Journal of Information Security Research, 2022, Vol. 8, Issue 1: 62-.
Online: 2022-01-09
Published: 2022-01-07
杨一未 (Yang Yiwei), 孙成昊 (Sun Chenghao)
(China Information Technology Security Evaluation Center, Beijing 100085)
Corresponding author:
杨一未 (Yang Yiwei), yangyw@itsec.gov.cn
Author biographies:
杨一未 (Yang Yiwei)
Master's degree, senior enterprise information manager. Main research interests: information security vulnerabilities, vulnerability database construction, critical information infrastructure security, information security management, and big data analytics.
yangyw@itsec.gov.cn
孙成昊 (Sun Chenghao)
Master's degree, associate research fellow. Main research interests: information security risk assessment and vulnerability analysis.
sunch@itsec.gov.cn
References:
[1] Cyberspace Administration of China. Cybersecurity Law of the People's Republic of China [EB/OL]. (2016-11-07)[2017-06-01]. http://www.cac.gov.cn/2016-11/07/c_1119867116_3.htm
[2] Cyberspace Administration of China. Regulations on the security protection of critical information infrastructure (draft for comment) [EB/OL]. (2017-07-11)[2020-07-11]. http://www.cac.gov.cn/2017-07/11/c_1121294220.htm
[3] National Information Security Standardization Technical Committee, WG7 Information Security Management Working Group. Basic requirements for cybersecurity protection of critical information infrastructure (draft for comment) [S/OL]. (2018-06-16)[2019-12-03]. https://www.sohu.com/a/236200532_825373
[4] The White House. Presidential policy directive 21: critical infrastructure security and resilience [EB/OL]. 2014[2020-02-12]. https://xueshu.baidu.com/usercenter/paper/show?paperid=254bc1ecc891a00f8df1fc1512a8043d&site=xueshu_se
[5] National Archives, Federal Register. Strengthening the cybersecurity of federal networks and critical infrastructure [EB/OL]. (2017-05-11)[2017-05-16]. https://www.federalregister.gov/documents/2017/05/16/2017-10004/strengthening-the-cybersecurity-of-federal-networks-and-critical-infrastructure
[6] Senate Committee on Homeland Security and Governmental Affairs. DHS cyber incident response teams act of 2018 [EB/OL]. (2018-04-12)[2018-07-31]. https://www.congress.gov/bill/115th-congress/senate-bill/3309/text
[7] Kevin S M, Kim Q, Gregory W A. Framework for improving critical infrastructure cybersecurity [R/OL]. (2014-02-19)[2020-02-10]. https://www.nist.gov/publications/framework-improving-critical-infrastructure-cybersecurity
[8] The White House. National cyber strategy of the United States of America [EB/OL]. 2018-09[2020-08-15]. https://trumpwhitehouse.archives.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf
[9] Cybersecurity and Infrastructure Security Agency. CISA, DOE, and UK's NCSC issue guidance on protecting industrial control systems [EB/OL]. (2020-05-22)[2020-06-05]. https://us-cert.cisa.gov/ncas/current-activity/2020/05/22/cisa-doe-and-uks-ncsc-issue-guidance-protecting-industrial-control
[10] Lin Zihan. Research on the construction of the EU legal system based on data governance [J]. Journal of Information Security Research, 2021, 7(4): 335-341
[11] European Union Agency for Cybersecurity. Baseline security recommendations for IoT (in the context of critical information infrastructures) [EB/OL]. (2017-11-20)[2020-08-15]. https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot
[12] European Union Agency for Cybersecurity. NIS directive [EB/OL]. (2018-05-09)[2020-08-15]. https://www.enisa.europa.eu/topics/nis-directive?tab=details
[13] The European Parliament and the Council of the European Union. Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union [EB/OL]. (2016-07-06)[2020-08-15]. https://eur-lex.europa.eu/eli/dir/2016/1148/oj
[14] National Information Security Standardization Technical Committee, WG7 Information Security Management Working Group. Security controls for critical information infrastructure (draft for comment) [S/OL]. (2020-03-18)[2020-08-15]. https://download.csdn.net/download/qqvsdd/12255412?utm_source=iteye_new
