sub-keywords:

Multi-factor authentication (MFA)
Badge readers and proximity cards
Access control lists (ACL)

2. Facility & Equipment Security

Security zoning (area segregation)
Clear desk/clear screen policy
CCTV (surveillance cameras)
Manned and automated security
Perimeter security and boundary protection
Uninterruptible Power Supply (UPS)
Emergency generator systems

Sub-keywords:

Security guards and patrol schedules
Bollards and barriers
Visitor management systems

3. Environmental Security

HVAC management (temperature/humidity control)
Water leak detection systems
Dust prevention measures
Power redundancy
Seismic and earthquake-resistant structures

Sub-keywords:

Hot aisle/cold aisle containment
Environmental monitoring sensors
Raised floor systems

4. Disaster Preparedness

Fire suppression systems (gas suppression, sprinklers)
Fire alarms and smoke detectors
Fire compartmentalization
Emergency lighting
Evacuation route planning
BCP (Business Continuity Plan) physical measures

Sub-keywords:

Fire drills and evacuation procedures
Emergency response teams (ERT)
Disaster recovery site (hot/cold/warm site)

5. Device & Media Management

Locked storage (cabinets, safes)
Media checkout/check-in procedures
Data destruction (physical destruction, degaussing)
Shredding procedures
Cable locks and theft prevention

Sub-keywords:

Asset tracking and inventory
Chain of custody documentation
Secure disposal certification

6. Eavesdropping & Visual Hacking Prevention

TEMPEST (electromagnetic emanation protection)
Privacy filters/screen protectors
Soundproofing for conference rooms
Shoulder surfing prevention

Sub-keywords:

White noise generators
Faraday cage implementation
Visual privacy zones

7. Standards & Guidelines

ISO/IEC 27001/27002 (physical security controls)
Data center facility standards
Tier classification (data center reliability levels)

Sub-keywords:

NIST SP 800-53 physical controls
TIA-942 data center standards
ANSI/TIA standards for physical security

Key study points: Understand the purpose, implementation methods, and relationship to risk mitigation for each measure.

情報処理安全確保支援士試験 - 科目の概要と項目別詳細

試験構成

科目	時間	形式	問題数	合格基準
午前Ⅰ	50分	多肢選択式（4肢択一）	30問	60点以上/100点
午前Ⅱ	40分	多肢選択式（4肢択一）	25問	60点以上/100点
午後Ⅰ	90分	記述式	3問中2問選択	60点以上/100点
午後Ⅱ	120分	記述式	2問中1問選択	60点以上/100点

午前Ⅰ（基礎知識）

出題範囲

応用情報技術者試験レベルの幅広いIT知識

主な出題分野：

1. テクノロジ系（技術分野）

基礎理論（離散数学、アルゴリズム、プログラミング）
コンピュータシステム（アーキテクチャ、OS、ハードウェア）
データベース（SQL、正規化、トランザクション）
ネットワーク（TCP/IP、ルーティング、プロトコル）
セキュリティ（暗号、認証、攻撃手法の基礎）

2. マネジメント系

プロジェクトマネジメント
サービスマネジメント（ITIL）
システム監査

3. ストラテジ系

システム戦略
経営戦略
企業と法務

免除制度：

応用情報技術者試験合格者
他の高度試験合格者
午前Ⅰ通過後2年以内の再受験者

午前Ⅱ（専門知識）

セキュリティ分野に特化した専門知識

主な出題項目：

1. 情報セキュリティマネジメント

セキュリティポリシー策定
リスクアセスメント・リスク対応
ISMS（ISO/IEC 27001）
CSIRT構築・運用
インシデント対応プロセス

2. セキュリティ技術

暗号技術

共通鍵暗号（AES、DESなど）
公開鍵暗号（RSA、楕円曲線暗号）
ハッシュ関数（SHA-256など）
デジタル署名、PKI

認証・アクセス制御

パスワード認証、生体認証
シングルサインオン（SSO）
多要素認証（MFA）
OAuth、SAML
アクセス制御モデル（DAC、MAC、RBAC）

ネットワークセキュリティ

ファイアウォール
IDS/IPS（侵入検知・防御システム）
VPN（IPsec、SSL-VPN）
無線LANセキュリティ（WPA3など）
DMZ構成

3. 脅威と脆弱性

攻撃手法

マルウェア（ウイルス、ランサムウェア、トロイの木馬）
Webアプリケーション攻撃
- SQLインジェクション
- XSS（クロスサイトスクリプティング）
- CSRF（クロスサイトリクエストフォージェリ）
- ディレクトリトラバーサル
DoS/DDoS攻撃
標的型攻撃
ソーシャルエンジニアリング

