2015 01 Ấn bản mùa xuân (Spring Edition)

Uploaded by tupro-fessional, posted 14-Feb-2018.


7/23/2019 2015 01 an Ban Mua Xuan (page 1/31)

http://fb.com/group/cissp.attt

2015 - Spring Edition

30 January 2015

Why did I join this group? Lng Trung Thnh's impressions of the group.

IDS/IPS and Honeypot systems, L NGC SN - continuing part 1, which appeared in the Autumn 2014 edition.

Process - Technology - People. This article needs an example, so it is kicked off with DLP in the article on page 20.

ISO/IEC 27001: benefits and an overview of adoption.

Web Application Penetration Testing: an article by the first contributor from Hanoi.

Cover feature: CHIẾN TRANH MẠNG (Cyber war)


Contents

[02] Advisory board
[03] Review of 2014 activities - TRN NGC MINH
[05] Cyber war - TRN CH CN
[07] Proactive network attack detection using IDS/IPS and Honeypot (continued) - L NGC SN
[12] Defense in depth (continued) - VI MINH TOI
[14] Process - Technology - People - LNG TRUNG THNH
[17] ISO/IEC 27001: benefits and an overview of adoption - PH NGUYN
[20] DLP in the Process - Technology - People whirlpool - LNG TRUNG THNH
[22] Web Application Penetration Testing - NGUYN TH THU HIN
[29] Why did I join this group? - LNG TRUNG THNH

Advisory board:

NGUYN TRUNG LUN, CISSP, CISA - Mi2 JSC.
TRN NGC MINH, CISSP, CISA - Sacombank
NG XUN QU, CISSP - SGBank
LNG TRUNG THNH, CISA, CISM

Starting with this edition, we will only introduce new authors; for authors who have written before, please see the author information in earlier editions.


Dear Readers,

On behalf of the Group, I will review some notable activities of 2014 and summarise the members' proposals for the programme to be carried out in 2015.

In 2014 we were very decisive about making changes. First, the Group moved from operating online to offline, and from presentations on short, scattered topics to presenting chapter by chapter, almost the entire CISSP programme. I had some reservations about postponing the sessions on topics outside the CISSP programme altogether, but clearly conditions did not yet allow us to run and handle many things in parallel.

When the First Group was formed, to create a certain bond between members and to leave something behind for later Groups, we resolved to publish, and did publish, two issues of the Magazine. With its motto of learning while having fun and without limits, our Magazine has begun to attract the attention of practitioners. Honestly, I am very glad when someone occasionally calls or reaches out through other channels to mention some shortcoming of the Magazine and/or to suggest how to make it better.

One of the criteria for judging success is that the work must be completed with the output that was planned. The First Group essentially finished on schedule, and although only one member has passed the CISSP so far, I am confident that in the short time immediately ahead the number will rise as expected, to at least 4 CISSPs for the First Group.

We are an open group, not an organisation, but we operate in a very organised way. For that reason, the arrival of a Logo will strengthen the bond between members. On this occasion, the Group sends its deep thanks to Mr Trn Ch Cn (also a member), who came up with the idea and designed the Logo for the Group. The Logo chosen is simple in form but carries a lot of meaning, fitting the Group's current stage of development. Just look at it for 03 seconds and you can recognise the Group's main idea right away.

Review of 2014 activities - TRN NGC MINH


On the plan for 2015:

The Second Group has been announced and provisionally formed. The Group will officially begin its first activities from 01/03/2015.

The mode of operation will basically remain as in the First Group during the programme (initial phase). After that, we may expand by inviting members from the northern region to join. Sessions will still be held in person, but at two sites, south and north. The idea is already formed, and the infrastructure is nothing too complicated. What matters is the support and determination of the participating members. If the initial results show that we are advancing faster and on firmer footing, we will move to a 100% distributed format for later Group sessions.

In 2015 we will continue to publish at least 04 issues of the Magazine, and this Spring edition is considered the first of the year. The core members still consider this a practical undertaking and a useful playground where everyone can test their writing and presentation skills.

A new (for us) way of training presentation and public-speaking skills that is being carefully studied is to organise battles, debates and rebuttals in a head-to-head format. We will study this method carefully and may apply it from the second half of the Second Group's programme.

Launching a Framework project together, why not? Building an Information Security Framework for one (or a few) industry sectors with a Vietnamese identity is something that a number of like-minded, dedicated members are considering. It is also being weighed as a possible launch in 2015. A big project, a chain of great challenges which, whether it succeeds or fails, will contribute greatly to raising the Group to a higher level.

Respectfully,

    TRN NGC MINH


First, I need to make clear that my use of the words 'cyber war' here is not the same as the Cyber war you hear about in the propaganda in the American, Chinese, Russian, North Korean and, lately, Vietnamese press. I use the words only to say that I am using the language of war to talk about security at an enterprise. And that is as far as I take it. If anyone wants to think of a nation as an extremely (super) large enterprise, that is up to them.

I understand war simply as two sides fighting over something they both want. Security, however, means that someone wants to protect something secret. Naturally there will be another side fighting to seize that secret. And I take it for granted that we here are that someone in this war to hold the citadel.

'Holding the citadel': I have only heard these words from the mouths of people who play games like the ones above, or in martial-arts novels. Using novels to make the point is probably not as good as a real war, so let's not. Let's just use our own wars in defence of the homeland. Starting with:

People's war

These four words are the strategy that has helped Vietnam win every war in defence of the homeland, from ancient times to today. So what does it have to do with security? If we regard the CSO as the general, the Security Engineers as the elite troops and the other IT people as the soldiers, then Users are the remaining force: the people. An army without the people's support cannot win. Doing security without the users' support is a guaranteed failure. If the people are the water, then the users are the element you security people swim in. Lately I often hear the question: my users are like this, their users want that, so what am I supposed to do?

How would anyone know? All I know is that in security you should not fixate on fighting your users, because they are the ones you are supposed to protect and serve, not your opponents. So how do you get end users to cooperate? There is no way other than to go out and win them over. They will cooperate once they see that our work benefits them, and that they have more to lose than to gain if the system becomes insecure. Instead of forbidding users to do something, first find out why they do it and for what purpose. Only when a security person understands what users do is there a chance of success. Remember, users are your element; whenever you get the chance, take it to learn as much about them as you can.

Controlling traffic

In war, every side tightly controls the border crossings, ports, bus stations, ... But control does not mean blocking. War does not mean that all traffic comes to a halt. If you hold a territory in which all traffic is at a standstill, before long there will be no food or supplies left, and no reason for the war to go on. In security, pulling the internet plug does not make you safe. On the contrary, these transactions have to be pushed to be faster, stronger and more numerous. That is why the CISSP curriculum always puts business first and only then the other matters. Nobody wants to capture a dead citadel. But that does not mean everyone can relax and do whatever they like; everything must stay within a framework. Forbid nothing, but make sure everything stays within reach of control. Any suspicious action, at any time, can be placed under surveillance. What to watch, and when, is our responsibility.

CYBER WAR - TRN CH CN

Rules

In war, you do not need to set too many rules. Rules are for peacetime, drafted by idle mandarins who sit around with nothing else to do. In matters of war, if before sending out troops you had to file written requests for permission in 7-8 places, you might as well not bother fighting. Paperwork only makes work slower and slower. So if the work is going fine at the moment, learn from the government's administrative reform: in your spare time, look for burdensome procedures and drop them. Do not waste your wits drafting more of them and creating trouble. Once users start complaining that work is too slow because of this, you are done for.

Training the troops

In wartime, soldiers are trained constantly through real combat. In peacetime that is not the case. Spare time should be used to build an elite force for when something happens. Last year Vietnam did not have many battles. But every battle that ended, the losing side was ours. That is because for many years nobody had been through real combat, so when it came time to fight, not many remembered how. Not to mention that after many years without exercises, once on the battlefield nobody knew whom to coordinate with or how. Not losing would have been the strange thing.

Reconnaissance

No war is fought without scouts taking part. Know the enemy and know yourself, and you win a hundred battles out of a hundred. Accurate intelligence brought back by reconnaissance teams contributes greatly to strategic decisions on the battlefield. Whom to fight, where and when all depend on these findings. In today's network environment, placing monitoring devices only on the inside, or only at the network gateways, is not enough. Because our adversaries are not there; they are everywhere across the internet. Frankly, nobody could manage to put monitoring devices across the whole internet. So the only way is for us to link up and share information with one another if we hope to get a reasonable picture of the situation. And we can look for information at information aggregation points online, or anywhere else possible: at the drinking table, from friends, colleagues, ... For the pinnacle of this art, go and find Mr Dng 'sensor'. (Join the group and I will introduce you to who Mr Dng 'sensor' is.)

That is all for this issue. Time permitting, next issue we will continue with other aspects: intelligence, camouflage, or other strategic matters.

    TRN CH CN


The previous article presented an overview model of an intrusion detection and prevention system based on combining IDS/IPS with honeypots. Before going into the details of that combination, let us briefly look at these technologies.

Intrusion Detection System (IDS)

An IDS is a software or hardware system, or a combination of the two, that monitors activity on a network in order to detect and raise alerts about intrusions or illegitimate access to resources on the system.

IDSs can be divided into 3 groups:

- Network-based Intrusion Detection System (NIDS): placed where it can monitor all the traffic exchanged on a network segment.

- Host-based Intrusion Detection System (HIDS): installed locally on a host, observing its log files, events and inbound/outbound traffic.

- Distributed Intrusion Detection System (DIDS): a hybrid IDS that combines NIDS and HIDS.


Proactive network attack detection using IDS/IPS and Honeypot (continued)

L NGC SN


Intrusion Prevention System (IPS)

An IDS that is able to block the intrusion threats it detects can be called an intrusion prevention system, or IPS. An IPS can act in response to illegitimate behaviour, for example by dropping connections or discarding packets that could harm the network. These responses can be carried out automatically or by the administrator.

An IPS can operate in two different modes:

- Promiscuous mode: the IPS listens to and monitors the data flowing into the system but does not intervene in it directly. In this mode the IPS analyses the traffic and works together with the firewall to block suspicious actions, without affecting the network's throughput.

- In-line mode: compared with promiscuous mode, the IPS gains a traffic-bloc function of its own, which stops dangerous traffic faster. However, it reduces the speed of traffic into and out of the network.


Some issues in deploying IDS/IPS

Today's IDS/IPS systems are effective against intrusions by worms, viruses and known network attacks. However, they also have the following weaknesses:

- To be effective, the IDS/IPS must see all the network traffic in the zone it protects. When the network uses a simple switch (without a SPAN port), traffic is forwarded only to the relevant ports, so the IDS/IPS sees only part of the traffic rather than all of it.

- Today's networks are relatively fast compared with the processing speed of an IDS/IPS.

- Most IDS/IPS systems cannot detect previously unknown attacks (zero-day attacks).

- An IDS often generates a large number of alerts, many of them false positives, wasting the administrator's resources, time and effort. Since the goal is to stop attacks, the IDS/IPS must operate in real time, so its speed is a very important factor. Detection must be fast enough to block attacks immediately; otherwise the attack has already completed by the time it is noticed and the IDS/IPS becomes pointless.

    Honeypot

System security solutions such as firewalls and IDS/IPS share a common limitation: they are set up on the basis of known information, using predefined rules and signatures. As a result, these systems cannot detect new attacks, because they have no information about those kinds of attack. Combining IDS/IPS with a Honeypot can partly address this problem. Outwardly, a Honeypot looks like one or a set of services, an operating system or even a network, but in reality they are all decoy systems, built to attract and deceive illegitimate users and intruders, in order to waste their time and resources or to learn the methods and tools they use to attack. On these decoy systems the administrator can monitor and record information about connections and the data sent into and out of the Honeypot, and from that analyse and understand the attack methods, build suitable defences, and create new rules and signatures for the IDS/IPS.

Placement of the Honeypot in the network

A Honeypot can be placed at a number of different positions in the network, each with its own advantages and disadvantages. Depending on the purpose and the nature of the network, the Honeypot can be placed at:

- Outside the network (External): the Honeypot is placed outside the local network (in front of the firewall) when the aim is to collect as much information about attacks as possible, since attackers are free to exploit it. A Honeypot in this position attracts a large number of attacks and is suitable for network security research centres.

- Inside the network (Internal): the Honeypot is placed inside the network, separated from the Internet by the firewall. A Honeypot in this position contributes to defence in depth: it can not only detect and raise alerts about attacks that got past the firewall, but also collect information about how they were carried out in order to devise countermeasures. This Honeypot model suits the networks of ordinary organisations and businesses that want to add one more layer of protection. However, the problem with placing the Honeypot inside the network is that, once an attacker has taken control of it, the Honeypot can be used to attack other parts of the internal network. In this case, therefore, traffic from the Honeypot to the other network zones must be tightly controlled.


- Honeypot in the DMZ (Demilitarized Zone): usually the best choice for company or enterprise networks, where the Honeypot sits alongside the network's other ordinary servers and acts as an alarm when network security threats occur there. A Honeypot in this position supports defence in depth, able to detect and provide useful information about attacks that got past the firewall and the IDS/IPS, or about attacks from the inside.

Because of the magazine's space limits, the next article will cover deploying Snort as the IDS/IPS, Honeyd as the Honeypot, and the solution for combining the two.
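As an added example (not code from the article, nor from Snort or Honeyd), the following Python sketch shows the feedback loop described above: a signature-based IDS/IPS that only knows predefined rules, a honeypot log from which a new signature is mined without firing on legitimate baseline traffic, and the egress check an internal honeypot needs; every IP address, log line, rule ID and the 'ScanBot-Constructed' marker is constructed for illustration.

```python
"""Toy signature-based IDS/IPS plus honeypot-derived rule mining (added example).
All IPs, log lines, rule IDs and the 'ScanBot-Constructed' marker are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

Record = Tuple[str, str, str]  # (src_ip, dst_ip, request payload), constructed


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    pattern: str           # regex applied to the payload
    action: str = "alert"  # "alert" = IDS behaviour; "drop" = IPS in-line mode


# Signatures known in advance, as a firewall/IDS/IPS would be configured.
KNOWN_RULES = [
    Rule(1000001, "CGI command separator in query string", r"/cgi-bin/\S*\?\S*;", "drop"),
    Rule(1000002, "SQL injection attempt", r"(?i)union\s+select"),
]

# Constructed legitimate traffic; used so mined signatures never fire on it.
BASELINE: List[Record] = [
    ("10.0.0.5", "10.0.1.10", "GET /index.html HTTP/1.1 User-Agent: Mozilla/5.0"),
    ("10.0.0.8", "10.0.1.10", "GET /search?q=cat+photos HTTP/1.1 User-Agent: Mozilla/5.0"),
]

# Constructed captures from an external honeypot (192.0.2.50, in front of the firewall).
HONEYPOT_IP = "192.0.2.50"
HONEYPOT: List[Record] = [
    ("203.0.113.7", HONEYPOT_IP, "GET /admin HTTP/1.1 User-Agent: ScanBot-Constructed/1.0"),
    ("203.0.113.9", HONEYPOT_IP, "GET /wp-login.php HTTP/1.1 User-Agent: ScanBot-Constructed/1.0"),
    ("198.51.100.3", HONEYPOT_IP, "GET /phpmyadmin HTTP/1.1 User-Agent: ScanBot-Constructed/1.0"),
]

# Constructed production traffic: baseline plus one known and one previously unknown probe.
PRODUCTION: List[Record] = BASELINE + [
    ("203.0.113.7", "10.0.1.10", "GET /cgi-bin/test.cgi?p=1;constructed HTTP/1.1 User-Agent: curl/7.0"),
    ("198.51.100.3", "10.0.1.10", "GET /admin HTTP/1.1 User-Agent: ScanBot-Constructed/1.0"),
]


def inspect(rules: List[Rule], records: List[Record]) -> List[Tuple[int, str, str]]:
    """Return (sid, action, src_ip) for each record that matches a rule.
    An IDS only reports these; an IPS in in-line mode would also drop the "drop" ones."""
    hits = []
    for src, _dst, payload in records:
        for rule in rules:
            if re.search(rule.pattern, payload):
                hits.append((rule.sid, rule.action, src))
    return hits


def mine_signature(honeypot: List[Record], baseline: List[Record],
                   min_sources: int = 2, sid: int = 2000001) -> Optional[Rule]:
    """Turn honeypot captures into a new IDS rule (the feedback loop in the article).
    A token qualifies when at least min_sources distinct sources sent it to the honeypot
    and it never appears in legitimate baseline traffic (guarding against false positives)."""
    baseline_tokens = {tok for _, _, payload in baseline for tok in payload.split()}
    sources_per_token = defaultdict(set)
    for src, _dst, payload in honeypot:
        for tok in set(payload.split()) - baseline_tokens:
            sources_per_token[tok].add(src)
    candidates = [tok for tok, srcs in sources_per_token.items() if len(srcs) >= min_sources]
    if not candidates:
        return None
    token = max(candidates, key=len)  # longest token = most specific signature
    return Rule(sid, f"honeypot-derived marker: {token}", re.escape(token))


def honeypot_egress_violations(flows: List[Record], internal_prefix: str = "10.0.") -> List[Record]:
    """For an internal/DMZ honeypot: flows *initiated by* the honeypot towards internal hosts
    mean it has been taken over and is being used as a pivot, the risk the article warns about."""
    return [f for f in flows if f[0] == HONEYPOT_IP and f[1].startswith(internal_prefix)]


def run_demo() -> dict:
    """Known rules catch only the CGI probe; the mined rule also catches the scanner."""
    before = inspect(KNOWN_RULES, PRODUCTION)
    new_rule = mine_signature(HONEYPOT, BASELINE)
    after = inspect(KNOWN_RULES + ([new_rule] if new_rule else []), PRODUCTION)
    pivot = honeypot_egress_violations([
        ("10.0.0.5", HONEYPOT_IP, "GET / HTTP/1.1"),           # inbound to honeypot: fine
        (HONEYPOT_IP, "10.0.1.10", "GET /intranet HTTP/1.1"),  # honeypot reaching inward: bad
    ])
    return {"before": before, "new_rule": new_rule, "after": after, "pivot": pivot}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```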

    L NGC SN


Advantages and disadvantages of the Defence in Depth strategy

Advantages:

- Strengthens the security of the system. A hacker needs time to break through the security layers built into the system.

- Improves the ability to monitor and trace attack flows and the history of intrusion attempts.

Disadvantages:

- May slow down data access and processing and day-to-day operations.

- Requires additional resources and people, increasing recurring operating costs.

- Cannot stop certain special kinds of attack that can penetrate every layer, or cases where the hacker reaches the goal of the attack without having to penetrate all the security layers (OpenSSL, SSLv3).

Defense in depth (continued)

Conclusion:

The biggest challenge in deploying Defence in Depth is the balance between security and cost, performance and day-to-day operations. Every company has a limited budget; it cannot simply pour everything into security but must also ensure a profit to keep the company growing. Not every asset with monetary value needs absolute protection. The security practitioner must assess the level of security the company needs while still guaranteeing performance and the company's business objectives.

Defence in Depth is an approach. It is not a talisman against every increasingly sophisticated and sharp attack by hackers. Put simply, Defence in Depth limits hackers' attacks to some extent, helps the administrator detect attacks, and buys time to apply countermeasures and reduce the damage the hacker causes.

Next, I will present in detail the defence method of each layer:

The Policy, Procedure and Security Awareness layer (informally, the Operation Layer):

Policies and procedures play an important role in day-to-day operations in keeping things secure. Imagine that we had no policy, no security standards, and no procedures for controlling and carrying out those policies and standards in daily operations. We would find it very hard to monitor data flows and to trace attacks afterwards.


    VI MINH TOI


If a security system is put into the environment without security policies being applied, and without anyone to operate and monitor it, is the system guaranteed to be secure? The answer is NO. Who will monitor the data flows into and out of the system, who will take on the analysis of the vulnerabilities found, who will perform the data analysis needed for Internet access and for the unusual access behaviour of administrative accounts?

We will need a team of experienced security specialists to guarantee the company's daily operations, especially in credit and financial institutions. Not every company has the budget for that.

I have personally seen fragmentation in the policies of some large companies, most concretely in password policy. Even within the IT department, different units apply their own separate, inconsistent password policies with no overall view. Inconsistent policy makes things hard to manage and makes it hard to apply technical measures that ensure compliance with the rules.

Every company should issue a single, unified security policy, derive concrete regulations from it to put the policy into practice, and require every department to comply with the security policy that has been issued. To ensure compliance, each year companies should have a control function review how the organisation's policies and procedures are being carried out.

When drafting a security policy, take care that the policy is realistic and can be complied with. Moreover, it must fit the company's overall policy and must not disrupt the company's business. The best approach is to base the company's security policy on an international standard such as ISMS (ISO 27001), PCI DSS, COBIT or ITIL.

Some regulations/procedures that apply to daily operations, for example:

- Daily system operation procedure
- User account management procedure
- Remote access procedure for the internal network
- Password regulation
- System patching procedure
- Incident management procedure
- Problem management procedure
- System change management procedure
- Business continuity procedure and disaster handling procedure


Some standards that apply to the security layers, for example:

- Configuration standard for network devices
- Configuration standard for security devices
- Configuration standard for Windows and Linux servers
- Configuration standard for workstations

When talking about policies and regulations, we cannot leave out security awareness training for users. Users are one of the weak points that hackers commonly attack. Some large companies around the world were breached partly because of employees' limited security awareness or because employees did not follow the company's rules. Some organisations give every new employee an Employee handbook. Its contents describe the company's policies and regulations as well as how to protect data and guard against some common kinds of attack such as social engineering, spear phishing, ...

In addition, every year some companies run online security awareness training sessions with post-training quizzes to make sure employees understand and take responsibility for protecting their own data in particular and the company's data in general. I personally find this a very useful way of raising employees' security awareness.

Conclusion:

The Policy, Procedure and Security Awareness layer concerns the way daily operations are run and the standards and requirements that keep the system secure.

Besides issuing standards, procedures, regulations and policies, the company must make sure employees carry them out seriously, and needs a monitoring team to ensure they are carried out as required. Not every company is able to do this.

    VI MINH TOI


PROCESS - TECHNOLOGY - PEOPLE

Process, technology, people: during one of the Group's tea-and-beer sessions this topic came up, and somehow the argument ended with me being handed the job of writing about it; to be honest, I did pour a bit of oil on the fire, so I have to write it, hee hee.

First, a quick tour of what gives information security people (or 'information safety' people, as they are also called) a headache: no clear model has yet been found that can be applied and deployed for business operations while still guaranteeing security. That is why the Process - Technology - People model is widely applied, and ISO 27001 also refers to it. Right, a simplified tour of the Process, Technology and People model; I prefer the abbreviation PPT, like the PowerPoint file format.

LNG TRUNG THNH

Process is regarded as the heart of a business's operations. A business's processes have some points in common with others; within the same industry, for example, there will be a great deal in common, but because of differing business goals, strategy or departmental organisation there will be processes specific to that business, and at that point another business could not copy them even if it wanted to.

Technology is usually regarded as a means of supporting the operation of processes; typically technology makes the work in a process faster and allows more accurate consolidation and reporting than doing it by hand, or technology can be leveraged to overturn a market advantage, even to 'redefine the game' in the way Steve Jobs put it (from my memory, when the iPhone first came out; and Nokia has now been sold to Microsoft).

People: people are usually the weakest point in security, and we could open up the whole range of risks arising from people, but that is not discussed here; here we establish that people are an important component of business operations and they are the ones who directly run the processes and directly use the technology. They are the most valuable asset if put to good use, because through contact, use and operation people gain valuable experience, including slips, mistakes and even cleaning up the consequences of their own or others' mistakes, and all of that experience becomes the basis for improving the process.

That is a brief look at the Process - Technology - People model in its simplest reading, but nothing in business operations is that simple. Below are the conflicts that the Process - Technology - People model has to resolve:


People, the central figure in the story, are the ones who directly operate things, and with instinctive behaviour people tend to resist change, or, put another way, fail to keep up with technology and tend to apply old ways of judging to something new. That is a contradiction between people and technology. The most typical example is that almost 1 year ago everyone kept asking where the Start button in Windows 8 had gone. In a business, the ones who accept change most easily are the 'young crowd' (how young is young, forgive me for skipping that), who are also the group full of enthusiasm for applying new technology to improve/speed up the process, but they mostly lack experience, usually soft skills and understanding of business operations; conversely, the elders are rarely willing to change but are the ones with plenty of experience who know every twist and turn of the business, usually called ... Combining these 2 factors is a dream.

People often conflict with processes and technology, but between technology and processes there is rarely conflict, because one of the two, technology or process, has to run ahead and the other will automatically update to follow. That is why I said above that technology usually supports business operations and processes; having no new technology is no disaster, the only problem is that you may be slower than others and fall behind, and rest assured the business owner usually notices this faster than the IT people do.

The dialectical relationship within the Process - Technology - People model is a self-developing one, that is, it resolves its own internal contradictions on its own, leading to a better state, and so on. However, from the perspective of corporate governance or information security, the model above is (in my view) not really adequate, because there is a more complete model, BMIS, which describes 4 main elements, Organisation, People, Technology and Process (that is, it adds the organisation/business), and 6 components linking those elements: Culture, Human factors, Support, Architecture, Cohesion, Governance.

Hmm, once the organisation factor appears, the way people bond with one another, with all the differing opinions of talented recruits and experienced veterans, and work together well is through the factor of company Culture. The relationship between Process and the business is the factor of overall governance over those activities, since processes serve the business; and naturally the factor linking technology with the business is architecture, which is also natural, because without a development strategy and a reference architecture, things that cannot be integrated become fragmented and are usually effective only for a very short time, after which they are abandoned or unusable. Many businesses like that have adopted all of Google Apps, moved to Azure or AWS, yet things stay just as they were.

Sigh, I actually meant to write a bit more about the BMIS model, but perhaps leaving a link for readers to explore on their own would be better; what is written above is what I have managed to distil, and there will probably be more discussion at that point.


ISO 27001 and an outline of ISO 27002 with its guidance:

ISO 27001 is the name of the Information Security Management Systems (ISMS) standard. It sets out the requirements by which an information system must be designed according to management norms, limiting risks and supporting the selection of information security solutions that satisfy the company, the organisation and its customers.

ISO 27002 is the Code of Practice for Information Security Management. The ISO 27002 standard outlines implementation guidance in 11 clauses:

1. Security Policy

2. Organization of Information Security

3. Asset Management

4. Human Resource Security

5. Physical & Environmental Security

6. Communications & Operations Management

7. Access Control

8. Information System Acquisition, Development & Maintenance

9. Information Security Incident Management

10. Business Continuity Management

11. Compliance

What is ISO 27001 adopted for? And the benefits of adopting it:

This is a common question when looking into the benefits of pursuing certification and starting to adopt an information security management model. First, it must be established that information is a very important asset that can exist in many different forms: paper (hardcopy documents), files (softcopy), e-mail or various media (presentations, movies), script notes (recordings, notes, models ...). And it is precisely under competition that information is increasingly threatened by theft, forgery and so on, from many sources, internal or external, accidental or deliberate. The point of adopting ISO 27001 in management is to ensure confidentiality, integrity and availability (C.I.A) for the information assets of the company, its customers and investors, following the ISO organisation's list:

1. Information: databases, system configuration, user-guide templates (database, config file, template)

2. Software: applications, tools, utilities (application, tool, utility)

3. Hardware: computers, network devices, storage devices (computer, network device, storage device)

4. Services: security guards, cleaning, recruitment (guard, clean, headhunt)

5. People: employees, partners (employee, party)

6. Company image (Reputation)

...

BENEFITS OF ISO/IEC 27001 AND AN OVERVIEW OF ADOPTION

PH NGUYN

Benefits:

- For the company: a commitment that ensures the effectiveness of the efforts to secure the company's information at every department level.

- Operationally: standardises the knowledge used in managing information systems, protecting assets through risk management.

- Human resources: raises employees' awareness and sense of responsibility and helps drive work efficiency.

- Finance and cost management: reduces information-security risks because incidents occur less often.

- Commercial: earns the trust of customers and partners, who can rely on standards-based management to keep their assets and investments safe.

- Legal: demonstrates compliance with laws and state regulations to the competent authorities.

Summary of ISO 27001:2013 and the major changes compared with ISO 27001:2005

I. Structure (framework): only Annex A remains in this version (B & C are gone).

0 Introduction.

1 Scope of the standard.

2 Reference documents.

3 Terms and definitions.

4 Organisational model.

5 Leadership.

6 Planning for the information security management system; risk assessment; risk treatment.

7 Support for the information security management system.

8 Operation.

9 Performance.

10 Improvement actions.

II. Leadership: the management commitment requirements now centre on the term 'leadership'.

III. Interested parties: of very great importance among the changes in this version.

IV. Documented information (document version): the concepts of documents and records are merged.

V. Risk assessment and risk treatment: linked to ISO 31000. The concept of asset owner is replaced by risk owner, with more specific and detailed responsibilities.

VI. Objectives, monitoring and measurement.


VII. Corrective and preventive action.

VIII. Communication.

IX. List of documents.

X. List of records.

Changes compared with ISO 27001:2005

1. Structure:

- 2013 version: body clauses 4-10; Annex A: 14 chapters, 35 objectives and 114 controls.

- 2005 version: body clauses 4-8; Annex A: 11 chapters, 39 objectives and 133 controls.

2. Scope: determine the context, the requirements of interested parties, interfaces and dependencies.

3. Risk management: the 2013 version references ISO 31000.

4. Document control and records control are replaced by control of documented information.

5. Preventive action no longer exists in the 2013 version.

Conclusion: however a company calculates its objectives so as to manage costs effectively, control its risks and comply with the law, adopting ISO 27001 certification within the company's overall management system always helps identify the kinds of asset that need to be classified and protected, and to deploy suitable management measures to reach the common goal of lower cost and information security.

    PH NGUYN


Author:

    PH NGUYN

Mr Ph is responsible for ensuring compliance with security policies at a foreign software company.

He is building and developing the company's policies in line with ISO 27001, along with overall solutions and related matters such as risk assessment and disaster recovery planning.

He is also one of the VMware-certified VCIs, so for any questions about virtualisation or VMware you can contact this master.


2014 was a year marked by headline data-loss incidents such as those at Sony and Target, even though Data Loss Prevention (DLP) technology had been introduced long before. I will provisionally take DLP as the example for the previous article, Process - Technology - People.

First, preventing the loss of data/information is the most pressing and most anticipated need in today's digital era. The data-loss-prevention solution is the name of a Technology (DLP).

In practice, applying DLP effectively requires the support of at least 2 policies: Information Classification and Training Awareness; these 2 policies run through the whole course of deploying and applying DLP in the business. Yet both policies are only part of the Process, or more precisely a form of Governance that DLP needs.

People are the most important component in operation; they are the ones who directly interact with and use DLP in their work. Small issues arise from changes to daily working habits, for example attachments that cannot be sent because DLP blocks them. That is why a training-awareness policy is needed, to change/adjust user behaviour and avoid confusion and unnecessary trouble.

Besides that, classifying documents is also very important, and of course the best principle is to classify right at the source. Documents can be classified in a few ways, for example: the creator classifies the document (usually for new documents), while for old documents the technology built into DLP (usually called Discovery) can identify and classify them and then offer the user suggestions from which to choose the classification. Technology and people both play an important role in this step: the technology supports classification by comparing against the Rules and proposing a classification, and the person re-evaluates and classifies via this technique, or the other way round; either works, and all of it can be set by policy.

    The figure alongside is a brief description of applying DLP and of the points to watch in order to improve its operation after a period of use. The analysis shows whether the training and the settings on DLP are adequate, and which adjustments are needed because of the gaps between awareness, configuration and actual deployment (not to mention the limits of the technology and its features).


    DLP in the vortex of Process - Technology - People

    LƯƠNG TRUNG THÀNH


    So where does the Process sit? In principle, the process encompasses all the steps above, elaborated as Procedures or Guidelines, with the participation of people and technology (here, DLP), inside the daily operation of the organization or enterprise. A first sketch might look like the figure below:

    Those are some of the things I can 'define' for a DLP programme to function at a basic level, but they stay theory (on paper) without the commitment of management and leadership and the flexibility of the project manager. That is soft power, which technology sometimes cannot deliver.

    Note:

    When DLP is put in place it really does touch many departments, the VIPs, and users' habits. Pressure from the sales side can push DLP off course when too many people are privileged to be bypassed. DLP is also only one part of the overall security solution, so do not expect it to solve every problem the enterprise faces; always determine what you need rather than what you want, so that DLP is as effective as possible.

    LƯƠNG TRUNG THÀNH


    Web applications today have become very friendly and close to their users, making it easier for them to interact and exchange information. Alongside those benefits, however, both the providers and the users of these services face many threats: loss of information and assets, exposure to inaccurate information, compromise of sensitive information, and so on. The main cause is that web applications contain security vulnerabilities that let attackers exploit them and force others to act according to the attacker's intent. One of the best ways to limit the chance of vulnerabilities being found and exploited by attackers is to attack your own application, find the vulnerabilities and patch them before the attackers do.

    Web Application Penetration Testing is the method of searching for the vulnerabilities present in a web application and exploiting each one as far as possible. After the search-and-exploit phase, the vulnerabilities are consolidated and reported to the application's owner so that they can be fixed.

    Outline of the process:

    Gathering information about the application: This step aims to understand the application thoroughly, specifically its functions: grasp how it works and how it processes data, draw a function map of the application, identify the input points, and analyse, assess and predict where faults are likely. For the pentester this is a very important step, giving an overall and complete view of the application under assessment.

    Web Application Penetration Testing

    NGUYỄN THỊ THU HIỀN


    Using automated scanning tools:

    The scanners may be commercial products, free tools, or scripts written by the pentester, intended either to scan for vulnerabilities or simply to collect information about versions, platforms and the paths that exist on the application (crawling). A vulnerability scanner has to be configured for each application (its particular conditions and security mechanisms): the session used during the scan, a sensible delay between requests, and so on. With tools, the pentester saves a significant amount of time gathering information and finding some of the vulnerabilities. However, scanning tools can produce misleading results. For example, when the application sits behind a load balancer and the back-end servers are configured differently, the same request will get different responses, which leads the tool to conclude wrongly that a vulnerability exists. At this step the pentester must therefore step in to verify that the results are correct.
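    The load-balancer caveat above can be turned into a triage check before a scanner finding is accepted. The Python below is an added example, not the article's code: it takes the responses collected for one request sent several times, masks the parts of a body that legitimately change (timestamps, request ids), fingerprints status, Server header and body, and reports whether the answers agree. The sample responses are constructed; the third one stands for a differently configured node behind the balancer.

```python
"""Checking whether repeated identical requests got consistent answers (constructed data)."""
import hashlib
import re
from collections import Counter
from typing import Dict, List, Tuple

# One sample = (status code, Server header, body) for the same request.
Sample = Tuple[int, str, str]
SAMPLES: List[Sample] = [
    (200, "nginx/1.18", "<html>Welcome</html><!-- rendered 2015-01-30T10:00:01 -->"),
    (200, "nginx/1.18", "<html>Welcome</html><!-- rendered 2015-01-30T10:00:02 -->"),
    (500, "Apache/2.2", "<html>Internal Server Error</html>"),
    (200, "nginx/1.18", "<html>Welcome</html><!-- rendered 2015-01-30T10:00:04 -->"),
]

# Parts of a body that change between responses without meaning anything.
VOLATILE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}|req-[0-9a-f]{8}")


def fingerprint(sample: Sample) -> Tuple[int, str, str]:
    """Status, server and a digest of the body with volatile parts masked out."""
    status, server, body = sample
    normalised = VOLATILE.sub("<volatile>", body)
    digest = hashlib.sha256(normalised.encode()).hexdigest()[:12]
    return status, server, digest


def assess(samples: List[Sample], min_agreement: float = 1.0) -> Dict[str, object]:
    """Decide whether a finding built on these responses can be trusted as-is.

    Responses are grouped by fingerprint; if the dominant group covers less than
    `min_agreement` of the samples, the finding needs manual verification.
    """
    if not samples:
        raise ValueError("no responses to assess")
    groups = Counter(fingerprint(s) for s in samples)
    (top, count), = groups.most_common(1)
    agreement = count / len(samples)
    variants = [
        {"status": st, "server": sv, "body_digest": dg, "seen": n}
        for (st, sv, dg), n in groups.most_common()
    ]
    return {
        "distinct_variants": len(groups),
        "agreement": agreement,
        "dominant": {"status": top[0], "server": top[1]},
        "verdict": "consistent" if agreement >= min_agreement else "manual verification required",
        "variants": variants,
    }


if __name__ == "__main__":
    result = assess(SAMPLES)
    print(result["verdict"], "-", result["distinct_variants"], "variant(s)")
    for v in result["variants"]:
        print(v)
```

    The `variants` list is what a tester wants in front of them when re-checking: it shows that one node answers with a different server banner and status, so a scanner rule that fired on the 500 response is reporting a configuration difference, not necessarily a vulnerability.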

    Business logic testing and advanced testing: In this step the pentester looks for business-logic vulnerabilities, mostly by manual work. Such vulnerabilities can arise because the data processing of different functions in the application does not fit together. Vulnerabilities of this kind usually cannot be found with automated scanners; the pentester has to find them directly, using experience, skill and judgement. This is a fairly difficult part of bug hunting, demanding experience, meticulousness and sharp observation from the tester. Yet business-logic vulnerabilities are often highly dangerous, so this is an important step that a penetration test cannot afford to treat lightly.

    Advanced testing means hunting for vulnerabilities manually: probing each function and each input point, using fuzzing, and observing the results closely to spot anomalies in the server-side processing. It also means forming hypotheses about, and analysing, the security mechanisms the application uses in order to find ways around them. This is something automated tools cannot do accurately.

    A pentester must never rely entirely on what automated tools report; tools exist only to make the pentest faster, more accurate and more thorough. Every function, input point and security control must be analysed and tested for faults carefully and meticulously, by several methods, to minimise omissions in the assessment.

    Penetration: This step requires building an exploitation scenario by combining the information gathered with the vulnerabilities found in the previous step. The aim is to penetrate deep into the system; during this penetration further vulnerabilities may be found where defence in depth has not been implemented well. Such new vulnerabilities are added to the application's vulnerability list and to the components of the attack scenario. The process is repeated in order to dig deeper and find as many of the application's vulnerabilities as possible.

    Assessment and classification: After finding and successfully exploiting a vulnerability, the pentester assesses its severity and classifies it. The assessment must rest on concrete criteria and clear scoring scales, not on the assessor's gut feeling. The criteria are: the likelihood of exploitation and the impact of the vulnerability on the system.

    Severity = Likelihood of exploitation * Impact of the vulnerability

    Detailed assessment for each vulnerability

    Each vulnerability is examined on 4 aspects; each aspect is divided into 4 parts and scored on a scale from 9 down to 1 (9, 6, 3, 2, 1), in order from top to bottom.


    Figure: factors about the attacker

    Figure: factors about the vulnerability


    Figure: impact of the vulnerability on the properties of information security

    Figure: impact of the vulnerability on business and operations


    Abbreviations used in the figures:

    - (1) ATTT: information security (An toàn thông tin)
    - (2) Ng. dùng: user (Người dùng)
    - (3) PT: development (Phát triển)
    - (4) DL: data (Dữ liệu)
    - (5) Q.Trọng: important (Quan trọng)

    - (1) KN: likelihood (Khả năng)
    - (2) TN: responsibility (Trách nhiệm)
    - (3) DV: service (Dịch vụ)
    - (4) GĐ: interruption (Gián đoạn)
    - (5) TT: information (Thông tin)

    After scoring on the specific factors, the average score of each vulnerability is computed for the 2 criteria: likelihood of exploitation and impact of the vulnerability on the system. Three score bands, 0 - 3, 3 - 6 and 6 - 9, correspond to the levels LOW, MEDIUM and HIGH. The final severity of the vulnerability is then derived as in the table below:
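    As an added example (not the author's code), the Python below carries the scoring scheme above through to a final severity: four aspects scored on the article's 9/6/3/2/1 scale, the average of the attacker and vulnerability aspects as likelihood, the average of the technical and business aspects as impact, the three bands, and a final lookup. Two things are assumptions, since the page shows them only as images: the sub-factor names follow the OWASP Risk Rating Methodology, which this scheme mirrors, and the final-severity table is OWASP's likelihood-by-impact matrix, used here in place of the article's own table. The sample finding is constructed.

```python
"""Severity from likelihood and impact, following the article's scoring scheme."""
from typing import Dict

# The article's per-factor scale: 9, 6, 3, 2, 1 from top to bottom.
SCALE = (9, 6, 3, 2, 1)

# The four aspects the article names; the sub-factor names are an assumption
# borrowed from the OWASP Risk Rating Methodology.
ASPECTS: Dict[str, tuple] = {
    "threat_agent":     ("skill_level", "motive", "opportunity", "size"),
    "vulnerability":    ("ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection"),
    "technical_impact": ("confidentiality", "integrity", "availability", "accountability"),
    "business_impact":  ("financial", "reputation", "non_compliance", "privacy"),
}

# Assumed final-severity table (OWASP's likelihood x impact matrix); the
# article's own table is an image that is not reproduced here.
SEVERITY = {
    ("LOW", "LOW"): "NOTE",      ("LOW", "MEDIUM"): "LOW",       ("LOW", "HIGH"): "MEDIUM",
    ("MEDIUM", "LOW"): "LOW",    ("MEDIUM", "MEDIUM"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",
    ("HIGH", "LOW"): "MEDIUM",   ("HIGH", "MEDIUM"): "HIGH",     ("HIGH", "HIGH"): "CRITICAL",
}


def band(score: float) -> str:
    """Article's bands: 0-3 LOW, 3-6 MEDIUM, 6-9 HIGH (lower edge inclusive, an assumption)."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} outside 0-9")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def aspect_score(aspect: str, values: Dict[str, int]) -> float:
    """Average of the four sub-factors; every value must be on the article's scale."""
    factors = ASPECTS[aspect]
    missing = [f for f in factors if f not in values]
    if missing:
        raise ValueError(f"{aspect}: missing {missing}")
    bad = {f: values[f] for f in factors if values[f] not in SCALE}
    if bad:
        raise ValueError(f"{aspect}: values not on scale {SCALE}: {bad}")
    return sum(values[f] for f in factors) / len(factors)


def rate(finding: Dict[str, Dict[str, int]]) -> Dict[str, object]:
    """Likelihood = mean(threat agent, vulnerability); impact = mean(technical, business)."""
    likelihood = (aspect_score("threat_agent", finding["threat_agent"])
                  + aspect_score("vulnerability", finding["vulnerability"])) / 2
    impact = (aspect_score("technical_impact", finding["technical_impact"])
              + aspect_score("business_impact", finding["business_impact"])) / 2
    lb, ib = band(likelihood), band(impact)
    return {"likelihood": likelihood, "likelihood_band": lb,
            "impact": impact, "impact_band": ib,
            "severity": SEVERITY[(lb, ib)]}


# Constructed finding: easy to find and exploit, modest technical and business impact.
SAMPLE_FINDING = {
    "threat_agent":     {"skill_level": 6, "motive": 9, "opportunity": 9, "size": 9},
    "vulnerability":    {"ease_of_discovery": 9, "ease_of_exploit": 9,
                         "awareness": 6, "intrusion_detection": 9},
    "technical_impact": {"confidentiality": 6, "integrity": 6, "availability": 3, "accountability": 2},
    "business_impact":  {"financial": 3, "reputation": 2, "non_compliance": 2, "privacy": 3},
}

if __name__ == "__main__":
    print(rate(SAMPLE_FINDING))
```

    Rejecting values that are not on the scale is deliberate: the article's point is that severity must come from fixed criteria rather than the assessor's feeling, and a scorer that silently accepts a 5 or a 7 would let that discipline slip.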

    After assessing severity, we classify the vulnerability by its root cause:

    - Application development: the vulnerability exists because of insecure coding or inconsistent handling between functions.

    - System administration: the vulnerability exists because of improper administration, such as mistakes in installing and configuring the application server.

    The purpose of classification is to identify clearly who has to carry out the remediation, making coordination of the work smoother and easier.


    Report: Finally, after finding, exploiting, assessing and classifying the vulnerabilities in the application, we consolidate everything into a report that describes each vulnerability, the consequences for the system if it is exploited, a few exploitation scenarios and their degree of impact. The report goes back to the stakeholders so that they can plan remediation for high-severity vulnerabilities that could cause serious harm, or workarounds for inherent vulnerabilities that cannot be fully fixed.

    Web Application Penetration Testing is an interesting field that draws on a lot of knowledge. Doing this work requires a grounding in web applications (the HTTP protocol, the operating model, database interaction), knowledge of web application vulnerabilities, and, indispensably, sharp, out-of-the-box thinking. This article is only an introduction, meant to inspire readers who have, or are about to have, a love for responsible mischief and want to try it on the web applications they use every day. I very much hope it gives you some taste for a field that I find truly wonderful!

    Author:

    NGUYỄN THỊ THU HIỀN

    Graduated from the Academy of Cryptography Techniques; currently two years of experience in information security, specifically application bug hunting.

    Has taken part in assessments and solution consulting for public and private organizations such as Customs, the Treasury, insurance companies...

    Currently works at a company providing information security services in Vietnam.


    WHY DID I JOIN THIS GROUP?

    LƯƠNG TRUNG THÀNH

    Why did I join this CISSP group? Honestly, I had no intention of joining in the early days. The reason: I had already failed the CISSP exam twice, each attempt costing about $1000 because I had to travel abroad to sit it, so I was starting to get sick of this CISSP thing. But around that time a few friends joined the group and urged me to come along for fun; well, I'm easily tempted, so I started taking part. The friends in question were Chris Trần, Kitaro Lee, Quan Võ...

    The CISSP group began with patchy, in-depth topics and sharing of experience right from the first sessions at Đông Hồ café, and it is true that I picked up some new experience and absorbed some good things... Because the discussions were fairly close to the CISSP syllabus, the CISSP self-study group was set up, and after a few weeks the role of group leader was handed over to me by Cường, and I have kept it up to now. Why was I given this job? According to the founder, Minh, I had the experience of sitting the exam twice and had read the CISSP All-in-One almost to the point of knowing it by heart, so I could give the guys some direction... In short, Minh's words were right, but they started to touch a secret wound...

    And it is really nice that the CISSP self-study group has so many people from different fields: some work in banking (the majority), some in systems integration (SI) services, some in finance, and among them are people who specialise in processes, people with years of experience in frameworks, and people who prefer reverse engineering and software development... The group is truly lucky that, between everyone's strengths, we cover 8/10 of the CISSP domains.

    With these different viewpoints, I once again noticed many differences and perspectives I had never noticed before, and that left me eagerly waiting for the guys' sharing every Sunday. I accept the differences so that I can reflect on my own image: what I need to add, what I need to drop, what I need to improve for my own development. I think that is also one of the things that kept the CISSP group members together until the very end and keeps the group going to this day (even though it is a closed group, and the banter is fierce).

    Of course, studying is one thing, but results are still needed, and the first person to bring joy, and a challenge, to the group was Sỹ Tâm Nguyễn, who passed the CISSP on his first attempt and shared that the CISSP is not as hard as people imagine. Hmm, do you know you touched our wound yet again, grr... The guys were fired up and kept studying hard to get this certificate alongside him. Perhaps Nguyễn opened the account with such good luck that in January 2015 we had another member pass another exam, not ISC2's CISSP but that of another organization. We will announce it once those people confirm officially.

    So our CISSP group does not only have ISC2's approach but also other viewpoints; the (let's call them) experts in each area will act as advisers to everyone who joins the CISSP group, for orientation, discussion and knowledge sharing. And on behalf of the group I announce that the CISSP#02 self-study group is expected to start on 1/3/2015.

    More or less, the CISSP#01 group can be considered a success, and with the reasons above, is that persuasive enough for you guys to join CISSP#02?

    A day of many moods, Ho Chi Minh City, 17-01-2015

    (Oh, at this point I still do not have the CISSP, so please don't poke the wound again, guys.)

    LƯƠNG TRUNG THÀNH



    This is the official logo of the CISSP & Information Security group. The white you saw earlier was just the logo's background colour.

    Well, sometimes the truth lies right in front of you; it is not that you cannot see it,

    you just happen to overlook it.