• ETRI Journal
• /
• 제31권5호
• /
• pp.554-564
• /
• 2009

In information security and network management, attacks based on vulnerabilities have grown in importance. Malicious attackers break into hosts using a variety of techniques. The most common method is to exploit known vulnerabilities. Although patches have long been available for vulnerabilities, system administrators have generally been reluctant to patch their hosts immediately because they perceive the patches to be annoying and complex. To solve these problems, we propose a security vulnerability evaluation and patch framework called PKG-VUL, which evaluates the software installed on hosts to decide whether the hosts are vulnerable and then applies patches to vulnerable hosts. All these operations are accomplished by the widely used simple network management protocol (SNMP). Therefore, system administrators can easily manage their vulnerable hosts through PKG-VUL included in the SNMP-based network management systems as a module. The evaluation results demonstrate the applicability of PKG-VUL and its performance in terms of devised criteria.

• Proceedings of the Korea Information Processing Society Conference
• /
• 한국정보처리학회 2003년도 춘계학술발표논문집 (하)
• /
• pp.2121-2124
• /
• 2003

정보보호시스템의 국제공통평가기준인 CC(또는 ISO/IEC 1540B)에서는 평가용 문서(즉, 제출물)에 대한 세부지침을 포함하지 않고 있으므로, CC기반 평가체계를 구축하기 위해서는 문서 스키마(즉, 목차와 내용요구사항)를 개발해야 한다. 본 논문에서는 CC기반 평가체계에서 활용할 수 있는 문서 스키마를 개발하였다. CC내의 보증클래스로부터 Weakest precondition함수, 문서량 축소규칙, 문서 종속성 분석방법을 적용하여 문서스키마와 DTD를 개발하였다. 본 연구의 접근방법은 소프트웨어 품질의 평가체계에서 사용할 문서스키마 또는 DTD를 개발하는데 응용될 수 있다.

• The Journal of Society for e-Business Studies
• /
• 제20권4호
• /
• pp.241-256
• /
• 2015

In order to ensure that all firms are cyber-secure, many governments have started to enforce the implementation of various security measures on firms. Prior to the implementation, however, it is vague whether government enforced security measures will be effective for mitigating cyber-security risks. By applying a method for estimating the effectiveness of a mandatory seatbelt law in reducing fatalities from motor vehicle accidents, this study develops an ex ante evaluation method that can approximate the effectiveness of a government enforced security measure in reducing country-wide or industry-wide cyber-security risks. Using data obtained from the Korean Internet and Security Agency, this study then explores how to employ the developed method to assess the effectiveness of a specific security measure in mitigating cyber-security risks, if enforced by the government, and compares the effectiveness of various security measures. The comparison shows that compulsory security training has the highest effectiveness.

• Korean Management Science Review
• /
• 제13권2호
• /
• pp.49-59
• /
• 1996

The use of advanced electronic security system is growing quickly to protect properties and life. However, customers cannot select appropriate configuration of the system because there are no objective evaluation methods to measure the security ability of the system. Furthermore, the system suppliers cannot propose quantitative value of security ability of the system. This study suggests an objective evaluation and selection method that customers and suppliers can use to base his or her decision when choosing the most appropriate configuration of the system. Our method identifies 6 characteristics and 20 sub- characteristics of the electronic security system, calculates their weights, and decides the best configuration. We use AHP (Analytic Hierarchy Process) to assign the weights of characteristics. Finally, this paper gives an example to compare four alternative configurations of the system.

• Journal of Advanced Navigation Technology
• /
• 제15권6호
• /
• pp.1098-1103
• /
• 2011

In spite of many advantages of cloud computing, security concerns are a barrier in users' adopting the cloud service. In this paper, we evaluate relative priorities between security attributes of ISO 7498-2 standards affecting overall security quality in cloud computing. For an objective evaluation, the fuzzy AHP(Analytic hierarchical process) is applied. The evaluation results represented the relative priority with concrete number can be an effective management method to choose and develop the cloud computing service.