脆弱性対策

セキュアプログラミング
脆弱性診断
ペネトレーションテスト
パッチマネジメント

4. セキュリティ実装

セキュアOS
データベースセキュリティ
メールセキュリティ（SPF、DKIM、DMARC）
ログ管理・監視
バックアップ・BCP/DR

5. 法律・標準

個人情報保護法
不正アクセス禁止法
サイバーセキュリティ基本法
ISO/IEC 27001、27002
JIS Q 15001（プライバシーマーク）

午後Ⅰ（応用力・記述式）

試験形式

3問中2問を選択して解答
シナリオベースの事例問題
穴埋め、短文記述（20〜50字程度）

主な出題テーマ

1. Webアプリケーションセキュリティ

脆弱性診断結果の分析
SQLインジェクション対策の実装
セッション管理の安全性評価
セキュアコーディング

2. ネットワークセキュリティ設計

ファイアウォールルールの設定
ネットワーク構成の評価
VPN設計
不正アクセス検知の仕組み

3. インシデント対応

ログ解析による攻撃の特定
インシデント対応手順の策定
マルウェア感染時の対処
フォレンジック調査

4. セキュリティ対策の企画・評価

リスクアセスメントの実施
セキュリティ対策の優先順位付け
費用対効果の分析
セキュリティポリシーの策定

5. システム開発におけるセキュリティ

要件定義段階のセキュリティ要件
設計レビュー
テスト計画
脆弱性の修正方針

求められる能力：

技術的な仕組みの理解
問題点の発見・分析
適切な対策の提案
論理的な説明能力

午後Ⅱ（実践力・論述的記述式）

試験形式

2問中1問を選択して解答
より長文の事例問題
詳細な記述が求められる（100〜200字程度の設問も）

主な出題テーマ

1. 組織全体のセキュリティマネジメント

企業のセキュリティ体制構築
ISMS構築・運用
セキュリティ教育・訓練計画
経営層への報告・提案

2. 大規模インシデント対応

複雑なインシデントの調査・分析
被害範囲の特定
復旧計画の策定
再発防止策の立案
ステークホルダーへの対応

3. システム全体のセキュリティ設計

エンタープライズシステムのセキュリティアーキテクチャ
クラウド環境のセキュリティ設計
認証基盤の構築
ゼロトラストアーキテクチャ

4. 新技術への対応

IoTシステムのセキュリティ
クラウドサービス利用時のセキュリティ
テレワーク環境のセキュリティ
DevSecOpsの実践

5. セキュリティ監査・評価

内部監査の実施
第三者評価への対応
ペネトレーションテストの計画・実施
継続的な改善活動

求められる能力：

包括的な視点での問題解決
実務経験に基づく判断
複数の関係者を考慮した提案
コスト・リスク・効果のバランス
詳細かつ論理的な説明

学習のポイント

午前対策

過去問を繰り返し解く（頻出問題の把握）
用語・技術の正確な理解
計算問題の解法習得

午後対策

実務経験の整理
技術文書の読解力向上
論理的な文章作成の練習
時間配分の訓練
過去問の模範解答の研究

午後試験は単なる知識ではなく、実務での応用力が問われるため、技術的な理解を深めることが重要です。

Information Security Specialist Exam: Incident Response - Keywords

1. Incident Response Lifecycle

Main Keywords:

Preparation
- Incident response plan development
- Tool and resource readiness
- Training and awareness programs
Detection & Analysis
- Log monitoring and correlation
- Alert validation and prioritization
- Threat intelligence integration
Containment, Eradication, Recovery
- Isolation strategies and network segmentation
- Malware removal and vulnerability patching
- System restoration and validation testing
Post-Incident Activity
- Lessons learned documentation
- Process improvement recommendations
- Metrics and reporting analysis

2. Organizational Structure & Roles

Main Keywords:

CSIRT (Computer Security Incident Response Team)
- Team composition and skill requirements
- 24/7 on-call rotation schedules
- Authority and decision-making scope
SOC (Security Operation Center)
- Tier-based analyst structure
- Tool stack and SIEM platforms
- Shift handoff procedures
Incident Responder/Handler
- Technical investigation capabilities
- Communication and coordination skills
- Documentation and reporting duties
Escalation Framework
- Severity level criteria
- Escalation paths and timelines
- Executive notification thresholds
Chain of Command
- Decision authority matrix
- Cross-functional coordination protocols
- External stakeholder communication

