WO2008004498A1

WO2008004498A1 - Security risk management system, device, method, and program

Info

Publication number: WO2008004498A1
Application number: PCT/JP2007/063087
Authority: WO
Inventors: Hiroshi Sakaki; Kazuo Yanoo
Original assignee: Nec Corporation
Priority date: 2006-07-06
Filing date: 2007-06-29
Publication date: 2008-01-10
Also published as: JP5304243B2; JPWO2008004498A1

Abstract

A security risk management system for presenting a countermeasure most suitable for the state of the running system from countermeasure candidates mitigating the risk by analyzing the risk from the state (presence/absence of fragility, occurrence frequency of fragility, and property value) of the running system. The security risk management system comprises current state analyzing means (201) for checking for presence/absence of fragility from a system (200) which is the object of risk management, property analyzing means (202) for checking property information, risk analyzing means (103) for calculating the risk value according to the collected fragility information and the property information and a risk model presenting the relation among the fragility, the property, and the threat, countermeasure plan creating means (105) for creating countermeasure plans to reduce the risk value within an allowable range according to a countermeasure model representing the relation among the threat, the countermeasure, and various costs (restrictions), and countermeasure priority order determining means (107) for presenting countermeasure plans arranged in the priority order according to the countermeasure order determining policy determining a cost valuation method.

Description

Specification

Security risk management system, apparatus, method, and program

Technical field

[0001] (Related application) This application claims the priority of the previous Japanese patent application No. 2006-187236 (filed on July 6, 2006). It shall be deemed to have been incorporated with citations.

The present invention relates to a security risk management system, apparatus, method, and program for managing security risks in a target system, and in particular, a security risk management system, apparatus, method, and program used for security risk management during operation of the target system. And programs. Background art

[0002] As an organization becomes more dependent on information systems, the importance of information security is becoming increasingly important. The ultimate goal of information security is to ensure that the information system is operated in accordance with predetermined requirements (security policy). However, it is practically difficult to ensure 100% information security at all times. There are three reasons for this.

[0003] The first is due to a technical problem that the mechanism for ensuring security is insufficient. The second is due to the economic constraints that the costs of strengthening and operating security are limited and sufficient measures cannot always be taken. Third, the three requirements that make up security are: Confidentiality / Integrity 'Availability' is essentially the opposite, and in many cases they cannot be guaranteed at the same time.

[0004] Therefore, the information system security administrator evaluates the security risks to which the system is exposed, considers the technical and economic constraints, and concludes conflicting requirements. An optimal system configuration must be built, maintained, and improved. This is called security risk management. Several methods have been disclosed for managing system security risks.

[0005] As one of the prior arts, Patent Document 1 is based on the inspection result by the vulnerability inspection tool. Discloses a method for notifying unauthorized access countermeasure tools to protect discovered vulnerabilities. This is called prior art 1.

[0006] In addition, as another conventional technique, in Patent Document 2, attribute information such as loss amount 'confidentiality' is assigned to a file with asset value, and file access to the file 'network access is based on Discloses a method for updating the risk value. In the method described in Patent Document 2, if the updated risk value exceeds a pre-specified threshold, measures such as file access restriction and file deletion are taken.

[0007] In addition, Patent Document 3 discloses a method for taking countermeasures (patch application or firewall network access control) to deal with detected attacks based on the detection results of the unauthorized intrusion detection tool. . Patent Document 4 discloses a method for generating countermeasures by performing risk analysis in consideration of security incident information and information asset information corresponding to the discovered vulnerability. Such a technique disclosed in Patent Documents 2, 3, and 4 is referred to as Conventional Technique 2.

[0008] Further, as another conventional technique, Non-Patent Document 1 is based on pre-defined information such as the frequency of occurrence of vulnerabilities, the amount of damage at the time of the occurrence of a threat, and the cost (expense) of an implementation method for dealing with it. In addition, a method for selecting a candidate set of countermeasure targets that can reduce risk most efficiently at low cost has been proposed.

[0009] Further, in Non-Patent Document 2, there is a method for selecting a countermeasure target candidate set that can reduce risk most efficiently at a low cost based on the relationship between the occurrence probability of a predefined threat and the value of information assets. Proposed. Such technology disclosed in Non-Patent Documents 1 and 2 is referred to as Conventional Technology 3.

[0010] Patent Document 1: Japanese Patent Application Laid-Open No. 2002-328896

Patent Document 2: Japanese Patent Laid-Open No. 2005-190066

Patent Document 3: Japanese Patent Laid-Open No. 2005-301551

Patent Document 4: Japanese Patent Laid-Open No. 2005-242754

Non-Patent Document 1: Nagai et al., “Proposal for Basic Design of Security for Information Systems Considering Functional Compatibility”, Journey to the Journal of Information Processing, April 2004, Vol. 45, No. 4

Non-Patent Document 2: Nakamura et al., "Proposal and Evaluation of a Practical Method for Selecting Security Measures" , Journey to the Journal, August 2004, Vol. 45, No. 8

Disclosure of the invention

Problems to be solved by the invention

[0011] The disclosures of Patent Documents 1 to 4 and Non-Patent Documents 1 to 2 described above are incorporated herein by reference.

With the prior art 1, it is possible to keep the security risk of the operating system below a certain level. However, since the relationship between the target vulnerabilities and countermeasures is fixed, security risk management that can take adaptive countermeasures according to the system status has not been realized.

[0012] Conventional technology 2 solves the problem of conventional technology 1 by introducing a risk analysis method to some extent when detecting the state power vulnerability of the system and deriving the detected countermeasures against the vulnerability. . However, in general, there are multiple countermeasures against a given threat, but in Conventional Technology 2, the means for determining which countermeasure should be derived from multiple countermeasures is fixed, and is not always optimal. Measures are now available!

[0013] In particular, when a countermeasure is taken for an operating system, side effects such as interruption of business due to a server stop and reduced convenience due to enhanced access authority may occur depending on the countermeasure. For this reason, measures with less side effects may be desired than measures that minimize the risk. Therefore, when taking measures on a system in operation, it is desirable that the security administrator can determine how much side effects are caused by the measures. In addition, when multiple countermeasures are possible, it is desirable to take step-by-step countermeasures as soon as possible, taking measures that can be easily implemented as an emergency measure and gradually shifting to an ideal measure.

[0014] Prior art 3 is intended to be used when selecting the optimal configuration at the time of system design 'introduction, and has the function to determine the current risk of the operating system and output the optimal countermeasures. do not have. In addition, it is necessary to input all information such as the frequency of vulnerability occurrence and the value of information assets. However, it is difficult to update such information according to the operating status of the system. In addition, although the cost of implementing measures is taken into account, restrictions such as availability are taken into account! [0015] In other words, the first problem with the conventional technology is that the risk is reduced after analyzing the risk based on the state of the operating system (whether there is a vulnerability, the frequency of occurrence of the vulnerability, the asset value, etc.). This means that it is not possible to present an optimal countermeasure method from candidate countermeasures. The reason for this is that the conventional technology is in operation when evaluating side effects (cost required for introduction, interruption of work due to server shutdown, reduced convenience due to enhanced access authority, etc.). This is because the state of the system is not considered.

[0016] The second problem is that when multiple countermeasures are considered, it is not possible to prioritize the countermeasures in consideration of multifaceted side effects such as costs and reduced availability when taking countermeasures. Or the security administrator cannot determine what side effects will occur and to what extent. Prior art 3 has proposed a method to reduce the risk in consideration of the cost at the time of introduction, but it does not consider other constraints such as reduced availability.

[0017] The third problem is that step-by-step measures are not taken into account when measures that can be easily taken are taken as an emergency measure and gradually shifted to an ideal measure. The reason for this is that the conventional technology has realized a countermeasure plan that takes into account the reduction in availability due to countermeasures and the lead time (deployment time) until countermeasures are taken.

[0018] Therefore, the present invention analyzes the risk based on the state of the operating system, and considers various constraints that occur in the operating system from the countermeasure candidates for reducing the risk, and is optimal. The purpose is to provide a security risk management system, apparatus, method and program capable of presenting countermeasures.

Means for solving the problem

[0019] According to the first aspect of the present invention, state analysis means (for example, current state analysis means, asset analysis) that analyzes the state of the target system (for example, presence or absence of vulnerability, occurrence frequency of threat, asset value). And a risk determination means (for example, a risk analysis means) for determining the security risk of the target system based on the analysis result of the state analysis means, and the security risk exceeds a predetermined allowable range by the risk determination means. If the target system is determined to be, the risk reduction that indicates the degree of security risk that is reduced by implementing the predetermined countermeasures on the target system, and the various restrictions that occur on the target system by implementing the predetermined countermeasures The Security risk management system that manages the security risk in the target system, with a measure plan selection means (for example, a measure plan generation means) that selects a measure plan to reduce the security risk based on the degree of constraint Is provided.

[0020] In addition, the security risk management system outputs countermeasure plan information including a risk reduction degree of the countermeasure and a degree of restriction of the countermeasure for the countermeasure proposal selected by the countermeasure proposal selecting means. Countermeasure plan information output means (for example, countermeasure priority order determination means) and countermeasure execution means for executing predetermined processing to reduce security risks according to the countermeasure plan selected by the countermeasure plan selection means (for example, implementation of countermeasures) And means 203). Here, as a process to reduce the security risk, for example, in order to set a password for the disk encryption tool, a process for displaying a warning screen when the user logs on, or a password is set. It is desirable to adopt a process that sends an email alerting the user.

[0021] Further, the state analysis means analyzes at least the presence / absence of the vulnerability of the target system and the value of the target system, and the risk judgment means analyzes the presence / absence of the vulnerability of the target system and the target system. A threat model that predefines the asset value, the threat model that defines the frequency of occurrence of security threats in advance, and the vulnerabilities related to the manifestation of threats based on the presence or absence of vulnerabilities in advance; and Based on the threat asset model that defines the relationship between the threat and the threat related to the impact of asset manifestation in advance, the risk value indicating the security risk level of the target system is calculated, and the above countermeasures are taken. The draft selection means includes a vulnerability-one countermeasure model that defines countermeasure means for reducing the security risk due to each vulnerability in advance, and is created in the target system by implementing each countermeasure means in advance. Based on the countermeasure constraint model that defines the degree of constraint that indicates the size of various constraints, countermeasure measures that meet the specified conditions after the implementation of the risk value and various constraint degrees can be selected as countermeasure plans. Good.

[0022] In addition, the security risk management system described above is a countermeasure stage that is defined according to the implementation stage of the countermeasure, and the transition condition of the countermeasure stage power is set for each countermeasure stage to which the countermeasure to be implemented is associated. Either a storage means (for example, a countermeasure model storage means) for storing defined countermeasure stage transition rules (for example, a countermeasure scenario model) or a countermeasure proposal selected by the countermeasure proposal selecting means according to a predetermined condition. ,versus It is provided with countermeasure scenario generation means (for example, countermeasure scenario generation means) that generates a countermeasure scenario that indicates which countermeasure proposal is executed at which timing by assigning it to each countermeasure stage indicated by the countermeasure stage transition rule. Well, okay.

[0023] In addition, the security risk management system generates the countermeasure scenario based on at least the state change of the target system, the current time, or the elapsed time since the countermeasure was implemented, according to the countermeasure stage transition rule. A measure execution decision means (measure measure determination means) that determines the measure plan to be executed by transitioning the measure stage on the measure scenario generated by the measure may be provided! / ヽ.

[0024] Further, the security risk management system includes a target system that is a target of risk management, and a risk management device that is connected to the target system via a communication network, and the target system includes the target system. A current state analysis means for determining whether there is a vulnerability and transmitting the determination result to the risk management system; and an asset analysis means for determining the value of the target system and transmitting the determination result to the risk management system, The risk management device determines a security risk from information collection means for collecting vulnerability information indicating whether there is a vulnerability in the target system and asset information indicating the value of the target system from the target system. As a risk model, there are at least a threat model that is information indicating the frequency of occurrence of each security threat and a threat model. For each threat, the threat vulnerability model, which is the relationship between the existence of each vulnerability related to the threat manifestation, and each threat indicated by the threat model, Implemented at least for each vulnerability indicated by the threat vulnerability model as a risk model storage means for storing the threat asset model, which is information indicating the degree of impact on the asset, and a countermeasure model for determining the countermeasure means Measures that store the vulnerability one countermeasure model, which is information indicating possible countermeasure means, and the countermeasure constraint model, which is information indicating the degree of various restrictions of the countermeasure means, for each countermeasure means indicated by the vulnerability one countermeasure model By analyzing the vulnerability information and asset information collected by the model storage means and the information collection means using each model stored in the risk model storage means A risk analysis means for calculating a risk value based on the frequency of occurrence of each threat in the target system, the degree of vulnerability to each threat, and the degree of impact on the assets of the target system when each threat becomes apparent; Risk analysis hand When the risk value calculated by the step exceeds the predetermined tolerance, it is implemented by analyzing countermeasures against vulnerabilities that have been discovered using each model stored in the countermeasure model storage means. This means that the countermeasure means that the risk value and the degree of restriction later meet the predetermined condition is equipped with the countermeasure proposal generation means for selecting the countermeasure proposal.

