Maulalo ku magawo ena a kafukufukuyu
- (Muli pano)
Nkhaniyi imamaliza mndandanda wa zofalitsa zomwe zaperekedwa kuti zitsimikizire chitetezo chazidziwitso zamabanki osalipira ndalama. Apa tiwona zitsanzo zowopsa zomwe zikutchulidwa :
- .
- .
- .
- .
CHENJEZO-HABRO!!! Okondedwa Khabrovites, iyi si nkhani yosangalatsa.
Masamba a 40+ azinthu zobisika pansi pa odulidwa amapangidwira thandizani ntchito kapena maphunziro anthu odziwa zambiri zamabanki kapena chitetezo chazidziwitso. Zida zimenezi ndizo zomaliza za kafukufukuyu ndipo zimalembedwa mowuma komanso momveka bwino. M'malo mwake, izi ndizosowa zolembedwa zachitetezo chamkati.Chabwino, chikhalidwe - "Kugwiritsa ntchito chidziwitso chochokera m'nkhaniyo pazinthu zosaloledwa ndikulangidwa ndi lamulo". Kuwerenga kopindulitsa!
ChidziΕ΅itso cha oΕ΅erenga amene adziΕ΅a bwino phunziro kuyambira mβbuku lino.
Kodi phunziroli ndi chiyani?
Mukuwerenga kalozera wa katswiri yemwe ali ndi udindo wowonetsetsa chitetezo chazidziwitso zamalipiro kubanki.
Malingaliro owonetsera
Pachiyambi mu ΠΈ kufotokozera kwa chinthu chotetezedwa kumaperekedwa. Kenako kulowa akufotokoza momwe angapangire chitetezo ndikulankhula za kufunikira kopanga chitsanzo choopsya. MU imakamba za mitundu yowopsa yomwe ilipo komanso momwe imapangidwira. MU ΠΈ Kusanthula kwa kuukira kwenikweni kumaperekedwa. ΠΈ muli ndi kufotokozera kwachitsanzo chowopseza, chomangidwa poganizira zambiri za zigawo zonse zam'mbuyo.
TYPICAL THREAT MODEL. KULUMIKIZANA KWA NETWORK
Chinthu chachitetezo chomwe chiwopsezo (chiwopsezo) chimagwiritsidwa ntchito
Cholinga chachitetezo ndi data yomwe imafalitsidwa kudzera pa intaneti yomwe ikugwira ntchito mumanetiweki a data omangidwa pamaziko a stack ya TCP / IP.
zomangamanga
Kufotokozera za zomangamanga:
- "Zomaliza" - mfundo zotumizirana mauthenga otetezedwa.
- "Nfundo zapakatikati" - zinthu za netiweki yotumizira ma data: ma routers, ma switch, ma seva olowera, ma seva a proxy ndi zida zina - momwe magalimoto olumikizira netiweki amafalikira. Nthawi zambiri, kulumikizana kwa intaneti kumatha kugwira ntchito popanda ma node apakatikati (mwachindunji pakati pa ma node omaliza).
Zowopsa zachitetezo chapamwamba
Kuwola
U1. Kufikira kosaloledwa kwa data yotumizidwa.
U2. Kusintha kosavomerezeka kwa data yotumizidwa.
U3. Kuphwanya mlembi wa data yotumizidwa.
U1. Kufikira kosaloledwa kwa data yotumizidwa
Kuwola
U1.1. <β¦>, zomwe zimachitika pomaliza kapena apakatikati:
U1.1.1. <β¦> powerenga deta ili m'zida zosungiramo:
U1.1.1.1. <β¦> mu RAM.
Kufotokozera kwa U1.1.1.1.
Mwachitsanzo, pakukonza deta ndi stack network network.
U1.1.1.2. <β¦> mu kukumbukira kosasunthika.
Kufotokozera kwa U1.1.1.2.
Mwachitsanzo, posungira deta yotumizidwa mu cache, mafayilo osakhalitsa kapena kusinthana mafayilo.
U1.2. <β¦>, zomwe zimachitika pagulu lachitatu la netiweki ya data:
U1.2.1. <...> ndi njira yojambulira mapaketi onse omwe akufika pa intaneti ya wolandila:
Kufotokozera kwa U1.2.1.
Kujambula mapaketi onse kumachitika ndikusintha khadi yamaneti kukhala yachiwerewere (mawonekedwe achiwerewere a ma adapter a waya kapena kuwunika kwa ma adapter a Wi-Fi).
U1.2.2. <β¦> pochita ziwopsezo za munthu wapakati (MiTM), koma osasintha zomwe zimatumizidwa (osawerengera data ya network protocol).
U1.2.2.1. Ulalo: .
U1.3. <β¦>, yochitika chifukwa cha kutayikira kwa chidziwitso kudzera munjira zaukadaulo (TKUI) kuchokera kumagulu amthupi kapena mizere yolumikizirana.
U1.4. <β¦>, yochitidwa ndikuyika njira zapadera zaukadaulo (STS) kumapeto kapena ma node apakatikati, omwe amapangidwira kusonkhanitsa kwachinsinsi.
U2. Kusintha kosavomerezeka kwa data yotumizidwa
Kuwola
U2.1. <β¦>, zomwe zimachitika pomaliza kapena apakatikati:
U2.1.1. <β¦> powerenga ndikusintha zomwe zili muzosungirako za node:
U2.1.1.1. <β¦> mu RAM:
U2.1.1.2. <β¦> mu kukumbukira kosasunthika:
U2.2. <β¦>, zomwe zimachitika pagulu lachitatu la network yotumizira ma data:
U2.2.1. <β¦> pochita ziwopsezo za munthu wapakati (MiTM) ndikuwongolera magalimoto kumalo omwe akuwukirawo:
U2.2.1.1. Kulumikizana kwakuthupi kwa zida za owukira kumapangitsa kuti intaneti iwonongeke.
U2.2.1.2. Kulimbana ndi ma protocol a network:
U2.2.1.2.1. <β¦> kasamalidwe ka ma network apafupi (VLAN):
U2.2.1.2.1.1. .
U2.2.1.2.1.2. Kusintha kosaloledwa kwa VLAN pa ma switch kapena ma routers.
U2.2.1.2.2. <β¦> njira zamagalimoto:
U2.2.1.2.2.1. Kusintha kosaloledwa kwa ma static routing tables a ma routers.
U2.2.1.2.2.2. Kulengeza kwa njira zabodza ndi omwe akuwukira kudzera mumayendedwe osinthika.
U2.2.1.2.3. <β¦> kasinthidwe kake:
U2.2.1.2.3.1. .
U2.2.1.2.3.2. .
U2.2.1.2.4. <β¦> adilesi ndi kukonza dzina:
U2.2.1.2.4.1. .
U2.2.1.2.4.2. .
U2.2.1.2.4.3. Kupanga zosintha zosaloleka pamafayilo am'malo am'malo (makamu, lmhosts, ndi zina)
U3. Kuphwanya ufulu wazinthu zotumizidwa
Kuwola
U3.1. Kusalowerera ndale kwa njira zodziwira kulembetsedwa kwa chidziwitso powonetsa zabodza zokhudza wolemba kapena gwero la data:
U3.1.1. Kusintha zambiri za wolemba zomwe zili muzomwe zimafalitsidwa.
U3.1.1.1. Kusalowerera ndale kwa chitetezo cha cryptographic cha kukhulupirika ndi kulembedwa kwa data yofalitsidwa:
U3.1.1.1.1. Ulalo: .
U3.1.1.2. Kusalowerera ndale kwa kutetezedwa kwa copyright kwa data yofalitsidwa, kukhazikitsidwa pogwiritsa ntchito ma code otsimikizira kamodzi:
U3.1.1.2.1. .
U3.1.2. Kusintha zambiri za komwe kumachokera zidziwitso zopatsirana:
U3.1.2.1. .
U3.1.2.2. .
TYPICAL THREAT MODEL. ZINTHU ZAMBIRI ZOMWE AMANGIDWA PA MAZISI A CLIENT-SERVER ARCHITECTURE
Chinthu chachitetezo chomwe chiwopsezo (chiwopsezo) chimagwiritsidwa ntchito
Cholinga cha chitetezo ndi dongosolo lachidziwitso lomangidwa pamaziko a zomangamanga za kasitomala-server.
zomangamanga
Kufotokozera za zomangamanga:
- "Kasitomala" - chipangizo chomwe gawo la kasitomala la chidziwitso limagwira ntchito.
- "Seva" - chipangizo chomwe gawo la seva lachidziwitso limagwira ntchito.
- "Data store" - gawo lachitukuko cha seva ya dongosolo la chidziwitso, lopangidwa kuti lisunge deta yokonzedwa ndi chidziwitso.
- "Network connection" - njira yosinthira zidziwitso pakati pa kasitomala ndi Seva yodutsa pa netiweki ya data. Kufotokozera mwatsatanetsatane kwa element element kumaperekedwa .
Zoletsa
Popanga chinthu, zoletsa zotsatirazi zimayikidwa:
- Wogwiritsa ntchito amalumikizana ndi dongosolo lazidziwitso mkati mwa nthawi yomaliza, yotchedwa magawo a ntchito.
- Kumayambiriro kwa gawo lililonse la ntchito, wogwiritsa ntchito amadziwika, amatsimikiziridwa ndi kuvomerezedwa.
- Zidziwitso zonse zotetezedwa zimasungidwa pagawo la seva la chidziwitso.
