

New thoughts on the operations security industry prompted by the EternalBlue virus incident

2025-04-03 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/02 Report

I. Global outbreak of the NSA "EternalBlue" ransomware worm

The outbreak of the WannaCry ransomware on May 12, 2017 wreaked havoc on networks around the world and caused great panic among enterprises and institutions in many countries. Windows systems were the worst hit, so Windows was naturally the first suspect: some people think that negligence and omissions in handling the system's vulnerabilities are what allowed the ransomware to spread. Microsoft, itself a victim, pointed the finger at the National Security Agency (NSA) and EternalBlue. Criminals used the EternalBlue vulnerability to attack Windows systems, lock them, and demand a ransom, threatening that all data would otherwise be deleted.

Judging from the characteristics of the WannaCry ransomware, the new normal of network threats has shifted from network security to data security and from passive defense to active protection. At present there are few domestic products and enterprises working on core data security and taking active defense measures, which is also the blue-ocean field of the domestic network security market.

In the face of the damage done by the WannaCry ransomware, we would like to ask: what is the NSA's EternalBlue? What vulnerabilities are there in the Windows system? What measures has Microsoft taken against the ransomware? Our country has suffered heavy losses from this virus; what should it do about network security?

II. What is the NSA EternalBlue ransomware?

NSA is the abbreviation of the National Security Agency. EternalBlue is one of the leaked tools from the NSA's cyber-weapons arsenal, which criminals took advantage of. The WannaCry ransomware that broke out on May 12 was triggered by criminals using the EternalBlue tool against computer systems. It is reported that the NSA's EternalBlue exploitation tool can remotely break into about 70% of the world's Windows systems. There are reports that NSA EternalBlue may have been used against the global banking system, exploiting security vulnerabilities on computers and servers running Microsoft's Windows system.

III. What are the problems in the Windows system?

The EternalBlue ransomware worm was able to sweep the world by exploiting Microsoft's MS17-010 vulnerability, a flaw in an underlying Windows service (SMB) that is reachable through port 445. The attack works by scanning the network for hosts with port 445 open and implanting the worm into each of them; every compromised computer then scans for other computers, so the infection spreads like a row of dominoes.
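The propagation pattern just described (one host contacting many peers on port 445 in a short time) is something a defender can look for in firewall or flow logs. The following is an added example, not code from the original article or from any product it mentions; the log format is an assumption, and every sample line is constructed.

```python
"""Detect worm-style fan-out to TCP/445 (SMB) in connection logs.

Added example, not code from the original article. The log format is an
assumption: one constructed line per connection attempt,
"<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <allow|deny>".
A host that contacts many distinct peers on 445 within a short window is
behaving like the propagation stage described in the text, whether or not
the firewall let each attempt through.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<action>allow|deny)$"
)

# Constructed sample: 10.0.0.5 and 10.0.0.7 use the file server normally;
# 10.0.0.42 sweeps twelve neighbours on 445 within a few seconds.
SAMPLE_LOG = "\n".join(
    ["2017-05-12T10:00:01 10.0.0.5 -> 10.0.0.20:445 allow",
     "2017-05-12T10:00:02 10.0.0.7 -> 10.0.0.20:445 allow"]
    + [f"2017-05-12T10:00:{3 + i // 4:02d} 10.0.0.42 -> 10.0.0.{i + 1}:445 "
       + ("allow" if i % 3 == 0 else "deny") for i in range(12)]
    + ["2017-05-12T10:00:07 10.0.0.5 -> 10.0.0.20:80 allow",
       "this line is malformed and is skipped"]
)


def parse_log(text):
    """Yield parsed events; silently skip lines that do not match the format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield {
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "action": m["action"],
        }


def smb_fanout(text, threshold=10, window=timedelta(seconds=60)):
    """Return {src_ip: peak distinct 445 targets} for sources at or over threshold.

    A sliding time window per source keeps a slow, legitimate admin host that
    touches a few servers over a day from being confused with a sweep.
    """
    per_src = defaultdict(list)
    for ev in parse_log(text):
        if ev["dport"] == 445:
            per_src[ev["src"]].append((ev["ts"], ev["dst"]))

    alerts = {}
    for src, events in per_src.items():
        events.sort()
        left = 0
        for right in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[right][0] - events[left][0] > window:
                left += 1
            distinct = {dst for _, dst in events[left:right + 1]}
            if len(distinct) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for src, peers in smb_fanout(SAMPLE_LOG).items():
        print(f"ALERT {src}: {peers} distinct hosts on 445 within 60s")
```

Denied attempts are counted as well as allowed ones: a host that is blocked at the firewall from reaching port 445 on a dozen neighbours is still a host that is probably infected and should be isolated.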

The main affected Windows versions include Windows Server 2003, Windows 7, Windows 8, Windows 10 and Windows XP. In response, Microsoft has released remedial measures; the security patch can be downloaded from: https://technet.microsoft.com/zh-cn/library/security/ms17-010.aspx

Judging from the available data, China has been affected to a certain extent by the WannaCrypt ransomware. Although port 445, as the key entry point, has been blocked by the domestic backbone operators, campus networks and key domestic enterprises and institutions hold China's basic information and core data; once they are attacked, the impact would be unimaginable.

IV. On the security of enterprise operations

1. Active and passive discovery of vulnerabilities

"Active" here refers to what the security engineer takes the initiative to do; "passive" does not mean being beaten passively, but rather obtaining information and mounting a defense on one's own initiative.

Because of the information asymmetry between attackers and defenders, security engineers may not learn about many attacks and vulnerability exploits immediately, which is how a server gets hacked. The webshells that get uploaded come from nothing more than the following:

High-risk vulnerabilities in open-source programs let attackers upload a webshell; server configuration errors let attackers upload a webshell by exploiting operations flaws; and code written by programmers with SQL injection, file inclusion and command execution problems is found and exploited by attackers to upload a webshell. Does this mean that, as defenders, we must be beaten passively? Of course not. If operations security is done well, a security check is made when the server first goes live, the hardening is packaged into a hardened baseline, and later outsiders are invited to conduct penetration tests to check the enterprise's security. Then the security foundation is solid.

From the active side, enterprises can use the following methods to nip attackers' ideas in the bud.

1. Proactively harden the system: resolutely eliminate weak passwords; inventory the default management back-ends exposed to the public network (take down those that can be taken down, and put access control in front of those that cannot); and harden servers such as Tomcat, JBoss and Resin against weak passwords, because attackers are constantly harvesting "broilers" (zombie machines) through these services on the Internet.

2. Fixing vulnerabilities should not be limited to hardening; vulnerabilities should also be found proactively. The production environment and web applications need to be scanned regularly, and external port scanning needs to be combined with the asset inventory. If the scan cannot be tied to assets, the results will not be satisfactory.

3. Have an in-depth understanding of the open-source programs used by the enterprise, such as web servers and third-party middleware, and pay attention to the recent security risks of these applications:

For example, Struts vulnerabilities can be kept under control if they are detected early (get the information in time by following WooYun (乌云), Weibo and so on).

The second is permission control. With Struts vulnerabilities, a Struts2 instance running as root is the most seriously affected, while one running with lower privileges gets off lighter: not that it cannot be exploited, but that the attacker does not have the permission to do further damage on the server, such as rm -rf /. So the control of permissions should also be taken into account in hardening.

4. Passive discovery of vulnerabilities can rely on vulnerability submissions on platforms such as WooYun to anticipate possible vulnerabilities, and then test the application in combination with point 3. If vulnerabilities are found they can be repaired quickly, and no attacker-uploaded webshell will appear.
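Points 1 to 3 above amount to a baseline check: tie the external port scan to the asset inventory, flag management back-ends that are reachable from the public network, and flag services running as root. The following is an added example of such a check, not code from the original article; the inventory layout, the hosts, the scan results and the port-policy table are all constructed assumptions for illustration.

```python
"""Reconcile an external port scan with the asset inventory and flag
hardening gaps (unknown services, exposed management ports, root services).

Added example, not code from the original article. The inventory layout,
the scan results and the hosts are all constructed; the port table below is
an assumption about which services this enterprise never exposes publicly.
"""

# Constructed asset inventory: what each host is *supposed* to run.
INVENTORY = {
    "web01": {"public": True, "services": [
        {"port": 80, "name": "nginx", "runs_as": "www-data"},
        {"port": 22, "name": "sshd", "runs_as": "root"},
    ]},
    "app01": {"public": True, "services": [
        {"port": 8080, "name": "tomcat", "runs_as": "root"},
    ]},
    "file01": {"public": False, "services": [
        {"port": 445, "name": "smb", "runs_as": "root"},
    ]},
}

# Constructed result of an external scan: (host, open port).
SCAN_RESULTS = [
    ("web01", 80), ("web01", 22), ("web01", 8080),
    ("app01", 8080), ("app01", 8009),
    ("db02", 3306),
]

# Assumed policy: management/back-end ports that must not be reachable from
# the public network (the "default management back-ends" the text says to
# collect and lock down).
MANAGEMENT_PORTS = {
    445: "SMB", 3306: "MySQL", 8080: "Tomcat manager/HTTP", 8009: "AJP",
    8000: "JBoss console", 3389: "RDP",
}

# Services expected to run as root; any other root service is a finding,
# because compromising it would hand the attacker root directly.
ROOT_ALLOWED = {"sshd"}


def reconcile(inventory, scan_results):
    """Return a list of (severity, host, message) findings."""
    findings = []
    seen = set(scan_results)
    known = {(h, s["port"]) for h, info in inventory.items() for s in info["services"]}

    # Scan -> inventory: anything open that nobody registered is exactly the
    # "scan results not tied to assets" problem the text warns about.
    for host, port in sorted(seen):
        if host not in inventory:
            findings.append(("HIGH", host, f"port {port} open on a host missing from the inventory"))
        elif (host, port) not in known:
            findings.append(("HIGH", host, f"port {port} open but not registered in the inventory"))

    # Inventory -> scan, plus the hardening checks.
    for host, info in sorted(inventory.items()):
        for svc in info["services"]:
            port, name = svc["port"], svc["name"]
            if (host, port) not in seen:
                findings.append(("LOW", host, f"inventory lists {name} on {port} but the scan found it closed"))
            if info["public"] and port in MANAGEMENT_PORTS:
                findings.append(("HIGH", host, f"{MANAGEMENT_PORTS[port]} (port {port}) reachable from the public network"))
            if svc["runs_as"] == "root" and name not in ROOT_ALLOWED:
                findings.append(("MEDIUM", host, f"{name} runs as root; run it as a dedicated low-privilege user"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'HIGH': 4, 'MEDIUM': 2, 'LOW': 1}."""
    counts = {}
    for severity, _host, _msg in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, host, msg in reconcile(INVENTORY, SCAN_RESULTS):
        print(f"[{severity}] {host}: {msg}")
    print(summarize(reconcile(INVENTORY, SCAN_RESULTS)))
```

In the constructed data the check surfaces an unregistered host (db02), two unregistered ports, a Tomcat instance that is both public and running as root, and an inventory entry the scan no longer sees; the last case is reported at low severity because a stale inventory is itself a reason the text gives for unsatisfactory scan results.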

2. Monitoring first, analysis second

The importance of monitoring need not be stated: there are surveillance cameras at every corner of the city. Monitoring belongs to the in-process or post-event stage.

For example, if a person commits a crime where there is no monitoring, it cannot be traced back; if there is monitoring, his behaviour can be analysed and traced.

The same applies to enterprise security protection: you can use OSSEC to monitor attackers' behaviour. Take webshell detection as an example and pay attention to "behaviour". What is behaviour? Every move is behaviour: uploading files, modifying permissions, deleting permissions. All of these should be recorded, and a monitoring tool such as OSSEC can do this; of course, you can also write your own scripts to detect changes in the directory in real time.

Analysis is a supplement and can combine many points. For example, the injection behaviour of someone attacking a website triggers a record in the log, and SSH scanning behaviour is also recorded in the log; these can be used to analyse the person's behaviour, and malicious scans beforehand also count as behaviour. All of this can be analysed and traced back to the person.

Secondly, logs need to be backed up remotely, and you can use a big-data log analysis tool such as Splunk to analyse them. Backing up to a remote host also means that an attacker who deletes the local logs can still be traced. Webshell detection can likewise be done from the logs, because every user operation is recorded there; as long as the log analysis capability is sufficient, the dropped webshell can be found and the attacker has nowhere to hide.
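Two of the behaviour checks described above, written out as an added example (not code from the original article and not OSSEC itself): a snapshot comparison that reports scripts newly dropped into or modified inside a web root, which is the "write your own script to watch the directory" option, and a count of failed SSH logins per source address, which is the "SSH scanning behaviour in the log" point. The directory layout, file contents and sshd log lines are all constructed.

```python
"""Behaviour-based monitoring of a web root and of SSH authentication logs.

Added example, not code from the original article and not OSSEC. Shows two
of the "behaviour" checks the text describes: detecting newly dropped or
modified scripts in a web directory by comparing file-hash snapshots, and
counting failed SSH logins per source address. Files and log lines below
are constructed.
"""
import hashlib
import os
import re
import tempfile
from collections import Counter

# Extensions whose sudden appearance in a web root usually means a dropped script.
SCRIPT_EXT = {".php", ".jsp", ".jspx", ".asp", ".aspx"}


def snapshot(root):
    """Map each file under root (posix relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return digests


def changed_scripts(before, after):
    """Return script files that are new or whose content changed between snapshots."""
    changed = []
    for path, digest in after.items():
        ext = os.path.splitext(path)[1].lower()
        if ext in SCRIPT_EXT and before.get(path) != digest:
            changed.append(path)
    return sorted(changed)


# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." (OpenSSH wording).
SSH_FAIL_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)"
)

# Constructed sshd log excerpt: one source hammers the box, one user fat-fingers once.
AUTH_LOG = [
    "May 12 10:00:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51001 ssh2",
    "May 12 10:00:02 web01 sshd[2102]: Failed password for invalid user test from 203.0.113.9 port 51002 ssh2",
    "May 12 10:00:03 web01 sshd[2103]: Failed password for root from 203.0.113.9 port 51003 ssh2",
    "May 12 10:00:04 web01 sshd[2104]: Failed password for root from 203.0.113.9 port 51004 ssh2",
    "May 12 10:00:05 web01 sshd[2105]: Failed password for invalid user oracle from 203.0.113.9 port 51005 ssh2",
    "May 12 10:00:06 web01 sshd[2106]: Failed password for root from 203.0.113.9 port 51006 ssh2",
    "May 12 10:05:00 web01 sshd[2200]: Failed password for alice from 198.51.100.4 port 40000 ssh2",
    "May 12 10:05:10 web01 sshd[2200]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2",
]


def ssh_bruteforce_sources(log_lines, threshold=5):
    """Return {source_ip: failures} for sources with at least `threshold` failed logins."""
    counts = Counter()
    for line in log_lines:
        m = SSH_FAIL_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def demo_webroot():
    """Simulate a clean deployment, then a dropped script and a tampered page.

    Returns the list of script paths the snapshot comparison flags.
    """
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php echo 'site'; ?>")
        with open(os.path.join(root, "uploads", "photo.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8\xff")
        baseline = snapshot(root)  # taken at go-live, like the text's baseline check

        # Constructed "attacker" behaviour: a script lands in the uploads
        # directory and an existing page is modified. The content is a
        # harmless placeholder, not a real webshell.
        with open(os.path.join(root, "uploads", "avatar.php"), "w") as fh:
            fh.write("<?php /* placeholder standing in for a dropped script */ ?>")
        with open(os.path.join(root, "index.php"), "a") as fh:
            fh.write("\n<!-- tampered -->")
        # A legitimate new image must not be reported.
        with open(os.path.join(root, "uploads", "photo2.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8\xff")
        return changed_scripts(baseline, snapshot(root))


if __name__ == "__main__":
    print("changed scripts:", demo_webroot())
    print("ssh brute-force sources:", ssh_bruteforce_sources(AUTH_LOG))
```

In production the baseline snapshot would be stored off-host next to the remotely backed-up logs, for the reason the text gives: an attacker who can delete local evidence must not also be able to rewrite the baseline the comparison relies on.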

Finally, on operations security: security work actually falls within the scope of operations, but operations staff cannot do this part of the work well, or most of them do not have an in-depth understanding of security, so enterprises have the position of operations security (or, if you prefer, security operations). Operations security requires a wide range of knowledge to support the security of the enterprise.

V. Industry analysis of security operations engineers

Security work requires mutual trust, and the cake of the future will never be as delicious as it is now.

The security industry is a very realistic business. Network security is beyond the control of any one person; it requires a team.

Let's talk about the four core skills of security operations.

(1) Penetration testing and vulnerability mining

The biggest difference between security operations engineers and ordinary operations engineers is that they have penetration skills and rely on adversarial thinking to build the enterprise's security system.

This is also an indispensable part of security construction. At the start, my rough understanding was that there are three parties in the security industry:

Underground industry = hackers

Party B: security vendors

Party A: security operations

Party B's ability to trace the source is higher than Party A's, because Party B has mastered almost all the points.

Penetration is divided into web penetration and system penetration. The ways to improve your skills include real-world practice, simulation, reading articles and papers, and online learning.

Penetration, the first skill, requires not only a variety of programming skills but also operations configuration, psychology, interpersonal communication and logical reasoning.

In short, this is a vocational skill that requires a comprehensive application of multiple skills.

Their development ability is inferior to that of professional programmers, and their operations ability is not as good as that of operations engineers.

Penetration is hard to learn. My initial learning path: forums, and copying HTML pages onto floppy disks to read carefully. The vulnerability side involves more knowledge applied in enterprises, including building a vulnerability library and a vulnerability feedback mechanism. More impressive is the concept of automated vulnerability checking, that is, checking for vulnerabilities automatically through customised scripts. There is also a relatively new idea: analysing vulnerability trends from the worst-hit areas and tracing vulnerabilities back to their source.

(2) Security monitoring and security deployment

Three key principles of security monitoring and defense: knowable, controllable and credible. Security deployment starts with baseline scanning, after which security is configured.

Web security, policy deployment, architectural risks, etc.

What you need is not only a standard but also a methodology that can actually be put into practice.

Security monitoring belongs to passive security.

(3) Emergency response and asset inspection

Audit dimensions include server audit, code audit, log analysis and penetration testing.

The method of analysis: when an incident happens, we need to sort out from the existing intelligence the information that helps with the current situation.

Attack analysis requires a certain degree of logical reasoning ability, and emergency response requires considerable experience.

Techniques for tracing the source in emergency response: honeypots, internal big data, external threat intelligence and the penetration team.

Asset inspection belongs to active security and can be automated.

But cost needs to be considered. The key monitoring objects are: management portals, data zones, interfaces, network boundaries and the DMZ.

The choice of monitoring platform is a more practical problem, with three options:

Open source (when there is no money and no manpower), closed source (money but no manpower for development), or building your own wheels (money and manpower / self-development / customisability).

(4) Career planning and the peak of life

The development routes of a security operations engineer: Party A -> Party B (technical direction), or Party B -> Party A (management direction: customised security systems for enterprises, training security personnel; relatively easy and stable).

Or Party A and Party B together in a start-up (comprehensive direction, relatively free: using the contacts acquired at Party A and the technology acquired at Party B to realise it).

Party A brings contacts, and Party B is the better place to do technology; the future of doing only one side, whether A or B, is bleak.

Some anecdotes about the security circle were discussed, along with an understanding of the circle, its technology gurus, idols and bossy CEOs.

I said something that I agree with: happiness is the pursuit of a lifetime.

Finally, it was mentioned that legal weapons are important to rely on in commercial negotiations.

VI. New thoughts on the operations industry

The following is an excerpt of several operations technology leaders' views on operations, in the hope that they enlighten all of us.

Dccmx, IT / Internet technical person

This depends on how the operations role is positioned and what is required of it.

It's hard to say whether it's interesting or not, but there are certainly challenges. Let's talk about the challenges of operations.

Operations covers a wide range, from basic resource management and configuration to database maintenance and application deployment, and then on to the analysis and handling of incidents. Technology and wisdom are needed everywhere. As with business development, as long as you measure it, everything is a problem.

If you position your work merely as helping developers prepare machines, deploy applications, delete junk files and then stare at the machines, and you do these things step by step in the most ordinary manual way (if one person can't do it, two people do it; if it can't be finished in one day, finish it in two; it gets done at some point anyway), then the work will soon become boring.

If you raise the bar, so that these basic things are done beautifully with the least time and energy by the fewest people, and follow-up monitoring needs no human watching, then it becomes very difficult.

If we go further and want to drive development in turn, so that developers think during development about how this business needs to be operated, then there are even more challenges.

In addition, dealing with unexpected incidents also needs technology and experience. There are many challenges here, and there is no need to say much about the accumulation of technology and experience.

In addition, I think the key point is whether the operations staff are involved in the development of the business.

To sum up, it all depends on whether you like the challenge or not. If you like a challenge, it's interesting; otherwise, you're a busboy.

Zhang Qi, system admin

Companies that think operations is odd jobs generally have poor internal IT; it may well be a mess.

First of all, by the nature of the work, operations is a "service-oriented" position in any company.

If operations doesn't work well, it will seriously affect the development of the company, especially an IT company.

To put it very simply, the company's internal network needs maintenance: file servers, BBS, mail and so on.

Non-technical work also includes fixed assets management, equipment selection and procurement.

In addition, there is the daily maintenance of office equipment. The job may be a bit miscellaneous, but it is definitely not a busboy's.

Second, let's look at what operations people do:

1. Colleagues who can't get online, viruses in the system and printers that hang all need to be fixed quickly. This is what most operations engineers deal with.

However, it is necessary to study how to make these situations happen as little as possible and recover in the shortest time after they occur.

2. Server maintenance. You can't afford to be unable to maintain both Windows and Linux servers.

Don't think that Windows is just a few mouse clicks, and don't think that Linux is as invulnerable as the legend.

Being able to set up and tune sendmail, Postfix and nginx, and able to handle Exchange, IIS and SQL Server: that is what is called an operations engineer.

3. Network maintenance. Rich people play with Cisco, poor people mess with Huawei. Instead of a router, you can get a Linux PC and play with iptables.

4. Advanced tasks. There's a lot that can be done here.

For example, performance tuning, maintaining system stability, responding to unusual faults, collaborating with developers, etc.: the simplest to say and the most complicated to do.

Of course, what I listed does not fully cover what operations staff need to do, but it is all what ops needs to know.

These jobs are not simple coding every day, but also require a lot of document reading, thinking, or manual work.

So, whether it is interesting or not depends on whether the individual likes this way of working or not. Maybe some people have fun with coding, while others have fun with this kind of chores.

Li Gong, someone who still has a dream

He used to be a developer and now works in operations.

There are a lot of misunderstandings about this position because it has not existed and developed for long enough. Let me briefly give my understanding:

The goal of Internet operations is to ensure that the product (website / application) runs correctly to support the overall business goal (providing services / news / ...). Once the scale grows, you will find that operations can include far too many things, or can be subdivided into countless sub-departments.

One characteristic of Internet companies is the rapid development cycle; under an SOA framework the system can be divided into many small services.

The series of problems so many services encounter during development and release needs to be solved creatively.

This is especially true for system monitoring: although there are some relatively mature open-source monitoring systems, every company's situation is different, and most companies put great effort into monitoring and problem-solving with their own development.

Being in operations definitely doesn't mean not writing programs; at the very least you should do that well.

Generally speaking, the amount of code written is no less than dev's. The difference is that dev's development is large-scale, long-cycle and has language requirements, while the requirement of operations is to solve problems quickly.

Operations suits people who like to "solve problems" and those who naturally know how to debug and have fun with it.

The relationship between dev and ops (operations) is: dev writes code; ops runs code.

Most devs care about how to complete their own feature and have no way to estimate the feature's impact on the whole system.

This is where good ops play a role. They understand the whole system, participate in the design and architecture phases of development, and have the right to make decisions about them.

Finally, they also review the developed product and make dev go back and rewrite it.

Finally, back to the question of interesting or boring: if you like challenges, if you like to ask "why" about everything, and if you like to do things that nobody knows and nobody tells you how to do, then it is absolutely interesting. Go to Alexa, find a top-100 company, and do their operations.

Chen Yongbao, The dark side of the moon

This topic is a pit, and the reason for chatting about it is not to draw any conclusions, so just a few words.

In my opinion, there are only a few situations for doing a job:

A) You can only do this; due to knowledge, skills or environment there is no other choice

B) It doesn't matter whether you do this or something else; choosing this was accidental or for some trivial reason

C) You like doing this and want to make something

So whether operations staff find it "interesting" depends on the demand, that is, the purpose or reason.

"Operations" is actually a big concept, subdivided into many kinds: computer-room operations, network operations, application operations; and operations at Internet companies, telecom companies, Internet cafes and corporate IT are all different. Each field of operations has its own characteristics, and the requirements for personnel differ too.

Whether it is interesting or not depends on many aspects, but I think whether it can bring a sense of achievement is the most important factor. Actual job requirements and business development differ, so whether operations staff can do something with a sense of achievement differs too. Those who are interested in operations should pursue some challenges while the business is growing, and you can grow on your own. In the end, "fun" is not just a seasoning of life but becomes meaningful.