[0025] Further, according to the second aspect of the present invention, based on the state of the target system! /, A risk determination means for determining the security risk of the target system, and the security risk is determined by the risk determination means. If it is determined that the allowable range is exceeded, the risk reduction degree indicating the degree of security risk that is reduced by implementing the prescribed countermeasures on the target system, and the occurrence of the prescribed measures on the target system A security risk management device is provided for managing the security risk in the target system, including a measure plan selection means for selecting a measure plan for reducing the security risk based on the constraint level indicating the size of various constraints. The

[0026] Further, the security risk management apparatus outputs countermeasure plan information including a risk reduction degree of the countermeasure and a degree of restriction of the countermeasure for the countermeasure proposal selected by the countermeasure proposal selecting means. It is also possible to provide countermeasure proposal information output means and countermeasure execution means for executing predetermined processing for reducing security risk according to the countermeasure proposal selected by the countermeasure proposal selection means.

[0027] In addition, the risk determination means includes the presence / absence of vulnerability of the target system, the asset value of the target system, a threat model in which the occurrence frequency of security threats is defined in advance, and a threat based on the presence / absence of vulnerability in advance. A threat vulnerability model that defines the relationship between vulnerabilities and threats related to the manifestation of threats in advance, and a threat asset model that defines the relationship between threats and assets related to the impact on assets due to the manifestation of threats in advance. Based on the above, the risk value indicating the degree of security risk of the target system is calculated, and the countermeasure proposal selection means is a vulnerability that defines countermeasure means for reducing the security risk due to each vulnerability in advance. Based on a countermeasure model and a countermeasure constraint model that defines the degree of constraint that indicates the size of various constraints that occur in the target system by implementing each countermeasure measure in advance. In addition, countermeasures with various degrees of restriction that meet predetermined conditions may be selected as countermeasures. [0028] In addition, the security risk management device described above is a countermeasure stage that is defined according to the implementation stage of the countermeasure, and for each countermeasure stage to which the countermeasure to be implemented is associated, a countermeasure that defines a transition condition for the countermeasure stage power. By allocating one of the storage means for storing the stage transition rule and the countermeasure proposal selected by the countermeasure proposal selecting means to each countermeasure stage indicated by the countermeasure stage transition rule according to a predetermined condition, V. It is possible to provide a countermeasure scenario generation means for generating a countermeasure scenario indicating whether a countermeasure plan for deviation is executed at the timing of deviation.

[0029] Further, the security risk management device generates the countermeasure scenario based on at least the state change of the target system, the current time, or the elapsed time of the power when the countermeasure is implemented in accordance with the countermeasure stage transition rule. There may be provided countermeasure execution decision means for deciding a countermeasure plan to be executed by changing the countermeasure stage on the countermeasure scenario generated by the means.

[0030] In addition, the security risk management device includes, from the target system, information collection means for collecting vulnerability information indicating whether there is a vulnerability in the target system and asset information indicating the value of the target system, security risk, As a risk model for determining whether or not there are vulnerabilities related to the realization of threats, the threat model is information that indicates at least the frequency of occurrence of each threat on the security and each threat indicated by the threat model. Threat model, which is information indicating the relationship, and risk model that stores the threat asset model, which is information indicating the degree of impact on the assets of the target system due to the manifestation of the threat for each threat indicated by the threat model As a countermeasure model for determining the storage means and countermeasure means, at least for each vulnerability indicated in the threat vulnerability model The vulnerability one countermeasure model, which is information indicating the countermeasure means to be stored, and the countermeasure constraint model, which is information indicating the degree of various restrictions of the countermeasure means, are stored for each countermeasure means indicated by the vulnerability one countermeasure model. The countermeasure model storage means and the vulnerability information and asset information collected by the information collection means are stored in the risk model storage means and analyzed by using each model, and each threat in the target system is analyzed. Risk analysis means that calculates the risk value based on the frequency of occurrence, the size of the vulnerability to each threat, and the degree of impact on the assets of the target system when each threat emerges, and the risk analysis means Risk value When the limit is exceeded, the countermeasures against the vulnerabilities whose existence has been discovered are analyzed using each model stored in the countermeasure model storage means, so that the risk value and various degrees of restriction after implementation are predetermined. It is also possible to adopt a configuration comprising countermeasure means generating means for selecting countermeasure means that meet the above conditions as a countermeasure proposal.

[0031] According to the third aspect of the present invention, a state analysis step for analyzing the state of the target system, a risk determination step for determining the security risk of the target system based on the analysis result, When it is determined that the risk exceeds the predetermined allowable range, the risk reduction degree indicating the degree of security risk V, which is reduced by implementing the predetermined countermeasures on the target system, and the predetermined countermeasures are implemented. Security measures to manage the security risks in the target system, including a measure proposal selection step for selecting a measure plan for reducing the security risk based on the degree of restriction indicating the size of each type of constraint generated in the target system. A risk management method is provided.

[0032] Further, the security risk management method outputs a countermeasure plan information output step including, for the selected countermeasure plan, countermeasure plan information including a risk reduction degree of the countermeasure and a degree of constraint of the countermeasure. And a countermeasure execution step for executing a predetermined process for reducing the security risk in accordance with the selected countermeasure plan.

[0033] In the state analysis step, at least the presence / absence of the vulnerability of the target system and the value of the target system are analyzed, and in the risk determination step, the presence / absence of the vulnerability of the target system and the assets of the target system are analyzed. A threat model that defines the value and frequency of occurrence of security threats in advance, a threat that predefines the relationship between vulnerabilities and threats related to the emergence of threats based on the presence or absence of vulnerabilities, and a threat model Based on the threat asset model that defines the relationship between the asset and the threat related to the impact on the asset due to the materialization of risk, a risk value indicating the security risk level of the target system is calculated and In addition, a vulnerability countermeasure model that defines countermeasures to reduce the security risk due to each vulnerability in advance, and the target scenario by implementing each countermeasure in advance. Based on the countermeasure constraint model that defines the degree of restriction that indicates the size of various restrictions that occur in the system, the countermeasure means that the risk value after implementation and the degree of restriction meet the specified conditions is selected as a countermeasure proposal. That's right. [0034] In addition, the security risk management method described above is a countermeasure stage that is defined according to the implementation stage of a countermeasure, according to a predetermined condition, according to a predetermined condition. For each countermeasure stage to be associated, assign it to each countermeasure stage indicated by the countermeasure stage transition rule that defines the transition conditions from the countermeasure stage. Including a countermeasure scenario generation step that generates a countermeasure scenario that indicates

[0035] Further, the security risk management method is based on the countermeasure scenario based on at least the state change of the target system, the current time, or the elapsed time of the force when the countermeasure is implemented according to the countermeasure stage transition rule. It includes a measure execution decision step that decides a measure plan to be executed by transitioning the measure stage.

[0036] Further, in the security risk management method, the target system determines whether there is a vulnerability in the target system, sends the determination result to the risk management system, and the target system power determines the value of the target system. The step of sending the judgment results to the risk management system, and the risk management device collects the vulnerability information indicating the presence or absence of the vulnerability of the target system and the asset information indicating the value of the target system from the target system And the risk management device uses the vulnerability model and asset information collected by the information collection means, the threat model that is the information indicating the occurrence frequency of each security threat, and each threat indicated by the threat model. Is indicated by the threat vulnerability model, which is information indicating the relationship between the existence of each vulnerability related to the manifestation of the threat, and the threat model Analyzing threats using the threat asset model, which is information indicating the degree of impact of threats on the assets of the target system, the frequency of occurrence of each threat in the target system and the vulnerability to each threat. The step of calculating the risk value based on the size and the impact on the assets of the target system when each threat becomes apparent, and the risk management device, when the calculated risk value exceeds the predetermined allowable range For each vulnerability indicated in the vulnerability vulnerability model, there is a vulnerability one countermeasure model that is information indicating the countermeasures that can be implemented, and each countermeasure means indicated in the vulnerability one countermeasure model! By analyzing countermeasures against vulnerabilities that have been discovered using countermeasure constraint models, which are information indicating the degree of various constraints on the means, the risk values and various constraints after implementation are analyzed. Pairs but which meets a predetermined condition The measure means may be a method including a step of selecting as a measure plan.

[0037] Further, according to the fourth aspect of the present invention, a state analysis process for analyzing the state of the target system on a computer, a risk determination process for determining the security risk of the target system based on the analysis result, The degree of security risk that can be reduced by implementing the prescribed measures on the target system when it is determined that the security risk exceeds the prescribed tolerance! Based on the degree of risk reduction that indicates /, and the degree of restriction that indicates the size of various restrictions that occur in the target system by implementing the prescribed countermeasures, a countermeasure plan for reducing the security risk is selected. A security risk management program is provided to execute countermeasure selection processing and manage security risks in the target system.

[0038] Further, the security risk management program outputs to the computer a countermeasure plan information including a risk reduction degree of the countermeasure and a constraint degree of each countermeasure for the selected countermeasure plan. In accordance with the information output process and the selected countermeasure plan, the countermeasure execution process for executing a predetermined process for reducing the security risk may be executed.

[0039] Further, the security risk management program causes the computer to analyze at least whether there is a vulnerability in the target system and the value of the target system in the state analysis process, and in the risk determination process, The relationship between the presence of vulnerabilities, the asset value of the target system, the threat model that predefines the occurrence frequency of security threats, and the vulnerabilities and threats related to the manifestation of threats based on the presence or absence of vulnerabilities in advance Risk value that indicates the degree of security risk of the target system based on the defined threat vulnerability model and the threat asset model that defines the relationship between the asset and the threat related to the asset impact caused by the manifestation of the threat in advance. A vulnerability pair that defines countermeasures to reduce the security risk due to each vulnerability in the countermeasure proposal selection process in advance. Based on the model and the countermeasure constraint model that defines the degree of constraint that indicates the size of various constraints that occur in the target system by executing each countermeasure measure in advance, the risk value and various constraint levels after implementation are the specified conditions. It is possible to select a countermeasure means that matches the above as a countermeasure plan.

[0040] Further, the security risk management program defines, in the computer, any of the selected countermeasure proposals according to the implementation stage of the countermeasures according to a predetermined condition. For each countermeasure stage to which the countermeasure to be implemented is associated, assigning it to each countermeasure stage indicated by the countermeasure stage transition rule that defines the transition conditions from the countermeasure stage, V, deviation of Measure scenario generation processing may be executed to generate a measure scenario indicating whether the measure plan is to be executed at the timing of deviation.

[0041] Further, according to the security risk management program, at least based on the state change of the target system, the current time, or the elapsed time since the countermeasure was taken according to the countermeasure stage transition rule! The countermeasure execution decision process for determining the countermeasure plan to be executed may be executed by changing the countermeasure stage on the countermeasure scenario.

[0042] Further, the security risk management program collects information from a target system on the computer, such as vulnerability information indicating the presence or absence of the vulnerability of the target system and asset information indicating the value of the target system. Vulnerability information and asset information collected by means of the threat model, which is information indicating the frequency of occurrence of each security threat, and each vulnerability indicated by the threat model for each vulnerability related to the manifestation of the threat. The threat vulnerability model, which is information indicating the presence / absence relationship, and the threat asset model, which is information indicating the degree of impact on the assets of the target system due to the realization of the threat, for each threat indicated by the threat model. To analyze the frequency of occurrence of each threat in the target system, the level of vulnerability to each threat, and the target when each threat becomes apparent Risk level based on the impact on system assets, and when the calculated risk value exceeds a predetermined tolerance, it can be implemented for each vulnerability indicated in the threat vulnerability model Existence exists by using the vulnerability one countermeasure model that is information indicating countermeasure means and each countermeasure means indicated by the vulnerability one countermeasure model using a countermeasure constraint model that is information indicating the degree of various restrictions of the countermeasure means. By analyzing countermeasures against discovered vulnerabilities, it is possible to create a program that executes a process of selecting countermeasure means that meet the specified conditions for the risk value and various constraints after implementation. it can.

