The Road to Internet Enterprise Security Construction: Planning

Posted by millikan at 2020-02-27

*Author of this article: secsky. The article belongs to the FreeBuf original reward program and may not be reproduced without permission.

At the beginning of the new year I decided to write an article on security construction for Internet enterprises. One reason is to summarize some of the work and ideas from what I have done before and am doing now; the other is to help friends who are interested in, or have a need for, security construction in Internet enterprises.

The article is divided into three parts:

Part 1: Why Internet enterprises need security

Part 2: What kind of security Internet enterprises need

Part 3: How Internet enterprises can do security well

These are also the questions I have put to myself and kept thinking about during enterprise security construction. First, through the first question, I try to analyze the security threats and challenges Internet enterprises face; then I derive the security needs and security goals of Internet enterprises; finally, based on those needs and goals, I draw up a security construction plan that fits the enterprise's business characteristics.

OK, let's get to the point, starting with the first topic.

Part 1: Why Internet enterprises need security

Looking at the external environment, the overall security situation of the Internet is not optimistic. Every day, enterprises face security threats from all directions: network attacks, extortion, security vulnerabilities and other incidents happen from time to time, and leakage of sensitive enterprise information has gradually become the norm. When such security incidents occur, they have a negative impact on the enterprise's normal operation and business development. In addition, in recent years some major security incidents exposed by the media, together with the development of the whole Internet industry, have made more and more Internet enterprises realize the importance of security and start, or plan, to recruit professional security personnel to improve their own security level.

To sum up, the driving forces for Internet enterprises to do security mainly come from the following aspects:

1. Facing all kinds of security threats

For example: external hackers, the cybercrime underground, competitors, insiders, etc.

2. Facing various security challenges

For example: security vulnerabilities, network attacks, extortion, sensitive information disclosure, etc.

3. Security issues have adverse effects on the company's operation and business development

For example: economic loss, loss of users, reputation damage, declining credibility, etc.

Part 2: What kind of security do Internet enterprises need?

After understanding why Internet enterprises should do security, we consider the next question: what kind of security do Internet enterprises need? What are the security requirements? What are the core security objectives? And what security capabilities does the enterprise need in order to achieve those objectives?

Through the above analysis we can easily set out the enterprise's core security objectives. Although different enterprises have different business characteristics, they still share many commonalities. Let's take a look:

1. Data security

Data security is the core security requirement of every Internet company and the security issue that most Internet executives care about most. The goal is to ensure that sensitive data stays secure and under control.

2. Take the initiative in attack and defense

Be able to grasp the overall security situation of the enterprise and proactively find potential security risks; know who attacked, when, what kind of attack was carried out, whether it succeeded and how badly the target system was affected; and resolve the security problems encountered at the earliest opportunity.

3. Ensure business security, continuity and availability

Reduce as much as possible the risk of business systems being affected by network attacks, such as the most common DDoS and CC (HTTP flood) attacks.

These should be the security expectations, or core security goals, of most Internet companies. Although they do not take many words to state, achieving them is no simple matter; they should be treated as long-term goals.

Part 3: How can Internet enterprises do security well?

Now that we have the security goals, let's get to today's main act: how can Internet enterprises do a good job on security? This is a question worth thinking about.

1. Establish the correct security concept

Security is relative. Internet enterprise security is not something that is done once by running a penetration test, asking a security company for a security solution, or buying some security products and services. Security is a whole, and it is dynamic; it needs to be done over the long term and invested in continuously.

2. An overall perspective on enterprise security

As mentioned above, security is a whole. What aspects and contents does Internet enterprise security include? To express it more intuitively and clearly, let's look at the picture and discuss it directly:

From the above figure we can see that a complete enterprise security perspective needs to cover four aspects: the production network, the office network, third-party suppliers and security compliance. Drawing this picture is not difficult. The real difficulty lies in turning the security plan and blueprint into work that can be implemented and tracked. I think this is a problem that many security personnel, especially enterprise security directors, have been trying out and thinking about.

My idea and suggestion is to first list the contents of the whole security plan, decompose the big security goal into several small security goals, and then list how each of these goals is to be achieved: which security products are to be self-developed and which need cooperation with third-party security vendors. Finally, schedule the work according to the enterprise's current security status, existing resources and project priorities, implement it, follow up progress regularly, and promptly resolve and improve on the problems found along the way. The ultimate goal is to establish a relatively complete enterprise security system.

2.1 Production network

2.1.1 Infrastructure security

If infrastructure security is divided by layer, it can be split into three levels: physical security, network security and system security. This part is network security in the traditional sense and is the most basic part of the whole enterprise security system.

2.1.2 Application security

Application security is without doubt the key point in the security work of Internet enterprises, and it is also the part in which enterprises invest the most resources. It is divided into two directions, Web security and mobile security, and focuses on the SDL (Security Development Lifecycle) and application-layer attack and defense.

2.1.3 Business security (risk control)

Business security (risk control) focuses on security confrontation at the business level and is a very important part of Internet enterprise security. Because of their business characteristics, e-commerce and Internet finance companies pay the most attention to risk control; in these enterprises it is usually an independent department with a high reporting line and considerable authority. Business security has a broad market outlook, and many security start-ups are now trying to solve business security problems with new technologies such as big data, machine learning and artificial intelligence.

