[IoT articles, part 1] Top 10 business steps to secure IoT ecosystems

Preface

  • I spent a large part of April digging into code, walking through our dual-camera bokeh pipeline. Then, to share it with the team, I spent a fair amount of time summarizing, drawing mind maps and flowcharts, and so on. I learned quite a lot along the way, especially about the data flow in the Qualcomm Camera HAL layer; I now have a rough understanding of the nodes before and after Camera Post Process, and tracing the data flow no longer makes me so dizzy.
  • Also, when summarizing and sharing knowledge, diagrams really matter. A slide deck stuffed with text might not be finished in 3 hours, and in the end the audience gains little. But if 70% to 90% of the material is expressed visually with images and the remaining text is used for refined, concise description, it can probably be done in 1 to 2 hours, and the audience at least leaves with a fairly complete overall impression.
  • OK, I have digressed. Back to this round's activity: this issue's theme is IoT, another field I am not familiar with, so I could only find some introductory articles to translate. And... last issue they sent another cushion... if this issue sends a plush toy again, I will give these things to my girlfriend's dormitory as graduation gifts, haha.
  • Four articles were accepted this issue:

Copyright notes

Translator: StoneDemo, a member of the 云+社区翻译社 (Cloud+ Community Translation Club)
Original link: Top 10 business steps to secure IoT ecosystems
Original author: (author information not found)


Top 10 business steps to secure IoT ecosystems

Title: (Top 10 business steps to secure IoT ecosystems)

In IoT environments where devices, applications and people are interconnected across vast and disparate ecosystems, it’s imperative that security is an integral part of IoT deployments.

In IoT environments, where devices, applications and people are interconnected across vast and very different ecosystems, it is critically important that security be an indispensable part of IoT deployments.

Threats are everywhere. The attack vector is potentially limitless. IoT ecosystems encompass the network edge/perimeter, the data center, applications, data transmission and networking mechanisms. They also include every piece of company-owned equipment and end user-owned devices. Even the most proactive IT departments find it challenging to keep pace with career-hackers and ever-more efficient, targeted attacks.

Threats are everywhere. Attack vectors can be limitless. IoT ecosystems include the network edge/perimeter, data centers, applications, data transmission and networking mechanisms. They also include every piece of company-owned equipment and every end-user-owned device. Even the most proactive IT departments find it very hard to keep pace with professional hackers and their ever more efficient targeted attacks.

There is no such thing as a 100% fully secure environment.

Security is not static; it is a work in progress. Organizations must be vigilant and assume responsibility for their system and network security. ITIC’s latest survey data found that an overwhelming 80% of respondents indicated the “carelessness of end users” poses the biggest threat to organizational security. This far outpaces the 57% who cited malware infections as the largest potential security problem.

There is no such thing as a 100% secure environment.

Security is not static; it is work that keeps moving forward. Organizations must stay vigilant and take responsibility for the security of their systems and networks. ITIC's latest survey data shows that 80% of respondents said the "carelessness of end users" poses the biggest threat to organizational security. This far exceeds the 57% of respondents who listed malware infection as the largest potential security problem.

Security is a 50/50 proposition between technology and the humans who must implement and manage it. In Part one of a two-part article, we outline the top 10 business and procedural must-do steps organizations should take to safeguard the IoT ecosystem and mitigate risk. Part two will detail the top 10 list of technology safeguards organizations should implement to safeguard corporate data assets.

Security is a "50/50 proposition" between technology and the people who must implement and manage it (50/50 proposition: each side should be willing to compromise so that things proceed smoothly). In the first part of a two-part article, we outline the top 10 business and procedural must-do steps an organization should take to protect the IoT ecosystem and reduce risk. In the second part, we will detail the top 10 technology safeguards organizations should implement to protect corporate data assets.

Top 10 business steps to defend against cybersecurity threats

(Top 10 business steps to defend against cybersecurity threats)

1. Take inventory. Know what people, devices and applications are on your network. That includes the various versions of software your users have installed on their myriad desktops, notebooks, tablets and smartphones. Twenty-five years ago in the early 1990s, before the internet, businesses used to brag about the longevity and reliability of their servers and network operating systems. It was considered a badge of honor if an IT administrator discovered a forgotten Novell Netware 3.x or 4.x server running in a closet that hadn’t been rebooted in nine or 10 years. Ignorance is not bliss. Complacency, forgetfulness and ignorance of what devices are on your network, along with a host of overlooked configuration errors that unwittingly give opportunistic hackers carte blanche to exploit your network could spell disaster and leave a corporation’s data assets unprotected. Compile a list of all devices, applications, transmission mechanism and access levels for all network users (from the CEO down to office temps). Retire old and outmoded equipment or retrofit them with the latest security mechanisms. Take inventory at least every six months and preferably on a quarterly basis. Additionally, corporations that have acquired another firm via a merger or acquisition should do a complete and thorough inventory of the acquired entity’s infrastructure before connecting it to their own. This requires cooperation and collaboration with the acquired company’s IT department, engineers and software developers.