The invention's effect

[0043] According to the present invention, the risk determination means determines the security risk based on the analysis result of the state of the system that is the object of risk management, and then the measure proposal selection means determines the risk reduction degree and various restriction degrees. Is generated in the target system because it is configured to select countermeasures based on It is possible to present an optimal countermeasure plan in consideration of various constraints.

[0044] For example, by implementing countermeasures from candidate countermeasures that reduce current security risks analyzed based on the state of the operating system (existence of vulnerabilities, frequency of occurrence of vulnerabilities, asset value, etc.) In consideration of various constraints that occur, it is possible to present the most appropriate countermeasures. The reason is that the risk value is calculated using a risk model for analyzing a predetermined security risk from the asset value and vulnerability information in the target system obtained by examining the state of the system. Furthermore, this is because a countermeasure model for determining countermeasure means determined in advance is used to generate a countermeasure plan after calculating various costs (constraints) generated when the countermeasure is implemented.

[0045] Further, in a specific viewpoint or embodiment of the present invention, when a plurality of countermeasures are conceivable, the security administrator determines how much various costs are incurred when implementing the countermeasures. Can implement optimal measures. The reason is, for example, whether to prioritize the decline in availability or prioritize rapid countermeasure deployment by defining multiple costs such as equipment cost, availability cost, and deployment cost as a countermeasure model. Whether to give priority to minimizing the overall cost, t can present several different countermeasures, and what measures should be taken by the security administrator and what cost This is because it will be possible to grasp whether it will occur.

[0046] Further, in a specific viewpoint or embodiment of the present invention, the security administrator implements step-by-step countermeasures when a simple countermeasure is taken as an emergency measure and gradually transitions to an ideal countermeasure. it can. The reason for this is that when a measure with a low deployment cost is implemented first, and then an optimum measure is taken in consideration of other conditions (costs), a typical measure implementation pattern is generated as a measure scenario. It is because it can be implemented.

Brief Description of Drawings

FIG. 1 is a block diagram showing a configuration example of a security risk management system according to the present invention.

FIG. 2 is a flowchart showing an example of an operation in which the security risk management system implements countermeasures according to the security risk of the target system.

FIG. 3 is an explanatory diagram showing an example of the data structure of vulnerability information stored in the state storage means. 4) It is an explanatory diagram showing an example of the confidential level of a document file and its value.

FIG. 5 is an explanatory diagram showing an example of the data structure of asset information stored in the state storage means.

FIG. 6 is an explanatory diagram showing an example of a threat model.

7] It is an explanatory diagram showing an example of a threat-vulnerability model.

8] It is an explanatory diagram showing an example of the data storage format of the threat-vulnerability model.

9) An explanatory diagram showing an example of a solution of a function that also derives threat-vulnerability model power. [10] Threat is an explanatory diagram showing an example of an asset model.

[11] This is a flowchart showing an example of risk analysis processing performed by the risk analysis means.

V12] Vulnerability—An explanatory diagram showing an example of a countermeasure model.

[13] Countermeasure—An explanatory diagram showing an example of a cost model.

圆 14] This is an explanatory diagram showing an example of a combination of vulnerability—countermeasure model and measure—cost model 104b.

15) This is a flowchart showing an example of countermeasure plan generation processing performed by the countermeasure plan generation means.

圆 16] It is an explanatory diagram showing an example of a threat-vulnerability-countermeasure model.

圆 17] It is explanatory drawing which shows the example of the screen which a countermeasure priority order determination means outputs.

圆 18] It is an explanatory view showing an example of a setting screen for setting a countermeasure order determination policy.圆 19] It is explanatory drawing which shows the example of the setting screen for setting a countermeasure ranking decision policy. [20] It is an explanatory diagram showing an example of threat-vulnerability-countermeasure model expressed using countermeasure-related operators.

圆 21] This is a flowchart showing an example of the process of generating a countermeasure proposal for threat-vulnerability-measure model power using countermeasure-related operators.

FIG. 22 is a block diagram showing a configuration example of a security risk management system according to a second example.

FIG. 23 is an explanatory diagram showing an example of a countermeasure scenario model 114c for “information leakage due to occurrence of a worm”.

[Figure 24] This is an example of a measure confirmation screen when each measure is assigned to a measure stage according to cost.

圆 25] It is an explanatory diagram showing an example of the components of the countermeasure scenario model. FIG. 26 is a flowchart showing an example of countermeasure scenario generation processing performed by the countermeasure scenario generation means.

[0048] 100 risk management system

101 State storage means

102 Risk model storage means

102a Threat model

102b Threat—Vulnerability Model

102c Threat Asset Model

103 Risk analysis tools

104 Countermeasure model storage means

104a Vulnerability—the countermeasure model

104b Countermeasure—Cost Model

105 Proposal generation method

106 Policy storage means

106a Policy for determining the order of measures

107 Countermeasure priority determination means

200 target system

201 Analysis method

202 Asset analysis tools

203 Countermeasure implementation measures

111 Countermeasure scenario generation means

112 Countermeasure execution judgment means

114c Countermeasure scenario model

211 Event collection means

BEST MODE FOR CARRYING OUT THE INVENTION

[0049] Example 1.

Subsequently, as the best mode for carrying out the present invention, the security of the system in operation is In addition to generating multiple countermeasure proposals when the risk is beyond the allowable range, it also shows how many restrictions (various side effects such as cost and availability reduction) that occur when each countermeasure is implemented. A first embodiment of the present invention that assists the security administrator in making an appropriate decision will be described.

Hereinafter, a first embodiment of the present invention will be described with reference to the drawings. FIG. 1 is a block diagram showing a configuration example of a security risk management system according to the present invention. As shown in FIG. 1, the security risk management system includes a risk management system 100 and a target system 200. The risk management system 100 and the target system 200 are connected via a communication network such as the Internet, for example. Specifically, the risk management system 100 is realized by an information processing apparatus such as a workstation or a personal computer.

[0051] The risk management system 100 includes a state storage means 101, a risk model storage means 102, a risk analysis means 103, a countermeasure model storage means 104, a countermeasure plan generation means 105, a policy storage means 106, Countermeasure priority order determining means 107 and policy setting means 108 are provided. Further, the target system 200 subject to risk management includes a current state analyzing means 201, an asset analyzing means 202, and a countermeasure implementing means 203.

The target system 200 is specifically an information processing apparatus such as a personal computer in which an operating system (OS) is installed. For example, the target system 200 is a terminal used by a user (hereinafter referred to as a client PC) or various servers. In this embodiment, it is assumed that the target system is a client PC or server on which Microsoft Windows (registered trademark) is installed, and is not limited to this. For example, Linux (registered) It may be a server workstation on which (trademark) is installed. In addition, in FIG. 1, a force security risk management system showing one target system 200 includes a plurality of target systems 200, and one risk management system 100 may manage a plurality of target systems 200. Oh ,.

The current state analyzing means 201 checks the state of the target system 200, determines whether or not there is a vulnerability, and notifies the risk management system 100 of it. In this embodiment, the target system 200 provided with the current state analysis means 201 determines whether or not there is a vulnerability on the target system 200, and transmits it to the risk management system 100 as vulnerability information of the target system 200 for status analysis. It is stored in the payment means 101. Vulnerability refers to the nature of an information system (system defects, specification problems, user usage, etc.) that can be a cause of information security threats in an information system. Vulnerabilities are, for example, “Disk encryption tool installed! / ヽ”, information on the installation of software, and system status such as “USB memory is available”. User account information such as “Guest account is not disabled”, or “The telnet service is executed” and the status of the operating system.

The asset analysis means 202 examines the state of the target system 200, determines the security level (an index required for confidentiality, integrity, and availability) of the asset, and notifies the risk management system 100 of it. In this embodiment, in the target system target system 200 including the asset analysis means 202, the confidentiality of the document file existing on the target system 200 is determined, and the risk management system is used as the asset information of the target system 200. It is transmitted to 100 and stored in the state storage means 101. Here, the confidentiality of the document file is an index that represents a classification (degree) relating to the confidentiality of the document, which is determined in advance according to the security policy, such as “personal information”, “handling information”, and “confidential information”. It is determined by the contents of the document stored as a file.

The countermeasure execution unit 203 executes processing for eliminating the security risk in the target system 200 including the countermeasure execution unit 203 according to the countermeasure plan instructed by the risk management system 100.

[0056] The current state analyzing means 201, the asset analyzing means 202, and the countermeasure implementing means 203 are specifically realized by a CPU that operates according to a program. In this embodiment, the current state analysis means 201, the asset analysis means 202, and the countermeasure execution means 203 are provided in each system (target system) that is subject to risk management, for example, by installing a program in each target system. It is assumed that

[0057] The state storage means 101 stores information indicating the current system state of the target system 200.

(Remember. Specifically, the state storage unit 101 stores vulnerability information indicating whether or not there is a system vulnerability collected (received) from the target system 200 and asset information indicating the asset value of the system. For vulnerability information and asset information, the target system 200 has a predetermined type. The state storage means 101 may include a collection means, and the collection means may ask the target system and receive it as a response.

[0058] The risk model storage means 102 stores (stores) a risk model necessary for analyzing a risk value indicating the system state capability of the target system and the degree of security risk. Specifically, the risk model storage unit 102 stores a threat model 102a, a threat-vulnerability model 102b, and a threat-asset model 102c. The threat model 102a is a model (information) for defining security threats and the frequency of occurrence of those threats. The threat vulnerability model 102b is a model for defining the relationship between the vulnerabilities detected by the current state analysis means 201 and the threats defined in the threat model 102a (relationships related to the realization of threats). is there. The threat—asset model 102c is a model for defining the relationship between the threat defined in the threat model 102a and the asset on the target system (the relationship related to the impact on the asset). These models are prepared in advance based on security expertise. These models may be created as XML files or HTML files, for example!

[0059] The risk analysis unit 103 stores information (vulnerability information, asset information) indicating the current system state of the target system 200 stored in the state storage unit 101 in the risk model storage unit 102. Analyze using a recurring risk model to calculate the current risk value of the target system 200.

The countermeasure model storage means 104 stores (stores) a countermeasure model necessary for analyzing an optimal countermeasure against the current security risk of the target system 200. Specifically, the countermeasure model storage means 104 stores vulnerability—the countermeasure model 104a and countermeasure—cost model 104b defined for each countermeasure. The vulnerability-countermeasure model 104a is a model for defining countermeasures that can be implemented for the vulnerabilities defined in the threat-vulnerability model 102b. The countermeasure-cost model 104b is a model for defining various costs that are incurred when implementing the countermeasure means for the countermeasure means defined in the vulnerability-countermeasure model 104a. In the following, when expressed as “cost”, it will occur when implementing measures that collectively refer to costs necessary for measures that do not simply refer to “costs” and side effects caused by the implementation of measures. A “constraint”. These models are, for example, XML files or HT It may be created as an ML file!

[0061] Countermeasure plan generation means 105 performs analysis using a risk model and a countermeasure model when the risk value calculated by risk analysis means 103 exceeds an allowable range, and performs several measures to reduce security risk. Generate a countermeasure plan. As the risk value tolerance range, it is possible to use a value set by the security administrator, in addition to using a predetermined value.

[0062] The policy storage means 106 stores (stores) a countermeasure order determination policy 106a that is information indicating an evaluation formula of cost and cost to be prioritized when a countermeasure is applied to the target system. The countermeasure order determination policy 106a may include an allowable risk value indicating the maximum allowable risk value in the target system. It is assumed that the countermeasure order determination policy 106a is registered in advance as a security policy by the security administrator. The countermeasure order determination method 106a may be stored after being converted into specific numerical values or expressions expressing the security policy by the policy setting means 108 described later.

The countermeasure priority order determining means 107 determines the countermeasure to be implemented by prioritizing the countermeasure plans in accordance with the countermeasure order determining policy 106a stored in the policy storage means 106. The countermeasure priority order determination means 107 rearranges the countermeasure proposals according to the priority order just by determining the countermeasure proposals according to the priority order, and presents it to the security administrator, for example, by outputting it on the selection screen, and implements which countermeasure. You may decide by letting you choose what to do. The countermeasure priority order determination means 107 performs various controls for implementing the determined countermeasures. For example, the countermeasure priority order determination means 107 transmits a request to the countermeasure implementation means 203 of the target system 200 to implement the determined countermeasure.

