基线安全检查_网络安全检查表_V3.3.xls

A complete security baseline consists of the minimum requirements that must be met in three areas: security vulnerabilities present in the system, weaknesses in the system's configuration, and monitoring of the system's state. Through a security compliance management mechanism, the baseline judges whether the user's application environment meets the standard, providing the most basic security assurance an information system needs.
1. Security vulnerabilities: vulnerabilities are security risks that normally stem from defects in the system itself, such as its software or protocols, for example system login vulnerabilities, denial-of-service vulnerabilities, buffer overflows, information leakage, worms and backdoors, and malicious code execution; they reflect the system's own security weaknesses.
2. Security configuration: configuration risks are usually the result of human oversight and mainly concern configuration requirements for accounts, passwords, authorization, logging, IP protocols and the like; improper configuration leaves the system exposed to security risk.
3. System state: this covers changes in the system's port state, processes, accounts, services and important files. This information reflects the dynamic security situation of the environment the system currently runs in; hidden risks here threaten the system's operational security.

基线安全检查_数据库安全检查表_V3.3.xls

A complete security baseline consists of the minimum requirements that must be met in three areas: security vulnerabilities present in the system, weaknesses in the system's configuration, and monitoring of the system's state. Through a security compliance management mechanism, the baseline judges whether the user's application environment meets the standard, providing the most basic security assurance an information system needs.
1. Security vulnerabilities: vulnerabilities are security risks that normally stem from defects in the system itself, such as its software or protocols, for example system login vulnerabilities, denial-of-service vulnerabilities, buffer overflows, information leakage, worms and backdoors, and malicious code execution; they reflect the system's own security weaknesses.
2. Security configuration: configuration risks are usually the result of human oversight and mainly concern configuration requirements for accounts, passwords, authorization, logging, IP protocols and the like; improper configuration leaves the system exposed to security risk.
3. System state: this covers changes in the system's port state, processes, accounts, services and important files. This information reflects the dynamic security situation of the environment the system currently runs in; hidden risks here threaten the system's operational security.

phpCMS阿里漏洞.doc

phpCMS patch for the vulnerabilities reported by Alibaba (Aliyun)

dedeCMS阿里漏洞.doc

DeDeCMS patch for the vulnerabilities reported by Alibaba (Aliyun)

5G Security Report (2020)

This report was jointly compiled by the China Academy of Information and Communications Technology (CAICT) and the IMT-2020 (5G) Promotion Group, the domestic professional research bodies in the 5G field, drawing on their earlier work and recent surveys. It systematically reviews the security risks of key 5G technologies, typical application scenarios and the industry ecosystem, proposes security principles and response measures, and sets out an outlook and proposals for strengthening mutual trust and cooperation among all parties so as to better advance 5G development and security.

Ransomware Emergency Response Handbook

Ransomware spreads mainly through email, trojanized programs and compromised web pages. It uses various asymmetric encryption algorithms to encrypt files; the victim generally cannot decrypt them, and recovery is only possible with the private decryption key. Ransomware is malicious by nature and extremely harmful; once infected, users suffer incalculable losses. Chapter 1 of this handbook details how to determine whether a host has been infected with ransomware and whether files have been encrypted. Chapter 2 details how to respond, with both basic and advanced measures, when a host is at different stages of infection. Chapter 3 describes five ways of handling an already-encrypted system: where important files must be recovered, try backup restoration, decryption, data recovery and paid decryption in turn; for low-value files the system can simply be reinstalled, followed by host hardening. Chapter 4 details recommendations for ransomware prevention, including five basic measures and the use of Endpoint Detection and Response (EDR) products. By applying this handbook and responding promptly at each stage, losses can be avoided or reduced as far as possible.

EN50129-2018新版的标准.zip

The new EN 50129:2018 standard, well worth having. Download it now.

