Introduction to the basics of network security
2022-07-06 07:09:00 【Dongge it notes】
Our system design and reclamation team is starting a new series of discussions on security-related topics, so I am taking this opportunity to talk about security with you. Today's article covers the basic concepts of IT security and is a general introduction. It looks at why we need IT security, and at which tools and methods can protect us from attack, or at least alert us when we are attacked.
Why IT Security
As society develops, much of our information is stored on servers somewhere on the network: your name, age, bank card number, passwords, medical records, shopping records, web browsing history and so on. From a personal point of view, this data is very important. We hand this information to the relevant companies, and of course we do not want it leaked. From a company's point of view, the data is also very valuable. For example, your browsing history can be analyzed and fed into a recommendation system: search for a refrigerator today, and tomorrow all the ads you see will be recommendations for all kinds of refrigerators. These more targeted recommendations clearly bring the company a lot of benefit. Another example: your medical records may be de-identified by the hospital (removing your name, ID and other information that can identify a person) and sold to analysis and research institutions for data analysis, to better promote the development of the medical system. Doing security well is therefore good for both companies and individuals.
The ultimate goal of security design: CIA
We know security is very important, so how do we judge whether security is good or bad? In other words, what is the ultimate goal of security? We can analyze it in terms of three elements: CIA (Confidentiality, Integrity and Availability).
- Confidentiality: we want our data not to be accessed by unauthorized people. Taking medical records as an example, we clearly do not want them known by anyone we have not authorized. We sometimes hear of celebrities' medical records being made public; that is a breach of confidentiality. There are many ways to achieve confidentiality, such as encryption, access control and steganography; we can discuss these methods separately in the future.
- Integrity: ensuring the reliability and completeness of data, meaning that unauthorized people cannot modify it. Again with medical records: if you are allergic to nuts but someone changes the record to say you are not, this is likely to affect the doctor's judgment and cause serious problems.
- Availability: we can access the data when we want to access it. With the same medical data: if the doctor wants to see your medical records to assist a diagnosis but cannot access them, that clearly will not work either.
Means of compromising CIA
Now that we know the definition of CIA, let's look at the means by which it is compromised. We will discuss three aspects: threats, vulnerabilities and exploits.
- Threats: The US CSRC (Computer Security Resource Center) defines a threat as follows: "Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, other organizations, or the Nation through a system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service." In general, a threat may arise inside the network: for example, an employee who is dissatisfied with the company exposes the company's data, which breaks confidentiality. It may also be a network attack from outside, which is easy to understand: someone tries to obtain information over the Internet. Note that threats are not necessarily intentional. For example, road works outside the data center where you store your data cut all of your optical cables and the entire data center becomes unreachable; in that case availability is broken.
- Vulnerabilities: what we often call loopholes. They are the deficiencies and weaknesses in the security of information assets and of their security measures. A good analogy I heard before is that vulnerabilities are like the windows in your house: they are made of glass, and if attacked they break easily.
- Exploits: using a vulnerability in a program to attack an asset; in many cases the purpose of the attack is to take control of the asset. A vulnerability by itself is not the problem; the real problem is that it will be exploited, and that process is the exploit. With the house above: if someone takes a hammer, breaks the glass and then enters the house to steal or do other things, that process is the exploit.
Ways to reduce damage
Now that we understand the common means of compromising CIA, a common way to reduce the damage is Zero Trust. As the name suggests, Zero Trust means that any person or device, inside or outside the enterprise network, must be authenticated and continuously re-verified before it is granted access to IT systems or services. It was proposed in 2010 by Forrester Research analyst John Kindervag. Its basic idea is not to trust any user or device accessing a resource before authentication and authorization. For example, if you are working remotely, then regardless of whether you have accessed a resource before, you must re-authenticate; otherwise you are not trusted. So how is Zero Trust implemented? Mainly through the following:
- User/Admin Access: this is easy to understand. We need to be able to identify different users and then grant them different access rights. For example, we can use role-based access, where different roles can perform only different operations. We certainly do not want everyone to have admin access, so a basic principle is to grant permission only to the systems that must be accessed. Another scenario is scripts running in the background: sometimes these scripts need permissions, and then you should also control what permissions they have and not grant more than necessary. We can set up a multi-person review mechanism to reduce the chance of granting too much permission.
- Network Access Control: using processes to make sure that users and devices really are what they say they are and that they are permitted access. We authenticate users to confirm that they may access our system, and authenticate devices to make sure that the device has no problems and has not been swapped out. We also need to keep scanning devices to make sure the latest patches are installed. Only then can we grant the least privilege, which is sometimes difficult.
- Network Segmentation: dividing a computer network into smaller parts so that systems and applications are separated from each other. This has many security benefits: even if one small segment is breached, attackers or unauthorized people can only access resources on the same subnet.
- Demilitarized Zone (DMZ): also called an isolation zone. It solves the problem that, once a firewall is installed, the external network cannot access servers on the internal network: a buffer is set up between the insecure system and the secure system. This buffer is a small network area between the enterprise's internal network and the external network, in which you can place the server facilities that must be exposed, such as the enterprise web server, FTP server and forums. A DMZ also protects the internal network more effectively, because compared with an ordinary firewall setup, this deployment puts one more barrier in front of an attacker.
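The four measures above can be combined into a single deny-by-default access decision that is re-evaluated on every request. The Python code below is an added example, not code from the original article; the roles, subnets, flow rules and function names are all assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample policy: every subnet, role and action name is hypothetical.
SEGMENTS = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/16"),
}
# Permitted (source segment, destination segment) flows; anything absent is denied.
# The DMZ is reachable from outside, but nothing in it may reach the internal network.
ALLOWED_FLOWS = {("external", "dmz"), ("internal", "dmz"), ("internal", "internal")}
# Role-based access: each role lists only the actions it must perform.
ROLE_ACTIONS = {
    "doctor": {"records:read"},
    "records-admin": {"records:read", "records:write"},
    "backup-script": {"records:read"},  # background scripts get least privilege too
}

@dataclass
class Request:
    user_authenticated: bool
    role: str
    device_known: bool
    device_patched: bool
    src_ip: str
    dst_ip: str
    action: str

def segment_of(ip: str) -> str:
    """Map an address to its segment; anything unlisted counts as 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"

def decide(req: Request) -> tuple:
    """Return (allowed, reason). No earlier approval is remembered between calls."""
    if not req.user_authenticated:
        return False, "user not authenticated"
    if not (req.device_known and req.device_patched):
        return False, "device failed posture check"
    if req.action not in ROLE_ACTIONS.get(req.role, set()):
        return False, "role lacks permission"
    if (segment_of(req.src_ip), segment_of(req.dst_ip)) not in ALLOWED_FLOWS:
        return False, "flow between segments not allowed"
    return True, "allowed"
```

Because the flow table contains no ("dmz", "internal") entry, a request from a breached DMZ host to an internal server is refused even when the user, device and role checks all pass.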
Summary
This article briefly introduced why we need IT security and its ultimate goal, CIA, along with some of the means by which CIA is compromised and the corresponding preventive measures. It is a simple overall introduction; I hope it gives you a basic picture of network security.