Government Information Security Policy and Development Direction (政府資安政策與發展方向), Executive Yuan Office of Information and Communication Security (行政院資通安全辦公室), Wu Chi-wen (吳啟文), ROC 105/3/8 (8 March 2016)

Slides: s.itho.me/infosec/2016/GS3.pdf. Closing points from the page summary: improve information-security and cybercrime reporting; expand the investigative organisation and recruit investigators; strengthen cross-strait and transnational cooperation against crime.

  • Government Configuration Baseline (GCB)

    Secure Software Development Lifecycle (SSDLC)

    2

  • (Advanced Persistent Threat)

    (Cyber-warfare)

    3

  • 2015

    APT

    DDoS

    The News Lens

    4

  • 2016

    http://www.ithome.com.tw/tags/%E5%8B%92%E7%B4%A2%E8%BB%9F%E9%AB%94 (iThome tag 勒索軟體, ransomware)

    5

  • From Machine-to-Machine to the Internet of Things: Introduction to a New Age of Intelligence

    99%2020500

    6

  • Government Configuration Baseline (GCB)

    Secure Software Development Lifecycle (SSDLC)

    7

  • Timeline, ROC years 90 / 93 / 97 / 101 / 105 (2001 / 2004 / 2008 / 2012 / 2016), slide (1/4)

    90-93 (2001-2004): ()

    94-97 (2005-2008): ()

    98-101 (2009-2012): ()

    102-105 (2013-2016): ()

    Milestone dates on the slide (ROC year/month): 90/1, 100/3, 101/8, 103/5, 105/1

    8

  • (2/4)

    ROC years 90-93, 94-97, 98-101, 102-105, 106-109

    ()

    1.0

    2.0

    - Security Operation Center (SOC), CISO

    - G-ISAC (Government ISAC), SPMO ()

    -

    -

    -

    - Government Configuration Baseline (GCB), Critical Information Infrastructure Protection (CIIP)

    Information Security Management System (ISMS)

    Chief Information Security Officer (CISO), Government SOC (G-SOC)

    Critical Information Infrastructure Protection (CIIP)

    9

  • (3/4)

    10

    /

    ()

    ()

    ()

    ()

    ()

    ()

    (

    )

    (

    )

  • 11

    (4/4)

    ()

    ()

    ()

    ()

    ()

  • (SPMO)

    (102-105)

    20 52

    12

  • 13

    ide@Taiwan 2020 (1/2)

    App

    CERT

  • 14

    ide@Taiwan 2020 (2/2)

    ()

    14

  • C

    B

    A

    15

  • 16

    A B C

    ISMS ISMS

    IDS/IPS, Web, APT

    SOC

    ()

  • (

    )

    17

  • NIST control families cited on the slide (7 families, 29 items; the family and control names follow NIST SP 800-53)

    1. Access Control (3)

    Account Management, Least Privilege, Remote Access

    2. Audit and Accountability (6)

    Audit Events, Content of Audit Records, Audit Storage Capacity, Response to Audit Processing Failures, Time Stamps, Protection of Audit Information

    3. Contingency Planning (2)

    Information System Backup, Redundancy of Information Systems

    4. Identification and Authentication (5)

    Identification and Authentication, Device Identification and Authentication, Authenticator Management, Authenticator Feedback, Cryptographic Module Authentication

    5. System and Services Acquisition (8)

    System Development Life Cycle - Requirement, System Development Life Cycle - Design, System Development Life Cycle - Develop, System Development Life Cycle - Test, System Development Life Cycle - Deployment and Maintenance, System Development Life Cycle - Outsourcing, Acquisition Process, Information System Documentation

    6. System and Communications Protection (2)

    Transmission Confidentiality and Integrity, Protection of Information at Rest

    7. System and Information Integrity (3)

    Flaw Remediation, Information System Monitoring, Software, Firmware, and Information Integrity

    18
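The six Audit and Accountability items in the list above map directly onto code: which events are recorded, what each record carries, what happens when storage runs out, how time is stamped, and how the records are protected from tampering. The following is an added example written for this page; it is not code from the talk or from any government system. The event names, record fields, the HMAC-chained integrity scheme and the 4096-byte default capacity are all assumptions chosen for illustration.

```python
"""Tamper-evident audit trail covering the six 'Audit and Accountability'
items: audited events, record content, storage capacity, response to audit
processing failures, time stamps, and protection of audit information.

Added example for illustration; not code from the talk or any government
system.  Event names, field names and the capacity limit are assumptions."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Audit Events: the event types that policy says must be recorded (assumed list).
AUDITED_EVENTS = {"login", "logout", "privilege_change", "config_change", "file_access"}


class AuditStorageFull(Exception):
    """Raised when a record would exceed capacity: the caller must fail closed."""


class AuditTrail:
    def __init__(self, key: bytes, capacity_bytes: int = 4096, clock=None):
        self._key = key                  # integrity key; never stored with the log
        self._capacity = capacity_bytes  # Audit Storage Capacity (assumed limit)
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._records = []
        self._used = 0
        self._prev_mac = "0" * 64        # chain anchor for the first record

    def _mac(self, body: dict) -> str:
        # Protection of Audit Information: HMAC over the canonical record, which
        # includes the previous MAC, so edits, deletions and reordering all break
        # the chain on verification.
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hmac.new(self._key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()

    def record(self, event: str, subject: str, obj: str, outcome: str, source: str):
        if event not in AUDITED_EVENTS:
            return None                  # not an auditable event, nothing stored
        body = {
            # Time Stamps: UTC with an explicit offset so records from different
            # hosts can be correlated.
            "ts": self._clock().isoformat(timespec="seconds"),
            # Content of Audit Records: who did what, to what, from where, result.
            "event": event, "subject": subject, "object": obj,
            "outcome": outcome, "source": source,
            "prev": self._prev_mac,
        }
        mac = self._mac(body)
        size = len(json.dumps(body, sort_keys=True, separators=(",", ":"))) + len(mac)
        if self._used + size > self._capacity:
            # Response to Audit Processing Failures: refuse rather than silently
            # drop the record; the caller should abort the audited action.
            raise AuditStorageFull(f"audit store at {self._used}/{self._capacity} bytes")
        entry = dict(body, mac=mac)
        self._records.append(entry)
        self._used += size
        self._prev_mac = mac
        return entry

    def export(self) -> list:
        return [dict(r) for r in self._records]

    def verify(self, records) -> tuple:
        """Re-walk the chain; returns (True, -1) or (False, index of first bad record)."""
        prev = "0" * 64
        for i, r in enumerate(records):
            body = {k: v for k, v in r.items() if k != "mac"}
            if body.get("prev") != prev:
                return False, i
            if not hmac.compare_digest(self._mac(body), str(r.get("mac", ""))):
                return False, i
            prev = r["mac"]
        return True, -1


def demo() -> dict:
    """Write three records, then show that an edit and a deletion are both detected."""
    trail = AuditTrail(key=b"demo-key-do-not-use-in-production")
    trail.record("login", "alice", "portal", "success", "10.0.0.5")
    trail.record("privilege_change", "alice", "role:admin", "success", "10.0.0.5")
    trail.record("logout", "alice", "portal", "success", "10.0.0.5")
    intact = trail.export()
    edited = [dict(r) for r in intact]
    edited[1]["outcome"] = "denied"      # attacker rewrites one field
    deleted = [intact[0], intact[2]]     # attacker removes the middle record
    return {"intact": trail.verify(intact), "edited": trail.verify(edited),
            "deleted": trail.verify(deleted)}


if __name__ == "__main__":
    print(demo())
```

The verification key must live somewhere the logging host cannot overwrite (an HSM, a separate log-collection host, or at least a key the log writer cannot read back), otherwise an attacker with host access simply re-signs the chain after editing it.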

  • +

    19

  • 20

    -() -

    - - - - - - -

    - - -

    - -

    - - -

    20

  • 1 (1~6)

    3 (10~15)

    4 (16~22)

    5 (23~29)

    6 (30~34)

    2 (7~9)

    21

  • G-ISMS

    CI

    (Baseline)

    CI

    CI

    22

  • Government Configuration Baseline (GCB)

    Secure Software Development Lifecycle (SSDLC)

    23

  • Government Configuration Baseline (GCB): Windows 7 baseline, by group and number of settings

    Windows 7
      Account Policy: 9
      Computer Energy Policy: 4
      Computer Settings: 225
      User Settings: 8

    Windows 7 Firewall
      Windows 7 Firewall Settings: 35

    Internet Explorer 8
      Internet Explorer 8 Computer Settings: 110
      Internet Explorer 8 User Settings: 5

    Total: 396 settings (9 + 4 + 225 + 8 + 35 + 110 + 5)

    24
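A baseline such as the Account Policy group above is only useful if hosts are actually checked against it. The following is an added example of such a check, written for this page; it is not the GCB itself and not government code. It parses the file that `secedit /export /cfg <file>` writes on Windows (the `[System Access]` setting names are the ones Windows uses) and compares it with a small baseline whose required values are assumptions chosen for illustration, not the official GCB values. The sample export is constructed.

```python
"""Compliance check of an exported Windows local security policy against a
small account-policy baseline, in the spirit of the GCB 'Account Policy' group.

Added example, not the GCB itself and not government code.  BASELINE holds
assumed values for illustration, not the official GCB settings; the setting
names are those written by `secedit /export /cfg <file>` under [System Access]."""
import re
from typing import Dict, List, Tuple

# Assumed baseline: setting -> (required value, comparison).
#   "min": host value must be >= required
#   "max": host value must be <= required
#   "eq":  host value must equal required
BASELINE = {
    "MinimumPasswordLength": (12, "min"),
    "PasswordComplexity": (1, "eq"),
    "PasswordHistorySize": (3, "min"),
    "MaximumPasswordAge": (90, "max"),
    "MinimumPasswordAge": (1, "min"),
    "LockoutBadCount": (5, "max"),
    "ResetLockoutCount": (15, "min"),
    "LockoutDuration": (15, "min"),
    "ClearTextPassword": (0, "eq"),
}
# For these settings 0 (or -1 for MaximumPasswordAge) switches the control off,
# so a value <= 0 must never pass a "max" check.
ZERO_MEANS_DISABLED = {"LockoutBadCount", "MaximumPasswordAge"}

# Constructed sample of a secedit export (UTF-16 on disk; shown decoded).
# Lockout is disabled, so Windows omits ResetLockoutCount and LockoutDuration.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 0
LockoutBadCount = 0
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-style export into {section: {key: value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def check_account_policy(export_text: str) -> List[Tuple[str, str, str, str]]:
    """Return one (setting, actual, expected, PASS/FAIL) row per baseline item."""
    actual = parse_inf(export_text).get("System Access", {})
    rows = []
    for key, (required, mode) in BASELINE.items():
        expected = {"min": ">=", "max": "<=", "eq": "=="}[mode] + f" {required}"
        raw = actual.get(key)
        if raw is None:
            # An absent setting is non-compliant, not "unknown": secedit drops the
            # lockout timers entirely when lockout is off.
            rows.append((key, "missing", expected, "FAIL"))
            continue
        try:
            value = int(raw)
        except ValueError:
            rows.append((key, raw, expected, "FAIL"))
            continue
        if key in ZERO_MEANS_DISABLED and value <= 0:
            ok = False
        elif mode == "min":
            ok = value >= required
        elif mode == "max":
            ok = value <= required
        else:
            ok = value == required
        rows.append((key, raw, expected, "PASS" if ok else "FAIL"))
    return rows


def compliance_summary(rows: List[Tuple[str, str, str, str]]) -> dict:
    return {"checked": len(rows), "failed": [r[0] for r in rows if r[3] == "FAIL"]}


if __name__ == "__main__":
    results = check_account_policy(SAMPLE_EXPORT)
    for setting, actual, expected, status in results:
        print(f"{setting:24} actual={actual:8} expected={expected:8} {status}")
    print(compliance_summary(results))
```

On a real host the export is UTF-16 with a BOM, so read it with `encoding="utf-16"` before passing the text in. Treating a missing setting as a failure rather than skipping it is deliberate: the absence of `LockoutDuration` is itself the finding, because it means lockout is off.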

  • GCB

    Operating systems: Microsoft Windows, Linux, Unix, iOS, Android, VM

    Browsers: IE, Chrome, Firefox, Safari, Opera

    Network devices: Wireless, Switch, Router, Firewall

    Applications: Microsoft Office, Web Server, Mail Server, Database

    GCB

    25

  • GCB roadmap, ROC years 102 / 103 / 104 / 105 / 106 / 107 (2013-2018); a number in parentheses is the count of settings in that baseline

    26

    Win7 (281)

    Win Server 2008 R2 (332)

    RHEL 5(190)

    Win 8.1 (340)

    Win10 Win Server 2012/2016

    IE8 (115)

    IE11 (154)

    Chrome Firefox Edge

    Wireless (19)

    Juniper Firewall

    Cisco Switch

    Exchange Server 2013

    Outlook 2013

    Apache

  • (SDLC)

    ->->->->

    ()

    Security design in & build in

    27

  • (Secure Software Development LifecycleSSDLC)

    MS-SDL (Microsoft Security Development Lifecycle)

    Cigital Touchpoints model

    28

  • SSDLC

    (Requirements)

    (Design) (Threat Modeling)

    (Implementation)

    (Testing) ()

    (Deployment & Maintenance)

    29

  • SSDLC

    100

    30

  • RFP

    SSDLC

    31

  • NIST Cybersecurity Framework

    http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

    32

  • (1/2)

    (PDCA)

    (Confidentiality)(Integrity)(Availability)

    NIST SP800-100

    ISO/IEC 27001

    CNS 27014

    33

  • (2/2)

    ISACA COBIT 5

    (Evaluate)(Direct)(Monitor)

    (Plan)

    (Do)

    (Check)

    (Act)

    (Evaluate)

    (Direct)

    (Monitor)

    34

  • 1.

    2.

    4.

    3.

    1.

    CNS 27014:2013, ISO/IEC 38500:2008, ISACA COBIT 5, NIST SP800-100, ISO/IEC 27001:2013

    4.

    2.

    ISO/IEC 15504-2:2003, ISO/IEC 15504-7:2008

    3.

    35

  • P.3

    M.4

    O.1

    O.2

    O.3

    O.4

    4 18

    36

  • 1

    2

    3

    4

    5

    P.1

    P.

    ?

    P.1.1

    2.

    3.

    1. 18

    37

  • ABC

    A B C

    M.

    M.3

    M.3.2

    ?

    1

    2

    2

    1

    3 2

    1

    1()

    4

    3

    3

    3

    5

    2~3

    2~3

    2~3

    38

  • 104/7~10, 104/10~11, 105/1~105/12 (ROC year/month)

    1.

    2.

    3.

    4.

    1.

    2. A, B, C

    3.

    4.

    1.

    2.

    39

  • Government Configuration Baseline (GCB)

    Secure Software Development Lifecycle (SSDLC)

    40

  • 41