The policy setting means 108 sets a countermeasure order determination policy 106a that reflects the security policy. For example, the policy setting unit 108 prepares a predetermined setting screen, and the policy storage unit 106 sets the condition or evaluation formula expressing the security policy input by the security administrator using the input unit as the countermeasure order determination policy 106a. Store.

Note that the state storage unit 101, the risk model storage unit 102, the countermeasure model storage unit 104, and the policy storage unit 106 are specifically realized by a storage device. Risk analysis means 103, countermeasure plan generation means 105, countermeasure priority order determination means 107, policy setting means Specifically, the stage 108 is realized by a CPU that operates according to a program. When the state storage unit 101 includes a collection unit, the state storage unit 101 is realized by a storage device, a communication device, and a CPU that operates according to a program.

Next, the operation will be described. FIG. 2 is a flowchart showing an example of an operation in which the security risk management system implements countermeasures according to the security risk of the target system 200. For example, the system administrator operates the risk management system 100 and inputs an instruction to execute the security risk check process of the target system 200. Then, the risk management system 100 instructs the target system 200 to execute the current state analysis and the asset analysis.

[0067] The current state analyzing means 201 of the target system 200 determines whether there is a vulnerability on the target system 200, and transmits the determination result to the risk management system 100 as vulnerability information (step S11). The risk management system 100 stores the received vulnerability information in the state storage unit 101. Further, the asset analysis unit 202 of the target system 200 determines the confidentiality of the document file existing on the target system 200, and transmits the determination result to the risk management system 100 as asset information (step S12). The risk management system 100 stores the received asset information in the state storage means 101.

[0068] Next, the risk analysis unit 103 of the risk management system 100 stores the information (vulnerability information, asset information) stored in the state storage unit 101 in the risk model storage unit 102! Analysis is performed using the model, and a risk value in the current system state of the target system 200 is calculated (step S13).

[0069] Next, the measure plan generation means 105 of the risk management system 100 determines whether or not the risk value calculated by the risk analysis means 103 exceeds the allowable range (step S14). When the risk value exceeds the allowable range, the countermeasure plan generation means 105 stores the risk model stored in the risk model storage means 102 and the countermeasure model stored in the countermeasure model storage means 104. Analyze and generate several countermeasures to reduce security risks (Step S15). The countermeasure plan generating means 105 selects, for example, a countermeasure means that can satisfy the predetermined conditions among various countermeasure means that can keep the risk value after implementation within an allowable range. Then, as a countermeasure plan, for example, the processing contents indicating what kind of processing the selected countermeasure means performs and the size of each cost generated when the countermeasure is implemented are output. Generate as XML file or HTML file to help.

Next, the countermeasure priority order determination means 107 of the risk management system 100 determines the countermeasure to be implemented from the countermeasure proposals generated by the countermeasure proposal generation means 105 (step S16). The countermeasure priority order determination means 107 may prioritize the countermeasure proposals according to the countermeasure priority determination policy 106a stored in the policy storage means 106, for example, and determine the countermeasure with the highest priority. In addition, for example, according to the countermeasure order decision policy 106a, the countermeasure proposal is evaluated according to the priority order of each cost, the evaluation result (the influence according to each cost, etc.) is presented, and the security administrator makes a selection. It may be decided whether to take measures. When the countermeasure to be implemented is determined, the countermeasure priority order determining means 107 transmits the determined countermeasure proposal to the countermeasure implementing means 203 of the target system 200.

[0071] Then, the countermeasure execution means 203 of the target system 200 executes processing for eliminating the security risk in accordance with the received countermeasure proposal (step S17).

[0072] Next, details of the processing of each means will be described. As already described, the current state analyzing means 201 is a means for examining the state of the system and determining whether or not there is a vulnerability. The vulnerabilities for determining whether or not the current state analysis means 201 exists are the vulnerabilities listed in the threat vulnerability model 102b stored in the risk model storage means 102 of the risk management system 100. For example, the risk management system 100 indicates the analysis method for each vulnerability in the threat-vulnerability model 102b. Information may also be stored in the risk model storage means 102 and sent to the target system 200 at the timing when the analysis instruction is sent or when the threat-vulnerability model 102b is updated. Further, for example, the target system 200 may access the network and read directly. It should be noted that the specific processing contents of the current state analysis means 201 are different for each vulnerability for determining the presence or absence.

[0073] The current state analysis means 201, for example, when determining the vulnerability “disk encryption tool is not installed”, the registry “HKEY 丄 OCAL_MACHINE \ SOFT WARE \ Microsoft \ Windows (registered trademark) \ Current Version It can be realized by using a program that checks if \ UninstallJ is installed and checks whether an existing disk encryption tool is installed, and existing vulnerabilities such as Microsoft Baseline Security analyzer. It may be possible to activate a sex inspection tool and determine whether there is a vulnerability from the output.

[0074] The presence / absence of the determined vulnerability is combined with the location (information for identifying the target system 200) collected by the risk management system 100 as vulnerability information, and the state storage means 101 Stored in FIG. 3 is an explanatory diagram showing an example of the data structure of vulnerability information stored in the state storage means 101. In FIG. 3, for example, client PC1, which is one of the target systems, has a vulnerability of “notebook PC”, a vulnerability of “disk encryption tool not installed”, and “file encryption key”. “Tools not yet implemented” and “vulnerabilities” are shown to exist. In addition, for example, the client PC2, which is another target system, has a vulnerability of “notebook PC”, a vulnerability of “disk encryption tool password is empty”, and a “file encryption tool”. It has been shown that there are “unintroduced” and “vulnerabilities”! Also, for example, the server SERVER1, which is another target system, does not have the vulnerability of “notebook PC”, but other vulnerabilities exist as well as the client PC 1. . From the example shown in Fig. 3, it can be seen that the client PC 1 is a notebook personal computer (hereinafter referred to as a notebook PC), and neither a disk encryption tool nor a file encryption tool is installed. In addition, it can be seen that the client PC 2 is a notebook PC, and the disk encryption tool is installed, but the password is set. Server SERVER1 also has a disk encryption tool and a file encryption tool that are not installed in a notebook PC.

As described above, the asset analysis unit 101 is a unit that examines the state of the target system and determines the security level of the asset. Here, the security level represents an index required for confidentiality, integrity, and availability. For example, the security level related to confidentiality (referred to as the confidentiality level) is an index that represents the degree to which the confidentiality of files in the target system must be secured.

Here, the confidentiality level is an index that represents the confidentiality of the document that is determined in advance by the information security policy in the organization. For example, “confidentiality of related parties” that restricts disclosure to those other than related parties, These are indicators such as “confidentiality” that restricts disclosure outside the company and “careful handling” that restricts disclosure outside the company and partner companies. For each confidential level, the asset value of the confidential level, that is, the average amount of damage when information is leaked, is set. Good. By doing so, it is possible to calculate the final risk value with a specific index called damage amount. Fig. 4 is an explanatory diagram showing an example of the confidential level of document files and their value. In the example shown in FIG. 4, it is shown that L4 to L0 are set as the security level. In addition, the example shown in Fig. 4 shows that the asset values (average damage amount) of document files with confidential levels LI, L2, L3, and L4 are 10, 100, 100, and 1000 [1,000 yen], respectively. .

The asset analysis means 202 regarding confidentiality can be realized by using a program that analyzes the contents of a file and returns the confidential level. As such means, for example, the amount of personal information and confidential information obtained by taking out the character string in the file and the structure information such as the position of the character string, and determining the character string according to a predetermined dictionary, The file may be analyzed using a known technique such as determining the sensitivity and importance of the file based on the importance obtained by determining the structure information, and the result may be used. The file analysis method shown above is, for example, the document “Hosomi et al.,“ Information leakage threat analysis method based on document analysis and setting verification (2) Sensitivity determination using document content analysis and structure analysis ”, It is described in the 67th Annual Meeting of the Information Processing Society of Japan, 3E-7J.In addition, when targeting a system in a company, even if the office is simply judging whether the confidentiality is based on text or not. Good, because the files stored on the client PCs in the company are often confidential information in the company.In this case, it is not possible to determine whether the information is confidential or confidential. .

The determined confidentiality level is stored in the state storage unit 101 as asset information together with the collected location (information for identifying the target system 200). FIG. 5 is an explanatory diagram showing an example of the data structure of the asset information stored in the state storage means 101. In the example shown in Fig. 5, as asset information, the asset value of the entire system multiplied by the asset value of the confidential level shown in Fig. 4 is combined with the number of files for each confidential level held by each target system. Stored. In the example shown in FIG. 5, for example, the client PC 1 does not hold any files with the confidentiality levels L1 to L4, and the asset value of the entire system is 0 [thousand yen]. Also, for example, server SERVER1 has 100 files with security level L1, 80 files with security level L2, and 80 files with security level L3. It is shown that 3 files and 1 confidential level L4 file are retained, and the asset value of the entire system is 10 300 [thousand yen]!

The risk analysis means 103 is a means for calculating a risk value in the current system state of the target system 200 as already described. Specifically, by analyzing the vulnerability information and asset information collected from the target system 200 using the risk model registered in the risk model storage means 102, the current risk for each threat in the target system 200 is analyzed. Calculate the value.

First, the risk model stored in the risk model storage means 102 will be described. The threat model 102a is information that enumerates security threats and indicates the frequency of occurrence of those threats. The threat model 102a is created in advance based on statistical data or the like. FIG. 6 is an explanatory diagram showing an example of the threat model 102a. In the example shown in Fig. 6, the information leakage of “information leakage due to PC loss / theft (threat tl)”, “information leakage due to malware (threat t2)”, and “information leakage due to incorrect email transmission (threat t3)” 3 threats (tl to t3) are listed, and it is shown that 0.1, 0.5, and 0.1 [times Z years] are set as the frequency of occurrence of each threat. The frequency of occurrence may be set to a value such as three levels of large, medium, and small, which need not be set in a quantitative unit of [times Z years].

[0081] The threat vulnerability model 102b is information indicating a relationship related to the manifestation of the threat defined by the threat model 102a and the vulnerability. The relationship between threats and vulnerabilities can be expressed by an AND (logical product) or OR (logical sum) relationship or a combination thereof. AND indicates that the threat becomes apparent only when all the input vulnerabilities exist. OR indicates that the threat becomes apparent if any of the input vulnerabilities exist. The threat-vulnerability model 102b also includes a numerical value (maximum vulnerability level) that indicates how much a threat is manifested in the presence of a certain vulnerability, and how much threat is present in the absence of a certain vulnerability. It may also contain a numerical value (minimum vulnerability) that indicates whether it will manifest. In this embodiment, the maximum vulnerability level and the minimum vulnerability level take values from 0 to 1.

[0082] Here, we define a variable xi that has xi = 1 if the vulnerability vi exists and xi = 0 if it does not exist, and if the maximum vulnerability of vi is ai and the minimum vulnerability is bi The relationship (magnitude of vulnerability) related to the manifestation of a threat based on the presence or absence of two vulnerabilities (vl, v2) is expressed as AND and OR. These can be represented by the following formula (1).

[0083] AND: (alxl + bl (l-xl)) (a2x2 + b2 (l-x2))

OR: l- (l- (alxl + bl (l-xl))) (l- (a2x2 + b2 (l-x2)))-· · · Equation (1)

It should be noted that these pieces of information are created in advance based on expertise related to vulnerability. FIG. 7 is an explanatory diagram showing an example of the threat-vulnerability model 102b. The example shown in Fig. 7 shows the relationship between the four vulnerabilities (vl to v4) that can be the cause of the emergence of “information leakage due to PC loss / theft (threat tl)”. In Figure 7, the numerical value above the arrow drawn from each vulnerability indicates the maximum vulnerability level of the vulnerability, and the numerical value below the arrow indicates the minimum vulnerability level of the vulnerability. .

