On April 20, 2005, Xie Chaoxia, executive vice president of Akan Science and Technology, was invited to attend the 5th "China Information Security Development Trend and Strategy" high-level seminar and delivered the keynote speech.
Speaking on behalf of AUST and drawing on many years of hands-on network security experience, Xie Chaoxia examined in depth the principles behind security attack and defense activities, the principal problem in security practice, and proposed a dialectical philosophy of network security attack and defense. The talk was well received and resonated strongly with people in the industry, offering useful ideas on the security worldview, security methodology, and the industrial application of the related theory.
The PowerPoint slides used by the speaker can be downloaded below (use "Save As"):
http://www.cnns.net/html/openvssec.ppt
The following is the text of the conference speech.
///
Speech on security philosophy
Hello everyone!
Today I want to talk about some philosophical ideas related to security. I have been doing security for nine years now. The year 2000, and the company, marked a watershed in my security career: research on attack technology gave way to the role of the defender.
In the past four or five years the company's main business has been professional security services. Our customers cover almost every industry, and I have dealt with customers of all kinds. To save resources, I often train some people to explain security solutions and promote security services. But I found that training them in a general way is difficult. Getting sales staff to understand a whole range of security theories and domestic and foreign security standards is not a realistic thing. These theories are popular abroad, and the domestic market competes to imitate them.
At that point I began to think: is understanding security this way not enough? Do we Chinese only repeat what others have said, and lack ideas of our own? We need to think much more from the user's point of view. You get them to spend two or three hundred thousand on a piece of security equipment; will he feel, as he would buying an Audi, that the money was well spent?
In the final analysis every user has a premise, which is the reason for paying or not paying. If a security vendor is driven by this premise alone, then after the contract is signed the user will sense it, and there is often a first order but no second.
What is the premise?
Some users ask:
- Is it best not to do security at all? Can you guarantee that nothing will happen?
Another common problem is this:
- Security costs money and does not make money, so leaders pay no attention and the funding does not come.
There are many similar problems. Either there is no answer, or there are many different answers. Why this is so is a question worth our thought.
Many of today's popular information security theories are hard for most people to understand, and some are just mouthfuls of jargon summarized by experts. I think what we need is not only these.
Here I offer some views on security philosophy. Of course, these views are built on the security practice of many seniors in the industry. Today my colleagues and I stand on the shoulders of giants and try to put forward some propositions about security philosophy.
There are three parts: the network security worldview, security methodology, and the industrial application of the theory.
Part one: the security worldview
What is security?
To talk about security, I have to mention a corresponding concept: risk.
First, risk is inherent in the nature of information systems.
On the one hand, there is innate, inherent risk.
A newborn information system is always unguarded, just like a newborn baby: it gets sick easily and dies easily. That is why we now emphasize breastfeeding, and it is the same truth. In installing operating systems there is something to learn from the Americans: they no longer install from the installation disc, but use the GHOST program to clone a hard drive on which all patches and security policies are already complete. This is called innate immunity.
On the other hand, there is the risk of change acquired later.
The operational nature of information systems determines the objective existence of risk. Information systems must keep running and developing, and every change carries risk. For example, the more you do, the more risk you bring. Legally adding a user can also be counted as a security event in the broad sense, and risk increases by one point. When you open the Baidu website you think nothing of it, but in fact this action changes the system's integrity again: a cookie file appears in your temporary directory, and a new shortcut is added to the recent documents list. Risk is therefore an objective existence: it is nowhere in particular and yet everywhere, while the so-called security requirement is in fact a subjective will.
We must be careful not to be misled by the user's surface needs. The security requirements document the user gives you is something he found online, or something compiled from existing knowledge. This subjective will is often one-sided or unrealistic.
Next, let's talk about attacks on network security.
All network attacks come, at their source, from people.
No matter how secure you are, as long as your information system provides a function that is open to people, attack events will come sooner or later, independent of anyone's will.
The root of attacks lies in social contradictions. The information system is a virtual expression of society. As society develops day by day, risks and conflicts arise day by day, and attacks with all kinds of purposes will occur on information systems.
So, what is security?
In an information system, openness constitutes risk; constraint constitutes security.
Each increase in security comes from one more constraint. Security is the total set of all constraint rules.
The contradiction between constraint and openness accompanies the operation and development of the information system.
Although constraints are tied to security, they do not always bring a decline in performance.
What is the relationship between security and the performance of an information system? Let's look at a curve.
In the first phase of this curve, basic security measures do not reduce the performance of the information system; on the contrary, they can improve it significantly. These measures generally mean a simple firewall, security patches, and anti-virus. This region suits SMEs and individual users.
In the second phase, as security measures are added, performance no longer improves significantly, until it finally reaches its peak. This region suits large enterprises and operators.
In the third phase, as security measures keep increasing, performance begins to decline. This region suits confidential units or military networks.
The summary here: absolute security does not exist; we must allow risk to exist within reason, and seek security in the struggle between network attack and defense.
Part two: security methodology
To study security methods, one has to study the laws of the attacker.
The activities of a network attacker can be divided into two phases. The first is the attack phase, in which protection is broken through; the second is the latent activity phase.
In the attack phase, every attack follows the principle of taking the easiest path. If a hacker can get into your system with the weak password 888888, he will absolutely go in that way, without hesitation.
The sixteen-character formula of guerrilla warfare applies very well here: the enemy advances, we retreat; the enemy camps, we harass; the enemy tires, we attack; the enemy retreats, we pursue.
The attacking party follows the principles of underground work.
If you have only just broken through the defense line and are immediately discovered by the network administrator and swept out, that is a complete failure. Whether the goal of the attack can be achieved depends entirely on how long the attacker survives inside; otherwise the attack was only a probe.
To survive right under the host's nose, every activity must be concealed: concealment of technique, of identity, of intention, and of traces.
In turn, the defending side should follow the strategic aim of active defense.
In doing security, strive to be a hard target; do not blindly pursue a seamless, impregnable defense. Dr. Chen has spoken at length about survivability in information security, and it is this same truth. We must take improving the survivability of the information system as our purpose.
Tactically, implement an active defense security policy: oppose the kind of pure defense that does nothing when an incident occurs, and equally oppose the simple struggle that builds no defensive line. In ordinary times keep the initiative in security prevention; in handling a security event, lure the enemy in deep, then annihilate and destroy them completely, striking second to win.
For security personnel, the best thing to learn from is handling security incidents. Every security incident is the best opportunity to understand attack methods and thereby discover more weak points, which greatly improves existing security.
Where does the improvement of an information system's security capability come from? From the complementary combination of two aspects: security prevention and security incident handling.
The opposition between constraint and openness, and the complementarity between security prevention and security incident handling: it is these two contradictions that drive the development of security and of the survivability of information systems.
Part three: industrial application
Facing the user, it is necessary to oppose all kinds of unrealistic security objectives, security requirements and security strategies. Since the attacker always "avoids the strong and strikes the weak", the task is to reduce the likelihood of malicious intrusion: business owners must make their IT systems safer than those of their peers;
For example, a hacker wants to steal bank card passwords. There are two bank websites: one requires only a username and password, the other requires a verification code in addition to the username and password. On the former, the hacker can fix one simple password and traverse all card numbers, and will always find some user with that password. On the latter, because of the verification code, each username might take 10,000 attempts. The hacker will seize on the former as the attack target.
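The bank example above has a consequence for the defender: a per-account lockout rule never fires when one password is tried once against each of thousands of card numbers, so that pattern has to be detected per source. The script below is an added example, not code from the speech or from AUST; it assumes a constructed login log with one attempt per line in the form "timestamp source_ip username result", and shows a classic per-account failure rule next to a per-source "many distinct accounts" rule, plus a check that flags any successful login coming from a source already identified as sweeping accounts.

```python
"""Two login-guessing patterns seen from the defender's side of the bank example.

Added example (not the speech's or AUST's code). Log format is assumed:
"<ISO timestamp> <source_ip> <username> <OK|FAIL>", one attempt per line.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 10.0.0.5 tries one guess against many different
# card numbers (the "fix a password, traverse the card numbers" pattern),
# 10.0.0.9 hammers a single account, 10.0.0.7 is an ordinary user typo.
SAMPLE_LOG = """\
2005-04-20T09:00:01 10.0.0.5 6222001 FAIL
2005-04-20T09:00:02 10.0.0.5 6222002 FAIL
2005-04-20T09:00:03 10.0.0.5 6222003 FAIL
2005-04-20T09:00:04 10.0.0.5 6222004 FAIL
2005-04-20T09:00:05 10.0.0.5 6222005 FAIL
2005-04-20T09:00:06 10.0.0.5 6222006 OK
2005-04-20T09:01:00 10.0.0.9 6222007 FAIL
2005-04-20T09:01:05 10.0.0.9 6222007 FAIL
2005-04-20T09:01:10 10.0.0.9 6222007 FAIL
2005-04-20T09:01:15 10.0.0.9 6222007 FAIL
2005-04-20T09:02:00 10.0.0.7 6222008 FAIL
2005-04-20T09:02:30 10.0.0.7 6222008 OK
"""


def parse_log(text):
    """Parse log lines into (timestamp, source, user, result) tuples, time-ordered."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    events.sort()
    return events


def per_account_alerts(events, max_failures=3, window=timedelta(minutes=5)):
    """Lockout-style rule: N or more failures against the same account in a window.

    Catches the single-account brute force but is blind to one guess per account.
    """
    recent = defaultdict(list)  # user -> timestamps of recent failures
    alerts = set()
    for ts, src, user, result in events:
        if result != "FAIL":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # slide the window forward
            q.pop(0)
        if len(q) >= max_failures:
            alerts.add(user)
    return alerts


def spray_alerts(events, min_accounts=5, window=timedelta(minutes=5)):
    """Sweep rule: one source failing against many distinct accounts in a window."""
    recent = defaultdict(list)  # src -> [(timestamp, user)] of recent failures
    alerts = set()
    for ts, src, user, result in events:
        if result != "FAIL":
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.pop(0)
        if len({u for _, u in q}) >= min_accounts:
            alerts.add(src)
    return alerts


def suspicious_logins(events, **kwargs):
    """Accounts that logged in successfully from a source flagged by the sweep rule.

    These are the "user with that simple password" the attacker was hunting for.
    """
    sweeping = spray_alerts(events, **kwargs)
    return {user for ts, src, user, result in events
            if result == "OK" and src in sweeping}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("per-account alerts:", per_account_alerts(ev))   # {'6222007'}
    print("sweeping sources:  ", spray_alerts(ev))         # {'10.0.0.5'}
    print("suspicious logins: ", suspicious_logins(ev))    # {'6222006'}
```

Run against the constructed log, the account rule reports only the hammered account 6222007 and says nothing about 10.0.0.5, which is exactly why the speech's first bank is the attractive target; the source rule catches 10.0.0.5 after five different card numbers, and the final check singles out 6222006 as the account whose weak password was found. In a real deployment the source key would usually be widened (address ranges, session or device fingerprints) because the sweep can be spread across many addresses.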
The law of the attacker tells us what security is. It is necessary to keep the initiative in ordinary prevention, and to be able to strike second and win once a security event has occurred.
"Seizing the initiative" is the key to maintaining the security advantage:
The meaning of seizing the initiative is that you are far ahead of the enemy.
Take predictive security measures and do full prevention, avoiding the enemy's spearhead;
Adopt more immunization techniques rather than anti-virus technology;
In emergency response, don't rush to unplug the network cable and don't rush to restart the system; you must lure the enemy in deep, so that they are fully exposed, then root them out completely and achieve striking second to win.
Below are the different strategies that different types of users should adopt.
For confidential or military networks, the principle of boundary defense plus internal defense in depth should be adopted. All of this work is long-term, and every layer has to be taken care of. There is a paper on the seven layers that you can refer to.
For a general large enterprise with thousands of hosts, covering everything everywhere is unrealistic, so it can rely mainly on border defense and concentrate on the key points.
For small and medium enterprise networks there are not many computers, and host defense should be considered first. An inexpensive firewall can also be considered for border defense. Paid monthly, that may amount to a few thousand a year in investment.
As a security company, we must actively involve ourselves in the user's security services and pay full attention to every security event of the user; regardless of whether there is a charge, we should actively step in with handling and technical support. Every security event of the user can drive improvement of the security company's services and products.
Whether it is a product or a service matters little; the key is that the product must be valuable and the service must contribute, and on this basis a stable security supply partnership is built;
Finally, let's do the accounts of security benefits.
Security costs money, but does a company stop spending money once it has opened? I hire a technical backbone at an annual salary of 200,000; if I save that salary, how big is the loss? The boss knows. So a security account cannot be a simple account of direct money.
The security benefit account has two parts: expenditure and income.
Expenditure includes security event losses, security software and hardware input, and security human input. In fact security events tend to trigger input, but business owners generally do not recognize that a security event loss is also an input. What about the income?
The key should be seen in the improvement of security (= the survivability of the IT system).
Secondly, depriving intruders of survival time inside the internal network, which reduces losses.
It can also reduce future security expenditure. Calculated this way, security work does make money after all. Moreover, and importantly, we allow risk to exist within reason, and we also allow a moderate occurrence of security events.
Finally, thanks to the organizers for their support. In the course of organizing these theoretical views I received guidance from Dr. Wu Shizhong. I pay my highest respects to these two experts here!