How to build efficient and secure operation and maintenance service platform
Hello everyone, I am Zhang Huapeng from WooYun. The topic I am sharing with you today is "building an efficient and secure operation and maintenance service platform". It covers enterprise data security and the operation and maintenance security problems related to the network, system services, and application configuration.
The core of enterprise security is data security
Before we discuss how to build a secure operations service platform, the question to consider is: what is the core requirement for such a platform? The core requirement is to help the enterprise resolve security risks and avoid the business losses those risks would cause.
For any enterprise that depends on the Internet, data is the core asset; in the final analysis, enterprise security is data security. So the first thing we need to understand is where exactly the company's data lives.
Business systems are the carrier of data, and IT assets are the carrier of business systems, so the core of operations is the enterprise's IT assets. Enterprise security operations should therefore be a basic requirement of operation and maintenance.
What are the problems with operational security?
The premise of an efficient and secure operation and maintenance platform is understanding the risks the enterprise faces. Enterprise operation and maintenance security divides into three aspects: the network, system services, and application-related configuration.
Network security
Network security is mainly about the risk of the network boundary being breached. For most companies with Internet-facing business, services are divided into an intranet zone and an extranet zone, and the two are normally isolated from each other.
In general, the enterprise intranet hosts a number of sensitive internal systems that only need to be open to internal staff and are isolated from the Internet. Because there is a boundary, there is a risk of that boundary being penetrated.
Typical enterprise network boundary risks include: a single server deploying both intranet and extranet services, SSRF vulnerabilities, interconnection between the IDC and the office network, unauthenticated proxy configurations, IDC server intrusions, and so on.
A few of the more technical concepts deserve an explanation. A single server deploying both intranet and extranet business is easy to understand: for example, two developers share a common server whose intranet IP is mapped to an internal business system such as ERP, while at the same time the server hosts an external service such as the company's official blog, bound to an extranet IP/domain name.
An SSRF vulnerability is, plainly, equivalent to an application-layer proxy: it can be used to initiate requests to arbitrary addresses on the internal network.
Unauthenticated proxy configuration means proxies such as squid deployed without authorization control, which lets anyone request intranet resources directly through the proxy.
On the WooYun platform you can often see cases where attackers roamed the enterprise intranet by breaking through the boundary and obtained core internal information.
One example is an SSRF case at an Internet company; see the WooYun report http://www.wooyun.org/bugs/wooyun-2016-026212. Searching the WooYun vulnerability report platform for similar intranet roaming cases returns more than 400 records.
System service security
System service security issues mainly fall into two areas: system-dependent components and vulnerabilities in basic services.
Typical system service security issues include OpenSSL Heartbleed, the Shellshock Bash remote command execution vulnerability, Redis unauthorized access, weak passwords on various basic services, and more.
Some of the global security incidents of recent years, Heartbleed and the Bash remote command execution among them, were all caused by security problems in the system's underlying dependent components.
One example is a Heartbleed leak at a domestic e-commerce website; a search of the WooYun main site for Redis-related risks also returns nearly 400 results.
Application Configuration Security
Application configuration security mainly concerns the application release process and various improper configurations.
Common issues in the release process include SVN and git metadata directories that are not deleted, which leaks source code, and database and code backup files placed in the web directory, which attackers can download.
Web server configuration is also a major source of configuration risk; there is no shortage of web server misconfigurations that cause arbitrary system file traversal, directory listing, and similar issues.
With so many problems, what should we do about them?
How to build a secure operation and maintenance service platform
Base asset management
The core of enterprise security is data security, and the base assets are the carrier of this core data, so at the start of building such a secure operation and maintenance service platform we should first do the discovery and management of the base assets well.
Discovery of the underlying assets can be approached from two perspectives: relying on the internal asset operations management process, and conducting asset detection from an external attacker's perspective. The two complement each other well. If you rely only on the internal process to collect the enterprise's IPs, domain names and other assets, the demands on internal asset management are very high, internal norms are often hard to put into practice, and some assets get omitted; external detection makes up for that gap.
External asset discovery methods mainly include: brute-force subdomain enumeration, walking through subdomains with a dictionary of common names; analysis of third-party DNS data to obtain enterprise-related subdomains and IPs; and, in addition, third-party query interfaces, web crawlers, and obtaining the IPs of associated subdomains through DNS zone transfer vulnerabilities.
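The complementary relationship between the internal asset process and external discovery is the point worth automating: once external sources have produced a list of names and IPs, the platform has to decide which of them the internal inventory already knows, which sit on enterprise-owned addresses but have no registered owner (the omissions the talk warns about), and which belong to third parties. The following is an added example, not code from the talk or from WooYun; the owned address ranges, the internal inventory export and the externally discovered records are all constructed sample data for a hypothetical example.com enterprise.

```python
"""Reconcile the internal asset inventory with externally discovered assets.

Added example, not from the talk: the owned IP ranges, the internal
inventory export and the externally discovered DNS records are all
constructed sample data for a hypothetical example.com enterprise.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set, Tuple

# Constructed: address ranges the enterprise is known to own.
OWNED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("198.51.100.0/25")]

# Constructed: what the internal asset operations process has recorded.
INTERNAL_INVENTORY: Dict[str, dict] = {
    "www.example.com": {"ip": "203.0.113.10", "owner": "web-team"},
    "erp.example.com": {"ip": "10.20.0.5", "owner": "it-ops"},
}

# Constructed: (name, ip) pairs collected from third-party DNS data,
# crawlers and other passive sources, exactly as they come in (unnormalized).
EXTERNAL_RECORDS = [
    ("WWW.example.com.", "203.0.113.10"),
    ("blog.example.com", "203.0.113.11"),      # owned range, nobody registered it
    ("old-test.example.com", "198.51.100.77"),  # owned range, forgotten test host
    ("cdn.example.com", "192.0.2.50"),          # outside every owned range
]


def normalize_name(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.strip().rstrip(".").lower()


def in_owned_range(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OWNED_NETWORKS)


@dataclass
class Reconciliation:
    known: Set[str] = field(default_factory=set)
    unmanaged: Dict[str, str] = field(default_factory=dict)    # on owned IPs
    third_party: Dict[str, str] = field(default_factory=dict)  # elsewhere


def reconcile(internal: Dict[str, dict],
              external: Iterable[Tuple[str, str]]) -> Reconciliation:
    """Classify each external record against the internal inventory.

    'unmanaged' entries are what the internal process missed: hosts on
    enterprise-owned addresses for which nobody has registered an owner.
    """
    result = Reconciliation()
    managed = {normalize_name(n) for n in internal}
    for raw_name, ip in external:
        name = normalize_name(raw_name)
        if name in managed:
            result.known.add(name)
        elif in_owned_range(ip):
            result.unmanaged[name] = ip
        else:
            result.third_party[name] = ip
    return result


if __name__ == "__main__":
    r = reconcile(INTERNAL_INVENTORY, EXTERNAL_RECORDS)
    for name, ip in sorted(r.unmanaged.items()):
        print(f"unmanaged asset: {name} ({ip}) - assign an owner")
```

Normalizing names before comparison matters in practice: third-party DNS data routinely returns mixed case and trailing dots, and without it the same host shows up as both "known" and "unmanaged". Records outside the owned ranges are kept separately rather than discarded, since a dangling CNAME to a third party is itself something the asset owner should review.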
After the base domain name and IP assets have been sorted out, we need to think about how to make asset management more efficient.
Domain names and IPs are coarse-grained assets. To respond to constantly changing security risks we need finer-grained asset identification, such as which applications and services are deployed on each domain name and IP, so that as soon as those applications and services are exposed to a security risk on the Internet, the operations service platform can respond immediately. This relies on fingerprint recognition technology.
Fingerprint recognition includes service fingerprint recognition and application fingerprint recognition.
For service fingerprint recognition, Nmap fully meets everyone's needs, and its fingerprint rules can be customized conveniently.
For application fingerprint recognition, we can consider features at the HTTP protocol level, such as HTTP header fields and the special cookie values used by a particular web application, as well as the static js/css/html files unique to a particular application.
These features are essential for identifying all the third-party applications on the market.
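The three kinds of evidence the talk lists for application fingerprinting (header fields, cookie names, and references to application-specific static files) map naturally onto a rule format that community members can extend. The block below is an added example, not code from the talk or from WooYun; the application names "ExampleCMS" and "AcmeForum", their rules, and the sample response are all constructed, and real rules would be written against the actual headers and assets of each product.

```python
"""Rule-based application fingerprinting from an HTTP response.

Added example; the fingerprint rules, application names and the sample
response below are constructed, not taken from any real product.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class HttpResponse:
    headers: Dict[str, str]                        # header name -> value
    set_cookie: List[str] = field(default_factory=list)  # one entry per Set-Cookie
    body: str = ""


# Constructed rules. Each rule lists the evidence that identifies one app:
# header patterns, cookie names, and patterns for unique static files/markup.
FINGERPRINTS = {
    "ExampleCMS": {
        "headers": {"X-Powered-By": re.compile(r"ExampleCMS", re.I)},
        "cookies": ["examplecms_session"],
        "body": [re.compile(r"/static/examplecms/app\.js")],
    },
    "AcmeForum": {
        "headers": {},
        "cookies": ["acme_forum_sid"],
        "body": [re.compile(r'<meta name="generator" content="AcmeForum')],
    },
}


def fingerprint(resp: HttpResponse) -> Dict[str, List[str]]:
    """Return {app_name: [evidence, ...]} for every rule with at least one hit.

    Evidence is kept so an analyst can see why an asset was tagged; a single
    matching header is weaker evidence than header + cookie + static file.
    """
    lower_headers = {k.lower(): v for k, v in resp.headers.items()}
    cookie_names = {c.split("=", 1)[0].strip().lower() for c in resp.set_cookie}
    matches: Dict[str, List[str]] = {}
    for app, rule in FINGERPRINTS.items():
        evidence = []
        for hname, pattern in rule["headers"].items():
            value = lower_headers.get(hname.lower(), "")
            if pattern.search(value):
                evidence.append(f"header {hname}: {value}")
        for cookie in rule["cookies"]:
            if cookie.lower() in cookie_names:
                evidence.append(f"cookie {cookie}")
        for pattern in rule["body"]:
            if pattern.search(resp.body):
                evidence.append(f"body matches {pattern.pattern}")
        if evidence:
            matches[app] = evidence
    return matches


# Constructed sample response from a hypothetical host running ExampleCMS.
SAMPLE = HttpResponse(
    headers={"Server": "nginx", "X-Powered-By": "ExampleCMS/3.1"},
    set_cookie=["examplecms_session=abc123; Path=/; HttpOnly"],
    body='<html><head><script src="/static/examplecms/app.js"></script></head></html>',
)

if __name__ == "__main__":
    for app, why in fingerprint(SAMPLE).items():
        print(app, "->", "; ".join(why))
```

Keeping one entry per Set-Cookie header, rather than a single comma-joined string, avoids mis-splitting cookies whose Expires attribute itself contains a comma. Service-level facts (port, product, version) would come from Nmap as the talk suggests and sit alongside these application tags in the asset record.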
Continuous risk monitoring
In the asset management module we noted that asset fingerprinting is divided into service fingerprinting and application fingerprinting; risk detection likewise concerns service risk detection and application risk detection.
Service risk detection mainly covers common vulnerabilities in basic system services and the detection of improper service configuration.
Application risk detection mainly covers common vulnerabilities in third-party applications and risks in self-developed applications. For a common third-party vulnerability, a specific detection strategy is usually written for that specific vulnerability; for a self-developed application, a risk such as the typical SQL injection can only be determined by trying different test payloads, which usually depends on the specific vulnerability scenario.
So how do you make risk detection a more efficient thing?
The most important part of risk detection is the detection strategy. Internet technology changes constantly and brings different vulnerability risks, which makes it very difficult for an enterprise to maintain detection strategies that cover all of them. If we can combine the strength of the security community to improve the strategies, the problem can be solved well and efficiently; the platform then only has to do one thing, which is to provide a good enough engine framework that makes it easy for community security experts to contribute strategies to the platform.
A good mechanism for operating the community is also needed, such as matching rewards to the risks discovered by the detection strategies that white hats write, so that white hats are motivated to write more and better detection strategies.
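What "a good enough engine framework" means in code is a small contract: a strategy is a function that takes the facts already collected about an asset and returns the evidence it found, and the engine decides which strategies to run based on the asset's fingerprints and attaches severity and host to the result. The block below is an added example, not the talk's or WooYun's engine; the asset records, the two strategies (one for leftover VCS metadata from the release-process passage, one for a basic service running without authentication) and the fingerprint tags are constructed, and the strategies evaluate facts that an earlier collection step is assumed to have gathered rather than probing anything themselves.

```python
"""A minimal detection-strategy engine: contributed strategies register
with a decorator and run over collected asset facts.

Added example; the asset facts, strategy names and fingerprint tags are
constructed. Strategies here evaluate already-collected facts (HTTP status
codes, service inventory); the collection step itself is assumed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Asset:
    host: str
    fingerprints: Set[str] = field(default_factory=set)   # from fingerprinting
    services: Dict[int, dict] = field(default_factory=dict)  # port -> facts
    http_paths: Dict[str, int] = field(default_factory=dict)  # path -> status


@dataclass
class Finding:
    host: str
    strategy: str
    severity: str
    detail: str


REGISTRY: Dict[str, dict] = {}


def strategy(name: str, severity: str, requires: Optional[Set[str]] = None):
    """Register a detection strategy. `requires` lists fingerprints an asset
    must carry for the strategy to run (None = run against every asset)."""
    def decorator(fn: Callable[[Asset], List[str]]):
        REGISTRY[name] = {"fn": fn, "severity": severity,
                          "requires": requires or set()}
        return fn
    return decorator


@strategy("exposed-vcs-metadata", "high")
def exposed_vcs(asset: Asset) -> List[str]:
    # Release-process risk from the talk: .git/.svn directories left in the web root.
    return [p for p in ("/.git/HEAD", "/.svn/entries")
            if asset.http_paths.get(p) == 200]


@strategy("unauthenticated-service", "high", requires={"redis"})
def unauthenticated_service(asset: Asset) -> List[str]:
    # Improper service configuration: a basic service reachable without auth.
    return [f"port {port}" for port, facts in asset.services.items()
            if facts.get("product") == "redis" and not facts.get("auth_required")]


def run(assets: List[Asset]) -> List[Finding]:
    """Run every applicable registered strategy over every asset."""
    findings: List[Finding] = []
    for asset in assets:
        for name, meta in REGISTRY.items():
            if not meta["requires"] <= asset.fingerprints:
                continue   # strategy does not apply to this asset's stack
            for detail in meta["fn"](asset):
                findings.append(Finding(asset.host, name, meta["severity"], detail))
    return findings


# Constructed asset records for two hypothetical hosts.
SAMPLE_ASSETS = [
    Asset("blog.example.com", {"nginx", "examplecms"},
          {80: {"product": "nginx"}}, {"/": 200, "/.git/HEAD": 200}),
    Asset("cache.example.com", {"redis"},
          {6379: {"product": "redis", "auth_required": False}}, {}),
    Asset("erp.example.com", {"tomcat"},
          {8080: {"product": "tomcat"}}, {"/": 200, "/.git/HEAD": 404}),
]

if __name__ == "__main__":
    for f in run(SAMPLE_ASSETS):
        print(f"[{f.severity}] {f.host}: {f.strategy} ({f.detail})")
```

The `requires` gate is what ties the engine to the fingerprint inventory: a community-contributed strategy for one product only ever runs against assets tagged with that product, which keeps scan time proportional to the number of matching assets rather than the number of strategies, and gives the platform a simple way to answer "which strategies cover this stack".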
Security event handling
When an enterprise discovers a risk, the next thing to do is handle the incident, and it needs a timely and effective handling process: first discovery of the problem, then notification of the risk to the specific business unit, while guiding the business unit through remediation.
An important detail in this link is that business-unit developers are not security-aware, so during their attention to and repair of a security issue the fix may be improper; it is best to have security personnel follow up on the notification and repair process.
After the repair is completed, a regression test should be done promptly.
Besides handling known security risks in time, the platform also needs the ability to alert on globally erupting common security incidents, such as an outbreak of a Struts2 vulnerability: as soon as the vulnerability breaks out, every business unit that may be affected must be alerted so that it cooperates with remediation in time. This buys a much larger window of repair time.
How can security event handling be made more efficient?
The core is connecting the secure operation and maintenance service platform to the business unit's product lifecycle management process, preferably via an API directly into the product development release process, so that security issues are treated as serious product bugs and scheduled for timely repair.
At the same time, professional security personnel must follow up the process to ensure the problem is actually fixed and does not recur. For global risk warning it is best to connect with the community, because a small team cannot track the latest global security risk developments on its own.
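The two mechanics described in this section, fanning one global alert out to every affected business unit and making sure a ticket cannot be closed before the regression test passes, are small enough to show end to end. The block below is an added example, not the talk's or WooYun's workflow code; the host-to-business-unit inventory, the fingerprint tags and the alert text are constructed, and a real platform would push the tickets into the product lifecycle tool over its API rather than keeping them in memory.

```python
"""Security event handling: outbreak fan-out plus a ticket lifecycle that
cannot be closed without a passed regression test.

Added example; the asset/owner inventory and the alert are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed inventory: host -> (business unit, application fingerprints).
INVENTORY = {
    "shop.example.com": ("retail", {"struts2", "tomcat"}),
    "blog.example.com": ("marketing", {"examplecms"}),
    "api.example.com": ("retail", {"struts2"}),
    "hr.example.com": ("it-ops", {"tomcat"}),
}

# The handling process from the talk, in order.
STATES = ("discovered", "notified", "fixing", "regression", "closed")


@dataclass
class Ticket:
    host: str
    business_unit: str
    issue: str
    state: str = "discovered"
    history: List[str] = field(default_factory=list)
    regression_passed: bool = False

    def advance(self, to: str) -> None:
        """Move exactly one step forward; closing is gated on regression."""
        if STATES.index(to) != STATES.index(self.state) + 1:
            raise ValueError(f"{self.state} -> {to} is not a valid transition")
        if to == "closed" and not self.regression_passed:
            raise ValueError("cannot close without a passed regression test")
        self.history.append(f"{self.state}->{to}")
        self.state = to

    def record_regression(self, passed: bool) -> None:
        """Security staff record the regression result; a failed test sends
        the ticket back to the business unit instead of closing it."""
        if self.state != "regression":
            raise ValueError("no regression test is pending")
        self.regression_passed = passed
        if not passed:
            self.history.append("regression->fixing (failed)")
            self.state = "fixing"


def outbreak_tickets(vulnerable_fingerprint: str, issue: str) -> List[Ticket]:
    """Fan one global alert out into one ticket per affected host."""
    return [Ticket(host, unit, issue)
            for host, (unit, fps) in INVENTORY.items()
            if vulnerable_fingerprint in fps]


def notify(tickets: List[Ticket]) -> Dict[str, List[str]]:
    """Group tickets by business unit so each unit gets a single notification."""
    by_unit: Dict[str, List[str]] = {}
    for t in tickets:
        t.advance("notified")
        by_unit.setdefault(t.business_unit, []).append(t.host)
    return by_unit


if __name__ == "__main__":
    # Constructed alert text; a real alert would carry the advisory reference.
    tickets = outbreak_tickets("struts2", "Struts2 remote code execution outbreak (constructed)")
    for unit, hosts in notify(tickets).items():
        print(f"notify {unit}: {', '.join(hosts)}")
```

Because the fan-out is driven by the fingerprint inventory, the time between "the advisory is out" and "every owner knows" collapses to one lookup, which is the repair-time advantage the talk describes; the state machine encodes the follow-up rule that an improper fix goes back to the business unit rather than silently closing.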
Ongoing risk management
Because the business iterates continuously, the business system must be monitored periodically to ensure it keeps avoiding risks during the iterative update process.
This avoids new security risks introduced by iterative updates and avoids the rollback of security issues that have already been fixed. On the other hand, trend analysis of the continuous risk monitoring results can help us find the main security problems of the enterprise over a period of time and provide effective guidance and suggestions for the next stage of security construction.
To carry out continuous risk management effectively, on the one hand periodic detection needs to be configurable so that it adapts to the enterprise's update frequency; on the other hand, manually triggered ad-hoc detection is also needed to cover unexpected application releases.
Risk management should also support regular report export and custom export strategies, so that risk management requirements can be met more efficiently.
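Two of the outcomes this section asks for, catching a fixed issue that has rolled back and seeing which categories dominate over a period, both fall out of diffing consecutive scan snapshots. The following is an added example, not code from the talk or from WooYun; the three snapshots are constructed to include one finding that is fixed in the second run and reappears in the third, and the finding key and strategy names are assumptions about how the platform's scan results would be identified.

```python
"""Continuous risk management: diff periodic scan snapshots to separate new,
fixed and regressed findings, and summarize the per-category trend.

Added example; the snapshots are constructed. A finding is identified by
(host, strategy, detail) and its category is the strategy name.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

FindingKey = Tuple[str, str, str]

# Constructed snapshots from three consecutive periodic scans, oldest first.
SNAPSHOTS: List[Set[FindingKey]] = [
    {("blog.example.com", "exposed-vcs-metadata", "/.git/HEAD"),
     ("cache.example.com", "unauthenticated-service", "port 6379")},
    {("cache.example.com", "unauthenticated-service", "port 6379"),
     ("api.example.com", "sql-injection", "/search?q=")},
    {("blog.example.com", "exposed-vcs-metadata", "/.git/HEAD"),  # rolled back
     ("api.example.com", "sql-injection", "/search?q=")},
]


@dataclass
class Delta:
    new: Set[FindingKey]        # never seen before this scan
    fixed: Set[FindingKey]      # present last scan, gone now
    regressed: Set[FindingKey]  # fixed in an earlier scan, back again


def diff(previous: Set[FindingKey], current: Set[FindingKey],
         ever_fixed: Set[FindingKey]) -> Delta:
    """Compare two consecutive snapshots; `ever_fixed` carries history so a
    reappearing finding is reported as a regression, not as a fresh one."""
    appeared = current - previous
    fixed = previous - current
    regressed = appeared & ever_fixed
    return Delta(appeared - regressed, fixed, regressed)


def analyze(snapshots: List[Set[FindingKey]]):
    """Return (per-scan deltas, per-scan category counts for trend charts)."""
    deltas: List[Delta] = []
    ever_fixed: Set[FindingKey] = set()
    for prev, cur in zip(snapshots, snapshots[1:]):
        d = diff(prev, cur, ever_fixed)
        ever_fixed |= d.fixed
        deltas.append(d)
    trend = [Counter(key[1] for key in snap) for snap in snapshots]
    return deltas, trend


def summary(snapshots: List[Set[FindingKey]]) -> Dict[str, object]:
    """Flat numbers for a periodic report export."""
    deltas, trend = analyze(snapshots)
    totals: Counter = Counter()
    for c in trend:
        totals.update(c)
    return {
        "scans": len(snapshots),
        "open_now": len(snapshots[-1]) if snapshots else 0,
        "fixed_total": sum(len(d.fixed) for d in deltas),
        "regressed_total": sum(len(d.regressed) for d in deltas),
        "top_category": totals.most_common(1)[0][0] if totals else None,
    }


if __name__ == "__main__":
    for i, d in enumerate(analyze(SNAPSHOTS)[0], start=1):
        print(f"scan {i}->{i + 1}: new={len(d.new)} fixed={len(d.fixed)} "
              f"regressed={sorted(d.regressed)}")
    print(summary(SNAPSHOTS))
```

Regressions are worth reporting separately from new findings because they point at a release-process defect (a fix that lived only on a server and was overwritten by the next deploy) rather than at a new vulnerability, and that is exactly the kind of guidance the talk expects trend analysis to produce for the next stage of security construction.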
The above is all the content of this share.