A brief answer.
Generally speaking, many security experts will tell you that there is no absolute security. If attackers watch your company for a long time and carry out targeted penetration, few companies escape unscathed.
It is frustrating to say so, but we cannot simply sit and wait to be hacked. Even if every company eventually gets hacked, we hope to be the last one. And if appropriate measures are taken, losses can be kept to a minimum.
For startup teams, the business develops quickly, and the operations strategy and R&D process may not be standardized, which creates many problems for security work. The most common are:
1. Code is updated frequently and quickly, and adding security checks is seen as an extra burden
2. The test and production environments are mixed up, and developers, testers and operations staff may all have access to the servers
3. A lack of necessary policies and processes, leading to problems such as SVN permissions being handed out indiscriminately, departed employees still holding permissions, and employees opening ports on servers at will and exposing them
These problems make security work difficult, and startup teams generally do not have a full-time security engineer position.
In my experience, how much attention a company pays to security is closely related to whether it has ever had a security incident. If a company has never encountered a security problem, it will have no determination to invest in security; conversely, if a company has been attacked by hackers and suffered losses, its attitude toward security will turn 180 degrees.
Both in textbooks and in my professional experience, I have found one fact: security work needs to be driven from the top down. Numerous lessons have taught us that bottom-up security work is doomed to failure.
So how can security work be carried out effectively? The most important premise is that the company's management attaches strategic importance to security. If the top management itself has a strong sense of security, or even knows a fair amount about attack and defense techniques, security work is often very effective and saves a lot of money.
For startup teams, I have the following suggestions on how to carry out security work:
1. Regularly ask a third-party security company to do a security assessment
This reduces the cost in headcount and, at the same time, lets professionals do professional work.
2. Consider using an open source or commercial WAF (web application firewall) or IPS (intrusion prevention system)
The advantage of a WAF is that you can change as little code as possible and buy time for patching. Changing code is sometimes troublesome, and changing the code of some third-party programs is even more troublesome.
3. Reasonably tighten various permissions
This includes database, server, application back-end, SVN and other permissions, which should be open only to those who need to use them.
4. Properly keep all logs
This includes application logs, web logs, server logs and so on. Real-time remote collection is required, because some attackers tamper with logs first thing after an intrusion.
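One way to make log collection tamper-evident, as an added example that is not part of the original answer: each line is forwarded to the collector as soon as it is written, together with a hash chained to the previous line's hash, so that an intruder who edits or deletes entries on the web server afterwards leaves a detectable break in the chain. The "remote collector" here is an in-memory list and the log lines are constructed samples; in a real setup the collector would be a separate log host that application servers can append to but not delete from (an assumption of this example).

```python
"""Tamper-evident log shipping demo (added example, not from the original answer).

Assumption: the remote collector is modelled as an in-memory list. In
production it would be a separate log host (syslog/ELK or similar) that the
web servers can append to but cannot modify.
"""
import hashlib
import json
from typing import List, Tuple

# Constructed sample web log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0800] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0800] "POST /admin/login HTTP/1.1" 401 128',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0800] "POST /admin/login HTTP/1.1" 200 256',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0800] "GET /admin/export?all=1 HTTP/1.1" 200 90210',
]

GENESIS = "0" * 64  # hash value before the first line


def chain_hash(prev_hash: str, line: str) -> str:
    """Hash of the previous hash plus the current line, so that changing or
    deleting any earlier line changes every later hash."""
    return hashlib.sha256((prev_hash + "\n" + line).encode("utf-8")).hexdigest()


def ship_logs(lines: List[str]) -> List[dict]:
    """Simulate real-time forwarding: each line is sent to the collector as
    soon as it is written, together with its chained hash."""
    remote_store: List[dict] = []
    prev = GENESIS
    for seq, line in enumerate(lines):
        prev = chain_hash(prev, line)
        record = {"seq": seq, "line": line, "hash": prev}
        # JSON round trip stands in for serialisation over the network
        remote_store.append(json.loads(json.dumps(record)))
    return remote_store


def verify_local_copy(local_lines: List[str], remote_store: List[dict]) -> Tuple[bool, int]:
    """Recompute the chain over the local log file and compare it with the
    remote copy. Returns (ok, index of the first mismatch, or -1 if ok)."""
    prev = GENESIS
    for seq, record in enumerate(remote_store):
        if seq >= len(local_lines):
            return False, seq  # local file was truncated
        prev = chain_hash(prev, local_lines[seq])
        if prev != record["hash"] or local_lines[seq] != record["line"]:
            return False, seq  # local line was edited or removed
    if len(local_lines) != len(remote_store):
        return False, len(remote_store)  # local lines that never reached the collector
    return True, -1


if __name__ == "__main__":
    remote = ship_logs(SAMPLE_LOG)
    print("untouched:", verify_local_copy(SAMPLE_LOG, remote))
    # an intruder removes the line that records the data export
    tampered = [line for line in SAMPLE_LOG if "/admin/export" not in line]
    print("tampered: ", verify_local_copy(tampered, remote))
```

The check only works because the hashes live on a host the intruder does not control; the chain on its own adds nothing if the attacker can rewrite both the file and the stored hashes.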
5. Give employees some security training
Basic security awareness is still needed. Attackers often call customer service or send emails to deceive staff. Weak passwords are another problem: many management back-ends are broken into because of weak passwords. Programmers also need some basic skills so that common insecure coding patterns are avoided.
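A concrete check against the weak-password problem mentioned above, as an added example that is not part of the original answer: a server-side policy function for a management back-end that rejects short passwords, passwords from a common-password blocklist, and passwords containing the username or company name. The blocklist, the 12-character minimum and the names are constructed for the example; a real deployment would load a large public leaked-password list instead.

```python
"""Weak-password check for a management back-end (added example, not from the
original answer). The blocklist below is a constructed handful of common
passwords; a real deployment would load a much larger public list.
"""
import re
from typing import List

# Constructed blocklist of commonly used passwords (illustrative only).
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "admin", "admin123",
    "111111", "abc123", "123123", "password1", "root", "letmein",
}

MIN_LENGTH = 12  # assumed policy value


def password_problems(password: str, username: str = "", company: str = "") -> List[str]:
    """Return the list of reasons the password is weak; an empty list means it
    is accepted. Checks are cumulative so the user sees every problem at once."""
    problems: List[str] = []
    lowered = password.lower()
    # strip digits/punctuation so "password2024" still matches "password"
    letters_only = re.sub(r"[^a-z]", "", lowered)

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS or letters_only in COMMON_PASSWORDS:
        problems.append("appears in the common-password blocklist")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if company and company.lower() in lowered:
        problems.append("contains the company name")
    if re.fullmatch(r"[0-9]+", password) or re.fullmatch(r"[a-zA-Z]+", password):
        problems.append("uses only one character class")
    if re.search(r"(.)\1{3,}", password):
        problems.append("contains a character repeated four or more times")
    return problems


def is_acceptable(password: str, username: str = "", company: str = "") -> bool:
    """True when the password passes every policy check."""
    return not password_problems(password, username, company)


if __name__ == "__main__":
    for candidate, user in [("admin123", "admin"), ("zhangwei2024!!", "zhangwei"),
                            ("Tr0ub4dor&3-xyz-Q7", "zhangwei")]:
        print(candidate, "->", password_problems(candidate, username=user) or "ok")
```

Such a check belongs in the back-end's account creation and password change handlers; combined with rate limiting on the login form it removes the easiest way into an administration panel.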
6. Consider finding a reasonable and reliable security solution
Such a solution generally covers three aspects: how to implement code security, how to formulate network security policies, and how to harden the operating system.
If you want to run a complete security program, you also need a security operations strategy, such as regularly scanning websites, auditing logs and code, and developing an incident response process.
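One piece of the log-auditing routine described above, as an added example that is not part of the original answer: a script that parses web server access logs in the common combined format and flags source addresses with a burst of failed logins to the management back-end, noting whether a later successful login followed (the pattern a weak-password break-in leaves behind). The log lines are constructed samples, and the assumptions that the login endpoint is `/admin/login`, that a failed login returns 401 and a successful one a 2xx/3xx, and the threshold of 5 failures in 5 minutes are all choices made for this example.

```python
"""Audit web access logs for password-guessing against a management back-end
(added example, not from the original answer).

Assumptions: Nginx/Apache combined log format; the login endpoint is
/admin/login; a failed login returns 401 and a successful one 2xx/3xx.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample log lines (not real traffic).
SAMPLE_WEB_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0800] "POST /admin/login HTTP/1.1" 401 128',
    '203.0.113.7 - - [01/Jan/2024:10:00:03 +0800] "POST /admin/login HTTP/1.1" 401 128',
    '198.51.100.4 - - [01/Jan/2024:10:00:05 +0800] "GET /index.html HTTP/1.1" 200 2048',
    '203.0.113.7 - - [01/Jan/2024:10:00:06 +0800] "POST /admin/login HTTP/1.1" 401 128',
    '203.0.113.7 - - [01/Jan/2024:10:00:08 +0800] "POST /admin/login HTTP/1.1" 401 128',
    '198.51.100.4 - - [01/Jan/2024:10:00:09 +0800] "POST /admin/login HTTP/1.1" 401 128',
    '203.0.113.7 - - [01/Jan/2024:10:00:11 +0800] "POST /admin/login HTTP/1.1" 401 128',
    '203.0.113.7 - - [01/Jan/2024:10:00:14 +0800] "POST /admin/login HTTP/1.1" 302 0',
    '198.51.100.4 - - [01/Jan/2024:10:00:20 +0800] "POST /admin/login HTTP/1.1" 302 0',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_bruteforce(lines: List[str], login_path: str = "/admin/login",
                    threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> Dict[str, dict]:
    """Return {ip: {"failures": n, "later_success": bool}} for every source IP
    with at least `threshold` failed logins inside any `window`-long period."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    successes: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        if rec["status"] == 401:
            failures[rec["ip"]].append(rec["ts"])
        elif 200 <= rec["status"] < 400:
            successes[rec["ip"]].append(rec["ts"])

    alerts: Dict[str, dict] = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                first_failure = times[start]
                alerts[ip] = {
                    "failures": max(count, alerts.get(ip, {}).get("failures", 0)),
                    # a success after the guessing run is the strongest signal
                    "later_success": any(s > first_failure for s in successes[ip]),
                }
    return alerts


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_WEB_LOG).items():
        print(f"{ip}: {info['failures']} failed logins, later success: {info['later_success']}")
```

Run periodically over the collected logs, an IP that appears with `later_success` set is the one to investigate first, since it marks a guessing run that apparently ended in a valid session.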
That's about it. What I have described is almost the same as for ordinary companies. It is really not easy to do security well; if conditions permit, you'd better recruit professionals.
Back to the original question of "low cost".
All the above points cost nothing. Regular security assessment can be replaced by scanning, but the effect is worse. Another trick is to collect vulnerability reports from the security community and pay rewards. The cost is not very high, but the effect is surprisingly good.