{"id":353,"date":"2021-05-31T15:16:48","date_gmt":"2021-05-31T07:16:48","guid":{"rendered":"https:\/\/choson.lifenet.com.tw\/?p=353"},"modified":"2023-03-29T16:51:41","modified_gmt":"2023-03-29T08:51:41","slug":"%e5%a8%81%e8%84%85%e5%bb%ba%e6%a8%a1%ef%bc%88threat-modeling%ef%bc%89","status":"publish","type":"post","link":"https:\/\/choson.lifenet.com.tw\/?p=353","title":{"rendered":"\u5a01\u8105\u5efa\u6a21\uff08Threat modeling\uff09"},"content":{"rendered":"\n<p>\u201c\u5f9e\u6982\u5ff5\u4e0a\u8b1b\uff0c\u5927\u591a\u6578\u4eba\u5728\u65e5\u5e38\u751f\u6d3b\u4e2d\u90fd\u63a1\u7528\u4e86\u67d0\u7a2e\u5f62\u5f0f\u7684\u5a01\u8105\u5efa\u6a21\uff0c\u751a\u81f3\u6c92\u6709\u610f\u8b58\u5230\u9019\u4e00\u9ede\u3002\u201d \uff08<a href=\"https:\/\/en.wikipedia.org\/wiki\/Threat_model\" target=\"_blank\" rel=\"noreferrer noopener\">\u7dad\u57fa\u767e\u79d1<\/a>\uff09\u52d2\u7d22\u8edf\u4ef6\u653b\u64ca\u7684\u767c\u751f\u4e26\u4e0d\u662f\u56e0\u70ba\u8a72\u516c\u53f8\u6c92\u6709\u9032\u884c\u5a01\u8105\u5efa\u6a21\u3002\u76f8\u53cd\uff0c\u516c\u53f8\u5fc5\u9808\u6539\u9032\u5a01\u8105\u5efa\u6a21\u904e\u7a0b\u3002<br>\u6b64\u5916\uff0c\u7531\u65bc\u76f8\u95dc\u516c\u53f8\u5df2\u7d93\u5b8c\u6210\u4e86\u8abf\u67e5\uff0c\u9019\u610f\u5473\u8457\u5a01\u8105\u5efa\u6a21\u5df2\u7d93\u5230\u4f4d\u4e26\u4e14\u6b63\u5728\u9032\u884c\u4e2d\u3002\u52d2\u7d22\u8edf\u4ef6\u653b\u64ca\u5df2\u88ab\u8b58\u5225\u3001\u5206\u6790\u548c\u78ba\u8a8d\u3002\u73fe\u5728\u662f\u8a55\u4f30\u6d88\u9664\u554f\u984c\u7684\u7279\u5b9a\u89e3\u6c7a\u65b9\u6848\u6216\u6e1b\u8f15\u98a8\u96aa\u7684\u5c0d\u7b56\u7684\u6642\u5019\u4e86\u3002\u56e0\u6b64\uff0c\u7121\u9700\u63d0\u51fa\u5c07\u5a01\u8105\u5efa\u6a21\u4f5c\u70ba\u4e3b\u52d5\u6027\u6216\u89e3\u6c7a\u65b9\u6848\u7684\u5efa\u8b70\u3002<br>\u5728\u9019\u500b\u554f\u984c\u4e2d\uff0c\u653b\u64ca\u8005\u7121\u9700\u7528\u6236\u4ea4\u4e92\u5373\u53ef\u5728\u7db2\u7d61\u4e2d\u56db\u8655\u79fb\u52d5\u3002\u7d50\u679c\uff0c\u6280\u8853\u5b89\u5168\u63a7\u5236\u6bd4\u8af8\u5982\u610f\u8b58\u57f9\u8a13\u7684\u884c\u653f\u7ba1\u7406\u66f4\u6709\u6548\u3002<\/p>\n\n\n\n<p><strong>\u7d30\u7c92\u5ea6\u8207\u7c97\u7c92\u5ea6\u8a2a\u554f\u63a7\u5236(Fine-Grained vs. Coarse-Grained Access Control)<\/strong><br>\u8a2a\u554f\u63a7\u5236\u53ef\u80fd\u4e0d\u662f\u9632\u6b62\u52d2\u7d22\u8edf\u4ef6\u653b\u64ca\u518d\u6b21\u767c\u751f\u7684\u6700\u7d42\u89e3\u6c7a\u65b9\u6848\u3002\u4f46\u662f\uff0c\u5b83\u662f\u56db\u500b\u9078\u9805\u4e2d\u6700\u597d\u7684\u3002<br>. \u81ea\u4e3b\u8a2a\u554f\u63a7\u5236 (DAC) \u662f\u4e00\u7a2e\u7c97\u7c92\u5ea6\u7684\u8a2a\u554f\u63a7\u5236\u6a5f\u5236\uff0c\u800c\u57fa\u65bc\u98a8\u96aa\u7684\u8a2a\u554f\u63a7\u5236\uff08\u57fa\u65bc\u6a19\u51c6\u6216\u57fa\u65bc\u5206\u6578\uff09\u662f\u4e00\u7a2e\u7d30\u7c92\u5ea6\u7684\u8a2a\u554f\u63a7\u5236\uff0c\u901a\u5e38\u4f9d\u8cf4\u65bc\u57fa\u65bc\u5c6c\u6027\u7684\u8a2a\u554f\u63a7\u5236 (ABAC)\u3002<br>. \u57fa\u65bc\u98a8\u96aa\u7684\u8a2a\u554f\u63a7\u5236\u662f\u201c\u96f6\u4fe1\u4efb\u201d\u7684\u6838\u5fc3\u8981\u7d20\uff0c\u53ef\u4ee5\u6709\u6548\u7de9\u89e3\u6a6b\u5411\u79fb\u52d5\u548c\u6578\u64da\u6d29\u9732\u3002<br><img decoding=\"async\" src=\"https:\/\/ithelp.ithome.com.tw\/upload\/images\/20210531\/20132160dp7fzh7u1H.jpg\" alt=\"https:\/\/ithelp.ithome.com.tw\/upload\/images\/20210531\/20132160dp7fzh7u1H.jpg\"><br>-\u7d30\u7c92\u5ea6\u3001\u52d5\u614b\u548c\u53ef\u898b\u6027<\/p>\n\n\n\n<p><strong>\u52d2\u7d22\u8edf\u4ef6\uff08Ransomware\uff09<\/strong><br>\u52d2\u7d22\u8edf\u4ef6\u53ef\u4ee5\u50cf\u9700\u8981\u7528\u6236\u4ea4\u4e92\u7684\u75c5\u6bd2\uff08\u7279\u6d1b\u4f0a\u6728\u99ac\uff09\u4e00\u6a23\u88ab\u52d5\u904b\u884c\uff0c\u4e5f\u53ef\u4ee5\u50cf\u8815\u87f2\u4e00\u6a23\u4e3b\u52d5\u50b3\u64ad\uff0c\u7121\u9700\u7528\u6236\u4ea4\u4e92\u5373\u53ef\u611f\u67d3\u5176\u4ed6\u8a08\u7b97\u6a5f\uff08WannaCry\uff09\u3002<br>\u52d2\u7d22\u8edf\u4ef6\u662f\u4e00\u7a2e\u4f86\u81ea\u5bc6\u78bc\u75c5\u6bd2\u5b78\u7684\u60e1\u610f\u8edf\u4ef6\uff0c\u9664\u975e\u652f\u4ed8\u4e86\u8d16\u91d1\uff0c\u5426\u5247\u5c31\u5a01\u8105\u8981\u767c\u5e03\u53d7\u5bb3\u8005\u7684\u6578\u64da\u6216\u6c38\u4e45\u963b\u6b62\u5c0d\u5176\u7684\u8a2a\u554f\u3002\u201d<br>\u52d2\u7d22\u8edf\u4ef6\u653b\u64ca\u901a\u5e38\u662f\u4f7f\u7528\u507d\u88dd\u6210\u5408\u6cd5\u6587\u4ef6\u7684\u7279\u6d1b\u4f0a\u6728\u99ac\u9032\u884c\u7684\uff0c\u7576\u5b83\u4f5c\u70ba\u96fb\u5b50\u90f5\u4ef6\u9644\u4ef6\u5230\u9054\u6642\uff0c\u7528\u6236\u6703\u88ab\u8a98\u9a19\u4e0b\u8f09\u6216\u6253\u958b\u3002\u7136\u800c\uff0c\u4e00\u500b\u5f15\u4eba\u6ce8\u76ee\u7684\u4f8b\u5b50\u662f WannaCry \u8815\u87f2\uff0c\u5b83\u5728\u6c92\u6709\u7528\u6236\u4ea4\u4e92\u7684\u60c5\u6cc1\u4e0b\u81ea\u52d5\u5728\u8a08\u7b97\u6a5f\u4e4b\u9593\u50b3\u64ad\u3002<br>\u8cc7\u6599\u4f86\u6e90\uff1a<a href=\"https:\/\/en.wikipedia.org\/wiki\/Ransomware\" target=\"_blank\" rel=\"noreferrer noopener\">\u7dad\u57fa\u767e\u79d1<\/a><\/p>\n\n\n\n<p><strong>\u5a01\u8105\u5efa\u6a21\uff08Threat Modeling\uff09<\/strong><br>\u672c\u7bc0\u4ecb\u7d39\u5177\u9ad4\u7684\u5b9a\u7fa9\u548c\u773e\u6240\u5468\u77e5\u7684\u5a01\u8105\u5efa\u6a21\u65b9\u6cd5\u3002<br>. \u201c\u5a01\u8105\u5efa\u6a21\u662f\u4e00\u7a2e\u98a8\u96aa\u8a55\u4f30\u5f62\u5f0f\uff0c\u5b83\u5c0d\u7279\u5b9a\u908f\u8f2f\u5be6\u9ad4\u7684\u653b\u64ca\u548c\u9632\u79a6\u65b9\u9762\u9032\u884c\u5efa\u6a21\uff0c\u4f8b\u5982\u4e00\u6bb5\u6578\u64da\u3001\u4e00\u500b\u61c9\u7528\u7a0b\u5e8f\u3001\u4e00\u500b\u4e3b\u6a5f\u3001\u4e00\u500b\u7cfb\u7d71\u6216\u4e00\u500b\u74b0\u5883\u3002\u201d \uff08NIST SP 800-154\uff0c\u8349\u6848\uff09<br>. \u5728\u7cfb\u7d71\u548c\u8edf\u4ef6\u5de5\u7a0b\u4e2d\uff0c\u5a01\u8105\u5efa\u6a21\u662f\u4e00\u7a2e\u201c\u7cfb\u7d71\u7684\u63a2\u7d22\u6280\u8853\uff0c\u4ee5\u66b4\u9732\u4efb\u4f55\u53ef\u80fd\u4ee5\u7834\u58de\u3001\u62ab\u9732\u3001\u4fee\u6539\u6578\u64da\u6216\u62d2\u7d55\u670d\u52d9\u7684\u5f62\u5f0f\u5c0d\u7cfb\u7d71\u9020\u6210\u640d\u5bb3\u7684\u60c5\u6cc1\u6216\u4e8b\u4ef6\u3002\u201d (ISO 24765:2017)<br>. \u5a01\u8105\u5efa\u6a21\u662f\u6355\u7372\u3001\u7d44\u7e54\u548c\u5206\u6790\u5f71\u97ff\u61c9\u7528\u7a0b\u5e8f\u5b89\u5168\u6027\u7684\u6240\u6709\u4fe1\u606f\u7684\u904e\u7a0b\u3002(&nbsp;<a href=\"https:\/\/owasp.org\/www-community\/Threat_Modeling\" target=\"_blank\" rel=\"noreferrer noopener\">OWASP<\/a>&nbsp;)<br>. \u5a01\u8105\u5efa\u6a21\u662f\u201c\u4e00\u7a2e\u5de5\u7a0b\u6280\u8853\uff0c\u53ef\u7528\u65bc\u5e6b\u52a9\u60a8\u8b58\u5225\u53ef\u80fd\u5f71\u97ff\u60a8\u7684\u61c9\u7528\u7a0b\u5e8f\u7684\u5a01\u8105\u3001\u653b\u64ca\u3001\u6f0f\u6d1e\u548c\u5c0d\u7b56\u3002\u60a8\u53ef\u4ee5\u4f7f\u7528\u5a01\u8105\u5efa\u6a21\u4f86\u5851\u9020\u61c9\u7528\u7a0b\u5e8f\u7684\u8a2d\u8a08\u3001\u6eff\u8db3\u516c\u53f8\u7684\u5b89\u5168\u76ee\u6a19\u4e26\u964d\u4f4e\u98a8\u96aa\u3002\u201d \uff08<a href=\"https:\/\/www.microsoft.com\/en-us\/securityengineering\/sdl\/threatmodeling\" target=\"_blank\" rel=\"noreferrer noopener\">\u5fae\u8edf<\/a>\uff09<br>\u201c\u5a01\u8105\u6a21\u578b\u672c\u8cea\u4e0a\u662f\u5f71\u97ff\u61c9\u7528\u7a0b\u5e8f\u5b89\u5168\u6027\u7684\u6240\u6709\u4fe1\u606f\u7684\u7d50\u69cb\u5316\u8868\u793a\u3002\u5f9e\u672c\u8cea\u4e0a\u8b1b\uff0c\u5b83\u662f\u901a\u904e\u5b89\u5168\u773c\u93e1\u67e5\u770b\u61c9\u7528\u7a0b\u5e8f\u53ca\u5176\u74b0\u5883\u7684\u8996\u5716\u3002\u201d (<a href=\"https:\/\/owasp.org\/www-community\/Threat_Modeling\" target=\"_blank\" rel=\"noreferrer noopener\">OWASP<\/a>)<br>\u5f9e ISO 3100 \u7684\u89d2\u5ea6\u4f86\u770b\uff0c\u5a01\u8105\u5efa\u6a21\u662f\u7cfb\u7d71\u548c\u8edf\u4ef6\u5de5\u7a0b\u80cc\u666f\u4e0b\u7684\u4e00\u7a2e\u201c\u98a8\u96aa\u7ba1\u7406\u201d\u5f62\u5f0f\u3002\u98a8\u96aa\u7ba1\u7406\u5305\u62ec\u5982\u4e0b\u5716\u6240\u793a\u7684\u6d3b\u52d5\uff1a<br><img decoding=\"async\" src=\"https:\/\/ithelp.ithome.com.tw\/upload\/images\/20210531\/201321604igM5F7njW.jpg\" alt=\"https:\/\/ithelp.ithome.com.tw\/upload\/images\/20210531\/201321604igM5F7njW.jpg\"><br>-ISO 31000<\/p>\n\n\n\n<p>NIST \u4ee5\u6578\u64da\u70ba\u4e2d\u5fc3\u7684\u7cfb\u7d71\u5a01\u8105\u5efa\u6a21<br>\u672c\u51fa\u7248\u7269\u4e2d\u4ecb\u7d39\u7684\u4ee5\u6578\u64da\u70ba\u4e2d\u5fc3\u7684\u7cfb\u7d71\u5a01\u8105\u5efa\u6a21\u65b9\u6cd5\u6709\u56db\u500b\u4e3b\u8981\u6b65\u9a5f\uff1a<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\u8b58\u5225\u548c\u8868\u5fb5\u611f\u8208\u8da3\u7684\u7cfb\u7d71\u548c\u6578\u64da\uff1b<\/li>\n\n\n\n<li>\u8b58\u5225\u4e26\u9078\u64c7\u8981\u5305\u542b\u5728\u6a21\u578b\u4e2d\u7684\u653b\u64ca\u5411\u91cf\uff1b<\/li>\n\n\n\n<li>\u8868\u5fb5\u7528\u65bc\u6e1b\u8f15\u653b\u64ca\u5411\u91cf\u7684\u5b89\u5168\u63a7\u5236\uff1b\u548c<\/li>\n\n\n\n<li>\u5206\u6790\u5a01\u8105\u6a21\u578b\u3002<\/li>\n<\/ol>\n\n\n\n<p>\u5fae\u8edf\u5a01\u8105\u5efa\u6a21<br>\u5a01\u8105\u5efa\u6a21\u61c9\u8a72\u662f\u60a8\u65e5\u5e38\u958b\u767c\u751f\u547d\u9031\u671f\u7684\u4e00\u90e8\u5206\uff0c\u4f7f\u60a8\u80fd\u5920\u9010\u6b65\u5b8c\u5584\u60a8\u7684\u5a01\u8105\u6a21\u578b\u4e26\u9032\u4e00\u6b65\u964d\u4f4e\u98a8\u96aa\u3002\u6709\u4e94\u500b\u4e3b\u8981\u7684\u5a01\u8105\u5efa\u6a21\u6b65\u9a5f\uff1a<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\u5b9a\u7fa9\u5b89\u5168\u8981\u6c42\u3002<\/li>\n\n\n\n<li>\u5275\u5efa\u61c9\u7528\u7a0b\u5e8f\u5716\u3002<\/li>\n\n\n\n<li>\u8b58\u5225\u5a01\u8105\u3002<\/li>\n\n\n\n<li>\u6e1b\u8f15\u5a01\u8105\u3002<\/li>\n\n\n\n<li>\u9a57\u8b49\u5a01\u8105\u5df2\u5f97\u5230\u7de9\u89e3\u3002<br><img decoding=\"async\" src=\"https:\/\/ithelp.ithome.com.tw\/upload\/images\/20210531\/20132160dvoMB07zYd.png\" alt=\"https:\/\/ithelp.ithome.com.tw\/upload\/images\/20210531\/20132160dvoMB07zYd.png\"><br>-\u5716\u7247\u4f86\u6e90\uff1a<a href=\"https:\/\/www.microsoft.com\/en-us\/securityengineering\/sdl\/threatmodeling\" target=\"_blank\" rel=\"noreferrer noopener\">\u5fae\u8edf<\/a><\/li>\n<\/ol>\n\n\n\n<p>\u53c3\u8003<br>.&nbsp;<a href=\"https:\/\/en.wikipedia.org\/wiki\/Ransomware\" target=\"_blank\" rel=\"noreferrer noopener\">\u52d2\u7d22\u8edf\u9ad4<\/a><br>.&nbsp;<a href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-154\/draft\" target=\"_blank\" rel=\"noreferrer noopener\">NIST SP 800-154\uff08\u8349\u7a3f\uff09\uff1a\u6578\u64da\u4e2d\u5fc3\u7cfb\u7d71\u5a01\u8105\u5efa\u6a21\u6307\u5357<\/a><br>.&nbsp;<a href=\"https:\/\/www.microsoft.com\/en-us\/securityengineering\/sdl\/threatmodeling\" target=\"_blank\" rel=\"noreferrer noopener\">\u5fae\u8edf\u5a01\u8105\u5efa\u6a21<\/a><br>.&nbsp;<a href=\"https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/Threat_Modeling_Cheat_Sheet.html\" target=\"_blank\" rel=\"noreferrer noopener\">OWASP \u5a01\u8105\u5efa\u6a21\u5099\u5fd8\u55ae<\/a><br>.&nbsp;<a href=\"https:\/\/owasp.org\/www-community\/Threat_Modeling\" target=\"_blank\" rel=\"noreferrer noopener\">OWASP \u5a01\u8105\u5efa\u6a21<\/a><br>.