3. Incident Classification

Main Incident Types:

Malware Infection
- Virus, worm, and trojan variants
- Propagation methods and vectors
- Behavioral indicators and signatures
Unauthorized Access
- Credential compromise scenarios
- Privilege escalation techniques
- Lateral movement patterns
DDoS Attack
- Volumetric, protocol, and application-layer attacks
- Botnet and amplification methods
- Traffic pattern analysis
Data Breach/Information Leakage
- Exfiltration techniques and channels
- PII/PHI exposure assessment
- Regulatory notification requirements
Insider Threats
- Malicious vs. negligent actors
- Data access anomaly detection
- User behavior analytics (UBA)
Phishing/Targeted Attacks
- Spear phishing and whaling campaigns
- Social engineering tactics
- Payload delivery mechanisms
Ransomware
- Encryption algorithms and variants
- Payment and negotiation considerations
- Decryption and recovery options
Website Defacement
- Attack surface and entry points
- Content integrity monitoring
- Restoration and hardening procedures
Service Disruption
- Availability impact assessment
- Root cause identification
- Service restoration priorities

4. Detection & Analysis

Main Keywords:

Log Analysis
- Centralized log aggregation
- Retention policies and compliance
- Correlation rules and patterns
SIEM (Security Information and Event Management)
- Real-time event correlation
- Use case development
- Dashboard and alerting configuration
IDS/IPS (Intrusion Detection/Prevention System)
- Signature-based vs. anomaly-based detection
- False positive tuning
- Inline vs. passive deployment
Alert Triage
- Priority scoring algorithms
- Context enrichment processes
- Queue management workflows
Anomaly Detection
- Baseline establishment methods
- Statistical deviation analysis
- Machine learning models
Impact & Urgency Assessment
- Business criticality mapping
- Data classification levels
- SLA/RTO considerations
IoC (Indicator of Compromise)
- Hash values and file signatures
- IP addresses and domains
- Threat feed integration
Forensic Investigation
- Evidence collection procedures
- Timeline reconstruction techniques
- Expert witness preparation

5. Initial Response

Main Keywords:

First Report
- Incident ticket creation
- Initial notification workflows
- Situation assessment documentation
Initial Containment
- Network isolation and segmentation
- Account suspension procedures
- Emergency change management
Evidence Preservation
- Chain of custody documentation
- Forensic imaging standards
- Legal hold procedures
Scope Determination
- Affected system inventory
- Data impact assessment
- Geographic and business unit mapping
Timeline Creation
- Event chronology construction
- Time synchronization verification
- Gap analysis and reconstruction
Stakeholder Communication
- Internal notification templates
- Status update cadence
- Confidentiality and need-to-know

6. Containment, Eradication & Recovery

Containment:

Short-term Containment
- Emergency system isolation
- Access control list (ACL) modifications
- Traffic filtering and blocking
Long-term Containment
- Temporary system rebuilding
- Compensating control implementation
- Monitoring enhancement deployment

Eradication:

Malware Removal
- Anti-malware scanning and cleaning
- Registry and file system cleanup
- Persistence mechanism elimination
Vulnerability Remediation
- Emergency patch deployment
- Configuration hardening
- Security baseline enforcement
Malicious Account Deletion
- Privileged access review
- Password reset campaigns
- Authentication mechanism strengthening
Backdoor Removal
- Hidden service identification
- Network connection auditing
- Code review and integrity checking

Recovery:

System Recovery Planning
- Restoration priority matrix
- Resource allocation strategy
- Dependency mapping
Backup Restoration
- Clean backup verification
- Point-in-time recovery selection
- Incremental vs. full restore
Validation & Enhanced Monitoring
- Functionality testing procedures
- Performance baseline comparison
- Heightened surveillance period

7. Reporting & Notification

Main Keywords:

Incident Report Documentation
- Executive summary format
- Technical details and evidence
- Timeline and impact analysis
Management Reporting
- Business impact quantification
- Risk assessment communication
- Remediation status updates
Regulatory Notifications
- Mandatory disclosure requirements
- Timeframe compliance (72-hour rules)
- Regulatory body submission formats
IPA (Information-technology Promotion Agency)
- Vulnerability reporting portal
- Incident statistics contribution
- Advisory subscription services
JPCERT/CC (Japan Computer Emergency Response Team)
- Incident coordination services
- Threat intelligence sharing
- International liaison functions
Law Enforcement
- Cybercrime reporting procedures
- Evidence handover protocols
- Investigation cooperation requirements
Data Protection Authority
- GDPR/PIPL breach notification
- Personal data impact assessment
- Documentation requirements
Customer/Victim Notification
- Transparent communication strategy
- Credit monitoring offerings
- FAQ and support resources

