Posted: April 7, 2021
KrCERT (KISA Internet Bohonara) has published the latest 2021 edition of the guide to vulnerability analysis and evaluation of critical information and communications infrastructure (주요정보통신기반시설).
Apart from the newly added cloud criteria, it does not look much different from the 2017 criteria.
Please refer to it in your work.
#2021 Critical Information and Communications Infrastructure Vulnerability Analysis and Evaluation Criteria #2021 Critical Information and Communications Infrastructure Vulnerability Analysis and Evaluation Guide

[Table of Contents]
(Page numbers refer to the guide; "Basic" is the basic checklist, "Optional" the optional checklist, and 000 marks a category with no items of that type.)

01. Unix servers
1. Account management: Basic p.5 / Optional p.90
2. File and directory management: Basic p.18 / Optional p.113
3. Service management: Basic p.39 / Optional p.119
4. Patch management: Basic p.85 / Optional 000
5. Log management: Basic p.89 / Optional p.142

02. Windows servers
1. Account management: Basic p.163 / Optional p.251
2. Service management: Basic p.174 / Optional p.271
3. Patch management: Basic p.229 / Optional p.296
4. Log management: Basic p.231 / Optional p.299
5. Security management: Basic p.233 / Optional p.303
6. DB management: Basic 000 / Optional p.321

03. Security appliances
1. Account management: Basic p.327 / Optional p.349
2. Access management: Basic p.333 / Optional 000
3. Patch management: Basic p.336 / Optional 000
4. Log management: Basic 000 / Optional p.350
5. Function management: Basic p.338 / Optional p.357

04. Network equipment
1. Account management: Basic p.363 / Optional p.396
2. Access management: Basic p.371 / Optional p.400
3. Patch management: Basic p.377 / Optional 000
4. Log management: Basic 000 / Optional p.407
5. Function management: Basic p.379 / Optional p.417

05. Control systems
1. Account management: Basic p.445 / Optional p.483
2. Service management: Basic p.451 / Optional p.487
3. Patch management: Basic p.457 / Optional p.498
4. Network access control: Basic p.461 / Optional p.500
5. Physical access control: Basic p.471 / Optional p.502
6. Security threat detection: Basic p.473 / Optional p.503
7. Recovery and response: Basic p.475 / Optional p.504
8. Security management: Basic p.478 / Optional p.513
9. Education and training: Basic 000 / Optional p.517

06. PC
1. Account management: Basic p.523 / Optional p.563
2. Service management: Basic p.529 / Optional p.565
3. Patch management: Basic p.539 / Optional 000
4. Security management: Basic p.547 / Optional p.572

07. DBMS
1. Account management: Basic p.581 / Optional p.613
2. Access management: Basic p.594 / Optional p.618
3. Option management: Basic p.601 / Optional p.628
4. Patch management: Basic p.605 / Optional p.637
5. Log management: Basic 000 / Optional p.639

08. Web
1. Buffer overflow: p.645
2. Format string: p.647
3. LDAP injection: p.649
4. OS command execution: p.651
5. SQL injection: p.653
6. SSI injection: p.659
7. XPath injection: p.661
8. Directory indexing: p.663
9. Information leakage: p.668
10. Malicious content: p.672
11. Cross-site scripting: p.673
12. Weak string strength: p.678
13. Insufficient authentication: p.680
14. Weak password recovery: p.682
15. Cross-site request forgery (CSRF): p.684
16. Session prediction: p.686
17. Insufficient authorization: p.688
18. Insufficient session expiration: p.690
19. Session fixation: p.693
20. Automated attacks: p.694
21. Missing process validation: p.696
22. File upload: p.699
23. File download: p.707
24. Admin page exposure: p.711
25. Path traversal: p.714
26. Location disclosure: p.716
27. Plaintext data transmission: p.719
28. Cookie tampering: p.721

09. Mobile communications
Operations management: p.727

10. Cloud
1. Access control: p.737
2. Security management: p.742
[Image: Unix server vulnerability check items]

[Image: Windows server vulnerability check items]

[Image: Security appliance vulnerability check items]

[Image: Network equipment vulnerability check items]

[Image: PC vulnerability check items]

[Image: DBMS vulnerability check items]

[Image: Web vulnerability check items]

[Image: Cloud vulnerability check items]

Source: https://krcert.or.kr/data/guideView.do?bulletin_writing_sequence=35988