我的資訊保安工作經驗分享 (三) | My IT Security Experiences (3)

上兩回分享了我當資訊保安工程師的大部分工作，今次我會介紹一下當年的資訊保安審計是如何進行的。

I had shared with you many of the works I did when I was an I.T. Security Engineer. Now let's see what's it all about as I.T. security audit.

當年有一個客戶，是城中一家大型報紙，雜誌出版商。他們的公司有自己的物業，所有不同報紙雜誌都是在同一棟工業大廈中。包括管理層的辦公室都是在入面。我的工作就是負責審計整個報業集團的資訊保安守則。把不足之處找出來，之後報告給管理層，並提供建議用來完善整個集團的資訊保安。

One of my customers was a newspaper and magazine group. It was located in its own industrial building with different departments separated in different floors of the building, including their management. My responsibility was to audit the group's I.T. security policy. Discovering all shortcomings, to report them to management and to provide improvement suggestions.

一開始，就是先跟客戶管理層開會，原因是：

• 制訂整個項目的時間表
• 列出客戶所需要提供的資源，當要求客戶管理層的支持
• 列出我方將會交付的成果，並得到客戶的同意

We setup kick-off meeting with customer's management for :

• agreement upon project timeline
• confirmation with customer about the resources to be provided by them with management's endorsement
• confirmation of deliverables

當中第二項是非常重要的。因為做審計是需要接觸公司內部很多敏感的資料和資源，如果沒有最高領導層的命令，這些東西都不可能得到的。在這個會議中，客戶會再次確認審計會覆蓋的範圍。就著這個範圍，我們會要求客戶提供相對應的支持，例如每個將會被審計的部門要有一名負責協調的人員和我們合作。通常這位員工會是部門真正有話事權的人。

It was particularly important to have second item confirmed. To perform an audit, we needed to access sensitive information and resources. Without support of menagement, this could never happened. Customer had to confirm our scope of work (SoW) in the meeting. With the SoW, we identified resources needed, e.g. each department to assign one coordinator to work with us, usually the in-charge person.

有類似工作經驗的人都應該知道，整個工作成功與否，很大程度上在這個會議上已經有了決定。如果得到最高管理層的支持，項目可以說是成功了一大半，只要在執行上不要犯太多錯誤，完成任務只是時間問題。相反的話，無論執行項目的人是多麼的有能力，要成功交貨基本上是不可能的了。真的發生這個情況，項目執行時的目標就要改成傷害控制了，就是要把項目對公司的損害減至最低。就是因為這個會議的重要性，我們公司都會派出資深的顧問和公司高層一起差與。到執行時才由我這年資較淺的工程師來負責。

This was well known to those who had similar experiences that the meeting determined wether the project could be successful or not. With the support of customer's management, it wad very likely that the project would be a successful one. Otherwise, we had to work on damage control. Because of the importance of this meeting, our senior consultants and manangement would join the kick-off meeting and passed the project to the engineers to execute afterwards.

項目開始之後，我基本上是每天都到客戶的辦公室去上班。為期大約三個月。工作包括：

1. 查看原有的保安守則(當時可以說是沒有的)
2. 約見每個部門不同的員工，套取員工們平時的工作流程
3. 在原來的守則中找出不足之處
4. 對比原來的守則和員工的工作流程找出不符合的地方
5. 對客戶的電腦系統進行測試以找出系統的漏洞。現今的公司可能會找專業的駭客去做一些叫道德駭客攻擊，但當時連保安守則也沒有的公司當然不會做這些深層次的檢測。我們在客戶的網絡上做些簡單的攻擊測試
6. 將所有資料，發現整合，編寫報告
7. 將報告轉化做簡報，再向客戶（包括高層)匯報

I had to work on customer site after the project was started for about 3 months, with tasks:

1. Review original policy (which was very limited at that time)
2. Meet with employees at different departments for their daily workflows
3. pinpoint shortcomings in existing policy
4. find non-compliance out of existing work flows
5. Attack customer's computer systems and networks. Not to the level of ethical hacking thought.
6. Consolidate data and findings and create report.
7. Presentation to customer.