8. Post-Incident Activities

Main Keywords:

Post-Mortem Analysis
- Blameless retrospective approach
- What went well/wrong framework
- Action item tracking
Root Cause Analysis (RCA)
- 5 Whys methodology
- Fishbone diagram analysis
- Contributing factor identification
Prevention Strategy Development
- Technical control improvements
- Process enhancement recommendations
- People and training initiatives
Lessons Learned Documentation
- Knowledge base updates
- Playbook refinement
- Best practice sharing
Procedure Improvement
- Gap analysis findings
- Workflow optimization
- Tool enhancement requests
Training & Exercises
- Scenario-based drill planning
- Skills gap assessment
- Tabletop exercise scheduling

9. Important Related Concepts

Technical Aspects:

Digital Forensics
- Disk, memory, network forensics
- Mobile and cloud forensics
- Forensic tool validation
Hash Values
- MD5, SHA-1, SHA-256 algorithms
- File integrity verification
- Rainbow table considerations
Chain of Custody
- Evidence handling documentation
- Transfer and storage records
- Audit trail maintenance
Timestamp
- NTP synchronization importance
- Time zone considerations
- Clock skew analysis
Log Integrity Protection
- Write-once storage solutions
- Digital signature implementation
- Tamper-evident mechanisms
Baseline
- Normal behavior profiling
- Configuration management database
- Performance metrics benchmarking
Attack Methodologies
- Cyber Kill Chain model
- MITRE ATT&CK framework
- Diamond Model of intrusion

Management Aspects:

Incident Response Plan (IRP)
- Roles and responsibilities matrix
- Contact list maintenance
- Playbook development
BCP/DRP (Business Continuity/Disaster Recovery Plan)
- RTO/RPO objectives
- Failover procedures
- Crisis management integration
Escalation Rules
- Severity classification criteria
- Time-based escalation triggers
- Authority delegation model
SLA (Service Level Agreement)
- Response time commitments
- Resolution targets
- Penalty clauses
Information Sharing Framework
- ISAC participation
- TLP (Traffic Light Protocol)
- NDAs and trusted communities

10. Legal & Regulatory Requirements

Main Keywords:

Computer Fraud and Abuse Act / Unauthorized Access Laws
- Criminal penalties and liabilities
- Authorized access definitions
- Cross-border jurisdiction issues
Data Protection Laws (GDPR, CCPA, PIPL, etc.)
- Breach notification timelines
- Individual rights and obligations
- Fines and enforcement actions
Criminal Procedure Law
- Search and seizure procedures
- Evidence admissibility standards
- Expert testimony requirements
Cybersecurity Legislation
- Critical infrastructure protection
- Security baseline mandates
- Incident reporting obligations
Electronic Signature Laws
- Digital evidence authentication
- Non-repudiation requirements
- Certificate authority roles

11. Exercises & Training

Main Keywords:

Tabletop Exercise (TTX)
- Scenario-based discussion format
- Decision-making practice
- Process validation objectives
Cyber Range Exercises
- Realistic attack simulation
- Hands-on technical training
- Performance metrics collection
Red Team / Blue Team Exercises
- Adversarial simulation approach
- Detection capability testing
- Purple team integration benefits
Playbook Development
- Step-by-step response procedures
- Decision trees and flowcharts
- Regular review and updates

Exam Preparation Tips:

Understand phase-specific actions - Know what to do in each incident response phase
Master CSIRT structure - Understand roles, responsibilities, and coordination
Know legal obligations - Be clear on mandatory reporting requirements and timelines
Evidence preservation techniques - Understand forensic best practices and chain of custody
Practice scenario analysis - Work through incident response scenarios end-to-end

Information Security Specialist Exam: Keywords for Firewall, IDS, IPS, UTM

Firewall

Basic Concepts

Packet Filtering Type
- Header inspection, Rule-based filtering, Stateless operation
Application Gateway Type (Proxy Type)
- Deep packet inspection, Protocol-specific proxies, Content filtering
Circuit Level Gateway Type
- Session-level control, SOCKS protocol, Connection validation
Stateful Inspection (Dynamic Packet Filtering)
- Connection state tracking, Session table, Context-aware filtering
DMZ (Demilitarized Zone) Configuration
- Three-legged architecture, Dual firewall setup, Bastion hosts
Screening Router
- Border router security, Basic ACL filtering, Perimeter defense

