JP5366864B2 - Security countermeasure standard creation support system and program, and security countermeasure standard creation support method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To support creation of an effective security countermeasure standard based on the way of thinking of multiple protection and risk control. <P>SOLUTION: An element selection unit 122 extracts from a selection criterion table 122 an order of element (first and second in order closer to an origin of threat occurrence in a route of threat) corresponding to a specific selection criterion (for example, a selection criterion when a risk of the threat is "large"). Then, the element selection unit 122 selects from a protection model table 111 an element (for example, a network and a server) corresponding to a specific threat (for example, virus infection) in which order in the route of the threat coincides with the extracted order. A security management countermeasure selection unit 123 selects from a security management countermeasure-protection model corresponding table 113 a security management countermeasure (for example, installation of a virus countermeasure gateway and introduction of a virus countermeasure software) corresponding to a combination of the threat and the selected element. <P>COPYRIGHT: (C)2011,JPO&amp;INPIT

Description

  The present invention relates to a security countermeasure standard creation support system and program, and a security countermeasure standard creation support method.

  Expert knowledge is required to comprehensively identify security measures in the organization, select appropriate measures that meet the organization's security policy and security requirements, and create standards.

  Several methods and systems for comprehensively analyzing information security risks and presenting countermeasures thereof without requiring specialized knowledge have been proposed (see, for example, Patent Documents 1 to 4).

  In the method proposed in Patent Document 1, an information security risk is analyzed using a security event transition model that models an unauthorized access procedure until damage caused by a security threat occurs. The security event transition model expresses the progress from a state where nothing has occurred to a state where damage has occurred as a transition of a state node due to an unauthorized access action, and defines an unauthorized access action as a threat. Extracts threats that exist in the system from information on the target system components, business type, information type, etc., and further extracts countermeasures from the correspondence table of threats and countermeasures, focusing on cost, safety, effect, threshold method The optimum combination of measures is selected based on the designated measure selection conditions such as.

JP 2009-110177 A JP 2006-350708 A JP 2005-234840 A JP 2004-259197 A

  In the conventional methods as described above, the combination of countermeasures is determined based on the cost required for the countermeasures and the improvement in the attack success probability due to the countermeasures, and as a result, to specific parts of system components such as networks and servers. There is a problem that the risk when the countermeasure of that part is broken cannot be considered.

  In addition, because physical elements such as system components are not considered, even if you try to strengthen countermeasures in response to incident response or changes in security requirements, it is important to consider multiple defenses when considering security countermeasures. There was a problem that effective countermeasures could not be implemented.

  An object of the present invention is to support the creation of effective security measure standards based on, for example, the concept of multiple defenses and risk control.

A security countermeasure standard creation support system according to one aspect of the present invention includes:
For each of multiple security management measures that are measures to protect information assets from multiple threats, there are multiple threats that are addressed by the security control measures and multiple routes that configure the route to the information assets. Among the elements, a security control information storage unit that stores security control information that defines an element to be subjected to the security control in a storage device;
For each of the plurality of threats, a threat information storage unit that stores, in a storage device, threat information that defines a plurality of elements constituting a threat path and an order in which the plurality of elements configure the threat path When,
Among the multiple elements that make up the threat path, for each of the multiple selection criteria that are the criteria for selecting the elements to be subject to security control measures, the elements selected by the selection criteria are A selection criterion information storage unit for storing selection criterion information to be specified in the rank of the element in the route in a storage device;
An input unit for accepting an operation for identifying a threat and a selection criterion by an input device;
The rank of the element corresponding to the selection criterion specified by the operation to the input unit is extracted from the selection criterion information stored in the selection criterion information storage unit by the processing device, and the threat stored in the threat information storage unit An element selection unit that selects, from the information, an element corresponding to a threat identified by an operation to the input unit, and a rank in the path of the threat matches the extracted rank by a processing device;
Processing device for security management corresponding to a combination of a threat specified by an operation to the input unit and an element selected by the element selection unit from the security management information stored in the security management information storage unit And a security management policy selection unit selected by

The selection criterion information defines a risk level obtained by grading the magnitude of the threat risk for each of the plurality of selection criteria, and the occurrence of a threat in the threat path as an element selected by the selection criterion. It is information that specifies the number of elements according to the height of the defined risk level in order from the source,
The input unit accepts input of information indicating a risk level of a threat by an input device as an operation for specifying a selection criterion,
The element selection unit specifies a selection criterion corresponding to the risk level indicated by the information input to the input unit from the selection criterion information stored in the selection criterion information storage unit, and stores the selection criterion information storage The processing device extracts the order of elements corresponding to the specified selection criterion from the selection criterion information stored in the section.

The selection criterion information defines a risk level obtained by grading the magnitude of the risk of an internal threat for each of the plurality of selection criteria, and an internal threat in the threat path as an element selected by the selection criterion. This is information that specifies the number of elements according to the defined risk level in order from the element corresponding to the source of
The input unit receives an operation for specifying an internal threat as an operation for specifying a threat, and receives an input of information indicating a risk level of the internal threat by an input device as an operation for specifying a selection criterion.
The element selection unit specifies a selection criterion corresponding to the risk level indicated by the information input to the input unit from the selection criterion information stored in the selection criterion information storage unit, and stores the selection criterion information storage The rank of the element corresponding to the specified selection criterion is extracted from the selection criterion information stored in the processing unit by the processing device, and specified by the operation to the input unit from the threat information stored in the threat information storage unit The processing apparatus selects an element corresponding to an internal threat, the order of which the rank in the path of the internal threat matches the extracted rank.

The threat information is information that further defines information assets exposed to the threat for each of the plurality of threats,
The selection criteria information defines, for each of the plurality of selection criteria, a damage level obtained by grading the magnitude of damage of information assets due to threats, and as an element selected by the selection criteria, a threat path It is information that specifies the number of elements according to the height of the defined damage level in order from the element corresponding to the information asset,
The input unit further accepts an operation for identifying information assets by the input device, and accepts an input of information indicating the damage level of the information assets by the input device as an operation for identifying selection criteria.
The element selection unit specifies a selection criterion corresponding to the damage level indicated by the information input to the input unit from the selection criterion information stored in the selection criterion information storage unit, and stores the selection criterion information storage The rank of the element corresponding to the specified selection criterion is extracted from the selection criterion information stored in the processing unit by the processing device, and specified by the operation to the input unit from the threat information stored in the threat information storage unit An element corresponding to a combination of an information asset and a threat identified by an operation on the input unit, the element having a rank in the path of the threat that matches the extracted rank is selected by the processing device, To do.

The selection criterion information is information that defines an implementation criterion that is a criterion of a security control measure to be further implemented for each of the plurality of selection criteria.
The input unit further accepts an operation for selecting an arbitrary security control measure from the security control measure selected by the security control measure selection unit by the input device,
The security countermeasure standard creation support system further includes:
From the selection criterion information stored in the selection criterion information storage unit, an execution criterion corresponding to the selection criterion specified by the operation to the input unit is extracted by a processing device, and the input is performed for each combination of threat and element. A security control determination unit that determines whether or not the security control selected by the operation to the unit satisfies the extracted implementation standard by the processing device;
Among the items indicating the plurality of threats and the items indicating the plurality of elements, one item is arranged on the vertical axis, the other item is arranged on the horizontal axis, and each column specified by the vertical axis and the horizontal axis An output unit that outputs an overall map that displays a result determined by the security control determination unit for a security control corresponding to a combination of threats and elements indicated by the vertical and horizontal axes. It is characterized by providing.

The input unit further accepts an operation for specifying, as a candidate criterion, a selection criterion as a candidate for change by an input device,
The security control measure determination unit extracts, from a selection criterion information stored in the selection criterion information storage unit, an execution criterion corresponding to a candidate criterion specified by an operation to the input unit by a processing device, and a threat and an element For each combination, the processing device determines whether or not the security management policy selected by the operation on the input unit satisfies the extracted execution standard.

  The plurality of elements include, as elements, information assets, and at least one of information asset users, information asset managers, networks, facilities, and organizations.

A program according to one aspect of the present invention is:
For each of multiple security management measures that are measures to protect information assets from multiple threats, there are multiple threats that are addressed by the security control measures and multiple routes that configure the route to the information assets. Among the elements, security control information that defines the elements for which the security control is to be implemented, and
For each of the plurality of threats, threat information defining a plurality of elements constituting a threat path, and an order in which the plurality of elements configure the threat path;
Among the multiple elements that make up the threat path, for each of the multiple selection criteria that are the criteria for selecting the elements to be subject to security control measures, the elements selected by the selection criteria are A program that accesses a database that stores in a storage device selection criteria information that is designated by the rank of the element in the route,
An input process for accepting an operation for identifying a threat and selection criteria by an input device;
From the selection criterion information stored in the database, the rank of the element corresponding to the selection criterion specified by the operation to the input processing is extracted by the processing device, and from the threat information stored in the database to the input processing An element selection process for selecting an element corresponding to the threat identified by the operation in which the rank in the path of the threat matches the extracted rank by the processing device;
Security management for selecting a security management policy corresponding to a combination of a threat identified by an operation to the input process and an element selected in the element selection process from a security management information stored in the database by a processing device It is characterized by causing a computer to execute a measure selection process.

The selection criterion information is information that defines an implementation criterion that is a criterion of a security control measure to be further implemented for each of the plurality of selection criteria.
The input process is further accepted by the input device to select an arbitrary security control from the security control selected in the security control selection process,
The program further includes:
An execution criterion corresponding to the selection criterion specified by the operation to the input process is extracted from the selection criterion information stored in the database by the processing device, and the operation to the input process is performed for each combination of threat and element. A security control determination process for determining by the processing device whether the security control selected in (1) satisfies the extracted implementation standard;
Among the items indicating the plurality of threats and the items indicating the plurality of elements, one item is arranged on the vertical axis, the other item is arranged on the horizontal axis, and each column specified by the vertical axis and the horizontal axis Output processing for outputting an entire map that displays the result determined in the security control determination processing for the security control corresponding to the combination of the threat and the element indicated on the vertical axis and the horizontal axis by the output device. The computer is executed.

The input process further accepts an operation for specifying a selection criterion as a candidate for change as a candidate criterion by an input device,
The security control determination process extracts, from the selection criterion information stored in the database, an execution criterion corresponding to the candidate criterion specified by the operation to the input processing by a processing device, and for each combination of threat and element In addition, the processing device determines whether or not the security management measure selected by the operation for the input processing satisfies the extracted execution standard.

A security countermeasure standard creation support method according to an aspect of the present invention includes:
For each of multiple security management measures that are measures to protect information assets from multiple threats, there are multiple threats that are addressed by the security control measures and multiple routes that configure the route to the information assets. Among the elements, security control information that defines the elements for which the security control is to be implemented, and
For each of the plurality of threats, threat information defining a plurality of elements constituting a threat path, and an order in which the plurality of elements configure the threat path;
Among the multiple elements that make up the threat path, for each of the multiple selection criteria that are the criteria for selecting the elements to be subject to security control measures, the elements selected by the selection criteria are Security measure standard creation support using a database that stores in a storage device selection criteria information that is designated by the rank of the element in the route,
The computer accepts an operation to identify threats and selection criteria through an input device,
The computer extracts, from the selection criterion information stored in the database, the rank of elements corresponding to the selection criterion specified by the operation, and is specified by the operation from the threat information stored in the database. The processing device selects an element corresponding to the threat that has the same rank in the path of the threat as the extracted rank,
The computer selects, from the security management information stored in the database, a security management policy corresponding to the combination of the threat identified by the operation and the selected element by the processing device.