Zowopsa zachitetezo chapamwamba
Kuwola
U1. Kuchita zosaloledwa ndi omwe akuukira m'malo mwa ogwiritsa ntchito ovomerezeka.
U2. Kusintha kosavomerezeka kwa chidziwitso chotetezedwa panthawi yomwe ikukonzedwa ndi gawo la seva la chidziwitso.
U1. Kuchita zosaloledwa ndi omwe akuukira m'malo mwa ogwiritsa ntchito ovomerezeka
Ndemanga
Nthawi zambiri pamakina azidziwitso, zochita zimayenderana ndi wogwiritsa ntchito yemwe adazichita pogwiritsa ntchito:
- zipika za ntchito ya dongosolo (zipika).
- mawonekedwe apadera azinthu zomwe zili ndi chidziwitso chokhudza wogwiritsa ntchito yemwe adazipanga kapena kuzisintha.
Pokhudzana ndi gawo la ntchito, chiwopsezo ichi chikhoza kugawidwa kukhala:
- <β¦> idachitika mkati mwa gawo la ogwiritsa ntchito.
- <β¦> kuchitidwa kunja kwa gawo la ogwiritsa ntchito.
Gawo la ogwiritsa ntchito litha kukhazikitsidwa:
- Ndi wogwiritsa ntchito mwiniwake.
- Ochita zoipa.
Panthawi imeneyi, kuwonongeka kwapakatikati kwa chiwopsezochi kudzawoneka motere:
U1.1. Zochita zosaloledwa zidachitika mkati mwa gawo la ogwiritsa ntchito:
U1.1.1. <β¦> yoyikidwa ndi wogwiritsa ntchito.
U1.1.2. <β¦> yokhazikitsidwa ndi owukira.
U1.2. Zochita zosaloledwa zidachitidwa kunja kwa gawo la ogwiritsa ntchito.
Pakuwona kwazinthu zachidziwitso zomwe zingakhudzidwe ndi omwe akuwukira, kuwonongeka kwa ziwopsezo zapakatikati kudzawoneka motere:
Zinthu
Kuwola kwa ziwopsezo
U1.1.1.
U1.1.2.
U1.2.
Makasitomala
U1.1.1.1.
U1.1.2.1.
Kulumikizana kwa netiweki
U1.1.1.2.
Seva
U1.2.1.
Kuwola
U1.1. Zochita zosaloledwa zidachitika mkati mwa gawo la ogwiritsa ntchito:
U1.1.1. <β¦> yoyikidwa ndi wogwiritsa ntchito:
U1.1.1.1. Owukirawo adachita mosadalira kasitomala:
U1.1.1.1.1 Owukirawo adagwiritsa ntchito zida zofikira pazidziwitso:
Π£1.1.1.1.1.1. Owukirawo adagwiritsa ntchito njira zolowera / zotulutsa za Wokasitomala (kiyibodi, mbewa, chowunikira kapena chojambula chapa foni yam'manja):
U1.1.1.1.1.1.1. Owukirawo adagwira ntchito panthawi yomwe gawoli likugwira ntchito, zida za I / O zinalipo, ndipo wogwiritsa ntchito sanalipo.
Π£1.1.1.1.1.2. Owukirawo adagwiritsa ntchito zida zowongolera zakutali (zokhazikika kapena zoperekedwa ndi code yoyipa) kuti aziwongolera kasitomala:
U1.1.1.1.1.2.1. Owukirawo adagwira ntchito panthawi yomwe gawoli likugwira ntchito, zida za I / O zinalipo, ndipo wogwiritsa ntchito sanalipo.
U1.1.1.1.1.2.2. Owukirawo adagwiritsa ntchito zida zowongolera zakutali, zomwe sizikuwoneka kwa wogwiritsa ntchito.
U1.1.1.2. Owukirawo adalowa m'malo mwa data yomwe idalumikizidwa pamanetiweki pakati pa kasitomala ndi Seva, ndikuisintha m'njira yoti iwoneke ngati zochita za wogwiritsa ntchito movomerezeka:
U1.1.1.2.1. Ulalo: .
U1.1.1.3. Owukirawo adakakamiza wogwiritsa ntchito kuti achite zomwe adafotokoza pogwiritsa ntchito njira zama socialinjiniya.
Π£1.1.2 <β¦> yoyikidwa ndi owukira:
U1.1.2.1. Owukirawo adachita kuchokera kwa kasitomala (Π):
U1.1.2.1.1. Owukirawo adasokoneza njira yowongolera mwayi wamakina azidziwitso:
U1.1.2.1.1.1. Ulalo: .
Π£1.1.2.1.2. Owukirawo adagwiritsa ntchito zida zodziwika bwino zolumikizira zidziwitso
U1.1.2.2. Owukirawo adagwiritsa ntchito ma node ena a netiweki ya data, pomwe kulumikizana kwa netiweki ku Seva kumatha kukhazikitsidwa (Π):
U1.1.2.2.1. Owukirawo adasokoneza njira yowongolera mwayi wamakina azidziwitso:
U1.1.2.2.1.1. Ulalo: .
U1.1.2.2.2. Owukirawo adagwiritsa ntchito njira zosavomerezeka zopezera zidziwitso.
Kufotokozera U1.1.2.2.2.
Owukirawo atha kukhazikitsa kasitomala wokhazikika pazidziwitso pagawo lachitatu kapena atha kugwiritsa ntchito mapulogalamu osakhazikika omwe amagwiritsa ntchito njira zosinthira pakati pa kasitomala ndi Seva.
U1.2 Zochita zosaloledwa zidachitidwa kunja kwa gawo la ogwiritsa ntchito.
U1.2.1 Owukira adachita zinthu zosaloleka kenako adasintha mosaloledwa pazipika zachitetezo chazidziwitso kapena mawonekedwe apadera azinthu za data, zomwe zikuwonetsa kuti zomwe adachita zidachitidwa ndi wogwiritsa ntchito wovomerezeka.
U2. Kusintha kosavomerezeka kwa chidziwitso chotetezedwa panthawi yomwe ikukonzedwa ndi gawo la seva la chidziwitso
Kuwola
U2.1. Zigawenga zimasintha zidziwitso zotetezedwa pogwiritsa ntchito zida zodziwika bwino zachidziwitso ndikuchita izi m'malo mwa ogwiritsa ntchito ovomerezeka.
U2.1.1. Ulalo: .
U2.2. Zigawenga zimasintha zidziwitso zotetezedwa pogwiritsa ntchito njira zopezera deta zomwe sizimaperekedwa ndi momwe zidziwitso zimagwirira ntchito.
U2.2.1. Owukira amasintha mafayilo okhala ndi zidziwitso zotetezedwa:
U2.2.1.1. <β¦>, pogwiritsa ntchito njira zoyendetsera mafayilo zoperekedwa ndi makina opangira.
U2.2.1.2. <β¦> poyambitsa kubwezeretsedwa kwa mafayilo kuchokera muzosunga zosinthidwa zosaloledwa.
U2.2.2. Zigawenga zisintha zidziwitso zotetezedwa zomwe zasungidwa munkhokwe (Π):
U2.2.2.1. Owukira amachepetsa dongosolo lowongolera la DBMS:
U2.2.2.1.1. Ulalo: .
U2.2.2.2. Owukira amasintha zambiri pogwiritsa ntchito mawonekedwe amtundu wa DBMS kuti apeze deta.
U2.3. Zigawenga zimasintha zidziwitso zotetezedwa mwakusintha mosavomerezeka ma aligorivimu ogwiritsira ntchito pulogalamu yomwe imawayendetsa.
U2.3.1. Khodi yoyambira pulogalamuyo imatha kusinthidwa.
U2.3.1. Khodi yamakina a pulogalamuyo imatha kusinthidwa.
U2.4. Zigawenga zimasintha zidziwitso zotetezedwa pogwiritsa ntchito kusatetezeka mu pulogalamu yazidziwitso.
U2.5. Owukira amasintha zidziwitso zotetezedwa zikasamutsidwa pakati pa magawo a seva ya chidziwitso (mwachitsanzo, seva ya database ndi seva yofunsira):
U2.5.1. Ulalo: .
TYPICAL THREAT MODEL. ACCESS SYSTEM
Chinthu chachitetezo chomwe chiwopsezo (chiwopsezo) chimagwiritsidwa ntchito
Chinthu chotetezedwa chomwe chiwopsezochi chikugwiritsidwira ntchito chimagwirizana ndi chinthu chotetezedwa cha mtundu wowopseza: "Momwemo wowopseza. Dongosolo lazidziwitso lomangidwa pamapangidwe a kasitomala-server. β
Muchitsanzo chowopseza ichi, njira yowongolera mwayi wogwiritsa ntchito imatanthawuza gawo lachidziwitso chomwe chimakwaniritsa izi:
- Chizindikiritso cha ogwiritsa.
- Kutsimikizika kwa ogwiritsa ntchito.
- Zololeza ogwiritsa ntchito.
- Kulowetsa zochita za ogwiritsa ntchito.
Zowopsa zachitetezo chapamwamba
Kuwola
U1. Kukhazikitsa kopanda chilolezo kwa gawo m'malo mwa wogwiritsa ntchito wovomerezeka.
U2. Kuwonjezeka kosaloledwa kwa mwayi wa ogwiritsa ntchito mudongosolo lazambiri.
U1. Kukhazikitsa kopanda chilolezo kwa gawo m'malo mwa wogwiritsa ntchito wovomerezeka
Ndemanga
Kuwonongeka kwa chiwopsezochi nthawi zambiri kumatengera mtundu wa ogwiritsa ntchito komanso njira zotsimikizira zomwe zimagwiritsidwa ntchito.
