JP5020776B2 - Information security measure decision support apparatus and method, and computer program - Google Patents

Description

  The present invention relates to an information security measure determination support apparatus and method, and a computer program.

Conventionally, a tool that comprehensively analyzes security problems included in a system and presents a plurality of countermeasures for each problem is known.
For example, Patent Document 1 describes a technique for evaluating a risk against information leakage of a document file based on the actual countermeasure setting status and configuration information. This technology evaluates the risk of a route for accessing a document based on a route model that expresses a route through which information flows and risk assessment rules created from device setting information. From the above, the risk for information leakage of documents is evaluated. And while producing the countermeasure plan for reducing a risk, the cost of each countermeasure plan is calculated | required.
JP 2007-156816 A

Information security risk analysis and countermeasure review of systems and operations must be tailor-made according to the target system, and specialized knowledge and know-how are required. Is difficult to do. Therefore, methods and tools for supporting security risk analysis and countermeasure consideration have been proposed, but there is a lot of information necessary for the tools, and it is difficult to master them. In addition, there are many tools that support comprehensive risk analysis and countermeasure review, such as identifying all risks on the system and presenting multiple countermeasure proposals for each risk. It is not easy to select the countermeasure plan that best meets the needs from the countermeasure proposals.
On the other hand, in the technology of Patent Document 1, although it is possible to support decision of security measures by presenting a plurality of countermeasures against information leakage and its cost, risk analysis for information security risk targeting all information It is not possible to provide support for decision making. In addition, in order to perform security risk analysis based on the intrusion route and present countermeasures, it is necessary to redraw the system relation diagram according to the system configuration content, and again expertise in information security and IT systems. Need.

  The present invention has been made in view of the above circumstances, and comprehensively analyzes information security risks and presents countermeasures without requiring specialized knowledge about information security and IT systems. An object of the present invention is to provide an information security measure determination support apparatus and method and a computer program capable of performing the same.

In order to solve the above problems, the present invention provides a threat that causes a change in state between nodes from a node indicating an initial state to a node in which damage has occurred through a node in an elapsed state, and an attribute of the asset The table shows the correspondence between threats and assets, the correspondence table between threats and countermeasures that can be taken in response to each threat, and the state in which damage has occurred from the initial state node to the elapsed state node A storage means for storing each of the nodes up to the node, a threat list indicating threats that cause a change in state between the nodes, and a countermeasure list indicating information on evaluation of each countermeasure, and a diagnosis target system Attribute information that is input from the correspondence table of threats and assets in response to the input of attribute information indicating the type of device that constitutes the service type, the business type in the diagnosis target system, or the information type handled in the diagnosis target system And threats extracting means for extracting a corresponding threat, in response to the threat extracted by the threat extracting unit reads measures from the correspondence table of measures and the threat and measures extracting means for outputting a countermeasure read, the threat Based on the threat extracted by the extraction means and the information indicating the relationship between the threat and the node read from the threat list corresponding to the extracted threat, the threat that can occur until reaching the damage occurrence node is shown. Procedure creation means for creating procedure information, and selection based on the evaluation information of the countermeasure extracted by the countermeasure extraction means corresponding to the threat between the nodes constituting the procedure created by the procedure creation means An information security measure determination support apparatus comprising: measure selection means for selecting and outputting a measure corresponding to a condition .

  Further, the present invention is the information security measure determination support apparatus described above, wherein the measure selecting means is extracted by the measure extracting means corresponding to the threat between the nodes constituting the procedure created by the procedure creating means. Based on information on the evaluation of countermeasures, the first selection means for selecting the most effective countermeasure in the selection condition between the nodes and the threat corresponding to the nodes between the nodes constituting the procedure for each of the procedures And selecting a countermeasure candidate that is most effective in the selection condition from the countermeasures selected by the first selection means, and providing a second selection means as a countermeasure for the procedure, To do.

  According to the present invention, in the information security countermeasure determination support apparatus described above, the countermeasure selection unit is configured to prevent threats between the nodes constituting the procedure until measures are selected for all the procedures created by the procedure creation unit. The countermeasure that is read out by the countermeasure extracting means in response to and that is not selected as a countermeasure of any of the procedures is selected from the countermeasures that are most effective in the selection condition, and the selected countermeasure is It is characterized in that the corresponding threat is extracted from the correspondence table of the threat and the countermeasure, and for the procedure including the extracted threat, the selected countermeasure is taken as the countermeasure of the procedure.

  In the information security measure determination support apparatus described above, the present invention is characterized in that the evaluation information indicated by the measure list is cost information.

  According to the present invention, in the information security countermeasure determination support apparatus described above, the evaluation information indicated by the countermeasure list is information on the effect after the countermeasure is implemented, and the threat list further includes risk information on each threat. The countermeasure selecting means reads out information on the risk corresponding to the threat indicated by the procedure created by the procedure creating means from the threat list and the information on the effect of the countermeasure corresponding to the threat. It is characterized in that a measure with the highest effect is selected from the risk information of the read threat from the measure list and the information of the effect of the measure corresponding to the threat.

In addition, the present invention associates a threat that causes a change in state between nodes from a node indicating an initial state to a node in a state where damage has occurred through a node in an elapsed state, and an asset attribute. The correspondence table of threats and assets to be shown, the correspondence table of threats and countermeasures that can be taken in response to each threat, and the node from the initial state to the node in the damaged state through the node in the elapsed state To an information security measure decision support device comprising a storage means for storing a list of threats indicating each node, a threat that causes a change in state between the nodes, and a measure list indicating information on evaluation of each measure An information security measure determination support method used, wherein the information security measure determination support device includes a type of device constituting a diagnosis target system, a job type in the diagnosis target system, Receiving the attribute information indicating the type of information handled by the diagnosis target system and extracting the threat corresponding to the input attribute information from the threat-asset correspondence table, and the threat extraction process In response to the threat, the countermeasure is read out from the correspondence table of the threat and countermeasure, the countermeasure extraction process for outputting the read countermeasure, the threat extracted in the threat extraction process, and the threat corresponding to the extracted threat A procedure creation process for creating procedure information indicating threats that can occur up to the damage occurrence node based on the threat and the node relationship information read from the list, and created in the procedure creation process. Based on the evaluation information of the countermeasure extracted in the countermeasure extraction process corresponding to the threat between each node constituting the procedure, the countermeasure corresponding to the selection condition is taken. Is information security decision support method characterized in that it comprises a measure selecting process-option and outputs.