[0085] The threat vulnerability model 102b shown in FIG. 7 is an example described based on the following expertise on vulnerabilities. “If it is not a laptop, it will not be stolen or lost. (Knowledge 1)”, “Even if a laptop is lost or stolen, the disk encryption tool power s Will not leak because the file is encrypted. (Knowledge 2) ”,“ If the password of the disk encryption tool is not set, it will be stolen even if it is encrypted. However, since the user name must be estimated, the possibility of leakage is at most 10%. (Knowledge 3) ”,“ Files in the user directory are automatically encrypted. If a file encryption tool is installed, even if a laptop is lost or stolen, important files are encrypted and are not easily leaked. Because when there may be stored incorrectly outside Li, as it can completely prevent some potential leakage about 5% Nag. (Knowledge 4) ".

In other words, in the example shown in FIG. 7, from knowledge 2 and knowledge 3, “disk encryption tool not installed (vulnerability v2)” and “disk encryption tool password is empty (vulnerability v3)” If either of them exists, the threat tl becomes apparent, and vulnerabilities v2 and v3 are combined with an OR gate. In addition, from Knowledge 1, Knowledge 2, Knowledge 4, both "Notebook PC (Vulnerability vl)", Vulnerability v2, Vulnerability v3, and "File encryption tool not yet introduced (Vulnerability v4)" If there is no gap, the threat tl will not manifest, so they are combined with an AND gate. Also, from Knowledge 4, there is a possibility of 5% leakage even in the absence of vulnerability v4. The minimum vulnerability b4 is 0.05. Also, from Knowledge 3, there is only a 10% possibility of leakage even in the presence of vulnerability v3, so the minimum vulnerability a3 of vulnerability v3 is 0.1.

[0087] In this way, the threat-vulnerability model 102b as shown in Fig. 7 can be defined using the expertise related to vulnerability. For example, the threat-vulnerability model 102b may be stored as XML format data as shown in Fig. 8, or a logic gate may be applied to the calculation formula, as shown in the following formula (2). As a function to find the size of the vulnerable vulnerability S

[0088] S (tl) = xl X (1- (1-χ2) (1-0.1 X x3) X (χ4 + 0.05 (1-χ4)) · · · · Equation (2)

FIG. 9 shows a list of values taken by the function shown in equation (2). In FIG. 9, the solution indicated by S1 (S (tl) = 0) indicates that the threat tl does not manifest at all because it is not a notebook PC. The solution indicated by S2 (S (tl) = 0) indicates that the threat tl does not appear at all because the disk encryption tool is installed and the password is set. In addition, the solution shown in S3 (S (tl) = 0.005) has both the disk encryption tool and the file encryption tool installed! /, But the disk encryption tool password is not set. This indicates that there is a slight possibility of leakage (0.5%). The solution indicated by S4 (S (tl) = 0.1) indicates that there is a possibility of leakage of 10% because only the disk encryption tool is installed but no password is set. is doing. The solution shown in S5 (S (tl) = 0.05) indicates that there is a possibility of leakage (5%) because only the file encryption tool is installed. The solution shown in S6 (S (tl) = 1) indicates that both the disk encryption tool and the file encryption tool should be installed, so that the threat tl is fully manifested.

[0090] The threat asset model 102c is information indicating the relationship between the threat defined in the threat model 102a and the impact level of the asset. Specifically, it is information indicating how much assets are affected when a certain threat becomes apparent. FIG. 10 is an explanatory diagram showing an example of the threat asset model 102c. In Figure 10, for example, when a threat tl (information loss due to PC loss 'theft') occurs on the client PC 1, the assets on the client PC 1 are affected by 100%, and other assets are affected. It has been shown not to give. In addition, for example, when threat t3 (information leakage due to erroneous email transmission) becomes apparent in client PCI, assets on client PC1 are affected by 10%, and assets on server SERV ER1 are also affected by 10%. Has been shown to give. This is because the user cannot accidentally send a file on the server SERVER1 that can be accessed from the client PC1. Also, unlike threat tl, threat t3 is affected only by files that are sent in error rather than all files being affected, so the numerical value indicating the impact is set to a small value of 0.1. ing.

[0091] Next, risk analysis performed by the risk analysis means 103 using the risk model described above will be described. FIG. 11 is a flowchart showing an example of risk analysis processing (risk value calculation processing) performed by the risk analysis means 103. As shown in FIG. 11, the risk analysis means 103 first applies the vulnerability information of the target system stored in the state storage means 101 to the threat vulnerability model 102b, thereby making it possible to Find the size of the vulnerability (step S101). The risk analysis means 103, for example, substitutes the presence / absence (xi = 0, 1) of each vulnerability indicated in the vulnerability information into a function that is derived from the threat-vulnerability model 102b, thereby calculating the size of the vulnerability S (t ) Is calculated. For example, assume that vulnerability information as shown in Figure 3 is collected from client PC2. Further, for example, it is assumed that Expression (2) derived from the relationship shown in FIG. 7 is registered as the threat-vulnerability model 102b. In such a case, the vulnerability size S (P C2tl) for threat tl in client PC2 is the presence or absence of each vulnerability in current client PC2 (xl = l, x2 = 0, x3 = 1, x4 = l) By substituting into equation (2), it is found to be 0.1.

[0092] Next, the risk analysis unit 103 calculates the asset value affected by the manifestation of each threat by applying the asset information stored in the state storage unit 101 to the threat-asset model 102c. (Step S102). For example, the risk analysis means 103 obtains, from the threat-asset model 102c, a calculation formula for calculating the asset value affected by the manifestation of each threat for each target threat. For example, if the asset value on the client PC1 is pl, the asset value on the client PC2 is p2, and the asset value on the server SERVER1 is p3, the client PC1 based on the threat-asset model 102c example shown in Figure 10 The asset value ass affected by the manifestation of threats tl, t2, and t3 is expressed by the following equation (3) Indicated by

[0093] ass (PCltl) = pi

ass (PClt2) = 0.5pl + 0.5p3

ass (PClt3) = O.lpl + 0.1ρ3 · · 'Expression (3)

Here, the asset values pi, p2, and p3 on each target system are based on the asset information stored in the state storage means 101. For example, in the example shown in FIG. 5, pl = 0, p2 = 2400, p3 = 10300 [thousand yen], and by substituting these into equation (3), the asset value ass affected by the manifestation of each threat on each target system can be calculated. Togashi.

[0095] Finally, the risk analysis means 103 refers to the threat occurrence rate (occurrence frequency) f from the threat model 102a (step S103), and affects the asset value ass and the occurrence frequency f affected by each threat. By multiplying by the vulnerability size S, the risk value Risk for the threat is calculated (step S104). For example, the risk value Risk (PC2tl) for threat tl on client PC2 is calculated to be 24 [thousand yen] according to the following equation (4).

[0096] Risk (PC2tl) = ass (PC2tl) X Ktl) X S (tl)

= 2400 X 0.1 X 0.1 ... Formula (4)

Note that, when the obtained risk value exceeds a predetermined allowable range (risk allowable value), a countermeasure plan generation unit 105 generates a countermeasure plan.

[0098] As already described, the countermeasure proposal generation means 105 is stored in the risk model storage means 102 and stored in the risk model and countermeasure model storage means 104 when the risk value exceeds the allowable range. This is a means of analyzing the risk value using a countermeasure model and generating several countermeasure plans for reducing the risk value.

First, the countermeasure model stored in the countermeasure model storage means 104 will be described. The vulnerability-countermeasure model 104a is information indicating what countermeasure means is available for the vulnerability defined in the threat vulnerability model 102b. FIG. 12 is an explanatory diagram showing an example of the vulnerability-countermeasure model 104a. The vulnerability-countermeasure model 104a is created in advance based on the knowledge about the vulnerability and countermeasures thereof, as in the case of the threat-vulnerability model 102b. Multiple countermeasures may be associated with one vulnerability. In the example shown in Figure 12, an example For example, as a countermeasure against vulnerability v3, “Warn to change if empty password (Countermeasure c3)” is associated with “Forcibly assign password if empty password (Countermeasure c4)”. It has been. There may be no countermeasures against vulnerabilities.

[0100] Further, the countermeasure-cost model 104b is information indicating various costs generated when implementing the countermeasure means for each countermeasure means defined in the vulnerability-countermeasure model 104a. As already explained, the cost means a “constraint” that collectively refers to the side effects caused by implementing measures that are not just the costs necessary for the measures. In this example, countermeasures are defined in terms of three costs: “equipment cost”, “availability cost”, and “deployment cost”.

[0101] “Equipment cost” refers to an indicator of the cost that is continuously incurred by introducing the measure. Equipment costs are a major constraint because you cannot spend unlimited money on security.

[0102] "Availability cost" refers to an index indicating a decrease in availability (convenience) caused by introducing the countermeasure. For example, banning the use of notebook PCs can greatly reduce availability, such as disrupting work on the go. Since countermeasures against information leakage often impair the availability, it becomes an important constraint when planning countermeasures.

[0103] Further, the "deployment cost" refers to an index indicating the time required to implement the countermeasure.

For example, even if an empty password is warned to change, it will take a considerable amount of time before the instruction is actually distributed to the user. When urgent countermeasures are required, such as virus countermeasures, countermeasures with a high deployment cost are not useful, and may still be a constraint when planning countermeasures.

Countermeasure—Cost model 104b is information in which equipment cost, availability cost, and deployment cost are associated with each countermeasure (see FIG. 13). FIG. 13 is an explanatory diagram showing an example of the countermeasure-cost model 104b. Figure 13 shows the costs incurred for implementing each countermeasure for each countermeasure defined in the vulnerability-countermeasure model 104a shown in Figure 12. In addition, it represents that the restrictions are so strong that cost is large. For example, the countermeasure cl “prohibiting taking out notebook PCs” is an administrative measure, so the equipment cost must be reduced. However, since the impact on availability is large and it takes time to be implemented and implemented, the deployment cost is also set high (equipment cost 0, availability cost 100, deployment cost 100). On the other hand, the measure c2, “Installing a disk encryption tool,” requires equipment costs because it requires a license agreement for the tool, but has little impact on availability (equipment cost 80, availability cost 10 Deployment cost 80).

[0105] In the example shown in Fig. 13, each cost unit is assumed to be a dimensionless quantity.

The equipment cost may be expressed in units of [Amount Z years] as well as the risk value. Doing so makes it easier to compare risk and cost, and makes it easier for security administrators to take appropriate measures.

FIG. 14 is an explanatory diagram in which the example of the vulnerability-measure model 104a shown in FIG. 12 is combined with the example of the measure-cost model 104b shown in FIG. The vulnerability-countermeasure model 104a and the countermeasure-cost model 104b are created in advance based on specialized knowledge regarding countermeasure means, as in the risk model.

Next, the countermeasure plan generation operation performed by the countermeasure plan generation means 105 will be described using the risk model and the countermeasure model described above. FIG. 15 is a flowchart showing an example of countermeasure plan generation processing performed by the countermeasure plan generation means 105. As shown in Fig. 15, the countermeasure plan generation means 105 first divides vulnerabilities with multiple countermeasures and ANDs them, so that there is a one-to-one correspondence between the existence of vulnerabilities and the presence or absence of countermeasures. Threat A vulnerability countermeasure model is generated (step S201).

FIG. 16 is an explanatory diagram showing an example of the threat vulnerability one countermeasure model. In the example shown in Fig. 16, vulnerability v3 and countermeasures c3 and c4 for vulnerability v3 are made to correspond one-to-one so that vulnerability v3 ^ v31 and v32 are defeated ij and ANDed. Measures c3 and c4 are associated with ¾ '| 4ν31 and v32, respectively. Since the divided vulnerabilities are ANDed, the content of the threat—vulnerability model 102b and vulnerability—countermeasure model 104a does not change by this transformation. This threat-vulnerability-countermeasure model may be generated in advance when threat-vulnerability model 102b and vulnerability-countermeasure model 104a are determined.

[0109] Next, the countermeasure plan generation means 105 generates a countermeasure plan that minimizes the total cost, for example, while keeping the risk value below the allowable range for each threat (step S202). Further, the countermeasure plan generating means 105 generates a countermeasure plan that minimizes the deployment cost, for example, while keeping the risk value below the allowable range (step S203). Further, the countermeasure plan generation means 105 generates a countermeasure plan that minimizes the total availability cost, for example, while keeping the risk value below the allowable range (step S204).

[0110] Here, a method for generating each countermeasure plan will be described in detail by taking a threat tl as an example. In the following, for ease of explanation, the ability to target only the risk value of client PC2 Even when targeting multiple PCs, by summing the risk values of those PCs

It is possible to calculate similarly.

[0111] First, if the variable yi is defined such that yi = 0 when countermeasure ci is implemented and yi = l when countermeasure ci is not implemented, the risk value for threat tl on client PC2 is It can be expressed as 5).

