융합정보논문지 (Journal of Convergence for Information Technology)

중소기업융합학회 (Convergence Society for SMB)
권호 표지
DOI QR코드

DOI QR Code

PC보안 강화를 위한 기술적 취약점 진단항목 개선 연구

Study on Improvement of Vulnerability Diagnosis Items for PC Security Enhancement

  • 조진근 (고려대학교 소프트웨어보안학과)
  • Cho, Jin-Keun (Division of Software Security, Korea University)
  • 투고 : 2019.01.17
  • 심사 : 2019.03.20
  • 발행 : 2019.03.28
PDF 다운로드
⟨ 이전 논문 다음 논문 ⟩

초록

업무용 PC에 다양한 사이버 공격이 발생하고 있다. PC 보안 위협을 줄이기 위해 사전에 취약점 진단을 통해서 예방하고 있다. 하지만 국내의 취약점 가이드는 진단 항목이 업데이트되지 않아서 이 가이드로만은 대응하기가 어렵다. 본 논문에서는 최근 PC의 사이버 침해사고 사례와 보안 위협에 대응하기 위한 국외의 기술적 취약점 진단 항목에 대해서 살펴본다. 또한, 국외와 국내의 기술적 취약점 진단항목의 차이를 비교하여 개선된 가이드를 제시한다. 제안한 41개의 기술적 취약점 개선 항목을 통하여 다양한 보안 위협으로부터 대응할 수 있다는 것을 알 수 있었다. 현재는 알려진 취약점에만 주로 대응이 가능하지만 이 방법의 가이드 적용을 통해 알려지지 않은 보안 위협을 감소시킬 수 있을 것으로 기대한다.

There are various cyber attacks on business PCs. In order to reduce the threat of PC security, we are preventing the vulnerability from being diagnosed beforehand. However, this guideline is difficult to cope with because the domestic vulnerability guide does not update the diagnostic items. In this paper, we examine the cyber infringement cases of PCs and the diagnostic items of foreign technical vulnerabilities in order to cope with security threats. In addition, an improved guide is provided by comparing the differences in the diagnostic items of technical vulnerability from abroad and domestic. Through 41 proposed technical vulnerability improvement items, it was found that various security threats can be coped with. Currently, it is mainly able to respond to only known vulnerabilities, but we hope that applying this guideline will reduce unknown security threats.

키워드

JKOHBZ_2019_v9n3_1_f0001.png 이미지

Fig. 1. Malicious code classification Description

JKOHBZ_2019_v9n3_1_f0002.png 이미지

Fig. 2. Rate of types of malware

JKOHBZ_2019_v9n3_1_f0003.png 이미지

Fig. 3. Summary of vulnerability improvements lists.

Table 1. vulnerability improvements lists.

JKOHBZ_2019_v9n3_1_t0001.png 이미지

참고문헌

  1. CISCO. (2018). Annual Cyber Security Report in 2018. USA : CISCO Publishing.
  2. Ministry of Science and ICT. (2019). Number of hacking accident http://www.index.go.kr/potal/main/EachDtlPageDetail.do?idx_cd=1363
  3. Y. R. Jae & J. W. Cho. (2007). A Study on the Evaluation Consulting Methodology of Important Information Communication Base Facility 5(1), 55-68.
  4. K. H. Han. (2015). A Study on Threat Analysis of PC Security and Countermeasures in Financial Sector. master dissertation. Korea University, Korea,
  5. S. H. Kim. (2016). The Critical Information and Communication Infrastructure Technical Field Vulnerability Assessment Improvements Research. master dissertation. Konku University, Korea,
  6. CIS. (2019). CIS Controls V7 in 2019. Center for Internet Security. https://www.cisecurity.org/controls/
  7. B. B. Jeon. (2018). A Study on the Countermeasures for Detecting Malicious Codes by Cyber Threats. master dissertation. Kongju National University, Korea,
  8. L. D. Yu. (2015). Title. Threats and countermeasures of malware 5(1), 13-18. https://doi.org/10.22156/CS4SMB.2015.5.1.013
  9. S. Y. Hong. (2014). Title. Analysis and Countermeasure of Malicious Code, 4(2), 13-18. https://doi.org/10.5121/ijitcs.2014.4202
  10. S. H. Hong & J. A. Yu. (2018). Title. Ransomware attack analysis and countermeasures of defensive aspects 8(1), 139-145. https://doi.org/10.14801/JAITC.2018.8.2.139
  11. M. S. Gu & Y. Z. Li. (2015). Title. A Study of Countermeasur es for Advanced Per sistent Threats attacks by malicious code, 5(4), 37-42. https://doi.org/10.14801/jaitc.2015.5.2.37
  12. KISA. (2018). Malicious code hidden site detection trend report Second half of 2018. Seoul : Korea Internet & Security Agency Publishing.
  13. SK Infosec. (2018) Evolution of information deception and malicious code emote in 2018. http://blog.naver.com/PostView.nhn?blogId=skinfosec2000&logNo=221260804498&categoryNo=0&parentCategoryNo=0&viewDate=currentPage=1&postListTopCurrentPage=1&from=postView
  14. KOREA COMMUNICATIONS COMMISSION. (2017). Virtual currency trading site Personal information leak in 2017. https://kcc.go.kr/user.do?mode=view&page=A05030000&dc=K05030000&boardId=1113&cp=1&ctx=ALL&searchKey=ALL&searchVal=%EB%B9%97%EC%8D%B8&boardSeq=45265
  15. S. H. Kim (2016). The Critical Information and Communication Infrastructure Technical Field Vulnerability Assessment Improvements Research. master dissertation. Konkuk University, Korea.
  16. KISA. (2017). Critical Information Infrastructure Protection technical vulnerabilities analyze and evaluate Detail Guide in 2017. Seoul : Korea Internet & Security Agency Publishing.
  17. STIG. (2018). Windows 10 Security Technical Implementation Guide in 2018. Security Technical Implementation Guide Viewer. https://www.stigviewer.com/stig/windows_10/
  18. ACSC (2019). Hardening Microsoft Windows 10 in 2019. Australian Cyber Security Center. https://www.acsc.gov.au/publications/protect/hardening-win10.htm