GBT 37988-2019《信息安全技术 数据安全能力成熟度模型》.docx

GB/T 37988-2019, Information Security Technology - Data Security Capability Maturity Model (draft for approval). This standard was drafted in accordance with the rules given in GB/T 1.1-2009, Directives for Standardization - Part 1: Structure and Drafting of Standards. Please note that some content of this document may be subject to patents; the issuing body of this document accepts no responsibility for identifying such patents. This standard was proposed by, and is under the jurisdiction of, the National Information Security Standardization Technical Committee (SAC/TC 260).

IP-Guard打印水印和屏幕水印功能培训.pptx

IP-Guard print watermark and screen watermark feature training

G9SP安全控制器软件简易手册.pdf

OMRON G9SP safety controller software quick manual. Introduces and demonstrates the basic operation of the OMRON safety PLC. A suitable reference for those just getting started with it.

Nisp一级考试知识点.rar

These are the knowledge points from the NISP Level 1 exam videos. NISP, the National Information Security Test Program, is a program implemented by the China Information Technology Security Evaluation Center to cultivate national cyberspace security talent. It is operated and managed by the National Cyberspace Security Talent Training Base, which has authorized 网安世纪科技有限公司 (Wangan Shiji Technology Co., Ltd.) as the dedicated NISP certificate management center.

NIST SP800-60 Vol2 Rev1.pdf

Title III of the E-Government Act (Public Law 107-347), titled the Federal Information Security Management Act (FISMA), tasked the National Institute of Standards and Technology (NIST) to develop:
• Standards to be used by all Federal agencies to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels;
• Guidelines recommending the types of information and information systems to be included in each such category; and
• Minimum information security requirements (i.e., management, operational, and technical security controls), for information and information systems in each such category.
In response to the second of these tasks, this guideline has been developed to assist Federal government agencies to categorize information and information systems. The guideline's objective is to facilitate provision of appropriate levels of information security according to a range of levels of impact or consequences that might result from the unauthorized disclosure, modification, or loss of availability of the information or information system. This guideline assumes that the user is familiar with Standards for Security Categorization of Federal Information and Information Systems (FIPS 199). The guideline and its appendices:
• Review the security categorization terms and definitions established by FIPS 199;
• Recommend a security categorization process;
• Describe a methodology for identifying types of Federal information and information systems;
• Suggest provisional security impact levels for common information types;
• Discuss information attributes that may result in variances from the provisional security impact level assignment; and
• Describe how to establish a system security categorization based on the system's use, connectivity, and aggregate information content.
This document is intended as a reference resource rather than as a tutorial. Not all of the material will be relevant to all agencies. This document includes two volumes, a basic guideline and a volume of appendices. Users should review the guidelines provided in Volume I, then refer to only that specific material from the appendices that applies to their own systems and applications. The provisional security impact level assignments contained in appendices C and D are only the first step in impact assignment and subsequent risk assessment processes. The impact assignments are not intended to be used by auditors as a definitive checklist for information types and impact assignments.

NIST SP800-60 Vol1 Rev1.pdf

Title III of the E-Government Act (Public Law 107-347), titled the Federal Information Security Management Act (FISMA), tasked the National Institute of Standards and Technology (NIST) to develop:
• Standards to be used by all Federal agencies to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels;
• Guidelines recommending the types of information and information systems to be included in each such category; and
• Minimum information security requirements (i.e., management, operational, and technical security controls), for information and information systems in each such category.
In response to the second of these tasks, this guideline has been developed to assist Federal government agencies to categorize information and information systems. The guideline's objective is to facilitate application of appropriate levels of information security according to a range of levels of impact or consequences that might result from the unauthorized disclosure, modification, or use of the information or information system. This guideline assumes that the user is familiar with Standards for Security Categorization of Federal Information and Information Systems (Federal Information Processing Standard [FIPS] 199). The guideline and its appendices:
• Review the security categorization terms and definitions established by FIPS 199;
• Recommend a security categorization process;
• Describe a methodology for identifying types of Federal information and information systems;
• Suggest provisional security impact levels for common information types;
• Discuss information attributes that may result in variances from the provisional impact level assignment; and
• Describe how to establish a system security categorization based on the system's use, connectivity, and aggregate information content.
This document is intended as a reference resource rather than as a tutorial, and not all of the material will be relevant to all agencies. This document includes two volumes, a basic guideline and a volume of appendices. Users should review the guidelines provided in Volume I, then refer to only that specific material from the appendices that applies to their own systems and applications. The provisional impact assignments are provided in Volume II, Appendices C and D.

