KR101292640B1 - Method for Risk Management using Web based RMS linked with SSO - Google Patents

Abstract

The present invention relates to a risk management method using a web-based risk management system linked to an integrated authentication system, and provides enhanced administrator authentication and accessibility through SSO (Integrated Authentication) and Risk Management System (RMS) interworking in a web environment. Its purpose is to.
An object of the present invention is a vulnerability sensor process for scanning the OS-specific vulnerabilities, network equipment vulnerabilities and web application vulnerabilities of the network area to be checked and stores the log file in the vulnerability database; A vulnerability collection process that collects the SSO authentication log and the process result of the vulnerability sensor process; Asset registration process that the administrator registers assets based on IP in the vulnerability collection result; An asset analysis process of estimating the asset value of an IT asset of a managed network corresponding to the registered asset by using an asset value formula defined by an administrator based on an internal security operation policy; A threat analysis process that calculates threat impact and threat frequency by grasping threat frequency and threat impact; Vulnerability analysis process for deriving vulnerability level from data collected by vulnerability sensor process; And a risk index for each asset, which calculates the risk index for each asset, the risk intensity for each asset, by calculating the calculated asset value and threat impact value, and calculates the risk for each asset through the threat frequency and vulnerability index. do.

Description

Risk management method using web based risk management system linked with integrated authentication system {Method for Risk Management using Web based RMS linked with SSO}

The present invention relates to network security technology, and more particularly, to a risk management method using a web-based risk management system (RMS) linked to a single sign on (SSO) system.

In general, companies or national organizations perform risk management to enable pre / post response to various events related to security breaches occurring in the network (hereinafter referred to as security events). In order to ensure availability, integrity and confidentiality, network management systems such as Enterprise Security Management (ESM), Risk Management System (RMS), and Threat Management System (TMS) are established. The security manager is in charge of enterprise-wide risk management.

The integrated security management system (ESM) manages by collecting and analyzing security events occurring in multiple security devices of the managed network in real time to perform integrated risk management to enable pre / post response to security events. Ensure the availability, integrity and confidentiality of multiple security devices in the target network.

The risk management system (RMS) collects and analyzes security events for IT assets of managed networks, such as various security devices or network devices (eg, servers, routers, etc.), to identify and respond to vulnerabilities and threats in advance. Prevent security accidents in advance and manage the security level at all times.

The threat management system (TMS) collects and analyzes security events occurring in a managed network, and in particular, detects, identifies, and comprehensively analyzes cyber threats of network traffic to provide early warning.

The network management system operated as described above may operate only one network management system or several network management systems at the same time according to the operating environment, but the administrator must go through a separate login procedure for each management system. In addition, there is a problem that accessibility is inferior in terms of administrator access because it is operated in C / S based rather than web based.

The present invention is to solve the conventional problems as described above, an object of the present invention is to provide an integrated authentication system with enhanced administrator authentication and accessibility through SSO (Integrated Authentication) and Risk Management System (RMS) interworking in the Web environment; It provides a risk management method using the linked web-based risk management system.

The risk management process using the web-based risk management system associated with the integrated authentication system for achieving the object of the present invention as described above is performed by the integrated authentication system (SSO: Single Sign On) and the network management system 210. In the risk management method using the web-based risk management system with enhanced administrator authentication and accessibility through interworking with the risk management system (RMS), vulnerabilities by operating systems (OS), network equipment vulnerabilities and web applications in the network area to be inspected. (Web Application) vulnerability sensor process for scanning the vulnerability and stores the log file in the vulnerability DB (203a); A vulnerability collection process 110 for collecting the SSO authentication log and the process result of the vulnerability sensor process 100; An asset registration process 120 of registering an asset by an administrator based on an information provider (IP) in the vulnerability collection result of the vulnerability collection unit 110; The basic indexes set in the security characteristics using Table 1 and Table 2 defined by the administrator on the basis of internal security operation policy of the asset value of the IT network of the managed network corresponding to the asset registered in the asset registration process 120. An asset analysis process 130 for calculating an asset value by using an asset value calculation formula (basic index x level value) multiplying a set value of the level step; Threat analysis process that calculates threat effect and threat frequency by identifying threat frequency (frequency of how often the same threat occurs) and threat impact (ripple intensity of how much impact a single threat has on an asset) (140 ); A vulnerability analysis process 150 for deriving a vulnerability level from data collected by the vulnerability sensor process 100; And multiplying the asset value calculated in the asset analysis process 130 and the threat impact value from the threat analysis process 140 to multiply the threat index by asset, the asset intensity of each asset as shown in Table 5, and the threat analysis process. Asset-based risk calculation process that calculates the risk for each asset (the threat index X vulnerability index by asset) through the vulnerability index in consideration of the threat frequency calculated in (140) and the vulnerability level score calculated in the vulnerability analysis process (150) ( 160); characterized in that consisting of.

