GB/T 36627-2018: Information security technology - Testing and evaluation technical guide for classified cybersecurity protection
GB/T 36627-2018
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology - Testing and evaluation
technical guide for classified cybersecurity protection
ISSUED ON: SEPTEMBER 17, 2018
IMPLEMENTED ON: APRIL 01, 2019
Issued by: State Administration for Market Regulation; Standardization Administration of the People's Republic of China.
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions, abbreviations
3.1 Terms and definitions
3.1.1 dictionary attack
3.1.2 file integrity checking
3.1.3 network sniffer
3.1.4 rule set
3.1.5 target of testing and evaluation
3.2 Abbreviations
4 General
4.1 Technical classification
4.2 Selection of technology
5 Requirements for classified testing and evaluation
5.1 Check technology
5.1.1 File check
5.1.2 Log check
5.1.3 Rule set check
5.1.4 Configuration check
5.1.5 File integrity check
5.1.6 Cipher check
5.2 Identification and analysis technologies
5.2.1 Network sniffer
5.2.2 Network port and service identification
5.2.3 Vulnerability scanning
5.2.4 Wireless scanning
5.3 Vulnerability verification technology
5.3.1 Password crack
5.3.2 Penetration test
5.3.3 Remote access test
Annex A (informative) Activities after testing and evaluation
Annex B (informative) Description of relevant concepts of penetration test
Bibliography
Information security technology - Testing and evaluation
technical guide for classified cybersecurity protection
1 Scope
This Standard classifies and defines the testing and evaluation technologies used in testing and evaluation for classified cybersecurity protection (hereinafter "classified testing and evaluation"). It sets out the key elements and principles of technical testing and evaluation and makes recommendations for the analysis and application of testing and evaluation results.
This Standard applies to classified testing and evaluation performed by a testing and evaluation authority on a classified cybersecurity protection target (hereinafter "classified protection target"). It also applies to security evaluation of classified security protection performed on a classified protection target by its supervising department or by the organization that operates and uses it.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB 17859-1999, Classified criteria for security protection of computer
information system
GB/T 25069-2010, Information security technology - Glossary
3 Terms and definitions, abbreviations
3.1 Terms and definitions
The terms and definitions given in GB 17859-1999 and GB/T 25069-2010 and the following apply to this document.
3.1.1 dictionary attack
attack in which, when cracking a password, the words or phrases in a user-defined dictionary are tried one by one
4 General
4.1 Technical classification
The testing and evaluation technologies that can be used in classified testing and evaluation fall into the following three categories:
a) check technologies: testing and evaluation technologies that examine the information system, compare it against institutional documents, equipment and devices, and discover security weaknesses in the related procedures and policies. They are usually performed manually and mainly comprise file check, log check, rule set check, system configuration check, file integrity check and cipher check;
b) identification and analysis technologies: testing and evaluation technologies that identify systems, ports, services and potential security vulnerabilities. They can be performed manually or with automated tools and mainly comprise network sniffing, network port and service identification, vulnerability scanning and wireless scanning;
c) vulnerability verification technologies: testing and evaluation technologies that verify whether a vulnerability actually exists. Based on the results of checks and of target identification and analysis, they are carried out deliberately and selectively, manually or with automated tools, and mainly comprise password cracking, penetration testing and remote access testing; they verify and confirm suspected security vulnerabilities in order to obtain evidence.
4.2 Selection of technology
When selecting the technical methods to be used in classified testing and evaluation activities, the factors to be considered include, but are not limited to, the target of testing and evaluation, the applicability of each testing and evaluation technology, and the security risk that the technology might introduce to the target, so that a suitable method is chosen.
When the selected method might affect the target of testing and evaluation during implementation, priority shall be given to testing a non-production system that has the same configuration as the target's production system. Otherwise, test outside business hours, or test during business hours only with methods whose risk can be controlled, so as to minimize the impact on the target's business.
The results obtained after technical testing and evaluation can be used for threat analysis, improvement suggestions and report generation for the target of testing and evaluation. See Annex A for details.
a) authentication server or system logs, including successful and failed authentication attempts;
b) operating system logs, including system and service start-up and shutdown, installation of unauthorized software, file access, security policy changes, account changes (such as account creation and deletion and assignment of account rights) and use of privileges;
c) IDS/IPS logs, including malicious behaviour and inappropriate use;
d) firewall, switch and router logs, including outbound connections from compromised internal devices (such as bots, Trojans and spyware), unauthorized connection attempts and improper use;
e) application logs, including unauthorized connection attempts, account changes, use of privileges, and usage information of the application or database;
f) anti-virus logs, including virus removal and infection records, and other events such as update failures and software expiry;
g) other security logs, such as patch management logs, which shall record the services and applications that have known vulnerabilities;
h) network operating status and network security event logs, which shall be retained for no less than 6 months.
5.1.3 Rule set check
The main function of rule set check is to discover weaknesses in security controls that are based on rule sets. Check targets include access control lists and the policy sets of network equipment, security equipment, databases, operating systems and application systems. For level-three and above protection targets, the mandatory access control mechanism shall also be included. When performing rule set check, the following evaluation key elements and evaluation principles shall be considered:
a) router access control lists:
1) every rule shall be valid (for example, a rule added for a temporary need shall be removed as soon as it is no longer needed);
2) only traffic authorized by policy is allowed through; all other traffic is denied by default.
b) policy sets of access control devices:
1) a default-deny policy shall be adopted;
1) the system security officer creates security labels for subjects (such as users) and objects (such as data);
2) subjects and objects that implement the same mandatory access control security policy shall carry the same security labels;
3) the scope of label checking shall extend to all subjects and objects in the target of testing and evaluation.
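Items a)1), a)2) and b)1) can be checked mechanically once the rule set has been exported. The following Python script is an added example (not from the standard) that parses a constructed rule list in a simplified, hypothetical ACL syntax and reports three classes of invalid rule: rules whose temporary expiry date has passed, rules shadowed by an earlier rule so that they can never match, and blanket "permit any" rules, and it checks that the final rule is an explicit default deny. The syntax, addresses and dates are assumptions made for the example; real exports differ per vendor, and the address-containment logic would need the vendor's own semantics for object groups.

```python
import ipaddress
from datetime import date

# Constructed rule set in a simplified ACL syntax (hypothetical, not a real vendor format):
#   <action> <proto> <src> <dst> <dport> [expires=YYYY-MM-DD]   # comment
SAMPLE_RULES = """\
permit tcp 10.1.0.0/16 10.2.0.10 443
permit tcp 10.1.0.0/16 10.2.0.10 443                 # exact duplicate of rule 1
permit tcp any 10.2.0.20 3389 expires=2024-01-15     # temporary vendor access
permit ip any any any                                # "allow everything"
permit tcp 10.1.5.0/24 10.2.0.30 22
deny ip any any any
"""


def parse_rules(text):
    """Parse the rule text into dicts; a rule's number is its 1-based line number in the export."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, src, dst, dport, *opts = line.split()
        expires = None
        for opt in opts:
            if opt.startswith("expires="):
                expires = date.fromisoformat(opt[len("expires="):])
        rules.append(dict(n=n, action=action, proto=proto, src=src, dst=dst, dport=dport, expires=expires))
    return rules


def _net_covers(a, b):
    """True if address spec `a` matches every address that spec `b` matches."""
    if a == "any":
        return True
    if b == "any":
        return False
    return ipaddress.ip_network(a, strict=False).supernet_of(ipaddress.ip_network(b, strict=False))


def covers(earlier, later):
    """True if every packet matched by `later` is already matched by `earlier` (so `later` is unreachable)."""
    return ((earlier["proto"] == "ip" or earlier["proto"] == later["proto"])
            and _net_covers(earlier["src"], later["src"])
            and _net_covers(earlier["dst"], later["dst"])
            and (earlier["dport"] == "any" or earlier["dport"] == later["dport"]))


def check_rule_set(rules, today_iso):
    """Return findings as (rule_number, code, detail) tuples; rule 0 means the rule set as a whole."""
    today = date.fromisoformat(today_iso)
    findings = []
    for i, rule in enumerate(rules):
        # a)1) every rule shall be valid: expired temporary rules and unreachable rules are not
        if rule["expires"] and rule["expires"] < today:
            findings.append((rule["n"], "expired_temporary_rule", rule["expires"].isoformat()))
        for earlier in rules[:i]:
            if covers(earlier, rule):
                findings.append((rule["n"], "shadowed_by_rule", earlier["n"]))
                break
        # a)2) only policy-authorized traffic passes: a blanket permit authorizes nothing specific
        if rule["action"] == "permit" and (rule["src"], rule["dst"], rule["dport"]) == ("any", "any", "any"):
            findings.append((rule["n"], "permit_any_any", ""))
    # b)1) default prohibition: the last rule must deny everything not matched above it
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny"
            and covers(last, dict(proto="ip", src="any", dst="any", dport="any"))):
        findings.append((0, "no_default_deny", ""))
    return findings


if __name__ == "__main__":
    for finding in check_rule_set(parse_rules(SAMPLE_RULES), "2024-03-01"):
        print(finding)
```

Note that a shadowed rule is a finding regardless of whether the shadowing rule permits or denies: in the sample, the final `deny ip any any any` is present but unreachable because rule 4 already matches everything, so the device satisfies b)1) on paper only. Checking the last rule and checking shadowing are therefore both needed to confirm default prohibition.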
5.1.5 File integrity check
The main function of file integrity check is to identify unauthorized changes to important files such as system files. When performing file integrity check, the following evaluation key elements shall be considered:
a) use hashes or digital signatures to protect the integrity of important files;
b) compare important files against a baseline sample to verify their integrity;
c) use a host-based IDS to raise alerts on integrity changes to important files.
5.1.6 Cipher check
The main function of cipher check is to perform a security check of the cryptographic technology used in the target of testing and evaluation or in a product. When performing cipher check, the following evaluation principles shall be considered:
a) the functions of the cryptographic algorithms provided shall comply with the relevant provisions of the national cryptographic authority;
b) the key lengths used shall comply with the relevant provisions of the supervising department for the industry of the classified protection target.
5.2 Identification and analysis technologies
5.2.1 Network sniffer
The main function of network sniffing is, by capturing and replaying network traffic, to collect and identify the active devices, operating systems and protocols on the network, and unauthorized or inappropriate behaviour. When performing network sniffing, the following evaluation key elements and evaluation principles shall be considered:
a) monitor network traffic, record the IP addresses of active hosts and report the operating system information found on the network;
b) identify connections between hosts, including which hosts communicate
performing vulnerability scanning, the following evaluation key elements and evaluation principles shall be considered:
a) identify the information related to each vulnerability, including its name, type, description, risk level and remediation suggestion;
b) combine tool identification with manual analysis and correlate the vulnerabilities found, so as to judge their risk level accurately;
c) before performing vulnerability scanning, update the scanning device to the latest vulnerability library so that the latest vulnerabilities can be identified;
d) according to the vulnerability analysis principles of the scanning tool (such as signature matching or attack detection), choose the scanning policy carefully so as to prevent failure of the target of testing and evaluation;
e) when using a vulnerability scanning device, restrict the number of scanning threads and the traffic generated, so as to reduce the risk that testing and evaluation poses to the target.
5.2.4 Wireless scanning
The main function of wireless scanning is to identify the situations in the testing environment where one or more devices communicate without a physical connection (such as a network cable or peripheral cable), and to help the organization assess and analyse the security risks that wireless technology poses to the scanning target. When performing wireless scanning, the following evaluation key elements and evaluation principles shall be considered:
a) identify the key attributes of wireless devices from wireless traffic, including SSID, device type, channel, MAC address, signal strength and number of packets transmitted;
b) environmental factors for the deployment location of the wireless scanning device include: the location and range of the scanned devices, the security protection level of the target of testing and evaluation that transmits data over wireless technology, the importance of the data, the connection and disconnection frequency of the wireless devices, and the traffic volume in the scanning environment;
c) use a mobile device configured with wireless analysis software, such as a laptop, handheld or dedicated device;
d) based on the wireless security configuration requirements, configure the scanning policy of the wireless scanning tool so as to realize difference
1) System/service vulnerabilities. Security vulnerabilities that arise because the operating system, database or middleware that provides services or support to the application system has flaws, such as buffer overflow, heap/stack overflow or memory leak. They may cause the program to fail or the system to go down or restart; more seriously, they can allow the program to execute unauthorized commands or even gain system privileges to carry out illegal operations.
2) Application code vulnerabilities. Because the developer's code is not written to standard or lacks necessary validation, the application system has security vulnerabilities such as SQL injection, cross-site scripting and arbitrary file upload. Attackers can exploit these to attack the application system and obtain sensitive information from the database or, more seriously, take control of the server.
3) Permission bypass vulnerabilities. Because the access control rules for data or function modules are lax or missing, attackers can access those data and function modules without authorization. Permission bypass vulnerabilities are usually divided into override access (vertical) and parallel permission (horizontal). Override access means a low-privilege user accesses the function modules or data of a high-privilege user without authorization. Parallel permission means an attacker uses a function module within his own privilege to access or operate on another user's data without authorization.
4) Improper configuration vulnerabilities. Because the configuration file has not been security-hardened, the default configuration is used, or the configuration is unreasonable, security risk results. If the middleware configuration supports the PUT method, an attacker may use PUT to upload Troj...
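Item 3) distinguishes the two forms of permission bypass but does not show what the missing check looks like in code. As an added example (not part of the standard or of any real application), the following Python module places a vulnerable handler beside its hardened form for each case: a parallel-permission (horizontal) bypass where an order lookup trusts the identifier in the request, and an override (vertical) bypass where the admin check is driven by a client-supplied flag. The users, orders and role names are constructed for the example.

```python
# Constructed server-side records (hypothetical; not from any real application).
USERS = {
    "alice": {"role": "user"},
    "bob": {"role": "user"},
    "carol": {"role": "admin"},
}
ORDERS = {
    1001: {"owner": "alice", "total": 42.0},
    1002: {"owner": "bob", "total": 99.0},
}


# --- Parallel permission (horizontal): same function module, another user's data -------------

def get_order_vulnerable(session_user, order_id):
    """Vulnerable: the order is fetched by the client-supplied id and the session identity is ignored,
    so bob can read alice's order by changing 1002 to 1001 in the request."""
    return ORDERS[order_id]


def get_order_hardened(session_user, order_id):
    """Hardened: the owner is read from the server-side record and compared with the session identity.
    Missing and foreign orders get the same error so the id space cannot be enumerated."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != session_user:
        raise PermissionError("order not found")
    return order


# --- Override access (vertical): low-privilege user reaching a high-privilege function ------

def delete_user_vulnerable(session_user, target, is_admin_claim):
    """Vulnerable: the privilege decision rests on a flag the client sends (a form field, cookie or
    JWT claim the server never verifies), so any user can pass is_admin_claim=True."""
    if not is_admin_claim:
        raise PermissionError("admin only")
    return target in USERS


def delete_user_hardened(session_user, target):
    """Hardened: the role is looked up from the server-side user record of the authenticated session."""
    if USERS.get(session_user, {}).get("role") != "admin":
        raise PermissionError("admin only")
    return target in USERS


def allowed(handler, *args):
    """Evaluation helper: True if the handler serves the request, False if it refuses with PermissionError."""
    try:
        handler(*args)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # Test matrix an evaluator would run: the second request in each pair must be refused.
    print("bob reads alice's order, vulnerable:", allowed(get_order_vulnerable, "bob", 1001))
    print("bob reads alice's order, hardened:  ", allowed(get_order_hardened, "bob", 1001))
    print("bob deletes alice, forged flag:     ", allowed(delete_user_vulnerable, "bob", "alice", True))
    print("bob deletes alice, hardened:        ", allowed(delete_user_hardened, "bob", "alice"))
```

During a penetration test the horizontal case is found by replaying a legitimate request with another user's identifier, and the vertical case by replaying an admin request under a low-privilege session; both require two accounts, which is why a test plan for this vulnerability class asks the target owner for accounts at each privilege level.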