1. Take inventory. Know what people, devices and applications are on your network. That includes the various versions of software users have installed on their desktops, notebooks, tablets and smartphones. Twenty-five years ago (in the early 1990s), before the internet, businesses often bragged about the reliability and longevity of their servers and network operating systems. If an IT administrator discovered a forgotten Novell Netware 3.x or 4.x server running in a closet (and not rebooted in 9 or 10 years), it was regarded as a badge of honor. Ignorance is not bliss. Complacency, forgetfulness and ignorance of which devices are on your network, together with a pile of overlooked configuration errors, unwittingly give opportunistic hackers free rein over your network, inviting disaster and leaving the company's data assets unprotected. Compile a list for all network users (from the CEO down to office temps) covering all devices, applications, transmission mechanisms and access levels. Retire old and outmoded equipment, or retrofit it with the latest security mechanisms. Take inventory at least every six months (preferably quarterly). In addition, a company that has acquired another firm through a merger or acquisition should carry out a complete and thorough inventory of the acquired firm's infrastructure before connecting it to its own. This requires coordination and cooperation with the acquired company's IT department, engineers and software developers.

2. Regularly review and update computer security policies. As the saying goes, “The best defense is a good offense.” The business case should always precede and drive the technological aspects of computer security. Organizations should construct and/or update existing security policies and procedures involving all aspects of the business. Security policies and procedures should reflect the current business climate. They should provide clear guidelines on how to respond to the latest cyberthreats. The organization’s security policies should have a clear list of “Dos and Don’ts.” It should be disseminated by human resources to all employees via hard copy and email. And it should also be incorporated into the onboarding training process for new employees. Businesses should treat cybersecurity with the same seriousness as they do with issues of discrimination and sexual harassment.

2. Regularly review and update computer security policies. As the saying goes, "the best defense is a good offense." The business case should always come before the technical side of computer security and drive it. Organizations should construct and/or update existing security policies and procedures that cover every aspect of the business. Security policies and procedures should reflect the current business climate. They should provide clear guidelines on how to respond to the latest cyberthreats. The organization's security policies should contain a clear list of "dos and don'ts." Human resources should distribute this list to all employees in hard copy and by email, and it should also be incorporated into the onboarding training for new employees. Businesses should treat cybersecurity as seriously as they treat discrimination and sexual harassment.

3. Enforce computer/cybersecurity policies and procedures. No exceptions. Make it clear that the corporate cybersecurity rules are not made to be broken. The organization should construct a clear, concise list of the penalties associated with various infractions. These should include a sliding scale of actions the corporation may take for first, second and third infractions. Failure to comply with the corporation’s cybersecurity policies may involve myriad actions ranging from a warning to termination and even criminal prosecution.

3. Strictly enforce computer/cybersecurity policies and procedures. No exceptions. Make it clear that the company's cybersecurity rules are not to be broken. The organization should establish a clear, concise list of the penalties associated with the various infractions. The list should include the sliding scale of actions the company may take for first, second and third infractions. Failure to comply with the company's cybersecurity policies may incur penalties ranging from a warning to dismissal and even criminal prosecution.

4. Educate all users. Everyone in the organization from the chief executive to the IT department, application developers, knowledge workers, contract workers and office temps must be educated and adhere to the company’s computer and cybersecurity policies and procedures. Additionally, the IT department should regularly inform users about the latest threats via email and hard copy.

4. Educate all users. Everyone in the organization, from the chief executive to the IT department, application developers, knowledge workers, contract workers and office temps, must be educated in and adhere to the company's computer and cybersecurity policies and procedures. In addition, the IT department should regularly inform users of the latest security threats via email and hard copy.

5. Construct a cybersecurity-specific operational level agreement/response plan. Every organization, irrespective of size or vertical market, should have a detailed OLA plan in place to quickly and efficiently respond to cyberattacks and cyberheists. An OLA is a set of detailed policies and procedures that governs how the company’s internal stakeholders — chief security officer, chief technology officer, director or VP of IT, administrators and security professionals — will work together to respond to issues. The OLA agreement will detail the policies and procedures for dealing with hacks to minimize downtime, data loss and theft. Quick response to a security issue can be the difference between thwarting a hack or suffering downtime and data losses. The cybersecurity OLA should establish and define the organizational chain of command, assign specific duties and responsibilities in the event of an attack, outline daily security operations and provide detailed instructions on how all the various internal stakeholders will work synergistically to respond to security issues. The cybersecurity OLA should also include a list of all outside third-party vendors and service providers and a list of contacts at those organizations.

5. Construct a cybersecurity-specific operational level agreement/response plan. Regardless of size or vertical market, every organization should have a detailed OLA (Operational Level Agreement) plan in place so it can respond quickly and effectively to general cyberattacks and to cyberheists (cyberattacks aimed at finances and transactions). An OLA is a set of detailed policies and procedures that governs how the company's internal stakeholders (the chief security officer, chief technology officer, IT director or VP, administrators and security professionals) will work together to respond to issues. The OLA agreement will detail the policies and procedures for handling hacks so as to minimize the losses from downtime, data loss and data theft. A quick response to a security issue can be the difference between thwarting a hack and suffering downtime and data loss. The cybersecurity OLA should establish and define the organization's chain of command, assign specific duties and responsibilities when an attack occurs, outline daily security operations, and provide detailed instructions on how all internal stakeholders will work together to respond to security issues. It should also include a list of all outside third-party vendors and service providers, and a list of contacts at those organizations.