The risk management method using the web-based risk management system linked with the integrated authentication system according to the present invention has a risk level of various types of vulnerabilities (vulnerabilities by OS, network equipment vulnerabilities, and web application vulnerabilities) for important assets in the enterprise / institution. It provides the information to the managers by estimating the cost, which can give credibility to secure the safety of internal assets.

In addition, it provides a strong administrator authentication method through SSO interworking with various types of network management systems (eg, integrated security management system (ESM), risk management system (RMS), threat management system (TMS), etc.) in the web environment. There is no need for a separate login procedure for each system, and access is granted to each administrator, which enables efficient operation.

In addition, by providing the convenience of access, the administrator can immediately respond to security breaches on the network to quickly protect the IT assets of the managed network.

1 is a block diagram showing a web-based risk management system associated with the integrated authentication system according to the present invention,
2 and 3 are flowcharts illustrating a comprehensive network risk analysis method according to the present invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.

1 is a block diagram showing a web-based risk management system associated with the integrated authentication system according to the present invention, SSO consisting of a web application (WAS), cryptographic module, Java virtual machine (JVM), operating system, hardware Server 200, the SSO server 200 is connected to the Web-based administrator terminal 201 for network management, SSO storage unit 202 for storing the audit log of the SSO server 200, and the SSO An authentication DB registered with the SSO server 200 and the integrated DB 203 including the asset DB 203a, the threat DB 203b, and the vulnerability DB 203c to store data collected through the storage unit 202. According to the network management system (integrated security management system (ESM), risk management system (RMS), threat management system (TMS)) 210 is installed SSO Agent for network management.

Here, the risk management system (RMS) is operated in conjunction with the SSO server 200 in a web environment.

A risk management method using a web-based risk management system linked to an integrated authentication system according to an embodiment of the present invention configured as described above will be described in detail with reference to the accompanying drawings.

First, SSO according to the present invention is composed of SSO Admin, SSO Server, SSO Agent, SSO Agent is installed in a plurality of network management systems to access and operate each network management system with a single login.

The network management system is composed of an integrated security management system (ESM), a risk management system (RMS), a threat management system (TMS), and the risk management system (RMS) Integrate and integrate the information collected in the vulnerability sensor process 100 from the integrated DB 203 and information on administrator authentication in the SSO audit log stored in the SSO storage unit 202 by the vulnerability collection process 110 Through the process of asset analysis 130, threat analysis 140, vulnerability analysis (150) using the data to calculate the risk for each asset (160) provides an environment in which the manager can take action (170).

The vulnerability sensor process 100 uses a vulnerability scanning tool, and the vulnerability collection process 110 collects vulnerability sensor collection information and SSO authentication log collection information.

The vulnerability sensor process 100 scans the OS-specific vulnerabilities, network device vulnerabilities, and web application vulnerabilities in the network area to be checked, and stores the corresponding log files in the vulnerable DB 203c, SSO. The authentication log collection information is used as an administrator access vulnerability by deriving information on administrator authentication from the SSO storage unit 202 for providing a web section integrated authentication service.

The vulnerability collecting process 110 collects the information collected by vulnerability scanning by the vulnerability sensor process 100 and the administrator authentication related information from the SSO storage unit 202 and stores the information in the vulnerability DB 203a.

Here, the collected vulnerabilities include hardware, OS, application software, network, data, and user vulnerabilities.

The contents stored through the vulnerability collecting process 110 are identified by the IP standard, and the asset registration process 120 is performed.