In addition, the present invention causes a computer used as an information security measure decision support device to generate a change in state between nodes from a node indicating an initial state to a node in a state where damage has occurred through a node in an elapsed state Table showing the correspondence between threats to be associated with asset attributes, threat and asset correspondence table showing countermeasures that can be taken in response to each threat, and nodes that have passed from the initial state node to the elapsed state node The threat list that shows each node up to the node where the damage has occurred through the process, the threat that causes a change in the state between the nodes, and the countermeasure list that shows the evaluation information of each countermeasure are stored. Receives input of attribute information indicating the storage means, the types of devices constituting the diagnosis target system, the business type in the diagnosis target system, or the information type handled in the diagnosis target system. Threat extraction means for extracting a threat corresponding to the input attribute information from the threat-asset correspondence table, corresponding to the threat extracted by the threat extraction means, and reading out the countermeasure from the threat-countermeasure correspondence table, Based on the countermeasure extracting means for outputting the read countermeasure, the threat extracted by the threat extracting means, and the information representing the relationship between the threat and the node read from the threat list corresponding to the extracted threat. Procedure creation means for creating procedure information indicating threats that may occur up to the occurrence node, extracted by the countermeasure extraction means in response to threats between nodes constituting the procedure created by the procedure creation means was based on the information of the evaluation of the measures, a computer program for causing to function as a countermeasure selecting means for selecting a measure corresponding to the selected condition A.

  According to the present invention, the information security measure determination support apparatus holds information on association with assets and information on association with measures for threats based on a universal security event transition model independent of the system. Thus, only by inputting the attribute type for the diagnosis target system, it is possible to identify the threat in the diagnosis target system and present a list of countermeasures corresponding to the threat. In addition, by using information on the cost of each measure, information on the risk of each threat, and information on the effectiveness of each measure, select and present measures that meet the desired conditions such as emphasis on cost, safety, and effect measures. can do.

Embodiments of the present invention will be described below with reference to the drawings.
FIG. 1 is a diagram showing an overview of an information security measure decision support device 1 according to an embodiment of the present invention. The information security measure decision support device 1 inputs attribute information of a diagnosis target system, for example, configuration information such as a list of device types of the diagnosis target system, business information indicating a business type, information of an information type handled by the diagnostic target system, and the like. Receive.
The information security measure decision support device 1 receives the input of attribute information of the diagnosis target system, and generates a list of threats generated based on a security event transition model in which the procedure of unauthorized access acts is structured, and threats and security measures (hereinafter referred to as “security threat measures”). , Simply refer to the relationship with “measures”) to identify information security problems included in the diagnosis target system and present a countermeasure pattern for maintaining the information security of the diagnosis target system. At this time, the information security measure determination support apparatus 1 refers to a list of measures indicating the cost and effect of each measure, and calculates the cost, the effect when the measure is taken, the residual risk, etc. for each identified measure. And based on this calculation result, examples of measures that can minimize costs and ensure the strength of the required measures, examples of measures that maximize cost effectiveness, examples of measures that neglect costs and maximize the strength of security measures, etc. , You can select and present measures that meet your needs.

  FIG. 2 shows a block diagram of the information security measure decision support device 1 according to the embodiment of the present invention. The information security countermeasure determination support apparatus 1 includes a receiving unit 11, a threat extracting unit 12, a procedure creating unit 13, a countermeasure extracting unit 14, a countermeasure selecting unit 15, an output unit 16, a security threat-measure corresponding data storage unit 21, and a security threat model. A storage unit 22 is provided.

  The receiving unit 11 receives information input by the user using a keyboard, a mouse, or the like. Alternatively, information may be received from another computer device connected via a network, or information may be read from a computer-readable recording medium. The output unit 16 displays information on a display such as a CRT (cathode ray tube) or LCD (liquid crystal display). The output unit 16 may print information by a printer or the like, write information to a recording medium, or output information to a computer device connected via a network.

The security threat model storage unit 22 stores data of a threat list indicating a security event transition model in which a procedure of an unauthorized access action is structured.
The security threat-countermeasure data storage unit 21 stores data such as a threat-asset correspondence table, a countermeasure list, and a threat-countermeasure correspondence table. The threat-asset correspondence table is data indicating threats that exist for each asset. The measure list shows evaluation values such as cost and measure effect for each measure. The threat-countermeasure correspondence table is data indicating the content of countermeasures that can be taken for each threat.

  The threat extraction unit 12 is based on the attribute information of the diagnosis target system input by the reception unit 11, for example, configuration information such as device type and software type, information on business type, information on information type to be handled, and threat-asset correspondence table. Extract what threats are in the diagnosis target system. Based on the threat extracted by the threat extraction unit 12 and the information of the transition source node and the transition destination node read from the threat list corresponding to the extracted threat, the procedure creation unit 13 Detect possible threat (unauthorized access) procedures. The countermeasure extracting unit 14 extracts what countermeasures can be taken for the diagnosis target system based on the threat extracted by the threat extracting unit 12, the threat-countermeasure correspondence table, and the countermeasure list. The measure selection unit 15 prioritizes measures in accordance with the measure conditions based on the procedure detected by the procedure creation unit 13, the threat extracted by the measure extraction unit 14, and the measure evaluation value obtained from the measure list. Ranking is performed, a security countermeasure list for the diagnosis target system is generated, and the output unit 16 is instructed to output the security countermeasure list.

