security information and event management 学习初探（二）

上次勉强看完了第一本关于关联分析的书
今天来看下一本真正讲到SIEM当中有关概念以及实现的书

PART I Introduction to SIEM: Threat Intelligence for IT Systems

CHAPTER 1 Business Models

商业模式分为三种： Government Commercial Universities

首先是一个概念，学过安全的人都知道：CIA -> Confidentiality、Integrity、Availability
Three-Letter Agencies
Central Intelligence Agency (CIA)
Federal Bureau of Investigations (FBI)
National Security Agency (NSA)
Britain’s MI5
Iran’s Ministry of Security (MOIS/VEVAK)
Germany’s Federal Intelligence Service(Bundesnachrichtendienst)

principles of system security:categorization of data、need to know、the principle of least privilege

接下来就对这三种模式当中的这三个属性进行评估

CHAPTER 2 Threat Models

The Bad Things That Could Happen：

• Vulnerabilities：存在安全上的漏洞
• Vulnerable Protocols：有漏洞与缺陷的协议
• Misconfiguration：配置出错
• User Awareness and Mistakes：用户操作不当

Malicious Intent：
1.Internal Threats：其实这是最关键的一环，当然也没什么好讨论的，有几个措施可以预防：

• Separation of duties
• Job rotation Security awareness training
• Strict permissions on all resources
• Implement auditing on critical data,applications, and system configuration and logs

2.External Threats：human attack

Recognizing Attacks on the IT Systems：
Scanning or Reconnaissance（footprint and fingerprint）
Exploits：

• Viruses
• Worms
• IP Spoofing from the Outside
• IP Spoofing from the Inside
• Distributed Denial-of-Service (DDoS)
• Buffer Overflow and SQL Injection Attacks
• Password Attacks
• Attacks on IDS/IPS Systems
• Other Systems Under Attack

Entrenchment（留后门等一系列动作，用于进一步控制系统同时避开各种监测）：

• Disable operating system and application updates
• Disable antivirus and antispyware updates
• Disable forwarding logs to syslog or the SIEM system
• Make system configuration changes
• Install new service(s) and/or stop service(s)

Phoning Home（进一步安装各种恶意软件及工具等等等等）：

• Reset the browser’s default home page
• Use known bad or blacklist IP addresses
• Use of dark IP address space
• Use of a good destination IP address, but with unusual behavior

Control：IRC protocol等

CHAPTER 3 Regulatory Compliance（法规遵从性）

Regulatory Compliance：

• Sarbanes-Oxley Act (2002) - SOX
• Gramm-Leach-Bliley Act (1999) - GLBA
• Healthcare Insurance Portability and Accountability Act (1996) - HIPAA
• Payment Card Industry Data Security Standard - PCI DSS
• California Senate Bill 1386 (2003) - CA SB1386
• Federal Information Security Management Act (2002) - FISMA
• Cyber Security Act of 2009 (SB 773) - not yet ratified

Prudent Security：

1. Assign a Specific Individual or Group Responsible for Security/Compliance
2. Implement Environmental (Physical) and Operational Security
3. Identify, Categorize, and Protect Sensitive IT Assets (Systems and Data)
4. Define Policies and Procedures Regarding IT Security
5. Follow Vendor, Industry, and Government Security and Configuration “Best Practices”
6. Provide Ongoing Security Awareness Training to All Employees
7. Design Systems and Applications with Security Built In
8. Separate Development, Quality Assurance, and Production Systems and Processes
9. Secure Sensitive Data in Transit and at Rest (Encryption)
10. Implement Unique User IDs per User and per User’s Role
11. Implement Strong Authentication Techniques
12. Implement a Strong Password Policy
13. Provide Access Using the Principle of Least Privilege
14. Implement Access Controls on All IT Assets
15. Configure Systems Securely Before Implementing Them in Production
16. Patch Operating Systems, Devices (Firmware), and Applications in a Timely Manner
17. Implement Antivirus and Antispyware Applications on All Nodes, and on IDS and IPS Systems and Update Definitions Frequently
18. Implement Properly Configured Perimeter/Boundary Security Systems (IP Tables, Firewalls,Proxy Servers)
19. Monitor All IT System Access (Auditing)
20. Provide Automatic Alerting Systems on Violations of IT System Assets
21. Implement Incident Response to All Breaches of Security
22. Test Security Systems and Processes Regularly

好长啊~- -这里看的我都要吐了 大致都是一些规则，如果要设计安全的系统必须要参考的，摆在这里镇着吧。