Security evaluation for information assurance
Yong-tae Kim¹, Gil-cheol Park¹, Tai-hoon Kim¹, Sang-ho Lee²
¹ Dept. of Multimedia Engineering, Hannam University, Daejeon, Korea. {ky7762, gcpark, taihoonn}@hannam.ac.kr
² School of Electrical and Computer Engineering, Chungbuk National University, GaeSin Dong 12, Cheongju, Korea. shlee@chungbuk.ac.kr
Abstract
In general, threat agents' primary goals may fall into three categories: unauthorized access, unauthorized modification or destruction of important information assets, and denial of authorized access. Security countermeasures are implemented to prevent threat agents from successfully achieving these goals. Because the general systems of today are composed of a number of components such as servers and clients, protocols, services, and so on, the possibility of a successful attack may be increased. Although systems connected to networks have become more complex and widespread, research on these systems has unfortunately focused on 'performance' or 'efficiency'. While most of the attention in system security has been focused on encryption technology and protocols for securing data transactions, it is critical to note that a weakness (or security hole) in any one of the components may compromise the whole system. Security engineering is needed to reduce the security holes that may be included in information systems. This paper proposes a method for securing information systems by evaluating the security functions of system components, and it proposes information system security evaluation and certification for achieving the level of assurance that each owner of an information system wants to obtain.
1. Introduction
In general, threat agents' primary goals may fall into three categories: unauthorized access, unauthorized modification or destruction of important information assets, and denial of authorized access. Security countermeasures are implemented to prevent threat agents from successfully achieving these goals. Information assets consist of many components; the physical systems and the information stored or processed in those systems are examples of information assets. Therefore, a strategy that protects only the information is not a good one. If someone wants to protect or secure his valuable information, he must build countermeasures for the information systems themselves. Security countermeasures should be chosen with consideration of the applicable threats and of the security solutions deployed to support the appropriate security services and objectives. Subsequently, the proposed security solutions may be evaluated to determine whether residual vulnerabilities exist, and a managed approach to mitigating risks may be proposed. But there is a problem with security countermeasures: how can we believe that the countermeasures implemented will protect our information systems? Some answers to this question may exist, and those answers must assure us that the countermeasures can protect information systems from the threats. Evaluation is one such method and has been the traditional means of providing assurance. This paper identifies some components that should be evaluated and certified to assure that information systems are secure. The security objective of information systems will be obtained by protecting all areas of information systems, so not only the visible parts but also the non-visible parts must be protected. And to verify that all parts of information systems are protected, we should check that the scope of evaluation and certification covers all necessary parts.

* This work was supported by a grant from the Security Engineering Research Center of the Korea Ministry of Commerce, Industry and Energy.

0-7695-2945-3/07 $25.00 © 2007 IEEE DOI 10.1109/ICCSA.2007.55
3. Information...