This chapter briefly introduces some basic concepts and principles of information security: the detection of vulnerabilities, the categories of security threats, the requirements of data security, and the defensive measures for data security.
1 Basic principles of information security (a rambling list of concepts)
As a computer security specialist, before learning the technical knowledge of the field, one must first understand the important principles of information security!!!
Computer security specialists must not only know the technical side of their jobs but also must understand the principles behind information security
1.1 Some principles (could not be bothered to think of a title)
- There is no such thing as absolute security. Given enough time, tools, skills, and inclination, a hacker can break through any security measure
- Three security goals – Confidentiality, Integrity and Availability
- Security Controls: Preventative, Detective, and Responsive
- Complexity is the enemy of security
- FUD does not work in selling security
- People, process and technology are all needed
- Open disclosure of vulnerabilities is good for security
- Core Imperative is to rely on principle-based analysis and decision making
1.2 Some more principles
- Defense in depth as strategy: security defense must be treated as a strategic matter
– Security implemented in overlapping layers that provide the three elements needed to secure assets: prevention, detection, and response
– The weaknesses of one security layer are offset by the strengths of two or more layers
- When left on their own, people tend to make the worst security decisions: without training and without policies, employees will always make the worst security choices
– Takes little to convince someone to give up their credentials in exchange for trivial or worthless goods
– Many people are easily convinced to double-click on the attachment
- Functional and Assurance requirements
– Functional requirements - Describe what a system should do
– Assurance requirements - Describe how functional requirements should be implemented and tested
1.3 Information security management is really a form of risk management
We cannot eliminate every threat; we can only minimize the losses that known threats would cause.
Security through obscurity is not an answer. Security = Risk Management
– Security is not concerned with eliminating all threats within a system or facility but with addressing known threats and minimizing losses
– Risk analysis and risk management are central themes to securing information systems
– Risk assessment and risk analysis are concerned with placing an economic value on assets to best determine appropriate countermeasures that protect them from losses
1.4 Steps of an information security analysis (this one is serious)
An information security analysis generally requires the following steps:
What does “secure” mean?
- Information assets: define the information assets
- Value of information: determine the value of the information
- Protecting valuables: choose the valuable information that needs protection
- Assessing risks: assess the risks
- Vulnerabilities and threats: identify the vulnerabilities and threats to the information
- Controls: select and apply controls to manage the security problems
1.5 Principle of Easiest Penetration
The principle of easiest penetration is a bit like the bucket effect (the shortest stave sets the water level): the security of an information system is determined by the link in the whole system that is easiest to break. So when improving an information system we must improve its security across the board, analysing its weakest point of attack and bringing it within an acceptable range. There is also another consideration, which sounds a little funny: do not make an information system look too impressive, because a particularly powerful system easily attracts the attention of hackers, like the information systems of the US Department of Defense or of Google. Few people can break into them, but honestly, fending off that many attackers every day is quite a hassle, hahaha.
“Perpetrators don’t have the values assumed by the technologists. They generally stick to the easiest, safest, simplest means to accomplishing their objectives.” [Donn Parker]
- A Chain is only as strong as its weakest link
- Analyse weakest points
- Consider a range of possible security breaches – strengthening one might make another more attractive to a perpetrator
2 Detecting vulnerabilities
There are two main definitions of a vulnerability, but both refer to a weak point of a system that a potential threat could attack. In information security, vulnerabilities are found everywhere in hardware, software and data.
2.1 Definition of a vulnerability
- a weakness of an asset or group of assets that can be exploited by one or more threats [ISO/IEC 13335-1:2004]
- A security vulnerability is a weakness in a product that could allow an attacker to compromise the integrity, availability, or confidentiality of that product. [Microsoft Security Response Centre - http://technet.microsoft.com/en-au/library/cc751383.aspx]
- Vulnerabilities exist in hardware, software and data
2.2 Detecting vulnerabilities
As said earlier, we cannot patch every vulnerability, but we can deal with many known security problems. In this part I list a few of the most valuable and most widely used vulnerability databases and tools. As a security engineer, you must use these databases when assessing the security of a system. Do not overrate yourself and assess a system's security off the top of your head or on experience and gut feeling alone: first, you are not the top expert in the field; second, you cannot remember that much; third, the consequences of a security flaw can be extremely serious. Yet the security engineers I have met keep making this mistake, and when something goes wrong they refuse to take responsibility. In fact, even for many mistakes made by operators, security engineers should bear part of the responsibility, because their planning and implementation did not consider the problem carefully.
2.2.1 CVE (Common Vulnerabilities and Exposures database)
http://cve.mitre.org/cve/
The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures. The National Cybersecurity FFRDC, operated by the MITRE Corporation, maintains the system, with funding from the National Cyber Security Division of the United States Department of Homeland Security.[1] The Security Content Automation Protocol uses CVE, and CVE IDs are listed on MITRE's system[2] as well as in the US National Vulnerability Database.
2.2.2 OSVDB (Open Source Vulnerability Database)
http://osvdb.org/
Open Sourced Vulnerability Database (OSVDB) was an independent and open-sourced database. The goal of the project was to provide accurate, detailed, current, and unbiased technical information on security vulnerabilities. The project promoted greater and more open collaboration between companies and individuals.
Its goal was to provide accurate, unbiased information about security vulnerabilities in computerized equipment. The core of OSVDB was a relational database which tied various information about security vulnerabilities into a common, cross-referenced open security data source. As of November 2013, the database cataloged over 100,000 vulnerabilities.
2.2.3 National Vulnerability Database
http://nvd.nist.gov/home.cfm
The U.S. government's vulnerability management database, effectively the baseline standard for the U.S. security industry.
NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics.
2.2.4 Vulnerability Review by Secunia Research
The annual Vulnerability Review by Secunia Research at Flexera Software analyzes the evolution of software security from a vulnerability perspective.
It presents global data on the prevalence of vulnerabilities and the availability of patches, to map the security threats to IT infrastructures, and also explores vulnerabilities in the 50 most popular applications on private PCs.
http://www.flexerasoftware.com/enterprise/resources/research/vulnerability-review/
2.2.5 SecurityFocus
2.2.6 IBM
http://www-01.ibm.com/support/docview.wss?uid=swg21975358
2.2.7 Microsoft
https://technet.microsoft.com/library/security/ms16-009
3 Vulnerabilities and Threats
A threat is a potential factor that can cause harm or loss.
This section mainly covers the categories of vulnerabilities and threats. There are six: Modification, Destruction, Disclosure, Interception, Interruption and Fabrication. When doing a vulnerability analysis, working through these six aspects gives a fairly complete and comprehensive view.
Definition of Threat
– a set of circumstances that has potential to cause loss or harm [Charles & Shari Pfleeger]
– a potential cause of an unwanted incident, which may result in harm to a system or organisation [ISO/IEC 13335-1:2004]
3.1 Modification
Data is modified without authorisation; modified software causes extra computation; modified hardware causes data to be modified; data can be modified both in storage and in transmission.
– Data is altered without authorisation
– Altered software may perform additional computations
– Changed hardware may modify data
– Data can be modified in store or in transmission
3.2 Destruction
Hardware is destroyed by the environment; software is destroyed by malicious action; data is destroyed by deletion, or as a result of hardware or software failure.
– Hardware, software, or data is destroyed
– Hardware may be destroyed by the environment
– Software may be destroyed by malicious intent
– Data may be destroyed by deletion, or failure of hardware/software
3.3 Disclosure
Mostly about data. The data is stolen and exposed, but the owner still has it.
– Mostly about data
– Make data available without due consent
– Data is stolen (but owner still has it)
– Impact on security and privacy
– Intentional or unintended
3.4 Interception (eavesdropping)
Unauthorised intrusion into computer resources, copying data, programs and so on.
– Unauthorised access to computer resources
– Copying of programs, data, or other confidential information
– An interceptor may use computing resources at one location to access assets elsewhere
3.5 Interruption
Interruption mainly means that legitimate users cannot access the system. Damaged hardware, a malfunctioning operating system or a congested network can all cause it. Its main manifestation is denial of service.
– Systems unavailable for legitimate use
– Damaged hardware
– Malfunctioned operating system
– Congested network
– Denial of service
3.6 Fabrication
Forged data is inserted into networks and databases. This also includes forgeries such as phishing sites.
– Spurious transactions are inserted into a network or records added to an existing database
– Counterfeited objects placed by unauthorised parties
– May be difficult to distinguish between genuine and forged one
– Phishing (fake websites)
5 Data Security Requirements
Data security requirements mainly consist of five points: Confidentiality, Integrity, Availability, Authentication and Non-repudiation.
5.1 Confidentiality
Data must not become known to unauthorised users or intruders; this is especially important in military systems.
– Protection of private data, either as it resides in the computer systems or during transmission
– Confidentiality of data has been compromised where inference can be drawn without disclosure
– The need-to-know principle may work well in a military environment, but in business the need-to-withhold principle is more appropriate
5.2 Integrity
Data may only be operated on and modified by legitimate users; this is especially important in commercial systems.
– An unimpaired condition, a state of completeness and wholeness and adherence to a code of values
– A simpler definition, data and programs are changed only in a specified and authorised manner
– All data is presented and accounted for, irrespective of it being accurate or correct
5.3 Availability
Legitimate users can obtain data and services whenever they need them.
– Data and service are accessible when and where needed by legitimate users
– Relate to aspects of reliability
– Denial of service is perhaps the best known example
– System designs are based on pattern of use
– Availability attacks are most difficult to detect
5.4 Authentication
Every operation on and read of data must record a definite source whose legitimacy can be verified. Timeliness is an important measure here.
– Assures that the message is from a source it claims to be from
– A third party cannot masquerade as one of the two parties
– Extrinsically correct and valid
– Timeliness is an important attribute
– Able to trace to its origin
5.5 Non-repudiation
Users cannot deny the operations (reads, modifications) they performed on data; this is extremely important in business and social cooperation. Think of Taobao's payment system.
– Non-repudiation is to prevent an individual or entity from denying having performed a particular action
– Business and society increase reliance on electronic communications and maintaining legality of electronic documents
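As an added illustration (not part of the original notes), the following Python script shows how a message authentication code meets the integrity and authentication requirements above, catches the modification and fabrication threats from section 3, and why it does not give non-repudiation: the receiver holds the same key as the sender, so it could have minted any valid tag itself. The key and the transfer messages are constructed sample values.

```python
import hmac
import hashlib
import secrets

# Constructed sample key; assumption: sender and receiver exchanged it securely.
SHARED_KEY = secrets.token_bytes(32)


def tag(key, message):
    """HMAC-SHA256 tag binding the message to whoever holds the key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key, message, received_tag):
    """Constant-time comparison so the check leaks nothing about the tag."""
    return hmac.compare_digest(tag(key, message), received_tag)


def check_messages(key, transcript):
    """Classify each (message, tag) pair as accepted or rejected."""
    return ["accepted" if verify(key, msg, t) else "rejected"
            for msg, t in transcript]


def demo(key=SHARED_KEY):
    genuine = b"transfer 100 to account 42"
    t = tag(key, genuine)

    # Modification (3.1): the amount is altered in transit; the old tag no longer matches.
    modified = (b"transfer 900 to account 42", t)
    # Fabrication (3.6): an outsider without the key injects a message with a guessed tag.
    fabricated = (b"transfer 500 to account 7", bytes(32))
    results = check_messages(key, [(genuine, t), modified, fabricated])

    # Non-repudiation gap (5.5): the receiver can produce a valid tag for a message
    # the sender never sent, so a MAC cannot prove to a third party who wrote it.
    receiver_forgery = b"transfer 1000 to account 99"
    receiver_can_forge = verify(key, receiver_forgery, tag(key, receiver_forgery))

    return {"results": results, "receiver_can_forge": receiver_can_forge}


if __name__ == "__main__":
    print(demo())
```

Proving authorship to a third party needs a key only the sender holds, which is what a digital signature provides and a shared-key MAC cannot.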
6 Methods of Defense for Data Security Requirements
Because threats exist at three levels, software, hardware and data, we also defend at each of these three levels.
6.1 Software Controls
Software controls include software development controls, operating system controls and program controls, but the ease of use of the software must be balanced against its level of security.
- Software development controls
– Conformance to standards and methodologies
– Good testing, coding, and maintenance
- Operating system controls
– Protecting individual users
– Establishing extensive checklists
- Program controls
– The above controls can be instituted at the input, processing, and output levels
- Balance between ease of use and level of security controls
6.2 Physical and hardware controls
Hardware controls include locking doors and using smart access cards to restrict who can interact with hardware devices.
– Locks and doors, guards at entry, general physical site planning
– Security devices such as firewalls, IDS/IPS, etc.
– Authentication hardware
– Smart card applications and circuit boards controlling access to disk drives
6.3 Data controls
Data controls rest on three main principles.
Three principles of data security
- The principle of easiest penetration
– Foundation for security
– Identifying and managing the weakest links in the security chain
- The principle of timeliness
– Delay in cracking a system (set a response time)
– Protecting data long enough (keep the data protected for long enough)
- The principle of effectiveness
– Balance between controls (balance cost against controls)
– Controls should not be a hindrance to the business (must not impede business development and cooperation)
References
- Gurpreet Dhillon, Principles of Information Security Systems: Texts and Cases, Chapter 2: Security of Technical Systems in Organisations