The selection criterion information is information that defines an implementation criterion that is a criterion of a security control measure to be further implemented for each of the plurality of selection criteria.
The computer further accepts an operation for selecting an arbitrary security control from the selected security control by the input device,
The computer extracts from the selection criteria information stored in the database the implementation criteria corresponding to the selection criteria specified by the operation by the processing device, and the security selected by the operation for each combination of threat and element. The processing device determines whether or not the management policy satisfies the extracted implementation standard,
Among the items indicating the plurality of threats and the items indicating the plurality of elements, the computer arranges one item on the vertical axis and the other item on the horizontal axis, and is identified by the vertical axis and the horizontal axis. For each column, the output device outputs an entire map that displays a result of determination regarding the security management measures corresponding to the combinations of threats and elements indicated by the vertical and horizontal axes.

The computer further accepts an operation for specifying a selection criterion as a candidate for change as a candidate criterion by the input device,
The computer extracts, from the selection criterion information stored in the database, an execution criterion corresponding to the candidate criterion specified by the operation, and the security selected by the operation for each combination of threat and element. Whether the management policy satisfies the extracted implementation standard is determined by the processing device.

  In one aspect of the present invention, the security countermeasure standard creation support system uses the selection standard information to identify elements corresponding to a specific selection standard (for example, a selection standard when the magnitude of threat risk is “large”). The ranks (for example, the first and second in the order closest to the threat source in the threat path) are extracted. The security measure standard creation support system is an element corresponding to a specific threat (for example, virus infection) based on threat information, and an element (for example, a network and a server) whose rank in the path of the threat matches the extracted rank. ) Is selected. Then, the security measure standard creation support system selects a security control measure (for example, installation of anti-virus gateway or introduction of anti-virus software) corresponding to the combination of the threat and the selected element from the security control measure information. . In this way, according to one aspect of the present invention, it is possible to support the creation of effective security countermeasure standards based on the concept of multiple defenses and risk control.

1 is a block diagram illustrating a configuration of a security countermeasure standard creation support system according to Embodiment 1. FIG. It is a figure which shows the example of the defense model which concerns on Embodiment 1. FIG. It is a figure which shows the example of the defense model which concerns on Embodiment 1. FIG. 2 is a diagram illustrating an example of a hardware configuration of a security countermeasure standard creation support system according to Embodiment 1. FIG. It is a figure which shows the example of the defense model table which concerns on Embodiment 1. FIG. It is a figure which shows the example of the selection criteria table which concerns on Embodiment 1. FIG. It is a figure which shows the example of the security management policy-defense model corresponding | compatible table which concerns on Embodiment 1. FIG. It is a figure which shows the example of the security management policy-defense model corresponding | compatible table which concerns on Embodiment 1. FIG. 5 is a flowchart showing the operation of the security countermeasure standard creation support system according to the first embodiment. 5 is a flowchart showing the operation of the security countermeasure standard creation support system according to the first embodiment. It is a figure which shows the example of the defense model selection screen which concerns on Embodiment 1. FIG. 5 is a flowchart showing the operation of the security countermeasure standard creation support system according to the first embodiment. It is a figure which shows the example of the defense domain selection screen which concerns on Embodiment 1. FIG. It is a figure which shows the example of the defense domain selection screen which concerns on Embodiment 1. FIG. 6 is a diagram showing an example of a security management list screen according to the first embodiment. FIG. 6 is a diagram illustrating an example of a security management measure current state input screen according to Embodiment 1. FIG. It is a figure which shows the example of the whole security management policy map which concerns on Embodiment 1. FIG. 6 is a diagram illustrating an example of a security management measure selection screen according to Embodiment 1. FIG. FIG. 6 is a block diagram showing a configuration of a security countermeasure standard creation support system according to Embodiment 2. 10 is a flowchart showing the operation of the security countermeasure standard creation support system according to the second embodiment. 10 is a flowchart showing the operation of the security countermeasure standard creation support system according to the second embodiment. 10 is a flowchart showing the operation of the security countermeasure standard creation support system according to the second embodiment. FIG. 10 is a block diagram illustrating a configuration of a security countermeasure standard creation support system according to a third embodiment. 12 is a flowchart showing the operation of the security countermeasure standard creation support system according to the third embodiment.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

Embodiment 1 FIG.
FIG. 1 is a block diagram showing a configuration of a security countermeasure standard creation support system 100 according to the present embodiment.

  The security countermeasure standard creation support system 100 is a system that supports the creation of comprehensive and valid security countermeasure standards in an organization.

  When creating organizational security measures standards, security management measures are selected and determined from a collection of security management measures such as ISO / IEC27002 based on organizational security requirements, but the selection criteria are not shown. , Specialized knowledge is required. In addition, it is not clear whether the prepared security measure standards are comprehensive and appropriate for the organization. Security management measures (also simply referred to as “control measures” or “measures”) are measures to protect information assets (also simply referred to as “assets”) from threats (also referred to as “security threats”). .

  Countermeasures against security threats such as virus infections and information leaks differ depending on the threat attack pattern (also referred to as “attack method”). In the present embodiment, by selecting an attack pattern assumed in the organization, a defense model against the attack pattern is selected. A defensive model is a model that represents in which domain (the place where countermeasures are taken) to protect information assets from an attack of an assumed threat. An example of a defense model is shown in FIG.

  The defense model 1 shown in FIG. 2 represents protection against a virus infection attack pattern 1 by the defense domains of the network, the server, and the terminal. Threat sources (sources of threats called virus infection) are external, and such threat sources are called external threats. Depending on the security requirements of the organization, it is not necessary to implement countermeasures in all defense domains. For example, countermeasures may be implemented only in the most important “assets to be protected” domain (in this example, servers and terminals). . Alternatively, in order to increase the strength of security measures, it is also possible to implement measures in the domain (in this example, the network) that corresponds to the “threat entrance” based on the concept of multiple defenses.

  Another example of the defense model is shown in FIG.

  The defense model 2 shown in FIG. 3 represents that the defense pattern of the network, the server, and the terminal is protected against the virus infection attack pattern 2 as in the defense model 1. Threat sources are internal servers and terminals, and such threat sources are called internal threats. As described above, depending on the security requirements of the organization, it is not necessary to implement countermeasures in all defense domains. For example, countermeasures may be implemented only in domains with internal threats (in this example, servers and terminals). . Alternatively, in order to increase the strength of security measures, it is possible to implement measures even in a domain (in this example, a network) that corresponds to “threat mediation” based on the concept of multiple defenses.

  The defense model 3 shown in FIG. 3 represents protection against a virus infection attack pattern 3 by an administrator (server, terminal), a user (terminal) and a server, and a defense domain of the terminal. . Like the defense model 1, the threat source is an external threat. As described above, it is conceivable to implement countermeasures in all the defense domains, or to implement countermeasures only in some of the defense domains.

  In this way, the comprehensiveness of the security countermeasure standards is ensured by examining all possible attack patterns of security threats, and countermeasures are required from the defense domains (countermeasure points and defensible elements) defined in the defense model. By selecting a valid domain, it is possible to create a reasonable security measure standard that is more suitable for the organization.

  In FIG. 1, the security measure standard creation support system 100 includes a database 110, an input unit 121, an element selection unit 122, a security control measure selection unit 123, a security control measure determination unit 124, an output unit 125, and a security measure standard storage unit 126. Prepare. In addition to the storage device such as the memory 130 and the HDD 140 (Hard / Disk / Drive), the security countermeasure standard creation support system 100 includes hardware such as a processing device (not shown), an input device, and an output device. The hardware is used by each part of the security countermeasure standard creation support system 100. For example, the processing device is used to perform calculation, processing, reading, writing, and the like of data and information in each unit of the security countermeasure standard creation support system 100. The storage device is used to store the data and information. The input device is used for inputting the data and information, and the output device is used for outputting the data and information.

  The database 110 includes a defense model table 111 (an example of a threat information storage unit), a selection criterion table 112 (an example of a selection criterion information storage unit), and a security management policy-defense model correspondence table 113 (an example of a security management policy information storage unit). Have Note that the defense model table 111, the selection criterion table 112, and the security control / defense model correspondence table 113 may each be implemented by one table, or may be normalized and implemented by a plurality of tables.

  The defense model table 111 is a table that stores an attack pattern of a security threat and a defense model indicating which part of the system or business component can be defended in response to the attack. In the defense model table 111, for example, a record storing the defense model 1 shown in FIG. 2 records that it is possible to defend against a virus infection attack pattern 1 in the defense domain of the network, server, and terminal. Is done. New attack patterns and defense models can be added to the defense model table 111 to reflect changes in security threats, changes in organizational security policies, and the like.

  The selection criteria table 112 includes criteria for defining risks and the like for the attack patterns of security threats, criteria for determining a defense domain for which measures should be taken according to the magnitude of the risk, and the defense domains. It is a table that defines the criteria for judging whether or not the selected control measures are sufficient. In the selection criteria table 112, for example, how to determine that the risk is “large” in the record storing the criteria when the risk of the attack pattern of the security threat is “large”, and what kind of defense It records whether countermeasures should be implemented for the domain and what controls should be implemented.

  The security management measure-defense model correspondence table 113 is a table storing security management measures to be implemented for each defense domain (defensible system or business component) defined in the defense model table 111. . In the security management measure-defense model correspondence table 113, for example, the specific contents of the corresponding security management measure are recorded in a record in which measures for protecting information assets from the virus infection are stored in the network. A new security management policy can be added to the security management policy-defense model correspondence table 113 in order to reflect changes in security threats, revisions to industry standards and standards, and the like.

  The input unit 121 receives operations such as information input and selection from the user by the input device. The output unit 125 outputs information to the user using an output device.

  The element selection unit 122 has a defense model selection function and a defense domain selection function. Each function will be described below.

  Defense model selection function: The element selection unit 122 reads out an assumed attack pattern against a certain security threat from the defense model table 111 and displays it on the output unit 125. The user inputs the risk for the attack pattern assumed in the organization through the input unit 121. The element selection unit 122 automatically determines an attack pattern to be dealt with according to the magnitude of the input risk, and causes the output unit 125 to display a defense model corresponding to the selected attack pattern. The user looks at the display of the selected defense model, and finally selects the defense model with the input unit 121. In addition, the selection operation by the user may be omitted, and the element selection unit 122 may only select the defense model automatically. The element selection unit 122 stores defense model selection information 131 indicating the finally selected defense model in the memory 130.

  Defense domain selection function: The element selection unit 122 reads a plurality of defense domains defined for each defense model selected by the defense model selection function from the defense model table 111 and displays them on the output unit 125. The user uses the input unit 121 to select a defense domain on which security management measures should be implemented. At this time, the element selection unit 122 automatically determines a defense domain with a high priority according to the magnitude of the risk input by the defense model selection function, and displays the selected defense domain on the output unit 125. The user looks at the display of the selected defense domain, and finally selects the defense domain using the input unit 121. Note that the selection operation by the user may be omitted, and the element selection unit 122 may simply select the defense domain automatically. The element selection unit 122 stores defense domain selection information 132 indicating the finally selected defense domain in the memory 130.

  The security management policy selection unit 123 has a security management policy display function, a security management policy selection function, and a current security management policy input function. Each function will be described below.

  Security control measure display function: The security control measure selection unit 123 reads out a security control measure associated with the defense domain selected by the defense domain selection function from the security control measure-defense model correspondence table 113, and displays it as a candidate list. Displayed by the output unit 125. At this time, the security management measure selection unit 123 may display a candidate list for each security threat or defense model.

  Security control measure selection function: The user selects a control measure to be executed from the security control measure candidates displayed by the security control display function. The security management policy selection unit 123 stores management policy selection information 133 indicating the selected security management policy in the memory 130.

  Current security control measure input function: The user inputs, using the input unit 121, whether or not these security measures are currently being implemented for the security control measures read by the security control display function. The security management policy selection unit 123 stores the current management policy information 134 indicating the input security management policy in the memory 130.

