
Research on Network Security Evaluation Method Based on Information Security Framework “Golden Triangle Model” (Cited by: 5)
Abstract: The frequency of network security incidents and the range of scenarios in which they occur are increasing rapidly as more industries go online, and the power industry is no exception. How to achieve overall security protection has gradually become an important research topic in the power industry. Compared with traditional network security protection methods, information system protection based on security assessment is more advanced and comprehensive, and can provide stable and reliable security technical support for the information systems of power units. Based on the information security framework "Golden Triangle Model", this paper uses CVSS to analyze the network security evaluation method. By analyzing the impact of asset vulnerabilities in power enterprise systems on each type of security attribute, the evaluation objective is achieved. In addition, the experiment builds an enterprise-level network information system modeled on a power enterprise. A simulated scan of this system finds the security risks in it, the evaluation criteria and specific parameters are obtained from the NVD vulnerability database, and the enterprise-level asset risk value is calculated. After a specific conversion, a qualitative enterprise-level network security evaluation result is obtained. Analysis of the experimental results verifies the feasibility and effectiveness of the network security evaluation method based on the availability attribute.
Authors: 左晓军, 陈泽, 董立勉, 常杰, 侯波涛 (ZUO Xiao-jun; CHEN Ze; DONG Li-mian; CHANG Jie; HOU Bo-tao), State Grid Hebei Electric Power Research Institute, Shijiazhuang, Hebei 050000, China
Source: Adhesion (《粘接》), CAS, 2020, No. 2, pp. 106-110 (5 pages)
Funding: 2018-2019 State Grid Hebei Electric Power science and technology project research topic (kj2018-047).
Keywords: availability; network security; evaluation method; security vulnerability