GB/T 36627-2018 PDF English
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology - Testing and evaluation
technical guide for classified cybersecurity protection
ISSUED ON: SEPTEMBER 17, 2018
IMPLEMENTED ON: APRIL 01, 2019
Issued by: State Administration for Market Regulation;
Standardization Administration of the People's Republic of
China.
Table of Contents
Foreword ... 3
Introduction ... 4
1 Scope ... 5
2 Normative references ... 5
3 Terms and definitions, abbreviations ... 5
3.1 Terms and definitions ... 5
3.1.1 dictionary attack ... 5
3.1.2 file integrity checking ... 6
3.1.3 network sniffer ... 6
3.1.4 rule set ... 6
3.1.5 target of testing and evaluation ... 6
3.2 Abbreviations ... 6
4 General ... 7
4.1 Technical classification ... 7
4.2 Selection of technology ... 7
5 Requirements for classified testing and evaluation ... 8
5.1 Check technology ... 8
5.1.1 File check ... 8
5.1.2 Log check ... 8
5.1.3 Rule set check ... 9
5.1.4 Configuration check ... 10
5.1.5 File integrity check ... 11
5.1.6 Cipher check ... 11
5.2 Identification and analysis technologies ... 11
5.2.1 Network sniffer ... 11
5.2.2 Network port and service identification ... 12
5.2.3 Vulnerability scanning ... 12
5.2.4 Wireless scanning ... 13
5.3 Vulnerability verification technology ... 14
5.3.1 Password crack ... 14
5.3.2 Penetration test ... 14
5.3.3 Remote access test ... 16
Annex A (informative) Activities after testing and evaluation ... 17
Annex B (informative) Description on relevant concept of penetration test ... 19
Bibliography ... 25
Information security technology - Testing and evaluation
technical guide for classified cybersecurity protection
1 Scope
This Standard classifies and defines the testing and evaluation technologies that are relevant to testing and evaluation for classified cybersecurity protection (hereinafter referred to as “classified testing and evaluation”). It proposes key elements and principles of technical testing and evaluation, and makes recommendations for the analysis and application of testing and evaluation results.
This Standard applies to classified testing and evaluation performed by a testing and evaluation authority on a classified cybersecurity protection target (hereinafter referred to as “classified protection target”). It also applies to security evaluation of classified security protection that the supervising department, or the operating and using authority of the classified protection target, performs on that target.
2 Normative references
The following referenced files are indispensable for the application of this file.
For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced file (including any amendments) applies.
GB 17859-1999, Classified criteria for security protection of computer
information system
GB/T 25069-2010, Information security technology - Glossary
3 Terms and definitions, abbreviations
3.1 Terms and definitions
The terms and definitions defined in GB 17859-1999 and GB/T 25069-2010, as well as the following, apply to this file.
3.1.1 dictionary attack
an attack mode that, when cracking a password, tries the words or phrases in a user-defined dictionary one by one
4 General
4.1 Technical classification
The testing and evaluation technologies that can be used in classified testing and evaluation fall into the following three categories:
a) check technology: a testing and evaluation technology that checks the information system, matches it against institutional files, equipment and devices, and discovers security vulnerabilities in the related procedures and policies. It is usually carried out manually and mainly includes file check, log check, rule set check, system configuration check, file integrity check and cipher check;
b) identification and analysis technologies: testing and evaluation technologies that identify systems, ports, services and potential security vulnerabilities. They can be carried out manually or with automated tools and mainly include network sniffer, network port and service identification, vulnerability scanning and wireless scanning;
c) vulnerability verification technology: a testing and evaluation technology that verifies the existence of a vulnerability. Based on the results of check, target identification and analysis, it is carried out intentionally and strategically, manually or with automated tools, and mainly includes password crack, penetration test and remote access test; it verifies and confirms possible security vulnerabilities in order to obtain evidence.
4.2 Selection of technology
When selecting and determining the technology methods used in classified testing and evaluation activities, the factors to be considered include, but are not limited to, the target of testing and evaluation, the applicability of each testing and evaluation technology, and the security risk that the technology might introduce to the target of testing and evaluation, so that a suitable technology method is selected.
When the selected technology method might impact the target of testing and evaluation during implementation, priority shall be given to testing a non-production system that has the same configuration as the target's production system. Test outside business hours, or during business hours use only technology methods whose risk can be controlled, so as to minimize the impact on the business of the target of testing and evaluation.
The testing and evaluation results obtained after technical testing and evaluation can be used for threat analysis, improvement suggestions and report generation for the target of testing and evaluation. See Annex A for details.
a) authentication logs of servers or systems, including successful and failed authentication attempts;
b) operating system logs, including system and service start and shutdown, installation of unauthorized software, file access, security policy changes, account changes (such as account creation and deletion, assignment of account rights) and permission usage;
c) IDS/IPS logs, including malicious behavior and inappropriate use;
d) firewall, switch and router logs, including outbound connections that affect internal devices (such as bots, Trojans and spyware), as well as unauthorized connection attempts and improper use;
e) application logs, including unauthorized connection attempts, account changes, permission usage and usage information of the application program or database;
f) anti-virus logs, including virus removal and infection logs, and other events such as upgrade failures and software expiration;
g) other security logs, such as patch management logs; these shall record information such as services and applications with known vulnerabilities;
h) logs related to network running status and network security events; the retention time is not less than 6 months.
5.1.3 Rule set check
The main function of rule set check is to discover vulnerabilities in security control measures that are based on rule sets. Check targets include access control lists and the policy sets of network equipment, security equipment, databases, operating systems and application systems. For level-three and above protection targets, the mandatory access control mechanism shall also be included. When performing rule set check, the following evaluation key elements and evaluation principles shall be considered:
a) routing access control list:
1) every rule shall be valid (for example, a rule that was set for a temporary demand shall be removed as soon as it is no longer needed);
2) only traffic authorized by policy is allowed to pass through; all other traffic is denied by default.
b) policy set of access control device:
1) it shall adopt a default prohibition policy;
1) the system security officer creates security marks for subjects (such as users) and objects (such as data);
2) subjects and objects that implement the same mandatory access control security policy shall be marked with the same security marks;
3) the scope of mark check shall be expanded to all subjects and objects in the testing and evaluation object.
5.1.5 File integrity check
The main function of file integrity check is to identify unauthorized changes to important files such as system files. When performing file integrity check, the following evaluation key elements shall be considered:
a) use a hash or digital signature to ensure the integrity of important files;
b) compare the benchmark sample against the important file to verify the file's integrity;
c) use a host-based IDS to alert on changes to the integrity of important files.
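Key elements a) and b) carried through as an added example (not code from the standard): a benchmark sample of SHA-256 digests is built over a directory, sealed with a keyed hash so that the benchmark itself cannot be edited without notice, and then compared with the current files. The directory layout, file names and key are constructed for the demonstration.

```python
"""File integrity check (GB/T 36627-2018, 5.1.5 a) and b)), added illustration.
File names, contents and the sealing key below are constructed."""
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict, List

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> Dict[str, str]:
    """Benchmark sample (b): relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def seal_baseline(baseline: Dict[str, str], key: bytes) -> str:
    """(a): keyed hash over the canonical benchmark, so the benchmark cannot be altered silently."""
    canon = "\n".join(f"{p} {d}" for p, d in sorted(baseline.items())).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()

def verify_integrity(root: Path, baseline: Dict[str, str], seal: str, key: bytes) -> Dict[str, List[str]]:
    """Compare the current files with the sealed benchmark; report every unauthorized change."""
    if not hmac.compare_digest(seal_baseline(baseline, key), seal):
        raise ValueError("benchmark sample failed its own integrity check; comparison is untrustworthy")
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }

def demo() -> Dict[str, List[str]]:
    """Build a benchmark over constructed files, then simulate three unauthorized changes."""
    key = b"constructed-demo-key-keep-it-offline"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(root)
        seal = seal_baseline(baseline, key)
        # changes made after the benchmark was taken
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\nsvc:x:1001:1001::/var/svc:/bin/sh\n")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "extra.conf").write_text("constructed\n")
        return verify_integrity(root, baseline, seal, key)

def tampered_benchmark_is_rejected() -> bool:
    """True when an edited benchmark (digest swapped) fails the seal check before any comparison."""
    key = b"constructed-demo-key-keep-it-offline"
    baseline = {"etc/passwd": "0" * 64}
    seal = seal_baseline(baseline, key)
    edited = {"etc/passwd": "1" * 64}
    try:
        verify_integrity(Path("."), edited, seal, key)
    except ValueError:
        return True
    return False
```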
5.1.6 Cipher check
The main function of cipher check is to perform a security check on the cryptographic technology used in the target of testing and evaluation or product. When performing cipher check, the following evaluation principles shall be considered:
a) the relevant functions of the provided cryptographic algorithms shall comply with the relevant provisions of the national cryptography authority;
b) the key lengths used shall comply with the relevant provisions of the supervising department of the classified protection object's industry.
5.2 Identification and analysis technologies
5.2.1 Network sniffer
The main function of network sniffing is to collect and identify active devices, operating systems and protocols, as well as unauthorized and inappropriate behaviors in the network, by capturing and replaying network traffic. When performing network sniffing, the following evaluation key elements and evaluation principles shall be considered:
a) monitor network traffic, record the IP addresses of active hosts and report the operating system information found in the network;
b) identify connections between hosts, including which hosts communicate
performing vulnerability scanning, the following evaluation key elements and evaluation principles shall be considered:
a) identify the information related to each vulnerability, including vulnerability name, type, description, risk level and repair suggestion;
b) combine tool identification with manual analysis and perform correlation analysis on the found vulnerabilities so as to judge their risk level accurately;
c) before performing vulnerability scanning, the scanning device shall be updated to the latest vulnerability library so that the latest vulnerabilities can be identified;
d) according to the vulnerability analysis principles of the vulnerability scanning tool (such as signature matching or attack detection), choose the scanning policy carefully so as to prevent failure of the target of testing and evaluation;
e) when using a vulnerability scanning device, the number of scanning threads and the traffic shall be restricted so as to reduce the risk that testing and evaluation poses to the target.
5.2.4 Wireless scanning
The main function of wireless scanning is to identify situations in the testing environment where one or more devices communicate without a physical connection (such as a network cable or peripheral cable), and to help the organization assess and analyze the security risks that wireless technology poses to the scanning target. When performing wireless scanning, the following evaluation key elements and evaluation principles shall be considered:
a) identify the key attributes of wireless devices in wireless traffic, including SSID, device type, channel, MAC address, signal strength and number of packets transmitted;
b) the environmental elements of the wireless scanning device's deployment location include: the location and scope of the scanned devices; the security protection level of the target of testing and evaluation that uses wireless technology for data transmission; data importance; and the connection and disconnection frequency of wireless devices and the traffic scale in the scanning environment;
c) use a mobile device configured with wireless analysis software, such as a laptop, handheld or professional device;
d) based on the wireless security configuration requirements, configure the scanning policy of the wireless scanning tool so as to realize difference
1) System/service vulnerabilities. Security vulnerabilities that arise because the operating system, database or middleware that provides services or support to the application system has flaws, such as buffer overflow, heap/stack overflow or memory leak; they may cause program failure, system crash or restart. More seriously, they can cause the program to execute unauthorized commands or even yield system privileges with which various illegal operations can be carried out.
2) Application code vulnerabilities. Because the developer's code is not written to standard or lacks the necessary verification measures, the application system has security vulnerabilities such as SQL injection, cross-site scripting and arbitrary file upload. Attackers can exploit these vulnerabilities to attack the application system and obtain sensitive information from the database; more seriously, the server may be taken under control.
3) Permission bypass vulnerabilities. Because the control rules for data access and function module access are not strict or are missing, attackers can access these data and function modules without authorization. Permission bypass vulnerabilities are usually divided into override access and parallel permission. Override access means that a low-permission user accesses, without authorization, the function modules or data of a high-permission user. Parallel permission means that an attacker uses a function module within his own permission to access or operate another user's data without authorization.
4) Improper configuration vulnerabilities. Because security hardening is not performed on configuration files, only the default configuration is used, or the configuration is unreasonable, security risk results. For example, if the middleware configuration supports the PUT method, an attacker may use PUT to upload a Trojan file and thereby obtain control of the server.
5) Information leakage vulnerabilities. Because the system does not provide the necessary protection for important data and information, an attacker can obtain useful information from the leaked content, which provides clues for further attacks. Source code leaks and default error messages that contain server information or SQL statements are all information leakage vulnerabilities.
6) Business logic defect vulnerabilities. Because the program logic is not strict, or the logic is too complicated, some logical branches cannot be handled or are handled incorrectly. When this happens, a user may, depending on the business function, perform arbitrary password modification, override access or abnormal-amount transactions.
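The two forms of permission bypass in item 3) above, shown as an added example (not code from the standard) with a vulnerable handler beside its hardened form: the ownership check closes parallel permission (another user's record), and the server-side role check closes override access (an admin-only function). Users, records and handler names are constructed.

```python
"""Permission bypass: override access (vertical) and parallel permission (horizontal).
Added illustration for GB/T 36627-2018 Annex B item 3); all data is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass(frozen=True)
class User:
    uid: int
    role: str          # "user" or "admin"

class Forbidden(Exception):
    pass

# Constructed data store: account records owned by different users.
RECORDS: Dict[int, dict] = {
    101: {"owner": 1, "balance": 500},
    102: {"owner": 2, "balance": 80},
}

# --- vulnerable handlers: the caller is authenticated but never authorized ---
def get_record_vulnerable(current: User, record_id: int) -> dict:
    # Parallel permission: any logged-in user reads any record by supplying its id.
    return RECORDS[record_id]

def export_all_vulnerable(current: User) -> List[dict]:
    # Override access: an admin-only function reachable by a low-permission user.
    return list(RECORDS.values())

# --- hardened handlers -------------------------------------------------------
def get_record(current: User, record_id: int) -> dict:
    rec = RECORDS.get(record_id)
    # Ownership check closes the horizontal bypass; a missing record gets the same
    # error as a foreign one so the response does not reveal which ids exist.
    if rec is None or rec["owner"] != current.uid:
        raise Forbidden(f"uid {current.uid} may not access record {record_id}")
    return rec

def require_role(role: str) -> Callable:
    """Enforce the role on the server for every call, before the function body runs."""
    def deco(fn: Callable) -> Callable:
        def wrapper(current: User, *args, **kwargs):
            if current.role != role:
                raise Forbidden(f"uid {current.uid} lacks role {role!r}")
            return fn(current, *args, **kwargs)
        return wrapper
    return deco

@require_role("admin")
def export_all(current: User) -> List[dict]:
    return list(RECORDS.values())

def bypass_blocked(handler: Callable, current: User, *args) -> bool:
    """True when the handler refuses the request, i.e. the bypass is closed."""
    try:
        handler(current, *args)
    except Forbidden:
        return True
    return False
```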
Annex A
(informative)
Activities after testing and evaluation
A.1 Analysis of testing and evaluation results
The main goals of analyzing the testing and evaluation results are to identify and eliminate false positives, classify vulnerabilities and determine the reasons that cause them. In addition, serious vulnerabilities that need to be dealt with immediately are identified throughout the testing and evaluation. Common reasons for vulnerabilities include:
a) Insufficient patch management. For example, patches cannot be applied in time, or cannot be applied to all systems that have the vulnerability;
b) Insufficient threat management. For example, the antivirus signature database is not updated in time, spam filtering is ineffective, or the firewall policy does not meet the security policy of the system's operating authority;
c) Lack of a security benchmark. Similar systems use inconsistent security configuration strategies;
d) Lack of security integration in system development. For example, system development does not meet security requirements or does not consider them at all, or there are vulnerabilities in the system's application code;
e) Flaws in the security architecture. For example, security technology is not effectively integrated into the system (security facilities or equipment are placed unreasonably, coverage is inadequate, or the technology is outdated);
f) Insufficient security incident response measures. For example, there is no response to penetration testing activities;
g) Insufficient training of end users (for example, lack of awareness of social engineering and phishing attacks, use of unauthorized wireless access points) or of network and system managers (for example, lack of security operation and maintenance);
h) Lack of a security policy, or the security policy is not enforced. For example, open ports, started services, insecure protocols, unlicensed hosts, and
Annex B
(informative)
Description on relevant concept of penetration test
B.1 General
A penetration test is a security test in which the tester simulates an attacker and uses the tools and techniques commonly used by attackers to launch a real attack on an application program, information system or network security function. Rather than a single vulnerability, most penetration tests try to find a set of security vulnerabilities so as to obtain more chances to enter the system. A penetration test can also be used to determine:
a) the degree to which the system tolerates real-world attack modes;
b) the degree of complexity an attacker has to face to break the system successfully;
c) other countermeasures that reduce threats to the system;
d) the ability of defenders to detect an attack and respond correctly.
Penetration testing is a very important security test, and the tester needs a wealth of expertise and skills. Although an experienced tester can reduce the risk, risks cannot be completely avoided; therefore a penetration test shall be carefully thought out and planned.
Penetration tests usually include non-technical attack methods. For example, a penetration tester can connect to the network by undermining physical security control mechanisms, so as to steal a device, capture sensitive information (possibly by installing a keystroke recording device) or disrupt network communication. A physical security penetration test shall be conducted carefully; it shall define how the effectiveness of the tester's intrusion activities is to be verified, for example, through an access point or a file. Another non-technical means of attack is social engineering, for example, posing as a customer service agent and calling a user for his password, or posing as a user and calling a customer service agent to request a password reset. Physical security testing, social engineering techniques and other non-technical penetration attack tests are not within the scope of this Standard.
B.2 Penetration test stages
B.2.1 General
such as CNVD to find vulnerabilities manually.
B.2.4 Stage - attack
Execution of the attack is the core of the penetration test. The attack stage explores the confirmed vulnerabilities further so as to verify potential vulnerabilities. If the attack succeeds, the vulnerability is verified; the corresponding security measures are then confirmed and the relevant security risks shall be reduced. In most cases, executing the exploration does not give the attacker the maximum potential entry; instead, it lets the tester learn more about the target network and its potential vulnerabilities, or induces changes to the security state of the target network. Some vulnerabilities might allow the tester to elevate permissions on the system or network so as to obtain more resources. If this happens, additional analysis and testing are required to determine the network's security and actual risk level, for example, by identifying the types of information that can be collected, changed or deleted from the system. If an attack that exploits a particular vulnerability proves unworkable, the tester can try to exploit another discovered vulnerability. If the tester is able to exploit a vulnerability, more tools can be installed on the target system or network to facilitate testing; these tools are used to access other systems or resources on the network and to obtain information about the network or organization. During a penetration test, several systems need to be tested and analyzed so as to confirm the access level that an attacker might obtain. Whereas a vulnerability scanner only checks for possible vulnerabilities, the attack stage of a penetration test uses these vulnerabilities to confirm their existence.
B.2.5 Stage - report
The report stage of the penetration test runs in parallel with the other three stages (see Figure B.1). In the plan stage, the test plan is written. In the discovery and attack stages, test records are usually kept and reported regularly to the system administrator and/or management department. After the test ends, the report is usually used to describe the vulnerabilities found, the current risk level, and advice and guidance on how to close the weak links that have been found.
B.3 Penetration test plan
A penetration test plan shall focus on locating and exploiting the usable vulnerabilities in the design and implementation of the application program, system or network. The penetration test reproduces the most likely and most destructive attack modes, including worst-case situations such as malicious behavior by an administrator. Because penetration test scenarios can be designed to simulate internal attacks, external attacks or both, both external and internal security test methods must be considered. If both internal and external tests are to be performed, external tests are usually preferred.
function to databases and files (including executing commands such as Insert, Delete and Update), and data function verification, verification code mechanisms and access control are not implemented for the function module, web vulnerability scanning may cause mis-operations on the database and files, for example, inserting junk data, deleting records or files, or modifying data or files in the database;
c) when performing specific vulnerability verification, the host or web application program may suffer downtime or service stoppage, depending on the characteristics of the vulnerability;
d) when brute-force password cracking is performed on a web application program, operating system or database, the configured security mechanism may be triggered, resulting in the account of the web application program, operating system or database being locked and temporarily unavailable;
e) when performing host remote vulnerability scanning and host/database overflow-type attack tests, in extreme cases the operating system or database of the tested server may crash or restart.
B.5 Penetration test risk avoidance
For the test risks that may occur during a penetration test, the tester shall refer the user to the contents of the penetration test plan, point out the possible risks during the test, and negotiate the following with the user, so that the risk of the penetration test is properly controlled:
a) test time: in order to reduce the pressure caused by the penetration test and the time needed to eliminate risk, it is advisable to choose a time window with little traffic and low business activity, and to publish a corresponding announcement on the application system before testing;
b) test policy: in order to prevent business interruption caused by the test, before conducting high-risk tests with infiltrating, destructive or uncontrollable properties (such as host/database overflow verification tests or DDoS), the tester shall communicate fully with the application system administrator and perform the test only after confirmation with the administrator. Priority shall be given to testing a non-production system with the same configuration as the production system. Test at non-business hours, or during business hours use only technology whose risk is controlled, so as to minimize the impact on production system operations. For extremely important production systems, tests whose risks cannot be controlled, such as denial of service, are not recommended, so as to avoid irreparable damage from an accidental collapse;
c) backup policy: to prevent abnormal problems during the penetration process, it is recommended that the administrator back up the system (including web files,
...... Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.