CN118133290A - Security assessment method and device of information technology system and electronic equipment - Google Patents
Security assessment method and device of information technology system and electronic equipment
- Publication number: CN118133290A (application CN202410309313.9A)
- Authority: CN (China)
- Prior art keywords: evaluation, data, risk, information technology, security
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
  - G06—COMPUTING OR CALCULATING; COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
          - G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
            - G06F21/577—Assessing vulnerabilities and evaluating computer system security
      - G06F17/00—Digital computing or data processing equipment or methods, specially adapted for specific functions
        - G06F17/10—Complex mathematical operations
          - G06F17/18—Complex mathematical operations for evaluating statistical data, e.g. average values, frequency distributions, probability functions, regression analysis
Abstract
The invention discloses a security assessment method and device for an information technology system, and an electronic device. The method comprises the following steps: acquiring an evaluation object to be subjected to security evaluation in an information technology system and a risk type of the evaluation object, wherein the evaluation object represents the security state of a different element or component in the information technology system; determining a risk level to which the risk type belongs, and determining weight data corresponding to the risk level; determining evaluation data of the evaluation object based on the weight data, wherein the evaluation data of the evaluation object is used for evaluating the security state of the corresponding evaluation object; determining evaluation data of the information technology system based on the evaluation data of the evaluation object; and evaluating the security state of the information technology system based on its evaluation data to obtain an evaluation result. The invention solves the technical problem of low security assessment accuracy for information technology systems.
Description
Technical Field
The present invention relates to the field of information technology systems, and in particular, to a security assessment method, apparatus and electronic device for an information technology system.
Background
Currently, evaluating whether an information technology (IT) system is secure can rely on manual auditing, but manual auditing has the following problems:
- Relying on manual judgment and subjective assessment is susceptible to personal preferences and experience, which may lead to a lack of objectivity and consistency in decisions; thus the objectivity of the assessment results is poor because of manual subjective decisions.
- Risks are difficult to identify and manage accurately by hand, so the IT system may be attacked and fail to operate normally; thus the risk to the IT system is uncontrollable.
- Manual auditing and evaluation require a great deal of time and human resources, which reduces processing efficiency and delays decisions.
- The inability to fully understand and track all assessment objects in an IT system results in a lack of management control over the overall IT environment; thus there is a lack of visibility into the IT system.
- Management of evaluation objects in the IT system relies on manual and cumbersome processes, including manual recording and tracking, which easily lead to errors and inaccurate asset information; thus there is a problem of low security assessment accuracy caused by manual tracking.
- Evaluation objects are distributed across different systems and departments, which complicates the sorting and analysis of such data and makes it difficult to form a global view; thus there is a problem of dispersed data.
In view of the above, relying on manual auditing and assessment of IT systems presents a number of challenges, including subjective decisions, uncontrollable risk, inefficiency, and security vulnerabilities. Therefore, the technical problem of low security assessment accuracy for information technology systems remains.
No effective solution has yet been proposed for the technical problem of low security assessment accuracy of information technology systems.
Disclosure of Invention
The embodiment of the invention provides a security evaluation method, a security evaluation device and an electronic device for an information technology system, which at least solve the technical problem of low security evaluation accuracy of the information technology system.
According to one aspect of an embodiment of the present invention, a security assessment method for an information technology system is provided. The method may include: acquiring an evaluation object to be subjected to security evaluation in an information technology system and a risk type of the evaluation object, wherein the evaluation object represents the security state of a different element or component in the information technology system; determining a risk level to which the risk type belongs, and determining weight data corresponding to the risk level, wherein different weight data represent the risk degrees of different risk levels; determining evaluation data of the evaluation object based on the weight data, wherein the evaluation data of the evaluation object is used for performing security evaluation on the security state of the corresponding evaluation object; determining evaluation data of the information technology system based on the evaluation data of the evaluation object; and evaluating the security state of the information technology system based on its evaluation data to obtain an evaluation result.
Optionally, determining a risk level to which the risk type belongs and determining weight data corresponding to the risk level includes: dividing risk types according to the risk degree to obtain corresponding risk grades; determining a risk attribute of the risk type, wherein the risk attribute is at least used for representing the severity of the risk type; determining weight data corresponding to the risk type based on the risk attribute; after determining the weight data corresponding to the risk type based on the risk attribute, the method further includes: and determining a deduction item of the risk type, wherein the deduction item is used for determining the evaluation data of the evaluation object, the deduction item at least comprises a first sub-item, a second sub-item and a third sub-item, the first sub-item is an item with a high deduction degree, the second sub-item is an item with a medium deduction degree, and the third sub-item is an item with a low deduction degree.
Optionally, determining the evaluation data of the evaluation object based on the weight data includes: and distributing corresponding weight data for the deduction item to obtain the evaluation data of the evaluation object.
Optionally, the evaluation object comprises a host, and the first sub-item comprises: the probe offline time of the host exceeds a time threshold, a port of the host is in an abnormal state, and the host has an operating system version, a database version and/or a process that is not allowed to run; the second sub-item comprises: an unrepaired threat patch exists in the operating system, and unrepaired vulnerabilities and/or risks exist on the host; the third sub-item comprises: the host is at risk of weak passwords, suspicious operations and/or brute-force cracking, and the host has abnormal logins, insufficient resources and/or misconfiguration.
Optionally, allocating corresponding weight data to the deduction item to obtain the evaluation data of the evaluation object comprises: in response to the evaluation object being a host, acquiring host state data of the host; in response to the detection result of the host state data being that the host state data is compliant, allocating weight data to the deduction items based on the security evaluation strategy of the host to obtain the deduction score of the host; and determining the evaluation data of the host based on the deduction score of the host. The method further comprises: in response to the detection result being that the state data is not compliant, setting the evaluation data of the host to zero and marking the evaluation data.
Optionally, the evaluation object comprises a network, and the first sub-item comprises: the network has a framework version that is not allowed and uses an insecure transmission protocol; the second sub-item comprises: a risk file or risk vulnerability exists in the network and has not been repaired; the third sub-item comprises: the network has abnormal Internet Protocol (IP) access, and the log of the network contains target information.
Optionally, allocating corresponding weight data to the deduction item to obtain the evaluation data of the evaluation object comprises: in response to the evaluation object being a network, acquiring network state data of the network; in response to the detection result of the network state data being that the network state data is compliant, allocating weight data to the deduction items based on the security assessment strategy of the network to obtain the deduction score of the network; and determining the evaluation data of the network based on the deduction score of the network.
Optionally, the method further comprises: in response to the detection result being that the network state data is not compliant, determining an organization information condition of the network state data, wherein the organization information condition represents whether the network state data contains organization information; and in response to the organization information condition being that organization information is present in the network state data, setting the evaluation data of the network to zero and marking the evaluation data.
According to another aspect of the embodiment of the invention, a security assessment device for an information technology system is also provided. The apparatus may include: an acquisition unit for acquiring an evaluation object to be subjected to security evaluation in the information technology system and a risk type of the evaluation object, wherein the evaluation object represents the security states of different elements or components in the information technology system; a first determining unit for determining the risk level to which the risk type belongs and determining weight data corresponding to the risk level, wherein different weight data represent the risk degrees of different risk levels; a second determining unit for determining, based on the weight data, evaluation data of the evaluation object, wherein the evaluation data of the evaluation object is used for performing security evaluation on the security state of the corresponding evaluation object; a third determining unit for determining evaluation data of the information technology system based on the evaluation data of the evaluation object; and an evaluation unit for evaluating the security state of the information technology system based on the evaluation data of the information technology system to obtain an evaluation result.
According to another aspect of embodiments of the present invention, there is also provided a computer-readable storage medium. The computer readable storage medium comprises a stored program, wherein the device in which the computer readable storage medium is located is controlled to execute the security assessment method of the information technology system according to the embodiment of the present invention when the program runs.
According to another aspect of an embodiment of the present invention, there is also provided a processor. The processor is used for running a program, wherein the security evaluation method of the information technology system is executed when the program runs.
According to another aspect of an embodiment of the present application, a computer program product is also provided. The computer program product comprises a computer program which, when executed by a processor, implements the method for evaluating the security of an information technology system according to the above-described embodiments of the present application.
In the embodiment of the invention, if an information technology system needs to be subjected to security evaluation, the elements and components in it that need to be evaluated can be analysed to obtain all evaluation objects to be subjected to security evaluation, and the security evaluation of the whole information technology system is integrated from the security evaluation of all the evaluation objects. The risk type of the risk borne by each evaluation object can be determined, a corresponding risk grade matched to each risk type, the degree of risk in the different risk grades analysed, and corresponding weight data matched. According to the weight data corresponding to the different risk types, the evaluation data of each evaluation object is obtained to perform security evaluation on that object, and from the evaluation data of all the evaluation objects the evaluation data of the whole information technology system is obtained, so that the security state of the whole system can be evaluated to obtain its evaluation result; that is, the security of the current information technology system can be determined from the evaluation data, so that unsafe conditions in the system can be found and resolved in a timely manner.
Because the embodiment of the invention addresses the problems of manually performing security evaluation of an information technology system, all evaluation objects in the system and the risk types borne by them can be analysed systematically, and weight data can be matched according to the risk level of each risk type, thereby achieving quantitative security evaluation of the information technology system, improving the accuracy of that evaluation, and solving the technical problem of low security evaluation accuracy.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. In the drawings:
FIG. 1 is a flow chart of a method of security assessment of an information technology system according to an embodiment of the present invention;
FIG. 2 is a flow chart of a host scoring process according to an embodiment of the invention;
FIG. 3 is a flow chart of a container scoring process according to an embodiment of the present invention;
FIG. 4 is a flow chart of a network scoring process according to an embodiment of the present invention;
FIG. 5 is a flow chart of one other resource scoring process according to an embodiment of the invention;
FIG. 6 is a schematic diagram of an information technology asset information management platform scoring model according to an embodiment of the invention;
FIG. 7 is a schematic diagram of a security assessment apparatus of an information technology system according to an embodiment of the present invention.
Detailed Description
In order to make the present invention better understood by those skilled in the art, the following description will be given in detail with reference to the accompanying drawings in which embodiments of the present invention are shown, and it is apparent that the described embodiments are only some, but not all, embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
According to an embodiment of the present invention, there is provided an embodiment of a security assessment method for an information technology system, it being noted that the steps shown in the flowchart of the drawings may be performed in a computer system such as a set of computer-executable instructions, and that, although a logical order is shown in the flowchart, in some cases, the steps shown or described may be performed in an order different from that shown or described herein.
FIG. 1 is a flow chart of a method for security assessment of an information technology system, according to an embodiment of the present invention, as shown in FIG. 1, the method may include the steps of:
Step S102, an evaluation object to be subjected to security evaluation in the information technology system and a risk type of the evaluation object are obtained.
In the solution provided in step S102 above, the information technology system may also be referred to as an IT asset system. The evaluation objects may characterize the security status of different elements or components in the information technology system, may be the IT assets to be security assessed in the information technology system, and may also be referred to simply as assets. An IT asset may be any of a variety of elements or components present in an IT system. IT assets play an important role in the IT environment of an IT system, and their security state is directly related to the security of the whole IT system. The risk type may represent the type of risk to which the evaluation object may be exposed, and may cover various aspects of IT asset security assessment. In the embodiment of the present invention, a corresponding score may be set for each evaluation object according to the risk type, and thus the risk type may also be referred to as a scoring item.
Alternatively, the assets may include hosts, networks (web), code, images, container orchestration (K8S for short), databases, middleware, load balancing, pipelines, domain names, network transport protocols (Internet Protocol, IP for short), applications (APP) and terminals, etc.
It should be noted that the above evaluation object is merely an example, and is not particularly limited herein. The information of the elements or components in the information technology system, which can reflect the security of the whole information technology system, is within the protection scope of the embodiment of the invention.
Alternatively, risk types may include intrusion events, compliance risks, high-risk vulnerabilities, security failures, data vulnerabilities, general vulnerabilities, misconfigurations, outdated versions, insufficient resources, abnormal behavior, and security suggestions, among others. It should be noted that the risk types mentioned above are only illustrative and are not limited in particular; any risk type that can comprehensively evaluate various aspects of the information technology system is within the scope of the embodiments of the present invention.
In this embodiment, various evaluation objects in the information technology system that need to be subjected to security evaluation may be acquired, and risk types corresponding to risks that each evaluation object may encounter may be analyzed separately.
Alternatively, to ensure accuracy of security assessment of the information technology system, elements and components included in the information technology system may be analyzed to determine assessment objects that can reflect security of the information technology system, i.e., to determine types of assets from the IT asset system. In order to ensure that the analysis of the safety states of the evaluation objects is accurate, risk types corresponding to different risks which each evaluation object can bear can be respectively determined, and the safety state of each evaluation object is determined through the risk types, so that the safety of the information technology system can be evaluated through the safety states of all the evaluation objects contained in the whole information technology system.
In the embodiment of the application, the security state evaluation can be carried out on the IT resources according to the risk types, the evaluation method can help to comprehensively know the security state of each IT asset, and the security state of the whole information technology system is determined based on the security state, so that corresponding security measures and improvement measures are conveniently formulated to ensure the security of the information technology system, and the technical effect of comprehensively and safely evaluating the information technology system is realized.
Step S104, determining the risk level to which the risk type belongs, and determining weight data corresponding to the risk level.
In the technical solution provided in step S104 above, the risk level may also be referred to as a risk grade, and different risk levels may use different scoring standards, which facilitates distinguishing between different risk types. Different weight data can represent the risk degrees of different risk levels; that is, different risk types differ to some extent, and different risk degrees can correspond to different weight data, so that weight data is matched to each risk type. Different risk types have different risk attributes, which may also be referred to simply as attributes. The weight data may represent the size of the weight that the risk level occupies.
In this embodiment, after the evaluation object to be subjected to the security evaluation in the information technology system and the risk type of the evaluation object are obtained, the risk levels to which different risk types respectively belong may be determined, and corresponding weight data may be matched for the risk types according to the level of the risk levels.
Alternatively, risk classes may be assigned to various risk types, and the risk of different risk classes may correspond to different scoring criteria, in this way, the risk of different risk types is comprehensively assessed and differentiated.
Optionally, since different risk types have corresponding risk attributes, and different risk attributes have different weights, if the risk type of the risk borne by a certain evaluation object is higher, that is, the corresponding risk attribute is more serious, a larger weight can be matched to the risk type of that evaluation object; if the risk type of the risk borne by a certain evaluation object is lower, that is, the corresponding risk attribute is less serious, a smaller weight can be matched to the risk type of that evaluation object. By matching weights in this way, corresponding scoring standards can be set for risk types of different risk grades.
Step S106, based on the weight data, the evaluation data of the evaluation object is determined.
In the technical solution of step S106 of the present invention, the evaluation data of the evaluation object may be used to perform security evaluation on the security status of the corresponding evaluation object, and may be a respective security score for each IT asset, which may also be referred to as an asset scoring result. The higher the security score is, the better the security state of the corresponding evaluation object can be indicated, if the security score is lower, the worse the security state of the corresponding evaluation object can be indicated, and the corresponding measures can be taken in the follow-up to solve the problem.
In this embodiment, after determining the risk level to which the risk type belongs and determining the corresponding weight data according to the risk level, the evaluation data of each evaluation object may be determined based on the weight data, and the quality of the security state of each evaluation object may be determined by the evaluation data of each evaluation object.
Optionally, each evaluation object contains at least one risk type. The evaluation data of the evaluation object can be determined according to the weight data of each risk type in the evaluation object.
In the embodiment of the application, the scoring items can be collected through the above steps, so that the types of the various assets in the information technology system can be sorted out, and the scoring items can include indicators such as security vulnerabilities, configuration errors and abnormal behaviors to evaluate the security states of the various assets. In addition, each scoring item can be quantified: the score value of each scoring item is obtained by allocating corresponding weight data to the different scoring items, and during quantification factors such as the severity and scope of influence of a risk can be analysed quantitatively to ensure the objectivity and accuracy of the scoring; the scores determined from the weight data of each scoring item can then be integrated to obtain the evaluation data of the asset, which improves the accuracy of the asset's security evaluation.
Alternatively, the security score of each asset may be calculated by using factors such as the scoring item, weight, etc. of each asset, where the security score may be indicative of the security of the asset.
Step S108, based on the evaluation data of the evaluation object, determining the evaluation data of the information technology system.
In the technical solution of the above step S108 of the present invention, the evaluation data of the information technology system may be used for performing security evaluation on the security status of the entire information technology system, and may be the security score of the entire information technology system, or may be referred to as the total score, or the application summary score of the assets of the entire IT system.
In this embodiment, after determining the evaluation data of each evaluation object in the information technology system based on the weight data of the risk type, the evaluation data of the entire information technology system may be integrated.
Optionally, the security score of each evaluation object in the information technology system is accumulated, so that the security score of the whole information technology system can be obtained.
Step S110, based on the evaluation data of the information technology system, the safety state of the information technology system is evaluated, and an evaluation result is obtained.
In the technical solution of step S110 of the present invention, the evaluation result may be used to characterize the security of the information technology system, the problems faced by the information technology system, the evaluation object where the problems are located, and the like, which are only illustrative and not specific limitations are imposed on the evaluation result.
In this embodiment, after the evaluation data of the information technology system is determined based on the evaluation data of the evaluation object, the security state of the information technology system may be evaluated based on the evaluation data of the information technology system to obtain the evaluation result.
Optionally, by comprehensively evaluating the risk type, level and attribute of the IT asset, the security score of the asset is calculated, which is helpful for the organization to comprehensively understand the security status of the IT asset, and accordingly, corresponding security policies and improvement measures are formulated, that is, after the evaluation data of the information technology system is determined, the obtained evaluation result can be used for helping related personnel to formulate corresponding security measures and improvement measures to timely solve the currently encountered risk and unsafe problems in the information technology system, so as to improve the security score of the information technology system and ensure the security of the resource.
In the embodiment of the application, through the whole security evaluation method, security is evaluated by systematically analyzing each evaluation object in the information technology system, and more personalized products and services can be provided, so that user demands are better met. Management of the information technology system changes from passive to active: rather than checking resource by resource by hand, after the information technology system has encountered a risk or problem, to find which resource has the problem and resolve it, the embodiment of the application can accurately locate the asset problem, find it and repair it in time, and can automate the whole process, thereby improving the security evaluation efficiency of the information technology system and further realizing the technical effect of improving its security evaluation accuracy.
In steps S102 to S110, if the information technology system needs to be subjected to security assessment, the elements and components in it that need to be assessed can be analysed to obtain each assessment object to be subjected to security assessment, and the security assessment of the whole information technology system is integrated from the security assessment of each assessment object. The risk type of the risk borne by each evaluation object can be determined, a corresponding risk grade matched to each risk type, the degree of risk in the different risk grades analysed, and corresponding weight data matched. According to the weight data corresponding to the different risk types, the evaluation data of each evaluation object is obtained to perform security evaluation on that object, and from the evaluation data of all the evaluation objects the evaluation data of the whole information technology system is obtained, so that the security state of the whole system can be evaluated to obtain its evaluation result; that is, the security of the current information technology system can be determined from the evaluation data, so that unsafe conditions in the system can be found and resolved in a timely manner. This achieves quantitative security evaluation of the information technology system, improves the accuracy of that evaluation, and solves the technical problem of low security evaluation accuracy of the information technology system.
The above-described method of this embodiment is further described below.
As an optional embodiment, step S104, determining a risk level to which the risk type belongs, and determining weight data corresponding to the risk level, includes: dividing risk types according to the risk degree to obtain corresponding risk grades; determining a risk attribute of the risk type, wherein the risk attribute is at least used for representing the severity of the risk type; determining weight data corresponding to the risk type based on the risk attribute; after determining the weight data corresponding to the risk type based on the risk attribute, the method further includes: and determining a deduction item of the risk type, wherein the deduction item is used for determining the evaluation data of the evaluation object, the deduction item at least comprises a first sub-item, a second sub-item and a third sub-item, the first sub-item is an item with a high deduction degree, the second sub-item is an item with a medium deduction degree, and the third sub-item is an item with a low deduction degree.
In this embodiment, when determining the risk level to which a risk type belongs and the weight data corresponding to that level, the risk types are classified by degree of risk to obtain the corresponding risk levels. The risk attributes of each risk type are determined, and the corresponding weight data are derived from those attributes. A deduction item is then determined for the risk type.
Optionally, the risk attribute represents at least the severity, scope of influence, likelihood, urgency and the like of the risk type; these are examples only, and the risk attribute is not specifically limited. The deduction item is used to determine the evaluation data of the respective evaluation object, may be the main deduction item of a risk type, and includes at least a first sub-item, a second sub-item and a third sub-item. The first, second and third sub-items differ between evaluation objects, so the deduction items need to be formulated for the actual evaluation object. The first sub-item is the item with a high degree of deduction and may also be called the disallowed item. The second sub-item is the item with a medium degree of deduction and may also be called the risk-level item. The third sub-item is the item with a low degree of deduction and may also be called the abnormal item.
It should be noted that, the sub-items included in the above-mentioned deduction items are only illustrative, and are not limited in particular herein, and any deduction item capable of determining the evaluation data of different evaluation objects is within the scope of the embodiments of the present invention.
Optionally, after each evaluation object of the information technology system and the risk types of each object have been determined, each risk type is classified into a risk level according to its degree of risk; for example, a risk type with a high degree of risk is assigned a high risk level. Corresponding weight data are then assigned to the different risk levels.
Alternatively, different risk types correspond to different deduction items, and deduction scores are set for the deduction items of the different degrees, so that the weight data and the deduction items can be combined to determine the security score of an evaluation object.
Optionally, 14 classes of assets are scored, which may include hosts, web applications, code, images, K8S, databases, middleware, load balancers, pipelines, domain names, IPs, APPs and terminals. The collection principle is to organise the scoring items by risk type, including intrusion events, compliance risks, high-risk vulnerabilities, security failures, data vulnerabilities, general vulnerabilities, misconfigurations, outdated versions, insufficient resources, abnormal behaviour and security suggestions. At the same time, the risk types are divided into risk levels, with different levels corresponding to different scores, and different risk attributes are distinguished within a risk type, with different attributes carrying different weights and deduction proportions.
As an optional embodiment, step S106, determining, based on the weight data, evaluation data of the evaluation object includes: and distributing corresponding weight data for the deduction item to obtain the evaluation data of the evaluation object.
In this embodiment, in determining the evaluation data of the evaluation object based on the weight data, the corresponding weight data may be matched for different deduction items, so as to obtain the evaluation data of the entire evaluation object.
Optionally, the risk types falling under different deduction items carry different deduction scores: for example, a smaller deduction score is set for the third sub-item, which has the lower degree of deduction and covers risk types of lower risk degree, and a larger deduction score is set for the first sub-item, which covers risk types of higher risk degree. If an evaluation object exhibits a risk type contained in one of the sub-items, the corresponding deduction score is deducted for that object. Because different risk types have different degrees of risk and their own weight data, the deduction score and the weight data of the risk types are combined to obtain the evaluation data.
Optionally, the deduction item of each risk type in the evaluation object is determined, giving the deduction score corresponding to each risk type; this is combined with the weight data of each risk type, that is, the deduction score of each risk type is multiplied by its weight data, and the products for all risk types of the evaluation object are accumulated to obtain the evaluation data of the evaluation object.
As an alternative embodiment, the evaluation object comprises a host, and the first sub-item comprises: the probe offline time of the host exceeds a time threshold, a port of the host is in an abnormal state, and the host runs an operating system version, a database version and/or a process that is not allowed to run; the second sub-item comprises: an unrepaired threat patch exists in the operating system, and unrepaired vulnerabilities and/or risks exist on the host; the third sub-item comprises: the host has a weak password, suspicious operations and/or a risk of brute-force cracking, and the host has abnormal logins, insufficient resources and/or a misconfiguration.
In this embodiment, if the evaluation object is a host, the first sub-item corresponding to the host may include that the probe offline time of the host exceeds a time threshold, the port of the host is in an abnormal state, the host has an operating system version that does not allow operation, the host has a database version that does not allow operation, and the host has a process that does not allow operation. The second sub-item corresponding to the host may include an unrepaired patch in the operating system, an unrepaired vulnerability in the host, or an unrepaired risk. The third sub-item of the host may include the host having a weak password, having a suspicious operation, having a risk of brute force cracking, having an abnormal login, having insufficient resources or being misconfigured, etc.
It should be noted that the above three sub-items are only illustrative, and the number of sub-items and the type of risk contained therein are not specifically limited.
Optionally, the time threshold may be a preset duration or may be set according to the actual situation, for example twenty-four hours; this is only an example, and the way the threshold is set and its duration are not specifically limited. The unrepaired patch in the operating system may be a threat patch. The risk of brute-force cracking may also be referred to as brute-force potential.
For example, the disallowed items among the primary deduction items in the host score may include: the probe has been offline for 24 hours or more, and there may be problems with a disallowed operating system version, a disallowed database version, disallowed processes, ports and the like. The disallowed items of the host are only illustrated here and are not specifically limited.
By way of further example, the risk-level items in the host score may include: an unrepaired threat patch, an unrepaired vulnerability on the host, and an unrepaired risk on the host. The risk-level items of the host are merely illustrative and are not particularly limited.
As an alternative example, the abnormal items in the host score may mainly include: the host has a weak password, suspicious operations, brute-force potential, abnormal logins, insufficient resources or incorrect configuration, and the like. This is merely an example, and the abnormal items of the host are not particularly limited.
As an optional embodiment, assigning corresponding weight data to the deduction items to obtain the evaluation data of the evaluation object includes: in response to the evaluation object being a host, acquiring host state data of the host; in response to the detection result of the host state data being that the host state data are compliant, assigning weight data to the deduction items based on the security evaluation policy of the host to obtain the deduction score of the host; and determining the evaluation data of the host based on the deduction score of the host. The method further includes: in response to the detection result being that the state data are not compliant, setting the evaluation data of the host to zero and marking the evaluation data.
In this embodiment, if the evaluation object is a host, the host state data of the host may be obtained, the host state data may be detected, and whether the host state data is compliant or not is determined in the detection process, so as to obtain a corresponding detection result. If the detection result is that the host state data is compliant, weight data can be distributed to the deduction item based on the security evaluation strategy of the host, so as to obtain the deduction score of the host. Based on the scoring of the host, evaluation data of the host may be determined. If the detection result is that the host state data is not compliant, the evaluation data of the host may be set to zero, and the evaluation data may be marked, where the host state data may be host related data. The security evaluation policy of the host may be stored in a scoring standard configuration file of the host, and the security evaluation policy may be a scoring rule.
Optionally, if the evaluation object to be evaluated safely is a host, host state data of the host may be obtained. It is possible to confirm whether the host status data of the host is compliant. If the host state data is not compliant, the security score of the host may be set to 0 and the security score may be specially marked.
Optionally, if the host state data is compliant, a corresponding score standard configuration file may be invoked, and the security score of the host may be calculated according to the scoring rules in the score standard configuration file. The risk types of the host can be deployed in the host evaluation list, each risk type and the corresponding deduction score can be determined from the host evaluation list, corresponding weight data are distributed, and the total score is calculated, namely, the security score of the host is determined.
As an alternative embodiment, the evaluation object comprises a network, and the first sub-item comprises: the network has a disallowed framework version and uses an insecure transmission protocol; the second sub-item comprises: a risk file or a risk vulnerability exists in the network and has not been repaired; the third sub-item comprises: the network has abnormal internet protocol access, and the log of the network contains target information.
In this embodiment, if the evaluation object is a network, the first sub-item corresponding to the network may include a disallowed framework version in the network and the use of an insecure transmission protocol by the network. The second sub-item corresponding to the network may include a risk file existing in the network, an unrepaired risk vulnerability existing in the network, and the like. The third sub-item of the network may include abnormal internet protocol access to the network and the presence of target information in the network log, where the target information may be sensitive information. It should be noted that the above three sub-items are merely illustrative and are not particularly limited here.
For example, the disallowed items among the primary deduction items in the web score may include: a disallowed framework version, a disallowed Jar package (Java Archive) or Jar version, an application process launched with super-user (root) privileges, a web backdoor, the use of an insecure transmission protocol, and the like, any of which may be problematic.
By way of further example, the risk-level items in the web score may mainly include a risk file existing in the web application and an unrepaired risk vulnerability existing in the web application. This is merely illustrative and does not limit the risk-level items of the web application in any way.
As an alternative example, the abnormal items in the web score may mainly include: abnormal IP access, abnormal User-Agent access, frequent 404 errors within a short time, sensitive information in the log, and the like. The abnormal items of the web application are only illustrated here and are not specifically limited.
For example, if the evaluation object is a container, the disallowed items among the primary deduction items of the container may include: the working directory (Dockerfile WORKDIR) is not an absolute path, the Dockerfile does not specify a user, and the like; the risk-level items of the container may include: the image has unrepaired emergency/high-risk/medium-risk/low-risk vulnerabilities; the abnormal items of the container may include: the last USER specified in the Dockerfile is root, and the like. It should be noted that the risk types included in the three sub-items are only examples and are not limited here.
As an optional embodiment, assigning corresponding weight data to the deduction items to obtain the evaluation data of the evaluation object includes: in response to the evaluation object being a network, acquiring network state data of the network; in response to the detection result of the network state data being that the network state data are compliant, assigning weight data to the deduction items based on the security evaluation policy of the network to obtain the deduction score of the network; and determining the evaluation data of the network based on the deduction score of the network.
In this embodiment, if the evaluation object is a network, the network state data of the network are acquired and detected, and during detection it is determined whether the network state data are compliant, giving a corresponding detection result. If the detection result is that the network state data are compliant, weight data are assigned to the deduction items based on the security evaluation policy of the network to obtain the deduction score of the network, and the evaluation data of the network are determined from that deduction score. The network state data may be web-related data. The security evaluation policy of the network may be stored in a scoring-standard configuration file of the network, and the security evaluation policy may be a scoring rule.
Optionally, if the evaluation object to be evaluated is a network, the network state data of the network are acquired and it is confirmed whether they are compliant. If the network state data are compliant, the corresponding scoring-standard configuration file is invoked to obtain the scoring rules, from which the security score of the network is calculated. The risk types of the network are deployed in the web evaluation list; each risk type and its corresponding deduction score are determined from the web evaluation list, the corresponding weight data are assigned, and the total score, that is, the web security score, is calculated.
As an alternative embodiment, determining an organization information condition of the network state data in response to the detection result being that the network state data is not compliant, wherein the organization information condition is used for representing whether the network state data has organization information; in response to the organization information condition being that there is organization information in the network state data, the assessment data for the network is set to zero and the assessment data is marked.
In this embodiment, if the detection result is that the network state data are not compliant, the organization information condition of the network state data is determined, that is, whether the network state data contain organization information. If they do, the evaluation data of the network are set to zero and a corresponding special mark is applied.
Optionally, if the evaluation object to be evaluated safely is a network, network state data of the network may be acquired, and whether the network state data of the network is compliant may be determined. If the network status data is not compliant, it may be further determined whether the network status data has organization information therein. If the network state data has organization information, the security score of the network can be set to 0, and the security score is specially marked.
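The following added example ties together the deduction formula of step S106 (deduction score times weight, accumulated over the risk types present), the host flow (non-compliant state data scores zero and is marked) and the web flow just described (non-compliant data is zeroed and marked only if it carries organization information, otherwise discarded). It is not code from the patent. The page gives no numeric weights, deduction scores or compliance criteria, so the weight table, the deduction scores per sub-item, the "100 minus deductions, floored at zero" scoring formula, the required fields that define compliance and the mean used for the system-level score are all assumptions, and the state data records are constructed samples.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed, illustrative values: weight follows the risk level, deduction score follows the sub-item.
LEVEL_WEIGHT = {"high": 1.0, "medium": 0.6, "low": 0.3}
SUBITEM_DEDUCTION = {"disallowed": 30, "risk": 15, "abnormal": 5}


@dataclass(frozen=True)
class RiskRule:
    """One line of an assumed scoring-standard configuration file."""
    level: str     # risk level, looked up in LEVEL_WEIGHT
    subitem: str   # first/second/third sub-item, looked up in SUBITEM_DEDUCTION


# Assumed host and web scoring lists, built from the sub-items the page enumerates.
HOST_RULES: Dict[str, RiskRule] = {
    "probe_offline_over_24h": RiskRule("high", "disallowed"),
    "disallowed_os_version": RiskRule("high", "disallowed"),
    "threat_patch_unrepaired": RiskRule("medium", "risk"),
    "vulnerability_unrepaired": RiskRule("medium", "risk"),
    "weak_password": RiskRule("low", "abnormal"),
    "abnormal_login": RiskRule("low", "abnormal"),
}
WEB_RULES: Dict[str, RiskRule] = {
    "disallowed_framework_version": RiskRule("high", "disallowed"),
    "insecure_transport_protocol": RiskRule("high", "disallowed"),
    "risk_vulnerability_unrepaired": RiskRule("medium", "risk"),
    "abnormal_ip_access": RiskRule("low", "abnormal"),
    "sensitive_info_in_log": RiskRule("low", "abnormal"),
}


@dataclass
class Evaluation:
    score: float
    marked: bool = False   # True when the score was forced to zero by the compliance gate
    reason: str = ""


def deduction_total(findings: List[str], rules: Dict[str, RiskRule]) -> float:
    """Step S106 formula: accumulate (deduction score x weight) over every risk type found."""
    total = 0.0
    for risk_type in findings:
        if risk_type not in rules:
            raise ValueError(f"risk type not in scoring list: {risk_type}")
        rule = rules[risk_type]
        total += SUBITEM_DEDUCTION[rule.subitem] * LEVEL_WEIGHT[rule.level]
    return total


def security_score(findings: List[str], rules: Dict[str, RiskRule], base: float = 100.0) -> float:
    """Assumption: the object's security score is a base of 100 minus the weighted deductions, floored at 0."""
    return max(0.0, base - deduction_total(findings, rules))


# Assumed compliance checks: the state record must carry the fields the scoring depends on.
def host_data_compliant(data: dict) -> bool:
    has_fields = all(data.get(k) for k in ("asset_id", "ip", "probe_last_seen"))
    return has_fields and isinstance(data.get("findings"), list)


def web_data_compliant(data: dict) -> bool:
    return all(data.get(k) for k in ("asset_id", "url")) and isinstance(data.get("findings"), list)


def evaluate_host(data: dict) -> Evaluation:
    """Host flow: non-compliant state data is scored 0 and marked; otherwise the host scoring list applies."""
    if not host_data_compliant(data):
        return Evaluation(0.0, marked=True, reason="host state data not compliant")
    return Evaluation(security_score(data["findings"], HOST_RULES))


def evaluate_web(data: dict) -> Optional[Evaluation]:
    """Web flow: non-compliant data is zeroed and marked only if it carries organization
    information; otherwise it is discarded (None) and never reaches the system score."""
    if not web_data_compliant(data):
        if data.get("organization"):
            return Evaluation(0.0, marked=True, reason="non-compliant data with organization info")
        return None
    return Evaluation(security_score(data["findings"], WEB_RULES))


def evaluate_system(evaluations: List[Optional[Evaluation]]) -> Optional[float]:
    """Assumed aggregation: mean score of the retained objects (zeroed-and-marked objects count as 0)."""
    kept = [e.score for e in evaluations if e is not None]
    return sum(kept) / len(kept) if kept else None


# Constructed sample state data.
SAMPLE_HOST = {"asset_id": "h-1", "ip": "10.0.0.5", "probe_last_seen": "2024-03-01T00:00:00Z",
               "findings": ["probe_offline_over_24h", "threat_patch_unrepaired", "weak_password"]}
SAMPLE_WEB = {"asset_id": "w-1", "url": "http://app.example.internal", "organization": "team-a",
              "findings": ["insecure_transport_protocol", "abnormal_ip_access"]}
SAMPLE_WEB_BAD = {"asset_id": "", "url": "", "organization": "team-b", "findings": []}
SAMPLE_WEB_ORPHAN = {"asset_id": "", "url": "", "findings": []}

if __name__ == "__main__":
    results = [evaluate_host(SAMPLE_HOST), evaluate_web(SAMPLE_WEB),
               evaluate_web(SAMPLE_WEB_BAD), evaluate_web(SAMPLE_WEB_ORPHAN)]
    for r in results:
        print(r)
    print("system score:", evaluate_system(results))
```

With the assumed tables the sample host loses 30 x 1.0 + 15 x 0.6 + 5 x 0.3 = 40.5 points and scores 59.5; the sample web application scores 68.5. The two gates behave differently on purpose: a host with broken state data is always visible as a marked zero, whereas an orphaned web record that cannot be attributed to any organization is dropped rather than silently pulling the system score down. Unknown risk types raise rather than being skipped, so a scoring list that is out of step with the collector is noticed instead of under-counting deductions.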
Optionally, the security evaluation method of the whole information technology system can be deployed in a corresponding IT asset information management platform to construct a corresponding scoring model.
In the embodiment of the invention, if the information technology system needs to be evaluated for security, the elements and components of the system that require evaluation are analysed to obtain all the evaluation objects, and the security evaluation of the whole system is assembled from the security evaluation of each object. The risk type of the risk borne by each evaluation object is determined, each risk type is matched with a risk level, the degree of risk at the different levels is analysed, and corresponding weight data are matched. Using the weight data of the different risk types, the evaluation data of each evaluation object are obtained and each object is evaluated; from the evaluation data of all the objects, the evaluation data of the whole information technology system are obtained, and the evaluation result of the system is derived from them. Because the embodiment addresses the shortcomings of manual security evaluation, all the evaluation objects in the information technology system and the risk types they bear are analysed systematically and weight data are matched according to the risk level of each risk type. This achieves a quantitative security evaluation of the information technology system, improves the accuracy of that evaluation, and so addresses the technical problem of low security evaluation accuracy.
Example 2
The technical solution of the embodiment of the present invention will be illustrated in the following with reference to a preferred embodiment.
Currently, IT asset management can only rely on manual auditing, but manual auditing can face the following problems:
Subjective decisions: relying on manual judgement and subjective assessment is susceptible to personal preference and experience. This leads to inconsistent decisions and a lack of objectivity and consistency, especially in the performance scoring of teams.
Uncontrollable risk: without an accurate risk assessment model it is difficult to identify and manage risks accurately, so a service may be attacked and unable to operate normally.
Low efficiency: manual auditing and evaluation consume a great deal of time and manpower, reducing processing efficiency and delaying decisions.
High risk and loss: the lack of accurate risk assessment leaves high-risk assets in place, increasing the enterprise's losses and exposure.
Lack of visibility: the condition of the entire IT estate, including hardware, software and network devices, cannot be fully understood or tracked, so managers lack control over the overall IT environment.
Manual tracking: IT asset management that depends on manual, cumbersome processes, including manual recording and tracking, is prone to error and to inaccurate asset information.
Data dispersion: asset information spread across different systems and departments is hard to organise and analyse, and a global view is difficult to form.
Security vulnerabilities: incomplete knowledge of the assets means some are not updated or repaired in time, increasing the threat to network and data security.
Wasted resources: because asset utilisation cannot be accurately evaluated and planned, hardware, software and human resources are wasted.
The above problems represent challenges in performing IT asset management, mainly including subjectivity of manual decisions, lack of risk assessment, inefficiency, and dispersion of data. In summary, the technical problem of low security assessment accuracy of the information technology system still exists in the related art.
However, the embodiment of the invention provides a scoring method based on IT asset security. If the information technology system needs to be evaluated for security, the method analyses the elements and components of the system that require evaluation to obtain the evaluation objects contained in the system, and performs the security evaluation of the whole system through the security evaluation of those objects. The risk type of the risk borne by each evaluation object is determined, each risk type is matched with a risk level, the degree of risk at the different levels is analysed, and corresponding weight data are matched. Using the weight data of the different risk types, the evaluation data of each evaluation object are obtained and each object is evaluated; from the evaluation data of all the objects, the evaluation data of the whole information technology system are obtained, and the evaluation result of the system is derived from them.
Because the embodiment addresses the shortcomings of manual security evaluation, all the evaluation objects in the information technology system and the risk types they bear are analysed systematically and weight data are matched according to the risk level of each risk type. This achieves a quantitative security evaluation of the information technology system, improves the accuracy of that evaluation, and so addresses the technical problem of low security evaluation accuracy.
Embodiments of the present invention are further described below.
In the embodiment of the invention, the security state of the various classes of IT assets is evaluated. The risk types are divided into risk levels, with different levels carrying different scores; different risk attributes are distinguished within a risk type, with different attributes carrying different weights and different deduction proportions; and finally the security score of the asset is measured across each dimension through an asset scoring formula.
Optionally, the scoring items are collected. The asset classes are organised to obtain the scoring items of each asset, and each scoring item is quantified to obtain its value.
Optionally, the security score is calculated. According to the asset scoring formula, the security score of each asset is calculated from its scoring items using the weights, proportions and the like. Finally, the security scores of the assets are combined by formula to obtain the final total score of the assets.
Optionally, the IT asset security management scoring model collects the scoring items of the 14 classes of assets, organised by risk type. The risk types are divided into risk levels, with different levels carrying different scores; different risk attributes are distinguished within a risk type, with different attributes carrying different weights and different deduction proportions; and the scoring items of each asset class are introduced one by one. The assets may include: hosts, web applications, code, images, K8S, databases, middleware, load balancers, pipelines, IPs, APPs and terminals. The risk types may include: intrusion events, compliance risks, high-risk vulnerabilities, security failures, data vulnerabilities, general vulnerabilities, misconfigurations, outdated versions, insufficient resources, abnormal behaviour and security suggestions.
Optionally, the primary deduction items in the host score include, but are not limited to: disallowed items (mainly the probe being offline for more than 24 hours, a disallowed operating system version, a disallowed database version, the presence of disallowed processes, ports and the like, any of which may be problematic); risk-level items (an unrepaired threat patch in the operating system, an unrepaired vulnerability on the host, and an unrepaired risk on a Linux host); and abnormal items (a weak password, suspicious operations, brute-force potential, abnormal logins, insufficient resources or incorrect configuration on the host, and the like). These provide the basis for the scoring formula.
Optionally, in the detailed host scoring process, the host scoring data and the scoring configuration file are obtained from a database; after the compliance of the data has been checked, they are passed to the IT asset security score calculation formula, the host attribute data are extracted according to the host scoring list to obtain the deduction score, and the total score is then calculated together with the basic information.
Optionally, fig. 2 is a flowchart of a host scoring process according to an embodiment of the present invention, and as shown in fig. 2, the method may include the steps of:
in step S201, host-related data is acquired.
In this embodiment, if the evaluation object to be evaluated safely is a host, the host-related data may be obtained.
Step S202, judging whether the host related data is compliant.
In this embodiment, it may be confirmed whether the host-related data is compliant. If the host-related data is not compliant, step S203 may be performed. If the host-related data is compliant, step S204 may be performed.
In step S203, the security score of the host is set to 0 and marked.
In this embodiment, if the host status data is not compliant, the security score of the host may be set to 0 and specially marked.
Step S204, a score standard configuration file is called, and each risk type score is calculated.
In this embodiment, if the host status data is compliant, a corresponding score criteria profile may be invoked to calculate the score of each risk type included in the host based on the scoring rules in the score criteria profile.
In step S205, a security score of the host is calculated.
In this embodiment, the total score of the whole host, i.e., the security score of the host, may be calculated by the score of each risk type in the host.
Optionally, in the detailed container scoring process, the container scoring data and the scoring configuration file are obtained from the database; after the compliance of the data has been checked, the score of a non-compliant container is set to 0, and compliant data are passed to the IT asset security score calculation formula, where the container attribute data are extracted according to the container scoring list to obtain the deduction score and the total score is calculated together with the basic information.
FIG. 3 is a flow chart of a container scoring process according to an embodiment of the invention, as shown in FIG. 3, the method may include the steps of:
in step S301, container related data is acquired.
In this embodiment, if the evaluation object to be evaluated for security is a container, container-related data may be acquired.
Step S302, judging whether the container-related data is compliant.
In this embodiment, it may be confirmed whether the container related data is compliant. If the container related data is not compliant, step S303 may be performed. If the container-related data is compliant, step S304 may be performed.
Step S303, the security score of the container is set to 0 and marked.
In this embodiment, if the container-related data is not compliant, the security score for the container may be set to 0 and specially marked.
Step S304, a score standard configuration file is called, and each risk type score is calculated.
In this embodiment, if the container-related data is compliant, a corresponding score criteria profile may be invoked to calculate the score of each risk type contained in the container based on the scoring rules in the score criteria profile.
Step S305, a security score of the container is calculated.
In this embodiment, the total score for the entire container, i.e., the security score for the container, may be calculated from the score for each risk type in the container described above.
Optionally, in the detailed network (rendered "web" in parts of the source) scoring flow, the network scoring data and the scoring configuration file may be read from the database. After the compliance check, non-compliant data is further checked for organization information: if organization information is present, the network score is set to 0 and marked; if not, the data is discarded as invalid. Compliant data is fed into the IT asset security score calculation formula, the network attribute data is extracted according to the network evaluation list to obtain the deduction score, and the total score is then calculated together with the basic information.
Fig. 4 is a flowchart of a network scoring process according to an embodiment of the present invention, as shown in fig. 4, the method may include the steps of:
In step S401, network-related data is acquired.
In this embodiment, if the evaluation object to be evaluated for security is a network, network-related data may be acquired.
Step S402, judging whether the network related data is compliant.
In this embodiment, it may be confirmed whether the network-related data is compliant. If the network-related data is compliant, step S406 may be performed. If the network-related data is not compliant, step S403 may be performed.
Step S403, determining whether the organization information is owned.
In this embodiment, if the network-related data is not compliant, it may be further determined whether the organization information is owned in the network-related data. If the organization information is owned, step S405 may be performed. If the organization information is not owned, step S404 may be performed.
Step S404, discard invalid data.
In this embodiment, if the network-related data is not compliant and the network-related data does not have organization information, the invalid data may be discarded, that is, the security evaluation of the network may be ended.
Step S405, the security score of the network is set to 0 and marked.
In this embodiment, if the network related data has organization information, the security score of the network may be set to 0 and the security score may be specially marked.
Step S406, a score standard configuration file is called, and each risk type score is calculated.
In this embodiment, if the network-related data is compliant, a corresponding score criteria profile may be invoked to obtain scoring rules in the score criteria profile to determine the score of each risk type in the network.
Step S407, calculating a security score of the network.
In this embodiment, the total score of the entire network, i.e., the security score of the network, may be calculated from the score of each risk type in the network.
Optionally, the scoring of the other dimensions follows the same process: for each type in the evaluation list, such as code, databases, domain names and load balancing, the score for that type is obtained by combining the data of that type, the score standard configuration file and the IT asset security score calculation formula according to the evaluation basis of that type.
FIG. 5 is a flow chart of one other resource scoring process according to an embodiment of the present invention, as shown in FIG. 5, the method may include the steps of:
In step S501, other parameters related to the application are acquired.
In this embodiment, other parameters related to the application may be obtained, for example, parameters related to the code, domain name, database, terminal, middleware, etc. to be evaluated for security may be obtained.
Step S502, judging whether other parameters are compliant.
In this embodiment, the acquired data (parameters) may be detected to determine whether the data is compliant, and if not, step S503 may be performed. If so, step S506 may be performed.
Step S503, determining whether the organization information is owned.
In this embodiment, it may be determined whether or not the obtained parameters have organization information, and if so, step S505 may be performed. If not, step S504 may be performed.
Step S504, discard invalid data.
In this embodiment, if the parameters are not compliant and do not carry organization information, the invalid data may be discarded, i.e., the security assessment of the current evaluation object may be ended.
In step S505, the security score is set to 0 and marked.
In this embodiment, if the above parameters have organization information, the security score of the corresponding evaluation object may be set to 0, and the security score may be specially marked.
Step S506, invoking the evaluation list corresponding to the evaluation object to be evaluated for security.
In this embodiment, the evaluation list corresponding to the evaluation object currently requiring security evaluation may be selected, where the evaluation lists may include a code evaluation list, a domain name evaluation list, a database evaluation list, a terminal evaluation list and a middleware evaluation list.
Step S507, a score standard configuration file is invoked and the score of each risk type is calculated.
In this embodiment, after the evaluation list of the evaluation object is invoked, the corresponding score standard configuration file may be invoked, and the scores of the risk types included in the current evaluation object are calculated from that configuration file.
Step S508, calculating the security score.
In this embodiment, the total score of the whole evaluation object, i.e., the security score of the evaluation object, can be calculated from the scores of the individual risk types in the evaluation list of that object.
Optionally, the above constitutes a complete set of scoring flows, evaluated against the bases of each type listed in the manifest and covering multiple dimensions such as code, databases, domain names and load balancing. The scoring process is the same for every dimension: according to the evaluation basis of each type, the specific score for that type is obtained by combining the data of that type, the score standard configuration file and the IT asset security score calculation formula. This design allows the security of information technology assets to be inspected and assessed comprehensively across a number of key dimensions, giving a security team a framework that ensures every asset type receives appropriate attention and evaluation. With an explicit evaluation basis and calculation formula, the scoring results become more objective and comparable, and provide solid support for security decisions.
Optionally, fig. 6 is a schematic diagram of the scoring model of an information technology asset information management platform. As shown in fig. 6, the model according to an embodiment of the present invention may include a production environment database, a host scoring process, a container scoring process, a network scoring process, other scoring processes, application metadata, a host score summary, a container score summary, a network score summary, other score summaries, a score weight profile, an application score summary process and an application summary score. The total asset score may be calculated with this scoring model: the data in the production environment database is distributed to the scoring processes, which use the IT asset security score calculation formula to produce the per-direction score summaries for the host, container, network and other dimensions; the application summary score and related information are then calculated by applying the security score calculation formula to those summaries together with the application metadata and the score weight profile.
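The scoring flows of Figs. 2 to 5 and the application summary of Fig. 6, written out as one scoring pass. This is an added example, not code from the patent or from the applicant's platform. The base score of 100, the high/medium/low deduction weights, the dimension weight profile, the risk-type labels attached to each deduction item and the sample asset records are all assumptions, and the "IT asset security score calculation formula" that the description refers to but does not give is replaced by a plain base-minus-deductions rule. The deduction items are the ones listed for hosts and networks in claims 4 and 6, and the branching on compliance and organization information follows steps S203/S303 (zero and mark), S404/S504 (discard) and S405/S505 (zero and mark).

```python
# Added example (not the patent's code). Base score, degree weights, dimension
# weights, risk-type labels and sample records are assumptions; deduction
# items follow claims 4 and 6; step numbers refer to Figs. 2 to 5.
from dataclasses import dataclass, field
from typing import Optional

# "Score standard configuration file": deduction item -> (risk type, degree).
# high/medium/low are the first/second/third sub-items of claim 2.
SCORE_STANDARD = {
    "host": {
        "probe_offline_over_threshold": ("availability", "high"),
        "port_abnormal": ("exposure", "high"),
        "disallowed_os_db_or_process": ("baseline", "high"),
        "missing_threat_patch": ("patching", "medium"),
        "unrepaired_vulnerability": ("vulnerability", "medium"),
        "weak_password": ("account", "low"),
        "abnormal_login": ("account", "low"),
        "misconfiguration": ("configuration", "low"),
    },
    "network": {
        "disallowed_framework_version": ("baseline", "high"),
        "insecure_transport_protocol": ("transport", "high"),
        "unrepaired_risk_file_or_vuln": ("vulnerability", "medium"),
        "abnormal_ip_access": ("access", "low"),
        "log_contains_target_info": ("logging", "low"),
    },
}
DEGREE_WEIGHT = {"high": 20, "medium": 10, "low": 5}  # assumed weight data
BASE_SCORE = 100                                     # assumed
DIMENSION_WEIGHT = {"host": 0.4, "network": 0.3,     # assumed score weight
                    "container": 0.2, "other": 0.1}  # profile (Fig. 6)
ZERO_WITHOUT_ORG_CHECK = {"host", "container"}       # Figs. 2 and 3 flows

@dataclass
class Asset:
    asset_id: str
    kind: str                # host / container / network / other
    compliant: bool          # outcome of the data compliance check
    has_org_info: bool       # organisation information present in the data
    findings: list = field(default_factory=list)  # deduction item names

@dataclass
class Result:
    asset_id: str
    score: float
    marked: bool = False     # score forced to 0 and specially marked
    risk_scores: dict = field(default_factory=dict)  # deduction per risk type

def score_asset(asset: Asset) -> Optional[Result]:
    """Score one evaluation object; None means the record was discarded."""
    if not asset.compliant:
        # Host/container: 0 and mark (S203/S303). Network/other: 0 and mark
        # only with organisation info (S405/S505), else discard (S404/S504).
        if asset.kind in ZERO_WITHOUT_ORG_CHECK or asset.has_org_info:
            return Result(asset.asset_id, 0.0, marked=True)
        return None
    standard = SCORE_STANDARD.get(asset.kind, {})
    risk_scores: dict = {}
    for item in asset.findings:
        if item not in standard:
            continue  # not a deduction item in the standard: no deduction
        risk_type, degree = standard[item]
        risk_scores[risk_type] = risk_scores.get(risk_type, 0) + DEGREE_WEIGHT[degree]
    total = max(0, BASE_SCORE - sum(risk_scores.values()))  # assumed formula
    return Result(asset.asset_id, float(total), risk_scores=risk_scores)

def summarize(assets: list) -> dict:
    """Per-dimension score summaries and the weighted application score."""
    per_dim: dict = {}
    marked = []
    for asset in assets:
        result = score_asset(asset)
        if result is None:
            continue                       # discarded records never count
        per_dim.setdefault(asset.kind, []).append(result.score)
        if result.marked:
            marked.append(asset.asset_id)  # keep the marks visible upstream
    dim_summary = {k: sum(v) / len(v) for k, v in per_dim.items()}
    # Renormalise the weight profile over the dimensions actually present
    # (assumption: a dimension with no data should not pull the score down).
    weights = {k: DIMENSION_WEIGHT[k] for k in dim_summary}
    total_weight = sum(weights.values())
    app_score = sum(dim_summary[k] * weights[k] for k in weights) / total_weight
    return {"dimensions": dim_summary, "application": round(app_score, 2),
            "marked": marked}

# Constructed sample records (not real assets).
SAMPLE_ASSETS = [
    Asset("host-01", "host", True, True,
          ["port_abnormal", "missing_threat_patch", "weak_password"]),
    Asset("host-02", "host", False, True),      # zero and mark
    Asset("net-01", "network", True, True,
          ["insecure_transport_protocol", "abnormal_ip_access"]),
    Asset("net-02", "network", False, False),   # discarded
    Asset("net-03", "network", False, True),    # zero and mark
]

if __name__ == "__main__":
    print(summarize(SAMPLE_ASSETS))
```

Two details matter for anyone reading the output. A marked object scores 0 but is reported separately from objects that scored 0 on their deductions, which is the point of the "specially marked" step: a host whose probe data failed the compliance check is an inventory or collection problem, not evidence that it is secure or insecure. A discarded record (non-compliant data with no organization information) leaves the denominator entirely, so it neither lowers nor inflates the dimension summary.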
In embodiments of the present invention, the scoring system provides a comprehensive and deep view of the security status of IT assets through multi-dimensional assessment, which helps to uncover threats that may exist across the whole estate rather than in one area only. The different types of scoring results help to determine the priority and urgency of security risks: by identifying which aspects are less secure, an organization can formulate and implement security improvement plans more specifically. Scoring and analysing the results periodically allows the security situation to be monitored continuously, and by comparing historical scores the organization can evaluate the effect of security improvements and adjust its security strategy in time. The output of the scoring system can be an important basis for decision support, helping management to formulate strategies and decisions that ensure the overall security of IT assets.
In the embodiment of the invention, the method can help enterprises to identify, manage and quantify risks better. It provides data support for business decisions, helping enterprises make better-informed decisions. Based on the asset scoring result, more personalized products and services can be offered to better meet user needs, and more accurate asset assessment can become a competitive advantage. Management changes from passive to active, so that asset problems are located accurately and in time, found precisely and repaired promptly. A comprehensive IT asset inventory, including hardware, software and network devices, helps an organization to understand and track the condition of its assets accurately. Automated management: an automated asset management flow is established, covering asset registration, updating, tracking and decommissioning, which improves management efficiency. Optimized resource utilization: data analysis based on the scoring model helps the organization to understand the utilization and value of its assets better and to optimize resource allocation. Security and compliance: by updating and maintaining asset information in time, security vulnerabilities and compliance risks are reduced, and the security of systems and data is safeguarded.
In the embodiment of the invention, if an information technology system needs to be evaluated for security, the elements and components of the system that require security evaluation can be analysed to obtain all evaluation objects in the system, and the security evaluation of the whole system is assembled from the security evaluations of all those objects. The risk types borne by each evaluation object can be determined, each risk type is matched to a risk level, the degree of risk at each risk level is analysed, and corresponding weight data is assigned. Using the weight data for the different risk types, the evaluation data of each evaluation object is obtained to evaluate that object, and from the evaluation data of all evaluation objects in the system the evaluation data of the whole system is obtained, from which the evaluation result of the system follows. Because the embodiment replaces manual security evaluation of the information technology system with a systematic analysis of all evaluation objects and the risk types they bear, and matches weight data to the risk level of each risk type, the system can be evaluated quantitatively; this improves the accuracy of the security evaluation and solves the technical problem of low security evaluation accuracy for information technology systems.
Example 3
According to an embodiment of the invention, a security assessment apparatus for an information technology system is also provided. The apparatus may be used to perform the security assessment method of the information technology system in embodiment 1.
Fig. 7 is a schematic diagram of a security assessment apparatus of an information technology system according to an embodiment of the present invention. As shown in fig. 7, the security assessment apparatus 700 of the information technology system may include: an acquisition unit 702, a first determination unit 704, a second determination unit 706, a third determination unit 708, and an evaluation unit 710.
The obtaining unit 702 is configured to obtain an evaluation object to be subjected to security evaluation in the information technology system, and a risk type of the evaluation object, where the evaluation object is used to characterize security states of different elements or components in the information technology system.
The first determining unit 704 is configured to determine a risk level to which the risk type belongs, and determine weight data corresponding to the risk level, where different weight data are used to represent risk degrees of different risk levels.
The second determining unit 706 is configured to determine, based on the weight data, evaluation data of an evaluation object, where the evaluation data of the evaluation object is used for performing security evaluation on a security state of the corresponding evaluation object.
A third determining unit 708 for determining evaluation data of the information technology system based on the evaluation data of the evaluation object.
And the evaluation unit 710 is configured to evaluate the security state of the information technology system based on the evaluation data of the information technology system, to obtain an evaluation result.
Alternatively, the first determining unit 704 may include: the first division module is used for dividing the risk types according to the risk degree to obtain corresponding risk grades; a first determining module, configured to determine a risk attribute of a risk type, where the risk attribute is at least used to characterize a severity of the risk type; and the second determining module is used for determining weight data corresponding to the risk type based on the risk attribute. The apparatus may further include: and the fourth determining unit is used for determining a deduction item of the risk type, wherein the deduction item is used for determining the evaluation data of the evaluation object and at least comprises a first sub-item, a second sub-item and a third sub-item, the first sub-item is an item with a high deduction degree, the second sub-item is an item with a medium deduction degree, and the third sub-item is an item with a low deduction degree.
Alternatively, the second determining unit 706 may include: the first distribution module is used for distributing corresponding weight data for the deduction items to obtain evaluation data of the evaluation objects.
Optionally, the first allocation module may include: the first acquisition sub-module is used for responding to the evaluation object as a host and acquiring host state data of the host; the first distribution sub-module is used for responding to the detection result of the host state data as the host state data compliance, distributing weight data for the deduction items based on the security evaluation strategy of the host, and obtaining the deduction score of the host; the first determining submodule is used for determining the evaluation data of the host computer based on the deduction score of the host computer; and the first processing sub-module is used for setting the evaluation data of the host to zero and marking the evaluation data in response to the detection result that the state data is not compliant.
Optionally, the first allocation module may include: the second acquisition sub-module is used for responding to the evaluation object as a network and acquiring network state data of the network; the second allocation sub-module is used for responding to the detection result of the network state data as the compliance of the network state data, and allocating weight information for the deduction items based on the security evaluation strategy of the network to obtain the deduction score of the network; and the second determination submodule is used for determining evaluation data of the network based on the deduction score of the network.
Optionally, the first allocation module may further include: a third determining submodule, configured to determine an organization information condition of the network state data in response to the detection result being that the network state data is not compliant, where the organization information condition is used to characterize whether the network state data has organization information; and the second processing sub-module is used for setting the evaluation data of the network to zero and marking the evaluation data in response to the organization information condition that the network state data has the organization information.
In the embodiment of the invention, an evaluation object to be subjected to security evaluation in an information technology system and the risk type of the evaluation object are acquired by the acquisition unit, where the evaluation object represents the security state of a particular element or component of the information technology system; the first determining unit determines the risk level to which the risk type belongs and the weight data corresponding to that risk level, where different weight data represent the risk degrees of different risk levels; the second determining unit determines the evaluation data of the evaluation object based on the weight data, where that evaluation data is used to evaluate the security state of the corresponding evaluation object; the third determining unit determines the evaluation data of the information technology system based on the evaluation data of the evaluation objects; and the evaluation unit evaluates the security state of the information technology system based on the evaluation data of the information technology system to obtain an evaluation result. This solves the technical problem of low security evaluation accuracy for information technology systems and achieves the technical effect of improving that accuracy.
Example 4
According to an embodiment of the present invention, there is also provided a computer-readable storage medium including a stored program, wherein the program executes the security assessment method of the information technology system in embodiment 1.
Example 5
According to an embodiment of the present invention, there is also provided a processor for running a program, wherein the program executes the security assessment method of the information technology system in embodiment 1.
Example 6
Embodiments of the present application also provide a computer program product. Alternatively, in this embodiment, the computer program product may include a computer program that, when executed by a processor, implements the security assessment method of the information technology system of the embodiment of the present application.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
In the foregoing embodiments of the present invention, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technology may be implemented in other manners. The above-described embodiments of the apparatus are merely exemplary, and the division of the units, for example, may be a logic function division, and may be implemented in another manner, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interfaces, units or modules, or may be in electrical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present invention, or the part of it that contributes over the prior art, may be embodied in the form of a software product stored in a storage medium, including instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes any medium that can store program code, such as a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk or an optical disk.
The foregoing is merely a preferred embodiment of the present invention and it should be noted that modifications and adaptations to those skilled in the art may be made without departing from the principles of the present invention, which are intended to be comprehended within the scope of the present invention.
Claims (10)
1. A method for security assessment of an information technology system, comprising:
Acquiring an evaluation object to be subjected to security evaluation in an information technology system and a risk type of the evaluation object, wherein the evaluation object is used for representing security states of different elements or components in the information technology system;
Determining a risk level to which the risk type belongs, and determining weight data corresponding to the risk level, wherein different weight data are used for representing risk degrees of different risk levels;
determining evaluation data of the evaluation object based on the weight data, wherein the evaluation data of the evaluation object is used for carrying out security evaluation on the security state of the corresponding evaluation object;
Determining evaluation data of the information technology system based on the evaluation data of the evaluation object;
and evaluating the security state of the information technology system based on the evaluation data of the information technology system to obtain an evaluation result.
2. The method of claim 1, wherein determining a risk level to which the risk type belongs and determining weight data corresponding to the risk level comprises:
Dividing the risk types according to the risk degrees to obtain the corresponding risk grades;
determining a risk attribute of the risk type, wherein the risk attribute is at least used for representing the severity of the risk type;
determining the weight data corresponding to the risk type based on the risk attribute;
After determining the weight data corresponding to the risk type based on the risk attribute, the method further includes: and determining a deduction item of the risk type, wherein the deduction item is used for determining evaluation data of the evaluation object, the deduction item at least comprises a first sub-item, a second sub-item and a third sub-item, the first sub-item is an item with a high deduction degree, the second sub-item is an item with a medium deduction degree, and the third sub-item is an item with a low deduction degree.
3. The method of claim 2, wherein determining evaluation data of the evaluation object based on the weight data comprises:
and distributing the corresponding weight data for the deduction item to obtain the evaluation data of the evaluation object.
4. The method of claim 3, wherein the evaluation object comprises a host, and wherein the first sub-item comprises: the probe offline time of the host exceeds a time threshold, the port of the host is in an abnormal state, and the host has an operating system version, a database version and/or a process which are not allowed to operate; the second sub-item includes: the operating system has an unrepaired threat patch, and the host has an unrepaired vulnerability and/or risk; the third sub-item includes: the host is at risk of weak passwords, suspicious operations, and/or brute force cracking, and the host is at risk of abnormal login, insufficient resources, and/or misconfiguration.
5. The method of claim 4, wherein assigning the respective weight data to the deduction items to obtain the evaluation data comprises:
Responding to the evaluation object as the host, and acquiring host state data of the host;
Responding to the detection result of the host state data as the host state data compliance, and distributing the weight data for the deduction item based on the security evaluation strategy of the host to obtain the deduction score of the host;
determining evaluation data of the host based on the deduction score of the host;
the method further comprises the steps of: and setting the evaluation data of the host to zero and marking the evaluation data in response to the detection result being that the state data is not compliant.
6. The method according to claim 3, wherein the evaluation object comprises a network and the first sub-item comprises: the network has an impermissible framework version, and the network uses an insecure transport protocol; the second sub-item comprises: a risk file or risk vulnerability in the network is not repaired; the third sub-item comprises: the network has abnormal internet protocol access, and the log of the network contains target information.
7. The method of claim 6, wherein assigning the respective weight data to the deduction items to obtain the evaluation data comprises:
acquiring network state data of the network in response to the evaluation object being the network;
Responding to the detection result of the network state data as the network state data compliance, and distributing the weight information for the deduction item based on the security assessment strategy of the network to obtain the deduction score of the network;
determining evaluation data of the network based on the deduction score of the network.
8. The method of claim 7, wherein the method further comprises:
Determining an organization information condition of the network state data in response to the detection result being that the network state data is not compliant, wherein the organization information condition is used for representing whether the network state data has organization information or not;
and setting the evaluation data of the network to zero and marking the evaluation data in response to the organization information condition being that the network state data has the organization information therein.
9. A security assessment apparatus for an information technology system, comprising:
an acquisition unit configured to acquire an evaluation object to be subjected to security evaluation in the information technology system and a risk type of the evaluation object, wherein the evaluation object is used for representing the security states of different elements or components in the information technology system;
the first determining unit is used for determining the risk level to which the risk type belongs and determining weight data corresponding to the risk level, wherein different weight data are used for representing the risk degrees of different risk levels;
a second determining unit configured to determine, based on the weight data, evaluation data of the evaluation object, where the evaluation data of the evaluation object is used for performing security evaluation on the security state of the corresponding evaluation object;
A third determination unit configured to determine evaluation data of the information technology system based on the evaluation data of the evaluation object;
and an evaluation unit configured to evaluate the security state of the information technology system based on the evaluation data of the information technology system to obtain an evaluation result.
10. An electronic device comprising a memory and a processor, the memory having stored therein a computer program, the processor being arranged to run the computer program to perform the method of security assessment of an information technology system according to any one of claims 1 to 8.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410309313.9A CN118133290A (en) | 2024-03-18 | 2024-03-18 | Security assessment method and device of information technology system and electronic equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410309313.9A CN118133290A (en) | 2024-03-18 | 2024-03-18 | Security assessment method and device of information technology system and electronic equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN118133290A true CN118133290A (en) | 2024-06-04 |
Family
ID=91231242
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410309313.9A Pending CN118133290A (en) | 2024-03-18 | 2024-03-18 | Security assessment method and device of information technology system and electronic equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN118133290A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN119449440A (en) * | 2024-11-13 | 2025-02-14 | 重庆印源科技发展有限公司 | A computer network information security protection method |
| CN119603069A (en) * | 2024-12-30 | 2025-03-11 | 重庆印源科技发展有限公司 | A computer network information security monitoring method |
Events
- 2024-03-18 CN CN202410309313.9A patent/CN118133290A/en active Pending
Similar Documents
| Publication | Title |
|---|---|
| US10438001B1 (en) | Identification, prediction, and assessment of cyber security risk |
| US12107869B1 (en) | Automated quantified assessment, recommendations and mitigation actions for enterprise level security operations |
| KR100755000B1 (en) | Security risk management system and method |
| US10691796B1 (en) | Prioritizing security risks for a computer system based on historical events collected from the computer system environment |
| EP3529733B1 (en) | Method for the continuous calculation of a cyber security risk index |
| US9760849B2 (en) | Assessing an information security governance of an enterprise |
| US8201257B1 (en) | System and method of managing network security risks |
| US9038187B2 (en) | Insider threat correlation tool |
| CN118133290A (en) | Security assessment method and device of information technology system and electronic equipment |
| Ismail et al. | A unified framework for cloud security transparency and audit |
| CN109246153A (en) | Network security situation analysis model and network security evaluation method |
| WO2019136282A1 (en) | Control maturity assessment in security operations environments |
| Kott et al. | The promises and challenges of continuous monitoring and risk scoring |
| US9692779B2 (en) | Device for quantifying vulnerability of system and method therefor |
| AU2020290431B2 (en) | Software application for continually assessing, processing, and remediating cyber-risk in real time |
| KR101292640B1 (en) | Method for Risk Management using Web based RMS linked with SSO |
| US20170324763A1 (en) | Methods and Systems for Predicting Vulnerability State of Computer System |
| Ghadermazi et al. | A machine learning and optimization framework for efficient alert management in a cybersecurity operations center |
| US10068094B2 (en) | System and method for tracing data access and detecting abnormality in the same |
| CN115525897A (en) | System detection method and device for terminal equipment, electronic device and storage medium |
| CN119182545A (en) | Automatically prioritize digital identity cyber risks |
| KR100902116B1 (en) | Identification and evaluation method of information asset |
| KR20050093196A (en) | Method and system for calculating a risk index in real-time of information assets |
| WO2018073711A1 (en) | Method for calculating the cybersecurity risk of an organization |
| Kuehn et al. | The Notion of Relevance in Cybersecurity: A Categorization of Security Tools and Deduction of Relevance Notions |
Legal Events
| Code | Title |
|---|---|
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |