In information security, the confidentiality, integrity and availability of information are the most important goals. To build a complete and effective protection mechanism without attending to one thing while neglecting another, we have summarised from extensive practice the ten most critical and effective security principles:
Implement multi-layer security controls throughout the information system (defense in depth). The goal of defense in depth is to provide redundant security controls: when one control fails or is breached, additional controls remain in place to prevent further harm. Put another way, defense in depth increases the probability that an attacker is discovered and reduces the probability that the attack succeeds.
To protect core data, control and defense are needed at multiple levels. Typically these include physical security (for example, locking servers in cabinets and similar measures), network security (for example, filtering network packets with a firewall), host security (for example, securing user accounts, package management and file-system protection), application security (for example, protecting web applications) and protection of the data itself (for example, encrypting the data). Without defense in depth it is hard to build a genuinely secure system.
PDCA (Plan-Do-Check-Act), also known as the Deming cycle, is the methodology for iterative control and continuous improvement commonly used in management science. The continuous improvement emphasised by the PDCA cycle is also the soul of lean production.
Applied to security, the PDCA method proceeds in these steps: inventory the assets, develop a security strategy, make an implementation plan, develop a validation plan, then, guided by the output of the check phase, refine the security strategy and move on to the next iteration.
The principle of least privilege (PoLP) means giving people, programs and systems only the minimal set of permissions needed to perform their functions. Examples: network access control on servers, running an application as an ordinary (unprivileged) user, and database access control.
The whitelist mechanism is the counterpart of the blacklist mechanism. A blacklist explicitly defines what is not allowed and permits everything else. The obvious drawback of relying on a blacklist alone is that in many cases we cannot enumerate every possible threat; moreover, a blacklist alone may give attackers the chance to bypass it with variants of a known-bad input. The advantage of the whitelist mechanism is that new, unanticipated threats are blocked as well.
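To make the difference between the two mechanisms concrete, here is an added example in Python (not from the original article): a file-upload filter written first as a blacklist and then as a whitelist. The extension lists, the basename pattern and the sample filenames are constructed for illustration; the point is that the blacklist passes spellings its author did not list, while the whitelist only passes names that match a known-good shape.

```python
import os
import re

# Constructed sample lists for a file-upload filter (not from the article).
BLACKLISTED_EXTENSIONS = {".php", ".exe", ".sh"}
ALLOWED_EXTENSIONS = {".png", ".jpg", ".gif"}
SAFE_BASENAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def blacklist_allows(filename: str) -> bool:
    """Blacklist check: only what is explicitly listed is refused.

    Everything not on the list, including spellings the list author did not
    anticipate (different case, related extensions), is let through.
    """
    _, ext = os.path.splitext(filename)
    return ext not in BLACKLISTED_EXTENSIONS


def whitelist_allows(filename: str) -> bool:
    """Whitelist check: the basename must match a known-good pattern and the
    extension must be one of the explicitly permitted ones."""
    base, ext = os.path.splitext(filename)
    return bool(SAFE_BASENAME.fullmatch(base)) and ext.lower() in ALLOWED_EXTENSIONS


def compare(filenames):
    """Return {filename: (blacklist_verdict, whitelist_verdict)} for a batch."""
    return {f: (blacklist_allows(f), whitelist_allows(f)) for f in filenames}


if __name__ == "__main__":
    samples = ["photo.png", "photo.PNG", "notes.PHP", "page.phtml", "a b.png", "x.php"]
    for name, (bl, wl) in compare(samples).items():
        print(f"{name:12} blacklist={'allow' if bl else 'deny':5} "
              f"whitelist={'allow' if wl else 'deny'}")
```

Running the block shows the blacklist allowing `notes.PHP` and `page.phtml` (neither string is on the list) while the whitelist denies both; it also denies `a b.png` because the basename contains a character outside the permitted set.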
Fail safely (fail safe) means handling errors securely, which is an important aspect of secure programming. When coding, ensure that a security control, on encountering an exception, follows the processing logic for a denied operation rather than an allowed one.
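An added Python example, not from the original article, showing the same authorization check written in a fail-open and a fail-closed style. The ACL, the `PolicyStoreError` exception and the `lookup_permissions` helper are constructed for illustration; the unsafe variant initialises its decision to "allow" and an exception skips the line that would have revoked it, while the safe variant denies by default and only grants on a successful, positive lookup.

```python
import logging

log = logging.getLogger("authz")

# Constructed ACL for the example (not from the article): user -> allowed actions.
ACL = {"alice": {"read", "write"}, "bob": {"read"}}


class PolicyStoreError(RuntimeError):
    """Raised when the permission store cannot be consulted (hypothetical)."""


def lookup_permissions(user, store=ACL):
    """Fetch a user's permission set; store=None simulates an unreachable backend."""
    if store is None:
        raise PolicyStoreError("permission store unreachable")
    return store.get(user, set())


def is_allowed_unsafe(user, action, store=ACL):
    """Fails open: 'allowed' starts as True, and when the lookup raises, the
    assignment that would have set it correctly never runs."""
    allowed = True
    try:
        perms = lookup_permissions(user, store)
        allowed = action in perms
    except PolicyStoreError as exc:
        log.error("policy lookup failed: %s", exc)
    return allowed


def is_allowed_safe(user, action, store=ACL):
    """Fails closed: any error on the control path results in a denial, and a
    grant requires the lookup to succeed and to contain the action."""
    try:
        perms = lookup_permissions(user, store)
    except PolicyStoreError as exc:
        log.error("policy lookup failed, denying %s/%s: %s", user, action, exc)
        return False
    return action in perms


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for fn in (is_allowed_unsafe, is_allowed_safe):
        print(fn.__name__, "store up:", fn("bob", "write"),
              "store down:", fn("bob", "write", store=None))
```

With the store up both functions deny `bob` the `write` action; with the store down the fail-open version silently grants it and the fail-closed version denies it, which is the behaviour the principle calls for.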
Security by obscurity means trying to achieve security by hiding some information from the outside. An everyday example: leaving valuables in a car, covering them with a newspaper, and believing they are perfectly safe. This is a big mistake.
7. Intrusion detection
Intrusion detection systems are generally divided into network intrusion detection systems (NIDS) and host intrusion detection systems (HIDS).
A host intrusion detection system is deployed on the server and identifies whether an intrusion is taking place, or determines whether one has already occurred, by analysing file integrity, network connection activity, process behaviour, log string matching, file characteristics and so on.
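Two of the host-level checks listed above, file integrity and log string matching, as an added Python example that is not from the original article: a baseline of file digests is taken while the tree is known-good, the tree is changed, and the checker reports what differs; a small rule set is then run over constructed log lines. The directory layout, the rules and the log lines are all constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path


def hash_file(path, algo="sha256"):
    """Stream a file through a hash so large files need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative POSIX path) to its digest.
    In a real HIDS this is taken on a known-good host and stored where the host
    itself cannot rewrite it."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check_integrity(root, baseline):
    """Re-hash the tree and report files whose digest changed, vanished or are new."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "deleted": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


# Constructed log-matching rules: (rule name, pattern). Not from the article.
LOG_RULES = [
    ("ssh failed password", re.compile(r"sshd\[\d+\]: Failed password for")),
    ("new local account", re.compile(r"useradd\[\d+\]: new user: name=(\S+?),")),
]


def scan_log(lines):
    """Return (rule name, matched line) for every line that triggers a rule."""
    return [(name, line) for line in lines for name, pat in LOG_RULES if pat.search(line)]


# Constructed sample log lines (not real captures).
SAMPLE_LOG = [
    "Jun 10 22:26:16 host sshd[1234]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2",
    "Jun 10 22:26:20 host sshd[1240]: Failed password for invalid user admin from 203.0.113.9 port 40000 ssh2",
    "Jun 10 22:27:01 host useradd[1300]: new user: name=svc, UID=1001, GID=1001, home=/home/svc",
]


def demo_integrity():
    """Build a constructed file tree, take a baseline, change it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed placeholder")
        baseline = build_baseline(root)
        # Changes made after the baseline: one edit, one deletion, one new file.
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\nsvc:x:1001:1001::/home/svc:/bin/sh\n")
        (root / "etc" / "hosts").unlink()
        (root / "tmp").mkdir()
        (root / "tmp" / "leftover.txt").write_text("constructed\n")
        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(demo_integrity())
    for name, line in scan_log(SAMPLE_LOG):
        print(f"[{name}] {line}")
```

The integrity check answers the "has an intrusion already occurred" question (what changed since the baseline), while the log rules are the near-real-time side (is something happening now); a production HIDS adds scheduling, alert routing and protection of the baseline itself.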
Although mainstream information-infrastructure designs and implementations give security an important place, without robust verification mechanisms and security controls these applications instead become obvious attack points in the infrastructure, allowing attackers to take complete control of it through application vulnerabilities.
9. Don't trust services
"Service" here refers to any system, platform, interface or function provided externally or internally, and also includes self-developed clients and software acting as clients, such as browsers and FTP upload/download tools.
When delivering an application, we want to make sure its default settings are secure. For example, for applications that ship with an initial password, we need to set a strong initial password and enable a password-expiry mechanism that forces users to change the default password the first time they use it. Another example is the delivery of virtual machine images. When building a virtual machine image, basic security settings should be applied to it, including removing unused system default accounts, setting default passwords, configuring the firewall and trimming the applications started by default. After the image is delivered, users can tune and refine it according to their actual needs to meet business requirements.
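An added Python example (not from the original article) of the secure-default behaviour described for initial passwords: each account is provisioned with a generated strong password and a must-change flag, and a login with that initial password only completes once a compliant new password is supplied. The `AccountStore` class, the policy thresholds and the PBKDF2 parameters are assumptions of this example, not anything the article specifies.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass

# Policy and hashing parameters are assumptions of this example, not the article's.
MIN_PASSWORD_LENGTH = 14
PBKDF2_ROUNDS = 100_000
INITIAL_PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def meets_policy(password):
    """Minimum length plus at least three of four character classes."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= MIN_PASSWORD_LENGTH and sum(classes) >= 3


def generate_initial_password(length=20):
    """Random initial password from the OS CSPRNG, regenerated until it meets policy,
    so no two accounts ever share a default."""
    while True:
        candidate = "".join(secrets.choice(INITIAL_PASSWORD_ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    must_change_password: bool = True  # secure default: set on every new account


class AccountStore:
    """Hypothetical in-memory account store used to show the first-login flow."""

    def __init__(self):
        self.accounts = {}

    def provision(self, username):
        """Create the account with a strong, unique initial password and return that
        password once, for out-of-band delivery to the user."""
        password = generate_initial_password()
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest, must_change_password=True)
        return password

    def login(self, username, password, new_password=None):
        """Return 'denied', 'password_change_required' or 'ok'.
        While the must-change flag is set, the initial password only buys the right
        to set a new compliant password; it never opens a normal session."""
        account = self.accounts.get(username)
        if account is None:
            return "denied"
        _, digest = hash_password(password, account.salt)
        if not hmac.compare_digest(digest, account.digest):
            return "denied"
        if account.must_change_password:
            if new_password is None or new_password == password or not meets_policy(new_password):
                return "password_change_required"
            account.salt, account.digest = hash_password(new_password)
            account.must_change_password = False
        return "ok"


if __name__ == "__main__":
    store = AccountStore()
    initial = store.provision("admin")
    print("first login with initial password:", store.login("admin", initial))
    print("first login with new password:    ", store.login("admin", initial, "Correct-Horse-Battery-9"))
    print("initial password afterwards:      ", store.login("admin", initial))
```

The same idea carries over to the virtual machine image case in the text: the delivered artefact never contains a shared, reusable secret, and whatever credential it does contain is invalidated by the first legitimate use.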
Original site copyright notice
This article was created by [InfoQ]; when reposting, please include the original link. Thank you.
https://yzsam.com/2022/161/202206102226166926.html