A Study on Interface Security Enhancement

A Study on Strengthening 'Interface Security' to Establish an Organization's Real-Time Security Management System

  • Received : 2015.01.12
  • Accepted : 2015.02.28
  • Published : 2015.05.31

Abstract

Because a specific security technology alone cannot cope with sophisticated attacks, various security management models are applied. However, they do not focus on the most vulnerable part, because they offer so many general security management criteria. By analyzing the major information and confidential-data leakage cases that inflicted enormous damage on our society, we found that attackers mainly exploited 'interface' vulnerabilities: the paths that connect the inside and outside of the organization, such as e-mail, web servers, portable storage devices, and subcontractor employees. Considering the reality that the time and resources available to invest in the security domain are limited, we point out the interface security vulnerabilities that attackers are most likely to exploit and present a converged set of security measures. Finally, based on ROI (Return on Investment), we propose a real-time security management system built on intensive and continuous management of those interfaces.

Because a specific security technology alone cannot defend against increasingly sophisticated attacks, various security management models such as ISMS (Information Security Management System) are being applied, but they present general security management measures for too many items and therefore have the drawback of not concentrating on the areas of highest vulnerability. Analyzing the major information and confidential-data leakage incidents that have inflicted enormous damage on our society in recent years, we found that attackers mainly exploited vulnerabilities in 'interfaces', the channels that connect the inside and outside of an organization, such as e-mail, web servers, portable storage media, and subcontractor employees. Taking into account the reality that the time and resources that can be invested in security are limited, we identify the current state of security for the interfaces that attackers are most likely to abuse, present security measures that converge the managerial, technical, and physical aspects, and propose a framework that enables cost-effective real-time security management of the organization through focused and continuous management of those interfaces.
