A Study on Security Requirements Analysis through Security Threat Modeling of Home IoT Appliance

  • Yun, Suk-Jin (Graduate school of Industry Security, ChungAng University)
  • Kim, Jungduk (Department of Industry Security, ChungAng University)
  • Received : 2019.03.12
  • Accepted : 2019.05.23
  • Published : 2019.05.31

Abstract

Today many companies develop and sell IoT-enabled products, and they consider security from the planning stage to protect their products and user information from external threats. Because IoT products are so diverse, however, the time and personnel that can be invested in developing security requirements for each product are limited, and the level of security actually applied remains low. Vulnerabilities in IoT devices continue to be reported, which calls for more detailed security requirements for home IoT devices. In this context, this research identified the threats to home IoT systems using the Microsoft Threat Modeling Tool. It then compared the identified threats with domestic and global vulnerability assessment standards and related research to develop items that can be used in actual security assessments, and proposed measures to strengthen the security of home IoT products. Finally, it reviewed the effectiveness of the developed security requirements by carrying out assessments with both the developed requirements and the existing ones; the results showed that the security requirements developed in this research were generally more effective in identifying vulnerabilities.