That is, the asset registration process 120 is a process representing a series of tasks for registering an asset to be managed in the asset DB 203c and automatically registers the asset based on the updated information which is automatically scanned by the vulnerability agent's execution result. .

The asset analysis process 130 is a process of analyzing the value of the target asset in a quantitative or qualitative manner in order to determine the importance of the asset and obtain information for measuring damage (impact) when a risk occurs.

That is, the asset analysis process 130 is a process of investigating all assets related to the risk analysis target system and estimating the value of these assets, and classifying them into asset research activities and asset value calculations. It consists of setting the scope and preparing the asset list. For the inputted asset information, the asset value is calculated through each asset analysis process, and the result is qualitatively or quantitatively derived according to the characteristics of each asset.

In this case, it is possible to calculate the quantitative value according to the characteristics of the asset. However, since the value of the asset is very difficult to calculate and reliability cannot be accurately guaranteed, the qualitative standard is used.

Therefore, as shown in Table 1, asset value analysis analyzes asset value in three stages of high, medium, and low based on the security characteristics of confidentiality, integrity, availability, dependence of assets, degree of external business connection, and asset purchase cost. . In other words, the asset value is calculated by multiplying the base index set in the security characteristic with the set value of each level level (base index x level value).

Tables 1 and 2 are used to estimate the value of an asset, and the value of an asset is three levels of six levels: confidentiality, integrity, availability, asset dependence, external business linkage, and asset purchase costs. We assign 3 points of baseline index for confidentiality, integrity, and availability, which should be valued due to the security characteristics of the asset, and 2 points for the dependence of the asset, other external linkages, and the cost of purchasing assets. The security feature calculates asset value by dividing one base index score.

Security Characteristics (Basic Index) Level steps Asset value High (H) Medium (M) Low (L) High (H) Medium (M) Low (L) Confidentiality (3) 3 2 One 9 6 3 Integrity (3) 3 2 One 9 6 3 Availability (3) 3 2 One 9 6 3 Dependency of assets (2) 3 2 One 6 4 2 External business connection degree (1) 3 2 One 3 2 One Asset Purchase Costs (1) 3 2 One 3 2 One

Security Characteristics (Basic Index) level Explanation Confidentiality (3) High (H) -Only authorized people within the organization
-When exposed to the outside, the level of personal privacy or lethal damage to the organization's business Medium (M) Can be made public within the organization
-If disclosed outside the organization, the level of personal privacy or the organization's business can cause significant problems. Low (L) -If disclosed outside the organization, the impact on personal privacy or the organization's business progress is minimal Integrity (3) High (H) Intentionally or accidentally altered levels that can seriously damage personal privacy or the organization's business Medium (M) Intentional or accidental changes that can cause significant privacy or organizational business problems. Low (L) Intentional or accidental changes have minimal impact on personal privacy or organizational business progress Availability (3) High (H) -Levels that can cause catastrophic damage to organizational operations and business progress in the event of a service outage Medium (M) If service is disrupted, it can cause significant problems for the organization's operations and business progress. Low (L) -If the service is interrupted, the impact on the organization's operation and business progress is minimal Dependency of assets (3) High (H) -Perform important tasks with current assets
-Paralyzed critical work in case of infringement on current assets
-Impact of organization's existence on paralysis Medium (M) -Perform some important tasks with current assets
-Paralyzed important tasks in case of infringement on current assets
-Significant damage to organization in case of paralyzed critical work Low (L) -Less important work performed with current assets
-In case of infringement on current assets, the impact of important business is small External business connection degree (3) High (H) -The tasks handled by the current assets directly support important tasks of other institutions
Disruption of current assets has a significant impact on the performance of other agencies Medium (M)
-Tasks handled by current assets support major tasks of other institutions
Disruption of current assets has an indirect effect on the performance of other agencies Low (L) -The work handled by the current asset is less related to the performance of other institutions Asset Purchase Costs (3) High (H) The purchase cost for current assets is very high Medium (M) The purchase cost for the current asset is medium Low (L) Low purchase costs for current assets

The threat analysis process 140 identifies threats, which are potential factors that can damage assets from the asset analysis process 130, and analyzes the possibility of occurrence of threats. It is divided into three types of attributes and threat rankings, which target threats specific to hardware, operating systems, application software, and networks that can be used in automated tools. Threat rankings are based on the impact of threats based on value, asset value and threat cycle.

In addition, the threat analysis process 140 calculates the threat effect and risk frequency for the identified threat type, and the threat effect is divided into four stages of "Low, Medium, High, and Grave" as shown in Table 4 below. do.

Rating score Explanation Low One  Minor impact on information assets Medium 2  Damage to information assets occurs High 3  Information system interruption situation Grave 4  Permanent interruption of the information system

The vulnerability analysis process 150 derives a vulnerability, which is a fundamental weakness of an asset, based on the property and importance of the assets derived through asset analysis, and analyzes the impact that the vulnerability may have on the overall risk.

In other words, the vulnerability level of the vulnerability analysis process 150 is defined in the qualitative five-stage rating, as published in the following Table 4, and the actual vulnerability level is a numerical value converted into a percentage, very high (VH) High, Medium, Low, Info.

Rating score Explanation V.H 4  The vulnerability is very likely to be exploited by a threat High 3  The vulnerability is likely to be exploited by a threat Medium 2  Usually the vulnerability is exploited by a threat Low One  The vulnerability is less likely to be exploited by threats Info 0  The level of vulnerability is not assigned

The risk calculation process 160 for each asset is based on the results of the asset analysis process 130, the threat analysis process 140, and the vulnerability analysis process 150. Calculate the Vulnerability Index.

That is, in the risk calculation process 160 for each asset, the risk for each asset is calculated by arithmetic of the threat index and vulnerability index (asset threat index x vulnerability index) for each asset, as calculated in Table 5 below.

division Arithmetic Threat Index by Asset  Asset Value x Threat Impact Score Vulnerability Index  Vulnerability Level Score x Threat Frequency Score

The risk management process 170 extends the SSO to account and authority management for the administrator authentication process, thereby subdividing the administrator access authority of the network management system into a total administrator, a monitoring administrator, and an RMS administrator.

In the risk management process 170, in order to adjust the current risk to the target risk level, it is possible to perform the action to adjust the threat spreading intensity and the frequency of threat occurrence.

In other words, by adjusting the risk intensity and the frequency of occurrence of the risk, the current risk can be adjusted to the target risk level, protecting internal IT assets against external threats and vulnerabilities, and effectively responding to cyber breach response.

2 and 3 are flowcharts illustrating an operation of a network management system according to an administrator's authority according to the present invention. This flowchart shows the access procedure for an administrator with the operating authority of.

As shown in this figure, if the administrator's authority is the top administrator, the SSO Agent can access the registered system with the same token, and the access procedure is as follows.

① The procedure attempts to log in the user.

② Enter ID / Password to login to RMS system.

③ The procedure issues tokens from SSO Agent after ID / Password verification.

④ The procedure is to send Redirection from SSO Agent to user.

⑤ The procedure requests the user to register the issued token with the SSO server.

(6) The procedure registers the token with the SSO server.

(7) The procedure sends a redirection from the SSO server to the user.

⑧ The user can access the RMS system with the token held by the user, and can operate by accessing the ESM, TMS, and RMS where the SSO Agent is installed without a separate login procedure. However, if the authority of the administrator who issued the token is limited to RMS, the administrator can access and operate only the RMS where the SSO Agent is registered.

The risk management method using the web-based risk management system linked to the integrated authentication system according to the present invention described above is not limited to the above-described embodiment, and without departing from the gist of the present invention as claimed in the following claims. Anyone with ordinary knowledge in the field of the invention has the technical spirit to the extent that it can be variously modified and implemented.

