A Study on the Importance of Control Items of NIST SP 800-53 by Mapping CVE and STIG/SRG

  • Se-Eun Kim (Division of Artificial Intelligence, Kongju National University);
  • Hyo-Beom Ahn (Division of Artificial Intelligence, Kongju National University)
  • Received: 2024.09.30
  • Reviewed: 2024.10.28
  • Published: 2024.11.29

Abstract


The U.S. federal government established NIST SP 800-53 in response to the need for vulnerability management, and MITRE manages security vulnerabilities through CVE numbers. Although the relationship between NIST SP 800-53 and CVE is a crucial factor in vulnerability management, it is not clearly defined, which makes it difficult for security managers to identify the control items that address the latest vulnerabilities. This study analyzes the relationship between NIST SP 800-53 and CVE in order to set priorities for evaluating security control items: controls that are frequently associated with CVEs should be evaluated and improved first. The study derived the relevance of NIST SP 800-53 security controls by mapping CVEs to STIG/SRG, and used the SecBERT, CyBERT, and RankT5 models to automate this mapping. The results confirmed the need to prioritize the improvement of specific security controls.
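As an added illustration of the aggregation step described above (not code from the paper), the following script follows each CVE through its model-matched STIG/SRG rules to NIST SP 800-53 controls and ranks the controls by how many distinct CVEs reach them. It assumes that STIG/SRG rules are tied to SP 800-53 controls through CCIs (the standard DISA linkage, not stated on this page), and all CVE, rule, CCI identifiers and similarity scores below are constructed sample values standing in for the model output.

```python
from collections import defaultdict

# Constructed sample data: CVE -> [(STIG/SRG rule id, similarity score)]
# as a model-based mapping step might produce. Ids are placeholders.
CVE_TO_RULE = {
    "CVE-0000-0001": [("SV-EX-1", 0.91), ("SV-EX-2", 0.55)],
    "CVE-0000-0002": [("SV-EX-2", 0.88)],
    "CVE-0000-0003": [("SV-EX-1", 0.80), ("SV-EX-3", 0.75)],
    "CVE-0000-0004": [("SV-EX-3", 0.40)],  # weak match, dropped at 0.7
}
# Constructed: STIG/SRG rule -> CCIs it implements (assumed linkage).
RULE_TO_CCI = {
    "SV-EX-1": ["CCI-EX-A", "CCI-EX-B"],
    "SV-EX-2": ["CCI-EX-B"],
    "SV-EX-3": ["CCI-EX-C", "CCI-EX-D"],
}
# Constructed: CCI -> NIST SP 800-53 control. Two CCIs may point at
# the same control, so a CVE must be counted once per control.
CCI_TO_CONTROL = {
    "CCI-EX-A": "SI-2",
    "CCI-EX-B": "CM-6",
    "CCI-EX-C": "IA-5",
    "CCI-EX-D": "CM-6",
}


def controls_for_cve(cve, threshold=0.7):
    """Follow CVE -> rule -> CCI -> control, keeping rule matches at or above threshold."""
    controls = set()
    for rule, score in CVE_TO_RULE.get(cve, []):
        if score < threshold:
            continue
        for cci in RULE_TO_CCI.get(rule, []):
            control = CCI_TO_CONTROL.get(cci)
            if control:
                controls.add(control)
    return controls


def rank_controls(threshold=0.7):
    """Count distinct CVEs per control; highest count first, ties by control id."""
    cves_per_control = defaultdict(set)
    for cve in CVE_TO_RULE:
        for control in controls_for_cve(cve, threshold):
            cves_per_control[control].add(cve)
    ranked = [(c, len(s)) for c, s in cves_per_control.items()]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for control, count in rank_controls():
        print(f"{control}: {count} CVE(s)")  # CM-6 ranks first in this sample
```

Lowering the threshold admits weaker rule matches and changes the ranking, which is why the cut-off chosen for the model's similarity scores matters as much as the mapping itself.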

Funding

This work was supported by the research grant of the Kongju National University in 2023.