Muchitsanzo ichi, njira yokhayo yozindikiritsira ndi kutsimikizira ogwiritsa ntchito mawu olowera ndi mawu achinsinsi ndi omwe adzaganizidwe. Pachifukwa ichi, tiganiza kuti kulowa kwa ogwiritsa ntchito ndi chidziwitso chopezeka pagulu chodziwika ndi omwe akuukira.
Kuwola
U1.1. <β¦> chifukwa cha kusagwirizana kwa zidziwitso:
U1.1.1. Owukirawo adasokoneza mbiri ya wogwiritsa ntchito pomwe akusunga.
Kufotokozera U1.1.1.
Mwachitsanzo, zidziwitsozo zitha kulembedwa pa cholemba chomata chokanidwa pamoniti.
U1.1.2. Wogwiritsa mwangozi kapena mwadala adapereka zambiri zofikira kwa omwe akuwukirawo.
U1.1.2.1. Wogwiritsa adalankhula zidziwitso mokweza pamene akulowa.
U1.1.2.2. Wogwiritsa mwadala adagawana zidziwitso zake:
U1.1.2.2.1. <β¦> kugwira ntchito ndi anzanu.
Kufotokozera U1.1.2.2.1.
Mwachitsanzo, kuti athe m'malo mwa matenda.
U1.1.2.2.2. <β¦> kwa makontrakitala a abwana omwe amagwira ntchito pazinthu zopangira zidziwitso.
U1.1.2.2.3. <β¦> kwa anthu ena.
Kufotokozera U1.1.2.2.3.
Imodzi, koma osati njira yokhayo yochitira chiwopsezochi ndikugwiritsa ntchito njira zopangira anthu owukira.
U1.1.3. Owukirawo adasankha zidziwitso pogwiritsa ntchito njira zankhanza:
U1.1.3.1. <β¦> pogwiritsa ntchito njira zofikira.
U1.1.3.2. <β¦> pogwiritsa ntchito ma code omwe adalandidwa kale (mwachitsanzo, mawu achinsinsi) posunga mbiri.
U1.1.4. Owukirawo adagwiritsa ntchito nambala yoyipa kuti awononge mbiri ya ogwiritsa ntchito.
U1.1.5. Owukirawo adatulutsa zidziwitso kuchokera pa intaneti pakati pa Client ndi Seva:
U1.1.5.1. Ulalo: .
U1.1.6. Owukirawo adatulutsa zidziwitso kuchokera muzolemba zamakina owunikira ntchito:
U1.1.6.1. <β¦> makina owonera makanema (ngati makiyi a kiyibodi adajambulidwa panthawi yogwira ntchito).
U1.1.6.2. <β¦> machitidwe owunikira zochita za ogwira ntchito pakompyuta
Kufotokozera U1.1.6.2.
Chitsanzo cha dongosolo loterolo ndi .
U1.1.7. Owukirawo adasokoneza zidziwitso za ogwiritsa ntchito chifukwa cha zolakwika pakufalitsa.
Kufotokozera U1.1.7.
Mwachitsanzo, kutumiza mawu achinsinsi momveka bwino kudzera pa imelo.
U1.1.8. Owukira adapeza zidziwitso poyang'anira gawo la wogwiritsa ntchito pogwiritsa ntchito machitidwe owongolera akutali.
U1.1.9. Owukirawo adapeza zidziwitso chifukwa cha kutayikira kwawo kudzera munjira zaukadaulo (TCUI):
U1.1.9.1. Owukirawo adawona momwe wogwiritsa ntchito adalowetsamo zidziwitso kuchokera pa kiyibodi:
U1.1.9.1.1 Owukirawo anali pafupi ndi wogwiritsa ntchitoyo ndipo adawona kulowetsa kwa zizindikiro ndi maso awo.
Kufotokozera U1.1.9.1.1
Milandu yotereyi imaphatikizapo zochita za ogwira nawo ntchito kapena vuto pamene kiyibodi ya wosuta ikuwonekera kwa alendo ku bungwe.
U1.1.9.1.2 Achiwembuwo adagwiritsa ntchito njira zina zaukadaulo, monga ma binoculars kapena ndege yandege yopanda munthu, ndipo adawona malowedwe azizindikiro kudzera pawindo.
U1.1.9.2. Owukirawo adatulutsa zidziwitso kuchokera pamaulumikizidwe awayilesi pakati pa kiyibodi ndi gawo la makina apakompyuta pomwe adalumikizidwa kudzera pawayilesi (mwachitsanzo, Bluetooth).
U1.1.9.3. Owukirawo adapeza zidziwitso powatsitsa kudzera munjira yachinyengo yamagetsi yamagetsi ndi interference (PEMIN).
Kufotokozera U1.1.9.3.
Zitsanzo za kuukira ΠΈ .
U1.1.9.4. Wowukirayo adalowetsa zidziwitso kuchokera pa kiyibodi pogwiritsa ntchito njira zapadera zaukadaulo (STS) zomwe zidapangidwa kuti zipeze zambiri mwachinsinsi.
Kufotokozera U1.1.9.4.
zitsanzo .
U1.1.9.5. Owukirawo adalanda zomwe zidachokera pa kiyibodi pogwiritsa ntchito
kusanthula kwa siginecha ya Wi-Fi yosinthidwa ndi njira ya wosuta.
Kufotokozera U1.1.9.5.
Chitsanzo: .
U1.1.9.6. Owukirawo adasokoneza kulowetsa kwa zizindikiro kuchokera pa kiyibodi posanthula phokoso la makiyi.
Kufotokozera U1.1.9.6.
Chitsanzo: .
U1.1.9.7. Owukirawo adasokoneza kulowa kwa zidziwitso kuchokera pa kiyibodi ya foni yam'manja posanthula zowerengera za accelerometer.
Kufotokozera U1.1.9.7.
Chitsanzo: .
U1.1.10. <β¦>, idasungidwa kale pa Makasitomala.
Kufotokozera U1.1.10.
Mwachitsanzo, wogwiritsa ntchito amatha kusunga malowedwe ndi mawu achinsinsi mu msakatuli kuti alowe patsamba linalake.
U1.1.11. Zigawenga zasokoneza zidziwitso chifukwa cha zolakwika pakuletsa mwayi wogwiritsa ntchito.
Kufotokozera U1.1.11.
Mwachitsanzo, wogwiritsa ntchito atachotsedwa ntchito, maakaunti ake amakhala osatsekeka.
U1.2. <β¦> pogwiritsa ntchito ziwopsezo pamakina owongolera.
U2. Kukwezedwa kosavomerezeka kwa mwayi wa ogwiritsa ntchito mudongosolo lazambiri
Kuwola
U2.1 <β¦> popanga zosintha zosaloleka kuzinthu zomwe zili ndi chidziwitso chokhudza mwayi wa ogwiritsa ntchito.
U2.2 <β¦> pogwiritsa ntchito ziwopsezo pamakina owongolera mwayi.
U2.3. <β¦> chifukwa cha zolakwika mu kasamalidwe ka ogwiritsa ntchito.
Kufotokozera U2.3.
Chitsanzo 1. Wogwiritsa ntchito amapatsidwa mwayi wochuluka woti agwire ntchito kuposa momwe amafunira chifukwa cha bizinesi.
Chitsanzo 2: Wogwiritsa ntchito atasamutsidwa kupita kwina, maufulu omwe adapatsidwa kale sanachotsedwe.
TYPICAL THREAT MODEL. WOTHANDIZA MODULI
Chinthu chachitetezo chomwe chiwopsezo (chiwopsezo) chimagwiritsidwa ntchito
Integration module ndi gulu lazinthu zopangira zidziwitso zomwe zidapangidwa kuti zithandizire kusinthana kwa chidziwitso pakati pa machitidwe azidziwitso.
Poganizira kuti m'magulu amakampani sikutheka nthawi zonse kulekanitsa dongosolo lachidziwitso chimodzi kuchokera ku lina, gawo lophatikizana lingathenso kuonedwa ngati kugwirizana pakati pa zigawo zomwe zili mkati mwa chidziwitso chimodzi.
zomangamanga
Chithunzi chokhazikika cha module yophatikiza chikuwoneka motere:
Kufotokozera za zomangamanga:
- "Exchange Server (SO)" - node / ntchito / gawo lachidziwitso chomwe chimagwira ntchito yosinthanitsa deta ndi chidziwitso china.
- "Mkhalapakati" - node / ntchito yokonzedwa kuti ikonzekere kuyanjana pakati pa machitidwe azidziwitso, koma osati gawo lawo.
Zitsanzo "Akhalapakati" pakhoza kukhala ma imelo, mabasi ogwira ntchito zamabizinesi (mabasi ochitira bizinesi / zomangamanga za SoA), ma seva amtundu wachitatu, ndi zina zambiri. Kawirikawiri, gawo lophatikizana silingakhale ndi "Intermediaries". - "Deta processing software" - mndandanda wa mapulogalamu omwe amagwiritsira ntchito ndondomeko zosinthira deta ndikusintha mawonekedwe.
Mwachitsanzo, kutembenuza deta kuchokera ku mtundu wa UFEBS kupita ku mtundu wa ABS, kusintha masitepe a mauthenga panthawi yotumizira, ndi zina zotero. - "Network connection" zimagwirizana ndi chinthu chofotokozedwa mu "Network connection" yowopsyeza chitsanzo. Malumikizidwe ena a netiweki omwe akuwonetsedwa pachithunzi pamwambapa mwina kulibe.
