10538
(GCB)
(SSDLC)
2
(Advanced Persistent Threat)
(Cyber-warfare)
3
2015
APT
DDoS
The News Lens
4
2016
http://www.ithome.com.tw/tags/%E5%8B%92%E7%B4%A2%E8%BB%9F%E9%AB%94
5
From Machine-to-Machine to the Internet of Things: Introduction to a New Age of Intelligence
99%2020500
6
(GCB)
(SSDLC)
7
90 93 97 101 105
90-93
()
1003
94-97
()
901
98-101
()
102-105
()
1018
1035
1051
(1/4)
8
(2/4)
90-93 94-97 98-101 106-109
()
102-105
1 . 0
2 . 0
- (SOC) CISO
- G-ISAC SPMO
- (GCB) CIIP
(ISMS)
(CISO) (G-SOC)
(CIIP)
9
(3/4)
10
11
(4/4)
(SPMO)
(102-105)
20 52
12
13
ide@Taiwan 2020 (1/2)
App
CERT
14
ide@Taiwan 2020 (2/2)
()
14
C
B
A
15
16
A B C
ISMS ISMS
IDS/IPS, Web, APT
SOC
()
(
)
17
(7 categories, 29 controls)
NIST
1. Access Control (3): Account Management, Least Privilege, Remote Access
2. Audit and Accountability (6): Audit Events, Content of Audit Records, Audit Storage Capacity, Response to Audit Processing Failures, Time Stamps, Protection of Audit Information
3. Contingency Planning (2): Information System Backup, Redundancy of Information Systems
4. Identification and Authentication (5): Identification and Authentication, Device Identification and Authentication, Authenticator Management, Authenticator Feedback, Cryptographic Module Authentication
5. System and Services Acquisition (8): System Development Life Cycle-Requirement, System Development Life Cycle-Design, System Development Life Cycle-Develop, System Development Life Cycle-Test, System Development Life Cycle-Deployment and Maintenance, System Development Life Cycle-Outsourcing, Acquisition Process, Information System Documentation
6. System and Communications Protection (2): Transmission Confidentiality and Integrity, Protection of Information at Rest
7. System and Information Integrity (3): Flaw Remediation, Information System Monitoring, Software, Firmware, and Information Integrity
18
+
19
20
20
1 (1~6)
2 (7~9)
3 (10~15)
4 (16~22)
5 (23~29)
6 (30~34)
21
G-ISMS
CI
(Baseline)
CI
CI
22
(GCB)
(SSDLC)
23
(GCB)
Windows 7
Account Policy 9
Computer Energy Policy 4
Computer Settings 225
User Settings 8
Windows 7 Firewall
Windows 7 Firewall Settings 35
Internet Explorer 8
Internet Explorer 8 Computer Settings
110
Internet Explorer 8 User Settings 5
396
24
(Government Configuration Baseline, GCB)
GCB
(Microsoft Windows, Linux, Unix, iOS, Android, VM)
(IE, Chrome, Firefox, Safari, Opera)
(Wireless, Switch, Router, Firewall)
(Microsoft Office, Web Server, Mail Server, Database)
GCB
25
GCB
26
102 103 104 105 106 107
Win7 (281)
Win Server 2008 R2 (332)
RHEL 5(190)
Win 8.1 (340)
Win10 Win Server 2012/2016
IE8 (115)
IE11 (154)
Chrome Firefox Edge
Wireless (19)
Juniper Firewall
Cisco Switch
Exchange Server 2013
Outlook 2013
Apache
(SDLC)
->->->->
()
Security design in & build in
27
(Secure Software Development Lifecycle, SSDLC)
MS - SDL
Cigital TouchPoint Model
28
SSDLC
(Requirements)
(Design) (Threat Modeling)
(Implementation)
(Testing) ()
(Deployment & Maintenance)
29
SSDLC
100
30
RFP
SSDLC
31
(NIST)
http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
32
(1/2)
(PDCA)
(Confidentiality) (Integrity) (Availability)
NIST SP800-100
ISO/IEC 27001
CNS 27014
33
(2/2)
ISACA COBIT 5
(Evaluate) (Direct) (Monitor)
(Plan)
(Do)
(Check)
(Act)
(Evaluate)
(Direct)
(Monitor)
34
1.
2.
4.
3.
1.
CNS 27014:2013, ISO/IEC 38500:2008, ISACA COBIT 5, NIST SP800-100, ISO/IEC 27001:2013
4.
2.
ISO/IEC 15504-2:2003, ISO/IEC 15504-7:2008
3.
35
P.3
M.4
O.1
O.2
O.3
O.4
4 18
36
1
2
3
4
5
P.1
P.
?
P.1.1
2.
3.
1. 18
37
ABC
A B C
M.
M.3
M.3.2
?
1
2
2
1
3 2
1
1()
4
3
3
3
5
2~3
2~3
2~3
38
1047~10 10410~11 1051~10512
1.
2.
3.
4.
1.
2. AB C
3.
4.
1.
2.
39
(GCB)
(SSDLC)
40
41