ISC2 CyberSecurity Course Notes: Final Chapter, Chapter 5: Security Operations

Chapter 5: Security Operations

Let’s take a more detailed look at the day-to-day, moment-by-moment active use of the security controls and risk mitigation strategies that an organization has in place. We will explore ways to secure the data and the systems they reside on, and how to encourage secure practices among people who interact with the data and systems during their daily duties.

Module 1: Understand Data Security (D5.1)

Hardening is the process of applying secure configurations (to reduce the attack surface) and locking down various hardware, communications systems and software, including the operating system, web server, application server and applications, etc. In this module, we will introduce configuration management practices that will ensure systems are installed and maintained according to industry and organizational security standards.

Manny: It's hard to imagine the sheer volume of data that's flying around the world right now.

Tasha: Right, and information security, as a process and discipline, provides a structure for protecting the value of data. As an organization creates, stores, shares, uses, modifies, archives, and finally destroys that data.

Manny: Writing information down on paper, a whiteboard, or a flash drive, or putting it in a file in the cloud creates data that is a tangible asset. The organization has to protect both the ideas and the data.

Tasha: Yes, and all the copies of it in papers, books, conversation logs, computer files, database records and the network packets which help move that information from one location or user to another.

Manny: Wow, that's an important job.

Tasha: It sure is.

Data Handling

Data itself goes through its own life cycle as users create, use, share and modify it. Many different models of the life of a data item can be found, but they all have some basic operational steps in common. The data security life cycle model is useful because it can align easily with the different roles that people and organizations perform during the evolution of data from creation to destruction (or disposal). It also helps put the different data states of in use, at rest and in motion, into context. Let’s take a closer look.

All ideas, data, information or knowledge can be thought of as going through six major sets of activities throughout its lifetime. Conceptually, these involve:


Create

Creating the knowledge, which is usually tacit knowledge at this point.

Store

Storing or recording it in some fashion (which makes it explicit).

Use

Using the knowledge, which may cause the information to be modified, supplemented or partially deleted.

Share

Sharing the data with other users, whether as a copy or by moving the data from one location to another.

Archive

Archiving the data when it is temporarily not needed.

Destroy

Destroying the data when it is no longer needed.

Narrator: Data handling is very important. Once we receive the asset, that is, the data we need to protect, we need to make sure we know the best practices for handling that data.

First, we need to recognize which assets we need to protect. This is based on the value of the data to the data owner. From there, we look at the risks we face, that is, the possibility that this information could be compromised, destroyed or altered in any way, and the vulnerabilities we need to address. This is the data handling life cycle, from creation, storage, use, sharing and archiving to eventual destruction. And at any point in time, the data faces different risks and there are different practices for handling it. Some of these procedures are dictated by government standards.

For example, in the United States, the Occupational Safety and Health Administration (OSHA) is the federal government agency that protects the well-being of workers. Under the Health Insurance Portability and Accountability Act (HIPAA), medical records need to be kept for 10 years, but under OSHA, if we have a medical record of a workplace injury, that record needs to be kept for more than 30 years, even after the last day of employment at that particular organization. This is a regulatory requirement, and if you are not aware of it or do not comply, you could get into trouble in an audit. So you can see that we have to be very careful when deciding how to handle data, because multiple regulations may apply to a single piece of data.

Also in the United States, there are specific guidelines related to the Payment Card Industry Data Security Standard (PCI DSS) requirements on credit card information and how that information must be securely maintained. In the European Union, the GDPR also has specific requirements for the handling of financial data. To protect data properly, you need to understand all the relevant requirements for the protected data types in each geographic region.

Regulations in many countries and other jurisdictions require certain data protections at every stage of the data life cycle. These govern how data is acquired, processed, stored and ultimately destroyed. And when looking at the data life cycle, we need to stay vigilant and protect the information at every stage, even when it is ready to be legitimately destroyed at the end of its life cycle. In some cases, multiple jurisdictions may impose rules that affect the data we are responsible for protecting. In those cases, we need to understand any and all regulations that affect us.

Some data handling practices include classification and labeling, where you determine the sensitivity of the data, what everyone can use and what needs to be restricted, and label the information accordingly so that your access controls will allow the correct level of access. Retention is how long and where we store the information, which depends on our organization's requirements and perhaps those of regulators. Then there is defensible destruction, which means we have regulatory requirements that support our decision to destroy the data. Destruction can be physical, of a hard drive or a computer chip, or it can be the destruction of digital records, which can be done by a variety of methods. We need to make sure we understand the secure destruction of data, because we often think we can delete data by emptying the virtual trash can. But when we do that, old emails and other data may never actually be deleted. To completely erase data on physical media, you need to degauss it with technical equipment, such as a powerful magnet, to erase data stored on tape and disk media like the hard drives of computers and laptops, floppy disks, reels, cassettes and cartridges. However, an individual with sophisticated equipment may still be able to retrieve that information, at least partially. Therefore, we must make sure we understand the recovery tools available, because if you are subject to regulations, you must follow specific protocols and processes to destroy that information as required so that it can no longer be accessed in any way.

Data Handling Practices

Data itself has value and must be handled appropriately. In this section, we will explore the basics of classifying and labeling data to ensure it is treated and controlled in a manner consistent with the sensitivity of the data. In addition, we will complete the data life cycle by documenting retention requirements and ensuring data that is no longer in use is destroyed.

Classification


Businesses recognize that information has value and others might steal their advantage if the information is not kept confidential, so they classify it. These classifications dictate rules and restrictions about how that information can be used, stored or shared with others. All of this is done to keep the temporary value and importance of that information from leaking away. Classification of data, which asks the question “Is it secret?” determines the labeling, handling and use of all data.

Before any labels can be attached to sets of data that indicate its sensitivity or handling requirements, the potential impact or loss to the organization needs to be assessed. This is our first definition: Classification is the process of recognizing the organizational impacts if the information suffers any security compromises related to its characteristics of confidentiality, integrity and availability. Information is then labeled and handled accordingly.

Classifications are derived from laws, regulations, contract-specified standards or other business expectations. One classification might indicate “minor, may disrupt some processes” while a more extreme one might be “grave, could lead to loss of life or threaten ongoing existence of the organization.” These descriptions should reflect the ways in which the organization has chosen (or been mandated) to characterize and manage risks.

The immediate benefit of classification is that it can lead to more efficient design and implementation of security processes, if we can treat the protection needs for all similarly classified information with the same controls strategy.

Labeling


Security labels are part of implementing controls to protect classified information. It is reasonable to want a simple way of assigning a level of sensitivity to a data asset, such that the higher the level, the greater the presumed harm to the organization, and thus the greater security protection the data asset requires. This spectrum of needs is useful, but it should not be taken to mean that clear and precise boundaries exist between the use of “low sensitivity” and “moderate sensitivity” labeling, for example.

Data Sensitivity Levels and Labels

Unless otherwise mandated, organizations are free to create classification systems that best meet their own needs. In professional practice, it is typically best if the organization has enough classifications to distinguish between sets of assets with differing sensitivity/value, but not so many classifications that the distinction between them is confusing to individuals. Typically, two or three classifications are manageable, and more than four tend to be difficult.

  • Highly restricted: Compromise of data with this sensitivity label could possibly put the organization’s future existence at risk. Compromise could lead to substantial loss of life, injury or property damage, and the litigation and claims that would follow.
  • Moderately restricted: Compromise of data with this sensitivity label could lead to loss of temporary competitive advantage, loss of revenue or disruption of planned investments or activities.
  • Low sensitivity (sometimes called “internal use only”): Compromise of data with this sensitivity label could cause minor disruptions, delays or impacts.
  • Unrestricted public data: As this data is already published, no harm can come from further dissemination or disclosure.

Retention


Information and data should be kept only for as long as it is beneficial, no more and no less. For various types of data, certain industry standards, laws and regulations define retention periods. When such external requirements are not set, it is an organization’s responsibility to define and implement its own data retention policy. Data retention policies are applicable both for hard copies and for electronic data, and no data should be kept beyond its required or useful life. Security professionals should ensure that data destruction is being performed when an asset has reached its retention limit. For the security professional to succeed in this assignment, an accurate inventory must be maintained, including the asset location, retention period requirement, and destruction requirements. Organizations should conduct a periodic review of retained records in order to reduce the volume of information stored and to ensure that only necessary information is preserved.

Records retention policies indicate how long an organization is required to maintain information and assets. Policies should guarantee that:

  • Personnel understand the various retention requirements for data of different types throughout the organization.
  • The organization appropriately documents the retention requirements for each type of information.
  • The systems, processes and individuals of the organization retain information in accordance with the required schedule but no longer.

A common mistake in records retention is applying the longest retention period to all types of information in an organization. This not only wastes storage but also increases risk of data exposure and adds unnecessary “noise” when searching or processing information in search of relevant records. It may also be in violation of externally mandated requirements such as legislation, regulations or contracts (which may result in fines or other judgments). Records and information no longer mandated to be retained should be destroyed in accordance with the policies of the enterprise and any appropriate legal requirements that may need to be considered.
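The retention review described above, as an added example that is not part of the ISC2 course material: each inventory record carries the rules that apply to it, its retention end is the longest of those rules only, and the "longest period everywhere" mistake is shown beside the correct review. Rule names, periods, dates and the inventory are constructed.

```python
"""Periodic retention review over a records inventory.

Added example, not ISC2 course material. Rule names, periods and the
inventory are constructed for illustration. A record's retention end is the
longest period among the rules that apply to THAT record, which is how a
record subject to two regulations (as in the HIPAA/OSHA example) is kept for
the longer one without stretching every other record to the same limit.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed rules: rule name -> days the record must be kept after its
# trigger date (creation, last treatment, end of employment, ...).
RETENTION_RULES: Dict[str, int] = {
    "hypothetical-medical-10y": 365 * 10,
    "hypothetical-injury-30y": 365 * 30,
    "hypothetical-internal-2y": 365 * 2,
}

REVIEW_DATE = date(2024, 1, 1)  # constructed date of this periodic review


@dataclass
class Record:
    asset_id: str
    location: str                  # inventory field: where the asset is held
    trigger_date: date             # when the retention clock started
    rules: List[str] = field(default_factory=list)
    destruction: str = "clear"     # required method: clear / purge / destroy


def retention_end(record: Record) -> Optional[date]:
    """Longest applicable period, or None when no rule covers the record
    (an inventory gap to resolve, not something to silently keep or destroy)."""
    periods = [RETENTION_RULES[r] for r in record.rules if r in RETENTION_RULES]
    if not periods:
        return None
    return record.trigger_date + timedelta(days=max(periods))


def review(inventory: List[Record], today: date) -> Dict[str, List[str]]:
    """Sort records into keep / destroy / no_rule for this review cycle."""
    result: Dict[str, List[str]] = {"keep": [], "destroy": [], "no_rule": []}
    for rec in inventory:
        end = retention_end(rec)
        if end is None:
            result["no_rule"].append(rec.asset_id)
        elif today >= end:
            result["destroy"].append(rec.asset_id)
        else:
            result["keep"].append(rec.asset_id)
    return result


def review_longest_everywhere(inventory: List[Record], today: date) -> Dict[str, List[str]]:
    """The common mistake: the longest period in the whole policy applied to
    every record. Nothing falls due for decades, so storage and exposure grow."""
    longest = timedelta(days=max(RETENTION_RULES.values()))
    result: Dict[str, List[str]] = {"keep": [], "destroy": []}
    for rec in inventory:
        bucket = "destroy" if today >= rec.trigger_date + longest else "keep"
        result[bucket].append(rec.asset_id)
    return result


def sample_inventory() -> List[Record]:
    """Constructed inventory: all records created on the same day in 2010."""
    created = date(2010, 1, 1)
    return [
        Record("R1", "ehr-archive", created, ["hypothetical-medical-10y"]),
        Record("R2", "ehr-archive", created,
               ["hypothetical-medical-10y", "hypothetical-injury-30y"], "destroy"),
        Record("R3", "file-share", created, ["hypothetical-internal-2y"]),
        Record("R4", "file-share", created),  # no rule recorded: a gap
    ]


if __name__ == "__main__":
    print(review(sample_inventory(), REVIEW_DATE))
    print(review_longest_everywhere(sample_inventory(), REVIEW_DATE))
```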

Destruction


Data that might be left on media after deleting is known as remanence and may be a significant security concern. Steps must be taken to reduce the risk that data remanence could compromise sensitive information to an acceptable level. This can be done by one of several means:

  • Clearing the device or system, which usually involves writing multiple patterns of random values throughout all storage media (such as main memory, registers and fixed disks). This is sometimes called “overwriting” or “zeroizing” the system, although writing zeros has the risk that a missed block or storage extent may still contain recoverable, sensitive information after the process is completed.
  • Purging the device or system, which eliminates (or greatly reduces) the chance that residual physical effects from the writing of the original data values may still be recovered, even after the system is cleared. Some magnetic disk storage technologies, for example, can still have residual “ghosts” of data on their surfaces even after being overwritten multiple times. Magnetic media, for example, can often be altered sufficiently to meet security requirements; in more stringent cases, degaussing may not be sufficient.
  • Physical destruction of the device or system is the ultimate remedy to data remanence. Magnetic or optical disks and some flash drive technologies may require being mechanically shredded, chopped or broken up, etched in acid or burned; their remains may be buried in protected landfills, in some cases.

In many routine operational environments, security considerations may accept that clearing a system is sufficient. But when systems elements are to be removed and replaced, either as part of maintenance upgrades or for disposal, purging or destruction may be required to protect sensitive information from being compromised by an attacker.

Logging and Monitoring Security Events

Logging is the primary form of instrumentation that attempts to capture signals generated by events. Events are any actions that take place within the systems environment and cause measurable or observable change in one or more elements or resources within the system. Logging imposes a computational cost but is invaluable when determining accountability. Proper design of logging environments and regular log reviews remain best practices regardless of the type of computer system.

Major controls frameworks emphasize the importance of organizational logging practices. Information that may be relevant to being recorded and reviewed include (but is not limited to):

  • user IDs
  • system activities
  • dates/times of key events (e.g., logon and logoff)
  • device and location identity
  • successful and rejected system and resource access attempts
  • system configuration changes and system protection activation and deactivation events

Logging and monitoring the health of the information environment is essential to identifying inefficient or improperly performing systems, detecting compromises and providing a record of how systems are used. Robust logging practices provide tools to effectively correlate information from diverse systems to fully understand the relationship between one activity and another.

Log reviews are an essential function not only for security assessment and testing but also for identifying security incidents, policy violations, fraudulent activities and operational problems near the time of occurrence. Log reviews support audits – forensic analysis related to internal and external investigations – and provide support for organizational security baselines. Review of historic audit logs can determine if a vulnerability identified in a system has been previously exploited.

It is helpful for an organization to create components of a log management infrastructure and determine how these components interact. This aids in preserving the integrity of log data from accidental or intentional modification or deletion and in maintaining the confidentiality of log data.

Controls are implemented to protect against unauthorized changes to log information. Operational problems with the logging facility are often related to alterations to the messages that are recorded, log files being edited or deleted, and storage capacity of log file media being exceeded. Organizations must maintain adherence to retention policy for logs as prescribed by law, regulations and corporate governance. Since attackers want to hide the evidence of their attack, the organization’s policies and procedures should also address the preservation of original logs. Additionally, the logs contain valuable and sensitive information about the organization. Appropriate measures must be taken to protect the log data from malicious use.
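One way to implement the log-integrity control described above, as an added example that is not from the ISC2 course: each event carries the fields the section lists and is linked to its predecessor by a SHA-256 hash, so an edited or deleted entry fails verification at review time. The events, user IDs and device names are constructed; the last function shows the limitation that chaining alone cannot catch truncation of the tail.

```python
"""Tamper-evident event log with a SHA-256 hash chain.

Added example, not ISC2 course material. Each entry records the fields the
section lists (user ID, timestamp, device and location, activity, outcome)
and links to the previous entry's hash, so an edited or deleted record is
detected at review time. Every event below is constructed sample data.
"""
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # link value carried by the first entry


def entry_hash(prev_hash: str, record: Dict[str, str]) -> str:
    """SHA-256 over the previous link and a canonical JSON form of the record,
    so field order or whitespace differences cannot mask a real change."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append(log: List[dict], record: Dict[str, str]) -> dict:
    """Append a record linked to the current tail of the log."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev_hash": prev_hash,
             "hash": entry_hash(prev_hash, record)}
    log.append(entry)
    return entry


def first_broken_index(log: List[dict]) -> Optional[int]:
    """Index of the first entry whose link or hash fails to verify, or None
    when the chain is intact from the first entry to the tail."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev_hash:
            return i  # a predecessor was removed or reordered
        if entry_hash(prev_hash, entry["record"]) != entry["hash"]:
            return i  # the record content was altered after logging
        prev_hash = entry["hash"]
    return None


def sample_log() -> List[dict]:
    """Constructed events: a logon, a rejected resource access and a
    protection deactivation, the kinds of events the section says to log."""
    log: List[dict] = []
    append(log, {"ts": "2024-03-01T08:02:11Z", "user": "u1042", "device": "ws-017",
                 "location": "HQ-2F", "activity": "logon", "outcome": "success"})
    append(log, {"ts": "2024-03-01T08:05:43Z", "user": "u1042", "device": "ws-017",
                 "location": "HQ-2F", "activity": "read /finance/payroll.xlsx",
                 "outcome": "rejected"})
    append(log, {"ts": "2024-03-01T08:09:30Z", "user": "svc-backup", "device": "srv-03",
                 "location": "DC-1", "activity": "host firewall disabled",
                 "outcome": "success"})
    return log


def tampered_edit() -> Optional[int]:
    """Rewriting the rejected access as a success breaks the chain at index 1."""
    log = sample_log()
    log[1]["record"]["outcome"] = "success"
    return first_broken_index(log)


def tampered_delete() -> Optional[int]:
    """Deleting the middle entry leaves a link mismatch at index 1."""
    log = sample_log()
    del log[1]
    return first_broken_index(log)


def truncated_tail() -> Optional[int]:
    """Limitation: dropping the LAST entry leaves a chain that still verifies.
    Catching truncation needs the current head hash (or an entry count) kept
    on a separate system, which is what preserving original logs requires."""
    log = sample_log()
    del log[-1]
    return first_broken_index(log)
```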

[Figure: events]

[Figure: event details]

[Figure: raw data]

Data Security Event Example

Here is a data security event example. It’s a raw log, and it is one way to see if someone tried to break into a secure file and hijack the server. Of course, there are other systems now that are a little more user-friendly. But security engineers get very familiar with some of these codes and can figure out exactly who was trying to log it, was it a secure port or a questionable port that they were trying to use to penetrate our site.

Information security is not something that you just plug in as needed. You can have some patching on a system that already exists, such as updates, but if you don’t have a secure system, you can’t just plug in something to protect it. From the very beginning, we need to plan for that security, even before the data is introduced into the network.


Event Logging Best Practices

Different tools are used depending on whether the risk from the attack is from traffic coming into or leaving the infrastructure. Ingress monitoring refers to surveillance and assessment of all inbound communications traffic and access attempts. Devices and tools that offer logging and alerting opportunities for ingress monitoring include:

  • Firewalls
  • Gateways
  • Remote authentication servers
  • IDS/IPS tools
  • SIEM solutions
  • Anti-malware solutions

Egress monitoring is used to regulate data leaving the organization’s IT environment. The term currently used in conjunction with this effort is data loss prevention (DLP) or data leak protection. The DLP solution should be deployed so that it can inspect all forms of data leaving the organization, including:

  • Email (content and attachments)
  • Copy to portable media
  • File Transfer Protocol (FTP)
  • Posting to web pages/websites
  • Applications/application programming interfaces (APIs)

Encryption Overview

Almost every action we take in our modern digital world involves cryptography. Encryption protects our personal and business transactions; digitally signed software updates verify their creator’s or supplier’s claim to authenticity. Digitally signed contracts, binding on all parties, are routinely exchanged via email without fear of being repudiated later by the sender.

Cryptography is used to protect information by keeping its meaning or content secret and making it unintelligible to someone who does not have a way to decrypt (unlock) that protected information. The objective of every encryption system is to transform an original set of data, called the plaintext, into an otherwise unintelligible encrypted form, called the ciphertext.

Properly used, singly or in combination, cryptographic solutions provide a range of services that can help achieve required systems security postures in many ways:

  • Confidentiality: Cryptography provides confidentiality by hiding or obscuring a message so that it cannot be understood by anyone except the intended recipient. Confidentiality keeps information secret from those who are not authorized to have it.
  • Integrity: hash functions and digital signatures can provide integrity services that allow a recipient to verify that a message has not been altered by malice or error. These include simple message integrity controls. Any changes, deliberate or accidental, will result in the two results (by sender and by recipient) being different.


An encryption system is the set of hardware, software, algorithms, control parameters and operational methods that provide a set of encryption services.

Plaintext is the data or message in its normal, unencrypted form and format. Its meaning or value to an end user (a person or a process) is immediately available for use.

Plaintext can be:

    • image, audio or video files in their raw or compressed forms
    • human-readable text and numeric data, with or without markup language elements for formatting and metadata
    • database files or records and fields within a database
    • or anything else that can be represented in digital form for computer processing, transmission and storage

It is important to remember that plaintext can be anything—much of which is not readable to humans in the first place.

Symmetric Encryption

The central characteristic of a symmetric algorithm is that it uses the same key in both the encryption and the decryption processes. It could be said that the decryption process is just a mirror image of the encryption process. This image displays how symmetric algorithms work.

The same key is used for both the encryption and decryption processes. This means that the two parties communicating need to share knowledge of the same key. This type of algorithm protects data, as a person who does not have the correct key would not be able to read the encrypted message. Because the key is shared, however, this can lead to several other challenges:

  • If two parties suspect a specific communication path between them is compromised, they obviously can’t share key material along that path. Someone who has compromised communications between the parties would also intercept the key.

  • Distribution of the key is difficult, because the key cannot be sent in the same channel as the encrypted message, or the man-in-the-middle (MITM) would have access to the key. Sending the key through a different channel (band) than the encrypted message is called out-of-band key distribution. Examples of out-of-band key distribution would include sending the key via courier, fax or phone.

  • Any party with knowledge of the key can access (and therefore change) the message.

  • Each individual or group of people wishing to communicate would need to use a different key for each individual or group they want to connect with. This raises the challenge of scalability — the number of keys needed grows quickly as the number of different users or groups increases. Under this type of symmetric arrangement, an organization of 1,000 employees would need to manage 499,500 keys if every employee wanted to communicate confidentially with every other employee.


Primary uses of symmetric algorithms:

  • Encrypting bulk data (backups, hard drives, portable media)
  • Encrypting messages traversing communications channels (IPsec, TLS)
  • Streaming large-scale, time-sensitive data (audio/video materials, gaming, etc.)

Other names for symmetric algorithms, which you may encounter, include:

  • Same key
  • Single key
  • Shared key
  • Secret key
  • Session key

An example of symmetric encryption is a substitution cipher, which involves the simple process of substituting letters for other letters, or more appropriately, substituting bits for other bits, based upon a cryptovariable. These ciphers involve replacing each letter of the plaintext with another that may be further down the alphabet.

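The substitution cipher just described, as an added example that is not from the ISC2 course: letters are shifted down the alphabet by a cryptovariable, bits are XORed with a key, and in both cases decryption is the mirror image of encryption under the same key; the key-count helpers reproduce the 499,500 and 200,000 figures from the scalability discussion. The plaintext and keys are constructed.

```python
"""Symmetric encryption in miniature: a keyed substitution cipher and the
key-count arithmetic behind the scalability problem.

Added example, not ISC2 course material. The cryptovariable for letters is a
shift down the alphabet; for bits it is a key byte string XORed in. In both
cases decryption is the mirror image of encryption with the same key. The
sample plaintext and keys are constructed.
"""
import string

ALPHABET = string.ascii_uppercase


def substitute(text: str, key: int, decrypt: bool = False) -> str:
    """Replace each letter with the one `key` positions further down the
    alphabet (wrapping at Z); decrypting shifts back by the same amount.
    Characters outside the alphabet pass through unchanged."""
    shift = -key if decrypt else key
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % len(ALPHABET)])
        else:
            out.append(ch)
    return "".join(out)


def encrypt_letters(plaintext: str, key: int) -> str:
    return substitute(plaintext, key)


def decrypt_letters(ciphertext: str, key: int) -> str:
    return substitute(ciphertext, key, decrypt=True)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Bit-level substitution: XOR with a repeating key. Applying the same key
    twice restores the input, so one function serves both directions. A key
    shorter than the data is reused and therefore weak; a random key as long
    as the data and never reused is the one-time pad case."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def symmetric_keys_needed(parties: int) -> int:
    """One shared secret per communicating pair: n(n-1)/2."""
    return parties * (parties - 1) // 2


def asymmetric_keys_needed(parties: int) -> int:
    """One key pair per party: 2n, for comparison with the symmetric count."""
    return 2 * parties


if __name__ == "__main__":
    shared_key = 3  # constructed cryptovariable known to both parties
    ct = encrypt_letters("Meet at noon", shared_key)
    print(ct, "->", decrypt_letters(ct, shared_key))
    print(symmetric_keys_needed(1000), asymmetric_keys_needed(100000))
```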

Asymmetric Encryption

Asymmetric encryption uses one key to encrypt and a different key to decrypt the input plaintext. This is in stark contrast to symmetric encryption, which uses the same key to encrypt and decrypt. For most security professionals, the math of asymmetric encryption can be left to the cryptanalysts and cryptographers to know.

A user wishing to communicate using an asymmetric algorithm would first generate a key pair. To ensure the strength of the key generation process, this is usually done by the cryptographic application or the public key infrastructure (PKI) implementation without user involvement. One half of the key pair is kept secret; only the key holder knows that key. This is why it is called the private key. The other half of the key pair can be given freely to anyone who wants a copy. In many companies, it may be available through the corporate website or access to a key server. Therefore, this second half of the key pair is referred to as the public key.

Note that anyone can encrypt something using the recipient’s public key, but only the recipient —with their private key—can decrypt it.

Asymmetric key cryptography solves the problem of key distribution by allowing a message to be sent across an untrusted medium in a secure manner without the overhead of prior key exchange or key material distribution. It also allows for several other features not readily available in symmetric cryptography, such as the non-repudiation of origin and delivery, access control and data integrity.

Asymmetric key cryptography also solves the problem of scalability. It does scale well as numbers increase, as each party only requires a key pair, the private and public keys. An organization with 100,000 employees would only need a total of 200,000 keys (one private and one public for each employee). This is less than half of the number of keys that would be required for symmetric encryption.

The problem, however, has been that asymmetric cryptography is extremely slow compared with its symmetric counterpart. Asymmetric cryptography is impractical for everyday use in encrypting large amounts of data or for frequent transactions where speed is required. This is because asymmetric key cryptography is handling much larger keys and is mathematically intensive, thereby reducing the speed significantly.

Let’s look at an example that illustrates the use of asymmetric cryptography to achieve different security attributes.

The two keys (private and public) are a key pair; they must be used together. This means that any message that is encrypted with a public key can only be decrypted with the corresponding other half of the key pair, the private key. Similarly, signing a message with a sender’s private key can only be verified by the recipient decrypting its signature with the sender’s public key. Therefore, as long as the key holder keeps the private key secure, there exists a method of transmitting a message confidentially. The sender would encrypt the message with the public key of the receiver. Only the receiver with the private key would be able to open or read the message, providing confidentiality.
两个密钥(私有和公共)是一个密钥对;它们必须一起使用。这意味着任何用公钥加密的消息只能用密钥对的另一半私钥解密。类似地,用发送者的私钥签名消息只能通过接收者用发送者的公钥解密其签名来验证。因此,只要密钥保持器保持私钥安全,就存在一种保密地传输消息的方法。发送方将用接收方的公钥加密消息。只有拥有私钥的接收者才能打开或读取消息,从而提供机密性。

This image shows how asymmetric encryption can be used to send a confidential message across an untrusted channel.
此图显示了如何使用非对称加密通过不受信任的通道发送机密邮件。


Narrator: Examples of encryption have existed throughout human history, from the mysterious depictions left by early cave dwellers in the Magura Cave in Bulgaria to the pyramids of Giza. Even then, each tribe had its own primitive method of cryptography, so that members of a tribe could communicate with one another while keeping knowledge of hunting grounds or sources of water and food secret from hostile tribes.

Encrypting information is part of human nature. You start with plaintext, information that you and I can easily read, and then you use an algorithm, which is usually a form of software that can be embedded in a system. But it needs to be activated with an encryption key. A very simple example is if you try to encrypt a PDF document; for instance, your accountant might send you some documents to sign before you file your taxes. The encryption creates a ciphertext that nobody can use, and you and your accountant will have set up a pre-arranged encryption key so that you can retrieve the information at either end of the communication. You need good key management, which means you protect the information, because imagine if you had thousands of keys in a business environment. Usually there is a third party or an external server that stores and manages the keys separately, so that you do not put all your eggs in one basket, so to speak. They will be protected through a hashing system, which we will explore later, and other people cannot access those keys.

Asymmetric encryption is more secure because the sender and the receiver each use a unique code, usually a certificate, so you can confirm that the information was sent from the sender to the receiver in a secure manner.

Hashing 散列

Hashing takes an input set of data (of almost arbitrary size) and returns a fixed-length result called the hash value. A hash function is the algorithm used to perform this transformation. When used with cryptographically strong hash algorithms, this is the most common method of ensuring message integrity today.
散列采用一组输入数据(几乎任意大小),并返回一个固定长度的结果,称为散列值。散列函数是用于执行此转换的算法。当与加密的强哈希算法一起使用时,这是当今确保消息完整性的最常用方法。

Hashes have many uses in computing and security, one of which is to create a message digest by applying such a hash function to the plaintext body of a message. 
散列在计算和安全中有许多用途,其中之一是通过将这样的散列函数应用于消息的明文正文来创建消息摘要。

To be useful and secure, a cryptographic hash function must demonstrate five main properties: 
为了安全和有用,加密哈希函数必须具备五个主要属性:

  • Useful: It is easy to compute the hash value for any given message.
    有用:很容易计算任何给定消息的哈希值。
  • Nonreversible: It is computationally infeasible to reverse the hash process or otherwise derive the original plaintext of a message from its hash value (unlike an encryption process, for which there must be a corresponding decryption process).
    不可逆:反向散列过程或以其他方式从其散列值导出消息的原始明文在计算上是不可行的(与加密过程不同,加密过程必须有对应的解密过程)。
  • Content integrity assurance: It is computationally infeasible to modify a message such that re-applying the hash function will produce the original hash value. 
    内容完整性保证:修改消息以使重新应用哈希函数将产生原始哈希值在计算上是不可行的。
  • Unique: It is computationally infeasible to find two or more different, sensible messages that hash to the same value.
    Unique:在计算上不可能找到两个或多个不同的、合理的、散列为相同值的消息。
  • Deterministic: The same input will always generate the same hash, when using the same hashing algorithm.
    确定性:当使用相同的哈希算法时,相同的输入将始终生成相同的哈希。

Cryptographic hash functions have many applications in information security, including digital signatures, message authentication codes and other forms of authentication. They can also be used for fingerprinting, to detect duplicate data or uniquely identify files, and as checksums to detect accidental data corruption. The operation of a hashing algorithm is demonstrated in this image.
密码散列函数在信息安全中有许多应用,包括数字签名、消息认证码和其他形式的认证。它们还可以用于指纹识别,以检测重复数据或唯一标识文件,并作为校验和来检测意外的数据损坏。散列算法的操作在此图像中演示。

This is an example of a simple hashing function. The originator wants to send a message to the receiver and ensure that the message is not altered by noise or lost packets as it is transmitted. The originator runs the message through a hashing algorithm that generates a hash, or a digest of the message. The digest is appended to the message and sent together with the message to the recipient. Once the message is delivered, the receiver will generate their own digest of the received message (using the same hashing algorithm). The digest of the received message is compared with the digest sent by the originator. If the digests are the same, the received message is the same as the sent message.
这是一个简单的哈希函数的例子。发起方希望向接收方发送消息,并确保消息在传输时不会被噪声或丢失的数据包改变。发起者通过哈希算法运行消息,该算法生成消息的哈希或摘要。 摘要被附加到消息中,并与消息一起发送给接收者。一旦消息被传递,接收者将生成他们自己的接收消息的摘要(使用相同的散列算法)。将接收到的消息的摘要与始发者发送的摘要进行比较。如果摘要相同,则接收的消息与发送的消息相同。

The problem with a simple hash function like this is that it does not protect against a malicious attacker that would be able to change both the message and the hash/digest by intercepting it in transit. The general idea of a cryptographic hash function can be summarized with the following formula:
像这样的简单散列函数的问题是,它不能防止恶意攻击者通过拦截传输中的消息来改变消息和散列/摘要。加密散列函数的一般思想可以用以下公式总结:

variable data input + hashing algorithm
变量数据输入+哈希算法

= fixed bit size data output (the digest)
=固定位大小数据输出(摘要)


As seen in this image, even the slightest change in the input message results in a completely different hash value.
如图所示,即使输入消息中最微小的变化也会导致完全不同的哈希值。

Hash functions are very sensitive to any changes in the message. Because the size of the hash digest does not vary according to the size of the message, a person cannot tell the size of the message based on the digest.
哈希函数对消息中的任何变化都非常敏感。因为散列摘要的大小不会根据消息的大小而变化,所以人们无法根据摘要来判断消息的大小。
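The transmission flow described above (originator appends a digest, recipient recomputes it), the avalanche effect, the rent example further down, and the weakness of a plain digest against an interceptor who rewrites both message and digest, worked through in Python. This is an added example, not code from the course; the sample messages and the shared key are constructed, and a keyed digest (HMAC-SHA256, one of the message authentication codes the text mentions) is shown as the fix for the interception case.

```python
import hashlib
import hmac

# Constructed sample messages for this example (not from the course text).
ORIGINAL = b"Automatic withdrawal: rent $5,000 on the 1st of each month"
TAMPERED = b"Automatic withdrawal: rent $50,000 on the 1st of each month"


def digest(message: bytes) -> str:
    """Fixed-length SHA-256 digest (64 hex chars) of an input of any size."""
    return hashlib.sha256(message).hexdigest()


def send_with_digest(message: bytes):
    """Originator side: the digest is appended to and sent with the message."""
    return message, digest(message)


def receive_and_check(message: bytes, received_digest: str) -> bool:
    """Recipient side: recompute the digest of what arrived and compare."""
    return hmac.compare_digest(digest(message), received_digest)


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Number of bit positions in which two digests differ (avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def mac_tag(key: bytes, message: bytes) -> str:
    """Keyed digest (HMAC-SHA256): only a holder of the key can produce it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def receive_and_check_mac(key: bytes, message: bytes, received_tag: str) -> bool:
    """Recipient side with a shared key: recompute the tag and compare."""
    return hmac.compare_digest(mac_tag(key, message), received_tag)


def noise_detected() -> bool:
    """Accidental corruption in transit: one byte damaged, digest unchanged."""
    message, d = send_with_digest(ORIGINAL)
    corrupted = message[:-1] + b"?"  # last byte damaged by noise
    return not receive_and_check(corrupted, d)


def active_tamper_detected_by_hash() -> bool:
    """An interceptor rewrites the message AND recomputes the plain digest."""
    # No key is involved, so the recomputed digest verifies: a plain hash
    # alone does not detect this and the $50,000 message is accepted.
    return not receive_and_check(TAMPERED, digest(TAMPERED))


def active_tamper_detected_by_mac(key: bytes) -> bool:
    """Same interception against an HMAC: the interceptor lacks the key."""
    tag = mac_tag(key, ORIGINAL)
    # Reusing the old tag or attaching an unkeyed hash of the new message
    # both fail, because neither equals HMAC(key, TAMPERED).
    reused_tag_ok = receive_and_check_mac(key, TAMPERED, tag)
    unkeyed_ok = receive_and_check_mac(key, TAMPERED, digest(TAMPERED))
    return not (reused_tag_ok or unkeyed_ok)


if __name__ == "__main__":
    print("digest of original:", digest(ORIGINAL))
    print("digest of tampered:", digest(TAMPERED))
    print("bits that differ  :", differing_bits(digest(ORIGINAL), digest(TAMPERED)), "of 256")
    print("noise detected    :", noise_detected())
    print("tamper detected (plain hash):", active_tamper_detected_by_hash())
    print("tamper detected (HMAC)      :", active_tamper_detected_by_mac(b"shared-secret"))
```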


Hashing puts data through a hash function or algorithm to create an alphanumeric set of figures, or a digest, that means nothing to people who might view it. No matter how long the input is, the hash digest will be the same number of characters. Any minor change in the input, a misspelling, or upper case or lower case, will create a completely different hash digest. So you can use the hash digest to confirm that the input exactly matches what is expected or required, for instance, a password.
哈希将数据通过哈希函数或算法来创建数字的字母数字集或摘要,这对可能查看它的人来说没有任何意义。无论输入有多长,哈希摘要的字符数都是相同的。输入中的任何微小变化,拼写错误,大写或小写,都会创建一个完全不同的哈希摘要。因此,您可以使用哈希摘要来确认输入是否与预期或要求的内容(例如密码)完全匹配。

For example, we pay our rent through automatic withdrawal, and it’s $5,000 a month. Perhaps someone at the bank or at the rental office thinks they can just change it to $50,000 and keep the extra money. They think no one will notice if they just add another zero to the number. However, that change will completely change the digest. Since the digest is different, it will indicate that someone corrupted the information by changing the value of the automatic withdrawal, and it will not go through. Hashing is an extra layer of defense.
例如,我们通过自动提款支付租金,每月5,000美元。也许银行或租赁办公室的人认为他们可以把它换成5万美元,并保留多余的钱。他们认为如果他们只是在数字上再加一个零,没有人会注意到。然而,这种变化将完全改变文摘。由于摘要不同,它将表明有人通过更改自动取款的值来破坏信息,它将不会通过。哈希是一个额外的防御层。

Before we go live with a software product provided by a third party, for instance, we have to make sure no one has changed anything since it was tested by you and the programmer. They will usually send you the digest of their code and you compare that to the original. This is also known as a Checksum. If you see a discrepancy, that means something has changed. Then the security coders will compare the original one and the new one, and sometimes it’s very tedious, but they have software that can do it for them. If it’s something a little more intricate, they may need to go line by line and find out where the bugs are or if some lines need to be fixed. Often these problems are not intentional; they sneak in when you are making final adjustments to the software.
例如,在我们使用第三方提供的软件产品之前,我们必须确保自您和程序员测试以来没有人更改任何内容。他们通常会给你发送他们代码的摘要,你可以将其与原始代码进行比较。这也称为校验和。如果你看到了差异,那就意味着有些事情发生了变化。然后安全编码人员会比较原来的和新的,有时这是非常繁琐的,但他们有软件可以为他们做。如果是一些更复杂的东西,他们可能需要逐行检查,找出bug在哪里,或者是否需要修复某些行。通常这些问题不是有意的;当你对软件进行最后的调整时,它们会偷偷地进来。

An incident occurred at the University of Florida many years ago, where a very reputable software source, Windows 2000 or Millennium, was provided to 50,000 students via CD-ROMs, and the copies were compromised. The problems were detected when the digests did not match on a distribution file.
许多年前,佛罗里达大学发生了一个事件,一个非常有信誉的软件源,Windows 2000或Millennium,通过CD-ROM提供给50,000名学生,副本受到损害。当分发文件上的摘要不匹配时检测到问题。

How Passwords Work

Usually your password will be stored as a fixed hash value, or digest, so that the system can tell whether your password matches without the password itself being visible.

A more secure password with alphanumeric and special characters will generate a different kind of hash digest. However, that kind of password management system is outdated. Usually, for security reasons, you will be asked to generate a new password with a minimum number of characters, and the software behind it recognizes the hash function and tells you whether the password is secure enough to use, or it prompts you to create a better one.

An attacker can use password hashes to "guess" your password offline. If an attacker can copy the (usually hashed) password file from a compromised workstation or server, and they know the algorithm used to hash the passwords, they can use a computer to try random sequences of letter and number combinations to try to match a known password hash.
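How a system stores and checks a password as a digest rather than in the clear, and why the outdated single fast hash is weaker than a salted, deliberately slow one against the offline guessing just described, as an added example (not the course's code). It assumes a record format of my own, `pbkdf2_sha256$iterations$salt$hash`, a constructed deny list of common passwords, and Python's standard-library PBKDF2.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # work factor; raise it over time as hardware gets faster

# Constructed deny list for the policy check (example only, not a real breach list).
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein"}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record: 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A fresh random salt per user means two users with the same password get
    different records, so one precomputed table cannot serve every account,
    and the iteration count makes each guess cost real CPU time.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algorithm}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison: reveals nothing about where the digests differ.
    return hmac.compare_digest(dk.hex(), hash_hex)


def unsalted_hash(password: str) -> str:
    """The outdated scheme the text describes: one fast hash, no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def password_acceptable(password: str, min_length: int = 12) -> bool:
    """Policy check run at password creation: minimum length plus a deny list."""
    return len(password) >= min_length and password.lower() not in COMMON_PASSWORDS


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong  :", verify_password("correct horse battery stable", record))
    # Two users, same password: unsalted digests collide, salted records do not.
    print("unsalted equal:", unsalted_hash("Spring2024!") == unsalted_hash("Spring2024!"))
    print("salted equal  :", hash_password("Spring2024!") == hash_password("Spring2024!"))
```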

模块2:了解系统强化(D5.2)

Module 2: Understand System Hardening (D5.2)

Manny: With so much data to handle and so many different software applications to deal with, how do companies keep track of all that data?

Tasha: It's a challenge, and that's why we need configuration management. It's part of cybersecurity because it protects the confidentiality, integrity and availability of data by ensuring that only authorized and validated changes are made to systems. Every change also needs to be tested to make sure it doesn't cause any disruption to any other part of the system.

Manny: I can relate. It seems like every time we upgrade our computer system at the high school, something else stops working.

Tasha: Let's see how cybersecurity professionals prevent that from happening.

Configuration Management Overview 配置管理概述

Configuration management is a process and discipline used to ensure that the only changes made to a system are those that have been authorized and validated. It is both a decision-making process and a set of control processes. If we look closer at this definition, the basic configuration management process includes components such as identification, baselines, updates and patches.
配置管理是一个过程和规程,用于确保对系统所做的唯一更改是那些已授权和验证的更改。它既是一个决策过程,也是一套控制过程。如果我们仔细研究这个定义,基本的配置管理过程包括识别、基线、更新和补丁等组件。


Identification 标识

Baseline identification of a system and all its components, interfaces and documentation.
系统及其所有组件、接口和文件的基线识别。

Baseline 基线

A security baseline is a minimum level of protection that can be used as a reference point. Baselines provide a way to ensure that updates to technology and architectures are subjected to the minimum understood and acceptable level of security requirements.
安全基线是可用作参考点的最低保护级别。基线提供了一种方法来确保对技术和体系结构的更新受到最低的理解和可接受的安全需求级别的约束。

Change Control 变更控制

An update process for requesting changes to a baseline, by means of making changes to one or more components in that baseline. A review and approval process for all changes. This includes updates and patches.
通过对基线中的一个或多个组件进行更改来请求对基线进行更改的更新过程。所有变更的审查和批准流程。这包括更新和补丁。

Verification and Audit 验证和审计

A regression and validation process, which may involve testing and analysis, to verify that nothing in the system was broken by a newly applied set of changes. An audit process can validate that the currently in-use baseline matches the sum total of its initial baseline plus all approved changes applied in sequence.
回归和验证过程,可能涉及测试和分析,以验证系统中没有任何东西被新应用的更改集破坏。 审核过程可以验证当前使用的基线是否与其初始基线加上按顺序应用的所有已批准变更的总和相匹配。

Effective use of configuration management gives systems owners, operators, support teams and security professionals another important set of tools they can use to monitor and oversee the configuration of the devices, networks, applications and projects of the organization. An organization may mandate the configuration of equipment through standards and baselines. The use of standards and baselines can ensure that network devices, software, hardware and endpoint devices are configured in a consistent way and that all such devices are compliant with the security baseline established for the organization. If a device is found that is not compliant with the security baseline, it may be disabled or isolated into a quarantine area until it can be checked and updated.
配置管理的有效使用为系统所有者、操作员、支持团队和安全专业人员提供了另一套重要的工具,他们可以使用这些工具来监控和监督组织的设备、网络、应用程序和项目的配置。组织可以通过标准和基线来强制配置设备。  使用标准和基线可以确保以一致的方式配置网络设备、软件、硬件和端点设备,并且所有这些设备都符合为组织建立的安全基线。  如果发现不符合安全基线的设备,则可以将其禁用或隔离到隔离区域中,直到可以对其进行检查和更新。
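The audit step described above, checking that the in-use baseline equals the initial baseline plus every approved change applied in sequence, and the quarantine decision for hosts that drift, as an added example (not the course's code). The initial baseline, the RFC ids, the setting names and the two hosts' live configurations are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A baseline is simply the set of required settings and their required values.
Config = Dict[str, str]


@dataclass(frozen=True)
class Change:
    """One request for change (RFC) against the baseline. Ids are constructed."""
    rfc_id: str
    setting: str
    new_value: str
    approved: bool


# Constructed initial baseline for one server class (example values only).
INITIAL_BASELINE: Config = {
    "sshd.PasswordAuthentication": "no",
    "sshd.PermitRootLogin": "no",
    "firewall.default_inbound": "deny",
    "ntp.server": "time.corp.example",
    "audit.enabled": "yes",
}

# Change history in the order the RFCs were decided. Only approved ones count.
CHANGE_HISTORY: List[Change] = [
    Change("RFC-0001", "ntp.server", "time2.corp.example", approved=True),
    Change("RFC-0002", "sshd.PermitRootLogin", "yes", approved=False),  # rejected
    Change("RFC-0003", "firewall.default_inbound", "deny", approved=True),  # no-op
]


def expected_baseline(initial: Config, history: List[Change]) -> Config:
    """Initial baseline plus all approved changes applied in sequence."""
    state = dict(initial)
    for change in history:
        if change.approved:
            state[change.setting] = change.new_value
    return state


def audit(expected: Config, live: Config) -> List[Tuple[str, str, str]]:
    """Findings as (setting, expected, actual); an empty list means compliant.

    A setting missing on the live host and a setting the baseline does not
    define both count as drift, so unexpected extra settings are reported too.
    """
    findings = []
    for key in sorted(set(expected) | set(live)):
        exp = expected.get(key, "<absent>")
        act = live.get(key, "<absent>")
        if exp != act:
            findings.append((key, exp, act))
    return findings


def classify_fleet(expected: Config, fleet: Dict[str, Config]) -> Dict[str, str]:
    """Hosts that drift from the baseline are flagged for quarantine."""
    return {host: ("compliant" if not audit(expected, cfg) else "quarantine")
            for host, cfg in fleet.items()}


# Constructed live configurations as collected from two hosts.
FLEET: Dict[str, Config] = {
    "web-01": {
        "sshd.PasswordAuthentication": "no",
        "sshd.PermitRootLogin": "no",
        "firewall.default_inbound": "deny",
        "ntp.server": "time2.corp.example",
        "audit.enabled": "yes",
    },
    "web-02": {  # rejected RFC-0002 was applied anyway, and auditing is missing
        "sshd.PasswordAuthentication": "no",
        "sshd.PermitRootLogin": "yes",
        "firewall.default_inbound": "deny",
        "ntp.server": "time2.corp.example",
    },
}


if __name__ == "__main__":
    expected = expected_baseline(INITIAL_BASELINE, CHANGE_HISTORY)
    for host, cfg in FLEET.items():
        print(host, audit(expected, cfg))
    print(classify_fleet(expected, FLEET))
```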

Inventory 清单

Making an inventory, catalog or registry of all the information assets that the organization is aware of (whether they already exist, or there’s a wish list or need to create or acquire them) is the first step in any asset management process. It requires that we locate and identify all assets of interest, including (and especially) the information assets:
对组织所知道的所有信息资产(无论它们是否已经存在,或者是否有愿望清单或需要创建或获取它们)进行清单,目录或注册表是任何资产管理流程的第一步。它要求我们找到并识别所有感兴趣的资产,包括(尤其是)信息资产:

You can’t protect what you don’t know you have.
你无法保护你不知道你拥有的东西。

It becomes even more challenging to keep that inventory, and its health and status with respect to updates and patches, consistent and current, day in and day out. It is, in fact, quite challenging to identify every physical host and endpoint, let alone gather the data from them all.
日复一日地保持该库存及其与更新和补丁有关的健康状况和状态一致且最新变得更加具有挑战性。事实上,识别每个物理主机和端点都是相当具有挑战性的,更不用说从所有物理主机和端点收集数据了。

Baselines 基线

A commercial software product, for example, might have thousands of individual modules, processes, parameter and initialization files or other elements. If any one of them is missing, the system cannot function correctly. The baseline is a total inventory of all the system’s components, hardware, software, data, administrative controls, documentation and user instructions.
例如,商业软件产品可能具有数千个单独的模块、进程、参数和初始化文件或其他元素。如果其中任何一个缺失,系统都无法正常运行。基线是系统所有组成部分、硬件、软件、数据、行政控制、文件和用户说明的总清单。

Once controls are in place to mitigate risks, the baselines can be referenced. All further comparisons and development are measured against the baselines.
一旦采取控制措施以减轻风险,就可以参考基线。所有进一步的比较和发展都是根据基线来衡量的。

When protecting assets, baselines can be particularly helpful in achieving a minimal protection level of those assets based on value. Remember, if assets have been classified based on value, and meaningful baselines have been established for each of the classification levels, we can conform to the minimum levels required. In other words, if classifications such as high, medium and low are being used, baselines could be developed for each of our classifications and provide that minimum level of security required for each.
在保护资产时,基线特别有助于根据价值实现这些资产的最低保护级别。请记住,如果资产已经根据价值进行了分类,并且已经为每个分类级别建立了有意义的基线,那么我们就可以符合所需的最低级别。换句话说,如果使用高、中、低等分类,就可以为我们的每一个分类制定基线,并为每一个分类提供所需的最低安全水平。

Updates 内容更新

Repairs, maintenance actions and updates are frequently required on almost all levels of systems elements, from the basic infrastructure of the IT architecture on up through operating systems, applications platforms, networks and user interfaces. Such modifications must be acceptance tested to verify that newly installed (or repaired) functionality works as required. They must also be regression tested to verify that the modifications did not introduce other erroneous or unexpected behaviors in the system. Ongoing security assessment and evaluation testing evaluates whether the same system that passed acceptance testing is still secure.
几乎所有级别的系统元素都需要经常进行维修、维护和更新,从IT架构的基本基础设施到操作系统、应用程序平台、网络和用户界面。必须对此类修改进行验收测试,以验证新安装(或修复)的功能是否按要求工作。还必须对它们进行回归测试,以验证修改不会在系统中引入其他错误或意外行为。持续的安全评估和评估测试评估通过验收测试的同一系统是否仍然安全。

Patches 打补丁

Patch management mostly applies to software and hardware devices that are subject to regular modification. A patch is an update, upgrade or modification to a system or component. These patches may be needed to address a vulnerability or to improve functionality. The challenge for the security professional is maintaining all patches, since they can come at irregular intervals from many different vendors. Some patches are critical and should be deployed quickly, while others may not be as critical but should still be deployed because subsequent patches may be dependent on them. Standards such as the PCI DSS require organizations to deploy security patches within a certain time frame.
补丁管理主要应用于需要定期修改的软件和硬件设备。补丁是对系统或组件的更新、升级或修改。可能需要这些修补程序来解决漏洞或改进功能。安全专业人员面临的挑战是维护所有补丁,因为它们可能来自许多不同的供应商,时间间隔不规则。有些修补程序是关键的,应该快速部署,而其他修补程序可能不那么关键,但仍然应该部署,因为后续修补程序可能依赖于它们。PCI DSS等标准要求组织在一定的时间范围内部署安全补丁。

There are some issues with the use of patches. Many organizations have been affected by a flawed patch from a reputable vendor that affected system functionality. Therefore, an organization should test the patch before rolling it out across the organization. This is often complicated by the lack of a testing environment that matches the production environment. Few organizations have the budget to maintain a test environment that is an exact copy of production. There is always a risk that the testing will not always be able to test everything, and problems may appear in production that were not apparent in the test environment. To the extent possible, patches should be tested to ensure they will work correctly in production.
使用补丁时存在一些问题。许多组织都受到了来自信誉良好的供应商的有缺陷的补丁程序的影响,该补丁程序影响了系统功能。因此,组织应在整个组织中推出修补程序之前对其进行测试。由于缺乏与生产环境相匹配的测试环境,这通常会变得复杂。很少有组织有预算来维护一个完全复制生产环境的测试环境。总是存在这样的风险,即测试并不总是能够测试所有内容,并且在生产环境中可能会出现在测试环境中不明显的问题。应尽可能测试补丁程序,以确保它们在生产环境中正常工作。

If the patch does not work or has unacceptable effects, it might be necessary to roll back to a previous (pre-patch) state. Typically, the criteria for rollback are previously documented and would automatically be performed when the rollback criteria were met.
如果修补程序不起作用或具有不可接受的效果,则可能需要回滚到先前(修补前)的状态。通常,回滚的标准是预先记录的,并且当满足回滚标准时将自动执行。

Many vendors offer a patch management solution for their products. These systems often have certain automated processes, or unattended updates, that allow the patching of systems without interaction from the administrator. The risk of using unattended patching should be weighed against the risk of having unpatched systems in the organization’s network. Unattended (or automated) patching might result in unscheduled outages as production systems are taken offline or rebooted as part of the patch process.
许多供应商为他们的产品提供补丁程序管理解决方案。这些系统通常具有某些自动化过程或无人值守的更新,其允许在没有来自管理员的交互的情况下修补系统。使用无人值守修补程序的风险应与组织网络中存在未修补系统的风险进行权衡。无人值守(或自动化)修补可能会导致计划外的中断,因为生产系统在修补过程中离线或重新启动。

You must make sure you have a strong change management process and that you test in a model environment before making any change in the production or live environment. Even with extensive planning and testing, there can sometimes be unintended consequences, so you must make sure you have a rollback plan. A rollback restores the system to the state it was in before the change was made. Before we introduced the change into the environment, we knew it worked properly. We need to make sure we review and test all patches and can restore the previous configuration.

For many organizations, maintaining a separate test environment can be a logistical challenge; as a result, many companies do not have separate production and test environments in which to properly review all patches and system updates. In that case, they may rely on the vendor's third-party testing to validate new software versions against a common set of data. A rollback plan is important in every environment, but it is absolutely critical for those who cannot fully test their changes.

模块3:了解最佳实践安全策略(D5.3)

Module 3: Understand Best Practice Security Policies (D5.3)

An organization’s security policies define what “security” means to that organization, which in almost all cases reflects the tradeoff between security, operability, affordability and potential risk impacts. Security policies express or impose behavioral or other constraints on the system and its use. Well-designed systems operating within these constraints should reduce the potential of security breaches to an acceptable level.
一个组织的安全政策定义了“安全”对该组织的意义,在几乎所有情况下,这反映了安全性、可操作性、可负担性和潜在风险影响之间的权衡。安全策略表达或施加对系统及其使用的行为或其他约束。在这些限制条件下运行的设计良好的系统应将安全漏洞的可能性降低到可接受的水平。

Security governance that does not align properly with organizational goals can lead to implementation of security policies and decisions that unnecessarily inhibit productivity, impose undue costs and hinder strategic intent.
与组织目标不一致的安全治理可能会导致实施不必要地抑制生产力、增加不必要的成本并阻碍战略意图的安全策略和决策。

Common Security Policies 通用安全策略

All policies must support any regulatory and contractual obligations of the organization. Sometimes it can be challenging to ensure the policy encompasses all requirements while remaining simple enough for users to understand.
所有政策必须支持组织的任何法规和合同义务。 有时,确保策略包含所有需求,同时保持足够简单以供用户理解可能具有挑战性。

Here are six common security-related policies that exist in most organizations.
以下是大多数组织中存在的六种常见的安全相关策略。

Data Handling Policy 数据处理策略

Appropriate use of data: This aspect of the policy defines whether data is for use within the company, is restricted for use by only certain roles or can be made public to anyone outside the organization. In addition, some data has associated legal usage definitions. The organization’s policy should spell out any such restrictions or refer to the legal definitions as required. Proper data classification also helps the organization comply with pertinent laws and regulations. For example, classifying credit card data as confidential can help ensure compliance with the PCI DSS. One of the requirements of this standard is to encrypt credit card information. Data owners who correctly defined the encryption aspect of their organization’s data classification policy will require that the data be encrypted according to the specifications defined in this standard.
正确使用数据:策略的这一方面定义了数据是供公司内部使用、仅限于某些角色使用,还是可以向组织外部的任何人公开。此外,一些数据具有相关联的法律的使用定义。该组织的政策应阐明任何此类限制,或按要求提及法律的定义。适当的数据分类还有助于组织遵守相关法律法规。例如,将信用卡数据分类为机密可以帮助确保符合PCI DSS。该标准的要求之一是加密信用卡信息。正确定义其组织数据分类策略的加密方面的数据所有者将要求根据本标准中定义的规范对数据进行加密。

Password Policy 密码策略

Every organization should have a password policy in place that defines expectations of systems and users. The password policy should describe senior leadership’s commitment to ensuring secure access to data, outline any standards that the organization has selected for password formulation, and identify who is designated to enforce and validate the policy.
每个组织都应该有一个适当的密码策略,用于定义系统和用户的期望。密码政策应说明高级领导层对确保安全访问数据的承诺,概述组织为密码制定选择的任何标准,并确定指定谁来执行和验证政策。

Acceptable Use Policy 可接受使用策略

The acceptable use policy (AUP) defines acceptable use of the organization’s network and computer systems and can help protect the organization from legal action. It should detail the appropriate and approved usage of the organization’s assets, including the IT environment, devices and data. Each employee (or anyone having access to the organization’s assets) should be required to sign a copy of the AUP, preferably in the presence of another employee of the organization, and both parties should keep a copy of the signed AUP.
可接受使用政策(AUP)定义了组织网络和计算机系统的可接受使用,并有助于保护组织免受法律的诉讼。它应该详细说明组织资产的适当和经批准的使用,包括IT环境、设备和数据。应要求每位员工(或有权访问组织资产的任何人)签署AUP副本,最好是在组织的另一名员工在场的情况下签署,双方应保留已签署AUP的副本。

Policy aspects commonly included in AUPs:
AUP中通常包括的政策方面:

  • Data access 数据存取
  • System access 系统访问
  • Data disclosure 数据披露
  • Passwords 密码
  • Data retention 数据保留
  • Internet usage 互联网使用
  • Company device usage 公司设备使用情况

Bring Your Own Device (BYOD) Policy 自带设备策略

An organization may allow workers to acquire equipment of their choosing and use personally owned equipment for business (and personal) use. This is sometimes called bring your own device (BYOD). Another option is to present the teleworker or employee with a list of approved equipment and require the employee to select one of the products on the trusted list.
组织可以允许工人获得他们选择的设备,并使用个人拥有的设备用于商业(和个人)用途。这有时被称为自带设备(BYOD)。另一个选项是向远程工作者或雇员呈现批准的设备的列表,并且要求雇员选择可信列表上的产品之一。

Letting employees choose the device that is most comfortable for them may be good for employee morale, but it presents additional challenges for the security professional because it means the organization loses some control over standardization and privacy. If employees are allowed to use their phones and laptops for both personal and business use, this can pose a challenge if, for example, the device has to be examined for a forensic audit. It can be hard to ensure that the device is configured securely and does not have any backdoors or other vulnerabilities that could be used to access organizational data or systems.
让员工选择最适合他们的设备可能对员工士气有好处,但它给安全专业人员带来了额外的挑战,因为这意味着组织失去了对标准化和隐私的一些控制。如果允许员工将手机和笔记本电脑用于个人和商业用途,这可能会带来挑战,例如,如果必须对设备进行取证审计。很难确保设备配置安全,并且没有任何后门或其他可用于访问组织数据或系统的漏洞。

All employees must read and agree to adhere to this policy before any access to the systems, network and/or data is allowed. If and when the workforce grows, so too will the problems with BYOD. Certainly, the appropriate tools are going to be necessary to manage the use of and security around BYOD devices and usage. The organization needs to establish clear user expectations and set the appropriate business rules.
所有员工必须阅读并同意遵守本政策,然后才允许访问系统,网络和/或数据。如果员工队伍增长,BYOD的问题也会随之增加。当然,适当的工具对于管理BYOD设备和使用的使用和安全性是必要的。组织需要建立明确的用户期望并设置适当的业务规则。

Privacy Policy 隐私策略

Often, personnel have access to personally identifiable information (PII) (also referred to as electronic protected health information [ePHI] in the health industry). It is imperative that the organization documents that the personnel understand and acknowledge the organization’s policies and procedures for handling of that type of information and are made aware of the legal repercussions of handling such sensitive data. This type of documentation is similar to the AUP but is specific to privacy-related data.
通常,工作人员可以访问个人身份信息(PII)(在医疗行业中也称为电子保护健康信息[ePHI])。组织必须记录员工了解并确认组织处理此类信息的政策和程序,并了解处理此类敏感数据的法律的后果。这种类型的文档与AUP类似,但特定于与隐私相关的数据。

The organization’s privacy policy should stipulate which information is considered PII/ePHI, the appropriate handling procedures and mechanisms used by the organization, how the user is expected to perform in accordance with the stated policy and procedures, any enforcement mechanisms and punitive measures for failure to comply as well as references to applicable regulations and legislation to which the organization is subject. This can include national and international laws, such as the GDPR in the EU and Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada; laws for specific industries in certain countries such as HIPAA and Gramm–Leach–Bliley Act (GLBA); or local laws in which the organization operates.
组织的隐私政策应规定哪些信息被视为PII/ePHI、组织使用的适当处理程序和机制、用户应如何按照规定的政策和程序执行、任何执行机制和对不遵守的惩罚措施,以及组织所遵守的适用法规和立法的参考。这可能包括国家和国际法律,例如欧盟的GDPR和加拿大的个人信息保护和电子文件法(PIPEDA);某些国家特定行业的法律,如HIPAA和Gramm-Leach-Bliley法案(GLBA);或该组织运营所在地的法律。

The organization should also create a public document that explains how private information is used, both internally and externally. For example, it may be required that a medical provider present patients with a description of how the provider will protect their information (or a reference to where they can find this description, such as the provider’s website).
组织还应创建一份公开文档,解释如何在内部和外部使用私人信息。例如,可能要求医疗提供者向患者呈现提供者将如何保护他们的信息的描述(或他们可以在哪里找到该描述的参考,诸如提供者的网站)。

Change Management Policy 变更管理策略

Change management is the discipline of transitioning from the current state to a future state. It consists of three major activities: deciding to change, making the change, and confirming that the change has been correctly accomplished. Change management focuses on making the decision to change and results in the approvals to systems support teams, developers and end users to start making the directed alterations.
变更管理是从当前状态过渡到未来状态的规程。它包括三项主要活动:决定变更、进行变更以及确认变更已正确完成。变更管理的重点是做出变更决策,并批准系统支持团队、开发人员和最终用户开始进行定向变更。

Throughout the system life cycle, changes made to the system, its individual components and its operating environment all have the capability to introduce new vulnerabilities and thus undermine the security of the enterprise. Change management requires a process to implement the necessary changes so they do not adversely affect business operations.
在整个系统生命周期中,对系统、其单个组件及其操作环境所做的更改都有可能引入新的漏洞,从而破坏企业的安全。 变更管理需要一个流程来实施必要的变更,以便它们不会对业务运营产生不利影响。

Policies will be set according to the needs of the organization and its vision and mission. Each of these policies should have a penalty or a consequence attached in case of noncompliance. The first time may be a warning; the next might be a forced leave of absence or suspension without pay, and a critical violation could even result in an employee’s termination. All of this should be outlined clearly during onboarding, particularly for information security personnel. It should be made clear who is responsible for enforcing these policies, and the employee must sign off on them and have documentation saying they have done so. This process could even include a few questions in a survey or quiz to confirm that the employees truly understand the policy. These policies are part of the baseline security posture of any organization. Any security or data handling procedures should be backed up by the appropriate policies.
将根据本组织的需要及其愿景和使命制定政策。这些政策中的每一个都应该有一个惩罚或不遵守的后果。第一次可能是警告;第二种可能是强制休假或停薪留职,严重违规甚至可能导致员工被解雇。所有这些都应该在入职时清楚地概述,特别是对于信息安全人员。应该明确谁负责执行这些政策,员工必须签署这些政策,并有文件证明他们已经这样做了。这个过程甚至可以包括一些调查或测验中的问题,以确认员工真正了解政策。这些策略是任何组织的基线安全状态的一部分。任何安全性或数据处理程序都应通过适当的策略进行备份。

Change Management Components 变更管理组件

The change management process includes the following components.
变更管理流程包括以下组成部分。


Documentation 文件编制

All of the major change management practices address a common set of core activities that start with a request for change (RFC) and move through various development and test stages until the change is released to the end users. From first to last, each step is subject to some form of formalized management and decision-making; each step produces accounting or log entries to document its results.
所有主要的变更管理实践都涉及一组常见的核心活动,这些活动从变更请求(RFC)开始,经过各种开发和测试阶段,直到将变更发布给最终用户。从第一步到最后一步,每一步都要服从某种形式的正规化管理和决策;每一步骤产生记帐或日志条目以记录其结果。

Approval 批准

These processes typically include:
这些过程通常包括:

  • Evaluating the RFCs for completeness
    评估RFC的完整性
  • Assignment to the proper change authorization process based on risk and organizational practices
    根据风险和组织实践分配适当的变更授权流程
  • Stakeholder reviews, resource identification and allocation
    利益相关者评审、资源识别和分配
  • Appropriate approvals or rejections
    适当的批准或拒绝
  • Documentation of approval or rejection
    批准或拒绝的文件

Rollback 回滚

Depending upon the nature of the change, a variety of activities may need to be completed. These generally include:
根据变更的性质,可能需要完成各种活动。这些一般包括:

  • Scheduling the change
    计划变更
  • Testing the change
    测试变更
  • Verifying the rollback procedures
    验证回滚程序
  • Implementing the change
    实施变更
  • Evaluating the change for proper and effective operation
    评估变更以确保正确有效地运行
  • Documenting the change in the production environment
    在生产环境中记录变更

Rollback authority would generally be defined in the rollback plan, which might be immediate or scheduled as a subsequent change if monitoring of the change suggests inadequate performance.
回滚权限通常在回滚计划中定义,如果对更改的监视表明性能不足,则回滚权限可能是立即的或作为后续更改计划的。

Narrator: Change management happens in a cycle. There is no real stopping point; it is continuously in progress. This means the environment must be monitored continuously. So if you or anyone else requests a change, it needs to go through the proper approval. If necessary, the organization must be prepared for a rollback, which means that if that particular change does not work, we need to be able to roll back to the legacy system.

Although change management is an organization-wide process, it is often the information security professional who coordinates the effort and may provide oversight and governance. Depending on the size of the organization, it may also fall within the IT or development area. In organizations that have a quality or risk management department, it fits well in either of those areas too. The common theme is that change management acknowledges and incorporates input from end users and from all areas of IT, development, information security and, most importantly, management, to ensure that all changes are properly tested, approved and communicated before implementation.

Narrator: Different organizations will have different goals for their acceptable use policy. Some organizations encourage extensive personal use of the organization's IT assets by employees, to boost morale and reduce the disruption between users' personal lives and their work. Some organizations also encourage users to use organizational assets to perform personal educational tasks; that way, employees benefit from the assets and the organization gets better-trained, happier employees. Some organizations strictly limit users' personal use of IT assets to reduce risk within the organization.

All security-related policies should align with the organization's risk tolerance while ensuring that regulatory requirements are met. An organization that does not store confidential data on laptops or workstations may be more lenient in its acceptable use policy, whereas a medical institution, a research institution or a defense contractor may be much stricter, because the data they hold could have devastating consequences if compromised.

模块4:了解安全意识培训(D5.3、D5.4)

Module 4: Understand Security Awareness Training (D5.3, D5.4)

To reduce the effectiveness of certain types of attacks (such as social engineering), it is crucial that the organization informs its employees and staff how to recognize security problems and how to operate in a secure manner. While the specifics of secure operation differ in each organization, there are some general concepts that are applicable to all such programs.
为了降低某些类型的攻击(如社会工程)的有效性,组织必须告知其员工如何识别安全问题以及如何以安全的方式进行操作。虽然每个组织的安全操作细节不同,但有一些通用概念适用于所有此类计划。

Manny: So, what is the most important tool in cybersecurity, Tasha?

Tasha: I would say the most important tool is your human resources, your people.

Manny: People are more important than technology, firewalls, passwords and all that?

Tasha: Yes, Manny. It's people who develop the technology, install those firewalls and create those passwords. More importantly, everyone must follow best practices and policies to make sure the data they use every day is handled securely. That's why security awareness training is so important. Your employees must know what to look for and what to do when they see it. They have to stay vigilant. Complacency is the enemy of cybersecurity.

Manny: If you see something, say something.

Tasha: Exactly. Let's learn more.

Purpose 目的

The purpose of awareness training is to make sure everyone knows what is expected of them, based on responsibilities and accountabilities, and to find out if there is any carelessness or complacency that may pose a risk to the organization. We will be able to align the information security goals with the organization’s missions and vision and have a better sense of what the environment is.
意识培训的目的是确保每个人都知道根据职责和问责制对他们的期望,并找出是否存在可能对组织构成风险的任何疏忽或自满。我们将能够使信息安全目标与组织的使命和愿景保持一致,并对环境有更好的了解。

What is Security Awareness Training? 什么是安全意识培训?

Let’s start with a clear understanding of the three different types of learning activities that organizations use, whether for information security or for any other purpose:
让我们首先清楚地了解组织使用的三种不同类型的学习活动,无论是用于信息安全还是用于任何其他目的:

  • Education: The overall goal of education is to help learners improve their understanding of these ideas and their ability to relate them to their own experiences and apply that learning in useful ways.
    教育:教育的总体目标是帮助学习者提高他们对这些思想的理解,以及他们将这些思想与自己的经验联系起来并以有用的方式应用这些知识的能力。
  • Training: Focuses on building proficiency in a specific set of skills or actions, including sharpening the perception and judgment needed to make decisions as to which skill to use, when to use it and how to apply it. Training can focus on low-level skills, an entire task or complex workflows consisting of many tasks.
  • Awareness: These are activities that attract and engage the learner’s attention by acquainting them with aspects of an issue, concern, problem or need.

You’ll notice that none of these have an expressed or implied degree of formality, location or target audience. (Think of a newly hired senior executive with little or no exposure to the specific compliance needs your organization faces; first, someone has to get their attention and make them aware of the need to understand. The rest can follow.)

Gabriela: So, something really strange happened. This morning I got a text message saying I had won $1,000 from Amazon.

Keith: Wow. Did you respond?

Gabriela: Well, I was going to, but at the last minute I noticed it came from a misspelled "Amazon", not Amazon. I mean, a company isn't going to misspell its own name, is it? And then it reminded me of the time I accidentally downloaded a virus, so I figured I would wait and talk to you, because I know you have been studying cybersecurity and phishing and all that.

Keith: Congratulations, you passed. That was a fake link I sent you to see whether you would click on it.

Gabriela: (sighs) Well, I guess the security awareness training you have been doing finally paid off. But I still feel like someone owes me $1,000.

(people chattering)

Tasha: Susan arrives at the coffee shop just in time to hear Keith and Gabriela's conversation.

(people chattering)

Susan: Well, look how far you have come since we first started talking about cybersecurity.

Keith: Well, at first I thought I didn't have the technical skills.

Susan: Ah, but what it really comes down to is that you are curious, you are a good communicator, and you work well as part of a team. You are also very analytical. You are good at recognizing patterns, you know, seeing the bigger picture but also the smaller details. You are actually very well suited to cybersecurity work.

Keith: I think it's interesting, understanding data and how to keep people's data safe.

Susan: And it is always changing. There are a lot of opportunities in this field, and you can take different directions. I am proud to say I am a Systems Security Certified Practitioner, and I am even thinking about getting my CISSP from ISC2.

Keith: What is that?

Susan: It is the Certified Information Systems Security Professional, a globally recognized cybersecurity certification.

Keith: Wow, that's cool. It seems like cybersecurity never gets boring or stale. I am always growing, unlike here.

Susan: Hey, don't let your mom hear you say that. She has coffee running through her veins.

Keith: Gabriela could take over for me, right? I mean, you know more about the customers' data and how to keep it safe.

Gabriela: I mean, that's nice, Keith, but I might be thinking about a future in cybersecurity myself.

Keith: I am ready to get started now. What do I need to do to get a job like yours?

Susan: I might be able to point you in the right direction. What have we got here?

Keith: Oh, we are working on...

The Importance of Security Training

Why does everyone need security training? The weakest link in any organization is its people. Each of us, whether a new intern or the executive in the corner office, has our own security responsibilities. Everyone contributes to improving the security environment administratively, physically and technically.

If employees have not been trained on what the policies and procedures are, they cannot follow them. This is especially important for topics such as data handling and emergency response activities. For example, fire drills are essential for protecting health and personal safety, and they train users in how to carry out the procedures that protect them from danger.

Security Awareness Training Examples

Let’s look at an example of security awareness training by using an organization’s strategy to improve fire safety in the workplace:

  • Education may help workers in a secure server room understand the interaction of the various fire and smoke detectors, suppression systems, alarms and their interactions with electrical power, lighting and ventilation systems.
  • Training would provide those workers with task-specific, detailed learning about the proper actions each should take in the event of an alarm, a suppression system going off without an alarm, a ventilation system failure or other contingency. This training would build on the learning acquired via the educational activities.
  • Awareness activities would include not only posting the appropriate signage, floor or doorway markings, but also other indicators to help workers detect an anomaly, respond to an alarm and take appropriate action. In this case, awareness is a constantly available reminder of what to do when the alarms go off.

Translating that into an anti-phishing campaign might be done by:

  • Education may be used to help select groups of users better understand the ways in which social engineering attacks are conducted and engage those users in creating and testing their own strategies for improving their defensive techniques.
  • Training will help users increase their proficiency in recognizing a potential phishing or similar attempt, while also helping them practice the correct responses to such events. Training may include simulated phishing emails sent to users on a network to test their ability to identify a phishing email.
  • Awareness: Raising users’ overall awareness of the threat posed by phishing, vishing, SMS phishing (also called “smishing”) and other social engineering tactics. Awareness techniques can also alert selected users to new or novel approaches that such attacks might be taking.

Let’s look at some common risks and why it’s important to include them in your security awareness training programs.

Phishing

The use of phishing attacks to target individuals, entire departments and even companies is a significant threat that the security professional needs to be aware of and be prepared to defend against. Countless variations on the basic phishing attack have been developed in recent years, leading to a variety of attacks that are deployed relentlessly against individuals and networks in a never-ending stream of emails, phone calls, spam, instant messages, videos, file attachments and many other delivery mechanisms.

Phishing attacks that attempt to trick highly placed officials or private individuals with sizable assets into authorizing large fund wire transfers to previously unknown entities are known as whaling attacks.

Social Engineering

Social engineering is an important part of any security awareness training program for one very simple reason: bad actors know that it works. For the cyberattackers, social engineering is an inexpensive investment with a potentially very high payoff. Social engineering, applied over time, can extract significant insider knowledge about almost any organization or individual.

One of the most important messages to deliver in a security awareness program is an understanding of the threat of social engineering. People need to be reminded of the threat and types of social engineering so that they can recognize and resist a social engineering attack.

Most social engineering techniques are not new. Many have even been taught as basic fieldcraft for espionage agencies and are part of the repertoire of investigative techniques used by real and fictional police detectives. A short list of the tactics that we see across cyberspace currently includes:

  • Phone phishing or vishing: Using a rogue interactive voice response (IVR) system to re-create a legitimate-sounding copy of a bank or other institution’s IVR system. The victim is prompted through a phishing email to call in to the “bank” via a provided phone number to verify information such as account numbers, account access codes or a PIN and to confirm answers to security questions, contact information and addresses. A typical vishing system will reject logins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords. More advanced systems may be used to transfer the victim to a human posing as a customer service agent for further questioning.

  • Pretexting: The human equivalent of phishing, where someone impersonates an authority figure or a trusted individual in an attempt to gain access to your login information. The pretexter may claim to be an IT support worker who is supposed to do maintenance or an investigator performing a company audit. Or they might impersonate a coworker, the police, a tax authority or some other seemingly legitimate person. The goal is to gain access to your computer and information.

  • Quid pro quo: A request for your password or login credentials in exchange for some compensation, such as a “free gift,” a monetary payment or access to an online game or service. If it sounds too good to be true, it probably is.

  • Tailgating: The practice of following an authorized user into a restricted area or system. The low-tech version of tailgating would occur when a stranger asks you to hold the door open behind you because they forgot their company RFID card. In a more sophisticated version, someone may ask to borrow your phone or laptop to perform a simple action when he or she is actually installing malicious software onto your device.

Social engineering works because it plays on human tendencies. Education, training and awareness work best to counter or defend against social engineering because they help people realize that every person in the organization plays a role in information security.

Password Protection

We use many different passwords and systems. Many password managers will store a user’s passwords for them so the user does not have to remember all their passwords for multiple systems. The greatest disadvantage of these solutions is the risk of compromise of the password manager.

These password managers may be protected by a weak password or passphrase chosen by the user and easily compromised. There have been many cases where a person’s private data was stored by a cloud provider but easily accessed by unauthorized persons through password compromise.

Organizations should encourage the use of different passwords for different systems and should provide a recommended password management solution for their users.

Examples of poor password protection that should be avoided are:

    • Reusing passwords for multiple systems, especially using the same password for business and personal use.
    • Writing down passwords and leaving them in unsecured areas.
    • Sharing a password with tech support or a co-worker.

Narrator: Back to the topic of passwords. If you have a 10-digit password, a brute-force attack on your environment using password-calculation software can crack it in 5 seconds. Most people think 8 characters containing several different kinds of characters is very secure, and that is one common standard for password requirements. But if someone really wants it, it might take them 35 days. We would rather be more secure than that.

For example, if you have 16 characters including one uppercase letter and one special character, that is more secure, because you have upper- and lowercase characters and special characters. Cracking that would take about 152,000 years.

So as long as we follow good password policies and proper procedures, we can greatly improve our password security.

Narrator: We have to make sure we communicate appropriately about current and potential threats to keep everyone vigilant. We can even encourage friendly competition between departments to see who spots the most phishing attempts. We can give friendly reminders, such as a little stress ball that says "lock your computer". There are also automated systems that lock the computer automatically when you step away.

It is important to make sure we get positive feedback on our training, to ensure it is appropriate and understood. Make sure the organization's leaders understand the importance of training and work to promote and improve the organization's information security environment. And give employees opportunities to practice what they have learned through exercises and simulations. For example, occasionally send simulated phishing emails and give people positive feedback for reporting them. Depending on the organization's culture and risk profile, awareness training should be a positive experience for everyone, not punitive unless absolutely necessary.
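The narrator's 5 seconds / 35 days / 152,000 years figures, and the poor-practice list above, rest on simple keyspace arithmetic. The following Python is an added illustration, not part of the ISC2 course material: it computes the brute-force search space of a password from its length and the character classes it uses. The class sizes and the 10^10 guesses-per-second rate are my assumptions (the course does not state them), so the absolute years differ from the narrator's, but the conclusion that length multiplies the work far more than adding character types holds at any rate.

```python
import math

# Alphabet size per character class. These sizes are an assumption for the
# estimate; the course text does not state which alphabet it used.
CLASS_SIZES = {"digits": 10, "lower": 26, "upper": 26, "special": 33}


def keyspace(length: int, classes: tuple) -> int:
    """Candidates an exhaustive search must try for this length and class mix."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return alphabet ** length


def classes_used(password: str) -> tuple:
    """Which classes a password actually draws from; this fixes the search alphabet."""
    found = set()
    for ch in password:
        if ch.isdigit():
            found.add("digits")
        elif ch.islower():
            found.add("lower")
        elif ch.isupper():
            found.add("upper")
        else:
            found.add("special")
    return tuple(sorted(found))


def estimated_keyspace(password: str) -> int:
    """Brute-force upper bound for one password. Dictionary words and keyboard
    patterns are found far sooner than this bound suggests, which is why the
    page recommends a manager that generates random passwords."""
    return keyspace(len(password), classes_used(password))


def years_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Years to try every candidate at an assumed rate (the rate is my assumption)."""
    seconds = estimated_keyspace(password) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace: every extra character adds log2(alphabet) bits."""
    return math.log2(estimated_keyspace(password))


if __name__ == "__main__":
    # Constructed sample passwords: 10 digits, 8 mixed characters, a 28-character passphrase.
    for pw in ("4815162342", "P@ssw0rd", "correct-horse-battery-staple"):
        print(f"{pw:30} classes={classes_used(pw)} "
              f"bits={entropy_bits(pw):.1f} years={years_to_exhaust(pw):.3g}")
```

The 28-character two-class passphrase outscores the 8-character four-class password by many orders of magnitude, and the estimate is only an upper bound: guessing from dictionaries and leaked lists defeats predictable passwords long before the keyspace is exhausted.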