Zitsanzo za ma module ophatikiza
Chiwembu 1. Kuphatikiza kwa ABS ndi AWS KBR kudzera pa seva ya fayilo ya gulu lina
Kuti alipire, wogwira ntchito ku banki wovomerezeka amatsitsa zikalata zolipirira pakompyuta kuchokera kumabanki oyambira ndikuzisunga ku fayilo (mumtundu wake, mwachitsanzo, kutaya kwa SQL) pafoda ya netiweki (...SHARE) pa seva yamafayilo. Kenako fayiloyi imasinthidwa pogwiritsa ntchito chosinthira kukhala mafayilo amtundu wa UFEBS, omwe amawerengedwa ndi malo ogwirira ntchito a CBD.
Pambuyo pake, wogwira ntchito wovomerezeka - wogwiritsa ntchito malo ogwirira ntchito a KBR - amalembera ndi kusaina mafayilo omwe adalandira ndikuwatumiza ku Bank of Russia.
Ndalama zikalandiridwa kuchokera ku Bank of Russia, malo ogwirira ntchito a KBR amawachotsa ndikuwunika siginecha yamagetsi, pambuyo pake imawalemba m'mafayilo amtundu wa UFEBS pa seva yamafayilo. Asanalowetse zikalata zolipirira ku ABS, amasinthidwa pogwiritsa ntchito cholembera kuchokera ku mtundu wa UFEBS kupita ku mtundu wa ABS.
Tidzaganiza kuti mu chiwembu ichi, ABS imagwira ntchito pa seva imodzi yakuthupi, malo ogwirira ntchito a KBR amagwira ntchito pakompyuta yodzipatulira, ndipo cholembera chosinthira chimayenda pa seva yamafayilo.
Kulumikizana kwa zinthu zachithunzichi zomwe zimaganiziridwa pazinthu zamtundu wophatikiza:
"Sinthani seva kuchokera ku mbali ya ABS" - ABS seva.
"Sinthani seva kuchokera ku mbali ya AWS KBR" - makina apakompyuta a KBR.
"Mkhalapakati" - seva ya fayilo yachitatu.
"Deta processing software" - Converter script.
Scheme 2. Kuphatikiza kwa ABS ndi AWS KBR poyika foda ya netiweki yogawana ndi zolipira pa AWS KBR
Chilichonse chiri chofanana ndi Scheme 1, koma seva yosiyana ya fayilo sikugwiritsidwa ntchito; m'malo mwake, foda ya intaneti (...GAWANI) yokhala ndi zikalata zolipira zamagetsi imayikidwa pa kompyuta ndi ntchito ya CBD. Zolemba zosinthira zimagwiranso ntchito pa CBD workstation.
Kulumikizana kwa zinthu zachithunzichi zomwe zimaganiziridwa pazinthu zamtundu wophatikiza:
Zofanana ndi Scheme 1, koma "Mkhalapakati" osagwiritsidwa ntchito.
Scheme 3. Kuphatikiza kwa ABS ndi malo ogwirira ntchito KBR-N kudzera pa IBM WebSphera MQ ndi kusaina zikalata zamagetsi "mbali ya ABS"
ABS imagwira ntchito pa pulatifomu yomwe siyikuthandizidwa ndi Siginecha ya CIPF SCAD. Kusaina kwa zikalata zamagetsi zomwe zikutuluka kumachitika pa seva yapadera ya siginecha yamagetsi (ES Server). Seva yomweyo imayang'ana siginecha yamagetsi pazolemba zomwe zimachokera ku Bank of Russia.
ABS imakweza fayilo yokhala ndi zikalata zolipira mumtundu wake ku ES Server.
Seva ya ES, pogwiritsa ntchito script converter, imasintha fayilo kukhala mauthenga apakompyuta mumtundu wa UFEBS, pambuyo pake mauthenga apakompyuta amasindikizidwa ndikutumizidwa ku IBM WebSphere MQ.
Malo ogwirira ntchito a KBR-N amafikira ku IBM WebSphere MQ ndikulandila mauthenga olipira omwe asainidwa kuchokera pamenepo, pambuyo pake wogwira ntchito wovomerezeka - wogwiritsa ntchito KBR workstation - amawalembera ndikuwatumiza ku Bank of Russia.
Ndalama zikalandiridwa kuchokera ku Bank of Russia, malo ogwirira ntchito a KBR-N amawachotsa ndikutsimikizira siginecha yamagetsi. Ndalama zomwe zasinthidwa bwino ngati mauthenga a pakompyuta osiyidwa komanso osayinidwa mumtundu wa UFEBS amasamutsidwa kupita ku IBM WebSphere MQ, kuchokera komwe amalandiridwa ndi Electronic Signature Server.
Seva ya siginecha yamagetsi imatsimikizira siginecha yamagetsi yamalipiro omwe adalandilidwa ndikusunga mufayilo mumtundu wa ABS. Pambuyo pake, wogwira ntchito wovomerezeka - wogwiritsa ntchito ABS - amatsitsa fayiloyo ku ABS m'njira yovomerezeka.
Kulumikizana kwa zinthu zachithunzichi zomwe zimaganiziridwa pazinthu zamtundu wophatikiza:
"Sinthani seva kuchokera ku mbali ya ABS" - ABS seva.
"Sinthani seva kuchokera ku mbali ya AWS KBR" - makina apakompyuta a KBR.
"Mkhalapakati" - Seva ya ES ndi IBM WebSphere MQ.
"Deta processing software" - script converter, CIPF SCAD Signature pa ES Server.
Scheme 4. Kuphatikiza kwa RBS Server ndi core banking system kudzera pa API yoperekedwa ndi seva yosinthana yodzipereka.
Tiganiza kuti banki imagwiritsa ntchito njira zingapo zamabanki akutali (RBS):
- "Internet Client-Bank" kwa anthu (IKB FL);
- "Internet Client-Bank" yamabungwe ovomerezeka (IKB LE).
Pofuna kuonetsetsa chitetezo chazidziwitso, kuyanjana konse pakati pa ABS ndi machitidwe amabanki akutali kumachitika kudzera pa seva yodzipatulira yosinthana yomwe ikugwira ntchito mkati mwa dongosolo la chidziwitso cha ABS.
Kenako, tikambirana njira yolumikizirana pakati pa dongosolo la RBS la IKB LE ndi ABS.
Seva ya RBS, italandira chilolezo chovomerezeka chovomerezeka kuchokera kwa kasitomala, iyenera kupanga chikalata chofananira mu ABS potengera izo. Kuti muchite izi, pogwiritsa ntchito API, imatumiza chidziwitso ku seva yosinthira, yomwe imalowetsamo deta mu ABS.
Pamene miyeso ya akaunti ya kasitomala ikusintha, ABS imapanga zidziwitso zamagetsi, zomwe zimatumizidwa ku seva yakutali yakubanki pogwiritsa ntchito seva yosinthanitsa.
Kulumikizana kwa zinthu zachithunzichi zomwe zimaganiziridwa pazinthu zamtundu wophatikiza:
"Sinthani seva kuchokera kumbali ya RBS" - Seva ya RBS ya IKB YUL.
"Sinthani seva kuchokera ku mbali ya ABS" - seva yosinthira.
"Mkhalapakati" - palibe.
"Deta processing software" - Zigawo za RBS Server zomwe zimagwiritsa ntchito API ya seva yosinthira, zigawo za seva zomwe zimagwiritsidwa ntchito pogwiritsira ntchito API yaikulu ya banki.
Zowopsa zachitetezo chapamwamba
Kuwola
U1. Kulowetsa kwa zidziwitso zabodza ndi owukira kudzera mugawo lophatikiza.
U1. Kulowetsedwa kwa zidziwitso zabodza ndi owukira kudzera mugawo lophatikiza
Kuwola
U1.1. Kusintha kosavomerezeka kwa data yovomerezeka ikatumizidwa pamanetiweki:
U1.1.1 Ulalo: .
U1.2. Kutumiza kwa data yabodza kudzera munjira zoyankhulirana m'malo mwa otenga nawo mbali movomerezeka:
U1.1.2 Ulalo: .
U1.3. Kusintha kosavomerezeka kwa data yovomerezeka panthawi yomwe ikukonzedwa pa Exchange Servers kapena Intermediary:
U1.3.1. Ulalo: .
U1.4. Kupanga deta yabodza pa Exchange Servers kapena Intermediary m'malo mwa otenga nawo mbali movomerezeka:
U1.4.1. Ulalo:
U1.5. Kusintha kosavomerezeka kwa data ikakonzedwa pogwiritsa ntchito pulogalamu yokonza data:
U1.5.1. <β¦> chifukwa cha owukira omwe akupanga zosintha zosaloleka pazikhazikiko (makonzedwe) a pulogalamu yosinthira deta.
U1.5.2. <β¦> chifukwa cha owukira omwe akupanga kusintha kosaloledwa kumafayilo omwe angathe kukwaniritsidwa a pulogalamu yosinthira deta.
U1.5.3. <β¦> chifukwa cha kuwongolera kwa pulogalamu yokonza deta ndi owukira.
TYPICAL THREAT MODEL. CRYPTOGRAPHIC INFORMATION PROTECTION SYSTEM
Chinthu chachitetezo chomwe chiwopsezo (chiwopsezo) chimagwiritsidwa ntchito
Cholinga cha chitetezo ndi njira yotetezera chidziwitso cha cryptographic yomwe imagwiritsidwa ntchito kuonetsetsa chitetezo cha chidziwitso.
zomangamanga
Maziko a dongosolo lililonse lazidziwitso ndi pulogalamu yamapulogalamu yomwe imakwaniritsa zomwe mukufuna.
Chitetezo cha Cryptographic nthawi zambiri chimakhazikitsidwa poyitanitsa zoyambira za cryptographic kuchokera pamabizinesi apulogalamu yamapulogalamu, omwe amakhala m'malaibulale apadera - crypto cores.
Ma Cryptographic primitives amaphatikiza ntchito zotsika kwambiri, monga:
- encrypt/decrypt chipika cha data;
- pangani / kutsimikizira siginecha yamagetsi ya block block;
- kuwerengera ntchito ya hashi ya block block;
- kupanga / katundu / kukweza mfundo zazikulu;
- ndi zina zotero.
Malingaliro abizinesi a pulogalamu yogwiritsira ntchito amagwiritsa ntchito magwiridwe antchito apamwamba kwambiri pogwiritsa ntchito zilembo za cryptographic:
- encrypt fayilo pogwiritsa ntchito makiyi a omwe asankhidwa;
- kukhazikitsa maukonde otetezedwa;
- dziwitsani za zotsatira za kuyang'ana siginecha yamagetsi;
- ndi zina zotero
Kulumikizana kwamalingaliro abizinesi ndi crypto core zitha kuchitika:
- mwachindunji, ndi malingaliro abizinesi oyitanitsa zoyamba za cryptographic kuchokera ku malaibulale osinthika a crypto kernel (.DLL ya Windows, .SO ya Linux);
- mwachindunji, kudzera mu cryptographic interfaces - wrappers, mwachitsanzo, MS Crypto API, Java Cryptography Architecture, PKCS # 11, ndi zina zotero. Pankhaniyi, malingaliro amalonda amapeza mawonekedwe a crypto, ndipo amamasulira kuyitana kwa crypto core yofanana, yomwe mu mlanduwu umatchedwa crypto provider. Kugwiritsiridwa ntchito kwa cryptographic interfaces kumapangitsa kuti pulogalamu ya pulogalamuyo isasokonezeke ndi ma cryptographic algorithms ndikukhala osinthika.
Pali njira ziwiri zosinthira cryptocore:
Chiwembu 1 - Monolithic crypto core
Chiwembu 2 - Gawani maziko a crypto
Zomwe zili muzithunzi pamwambapa zitha kukhala ma module apulogalamu omwe akuyenda pakompyuta imodzi kapena mautumiki apakompyuta omwe amalumikizana ndi netiweki yamakompyuta.
Mukamagwiritsa ntchito machitidwe opangidwa molingana ndi Scheme 1, pulogalamu yogwiritsira ntchito ndi crypto core imagwira ntchito mkati mwa malo amodzi ogwiritsira ntchito chida cha crypto (SFC), mwachitsanzo, pa kompyuta yomweyi, yomwe imagwiritsa ntchito machitidwe omwewo. Wogwiritsa ntchito dongosolo, monga lamulo, akhoza kuyendetsa mapulogalamu ena, kuphatikizapo omwe ali ndi code yoyipa, mkati mwa malo omwewo ogwiritsira ntchito. Pansi pazimenezi, pali chiopsezo chachikulu cha kutayikira kwachinsinsi chachinsinsi chachinsinsi.
Kuti muchepetse chiopsezo, chiwembu 2 chimagwiritsidwa ntchito, pomwe maziko a crypto amagawidwa m'magawo awiri:
- Gawo loyamba, pamodzi ndi mapulogalamu ogwiritsira ntchito, limagwira ntchito m'malo osadalirika pomwe pali chiopsezo chotenga kachilombo ka code yoyipa. Tidzatcha gawoli "gawo la pulogalamu".
- Gawo lachiwiri limagwira ntchito pamalo odalirika pa chipangizo chodzipatulira, chomwe chili ndi zosungirako zachinsinsi. Kuyambira tsopano tidzatcha gawoli "hardware".
Kugawika kwa crypto core kukhala mapulogalamu ndi zida za hardware ndizosamveka. Pali machitidwe pamsika omwe amamangidwa molingana ndi chiwembu chokhala ndi crypto core, koma gawo la "hardware" lomwe limaperekedwa ngati chithunzi cha makina - pafupifupi HSM ().
Kuyanjana kwa mbali zonse ziwiri za crypto core kumachitika m'njira yoti makiyi achinsinsi achinsinsi samasamutsidwa ku gawo la pulogalamuyo ndipo, motero, sangathe kubedwa pogwiritsa ntchito code yoyipa.
Mawonekedwe olumikizirana (API) ndi seti ya cryptographic primitives yoperekedwa ku pulogalamu yogwiritsira ntchito ndi crypto core ndizofanana muzochitika zonsezi. Kusiyana kwagona m'mene amagwiritsidwira ntchito.
Chifukwa chake, mukamagwiritsa ntchito chiwembu chokhala ndi crypto core, kuyanjana kwa mapulogalamu ndi ma hardware kumachitika molingana ndi mfundo iyi:
- Ma Cryptographic primitives omwe safuna kugwiritsa ntchito kiyi yachinsinsi (mwachitsanzo, kuwerengera ntchito ya hashi, kutsimikizira siginecha yamagetsi, ndi zina zotero) amachitidwa ndi pulogalamuyo.
- Ma Cryptographic primitives omwe amagwiritsa ntchito kiyi yachinsinsi (kupanga siginecha yamagetsi, decrypting data, etc.) amachitidwa ndi hardware.
Tiyeni tiwonetse ntchito ya crypto core yogawidwa pogwiritsa ntchito chitsanzo chopanga siginecha yamagetsi:
- Gawo la pulogalamuyo limawerengera ntchito ya hashi ya data yosainidwa ndikutumiza mtengowu ku hardware kudzera pa njira yosinthira pakati pa crypto cores.
- Gawo la hardware, pogwiritsa ntchito kiyi yachinsinsi ndi hashi, limapanga mtengo wa siginecha yamagetsi ndikuyitumiza ku gawo la mapulogalamu kudzera pa njira yosinthira.
- Gawo la pulogalamuyo limabweza mtengo womwe walandilidwa ku pulogalamu yofunsira.
Mawonekedwe akuwona kulondola kwa siginecha yamagetsi
Pamene gulu lolandira lilandira deta yosindikizidwa pakompyuta, liyenera kuchita zinthu zingapo zotsimikizira. Chotsatira chabwino choyang'ana siginecha yamagetsi chimatheka pokhapokha ngati magawo onse otsimikizira akwaniritsidwa bwino.
Gawo 1. Kulamulira kukhulupirika kwa deta ndi kulemba deta.
Zamkatimu siteji. Siginecha yamagetsi ya datayo imatsimikiziridwa pogwiritsa ntchito njira yoyenera ya cryptographic algorithm. Kumaliza bwino kwa gawoli kukuwonetsa kuti deta siinasinthidwe kuyambira pomwe idasainidwa, komanso kuti siginecha idapangidwa ndi kiyi yachinsinsi yomwe ikugwirizana ndi kiyi yapagulu yotsimikizira siginecha yamagetsi.
Malo a siteji: crypto core.
Gawo 2. Kulamulira kwa chikhulupiliro mu fungulo la anthu osayina ndi kulamulira kwa nthawi yovomerezeka yachinsinsi chachinsinsi cha siginecha yamagetsi.
Zamkatimu siteji. Gawoli lili ndi magawo awiri apakatikati. Choyamba ndikuzindikira ngati kiyi yapagulu yotsimikizira siginecha yamagetsi idadaliridwa panthawi yosayina deta. Yachiwiri imatsimikizira ngati kiyi yachinsinsi ya siginecha yamagetsi inali yovomerezeka panthawi yosayina deta. Nthawi zambiri, nthawi zovomerezeka za makiyiwa sizingafanane (mwachitsanzo, paziphaso zoyenerera zamakiyi otsimikizira siginecha yamagetsi). Njira zokhazikitsira kukhulupilika kwa makiyi a anthu osayinawo zimatsimikiziridwa ndi malamulo a kasamalidwe ka zikalata pakompyuta omwe amatengedwa ndi maphwando omwe akukambirana.
Malo a siteji: pulogalamu yamapulogalamu / crypto core.
Gawo 3. Kuwongolera ulamuliro wa wosayina.
Zamkatimu siteji. Mogwirizana ndi malamulo okhazikitsidwa a kasamalidwe ka zikalata zamagetsi, zimafufuzidwa ngati wosayinayo anali ndi ufulu wotsimikizira deta yotetezedwa. Mwachitsanzo, tiyeni tipereke mkhalidwe wa kuswa ulamuliro. Tiyerekeze kuti pali bungwe lomwe antchito onse ali ndi siginecha yamagetsi. Dongosolo loyang'anira zikalata zamkati mwamagetsi amalandila lamulo kuchokera kwa manejala, koma losainidwa ndi siginecha yamagetsi ya woyang'anira nyumba yosungiramo zinthu. Choncho, chikalata choterocho sichingaganizidwe kuti ndi chovomerezeka.
Malo a siteji: pulogalamu yamapulogalamu.
Malingaliro opangidwa pofotokoza chinthu chachitetezo
- Njira zotumizira zidziwitso, kupatula njira zazikulu zosinthira, zimadutsanso pulogalamu yamapulogalamu, API ndi crypto core.
