• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.12 no.10
• /
• pp.4995-5014
• /
• 2018

As the area covered by the CPS grows wider, agencies such as public institutions and critical infrastructure are collectively measuring and evaluating information security capabilities. Currently, these methods of measuring information security are a concrete method of recommendation in related standards. However, the security controls used in these methods are lacking in connectivity, causing silo effect. In order to solve this problem, there has been an attempt to study the information security management system in terms of maturity. However, to the best of our knowledge, no research has considered the specific definitions of each level that measures organizational security maturity or specific methods and criteria for constructing such levels. This study developed an information security maturity model that can measure and manage the information security capability of critical infrastructure based on information provided by an expert critical infrastructure information protection group. The proposed model is simulated using the thermal power sector in critical infrastructure of the Republic of Korea to confirm the possibility of its application to the field and derive core security processes and goals that constitute infrastructure security maturity. The findings will be useful for future research or practical application of infrastructure ISMSs.

• Convergence Security Journal
• /
• v.16 no.4
• /
• pp.43-51
• /
• 2016

Nowadays hacked using a security vulnerability in a web application, and the number of security issues on the web site at many sites due to the exposure of personal information is increasing day by day. In this paper, considering the open-source Web Application Security Project at the time of production of the website. Proposed the OWASP TOP 10 vulnerability verification method, by applying the proposed method and then analyzed for improved method and vulnerability to verify the performance of security vulnerability.

• The KIPS Transactions:PartD
• /
• v.13D no.1 s.104
• /
• pp.67-74
• /
• 2006

The security requirements identification in the software development has received some attention recently. However, previous methods do not provide clear method and process of security requirements identification. We propose a process that software developers can build application specific security requirements from state transition diagrams at the security threat location. The proposed process consists of building model and identifying application specific security requirements. The state transition diagram is constructed through subprocesses i) the identification of security threat locations using security failure data based on the point that attackers exploit software vulnerabilities and attack system assets, ii) the construction of a state transition diagram which is usable to protect, mitigate, and remove vulnerabilities of security threat locations. The identification Process of application specific security requirements consist of i) the analysis of the functional requirements of the software, which are decomposed into a DFD(Data Flow Diagram; the identification of the security threat location; and the appliance of the corresponding state transition diagram into the security threat locations, ii) the construction of the application specific state transition diagram, iii) the construction of security requirements based on the rule of the identification of security requirements. The proposed method is helpful to identify the security requirements easily at an early phase of software development.

• Journal of the Korea Society of Computer and Information
• /
• v.13 no.3
• /
• pp.139-146
• /
• 2008

Despite of information security installation, leakage of personal information in web services has not decreased. This is because traffics to web applications are still vulnerable by permitting external sources to access services in port HTTF 80 and HTTPS 443, even with firewall systems in place. This thesis analyzes various attack patterns resulted from web service environment and vulnerable traffic and categorizes the traffics into normal and abnormal traffics. Also this proposes ways to analyze web application attack patterns from those abnormal traffics based on weak points warned in OWASF(Open Web Application Security Project), design a system capable of detect and isolate attacks in real time, and increase efficiency of preventing attacks.

• The Transactions of The Korean Institute of Electrical Engineers
• /
• v.57 no.4
• /
• pp.706-714
• /
• 2008

In this paper, we suggest a practical and flexible system architecture for JTAG(Joint Test Action Group) protection of application processors. From the view point of security, the debugging function through JTAG port can be abused by malicious users, so the internal structures and important information of application processors, and the sensitive information of devices connected to an application processor can be leak. This paper suggests a system architecture that disables computing power of computers used to attack processors to reveal important information. For this, a user authentication method is used to improve security strength by checking the integrity of boot code that is stored at boot memory, on booting time. Moreover for user authorization, we share hard wired secret key cryptography modules designed for functional operation instead of hardwired public key cryptography modules designed for only JTAG protection; this methodology allows developers to design application processors in a cost and power effective way. Our experiment shows that the security strength can be improved up to $2^{160}{\times}0.6$second when using 160-bit secure hash algorithm.