  The security management policy determination unit 124 has a security management policy determination function. Hereinafter, this function will be described.

  Security control measure determination function: The security control measure determination unit 124 determines, based on the control measure selection information 133, whether the control measure selected by the user with the security control measure selection function is sufficient according to the selection criteria table 112. The output unit 125 displays the attack pattern of the threat and a map with the defense domain as an axis. The security control measure determination unit 124 displays which defense domain is selected on this map and which defense domain is sufficient or insufficient in the defense domain. Similarly, the security management policy determination unit 124 determines whether the management policy input by the user using the current security management policy input function is sufficient based on the current management policy information 134 according to the selection criterion table 112. The output unit 125 displays the attack pattern of the threat and a map with the defense domain as an axis. This makes it possible to clarify attack patterns and defense models that are insufficient with the current management measures.

  The security countermeasure standard storage unit 126 stores the defense model selection information 131, the defense domain selection information 132, the management policy selection information 133, and the current management policy information 134 stored in the memory 130 as security countermeasure standard information 141 in the HDD 140. The security countermeasure standard storage unit 126 reads the security countermeasure standard information 141 from the HDD 140 when a request is input by the input unit 121 from the user. Then, the security measure standard storage unit 126 provides the element selection unit 122, the security control measure selection unit 123, and the security control measure determination unit 124 with information necessary for each of the above functions (defense model selection information 131, defense domain selection information 132, Management policy selection information 133 and current management policy information 134) are passed.

  In this embodiment, each of the above functions allows you to input a risk against an attack pattern and select a countermeasure pattern to display candidate countermeasures. Become. Also, by examining all the risks of the defined attack patterns, it is possible to ensure the completeness of security countermeasure standards. Furthermore, since a defense domain can be selected according to the risk and sufficient management measures can be selected, it is possible to create an appropriate security measure standard according to the security requirements of the organization.

  Also, in this embodiment, the current security control input function is used to input the current countermeasure implementation status and indicate the defense model (attack pattern and defense domain) for which countermeasures are insufficient. Select security controls.

  FIG. 4 is a diagram illustrating an example of a hardware configuration of the security measure standard creation support system 100.

  In FIG. 4, the security countermeasure standard creation support system 100 is a computer, and includes an LCD 901 (Liquid / Crystal / Display), a keyboard 902 (K / B), a mouse 903, an FDD 904 (Flexible Disk / Drive), and a CDD 905 (Compact / Drive). (Disc Drive) and a printer 906 are provided. These hardware devices are connected by cables and signal lines. Instead of the LCD 901, a CRT (Cathode / Ray / Tube) or other display device may be used. Instead of the mouse 903, a touch panel, a touch pad, a trackball, a pen tablet, or other pointing devices may be used.

  The security measure standard creation support system 100 includes a CPU 911 (Central Processing Unit) that executes a program. The CPU 911 is an example of a processing device. The CPU 911 is connected to the ROM 913 (Read / Only / Memory), the RAM 914 (Random / Access / Memory), the communication board 915, the LCD 901, the keyboard 902, the mouse 903, the FDD 904, the CDD 905, the printer 906, and the HDD 140 via the bus 912. Control these hardware devices. Instead of the HDD 140, a flash memory, an optical disk device, a memory card reader / writer, or other storage medium may be used.

  The RAM 914 is an example of a volatile memory and corresponds to the memory 130. ROM913, FDD904, CDD905, and HDD140 are examples of a non-volatile memory. These are examples of the storage device. The communication board 915, the keyboard 902, the mouse 903, the FDD 904, and the CDD 905 are examples of input devices. The communication board 915, the LCD 901, and the printer 906 are examples of output devices.

  The communication board 915 is connected to a LAN (Local / Area / Network) or the like. The communication board 915 is not limited to a LAN, but is an IP-VPN (Internet, Protocol, Private, Network), a wide area LAN, an ATM (Asynchronous / Transfer / Mode) network, a WAN (Wide / Area / Network), or the Internet. It does not matter if it is connected to. LAN, WAN, and the Internet are examples of networks.

  The HDD 140 stores an operating system 921 (OS), a window system 922, a program group 923, and a file group 924. The programs in the program group 923 are executed by the CPU 911, the operating system 921, and the window system 922. The program group 923 includes programs for executing functions described as “˜unit” and “˜function” in the description of the present embodiment. The program is read and executed by the CPU 911. The file group 924 includes data, information, and signal values described as “˜data”, “˜information”, “˜ID (identifier)”, “˜flag”, and “˜result” in the description of this embodiment. And variable values and parameters are included as items of “˜file”, “˜database”, and “˜table”. The “˜file”, “˜database”, and “˜table” are stored in a storage medium such as the RAM 914 or the HDD 140. Data, information, signal values, variable values, and parameters stored in a storage medium such as the RAM 914 and the HDD 140 are read out to the main memory and the cache memory by the CPU 911 via a read / write circuit, and extracted, searched, referenced, compared, and calculated. It is used for processing (operation) of the CPU 911 such as calculation, control, output, printing, and display. During the processing of the CPU 911 such as extraction, search, reference, comparison, calculation, calculation, control, output, printing, and display, data, information, signal values, variable values, and parameters are temporarily stored in the main memory, cache memory, and buffer memory. Remembered.

  The arrows in the block diagrams and flowcharts used in the description of this embodiment mainly indicate input / output of data and signals. Data and signals are recorded on a memory such as RAM 914, FDD904 flexible disk (FD), CDD905 compact disk (CD), HDD140 magnetic disk, optical disk, DVD (Digital Versatile Disc), or other recording media. Is done. Data and signals are transmitted by a bus 912, a signal line, a cable, or other transmission media.

  In the description of the present embodiment, what is described as “to part” and “to function” may be “to circuit”, “to device”, and “to device”, and “to step” and “to device”. -"Step", "-Procedure", "-Process" may be used. That is, what is described as “˜unit” and “˜function” may be realized by firmware stored in the ROM 913. Alternatively, what is described as “to part” and “to function” may be realized only by software or only by hardware such as an element, a device, a board, and wiring. Alternatively, what is described as “˜unit” and “˜function” may be realized by a combination of software and hardware, or a combination of software, hardware and firmware. Firmware and software are stored as programs in a recording medium such as a flexible disk, a compact disk, a magnetic disk, an optical disk, and a DVD. The program is read by the CPU 911 and executed by the CPU 911. In other words, the program causes the computer to function as “˜unit” and “˜function” described in the description of the present embodiment. Alternatively, the program causes a computer to execute the procedures and methods of “˜unit” and “˜function” described in the description of the present embodiment.

  The security measure standard creation support system 100 may be realized by a plurality of computers connected so as to be able to communicate with each other, instead of a single computer.

  Hereinafter, the operation of the security countermeasure standard creation support system 100 (security countermeasure standard creation support method according to the present embodiment, program processing procedure according to the present embodiment) will be described by way of example.

  First, the defense model table 111 used in this example is shown in FIG.

  The defense model table 111 stores an attack pattern (threat, threat attack method) of a security threat against information assets (assets to be protected) and a defense model (defense model number, threat source, defense domain) corresponding to the attack. It is a table.

  Security threats include virus infection and information leakage, and a defense model is defined for each attack pattern of each threat. In the defense model, which part of the system or business component can protect the assets to be protected is defined as a defense domain. The defense domain has system and business components such as users, administrators, data, servers, terminals, networks, facilities, and organizations. Domains that can defend against threat attack patterns are assets that should be protected from threat sources. (Although assets are also one of the defense domains). In the defense model table 111, numerical values indicating the order (order in which the threat follows) are set in order from 1, 2, 3,... The defense domain with the largest number is the domain with assets.

  For example, the first and second records from the top of the defense model table 111 shown in FIG. 5 store data defining the defense model 1 against virus infection shown in FIG. Of these, the first record is the threat type “virus infection”, the defense model number “1”, the asset to be protected “server”, and the threat source “external threat” (“●”). And the specific contents of the threat attack method. In the first record, the “defensive domain” is “server” and “network”, and the threat follows in the order of “network” and “server” (the threat enters the network and reaches the server). Is shown. Data defining the defense model 2 against virus infection shown in FIG. 3 is stored in the third and fourth records from the top of the defense model table 111 shown in FIG. Of these, the third record is “Server” and “Terminal” where the threat type is “virus infection”, the defense model number is “2”, the asset to be protected is “server”, and the threat source is “internal threat” And the specific content of the threat attack method. In the third record, the “defense domain” is “server” and “network”, and the threats follow in the order of “network” and “server”. To be targeted).

  For example, data defining the defense model 1 against information leakage is stored in the eighth record from the top of the defense model table 111 shown in FIG. This eighth record shows that the threat type is “information leakage”, the defense model number is “1”, the asset to be protected is “data”, the threat source is “external threat”, and the threat attack method Specific contents are shown. In the 8th record, the “defense domain” is “data” and “equipment”, and the threat follows the order of “equipment” and “data” (the threat enters the equipment and reaches the data) Is shown. The ninth record from the top of the defense model table 111 shown in FIG. 5 stores data defining the defense model 2 against information leakage. This ninth record shows that the threat type is “information leak”, the defense model number is “2”, the asset to be protected is “data”, the threat source is “external threat”, and the threat attack method Specific contents are shown. In the ninth record, the “defense domain” is “data”, “server”, and “network”, and the threat follows in the order of “network”, “server”, and “data” (the threat enters the network). And reach the data via the server).

  Note that what is shown in FIG. 5 is a part of the defense model table 111, and the same definition is made for other types of threats other than virus infection and information leakage. Also, what is shown in FIG. 5 is an example of the defense model table 111, other definitions may be made, and other data structures may be adopted.

  As described above, the defense model table 111 includes a plurality of elements (in FIG. 5) that constitute a threat path for each of a plurality of threats (in FIG. 5, a combination of a threat type and a threat attack method). , A defense domain) and information defining the order in which the plurality of elements constitute the path of the threat (hereinafter referred to as “threat information”) is stored in the storage device.

  Further, as described above, the threat information may be information defining whether or not the threat is an internal threat (in FIG. 5, a threat source) for each of the plurality of threats. The threat information may be information defining information assets (assets to be protected in FIG. 5) that are exposed to the threats for each of the plurality of threats.

  Next, the selection criteria table 112 used in this example is shown in FIG.

  The selection criteria table 112 is a table that defines defense domain determination criteria based on the occurrence frequency of threats and the amount of damage to assets. For threats, criteria are defined separately for external threats and internal threats. This is because the occurrence frequency of external threats cannot be reduced, but in the case of internal threats, the frequency of occurrence of the threats can be reduced by implementing countermeasures.

  For example, in the selection criteria table 112 shown in FIG. 6A, criteria according to the magnitude of the external threat risk are defined. The first record from the top of the selection criterion table 112 stores data defining a criterion when the risk magnitude is “large”. This first record indicates that when the frequency of threat occurrence is “at least once a month”, the risk magnitude is determined to be “large”. In addition, the first record indicates a defense domain determination criterion that when the risk magnitude is “large”, the defense domain closest to the threat source and the next closest defense domain should be selected. . Also, the first record is a control selection criterion that multiple security controls should be implemented in the defense domain closest to the threat source, and at least one security control should be implemented in the next closest defense domain. Is shown.

  For example, in the selection criterion table 112 shown in FIG. 6B, a criterion corresponding to the risk level of the internal threat is defined. The first record from the top of the selection criterion table 112 stores data defining a criterion when the risk magnitude is “large”. This first record indicates that when the frequency of threat occurrence is “at least once a month”, the risk magnitude is determined to be “large”. In addition, the first record indicates a defense domain judgment criterion that, when the magnitude of the risk is “large”, a defense domain with an internal threat and a defense domain closest to the internal threat should be selected. . Also, the first record is a control selection criterion that multiple security controls should be implemented in a defense domain with an internal threat and at least one security control should be implemented in the defense domain closest to the internal threat Is shown.