- Zambiri zokhuza kukhulupirira makiyi a anthu onse ndi (kapena) satifiketi, komanso zambiri zamphamvu za eni makiyi a anthu, zili mu sitolo yachinsinsi.
- Pulogalamu yogwiritsira ntchito imagwira ntchito ndi sitolo yachinsinsi pagulu kudzera mu crypto kernel.
Chitsanzo cha dongosolo lazidziwitso lotetezedwa pogwiritsa ntchito CIPF
Kuti tiwonetse zithunzi zomwe zidawonetsedwa kale, tiyeni tiganizire zachidziwitso chongoyerekeza ndikuwunikira zonse zomwe zidalipo.
Kufotokozera za dongosolo la chidziwitso
Mabungwe awiriwa adaganiza zoyambitsa kasamalidwe ka zikalata zovomerezeka zamalamulo (EDF) pakati pawo. Kuti achite izi, adachita mgwirizano womwe adalengeza kuti zikalata zidzatumizidwa ndi imelo, ndipo nthawi yomweyo ziyenera kulembedwa ndi kusindikizidwa ndi siginecha yoyenerera yamagetsi. Mapulogalamu akuofesi a phukusi la Microsoft Office 2016 ayenera kugwiritsidwa ntchito ngati zida zopangira ndi kukonza zikalata, ndipo CIPF CryptoPRO ndi mapulogalamu obisala CryptoARM ayenera kugwiritsidwa ntchito ngati njira zotetezera.
Kufotokozera za zomangamanga za bungwe 1
Bungwe 1 linaganiza kuti liyike CIPF CryptoPRO ndi CryptoARM mapulogalamu pa ntchito ya wosuta - kompyuta thupi. Makiyi a encryption ndi siginecha zamagetsi adzasungidwa pa makiyi a ruToken, akugwira ntchito mumayendedwe obweza. Wogwiritsa ntchito amakonzekera zikalata zamagetsi kwanuko pakompyuta yake, kenako amalemba, kusaina ndikuzitumiza pogwiritsa ntchito kasitomala wamaimelo omwe adayikidwa kwanuko.
Kufotokozera za zomangamanga za bungwe 2
Bungwe 2 lidaganiza zosuntha ntchito za encryption ndi siginecha zamagetsi kumakina odzipatulira. Pankhaniyi, ntchito zonse za cryptographic zidzachitidwa zokha.
Kuti tichite izi, zikwatu ziwiri zapaintaneti zimakonzedwa pamakina odzipatulira: "... Mu", "... Out". Mafayilo omwe alandilidwa kuchokera ku gulu lotseguka adzayikidwa mufoda ya netiweki "...Mu". Mafayilowa adzasinthidwa ndipo siginecha yamagetsi idzatsimikiziridwa.
Wogwiritsa ntchito adzayika mafayilo mufoda ya "... Out" yomwe ikufunika kubisidwa, kusaina ndikutumizidwa kwa mnzake. Wogwiritsa ntchitoyo adzikonzekeretsa okha mafayilo pazogwiritsa ntchito.
Kuti mugwiritse ntchito kubisa komanso siginecha yamagetsi, CIPF CryptoPRO, pulogalamu ya CryptoARM ndi kasitomala wa imelo zimayikidwa pamakina enieni. Kuwongolera zokha kwazinthu zonse zamakina owoneka bwino kudzachitika pogwiritsa ntchito zolemba zopangidwa ndi oyang'anira makina. Ntchito ya scripts imalowetsedwa mu mafayilo a log.
Makiyi a Cryptographic a siginecha yamagetsi adzayikidwa pa chizindikiro chokhala ndi kiyi ya JaCarta GOST yosabweza, yomwe wogwiritsa ntchitoyo alumikizane ndi kompyuta yake.
Chizindikirocho chidzatumizidwa kumakina omwe amagwiritsa ntchito pulogalamu yapadera ya USB-over-IP yomwe imayikidwa pamalo ogwirira ntchito komanso pamakina enieni.
Wotchi yamakina pa malo ogwirira ntchito a wogwiritsa ntchito mu bungwe 1 idzasinthidwa pamanja. Wotchi yamakina odzipatulira mu Organisation 2 idzalumikizidwa ndi wotchi ya hypervisor system, yomwe imalumikizidwa pa intaneti ndi ma seva anthawi yapagulu.
Kuzindikiritsa zinthu zamapangidwe a CIPF
Kutengera ndi zomwe tafotokozazi za zomangamanga za IT, tiwunikira zomwe zidapangidwa ndi CIPF ndikuzilemba patebulo.
Table - Kulumikizana kwa zinthu zachitsanzo za CIPF kuzinthu zamadongosolo azidziwitso
Chuma
Bungwe 1
Bungwe 2
Pulogalamu yamapulogalamu
Pulogalamu ya CryptoARM
Pulogalamu ya CryptoARM
Mapulogalamu gawo la crypto core
CIPF CryptoPRO CSP
CIPF CryptoPRO CSP
Crypto core hardware
akusowa
Chithunzi cha JaCarta GOST
API
MS CryptoAPI
MS CryptoAPI
Sitolo Yachinsinsi Pagulu
Malo ogwiritsira ntchito:
- HDD;
- malo osungira satifiketi a Windows.
Hypervisor:
- HDD.
Makina owonera:
- HDD;
- malo osungira satifiketi a Windows.
Kusungirako makiyi achinsinsi
makiyi a ruToken akugwira ntchito mumakina obwezerezedwanso
JaCarta GOST chonyamulira makiyi akugwira ntchito mumayendedwe osachotsedwa
Njira yosinthira makiyi pagulu
Malo ogwiritsira ntchito:
- RAM.
Hypervisor:
- RAM.
Makina owonera:
- RAM.
Njira yachinsinsi yosinthira makiyi
Malo ogwiritsira ntchito:
- basi ya USB;
- RAM.
akusowa
Sinthani njira pakati pa crypto cores
kusowa (palibe crypto core hardware)
Malo ogwiritsira ntchito:
- basi ya USB;
- RAM;
- USB-over-IP software module;
- mawonekedwe a intaneti.
Network Network ya bungwe 2.
Hypervisor:
- RAM;
- mawonekedwe a intaneti.
Makina owonera:
- mawonekedwe a netiweki;
- RAM;
- USB-over-IP software module.
Tsegulani Data Channel
Malo ogwiritsira ntchito:
- zolowetsa-zotulutsa zikutanthauza;
- RAM;
- HDD.
Malo ogwiritsira ntchito:
- zolowetsa-zotulutsa zikutanthauza;
- RAM;
- HDD;
- mawonekedwe a intaneti.
Network Network ya bungwe 2.
Hypervisor:
- mawonekedwe a netiweki;
- RAM;
- HDD.
Makina owonera:
- mawonekedwe a netiweki;
- RAM;
- HDD.
Tetezani njira yosinthira deta
Intaneti.
Network Network ya bungwe 1.
Malo ogwiritsira ntchito:
- HDD;
- RAM;
- mawonekedwe a intaneti.
Intaneti.
Network Network ya bungwe 2.
Hypervisor:
- mawonekedwe a netiweki;
- RAM;
- HDD.
Makina owonera:
- mawonekedwe a netiweki;
- RAM;
- HDD.
Njira yanthawi
Malo ogwiritsira ntchito:
- zolowetsa-zotulutsa zikutanthauza;
- RAM;
- ndondomeko yowerengera nthawi.
Intaneti.
Network network ya bungwe 2,
Hypervisor:
- mawonekedwe a netiweki;
- RAM;
- ndondomeko yowerengera nthawi.
Makina owonera:
- RAM;
- ndondomeko yowerengera nthawi.
Control command transmission channel
Malo ogwiritsira ntchito:
- zolowetsa-zotulutsa zikutanthauza;
- RAM.
(Mawonekedwe ogwiritsa ntchito pulogalamu ya CryptoARM)
Makina owonera:
- RAM;
- HDD.
(Zolemba zokha)
Channel yolandirira zotsatira za ntchito
Malo ogwiritsira ntchito:
- zolowetsa-zotulutsa zikutanthauza;
- RAM.
(Mawonekedwe ogwiritsa ntchito pulogalamu ya CryptoARM)
Makina owonera:
- RAM;
- HDD.
(Mafayilo a Log of automation scripts)
Zowopsa zachitetezo chapamwamba
Ndemanga
Malingaliro opangidwa pakuwola zowopseza:
- Ma algorithms amphamvu a cryptographic amagwiritsidwa ntchito.
- Ma Cryptographic algorithms amagwiritsidwa ntchito motetezeka m'njira zolondola (mwachitsanzo. sichimagwiritsidwa ntchito kubisa deta yambiri, katundu wovomerezeka pa kiyi amaganiziridwa, ndi zina zotero).
- Owukira amadziwa ma algorithms onse, ma protocol ndi makiyi apagulu omwe amagwiritsidwa ntchito.
- Zigawenga zimatha kuwerenga zonse zosungidwa.
- Owukira amatha kutulutsanso mapulogalamu aliwonse mudongosolo.
Kuwola
U1. Kusokoneza makiyi achinsinsi a cryptographic.
U2. Kubisa deta yabodza m'malo mwa wotumiza wovomerezeka.
U3. Kutsitsidwa kwa data yosungidwa ndi anthu omwe si olandila zovomerezeka (oukira).
U4. Kupanga siginecha yamagetsi ya wosayina wovomerezeka pansi pazabodza.
U5. Kupeza zotsatira zabwino poyang'ana siginecha yamagetsi ya data yabodza.
