Guidelines for the Network Security Construction of SMEs
Theory
As the training site said, enterprise network security is a system: covering every aspect of the network is a major project, and even a single branch of it takes a long time to build up. So in the early stage solve the main contradiction first, that is, "stop the bleeding" by taking control of the key positions that carry most of the risk. Based on the past experience of several of us, we recommend taking control of the following key positions; they give the most effect for the least effort and show results immediately:
1) Port control. Close every non-service port on every server to the Internet; management ports may only be reached through an internal bastion (jump) host; and strictly enforce IP (or account) whitelisting on the ports that must be Internet-facing (for the web tier it is safer to add a further layer of secondary authentication by SMS or WeChat, or an OTP or U2F second factor). Done properly, this blocks the low-skill hacking and worm attacks that come in from the Internet, such as the MongoDB and ElasticSearch ransomware wave that has recently been rampant;
2) Isolation by zone. Isolate the ordinary zone from the high-risk zone at the network level, or put a DMZ between the two as a buffer. For example, isolate the office environment, whose security situation is complicated, from the production environment, and within production separate the core machines from the ordinary machines. Then if a hacker breaks into an ordinary zone we still have a chance to keep the important assets from being lost;
3) Unified framework. With reference to Microsoft's SDL (Security Development Lifecycle), use one unified R&D and operations framework (this part needs the cooperation of R&D management and operations) and put security checks on the framework's critical paths. If a vulnerability turns up, only the framework needs to be fixed rather than patching every application separately, so the problem is solved once and for all;
4) Guard the exit. Control the business release process: embed a security audit in the pre-launch release flow as a mandatory step, with the power to veto a release over high-risk vulnerabilities;
5) Security interface. In each business team pick a colleague to act as the security interface person, responsible for liaison between the business team and the security team and for helping to push security work forward;
6) Support from the top. This is the decisive factor; not much more needs to be said.
As long as the points above are met without compromise, basically more than 90% of known problems are solved, meaning the attacker's entry points are reduced by hardening to a known and controlled range (for the detailed reasoning refer to this article). But bear in mind that these measures only ease direct external attack; many risks still exist inside the network, so we cannot sit back and relax. If a hacker finds a single breakthrough into the internal network, they can still roam freely.
Once the broad surface is under control, the next step is fine-grained work at individual points, that is, building a defense-in-depth system. This needs considerable resources, depending on how much the enterprise itself demands of information security. Google recently published the Google Infrastructure Security Design Overview, describing the security design ideas and practices of Google's infrastructure. It layers defenses from the hardware up to the application layer; this is defense in depth taken close to its limit for business security, and it is also my model for learning (we will analyze Google's infrastructure security in depth in other articles).
【Tools】
As the saying goes, "a craftsman who wants to do good work must first sharpen his tools": tools save manpower and improve efficiency. Fortunately the Internet is open and many good security tools are free or even open source. Below is a collection of commonly used free security tools and online services, which we hope will be helpful. Some of them are a few years old, but old does not mean obsolete.
[Scanning probe]
Nmap (https://nmap.org/) is much more than a port scanner: it can detect and fingerprint a wide range of networked devices, which is especially useful in today's IoT environments, and combined with its NSE scripts it can do vulnerability scanning. During incident response it is a convenient and efficient way to assess the scope of a vulnerability.
Masscan (https://github.com/robertdavidgraham/masscan) is similar to Nmap but focused on port scanning. Its feature set is not as rich as Nmap's, but it is far faster and bills itself as the "fastest Internet port scanner".
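The port-control rule in point 1 of the Theory section is only as good as the check that proves it holds, and Nmap's grepable output (-oG) is the easiest thing to check against. The block below is an added example, not code from the original article or from the Nmap project: it parses an nmap -oG report taken from outside the perimeter and flags every open port that is not on the public allow-list, grading management and data ports as critical. The allow-list, the management-port table and the sample report are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Added example (not from the original article): audit an nmap grepable
# report (nmap -p- -oG scan.gnmap <targets>, run from OUTSIDE the perimeter)
# against the "port control" rule: only service ports may answer from the
# Internet, and management/data ports must not. The allow-list and the
# management-port table are assumptions chosen for the demonstration.

PUBLIC_ALLOWED = {80, 443}
MANAGEMENT_PORTS = {
    22: "ssh", 3389: "rdp", 5900: "vnc", 3306: "mysql", 5432: "postgresql",
    6379: "redis", 9200: "elasticsearch", 27017: "mongodb", 11211: "memcached",
}

@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    severity: str   # "critical" for management/data ports, "warning" otherwise

def parse_grepable(text: str) -> Iterator[Tuple[str, int, str, str]]:
    """Yield (host, port, state, service) from nmap -oG output. Fields are
    tab-separated; each port entry reads port/state/proto/owner/service/rpc/version/."""
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comment lines ("# Nmap ...")
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:
            continue                      # "Status: Up" line, no port data
        for entry in ports_field[len("Ports:"):].split(","):
            parts = entry.strip().split("/")
            if len(parts) < 5:
                continue
            yield host, int(parts[0]), parts[1], parts[4]

def audit(text: str) -> List[Finding]:
    """Every open port that is not on the public allow-list is a finding."""
    findings = []
    for host, port, state, service in parse_grepable(text):
        if state != "open" or port in PUBLIC_ALLOWED:
            continue
        severity = "critical" if port in MANAGEMENT_PORTS else "warning"
        findings.append(Finding(host, port, MANAGEMENT_PORTS.get(port, service), severity))
    return findings

# Constructed sample in nmap -oG format (not a real scan; RFC 5737 test addresses).
SAMPLE_SCAN = """# Nmap 7.80 scan initiated (constructed sample)
Host: 203.0.113.10 (web1.example.com)\tStatus: Up
Host: 203.0.113.10 (web1.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//nginx/, 443/open/tcp//ssl|https//nginx/, 8443/open/tcp//https-alt///\tIgnored State: closed (996)
Host: 203.0.113.11 (db1.example.com)\tPorts: 27017/open/tcp//mongodb//MongoDB 3.4/, 9200/open/tcp//http//Elasticsearch REST API/, 8080/closed/tcp//http-proxy///\tIgnored State: filtered (997)
# Nmap done (constructed sample)
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_SCAN):
        print(f"{f.severity.upper():8} {f.host}:{f.port} ({f.service}) exposed to the Internet")
```

Run the scan from a host outside your own network, not from inside it, otherwise internal firewall rules make the report meaningless. The two critical findings on db1 in the sample are exactly the MongoDB and ElasticSearch exposure that the ransomware wave mentioned above preyed on.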
[Brute force]
Hydra (https://www.thc.org/thc-hydra/), an online (network login) account brute-forcing tool that supports a very large number of protocols; a good tool for weak-password testing in an enterprise (of course, in my view none of those ports should be on the Internet in the first place, but there are always exceptions).
John the Ripper (http://www.openwall.com/john/), a free, open-source, cross-platform offline password cracker that supports many hash formats, such as MD5-based and DES-based crypt, and is often used to find weak login passwords from Unix/Linux password hashes.
[Web vulnerability detection]
AWVS, Acunetix Web Vulnerability Scanner (http://www.acunetix.com/vulnerability-scanner/), the well-known commercial web vulnerability scanner. It integrates scanning with exploitation tools, supports many types of web vulnerabilities plus historical vulnerability checks for some major web products, and is a comprehensive, strong scanner: the first choice. Tencent's self-developed web vulnerability scanner also takes it as one of its benchmark competitors.
AppScan (http://www-03.ibm.com/software/products/en/appscan-standard), IBM's web vulnerability scanner, on a par with AWVS and another benchmark competitor for Tencent's self-developed web vulnerability scanner.
BugScan (https://old.bugscan.net), a Python-based web vulnerability scanner from Clover Security. Its highlight is the community model: anyone can write plug-ins, so the plug-in set is comprehensive and up to date.
sqlmap (http://sqlmap.org/), an open-source SQL injection tool written in Python. It is very powerful and widely used in penetration tests for SQL injection; many vendors have built on it, adding a GUI, active and passive batch scanning and other functions. It also supports custom tamper scripts, often used to get past WAF filtering, which makes it very extensible.
Burp Suite (https://portswigger.net/burp/), the well-known web security testing tool. It proxies HTTP/HTTPS traffic so that requests can be analyzed and replayed, and combined with some security plug-ins it makes web vulnerabilities easy to discover.
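The sqlmap entry above mentions custom scripts for getting past WAF filtering; in sqlmap these are tamper scripts, modules that expose __priority__, dependencies() and tamper(payload, **kwargs). The block below is an added example, not code from the original article or from sqlmap's own tamper collection (sqlmap ships a similar built-in one called space2comment). It replaces every space outside string literals with an inline SQL comment, so a filter that keys on whitespace-separated keywords no longer matches. The PRIORITY fallback class is an assumption so the module also runs stand-alone outside sqlmap.

```python
# Added example (not from the original article nor from sqlmap's own tamper
# scripts): a tamper script in the form sqlmap loads from its tamper/
# directory. Each space outside a quoted literal becomes /**/, which most
# SQL dialects treat as whitespace. The PRIORITY fallback is an assumption
# that lets the module run stand-alone; inside sqlmap the real enum is used.
try:
    from lib.core.enums import PRIORITY   # present when loaded by sqlmap
except ImportError:                       # stand-alone fallback (assumption)
    class PRIORITY:
        NORMAL = 0

__priority__ = PRIORITY.NORMAL

def dependencies():
    pass

def tamper(payload, **kwargs):
    """1 AND 1=1 -> 1/**/AND/**/1=1, leaving quoted literals untouched."""
    if not payload:
        return payload
    out = []
    quote = None          # quote character of the literal we are inside, if any
    for ch in payload:
        if quote:
            out.append(ch)
            if ch == quote:           # closing quote (a doubled '' reopens cleanly)
                quote = None
        elif ch in ("'", '"'):
            quote = ch
            out.append(ch)
        elif ch == " ":
            out.append("/**/")
        else:
            out.append(ch)
    return "".join(out)

if __name__ == "__main__":
    print(tamper("1 AND 'a b'='a b'"))   # 1/**/AND/**/'a b'='a b'
```

To use it for real, copy the file into sqlmap's tamper/ directory and pass its module name with --tamper. The defensive lesson is the same one the WAF entries below imply: a signature that matches on literal spacing is trivial to evade, so a WAF needs to normalize comments and whitespace before it matches.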
JSky, an easy-to-use web application security testing tool produced by the domestic (Chinese) hacker zwell.
Safe3 Web Vul Scanner, another web vulnerability detection tool from the domestic hacker safe3.
WPScan (https://wpscan.org/), a vulnerability detection tool specifically for WordPress. WordPress is a PHP blog system, and there are vulnerability detection tools dedicated to it... In other words, unless there is a special reason, do not use third-party open-source web applications (I do not know whether the ASP forum software that was all the rage back then is still around).
RIPS (http://rips-scanner.sourceforge.net/), an open-source PHP code audit tool that detects common web vulnerabilities at the source-code level. The results still need manual confirmation because of some false positives, so it suits PHP developers with web security research experience.
[Web Firewall]
ModSecurity (http://www.modsecurity.org/), the open-source web application firewall, supports the Apache, Nginx and IIS web servers and is the first reference for studying and getting hands-on experience with a WAF.
Chuangyu Shield (https://www.yunaq.com/cyd/), Knownsec's online web protection service, works by switching the site's DNS to point at the cloud scrubbing service; the free edition is enough for small users as everyday attack protection.
Aliyun Shield (https://cn.aliyun.com/product/waf), the web application firewall provided by Alibaba Cloud; a paid service.
Tencent Cloud WAF (https://www.qcloud.com/document/product/296/2227), the web application firewall provided by Tencent Cloud, supports web vulnerability protection and virtual patching and can be purchased directly for a Tencent Cloud host.
[Client Security Detection]
Tencent Kingkong (http://service.security.tencent.com/kingkong), a free terminal (mobile app) security audit service from Tencent's Security Platform Department, grown out of the internally used Kingkong system; it was the earliest openly available Android app vulnerability detection system.
Ali Jaq Security (http://jaq.alibaba.com/), the online mobile app audit system developed by Alibaba, supports Android and iOS; a paid service.
360 Xianweijing (http://appscan.360.cn), the online Android app security risk scanning system from 360's Information Security Department; a free service.
AFL, American Fuzzy Lop (http://lcamtuf.coredump.cx/afl/), the famous open-source fuzzer written by Michał Zalewski (lcamtuf) at Google, is particularly good at fuzzing open-source projects and has found hundreds of serious vulnerabilities in major software. It instruments the target to discover execution paths automatically and uses that coverage feedback to drive the fuzzing; it counts as a star of the vulnerability discovery field.
(At present, automated testing tools for mobile clients are mainly used for automated security audits before release. Their results are not necessarily accurate and need manual review.)
[APP reinforcement]
Tencent Legu (http://legu.qcloud.com), Tencent Cloud's online app hardening service: by obfuscating and encrypting the app it effectively hinders reverse analysis and prevents piracy. It also provides real-time channel monitoring and a security SDK.
Tencent Yu Security (http://yaq.qq.com/), from the Tencent Mobile Manager team, mainly addresses application encryption, secure storage, secure signing, anti-debugging, anti-tampering and similar problems.
Ali Jaq Security (http://jaq.alibaba.com), besides app vulnerability detection, also provides application hardening and continuous monitoring.
360 Jiagu (http://jiagu.360.cn), 360's Android application hardening service, which also includes piracy detection, crash log analysis, data analysis and other services.
(At present, technically speaking, application hardening can only raise the difficulty of cracking an app; it cannot guarantee 100% security.)