Cyber ​​attacks are powerful, and Microsoft was hit! Five reflections on corporate risk control!

Author | Chen Jun

Planning | Yun Zhao

On March 22, 360 Government and Enterprise Security disclosed the technical features of the Quantum network attack platform used by the US National Security Agency (NSA) against targets in China, and proved that its indiscriminate network attacks can not only hijack page traffic in any corner of the world, but also implement zero-day (0 day) vulnerability exploitation attacks and remotely implant backdoor programs.

The next day, on the 24th, it was revealed online that a Microsoft account was stolen by the hacker group Lapsus$, which obtained limited access rights and claimed to have control of part of the source code.

Even a giant like Microsoft was inevitably affected!

Regarding the intrusion, Microsoft said, "Our cybersecurity response team quickly engaged to remediate the compromised accounts and prevent further activity by the hacker group."

In less than three days, major security news broke out. I believe that the risk control departments of various domestic companies will take a deep breath. Some have already begun to organize security personnel and are ready to roll up their sleeves to carry out inspections and rectifications on their own system security. However, as the saying goes, "sharpening the knife does not delay the chopping of wood." Instead of looking for a needle in a haystack in the existing production environment, we might as well calm down and think from the two dimensions of system development and operation. Combining my previous work experience, I have summarized five major system security practice reference points: development security, system combing, weight classification, risk management, and monitoring response. I hope to help you quickly identify security risks and prevent them before they happen.

Development Security

I believe everyone is familiar with the term DevSecOps. It evolved from the agile development model and aims to "shift left" security to the initial stage of each development sub-cycle as much as possible to help R&D personnel learn about possible threats and vulnerabilities in application code as early as possible. To this end, we can adopt the following four practice models:

Prepare for a rainy day: Split the dependencies between applications to isolate each component, limit future vulnerabilities and threats to a single component, and ensure the continued operation of other components. The typical scenario of this mode is microservice applications.

One-vote denial: Through the construction of code logic and user scenarios, all processes are interrupted when malicious behavior occurs. For example, if a user attempts to perform a cross-site scripting attack when visiting a website, all of his operations and sessions should be directly blocked.

Learning from others’ experience: In a team that lacks security experts, you can use the threat models and control models commonly used in the industry to identify potential risks that application components may face in advance and select the best protection measures.

Continuous flow: Use automated monitoring methods and multiple input parameters to integrate risk assessment of the operating environment and use cases into the entire life cycle of the software service.

In addition, in the construction of software applications, we also need to implement the following aspects:

Set up different user function groups for different application services.

Through encryption and other means, avoid the leakage of any password, passcode, certificate or private key information during the transmission of application data.

Unify the login methods of multiple applications into multi-factor authentication (MFA) + single sign-on (SSO) to achieve automatic matching of user account permissions.

Use mature products to manage keys and promptly detect expired and revoked certificates.

Check program code to promptly identify invalid or outdated dependencies, code libraries, potential memory leaks, dead loops, and code vulnerabilities.

System Comb

Of course, in addition to providing software application services, we also cannot do without the system architecture that carries the application. As the enterprise develops, its IT architecture and platform will present a complex structure. Therefore, we need to sort out the environment and resources used by daily IT services through activities such as drilling the machine room, logging on to equipment, checking lines, testing applications, following business, and visiting users.

Before counting and filling in the specific content, we need to classify and define the items in advance to ensure that the generated list is unified and standardized. In practice, we need to find the tangible hardware devices that store static data, the software applications that process real-time data, the networks that carry dynamic data, the databases that contain structured data, the cloud platforms that store unstructured data, and the file servers and user terminals that are used to continuously read and write data based on the characteristics and status of the data.

To ensure accuracy, we can use the method of "automated tool discovery + manual input + secondary review" to build a comprehensive, complete and intuitive system baseline. This will be our reference standard for subsequent rectification.

Weight classification

After completing the systematic review, we can start from the classic theory of information security and comprehensively consider the impact that various components and data may have on the enterprise when their confidentiality (C), integrity (I) and availability (A) are damaged, and assign corresponding values ​​to the three dimensions accordingly. With the assignment, we can calculate the weight value (V) of the asset based on the following formula:

It is worth noting that we can not only assign values ​​to software and hardware assets, but also assign weight values ​​to data to further clarify which data needs to be encrypted and stored, which data needs to be immediately cleared when in use, which data can only be used internally with restrictions, and which data can be directly opened to the outside world. Of course, precise numbers are often difficult to define, so we can divide them into "top secret, confidential, private, sensitive, and public" levels based on the range of values.