U6. Kuvomereza molakwika zikalata zamagetsi kuti aphedwe chifukwa cha zovuta pakukonza kasamalidwe ka zikalata zamagetsi.
U7. Kufikira kosaloledwa kwa data yotetezedwa panthawi yomwe akukonzedwa ndi CIPF.
U1. Kusokoneza makiyi achinsinsi a cryptographic
U1.1. Kubweza kiyi yachinsinsi kuchokera ku sitolo yachinsinsi.
U1.2. Kupeza chinsinsi chachinsinsi kuchokera ku zinthu zomwe zili mu malo ogwiritsira ntchito crypto-tool, zomwe zingakhalepo kwakanthawi.
Kufotokozera U1.2.
Zinthu zomwe zitha kusunga kiyi wachinsinsi kwakanthawi zikuphatikizapo:
- RAM,
- mafayilo osakhalitsa,
- kusintha mafayilo,
- mafayilo a hibernation,
- jambulani mafayilo "otentha" pamakina enieni, kuphatikiza mafayilo omwe ali mu RAM yamakina omwe adayimitsidwa.
U1.2.1. Kutulutsa makiyi achinsinsi pakugwira ntchito kwa RAM ndikuwumitsa ma module a RAM, kuwachotsa ndikuwerenga zomwe zili (kuwunda kozizira).
Kufotokozera U1.2.1.
Chitsanzo: .
U1.3. Kupeza kiyi yachinsinsi kuchokera ku njira yachinsinsi yosinthira makiyi.
Kufotokozera U1.3.
Chitsanzo cha kukhazikitsidwa kwa chiwopsezochi chidzaperekedwa .
U1.4. Kusintha kosaloledwa kwa crypto core, chifukwa chake makiyi achinsinsi amadziwika ndi omwe akuukira.
U1.5. Kusokoneza makiyi achinsinsi chifukwa chogwiritsa ntchito njira zaukadaulo zaukadaulo (TCIL).
Kufotokozera U1.5.
Chitsanzo: .
U1.6. Kusokoneza makiyi achinsinsi chifukwa chogwiritsa ntchito njira zaukadaulo zapadera (STS) zopangidwira kubweza zambiri mwachinsinsi ("bugs").
U1.7. Kusokoneza makiyi achinsinsi panthawi yosungira kunja kwa CIPF.
Kufotokozera U1.7.
Mwachitsanzo, wogwiritsa ntchito amasunga zofalitsa zake zazikulu mu kabati yapakompyuta, momwe angatulutsiremo mosavuta ndi omwe akuukira.
U2. Kubisa deta yabodza m'malo mwa wotumiza wovomerezeka
Ndemanga
Chiwopsezochi chimangoganiziridwa pamachitidwe achinsinsi a data okhala ndi kutsimikizika kwa wotumiza. Zitsanzo za ziwembu zotere zikuwonetsedwa muzolimbikitsa zokhazikika . Kwa machitidwe ena achinsinsi, chiwopsezochi kulibe, popeza kubisa kumachitika pamakiyi agulu a wolandila, ndipo nthawi zambiri amadziwika ndi omwe akuukira.
Kuwola
U2.1. Kusokoneza makiyi achinsinsi a wotumiza:
U2.1.1. Ulalo: .
U2.2. Kusintha kwa data mu njira yotseguka yosinthira deta.
Zolemba za U2.2.
Zitsanzo za kukhazikitsidwa kwa chiwopsezochi zaperekedwa pansipa. ΠΈ .
U3. Kutsitsidwa kwa data yosungidwa ndi anthu omwe si olandila zovomerezeka (oukira)
Kuwola
U3.1. Kusokoneza makiyi achinsinsi a wolandira data yobisidwa.
U3.1.1 Ulalo: .
U3.2. Kusintha kwa data yobisika munjira yotetezeka yosinthira deta.
U4. Kupanga siginecha yamagetsi ya wosayina wovomerezeka pansi pazabodza
Kuwola
U4.1. Kusokoneza makiyi achinsinsi a siginecha yamagetsi ya wosayina wovomerezeka.
U4.1.1 Ulalo: .
U4.2. Kusintha kwa data yomwe yasainidwa munjira yotseguka yosinthira deta.
Zindikirani U4.2.
Zitsanzo za kukhazikitsidwa kwa chiwopsezochi zaperekedwa pansipa. ΠΈ .
U5. Kupeza zotsatira zabwino poyang'ana siginecha yamagetsi ya data yabodza
Kuwola
U5.1. Owukira amatenga uthenga munjira yotumizira zotsatira zantchito zokhudzana ndi zotsatira zoyipa zoyang'ana siginecha yamagetsi ndikuyisintha ndi uthenga wokhala ndi zotsatira zabwino.
U5.2. Zigawenga zimawukira chikhulupiriro pakusaina satifiketi (SCRIPT - zinthu zonse ndizofunikira):
U5.2.1. Zigawenga zimapanga kiyi yapagulu ndi yachinsinsi ya siginecha yamagetsi. Ngati makinawa akugwiritsa ntchito ziphaso za siginecha yamagetsi, ndiye kuti amapanga satifiketi ya siginecha yamagetsi yomwe ili yofanana momwe ingathekere ndi satifiketi ya omwe akufuna kutumiza deta yomwe uthenga wake akufuna kupanga.
U5.2.2. Zigawenga zimapanga kusintha kosaloledwa ku sitolo yachinsinsi ya anthu onse, kupatsa makiyi a anthu kuti apange mlingo wofunikira wa chidaliro ndi ulamuliro.
U5.2.3. Zigawenga zimasaina data yabodza ndi kiyi yosainira yamagetsi yomwe idapangidwa kale ndikuyiyika munjira yotetezeka yosinthira deta.
U5.3. Zigawenga zimachita chiwembu pogwiritsa ntchito makiyi a siginecha apakompyuta omwe atha ntchito a wosayina mwalamulo (SCRIPT - zinthu zonse ndizofunikira):
U5.3.1. Zigawenga zanyengerera makiyi achinsinsi atha ntchito (osati yovomerezeka pakadali pano) a siginecha yamagetsi ya wotumiza wovomerezeka.
U5.3.2. Zigawenga zimalowa m'malo mwa njira yotumizira nthawi ndi nthawi yomwe makiyi owonongeka anali akadali ovomerezeka.
U5.3.3. Zigawenga zimasaina data yabodza ndi kiyi ya siginecha yamagetsi yomwe idasokonezedwa kale ndikuyibaya munjira yotetezeka yosinthira deta.
U5.4. Zigawenga zimawukira pogwiritsa ntchito makiyi osainira osagwirizana ndi osayina mwalamulo (SCRIPT - zinthu zonse ndizofunikira):
U5.4.1. Wowukirayo amapanga kopi ya sitolo yachinsinsi.
U5.4.2. Owukirawo amasokoneza makiyi achinsinsi a m'modzi mwa otumiza ovomerezeka. Amawona kunyengerera, amachotsa makiyi, ndipo chidziwitso chokhudza kuchotsedwa kwachinsinsi chimayikidwa mu sitolo yachinsinsi.
U5.4.3. Zigawenga zilowa m'malo sitolo ya makiyi a anthu onse ndi yomwe inakopera kale.
U5.4.4. Zigawenga zimasaina data yabodza ndi kiyi ya siginecha yamagetsi yomwe idasokonezedwa kale ndikuyibaya munjira yotetezeka yosinthira deta.
U5.5. <β¦> chifukwa cha kukhalapo kwa zolakwika pakukhazikitsa gawo lachiwiri ndi lachitatu pakutsimikizira siginecha yamagetsi:
Kufotokozera U5.5.
Chitsanzo cha kukhazikitsidwa kwa chiwopsezochi chaperekedwa .
U5.5.1. Kuyang'ana kukhulupilira pa satifiketi yamakiyi a siginecha yamagetsi pokhapokha ngati pali chidaliro pa satifiketi yomwe idasainidwa, popanda macheke a CRL kapena OCSP.
Kufotokozera U5.5.1.
Chitsanzo chokhazikitsa .
U5.5.2. Pomanga chain trust for satifiketi, olamulira opereka satifiketi samawunikidwa
Kufotokozera U5.5.2.
Chitsanzo cha kuwukira kwa satifiketi za SSL/TLS.
Otsutsawo adagula satifiketi yovomerezeka ya imelo yawo. Kenako adapanga chiphaso chachinyengo cha malo ndikusaina ndi satifiketi yawo. Ngati zidziwitso siziyang'aniridwa, ndiye kuti poyang'ana mndandanda wa trust udzakhala wolondola, ndipo, motero, satifiketi yachinyengo idzakhalanso yolondola.
U5.5.3. Mukapanga satifiketi yodalirika, ziphaso zapakatikati sizimayang'aniridwa kuti zichotsedwe.
U5.5.4. Ma CRL amasinthidwa pafupipafupi kuposa momwe amaperekera certification.
U5.5.5. Lingaliro lokhulupirira siginecha yamagetsi limapangidwa asanayankhe OCSP za momwe satifiketiyo ilili, yotumizidwa pa pempho lomwe lapangidwa mochedwa kuposa nthawi yomwe siginecha idapangidwa kapena kale kuposa CRL yotsatira siginecha itapangidwa.
Kufotokozera U5.5.5.
M'malamulo a ma CA ambiri, nthawi yochotsa satifiketi imatengedwa kuti ndi nthawi yotulutsidwa kwa CRL yapafupi yomwe ili ndi chidziwitso chokhudza kuchotsedwa kwa satifiketi.
