Method and device for determining security level of network information system

Document No. 1478662. Published 2020-02-25. Original language: Chinese.

Reading note: this technology, "Method and device for determining security level of network information system" (一种网络信息系统的安全等级确定方法和装置), was created by 张治兵 (Zhang Zhibing), 倪平 (Ni Ping) and 周开波 (Zhou Kaibo) on 2018-08-15. Abstract: the application provides a method and a device for determining the security level of a network information system. The method comprises: acquiring the risk level of each risk point of a class of network information systems; determining, from the risk level of each risk point, the vulnerability levels of M vulnerabilities of that class; determining, from the M vulnerabilities and their vulnerability levels, the R vulnerabilities present in any given network information system of that class and the vulnerability level corresponding to each, where R is an integer not greater than M; and determining the security level of that network information system from the R vulnerabilities so determined and their corresponding vulnerability levels. The method can evaluate the security level of the whole network information system on the basis of risk and vulnerability.

1. A method for determining the security level of a network information system, the method comprising:

acquiring the risk level of each risk point of a class of network information systems;

determining, from the risk level of each risk point, the vulnerability levels of M vulnerabilities of that class of network information systems;

determining, from the M vulnerabilities and their vulnerability levels, the R vulnerabilities present in any given network information system of that class, together with the vulnerability level corresponding to each of the R vulnerabilities, where R is an integer not greater than M;

and determining the security level of that network information system from the R vulnerabilities so determined and their corresponding vulnerability levels.

2. The method according to claim 1, wherein determining the vulnerability levels of the M vulnerabilities of the class of network information systems from the risk level of each risk point comprises:

when a vulnerability corresponds to one risk point, determining the vulnerability level of that vulnerability to be the risk level of that risk point;

when a vulnerability corresponds to several risk points, determining the vulnerability level of that vulnerability to be the risk level of the risk point with the highest risk level value among them.

3. The method of claim 1, wherein determining the security level of the network information system from the R vulnerabilities so determined and their corresponding vulnerability levels comprises:

when the value N - i appears among the vulnerability level values of the R vulnerabilities and no value larger than N - i appears, determining the value of the security level of the network information system to be i + 1; where N is the total number of security levels of the network information system configured by the system, and i is an integer from 0 to N - 1;

when R is 0, the security level of the system is the highest level.

4. The method of claim 1, wherein either:

a larger risk level value denotes higher system risk, a larger vulnerability level value denotes higher system vulnerability, and a larger security level value denotes higher system security;

or a larger risk level value denotes lower system risk, a larger vulnerability level value denotes lower system vulnerability, and a larger security level value denotes lower system security.

5. The method according to any one of claims 1 to 4, wherein determining, from the M vulnerabilities and their vulnerability levels, the R vulnerabilities present in any given network information system of the class and the vulnerability level corresponding to each of the R vulnerabilities comprises:

using the M vulnerabilities, filtering out of the information system those vulnerabilities for which a corresponding security measure is in place, taking the R vulnerabilities that remain in the information system after filtering as the vulnerabilities of the information system, and determining the vulnerability levels of the R vulnerabilities from those of the M vulnerabilities.

6. An apparatus for determining the security level of a network information system, the apparatus comprising an acquisition unit, a first determining unit, a second determining unit and a third determining unit;

the acquisition unit is configured to acquire the risk level of each risk point of a class of network information systems;

the first determining unit is configured to determine, from the risk level of each risk point acquired by the acquisition unit, the vulnerability levels of M vulnerabilities of that class of network information systems;

the second determining unit is configured to determine, from the M vulnerabilities and the vulnerability levels determined by the first determining unit, the R vulnerabilities present in any given network information system of that class and the vulnerability level corresponding to each, where R is an integer not greater than M;

and the third determining unit is configured to determine the security level of that network information system from the R vulnerabilities determined by the second determining unit and their corresponding vulnerability levels.

7. The apparatus of claim 6, wherein

the first determining unit, when determining the vulnerability levels of the M vulnerabilities of the class of network information systems from the risk level of each risk point, is specifically configured to: when a vulnerability corresponds to one risk point, determine the vulnerability level of that vulnerability to be the risk level of that risk point; when a vulnerability corresponds to several risk points, determine the vulnerability level of that vulnerability to be the risk level of the risk point with the highest risk level value among them.

8. The apparatus of claim 6, wherein

the third determining unit, when determining the security level of the network information system from the R vulnerabilities so determined and their corresponding vulnerability levels, is specifically configured to: when the value N - i appears among the vulnerability level values of the R vulnerabilities and no value larger than N - i appears, determine the value of the security level of the network information system to be i + 1; when R is 0, determine the security level of the system to be the highest level; where N is the total number of security levels of the network information system configured by the system, and i is an integer from 0 to N - 1.

9. The apparatus of claim 6, wherein either:

a larger risk level value denotes higher system risk, a larger vulnerability level value denotes higher system vulnerability, and a larger security level value denotes higher system security;

or a larger risk level value denotes lower system risk, a larger vulnerability level value denotes lower system vulnerability, and a larger security level value denotes lower system security.

10. The apparatus according to any one of claims 6 to 9, wherein

the second determining unit, when determining from the M vulnerabilities and their vulnerability levels the R vulnerabilities present in any given network information system of the class and the vulnerability level corresponding to each, is specifically configured to: using the M vulnerabilities, filter out of the information system those vulnerabilities for which a corresponding security measure is in place, take the R vulnerabilities that remain in the information system after filtering as the vulnerabilities of the information system, and determine the vulnerability levels of the R vulnerabilities from those of the M vulnerabilities.

Technical Field

The invention relates to the technical field of network security and internet services, in particular to a method and a device for determining the security level of a network information system.

Background

The range of internet services is wide and includes all kinds of services provided to users over the internet, such as internet access services (broadband, 4G/5G, etc.), cloud computing services (IaaS, PaaS, SaaS, etc.), social network services (Weibo, WeChat, etc.), e-commerce services (Taobao, JD.com, etc.), internet financial services, and so on.

Cloud computing services are a typical internet service. Cloud computing is a model for accessing a scalable, elastic pool of shared physical or virtual resources over a network, with self-service provisioning and management of resources on demand. A cloud computing service is the capability of providing one or more resources via cloud computing through a defined interface.

Cloud computing services can be classified into public, private and hybrid clouds according to who shares the resources. A public cloud generally refers to a cloud made available to users by a third-party provider, usually over the Internet; different users, referred to as tenants, share the cloud computing resources. A private cloud is built for the exclusive use of one user, who owns the cloud computing infrastructure and controls how applications are deployed on it. A private cloud may be deployed behind the firewall of an enterprise data center or in a secure colocation facility; its core attribute is proprietary resources. A hybrid cloud combines a public cloud and a private cloud; typically the user keeps data in the private cloud and uses the computing resources of the public cloud.

The current general-purpose security evaluation of network information systems in China comprises classified-protection evaluation of information systems and information security risk assessment. The classified-protection evaluation process includes steps such as system classification, system filing, auditing and protection evaluation. The main standards followed are as follows:

(1) Classified criteria for security protection of computer information systems (GB 17859-);

(2) Implementation guide for classified protection of information system security (GB/T 25058-2010) (basic standard);

(3) Classification guide for classified protection of information system security (GB/T 22240-);

(4) Baseline for classified protection of information system security (GB/T 22239-);

(5) Common security techniques requirement for information systems (GB/T 20271-2006) (application-class construction standard);

(6) Technical requirements of security design for information system classified protection (GB/T 25070-);

(7) Evaluation requirement for classified protection of information system security (GB/T 28448) (application-class evaluation standard);

(8) Evaluation process guide for classified protection of information system security (GB/T 28449-2012) (application-class evaluation standard);

(9) Information system security management requirements (GB/T 20269-2006) (application-class management standard);

(10) Information system security engineering management requirements (GB/T 20282-2006) (application-class management standard).

Information security risk assessment is the foundational work and an important link of information security assurance, running through the entire construction and operation of networks and information systems. The service provider offers a risk assessment service for the information system: it systematically analyses the threats faced by the network and information system and the vulnerabilities those threats can exploit, assesses the extent of possible harm once a security event occurs, proposes targeted protective countermeasures and remediation measures against the threats, prevents and eliminates information security risk or controls it to an acceptable level, and so provides a scientific basis for network and information security assurance. The main standard is GB/T 20984-2007, Information security technology - Risk assessment specification for information security.

The existing standards analyse and evaluate the risk of an information system; they do not determine or quantify the security level of the information system.

Disclosure of Invention

In view of this, the present application provides a method and an apparatus for determining the security level of a network information system, which can evaluate the security level of the entire network information system on the basis of risk and vulnerability.

In order to solve the technical problem, the technical scheme of the application is realized as follows:

a method for determining the security level of a network information system, the method comprising:

acquiring the risk level of each risk point of a class of network information systems;

determining, from the risk level of each risk point, the vulnerability levels of M vulnerabilities of that class of network information systems;

determining, from the M vulnerabilities and their vulnerability levels, the R vulnerabilities present in any given network information system of that class and the vulnerability level corresponding to each of the R vulnerabilities, where R is an integer not greater than M;

and determining the security level of that network information system from the R vulnerabilities so determined and their corresponding vulnerability levels.

An apparatus for determining the security level of a network information system, the apparatus comprising an acquisition unit, a first determining unit, a second determining unit and a third determining unit;

the acquisition unit is configured to acquire the risk level of each risk point of a class of network information systems;

the first determining unit is configured to determine, from the risk level of each risk point acquired by the acquisition unit, the vulnerability levels of M vulnerabilities of that class of network information systems;

the second determining unit is configured to determine, from the M vulnerabilities and the vulnerability levels determined by the first determining unit, the R vulnerabilities present in any given network information system of that class and the vulnerability level corresponding to each, where R is an integer not greater than M;

and the third determining unit is configured to determine the security level of that network information system from the R vulnerabilities determined by the second determining unit and their corresponding vulnerability levels.

According to this technical scheme, the existing process for determining risk levels is used in reverse to determine the vulnerability level of each vulnerability, and the vulnerability levels so determined are then used to determine the security level of the network information system. The scheme can evaluate the security level of the whole network information system on the basis of risk and vulnerability.

Drawings

Fig. 1 is a schematic flowchart of the security level determination for an information system in an embodiment of the present application;

Fig. 2 is a schematic structural diagram of an apparatus applying the above technique in an embodiment of the present application.

Detailed Description

In order to make the objects, technical solutions and advantages of the present invention more clearly apparent, the technical solutions of the present invention are described in detail below with reference to the accompanying drawings and examples.

The embodiment of the present application provides a method for determining the security level of a network information system, which uses the existing process for determining risk levels in reverse to determine the vulnerability level of each vulnerability, and then uses the vulnerability levels so determined to determine the security level of the network information system. The scheme can evaluate the security level of the whole network information system on the basis of risk and vulnerability.

The following describes in detail a security level determination process implemented in a network information system in an embodiment of the present application with reference to the accompanying drawings.

For convenience of description, the device that determines the security level of the network information system is referred to simply as the device. The device may perform all the steps of Fig. 1 described below, or each step may be performed by a separate device; this embodiment takes a single device performing all the steps of Fig. 1 as an example.

Referring to Fig. 1, Fig. 1 is a schematic flowchart of the security level determination for an information system implemented in an embodiment of the present application. The method comprises the following specific steps:

Step 101: the device acquires the risk level of each risk point of a class of network information systems.

This step may obtain the risk level of each risk point of the class of network information systems as determined by any existing method, or may read the risk levels directly from a database in which they were stored after being determined in some manner. A brief account of how the risk level of each risk point of a class of network information systems is determined follows:

the information security risk assessment is to systematically analyze threats faced by an information system and the existing vulnerabilities of the threats from the perspective of risk management by applying scientific methods and means and assess the degree of possible damage once a security event occurs.

Risk assessment is developed around basic elements such as assets, threats, vulnerabilities and safety measures, and various attributes related to the basic elements such as business strategy, asset value, safety requirements, safety events, participation risks and the like need to be fully considered in the assessment process of the basic elements.

Three basic elements of assets, threats and vulnerabilities are involved in risk analysis. Each element has a respective attribute, and the attribute of the asset is an asset value; the attribute of the threat may be the threat subject, the influencing object, the frequency of occurrence, the motivation, etc.; the attribute of vulnerability is the severity of asset vulnerability.

The main contents of the risk analysis are:

a) identifying assets and assigning a value to each asset;

b) identifying threats, describing their attributes and assigning a value to the frequency of each threat;

c) identifying vulnerabilities and assigning a value to the severity of each vulnerability of a specific asset;

d) judging the likelihood of a security event from the threat and from how easily the threat can exploit the vulnerability;

e) calculating the loss caused by a security event from the severity of the vulnerability and the value of the asset it acts on;

f) calculating, from the likelihood of the security event and the loss once it occurs, the impact of the event on the organisation should it occur, i.e. the risk value.

Risk analysis is performed on a class of network information systems and a model is established mapping risk to elements such as vulnerability and assets. A class of network information systems may have several risk points, and the model established for each risk point can be written R = E(A, V, T), where A is the asset value, V the vulnerability severity, T the threat level, E the risk analysis model and R the risk level of the risk point.

The values taken by the risk levels, and similar details, may be decided by the specific implementation adopted and are not limited by the embodiments of the present application. In general, a graded set of risk values for a class of network information systems may be formed on the basis of current international and domestic standards, expert experience, and the like.

In a specific implementation, the relationship between the value of the risk level and the risk may be either:

the larger the value of the risk level, the higher the system risk;

or

the larger the value of the risk level, the lower the system risk.

The present application does not restrict this. If an existing method expresses risk levels as high, medium and low, they may be quantified as 1, 2, 3 or as 3, 2, 1, according to the specific implementation of the present application.

Step 102: the device determines the vulnerability levels of the M vulnerabilities of the class of network information systems from the risk level of each risk point.

In this step, the vulnerability levels of the M vulnerabilities of the class of network information systems are determined from the risk levels of the risk points, specifically:

when a vulnerability corresponds to one risk point, the vulnerability level of that vulnerability is the risk level of that risk point;

when a vulnerability corresponds to several risk points, the vulnerability level of that vulnerability is the risk level of the risk point with the highest risk level value among them.

M is an integer greater than 0.

In the following example, M is 3 and the total number of security levels configured for the system is 4.

The class of network information systems is determined to have 3 corresponding vulnerabilities, V1, V2 and V3, and the system security levels are the first, second, third and fourth levels, with values 1, 2, 3 and 4 respectively. The larger the value of a vulnerability's level, the greater the harm to the information system.

If V1 corresponds to one risk point, the vulnerability level of V1 is the risk level of that risk point; if that risk level is the second level, the value of the vulnerability level of V1 is 2.

If V2 corresponds to several risk points, the vulnerability level of V2 is the risk level of the risk point with the highest risk level value among them; if that risk level is the third level, the value of the vulnerability level of V2 is 3.

If V3 corresponds to one risk point, the vulnerability level of V3 is the risk level of that risk point; if that risk level is the third level, the value of the vulnerability level of V3 is 3.

This embodiment applies to the scenario in which a class of network information systems provides the same type of service. In that scenario the threats faced are the same regardless of who the service provider is, so the threat level is constant. Since vulnerability is a property of the asset itself, there is a functional relationship between vulnerability and asset that allows one to be transformed into the other, i.e. the vulnerability can stand in for the asset. Considering only vulnerability when determining the security level is therefore a feasible approach.

Thus the risk model R = E(A, V, T) established above can be simplified to R = E(V(A), C(T)),

where T is a constant, written C(T), and where the vulnerability V, being a property of the asset, is a quantity related to A, written V(A).

So simplified, the level of each risk point depends only on the variable vulnerability, and it is therefore reasonable to use the risk level to determine the vulnerability level of the vulnerability.

Step 103: the device determines, from the M vulnerabilities and their vulnerability levels, the R vulnerabilities present in any given network information system of the class and the vulnerability level corresponding to each, where R is an integer not greater than M.

In this step, determining the R vulnerabilities and their levels from the M vulnerabilities and their levels comprises:

using the M vulnerabilities, filtering out of the information system those vulnerabilities for which a corresponding security measure is in place, taking the R vulnerabilities that remain in the information system after filtering as the vulnerabilities of the information system, and determining the vulnerability levels of the R vulnerabilities from those of the M vulnerabilities.

That is, the vulnerabilities present in the information system that are covered by a corresponding security measure are filtered out, leaving only those that match this class of information system and have no security measure.

If M is 100, 80 of the 100 vulnerabilities are present in the network information system, and 30 of those are covered by security measures, then 50 vulnerabilities remain in the network information system after filtering.

Step 104: the device determines the security level of the network information system from the R vulnerabilities so determined and their corresponding vulnerability levels.

In this step, determining the security level from the R vulnerabilities and their levels comprises:

when the value N - i appears among the vulnerability level values of the R vulnerabilities and no value larger than N - i appears, the value of the security level of the information system is i + 1, where N is the total number of security levels configured for the system and i is an integer from 0 to N - 1; when R is 0, the security level of the system is the highest level. R equal to 0 shows that the network information system has no unmitigated vulnerability, so its security is the highest.

Continuing the example of step 102, with M = 3 and R = 3, the vulnerability level values of the three vulnerabilities are 2, 3 and 3.

With N = 4, the maximum value is 3, i.e. N - i = 3 and i = 1, so the security level of the information system is i + 1 = 1 + 1 = 2.

In this embodiment, two consistent conventions are possible. Under the first, a larger risk level value means higher system risk, a larger vulnerability level value means higher system vulnerability, and a larger security level value means higher system security.

Under the second, a larger risk level value means lower system risk, a larger vulnerability level value means lower system vulnerability, and a larger security level value means lower system security.
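Steps 102 to 104 above (and claims 2, 3 and 5, which restate them) are small enough to implement end to end. The following Python is an added worked example, not code from the patent or its authors; the function names, the sample risk points and the choice of the first convention ("larger value means higher risk") are assumptions made here. It reproduces the page's own numbers: M = 3, N = 4 and vulnerability levels 2, 3, 3 give security level 2; R = 0 gives the highest level; and 100 vulnerabilities, 80 present, 30 mitigated leave 50.

```python
from typing import Dict, Iterable, Mapping, Set, Tuple


def vulnerability_levels(vuln_to_risk_points: Mapping[str, Iterable[str]],
                         risk_levels: Mapping[str, int]) -> Dict[str, int]:
    """Step 102 / claim 2: grade each of the M vulnerabilities of the class.

    A vulnerability mapped to one risk point takes that risk point's level; one
    mapped to several takes the highest level value among them.  Assumes the
    convention 'larger value = higher risk'; under the reverse convention the
    page's 'highest value' rule would pick the least risky point, so fix the
    convention before grading.
    """
    levels: Dict[str, int] = {}
    for vuln, points in vuln_to_risk_points.items():
        points = list(points)
        if not points:
            raise ValueError(f"{vuln} is mapped to no risk point and cannot be graded")
        levels[vuln] = max(risk_levels[p] for p in points)
    return levels


def filter_vulnerabilities(m_levels: Mapping[str, int],
                           present: Set[str],
                           mitigated: Set[str]) -> Dict[str, int]:
    """Step 103 / claim 5: of the M graded vulnerabilities, keep the R that are
    present in the concrete system and have no corresponding security measure.
    The R vulnerabilities inherit their levels from the M-level table."""
    unknown = present - set(m_levels)
    if unknown:
        raise ValueError(f"not among the M graded vulnerabilities: {sorted(unknown)}")
    return {v: m_levels[v] for v in sorted(present - mitigated)}


def security_level(r_levels: Mapping[str, int], n_levels: int) -> int:
    """Step 104 / claim 3: with N configured security levels, if the largest
    vulnerability level value among the R vulnerabilities is N - i, the
    security level value is i + 1.  R == 0 means the highest level, N."""
    if not r_levels:
        return n_levels
    top = max(r_levels.values())
    i = n_levels - top
    if not 0 <= i <= n_levels - 1:
        # A level outside 1..N would put i outside 0..N-1; reject rather than clamp.
        raise ValueError(f"vulnerability level {top} is outside 1..{n_levels}")
    return i + 1


def grade_system(vuln_to_risk_points: Mapping[str, Iterable[str]],
                 risk_levels: Mapping[str, int],
                 present: Set[str],
                 mitigated: Set[str],
                 n_levels: int) -> Tuple[Dict[str, int], int]:
    """Steps 102-104 end to end: (R vulnerabilities with levels, security level)."""
    m_levels = vulnerability_levels(vuln_to_risk_points, risk_levels)
    r_levels = filter_vulnerabilities(m_levels, present, mitigated)
    return r_levels, security_level(r_levels, n_levels)


# Constructed sample (assumed, not from the page) matching its worked numbers: M = 3, N = 4.
# V1 -> one risk point graded 2; V2 -> three risk points, highest 3; V3 -> one graded 3.
SAMPLE_RISK_LEVELS = {"RP1": 2, "RP2": 1, "RP3": 3, "RP4": 2, "RP5": 3}
SAMPLE_VULN_MAP = {"V1": ["RP1"], "V2": ["RP2", "RP3", "RP4"], "V3": ["RP5"]}

if __name__ == "__main__":
    r, level = grade_system(SAMPLE_VULN_MAP, SAMPLE_RISK_LEVELS,
                            present={"V1", "V2", "V3"}, mitigated=set(), n_levels=4)
    print(r, level)  # {'V1': 2, 'V2': 3, 'V3': 3} 2
    # Mitigating both level-3 vulnerabilities leaves V1 (level 2): N - i = 2, i = 2, level 3.
    print(grade_system(SAMPLE_VULN_MAP, SAMPLE_RISK_LEVELS,
                       {"V1", "V2", "V3"}, {"V2", "V3"}, 4)[1])  # 3
```

Two points the prose leaves implicit are made explicit here: the grading only works once one of the two value conventions has been fixed for risk, vulnerability and security level alike, and a vulnerability level outside 1..N cannot be mapped to a security level by the N - i rule and is rejected rather than silently clamped.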

Based on the same inventive concept, the embodiment of the present application also provides an apparatus for determining the security level of a network information system. Referring to Fig. 2, Fig. 2 is a schematic structural diagram of an apparatus applying the above technique in an embodiment of the present application. The apparatus comprises an acquisition unit 201, a first determining unit 202, a second determining unit 203 and a third determining unit 204;

the acquisition unit 201 is configured to acquire the risk level of each risk point of a class of network information systems;

the first determining unit 202 is configured to determine, from the risk level of each risk point acquired by the acquisition unit 201, the vulnerability levels of M vulnerabilities of that class of network information systems;

the second determining unit 203 is configured to determine, from the M vulnerabilities and the vulnerability levels determined by the first determining unit 202, the R vulnerabilities present in any given network information system of that class and the vulnerability level corresponding to each, where R is an integer not greater than M;

the third determining unit 204 is configured to determine the security level of that network information system from the R vulnerabilities determined by the second determining unit 203 and their corresponding vulnerability levels.

Preferably,

the first determining unit 202, when determining the vulnerability levels of the M vulnerabilities of the class of network information systems from the risk level of each risk point, is specifically configured to: when a vulnerability corresponds to one risk point, determine the vulnerability level of that vulnerability to be the risk level of that risk point; when a vulnerability corresponds to several risk points, determine the vulnerability level of that vulnerability to be the risk level of the risk point with the highest risk level value among them.

Preferably,

the third determining unit 204, when determining the security level of the network information system from the R vulnerabilities so determined and their corresponding vulnerability levels, is specifically configured to: when the value N - i appears among the vulnerability level values of the R vulnerabilities and no value larger than N - i appears, determine the value of the security level of the information system to be i + 1; when R is 0, determine the security level of the system to be the highest level; where N is the total number of security levels of the network information system configured by the system, and i is an integer from 0 to N - 1.

Preferably, either:

a larger risk level value denotes higher system risk, a larger vulnerability level value denotes higher system vulnerability, and a larger security level value denotes higher system security;

or a larger risk level value denotes lower system risk, a larger vulnerability level value denotes lower system vulnerability, and a larger security level value denotes lower system security.

Preferably,

the second determining unit 203, when determining from the M vulnerabilities and their vulnerability levels the R vulnerabilities present in any given network information system of the class and the vulnerability level corresponding to each, is specifically configured to: using the M vulnerabilities, filter out of the information system those vulnerabilities for which a corresponding security measure is in place, take the R vulnerabilities that remain in the information system after filtering as the vulnerabilities of the information system, and determine the vulnerability levels of the R vulnerabilities from those of the M vulnerabilities.

The units of the above embodiments may be integrated in one unit or deployed separately; they may be combined into a single unit or further divided into several sub-units.

In summary, the present application uses the existing process for determining risk levels in reverse to determine the vulnerability level of each vulnerability, and then uses the vulnerability levels so determined to determine the security level of the network information system. The scheme can evaluate the security level of the whole network information system on the basis of risk and vulnerability.

The security of the whole internet service is evaluated from the perspective of risk rather than being confined to particular technical requirements. This has the advantage, first, of covering all aspects of the internet service and taking the security of the whole system fully into account; and second, of adapting to technological development: when new technology appears on the internet, its security requirements necessarily change, whereas a risk-based model of internet service security evaluation is not affected by the new technology.

The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.
