foreword
Security has long been one of the most overlooked key points for businesses. Before the security problem occurs, the sense of existence is low; however, after the occurrence, the loss is irreversible.
In order to provide you with relevant experience and reference, " Soundnet Developer Entrepreneurship Lecture • Phase 4丨How can the entrepreneurial team ensure the safety and compliance of product business? " The event specially invited Ma Yinlong, Director of Youzu Network Information Center, to give a lecture on "Common Information". Security Risks and Countermeasures”.
Ma Yinlong is the person in charge of network informatization and information security of Youzu. He has 12 years of experience in information security management and construction. He has led the construction of the in-depth protection system of Youzu network information security. speech.
01 The core of enterprise security is continuous service and no data loss
1. Encryption ransomware
When it comes to information security, you may think of DDoS, data loss, etc. In fact, the core of security in an enterprise is two sentences. This is what the vice president of a bank in charge of science and technology used to say, that is, "continuous service, no data leave".
For example, in the blackmail we are talking about now, 1 may mean that the service is down, and 2 may mean that the data is gone, so use these two sentences to cover various events, and you will find that the problem to be solved in all things is the service. Constant and data is not lost, we call it availability and confidentiality.
Why is crypto-ransomware so frequent? I do n't think the vast majority of startups have the value of being targeted by a professional hacker group and lurking and attacking for a long time. However, the cost of extortion is very low and the reproducibility is very strong, so the logic of casting a wide net and catching more fish can be adopted.
In the first half of the year, I received inquiries from two friends, asking what to do if I was extorted. After learning about the situation, I found that the attacker's methods were very traditional and simple. There are many ways to spread ransomware. For example, EternalBlue broke out in 2017, and there are still many ransomware exploiting this vulnerability.
Most companies have no control over service opening and administrator privileges when they start-up. This situation will lead to a large number of services being affected if a machine fails, because many ransomware are exploited through loopholes. network for automated dissemination.
1) Attack surface of ransomware
In fact, the most common places where ransomware enters are pirated and cracked software. I think that as long as the paid software has cracked versions, cracked patches, registration machines, etc., there are nine out of ten problems. Although users have exchanged free usage rights, there is no free lunch in the world, so there may be some security hidden in it. Hidden dangers will lead to encryption extortion, mining and other problems.
In fact, the logic of encryption extortion and mining is the same. They both provide the content required by the user, enter their computer to obtain the corresponding permissions, and then do the follow-up processing. Among them, mining is more common, but the damage is relatively low, and it is easy to find, because it involves the communication of network traffic, which can be found through some bypass traffic detection methods.
The harm of extortion is relatively high. In addition to the personal PC we mentioned earlier, its transmission channels also include the leakage of operation and maintenance platforms or batch passwords, and the cloud assistant Access Key. For example, management tools such as pagodas that everyone may use for operation and maintenance management, if these management tools are built directly according to the initial configuration method, or their own versions are relatively low, there may be loopholes. If these vulnerabilities are exposed on the public Internet, they will be targeted by automated attacks.
I would also like to mention here that the vast majority of startups do not actually face very advanced attacks. Hackers often do batch processing through scanning.
2) Response to ransomware
• Data backup and regular recovery testing
The most effective way to deal with extortion is data backup. However, in many cases, we only focus on backup, but in order to close the logic loop, it is best to do a recovery test to ensure that the data is available after the backup. There are many ways to backup, such as overall virtual machine backup, image or database backup, file backup, etc. The choice is based on what the focus is.
In addition, the access control of the backup machine should be done well. For example, the data of a main server is encrypted. If the access control logic of the backup machine is the same as that of the main server, and the data is also encrypted, then the backup will not be very large. meaning. So if we want to prevent the risk of encryption and extortion in a way that minimizes the investment cost, we need to spend time setting up the entire backup system and tighten the access control.
