CN116401714A - Security information acquisition method, device, equipment and medium - Google Patents

Info

Publication number: CN116401714A
Authority: CN (China)
Prior art keywords: information, target, equipment, security, vulnerability
Legal status: Granted
Application number: CN202310604410.6A
Other languages: Chinese (zh)
Other versions: CN116401714B (en)
Inventors: 吴潇, 王鹏
Current Assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Original Assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd
Priority to CN202310604410.6A
Publication of CN116401714A
Application granted
Publication of CN116401714B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Computing Systems (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The embodiments of the disclosure relate to a method, device, equipment and medium for acquiring security information, in the technical field of computers. The method comprises the following steps: scanning target information equipment to obtain production place type information of the target information equipment; determining security level information of the target information equipment according to the associated information system and/or the associated information equipment of the target information equipment; acquiring the processing interval duration of at least one processed vulnerability in the target information equipment; and generating comprehensive security information of the target information equipment according to its security sub-information, where the security sub-information comprises the production place type information, the security level information and the processing interval duration. In this way, the comprehensive security information used when performing security management on the information equipment is determined in a plurality of dimensions, so that the comprehensiveness of the analysis of the information equipment is improved and subsequent security management based on the comprehensive security information is more reliable.

Description

Security information acquisition method, device, equipment and medium
Technical Field
The disclosure relates to the field of computer technology, and in particular, to a method, a device, equipment and a medium for acquiring security information.
Background
With the development and wide application of information technology, information assets become a key foundation for supporting the stable operation of organizations such as enterprises. Meanwhile, security attack events for various information assets are more frequent.
In the related art, the asset devices are classified according to the functions implemented by the asset devices, classification results are obtained, and the information assets are safely managed based on the classification results. However, the dimension involved in the security management method based on the asset equipment function is single, the comprehensiveness of analyzing the information asset is low, and the reliability of the subsequent security management of the asset equipment based on the classification is low.
Disclosure of Invention
In order to solve the above technical problems or at least partially solve the above technical problems, the present disclosure provides a method, an apparatus, a device, and a medium for acquiring security information.
The embodiments of the disclosure provide a method for acquiring security information, which comprises the following steps:
scanning target information equipment to obtain production place type information of the target information equipment; the production place type information characterizes whether the target information equipment meets a preset production place range condition;
determining security level information of the target information equipment according to the associated information system and/or the associated information equipment of the target information equipment; the associated information system is an information system to which the target information equipment belongs, and the associated information equipment is information equipment having a connection relationship with the target information equipment;
acquiring the processing interval duration of at least one processed vulnerability in the target information equipment; the processing interval duration is the length of time between the vulnerability repair time and the patch release time of each processed vulnerability;
generating comprehensive security information of the target information equipment according to the security sub-information of the target information equipment; the security sub-information comprises the production place type information, the security level information and the processing interval duration.
The embodiments of the disclosure also provide a security information acquisition device, which comprises:
a scanning module for scanning the target information equipment to obtain production place type information of the target information equipment; the production place type information characterizes whether the target information equipment meets a preset production place range condition;
a first determining module for determining security level information of the target information equipment according to the associated information system and/or the associated information equipment of the target information equipment; the associated information system is an information system to which the target information equipment belongs, and the associated information equipment is information equipment having a connection relationship with the target information equipment;
a first acquisition module for acquiring the processing interval duration of at least one processed vulnerability in the target information equipment; the processing interval duration is the length of time between the vulnerability repair time and the patch release time of each processed vulnerability;
a first generation module for generating comprehensive security information of the target information equipment according to the security sub-information of the target information equipment; the security sub-information comprises the production place type information, the security level information and the processing interval duration.
The embodiment of the disclosure also provides an electronic device, which comprises: a processor; a memory for storing the processor-executable instructions; the processor is configured to read the executable instructions from the memory and execute the instructions to implement a method for obtaining security information according to an embodiment of the present disclosure.
The present disclosure also provides a computer-readable storage medium storing a computer program for executing the security information acquisition method as provided by the embodiments of the present disclosure.
Compared with the prior art, the technical solution provided by the embodiments of the disclosure has the following advantages. The security information acquisition scheme comprises: scanning target information equipment to obtain production place type information of the target information equipment, which characterizes whether the target information equipment meets a preset production place range condition; determining security level information of the target information equipment according to the associated information system and/or the associated information equipment of the target information equipment, where the associated information system is an information system to which the target information equipment belongs and the associated information equipment is information equipment having a connection relationship with the target information equipment; acquiring the processing interval duration of at least one processed vulnerability in the target information equipment, the processing interval duration being the length of time between the vulnerability repair time and the patch release time of each processed vulnerability; and generating comprehensive security information of the target information equipment according to its security sub-information, the security sub-information comprising the production place type information, the security level information and the processing interval duration.
By adopting the technical scheme, the production place type of the target information equipment is determined, the security level of the target information equipment is determined according to the associated system or the associated equipment of the target information equipment, the vulnerability processing interval duration of the target information equipment is determined according to the patch release time and the vulnerability processing time of the vulnerability repaired by using the patch, and then the security comprehensive information used in the process of performing security management on the information equipment is determined in a plurality of dimensions, so that the comprehensiveness of analyzing the information equipment is improved, and the subsequent security management based on the security comprehensive information is more reliable.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure.
In order to more clearly illustrate the embodiments of the present disclosure or the solutions in the prior art, the drawings that are required for the description of the embodiments or the prior art will be briefly described below, and it will be obvious to those skilled in the art that other drawings can be obtained from these drawings without inventive effort.
Fig. 1 is a flow chart of a method for obtaining security information according to an embodiment of the present disclosure;
Fig. 2 is a flow chart of another method for obtaining security information according to an embodiment of the present disclosure;
Fig. 3 is a flow chart of another method for obtaining security information according to an embodiment of the present disclosure;
Fig. 4 is a schematic structural diagram of a security information acquiring device according to an embodiment of the present disclosure;
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
In order that the above objects, features and advantages of the present disclosure may be more clearly understood, a further description of aspects of the present disclosure will be provided below. It should be noted that, without conflict, the embodiments of the present disclosure and features in the embodiments may be combined with each other.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure, but the present disclosure may be practiced otherwise than as described herein; it will be apparent that the embodiments in the specification are only some, but not all, embodiments of the disclosure.
With the development and wide application of information technology, information assets have become a key foundation supporting the stable operation of organizations such as enterprises. Meanwhile, security attacks on information assets of all kinds have become more frequent. Because some information assets are used infrequently, they are easily forgotten or neglected by organizations when protecting their information assets, and such assets may then be attacked over the network, causing losses to the organization.
In the related art, information assets can be counted and managed comprehensively in a form or the like, but in existing asset management, asset devices are classified according to the functions they implement, classification results are obtained, and security management of the information assets is performed on the basis of those results. However, a security management method based on asset device function involves only a single dimension, omits some information of higher importance, and analyzes the information assets with low comprehensiveness, which does not facilitate subsequent security management of the asset devices based on the classification.
In order to solve the above-described problems, the embodiments of the present disclosure provide a security information acquisition method, which is described below in connection with specific embodiments.
Fig. 1 is a flow chart of a method for obtaining security information according to an embodiment of the present disclosure, where the method may be performed by a security information obtaining apparatus, and the apparatus may be implemented by software and/or hardware, and may be generally integrated in an electronic device, as shown in fig. 1, and the method for obtaining security information includes:
step 101, scanning target information equipment to obtain the information of the type of the production place of the target information equipment; the production place type information characterizes whether the target information equipment meets a preset production place range condition.
An information device, also called an information asset, may be a device that stores data. Information devices are of various types, and this embodiment does not limit the type; for example, the information device may include one or more of a firewall, a switch, a server and an office terminal. The target information device is the device whose security information is currently to be obtained. The number of target information devices is not limited in this embodiment and may be one or more. The production place type information is information characterizing the production place (origin) of the information device. The production place range condition is a condition for judging whether the production place of the information device lies within a preset production place range; it may be set according to user demand or the like, and is not limited in this embodiment.
In the embodiment of the disclosure, the security information acquisition device may scan the target information device to obtain producer information and compare the producer information with preset candidate information. If the producer information belongs to the candidate information, it is determined that the target information device meets the preset production place range condition, and the production place type information is set to in-range type information; if the producer information does not belong to the candidate information, it is determined that the target information device does not meet the production place range condition, and the production place type information is set to out-of-range type information. The candidate information characterizes producers whose production place lies within the preset production place range.
In some embodiments of the present disclosure, scanning the target information device to obtain its production place type information includes: scanning the target information device to obtain producer information of the target information device; determining the production place information corresponding to the producer information; if the production place information is within the preset production place range, determining that the target information device meets the production place range condition, the production place type information being in-range type information; and if the production place information is outside the preset production place range, determining that the target information device does not meet the production place range condition, the production place type information being out-of-range type information.
The producer information may be information recording the brand of the information device. The production place information may be information recording the place where the producer of the information device is located. The production place range may be an area composed of a plurality of locations, and this embodiment does not limit it; for example, it may be an area composed of one or more cities, or of one or more countries. The in-range type information characterizes that the production place corresponding to the production place information lies within the production place range, and the out-of-range type information characterizes that it lies outside the production place range.
In the present embodiment, a correspondence between producers and production places is preset. The security information acquisition device may scan the target information device to obtain its producer information together with one or more of a device identifier, device classification and device version. If producer information of the target information device is obtained by the scan, the preset correspondence is queried with the producer information to determine the matching production place information. The production place corresponding to that production place information is then determined; if it lies within the preset production place range, the target information device is determined to meet the production place range condition and its production place type information is set to in-range type information. If it lies outside the preset production place range, the target information device is determined not to meet the production place range condition and its production place type information is set to out-of-range type information.
In the scheme, the production area range condition can be dynamically adjusted according to the requirements of users. Under the condition that the production place of the production party changes, the corresponding relation between the production party and the production place is dynamically adjusted, so that direct coupling between the production party and the production place range condition is avoided, and the method and the device can be suitable for wider application scenes.
Step 102, determining the security level information of the target information equipment according to the associated information system and/or the associated information equipment of the target information equipment; the associated information system is an information system to which the target information device belongs, and the associated information device is an information device having a connection relationship with the target information device.
The information system may be a device system determined by a combination of a plurality of information devices, and may have one or more service functions. There are various kinds of information systems, and the present embodiment does not limit the information system. The associated information system may be an information system including the target information device. The associated information device may be an information device capable of data transmission with the target information device, and the associated information device may be an information device accessible to the target information device. The associated information device may be directly connected to the target information device or the associated information device may be indirectly connected to the target information device through other information devices. The connection manner between the information devices is not limited in this embodiment, and may be, for example, a wired connection or a wireless connection. The security level information may be information characterizing a security level of the target information device, may be set according to a user demand or the like, and is not limited in this embodiment, and may include five levels of one to five, for example.
In the embodiment of the present disclosure, the security information acquisition means may determine, as the associated information system, the device system to which the target information device belongs, or determine, as the associated information device, the information device that the target information device can access. And further setting security level information of the target information device based on the security requirements of the associated information system and/or the associated information device.
In some embodiments of the present disclosure, determining security level information of a target information device according to an associated information system and/or associated information device of the target information device includes: if the associated information system has corresponding system grade information, determining security grade information according to the system grade information; and if the corresponding system grade information does not exist in the associated information system, determining the security grade information according to the associated grade information of the associated information equipment.
The system level information may be information characterizing a security level of the information system, and the association level information may be information characterizing a security level of the associated information device.
In this embodiment, the security information acquiring apparatus determines at least one associated information system containing the target information device according to a preset correspondence between devices and systems. If one associated information system among the at least one has corresponding system level information, that system level information is taken as the security level information of the target information device. If a plurality of associated information systems among the at least one correspond to a plurality of system level information items, the system level information with the highest security level among them is determined as the security level information of the target information device.
If none of the at least one associated information system has system level information, the associated information devices that the target information device can access are determined; the method for determining the associated information devices is not limited in this embodiment. In an alternative embodiment, the associated information devices accessible by the target information device may be determined according to a preset device access relationship. In another alternative embodiment, the security information acquiring apparatus may send an access instruction to the target information device, so that, after receiving it, the target information device attempts to access each information device in a preset device list, determines the devices accessed successfully as associated information devices, and returns a list of those associated information devices.
After the security information acquisition device determines the associated information equipment of the target information equipment, the security information acquisition device determines the associated level information of the associated information equipment according to the relation between the preset equipment and the level information, and if the number of the associated level information is one, the security level information of the target information equipment is set as the associated level information; if the number of the associated level information is plural, the security level information of the target information device is set as the associated level information having the highest security level among the plural associated level information.
Step 103, obtaining the processing interval duration of at least one processed vulnerability in the target information equipment; the processing interval duration is the time length between the bug fix time and the patch release time of each processed bug.
A processed vulnerability may be a software vulnerability that has already been repaired using a patch. The vulnerability repair time may be the point in time at which the repair of the processed vulnerability on the target information device was completed. The patch release time may be the point in time at which the patch for the processed vulnerability was publicly released, and can be understood as the earliest point at which the vulnerability could have been repaired. The processing interval duration may be the length of the time period between the point at which the vulnerability could first be repaired and the point at which the repair was completed.
In the embodiment of the present disclosure, for each processed vulnerability, the security information obtaining device may obtain a patch release time of a patch corresponding to the processed vulnerability, obtain a vulnerability repair time when the processed vulnerability is repaired, and use a time length between the vulnerability repair time and the patch release time corresponding to the processed vulnerability as a processing interval duration. It can be appreciated that the smaller the processing interval duration, the higher the timeliness of the vulnerability being processed, and the larger the processing interval duration, the lower the timeliness of the vulnerability being processed.
In some embodiments of the present disclosure, obtaining the processing interval duration of at least one processed vulnerability in the target information device includes: sending a vulnerability log acquisition instruction to the target information device so that the target information device returns its vulnerability processing log after receiving the instruction; determining the vulnerability repair time of each processed vulnerability according to the vulnerability processing log; determining the patch release time of each processed vulnerability; and determining the processing interval duration of each processed vulnerability according to its patch release time and vulnerability repair time.
The vulnerability log obtaining instruction may be an instruction for obtaining a vulnerability log of the information device. The vulnerability processing log may be a log that records vulnerability processing procedures in the information device.
In the embodiment of the disclosure, the security information acquisition device may send the vulnerability log acquisition instruction to the target information device, and the target information device sends the vulnerability processing log to the security information acquisition device after receiving the vulnerability log acquisition instruction. The security information acquisition device analyzes the vulnerability processing log and determines vulnerability restoration time of the processed vulnerability related to the vulnerability processing log. Further, for each processed vulnerability, determining the patch release time of the processed vulnerability by using methods such as network inquiry, patch release inquiry and the like, and taking the length of the time period between the vulnerability restoration time and the patch release time as the processing interval duration of the processed vulnerability.
Step 104, generating comprehensive security information of the target information device according to the security sub-information of the target information device; the security sub-information comprises the production place type information, the security level information and the processing interval duration.
The security sub-information may be information characterizing the security of the target information device from a certain dimension. The number of the security sub-information is not limited in this embodiment, and the dimension of the security sub-information is not limited in this embodiment, for example, the dimension includes but is not limited to: one or more of a place of origin dimension, a security level dimension, a vulnerability handling interval dimension. The security integrated information may be information capable of comprehensively characterizing security conditions of the target information device from multiple dimensions. The type of the security integrated information is various, and the embodiment is not limited, and for example, the security integrated information may be a chart type.
In the embodiment of the disclosure, after the origin type information, the security level information and the processing interval duration of the target information device are determined, the security information obtaining device may collect the origin type information, the security level information and the processing interval duration in a chart and other manners to obtain the security comprehensive information.
The method for acquiring the safety information provided by the embodiment of the disclosure comprises the following steps: scanning target information equipment to obtain the type information of the production place of the target information equipment; the method comprises the steps that the production place type information characterizes whether target information equipment meets a preset production place range condition or not; determining the security level information of the target information equipment according to the associated information system and/or the associated information equipment of the target information equipment; the associated information system is an information system of the target information equipment, and the associated information equipment is an information equipment with a connection relation with the target information equipment; acquiring the processing interval duration of at least one processed vulnerability in the target information equipment; the processing interval duration is the time length between the bug fix time and the patch release time of each processed bug; generating safety comprehensive information of the target information equipment according to the safety sub-information of the target information equipment; the safety sub-information comprises production place type information, safety level information and processing interval duration. 
By adopting the technical scheme, the production place type of the target information equipment is determined, the security level of the target information equipment is determined according to the associated system or the associated equipment of the target information equipment, the vulnerability processing interval duration of the target information equipment is determined according to the patch release time and the vulnerability processing time of the vulnerability repaired by using the patch, and then the security comprehensive information used in the process of performing security management on the information equipment is determined in a plurality of dimensions, so that the comprehensiveness of analyzing the information equipment is improved, and the subsequent security management based on the security comprehensive information is more reliable.
In some embodiments of the present disclosure, the security sub-information further includes: at least one of password detection information, vulnerability detection information, configuration detection information, log storage duration information.
The password detection information characterizes whether a password with complexity lower than a preset level threshold exists in the target information device. The preset level threshold may be the minimum acceptable complexity, and may be set according to user requirements and the like, which this embodiment does not limit. Optionally, if a password with complexity lower than the preset level threshold exists in the target information device, the password detection information may be password abnormal information; if no such password exists, the password detection information may be password normal information.
The vulnerability detection information characterizes whether an unrepaired vulnerability exists in the target information device. Optionally, if the target information device has a vulnerability that has not yet been repaired, the vulnerability detection information may be vulnerability present information; if the target information device has no unrepaired vulnerability, the vulnerability detection information may be vulnerability repaired information.
The configuration detection information characterizes whether other software and/or other open ports exist in the target information device, where the other software is software outside a preset software list and the other open ports are ports outside a preset open port list. The software in the software list may be understood as permitted (secure) software; the list may take various forms and may be set according to user requirements and the like, which this embodiment does not limit. Likewise, the ports in the open port list may be understood as permitted (secure) ports; the list may take various forms and may be set according to user requirements and the like, which this embodiment does not limit. It can be understood that if software outside the software list and/or open ports outside the open port list exist in the target information device, the configuration detection information is configuration abnormal information; if neither exists, the configuration detection information is configuration normal information.
The log storage duration information characterizes whether the log storage duration of the target information device meets a preset duration threshold. The duration threshold may be the shortest period for which logs must be stored, and may be set according to user requirements and the like, which this embodiment does not limit. It can be understood that if the log storage duration is less than the duration threshold, the log storage duration does not meet the threshold and the log storage duration information may be duration abnormal information; if the log storage duration is not less than the duration threshold, the log storage duration meets the threshold and the log storage duration information may be duration normal information.
In this embodiment, the security information acquisition device may send a password detection instruction to the target information device. After receiving the password detection instruction, the target information device performs weak password detection with its own weak password detection program or a third-party weak password detection program, generates password detection information according to the result of the weak password detection, and sends the password detection information to the security information acquisition device.
The security information acquisition device may send a vulnerability detection instruction to the target information device. After receiving the vulnerability detection instruction, the target information device performs vulnerability detection with its own vulnerability detection program or a third-party vulnerability detection program, generates vulnerability detection information according to the vulnerability detection result, and sends the vulnerability detection information to the security information acquisition device.
The security information acquisition device may send a configuration detection instruction to the target information device. After receiving the configuration detection instruction, the target information device detects whether software outside the software list or open ports outside the open port list exist; if so, it determines that the configuration detection information is configuration abnormal information, and if not, that it is configuration normal information.
The security information acquisition device may send a log storage duration acquisition instruction to the target information device. After receiving the log storage duration acquisition instruction, the target information device determines the earliest time and the latest time of the logs it stores, takes the length of the time period between the earliest time and the latest time as the log storage duration information, and sends the log storage duration information to the security information acquisition device.
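As an added example (not code from the patent), the configuration detection and log storage duration checks above can be implemented as follows. The software list, open port list, the device's reported software and ports, the log timestamps and the 180-day threshold are all constructed sample values. Beyond the yes/no answer the text describes, the configuration check also returns the offending items, since a report that says only "abnormal" is of little use to whoever has to remediate it.

```python
from datetime import datetime

# Constructed preset lists (assumed values standing in for the user-set
# software list and open port list the text describes).
SOFTWARE_LIST = {"openssh-server", "nginx", "edr-agent"}
OPEN_PORT_LIST = {22, 443}

# Constructed report from the target device (sample data, not from the patent).
DEVICE_SOFTWARE = ["openssh-server", "nginx", "edr-agent", "telnetd"]
DEVICE_OPEN_PORTS = [22, 443, 23]


def configuration_detection(installed, open_ports, software_list, port_list):
    """Return (status, other_software, other_ports).

    status is 'configuration abnormal' when any installed software is outside
    the preset software list or any open port is outside the preset open port
    list, otherwise 'configuration normal'. The offending items are returned
    so the report says what was found, not only that something was.
    """
    other_software = sorted(set(installed) - set(software_list))
    other_ports = sorted(set(open_ports) - set(port_list))
    status = "configuration abnormal" if other_software or other_ports else "configuration normal"
    return status, other_software, other_ports


# Constructed timestamps of stored log entries, as the device might report them.
LOG_TIMESTAMPS = ["2024-01-10T00:00:00", "2024-03-01T08:30:00", "2024-05-20T23:59:59"]


def log_storage_duration_days(timestamps):
    """Length of the period between the earliest and latest stored log entry, in days.

    An empty log has a duration of 0; the order of the input does not matter.
    """
    if not timestamps:
        return 0.0
    times = [datetime.fromisoformat(t) for t in timestamps]
    return (max(times) - min(times)).total_seconds() / 86400


def log_storage_duration_info(timestamps, threshold_days):
    """Return ('duration normal' or 'duration abnormal', duration in days)."""
    duration = log_storage_duration_days(timestamps)
    status = "duration normal" if duration >= threshold_days else "duration abnormal"
    return status, duration


if __name__ == "__main__":
    print(configuration_detection(DEVICE_SOFTWARE, DEVICE_OPEN_PORTS, SOFTWARE_LIST, OPEN_PORT_LIST))
    print(log_storage_duration_info(LOG_TIMESTAMPS, threshold_days=180))
```

With the constructed data the device is flagged for `telnetd` and port 23, and a log span of roughly 132 days fails a 180-day threshold but passes a 90-day one.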
In this solution, the security comprehensive information of the information device is enriched from one or more of the dimensions of weak passwords, vulnerabilities, software configuration, port configuration and log storage duration, further improving the comprehensiveness of the analysis of the information device and the reliability of subsequent security management based on the security comprehensive information.
In some embodiments of the present disclosure, the security sub-information further includes access type information, which may be information indicating whether access to the information device is abnormal. Fig. 2 is a schematic flowchart of another security information acquisition method provided in an embodiment of the present disclosure. As shown in Fig. 2, before generating the security comprehensive information of the target information device, the security information acquisition method further includes:
Step 201, sending an access record acquisition instruction to the target information device, so that the target information device returns its access record after receiving the access record acquisition instruction.
The access record acquisition instruction may be an instruction for obtaining an access record, and the access record may be a log that records access processes on the information device.
In this embodiment, the security information acquisition device sends an access record acquisition instruction to the target information device, and the target information device sends the access record to the security information acquisition device after receiving the instruction.
Step 202, receiving the access record, and extracting access behavior data in the access record.
The access behavior data may be data recording a user's access behavior towards files; optionally, one item of access behavior data may record one access by a user to one file.
In this embodiment, the security information acquisition device may receive the access record sent by the target information device and extract from it the access behavior data, in which the users' access behavior towards files is recorded.
Step 203, if the access behavior data conforms to a preset access rule, determining that the access type information is access normal information; if the access behavior data does not conform to the preset access rule, determining that the access type information is access abnormal information.
The access rule may be a rule recording the access rights of users, and may include, for each user, the authorized files that the user is permitted to access.
In this embodiment, after determining the access behavior data, the security information acquisition device extracts each user identifier in the access behavior data and the accessed files corresponding to that user identifier. For each user identifier, it queries the access rule with the user identifier and determines the authorized files corresponding to it. If all of the accessed files are included in the authorized files, the user identifier corresponds to normal access; if at least one accessed file is not included in the authorized files, the user identifier corresponds to abnormal access. If all user identifiers correspond to normal access, the access behavior data conforms to the access rule and the access type information is access normal information; if at least one user identifier corresponds to abnormal access, the access behavior data does not conform to the access rule and the access type information is access abnormal information.
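Steps 202 and 203 as an added example, not code from the patent: the access record format, the user identifiers, the file paths and the access rule are constructed sample data. One design decision the text leaves open is how to treat a user identifier that does not appear in the access rule at all; this example treats such a user as having no authorized files, so any access by it is abnormal (an assumption of the example, and the safer default).

```python
import re

# Constructed access record as the target device might return it after an
# access record acquisition instruction (sample data, not from the patent).
ACCESS_RECORD = """\
2024-03-01T09:00:00 user=u1001 file=/data/reports/q1.xlsx
2024-03-01T09:05:00 user=u1001 file=/data/reports/q2.xlsx
2024-03-01T10:00:00 user=u1002 file=/data/hr/payroll.csv
2024-03-01T10:20:00 user=u1002 file=/data/reports/q1.xlsx
2024-03-01T11:00:00 user=u1003 file=/data/reports/q1.xlsx
"""

# Constructed access rule: user identifier -> authorized files (assumed values).
ACCESS_RULE = {
    "u1001": {"/data/reports/q1.xlsx", "/data/reports/q2.xlsx"},
    "u1002": {"/data/hr/payroll.csv"},
}

RECORD_RE = re.compile(r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+file=(?P<file>\S+)$")


def extract_access_behavior(record_text):
    """Step 202: one (user identifier, accessed file) pair per access; malformed lines are skipped."""
    behavior = []
    for line in record_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            behavior.append((m["user"], m["file"]))
    return behavior


def check_access_rule(behavior, rule):
    """Step 203: return (access_type_info, per_user).

    A user identifier corresponds to normal access only if every file it
    accessed is among its authorized files. A user identifier absent from the
    rule has no authorized files, so any access by it is abnormal (assumption
    of this example). The overall access type information is normal only if
    every user identifier is normal.
    """
    accessed = {}
    for user, path in behavior:
        accessed.setdefault(user, set()).add(path)
    per_user = {}
    for user, files in accessed.items():
        authorized = rule.get(user, set())
        per_user[user] = "access normal" if files <= authorized else "access abnormal"
    overall = "access normal" if all(v == "access normal" for v in per_user.values()) else "access abnormal"
    return overall, per_user


if __name__ == "__main__":
    overall, per_user = check_access_rule(extract_access_behavior(ACCESS_RECORD), ACCESS_RULE)
    print(overall)
    for user, verdict in sorted(per_user.items()):
        print(f"  {user}: {verdict}")
```

Returning the per-user verdicts alongside the overall access type information lets the security comprehensive information say which identifier caused the abnormal flag rather than only that the device is abnormal.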
In this solution, it is determined whether access behavior not conforming to the access rule exists on the target information device; if so, the access type information is used to flag it in the security comprehensive information, so that the user can determine from the perspective of access rights whether the target information device is at risk.
In some embodiments of the present disclosure, the security information acquisition method further includes: for a first target sub-information among the security sub-information, determining a first device number, namely the number of devices in the associated information system whose first target sub-information is a preset sub-type information; determining a type compliance rate corresponding to the first target sub-information according to the first device number and the total number of devices in the associated information system; and if the type compliance rate is less than a compliance rate threshold corresponding to the first target sub-information, generating compliance rate improvement prompt information based on the first target sub-information.
The first target sub-information may be any one or more of the security sub-information. The preset sub-type information may be a specific preset type of the first target sub-information. The total number of devices in the associated information system may be the number of information devices it includes. The type compliance rate may be a parameter characterizing the proportion of devices whose first target sub-information is the preset sub-type information. The compliance rate threshold may be the minimum acceptable proportion of devices whose first target sub-information is the preset sub-type information, and may be set according to user requirements and the like, which this embodiment does not limit. The compliance rate improvement prompt information may be prompt information urging that the type compliance rate be raised.
In this embodiment, the security information acquisition device may take one or more pieces of security sub-information as the first target sub-information. It determines the specific type of the first target sub-information for each of the information devices in the associated information system, takes the information devices whose first target sub-information is the preset sub-type information as first devices, and determines the first device number. Dividing the first device number by the total number of devices in the associated information system gives the type compliance rate of the first target sub-information. The type compliance rate is compared with the compliance rate threshold corresponding to the first target sub-information; if the type compliance rate is less than the threshold, the compliance rate of the first target sub-information in the associated information system is too low, and compliance rate improvement prompt information for the first target sub-information is generated.
For example, the first target sub-information may be the origin type information and the preset sub-type information may be the in-range type information. The security information acquisition device may determine the first device number, that is, the number of devices in the associated information system whose origin type information is the in-range type information, and decide based on it whether to generate the compliance rate improvement prompt information.
In this solution, it is calculated whether the proportion of devices in the associated information system whose first target sub-information is the preset sub-type information meets the standard, and the user is then prompted to adjust the information devices in the associated information system accordingly.
In some embodiments of the present disclosure, the security information acquisition method further includes: for a second target sub-information among the security sub-information, acquiring a second device number, namely the number of devices in an information subsystem of the associated information system for which the second target sub-information is present, where the information subsystem is a system formed by the information devices on one network link or a system formed by the information devices in one virtual area; determining the information coverage rate of the second target sub-information according to the second device number and the total number of devices in the information subsystem; and if the information coverage rate is less than a coverage rate threshold corresponding to the second target sub-information, generating coverage rate improvement prompt information based on the second target sub-information.
The second target sub-information may be any one or more of the security sub-information, and may be the same as or different from the first target sub-information, which this embodiment does not limit. The network link may be a link from an ingress of the associated information system to an access-layer switch within it; the link may comprise a plurality of network nodes, each of which is an information device. The virtual area may be a network area formed by a plurality of information devices, the number of which this embodiment does not limit; for example, the virtual area may be a demilitarized zone (DMZ) of the associated information system. The coverage rate threshold may be the minimum acceptable information coverage rate, and may be set according to user requirements and the like, which this embodiment does not limit.
In this embodiment, the security information acquisition device may take the system formed by the information devices on one network link in the associated information system, or the system formed by the information devices in one virtual area of the associated information system, as the information subsystem. It determines the second device number, that is, the number of devices in the information subsystem for which the second target sub-information is present. Dividing the second device number by the total number of devices in the information subsystem gives the information coverage rate of the second target sub-information. The information coverage rate is compared with the preset coverage rate threshold; if the information coverage rate is less than the threshold, the coverage is too low, and coverage rate improvement prompt information for the second target sub-information is generated.
In this solution, the coverage rate of the second target sub-information in the information subsystem is calculated and compared with the coverage rate threshold, so as to prompt the user to determine the second target sub-information for the information devices in the information subsystem.
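The type compliance rate and the information coverage rate described in the two preceding embodiments, as one added example that is not code from the patent. The device inventory, the subsystem names, the sub-information keys and the thresholds are constructed sample data. The two rates differ in what they count: compliance asks how many devices have a particular value of a sub-information (origin type is "in-range"), while coverage asks how many devices in a subsystem have that sub-information at all, which here is modelled as the key being present on the device record.

```python
# Constructed inventory of the associated information system (sample data, not
# from the patent). Each record holds the security sub-information acquired for
# one device; a missing key means that sub-information has not been acquired.
DEVICES = [
    {"id": "dev-01", "subsystem": "link-A", "origin_type": "in-range", "password": "normal"},
    {"id": "dev-02", "subsystem": "link-A", "origin_type": "in-range", "password": "abnormal"},
    {"id": "dev-03", "subsystem": "link-A", "origin_type": "out-of-range"},
    {"id": "dev-04", "subsystem": "dmz", "origin_type": "in-range", "password": "normal"},
    {"id": "dev-05", "subsystem": "dmz", "origin_type": "out-of-range", "password": "normal"},
]


def type_compliance_rate(devices, sub_info, preset_subtype):
    """First device number divided by total device number for the given first target sub-information.

    An empty system yields 0.0 rather than a division error.
    """
    if not devices:
        return 0.0
    first_devices = [d for d in devices if d.get(sub_info) == preset_subtype]
    return len(first_devices) / len(devices)


def compliance_prompt(devices, sub_info, preset_subtype, threshold):
    """Compliance rate improvement prompt when the rate is below the threshold, else None."""
    rate = type_compliance_rate(devices, sub_info, preset_subtype)
    if rate < threshold:
        return (f"improve compliance rate of {sub_info}: "
                f"{rate:.0%} of devices are '{preset_subtype}', threshold {threshold:.0%}")
    return None


def information_coverage_rate(devices, subsystem, sub_info):
    """Second device number divided by the total number of devices in the information subsystem.

    A device "has" the sub-information when the key is present, whatever its value.
    """
    members = [d for d in devices if d.get("subsystem") == subsystem]
    if not members:
        return 0.0
    covered = [d for d in members if sub_info in d]
    return len(covered) / len(members)


def coverage_prompt(devices, subsystem, sub_info, threshold):
    """Coverage rate improvement prompt when the rate is below the threshold, else None."""
    rate = information_coverage_rate(devices, subsystem, sub_info)
    if rate < threshold:
        return (f"improve coverage of {sub_info} in {subsystem}: "
                f"{rate:.0%} of devices have it, threshold {threshold:.0%}")
    return None


if __name__ == "__main__":
    print(compliance_prompt(DEVICES, "origin_type", "in-range", threshold=0.8))
    for subsystem in ("link-A", "dmz"):
        print(subsystem, coverage_prompt(DEVICES, subsystem, "password", threshold=0.9))
```

With the constructed inventory, origin compliance is 3 of 5 devices (60%), and password detection coverage is 2 of 3 on link-A but 2 of 2 in the DMZ, so only link-A receives a coverage prompt at a 90% threshold.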
The security information acquisition method in the embodiment of the present disclosure is further described below by way of a specific example. Fig. 3 is a flowchart of another security information acquisition method according to an embodiment of the present disclosure. As shown in Fig. 3, the security information acquisition method includes:
Step 301, identifying information assets.
Specifically, from a network security perspective, various technical means such as active probing and passive identification are used together, combined with consulting documents such as asset record forms and on-site inspection, to identify all information assets governed by an organization such as an enterprise. Identification of information assets may be carried out on an ongoing basis.
Step 302, categorizing the information asset.
Specifically, from a network security perspective, the identified information assets are divided into different security categories according to the network security requirements they must comply with. The security categories may include primary categories and secondary categories under them, where the primary categories are coarser-grained and each primary category may be subdivided into a plurality of secondary categories.
Step 303, determining the level information of the information asset.
Specifically, from a network security perspective, the security level of an information asset is one of: unrated, level 1, level 2, level 3, level 4 and level 5. The higher the security level, the more stringent the security requirements.
Step 304, determining a plurality of attribute information of the information asset, and determining a ledger of the information asset according to the plurality of attribute information.
Specifically, from a network security perspective, the attribute names corresponding to an information asset are determined according to the level information of the information asset, and the attribute fields of those attribute names are determined to obtain the ledger of the information asset.
Step 305, generating asset identifiers for the information assets, so as to determine, based on scanning operations on the asset identifiers, whether the security sub-information of the information assets is erroneous.
Specifically, from a network security perspective, the asset identifier is generated from the department number, category, security level and internal department serial number of the information asset. The asset identifier is affixed to the information asset or displayed on its screen. During an information asset inventory, a scanning instrument may scan the asset identifier. If an unrecorded information asset is found, the method returns to step 301.
Step 306, a plurality of security sub-information of the target information device is determined.
Specifically, from a network security perspective, information asset security protection management is performed in terms of origin substitution, patch management, weak password management, security vulnerability management, security configuration management, security audit management and the like. Origin substitution management replaces existing information assets with information assets produced within a prescribed area. Patch management can improve the timeliness with which information assets complete patch updates. Weak password management can reduce the number of weak passwords in information assets. Security vulnerability management can reduce the number of vulnerabilities in information assets. Security configuration management makes the security settings of information assets better meet security baseline requirements. Security audit management can determine whether an information asset has abnormal operations such as abnormal access.
Step 307, determining the type compliance rate of each piece of security sub-information in the associated information system in which the information asset is located.
Specifically, from a network security perspective, full lifecycle management is performed on information assets. Quantitative calculation is performed on the security sub-information; specifically, the information asset security management quantitative indices comprise: origin substitution rate, ledger error rate, inventory time consumption, patch upgrade time consumption, weak password rate, vulnerability troubleshooting time consumption, vulnerability repair rate, configuration qualification rate, log storage duration qualification rate, network link coverage rate and area coverage rate. If a compliance rate is too low, the method returns to step 304 to update the ledger of the information asset, or to step 306 to re-determine the security sub-information of the information asset.
The values of these indices intuitively reflect the current state of information asset security management in an organization such as an enterprise, prompting the organization to find problems with its information assets in the security dimension and to handle the related security problems effectively, so as to form closed-loop management.
The embodiment of the disclosure also provides a security information acquisition system, through which the security information acquisition method can be implemented. The security information acquisition system comprises an information asset identification module, an information asset classification module, an information asset grading module, an information asset ledger module, an information asset identifier and inventory module, an information asset protection module and an information asset management quantification module. The functions of these modules are described in turn:
First, the functions of the information asset identification module include: an active information asset scanning function, a passive information asset analysis function, an information asset input receiving function, an information asset import function and an information asset integration function.
Active information asset scanning function: a probe packet is sent to each address in an Internet Protocol (IP) address list, the returned reply packets are received and parsed, and the category of the information asset is determined, e.g. server, switch, etc.
Passive information asset analysis function: network traffic data and/or log data in the network are acquired and analyzed, and the type of information asset related to the data, such as a video surveillance node device, is determined.
Information asset input receiving function: known information assets entered by a user are received.
Information asset import function: information assets are imported in batches by means of tables and the like.
Information asset integration function: the information assets determined in the different ways are deduplicated to obtain the list of information assets to be classified.
Second, the functions of the information asset classification module include: an information asset classification template function and an information asset classification management function.
Information asset classification template function: information asset classification templates are built in, wherein 17 are classified in primary class and 109 are classified in secondary class. And each primary classification includes at least one scalable secondary classification to facilitate modification or expansion of information asset classifications in different scenarios.
Information asset classification management function: and determining an information asset security classification mode meeting the requirements of the user according to the information asset classification template, and completing information asset classification based on the information asset to be classified.
Third, the functions of the information asset ranking module include: an information asset classification template function and an information asset classification management function.
Information asset classification template function: the built-in information asset classification templates are divided into: unfixed stage, primary, secondary, tertiary, quaternary, and quintuplet.
Information asset hierarchical management function: for information assets within the level protection rating, the security level is the same as the security level of the object to which it belongs. For information assets that are not within the level protection rating, their security level may be determined based on the security level of the business application system that they have access to. For information assets that are capable of accessing a plurality of different security levels of a business application system, the security level is the highest of the plurality of different security levels.
Fourth, the information asset ledger module includes: information asset account template function, information asset account management function.
Information asset ledger template function: an information asset ledger template is built in, and divides the fields of the information asset ledger into 6 asset attributes, which are respectively: asset basic information, asset network information, asset security information, asset status information, asset software information, and asset component information, and each asset attribute has one or more information asset attribute fields therein, for a total of 44 information asset attribute fields, of which 18 information asset attribute fields have to be filled.
Information asset ledger management function: and forming an asset account book list meeting the organization and management requirements of enterprises and the like based on the information asset account book template.
Fifth, the information asset identification and inventory module functions include: information asset identification management and information asset inventory management.
Information asset identification management: and according to the information asset identification rule, completing the generation of the identification tag. Specifically, the information asset identification rule includes: 3-digit department number (001-999), which may be a uniform number for departments. 3-digit information asset class number (001-999), which may be a uniform number for information asset classes. 1-bit information asset security level number (0-5), where 0 represents an indefinite level and 1-5 represents a security level of 1-5. 5-bit information asset organization internal sequence numbers (00001-99999), which are uniform numbers for all information assets within each organization department.
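The identifier rule above as an added example, not code from the patent or the described system: a 12-character label made of the 3-digit department number, 3-digit category number, 1-digit security level and 5-digit sequence number, with a generator that enforces the stated ranges, a parser for scanned labels, and the inventory comparison against the ledger described at step 305. The department, category and sequence values, and the ledger contents, are constructed sample data.

```python
import re

# 3-digit department, 3-digit category, 1-digit level (0-5), 5-digit sequence.
ASSET_ID_RE = re.compile(r"^(?P<dept>\d{3})(?P<cat>\d{3})(?P<level>[0-5])(?P<seq>\d{5})$")

LEVEL_NAMES = {0: "unrated", 1: "level 1", 2: "level 2", 3: "level 3", 4: "level 4", 5: "level 5"}


def generate_asset_id(department, category, level, sequence):
    """Build the 12-character identifier label, rejecting values outside the rule's ranges."""
    if not 1 <= department <= 999:
        raise ValueError("department number must be 001-999")
    if not 1 <= category <= 999:
        raise ValueError("category number must be 001-999")
    if not 0 <= level <= 5:
        raise ValueError("security level must be 0-5")
    if not 1 <= sequence <= 99999:
        raise ValueError("sequence number must be 00001-99999")
    return f"{department:03d}{category:03d}{level}{sequence:05d}"


def is_valid_asset_id(label):
    """True when the scanned label has the exact shape the rule prescribes."""
    return ASSET_ID_RE.match(label.strip()) is not None


def parse_asset_id(label):
    """Decode a scanned label into its fields; raises ValueError on a malformed label."""
    m = ASSET_ID_RE.match(label.strip())
    if not m:
        raise ValueError(f"malformed asset identifier: {label!r}")
    level = int(m["level"])
    return {
        "department": int(m["dept"]),
        "category": int(m["cat"]),
        "security_level": level,
        "security_level_name": LEVEL_NAMES[level],
        "sequence": int(m["seq"]),
    }


def inventory_check(scanned_labels, ledger_ids):
    """Compare scanned labels with the ledger.

    Returns (recorded, unrecorded, malformed). An unrecorded label is the
    "unrecorded information asset" case that sends the method back to step 301.
    """
    recorded, unrecorded, malformed = [], [], []
    for label in scanned_labels:
        label = label.strip()
        if not is_valid_asset_id(label):
            malformed.append(label)
        elif label in ledger_ids:
            recorded.append(label)
        else:
            unrecorded.append(label)
    return recorded, unrecorded, malformed


if __name__ == "__main__":
    # Constructed values: department 12, category 7, level 3, sequence 42.
    label = generate_asset_id(12, 7, 3, 42)
    print(label, parse_asset_id(label))
    ledger = {label, generate_asset_id(1, 1, 0, 1)}          # constructed ledger
    print(inventory_check([label, "099010500007", "0120073000"], ledger))
```

Keeping the regular expression anchored at both ends and fixed-width is what makes the label unambiguous: without it, a 12-digit string could be split in more than one way.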
Information asset inventory management: and scanning the identification label of each information asset through a handheld scanning instrument, analyzing the identification label and comparing the identification label with the data of a background database to realize quick checking of the information asset.
Sixth, the information asset protection module functions include: a place of production substitution function, a patch management function, a weak password management function, a security vulnerability management function, a security configuration management function, and a security audit management function.
Place of origin substitution function: continuously collecting information asset replacement information within the range of a preset production place, and determining the information asset with the production place replacement condition in the information system through comparative analysis.
Patch management function: and detecting whether the patch which is not updated in time exists in the information asset through the self patch management function or a patch management tool provided by a driving third party.
Weak password management function: and detecting whether the weak password exists in the information asset through a weak password detection function of the information asset or a weak password management tool provided by a driving third party.
Security hole management function: and detecting whether the security hole exists in the information asset through the security hole management function of the information asset or a security hole management tool provided by a driving third party.
Security configuration management function: and detecting whether the security setting of the information asset meets the security baseline requirement or not through the security configuration function of the information asset or a security configuration tool provided by a driving third party.
Security audit management function: and carrying out security audit on a log generated by the information asset through a security audit function of the security audit device or a security audit tool provided by a driving third party, and detecting whether abnormal access, abnormal operation and the like exist in the information asset.
Seventh, functions of the information asset management quantization module include: extracting safety sub-information of the information asset, calculating the safety sub-information through an index calculation model, and determining the type standard rate of the safety sub-information.
The yield is as follows: the number of sites implemented in an information asset divided by the total number of information assets, the resulting range of the information asset site availability is 0-100%, the greater the index results, the higher the popularity of site availability.
Ledger error rate: the number of information assets with inaccurate information asset account is divided by the number of all the information assets to be checked in the checking, the result range is 0-100%, and the smaller the index result is, the more accurate the enterprise organization information asset account is.
The time spent on the checking is as follows: the time length between the time point of the enterprise organization completing the full information asset checking and the time point of the enterprise organization starting the full information asset checking is not fixed, the smaller the result range is, and the higher the information asset checking efficiency of the enterprise organization is.
Patch upgrades are time consuming: the time length between the time point when the enterprise organization finishes the upgrading of the patches of the certain type of information assets and the time point when the official officials of the certain type of information assets release patch information externally is not fixed, the smaller the index result is, the higher the timeliness of the enterprise organization to the patches of the certain information assets is.
Weak password rate: the number of information assets found to have a weak password in the inspection divided by the number of information assets all inspected ranges from 0% to 100%, and the smaller the index result, the fewer information assets in the enterprise organization having a weak password.
Vulnerability discovery is time-consuming: the time length between the official notice time point of the security hole and the time point of the information asset checking whether the security hole exists is not determined, the result range of the hole checking time is uncertain, and the smaller the index result is, the faster the enterprise organization can check the hole.
Vulnerability repair rate: the number of the information assets of the type for which the security hole repair is completed is divided by the total number of the information assets of the type, the result range of the hole repair rate is 0-100%, and the larger the index result is, the higher the security hole repair degree of the enterprise organization on the information assets of the type is.
And (3) configuring the qualification rate: the number of the information assets which are qualified in the safety configuration is divided by the total number of the information assets which are required to realize the qualified work of the safety configuration, the result range of the qualification rate of the configuration is 0-100%, and the larger the index result is, the better the implementation of the qualified work of the safety of the information assets of the enterprise organization is.
Network link coverage: for a certain network link, the number of information assets which are subjected to security audit is divided by the number of information assets on the network link in a switch from an outlet of an external network to an internal access layer of the information system, the result range of the network link coverage rate is 0-100%, and the larger the index result is, the more sufficient the audit work of the network link is indicated.
Coverage of area: for a network area, dividing the number of information assets covered by the security audit by the total number of information assets in the area, wherein the coverage rate of the area ranges from 0% to 100%, and the larger the index result is, the higher the centralized security audit degree in the area is.
For example, enterprise organization A can use the security information acquisition method to determine the aspects in which the network security of its information assets can be improved. The specific index data obtained by the method is as follows:
Origin substitution rate: 0.2%; recommended value: 5%; recommended measure: information assets conforming to the origin range are evaluated and substituted.
Ledger error rate: 67%; recommended value: within 5%; recommended measures: define a unified information asset ledger template whose attribute fields must be filled in explicitly, and fill in the ledger synchronously during the full information asset check.
Checking time: 3 months; recommended value: within 1 week; recommended measures: apply security identification management to the information assets, produce identification labels uniformly, and use the labels for quick, comprehensive checking of the information assets.
Patch upgrade time: 2 months; recommended value: within 1 week; recommended measures: use multiple channels to guarantee timely acquisition of patch information for the information assets, set a completion deadline for patch updates of each type of information asset, and review within that deadline to prompt the upgrade.
Weak password rate: 13.4%; recommended value: 0; recommended measures: conduct training that highlights the risk of using weak passwords and explains the strong password requirements in detail, run weak password detection continuously, and require information assets with weak passwords to be rectified within a fixed deadline.
Vulnerability discovery time: 1 week; recommended value: 1 day; recommended measures: form a complete information asset ledger through comprehensive information asset checking, and perform vulnerability checks in batches.
Vulnerability repair rate: 69.2%; recommended value: 95%; recommended measures: specify the vulnerability levels that must be repaired, namely super-critical, high-risk and medium-risk vulnerabilities; check the list of information assets that have not had vulnerabilities repaired, complete the repair within the specified period, and verify it by recheck; for the small number of legacy information assets whose security vulnerabilities cannot be repaired, record the exception in detail after other compensating security measures have been taken.
Configuration qualification rate: 67%; recommended value: 95%; recommended measures: define a security configuration baseline and train relevant personnel on it so that they understand the concrete implementation method; check the security configuration qualification of the information assets regularly and complete rectification of unqualified assets within the specified time; for the small number of legacy information assets whose security configuration cannot be changed, record the exception in detail after other compensating security measures have been taken.
Log storage time: 76%; recommended value: 100%; recommended measures: extend log collection and storage capacity, configure the security logs of all information assets to be sent periodically to a preset platform, and set the retention period to at least 6 months.
Network link coverage: 56%; recommended value: 100%; recommended measures: bring all network devices and security devices on the network link into the scope of periodic network security audit, and list the specific information devices included in the link.
Area coverage: 54%; recommended value: 100%; recommended measures: carry out centralized security audit of all information assets in the area, and list the specific information devices included in the area.
In this scheme the type achievement rate is computed automatically, so its result no longer varies with the skill background of the user. With the method, network security management of an information asset can be carried out systematically over the asset's whole life cycle, improving its network security and its network security protection capability. Determining quantitative indices for the security dimensions of the information asset reflects its current network security status intuitively, promotes the discovery of security problems, guides their effective handling, and closes the management loop.
Fig. 4 is a schematic structural diagram of a security information acquisition device according to an embodiment of the present disclosure. The device may be implemented in software and/or hardware and can generally be integrated in an electronic device. As shown in Fig. 4, the device includes:
a scanning module 401, configured to scan a target information device to obtain place of origin type information of the target information device, where the place of origin type information indicates whether the target information device meets a preset origin range condition;
a first determining module 402, configured to determine security level information of the target information device according to an associated information system and/or an associated information device of the target information device, where the associated information system is the information system to which the target information device belongs and the associated information device is an information device connected to the target information device;
a first obtaining module 403, configured to obtain the processing interval duration of at least one processed vulnerability in the target information device, where the processing interval duration is the time between the patch release time and the vulnerability fix time of each processed vulnerability;
a first generating module 404, configured to generate security comprehensive information of the target information device according to the security sub-information of the target information device, where the security sub-information includes the place of origin type information, the security level information and the processing interval duration.
Optionally, the scanning module 401 is configured to:
scan the target information device to obtain producer information of the target information device;
determine the place of origin information corresponding to the producer information;
if the place of origin information lies within the preset origin range, determine that the target information device meets the origin range condition, the place of origin type information being in-range type information;
and if the place of origin information lies outside the preset origin range, determine that the target information device does not meet the origin range condition, the place of origin type information being out-of-range type information.
Optionally, the first determining module 402 is configured to:
if the associated information system has corresponding system grade information, determine the security level information from the system grade information;
and if the associated information system has no corresponding system grade information, determine the security level information from the associated grade information of the associated information device.
Optionally, the first obtaining module 403 is configured to:
send a vulnerability log acquisition instruction to the target information device, so that the target information device returns a vulnerability processing log after receiving the instruction;
determine the vulnerability fix time of each processed vulnerability from the vulnerability processing log;
determine the patch release time of each processed vulnerability;
and determine the processing interval duration of each processed vulnerability from the patch release time and the vulnerability fix time corresponding to that vulnerability.
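As an added example that is not part of the patent, the following Python shows how the scanning module 401, the first determining module 402 and the first obtaining module 403 described above could be realised: classification of the place of origin against a preset origin range, the system-grade-first fallback for the security level, and the processing interval duration computed per processed vulnerability from a returned vulnerability processing log and a separately determined patch release time. The log line format, the producer-to-origin table, the patch release table and all function names are assumptions; the log entries are constructed.

```python
# Added example, not code from the patent. Log format, lookup tables and
# function names are assumptions chosen to illustrate modules 401-403.
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Assumed preset place-of-origin range (the patent leaves the range to the operator).
PRESET_ORIGIN_RANGE = {"CN"}

# Assumed producer -> place-of-origin table standing in for the background database.
PRODUCER_ORIGIN = {"ExampleVendorA": "CN", "ExampleVendorB": "US"}

# Assumed patch release times per vulnerability (the "determine the patch release
# time" step); in practice these come from vendor advisories, not from the device.
PATCH_RELEASE = {
    "VULN-0001": "2023-01-10T00:00:00",
    "VULN-0002": "2023-02-01T00:00:00",
    "VULN-0003": "2023-03-05T00:00:00",
}


def origin_type(producer: str) -> str:
    """Module 401: 'in-range' if the producer's origin lies in the preset range,
    otherwise 'out-of-range'. An unknown producer is treated as out-of-range."""
    origin = PRODUCER_ORIGIN.get(producer)
    return "in-range" if origin in PRESET_ORIGIN_RANGE else "out-of-range"


def security_level(system_level: Optional[int], device_level: Optional[int]) -> Optional[int]:
    """Module 402: use the associated information system's grade when it exists,
    otherwise fall back to the grade of the connected (associated) device."""
    return system_level if system_level is not None else device_level


@dataclass
class ProcessedVuln:
    vuln_id: str
    patch_release: datetime
    fix_time: datetime

    @property
    def processing_interval_hours(self) -> float:
        """Duration between patch release and vulnerability fix, in hours."""
        return (self.fix_time - self.patch_release).total_seconds() / 3600


# Constructed vulnerability processing log as the target device would return it,
# one line per repaired vulnerability: "<id> fixed=<ISO timestamp>".
SAMPLE_VULN_LOG = """\
VULN-0001 fixed=2023-01-17T09:30:00
VULN-0002 fixed=2023-03-15T12:00:00
VULN-0003 fixed=2023-03-05T18:00:00
VULN-9999 fixed=2023-04-01T00:00:00
"""


def parse_vuln_log(log_text: str, patch_release: Dict[str, str] = PATCH_RELEASE) -> List[ProcessedVuln]:
    """Module 403: pair each fix time from the log with its patch release time.
    Entries with no known patch release time cannot yield an interval and are skipped."""
    result = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        vuln_id, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields if "=" in f)
        if vuln_id not in patch_release or "fixed" not in kv:
            continue
        result.append(ProcessedVuln(vuln_id,
                                    datetime.fromisoformat(patch_release[vuln_id]),
                                    datetime.fromisoformat(kv["fixed"])))
    return result


def processing_intervals(log_text: str) -> Dict[str, float]:
    """Processing interval duration per processed vulnerability, in hours."""
    return {v.vuln_id: v.processing_interval_hours for v in parse_vuln_log(log_text)}


if __name__ == "__main__":
    print(origin_type("ExampleVendorB"), security_level(None, 3))
    for vid, hours in processing_intervals(SAMPLE_VULN_LOG).items():
        print(vid, f"{hours / 24:.1f} days")
```

The interval is measured from patch release rather than from vulnerability disclosure, matching the definition of the processing interval duration above; a log entry whose patch release time is not on record (VULN-9999 in the constructed log) is dropped instead of being given a fictitious interval.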
Optionally, the security sub-information further includes at least one of password detection information, vulnerability detection information, configuration detection information and log storage duration information;
the password detection information indicates whether the target information device holds a password whose complexity is below a preset complexity threshold; the vulnerability detection information indicates whether the target information device has a vulnerability that has not been fully repaired; the configuration detection information indicates whether the target information device runs other software and/or exposes other open ports, where other software is software outside a preset software list and other open ports are ports outside a preset open port list; and the log storage duration information indicates whether the log storage duration of the target information device meets a preset duration threshold.
Optionally, the security sub-information further includes access type information;
correspondingly, the device further includes:
a sending module, configured to send an access record acquisition instruction to the target information device before the security comprehensive information is generated, so that the target information device returns an access record after receiving the instruction;
an extraction module, configured to receive the access record and extract access behaviour data from it;
a second determining module, configured to determine that the access type information is access-normal information if the access behaviour data conforms to a preset access rule;
and a third determining module, configured to determine that the access type information is access-abnormal information if the access behaviour data does not conform to the preset access rule.
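The access type determination just described, as an added example that is not the patent's own code. The access record format, the preset access rule (a set of allowed source networks and a service-hour window), the device records and the function names are all assumptions; the records are constructed.

```python
# Added example, not code from the patent. Record format, preset access rule
# and function names are assumptions used to illustrate the access type modules.
import ipaddress
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed access records as the target information device would return them:
# "<ISO timestamp> <source address> <account> <action>".
SAMPLE_ACCESS_RECORDS = """\
2023-05-02T09:15:00 10.0.1.25 ops-admin login
2023-05-02T10:40:00 10.0.1.30 ops-admin config-read
2023-05-03T02:05:00 10.0.1.25 ops-admin login
2023-05-03T11:20:00 203.0.113.7 ops-admin login
"""

# Assumed preset access rule: management access only from the operations
# network and only within the service window (08:00-17:59 device local time).
PRESET_ACCESS_RULE = {
    "allowed_sources": [ipaddress.ip_network("10.0.1.0/24")],
    "allowed_hours": range(8, 18),
}


def extract_access_behaviour(records: str) -> List[Dict]:
    """Extraction module: turn raw access records into access behaviour data.
    Malformed lines are kept as their own finding rather than silently dropped."""
    rows = []
    for line in records.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 4:
            rows.append({"raw": line, "malformed": True})
            continue
        ts, src, account, action = parts
        rows.append({
            "time": datetime.fromisoformat(ts),
            "src": ipaddress.ip_address(src),
            "account": account,
            "action": action,
            "malformed": False,
        })
    return rows


def rule_violations(behaviour: List[Dict], rule: Dict = PRESET_ACCESS_RULE) -> List[Tuple[Dict, List[str]]]:
    """Return every behaviour row that does not conform to the preset access rule,
    together with the reasons, so the prompt can say what was abnormal."""
    findings = []
    for row in behaviour:
        reasons = []
        if row["malformed"]:
            reasons.append("unparseable access record")
        else:
            if not any(row["src"] in net for net in rule["allowed_sources"]):
                reasons.append("source address outside allowed networks")
            if row["time"].hour not in rule["allowed_hours"]:
                reasons.append("access outside service hours")
        if reasons:
            findings.append((row, reasons))
    return findings


def access_type_information(records: str, rule: Dict = PRESET_ACCESS_RULE) -> str:
    """Second/third determining modules: 'access normal' when every record conforms
    to the preset access rule, otherwise 'access abnormal'."""
    return "access abnormal" if rule_violations(extract_access_behaviour(records), rule) else "access normal"


if __name__ == "__main__":
    for row, reasons in rule_violations(extract_access_behaviour(SAMPLE_ACCESS_RECORDS)):
        where = row.get("raw") or f"{row['time']} {row['src']} {row['account']} {row['action']}"
        print(where, "->", "; ".join(reasons))
    print(access_type_information(SAMPLE_ACCESS_RECORDS))
```

A record the device returns in an unexpected shape is treated as abnormal rather than ignored: a collector that silently drops lines it cannot parse would report "access normal" for exactly the records an auditor most needs to look at.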
Optionally, the apparatus further includes:
a fourth determining module, configured to determine, for first target sub-information in the security sub-information, a first device number, namely the number of devices in the associated information system whose first target sub-information is the preset subtype information;
a fifth determining module, configured to determine the type achievement rate corresponding to the first target sub-information from the first device number and the total number of devices in the associated information system;
and a second generating module, configured to generate achievement rate improvement prompt information based on the first target sub-information if the type achievement rate is below the achievement rate threshold corresponding to the first target sub-information.
Optionally, the apparatus further includes:
a second obtaining module, configured to obtain, for second target sub-information in the security sub-information, a second device number, namely the number of devices having the second target sub-information in an information subsystem of the associated information system, where the information subsystem is a system formed by the information devices on a network link or by the information devices in a virtual area;
a sixth determining module, configured to determine the information coverage rate of the second target sub-information from the second device number and the total number of devices in the information subsystem;
and a third generating module, configured to generate coverage rate improvement prompt information based on the second target sub-information if the information coverage rate is below the coverage rate threshold corresponding to the second target sub-information.
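As an added example that is not the patent's own code, the following Python implements the quantization logic shared by the index definitions of the information asset management quantization module (with the worked figures for enterprise organization A) and by the fourth to sixth determining modules and the second and third generating modules above: a type achievement rate per security sub-information, a coverage rate per network link and per virtual area, and the prompt information emitted when a rate falls below its threshold. The inventory, the attribute names, the predicate that selects each "preset subtype", and the thresholds (taken from the recommended values in the enterprise A example) are assumptions. Rates are expressed as compliance rates, so an error-style index such as the ledger error rate or the weak password rate is 1 minus the corresponding achievement rate.

```python
# Added example, not code from the patent. The inventory, attribute names,
# subtype predicates and thresholds are assumptions; thresholds follow the
# recommended values given for enterprise organization A.
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Device:
    name: str
    system: str             # associated information system
    link: str               # network link (information subsystem of the first kind)
    area: str               # virtual area (information subsystem of the second kind)
    origin_in_range: bool   # place of origin type information is in-range
    ledger_accurate: bool   # ledger entry matched the asset during the check
    weak_password: bool     # password detection found a weak password
    vulns_repaired: bool    # no unrepaired vulnerability remains
    config_qualified: bool  # security configuration meets the baseline
    audited: bool           # covered by centralized security audit


# Constructed inventory of one associated information system.
INVENTORY: List[Device] = [
    Device("fw-01",  "sysA", "link-dmz",  "area-1", True,  True,  False, True,  True,  True),
    Device("sw-01",  "sysA", "link-dmz",  "area-1", False, True,  False, True,  False, True),
    Device("srv-01", "sysA", "link-core", "area-2", True,  False, True,  False, True,  False),
    Device("srv-02", "sysA", "link-core", "area-2", False, True,  False, True,  True,  True),
    Device("db-01",  "sysA", "link-core", "area-2", True,  True,  False, False, False, False),
]

# For each security sub-information, the predicate selecting the preset
# "compliant" subtype, so every rate below is a compliance rate.
TYPE_PREDICATES: Dict[str, Callable[[Device], bool]] = {
    "origin in range":          lambda d: d.origin_in_range,
    "ledger accurate":          lambda d: d.ledger_accurate,
    "no weak password":         lambda d: not d.weak_password,
    "vulnerabilities repaired": lambda d: d.vulns_repaired,
    "configuration qualified":  lambda d: d.config_qualified,
}

# Achievement rate thresholds (assumed): 5% origin substitution, ledger error
# within 5%, no weak passwords, 95% repair rate, 95% configuration qualification.
THRESHOLDS: Dict[str, float] = {
    "origin in range": 0.05,
    "ledger accurate": 0.95,
    "no weak password": 1.00,
    "vulnerabilities repaired": 0.95,
    "configuration qualified": 0.95,
}
COVERAGE_THRESHOLD = 1.00  # recommended value of 100% for link and area coverage


def type_achievement_rate(devices: List[Device], predicate: Callable[[Device], bool]) -> float:
    """First device number / total device number. An empty device set yields 0
    instead of a division error, so a system with no devices reads as non-compliant."""
    if not devices:
        return 0.0
    return sum(1 for d in devices if predicate(d)) / len(devices)


def achievement_prompts(devices: List[Device], predicates=TYPE_PREDICATES,
                        thresholds=THRESHOLDS) -> Dict[str, str]:
    """Achievement rate improvement prompts for every sub-information below its threshold."""
    prompts = {}
    for name, predicate in predicates.items():
        rate = type_achievement_rate(devices, predicate)
        if rate < thresholds[name]:
            prompts[name] = f"type achievement rate {rate:.0%} is below threshold {thresholds[name]:.0%}"
    return prompts


def coverage_rate(devices: List[Device], subsystem_attr: str, subsystem_id: str) -> float:
    """Second device number / total device number of one information subsystem
    (the devices on a network link or in a virtual area), for the audited subtype."""
    members = [d for d in devices if getattr(d, subsystem_attr) == subsystem_id]
    return type_achievement_rate(members, lambda d: d.audited)


def coverage_prompts(devices: List[Device], threshold: float = COVERAGE_THRESHOLD) -> Dict[str, str]:
    """Coverage rate improvement prompts per network link and per virtual area."""
    prompts = {}
    for attr in ("link", "area"):
        for subsystem_id in sorted({getattr(d, attr) for d in devices}):
            rate = coverage_rate(devices, attr, subsystem_id)
            if rate < threshold:
                prompts[f"{attr}={subsystem_id}"] = f"security audit coverage {rate:.0%} is below threshold {threshold:.0%}"
    return prompts


if __name__ == "__main__":
    for key, msg in {**achievement_prompts(INVENTORY), **coverage_prompts(INVENTORY)}.items():
        print(f"{key}: {msg}")
```

Keeping every index as a compliance rate lets one comparison direction (rate below threshold) serve all sub-information, which is what the fifth determining module and the second generating module rely on; the thresholds are data, so a different organization's recommended values slot in without touching the logic.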
The security information acquisition device provided by the embodiment of the present disclosure can execute the security information acquisition method provided by any embodiment of the present disclosure, and has the functional modules and beneficial effects corresponding to that method.
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure. As shown in fig. 5, electronic device 500 includes one or more processors 501 and memory 502.
The processor 501 may be a Central Processing Unit (CPU) or other form of processing unit having secure information acquisition capabilities and/or instruction execution capabilities, and may control other components in the electronic device 500 to perform desired functions.
Memory 502 may include one or more computer program products that may include various forms of computer-readable storage media, such as volatile memory and/or non-volatile memory. The volatile memory may include, for example, Random Access Memory (RAM) and/or cache memory (cache), and the like. The non-volatile memory may include, for example, Read Only Memory (ROM), hard disk, flash memory, and the like. One or more computer program instructions may be stored on the computer readable storage medium that can be executed by the processor 501 to implement the security information acquisition methods of embodiments of the present disclosure described above and/or other desired functions. Various contents such as an input signal, a signal component, a noise component, and the like may also be stored in the computer-readable storage medium.
In one example, the electronic device 500 may further include: an input device 503 and an output device 504, which are interconnected by a bus system and/or other form of connection mechanism (not shown).
In addition, the input device 503 may also include, for example, a keyboard, a mouse, and the like.
The output device 504 may output various information to the outside, including the determined distance information, direction information, and the like. The output device 504 may include, for example, a display, speakers, a printer, and a communication network and remote output apparatus connected thereto, etc.
Of course, only some of the components of the electronic device 500 that are relevant to the present disclosure are shown in fig. 5 for simplicity, components such as buses, input/output interfaces, etc. are omitted. In addition, the electronic device 500 may include any other suitable components depending on the particular application.
In addition to the methods and apparatus described above, embodiments of the present disclosure may also be a computer program product comprising computer program instructions which, when executed by a processor, cause the processor to perform the security information acquisition method provided by the embodiments of the present disclosure.
The computer program product may write program code for performing the operations of embodiments of the present disclosure in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server.
Further, embodiments of the present disclosure may also be a computer-readable storage medium having stored thereon computer program instructions which, when executed by a processor, cause the processor to perform the security information acquisition method provided by the embodiments of the present disclosure.
The computer readable storage medium may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium may include, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, Random Access Memory (RAM), Read-Only Memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
It should be noted that in this document, relational terms such as "first" and "second" and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing is merely a specific embodiment of the disclosure to enable one skilled in the art to understand or practice the disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown and described herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (11)

1. A security information acquisition method, characterized by comprising:
scanning target information equipment to obtain the information of the type of the production place of the target information equipment; the production place type information characterizes whether the target information equipment meets a preset production place range condition or not;
determining the security level information of the target information equipment according to the associated information system and/or the associated information equipment of the target information equipment; the associated information system is an information system to which the target information equipment belongs, and the associated information equipment is an information equipment with a connection relation with the target information equipment;
acquiring the processing interval duration of at least one processed vulnerability in the target information equipment; the processing interval duration is the time duration between the bug fix time and the patch release time of each processed bug;
generating safety comprehensive information of the target information equipment according to the safety sub-information of the target information equipment; the safety sub-information comprises the place of origin type information, the safety level information and the processing interval duration.
2. The method of claim 1, wherein the scanning the target information device for information on the type of origin of the target information device comprises:
scanning the target information equipment to obtain producer information of the target information equipment;
determining the production place information corresponding to the producer information;
if the production place information is in a preset production place range, determining that the target information equipment meets the production place range condition, wherein the production place type information is in-range type information;
and if the production place information is out of the preset production place range, determining that the target information equipment does not meet the production place range condition, wherein the production place type information is out-of-range type information.
3. The method according to claim 1, wherein said determining security level information of said target information device from an associated information system and/or an associated information device of said target information device comprises:
if the associated information system has corresponding system grade information, determining the security grade information according to the system grade information;
and if the associated information system does not have the corresponding system grade information, determining the security grade information according to the associated grade information of the associated information equipment.
4. The method of claim 1, wherein the obtaining a processing interval duration of at least one processed vulnerability in the target information device comprises:
sending a vulnerability log acquisition instruction to the target information equipment, so that the target information equipment returns a vulnerability processing log after receiving the vulnerability log acquisition instruction;
determining the vulnerability restoration time of each processed vulnerability according to the vulnerability processing log;
determining the patch release time of each processed vulnerability;
and determining the processing interval duration of each processed vulnerability according to the patch release time and the vulnerability restoration time corresponding to each processed vulnerability.
5. The method of claim 1, wherein the secure sub-information further comprises: at least one of password detection information, vulnerability detection information, configuration detection information and log storage duration information;
the password detection information characterizes whether a password with the complexity lower than a preset degree threshold exists in the target information equipment or not; the vulnerability detection information characterizes whether a vulnerability which is not repaired completely exists in the target information equipment; the configuration detection information characterizes whether other software and/or other open ports exist in the target information equipment; the other software is software outside a preset software list, and the other open ports are ports outside the preset open port list; and the log storage duration information characterizes whether the log storage duration of the target information equipment meets a preset duration threshold value or not.
6. The method of claim 1, wherein the security sub-information further comprises access type information;
accordingly, before the generating the security integrated information of the target information device, the method further includes:
sending an access record acquisition instruction to the target information equipment so that the target information equipment returns an access record after receiving the access record acquisition instruction;
receiving the access record and extracting access behavior data in the access record;
if the access behavior data accords with a preset access rule, determining that the access type information is access normal information;
and if the access behavior data does not accord with the preset access rule, determining that the access type information is access abnormal information.
7. The method according to claim 1, wherein the method further comprises:
determining the first equipment quantity of which the first target sub-information is preset subtype information in the associated information system aiming at the first target sub-information in the safety sub-information;
determining a type standard rate corresponding to the first target sub-information according to the first equipment number and the total equipment number in the associated information system;
and if the type standard reaching rate is smaller than the standard reaching rate threshold corresponding to the first target sub-information, generating standard reaching rate lifting prompt information based on the first target sub-information.
8. The method according to claim 1, wherein the method further comprises:
aiming at second target sub-information in the security sub-information, acquiring second equipment quantity with the second target sub-information in an information subsystem of the associated information system; the information subsystem comprises a system formed by information equipment on a network link or a system formed by information equipment in a virtual area;
determining the information coverage rate of the second target sub-information according to the second equipment number and the total equipment number of the information sub-system;
and if the information coverage rate is smaller than a coverage rate threshold corresponding to the second target sub-information, generating coverage rate improvement prompt information based on the second target sub-information.
9. A security information acquisition apparatus, characterized by comprising:
the scanning module is used for scanning the target information equipment to obtain the information of the type of the production place of the target information equipment; the production place type information characterizes whether the target information equipment meets a preset production place range condition or not;
the first determining module is used for determining the security level information of the target information equipment according to the associated information system and/or the associated information equipment of the target information equipment; the associated information system is an information system to which the target information equipment belongs, and the associated information equipment is an information equipment with a connection relation with the target information equipment;
the first acquisition module is used for acquiring the processing interval duration of at least one processed vulnerability in the target information equipment; the processing interval duration is the time duration between the bug fix time and the patch release time of each processed bug;
the first generation module is used for generating the safety comprehensive information of the target information equipment according to the safety sub-information of the target information equipment; the safety sub-information comprises the place of origin type information, the safety level information and the processing interval duration.
10. An electronic device, the electronic device comprising:
a processor;
a memory for storing the processor-executable instructions;
the processor is configured to read the executable instructions from the memory and execute the instructions to implement the security information acquisition method according to any one of the preceding claims 1-8.
11. A computer-readable storage medium, characterized in that the storage medium stores a computer program for executing the security information acquisition method according to any one of the preceding claims 1 to 8.
CN202310604410.6A 2023-05-26 2023-05-26 Security information acquisition method, device, equipment and medium Active CN116401714B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310604410.6A CN116401714B (en) 2023-05-26 2023-05-26 Security information acquisition method, device, equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310604410.6A CN116401714B (en) 2023-05-26 2023-05-26 Security information acquisition method, device, equipment and medium

Publications (2)

Publication Number Publication Date
CN116401714A true CN116401714A (en) 2023-07-07
CN116401714B CN116401714B (en) 2023-09-26

Family

ID=87007867

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310604410.6A Active CN116401714B (en) 2023-05-26 2023-05-26 Security information acquisition method, device, equipment and medium

Country Status (1)

Country Link
CN (1) CN116401714B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2008176634A (en) * 2007-01-19 2008-07-31 Toshiba Corp Security level monitoring evaluation device and security level monitoring evaluation program
CN101674302A (en) * 2009-09-25 2010-03-17 联想网御科技(北京)有限公司 Method and device for conducting security identification on information system
CN107545379A (en) * 2017-10-13 2018-01-05 上海众人网络安全技术有限公司 A kind of safe class monitoring and managing method, device, Billboard and system
CN112866186A (en) * 2019-11-28 2021-05-28 大唐移动通信设备有限公司 Security level determination method and device
CN114491555A (en) * 2022-01-17 2022-05-13 深圳供电局有限公司 Equipment safety detection method and device, computer equipment and storage medium
CN115859305A (en) * 2022-12-26 2023-03-28 国家工业信息安全发展研究中心 Knowledge graph-based industrial control security situation sensing method and system

Also Published As

Publication number Publication date
CN116401714B (en) 2023-09-26

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant