摘要
针对信息安全认证中产品更新换代周期短与安全需求增加之间矛盾突出的问题,提出基于威胁树分析的产品安全关键件识别方法。首先确定产品的资产列表,并对资产进行威胁树分析确定基本事件,对基本事件进行权重赋值和量化,计算威胁发生的概率;结合威胁发生的损失严重程度,计算资产的安全重要度并排序,从而识别出产品的安全关键件。以智能卡芯片为例进行了实例验证,识别出了其安全关键件,验证了此方法合理可行,对信息安全产品认证中变更控制实施具有重要参考意义。
In view of the contradiction between the short update cycle of product and the increasing security requirements in information security certification,this paper proposes a method for recognizing security key components based on threat tree analysis. Firstly,the asset list of products is determined,and the basic events are determined by threat tree analysis. The basic events are weighted and quantified to calculate the probability of threat occurrence. Combined with the severity of the loss caused by the threat,the security importance of assets is calculated and ranked,so as to recognize the security key components of products. Taking smart card chip as an example,its security key components are identified,and the method is proved to be reasonable and feasible. It has great significance for alteration control in information security product certification.
作者
陶文卿
张俊彦
陈清明
Tao Wenqing;Zhang Junyan;Chen Qingming(Shanghai Information Security Testing Evaluation and Certification Center,Shanghai 200011,China)
出处
《信息技术与网络安全》
2019年第3期4-8,共5页
Information Technology and Network Security
基金
科技部国家重点研发计划项目(2016YFF0204003)
关键词
安全关键件
威胁树
信息安全产品认证
security key component
threat tree
information security product certification