2.1.4 Security operations

2.2 Office network

2.2.1 Infrastructure security

For office network infrastructure security, the focus should be on perimeter protection, especially the security of WiFi and VPN.

2.2.2 Internal application security

The internal applications of the office network mainly include OA, enterprise mail, finance, operations and maintenance and other internal business systems. The main characteristics of such systems are that they are rarely updated after going live, many are purchased from third-party vendors, and some are open-source systems. Remember not to expose internal systems to the public network: many serious security incidents are caused by exposing an internal business system to the public Internet. In addition, it is necessary to do good security monitoring of the important internal systems so that abnormal behavior is discovered in time.

2.2.3 Endpoint security

This part of the work is relatively simple, mainly endpoint anti-virus, patch management, and endpoint security management and audit, for which many security vendors have mature products. For the vast majority of Internet companies there is no need to develop endpoint security products themselves; it can be handled by directly evaluating, comparing and purchasing the products of third-party security vendors.

2.2.4 Security management

People are the weakest link in the whole enterprise security system, which is recognized and accepted by more and more enterprises and security personnel. Security management focuses on cultivating and promoting the security awareness of enterprise personnel, and its core value is to make security construction part of the corporate culture.

2.3 Third-party suppliers

This part was previously ignored by many enterprises. The security level of the third-party partners an enterprise works with varies widely, and this part is usually out of the enterprise's control. Therefore, when the security team has the energy and resources, it should also pay attention to the security of third-party partners, so that their security problems do not end up affecting the company's business.

2.4 Security compliance

If an enterprise wants to carry out certain businesses, it needs to pass certain security certifications. For example, applying for a payment license requires passing PCI DSS certification, and there are also security compliance requirements for listing overseas. In addition there are requirements such as ISO 27001, which differ for each enterprise. Generally speaking, this part of the work focuses on security compliance and audit, and it will not be discussed here.

3. Development stages of security construction

From the above security construction plan it can be seen that building a complete enterprise security system from scratch involves a great many things; it is not done overnight but is a systematic project. Generally, an enterprise's security construction needs to go through the following stages:

Figure 11

3.1 Firefighting stage

This is a stage that enterprise security must go through when starting from scratch. As the name suggests, security work in this stage is relatively passive, and the security personnel often act as firefighters. The core of this stage is to solve the most serious and highest-priority security problems the enterprise encounters. During this process, one should become familiar with the company's environment, business, system architecture and so on as soon as possible. In addition, there is a big challenge in this stage: how to find the right talent to form a security team.

3.2 Basic security construction stage

After going through the firefighting stage, we start building basic security. The core security goal of this stage is to solve the highest-priority security problems in the security plan. In this process some basic security processes and specifications are formulated and implemented, and some automated security tools and systems are developed; their functions may not be perfect, but they meet the current security requirements. The enterprise will also cooperate with third-party security vendors in some areas, improving its security level by purchasing security products or services such as regular penetration tests, crowdsourced security testing, anti-DDoS, bastion hosts, firewalls and other basic security services and equipment.

3.3 Security coverage of core business systems

A large or medium-sized Internet company will have multiple business lines, each business line will have multiple business systems, and these business lines may be distributed across different departments that are the responsibility of different people. If you try to promote SDL across all business lines from the start, you are very likely to fail, because the security team is still small at this stage and does not have the energy and resources to cover every business line. The wiser approach is to start with the core business systems and extend to other business lines after the whole process has been straightened out and runs smoothly. The core security goal of this stage is to ensure the security of the core business systems, which can be achieved by implementing SDL, periodic vulnerability scanning, security monitoring and other measures on them.

3.4 Security coverage of all business line systems

Thanks to the accumulation of the previous stage, and because security construction is by this time on the right track, this stage is relatively easy to achieve. Its biggest challenge may be how to recruit the right security talent and retain the existing security talent.

3.5 Achieve comprehensive automation and platformization

At this stage the security team has reached a certain scale and the various security roles are basically in place. There are also many security systems and platforms, but the problem is that these systems and platforms are not well linked and do not perform correlated analysis. So the main goal of this stage is to further integrate and polish the existing security systems and platforms, then achieve a high degree of linkage and correlation analysis so as to better grasp the company's overall security situation, and to productize the existing security systems and platforms in preparation for the next step of exporting security capabilities.

3.6 Export security capabilities

Only when the company's business and security team have developed sufficiently do they have the opportunity to do this. At present, apart from BAT (Baidu, Alibaba, Tencent), no other domestic Internet company has the ability and opportunity to export security to the outside world, so there is not much to discuss here.

Part 4: Summary

Much has been said above. In fact, whether an enterprise's security can be done well and made strong is not only a technical problem but the combined result of many factors. Besides the correct understanding of and strong support for security from the enterprise's senior management, it depends greatly on the ability, vision and industry background of the enterprise's security director.

The road of Internet enterprise security construction is long. It covers a great deal of content, far more than one article can make clear. That is all for today; I will write more when I have time. Due to my limited ability there must be shortcomings in this article, and I welcome discussion so that we can progress together.