Description of the Related Art
100: vulnerability sensor process 110: vulnerability collection process
120: Asset Registration Process 130: Asset Analysis Process
140: threat analysis process 150: vulnerability analysis process
160: Risk Assessment Process by Asset 170: Risk Management Process
200: SSO server 201: administrator terminal
202: SSO storage unit 203: Integrated DB
210: network management system

Claims (13)

delete delete delete delete In the risk management method using the web-based risk management system with enhanced administrator authentication and accessibility through interworking with the single sign-on system (SSO) and the risk management system (RMS) of the network management system 210 in the web environment. In
A vulnerability sensor process of scanning an operating system (OS) vulnerability, a network device vulnerability, and a web application vulnerability of the network area to be checked and storing the log file in the vulnerability database 203a;
A vulnerability collection process 110 for collecting the SSO authentication log and the process result of the vulnerability sensor process 100;
An asset registration process 120 of registering an asset by an administrator based on an information provider (IP) in the vulnerability collection result of the vulnerability collection unit 110;
The asset value of the IT asset of the managed network corresponding to the asset registered in the asset registration process 120 is based on the internal security operation policy and the basic index set in the security characteristics defined by the administrator and the set value of each level step. Asset analysis process 130 for calculating the asset value using the multiplied asset value calculation formula;
A threat analysis process 140 for calculating a threat impact value of how often the same threat occurs and how much impact is generated on the asset by one threat occurrence;
A vulnerability analysis process 150 for deriving a vulnerability level from data collected by the vulnerability sensor process 100; And
The asset index calculated in the asset analysis process 130 and the threat impact value from the threat analysis process 140 are multiplied to calculate a threat index for each asset, the asset intensity index for each asset, and calculated in the threat analysis process 140. Asset risk calculation process 160 for estimating the risk of each asset through the vulnerability index in consideration of the threat frequency and the vulnerability level score calculated in the vulnerability analysis process 150,
The asset analysis process 130 is a process of investigating all assets related to the risk analysis target system and estimating the value of these assets, and classifying them into asset research activities and asset value calculations.
The asset investigation activity is composed of asset range setting and asset list preparation.
Web-based risks associated with integrated certification system, which calculates asset value through each asset analysis process and derives qualitative or quantitative results based on the characteristics of each asset for inputted asset information. Risk management method using management system.
In the risk management method using the web-based risk management system with enhanced administrator authentication and accessibility through interworking with the single sign-on system (SSO) and the risk management system (RMS) of the network management system 210 in the web environment. In
A vulnerability sensor process of scanning an operating system (OS) vulnerability, a network device vulnerability, and a web application vulnerability of the network area to be checked and storing the log file in the vulnerability database 203a;
A vulnerability collection process 110 for collecting the SSO authentication log and the process result of the vulnerability sensor process 100;
An asset registration process 120 of registering an asset by an administrator based on an information provider (IP) in the vulnerability collection result of the vulnerability collection unit 110;
The asset value of the IT asset of the managed network corresponding to the asset registered in the asset registration process 120 is based on the internal security operation policy and the basic index set in the security characteristics defined by the administrator and the set value of each level step. Asset analysis process 130 for calculating the asset value using the multiplied asset value calculation formula;
A threat analysis process 140 for calculating a threat impact value of how often the same threat occurs and how much impact is generated on the asset by one threat occurrence;
A vulnerability analysis process 150 for deriving a vulnerability level from data collected by the vulnerability sensor process 100; And
The asset index calculated in the asset analysis process 130 and the threat impact value from the threat analysis process 140 are multiplied to calculate a threat index for each asset, the asset intensity index for each asset, and calculated in the threat analysis process 140. Asset risk calculation process 160 for estimating the risk of each asset through the vulnerability index in consideration of the threat frequency and the vulnerability level score calculated in the vulnerability analysis process 150,
The threat analysis process 140 identifies threats that are potential factors that can damage assets from the asset analysis process 130 and analyzes the possibility of occurrence.
Based on the ripple intensity and the frequency of occurrence, the analysis is divided into three types of threat identification, threat attributes, and threat rankings, which target threats specific to hardware, operating systems, application software, and networks that can be used in automation tools.
The threat ranking is based on the threat cycle, the importance of the threat, the qualitative value of the asset, and the threat ranking based on the impact of the threat based on the asset value and the threat cycle. Risk Management Method.
delete In the risk management method using the web-based risk management system with enhanced administrator authentication and accessibility through interworking with the single sign-on system (SSO) and the risk management system (RMS) of the network management system 210 in the web environment. In