  For example, in the selection criterion table 112 shown in FIG. 6C, a criterion corresponding to the magnitude of damage to the assets to be protected due to the threat is defined. The first record from the top of the selection criterion table 112 stores data defining a criterion when the magnitude of damage is “large”. This first record indicates that when the amount of damage is “50 million yen or more at a time”, the amount of damage is determined to be “large”. Further, the first record indicates a defense domain determination criterion that, when the magnitude of damage is “large”, a defense domain having an asset and a defense domain closest to the asset should be selected. The first record also shows the control selection criteria that multiple security controls should be implemented in the defense domain with the asset and at least one security control should be implemented in the defense domain closest to the asset. ing.

  6 is an example of the selection criteria table 112, other definitions may be made, and other data structures may be adopted. In particular, in this example, regarding the magnitude of the risk of the threat, it may be “large” if the attack pattern occurrence frequency is once or more / month, “medium” if it is once or more / year, and less than once / year. For example, a criterion of “small” is defined, but this may be defined for each organization according to the size of the organization, the size of the information system, and the like. Also, in this example, regarding the magnitude of damage to the asset, “large” if the damage amount is 50 million yen or more / time, “medium” if the damage is 5 million yen or more / time, less than 5 million yen / time If so, the criterion “small” is defined, but the same applies to this. For example, the defense domain determination criterion may be set so as to preferentially select a domain located between the threat source (external or internal) and the asset. For example, if the risk size is “Large”, the defense domain located between the defense domain closest to the threat source (or the defense domain with the internal threat) and the defense domain with the asset Set so that the defense domain next to the defense domain (the side near the threat source or the side near the defense domain with the asset) should be selected.

  As described above, the selection criteria table 112 includes the elements selected by the selection criteria (the defense domain determination criteria in FIG. 6) for each of a plurality of selection criteria (in FIG. 6, threat criteria or asset value criteria). Are stored in the storage device in the storage device (hereinafter referred to as “selection criterion information”). The selection criterion is a criterion for selecting an element to be subjected to the security control measure among a plurality of elements constituting the threat path.

  In addition, as described above, the selection criterion information is obtained by, for example, grading the magnitude of the threat risk with respect to each of the plurality of selection criteria (in FIG. 6A, threat criterion (external)). This is information that defines a risk level and designates a number of elements according to the height of the defined risk level in the order closer to the source of the threat in the threat path as an element selected by the selection criteria. In addition, the selection criterion information defines, for example, a risk level obtained by grading the magnitude of the risk of an internal threat with respect to each of the plurality of selection criteria (the threat criterion (internal) in FIG. 6B). In addition, as elements selected by the selection criteria, information specifying a number of elements corresponding to the height of the defined risk level in order from the elements corresponding to the source of the internal threat in the threat path. The selection criterion information defines, for example, a damage level obtained by grading the magnitude of damage of information assets due to threats with respect to each of the plurality of selection criteria (in FIG. 6, (c), asset value criteria). In addition, as elements to be selected according to the selection criteria, information that specifies the number of elements corresponding to the height of the defined damage level in order from elements corresponding to information assets in the threat path.

  In addition, as described above, the selection criterion information further defines an implementation criterion (control policy selection criterion in FIG. 6) that is a criterion of the security control measure to be implemented for each of the plurality of selection criteria. It may be information.

  Next, the security management policy-defense model correspondence table 113 used in this example is shown in FIGS.

  The security management policy-defense model correspondence table 113 is a table that holds information indicating which security model is a management policy to be implemented in which defense model of which defense model against which security threat.

  For example, in the security management measure-defense model correspondence table 113 shown in FIG. In the record 1, data defining one of the management measures corresponding to the defense model 1 against virus infection shown in FIG. 2 is stored. Specifically, this data defines security controls implemented on the network. Here, in the defense model against the attack pattern in which the threat source is inside, a control measure for the internal threat source (defense domain with the internal threat) is also necessary. In such a case, the domain name is entered in “internal threat source” of the security control measure-defense model correspondence table 113. For example, the control policy No. Record 5 stores data defining one of the management measures corresponding to the defense model 2 against virus infection shown in FIG. The threat source of the attack pattern that the defense model 2 counters is a terminal infected with an internal virus. Specifically, this data defines the security control measures implemented for the terminal as the internal threat source. It is.

  One security control may correspond to multiple security threats and multiple defense models. For example, in the security management measure-defense model correspondence table 113 shown in FIG. The 51 records (there are two records) store data defining one of the management measures corresponding to both the defense model 1 and the defense model 3 against information leakage. Specifically, this data defines the security controls implemented for the equipment.

  7 and 8 are part of the security control / defense model correspondence table 113, and the same definition is made for threats other than virus infection and information leakage. 7 and 8 are examples of the security control / defense model correspondence table 113, other definitions may be made, and other data structures may be adopted.

  As described above, the security management measure-defense model correspondence table 113 indicates that each of the plurality of security management measures is a threat to be dealt with by the security management measure (in FIG. 7 and FIG. 8, a combination of the threat and the defense model). ) And an element (in FIG. 7 and FIG. 8, an internal threat source or a defense domain) that is an implementation target of the security control among a plurality of elements that constitute a path until the threat reaches the information asset. Information to be defined (hereinafter referred to as “security management information”) is stored in a storage device.

  Further, as described above, the security management information indicates whether or not the threat addressed by the security management policy is an internal threat for each of the plurality of security management policies (in FIGS. 7 and 8). Information defining internal threat sources).

  FIG. 9 is a flowchart showing the operation of the security countermeasure standard creation support system 100.

  First, in step S101 of FIG. 9, the element selection unit 122 receives an input of a risk for a threat attack pattern by the input unit 121 and selects a defense model necessary to counter the threat by the processing device.

  Here, the detailed operation of step S101 (defense model selection procedure) is shown in FIG.

  In step S <b> 201, the element selection unit 122 receives an operation for the user to select one threat by the input unit 121. When one security threat is selected, the element selecting unit 122 selects the attack pattern (threat attack method) data of the selected threat from the defense model table 111, and the corresponding defense model (defense model number, threat source). Then, the asset data to be protected is read out by the processing device, and a defense model selection screen 151 as shown in FIG. As will be described below, in the defense model selection screen 151 shown in FIG. 11, “threat source” and “assets to be protected” for each defense model number “No.” for the selected threat type “virus infection”. ”, The“ attack method ”of the threat, the size of“ threat ”to be described later, the value of the value of“ assets ”to be protected, and the“ selection ”column are displayed in a table format.

  In the defense model selection screen 151 shown in FIG. 11, “virus infection” is selected as the threat type. For example, when the “threat selection” button is pressed, the element selection unit 122 displays a list of threat types and receives an operation for selecting the threat type.

  In step S <b> 202, the element selection unit 122 inputs an operation in which the user inputs a threat magnitude (threat risk magnitude) and an asset value magnitude (damage to the asset) with respect to the attack pattern. Received by the unit 121.

  In the defense model selection screen 151 shown in FIG. 11, the magnitude of the threat against the attack pattern of virus infection and the magnitude of the value of the assets to be protected are specified. The magnitude of the threat and the magnitude of the asset value are specified in three stages, for example, large, medium, and small. Alternatively, the attack pattern occurrence frequency is specified as the threat size, and the damage amount per time when the server or the terminal is infected with a virus is specified as the asset value.

  When the occurrence frequency is designated, the element selection unit 122 selects one of the selection criteria tables 112 shown in FIGS. 6A and 6B depending on whether the threat indicated by the attack pattern is an external threat or an internal threat. Select. Then, the element selection unit 122 determines the magnitude of the risk corresponding to the designated occurrence frequency from the selected selection criterion table 112 by the processing device. On the other hand, when the damage amount is designated, the element selection unit 122 selects the selection criterion table 112 shown in FIG. Then, the element selection unit 122 determines, from the selected selection criterion table 112, the magnitude of damage corresponding to the specified damage amount by the processing device.

  For example, in the defense model selection screen 151 shown in FIG. 11, it is one of the attack patterns of “virus infection”, the defense model number is “1”, the threat source is “external threat”, and the asset to be protected is “server”. And “terminal”, the magnitude of the threat risk is manually designated or automatically determined as “large” and the magnitude of damage to the asset is “medium”.

  In step S203, the element selection unit 122 automatically determines an attack pattern to be handled by the processing device (selects a defense model). For example, when the “automatic determination” button is pressed, the element selection unit 122 automatically determines the attack pattern to be handled according to the input threat and asset size, and enters the selection field on the defense model selection screen 151. indicate. At this time, the element selection unit 122 determines to exclude it from the selection if both the threat and the asset are set to “small”. The element selection unit 122 determines that one of them is included in the selection if it is “medium” or more.

  Thereafter, if there is a problem with the selection result due to the user's operation or the like, the process proceeds to step S204. If it is not necessary to modify the element, when the selection of the attack pattern for one threat is completed, the element selection unit 122 returns to step S201 and accepts an operation for the user to select another threat using the “threat selection” button. . And the element selection part 122 selects the attack pattern which should be countered similarly. On the other hand, when the selection of attack patterns for all threats is completed, the element selection unit 122 accepts an operation of the user pressing the “OK” button, and completes the selection of the defense model. The element selection unit 122 stores the attack pattern selected for each security threat and information on the defense model corresponding to the attack pattern on the memory 130 as the defense model selection information 131 when the defense model selection is completed.

  In step S <b> 204, the element selection unit 122 accepts an operation by the input unit 121 for the user to correct the check in the selection column. For example, when the “selection correction” button is pressed, the element selection unit 122 enables editing of the selection field, and accepts an operation for the user to correct the selection result.

  Next, in step S102 of FIG. 9, the element selection unit 122 uses the processing device to select a defense domain to take a countermeasure in the defense model selected in step S102.

  Here, the detailed operation of step S102 (protection domain selection procedure defined in each defense model) is shown in FIG.

  In step S <b> 301, the element selection unit 122 receives an operation by the input unit 121 for the user to select one threat. In step S <b> 302, the element selection unit 122 receives an operation by the input unit 121 for the user to select one attack pattern. When one security threat is selected and one of the attack patterns selected on the defense model selection screen 151 is selected, the element selection unit 122 reads the corresponding defense model (defense model number, threat) from the defense model table 111. Source, defense domain) and asset data to be protected are read out by the processing device, and a defense domain selection screen 152 as shown in FIGS.

  The defense domain selection screen 152 shown in FIGS. 13 and 14 displays a target security threat, a threat attack pattern, a defense model diagram against the attack pattern, and a defense domain selection column. In the defense domain selection screen 152 shown in FIG. 13, “virus infection” is selected as the threat type, “attack pattern 1” is selected as the attack pattern, and the defense model 1 shown in FIG. 2 is displayed in the defense model diagram. . In the defense domain selection screen 152 shown in FIG. 14, “virus infection” is selected as the threat type, “attack pattern 2” is selected as the attack pattern, and the defense model 2 shown in FIG. 2 is displayed in the defense model diagram. . For example, when the “threat selection” button is pressed, the element selection unit 122 displays a list of threat types and receives an operation for selecting the threat type. In addition, when the “attack pattern selection” button is pressed, the element selection unit 122 displays a list of attack patterns of the selected threat and receives an operation for selecting an attack pattern.

  In step S303, the element selection unit 122 automatically selects a defense domain to be countered by the processing device in accordance with a domain selection criterion corresponding to the threat and asset size input at the time of defense model selection. That is, the element selection unit 122 determines a defense domain according to the defense domain determination criteria defined in the selection criteria table 112 selected in step S202 of FIG.

