Think you are not an easy target? Think again. In the eyes of hackers, the vast majority of people are defenseless lambs. If you want to be safe, here are some secrets.
When we are asked to assess a company's computer security practices, we look at which parts of its overall practice are actually useful and which are just for show. One consultant who has worked in information security consulting for more than 20 years, analyzing 20 to 50 companies of all sizes every year, has drawn one conclusion from all that experience: a successful security strategy is not about tools, it is about the team.
Put the right people in the right places, give them supportive management and well-implemented protection processes, and whatever tools you use, your company will be very secure. Companies that understand the importance of computer security and make it a key part of the business do not just see where the attacks come from; they are also the companies least vulnerable to a catastrophic data breach. Every company believes it has this culture; few actually do.
Listed below are the common practices and strategies adopted by several companies with very high levels of protection. They can be regarded as the secrets to keeping an enterprise's most important assets safe.
1. Focus on the real threats
A wave of threats is coming at us that is truly unprecedented and historic. Malware, human adversaries, corporate hackers, hacktivists, governments (domestic and foreign alike), even insiders: these are all threats we face. Copper wire, energy waves, radio waves, even light are all channels hackers can use.
As a result, we have been taught thousands of "security instructions". Every year we are asked to apply hundreds of patches to operating systems, applications, hardware, firmware, computers, tablets, mobile devices and phones, yet we still get hacked, and our most important data still gets locked up by ransomware.
Smart companies realize that most security threats are just negligible noise. They understand that at any given time their real risk comes from a small number of fundamental threats, so they focus only on those. Take the time to identify the main threats to your company, prioritize them, then concentrate on the top of the list. It is that simple.
However, most companies do not do that. Instead, they thrash around in dozens or hundreds of security projects, ignoring the most serious gaps or chasing the slightest threats.
Think about it. Have you ever actually been compromised through SNMP (Simple Network Management Protocol), or through an unpatched server management interface card? Have you ever seen such a report in the real world? Then why should I put those two at the top of my audit report as the highest priority (one customer actually asked for this)? Meanwhile, your environment has been broken into through other, more common holes...
To successfully mitigate risk, you must find out which risks need attention now and which can wait until later.
2. Know what you have
Sometimes the least glamorous thing is the decisive weapon. In computer security, that means building an accurate inventory of assets: the company's systems, software, data and devices all have to be listed. Most companies have no idea what is running in their environment. How do you protect what you do not know about?
Ask yourself honestly: how much does your team know about all the programs and processes running on the company's computers? In a world where every extra program is another attack surface for hackers, are all of those programs and processes necessary for employees' work? How many copies of each program are in your environment? Which versions? How many business-critical processes form the foundation of the company? What are their dependencies?
The best companies strictly control which programs run and where. Without a comprehensive and accurate inventory of current IT assets, security is empty talk.
3. Remove, then protect
Unnecessary programs are unnecessary risks. The safest companies look at their IT asset inventory, get rid of what is unnecessary, then reduce the risk of the remaining assets.
I recently consulted for a company that had more than 80,000 unpatched Java installations spread across five versions. Their staff never knew there was so much Java: it was on domain controllers, servers, workstations, everywhere. Everyone knew that only one business-critical program needed Java, and that program only ran on a few dozen application servers.
Once they asked the staff, the scope of the Java installations was immediately narrowed down to a few hundred computers, the number of versions was reduced to three, and most of those were patched. The main work was the remaining few dozen that could not be patched. They contacted the vendors to find out why those Java versions could not be updated, changed some vendors, and set up compensating risk-mitigation measures for the Java installations that could not be patched.
4. Consider the difference between risk assessment and total workload
This applies not just to every piece of software and hardware but also to data. Clear out unnecessary data first, then secure what remains. Deliberate deletion is the most powerful data security policy. Make sure each new data collector defines how long their data needs to be kept. Give the data an expiration date. When the time comes, check with the owner whether it can be deleted. Then protect the rest.
5. Run the latest versions
The safest companies run the latest versions of both hardware and software. Yes, every large company has old hardware and old software, but the vast majority of its IT assets are current or recently updated.
This applies not just to hardware and operating systems but equally to applications and toolsets. The purchasing cost includes not only the purchase price and maintenance but also the funding for future upgrades. The owners of these assets are responsible for keeping them up to date.
You might think, "Why update just for the sake of updating?" But that is an outdated and insecure idea. The latest software and hardware have the latest security features built in, usually on by default. The biggest threat to the previous version is likely fixed in the current one, which makes the old version all the more attractive to hackers who want to exploit known vulnerabilities.
6. Patch fast
It is a cliché: all critical vulnerabilities should be patched within a week of the vendor releasing the patch. Yet most companies still have thousands of critical holes waiting to be filled. And they will tell you, "Our patching is under control."
If your company takes more than a week to patch, the risk of being broken into goes up, not only because your door is open but because your more secure competitors have locked theirs.
Logically, you should test a patch before deploying it, but testing is both hard and time-consuming. If you want to be really safe, it is better to deploy as soon as possible. If necessary, wait a few days to see whether any minor problems are reported. But after that short wait: patch, patch, patch.
Opponents may say that patching "too fast" causes operational problems. However, the companies most successful at security tell me that they do not see many problems with patches. Many of the safest companies say that in the company's history there has never been any downtime caused by a patch.
7. Train, train, train: important things are worth repeating three times
Training is extremely important. Unfortunately, most companies see user training as a good place to cut spending, or, even when they do train, the content is out of date, full of scenarios no longer in use or stuck on very rare attacks.
Good user training focuses on the threats the company is facing or is very likely to face. Training should be led by professionals or, even better, by colleagues within the company. One of the most effective anti-social-engineering sessions I have seen educated people by highlighting how several company employees had been tricked. By sharing the true story of their own gullibility, these colleagues taught other employees how to avoid becoming victims. Such examples also make other employees more willing to report their own potential mistakes.
Security teams also need up-to-date security training. Every member must be trained every year, whether by bringing trainers into the company or by sending people to external training or conferences. That means training not just on the products you have bought but on the latest threats and technologies.
8. Keep configurations consistent
The safest companies keep almost identical configurations on computers with the same function. Most hackers are more patient than smart. They just keep probing and probing until they find the one server among thousands that you forgot to fix.
In this situation, consistency is your friend. Do the same thing the same way every time. Make sure the same software is installed. Do not leave ten different ways to connect to a server. If an app or program is installed on one server, make sure the same version and configuration are installed on all similar servers. It is a good sign when the people who check your computers are bored.
Configuration consistency cannot be achieved without configuration baselines and strict change and configuration control. Administrators and users should be aware that no addition or reconfiguration is allowed without permission. But be careful not to let a once-a-month change committee wear your colleagues out; that will bring the business to a halt. Find the right fit between control and flexibility, but make sure that any change, once approved, is applied consistently to all machines of the same kind. There should be penalties for non-compliance.
Remember, we are talking about baselines, the bottom line, not a one-size-fits-all configuration. In fact, a dozen or two settings may deliver 99% of the value. Find out which configuration you really need, leave the rest alone, but be consistent.
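A baseline-drift check for machines of one role, as an added example that is not from the article. The role name, the handful of baseline settings and the three host snapshots are constructed; real input would be exported from the company's configuration-management tool.

```python
"""Check computers of one role against that role's small configuration baseline.

Added example (not from the article). BASELINES and HOSTS are constructed;
the baseline is deliberately short: the settings that matter, not a catch-all.
"""

BASELINES = {
    "web-server": {
        "remote_admin": ["ssh"],       # the one sanctioned way to connect
        "ssh_password_auth": "no",
        "tls_min_version": "1.2",
        "agent_version": "4.1",        # endpoint agent every web server must run
        "local_admins": ["svc-deploy"],
    },
}

# Constructed snapshots of three hosts that all claim the web-server role.
HOSTS = [
    {"host": "web01", "role": "web-server", "config": {
        "remote_admin": ["ssh"], "ssh_password_auth": "no", "tls_min_version": "1.2",
        "agent_version": "4.1", "local_admins": ["svc-deploy"]}},
    {"host": "web02", "role": "web-server", "config": {
        "remote_admin": ["ssh", "telnet", "vnc"], "ssh_password_auth": "yes", "tls_min_version": "1.2",
        "agent_version": "3.9", "local_admins": ["svc-deploy", "bob"]}},
    {"host": "web03", "role": "web-server", "config": {
        "remote_admin": ["ssh"], "ssh_password_auth": "no", "tls_min_version": "1.2",
        "local_admins": ["svc-deploy"]}},   # agent setting missing entirely
]


def drift(expected, actual):
    """Return [(setting, expected, actual)] for every setting that deviates.
    List-valued settings are compared as sets, so order is irrelevant but any
    extra entry (a second remote-admin path, an extra local admin) is drift.
    A setting absent from the host is reported with actual=None."""
    findings = []
    for key, want in expected.items():
        got = actual.get(key)
        if isinstance(want, list) and isinstance(got, list):
            same = set(want) == set(got)
        else:
            same = want == got
        if not same:
            findings.append((key, want, got))
    return findings


def audit(hosts, baselines=BASELINES):
    """Map host -> drift findings. A host whose role has no baseline is itself
    a finding: a role without a baseline cannot be kept consistent."""
    report = {}
    for rec in hosts:
        base = baselines.get(rec["role"])
        report[rec["host"]] = drift(base, rec["config"]) if base else [("role", rec["role"], None)]
    return report


def compliant(report):
    """Hosts with no findings, sorted."""
    return sorted(h for h, f in report.items() if not f)


if __name__ == "__main__":
    for host, findings in audit(HOSTS).items():
        print(host, "OK" if not findings else findings)
```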
9. Strictly practice least-privilege access control
"Least privilege" is the biggest security win. Yet you will be hard pressed to find a company that does it fully.
Least privilege means assigning only the minimum permissions needed to accomplish basic tasks, and only to the employees who need them. Most security domains and access control lists are full of overly open permissions and lack auditing. Access control lists grow to meaningless levels, and nobody wants to talk about it, because it has become part of the corporate culture.
Take Active Directory forest trusts as an example. Most companies have them, and they can be set to selective authentication or full (forest-wide) authentication. In the past 10 years I have audited (tens of thousands of) trusts, and they are almost always fully authenticated. When I suggest that all trusts use selective authentication, all I hear are complaints about how hard it is: "You have to touch every object and tell the system who can access it!" Exactly, that is the point. This is least privilege.
Access control, firewalls, trusts: the most secure companies deploy least privilege everywhere. They have automated processes that require resource owners to revalidate permissions regularly. The resource owner receives an email stating the name of the resource and who has what access rights, and is asked to confirm the current settings. If the owner fails to reply to the follow-up email, the resource is deleted or moved elsewhere, and the previous permissions and access control lists are cleared.
Every object in the environment (networks, virtual LANs (VLANs), virtual machines (VMs), computers, files, folders and so on) should be held to the same standard: least privilege under active audit.
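The owner-revalidation process just described, and the data expiry described in section 4 (give data an expiration date, ask the owner, then delete), share one mechanism: a review window, notices to the owner, and automatic clearing when nobody answers. This added example (not from the article) simulates that scheduler; the two items, their owners, the 90-day review window and the 14-day grace period are constructed assumptions.

```python
"""Owner attestation with automatic revocation, for access lists and for
data sets whose collector declared a retention period.

Added example (not from the article). ITEMS is constructed. Each item has an
owner, a review window in days (90 for an access list; the declared retention
for a data set), the last attestation date, and notice state.
"""
import copy
from datetime import date, timedelta

ITEMS = [
    {"id": "share:finance", "kind": "access", "owner": "a.chen", "window": 90,
     "acl": ["grp-finance", "j.doe"], "attested": date(2024, 1, 10)},
    {"id": "data:hr-survey-2023", "kind": "data", "owner": "m.ruiz", "window": 365,
     "acl": ["grp-hr"], "attested": date(2023, 3, 1)},
]
GRACE = 14  # days an owner has to answer each notice before escalation


def _prep(item):
    for k, v in (("notices", 0), ("last_notice", None), ("status", "active")):
        item.setdefault(k, v)
    return item


def review(item, today, grace=GRACE):
    """One pass of the scheduled job over one item: returns the action taken
    and updates the item the way the automated process would."""
    _prep(item)
    if item["status"] != "active":
        return "closed"
    if (today - item["attested"]).days < item["window"]:
        return "ok"
    if item["notices"] == 0:                        # first mail to the owner
        item["notices"], item["last_notice"] = 1, today
        return "notify"
    if (today - item["last_notice"]).days < grace:  # owner still has time
        return "waiting"
    if item["notices"] == 1:                        # one follow-up, then act
        item["notices"], item["last_notice"] = 2, today
        return "follow_up"
    item["acl"] = []                                # nobody answered: clear the ACL
    item["status"] = "quarantined" if item["kind"] == "access" else "deleted"
    return "revoked"


def owner_replies(item, today, keep):
    """Owner confirms the current settings (keep=True) or asks for removal."""
    _prep(item)
    if keep:
        item.update(attested=today, notices=0, last_notice=None)
    else:
        item.update(acl=[], status="deleted" if item["kind"] == "data" else "quarantined")


def run(items, start, days, step=7, replies=None):
    """Simulate the job every `step` days from ISO date `start`. `replies` maps
    (iso_date, item id) -> keep flag for owners who answer. Works on a copy and
    returns (action log, final items)."""
    items, replies, log = copy.deepcopy(items), replies or {}, []
    start = date.fromisoformat(start)
    for d in range(0, days + 1, step):
        today = start + timedelta(days=d)
        for item in items:
            if (today.isoformat(), item["id"]) in replies:
                owner_replies(item, today, replies[(today.isoformat(), item["id"])])
                log.append((today.isoformat(), item["id"], "owner_replied"))
            action = review(item, today)
            if action not in ("ok", "waiting", "closed"):
                log.append((today.isoformat(), item["id"], action))
    return log, items
```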
10. Get as close as possible to "zero admin"
To do their worst, the bad guys are always looking to take control of highly privileged administrator accounts. Once they have root, domain admin, or an enterprise admin account, it is game over. Most companies do a poor job of keeping highly privileged credentials under control. As a countermeasure, highly secure companies aim for a "zero admin" state by eliminating these accounts. After all, if your own administrator team does not use super accounts, or rarely uses them, then those accounts are not easy to steal, and accidental exposure is easier to detect and prevent.
Here, hygiene is the key. That means using as few permanent super-administrator accounts as possible: none, or as close to zero as possible. Permanent super-administrator accounts should be closely tracked, strictly audited, and limited to a small number of predefined areas. And there should be no general-purpose super accounts, especially not service accounts.
But what about when someone needs to use super credentials? Try delegation. That way the requester is given only the permissions necessary to access a specific object. In the real world, few administrators need full access to all objects. That is simply unreasonable, yet it is what most companies are doing right now. Instead, authorization should be granted to modify a single object, a single attribute, or at most a subset of objects.
Such "just enough" access should be combined with "just in time" access: temporary privilege elevation only for a predetermined period of time to perform a single task. Add location restrictions (for example: domain administrators may only appear on domain controllers) and you have very strong control.
Be careful: an attacker does not always need a full super-administrator account. For instance, on Windows, a single privilege, such as the debug privilege (Debug) or the backup privilege (Backup), is enough for an experienced attacker to carry out a series of dangerous operations. Elevated privileges should be controlled as strictly as elevated accounts.
Delegation, that is, giving just enough authority in the right place at the right time, can also help you catch the bad guys, because they may not know about this strategy. If you see super accounts roaming the network, or super privileges being used in the wrong place, your security team can go after them and intercept them.
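The just-enough, just-in-time, location-bound model above, together with the check that turns out-of-policy use of high privilege into an alert, as an added example that is not from the article. The account names, grants, host names and the rule that domain-admin rights may only be used on dc01 and dc02 are constructed assumptions.

```python
"""Just-enough, just-in-time, location-bound elevation, plus the audit that
flags privileged activity no grant explains.

Added example (not from the article). GRANTS, EVENTS and LOCATION_POLICY are
constructed. A grant names one account, the objects it may touch, the rights
on them, a time window, and the hosts it may be used from.
"""
from datetime import datetime

# Standing policy: hosts on which a tier of privilege may ever be used.
LOCATION_POLICY = {"domain-admin": {"dc01", "dc02"}}

# Grants approved by the delegation workflow (constructed).
GRANTS = [
    {"account": "alice", "objects": {"OU=Sales,DC=corp"}, "rights": {"reset-password"},
     "start": datetime(2024, 5, 2, 9, 0), "end": datetime(2024, 5, 2, 11, 0),
     "hosts": {"admin-jump01"}},
    {"account": "bob", "objects": {"dc01"}, "rights": {"domain-admin"},
     "start": datetime(2024, 5, 2, 13, 0), "end": datetime(2024, 5, 2, 14, 0),
     "hosts": {"dc01"}},
]

# Privileged-activity records as a SIEM would present them (constructed).
EVENTS = [
    {"account": "alice", "right": "reset-password", "object": "OU=Sales,DC=corp",
     "host": "admin-jump01", "at": datetime(2024, 5, 2, 9, 30)},   # inside the grant
    {"account": "alice", "right": "reset-password", "object": "OU=Sales,DC=corp",
     "host": "admin-jump01", "at": datetime(2024, 5, 2, 11, 30)},  # grant has expired
    {"account": "bob", "right": "domain-admin", "object": "dc01",
     "host": "dc01", "at": datetime(2024, 5, 2, 13, 15)},          # inside the grant
    {"account": "bob", "right": "domain-admin", "object": "ws042",
     "host": "ws042", "at": datetime(2024, 5, 2, 13, 20)},         # DA used on a workstation
]


def authorize(grants, account, right, obj, host, at):
    """True only if an active grant covers this account, right, object, host
    and time. Anything not explicitly granted is denied."""
    for g in grants:
        if (g["account"] == account and right in g["rights"] and obj in g["objects"]
                and host in g["hosts"] and g["start"] <= at <= g["end"]):
            return True
    return False


def audit(grants, events, policy=LOCATION_POLICY):
    """Return (account, host, right, reasons) for every event that either has
    no active grant behind it or uses a privilege tier where policy never
    allows it. These are the 'super account in the wrong place' signals the
    security team should chase."""
    alerts = []
    for ev in events:
        reasons = []
        if not authorize(grants, ev["account"], ev["right"], ev["object"], ev["host"], ev["at"]):
            reasons.append("no-active-grant")
        allowed_hosts = policy.get(ev["right"])
        if allowed_hosts is not None and ev["host"] not in allowed_hosts:
            reasons.append("wrong-location")
        if reasons:
            alerts.append((ev["account"], ev["host"], ev["right"], reasons))
    return alerts


if __name__ == "__main__":
    for alert in audit(GRANTS, EVENTS):
        print("ALERT", alert)
```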
11. Develop role-based configurations
Least privilege applies to both people and computers, and every object in the environment should be configured according to its role. In an ideal world, access for a specific task would only be granted at the time of execution.
First, investigate the various tasks necessary for each application, aggregate common tasks into as few work roles as possible, then assign those roles to the user accounts that need them. In this way each user account and individual is assigned only the permissions necessary to perform the task.
Role-based access control (RBAC) should be applied to every computer, with every computer in the same role receiving the same security configuration. Applying RBAC to applications is very difficult without special software. With existing operating system tools it is fairly convenient to implement RBAC for the operating system and the network, but third-party RBAC management tools make it easier.
In the future, all access control will be RBAC, because RBAC embodies least privilege and zero admin. The safest companies have already done this wherever possible.
12. Isolate, isolate, isolate
Good security domain hygiene is another priority. A security domain is a (logically) isolated domain whose objects can be accessed by one or more security credentials. In theory, the same security credential cannot be used to access two security domains without prior agreement or a change to access control. A firewall is the simplest example of a security domain: users on one side cannot easily cross to the other, except via the protocols, ports and the like defined by predefined rules. Most websites are security domains, and so are most corporate networks, although they may, and should, contain multiple security domains.
Each security domain should have its own namespace, access controls, jurisdiction, roles and so on, and all of these should be valid only within that namespace. Determining how many security domains to set up is tricky. Least privilege should guide how security domains are drawn, but making every computer its own security domain is a management nightmare. The key is to ask yourself how much you can afford to lose if access control fails and gives an intruder full access to an area. If you do not want to be the victim of someone else's mistake, consider creating your own security domain.
If secure inter-domain communication is necessary (as in a forest trust environment), set minimum access rights between the domains. "Foreign" accounts should have little access to objects beyond a very small number of applications, and within those applications no access beyond the necessary role-based tasks. Everything else in the security domain should be inaccessible to them.
13. Practice smart monitoring and timely response
Most hacking activity is actually captured in event logs, but in truth someone only goes to look at those logs after the fact. The safest companies proactively monitor for specific anomalies, set alerts, and respond.
The last part is important. A good monitoring environment does not generate too many alerts. In most environments with event logging enabled, tens of thousands or even billions of records are generated every day. Not every event is an alert, but a poorly defined environment can generate thousands of potential alerts, so many that they become noise and end up ignored. Several major hacking incidents of the past few years involved ignored alerts. That is the hallmark of a poorly designed monitoring environment.
The safest companies create a comparison matrix of all log sources and alert objectives. They compare this matrix to their threat list and match every threat task that can be detected with the current logs or configuration. Then they adjust event logging to fill in the gaps as much as possible.
More importantly, whenever an alert is generated, they respond immediately. If I am told that a team monitors a particular threat (like password guessing), I will later try to trigger the alert to see whether anyone responds. Most of the time nobody responds. In a secure company an alert makes people jump out of their seats and ask what happened.
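A password-guessing detector of the kind the paragraph uses as its example, tuned so that one burst produces one alert rather than one alert per failed login, as an added example that is not from the article. The key=value log format, the sample lines, the threshold of 5 failures in 2 minutes and the 30-minute cooldown are constructed assumptions; adapt parse_line() to your own authentication log.

```python
"""Password-guessing detection over authentication log lines, with alert
suppression so a long burst is one incident rather than thousands of alerts.

Added example (not from the article). LOG is a constructed sample in a simple
key=value format; parse_line() is the part to adapt to a real log source.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG = """\
2024-05-02T08:00:01 auth=fail user=bob src=10.0.0.5
2024-05-02T08:00:03 auth=fail user=bob src=10.0.0.5
2024-05-02T08:00:04 auth=fail user=alice src=10.0.0.5
2024-05-02T08:00:06 auth=fail user=carol src=10.0.0.5
2024-05-02T08:00:07 auth=fail user=dave src=10.0.0.5
2024-05-02T08:00:09 auth=fail user=erin src=10.0.0.5
2024-05-02T08:00:10 auth=fail user=frank src=10.0.0.5
2024-05-02T08:05:00 auth=fail user=jane src=10.0.0.9
2024-05-02T08:20:00 auth=fail user=jane src=10.0.0.9
2024-05-02T08:20:30 auth=ok user=jane src=10.0.0.9
2024-05-02T09:00:00 auth=fail user=bob src=10.0.0.5
"""

LINE = re.compile(r"^(?P<ts>\S+) auth=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines, threshold=5, window_s=120, cooldown_s=1800):
    """Alert when one source produces >= threshold failures within window_s
    seconds. cooldown_s suppresses repeat alerts for the same source, so the
    sixth, seventh, ... failure of the same burst does not page anyone again.
    Returns (alerts, unparsed_line_count); unparsed lines are counted rather
    than silently dropped, because a broken parser looks exactly like quiet."""
    window, cooldown = timedelta(seconds=window_s), timedelta(seconds=cooldown_s)
    recent = defaultdict(deque)      # src -> timestamps of failures inside the window
    last_alert, alerts, unparsed = {}, [], 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        if ev["result"] != "fail":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            prev = last_alert.get(ev["src"])
            if prev is None or ev["ts"] - prev > cooldown:
                last_alert[ev["src"]] = ev["ts"]
                alerts.append({"src": ev["src"], "failures": len(q), "first": q[0], "last": ev["ts"]})
    return alerts, unparsed


if __name__ == "__main__":
    found, bad = detect(LOG.splitlines())
    print(f"{len(found)} alert(s), {bad} unparsed line(s)")
    for a in found:
        print("ALERT password guessing from", a["src"], a["failures"], "failures", a["first"], "->", a["last"])
```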
14. Practice ownership and accountability from the start
Every object and application should have an owner (or owner group) who controls its use and is responsible for its existence.
In a typical company, most objects have no owner. The IT team does not know who first requested a resource, let alone whether the resource is still needed. In fact, in most companies the number of groups created exceeds the number of active users. In other words, the IT team could assign each individual his or her own custom group and the company would still have fewer groups to manage than it has now.
Yet nobody knows whether a group should be removed. They are afraid to delete any group. After all, what if that group is needed for a key activity, and unintentionally deleting it breaks a function that some task depends on?
Another common example is when a company needs to reset every password in the environment after a breach. But you cannot do this at will, because some of the accounts are service accounts tied to applications, and to change the password you have to change both the application and the service account itself.
Then comes the question: nobody knows whether a given application is in use, whether it needs the service account, or whether the password can be changed, because the owner and responsibilities were never specified at the start, and there is nobody to ask. In the end the problematic application is left alone, because causing an interruption to key operations is far more likely to get you fired than letting a hacker roam the company's network.
15. Quick decision-making first
Most companies suffer from analysis paralysis. Uniformity, and the lack of accountability and ownership, make everyone afraid of change. But when the problem involves IT security, the ability to act quickly is key.
The safest companies strike a strong balance between control and quick decision-making, and make it part of the company culture. I have even seen carefully selected project managers put on long-term projects just to improve the project itself. These special project managers are given a certain amount of budget control, changes can be documented afterwards, and there is always room for mistakes.
For quick action, leaving room for mistakes is key. When it comes to security, I particularly agree with the attitude of "make the decision first, whatever happens; apologize later if necessary."
By contrast, in typical companies most problems are untouchable, and the problem the security consultant recommended fixing is still a problem the next year.
16. Have fun
Camaraderie cannot be ignored. The number of companies that think doing the right thing means sacrificing freedom and fun is huge, even shocking. To them, resentment from colleagues must be a sign that the security experts are doing their jobs. That is so wrong! When you have an efficient security team, you are not overwhelmed by the pressure of constantly rebuilding computers and servers, and you do not spend all day worrying about when you will be hacked again. Because you know the situation is under your control, you are calm.
That is not to say it is easy to work in the safest companies. But on the whole it is more fun than at any other company, and colleagues are friendlier.
17. Go ahead and do it
The common traits of highly secure companies may seem easy to understand, even clichéd in some ways, for example quick patching and secure configuration. But do not be too complacent about your knowledge of security practice. Between companies that successfully protect their important assets and companies that suffer data breaches, there are only two main differences: a focus on the right things, and a culture rooted in doing the right thing, not just talking about it. The secrets are listed here; whether you roll up your sleeves is up to you.