Classified Protection of Cybersecurity (MLPS), part 1: a brief introduction

Table of contents

Classified Protection of Cybersecurity (MLPS), part 1: a brief introduction

Industry overview

Major cyber security incidents at home and abroad

1. The Iran Stuxnet incident and the Stuxnet virus

2. The Hikvision video weak-password incident

3. The Mirai virus and video security

4. Security vulnerabilities in the camera itself

Common camera protection equipment

5. The Ukraine substation incident

6. The Venezuela substation incident

7. The leak of a certain drawing

8. A website was hacked

9. The Snowden incident

……

The MLPS system

Five steps of MLPS

Graded protection (for state secrets)

Classified protection (MLPS)

1. Grading process

2. Content of each protection level

3. Assessment frequency

MLPS assessment

Security technology assessment

Security management assessment

Which stages are rated high, medium and low?

What are excellent, medium and poor?

What is the difference between key items and risk items in MLPS?


Industry overview

MLPS (classified protection) originated in 2004. Before 2017 it was framed as information security; from 2017 on it has been framed as network (cyber) security.

The full name of the MLPS assessment is Information Security Classified Protection Assessment. It is the activity in which an assessment institution qualified by the Ministry of Public Security, entrusted by the relevant unit, evaluates and monitors the security protection status of an information system under the national classified-protection regulations and in accordance with the relevant management norms and technical standards.

Major cyber security incidents at home and abroad

Fear is the pain point, the pain point is the need, and the need is money (being able to hold a high-level conversation is the basis for communicating with high-end customers).

1. The Iran Stuxnet incident and the Stuxnet virus

Stuxnet is a worm (created in 2010).

  • Features: very strong self-replication and destructive capability
  • Attack target: programmable logic controllers (PLCs) used in industry
  • Transmission method: USB flash drives
  • Damage: changes the speed of the centrifuges by modifying part of the controller's control code
  • Impact: network security expanded into industrial control security and cyberspace security

It is not harmful to ordinary computers. It only infects Siemens PLC control files and periodically modifies the controller configuration files. From November 2009 to January 2010 it destroyed more than 1,000 centrifuges.

2. The Hikvision video weak-password incident

The vulnerability, reported in 2014, was a weak root password and a weak web back-end password: anyone who reaches the administrator interface with the weak password can control the camera.

3. The Mirai virus and video security

Mirai infects IoT devices that have security vulnerabilities or built-in default passwords and herds them into launching targeted attacks against a victim's network. Network surveillance cameras, DVRs, routers and other home network devices can all be infected.

4. Security vulnerabilities in the camera itself

  • Weak passwords on the camera system
  • Replacing the camera with a terminal device (the camera's network cable is unplugged and connected to a terminal instead, which can then scan devices on the same internal network segment)
  • Unnecessary remote services
  • Vulnerabilities in system components and applications

Common camera protection equipment
  • H3C: Eagle Vision
  • Ruijie: ISG (video security protection)
  • DPUK: video security access gateway

These admit front-end cameras onto the network while preventing foreign devices from connecting, by MAC address binding.

5. The Ukraine substation incident

December 2015

Phishing email → malware download used as a foothold → control of the equipment in the configuration area and issuing of power-off commands → a DDoS attack to block others from communicating with the power station

6. The Venezuela substation incident

March 2019

  • Directly: blowing up the power plant
  • Indirectly: blowing up the energy supply
  • Now: hackers disrupt the power plant

Industries more willing to spend money on security:

Financial and securities industry, government, China Tobacco, the power grid, public security, and classified military work

7. The leak of a certain drawing

Shielded twisted pair: a foil shield prevents the magnetic field inside the cable from leaking out.

Where unshielded twisted pair is used, put it in shielded cabinets.

Nowadays optical fibre is generally used, and it has no magnetic field.

8. A website was hacked

Website protection measures: WAF

Database audit

9. The Snowden incident

2013

Citizenfour: a documentary introduction to the Snowden affair

……

The MLPS system

Five steps of MLPS

The five steps of information security classified protection are: grading, filing, construction and rectification, level assessment, and supervision and inspection. The details are as follows:

  • 1. Grading: determine the security level of the information system from its importance, its security risks and other factors.
  • 2. Filing: file the security level, security measures and so on of the information system with the competent department, and accept its supervision and management.
  • 3. Construction and rectification: according to the security level and security assurance requirements of the information system, formulate the corresponding security construction plans and rectification measures and implement them.
  • 4. Level assessment: conduct a security level assessment of information systems that have completed construction and rectification, to evaluate their security capabilities and actual security conditions.
  • 5. Supervision and inspection: the competent department supervises and inspects the security level and security measures of the information system, and promptly corrects and deals with any problems found, to ensure the security and reliability of the information system.

(Note that the order of rectification and assessment here can be adjusted flexibly; there is no fixed requirement.)

Graded protection (for state secrets)

The importance of the information determines the level, which is divided into three levels: secret, confidential and top secret. It is the responsibility of the National Security Bureau.

Classified protection (MLPS)

MLPS (information security classified protection) refers to the classified security protection of important national information systems, critical information infrastructure and important information resources. The Ministry of Public Security (MPS) scheme has five levels: Level 1, Level 2, Level 3, Level 4 and Level 5.

1. Grading process

The main basis for grading is the status, role and value of the information system in national security and in economic and social development, together with its security risks, its security assurance capabilities and other factors. The grading process consists of the following steps:

  • 1. Determine the grading objects: identify the information systems or information resources that need protection.
  • 2. Determine the grading unit: identify the unit responsible for organizing and implementing the classified protection work.
  • 3. Determine the basis for grading: identify the basis and standards for grading, including national laws and regulations, policy documents, standards and specifications.
  • 4. Conduct a risk assessment: carry out a comprehensive risk assessment of the information system to determine its security risk level and security assurance capabilities.
  • 5. Determine the protection level: determine the classified protection level of the information system from the risk assessment results and the grading basis.
  • 6. File and publicize: file and publicize information such as the protection level and protection measures of the information system, and accept public supervision.

The purpose of grading is to safeguard national security and social stability, prevent information systems from being attacked by hackers, infected by viruses or otherwise threatened, and protect the security of important national information resources and critical information infrastructure.

2. Content of each protection level

Under classified protection the requirements differ by level. The following are some basic requirements:

  • 1. Level 1 (autonomous protection level): can resist malicious attacks launched by individuals with few resources, and protects the basic functions of the system from being destroyed.
  • 2. Level 2 (guidance protection level): can resist attacks from external attackers, and prevents the system from being seriously damaged.
  • 3. Level 3 (supervision protection level): can resist attacks from internal attackers, prevents the leakage of confidential information, and protects the key functions of the system from being destroyed.
  • 4. Level 4 (mandatory protection level): can resist attacks from state-level attackers, prevents confidential information from being stolen, and protects national security and social stability.
  • 5. Level 5 (special control protection level): can resist high-level attacks from hostile forces, prevents national security and confidential information from being stolen, and protects national security and social stability.

The requirements grow stricter as the level rises, covering system security protection measures, security management systems, security technology and security management. Different levels also have different scopes of application: for example, Level 1 applies to individual users and small enterprises, Level 2 to medium-sized enterprises, and Level 3 to the internal systems of state agencies, enterprises and public institutions at or above the prefecture and municipal level; for important information systems, Level 4 applies to important national information systems, and Level 5 to the highest level of national security and confidential information protection.

3. Assessment frequency

According to the "Basic Requirements for Classified Protection of Information Security", the assessment frequency differs by level, as follows:

  • 1. Level 1 (autonomous protection level): no assessment required.
  • 2. Level 2 (guidance protection level): a level assessment at least once every two years.
  • 3. Level 3 (supervision protection level): a level assessment at least once a year.
  • 4. Level 4 (mandatory protection level): a level assessment at least once every six months.
  • 5. Level 5 (special control protection level): a level assessment at least once a month.

Note that the frequencies above apply only to the level assessment, not to other forms of security inspection and monitoring. For those, such as vulnerability scanning and security log auditing, the frequency should be set according to the actual situation. Security protection measures and assessment frequency also need to be adjusted in a timely manner as conditions, needs, security events and security threats change.


MLPS assessment

The main purpose of MLPS is to protect the computer room.

Security technology assessment

Covers: secure physical environment (10 control points), secure communication network (3), secure area boundary (6), secure computing environment (11), security management centre (4)

Security management assessment

Covers: security management system (4 control points), security management organization (5), security management personnel (4), security construction management (10), security operation and maintenance management (14)

Which stages are rated high, medium and low?

  • In the overall evaluation during report preparation, security risks are divided into three levels: high risk, medium risk and low risk.
  • How are high, medium and low risk defined? For details, see the filing process in the "Guidelines for High Risk Determination in Network Security Classified Protection Assessment".
  • The security protection level of an information system is determined by the importance of the system to national security, economic construction and social life, by the degree of harm to national security, social order, public interests and the legitimate rights and interests of citizens, legal persons and other organizations if it is destroyed, and by other factors.

What are excellent, medium and poor?

Excellent, medium and poor are the evaluation results of an information system's MLPS level, graded on the performance shown by the classified-protection assessment results.

  • 1. Excellent: the information system has a high MLPS level and strong security assurance capabilities, and can effectively prevent and respond to a wide range of security threats and risks.
  • 2. Medium: the information system's MLPS level is moderate, its security assurance capability is average, and its security protection measures and management need to be strengthened further.
  • 3. Poor: the information system's MLPS level is low, its security protection capability is insufficient, and there are major security risks and hidden dangers; measures must be taken as soon as possible to strengthen security protection and management.

The excellent, medium and poor results are determined from the actual performance and security assurance capability of the information system at its protection level. They are an evaluation of, and feedback on, the system's classified-protection work, and help guide the development and improvement of its security work.

Excellent, medium and poor appear in the assessment conclusion. (The assessment conclusion is formed during report preparation and has four levels.)

  • 0 to 70 (70 excluded): a high risk exists, or the composite score is below 70
  • 70 to 80 (inclusive): moderate to high risk
  • 80 to 90 (80 included): no high risk
  • 90 to 100 (inclusive): excellent, no high risk
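The two numeric rules on this page, the per-level assessment frequency and the conclusion bands, as a small Python model added here (not code from the original post). It shows that a single high-risk finding overrides the composite score; the band names "medium" and "good", the half-open boundaries [70, 80) and [80, 90), and the AssessmentResult type are assumptions, since the page fixes only the numbers.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Re-assessment interval per MLPS level in months, as listed on the page:
# Level 1 needs no assessment, Level 2 every two years, Level 3 yearly,
# Level 4 every six months, Level 5 monthly.
ASSESSMENT_INTERVAL_MONTHS = {1: None, 2: 24, 3: 12, 4: 6, 5: 1}

@dataclass
class AssessmentResult:          # assumed shape of one assessment report
    level: int                   # filed MLPS level, 1..5
    composite_score: float       # composite score from the report, 0..100
    high_risk_items: int         # number of findings rated "high risk"

def conclusion(result: AssessmentResult) -> str:
    """Map a report to one of the four conclusion levels.

    A single high-risk finding forces the lowest conclusion regardless of
    the score, so that check runs before any score band. The labels
    "medium" and "good" and the half-open boundaries are assumptions.
    """
    score = result.composite_score
    if not 0 <= score <= 100:
        raise ValueError(f"composite score out of range: {score}")
    if result.high_risk_items > 0 or score < 70:
        return "poor"
    if score < 80:
        return "medium"
    if score < 90:
        return "good"
    return "excellent"

def add_months(day: date, months: int) -> date:
    """Advance a date by whole months, clamping the day to the month's end."""
    index = day.month - 1 + months
    year, month = day.year + index // 12, index % 12 + 1
    month_end = (date(year + month // 12, month % 12 + 1, 1) - timedelta(days=1)).day
    return date(year, month, min(day.day, month_end))

def next_assessment_due(level: int, last_assessed: str) -> Optional[str]:
    """ISO date of the next level assessment, or None for Level 1."""
    if level not in ASSESSMENT_INTERVAL_MONTHS:
        raise ValueError(f"unknown MLPS level: {level}")
    months = ASSESSMENT_INTERVAL_MONTHS[level]
    if months is None:
        return None
    return add_months(date.fromisoformat(last_assessed), months).isoformat()
```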

What is the difference between key items and risk items in MLPS?

  1. Key items: a key item is a component, resource or control measure that is important and performs a critical function in the information system. Key items are critical to the normal operation and security of the system.
  2. Risk items: a risk item is a component, resource or control measure in the information system that carries a potential security risk, for example because of improper system configuration, an existing vulnerability or imperfect access control. Risk items may be exploited by attackers to damage the information system; they are managed and controlled in order to reduce security risk and improve the system's security.
  3. The difference is that key items emphasize the important components and functions of the information system, while risk items emphasize components and measures that carry potential security risks. In MLPS, key items need to be protected to ensure their security and availability, while risk items need to be risk-assessed and managed, with corresponding control measures taken to reduce the risk.

What do the results of the MLPS assessment include?

Assessment report, assessment results and level determination


Source: blog.csdn.net/qq_61562251/article/details/135185028