信息安全风险评估的漏洞分析及评估方法改进.pdf

Master Dissertation of Chongqing University Loopholes Analysis of Information Security Risk Assessment and Improvement of Evaluation Method Master Candidate: Li Ge Supervisor: Prof. Fu Li Major: Computer Software and Theory (Software Engineering Domain ) School of Software Engineering Chongqing University Oct. 2007 摘要在信息安全保障越来越受业内人士关注的今天,风险评估作为信息安全管理的一个重要环节,对保障企事业单位的基础信息系统安全起着非常重要的作用。但是,目前我国的信息安全风险评估工作刚刚起步,具体的评估方法、指标体系、支撑软件等还很不完善,或者缺乏现实的可操作性。本文针对风险评估中非常重要的部分:技术脆弱性及其对应的威胁的评估,提出了一种新的具有良好可操作性的评估方法。本文的研究工作以“重庆市级部门信息安全风险评估”项目(合同编号: 200612002 )为基础,对风险评估和漏洞分析的关系作了深入的研究。信息安全风险评估中,有两大关键因素: “脆弱性严重程度”和“威胁出现频率”,但是目前的计算方法对此大多是定性的,简单的以“高”, “中”,“低”概括, 难以进行风险值的计算;或者给出的评估标准过于粗糙,对评估人员的经验和水平依赖太大,不同的评估人员对同一对象的评估结果可能相去甚远;或者需要的数据在实际工作中难以获得,可操作性不强。本文在具体分析了漏洞与“脆弱性严重程度”和“威胁出现频率”的关系的基础上,提出了“脆弱性严重程度”和“威胁出现频率”新的赋值方法。同时, 提出了对风险评估流程的改进意见,总结了漏洞分析的具体流程。通过使用新的赋值方法,一定程度上改变了以往风险赋值阶段过于依赖评估者经验,评估结果过于主观化,可操作性不强等缺点。最后,通过仿真试验,用具体例证再次说明了漏洞分析与风险评估的关系, 并验证了新赋值方法的有效性。关键词:风险评估,漏洞,脆弱性,威胁 ABSTRACT Today, information security es increasingly a concern for the industry, risk assessment information security management as an important link in the protection of enterprises and institutions based informati on system security plays a very important role. However, at present China's information security risk assessment work has just started the specific assessment methods, inde x system support software, and so is very imperfect or the lack of realistic operational. This paper is very important in the risk assessment of the parts: technical vulnerab ility and its correspondi ng threat assessment, a new and good workable approach. This paper studies "Chongqing municipal depa rtments of information security risk assessment" project (contract number: 200612002) based on risk assessment and analysis of the loopholes in relations made in-depth studies. there are two key factors in Information Security Risk Assessment: "the extent of vulnerability" and the "threat of frequency," but the curren t me