Summary of security incident prevention and handling

One, External events

External events are security incidents caused by attacks from outside the organization. The main motives of external attackers are the following:

    1, White-hat security testing

          White hats, usually to improve their skills or to earn points on a vulnerability platform, test a system for vulnerabilities without authorization, sometimes going as far as roaming the intranet. Because the aim is only to prove that a vulnerability exists, white-hat testing generally does no damage to the system.

    2, Hackers building botnets

          A system may be compromised in order to turn it into a zombie host (a "bot"). Once captured, such hosts serve as a springboard for attacking other machines or systems, or are pooled to launch DDoS attacks.

    3, Hackers stealing data

          Getting hold of enterprise data is one of the main reasons hackers attack systems: user data can be traded on the dark web and is of great value to an attacker.

    4, Hackers planting cryptominers or ransomware

          In recent years cryptomining malware and ransomware have run rampant in many forms, mainly because they pay well: whatever access the attacker gains, deploying a miner or ransomware on it is lucrative and succeeds at a high rate.

    5, DDoS attacks

          DDoS attacks split into extortion-driven DDoS and DDoS launched by malicious competitors; the attack is cheap to mount and its effect is immediate.

The main external attack methods are the following:

    1, Attacks on business applications

         Business applications usually include web applications, mobile apps, desktop clients, WeChat mini programs and WeChat official accounts.

         Common attack methods: SQL injection, XSS, XXE, SSRF, code execution, command execution, file disclosure, weak business passwords, business-logic vulnerabilities and framework vulnerabilities.

         Mobile apps and desktop clients can additionally be decompiled to extract the sensitive information embedded in them.

        General attack path: information gathering -> vulnerability exploitation -> getting a shell -> privilege escalation -> lateral movement within the internal network

    2, Attacks on system services

          Both Linux and Windows have high-risk vulnerabilities that an attacker can exploit to obtain system privileges directly or indirectly, for example remote-login brute forcing, MS17-010 (EternalBlue) and Dirty COW (CVE-2016-5195).

    3, Attacks on application components

         Vulnerabilities in application components are a main avenue for attacks, for example components exposed without authentication, weak passwords, arbitrary file upload in Tomcat, WebLogic command execution, the IIS parsing vulnerability and Apache parsing vulnerabilities.

    4, Social engineering and phishing

        Phishing and social engineering mainly target IT administrators, customer-service staff and ordinary network users. Through social engineering the attacker obtains important information for further penetration; through phishing an internal user's computer can be taken over directly and used to deploy cryptominers or ransomware.

Two, Internal events

   1, Leaks by internal staff

        Deliberate leaks: for personal gain, internal staff collude with outsiders to resell confidential company data.

        Unintentional leaks: through carelessness, employees lose storage media or upload important files to the public network.

   2, Sabotage by internal staff

        Internal staff dissatisfied with the company may use the permissions their work gives them over application systems to tamper with or destroy data.

   3, Misoperation by internal staff

       Errors by employees cause operational failures, such as servers going down, data being deleted or an application becoming unable to serve.

Three, Preventing security incidents

1, Preventing external security incidents

     Keep attackers from getting in:

     -> External asset inventory: know exactly which IPs and services you expose; do not expose non-business programs such as management back-ends and middleware consoles; take decommissioned systems offline promptly.

     -> Ports: open only the ports the business needs to the Internet, for example only 80 and 443.

     -> Sensitive directories: a web deployment may leave sensitive directories and files reachable, such as site configuration files, .git and .svn directories, and the admin back-end address; check for these.

     -> CMS: for sites built on a vendor CMS, apply the vendor's patches promptly; if the CMS is open source, audit its code.

     -> Passwords: enforce login restrictions and a password-strength policy at the login entry point, for example CAPTCHAs and a limit on login attempts, and forbid passwords that can be guessed from related information; attackers build password candidates from phone numbers and other details scraped from the site.

     -> Encryption: encrypt sensitive data in transit, or move the service from HTTP to HTTPS.

     -> App and client hardening: harden the app and client programs themselves, for example by obfuscating the code, not storing important information in the program, and strongly encrypting any important information that must be stored.

     -> Vulnerabilities: vulnerability scanning, penetration testing and code audits, carried out continuously rather than once.

     -> Vulnerabilities: patch promptly.
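The asset-inventory, port and sensitive-directory items above boil down to two checks that can be scripted. The following is an added example, not code from the original post: it parses `ss -tlnp` output for listeners that face the network on ports outside an allowlist, and probes a list of sensitive web paths for an HTTP 200. The `ss` sample and the fake site are constructed so the script runs offline; the function and constant names are assumptions of this example.

```python
"""External exposure audit (added example; assumed helper names, not code from the original post).

Two checks from the checklist above:
  1. listening sockets bound to a non-loopback address whose port is not allowlisted
     (only 80/443 should face the Internet);
  2. sensitive web paths (.git, .svn, config backups, admin back-end) that answer 200.
The `ss` output and the web responses are constructed inline so the script runs offline.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List

ALLOWED_PUBLIC_PORTS = {80, 443}

# Constructed sample of `ss -tlnp` output from a web server (not a real capture).
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1201,fd=6))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1201,fd=7))
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=950,fd=21))
LISTEN 0      4096   0.0.0.0:8080        0.0.0.0:*         users:(("java",pid=1388,fd=12))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
"""

# State, Recv-Q, Send-Q, local addr:port, peer, then the process name inside users:(("name",...
SS_LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def exposed_ports(ss_text: str, allowed=ALLOWED_PUBLIC_PORTS) -> List[Dict]:
    """Listeners reachable from outside (not bound to loopback) on ports outside the allowlist."""
    findings = []
    for line in ss_text.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue
        addr, port, proc = m.group(1), int(m.group(2)), m.group(3)
        if addr.startswith("127.") or addr == "[::1]" or port in allowed:
            continue
        findings.append({"addr": addr, "port": port, "process": proc})
    return findings


# Paths that should never be reachable on a production site.
SENSITIVE_PATHS = ["/.git/HEAD", "/.svn/entries", "/.env", "/config.php.bak",
                   "/web.config", "/admin/", "/manager/html", "/phpinfo.php"]


def exposed_paths(base_url: str, fetch: Callable[[str], int],
                  paths=SENSITIVE_PATHS) -> List[str]:
    """Return the sensitive paths for which fetch(url) reports HTTP 200."""
    base = base_url.rstrip("/")
    return [p for p in paths if fetch(base + p) == 200]


def http_status(url: str, timeout: float = 5.0) -> int:
    """Real fetcher for a live run: HEAD request, returning the status code (0 on connection error)."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except urllib.error.URLError:
        return 0


# Constructed stand-in for http_status so the example runs offline: this fake site
# leaks its .git directory and its admin back-end.
FAKE_SITE = {"/.git/HEAD": 200, "/admin/": 200}


def fake_fetch(url: str) -> int:
    path = url[len("https://www.example.com"):]
    return FAKE_SITE.get(path, 404)


if __name__ == "__main__":
    for f in exposed_ports(SS_OUTPUT):
        print(f"port {f['port']} ({f['process']}) listens on {f['addr']} but is not allowlisted")
    for p in exposed_paths("https://www.example.com", fake_fetch):
        print(f"sensitive path reachable: {p}")
```

On the sample data the port check reports sshd on 22 (both IPv4 and IPv6) and the Java service on 8080, while MySQL on 127.0.0.1:3306 is ignored because it is loopback-only. For a live run pass `http_status` instead of `fake_fetch`; some servers answer HEAD with 405, in which case switch the request method to GET. Treat 403 on `.git/` as a finding worth a second look as well, since it proves the directory was deployed.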
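The password item above asks for two things at the login entry point: a policy that rejects passwords an attacker can derive from scraped details, and a limit on login attempts. The block below is an added example, not code from the original post; the helper names, the short common-password list and the thresholds (12 characters, 3 character classes, 5 failures per 5 minutes) are assumptions chosen for illustration. The limiter is keyed on both the account and the source IP, so it catches brute force against one account and password spraying across many accounts from one address.

```python
"""Login-entry hardening from the password item above (added example with assumed names;
not code from the original post): a password policy that rejects guessable passwords,
and a sliding-window login limiter keyed on both account and source IP.
"""
import re
import time
from collections import defaultdict, deque
from typing import Callable, List

# Constructed shortlist; in production use a full breached-password list.
COMMON_PASSWORDS = {"123456", "password", "admin123", "qwerty123", "111111"}


def password_weaknesses(password: str, *, username: str = "", phone: str = "",
                        company: str = "") -> List[str]:
    """Reasons a password fails policy; an empty list means it is acceptable.

    Beyond length and character classes, the check rejects exactly the material an
    attacker scrapes from the site to build a dictionary: the username, the company
    name, the phone number (whole or its last 4/6 digits) and a trailing year.
    """
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        problems.append("fewer than 3 character classes")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    for label, token in (("username", username), ("company name", company)):
        if len(token) >= 3 and token.lower() in lowered:
            problems.append(f"contains the {label}")
    digits = re.sub(r"\D", "", phone)
    if len(digits) >= 4 and any(part in password for part in (digits, digits[-6:], digits[-4:])):
        problems.append("contains phone number digits")
    if re.search(r"(19|20)\d{2}\W*$", password):
        problems.append("ends with a year")
    return problems


class LoginThrottle:
    """Sliding-window limiter: after `max_failures` failed logins for a key (account or
    source IP) within `window` seconds, further attempts are refused until old failures
    age out. `clock` is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, max_failures: int = 5, window: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self.max_failures, self.window, self.clock = max_failures, window, clock
        self._failures = defaultdict(deque)

    def _prune(self, key: str, now: float) -> deque:
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_blocked(self, key: str) -> bool:
        return len(self._prune(key, self.clock())) >= self.max_failures

    def record_failure(self, key: str) -> None:
        now = self.clock()
        self._prune(key, now).append(now)

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)


def attempt_login(throttle: LoginThrottle, verify: Callable[[str, str], bool],
                  username: str, ip: str, password: str) -> str:
    """Return 'blocked', 'ok' or 'failed'. Both the account and the source IP are
    checked, so neither brute-forcing one account nor spraying one password across
    many accounts from one address gets more than `max_failures` guesses."""
    user_key, ip_key = f"user:{username}", f"ip:{ip}"
    if throttle.is_blocked(user_key) or throttle.is_blocked(ip_key):
        return "blocked"
    if verify(username, password):
        throttle.record_success(user_key)
        return "ok"
    throttle.record_failure(user_key)
    throttle.record_failure(ip_key)
    return "failed"


if __name__ == "__main__":
    print(password_weaknesses("zuoan13812345678", username="zuoan", phone="138-1234-5678"))
    th = LoginThrottle(max_failures=3, window=60.0)
    ok = lambda u, p: (u, p) == ("alice", "Tr0ub4dor&3-correct-horse")
    for guess in ("123456", "alice2019", "password", "Tr0ub4dor&3-correct-horse"):
        print(guess, "->", attempt_login(th, ok, "alice", "203.0.113.5", guess))
```

`verify` is whatever checks the stored credential (a PBKDF2, bcrypt or Argon2 comparison in a real system); the throttle deliberately records the failure before the verdict is returned so a blocked account cannot be probed for whether the password was right. Once `max_failures` is reached, the same point in the code is where a CAPTCHA challenge would be required rather than a hard refusal, to avoid turning the limiter into a denial-of-service lever against legitimate users.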

     Be able to detect attacks:

     -> Security monitoring devices that detect attacks and block them automatically, such as a WAF, IPS, firewall and traffic scrubbing.

     -> Host monitoring tools that watch for host anomalies: CPU, memory, suspicious processes, suspicious activity, suspicious accounts.
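The host-monitoring item above lists what to watch for but not how. The following is an added example, not code from the original post, showing the kind of host checks that catch the planted accounts and miners described earlier in this post: UID-0 accounts other than root, accounts or processes living in world-writable directories, processes burning CPU and processes carrying a mining-pool (stratum) argument. The `/etc/passwd` and `ps` excerpts are constructed, the pool address is a reserved example domain, and the function names are assumptions of this example.

```python
"""Host-anomaly checks from the host-monitoring item above (added example with constructed
data and assumed names; not code from the original post). Flags:
  - accounts in /etc/passwd with UID 0 other than root, or with a home directory in a
    world-writable location;
  - processes that run from /tmp, /dev/shm or /var/tmp, burn CPU above a threshold,
    or carry a mining-pool (stratum) argument.
"""
import re
import subprocess
from typing import Dict, List, Tuple

# Constructed /etc/passwd excerpt: 'sysupd' is a planted UID-0 backdoor account.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
ops:x:1001:1001::/home/ops:/bin/bash
sysupd:x:0:0::/tmp/.sysupd:/bin/bash
"""

# Constructed `ps -eo pid,user,pcpu,args --no-headers` excerpt; pid 2917 is a planted miner
# (the pool address is a reserved example domain, not a real pool).
PS_SAMPLE = """\
    1 root      0.0 /sbin/init
  812 root      0.0 /usr/sbin/sshd -D
 1201 www-data  1.3 nginx: worker process
 2917 www-data 97.8 /tmp/.x/kworkerds -o stratum+tcp://pool.example.invalid:3333
 3044 root      0.2 /usr/bin/python3 /opt/app/agent.py
"""

WORLD_WRITABLE = ("/tmp/", "/dev/shm/", "/var/tmp/")
PS_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+([\d.]+)\s+(.*)$")


def suspicious_accounts(passwd_text: str) -> List[Tuple[str, str]]:
    """(account, reason) pairs for passwd entries that should not exist on a clean host."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        name, uid, home = fields[0], int(fields[2]), fields[5]
        if uid == 0 and name != "root":
            findings.append((name, "UID 0 account other than root"))
        if home.startswith(WORLD_WRITABLE):
            findings.append((name, f"home directory in world-writable path {home}"))
    return findings


def suspicious_processes(ps_text: str, cpu_threshold: float = 80.0) -> List[Dict]:
    """Processes matching one or more miner/backdoor indicators, with the reasons."""
    findings = []
    for line in ps_text.splitlines():
        m = PS_LINE.match(line)
        if not m:
            continue
        pid, user, cpu, args = int(m.group(1)), m.group(2), float(m.group(3)), m.group(4)
        exe = args.split()[0] if args.strip() else ""
        reasons = []
        if exe.startswith(WORLD_WRITABLE):
            reasons.append("runs from a world-writable directory")
        if cpu >= cpu_threshold:
            reasons.append(f"CPU {cpu}% (threshold {cpu_threshold}%)")
        if "stratum+tcp://" in args or "stratum+ssl://" in args:
            reasons.append("mining-pool (stratum) argument")
        if reasons:
            findings.append({"pid": pid, "user": user, "args": args, "reasons": reasons})
    return findings


def live_check() -> None:
    """Run the same checks against the current Linux host."""
    with open("/etc/passwd") as fh:
        passwd = fh.read()
    ps = subprocess.run(["ps", "-eo", "pid,user,pcpu,args", "--no-headers"],
                        capture_output=True, text=True, check=True).stdout
    for name, why in suspicious_accounts(passwd):
        print(f"account {name}: {why}")
    for f in suspicious_processes(ps):
        print(f"pid {f['pid']} ({f['user']}): {', '.join(f['reasons'])}: {f['args']}")


if __name__ == "__main__":
    for name, why in suspicious_accounts(PASSWD_SAMPLE):
        print(f"account {name}: {why}")
    for f in suspicious_processes(PS_SAMPLE):
        print(f"pid {f['pid']} ({f['user']}): {', '.join(f['reasons'])}")
```

On the sample data the account check reports `sysupd` twice (UID 0 and a home under `/tmp`) and the process check reports pid 2917 on all three indicators. Each indicator on its own produces false positives (a build job may legitimately run hot, an installer may run from `/tmp`), which is why the function returns the reasons rather than a yes/no: alert on any stratum argument immediately, and on the other two when they coincide. Run `live_check()` from cron or a host agent; a process whose binary was deleted after launch will show `(deleted)` in `/proc/<pid>/exe` and is a worthwhile fourth indicator.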

     Contain what does get in:

     -> Divide the network into security domains, isolate them from one another, and apply port-level network access control.

     -> Protect critical equipment.

2, Preventing internal security incidents

     Employee security awareness: antivirus awareness, anti-phishing awareness, information-security awareness, safe-operation awareness.

     Account management: unified login, permission assignment and revocation, account auditing.

     Terminal management: antivirus, patch management, network access control.

     Network management: security isolation.


Source: www.cnblogs.com/zuoan104/p/11422547.html