• Terminal standardization and blocking of high-risk ports
The spread of ransomware often requires the use of loopholes or some basic network conditions, so we can also consider risk disposal from the perspective of terminal standardization and network port blocking. However, terminal standardization requires enterprises to have certain management capabilities, and there are standard security baselines on the Internet, such as whether Windows is patched in time, whether the system version of the server is the latest, and whether the terminals on the intranet are standardized. The ban of high-risk ports refers to whether high-risk ports such as 445, which are most commonly used for ransomware virus transmission, are useful. If they are useless, they must be blocked.
• Access Control Closure - Privilege Minimization
In large enterprises, this is actually a more fundamental solution, and it has certain management logic. But for many small businesses, it is actually very easy to minimize permissions. In the case of relatively few assets, you only need to remember one thing, that is, deny by default, and only open permissions if necessary, and only allow certain services. Basic access control policies like local access are fine.
• Last resort
Many of our business owner friends came to ask if there was a way to decrypt them after being recruited. In fact, there are some articles and websites on the Internet that you can refer to. If the key has been disclosed, it may be possible to unlock it, but the probability is extremely small. From the perspective of the algorithm logic of encryption itself, if you are blackmailed by encryption, you can still unlock it yourself, which challenges the theoretical basis of cryptography, so it is almost impossible for someone without a key to unlock it. So is there any remedy? In fact, there is a last resort, you may try it, it may not be 100% successful, try searching for keywords such as data recovery on the e-commerce trading platform.
2. Data leakage
The situation of data leakage security in the whole world is extremely serious. A person who uses the Internet frequently is equivalent to a half-streaking state in the eyes of hackers or social engineering libraries. If you are running a company that accumulates a lot of user information and data, under what circumstances might you be hacked?
1) The attack surface of a data breach
• Web penetration attacks
At present, the most common cause of data leakage is Web penetration attacks. For example, to open a website, this website may be a Web service built with Spring, or it may be a framework written in PHP, or it may be built with a fast website building tool such as wordpress.
If we only pursue the availability of functions, there will often be many security loopholes. On the one hand, these security loopholes may be inherent in the framework, and some of them are due to the lack of developers' own level or security level experience, resulting in imperfect processing logic. For example, a series of logics around account management such as registration, login, password retrieval, and password reset, if there are omissions in this series of logic, it may lead to information leakage. Hackers may obtain this information through blasting and credential stuffing. .
• Internet Unauthorized
If some entrepreneurs are doing basic data services, they may include common technical components such as Redis, Zookeeper, and Kafka. If the network configuration we just mentioned is used, should the cloud server port be open for Internet access or local access? If it is directly opened to the public network without any authentication and authorization protection, only the initial settings will be scanned by the entire network, resulting in data leakage, and may also encounter problems such as mining or extortion.
• Intranet penetration
This is often encountered by some large enterprises, such as phishing, cracking software, watering holes and other attack methods.
Among them, fishing is compared. In the Russian-Ukrainian war, a large number of fishing methods were used to infiltrate infrastructure. A watering hole means that there is often a community in a certain industry. When there is a need for tools, hackers will send some things you may want very much in these communities. For example, a certain development tool of an app is very easy to use, but this The tools are paid. At this time, the hacker will make a backdoor and put it in a certain forum. After you obtain it, you will become a target group of precise positioning.
• Mail system
It is recommended that you use a commercial email system on the cloud instead of building it locally, because there may be some security settings problems when building an email system locally. If the settings are improper, there may be security risks. Attackers actually have a very mature way of playing around the self-built email system. If the self-built email system is targeted, the resistance will be relatively strong.
Among the above-mentioned attack methods, Web penetration attack and Internet non-authorization are particularly important for Pass or SaaS service companies. What we often see is that if some SaaS services are put directly on the public network, it is actually very easy to capture them through Web vulnerabilities, and the tools used are basically all automated.