在那三個月之中，為了配合客戶的工作時間，時常要在特別的時間到客戶辦公室工作。例如要在每天零晨4:30之後才能到電腦房做攻擊測試。因為出版流程在每晚1:30 ~ 4:00之間是最需要使用電腦的。

I worked plenty odd hours during that 3 months as I had to cope with customer's internal workflow. For example, I was only allowed to do hacking after 4:30am because the computers were extremely busy during 1:30am to 4:00am for publishing of newspapers.

除了要檢查電腦系統及網絡的安全程度之外，我們連物理層面上的資訊保安亦要顧及的。大家來數一數
在電腦內的資料外洩有什麼途徑：

• 首先有電子形式的外洩，例如電腦或伺服器被入侵
• 另外就是物理式的外洩，例如整個電腦或硬盤被偷走，又或者資料被打印出來並偷走

We also took care of the physical security because it was also one of the possible loophole that could cause breach of I.T. security.

電腦被入侵，可以是從外邊經網絡入侵，或者是從公司內部入侵。內部的入侵可以是從其中一部連接著網絡的電腦經駭客攻擊，又或者是從其他途徑得到電腦的操控權再抄走資料。

Hacking could be from external and internal. It could be as simple as gaining access right of a networked computer, started from there to get data or access to other networked resources.

很多人有誤解，以為網絡攻擊都是從網外進攻，其實大部分的攻擊是從網內進行的。因為要防止經互聯網而來的網外攻擊，只要用心配置防火牆，定期更新所有網絡裝置的安全更新，和定期的監控整個網絡便可以了。但從防火牆的內部進行攻擊就容易得多了， 而且直接得多。簡單的只要能拿到一個密碼便可以做到很多的事。又或者在某一台使用者離開之後忘記了關機或鎖屏的工作站上插入一支USB硬盤，便能拷貝公司大量機密。

Many people thought that cyber attacks were only from outside world, but in fact, majority of them happened from internal. It wasn't too difficult to protect the system from external atracks with properly configured firewalls, well maintained system patches and carefully monitored networks. Attacks originated from internal, on the other hand, were more direct, effective and difficult to defend. It was as simple as getting a password from some careless employee, or plug an USB HD to a workstation that was not locked.

物理式的入侵更是與電腦技術無太大關係。這方面的保安要求其實更像一般的場地保安。例如不同辦公室區域要有不同權限才能進入。特定的資料要有特別的權限同時在特定的打印機才可以打印。電腦要有專用的防盜電腦鎖之類的要求。

To provide protections against physical attacks, like theft of computers, printouts, etc, it was more like physical security control. For example, access control of restricted areas, limitation of printing devices for sensitive data, use of anti-theft locks for computers, etc.

所以做了一些簡單的內、外部測試，和大量員工會議之後，就會找出很多有問題的地方。之後就是要打這些發現放進一份報告和一個簡報表入面， 作為項目的交付成果的一部分送呈客戶。還記得這個項目的報告是超過三百三十頁的，光是編寫報告已經要兩，三個星期。可想而知當中找到的問題有多少。

After simple internal and external penatration tests and lots of interviews, there werw plenty of findings. We had to put together a report and presentation to deliver to customer. It was a 330+ pages report which took me about 3 weeks time to complete. Think about the no. of findings that it covered.

當然並不是每一個發現都是嚴重的。所以我們需要把發現分為不同的級別。就着不同級別的問題嚴重性和迫切性向客戶提供相對應的建議。至於客戶會採用多少建議則沒有保證的。

All findings were classified by severity, put into priority lists. Suggustions will be provided based on their priorities. However, what customer would take was another story.

最後我希望向大家重申一點，整個系統的安全程度是止於整個安全系統中最弱的一環的。打個比喻：一個電腦系統有著全世界最先進的網絡保安系統，從網絡上，不管裏，外都不可以攻破其防衛。但原來任何人都可以直接走到伺服器前面，隨意拷貝內面的資料。那麼這個系統基本上可以說是沒有任何保安措施。大家請小心不要成為這最弱的一環呀。

Finally I would like to emphases that a system's security is as good as its weakest link. For example, a well protected system with most advanced security I.T. security system, properly configured, could be rendered completely useless if the system can be accessed physically without any control. Make sure you are not the weakest link of your system.

圖片來源 | Image source : Pixabay

我的資訊保安工作經驗分享 (二) | My IT Security Experiences (2)

我的資訊保安工作經驗分享 (一) | My IT Security Experiences (1)