信息网络安全 (Netinfo Security) ›› 2015, Vol. 15 ›› Issue (2): 7-8. doi: 10.3969/j.issn.1671-1122.2015.02.002

• Technical Research •

Research and Implementation of Key Technologies for Information Security Risk Assessment (title translated from the Chinese)

WEN Wei-ping1, GUO Rong-hua2, MENG Zheng1, BAI Xiao1

  1. School of Software & Microelectronics, Peking University, Beijing 102600
  2. Luoyang Electronic Equipment Test Center (LEETC), Luoyang, Henan 471003
  • Received: 2014-12-17 Online: 2015-02-10 Published: 2015-07-05
  • About the authors:

    WEN Wei-ping (born 1976), male, from Hunan, associate professor, Ph.D.; main research interests: network attack and defense, malicious code, information system reverse engineering, and trusted computing. GUO Rong-hua (born 1972), male, from Hubei, associate research fellow, Ph.D.; main research interest: information security. MENG Zheng (born 1990), male, from Hebei, master's student; main research interests: system and network security, vulnerability analysis. BAI Xiao (born 1987), female, from Sichuan, master's student; main research interests: information security risk assessment, system and network security.

  • Funding:
    National Natural Science Foundation of China [61170282]

Research and Implementation on Information Security Risk Assessment Key Technology

WEN Wei-ping1, GUO Rong-hua2, MENG Zheng1, BAI Xiao1

  1. School of Software & Microelectronics, Peking University, Beijing 102600, China
  2. LEETC, Luoyang, Henan 471003, China
  • Received: 2014-12-17 Online: 2015-02-10 Published: 2015-07-05

Abstract (translated from the Chinese):

Information security is the issue of greatest concern in the development of global informatization. As organizations move into the era of information-based office work, almost all of their information assets are stored in information systems; once these systems face threats and suffer attacks, the resulting harm and loss are hard to imagine. The theory of information security risk assessment was first proposed abroad and is now widely applied in the information security field. This article first studies the basic theory and process of risk assessment, introducing the definition of risk assessment, the relationships between risk assessment elements, the security risk model, and common risk assessment methods. It then presents the architecture design and functional module design of risk assessment and control software covering asset identification, threat analysis, vulnerability analysis, confirmation and assessment of existing security policies, comprehensive risk assessment, and assessment report output. Next, the system is implemented using the SQL Server database and Tomcat middleware and tested on a test platform. A vulnerability detection function was added during the design of the assessment software, providing a further guarantee of the accuracy of the assessment work. The system's module structure is simple and clear, its assessment functions are complete and powerful, and the results are outstanding.

Keywords: risk assessment, asset identification, vulnerability analysis, threat analysis, vulnerability detection

Abstract:

Information security is the issue of greatest concern in the development of global informatization. As organizations enter the era of information-based office work, almost all of an organization's information is stored in its information systems; once an information system encounters threats and attacks, the resulting damage and loss are hard to imagine. The theory of security risk assessment was first put forward abroad and is now widely applied in the field of information security. The article first introduces the theoretical basis and process of risk assessment, including the definition of risk assessment, the relationships between risk assessment factors, the security risk model, and common risk assessment methods. It then presents the architecture design and functional module design of the risk assessment and control software, which covers asset identification, threat analysis, vulnerability analysis, confirmation and assessment of existing security policies, comprehensive risk assessment, and assessment report output. Using the SQL Server database and Tomcat middleware technology, the risk assessment system is implemented and tested on a test platform. A vulnerability detection function is added during the design of the assessment software, providing a further safeguard for the accuracy of the assessment. The modular structure of the system is simple and clear, its assessment functions are complete and powerful, and the results are prominent.

Key words: risk assessment, asset identification, vulnerability analysis, threat analysis, vulnerability detection
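As an added illustration of the asset, threat and vulnerability relationship that the abstract's "security risk model" and "comprehensive risk assessment" steps refer to, the following example is written for this page and is not the paper's own system or method. It assumes the widely used qualitative model in which each asset value (A), threat likelihood (T) and vulnerability severity (V) is rated 1 to 5, existing security controls lower the effective vulnerability rating, risk is the product A × T × V, and the resulting score is mapped to a level; the rating scales, the band cut-offs, the `Asset`/`Exposure` names and the inventory data are all constructed assumptions.

```python
"""Added example: a minimal asset/threat/vulnerability risk calculator.

Illustrative model written for this page, not the paper's software. It assumes
the common qualitative model: risk = asset value (A) x threat likelihood (T) x
effective vulnerability severity (V), each rated 1..5, with existing controls
lowering V. All assets, threats and ratings below are constructed sample data.
"""
from dataclasses import dataclass

# Risk level bands over the product A*T*V (range 1..125). The cut-offs are an
# assumption chosen for this example, not values taken from the paper.
RISK_BANDS = [(1, 15, "very low"), (16, 35, "low"), (36, 60, "medium"),
              (61, 90, "high"), (91, 125, "very high")]


@dataclass
class Asset:
    name: str
    value: int                      # A: 1 (negligible) .. 5 (critical)


@dataclass
class Exposure:
    """One threat acting on one vulnerability of one asset."""
    asset: Asset
    threat: str
    likelihood: int                 # T: 1 (rare) .. 5 (almost certain)
    vulnerability: str
    severity: int                   # V: 1 (minor) .. 5 (severe)
    control_effectiveness: int = 0  # existing control: 0 (none) .. 4 (strong)


def _check_rating(x, lo, hi, what):
    """Reject ratings outside the agreed scale instead of silently scoring them."""
    if not (isinstance(x, int) and lo <= x <= hi):
        raise ValueError(f"{what} must be an integer in {lo}..{hi}, got {x!r}")


def effective_severity(e: Exposure) -> int:
    """Existing controls reduce vulnerability severity, but never below 1."""
    return max(1, e.severity - e.control_effectiveness)


def risk_score(e: Exposure) -> int:
    """Risk value for one exposure: A * T * effective V (1..125)."""
    _check_rating(e.asset.value, 1, 5, "asset value")
    _check_rating(e.likelihood, 1, 5, "threat likelihood")
    _check_rating(e.severity, 1, 5, "vulnerability severity")
    _check_rating(e.control_effectiveness, 0, 4, "control effectiveness")
    return e.asset.value * e.likelihood * effective_severity(e)


def risk_level(score: int) -> str:
    """Map a numeric score onto a qualitative level using RISK_BANDS."""
    for lo, hi, label in RISK_BANDS:
        if lo <= score <= hi:
            return label
    raise ValueError(f"score {score} outside 1..125")


def assess(exposures):
    """Comprehensive assessment: score every exposure, highest risk first."""
    rows = []
    for e in exposures:
        s = risk_score(e)
        rows.append({"asset": e.asset.name, "threat": e.threat,
                     "vulnerability": e.vulnerability, "score": s,
                     "level": risk_level(s)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def report(rows) -> str:
    """Assessment report output as plain text, one line per exposure."""
    lines = [f"{'asset':<14}{'threat':<22}{'score':>6}  level"]
    for r in rows:
        lines.append(f"{r['asset']:<14}{r['threat']:<22}{r['score']:>6}  {r['level']}")
    return "\n".join(lines)


# Constructed sample inventory (not taken from the paper).
SAMPLE = [
    Exposure(Asset("HR database", 5), "SQL injection", 4, "unvalidated input", 4, 1),
    Exposure(Asset("HR database", 5), "insider misuse", 2, "over-broad privileges", 3, 0),
    Exposure(Asset("intranet wiki", 2), "web defacement", 3, "outdated CMS", 4, 3),
    Exposure(Asset("laptop fleet", 3), "theft", 3, "no disk encryption", 5, 0),
]

if __name__ == "__main__":
    print(report(assess(SAMPLE)))
```

The ranking is the useful output: with the sample data the HR database's injection exposure scores 60 (medium) even after a partial control, while the wiki's outdated CMS drops to 6 (very low) because a strong existing control is credited. Keeping validation in `_check_rating` matters in practice, since a mis-keyed rating outside the scale would otherwise produce a score that looks plausible but lands in the wrong band.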
