• Journal of Internet Computing and Services
• /
• v.18 no.5
• /
• pp.113-121
• /
• 2017

Company A's core competency is IT internet security services. The Web diagnosis team analyzes the vulnerability of customer's internet web servers and provides remedy reports. Traditionally, Company A management has utilized a simple table format report for resource planning. But these reports do not notify the timing of human resource commitment. So, upper management asked its team leader to organize a task team and design a visual dashboard for decision making with the help of outside professional. The Task team selected the web security diagnosis practice process as a pilot and designed a dashboard for performance evaluation. A structural design process was implemented during the heuristic working process. Some KPI (key performance indicators) for checking the productivity of internet web security vulnerability reporting are recommended with the calculation logics. This paper will contribute for security service management to plan and address KPI design policy, target process selection, and KPI calculation logics with actual sample data.

• Journal of Electrical Engineering and Technology
• /
• v.9 no.6
• /
• pp.1864-1872
• /
• 2014

Maloperation of protective relays is one of the major causes for cascading tripping in WANS. Another line trip followed by a previous line trip may occur due to overloading of the line, because of the load redistribution or unwanted trip of a backup relay due to change in the flow of fault current. Evaluation of each line is required by considering both of these effects. A new index named Line Security Index (LSI) is proposed in this paper which combines both Vulnerability Index (VI) and Protectability Index (PI) to completely evaluate the security of individual lines and their importance in the power grid. Computer simulations have been performed on the Korean power grid data to establish the feasibility of the proposed idea.

• International journal of advanced smart convergence
• /
• v.10 no.4
• /
• pp.22-29
• /
• 2021

For web application vulnerability diagnosis, from the development stage to the operation stage, it is possible to stably operate the web only when there is a policy that is commonly applied to each task through diagnosis of vulnerabilities, removal of vulnerabilities, and rapid recovery from web page damage. KISA presents 28 evaluation items for technical vulnerability analysis of major information and communication infrastructure. In this paper, we diagnose the vulnerabilities in the automobile goods shopping mall website and suggest security measures according to the vulnerabilities. As a result of diagnosing 28 items, major vulnerabilities were found in three items: cross-site scripting, cross-site request tampering, and insufficient session expiration. Cookie values were exposed on the bulletin board, and personal information was exposed in the parameter values related to passwords when personal information was edited. Also, since the session end time is not set, it was confirmed that session reuse is always possible. By suggesting security measures according to these vulnerabilities, the discovered security threats were eliminated, and it was possible to prevent breaches in web applications and secure the stability of web services.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.6
• /
• pp.1539-1552
• /
• 2018

The necessity of establishing a more secure cyber security system is emerging to protect NPP against cyber attacks as nuclear facilities become increasingly reliant on digital system. Proper security measures should be established through periodic analysis and evaluation of vulnerabilities. However, as Nuclear facilities has safety characteristics as their top priority and it requires a lot of time and cost to construct regarding the activities for vulnerability analysis, it is difficult to apply the existing vulnerability analysis environment and analysis tools. In this study, We propose a analytical vulnerability assessment method to overcome the limitations of existing vulnerability analysis methods through analysis the existing vulnerability analysis methods and the issues to be considered when applying the vulnerability analysis method.

• Journal of the Korea Academia-Industrial cooperation Society
• /
• v.18 no.7
• /
• pp.1-8
• /
• 2017