[0112] Risk (PC2tl) = E01 = 2400 X 0.1 X (yl X (l- (l-y2) X (1-0.1 X y3 X y4)) (y5 + 0.05 X (1- y5)))

Formula (5)

[0113] where 2400 is the affected asset value ass (PC2tl), 0.1 behind it is the frequency f (tl) of threat tl, and behind it is the threat-vulnerability model 102b. The risk formula (1) is applied to the threat vulnerability countermeasure model shown in Fig. 16. Here, the presence or absence of the current vulnerability stored in the state storage means 101 corresponds to the presence or absence of the current countermeasure, and if the current yi value is set to Yi, in the example shown in FIG. Current measures are as follows: Υ1 = 1, Υ2 = 0, Υ3 = 1, Υ4 = 1, Υ5 = 1.

[0114] The value of the device cost can be expressed as ∑Ci (l-yi) when the device cost of a certain measure ci is Ci. In other words, if a measure ci is implemented (yi = 0), the device cost Ci is incurred regardless of whether the measure is already implemented or not.

[0115] The value of availability cost can be expressed as ∑Ci (Yi—yi) when the availability cost of a measure ci is Ci. In other words, if a measure ci is implemented (yi = 0), if the measure has already been implemented! / (If Yi = 0), the availability cost is power !, but must be implemented! For example, (Yi = l) Ci costs an availability cost. Also, if the countermeasure ci is not implemented (yi = l), the availability cost is reduced if the countermeasure is already implemented (when Yi = 0). In other words, the current The availability is better than the situation.

[0116] The value of the deployment cost can be expressed as ∑YiCi (l−yi) when the deployment cost of a certain measure ci is Ci. In other words, if a measure ci is implemented (yi = 0), that measure has already been implemented! If Yi = 0, the measure has already been taken, so the deployment cost does not increase. If not, (Yi = 1) the cost of deployment is Ci. If countermeasure ci is not implemented (yi = 0), deployment cost Ci does not occur.

Applying the above formulas, in the threat / vulnerability one countermeasure model shown in Fig. 16, the formulas for obtaining the equipment cost, availability cost, and deployment cost can be expressed by the following formula (6).

[0118] Equipment cost = E02 = 80 X (1- y2) + 70 X (1- y5)

Availability cost = E03 = 100X (Yl-yl) + 10X (Y2-y2) + 50X (Y4-y4) + 10X (Y5-y5) Deployment cost = E04 = lOOX (l-yl) + 80X (l-y2) + 30X (l-y3) + 40X (l-y5)

Formula (6)

[0119] It can be seen that these formula forces are also expressed as integer programming problems concerning the variables yl, y2, y3, y4, and y5 in steps S202, S203, and S204. For integer programming problems, exact or approximate solutions can be obtained using known methods such as the branch and bound method or genetic algorithm. For example, step S 203 is expressed as an integer programming problem shown in the following equation (7).

[0120] Goal function: 100X (1-yl) + 80X (l-y2) + 30X (l-y3) + 40 X (l-y5) → min

Restriction: 2400 X 0.1 X (yl X (1- (1- y2) X (1-0.1 Xy3X y4)) (y5 + 0.05 X (1- y5 >>)) <10 Equation (7)

[0121] In the above example, risk tolerance = 10 is given as a constraint, and solving these results in the solution of step S202 and step S204 y3 = 0 (implementing measure c3). The solution of S203 is y4 = 0 (measure c4 is implemented) t ヽぅ solution is obtained.

[0122] The countermeasure priority order determination means 107 presents the countermeasure proposal obtained by the countermeasure proposal generation means 105 to the security administrator, and transmits the countermeasure selected by the security administrator to the countermeasure implementation means 203. Is provided. FIG. 17 is an explanatory diagram showing an example of a screen output by the countermeasure priority order determination means 107. In the example shown in Figure 17, the countermeasure plan with the smallest deployment cost is the emergency countermeasure plan, the countermeasure plan with the lowest availability cost is the normal countermeasure plan, and the sum of all costs is the smallest. The plan is presented as an optimal measure plan. In this example, the current risk against information leakage (threat tl) due to PC loss / theft is 24 (warning state), and the risk after implementation is 0 as an emergency measure against this threat t1. It presents a countermeasure c4 (forcibly assigning a password if it is an empty password) with an availability cost of 50, an equipment cost of 80, and a deployment cost of 0. In addition, as countermeasures for normal measures and proposals for optimum measures, c3 (warning to change if there is an empty password) is proposed with zero risk after implementation, zero availability cost, equipment cost 80, and deployment cost 30. is doing. In addition, as shown in Fig. 17, the current risks, the risks after implementation of each measure, and the costs incurred when implementing the measure are color-coded according to their size (shaded in Fig. 17). May be.

[0123] This allows the security administrator to select “Emergency Measures” if they want to take immediate measures, and to minimize the impact on user availability! In the case where the optimal measures including the equipment cost are implemented, the “optimum countermeasure plan” can be selected. Therefore, measures can be determined in consideration of the ease of implementing measures and the impact on users, not only in terms of costs required for measures.

[0124] The countermeasure implementation means 203 is a means for implementing the countermeasure determined by the countermeasure priority order determination means 107. For example, when the optimum countermeasure plan shown in FIG. 17 is implemented, the countermeasure implementation means 203 executes a process for warning the user to set a password for the disk encryption tool. This process can be realized, for example, by using a program that displays a warning screen when the user logs on on the client PC. The countermeasure implementation means 203 does not necessarily have to be realized using a program that runs on the target system 200. That is, the risk management system 100 may include the countermeasure implementation means 203. In such a case, for example, the countermeasure implementation means 203 of the risk management system 100 is a program that sends an email warning the user to set a password for the disk encryption tool that operates on the risk management system 100. It can be realized using.

[0125] Further, the countermeasure priority order determination means 107, when the countermeasure order determination policy 106a is stored in the policy storage means 106, is the priority and target of various costs defined in the countermeasure order determination policy 106a. Based on the value, you can select and rank the proposed measures! For example, the policy setting means 108 displays a setting screen for the countermeasure order determination policy as shown in FIG. The countermeasure order decision policy 106a corresponding to the security policy is set by presenting it and allowing the security administrator to input it. FIG. 18 is an explanatory diagram showing an example of a setting screen for setting the countermeasure order determination policy 106a. As shown in FIG. 18, the setting screen includes, for example, input items that can set risk tolerances and input items that can specify cost evaluation methods (minimize risk, minimize the sum of specified costs, For example, the cost may be evaluated in a specified order), and an input item for specifying a target value for each cost may be included. Note that the countermeasure order determination policy 106a, which is a condition for generating countermeasure proposals, is determined based on the security policy corresponding to each organization, and the security administrator can determine the cost evaluation formula and risk tolerance according to the security policy. By entering values, it is possible to generate more desirable countermeasures.

[0126] For example, as shown in Figure 18, the risk tolerance (allowable risk in the figure) is set to 1,000 yen Z year and deployment cost of 2 months or less, and the sum of equipment cost, deployment cost, and availability cost. Assume that the evaluation method of minimizing is set. In such a case, if E01 to E04 in Eq. (6) and Eq. (7) are used, the objective function: E02 + E03 + E04 → min, constraint 1: E01 ≤ 1000, constraint 2: E0 4≤ 60.

[0127] As shown in Fig. 19, when the constraint condition of equipment cost 1000 yen Z years is set and the evaluation method is set to minimize the risk, the objective function and the constraint equation are Target function: E01 → min, constraint: E04≤10000.

[0128] As described above, according to the present embodiment, the risk value using the risk model determined in advance from the asset value and vulnerability information in the target system obtained by examining the system state. It can be seen that by implementing measures based on the countermeasure model and implementing countermeasures, it is possible to implement countermeasures that take into account the reduction in equipment costs and availability caused by implementing countermeasures and the time required for deployment. Deployment costs and availability costs are calculated based on the current vulnerability status (countermeasurement status), so the optimal countermeasure plan is proposed to the security administrator according to the current system status. be able to.

[0129] That is, when multiple countermeasures are possible, the security administrator can implement the optimal countermeasures while judging how much various costs are incurred when implementing the countermeasures. Become. The reason for this is, for example, by defining multiple costs such as equipment cost, availability cost, and deployment cost as a countermeasure model, whether to prioritize a decline in availability or prioritize rapid countermeasure deployment, It is possible to present a number of different countermeasures, such as whether to prioritize minimizing costs, and to understand what costs are incurred and what costs are incurred by the security administrator. This is because

[0130] In the above description, as shown in Fig. 16, the threat / vulnerability one countermeasure model is an example of a force threat vulnerability one countermeasure model expressed as AND and OR. Instead of the threat-vulnerability model 102b expressed using, it can also be expressed using countermeasure relational operators such as OR, MAX, MIN, SUB, and XOR. Here, the countermeasure relational operator is the relationship between countermeasures in which multiple countermeasures can be effective independently, only one of them can be implemented, or effective only when a certain vulnerability is implemented. It expresses.

[0131] FIG. 20 is an explanatory diagram showing an example of a threat-vulnerability-countermeasure model expressed using countermeasure-related operators. In Fig. 20, vulnerability and countermeasures can be replaced in a one-to-one relationship, so the vulnerability is not shown.

[0132] In FIG. 20, OR means that measures combined with OR can be freely combined and implemented, and the effect on threats when these measures are implemented is added. In other words, when there are measures A and B, (1) implement only measure A, (2) implement only measure B, and (3) implement both measure A and measure B. You can choose from three countermeasures, and (3) is more effective than (1) and (2).

[0133] In addition, MAX is the power that can be implemented by freely combining measures combined with MAX. Only those measures that have the greatest effect are effective in reducing threats. Represents that. In addition, MIN is the opposite of MAX and means that only the combined measures that have the minimum effect can exert the effect.

[0134] SUB represents a combination of measures that can implement a subordinate measure only when the main measure is implemented. For example, a measure that enables the password measure restriction, which is a subordinate measure, to be implemented only when the main measure, “Introduction of authentication mechanism”, is implemented. Represents the relationship between. XOR represents the relationship between measures that cannot be implemented simultaneously by two or more measures combined by XOR. For example, the “encryption of communication path” countermeasure and the “detection of confidential document in communication path” countermeasure cannot detect confidential documents in the communication path if the communication path is encrypted. Cannot be implemented. XOR represents the relationship between these measures.

[0135] As described above, a more precise threat vulnerability countermeasure model can be created by defining the relationship between countermeasures. In addition, constraints such as SUB that cannot be described with only descriptive operators such as AND, OR, and NOT can be added.

[0136] Also, in FIG. 20, the effectiveness of each countermeasure is indicated by a numerical value (a numerical value added to the arrow with each countermeasure power drawn in the figure). In this example, the numerical value indicating effectiveness is a value between 0 and 1, and corresponds to the maximum vulnerability level in the threat-vulnerability model 102b using AND and OR described above (in practice, the maximum It is the reciprocal of the vulnerability level). In other words, the effectiveness and maximum vulnerability can be converted to each other by taking the reciprocal of each other.

Next, the operation when calculating the risk value from the threat vulnerability one countermeasure model using countermeasure relational operators is explained. Here, a variable xi is defined such that xi = l if the vulnerability vi exists, and xi = 0 if it does not exist, and the countermeasure for the vulnerability vi is ci. In addition, let zi be the validity of ci. At this time, the countermeasure-related operators described above can be calculated as shown in the following equation (8).

