Page 75 - Banker Magazine No. 153

designed with the opposite approach. There are several aspects to this safe design, but one of the most important is simply error management. Errors are fundamentally nothing more than text strings meant to be read by humans: the programmers themselves, others within the organization, or, less ideally, end users.

This comparison should make it clear that many problems in software development are in fact issues of organizational management rather than purely of programming. That realization should both encourage those without technical skills not to be scared of the topic of cybersecurity, and also point to the connection between safe software and other aspects of management processes.

Know your attacker

Most mistakes simply reduce the functionality of a program, if they have any effect at all; only a fraction turn into vulnerabilities. Thus, the most important way to improve cybersecurity from a national perspective is to build a software industry. The skills needed to create safe software align closely with those needed to use outside software correctly, and outside software is the vast majority of the software in any organization as well as its most important source of vulnerabilities. Notably, the vast majority of companies can simply import systems made by industry leaders for sensitive tasks like password storage, as long as they understand their own security requirements. A vibrant software industry would therefore go a long way toward fixing Taiwan's urgent dependence on outdated software and insecure operating systems.

Of course, Taiwan's ultimate goal is not software development but the ability to withstand nation-state attacks. That cannot be achieved by programming alone; the problem also has to be approached through open-source intelligence (OSINT). This is a broad field, and the part of it that serves defenders is the use of investigative, evidence-gathering methods to understand who the potential intruders are and to build as complete a threat model as possible.

Jon DiMaggio, author of The Art of Cyberwarfare, pointed out in an interview the importance of classifying intruders. "The main characteristic of an advanced threat ... is that the intruder's targets are very specific. Before the intrusion into Bangladesh Bank, North Korea spent an entire year preparing before actually launching the fraudulent transactions. An entire year! The ordinary cybercrime or automated harassment you see every day would not spend a day preparing, let alone a year."

DiMaggio believes that such advanced threats will not go away. "Even if they can't break into your network ... they will do other damage. This kind of attack always sets several targets at once. Whenever you face an advanced threat, you will be hit by several kinds of attack at the same time." Moreover, besides targeting organizations, these threats also attack
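One concrete reading of the error-management point made earlier on this page, that an error is text for humans and that programmers and the organization, not end users, are its ideal readers. This is an added example, not code from the article or from any product it mentions; the AppError class, the in-memory statement store, the request handler and the sample inputs are assumptions made for the illustration.

```python
"""Routing error text by audience: the full detail of an error goes to
the organization's log, and the end user receives only a message that
leaks nothing about the program's internals.

Added illustration, not code from the article or any system it mentions.
AppError, the in-memory statement store and the sample inputs are
assumptions made for this example.
"""
import logging


# Text that may be shown to an end user when nothing more specific is safe.
GENERIC_MESSAGE = "The request could not be completed."


class AppError(Exception):
    """An application error carries two human-readable strings:
    `internal` for programmers and staff (full detail), `public` for the
    end user (no file names, hosts, keys or stack traces)."""

    def __init__(self, internal: str, public: str = GENERIC_MESSAGE, **context):
        super().__init__(internal)
        self.internal = internal
        self.public = public
        self.context = context


class ListHandler(logging.Handler):
    """Collects formatted log records in memory so the example can show
    what the organization's log receives versus what the user receives."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))


log = logging.getLogger("statements")
log.setLevel(logging.ERROR)
log.propagate = False
internal_log = ListHandler()
log.addHandler(internal_log)


def open_statement(account_id: str, store: dict) -> bytes:
    """Hypothetical data access. The KeyError detail is kept for the log;
    the user-facing text says only what the user needs to know."""
    try:
        return store[account_id]
    except KeyError as exc:
        raise AppError(
            f"statement lookup failed: key {account_id!r} not in store",
            public="No statement is available for that account.",
            account_id=account_id,
        ) from exc


def handle_request(account_id: str, store: dict) -> dict:
    """Request boundary. Internal text goes to the log (read by programmers
    and others in the organization); only the public text is returned.
    Unexpected exceptions get the generic message, never their own text."""
    try:
        body = open_statement(account_id, store)
        return {"status": 200, "body": body.decode()}
    except AppError as err:
        log.error("%s context=%s", err.internal, err.context, exc_info=True)
        return {"status": 404, "error": err.public}
    except Exception:
        log.exception("unhandled error while serving account %r", account_id)
        return {"status": 500, "error": GENERIC_MESSAGE}


if __name__ == "__main__":
    # Constructed sample store; a real one would be a database or service.
    store = {"ACC-1": b"balance 100"}
    print(handle_request("ACC-1", store))
    print(handle_request("ACC-9", store))   # user sees the public text only
    print(handle_request("ACC-1", None))    # TypeError -> generic message
    print(internal_log.records[-1].splitlines()[0])
```

The two `except` clauses are the whole point: an error the program anticipated carries its own user-facing sentence, and anything unanticipated is reduced to the generic one, so a key name, a host name or a Python traceback can reach the log but never the response.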





Taiwan Banker, September 2022 issue, p. 75






