Thoughts on the construction process of Party A's security system

The blogger is one of the early members of the graffiti security department. Although he is not the person in charge of security, he was fortunate to take part in and witness the construction of the graffiti security system from scratch. This article is the blogger's thinking on the construction of Party A's security system, divided into three parts:

1. Security System Construction v1.0—Quick Governance
2. Security System Construction v2.0—Systematic Construction
3. Security System Construction v3.0—Complete Improvement
Attachment: Security System Management

In addition, for the construction of Party A's security system I also wrote two companion practice blog posts:
Party A's basic security operation platform construction practice
SDL security and enterprise office security landing practice

1. Security System Construction v1.0—Quick Governance

At many Internet companies, business development precedes the building of a security team. Only when the business has reached a certain scale and a security incident occurs does the company consider investing in security. By then the enterprise's information security posture is very poor, and security, which should be a basic attribute of the business, has seriously lagged behind the rapid development of the business.

The security problems likely to exist at this point: many weak passwords and unpatched systems on the enterprise intranet, large numbers of common security vulnerabilities in online services, weak employee security awareness, serious data leakage, and so on.

For the security risks the enterprise faces at this stage, a fire-fighting approach is needed: cut in quickly, starting with measures that are easy, low-cost, and show obvious results.

1.1 Choose the right person in charge of security

The security team usually has 1-3 people in the early days, so the breadth of knowledge of the person in charge of security is extremely important. The person in charge should be familiar with security technology and security operations as well as security management and security compliance, and needs to lead the team in work including security development (secondary development based on open source), penetration testing, security hardening, emergency response, security audit, security training, security compliance, security management, and security operations.

1.2 Identify major security risks

The main goal of the rapid governance phase is to use 20% of the resources to solve 80% of the security risks, so the first step is to identify the main ones. Internet companies are characterized by business technology that is mainly web and mobile apps (some also involve desktop software, cloud services, IoT hardware, etc.), fast business iteration, high staff turnover, and loose company management. Most of their security risks come from online business, but they also face risks from within the enterprise at any time.

1. Online business

Online business risks include web security risks, the business's own security risks, and mobile application security risks.

2. Inside the enterprise

Security risks from within the enterprise include employee security risks, password security risks, phishing and social engineering risks, and security compliance risks. Beyond these there are many other risks, such as DDoS against the business and unpatched devices and tools, including routers, printers, personal computers, and BYOD (bring your own device) equipment.

1.3 Implement rapid risk reduction

Follow the principle of "grasp with both hands, and both hands must be firm": security technology and security operations on one hand, security management and security compliance on the other. This two-pronged approach quickly reduces security issues.

The measures for addressing web security risks, in order of priority, are:

1. Clear webshell backdoors across the whole site, and purchase or adopt an open source WAF to quickly solve common web security problems;
2. Use dynamic (DAST), static (SAST) and interactive (IAST) application security testing products for black-box and white-box scanning of web services, plus manual penetration testing, to resolve major online vulnerabilities;
3. Deploy RASP (Runtime Application Self-Protection) products such as Prevoty or OpenRASP so that the web application protects itself;
4. Provide a secure coding filter library and secure coding training to improve the security quality of the code, and so on.

The measures for addressing risks from the business itself, in order of priority, are:

1. Initially, select appropriate third-party risk control security products based on business characteristics;
2. Once personnel are in place, build an in-house security risk control platform consisting of an access layer (query engine, rule engine, model engine), a processing layer, and a data layer.

The measures for addressing mobile application security risks, in order of priority, are:

1. Use commercial solutions (free or paid) for vulnerability scanning and security hardening of the app to solve common security problems;
2. Have security team members familiar with mobile application security conduct in-depth manual security testing of the mobile apps;
3. Provide basic mobile security components, secure coding training, and secure coding specifications.

The measures for addressing security risks from employees, in order of priority, are:

1. Deploy EDR products that can be centrally managed, use a bastion host for remote audit management of the production environment, and use a database management system to audit and control database access;
2. Conduct security training when employees join, carry out background investigations of key employees before onboarding, have information security staff draw up codes of conduct and examinations, inform departing employees of their security obligations, and perform security audits;
3. Establish an isolated, controlled network for core business teams, with a unified proxy server for Internet access, so that all network traffic, including HTTPS, can be audited;
4. Build a machine-learning-based user anomalous behavior discovery system, such as the UEBA module in Splunk products.

The measures for addressing password security risks, in order of priority, are:

1. Use a weak password scanner (Hydra / Medusa) to check all password-protected system services of the company's employee accounts and intranet (SSH, MySQL, RDP, web back-ends, etc.), and order the passwords changed, to quickly eliminate the hidden danger of weak passwords;
2. Build a unified single sign-on system based on OpenLDAP, with two-factor authentication using TOTP-based dynamic passwords or an RSA key; if Wi-Fi is used, two-factor authentication can be achieved through the RADIUS protocol;
3. Establish a stricter login system based on the FIDO U2F authentication protocol with physical security keys, and a BeyondCorp-style account security system.

The measures for addressing security risks from phishing and social engineering, in order of priority, are:

1. Conduct security awareness training for employees and organize drills from time to time to verify the training's effect, strengthen physical security management and control of office premises, and avoid using third-party communication software to set up work groups;
2. Strengthen technical monitoring of phishing and social engineering attacks (such as endpoint security monitoring). High-risk files can be opened in an isolated sandbox, and high-risk web browsing can use remote secure browsing products;
3. Strengthen the security management of BYOD devices.

The measures for achieving security compliance certification, in order of priority, are:

1. Read the official security compliance documents to understand the compliance requirements;
2. List the documents required for security compliance and write them;
3. Determine which requirements the company has already met and which it has not, and formulate an implementation plan for the unmet ones;
4. Follow the principle of turning external regulations into internal regulations, internal regulations into inspections, inspections into rectification, and rectification into assessment, to drive implementation;
5. Pass the compliance certification and obtain the compliance certificate.

2. Security System Construction v2.0—Systematic Construction

After the first, fire-fighting stage of rapid governance, most of the hidden dangers in the enterprise have basically been eliminated, so the second stage can systematically improve the enterprise security architecture and implement the concept of "security within the system".

2.1 Establish a security management system based on ISMS

ISMS is specified by the ISO 27001 to ISO 27013 series of standards, among which ISO 27001 is the best known in the industry. ISO 27001 mainly stipulates the requirements of an information security management system; it is mainly an introduction and overview of concepts and is generally used for certification. ISO 27002 is the detailed practice corresponding to ISO 27001; the standard covers 14 domains and 113 controls.

ISMS provides a large and comprehensive framework of guidance requirements, which can help an Internet enterprise security team:

1. Gain a comprehensive security view and avoid blind spots caused by insufficient security coverage;
2. Give executives an accountable basis for information security implementation, which facilitates the implementation of security strategies;
3. After obtaining ISO 27001 certification, improve the company's reputation and trust so that customers have confidence in it.

ISMS is based on the PDCA cycle:

P, Plan: formulate policies, ISMS objectives, processes and procedures related to risk management and information security improvement, to deliver results consistent with the organization's overall policies and objectives.
D, Do: implement and operate the ISMS policies, controls, processes and procedures.
C, Check: evaluate the processes and, where applicable, measure their performance against the policies, objectives and practical experience, and report the results to management for review.
A, Act: based on the results of ISMS internal audits and management reviews or other relevant information, take corrective and preventive measures to continuously improve the system.

The security management system can be built by following the 14 control domains of ISO 27001: provide a checklist for the ISMS, complete the corresponding modules one by one, and cross-check them. When the checklist is nearly complete, the security management system will naturally have been established.

Although security management is complicated, the underlying approach does not change: thoroughly understand the compliance requirements and the rules and regulations, then discover the risks and shortcomings in the company's implementation, and finally complete the rectification and resolution of those risks.

2.2 Build security engineering capability based on BSIMM

1. Introduction to BSIMM

BSIMM is a yardstick for measuring an organization's software security; you can build your own security development program against the BSIMM standard. BSIMM consists of three major parts:

1. Software Security Framework (SSF): the infrastructure underpinning BSIMM, consisting of 12 practices divided into 4 domains;
2. Software Security Group (SSG): the internal working group responsible for implementing and promoting software security;
3. Software Security Initiative (SSI): an organization-wide program that instills, evaluates, manages and evolves software security activities in a coordinated manner.

The 12 practices in the 4 domains of the Software Security Framework:

Governance: Strategy and Metrics (SM), Compliance and Policy (CP), Training (T)
Intelligence: Attack Models (AM), Security Features and Design (SFD), Standards and Requirements (SR)
SSDL Touchpoints: Architecture Analysis (AA), Code Review (CR), Security Testing (ST)
Deployment: Penetration Testing (PT), Software Environment (SE), Configuration Management and Vulnerability Management (CMVM)

Governance: practices that help organize, manage and measure a software security initiative; staff training is also a core practice in this domain.
Intelligence: practices that gather corporate knowledge used in carrying out software security activities, namely proactive security guidance and threat modeling.
SSDL Touchpoints: practices associated with the analysis and assurance of particular software development artifacts and processes.
Deployment: practices that interface with traditional network security and software maintenance organizations; software configuration, maintenance and other environmental issues have a direct impact on software security.

2. Solutions to common problems in building security engineering capability

Question 1: Release schedules are tight and pressure is high; fixing security vulnerabilities takes too much time and delays releases

To avoid security work becoming a development bottleneck, security testing techniques should be integrated into existing systems as far as possible. For example, integrate the SpotBugs plug-in directly into the IDE so that developers are prompted to fix vulnerable code at compile time; for third-party component vulnerabilities, combine Black Duck with the Maven repository so that Java library security issues are resolved without business staff having to intervene; when code is pushed to GitLab, add Gitrob to automatically scan for leaked keys, passwords and other sensitive information; integrate Facebook Infer on the CI platform (such as Jenkins) as a scanning cluster that automatically detects code vulnerabilities, and write Python scripts that send the vulnerability information to JIRA to remind R&D staff to fix it and track the progress of the fix.
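As an added example (not code from the original post), a Python sketch of the commit-scanning step described above: scan only the added lines of a pushed diff for leaked keys and passwords, redact each match, and build a JIRA create-issue payload for the tracking ticket. The rule patterns, severity labels, project key and sample diff are this example's own constructions.

```python
import re
from dataclasses import dataclass

# Rules in the spirit of the Gitrob-style commit scanning described above. Patterns are
# deliberately simple; severity labels are this example's own convention, not a Gitrob scale.
SECRET_RULES = [
    ("aws_access_key_id", "High", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", "High", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("hardcoded_password", "Medium", re.compile(r"(?i)(password|passwd|pwd)\s*[:=]\s*['\"][^'\"]{6,}['\"]")),
]

@dataclass
class Finding:
    rule: str
    severity: str
    path: str
    line: int
    snippet: str  # redacted: the secret itself must never be copied into the ticket

def redact(content, match):
    """Keep only the first four characters of the matched secret."""
    secret = match.group(0)
    return content.replace(secret, secret[:4] + "***REDACTED***")

def scan_diff(diff_text):
    """Scan only the added lines of a unified diff and return a list of Finding."""
    findings, path, new_line = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):      # new-file header, e.g. "+++ b/config/settings.py"
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("@@"):        # hunk header: "+N" is the first line number in the new file
            m = re.search(r"\+(\d+)", raw)
            new_line = int(m.group(1)) - 1 if m else 0
            continue
        if raw.startswith("-"):         # removed line or "--- a/..." header: nothing new to check
            continue
        new_line += 1                   # added and context lines both advance the new-file counter
        if not raw.startswith("+"):
            continue
        content = raw[1:]
        for name, severity, pattern in SECRET_RULES:
            m = pattern.search(content)
            if m:
                findings.append(Finding(name, severity, path, new_line, redact(content, m)))
    return findings

def to_jira_issue(finding, project_key="SEC"):
    """Build the JSON body for JIRA's REST v2 create-issue call (POST /rest/api/2/issue); nothing is sent here."""
    return {"fields": {
        "project": {"key": project_key},
        "issuetype": {"name": "Bug"},
        "summary": f"[{finding.severity}] {finding.rule} in {finding.path}:{finding.line}",
        "description": f"Rule {finding.rule} matched an added line.\nSnippet: {finding.snippet}",
        "priority": {"name": "Highest" if finding.severity == "High" else "Medium"},
    }}

# Constructed sample diff; AKIAIOSFODNN7EXAMPLE is AWS's documented placeholder key id.
SAMPLE_DIFF = """\
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,4 @@
 DEBUG = False
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "hunter2hunter2"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
 ALLOWED_HOSTS = ["example.internal"]
"""
```

Posting the payload with the caller's own JIRA credentials, and deduplicating against open tickets, is left to the CI job that wraps this.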

Question 2: Too many false positives for security vulnerabilities

Any automated security testing system will have false positive problems when it is first launched. To handle them, design a false-positive feedback function, set up a full-time security team to provide security technical support, and have it continuously optimize the detection rules. After several iterations, the false positive problem can basically be solved.

Question 3: The company has no quantitative indicators for employees' work; some R&D team members lack a sense of responsibility and do not care about fixing bugs, leaving many hidden security risks

Establish a process system for vulnerability repair, link code quality to KPIs, and penalize employees who create hidden security risks by violating the process, graded by vulnerability level. Combine this with the quality assurance team's regular project quality reports, and finally aggregate the security vulnerability data into the code quality management platform. Including bug fixes in KPI indicators motivates developers to fix security vulnerabilities.

Question 4: Security solutions and requirements often hinder business development

When designing security solutions and requirements, the security team should not start from saving itself time and effort and taking on fewer responsibilities; that hinders business development and reduces efficiency. A good set of security solutions and requirements ensures security while making the business's work easier, or at least not harder. Only such solutions and requirements are welcomed by the business team and by the development and operations teams.

3. Build a general security technology architecture

Network layer:
For NTA (network traffic analysis) there are AOL's open source Moloch and redBorder; for deception defense, Thinkst's OpenCanary and Canarytokens.

Host layer:
Open source products include Facebook's osquery.

Application layer:
Baidu's open source OpenRASP.

Identity and access management:
Open source products include Gluu.

Data security and privacy:
Open source products include Apache Ranger for fine-grained permission management, Apache Eagle for big data security and performance analysis, and the open source key management system Vault.

Security operations:
Open source products include Mozilla's open source SIEM platform MozDef.

3. Security System Construction v3.0—Complete Improvement

After the second stage of systematic security construction, the enterprise has basically formed a complete security system, so the third stage of security system construction mainly consists of comprehensively improving it.

3.1 Strengthen the building of security culture

How to build an enterprise security culture? Security should be incorporated into the company's values and assessed together with performance. If the corporate culture is merely posted on the wall and nobody knows how to assess it, it has little effect. Only when a company's security culture is established will personnel changes not gradually dilute its security values.

3.2 Improve the security resilience architecture

The security resilience architecture mainly implements 4 capabilities:

1. Anticipate: maintain a state of informed preparedness for intrusion;
2. Withstand: continue to perform essential missions or business functions even during an intrusion;
3. Recover: restore missions or business functions during and after an intrusion;
4. Adapt: modify missions or business functions and their supporting capabilities to anticipate changes in the technology, operations and threat environments.

Attachment: Security System Management

A management system is generally published in the form of documents, usually titled policies, regulations, measures, procedures, rules, guidelines, etc.; it can be adjusted, supplemented and improved by means of "system patches", which generally appear under titles such as revision notice, supplementary notice, and notice on strengthening management.

1. Institutional System

The system should follow the principles of reasonable structure, clear hierarchy and comprehensive coverage. It generally has three levels:

1. Policy-level systems regulate the basic matters of the operation and management responsibilities of the business lines; their names are generally "system", "regulation", "policy", "rules", etc.

2. Method-level systems standardize the working methods and specific content of business lines; their names are generally "management measures" and "management procedures".

3. Regulation-level systems standardize specific operational content; their names are generally "operating regulations", "operating rules", "implementation rules", "guidelines", etc.

2. Drafting of the system

When drafting a system, investigation and research should be carried out, and the opinions of the personnel in the implementing departments and of relevant personnel within the sponsoring department should be widely solicited, to demonstrate the necessity, effectiveness, rationality and operability of the system. Opinions may be solicited by sending out solicitation emails or holding system discussion meetings.

The content of a system generally includes: general provisions (purpose and basis, scope of application, management principles, division of responsibilities, definitions, etc.), management processes, supervision, inspection and penalty rules, and supplementary provisions (requirements for detailed rules, the interpreting department, the implementation date, invalidation statements, etc.).

3. System review

The system review mainly includes the following:

1. Whether it complies with laws, rules, guidelines and regulatory requirements;
2. Whether it is coordinated with the company's related systems and the interfaces are clear;
3. Whether it affects the rationality and clarity of the company's overall system structure;
4. Whether the process the system describes is clear and operable;
5. Whether it meets the company's normative requirements for systems;
6. Any other system issues on which the reviewer considers it necessary to offer review opinions.

4. Release of the system

A system that has been reviewed, deliberated or approved is issued to all employees in the form of a notice. To facilitate system maintenance and management, each issued system should in principle correspond to a single document number. The sponsoring department should set a reasonable implementation date and state it clearly in the system; it is recommended to give the implementation date explicitly rather than "effective from the date of publication of this document".

5. System maintenance

Maintenance of a system includes its follow-up evaluation and improvement. Follow-up evaluation refers to the sponsoring department's self-evaluation of the system's actual management effect, which aims to discover problems with the system and assess whether it needs rectification. The follow-up evaluation covers the following:

1. Whether there are problems with the system's compliance, effectiveness, operability and standardization;
2. Whether there are duplications and conflicts between systems;
3. Whether there are missing systems and management blind spots;
4. Sort out the systems, find out the state of system patches, and assess the feasibility and necessity of consolidating them.

For a system that draws many opinions from the executing staff, the sponsoring department should conduct a follow-up evaluation in a timely manner. At the same time, the sponsoring department should collect and organize system information promptly to improve the efficiency and quality of subsequent evaluations. System information includes: changes in external policies, feedback from front-line operators, management vulnerabilities found in business inspections, management vulnerabilities revealed by external or peer cases, and adjustments to internal organizational structure, management, and business processes.

System improvement refers to the work of adding, changing, revising, supplementing and consolidating systems, carried out by the sponsoring department according to the follow-up evaluation results and business management needs. Before improving a system, the sponsoring department should evaluate the cost of the improvement, taking into account the stability of the system and the convenience of implementation, and choose between issuing a system patch, adding a new system, or releasing a new version. If a system has accumulated many patches, the sponsoring department should consolidate it in line with the arrangement of the departmental system structure.

6. Daily management of the system

A system should clearly name its interpreting department. In principle the sponsoring department is responsible for interpretation; in special cases, the scope of interpretation of each department should be made clear. When a lower-level system conflicts with the provisions of a higher-level system, the higher-level system prevails, unless the interpreting department has formally approved or replied otherwise.


Origin blog.csdn.net/wutianxu123/article/details/104404999