&nbsp;<a href=\"https:\/\/www.webfarmr.eu\/2011\/05\/coarse-grained-vs-fine-grained-access-control-part-i\/\" target=\"_blank\" rel=\"noreferrer noopener\">\u7c97\u7c92\u5ea6\u8207\u7d30\u7c92\u5ea6\u8a2a\u554f\u63a7\u5236\u2014\u2014\u7b2c\u4e00\u90e8\u5206<\/a><br>.&nbsp;<a href=\"https:\/\/blog.plainid.com\/coarse-grained-and-fine-grained-authorization\" target=\"_blank\" rel=\"noreferrer noopener\">\u7c97\u7c92\u5ea6\u548c\u7d30\u7c92\u5ea6\u6388\u6b0a<\/a><br>.&nbsp;<a href=\"https:\/\/csrc.nist.gov\/csrc\/media\/events\/privilege-management-workshop\/documents\/radac-paper0001.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">\u9069\u61c9\u98a8\u96aa\u7684\u8a2a\u554f\u63a7\u5236\uff08RAdAC\uff09<\/a><\/p>\n\n\n\n<p>\u8cc7\u6599\u4f86\u6e90\uff1a\u00a0<a rel=\"noreferrer noopener\" href=\"https:\/\/wentzwu.com\/2021\/03\/21\/cissp-practice-questions-20210322\/\" target=\"_blank\">Wentz Wu QOTD-20210322<\/a><\/p>\n\n\n\n<p>PS:\u6b64\u6587\u7ae0\u7d93\u904e\u4f5c\u8005\u540c\u610f\u520a\u767b \u4e26\u4e14\u6388\u6b0a\u53ef\u4ee5\u7ffb\u8b6f\u6210\u4e2d\u6587<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u201c\u5f9e\u6982\u5ff5\u4e0a\u8b1b\uff0c\u5927\u591a\u6578\u4eba\u5728\u65e5\u5e38\u751f\u6d3b\u4e2d\u90fd\u63a1\u7528\u4e86\u67d0\u7a2e\u5f62\u5f0f\u7684\u5a01\u8105\u5efa\u6a21\uff0c\u751a\u81f3\u6c92\u6709\u610f\u8b58\u5230\u9019\u4e00\u9ede\u3002\u201d \uff08\u7dad\u57fa\u767e\u79d1\uff09\u52d2\u7d22\u8edf\u4ef6\u653b [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":true,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-353","post","type-post","status-publish","format-standard","hentry","category-cisspcertified-information-systems-security-professional"],"_links":{"self":[{"href":"https:\/\/choson.lifenet.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/353","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/choson.lifenet.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/choson.lifenet.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/choson.lifenet.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/choson.lifenet.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=353"}],"version-history":[{"count":4,"href":"https:\/\/choson.lifenet.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/353\/revisions"}],"predecessor-version":[{"id":2880,"href":"https:\/\/choson.lifenet.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/353\/revisions\/2880"}],"wp:attachment":[{"href":"https:\/\/choson.lifenet.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=353"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/choson.lifenet.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=353"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/choson.lifenet.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=353"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}