Next, data held by the information security measure determination support apparatus 1 will be described.
First, in order to generate data held in the information security measure decision support device 1, a universal model in which the procedure of unauthorized access action is structured, that is, a security event transition model that does not depend on the diagnosis target system is generated. .

FIG. 3 is a diagram showing a security event transition model.
The security event transition model is a model of an unauthorized access procedure that can be performed on an information system, and is a universal model that does not depend on the structure or components of the information system. The security event transition model is in the middle from the start node S (0) indicating the start state where nothing has occurred to the risk occurrence node (the node indicated by the bold line) in the state where damage has occurred. It is indicated by how the progress state node indicating a certain state is transited and an unauthorized access act as a transition condition between the nodes. Since the approximate method of unauthorized access is fixed, it can be expressed by such a universal model. For example, when an unauthorized access action, which is a threat signature described in correspondence with an arrow starting from the start node S, is performed from the start node S (0), it is indicated by the node at the end of the arrow. Transition to the state of the progress state node. Furthermore, when an unauthorized access action described in correspondence with an arrow starting from the progress state node is performed from the progress state node, a transition is made to the state indicated by the progress state node ahead of the arrow. . By repeating this, one of the damage occurrence nodes is reached. The unauthorized access procedure performed from the start node S (0) to the damaged node is an unauthorized access procedure.

  FIG. 4 is a diagram showing a list of threats stored in the security threat model storage unit 22 and shows the security event transition model described above. In the figure, the threat list shows a threat ID for identifying the threat, a transition source ID, a transition destination ID, a precondition, a threat content, a threat frequency (frequency), and a technical ease ( (Difficulty level) and attack success probability (hit rate). The transition source ID is an unauthorized access action in the security event transition model, that is, a node ID that identifies the original node where the threat occurs, and the transition destination ID is the transition destination when the unauthorized access action (threat) occurs. It is indicated by a node ID that identifies the node.

  The threat frequency (frequency), technical ease (difficulty), and attack success probability (hit rate) shown in FIG. 4 are represented by quantified values, as shown in FIG. The probability of occurrence is “7” if the frequency is very high, such as once or more per day, and “1” if the frequency is very low, such as once or more in several years, depending on the frequency. Indicated by typical values. Similarly, the technical ease can be executed very easily without requiring any special device. ・ It is generated only by a very simple factor or randomness. ・ It can be executed by anyone. "Unless very elaborate, it is almost impossible to execute.-It will hardly occur unless a lot of factors overlap.-" 1 "if there is almost no need for advanced security technology or the possibility of executing it. As shown in stepwise values. The hit rate is indicated by a stepwise value as “7” when it is very high and “1” when it is very low.

FIG. 6 is a diagram showing a threat-asset correspondence table stored in the security threat-countermeasure data storage unit 21.
In the figure, the threat-asset correspondence table is composed of a plurality of records in which a threat ID for identifying threat contents, preconditions for generating a threat, technique contents, and attributes are associated with each other. The attributes include an asset type, an information type, a business type, and the like, and these types are further divided into types. For example, asset types include asset types “software”, “hardware”, and the like, and “OS (basic software)”, “application software”, etc. are “hardware” below the asset type “software”. In the lower level, asset types such as “computer”, “network equipment”, “office equipment”, and “equipment” are lower. In addition, information types such as “personal information” are subordinate to information types, and business types such as “operation” are subordinate to business types. Further, there are detailed attribute types below these attribute types.

  This threat-asset correspondence table is a plot of the unauthorized access actions shown in the security event transition model of FIG. Therefore, extracting the threat contents corresponding to the attribute type of the diagnosis target system from the threat-asset correspondence table shown in FIG. 6 is an illegality existing in the diagnosis target system from the security event transition model shown in FIG. Access acts (threats) are extracted. Further, a security event transition model specialized in the diagnosis target system (for example, the model shown in FIG. 16) is obtained by extracting the node that becomes the transition source of the extracted threat and the node that becomes the transition destination from the threat list. ) Will be extracted.

  FIG. 7 is a diagram showing a threat-countermeasure correspondence table stored in the security threat-countermeasure data storage unit 21. In the figure, the threat-countermeasure correspondence table is composed of a plurality of records in which threat IDs, preconditions and threat contents, countermeasure contents, and countermeasure IDs for identifying countermeasure contents are associated with each threat contents. As shown in the figure, a plurality of measures can be taken for one threat.

  FIG. 8 is a diagram showing a list of countermeasures stored in the security threat / countermeasure correspondence data storage unit 21. The countermeasure list is obtained by associating each unauthorized access action shown in the security event transition model of FIG. 3, that is, an evaluation of unauthorized access actions for each threat, for example, costs and effects of countermeasures. In the figure, the countermeasure list includes records in which countermeasures are associated with countermeasure costs, residual risk as a result of the countermeasures, and derived risks. The countermeasure information indicates countermeasure ID, countermeasure contents, and type classification information. The countermeasure cost information includes introduction cost and operation cost information, and the residual risk information includes attack frequency (threat occurrence probability) after the countermeasure and attack success probability (hit rate) after the countermeasure. Derived (new) risk information includes information on threat contents newly generated when countermeasures are taken, frequency (occurrence probability), technical ease (difficulty), and attack success probability (hit rate). The occurrence probability, difficulty level, and accuracy rate are quantified in the same manner as shown in FIG. By using such quantified information, it is possible to make a quantitative comparison of possible countermeasures for each threat (method).

Next, the operation of the information security measure determination support device 1 will be described.
FIG. 9 is a diagram illustrating a processing flow of the information security measure determination support device 1.
First, the receiving unit 11 of the information security measure determination support apparatus 1 receives an input of a check list that is attribute information of a diagnosis target system, that is, data indicating a device type, a job type, an information type, and the like (step S100).

