GB/T 36627-2018 English PDF (GBT36627-2018)

GB/T 36627-2018: Information security technology -- Testing and evaluation technical guide for classified cybersecurity protection

This Standard provides classifications and definitions of the relevant testing and evaluation technologies used in testing and evaluation for classified cybersecurity protection (hereinafter referred to as "classified testing and evaluation"). It proposes the key elements and principles of technical testing and evaluation and makes recommendations for the analysis and application of testing and evaluation results. This Standard is applicable to classified testing and evaluation performed by a testing and evaluation authority on a classified cybersecurity protection target (hereinafter referred to as "classified protection target"). It is also applicable to the security evaluation of classified security protection that the supervising department and the operating and using authority of a classified protection target perform on that target.
GB/T 36627-2018
NATIONAL STANDARD OF THE
PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology - Testing and evaluation
technical guide for classified cybersecurity protection
ISSUED ON: SEPTEMBER 17, 2018
IMPLEMENTED ON: APRIL 01, 2019
Issued by: State Administration for Market Regulation;
Standardization Administration of the People's Republic of
China.
Table of Contents
Foreword ... 3
Introduction ... 4
1 Scope ... 5
2 Normative references ... 5
3 Terms and definitions, abbreviations ... 5
3.1 Terms and definitions ... 5
3.1.1 dictionary attack ... 5
3.1.2 file integrity checking ... 6
3.1.3 network sniffer ... 6
3.1.4 rule set ... 6
3.1.5 target of testing and evaluation ... 6
3.2 Abbreviations ... 6
4 General ... 7
4.1 Technical classification ... 7
4.2 Selection of technology ... 7
5 Requirements for classified testing and evaluation ... 8
5.1 Check technology ... 8
5.1.1 File check ... 8
5.1.2 Log check ... 8
5.1.3 Rule set check ... 9
5.1.4 Configuration check ... 10
5.1.5 File integrity check ... 11
5.1.6 Cipher check ... 11
5.2 Identification and analysis technologies ... 11
5.2.1 Network sniffer ... 11
5.2.2 Network port and service identification ... 12
5.2.3 Vulnerability scanning ... 12
5.2.4 Wireless scanning ... 13
5.3 Vulnerability verification technology ... 14
5.3.1 Password crack ... 14
5.3.2 Penetration test ... 14
5.3.3 Remote access test ... 16
Annex A (informative) Activities after testing and evaluation ... 17
Annex B (informative) Description on relevant concept of penetration test ... 19
Bibliography ... 25
Information security technology - Testing and evaluation
technical guide for classified cybersecurity protection
1 Scope
This Standard provides classifications and definitions of the relevant testing and evaluation technologies used in testing and evaluation for classified cybersecurity protection (hereinafter referred to as "classified testing and evaluation"). It proposes the key elements and principles of technical testing and evaluation and makes recommendations for the analysis and application of testing and evaluation results. This Standard is applicable to classified testing and evaluation performed by a testing and evaluation authority on a classified cybersecurity protection target (hereinafter referred to as "classified protection target"). It is also applicable to the security evaluation of classified security protection that the supervising department and the operating and using authority of a classified protection target perform on that target.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB 17859-1999, Classified criteria for security protection of computer information system
GB/T 25069-2010, Information security technology - Glossary
3 Terms and definitions, abbreviations
3.1 Terms and definitions
The terms and definitions defined in GB 17859-1999 and GB/T 25069-2010, as well as the following, apply to this document.
3.1.1 dictionary attack
an attack mode that tries, one by one, the words or phrases in a user-defined dictionary when cracking a password
4 General
4.1 Technical classification
The testing and evaluation technologies that can be used for classified testing and evaluation are divided into the following three categories:
a) check technology: a testing and evaluation technology that inspects the information system, institutional documents, equipment and facilities, and discovers security vulnerabilities in related procedures and policies. It is usually carried out manually and mainly includes file check, log check, rule set check, system configuration check, file integrity check and cipher check;
b) identification and analysis technologies: testing and evaluation technologies that identify systems, ports, services and potential security vulnerabilities. They can be carried out manually or with automated tools and mainly include network sniffer, network port and service identification, vulnerability scanning and wireless scanning;
c) vulnerability verification technology: a testing and evaluation technology that verifies whether a vulnerability exists. Based on the results of checking, target identification and analysis, it is applied intentionally and strategically, manually or with automated tools, and mainly includes password crack, penetration test and remote access test; it verifies and confirms possible security vulnerabilities in order to obtain evidence.
4.2 Selection of technology
When selecting and determining the technical methods used for classified testing and evaluation activities, the factors that shall be considered include, but are not limited to, the target of testing and evaluation, the applicability of the testing and evaluation technology, and the security risk that the technology might introduce to the target, so that a suitable technical method is selected.
When the selected technical method might affect the target of testing and evaluation during implementation, priority shall be given to testing a non-production system that has the same configuration as the target's production system. Test outside business hours, or use only a technical method whose risk can be controlled when testing during business hours, so as to minimize the impact on the business of the target of testing and evaluation.
The results obtained after technical testing and evaluation is carried out can be used for threat analysis, improvement suggestions and report generation for the target of testing and evaluation. See Annex A for details.
a) authentication logs of servers or systems, including successful and failed authentication attempts;
b) operating system logs, including system and service start and shutdown, installation of unauthorized software, file access, security policy changes, account changes (such as account creation and deletion, and assignment of account rights), and permission usage;
c) IDS/IPS logs, including malicious behavior and inappropriate use;
d) firewall, switch and router logs, including outbound connections that affect internal devices (such as those made by bots, Trojans or spyware), as well as unauthorized connection attempts and improper use;
e) application logs, including unauthorized connection attempts, account changes, permission use, and usage information of the application or database;
f) anti-virus logs, including virus removal and infection records, and other events such as upgrade failures and software expiry;
g) other security logs, such as patch management; these shall record information such as services and applications with known vulnerabilities;
h) network operating status and network security event logs; the retention time shall be not less than 6 months.
5.1.3 Rule set check
The main function of rule set check is to discover vulnerabilities in rule-set-based security control measures. Check targets include the access control lists and policy sets of network equipment, security equipment, databases, operating systems and application systems. For level-three and above protection targets, the mandatory access control mechanism shall also be included. When performing rule set check, the following evaluation key elements and evaluation principles shall be considered:
a) routing access control list:
1) every rule shall be valid (for example, a rule that was set for a temporary need shall be removed as soon as it is no longer needed);
2) only traffic authorized by policy is allowed to pass; all other traffic is denied by default.
b) policy set of access control device:
1) it shall adopt a default-deny policy;
1) the system security officer creates the security marks of subjects (such as users) and objects (such as data);
2) subjects and objects that implement the same mandatory access control security policy shall be marked with the same security marks;
3) the scope of mark check shall be extended to all subjects and objects in the target of testing and evaluation.
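The routing ACL principles above (every rule still valid, default deny) can be checked mechanically. The following Python is an added example written for this page, not part of the standard; the rule fields `expires` and `ticket` are assumptions standing in for whatever change record the operator keeps:

```python
"""Rule set check (5.1.3) over a constructed routing ACL.

Checks two key elements from the standard: each rule must still be valid
(temporary rules are removed once no longer needed, and every rule has an
authorising record) and only policy-authorised traffic passes, with
everything else denied by default. Rule format is an assumption.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Rule:
    seq: int
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "ip"
    src: str                         # CIDR or "any"
    dst: str                         # CIDR or "any"
    dport: Optional[int]             # None means any port
    expires: Optional[date] = None   # set only on temporary rules
    ticket: Optional[str] = None     # change record that authorises the rule


# Constructed sample rule set for the demo (not taken from the standard)
TODAY = date(2024, 6, 1)
RULES = [
    Rule(10, "permit", "tcp", "10.1.0.0/16", "10.2.0.10/32", 443, ticket="CHG-101"),
    Rule(20, "permit", "tcp", "any", "10.2.0.10/32", 22,
         expires=date(2024, 5, 15), ticket="CHG-117"),   # temporary, already expired
    Rule(30, "permit", "udp", "10.1.0.0/16", "10.2.0.53/32", 53),  # no change record
    Rule(40, "permit", "ip", "any", "any", None, ticket="CHG-050"),  # permit-all
]


def check_rule_set(rules: List[Rule], today: date = TODAY) -> List[Tuple[int, str]]:
    """Return (seq, finding) pairs; an empty list means the ACL passed the check."""
    findings = []
    for r in rules:
        if r.expires is not None and r.expires < today:
            findings.append((r.seq, "expired temporary rule still present"))
        if r.ticket is None:
            findings.append((r.seq, "no authorising record; cannot confirm rule is valid"))
        if r.action == "permit" and r.src == "any" and r.dst == "any" and r.dport is None:
            findings.append((r.seq, "permit any/any defeats default deny"))
    # Default-deny principle: require an explicit terminal deny-all so the
    # policy is auditable rather than relying on an implicit platform default.
    last = rules[-1] if rules else None
    if last is None or not (last.action == "deny" and last.src == "any" and last.dst == "any"):
        findings.append((last.seq if last else 0, "no terminal deny-all rule; default deny not enforced"))
    return findings


if __name__ == "__main__":
    for seq, msg in check_rule_set(RULES):
        print(f"rule {seq}: {msg}")
```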
5.1.5 File integrity check
The main function of file integrity check is to identify unauthorized changes to important files such as system files. When performing file integrity check, the following evaluation key elements shall be considered:
a) use hashes or digital signatures to ensure the integrity of important files;
b) compare a benchmark sample against the important file to verify its integrity;
c) use a host-based IDS to raise alerts on changes to the integrity of important files.
5.1.6 Cipher check
The main function of cipher check is to perform a security check on the cryptographic technology used in the target of testing and evaluation or product. When performing cipher check, the following evaluation principles shall be considered:
a) the relevant functions of the cryptographic algorithms provided shall comply with the relevant provisions of the national cryptographic authority;
b) the key lengths used shall comply with the relevant provisions of the supervising department of the industry of the classified protection object.
5.2 Identification and analysis technologies
5.2.1 Network sniffer
The main function of network sniffer is, by capturing and replaying network traffic, to collect and identify active devices, operating systems and protocols, and unauthorized and inappropriate behavior in the network. When performing network sniffer, the following evaluation key elements and evaluation principles shall be considered:
a) monitor network traffic, record the IP addresses of active hosts and report the operating system information found in the network;
b) identify connections between hosts, including which hosts communicate
performing vulnerability scanning, it shall consider the following evaluation key elements and evaluation principles:
a) identify information related to the vulnerability, including vulnerability name, type, description, risk level and repair suggestion;
b) combine tool identification with manual analysis, and perform correlation analysis on the vulnerabilities found so as to judge their risk level accurately;
c) before performing vulnerability scanning, the scanning device shall be updated to the latest vulnerability library so that the latest vulnerabilities can be identified;
d) according to the vulnerability analysis principle of the vulnerability scanning tool (such as signature matching or attack detection), choose the scanning policy carefully so as to avoid causing failure of the target of testing and evaluation;
e) when using a vulnerability scanning device, the number of scanning threads and the traffic shall be restricted so as to reduce the risk to the target of testing and evaluation caused by the testing and evaluation.
5.2.4 Wireless scanning
The main function of wireless scanning is to identify situations in the test environment where one or more devices communicate without a physical connection (such as a network cable or peripheral cable), and to help the organization assess and analyze the security risks that wireless technology poses to the scanning target. When performing wireless scanning, the following evaluation key elements and evaluation principles shall be considered:
a) identify the key attributes of wireless devices in the wireless traffic, including SSID, device type, channel, MAC address, signal strength and number of packets transmitted;
b) the environmental elements of the deployment location of the wireless scanning device include: the location and range of the scanned devices, the security protection level of the target of testing and evaluation that uses wireless technology for data transmission, the importance of the data, the connection and disconnection frequency of wireless devices, and the traffic scale in the scanning environment;
c) use a mobile device configured with wireless analysis software, such as a laptop, handheld or professional device;
d) based on the wireless security configuration requirements, configure the scanning policy of the wireless scanning tool so as to realize difference
1) System/service vulnerabilities. Security vulnerabilities that arise because the operating system, database or middleware providing service or support to the application system has flaws, such as buffer overflow, heap/stack overflow or memory leak, may cause program failure, system outage or restart. More seriously, they can cause the program to execute unauthorized commands or even grant system privileges with which various illegal operations can be carried out.
2) Application code vulnerabilities. Because the developer's code is not standardized or lacks the necessary verification measures, the application system has security vulnerabilities, including SQL injection, cross-site scripting and arbitrary file upload. Attackers can exploit these vulnerabilities to attack the application system and obtain sensitive information from the database; more seriously, the server may be taken over.
3) Permission bypass vulnerabilities. Because the control rules for data access and function module access are not strict or are missing, attackers can access these data and function modules without authorization. Permission bypass vulnerabilities are usually divided into override access and parallel permission. Override access means that a low-permission user accesses, without authorization, the function modules or data of a high-permission user. Parallel permission means that an attacker uses a function module within his own permission to access or operate, without authorization, another user's data.
4) Improper configuration vulnerabilities. Because security hardening is not performed on configuration files, only the default configuration is used, or the configuration is unreasonable, security risks arise. For example, if the middleware configuration supports the PUT method, an attacker may use PUT to upload a Trojan file and thereby obtain control of the server.
5) Information leakage vulnerabilities. Because the system does not provide the necessary protection for important data and information, an attacker can obtain useful information from leaked content, providing clues for further attacks. For example, source code leaks and default error messages that contain server information or SQL statements are all information leakage vulnerabilities.
6) Business logic defect vulnerabilities. Because the program logic is not strict or is too complicated, some logical branches cannot be handled, or are handled incorrectly. When this happens, a user may be able to perform arbitrary password modification, override access or abnormal-amount transactions, depending on the business function.
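The permission bypass category in item 3) is easiest to see in code. The following Python is an added example, not part of the standard: a vulnerable record lookup that trusts the requested id (parallel permission) beside a hardened lookup that binds access to the authenticated user, plus a role check against override access. The records, users and function names are constructed for the example.

```python
"""Permission bypass (Annex B, item 3): vulnerable vs. hardened authorization."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    uid: int
    role: str   # "user" or "admin"


# Constructed records: each belongs to one owner uid
RECORDS = {
    1001: {"id": 1001, "owner": 1, "iban": "DE00 TEST 0000 0001"},
    1002: {"id": 1002, "owner": 2, "iban": "DE00 TEST 0000 0002"},
}
ADMIN_ONLY_ACTIONS = {"export_all"}


class Forbidden(Exception):
    pass


def get_record_vulnerable(current_user, record_id):
    """Parallel-permission flaw: only checks that someone is logged in, so any
    authenticated user can read any record just by changing the id."""
    if current_user is None:
        raise Forbidden("login required")
    return RECORDS[record_id]


def get_record_hardened(current_user, record_id):
    """Ownership is decided server-side from the session, never from the request."""
    if current_user is None:
        raise Forbidden("login required")
    rec = RECORDS.get(record_id)
    # Same response for missing and foreign records, so ids cannot be enumerated
    if rec is None or (rec["owner"] != current_user.uid and current_user.role != "admin"):
        raise Forbidden("not found")
    return rec


def run_action_hardened(current_user, action):
    """Override-access guard: high-privilege functions re-check the role on every call."""
    if current_user is None:
        raise Forbidden("login required")
    if action in ADMIN_ONLY_ACTIONS and current_user.role != "admin":
        raise Forbidden("insufficient privilege")
    return f"{action} executed by uid {current_user.uid}"


def check_for_bypass(lookup) -> bool:
    """Test probe a tester would run: can user 1 read user 2's record via `lookup`?"""
    try:
        return lookup(User(1, "user"), 1002)["owner"] == 2
    except Forbidden:
        return False


def can_run(current_user, action) -> bool:
    try:
        run_action_hardened(current_user, action)
        return True
    except Forbidden:
        return False
```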
Annex A
(informative)
Activities after testing and evaluation
A.1 Analysis on testing and evaluation results
The main goals of analysis of testing and evaluation results are to determine and eliminate false positives, classify vulnerabilities and determine the causes of vulnerabilities. In addition, serious vulnerabilities that need to be dealt with immediately are identified throughout the testing and evaluation. Common causes of vulnerabilities are listed below, including:
a) Insufficient patch management. For example, patches cannot be applied in time, or cannot be applied to all systems that have the vulnerability;
b) Insufficient threat management. For example, the antivirus signature database is not updated in time, spam filtering is ineffective, or the firewall policy does not meet the security policy of the system operating authority;
c) Lack of a security baseline. Similar systems use inconsistent security configuration strategies;
d) Lack of security integration in system development. For example, system development does not meet security requirements, or does not consider them at all, or there are vulnerabilities in the system's application code;
e) Flaws in the security architecture. For example, security technology is not effectively integrated into the system (for example, security facilities and equipment are placed unreasonably, coverage is inadequate, or the technology is outdated);
f) Insufficient security incident response measures. For example, no response is made to penetration testing activities;
g) Insufficient training of end users (for example, lack of awareness of social engineering and phishing attacks, or use of unauthorized wireless access points) or of network and system administrators (for example, lack of security operation and maintenance);
h) Lack of security policy, or security policy that is not enforced. For example, open ports, started services, insecure protocols, unlicensed hosts, and
Annex B
(informative)
Description on relevant concept of penetration test
B.1 General
A penetration test is a security test in which the tester simulates an attacker and uses the tools and techniques commonly used by attackers to launch a real attack on the security functions of an application, information system or network. Rather than looking for a single vulnerability, most penetration tests try to find a set of security vulnerabilities so as to obtain more ways into the system. A penetration test can also be used to determine:
a) the degree to which the system tolerates real-world attack patterns;
b) the degree of complexity an attacker must face in order to break into the system successfully;
c) other countermeasures that reduce threats to the system;
d) the ability of defenders to detect an attack and respond correctly.
Penetration test is a very important security test, and the tester needs a wealth of expertise and skills. Although an experienced tester can reduce the risk it carries, the risk cannot be avoided completely; therefore, a penetration test shall be carefully thought out and planned.
A penetration test usually also contains non-technical attack methods. For example, a penetration tester can connect to the network by circumventing physical security controls, so as to steal devices, capture sensitive information (possibly by installing a keystroke logging device) or disrupt network communications. When performing a physical security penetration test, care shall be taken; it shall be defined how the effectiveness of the tester's intrusion activities is verified, for example through an access point or a file. Another non-technical attack means is social engineering, for example posing as a customer service agent and calling a user to ask for his password, or posing as a user and calling customer service to request a password reset. Further details of physical security tests, social engineering techniques and other non-technical penetration attack tests are outside the scope of this Standard.
B.2 Penetration test stages
B.2.1 General
such as CNVD to find vulnerabilities manually.
B.2.4 Stage - attack
Execution of the attack is the core of a penetration test. The attack stage is a process of exploring further the vulnerabilities that have been confirmed so as to verify potential vulnerabilities. If the attack succeeds, the vulnerability is verified; the corresponding security measures are then confirmed and the relevant security risks shall be reduced. In most cases, the exploration carried out does not give the attacker the maximum possible access. Instead, it lets the tester learn more about the target network and its potential vulnerabil...