  For example, in the case of an external threat, the element selection unit 122 selects the selection criterion table 112 in FIG. If the threat size is “large”, the element selection unit 122 selects “1” and “2” domains from among the numbers described in the defense domain column of the defense model table 111. In the case of an internal threat, the element selection unit 122 selects the selection criterion table 112 shown in FIG. If the size of the threat is “large”, the element selection unit 122 selects a domain with a “●” mark in the internal domain column of the threat source in the defense model table 111, and further selects the most threat. The domain of “1” in the defense domain column is selected as a close domain. Further, the element selection unit 122, for the attack pattern with the asset value “large”, in accordance with the selection criteria table 112 of FIG. 6C, the number described in the defense domain column of the defense model table 111, Select the domain with the largest number and the second largest number. At this time, the element selection unit 122 selects the defense domain if it is a selection target based on either the threat or the asset value. However, domains with internal threats and other defense domains are treated as separate domains. For example, when the internal threat is “server” and the threat size is “medium”, the element selection unit 122 selects the “server” domain with the internal threat as the internal threat domain, but the asset value is “ If the “server” is also included in the domain with the asset and the domain closest to the asset, the “server” is separately selected as the defense domain. In other words, the countermeasure for the “server” as an internal threat is different from the countermeasure for the “server” as a defense domain for assets. The element selection unit 122 displays which defense domain has been selected in the defense domain selection field of the defense domain selection screen 152.

  For example, on the defense domain selection screen 152 shown in FIG. 13, all the defense domains of the defense model 1 corresponding to “attack pattern 1” of “virus infection” are automatically selected in the selection column. Specifically, “network”, “server”, and “terminal” are selected. Further, for example, in the defense domain selection screen 152 shown in FIG. 14, the defense domain with the internal threat is automatically selected in the selection column among the defense domains of the defense model 2 corresponding to “attack pattern 2” of “virus infection”. Is selected. Specifically, “server” with internal threat and “terminal” with internal threat are selected.

  Thereafter, if there is a problem with the selection result due to the user's operation or the like, the process proceeds to step S304. If there is no need to modify, after selecting a defense domain for one attack pattern, the element selection unit 122 returns to step S302, and the user selects another attack pattern with the “attack pattern selection” button. Accept the operation. And the element selection part 122 selects a defense domain similarly. On the other hand, when selection of defense domains for all attack patterns is completed for one threat, the element selection unit 122 returns to step S301, and the user performs an operation of selecting another threat using the “threat selection” button. Accept. And the element selection part 122 selects the defense domain with respect to all the attack patterns similarly. When selection of defense domains for all attack patterns is completed for all threats, the element selection unit 122 accepts an operation of the user pressing the “OK” button, and completes selection of defense domains. When the selection of the defense domain is completed, the element selection unit 122 stores the security threat and information on the defense domain selected for each attack pattern on the memory 130 as the defense domain selection information 132.

  In step S <b> 304, the element selection unit 122 accepts an operation by the input unit 121 for the user to correct the check in the selection column. For example, when the “selection correction” button is pressed, the element selection unit 122 enables editing of the selection field, and accepts an operation for the user to correct the selection result.

  As described above, in steps S <b> 101 and S <b> 102, the input unit 121 receives an operation for specifying a threat and a selection criterion by the input device. The element selection unit 122 extracts, from the selection criterion information stored in the selection criterion table 112, the rank of elements corresponding to the selection criterion identified by the operation on the input unit 121 by the processing device. Then, the element selection unit 122 corresponds to the threat identified by the operation on the input unit 121 from the threat information stored in the defense model table 111 (“attack pattern 1” of “virus infection” in FIG. 13). The processing device selects an element (in FIG. 13, “network”, “server”, “terminal”) whose rank in the path of the threat matches the extracted rank.

  For example, the input unit 121 receives an input of information indicating the threat level of the threat (for example, an attack pattern occurrence frequency) as an operation for specifying the selection criterion. The element selection unit 122 selects the selection criterion corresponding to the risk level indicated by the information input to the input unit 121 from the selection criterion information stored in the selection criterion table 112 (in FIG. 11, for example, the threat of “attack pattern 1”). Is determined by the processing device. The element selection unit 122 extracts, from the selection criterion information stored in the selection criterion table 112, the ranks of the elements corresponding to the identified selection criterion (for example, the first and second in order from the closest to the threat source) by the processing device. To do. Then, the element selection unit 122 corresponds to the threat identified by the operation on the input unit 121 from the threat information stored in the defense model table 111 (“attack pattern 1” of “virus infection” in FIG. 13). The processing device selects an element (in FIG. 13, “network”, “server”, “terminal”) whose rank in the path of the threat matches the extracted rank.

  Further, for example, the input unit 121 accepts an operation for specifying an internal threat as an operation for specifying a threat, and information indicating a risk level of the internal threat (for example, an attack pattern occurrence frequency or the like) as an operation for specifying a selection criterion ) Is received by the input device. The element selection unit 122 selects the selection criterion corresponding to the risk level indicated by the information input to the input unit 121 from the selection criterion information stored in the selection criterion table 112 (in FIG. 11, for example, the threat of “attack pattern 2”). Is determined by the processing device. The element selection unit 122 uses the processing device to determine the order of elements corresponding to the specified selection criteria (for example, the first from the element corresponding to the source of the internal threat) from the selection criteria information stored in the selection criteria table 112. Extract. Then, the element selection unit 122 corresponds to the internal threat (“attack pattern 2” of “virus infection” in FIG. 14) identified from the threat information stored in the defense model table 111 by an operation on the input unit 121. The processing device selects an element (in FIG. 14, “internal server”, “internal terminal”) whose rank in the path of the internal threat matches the extracted rank.

  Further, for example, the input unit 121 further accepts an operation for specifying an information asset by the input device, and as an operation for specifying a selection criterion, information indicating the damage level of the information asset (for example, when the server is infected with a virus) The amount of damage per time is received by the input device. The element selection unit 122 selects the selection criteria corresponding to the damage level indicated by the information input to the input unit 121 from the selection criteria information stored in the selection criteria table 112 (in FIG. 11, for example, the asset of “attack pattern 1” Is determined by the processing device. The element selection unit 122 extracts, from the selection criterion information stored in the selection criterion table 112, the rank of elements corresponding to the identified selection criterion (for example, the first in order from the element corresponding to the information asset) by the processing device. Then, the element selection unit 122 uses the threat information stored in the defense model table 111 to identify the information asset (for example, server) identified by the operation on the input unit 121 and the threat identified by the operation on the input unit 121 ( In FIG. 13, an element corresponding to a combination of “virus infection” and “attack pattern 1”), the rank of the threat in the path matches the extracted rank (in FIG. 13, for example, “server )) Is selected by the processing equipment.

  Next, in step S <b> 103 of FIG. 9, the security management measure selection unit 123 displays a list of necessary security management measures on the output unit 125. Specifically, the security control measure selection unit 123 reads out, from the security control measure-defense model correspondence table 113, the control measures associated with the defense domain of the defense model selected in step S102 by the processing device. Then, the security management measure selection unit 123 causes the output unit 125 to display a list of the read security management measures on a security management measure list screen 153 as shown in FIG. The management measures listed in this list are candidates for security countermeasure standards.

  In the security management measure list screen 153 shown in FIG. 15, “virus infection” is selected as the threat type. For example, when the “threat selection” button is pressed, the security management measure selection unit 123 displays a list of threat types and receives an operation for selecting the threat type. Thereby, the security management measure selection unit 123 can display a list of management measures for each threat. It should be noted that all threats may be selected at the same time so that the security management measure selection unit 123 can display all the management measures on the security management list screen 153. In that case, the security management list screen 153 has a form in which a threat column is added to the list column.

  As described above, in step S103, the security management measure selection unit 123 determines the threat identified by the operation to the input unit 121 from the security control measure information stored in the security control measure-defense model correspondence table 113 (FIG. 15). Then, for example, a security control measure corresponding to a combination of “defense model 1” of “virus infection” and the elements selected by the element selection unit 122 (for example, “server” and “terminal” in FIG. 15). Select by processing equipment. The output unit 125 outputs the security management policy selected by the security management policy selection unit 123 by the output device.

  Next, in step S104 of FIG. 9, the security management measure selection unit 123 accepts the input of the security management measure currently implemented in the security management measures selected in step S103 by the input unit 121. For example, when the “current input” button is pressed on the security management policy list screen 153 shown in FIG. 15, the security management policy selection unit 123 displays the security management policy current input screen 154 as shown in FIG. Is displayed. The user puts a check in the check box in the input column when the currently displayed security management measure is being implemented. Since one security control may be effective for multiple defense models, if the same control is also present in other defense models, the security control selection unit 123 automatically checks the input field as well. Is put.

  In the security management measure current state input screen 154 shown in FIG. 16, “virus infection” is selected as the threat type. For example, when the “threat selection” button is pressed, the security management measure selection unit 123 displays a list of threat types and receives an operation for selecting the threat type. When the user completes the input of the currently implemented control for one threat, the user can display the security control for another threat with the “Select Threat” button, and the current currently implemented control Input. When the “OK” button is pressed, the security management policy selection unit 123 stores information input by the user in the memory 130 as current management policy information 134.

  Next, in step S105 of FIG. 9, the security management policy determination unit 124 inputs the security management policy input in step S104 (if a security management policy is also input in step S106 described later, it is input in step S104 and step S106). The security device) determines whether or not the security control measure is sufficient, and the output unit 125 displays an overall map indicating the result. For example, when the “overall map” button is pressed on the security control measure current state input screen 154 shown in FIG. 16, the security control measure determination unit 124, as shown in FIG. An example) is displayed by the output unit 125. In the security control overall map 155, the horizontal axis represents threats and attack patterns, the vertical axis represents internal threat sources and defense domains, which defense domain is selected, and sufficient control measures are selected for that defense domain. It shows whether or not.

  In the security management overall map 155 shown in FIG. 17, the number under the threat indicates the attack pattern number (equal to the defense model number). The “■” mark indicates that it is selected as a defense domain, and the “□” mark indicates that it is not selected as a defense domain. If there is nothing, it indicates that the domain does not exist in the defense model. The shaded area indicates that countermeasures have been implemented. Therefore, the place marked with “■” and not shaded is a lack of countermeasures.

  The security control measure determination unit 124 determines whether or not a sufficient measure has been selected according to the control measure selection criteria defined in the selection criteria table 112. The security management policy determination unit 124 selects one of the selection criteria tables 112 shown in FIGS. 6A and 6B depending on whether the threat indicated by the attack pattern is an external threat or an internal threat. And in accordance with the management policy selection criteria, the processing device determines whether a sufficient management policy has been selected. For the asset value, the security management policy determination unit 124 selects the selection criterion table 112 shown in FIG. 6C, and determines whether a sufficient management policy is selected according to the management policy selection criterion by the processing device. judge.

  For example, in the case of an external threat, the security control measure determination unit 124 selects the selection criterion table 112 in FIG. If the size of the threat is “large”, the security control measure determination unit 124 selects a plurality of control measures in the domain “1” among the numbers described in the defense domain column of the defense model table 111. If so, it is determined that the security management measures in the defense domain are sufficient. For other defense domains, if there is a defense domain for which at least one management measure has been selected, it is determined that the security control measures taken for that defense domain are sufficient. If the threat size is “medium”, the security management determination unit 124 selects at least one management policy in the domain “1” among the numbers described in the defense domain column of the defense model table 111. If so, it is determined that the security management measures in the defense domain are sufficient. For other defense domains, even if the protection domain is not selected, it is determined that the security management measures taken for that defense domain are sufficient. If the threat size is “small”, the security management policy determination unit 124 determines that the security management policy is sufficient for all defense domains.