FIG. 10 shows an example of a check list, and FIG. 11 shows a configuration example of a diagnosis target system.
In FIG. 10, the check list includes information indicating whether each owned asset is included in the diagnosis target system. The types of assets are classified according to the attribute types of a plurality of hierarchies similar to the threat-asset correspondence table shown in FIG.

  In the case of the diagnosis target system shown in FIG. 11, in the conventional method, the configuration of each individual device must be input, and “Lixxx-A”, “Lixxx-B”, “Lixxx-C”, “Winxxxx” Server-A, Winxxxx Server-B, Firewall-A, Router-A, Wireless LAN AP-A, WinxxxxXp-A, WinxxxxXp-B, Winxxxx-pC, "Winxxxx Server-A", "Winxxxx Server-B", "Winxxxx Server-C", "Database-A", "MailServer-A", "Browser-A", "Browser-B", "Browser-C" , ... had to be extracted. On the other hand, in the present embodiment, the assets having the same attribute type need only be collected together, so that the checklist includes “Lixxx series”, “Winxxx series”, “Firewall”, “Router”, “ Attribute types such as “wireless LAN access point”, “WWW server”, “DB server”, “mail server”, and “Web browser” are extracted and indicated as “present” in the checklist.

  In FIG. 9, the threat extraction unit 12 of the information security measure determination support device 1 includes the check list input in step S100, the threat-asset correspondence table and the security threat model storage unit in the security threat-measure correspondence data storage unit 21. Based on the threat list in 22, the threats existing in the diagnosis target system are extracted (step S 110). Therefore, the threat extraction unit 12 of the information security measure determination support apparatus 1 extracts a threat ID corresponding to the attribute type indicated as “present” in the input checklist from the threat-asset correspondence table. Next, the threat extraction unit 12 uses the threat ID extracted from the threat-asset correspondence table as a key, and makes a transition source ID and a transition destination ID corresponding to the threat ID from the threat list, a precondition, a threat content, and a threat frequency. Then, the technical ease and the attack success probability are read out, and threat extraction result data indicating a threat extraction result as shown in FIG. 12 is generated. That is, the threat extraction result data includes a threat ID extracted from the threat-asset correspondence table and information in a record read from the threat list corresponding to the threat ID. This threat extraction result corresponds to the security event transition model extracted from the security event transition model specialized for the diagnosis target system.

  The procedure creation unit 13 of the information security measure decision support device 1 creates a procedure of unauthorized access action (hereinafter also simply referred to as “procedure”) that can be performed in the diagnosis target system from the threat extraction result data generated in step S110. (Step S120). FIG. 13 is a diagram of procedure search result data showing the created procedure. The procedure search result data describes an ID for identifying each procedure and the execution order of threats (unauthorized access acts). The execution order of threats is indicated by threat IDs in the columns 1 to n.

  Specifically, in order to specify the procedure, the following is performed for each threat ID indicated by the threat extraction result data. First, one threat ID acquired from the threat extraction result data is defined as a signature 1. At this time, the node whose start node is the transition source node may be selected. Then, the transition destination ID is read out from the record of the threat extraction result data specified by the threat ID set as the signature 1, and if the transition destination ID is an elapsed state node, the read transition destination ID is set as the transition source ID. Identify threat extraction result data records. Then, the threat ID in the identified record is used as the signature 2, and the transition destination ID is read from the record. If the transition destination ID is an elapsed state node, a record of threat extraction result data in which the read transition destination ID is set as the transition source ID is specified. By repeating this until the transition destination ID reaches the risk occurrence node, the procedure in the diagnosis target system is extracted. The procedure creation unit 13 assigns a procedure ID for identifying the procedure for each extracted procedure.

  In FIG. 9, the countermeasure extraction unit 14 of the information security countermeasure determination support apparatus 1 stores the security threat-countermeasure correspondence data using each threat ID set as a technique in the procedure search result data generated in step S120 as a key. The precondition, threat content, countermeasure ID, and countermeasure content are read from the threat-countermeasure correspondence table in the unit 21, and the threat frequency, technical ease, and attack success probability are read from the threat list in the security threat model storage unit 22 ( Step S130). Further, the measure extraction unit 14 reads out information on the cost, the remaining risk, and the derived (new) risk from the measure list using the read measure ID as a key. And the countermeasure extraction result data which shows the extraction result of the countermeasure shown in FIG. 14 from these information are produced | generated. In FIG. 14, cost information for each countermeasure is omitted.

  Next, the countermeasure selection unit 15 of the information security countermeasure determination support apparatus 1 receives the information on the cost of the countermeasure corresponding to each threat indicated by the procedure search result data, the residual risk, the derived (new) risk, and the like. A measure that matches the measure selection condition received via is selected (step S140). Detailed processing of this prioritization will be described later. The output unit 16 outputs the procedure search result data, the list of measures selected by the measure selection unit 15, the threat classification corresponding to the measures shown in the list, the preconditions, the threat contents, and the countermeasure contents (step S150).

  Next, as a countermeasure selection processing procedure in step S140 described above, two processes of a step type algorithm and an overall optimization algorithm will be described. Suppose that there are four options for the measure selection condition: cost emphasis, safety emphasis, effect emphasis, and threshold method. The threshold method is a method for selecting an optimum combination having a predetermined effect or more within a predetermined cost.

  FIG. 15 is a processing flow using a step type algorithm. In the figure, the measure selecting unit 15 is based on the cost, residual risk, and derived (new) risk in the measure extraction result data, out of the measures that can be taken between all two nodes, cost-oriented, safety-oriented, A countermeasure in the case of emphasizing the effect is selected (steps S200 and S210). After selecting all the countermeasures between the two nodes, subsequently, for each procedure indicated by the procedure search result data, select which one of the countermeasures selected in step S210 should be taken according to the selection condition. (Steps S220 and S230). Finally, when the same measures are included in the measures selected for each procedure in step S240, the list of normalized measures is made by leaving only one measure so as not to overlap (steps S240 and S250). .

