MindMap Gallery CISSP AIO Information Security
CISSP exam points organized to accompany the All-In-One (AIO) book. The key exam points are broken out, and the parts marked in red must be memorized. All eight domains are covered. This is currently the most comprehensive exam-point breakdown and is suitable for organizing knowledge points and preparing for the exam. Because the map is very large, it is not fully expanded, but it is detailed enough.
Edited at 2022-10-27 09:29:52
CISSP ALL IN ONE
8. Software security development
Application Development Learning Objectives
Software Development Lifecycle Security
Software development life cycle approach
maturity model
Operation and maintenance
Change management
Integrated product team
Security controls in development environments
The security of the software environment (programming languages, libraries, toolkits, integrated development environments, runtime);
Source code level security weaknesses and vulnerabilities
Configuration management as an important component of secure coding
Application interface security
Assess the effectiveness of software security
Auditing and logging of changes
Risk analysis and mitigation (corrective actions, testing and validation, regression testing)
User acceptance testing
Application development concerns
0. Architecture pattern
Three-tier architecture
user
front end
Complex middleware
database
Bug tracking and security features
client/server
Client: user interface, local database operations, communication mechanism
Server: execute and process data requests and return results
browser/server
1. Environmental controls vs. application controls
Balance of multiple control methods
Understand the boundaries between environmental controls and application controls
2. Security vs. functionality
Balance of software functionality and security measures
Balance of functional requirements, security requirements and security mechanisms
3. Security vs. user experience
Usually inversely related: tighter security tends to reduce convenience
4. Security features vs. secure configuration
A default installation does not guarantee security
Secure configuration is not enabled (access should be denied by default)
The minimal-installation principle is not followed
Patches must be applied after installation
System development security
SDLC
Project initiation
Clarify requirements and determine the product's basic security objectives
Risk analysis assessment, assessing threats and vulnerabilities, estimating the cost/benefit ratio of different security countermeasures
Risk Management
Risk Analysis
Requirements analysis
Security requirements
The project development and requirements management team conducts complex analysis of current and likely future functional requirements to ensure the new system meets end-user requirements
Project team members will also review the documents output during the initial phase of the project and revise and update them as needed.
For relatively small projects, the above processes are often included in the initial stages of the project.
Security requirements should also be formed accordingly. (Security requirements are determined during the requirements analysis stage, and security personnel must participate in the requirements stage)
system design
Software development as part of system design
Generally, the functions implemented by software are decided during system design.
Verification of software must take into account all the context in which the system is designed
Consider the specs
The difference between software and hardware
Software can have branches, and software can execute different commands based on different inputs, so software is complex;
Software is not physical and therefore does not wear out.
Software can be changed easily and quickly
Software development procedures should be fully planned, controlled, and recorded to detect and correct unintended consequences caused by software changes.
Software components are not standardized and replaceable as often as hardware.
Tools for describing user requirements and system internal behavior
Includes all activities related to system and software design.
Design system architecture, system outputs and system interfaces
Establish data input, data flow and data output requirements, and generally design software security features based on the company's security architecture.
design
data design
Take the data from the information model and convert it into data structures
Architecture design
Defines the main structures and relationships between application components
process design
Transform structural components into descriptive processes
security design approach
Threat Modeling (STRIDE)
Attack surface minimization analysis
Sanitize input and output
Questions to consider
Work breakdown structure (WBS) for subsequent phases
Details of the product and the environment in which it is implemented
Product modularization and important issues
Software development and implementation
The main work
The source code has been generated, and test scenarios and test cases have been developed accordingly.
Start implementing unit and integration testing
Procedures and systems also begin to be documented for maintenance and then move to acceptance testing and production transition
Test type
unit test
Validate data structures, edits, and boundary conditions
Integration Testing
Verify that components work together according to design specifications
System test
Function/Performance
Acceptance Test
Ensure code meets customer needs
Regression Testing
System changes are re-tested to ensure functionality, performance and protection levels
function test
Performance Testing
load test
pressure test
Fuzzing testing
Sends malformed or random data to the software to trigger errors. Mainly used to find buffer overflows, DoS, injection and validation flaws, and other defects that can make the software hang, crash or misbehave.
Vulnerability scanning
Use automated tools to check for major program errors, such as type-safety errors, development and configuration errors, transaction sequence faults, mapping of trigger conditions, etc. Manual follow-up investigation is usually required after scanning.
Manual testing
By analyzing a program through human experience and intuition, often using computer technology, testers can locate design errors, such as logic errors. Includes penetration testing.
Dynamic analysis
Dynamic analysis is real-time analysis of a running program. It is usually performed after static analysis, once the program's basic problems have been resolved.
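To make the fuzzing and dynamic-analysis points above concrete, here is an added Python example (not code from the book or this map): a mutation fuzzer run against a deliberately fragile length-prefixed record parser, and then against its hardened version. The record format, both parsers, the seed corpus and the `ParseError` class are constructed for this example.

```python
import random
import struct


# Fuzz target 1: a deliberately fragile length-prefixed record parser
# (constructed for this example). Record format, repeated to end of input:
#   [type: 1 byte][length: 1 byte][value: `length` bytes]
def parse_records(data: bytes) -> list[tuple[int, bytes]]:
    records, pos = [], 0
    while pos < len(data):
        # Bug: trusts the declared length. A header with fewer than 2 bytes
        # left raises struct.error; a value shorter than declared raises
        # IndexError. Both escape as unhandled exceptions (a "crash").
        rtype, length = struct.unpack_from("BB", data, pos)
        pos += 2
        value = data[pos:pos + length]
        if len(value) != length:
            raise IndexError("declared length exceeds remaining data")
        records.append((rtype, value))
        pos += length
    return records


class ParseError(ValueError):
    """Documented, handled failure mode for malformed input."""


# Fuzz target 2: the hardened parser, which checks lengths before trusting them.
def parse_records_safe(data: bytes) -> list[tuple[int, bytes]]:
    records, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ParseError("truncated header")
        rtype, length = data[pos], data[pos + 1]
        pos += 2
        if len(data) - pos < length:
            raise ParseError("truncated value")
        records.append((rtype, data[pos:pos + length]))
        pos += length
    return records


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply 1-4 random byte-level mutations: overwrite, delete, or insert."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(3)
        if op == 0 and buf:
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif op == 1 and buf:
            del buf[rng.randrange(len(buf))]
        else:
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def fuzz(target, seeds, iterations=2000, expected=(), seed=1):
    """Mutation fuzzer. Returns {(exception type name, message): first input
    that triggered it}. Exception classes in `expected` are the program's
    documented error path and are not counted as crashes."""
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    crashes = {}
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            target(case)
        except expected:
            continue
        except Exception as exc:
            crashes.setdefault((type(exc).__name__, str(exc)), case)
    return crashes


# Constructed seed corpus: two well-formed records.
SEEDS = [bytes([1, 2]) + b"hi" + bytes([2, 3]) + b"abc"]

if __name__ == "__main__":
    for signature, case in fuzz(parse_records, SEEDS).items():
        print(signature, case.hex())
    print("hardened parser crashes:",
          fuzz(parse_records_safe, SEEDS, expected=(ParseError,)))
```

Each distinct crash signature is kept with the first input that produced it, which is the minimum a triage workflow needs to reproduce the failure; the hardened parser turns the same inputs into a single documented `ParseError`, which the fuzzer is told to ignore, so its crash set is empty.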
Separation of environments and separation of responsibilities
verification
Ensure product specifications are met
validation
Ensure the main objectives of the project are met
Focus on how to use and operate the developed system or application
Certification
The security evaluation of the technical and non-technical security features of an IT system and its safeguards; it measures the extent to which a specific implementation of a design meets a specified set of security requirements and provides support for the accreditation process.
A process for examining and estimating security controls
Executed by an external independent inspection agency
Confirm compliance with security policies and standards
Accreditation
A formal statement by an authority that an IT system is approved to operate in a specific security mode, using a defined set of security measures, at an acceptable level of risk
Management’s approval of the system
clear acceptance of risk
Migrations and fixes
At this stage, the system is transformed from the acceptance stage to the real production environment.
Activities at this stage include obtaining security accreditation;
Train users according to plan;
Implement the system, including installation and data conversion;
Carry out the transition and take corrective action as needed.
Operation and Maintenance
Correctly configure the security environment
Continuously conduct vulnerability testing, monitor system activity and audit events (when vulnerabilities are discovered during the maintenance phase, the action taken is reporting)
If major changes occur, perform a risk assessment and perform certification and accreditation processes (re-certification, re-accreditation)
Disposal (Chapter 2)
Destroy data based on data sensitivity.
Destruction method
physical damage
Degaussing
overwrite
SELC Systems Engineering Life Cycle
Requirements analysis, Design, Implementation, Verification, Operation
Change and configuration management
Capability Maturity Model (CMM)
1. Initial (Ad hoc)
2. Repeatable
3. Defined
4. Managed (quantitative measurement)
5. Optimizing (continuous improvement)
Capability Maturity Model Integration (CMMI)
Levels 1, 3 and 5 are the same as in CMM; level 2 is Managed and level 4 is Quantitatively Managed.
Integrated product team
Integrated Product and Process Development (IPPD)
Management techniques that optimize design, manufacturing and support processes by integrating all necessary acquisition activities simultaneously using multi-discipline teams
IPPD facilitates meeting cost and performance targets from product concept to production, including on-site support
A key principle of IPPD is the multidisciplinary collaboration model of Integrated Product Teams (IPTs)
IPT
Representatives from all functional disciplines work with the Team Leader to build successful and balanced programs, identify and solve problems, and make sound and timely decisions
Team members may not necessarily contribute 100% of their time to the project, and a member may be on multiple IPT teams.
The purpose of IPTs is that team decisions are based on real-time input from all disciplines (e.g., program management, engineering, manufacturing, test, logistics, financial management, procurement and contract management), including customers and suppliers
IPT members are program-manager-level representatives from the enterprise and from system/subsystem contractors
A typical IPT sits at the program level and may consist of, for example, the following functional disciplines: design engineering, manufacturing, systems engineering, test and evaluation, subcontracting, quality assurance, training, finance, reliability, maintainability, support, procurement, contract management, suppliers and customers.
DevOps
concept
in principle
Develop and test against production-like systems
Deploy with repeatable, reliable processes
Monitor and validate operational quality
Amplify the feedback loops
software development model
waterfall model
Planning, requirements analysis, software design, program writing, software testing, operation and maintenance
spiral model
Structured programming development
iterative development
prototype model
Throwaway prototyping
Evolutionary prototyping
Rapid prototyping
Exploratory model
Joint Analysis Development (JAD)
Rapid Application Development (RAD)
Reuse model
Cleanroom
Component-based development
Agile development
Agile Manifesto
Individuals and interactions over processes and tools
Working software over comprehensive documentation
Customer collaboration over contract negotiation
Responding to change over following a plan
Scrum
Extreme Programming XP
Lean
Programming language concepts (aim for high cohesion and low coupling)
structured programming
Top-down analysis and design; Bottom-up, step-by-step implementation
User-oriented perspective; strictly separates work phases
Disadvantages: long development cycle, cumbersome development process and difficult auditing, and user communication is not intuitive
object-oriented programming
It is composed of two parts: class and object.
Class
A class defines the abstract characteristics of an object
A class defines an object's properties (its attributes) and what it can do (its behavior); a class's methods and properties are called "members"
Object
An object is an instance of a class
The system allocates memory to objects, not to classes; a class is abstract and the system cannot allocate space to an abstraction, whereas an object is concrete
object = properties + methods
Properties: describe an object's structure and state
Method: a function or procedure an object can perform
Objects communicate by message passing
Polymorphism
Objects of different classes can respond to the same message (method call) with behavior specific to their own class
Encapsulation
Encapsulation means hiding object information: the object's properties and implementation details are hidden and only an interface is exposed, so the internal state of the object is opaque to the outside world
public members
private member
inherit (inheritance)
Is a mechanism for creating one or more subtypes from an existing class
Software Architecture
data structure
Representation of logical relationships between data elements
scalar
linked list
hierarchical tree
cohesion and coupling (high cohesion, low coupling)
cohesion
Reflects how many different types of tasks a module can perform
The higher the cohesion, the easier it is to update and modify it without affecting other modules with which it interacts.
coupling
How much interaction a module needs to perform its tasks
Low coupling makes it easier to reuse, and modifications will not affect other modules.
Distributed Computing
Request proxy architecture through objects (CORBA)
Microsoft COM/DCOM model
EJB
API
APIs are the connectors of the Internet of Things (IoT), allowing devices to link to one another
Representational State Transfer(REST)API
Security advice for using REST APIs
Three secure approaches for REST APIs
Typical application system
Web security (Assess and mitigate web-based system vulnerabilities)
Information gathering
Security assessment begins with reconnaissance or information gathering
Specific threats to web environments
Web-based administrative interfaces (Administrative interfaces)
Authentication and access control
Input validation
response
Buffer overflow attack
XSS cross-site scripting attack
SQL injection attack
Parameter validation
Session management
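An added Python example (not from the book or this map) of the SQL injection and parameter-validation points above, using an in-memory SQLite database: the same login lookup written with string formatting and with a parameterized query, plus an allow-list check on the username. The table, the sample users, the `valid_username` rule and the payload string are constructed for this example.

```python
import re
import sqlite3


# Constructed sample table (not from the source).
def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
                 "password_hash TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")])
    return conn


def login_vulnerable(conn, username: str, password_hash: str) -> list[str]:
    """Builds the query by string formatting, so a quote character in the
    username changes the structure of the SQL (classic SQL injection)."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password_hash = '{password_hash}'")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username: str, password_hash: str) -> list[str]:
    """Parameterized query: the driver passes the values separately from the
    SQL text, so the same input is compared literally, never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return [row[0] for row in conn.execute(query, (username, password_hash))]


# Allow-list parameter validation, applied before any query as a second layer.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def valid_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


# Attacker-supplied username: closes the quoted string, injects an always-true
# condition, and comments out the password check with a SQL line comment.
PAYLOAD = "' OR 1=1 --"

if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable:", login_vulnerable(conn, PAYLOAD, "wrong"))  # every user
    print("safe      :", login_safe(conn, PAYLOAD, "wrong"))        # []
    print("validated :", valid_username(PAYLOAD))                   # False
```

With the payload, the formatted query becomes `... WHERE username = '' OR 1=1 --' AND password_hash = 'wrong'`, which returns every row regardless of password; the parameterized version compares the literal string `' OR 1=1 --` against the column and returns nothing. Validation rejects the payload before it reaches either query, but it is a defense in depth, not a substitute for parameterization.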
Database management
database management system (DBMS)
A suite of programs that manages and controls access to data
Organize and store data and record files in a certain format, allowing users to access, manage and update
Focus: Data collection, storage, recovery
Most concerned with integrity, followed by availability, and finally confidentiality
metadata
Essence: Data about data
Key data related to data source definition, target definition, conversion rules, etc.
Features:
data consistency
Operations must conform to every data integrity policy, and a completed transaction leaves the data consistent
data sharing
Multiple users can access the database at the same time, with the help of concurrency control
Data Recovery
If an error occurs or the system crashes, the system can be restored: transactions in progress at the time of the crash are either completed or rolled back, preserving data consistency
Checkpointing is a common recovery technique
Security controls
Provides various security controls to restrict user access
Efficiency methods and processes, for example:
Compression: The ability to compress data and save storage space and I/O
Reorganize: Reclaim unused space
Refactoring: the ability to add and change records, data, access controls, disk configurations, and processing methods
database language
Data Definition Language (DDL), For example: CREATE, DROP, ALTER and other statements
Data Manipulation Language (DML), For example: SELECT (query), INSERT (insert), UPDATE (modify), DELETE (delete) statements.
Data Control Statement (DCL), For example: GRANT, REVOKE and other statements.
Transaction Control Statement (TCL), For example: COMMIT, ROLLBACK and other statements
Database model
hierarchical database model
A logical tree structure consisting of records and fields that are related in the logical tree structure
A tree structure contains many branches, each branch has many leaves or data fields
Access requires a known path through the tree; well suited to lookups, poorly suited to data that changes frequently.
Example: Lightweight Directory Access Protocol LDAP, registry structure
Network database model
Use directed graphs to represent entity types and relationships between entities. A redundant structure similar to a network, not a strict tree structure.
Each data element may have multiple parent and child nodes
Faster retrieval compared to hierarchical models
relational database model
Features: attributes/fields (columns) and tuples/records (rows)
Combination of Cartesian products
Primary and foreign keys
The primary key uniquely identifies a record
Foreign key: If the value of an attribute in one table matches the primary key in another table and establishes a relationship, then this attribute is considered a foreign key.
Relational Integrity (RDBMS)
Entity integrity (Entity integrity)
Each record is uniquely identified by the primary key value
Semantic integrity
Ensures structural and semantic rules are followed so that semantically incorrect data cannot enter the database; enforced through constraints.
Referential integrity
No record may reference a non-existent primary key. If a record holding a primary key is deleted, all records that reference it (via foreign key) must be deleted as well.
Data Dictionary
It is a central library that describes data elements and their relationships. It can store key information such as data usage, data relationships, data sources, and data formats.
The data dictionary is a centralized management part that controls database data and describes cross-references between data elements and databases.
Describes a collection of data element definitions, schema objects, and reference keys
Schema objects include tables, views, indexes, procedures, functions, and triggers
The data management software reads the data dictionary, determines whether it exists, and checks access permissions for specific user processes. It also defines view permission settings for each user.
Update the data dictionary when new records, tables, views and schemas need to be added
object-oriented database model
Combining the object data model in object-oriented programming with DBMS, it can store image, voice, video and other data.
Object-oriented databases use classes to define the properties and procedures of their objects
object-relational database model
Database programming interface
Open Database Connectivity, ODBC
Object Linking and Embedding Database, OLE DB
ActiveX Data Objects, ADO
Java Database Connectivity, JDBC
Database Vulnerabilities and Threats
Integrity
Rollback
Terminates the current transaction, cancels its changes, and restores the previous state
Commit
Terminates the current transaction and makes the user's changes permanent; if the commit cannot complete, the transaction is rolled back.
Savepoint / checkpoint
If an error is detected, the user can return to the corresponding savepoint.
Use locking mechanisms to deal with the threat of concurrent operations
Aggregation
Pieces of information that are not sensitive individually become sensitive when combined.
Solution
Strictly control access to aggregate functions
Deny users direct access to the underlying data; expose it only through views.
Inference
Solution
Access control
Content-dependent access control
Context-dependent access control
Cell suppression
Technique for hiding specific cells
Database partitioning
Split the database into separate parts
Noise and perturbation
Technique of inserting bogus information into the database
Database views
Polyinstantiation
Several tuples share the same primary key, each defined for a different security level
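An added Python example (not from the book or this map) showing the aggregation and inference controls listed above on a constructed employee table: cell suppression, a differencing attack that suppression alone does not stop, query-set size control that does, and noise/perturbation. All data, names and the `k` threshold are assumptions for this example.

```python
import random

# Constructed sample table (not from the source). Each record on its own is
# sensitive; department totals look harmless, but "legal" has a single member,
# so the legal total IS that person's salary.
EMPLOYEES = [
    {"name": "ann", "dept": "eng", "salary": 120},
    {"name": "ben", "dept": "eng", "salary": 110},
    {"name": "cat", "dept": "eng", "salary": 130},
    {"name": "dan", "dept": "ops", "salary": 90},
    {"name": "eve", "dept": "ops", "salary": 95},
    {"name": "fay", "dept": "ops", "salary": 100},
    {"name": "gus", "dept": "legal", "salary": 150},
]


def in_dept(dept):
    return lambda r: r["dept"] == dept


def naive_sum(rows, predicate) -> int:
    """Unrestricted aggregate: what a plain SUM() query returns."""
    return sum(r["salary"] for r in rows if predicate(r))


def suppressed_sum(rows, predicate, k=3):
    """Cell suppression: refuse any aggregate built from fewer than k records."""
    cell = [r for r in rows if predicate(r)]
    return None if len(cell) < k else sum(r["salary"] for r in cell)


def differencing_attack(rows) -> int:
    """Inference by differencing: every query covers at least 3 records and
    would pass cell suppression, yet the difference isolates the lone legal
    employee's salary."""
    everyone = lambda r: True
    return (naive_sum(rows, everyone)
            - naive_sum(rows, in_dept("eng"))
            - naive_sum(rows, in_dept("ops")))


def restricted_sum(rows, predicate, k=3):
    """Query-set size control: the answer set must contain at least k records
    AND leave at least k records out, so neither a small cell nor its
    complement (the tracker used by the differencing attack) can be queried."""
    n = len(rows)
    cell = [r for r in rows if predicate(r)]
    if len(cell) < k or len(cell) > n - k:
        return None
    return sum(r["salary"] for r in cell)


def perturbed_sum(rows, predicate, scale=10, seed=0) -> int:
    """Noise and perturbation: release the aggregate with bounded random noise
    so an exact individual value cannot be recovered even if a cell leaks."""
    rng = random.Random(seed)  # seeded only so the example is reproducible
    return naive_sum(rows, predicate) + rng.randint(-scale, scale)


if __name__ == "__main__":
    print("naive legal total      :", naive_sum(EMPLOYEES, in_dept("legal")))
    print("suppressed legal total :", suppressed_sum(EMPLOYEES, in_dept("legal")))
    print("differencing attack    :", differencing_attack(EMPLOYEES))
    print("restricted total query :", restricted_sum(EMPLOYEES, lambda r: True))
    print("perturbed legal total  :", perturbed_sum(EMPLOYEES, in_dept("legal")))
```

The point of the differencing function is the caveat: suppression of small cells is necessary but not sufficient, because the complement of a small cell is a large, permitted query. Restricting both ends of the query-set size (or adding noise) is what actually blocks the inference, at the cost of refusing some legitimate whole-table queries.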
deadlock (Deadlocking)
Other threats
database
Online Transaction Processing, OLTP
ACID principles
Atomicity
Either all changes are committed or the database is rolled back to its prior state
Consistency
Follows the database's integrity rules so that data remains consistent across all the databases involved
Isolation
Transactions do not affect one another until committed
Durability
Once committed, changes are permanent and cannot be rolled back
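An added Python example (not from the book or this map) demonstrating atomicity, rollback, commit and savepoints from this section and from the "Integrity" section above, using SQLite's explicit BEGIN / COMMIT / ROLLBACK and SAVEPOINT statements on a constructed two-account ledger. The table, account names and amounts are assumptions for this example.

```python
import sqlite3


# Constructed ledger (not from the source). isolation_level=None puts the
# sqlite3 module in autocommit mode, so every BEGIN/COMMIT/ROLLBACK below is
# issued explicitly rather than implicitly by the driver.
def open_ledger() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE accounts (name TEXT PRIMARY KEY, "
                 "balance INTEGER NOT NULL CHECK (balance >= 0))")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100), ("bob", 50)])
    return conn


def balances(conn) -> dict:
    return dict(conn.execute("SELECT name, balance FROM accounts ORDER BY name"))


def _move(conn, src, dst, amount):
    """Two UPDATEs that must succeed or fail as a unit. Overdrawing `src`
    violates the CHECK constraint (IntegrityError); an unknown account
    updates zero rows (ValueError)."""
    for name, delta in ((src, -amount), (dst, amount)):
        cur = conn.execute("UPDATE accounts SET balance = balance + ? "
                           "WHERE name = ?", (delta, name))
        if cur.rowcount != 1:
            raise ValueError(f"no such account: {name}")


def transfer(conn, src, dst, amount) -> bool:
    """Atomicity: both balances change (COMMIT) or neither does (ROLLBACK)."""
    conn.execute("BEGIN")
    try:
        _move(conn, src, dst, amount)
        conn.execute("COMMIT")
        return True
    except (sqlite3.IntegrityError, ValueError):
        conn.execute("ROLLBACK")  # undoes the debit that was already applied
        return False


def batch_transfer(conn, transfers) -> int:
    """One outer transaction with a SAVEPOINT per item: a failing item is
    rolled back to its savepoint without discarding the items before it.
    Returns the number of items applied; the whole batch commits at the end."""
    conn.execute("BEGIN")
    applied = 0
    for src, dst, amount in transfers:
        conn.execute("SAVEPOINT item")
        try:
            _move(conn, src, dst, amount)
            applied += 1
        except (sqlite3.IntegrityError, ValueError):
            conn.execute("ROLLBACK TO SAVEPOINT item")
        conn.execute("RELEASE SAVEPOINT item")
    conn.execute("COMMIT")
    return applied


if __name__ == "__main__":
    ledger = open_ledger()
    print(transfer(ledger, "alice", "carol", 30), balances(ledger))  # False, unchanged
    print(transfer(ledger, "alice", "bob", 200), balances(ledger))   # False, unchanged
    print(transfer(ledger, "alice", "bob", 30), balances(ledger))    # True
    print(batch_transfer(ledger, [("bob", "alice", 10),
                                  ("alice", "nobody", 5),
                                  ("alice", "bob", 20)]), balances(ledger))
```

The failed transfer to a non-existent account is the case worth watching: the debit has already executed when the credit fails, so without the explicit ROLLBACK the money would simply vanish. The savepoint variant shows the finer-grained recovery point the section describes: only the failing item is undone, and durability applies to the batch once COMMIT returns.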
OLAP, online analytical processing
OLAP is the main application of data warehouse systems
Suitable for decision-makers and senior managers
Data warehousing and data mining
To achieve information retrieval and data analysis, multiple databases or data sources are combined into one large database
data mining
Classification: Grouping data based on common similarities
Probabilistic: identifies interdependencies between data and assigns probabilities to the relationships
expert system
rules-based programming
Rules are based on if-then logical units
composition
inference engine
The inference engine provides user interface, external file, plan and program access capabilities
knowledge base
Knowledge base contains data related to a specific problem or domain
Expert systems are often used by IDS to automatically review security logs
Artificial neural networks
Electronic model based on the neural structure of the human brain
The brain stores information in analog form
When something is learned and used often, the connection path to the unit storing it is strengthened
Neural networks are programmed with decision-making and learning capability, improving their function through extensive trial-and-error.
Threats
Buffer overflow
Covert channel
Timing
Storage
Memory reuse / object reuse
Social engineering
Trapdoor / backdoor
Spoofing attack
Web security
Defacement
Replacing legitimate images and text with altered ones
Perception versus reality
Financial fraud
Fraudulent services and transactions in the virtual environment
privileged access
Restrict access to privileged users
Stealing transaction information
theft of intellectual property
denial of service attack
SAML
SAML, Security Assertion Markup Language,
is an XML-based protocol
is a federated identity standard
Used to transmit authentication and authorization information in different security domains and can be used to implement single sign-on. Similar to Kerberos relying on KDC, SAML depends on IDP (Identity provider) SAML has a feature called policy enforcement.
OAuth2.0
OAuth (Open Authorization) is an open standard that lets a user grant a third-party application access to private resources stored on one site (photos, videos, contact lists) without giving the third party the user's username and password.
The original OAuth issued a single token with a very long lifetime (typically one year, or no expiry). OAuth 2.0 issues a short-lived access token together with a long-lived refresh token, limiting the window in which a leaked access token is useful.
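An added Python example (not from the book or this map, and not a real OAuth library) modelling the OAuth 2.0 token lifetimes described above: a toy authorization server issues short-lived HMAC-signed access tokens with long-lived refresh tokens, verifies access tokens as a resource server would, and rotates the refresh token on each use. The class, the key, the lifetimes and the injectable clock are assumptions for this example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time


class TokenServer:
    """Toy authorization server (constructed for this example). Access tokens
    are short-lived and HMAC-signed so a resource server can verify them
    offline; refresh tokens are long-lived, opaque, stored server-side and
    consumed on use (rotation)."""

    def __init__(self, key: bytes, access_ttl=900, refresh_ttl=30 * 86400,
                 clock=time.time):
        self.key = key
        self.access_ttl = access_ttl      # seconds; 15 minutes by default
        self.refresh_ttl = refresh_ttl    # seconds; 30 days by default
        self.clock = clock                # injectable so expiry can be tested
        self.refresh_store = {}           # refresh_token -> (subject, scope, expiry)

    def _sign(self, payload: bytes) -> str:
        mac = hmac.new(self.key, payload, hashlib.sha256).digest()
        return (base64.urlsafe_b64encode(payload).decode() + "."
                + base64.urlsafe_b64encode(mac).decode())

    def issue(self, subject: str, scope: str) -> dict:
        """Token response: short-lived access token + long-lived refresh token."""
        now = int(self.clock())
        claims = {"sub": subject, "scope": scope, "exp": now + self.access_ttl}
        payload = json.dumps(claims, sort_keys=True).encode()
        refresh = secrets.token_urlsafe(32)
        self.refresh_store[refresh] = (subject, scope, now + self.refresh_ttl)
        return {"access_token": self._sign(payload), "refresh_token": refresh,
                "token_type": "Bearer", "expires_in": self.access_ttl}

    def verify_access(self, token: str):
        """Resource-server check: intact signature and not expired -> claims,
        otherwise None. Signature is checked before anything is parsed."""
        try:
            p64, m64 = token.split(".")
            payload = base64.urlsafe_b64decode(p64)
            mac = base64.urlsafe_b64decode(m64)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None
        claims = json.loads(payload)
        return claims if claims["exp"] > int(self.clock()) else None

    def refresh(self, refresh_token: str):
        """Refresh grant: the presented token is consumed, so a stolen refresh
        token works at most once and an expired one never."""
        entry = self.refresh_store.pop(refresh_token, None)
        if entry is None:
            return None
        subject, scope, expiry = entry
        if expiry <= int(self.clock()):
            return None
        return self.issue(subject, scope)


if __name__ == "__main__":
    server = TokenServer(b"example-key-not-for-production")
    grant = server.issue("alice", "photos:read")
    print(server.verify_access(grant["access_token"]))
    print(server.refresh(grant["refresh_token"]) is not None)   # True
    print(server.refresh(grant["refresh_token"]))               # None: rotated out
```

The access token carries its own expiry and needs no server-side state, which is what makes a short lifetime cheap; the refresh token is the long-lived secret and is therefore kept server-side and revocable, and rotating it on use means replay of a captured refresh token is detectable as a second use of a consumed token.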
Mobile code
7. Security operations
1. Basic concepts of security operations
key themes
Maintain operational resiliency
Critical business resilience and continuity
Have an emergency plan in place
Real-time monitoring and response
Protect valuable assets
Provide routine maintenance of various assets
Protect assets from damage
Control system account
Maintain controls over user access to business-critical systems
Provide checks and balances for all accounts (especially privileged accounts) to ensure they exist only for legitimate business needs
Effectively manage security services
Change, configuration and issue management of IT services
Security-related programs, such as user allocation and help desk programs
Focus on reporting and service continuous improvement practices
Operations staff requirements
Prudent man: a responsible, careful, wise and capable person
Due care
Reasonable protective measures have been taken
Due diligence
Responsibilities are fulfilled in day-to-day management
Investigation
Gather the information needed to make sound decisions
Control privileged accounts
Strictly control the number and type of accounts
Carefully monitor the system’s account management permissions
Service account
The account that executes the script
Identity and access management,IAM identity and access management
The provisioning of users
Managing their access across multiple systems
Native (local) access control systems
Need to know and least privilege (complementary to each other)
Need to know
The minimum scope of knowledge and access granted based on job or business need
Key to operational security
Least privilege
Require users or processes to perform work, tasks, and functions without unnecessary access privileges
Target
Restrict users and processes to access only the necessary resources and tools to complete designated tasks
limit
accessible resources
What users can do
Manage accounts using combined roles
Different types of accounts
Privileged account
Root or built-in management account
All-purpose default account used to manage devices and systems
Security controls
Rename the default account wherever possible
The default password must be changed
Log each individual's use of the root account and the root account's activity
When logging in remotely with the root account
The session should be strongly encrypted and monitored
Use multi-factor authentication methods
Service account
Privileged access used by system services and core applications
Passwords are complex and frequently changed
Have a strategy for reclaiming and closing compromised accounts
Administrator account
These accounts are assigned to designated individuals who require privileged access to the system to perform maintenance tasks
These accounts should be separate from the user's regular account
Account passwords should be distributed to individuals safely and reliably
Administrators should acknowledge in writing that they accept the account and abide by the organization's rules
Accounts that are no longer in use should be deleted immediately.
All activities should be audited
Deploy additional logging systems
Multi-factor authentication
Power user
These account permissions are granted beyond ordinary user permissions due to work requirements but do not require administrator permissions.
Superusers can install software on their own desktops
Acceptance of the account should be acknowledged in writing and abided by organizational rules, such as signing a security agreement
Normal or restricted user account
Most users
Based on the principle of least privilege or need-to-know
Segregation of duties (can only be defeated by collusion)
Definition: a critical task is broken into parts, each performed by a different person
Forces collusion
Committing fraud requires multiple conspirators
Purpose
Constraint: reduces the opportunity for sabotage
Complement: reduces the chance of unintentional errors of omission
reason
Different safety-related tasks require different skills
Separate administrator tasks into multiple roles to give different levels of trust
Prevent security-related functions from being delegated to a role or person
System administrator
least privilege
Determine necessary access and applications as needed
monitor
Behavior is audited by logs and sent to a separate auditing system
Prevent fraud
Administrators are incapable of engaging in malicious activity without colluding with others
background check
job rotation
operator
Job responsibilities
Carry out the daily operation of the host, ensure that scheduled work is carried out effectively and solve possible problems
Permission description
Operators have high privileges, but lower than those of system administrators. These privileges can circumvent the system's security policy. The use of these privileges should be monitored and log audited.
safely control
least privilege
monitor
Operator actions are recorded and sent to an independent system not controlled by the operator
Segregation of Duties
Operators are incapable of engaging in malicious activity without colluding with others
background check
security administrator
Function: Define system security settings and collaborate with administrators to perform related configurations, provide a check and balance of rights, and provide audit and review activities for system administrators
main duty
Account management
Assignment of sensitive labels
System security settings
Review of audit data
IT Help/Service Desk Staff
Provide first-line support
Reset user password when needed
Conduct monitoring and background checks
general user
Requires access to information technology resources
Monitoring privileges
Licensing, suitability and background checks
Access should not be granted in the following situations (e.g., an administrator who, based on IDS and firewall logs, should have blocked an IP address immediately but did not; one who adjusts the system clock or deletes logs, etc.)
A recent serious lapse in relevant judgement
A repeated pattern of high-risk behaviour by the individual
Performance by the individual connected to illegal activity
Account validation
Identify existing inactive accounts (e.g., accounts of employees who have resigned or retired, or who are on temporary leave)
Job rotation
Reduces the risk of collusion between individuals
Two-person operation (two-man rule)
Both people supervise each other on site
Dual control
For example, implemented through split knowledge
Mandatory vacations
Require employees to take leave so that potential fraud can be detected and job rotation becomes possible.
Because mandatory vacation is imposed without notice, a fraudster has no opportunity to cover the traces of the fraud; fraudsters may voluntarily forgo vacation for long periods precisely to keep others from discovering their activity.
Security Administrators and Network Administrators
the difference
Network administrators focus on usability and the functionality and efficiency users need
However, efficiency and functionality often come at the expense of security. Focusing on security often reduces efficiency, such as using anti-virus software to scan, deploying firewalls, IDS, etc.
Security Administrator Responsibilities
1. Implement and maintain security devices and software
2. Perform security assessments
3. Create and maintain user profiles; implement and maintain access control mechanisms
4. Configure and maintain mandatory access controls and labels in the environment
5. Set initial passwords for users
6. Review audit logs
Accountability
User access to resources must be appropriately controlled to avoid granting excessive permissions that could cause damage to the company and its resources.
User access to and operations on resources should be monitored, audited, and logged; the user ID should be recorded in the logs
Logs should be recorded and analyzed regularly, using a combination of automated and manual methods; when an alarm exceeds the defined threshold, the administrator analyzes and handles it promptly
Clipping levels
definition
A threshold should be set for the number of times a certain error occurs. If this threshold is exceeded, the relevant behavior will be suspect or prohibited.
Purpose
The purpose of setting error alarm thresholds is to use threshold values, monitoring and auditing to detect problems in time and prevent greater losses.
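An added example (not from the page or the AIO book) of a clipping level applied to a log: a user is flagged the first time a configured number of login failures falls inside a sliding time window. The log format, user names, timestamps, threshold and window are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the page).
# Assumed format: "<ISO timestamp> <user> <FAIL|OK>".
SAMPLE_LOG = """\
2024-01-01T10:00:01 alice FAIL
2024-01-01T10:00:05 alice FAIL
2024-01-01T10:00:09 alice FAIL
2024-01-01T10:00:12 alice FAIL
2024-01-01T10:00:15 bob FAIL
2024-01-01T10:00:20 alice FAIL
2024-01-01T10:02:00 bob OK
2024-01-01T10:30:00 bob FAIL
2024-01-01T10:31:00 bob FAIL
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, user, result)."""
    ts, user, result = line.split()
    return datetime.fromisoformat(ts), user, result


def find_clipping_violations(log_text, threshold=5, window=timedelta(minutes=5)):
    """Apply a clipping level to failed-login events.

    A user is flagged the first time `threshold` failures fall inside a
    sliding window of length `window`.  Returns {user: time_flagged}.
    Successful logins are ignored: only the error being counted matters.
    """
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result = parse_line(line)
        if result != "FAIL":
            continue
        q = recent[user]
        q.append(ts)
        # Drop failures that have fallen out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and user not in flagged:
            flagged[user] = ts
    return flagged


def report(log_text, threshold=5):
    """Human-readable summary, e.g. for an administrator's alert queue."""
    hits = find_clipping_violations(log_text, threshold)
    return [f"{user}: clipping level {threshold} reached at {ts.isoformat()}"
            for user, ts in sorted(hits.items())]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

With the default threshold of 5 in 5 minutes only alice is flagged (five failures in twenty seconds); bob's three failures are spread out and never reach the level. Lowering the threshold to 2 flags both, which is why the threshold must be tuned to the normal error rate of the environment.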
Operational Responsibilities
Operational Security Goal: Reduce the likelihood of loss that may result from unauthorized access or misuse
Management is responsible for employee behavior and responsibilities
Operations personnel are responsible for ensuring that systems are protected and operating as intended
Operations Department Goals: Prevent recurring problems and reduce hardware and software failures to acceptable levels to reduce the impact of accidents or sabotage
Follow content
Unusual or unexplained events
Deviations from standards: security incidents that deviate from standards
Irregular initial program loads (restarts): be concerned about unexplained device restarts
Asset identification and management: asset management means knowing everything in the environment: hardware, firmware, operating systems, language runtimes, applications and the libraries they use
System controls: ensuring instructions are executed in the correct context
Trusted recovery: the mechanisms and procedures required to ensure that failures and operational disruptions do not undermine the secure operation of the system
Input and output controls: an application's output depends directly on its input, so task errors and suspicious behavior in the input must be monitored
System hardening: disable unneeded components and services; harden the system security configuration
Remote access security: commands and data must not be transmitted in clear text (use SSH instead of telnet); administration should be done locally rather than remotely; only a few administrators are allowed to perform remote functions; strong authentication should be required for any remote activity; any access by unauthorized persons
Software license control
Only authorized software can be installed, and pirated software is prohibited from being installed.
Those who use pirated software or install and use licenses beyond the authorized quantity and scope will be held legally responsible.
Measures should be taken to monitor software license usage
Personnel safety
Privacy
Travel
Duress (coercion, social engineering)
2. Configuration management
Target
Establish and maintain integrity throughout the lifecycle of products, systems and projects
Configuration management applies to different types of assets
Physical assets (servers, laptops, tablets)
Virtual assets, e.g. software-defined networks (SDN), virtual SAN (vSAN)
Applications (e.g. Web Services, Software as a Service)
Systems, virtual machines (VMs)
Cloud assets
Role
Identifying configuration items for the software product
Controlling these configuration items and changes to them
Recording and reporting status and change activity for these configuration items, and conducting audits
Activity
1. Identify the configuration items, components and related work that will be placed under configuration management.
2. Establish and maintain configuration management and change management systems to control work products
3. Establish and publish baselines for internal use and baselines delivered to customers.
4. Track configuration item change requests
5. Control changes in configuration item content
6. Establish and maintain records describing configuration items
7. Perform configuration audits to maintain the integrity of configuration items.
Trusted recovery
Purpose
The purpose of trusted recovery is to ensure that the security and functional properties of the system are maintained in the event of failures and operational interruptions; to achieve this, the system should incorporate a set of mechanisms that keep it in a secure state when predefined failures or interruptions occur
type
System restart: the system shuts down in a controlled manner but data is still in an inconsistent state before the restart; the system restarts into maintenance mode, performs recovery automatically and is brought to a consistent state
System cold start: the automated recovery mechanism cannot bring the system to a consistent state, so the administrator intervenes manually to restore the system from maintenance mode to a consistent state (a startup method used to defeat attacks)
Correct steps after a system crash
Enter single-user or safe mode
Fix problems and repair files
Identify critical files and operations
Input and output control
An application's input directly affects the output, so the input should be monitored for errors or suspicious behavior.
Applications should programmatically qualify the type of input data and check it
System hardening
Physical controls for network equipment
Lock the cabinet
Control of mass storage device media
Physical control Technical control
Workstation safety measures
Create a master disk image, called the Gold Master (GM)
Application system security protection
Focus on vulnerability detection and repair
Component security protection
Properly configure components
Remote access security
Remote access is a commonly used operation and maintenance method for organizations; it is also an important means of ensuring recovery in a disaster and can reduce operation and maintenance costs
Remote access is also the access method used for mobile office work, business trips, etc.
risk
Unauthorized access, introduction of viruses and malicious code, etc.
security measures
Use VPN technology for secure network access
Encrypt data transmission, even when VPN technology is used
Take strong authentication measures
Critical equipment is managed locally rather than remotely
Limit the number of administrators with remote access to a minimum
3. Physical Security (Chapter 3)
Border security implementation and operations
Physical Security Purpose
Controlling access to physical facilities, the first barrier to facility protection
Defense-in-depth
If one layer of mechanisms fails, other mechanisms function
Secure the weakest link
Security guards
Physical protection measures ultimately require personnel to intervene to respond to alarms
Security personnel can conduct foot patrols of the building or station themselves at a fixed location
Control access by checking employee ID cards
Strong deterrent, but high cost
Limited personnel reliability
When choosing a security guard, it is more important to screen and choose reliable personnel.
4. Secure resource provisioning
Asset list
Tracking hardware
1. Brand 2. Model 3. MAC address 4. Serial number 5. OS or firmware version 6. Location 7. BIOS and other hardware 8. Assigned IP address (if available) 9. Labels or barcodes for organizational asset management
tracking software
1. Software name 2. Supplier 3. Password or activation code 4. License type and version 5. Number of licenses 6. Number of licenses 7. License consistency 8. Organization software library administrator or asset administrator 9. Contact person of the organization where the software has been installed 10. Upgrade, full or limited license
The security role of software and hardware libraries
Security experts can quickly find and mitigate vulnerabilities related to hardware type and version
Knowing the type and location of hardware in the network can reduce the effort of identifying affected devices
Unauthorized devices on the network can be discovered through scanning
Maintain configuration list
Logging and tracking configuration changes provides assurance of network integrity and availability
Regular checks to detect unauthorized changes
Change management
change management process
Requests
Impact assessment
Approval/disapproval
Build and test
Notification
Implementation
Validation
Documentation record
Emergency changes
Get verbal authorization
There must be appropriate testing and rollback plans.
Make up records and formal authorization afterwards
ECAB (Emergency Change Advisory Board)
5. Network and resource availability
Means to ensure availability
Redundant hardware capable of hot swapping
Fault tolerance technology
Failover
load balancing
Service Level Agreement SLA
What
An SLA is a simple document that describes the level of service the business/customer receives from IT, showing service measurement metrics, remediation, or penalties if agreement requirements are not met.
If the SLA is not met due to customer reasons, there should be no penalty
SLA
IT commitments to business units or external customers
OLA (Operational Level Agreement)
IT internal
UC (underpinning contract)
Signed with a supplier
Why
Make sure you both understand the requirements
Ensure that the agreement has not been misinterpreted intentionally or unintentionally
Different levels, different prices
starting point for negotiation
Important section
Service elements
Provide specific services
Service availability status
Service standards (time window)
Upgrade procedure
Responsibilities
Cost/service trade-off
Management elements
Definition of measurement standards and methods / reporting process / content and frequency / dispute resolution process
SLAs kept updated
Changes in supplier capabilities and service needs
compensation
The supplier will have to pay the customer any third party costs resulting from the breach of warranty
SLA is not transferable
How to verify SLA
measurement standard
Service availability
Defect rate
Technical quality
Security
Examples of availability metrics
99% (allows over 7 hours of unplanned downtime per month)
99.9% (allows 43.8 minutes of outage per month)
99.99% (allows about 4.4 minutes of interruption per month)
Suitability review SLA
Robust operational measures;
Redundancy and fault tolerance
Device backup
spare parts
cold standby
Spare device, not powered on
Identical to the main device
Can be put into use if needed
Generally stored near the main device
Cannot be used without manual intervention
warm standby
Already connected to the system but not enabled unless needed
Hot standby
Connected to the system and powered on, ready to take over when needed
redundant system
Typical redundant configuration
Active/passive pair mode
The primary system provides all services
The passive system monitors the primary system for problems
cluster
Two or more join the cluster and provide services simultaneously
Grid computing
Another load-balancing method for large-scale parallel computing
Grid computing is not suitable for work that requires confidentiality; it is better suited to projects such as financial modeling, weather modeling, and earthquake modeling
Power backup
Redundant (or dual) power supplies
UPS
Alternative energy sources (such as diesel generators)
Drives and data storage
SAN and NAS
SAN storage area network
A SAN consists of dedicated block-level storage on a dedicated network
Numerous storage devices such as tape libraries, optical drives, and disk arrays
Uses protocols like iSCSI to appear to operating systems as locally attached devices
Large banks of disks are made available to multiple systems connecting to them via specialized controllers or via Internet Protocol (IP) networks
NAS network attached storage
Allow network servers to share their storage space with network clients
File level instead of block level
Designed to simply store and serve files
NAS can also be used to provide storage for multiple systems on a network
RAID (Redundant Array of Inexpensive Disks)
A technique used to increase redundancy and/or improve performance by logically combining multiple physical disks into a logical array; when data is saved, the information is written across the drives
RAID 0
Write files striped across multiple disks without using parity information.
Improve reading and writing speed
All disks can be accessed in parallel
Does not provide redundancy
RAID 1
This level copies all disk writes from one disk to the other to create two identical drives.
Data mirroring
redundancy
Costly (more money spent on disks)
RAID 2
More theoretical, less used in practice
Hamming error correcting code
RAID 3 and 4
RAID 3 byte level and RAID 4 block level parity
Three or more drives are required to achieve this.
Striping
parity disk
Parity information is written on a disk
The parity drive is the Achilles' heel because it can become a bottleneck and will often fail earlier than the other drives
RAID 5
Similar to RAID 4
Parity information blocks are scattered across each disk
Striping
More commonly used
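An added example (not code from the page or the AIO book) showing what the parity information in RAID 3/4/5 actually is: the XOR of the data blocks in a stripe. It lays out a stripe on a 4-disk RAID 5 array, rotates the parity block across disks (a left-symmetric layout is assumed; RAID 4 would keep parity on one fixed disk), and rebuilds a single failed disk from the survivors. The stripe-unit size and contents are constructed sample data.

```python
def xor_blocks(blocks):
    """XOR equal-length byte blocks together; this is RAID 3/4/5 parity."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        if len(block) != len(out):
            raise ValueError("stripe units must be the same size")
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def parity_disk_for_stripe(stripe_index, n_disks):
    """RAID 5 rotates the parity block across disks (assumed left-symmetric
    layout).  RAID 4 would always return n_disks - 1, the dedicated parity disk."""
    return (n_disks - 1 - stripe_index) % n_disks


def raid5_write_stripe(data_blocks, stripe_index, n_disks):
    """Lay out n_disks-1 data blocks plus one parity block across n_disks.
    Returns the list of per-disk blocks for this stripe."""
    if len(data_blocks) != n_disks - 1:
        raise ValueError("need exactly n_disks-1 data blocks per stripe")
    parity = xor_blocks(data_blocks)
    p = parity_disk_for_stripe(stripe_index, n_disks)
    data = iter(data_blocks)
    return [parity if d == p else next(data) for d in range(n_disks)]


def raid5_recover(stripe):
    """Rebuild a single missing block (None) from the surviving blocks.

    Works whether the lost block was data or parity, because
    d0 ^ d1 ^ ... ^ parity == 0.  Two or more missing blocks cannot be
    rebuilt from a single parity set; that is what RAID 6's second set is for.
    """
    missing = [i for i, b in enumerate(stripe) if b is None]
    if len(missing) != 1:
        return None
    return xor_blocks([b for b in stripe if b is not None])


def raid5_read_data(stripe, stripe_index):
    """Return the data blocks of an intact stripe in their original order."""
    p = parity_disk_for_stripe(stripe_index, len(stripe))
    return [b for d, b in enumerate(stripe) if d != p]


if __name__ == "__main__":
    # Constructed sample data: three 4-byte stripe units on a 4-disk array.
    data = [b"AAAA", b"BBBB", b"CCCC"]
    stripe = raid5_write_stripe(data, stripe_index=0, n_disks=4)
    print("on-disk stripe:", stripe)
    damaged = list(stripe)
    damaged[1] = None                      # simulate disk 1 failing
    print("rebuilt disk 1:", raid5_recover(damaged))
```

Because every stripe XORs to zero, the rebuild does not need to know which disk held parity: the same XOR over the survivors recovers a lost data block or a lost parity block. The dedicated-parity layout of RAID 3/4 is the same arithmetic with `parity_disk_for_stripe` pinned to one disk, which is why that disk takes a write on every stripe and becomes the bottleneck the text describes.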
RAID 6
Extended functionality of RAID 5
Calculate two sets of parity information.
RAID 6 performance is slightly worse
RAID 01 and RAID 10
Generally speaking, RAID 10 is considered superior to RAID 01 in all respects, both in speed and in redundancy
In RAID 01, the first set of disks stripes data across all available drives (the RAID 0 part), and that set is then mirrored to another set of disks (the RAID 1 part)
Direct access versus sequential access to storage devices
The difference between direct access and sequential access
When accessing the storage device directly, any location can be reached immediately; when accessing the storage device sequentially, the distance between the current location and the target location needs to be traversed to reach the target;
Tape drives are sequential access storage devices;
Multi-track tape devices are direct access storage devices (DASD): they record the starting position of the main data segments at a specific point on the tape and in the tape drive's cache, allowing the drive to reach a given track and a given point on that track more quickly
Redundant independent tape array RAIT
Use tape drives instead of disk drives;
Tape drives cost less when saving large amounts of data
Compared with the disk, its speed is slower;
database shadowing (real time)
Used for database management systems to update records at multiple points
Full database copy for remote use
Backup and restore system
Backup data includes critical system files and user data
backup window
big enough
fully prepared
not big enough
Differential or incremental backup
Backup involves copying data from production systems to remote media
Such as moving high-density tapes or storing them in different places
At least three backup tapes
Original site
Recover a single failed system
Nearby site
Used when the primary site suffers a general failure and the on-site tapes are corrupted
remote site
Offsite site
A safe location some distance away from the main site
Electronic transfer / electronic vaulting
Back up data over the network
Changes on the primary system are transferred to the vault server
Electronic vaulting transmits in batches, not in real time
Vault (repository) server
Configured like a storage device
As opposed to real-time updates, file changes are delivered to the vault using incremental and differential backups
Log or transaction record
Database management systems use techniques that provide transactional redundancy
Staffing Flexibility
Avoid single points of failure for key personnel
Adequate staffing levels
Proper training and education
Rotation training
Mean time between failures (MTBF)
Uptime
System available time
Mean time to repair (MTTR)
downtime
Refers to the estimated time required to repair a piece of equipment and put it back into production.
MTBSI = MTBF + MTTR
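An added example (not from the page or the AIO book) that ties the availability figures in the SLA section above to the MTBF/MTTR relationship here: it converts an availability percentage into an allowed downtime budget per month, derives steady-state availability as MTBF / (MTBF + MTTR), and computes MTBSI = MTBF + MTTR. An average month of 365.25 days / 12 is assumed, which reproduces the 43.8 and 4.4 minute figures on the page; the sample MTBF/MTTR values are constructed.

```python
# Average month length assumed here: 365.25 days / 12 = 43 830 minutes.
MINUTES_PER_MONTH = 365.25 * 24 * 60 / 12


def allowed_downtime_minutes(availability_pct, period_minutes=MINUTES_PER_MONTH):
    """Downtime budget implied by an availability target over a period."""
    return period_minutes * (1 - availability_pct / 100)


def availability_pct(mtbf_hours, mttr_hours):
    """Steady-state availability = MTBF / (MTBF + MTTR), as a percentage.
    Uptime is the MTBF part of each cycle, downtime is the MTTR part."""
    return 100 * mtbf_hours / (mtbf_hours + mttr_hours)


def mtbsi_hours(mtbf_hours, mttr_hours):
    """Mean time between system incidents: one full failure-and-repair cycle."""
    return mtbf_hours + mttr_hours


def sla_met(measured_downtime_minutes, target_pct, period_minutes=MINUTES_PER_MONTH):
    """True if the measured downtime stayed inside the target's budget."""
    return measured_downtime_minutes <= allowed_downtime_minutes(target_pct, period_minutes)


def availability_table(targets=(99.0, 99.9, 99.99)):
    """Rows of (target %, allowed minutes per month) rounded to one decimal."""
    return [(t, round(allowed_downtime_minutes(t), 1)) for t in targets]


if __name__ == "__main__":
    for target, minutes in availability_table():
        print(f"{target:6.2f}% -> {minutes:6.1f} min/month")
    # Constructed example: a device failing every 999 h and taking 1 h to repair.
    print("availability:", availability_pct(999, 1), "%")
    print("MTBSI:", mtbsi_hours(999, 1), "h")
```

Note the asymmetry the text hints at: an SLA that allows 4.4 minutes per month is breached by a single reboot that takes five minutes, so when a target is that tight the MTTR term, not the MTBF term, dominates whether the SLA can be met.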
single point of failure
Prevent the failure of one device from having a negative impact on the entire network
Trusted paths and fail-safe mechanisms
trusted path
Provides a trusted interface for privileged user functionality
Provides means to ensure that communications using this path are not disrupted or corrupted
Typical measures
Log collection and analysis, vulnerability scanning, patch management and regular system integrity checks
Fail-Safe
Automatically turns on in case of failure (e.g. power outage)
Concerned about life or system safety
Fail-Secure (concerned with protecting property)
Automatic locking in case of failure (e.g. power interruption)
Focus on blocking access in a controlled manner after a failure, when the system is in an inconsistent state
6. Resource protection measures
resource protection
tangible and intangible assets
Facility protection
hardware
Hardware requires appropriate physical security measures to maintain the required confidentiality, integrity and availability
Access to operator terminals and workstations should be restricted
Access to facilities should be restricted
Mobile assets should be protected
Printing facilities should be located near their authorized users
Network devices are core assets and need to be protected
General process for protective measures
1. Identify and assess risks
2. Choose appropriate control measures
3. Correct use of control measures
4. Management configuration
5. Evaluation operations
Unauthorized disclosure
A threat worthy of concern
The malicious activities of malware as well as malicious users can lead to the loss of important information
vandalism, disruption and theft
inappropriate modifications
Firewall (Chapter 4)
Intrusion Detection System Architecture (Chapter 5)
Email protection – whitelist, blacklist and greylist
whitelist
A list of email addresses or IP addresses, etc., listed as "good" senders
blacklist
A list of "bad" senders
Gray list
The sender cannot yet be judged good or bad; greylisting temporarily rejects the message and tells the sending mail server to resend it later (legitimate mail servers retry, many spam sources do not)
Non-profit organizations
Track the operations and sources of Internet spam
Provide real-time and effective spam protection for the Internet
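An added example (not code from the page or the AIO book) of the whitelist / blacklist / greylist decision described above, as an inbound mail server would apply it to each delivery attempt. The greylist is keyed on the (client IP, sender, recipient) triplet, the retry delay and entry lifetime are assumed values, and the IP addresses, sender addresses and timing of the attempts are constructed.

```python
from datetime import datetime, timedelta

# SMTP reply classes: temporary failure asks the sender to retry later.
TEMPFAIL, ACCEPT, REJECT = "451 try again later", "250 accepted", "550 rejected"


class InboundMailPolicy:
    """Whitelist, then blacklist, then greylist, for one inbound SMTP attempt.

    Assumptions (not from the page): the lists hold client IPs or sender
    addresses; the greylist key is the (client IP, sender, recipient)
    triplet; a retry is accepted once at least `retry_after` has passed,
    unless the entry has expired after `ttl`.
    """

    def __init__(self, whitelist=(), blacklist=(),
                 retry_after=timedelta(minutes=5), ttl=timedelta(hours=4)):
        self.whitelist = set(whitelist)
        self.blacklist = set(blacklist)
        self.retry_after = retry_after
        self.ttl = ttl
        self.greylist = {}      # triplet -> time first seen

    def decide(self, client_ip, sender, recipient, now):
        if client_ip in self.blacklist or sender in self.blacklist:
            return REJECT                       # known "bad" sender
        if client_ip in self.whitelist or sender in self.whitelist:
            return ACCEPT                       # known "good" sender
        key = (client_ip, sender, recipient)
        first_seen = self.greylist.get(key)
        if first_seen is None or now - first_seen > self.ttl:
            self.greylist[key] = now            # unknown: ask for a resend
            return TEMPFAIL
        if now - first_seen < self.retry_after:
            return TEMPFAIL                     # retried too quickly
        return ACCEPT                           # a real MTA waited and retried


def run_scenario():
    """Constructed sequence of delivery attempts; returns the decisions."""
    policy = InboundMailPolicy(whitelist={"192.0.2.44"}, blacklist={"203.0.113.9"})
    t0 = datetime(2024, 1, 1, 9, 0)
    attempts = [
        # Unknown sender: first attempt, an impatient retry, then a proper retry.
        ("198.51.100.7", "alice@example.net", "bob@corp.test", t0),
        ("198.51.100.7", "alice@example.net", "bob@corp.test", t0 + timedelta(minutes=1)),
        ("198.51.100.7", "alice@example.net", "bob@corp.test", t0 + timedelta(minutes=10)),
        # Blacklisted client IP.
        ("203.0.113.9", "spam@example.org", "bob@corp.test", t0),
        # Whitelisted client IP skips greylisting.
        ("192.0.2.44", "news@partner.example", "bob@corp.test", t0),
        # A one-shot sender that never retries is simply never delivered.
        ("192.0.2.99", "x@example.com", "bob@corp.test", t0),
    ]
    return [policy.decide(*attempt) for attempt in attempts]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

The cost of greylisting is visible in the scenario: first contact from a legitimate sender is delayed by the retry interval, which is why whitelisting known partners in front of the greylist matters.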
sandbox, anti-malware, Honeypots and honeynets, third-party services
Honeypots and honeynets (detective control)
Acts as a decoy server to collect information about attackers or intruders operating on the system
Sandboxing
Software virtualization technology
Let programs and processes run in an isolated environment
Restrict access to other system files and systems
What happens in the sandbox stays in the sandbox (least privilege)
A replacement for traditional antivirus
Possible detection of zero-day vulnerabilities and hidden attacks
Malware uses a variety of techniques to evade detection
Anti-malware
Deployed on individual hosts and systems
Unified Threat Management (UTM) security gateway
Continuous updates of the virus database (updated every day)
Monitoring to ensure anti-virus systems are still active and effective
Automatic scanning policy for new media and email attachments
Scanning should be scheduled and accomplished on a regular basis
Environmental checks (environmental monitoring)
Third-party Security Services
Dynamic application security testing (DAST)
Used to detect security vulnerabilities in the running state of the application
Most of the issues exposed are web vulnerabilities in HTTP and HTML
Some are malformed data and non-web protocols
method
Dynamic Application Security Testing is a Service
Have crawler capabilities to test RIA (Rich Internet Applications)
HTML5 (using WebSockets)
Have crawling capabilities and test applications using other web protocol interfaces
Static Application Testing Capability (SAST)
Interactive security testing
Comprehensive fuzz testing
Test mobile and cloud-based applications
Patch and vulnerability management
The purpose of patch management
Establish a continuous configuration environment to protect operating systems and applications from known vulnerabilities
Often manufacturers do not give the reasons for an upgrade when releasing a new version
Risk factors to consider for patch management
Is it approved by management?
Comply with configuration management policies
Whether to consider bandwidth utilization
Whether to consider service availability
Centralized patch management
A best practice for patch management
Virtualization technology makes it easier to set up a patch testing lab
Some control measures can mitigate the impact of software vulnerabilities, such as firewalls, IDS, etc., and allow us time to test patches.
Reverse engineering patches
Responding to zero-day attacks
Vendors can push out software patches through reverse engineering
Reverse engineering makes it easier for hackers to exploit the latest vulnerabilities
Depends on how quickly hackers and vendors apply reverse engineering
Patch management steps
Security experts need to determine whether it is a vulnerability
Do you need to upgrade the patch?
risk-based decision making
Importance of patches
Management and system owners determine whether to update patches
Will it affect the business?
Update patches have been tested and residual risks have been addressed
Schedule updates
Notify users before deployment
Update at night or on weekends
Back up the server before deployment
After the update is completed, it needs to be verified in the production environment
Some invisible problems may arise
Once deployment is complete ensure all appropriate machines are updated
Log all changes
Security and patch information management
Important section
Patch management is about knowing both about security issues and patch releases
Be aware of security issues and software updates relevant to their environment
It is recommended that a dedicated person and team be responsible for alerting administrators and users of security issues or app updates.
Patch prioritization and scheduling
1. The patch life cycle (patch cycle) guides the normal application of patches and system updates
cycle
time or practice driven
Helps with the release and updating of applied standard patches
2. Job planning to handle critical security and functional patches and updates
patch priority and urgency scheduling
Vendor-reported criticality (e.g. high, medium, and low)
System criticality
Importance of the applications and data on the system
Patch testing
Breadth and depth of patch testing
system criticality
Processed data
environmental complexity
Availability requirements
Available resources
The patch testing process begins with the acquisition of software updates and continuous acceptance testing after production deployment
Verification is required when obtaining patches
Source verification
Integrity check
Digital signature
Checksum
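An added example (not from the page or the AIO book) of the source and integrity verification steps for an obtained patch: the download URL must be HTTPS from an allowlisted vendor host, and the file's SHA-256 must match the entry in a sha256sum-style manifest. The host name, file name, file contents and manifest are constructed placeholders; in practice the digest comes from the vendor's signed release material, and the digital-signature check (e.g. verifying a detached signature on the manifest) is the stronger step that this example does not show.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed allowlist of vendor download hosts (placeholder names, not real).
TRUSTED_HOSTS = {"updates.vendor.example"}

# Constructed stand-in for a patch file.  The manifest digest would normally
# come from the vendor's signed manifest; it is computed here only so the
# example runs offline.
PATCH_NAME = "patch-2024-01.bin"
PATCH_BYTES = b"\x7fELF" + b"example patch payload" * 8
SHA256SUMS = f"{hashlib.sha256(PATCH_BYTES).hexdigest()}  {PATCH_NAME}\n"


def source_is_trusted(url):
    """Source check: transport must be HTTPS and the host on the allowlist."""
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname in TRUSTED_HOSTS


def parse_sha256sums(text):
    """Parse 'digest  filename' lines (sha256sum format) into {filename: digest}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        sums[name.lstrip("*")] = digest.lower()   # '*' marks binary mode
    return sums


def verify_patch(url, name, data, manifest_text):
    """Return (ok, reason).  Source and integrity checks must both pass."""
    if not source_is_trusted(url):
        return False, "untrusted source"
    expected = parse_sha256sums(manifest_text).get(name)
    if expected is None:
        return False, "file not listed in manifest"
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison; avoids leaking how many digest characters match.
    if not hmac.compare_digest(actual, expected):
        return False, "checksum mismatch"
    return True, "verified"


if __name__ == "__main__":
    url = "https://updates.vendor.example/" + PATCH_NAME
    print(verify_patch(url, PATCH_NAME, PATCH_BYTES, SHA256SUMS))
    print(verify_patch(url, PATCH_NAME, PATCH_BYTES + b"\x00", SHA256SUMS))
```

A checksum only proves the file matches what the manifest says; if the manifest itself was fetched from an untrusted place, both can be replaced together. That is the gap the digital signature closes and why the page lists signature and checksum as separate checks.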
Test after patch verification is completed
The test environment is as close as possible to the production environment
You can use subsystems of the production system as a test environment
Patch change management
Change is important at every step of patch management
Patching applications should include contingency and fallback plans
Include risk reduction strategies in your change management program
Change management program includes monitoring and acceptance plan
Demonstrate patch success with specific milestones and acceptance criteria
Allow updates in closed change system
Patch installation and deployment
The deployment phase of patch management must have well-experienced administrators and engineers
Installation and deployment means that patches and updates to production systems are actually implemented
A technical factor affecting patch deployment is tool selection
Tool selection
Buy
Self-built
Tool type
agent-based
agentless systems
Deploy security patches
Complete in time
Controllable and predictable
Patch audit and assessment
Routine audits and assessments measure patch management success and extent
two questions
What systems need to be patched for any known bugs?
Is the system updated with real patches?
critical success factors
Asset and host management
Ideally, host management software can produce reports
Management tools
System discovery and auditing as part of the audit and assessment process
Vulnerability management system
vulnerability scan
Identify these weaknesses
Vulnerability type
System defects
Product design defects
buffer overflow
Configuration error
Configuration errors leave systems vulnerable to attacks
Strategy error
The individual fails to comply with or implement safety measures as required
Host-based scanning
Identify missing security updates on the server
Identify unauthorized software or services that may indicate system compromise
Apply security scan
Database security scan
Configuration error found
7. Incident management (safety accident management)
event definition
An event is a negative occurrence that can be observed, verified and recorded
An incident is a series of events that negatively affects a company and its security posture
Incident response: when something happens to the company that causes a security breach, dealing with it is called incident response or incident handling
Incident response or incident handling has become a primary responsibility of organizational security departments
general framework
Creation of a response capability;
Incident handling and response;
Recovery and feedback
incident management (quick recovery)
Including people, technology and processes
Direct all incident-related activities and guide security personnel to a predefined and pre-authorized path to resolution
Describe the activities undertaken in relation to the roles and responsibilities of the parties involved in the incident.
managing an adverse event
Limiting the effect of an incident
event handling Strategy, roles and responsibilities
The policy must be clear, concise, and empower the incident response/handling team to handle any and all incidents
Staffed and well-trained incident response team
virtual team
Dedicated team
Hybrid mode team
Outsourcing resources
Upgrades may be required during event handling
Response Team Core Areas
Establishing a team requires training and keeping it up-to-date, which requires a huge amount of resources.
Handle public disclosures with caution
process
diagnosis
Contains the practical sub-phases of detection, identification and notification;
Classify events according to their potential risk level, which is affected by event type, source (internal or external), growth rate, and error suppression capabilities;
Handling false-positive events/false positives is the most time-consuming;
If it is a real event, classification (based on the needs of the organization) and classification (determining the level of potential risk or the criticality of the event) are required
investigation
Directly deals with analysis, interpretation, response, and recovery of events;
Investigation involves the appropriate collection of relevant data, which will be used in analysis and subsequent stages;
Management must determine whether law enforcement is involved in the investigation, gathering evidence for prosecution, or simply patching the loophole;
contain
Contain incidents and reduce their impact;
The purpose of mitigation is to prevent or reduce further damage from an incident, thereby initiating recovery and repair
Appropriate containment measures buy the incident response team time to properly investigate and determine the root cause of the incident;
Containment strategy (example: cutting the infected host off from the network and taking control of it)
Mitigation measures should be based on the type of attack, the assets affected by the incident, and the criticality of those assets;
Conduct digital forensics to preserve forensic evidence
Analysis and Tracking
Collect more data (logs, videos, system activity, etc.) during the analysis phase to try to understand the root cause of the incident and determine whether the source of the incident was internal or external, and how the intruder penetrated;
Security experts need a combination of real training and real-world experience to properly explain, and often don’t have enough time;
Tracking often goes hand-in-hand with analysis and inspection, and requires weeding out false leads or deliberate misdirection
Also important is what needs to be done once the root cause is identified and traced back to the true source.
recovery stage
The purpose is to get the business back up and running, return affected systems to production, and be consistent with other activities
Make necessary repairs to ensure this does not happen again;
recover
eradicate
RCA Root Cause Analysis
Work backwards to determine what allowed the event to happen in the first place: proceed layer by layer until the root cause is found
RCA can quickly cross boundaries between technical, cultural, and organizational issues
Remediation
Remediation recommendations from the RCA are then reviewed by management for adoption and implementation
Problem management
Tracking the event back to a root cause and addressing the underlying problem
Addressing defects that made the incident possible or more successful
Takes a longer-term view
The long-term course of incidents as they occur in the operational environment
Tracking down the underlying defect may take time, because it may require specific conditions to be in place that do not occur frequently
Eradication is the process of removing the threat (if a system is infected with a virus and is no longer functioning properly, a thorough anti-virus cleanup eradicates the problem)
Restore or repair the system to a known good state.
Recovery becomes more complicated if the last known image or state contains the actual cause of the incident. In this case, a new image should be generated and tested before the application is moved to production.
Repair work includes: closing sensitive ports, disabling vulnerable services or functions, applying patches, etc.
Reports and records (summary of lessons learned from the incident)
Policies and procedures must be defined
Does the media or the organization's external affairs group need to be involved?
Does the organization's legal team need to be involved in the review?
At what point does notification of the incident rise to line management, middle management, senior management, the board of directors, or the stakeholders?
What confidentiality requirements are necessary to protect the incident information?
What methods are used for the reporting? If the email system is compromised, how does that affect the reporting and notification process? Mobile phone, landline, emergency contact?
The most important and easily overlooked stage is the reporting and feedback stage;
Organizations often learn a lot from events and move from mistakes to success;
Debriefing requires all team members, including representatives from each team affected by the incident;
The advantage is that this phase can develop or track response team performance from collecting meaningful data;
Measurement indicators can determine budget allocation, staffing needs, baselines, and demonstrate prudence and rationality;
The difficulty lies in producing statistical analysis and metrics that are meaningful to the organization.
Monitoring/detection
(SIEM) Security Information Event Management System
One disadvantage of system logs is that they provide a view into that single system. The disadvantage of system logs is that they can only provide a single system perspective and cannot provide logs and information about related events involving multiple systems.
Provide a common platform for log collection, collation, and analysis in real time Provide a common platform for log collection, collation, and real-time analysis.
provide reports on historical events using log information from multiple sources
Log management systems are similarLog management systems are similar
combined with SIEM solutions combined with SEIM solutions
real time functions provide real-time analysis.
maintain a disciplined practice of log storage and archiving maintain strict log storage and archiving discipline
Modern reporting tools can also be used to transform security event information into useful business intelligence. Modern reporting tools can also be used to transform security event information into useful business intelligence.
8. Disaster recovery
Strategy
Develop a recovery strategy
The choice of recovery strategy must meet organizational needs
Cost-benefit analysis (CBA)
Initial cost of setting up a strategy
Maintenance and recovery strategies determine the ongoing costs of the program
The cost of periodic testing of the plan
Communication related expenses
Implement a backup storage strategy
Recovery Time Objective (RTO) / Recovery Point Objective (RPO)
Backup methods
Full backup
Incremental backup
Differential backup
Recovery site strategy
Dual data center (redundant site)
Used when application downtime is unacceptable to the organization
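Added example, not from the AIO notes: a Python simulation of what full, incremental and differential backups each copy, and which backup sets a restore must read. The file names, contents and day-by-day change history are constructed.

```python
"""Full vs. incremental vs. differential backups: what each copies and how a
restore is assembled. Constructed data, not the notes' own material."""

# Constructed file system on day 0 and the changes made on later days.
INITIAL = {"a.txt": "a v1", "b.txt": "b v1", "c.txt": "c v1"}
CHANGES = [  # (day, filename, new content)
    (1, "a.txt", "a v2"),
    (2, "b.txt", "b v2"),
    (3, "a.txt", "a v3"),
    (3, "d.txt", "d v1"),
]


def run_schedule(strategy, initial=INITIAL, changes=CHANGES, last_day=3):
    """Full backup on day 0, then one `strategy` backup ("incremental" or
    "differential") at the end of each day. Returns a list of backup sets as
    (kind, day, {filename: content}) tuples, oldest first."""
    if strategy not in ("incremental", "differential"):
        raise ValueError("strategy must be 'incremental' or 'differential'")
    live = dict(initial)
    # Archive bit: True when the file changed since the last backup that cleared it.
    archive = {name: False for name in live}
    sets = [("full", 0, dict(live))]
    for day in range(1, last_day + 1):
        for change_day, name, content in changes:
            if change_day == day:
                live[name] = content
                archive[name] = True
        copied = {name: live[name] for name, changed in archive.items() if changed}
        sets.append((strategy, day, copied))
        if strategy == "incremental":
            # Incremental: clear the bits, so tomorrow copies only tomorrow's changes.
            archive = {name: False for name in archive}
        # Differential: bits stay set, so each set grows until the next full backup.
    return sets


def restore(sets):
    """Rebuild files from a backup chain. Start from the newest full backup;
    then apply every later incremental in order, or only the newest
    differential (each differential already holds all changes since the full)."""
    last_full = max(i for i, s in enumerate(sets) if s[0] == "full")
    state = dict(sets[last_full][2])
    later = sets[last_full + 1:]
    if any(s[0] == "differential" for s in later):
        later = [max(later, key=lambda s: s[1])]
    for _, _, files in later:
        state.update(files)
    return state


def files_copied(sets):
    """Map (kind, day) -> sorted filenames in that backup set (its relative size)."""
    return {(kind, day): sorted(files) for kind, day, files in sets}


def sets_needed(sets):
    """Number of backup sets a restore of this chain must read (an RTO driver)."""
    last_full = max(i for i, s in enumerate(sets) if s[0] == "full")
    later = sets[last_full + 1:]
    if any(s[0] == "differential" for s in later):
        return 2
    return 1 + len(later)


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        chain = run_schedule(strategy)
        print(strategy, files_copied(chain), "sets to restore:", sets_needed(chain))
        print("  restored:", restore(chain))
```

Incremental backups are small but the restore must replay every one of them in order; differential backups grow each day but a restore needs only the full backup plus the newest differential.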
Advantage
Very short downtime (minutes/seconds)
Easy to maintain
No need to restore
Disadvantages
Higher cost
Requires redundant hardware, networks and personnel
Limited by distance
Hot sites
Advantage
Allow testing of recovery strategies
High availability
Site can be restored within hours
Disadvantages
Internal hot sites are more expensive than external hot sites
External hot sites have software and hardware compatibility issues
Warm site
A rented facility partially equipped with some equipment but not the actual computers
Recovery within days
Cold site
A cold site is a shell or data center without any technical facilities on the floor
Advantage
low cost
for longer recoveries
Disadvantages
Unable to recover in time
No testing work done up front
Recovery within weeks
Mobile site
It is a movable trailer or standard container equipped with appropriate telecommunications equipment and IT equipment. It can be towed and placed at the required backup location to provide key application services, such as telephone switching functions.
Processing agreements
Reciprocal agreements
Used to share downtime risk between organizations
In the event of a disaster, each organization commits to taking on the other's data and processing tasks
Issues
The organization must commit to reserving spare processing capacity for the other party, or to reducing its own processing when the other organization is down
Organizations first need to be able to comply with these agreements
Difficulty finding the right partner within the industry or among competitors
Outsourcing
Meets the cost-effectiveness needs of enterprises
Takes on the risk of the provider's unknown capabilities and ability to meet requirements
An SLA can state that services will be provided for a period of time, but it does not truly guarantee coverage in the event of a disaster
Advantages
On-demand services
All requirements and execution responsibility lie with the third party
Lower cost
Disadvantages
Requires more proactive testing and assessment to confirm the provider maintains competency
Disputes over the agreement may prevent the vendor from enforcing it
If you deploy a proprietary system, you will be locked into the vendor
If outages occur frequently, capacity building may cost more
Process
DR areas
DR includes response, people, communication, assessment, recovery and training
The process must be recorded
Organizational level continuous testing strategy
The board and senior management
Test strategy and plan
Includes use of BIA and risk assessment (BCP)
Identify key roles and responsibilities and establish minimum requirements for the organization's business continuity testing, including baseline requirements for testing frequency, scope and results reporting
Testing strategies vary depending on the scope and risk scenarios of the organization
Address testing issues for the organization and its service providers
The testing strategy for internal systems should include the people involved when systems and data files are tested
Documentation of plans
Document recovery in response to various incidents
Documentation should be stored in all recovery facilities
The documentation should be detailed enough that people with the relevant skills can complete the technical recovery operation even on their first attempt
Test the recovery plan each time and update as needed
response
Notify the centralized communications team of incidents after they occur
Centralized number
Help desk
Technical Operations Center
physical security personnel
Monitoring personnel
response plan
Create an emergency contact list
Assessment Team
Notify first
Determine if the incident requires escalation
First escalation team
Incident owner
Incident responder
Establish communication channels
Conference call
Establish alternative communication channels internally and externally
Don't forget that some services may be unavailable
Courier / express delivery
Water and electricity services
Executive Emergency Management Team
Made up of senior managers in the organization
Does not perform the initial response
Takes full responsibility for the recovery of the organization and business
Located in the command center after the incident
Does not manage daily operations and maintenance
Executives need to respond and assist in resolving issues that require their guidance
Focus on strategic responses
Crisis Management vs. Crisis Leadership
Managing
Reactive
Short term
Process-driven
Narrow focus
Tactical level
Leading
Anticipatory
Long term
Principle-driven
Broad focus
Strategic level
Emergency management team
Reports directly to the command center
Responsible for monitoring the disaster recovery team and developing recovery and restoration processes
Reports incident status to senior management
Makes decisions that support recovery
Main functions
Disaster recovery team
Retrieve records and recovery information stored off-site
Report to the off-site location
Perform recovery procedures in order of priority
Communicate recovery status to command center as needed
Identify issues and report to management team for resolution
Establish a recovery team to support 24/7 shifts
Establish liaisons with key business users and personnel
Repair and replace equipment and necessary software to resume normal operations
Command center
Center for communication and decision-making during emergencies
In the event of a disaster, provide emergency response documentation and other resources needed to respond to the disaster
Also includes procedures for dealing with financial issues
Initial response plan
If your organization has multiple locations, you will need a plan for each business site
What are the key businesses or technologies in the site?
Prepare an appropriate recovery strategy for it
Who is the decision maker?
Where should people go if they can't get back into the building?
The process of declaring a disaster
Backup site location
Reaching the location of the backup site
Workstation allocation at backup site
Hotels near the backup site; transportation services and logistics
Personnel
The problem with many plans is that they neglect human resources issues
Disasters can greatly affect people
In a disaster, organizations need to pay attention to the hardships of team families in addition to responding to their own needs.
The level of support team members need will be determined by the nature of the disaster itself
Incorporate administrative support as part of the recovery team
Communication
Notify employees
In an emergency, members on the emergency contact list are contacted directly by the responsible management team
Describe how the organization will contact remaining members
Establish emergency information line
Keep employees informed about disasters that have occurred
Print it on the back of the employee badge or on a refrigerator magnet
Stakeholders
What to say
During the disaster recovery process, each employee should be consistent in what they tell the customer or vendor about the situation
Businesses should provide all stakeholders with updated information on recovery status
Honest
Accurate
Security professionals need to establish problem reporting and management processes
Conference bridges
Assessment
In an incident, the impact of the incident needs to be determined
Tiers or categories
Non-incident
Incident
Report to management
Severe incident
Requires reporting to management
Recovery
The last part of the plan is about restoring the main environment and migrating back to normal operation (reconstruction)
Part of the organization is concerned with recovery at the backup site
Part of the focus is on what needs to be done to get back to the primary facility's production environment
You will need to contact your legal department and insurance company before restoring your primary site.
Take photos before taking action
The migration plan must document the process and details of how to migrate
Asset replacement
Negotiate with vendors to provide equipment to build or restore data centers
Provide training
No matter how good a plan is, it won't work if no one knows about it
Leading the team
Understand crisis management
In disaster recovery, their job is not to perform the recovery but to lead the organization back to normal
Technical team
Know the procedures for performing recovery
and the logistics facilities they're going to.
Employees
evacuation plan
Put part of the BCP plan into new employee training
Drills, assessments and maintenance plans
Testing strategy
Expectations for business lines and supporting functions to demonstrate business continuity testing objectives, consistent with the BIA and risk assessments
A description of the depth and breadth of testing to be accomplished
The involvement of staff, technology, and facilities
Expectations for testing internal and external interdependencies
An evaluation of the reasonableness of assumptions used in developing the testing strategy
Test strategy contains test goals and scope
BCP/DRP tested at least once a year
Testing is required when major changes occur
Test objectives can start simply and gradually increase in complexity, participation level, function, and physical location
Testing should not jeopardize normal business operations
Tests demonstrate various management and response capabilities under simulated crises, gradually adding more resources and participants
Reveal inadequacies so test procedures can be corrected
Consider deviating from test scripts to insert unexpected events, such as the loss of key individuals or services
Include sufficient amounts of all types of transactions to ensure appropriate capabilities and functionality of the restoration facility
Test strategy includes test plan
Based on predetermined test scope and objectives
Contains the level of review for the test plan
Including the development of various test scenarios and methods
Test Plan
The master test plan should contain all test objectives
Detailed description of test goals and plans
All test participants including support roles
Delegation of test participants
Test decision makers and follow-up plans
Test location
Test escalation conditions and test contact information
DR test
testing strategy
Test scope and goals
Verify RTO and RPO through testing
testing strategy
Set by senior management
Role responsibilities, frequency, scope and reporting results
Business recovery and disaster recovery testing
Business recovery
Focuses on testing the operation of business lines
Disaster recovery
Focuses on testing the continuity of the technical components
Checklist Review
Distribute copies of BCP/DRP to managers of each key business unit
Ask them to review portions of the plan that are appropriate for their department
Tabletop exercise / structured walkthrough test
Used as a tool for initial plan testing
Objectives
Ensure key personnel from all areas are familiar with BCP/DRP
Ensure the planned response organization's ability to recover from disasters
Characteristics
Conference-room drill, which reduces costs
Rehearsal drill / simulation drill (a simulation test is characterized by simulating a real disaster scenario)
Contains more content than the tabletop walkthrough
Participants select a specific event scenario and apply the BCP to it
Functional testing
The main purpose is to determine whether critical systems can be restored at a backup processing station (DRP) if personnel apply the procedures specified in the BCP.
Parallel testing (DRP)
Compare the running results of the backup site with the running results of the primary site
Complete outage / full interruption testing (DRP, highest risk)
Switch to backup site
Update and maintenance schedule
Any team has an obligation to participate in the change control process
Planning documents and all related procedures are reviewed every three months
Formal audit of program at least once per year
Plans must be under version control
From project to program
Continuity planning is an ongoing process
All defined tasks must be kept current and consistent with the existing environment
There must be annual requirements
Emergency management organization (EMO)
Formal management response process
On-site coverage, support and expertise
Areas covered
Security
Systems
Human resources
Organizational communications
Compliance
Risk and Insurance Management
Organizational Contingency Plan
Team Responsibilities
Response times and emergencies
Determine the extent of an imminent or actual emergency
Establish and maintain communication with senior management
Communicate with employees and customers
Manage media communications, security, systems, facilities
Coordinate and integrate business continuity planners
Organizational emergency operations center (EOC)
Provides a location
Provides the necessary resources to manage the organization's recovery, whether or not the EMO is activated
9. Forensic investigation
Terminology
Digital forensics
Also known as computer forensics, digital forensics, network forensics, electronic data discovery, cyber forensics, and forensic computing
Based on methodological, verifiable and auditable procedures and protocols
Evidence collection guide
Identifying evidence
Collecting or acquiring evidence
Examining or analyzing the evidence
Presentation of findings
Crime scene
Formal principles
1. Identify the scene
2. Protect the environment
3. Identify evidence and potential sources of evidence
4. Collect evidence
5. Minimize the degree of contamination
Environment
Physical environment
Server, workstation, laptop, smartphone, digital music device, tablet
Relatively straightforward to deal with
Virtual environment
e.g., data on a cluster or grid, or on storage area networks (SANs)
Difficult to determine the exact location of the evidence or to acquire it
Dynamic evidence
Data exists in a dynamic operating environment
More difficult for the security professional to protect the virtual scene
Motive, Opportunity, and Means (MOM)
Motive
Who and why
Opportunity
When and where
Means
The criminal needs the ability to succeed
Computer crime
Modus operandi (MO)
Criminals use different operating techniques to commit crimes; the MO can characterize various types of crime
Locard's exchange principle
Holds that criminals leave something behind when they take something away
General guidelines (G8)
When dealing with digital evidence, all general forensic and procedural principles must be applied
The act of seizing evidence must not change the evidence
When it is necessary for a person to access original digital evidence, that person must be trained for the purpose
All activities related to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review
While digital evidence is in someone's possession, that person is responsible for all activities related to it
Any organization responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles
Evidence collection and processing
Chain of custody
Evidence media must have clear documentation and accountability from initial collection and identification, through transportation, use and intermediate custody, to final storage and archiving, so that the original evidence media has no chance of being contaminated or tampered with
Throughout the life cycle of the evidence, it records the handling of the evidence: who, what, when, where, and how
Ensure the authenticity and integrity of evidence with hashes (SHA-256) and digital signatures
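Added example, not from the AIO notes: a Python chain-of-custody record that uses SHA-256 to show the evidence image is unchanged at each handoff and to detect edits to the log itself. Evidence bytes, names, places and the evidence id are constructed; the digital-signature step the notes mention is not included.

```python
"""Chain of custody for one item of digital evidence, anchored on SHA-256.
Constructed data, not the notes' own material."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ChainOfCustody:
    """Append-only custody log. Each entry records who, what, when, where and
    how, plus the hash of the evidence as observed at that step, and links to
    the previous entry by hash so that an edited or deleted entry is detectable."""

    def __init__(self, evidence_id: str, original: bytes, who: str, where: str, how: str):
        self.evidence_id = evidence_id
        self.baseline = sha256_hex(original)  # hash taken at acquisition
        self.entries = []
        self.record("collected", who, where, how, original)

    @staticmethod
    def _entry_hash(body: dict) -> str:
        # Canonical JSON so the same fields always hash the same way.
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def record(self, action: str, who: str, where: str, how: str,
               observed: bytes, when: Optional[datetime] = None) -> bool:
        """Append a custody event. `observed` is the evidence as the handler
        received it. Returns True when its hash still matches the baseline;
        a False is still logged, because the discrepancy is itself evidence."""
        body = {
            "evidence_id": self.evidence_id,
            "action": action, "who": who, "where": where, "how": how,
            "when": (when or datetime.now(timezone.utc)).isoformat(),
            "evidence_hash": sha256_hex(observed),
            "prev": self.entries[-1]["entry_hash"] if self.entries else self.baseline,
        }
        entry_hash = self._entry_hash(body)
        body["entry_hash"] = entry_hash
        self.entries.append(body)
        return body["evidence_hash"] == self.baseline

    def verify(self, current: bytes) -> Tuple[bool, bool]:
        """Return (log_intact, evidence_intact). The log is intact when every
        entry links to its predecessor and re-hashes to its recorded entry_hash;
        the evidence is intact when `current` still hashes to the baseline."""
        evidence_ok = sha256_hex(current) == self.baseline
        prev = self.baseline
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev"] != prev or self._entry_hash(body) != e["entry_hash"]:
                return False, evidence_ok
            prev = e["entry_hash"]
        return True, evidence_ok


if __name__ == "__main__":
    image = b"constructed disk image bytes"  # stand-in for an acquired image
    chain = ChainOfCustody("EV-CONSTRUCTED-001", image,
                           "examiner A", "server room", "write-blocked imaging")
    chain.record("transported", "courier B", "vehicle", "sealed evidence bag", image)
    chain.record("examined", "examiner C", "forensic lab", "working copy only", image)
    print(chain.verify(image))            # (True, True)
    print(chain.verify(image + b"\x00"))  # (True, False): evidence altered
```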
Interview
The most delicate part of the investigation is the interviewing of witnesses and suspects;
Interviews must be preceded by reviewing strategy, notifying management, and contacting company legal counsel;
Do not conduct the interview alone. If possible, record the entire interview process as evidence;
Understand the forensic process
Evidence admissible in court
Evidence classification
Classification by presentation method
Written
Oral
Testimony given by witnesses
Computer-generated
Visual or auditory
Events captured during or immediately after a crime
Classification by weight
Best evidence
e.g. the original contract
Secondary evidence
Oral evidence, copies of original documents
Direct evidence
Witness testimony
Evidence based on the witness's five senses
Conclusive evidence
Circumstantial evidence
Establishes intermediate facts that can be used to infer or determine the existence of another fact
Corroborative evidence
Supporting evidence used to help substantiate an idea or point of view
Opinion evidence
Educated opinions presented by expert witnesses
Ordinary witnesses can only testify to facts
Hearsay evidence
Second-hand oral or written evidence presented in court
Evidence characteristics
Authenticity or relevance
Must have a reasonable and realistic relationship to the findings
Completeness (integrity)
Evidence must present the whole truth
Sufficiency or credibility
Must be persuasive enough to convince a reasonable person of the validity of the findings; the evidence must be strong and not easily doubted
Reliability or accuracy
Must be consistent with the facts; evidence is not reliable if it is based on one person's opinion or on a copy of an original document
Computer logs
The premise is that they must be collected in the normal course of business, and business records are specially
Most computer-related documents are considered hearsay, i.e. secondary evidence
Evidence collection principles
No action taken as a result of the investigation shall alter data on the storage medium or digital device
People accessing data must be qualified to do so and able to explain their actions
Audit trails or other records suitable for third-party audit should be generated and protected for the process, and each step of the investigation should be accurately documented
Those responsible for the investigation must be fully accountable for ensuring the procedures above are followed and for complying with applicable laws
Those seizing the data must not change the evidence
When personnel need access to original evidence, they must be legally qualified to do so
Actions related to the seizure, access, storage or transfer of digital evidence must be carefully recorded, preserved and made available for audit
While digital evidence is held by someone, that person must carefully record and preserve it and make the records available for audit
While digital evidence is held by someone, that person is fully responsible for all actions taken with respect to the evidence
Evidence analysis methods
Media analysis: recovering information or evidence from storage media
Network analysis: analysis and examination of network logs and network activity used as potential evidence
Software analysis: analysis and examination of program code (including source code, compiled code and machine code) using decoding and reverse engineering techniques, including author identification and content analysis
Hardware/embedded device analysis: should include analysis of mobile devices
Types of computer crime
Salami attack
The perpetrator commits several small crimes in the hope that, combined into a larger crime, they will not attract attention
Data diddling
Data is manipulated as it is entered
Password sniffing
Capturing passwords sent between computers
IP spoofing
The attacker does not want others to know his real address, so he changes the source IP address of the packet so that it points to another address
Dumpster diving
Looking through other people's trash to find discarded documents, information, and other valuable items that could be used against that person or company
Eavesdropping
A passive attack; the tools used to eavesdrop on communications can be wireless phone scanners, radio receivers, microphone receivers, voice recorders, network sniffers, etc.
Domain name squatting (cybersquatting)
Someone purchases a domain name with the goal of using a similar domain name to damage a company or to extort money
6. Security assessment and testing
Basic concepts
Security assessment and testing
"Security Assessment and Testing" covers a broad range of ongoing and point-in-time testing methods used to determine vulnerabilities and the associated risks
Basic objectives of T&E
T&E can measure system and capability development progress
T&E's expertise provides early understanding of system strengths and weaknesses during development, across the system life cycle
Provide knowledge to assist with risk management in developing, producing, operating and maintaining system capabilities
Ability to identify technical, operational and system deficiencies prior to system deployment in order to develop appropriate and timely corrective actions
T&E strategy
The test and evaluation strategy covers the functionality applicable to the acquisition/development process, the capability requirements provided, and the capabilities required to drive the technology
Tends toward
Awareness required to manage risk
Empirical data for validating models and simulations
Testing of technical performance and system maturity
Determination of operation and maintenance efficiency, adaptability and production capacity
Objective
Identify, manage and reduce risks
Assessment and test strategies
T&E strategy
Role of the strategy
What you need to know to manage risk
Empirical data for validating models and simulations
Testing of technical performance and system maturity
Determination of operation and maintenance efficiency, adaptability and survivability
Systems engineers and security experts
Work with the sponsoring organization to establish or evaluate T&E strategies that support program acquisition/development
Provide T&E methods that manage risk in depth
Monitor T&E processes and changes that may be required
Evaluate and provide recommendations for suitability of test plans and procedures for development testing or operational testing;
It is further expected to understand the rationale behind acquisition/development procedures for establishing and executing T&E strategies;
Expect to understand the specific activities of T&E testing, such as interoperability testing;
Enterprises need to establish a working group
This group is often called the T&E integrated product team and is composed of T&E experts, customer user representatives and other stakeholders;
The T&E strategy is a living document and the group is responsible for updating it as needed
The group needs to ensure that the T&E process includes acquisition strategies and that the system meets operational requirements based on the capabilities used
Perform audits and forensic investigations
Log review
Logs related to computer security
For example, routine log analysis helps identify security incidents, policy violations, fraudulent activity, and operational problems
Log functions
Support internal investigations
Establish a baseline
Identify operational trends and identify long-term issues
Challenges
Need to balance limited log management resources with continuously generated log data
Log generation and storage
Different log sources
Inconsistent log content, format, timestamp, etc.
Mass generation of log data
Need to protect the integrity, confidentiality and availability of logs
Ensure security, system and network administrators regularly and effectively analyze log data
Log management policies and procedures
Define logging requirements and goals
Develop clearly defined mandatory and recommended requirements for log management activities
Including log production, delivery, storage, analysis and disposal
Integrate and support log management requirements and recommendations
Management should provide necessary support
Logging requirements and recommendations should be generated along with the resources and detailed analysis techniques required to implement and maintain logging
Raw log protection
Send a copy of network traffic logs to a central device
Prioritize log management
Optimize log requirements based on perceived organizational risk reduction and the resources and expected time required to perform log management.
Establish log management responsibilities and roles
Establish and maintain a log management infrastructure
The log management infrastructure includes the hardware, software, networks and media used to generate, transmit, store, analyze and process logs
Designing the log management infrastructure should consider its current and future needs as well as the independent log sources across the organization
Centralized log server and log data storage
The amount of log data that needs to be processed
network bandwidth
Online and offline data storage
Data security requirements
Time and resources required by staff to analyze logs
Provide appropriate support to all employees with their log management responsibilities
System administrators should receive adequate support
Including information dissemination, providing training, providing contact points for answering questions, providing specific technical guidance, providing corresponding tools and documents, etc.
Standard log management process
Log administrator responsibilities
Monitor log status
Monitor log rotation and archiving processes
Check for log system patches; obtain, test and deploy patches
Make sure log source systems keep their clocks synchronized
When policy or technology changes, reconfigure logging if necessary
Log and report logging exceptions
Ensure integrated log storage, such as a security information and event management (SIEM) system
Log management process
Configure log sources, perform log analysis, initiate responses to identified events, and manage long-term storage of logs
Log sources
Network-based and host-based security software
anti-virus software
IPS and IDS
Remote access software
Web proxy
Vulnerability management software
Authentication server
Routers
Firewalls
Network Access Control (NAC) / Network Access Protection (NAP) servers
Operating system event and audit records
Application-based
Client request and server response
account information
Usage information
Significant operational activities
Challenges
Log distribution, log format inconsistencies, and log volume all pose log management challenges
The integrity, confidentiality and availability of logs must be protected
Organizations also need to protect the availability of their logs
The confidentiality and integrity of archived logs also need to be protected.
System and network administrators
Need to analyze logs
Are often unable to perform log analysis effectively
Have not received good training
Lack tool support
Log analysis is often reactive
Many log analyses require real-time or near-real-time processing
Key practices
Optimize log management appropriately across the organization
Establish log management policies and procedures
Establish and maintain security log management infrastructure
Provide appropriate support for log management for all employees
Synthetic transactions vs. real transactions
Real user monitoring (RUM)
A web monitoring method designed to capture or analyze every transaction of every user on the web site or app
Also known as real-user measurement, real-user metrics, or end-user experience monitoring (EUM)
Passive monitoring method
Relies on web monitoring services to continuously capture system activity and track its availability, functionality and responsiveness
Monitoring modes
Bottom-up form
Captures server-side information to reconstruct the user experience
Top-down client-side RUM
Client-side RUM can directly see how users interact with the application and what they experience
Focuses on site speed and user satisfaction, providing in-depth insight for optimizing application components and improving overall performance
Synthetic transactions
Proactive monitoring approach
Runs scripted transactions against a web application using an external agent
These scripts measure the user experience of typical user actions such as searching, viewing products, logging in, and support
Synthetic monitoring is a lightweight, low-level agent approach, but a web browser is still needed to process the JavaScript, CSS and AJAX calls that occur on the page
Does not track actual user sessions
A known set of steps is performed from a known location at regular intervals, with predictable performance; better than RUM for assessing site availability and network issues
Selenium
http://docs.seleniumhq.org
Full control over the client
Unlike RUM, which is driven by sandboxed JavaScript, details can be obtained more objectively
Microsoft System Center Operations Manager
web site monitoring
Database monitoring
TCP port monitoring
Added value
Monitors application availability 24x7
Find out if the remote site is reachable
Understand the performance impact of third-party services on business application systems
Monitor SaaS application performance and availability
Test B2B web sites using SOAP, REST or other web services
Monitor the availability of critical databases
Measuring Service Level Agreements SLAs
Complements real user monitoring during periods of low business traffic
Establish performance limits and perform performance trend analysis
Code review and testing
Common causes of vulnerabilities
Insecure programming patterns, such as missing checks on user-supplied data (input validation), e.g. SQL injection
Misconfiguration of the security infrastructure: e.g. overly permissive access control or weak encryption settings
Functional errors in the security infrastructure: the access control enforcement mechanism itself fails to restrict access to the system
Logic errors in the implemented process: e.g. a user completes an order without paying
Common software vulnerabilities
Insecure interaction between components
Risky resource management
Porous defenses
Testing techniques
White box testing (structural testing / open box testing) vs. black box testing (functional testing / closed box testing)
Dynamic testing vs. static testing
Manual testing vs. automated testing
During planning and design
Architecture security review
Prerequisite: Architectural Model
Benefit: verifies whether the architecture deviates from security standards
Threat modeling
Prerequisite: Business use case or usage scenario
Identify threats, their impacts and potential controls specific to the software product development process.
STRIDE model
During application development
Static source code analysis (SAST) and manual code review
Analyzes the application code without executing the application, to find weaknesses
Prerequisite: application source code
Benefits: detects insecure programming, outdated code bases and misconfigurations
Static binary code analysis and manual binary review
The compiled application is analyzed to find weaknesses, but it is not executed
Drawback: less accurate, and provides no fix suggestions
Executable in a test environment
Manual or automated penetration testing
Sends data the way an attacker would and observes how the application behaves
Advantage: identifies a large number of vulnerabilities in deployed applications
Automated vulnerability scanning
Tests the application for known insecure system components or configurations
Uses predefined attack patterns and analyzes the system fingerprint
Advantage: detects known vulnerabilities
Fuzz testing tools
Advantage: detects crashes of critical applications (e.g. caused by buffer overflows)
Sends random data (often much larger and faster than the application expects) to the application's input channels to make the application crash
During system operation and maintenance
Software testing characteristics
It is recommended to use passive security testing technology to monitor system behavior and analyze system logs
During software maintenance, patch testing is very important
Patches require thorough security testing
Software testing has its limitations and it is impossible to complete 100% testing
Testing all program functions and all program code does not mean that the program is 100% correct!
Test plans and test cases should be developed as early as possible in the software development phase
Code-based testing
Software security testing generally starts with unit-level testing and ends with system-level testing
Structural testing ("white box" / crystal box / open box testing)
Structural testing is mainly performed at the module level
The completeness of structural testing can be measured by the percentage of software structures that have been exercised
Test cases are based on knowledge gained from the source code, detailed design specifications and other development documents
Common structural coverage metrics (white box)
Statement coverage
Condition coverage
Multi-condition coverage
Loop coverage
Path coverage
Data flow coverage
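As an added illustration of these coverage metrics (example code written for this page, not from the AIO book): a small discount function, constructed here, is measured with a settrace-based line tracer. Two tests reach 100% statement coverage and exercise two of the four paths, yet only multi-condition coverage (every combination of the two `if` conditions) reveals the input pair that produces a negative price.

```python
import dis
import sys
from itertools import product
from typing import Any, Callable, List, Optional, Set, Tuple

# Constructed function under test (not from the original page). The member
# discount (40%) and the coupon (70%) are each correct on their own, but
# together they exceed 100% and yield a negative price.
def apply_discount(price: float, is_member: bool, coupon: Optional[str]) -> float:
    discount = 0
    if is_member:
        discount += 40
    if coupon == "SAVE70":
        discount += 70
    return price * (100 - discount) / 100


def executable_lines(func: Callable) -> Set[int]:
    """Line numbers that carry bytecode: the statements a white-box tester
    must exercise. The def line itself (co_firstlineno) is excluded."""
    code = func.__code__
    return {line for _, line in dis.findlinestarts(code)
            if line is not None and line > code.co_firstlineno}


def trace_path(func: Callable, *args: Any) -> Tuple[int, ...]:
    """Run func once and return the sequence of executed line numbers,
    using sys.settrace as a minimal line-coverage tool."""
    code = func.__code__
    path: List[int] = []

    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None                      # do not trace other frames
        if event == "line" and frame.f_lineno > code.co_firstlineno:
            if not path or path[-1] != frame.f_lineno:
                path.append(frame.f_lineno)
        return tracer

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        func(*args)
    finally:
        sys.settrace(previous)
    return tuple(path)


def statement_coverage(func: Callable, test_inputs) -> float:
    """Fraction of executable statements hit by the whole test set."""
    covered: Set[int] = set()
    for args in test_inputs:
        covered.update(trace_path(func, *args))
    statements = executable_lines(func)
    return len(covered & statements) / len(statements)


def distinct_paths(func: Callable, test_inputs) -> int:
    """Number of distinct control-flow paths the test set exercises."""
    return len({trace_path(func, *args) for args in test_inputs})


def multi_condition_failures(func: Callable, price: float,
                             member_values, coupon_values):
    """Multi-condition coverage: try every combination of the two conditions
    and report the inputs that break the invariant 0 <= result <= price."""
    failures = []
    for is_member, coupon in product(member_values, coupon_values):
        result = func(price, is_member, coupon)
        if not 0 <= result <= price:
            failures.append(((is_member, coupon), result))
    return failures


# Two test cases are enough for 100% statement coverage of apply_discount.
STATEMENT_TESTS = [(100.0, True, None), (100.0, False, "SAVE70")]

if __name__ == "__main__":
    print("statement coverage:", statement_coverage(apply_discount, STATEMENT_TESTS))
    print("paths exercised:", distinct_paths(apply_discount, STATEMENT_TESTS), "of 4")
    print("multi-condition failures:",
          multi_condition_failures(apply_discount, 100.0, [False, True], [None, "SAVE70"]))
```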
Functional testing ("black box" / closed box testing)
Test cases are defined by what the software product is specified to do
Test cases challenge the intended use and functionality of the program as well as its internal interfaces
Functional testing applies at every level of software testing, from unit testing to system-level testing
Functional software testing
Normal case
Output forcing
Robustness
Combinations of inputs
Weakness
It is difficult to link the completion criteria of structural and functional testing to the reliability of the software product
Statistical testing
Provides high structural coverage
Generates random data from a distribution defined by the operating environment (intended use, hazardous use or malicious use of the software product)
Generating large amounts of test data and using it to cover specific areas or areas of concern provides increased likelihood of identifying individual and rare operating conditions that were not anticipated by designers and testers.
Software change testing
Reasons
Debugging and correcting discovered problems
New or changed requirements
Design modifications discovered that can be implemented more efficiently or effectively
Purpose
Verify that the changes have been implemented correctly
Verify that there is no adverse effect on other parts of the software
Regression analysis and testing
Regression analysis: determines the impact of a change based on a review of the relevant documents (software specification, design specification, source code, etc.) and identifies the regression tests that need to be applied
Regression testing: re-runs previously passed test cases on the changed program and compares the new results with the previous results to detect unexpected effects of the change
Rigorous and complete testing (V-shaped model)
Unit (module or component) level testing
Integration level testing (tests the interfaces between modules)
Top-down
Bottom-up
Sandwich method
System level testing
Security and privacy (e.g., encryption capabilities, security log reporting)
Performance issues (e.g., response time, reliability measurements)
Response under stress conditions (e.g., behavior under maximum load)
Operation of internal and external security features
Effectiveness of complex steps
Usability;
Performance under different configurations
Documentation accuracy
Compatibility with other software
Acceptance Test
UAT (User Acceptance Testing)
QAT (Quality Assurance Testing)
Testing considerations
System testing shows the behavior of the product in a specific environment
Test procedures, test data and test results should be documented in a way that supports pass/fail decisions
Enterprise software products are complex, and their testing needs to maintain consistency, completeness and effectiveness
Software maintenance differs from hardware maintenance: hardware maintenance includes preventive maintenance, software maintenance does not
Requires effective verification of changes;
Other maintenance tasks
Software validation plan revision
Anomaly evaluation
Problem identification and resolution tracking
Proposed change assessment
Task iteration
Documentation updating
Use cases and misuse cases
Use case
Test cases from the perspective of a normal user of the system
Misuse case
Use cases from the perspective of someone with malicious intent toward the system
Positive testing
Verifies that the application works as expected; the test fails if errors are found
Negative testing
Make sure your app handles invalid input or unexpected user behavior appropriately.
Interface testing
Purpose
Checks whether the different components of the application or system are in step with each other
At the technical level, interface testing is mainly used to determine whether data and functions are passed between the different elements of the system as designed
Used to ensure software quality
Penetration testing
At the request of the system owner, simulates the process of attacking a network and its systems
The type of penetration test depends on the organization, its security goals and management's goals
Penetration testing reports should be submitted to management
A letter of authorization authorizing the scope of testing should be signed (written authorization from management is required)
Steps
1. Discovery: collect relevant information about the target
e.g. finding the operating system version (CentOS 5.1)
dig
DNS footprinting tool used to collect information during the discovery phase
2. Enumeration: port scanning and resource identification
nbtstat belongs to the enumeration stage, not the discovery stage
3. Vulnerability mapping: identify vulnerabilities in the identified systems and resources
Vulnerability classification
Human vulnerabilities
Physical vulnerabilities
System and network vulnerabilities
4. Exploitation: attempt to exploit a vulnerability to gain unauthorized access
5. Reporting: submit the report and security recommendations to management
Classification
Black box testing: zero knowledge; the penetration team tests without knowing anything about the target
Gray box testing: testing with some knowledge of the target
White box testing: testing with full knowledge of the target
Penetration testing team classification
Zero knowledge
Knows nothing about the target
Partial knowledge
Knows some information about the target
Full knowledge
Fully understands the target's situation
Example: war dialing
Dialing a range of phone numbers to find available modems
Some organizations still use modems as communications equipment
War dialing is a form of intrusion into an organization's network designed to circumvent firewalls and intrusion detection systems (IDS)
A war dialing attack attempts to gain access to an organization's internal computer and network resources through dial-up modem access, which facilitates further intrusion
Self-testing
Administrators use war dialing to detect unauthorized modem installations within the organization and educate the employees who installed them
Other vulnerability types
Kernel flaws
Vulnerabilities in the operating system kernel
Countermeasure: apply operating system security patches promptly after adequate testing, keeping the vulnerability window as short as possible even for systems already deployed in the environment
Buffer overflows
Countermeasures: good programming practices and developer education, automated source code scanners, enhanced programming libraries, and strongly typed languages that do not allow buffer overflows
Symbolic links
Attackers redirect symbolic links to gain unauthorized access to files
Countermeasure: when writing programs (especially scripts), always use the full path of the file
File descriptor attacks
File descriptors are numbers used by many operating systems to represent open files in a process. Certain file descriptor numbers are universal and have the same meaning for all programs
If a program uses file descriptors unsafely, an attacker may be able to exploit the program's privileges to feed it unexpected input or cause its output to go to an unexpected place
Countermeasures: good programming practices and developer education, automated source code scanners and application security testing
Race conditions (in multi-process and multi-threaded environments)
The program does not eliminate vulnerable environmental conditions before executing a procedure
Can allow an attacker to read or write unexpected data or execute unauthorized commands
Countermeasures: good programming practices and developer education, automated source code scanners and application security testing
File and directory permissions
Improper file or directory permissions
Countermeasure: file integrity checkers, which should also verify the expected permissions of files and directories
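The symbolic link and race condition items above share one root cause: a program checks a path name and then uses it, leaving a window in between. Added example (not from the original page; assumes a POSIX system where os.O_NOFOLLOW is available): the vulnerable check-then-open pattern beside a hardened version that opens without following links and inspects the opened descriptor itself; the `race` hook and the temp-directory scenario are constructed stand-ins for the window.

```python
import errno
import os
import shutil
import stat
import tempfile
from typing import Callable, Dict


def _read_and_close(fd: int) -> bytes:
    """Read everything from an open descriptor and close it."""
    try:
        chunks = []
        while True:
            chunk = os.read(fd, 4096)
            if not chunk:
                return b"".join(chunks)
            chunks.append(chunk)
    finally:
        os.close(fd)


def read_check_then_open(path: str, race: Callable[[], None] = lambda: None) -> bytes:
    """Vulnerable pattern (TOCTOU): the symlink / regular-file check is made
    on the path name, then the same path is opened again. `race` is a
    constructed hook standing in for whatever happens in the gap."""
    if os.path.islink(path) or not os.path.isfile(path):
        raise PermissionError(f"refusing {path}")
    race()
    # os.open follows symlinks, so a link planted in the gap is followed.
    return _read_and_close(os.open(path, os.O_RDONLY))


def read_regular_nofollow(path: str) -> bytes:
    """Hardened form: refuse to follow links at open time, then validate the
    object actually opened through its descriptor, so there is no gap
    between the check and the use."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)                 # properties of the opened object, not the name
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        if st.st_uid != os.geteuid():
            raise PermissionError("unexpected owner")
    except Exception:
        os.close(fd)
        raise
    return _read_and_close(fd)


def run_demo() -> Dict[str, object]:
    """Constructed scenario: a report the program may read, a secret it may
    not, and a 'race' that swaps the report for a symlink to the secret."""
    workdir = tempfile.mkdtemp()
    report = os.path.join(workdir, "report.txt")
    secret = os.path.join(workdir, "secret.txt")
    with open(report, "wb") as f:
        f.write(b"REPORT")
    with open(secret, "wb") as f:
        f.write(b"SECRET")

    def swap_for_symlink() -> None:
        os.remove(report)
        os.symlink(secret, report)

    results: Dict[str, object] = {}
    # The check passes on the real file, then the swap happens, then the open
    # follows the new link: the program leaks the secret.
    results["insecure_read"] = read_check_then_open(report, race=swap_for_symlink)
    try:
        read_regular_nofollow(report)     # report is now a symlink
        results["hardened_rejected"] = False
    except OSError as exc:                # O_NOFOLLOW on a symlink: ELOOP
        results["hardened_rejected"] = exc.errno == errno.ELOOP
    os.remove(report)
    with open(report, "wb") as f:
        f.write(b"REPORT")
    results["hardened_regular_read"] = read_regular_nofollow(report)
    shutil.rmtree(workdir)
    return results


if __name__ == "__main__":
    print(run_demo())
```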
Collect security process data
Information security continuous monitoring (ISCM)
ISCM
Maintaining ongoing awareness of information security, vulnerabilities and threats to support organizational risk management decisions
Any effort or process to support information security monitoring across the organization must begin with a carefully defined ISCM strategy set by senior leadership
ISCM strategy
Built on a clear understanding of organizational risk tolerance, it helps officials set priorities and manage risk consistently across the entire organization
Includes metrics that provide meaningful indications of security status at all organizational tiers
Ensures the continued effectiveness of all security controls
Verifies compliance with information security requirements derived from organizational missions/business functions, laws, regulations, directives, policies, standards and guidelines
Is informed by all organizational IT assets and helps maintain visibility into the security of those assets
Ensures knowledge and control of changes to organizational systems and environments
Maintains awareness of threats and vulnerabilities
NIST SP 800-137
Information Security Continuous Monitoring (ISCM) of Federal Information Systems and Organizations
Characteristics
An ISCM program is established to collect information according to pre-established metrics, using in part information readily available from implemented security controls
Organization-wide, disciplined risk monitoring cannot be achieved effectively by manual processes alone or by automated processes alone
Process for developing an ISCM strategy
Define an ISCM strategy based on risk tolerance that maintains clear visibility into assets, awareness of vulnerabilities, up-to-date threat information, and mission/business impacts
Establish an ISCM program that determines metrics, status monitoring frequencies, control assessment frequencies, and an ISCM technical architecture
Implement the ISCM program and collect the security-related information required for metrics, assessments and reporting; automate collection, analysis and reporting wherever possible
Analyze the data collected and report findings, determining the appropriate response; it may be necessary to collect additional information to clarify or supplement existing monitoring data
Respond to findings with technical, management and operational mitigating activities, or with acceptance, transference/sharing, or avoidance/rejection of the risk
Review and update the ISCM program, adjusting the ISCM strategy and maturing measurement capabilities to increase visibility into assets and awareness of vulnerabilities, further enable data-driven control of the organization's information security infrastructure, and increase organizational resilience
Metrics
Definition and content of metrics
Metrics are all the security-related information from assessments and monitoring, produced by automated tools as well as manual procedures, organized into meaningful information to support decision making and reporting requirements
Metrics should be driven by specific objectives to maintain or improve the security posture
Metrics aggregate system-level data so that it makes sense in the mission/business or organizational risk management context
Metrics are built from security-related information obtained at different times and with varying levels of latency
Examples
Considerations for establishing metrics (NIST SP 800-137)
Security control volatility
System categories/impact levels
Security controls or specific assessment objects providing critical functions
Security controls with identified weaknesses
Organizational risk tolerance
Threat information
Vulnerability information
Risk assessment results
Reporting requirements
Change factors
Internal and third-party audits
Audit process
1. Determine the goals; everything else depends on them
2. Involve the right business unit leaders to ensure business needs are identified and addressed
3. Determine the scope, because it is impossible to test everything
4. Select the audit team, which may include internal or external personnel depending on objectives, scope, budget and available expertise
5. Plan the audit to ensure the goals are achieved on time and within budget
6. Perform the audit, sticking to the plan and recording any deviations
7. Document the results; the information generated is both valuable and volatile
8. Communicate the results to the appropriate leadership to achieve and maintain a strong security posture
Audit requirements
Legal and regulatory requirements
e.g. the US Federal Information Security Management Act (FISMA) requires federal agencies to assess the security of their information systems at least annually
Information security professionals need to understand the requirements set out in legal standards; these provide a baseline of protection but rarely amount to complete protection or risk management of information systems
Information security professionals must ensure appropriate scoping and tailoring for the target systems to arrive at the right set of controls for the assurance level being sought
Business drivers
To focus on core competencies, reduce expenses and deploy new application functionality faster, organizations continue to outsource business processes and data processing to service providers
Organizations must keep their processes for monitoring outsourced service providers and managing outsourcing risk up to date
Internal audit (first-party audit)
The organization's own audit team, giving an ongoing view of the security posture from close to the organization
Advantages
They are familiar with the work processes within the organization
Work efficiently
Able to identify the most problematic points accurately
Makes the audit work more flexible: management can change audit needs at any time, and the audit team can adjust the audit plan accordingly
Disadvantages
Their access to information systems may be relatively limited
Potential for conflict of interest, impeding objectivity
External audit (second-party audit)
Audits conducted by business partners or their representatives
Contract fulfillment
Once the contract is in force, the client organization can request access to people, locations and information to verify that the service provider meets the security provisions
Key points:
Understand the contract: The audit scope is based on the contract.
Arrange internal and external briefings
Internal briefings scheduled before audits
External briefing scheduled at the end of the audit
Travel in pairs
Ensure that someone from the audit organization is present to avoid misunderstandings.
Be friendly
The goal of the entire process is to build trust.
Third-party audit
Advantages
Have audited many different information systems and have rich experience
Unaware of the dynamics and politics within the target organization, so they remain objective and neutral
Disadvantages
High cost
Still requires internal resources to organize them, oversee their work in a timely manner, and sign NDAs
Lack of understanding of the inner workings of the organization
Compliance
Historically, many organizations relied on Statement on Auditing Standards (SAS) 70 reports to gain comfort about outsourced activities; however, SAS 70 focuses on internal control over financial reporting (ICOFR), not on system availability and security
The SAS 70 report was retired in 2011 and replaced by the SOC (Service Organization Control) report
Statement on Auditing Standards (SAS) 70
Focuses specifically on risk related to internal control over financial reporting (ICOFR)
In the past, most organizations using outsourced services required SAS 70 reports, but beyond the purely financial perspective many users began to focus on security, availability and privacy as well
SOC reports
SOC 1 report
SOC 1: the report requires the service provider to describe its systems and define the control objectives and controls that relate to internal control over financial reporting
SOC 1 reports generally do not cover services and controls that are not relevant to the user's ICOFR
SOC 1 reports began to be used by many service providers for core financial processing services in 2011
SOC 2 / SOC 3 reports
Reports covering design and operating effectiveness over a period of time
Principles and criteria specifically defined for security, availability, confidentiality, processing integrity and privacy
Provide assurance beyond internal control over financial reporting (ICOFR)
Depending on the needs of service providers and their users, a modular approach lets a SOC 2 / SOC 3 report cover one or more of the principles
If the IT service provider has no impact, or only a limited impact, on the user's financial systems, SOC 2 reporting is used
SOC3 reports are generally used to inform a wide range of users of their assurance levels without disclosing detailed control test results.
Auditing management controls
Account management
Adding accounts
1. New employees should read and sign the acceptable use policy (AUP)
2. Auditors verify, through the accounts, that employees have complied with the AUP
3. Obtain the list of new employees from the human resources department and compare it with the accounts opened by the IT department, to confirm that communication between the two departments is effective
4. The policy should also specify account expiration, the password policy, and the scope of information users may access
Modifying accounts
Problems with privileged accounts:
1. Commonly, every workstation user account has local administrator rights and server administration and maintenance staff hold administrative rights; both are risky
2. Adding, deleting and modifying accounts should be strictly controlled and documented
3. Implement tiered management of administrator rights
4. Use privileged accounts only when necessary; separate accounts are used for daily maintenance work
Suspending accounts
1. Suspend the account
2. Obtain the list of short-term and long-term leavers from the human resources department, compare it with the IT system accounts, delete the accounts of long-term leavers, and suspend the accounts of short-term leavers
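As an added example of the HR-versus-IT comparison described under adding and suspending accounts (constructed sample data, not from the original map): the roster exported from HR is reconciled with the account export from IT to find new hires without accounts, accounts with no HR record, leavers whose accounts are still enabled, missing AUP acknowledgements, and privileged accounts that need review.

```python
import csv
from io import StringIO
from typing import Dict, List

# Constructed sample data (not from the original page): the roster exported
# from HR and the account list exported from the directory / IT system.
HR_ROSTER = """emp_id,name,status
E001,alice,active
E002,bob,on_leave
E003,carol,terminated
E004,dave,active
"""

IT_ACCOUNTS = """username,emp_id,enabled,admin,aup_signed
alice,E001,yes,no,yes
bob,E002,yes,no,yes
carol,E003,yes,yes,yes
erin,E005,yes,no,no
svc-backup,,yes,yes,no
"""


def _rows(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(StringIO(text)))


def reconcile(hr_csv: str, accounts_csv: str) -> Dict[str, List[str]]:
    """Compare the HR roster with the IT account list and return the audit
    findings, grouped by the action the auditor should raise."""
    hr = {row["emp_id"]: row for row in _rows(hr_csv)}
    findings: Dict[str, List[str]] = {
        "missing_account": [],   # active employee, no account (HR/IT communication gap)
        "orphan_account": [],    # account with no matching HR record
        "delete": [],            # long-term leaver still enabled
        "suspend": [],           # short-term leaver still enabled
        "aup_missing": [],       # no signed acceptable use policy on record
        "privileged": [],        # administrative rights: review necessity
    }
    seen_emp_ids = set()
    for acct in _rows(accounts_csv):
        user, emp_id = acct["username"], acct["emp_id"]
        if acct["aup_signed"] != "yes":
            findings["aup_missing"].append(user)
        if acct["admin"] == "yes":
            findings["privileged"].append(user)
        if emp_id not in hr:                 # includes unowned accounts with blank emp_id
            findings["orphan_account"].append(user)
            continue
        seen_emp_ids.add(emp_id)
        enabled = acct["enabled"] == "yes"
        status = hr[emp_id]["status"]
        if enabled and status == "terminated":
            findings["delete"].append(user)
        elif enabled and status == "on_leave":
            findings["suspend"].append(user)
    for emp_id, row in hr.items():
        if row["status"] == "active" and emp_id not in seen_emp_ids:
            findings["missing_account"].append(row["name"])
    return findings


def format_report(findings: Dict[str, List[str]]) -> str:
    """One line per finding category, empty categories included for completeness."""
    return "\n".join(f"{key}: {', '.join(names) or '-'}" for key, names in findings.items())


if __name__ == "__main__":
    print(format_report(reconcile(HR_ROSTER, IT_ACCOUNTS)))
```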
Backup verification
Types of data
User files
Watch for multiple versions and inconsistencies between backup locations, and for the data retention rules that apply
Databases
Ensure database backups can be restored to production when needed
Mail data
Given the limited storage space on the server and the size of mail backups, mail server backups should be combined with electronic discovery (evidence collection) methods
Verification method
Test the data backups
Analyze the various threat scenarios the organization may face
Develop a plan to test all mission-critical data backups under each scenario
Leverage automation to minimize auditor workload and ensure testing takes place regularly
Minimize the impact of backup testing on business processes, which may mean not running all tests at the same time
Document the results so you know what worked and what needs work
Correct or improve any issues you documented
Disaster recovery and business continuity
Test and revise business continuity plans
Test type
Checklist test
Distribute copies of the BCP to each key business unit manager
Ask them to review the portion of the plan that applies to their department
Structured walk-through test
A tool for initial familiarization with the plan, but not the best way to test it
Goals
Ensure key personnel from all areas are familiar with the BCP
Ensure the planned response organization has the ability to recover from a disaster
Characteristics
Conducted in a meeting room; low cost
Simulation test
Goes further than the tabletop walk-through
Participants apply the BCP to a specific chosen scenario
Parallel test
Involves actually moving personnel to the alternate site in an attempt to establish communications and carry out real recovery procedures as specified in the DRP
The primary purpose is to determine whether critical systems can be restored at the alternate processing site when personnel follow the procedures specified in the DRP
Full-interruption test
The riskiest type of test
Simulates the real situation as closely as possible
Must be planned so that it does not disrupt the business
Security training and security awareness training
The difference between security training and security awareness training
Security training is the process of teaching a skill or set of skills so that people can perform specific functions better
Security awareness training is the process of exposing people to security issues so that they can recognize them and respond better
Social engineering
In the context of information security, the process of manipulating individuals into performing actions that violate security protocols
Online safety
Phishing is social engineering through digital communications
A drive-by download is an automated attack that is triggered simply by visiting a malicious website
Data protection
Culture
Key performance and risk indicators
Key performance indicators (KPIs)
KPIs measure how effectively an organization performs a given task at a given time
Key risk indicators (KRIs)
KRIs measure the risk inherent in performing a given set of actions
Reporting
Technical reports
A technical report should be more than the output of an automated scanning tool or a simple inventory
Contents of a technical report
Threats
Vulnerabilities
Probability of the vulnerability being exploited
Impact level
Recommendations for improvement
Executive summary
Reports to senior leaders should be concise and easy to understand, focusing on key findings and recommendations
Risk is best described quantitatively, and one way to quantify risk is to express it in monetary terms.
Management review
Management review: a formal meeting in which senior organizational leaders determine whether the management system is effectively achieving its objectives
Before the management review
Management reviews should be carried out periodically; otherwise risk management drifts from proactive to reactive
The frequency of meetings should also be synchronized with the time needed to implement the decisions of the previous review
Review inputs
A key input is the results of relevant audits, both external and internal
In addition to making the audit report available for review, an executive summary should be produced that describes the key findings, the impact on the organization, and recommended changes (if any); write these summaries in language management understands
Another input is the list of problems found during the last review and their remediation
Customer feedback
The final input is recommendations for improvement based on all the other inputs
Management actions
Senior leaders consider all input, often asking targeted questions, and then decide to approve, reject, or defer recommendations.
Senior management will decide whether to accept its recommendations in their entirety, accept them with minor changes, reject them, or ask the ISMS team to re-gather more supporting data or redesign the proposed options.
5. Identity and access management
Concept and function
Concept
Goal: protect against unauthorized access
Use of system resources by illegitimate users
Illegitimate use of system resources by legitimate users
Concept: access control is a security mechanism that controls how users and systems communicate and interact with other systems and resources
Function
Protects confidentiality, integrity and availability
Confidentiality
Prevents leakage of sensitive information
Integrity
Prevents illegal tampering
Prevents unauthorized modification
Maintains internal and external consistency of information
Availability
Reliable and timely access to resources
Access control steps
Identification: the subject presents identification information
Asserts the user's identity
Requirements
Uniqueness: unique within the control environment, for ease of auditing
Non-descriptive: the identifier should not reveal the user's identity or position
Characteristics
The first step of access control
A unique identifier
Prerequisite for accountability (traceability)
Authentication: verifies the identification information
Verifies the user's identification information
Something you know (can be remembered)
Password
Static, fixed length
Passphrase
Transformed into a virtual password; usually longer than a password
Cognitive password
Information based on facts about, or opinions of, the person
Examples
Credit card payment date and similar information
School attended, or mother's maiden name
How many combinations of cognitive information can there be?
Something you have
Memory card
Stores information but cannot process it
Smart card
Contains a microprocessor and integrated circuits, giving it information processing capability
Classification
Contact
Has gold-plated contacts on its surface
Power and data I/O are supplied through the contacts
Contactless
Has an antenna running around the edge of the card
Power is supplied by the reader's electromagnetic field when the card enters it
Smart card attacks
Side-channel attack: A non-intrusive attack and used to find out sensitive information about how a component operates without exploiting any form of flaw or vulnerability.
Smart cards are more tamper-resistant
One-time password (OTP)
Also called a dynamic password; used for authentication and valid for one use only
Prevents replay attacks
Implementation: token device
Synchronous mode
Counter-synchronized: the user presses the token device's button to advance the counter and generate the one-time password
Time-synchronized: the token and the server must keep the same clock
Asynchronous mode
Challenge/response mechanism
Advantages and disadvantages
If the user ID and the token device are shared or stolen, they can be used fraudulently
The advantage is that there is no password to remember
Example: token device
SMS verification code
What you are, what you do
Physiological characteristics
Face scan
Scans facial attributes and features, including bone structure, forehead and other information
Algorithm: Regional Feature Analysis Algorithm
Features
Low accuracy, high speed
Recognition rate and rejection rate are high
Hand geometry
Captures the shape of the hand and fingers
Includes: length, width and shape of palm and fingers
Hand topography
Examines the peaks and valleys across the whole hand and its curved parts
Disadvantage: must be combined with hand geometry
Palm scan
The palm's grooves, ridges and creases are unique to each person
Includes: the fingerprints of each finger
Fingerprints
Fingerprints consist of ridges, bifurcations and other minutiae (very small features)
Voice print
Differences between voice patterns
You are required to speak different words during registration, and you need to mix the words and ask them to repeat them during the test.
Retina scan
Scans the blood vessel pattern on the retina at the back of the eye
Iris scan
The iris is the colored part of the eye that surrounds the pupil
Irises have unique patterns, bifurcations, colors, changes, halos, and wrinkles
Features: Iris recognition is the most accurate
Behavioral traits
Signature analysis
The speed and manner of signing, the way the signer holds the pen
The physical movement caused by the signature produces an electrical signal that can be considered a biometric
Keystroke dynamics
Dynamic keystrokes capture the electrical signals produced when specific phrases are typed
Capture the speed and movement of action
Strong authentication
Two factors: two of three types
Three factors: all three types are included
Advantages and disadvantages of the three identification methods
What you know: inexpensive, but easily misused by others
What you have: used for access to facilities and sensitive areas; the item can easily be lost
What you are and what you do: based on physiological and behavioral characteristics; hard for others to misuse
Type I error, FRR: false rejection rate, rejecting authorized individuals (false positives)
Type II error, FAR: false acceptance rate, accepting an impostor who should have been rejected (false negatives)
Crossover error rate (CER/EER): the point at which the false rejection rate equals the false acceptance rate
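A worked illustration of the Type I/Type II error rates and the crossover point, added here and not part of the mind map. It computes FRR and FAR from constructed match-score samples (the GENUINE and IMPOSTOR lists are made up) at each acceptance threshold and finds the threshold where the two rates cross.

```python
from typing import Dict, List, Tuple

# Constructed sample data: match scores (0-100, higher = closer match) produced by a
# hypothetical biometric matcher for legitimate users and for impostors.
GENUINE: List[int] = [60, 65, 70, 72, 75, 78, 80, 85, 90, 95]   # authorized individuals
IMPOSTOR: List[int] = [20, 25, 30, 35, 40, 45, 50, 55, 60, 65]  # should all be rejected


def frr(threshold: int, genuine: List[int] = GENUINE) -> float:
    """Type I error: fraction of authorized users rejected (score below the threshold)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(threshold: int, impostor: List[int] = IMPOSTOR) -> float:
    """Type II error: fraction of impostors accepted (score at or above the threshold)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_rates(threshold: int) -> Tuple[float, float]:
    """(FRR, FAR) at a given acceptance threshold."""
    return frr(threshold), far(threshold)


def crossover(thresholds: range = range(0, 101, 5)) -> Tuple[int, float, float]:
    """Threshold at which FRR and FAR are closest: the crossover error rate (CER/EER).
    Returns (threshold, frr, far); at the CER the two rates are equal."""
    best = min(thresholds, key=lambda t: abs(frr(t) - far(t)))
    return best, frr(best), far(best)


def sweep() -> Dict[int, Tuple[float, float]]:
    """FRR/FAR for every threshold in 5-point steps, showing the trade-off: a low
    threshold lets impostors in (high FAR), a high one locks out real users (high FRR)."""
    return {t: error_rates(t) for t in range(0, 101, 5)}


if __name__ == "__main__":
    for t, (r, a) in sweep().items():
        print(f"threshold {t:3d}: FRR={r:.2f} FAR={a:.2f}")
    print("CER at threshold %d: FRR=%.2f FAR=%.2f" % crossover())
```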
Authorization
Determines what operations the subject may perform on the object
Access criteria
Role-based
Group-based
Physical or logical location
Time of day or time interval
Transaction type
Default to no access
Need to know
Principle of least privilege
Accountability: audit logging and monitoring to track user activity
Traceability/Responsibility (Accountability)
Audit
Security audit
Audit scope: system-level events, application-level events, user-level events
Audit content: time, place, tasks, what happened
Log storage period and size
Audit log protection (log integrity)
Log server
Write-once media
Use of logs
Manual review
Automated review
Log management
Keystroke monitoring
Purpose: To audit a person and his activities
Access control applications
Identity management
Directories
Hierarchical data structure based on the X.500 standard and its protocols, such as LDAP (Lightweight Directory Access Protocol)
Directory Services (DS)
Allows administrators to configure and manage identities, authentication, authorization and access control that appear on the network
Metadirectory
Only connect to one directory at a time
Metadirectory contains identity data
Virtual directory
Connect to multiple data sources
Points to where the actual data resides
Identity repository
Large amounts of identity information stored in identity management directories spread across the enterprise
Web access management (WAM)
Front-end control software that provides single sign-on and other functions
HTTP is stateless
Cookies and sessions to maintain application state
Password management
Password synchronization
Only one password to maintain, so it can be made stronger
Weakness: Single point of failure, if the password is obtained, all resources can be accessed
Self-service password reset
A reset link is sent after the user answers the questions registered at enrollment
Assisted password reset
Reset password after authenticating with helpdesk
Single sign-on (SSO)
Centralized identity storage
Verify multiple resource access at once
Weakness: Single point of failure, if the password is obtained, all resources can be accessed
SSO examples
Kerberos
Authentication protocol
Based on symmetric cryptography
An example of single sign-on in a distributed environment
Provide end-to-end security
Integrity and confidentiality are provided, availability is not guaranteed
Main components
Key Distribution Center KDC
Authentication Service (AS)
Ticket Granting Service (TGS)
Secret key: shared between the KDC and the principal (the key is stored on the KDC)
Session key: secret shared between two principals, destroyed at the end of the session
Weaknesses
KDC is a single point of failure
The secret key is temporarily stored on the user's workstation
The session key resides on the user's workstation
SESAME
Using symmetric and asymmetric cryptography
Main components
Privileged Attribute Server (PAS)
Privileged Attribute Certificate (PAC), digitally signed
PAC includes: the subject's identity, its access capabilities for the object, the access time period and the lifetime of the PAC
Plays a role similar to the KDC
Authentication Server (AS)
KryptoKnight
Ticket-based
Two-party authentication
No clock synchronization required; uses a nonce (one-time random number)
SAML
Web-based single sign-on
Is the standard for federated identity management
Security domains: Establish trust relationships between domains that share the same security policy and management
IDP (Identity Provider)
SA (security assertion)
Account management
Centralized account management, synchronized identity directory
Streamlined identity management approval creation process
Federated identity
Sharing user information between multiple units
Identity as a Service (IDaaS) / SaaS IAM
Cloud-based identity broker and access management service Cloud-IAM
Identity management, access control, intelligent analysis
Can realize single sign-on, federated identity, fine-grained control, service integration, etc.
Access control markup languages
GML
SGML: Standard Generalized Markup Language
HTML: Hypertext Markup Language
XML
SPML
Service Provisioning Markup Language
SAML (Security Assertion Markup Language), used to implement web SSO
An XML-based standard for exchanging authentication and authorization data between different security domains
IDP (Identity Provider)
If there is a problem with the IDP, all users will be affected
XACML
eXtensible Access Control Markup Language: used by web services and other applications to implement access management and control through security policies and access permissions
OpenID
OpenID is an open standard for user authentication by third parties
Users do not need to remember traditional authentication tokens like usernames and passwords. Instead, they only need to pre-register on the website of an OpenID Identity Provider (IDP)
OAuth
An open standard (Open Authorization)
OAuth 2.0 uses access tokens
Access control models (authorization)
Discretionary access control model DAC
Based on user authorization
Relies on the object owner's discretion
Type
Identity-based: access is decided from the identity of the user requesting the resource
Restrictions applied directly to users
Disadvantage: less secure
Vulnerable to
Trojan horses
Social engineering
Mandatory access control model MAC
MAC relies on security tags
Objects are given sensitivity labels (classification); only subjects whose clearance is higher than the object's level may access it (the subject holds a clearance, an inherent attribute)
Only administrators, not the object owner (data owner), can change an object's level
Used in high-security environments: military/government agencies
Role-based access control model RBAC
Also called non-discretionary access control (non-DAC); the OSG definition is that anything that is not DAC is non-DAC
Uses centralized access control to determine subjects' access to objects
Based on user roles
Features
Assigning permissions based on job responsibilities
Can be associated with organizational structure
Able to follow the principle of least privilege
Segregation of Duties
Users or groups are mapped to roles, and permissions are granted to the roles
Categories
Core RBAC
Users, roles, permissions, operations and sessions should be defined and mapped according to policy
Hierarchical RBAC
Role relationships define user membership and permission inheritance
Reflects the organization's structure and functional lines
Types
Limited hierarchy
Single level of role inheritance
General hierarchy
Multiple levels of role inheritance
Constrained RBAC
Introduce separation of duties
Static separation of duties in RBAC
Example: Accounting and Cashier
Prevent fraud
Dynamic separation of duties in RBAC
Dynamically restricts the additional separation-of-duties permissions of roles activated within a session
Rule-based access control RuBAC
Based on "if X then Y" rules
Use specific rules to dictate what can and cannot happen between subjects and objects.
Rule-based access control is not necessarily identity-based
Many routers and firewalls use rules to determine which types of packets are allowed into the network and which are denied
Attribute-based access control ABAC
A newer model that addresses the shortcomings of RBAC: each resource and user is assigned a set of attributes, and access is decided by evaluating the user's attributes, such as time, position and location, against the resource. RBAC is a special case of ABAC
Access control methods
Access control matrix
Matrix of access relationships between subjects and objects
Capability table (a row of the matrix)
Bound to a subject; specifies which objects the subject can access
Takes the form of a ticket, token or key
Example: Kerberos tickets
Access control list, ACL (a column of the matrix)
Bound to an object; specifies which subjects can access it
Permissions table
Example: firewall and router configuration
Content-dependent access control
Access to an object depends on the object's content
Example: content-based filtering rules in a packet filtering firewall
Context-dependent access control
Access decisions based on context (state)
Example: stateful inspection firewall
Restricted user interfaces
Include
Menus and shells
Database views (CREATE VIEW)
Physically constrained interfaces (e.g., an ATM keypad)
Access control administration
Methods
Authentication protocols (Chapter 4)
Password Authentication Protocol, PAP
Challenge Handshake Authentication Protocol, CHAP
Extensible Authentication Protocol, EAP
Centralized access control management (Centralized access control administration)
RADIUS
Combines authentication and authorization
Uses UDP
Encrypts only the password transmitted between the RADIUS client and the RADIUS server
TACACS
Uses TCP
Supports dynamic passwords
Uses the AAA architecture, separating authentication, authorization and auditing
Encrypts all traffic between client and server
Diameter
Base protocol
Extensions
Built on the base protocol; can be extended for many services, such as VoIP
Decentralized access control management
Places control of access with the people closest to the resource, who best understand who should and should not have access to particular files, data and resources
Comparison
Centralized access control: single point of failure, but uniform and efficient
Decentralized access control: based on user authorization; no single point of failure, but lacks consistency
Categories
Administrative controls
Policies and procedures
Personnel controls
Supervisory structure
Security awareness training
Testing
Physical controls
Network segmentation
Perimeter security
Computer controls
Work area separation
Cabling
Control zone
Technical controls
System access
Network architecture
Network access
Encryption and protocols
Auditing
Accountability: Auditing capabilities ensure users are accountable for their actions, ensure security enforcement of security policies, and serve as an investigative tool
Access control monitoring
Intrusion detection system (IDS) architecture
Classified by scope of protection
Network-based IDS (NIDS)
Monitors network traffic in real time; deployed on a tap, a switch mirror (SPAN) port, or a hub
Host-based IDS (HIDS)
Monitors host audit logs in real time; deployed on each critical host (analyzes logs)
Drawbacks
Intrusive to the host operating system
Interferes with normal processing and consumes excessive CPU and memory
Application-based IDS
IDS that monitors a specific application for malicious behavior
Classified by detection method
Signature-based IDS
Signature matching, similar to antivirus software
Signatures must be continuously updated
Detects only previously identified attack signatures; cannot discover new attacks
Categories: pattern matching, stateful matching
Anomaly-based IDS
Behavior-based; must first learn the "normal" activity of the environment
Can detect new attacks
Drawback
May raise false alarms on non-attack events caused by transient anomalies in the system
Also called behavior-based or heuristic
Classification
Statistical anomaly
Protocol anomaly
Traffic anomaly
Rule-based IDS
Uses IF/THEN rule-based programming from expert systems
Can incorporate artificial intelligence
The more complex the rules, the higher the demands on hardware and software performance
Cannot detect new attacks
Intrusion response
If the IDS detects an intrusion
Restricts or blocks traffic
Also integrates with other devices to respond
For example, rules are pushed to routers, VPN gateways, VLAN switches, etc.
Early IDS versions were integrated with firewalls, letting the firewall create traffic rules in real time
Normal business may be disrupted while rules are being activated
The false alarm rate must be strictly controlled
Alerts and alarms
IDS basic components
1. Sensor
Deploys the detection mechanism
Identifies events
Generates appropriate notifications
Notifies the administrator
Activates a rule
2. Control and communication
Handles alert information
Sends an email or text message
3. Alarm annunciator
Determines who receives the information
Ensures a timely delivery mechanism for the information
IDS management
Hire technically knowledgeable staff to select, implement, configure, operate and maintain the IDS
Regularly update the system with new attack signatures and re-evaluate the expected behavior profiles
Be aware of the IDS's own vulnerabilities and protect it accordingly
Attackers may launch attacks to disable the IPS/IDS
Distinguish IDS from IPS
IPS: in-line (serial)
IDS: out-of-band (passive monitoring)
Intrusion prevention system (IPS)
IDS: passive detection
IPS: active defense
Honeypot
Honeypot: decoy, enticement
Enticement is legal
Entrapment is not a honeypot
Entrapment is illegal and cannot be used as evidence
Threats to access control
Password attack methods
Electronic monitoring (sniffing)
Captures password information by monitoring traffic and enables replay attacks
Access to the password file
Accessing the password file on the server
Brute-force attack
Tries all possible characters, numbers and combinations
Dictionary attack
Builds a dictionary file to compare against the user's password
Social engineering
Obtains or resets a password through phone calls or impersonation
Rainbow table
A precomputed table of password hashes
Keylogging
Password security recommendations
Password checker
Tool for testing password strength
Password hashing and encryption
Password life cycle
Define the password change interval
Keep a history of previous passwords
Limit the number of login attempts
Attacks on smart cards
Side-channel attacks
Differential power analysis
Examines the power emissions released during processing
Electromagnetic analysis
Examines the frequencies emitted
Timing analysis
Measures the time a specific function takes to complete
Software attacks
Inputs instructions into the smart card to extract account information
Fault generation
Induces errors by manipulating environmental components
Includes: temperature fluctuations, changes to input voltage or clock frequency
Direct (physical) attacks
Microprobing
Uses needles and ultrasonic vibration to remove the protective material over the card's circuitry, then connects directly to the ROM chip to access and manipulate its data
Information leakage
Chapter 1: Social engineering
Chapter 3: Covert channels
Chapter 8: Malicious code
Object reuse
Memory locations, variables and registers not cleared before being reassigned
Files and data tables not cleared before being reassigned
Emanation security
Faraday cage: a metal enclosure that keeps a device's electronic emissions from escaping beyond a certain range
White noise: a random electronic signal with a uniform spectrum that masks emanations so no information can be recovered from them
Control zone
Special shielding materials on the surfaces of the facility block electronic signals
Requires a security perimeter
Authorization problems
Authorization creep
Accumulating more and more privileges through job or department changes
Phishing
A social engineering attack
Creates a lookalike of a legitimate website
Pharming (URL redirection)
DNS poisoning
Redirects users to a malicious IP address or URL
Identity theft
4. Communications and network security
Basic concepts of network
Protocol
A standard set of rules governing how systems communicate on a network
Communication between peer layers must follow agreed rules on content and method; these rules are the protocol
Layering
Separates network interconnection tasks, protocols and services into distinct layers
Each layer has its own responsibilities; each layer performs specific functions implemented by the services and protocols operating within it
Each layer has a defined interface that lets it interact with three other layers:
The layer above it
The layer below it
The same layer on the destination system
Encapsulation
Decapsulation
Open Systems Interconnection (OSI) reference model
Application layer, layer 7
Closest to the user
Provides file transfer, message exchange, terminal sessions and network requests on behalf of applications
Includes: SMTP, HTTP, LPD, FTP, TELNET, TFTP, SFTP, RIP (over UDP), BGP (over TCP), SIP (Session Initiation Protocol)
Presentation layer, layer 6
Converts information into a format that any computer following the OSI model can understand
Concerned with the format and syntax of the data; handles data compression and encryption
Typical formats: ASCII, ASN.1, JPEG, MPEG, etc.
Session layer, layer 5
Responsible for establishing connections between two applications
Manages sessions between hosts: establishing, managing and terminating sessions between processes
Typical protocols: NetBIOS, PPTP (over TCP), RPC, etc.
Transport layer, layer 4
Provides end-to-end data transmission and establishes a connection between two communicating computers
The session layer establishes connections between applications; the transport layer establishes connections between computer systems
Typical protocols: TCP, UDP, SPX, etc.
Data unit: segment (TCP segment, UDP datagram)
Network layer, layer 3
Routes packets between subnets; provides congestion control and internetworking
Data unit: packet
Typical protocols: IPX, IP, ICMP, IGMP, IPsec, etc.
Data link layer, layer 2
Provides reliable transmission over unreliable physical media
Functions include physical addressing, framing, flow control, error detection and retransmission
Typical protocols: SDLC, PPP, STP, Frame Relay, ARP/RARP, etc.
Data unit: frame
Physical layer, layer 1
Specifies the mechanical, electrical, functional and procedural characteristics for activating, maintaining and deactivating communication endpoints
Data unit: bit
Typical specifications: EIA/TIA RS-232, RJ-45
TCP/IP model
TCP: reliable, connection-oriented protocol
UDP: connectionless protocol
IPv4 addresses are 32 bits; IPv6 addresses are 128 bits
Socket: the header carries the source and destination addresses and the source and destination ports. Common port numbers: FTP 20/21, SSH 22, Telnet 23, SMTP 25, HTTP 80
Transmission types
Analog vs digital
Analog signal: amplitude, frequency and phase vary continuously; lower transmission rate
Digital signal: discrete pulses; less susceptible to distortion; higher transmission rate
Asynchronous vs synchronous
Synchronous transmission relies on a shared clock
Asynchronous transmission relies on flag bits
Baseband vs broadband
Baseband: the digital or analog signal is placed directly on the cable without modulation and uses the entire channel; Ethernet is a baseband network
Broadband: multiple signals are modulated onto different "carrier" frequencies, dividing the cable's bandwidth into separate channels, for example carrying voice, video and data at the same time; cable TV is a broadband network
LAN technologies
Network topology
Ring
Bus
Star
Mesh
Transmission medium
LAN implementation types
Ethernet
Defined by the IEEE 802.3 standard
Physical star, logical bus
Uses broadcast domains and collision domains
Media access via CSMA/CD
Ethernet/IEEE 802.3 (10 Mbps over coaxial cable), Fast Ethernet over twisted pair (100 Mbps), Gigabit Ethernet (1 Gbps over fiber or twisted pair)
Token Ring
IEEE 802.5 standard
Logical ring, usually wired as a physical star
Each node must regenerate the signal
Predictable bandwidth under load, 4 Mbps or 16 Mbps
FDDI
Token-passing network using two counter-rotating rings: the primary ring runs clockwise and the secondary ring counterclockwise; uses active monitoring and generates new tokens
Speeds up to 100 Mbps
Typically used for LAN/WAN backbones
CDDI (Copper Distributed Data Interface) runs over UTP
Media access technologies
Token passing
Used by Token Ring and FDDI
Only the computer holding the token may transmit
CSMA
CSMA/CD
Carrier Sense Multiple Access with Collision Detection
Used on Ethernet
CSMA/CA
Carrier Sense Multiple Access with Collision Avoidance
Used in wireless networks such as 802.11
Broadcast domain
Broadcasting is a method of information dissemination, which means that a certain device in the network simultaneously
Collision domain
Cabling
Concepts
Data throughput is measured after compression and encoding
It is the actual amount of data passing through the cable
Bandwidth can be thought of as a pipe
Data throughput is the actual amount of data flowing through the pipe
Coaxial cable
A copper core surrounded by shielding and a grounding wire
More resistant to electromagnetic interference
50 ohm cable is used for digital signals
70 ohm cable is used for high-speed digital and analog signals
Coaxial cable can be used in baseband or broadband mode
Twisted pair
Shielded twisted pair (STP) and unshielded twisted pair (UTP)
Copper wires twisted around each other to reduce radio frequency interference (crosstalk)
Twisted pair suffers from signal attenuation
UTP is the least secure network cable
Fiber optic (most secure) (compare FC SAN and IP SAN) (measuring the attenuation of the light is one way to detect tapping)
Multimode fiber: short to medium distances
Single-mode fiber: long distances
Cabling problems
Noise
Attenuation
Crosstalk
Cable fire rating
Transmission methods
Unicast
Broadcast
Multicast
Anycast
LAN protocols
Address Resolution Protocol, ARP
Resolves IP addresses to MAC addresses
ARP table poisoning
Dynamic Host Configuration Protocol, DHCP
RARP
BOOTP
DHCP
Internet Control Message Protocol, ICMP
Routing protocols (dynamic routing protocols discover routes and build their own routing tables; static routes must be configured manually by an administrator)
Individual networks are grouped into autonomous systems (AS)
Distance vector
RIP
IGRP
Link state (builds a network topology database)
OSPF
Exterior routing protocol used by routers to connect different ASs, often called an exterior gateway protocol: BGP
Network and security devices
Network connectivity devices
Repeater
Works at the physical layer
Receives and amplifies signals and sends them out of all ports
Multiple devices on the same segment increase collisions and contention
Bridges and switches
Data link layer devices
A switch combines hub and bridge technology
VLANs (logical network segmentation)
Reduce collisions
Improve network security
The switch reads the frame's physical (MAC) address; if the destination port is known, the frame is sent only to that port, otherwise it is sent to all ports
Router
Network layer device
Routers divide the network into separate collision domains and broadcast domains
Gateway
Application layer device
Connects different types of networks and translates protocols and formats
PBX
Digital switching device that handles analog voice and data signals
PBX internal security issues, such as eavesdropping and toll fraud
CDN
Content delivery network
A strategically deployed system with four elements: distributed storage, load balancing, request redirection and content management
SDN
Software-defined networking
Control is separated from the network devices and handled by a centralized controller, independent of the underlying devices (routers, switches, firewalls), hiding their differences
Network Address Translation, NAT (besides alleviating the shortage of IP addresses, NAT hides and protects internal computers from attacks from outside the network; implemented on routers and firewalls)
Static mapping
Dynamic mapping
Port mapping
Security devices
Firewall
Classification
Packet filtering firewall (first generation)
Works at the network layer
Hard to prevent attacks on upper-layer protocols
Application proxy firewall (second generation)
Works at the application layer
Understands the application protocol and forwards on the client's behalf; there is no direct route between the communicating parties
Second generation firewall
Circuit-level gateway firewall
Works at the session layer
A hybrid of packet filtering and application proxy
Stateful inspection firewall (third generation)
Works at the network, transport and application layers
Maintains a state table to track each communication channel
Tracks UDP and TCP packets
Third generation firewall
Dynamic packet filtering firewall (fourth generation)
ACLs are created dynamically and discarded when the connection ends
Fourth generation firewall
Kernel proxy firewall (fifth generation)
Fifth generation firewall
Evaluates packets by building a dynamic, customized TCP/IP protocol stack
Next-generation firewall (NGFW)
Improves on the static policies of existing firewalls
Draws on external dynamic data sources (such as a policy server or AD)
Develop a process for getting the right rules to the right place at the right time
Use risk assessment to determine firewall placement, number and specific policies
Firewall architectures
Dual-homed firewall
Screened host
Screened subnet (forms a DMZ; highest security)
UTM: unified threat management
NGFW: next-generation firewall
SIEM: security information and event management (Chapter 7)
Remote access technologies
AAA services: authentication, authorization, accounting/auditing
RADIUS
Remote Authentication Dial-In User Service; uses UDP
TACACS
Terminal Access Controller Access-Control System
Uses UDP
TACACS
Two-factor password authentication (allows dynamic passwords)
Uses TCP
Diameter
Authentication protocols
Password Authentication Protocol, PAP
Sends the username and password in cleartext (insecure)
Very simple two-way handshake
The party being authenticated initiates and may retry without limit (brute-force cracking)
PAP authenticates only during link establishment; once the link is up there is no further verification. Currently used mainly in PPPoE dial-up environments
Challenge Handshake Authentication Protocol, CHAP
Challenge-response mechanism for authentication
CHAP uses a 3-way handshake
Transmits a hash value for verification
Performed during link establishment, and verification can be repeated at any time after the link is up
CHAP resists replay attacks by incrementally changing the identifier and the "challenge value"
CHAP requires the secret to be stored in cleartext
Exam prompt: the enterprise needs a method that both prevents replay and verifies against a cleartext-stored secret; PAP, CHAP or EAP?
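An added illustration, not from the mind map, of the CHAP exchange beside PAP: the authenticator sends an identifier and a random challenge, the peer answers with MD5(identifier || secret || challenge) as in RFC 1994, and the authenticator recomputes the hash from its cleartext copy of the secret. Each challenge is single-use and the identifier increments, so a captured response cannot be replayed; the user names, secrets and the fixed test challenge are constructed.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional, Tuple


def pap_packet(username: str, password: str) -> bytes:
    """PAP Authenticate-Request payload: the password travels in cleartext."""
    u, p = username.encode(), password.encode()
    return bytes([len(u)]) + u + bytes([len(p)]) + p


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) response value: MD5 over Identifier || secret || Challenge.
    Only this 16-byte digest crosses the wire, never the secret."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Authenticator (server) side. It must keep each peer's secret in cleartext
    because verification means recomputing the same hash."""

    def __init__(self, secrets: Dict[str, bytes],
                 rng: Callable[[int], bytes] = os.urandom):
        self._secrets = secrets
        self._rng = rng                      # injectable so tests are deterministic
        self._identifier = 0
        self._pending: Dict[str, Tuple[int, bytes]] = {}

    def challenge(self, name: str) -> Tuple[int, bytes]:
        """Step 1 of the 3-way handshake: send a fresh (Identifier, Challenge).
        The identifier changes every time, so even a repeated challenge value
        yields a different expected response."""
        self._identifier = (self._identifier + 1) % 256
        chal = self._rng(16)
        self._pending[name] = (self._identifier, chal)
        return self._identifier, chal

    def verify(self, name: str, identifier: int, response: bytes) -> bool:
        """Step 3: check the peer's response against the outstanding challenge.
        The challenge is consumed whether or not the check succeeds, so a
        replayed response has nothing to match against."""
        pending: Optional[Tuple[int, bytes]] = self._pending.pop(name, None)
        secret = self._secrets.get(name)
        if pending is None or secret is None or pending[0] != identifier:
            return False
        expected = chap_response(identifier, secret, pending[1])
        return hmac.compare_digest(expected, response)  # constant-time compare


def chap_login(auth: ChapAuthenticator, name: str, secret: bytes) -> bool:
    """Peer side of one full exchange: receive challenge, compute response, get verdict."""
    ident, chal = auth.challenge(name)
    return auth.verify(name, ident, chap_response(ident, secret, chal))


if __name__ == "__main__":
    server = ChapAuthenticator({"alice": b"s3cret"})
    print("PAP on the wire:", pap_packet("alice", "s3cret"))
    print("CHAP login ok:", chap_login(server, "alice", b"s3cret"))
    print("CHAP wrong secret:", chap_login(server, "alice", b"guess"))
```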
Extensible Authentication Protocol, EAP (an extensible authentication framework)
EAP-MD5
Weak, hash-based authentication
One-way authentication
The server authenticates the client
EAP-TLS
Uses digital certificates for authentication
Mutual (two-way) authentication
Both the server and the client require digital certificates
(Note: EAP-TTLS and PEAP require only a server-side certificate, not a client certificate)
PEAP
Uses TLS
EAP-TTLS
Extends TLS capabilities (tunneled TLS)
Authentication methods
Callback
In a callback, the host system disconnects the caller and then dials the remote terminal's authorized telephone number to re-establish the connection; synonymous with dialback
Integrated Services Digital Network, ISDN
Integrates multiple technologies, including circuit switching, dedicated lines and packet switching, to provide voice, video and data services over a single network
Basic Rate Interface (BRI): 2B+D, two 64 Kbps data channels and one 16 Kbps control channel
Primary Rate Interface (PRI): 23B+D, 23 64 Kbps data channels and one 64 Kbps control channel
Dedicated line
Secure
Expensive
Digital Subscriber Line, DSL
Symmetric DSL, SDSL
Same rate upstream and downstream; suited to bidirectional high-speed services
High bit rate DSL, HDSL
Requires two twisted pairs to provide T1 speed over ordinary telephone lines
Asymmetric DSL, ADSL
Downstream is faster than upstream; suited to home users
IDSL
For users farther from the switching center; 128 Kbps symmetric
Point-to-Point Tunneling Protocol, PPTP
Works at the session layer (layer 5) and serves the data link layer (layer 2)
point-to-point connection
Designed for client/server connections
Encapsulate PPP frames for tunnel transmission
Use MPPE encryption
L2F
Created by Cisco before L2TP
Merged with PPTP to form L2TP
Provides secure authentication
No encryption of its own
L2TP
A combination of L2F and PPTP
Point-to-point connection between two computers
Combined with IPsec to improve security
L2TP only defines encrypted transmission of control messages; it does not encrypt the data carried in the tunnel.
IPSec
Ability to handle multiple connections simultaneously
Provides secure authentication and encryption
Works at the network layer
Two modes: tunnel mode and transport mode
Key protocols: AH, ESP, ISAKMP, IKE
AH (Authentication Header)
Provides integrity
ESP (Encapsulating Security Payload)
Provides confidentiality and integrity
SA (Security Association)
One-way; a security association stores the negotiated VPN parameters
IKE (Internet Key Exchange)
Key exchange protocol
ISAKMP
Secure connection and key exchange negotiation framework
SSL/TLS
Provides application-layer security; works at the transport layer
SSL is the predecessor of TLS (TLS 1.0 succeeded SSL 3.0 and is also known as SSL 3.1)
Easy to implement and maintain. An IPsec VPN is implemented at the network layer and is relatively complex; a TLS VPN is implemented at the transport layer and is simple and flexible. Relatively speaking, an IPsec VPN has higher transmission efficiency and a TLS VPN lower.
MPLS
(Multi-Protocol Label Switching) MPLS connects an enterprise's offices and equipment in different locations through a secure, reliable and efficient virtual private network for data, voice, video and other important network applications, while maintaining quality of service (QoS) guarantees.
MPLS VPN relies on forwarding tables and packet labels to create a secure VPN, rather than relying on encapsulation and encryption techniques.
VPNs use tunneling protocols to ensure confidentiality and integrity during data transmission.
WAN
Circuit-switched link (circuit switching)
Based on the traditional telephone network: a physical, permanent connection
An everyday telephone call is an example of a circuit-switched system
Generally ISDN or a dial-up modem; suited to low-bandwidth and backup use, with low resource efficiency
Program-controlled switch
Packet-switched link (packet switching)
Store-and-forward mode
Shared by multiple systems; data is sent in packets, routed by switching equipment and reassembled at the destination; efficient use of resources
Traditional packet switching: Frame Relay, X.25, the Internet
Cell-switched connection (cell switching)
Asynchronous Transfer Mode (ATM)
Carrier for voice and video transmission
Data is fragmented into fixed-size 53-byte cells
dedicated link
T-carriers are dedicated lines that carry voice and data
T1 line up to 1.544Mbps
T3 lines up to 45Mbps
Time Division Multiplexing (TDM)
T1 and T3 are gradually being replaced by fiber optics
CSU/DSU
Channel Service Unit/Data Service Unit
Digital signal conversion between LAN and WAN
DSU converts digital signals from routers, bridges, etc. into signals that can be transmitted over the phone company's digital lines
CSU connects the network directly to telephone company lines
WAN virtual circuits
Frame Relay and X.25 forward data frames over virtual circuits
Permanent virtual circuits (PVCs) work like dedicated circuits: a permanent connection with an agreed available bandwidth for the customer, continuously carrying user data.
Switched virtual circuits (SVCs) require dial and connect steps: circuit establishment, data transfer, circuit teardown.
frame relay
WAN protocol that works at the data link layer
Two main types of device are used to connect to Frame Relay:
Data terminal equipment, DTE
Typically customer-owned equipment such as routers and switches, providing connectivity between the company's own network and the Frame Relay network
Data circuit-terminating equipment, DCE
The service provider's (telecom carrier's) equipment, which performs the actual data transmission and switching inside the Frame Relay cloud
X.25
Defines how devices and networks establish and maintain connections
Switched Multimegabit Data Service, SMDS
A high-speed packet switching technology
Connectionless protocol
Synchronous Data Link Control, SDLC
A network based on dedicated leased connections and permanent physical connections
Suited to mainframe remote communication; uses polling for media access
High-level Data Link Control, HDLC
Bit-oriented link layer protocol
For transmission over synchronous lines
High-Speed Serial Interface, HSSI
Interface connecting multiplexers and routers to high-speed communication services (ATM and Frame Relay)
Works at the physical layer
Multi-service access technology
The telephone system is based on circuit switching; voice rides on the central network, the Public Switched Telephone Network (PSTN).
Signaling System No. 7 (SS7) controls connection establishment, control instructions and teardown.
Session Initiation Protocol, SIP: a protocol that establishes and tears down call sessions, working over TCP or UDP
VoIP: voice is not carried over the telecom operator's traditional telephone (voice) network; it is converted into IP packets and transmitted over an IP network
H.323 gateway
ITU-T recommendation covering a large number of multimedia communication services
H.323 is designed to handle video, audio and packet transmission
SIP gateway
VoIP security issues and countermeasures
Legal Compliance
Guarantee of business continuity
IP phone
WAN multiplexing technology
Time-division multiplexing, TDM (statistical TDM, STDM)
Frequency Division Multiplexing FDM
Wavelength Division Multiplexing, WDM
Dense wavelength division multiplexing, DWDM
wireless technology
WAP
Wireless Application Protocol
Based on WML (Wireless Markup Language), which is based on XML
WAP has its own session and transport protocols as well as the transport layer security protocol of Wireless Transport Layer Security (WTLS)
Anonymous authentication: The wireless device and server do not authenticate each other
Server Authentication: The server authenticates the wireless device
Bidirectional client and server authentication: The wireless device and server authenticate each other
802.11
802.11a
Up to 54Mbps speed
5GHz frequency range
802.11b
Up to 11Mbps speed
2.4GHz
802.11n
QoS
802.11g
20-54Mbps
2.4GHz frequency band
802.11i
Incorporates the Extensible Authentication Protocol, EAP
Incorporates the Message Integrity Code, MIC
Temporal Key Integrity Protocol, TKIP (WPA)
Each data frame has a different IV value
Uses the standard AES (Advanced Encryption Standard) (WPA2)
The Wi-Fi Alliance calls the version using a pre-shared key WPA-Personal or WPA2-Personal; the version certified with 802.1X is called WPA-Enterprise or WPA2-Enterprise
802.1X: IEEE 802.1X is an IEEE standard for authenticating user access to the network. The 802.1X protocol verifies users/devices when they attach to a network (LAN or WLAN) before they are admitted at the MAC layer.
The same authentication architecture plus a method for dynamically distributing encryption keys; it consists of three parts: the supplicant (wireless device), the authenticator (AP) and the authentication server (RADIUS)
The supplicant is a client device (such as a laptop) that wishes to attach to the LAN/WAN. The authenticator is a network device, such as an Ethernet switch or wireless access point; the authentication server is typically a host running software supporting the RADIUS and EAP protocols.
Uses EAP authentication
Bluetooth
Bluejacking
Actively sends an unsolicited message to a Bluetooth device (does no damage)
Bluesnarfing
Spread spectrum technology
Frequency Hopping Spread Spectrum, FHSS
Uses the FHSS algorithm to decide which frequencies to use and in what order
Direct sequence spread spectrum, DSSS
Orthogonal frequency division multiplexing, OFDM
Wireless LAN (WLAN) security / two-way wireless authentication
Open System Authentication (OSA)
Only the correct SSID needs to be supplied
Shared Key Authentication (SKA)
Requires the wireless device to prove it holds the valid key
WEP protocol (Wired Equivalent Privacy)
Uses RC4 encryption (insecure, obsolete)
24-bit IV (initialization vector), easily broken
WPA
TKIP (Temporal Key Integrity Protocol) handles the encryption part of wireless security; it was introduced to fix the security problems of WEP-protected networks
128-bit IV, safer
WPA2 (Wi-Fi Protected Access 2)
CCMP replaces TKIP
Most secure
Wireless attacks
War walking/driving/chalking
AP (Access Point)
Anti-theft, antenna power, rogue AP prevention (a rogue AP is a wireless router or Wi-Fi AP connected to the corporate network without the company's permission)
Wireless Communication Technology
Satellite Communications
One-way networks, such as digital television
Two-way networks, such as satellite links to the Internet
1G
900MHz
Analog, FDMA
Basic telephone service
2G
1800MHz
TDMA
Caller ID and voicemail
circuit switching
text only
3G
2GHz
CDMA
2 Mbps (3.5G: 10 Mbps)
Conference calls and low-quality video
Graphics and formatted text
packet switching
4G
40GHz and 60Ghz
OFDM
Telepresence and HD video
Complete Unified Messaging
Native IPv6
100Mbps
SIM card: Subscriber Identity Module (3G/4G: USIM, Universal SIM)
Network interconnection services and protocols
Domain Name System, DNS
Threats
DNS cache poisoning
DNS cache poisoning attacks mainly target DNS servers that work in recursive resolution and cache resolution results for non-local domains.
DNS security
DNSSEC strengthens the authentication mechanism of DNS
One purpose of developing DNSSEC was to ensure integrity by digitally signing data
Industrial control systems, SCADA
Supervisory control and data acquisition
Modbus, Fieldbus protocols
Threats faced
Mobile phone security
Phones have cameras and store sensitive information
Authentication: there may be fake base stations
Mobile phone cloning
WLAN war-driving attacks
Used to sniff for APs and crack passwords
Spyware and adware
instant messaging (The biggest risk is information leakage)
Impersonation, authentication and other attacks
Denial of Service attack (DoS)
Attacks using the TCP protocol
SYN flood
Attack principle
Abuses the TCP three-way handshake
Attacks using the ICMP protocol
Ping of death
Sends malformed (oversized, >64 KB) ICMP packets
Smurf
Sends massive broadcast packets, causing a crash (a Smurf attack floods the victim host with ICMP echo request (ping) packets whose source address is spoofed to the victim and whose destination is the broadcast address of the victim network, so that every host on the network replies to the echo request and the network becomes congested)
Attacks using the UDP protocol
Fraggle
Sends massive UDP echo packets
Teardrop
Overlapping fragments during packet reassembly cause a crash
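As an added example (constructed by the editor, not from the book), the following Python detection logic runs over a small set of constructed flow records and flags the four attack patterns listed above: SYN flood (many half-open handshakes to one destination), Smurf (ICMP echo request to a directed broadcast address), fraggle (UDP echo/chargen to a broadcast address) and teardrop (overlapping IP fragments). The monitored network 198.51.100.0/24, the thresholds and the flow record format are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumptions: the monitored network, and flow records as plain dicts
# (in practice these would come from NetFlow or pcap parsing).
MONITORED = ipaddress.IPv4Network("198.51.100.0/24")
BROADCAST = {str(MONITORED.broadcast_address)}
ECHO_PORTS = {7, 19}   # UDP echo and chargen, the ports abused by fraggle


def tcp(src, dst, flags):
    return {"proto": "TCP", "src": src, "dst": dst, "dport": 80, "flags": flags}


# Constructed sample traffic (TEST-NET addresses, nothing real): 40 spoofed
# half-open SYNs, one normal handshake, one Smurf-style echo request with the
# victim as spoofed source, one fraggle-style UDP echo, two overlapping fragments.
SAMPLE_FLOWS = (
    [tcp(f"203.0.113.{i}", "198.51.100.10", "S") for i in range(1, 41)]
    + [tcp("198.51.100.20", "198.51.100.10", "S"),
       tcp("198.51.100.20", "198.51.100.10", "A")]
    + [{"proto": "ICMP", "src": "198.51.100.10", "dst": "198.51.100.255", "icmp_type": 8}]
    + [{"proto": "UDP", "src": "198.51.100.10", "dst": "198.51.100.255", "dport": 7}]
    + [{"proto": "IP", "src": "192.0.2.9", "dst": "198.51.100.10",
        "frag_id": 77, "frag_off": 0, "frag_len": 120},
       {"proto": "IP", "src": "192.0.2.9", "dst": "198.51.100.10",
        "frag_id": 77, "frag_off": 80, "frag_len": 120}]
)


def detect_syn_flood(flows, threshold=20):
    """Flag destinations with >= threshold sources that sent SYN but never ACKed."""
    syn_sources = defaultdict(set)
    ack_sources = defaultdict(set)
    for f in flows:
        if f["proto"] != "TCP":
            continue
        if f["flags"] == "S":
            syn_sources[f["dst"]].add(f["src"])
        elif "A" in f["flags"]:
            ack_sources[f["dst"]].add(f["src"])
    alerts = []
    for dst, sources in syn_sources.items():
        half_open = len(sources - ack_sources[dst])
        if half_open >= threshold:
            alerts.append(("SYN_FLOOD", dst, half_open))
    return alerts


def detect_smurf_fraggle(flows):
    """Echo traffic aimed at our directed broadcast address is never legitimate."""
    alerts = []
    for f in flows:
        if f["dst"] not in BROADCAST:
            continue
        if f["proto"] == "ICMP" and f.get("icmp_type") == 8:
            alerts.append(("SMURF", f["src"]))       # src is the spoofed victim
        elif f["proto"] == "UDP" and f.get("dport") in ECHO_PORTS:
            alerts.append(("FRAGGLE", f["src"]))
    return alerts


def detect_teardrop(flows):
    """Flag fragment sets whose offsets overlap a previous fragment's payload."""
    groups = defaultdict(list)
    for f in flows:
        if "frag_id" in f:
            groups[(f["src"], f["dst"], f["frag_id"])].append((f["frag_off"], f["frag_len"]))
    alerts = []
    for (src, dst, frag_id), parts in groups.items():
        parts.sort()
        for (off1, len1), (off2, _) in zip(parts, parts[1:]):
            if off2 < off1 + len1:
                alerts.append(("TEARDROP", src, frag_id))
                break
    return alerts


def analyze(flows):
    return detect_syn_flood(flows) + detect_smurf_fraggle(flows) + detect_teardrop(flows)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS):
        print(alert)
```

Note that the Smurf and fraggle alerts report the spoofed source, i.e. the intended victim, not the attacker; the useful mitigation is to drop directed-broadcast traffic at the border and rate-limit half-open connections (SYN cookies) on the hosts.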
Distributed Denial of Service, DDoS
Reflector and amplifier attacks
Traffic diversion, scrubbing and re-injection
Blackholing (traffic is discarded) / sinkhole routing (traffic is drawn to a chosen point for further analysis) to handle DDoS attacks.
3. Security engineering
Concept
Security architecture
Use secure design principles throughout the system life cycle
Systems engineering life cycle
key technical process
Requirements definition
demand analysis
Architecture design
implement
integrated
verify
confirm
Transfer (online)
key management processes
Strategic analysis
Technical planning
technology assessment
Demand management
Risk Management
Configuration management
Interface management
Technical data management
Security principles
NIST SP 800-14
NIST SP 800-27
Engineering Principles for Information Technology Security (A Baseline for Achieving Security)
Security development life cycle framework
BSIMM
Build Security In
Security is built into the entire development process
ISO/IEC 21827:2008
Architecture
Enterprise security architecture
Common architecture (enterprise architecture, IT architecture, security architecture)
Zachman
The originator of architecture models
TOGAF
A model for development and operations architecture
SABSA
security architecture model
Security Architecture Development Methods
Obtain and analyze security requirements
Create and design security architecture
System security architecture
Common system components
CPU
process
thread
virtual machine
multi-programming
Multitasking
multiprocessing
Multithreading
Multi-threading is more likely to lead to race condition attacks
Protection mechanism - protection ring
memory
register
cache
random access memory
ROM
auxiliary memory
virtual memory
Attacks on storage
Buffer overflow attack
Basic input/output/peripherals
operating system
single layer operating system
multi-layer operating system
microkernel operating system
Hybrid microkernel operating system
Information system security capabilities
Processor status
Secure memory management
access control mechanism
layered
data hiding
abstract
Encryption protection
Host firewall
Audit and Monitoring
Virtualization
isolation
security model
State machine model
information flow model
Noninterference model
Multilevel lattice model
(Lattice model) least upper bound and greatest lower bound
matrix-based model
Security model example
Bell-LaPadula model
Concerned with confidentiality
No read up, no write down
Biba model
Concerned with integrity
No read down, no write up
Clark-Wilson model
Chinese Wall model (Brewer and Nash)
Lipner model
Graham-Denning model
Harrison-Ruzzo-Ullman model
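Added example (the editor's, not the book's) tying the lattice model to the two classic models above: Python security labels of the form (level, categories) with least upper bound and greatest lower bound, and the read/write rules of Bell-LaPadula (no read up, no write down) and Biba (no read down, no write up) applied to that lattice. The level names and categories are constructed.

```python
# Security labels form a lattice: (classification level, set of categories).
# A label dominates another when its level is >= and its categories are a superset.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
NAMES = {v: k for k, v in LEVELS.items()}


class Label:
    def __init__(self, level, categories=()):
        self.level = LEVELS[level] if isinstance(level, str) else level
        self.categories = frozenset(categories)

    def dominates(self, other):
        return self.level >= other.level and self.categories >= other.categories

    def __eq__(self, other):
        return (self.level, self.categories) == (other.level, other.categories)

    def __hash__(self):
        return hash((self.level, self.categories))

    def __repr__(self):
        return f"Label({NAMES[self.level]}, {sorted(self.categories)})"


def lub(a, b):
    """Least upper bound: the smallest label that dominates both."""
    return Label(max(a.level, b.level), a.categories | b.categories)


def glb(a, b):
    """Greatest lower bound: the largest label dominated by both."""
    return Label(min(a.level, b.level), a.categories & b.categories)


# Bell-LaPadula (confidentiality)
def blp_can_read(subject, obj):
    return subject.dominates(obj)        # simple security property: no read up


def blp_can_write(subject, obj):
    return obj.dominates(subject)        # *-property: no write down


# Biba (integrity): the same lattice with the rules reversed
def biba_can_read(subject, obj):
    return obj.dominates(subject)        # simple integrity property: no read down


def biba_can_write(subject, obj):
    return subject.dominates(obj)        # *-integrity property: no write up


if __name__ == "__main__":
    analyst = Label("SECRET", {"NUC"})
    memo = Label("CONFIDENTIAL")
    plan = Label("TOP SECRET", {"NUC"})
    print("BLP read memo:", blp_can_read(analyst, memo))     # True
    print("BLP write memo:", blp_can_write(analyst, memo))   # False (write down)
    print("Biba read plan:", biba_can_read(analyst, plan))   # True (reading up is fine for integrity)
    print("lub(memo, plan):", lub(memo, plan))
```

Two labels with disjoint categories are incomparable: neither dominates the other, so under BLP the subject can neither read nor write the object, while their lub and glb still exist in the lattice.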
Database Security (Chapter 8)
cloud computing
Three service models
SaaS
IaaS
PaaS
Four deployment models
Private Cloud
community cloud
Public cloud
hybrid cloud
five basic characteristics
resource pool
Allocate on demand
remote access
Fast and flexible
measurable
Cloud security Pay attention to data isolation
Security Architecture Weaknesses
System weaknesses
TEMPEST
State Attacks (race conditions)
Covert channel
middleware
Mainframe and thin client systems
Server weaknesses
single point of failure
Client Weaknesses
Software and system vulnerabilities and threats
Web Security (Chapter 8)
Mobile system weaknesses
Embedded and cyber-physical device vulnerabilities
Information system security assessment model
product evaluation model
TCSEC (Orange Book)
TCB (Trusted Computing Base)
Reference Monitor (Abstract Machine)
Security core (the core of TCB)
ITSEC (Information Technology Security Evaluation Criteria)
CC
PP(Protection Profile)
TOE (Target of Evaluation)
ST(Security Target)
EAL 1-7
Functional testing
Structural testing and inspection
Systematic testing and inspection
Systematic design, testing and review
Semi-formal testing and inspection
Formal verification, design and testing
ISO/IEC 15408
Cryptography
Terminology and basic concepts
Diffusion
Cryptology
Cryptography
Cryptanalysis
cryptography history
Manual era
atbash
Scytale
Caesar cipher
mechanical age
modern
Emerging Technologies
Quantum cryptography
Cryptosystem
Basic principles and methods of encryption
substitute
Transposition (Permutation)
other
Running key cipher, concealment cipher
one time pad
Steganography
According to the processing method of plain text (symmetric encryption algorithm)
block encryption
stream encryption
Other cryptographic conversion technologies
Classification according to encryption method (key characteristics)
Symmetric cryptography
advantage
shortcoming
out-of-band transmission
DES
ECB (Electronic Codebook) mode
CBC (Cipher Block Chaining) mode
CFB (Cipher Feedback) mode
OFB (Output Feedback) mode
CTR (Counter) mode
2DES
3DES
AES
CCMP
IDEA
CAST
SAFER
Blowfish
Twofish
RC4
not safe
RC5
Application of symmetric cryptography technology
Confidentiality
Asymmetric cryptography
advantage
shortcoming
Diffie-Hellman
Used to exchange session keys to solve session key hard-coding (hard-coding)
RSA
ECC
ElGamal
Knapsack algorithm (Merkle-Hellman)
Application of asymmetric cryptography technology
Confidentiality
Authenticity and non-repudiation
Confidentiality, authenticity and non-repudiation
hybrid encryption
Countermeasures combined with asymmetric cryptography to ensure confidentiality
message integrity
Hash function
Simple hash function
MD5
SHA-1
sha-2/sha-3
256
224
384
512
Attacks on hashing algorithms
Collision problem (birthday attack)
rainbow table
cryptanalysis
Complete implementation
Hash verification integrity
HMAC
CBC-MAC
CMAC
Comparison of four methods
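The difference between a bare hash check and a keyed MAC, as an added Python example (the editor's, not the book's): an unkeyed hash only detects accidental corruption, because whoever alters the message can simply recompute it, whereas an HMAC over the same message cannot be recomputed without the shared key. The message, the shared key and the attacker's guessed key are constructed.

```python
import hashlib
import hmac
import os

SHARED_KEY = os.urandom(32)   # constructed: secret shared by sender and verifier


def hash_tag(message):
    """Unkeyed integrity tag: anyone can compute it."""
    return hashlib.sha256(message).hexdigest()


def hmac_tag(key, message):
    """Keyed tag (HMAC-SHA256): the key is needed to compute or forge it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_hash(message, tag):
    return hmac.compare_digest(hash_tag(message), tag)   # constant-time comparison


def verify_hmac(key, message, tag):
    return hmac.compare_digest(hmac_tag(key, message), tag)


def tamper(message, recompute_tag):
    """Model an active attacker on the path who edits the message and
    re-tags it with whatever tag function is available to the attacker."""
    altered = message.replace(b"100.00", b"999.00")
    return altered, recompute_tag(altered)


def run_comparison():
    """Returns (hash_detects_corruption, hash_detects_tamper, hmac_detects_tamper)."""
    message = b"transfer 100.00 to account 42"

    # 1. Accidental corruption (one changed byte): a plain hash catches it.
    corrupted = message[:-1] + b"3"
    hash_detects_corruption = not verify_hash(corrupted, hash_tag(message))

    # 2. Deliberate tampering: the attacker recomputes the plain hash, so the
    #    verifier accepts the altered message.
    altered, new_tag = tamper(message, hash_tag)
    hash_detects_tamper = not verify_hash(altered, new_tag)

    # 3. The same tampering against HMAC: the attacker lacks SHARED_KEY and can
    #    only tag with a guessed key, so verification fails.
    guessed_key = b"attacker guess"
    altered, forged = tamper(message, lambda m: hmac_tag(guessed_key, m))
    hmac_detects_tamper = not verify_hmac(SHARED_KEY, altered, forged)

    return hash_detects_corruption, hash_detects_tamper, hmac_detects_tamper


if __name__ == "__main__":
    print(run_comparison())   # (True, False, True)
```

Because sender and verifier hold the same key, an HMAC proves that a key holder produced the tag but not which one; that is why the non-repudiation service listed under digital signatures needs an asymmetric key pair rather than a MAC.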
digital signature
accomplish
No confidentiality provided
Public Key Infrastructure PKI
digital certificate
CA center
RA
Key management process
Kerckhoff principle
Advances in Key Management
Creation of keys
Distribution of keys
Key storage and destruction
Certificate replacement costs and destruction
Key recovery
Key escrow
TPM (Trusted Platform Module)
1. Store and manage BIOS power-on password and hard disk password
2. TPM security chip can perform a wide range of encryption
3. Encrypt any partition of the hard disk
Cryptography
Services that can be provided
Confidentiality
authenticity
Integrity (hash value)
Non-repudiation (asymmetric encryption)
Link encryption
Encrypt all information, including user information, packet headers, trailers, addresses and routing information
End-to-end encryption
Only user information is encrypted, packet headers, trailers, addresses and routing information are not encrypted.
S/MIME
PGP
HTTPS
SET
SSH
Cookie
IPSec (IKE for key exchange, you can use the ISAKMP framework) network layer encryption
Two protocols
AH
ESP
ICV (Integrity Check Value) (AH vs ESP comparison)
Two working modes
Transport mode
tunnel mode
Security Association (SA)
DRM (Digital Rights Management)
digital water mark
Password life cycle
Three stages (password/key resistance to cracking decreases over time)
strong
empty
lack of resistance
Algorithm/Protocol Governance
Some other security issues
Password attack methods
Ciphertext-only attack
known plaintext attack
selected plaintext attack
Differential cryptanalysis
linear cryptanalysis
side channel attack
Error analysis
detection attack
replay attack
algebraic attack
frequency analysis
Reverse Engineering
social engineering
Attacking a random number generator
Temporary Files
other
physical security
Site and facility design considerations
ATM cash machines should pay attention to physical security and prevent physical damage
The data center should not be located on the ground floor or top floor of the building. It should be located at the core of the building.
security investigation
Protection target identification
Threat identification
Current status of facilities
Physical Security Plan
CPTED
The difference from goal strengthening
natural access control
natural surveillance
Reinforcement of natural areas
factors to consider
place
visibility
accessibility
Surrounding areas and conditions
natural disaster
Construction
wall
floor
ceiling
window
Door
building materials
Glass
internal division
other
Entrance
garage
communication
facility
data center
The air pressure in the data center must be positive
Plan outline
Implement a physical security plan
Physical security operations
data center
electricity
question
interference
electromagnetic interference
radio frequency interference
fluctuation
Voltage is too high
Voltage too low
power supply interruption
Protect
ups
Online
backup
power cord conditioner
backup power
Preventive measures and best practices
Lightning strike protection
Cable management
environment
Temperature and humidity
anti-static
ventilation
Heat dissipation
fire
Fire classification
prevention
Detection
Heat-activated
Flame-activated
Smoke-activated
Light detection (photoelectric device)
Ionization type (fastest)
Detector installation location
put out
Principles of fire extinguishing (isolate burning materials, isolate oxygen, lower temperature, block chemical reactions)
water
Acid-base fire extinguishing agent
carbon dioxide
Gas fire extinguishing
fire extinguishing system
portable fire extinguisher
Sprinkler System
wet pipe
Dry pipe
Pre-action
Deluge
Gas fire extinguishing
Halon
Aero-K
CO2 (easily causing suffocation)
FM-200(Heptafluoropropane)
perimeter security
Facility access control
mechanical lock
combination lock
password
device lock
lock strength
Lock cylinder classification
Personnel access control
tailgating
External boundary protection mechanism (non-entry protection)
fence
Door
illumination
physical surveillance
CCTV
intrusion detection system
Electromechanical systems
Volumetric system (sound, light, temperature, electromagnetic, vibration)
proximity detection system
Optoelectronic or photometric detection systems
Passive infrared detection system (needs to automatically compensate for changes in background temperature)
Acoustic detection system
Vibration detection system
Physical access control audit
Emergency plan testing and drills (at least once a year)
2. Asset security
learning target
Classify information and related assets
Determine and maintain owner responsibilities and authorities
privacy protection
Ensure appropriate data retention
Identify data security controls
Establishing data processing requirements
Data management
Data Management Best Practices Reference
Develop a data strategy and clarify the strategic goals and principles of data management
Clearly define data roles and responsibilities, including data providers, owners and managers
Data quality control process in the data management process to confirm and verify the accuracy of the data
Documentation of data management and description of metadata within each dataset
Plan and define the database based on user needs and usage
Information system infrastructure, data storage, data backup and update strategies for the data itself
Continuous data auditing to ensure management effectiveness and the integrity of data and assets
Continuously implement layered data security controls to protect data security
Clearly define data access standards and provide comprehensive control over data access
Data policy
A data policy sets long-term strategic goals for data management for an enterprise or project
A data policy is a set of high-level principles that provide a guiding framework for data management
A data policy addresses strategic issues such as data access and related legal issues, data management issues, data management responsibilities, and data acquisition
Issues security personnel need to consider when developing a data strategy include
cost
Ownership and management rights
privacy
responsibility
sensitivity
Legal and strategic requirements
Strategy and Process
Data roles and responsibilities
Define roles for all data
Establish full life cycle data ownership
Establishing data traceability step by step
Ensure data quality and metadata metrics are maintained at a basic level
Data ownership (Ownership)
Information life cycle: creation, use, storage, transmission, change, destruction, etc.
Once information is created, ownership responsibilities must be clear. Usually the person who created, purchased, or obtained the information
Owner responsibilities typically include:
Define the impact of information on organizational use
Understanding the replacement cost of information
Determine who on the organization's intranet needs information and in what environment the information should be released
Understand when data is no longer accurate or needed and should be destroyed
The data owner usually has legal rights to the data, including intellectual property rights and copyrights, etc.
A policy should be established and documented
Data Ownership, Intellectual Property, Copyright
Business-related legal obligations and illegal obligations to ensure data compliance
Data security, anti-leakage control, data release, price, and dissemination related strategies
Before data is released, sign a memorandum and authorization agreement with users or customers to clarify the conditions for use.
Data Custodianship
The responsibilities of data managers mainly include
Follow data policy and data ownership guidelines
Ensure access to appropriate users and maintain appropriate levels of data security
Basic data set maintenance, including but not limited to data storage and archiving
Documentation of data sets, including updates to documents
Ensure data quality and validation of data sets, including periodic audits to ensure data integrity
Roles related to data management authority positions include:
Project managers, data managers, IS managers, IT experts, Database administrator, application developer, data collection or acquisition
Data quality Data Quality
process
Data quality principles should be applied throughout the entire data management life cycle. Starting from data collection, data quality loss at any stage will lead to reduced data availability.
Data acquisition, and record data collection time
Data operations before digitization (including label preparation, data classification copy, etc.)
Identification and recording of data samples
Digitization of data
Documentation of data (obtaining and recording metadata)
Data storage and archiving
Data publishing and dissemination (including paper and electronic publishing, web-accessible databases, etc.)
Using data (data manipulation and analysis, etc.)
control
Quality Control (QC) controls and monitors quality against internal standards, processes and procedures; QC is driven by the results of the data product.
Quality Assurance (QA) checks data activities and the quality control process against external standards to ensure that the final product meets quality requirements; QA provides assurance over the entire data life cycle.
Two elements of data quality expectations
1. Frequency of incorrect data recording
2. The Importance of Errors in Data Recording
Two processes of data quality
Verification: Checking whether it matches metadata, guarantees accuracy, etc. This can usually be done by someone less familiar with the data.
Validation: Evaluating whether data quality goals are met and the reasons for any deviations, usually performed by professionals
Improvement
Prevention: Error prevention is mainly in the stages of data collection and data entry into the database
Correction: an essential means
Documentation: Integrated into database design
1. Ensure that each record Record is checked, as well as any changes to the record
2. Metadata records
Data life cycle control
Data life cycle
Data definition, data modeling, data processing, database maintenance and data security
Continuous data auditing to monitor data usage and data validity
Archiving to ensure maintenance effectiveness, including regular snapshots, allowing rollback to previous versions in the event of data or backup corruption
Data storage and archiving
Fixed data saving issue
Factors to consider include: server hardware and software, network infrastructure, data set size and format, database maintenance and updates, database backup and recovery needs
Data archiving is the process of moving data that is no longer frequently used to a separate storage device for long-term storage.
Data Security
Threats to data security include: abuse, malicious attacks, unintentional errors, unauthorized access, theft or damage to physical equipment, natural disasters, etc.
Adopt a layered security architecture and a defense-in-depth architecture
Uninterruptible power supply, server mirroring (redundancy), backup, backup integrity testing
Physical access control, network access control, firewalls, sensitive data encryption
Software patch updates, incident response, disaster recovery plans, etc.
Adopt a risk management-based approach
risk assessment
Risk reduction
Evaluation and Assessment
Data retention
Customize data retention policies based on business requirements and legal requirements
Steps to define a data retention policy
Assess statutory requirements, regulatory obligations, business needs
Record and grade
Determine retention period and destruction method
Develop a data retention policy
Staff training
Conduct data retention checks and audits
Regularly update strategies
Documented policies, procedures, training, audits, etc.
How to do data retention
Taxonomy
Make a data classification plan, involving various categories, including function, time, organization, etc.
Classification
Classified processing according to data sensitivity level
Normalization (normalization)
Develop standard schemas to make data easily retrieval
Indexing
Establish data index to facilitate query of archived data
What data is retained
Decisions to retain data must be deliberate, specific and enforceable.
We only want to keep the data we decide to keep and then make sure we can enforce the retention
e-Discovery
Discovery of electronically stored information, ESI (electronic forensics)
The Electronic Discovery Reference Model, EDRM
Identification
Preservation
Preserve this data to ensure it is not destroyed, accidentally or routinely, while complying with the order
Collection
Processing
Process the data to ensure that both the data and its metadata are in the correct format.
Review
Review data to ensure it is relevant
Analysis
Production
Produce the final dataset for those who need it
Presentation
Present data to external audiences to prove or disprove claims.
Data Remanence
Clearing: data cannot be recovered through the normal system or ordinary tools such as undelete; special laboratory tools (data forensic tools) may still recover it.
Overwriting: use a program to write over the medium so that the original data is overwritten, usually three times (or more than six passes)
Purging: no known technique can recover the data
Destruction: the storage medium is damaged to the point that it cannot be read by conventional devices.
Media destruction: the safest option, physical destruction
Chemical methods: incineration, corrosion
Physical destruction: crushing, shredding
Phase change: the solid drive is liquefied or vaporised
For magnetic media, raise the temperature above the Curie temperature
Degaussing: using strong magnetic or electromagnetic fields to erase data on magnetic media
Disks are scrapped after degaussing
Tapes can be reused after degaussing
Sanitizing (equivalent to purging in some contexts)
Deletion and formatting: the least secure methods (not even clearing; ordinary software tools can recover the data)
Encryption: encrypting the data so that it is unreadable without the corresponding key
Data Security and Data Residue Issues in Cloud Storage: Using Data Encryption
Data life cycle security control
definition
Security control measures accompanying the data change process
Obtain
Two ways to obtain: copy and create
Before the data can be used, metadata is designed and matched and then the information is indexed for search and allocated to one or more data stores.
Control Strategy
Encrypt credit card numbers and PII personally identifiable information when stored
Set strict data access policies for sensitive information
Set a data rollback strategy to restore data to its previous state
Try to ensure that measures are in place during the acquisition phase rather than controlling afterward.
Use
definition
Users with different access levels can read and modify data.
Protecting all three CIA properties of the data at this stage is extremely challenging
Should ensure that only the right people modify data in an authorized manner
Ensure internal consistency
Ensure operations that modify data are repeatable
Has an automatic mechanism to resolve inconsistencies (such as a rollback mechanism) to prevent data inconsistencies caused by sudden power outages, etc.
The use and aggregation of information may trigger changes in its classification.
Archive
definition
Information is archived when it is no longer in regular use
Have an appropriate data retention policy in place
Risk: modification of or unauthorized access to archived data may go undetected for long periods of time
Data backup protection
Safe physical location
data encryption
Data retention period
Too short, the data may still be useful
If the data operation fails or is attacked, the data needs to be restored.
eDiscovery
Too long, which wastes data storage costs and increases corresponding responsibilities.
The difference between backup and archive
A data backup is a copy of a currently used data set, kept to recover from loss of the original data. Backup data becomes less useful as time passes.
A data archive is a copy of a data set that is no longer in use but must be kept for possible future use. When data is archived, it is usually removed from its original location so that the storage space can be used for data that is in active use.
Disposal
definition
When the data owner confirms that the data is no longer needed, choose appropriate disposal methods
Main points
Data is indeed destroyed
Make sure the copy is destroyed as well
Destroyed in the correct manner
Data recovery costs more than the data itself is worth
Information classification and asset management
Information classification
Classification by sensitivity (impact of a loss of confidentiality), e.g. Confidential, Sensitive; and by criticality (impact of a loss of availability)
government or military
Top Secret
If leaked, it could cause serious damage to national security
New weapons blueprints, spy satellite information, spy data
Secret
If leaked, it may cause serious damage to national security.
Force deployment plans, force readiness information
Confidential
For internal company use only
Data exempt from disclosure under the Freedom of Information Act or other laws and regulations
Unauthorized disclosure could seriously impact the company
Sensitive but unclassified (SBU)
Minor secrets; disclosure may not cause serious damage
Medical data, test scores and answers
Unclassified
Data that is neither sensitive nor classified
Computer manuals and warranty information, job postings
Business
Confidential
For internal company use only
Data exempt from disclosure under the Freedom of Information Act or other laws and regulations
Unauthorized disclosures can severely impact a company.
Trade secrets, healthcare information, programming code, information to keep companies competitive
Private
Personal information used within the company
Unauthorized disclosure could adversely affect people or the company
Work history, human resources information, medical information
Sensitive
Special precautions are required to ensure the integrity and confidentiality of data and prevent unauthorized modification or deletion
Requires higher-than-normal assurance of accuracy and completeness
Examples: financial information, project details, profit returns and forecasts
Public
Disclosure is not welcome, but would not adversely affect the company or its people
Controls by classification level
The choice of control classification depends on the security needs of the management group and security team for the corresponding category of information.
Strict and granular access control for all sensitive data and programs
Encrypt data while storing and transmitting
Auditing and monitoring (determine what level of auditing is required and how long logs are retained)
Segregation of duties (determine that two or more people must be involved in accessing sensitive information to prevent fraud; define procedures)
Periodic review (review classification hierarchies, data and procedures to ensure they remain consistent with business needs; data or applications may need to be reclassified)
Backup and recovery procedures (definition)
Change Control Procedure (Definition)
Physical Security Protection (Definition)
Information flow channels (where sensitive data resides and how it travels across the network)
Proper data processing procedures such as shredding, degaussing, etc. (Definition)
Marking, labeling and handling procedures (labels on storage media and in the system)
data classification process
1. Define the classification level
2. Specify the criteria that will determine the classification of data
3. Determine the data owner responsible for data classification
4. Determine the data custodian responsible for maintaining the data and its security level
5. Indicate the security controls or protection mechanisms required for each classification level
6. Document any exceptions to the previous classification issues
7. Indicate methods that may be used to transfer custody of information to a different data owner
8. Create a process to regularly review classification and ownership and to communicate any changes to the data custodian
9. Indicate procedures for declassifying data
10. Integrate these issues into security awareness programs
levels of responsibility
Senior managers understand company vision, business goals
The next layer down is functional management, whose members understand how their respective departments work, what roles individuals play within the company, and how security directly affects their departments
The next layer down is operational managers and staff. These layers are closer to the actual operations of the company; they know the detailed technical and procedural requirements, the systems, and how the systems are used.
Employees at these layers understand how security mechanisms are integrated into systems, how to configure them, and how they affect daily productivity.
Each layer should have input into the security measures, procedures and controls chosen, to ensure that the agreed-upon level of security provides the necessary protection.
Note: Senior management is ultimately responsible for organizational security.
Data management role
Board of Directors, Board of Directors Security Officer, Data Owner, Data Custodian, System Owner, Security Administrator, Security Analyst, Application Owner, Supervisor (User Manager), Change Control Analyst, Data Analyst, Process Owner, Solution Providers, Users, Product Line Managers
Executive management
CEO Chief Executive Officer
Responsible for ensuring that the organization exercises due care and due diligence in relation to information security
CFO, Chief Financial Officer
Responsible for forecasting and budgeting, as well as for filing quarterly and annual financial statements with the Securities and Exchange Commission (SEC) and with stakeholders.
CIO, Chief Information Officer
Responsible for the strategic use and management of information systems and technology within the organization
CPO, Chief Privacy Officer
Responsible for ensuring customer, company and employee data remains secure, keeping the company out of criminal and civil courts and hopefully out of the headlines
CSO, Chief Security Officer
Responsible for understanding the risks faced by the company and reducing these risks to acceptable levels
The creation of this role is a "win" for the security industry, because it means security is finally viewed as a business issue
The CSO's job is to ensure that the business is not disrupted in any way by security issues that extend beyond IT boundaries and involve business processes.
Legal issues, business issues, revenue generation and reputation protection.
CISO reports directly to CSO
The CISO should have more IT professional background, and his business scope is narrower than that of the CSO
Data owner
Typically a manager who is responsible for a specific business unit and is ultimately responsible for protecting and using a specific subset of information
The data owner has a duty of care for the data and will therefore be held responsible for any negligent act that results in damage or leakage of the data.
Responsible for determining data classification
Responsible for ensuring necessary security controls are in place, defining security requirements for each classification and backup requirement.
Approve access to data
Deal with violations of data security policies
Assign a data custodian responsible for day-to-day maintenance of: data protection mechanisms
Data Custodian
Responsible for maintaining and protecting data
Implement and maintain security controls
Perform regular backup of data
Regularly verify data integrity
Restore data from backup media
Record keeping activities
Implement the requirements of company security policies, standards and guidelines related to information security and data protection.
System owner
Responsible for one or more systems, each of which can hold and process data owned by different data owners.
Responsible for integrating security considerations into application and system procurement decisions and development projects
Responsible for ensuring necessary controls, password management, remote access controls, operating system configuration, etc. provide adequate security.
Ensure systems are properly assessed for vulnerabilities
Report any system incidents to the incident response team and the data owners
Security administrator
Responsible for implementing and maintaining specific security network equipment and software within the enterprise
Note the distinction between the responsibilities of security administrators and network administrators
Security administrators pay attention to network security
Network administrators focus on keeping the network continuously available
Security administrators are responsible for creating new system user accounts, implementing new security software, testing security patches and components, and issuing new passwords.
Security administrators must ensure that access rights given to users support policy and data owner directives.
Supervisor
Also called user manager User manager
Ultimately responsible for all user activity and any assets created and owned by those users
Change control analyst
Responsible for approving or denying requests to make changes to networks, systems or software.
Ensure that the change does not introduce any vulnerabilities, that it has been properly tested, and that it is implemented correctly.
Need to understand how various changes impact security, interoperability, performance and productivity
Data analyst
Responsible for ensuring that data is stored in a way that makes the most sense for the company and for the individuals who need to access and work with it
Ensures that the data architecture is consistent with the company's business goals
User
Users must have the necessary level of access to the data
Perform operational security procedures to ensure data confidentiality, integrity and availability
Auditor
Periodically checks that everyone is doing what they are supposed to do, that the right controls are in place and that security is being maintained.
Asset management concept
Inventory management: mainly maintains the status of software and hardware assets;
Configuration management (Chapter 7)
Configuration management can establish classifications, components, upstream and downstream, parent-child relationships, etc. based on configuration items (CI).
Perform change control based on configuration items and monitor the status of configuration items
Configuration Management Database (CMDB): A library that centralizes all your asset configuration information
IT asset management
Added financial perspective of assets: cost, value, contract status
Full lifecycle management of assets: from procurement to retirement
Integrated management of the physical, financial and contractual aspects of assets
Asset Management and Information Security
Asset management is the foundation of information security implementation; without it, information security incidents cannot be properly understood.
Asset management drives access control construction, such as NAC network access control
Software License Management: To prevent infringement, security administrators should assist in implementing controls and conduct regular inspections
Equipment life cycle security management
Requirements definition phase: define security requirements, whether the security costs are appropriate, and whether the security architecture is met
Acquisition and implementation phase: Verification of security features, security configuration, security certification and approval, and storage of equipment
Operation and maintenance phase: configuration inspection, vulnerability assessment, change control
Retirement phase: data security (sanitization), configuration library update
Privacy Protection and Security Control
Laws related to privacy protection
Basic requirements for privacy protection
Collected fairly and lawfully; used only for the original purpose; adequate and relevant, not exceeding that purpose;
Accurate and up to date; accessible to the data subject; kept secure; deleted when the purpose is accomplished
In 2012, the EU issued more comprehensive data protection guidelines
The European Union and the U.S. Department of Commerce signed the "Safe Harbor" agreement to resolve inconsistencies between the two parties.
May 2018: GDPR (General Data Protection Regulation)
Data owner
Indirectly or directly determine who has access to specific data
Data processors
The key privacy issue is that these individuals understand the boundaries of acceptable behavior and what to do when they become aware that data has been handled, accidentally or intentionally, in a manner inconsistent with applicable policies.
Must clarify one's obligations and responsibilities
There must be routine checks to ensure they are complying with all applicable laws, regulations and policies
Limits on collection
Countries have enacted relevant laws
In addition to applicable laws and regulations, the types of personal data an organization collects, and its life cycle considerations, must be a clear written policy.
Data security control
Data at Rest, static data
Protection for stored data, including backup tapes, off-site storage, password files and other sensitive data
risk
Malicious users may obtain sensitive information through physical or logical access to storage devices
Recommended countermeasures
Develop and test a data recovery plan
Removable devices and media must be encrypted; including laptops, tablets, smartphones, wearables
Choose appropriate encryption tools and algorithms, such as AES encryption
Create secure passwords
Use password and key management tools
Location and tracking of removable media
Data in transit
For the protection of transmitted data, encryption methods are mainly used to prevent interception, such as link encryption and end-to-end encryption.
risk
Malicious users may intercept or monitor data in transit
Recommended countermeasures
Confidential data must be encrypted when transmitted over any network, including transmission between intranets
When data can be accessed via the Web, a secure encryption protocol must be used, such as TLS 1.2/1.3
Email transmission must use PGP or S/MIME and the data must be encrypted by encryption software as an attachment.
Non-Web data should use application-level encryption
When application-level encryption is not possible, IPsec encryption or SSH encryption should be used
Communication between applications and databases should be encrypted
Sensitive data transferred between devices should be encrypted
DLP (Data Leak/Loss Prevention)
definition
A set of technologies aimed at preventing the leakage of sensitive corporate information
Advantages of deploying DLP
Protect critical business data and intellectual property
Strengthen compliance
Reduce the risk of data breaches
Increase training and awareness
Improve business processes
Optimize disk space and network bandwidth
Detect rogue/malware
Three key goals
Locate and catalog sensitive information stored throughout the enterprise;
Monitor and control the movement of sensitive information across the enterprise;
Monitor and control the movement of sensitive information from end-user systems;
Classification, storage location and transmission path of organizational sensitive information
Organizations often fail to realize the type and location of the information they process. When purchasing a DLP solution, they must first understand the types of sensitive data and data flows between systems and from systems to users;
Classifications, which can include attribute Categories, such as privacy data, financial data, and intellectual property;
Once the data is properly identified and categorized, a deeper analysis process helps locate primary data and critical data paths;
It is necessary to pay attention to the life cycle of enterprise data, and understanding the processing, maintenance, storage and disposal of data can reveal deeper data storage and transmission paths;
Data at rest
Find and identify specific file types and identify and record the location where information is stored;
Once found, DLP opens and identifies the contents of the file
DLP uses crawlers to discover stored data
Data in motion (network)
DLP solution
1. Passively detect network traffic
2. Identify the correct data traffic captured
3. Reassemble the captured packets;
4. File reconstruction in data stream
5. Perform data-at-rest analysis and determine whether any part of the file content is restricted by its rules.
To detect data movement on enterprise networks, DLP solutions use special network devices or built-in technologies to selectively capture and analyze network traffic.
Deep packet inspection (DPI) technology, as the core capability of DLP, DPI can read the packet payload content beyond the basic header information.
DPI technology allows DLP to inspect data in transit to determine content, source and destination;
DLP can handle encrypted data (given the encryption key), or decrypt it before inspection and re-encrypt it afterwards.
Data in use (endpoint)
Monitor data movement actions taken by end users on their workstations
Uses an agent installed on the endpoint
Steganography and watermarking technology
Watermark
Steganography is an information hiding technology that can hide large amounts of information in images and video files;
Information hiding includes covert channels, hidden text on Web pages, hiding files in plain sight, and null ciphers;
Security baselines, scope and tailoring
Establish minimal safeguards for the system
Enterprises can specify security baselines based on their own circumstances
Scoping and Tailoring
Focus on the key points of the security architecture through scope definition and tailoring methods
Flexibly apply various standards and baselines according to the needs of the enterprise
Protect other assets
Protect mobile devices
Inventory all mobile devices, including serial numbers so they can be properly identified and then recovered if they are stolen. Harden the operating system by applying baseline security configurations
Password-protect the laptop BIOS.
Register all devices with their respective vendors and file a report with the vendor if a device is stolen. If a stolen device is later sent in for repair, the vendor will flag it, provided you filed a theft report.
Carry devices with you when flying; do not put them in checked baggage
Never leave a mobile device unattended, and keep it in an inconspicuous carrying case.
Encrypt all data on the device
Use a slot lock to secure the laptop with a cable
Hard copy documents
Educate employees on the proper handling of paper documents
Minimize use of paper records
Ensure that workspaces are kept clean and regularly audit them to ensure sensitive documents are not exposed.
Lock up all sensitive files
Doing sensitive paperwork at home is prohibited
Label all files with their classification level and, ideally, the name of their owner and disposition (e.g., retention) instructions.
Conduct random searches as employees leave the office to ensure sensitive materials are not taken home.
Destroy surplus sensitive documents with a paper shredder. For very sensitive documents, consider incineration.
1. Security and risk management
1. Basics of information security and risk management
information
definition
Life cycle handling
Basic principles of information security
Confidentiality
Ensure that information is not disclosed to unauthorized users or entities during storage, use, and transmission
Integrity
Prevent unauthorized tampering
Prevent authorized users from inappropriately modifying information
Maintain internal and external consistency of information
Internal consistency: redundant information stored in the system must be consistent
External consistency: the information stored in the system is consistent with the real-world situation it represents
Availability Availability
Ensure that authorized users or entities can use information resources normally, are not improperly denied, and have reliable and timely access to information
The opposite triad: DAD
Disclosure
Alteration
Destruction
Information security CIA related technologies
Confidentiality, C
Data-at-rest encryption (whole-disk, database encryption)
Transmission data encryption (IPSec, SSL, TLS, PPTP, SSH)
Access control (physical and technical controls)
Integrity, I
Hashing (data integrity), code signing
Configuration management (system integrity)
Change management (process integrity)
Access control (physical and technical controls)
Software digital signature
Transmission CRC check function (can be used for multiple layers of network transmission)
Availability, A
RAID (redundant array of independent disks)
Clustering
Load balancing
Redundant data and power lines
Software and data backup
Disk mirroring
Co-location and off-site facilities
Rollback functions
Failover configuration
Security control classification
By means
Administrative controls
Develop strategies, standards, measures and guidelines
Risk Management
Personnel security
Security awareness training
Technical / logical controls
Implement and maintain logical access control mechanisms
Password and resource management
Identification and authentication methods
Security devices
Physical controls
Measures to control individual access to facilities and different departments (access control, security, locks)
Protect the perimeter of the facility (fences, walls, lighting)
Physical detection of intrusions
environmental control
By function
control function
preventive
deterrent
Detective
corrective
Recovery
Backup, BCP, DRP
Compensating
Information security risk management basics
Governance, risk management and compliance (GRC)
Assurance
risk management framework
2. Security governance and security system framework
Security Management Reference Framework
IT control, COBIT
Internal Control - Integrated Framework, COSO (enterprise internal control framework)
Defines five categories of control elements that meet financial reporting and disclosure objectives
control environment
risk assessment
control activities
Information and communication
Monitoring
A framework for many organizations to address SOX 404 compliance
IT Service Management, ITIL (Best Practice Framework)
ITIL is IT service management best practices
IT service management standard (ISO/IEC 20000)
five stages
Service strategy
service design
service transition
Service operation
Continuous service improvement
Zachman framework
The originator of enterprise architecture
TOGAF Enterprise Framework
ADM (Architecture Development Method), a method for developing and maintaining architectures
SABSA security architecture framework
Security Controls Reference, NIST SP800-53r5
CMM & CMMI: Capability Maturity Model & Capability Maturity Model Integration
Capability Maturity Model, CMM
Initial / ad hoc
Repeatable
Defined
Managed (quantitative metrics)
Optimizing (continuous improvement)
Capability Maturity Model Integration CMMI
Initial
Managed
Defined
Quantitatively Managed
Optimizing
Information security management
Two factors for the success or failure of information security: technology and management
ISO 27001 information security management system standard
PDCA model
Plan: Determine control objectives and control measures based on risk assessment results, legal and regulatory requirements, organizational business, and operational needs.
Do: implement the selected security controls.
Check: audit against policies, procedures, standards, and laws and regulations
Act: take corrective measures based on the check results to improve the security situation
A comprehensive set of controls based on information security best practices
2013 version: 14 domains, 35 control objectives, 114 controls
information security performance
ISO 27004
Information Security Risk Management
ISO 27005
3. Law, ethics and compliance
computer crime
Characteristics of computer crime
It is difficult to investigate and collect evidence, and the evidence is easily destroyed (Chapter 7)
Relevant laws are incomplete
Cross-regional characteristics
Statistically speaking, insiders are more likely to commit crimes
Victimized institutions sometimes fail to report for fear of affecting the normal operations of the institution and damaging users' trust in the institution.
Types of computer crime
Computer-targeted crime
Crimes against computers, networks and the information stored on these systems
Computer-assisted crime: the computer is used as a tool to help commit the crime. The computer is not a necessary factor in the crime; it only assists the criminal.
Computer-incidental crime: the computer is not necessarily the attacker or the victim; it just happened to be involved when the crime was carried out.
Legal System
common law
criminal law
civil law
administrative law
civil law system
common law system
religious legal system
mixed legal system
intellectual property
trade secret
Critical to the company's ability to compete in the market
Not generally known; the company invested resources and effort to develop it
Is properly protected by the company against disclosure or unauthorized use
Example
product distribution
Program source code
Encryption Algorithm
copyright
Legally protected rights to publicly publish, copy, display and modify new works
It does not protect the creativity of the work, but the expression of the creativity.
Example
Program code, source code and executable files, even user interfaces
literature
painting
song melody
trademark
It protects words, names, symbols, shapes, sounds, colors that represent the company's image
A trademark is a symbol of goodwill and credibility established by a company in its market operations.
Trademarks are usually registered with a trademark registration agency
patent
Legal ownership rights granted to an individual or company, prohibiting unauthorized use of the invention by others
Patents are valid for 20 years
Example
drug formulations
Encryption Algorithm
Software classification
free software
shareware
open source software
commercial software
academic software
privacy
Objectives
Proactively seeks to protect citizens’ personally identifiable information (PII)
Proactively seek to balance the needs of government and business with personal security concerns regarding the collection and use of PII
personal privacy
type
right to be left alone
Protection from unreasonable intrusion on the individual
The right to decide what personal information may be disseminated and to whom
Things to note
To prevent unreasonable infringement, the bottom line is informed consent and appropriate protective measures.
To prevent the lack of appropriate methods, the bottom line is "fairness and justice" and there is an error correction mechanism.
Personal Information Use Principles
Obligations of the Personal Data Controller
The collection of personal data requires the consent of the data subject and notification of the purpose
Only collect data related to the purpose and use and save it only for the period required for the purpose.
The method of data collection and the purpose of the data should be lawful
Take reasonable technical, managerial and operational measures to prevent personal information from being maliciously infringed upon, ensure the integrity and confidentiality of the data, and remove outdated data to prevent access by persons who no longer need it for their work.
Obligations and rights of personal data subjects
Review collected information and correct errors
GDPR General Data Protection Regulation
personal data
Any data relating to an identified or identifiable natural person ("data subject")
Special Categories of Personal Data (sensitive data)
ethnic origin
Political Views
Religious or philosophical beliefs or trade union membership
genetic data
biometric data
health related data
Data concerning a natural person’s sex life or sexual orientation
Principles for processing personal data:
Legal, fair and transparent
Personal data should be processed in a lawful, fair and transparent manner in relation to the data subject.
purpose limitation
Controllers and processors must collect personal data for specified, explicit and legitimate purposes, and processing of personal data shall not exceed the purpose for which it was collected.
data minimization
The scope of personal data collected by controllers and processors should be limited to what is necessary to achieve the purpose, and the processing activities performed on personal data should be guaranteed to the minimum extent necessary to achieve the purpose.
accuracy
Storage limitation
Integrity and Confidentiality
data subject
an identifiable natural person a natural person who can be identified directly or indirectly
Data subject rights
Right of access
Right to object
Right to withdraw consent
Right to restrict processing
Right to rectification
Right to data portability
Right to erasure (right to be forgotten)
data controller
Determine the purposes and means of processing personal data
data processor
Process data in accordance with the requirements of the data controller
Pseudonymization
De-identification
Pseudonymization is the processing of personal data so that it can no longer be linked to a specific data subject without the use of additional information. The process is reversible (as long as the corresponding key exists), so the data is still considered personal data.
Anonymization
Data cannot be linked to individuals
Anonymized data is no longer personal data
ethics
ISC2 Code of Ethics
Protect society, the common good, necessary public trust and confidence, and the infrastructure
Act honorably, honestly, justly, responsibly and legally
Provide diligent and competent service to principals
Advance and protect the profession
4. Information security strategy and organization
security documentation
Policy: policies change less frequently; procedures change more frequently
Policy
Regulatory policy
Advisory policy
Informative policy
Most General Statement on Information Security
A commitment by top management to take responsibility for information security
Describe what you want to protect and what you want to achieve
Standard
Establish an enforcement mechanism for policy implementation
Guideline
Similar to a standard, but the methods it gives for strengthening system security are recommendations, not mandatory requirements.
Security baseline Baseline
Meet the minimum level of security requirements required by the policy
Procedure
Detailed steps to perform a specific task
A procedure is a detailed description (HOW) of the specific steps for performing a protection task.
security organization
1. Senior management/executive management: CEO, CFO, COO
Fully responsible for information security and the final person accountable for it
Plan information security, determine goals and priorities, and delegate information security responsibilities
Clarify information security goals and guiding principles to direct information security activities
Provide resources for information security activities
Make decisions on important matters
Coordinate the relationship between different links in different units of the organization
2. Information security expert
Responsible for implementing and maintaining security as delegated by senior management (usually to the CIO)
Design, implement, manage and review the organization's security policies, standards, guidelines and procedures
Coordinate all security-related interactions between units within the organization
3. Chief Information Officer, CIO
Supervise and be responsible for the daily technical operations of the company
4. Chief Security Officer, CSO
Ensure business information assets are properly safeguarded
Play the role of internal information security coordinator and facilitator
Needs to understand the organization's business objectives, guide the risk management process, and ensure the right balance between business operations and acceptable risk
Specific responsibilities
Budget for information security activities
Develop security policies, procedures, baselines, standards and guidelines
Develop a security awareness program
Participate in management meetings
Assist with internal and external audits
5. Security Steering Committee (SSG)
Members come from all departments of the organization, including the CEO, CFO, CIO, department managers, and the chief internal auditor
Meet at least once a quarter with a clear agenda
Responsibilities
Define an organization's acceptable level of risk
Determine security goals and strategies
Prioritize security activities based on business needs
Review risk assessment and audit reports
Monitor the business impact of security risks
Review major security violations and incidents
Approve any significant changes to security policies and plans
6. Audit Committee
Appointed by the Board of Directors to help it review and evaluate the company's internal operations, internal audit systems, and the transparency and accuracy of financial statements.
Responsibilities
The integrity of the company’s financial statements and financial information
Company's internal control system
Employment and Performance of Independent Auditors
Performance of the internal audit function
Comply with legal requirements and company policies related to ethics
7. Risk Management Committee
Understand the organization's risks as a whole and assist senior management in reducing risks to acceptable levels.
Study overall business risks, not just IT security risks
security plan
The organization's information security construction should be carried out according to plan, and the security management plan should be top-down.
Responsibilities
1. Senior management defines the organization’s security policy
2. Middle management develops the standards, baselines, guidelines and procedures that implement the security policy, and monitors their execution.
3. Business managers and security experts are responsible for implementing the configurations set out in the security policy documents
4. End users are responsible for complying with all security policies of the organization.
type
Strategic plan
Long-term plan, e.g. 5 years
Relatively stable; defines the goals and mission of the organization
Tactical plan
Medium-term plan, e.g. 1 year
Detailed description of tasks and progress toward implementing the goals established in the strategic plan, such as hiring plans, budget plans, etc.
Operational plan
Short-term, highly detailed plans, frequently updated
Monthly or quarterly updates such as training plans, system deployment plans, etc.
5. Risk management
concept
The process of identifying and assessing risks, reducing risks to acceptable levels, and implementing appropriate mechanisms to maintain this level
A 100% safe environment does not exist. Risk management is a balance between technology/cost and security/availability.
Risk = Threat * Vulnerability * Asset Value
Risk = Impact * Possibility
possibility
The likelihood that a specific threat exploits an asset's weakness and brings harm to the asset or assets.
Influence
Consequences, direct or indirect damage or harm caused to an organization by an unexpected event
Related elements
Assets: Information assets that have value to the organization
Threat
The potential cause of a security incident that could harm an asset or the organization
Threat modeling (STRIDE)
Threat modeling is a structured approach to systematically identifying and evaluating the threats most likely to affect a system
See who is most likely to want to attack us, brainstorm how they could accomplish their goals, and then come up with countermeasures to stop such attacks.
Vulnerability
Also called a weakness: a flaw in an asset or group of assets that a threat can exploit. Once exploited, it may cause damage to the asset.
security measures
Controls or countermeasures, that is, mechanisms, methods and measures to reduce risks by preventing threats, reducing vulnerabilities, limiting the impact of unexpected events, etc.
residual risk
Risks that remain after security measures have been implemented
risk assessment
main mission
1. Identify the elements that constitute risks
2. Assess the likelihood and impact of risks
3. Determine the organization’s ability to withstand risk
4. Determine strategies, goals and priorities for risk reduction and control
5. Recommend risk reduction countermeasures for implementation
method
Risk Assessment (ISO27005)
Identify risks
Identify information assets
Establish an asset list and use business processes to identify information assets
Identify the owner, custodian and user of each asset
The form in which the asset exists
Electronic data: databases and data files, user manuals, etc.
Paper documents: contracts, strategic guidelines, archived documents, important business results
Software assets: application software, system software, development tools, software programs
Physical assets: magnetic media, power and air conditioning, network infrastructure, servers, etc.
People: People or roles with specific functions and responsibilities
Services: computer and communications services, outsourcing services, other technical services
Organizational Image and Reputation: Intangible Assets
Identify threats
One asset may face multiple threats, and one threat may affect multiple assets.
Identify threat sources
Threat to personnel
System threats
environmental threats
natural threats
Assess weaknesses
Possible exploitable vulnerabilities for each asset
technical weakness
operational weaknesses
managerial weakness
Identification methods
Audit reports, security inspection reports, system testing and evaluation reports
Automated vulnerability scanning tools
Analyze risks
Analyze factors
Influence
direct loss caused by damage
The cost of asset recovery, including the labor and physical costs of detection, control, and repair
Loss of public image and reputation of the organization, loss of competitive advantage
Other losses, such as increased insurance costs
possibility
Quantitative Risk Analysis
Quantitative risk analysis attempts to assign a numeric value to every element of the risk analysis process (cost of protective measures, asset value, business impact, threat frequency, effectiveness of protective measures, likelihood of vulnerability exploitation, etc.) and then calculates the total risk and the residual risk.
Quantitative analysis steps
Assign value to assets
Estimate potential losses for each threat
Assess threats and weaknesses, and evaluate the impact of specific threats on specific assets, that is, EF (0~100%)
Perform threat analysis
Calculate the annualized rate of occurrence (ARO)
ARO: frequency of the event per year
Calculate the Single Loss Expectancy (SLE) for each asset and threat
SLE (Single Loss Expectancy) = asset value × EF (exposure factor)
Calculate potential annual losses for each threat
Annualized Loss Expectancy (ALE) per threat
ALE = SLE × ARO
ROSI = ALE (before control) - ALE (after control) - annual cost of control
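The quantitative steps above carried through end to end, as an added example that is not from the book: SLE, ALE and ROSI for one asset/threat pair, then several candidate controls ranked by ROSI so a negative value (control costs more than the loss it removes) is visible. The asset, threat, values and control names are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Exposure:
    """One asset/threat pair as characterised in the quantitative steps."""
    asset: str
    threat: str
    asset_value: float   # monetary value assigned to the asset
    ef: float            # exposure factor as a fraction, 0.0-1.0 (the 0~100% above)
    aro: float           # annualized rate of occurrence, events per year

    def __post_init__(self) -> None:
        if not 0.0 <= self.ef <= 1.0:
            raise ValueError("EF must be between 0 and 1")
        if self.aro < 0 or self.asset_value < 0:
            raise ValueError("ARO and asset value must be non-negative")

    def sle(self) -> float:
        """Single Loss Expectancy = asset value x EF."""
        return self.asset_value * self.ef

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate countermeasure and the exposure it leaves behind."""
    name: str
    annual_cost: float
    residual_ef: float    # EF after the control is in place
    residual_aro: float   # ARO after the control is in place


def rosi(before: Exposure, control: Control) -> float:
    """Value of control = ALE before - ALE after - annual cost of control."""
    after = Exposure(before.asset, before.threat, before.asset_value,
                     control.residual_ef, control.residual_aro)
    return before.ale() - after.ale() - control.annual_cost


def rank_controls(before: Exposure, controls: List[Control]) -> List[Tuple[str, float]]:
    """Order candidate controls by ROSI, best first. A negative ROSI means the
    control costs more per year than the loss it prevents for this risk."""
    scored = [(c.name, round(rosi(before, c), 2)) for c in controls]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed figures for the worked example.
CUSTOMER_DB = Exposure("customer database", "ransomware", asset_value=500_000, ef=0.40, aro=0.5)
CANDIDATES = [
    Control("offline backups + tested restore", annual_cost=30_000, residual_ef=0.10, residual_aro=0.5),
    Control("EDR on all hosts", annual_cost=60_000, residual_ef=0.40, residual_aro=0.1),
    Control("24x7 outsourced SOC", annual_cost=150_000, residual_ef=0.40, residual_aro=0.2),
]

if __name__ == "__main__":
    print(f"SLE={CUSTOMER_DB.sle():,.0f}  ALE={CUSTOMER_DB.ale():,.0f}")
    for name, value in rank_controls(CUSTOMER_DB, CANDIDATES):
        print(f"{name:35s} ROSI={value:>12,.0f}")
```

The ranking is per risk; a control with negative ROSI here may still pay off once its effect on other asset/threat pairs is added up, which is why the book's cost-benefit step is run across the whole register.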
Qualitative risk analysis
Consider the scenarios in which various risks may occur, and rank the severity of various threats and the effectiveness of various countermeasures based on different perspectives
qualitative analysis techniques
Judgment, best practice, intuition and experience
Qualitative analysis techniques for collecting data
Group decision-making methods, Delphi
Questionnaire
Survey
Interview
Comparison of qualitative and quantitative methods
Qualitative methods and results are relatively subjective
Qualitative methods cannot establish a monetary value for cost/benefit analysis
Quantitative methods require a lot of calculations and are difficult to implement
Evaluate risk
NIST SP 800-30 and SP 800-66
Qualitative RA approach, focusing on IT risks
1. System characterization, 2. Vulnerability identification, 3. Threat identification, 4. Control identification, 5. Likelihood assessment, 6. Impact assessment, 7. Risk determination, 8. Control recommendation, 9. Results documentation
OCTAVE
A self-directed information security risk assessment method based on information asset risk, emphasizing an asset-driven approach, consisting of 3 phases and 8 processes.
The OCTAVE approach deploys risk management programs organization-wide and integrates with security plans
CRAMM
Basic process: asset identification and valuation, threat and vulnerability assessment, countermeasure selection and recommendation
FRAP
After limited screening, focus only on those systems that really need to be evaluated to reduce cost and time.
Limited budget situation
STA
Create a tree of all threats that the system may face. The branches can represent categories such as network threats, physical threats, component failures, etc. When performing RA, unused branches need to be pruned.
FMEA (Failure Modes and Effect Analysis)
Derived from hardware analysis, the potential failure of each component or module is examined and the impact of the failure is examined
risk management strategy
Risk treatment methods
Mitigate/reduce risk: apply risk control measures
Reduce threats
Implement malicious code controls
Strengthen secure operation capabilities through security awareness training
Disaster recovery plan and business continuity plan, make backups
Avoid risk
Transfer risk
Outsource, buy insurance
Accept risk
Risk control measures selection strategies
Cost-benefit analysis
Basic principle: The cost of implementing security measures should not be greater than the value of the assets to be protected
Countermeasure costs: purchase cost, impact on business efficiency, additional manpower and material resources, training costs, maintenance costs, etc.
Value of control = ALE before implementation of control - ALE after implementation of control - Annual cost of control
Restrictions
time constraints, technical constraints, environmental constraints
legal constraints, social constraints
Basic functions and effectiveness of protective measures
Assess residual risk
Information classification and hierarchical management (Chapter 2)
Purpose: Describe the level of confidentiality, integrity and availability protection required for each data set
Depending on the sensitivity of the information, the company adopts different security measures to ensure that the information is properly protected and to indicate the priority of security protection (while avoiding over-protection)
6. BCP&DRP requirements
BCP overview (DRP in Chapter 7)
what is disaster
Sudden, unfortunate accidents that result in heavy losses.
include
Natural disasters: earthquakes, floods, natural fires, volcanic eruptions, severe convective weather
System/Technical: Hardware, software interruptions, system/programming errors
Supply systems: communications outages, distribution system failures, pipe ruptures
Man-made: explosion, fire, vandalism, chemical contamination, malicious code
Political: terrorism, riots, strikes
Large-scale epidemics: SARS, COVID-19
organizational disaster
For an organization, any event that renders critical business functions unavailable for a certain period of time is considered a disaster
Features
Unplanned service outage
Prolonged service outage
The outage cannot be resolved through normal problem management procedures
Disruptions cause significant losses
two elements
The criticality of the business functions affected by the outage
length of interruption
business continuity plan
Business Continuity Goal
Ensuring that the organization can maintain business operations despite various situations
Solve problems from a longer-term perspective, mainly providing methods and measures for long-term production shutdowns and disaster events
Objectives
Provide timely and appropriate response in the event of emergency
Protect lives and ensure safety
Reduce impact on business
Restore critical business functions
Reduce chaos during a disaster
Ensure the company's production capacity
Get “up and running” quickly after a disaster
The BCP should be consistent with the organization's business objectives and be part of the overall decision-making process
The BCP should be part of the organization's security program and coordinated with other elements of the security program
Disaster Recovery Plan (DRP)
Disaster recovery goals
Reduce the impact of disaster or business interruption
Take the necessary steps to ensure resources, people and business processes are restored as quickly as possible
Pay more attention to the IT aspect
Standards and best practices
NIST SP800-34
1. Develop a continuity planning strategy (Policy)
2. Perform business impact analysis (BIA)
3. Determine preventive control methods
4. Develop a recovery strategy
5. Develop BCP
6. Test BCP
7. Maintain business continuity plan
ISO27031
ISO22301
Business Impact Analysis BIA
BIA purpose
Assist management in understanding the impact of potential disruptions
Identify critical business functions and the IT resources that support these functions
Assist managers in identifying organizational support gaps
Sequence the recovery of IT resources
Analyze the impact of outages
Loss in revenue
Delayed revenue
Loss in productivity
Increase in operational expenses
Loss in reputation and public confidence
Loss of competitive advantages
Violations of contract agreements
Violations of legal and regulatory requirements
Determine recovery windows for each business function
BIA process
1. Determine collection technology
Surveys, Questionnaires
2. Select respondents
3. Identify critical business functions and their supporting resources
4. Determine how long these functions can survive without the support of these resources.
5. Identify weaknesses and threats
6. Calculate risks for each business function
7. Prepare to submit BIA report
Problems
Response suggestions
BIA information analysis
Organize, correlate, analyze, confirm
Qualitative and quantitative automated tools assist in collating and analyzing the information
The business representative checks and confirms the results of the information analysis
Determine the operation interruption time MTD
The core task of business impact analysis is to determine the maximum tolerable downtime (MTD) of critical business functions and their supporting resources.
Resources that support multiple business functions are more critical
If the interruption exceeds the Maximum Tolerable Downtime (MTD), restoring the business becomes difficult
The shorter the MTD, the more critical the function or resource
Sequence the recovery of critical business functions and their supporting resources based on MTDs
Determination of support resources
resource
• Human resources
– Such as operators, experts, system users, etc.
• Processing capability
– Such as data centers, backup data centers, networks, minicomputers, workstations, personal computers, etc.
• Physical infrastructure
– Such as offices, office furniture, environmental control systems, electricity, water supply, logistics services, etc.
• Computer-based services
– Such as voice and data communication services, database services, announcement services, etc.
• Application and Data
– Various programs running and data stored on computer equipment
• Documents and papers
– Documents and information such as contracts, bills, operating procedures and other paperwork
Determine all supporting resources (including non-computer resources) for key functions, the period of use of the resources, the impact of the resources on the functions, and the interdependencies between resources
Disaster recovery metrics
Recovery Time Objective (RTO)
The maximum amount of time that may elapse before system unavailability seriously affects the organization
Recovery Point Objective (RPO)
The point in time to which data must be recovered for processing to continue, i.e. the maximum amount of data loss allowed
Work Recovery Time (WRT)
Work recovery time is relatively fixed
RTO + WRT = MTD
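The MTD discussion and the RTO + WRT = MTD relationship above, as an added example that is not from the book: it sequences business functions for recovery by MTD, flags any function whose planned RTO + WRT exceeds its MTD, and scores shared resources by how many functions depend on them and the tightest MTD among those functions. The functions, hours and resource names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class BusinessFunction:
    name: str
    mtd_hours: float                  # maximum tolerable downtime from the BIA
    rto_hours: float                  # time to bring supporting systems back
    wrt_hours: float                  # time to verify data and resume work on them
    resources: List[str] = field(default_factory=list)   # supporting resources

    def recovery_gap(self) -> float:
        """RTO + WRT minus MTD; positive means the recovery plan cannot meet the BIA."""
        return (self.rto_hours + self.wrt_hours) - self.mtd_hours


def recovery_order(functions: List[BusinessFunction]) -> List[str]:
    """Recover the function with the shortest MTD first (most critical)."""
    return [f.name for f in sorted(functions, key=lambda f: f.mtd_hours)]


def plan_violations(functions: List[BusinessFunction]) -> Dict[str, float]:
    """Functions whose planned RTO + WRT exceeds MTD, with the shortfall in hours."""
    return {f.name: f.recovery_gap() for f in functions if f.recovery_gap() > 0}


def resource_criticality(functions: List[BusinessFunction]) -> Dict[str, dict]:
    """Per resource: number of dependent functions and the tightest MTD among them.
    A resource shared by many functions with a short MTD must come back first."""
    crit: Dict[str, dict] = {}
    for f in functions:
        for r in f.resources:
            entry = crit.setdefault(r, {"functions": 0, "tightest_mtd_hours": float("inf")})
            entry["functions"] += 1
            entry["tightest_mtd_hours"] = min(entry["tightest_mtd_hours"], f.mtd_hours)
    return crit


# Constructed BIA results for the example.
FUNCTIONS = [
    BusinessFunction("order processing", mtd_hours=8, rto_hours=4, wrt_hours=2,
                     resources=["erp", "network", "auth-directory"]),
    BusinessFunction("payroll", mtd_hours=72, rto_hours=24, wrt_hours=8,
                     resources=["hr-system", "network", "auth-directory"]),
    BusinessFunction("customer support portal", mtd_hours=24, rto_hours=20, wrt_hours=8,
                     resources=["web-tier", "network", "auth-directory"]),
]

if __name__ == "__main__":
    print("recovery order:", recovery_order(FUNCTIONS))
    print("plans exceeding MTD:", plan_violations(FUNCTIONS))
    for name, info in sorted(resource_criticality(FUNCTIONS).items(),
                             key=lambda kv: (kv[1]["tightest_mtd_hours"], -kv[1]["functions"])):
        print(f"{name:15s} functions={info['functions']} tightest MTD={info['tightest_mtd_hours']}h")
```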
BCP project planning
Preparatory activities before the BCP project is launched
1. Determine BCP requirements, which may include targeted risk analysis to identify possible disruptions to critical systems
2. Understand relevant laws, regulations, industry specifications and the requirements of the organization’s business and technical planning to ensure that the BCP is consistent with them
3. Appoint a BCP project leader and establish a BCP team, including representatives from business and technical departments
4. Develop a project management plan, which should clearly define the project scope, goals, methods, responsibilities, tasks and progress.
5. Hold a project kick-off meeting to obtain management support
6. Determine the automation tools needed to collect data
7. Provide the necessary skills training and awareness-raising activities
BCP project leader
As the BCP project leader, the business continuity coordinator is fully responsible for the planning, preparation, training and other tasks of the project.
work tasks
1. Communication and liaison between the planned development team and management
2. The right to have direct contact and communication with everyone involved in the plan
3. Fully understand the impact of business interruption on the organization’s business
4. Be familiar with the needs and operations of the organization and have the ability to balance the different needs of relevant departments
5. Easier access to senior management
6. Understand the business direction of the organization and the intentions of senior management
7. Ability to influence senior management decisions
Key Roles in the BCP Project
1. Recovery teams: multiple teams handling assessment, recovery, restoration, etc. after a disaster
2. Business department representatives identify the key business functions of the organization and assist in the selection and formulation of recovery strategies
3. IT department
4. Communications department
5. Information security department
6. Legal representative
BCP Policy
BCP planning should ultimately form a business continuity strategy
goals, scope, needs
Basic principles and guidelines
Duties and Responsibilities
Basic requirements for key links
The terms of the policy should be formally approved by senior management and published as an organizational policy to guide business continuity efforts.
7. Personnel security
Personnel recruitment control
background check
Reduce risks, reduce recruitment costs, and reduce employee turnover
Skills assessment
confidentiality agreement
Protect sensitive company information
Personnel on-the-job control (Chapter 7)
Segregation of Duties
least privilege
job rotation
compulsory leave
Personnel departure control
Disabling access rights for resigned personnel
Return of identification items (badges, tokens, keys)
Third party personnel control
If the third party is off-site but has administrator rights
Confidentiality agreements should be signed with third-party organizations and individuals
Monitor all work activities of third parties
Ensure the identity of third-party personnel is verified on each access
If the third party is on-site and has administrator rights
In addition to the above measures, perform background checks
Third-party personnel leave the site and need to take back relevant permissions
Contractual terms with third parties, confidentiality requirements, and related commercial terms
Security awareness, training and education
Education
Equipping security professionals with the technical expertise they need to do their jobs
Mode: Theoretical guidance, seminars, reading and study, research
Security insight
Why
Training
Transfer security-related work skills, mainly to information system management and maintenance personnel
Method: Practical guidance, lectures, case studies, experiments
acquire knowledge
How to do
Awareness
The general collective awareness among an organization's employees of the importance of security and controls
Method: video, media, poster, etc.
Convey a message
what is