6. Security should be built in. Security cannot be practiced with 20/20 hindsight. It is the company’s responsibility to perform due diligence and work in concert with its vendors, resellers, third-party independent software vendors and professional service providers to ensure that all new devices and applications incorporate the latest security mechanisms. Before provisioning or deploying any device or application, the company should take great pains to ensure they are secure by design, secure by default, secure in usage, secure in transmission and secure at rest (storage).

6. Security should be built in. Security cannot be practiced with 20/20 hindsight. It is the company's responsibility to perform due diligence and work in concert with its vendors, resellers, third-party independent software vendors and professional service providers to ensure that all new devices and applications adopt the latest security mechanisms. Before provisioning or deploying any device or application, the company should take great pains to ensure it is secure by design, secure by default, secure in usage, secure in transmission and secure at rest (storage).

7. Budget appropriately. There’s a lot of competition among the various corporate upgrade projects and individual departments to get their slice of the organization’s capital expenditure (Capex) and ongoing operational expenditure (Opex) budget. Oftentimes, security gets short shrift and loses out to other projects and stakeholders. The adage, “If it ain’t broke, don’t fix it,” definitely does not apply here. There’s intense competition within the IT department for various Capex and Opex projects. Any firm that delays and defers security does so at its peril. Perform due diligence involving all pertinent parties to determine a timetable and construct a budget for hiring skilled security IT staff, or hiring outside third parties to perform vulnerability testing and risk mitigation, purchasing new security software, equipment or upgrading existing devices.

7. Budget appropriately. There is a lot of competition among the company's various upgrade projects and individual departments for a share of the corporate capital expenditure (Capex) and ongoing operational expenditure (Opex) budgets. Security is often neglected and loses out to other projects and stakeholders. The adage "if it ain't broke, don't fix it" absolutely does not apply here. Within the IT department there is intense competition among the various Capex and Opex projects. Any company that delays and defers security does so at its peril. Perform due diligence involving all relevant parties to determine a timetable and construct a budget for hiring skilled security IT staff or engaging outside third parties to perform vulnerability testing and risk mitigation, and for purchasing new security software and equipment or upgrading existing devices.

8. Deploy security awareness training from the C-suite down to the IT department. ITIC’s most recent security survey found that over 40% of the 600 responding organizations could not identify the type, length or severity of the cyberattacks their firms had experienced. Additionally, 11% of respondents said they were “unsure” if their companies had suffered a hack over the last 12 months. Hardly a day goes by without another new major cyberattack or other security-related issue making the news. Overworked and often under-staffed IT and security administrators are hard pressed to keep pace with the increase in security threats. If you can’t identify a threat, you won’t recognize it when it happens. If your organization fails to implement the appropriate safeguards, such as auditing, authentication and tracking mechanisms, it will be difficult if not impossible to track the culprits.

8. Deploy security awareness training from the C-suite down to the IT department. ITIC's most recent security survey found that over 40% of the 600 responding organizations could not identify the type, duration or severity of the cyberattacks their companies had experienced. In addition, 11% of respondents said they were "unsure" whether their companies had suffered a hack over the past 12 months. Hardly a day goes by without news of another major cyberattack or other security-related issue. Overworked and often under-staffed IT and security administrators struggle to keep pace with the growth in security threats. If you cannot identify a threat, you will not recognize it when it happens. If your organization fails to implement appropriate safeguards (such as auditing, authentication and tracking mechanisms), tracking down the culprits will be very difficult, if not impossible.

9. Stay current on the latest security patches and fixes. This may seem obvious, but its importance cannot be overstated.

9. Stay current on the latest security patches and fixes. This may seem obvious, but its importance cannot be overstated.

10. Calculate the cost of downtime related to cyberattacks and hacks. There is no more sobering wake-up call than for corporations to calculate the monetary costs and business consequences as a result of a cyberattack. These include, but are not limited to, downtime; lost, stolen, damaged/destroyed or altered data; and the cost and amount of time it takes for IT to perform remediation. Also consider the monetary cost of potential litigation, civil and criminal penalties, damage to the company’s reputation and brand, and potential lost business.

10. Calculate the cost of downtime related to cyberattacks and hacks. For a company, there is no more sobering wake-up call than calculating the monetary costs and business consequences of a cyberattack. These include (but are not limited to): downtime; lost, stolen, damaged/destroyed or altered data; and the time and cost of IT remediation. Also consider the cost of potential litigation, civil and criminal penalties, damage to the company's reputation and brand, and potential lost business.

Ultimately, everyone in the corporate enterprise — from the C-level executives to the IT department and all the end users — must communicate, collaborate and cooperate to defend the data assets. Ask yourself: What have you got to lose?

Ultimately, everyone in the enterprise (from the C-level executives to the IT department and all end users) must communicate, collaborate and cooperate to protect data assets. Ask yourself: what have you got to lose?