  Details of the two-node countermeasure selection process at step S210 and the intra-procedure countermeasure selection process at step S230 in the stepped algorithm shown in FIG. 15 will be described below.

  FIG. 16 shows an overview of the countermeasure selection process between two nodes in step S210. As shown in the figure, there may be a plurality of possible measures between each two nodes in the security event transition model extracted specifically for the diagnosis target system. Therefore, in the countermeasure selection process between nodes in step S210, safety-oriented, cost-oriented, and effect-oriented conditions are selected from among a plurality of countermeasure candidates for each of the two nodes constituting the security event transition model of the diagnosis target system. Select one measure that was appropriate.

  With reference to FIG. 17, a description will be given of a countermeasure selection process between two nodes in the case of cost emphasis in S <b> 210. For each threat indicated by the countermeasure extraction result data shown in FIG. 14, the countermeasure selection unit 15 reads information on the introduction cost and operation cost of each countermeasure associated with the threat, and calculates the total cost using a predetermined calculation formula. calculate. Here, (total cost) = (introduction cost) + (operation cost) × (year of use) is used. The years of use are stored in association with each countermeasure in the security threat-countermeasure data storage unit 21 corresponding to each countermeasure, or five years or the like is used for countermeasures for which the years of use are not registered. A predetermined number of years of use may be used, or a predetermined number of years may be used for all countermeasures. The measure selection unit 15 selects the measure with the lowest total cost for each threat.

  For example, the threat with threat ID = T-002 shown in FIG. 17 has four countermeasures with countermeasure ID = C-031, C-041, C-069, and C-078, and the number of years of use is five years. To do. In this case, for the countermeasure of countermeasure ID = C-031, (introduction cost) 500 to 1,000,000 yen and (operation cost) 0 to 100,000 yen × 5 years are totaled, and (total cost) 50 to 150 Calculated as 10,000 yen. Regarding the countermeasure of countermeasure ID = C-041, (introduction cost) 1 to 5 million yen and (operation cost) 1 to 5 million yen × 5 years are totaled, and (total cost) 600 to 30 million yen calculate. Similarly, the countermeasure ID = C-069 is calculated as (total cost) 500 to 1,500,000 yen, and the countermeasure ID = C-078 is calculated as (total cost) 1050 to 12.5 million yen. Therefore, the countermeasure with countermeasure ID = C-031, C-069 having the lowest total cost is selected.

  Next, with reference to FIG. 18, the countermeasure selection process between two nodes in the case of emphasizing safety in S210 will be described. Here, a countermeasure with the highest safety is selected from a plurality of countermeasures against a single threat. The countermeasure selection unit 15 calculates the frequency after the countermeasure and the improvement amount of the attack success probability for each countermeasure associated with the threat for each threat indicated by the countermeasure extraction result data shown in FIG. A comprehensive evaluation value is calculated by a predetermined calculation formula. Here, (total evaluation value) = 1 ^ (frequency improvement amount) + 3 ^ (attack success probability improvement amount) is used. “^” Indicates a power. The measure selection unit 15 selects the measure having the highest overall evaluation for each threat.

  For example, for the threat with threat ID = T-005 shown in FIG. 18, there are three countermeasures with countermeasure IDs = C-041, C-038, and C-078. The threat risk is the threat frequency “5” and the attack success probability “4”, and the countermeasure of C-038 is the attack frequency “5” and the attack success probability “1” after the countermeasure. Therefore, (frequency improvement amount) = (threat frequency) 5− (attack frequency after countermeasures) 5 = 0, (attack success probability improvement quantity) = (threat attack success probability) 4− (attack success after countermeasures) Since (probability) 1 = 3, (total evaluation value) = 1 ^ (frequency improvement amount) 0 + 3 ^ (attack success probability improvement amount) 3 = 28. Therefore, the measure ID = C-038 of the measure having the highest comprehensive evaluation value is selected.

  With reference to FIG. 19, the two-node countermeasure selection process in S210 when the countermeasure effect is emphasized will be described. The measure selection unit 15 selects measures with a good balance between total cost and safety for each threat indicated by the measure extraction result data shown in FIG. The countermeasure selecting unit 15 calculates the total cost for each countermeasure associated with the threat for each threat indicated by the countermeasure extraction result data shown in FIG. 14 by the method shown in FIG. Then, the overall evaluation is calculated, and the cost required to improve a certain level of safety is calculated by (countermeasure effect value) = (total cost) / (total evaluation). For each threat, the countermeasure with the highest effect countermeasure value is selected.

  For example, for the threat with threat ID = T-005 shown in FIG. 19, there are three countermeasures with countermeasure ID = C-041, C-038, and C-078. With regard to the countermeasure with countermeasure ID = C-041, Countermeasure effect value) = (Total cost) 600 to 30 million yen / (Comprehensive evaluation) 10 = 60 to 3 million yen / Countermeasure, and for the measure with measure ID = C-038, (Countermeasure effect value) = (Total (Cost) 50 to 1,500,000 yen / (Comprehensive evaluation) 28 = 1.8 to 54,000 yen / Countermeasure, and for the countermeasure with countermeasure ID = C-078, (Countermeasure effect value) = (Total cost) 1050 ˜12.5 million yen ÷ (overall evaluation) 10 = 105 to 1.25 million yen / measure. Therefore, the countermeasure with the countermeasure ID = C-038 having the highest countermeasure effect value is selected.