2) Data leakage protection measures
The protection method of data leakage is actually a huge topic. Many large companies have special positions and even special teams for data security. But for entrepreneurial or start-up companies, the following points are of concern.
• Web vulnerabilities
You may ask, how do you judge whether the tool to use is appropriate? Let me give you a suggestion. If you use a certain development framework, you can search for the framework version and vulnerability keywords on GitHub, Google or Baidu. If it is a more serious vulnerability, you can usually find it, but the latest version is relatively Said the security would be better.
• Access control
For access control, we need to deny by default, not to put all of them on the Internet for arbitrary access, but to selectively open them for continuous maintenance.
• Encryption protection
When the information needs to be encrypted and protected, it is better to write the encryption algorithm and the seed of the key, etc. into the code, because they are relatively protected by binary compilation. Then store the encrypted information in the server or database, so that even if the data is lost, it is not actually visible.
• Endpoint Protection
There will be some dirty backdoors in the cracked version of pirated software. If a small company or individual developer installs 360 or other antivirus software, it will have a very good protection effect, at least to ensure that very popular viruses, backdoors, and Trojans can be killed. of.
• other
In addition, when we, as Party B, are negotiating cooperation with a relatively large Party A, they may question your data security assurance capabilities, so how do you appear to have a certain awareness and understanding of data security? There are two key points, the first is the dynamic flow and static distribution of sensitive data to detect sensitive data, its storage location, and its overall flow. If we are very clear about these, it means that we are very sure of the control of the data, and the other party will have more confidence in your cognition.
Secondly, when we do data protection in some relatively large enterprises, we must ensure a logic, that is , "can't get in, can't touch, can't understand, can't take it, can't run away" . "Can't get in" is the protection of borders and access control; "Can't touch" is to do access control at the application layer, in fact, the first two points are for access control; "Can't understand" is the encryption we just talked about; "Don't go" is the control of authority; "Can't run away" involves complete confrontation and traceability.
So, how can "hands-on" avoid data security risks? In fact, many people will ask such a question - can all the problems be solved directly through a product? My answer is no . I've covered common risks and how to address them today, but they're not something that one product can address.
3. Other network attacks such as DDoS
■Figure 2
For other network attacks such as DDoS, as shown in Figure 2, you may know that such attacks as DDoS and CC are to stop the service through flow accumulation or frequent packet sending. Because many small start-up products are monolithic applications, there is no load balancing and monitoring, and no peak access control is involved, which means that if we are targeted, we may be attacked by DDoS.
The logic of the CC attack is that the normal API interface will receive input. If the processing logic for receiving the input is very complex, it will consume the computing resources of the backend or cause waiting for connections. In this case, if the input is continuously provided, but the input contains a very large amount of computational work, it will bring down the machine on the server side.
Phishing emails have been mentioned before, so I won't repeat them here.
The third is BadUSB. Our common USBs are U disks, but there is a consensus in the security industry that as long as you can physically access a computer, you can basically get the permissions of the machine. My U disk is obviously protected by anti-virus control, why is there such a risk?
Here we see the BadUSB on the left in Figure 2, it looks like a U disk, but in fact it may just be a programmable logic circuit, because our USB interface can not only recognize the U disk, but also recognize the mouse, Keyboard, etc. Now imagine that after this U disk is inserted, it is recognized as a keyboard by the computer. It can completely download the backdoor software and compile and execute it without your knowledge through keyboard operation. So if you find a USB flash drive on the road, don't use it.
In fact, whether it is BadUSB or phishing emails, it is actually through some input things that you can use inside the enterprise environment. In the past, there was a very useful tool Navicat on the Mac. It was a database query management tool. At that time, a free version provided by an Apple application website was poisoned, and the scope of influence was very large. As you can imagine, a large amount of database information is stored in database management tools, and the impact on the enterprise caused by the backdoor dragging all this information away is conceivable.
1) How to implement security protection through standardization
So what can we do to protect against these attacks? I think that the shortcomings of protection can be improved as much as possible through standardized construction, mainly including the standardization of server and client terminals.
