当前位置:网站首页>Thoughts on data security (Reprint)

Thoughts on data security (Reprint)

2022-07-06 06:09:00 Wandering mage 12

** In this paper, from :https://mp.weixin.qq.com/s/enP8MU7eBWaAbjb954JOMQ**

In recent years , The system construction of system security is improving day by day . But data security , I haven't seen a perfect system come out , More about the rules and regulations related to data . It is Achilles' heel , Do it a little bit , So I kneel . In terms of technical ability , It seems to be absent in the direction of data security . The red blue confrontation in the direction of system security is promoting the improvement of the system security system at a visible speed , But data security , It is even difficult for us to define a model of red blue confrontation .

Safe communication q:830709780

Our technology is developing , But it should be applied in data security , Our various technologies seem to be on cotton .

Data security customers
-------

Companies will talk about how to protect customer data , User first .

But if you tear the veil of being responsible for customers , From the perspective of company survival , The most important and basic meaning of data security is legal compliance . Then secrecy . The first one here is to prevent customer data leakage , One is to prevent their own data leakage .

Whether it's the EU GDPR, Or the domestic network security law , Have defined sensitive data , Define penalty clauses for data leakage events .

Refuse to perform the obligation of information network security management , Cause user information to leak , Having one of the following circumstances , It should be recognized as stipulated in Item 2, paragraph 1, article 286-1 of the criminal law “ With serious consequences ”:
( One ) Cause to leak track information 、 Communication content 、 Credit information 、 Property information 500 Above article ;**
( Two ) Causing the disclosure of accommodation information 、 Communication record 、 Health physiological information 、 Other factors such as transaction information may affect people 、 User information for property security **5000 Above article ;**

( 3、 ... and ) Cause the first item to leak 、 User information beyond the second provision 50000 Above article ;

Article 286-1 【 The crime of refusing to perform the obligation of information network security management 】 Network service providers do not comply with the law 、 Information network security management obligations stipulated in administrative regulations , After being ordered by the regulatory authorities to take corrective measures, they refuse to make corrections , Under any of the following circumstances **, To be sentenced to not more than three years in prison 、 Detention or control , Penalty concurrently or only :**

( One ) Causing a large number of illegal information to spread ;

( Two ) Cause user information to leak , Causing serious consequences ;

To completely eliminate any potential threat to data security , Just don't touch any sensitive data . But in fact, this is a huge bullshit . In the age of big data , Data has become a basic factor of production . Do not do any data analysis , The advertisement recommends this kind of business , Personalized business is out of the question .

** In the final analysis, data security is to strike a balance between data availability and data security **.

Data security threat scenarios
--------

The data lifecycle includes collection , transmission , Storage , Use , Share and destroy .

We often encounter the following data leakage scenarios :

1.  Data collection violates laws and regulations , There have been many recently App Notified .Tiktok I was also hammered out by Lao Mei because of the problem of accessing the clipboard .   
2.  Data transmission uses http, Operators are born with these data . Some are used to play advertisements , Some are used for marketing , What's more, it is used for fraud .   
3.  Data is stored on a third-party infrastructure , These data are naturally available to third parties    
4.  There is an unauthorized access vulnerability in the data store  
5.  There are loopholes in data usage , Authentication can be bypassed    
6.  Data users are insiders    
7.  Data sharing to third parties , The third party has any of the above problems    
8.  Incomplete destruction of data storage media

Technical scheme of data security
--------

Here we will not talk about homomorphic encryption , Without talking about differential privacy, these technologies that are difficult for small and medium-sized companies to implement .

Just talk about common data security threat scenarios , What kind of technical system should we establish .

For more sharing, please follow wechat official account : Security info

I personally think ,Gartner The previously mentioned adaptive security architecture for system security direction is also applicable to data security .

Prevent

1.  Set the standard , Do a good job in education . Do a good job in identifying business data , Define privacy data   
2.  Identify data assets    
3.  Around the users of data , Usage mode , Transmission link construction data scenario , It is required to cover the most typical and common business scenarios . for example , The customer service department of many companies can access some sensitive data of users , Used to help users troubleshoot problems . This is a typical scenario . There are also many outsourcing employees in companies who need access to code bases and sensitive business systems , This is also a typical scenario . Or big data analysis and modeling of business intelligence team , Need to access a lot of data , It is also a typical scene . Users have to access their own data when they are logged in , It is also a typical scene .   
4.  Data collection , The data transfer , Data storage is well defined and standardized , Reinforce , Avoid passage http transmission , Avoid direct exposure of the database .  
5.  After building the data scenario , Convergence of data access channels . For example, no employee is allowed to directly check the table , Must pass Web Portal Visit .  
6.  Define qualification review for data sharing , And minimize sharing .   

