Small Circle Ape shares a new security testing method

Most of us who build and operate systems have said, more than once, "Are you sure this will work?" The sentence does not inspire confidence; on the contrary, it reveals doubt in our own abilities and in the function being tested. Unfortunately, these words describe our traditional security model very well. Our operations rest on assumptions, and we hope that the controls we have implemented, from web application firewalls to antivirus software on endpoints, will prevent viruses and malware from entering our systems and damaging or stealing our information.

Penetration testing tries to sidestep this reliance on assumptions by actively attempting to break into the network, inject malicious code into web applications, spread malware, send phishing emails, and so on. But as fast as we discover and exploit vulnerabilities, manual testing cannot keep up with vulnerabilities that are being actively opened at every security layer. In security experimentation, we deliberately create disorder under controlled conditions, simulating incident conditions, in order to test objectively our ability to detect and prevent such problems.

"Security experimentation provides a way to build confidence in a distributed system's ability to withstand malicious attacks."

Given the security and complexity of distributed systems, we need to repeat the chaos engineering community's famous line: "Hope is not an effective strategy." How often do we proactively test how the systems we design or build actually behave, to determine whether we have lost control of them? Most organizations do not discover that their security controls have failed until a security incident occurs. We believe that "security incidents are not detective measures" and "hoping an incident does not happen is not an effective strategy" should be the slogans of IT professionals implementing effective security practices.

Traditionally the industry has emphasized preventive security measures and defense in depth, but our mission is to drive new knowledge and insight about the security toolchain through detective experiments. Because we focus so heavily on prevention mechanisms, we rarely test our security controls more than once a year, or outside a manual testing requirement, to verify that they are implemented as designed.

In a modern distributed system the non-stationary variables change constantly, so it is difficult to fully understand the system's behavior, because it may change at any moment. One way to address this is with robust, systematic instrumentation for security testing, and the problem can be split into two main areas: testing, and what we call experimentation. Testing is the verification and assessment of what we already know; put simply, before we start looking we first figure out what we are looking for. Experimentation, on the other hand, seeks insights and knowledge we did not have before. Although testing is an important practice for a mature security team, the following example will help illustrate the difference between the two and describe more aptly the value that experimentation adds.

Example scenario: Brew

Consider a web service or web application that receives craft beer orders.

This is an important service for a craft beer delivery company: it receives orders from customers' mobile devices and web pages and, through the company's API, from restaurants that serve the craft beer. The service runs in an AWS EC2 environment, and the company believes it is secure. The company passed its PCI audit last year and commissions a third-party penetration test every year, so it believes the system is safe.

The company deploys to production, sometimes twice a day, through DevOps practices and continuous delivery, and is proud of this.

Having learned about chaos engineering and security experimentation, the company's development team wants to determine, on a continuous basis, how effective its security controls are against real-world events and how quickly it can recover from them. At the same time, it wants to make sure it is not introducing new, undetectable problems into the system's security controls.

The team wants to start small by assessing port security and firewall settings, to find out whether they can detect, prevent and alert on misconfigured ports when an EC2 security group configuration changes.

· First, the team summarizes its hypothesis about normal (steady-state) conditions.

· It assumes that the ports inside its EC2 instances are secure.

· The experiment is an unauthorized change to the port selection and configuration, defined in a YAML file.

· This configuration randomly picks a target from the objects already selected, and the range and number of ports to change at the same time.

· The team schedules the experiment and narrows its blast radius to ensure minimal impact on the business.

· For the first run, the team chooses its test environment and runs the test in isolation.

· In true game day (Game Day) style, the team selects a Master of Disaster to run the experiment in a pre-planned two-hour window. During that window, the Master of Disaster will perform the experiment on the security group of one EC2 instance.

· Once the game day ends, the team begins a thorough, blameless post-mortem. It focuses on the experimental results and the original steady-state hypothesis. The questions will be similar to the following:

Post-experiment verification questions

· Did the firewall detect the unauthorized port change?

· If the change was detected, was it blocked?

· Did the firewall send useful log information to the log aggregation tool?

· Did the SIEM raise an alert on the unauthorized change?

· If the firewall did not detect the unauthorized change, did the configuration management tool discover it?

· Did the configuration management tool report complete information to the log aggregation tool?

· Finally, did the SIEM correlate an alarm?

· If the SIEM raised an alarm, did the Security Operations Center receive the alert?

· Could the SOC analyst who received the alert act on it, or was the necessary information missing?

· If the SOC determined the alarm was genuine, could the security incident response simply be triaged from that data?
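The game-day procedure and the verification questions above can be reduced to a small, repeatable check: hold a steady-state hypothesis for a security group, inject one unauthorized port, and see whether the detective control finds it and whether the resulting alert carries what an SOC analyst needs. The script below is an added example, not code from the original post or from any chaos tooling; the security group contents, the group id and the experiment configuration are constructed placeholders, and the AWS API call to apply or revert the change is deliberately left out.

```python
import copy
import random

# Constructed steady-state hypothesis for one security group (placeholder id, not from the page):
# only HTTPS from anywhere and SSH from the internal range are expected to be open.
BASELINE_SG = {
    "GroupId": "sg-placeholder01",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": ["0.0.0.0/0"]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": ["10.0.0.0/8"]},
    ],
}

# Constructed experiment configuration, standing in for the team's YAML file.
EXPERIMENT = {"candidate_ports": [8080, 3389, 5432], "source_cidr": "0.0.0.0/0"}

def rule_set(sg):
    """Flatten a security group into hashable (protocol, from, to, cidr) tuples."""
    return {(p["IpProtocol"], p["FromPort"], p["ToPort"], cidr)
            for p in sg["IpPermissions"] for cidr in p["IpRanges"]}

def inject_unauthorized_port(sg, experiment, rng=random):
    """Game-day injection: open one port chosen at random from the configured range.
    Works on a copy and returns the port so the Master of Disaster can revert it afterwards."""
    port = rng.choice(experiment["candidate_ports"])
    mutated = copy.deepcopy(sg)
    mutated["IpPermissions"].append({"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                                     "IpRanges": [experiment["source_cidr"]]})
    return mutated, port

def detect_drift(baseline, observed):
    """Detective control: which ingress rules exist now that the steady state did not allow?"""
    return sorted(rule_set(observed) - rule_set(baseline))

def build_alert(observed, drift):
    """The SIEM/SOC record: carries what an analyst needs to triage without asking for more data."""
    return {
        "event": "unauthorized_security_group_change",
        "group_id": observed["GroupId"],
        "unexpected_rules": [dict(zip(("protocol", "from_port", "to_port", "cidr"), r)) for r in drift],
        "severity": "high" if any(r[3] == "0.0.0.0/0" for r in drift) else "medium",
    }

def run_experiment(baseline, experiment, rng=random):
    """One game-day iteration: inject, detect, alert; returns the evidence for the post-mortem."""
    observed, port = inject_unauthorized_port(baseline, experiment, rng)
    drift = detect_drift(baseline, observed)
    return {"injected_port": port, "detected": bool(drift),
            "alert": build_alert(observed, drift) if drift else None}

if __name__ == "__main__":
    print(run_experiment(BASELINE_SG, EXPERIMENT))
```

A run whose result has `detected` false, or an alert missing the group id or the offending rule, answers the post-mortem questions above in the negative before any real incident does.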

The failures of our system, and of our expectations, begin to reveal our assumptions about how the system works. Our mission is to take what we have learned and apply it more widely, so that we address security problems truly proactively, beyond the largely reactive traditional security model of today.

Reproduced from: https://www.jianshu.com/p/64695ed63024


Origin: https://blog.csdn.net/weixin_33873846/article/details/91100218