Defending against hacker attacks is an important issue for enterprises in the Internet era. In particular, as the information security threat paradigm shifts to Advanced Persistent Threat (APT) attacks aimed at specific targets, traditional security protection methods may no longer be adequate against these highly complex threats, so how to design security policies or principles has become a vital but still unresolved question.
Defending against hackers is an important issue for governments and corporations in the Internet era. This is particularly true now that the information security (InfoSec) paradigm has shifted to the Advanced Persistent Threat (APT) mode of targeted attack, which makes traditional security methods insufficient for dealing with the complexity of these new threats. How to refine and design suitable policies or principles for government and corporate information systems has therefore become a vital but unanswered challenge.
To help governments and enterprises respond to the challenges above, this research proposes a five-dimensional InfoSec strategy framework covering 29 items, derived from a literature review. To validate the proposed framework and identify the key issues, 32 InfoSec experts were invited to take part in a three-round survey conducted with the Delphi method. The results show that the topics and issues covered are almost the same for APT as for traditional threats; however, the focal issues that deserve attention, and the suggested way of rethinking the whole InfoSec strategy, differ markedly in their very nature. In particular, this research finds that the five most important items in APT scenarios are: information exchange (email), network access control (network segmentation), malicious code and mobile code prevention (endpoint security), drills and review of social engineering prevention, and network security management (firewall and intrusion detection). It is suggested that corporations examine their current InfoSec policies and re-evaluate their risk against technical standards.