[0138] OR: max (zl XAND (xl,! X2), (l— 1—zl) (l—z2) XAND (xl, x2), z2 XAND (! Xl, x2 >>

MAX: max (zl X xl, z2 X x2)

MIN: min (zl Xxl, z2 Xx2)

SUB: max (zl X AND (xl,! X2), (l— 1— zl) (l— z2) X AND (xl, x2))

XOR: max (zl X AND (xl,! X2), z2 X AND (! Xl, x2 >> Formula (8)

[0139] In the equation (8), "!" Is an operator representing the previous negation. For example,! xi is a xi denial, when xi = l! When xi = 0, when xi = 0! xi = l. Furthermore, max () represents an operator that extracts the maximum value among the numerical values of 0, and min () represents an operator that extracts the minimum value among the numerical values that are not 0. AND 0 represents a logical operator. In this way, risk values can be calculated even if countermeasure relational operators are introduced. [0140] Next, with reference to FIG. 21, the operation when generating a countermeasure plan from a threat-vulnerability-countermeasure model using countermeasure-related operators will be described. FIG. 21 is a flowchart showing an example of processing for generating a threat vulnerability vulnerability countermeasure model countermeasure plan using countermeasure relational operators. As shown in Fig. 21, if the threat vulnerability countermeasure model using countermeasure relational operators includes SUB relational operators (countermeasure relational operators), SUB is AND, OR,! And a constraint equation is added (step S 201). For example, if xl and x2 are in a SUB relationship, xl—x2≥0 is stored in the constraint expression. Similarly, if the relational operator of XOR is included, XOR is AND, OR,! And a constraint equation is added (step S202). For example, if xl and x2 are in an XOR relationship, add xl + x2 = l to the constraint expression. In this way, after adding the constraint equation, it is generated in the same procedure as the procedure for generating the threat-vulnerability-countermeasure model power countermeasure plan using AND and OR.

[0141] As described above, by using the threat vulnerability one countermeasure model including countermeasure-related operators, it is possible to express constraint conditions between countermeasures that cannot be expressed only by ordinary AND and OR, and more precise countermeasures. Proposals can be generated. In addition, the model can be easily generated by directly expressing the relationship between measures.

[0142] Example 2.

Next, a second embodiment of the present invention will be described in which a function for implementing a step-by-step countermeasure implementation procedure is added.

[0143] Next, a second embodiment of the present invention will be described with reference to the drawings. FIG. 22 is a block diagram illustrating a configuration example of the security risk management system according to the second embodiment. Compared to the first embodiment shown in FIG. 1, in the security management system shown in FIG. 22, the risk management system 100 includes a countermeasure scenario generation means 111 instead of the policy storage means 106 and the countermeasure priority determination means 107. The countermeasure execution determination unit 112 is different from the target system 200 in that the target system 200 includes an event collection unit 211. Another difference is that the countermeasure model storage means 104 includes a countermeasure scenario model 114c.

[0144] Hereinafter, operations unique to the second embodiment will be described. The event collection means 211 detects changes in security (for example, the occurrence of attacks and worms) in the target system 200. Then, the risk management system 100 is notified (transmitted) as an event. The event collection unit 211 is realized by, for example, an IDS (Intrusion Detection System) that can monitor a packet or log, detect an attack or worm occurrence, and send an event.

[0145] The countermeasure scenario generation means 111 assigns the countermeasure proposal generated by the countermeasure proposal generation means 105 to the same day countermeasure, emergency countermeasure, normal countermeasure, final countermeasure, etc., based on the countermeasure scenario model 114c. Generate a countermeasure model that indicates which countermeasures will be implemented. Based on the generated countermeasure scenario and the event notified from the event collecting means 211, the countermeasure execution determining means 112 determines which countermeasure is to be implemented and notifies the countermeasure implementing means 203.

[0146] Next, the generation of a countermeasure scenario and the determination operation of the countermeasure to be implemented will be described in detail. First, the countermeasure scenario model 114c will be described. The countermeasure scenario model 114c is a model described as a state transition model in which each countermeasure transitions according to an event. The countermeasure implementation stage (hereinafter referred to as countermeasure stage) and the conditions for moving between countermeasure stages ( A transition condition). Figure 23 shows a specific example of the countermeasure scenario model 11 4c. FIG. 23 is an explanatory diagram showing an example of a countermeasure scenario model 114c for “information leakage due to the occurrence of a worm”. In the example shown in Fig. 23, five countermeasure stages are defined: initial condition, same-day countermeasure, emergency countermeasure, normal countermeasure, and final countermeasure.For example, the same-day countermeasure stage force Transitions to conditions are defined, such as transition from the normal countermeasure stage to the emergency countermeasure stage on the condition of the occurrence of a worm. As shown in FIG. 23, the transition condition may include the elapsed time and time of the countermeasure execution ability that is not limited to the event notified from the event collection means 211. The countermeasure scenario model 114c is created in advance by the security administrator.

The countermeasure scenario generation unit 111 generates a countermeasure scenario by assigning the countermeasure plan generated by the countermeasure plan generation unit 105 to each countermeasure stage defined in the countermeasure scenario model 114c. Which countermeasure stage is assigned depends on a predetermined condition. For example, as an example of determining by cost, after setting the allowable risk value high, the countermeasure with the lowest availability cost is the same day countermeasure, the countermeasure with the lowest deployment cost is the emergency countermeasure, the availability cost And the sum of the equipment costs is the lowest, the countermeasure is the normal countermeasure, the allowable risk value is set low, and the countermeasure with the smallest sum of all costs may be the final countermeasure. The same countermeasure may be assigned to multiple countermeasure stages. Fig. 24 shows an example of a measure confirmation screen when each measure is assigned according to the conditions described above. In addition, as shown in Figure 25, the countermeasure scenario model 114c may include a constraint equation for determining the countermeasure to be assigned to each countermeasure stage, together with the countermeasure stage name and transition conditions between countermeasure stages. .

FIG. 26 is a flowchart showing an example of countermeasure scenario generation processing performed by the countermeasure scenario generation means 111. As shown in FIG. 26, the countermeasure scenario generation means 111 first extracts a constraint equation (measure priority determination policy) of the countermeasure stage from the countermeasure scenario model 114c (step S301). Next, the measure scenario generation unit 111 evaluates the measure plan generated by the measure plan generation unit 105 according to the constraint formula, selects a measure that best matches the constraint formula, and assigns it to the stage (step S302). This is performed for all countermeasure stages defined in the countermeasure scenario model 114c.

Based on the countermeasure scenario generated by the countermeasure scenario generation means 111, the countermeasure execution determination means 112 determines a countermeasure to be executed according to the event notified from the event collection means 211. For example, when the event received from the event collection unit 211 satisfies a transition condition to another countermeasure stage, the countermeasure execution determination unit 112 transitions the countermeasure stage (updates the current state), and The countermeasure assigned to the transition countermeasure stage is determined as the countermeasure to be executed. When the measure stage changes and the measure to be executed is determined, the measure execution determination unit 112 notifies the measure execution unit 203 of the measure. The measure execution determination unit 112 determines whether the current measure stage power is a condition that satisfies the transition condition to another measure stage at a fixed timing only when an event is received from the event collection unit 211. If the current time exceeds the threshold time, or if the elapsed time since the current countermeasure has been exceeded exceeds the threshold time, the countermeasure stage is transitioned in the same way as the state transition due to the occurrence of an event. .

[0150] For example, in the scenario scenario model 114c shown in FIG. 23, if the current countermeasure stage is the same day countermeasure stage and the event collecting means 211 is notified of a worm occurrence event, the countermeasure execution determining means 112 is , The same day measure stage power thing transition condition "力 In response to the occurrence of a problem, the state is shifted from the current countermeasure stage to the emergency countermeasure stage, and the countermeasure implementation means 203 is requested to implement the countermeasure assigned to the emergency countermeasure stage. After that, when the event collection means 211 notifies the event of worm convergence and the current time exceeds a predetermined threshold, it follows the transition condition “Warm convergence 'time> threshold 1” from the emergency countermeasure stage. The current countermeasure stage is transitioned to the normal countermeasure stage, and the countermeasure implementation means 203 is requested to implement the countermeasure assigned to the normal countermeasure stage.

[0151] Thus, by generating a countermeasure scenario that defines a plurality of countermeasure stages that perform state transitions according to a predetermined condition, a more realistic countermeasure can be implemented. Further, the countermeasure execution determination means 112 analyzes the event and determines the countermeasure to be executed, so that it is possible to implement a dynamic countermeasure according to the situation of the attack and the network usage situation.

[0152] That is, the security administrator can implement step-by-step measures, such as taking measures that can be easily done as an emergency measure and gradually shifting to ideal measures. The reason for this is that when a measure with a low development cost is implemented first, and then the optimum measure is taken into account other conditions (costs), a typical measure implementation pattern is generated as a measure scenario. It is because it can be implemented.

Industrial applicability

The present invention can be applied to uses such as a security operation management tool that collects system vulnerabilities and applies appropriate countermeasures. It can also be applied to security policy compliance tools that guarantee the security status of the system based on the policy.

[0154] Within the scope of the entire disclosure (including claims) of the present invention, the embodiment or examples can be changed and adjusted based on the basic technical idea. Various combinations and selections of various disclosed elements are possible within the scope of the claims of the present invention.

Claims

The scope of the claims

[1] A security risk management system for managing security risks in a target system,

State analysis means for analyzing the state of the target system;

A risk judging means for judging a security risk of the target system based on an analysis result of the state analyzing means;

Degree of risk reduction that indicates the degree of security risk that is reduced by implementing predetermined measures on the target system when it is determined by the risk determination means that the security risk exceeds a predetermined allowable range. And a measure plan selecting means for selecting a measure plan for reducing the security risk based on the degree of restriction indicating the size of various constraints generated in the target system by implementing the predetermined measure. Security risk management system characterized by

[2] With regard to the countermeasure proposal selected by the countermeasure proposal selecting means, countermeasure proposal information output means for outputting countermeasure proposal information including the risk reduction degree of the countermeasure and the degree of restriction of each countermeasure;

Measure execution means for executing predetermined processing for reducing security risk in accordance with the measure proposal selected by the measure proposal selection means.

The security risk management system according to claim 1.

[3] The state analysis means analyzes at least the presence / absence of the vulnerability of the target system and the value of the target system,

The risk determination means includes the presence / absence of vulnerability of the target system, the asset value of the target system, a threat model in which the occurrence frequency of security threats is defined in advance, and the manifestation of threats based on the presence / absence of vulnerability in advance. Based on a threat vulnerability model that defines the relationship between vulnerabilities and threats in advance, and a threat asset model that defines the relationship between threats and assets related to the impact of asset manifestation in advance! / And calculating a risk value indicating the degree of security risk of the target system,

The countermeasure proposal selection means is based on a vulnerability-one countermeasure model that defines countermeasure means for reducing the security risk due to each vulnerability in advance and by implementing each countermeasure means in advance. Based on the countermeasure constraint model that defines the degree of constraint that indicates the size of various constraints that occur in the target system! /, The countermeasure means that the risk value after implementation and the various constraint degrees match the predetermined conditions, Select as a countermeasure plan

The security risk management system according to claim 1 or claim 2.

[4] Measure stage transition rules that define transition conditions from the countermeasure stage for each countermeasure stage that is defined according to the implementation stage of the countermeasure and to which the countermeasure to be implemented is associated are stored. Storage means;

By assigning one of the countermeasure proposals selected by the countermeasure proposal selecting means to each countermeasure stage indicated by the countermeasure stage transition rule according to a predetermined condition, the countermeasure countermeasure for deviation is determined at the timing of deviation. And a countermeasure scenario generation means for generating a countermeasure scenario indicating whether to execute

The security risk management system according to any one of claims 1 to 3.

[5] According to the countermeasure stage transition rule, the countermeasure stage is set on the countermeasure scenario generated by the countermeasure scenario generation means based on at least the state change of the target system, the current time, or the elapsed time since the countermeasure was implemented. Measure execution decision means that decides the countermeasure plan to be executed by making a transition

The security risk management system according to claim 4.

[6] A security risk management system for managing security risks in the target system,

The target system for risk management, and a risk management device connected to the target system via a communication network,

The target system is:

A current state analysis means for determining whether the target system has a vulnerability and transmitting the determination result to the risk management system;

Asset analysis means for determining the value of the target system and transmitting the determination result to the risk management system;

The risk management device includes: Information collection means for collecting vulnerability information indicating the presence or absence of the vulnerability of the target system and asset information indicating the value of the target system from the target system, and at least as a risk model for determining security risk, The threat model, which is the information indicating the frequency of occurrence of each threat in security, and the threat that is the information indicating the relationship between the existence of each vulnerability related to the manifestation of the threat for each threat indicated in the threat model A risk model storage means for storing, for each threat indicated in the threat model, a threat asset model, which is information indicating the degree of influence on the assets of the target system due to the manifestation of the threat,

As a countermeasure model for determining countermeasure means, a vulnerability one countermeasure model that is information indicating countermeasure means that can be implemented at least for each vulnerability indicated by the threat vulnerability model, and the vulnerability one countermeasure model. A countermeasure model storage means for storing a countermeasure constraint model, which is information indicating the degree of various constraints of the countermeasure means,

By analyzing the vulnerability information and asset information collected by the information collection means using each model stored in the risk model storage means, the frequency of occurrence of each threat in the target system and each threat A risk analysis means for calculating a risk value based on the magnitude of the vulnerability of the target system and the degree of impact on the assets of the target system when each threat becomes apparent;

When the risk value calculated by the risk analysis means exceeds a predetermined allowable range, the countermeasure means for the vulnerability found to exist is analyzed using each model stored in the countermeasure model storage means Therefore, there is a countermeasure plan generation means for selecting a countermeasure measure whose risk value and various degrees of restriction after the implementation meet predetermined conditions as a countermeasure plan.

