EC-Council ECIH (Certified Incident Handler) Exam Preparation Notes

Kuro Huang
A security practitioner's learning path
5 min read · Apr 16, 2023

Incident response has always been one of the things an enterprise needs to prepare for. It is a topic that is never exactly hot, yet cannot be left out, and it covers both management and technology. In today's world, incident response in the cloud is a headache for every organisation. If you want a first look at the management side of incident response, I think ECIH may be a decent starting point; of course, as a security practitioner you cannot do without the basic technical knowledge and concepts either.

Source: EC-Council | Certified Incident Handler (E|CIH) — YouTube

Course material and module outline

  1. Introduction to Incident Handling and Response
  2. Incident Handling and Response Process
  3. Forensic Readiness and First Response
  4. Handling and Responding to Malware Incidents
  5. Handling and Responding to Email Security Incidents
  6. Handling and Responding to Network Security Incidents
  7. Handling and Responding to Web Application Security Incidents
  8. Handling and Responding to Cloud Security Incidents
  9. Handling and Responding to Insider Threats

(Source: UUU)

EC-Council course material and your learning mindset

To be fair, setting aside EC-Council's business practices, exam format and credibility, I think EC-Council's course material is actually very well written for beginners in terms of the scope it covers and how it explains things. Of course, students who attend the class also have to study the material seriously for their skills to improve; don't just memorise questions. Try to take a positive view of the knowledge the course itself offers and apply it to your own work. Even if you are already very familiar with the practice behind this certification, you cannot guarantee that your own concepts line up with the international viewpoint. Keeping the ideal framework and real-world practice in balance without neglecting either is what really tests a practitioner's ability.

Where ECIH sits in EC-Council's line-up

I think the vendor has its own business model. Personally, if you are in-house (client-side) staff or a security management consultant, CEH and ECIH may well be enough; beyond that, rely on CISSP and CISM to build your foundation in security management, then go back and fill in whatever specialised knowledge you feel you are missing.

https://www.eccouncil.org/wp-content/uploads/2021/03/Leadership-Role_V6.png

Further reading:

Study and preparation notes

My habit in past articles has been to first organise the book and related material into my own digital notes. As for how to organise the content, I think it depends on each person's habits; there is no single right answer. Personally, I like to read through everything and remember as much as I can, because all of this knowledge may come in handy at work, and if you have the capacity, you might as well learn all of it!

Ch1 to Ch3 lean toward management: an overview of incident response, the incident response process, and the basic digital forensics workflow. Ch2 is probably the essence and focus of the book's management process; the key point is that every step is detailed enough to be turned into a checklist, and the material also includes flowcharts to explain it. It is very helpful for both newcomers and veterans (if you actually read it, XD).

Take the IH&R Process Flow:

Preparation > Incident Recording and Assignment > Incident Triage > Notification > Containment > Evidence Gathering and Forensic Analysis > Eradication > Recovery > Post-Incident Activities

Each phase is further split into many sub-sections discussing what you should do. Take Preparation, for example:

  • Determine the Need for IH&R Processes
  • Define IR Vision and Mission
      ◦ Define the purpose and scope of the planned IR capabilities
      ◦ Mid-term and long-term goals for incident management capabilities
  • Management Approvals and Funding
      ◦ Obtain proper permissions from management, stakeholders, and other authorized personnel
  • Develop IR Plan, which should:
      ◦ Address the organization's mission and vision statements
      ◦ Meet the goals of the incident response initiative
      ◦ Comply with the statement of senior management approval
      ◦ Include strategies to achieve set goals and timelines
      ◦ Have an organized approach to incident response
      ◦ Identify incident response key performance indicators that organizations can use for future reference
      ◦ Provide a statement of interoperability
      ◦ Add value to other organizational processes
      ◦ Make efficient use of all resources
  • Develop IR Policy, which must also include:
      ◦ Statement of management commitment to the IH&R plan
      ◦ Policy purpose and objectives
      ◦ Policy scope
      ◦ Definition of security incidents and their consequences within the context of the organization
      ◦ Organizational structure and delineation of roles, responsibilities, and levels of authority
      ◦ Guidelines for prioritizing incidents or assigning severity levels
      ◦ Performance measures and proper project management and time management details
      ◦ Reporting guidelines
      ◦ Guidelines for communication within and outside of the organization

The above is only a very small sample. I think if you read the whole book carefully and write it up in your own words, it will help you a great deal at work!

Ch4 to Ch9 are more technical, though not really that technical. Besides explaining many technical terms, the book's more valuable content is how to respond to each threat: every topic covers its related detection methods, containment, eradication, recovery, and best-practice recommendations, which makes it a good handbook for newcomers and veterans alike.

Take the common Web Application Incident as an example:

Detection: Indicators

  • Unavailability of websites, web services, or applications
  • Alerts and notifications from tools like WAF, SIEM, and IDS
  • Leakage of sensitive data
  • Redirection of URLs to incorrect sites
  • Web page defacement
  • Unusually slow network performance
  • Frequent rebooting of the server
  • Anomalies in log files, such as web server logs, application logs, and database logs
  • Database logs showing multiple errors within a short period of time
  • Suspicious activities in user accounts, like new processes, users, and jobs
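Two of the log-based indicators above ("anomalies in log files" and "database logs showing multiple errors within a short period of time") are easy to turn into detection logic. The script below is an added example, not part of the ECIH material: it scans constructed web-server and database log lines, reports the first moment at which a burst of database errors falls inside a short window, and lists the clients that keep triggering HTTP 5xx responses. The two log formats and the thresholds are assumptions made for the example.

```python
"""Added example, not part of the ECIH material: flag two of the web
application incident indicators from log lines, namely a burst of
database errors within a short period and one client producing an
unusual number of 5xx responses. All log lines are constructed."""
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed sample web log. Format assumed: "<iso-ts> <client-ip> <method> <path> <status>".
WEB_LOG = """\
2023-04-16T10:00:01 198.51.100.2 GET /index 200
2023-04-16T10:00:04 203.0.113.7 POST /login 500
2023-04-16T10:00:05 203.0.113.7 POST /login 500
2023-04-16T10:00:06 203.0.113.7 POST /login 500
2023-04-16T10:00:08 198.51.100.2 GET /orders 200
2023-04-16T10:00:09 203.0.113.7 POST /login 500
2023-04-16T10:00:10 198.51.100.2 GET /orders 503
2023-04-16T10:00:11 198.51.100.2 GET /index 200
"""

# Constructed sample database log. Format assumed: "<iso-ts> <LEVEL> <message>".
DB_LOG = """\
2023-04-16T10:00:00 INFO connection pool ready
2023-04-16T10:00:05 ERROR syntax error in query from app user
2023-04-16T10:00:06 ERROR syntax error in query from app user
2023-04-16T10:00:07 ERROR syntax error in query from app user
2023-04-16T10:00:09 ERROR unterminated quoted string in query
2023-04-16T10:00:11 ERROR syntax error in query from app user
2023-04-16T10:05:00 ERROR connection timeout to replica
"""

WEB_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d{3})$")
DB_RE = re.compile(r"^(\S+) ERROR (.*)$")


def detect_db_error_burst(lines, window_s=30, threshold=5):
    """Sliding-window count of DB ERROR lines.

    Returns (window_start, count) for the first moment at least `threshold`
    errors fall within `window_s` seconds, or None if that never happens.
    """
    window = timedelta(seconds=window_s)
    recent = deque()                      # timestamps of errors inside the window
    for line in lines:
        m = DB_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        recent.append(ts)
        while ts - recent[0] > window:    # evict errors that have aged out
            recent.popleft()
        if len(recent) >= threshold:
            return recent[0], len(recent)
    return None


def noisy_sources(lines, min_errors=3):
    """Count HTTP 5xx responses per client and return those at or above
    `min_errors`, i.e. the clients whose requests keep making the app fail."""
    errors = Counter()
    for line in lines:
        m = WEB_RE.match(line)
        if not m:
            continue
        src, status = m.group(2), int(m.group(5))
        if 500 <= status <= 599:
            errors[src] += 1
    return {src: n for src, n in errors.items() if n >= min_errors}


if __name__ == "__main__":
    burst = detect_db_error_burst(DB_LOG.splitlines())
    if burst:
        print(f"DB error burst: {burst[1]} errors starting {burst[0].isoformat()}")
    for src, n in noisy_sources(WEB_LOG.splitlines()).items():
        print(f"client {src} triggered {n} server errors")
```

On the constructed input the database burst is reported at 10:00:05 (five errors in six seconds) and 203.0.113.7 is listed with four server errors; in practice both thresholds would be tuned against a baseline of normal traffic, and a hit would be handed to the Incident Recording and Triage steps of the process flow rather than acted on automatically.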

Containment recommendations:

  • Web content filtering helps to filter web applications used by attackers to host malware or to launch phishing and spam campaigns
  • Enable the blackhole feature on the web application, such that it drops all requests from the same source after a certain limit
  • Define a level of load that authenticated users can place on the web application. If they need more, terminate the previous request and raise a new request to process their request again
  • Deny unnecessary access to any resources for unauthorized users. To reduce the burden on servers, cache the content that unauthorized users send, instead of using the main databases for it
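The "blackhole" item above is a per-source gate: count requests from each source over a short window, and once a source exceeds the limit, drop everything it sends for a cooldown period. The class below is an added example, not EC-Council's code, showing that logic in Python; the limit, window and cooldown values, and the request stream it is fed, are constructed for the example.

```python
"""Added example, not EC-Council's code: a 'blackhole' gate as described in
the containment recommendation. Once a source exceeds `limit` requests
within `window` seconds, every further request from that source is dropped
for `blackhole_for` seconds. The current time is passed in explicitly so
the behaviour is deterministic; the request stream below is constructed."""
from collections import defaultdict, deque


class BlackholeGate:
    def __init__(self, limit=5, window=10.0, blackhole_for=60.0):
        self.limit = limit
        self.window = window
        self.blackhole_for = blackhole_for
        self._recent = defaultdict(deque)  # src -> request timestamps inside the window
        self._until = {}                   # src -> time at which its blackhole lifts

    def allow(self, src, now):
        """Return True if the request from `src` at time `now` may proceed."""
        lift = self._until.get(src)
        if lift is not None:
            if now < lift:
                return False               # still blackholed: drop without processing
            del self._until[src]           # cooldown over, start counting afresh
            self._recent[src].clear()
        q = self._recent[src]
        q.append(now)
        while now - q[0] > self.window:    # evict requests that have aged out
            q.popleft()
        if len(q) > self.limit:
            self._until[src] = now + self.blackhole_for
            q.clear()
            return False                   # this request is the first one dropped
        return True

    def blackholed(self, now):
        """Sources whose requests are currently being dropped."""
        return sorted(s for s, lift in self._until.items() if now < lift)


def simulate(gate, requests):
    """Feed (time, src) pairs through the gate in time order.
    Returns {src: (allowed, dropped)} so the effect per source is visible."""
    stats = defaultdict(lambda: [0, 0])
    for t, src in sorted(requests):
        stats[src][0 if gate.allow(src, t) else 1] += 1
    return {src: tuple(v) for src, v in stats.items()}


# Constructed request stream: one chatty client sending once per second,
# one normal client, then two late retries from the chatty one.
CONSTRUCTED_REQUESTS = (
    [(float(t), "203.0.113.7") for t in range(8)]
    + [(0.0, "198.51.100.2"), (3.0, "198.51.100.2"),
       (6.0, "198.51.100.2"), (9.0, "198.51.100.2")]
    + [(30.0, "203.0.113.7"), (70.0, "203.0.113.7")]
)

if __name__ == "__main__":
    gate = BlackholeGate(limit=5, window=10.0, blackhole_for=60.0)
    for src, (ok, dropped) in simulate(gate, CONSTRUCTED_REQUESTS).items():
        print(f"{src}: {ok} allowed, {dropped} dropped")
```

With a limit of 5 per 10 seconds and a 60-second blackhole, the chatty client gets its first five requests through, is dropped from the sixth onward (including the retry at t=30), and is admitted again only at t=70 after the cooldown; the normal client is never affected. The dropped counter per source is exactly the number you would want to record as evidence during the incident.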

Eradication recommendations:

SQL Injection Attacks:

  • Limit the length of user input
  • Use custom error messages
  • Monitor DB traffic using an IDS or WAF
  • Disable commands like xp_cmdshell
  • Isolate the database server from the web server

Command Injection Attacks:

  • Perform input validation
  • Escape dangerous characters
  • Use language-specific libraries that avoid problems due to shell commands
  • Perform input and output encoding
  • Use a safe API that avoids the use of the interpreter entirely
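Several of the eradication items above ("limit the length of user input", "perform input validation", "use a safe API that avoids the use of the interpreter entirely") map directly onto code. The block below is an added example, not EC-Council's code: an in-memory SQLite table with constructed rows is queried through a parameterised statement, and a command is launched through an argv list with no shell, so user input is only ever treated as data. The hostname allowlist pattern, the 64-character limit and the Python one-liner standing in for a real command are assumptions made for the example.

```python
"""Added example, not EC-Council's code: the SQL injection and command
injection eradication items applied in Python. The users table is an
in-memory SQLite database with constructed rows; the command is launched
through an argv list with no shell, so no interpreter ever sees user input.
The hostname allowlist and the 64-character limit are assumptions."""
import re
import sqlite3
import subprocess
import sys

MAX_INPUT_LEN = 64                                           # "limit the length of user input"
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})")   # hostname allowlist (assumed)


def open_db():
    """In-memory SQLite with constructed rows; one name deliberately contains a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("o'brien", "user")])
    return conn


def lookup_role(conn, username):
    """Parameterised query: the driver binds `username` as data, so quotes
    or SQL keywords inside it can never change the statement's structure."""
    if len(username) > MAX_INPUT_LEN:
        raise ValueError("input too long")                   # reject before touching the DB
    row = conn.execute("SELECT role FROM users WHERE name = ?", (username,)).fetchone()
    return row[0] if row else None


def run_on_host(hostname):
    """Validate against an allowlist, then call the program with an argv list
    (never shell=True): this is the 'safe API that avoids the interpreter'.
    A Python one-liner stands in for the real tool so the example runs anywhere."""
    if not HOST_RE.fullmatch(hostname):
        raise ValueError("invalid hostname")                 # metacharacters never get this far
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", hostname]
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    db = open_db()
    print(lookup_role(db, "o'brien"))        # the quote is just data: prints "user"
    print(run_on_host("db01.example.com"))
```

The name `o'brien` is the useful case: with string concatenation that apostrophe would either break the query or, in the worse case, alter it, whereas the bound parameter returns the stored role. The allowlist check and the argv call are independent layers, and both are kept because the first also gives the custom, non-revealing error message the SQL injection list asks for.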

Best-practice recommendations:

  • Limit script activity to certain subtrees, such that scripts can modify only certain document subtrees
  • Restrict the length and character type of input fields in HTML and JavaScript to a certain limit, such that buffer overflow attacks do not occur
  • In the case of multiple simultaneous login attempts, terminate previous sessions or alert users and ask them which session they need to keep active

Unfortunately, these management processes do not fit the cloud particularly well, and I think that is one of the problems everyone faces!!

Also…

Don't just memorise past exam questions!

Summary

After studying the material thoroughly, memorise what needs memorising, for example that security policies are classified as Promiscuous Policy, Permissive Policy, Prudent Policy and Paranoid Policy, and the management processes together with the names of the corresponding tools are the most basic of basics. I think once you have built a solid foundation and knowledge system, it will be easy whether you sit the exam cold or go over practice questions. The point is that you learn something in the process: if you are a vendor (consultant), you can lay out a complete process for a client and check what the client is missing; if you are in-house, you can check whether your company's management processes are appropriate, or properly evaluate whether your vendors are professional.

I want to write up and share all kinds of experience as teaching material, in the hope of bringing out a culture of sharing in the community, and I hope others will write their own notes in the future. If you are self-studying and have any questions about registering for or preparing for the exam, feel free to connect on LinkedIn or contact me via Facebook, and I will help as far as I can (or if you'd like to meet me for a coffee, you are welcome too; I love getting to know more people in the industry, and quite a few have already reached out for a chat!).

ISACA exam further reference:

Obtained (paid for and kept up to date)

  • 2019.01 — Cisco Certified Network Associate: Routing and Switching (CCNA RS) (course at Chinese Culture University School of Continuing Education)
  • 2019.11 — Network Security of Packet Analysis Course (NSPA) (key notes)
  • 2019.12 — EC-Council Certified Ethical Hacker (CEH) (write-up)
  • 2020.04 — Cisco Certified Network Professional: Enterprise (CCNP Enterprise) (Link)
  • 2020.04 — VMware Certified Professional: Network Virtualization (VCP-NV) (write-up)
  • 2020.05 — Cisco Certified Network Professional: Security (CCNP Security)
  • 2020.07 — Azure AZ-900 (write-up)
  • 2020.11 — EC-Council Certified Security Analyst (ECSA) & CPSA conversion write-up

2021 (write-up links are on the certification abbreviations at the end)

  • 2021.02 — Certified Threat Intelligence Analyst (CTIA)
  • 2021.04 — Certified Information Systems Auditor (CISA)
  • 2021.05 — EC-Council Certified SOC Analyst (CSA)
  • 2021.08 — Certified Information Security Manager (CISM)
  • 2021.09 — Certified in Risk and Information Systems Control (CRISC)
  • 2021.10 — Certified in the Governance of Enterprise IT (CGEIT)

2022 (write-up links are on the certification abbreviations at the end)

  • 2022.07 — Certified Information Systems Security Professional (CISSP)
  • 2022.10 — Certified Data Privacy Solutions Engineer (CDPSE)
  • 2022.12.30 — Certified Cloud Security Professional (CCSP)
  • 2023.02 — Certified in Cybersecurity Certification (CC)
  • 2023.04 — EC-Council Certified Incident Handler (ECIH)
  • 2023.08 — EC-Council Certified Ethical Hacker Practical / Master (CEHP)

ISACA certification study bundle and materials round-up:


Kuro Huang
A security practitioner's learning path

A security practitioner who is passionate about education, currently a board member of the ISC2 Taipei Chapter, who likes making friends through shared professional interests. Formerly a security generalist and a security consultant at a Big Four accounting firm, hoping to contribute a little to the security community and to see myself and the people around me improve; always happy to chat about security over coffee. I try to take part regularly in security community events. Personal site: https://portaly.cc/kurohuang