As the IT environment becomes more sophisticated, various threats and their associated serious risks are increasing. Threats such as DDoS attacks, malware, worms, and APT attacks can be a very serious risk to enterprises and must be efficiently managed in a timely manner. Therefore, the government has designated the important system as the main information communication infrastructure in consideration of the impact on the national security and the economic society according to the 'Information and Communication Infrastructure Protection Act', which, in particular, protects the main information communication infrastructure from cyber infringement. In addition, it conducts management supervision such as analysis and evaluation of vulnerability, establishment of protection measures, implementation of protection measures, and distribution of technology guides. Even now, security consulting is proceeding on the basis of 'Guidance for Evaluation of Technical Vulnerability Analysis of Major IT Infrastructure Facilities'. There are neglected inspection items in the applied items, and the vulnerability of APT attack, malicious code, and risk are present issues that are neglected. In order to eliminate the actual security risk, the security manager has arranged the inspection and ordered the special company. In other words, it is difficult to check against current hacking or vulnerability through current system vulnerability checking method. In this paper, we propose an efficient method for extracting diagnostic data regarding the necessity of upgrading system vulnerability check, a check item that does not reflect recent trends, a technical check case for latest intrusion technique, a related study on security threats and requirements. Based on this, we investigate the security vulnerability management system and vulnerability list of domestic and foreign countries, propose effective security vulnerability management system, and propose further study to improve overseas vulnerability diagnosis items so that they can be related to domestic vulnerability items.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.1
• /
• pp.179-186
• /
• 2018

The number of devices connect to the internet is rapidly increasing with the advent of the IoT(Internet of Things). The IoT has improved the convenience of life. However, it makes security issues such as privacy violations. Therefore cybersecurity is the most important issue to be discussed nowadays. Especially, various protocols are used for same purpose due to rapidly increase of IoT market. To deal with this security threat noble vulnerability analysis is needed. In this paper, we contribute to the IoT security by proposing a new randomness-based test case evaluation methodology using variance and entropy. The test case evaluation method proposed in this paper can evaluate the test cases at a high speed regardless of the test set size, unlike the traditional technique.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.4
• /
• pp.885-895
• /
• 2017

Security issues arise due to various types of external intrusions as much as the rapidly changing IT environment. Attacks using vulnerabilities in web applications are increasing, and companies are trying to find the cause of the vulnerability, prevent external intrusion, and protect their systems and important information. Especially, according to the Supervision Regulation, each financial institution and electronic financial service provider shall perform vulnerability analysis evaluation for the website for disclosure once every six months and report the result to the Financial Services Commission. In this study, based on the Web vulnerability items defined in the Supervision Regulation, based on the inspection cases of actual financial institution, we analyze the most frequently occurring items and propose effective countermeasures against them and ways to prevent them from occurring in advance.

• Journal of Korean Society of Disaster and Security
• /
• v.5 no.2
• /
• pp.43-48
• /
• 2012

As the major information communication infrastructure had been getting more important, 'Act on the Protection of Information and Communications Infrastructure'(APICI) was legislated in Korea 2001. Consequently, the major information system, nationwide monitering service systems and government administration operation & management systems have been registered and managed under the APICI. The authorized organizations related to above service and system, perform vulnerability analysis and evaluation for chief communication infrastructures by themselves or registered agencies. In this research, we propose an advanced model for vulnerability analysis and evaluation and apply it to the main information and communication infrastructures through the case study. We hope each related organization could apply this model for analysis and evaluation of vulnerability in these infrastructures.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.13 no.5
• /
• pp.69-79
• /
• 2003

We analyze key business process by using IDEF method in the perspective of business continuity, identify key information assets by using Skandia model, and use Nessus Version 1.4.2 to assess vulnerability about the sever of library information system according to OCTAVE(The Operationally Critical Threat, Asset, and Vulnerability Evaluation) approach. We suggest the vulnerability assessment case for introducing improved OCTAVE method including IDEF method and Skandia model.

• Convergence Security Journal
• /
• v.6 no.4
• /
• pp.133-140
• /
• 2006

For the verification of the security level against a IT product development environment, we should analyze the vulnerability and the various threatening factors which exists in the IT product development environment. Also we need the evaluation criteria and tools for the evaluation and improvement of the level of information security. For that, we need evaluation indices and the standard it will be able to improve the evaluation methodology in the actual IT product development environment which will reach it will be able to apply must be researched. In this study, our aims are the development of verification tools for the security level of IT product development environment.