caoz's ramblings: some topics in information security attack and defense

Cat Ning!!!

Reference Links: https://mp.weixin.qq.com/s/O0zLvuWPRPIeqnRooNEFYA

In an old article I mentioned a saying: in this industry, information security defense is three parts technology and seven parts connections.

When I mentioned this on Zhishi Xingqiu (Knowledge Planet), some people were puzzled: hackers seem like hardcore technologists, so how can security practitioners rely on a network of contacts for defense?

Another very common view is: I'll hire a company run by powerful hackers to do operations and maintenance, and security will be foolproof.

These two views amount to the same thing, and unfortunately both are wrong.


1. Attack and defense are asymmetric

An attack only needs one point of entry, while defense has to be comprehensive.

A freshly recruited attacker can already rack up a brilliant record, while defense is a complete system in which any overlooked area is likely to be fatal.


2. Defense has no sense of presence

People only remember the person in charge of information security defense when something has already happened, and then only to blame them.

Like that wonderful question on Zhihu: why has nobody broken into Alipay?

A group of security experts works strenuously to build a defense system and fends off a great many intrusion attempts, yet to the outside world, and even to the leadership, they might as well not exist. Only at the moment a problem appears does anyone think of them: the company spent so much money supporting you, so how could this happen?!


3. Information exchange and intelligence networks are an important part of security defense

It is the same with a country: having troops and weapons is not enough; you also need an intelligence network to know who the potential risks and saboteurs are, what the latest attacks are and what they target.

An attacker can be a loner with a few private tricks, but defenders face a large number of unknown attackers, so an intelligence network helps them identify unknown risks and get the relevant details of problems that have already surfaced as early as possible.

Persistent intrusions are now increasingly common. Many companies have been compromised for a long time without realizing it; their databases have been passed around the black industry until they fell apart, while the business remains in the dark. There have been many such cases.


4. First comes a defense system, then the specific technologies

A basic principle: any defense strategy should be paired with an additional recovery strategy for when it fails.

The specifics are discussed below.

So I want to share some additional perspectives on the field of information security.


Levels of the information security field

At the highest level stand not the information security experts we know, but scholars: mathematicians, or researchers in informatics. They supply and think through the theory for certain areas related to information security.

For example, last year there was a sensational case, a trojaned Apple compiler. In fact the theory behind it had existed long before, and almost all of China's Internet giants were hit. (Well, the case was actually resolved quickly, and then the related content was blocked, blocked again, and covered up.)

Buffer overflows are information security theory; distributed denial of service is theory; and Professor Wang Xiaoyun of the Shandong University mathematics department made many contributions on collisions in cryptographic algorithms. Nobody would call Wang Xiaoyun an information security expert, but her contribution to the field of information security is enormous.

Likewise the consensus algorithms mentioned earlier, whose ideas even earned a Turing Award, can be classified as theory in the field of information security.

In theoretical innovation in information security, China does not hold a leading position.


The second layer is vulnerability discovery: based on information security theory, finding and researching vulnerabilities in well-known software platforms and operating systems. NSFOCUS (Green League), once the "Whampoa Military Academy" of Chinese information security, trained many top experts in vulnerability discovery. Today, however, the strongest vulnerability discovery in China is at Tencent. (They have the money.)

The targets of vulnerability discovery are operating systems, common software platforms and services, and also product design and common usage processes. (Yes, some security vulnerabilities in products come from the operation and usage process; broadly speaking, the "wool party", people who abuse promotions and coupons, fall into this category.)

In vulnerability discovery, China has reached the world's top level.

Next is tool design and production: based on existing theory and known vulnerability types, designing scanning, monitoring and automated intrusion defense systems.

The next level is the attacker or intruder, who makes good use of tools, understands the principles of the vulnerabilities and executes the intrusion.

But this division is only a very rough model; reality is more complicated.

For example, some tool designers have vulnerability discovery ability and are very strong in information security theory, and can even build tools that find vulnerabilities in batches. Although they are tool designers in name, they are actually above ordinary vulnerability researchers.

Take attacks on web applications: some people use existing tools to scan and probe, but because every web application's code is completely different, the technique is closer to the vulnerability discovery process than to simply running existing tools and exploits.

Even tool use has its ordinary soldiers and special forces. Some people are very familiar with the principles and mechanisms of vulnerabilities and with their tools, and use them at maximum efficiency, like special forces who know the properties of every firearm. Others do not understand the technical principles and just sweep around blindly with a tool, trusting to luck; these are untrained soldiers, but a weapon in hand is still lethal.

Everything above is about levels of attack. As a defender you may not need vulnerability discovery ability, but you must understand every disclosed form of intrusion and its principles. Beyond that you need additional defense theory, that is, the design of a defense system. I'm no expert on what a defense system is, but I can list some of its goals.


1. Protect against all known types of intrusion as far as possible.

2. Once an emergency arises and the perimeter has been breached, protect the core system and critical data from being affected as far as possible, and ensure the system cannot be wiped out by a destructive intrusion.

3. Even if core or critical data is stolen, ensure that some key information still cannot be read: the so-called random-salt encryption policy.

4. Be able to track, locate and collect evidence of an intrusion, so that legal means can be used to protect the company's interests.

5. Establish information security audit processes and workflows that standardize how the company's many internal employees read, share and operate on data.

6. Keep intelligence sources flowing; keep a close eye on the rainbow tables circulating outside and on the capabilities of the black and gray industries at all times, so that details relating to the company's interests are known as early as possible.

7. Review the business and operational processes of products and audit business data logs, to prevent flawed operating procedures from being exploited, for example by the wool party, ad hijacking, fraud and so on. Of course this job may be a bit of a stretch for information security staff, but as far as I know, at some giants this kind of thing is exactly the challenge the information security department faces, and an increasingly severe one.
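Goal 3 above (and the rainbow tables of goal 6), as an added example that is not from the original post: a per-record random salt with a slow key-derivation function, so that a stolen credential table reveals neither passwords nor which users share one, and precomputed tables are useless. It uses only the Python standard library; the user names, passwords, record layout and iteration count are constructed for the illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed parameters for the example; raise ITERATIONS in production.
ITERATIONS = 200_000
SALT_BYTES = 16

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<key hex>'.
    A fresh random salt per record means two users with the same password get
    different stored values, and a precomputed rainbow table is useless."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${key.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or corrupted record format
    iterations, salt = int(parts[1]), bytes.fromhex(parts[2])
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return hmac.compare_digest(key.hex(), parts[3])

def unsalted_md5(password: str) -> str:
    """The weak 'before' scheme: fast, unsalted and identical for identical
    passwords, so a stolen table shows who shares a password and each value
    can be looked up in a rainbow table."""
    return hashlib.md5(password.encode()).hexdigest()

def build_table(creds: Dict[str, str]) -> Dict[str, str]:
    """What the database stores: never the password, only salt plus derived key."""
    return {user: hash_password(pw) for user, pw in creds.items()}

def shared_values(table: Dict[str, str]) -> int:
    """Count stored values shared by more than one user: free information for
    whoever holds the stolen table (0 with random salts, >0 with plain hashes)."""
    counts: Dict[str, int] = {}
    for value in table.values():
        counts[value] = counts.get(value, 0) + 1
    return sum(1 for c in counts.values() if c > 1)

if __name__ == "__main__":
    users = {"alice": "Summer2019!", "bob": "Summer2019!", "carol": "hunter2"}  # constructed
    table = build_table(users)
    print(shared_values(table), verify_password("Summer2019!", table["alice"]))  # 0 True
```

The salt is stored in the clear beside the derived key; it is not a secret, its job is only to make every record unique and every lookup table worthless.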

 

Now, do you still think that hiring a powerful hacker makes your company's information security foolproof?

Defense, however, never has any sense of presence. We know Tencent has Yuan Ge, TK and Miss Stone, all top vulnerability researchers. So here is the question: which technical expert is responsible for Tencent's defense? Nobody knows.

The information security field has white hats, gray hats and black hats.

White hats mostly do information security work at the major Internet companies or security companies; black hats are mostly involved in the black industry; and there are people in between, called gray hats, who are something of a paradox: sometimes they help large companies solve security problems, but sometimes they are tempted and their hands are not very clean. Their bottom line may be a little higher than the black hats', for example they privately sell "broilers" (compromised machines) or vulnerabilities to black hats for profit, but they do not carry out intrusions themselves.

Top white hats know each other, mostly on good terms, a so-called circle of contacts. You see the Internet giants fighting ugly flame wars with each other, but the security experts in charge beneath them are often private friends who keep in contact and exchange information. After all, the black industry is their common opponent. Of course some refuse to accept each other and occasionally trade barbs in writing; there are always personal matters, but it is usually limited to words.


For example, a security big shot at Ali once said by name that I despised him and therefore rather hated me. I'm ashamed to say that, first, my skill level does not qualify me to look down on anyone who does security, and second, he actually had a grudge against Security Focus, while I just happen to have a very good relationship with Security Focus and had written some security-related articles shortly before, so he felt some of the content was me insinuating an attack on him on Security Focus's behalf. But I really did not know him, and did not even know their grudge existed.

The only person I really attacked by name through the security circle seems to have been the young guy known as the Lonely Swordsman Ice. I slammed him not for his technology but for his intentions. It can't quite be called black industry, but he ran training courses teaching kids to build QQ Trojan tools for hacking people, and in the end he was arrested. Security practitioners, especially at that level, get into trouble very easily once they have a slightly crooked idea for making quick money.

Another person I have disliked in recent years is a young man who has been in the limelight on Zhihu. He was in Canada before, and before that made some money in the black industry. In fact I am not a particularly pious person; doing some bad things while young is, I feel, not such a great sin. The best outcome is to repent, turn over a new leaf and vow never to do it again; the second best is to know that this history does not look good, keep quiet about it, quit and be a good person. To tell the truth, in the last few years I really do know several people who made a lot of money in the black industry and then went legitimate with a company. I don't deal with such people, but if the police don't care, I can't say what is right. But this kid constantly shows off his black industry history as if it showed great ability; that I really cannot accept, let alone worship him the way his many fans do.


Whether we work a job or start a business, we are all profit-driven; those who talk about dreams all day will be heading home next week, so let's talk about very real money. Here is the problem: as a top white hat, if you want to make more money, it is actually very easy. You say breaking into Alipay is not easy, breaking into TenPay is not easy, but there are so many Internet platforms and so many products with money riding on them; for someone with vulnerability discovery ability, it really is just a question of how much of a bottom line they have.

Fortunately, in recent years the Internet giants have retained some top security experts with high salaries; it does not make as much as the black industry, but it is a decent and secure job. Such positions are limited, however, and there are still many people who are not at the top level but do have some vulnerability analysis ability, scattered across the Internet. They can go black, white or gray: with a generous salary they will be good employees, but if they have long been living in hardship and simply cannot make money on merit, they will inevitably get other ideas. WooYun (Wuyun) used to be a good channel that gave these people a chance to show themselves in the open and, through that, a chance at a good job or white-hat incentives. We must admit the platform was not entirely good: there were surely people trying to whitewash black industry, and surely gray hats sitting on the fence. Certain issues should have been dealt with, but shutting the channel down is really bad.

The world cannot expect to be made up entirely of good and perfect people, nor rely on the moral conduct of those wielding dragon-slaying technology to defend our homeland. But positive incentives can push people in the right direction, let talented people earn a decent income from their talent, and bring the fence-sitters into the light. Unfortunately, they chose the opposite ***; maybe some institutions think they are punishing the bad guys, but the result is that black hats rejoice, gray hats sink into despair, and white hats fall silent, then silent again.


Having said all this, what do you think? What can I do?

(Why did Bitcoin crash a few days ago? Let's skip that.)

In fact, enterprise information security defense has another important job: internal security training. There is a saying in the industry that the best way into a business is through the boss's young secretary: access to high-value information, poor security awareness, easily compromised; once compromised, the attacker can quickly penetrate the network and obtain a lot of valuable information, and a Trojan sent in the name of an executive or the boss leads to full-scale spread.

For a company, information security is not just a technical matter but everyone's matter. The old article covered this, so I won't repeat it here.



Source: www.cnblogs.com/landesk/p/11286168.html