• Server
The standardization of the server mainly includes network isolation, password key management, security product protection, etc.
First, network isolation is required in large enterprises. Because the Internet is a very complex environment, the computers in the office environment are actually very close to the Internet, which means that the office environment is often very unsafe. The security level will be improved if the effective isolation between the production environment and the office environment is done.
Secondly, be sure to protect the password and the keys we often use, especially for those who do operation and maintenance development, please believe that all the methods of setting passwords that you are familiar with must be in the common password library. For example, your SSH password is set to 8 or ten digits, but it is a very simple combination. When you are exposed to the public network, you will definitely receive a lot of root to connect your IP address, often using a password dictionary. Keep trying, and you can go and see if this is the case on your own server.
• Terminal
On the terminal side, it also includes network isolation, password protection, antivirus software, and data backup. If there are some important things that must not be lost or must not be encrypted, be sure to make backups. Now all kinds of clouds are actually very convenient, and service companies that provide public storage clouds are often good.
To summarize the attack chain, as shown in Figure 3, getshell means that you can control your computer and make profits, such as mining, stealing data, and destroying. The first few major actions are mainly reconnaissance methods and external attacks. In fact, for entrepreneurial enterprises, it is mainly external attacks such as scanning, and internal attacks may be less. This is followed by a series of automated operations, which ultimately lead to data theft or destruction.
■Figure 3
02 Security protection based on risk assessment and ROI
1. The security protection strategy will eventually move towards zero trust
1) The evolution path of online security
• Security baseline
How to choose a safe product? In the beginning, technicians will study security baselines, such as DNS servers, springboards, and firewall policies for network isolation, which we call security baselines. In addition, the patch must be played in time, and the security of using the latest version of the framework and services will be much better. Because more than 99% of attacks on the network are batch scans for known vulnerabilities, if you are using the latest version, even if there is no protection at the perimeter, it is not a big problem unless you write your own code for SQL injection Or the vulnerability of remote command execution, which directly brings the user request parameters into the execution without input parameter filtering.
• Border security
If you start to spend money on security equipment, in addition to companies that need to be compliant, the first product you usually buy is WAF, which is the web border protection we just mentioned. If your own application is not well written, any parameter in it can be executed, then WAF can take out the traffic in the post request of the web, and confirm whether the parameter has the characteristics of attack, because it is often some scanners, if The features of this scanner and its input parameters are hit, and WAF can do interception and protection. So often when I see a small-scale enterprise start to do security, basically there is a WAF first, and a firewall basically has a firewall on the network side.
• Server security
When the confrontation starts after gradually deepening, the host intrusion detection system will be added. You can look at some open source tools. These tools are relatively cumbersome and their ability to confront is relatively weak, but for most small Not bad for business.
• Special security
But when the company grows to a few thousand people and the data is very important, some commercial products can be considered, and larger companies will have special security services. My personal suggestion is that if you don't have a long-term accumulation of technology, you must rely on commercial products instead of developing them yourself. Talent in this area is scarce and unstable.
• Secure Big Data
In the later stage of security construction, to achieve a complete traceability closed loop, we must rely on security big data.
2) Evolution path of office environment security
For the office environment, it is still necessary to sort out the common problems from the security baseline. In general, when building security in an office environment, it starts with antivirus software, followed by network access, sensitive data leakage prevention, and finally zero-trust office. Zero trust is more popular now. After Google put forward the concept of Beyond Corp, China is doing it in this direction, because our network boundaries are constantly being broken, so this has gradually become a necessity, that is, when we cannot trust the boundaries of the office environment , and with many internal services to be put on the Internet, Zero Trust Office may eventually become a trend of choice for us. However, there are also many pits in zero trust office, so everyone should be a little cautious.
2. From semi-personal security department to security team building
The selection of security personnel and the construction of security team are shown in Figure 4.