Detect

Many companies have defined many specifications for data security . But because there is no technical support , These specifications are difficult to check , Can't close the loop . Everyone claims to obey , Lack of technical support , You can only choose to trust him .

How to use technology to check whether it conforms to data security specifications ?

Discover data assets

1.  Scan table structure , Identify sensitive data assets    
2.  Scan the code , Identify sensitive data    

Collection problems found

1.  To move app To scan and detect    

Transmission problems found

1.  Through the flow detection system , Passive identification of sensitive data transmission    
2.  Check through the attack , Actively discover sensitive data transmission channels and problems    

Find problems in use

1.  Conduct vulnerability screening for systems involving the use of sensitive data    
2.  Monitor the behavior of any person who uses data , Identify anomalies    

Storage problems found

1.  Databases with authentication problems   
2.  Sensitive data is stored randomly , On the user's computer , The server , Third party network disk ,github All storage   

Find sharing problems

1.  Strictly review the shared interface , Give priority to sharing data through interfaces , Convergence of shared channels    

Response

The response to data security problems is mainly two problems :

1.  Which data asset , Which hole went out ?   
2.  Who is most likely to get the data out ?   

If all our data queries are interfaced , Then we should be able to make it clear , Which ones are most likely api Leaked the above data . At present, many companies in China are doing api A safe solution . Including omniscient Technology , Scarlett had to wait . This is really a very good entry point .

Then we will try to make it clear , Who got the data out .

For intranet sensitive systems , Screenshot class , Watermarking technology has been relatively mature . Watermark can be built into the picture .

Directly through Web Portal Export sensitive files on , You can also use transparent encryption and decryption technology , Good prevention .

The biggest headache is , Copy the corresponding data , Directly to the third-party platform .

There are several ways to transfer to the third-party platform :

1.  Internal employees open the browser to access the third-party platform , Then post the data . This can be solved through browser plug-ins    
2.  Employees access the third-party platform to transmit data through programming , It's similar to using curl Order or python Conduct http post. At this time, the data leakage prevention software on the host must be used ,hook http Interface api To test .
    
    Or, , Directly hijacking all employees https Traffic . This is the time , If you encounter HSTS Class , It may not load
    
    Of course, there is another way , Build a separate network for sensitive systems . You must be on a specific terminal to access
    
3.  Employees transmit data through instant messaging software . Be similar to QQ WeChat nailing .
    
    This place requires software convergence , Limit the installation of specific software . Of course , There will always be something missing , For example, you can transmit data by learning from powerful countries .
    
    Here I have to mention , In fact, nailing can be considered , Expose the interface , It is up to the enterprise to define the sensitive data transmission strategy . For example, it is required to include some keywords , Nailing fails if it is sent to non employees . Otherwise, at present, enterprises cannot solve the problem of data security with nails .   

The above solutions are all aimed at checking the data plaintext , Once employees encrypt data , And then transmit , All the testing schemes have failed .

Is that as long as employees with authority , After getting the data , Encrypt data , Send it out , We can't find it at all ?

In fact, there are still some solutions .

1.  Identify a large number of data access behaviors    
2.  Provide traceable links for data queries . That is, what data each user accesses , Through what interface    
3.  Identify how users access data .
    
    a. If the user uses Web Portal get data , Then it is necessary to store these data locally , Then encrypt . This place needs to monitor the files that store sensitive data , Identify the operation process . This can be combined with the terminal data leakage prevention software EDR Conduct
    
    b. If the user uses non Web Portal get data , Directly violate the rules           

Predict

We have a way before things happen , I already know whether this event may be happening ?

Here we need Threat Intelligence through the collection of public intelligence , And third-party intelligence analysis and internal data security case, Precipitate a threat intelligence source against yourself , So as to ensure data security case To make predictions

For more sharing, please follow wechat official account : Security info

原网站

版权声明
本文为[Wandering mage 12]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/187/202207060559225744.html