See the six moves to capture the illegal "Black Hands"

See the six moves to capture the illegal "Black Hands"

The so-called "maintenance proxy" means that enterprises outsource their IT systems to third parties for operations including system configuration, daily O & M, system management, and other management permissions. This frees enterprises from heavy it o & M efforts. However, this third-party O & M management brings more or less some risks to the enterprise. The following is a case study to describe the security risks caused by maintenance proxy violations.

A software supplier of a public security vehicle management system secretly deletes illegal traffic violation records by embedding malicious programs in the software system of the vehicle management office. The operator used the convenience of providing O & M technical support for the software system of the vehicle management office to avoid on-site supervision, input the deleted programs in advance, and then modify the network configuration of the Public Security Intranet server, avoid the Public Security Intranet alarm system and remotely intrude into the Public Security Network System from the Internet to illegally Delete more than tens of thousands of vehicle violation records. As of the time of the incident, the Public Security Department found that a total of more than 14000 records of illegal traffic violations were deleted, involving more than 1800 million yuan.

Six challenges faced by Dai Wei

Based on the description of the above case, we can see that daowei has indeed brought some security risks to users. Due to insufficient understanding of third-party enterprises and insufficient permission control over third-party employees, these problems that can be easily avoided cannot be solved. However, if you have the ability to audit and control risks for third-party O & M, you can avoid this embarrassment to a large extent.

First, we analyze the O & M risks faced by users, mainly including the following aspects: first, third-party personnel may use their positions to log on to the user's intranet and business systems at any time; second, the permission control is not rigorous, and the definition of who can access the system is vague. Third, the regulatory measures are not strict, O & M veterans familiar with user systems can clearly understand how to bypass supervision; 4. There are no good control measures for O & M personnel to upload and download files from the IT system; 5. Lack of more effective tracing capabilities; 6. Real-time alarms cannot be triggered for illegal operations by O & M personnel.

Next, let's take a look at how to conduct more standardized O & M management through O & M audit and risk control to effectively eliminate these security risks:

Standardized Management: provides centralized management, identity authentication, permission allocation, behavior control, and Operation Audit through O & M protocol proxy.

Six tricks: Catch the hacker behind the scenes

No. 1: "Identity confirmation" and recruitment "job-oriented"

Through centralized identity management, each O & M personnel is assigned a user ID, and each user ID is associated with each O & M personnel. O & M personnel must log on to the identity management platform before they can access the user's IT system.

No. 2: Permission Control"

Fine-grained permission control means are used to authorize the account of O & M personnel. Unauthorized O & M personnel cannot access the system and control the time range. For example, access is allowed during work hours, access is prohibited during off-duty hours.

No. 3: "Real-time Monitoring"

Through real-time monitoring of O & M operation sessions, when the O & M personnel access the system, the management personnel can monitor the operation process in real time through the management platform. Once a violation is detected, you can immediately disable the operation.

No. 4: "file record" and "Upload program"

By recording the original transmitted files, the O & M personnel can complete the records for uploading, downloading, and modifying the files. The management personnel can view the original content of the files.

No. 5: "Operation Audit" and "avoidance tracking"

With more detailed auditing techniques, we will not miss any information: start and end times, source IP addresses, source users, source MAC addresses, system IP addresses, system accounts, system MAC addresses, operating videos, Command records, file records, and so on; users can use this key information for post-event location tracking.

No. 6: "behavior alarm" and "illegal deletion"

Through real-time violation alarms, once the O & M personnel trigger behavior such as modifying network configurations and deleting system information, the real-time alarms will immediately notify the management personnel by email.

Summary

Of course, we do not mean that all third-party maintenance providers have such problems, but users still need to cultivate "internal strength" to be more confident. Anheng information security experts suggest that the majority of users should be hard at their own discretion. Enterprises should always think about strengthening their own security awareness, and keep the string of security in their minds, only security risks can be prevented. On the basis of improving security awareness, the risk of information leakage can be greatly reduced through O & M audit and risk control.