  In the case of an internal threat, the security management measure determination unit 124 selects the selection criterion table 112 in FIG. 6B. If the size of the threat is “large”, the security control measure determination unit 124 selects a plurality of control measures in the domain that is marked with “●” in the internal domain column of the threat source in the defense model table 111. If so, it is determined that the security management measures in the defense domain are sufficient. For other defense domains, if there is a defense domain for which at least one management measure has been selected, it is determined that the security control measures taken for that defense domain are sufficient. If the threat size is “medium”, the security control determination unit 124 selects at least one control measure in the domain that is marked with “●” in the internal domain column of the threat source in the defense model table 111. If so, it is determined that the security management measures in the defense domain are sufficient. For other defense domains, even if the protection domain is not selected, it is determined that the security management measures taken for that defense domain are sufficient. If the threat size is “small”, the security management policy determination unit 124 determines that the security management policy is sufficient for all defense domains.

  For an attack pattern with an asset value of “Large”, the security control measure determination unit 124 uses the number described in the defense domain column of the defense model table 111 according to the selection criterion table 112 of FIG. If a plurality of management measures are selected in the domain with the largest number, it is determined that the security management measures taken for the defense domain are sufficient. For other defense domains, if there is a defense domain for which at least one management measure has been selected, it is determined that the security control measures taken for that defense domain are sufficient. For an attack pattern with an asset value of “medium”, the security control measure determination unit 124 has at least one control measure in the domain having the largest number of the numbers described in the defense domain column of the defense model table 111. If it is selected, it is determined that the security control measures taken for the defense domain are sufficient. For other defense domains, even if the protection domain is not selected, it is determined that the security management measures taken for that defense domain are sufficient. The security management policy determination unit 124 determines that the security management policy is sufficient for all defense domains against an attack pattern with an asset value of “small”.

  When the security control measures taken for a certain defense domain against a certain attack pattern are sufficient for both the threat and the asset value, the security control determination unit 124 is implemented in the defense domain for the attack pattern. Determine that the security controls in place are sufficient. Then, the security control measure determination unit 124 displays a column (also referred to as “cell”) corresponding to the combination of the attack pattern and the defensive domain on the overall security control map 155 by shading “■”. . If at least one of the threat and the asset value is not sufficient, the security control determination unit 124 does not shade the field.

  One control may be effective for multiple threats and attack patterns. For a certain attack pattern, even if the control policy selected in another attack pattern is effective for the defense domain even if it is not selected as the defense domain, the security control determination unit 124 On the map 155, a column corresponding to the combination of the attack pattern and the defense domain is displayed by shading with “□”. As a result, it can be seen that multiple countermeasures are taken even in domains other than the selected defense domain.

  For example, in the security control overall map 155 shown in FIG. 17, three defense domains of a server, a terminal, and a network are selected for the attack pattern 1 of virus infection. As specified in the defense model selection screen 151 shown in FIG. 11, it is assumed that the magnitude of the risk of threat is “large” and the magnitude of damage to the asset is “medium”.

  Referring to the defense model table 111 shown in FIG. 5, the server is not a defense domain closest to the threat source, but a defense domain having assets to be protected. Since the threat source is “external threat”, referring to the selection criteria table 112 shown in FIG. 6A, when the magnitude of the risk is “large”, the defense other than the closest defense domain to the threat source At least one security control must be implemented in the domain. Further, referring to the selection criteria table 112 shown in FIG. 6C, when the damage magnitude is “medium”, it is necessary that at least one security management measure is implemented in the defense domain having the assets to be protected. There is. From these conditions, the security control measure determination unit 124 determines that at least one security control measure needs to be implemented in the server. Therefore, for example, the management policy No. in the security management policy-defense model correspondence table 113 shown in FIG. If the security management policy 2 is selected, the security management policy determination unit 124 sets a column corresponding to the combination of the virus infection attack pattern 1 and the server on the security management overall map 155 with a network marked with “■”. Display by hanging. On the other hand, for example, if no security control measure is selected, the security control determination unit 124 sets a column corresponding to the combination of the virus infection attack pattern 1 and the server on the security control overall map 155 as “■”. ", But not shaded. The same applies to terminals.

  Referring to the defense model table 111 shown in FIG. 5, the network is the defense domain closest to the threat source, and is not a defense domain having assets to be protected. Since the threat source is “external threat”, referring to the selection criterion table 112 shown in FIG. 6A, when the risk magnitude is “large”, a plurality of defense domains in the closest defense source to the threat source Security controls need to be implemented. In addition, referring to the selection criteria table 112 shown in FIG. 6C, when the magnitude of damage is “medium”, the security management measures are implemented in the defense domains other than the defense domain having the assets to be protected. There is no need. From these conditions, the security control measure determination unit 124 determines that a plurality of security control measures need to be implemented in the network. Therefore, for example, the management policy No. in the security management policy-defense model correspondence table 113 shown in FIG. If one security control measure and at least one other security control measure (for the virus infection attack pattern 1) are selected, the security control determination unit 124 displays the virus infection on the security control overall map 155. The column corresponding to the combination of attack pattern 1 and network is displayed with a shaded “■” mark. On the other hand, for example, the management policy No. If only one security control measure has been selected, the security control determination unit 124 marks the column corresponding to the combination of the virus infection attack pattern 1 and the network on the security control overall map 155 with “■”. However, it is not displayed with shading.

  As described above, in steps S <b> 104 and S <b> 105, the input unit 121 accepts an operation for selecting a currently implemented security management policy from the security management policy selected by the security management policy selection unit 123 using the input device. Note that the input unit 121 may accept an operation for selecting an arbitrary security management measure, such as a security management measure that is planned to be implemented in the future, as well as a security management measure that is currently implemented. The security management measure determination unit 124 extracts, from the selection criterion information stored in the selection criterion table 112, an execution criterion corresponding to the selection criterion specified by the operation on the input unit 121 by the processing device. Then, the security management policy determination unit 124 determines, for each combination of threat and element, whether or not the security management policy selected by the operation on the input unit 121 satisfies the extracted implementation standard. . The output unit 125 outputs an overall security control policy map 155 that displays the determination result of the security control policy determination unit 124 by using the output device. In the overall security management map 155, items indicating a plurality of threats (in FIG. 17, virus infection attack patterns 1 to 3 and information leakage attack patterns 1 to 9) and items indicating a plurality of elements (in FIG. One of the threat sources (user, administrator, server, terminal and defense domain user, administrator, server, terminal, etc.) is the vertical axis. The other item (in FIG. 17, the item indicating the element) is arranged on the horizontal axis. Then, in the security control overall map 155, for each column specified by the vertical axis and the horizontal axis, a security control determination unit for the security control corresponding to the combination of the threat and the element indicated by the vertical axis and the horizontal axis. The result determined in 124 is displayed (in FIG. 17, for example, the column corresponding to the combination of the virus infection attack pattern 1 and the server is displayed by shading of “■”).

  According to the present embodiment, what elements are sufficient or insufficient for what kind of threat the security management measures that are currently being implemented (or security management measures to be implemented in the future). Can be easily grasped from the viewpoint of risk distribution and multiple defenses. Therefore, it is possible to efficiently formulate effective security countermeasure standards.

  After step S105, if there is an insufficient measure due to user operation or the like, the process proceeds to step S106, and if not, the process proceeds to step S107.

  In step S106 of FIG. 9, the security management measure selection unit 123 accepts selection of a security control measure to be executed by the input unit 121, and returns to step S105. For example, the security control measure selection unit 123 displays a cell (for example, a user or a user of the attack pattern 3 of the virus infection) that is displayed in the security control overall map 155 shown in FIG. When the “administrator domain” is selected and the “control measure selection” button is further pressed, a security control measure selection screen 156 as shown in FIG. Note that the security control measure selection unit 123 displays the security control measure selection screen 156 on the output unit 125 even when the “control measure selection” button is pressed on the security control measure list screen 153 shown in FIG.

  In the security management measure selection screen 156 shown in FIG. 18, “virus infection” is selected as the threat type. For example, when the “threat selection” button is pressed, the security management measure selection unit 123 displays a list of threat types and receives an operation for selecting the threat type. On the security management measure selection screen 156, a list of unselected management measures is displayed for the target threat (for example, “virus infection”). The user can select a management measure to be included in the security measure standard by checking a check box in the selection column. When the “OK” button is pressed, the security management policy selection unit 123 stores information input by the user in the memory 130 as management policy selection information 133. When the “overall map” button is pressed, the process returns to step S105, and the security control measure determination unit 124 displays the security control measure overall map 155 on the output unit 125 in a form reflecting the information input in the selection field. . If there is still a shortage, the process proceeds to step S106 again, and the user selects an additional management policy on the security management policy selection screen 156.

  Finally, in step S107 of FIG. 9, the security measure standard storage unit 126 stores information indicating the security control measures that are shown to be implemented in the storage device as the security measure criteria in the entire map displayed in step S105. save. For example, when the “OK” button is pressed in the security management whole map 155 shown in FIG. 17, the security measure standard storage unit 126 stores the defense model selection information 131 and the defense domain selection information stored in the memory 130. 132, management policy selection information 133, and current management policy information 134 are stored as security countermeasure standard information 141 in the HDD 140 or other storage device. By reading the security countermeasure standard information 141 from the HDD 140 or other storage device, it is possible to perform operations such as selecting a defense domain or selecting a management policy again. Only when it is determined that sufficient measures have been taken for all threats / attack patterns and internal threat domains / defense domains, the “OK” button cannot be pressed on the entire security control map 155. Also good.

  As described above, according to the present embodiment, it is possible to support the creation of effective security measure standards based on the concept of risk distribution and multiple defenses.

  In the present embodiment, the security countermeasure standard creation support system 100 determines whether the currently implemented security management measures are sufficient (that is, whether or not they are insufficient) according to a predetermined standard, and the whole Although displayed on the map, conversely, it may be determined based on the same criteria whether the currently implemented security control is not excessive and displayed on the entire map.

Embodiment 2. FIG.
In the present embodiment, differences from the first embodiment will be mainly described.

  FIG. 19 is a block diagram showing a configuration of the security countermeasure standard creation support system 100 according to the present embodiment.

  In FIG. 19, the security measure standard creation support system 100 includes a database 110, a defense model addition unit 127, and a security management measure addition unit 128. Although omitted in FIG. 19, the security measure standard creation support system 100 is similar to the first embodiment, the input unit 121, the element selection unit 122, the security control measure selection unit 123, the security control measure determination unit 124, the output It is also assumed that a unit 125 and a security measure standard storage unit 126 are provided. In addition to the storage device such as the memory 130 and the HDD 140, the security countermeasure standard creation support system 100 includes hardware such as a processing device (not shown), an input device, and an output device, as in the first embodiment.

  The defense model addition unit 127 has a defense model addition function. Hereinafter, this function will be described.

  Defense model addition function: The user defines a new attack pattern and adds a defense model corresponding to the new attack pattern via the input unit 121. At this time, the user creates a defense model using the input unit 121 as a defense model diagram in which a threat and an asset are connected by a defense domain. The defense model adding unit 127 automatically generates a record of the defense model table 111 with the defense model diagram as an input. In the security management policy addition function described later, a security management policy in the defense domain is added corresponding to the newly created defense model.

  The security management policy adding unit 128 has a security management policy adding function. Hereinafter, this function will be described.

  Security control measure addition function: The user adds a security control measure using the input unit 121 as a response to the revision of industry standards and guidelines and as a response to the defense model newly added by the defense model addition function. The user inputs a new management measure through the input unit 121. The security management policy adding unit 128 adds the input management policy to the security management policy-defense model correspondence table 113. The user uses the input unit 121 to define a defense model and internal threat / defense domain corresponding to the management policy. The security management policy adding unit 128 adds a new defense model and internal threat / defense domain to the entry of the management policy registered in the security management policy-defense model correspondence table 113 according to this definition.