[15] National Information Security Standardization Technical Committee, WG7 Information Security Management Working Group. Security assurance indicator system for critical information infrastructure (draft for approval) [S/OL]. [2020-03-18]. https://download.csdn.net/download/qqvsdd/12255378
[16] National Information Security Standardization Technical Committee, WG7 Information Security Management Working Group. Evaluation method for the security protection capability of critical information infrastructure (draft for comment) [S/OL]. (2020-07-09)[2020-08-11]. https://www.cebnet.com.cn/20200811/102681974.html
[17] National Information Security Standardization Technical Committee, WG7 Information Security Management Working Group. Guidelines for security inspection and assessment of critical information infrastructure (draft for review) [S/OL]. (2018-04-26)[2020-04-26]. https://download.csdn.net/download/xxywyc/10375848?utm_source=iteye_new
[18] ISO/IEC JTC 1/SC 27 Information Security, Cybersecurity and Privacy Protection. ISO/IEC 30111:2019, Information technology — Security techniques — Vulnerability handling processes [S/OL]. 2019-10[2020-08-20]. https://www.iso.org/standard/69725.html
[19] ISO/IEC JTC 1/SC 27 Information Security, Cybersecurity and Privacy Protection. ISO/IEC 29147:2018, Information technology — Security techniques — Vulnerability disclosure [S/OL]. 2018-10[2020-08-20]. https://www.iso.org/standard/72311.html
[20] Standardization Administration of China. GB/T 30276-2020, Information security technology: Cybersecurity vulnerability management specification [S]. Beijing: Standards Press of China, 2020
[21] Dempsey K, Takamura E, Eavy P, et al. NISTIR 8011 Vol. 4, Automation support for security control assessments: software vulnerability management [S/OL]. 2020-04[2020-08-20]. https://csrc.nist.gov/publications/detail/nistir/8011/vol-4/final
[22] Dempsey K, Eavy P, Moore G. NISTIR 8011 Vol. 1, Automation support for security control assessments: overview [S/OL]. 2017-06[2020-08-20]. https://csrc.nist.gov/publications/detail/nistir/8011/vol-1/final
[23] Dempsey K, Eavy P, Moore G. NISTIR 8011 Vol. 2, Automation support for security control assessments: hardware asset management [S/OL]. 2017-06[2020-08-20]. https://csrc.nist.gov/publications/detail/nistir/8011/vol-2/final
[24] Dempsey K, Goren N, Eavy P, et al. NISTIR 8011 Vol. 3, Automation support for security control assessments: software asset management [S/OL]. 2018-12[2020-08-20]. https://csrc.nist.gov/publications/detail/nistir/8011/vol-3/final
[25] Mell P, Bergeron T, Henning D. SP 800-40 Version 2.0, Creating a patch and vulnerability management program [S/OL]. 2005-11[2020-08-20]. https://csrc.nist.gov/publications/detail/sp/800-40/version-20/archive/2005-11-16
[26] Souppaya M, Scarfone K. SP 800-40 Rev. 3, Guide to enterprise patch management technologies [S/OL]. 2013-07[2020-08-20]. https://csrc.nist.gov/publications/detail/sp/800-40/rev-3/final
[27] National Cyber Security Centre. Vulnerability management (guidance to help organisations assess and prioritise vulnerabilities) [EB/OL]. (2016-09-23)[2020-09-20]. https://www.ncsc.gov.uk/guidance/vulnerability-management
[28] International Telecommunication Union. ITU-T X.1520, Common vulnerabilities and exposures [S/OL]. (2014-01-24)[2018-05-10]. https://www.itu.int/rec/T-REC-X.1520-201401-I/en
[29] International Telecommunication Union. ITU-T X.1521, Common vulnerability scoring system [S/OL]. (2016-03-23)[2018-05-10]. https://www.itu.int/rec/T-REC-X.1521-201603-I/en
[30] International Telecommunication Union. ITU-T X.1524, Common weakness enumeration [S/OL]. (2012-03-02)[2018-05-10]. https://www.itu.int/rec/T-REC-X.1524-201203-I/en
[31] International Telecommunication Union. ITU-T X.1525, Common weakness scoring system [S/OL]. (2015-04-17)[2018-05-10]. https://www.itu.int/rec/T-REC-X.1525-201504-I/en
[32] International Telecommunication Union. ITU-T X.1526, Language for the open definition of vulnerabilities and for the assessment of a system state [S/OL]. (2014-01-24)[2018-05-10]. https://www.itu.int/rec/T-REC-X.1526-201401-I/en
[33] Standardization Administration of China. GB/T 28458-2020, Information security technology: Cybersecurity vulnerability identification and description specification [S]. Beijing: Standards Press of China, 2020
