Exploration and Practice of China Eastern Airlines in Building a Vulnerability Management Platform

1. Vulnerability management requirements under laws and regulations

Vulnerabilities are strategic resources in network attack and defense.
In recent years the United States has issued a series of regulations and bills on vulnerability disclosure management, and its handling of disclosure is strict and cautious; it has long treated vulnerabilities as cyber weapons to be mined, collected and tightly controlled. Network security enterprises, which play an important role in the vulnerability management chain, should likewise use their technical and talent advantages to take a larger role in discovering, repairing and handling vulnerabilities, and so raise the level of national and social network security protection.

1.1 Domestic regulatory requirements

Currently the main Chinese regulations and standards on vulnerability management are:

June 1, 2019: Ministry of Industry and Information Technology (MIIT), "Network Security Vulnerability Management Regulations (Draft for Comment)", since superseded.
July 12, 2021: MIIT, the Cyberspace Administration of China and the Ministry of Public Security, "Regulations on the Management of Network Product Security Vulnerabilities", effective September 1, 2021.
December 31, 2013: National standard GB/T 30276-2013, "Information Security Technology - Information Security Vulnerability Management Specification", now withdrawn.
November 19, 2020: National standard GB/T 30276-2020, "Information Security Technology - Network Security Vulnerability Management Specification", which replaces it.

1.1.1 Purpose and significance of the "Regulations on the Management of Network Product Security Vulnerabilities"

The main purpose is to safeguard national network security and protect the safe and stable operation of network products and important network systems; to standardize vulnerability discovery, reporting, repair and publication, and the responsibilities and obligations of the organizations and individuals involved in those activities; and to encourage each type of entity to use its own technical and institutional advantages in vulnerability discovery, collection and publication. Issuing the Regulations institutionalizes, standardizes and gives legal footing to the management of network product security vulnerabilities, raises the vulnerability management level of the entities concerned, guides the construction of standardized, orderly and dynamic channels for collecting and publishing vulnerabilities, and prevents major network security risks, thereby guaranteeing national network security.

1.1.2 Scope of GB/T 30276-2020 "Information Security Technology - Network Security Vulnerability Management Specification" (National Information Security Standardization Technical Committee)

The standard defines the management process, management requirements and verification methods for each stage of network security vulnerability management: discovery and reporting, reception, verification, disposal, publication and tracking.

1.2 Interpretation of the "Regulations on the Management of Network Product Security Vulnerabilities"

The Regulations distinguish three categories of managed entity: network product providers, network operators, and organizations engaged in vulnerability discovery, collection and publication. An enterprise such as an airline falls under network operator.

1.2.1 The Regulations establish two categories of entity responsibility

Whether network product provider or network operator, the entity must establish and maintain an open channel for receiving network product security vulnerability information, and keep vulnerability reception logs for at least 6 months.

Network product provider:

Reception: establish and keep open a channel for receiving security vulnerability information about its network products, and retain reception logs for at least 6 months.
After discovering or learning of a security vulnerability in a product it provides:
Verification: immediately take measures, organize verification and assessment of the vulnerability, and promptly notify the providers of affected upstream products or components.
Submission: report the vulnerability information to the MIIT Network Security Threat and Vulnerability Information Sharing Platform within 2 days.
Repair: organize the repair in a timely manner, promptly inform product users who may be affected of the risk and the repair method, and provide the necessary technical support.

Network operator:

Reception: establish and keep open a sound channel for receiving network product security vulnerability information, and retain reception logs for at least 6 months.
Repair: after discovering or learning of a security vulnerability in its networks, information systems or equipment, immediately take measures to verify it and complete the repair in a timely manner.

1.2.2 The Regulations encourage enterprises to establish a security vulnerability reward mechanism

Provisions:
Article 6: relevant organizations and individuals are encouraged to notify network product providers of security vulnerabilities in their products.
Article 7: network product providers are encouraged to establish a reward mechanism for security vulnerabilities in the products they provide, rewarding organizations or individuals who discover and report them.

Impact:
White hats are a technical force that cannot be ignored in China's Internet industry. Most network product providers now run their own Security Response Center (SRC), and these SRCs hold annual award events for vulnerability reporters, in effect paying external white hats to help improve product security. The Regulations further formalize vulnerability management at the level of policy and regulation, standardize the handling and life-cycle process for network product vulnerabilities, and prohibit the use of vulnerabilities for illegal activities.
The Regulations also encourage the various entities in the security ecosystem to play to their strengths, mobilize enterprises and social organizations to build their own vulnerability management platforms, and take part in vulnerability discovery, collection and publication in a standardized way.

The release of the Regulations is therefore also good news for companies that operate vulnerability platforms or develop vulnerability life-cycle management platforms.

1.2.3 Requirements the Regulations place on vulnerability publication

(1) Vulnerability information must not be published before the network product provider has provided repair measures; if early publication is considered necessary, it must be assessed and negotiated jointly with the product provider and reported to the Ministry of Industry and Information Technology and the Ministry of Public Security, and may be published only after their assessment.
(2) Details of security vulnerabilities in the networks, information systems and equipment used by network operators must not be published.
(3) The harm and risk of a vulnerability must not be deliberately exaggerated, and vulnerability information must not be used for malicious hype, fraud, extortion or other illegal and criminal activities.
(4) Programs and tools specifically designed to exploit network product security vulnerabilities for activities that endanger network security must not be published or provided.
(5) Repair or mitigation measures must be published together with the vulnerability.
(6) During major national events, vulnerability information must not be published without the consent of the Ministry of Public Security.
(7) Undisclosed vulnerability information must not be provided to overseas organizations or individuals other than the network product provider.
(8) Other relevant provisions of laws and regulations apply.

1.2.4 Requirements the Regulations place on vulnerability collection platforms

(1) Organizations engaged in discovering and collecting network product security vulnerabilities must strengthen internal management and take measures to prevent vulnerability information from leaking or being published in violation of the rules.
(2) Vulnerability collection platforms must file with the Ministry of Industry and Information Technology, which notifies the Ministry of Public Security and the Cyberspace Administration of China and then publishes the list of platforms that have completed filing.
(3) Organizations are encouraged to report network product security vulnerability information to the four major platforms: the MIIT Network Security Threat and Vulnerability Information Sharing Platform, the vulnerability platform of the National Network and Information Security Information Notification Center, the vulnerability platform of the National Computer Network Emergency Response Technical Team/Coordination Center (CNCERT), and the vulnerability database of the China Information Technology Security Evaluation Center (CNNVD).

1.2.5 Penalties under the Regulations

(1) A network product provider that fails to take repair or reporting measures as required is dealt with by the Ministry of Industry and Information Technology and the Ministry of Public Security according to their respective responsibilities.
(2) A network operator that fails to take repair or preventive measures as required is dealt with by the competent department according to law; where the conduct falls under Article 62 of the Cybersecurity Law of the People's Republic of China, it is punished under that article.
(3) Anyone who collects or publishes vulnerability information in violation of the Regulations is dealt with by the Ministry of Industry and Information Technology and the Ministry of Public Security according to their respective responsibilities.
(4) Anyone who uses network product security vulnerabilities to endanger network security, or provides technical support to others for such activities, is dealt with by the public security organs according to law.

2. Vulnerability management pain points in real scenarios

The number of network security vulnerabilities keeps growing rapidly. With the roll-out of Multi-Level Protection Scheme 2.0 (MLPS 2.0) and the issuance of the Regulations, vulnerability management, the most basic and most important link in network security protection, cannot be relaxed at any time.

2.1 Major Security Risks Faced by Enterprises

In recent years, with the rapid development of the Internet, network products that implement all kinds of networked interactive functions are used ever more widely, and security problems caused by software and hardware vulnerabilities have followed. Statistics from CNNVD, China's national information security vulnerability database, show that as of June 30, 2021 it had collected 9,639 vulnerabilities affecting the Chinese Internet in the first half of the year, an average of 1,607 per month.

The Ministry of Public Security's HVV network protection exercises of the past two years list slow vulnerability repair as one of the 12 major security problems.

Whether from Gartner's research or from the hands-on experience summarized from the Ministry of Public Security's network protection exercises, the main cause of security incidents is that known security vulnerabilities are not discovered and remediated effectively. Known vulnerabilities are a major risk. To discover and fix critical vulnerabilities in time, what matters most is comprehensive detection capability and an efficient closed-loop vulnerability management capability.

2.2 Pain points in the real vulnerability life cycle

By 2019 China Eastern Airlines' application vulnerability life cycle already formed a closed loop, but much of the work was done manually or offline and was cumbersome. In the detection stage, security staff found vulnerabilities through scans by individual security devices and manual penetration testing. The pain points were many:

2.2.1 Pain points in the vulnerability detection stage

1. The internal and external network assets are huge, which makes vulnerability scanning difficult.
2. Test scripts have to be written by hand, and completing a test needs a great deal of continuous manual intervention.

2.2.2 Pain points in the vulnerability rating stage

After a vulnerability is detected, its risk level is calculated by hand from the metric values of the international CVSS scoring standard, and the repair period is set accordingly.

2.2.3 Pain points in the report writing stage

Security staff repeatedly write large numbers of remediation plans and vulnerability test reports.

2.2.4 Pain points in the asset identification stage

After the report is written, asset information has to be looked up through several channels, including phone and e-mail enquiries to the project team, host team and network department, to confirm who is responsible for the asset. This produces a flood of asset-confirmation e-mails and phone calls, makes timely and accurate confirmation difficult, and drives up labour cost.

2.2.5 Pain points in the vulnerability retesting stage

During a detection project, the volume of information gathering, e-mail communication and vulnerability tracking makes problem solving extremely complicated and consumes much of the security staff's energy and time. Sending the vulnerability to the project manager by e-mail is followed by extensive back-and-forth on the repair plan by phone, WeChat and e-mail; after the project side fixes the vulnerability it notifies security, who retest until the vulnerability can be closed.
Records show that in 2018 a single security staff member sent more than 1,200 e-mails for vulnerability repair and retesting alone.

2.2.6 Pain points in the vulnerability storage stage

1. The risk caused by vulnerabilities cannot be quantified, so vulnerability operations cannot be refined.
2. Detected vulnerability data is kept in Excel. Overdue unrepaired vulnerabilities are marked yellow and tracked manually, and the weekly information security testing report is compiled from the sheet.
3. There is no way to accumulate historical vulnerabilities and repair advice by application-layer vulnerability type, to produce security training material from them, or to gather statistics on the security awareness of each department, let alone each individual.

3. Maturity stages of vulnerability management

Comparing the five maturity stages, most enterprises are at the second or third stage, that is, the state before a vulnerability management system is established, still some way from the final goal of reduced enterprise security risk once the platform is complete.

4. Practical exploration of the China Eastern Airlines vulnerability management platform

Technical level: the vulnerability management platform manages all security vulnerabilities in the company, tracks and processes the whole vulnerability life cycle online, guarantees that the handling process is traceable, maintainable and executed efficiently, visualizes and quantifies vulnerability risk, and supports vulnerability management and operations work; it also accumulates the company's vulnerability and security experience into a security knowledge base of its own.
Management level: two management documents, the vulnerability management regulations and the security liaison mechanism for branch companies, define and clarify the overall vulnerability handling process, the basis for vulnerability rating, repair time limits and the corresponding information security liaisons.
Operational level: vulnerability operation indicators are defined and clarified, dedicated staff are made responsible, and vulnerability risk is quantified and visualized from multiple dimensions; through continuous vulnerability operations the whole handling process forms a closed loop.

4.1 Practical exploration of the China Eastern Airlines vulnerability management platform - Continuous security scanning operation process

Solving the problem of a large number of scattered assets:
China Eastern Airlines Group has more than a dozen subsidiaries, with a complicated mix of Internet outlets and intranet dedicated lines and more than 100,000 assets in total. We deployed asset survey and mapping nodes on both the internal and external networks to cover the group headquarters and the subsidiaries. APIs connect the various host and web vulnerability scanners, weekly and monthly scheduled scan tasks can be configured separately, and vulnerabilities and asset fingerprints are monitored. All of this data is synchronized automatically to the vulnerability management system for centralized management.

Connecting assets to the organizational structure:
We also integrated the asset information from the core data center CMDB with the group's personnel organizational structure, so that a production data center server can be mapped to its organizational unit and owner at any time. When a new domain name or port appears on the external network it is entered automatically into the asset module through the API, and the asset module marks each week's newly added assets in a different colour.

High-risk emergency scanning:
During HVV or an early-warning period for a high-risk vulnerability, if a PoC is available we can write a script directly or update the distributed scanners, and run a rapid coverage scan of the single high-risk port or service across all assets, greatly reducing the danger of an Nday or 0day.
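The two mechanisms above, the weekly diff that colour-marks newly appeared endpoints and the single-port emergency scan across the whole inventory, are shown below as an added example written for this article; it is not China Eastern Airlines' code. The asset schema (host, port, service, version, exposure), the two scanning-node names and both inventory snapshots are assumptions constructed for illustration.

```python
"""Added example (not China Eastern Airlines' code): weekly asset-inventory
diff and target selection for a single-port emergency scan, as described in
section 4.1. The asset schema, the two scanning-node names and both
inventories below are constructed for illustration, not real data."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Asset:
    host: str
    port: int
    service: str   # fingerprinted service, e.g. "http", "ssh"
    version: str   # fingerprinted version banner, "" if unknown
    exposure: str  # "external" (Internet outlet) or "internal" (intranet line)

    @property
    def endpoint(self) -> tuple:
        # host:port identifies an exposed endpoint; a changed banner on the
        # same endpoint is reported as "changed", not as a new asset
        return (self.host, self.port)


def diff_inventory(last_week: Iterable[Asset], this_week: Iterable[Asset]) -> dict:
    """Classify this week's endpoints against last week's snapshot.
    The "new" list is what the asset module colour-marks for the week."""
    old = {a.endpoint: a for a in last_week}
    new = {a.endpoint: a for a in this_week}
    report = {"new": [], "changed": [], "unchanged": [], "removed": []}
    for ep, asset in sorted(new.items()):
        if ep not in old:
            report["new"].append(asset)
        elif old[ep] != asset:
            report["changed"].append(asset)
        else:
            report["unchanged"].append(asset)
    report["removed"] = [old[ep] for ep in sorted(old.keys() - new.keys())]
    return report


def emergency_scan_targets(assets: Iterable[Asset], port: Optional[int] = None,
                           service: Optional[str] = None,
                           version_prefix: Optional[str] = None,
                           external_only: bool = False) -> list:
    """Pick endpoints for a rapid coverage scan when a high-risk Nday/0day
    advisory arrives: filter the whole inventory by port, service fingerprint
    and optionally version banner instead of rescanning everything."""
    targets = []
    for a in assets:
        if port is not None and a.port != port:
            continue
        if service is not None and a.service != service:
            continue
        if version_prefix is not None and not a.version.startswith(version_prefix):
            continue
        if external_only and a.exposure != "external":
            continue
        targets.append(f"{a.host}:{a.port}")
    return sorted(targets)


def assign_to_nodes(assets: Iterable[Asset], targets: list) -> dict:
    """Route each target to the survey node that can reach it: Internet
    assets to the external node, intranet assets to the internal node
    (node names are assumptions)."""
    exposure_of = {f"{a.host}:{a.port}": a.exposure for a in assets}
    jobs = {"external-node": [], "internal-node": []}
    for t in targets:
        node = "external-node" if exposure_of[t] == "external" else "internal-node"
        jobs[node].append(t)
    return jobs


# Constructed sample snapshots (documentation/private addresses, not real hosts)
LAST_WEEK = [
    Asset("10.1.1.10", 22, "ssh", "OpenSSH 7.4", "internal"),
    Asset("10.1.1.20", 443, "http", "nginx/1.18.0", "internal"),
    Asset("203.0.113.5", 443, "http", "nginx/1.18.0", "external"),
    Asset("203.0.113.6", 8080, "http", "Tomcat/8.5", "external"),
]
THIS_WEEK = [
    Asset("10.1.1.10", 22, "ssh", "OpenSSH 7.4", "internal"),       # unchanged
    Asset("10.1.1.20", 443, "http", "nginx/1.20.1", "internal"),    # version changed
    Asset("203.0.113.5", 443, "http", "nginx/1.18.0", "external"),  # unchanged
    Asset("203.0.113.7", 443, "http", "nginx/1.18.0", "external"),  # new external endpoint
]

if __name__ == "__main__":
    report = diff_inventory(LAST_WEEK, THIS_WEEK)
    print("new this week:", [f"{a.host}:{a.port}" for a in report["new"]])
    # hypothetical advisory: a flaw in nginx 1.18.x reachable on port 443
    targets = emergency_scan_targets(THIS_WEEK, port=443, version_prefix="nginx/1.18")
    print("emergency scan jobs:", assign_to_nodes(THIS_WEEK, targets))
```

Keying the diff on host:port rather than on the whole record is deliberate: a version change on a known endpoint is operationally different from a new exposure and should not be lost in the "new assets" colour mark. The emergency selection filters on fingerprint data that the weekly scans already collected, which is what makes the single-port scan fast enough to matter during an HVV alert.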

Using vulnerabilities in the situational awareness system:
We feed the vulnerabilities from vulnerability management into the enterprise situational awareness system as attributes of the affected asset. In real HVV cases we found that when an attack triggers the payload for a particular vulnerability and the asset really does carry that vulnerability, the emergency process can be started immediately to handle the incident.

4.2 Practical exploration of the China Eastern Airlines vulnerability management platform - Full life-cycle tracking of vulnerabilities on the platform

The China Eastern Airlines security vulnerability management platform is built around the full life cycle of a vulnerability. The repair process is divided into five stages, and whenever the status of a vulnerability changes the system automatically sends an e-mail reminder to the parties concerned.

Pending review:
Vulnerabilities enter the pending-review queue through the API or online submission from various channels (vulnerability scanners, black-box testing, penetration test findings, etc.). Security experts receive an e-mail notification and perform the second confirmation, review and rating of the vulnerability.

Confirmed:
On receiving the new-vulnerability reminder e-mail (with the department leader and security liaison in CC), the person in charge of the asset logs in to the platform, checks the vulnerability details and assesses the repair schedule.

Repair stage:
The vulnerability now enters the repair stage. The person in charge of the asset repairs it as circumstances allow, and the report can be exported to PDF and other formats for R&D to work from.
If at this stage the risk is judged controllable, risk acceptance can be initiated online; it requires uploading the supervisor's e-mail or written approval.
If at this stage the asset ownership turns out to be wrong, the asset can be reported and transferred directly to the correct person in charge.

Retest stage:
When the repair is complete, the person in charge of the asset clicks "submit for retest" on the platform, and the system sends a reminder e-mail to the security expert, who verifies whether the vulnerability has actually been fixed.
If verification passes, the vulnerability submitter clicks "Repair complete" and the vulnerability moves automatically to the next stage; if it fails, the submitter clicks "Refix" and the vulnerability automatically returns to the previous stage.

Closing stage:
In the closing stage, the "Synchronize knowledge base" button copies the detailed repair advice for the vulnerability into the knowledge base for that vulnerability type, after which the close button completes archiving.
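The life cycle just described, as an added example written for this article rather than the platform's own code: an explicit state machine in which every transition is checked against the role that may trigger it and every state change produces a notification. Role names, the risk-acceptance state, the rule that acceptance needs an uploaded approval, and the asset-transfer step are modelled from the section above; the false-positive "reject" path at review and the sample vulnerability record are assumptions.

```python
"""Added example (not the platform's own code): the five-stage vulnerability
life cycle from section 4.2 as a state machine with per-role transition
checks and notifications on every state change. The reject path at review
and the sample record below are assumptions, not taken from the page."""
from dataclasses import dataclass, field

# (current state, action) -> (next state, roles allowed to trigger it)
TRANSITIONS = {
    ("PENDING_REVIEW", "confirm"):         ("CONFIRMED",     {"security_expert"}),
    ("PENDING_REVIEW", "reject"):          ("CLOSED",        {"security_expert"}),  # assumed false-positive path
    ("CONFIRMED",      "start_repair"):    ("REPAIRING",     {"asset_owner", "security_liaison"}),
    ("REPAIRING",      "submit_retest"):   ("RETESTING",     {"asset_owner", "security_liaison"}),
    ("REPAIRING",      "accept_risk"):     ("RISK_ACCEPTED", {"asset_owner", "security_liaison"}),
    ("RETESTING",      "repair_complete"): ("FIXED",         {"security_expert"}),
    ("RETESTING",      "refix"):           ("REPAIRING",     {"security_expert"}),
    ("FIXED",          "close"):           ("CLOSED",        {"security_expert"}),
}
FINAL_STATES = {"CLOSED", "RISK_ACCEPTED"}


@dataclass
class Vulnerability:
    vid: str
    asset: str
    owner: str          # asset applicant, first person in charge
    liaison: str        # department security liaison, second in charge
    dept_leader: str    # CC'd on the new-vulnerability mail
    expert: str         # reviewing security expert
    state: str = "PENDING_REVIEW"
    severity: str = ""
    history: list = field(default_factory=list)
    outbox: list = field(default_factory=list)  # (recipient, subject) stands in for e-mail

    def _notify(self, recipients, subject):
        for r in recipients:
            self.outbox.append((r, f"[{self.vid}] {subject}"))

    def transition(self, action: str, actor_role: str, **data) -> str:
        """Apply one workflow action; the caller's role decides whether it is allowed."""
        key = (self.state, action)
        if key not in TRANSITIONS:
            raise ValueError(f"{action!r} is not allowed from state {self.state}")
        nxt, roles = TRANSITIONS[key]
        if actor_role not in roles:
            raise PermissionError(f"role {actor_role!r} may not {action!r}")
        if action == "confirm":
            if not data.get("severity"):
                raise ValueError("confirm requires a severity rating")
            self.severity = data["severity"]
        if action == "accept_risk" and not data.get("approval"):
            # the supervisor's e-mail or written approval must be attached
            raise ValueError("risk acceptance requires an uploaded approval")
        prev, self.state = self.state, nxt
        self.history.append((prev, action, nxt, actor_role))
        # each state change mails the party that has to act next
        if nxt == "CONFIRMED":
            self._notify([self.owner, self.liaison, self.dept_leader],
                         "new vulnerability, please evaluate the repair schedule")
        elif nxt == "RETESTING":
            self._notify([self.expert], "repair submitted, please retest")
        elif action == "refix":
            self._notify([self.owner, self.liaison], "retest failed, please fix again")
        elif nxt in FINAL_STATES:
            self._notify([self.owner, self.expert], f"vulnerability {nxt.lower()}")
        return self.state

    def transfer_asset(self, new_owner: str, actor_role: str) -> None:
        """Re-route a mis-attributed asset to its real owner without resetting
        the workflow; only while the vulnerability is still open."""
        if self.state in FINAL_STATES:
            raise ValueError("cannot transfer a closed vulnerability")
        if actor_role not in {"asset_owner", "security_liaison", "security_expert"}:
            raise PermissionError("not allowed to transfer")
        old, self.owner = self.owner, new_owner
        self.history.append((self.state, f"transfer:{old}->{new_owner}", self.state, actor_role))
        self._notify([new_owner], "asset ownership transferred to you, please handle")


def run_normal_flow() -> Vulnerability:
    """Constructed walk-through: confirm, repair, retest fails, refix, retest passes, close."""
    v = Vulnerability("VUL-0001", "crm.example.internal", owner="dev_a",
                      liaison="liaison_a", dept_leader="lead_a", expert="sec_1")
    v.transition("confirm", "security_expert", severity="High")
    v.transition("start_repair", "asset_owner")
    v.transition("submit_retest", "asset_owner")
    v.transition("refix", "security_expert")
    v.transition("submit_retest", "asset_owner")
    v.transition("repair_complete", "security_expert")
    v.transition("close", "security_expert")
    return v


if __name__ == "__main__":
    done = run_normal_flow()
    print(done.state, len(done.history), "transitions,", len(done.outbox), "mails sent")
```

Keeping the transition table as data, with the allowed roles beside each edge, is what makes the "automatic e-mail on every status change" and the "Refix returns to the previous stage" rules auditable: the history list is the traceability the platform promises, and an ordinary user cannot mark their own vulnerability fixed because no edge grants that role the action.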

4.3 Practical exploration of the China Eastern Airlines vulnerability management platform - Six core functional modules

The platform implements six core functional modules: asset management, vulnerability management, vulnerability statistics, personal center, task management and vulnerability knowledge base.

Vulnerability management: besides the basic life-cycle management functions it covers vulnerability rating (with an embedded CVSS 3.0 vector calculator), vulnerability source and type management, and separate repair deadlines for internal-network and external-network vulnerabilities.
Vulnerability statistics: quantifies and visualizes the vulnerability situation from multiple dimensions, with the related charts and lists exportable directly.
Personal center: the user's vulnerability-related to-do items at a glance.
Task management: a feature for pre-launch security testing of projects. For non-agile projects the project manager can request and track testing directly in vulnerability management; the platform automatically pulls source code from the git and svn repositories for code-audit scanning, attaches the results to the project, and after the security experts pass the review the project's launch security inspection report is generated automatically.
Vulnerability knowledge base: repair solutions and accumulated technical know-how.

Asset management module

Asset management: the core functions are adding, editing and deleting assets and the asset list, and associating each asset with its department, security liaison and person in charge. Active monitoring of assets and reading CMDB data through its API let us correlate asset fingerprints and port/service information for further use.

Vulnerability management module

Vulnerability management: covers both common host vulnerabilities and web application vulnerabilities. In the detail view, as long as the asset is associated with a department in the organizational structure, that department's security liaison is matched to it automatically. The asset's applicant is the first person in charge and the department's security liaison the second; the liaison takes a great deal of pressure off the security team, for example by chasing overdue vulnerabilities each week and following up internal comments.

4.4 Practical exploration of the China Eastern Airlines vulnerability management platform - Detailed design of vulnerability management

The original article shows screenshots of the vulnerability submission interface, the vulnerability alert e-mail and the project launch security test pass report (not reproduced here).

4.5 Practical exploration of the China Eastern Airlines vulnerability management platform - Multi-dimensional monitoring and analysis of the vulnerability situation

Statistical analysis of the vulnerability data at different points in time and across different organizational units, such as weekly and monthly vulnerability proportions, the review rate of the security experts, and counts of processed and pending vulnerabilities in each state, is of great value in weekly and monthly security data analysis.

1. Each quarter the information security department ranks the top 10 vulnerability types, produces a repair training plan and runs training for the R&D department using real vulnerability scenarios.
2. The repair advice for each vulnerability type lives in the system's knowledge base, which security staff can maintain and update at any time. Because several scanners and security devices are integrated, we try to let the source of a knowledge entry be chosen from multiple channels, so that developers get the most convenient repair guidance.
3. Different roles, with their different permissions, can see the historical vulnerabilities of a given type in the system, which makes it easier to collect real case material for later security training.
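The statistics this section and section 2.2.6 talk about (overdue vulnerabilities per department, which used to be the yellow cells in Excel; the quarterly top-N vulnerability types that drive the training plan; and a weekly summary including the experts' review rate) are computed below over a small constructed record set. This is an added example written for this article, not the platform's reporting code; the record fields, departments and dates are assumptions.

```python
"""Added example (not the platform's code): the section 4.5 statistics over a
constructed set of vulnerability records. Record fields, departments and
dates are assumptions for illustration."""
from collections import Counter
from datetime import date, timedelta

OPEN_STATES = {"PENDING_REVIEW", "CONFIRMED", "REPAIRING", "RETESTING"}


def _d(s):
    """ISO date string -> date; None stays None."""
    return date.fromisoformat(s) if s else None


def is_open(r) -> bool:
    return r["state"] in OPEN_STATES


def overdue(records, today: str) -> list:
    """Open vulnerabilities whose repair deadline has already passed."""
    t = _d(today)
    return [r for r in records if is_open(r) and r["due"] is not None and r["due"] < t]


def overdue_by_department(records, today: str) -> dict:
    return dict(Counter(r["dept"] for r in overdue(records, today)))


def quarter_of(d: date) -> tuple:
    return (d.year, (d.month - 1) // 3 + 1)


def top_types(records, year: int, quarter: int, n: int = 10) -> list:
    """Most frequent vulnerability types confirmed in the given quarter
    (unconfirmed, still-pending reports are excluded)."""
    counts = Counter(r["type"] for r in records
                     if r["confirmed"] is not None and quarter_of(r["confirmed"]) == (year, quarter))
    return counts.most_common(n)


def weekly_summary(records, week_start: str) -> dict:
    """Weekly figures: reports submitted and how many of them the experts
    have reviewed, closures, open backlog at week end and the state mix."""
    start = _d(week_start)
    end = start + timedelta(days=7)  # exclusive

    def in_week(d):
        return d is not None and start <= d < end

    submitted = [r for r in records if in_week(r["submitted"])]
    reviewed = [r for r in submitted if r["confirmed"] is not None]
    closed = [r for r in records if in_week(r["closed"])]
    return {
        "submitted": len(submitted),
        "review_rate": round(len(reviewed) / len(submitted), 2) if submitted else None,
        "closed": len(closed),
        "open_backlog": sum(1 for r in records if is_open(r)),
        "by_state": dict(Counter(r["state"] for r in records)),
    }


def rec(vid, vtype, dept, submitted, confirmed, due, closed, state):
    return dict(id=vid, type=vtype, dept=dept, submitted=_d(submitted),
                confirmed=_d(confirmed), due=_d(due), closed=_d(closed), state=state)


# Constructed sample records (illustrative departments and dates)
RECORDS = [
    rec("V1", "SQL injection", "Sales IT", "2021-07-05", "2021-07-06", "2021-07-13", "2021-07-12", "CLOSED"),
    rec("V2", "XSS",           "Sales IT", "2021-07-07", "2021-07-08", "2021-08-07", None,         "REPAIRING"),
    rec("V3", "SQL injection", "Cargo IT", "2021-07-20", "2021-07-21", "2021-07-28", None,         "RETESTING"),
    rec("V4", "Weak password", "Cargo IT", "2021-08-02", "2021-08-03", "2021-08-10", "2021-08-05", "CLOSED"),
    rec("V5", "SQL injection", "Ops",      "2021-08-03", None,         None,         None,         "PENDING_REVIEW"),
    rec("V6", "XSS",           "Ops",      "2021-06-28", "2021-06-29", "2021-07-29", None,         "RISK_ACCEPTED"),
]

if __name__ == "__main__":
    print("overdue per department:", overdue_by_department(RECORDS, "2021-08-06"))
    print("Q3 2021 top types:", top_types(RECORDS, 2021, 3))
    print("week of 2021-08-02:", weekly_summary(RECORDS, "2021-08-02"))
```

Note that a risk-accepted vulnerability is neither open nor overdue in these figures, and a report still pending review has no deadline yet: both are counted in the state mix but deliberately kept out of the overdue list, so the department ranking only chases items somebody can actually act on.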

4.6 Practical exploration of the China Eastern Airlines vulnerability management platform - Roles, accounts and the personal center

Role management
Five roles: security expert, security liaison, department leader, ordinary user, administrator.
Security expert: submit and control vulnerabilities, manage assets.
Security liaison: view and manage all vulnerabilities and assets of their own department.
Ordinary user: view and manage the assets and vulnerabilities they are responsible for.

Structured account management
Connected to the internal account system, synchronizing the organizational structure and account information automatically.
Security controls: login is connected to the enterprise WeChat messaging platform for a two-factor verification code, and accounts can be banned from logging in.

Personal center
Security expert: sees vulnerabilities awaiting review and retest, overdue vulnerabilities, and weekly and monthly processed-vulnerability activity.
Security liaison: sees the department's vulnerabilities awaiting repair, overdue vulnerabilities, and weekly and monthly activity.
Ordinary user: sees their own vulnerabilities awaiting repair, overdue vulnerabilities and those processed this week.
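The role scoping above only protects anything if it is enforced on the server for every list and every detail request, not just in the menu the user sees. The following added example, written for this article and not the platform's code, applies one authorization rule both to the Personal Center lists and to a lookup by vulnerability ID, so a liaison of one department cannot open another department's vulnerability by guessing its identifier. Users, departments and records are constructed; that the administrator sees everything is an assumption the page does not state.

```python
"""Added example (not the platform's code): server-side data scoping for the
roles in section 4.6, applied to list views and to detail lookups by ID.
Users, departments and records are constructed; the administrator role is
assumed to see everything."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str
    role: str        # security_expert | security_liaison | department_leader | ordinary_user | administrator
    department: str


@dataclass(frozen=True)
class Vuln:
    vid: str
    department: str
    owner: str       # asset applicant, first person in charge
    state: str


OPEN_STATES = {"PENDING_REVIEW", "CONFIRMED", "REPAIRING", "RETESTING"}


def can_view(user: User, vuln: Vuln) -> bool:
    """The single authorization rule, evaluated per record. Unknown roles are denied."""
    if user.role in ("security_expert", "administrator"):
        return True
    if user.role in ("security_liaison", "department_leader"):
        return vuln.department == user.department
    if user.role == "ordinary_user":
        return vuln.owner == user.username
    return False


def visible(user: User, vulns) -> list:
    return [v for v in vulns if can_view(user, v)]


def todo(user: User, vulns) -> list:
    """Personal Center to-do list: experts see what needs review or retest,
    liaisons and users see the open vulnerabilities inside their own scope."""
    if user.role == "security_expert":
        return [v for v in vulns if v.state in ("PENDING_REVIEW", "RETESTING")]
    return [v for v in visible(user, vulns) if v.state in OPEN_STATES]


def get_vuln_detail(user: User, vid: str, vulns) -> Vuln:
    """Detail lookup the way the web handler should do it: find the record by
    ID, then apply the same scoping rule. An out-of-scope ID gets the same
    'not found' as a nonexistent one, so other departments' IDs are not
    confirmed to the caller."""
    for v in vulns:
        if v.vid == vid:
            if can_view(user, v):
                return v
            break
    raise LookupError(f"vulnerability {vid} not found")


# Constructed users and records
EXPERT = User("sec_1", "security_expert", "Information Security")
LIAISON_A = User("liaison_a", "security_liaison", "Dept A")
USER_X = User("dev_x", "ordinary_user", "Dept A")
VULNS = [
    Vuln("V1", "Dept A", "dev_x", "PENDING_REVIEW"),
    Vuln("V2", "Dept A", "dev_y", "REPAIRING"),
    Vuln("V3", "Dept B", "dev_z", "RETESTING"),
    Vuln("V4", "Dept B", "dev_z", "CLOSED"),
]

if __name__ == "__main__":
    for u in (EXPERT, LIAISON_A, USER_X):
        print(u.username, "sees", [v.vid for v in visible(u, VULNS)],
              "to-do", [v.vid for v in todo(u, VULNS)])
```

Routing every read through can_view, including the by-ID path, is the point: the platform holds vulnerability details for the whole group, and an insecure direct object reference in the detail page would hand one department's unfixed findings to any logged-in account.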

4.7 Practical exploration of the China Eastern Airlines vulnerability management platform - Value of the vulnerability management platform

5. Closing remarks

Having a vulnerability management platform is not enough by itself. If the platform exists but nobody uses it, its value is never realized. Doing vulnerability management well therefore needs the three levels of technology, management and operations to work together and reinforce each other.

Management means clarify and standardize the vulnerability repair process and the responsibilities of the security liaisons;
technical means realize and guarantee efficient and effective execution of the vulnerability process, quantify and visualize vulnerability risk, and support vulnerability management and operations work;

finally, through continuous vulnerability operations, the whole vulnerability handling process forms a complete closed loop and is optimized continuously, achieving the goal of steadily improving the level and capability of vulnerability management.


Source: blog.csdn.net/qq_18209847/article/details/123935710