  FIG. 20 shows an overview of the processing in step S230. In step S210, a measure that matches a selection condition is selected for a threat constituting a series of procedures from the start node to the damage occurrence node in the diagnosis target system. In this series of procedures, a countermeasure against any one or more threats is taken, so that the damage occurrence node can be prevented. Therefore, in step S230, among the threats constituting the procedure from the start node to the damage occurrence node, a minimum countermeasure (for example, countermeasure A), a combination of efficient countermeasures (measure A + countermeasure C), etc. Find and choose the best one.

  In order to take the minimum measures, for each procedure shown in FIG. 13, out of the threat countermeasures constituting the procedure, when cost is emphasized, the total cost calculated in FIG. 17 is the lowest, and when safety is emphasized Is the one with the highest overall safety evaluation value calculated in FIG. 18, and in the case of emphasis on the countermeasure effect, one having the highest countermeasure effect value calculated in FIG. 19 may be selected.

In order to take a combination of countermeasures with high efficiency, a certain effect can be obtained with the smallest combination among a plurality of countermeasures (four countermeasures A to D in FIG. 20) in one procedure. Select a combination of measures.
FIG. 21 is a diagram for explaining selection of a combination of measures with high efficiency. To select an efficient measure, focus on the lowest cost while ensuring a certain level of safety. That is, for a certain threat, the ideal countermeasure is to reduce the threat frequency to “1” and the attack success probability “1”, and is the best countermeasure. In the example illustrated in FIG. 21, (frequency improvement) = (threat frequency) 5- (attack frequency after countermeasure) 1 = 4, (attack success improvement amount) = ( (Threat attack success probability) 4− (attack success probability after countermeasure) 1 = 3, (total evaluation value) = 1 ^ (frequency improvement amount) 4 + 3 ^ (attack success probability improvement amount) 3 = 28 It becomes. Therefore, in FIG. 18, a comprehensive evaluation value when an ideal measure is taken for each threat constituting the procedure is calculated, and the highest value is the comprehensive evaluation value of the ideal measure in the procedure. Then, using the comprehensive evaluation values calculated for the measures that can be taken for each threat, out of the multiple combinations of countermeasures against the threats that make up the procedure, measures that exceed the criteria for the overall evaluation value of the ideal countermeasures. Select a combination. In the example shown in FIG. 21, there is already one countermeasure with the same comprehensive evaluation value as the comprehensive evaluation value of the ideal countermeasure, so that countermeasure is selected. On the other hand, if there is no countermeasure with the same overall evaluation value as the ideal countermeasure, a combination of countermeasures exceeding the overall evaluation value of the ideal countermeasure from the threat countermeasures that make up the currently focused procedure Is selected. Next, when there are a plurality of combinations, the one with the lowest total cost is selected from the combinations.

Next, an overall optimization algorithm that is executed as a processing procedure for selecting and prioritizing measures in step S140 described above will be described.
FIG. 22 shows a processing flow using an overall optimization algorithm in the case of cost emphasis.
First, the measure selection unit 15 selects measures sequentially from the measure extraction result data shown in FIG. 14, and calculates and stores the total cost for the selected measures in the same manner as the processing shown in FIG. 17 (step S300: NO, S310). As a result, a total cost calculation result list for each countermeasure, which is data indicating a list of total cost calculation results for each countermeasure, is generated and stored. When the measure selection unit 15 calculates the total cost for all measures included in the measure extraction result data (step S300: YES), the measure selecting unit 15 selects the measure with the lowest total cost from the list of total cost calculation results for each measure ( Step S320). This selected measure is defined as measure A. The measure selection unit 15 deletes measure A from the total cost calculation result list for each measure (step S330). The countermeasure selection unit 15 reads out a threat from the threat-countermeasure correspondence table in the security threat-countermeasure data storage unit 21 using the countermeasure ID of the countermeasure A as a key (step S340). Here, it is assumed that threat A has been read.

  If a plurality of threats A are found in step S340, the following is executed by paying attention to all the found threats in order (step S350). If the measure selection unit 15 determines that all the threats A have not been noticed yet, the measure selection unit 15 selects the threat A to be noticed, and the threat A exists in the procedure search result data (FIG. 13) generated in step S130. It is determined whether or not to perform (step S360). When there is a threat A currently focused on in the procedure search result data (step S360: YES), the countermeasure selection unit 15 adds and stores the threat A in the countermeasure list (step S370), and the threat A is included. The procedure to be deleted is deleted from the procedure search result data (step S380). Then, returning to step S350, the process is repeated, and if it is determined that the repeated process has been completed for all the extracted threats A (step S350: YES), is there still a procedure in the procedure search result data? Is determined (step S390). If the procedure remains (step S390: YES), the processing from step S320 is repeated again. If it is determined that there is no procedure remaining in the procedure search result data (step S390: NO), the process is terminated. The countermeasure selection unit 15 instructs the output unit 16 to output a countermeasure list.

FIG. 23 shows a processing flow using an overall optimization algorithm in the case of emphasizing safety.
First, the countermeasure selection unit 15 selects countermeasures in order from the countermeasure extraction result data shown in FIG. 14, and calculates and stores a comprehensive evaluation value for the selected countermeasures as in the process shown in FIG. 18 (step S400: NO). , S410). As a result, a comprehensive evaluation value calculation result list for each countermeasure, which is data indicating a list of comprehensive evaluation values for each countermeasure, is generated and stored. When the measure selection unit 15 calculates the comprehensive evaluation value for all the measures included in the measure extraction result data (step S400: YES), the measure having the largest comprehensive evaluation value is selected from the comprehensive evaluation value calculation result list for each measure. Select (step S420). This selected measure is defined as measure A. The measure selection unit 15 deletes measure A from the comprehensive evaluation value calculation result list for each measure (step S430).
Hereinafter, the processing from step S440 to S490 is the same as the processing from step S340 to S390 in FIG. That is, the countermeasure selection unit 15 reads the threat A corresponding to the countermeasure A from the threat-countermeasure correspondence table. When there are a plurality of read threats A, it is determined in order for all the threats A whether the threats A are present in the procedure search result data. If they exist, the threats A are added to the countermeasure list and the procedure A process of deleting from the search result data is executed. When all the procedures in the procedure search result data are deleted, the process is terminated and the output of the countermeasure list is instructed.