Technical Elements

ACL (Access Control List)
- Rule priority, Implicit deny, Sequential processing
Port Number Filtering
- Well-known ports, Service identification, Port range blocking
IP Address Filtering
- Source/destination filtering, Whitelist/blacklist, Geolocation blocking
Protocol Filtering
- TCP/UDP/ICMP control, Protocol anomaly detection, Layer 4 inspection
NAT/NAPT (IP Masquerading)
- Address translation, Port address translation, Private IP hiding
Default Policy (deny all / permit all)
- Least privilege principle, Implicit deny rule, Security baseline
Inbound/Outbound Control
- Directional rules, Egress filtering, Ingress filtering

IDS (Intrusion Detection System)

Basic Functions

Unauthorized Access Detection and Notification
- Alert generation, Event correlation, Threat intelligence integration
Real-time Monitoring
- Continuous surveillance, Traffic analysis, Behavioral monitoring
Log Collection and Analysis
- Event aggregation, Forensic analysis, Audit trail maintenance
Alert Generation
- Severity classification, Alert prioritization, Notification mechanisms

Detection Methods

Signature-based Detection (Pattern Matching)
- Known attack patterns, Signature database, Regular expression matching
Anomaly-based Detection
- Baseline establishment, Statistical analysis, Machine learning models
Heuristic Detection
- Behavioral analysis, Rule-based logic, Hybrid approach

Deployment Types

NIDS (Network-based IDS)
- Promiscuous mode, Tap/SPAN monitoring, Network segment coverage
HIDS (Host-based IDS)
- System call monitoring, File integrity checking, Log file analysis

Important Terms

False Positive
- Benign traffic flagged, Alert fatigue, Tuning requirements
False Negative
- Missed attacks, Detection gaps, Evasion techniques
Signature File Updates
- Regular updates, Zero-day coverage, Custom signatures
Sensor Placement
- Strategic positioning, Traffic visibility, Choke points

IPS (Intrusion Prevention System)

Differences from IDS

Active Defense (Detection + Blocking)
- Automated response, Prevention capability, Real-time protection
Inline Deployment (In the communication path)
- Bridge mode, Transparent operation, Fail-open/fail-close
Real-time Blocking
- Immediate action, Packet dropping, Session termination
Automatic Response Function
- Adaptive security, Dynamic rules, Countermeasure execution

Defense Functions

Malicious Packet Blocking
- Signature matching, Protocol validation, Payload inspection
Session Termination
- TCP reset, Connection teardown, Force disconnection
Attack Source IP Blocking
- Temporary blacklisting, Shunning, Rate limiting
Traffic Normalization
- Protocol standardization, Fragmentation handling, Ambiguity removal

Implementation Considerations

Risk of Blocking Legitimate Traffic due to False Positives
- Business impact, Whitelist management, Testing requirements
Network Latency
- Processing delay, Throughput impact, Performance degradation
Single Point of Failure Risk
- High availability, Redundancy planning, Failover mechanisms

UTM (Unified Threat Management)

Integrated Functions

Firewall
- Stateful inspection, NAT/VPN, Zone-based policies
IDS/IPS
- Threat prevention, Signature updates, Behavioral analysis
Antivirus/Antispam
- Malware scanning, Email filtering, Content sanitization
Web Filtering
- URL categorization, Content blocking, SSL inspection
VPN Function
- Site-to-site tunnels, Remote access, Encryption
Application Control
- Layer 7 filtering, Application visibility, Bandwidth management
Content Filtering
- Data loss prevention, Keyword blocking, File type restrictions

Characteristics

All-in-One Security
- Consolidated platform, Simplified architecture, Single vendor solution
Centralized Management
- Unified console, Single pane of glass, Simplified administration
For Small to Medium Networks
- Cost-effective solution, Resource optimization, Scalability limits
Cost Reduction
- Lower CapEx, Reduced OpEx, License consolidation

Considerations

Single Point of Failure (SPOF) Risk
- Availability concerns, Redundancy requirements, Disaster recovery
Processing Capacity Limitations
- Performance bottleneck, Throughput constraints, Resource contention
Performance Degradation with Added Features
- Feature overload, CPU utilization, Memory constraints

