Emergency response technology report
1 Emergency response background

Seen macroscopically, network security incidents are continuous and uninterrupted, but each individual event is sudden and random. Faced with a sudden large-scale virus or worm outbreak, even professionals are often helpless. This is like China after "9.11" and after "SARS": in order to cope with emergencies, a dedicated emergency group must be set up, whose responsibility is to respond effectively to an emergency at the earliest moment and keep losses to a minimum. The earliest emergency response organization in the world is the CERT/CC established in 1988, prompted by the famous "Morris" worm of that time. After that, many departments set up their own emergency response organizations. However, the 1989 WANK worm exposed the problem of communication between these organizations, so in 1990 the Forum of Incident Response and Security Teams (FIRST) was established. At present the organization has more than 100 emergency response organizations from around the world as members; they exchange information and technology, and also collaborate in handling some incidents. The National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) was established in 2001 and became a formal member of FIRST in 2002; it is responsible for monitoring the backbone networks and has established working relationships with operators and other emergency response organizations to form an Internet emergency handling system. Many domestic security companies have also set up their own emergency response centers, providing security consulting and security incident handling services. The Chinese government has also paid close attention: document China Run [2003] No. 27 clearly proposes paying attention to information security emergency handling.
2 The concept of emergency response

Emergency response, as its name suggests, is the response to emergency events. Analyzed carefully, however, it includes two levels of meaning. The first is responding to the emergency in the first moment, so that the incident is stopped from developing further, or its impact is reduced, before the situation deteriorates. The second is that the response must be effective; this is self-evident, since only effective measures can contain an incident. From the concept of emergency response, the following points can be drawn. First, emergency response must be fully prepared. This includes personnel, knowledge, technology and tools, of which people are the most fundamental, because the critical part of an emergency response depends on the quality of the people. Second, emergency response must have a sound mechanism. Although emergency response emphasizes its "urgent" character, it must proceed in an orderly way, which requires a sound mechanism of constraints or specifications. When a security incident occurs, how to collect information, confirm the event, analyze it, propose a plan, put it into effect, and afterwards summarize the experience or conduct education and training all require a mature mechanism to keep the process running smoothly. Third, emergency response must rely on extensive cooperation. Once a network security incident appears, its scope of influence is often wide; it sometimes affects not just several ISPs but even multinational networks (the "Blaster" and "Sasser" worms are good examples). If a virus or worm is detected and an emergency response is made while it is still in the early stage of its spread, it will not cause large-area infection.
3 The scope of emergency response

The scope of emergency response mainly means the business scope of emergency response. A comprehensive look at domestic and foreign emergency response organizations shows that their business mainly includes security incident handling, security announcements, vulnerability information release, security audit, risk assessment, security consulting, security solutions, technical tracking, tool development, education and training, and even the assessment and certification of security products. Security incident handling is the original purpose of emergency response organizations and is their main business. Security incident handling has a mature process, divided into four steps: preparation; detection and analysis; containment, eradication and recovery; and post-incident follow-up. Since the Internet is interconnected, security incident handling should also be linked between the emergency response organizations. Security announcements and vulnerability information release are a proactive business model. If users regularly review security announcements and vulnerability information and keep their hosts' patches up to date, security incidents will decrease. However, there is still no professional vulnerability information database in China today, even though some organizations have created their own vulnerability databases. These have two problems. First, the existing vulnerability databases carry few fields and little detail about each vulnerability, and most of the information comes from the Internet, so its authenticity and reliability remain to be verified. Second, these vulnerability databases cannot exchange and share information, because their information formats are not compatible; the CVE standard only provides a basis for verifying the uniqueness of a vulnerability. As for security audits, risk assessments, security consulting and security solutions, we can provide these as services to users.
The security solution market in particular is very large. Most small and medium-sized companies in China have very few professional security personnel and their networks are very fragile, but these companies are reluctant to invest more funds in security, so we can provide long-term security solutions. Education and training are an eternal topic. Some people have done education and training on network security, but the level is very low, many have no credibility guarantee, and there is little education on network intrusion and its prevention. The key to education and training is selecting suitable listeners, that is, the right user group. Technical tracking and tool development can be seen as the accumulation of technology and knowledge, and there are many attractive directions in this field. Vulnerability detection and vulnerability mining are two directions that have both theoretical depth and practical value. Vulnerability detection can serve as a security assessment tool for local area networks, and an intelligent self-upgrading, self-defending system can be built on top of vulnerability detection. Vulnerability mining has no mature model at this stage. Most of the vulnerabilities announced today are the result of individual effort, and vulnerability mining should move toward a systematic approach.

4 The status quo of emergency response

Domestic emergency response organizations mostly carry out emergency response to security incidents and are also responsible for coordinating the other organizations under them. The emergency response center of an enterprise is generally a technical consulting and technology accumulation department.
So if we do emergency response, there are several aspects to cover: (1) a Chinese vulnerability database and standardization of the vulnerability information format; (2) security solutions for SMEs, institutions or government; (3) education and training for specific user groups; (4) vulnerability detection technology, and the theory and practice of vulnerability mining; (5) security incident handling, security audit, security consulting, risk assessment, etc.
5 The prospects of emergency response

Security is a process, and since security incidents are inevitable, we might as well face them calmly. Emergency response is gradually transforming from a passive mode to an active mode. Network security is no longer centered on products but on services. Emergency response is a good service model; if you can develop your own distinctive strengths, you can have a place in the network security field.