FIG. 24 shows a processing flow using an overall optimization algorithm in the case where effect countermeasures are emphasized.
First, the countermeasure selection unit 15 selects countermeasures in order from the countermeasure extraction result data shown in FIG. 14, and calculates and stores countermeasure effect values for the selected countermeasures as in the process shown in FIG. 19 (step S500: NO). , S510). As a result, a countermeasure effect value calculation result list for each countermeasure, which is data indicating a list of countermeasure effect values for each countermeasure, is generated and stored. When the measure selection unit 15 calculates measure effect values for all measures included in the measure extraction result data (step S500: YES), the measure with the smallest measure effect value is selected from the list of measure effect value calculation results for each measure. Select (step S520). This selected measure is defined as measure A. The measure selecting unit 15 deletes measure A from the measure effect value calculation result list for each measure (step S530).
Hereinafter, the processing from step S540 to S590 is the same as the processing from step S340 to S390 in FIG. That is, the countermeasure selection unit 15 reads the threat A corresponding to the countermeasure A from the threat-countermeasure correspondence table. When there are a plurality of read threats A, it is determined in order for all the threats A whether the threats A are present in the procedure search result data. If they exist, the threats A are added to the countermeasure list and the procedure A process of deleting from the search result data is executed. When all the procedures in the procedure search result data are deleted, the process is terminated and the output of the countermeasure list is instructed.

  According to the above-described embodiment, the information security measure determination support device 1 includes a threat list, a threat-asset correspondence table, a measure list, a threat-measure correspondence table based on a universal security event transition model that does not depend on the system. Therefore, by simply entering the attribute type of the diagnosis target system, it is possible to identify unauthorized access actions (threats) in the diagnosis target system, and to use each threat and countermeasure risk indicated by quantitative values. Accordingly, it is possible to present a list of security measures for the diagnosis target system that meet desired conditions such as cost-oriented, safety-oriented, and effect-oriented. When selecting measures that meet the conditions, you can select and optimize the measures for each procedure that can occur in the diagnosis target system, and which combination is the best measure for the measures of the entire system. Can be selected.

  Note that the information security measure determination support apparatus 1 described above has a computer system therein. The operation process of the information security measure determination support device 1, the receiving unit 11, the threat extracting unit 12, the procedure creating unit 13, the measure extracting unit 14, the measure selecting unit 15, and the output unit 16 is performed in the form of a program in the form of a computer. The program is stored in a readable recording medium, and the above-described processing is performed by the computer system reading and executing this program. The computer system here includes a CPU, various memories, an OS, and hardware such as peripheral devices.

Further, the “computer system” includes a homepage providing environment (or display environment) if a WWW system is used.
The “computer-readable recording medium” refers to a storage device such as a flexible medium, a magneto-optical disk, a portable medium such as a ROM and a CD-ROM, and a hard disk incorporated in a computer system. Furthermore, the “computer-readable recording medium” dynamically holds a program for a short time like a communication line when transmitting a program via a network such as the Internet or a communication line such as a telephone line. In this case, a volatile memory in a computer system serving as a server or a client in that case, and a program that holds a program for a certain period of time are also included. The program may be a program for realizing a part of the functions described above, and may be a program capable of realizing the functions described above in combination with a program already recorded in a computer system.

It is a figure which shows the outline | summary of the information security countermeasure determination assistance apparatus by one embodiment of this invention. It is a block diagram of the information security measure decision support device by the embodiment. It is a figure which shows the example of a security event transition model. It is a figure which shows the example of a threat list. It is a figure which shows the example of quantification of a risk. It is a figure which shows the relationship between a threat and an attribute. It is a figure which shows the example of a threat-countermeasure correspondence table. It is a figure which shows the example of a countermeasure list. It is a figure which shows the processing flow of an information security countermeasure determination support apparatus. It is a figure which shows the example of a check list. It is a figure which shows the example of a diagnostic object system. It is a figure which shows the example of threat extraction result data. It is a figure which shows the example of procedure search result data. It is a figure which shows the example of countermeasure extraction result data. It is a figure which shows the processing flow of a step type algorithm. It is a figure which shows the outline | summary of the countermeasure selection process between 2 nodes. It is a figure explaining the countermeasure selection process between 2 nodes in the case of cost emphasis. It is a figure explaining the countermeasure selection process between 2 nodes in the case of emphasizing safety. It is a figure explaining the countermeasure selection process between 2 nodes in case of countermeasure effect emphasis. It is a figure explaining the outline | summary of the countermeasure selection process in a procedure. It is a figure for demonstrating selection of the combination of a countermeasure with good efficiency. A processing flow using an overall optimization algorithm in the case of cost emphasis is shown. The processing flow using the whole optimization algorithm when safety is important is shown. A processing flow using an overall optimization algorithm when effect countermeasures are emphasized is shown.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 ... Information security measure decision support apparatus 11 ... Reception part 12 ... Threat extraction part (Threat extraction means)
13 ... Procedure creation unit (procedure creation means)
14 ... Countermeasure extraction unit (Countermeasure extraction means)
15 ... Measure selection unit (measure selection means, first selection means, second selection means)
16 ... Output unit 21 ... Security threat-countermeasure data storage unit (storage means)
22 ... Security threat model storage unit (storage means)

Claims (7)

