CN113114647A - Network security risk detection method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN113114647A
Authority
CN
China
Prior art keywords
network
security
policy configuration
target system
safety
Legal status
Pending
Application number
CN202110357255.3A
Other languages
Chinese (zh)
Inventor
许旭
盛国军
唐宇
庄明旭
安景斌
张新硕
董亮
曾远毅
余涛
李晓龙
Current Assignee
Haier Digital Technology Qingdao Co Ltd
Haier Digital Technology Beijing Co Ltd
Qingdao Haier Industrial Intelligence Research Institute Co Ltd
Original Assignee
Haier Digital Technology Qingdao Co Ltd
Haier Digital Technology Beijing Co Ltd
Qingdao Haier Industrial Intelligence Research Institute Co Ltd
Application filed by Haier Digital Technology Qingdao Co Ltd, Haier Digital Technology Beijing Co Ltd and Qingdao Haier Industrial Intelligence Research Institute Co Ltd
Priority to CN202110357255.3A
Publication of CN113114647A

Classifications

    • H04L63/0263 Rule management (under H04L63/02 Separating internal from external traffic, e.g. firewalls; H04L63/0227 Filtering policies)
    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/14 Detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic)
    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/14; H04L63/1408)
    • H04L63/1433 Vulnerability analysis (under H04L63/14)
    • H04L63/20 Managing network security; network security policies in general
All five fall under H04L63/00 Network architectures or network communication protocols for network security (H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication).

Abstract

The embodiment of the invention relates to a method and a device for detecting network security risks, an electronic device and a storage medium, in the technical field of network security. The method includes: acquiring security record information of a target system; acquiring the network policy configuration of the target system; and obtaining the security vulnerability of the target system and the risk level of that vulnerability according to the security record information and the network policy configuration. The invention makes network security assessment more comprehensive and accurate, and makes the assessment result more objective.

Description

Network security risk detection method and device, electronic equipment and storage medium
Technical Field
The embodiment of the invention relates to the technical field of network security, in particular to a method and a device for detecting network security risks, electronic equipment and a storage medium.
Background
The basic purpose of a computer network is resource sharing. With the development of technology, more and more security factors affect a system, including, for example, the physical environment, the communication network, region boundaries, the computing environment, application systems, the security management system, the security management organization, security construction management, and security operation and maintenance management.
Existing security assessment systems mostly suffer from an assessment process that is too subjective, and from assessment results that are not comprehensive or accurate enough.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method and an apparatus for detecting a network security risk, an electronic device, and a storage medium, so as to perform a compliance pre-assessment of a network system and make the network security assessment more comprehensive and accurate.
Additional features and advantages of embodiments of the invention will be set forth in the detailed description which follows, or in part will be obvious from the description, or may be learned by practice of embodiments of the invention.
In a first aspect of the present disclosure, an embodiment of the present invention provides a method for detecting a network security risk, including:
acquiring safety record information of a target system;
acquiring the network policy configuration of the target system;
and acquiring the security vulnerability of the target system and the risk level of the security vulnerability according to the security record information and the network policy configuration.
In an embodiment, obtaining the security vulnerability of the target system and its risk level according to the security record information and the network policy configuration includes: importing the security record information and the network policy configuration into a predetermined script, and running the predetermined script to obtain the security vulnerability of the target system and its risk level.
In an embodiment, before importing the security record information and the network policy configuration into the predetermined script, the method further includes: generating a system topology graph of the target system according to the security record information and the network policy configuration; and obtaining the security vulnerability of the target system and its risk level according to the system topology graph.
In one embodiment, obtaining the security record information of the target system includes: obtaining the security record information of the target system that a user has filled in to a predetermined network security inspection statistics table.
In an embodiment, after obtaining the security vulnerability of the target system and the risk level of the security vulnerability, the method further includes:
if the risk level of the security vulnerability is higher than a preset level, informing the target system to repair the security vulnerability; and/or
And if the risk level of the security vulnerability is equal to or lower than the preset level, performing penetration test on the target system according to the security vulnerability.
In an embodiment, the security record information of the target system includes information on the owning organization, implementation of the security responsibility system, day-to-day network security management, basic information on the target system, network security protection measures, network security emergency work, network security education and training, and technical detection and network security incidents.
In an embodiment, the basic information on the target system includes system construction information, stored data information, internet access information, and network security classified protection (level protection) information.
In one embodiment, the network policy configuration includes a physical security policy configuration, an access control policy configuration, a firewall control policy configuration, an information encryption policy configuration, and a network security management policy configuration.
In an embodiment, the access control policy configuration includes a network access control policy configuration, a network permission control policy configuration, a directory-level security control policy configuration, an attribute security control policy configuration, a network monitoring and lockout control policy configuration, a network port policy configuration, and/or a node security control policy configuration.
In one embodiment, the firewall control policy configuration includes a packet filtering firewall control policy configuration, a proxy firewall control policy configuration, and a dual-homed host firewall control policy configuration.
In an embodiment, the information encryption policy configuration includes a link encryption policy configuration, an endpoint (end-to-end) encryption policy configuration, and a node encryption policy configuration.
In a second aspect of the present disclosure, an embodiment of the present invention further provides a device for detecting a network security risk, including:
a security record information acquisition unit for acquiring security record information of a target system;
a network policy configuration obtaining unit, configured to obtain a network policy configuration of the target system;
and a vulnerability detection unit, configured to obtain the security vulnerability of the target system and its risk level according to the security record information and the network policy configuration.
In an embodiment, the vulnerability detection unit is configured to: import the security record information and the network policy configuration into a predetermined script, and run the predetermined script to obtain the security vulnerability of the target system and its risk level.
In an embodiment, the vulnerability detection unit is further configured to, before importing the security record information and the network policy configuration into the predetermined script: generate a system topology graph of the target system according to the security record information and the network policy configuration; and obtain the security vulnerability of the target system and its risk level according to the system topology graph.
In an embodiment, the security record information obtaining unit is configured to: obtain the security record information of the target system that a user has filled in to a predetermined network security inspection statistics table.
In an embodiment, the vulnerability detection unit is further configured to, after obtaining the security vulnerability of the target system and the risk level of the security vulnerability:
if the risk level of the security vulnerability is higher than a preset level, informing the target system to repair the security vulnerability; and/or
And if the risk level of the security vulnerability is equal to or lower than the preset level, performing penetration test on the target system according to the security vulnerability.
In an embodiment, the security record information of the target system includes information on the owning organization, implementation of the security responsibility system, day-to-day network security management, basic information on the target system, network security protection measures, network security emergency work, network security education and training, and technical detection and network security incidents.
In an embodiment, the basic information on the target system includes system construction information, stored data information, internet access information, and network security classified protection (level protection) information.
In one embodiment, the network policy configuration includes a physical security policy configuration, an access control policy configuration, a firewall control policy configuration, an information encryption policy configuration, and a network security management policy configuration.
In an embodiment, the access control policy configuration includes a network access control policy configuration, a network permission control policy configuration, a directory-level security control policy configuration, an attribute security control policy configuration, a network monitoring and lockout control policy configuration, a network port policy configuration, and/or a node security control policy configuration.
In one embodiment, the firewall control policy configuration includes a packet filtering firewall control policy configuration, a proxy firewall control policy configuration, and a dual-homed host firewall control policy configuration.
In an embodiment, the information encryption policy configuration includes a link encryption policy configuration, an endpoint (end-to-end) encryption policy configuration, and a node encryption policy configuration.
In a third aspect of the disclosure, an electronic device is provided. The electronic device includes: a processor; and a memory for storing executable instructions that, when executed by the processor, cause the electronic device to perform the method of the first aspect.
In a fourth aspect of the disclosure, a computer-readable storage medium is provided, on which a computer program is stored, which computer program, when being executed by a processor, carries out the method in the first aspect.
The technical solution provided by the embodiment of the invention has the following beneficial effects:
according to the embodiment, the security record information of the target system and the network policy configuration of the target system are acquired, and the security vulnerability of the target system and its risk level are obtained from them, so that the network security assessment is more comprehensive and accurate and its result more objective.
Drawings
To illustrate the technical solutions in the embodiments more clearly, the drawings used in describing them are briefly introduced below. The drawings described cover only some of the embodiments; those skilled in the art can obtain other drawings from them and from the content of the embodiments without creative effort.
Fig. 1 is a schematic flow chart of a method for detecting cyber-security risks according to an embodiment of the present invention;
FIG. 2 is a flow chart illustrating another network security risk detection method according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of an apparatus for detecting cyber-security risks according to an embodiment of the present invention;
FIG. 4 shows a schematic diagram of an electronic device suitable for use in implementing embodiments of the present invention.
Detailed Description
To make the technical problems solved, the technical solutions adopted and the technical effects achieved by the embodiments clearer, the technical solutions are described in further detail below with reference to the drawings. The described embodiments are only some of the embodiments, not all of them; all other embodiments that a person skilled in the art can obtain from them without inventive effort fall within the scope of protection.
It should be noted that the terms "system" and "network" are often used interchangeably herein in embodiments of the present invention. Reference to "and/or" in embodiments of the invention is intended to include any and all combinations of one or more of the associated listed items. The terms "first", "second", and the like in the description and claims of the present disclosure and in the drawings are used for distinguishing between different objects and not for limiting a particular order.
It should be further noted that, in the embodiments of the present invention, each of the following embodiments may be executed alone, or may be executed in combination with each other, and the embodiments of the present invention are not limited in this respect.
The names of messages or information exchanged between devices in the embodiments of the present disclosure are for illustrative purposes only, and are not intended to limit the scope of the messages or information.
The technical solutions of the embodiments of the present invention are further described by the following detailed description with reference to the accompanying drawings.
Fig. 1 shows a schematic flow chart of a method for detecting network security risks according to an embodiment of the present invention. The embodiment applies where a network system is to undergo a network security compliance pre-assessment, and the method may be executed by a network security risk detection device configured in an electronic device. As shown in Fig. 1, the method of this embodiment includes:
In step S110, security record information of the target system is acquired. For example, the security record information that a user has filled in to a predetermined network security inspection statistics table can be obtained.
In step S120, the network policy configuration of the target system is obtained.
The network policy configuration covers several aspects, including but not limited to the following:
(1) Physical security policy: its purpose is to protect hardware entities such as computer systems, network servers and printers, and communication links, from natural disasters, human damage and wiretapping; to verify the identity and usage rights of users and prevent unauthorized operation; to ensure that the computer system has a good electromagnetic compatibility working environment; and to establish a complete security management system that prevents illegal access to the computer room and any theft or sabotage.
(2) Access control policy: covers network access control, network permission control, directory-level security control, attribute security control, network monitoring and lockout control, and security control of network ports and nodes.
(3) Firewall control: a firewall is a technical measure for protecting the security of a computer network. It is a barrier against attackers on the outside network reaching an organization's network, and can also be seen as a checkpoint that controls communication in both directions. A network communication monitoring system set up at the network boundary isolates the internal network from the external network in order to block intrusion from outside. Current mainstream firewalls fall into three categories: packet filtering firewalls, proxy firewalls and dual-homed host firewalls.
(4) Information encryption policy: network encryption takes three forms, link encryption, endpoint (end-to-end) encryption and node encryption. Link encryption protects the information on the link between network nodes; endpoint encryption protects data from the source end user to the destination end user; node encryption protects the transmission path from the source node to the destination node.
(5) Network security management policy: besides technical measures, strengthening the security management of the network and drawing up relevant rules and regulations plays an effective part in ensuring that the network operates safely and reliably. The network security management policy includes: determining the level and scope of security management; drawing up management rules for network operation and usage and for personnel entering and leaving the machine room; and drawing up a maintenance system and emergency measures for the network system.
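The packet filtering policy in item (3) is the kind of network policy configuration that step S120 collects, and the classification H04L63/0263 (rule management) is where an automated review of it sits. The following Python is an added example, not code from the patent, of the checks a reviewer applies first to an ordered, first-match packet-filter rule list: an any-to-any allow, an administrative port open to every source, and rules shadowed by an earlier rule so that they never match (which also catches a final deny-all made unreachable by an earlier allow-all). The Rule fields, the administrative port list, the sample ruleset and the risk labels are assumptions for illustration.

```python
"""Added example (not the patent's code): weakness checks over a
packet-filter policy configuration. Rule format and names are assumed."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Tuple

MGMT_PORTS = {"22", "23", "3389"}  # assumed list of administrative ports


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # source CIDR (IPv4 in the sample; mixing families is not handled)
    dst: str      # destination CIDR
    proto: str    # "tcp", "udp" or "any"
    dport: str    # "443", "1024-65535" or "any"


def _port_range(spec: str) -> Tuple[int, int]:
    if spec == "any":
        return 0, 65535
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo), int(hi)
    return int(spec), int(spec)


def _covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`
    (addresses, protocol and destination-port range all contained)."""
    po, pi = _port_range(outer.dport), _port_range(inner.dport)
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.proto in ("any", inner.proto)
            and po[0] <= pi[0] and pi[1] <= po[1])


def _is_any(cidr: str) -> bool:
    return ip_network(cidr).prefixlen == 0


def check_policy(rules: List[Rule]) -> List[Dict[str, str]]:
    """Evaluate an ordered, first-match rule list and return findings in rule order."""
    findings: List[Dict[str, str]] = []
    for i, rule in enumerate(rules):
        if rule.action == "allow" and _is_any(rule.src) and _is_any(rule.dst) \
                and rule.dport == "any":
            findings.append({"rule": rule.name, "issue": "any-any allow", "risk": "high"})
        elif rule.action == "allow" and _is_any(rule.src) and rule.dport in MGMT_PORTS:
            findings.append({"rule": rule.name,
                             "issue": "management port exposed to any source",
                             "risk": "high"})
        # First-match semantics: a rule fully covered by an earlier rule never fires.
        for earlier in rules[:i]:
            if _covers(earlier, rule):
                findings.append({"rule": rule.name,
                                 "issue": f"shadowed by {earlier.name}",
                                 "risk": "medium"})
                break
    catch_all = Rule("_", "deny", "0.0.0.0/0", "0.0.0.0/0", "any", "any")
    if not rules or rules[-1].action != "deny" or not _covers(rules[-1], catch_all):
        findings.append({"rule": "(end)", "issue": "no explicit default deny",
                         "risk": "medium"})
    return findings


# Constructed sample ruleset (illustrative, not a real device export).
SAMPLE_RULES = [
    Rule("allow-web", "allow", "0.0.0.0/0", "10.0.1.0/24", "tcp", "443"),
    Rule("allow-ssh-any", "allow", "0.0.0.0/0", "10.0.1.0/24", "tcp", "22"),
    Rule("allow-ssh-admin", "allow", "10.0.9.0/24", "10.0.1.0/24", "tcp", "22"),
    Rule("allow-all", "allow", "0.0.0.0/0", "0.0.0.0/0", "any", "any"),
    Rule("deny-all", "deny", "0.0.0.0/0", "0.0.0.0/0", "any", "any"),
]

if __name__ == "__main__":
    for f in check_policy(SAMPLE_RULES):
        print(f"{f['risk']:6} {f['rule']:16} {f['issue']}")
```

On the sample ruleset the script reports the SSH rule open to every source, the narrower admin SSH rule shadowed by it, the any-any allow, and the closing deny-all shadowed by that allow; the ordering matters because the same five rules with `allow-all` removed produce only the first two findings.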
In step S130, the security vulnerability of the target system and its risk level are obtained according to the security record information and the network policy configuration.
For example, the security record information and the network policy configuration may be imported into a predetermined script, and the script run to obtain the security vulnerability of the target system and its risk level.
According to one or more embodiments of the present disclosure, before the import, a system topology graph of the target system may first be generated from the security record information and the network policy configuration, and the security vulnerability of the target system and its risk level obtained from that topology graph.
According to one or more embodiments of the present disclosure, after step S130, that is, once the security vulnerability and its risk level are known, a vulnerability repair notification or a penetration test may be carried out according to the risk level.
For example, if the risk level of the security vulnerability is higher than a predetermined level, the target system is notified to fix the vulnerability.
For another example, if the risk level of the security vulnerability is equal to or lower than the predetermined level, a penetration test of the target system is performed against that vulnerability.
Here, penetration testing is an assessment method that evaluates the security of a computer network system by simulating the attack methods of a malicious attacker. The process involves active analysis of the system's vulnerabilities, technical flaws and weaknesses from the position an attacker might occupy and, under controlled conditions, exploitation of the security vulnerabilities found.
In other words, in a penetration test, testers probe a given network from different positions (for example from the internal network and from the external network) by various means, to discover and dig out the vulnerabilities present in the system, and then produce a penetration test report and submit it to the network owner. From that report the network owner can clearly see the security risks and problems present in the system.
It should be noted that the penetration test in this embodiment is a mechanism for proving that the network defenses operate as planned. A penetration test checks the network policy independently and so gives the target system a second, independent look.
According to one or more embodiments of the present disclosure, the security record information of the target system may include information on the owning organization, implementation of the security responsibility system, day-to-day network security management, basic information on the target system, network security protection measures, network security emergency work, network security education and training, and technical detection and network security incidents.
According to one or more embodiments of the present disclosure, the basic information on the target system may include, for example, system construction information, stored data information, internet access information, and network security classified protection (level protection) information.
According to one or more embodiments of the present disclosure, the network policy configuration may include, for example, a physical security policy configuration, an access control policy configuration, a firewall control policy configuration, an information encryption policy configuration, and a network security management policy configuration.
According to one or more embodiments of the present disclosure, the access control policy configuration may include, for example, a network access control policy configuration, a network permission control policy configuration, a directory-level security control policy configuration, an attribute security control policy configuration, a network monitoring and lockout control policy configuration, a network port policy configuration, and/or a node security control policy configuration.
According to one or more embodiments of the present disclosure, the firewall control policy configuration may include, for example, a packet filtering firewall control policy configuration, a proxy firewall control policy configuration, a dual-homed host firewall control policy configuration, and the like.
According to one or more embodiments of the present disclosure, the information encryption policy configuration may include, for example, a link encryption policy configuration, an endpoint (end-to-end) encryption policy configuration, and a node encryption policy configuration.
According to this embodiment, the security record information of the target system and its network policy configuration are obtained, and the security vulnerability of the target system and its risk level are obtained from them, so that the network security assessment is more comprehensive and accurate and its result more objective.
Fig. 2 is a schematic flow chart of another method for detecting network security risks according to an embodiment of the present invention; this embodiment refines the foregoing one. As shown in Fig. 2, the method of this embodiment includes:
In step S210, security record information of the target system is acquired.
In step S220, a network policy configuration of the target system is obtained.
In step S230, the security record information and the network policy configuration are imported into a predetermined script, and the predetermined script is run to obtain the security vulnerability of the target system and the risk level of the security vulnerability.
The embodiment of the invention provides a high-risk judgment method for network security classified protection (level protection) assessment, which judges risk in the areas of the secure physical environment, the secure communication network, the secure region boundary, the secure computing environment, application systems, the security management center, the security management system, the security management organization, security construction management, security operation and maintenance management, and so on.
The secure physical environment risk judgment covers physical access control, anti-theft and anti-damage, fire protection, temperature and humidity control, power supply, electromagnetic protection, and so on.
The secure communication network risk judgment covers network architecture, communication transmission, and so on.
The secure region boundary risk judgment covers boundary protection, access control, intrusion prevention, protection against malicious code and spam, security audit, and so on.
The secure computing environment risk judgment covers network devices, security devices, host devices, application systems, and so on. For network devices, security devices and host devices, the risk judgment is broken down into identity authentication, access control, security audit, intrusion prevention, malicious code prevention, and so on.
The application system risk judgment covers identity authentication, access control, security audit, intrusion prevention, data integrity, data confidentiality, data backup and recovery, residual information protection, personal information protection, and so on.
The security management center risk judgment covers centralized management and control; the security construction management risk judgment covers product procurement and use, outsourced software development, test and acceptance, and so on.
The security operation and maintenance management risk judgment covers vulnerability and risk management, network and system security management, malicious code prevention management, change management, backup and recovery management, emergency plan management, and so on.
For example, if the machine room entrance and exit have no access control measures (no electronic or mechanical door lock, and no dedicated person on duty at the entrance), office staff or outsiders can enter and leave the machine room at will without any control or monitoring; this is a large potential safety hazard and high risk is judged. The physical access control measure is to configure an electronic access control system at the machine room entrance and exit to control, identify and record the persons entering.
For another example, if the machine room has no anti-theft alarm system, or no attended video monitoring system, a theft event can neither be alerted on nor traced, and high risk is judged. The machine room anti-theft measure under anti-theft and anti-damage is to deploy an anti-theft alarm system or an attended video monitoring system for the machine room, so that a theft event can be alerted on or traced in time and the machine room environment is kept safe and controllable.
For another example, if the machine room has no fire protection measures (for example, no automatic fire extinguishing, no handheld fire extinguisher, or handheld fire extinguishers whose agent has expired), nothing can be done once a fire breaks out, and high risk is judged.
Under temperature and humidity control, the measure is to install automatic temperature and humidity adjustment equipment for the machine room, ensuring that the temperature and humidity of the machine room stay within the range allowed for equipment operation.
It should be noted that for systems with high availability requirements, such as bank and securities trading systems, public-service civil systems, industrial control systems and the like, high risk is judged if the machine room is not equipped with short-term backup power equipment (such as a UPS), or the equipment cannot sustain normal operation during a short power failure. The short-term backup power measure under power supply is to equip backup power sources of reasonable capacity and to inspect the UPS regularly, ensuring that the backup power equipment can keep the system running normally for a short time when the external power supply is interrupted. High risk is also judged if the machine room is not equipped with redundant or parallel power lines, or the lines are all supplied from the same substation; the measure is to equip redundant or parallel power lines drawn from different substations, and for systems with high availability requirements (level-4 systems) the substations should draw from different mains supplies. The machine room where such a system is located must also be equipped with emergency power supply measures; if there are none, or they cannot be used, high risk is judged, and the measure is to equip emergency power supply facilities such as standby power generation equipment.
For a system involving a large amount of core data, for example, if the machine room or the cabinet housing key equipment has no electromagnetic shielding measure, high risk is judged. The machine room electromagnetic shielding measure under electromagnetic protection is to apply electromagnetic shielding technology to the machine room, to important equipment, or to the cabinet housing it, using products or technologies that have obtained certification from a qualified testing and certification body.
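As an added illustration of how the physical-environment conditions above can be encoded as a rule-based risk judgment over a target system's protection configuration (example code, not from the patent): each rule carries an applicability condition taken from the text (high-availability systems, level-4 systems, systems holding a large amount of core data), a high-risk test over the configuration, and the recommended measure. The configuration keys, the `SystemProfile` fields and the sample system are assumptions chosen for this illustration.

```python
"""Rule-based risk judgment for the physical environment items above.

Added example, not code from the patent: it encodes the high-risk conditions
described in the text as rules over a constructed description of the target
system's protection configuration. Key names (such as "door_lock") and the
SystemProfile fields are assumptions chosen for this illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class SystemProfile:
    level: int = 3                    # grade-protection level of the target system
    high_availability: bool = False   # e.g. bank/securities trading, ICS
    core_data_heavy: bool = False     # system involving a large amount of core data
    config: dict = field(default_factory=dict)


@dataclass
class Finding:
    item: str
    risk: str
    measure: str


@dataclass
class Rule:
    item: str
    applies: Callable[[SystemProfile], bool]   # does this item apply to the system?
    is_high_risk: Callable[[dict], bool]       # does the configuration trigger high risk?
    measure: str


def cfg_false(key):
    """Helper: rule fires when a boolean protection item is absent."""
    return lambda c: not c.get(key, False)


RULES: List[Rule] = [
    Rule("physical access control",
         lambda p: True,
         lambda c: not (c.get("door_lock") or c.get("entrance_attended")),
         "configure an electronic access control system at the machine room entrance"),
    Rule("anti-theft and anti-damage",
         lambda p: True,
         lambda c: not (c.get("theft_alarm") or c.get("attended_video_monitoring")),
         "deploy an anti-theft alarm or attended video monitoring system"),
    Rule("fire protection",
         lambda p: True,
         lambda c: not (c.get("auto_extinguishing") or
                        (c.get("handheld_extinguisher") and not c.get("extinguisher_expired"))),
         "provide automatic extinguishing or in-date handheld extinguishers"),
    Rule("short-term backup power",
         lambda p: p.high_availability,
         lambda c: not c.get("ups_sufficient"),
         "equip a UPS of reasonable capacity and inspect it regularly"),
    Rule("redundant power lines",
         lambda p: p.high_availability,
         lambda c: not c.get("redundant_power_lines") or
                   len(set(c.get("substations", []))) < 2,
         "equip redundant or parallel power lines from different substations"),
    Rule("different mains supplies (level-4)",
         lambda p: p.high_availability and p.level >= 4,
         lambda c: len(set(c.get("mains_supplies", []))) < 2,
         "substations should draw from different mains supplies"),
    Rule("emergency power supply",
         lambda p: p.high_availability,
         lambda c: not c.get("emergency_generator_usable"),
         "equip emergency power facilities such as standby generators"),
    Rule("electromagnetic shielding",
         lambda p: p.core_data_heavy,
         cfg_false("em_shielding_certified"),
         "apply certified electromagnetic shielding to the machine room or key cabinets"),
]


def judge(profile: SystemProfile) -> List[Finding]:
    """Return the high-risk findings for a target system, in rule order."""
    return [Finding(r.item, "high", r.measure)
            for r in RULES
            if r.applies(profile) and r.is_high_risk(profile.config)]


# Constructed sample: a level-4 trading system with partial protection.
SAMPLE = SystemProfile(level=4, high_availability=True, core_data_heavy=True, config={
    "door_lock": True,
    "theft_alarm": False, "attended_video_monitoring": False,
    "handheld_extinguisher": True, "extinguisher_expired": True,
    "ups_sufficient": True,
    "redundant_power_lines": True, "substations": ["A", "A"],   # both lines from one substation
    "mains_supplies": ["grid-1", "grid-2"],
    "emergency_generator_usable": True,
    "em_shielding_certified": False,
})

if __name__ == "__main__":
    for f in judge(SAMPLE):
        print(f"[{f.risk}] {f.item}: {f.measure}")
```

The same structure extends to the network, device and application items that follow: each becomes a `Rule` whose `applies` predicate captures the system class the text names and whose `is_high_risk` test captures the described condition.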
The network architecture is divided into network device service processing capacity and network area division. For a system with high availability requirements, insufficient service processing capacity of the network devices can cause device downtime or service interruption at peak times, affecting financial order or causing group incidents; if no technical countermeasures exist, high risk is judged. The measure is to replace devices with ones whose performance meets peak service demand, to forecast service growth reasonably, and to formulate a suitable capacity expansion plan. Network area division is performed according to the functions and importance of the different networks; if important areas and non-important networks sit in the same subnet or network segment, high risk is judged. The measure is to divide the network into different areas according to factors such as work function, importance, and the importance of the information involved, and to establish access control measures between the areas.
If the internet boundary access control device is not under the organization's management authority and no other boundary protection measures exist, the effectiveness of boundary protection is hard to guarantee and the access control policy cannot be adjusted in time according to business needs or security events that occur; high risk is judged. The measure for an uncontrollable network access control device is to deploy one's own boundary access control device, or to rent a boundary access control device with management authority, and to configure the related device reasonably.
If the internet exit has no access control measures, or the configured access control measures are ineffective, the potential safety hazard is large and high risk is judged. The internet boundary access control measure is to deploy dedicated access control equipment at the internet exit and configure the related control policies reasonably so that the control measures are effective.
If no access control measure exists between the office network and the production network, core production servers and network devices can be managed from any network access point in the office environment, and high risk is judged. The access control measure for different area boundaries is to deploy access control equipment between the different network areas and configure access control policies reasonably so that the control measures are effective; the control may be implemented, for example, by a router, switch or load balancer with ACL capability. For a system with higher availability requirements, if the network links are single links and the core network nodes, core network devices or key computing devices are designed without redundancy, a single fault may cause service interruption and high risk is judged; the measure is to adopt redundant design and deployment for key network links, core network devices and key computing devices (for example, hot standby, load balancing and similar deployment modes) to ensure high availability of the system.
For a system with higher requirements on data transmission integrity, if data is transmitted at the network layer without integrity protection measures, tampering may cause property loss and high risk is judged. The communication transmission measure is to ensure the integrity of data in the communication process by adopting verification technology or cryptographic technology. If important sensitive information such as passwords and keys is transmitted over the network in clear text, high risk is judged; the measure is to establish an encrypted channel using SSH (Secure Shell), HTTPS (Hypertext Transfer Protocol Secure) or related equipment, and to transmit sensitive information only through such encrypted channels.
Boundary protection may include internet boundary access control, uncontrollable network access control devices, illegal inline inspection measures, illegal external connection inspection measures, wireless network management and control measures, and the like, for example:
(1) If the internet exit has no access control measures, or the configured access control measures are ineffective, the potential safety hazard is large and high risk is judged; the internet boundary access control measure is to deploy dedicated access control equipment at the internet exit and configure the related control policies reasonably so that the control measures are effective.
(2) If the internet boundary access control device is not under the organization's management authority and does not provide access control policies as required, the access control policy cannot be adjusted in time according to business needs or security events that occur, and high risk is judged; the measure for an uncontrollable network access control device is to deploy one's own boundary access control device, or to rent a boundary access control device with management authority, and to configure the related device reasonably.
(3) If unauthorized equipment can be connected directly to important network areas such as server areas and management network segments without alarming, restriction or blocking, high risk is judged; the illegal inline inspection measure is to deploy secure access products that inspect, locate and block unauthorized inline connections.
(4) If unauthorized connections from core important server equipment and important core management terminals to external networks cannot be checked or restricted, or internal personnel can bypass the boundary access control device and connect to the internet privately, high risk is judged; the illegal external connection inspection measure is to deploy security management devices that inspect, locate and block unauthorized external connections.
(5) If the internal core network is interconnected with a wireless network and no control measure exists between them, unauthorized access to the wireless network gives access to the internal core network area; this is a large potential safety hazard and high risk is judged. Where business requires the interconnection, the wireless network management and control measure is to strengthen control over wireless device access, restrict access from wireless network devices to the internal core network through boundary devices, and reduce the chance that an attacker uses the wireless network to intrude into the internal core network.
Access control may include internet boundary access control, communication protocol conversion and isolation measures, and the like, for example:
(1) In a system interconnected with the internet, if no dedicated access control device is deployed at the boundary, or an allow-all policy is configured, high risk is judged; the internet boundary access control measure is to deploy dedicated access control equipment at the internet exit and configure the related control policies reasonably so that the control measures are effective.
(2) If data transmission between a controllable network environment and an uncontrollable network environment does not use communication protocol conversion, communication protocol isolation or a similar mode for data conversion, high risk is judged; the communication protocol conversion and isolation measure is to exchange data through communication protocol conversion, communication protocol isolation or a similar mode whenever data is transmitted across the network boundaries of different levels.
Intrusion prevention may include external network attack defense, internal network attack defense, and the like, for example:
(1) If key network nodes (such as the internet boundary) take no protective measures and cannot detect, prevent or limit attacks initiated from the internet, high risk is judged; the external network attack defense measure is to take protective measures at the key network nodes (such as the internet boundary) so that attacks initiated from the internet can be detected, prevented or limited.
(2) If key network nodes (such as the boundary between the core server area and other internal network areas) take no protective measures and cannot detect, prevent or limit internally initiated network attacks, high risk is judged; the internal network attack defense measure is to apply strict access control at the key network nodes (such as the boundary between the core server area and other internal network areas) and to deploy related protective equipment to detect, prevent or limit internally initiated network attacks.
Malicious code and spam prevention is network-layer malicious code prevention: if neither the hosts nor the network layer have any malicious code detection and removal measures, high risk is judged.
The security audit measure here is a network security audit measure: if no security audit measures exist at the network boundaries and important network nodes, so that important user behaviors and important security events cannot be log-audited, high risk is judged; the measure is to perform log auditing of important user behaviors and important security events at the network boundaries and important network nodes, so that related events or behaviors can be traced.
In accordance with one or more embodiments of the present disclosure, the identity authentication judgment includes device weak passwords, remote management safeguards and two-factor authentication, for example:
(1) If network devices, security devices, operating systems, databases and the like have accounts with empty or weak passwords that can be used to log in, high risk is judged; the device weak password measure is to delete or rename default accounts, establish a related management system that standardizes the minimum length, complexity and life cycle of passwords, and configure account password policies reasonably according to the management system requirements, improving password quality.
(2) If network devices, security devices, operating systems, databases and the like are managed remotely from an uncontrollable network environment, authentication information transmitted in clear text is easy to eavesdrop on, which causes data leakage, and high risk is judged.
(3) If important core devices, operating systems and the like do not use two or more authentication technologies to identify users, for example only the username/password mode, the security of administrator accounts is weakened, unauthorized theft or illegal use of an account cannot be prevented, and high risk is judged; the two-factor authentication measure is to add an authentication technology other than username/password, such as a password/token mode or a biometric mode, to important core devices, operating systems and the like, achieving two-factor authentication and strengthening the security of identity authentication.
Access control here is default password handling: if the default passwords of default accounts on network devices, security devices, operating systems and databases have not been changed and can be used to log in to the device, high risk is judged; the default password handling measure is to rename or delete the default administrator accounts on network devices, security devices, operating systems and databases and to change the default passwords to ones of adequate strength, strengthening account security.
The security audit measure here is a device security audit measure: if important core network devices, security devices, operating systems, databases and the like have no audit function enabled, important user behaviors and important security events cannot be audited, events cannot be traced, and high risk is judged; the device security audit measure is to enable user operation and security event audit policies, or to use third-party log audit tools, where the performance of the important core devices, security devices, operating systems and databases allows, so that operations and security behaviors on the related devices are comprehensively recorded and can be traced in time when security problems occur.
Intrusion prevention here includes, but is not limited to, unnecessary service handling, management terminal control measures, known major vulnerability fixes, and fixes for vulnerabilities found in testing, for example:
(1) If network devices, security devices, operating systems and the like run redundant system services, default shares or high-risk ports, or have exploitable high-risk vulnerabilities or major potential safety hazards, high risk is judged; the unnecessary service handling measure is to close unnecessary services and ports on network devices, security devices, operating systems and the like, reducing security holes such as backdoors, and, where a shared service must be opened for application needs, to set related configuration such as account permissions reasonably.
(2) If network devices, security devices, operating systems, databases and the like are managed remotely from an uncontrollable network environment and the management terminals are not restricted by technical means, high risk is judged; the management terminal control measure is to restrict the management terminals by technical means.
(3) For network devices, security devices, operating systems, databases and the like that are directly accessible from the internet, if a publicly disclosed major vulnerability is not repaired and updated in time, high risk is judged regardless of whether proof-of-concept (POC) attack code exists.
(4) If vulnerabilities that can cause major potential safety hazards to network devices, security devices, operating systems, databases and the like (including but not limited to buffer overflows, privilege escalation, remote code execution, serious logic defects and sensitive data leakage) are confirmed and exploitable through verification tests or penetration tests, high risk is judged; the measure for vulnerabilities found in testing is to repair known high-risk security vulnerabilities promptly by updating device patches after full testing; in addition, devices should be vulnerability-scanned regularly and the risk vulnerabilities found handled in time, improving the stability and security of the devices.
Malicious code prevention here is operating-system malicious code prevention: if Windows operating systems have no malicious code prevention software deployed and managed in a unified manner, damage from external malicious attacks or system vulnerabilities cannot be prevented, and high risk is judged; the measure is to deploy anti-virus software uniformly on the operating systems, or to adopt an integrated anti-virus server or a virtualization-layer anti-virus measure, and to update the virus library in time to resist attacks by external malicious code.
Identity authentication for the application system includes password policy, weak passwords, login failure handling and two-factor authentication, for example:
(1) If the application system has no user password complexity check mechanism (covering password length, complexity and the like), high risk is judged; the password policy measure is for the application system to check the length and complexity of user account passwords, for example requiring that a system account password be at least 8 characters long and composed of at least 2 of the classes digits, letters and special characters; for special-purpose passwords such as PIN codes, a weak password library should be set up and user password quality improved by comparison against it;
(2) If the application system has easily guessed common-password or weak-password accounts, high risk is judged; the weak password measure is for the application system to improve password quality through password length and complexity verification, comparison against a common-password or weak-password database, and similar means;
(3) If an application system that can be logged in to over the internet provides no login failure handling measures, an attacker can guess passwords and high risk is judged; the login failure handling measure is for the application system to provide login failure handling functions (such as account locking and additional authentication) to prevent brute-force password cracking;
(4) If the system is accessed over the internet and involves operations such as large fund transactions and core business, identity authentication should be performed in two or more modes before important operations; if only one verification mode is used, high risk is judged; the two-factor authentication measure is for the application system to add an authentication technology other than username/password, such as a password/token or a biometric mode, achieving two-factor authentication and strengthening the security of identity authentication;
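The password policy, weak-password comparison and login failure handling measures of items (1) to (3) above, as one added example (not the patent's code): the thresholds follow the text (at least 8 characters, at least 2 of the classes digits, letters and special characters); the weak-password library, the lockout threshold of 5 failures and the 15-minute lockout period are assumptions for the illustration.

```python
"""Password policy, weak-password comparison and login-failure handling.

Added example, not code from the patent. The thresholds follow the text
(at least 8 characters, at least 2 of the classes digits/letters/special
characters); the weak-password list, the lockout threshold of 5 failures
and the 15-minute lockout period are assumptions for the illustration.
"""
import hashlib
import hmac
import os
import string
import time
from typing import Callable, Dict, List

WEAK_PASSWORDS = {"password", "12345678", "admin123", "qwerty123"}  # constructed sample library
MIN_LENGTH = 8
MIN_CLASSES = 2
MAX_FAILURES = 5
LOCK_SECONDS = 15 * 60
PBKDF2_ROUNDS = 100_000


def password_policy_errors(pw: str) -> List[str]:
    """Return the policy violations for a candidate password (empty list = accepted)."""
    errors = []
    if len(pw) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([any(c.isdigit() for c in pw),
                   any(c.isalpha() for c in pw),
                   any(c in string.punctuation for c in pw)])
    if classes < MIN_CLASSES:
        errors.append(f"fewer than {MIN_CLASSES} character classes")
    if pw.lower() in WEAK_PASSWORDS:          # comparison against the weak-password library
        errors.append("matches weak-password library")
    return errors


def hash_pw(pw: str, salt: bytes = b"") -> bytes:
    """Salted PBKDF2 hash; the 16-byte salt is stored in front of the digest."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def check_pw(pw: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


class LoginGuard:
    """Login handler that locks an account after repeated failures.

    `now` is injectable so the lockout window can be exercised in tests.
    """
    def __init__(self, credentials: Dict[str, bytes], now: Callable[[], float] = time.time):
        self.credentials = credentials          # username -> hash_pw() output
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, float] = {}
        self.now = now

    def login(self, user: str, pw: str) -> str:
        """Return "ok", "denied" or "locked"; the caller must not distinguish
        unknown users from wrong passwords in its response."""
        t = self.now()
        if self.locked_until.get(user, 0.0) > t:
            return "locked"
        stored = self.credentials.get(user)
        if stored is not None and check_pw(pw, stored):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = t + LOCK_SECONDS
            self.failures[user] = 0
            return "locked"
        return "denied"
```

Account locking is one of the login failure handling functions the text names; a production system would also rate-limit by source and alert on repeated lockouts, which the audit measures later in this description cover.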
Access control for the application system includes logged-in user permission control, default password handling and access control policy, for example:
(1) If the access control function of the application system is missing, so that user access to system functions and data cannot be controlled according to the design policy and system function modules can be accessed without authorization, for example by directly accessing a URL without logging in to the system, high risk is judged; the logged-in user permission control measure is to complete the access control measures, applying access control to the important pages and function modules of the system so that no access control failure exists in the application system.
(2) If the default passwords of the application system's default accounts have not been changed and can be used to log in to the system, high risk is judged; the default password handling measure is to rename or delete the default administrator account of the application system and to change the default password to one of adequate strength, strengthening account security.
(3) If the access control policy of the application system is defective, so that function modules of the system can be accessed without authorization or other users' data can be viewed and operated on, for example a parallel privilege vulnerability exists and a low-privilege user can access high-privilege function modules without the right, high risk is judged; the access control policy measure is to perfect the access control measures by re-checking identity and permissions on the important pages and function modules of the system, so that no access control failure exists in the application system.
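The two failure modes of items (1) and (3) above (a page reachable without logging in, and a defective policy that lets one user read another user's data or reach a higher-privilege module), shown as an added example (not the patent's code) with the defective handler beside one that re-checks identity and permissions on every request. The session store, user records and roles are constructed sample data.

```python
"""Access control check for application pages and function modules.

Added example (not the patent's code) contrasting a handler with a defective
access control policy against one that re-checks identity and permissions on
every request. Users, roles and record ownership are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    name: str
    role: str   # "user" or "admin"


# Constructed sample data standing in for the application's session store and database.
RECORDS = {101: {"owner": "alice", "balance": 50},
           102: {"owner": "bob", "balance": 75}}
SESSIONS = {"sess-alice": User("alice", "user"),
            "sess-bob": User("bob", "user"),
            "sess-root": User("root", "admin")}


class Forbidden(Exception):
    pass


def view_record_defective(record_id: int, session: Optional[str]):
    """Before: only checks that the record exists. Any caller, logged in or
    not, can read any user's record by supplying its id (the page's
    'directly accessing URL' and 'view other users' data' conditions)."""
    return RECORDS[record_id]


def current_user(session: Optional[str]) -> User:
    """Re-establish identity from the session on every request."""
    user = SESSIONS.get(session)
    if user is None:
        raise Forbidden("login required")
    return user


def view_record(record_id: int, session: Optional[str]):
    """After: identity is re-established from the session and ownership
    (the parallel, or horizontal, permission) is checked before data is returned."""
    user = current_user(session)
    rec = RECORDS.get(record_id)
    if rec is None or (rec["owner"] != user.name and user.role != "admin"):
        # Same response for missing and foreign records, so ids cannot be enumerated.
        raise Forbidden("not permitted")
    return rec


def admin_export(session: Optional[str]):
    """Admin-only function module: the role (vertical permission) is checked
    server side, not inferred from whichever page the user navigated from."""
    user = current_user(session)
    if user.role != "admin":
        raise Forbidden("admin only")
    return list(RECORDS.values())
```

The point of the hardened handlers is that each important page or module performs the identity and permission check itself, rather than relying on the menu or URL that led to it.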
Security audit for the application system is the security audit measure: if the application system (including the front-end system and the background management system) has no log audit function, so that important user behaviors cannot be audited and events cannot be traced, high risk is judged; the measure is to perfect the audit module of the application system and log-audit the operations and behaviors of important users, with the audit scope covering not only front-end user operations and behaviors but also the important operations of background administrators.
Intrusion prevention for the application system includes a data validity checking function, known major vulnerability fixes and fixes for vulnerabilities found in testing, for example:
(1) If the application system, for lack of a verification mechanism, has high-risk vulnerabilities such as SQL injection, cross-site scripting and file upload vulnerabilities, high risk is judged; the data validity checking measure is to verify data validity by modifying the code, improving the security of the application system and preventing such vulnerabilities;
(2) If the environment, framework, components and the like used by the application system have exploitable high-risk vulnerabilities, security events such as sensitive data leakage, web page tampering and server intrusion can occur with serious consequences, and high risk is judged; the known major vulnerability fix measure is to scan the application system for vulnerabilities regularly and repair the known vulnerabilities found promptly after repeated testing and evaluation, reducing potential safety hazards;
(3) If business functions of the application system (such as the password retrieval function) have high-risk security vulnerabilities or serious logic defects that may allow any user's password to be changed or the security verification mechanism to be bypassed for unauthorized access, high risk is judged; the measure for vulnerabilities found in testing is to repair the discovered high-risk or serious logic defects by modifying the application program, avoiding the potential safety hazard;
Data integrity is transmission integrity protection: for a system with higher requirements on transmission integrity, if no measure ensures the transmission integrity of important data, tampering of the important data in transit can cause serious consequences, and high risk is judged; the transmission integrity protection measure is to ensure the integrity of transmitted data through cryptographic technology at the application layer and to verify the validity of the data at the server end, so that only unmodified data is processed.
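The transmission integrity measure just described (and the network-layer communication transmission measure earlier in this description) as an added example, not the patent's code: the sender attaches an HMAC tag computed over a canonical encoding of the message with a shared key, and the server recomputes and compares the tag before processing, so a message altered in transit is rejected. The key, the JSON message layout and the field names are assumptions for the illustration; in practice the key comes from key management and the channel itself would also be protected by SSH or HTTPS as the text recommends.

```python
"""Application-layer transmission integrity check (added example, not the patent's code).

The client computes an HMAC-SHA256 tag over the canonical JSON encoding of the
payload with a shared key; the server recomputes it and refuses anything whose
tag does not match, so only unmodified data is processed. The key, message
layout and field names are assumptions chosen for this illustration.
"""
import hashlib
import hmac
import json
from typing import Optional

SHARED_KEY = b"constructed-demo-key-do-not-reuse"   # would come from key management


def canonical(payload: dict) -> bytes:
    """Deterministic encoding so both sides hash exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(payload: dict, key: bytes = SHARED_KEY) -> dict:
    """Client side: attach the integrity tag to the message."""
    body = canonical(payload)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def verify(message: dict, key: bytes = SHARED_KEY) -> Optional[dict]:
    """Server side: return the payload if the tag is valid, otherwise None."""
    expected = hmac.new(key, message["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["tag"]):   # constant-time compare
        return None
    return json.loads(message["body"])


# Constructed sample transfer and a copy altered in transit.
MSG = sign({"from": "acct-001", "to": "acct-002", "amount": 100})
TAMPERED = dict(MSG, body=MSG["body"].replace('"amount":100', '"amount":100000'))

if __name__ == "__main__":
    print("genuine :", verify(MSG))
    print("tampered:", verify(TAMPERED))
```

An HMAC proves integrity and origin to a party holding the same key; where the sender and receiver must not share a secret, a digital signature takes its place. Replay of an unmodified message is not covered here and needs a nonce or timestamp in the payload.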
Data confidentiality includes transmission confidentiality protection and storage confidentiality protection, for example:
(1) If user authentication information, citizens' sensitive information, important business data and the like are transmitted in clear text over an uncontrollable network, high risk is judged; the transmission confidentiality protection measure is to use cryptographic technology to ensure the confidentiality of important data in transit.
(2) If user identity authentication information, personal sensitive information, important business data, data that the industry regulator requires not to be stored in clear text, and the like are stored in clear text without other effective protection measures, high risk is judged; the storage confidentiality protection measure is to use cryptographic technology to ensure the confidentiality of important data in storage.
Data backup and recovery includes data backup measures, remote backup measures, data processing redundancy measures and remote disaster recovery centers, for example:
(1) If the application system provides no data backup measures, data cannot be restored once it is damaged, and high risk is judged; the data backup measure is to establish a backup and restoration mechanism and to perform regular backup and restoration tests on important data, ensuring that the data can be restored from backup when damaged.
(2) For systems with high system and data disaster recovery requirements, such as finance, healthcare, social security and similar industry systems, if no remote data disaster backup measures exist, or the remote backup mechanism cannot meet business requirements, high risk is judged; the remote backup measure is to set up a remote disaster backup machine room and to back up important data to the backup site in real time over a communication network.
(3) For systems with higher requirements on data processing availability (such as financial industry systems, auction systems and big data platforms), hot redundancy technology should be used to improve availability; if a core processing node (such as a server or database) has a single point of failure, high risk is judged; the data processing redundancy measure is to adopt hot redundancy technology for important data processing systems, improving their availability.
(4) For systems with high disaster recovery and availability requirements, such as financial industry systems, if no remote application-level disaster recovery center is set up, or the remote application-level disaster recovery center cannot perform service switching, high risk is judged; the remote disaster recovery center measure is to set up a remote application-level disaster recovery center capable of service switching, improving the availability of the system.
Residual information protection includes authentication information release measures and sensitive data release measures, for example:
(1) If the identity authentication information release or clearing mechanism is defective, for example system resources can still be accessed or operated on without authorization after a release or clearing operation has been performed normally, high risk is judged; the authentication information release measure is to perfect the authentication information release/clearing mechanism so that the authentication information is completely released or cleared after the related release/clearing operation.
(2) If the sensitive data release or clearing mechanism is defective, for example sensitive data can still be accessed or operated on without authorization after a release or clearing operation has been performed normally, high risk is judged; the sensitive data release measure is to perfect the sensitive data release/clearing mechanism so that the sensitive data is completely released or cleared after the related release/clearing operation.
Personal information protection includes personal information collection and storage, and personal information access and use, for example:
(1) When collecting and storing users' personal information, the user's consent and authorization should be obtained through a formal channel; if users' personal private information is collected and stored without authorization, high risk is judged; the personal information collection and storage measure is to state to users, through official formal channels, the content and purpose of the information collected and the related security responsibilities, and to collect and store only the user personal information necessary for business, with the user's consent and authorization.
(2) If personal information is accessed without authorization or used illegally, for example submitted to a third party for processing without authorization, used for other business purposes without desensitization, query and export permissions over personal information not strictly controlled, or user personal information illegally bought, sold or leaked, high risk is judged; the personal information access and use measure is to state to users through official channels the content and purpose of information collection and the related security responsibilities, to collect and store only the user personal information necessary for business with the user's consent and authorization, and to prevent unauthorized access and illegal use through technical and management means.
The security management center is a centralized management and control system that includes operation monitoring measures, centralized collection and storage of logs, and security event discovery and handling measures, which may include, for example:
(1) For a system with higher availability requirements, if no monitoring measures are provided, faults are difficult to locate and handle in time when they occur, and this can be judged to be high risk. The operation monitoring measure is to centrally monitor the operating conditions of network links, security equipment, network equipment, servers and the like.
(2) The current network security specifications require technical measures for monitoring and recording the network operating state and network security events, and require that the related network logs be retained for not less than a predetermined time (for example, six months). If the retention of the related device logs does not meet the requirements of laws and regulations, this can be judged to be high risk. The centralized log collection and storage measure is to deploy a log server, collect the audit data of each device in a unified manner, perform centralized analysis, and retain the logs as required by laws and regulations.
(3) No relevant security equipment is deployed to identify security events occurring in the network and raise alarms on important security events; this can be judged to be high risk. The security event discovery and handling measure is to deploy relevant professional protection equipment that identifies, alarms on and analyzes the various security events occurring in the network, so that relevant security events are discovered and handled in time.
The security management system is reflected in the management system documents, and the inspection of this item is the inspection of those documents. If no management system related to security management activities has been established, or the related management system cannot be applied to the system currently under inspection, this can be judged to be high risk. The system management construction measure is to establish the various management systems related to security management activities, including a general policy and a security policy, according to the relevant requirements of classified (graded) protection.
The security management organization is reflected in the setting of posts, namely the establishment of a network security leadership group. If no committee or leadership group has been established to guide and manage information security work, or the top leader of the network security leadership group has not been appointed or authorized by the unit's supervisor, this can be judged to be high risk. The measure for establishing the network security leadership group is to establish a committee or leadership group that guides and manages network security work, with its top leader appointed or authorized by the unit's supervising leader.
Product procurement and use is reflected in the procurement and use of network security products and in the procurement and use of cryptographic products and services. Use of key network equipment and special network security products in violation of the relevant national regulations can be judged to be high risk; the network security product procurement and use measure is to procure and use key network equipment and special network security products in accordance with the relevant national regulations. Use of cryptographic products and services in violation of the requirements of the national cryptography management department can be judged to be high risk; the cryptographic product and service procurement and use measure is to use cryptographic products and services in accordance with the requirements of the national cryptography management department.
Outsourced software development is reflected in code audits of outsourced development. If a core business system in an important industry such as finance, people's livelihood or infrastructure is developed by an outsourcing company, its source code is not reviewed before it goes online, and the outsourcing company cannot provide evidence of related security testing, this can be judged to be high risk. The outsourced development code audit measure is to review the source code of core systems developed by outsourcing companies and check whether backdoors or covert channels exist; if no technical means of source code review is available, a third-party professional institution can be hired to perform security testing on the relevant code.
Testing and acceptance is reflected in security testing before the system goes online. If the system has not passed security testing before going online, or related high-risk problems have not been subjected to security assessment and the system goes online with known defects, this can be judged to be high risk. The security inspection content may include, but is not limited to, scanning and penetration testing, security function verification and source code security audit. The pre-launch security testing measure is to perform a security evaluation of a new system before it goes online, repair the problems found during the evaluation in time, and ensure that the system does not go online with known defects.
Vulnerability and risk management is reflected in the identification and repair of security vulnerabilities and hidden dangers. If discovered security vulnerabilities and hidden dangers are not repaired in time, large potential safety hazards exist in the system and an attacker is likely to exploit them to attack it; where the vulnerabilities and hidden dangers can form high-risk risks, this can be judged to be high risk. The identification and repair measure is to repair and evaluate discovered vulnerabilities and hidden dangers in time: those that need repair are hardened and tested, and after the test passes, system data is backed up and the repair is then applied in the production environment; residual risk analysis is performed on the vulnerabilities that remain.
Network and system security management includes change management of important operation and maintenance operations, operation and maintenance tool management, and operation and maintenance external connection management, and may include, for example:
(1) Changes to connections, installation of system components or adjustment of configuration parameters during operation and maintenance are made without change review and approval and without testing the change; once such an installation or adjustment affects the system, the system may become inaccessible or behave abnormally, and this can be judged to be high risk. The change management measure for important operation and maintenance operations is to review and approve actions that require a change, test the change content, back up system data and parameter configuration after the test passes and then carry out the change in the production environment, clearly define the change process and the rollback plan, and update the configuration information base after the change is completed.
(2) The validity of the various operation and maintenance tools (in particular non-commercial ones) is not checked, and access by these tools is not strictly controlled and approved; the tools may contain vulnerabilities or backdoors which, once exploited by an attacker, may cause data leakage, and this can be judged to be high risk. The operation and maintenance tool management measure is to control the use of such tools: commercial tools are recommended, and operation and maintenance personnel are strictly prohibited from downloading non-commercial third-party tools.
(3) The system has no authorization and approval system for servers and terminals that connect to external networks, and behaviors that violate the network security policy are not regularly checked, so a potential hazard of illegal external connections exists; once an intranet server or terminal makes an illegal external connection, confidential information (trade secrets) may leak and the possibility of virus infection increases, so this can be judged to be high risk. The operation and maintenance external connection management measure is to establish an authorization and approval system for all external connections within the system and regularly check for related violations; a terminal management system with reasonable security policies can be adopted so that illegal external connections and illegal access are detected and blocked immediately.
Malicious code prevention management is mainly reflected in checking external access devices for malicious code. External computers or storage devices may be infected with viruses or trojans; if they are not checked for malicious code before being connected to the system, the system may be infected and greatly damaged, and this can be judged to be high risk. The external access device check measure is to establish an inspection system for external access devices: any external computer or storage device must be checked for malicious code before being connected to the system, and may be connected only after the check has passed and been approved.
Change management is reflected in requirement change management. If the change management process is not clearly defined, the content to be changed is not analyzed and demonstrated, no detailed change plan is made, and the requirement for and necessity of the change cannot be clearly determined, the change carries a risk of rendering the system inaccessible, and this can be judged to be high risk. The requirement change management measure is that any change to the system must follow a management process: relevant personnel (business department staff, system operation and maintenance staff, etc.) must be organized to analyze and demonstrate the change, and once the change is determined to be necessary, a detailed change plan is made and approved, the system is backed up, and only then is the change carried out.
Backup and recovery management is mainly reflected in the data backup strategy. If the data backup strategy and data recovery strategy are unclear and the backup and recovery procedures cannot achieve regular backup and recovery testing of important data, or if a related system exists but is not implemented, this can be judged to be high risk. The data backup strategy measure is to establish a system for backup and recovery, define the data backup strategy and data recovery strategy, and define the backup and recovery procedures, so that regular backup and recovery testing of important data is achieved and the high availability and recoverability of backup data are ensured.
Emergency plan management includes emergency plan formulation and emergency plan training and drills, which may include, for example:
(1) Regarding the formulation of emergency plans for important events: if the emergency handling process, the system recovery process and other contents of the emergency plan for important events have not been defined, then once an emergency occurs the handling process cannot proceed in a reasonable and orderly manner, the emergency response time is prolonged, and the system cannot be recovered in the shortest time, so this can be judged to be high risk. The emergency plan formulation measure is to formulate emergency plans for important events, define the emergency handling process, system recovery process and other contents, and conduct drills corresponding to the emergency plans.
(2) Emergency plan training is not given to relevant personnel regularly, emergency drills are not conducted for the different emergency plans, and records of emergency plan training and drills cannot be provided; this can be judged to be high risk. The emergency plan training and drill measure is to conduct emergency plan training and drills for relevant personnel regularly, retain the training and drill records, and ensure that the personnel who take part in emergency response master the entire emergency process proficiently.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.
On the basis of the above embodiment, this embodiment further describes in detail how the security vulnerabilities of the target system are obtained, including risk judgment on aspects such as the secure physical environment, secure communication network, secure area boundary, secure computing environment, application system, security management system, security management organization, security construction management, and security operation and maintenance management, so that the network security evaluation is more comprehensive and accurate.
As an implementation of the methods shown in the above drawings, the present application provides an embodiment of a device for detecting cyber-security risks, and fig. 3 illustrates a schematic structural diagram of the device for detecting cyber-security risks provided in this embodiment, where the embodiment of the device corresponds to the embodiment of the methods shown in fig. 1 and fig. 2, and the device may be specifically applied to various electronic devices. As shown in fig. 3, the apparatus for detecting cyber-security risk according to this embodiment includes a security record information obtaining unit 310, a network policy configuration obtaining unit 320, and a vulnerability detecting unit 330.
The secure record information obtaining unit 310 is configured to obtain secure record information of a target system.
The network policy configuration obtaining unit 320 is configured to obtain a network policy configuration of the target system.
The vulnerability detection unit 330 is configured to obtain a security vulnerability of the target system and a risk level of the security vulnerability according to the security record information and the network policy configuration.
According to one or more embodiments of the present disclosure, the vulnerability detection unit 330 is configured to import the security record information and the network policy configuration into a predetermined script, and obtain a security vulnerability of the target system and a risk level of the security vulnerability by running the predetermined script.
According to one or more embodiments of the present disclosure, the vulnerability detection unit 330 is configured to, before importing the security record information and the network policy configuration into a predetermined script: generating a system topological graph of the target system according to the security record information and the network policy configuration; and acquiring the security vulnerability of the target system and the risk level of the security vulnerability according to the system topological graph.
According to one or more embodiments of the present disclosure, the security record information obtaining unit 310 is configured to obtain the security record information of the target system, which is filled in a predetermined network security check condition statistic table by a user.
According to one or more embodiments of the present disclosure, the vulnerability detection unit 330 is configured to, after obtaining the security vulnerability of the target system and the risk level of the security vulnerability, notify the target system to repair the security vulnerability if the risk level of the security vulnerability is higher than a predetermined level.
According to one or more embodiments of the present disclosure, the vulnerability detection unit 330 is configured to, after obtaining the security vulnerability of the target system and the risk level of the security vulnerability, if the risk level of the security vulnerability is equal to or lower than the predetermined level, perform penetration test on the target system according to the security vulnerability.
According to one or more embodiments of the present disclosure, the security record information of the target system includes affiliated unit information, the implementation situation of security work responsibilities, the network security daily management situation, basic information of the target system, the network security protection situation, the network security emergency work situation, the network security education and training situation, and the technical detection and network security event situation.
According to one or more embodiments of the present disclosure, the basic information of the target system includes system construction information, storage data information, internet access information, and network security level protection information.
According to one or more embodiments of the present disclosure, the network policy configuration includes a physical security policy configuration, an access control policy configuration, a firewall control policy configuration, an information encryption policy configuration, and a network security management policy configuration.
According to one or more embodiments of the present disclosure, the access control policy configuration includes a network access control policy configuration, a right control policy configuration of a network, a directory level security control policy configuration, an attribute security control policy configuration, a network monitoring and locking control policy configuration, a network port policy configuration, and/or a security control policy configuration of a node.
According to one or more embodiments of the present disclosure, the firewall control policy configuration includes a packet filtering firewall control policy configuration, a proxy firewall control policy configuration, and a dual-homed host firewall control policy configuration.
According to one or more embodiments of the present disclosure, the information encryption policy configuration includes a link encryption policy configuration, an endpoint encryption policy configuration, and a node encryption policy configuration.
The device for detecting the cyber-security risk provided by the embodiment of the present disclosure can execute the method for detecting the cyber-security risk provided by the embodiment of the present disclosure, and has functional modules and beneficial effects corresponding to the execution method.
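The checks walked through above (log retention, operation monitoring, personal information, outsourced code audit, emergency plans) and the notify-or-pentest split performed by the vulnerability detection unit, written as a rule-based evaluator. This is an added example, not the patent's predetermined script; the record and policy field names, the MEDIUM rating for systems without a high availability requirement, and the 180-day threshold derived from "six months" are assumptions.

```python
"""Rule-based evaluation in the shape of the patent's method (added illustration, not the
patent's own script). Inputs are a security inspection record and a network policy
configuration; each rule encodes one of the page's "judged to be high risk" checks with
its corrective measure, and triage() applies the notify-or-pentest split. Field names are
assumptions: the patent names the categories but gives no concrete schema."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

LOW, MEDIUM, HIGH = 1, 2, 3
LEVEL_NAMES = {LOW: "low", MEDIUM: "medium", HIGH: "high"}
MIN_LOG_RETENTION_DAYS = 180  # "not less than a predetermined time (for example, six months)"


@dataclass
class Finding:
    control: str      # control area the check belongs to
    description: str  # what was observed
    risk: int         # LOW / MEDIUM / HIGH
    measure: str      # the corrective measure the text pairs with the check


Rule = Callable[[Dict, Dict], Optional[Finding]]


def rule_log_retention(record: Dict, policy: Dict) -> Optional[Finding]:
    """Security management center: centralized collection and retention of device logs."""
    days = policy.get("log_retention_days", 0)
    if days < MIN_LOG_RETENTION_DAYS or not policy.get("centralized_log_server", False):
        return Finding("security management center",
                       f"device logs retained {days} days or not centrally collected", HIGH,
                       "deploy a log server, collect audit data of every device, retain logs as required")
    return None


def rule_operation_monitoring(record: Dict, policy: Dict) -> Optional[Finding]:
    """Security management center: monitoring of links, security/network equipment, servers."""
    if policy.get("operation_monitoring", False):
        return None
    # The text rates missing monitoring high only for systems with a high availability
    # requirement; MEDIUM for other systems is an assumption added so that the triage
    # step has a finding at or below the predetermined level.
    high_avail = record.get("availability_requirement") == "high"
    return Finding("security management center", "no centralized operation monitoring",
                   HIGH if high_avail else MEDIUM,
                   "centrally monitor network links, security equipment, network equipment, servers")


def rule_personal_information(record: Dict, policy: Dict) -> Optional[Finding]:
    """Personal information protection: collection and storage need user authorization."""
    if record.get("collects_personal_info") and not record.get("user_authorized_via_formal_channel"):
        return Finding("personal information protection",
                       "personal information collected and stored without user authorization", HIGH,
                       "disclose content, purpose and responsibilities via an official channel first")
    return None


def rule_outsourced_code_audit(record: Dict, policy: Dict) -> Optional[Finding]:
    """Security construction management: source code review of outsourced core systems."""
    if (record.get("outsourced_development") and record.get("core_system_in_key_industry")
            and not record.get("source_code_reviewed_before_launch")):
        return Finding("security construction management",
                       "outsourced core system online without source code review", HIGH,
                       "review the source for backdoors and covert channels or hire a third party")
    return None


def rule_emergency_plan(record: Dict, policy: Dict) -> Optional[Finding]:
    """Security operation and maintenance management: emergency plan and drill records."""
    area = "security operation and maintenance management"
    if not record.get("emergency_plan_defined"):
        return Finding(area, "no emergency plan with handling and recovery flows", HIGH,
                       "formulate the plan, define handling and recovery flows, drill it")
    if not record.get("emergency_drill_records"):
        return Finding(area, "no records of emergency plan training and drills", HIGH,
                       "train and drill relevant personnel regularly and keep the records")
    return None


RULES: List[Rule] = [rule_log_retention, rule_operation_monitoring, rule_personal_information,
                     rule_outsourced_code_audit, rule_emergency_plan]


def evaluate(record: Dict, policy: Dict) -> List[Finding]:
    """Run every rule; the non-None results are the findings with their risk levels."""
    return [f for f in (rule(record, policy) for rule in RULES) if f is not None]


def triage(findings: List[Finding], predetermined_level: int = MEDIUM) -> Dict[str, List[Finding]]:
    """Above the predetermined level the target system is notified to repair; at or below
    it the finding is handed to penetration testing, as the method describes."""
    return {"notify_repair": [f for f in findings if f.risk > predetermined_level],
            "penetration_test": [f for f in findings if f.risk <= predetermined_level]}


# Constructed sample standing in for one row of the inspection statistics table plus the
# matching policy configuration; the values are illustrative only.
SAMPLE_RECORD = {"availability_requirement": "normal", "collects_personal_info": True,
                 "user_authorized_via_formal_channel": False, "outsourced_development": True,
                 "core_system_in_key_industry": True, "source_code_reviewed_before_launch": True,
                 "emergency_plan_defined": True, "emergency_drill_records": False}
SAMPLE_POLICY = {"log_retention_days": 90, "centralized_log_server": True, "operation_monitoring": False}

if __name__ == "__main__":
    for bucket, items in triage(evaluate(SAMPLE_RECORD, SAMPLE_POLICY)).items():
        print(bucket)
        for f in items:
            print(f"  [{LEVEL_NAMES[f.risk]}] {f.control}: {f.description} -> {f.measure}")
```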
Referring now to FIG. 4, a block diagram of an electronic device 400 suitable for use in implementing embodiments of the present invention is shown. The terminal device in the embodiment of the present invention is, for example, a mobile device, a computer, or a vehicle-mounted device built in a floating car, or any combination thereof. In some embodiments, the mobile device may include, for example, a cell phone, a smart home device, a wearable device, a smart mobile device, a virtual reality device, and the like, or any combination thereof. The electronic device shown in fig. 4 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in fig. 4, electronic device 400 may include a processing device (e.g., central processing unit, graphics processor, etc.) 401 that may perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)402 or a program loaded from a storage device 408 into a Random Access Memory (RAM) 403. In the RAM 403, various programs and data necessary for the operation of the electronic apparatus 400 are also stored. The processing device 401, the ROM 402, and the RAM 403 are connected to each other via a bus 404. An input/output (I/O) interface 405 is also connected to bus 404.
Generally, the following devices may be connected to the I/O interface 405: input devices 406 including, for example, a touch screen, touch pad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc.; an output device 407 including, for example, a Liquid Crystal Display (LCD), a speaker, a vibrator, and the like; storage 408 including, for example, tape, hard disk, etc.; and a communication device 409. The communication means 409 may allow the electronic device 400 to communicate wirelessly or by wire with other devices to exchange data. While fig. 4 illustrates an electronic device 400 having various means, it is to be understood that not all illustrated means are required to be implemented or provided. More or fewer devices may alternatively be implemented or provided.
In particular, according to an embodiment of the present invention, the processes described above with reference to the flowcharts may be implemented as a computer software program. For example, embodiments of the invention include a computer program product comprising a computer program embodied on a computer-readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication device 409, or from the storage device 408, or from the ROM 402. The computer program performs the above-described functions defined in the methods of embodiments of the invention when executed by the processing apparatus 401.
It should be noted that the computer readable medium mentioned above can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In embodiments of the invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In yet another embodiment of the invention, a computer readable signal medium may comprise a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
The computer readable medium may be embodied in the electronic device; or may exist separately without being assembled into the electronic device.
The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: acquiring safety record information of a target system; acquiring the network policy configuration of the target system; and acquiring the security vulnerability of the target system and the risk level of the security vulnerability according to the security record information and the network policy configuration.
Computer program code for carrying out operations for embodiments of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C + + or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present invention may be implemented by software or hardware. Where the name of a unit does not in some cases constitute a limitation of the unit itself, for example, the first retrieving unit may also be described as a "unit for retrieving at least two internet protocol addresses".
The foregoing description is only a preferred embodiment of the invention and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the disclosure in the embodiments of the present invention is not limited to the specific combinations of the above-described features, but also encompasses other embodiments in which any combination of the above-described features or their equivalents is possible without departing from the spirit of the disclosure. For example, the above features and (but not limited to) the features with similar functions disclosed in the embodiments of the present invention are mutually replaced to form the technical solution.

Claims (14)

1. A method for detecting network security risks is characterized by comprising the following steps:
acquiring safety record information of a target system;
acquiring the network policy configuration of the target system;
and acquiring the security vulnerability of the target system and the risk level of the security vulnerability according to the security record information and the network policy configuration.
2. The method of claim 1, wherein obtaining the security vulnerability of the target system and the risk level of the security vulnerability according to the security record information and the network policy configuration comprises:
and importing the security record information and the network strategy configuration into a preset script, and acquiring the security vulnerability of the target system and the risk level of the security vulnerability by running the preset script.
3. The method of claim 2, further comprising, prior to importing the security record information and the network policy configuration into a predetermined script:
generating a system topological graph of the target system according to the security record information and the network policy configuration;
and acquiring the security vulnerability of the target system and the risk level of the security vulnerability according to the system topological graph.
4. The method of claim 1, wherein obtaining the security record information of the target system comprises:
and acquiring the safety record information of the target system filled in a preset network safety inspection condition statistical table by a user.
5. The method of claim 1, further comprising, after obtaining the security vulnerabilities and the risk levels of the security vulnerabilities of the target system:
if the risk level of the security vulnerability is higher than a preset level, informing the target system to repair the security vulnerability; and/or
And if the risk level of the security vulnerability is equal to or lower than the preset level, performing penetration test on the target system according to the security vulnerability.
6. The method of claim 1, wherein the safety record information of the target system comprises information of affiliated units, safety work responsibility implementation situation, network safety daily management situation, basic information of the target system, network safety protection situation, network safety emergency work situation, network safety education and training situation, and technical detection and network safety event situation.
7. The method of claim 6, wherein the basic information of the target system comprises system construction information, storage data information, internet access information, and network security level protection information.
8. The method of claim 1, wherein the network policy configuration comprises a physical security policy configuration, an access control policy configuration, a firewall control policy configuration, an information encryption policy configuration, and a network security management policy configuration.
9. The method of claim 8, wherein the access control policy configuration comprises a network access control policy configuration, a directory level security control policy configuration, an attribute security control policy configuration, a network monitoring and lock control policy configuration, a network port policy configuration, and/or a node security control policy configuration.
10. The method of claim 8, wherein the firewall control policy configuration comprises a packet filtering firewall control policy configuration, a proxy firewall control policy configuration, and a dual-homed host firewall control policy configuration.
11. The method of claim 8, wherein the information encryption policy configuration comprises a link encryption policy configuration, an endpoint encryption policy configuration, and a node encryption policy configuration.
12. An apparatus for detecting cyber-security risks, comprising:
a security record information acquisition unit configured to acquire security record information of a target system;
a network policy configuration acquisition unit configured to acquire a network policy configuration of the target system; and
a vulnerability detection unit configured to obtain the security vulnerabilities of the target system and their risk levels according to the security record information and the network policy configuration.
13. An electronic device, comprising:
a processor; and
a memory storing executable instructions that, when executed by the processor, cause the electronic device to perform the method of any one of claims 1-11.
14. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-11.
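The claims describe the flow in the abstract: acquire the filing record, acquire the policy configuration, derive vulnerabilities with risk levels by correlating the two, then route each finding by a preset level (claim 5). The following is an added, illustrative Python sketch of that pipeline and is not code from the patent or its assignees; the record fields, policy keys, detection rules, risk thresholds and sample data are all assumptions chosen to mirror the categories named in claims 6 to 11.

```python
"""Illustrative rule-based detector in the shape of claims 5 and 12.
Added example; field names, rules and sample data are assumptions."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Tuple


class RiskLevel(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class SecurityRecord:
    """Subset of the claim-6/7 filing fields; names are assumptions."""
    internet_facing: bool            # from 'internet access information'
    stores_personal_data: bool       # from 'stored data information'
    has_emergency_plan: bool         # from 'emergency response work status'
    last_training_days_ago: int      # from 'education and training status'


@dataclass
class NetworkPolicyConfig:
    """Subset of the claim-8..11 categories; keys are assumptions."""
    firewall: Dict[str, bool]        # packet_filtering / proxy / dual_homed_host
    access_control: Dict[str, bool]  # e.g. network_port_policy
    encryption: Dict[str, bool]      # link / endpoint / node


@dataclass
class Finding:
    vuln_id: str
    description: str
    risk: RiskLevel


def detect_vulnerabilities(record: SecurityRecord,
                           policy: NetworkPolicyConfig) -> List[Finding]:
    """The 'vulnerability detection unit' of claim 12: correlate the filing
    record with the policy configuration. The rules are illustrative only."""
    findings: List[Finding] = []
    if record.internet_facing and not policy.firewall.get("packet_filtering", False):
        findings.append(Finding("FW-01", "internet-facing system with no packet-filtering firewall policy", RiskLevel.HIGH))
    if record.stores_personal_data and not any(policy.encryption.values()):
        findings.append(Finding("ENC-01", "personal data stored but no link/endpoint/node encryption policy", RiskLevel.HIGH))
    if not policy.access_control.get("network_port_policy", False):
        findings.append(Finding("AC-01", "no network port policy configured", RiskLevel.MEDIUM))
    if not record.has_emergency_plan:
        findings.append(Finding("MGMT-01", "no network security emergency plan on file", RiskLevel.MEDIUM))
    if record.last_training_days_ago > 365:
        findings.append(Finding("MGMT-02", "security training record older than one year", RiskLevel.LOW))
    # Highest risk first; sorted() is stable, so equal levels keep rule order.
    return sorted(findings, key=lambda f: f.risk, reverse=True)


def triage(findings: List[Finding],
           preset: RiskLevel = RiskLevel.MEDIUM) -> Tuple[List[Finding], List[Finding]]:
    """Claim 5: above the preset level the system owner is told to remediate;
    at or below it the finding is queued for a penetration test."""
    remediate = [f for f in findings if f.risk > preset]
    pentest = [f for f in findings if f.risk <= preset]
    return remediate, pentest


def run_example() -> Tuple[List[Finding], List[Finding]]:
    """Constructed sample input (not real data) run through both stages."""
    record = SecurityRecord(internet_facing=True, stores_personal_data=True,
                            has_emergency_plan=False, last_training_days_ago=400)
    policy = NetworkPolicyConfig(
        firewall={"packet_filtering": False, "proxy": True, "dual_homed_host": False},
        access_control={"network_access_control": True, "network_port_policy": False},
        encryption={"link": False, "endpoint": False, "node": False},
    )
    return triage(detect_vulnerabilities(record, policy))


if __name__ == "__main__":
    remediate, pentest = run_example()
    for f in remediate:
        print(f"REMEDIATE {f.vuln_id} [{f.risk.name}] {f.description}")
    for f in pentest:
        print(f"PENTEST   {f.vuln_id} [{f.risk.name}] {f.description}")
```

The point of the split in `triage` is the one claim 5 makes: a finding already known to be above the threshold gets a remediation notice without waiting for a test, while lower-rated findings are confirmed by penetration testing before anyone is asked to act on them. With the sample input the two HIGH findings go to remediation and the MEDIUM and LOW ones to the pentest queue; raising `preset` to `HIGH` sends everything to testing.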
CN202110357255.3A 2021-04-01 2021-04-01 Network security risk detection method and device, electronic equipment and storage medium Pending CN113114647A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110357255.3A CN113114647A (en) 2021-04-01 2021-04-01 Network security risk detection method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110357255.3A CN113114647A (en) 2021-04-01 2021-04-01 Network security risk detection method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN113114647A true CN113114647A (en) 2021-07-13

Family

ID=76713807

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110357255.3A Pending CN113114647A (en) 2021-04-01 2021-04-01 Network security risk detection method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113114647A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113726813A (en) * 2021-09-09 2021-11-30 海尔数字科技(青岛)有限公司 Network security configuration method, equipment and storage medium
CN114124568A (en) * 2021-12-07 2022-03-01 中国建设银行股份有限公司 Connection control method and system
CN114338147A (en) * 2021-12-28 2022-04-12 中国银联股份有限公司 Method and device for detecting password blasting attack
CN114866532A (en) * 2022-04-25 2022-08-05 安天科技集团股份有限公司 Method, device, equipment and medium for uploading security check result information of endpoint file
CN115719167A (en) * 2022-11-30 2023-02-28 中国第一汽车股份有限公司 Vehicle information safety monitoring method and device
CN116050840A (en) * 2023-01-28 2023-05-02 国家信息中心 Information security risk management method and management system
CN116055090A (en) * 2022-11-11 2023-05-02 中国联合网络通信集团有限公司 Training method, scoring method, equipment and storage medium for risk scoring model

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101436967A (en) * 2008-12-23 2009-05-20 北京邮电大学 Method and system for evaluating network safety situation
US20150106867A1 (en) * 2013-10-12 2015-04-16 Fortinet, Inc. Security information and event management
CN107204876A (en) * 2017-05-22 2017-09-26 成都网络空间安全技术有限公司 A kind of network security risk evaluation method
CN107483410A (en) * 2017-07-21 2017-12-15 中国联合网络通信集团有限公司 Network safety managing method and device
CN108965244A (en) * 2018-05-30 2018-12-07 江苏安又恒信息科技有限公司 A kind of Formal Safety Assessment method of network semi-automation
CN109495502A (en) * 2018-12-18 2019-03-19 北京威努特技术有限公司 A kind of safe and healthy Index Assessment method and apparatus of industry control network
CN111815132A (en) * 2020-06-28 2020-10-23 云南电网有限责任公司电力科学研究院 Network security management information publishing method and system for power monitoring system

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113726813A (en) * 2021-09-09 2021-11-30 海尔数字科技(青岛)有限公司 Network security configuration method, equipment and storage medium
CN113726813B (en) * 2021-09-09 2023-08-15 海尔数字科技(青岛)有限公司 Network security configuration method, device and storage medium
CN114124568A (en) * 2021-12-07 2022-03-01 中国建设银行股份有限公司 Connection control method and system
CN114338147A (en) * 2021-12-28 2022-04-12 中国银联股份有限公司 Method and device for detecting password blasting attack
CN114338147B (en) * 2021-12-28 2023-08-11 中国银联股份有限公司 Password blasting attack detection method and device
CN114866532A (en) * 2022-04-25 2022-08-05 安天科技集团股份有限公司 Method, device, equipment and medium for uploading security check result information of endpoint file
CN114866532B (en) * 2022-04-25 2023-11-10 安天科技集团股份有限公司 Method, device, equipment and medium for uploading security check result information of endpoint file
CN116055090A (en) * 2022-11-11 2023-05-02 中国联合网络通信集团有限公司 Training method, scoring method, equipment and storage medium for risk scoring model
CN115719167A (en) * 2022-11-30 2023-02-28 中国第一汽车股份有限公司 Vehicle information safety monitoring method and device
CN116050840A (en) * 2023-01-28 2023-05-02 国家信息中心 Information security risk management method and management system
CN116050840B (en) * 2023-01-28 2023-12-29 国家信息中心 Information security risk discovery method and discovery system

Similar Documents

Publication Publication Date Title
CN114978584A (en) Network security protection safety method and system based on unit cell
CN113114647A (en) Network security risk detection method and device, electronic equipment and storage medium
CN113660224B (en) Situation awareness defense method, device and system based on network vulnerability scanning
US8601580B2 (en) Secure operating system/web server systems and methods
CN109936555A (en) A kind of date storage method based on cloud platform, apparatus and system
Xu et al. Network security
Atieh Assuring the Optimum Security Level for Network, Physical and Cloud Infrastructure
Miloslavskaya et al. Taxonomy for unsecure big data processing in security operations centers
Cagalaban et al. Improving SCADA control systems security with software vulnerability analysis
US11108800B1 (en) Penetration test monitoring server and system
CN113422776A (en) Active defense method and system for information network security
Yasmeen et al. The critical analysis of E-Commerce web application vulnerabilities
Han et al. A hierarchical security-auditing methodology for cloud computing
Bhatia et al. Vulnerability Assessment and Penetration Testing
Alhasawi ICSrank: A Security Assessment Framework for Industrial Control Systems (ICS)
Ruha Cybersecurity of computer networks
JP6987406B2 (en) Penetration test monitoring server and system
KR102580469B1 (en) Method for management for cyber security threat and attack surface and apparatus for performing the method
Stamp et al. Cyber Security Gap Analysis for Critical Energy Systems (CSGACES).
Mustafa et al. ATA-based security assessment of smart building automation systems
Niemann Enterprise architecture management and its role in IT governance and IT investment planning
Georgiou et al. A security policy for cloud providers
Sobol et al. Modeling the State of Information Security of a Smart Campus
Patil et al. A Review of the OWASP Top 10 Web Application Security Risks and Best Practices for Mitigating These Risks
Fgee et al. My Security for Dynamic Websites in Educational Institution

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
Application publication date: 20210713