However, not all encrypted traffic on the Internet can be decrypted: connections protected by Certificate Pinning or CAC Authentication cannot be.

2024/05/06 05:35:32 hotcomm 1363

However, not all encrypted traffic on the Internet can be decrypted: connections protected by Certificate Pinning or CAC Authentication cannot be intercepted. A pinned client trusts only its own server's certificate, and a server that demands client-certificate authentication needs a signature from the user's private key, which the inspection device does not hold, so in both cases a man-in-the-middle certificate breaks the connection instead of opening it. Chen Zhiwei explained that typical examples of Certificate Pinning are applications such as Twitter, Skype and Windows Update; SSLi has a predefined list of them, for which SSLi-Bypass can be set. CAC Authentication is used with natural-person certificates and online-banking digital signatures; SSLi bypasses decryption for it only when a specified remote server, identified by its SNI, requests CAC.

In addition, regulations in some regions prohibit decrypting certain traffic in order to protect the privacy of sensitive data on the user side: HIPAA, PHI, PCI DSS and the like. A10 has pre-classified such sites, and the network administrator can simply pull the category into the bypass setting. Chen Zhiwei gave an example: "Some public agencies need to decrypt traffic to the Server Farm services inside, and to decrypt Office-area user traffic both internally and externally, but they must keep the existing architecture and provide URL Filtering, and only want to start with one or two departments and bring traffic in gradually. These are all things SSLi can do."
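As an added illustration of SNI-based bypass, and not A10's own code or configuration, the following Go program parses the SNI out of a TLS ClientHello and decides whether the session is intercepted or bypassed. The rule list, the host names and the constructed ClientHello are assumptions for the example; a real SSLi device reads the record off the wire and takes its pinning and category lists from the vendor.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Rule: a session whose SNI equals Domain or is a subdomain of it is not
// decrypted. These entries are assumed examples, not A10's predefined lists.
type Rule struct{ Domain, Reason string }

func SampleRules() []Rule {
	return []Rule{
		{"twitter.com", "certificate pinning"},
		{"ebank.example.com.tw", "client certificate (CAC) authentication"},
		{"hospital.example", "regulated category: healthcare"},
	}
}

// Decide returns "bypass" with the matching reason, or "intercept" when the
// proxy may terminate TLS, inspect, and re-encrypt the session.
func Decide(sni string, rules []Rule) (action, reason string) {
	host := strings.ToLower(strings.TrimSuffix(sni, "."))
	for _, r := range rules {
		if host == r.Domain || strings.HasSuffix(host, "."+r.Domain) {
			return "bypass", r.Reason
		}
	}
	return "intercept", "no bypass rule matched"
}

// ExtractSNI walks a TLS record carrying a ClientHello (RFC 5246 7.4.1.2, RFC
// 6066 3) and returns the server_name. Every offset is bounds-checked, so
// truncated or hostile input returns an error instead of panicking the proxy.
func ExtractSNI(rec []byte) (string, error) {
	bad := errors.New("malformed or non-ClientHello record")
	// record header(5) + handshake header(4) + client_version(2) + random(32) = 43
	if len(rec) < 43 || rec[0] != 0x16 || rec[5] != 0x01 {
		return "", bad
	}
	p, n := 43, 0
	for _, w := range [4]int{1, 2, 1, 2} { // session_id, cipher_suites, compression_methods, extensions
		if len(rec) < p+w {
			return "", bad
		}
		if n = int(rec[p]); w == 2 {
			n = int(binary.BigEndian.Uint16(rec[p:]))
		}
		p += w + n
	}
	end := p
	if len(rec) < end {
		return "", bad
	}
	for p -= n; p+4 <= end; {
		typ, l := binary.BigEndian.Uint16(rec[p:]), int(binary.BigEndian.Uint16(rec[p+2:]))
		d := p + 4
		if p = d + l; p > end {
			return "", bad
		}
		if typ != 0 { // extension type 0 = server_name
			continue
		}
		// server_name_list: list_len(2) name_type(1) name_len(2) host_name
		if l >= 5 && rec[d+2] == 0 {
			if nl := int(binary.BigEndian.Uint16(rec[d+3:])); nl+5 <= l {
				return string(rec[d+5 : d+5+nl]), nil
			}
		}
		return "", bad
	}
	return "", errors.New("no server_name extension")
}

func u16(n int) []byte { return []byte{byte(n >> 8), byte(n)} }

// BuildClientHello builds a minimal TLS 1.2 ClientHello record carrying only
// an SNI extension, so the example runs offline (constructed, not a capture).
func BuildClientHello(host string) []byte {
	n := len(host)
	// extension type 0, ext_len, list_len, name_type 0, name_len, host_name
	ext := append([]byte{0, 0, byte((n + 5) >> 8), byte(n + 5), byte((n + 3) >> 8), byte(n + 3), 0, byte(n >> 8), byte(n)}, host...)
	body := append([]byte{3, 3}, make([]byte, 32)...)                        // client_version + zero random
	body = append(append(body, 0, 0, 2, 0x13, 0x01, 1, 0), u16(len(ext))...) // no session_id, one suite, null compression, ext_len
	body = append(body, ext...)
	hs := append(append([]byte{1, 0}, u16(len(body))...), body...) // handshake type 1, 24-bit length
	return append(append([]byte{0x16, 3, 1}, u16(len(hs))...), hs...)
}

func main() {
	for _, h := range []string{"api.twitter.com", "ebank.example.com.tw", "www.example.com"} {
		if sni, err := ExtractSNI(BuildClientHello(h)); err != nil {
			fmt.Println("error:", err)
		} else {
			action, reason := Decide(sni, SampleRules())
			fmt.Printf("%-22s %-9s %s\n", sni, action, reason)
		}
	}
}
```

Matching on the SNI is what makes the decision possible before any decryption happens: the server_name extension travels in the clear in the very first client message, so the proxy can step aside without ever terminating the session. The suffix match insists on a label boundary, so notebank.example.com.tw does not inherit the ebank rule.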


Digital document workflows have been adopted in many industries for being paperless, efficient and time-saving. In a large organization the sign-off process spans internal and external units and several levels of management, which is very time-consuming. Adobe technical consultant Cao Shenggeng said: "Compared with traditional paper-based internal sign-off, electronic signatures can shorten the process significantly, to as little as a day and a half."

Cao Shenggeng explained that electronic signatures and digital signatures are not the same thing, and which one is needed depends on the legal and regulatory requirements that apply to the signature. Digital signatures are a subset of the broader category of electronic signatures. Conventional electronic signatures verify the signer by any of several means, such as e-mail, a business ID or phone verification, whereas a digital signature uses one specific method: the signer proves identity with a digital ID, and that ID is normally a certificate issued by a trusted third party, the certificate authority.
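To make that difference concrete, here is an added Go example (not Adobe's code) of what a digital-signature verifier actually checks: that the signer's digital ID chains to a trusted certificate authority, and that the signature matches the document content under that ID's public key. The CA and signer names, the document text and the choice of ECDSA P-256 are assumptions for the example; production systems wrap the same two checks in PAdES/CMS containers with revocation checks and time stamps.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedDocument carries what a digital-signature container (PAdES, CMS)
// carries in essence: content, the signer's certificate, and a signature
// over the content's digest.
type SignedDocument struct {
	Content []byte
	Cert    []byte // DER certificate issued to the signer by the CA
	Sig     []byte // ASN.1 ECDSA signature over sha256(Content)
}

// Issue generates a P-256 key pair and a certificate for name. With ca == nil
// it creates a self-signed CA (the trusted third party); otherwise the CA
// signs a leaf certificate, the signer's digital ID.
func Issue(name string, serial int64, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ca == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		ca, caKey = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Sign hashes the content and signs the digest with the signer's private key.
func Sign(content []byte, cert *x509.Certificate, key *ecdsa.PrivateKey) (SignedDocument, error) {
	h := sha256.Sum256(content)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	return SignedDocument{Content: content, Cert: cert.Raw, Sig: sig}, err
}

// Verify performs the two checks that make a digital signature more than an
// e-mail or phone check: the signer's certificate chains to the trusted root,
// and the signature matches the content under that certificate's public key.
// It returns the verified signer name.
func Verify(doc SignedDocument, root *x509.Certificate) (string, error) {
	cert, err := x509.ParseCertificate(doc.Cert)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("digital ID not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", errors.New("unexpected key type in certificate")
	}
	h := sha256.Sum256(doc.Content)
	if !ecdsa.VerifyASN1(pub, h[:], doc.Sig) {
		return "", errors.New("signature does not match content")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, caKey, err := Issue("Example Citizen CA", 1, nil, nil) // assumed names throughout
	if err != nil {
		panic(err)
	}
	cert, key, _ := Issue("Wang Xiaoming", 2, ca, caKey)
	doc, _ := Sign([]byte("Approved: procurement case 2024-17"), cert, key)
	fmt.Println(Verify(doc, ca)) // signer name and a nil error
	doc.Content[0] ^= 1          // one bit changed after signing
	fmt.Println(Verify(doc, ca)) // empty name and "signature does not match content"
}
```

Changing a single byte of the content fails the second check, and an ID issued by a CA outside the trust store fails the first; a conventional e-mail or phone check has no equivalent for either.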

In addition, Cao Shenggeng reminded that a digital signature system also has to take the file system and cloud platform into account, especially when files must be uploaded to the cloud: "If government units use Microsoft 365, OneDrive, Teams and so on, the digital signature system must be able to integrate with them and be used directly as a plug-in."

Endpoint response to the new information security law

The new information security law provides that approved Level A and Level B public agencies shall complete the introduction of an information security vulnerability reporting mechanism within one year and of an endpoint detection and response mechanism within two years. In the words of the text, "Endpoint detection and response mechanism refers to protection operations that have the functions of active scanning and detection of endpoints, vulnerability protection, analysis of suspicious programs or abnormal activity behaviour, and presentation of the associated threat levels."

SMIC Data technical manager Sun Weirong reminded: "The focus of this provision should be on 'analysis of abnormal activity behaviour', which involves two issues: one is behaviour and the other is analysis." Behaviour can only be seen if the data was recorded in the first place, and who does the analysis and how accurate it is will largely determine what the new information security law achieves. He said: "If this is not understood clearly, it will not only increase the workload of security personnel but also fail to raise the unit's security protection capability."

Sun Weirong also cited Japanese video game developer Capcom, the ransomware case everyone is currently paying attention to, and offered a clarification: "Is the real problem a ransomware virus or a hacker attack? In Capcom's case, '1 TB of data was stolen' and 'the hackers used the legitimate computer tool PowerShell to steal accounts'; legitimate tools were used to cover up an illegal attack. This is not a simple ransomware virus but hacker attack behaviour." There are two key points in analysing hacker attacks:

1. How do the hackers find the important hosts within the organization? How do they know which one it is?

2. How do the hackers steal the really important files? How do they know where the files are?

Sun Weirong pointed out that the three middle steps of the APT attack chain, planting backdoors, collecting information and escalating privileges, and lateral movement, are the key to dealing with ransomware attacks. "When an unknown malicious program gets in, it is the 'unstoppable' malicious behaviour that usually causes the greatest losses to an organization. When hackers intrude they plant a backdoor so that the malicious program is launched every time the computer is turned on. After the backdoor is in place come information collection and privilege escalation. Hackers use tools to steal device passwords, not by brute force or rainbow tables, which are too easy to detect; now it is the MitM (Man-in-the-middle) method, where a logged-in account's password can be extracted directly. They then use the stolen account passwords to move laterally to other devices and extract data."

Prior defence relies on intelligence, which is the product of investigation after a malicious program has been discovered by some other unit. But in this process we find that the handling of APT attack incidents proceeds entirely without intelligence. Sun Weirong described it this way: "Hackers usually plant 3 to 4 backdoors. If you do not know which devices have problems during incident handling, how can you be sure they will all be found? During analysis, are you sure you can find those backdoors? During forensics, can you find the source? If not, there is no guarantee that the hackers will not come in the same way next time."

Endpoint management requires four keys:

1. The system must record the behaviour of malicious programs, and grey (unclassified) programs must be collected as well; otherwise, when an unknown malicious program acts, there is nothing to analyse.

2. People: there must be enough manpower and technical capability to analyse every alert, so that anomalies the system has found are not left undiscovered by the unit.

3. Speed: analysis can start the moment an unknown malicious program acts, without having to collect further data first, so that the whole situation is grasped and nothing slips through the net.

4. Malicious programs can be located precisely and removed efficiently, rather than staff having to go on site and handle machines one by one, which reduces the damage to the unit.
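As an added example, not from the speaker or his company, the following Go program runs four behavioural rules over constructed endpoint telemetry that covers the middle of the chain described above: an autorun key written for persistence, obfuscated PowerShell, a non-security process opening lsass.exe, and one account logging on remotely to several hosts. The event format, host and user names, the threshold and the process allow-list are all assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Event is one endpoint telemetry record, simplified from what an EDR sensor
// logs. Target holds a registry key, an accessed process name, or a logon
// type ("network" or "interactive"), depending on Kind.
type Event struct {
	Seq                                 int
	Host, User, Kind, Proc, Cmd, Target string
}

// Finding ties a suspicious event to the attack-chain stage it suggests.
type Finding struct{ Stage, Host, Detail string }

// Analyze applies four behavioural rules matching the middle of the chain:
// persistence via an autorun key, obfuscated PowerShell, a non-security
// process reading LSASS, and one account fanning out across hosts.
func Analyze(events []Event) []Finding {
	var out []Finding
	hostsByUser := map[string]map[string]bool{}
	for _, e := range events {
		proc, cmd := strings.ToLower(e.Proc), strings.ToLower(e.Cmd)
		switch e.Kind {
		case "registry":
			if strings.Contains(strings.ToLower(e.Target), `\currentversion\run\`) {
				out = append(out, Finding{"persistence", e.Host, e.Proc + " wrote autorun key " + e.Target})
			}
		case "process":
			if strings.Contains(proc, "powershell") && (strings.Contains(cmd, " -enc") || strings.Contains(cmd, " -w hidden")) {
				out = append(out, Finding{"execution", e.Host, "obfuscated PowerShell: " + e.Cmd})
			}
		case "process_access":
			// Name-based allow-list for the AV engine; real rules also check path and signer.
			if strings.EqualFold(e.Target, "lsass.exe") && proc != "msmpeng.exe" {
				out = append(out, Finding{"credential-theft", e.Host, e.Proc + " opened lsass.exe"})
			}
		case "logon":
			if e.Target == "network" { // remote logons only
				if hostsByUser[e.User] == nil {
					hostsByUser[e.User] = map[string]bool{}
				}
				hostsByUser[e.User][e.Host] = true
			}
		}
	}
	for user, hosts := range hostsByUser {
		if len(hosts) >= 3 { // assumed threshold
			names := make([]string, 0, len(hosts))
			for h := range hosts {
				names = append(names, h)
			}
			sort.Strings(names)
			out = append(out, Finding{"lateral-movement", strings.Join(names, ","), user + " logged on remotely to " + fmt.Sprint(len(hosts)) + " hosts"})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Stage < out[j].Stage })
	return out
}

// SampleEvents is constructed telemetry: a benign script run and the AV
// engine touching LSASS sit beside the malicious chain on WS-01.
func SampleEvents() []Event {
	return []Event{
		{1, "WS-01", "alice", "process", "powershell.exe", `powershell.exe -File C:\scripts\backup.ps1`, ""},
		{2, "WS-01", "alice", "process", "powershell.exe", `powershell.exe -nop -w hidden -enc SQBFAFgA`, ""},
		{3, "WS-01", "alice", "registry", "powershell.exe", "", `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater`},
		{4, "WS-01", "SYSTEM", "process_access", "MsMpEng.exe", "", "lsass.exe"},
		{5, "WS-01", "alice", "process_access", "rundll32.exe", "", "lsass.exe"},
		{6, "WS-01", "svc_backup", "logon", "", "", "network"},
		{7, "FS-02", "svc_backup", "logon", "", "", "network"},
		{8, "DC-01", "svc_backup", "logon", "", "", "network"},
		{9, "WS-03", "bob", "logon", "", "", "interactive"},
	}
}

func main() {
	for _, f := range Analyze(SampleEvents()) {
		fmt.Printf("%-17s %-18s %s\n", f.Stage, f.Host, f.Detail)
	}
}
```

The allow-list exception for the AV engine is keyed on process name alone, which an attacker can spoof; a production rule would also check the image path and code signature. The lateral-movement rule only works because logon events were recorded from every host, which is the first of the four keys above: behaviour that was never recorded cannot be analysed.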

