Data Security Construction Practice Series for Financial Enterprises (2)

Posted by deaguero at 2020-03-30

Brother Jun has something to say

Besides landing on terminals, a large amount of enterprise data lands on back-end storage. Data security work there covers encryption of stored data, scanning for and discovery of sensitive files, and data destruction.

4.1 Encryption of stored data

Encryption of stored data is generally divided, by where the encryption happens, into application-layer encryption (for example in the database or the backup software), gateway-layer encryption (for example an encryption switch) and storage-system encryption.

Application-layer encryption is certainly the best solution for compatibility: the application itself performs the encryption, so the storage layer and the network layer are entirely unaware of it. In addition, application-layer encryption protects data end to end, so it has more practical value. Take databases as an example: Oracle, SQL Server and others support transparent data encryption in their higher versions, meaning the data stored on disk is encrypted and the encryption and decryption are done by the database itself. MySQL also introduced transparent data encryption in version 5.7. The user does not specify the encryption key when creating an encrypted table; data is encrypted when written and decrypted when read. At present, however, MySQL supports transparent data encryption only for the InnoDB storage engine, and there may be further improvements in the future.

Gateway-layer encryption uses an encrypting storage security switch connected between the storage device and the host. All data passes through it, so performance is a concern; in addition, enterprises that already have a storage switch must buy an additional encryption switch to obtain the encryption function.

Storage-system encryption relies on the encryption provided by the storage itself. It needs no encryption switch and does not affect host performance. Many enterprises back up to tape libraries, which generally support encryption as well.

4.2 Sensitive data scanning of stored data

Mainstream DLP products support sensitive data discovery. Besides local terminals, they can also scan files on remote storage: file shares, Lotus Notes databases, SQL databases, SharePoint Server, Exchange Server and so on. These are standard functions of DLP products, so they are not described further here.

4.3 Data destruction

There are two kinds of data destruction: data erasure, which is what we usually mean, and degaussing or shredding of the physical equipment.

Experienced readers know that files deleted with Shift+Delete can still be found on the disk. The following figure shows the actual result of a data recovery tool:

The principle is that deleting a file does not actually remove it from its storage location on disk; it only sets the flag for that location in the file allocation table to 0 (free). The deleted content is physically overwritten only when that location is later needed to store something new.

The safe way to delete is to use a professional tool. A free one is Eraser; looking at the various modes in its settings shows what "professional" means, including the standards established by the US Department of Defense. The following figure shows its settings interface:

If an important file has been deleted carelessly and you want to deal with it, one way is to recover it first and then delete it securely. Another is to fill the hard disk several times. Among disk-filling tools there is the free FillDisk, and the system also has its own cipher command, as shown in the following figure:

These tools work by writing data until the disk is full. Run them several times, then use a data recovery tool to test the effect.
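As an added example (not a tool from the original article), the following Python routine shows what an erasure tool does before it unlinks a file: it overwrites the file's own blocks several times, forces each pass to disk, renames the file so that the original name also leaves the directory metadata, and only then deletes it. The file contents are constructed sample data and the function names are the example's own.

```python
import os
import secrets
import tempfile

# Illustrative secure-deletion routine (added example, not from the article).
# It overwrites a file in place, syncs every pass, renames and unlinks it.
# Caveat: on SSDs and on copy-on-write or journaling file systems an in-place
# overwrite does not guarantee that the old blocks are destroyed.

CHUNK = 64 * 1024


def overwrite_file(path, passes=3):
    """Overwrite `path` in place `passes` times; return bytes written per pass.

    Every pass writes random bytes except the last, which writes zeros.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for p in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                data = bytes(n) if p == passes - 1 else secrets.token_bytes(n)
                fh.write(data)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push this pass through the OS cache to the device
    return size


def secure_delete(path, passes=3):
    """Overwrite, rename to a random name, unlink; return a small report."""
    written = overwrite_file(path, passes)
    directory = os.path.dirname(os.path.abspath(path))
    anonymous = os.path.join(directory, secrets.token_hex(8))
    os.replace(path, anonymous)  # the old file name is metadata worth wiping too
    os.unlink(anonymous)
    return {"bytes_per_pass": written, "passes": passes, "removed": not os.path.exists(path)}


def demo():
    """Create a constructed sample export, overwrite it, verify, then delete it."""
    work = tempfile.mkdtemp()
    path = os.path.join(work, "customer_export.csv")
    with open(path, "wb") as fh:
        fh.write(b"name,phone\nZhang San,13800000000\n" * 200)  # constructed data
    size = os.path.getsize(path)
    overwrite_file(path, passes=2)
    with open(path, "rb") as fh:
        zeroed = fh.read() == bytes(size)  # the last pass leaves only zeros
    report = secure_delete(path, passes=1)
    report["zeroed_before_unlink"] = zeroed
    os.rmdir(work)
    return report


if __name__ == "__main__":
    print(demo())
```

The caveat the article raises for SSDs applies to this routine as well: on flash media, copy-on-write or journaling file systems and cloud block storage, overwriting a file in place does not guarantee that the old blocks are gone, which is why erasure tools are paired with degaussing or chip shredding when media are decommissioned.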

For disposing of magnetic disks, professional degaussing equipment is required. The data centers of large financial institutions are generally equipped with it, but further details are omitted here. SSDs are not made of magnetic media, so a degausser cannot be used on them; the usual method is to crush the chips, and there are corresponding devices on the market.

Enterprises run all kinds of application systems, and data security workers usually need to consider several dimensions: data collection or entry, storage, internal access or API calls, front-end display and so on. Data desensitization, which concerns front-end display, is described later. It is suggested that data consumption be provided in the form of API services: manage the interfaces centrally, provide final results rather than raw data wherever possible, avoid outputting and using raw sensitive data, and so reduce the diffusion radius of raw sensitive data. Besides the controls at the business-system level, we also need to pay attention to database security, control of the data extraction process and data security on the big data platform, which are described below.

5.1 Database security

Databases hold all kinds of data, so they are often the focus of attacks. Besides the traditional "dragging" of a database through web vulnerabilities, there are internal administrators dumping it directly from behind and business staff exporting in bulk through the system. To cover as many attack scenarios as possible, an enterprise generally needs the following measures:

Use a database proxy to protect the database from attack. A database firewall, for example, can block attacks directly at the database protocol level, and an ordinary proxy can also provide IP filtering, SQL command filtering and auditing, blocking illegal sources or SQL statements;

Encapsulate the database behind a unified operations platform for DBAs and developers, so that administrators cannot touch the database server directly; this is achieved through account management, privilege control and operation auditing;

Database auditing, implemented through network traffic capture or an agent plug-in, to find intrusions or illegal operations;

Security hardening of the server hosting the database and of the database software itself. This is in fact basic work: if the database has an unauthorized-access vulnerability, or the server can even be taken over by a remote overflow, the previous work may be in vain.

There are many commercial products for database security, such as Imperva and domestic vendors, and many open-source products to choose from, such as McAfee's MySQL audit plug-in, Digital Company's MySQL sniffer and Meituan's DBProxy. For their specific use, please refer to the database security content in the book "Introduction to Enterprise Security Construction: Building Enterprise Network Security Based on Open Source Software".
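To make the proxy and audit items above concrete, here is an added example in Python of the kind of policy check a database proxy or database firewall applies to each statement before forwarding it, together with the audit record it logs. It is illustrative code, not from any product mentioned: the source ranges, table names and rules are constructed, and a real deployment would parse SQL properly instead of matching regular expressions.

```python
import ipaddress
import json
import re
from datetime import datetime, timezone

# Added example of a statement-level policy in front of a database.
# Allowed sources and sensitive tables are constructed for the illustration.
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.10.20.0/24"),  # application servers (constructed)
    ipaddress.ip_network("10.10.30.5/32"),  # operations platform (constructed)
]

# Statements no application or operator account should send straight to production.
BLOCKED = [
    (re.compile(r"^\s*(drop|truncate|alter)\s", re.I), "ddl"),
    (re.compile(r"^\s*(delete|update)\b(?!.*\bwhere\b)", re.I | re.S), "write without WHERE"),
    (re.compile(r"\binto\s+(outfile|dumpfile)\b", re.I), "file export"),
    (re.compile(r"\bload_file\s*\(", re.I), "file read"),
    (re.compile(r"\bfrom\s+mysql\.user\b", re.I), "credential table"),
]

# Reads of sensitive tables must be bounded by a WHERE clause or a LIMIT.
SENSITIVE_TABLES = {"customer", "card", "id_document"}
SELECT_FROM = re.compile(r"^\s*select\b.*?\bfrom\s+`?(\w+)`?", re.I | re.S)


def inspect(source_ip, user, sql):
    """Decide allow/block for one statement and return the audit record."""
    record = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "src": source_ip,
        "user": user,
        "sql": sql.strip()[:200],  # truncate so the audit log stays bounded
        "decision": "allow",
        "reason": "",
    }
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in net for net in ALLOWED_SOURCES):
        record.update(decision="block", reason="source not allowlisted")
        return record
    for pattern, label in BLOCKED:
        if pattern.search(sql):
            record.update(decision="block", reason=label)
            return record
    m = SELECT_FROM.search(sql)
    if m and m.group(1).lower() in SENSITIVE_TABLES and not re.search(r"\b(where|limit)\b", sql, re.I):
        record.update(decision="block", reason="unbounded read of sensitive table")
        return record
    return record


def audit_line(record):
    """Serialize one decision as a JSON line for the audit log."""
    return json.dumps(record, ensure_ascii=False)


if __name__ == "__main__":
    for src, usr, stmt in [
        ("10.10.20.7", "app", "SELECT name FROM customer WHERE id = 5"),
        ("10.10.20.7", "app", "SELECT * FROM customer"),
        ("10.10.30.5", "dba", "DELETE FROM card"),
        ("192.168.1.9", "app", "SELECT 1"),
    ]:
        print(audit_line(inspect(src, usr, stmt)))
```

Every decision, allowed or blocked, is written as one JSON line, so that both an intrusion through the application and a bulk export by an authorized account leave a trace for the audit item above.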

5.2 Data exchange platform

In theory the business system can be powerful enough to provide the data export function directly, and there is no need for independent data extraction. But sometimes the theory is just an ideal: what if the regulator or the public security authority asks for an export of raw data? Many enterprises separate the production network from the office network and sometimes need to move some data to the office network, so data exchange platform products appeared, from the early security isolation gateways to the exchange platform solutions of today. Rather than evaluate their strengths and weaknesses here, the author notes that some products have begun to integrate the ideas or technologies of the gateway, the network disk and DLP, securing the exchange process through authorization, approval, sensitivity detection, auditing and so on. The figure below is a schematic diagram of one company's data exchange platform:

In some cases large files must be provided to external organizations. E-mail usually has size limits, opening FTP access directly is not safe, and putting the files on an external service such as Baidu cloud disk raises worries about risk. How to break the deadlock? Some vendors, taking Baidu cloud disk as a reference, build their own cloud disk to provide external services for the enterprise, with external link sharing, extraction passwords, validity limits and other functions. Combined with the internal approval process and e-mail integration, this is also a viable option.

5.3 Big data security

More and more enterprises throw all kinds of logs onto a big data platform for analysis. Poor management and control there can lead to a large amount of data leakage. If the enterprise's security capability is not yet sufficient, it is recommended to place the platform in a closed environment for operational access, similar to the data warehouse protection scheme mentioned above. Internet enterprises are ahead in this field, and their ideas can be borrowed, including:

Provide various models on the big data platform so that business staff can analyze and visualize directly on the platform, reducing the need for data export as much as possible;

Build a big data risk control platform that desensitizes sensitive data on display or shows users only the final view;

If export for offline analysis is really needed, choose from the schemes discussed earlier, such as desktop virtualization to ensure data does not land on the terminal, or approval, watermarking and auditing for data that does land on the terminal.

The security of the big data platform itself, including identity authentication, access control and authorization. Hadoop and the other components of its ecosystem support user authentication with Kerberos. Both Hadoop and HBase support ACLs and also implement the RBAC (role-based access control) model. The more fine-grained ABAC (attribute-based access control) can also be implemented in newer versions of HBase in the form of access control labels and visibility labels.

6.1 Data desensitization

Baidu Encyclopedia defines data desensitization as transforming certain sensitive information through desensitization rules so as to reliably protect sensitive private data. Where customer security data or commercially sensitive data is involved, and without violating system rules, the real data is transformed before being provided for test use; personal information such as ID card numbers, mobile phone numbers, card numbers and customer numbers must all be desensitized.

Data desensitization is very widely applied; for example, the ID number printed on a train ticket has some of its digits replaced with asterisks. By desensitization rule, it can be divided into recoverable and non-recoverable desensitization. Recoverable desensitization means that data transformed by the desensitization rule can be restored to the original through some further processing. After non-recoverable desensitization, on the contrary, the data cannot be restored to its original form. The two can be regarded as reversible and irreversible encryption respectively.

In a heavily regulated industry, the customer information collected in the course of business, including ID card numbers, bank card numbers, mobile phone numbers, addresses and other personal information, must be strictly protected. Data desensitization is an essential link, especially where real production data may be used in development and testing. As the business grows more complex and the tables in the back-end databases grow in size and structure, manual sorting of sensitive information can no longer meet the increasingly complex needs, so commercial desensitization systems came into being; they basically use rules for the various kinds of sensitive information to scan automatically and find the sensitive fields.

In addition, desensitization must also be considered when a production system presents real data to customers; the same holds for internal systems. To avoid unnecessary information leakage, systems need basic transformation and control of front-end display and data export. Some pitfalls need attention here. For example, the data in the test environment has already been desensitized, so when testing a function testers often cannot tell whether the system's internal logic desensitizes at all. Once the code in question is released to production, the effect may differ from the test environment. Suppose customer information such as a mobile phone number appears directly on a page; given how widespread Internet communication is today, the reputational risk could be very large.
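The following added Python example illustrates the three points of this section together: the rule-based discovery of sensitive fields that a desensitization system performs, non-recoverable desensitization (partial masking with asterisks, and a keyed hash that keeps values joinable without being reversible) and recoverable desensitization. For the recoverable variant the example uses a token vault that remembers the mapping back to the original rather than reversible encryption; with format-preserving encryption the vault would be replaced by a key. It is not the code of any commercial product, and the detection rules, keys and sample records are constructed.

```python
import hashlib
import hmac
import re
import secrets

# Added example of desensitization rules and field discovery (constructed).

# Discovery rules. Order matters: an 18-digit ID number would also match the
# bank card rule, so the more specific patterns come first.
DETECTORS = [
    ("id_card", re.compile(r"^\d{17}[\dXx]$")),   # 18-character ID card number
    ("mobile", re.compile(r"^1\d{10}$")),         # 11-digit mobile number
    ("bank_card", re.compile(r"^\d{16,19}$")),
]


def detect_type(value):
    for name, pattern in DETECTORS:
        if pattern.match(value):
            return name
    return None


def classify_columns(rows, threshold=0.8):
    """Mark a column sensitive when at least `threshold` of its values match one rule."""
    labels = {}
    for col in rows[0]:
        hits = {}
        for row in rows:
            kind = detect_type(str(row[col]))
            if kind:
                hits[kind] = hits.get(kind, 0) + 1
        for kind, n in hits.items():
            if n / len(rows) >= threshold:
                labels[col] = kind
    return labels


# Non-recoverable desensitization: nothing below can be undone.
KEEP = {"id_card": (6, 4), "mobile": (3, 4), "bank_card": (4, 4)}


def mask(value, kind):
    """Keep the leading and trailing digits usually shown on tickets, star the rest."""
    head, tail = KEEP[kind]
    return value[:head] + "*" * (len(value) - head - tail) + value[-tail:]


def pseudonym(value, key):
    """Keyed hash: the same input always gives the same output (joins still work),
    but the original cannot be recovered from it."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


# Recoverable desensitization: the vault keeps the mapping back to the original.
class TokenVault:
    """Replaces a value with a random same-length digit string and remembers the pair."""

    def __init__(self):
        self._to_token = {}
        self._to_value = {}

    def tokenize(self, value):
        if value in self._to_token:
            return self._to_token[value]
        token = "".join(secrets.choice("0123456789") for _ in value)
        while token in self._to_value:  # avoid a collision inside the vault
            token = "".join(secrets.choice("0123456789") for _ in value)
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token):
        return self._to_value[token]


def desensitize(rows, recoverable=False, vault=None):
    """Discover sensitive columns, then mask them (or tokenize them via `vault`)."""
    labels = classify_columns(rows)
    out = []
    for row in rows:
        new = dict(row)
        for col, kind in labels.items():
            value = str(row[col])
            new[col] = vault.tokenize(value) if recoverable else mask(value, kind)
        out.append(new)
    return labels, out
```

The test-environment pitfall described above is visible here: a masked row still looks like a valid record, so a tester working only on desensitized data cannot tell whether the application's own display logic would mask a real production value.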

6.2 Watermarks and traceability

Watermarks are widely used in data security, mainly to prevent sensitive information from leaking through screenshots and photographs. By visibility, watermarks can be divided into visible watermarks and hidden watermarks. A visible watermark generally serves as a warning; for example, the watermark "internal data, please keep confidential" is usually added to internal documents of the enterprise, while a hidden watermark is designed more with tracing the source in mind. The two kinds are generally used together, and the effective combination of technical and administrative means in an enterprise often has a better deterrent effect.

By scenario, watermarks can be presented in various ways: screen watermarks, web page digital watermarks, image watermarks, document watermarks and so on. A screen watermark is usually drawn by a background agent, a web page watermark is generally implemented with web front-end techniques, and an image watermark is produced by marking a picture to generate another picture. A document watermark is embedded in the document itself and needs support from the document tool. Drawing on the author's experience, this article introduces three special watermark techniques for reference.

6.2.1 Enhanced web page digital watermark

A conventional web page digital watermark is basically a highly transparent picture carrying information such as the employee number, tiled over the whole screen with the background-image method. Anyone with a little knowledge can press F12, use the browser to find the corresponding element and delete it directly.

Is there a better way to prevent deletion? People think of JavaScript regenerating the DOM node when someone deletes it. Besides deletion, there are also ways of hiding, moving and tampering with DOM nodes, which also affect the watermark, so we have to continue.

What if the request to the watermark service is intercepted by a firewall or a browser plug-in? Add a connectivity check request to see whether the watermark service is reachable; if not, the page is disabled and normal content is not displayed.

If all of the above are solved, what if the attacker reads the JS code to find its decision logic and modifies the corresponding result in a browser proxy tool? At this point we need to protect the JS code, which is not ordinary compression and obfuscation but involves front-end code protection technology. The confrontation here is endless. Combined with existing protection technology, instrumenting the code with tracking points to record malicious behaviour is also a very good plan. After all, not many people in an enterprise really understand these things, and it is interesting to find the "experts" through these tracking points.

6.2.2 WPS font watermark

Official documents created with the WPS Document Traceability Special Edition client carry the basic information of the user's login identity (as well as the hardware device ID) as a hidden digital watermark distributed through the text layout of the document.

As can be seen from the figure above, the watermark function uses special fonts to draw the glyphs when a file is opened or printed, embedding the corresponding data watermark. The following is a schematic diagram of WPS steganography of user information:

This process does not change the original file; it only affects what WPS presents, cannot be recognized by the naked eye, and is basically imperceptible to the user. If, however, the user leaks the document by printing, copying, photographing and so on, the organization's manager need only obtain a copy of the document, or the relevant photos, to find the original leaker through the WPS document traceability analysis system, which facilitates accountability. The following figure is a schematic diagram of traceability extraction:

6.2.3 Vector watermark

The screen vector watermark is a new generation of watermark solution from Liansoft. It abandons the original "what you see is what you get" watermark and uses a "faint" mark to present the watermark, which is almost equivalent to an "invisible watermark". If there are screen photos or screenshots and a leak occurs, the leaker can be quickly identified through the vector watermark information on the leaked images.

The screen vector watermark is resistant to folding, has redundant backup and is resistant to moiré patterns, meaning that however the picture is compressed, optimized or folded, the audit of the watermark information and the location of the leak source are not affected. Entering the watermark information on the query page is enough to identify the leaker. If the leaked picture is incomplete, the system can still return the most accurate result possible.

Here is a screenshot showing the effect of the vector watermark:

You can see many lattice cells on it. The background of each cell represents a different character, as shown below:

Through a specific algorithm, only 4 to 6 connected cells need to be extracted to trace the source of the document leak.
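To show why a few connected cells can be enough, here is an added example in Python of a redundant tiling scheme. It illustrates the principle only and is not Liansoft's algorithm: the identifier, the grid size and the staggering rule are the example's own, and a cell here holds its character directly instead of the background pattern that encodes it on screen.

```python
from collections import Counter, defaultdict

# Added illustration of a lattice watermark (not Liansoft's algorithm).
# Each cell carries one character of a short identifier plus that character's
# position. Rows are staggered by half the identifier length, so any 2x3 crop
# of a 6-character identifier already covers every position once, and a larger
# crop carries several copies that can outvote damaged cells.


def render_grid(ident, rows, cols):
    """Tile `ident` over a rows x cols lattice; a cell is (position, character)."""
    n = len(ident)
    shift = n // 2
    return [[((c + r * shift) % n, ident[(c + r * shift) % n]) for c in range(cols)]
            for r in range(rows)]


def crop(grid, top, left, height, width):
    """Cut out the part of the lattice that survived in a photo or screenshot."""
    return [row[left:left + width] for row in grid[top:top + height]]


def damage(cells, coords, replacement="?"):
    """Simulate cells made unreadable by compression or folding (constructed noise)."""
    out = [list(row) for row in cells]
    for r, c in coords:
        pos, _ = out[r][c]
        out[r][c] = (pos, replacement)
    return out


def recover(cells, n):
    """Majority-vote the character seen for each position; None if a position is missing."""
    votes = defaultdict(Counter)
    for row in cells:
        for pos, ch in row:
            votes[pos][ch] += 1
    if len(votes) < n:
        return None
    return "".join(votes[p].most_common(1)[0][0] for p in range(n))


if __name__ == "__main__":
    grid = render_grid("U7K2Q9", rows=20, cols=30)
    print(recover(crop(grid, 7, 11, 2, 3), 6))  # a 6-cell fragment is enough
    print(recover(crop(grid, 3, 4, 1, 3), 6))   # 3 cells in one row are not
    torn = damage(crop(grid, 2, 5, 4, 6), [(0, 0), (1, 1), (2, 2)])
    print(recover(torn, 6))                      # redundancy outvotes the damage
```

The two properties the section names fall out of the layout: "redundant backup" is the repetition of every position across the grid, and tolerance of incomplete pictures comes from the staggering, which guarantees that every position appears in any window of the stated size.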

6.3 UEBA

In 2014 Gartner released a market definition for user behavior analysis (UBA). UBA technology targeted security (stealing data) and fraud (using the stolen information), helping organizations detect insider threats, targeted attacks and financial fraud. As data theft incidents multiplied, Gartner decided that this part should be separated from fraud detection technology, and in 2015 it was officially renamed user and entity behavior analysis (UEBA).

UEBA has been very popular recently. Some leading foreign UEBA vendors have been trying to overturn the existing market pattern on the strength of their detection capabilities, including Exabeam, Gurucul, Interset, Niara, Securonix and Splunk (which acquired Caspida in 2015). The starting point of these products is to solve the following problems:

Account compromise detection

Host compromise detection

Data leak detection

Insider abuse

Context for incident investigation

There is no doubt that these threats are the risks enterprises care about most. However, domestic companies and products are not yet mature enough, and many enterprises are trying to move from the traditional SIEM/SOC to a big data platform and then to UEBA, which deserves attention. The popularity of UEBA abroad is not without reason.

From the data security perspective, attention should be paid to abnormal access to business systems by internal users. For example, in the batch queries of the credit system reported last year, the case could have been found from account logins from unusual places at unusual times followed by batch downloads of data.
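As an added example in Python of the three signals just named (unusual login location, unusual login time and a batch download), the following code builds a small per-user baseline from constructed access logs and scores later events against it. The log format and every event are constructed for the illustration; real UEBA products derive statistical baselines rather than the fixed thresholds used here.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example: simple UEBA-style rules over constructed access logs.
# Constructed log format:
#   "<ISO time> user=<u> ip=<ip> city=<city> action=<login|query> [rows=<n>]"
LOG_RE = re.compile(r"^(\S+) user=(\S+) ip=(\S+) city=(\S+) action=(\S+)(?: rows=(\d+))?$")

BASELINE_LOG = """\
2020-03-02T09:12:41 user=li.hua ip=10.3.4.21 city=Guangzhou action=login
2020-03-02T09:13:02 user=li.hua ip=10.3.4.21 city=Guangzhou action=query rows=120
2020-03-03T14:05:10 user=li.hua ip=10.3.4.21 city=Guangzhou action=login
2020-03-03T14:06:00 user=li.hua ip=10.3.4.21 city=Guangzhou action=query rows=95
2020-03-02T10:30:00 user=wang.fang ip=10.3.7.8 city=Guangzhou action=login
2020-03-02T10:31:00 user=wang.fang ip=10.3.7.8 city=Guangzhou action=query rows=40
"""

RECENT_LOG = """\
2020-03-09T02:31:17 user=li.hua ip=198.51.100.23 city=Harbin action=login
2020-03-09T02:33:40 user=li.hua ip=198.51.100.23 city=Harbin action=query rows=80000
2020-03-09T11:02:00 user=wang.fang ip=10.3.7.8 city=Guangzhou action=login
2020-03-09T11:03:00 user=wang.fang ip=10.3.7.8 city=Guangzhou action=query rows=35
"""


def parse(text):
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skipped here, counted by a real pipeline
        ts, user, ip, city, action, rows = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
                       "city": city, "action": action, "rows": int(rows or 0)})
    return events


def build_baseline(events):
    """Per user: cities seen and the largest query size seen in the baseline window."""
    base = defaultdict(lambda: {"cities": set(), "max_rows": 0})
    for e in events:
        base[e["user"]]["cities"].add(e["city"])
        base[e["user"]]["max_rows"] = max(base[e["user"]]["max_rows"], e["rows"])
    return base


def detect(events, baseline, work_hours=(8, 20), bulk_factor=10, bulk_floor=1000):
    """Return one alert dict per rule that fires on an event."""
    alerts = []
    for e in events:
        b = baseline[e["user"]]  # an unknown user gets an empty baseline
        hour = e["ts"].hour
        if e["action"] == "login":
            if not (work_hours[0] <= hour < work_hours[1]):
                alerts.append({"user": e["user"], "ts": e["ts"], "reason": "off_hours"})
            if e["city"] not in b["cities"]:
                alerts.append({"user": e["user"], "ts": e["ts"], "reason": "new_location"})
        elif e["action"] == "query":
            if e["rows"] >= max(bulk_floor, bulk_factor * b["max_rows"]):
                alerts.append({"user": e["user"], "ts": e["ts"], "reason": "bulk_download"})
    return alerts


def risk_by_user(alerts):
    """Count fired rules per user; several weak signals on one account are the story."""
    score = defaultdict(int)
    for a in alerts:
        score[a["user"]] += 1
    return dict(score)


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    found = detect(parse(RECENT_LOG), baseline)
    for a in found:
        print(a["ts"].isoformat(), a["user"], a["reason"])
    print(risk_by_user(found))
```

Each rule on its own produces false positives (a business trip, a late shift); the value is in the per-account aggregation, which is what turns three mild anomalies on one account into the context for an investigation.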

6.4 CASB

With the spread of cloud and virtualization technology, more and more enterprises no longer have a data center in the traditional sense. Various business systems are migrated to the cloud: enterprise mailbox, enterprise network disk, CRM, ERP, OA, HR and other business systems are all hosted with cloud service providers. Large-scale, intensive computing resources have greatly improved office efficiency. In this situation storage resources become shared, and the enterprise loses security control of its applications and data. Against this background, Gartner proposed the concept of CASB in 2012 and defined a solution model for enterprises or users to control data security on the cloud in the new era of cloud computing. CASB products work in two modes: proxy mode and API mode.

In proxy mode, CASB processes all traffic the enterprise uploads to the cloud application; important data is encrypted before being uploaded to the cloud service provider. In API mode, enterprise data goes directly to the cloud service provider, and CASB uses the cloud application's API to access and control users and enforce the enterprise's security policy.

Owing to the particular nature of the financial industry, cloud business is still a controversial topic. The author suggests that we still need to pay attention to it: the trend of technology is unstoppable, and facing the challenge of Internet companies, traditional financial institutions are bound to accelerate their technological transformation in this area.

Recently a classmate told me that when a vendor came to present a PPT, he mentioned the Facebook leak at the beginning, but nowhere in the whole PPT did he see how they could have solved Facebook's problem; after some joking he expressed his understanding. Because there is no black technology in data security construction, we can only rely on whole-process management of enterprise data combined with technical means to avoid data leakage as far as possible. The wide physical distribution of office terminals sharply expands the radius of data management, and the diversity of terminals makes terminal data security management even harder. A future direction for data security management is to turn to centralized back-end management while focusing on sensitive data. The platforms on which data is concentrated include application systems and virtual desktops, but the precondition is to improve their data processing and sharing capability and to open up the data flow process in the back end. In the future, with the popularity of the cloud and possible deregulation, CASB is a good direction that deserves attention.

Thanks to those who discussed this topic with me:

Yu Ting, ZTE

Tang Qin, Guangfa Securities

Liao Weiming, Serial Payment

Qian Wenbin, Online


Note appended:

Nie Jun, an information security practitioner with more than ten years of experience in information security in the financial industry. Fond of reading without seeking exhaustive understanding; cheerful, likes football.

The articles on this subscription account share personal experience and reflections on work and life. Reading from different perspectives and positions will lead to deviations and different opinions; they do not seek uniform correctness, but truth, goodness and beauty.
