A Solution for Assessing and Managing Information Security Risks in e-Government
DOI: https://doi.org/10.54654/isj.v1i13.144
Keywords: security risk management, security risk assessment, vulnerability scan, source code scan
Abstract
This article presents the results of building a solution to assess and manage information security risks for e-Government information systems. We focus on building a process and a software system, UET.SRA, to manage and assess security risks. The process was developed by combining international and domestic standards, including ISO/IEC 27005:2011 and NIST SP 800-39, and customized to match the practice of government agencies. UET.SRA evaluates security risk through CVE-based vulnerability scanning and quantifies risk using the CVSS and OWASP Risk Rating methods. In addition, UET.SRA detects vulnerabilities and webshells in the source code of web applications using deep learning algorithms. Experimental results from deploying UET.SRA at the Ministry of Natural Resources and Environment have initially demonstrated its practical effectiveness in managing security risks for a number of critical systems.
References
R. M. Savola and P. Heinonen (2011), "A visualization and modeling tool for security metrics and measurements management", Information Security for South Africa (ISSA) Conference, pp. 1-8. https://doi.org/10.1109/ISA.2011.6027518.
Himanshu Kumar (2014), "Learning Nessus for Penetration Testing", Packt Publishing.
Sagar Rahalkar (2018), "Network Vulnerability Assessment: Identify security loopholes in your network's infrastructure", Packt Publishing.
Greenbone live demo, https://www.greenbone.net/en/live-demo/ (accessed 10 March 2021).
Tenable newest plugins, https://www.tenable.com/plugins/newest (accessed 10 March 2021).
Open Vulnerability Assessment Language (OVAL), https://oval.cisecurity.org/ (accessed 15 March 2021).
NIST (2013), "NIST SP 800-40r3, Guide to Enterprise Patch Management Technologies". https://doi.org/10.6028/NIST.SP.800-40r3.
Web Application Attack and Audit Framework (w3af), http://w3af.org/ (accessed 20 March 2021).
Ngoc-Hoa NGUYEN, Viet-Ha LE, Van-On PHUNG, Phuong-Hanh DU (2019), "Toward a Deep Learning Approach for Detecting PHP Webshell". Proceedings of the Tenth International Symposium on Information and Communication Technology (SoICT 2019), ACM, New York, NY, USA, pp. 514-521. https://doi.org/10.1145/3368926.3369733.
Lv ZH., Yan HB., Mei R. (2019), "Automatic and Accurate Detection of Webshell Based on Convolutional Neural Network". In Yun X. et al. (eds), Cyber Security. CNCERT 2018. Communications in Computer and Information Science, vol. 970. Springer, Singapore, pp. 73-85. https://doi.org/10.1007/978-981-13-6621-5_6.
Yifan Tian, Jiabao Wang, Zhenji Zhou, and Shengli Zhou (2017), "CNN-Webshell: Malicious Web Shell Detection with Convolutional Neural Network". In Proceedings of the 2017 VI International Conference on Network, Communication and Computing (ICNCC 2017). ACM, New York, NY, USA, pp. 75-79.
Ha LE Viet, On PHUNG Van and Hoa NGUYEN Ngoc (2020), "Information Security Risk Management by a Holistic Approach: a Case Study for Vietnamese e-Government". IJCSNS International Journal of Computer Science and Network Security, vol. 20, no. 6, June 2020, pp. 72-82.
Nguyễn Ngọc Hóa (2021), "Summary Report on the Results of Project KC01.19/16-20" (in Vietnamese).
ISO/IEC 27005:2018, Information technology - Security techniques - Information security risk management (third edition). https://www.iso.org/standard/75281.html (accessed 22 March 2021).
NIST (2012), "NIST SP 800-30r1, Guide for Conducting Risk Assessments". https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final (accessed 25 March 2021).
NIST (2011), "NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View". https://csrc.nist.gov/publications/detail/sp/800-39/final (accessed 25 March 2021).
ISO/IEC 15408-1:2009, Information technology - Security techniques - Evaluation criteria for IT security. https://www.iso.org/standard/50341.html (accessed 22 March 2021).
NIST (2018), "NIST Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework)". https://www.nist.gov/cyberframework (accessed 25 March 2021).
NIST (2013), "NIST SP 800-53r4, Security and Privacy Controls for Federal Information Systems and Organizations". https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final (accessed 25 March 2021).
"Common Vulnerability Scoring System v3.1: Specification Document", https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf (accessed 28 March 2021).
"OWASP Risk Rating Methodology", https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology (accessed 28 March 2021).
Versions
- 2023-06-27 (2)
- 2022-01-12 (1)
License
Proposed Policy for Journals That Offer Open Access
Authors who publish with this journal agree to the following terms:
1. Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
2. Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
3. Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).