At the same time, in some occasions where confidentiality requirements are extremely strict, we even need to distinguish different security levels for fields in certain structured data tables, key/value (K/V) in unstructured data domains, and meta-information in attribute tags corresponding to a certain medium. Of course, in addition to logically grading data, we also need to use physical labels to clearly identify the confidentiality level of equipment components.

Risk management: Identification and response to operational risks

Some developers may wonder: What are the factors that affect C, I, and A? At this point, we need to identify external threats to components and data in the operating environment, internal weaknesses, and the risks that are formed when they are combined. Generally, we can take the following four steps to identify risks:

1. Collection and identification: Based on past records and industry experience, recruit people with different roles and use methods such as brainstorming, questionnaires, and matrix charts to identify hidden dangers in the existing environment. For example:

(1) Technical aspects: failure and damage of software and hardware media, inherent defects of the application system, deadlock of malicious software, and various denial of service attacks on the network.

(2) Support system level: power outages, water leaks in the computer room, and operator network interruptions, etc.

(3) Human factors: visiting websites that have Trojan horses, various operational errors, and file data being accidentally modified or tampered with.

(4) At the management level: lack of staff awareness, incorrect handling methods, and imperfect rules and regulations.

2. Analysis and evaluation: Use qualitative/quantitative methods to evaluate and rank the discovered risks from three dimensions: degree, scope, and possibility, and then derive a risk level matrix. In practice, we can refer to the following definition criteria to quantify risks:

(1) The extent of the damage – minor, moderate, major, severe, extremely severe, etc.

(2) Scope of impact - the entire enterprise, all external customers, multiple sites, a department, part of the system, a single service, etc.

(3) Likelihood of occurrence – Consider the physical and logical location, fault tolerance, level of protection, and compliance, etc.

3. Response and disposal: We need to choose from common risk reduction, transfer, avoidance, and acceptance disposal methods based on the company's risk preference (i.e. risk acceptance level) and respond accordingly. Among them, we need to pay attention to the following two aspects:

(1) According to the barrel principle, we should pay attention to the consistency of treatment measures to avoid local "shortcomings".

(2) On the basis of distinguishing the risk owners and control implementers, taking into account time, budget and other costs, and flexibly adjusting various management and control strategies.

Monitoring and Response: Minimizing Security Incidents

Currently, many companies are minimizing the negative impact of security incidents on business operations by establishing active monitoring and response mechanisms. For example, the operations team can set up a reliability engineer (SRE) position to monitor the status of key equipment in real time during daily preventive inspections, and promptly discover and locate component failures based on documentation. At the same time, they can also review and track various performance indicators in a remote and centralized manner by deploying open source log and event monitoring tools such as Zabbix.

Next, I will use a cloud business environment as an example to discuss how to implement management and control throughout the entire life cycle of event monitoring and response.

Detection and identification phase: Capture and filter system events from each virtual machine and abnormal network traffic information, and then continuously write the filtered log information into the HBase database, providing important basis for various subsequent correlation analyses and necessary forensics.

Investigation and analysis phase: Use tools to group event types and count event frequencies according to feature codes. At the same time, we can introduce the application performance analysis (APM) module to accurately locate the URL of the application service where the access speed has dropped sharply, or the SQL statement submitted by the user has a delay, so as to locate the root problem more quickly.

Suppression and remediation phase: You can isolate the logical connection between the problematic virtual machine image and other systems and services by pausing it. This will not destroy the evidence on the virtual machine and can prevent the situation from getting worse.

In general, we can refer to the following process to effectively respond to emergencies.

Conclusion

In summary, we have discussed the key points of feasible system security practices from five aspects: development security, system organization, weight classification, risk management, and monitoring response.

Faced with the complex internal and external network environment, we should adhere to the simple concept of "don't have the intention to harm others, but be on guard against others", and actively and proactively comb, inspect and improve the IT system of our company. I believe that as long as each company can make up for the security shortcomings in a timely manner, the overall network security situation of our country will be significantly improved.

About the Author

Julian Chen, editor of 51CTO community, has more than ten years of experience in IT project implementation. He is good at managing internal and external resources and risks, and focuses on spreading network and information security knowledge and experience. He continues to share cutting-edge technologies and new knowledge in the form of blog posts, special topics and translations. He often conducts information security training and lectures online and offline.