[34] Standardization Administration of China. GB/T 30279-2020, Information security technology: Guidelines for categorization and grading of cybersecurity vulnerabilities [S]. Beijing: Standards Press of China, 2020
[35] Cybersecurity and Infrastructure Security Agency. Continuous diagnostics and mitigation (CDM) [EB/OL]. 2012[2020-09-20]. https://www.cisa.gov/cdm
[36] Cybersecurity and Infrastructure Security Agency. Coordinated vulnerability disclosure (CVD) process [EB/OL]. (2019-02-06)[2020-09-20]. https://www.cisa.gov/coordinated-vulnerability-disclosure-process
[37] Cybersecurity and Infrastructure Security Agency. A guide to critical infrastructure security and resilience [EB/OL]. 2019-11[2020-09-20]. https://www.cisa.gov/publication/guide-critical-infrastructure-security-and-resilience
[38] Cybersecurity and Infrastructure Security Agency. The National Cyber Incident Response Plan (NCIRP) [EB/OL]. 2016-12[2020-09-20]. https://us-cert.cisa.gov/ncirp
[39] European Union Agency for Cybersecurity. State of vulnerabilities 2018/2019: analysis of events in the life of vulnerabilities [R/OL]. (2019-01-14)[2020-09-20]. https://www.enisa.europa.eu/publications/technical-reports-on-cybersecurity-situation-the-state-of-cyber-security-vulnerabilities
[40] Cybersecurity and Infrastructure Security Agency, Carnegie Mellon University. CRR supplemental resource guide volume 4 vulnerability management [R/OL]. 2016[2020-10-15]. https://us-cert.cisa.gov/sites/default/files/c3vp/crr_resources_guides/CRR_Resource_Guide-VM.pdf
[41] Cybersecurity and Infrastructure Security Agency, Carnegie Mellon University. CRR supplemental resource guide volume 1 asset management version 1.1 [R/OL]. 2016[2020-10-15]. https://www.cisa.gov/sites/default/files/publications/CRR_Resource_Guide-AM.pdf
[42] Cybersecurity and Infrastructure Security Agency, Carnegie Mellon University. CRR supplemental resource guide volume 2 controls management version 1.1 [R/OL]. 2016[2020-10-15]. https://www.cisa.gov/sites/default/files/publications/CRR_Resource_Guide-CM_0.pdf
[43] Cybersecurity and Infrastructure Security Agency, Carnegie Mellon University. CRR supplemental resource guide volume 3 configuration and change management [R/OL]. 2016[2020-10-15]. https://www.cisa.gov/sites/default/files/publications/CRR_Resource_Guide-CCM_0.pdf
[44] Cybersecurity and Infrastructure Security Agency, Carnegie Mellon University. CRR supplemental resource guide volume 5 incident management [R/OL]. 2016[2020-10-15]. https://www.cisa.gov/sites/default/files/publications/CRR_Resource_Guide-IM_0.pdf
[45] Cybersecurity and Infrastructure Security Agency, Carnegie Mellon University. CRR supplemental resource guide volume 6 service continuity management version 1.1 [R/OL]. 2016[2020-10-15]. https://www.cisa.gov/sites/default/files/publications/CRR_Resource_Guide-SC_0.pdf
[46] Cybersecurity and Infrastructure Security Agency, Carnegie Mellon University. CRR supplemental resource guide volume 7 risk management version 1.1 [R/OL]. 2016[2020-10-15]. https://www.cisa.gov/sites/default/files/publications/CRR_Resource_Guide-RM_0.pdf
[47] Cybersecurity and Infrastructure Security Agency, Carnegie Mellon University. CRR supplemental resource guide volume 8 external dependencies management version 1.1 [R/OL]. 2016[2020-10-15]. https://www.cisa.gov/sites/default/files/publications/CRR_Resource_Guide-EDM_0.pdf
[48] Cybersecurity and Infrastructure Security Agency, Carnegie Mellon University. CRR supplemental resource guide volume 9 training and awareness version 1.1 [R/OL]. 2016[2020-10-15]. https://www.cisa.gov/sites/default/files/publications/CRR_Resource_Guide-TA_0.pdf
[49] Cybersecurity and Infrastructure Security Agency, Carnegie Mellon University. CRR supplemental resource guide volume 10 situational awareness version 1.1 [R/OL]. 2016[2020-10-15]. https://www.cisa.gov/sites/default/files/publications/CRR_Resource_Guide-SA_0.pdf
[50] Zhu Lin, Lu Ming. Research on life-cycle security management from the perspective of information system builders [J]. Journal of Information Security Research, 2020, 6(12): 1139-1144