■Figure 4
1) Half-person security department
The semi-personal security department is the safety of the operation, maintenance and development of security personnel. In many small enterprises, the security of the most basic online environment is also managed by the operation and maintenance. At the same time, the security of the office environment may be managed by IT, and some Some are in charge of a technician regardless of the environment. So what do they need to do? If the person has relatively strong development ability and rich knowledge of operation and maintenance, since the technical concentration of start-up enterprises is usually sufficient, it is only necessary to read a few overview security books and build basic products and security baselines. Just get up. Many small and medium-sized enterprises I have seen have adequate staffing, but the security is very poor. The reason is that no one pays attention to this issue. If the firewall policies and security baselines we just talked about are done well, many problems are actually will not happen. Then just be prepared, don't worry about it. Why not worry about it? In fact, it is still the same sentence, that is, what many small businesses are facing is only a batch scanning type of danger, and the degree of attack and confrontation is not very intense. If it is just scanning, in fact, it can be dealt with by making basic settings on the boundary, and more importantly, the baseline .
2) One person's security department
When we have a personal security department, we require security personnel to understand web security, because the biggest risk you face is caused by web application penetration. In addition, it is necessary to master the knowledge of operation and maintenance. The reason is that these problems often need to be dealt with by colleagues of development and operation and maintenance. If you understand operation and maintenance, you will know how to temporarily alleviate the problem quickly, and if you understand development, you can know how to fix it. Vulnerability. Simply put, the default deny is added to the whitelist. If the blacklist method is used, the blacklist will continue to increase, there will be many rules, and there will be many ways to bypass. In addition, if the security personnel have two to three years of experience in large factories and may have undergone relatively many tests, their cost performance is often the highest. The next step is to report to the operation and maintenance line. The reason is that in many companies, the security development will become a relatively high-level department in the later stage, and the operation and maintenance level will even be half-level higher than the operation and maintenance department, but this will There is a kind of confrontation and conflict, so if there is only one person at the beginning, it is most comfortable to report to the operation and maintenance. The operation and maintenance must ensure stability and security at the same time. Finally, there is the need for management support.
3) 3-5 people security team
The hardest thing for a one-person security department to do is constructive work that requires cross-team collaboration. I always think that a person's security department can do a lot of things, but it can't do anything major, because a person's security department has a lower reporting level and less resources to use, so when we have to do some constructive work It means that the security department of one person may have to be upgraded to a small team. This team may include three people, one for offense and one for defense, and one responsible for compliance. In fact, many companies are compliance-driven. It is best for the team leader to be a technical background, have management awareness, and the department level should be improved, so that more resources can be driven at a higher level to achieve the upgrade of the entire team management.
03 Summary
To summarize today's content, the biggest risk is extortion, so make a backup of your data. There are two entrances, Internet service and terminal. Internet service includes network entrance tightening, service framework version upgrade, password protection; terminal includes antivirus, password protection is good, do not use cracked software.
About "Soundnet Developer Entrepreneurship Lecture Hall"
Now is an era where everyone can start a business, and for technical people, it is an era of entrepreneurial friendliness. If you understand technology, it will be easier than others to put your entrepreneurial ideas and dreams into practice.
But entrepreneurship means going from 0 to 1, it means continuous creation and innovation, and it means that entrepreneurs and teams need continuous growth and breakthroughs. Only in this way can we create valuable products that meet market demand, gradually form the advantages and barriers of the enterprise, and grow into a mature enterprise.
Shengwang pays attention to developers with innovation ability, development ability and entrepreneurial intention, and hopes to provide developers with corresponding support and services . To this end, we have launched a series of entrepreneurial sharing of "Soundnet Developer Entrepreneurship Lectures" in order to provide more help for everyone on the road of growth and entrepreneurship.
**粗体** _斜体_ [链接](http://example.com) `代码` - 列表 > 引用。你还可以使用@来通知其他用户。