Domestic network security risk assessment market and technical operation
Wu Luka @comnet
Version control
V0.1 04/01/2004 Document created, including a large number of sample files released internally
V0.2 04/19/2004 Removed some sensitive information; added domestic market analysis and outlines of BS7799 and OCTAVE
In the past two years, network security risk assessment has gradually attracted attention; many large companies, especially operators and the financial industry, have invited professional companies to assess them. This paper presents some of the author's experience in operating domestic security risk assessments, and tries to explain a tailored, easy-to-operate form of risk assessment as the author understands it. Since the content concerns commercial companies, some commercial interests are inevitably involved; the author has tried to stay clear of any direct conflict of interest, and all evaluations are purely personal views. If you have different opinions, you are welcome to write to me.
1. What is a risk assessment?
When risk assessment is mentioned, the first things that come to mind are a series of terms: risk, asset, impact, threat, weakness and so on. None of them is hard to understand on its own, but once they are considered together things get complicated. For example, the definition in ISO/IEC TR 13335-1:1996 can be interpreted as: a specific threat exploits one or more weaknesses of an asset, resulting in the potential for loss of or damage to the asset.
To help understanding, here is a down-to-earth example: I have 100 yuan in my pocket; because I dozed off, it was stolen, and I had nothing to eat that night.
Describing this case from the viewpoint of risk assessment, we can understand the concepts as follows:
Risk = the money is stolen
Asset = 100 yuan
Impact = nothing to eat at night
Threat = thief
Weakness = dozing off
Back to a more refined case. Suppose a securities company's database server is intruded because of an RPC DCOM vulnerability, and its service is forced to stop for 3 days.
Let us try a matching exercise of the kind often given in primary school: connect each item on the left with the corresponding item on the right:
Risk            RPC DCOM vulnerability
Asset           the server was intruded
Impact          database server
Threat          intruder
Weakness        three days
If this exercise gives you no difficulty, congratulations: we are standing on almost the same starting line.
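The decomposition above (threat, weakness, asset, impact) can be written down as a small risk register. The following Python is an added example, not code from the article; the two scenarios are the article's own cases, while the 1..5 scales, the "asset value = highest CIA requirement" rule and the rating formula likelihood x severity x asset value are assumptions introduced here for illustration. The consistency check in `RiskScenario.check` is the matching exercise done by machine: a scenario whose weakness does not belong to its asset is rejected.

```python
"""Risk scenarios modelled on the ISO/IEC TR 13335-1 definition quoted above:
a threat exploits a weakness of an asset and causes an impact. Added example,
not from the article; scales and the rating formula are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    # Confidentiality, integrity and availability requirements on an assumed 1..5 scale
    c: int
    i: int
    a: int
    weaknesses: frozenset

    def value(self) -> int:
        # Asset value taken as the highest CIA requirement (assumption; the article
        # only says that CIA is "comprehensively calculated")
        return max(self.c, self.i, self.a)


@dataclass(frozen=True)
class RiskScenario:
    asset: Asset
    threat: str       # who or what acts against the asset
    weakness: str     # the asset weakness the threat exploits
    impact: str       # the consequence for the organisation
    likelihood: int   # assumed 1..5 scale
    severity: int     # assumed 1..5 scale for the impact

    def check(self) -> None:
        """A scenario is consistent only if the weakness really belongs to the asset."""
        if self.weakness not in self.asset.weaknesses:
            raise ValueError(f"{self.weakness!r} is not a weakness of {self.asset.name!r}")

    def rating(self) -> int:
        """Risk rating = likelihood x severity x asset value (assumed formula, 1..125)."""
        self.check()
        return self.likelihood * self.severity * self.asset.value()

    def narrative(self) -> str:
        return (f"threat '{self.threat}' exploits weakness '{self.weakness}' of asset "
                f"'{self.asset.name}'; impact: {self.impact}")


def is_consistent(scenario: RiskScenario) -> bool:
    """True when the scenario's weakness is a known weakness of its asset."""
    try:
        scenario.check()
        return True
    except ValueError:
        return False


# Constructed scenarios built from the article's two cases
POCKET_MONEY = Asset("100 yuan in my pocket", c=1, i=1, a=3,
                     weaknesses=frozenset({"dozing off"}))
DB_SERVER = Asset("securities company database server", c=4, i=5, a=5,
                  weaknesses=frozenset({"RPC DCOM vulnerability"}))

SCENARIOS = [
    RiskScenario(POCKET_MONEY, "thief", "dozing off",
                 "nothing to eat at night", likelihood=2, severity=3),
    RiskScenario(DB_SERVER, "intruder", "RPC DCOM vulnerability",
                 "server intruded, service interrupted for 3 days", likelihood=4, severity=5),
]


def risk_view(scenarios):
    """The simple 'risk view' an assessment report lists: (rating, narrative), highest first."""
    return sorted(((s.rating(), s.narrative()) for s in scenarios), reverse=True)


if __name__ == "__main__":
    for rating, text in risk_view(SCENARIOS):
        print(f"{rating:3d}  {text}")
```

Running it lists the database server scenario (rating 100) above the pocket-money one (rating 18); swapping the weakness of one scenario for the other's makes `is_consistent` return False, which is the mistake the matching exercise is designed to catch.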
2. Domestic existing risk assessment mode
2.1 evaluation market and competition analysis
If the domestic risk assessment market is divided into tiers, it becomes clear that the operating methods of the several tiers are completely different.
The domestic high-end market is mainly occupied by companies such as IBM (PricewaterhouseCoopers) and KPMG, whose network security assessments often cover the entire audit system. In the mid-end market there are many stronger domestic and foreign network security companies: those that entered security assessment earlier and have better practice in the operator market, those with a steady style that advance step by step and expand their territory one footprint at a time, and the highly competitive Green Alliance Technology. Low-end vendors often operate through simple vulnerability scans and virus checks.
2.2 Analysis of Evaluation Mode of Main Middle End Vendors
The data in the following analysis was obtained by the author through various channels while engaged in network security assessment practice. Because information ages, however, the descriptions and analysis in the current version do not necessarily represent each company's latest assessment development; readers should judge for themselves.
2.2.1 Qiming Star (Venus)
Qiming Star was always low-key before 2002, but its risk assessment work has developed from the pure vulnerability scanning, manual audit and penetration testing of one securities company project, through the BS7799 framework and then the OCTAVE method, to finally forming its own methodology and operating model, into which many professionals have put a great deal of labor. The following figure is extracted from a Qiming Star slide and shows how their assessment process developed; each step had a project associated with it, whose names are omitted for security reasons.
Weak business participation and gaps in the operability of its solutions have often drawn criticism from demanding users, but judging from recent operations at many large customers it is now better received. Qiming Star has more tools that can be applied in risk assessments:
Tiles Evaluation Edition: a scanner, with a version specially used in risk assessments.
Tianqing: Againfront SRC (Security Risk Manage), a quantitative and visual assessment tool based on ISO17799.
Information library: name unknown; it can directly import scanning results from scanners such as niosci, Nessus and ISS and generate reports, and is said to be a good auxiliary tool for the assessment process.
Local evaluation package.
The risk assessment characteristics of Qiming Star as I understand them:
On the one hand, Qiming Star is involved in developing national standards for the security industry; on the other hand, they have more high-quality employees, have refined the high-end consulting types, dig deep into details, and write assessment documents that are consistent and clear. They change fast, which is both an advantage and a disadvantage: they generally make a breakthrough in each large assessment project, which forces innovation but also keeps the assessment methodology from settling.
2.2.2 Green Alliance Technology
Green Alliance Technology entered the security assessment field from its initial participation in the China Telecom assessment project, and entered the market with powerful system research technology. The following figure is the assessment process description from their presentation:
My overall evaluation of the Green Alliance risk assessment method is that it is a professional system and network security assessment rather than an information security assessment, with the following characteristics:
Strong project operability
Insufficient management assessment
Risk calculation method not scientific enough
Accurate grasp of technical weaknesses
2.2.3 Ans
Ans is another company that operated network security risk assessment projects early in China, and has done several large assessment projects (including consulting): the China Mobile CMNET network security assessment project, the Tianjin Electric Power Company security consulting project, the China Telecom IP network security consulting project, the Shanghai Mobile BOSS system security consulting project, the Shenzhen Huawei Technology Company security consulting project, etc.
In my personal understanding, around 2001 Ans (IS-One) was the leader in assessment in China. On the one hand they communicated closely with foreign companies, and their executives emphasized risk assessment and BS7799. However, in 2003, with products being discontinued and high-profile publicity put behind self-developed products, SOC integration became their main promoted concept, and their methodology in risk assessment lacked innovation and breakthroughs. Ans has several advantages in security risk assessment:
Project management is professional. The figure below is an excerpt from an Ans PPT presented to a user and shows their project management process. The document system is comparatively standardized, which may have something to do with some of Ans' executives. They pay more attention to proposals, consulting recommendations and so on; of course, this also makes it easy for them to consider problems from a large-enterprise angle, so small customers are easily handled with large-business methods. As far as I have seen, there are at least the following standard proposals and templates:
Security policy assessment and recommendation report
Security solution
Local risk assessment report
Remote risk assessment report
Network Security Status Report
Network Security Solution Suggestions
Scan evaluation application report template
Database scan application report
System scan application report
Network scan application report
......
Here is the outline of an Ans pre-sales proposal; I believe insiders can see some of the tricks ;)
Chapter 1 Overview
1.1 Project Overview
1.2 project objectives
1.2.4 evaluation method
1.3 Principles of evaluation
1.3.1 Privacy Principles
1.3.2 Standard Principles
1.3.3 Normative principle
1.3.4 Controllage Principles
1.3.5 General principles
1.3.6 Minimum impact principles
1.4 Risk Assessment Model
1.4.1 background and hypothesis
1.4.2 Overview
1.4.3 asset assessment
1.4.4 Threat Assessment
1.4.5 Weakness Evaluation
1.4.6 Risk Assessment
1.5 Asset Recognition and Assignment
1.5.1 Information Asset Classification
1.5.2 information asset assignment
1.6 Main Evaluation Method Description
1.6.1 Tool Evaluation
1.6.2 manual assessment
1.6.3 Security Audit
1.6.4 Analysis of Network Architecture
1.6.5 Policy Evaluation
1.7 project commitment
1.8 project organizational structure
Chapter 2 Project Scope and Evaluation Content
Chapter 3 Project Stage Details
3.1 Phase 1 - Project Preparation and Range Determination
3.2 Second Phase - Project Definitions and Blueprints
3.3 Third Phase - Risk Assessment Stage
3.3.1 Group Corporation Assessment Subject
3.3.2 Provincial Network Level Evaluation Subject
3.3.3 Safety Information Library Development Subject
3.3.4 Security Assessment Risk Avoidance Measures
3.3.5 Work that requires customer cooperation
3.3.6 Safety Information Library System Prototype Summary Design
3.4 Fourth Stage - Comprehensive Evaluation and Strategy Stage
3.4.1 Formation of Reports and Suggestions
3.4.2 "XXXX Network Security Status Report"
3.4.3 "XXXX Network Security Policy Improvement Suggestions"
3.4.4 "XXXX Network Security Solution Suggestions"
3.5 Fifth Stage - Project Review Stage
3.5.1 Acceptance Method and Content
3.5.2 Acceptance standards and processes
3.6 Support and after-sales service
3.6.1 Introduction to the Ans customer service system
3.6.2 Ans (China) customer service objects
3.6.3 Ans (China) Customer Service Center organizational structure
3.6.4 Ans (China) service characteristics
3.6.5 Service Assurance System CRM
3.6.6 Support services provided in this project
3.6.7 Security Notice Service
Chapter 4 Project Quality Assurance and Management
4.1 Configuration Management
4.2 Change Control Management
4.3 Project Communication
4.4 Records and Memo
4.5 Report
4.6 Project Coordination Conference
Chapter 5 Project Quality Control
Chapter 6 Technical Training
6.1 Safety Management Training (ISO 17799)
6.2 Assessment Method Training
6.3 Evaluation Results and Vulnerability Repair Method Training
6.4 Safety Information Library System Training
Chapter 7 Project Software and Hardware Demand Checklist
In addition, the Ans information library can also become a powerful weapon in risk assessment.
2.2.4 Others
Other companies referred to here are also strong companies, such as Lenovo, which entered the security industry and opened up a certain position through good channels and partnerships. Anluo Technology also deserves mention: the company is not big, but it has managed to hold a certain position in the industry.
However, when it comes to risk assessment, most of the companies classified here lack a style of their own, and some even treat assessment as a very small side business, so in their proposals or slides one often sees the various standard processes, relationship diagrams and so on, as below:
In the risk assessment proposals of almost all companies I have seen the above security risk relationship diagram; of course, some companies have made modifications, embellished it with their own understanding, and highlighted the core part of their own assessment method. For example, this security risk relationship diagram from Qiming Star:
2.2.4.1 Yiyang Xintong
All of their business processes include: definition of information assets, policy document analysis, security auditing, network structure assessment, business process analysis, security technical weakness assessment, security threat assessment, assessment of existing security measures, comprehensive security weakness assessment, comprehensive security threat analysis, and comprehensive risk analysis. The assessment methods adopted are of five types: remote/local tool assessment, manual assessment, hacker test, security questionnaire and consultant interview.
What impresses me is that in their proposals most projects have stricter processes, and the personnel involved, main assessment methods, inputs, outputs, reference specifications and standards are all specified; it is more rigorous.
2.2.4.2 Yaxin Technology
With the advantage of deep roots in the operator industry, its former subsidiary Marsi achieved relatively good results. Judging from the various proposals, Yaxin's study of risk assessment is not deep, just a stack of basic risk assessment, detailed risk assessment and comprehensive risk assessment. Their assessment is divided into six major parts: assets, vulnerability, threats, impact, security measures assessment and risk assessment. Risk assessment is the comprehensive integration of the first five, and the security measures assessment is presumably their own addition. My impression is that the overall thinking feels rather confused.
2.2.4.3 Huawei
The Huawei part has always been hard to write... They have a huge and powerful sales team and a good cooperation background with operators, which tempt other manufacturers into cooperation. However, Huawei's rapid development, and the way it develops, often leave partners in an awkward position. Take the firewall market as an example: Huawei once ran product tests in order to choose partner firewall manufacturers, testing the functions, performance indicators and technical characteristics of various products. But in 2003 Huawei launched its own firewall products.
2003 can be said to be the year Huawei security turned from internal construction to an external drive. The reason may be that they found their main customers, the operators, had raised the security threshold, and that a high threshold could not be passed on the basis of their own products and integration alone.
Huawei's assessment is slightly different from that of other security companies, focusing more on network architecture and application assessment (probably because of its talent in this area). It also made slight gains in the 2003 market.
2.2.4.4 Lenovo
Lenovo's Network Security Division and the security products of its Net Royal family have always confused me: why does Lenovo invest in a non-government technology company on one hand and, on the other hand, intend to create its own security product and service brands? From the current situation, the Net Royal firewall has achieved good sales in the market, and the Net Royal intrusion detection product is also just starting out. But in the author's personal testing, these two security products are far from what a large manufacturer like Lenovo should offer in function and performance.
In security services and risk assessment, Lenovo entered the market relatively late, but by recruiting several Ans employees who are masters of attack and penetration (which also shows Ans' accumulation ;)), they quickly built a set of their own standard methods and operating processes on the basis of their predecessors.
2.2.4.5 Anluo Technology
Anluo Technology had a relatively high reputation in the domestic network security community when it was founded. However, it has always stayed at the Shenzhen end and missed the opportunity to grow rapidly, so it has been squeezed out of the first echelon of domestic security vendors.
Many of their proposals include an assessment proposal together with a medium- and long-term security planning recommendation. Their remote risk assessment relies on personnel skill; their local risk assessment is very fine-grained, covering physical security, platform security, data security, communication security, application security, operational security and management security assessment. However, the operability is not sufficient.
2.3 Evaluation mode of some low-end vendors
Some low-end assessment vendors not only exist in the market but also have considerable living space. Their target customers are small businesses, which will not spend much energy or money on assessment and only need security to reach a simple baseline.
Usually these vendors are quick and concise:
Vulnerability Scan -> Remote Scan Report
Sampling Manual Audit -> Artificial Audit Report
Sampling virus scanning and killing -> Virus monitoring report
After that you can sit back and collect the money; this mode of operation needs only a few technicians to run well.
3. BS7799 and OCTAVE
3.1 Advantages and Weakness of BS7799
To understand BS7799, I think one should start from two angles:
Understand the security management process of BS7799, that is, the methods and steps for establishing an information security management system.
Understand the contents of the 10 domains and 127 control items mentioned in BS7799, and be able to select (or even add) control items on this basis, just like the NISS (network and information security standards) recently proposed by the mobile group.
Personally I feel that the biggest defect of BS7799 is that it is not operable; if one only follows the requirements of BS7799 (similar to an ISO9000 review), the initial security objectives may ultimately not be met. This may also be why BS7799 and ISO17799 are loudly talked about while there are not many practical applications or certifications. For reference, a list provided by SANS is given here.
3.2 Effective supplement from OCTAVE
OCTAVE is actually an abbreviation of Operationally Critical Threat, Asset, and Vulnerability Evaluation, i.e. an evaluation of operationally critical threats, assets and weaknesses. In my understanding, OCTAVE emphasizes first the O and then the C: it focuses most on operability and next on what is critical, grasping the 80/20 principle :)
Let me briefly describe the key points as I understand them (actually no link in OCTAVE can be ignored; the focus here is on the parts I think OCTAVE does better, or that are relatively critical in the assessment process):
Process control (overall): OCTAVE divides the overall network security risk assessment process into three phases and nine links:
Phase 1: Establish asset-based threat profiles
01. Identify senior management knowledge
02. Identify business area knowledge
03. Identify general employee knowledge
04. Establish threat profiles
Phase 2: Identify infrastructure weaknesses
05. Identify critical assets
06. Evaluate the selected assets
Phase 3: Determine security strategy and plans
07. Conduct risk analysis
8A. Develop protection strategy A
8B. Develop protection strategy B
The following figure is CERT's process schedule from a risk assessment for a hospital; we can use it as a reference.
Creating threat profiles (Process 4): this process actually accomplishes two things. First, it organizes the data collected in the first three processes so that the analysis is clear. Second, it creates a global view of the threats to important assets by analyzing the threats to each asset. From the figure below we can see that OCTAVE analyzes the asset, access, motive, actor and outcome of a given asset's threats (this figure covers only one asset, a personal computer, and one access path, the network). The threat view built this way really helps us see the company's threats.
Identifying critical assets (Process 5) is also a continuation of the first phase; according to OCTAVE it is divided into two steps: identifying key classes of components, and identifying the infrastructure components to be analyzed. If we consider operational flexibility, we can also score CIA (confidentiality, integrity and availability) at this stage and reach the final conclusion by comprehensively calculating CIA.
Risk analysis (Process 7) corresponds to the threat view created in the threat profile process, and here the possible impact of each threat needs to be identified. Note that risk analysis is not just the single image below: several systems may cross over, so this view will eventually become a big chart.
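The threat view, the CIA shortcut for Process 5 and the "big chart" of Process 7 described above can be built mechanically. The following Python is an added example, not code from the article or from CERT's OCTAVE material; the four branch axes (access, actor, motive, outcome) follow the article's description, while the CIA scores, the threshold, the use of the CIA sum as the combination rule and the impact ratings are constructed assumptions.

```python
"""OCTAVE-style threat profile for one asset (Process 4), critical-asset selection
by CIA score (Process 5) and the consolidated chart of Process 7. Added example;
the axes follow the article, the scores and threshold are constructed."""
from itertools import product

# Branch values of the threat tree (assumed, following the article's description)
ACCESS = ("network", "physical")
ACTOR = ("inside", "outside")
MOTIVE = ("accidental", "deliberate")
OUTCOME = ("disclosure", "modification", "loss/destruction", "interruption")


def threat_tree(asset):
    """Process 4: every (asset, access, actor, motive, outcome) branch for one asset."""
    return [(asset, *branch) for branch in product(ACCESS, ACTOR, MOTIVE, OUTCOME)]


def select_critical_assets(assets, threshold):
    """Process 5 with the CIA shortcut the article mentions: an asset is critical
    when its combined CIA score (the sum, an assumption) reaches the threshold."""
    return sorted(name for name, cia in assets.items() if sum(cia) >= threshold)


def risk_analysis(assets, impacts, threshold):
    """Process 7: merge the rated branches of all critical assets into one chart keyed
    by outcome, highest impact first. Branches nobody rated (impact 0) are dropped,
    and non-critical assets never enter the chart."""
    chart = {}
    for asset in select_critical_assets(assets, threshold):
        for branch in threat_tree(asset):
            score = impacts.get(branch, 0)
            if score > 0:
                chart.setdefault(branch[-1], []).append((score, branch))
    for entries in chart.values():
        entries.sort(reverse=True)
    return chart


# Constructed inventory: name -> (C, I, A) on a 1..5 scale
ASSETS = {
    "personal computer": (3, 3, 2),
    "database server": (4, 5, 5),
    "public web page": (1, 2, 2),
}

# Constructed impact ratings (1..5) gathered in interviews, keyed by the full branch
IMPACTS = {
    ("personal computer", "network", "outside", "deliberate", "disclosure"): 3,
    ("database server", "network", "outside", "deliberate", "interruption"): 5,
    ("database server", "network", "inside", "accidental", "modification"): 4,
    ("public web page", "network", "outside", "deliberate", "modification"): 2,
}

if __name__ == "__main__":
    for outcome, entries in risk_analysis(ASSETS, IMPACTS, threshold=8).items():
        for score, branch in entries:
            print(f"{outcome:18s} {score}  {branch}")
```

With a threshold of 8 the personal computer (CIA sum 8) and database server (14) are critical while the public web page (5) is not, so its rated branch never reaches the chart; the full tree for one asset has 2 x 2 x 2 x 4 = 32 branches, which is why the article warns that several systems together make a big chart.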
4. The characteristics of SMEs and a re-evaluation of OCTAVE
4.1 Small and medium-sized businesses versus large companies in assessment activities
A direct question: do large enterprises and small and medium-sized companies have anything in common in assessment? Are they completely different? Which of the things done in large companies can be reused? I rarely see discussion of this, so I want to raise the problem here and give my rough thoughts, hoping to attract better ideas.
Same points (some can be reused)
1. Asset assessment
Asset survey form
Asset attribute and assignment survey forms and methods
Survey method for key assets
2. Threat assessment (some SMEs can even do it)
BS7799 review form
OCTAVE threat analysis method and view
Event analysis method
3. Weakness assessment
Remote scanning method and tools
Manual audit method and tools
Penetration test method and tools
4. Risk analysis
Existing risk view refining method and report
Different points (parts that need to be developed separately)
1. Asset assessment
Asset report (key assets differ greatly between industries and between large and small enterprises)
2. Threat assessment
The threats faced are much broader than for small businesses
3. Weakness assessment
Risk avoidance measures
4. Risk analysis
Solution for organizational characteristics
Management system and strategy framework
4.2 Re-evaluation Octave
Through a preliminary study of OCTAVE we can see that it makes up for much of BS7799's lack of operability, but it is still some distance from perfect. Briefly:
It over-emphasizes the assessment activities of large enterprises; the evaluation process is rather cumbersome; the complete views are not easy to operate and require many people to participate. The risk control action list is a bit thin and some distance from the actual work of subsequent security construction. Because it emphasizes operation, the standards on which execution is based are relatively simple (this may be a subjective judgment).
Nothing, however good, can be applied without change; it must be absorbed critically. From the simple analysis of BS7799 and OCTAVE above, can you extract your own assessment method?
5. How to develop a risk assessment plan that best suits your company
Here I consider using a small-business assessment case to illustrate how to develop a business risk assessment suited to its current state. Since there is no suitable case at hand, this will be completed in the next version.
6. Brief introduction
6.1 Definition Stage
This is in fact the continuation of pre-sales work: defining the project scope and clearly defining the users' needs. This seems simple, but the actual operator needs considerable experience to judge the resources at hand, how much work can be completed in the predetermined time, and how to negotiate with the customer at the most appropriate level and maintain it to the end of the project.
We list five modules here: preliminary communication, initial proposal, bidding proposal, reply document and reference quotation.
According to the actual project operation process, the work of these five modules should be complete in the pre-sales stage. When the project definition stage is entered, users already understand network security risk assessment and are clearer about which parts of their network environment need to be evaluated. Therefore at this stage the user will further discuss the bidding proposal with the manufacturer, and the details they are interested in are expanded.
6.2 Blueprint Stage
The two parties develop a detailed schedule. It is recommended that the plan include at least the following contents: problem description, objectives and scope, SWOT analysis, work breakdown, milestones and schedule, resource requirements of both parties, and change control method.
A blueprint meeting is required in the blueprint phase. After the meeting, the project blueprint must be developed and signed on the basis of agreement between both parties, and subsequent work is strictly controlled by the blueprint.
An assessment project requires a lot of customer knowledge, usually of the assessment method, in the early stage of the project, so it is recommended to complete the project training in the blueprint phase.
In addition, a reminder: because most companies do not have well-established asset management, coordinating the asset assessment in advance, so that it can start as soon as possible, effectively protects the project schedule.
6.3 Execution Stage
This is the most critical stage; most of the operations are completed here. We can divide this stage into four links, as follows:
Asset assessment (can be completed remotely)
System and business information collection
Asset list
Asset classification and assignment
Asset report
The content of asset assessment is not complicated. The focus of this work is on getting the customer to classify and assign values to assets. At the same time, attention must be paid to controlling the completion time of the asset assessment, since only when the assets are clear can the subsequent threat and weakness assessments be conducted effectively; otherwise it is easy to end up half done.
Threat assessment (completed on site)
IDS deployment to collect threat sources
Collect and evaluate policy documents
BS7799 consultant interview
Event analysis
Threat report
Interviews account for the largest part of the on-site threat assessment work. However, since there are currently several different criteria for defining threats, threat assessment can be called the difficult point of operation. It is recommended to refer to a sample threat assessment report before implementation. If fairly complete security event information can be obtained through interviews, consider not doing a separate threat assessment and instead analysing the essentials more clearly through event analysis.
Weakness assessment (completed on site)
Remote scan
Manual audit
Penetration test
Weakness report
Weakness assessment is a purely technical operation and is not described here.
Risk analysis and control (can be done remotely)
Data collation, storage and analysis
Security status report
Security solution
When the field work is over and the basic data has been collected, there are many techniques for refining and mining information from this sea of data. The final risk analysis needs to be clear and thorough, and the form of the solution should match the customer's needs. Three words for the solution: it must be operable.
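The "data collation" step of the risk analysis link is mostly a join: weakness-assessment findings are keyed by host, the asset list is keyed by host, and the priority of each finding depends on both. The following Python is an added example, not code from the article; all records are constructed, and the rules "asset value = highest CIA requirement" and "priority = severity x asset value" are assumptions. It also reports findings on hosts that are missing from the asset list, which is the situation the article warns about when the asset assessment is left half done.

```python
"""Data collation for the risk analysis link: joins the asset list produced by the
asset assessment with weakness-assessment findings into one prioritised table
from which the security status report is built. Added example, not from the
article; records are constructed and the priority formula is an assumption."""
import csv
import io

# Constructed asset list (output of classification and assignment, CIA on a 1..5 scale)
ASSET_LIST = """\
host,system,kind,c,i,a
10.0.1.10,trading,server,4,5,5
10.0.1.11,trading,server,4,5,5
10.0.2.20,office,workstation,2,2,1
"""

# Constructed weakness-assessment findings (scan and manual audit results, severity 1..5)
FINDINGS = """\
host,finding,severity
10.0.1.10,RPC DCOM vulnerability,5
10.0.2.20,missing antivirus update,2
10.0.1.11,anonymous FTP enabled,3
10.0.9.99,unpatched service,4
"""


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def asset_value(row):
    # Highest CIA requirement stands for the asset's value (assumption)
    return max(int(row["c"]), int(row["i"]), int(row["a"]))


def consolidate(asset_text, findings_text):
    """Return (prioritised findings, unknown hosts). Priority = severity x asset value.
    Findings on hosts absent from the asset list cannot be prioritised and are
    reported separately so the asset assessment can be completed first."""
    assets = {row["host"]: row for row in load(asset_text)}
    prioritised, unknown = [], []
    for f in load(findings_text):
        asset = assets.get(f["host"])
        if asset is None:
            unknown.append(f["host"])
            continue
        priority = int(f["severity"]) * asset_value(asset)
        prioritised.append({"system": asset["system"], "host": f["host"],
                            "finding": f["finding"], "priority": priority})
    prioritised.sort(key=lambda r: r["priority"], reverse=True)
    return prioritised, sorted(set(unknown))


def status_by_system(prioritised):
    """Per-system summary for the status report: number of findings and highest priority."""
    summary = {}
    for r in prioritised:
        s = summary.setdefault(r["system"], {"findings": 0, "max_priority": 0})
        s["findings"] += 1
        s["max_priority"] = max(s["max_priority"], r["priority"])
    return summary


if __name__ == "__main__":
    rows, unknown = consolidate(ASSET_LIST, FINDINGS)
    for r in rows:
        print(r["priority"], r["system"], r["host"], r["finding"])
    print("hosts not in the asset list:", unknown)
    print(status_by_system(rows))
```

On the constructed data the RPC DCOM finding on the trading server ranks first (priority 25), the office workstation last (4), and host 10.0.9.99 is flagged as not in the asset list rather than being silently dropped or given a made-up value.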
6.4 Reporting Stage
In the project reporting phase, all on-site work and most of the documentation have been completed, and the key task is to let users really understand and recognize our work. Therefore in-depth communication is recommended in this phase (face to face achieves the best results).
The reporting phase needs attention to various detail adjustments (some need to be considered together with project features), for example:
1. Add a "Document Guide" chapter at the front of the report;
2. List the client's participating staff among the authors;
3. Provide a concise and strong summary for the leaders;
4. And so on...
6.5 After-sales service
According to the OCTAVE evaluation method, after completing a security assessment the user has a snapshot of its current risk and has also completed a baseline of its information security risks. Afterwards, the organization must solve or manage the highest-priority risks identified in the assessment process, and control and eliminate risks according to the developed solution.
However, since the organization's security state changes over time, the baseline must be reset by performing another assessment. So here we can define the follow-up work as a PDCA cycle (Plan, Do, Check, Act).
7. Project Management in Evaluation
7.1 Determining Project Management Group
Clarify the organizational structure of the project: usually the following three small items are handled informally. However, for a large assessment project with considerable resources, it is necessary to consider and argue properly whether a matrix structure makes reasonable use of project resources.
Clarify the departments and key people involved: these usually include members of the business, the assessment group, the research department and other cross-departmental members; they need to be determined in advance, and the focus of authority and the project members need to be managed explicitly, which can effectively reduce obstacles later in the project.
Clarify project management responsibilities: select the project manager, project supervision (at least document supervision), sub-project managers, etc. If resources are sufficient, try not to reuse people, otherwise they will eventually become a resource bottleneck.
7.2 Dispatching and Resource Allocation
Optimize the project process: this is similar to coordination. When all tasks in the project are laid out, some tasks can be found to run in parallel, some can be brought forward, and some do not need many predecessor tasks... Optimize and estimate the execution period of each task.
Clarify project priorities and determine the critical path and milestones in priority order.
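Finding the parallel tasks and the critical path once every task is laid out is the standard critical path method. The following Python is an added example, not code from the article; the task names follow the execution-stage links the article describes, and the durations and dependencies are constructed values. `schedule` runs the forward and backward passes, `critical_path` returns the zero-slack tasks, and `running_on` shows which tasks can be in progress on a given day.

```python
"""Critical path and parallel work for an assessment schedule (section 7.2).
Added example, not from the article; tasks, dependencies and durations are
constructed from the execution-stage links the article describes."""
from collections import deque

# task -> (duration in working days, predecessor tasks). Constructed values.
TASKS = {
    "asset_assessment":    (5, []),
    "project_training":    (2, []),
    "threat_assessment":   (8, ["asset_assessment", "project_training"]),
    "weakness_assessment": (6, ["asset_assessment"]),
    "risk_analysis":       (4, ["threat_assessment", "weakness_assessment"]),
    "report":              (3, ["risk_analysis"]),
}


def topological_order(tasks):
    """Kahn's algorithm; also returns the successor map. Raises on a dependency cycle."""
    indeg = {t: len(preds) for t, (_, preds) in tasks.items()}
    succ = {t: [] for t in tasks}
    for t, (_, preds) in tasks.items():
        for p in preds:
            succ[p].append(t)
    queue = deque(t for t, d in indeg.items() if d == 0)
    order = []
    while queue:
        t = queue.popleft()
        order.append(t)
        for s in succ[t]:
            indeg[s] -= 1
            if indeg[s] == 0:
                queue.append(s)
    if len(order) != len(tasks):
        raise ValueError("dependency cycle in task list")
    return order, succ


def schedule(tasks):
    """Forward pass gives earliest start/finish, backward pass latest start/finish;
    slack = latest start - earliest start. Returns (per-task table, project length)."""
    order, succ = topological_order(tasks)
    es, ef, ls, lf = {}, {}, {}, {}
    for t in order:
        dur, preds = tasks[t]
        es[t] = max((ef[p] for p in preds), default=0)
        ef[t] = es[t] + dur
    end = max(ef.values())
    for t in reversed(order):
        lf[t] = min((ls[s] for s in succ[t]), default=end)
        ls[t] = lf[t] - tasks[t][0]
    table = {t: {"es": es[t], "ef": ef[t], "ls": ls[t], "lf": lf[t],
                 "slack": ls[t] - es[t]} for t in order}
    return table, end


def critical_path(tasks):
    """Tasks with zero slack: delaying any of them delays the whole project."""
    table, end = schedule(tasks)
    return [t for t in table if table[t]["slack"] == 0], end


def running_on(tasks, day):
    """Tasks that can be in progress on a given day when each starts as early as possible:
    the parallel work the article says can be found once all tasks are laid out."""
    table, _ = schedule(tasks)
    return sorted(t for t, v in table.items() if v["es"] <= day < v["ef"])


if __name__ == "__main__":
    path, end = critical_path(TASKS)
    print("critical path:", " -> ".join(path), f"({end} working days)")
    print("in progress on day 6:", running_on(TASKS, 6))
```

On the constructed plan the critical path is asset assessment, threat assessment, risk analysis and report (20 working days); weakness assessment has two days of slack and runs in parallel with threat assessment from day 5, and project training has three days of slack, so it is one of the tasks that can be brought forward or moved without affecting the milestones.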
7.3 Tracking, Reporting, and Control
Define data requirements: the data collection process needs a clear definition (even using standard tools), which ensures that the data format, data descriptions and measurement dimensions obtained by different people are consistent.
Data analysis and document generation.
Delivery schedule.
7.4 Common traps
Blurred authorization: in a regular project the roles of project manager, project supervision, sub-project managers, consultants, technical engineers and so on may be blurred, for example one person acting as project supervision and as sub-project manager of several nodes. The most direct consequence of playing multiple roles is that no role is played well.
Requirement drift: in the early stage of an assessment users may lack understanding, but as the assessment deepens they gradually become "experts" in the security field and propose a large number of new requirements at that point; effectively controlling and guiding these new requirements (guiding them into new projects) is quite important.
Resource misplacement: this mainly happens when resources are scarce, for example we reserve UNIX expert A and network equipment expert B to complete the weakness assessment, but when resources are insufficient B may be pulled away, and the assessment, which cannot be done partially, must then be completed by A alone.
Insufficient communication: most technical employees have strong technical operating ability, but communication is relatively lacking in projects. In the final stage of one assessment project a user said euphemistically: you really can "bury your head in the work"! Since security assessment is very much team work, a large-scale assessment project can be completed successfully only if the team is kept communicating.
8. References
Tsinghua University Press, "Information Security Management"
Machinery Industry Press, "Introduction to Information Security Management"
Information from the companies concerned