Security level classification and emergency response process

Source: Internet
Author: User

Notes written after reviewing the classified protection requirements and the related security construction video (Zheng Cnhawk: Enterprise Security, Emergency Response, http://open.freebuf.com/live/181.html); corrections to any immature points are welcome.

Security level classification (the routine, peacetime assessment of the network environment):

1. The loss that would be incurred if each business system were compromised (i.e. the importance of the business system); see Table I.

2. An evaluation across five aspects: physical security, network security, host security, application security and data security (this is the baseline, to be adjusted according to the actual situation); see Table II.

The security of the whole network is assessed comprehensively from the two points above.

Table I: Business system compromise level

| Degree of compromise | Slight (no effect on work) | General (work proceeds normally) | Serious (work affected, e.g. slow response, packet loss) | Danger (unable to work) |
|---|---|---|---|---|
| Business System A | Class A | Class B | Class C | Class D |
| Business System B | Class B | Class C | Class D | Class E |
| Business System C | Class C | Class D | Class E | Class F |

Note: The compromise levels are to be developed according to the specific circumstances.

The first level brings only the control points "identity authentication", "autonomous access control" and simple "malicious code prevention" into the detection scope, which is enough to meet the first-level standard. The second level adds detection of "security audit", "system protection", "residual information protection" and "resource control" on top of the first-level control points, and tests each control point to a greater depth than the first level. The third level includes all second-level control points and adds testing of "mandatory access control" to meet the third-level standard. The fourth level is the highest level of evaluation: all detection points are assessed with in-depth scanning, which suits the security assessment of high-security computer systems.

Table II: Classified protection level overview

The five aspects assessed (the columns of the original table):

Physical security: physical location, physical access, anti-theft and anti-damage, natural disaster prevention, machine room layout
Network security: structural security, access control, security audit, boundary settings, etc.
Host security: identification, access control, security audit, intrusion prevention, malicious code prevention, resource control
Application security: identification, access control, security audit, malicious code prevention, resource control, communication-related requirements
Data security: data security, backup and recovery

Items marked "+" are added on top of the requirements of the previous level.

First level

Physical security: machine room access control and natural disaster prevention
Network security: business processing capacity of the relevant equipment, device access control, login status
Host security: host login restrictions, identity authentication, permission settings, operating system patches and application installation
Application security: the application's own vulnerabilities and the security of its communications
Data security: integrity and confidentiality of important information in data communication; backup and recovery of important information

Second level

Physical security: shock, wind and rain protection; access audit records; waterproofing and moisture-proofing, temperature and humidity control; short-term backup power; isolation of power supply and communication lines
Network security: + redundant capacity, with access-network and core-network bandwidth sufficient for peak business; subnetting, with network segment addresses allocated on the principle of ease of control; access control enabled at the network boundary (network-segment granularity), user and system control granularity down to a single user, a limited number of users with dial-up access rights; auditing and recording of devices, traffic and behaviour; boundary integrity detection; the following attacks monitored at the network boundary: port scans, brute-force attacks, Trojan and backdoor attacks, denial-of-service attacks, buffer overflow attacks, IP fragment attacks, network worm attacks, etc.; single sign-on for device login
Host security: separation of operating system and database user rights; identity identification with password strength and update requirements, login restrictions, user name uniqueness; + audit coverage of every user on the server, with audit records protected against unintended deletion; + server upgrade mechanism; + unified management of malicious code protection
Application security: + a unique identity tag per authenticated user, access control down to file and data table level, security audit covering every user with records guaranteed unmodifiable; + integrity in communication (MD5 or another hash); + communication limits (system concurrency, number of sessions per user, idle time limit before a session is terminated)
Data security: + integrity and confidentiality of critical business data; + disaster recovery for critical equipment and business

Third level

Physical security: (no additions listed)
Network security: + avoid placing important network segments at the boundary or directly attached to external information systems, and isolate them from other systems; prioritise bandwidth allocation by business importance; + control granularity at port level; filter the content of information entering and leaving the network, with command-level control of application-layer protocols such as HTTP, FTP, TELNET, SMTP and POP3; terminate the network connection after the session has been inactive for a set time or at the end of the session; limit the maximum network traffic and the number of network connections; use technical means on important network segments to prevent address spoofing; generate audit reports; record attack behaviour
Host security: + minimum permission assignment; audit coverage down to the user; ensure storage is cleanly wiped before it is reallocated; resource monitoring and minimum allocation
Application security: + generate reports; communication encryption (session authentication, message or session encryption); non-repudiation of sending and receiving; resource limits: + number of concurrent sessions per time period, minimum process resource allocation, service and process priority settings
Data security: + data integrity checking and recovery from corruption; encryption of critical business data; full data backup at least once a day; storage media kept off-site; off-site data backup; transport redundancy to avoid single points of failure

Fourth level

Physical security: prevention of natural and man-made disasters, temperature and humidity control, access audit, physical isolation of important systems, electronic access control; + electromagnetic shielding
Network security: access control (user-level or process-level), network boundary security settings, security audit (fine-grained, big data), malicious code prevention with automatic handling mechanisms; at least one unforgeable form of identification; + no data carried over general-purpose protocols; filtering of information based on sensitivity labels; no remote dial-up access; centralised auditing, clock synchronisation
Host security: host login limits, at least one unforgeable form of identification, permission settings, operating system patches and application installation, virus protection status, malicious code prevention (different malicious code signature bases on host and network), intrusion prevention, timely virus database updates, resource usage restrictions; + process-level and field-level access control; + centralised audit; + at least one unforgeable form of identification; + installation and enabling of security labels; + default account access prohibited
Application security: + a trusted and secure communication path established for identification and sessions; + centralised audit; + hardware encryption and key management; + automatic recovery; + proprietary protocols or HTTPS for important communications, so that protocol-based communication attacks cannot compromise data integrity and confidentiality
Data security: + off-site real-time backup with seamless switchover

Note: The details of each level can be modified according to the actual situation and then deployed to reach the target level.

Problems that remain after deployment and improvement can usually be found through penetration testing and simulated attacks (see the exercises below) and then fixed.

The above is the basis for assessing and improving the security of the network environment in peacetime. When an attack occurs, additional emergency response measures are needed; the whole process is divided into before, during and after the event.
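The application security column above asks for "communication limits" at the second level (system concurrency, sessions per user, an idle time limit) and for terminating inactive sessions and capping concurrent sessions at the third level. The following is an added example, not code from the original post, showing one way an application can enforce all three limits in a single session manager. The limit values, the session timeline and the class and method names are constructed for illustration; the clock is passed in explicitly so the behaviour can be checked deterministically.

```python
"""Session resource limits: total concurrency cap, per-user cap, idle timeout.

Added example (not from the original post). The limits and the sample
timeline are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional
import secrets


@dataclass
class Session:
    user: str
    token: str
    created: float
    last_seen: float


class SessionLimitError(Exception):
    """Raised when opening a session would exceed a configured limit."""


@dataclass
class SessionManager:
    max_total: int = 1000          # system-wide concurrency limit (assumed default)
    max_per_user: int = 3          # single-user session limit (assumed default)
    idle_timeout: float = 900.0    # seconds of inactivity before termination (assumed)
    sessions: Dict[str, Session] = field(default_factory=dict)   # token -> Session

    def _reap(self, now: float) -> int:
        """Terminate sessions idle for at least idle_timeout; returns how many."""
        expired = [t for t, s in self.sessions.items()
                   if now - s.last_seen >= self.idle_timeout]
        for t in expired:
            del self.sessions[t]
        return len(expired)

    def open(self, user: str, now: float) -> str:
        # Idle sessions are reaped first so they never count against the limits.
        self._reap(now)
        if len(self.sessions) >= self.max_total:
            raise SessionLimitError("system concurrency limit reached")
        if sum(1 for s in self.sessions.values() if s.user == user) >= self.max_per_user:
            raise SessionLimitError(f"per-user session limit reached for {user!r}")
        token = secrets.token_urlsafe(32)   # unpredictable session identifier
        self.sessions[token] = Session(user, token, now, now)
        return token

    def touch(self, token: str, now: float) -> bool:
        """Record activity; False if the session is unknown or already expired."""
        self._reap(now)
        s = self.sessions.get(token)
        if s is None:
            return False
        s.last_seen = now
        return True

    def active_count(self, user: Optional[str] = None) -> int:
        return sum(1 for s in self.sessions.values() if user is None or s.user == user)


def demo() -> dict:
    """Walk a constructed timeline through the limits and report what happened."""
    mgr = SessionManager(max_total=4, max_per_user=2, idle_timeout=600.0)
    t1 = mgr.open("alice", now=0.0)
    t2 = mgr.open("alice", now=10.0)
    try:
        mgr.open("alice", now=20.0)          # third alice session: rejected
        third_rejected = False
    except SessionLimitError:
        third_rejected = True
    mgr.open("bob", now=30.0)
    mgr.open("carol", now=40.0)              # four sessions now: total limit reached
    try:
        mgr.open("dave", now=50.0)
        total_rejected = False
    except SessionLimitError:
        total_rejected = True
    # alice's second session is kept alive by activity; t1, bob and carol go idle
    # past 600 s and are terminated at the next reap.
    mgr.touch(t2, now=500.0)
    mgr.touch(t2, now=1000.0)
    first_still_valid = mgr.touch(t1, now=1000.0)   # idle 1000 s >= 600 s: expired
    return {
        "third_rejected": third_rejected,
        "total_rejected": total_rejected,
        "first_still_valid": first_still_valid,
        "alice_active": mgr.active_count("alice"),
        "total_active": mgr.active_count(),
    }


if __name__ == "__main__":
    print(demo())
```

Reaping idle sessions before checking the caps matters: without it, abandoned sessions would slowly consume the concurrency budget and lock out legitimate users, which is exactly the resource exhaustion these limits are meant to prevent.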

Before the event:

Determine personnel responsibilities, event levels, the escalation system and the escalation mechanism.

An attack is classified into one of the following event levels:

| Event level | Effect | Note |
|---|---|---|
| Level one | Asset loss for some or all users/employees. For example: a critical business system is hit by a denial-of-service attack and users cannot access it; the site homepage is infected with malicious code; a production server is compromised | Core users compromised; critical systems under attack |
| Level two | A small number of users or employees affected. For example: a web-based management system is compromised, but only a small amount of information can be obtained | Edge business attacked; ordinary user compromised |
| Level three | Individual users or employees affected. For example: a single web server is attacked and becomes inaccessible, but the application as a whole is unaffected | Ordinary server attacked, no loss |

Note: To be developed according to the company's specific business.

Prepare the plan:

1. Classify plans by event (attack type): DDoS, website intrusion, DNS security, etc.

2. Classify plans by the device attacked: production server, web server, etc.

Analysis and judgment: monitoring and discovery, traffic analysis, log review

Handling process and method: (varies with the size of the attack traffic and the application affected)

Contact details of the handling personnel

Exercise: test the plan so that as many scenarios as possible are anticipated
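The "analysis and judgment" step (monitoring, traffic analysis, log review) is where the boundary monitoring required at the second level is actually carried out: the table asks that port scans and brute-force attacks, among others, be detected at the network boundary. The following is an added example, not code from the original post, implementing that detection over constructed firewall deny lines and authentication failure lines. The log formats, IP addresses, thresholds and window size are all constructed assumptions; real thresholds are tuned to the environment's baseline traffic.

```python
"""Boundary monitoring over firewall and authentication logs.

Added example (not from the original post). Flags a source that probes many
distinct ports within a short window (port scan) and a source that produces
many failed logins within a short window (brute force). Log formats, sample
lines and thresholds are constructed assumptions.
"""
from collections import defaultdict
import re
from typing import Dict, List, Tuple

# Constructed log formats: one firewall deny line and one auth failure line.
FW_RE = re.compile(r"^(?P<ts>\d+) FW DENY src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")
AUTH_RE = re.compile(r"^(?P<ts>\d+) AUTH FAIL user=(?P<user>\S+) src=(?P<src>[\d.]+)$")

# Thresholds (assumed): distinct ports per source per window; failed logins per source per window.
PORT_SCAN_PORTS = 10
BRUTE_FORCE_FAILS = 5
WINDOW_SECONDS = 60


def _peak_count(stamps: List[int]) -> int:
    """Largest number of events falling inside any WINDOW_SECONDS window (stamps sorted)."""
    best, start = 0, 0
    for end in range(len(stamps)):
        while stamps[end] - stamps[start] >= WINDOW_SECONDS:
            start += 1
        best = max(best, end - start + 1)
    return best


def _peak_distinct_ports(events: List[Tuple[int, int]]) -> int:
    """Largest number of distinct destination ports inside any WINDOW_SECONDS window."""
    best = 0
    for i, (t0, _) in enumerate(events):
        ports = {p for t, p in events[i:] if t - t0 < WINDOW_SECONDS}
        best = max(best, len(ports))
    return best


def detect(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (alert_type, source_ip, peak_count) for each source crossing a threshold.

    A sliding window over event timestamps (epoch seconds) means slow activity
    spread over a long period is not flagged, while bursts are.
    """
    fw_events: Dict[str, List[Tuple[int, int]]] = defaultdict(list)   # src -> [(ts, dport)]
    auth_events: Dict[str, List[int]] = defaultdict(list)              # src -> [ts]
    for line in lines:
        m = FW_RE.match(line)
        if m:
            fw_events[m["src"]].append((int(m["ts"]), int(m["dport"])))
            continue
        m = AUTH_RE.match(line)
        if m:
            auth_events[m["src"]].append(int(m["ts"]))
        # Lines matching neither format are ignored here; a production pipeline
        # would count them so that a parser failure cannot silently blind detection.

    alerts: List[Tuple[str, str, int]] = []
    for src, events in fw_events.items():
        events.sort()
        peak = _peak_distinct_ports(events)
        if peak >= PORT_SCAN_PORTS:
            alerts.append(("port_scan", src, peak))
    for src, stamps in auth_events.items():
        stamps.sort()
        peak = _peak_count(stamps)
        if peak >= BRUTE_FORCE_FAILS:
            alerts.append(("brute_force", src, peak))
    return sorted(alerts)


# Constructed sample: a 12-port sweep from one host within 11 seconds, a slow
# 3-port probe from another spread over 10 minutes, six failures against root
# within 25 seconds, one isolated failure, and one unparseable line.
SAMPLE_LOG = [f"{1000 + i} FW DENY src=203.0.113.7 dst=192.0.2.10 dport={20 + i}" for i in range(12)]
SAMPLE_LOG += [f"{2000 + 300 * i} FW DENY src=203.0.113.8 dst=192.0.2.10 dport={80 + i}" for i in range(3)]
SAMPLE_LOG += [f"{3000 + 5 * i} AUTH FAIL user=root src=198.51.100.23" for i in range(6)]
SAMPLE_LOG += ["3010 AUTH FAIL user=deploy src=198.51.100.24", "garbage line that matches nothing"]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample, only the fast sweep and the burst of root failures are reported; the slow three-port probe stays below the threshold, which illustrates the trade-off of any windowed rule: the window and thresholds decide what a patient scanner can do unnoticed, so they belong in the plan as tunable parameters rather than as fixed constants.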

During the event:

Discover the event and escalate

Coordinate and dispatch

Handle the event according to its situation (attack type) and the corresponding plan

After the event:

Analyse the causes, identify optimisations, improve the project, implement

The above is my study record together with some of my own ideas; where it is immature, or if anyone has suggestions, corrections and exchange are welcome. Thank you!