Common Important Keywords

Attack Techniques

DoS/DDoS Attacks
- Volumetric attacks, Resource exhaustion, Botnet operations
Port Scanning
- Reconnaissance activity, Service enumeration, Vulnerability discovery
SQL Injection
- Database manipulation, Input validation bypass, Query manipulation
Cross-Site Scripting (XSS)
- Script injection, Session hijacking, Client-side attacks
Buffer Overflow
- Memory corruption, Code execution, Stack smashing
Zero-Day Attack
- Unknown vulnerabilities, No available patch, Advanced threats

Operations Management

Log Management and SIEM Integration
- Event correlation, Threat intelligence, Compliance reporting
Security Policy Configuration
- Rule optimization, Policy review, Change management
Regular Signature Updates
- Automated updates, Threat intelligence feeds, Vendor notifications
Patch Management
- Vulnerability remediation, Update scheduling, Testing procedures
Incident Response
- Incident handling, Forensic investigation, Recovery procedures

Performance Metrics

Throughput
- Bandwidth capacity, Data transfer rate, Maximum performance
Latency (Delay)
- Processing time, Response delay, User experience impact
Concurrent Sessions
- Connection limit, Session table size, Capacity planning
Processing Power (pps: packets per second)
- Packet rate, Frame processing, Hardware acceleration

Information Security Specialist Exam - VPN keywords

1. VPN Basic Concepts

VPN (Virtual Private Network) - Virtual private line
Tunneling - Secure communication path through encapsulation
Encrypted Communication - Data confidentiality protection
Authentication - Verification of legitimate users/devices
Private Addresses - Internal network usage

Sub-keywords: End-to-end encryption, Network isolation, Secure gateway

2. VPN Types

Internet VPN - Uses public internet connections
IP-VPN - Uses carrier's closed network
Entry VPN - Wide area Ethernet connection
Remote Access VPN - Individual devices to corporate network
Site-to-Site VPN (LAN-to-LAN) - Multi-location connections

Sub-keywords: Cloud VPN, Mobile VPN, Hybrid VPN

3. Key Protocols

IPsec - IP layer security protocol
- Transport Mode / Tunnel Mode
- AH (Authentication Header) - Authentication & integrity
- ESP (Encapsulating Security Payload) - Encryption & authentication
- IKE (Internet Key Exchange) - Key exchange
- SA (Security Association) - Security parameters
SSL/TLS-VPN - Application layer
- Clientless connection
- Web browser-based access
PPTP - Point-to-Point Tunneling Protocol (legacy)
L2TP - Layer 2 Tunneling Protocol
L2TP/IPsec - Combination of L2TP and IPsec

Sub-keywords: WireGuard protocol, OpenVPN, IKEv2

4. Security Elements

Confidentiality - Encryption
Integrity - Tamper detection
Authentication - Prevents impersonation
Non-repudiation - Proof of action

Sub-keywords: CIA triad, Access control, Data protection

5. Encryption Technologies

Symmetric Encryption - AES, 3DES
Public Key Encryption - RSA
Hash Functions - SHA-256, MD5
Digital Certificates - PKI infrastructure

Sub-keywords: Key length, Cipher suites, Perfect forward secrecy

6. Authentication Methods

Pre-Shared Key (PSK) - Shared secret
Digital Certificate Authentication
RADIUS Authentication
Two-Factor Authentication (2FA)
One-Time Password (OTP)

Sub-keywords: Biometric authentication, Smart card, LDAP integration

7. Risks and Countermeasures

Eavesdropping Prevention - Strong encryption
Man-in-the-Middle (MITM) - Certificate verification
Split Tunneling - Security risks
Log Management - Access record retention
Vulnerability Management - Software updates

Sub-keywords: DNS leaks, Kill switch, Zero-trust architecture

8. Related Technologies/Terms

Firewall - Integration with VPN
NAT Traversal - Communication through NAT
Split Tunnel - Traffic distribution
VPN Concentrator - Dedicated VPN device
Always-On VPN - Persistent connection

Sub-keywords: SD-WAN, Load balancing, Endpoint security

9. Operations Management

Access Log Monitoring
Bandwidth Control
Redundancy & Availability
Failover Switching
Performance Monitoring

Sub-keywords: SLA monitoring, Capacity planning, Incident response

10. Laws & Guidelines

Unauthorized Access Prevention Act
Personal Information Protection Act - Data handling via VPN
ISMS - Information Security Management System

Sub-keywords: GDPR compliance, Data sovereignty, Audit requirements