• Journal of KIISE:Computer Systems and Theory
• /
• 제36권5호
• /
• pp.380-386
• /
• 2009

It is most important that identifying security threats(or vulnerabilities) of critical IT assets and checking the propriety of related security countermeasures in advance for enhancing security level. In this paper, we present a new security risk evaluation scheme based on critical assets and threats for this. The presented scheme provides the coverage and propriety of the countermeasures(e.g., intrusion detection rules and vulnerability scan rules, etc.), and the quantitative risk level of identified assets and threats. So, it is expected that the presented scheme will be utilized in threat management process efficiently compared to previous works.

• Convergence Security Journal
• /
• 제20권2호
• /
• pp.29-35
• /
• 2020

The cyber attacks targeting the systems of national and public organizations in the front line of cyber security have been advanced, and the number of cyber attacks has been on the constant rise. In this circumstance, it is necessary to develop the security evaluation technology to prevent cyber attacks to the systems of national and public organizations. Most of the studies of the vulnerability analysis on the information systems of national and public organizations almost focus on automation. In actual security inspection, it is hard to automate some parts. In terms of security policies for threats, many different plans have been designed and applied in the managerial, physical, and technical fields, giving particular answers no matter how they are subjective or situational. These tendencies can be standardized in OCIL(Open Checklist Interactive Language), and partial automation can be achieved. Therefore, this study tries to implement XML Converter in order for OCIL based security level evaluation with typical evaluation questions.

• Smart Media Journal
• /
• 제11권3호
• /
• pp.54-61
• /
• 2022

With the increase in the types of information systems managed by public institutions and companies, a security certification system is being implemented in Korea to quickly respond to vulnerabilities that may arise due to insufficient security checks. The korea security evaluation system, such as ISMS-P, performs a systematic security evaluation for each category by dividing the categories for technical inspection items. NIST in the United States has developed SCAP that can create security checklists and automate vulnerability checks, and the security checklists used for SCAP can be written in OVAL. Each manufacturer prepares a security check list and shares it through the SCAP community, but it's difficult to use it in Korea because it is not categorized according to the korea security evaluation system. Therefore, in this paper, we present a mechanism to categorize the OVAL definition, which is an inspection item written in OVAL, to apply SCAP to the korea security evaluation system. It was shown that 189 out of 230 items of the Red Hat 8 STIG file could be applied to the korea security evaluation system, and the statistics of the categorized Redhat definition file could be analyzed to confirm the trend of system vulnerabilities by category.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• 제14권1호
• /
• pp.25-34
• /
• 2004

Common Criteria(CC, ISO/IEC 15408) is an international standard for evaluation of Information Suity Systems(ISS). There need a suitable evidence of estimation of evaluation cost in an evaluation facility under the CC-based evaluation and assurance scheme. In this paper, we propose an evaluation effort model, which is based not only on assurance-level but also on product-type of ISS, by means of real experience of real evaluators, use-ratio concept and the Function Point of security function. The model is based not on a real evaluation environment of evaluation facility, but on CC, public PPs and product specific STs. Our result might be used as a basic model for estimation of evaluation cost and time of ISS in an CC-based evaluation and assurance scheme.

• Journal of Digital Convergence
• /
• 제12권9호
• /
• pp.159-168
• /
• 2014

With the advancement of internet and mobile communication devices, mobile banking such as internet banking, internet loan and smart phones related to the people's economic activities using mobile communication devices is becoming increasingly more popular. Various security systems to prevent such new crimes are being introduced and the security system market is anticipated to continuously increase substantially in the future. Accordingly, qualitative advancement of the security systems are also in continuous demand. Therefore, this thesis proposes the method and system for quality evaluation of the network access control system by proposing testing and evaluating method for the relevant system through surveying and analyzing the tend in the foundation technologies and standards in the area of network access control system, which is one of the security systems, in order to cope with the demands for the evaluation of the quality of the security system as the security system product market is anticipated to grow continuously.