One person's practice of enterprise security construction

Posted by millikan at 2020-04-11


With the Cybersecurity Law in force, discussion of enterprise security construction has become lively, and security has gradually come into the field of view of middle and senior management at every company. However, because small and medium-sized enterprises invest little in security, many practices stop at the thinking stage and little of the material can actually be put into practice, so more and more people are looking for enterprise security construction schemes. Large companies have the advantages of a large company, and small companies have the convenience of a small one; used sensibly, either can achieve unexpected results. I am therefore sharing the practical work we have done and the security system we have built, in the hope of providing some reference, and I welcome suggestions for improvement. The company currently has more than 300 people, more than 20 business platforms and more than 1000 servers (talking about security without stating the enterprise background and business scenarios is meaningless; after talking with many enterprise security directors, every kind of strange scenario turns up). The overall approach and content of the security work is as follows:

1、Asset inventory

There is no doubt that asset inventory is the first link in all security work, but after discussing it with many friends it seems that the simplest-looking task is indeed the hardest to put into practice. I hope to lay out one approach for you, as shown in the figure:

1. Organisation chart: first, the company's organisation chart. You need a clear picture of each business platform and of the different teams (R&D, business, operations, network and other departments) and their responsible persons, which makes it easier to carry out and promote all kinds of security work later.
2. Topology map: second, the topology map. Here you need a certain understanding of the (cloud) machine room hosting the production environment, the (security) equipment, the division of network zones, the mapping table and the deployment mode, which helps later security testing and troubleshooting.
3. Business chart: third, becoming familiar with the business, which is also the hardest part. An enterprise may have several businesses, each spread across different machine rooms and servers. At first, each business division kept statistics in Excel: business line name, system name, domain name and URL, access method, person in charge and department, internal and external IP. When the company's CMDB was started, the information above was obtained and confirmed there, which was timely help indeed.

2、Laying the basic groundwork

Basic work such as periodic security testing, equipment operation and maintenance, weak password audits, external network port monitoring, classified protection (等保, MLPS) evaluation, and security policy approval and control is very important, and it pays to optimise and do this part well. While short of staff, aim first for a passing standard:

1. Policy control: overly loose control of things like firewall rules, account applications and port mappings easily leads to security incidents, while overly strict control affects business processes and can even offend a business department. A moderate solution is essential. Where there is a real risk, raise the risk and lock the policy down later, so that you do not end up as the scapegoat (passing the buck is an art).
2. Security testing: at present security testing is divided into pre-launch iterative security testing and periodic security testing. The periodic cycle is generally quarterly. Iterative security testing is best carried out by soft intervention: unless the project is special, it should affect the normal online business as little as possible, and security should not become a bottleneck.
3. Equipment operation and maintenance: have a general understanding of the existing security equipment and its deployment mode, policy configuration and certificate expiry dates, so that you can respond flexibly when problems and requests arise. At the initial stage it is advisable to write few but accurate rules and not to enable blocking for now; sending them out as alarms is fine. At the same time, pay attention to the impact that the various possible failures of the equipment can have on the production environment.
4. Account audit: weak passwords are a very simple and highly threatening security risk, and fixing them is very cost-effective, so weak passwords on key systems must be eliminated and this must be part of the basic work. After a first carpet-bombing pass, it is advisable to eliminate the weak-password risk at the system level, for example by controlling password initialisation and modification, so as to avoid excessive repeated audits later.
5. External network port monitoring: port monitoring has gone from manual nmap scanning, to self-written scripts with e-mail alarms, to scanning the ports of the test environment, production environment and office network with the Xunfeng (巡风, "wind patrol") system; three sets of Xunfeng have now been built because of environmental isolation.
6. Classified protection: since the Cybersecurity Law came into force, classified protection has become less of a formality. Although many technical and management links remain hard to implement, the now-compulsory classified protection helps promote the company's subsequent policies and report security work to leadership. It is worth studying the classified protection requirements carefully; they may be helpful.
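The "self-written script with e-mail alarm" stage of item 5 is essentially a diff between the currently exposed ports and an approved baseline. As an added example (my own code, not the author's script or the Xunfeng system), the block below parses two nmap greppable (`-oG`) reports, one saved as the approved baseline and one fresh, and reports every newly exposed host, newly opened port and baseline port that is no longer open, formatted as an alert e-mail body. Both reports are constructed samples using documentation addresses; in practice the text would come from `nmap -oG` output files for your own address range.

```python
import re

# Constructed sample output in nmap greppable (-oG) format for two scans of the
# same external range. The addresses are documentation addresses, not real hosts.
BASELINE_SCAN = """\
# Nmap scan of the approved external exposure (constructed sample)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (999)
"""

CURRENT_SCAN = """\
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 6379/open/tcp//redis///\tIgnored State: closed (997)
Host: 203.0.113.11 ()\tPorts: 8080/open/tcp//http-proxy///\tIgnored State: filtered (999)
Host: 203.0.113.12 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (999)
"""

# A -oG "Ports:" line: "Host: <ip> (<name>)<TAB>Ports: <entries><TAB>Ignored State: ..."
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*?)(?:\tIgnored State:.*)?$")


def parse_grepable(report):
    """Map each host to the set of (port, proto, service) entries reported as open."""
    exposure = {}
    for line in report.splitlines():
        match = HOST_LINE.match(line)
        if not match:
            continue  # comment line, "Status: Up" line or anything else
        host, port_list = match.groups()
        open_ports = exposure.setdefault(host, set())
        for entry in port_list.split(", "):
            # each entry is port/state/proto/owner/service/rpc/version/
            fields = entry.split("/")
            if len(fields) < 5:
                continue
            port, state, proto, _owner, service = fields[:5]
            if state == "open":
                open_ports.add((int(port), proto, service))
    return exposure


def diff_exposure(baseline, current):
    """Compare a fresh scan against the approved baseline.

    Returns (host, port, proto, service, reason) tuples ordered by host, covering
    newly exposed hosts, newly opened ports, and baseline ports no longer open
    (a service may have died or moved, which the owner should also know about).
    Approval is keyed on (port, proto) so a changed service banner is not noise.
    """
    findings = []
    for host in sorted(set(baseline) | set(current)):
        approved = {(p, proto) for p, proto, _ in baseline.get(host, set())}
        seen = {(p, proto) for p, proto, _ in current.get(host, set())}
        for port, proto, service in sorted(current.get(host, set())):
            if host not in baseline:
                findings.append((host, port, proto, service, "new host exposed"))
            elif (port, proto) not in approved:
                findings.append((host, port, proto, service, "new open port"))
        for port, proto, service in sorted(baseline.get(host, set())):
            if (port, proto) not in seen:
                findings.append((host, port, proto, service, "baseline port no longer open"))
    return findings


def format_alert(findings):
    """Render findings as an alert e-mail body; an empty string means nothing to send."""
    if not findings:
        return ""
    lines = ["External exposure changed since the approved baseline:"]
    for host, port, proto, service, reason in findings:
        lines.append(f"  {host:<15} {port:>5}/{proto} {service:<14} {reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    report = diff_exposure(parse_grepable(BASELINE_SCAN), parse_grepable(CURRENT_SCAN))
    print(format_alert(report))
```

Only the approved baseline needs to be reviewed by a person; once it is accepted, every run that produces a non-empty alert body is a change somebody has to explain, which is exactly the signal the e-mail alarm stage is meant to deliver.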

3、Prioritising and implementing key work

In the fire-fighting stage, security construction is as important as emergency response. With limited resources, fire fighting and construction work have to coexist; finding their intersection and using incidents to drive security work is a good practice. At present the work priorities are simply sorted and classified according to business characteristics (the disaster areas for security incidents, and the core business platforms):

1. Fire fighting in the disaster areas: although the business platforms in the disaster areas may not be the core, platforms that have problems constantly consume a great deal of time. At present the measures are to strengthen Internet border protection and the security baseline (OS, Tomcat, nginx), off-site data backup and so on, to guard against SSH brute force, unauthorised access to redis, ransomware and other attacks.
2. Security construction for the core business: for core businesses, periodic security testing and a secure go-live process are essential. The aim is to control the iteration speed and business risk of each core business, and then strengthen security training for that business's R&D and test staff, which also lays some foundation for SDL. If you want to try a "cut-down SDL", pick a project with a regular iteration cycle that is not especially frequent to try it on; finally, with whatever energy remains, strengthen log analysis for this part of the business. ELK has been set up for this.
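The two attacks named in item 1, SSH brute force and unauthorised redis access, are both decided by a handful of configuration directives, so a "security baseline" for them can be checked mechanically. As an added example (my own code, not the author's baseline tooling), the block below parses `sshd_config` and `redis.conf` text and reports the settings that leave a host open to those two attacks. The four configurations are constructed samples; the defaults assumed when a directive is absent follow current OpenSSH (`PermitRootLogin prohibit-password`, `PasswordAuthentication yes`, `MaxAuthTries 6`) and redis (`protected-mode yes`, no `bind` meaning all interfaces), and the redis password value is an obvious placeholder.

```python
# Constructed sample configurations: a weak and a hardened version of each file.
WEAK_SSHD = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
"""

HARDENED_SSHD = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
"""

WEAK_REDIS = """\
# listening on every interface, no password, protection switched off
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_REDIS = """\
bind 127.0.0.1
protected-mode yes
requirepass PLACEHOLDER-REPLACE-WITH-LONG-RANDOM-SECRET
port 6379
"""


def parse_directives(text):
    """Collect 'Key value' directives keyed by lowercase name, in file order.

    sshd_config and redis.conf share this shape; full-line '#' comments and blank
    lines are ignored. Every occurrence is kept so each checker can apply its own
    precedence rule (sshd honours the first occurrence, redis the last).
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        directives.setdefault(key, []).append(value)
    return directives


def check_sshd(text):
    """Findings for an sshd_config against the brute-force-resistance baseline."""
    d = parse_directives(text)

    def first(key, default):  # sshd: the first occurrence of a directive wins
        return d.get(key, [default])[0].lower()

    findings = []
    if first("permitrootlogin", "prohibit-password") == "yes":
        findings.append("sshd: PermitRootLogin yes lets root be brute-forced directly")
    if first("passwordauthentication", "yes") == "yes":
        findings.append("sshd: PasswordAuthentication yes; prefer key authentication")
    tries = first("maxauthtries", "6")
    if tries.isdigit() and int(tries) > 4:
        findings.append("sshd: MaxAuthTries above 4 gives each connection too many guesses")
    return findings


def check_redis(text):
    """Findings for a redis.conf against the unauthorised-access baseline."""
    d = parse_directives(text)

    def last(key, default):  # redis: the last occurrence of a directive wins
        return d.get(key, [default])[-1]

    findings = []
    bind = last("bind", "")  # an absent bind means every interface
    if not bind or "0.0.0.0" in bind.split() or "*" in bind.split():
        findings.append("redis: bound to all interfaces; bind to loopback or the internal NIC")
    if not last("requirepass", "").strip('"'):
        findings.append("redis: no requirepass; anyone who can reach the port has full access")
    if last("protected-mode", "yes").lower() == "no":
        findings.append("redis: protected-mode no removes the last safety net")
    return findings


def audit(sshd_text, redis_text):
    """Combined baseline report for one host; an empty list means the host passes."""
    return check_sshd(sshd_text) + check_redis(redis_text)


if __name__ == "__main__":
    for finding in audit(WEAK_SSHD, WEAK_REDIS):
        print(finding)
    print("hardened host findings:", audit(HARDENED_SSHD, HARDENED_REDIS))
```

Running a check like this over configuration files pulled from every server in the "disaster area" turns the baseline from a document into a list of hosts that still need work, which is also the list you hand back to the operations team.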

4、Establishing and promoting security policies

When should security policies be established, and how should they be promoted? At one time I thought there should be policies first, and then implementation according to the policies. Later I found that it is far too simple to expect a policy to be implemented just because it exists; such a policy is merely virtual. It can be summarised in three steps:

1. Enforceability: whether it is iterative security testing, emergency response, SDL or any other security policy, make sure it is enforceable and that sufficient time and labour cost are available before establishing it.
2. Circle the key points: combine general network-wide publicity with key training, and select the business scope in which the policy can be implemented according to business characteristics and how well the policy fits.
3. Break through one by one: do not expect anything to be finished overnight. After picking a focus, an in-depth discussion with the project leader is essential, explaining how the policy's process safeguards the security of the business. The key is that what they pay is at least in proportion to what they get back, and ideally the other party improves the security of their business without even noticing (this is what I have been pursuing).

5、Ending the fire-fighting stage

Many large Internet companies are building their own SOC platforms to integrate security scanning, port detection, host protection, emergency response and so on. When small and medium-sized enterprises cannot invest enough, a semi-automatic scheme is advisable. At present an "information security centre" has been built inside the company, comprising an attack and defence drill platform, a GitHub monitoring platform, the patrol (Xunfeng) system and an ELK log analysis platform, serving as the enterprise information security window for the whole company. A brief introduction:

1. Attack and defence drill platform: it combines several open-source systems, such as zvuldrill, DVWA, webug, tea_news and XSS challenges, and is mainly used for security training and possibly for later security assessment.
2. GitHub monitoring system: currently a GitHub monitoring system open-sourced by 0xbug is used; building and using it is very simple and the effect is very good.
3. ELK security log analysis: in the early stage of construction, the experience shared by Vipshop was used as a reference. In the middle and later stages we need to work out the specific scheme that suits our own environment, and there are many pitfalls, which are not listed one by one. The overall idea: in the early stage of construction the work is in the fire-fighting stage, passively taking hits; now we have a certain "ability to take a beating"; next we build our own big-data log analysis platform to analyse nginx and system logs; and later we adopt more schemes to block behaviour during an intrusion, so as to achieve active defence. It is a long road, and we are willing to walk it together with you.
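Item 3 is about what the nginx logs in ELK are actually analysed for. As an added example (my own code, not the author's ELK configuration or Vipshop's scheme), the block below does in plain Python what a first detection pass on nginx access logs typically does: parse the "combined" log format, aggregate per source address, and raise an alert when one address collects many distinct 404 paths (directory probing) or many failed POSTs to the login endpoint (credential guessing). The log lines are constructed samples with documentation addresses, the `/login` endpoint and the thresholds are assumptions, and a malformed line is included to show that it is skipped rather than crashing the pass.

```python
import re
from collections import defaultdict

# Constructed sample in nginx "combined" log format: one ordinary visitor, one
# address probing for admin paths, one address hammering the login endpoint,
# plus a malformed line that a real log file will sooner or later contain.
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [11/Apr/2020:10:00:01 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Apr/2020:10:00:02 +0800] "GET /about HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.44 - - [11/Apr/2020:10:00:03 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "python-requests/2.22.0"
203.0.113.44 - - [11/Apr/2020:10:00:03 +0800] "GET /admin/ HTTP/1.1" 404 162 "-" "python-requests/2.22.0"
203.0.113.44 - - [11/Apr/2020:10:00:04 +0800] "GET /manager/html HTTP/1.1" 404 162 "-" "python-requests/2.22.0"
203.0.113.44 - - [11/Apr/2020:10:00:04 +0800] "GET /console/ HTTP/1.1" 404 162 "-" "python-requests/2.22.0"
203.0.113.44 - - [11/Apr/2020:10:00:05 +0800] "GET /backup.zip HTTP/1.1" 404 162 "-" "python-requests/2.22.0"
192.0.2.9 - - [11/Apr/2020:10:01:00 +0800] "POST /login HTTP/1.1" 401 45 "-" "curl/7.64.1"
192.0.2.9 - - [11/Apr/2020:10:01:01 +0800] "POST /login HTTP/1.1" 401 45 "-" "curl/7.64.1"
192.0.2.9 - - [11/Apr/2020:10:01:01 +0800] "POST /login HTTP/1.1" 401 45 "-" "curl/7.64.1"
192.0.2.9 - - [11/Apr/2020:10:01:02 +0800] "POST /login HTTP/1.1" 401 45 "-" "curl/7.64.1"
192.0.2.9 - - [11/Apr/2020:10:01:02 +0800] "POST /login HTTP/1.1" 401 45 "-" "curl/7.64.1"
192.0.2.9 - - [11/Apr/2020:10:01:03 +0800] "POST /login HTTP/1.1" 401 45 "-" "curl/7.64.1"
198.51.100.7 - - [11/Apr/2020:10:01:30 +0800] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is not an access log record and must be skipped
"""

# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_access_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    match = LOG_LINE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def detect(lines, probe_threshold=5, login_fail_threshold=5):
    """Aggregate per source address and return alerts as (ip, kind, count) tuples.

    Two rules, both counted over the whole input (a real pipeline would use a
    time window): many distinct 404 paths from one address, and many failed
    POSTs to the assumed login endpoint from one address.
    """
    stats = defaultdict(lambda: {"missing": set(), "login_failures": 0})
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue  # malformed line: skip, never abort the whole pass
        s = stats[rec["ip"]]
        if rec["status"] == 404:
            s["missing"].add(rec["path"])
        if rec["method"] == "POST" and rec["path"] == "/login" and rec["status"] in (401, 403):
            s["login_failures"] += 1
    alerts = []
    for ip in sorted(stats):
        s = stats[ip]
        if len(s["missing"]) >= probe_threshold:
            alerts.append((ip, "path probing", len(s["missing"])))
        if s["login_failures"] >= login_fail_threshold:
            alerts.append((ip, "login brute force", s["login_failures"]))
    return alerts


if __name__ == "__main__":
    for ip, kind, count in detect(SAMPLE_ACCESS_LOG.splitlines()):
        print(f"{ip:<15} {kind:<18} {count}")
```

The same two aggregations map directly onto a Logstash grok pattern for the combined format plus a Kibana visualisation that buckets by `remote_addr`; writing them in a few lines of Python first makes it much easier to tune the thresholds against real traffic before anything is wired into the platform.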

6、Conclusion

At present, small and medium-sized enterprises (including large enterprises with little security investment) have security teams under great pressure, lacking experience in enterprise security construction and with insufficient investment. We therefore hope to establish a "small and medium-sized enterprise security alliance". We do not share data, in order to keep it confidential, and because of limited resources we cannot provide technical support, but we can share experience, implementation plans, and test results for third-party products (services). If you are interested in joining, leave a message in the community; the next step is to share, talk things over and air complaints together. The information security platform currently uses the following source code (open source is a good way; to respect the authors, the original links are used as far as possible):
Security platform framework: 2015/srcms (updated)
XSS cross-site platform: ; building tutorial:
Attack and defence drill platform: 1. https:// (updated) 2. http:// tea_news (self-developed), XSS challenge; see the cloud disk for webug (link: ; password: ud4f)
GitHub monitoring platform: https://
Patrol system:
In addition, the enterprise's internal security training system is also under construction. The general idea is as follows; some parts are not yet complete, and only the completed part is shared: link: ; password: ud4f

Finally, I would like to thank all the friends above who shared their source code, and those who provided security suggestions, ideas, schemes and technical sharing throughout the security construction process, such as Yirendai, Nongxin Internet, Sunshine Insurance, YeePay, 58.com, Lianjia, Guazi, Qilala, Alibaba Cloud, Qingteng Cloud, NSFOCUS, Douxiang Technology, 360 Enterprise Security, Knownsec, iQIYI and others (in no particular order).