Correspondence of threats and assets that indicate the correspondence between the threats that cause a change in state between each node from the node that shows the initial state to the node that has caused damage through the node in the elapsed state and the attribute of the asset Table and
A correspondence table of threats and countermeasures indicating possible countermeasures corresponding to each threat ;
A threat list indicating each node from a node indicating an initial state to a node in which a damage has occurred through a node in an elapsed state, and a threat that causes a change in state between the nodes;
Storage means for storing a countermeasure list indicating information on evaluation of each countermeasure ;
Upon receiving input of attribute information indicating the type of device constituting the diagnosis target system, the business type in the diagnosis target system, or the information type handled by the diagnosis target system, the attribute information input from the correspondence table of threats and assets is input. Threat extraction means for extracting corresponding threats;
Corresponding to the threat extracted by the threat extracting means, the countermeasure extracting means for reading the countermeasure from the correspondence table of the threat and the countermeasure and outputting the read countermeasure;
Threats that can occur up to the damage occurrence node based on the threats extracted by the threat extraction means and the information that represents the relationship between the threats and the nodes read from the threat list corresponding to the extracted threats Procedure creation means for creating procedure information indicating
Select and output a countermeasure corresponding to the selection condition based on the evaluation information of the countermeasure extracted by the countermeasure extracting means corresponding to the threat between the nodes constituting the procedure created by the procedure creating means. An information security measure determination support device comprising: measure selection means . The measure selection means is
Based on the information on the evaluation of the countermeasure extracted by the countermeasure extracting means corresponding to the threat between the nodes constituting the procedure created by the procedure creating means, the most effective in the selection condition between the nodes. A first selection means for selecting a measure;
For each of the procedures, a countermeasure candidate that is most effective in the selection condition is selected from the countermeasures selected by the first selection unit corresponding to the threat between the nodes constituting the procedure, and the procedure is performed. A second selection means as a countermeasure against
The information security measure determination support apparatus according to claim 1 , wherein The measure selecting means is
Until measures are selected for all procedures created by the procedure creation means,
Among the countermeasures that are read out by the countermeasure extracting means in response to the threat between the nodes constituting the procedure and are not selected as countermeasures for any of the procedures, the selection condition is most effective. Select a countermeasure,
The threat corresponding to the selected countermeasure is extracted from the correspondence table of the threat and the countermeasure, and for the procedure including the extracted threat, the selected countermeasure is the countermeasure of the procedure.
Repeat that,
The information security measure determination support apparatus according to claim 1 , wherein The information of the evaluation indicated by measures list, the information security determination assisting device according to any one of claims claims 1 to 3, characterized in that the cost information. The evaluation information shown in the countermeasure list is information on the effect after the countermeasure is implemented,
The threat list further includes risk information of each threat,
The countermeasure selecting means reads out risk information corresponding to the threat indicated by the procedure created by the procedure creating means from the threat list, and information on the effect of the countermeasure corresponding to the threat from the countermeasure list. Select the countermeasure that is most effective from the information on the risk of the read threat and the information on the risk of the read threat and the effect of the countermeasure corresponding to the threat.
That the information security determination assisting device according to any one of claims claims 1 to 3, characterized. Correspondence of threats and assets that indicate the correspondence between the threats that cause a change in state between each node from the node that shows the initial state to the node that has caused damage through the node in the elapsed state and the attribute of the asset Table and
A correspondence table of threats and countermeasures indicating possible countermeasures corresponding to each threat ;
A threat list indicating each node from a node indicating an initial state to a node in which a damage has occurred through a node in an elapsed state, and a threat that causes a change in state between the nodes;
An information security measure determination support method used in an information security measure determination support apparatus having a storage means for storing a measure list indicating information of evaluation of each measure ,
The information security measure determination support device
Upon receiving input of attribute information indicating the type of device constituting the diagnosis target system, the business type in the diagnosis target system, or the information type handled by the diagnosis target system, the attribute information input from the correspondence table of threats and assets is input. A threat extraction process to extract corresponding threats;
In response to the threat extracted in the threat extraction process, a countermeasure extraction process that reads out the countermeasure from the correspondence table of the threat and the countermeasure and outputs the read countermeasure;
Threats that can occur up to the damage occurrence node based on the threats extracted in the threat extraction process and the information indicating the relationship between the threats and nodes read from the threat list corresponding to the extracted threats A procedure creation process for creating procedure information indicating
Select and output a countermeasure corresponding to the selection condition based on the evaluation information of the countermeasure extracted in the countermeasure extracting process corresponding to the threat between the nodes constituting the procedure created in the procedure creating process. An information security measure decision support method comprising: a measure selection process . A computer used as an information security measure decision support device,
Correspondence of threats and assets that indicate the correspondence between the threats that cause a change in state between each node from the node that shows the initial state to the node that has caused damage through the node in the elapsed state and the attribute of the asset Table and
A correspondence table of threats and countermeasures indicating possible countermeasures corresponding to each threat ;
A threat list indicating each node from a node indicating an initial state to a node in which a damage has occurred through a node in an elapsed state, and a threat that causes a change in state between the nodes;
Storage means for storing a countermeasure list indicating information of evaluation of each countermeasure ;
Upon receiving input of attribute information indicating the type of device constituting the diagnosis target system, the business type in the diagnosis target system, or the information type handled by the diagnosis target system, the attribute information input from the correspondence table of threats and assets is input. Threat extraction means for extracting corresponding threats,
In response to the threat extracted by the threat extraction means, a countermeasure extraction means for reading out the countermeasure from the correspondence table of the threat and countermeasure, and outputting the read countermeasure,
Threats that can occur up to the damage occurrence node based on the threats extracted by the threat extraction means and the information that represents the relationship between the threats and the nodes read from the threat list corresponding to the extracted threats Procedure creation means for creating procedure information indicating
Select and output a countermeasure corresponding to the selection condition based on the evaluation information of the countermeasure extracted by the countermeasure extracting means corresponding to the threat between the nodes constituting the procedure created by the procedure creating means. A computer program which functions as a measure selection means .

Images