  In this embodiment, each of the above functions can add new attack patterns and defense models to cope with changes in security threats, changes in organizational security policies, revisions to industry standards and guidelines, etc. .

  Hereinafter, the operation of the security countermeasure standard creation support system 100 (security countermeasure standard creation support method according to the present embodiment, program processing procedure according to the present embodiment) will be described by way of example.

  FIG. 20 is a flowchart showing the operation of the security countermeasure standard creation support system 100.

  In step S401, the defense model adding unit 127 displays a screen of a drawing tool or the like on the output unit 125, and the input unit 121 performs an operation for the user to create a defense model diagram corresponding to a new attack pattern with the drawing tool or the like. Accept. As a drawing tool or the like, for example, a tool having a function of outputting a defense domain defined in the defense model diagram and a connection relationship between the defense domains in an XML (extensible / Markup / Language) format is used. In step S402, the defense model adding unit 127 converts the defense model diagram created in step S401 into an XML format file using a drawing tool or the like and saves it in the memory 130. In step S403, the defense model adding unit 127 reads the XML file saved in the memory 130 in step S402. In step S <b> 404, the defense model adding unit 127 accepts an operation in which the user inputs a threat name and an attack method through the input unit 121. Then, the defense model adding unit 127 adds a new defense model record corresponding to the input threat name and attack method to the defense model table 111. In step S405 (processing A), the defense model adding unit 127 extracts data items of the defense model table 111 from the XML file read in step S403 by the processing device. Then, the defense model adding unit 127 writes the extracted data item in the record added to the defense model table 111 in step S404.

  Here, the details of the processing A (conversion procedure to a table) are shown in FIG.

  In step S501, the defense model adding unit 127 extracts threat information from the XML file of the defense model read in step S403 by the processing device. If the threat information indicates an external threat, the defense model adding unit 127 writes “●” in the external threat column of the defense model table 111 in step S502. On the other hand, if the threat information indicates an internal threat, in step S503, the defense model adding unit 127 writes “●” in the domain field corresponding to the internal threat in the defense model table 111. In step S504, the defense model adding unit 127 extracts one defense domain connected to the threat from the threat information by the processing device. In step S505, the defense model adding unit 127 sets the corresponding defense domain number in the defense model table 111 to “1”. In step S506, the defense model adding unit 127 extracts one next defense domain from the threat information. In step S507, the defense model adding unit 127 sets the corresponding defense domain number in the defense model table 111 to “2”. If the defense domain is not a defense domain with assets, the process returns to step S506. On the other hand, if it is a defense domain with assets, the defense model adding unit 127 writes the defense domain name in the asset column to be protected in the defense model table 111 in step S508. If no defense domain remains connected to the threat, the process is terminated. On the other hand, if it remains, the defense model addition unit 127 adds a new defense model record to the defense model table 111 in step S509. Then, the defense model adding unit 127 copies the contents of the threat, defense model number, and threat source column to the record, and returns to step S504.

  For example, in steps S401 to S403 in FIG. 20, it is assumed that the defense model adding unit 127 receives an operation of inputting the virus infection defense model 3 shown in FIG. 3 as a new defense model (the defense model diagram is also shown in FIG. 3). As shown). In this case, in steps S <b> 404 to S <b> 405, the defense model adding unit 127 receives an operation of inputting specific contents of “virus infection” as the threat type and “attack pattern 3” as the threat attack method. Then, the defense model adding unit 127 adds, to the defense model table 111, three records with the threat “virus infection” and the defense model number “3” (manually or automatically numbered) in FIG. To do.

  In step S406 of FIG. 20, the security management policy adding unit 128 extracts a management policy corresponding to the target threat (the threat type input in step S404) from the security management policy-defense model correspondence table 113 by the processing device. To do. Then, the security management measure adding unit 128 causes the output unit 125 to display a list of extracted security management measures on the screen. In step S407, the security management measure adding unit 128 accepts an operation by the input unit 121 for the user to select a security management measure corresponding to the new defense model from the list of security management measures displayed in step S406. The security management policy adding unit 128 duplicates the selected security management policy record and adds it to the security management policy-defense model correspondence table 113. Then, the security management policy adding unit 128 writes the new defense model information in the record added to the security management policy-defense model correspondence table 113.

  For example, in steps S <b> 404 to S <b> 405, the defense model adding unit 127 has added three records with the threat “virus infection” and the defense model number “3” in FIG. 5 to the defense model table 111. . In this case, in step S406, the security management policy adding unit 128 sets the management policy No. 1 in FIG. Records from “1” to “6” are extracted from the security control-defense model correspondence table 113. Then, the security management measure adding unit 128 displays a list of extracted security management measures on the screen. At this time, in FIG. No record with "7" exists yet. In step S407, the security management policy adding unit 128 determines the management policy No. 2 is accepted, and the control policy No. Is duplicated and added to the security control / defense model correspondence table 113. Then, the security management measure adding unit 128 sets the defense model (number) of the added record to “3”.

  After step S407, if there is a management measure to be added by a user operation or the like, the process proceeds to step S408, and if not, the process ends.

  In step S408 (Process B), the security management policy adding unit 128 accepts an operation for the user to input a new management policy via the input unit 121. Then, the security management policy adding unit 128 adds the input security management policy to the security management policy-defense model correspondence table 113.

  Here, details of the process B (procedure for adding security management measures) are shown in FIG.

  In step S <b> 601, the security management policy adding unit 128 accepts input of the content of the security management policy to be added, and creates a security management policy record in the security management policy-defense model correspondence table 113. In step S602, the security management measure adding unit 128 accepts an operation for selecting a threat countered by the security management measure (the threat type handled in step S404 may be automatically selected), and writes it in the record. In step S603, the security control measure adding unit 128 may accept an operation of selecting an attack pattern (defense model) of a threat countered by the security control measure (the defense model handled in step S404 may be automatically selected). ) Write to the record. In step S604, the security management policy adding unit 128 accepts an operation of selecting an internal threat source and a defense domain, and writes it in the record. If there is an attack pattern to be countered, in step S605, a security management record in which the same threat type is written is added to the security management / defense model correspondence table 113, and the process returns to step S603. If there is still a threat to counter, in step S606, a security management record is added to the security management / defense model correspondence table 113, and the process returns to step S602. On the other hand, if there remains a management measure to be added, the process returns to step S601.

  For example, in steps S404 to S405 in FIG. 20, the defense model adding unit 127 adds three records in FIG. 5 where the threat is “virus infection” and the defense model number is “3” in the defense model table 111. Suppose that In this case, in step S408, the security management measure adding unit 128 accepts an operation of inputting “user” and “administrator” as the defense domain to be implemented together with the specific contents of the new security management measure. No. 7 is the control policy no. Is added to the security management policy-defense model correspondence table 113.

  As described above, according to the present embodiment, the user can freely add a defense model and a security management measure, so that the usability, convenience, versatility, expandability, and the like of the security measure standard creation support system 100 are improved. .

Embodiment 3 FIG.
In the present embodiment, differences from the first embodiment will be mainly described.

  FIG. 23 is a block diagram showing a configuration of the security countermeasure standard creation support system 100 according to the present embodiment.

  In FIG. 23, the security measure standard creation support system 100 includes a database 110, an element selection unit 122, and a security management measure determination unit 124. Although omitted in FIG. 23, the security measure standard creation support system 100 includes an input unit 121, a security control measure selection unit 123, an output unit 125, and a security measure standard storage unit 126 as in the first embodiment. And In addition to the storage device such as the memory 130 and the HDD 140, the security countermeasure standard creation support system 100 includes hardware such as a processing device (not shown), an input device, and an output device, as in the first embodiment.

  The security management policy determination unit 124 has a simulation function in addition to the security management policy determination function. Hereinafter, this function will be described.

  Simulation function: The user uses the input unit 121 to change the magnitude of the risk for the threat attack pattern. In this case, the security management policy determination unit 124 determines whether or not the current management policy is sufficient by simulation. Based on the current management policy, the security management policy determination unit 124 changes the magnitude of the risk for the attack pattern, and displays the entire security management policy map on the output unit 125 using the security management policy determination function.

  In the present embodiment, the above function makes it possible to grasp whether or not the currently implemented management measures are insufficient or sufficient when the risk to threats in the organization changes.

  Hereinafter, the operation of the security countermeasure standard creation support system 100 (security countermeasure standard creation support method according to the present embodiment, program processing procedure according to the present embodiment) will be described by way of example.

  FIG. 24 is a flowchart showing the operation of the security measure standard creation support system 100.

  In step S701, the element selection unit 122 reads, from the security countermeasure standard information 141, the defense model selection information 131 when the current security countermeasure standard is created by the processing device. In step S <b> 702, the element selection unit 122 causes the output unit 125 to display the current risk setting status for the threat attack pattern based on the defense model selection information 131. In step S <b> 703, the element selection unit 122 receives a risk change input for the attack pattern by the input unit 121. For example, the element selection unit 122 displays the defense model selection screen 151 as illustrated in FIG. 11 and accepts an operation for changing the magnitude of the risk of threat and / or the magnitude of damage received by the asset.

  In step S704, the element selection unit 122 causes the output unit 125 to display a defense domain to be newly selected corresponding to the risk changed in step S703. Then, the element selection unit 122 receives an input for changing the defense domain by the input unit 121. For example, the element selection unit 122 reads from the selection criterion table 112 the defense domain determination criterion corresponding to the threat risk level and / or the damage level that the asset receives in step S703. If there is no change in the defense domain determination criteria, the element selection unit 122 displays a defense domain selection screen 152 as shown in FIGS. 13 and 14. On the other hand, if there is a change, the element selection unit 122 displays the changed part (the defense domain that should be newly selected and the other one on the defense domain selection screen 152 as shown in FIGS. 13 and 14). An operation to change the selection of the defense domain. In this case, it is arbitrary whether or not to change the selection of the defense domain.

  In step S705, the security management policy determination unit 124 reads out the current management policy information 134 indicating the current security management policy from the security countermeasure standard information 141 by the processing device. In step S706, the security management policy determination unit 124 determines, based on the current management policy information 134, whether the current security management policy is sufficient for the risk changed in step S703. In step S707, the security management measure determination unit 124 displays an entire map indicating the result. In step S708, the security management policy determination unit 124 displays the current management policy and the management policy that can be implemented with respect to the attack pattern and defense domain for which the countermeasure is insufficient. For example, the security management policy determination unit 124 reads the management policy selection criterion corresponding to the risk level of the threat changed in step S703 and / or the level of damage received by the asset from the selection criterion table 112. The security control measure determination unit 124 determines whether or not a sufficient measure has been selected according to the control measure selection criteria, and displays a security control overall map 155 indicating the result. At this time, if there is a part where the judgment result has changed due to a change in the selection of the defense domain or a change in the control policy selection criteria, the part is highlighted in the security control overall map 155 To do. For example, it is displayed by color coding or the like so that it can be understood which part has changed due to the change in risk. When there is an attack pattern or a defense domain that is predicted to be insufficient, the security management determination unit 124 displays the current management policy and a management policy that can be implemented for strengthening in the form of a security management policy list. indicate.

  As described above, in steps S <b> 701 to S <b> 708, the input unit 121 receives an operation for specifying a selection criterion (hereinafter referred to as “candidate criterion”) as a candidate for change by the input device. The security management measure determination unit 124 extracts, from the selection criterion information stored in the selection criterion table 112, an execution criterion corresponding to the candidate criterion specified by the operation on the input unit 121 by the processing device. Then, for each combination of threat and element, the security control measure determination unit 124 satisfies the extracted execution standard when the security control measure selected by the operation on the input unit 121 (the currently implemented security control measure) is satisfied. It is determined by the processing device whether or not. The output unit 125 outputs an overall security control policy map 155 that displays the determination result of the security control policy determination unit 124 by using the output device.

