Editor's note: the content of this article comes from the chat records of the WeChat group on security program building in financial-industry enterprises, drawn from the experience shared by senior practitioners of enterprise security building. It is full of practical material and is intended to give those who need it more comprehensive security knowledge and skills. It was compiled by the Changting Technology security column. The copyright belongs to all members of the WeChat group; please contact the official account before reprinting.
Recently, the security heads in the financial-enterprise security building group have been busy discussing four questions: how to deal with large numbers of web attacks? What should the enterprise security department be responsible for? Is public-cloud security easy to do? Enterprise file encryption is hard, so who should do it? Let's hear from the people in charge of enterprise security building.
1. How to deal with large numbers of web attacks?
"Waiting online, it's urgent: what to do about a lot of scanning or web attacks from Hong Kong?"
"Just get used to it."
The above may be one of the most common self-mocking exchanges in the security circle.
Hacker techniques have improved qualitatively; the use of all kinds of hardware tools and software makes attacks against web pages ever more frequent and ever more varied in form, placing higher demands on practitioners' response measures.
First of all, I'd like to discuss with you:
The most common defense: IP blocking!
There isn't much to explain here; it would be embarrassing to say too much about how it is operated and implemented.
Upgraded defense: the WAF deployment mode
There are many ways to deploy a WAF; the most suitable scheme gives the best effect.
Senior practitioners offered the following suggestions on this:
I'm thinking about the WAF deployment mode. Should it be inline on the link, or is there a better way?
Inline is no problem, or you can deploy out-of-band (bypass mode) and send RST to block.
How do you handle bypass (out-of-band) mode?
As long as it doesn't affect the business, there are various bypass options.
The RST efficiency of bypass mode is not high; it feels leaky, doesn't it?
The GFW is deployed out-of-band, and the first packet is usually missed. Inline: some boxes can't take the load; before buying, I must find out how much QPS of traffic the WAF can support.
Best-practice defense: IPS rule base updates
One good defense is an IPS that can detect the S2-045 vulnerability on the day it is disclosed.
However, there are unavoidable pains: some protective devices' signature database updates have version dependencies, the device may drop packets or restart during the update and the network will fail over. Moreover, the updates are often not timely.
Security scenario: "The source of the Struts 2 alert intercepted by the IPS is an intranet address and the destination is an Internet address; the other alerts are normal. What's going on?"
Best advice:
• The first step in any incident is to query the logs: event manager logs and network logs, and remember to back up the logs immediately.
• It is recommended to check first, from the firewall ingress, whether any outbound ports show abnormal behavior. Basically, if more than one port does, be careful: if there has been an intrusion, the logs may be deleted immediately, which is the most basic move for an attacker. PS: this applies only to the server's port activity.
• It's best to run an intrusion check.
• Check the server address to confirm whether the server is under (attacker) control, and try to dig out insiders or compromised hosts.
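As an added illustration of the triage advice above (this is example code written for this digest, not from the group's chat or from any IPS product), the script below walks constructed IPS alerts and web-server log lines. It classifies each Struts alert by direction using the RFC 1918 intranet ranges, so an alert whose source is internal and whose destination is public stands out as a possibly compromised host, and it flags requests whose Content-Type header carries an OGNL expression opener (`%{` or `${`), the indicator that S2-045 signatures keyed on. The addresses, log format and signature names are all assumptions.

```python
import ipaddress
import re

# RFC 1918 ranges: what the page calls "intranet addresses"
INTRANET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample IPS alerts (src, dst, signature); not from any real device
SAMPLE_ALERTS = [
    ("203.0.113.7", "10.1.2.3", "Apache Struts2 S2-045 OGNL injection"),
    ("10.1.2.3", "198.51.100.9", "Apache Struts2 S2-045 OGNL injection"),
    ("10.1.2.4", "10.1.2.5", "ICMP ping sweep"),
]

# Constructed sample web-server lines: client, method, path, quoted Content-Type
SAMPLE_REQUESTS = [
    '10.1.2.3 POST /upload.action "multipart/form-data; boundary=----abc"',
    '203.0.113.7 POST /upload.action "%{#ctx.foo}multipart/form-data"',
    '203.0.113.8 GET /index.action "text/html"',
]

# An OGNL expression opener in a header that should only hold a MIME type
OGNL_MARKER = re.compile(r"[%$]\{")


def is_intranet(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTRANET)


def classify_alert(src, dst):
    """Direction of an alert: inbound, outbound, lateral or transit."""
    s, d = is_intranet(src), is_intranet(dst)
    if s and not d:
        return "outbound"   # internal host attacking the Internet: likely compromised
    if not s and d:
        return "inbound"
    if s and d:
        return "lateral"
    return "transit"


def suspicious_content_type(log_line):
    """True when the trailing quoted Content-Type carries an OGNL marker."""
    m = re.search(r'"([^"]*)"\s*$', log_line)
    return bool(m and OGNL_MARKER.search(m.group(1)))


def triage(alerts, requests):
    """Summarise what to look at first: outbound Struts alerts and OGNL-bearing requests."""
    outbound = sorted({src for src, dst, sig in alerts
                       if "Struts" in sig and classify_alert(src, dst) == "outbound"})
    ognl_sources = [line.split()[0] for line in requests if suspicious_content_type(line)]
    return {"outbound_struts_sources": outbound, "ognl_request_sources": ognl_sources}


if __name__ == "__main__":
    for key, hosts in triage(SAMPLE_ALERTS, SAMPLE_REQUESTS).items():
        print(key, hosts)
```

The outbound list is the one to act on first: an internal server that trips a Struts signature toward the Internet is behaving like a scanner, which matches the "source is intranet, destination is Internet" situation described in the chat.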
The S2-045 vulnerability
The numbers are staggering:
10,000 vulnerabilities in two days
More than 70,000 actions across the whole network
It's frighteningly simple:
Finding holes in Struts 2 is so easy that kids can do it
There's no way to plug the holes in Struts 2; just hit back
For prevention of unknown vulnerabilities, a broad solution:
Where the application has no need to execute its own commands, simply removing Java's ability to execute local commands, including for Java processes run by ordinary users, solves many problems. This method can basically solve this whole class of issue and is more thorough; the idea can be used to guard against unknown vulnerabilities in advance. It can start simple: for example, hooking Java command execution for processes run by ordinary users is not too complex. Moreover, this code is open source: the Java virtual machine code is closed source, but the libraries are open source. Disadvantage: it can sometimes be troublesome to do; killing the function outright is hard when there are many Java processes in the background and operations doesn't know how many there are.
2. What should the enterprise security department be responsible for?
There is no doubt that in today's era, when everything has moved online, enterprise network and information security has become indispensable.
More and more enterprises are setting up security departments. The number of security practitioners is growing, their voice is growing, and the burden on their shoulders grows heavier. At major conferences, forums, salons and internal management meetings, enterprise security is mentioned more and more often.
However, in actual work security inevitably runs into problems. Like any other department, the security department needs cooperation and division of labor, and faces issues such as a limited budget or conflicts among manpower, energy and workload. If there is no better way to relieve these in the short term, making the right trade-offs becomes a necessary skill.
In an era when security is increasingly valued: is your company's security department independent? Does "everything is security" mean security manages everything? Is the scope of the security department's work clear?
For example: who is in charge of endpoint management?
The answers vary from company to company, for example:
We've handed it off to the business. Deployment and operations can be thrown out; security manages results and audits. In product selection we must be involved and push as hard as we can for what we prefer.
Security should be in charge of the scheme, strategy, requirements and audit, early rollout delivery and later maintenance.
Our endpoints are with operations, and DLP is in our own hands. We still do the overall strategy and audit.
What is the current state of security work?
Some say it's because people are expensive, some say it's a shortage of manpower (actually the same reason: people are expensive), and some say the workload is too heavy (actually the same reason: too few people).
Complaint 1: security people are very expensive and hard to recruit.
But aren't these problems every department runs into?
How to solve it?
Should the security department position itself to manage everything? Can it?
The head of the security department needs not only strong professional ability but also management, communication and adaptability to position and run the department well, which is one reason top security talent is so hard to find.
3. Is public-cloud security easy to do?
With the arrival of the cloud era, traditional IT environments are migrating to the cloud. For most users of small scale and volume, building a private cloud is unrealistic, and the more cost-effective public cloud is obviously the best choice. Operations security on the public cloud is therefore drawing increasing attention from enterprises.
At present, public-cloud users fall into two categories:
Businesses deployed entirely on the public cloud from the start, mainly emerging Internet companies.
For example, Pinterest, a fast-growing social media site, has used 150 AWS instances and stored more than 400 TB of data. In this way a new enterprise puts all of its applications on the public cloud.
Enterprises that already have a self-built IT environment that needs to be migrated to the public cloud.
As user IT environments shift from traditional self-built IDCs to the public cloud, operations work has also moved from the intranet to the public network, which is a very big change for users.
But in the cloud era, complaints abound:
"Access control in the public cloud is harder than in a traditional data center. The security group of one cloud provider is a single firewall (configuring its policy is painful). Another provider's security group is similar to a network firewall, but it can only be configured on the command line and lacks the other features of a firewall management system, such as object reuse. Some companies choose to develop their own security control platform for the public cloud to achieve flexible access control."
It is true that moving the computing environment from on-premises to the cloud improves security in some respects, but operations work on the cloud faces new security risks and challenges. Operations management of the public cloud must be done over the Internet, which is quite different from operating a traditional IT environment.
Common risk sources:
Operations traffic hijacked:
The biggest change to operations in the public-cloud scenario is that the operations channel is no longer on the intranet; the various operations management interfaces on the public cloud are accessed directly over the Internet. They are easily sniffed or hijacked by a man in the middle, leaking operations management accounts and credentials.
Increased exposure of operations management interfaces:
In the past, attackers had to break into the intranet before brute-forcing the passwords of operations management interfaces. Now public-cloud users usually expose SSH, RDP or other application management interfaces directly to the Internet, relying on authentication alone as the line of defense; an attacker only needs to crack the password or bypass the authentication mechanism to obtain administrator rights directly.
Difficulty in account and privilege management:
Many people share a system's account and password, everyone uses the super-administrator privilege, and there is a risk of account leakage and unauthorized operations.
Missing operation records:
Resources in the public cloud can be operated through the management console, the API, the operating system and application systems. Without operation records, once there is an intrusion or internal abuse of privilege, it is impossible to trace the damage or locate the intruder.
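To make the "increased exposure of management interfaces" risk concrete, here is an added example (not from the chat record or from any cloud provider's tooling) that audits a constructed list of security-group ingress rules in a simplified, provider-neutral shape: it reports management ports (SSH, RDP, database listeners) reachable from the whole Internet or from non-intranet ranges, and any rule that opens every port. The rule format, the port list and the sample CIDRs are assumptions.

```python
import ipaddress

# Management listeners that should never face the whole Internet (assumed list)
MGMT_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}

# RFC 1918 ranges, i.e. the intranet the page contrasts with the public network
INTRANET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample ingress rules in a simplified, provider-neutral shape
SAMPLE_RULES = [
    {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "10.0.0.0/8"},
    {"proto": "tcp", "from_port": 0, "to_port": 65535, "cidr": "198.51.100.0/24"},
    {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "203.0.113.10/32"},
]


def is_intranet_source(cidr):
    """True when the whole source range lies inside an RFC 1918 block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(p) for p in INTRANET)


def audit_rule(rule):
    """Return (severity, reason) for a risky rule, or None if it is acceptable."""
    lo, hi = rule["from_port"], rule["to_port"]
    net = ipaddress.ip_network(rule["cidr"], strict=False)
    if lo == 0 and hi == 65535:
        return ("high", f"all ports open to {net}")
    names = "/".join(name for port, name in MGMT_PORTS.items() if lo <= port <= hi)
    if not names:
        return None                      # nothing sensitive in this port range
    if net.prefixlen == 0:
        return ("critical", f"{names} open to the whole Internet")
    if is_intranet_source(rule["cidr"]):
        return None                      # intranet-only access is the expected case
    if net.prefixlen == net.max_prefixlen:
        return ("low", f"{names} open to single host {net}")
    return ("high", f"{names} open to Internet range {net}")


def audit_security_group(rules):
    """Collect findings as (severity, from_port, cidr, reason) tuples."""
    findings = []
    for rule in rules:
        result = audit_rule(rule)
        if result:
            findings.append((result[0], rule["from_port"], rule["cidr"], result[1]))
    return findings


if __name__ == "__main__":
    for severity, port, cidr, reason in audit_security_group(SAMPLE_RULES):
        print(f"{severity:8} port {port:<5} from {cidr:18} {reason}")
```

The severity ladder encodes the page's point: a management port behind authentication alone is a single line of defense, so the finding is rated by how much of the Internet can reach it, from a single allowlisted host (low) up to 0.0.0.0/0 (critical).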
Judging from the available information, quite a few cloud service providers have provided solutions for the above risks.
But sometimes the biggest risk comes from the cloud service provider itself:
Case 1: In 2015, a cloud service provider suffered a large-scale outage, and multiple apps and websites using its services became unresponsive.
Case 2: 26 of a cloud service provider's 28 data centers were affected by a service interruption; users in the affected regions could not create, update or delete data resources.
Case 3: When the intranet of a cloud service provider's machine room failed, a large number of Internet companies' businesses were affected, normal customer files were mistakenly quarantined, and basic commands could not be run.
Case 4: At the beginning of this year, a cloud service provider suddenly had a major failure that lasted more than 4 hours, and some customers suffered heavy losses.
The various outages and service interruptions show that the reliability of the public cloud at this stage still has serious problems. For the public cloud to serve the public better, providers must keep improving their technical means, and users need to re-examine which businesses are suitable for the public cloud.
What should I do to ensure operations security on the public cloud?
Use multiple, redundant CSPs to spread risk: buying high-bandwidth links from multiple vendors to connect data centers is common practice, because enterprises want to spread risk across providers. If one CSP goes down, the others can still operate normally. Many cloud configuration tools are already integrated with the leading CSP services; with this approach, a vendor's service interruption will not adversely affect the enterprise's applications.
Although security is the primary concern of many enterprises when using the public cloud as IaaS, there are many ways to address it effectively. The simplest is to migrate only the least sensitive applications and data to the public cloud.
If an enterprise decides to migrate mission-critical applications to the cloud, it needs security measures beyond those the CSP provides. There is always a trade-off when adding a public-cloud security layer, because it may add points of failure or slow the application. Finding the right balance between security and performance can be difficult, but striving for that balance is reassuring.
4. Encrypting enterprise documents is hard; who should do it?
Once an enterprise's internal documents are stolen by attackers, the losses are unimaginable, so encrypting files is a consensus within enterprises.
Why encrypt files?
File transfer and e-mail over the Internet involve many insecure factors, and this insecurity is rooted in the foundation of the Internet: it is inherent in the TCP/IP protocol suite and in some services built on it. So to ensure security, we must encrypt files.
Encryption we might
What's the experience with existing encryption software?
We know information security needs to step up, and encryption or anti-leakage is indispensable. But the effect of the various software products is really a dilemma.
File encryption is an ineffective scheme: huge investment, little effect, certain to fail.
Network security looks for security guards; data security looks for bodyguards. The trust mechanism, investment and authorization are entirely different.
What measures have companies taken to encrypt documents?
Measure 1:
Measure 2:
Measure 3:
Measure 4:
Measure 5:
Measure 6:
Is there really no thorough solution for file encryption?
Is DLP easy to use?
Without data classification, DLP is the moon in the mirror (an illusion).
In fact, encryption depends on requirements and scenarios. There is no general solution, nor will there be. Managing R&D staff's source code, office staff's documents, external auditors' data retrieval, and after-the-fact tracking and traceability are different scenarios with different requirements, and the solutions differ. Many leak sources in enterprises are not the well-behaved people under your control.
If you only want a single scheme to solve everything once and for all, it often drives security operations into a deadlock:
A security solution is adopted without investigating the actual situation, finding out the real needs, or surfacing the contradictions and putting them in front of decision makers; it is implemented in a one-size-fits-all manner, makes a splash, but solves no actual problem. In the end the failure is blamed on staff, a solution vendor is brought in to fix it, and then everyone complains that security is hard.
In fact, I am the biggest problem. The right way is to solve a little of the problem every day.
Concrete measures
Multi-level governance mechanism
- Use transparent encryption and decryption in external audit access or closed scenarios.
- In the office environment, focus on after-the-fact tracking and traceability to preserve a good user experience.
- Within the IT department, manage as strictly as possible; any strict measure you can think of applies.
- In the trading area, focus on protecting sensitive data sources.
-----------------I'm the dividing line---------------------
The best things in life are all kinds of experiences and unforgettable moments. The more painful the process, the better the result. If, like me, you go through all kinds of rather "painful" experiences in enterprise security, you will surely be grateful for them and miss them later.
Appended notes:
- Nie Jun, an information security practitioner with more than ten years of experience in financial-industry information security, not widely known. Fond of reading, without seeking deep understanding. Cheerful by nature, likes football.
- The articles in this subscription account share personal experiences and reflections on work and life. Reading from different perspectives and positions will produce deviations and differing opinions; they do not seek correctness or unanimity, but truth, goodness and beauty.
If you want to join the financial-industry security building group, contact the WeChat official account "Jun brother's body calendar" with a background message giving your WeChat ID + company name; identity is verified before you are admitted. To protect the quality of the group, passing verification is not guaranteed.