2020 Software Test Information Security Engineer (Second Edition) Study Summary [8]

Chapter Twelve: Principles and Applications of Network Security Audit Technology

Network security audit overview

  • Network security audit concept
    • The work of obtaining, recording, storing, analyzing and using security-related activity information from a network information system
  • Network security audit purpose
    • Establish "after-the-fact" security protection measures: preserve records of network security incidents and behaviour, and provide clues and evidence for incident analysis, so as to discover potential network security threats and carry out network security risk analysis and management
  • Regulations and policies related to network security audit
    • "Network Security Law of the People's Republic of China": take technical measures to monitor and record network operating status and network security incidents, and retain the relevant network logs for no less than six months as required

Composition and type of network security audit system

  • Network security audit system composition
  • Network security audit system type

    • Operating system security audit

      • Records operating system user activity and system service activity, including user login and logout, system service startup and shutdown, and security events
      • Both Windows and Linux have a built-in audit function
    • Database security audit

      • Monitors and records users' read, write, query, add, modify and delete operations on the database server, and can replay database operation commands
      • Most databases also have a built-in audit function
    • Network communication security audit

      • A dedicated audit system captures network traffic through dedicated equipment for storage and analysis
    • Other types: application system security audit, network security device audit, industrial control security audit, mobile security audit, Internet security audit, code security audit

    • According to the scope of the audit, security audit systems can be divided into integrated audit systems and single-function audit systems

      • Integrated audit system architecture (figure not preserved)

Network Security Audit Mechanism and Implementation Technology

  • Network security audit data collection

    • System log data collection technology

      • Aggregate the event information generated by operating systems, databases, network devices and other systems on a unified server for storage, which makes querying, analysis and management easier

      • Common collection methods: Syslog, SNMP Trap

    • Network traffic data collection technology

      • Common technical methods: shared-medium network monitoring, switch port mirroring, network tap

      • Shared-medium network monitoring principle: the traffic collection device is connected to a hub and thereby receives the network traffic of every device connected to that hub

      • Port mirroring: the switch copies the traffic of the monitored ports to the port where the collection device is connected (schematic figure not preserved)

      • For switches that do not support port mirroring, a network tap (TAP) inserted into the link is used instead

  • Open source tools for network traffic data collection

    • Libpcap: common open source packet capture library
      • Tcpdump: Libpcap-based network traffic capture tool
    • WinPcap: supports capturing network packets on the Windows platform
      • WinDump: WinPcap-based network protocol analysis tool
      • Wireshark: graphical network traffic capture and protocol analysis tool
  • Network audit data analysis technology

    • String matching: regular matching

    • Full-text search: Open source search engine Elasticsearch

    • Data association

    • Statistical reports

    • Visual analysis: present results as pie charts, bar charts, etc.
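The collection and analysis steps above (Syslog aggregation, string matching with regular expressions, statistical reports) as an added worked example that is not part of the original summary. The log lines are constructed for the example; the parser handles the classic RFC 3164 line layout and the regex targets the standard OpenSSH failed-login message.

```python
import re
from collections import Counter

# Constructed sample Syslog lines (RFC 3164 layout) as a central log server would receive them
SAMPLE_LOGS = [
    "<38>Nov  2 10:41:12 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
    "<38>Nov  2 10:41:15 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51130 ssh2",
    "<38>Nov  2 10:41:20 web01 sshd[2213]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2",
    "<86>Nov  2 10:42:01 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; COMMAND=/bin/systemctl restart postgresql",
    "<38>Nov  2 10:42:30 web01 sshd[2220]: Failed password for root from 203.0.113.7 port 51140 ssh2",
]

# <PRI>timestamp host tag[pid]: message   (PRI = facility * 8 + severity)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)
# String matching step: the OpenSSH failed-authentication message
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


def parse_syslog(line):
    """Normalize one raw line into a record; return None for lines that do not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    pri = int(rec.pop("pri"))
    rec["facility"], rec["severity"] = pri >> 3, pri & 7
    return rec


def count_failed_logins(lines):
    """Statistical report: number of failed SSH logins per (reporting host, source IP)."""
    counts = Counter()
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            continue
        hit = FAILED_RE.search(rec["msg"])
        if hit:
            counts[(rec["host"], hit.group("ip"))] += 1
    return counts


def flag_sources(lines, threshold=3):
    """Event alarm: sources whose failed-login count reaches the threshold."""
    return sorted(src for src, n in count_failed_logins(lines).items() if n >= threshold)
```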

  • Network audit data protection technology

    • Separation of duties for system users: set up three types of users: operator, security officer and auditor
    • Mandatory access control for audit data: apply mandatory access control measures to the audit records
    • Audit data encryption
    • Audit data privacy protection
    • Audit data integrity protection: digital signatures and source authentication of audit data
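An added example, not from the original summary, of the integrity-protection item above: each audit record is authenticated with an HMAC that also covers the previous record's MAC, so that editing, deleting or inserting a record breaks the chain (this is also what defeats the "local logs are easy to delete" weakness noted under database audit products). The key and audit records are constructed for the example; the key stands in for a signing secret held by the auditor role, not by the audited host.

```python
import hashlib
import hmac
import json

# Constructed demo key; stands in for a secret held by the auditor role, off the audited host
AUDIT_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # fixed anchor for the first record's MAC


def _mac(key, prev_mac, record):
    # Canonical JSON so that the same record always yields the same bytes
    payload = prev_mac.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def sign_log(key, records):
    """Produce a chained log: entry i's MAC covers record i and entry i-1's MAC."""
    chain, prev = [], GENESIS
    for rec in records:
        mac = _mac(key, prev, rec)
        chain.append({"record": rec, "mac": mac})
        prev = mac
    return chain


def verify_log(key, chain):
    """Return (True, None) if intact, else (False, index of the first entry that fails)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if not hmac.compare_digest(_mac(key, prev, entry["record"]), entry["mac"]):
            return False, i
        prev = entry["mac"]
    return True, None


# Constructed sample audit records (database operation audit style)
RECORDS = [
    {"ts": "2020-11-02T10:41:12", "user": "alice", "op": "login", "result": "ok"},
    {"ts": "2020-11-02T10:42:01", "user": "alice", "op": "DELETE FROM accounts", "result": "ok"},
    {"ts": "2020-11-02T10:43:30", "user": "alice", "op": "logout", "result": "ok"},
]


def demo():
    """Intact chain verifies; the same chain with the middle entry removed does not."""
    chain = sign_log(AUDIT_KEY, RECORDS)
    with_deletion = [chain[0], chain[2]]  # simulate removal of the incriminating record
    return verify_log(AUDIT_KEY, chain), verify_log(AUDIT_KEY, with_deletion)
```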

Main technical indicators and products of network security audit

  • Log security audit products

    • Main functions: log collection, storage, analysis, query, event alarms, statistical reports, system management, etc.
  • Host monitoring and audit products

    • Implemented through an agent installed on each monitored host (figure not preserved)

    • Main functions: system user monitoring, system configuration management, patch management, access control, storage media (USB drive) management, management of unauthorized external connections, etc.

  • Database audit products

    • Three ways to implement database auditing:
      • Network monitoring audit
        • Advantages: no impact on the database server
        • Disadvantages: encrypted database network traffic is difficult to audit, and local operations on the database server cannot be audited
      • The database's built-in audit function
        • Advantages: audits both network operations and local operations on the database
        • Disadvantages: performance impact; audit policy configuration, record granularity and unified log analysis are not complete enough; locally stored logs are easy to delete
      • Database agent
        • Advantages: audits both network operations and local operations on the database
        • Disadvantages: an agent must be installed, which affects performance, stability and reliability
  • Network security audit products

    • Common functions:
      • Network traffic collection
      • Network traffic data mining and analysis: analyze the traffic of different protocols to extract operation records
    • Performance indicators mainly include: supported network bandwidth, number of identifiable protocol types, query response time for raw packets, etc.
  • Industrial control system network audit product

    • Principle: use network traffic collection and protocol identification to reconstruct the industrial control protocol, form operation records, and store and analyze them
    • Two implementation approaches:
      • Integrated, centralized product
      • Two-part product: a collection end and an analysis end
  • Operation and maintenance security audit products

    • Main functions:
      1. Character session audit: audit operations performed over the SSH and Telnet protocols
      2. Graphical operation audit: audit graphical operations performed over the RDP, VNC and HTTP/HTTPS protocols
      3. Database operation and maintenance audit: audit operations on Oracle, MS SQL Server, IBM DB2 and PostgreSQL databases
      4. File transfer audit: audit FTP, SFTP and other file transfer protocols
      5. Compliance audit: check operations against the relevant security management regulations

Network security audit application

  • Network compliance

  • Network electronic forensics

  • Network security operations and maintenance support

Origin blog.csdn.net/weixin_39664643/article/details/109445736