5 Steps to Uncovering Your IT Security Gaps

Hack attack

From local businesses to Google, IT breaches can happen to anyone.

According to IBM, there were 1.5 million monitored cyber attacks in the United States last year. Organizations are attacked an average of 16,856 times per year, and many of these attacks result in quantifiable data breaches. A moderate attack costs an average of $38,065 per minute of downtime.

With organizations facing a growing number of threats by sophisticated hackers, IT security needs to be a priority. However, many IT professionals aren’t aware of the vulnerabilities that could give hackers access to their systems and bring their organizations to a standstill.

While closing these gaps is usually simple, the hard part is finding them.

Your 5-Step IT Security Plan

Here are five steps you must take to uncover your IT security gaps:

1. Conduct external penetration testing.

Hiring a white hat hacker to conduct penetration tests can help you identify your key external security gaps much more easily than by using security vulnerability scanning tools. Starting with just your company name, these authorized hackers will use the latest attack vectors to gather as much information about your employees and infrastructure as possible. They’ll search for vulnerabilities in your website, applications, systems and configurations, and exploit them as a malicious person would.

If the white hat hackers can’t find any technical vulnerabilities, they’ll use social engineering tactics such as phishing to try to collect data from your users. Including social engineering with your penetration tests is vital to learn if your users are engaging in risky behavior.

You should perform penetration tests on a regular basis – especially if you’re in a regulated industry. This will ensure your systems are secure and keep you a few steps ahead of hackers.

2. Identify your internal risks.

As the NSA's experience with Edward Snowden attests, your employees can be your biggest security risk. An internal penetration test can tell you exactly how much information a disgruntled employee could make off with, and lets you estimate the risk of loss should that person decide to do something malicious.

During an internal penetration test, an authorized hacker works inside your organization to exploit your internal vulnerabilities. They’ll look for weaknesses in your IT systems, databases, networks, applications, access controls and firewalls. This will reveal defects in your infrastructure and help you identify at-risk data.

You should perform an internal penetration test every time you perform an external penetration test.

3. Perform a risk assessment.

Based on the results of the external and internal penetration tests, you should perform a risk assessment. Analyze your risks and decide which ones are the biggest threats to your organization. You may need to educate your organization’s executives about your risks and convince them to invest in security. Make recommendations about what needs to be fixed and how much you should invest to reduce your risk of security breaches. Perform a new risk assessment every year to keep up-to-date with the latest technology and threats. A risk assessment is also mandatory if you accept payment card transactions and must comply with PCI-DSS regulations.

4. Create a data breach and security incident response plan.

The Economist Intelligence Unit found that while 77% of companies have faced a security breach within the past two years, 38% of these companies still don’t have an incident response plan. Globally, only 17% of organizations are prepared for a security incident.

An incident response plan is critical to quickly recover data and restore service after a breach. Your plan should specify:

  • The members of your response team and the actions they should take in case of a breach or attack.
  • Whom to involve to investigate a breach and get things up and running again.
  • How you will communicate with employers, customers and stakeholders after a breach.
  • How you will implement lessons learned to avoid similar breaches in future.

Test your incident response plan in action with your IT team and employees during your annual penetration tests. Your IT group should be able to detect and react to attacks internally. Test your plan in action and train your team to react and think proactively.

5. Test your backup and recovery readiness.

Many companies fail to test their backups. Your backups might not be as reliable as you think, leaving you vulnerable if your data is lost or corrupted. It’s critical to test your backups to make sure you can quickly recover your data after a breach or other security incident.

You can also consider backing up your data in several data centers. You might want a local data center to have fast access to your infrastructure, along with a data center in another city or country. If one data center goes down, you’ll still have your data available.

Test how your team reacts in a trial run. Have them race against their own previous times to bring server backups back into service as quickly as possible.
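
The restore drill described in this step can be scripted so the "does the backup actually come back?" question gets a yes/no answer rather than a guess. The following is an added example (not code from the original article): it builds a small constructed sample directory, backs it up to a tar.gz archive, restores it into a separate location, and compares SHA-256 digests of every file against the source. The second drill mode deliberately damages one restored file to show that the check reports it. Function and file names are illustrative.

```python
"""Backup restore drill: back up a directory, restore it somewhere else,
and prove byte-for-byte that the restored copy matches the source.
Added example, not from the article; the sample files are constructed."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each regular file (path relative to root) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def create_backup(src: Path, archive: Path) -> None:
    """Write a gzip-compressed tar of src; entry names are relative to src."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")


def restore_backup(archive: Path, dest: Path) -> None:
    """Extract the archive into dest, refusing any entry that would land outside dest."""
    dest.mkdir(parents=True, exist_ok=True)
    dest_resolved = dest.resolve()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            target = (dest_resolved / member.name).resolve()
            if target != dest_resolved and dest_resolved not in target.parents:
                raise ValueError(f"unsafe path in archive: {member.name}")
        # Python 3.12+ ships a 'data' extraction filter; use it when available.
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)


def verify_restore(expected: dict, restored_root: Path) -> list:
    """Return human-readable findings; an empty list means the restore is good."""
    actual = build_manifest(restored_root)
    findings = []
    for rel, digest in expected.items():
        if rel not in actual:
            findings.append(f"missing: {rel}")
        elif actual[rel] != digest:
            findings.append(f"corrupt: {rel}")
    for rel in actual:
        if rel not in expected:
            findings.append(f"unexpected: {rel}")
    return findings


def run_drill(corrupt_after_restore: bool = False) -> list:
    """Full drill in a scratch directory: create sample data, back up, restore, verify.
    With corrupt_after_restore=True one restored file is altered to simulate bad
    media, so the caller can see that the verification catches it."""
    with tempfile.TemporaryDirectory() as scratch:
        base = Path(scratch)
        src = base / "source"
        (src / "etc").mkdir(parents=True)
        (src / "etc" / "app.conf").write_text("listen=127.0.0.1:8443\n")  # constructed sample
        (src / "data.db").write_bytes(bytes(range(256)) * 4)              # constructed sample
        expected = build_manifest(src)

        archive = base / "backup.tar.gz"
        create_backup(src, archive)

        restored = base / "restored"
        restore_backup(archive, restored)
        if corrupt_after_restore:
            (restored / "data.db").write_bytes(b"\x00" * 1024)  # simulate bit rot / bad media
        return verify_restore(expected, restored)


if __name__ == "__main__":
    print("clean drill:", run_drill() or "OK")
    print("corrupted drill:", run_drill(corrupt_after_restore=True))
```

In practice the manifest would be produced at backup time and stored separately from the archive, and the drill would be run against a real restore target on a schedule, with the elapsed time recorded so the team can track how quickly it can bring a backup back into service.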

Conclusion

Perform each of these five steps to identify your IT security gaps and learn what you must do to protect yourself from threats.

When was the last time you performed a security check? Do you have any tips for keeping safe?

Translated from: https://www.sitepoint.com/5-steps-to-uncovering-your-it-security-gaps/