http://dx.doi.org/10.13089/JKIISC.2021.31.4.779

A Study on Web Vulnerability Risk Assessment Model Based on Attack Results: Focused on Cyber Kill Chain

Jin, Hui Hun (Korea University)
Kim, Huy Kang (Korea University)
Abstract
Common web services are continuously targeted by hackers because their access control policy must allow access to an unspecified number of people. To cope with this, companies regularly check for web vulnerabilities and take measures according to the risk of each discovered vulnerability. The risk of these web vulnerabilities is calculated from prior statistics and self-assessments by related domestic and foreign organizations. However, unlike static diagnosis of security settings and source code, a web vulnerability check is performed through dynamic diagnosis. Even for the same vulnerability item, various attack results can be derived, and the degree of risk may vary with the diagnosed target and its environment. In this respect, the predefined risk level may differ from the actual risk of the vulnerability. To improve on this point, this paper presents a web vulnerability risk assessment model based on attack results, centered on the cyber kill chain.
Keywords
Web vulnerability; Risk assessment; Cyber Kill Chain
Times Cited By KSCI: 2