U5.5.6. Mukalandira zidziwitso zosainidwa, satifiketiyo ndi ya wotumizayo samafufuzidwa.
Kufotokozera U5.5.6.
Chitsanzo cha kuukira. Pokhudzana ndi ziphaso za SSL: kulemberana kwa adilesi yotchedwa seva ndi mtengo wa gawo la CN mu satifiketi sikungawunikidwe.
Chitsanzo cha kuukira. Zigawenga zasokoneza makiyi a siginecha apakompyuta a m'modzi mwa omwe adatenga nawo gawo pamakina olipira. Pambuyo pake, adalowa pa intaneti ya wina yemwe adatenga nawo gawo ndipo, m'malo mwake, adatumiza zikalata zolipirira zomwe zidasainidwa ndi makiyi osokonekera ku seva yolipira. Ngati seva imangosanthula kukhulupirirana ndipo sichiyang'ana kuti ikutsatiridwa, ndiye kuti zolemba zachinyengo zimaonedwa kuti ndizovomerezeka.
U6. Kuvomereza molakwika zikalata zamagetsi kuti aphedwe chifukwa cha zovuta pakukonza kasamalidwe ka zikalata zamagetsi.
Kuwola
U6.1. Wolandirayo samazindikira kubwereza kwa zikalata zolandilidwa.
Kufotokozera U6.1.
Chitsanzo cha kuukira. Zigawenga zimatha kuletsa chikalata chomwe chikutumizidwa kwa wolandira, ngakhale chitakhala chotetezedwa mwachinsinsi, kenako ndikuchitumiza mobwerezabwereza panjira yotetezedwa yotumizira deta. Ngati wolandirayo sazindikira zobwereza, ndiye kuti zikalata zonse zolandilidwa zidzazindikiridwa ndikusinthidwa ngati zolemba zosiyanasiyana.
U7. Kufikira kosaloledwa kwa data yotetezedwa panthawi yomwe akukonzedwa ndi CIPF
Kuwola
U7.1. <β¦> chifukwa cha kutayikira kwa chidziwitso kudzera pamakina am'mbali (kuukira kwa tchanelo chakumbali).
Kufotokozera U7.1.
Chitsanzo: .
U7.2. <β¦> chifukwa cha kusalowerera ndale kwa chitetezo kuzinthu zosaloledwa zomwe zakonzedwa pa CIPF:
U7.2.1. Kugwira ntchito kwa CIPF mophwanya zofunikira zomwe zafotokozedwa muzolemba za CIPF.
U7.2.2. <β¦>, zomwe zimachitika chifukwa cha kupezeka kwa ziwopsezo mu:
U7.2.2.1. <β¦> njira zodzitetezera kuti musapezeke mosaloledwa.
U7.2.2.2. <β¦> CIPF yokha.
U7.2.2.3. <...> malo ogwiritsira ntchito crypto-Tool.
Zitsanzo za kuukira
Zochitika zomwe zafotokozedwa m'munsimu mwachiwonekere zili ndi zolakwika zokhudzana ndi chitetezo ndipo zimangosonyeza ziwonetsero zomwe zingatheke.
Chitsanzo 1. Chitsanzo cha kukhazikitsidwa kwa ziwopsezo za U2.2 ndi U4.2.
Kufotokozera kwa chinthu
Mapulogalamu a AWS KBR ndi Siginecha ya CIPF SCAD amaikidwa pa kompyuta yomwe siinalumikizidwa ndi netiweki yamakompyuta. FKN vdToken imagwiritsidwa ntchito ngati chonyamulira chachikulu munjira yogwirira ntchito ndi kiyi yosachotsedwa.
Malamulo okhazikika amalingalira kuti katswiri wokhazikika pakompyuta yake amatsitsa mauthenga apakompyuta m'mawu omveka bwino (dongosolo la malo ogwirira ntchito a KBR) kuchokera pa seva yapadera yotetezedwa ya fayilo, kenako amawalemba pa USB flash drive yosunthika ndikuwasamutsira ku malo ogwirira ntchito a KBR, kumene iwo ali obisika ndi zizindikiro. Pambuyo pake, katswiriyo amasamutsa mauthenga otetezeka apakompyuta kwa otalikirana, ndiyeno, kupyolera mu kompyuta yake ya ntchito, amawalembera ku seva ya fayilo, kumene amapita ku UTA ndiyeno ku Bank of Russia.
Pankhaniyi, njira zosinthira deta yotseguka ndi yotetezedwa iphatikiza: seva yamafayilo, kompyuta yantchito ya akatswiri, ndi media zosiyanitsidwa.
Kuukira
Owukira osaloleka amayika makina owongolera akutali pakompyuta ya akatswiri ogwira ntchito ndipo, panthawi yolemba malamulo olipira (mauthenga amagetsi) kupita ku sing'anga yosamutsidwa, m'malo mwake zomwe zili m'modzi mwa iwo momveka bwino. Katswiriyo amasamutsa maoda olipira ku malo ogwirira ntchito a KBR, amasaina ndikuwalemba osazindikira kuti alowa m'malo (mwachitsanzo, chifukwa cha kuchuluka kwa zolipira paulendo wa pandege, kutopa, ndi zina). Pambuyo pake, dongosolo la malipiro abodza, litadutsa muzitsulo zamakono, likulowa mu dongosolo la malipiro a Bank of Russia.
Chitsanzo 2. Chitsanzo cha kukhazikitsidwa kwa ziwopsezo za U2.2 ndi U4.2.
Kufotokozera kwa chinthu
Kompyuta yokhala ndi malo ogwirira ntchito a KBR, Siginecha ya SCAD ndi chonyamulira makiyi olumikizidwa FKN vdToken imagwira ntchito m'chipinda chodzipatulira popanda anthu ogwira ntchito.
Katswiri wowerengera amalumikizana ndi malo ogwirira ntchito a CBD mumayendedwe akutali kudzera pa protocol ya RDP.
Kuukira
Zigawenga zimadumphadumpha mwatsatanetsatane, pogwiritsa ntchito zomwe katswiri wowerengerayo amalumikiza ndikugwira ntchito ndi malo ogwirira ntchito a CBD (mwachitsanzo, kudzera pa code yoyipa pakompyuta yake). Kenako amalumikiza m'malo mwake ndikutumiza chikalata chabodza ku Bank of Russia yolipira.
Chitsanzo 3. Chitsanzo cha kuwopseza kugwiritsa ntchito U1.3.
Kufotokozera kwa chinthu
Tiyeni tilingalire imodzi mwazinthu zongoyerekeza pakukhazikitsa ma module ophatikizira a ABS-KBR a chiwembu chatsopano (AWS KBR-N), pomwe siginecha yamagetsi yamakalata otuluka imapezeka kumbali ya ABS. Pankhaniyi, tiganiza kuti ABS imagwira ntchito pamaziko a makina ogwiritsira ntchito omwe samathandizidwa ndi CIPF SKAD Signature, ndipo, motero, ntchito ya cryptographic imasamutsidwa kumakina apadera - kuphatikiza kwa "ABS-KBR" moduli.
Chizindikiro cha USB chokhazikika chomwe chimagwira ntchito mumakina obwezerezedwanso chimagwiritsidwa ntchito ngati chonyamulira chachikulu. Pamene kulumikiza TV kiyi kwa hypervisor, kunapezeka kuti panalibe ufulu madoko USB mu dongosolo, choncho anaganiza kulumikiza chizindikiro USB kudzera maukonde USB likulu, ndi kukhazikitsa USB-pa-IP kasitomala pa pafupifupi. makina, omwe amalumikizana ndi likulu.
Kuukira
Owukirawo adalanda chinsinsi chachinsinsi cha siginecha yamagetsi kuchokera panjira yolumikizirana pakati pa USB hub ndi hypervisor (deta idatumizidwa momveka bwino). Pokhala ndi kiyi yachinsinsi, owukirawo adapanga chikalata chabodza, ndikuchisaina ndi siginecha yamagetsi ndikutumiza kumalo ogwirira ntchito a KBR-N kuti akaphedwe.
Chitsanzo 4. Chitsanzo cha kukhazikitsidwa kwa ziwopsezo U5.5.
Kufotokozera kwa chinthu
Tiyeni tilingalire dera lomwelo monga momwe zidalili kale. Tiganiza kuti mauthenga a pakompyuta ochokera ku malo ogwirira ntchito a KBR-N amathera pa ...SHAREIn foda, ndipo omwe amatumizidwa ku malo ogwirira ntchito a KBR-N komanso kumalipiro a Bank of Russia amapita ku ...SHAREout.
Tidzaganizanso kuti pokhazikitsa gawo lophatikizira, mindandanda ya ziphaso zochotsedwa imasinthidwa pokhapokha makiyi a cryptographic atulutsidwanso, komanso kuti mauthenga apakompyuta omwe alandilidwa muβ¦SHAREIn chikwatu amangoyang'aniridwa kuti athe kuwongolera umphumphu ndi kudalirika mu kiyi ya anthu onse. siginecha yamagetsi.
Kuukira
Owukirawo, pogwiritsa ntchito makiyi omwe adabedwa muzochitika zam'mbuyomu, adasaina chikalata chabodza chokhala ndi chidziwitso chokhudza kulandira ndalama muakaunti ya kasitomala wachinyengo ndikuzilowetsa munjira yotetezeka yosinthira deta. Popeza palibe chitsimikiziro chakuti lamulo lolipira lidasainidwa ndi Bank of Russia, likuvomerezedwa kuti liphedwe.
Source: www.habr.com