"Honker League" network security simple introduction and scanning

1. Security Policy

1.1. The three elements of security

There are many ways to understand a security problem, but first we must understand the attributes that make it up. Through countless practical experiences, our predecessors summarized the attributes of security into three elements, referred to as CIA.

The three elements of security are its basic components: confidentiality, integrity, and availability.
Confidentiality requires that protected data content not be disclosed; encryption is a common means of achieving confidentiality.

To give an example: if you keep a file not in a drawer but in a transparent glass box, then although outsiders cannot directly take the file, the box is transparent and the contents of the file may still be seen by others, so the confidentiality requirement is not met. But if a cover is placed over the file to hide its contents, it is concealed and the confidentiality requirement is met. This shows that when we choose a security solution we need to be flexible and adapt it to the circumstances; there is no one-size-fits-all solution.

Integrity requires that the protected data content is complete and has not been altered. A common technical means of ensuring integrity is the digital signature.

Legend has it that the succession edict of Emperor Kangxi of the Qing Dynasty read "pass the throne to the fourteenth son", but Yinzhen, who was then the fourth prince, altered it to read "pass the throne to the fourth son". Leaving aside whether the legend is true, the protection of the will in this story clearly did not meet the integrity requirement. If a technology such as digital signatures had existed at the time, altering the will undetected would have been very difficult. This story also shows the importance of data integrity and consistency.

Availability requires that protected resources be "available on demand".

Suppose a parking lot has 100 parking spaces; under normal circumstances, 100 cars can park there. But one day a bad actor moves in 100 large rocks and occupies every space, and the parking lot can no longer provide its normal service. In the security field this kind of attack is called a denial of service attack, or DoS (Denial of Service) for short. Denial of service attacks target the availability element of security.

1.2. Security assessment

A security assessment process can be divided into four stages: asset classification, threat analysis, risk analysis, and confirming the solution.

1. Classification of assets

Asset classification is the basis of all the work that follows. It helps us clarify what the target is and what needs to be protected.
When the three elements of security were discussed above, confidentiality and integrity were both defined in terms of data, while availability was defined in terms of "resources". The concept of a resource is broader than data, but in many cases the availability of a resource can also be understood as the availability of data.
Today, with Internet infrastructure relatively mature, the core of the Internet is actually driven by user data: users generate business, and business generates data. Apart from some fixed assets such as servers and other physical objects, the core value of an Internet company lies in its user data. The core issue of Internet security is therefore data security.
Classifying the assets of an Internet company therefore means classifying its data. Some companies care most about customer data, others about employee information; the focus differs with the business. In the process of classifying assets, it is necessary to talk with the head of each business department one by one to understand what the company's most important assets are and what data they value most. Understanding the company's business, the data it holds, and the importance of different data points the way for the rest of the security assessment.

2. Threat Analysis

In the field of security, we call a possible source of harm a threat, and the possible loss a risk. Risk is always associated with loss.
What is threat analysis? Threat analysis means finding all the threats. Brainstorming is the usual approach, but there are also more systematic methods, such as using a model to help us think about where threats may exist; this process helps avoid omissions and is called threat modeling.
Here we introduce STRIDE, a threat modeling method proposed by Microsoft:

Threat                  Definition                                    Corresponding security property
Spoofing                Pretending to be someone else                 Authentication
Tampering               Modifying data or code                        Integrity
Repudiation             Denying what has been done                    Non-repudiation
Information Disclosure  Disclosing confidential information           Confidentiality
Denial of Service       Denying service                               Availability
Elevation of Privilege  Obtaining permissions without authorization   Authorization

3. Risk Analysis

The level of a risk depends not only on the size of the loss but also on the likelihood that it occurs.

How can risk be measured more scientifically? Here we introduce another model, DREAD, also proposed by Microsoft. DREAD is likewise an acronym; its letters tell us from which aspects to judge the risk level of a threat.

Rating scale: High (3), Medium (2), Low (1).

Damage Potential
  High (3): Obtaining full verification permissions; performing administrator actions; uploading files illegally
  Medium (2): Leaking sensitive information
  Low (1): Leaking other information
Reproducibility
  High (3): The attacker can repeat the attack at will
  Medium (2): The attacker can repeat the attack, but only within a time limit
  Low (1): It is difficult for the attacker to repeat the attack
Exploitability
  High (3): A beginner can master the attack method in a short time
  Medium (2): A skilled attacker can carry out the attack
  Low (1): The conditions for exploiting the vulnerability are very demanding
Affected Users
  High (3): All users, default configuration, key users
  Medium (2): Some users, non-default configuration
  Low (1): Very few users, anonymous users
Discoverability
  High (3): The vulnerability is conspicuous and the attack conditions are easy to obtain
  Medium (2): Finding the vulnerability requires digging deeper
  Low (1): Finding the vulnerability is extremely difficult

The ratings for the five factors are summed to give the total score. High risk: 12-15 points; Medium risk: 8-11 points; Low risk: 0-7 points.
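As an added example (not from the original article), the Python below puts the STRIDE table and the DREAD scoring above to work as a small risk register: each threat carries its STRIDE category and five DREAD ratings, the ratings are validated and summed, and the article's bands decide the level. The threat names and ratings are constructed for illustration.

```python
# Added example (not from the original article): a small risk register that
# applies the STRIDE and DREAD tables above. Threats and ratings are constructed.
from dataclasses import dataclass

# STRIDE category -> the security property it violates
STRIDE = {
    "Spoofing": "Authentication",
    "Tampering": "Integrity",
    "Repudiation": "Non-repudiation",
    "Information Disclosure": "Confidentiality",
    "Denial of Service": "Availability",
    "Elevation of Privilege": "Authorization",
}
DREAD_FACTORS = ("Damage Potential", "Reproducibility", "Exploitability",
                 "Affected Users", "Discoverability")


@dataclass
class Threat:
    name: str
    category: str   # one of the STRIDE keys
    dread: tuple    # five ratings in DREAD_FACTORS order: 3 high, 2 medium, 1 low

    def score(self) -> int:
        """Sum of the five DREAD ratings, after validating the input."""
        if self.category not in STRIDE:
            raise ValueError(f"unknown STRIDE category: {self.category}")
        if len(self.dread) != len(DREAD_FACTORS):
            raise ValueError("exactly five DREAD ratings are required")
        if any(r not in (1, 2, 3) for r in self.dread):
            raise ValueError("each DREAD rating must be 1, 2 or 3")
        return sum(self.dread)

    def risk_level(self) -> str:
        """Bands from the article: high 12-15, medium 8-11, low 0-7."""
        s = self.score()
        return "high" if s >= 12 else "medium" if s >= 8 else "low"


def risk_register(threats):
    """Rows of (name, violated property, score, level), highest risk first."""
    rows = [(t.name, STRIDE[t.category], t.score(), t.risk_level()) for t in threats]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample threats against a hypothetical web application
SAMPLE_THREATS = [
    Threat("Forged session cookie", "Spoofing", (3, 3, 2, 3, 2)),
    Threat("Audit log rows can be edited", "Tampering", (2, 2, 1, 1, 1)),
    Threat("Error page leaks stack trace", "Information Disclosure", (1, 3, 3, 2, 3)),
]
```

Note that the low-damage but highly reproducible and discoverable stack-trace leak scores 12 and lands in the high band, which is exactly the point of weighing likelihood alongside loss.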

4. Confirm the solution

The output of the security assessment is the security solution. The solution must be targeted, and its targets are given by the results of the asset classification, threat analysis and risk analysis stages.

As a security engineer, what you need to think about is how to solve the security problems you encounter with simple and effective solutions. A security solution must effectively resist the threats, but at the same time it must not interfere too much with normal business processes, and it must not degrade their performance.

So a good security solution should be transparent to users and change their usage habits as little as possible.

1.3. General process


2. Security tools (vulnerability scanner)

2.1. AppScan

AppScan is a leading web application security testing tool produced by IBM, once well known in the industry under the name Watchfire AppScan. AppScan automates the security vulnerability assessment of web applications and can scan for all common web application vulnerabilities, such as SQL injection, cross-site scripting and buffer overflows, as well as exposures in Flash/Flex and Web 2.0 applications.

1. Steps to use

Step 1: Open the Chinese version of AppScan and create a new scan. Three basic scan types are offered: web application, web service, and external client.

Step 2: In the scan configuration wizard, enter the project's entry URL.

Step 3: Record the login method, and set the correct user name and password in advance so that the scanner can log in automatically.

Step 4: Set the scan policy. The options provided are Default, Invasive, Infrastructure, Application, Third-party, and so on; the preselected policy is Default.

For test and optimization configuration, the default "fast" option is recommended.

Step 5: Complete the scan wizard configuration. The software offers fully automatic, semi-automatic and manual modes; the default is fully automatic.

After clicking Finish, choose to save the scan automatically and start scanning automatically.

Step 6: Finally, wait for the AppScan 10 scan to complete and review the scan results.

2.2. Acunetix

Acunetix is an automated web application security testing tool that audits your web application by checking for SQL injection, cross-site scripting (XSS) and other exploitable vulnerabilities. In general, Acunetix can scan any website or web application that is accessed through a web browser over HTTP/HTTPS.

1. Steps to use

Step 1: Add the website to be tested as the vulnerability scan target.

Then click Yes to perform a vulnerability scan.

Here you can choose the scan type.

Step 2: View the scan results (including vulnerability information, website structure, and activities).

Step 3: Review the vulnerability information (vulnerability type, link location, remediation advice, etc.).

Step 4: Generate a report.

Step 5: Click Report.


3. Others

3.1. On tools

  • Information gathering: social engineering information, network assets and architecture, portals, ...
  • Vulnerability scanners
  • Various brute-force tools
  • Device identification tools
  • Network analyzers

1. Vulnerability Scanner

Vulnerability scanners can quickly help us discover vulnerabilities, for example SQL injection, cross-site scripting and buffer overflows.
A good vulnerability scanner makes penetration testing easier, but there are vulnerabilities that automated software cannot identify. Vulnerability scanning must therefore be combined with manual penetration testing.

The conclusion: vulnerability scanning is also a form of information gathering. Scanners help us find many problems, but the test as a whole cannot be left to the tool to complete.

3.2. No silver bullet

Security problems cannot be solved once and for all; in other words, "there is no silver bullet". Security is an ongoing process.
Ever since the Internet has had security problems, attack and defense techniques have developed through constant collision and confrontation. Viewed up close, one side may have the upper hand for a while; viewed over the long run, no attack or defense technique of a given period stays effective forever. This is because while defensive technology develops, offensive technology develops as well, and the two drive each other forward. Meeting ever-evolving attack techniques with fixed defensive measures is a mistake. In security there is no silver bullet.

3.3. Principles

Study the underlying principles: learn and master how common vulnerabilities work and how to reproduce them. Although many small tools written by experts at home and abroad are available online, a person who does not understand the principles is like someone with no martial arts skill holding a peerless weapon: able to operate it but not truly wield it, and able to deal only with simple, easily found problems.


Source: blog.csdn.net/Wufjsjjx/article/details/129932865