Security risk management system characterized by this.

A security risk management device that manages security risks in the target system.

A risk determining means for determining a security risk of the target system based on a state of the target system; Degree of risk reduction that indicates the degree of security risk that is reduced by implementing predetermined measures on the target system when it is determined by the risk determination means that the security risk exceeds a predetermined allowable range. And a measure plan selecting means for selecting a measure plan for reducing the security risk based on the degree of restriction indicating the size of various constraints generated in the target system by implementing the predetermined measure. A security risk management device characterized by comprising:

[8] With regard to the countermeasure proposal selected by the countermeasure proposal selection means, countermeasure proposal information output means for outputting countermeasure proposal information including the risk reduction degree of the countermeasure and the degree of restriction of each countermeasure;

The security risk management device according to claim 7.

[9] The risk determination means includes the presence / absence of vulnerability in the target system, the asset value of the target system, a threat model in which the occurrence frequency of security threats is defined in advance, and the manifestation of threats due to the presence / absence of vulnerability in advance. Based on a threat vulnerability model that predefines the relationship between the vulnerabilities and threats related to escalation and a threat asset model that defines the relationship between threats and assets related to the impact of asset manifestation in advance. ! /, Calculate a risk value indicating the degree of security risk of the target system,

The countermeasure proposal selection means includes a vulnerability one countermeasure model that defines countermeasure means for reducing the security risk due to each vulnerability in advance, and various restrictions that occur in the target system by implementing each countermeasure means in advance. Based on the countermeasure constraint model that defines the degree of constraint that indicates the size of the project! /, Select countermeasure measures that meet the specified conditions for the risk value and various restrictions after implementation.

The security risk management device according to claim 7 or 8.

[10] Measure stage transition rules that define transition conditions from the countermeasure stage are stored for each countermeasure stage that is defined according to the implementation stage of the countermeasure and to which the countermeasure to be implemented is associated. Storage means;

Any of the countermeasure proposals selected by the countermeasure proposal selecting means is determined according to a predetermined condition. And a countermeasure scenario generation means for generating a countermeasure scenario indicating whether the countermeasure plan for deviation is executed at the timing of deviation by assigning to each countermeasure stage indicated by the countermeasure stage transition rule according to

The security risk management device according to any one of claims 7 to 9.

[11] According to the countermeasure stage transition rule, the countermeasure stage is set on the countermeasure scenario generated by the countermeasure scenario generation means based on at least the state change of the target system, the current time, or the elapsed time since the countermeasure was implemented. Measure execution decision means that decides the countermeasure plan to be executed by making a transition

The security risk management device according to claim 10.

[12] A security risk management device that manages security risks in the target system.

Information collection means for collecting vulnerability information indicating the presence or absence of the vulnerability of the target system and asset information indicating the value of the target system from the target system, and at least as a risk model for determining security risk, The threat model, which is the information indicating the frequency of occurrence of each threat, and the threat, which is the information indicating the relationship between the existence of each vulnerability related to the manifestation of the threat, for each threat indicated in the threat model A risk model storage means for storing, for each threat indicated in the threat model, a threat asset model, which is information indicating the degree of influence on the assets of the target system due to the manifestation of the threat,

By analyzing the vulnerability information and asset information collected by the information collection means using each model stored in the risk model storage means, the frequency of occurrence of each threat in the target system and each threat The risk value is calculated based on the degree of vulnerability to the system and the degree of impact on the assets of the target system when each threat becomes apparent Risk analysis means to

When the risk value calculated by the risk analysis means exceeds a predetermined allowable range, the countermeasure means for the vulnerability found to exist is analyzed using each model stored in the countermeasure model storage means Therefore, a countermeasure plan generation means is provided for selecting a countermeasure measure that has a risk value after implementation and various restrictions satisfying predetermined conditions as a countermeasure measure.

Security risk management apparatus characterized by the above.

[13] A security risk management method for managing security risks in the target system.

A state analysis step of analyzing the state of the target system;

A risk determination step of determining a security risk of the target system based on the analysis result; and

When it is determined that the security risk exceeds a predetermined allowable range, the risk reduction degree indicating the degree of the security risk to be reduced by implementing the predetermined countermeasure on the target system and the predetermined countermeasure are implemented. And a measure plan selection step for selecting a measure plan for reducing the security risk based on the degree of constraint indicating the size of various constraints generated in the target system.

Security risk management method characterized by the above.

[14] For the selected countermeasure plan, a countermeasure plan information output step for outputting countermeasure plan information including the risk reduction degree of the countermeasure and the degree of constraint of the countermeasure,

A countermeasure execution step for executing a predetermined process for reducing the security risk according to the selected countermeasure plan

The security risk management method according to claim 13.

[15] In the state analysis step, at least the presence / absence of the vulnerability of the target system and the value of the target system are analyzed,

In the risk determination step, the presence / absence of vulnerabilities in the target system, the asset value of the target system, the threat model in which the occurrence frequency of security threats is defined in advance, and the manifestation of threats due to the presence / absence of vulnerabilities in advance Predefined relationship between vulnerability and threat Threat A risk value that indicates the degree of security risk of the target system based on the vulnerability model and the threat asset model that defines the relationship between the asset and the threat related to the impact on the asset due to the manifestation of the threat. To calculate

In the countermeasure proposal selection step, a vulnerability one countermeasure model that defines countermeasure means for reducing security risks due to each vulnerability in advance, and various restrictions that occur in the target system by implementing each countermeasure means in advance. Based on the countermeasure constraint model that defines the degree of constraint indicating the magnitude, select countermeasure measures that meet the prescribed conditions for the risk value and various restrictions after implementation.

15. The security risk management method according to claim 13 or claim 14.

[16] Any of the selected countermeasure proposals is a countermeasure stage that is defined according to the implementation stage of the countermeasure according to a predetermined condition, and is applied to each countermeasure stage to which the countermeasure to be implemented is associated. Therefore, by assigning to each countermeasure stage indicated by the countermeasure stage transition rule that defines the transition conditions from the countermeasure stage, a countermeasure scenario that indicates whether or not to implement the countermeasure for deviation is executed at the timing of deviation. Including countermeasure scenario generation step to generate

The security risk management method according to any one of claims 13 to 15.

[17] A countermeasure to be executed by transitioning the countermeasure stage on the countermeasure scenario based on at least the state change of the target system, the current time, or the elapsed time since the countermeasure was implemented, according to the countermeasure stage transition rule. Includes steps to determine the implementation of measures

The security risk management method according to claim 16.

[18] A security risk management method for managing security risks in the target system.

The target system determines whether there is a vulnerability in the target system, and transmits the determination result to the risk management system;

The target system determining the value of the target system and transmitting the determination result to the risk management system; A step in which the risk management device collects vulnerability information indicating whether or not there is a vulnerability in the target system and asset information indicating the value of the target system from the target system, and the risk management device collects the information Vulnerability information and asset information collected by means of a threat model, which is information indicating the frequency of occurrence of each security threat, and each vulnerability related to the manifestation of threats for each threat indicated in the threat model. Threats, which are information indicating the relationship between the presence of threats and threats, which are information indicating the degree of impact on the assets of the target system due to the manifestation of threats, for each threat indicated by the threat model Analysis using a model, the frequency of occurrence of each threat in the target system, the magnitude of the vulnerability to each threat, and the Calculating the risk value based on the degree of influence asset serial systems,

When the calculated risk value exceeds a predetermined allowable range, the risk management device is a vulnerability list that is information indicating countermeasures that can be implemented for each vulnerability indicated in the threat vulnerability model. Using the countermeasure model and the countermeasure countermeasure model indicated by the vulnerability-one countermeasure model, the countermeasure constraint model, which is information indicating the degree of various restrictions of the countermeasure means, is used to determine the countermeasure means against the vulnerabilities that have been discovered. And selecting the countermeasure means that the risk value and various restrictions after implementation meet the specified conditions by analyzing as a countermeasure plan.

Security risk management method characterized by the above.

A security risk management program for managing security risks in a target system,

On the computer,

A state analysis process for analyzing the state of the target system;

A risk determination process for determining the security risk of the target system based on the analysis result; and

When it is determined that the security risk exceeds a predetermined allowable range, the risk reduction degree indicating the degree of the security risk to be reduced by implementing the predetermined countermeasure on the target system and the predetermined countermeasure are implemented. To reduce the security risk based on the degree of restriction indicating the size of various restrictions generated in the target system. Measures selection process for selecting measures

Security risk management program to execute.

[20] On the computer,

About the selected countermeasure plan, countermeasure plan information output processing for outputting countermeasure plan information including the risk reduction degree of the countermeasure and the degree of constraint of the countermeasure, and

In order to execute a countermeasure execution process for executing a predetermined process for reducing the security risk in accordance with the selected countermeasure plan

20. The security risk management program according to claim 19.

[21] On the computer,

In the state analysis process, at least analyze whether the target system is vulnerable and the value of the target system,

In the risk judgment process, whether the target system is vulnerable, the asset value of the target system, a threat model in which the frequency of security threats is defined in advance, and the threat manifesting in advance based on the presence of vulnerability Based on a threat vulnerability model that predefines the relationship between vulnerabilities and threats, and a threat asset model that predefines the relationship between threats and assets related to the impact of asset realizations! / And calculating a risk value indicating the degree of security risk of the target system,

In the countermeasure proposal selection process, a vulnerability-one countermeasure model that defines countermeasure means for reducing the security risk due to each vulnerability in advance, and various restrictions that occur in the target system by implementing each countermeasure means in advance. Based on the countermeasure constraint model that defines the degree of constraint indicating the size of the !!, the countermeasure means that the risk value after implementation and the degree of restriction meet the specified conditions is selected as a countermeasure plan.

21. The security risk management program according to claim 19 or claim 20.

[22] On the computer,

One of the selected countermeasure proposals is a countermeasure stage defined according to the implementation stage of the countermeasure in accordance with a predetermined condition, and for each countermeasure stage to which the countermeasure to be implemented is associated. By assigning to each countermeasure stage indicated by the countermeasure stage transition rule that defines the transition conditions from the countermeasure stage, the deviation countermeasure proposal! To generate the countermeasure scenario generation process that generates the countermeasure scenario that indicates when to execute

The security risk management program according to any one of claims 19 to 21.

[23] On the computer,

In accordance with the countermeasure stage transition rule, the countermeasure plan to be executed is determined by transitioning the countermeasure stage on the countermeasure scenario based on at least the state change of the target system, the current time, or the elapsed time since the countermeasure was implemented. 23. The security risk management program according to claim 22, wherein the countermeasure execution decision process is executed.

[24] A security risk management program for managing security risks in the target system,

On the computer,

A process of collecting vulnerability information indicating whether or not there is a vulnerability in the target system and asset information indicating the value of the target system from the target system;

Vulnerability information and asset information collected by the information collection means are classified into threat models, which are information indicating the frequency of occurrence of security threats, and threats that are manifested for each threat indicated by the threat models. Threats that are information indicating the relationship between the existence of each vulnerability Vulnerability models and threats that are information indicating the impact on the assets of the target system due to the manifestation of threats for each threat indicated in the threat model Analysis using the asset model, the frequency of occurrence of each threat in the target system, the level of vulnerability to each threat, and the degree of impact on the asset of the target system when each threat becomes apparent Processing to calculate a risk value based on

When the calculated risk value exceeds a predetermined allowable range, a vulnerability countermeasure model that is information indicating countermeasures that can be implemented for each vulnerability indicated by the threat vulnerability model; and By analyzing the countermeasures for the vulnerabilities whose existence has been discovered by using the countermeasure constraint model, which is information indicating the degree of various restrictions of the countermeasure means, for each countermeasure means indicated by the vulnerability one countermeasure model, Processing to select countermeasure measures that meet the specified conditions for risk values and various restrictions after implementation as countermeasure measures Security risk management program to execute.