• Convergence Security Journal
• /
• v.13 no.3
• /
• pp.79-84
• /
• 2013

In this study the improved service innovation model to solve the problems that appear from a vantage point of the providing security services process through the application and appeal process of convergence security technologies proposed. The model was in view of service science to resolves the limitations that facilities management and unmanned security of physical security field through the application of meteorological information on convergence security technologies. The contribution of this research: improved risk management based on convergence security technologies through service innovation management, evaluated the quantitative value of risk management activity using service effects, and development of physical security service providing methodology using meteorological information.

• Journal of the Korea Society of Computer and Information
• /
• v.12 no.1 s.45
• /
• pp.161-168
• /
• 2007

Web attack uses structural, logical and coding error or web application rather than vulnerability to Web server itself. According to the Open Web Application Security Project (OWASP) published about ten types of the web application vulnerability to show the causes of hacking, the risk of hacking and the severity of damage are well known. The detection ability and response is important to deal with web hacking. Filtering methods like pattern matching and code modification are used for defense but these methods can not detect new types of attacks. Also though the security unit product like IDS or web application firewall can be used, these require a lot of money and efforts to operate and maintain, and security unit product is likely to generate false positive detection. In this research profiling method that attracts the structure of web application and the attributes of input parameters such as types and length is used, and by installing structural database of web application in advance it is possible that the lack of the validation of user input value check and the verification and attack detection is solved through using profiling identifier of database against illegal request. Integral security management system has been used in most institutes. Therefore even if additional unit security product is not applied, attacks against the web application will be able to be detected by showing the model, which the security monitoring log gathering agent of the integral security management system and the function of the detection of web application attack are combined.

• Journal of Korea Multimedia Society
• /
• v.19 no.1
• /
• pp.51-59
• /
• 2016

Physical security protecting people from physical threats, such as a person or vehicle, has received a great attention. However, it has many risks of hacking and other security threats because it is highly dependent on automated management systems. In addition, a representative system of physical security, a CCTV control system has a high risk of hacking, such as video interceptions or video modulation. So physical security needs urgent security measures in accordance with these threats. In this paper, we examine the case of security threats that have occurred in the past, prevent those from threatening the physical security, and analyze the security problem with the threats. Then we study the countermeasures to prevent these security threats based on the problems found in each case. Finally we study for the method to apply these countermeasures.

• Spatial Information Research
• /
• v.23 no.6
• /
• pp.89-98
• /
• 2015

In this study, The criteria for assessing the security-related functions and services using spatial information is deduced, and orders of priority a priority for the applicable alternatives of functions/services of intelligent security service application based on spatial information are suggested by calculating relative importance. Also this study suggested connection plan about service implementation of national security services by government ministry & local government. And, the intelligent security app service model which has possible substantiation and commercialization is proposed. This study performed the AHP as the final assessment criterions by 3 item in 1st class and 12 item in 2nd class. And, tried to implementation methods of the intelligent security service application(ex. control of emergency and the crime opportunity, real-time location tracking of protector, the device for missing child & dementia patient, user participation & provision of information).

• Journal of Digital Convergence
• /
• v.14 no.11
• /
• pp.501-505
• /
• 2016

Recently, the frequency of dealing important information regarding financial services like paying through smart device or internet banking on smart device has been increasing. Also, with the development of smart device execution environment towards open software environment, it became easier for users to download and use random application software, and its security aspect appears to be weakening. This study inspects features of hardware-based smart device security technology. Furthermore, this study proposes a realization method in MTM hardware-based secure smart device execution environment for an application software that runs in smart devices. While existing MTM provides the root of trust function only for the mobile device, the MTM-based mobile security environment technology proposed in this paper can provide numerous security functions that application program needs in mobile device. The further researches on IoT devices that are compatible with security hardware, gateway security technology and methods that secure reliability and security applicable to varied IoT devices by advancing security hardware are the next plan to proceed.