Talking about the service-oriented information security audit system (1)

"51cto.com comprehensive report" In recent years, IT system development quickly, enterprise's IT system dependence degree is also more and more high, in a network information system, we need to consider not only some traditional security issues, such as hackers, anti-virus, anti-spam, backdoor, prevent worms, but, With the improvement of information level, all kinds of business systems become more and more complex, and the protection of the business system becomes more and more important, and the security governance in non-traditional areas becomes more and more important. According to the latest statistics, 70% of the serious attacks to the enterprise are from internal personnel in the Organization, therefore, the information security governance of the business system becomes a difficult problem, and the audit emerges as the result. Why do I need a business-oriented information security audit? Business-oriented information security audit system, as the name suggests, is the user's business security audit, and the user's various application business has the close relation, is the information security audit system important constituent, it from the user's business security angle, thinks and analyzes the user's network business to exist the vulnerable point and the risk. Let's look at two fresh cases first. Not long ago, the Chinese youth Daily reported that a computer expert in Shanghai, one of the 25-Year-old, studied computer science, was a supermarket branch information group leader. Party to take advantage of the position, the design of illegal software programs, into the supermarket business system, that is, the supermarket cashier system database, through the revision of the supermarket cashier system Database data information, the supermarket sales record of 20% automatically deleted, and the income transferred to their own account. From June 2004 to August 2005, a party and other people interception of misappropriation of supermarkets 3 stores total sales of more than 3.97 million yuan. Cheng 31 years old, is X company Senior software Development Engineer, from February 2005, he by a operator system into the B-Operator's business system-Recharge Center database, to obtain the highest system privileges, according to the "recharge" card display 18-digit password to crack the corresponding 34-bit key, and then "recharge" Change the status to "not recharge" and modify its valid date to activate the already used recharge card. He put the value of 300 yuan in the recharge code to 281.5 to 285 yuan worth of money sold online, illegal profit of 3.8 million. Through the above two cases, we are not difficult to find, internal staff, including internal staff or provide third-party IT support maintenance personnel, they take advantage of the position, the violation of the security problems caused by increasingly frequent and prominent, these operations are closely related to the customer's business. Although firewalls, anti-virus, intrusion detection system, anti-virus, intranet security management and other conventional security products can solve most of the traditional network security problems, but for this kind of business-related operational behavior, violations of security problems, must have strong means to prevent and prevent, This is the value that the information security audit system for the business can bring to us. 1 2 3 next page >> view full-text navigation page 1th: Business-oriented Security Audits page 2nd: Understanding Information Security Audit 3rd page: Implementing Business-oriented security Audit original text: Talking about business-oriented information security audit system (1) Return to network security home