
Graduate student: 曾成傑 (Chen-Chieh Tseng)
Thesis title: 標準化對於更新管理的影響評估: 以某金融機構為例
On Evaluation the Effectiveness of Standardization in Patch Management: Using a Taiwanese Major Financial Institute as an Example
Advisor: 查士朝 (Shi-Cho Cha)
Committee members: 羅乃維 (Nai-Wei Lo), 查士朝 (Shi-Cho Cha), 黃政嘉 (Jheng-Jia Huang)
Degree: Master
Department: College of Management - Department of Information Management
Year of publication: 2022
Academic year of graduation: 110 (ROC calendar)
Language: Chinese
Number of pages: 92
Chinese keywords: 更新管理, 系統強化, 資安合規, 資訊科技標準化 (patch management, system hardening, security compliance, IT standardization)
English keywords: patch management, hardening, compliance, IT standardization
Usage statistics: 236 views, 10 downloads
  • Abstract (translated from the Chinese original): With the development of financial technology, financial institutions have become increasingly dependent on information systems. Facing ever-growing security threats, they also attach increasing importance to information security, and ensuring that information systems comply with security regulations has become a critical issue. In recent years, the IT departments of financial institutions have therefore begun to study how to build system environments that satisfy information security requirements, and have progressively introduced effective and secure patch management mechanisms so that system software is continuously patched and the goal of security compliance is met. However, under increasingly large and complex system architectures, how to keep patching software and passing security compliance checks has become a major challenge for the operations teams of financial institutions.
    This study takes a case study approach: it collects and analyzes how the case institution dealt with patch management problems as its system environment kept growing, together with the expected benefits of implementing a patch management mechanism, and proposes a well-planned patch management mechanism that keeps the system environment protected while it is deployed rapidly.


    With the advance of financial technology, financial institutions rely more and more on information systems and face more and more security threats. Information security has therefore become increasingly important to financial institutions. Ensuring that information systems follow system security best practices is one of the major information security requirements for financial institutions. Consequently, financial institutions have begun to improve their patch management systems to ensure that their information systems can be continuously patched or hardened to comply with the associated security best practices. However, under an increasingly large and complex system environment architecture, it is a challenge to continuously perform system patching and compliance checking.
    To address the issue, this study adopts the case study approach and discusses how a major Taiwanese financial institute addresses its patch management issues. This study collects the issues the institute encountered while implementing its patch management system and shows how the institute dealt with them. In addition, this study analyzes the results of the patch management system implementation. Based on the results, this study illustrates that standardization plays an important role in implementing patch management systems. This study can therefore hopefully provide useful experience for other Taiwanese financial institutes implementing patch management systems.

    Table of contents:
      Abstract (Chinese)
      Abstract (English)
      Acknowledgements
      List of Figures
      List of Tables
      Chapter 1: Introduction
        1.1 Research background
        1.2 Research motivation
        1.3 Research objectives
        1.4 Research methods
      Chapter 2: Literature review
        2.1 Standardization
          2.1.1 Standard Operating Environment (SOE)
          2.1.2 Virtualized environment image templates
        2.2 Patch management
          2.2.1 Purpose of regular updates
          2.2.2 Principles of patch management
          2.2.3 CVE and vulnerabilities
          2.2.4 System hardening guides
          2.2.5 Hardening systems with SELinux
          2.2.6 RPM and YUM
        2.3 Patch management and system hardening
        2.4 Centralized patch management
          2.4.1 Red Hat Satellite
        2.5 SCAP
      Chapter 3: Case overview
        3.1 Case study method
        3.2 Overview of the case company
          3.2.1 IT development at the case company
        3.3 The case company's systems and update environment
          3.3.1 The case company's original RHEL system environment
          3.3.2 The case company's traditional RHEL update approach
          3.3.3 The case company's RHEL update timing
      Chapter 4: The case company's patch management practice
        4.1 Introducing system standardization
          4.1.1 Role-based configuration
          4.1.2 System hardening and system environment standardization
        4.2 Introducing centralized patch management
          4.2.1 Registering servers for management
          4.2.2 Update workflow design
      Chapter 5: The impact of standardization on patch management
        5.1 Differences in system standardization
        5.2 Differences in centralized patch management
        5.3 Patch management for standardized systems
      Chapter 6: Conclusions and future research directions
      References