  As mentioned above, although embodiment of this invention was described, you may implement combining 2 or more embodiment among these. Alternatively, one of these embodiments may be partially implemented. Or you may implement combining two or more embodiment among these partially.

  100 security countermeasure standard creation support system, 110 database, 111 defense model table, 112 selection standard table, 113 security control-defense model correspondence table, 121 input unit, 122 element selection unit, 123 security control policy selection unit, 124 security management Measure judgment unit, 125 output unit, 126 security measure standard storage unit, 127 defense model addition unit, 128 security control measure addition unit, 130 memory, 131 defense model selection information, 132 defense domain selection information, 133 management measure selection information, 134 Current management policy information, 140 HDD, 141 Security countermeasure standard information, 151 Defense model selection screen, 152 Defense domain selection screen, 153 Security management policy list screen, 154 Security management policy Status input screen, 155 security control overall map, 156 security control selection screen, 901 LCD, 902 keyboard, 903 mouse, 904 FDD, 905 CDD, 906 printer, 911 CPU, 912 bus, 913 ROM, 914 RAM, 915 communication Board, 921 operating system, 922 window system, 923 programs, 924 files.

Claims (13)

For each of multiple security management measures that are measures to protect information assets from multiple threats, there are multiple threats that are addressed by the security control measures and multiple routes that configure the route to the information assets. Among the elements, a security control information storage unit that stores security control information that defines an element to be subjected to the security control in a storage device;
For each of the plurality of threats, a threat information storage unit that stores, in a storage device, threat information that defines a plurality of elements constituting a threat path and an order in which the plurality of elements configure the threat path When,
Among the multiple elements that make up the threat path, for each of the multiple selection criteria that are the criteria for selecting the elements to be subject to security control measures, the elements selected by the selection criteria are A selection criterion information storage unit for storing selection criterion information to be specified in the rank of the element in the route in a storage device;
An input unit for accepting an operation for identifying a threat and a selection criterion by an input device;
The rank of the element corresponding to the selection criterion specified by the operation to the input unit is extracted from the selection criterion information stored in the selection criterion information storage unit by the processing device, and the threat stored in the threat information storage unit An element selection unit that selects, from the information, an element corresponding to a threat identified by an operation to the input unit, and a rank in the path of the threat matches the extracted rank by a processing device;
Processing device for security management corresponding to a combination of a threat specified by an operation to the input unit and an element selected by the element selection unit from the security management information stored in the security management information storage unit A security countermeasure standard creation support system comprising a security management policy selection section selected by The selection criterion information defines a risk level obtained by grading the magnitude of the threat risk for each of the plurality of selection criteria, and the occurrence of a threat in the threat path as an element selected by the selection criterion. It is information that specifies the number of elements according to the height of the defined risk level in order from the source,
The input unit accepts input of information indicating a risk level of a threat by an input device as an operation for specifying a selection criterion,
The element selection unit specifies a selection criterion corresponding to the risk level indicated by the information input to the input unit from the selection criterion information stored in the selection criterion information storage unit, and stores the selection criterion information storage The security measure standard creation support system according to claim 1, wherein the processing device extracts the rank of the element corresponding to the specified selection standard from the selection standard information stored in the section. The selection criterion information defines a risk level obtained by grading the magnitude of the risk of an internal threat for each of the plurality of selection criteria, and an internal threat in the threat path as an element selected by the selection criterion. This is information that specifies the number of elements according to the defined risk level in order from the element corresponding to the source of
The input unit receives an operation for specifying an internal threat as an operation for specifying a threat, and receives an input of information indicating a risk level of the internal threat by an input device as an operation for specifying a selection criterion.
The element selection unit specifies a selection criterion corresponding to the risk level indicated by the information input to the input unit from the selection criterion information stored in the selection criterion information storage unit, and stores the selection criterion information storage The rank of the element corresponding to the specified selection criterion is extracted from the selection criterion information stored in the processing unit by the processing device, and specified by the operation to the input unit from the threat information stored in the threat information storage unit The security countermeasure standard creation support system according to claim 1, wherein an element corresponding to an internal threat and having a rank in the path of the internal threat corresponding to the extracted rank is selected by a processing device. The threat information is information that further defines information assets exposed to the threat for each of the plurality of threats,
The selection criteria information defines, for each of the plurality of selection criteria, a damage level obtained by grading the magnitude of damage of information assets due to threats, and as an element selected by the selection criteria, a threat path It is information that specifies the number of elements according to the height of the defined damage level in order from the element corresponding to the information asset,
The input unit further accepts an operation for identifying information assets by the input device, and accepts an input of information indicating the damage level of the information assets by the input device as an operation for identifying selection criteria.
The element selection unit specifies a selection criterion corresponding to the damage level indicated by the information input to the input unit from the selection criterion information stored in the selection criterion information storage unit, and stores the selection criterion information storage The rank of the element corresponding to the specified selection criterion is extracted from the selection criterion information stored in the processing unit by the processing device, and specified by the operation to the input unit from the threat information stored in the threat information storage unit An element corresponding to a combination of an information asset and a threat identified by an operation on the input unit, the element having a rank in the path of the threat that matches the extracted rank is selected by the processing device, The security countermeasure standard creation support system according to claim 1. The selection criterion information is information that defines an implementation criterion that is a criterion of a security control measure to be further implemented for each of the plurality of selection criteria.
The input unit further accepts an operation for selecting an arbitrary security control measure from the security control measure selected by the security control measure selection unit by the input device,
The security countermeasure standard creation support system further includes:
From the selection criterion information stored in the selection criterion information storage unit, an execution criterion corresponding to the selection criterion specified by the operation to the input unit is extracted by a processing device, and the input is performed for each combination of threat and element. A security control determination unit that determines whether or not the security control selected by the operation to the unit satisfies the extracted implementation standard by the processing device;
Among the items indicating the plurality of threats and the items indicating the plurality of elements, one item is arranged on the vertical axis, the other item is arranged on the horizontal axis, and each column specified by the vertical axis and the horizontal axis An output unit that outputs an overall map that displays a result determined by the security control determination unit for a security control corresponding to a combination of threats and elements indicated by the vertical and horizontal axes. The security countermeasure standard creation support system according to any one of claims 1 to 4, further comprising: The input unit further accepts an operation for specifying, as a candidate criterion, a selection criterion as a candidate for change by an input device,
The security control measure determination unit extracts, from a selection criterion information stored in the selection criterion information storage unit, an execution criterion corresponding to a candidate criterion specified by an operation to the input unit by a processing device, and a threat and an element 6. The security countermeasure according to claim 5, wherein for each combination, the processing device determines whether or not the security management policy selected by the operation on the input unit satisfies the extracted execution standard. Standard creation support system.   The plurality of elements include, in addition to information assets as elements, at least one of a user of information assets, an administrator of information assets, a network, a facility, and an organization. The security countermeasure standard creation support system described in any of the above. For each of multiple security management measures that are measures to protect information assets from multiple threats, there are multiple threats that are addressed by the security control measures and multiple routes that configure the route to the information assets. Among the elements, security control information that defines the elements for which the security control is to be implemented, and
For each of the plurality of threats, threat information defining a plurality of elements constituting a threat path, and an order in which the plurality of elements configure the threat path;
Among the multiple elements that make up the threat path, for each of the multiple selection criteria that are the criteria for selecting the elements to be subject to security control measures, the elements selected by the selection criteria are A program that accesses a database that stores in a storage device selection criteria information that is designated by the rank of the element in the route,
An input process for accepting an operation for identifying a threat and selection criteria by an input device;
From the selection criterion information stored in the database, the rank of the element corresponding to the selection criterion specified by the operation to the input processing is extracted by the processing device, and from the threat information stored in the database to the input processing An element selection process for selecting an element corresponding to the threat identified by the operation in which the rank in the path of the threat matches the extracted rank by the processing device;
Security management for selecting a security management policy corresponding to a combination of a threat identified by an operation to the input process and an element selected in the element selection process from a security management information stored in the database by a processing device A program for causing a computer to execute a measure selection process. The selection criterion information is information that defines an implementation criterion that is a criterion of a security control measure to be further implemented for each of the plurality of selection criteria.
The input process is further accepted by the input device to select an arbitrary security control from the security control selected in the security control selection process,
The program further includes:
An execution criterion corresponding to the selection criterion specified by the operation to the input process is extracted from the selection criterion information stored in the database by the processing device, and the operation to the input process is performed for each combination of threat and element. A security control determination process for determining by the processing device whether the security control selected in (1) satisfies the extracted implementation standard;
Among the items indicating the plurality of threats and the items indicating the plurality of elements, one item is arranged on the vertical axis, the other item is arranged on the horizontal axis, and each column specified by the vertical axis and the horizontal axis Output processing for outputting an entire map that displays the result determined in the security control determination processing for the security control corresponding to the combination of the threat and the element indicated on the vertical axis and the horizontal axis by the output device. The program according to claim 8, wherein the program is executed by a computer. The input process further accepts an operation for specifying a selection criterion as a candidate for change as a candidate criterion by an input device,
The security control determination process extracts, from the selection criterion information stored in the database, an execution criterion corresponding to the candidate criterion specified by the operation to the input processing by a processing device, and for each combination of threat and element The program according to claim 9, wherein the processing device determines whether or not the security management policy selected by the operation for the input processing satisfies the extracted execution standard. For each of multiple security management measures that are measures to protect information assets from multiple threats, there are multiple threats that are addressed by the security control measures and multiple routes that configure the route to the information assets. Among the elements, security control information that defines the elements for which the security control is to be implemented, and
For each of the plurality of threats, threat information defining a plurality of elements constituting a threat path, and an order in which the plurality of elements configure the threat path;
Among the multiple elements that make up the threat path, for each of the multiple selection criteria that are the criteria for selecting the elements to be subject to security control measures, the elements selected by the selection criteria are Security measure standard creation support using a database that stores in a storage device selection criteria information that is designated by the rank of the element in the route,
The computer accepts an operation to identify threats and selection criteria through an input device,
The computer extracts, from the selection criterion information stored in the database, the rank of elements corresponding to the selection criterion specified by the operation, and is specified by the operation from the threat information stored in the database. The processing device selects an element corresponding to the threat that has the same rank in the path of the threat as the extracted rank,
A security countermeasure standard, wherein the computer selects a security management measure corresponding to a combination of the threat identified by the operation and the selected element from the security control measure information stored in the database by a processing device. Creation support method. The selection criterion information is information that defines an implementation criterion that is a criterion of a security control measure to be further implemented for each of the plurality of selection criteria.
The computer further accepts an operation for selecting an arbitrary security control from the selected security control by the input device,
The computer extracts from the selection criteria information stored in the database the implementation criteria corresponding to the selection criteria specified by the operation by the processing device, and the security selected by the operation for each combination of threat and element. The processing device determines whether or not the management policy satisfies the extracted implementation standard,
Among the items indicating the plurality of threats and the items indicating the plurality of elements, the computer arranges one item on the vertical axis and the other item on the horizontal axis, and is identified by the vertical axis and the horizontal axis. 12. The output device outputs an overall map that displays a result of determination regarding security management measures corresponding to combinations of threats and elements indicated on the vertical axis and the horizontal axis for each column. Security measures standard creation support method described in 1. The computer further accepts an operation for specifying a selection criterion as a candidate for change as a candidate criterion by the input device,
The computer extracts, from the selection criterion information stored in the database, an execution criterion corresponding to the candidate criterion specified by the operation, and the security selected by the operation for each combination of threat and element. 13. The security countermeasure standard creation support method according to claim 12, wherein the processing unit determines whether or not the management policy satisfies the extracted implementation standard.

Images