1. NCCU Academic Hub
  2. Publications
  3. College of Informatics
  4. Theses
  5. Item

Publications-Theses

Article View/Open

Publication Export

Google ScholarTM

NCCU Library

Citation Infomation

Related Publications in TAIR

題名 資料外洩稽核工具之設計與實作
Design and implementation of an audit tool for data leakage
作者 高華志
Kao, Hua Chih
貢獻者 陳恭
Cheng, Kung
高華志
Kao, Hua Chih
關鍵詞 資料外洩
稽核工具
資訊安全
隱碼攻擊
ISO27002
ISO 13569
Data Leakage Prevention
Audit Tools
Information Security
ISO27002
ISO 13569
Injection Flaws
SQL Injection
DLP
日期 2009
上傳時間 9-May-2016 15:28:56 (UTC+8)
摘要 隨著國內法令規範對於隱私政策更加重視,國內外企業組織因應鉅額罰款與政策的施行,再加上個人資料外洩事件頻傳,各企業無不擔心客戶資料的保護與落實內部資料控制。而大型政府機關或企業,由於服務範圍廣大,應用系統繁多,針對資料外洩的保護與落實,將更加的複雜。大部份的組織針對實體文件、安全性儲存設備管制、使用採購防火牆設備等,皆有進行相關的管理與設備的採購,但上述機制未能解決應用系統的資料外洩問題。對稽核人員而言稽查應用程式是否有資料外洩之虞,由應用程式原始程式碼相當實為不易,而新制定一套更安全存取控管的介面更需投入相當高的成本與時間。
The rapid spread of information technologies into every facet of our life results in a surge in attention to privacy recently. Bills are enacted and a comprehensive privacy policy becomes a sign of a responsible corporation. However, the complexity and diversity of application systems of information makes it very difficult to ensure that the information systems conform to all the privacy regulations and polices. Although most corporations have established some privacy policies for controlling physical documents and various hardware devices, the main problem for data leakage is at application layer. Application developers could retrieve sensitive data by exploiting application flaws. This poses great challenges to information system auditors. Firstly, it is rather difficult for auditors to review the code to spot the flaws. Secondly, it is impractical to make a new coding standard and re-write the legacy applications accordingly. Thirdly, application developers lack the motivation to improve the protection level of existing systems.
參考文獻 【1】 個人資料保護法, 行政院, 2008
     【2】 CNS 17799-資訊安全管理之作業要點, 經濟部標準檢驗局, 2002
     【3】 ISO-IEC 27002 Information technology- Security techniques- Code of practice for information security management, ISO, 2005
     【4】 ISO/TR 13569 Banking and related financial services — Information security guidelines, ISO, 2003
     【5】 More Than Half of Ex-Employees Admit to Stealing Company Data According to New Study, http://www.symantec.com/about/news/release/article.jsp?prid=20090223_01
     【6】 Introducing SQL Server Profiler, http://msdn.microsoft.com/en-us/library/ms181091.aspx
     【7】 RadControls for ASP.NET AJAX, http://www.telerik.com/help/aspnet-ajax/introduction.html
     【8】 Role-based access control,
     http://en.wikipedia.org/wiki/Role-based_access_control
     【9】 AJAX,
     http://zh.wikipedia.org/wiki/AJAX
     【10】 Avoid The SQL Injection,
     http://www.microsoft.com/taiwan/sql/SQL_Injection.htm
     【11】 SQL Injection,
     http://en.wikipedia.org/wiki/SQL_injection
     【12】 Injection Flaws,
     http://www.owasp.org/index.php/Injection_Flaws
     【13】 OWASP Top 10 Project,
     http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
     【14】 SQL Server Books online,
     http://msdn.microsoft.com/en-us/library/ms130214.aspx
     【15】 IS Standards, Guidelines and Procedures for Auditing and Control Professionals, ISACA, 2008
描述 碩士
國立政治大學
資訊科學學系
95971014
資料來源 http://thesis.lib.nccu.edu.tw/record/#G0095971014
資料類型 thesis
dc.contributor.advisor 陳恭zh_TW
dc.contributor.advisor Cheng, Kungen_US
dc.contributor.author (Authors) 高華志zh_TW
dc.contributor.author (Authors) Kao, Hua Chihen_US
dc.creator (作者) 高華志zh_TW
dc.creator (作者) Kao, Hua Chihen_US
dc.date (日期) 2009en_US
dc.date.accessioned 9-May-2016 15:28:56 (UTC+8)-
dc.date.available 9-May-2016 15:28:56 (UTC+8)-
dc.date.issued (上傳時間) 9-May-2016 15:28:56 (UTC+8)-
dc.identifier (Other Identifiers) G0095971014en_US
dc.identifier.uri (URI) http://nccur.lib.nccu.edu.tw/handle/140.119/95263-
dc.description (描述) 碩士zh_TW
dc.description (描述) 國立政治大學zh_TW
dc.description (描述) 資訊科學學系zh_TW
dc.description (描述) 95971014zh_TW
