SCAP Applicability for Vulnerability Management of Server-Oriented System

Applicability of SCAP for Server-Oriented Vulnerability Management

  • Shin, Dong Cheon (Dept. of Industrial Security, Chung-Ang University) ;
  • Kim, Seon Kwang (Dept. of Industrial Convergence Security, Graduate School of Chung-Ang University)
  • Received : 2019.06.03
  • Accepted : 2019.08.21
  • Published : 2019.08.31

Abstract

Many organizations need to comply with ISMS-P for information systems and personal information management in order to obtain ISMS-P certification. Organizations should safeguard their information systems against vulnerabilities. However, as the kinds of information systems diversify and their number increases, managing such vulnerabilities manually entails many difficulties. SCAP is a protocol for managing the vulnerabilities of information systems automatically using security standards. In this paper, for the introduction of SCAP in domestic domains, we verify its applicability to the server-oriented system, which is one of the ISMS-P certification targets. To obtain this goal, we analyze the structures and functions of SCAP. Then we propose schemes to check vulnerabilities of the server-oriented system. Finally, we implement the proposed schemes with SCAP to show its applicability for verifying vulnerabilities of the server-oriented system.
