Research and Application of Information Security Risk Assessment Technology Based on CORAS
Abstract
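Information security risk assessment is an important part of examining the security of information systems. With the state pushing ahead with information security risk assessment work and about to promulgate the national standard "Specification for Information Security Risk Assessment" to guide its implementation, studying how mature foreign risk assessment frameworks can be applied in combination with the national standard, and in particular studying risk self-assessment techniques for small and medium-sized organizations and their application, is of great significance for the widespread adoption of information security risk assessment.
     The thesis first analyzes and compares the main risk assessment methods and tools in China and abroad, analyzes from several angles the theoretical and technical characteristics of the model-based information security risk assessment framework CORAS, and compares the compatibility of the CORAS framework with the "Specification for Information Security Risk Assessment", showing that it is feasible for small and medium-sized organizations in China to carry out risk assessment with the CORAS framework. To address the subjectivity of risk computation when the CORAS framework is applied, it analyzes and summarizes how the risk factors threat, vulnerability and asset combine, and proposes and defines the concepts of meta-risk and asset risk tree, which solve the problems of determining the granularity of risk computation and of distinguishing how important risks of different kinds are to an asset; on this basis it designs an optimized risk assessment algorithm, based on meta-risk and the asset risk tree, suited to small and medium-sized organizations. It also designs and develops e-CORAS, a CORAS-based risk assessment support system: the system modeling, analysis and design are described through package diagrams, class diagrams, use-case diagrams and sequence diagrams, the detailed design of the risk assessment algorithm is given, and the system database is designed and implemented in detail in terms of database access mode, structural model diagram and table structure. Finally, a concrete assessment example illustrates the application and effectiveness of the algorithm and the system.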
Information security risk assessment is an important step in evaluating information system security. As our nation strengthens its work on information security risk assessment, the national standard will be enacted in the near future and all risk evaluation will be carried out under its guidance. Research on applying well-known risk frameworks from around the world under the guidance of the national standard, especially research on applying risk self-evaluation in small and medium organizations, is of significance for the widespread practice of information security risk assessment.
     Firstly, this paper analyzes and compares different methods and tools at home and abroad, focusing on the theory and technology of the EU's model-based information security risk assessment framework CORAS; the conformance of the CORAS framework to the "Specification for Information Security Risk Assessment" is studied and compared, which is the basis for the application of the CORAS framework by domestic small and medium organizations. Then, to address the subjectivity of risk computation in applying CORAS, the relations between the risk factors threat, vulnerability and asset are generalized, and meta-risk, asset risk tree and other related concepts are set forth and defined, which are solutions for identifying the granularity of risk computation and distinguishing the level of influence of risk on an asset's importance; based on that, a computation algorithm is designed. Thirdly, a risk assessment support tool, e-CORAS, is analyzed and implemented: the system modeling, analysis and design are illustrated with system package diagrams, class diagrams, use-case diagrams and sequence diagrams, the detailed design of the risk assessment algorithm is presented, and the system database design and implementation are presented in terms of general database structure, structure model diagram and table structure. Finally, an example that illustrates the use of the algorithm and tool is presented.