dc.description.abstract (摘要) 隨著國內法令規範對於隱私政策更加重視,國內外企業組織因應鉅額罰款與政策的施行,再加上個人資料外洩事件頻傳,各企業無不擔心客戶資料的保護與落實內部資料控制。而大型政府機關或企業,由於服務範圍廣大,應用系統繁多,針對資料外洩的保護與落實,將更加的複雜。大部份的組織針對實體文件、安全性儲存設備管制、使用採購防火牆設備等,皆有進行相關的管理與設備的採購,但上述機制未能解決應用系統的資料外洩問題。對稽核人員而言稽查應用程式是否有資料外洩之虞,由應用程式原始程式碼相當實為不易,而新制定一套更安全存取控管的介面更需投入相當高的成本與時間。zh_TW
dc.description.abstract (摘要) The rapid spread of information technologies into every facet of our life results in a surge in attention to privacy recently. Bills are enacted and a comprehensive privacy policy becomes a sign of a responsible corporation. However, the complexity and diversity of application systems of information makes it very difficult to ensure that the information systems conform to all the privacy regulations and polices. Although most corporations have established some privacy policies for controlling physical documents and various hardware devices, the main problem for data leakage is at application layer. Application developers could retrieve sensitive data by exploiting application flaws. This poses great challenges to information system auditors. Firstly, it is rather difficult for auditors to review the code to spot the flaws. Secondly, it is impractical to make a new coding standard and re-write the legacy applications accordingly. Thirdly, application developers lack the motivation to improve the protection level of existing systems.en_US
dc.description.tableofcontents 第一章 緒論 1
     1.1 前 言 1
     1.2 研究動機 2
     1.3 研究目的 3
     1.4 研究成果 3
     1.5 論文大綱 4
     第二章 核心技術探討 5
     2.1 ISO 27002/ ISO 13569 5
     2.2 Microsoft SQL Server Profiler 8
     2.3 Teleric ASP.NET AJAX Frameworks 12
     2.4 Role-Based Access Control 14
     2.5 SQL Injection 16
     第三章 系統分析 19
     3.1 系統緣起 19
     3.2 系統流程 19
     3.3規則分析 26
     3.4報表分析 34
     3.5角色存取控制模型(Role-Based Access Control) 35
     3.6情境分析 36
     第四章 系統設計與實作 39
     4.1系統架構說明 39
     4.2系統功能說明 40
     4.3資料庫設計說明 45
     4.4系統效能優化設計與實作 48
     第五章 結論與建議 56
     參考文獻 58		zh_TW
dc.source.uri (資料來源) http://thesis.lib.nccu.edu.tw/record/#G0095971014en_US
dc.subject (關鍵詞) 資料外洩zh_TW
dc.subject (關鍵詞) 稽核工具zh_TW
dc.subject (關鍵詞) 資訊安全zh_TW
dc.subject (關鍵詞) 隱碼攻擊zh_TW
dc.subject (關鍵詞) ISO27002zh_TW
dc.subject (關鍵詞) ISO 13569zh_TW
dc.subject (關鍵詞) Data Leakage Preventionen_US
dc.subject (關鍵詞) Audit Toolsen_US
dc.subject (關鍵詞) Information Securityen_US
dc.subject (關鍵詞) ISO27002en_US
dc.subject (關鍵詞) ISO 13569en_US
dc.subject (關鍵詞) Injection Flawsen_US
dc.subject (關鍵詞) SQL Injectionen_US
dc.subject (關鍵詞) DLPen_US
dc.title (題名) 資料外洩稽核工具之設計與實作zh_TW
dc.title (題名) Design and implementation of an audit tool for data leakageen_US
dc.type (資料類型) thesisen_US
dc.relation.reference (參考文獻) 【1】 個人資料保護法, 行政院, 2008
     【2】 CNS 17799-資訊安全管理之作業要點, 經濟部標準檢驗局, 2002
     【3】 ISO-IEC 27002 Information technology- Security techniques- Code of practice for information security management, ISO, 2005
     【4】 ISO/TR 13569 Banking and related financial services — Information security guidelines, ISO, 2003
     【5】 More Than Half of Ex-Employees Admit to Stealing Company Data According to New Study, http://www.symantec.com/about/news/release/article.jsp?prid=20090223_01
     【6】 Introducing SQL Server Profiler, http://msdn.microsoft.com/en-us/library/ms181091.aspx
     【7】 RadControls for ASP.NET AJAX, http://www.telerik.com/help/aspnet-ajax/introduction.html
     【8】 Role-based access control,
     http://en.wikipedia.org/wiki/Role-based_access_control
     【9】 AJAX,
     http://zh.wikipedia.org/wiki/AJAX
     【10】 Avoid The SQL Injection,
     http://www.microsoft.com/taiwan/sql/SQL_Injection.htm
     【11】 SQL Injection,
     http://en.wikipedia.org/wiki/SQL_injection
     【12】 Injection Flaws,
     http://www.owasp.org/index.php/Injection_Flaws
     【13】 OWASP Top 10 Project,
     http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
     【14】 SQL Server Books online,
     http://msdn.microsoft.com/en-us/library/ms130214.aspx
     【15】 IS Standards, Guidelines and Procedures for Auditing and Control Professionals, ISACA, 2008		zh_TW