Giải pháp đánh giá và quản lý rủi ro an toàn thông tin trong Chính phủ điện tử
DOI:
https://doi.org/10.54654/isj.v1i13.144Keywords:
security risk management, security risk assessment, vulnerable scan, source code scanTóm tắt
Tóm tắt—Bài báo này trình bày kết quả nghiên cứu xây dựng giải pháp đánh giá và quản lý rủi ro an toàn hệ thống thông tin trong Chính phủ điện tử. Trong bài toán này, chúng tôi tập chung vào xây dựng (i) quy trình đánh giá, quản lý rủi ro an toàn thông tin (ATTT), và (ii) hệ thống phần mềm UET.SRA (Security Risk Assessment System) hỗ trợ đánh giá, quản lý rủi ro theo quy trình đã xây dựng. Việc quản lý và đánh giá rủi ro ATTT được kết hợp theo các tiêu chuẩn trong nước và quốc tế bao gồm các quy trình trong ISO/IEC 27005:2011 và NIST SP 800-39, nhưng được tuỳ biến để phù hợp với thực tiễn của các cơ quan chính phủ. Hệ thống phần mềm UET.SRA đánh giá rủi ro ATTT dựa theo phương pháp kiểm tra các lỗ hổng và sự phơi nhiễm phổ biến (Common Vulnerabilities and Exposures – CVE); việc ước lượng rủi ro định lượng theo Hệ thống chấm điểm lỗ hổng phổ biến (Common Vulnerability Scoring System - CVSS) và Dự án mở về bảo mật ứng dụng web (Open Web Application Security Project - OWASP). Ngoài ra, UET.SRA còn cung cấp chức năng phân tích, phát hiện các lỗ hổng, các đoạn mã độc trong mã nguồn ứng dụng Web sử dụng công nghệ học sâu (deep learning). Kết quả thử nghiệm giải pháp UET.SRA tại Bộ Tài nguyên và Môi trường (TN&MT) bước đầu đã minh chứng được ý nghĩa thực tiễn và cho phép quản lý được các rủi ro ATTT đối với một số hệ thống trọng yếu của Bộ TN&MT.
Abstract—This article presents the results of building a solution to access and manage security risks for the e-Government information system. We focus on building a process and software system UET.SRA to manage and assess security risks. The process was developed using a combination of international and domestic standards including ISO/IEC 27005:2011 and NIST SP 800-39, but customized to match the practice of government agencies. UET.SRA evaluates security risks based on CVEs vulnerability testing; quantitative risk based on CVSS and OWASP standards. In addition, UET.SRA also provides the function of detecting vulnerabilities and webshell in the source code of web applications using deep learning algorithms. The experimental results of UET.SRA at the Ministry of Natural Resources and Environment have initially demonstrated practical effectiveness in managing security risks for a number of critical systems.
Downloads
References
R. M. Savola and P. Heinonen (2011), “A visualization and modeling tool for security metrics and measurements management,” doi:10.1109/ISA.2011.6027518. Information Security for South Africa (ISSA) Conference, pp. 1-8.
Himanshu Kumar (2014), “Learning Nessus for Penetration Testing”, Packt Publishing.
Sagar Rahalkar (2018), “Network Vulnerability Assessment: Identify security loopholes in your network's infrastructure”, Packt Publishing.
https://www.greenbone.net/en/live-demo/ (Truy cập ngày 10/3/2021).
https://www.tenable.com/plugins/newest (Truy cập ngày 10/3/2021).
Open Vulnerability Assessment Language (OVAL) scans- https://oval.cisecurity.org/ (Truy cập ngày 15/3/2021).
NIST (2013), “NIST SP 800-40r3 Guide to Enterprise Patch Management Technologies”. http://dx.doi.org/10.6028/NIST.SP.800-40r3.
Web Application Attack and Audit Framework – w3af- http://w3af.org/. Truy cập ngày 20/3/2021.
Ngoc-Hoa NGUYEN, Viet-Ha LE, Van-On PHUNG, Phuong-Hanh DU (2019): “Toward a Deep Learning Approach for Detecting PHP Webshell”. Proceedings of the Tenth International Symposium on Information and Communication Technology 2019 (SoICT 2019), ACM, New York, NY, USA. Pages 514–521. https://doi.org/10.1145/3368926.3369733.
Lv ZH., Yan HB., Mei R. (2019), “Automatic and Accurate Detection of Webshell Based on Convolutional Neural Network”. In Yun X. et al. (eds) Cyber Security. CNCERT 2018. Communications in Computer and Information Science, vol 970. Springer, Singapore. pp 73-85. https://doi.org/10.1007/978-981-13-6621-5_6.
Yifan Tian, Jiabao Wang, Zhenji Zhou, and Shengli Zhou (2017). “CNN-Webshell: Malicious Web Shell Detection with Convolutional Neural Network”. In Proceedings of the 2017 VI International Conference on Network, Communication and Computing (ICNCC 2017). ACM, New York, NY, USA, pp. 75-79.
Ha LE Viet, On PHUNG Van and Hoa NGUYEN Ngoc (2020): “Information Security Risk Management by a Holistic Approach: a Case Study for Vietnamese e-Government”. IJCSNS- International Journal of Computer Science and Network Security. VOL 20 No.6, June 2020. pp. 72-82.
Nguyễn Ngọc Hóa (2021), “Báo cáo tổng hợp kết quả đề tài KC01.19/16-20”.
ISO/IEC 27005:2018 Information technology - Security techniques - Information security risk management (third edition). https://www.iso.org/standard/75281.html (Truy cập ngày 22/3/2021).
NIST (2012), “NIST SP 800-30r, Guide for Conducting Risk Assessments”. https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final (Truy cập ngày 25/3/2021).
NIST (2011), “NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View”. https://csrc.nist.gov/publications/detail/sp/800-39/final (Truy cập ngày 25/3/2021).
ISO/IEC 15408-1:2009 Information technology - Security techniques - Evaluation criteria for IT security. https://www.iso.org/standard/50341.html (Truy cập ngày 22/3/2021).
NIST (2018), “NIST Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework)”. https://www.nist.gov/cyberframework (Truy cập ngày 25/3/2021).
NIST (2020), “NIST SP 800-53r4, Security and Privacy Controls for Federal Information Systemsand Organizations”. https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final (Truy cập ngày 25/3/2021).
“Common Vulnerability Scoring System v3.1: Specification Document”, https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf (Truy cập ngày 28/3/2021).
“OWASP Risk Rating Methodology”, https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology (Truy cập ngày 28/3/2021).
Downloads
Published
How to Cite
Issue
Section
License
Proposed Policy for Journals That Offer Open Access
Authors who publish with this journal agree to the following terms:
1. Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
2. Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
3. Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).
Proposed Policy for Journals That Offer Delayed Open Access
Authors who publish with this journal agree to the following terms:
1. Authors retain copyright and grant the journal right of first publication, with the work [SPECIFY PERIOD OF TIME] after publication simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
2. Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
3. Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).
