Post subject: [Open-source translation project] The impact of migrating to the public cloud on incident response
Posted: 2012-02-10 09:10
Posted by: Site administrator
Below are the original text and the translation of Chapter 4, Section 9 of the open-source translation project "Guidelines on Security and Privacy in Public Cloud Computing (SP 800-144)" (http://bbs.cisps.org/viewtopic.php?f=128&t=29613). Thanks to Akira, eqing and miss.tang for their diligent and excellent translation work. Please review the translation and propose corrections; I will award security coins to anyone who proposes a correction.

4.9 Incident Response

4.9 Incident Response (translation)

As the name implies, incident response involves an organized method for dealing with the consequences of an attack against the security of a computer system. The cloud provider’s role is vital in performing incident response activities, including incident verification, attack analysis, containment, data collection and preservation, problem remediation, and service restoration. Each layer in a cloud application stack, including the application, operating system, network, and database, generates event logs, as do other cloud components, such as load balancers and intrusion detection systems; many such event sources and the means of accessing them are under the control of the cloud provider.

Translation: As the title suggests, incident response comprises the organization's methods for handling the consequences of an attack on a computer system. The cloud provider plays a vital role in carrying out incident response, including incident verification, attack analysis, attack containment, data collection and backup preservation, remedial measures, and restoration of normal service. Every layer of the cloud application stack, including the application, operating system, network and database, generates event logs, and other components on the cloud servers, such as load balancers and IPS (intrusion detection systems), generate event logs too; cloud providers have many means of obtaining such event sources.

The complexity of a cloud service can obscure recognition and analysis of incidents. For example, it reportedly took one IaaS provider approximately eight hours to recognize and begin taking action on an apparent denial of service attack against its cloud infrastructure, after the issue was reported by a consumer of the service [Bro09, Met09]. Revising an organization’s incident response plan to address differences between the organizational computing environment and a cloud computing environment is an important, but easy-to-overlook prerequisite to transitioning applications and data.

Translation: The complexity of a cloud service can obscure the recognition and analysis of incidents. For example, according to reports, one IaaS provider took about eight hours after a consumer reported the issue to recognize an obvious DoS attack against its cloud infrastructure and take corresponding action [Bro09, Met09]. Re-examining the organization's internal incident response plan and identifying the differences between the organization's computing environment and the cloud computing environment is important, but it is also easy to overlook the prerequisite of migrating applications and data.

Data Availability. The availability of relevant data from event monitoring is essential for timely detection of security incidents. Cloud consumers are often confronted with extremely limited capabilities for detection of incidents in public cloud environments [Gro10]. Prominent issues include insufficient access to event sources and vulnerability information under the control of the cloud provider, inadequate interfaces for accessing and processing event data automatically, inability to add detection points within the cloud infrastructure, and difficulty directing third-party reported abuses and incidents effectively back to the correct consumer or the cloud provider for handling. The situation varies among cloud service models and cloud providers [Gro10]. For example, PaaS providers typically do not make event logs available to consumers, who are then left mainly with event data from self-deployed applications (e.g., via application logging). Similarly, SaaS consumers are completely dependent upon the cloud provider to provide event data such as activity logging, while IaaS consumers control more of the information stack and have access to associated event sources.

Data Availability (translation)
Translation: The availability of event monitoring data is an essential condition for the timely discovery of security incidents; for event monitoring in a public cloud [Gro10], customers often face extremely limited capabilities. This shows mainly in insufficient vulnerability information from the cloud provider and insufficient access to event sources, inadequate interfaces for processing event data automatically, the inability to add monitoring points in the cloud infrastructure, and third-party abuse incidents not being correctly routed to the customer. Cloud providers offer different service models; for example, PaaS providers usually do not provide logs to customers, and all we can obtain is the event log data of the applications we deploy ourselves (for example, logs passed through the application). Similarly, SaaS customers are also entirely dependent on the event data the cloud provider supplies, such as activity records, whereas IaaS customers obtain the relevant event sources by controlling more of the information stack.

Incident Analysis and Resolution. An analysis to confirm the occurrence of an incident or determine the method of exploit needs to be performed quickly and with sufficient detail of documentation and care to ensure that traceability and integrity is maintained for subsequent use, if needed (e.g., a forensic copy of incident data for legal proceedings) [Gro10]. To gain a full understanding of an incident, the scope of affected networks, systems, and applications must be determined, the intrusion vector must be uncovered, and the activities carried out must be reconstructed [Gro10]. Issues faced by cloud consumers when performing incident analysis include lack of detailed information about the architecture of the cloud relevant to an incident, lack of information about relevant event and data sources held by the cloud provider, ill-defined or vague incident handling responsibilities stipulated for the cloud provider, and limited capabilities for gathering and preserving pertinent data sources as evidence.

Incident Analysis and Resolution (translation)
Translation: If necessary (for example, copying incident data for forensic use in legal proceedings) [Gro10], analysis should be performed as quickly as possible to confirm that an incident occurred or to determine the attack method, preserving sufficiently detailed documentation to trace the attack source accurately and to ensure that the cloud can run intact. We must understand the whole incident in every respect, including the scope of the affected networks and the affected systems and applications. The intrusion method must be discovered and the activity in the cloud reconstructed [Gro10]. The problems faced when performing incident analysis include a lack of information on the cloud's architecture and of detailed material on the relevant events, limited capability to collect and preserve the relevant data sources as evidence, provider responsibilities for incident handling that are often ill-defined or vague, and users lacking information about the relevant event data sources held by the cloud provider.

Once the scope of the incident and the assets affected are determined, measures can be taken to contain and resolve the incident, bringing systems back to a secure operational state [Gro10]. The roles and responsibilities between the cloud provider and cloud consumer for containing an attack vary based on the service model and cloud architecture. For example, in SaaS and PaaS cloud environments, containment essentially amounts to reducing or removing the functionality (e.g., by filtering out certain users or features with a web application firewall) that the attacker is using to carry out unauthorized activities, if necessary, taking the entire application off-line [Gro10]. In IaaS cloud environments, the cloud consumer has a more prominent role; however, the cloud provider’s assistance is essential to resolve vulnerabilities exploited in the underlying cloud infrastructure.

Translation: Once the scope affected by the incident and the assets lost have been determined, we take measures to contain and thoroughly resolve the incident and restore the systems to a secure operational state [Gro10]. Under different cloud architectures and service models, the responsibilities of the provider and the user after an attack, and the roles they play in resolving the incident, differ. For example, in SaaS and PaaS cloud environments, where an attacker exploits functionality to carry out unauthorized activities, containment essentially amounts to reducing or removing that functionality (for example, using a web firewall to filter out certain users or features) and, if necessary, taking the whole application offline [Gro10]. In IaaS cloud environments the user plays a more prominent role; however, when resolving vulnerabilities in the underlying cloud infrastructure, the assistance provided by the cloud provider is essential.

Response to an incident should be handled in a way that limits damage and minimizes recovery time and costs. Collaboration between the cloud consumer and provider in recognizing and responding to an incident is vital to security and privacy in cloud computing. Federal agencies have an obligation to report certain categories of incidents to the U.S. Computer Emergency Readiness Team (US-CERT) within one or two hours of discovery or detection.[18] A clear understanding is needed of the type of incidents that are reportable by the cloud provider (e.g., data breaches) versus those that are not reportable (e.g., intrusion detection alarms). Remedies may involve only a single party or require the participation of both parties. Being able to convene a mixed team of representatives from the cloud provider and cloud consumer quickly is an important facet of an efficient and cost-effective response.

Translation: During incident response, the damage caused by the attack should be contained, and recovery time and costs reduced as far as possible. For security and privacy in cloud computing, cooperation between the cloud provider and the cloud user in identifying and handling an incident is critical. Within one or two hours of incident detection or system recovery, federal agencies are obliged to report specific categories of incident to the US Computer Emergency Readiness Team (US-CERT). A clear understanding is needed of the incidents the cloud provider reports (e.g., data breaches) as compared with those that need not be reported (e.g., intrusion detection alerts). Recovery of the systems may involve only one party or may require the participation of both. Being able to quickly assemble a team whose members come from both the cloud provider and the user is one important mark of an efficient and effective incident response.

For an incident response team to perform effectively, it must be able to act autonomously and decisively. The resolution of a problem may impact many consumers of the cloud service. It is important that cloud providers have a transparent response process and mechanisms to share information with their consumers during and after the incident. Understanding and negotiating the provisions and procedures for incident response should be done before entering into a service contract, rather than as an afterthought. For example, incident response plans should address breaches involving PII and ways to minimize the amount of PII involved when reporting and responding to a breach [Mcc10]. The geographic location of data is a related issue that can impede an investigation, and is a relevant subject for contract discussions.

Translation: Only when it can act independently and decisively can an incident response team work efficiently. Resolving an incident may affect many users of the cloud service; it is very important that, during and after the incident, the cloud provider has transparent response processes and mechanisms for sharing information with cloud users. Before forming a service agreement (contract), both parties need to reach a common understanding of incident response and negotiate the relevant terms and procedures, rather than treating it as an afterthought. For example, when reporting and responding to a data leak, the incident response plan should cover the PII (personally identifiable information) that was leaked and ways to reduce the amount of PII involved [Mcc10]. The geographic location of data is one factor that may hinder the investigation of an incident, and is also one of the items to address when negotiating the agreement (contract).


 
Post subject: Re: [Open-source translation project] The impact of migrating to the public cloud on incident response
Posted: 2012-02-11 16:31
Posted by: Intermediate user
Quote:
4.9 Incident Response
As the name implies, incident response involves an organized method for dealing with the consequences of an attack against the security of a computer system. The cloud provider’s role is vital in performing incident response activities, including incident verification, attack analysis, containment, data collection and preservation, problem remediation, and service restoration. Each layer in a cloud application stack, including the application, operating system, network, and database, generates event logs, as do other cloud components, such as load balancers and intrusion detection systems; many such event sources and the means of accessing them are under the control of the cloud provider.

4.9: Incident Response (translation)
Translation: As the title suggests, incident response comprises the organization's methods for handling the consequences of an attack on a computer system; the cloud provider plays a vital role in carrying out incident response, including incident verification, attack analysis, attack containment, data collection and backup preservation, remedial measures, and restoration of normal service. Every layer of the cloud application stack, including the application, operating system, network and database, generates event logs, as do other components on the cloud servers, such as load balancers and IPS (intrusion detection systems). Cloud providers have many means of obtaining these event sources.


 
Post subject: Re: [Open-source translation project] The impact of migrating to the public cloud on incident response
Posted: 2012-02-11 21:44
Posted by: Top-level user
Great, another member has joined in!


 
Post subject: Re: [Open-source translation project] The impact of migrating to the public cloud on incident response
Posted: 2012-02-11 23:00
Posted by: Newbie
Continuing; please point out any errors :)
The complexity of a cloud service can obscure recognition and analysis of incidents. For example, it reportedly took one IaaS provider approximately eight hours to recognize and begin taking action on an apparent denial of service attack against its cloud infrastructure, after the issue was reported by a consumer of the service [Bro09, Met09]. Revising an organization’s incident response plan to address differences between the organizational computing environment and a cloud computing environment is an important, but easy-to-overlook prerequisite to transitioning applications and data.

Translation: The complexity of a cloud service can obscure the recognition and analysis of incidents. For example, according to reports, one IaaS provider took about eight hours after a consumer reported the issue to recognize an obvious DoS attack against its cloud infrastructure and take corresponding action [Bro09, Met09]. Re-examining the organization's internal incident response plan and identifying the differences between the organization's computing environment and the cloud computing environment is important, but it is also easy to overlook the prerequisite of migrating applications and data.


 
Post subject: Re: [Open-source translation project] The impact of migrating to the public cloud on incident response
Posted: 2012-02-13 02:16
Posted by: Intermediate user
Quote:
Data Availability. The availability of relevant data from event monitoring is essential for timely detection of security incidents. Cloud consumers are often confronted with extremely limited capabilities for detection of incidents in public cloud environments [Gro10]. Prominent issues include insufficient access to event sources and vulnerability information under the control of the cloud provider, inadequate interfaces for accessing and processing event data automatically, inability to add detection points within the cloud infrastructure, and difficulty directing third-party reported abuses and incidents effectively back to the correct consumer or the cloud provider for handling. The situation varies among cloud service models and cloud providers [Gro10]. For example, PaaS providers typically do not make event logs available to consumers, who are then left mainly with event data from self-deployed applications (e.g., via application logging). Similarly, SaaS consumers are completely dependent upon the cloud provider to provide event data such as activity logging, while IaaS consumers control more of the information stack and have access to associated event sources.


Translation: Data Availability: The availability of event monitoring data is an essential condition for the timely discovery of security incidents; for event monitoring in a public cloud [Gro10], customers often face extremely limited capabilities. This shows mainly in insufficient vulnerability information from the cloud provider and insufficient access to event sources, inadequate interfaces for processing event data automatically, the inability to add monitoring points in the cloud infrastructure, and third-party abuse incidents not being correctly routed to the customer. Cloud providers offer different service models; for example, PaaS providers usually do not provide logs to customers, and all we can obtain is the event log data of the applications we deploy ourselves (for example, logs passed through the application). Similarly, SaaS customers are also entirely dependent on the event data the cloud provider supplies, such as activity records, whereas IaaS customers obtain the relevant event sources by controlling more of the information stack.

PS: the translation may have many shortcomings; please point them out!


 
Post subject: Re: [Open-source translation project] The impact of migrating to the public cloud on incident response
Posted: 2012-02-15 03:17
Posted by: Intermediate user
Quote:
Incident Analysis and Resolution. An analysis to confirm the occurrence of an incident or determine the method of exploit needs to be performed quickly and with sufficient detail of documentation and care to ensure that traceability and integrity is maintained for subsequent use, if needed (e.g., a forensic copy of incident data for legal proceedings) [Gro10]. To gain a full understanding of an incident, the scope of affected networks, systems, and applications must be determined, the intrusion vector must be uncovered, and the activities carried out must be reconstructed [Gro10]. Issues faced by cloud consumers when performing incident analysis include lack of detailed information about the architecture of the cloud relevant to an incident, lack of information about relevant event and data sources held by the cloud provider, ill-defined or vague incident handling responsibilities stipulated for the cloud provider, and limited capabilities for gathering and preserving pertinent data sources as evidence.


Translation: Incident Analysis and Resolution: Analysis needs to be performed as quickly as possible to confirm that an incident occurred or to determine the attack method. Preserve sufficiently detailed documentation to trace the attack source accurately and to ensure that the cloud can run intact, if necessary (for example, copying incident data for forensic use in legal proceedings) [Gro10]. We must understand the whole incident in every respect, including the scope of the affected networks and the affected systems and applications. The intrusion method must be discovered and the activity in the cloud reconstructed [Gro10]. Because the capability to collect and preserve the relevant data sources as evidence is limited, and the provider's responsibilities for handling incidents are often ill-defined or vague, users lack information about the relevant event data sources held by the cloud provider; the problems faced when performing incident analysis include a lack of information on the cloud's architecture and of detailed material on the relevant events.


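The paragraph quoted in the post above requires that a forensic copy of incident data keep its traceability and integrity for later use, for example in legal proceedings. The following is an added example, not from SP 800-144 and not code posted by anyone in this thread, of one way to do that in Python: hash every collected artifact, record who collected it, from where and when in a manifest, hash the manifest itself so edits to the custody record are also detectable, and verify the copy later. The two log lines, the collector name `ir-team` and the source name `iaas-vm-web01` are constructed for illustration.

```python
"""Forensic copy of incident data with an integrity and chain-of-custody manifest.

Added example, not from SP 800-144 or the forum post. It assumes the collected
incident artifacts are plain files gathered into one directory; the artifact
contents, collector name and source name below are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

HASH_ALGO = "sha256"


def hash_file(path: str) -> str:
    """Stream the file through the hash so large evidence files need not fit in memory."""
    h = hashlib.new(HASH_ALGO)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(body: dict) -> bytes:
    """Deterministic serialization, so the manifest hash is reproducible."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(evidence_dir: str, collector: str, source: str) -> dict:
    """Record what was collected, by whom, from where and when, plus a hash per file."""
    entries = []
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if os.path.isfile(path):
            entries.append({"file": name, "size": os.path.getsize(path), HASH_ALGO: hash_file(path)})
    manifest = {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "source": source,
        "algorithm": HASH_ALGO,
        "entries": entries,
    }
    # Hash the manifest body too, so later edits to the custody record itself are detectable.
    manifest["manifest_" + HASH_ALGO] = hashlib.new(HASH_ALGO, _canonical(manifest)).hexdigest()
    return manifest


def verify_manifest(evidence_dir: str, manifest: dict) -> list:
    """Return the list of problems found; an empty list means the copy still matches."""
    problems = []
    algo = manifest["algorithm"]
    body = {k: v for k, v in manifest.items() if k != "manifest_" + algo}
    if hashlib.new(algo, _canonical(body)).hexdigest() != manifest["manifest_" + algo]:
        problems.append("manifest body was modified")
    listed = set()
    for e in manifest["entries"]:
        listed.add(e["file"])
        path = os.path.join(evidence_dir, e["file"])
        if not os.path.isfile(path):
            problems.append("missing: " + e["file"])
        elif hash_file(path) != e[algo]:
            problems.append("hash mismatch: " + e["file"])
    for name in sorted(os.listdir(evidence_dir)):
        if os.path.isfile(os.path.join(evidence_dir, name)) and name not in listed:
            problems.append("unlisted file: " + name)
    return problems


def demo() -> tuple:
    """Seal constructed sample artifacts, then show that tampering with a file or the manifest is caught."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample artifacts (not real logs): an application log and a load balancer log.
        with open(os.path.join(d, "app.log"), "w") as f:
            f.write("2012-02-10T09:10:00Z login failed user=alice src=203.0.113.7\n")
        with open(os.path.join(d, "lb-access.log"), "w") as f:
            f.write('203.0.113.7 - - [10/Feb/2012:09:10:02 +0000] "GET /admin HTTP/1.1" 403 0\n')
        # Hypothetical collector and source names.
        manifest = build_manifest(d, collector="ir-team", source="iaas-vm-web01")
        manifest = json.loads(json.dumps(manifest))  # round-trip as it would be stored on disk
        clean = verify_manifest(d, manifest)
        # Someone appends to an artifact after collection.
        with open(os.path.join(d, "app.log"), "a") as f:
            f.write("2012-02-10T09:11:00Z login ok user=alice\n")
        tampered = verify_manifest(d, manifest)
        # Someone rewrites the custody record itself.
        manifest["collector"] = "someone-else"
        custody = verify_manifest(d, manifest)
        return clean, tampered, custody


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "custody"), demo()):
        print(label, result or "ok")
```

In practice the manifest would be stored apart from the evidence directory (and, for legal use, signed or timestamped by a party other than the collector), since anyone who can alter the artifacts can otherwise regenerate the manifest to match. The hash over the manifest body catches accidental or casual edits to the custody record, not a deliberate rewrite by someone with full access.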
 
Post subject: Re: [Open-source translation project] The impact of migrating to the public cloud on incident response
Posted: 2012-02-15 03:59
Posted by: Intermediate user
Quote:
Once the scope of the incident and the assets affected are determined, measures can be taken to contain and resolve the incident, bringing systems back to a secure operational state [Gro10]. The roles and responsibilities between the cloud provider and cloud consumer for containing an attack vary based on the service model and cloud architecture. For example, in SaaS and PaaS cloud environments, containment essentially amounts to reducing or removing the functionality (e.g., by filtering out certain users or features with a web application firewall) that the attacker is using to carry out unauthorized activities, if necessary, taking the entire application off-line [Gro10]. In IaaS cloud environments, the cloud consumer has a more prominent role; however, the cloud provider’s assistance is essential to resolve vulnerabilities exploited in the underlying cloud infrastructure.


Translation: Once the scope affected by the incident and the assets lost have been determined, we take measures to contain and thoroughly resolve the incident and restore the systems to a secure operational state [Gro10]. Under different cloud architectures and service models, the responsibilities of the provider and the user after an attack, and the roles they play in resolving the incident, differ. For example, in SaaS and PaaS cloud environments, where an attacker exploits functionality to carry out unauthorized activities, containment essentially amounts to reducing or removing that functionality (for example, using a web firewall to filter out certain users or features) and, if necessary, taking the whole application offline [Gro10]. In IaaS cloud environments the user plays a more prominent role; however, when resolving vulnerabilities in the underlying cloud infrastructure, the assistance provided by the cloud provider is essential.


 
Post subject: Re: [Open-source translation project] The impact of migrating to the public cloud on incident response
Posted: 2012-02-15 10:48
Posted by: Newbie
Response to an incident should be handled in a way that limits damage and minimizes recovery time and costs. Collaboration between the cloud consumer and provider in recognizing and responding to an incident is vital to security and privacy in cloud computing. Federal agencies have an obligation to report certain categories of incidents to the U.S. Computer Emergency Readiness Team (US-CERT) within one or two hours of discovery or detection.[18] A clear understanding is needed of the type of incidents that are reportable by the cloud provider (e.g., data breaches) versus those that are not reportable (e.g., intrusion detection alarms). Remedies may involve only a single party or require the participation of both parties. Being able to convene a mixed team of representatives from the cloud provider and cloud consumer quickly is an important facet of an efficient and cost-effective response.


Translation: During incident response, the damage caused by the attack should be contained, and recovery time and costs reduced as far as possible. For security and privacy in cloud computing, cooperation between the cloud provider and the cloud user in identifying and handling an incident is critical. Within one or two hours of incident detection or system recovery, federal agencies are obliged to report specific categories of incident to the US Computer Emergency Readiness Team (US-CERT). A clear understanding is needed of the incidents the cloud provider reports (e.g., data breaches) as compared with those that need not be reported (e.g., intrusion detection alerts). Recovery of the systems may involve only one party or may require the participation of both. Being able to quickly assemble a team whose members come from both the cloud provider and the user is one important mark of an efficient and effective incident response.


Last edited by miss.tang on 2012-02-15 14:52, edited 1 time in total.
 
Post subject: Re: [Open-source translation project] The impact of migrating to the public cloud on incident response
Posted: 2012-02-15 11:32
Posted by: Newbie
For an incident response team to perform effectively, it must be able to act autonomously and decisively. The resolution of a problem may impact many consumers of the cloud service. It is important that cloud providers have a transparent response process and mechanisms to share information with their consumers during and after the incident. Understanding and negotiating the provisions and procedures for incident response should be done before entering into a service contract, rather than as an afterthought. For example, incident response plans should address breaches involving PII and ways to minimize the amount of PII involved when reporting and responding to a breach [Mcc10]. The geographic location of data is a related issue that can impede an investigation, and is a relevant subject for contract discussions.

Translation: Only when it can act independently and decisively can an incident response team work efficiently. Resolving an incident may affect many users of the cloud service; it is very important that, during and after the incident, the cloud provider has transparent response processes and mechanisms for sharing information with cloud users. Before forming a service agreement (contract), both parties need to reach a common understanding of incident response and negotiate the relevant terms and procedures, rather than treating it as an afterthought. For example, when reporting and responding to a data leak, the incident response plan should cover the PII (personally identifiable information) that was leaked and ways to reduce the amount of PII involved [Mcc10]. The geographic location of data is one factor that may hinder the investigation of an incident, and is also one of the items to address when negotiating the agreement (contract).

PS: revised once.


Last edited by miss.tang on 2012-02-16 10:15, edited 4 times in total.
 
Post subject: Re: [Open-source translation project] The impact of migrating to the public cloud on incident response
Posted: 2012-02-15 11:48
Posted by: Advanced user
The full text can be read at
http://csrc.nist.gov/publications/nistp ... 00-144.pdf


 
Post subject: Re: [Open-source translation project] The impact of migrating to the public cloud on incident response
Posted: 2012-02-15 14:27
Posted by: Intermediate user
In most NIST guidelines, PII refers to Personally Identifiable Information.

[MCC10] - please annotate in the paragraph above the source of the paper or work being cited (a citation of someone else's statement/argument/viewpoint).


CISPS.org (华安信达) ©2003 - 2012