A vulnerability sensor process of scanning an operating system (OS) vulnerability, a network device vulnerability, and a web application vulnerability of the network area to be checked and storing the log file in the vulnerability database 203a;
A vulnerability collection process 110 for collecting the SSO authentication log and the process result of the vulnerability sensor process 100;
An asset registration process 120 of registering an asset by an administrator based on an information provider (IP) in the vulnerability collection result of the vulnerability collection unit 110;
The asset value of the IT asset of the managed network corresponding to the asset registered in the asset registration process 120 is based on the internal security operation policy and the basic index set in the security characteristics defined by the administrator and the set value of each level step. Asset analysis process 130 for calculating the asset value using the multiplied asset value calculation formula;
A threat analysis process 140 for calculating a threat impact value of how often the same threat occurs and how much impact is generated on the asset by one threat occurrence;
A vulnerability analysis process 150 for deriving a vulnerability level from data collected by the vulnerability sensor process 100; And
The asset index calculated in the asset analysis process 130 and the threat impact value from the threat analysis process 140 are multiplied to calculate a threat index for each asset, the asset intensity index for each asset, and calculated in the threat analysis process 140. Asset risk calculation process 160 for estimating the risk of each asset through the vulnerability index in consideration of the threat frequency and the vulnerability level score calculated in the vulnerability analysis process 150,
The threat impact of the threat analysis process 140 is divided into three stages of Low (1 point), Medium (2 points) and High (3 points), and the threat frequency is Low (1 point) and Medium (2 points). , High (3 points), and grave (4 points)
The vulnerability level of the vulnerability analysis process 150 is linked to the integrated authentication system, characterized in that divided into four stages of High (3 points), Medium (2 points), Low (1 point), Info (0 points). Risk management method using web based risk management system.
delete In the risk management method using the web-based risk management system with enhanced administrator authentication and accessibility through interworking with the single sign-on system (SSO) and the risk management system (RMS) of the network management system 210 in the web environment. In
A vulnerability sensor process of scanning an operating system (OS) vulnerability, a network device vulnerability, and a web application vulnerability of the network area to be checked and storing the log file in the vulnerability database 203a;
A vulnerability collection process 110 for collecting the SSO authentication log and the process result of the vulnerability sensor process 100;
An asset registration process 120 of registering an asset by an administrator based on an information provider (IP) in the vulnerability collection result of the vulnerability collection unit 110;
The asset value of the IT asset of the managed network corresponding to the asset registered in the asset registration process 120 is based on the internal security operation policy and the basic index set in the security characteristics defined by the administrator and the set value of each level step. Asset analysis process 130 for calculating the asset value using the multiplied asset value calculation formula;
A threat analysis process 140 for calculating a threat impact value of how often the same threat occurs and how much impact is generated on the asset by one threat occurrence;
A vulnerability analysis process 150 for deriving a vulnerability level from data collected by the vulnerability sensor process 100;
The asset index calculated in the asset analysis process 130 and the threat impact value from the threat analysis process 140 are multiplied to calculate a threat index for each asset, the asset intensity index for each asset, and calculated in the threat analysis process 140. An asset risk calculation process of estimating risk for each asset through a vulnerability index in consideration of the threat frequency number and the vulnerability level score calculated in the vulnerability analysis process 150; And
An integrated authentication system comprising: a risk management process (170) for adjusting the risk spreading intensity and the frequency of occurrence of risks to adjust the current risk calculated by the asset-specific risk calculation process (160) within a target risk level. Risk management using web-based risk management
11. The method of claim 10,
For the administrator authentication process of the risk management process 170, SSO is extended to account and rights management, and the administrator access authority of the network management system is subdivided into total administrator, monitoring administrator, and RMS administrator grade to perform administrator authentication. Risk management method using web-based risk management system linked with integrated authentication system.
The method of claim 11,
The SSO consists of SSO Admin, SSO Server, and SSO Agent, and installs SSO Agent in multiple network management systems to access and operate each network management system with a single login.
The network management system includes an integrated authentication system comprising an integrated security management system (ESM), a risk management system (RMS), and a threat management system (TMS). Risk management method using linked web based risk management system.
The method of claim 11,
The authority of the administrator of the network management system is a super administrator can access another network system where the SSO Agent is installed with the same token, and if the authority of the administrator who issued the token is limited to RMS, the RMS with the corresponding SSO Agent is installed. Risk management method using a web-based risk management system linked to the integrated authentication system, characterized in that only access to operate.

Images