NIST SP800-59.pdf

This document provides guidelines developed in conjunction with the Department of Defense, including the National Security Agency, for identifying an information system as a national security system. The basis for these guidelines is the Federal Information Security Management Act of 2002 (FISMA, Title III, Public Law 107-347, December 17, 2002), which provides government-wide requirements for information security, superseding the Government Information Security Reform Act and the Computer Security Act. FISMA both provides a framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets and provides for the maintenance of minimum controls required to protect Federal information and information systems. Federal agencies are responsible for providing information security protection of information collected or maintained by or on behalf of the agency and information systems used or operated by or on behalf of the agency. The head of each Federal agency is also responsible for (1) assessing the risk and magnitude of the harm that could result from unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems that support operations or assets under their control; (2) determining the levels of information security appropriate to protect such information and information systems; (3) implementing policies and procedures to cost-effectively reduce risks to an acceptable level; and (4) periodically testing and evaluating information security controls and techniques to ensure that they are effectively implemented. Except for national security systems as defined by FISMA, the Secretary of Commerce is responsible for prescribing standards and guidelines pertaining to Federal information systems on the basis of standards and guidelines developed by NIST. 
The Committee on National Security Systems (CNSS), along with Federal agencies that operate systems falling within the definition of national security systems, provides security standards and guidance for national security systems. In addition to defining the term national security system, FISMA amended the NIST Act, at 15 U.S.C. 278g-3(b)(3), to require NIST to provide guidelines for identifying an information system as a national security system. As stated in the House Committee report, "This guidance is not to govern such systems, but rather to ensure that agencies receive consistent guidance on the identification of systems that should be governed by national security system requirements." Report of the Committee on Government Reform, U.S. House of Representatives, Report 107-787, November 14, 2002, p. 85.

NIST SP800-57Pt3r1.pdf

Application-Specific Key Management Guidance, Part 3 of the Recommendation for Key Management, is intended primarily to help system administrators and system installers adequately secure applications based on product availability and organizational needs and to support organizational decisions about future procurements. This document also provides information for end users regarding application options left under their control in normal use of the application. Recommendations are given for a select set of applications, namely:
Section 2 – Public Key Infrastructures (PKI)
Section 3 – Internet Protocol Security (IPsec)
Section 4 – Transport Layer Security (TLS)
Section 5 – Secure/Multipurpose Internet Mail Extensions (S/MIME)
Section 6 – Kerberos
Section 7 – Over-the-Air Rekeying of Digital Radios (OTAR)
Section 8 – Domain Name System Security Extensions (DNSSEC)
Section 9 – Encrypted File Systems (EFS)
Section 10 – Secure Shell (SSH)
The following is provided for each topic:
• A brief description of the system under discussion that is intended to provide context for the security guidance,
• Recommended algorithm suites and key sizes and associated security and compliance issues,
• Recommendations concerning the use of the mechanism in its current form for the protection of Federal Government information,
• Security considerations that may affect the security effectiveness of key management processes,
• General recommendations for purchase decision makers, system installers, system administrators and end users.
Following Section 10 are five appendices with a glossary, an explanation of acronyms, basic information for novice and end users on obtaining and using keys, references for documents cited herein, and changes incorporated into this revision. This document does not reflect a comprehensive view of current products and technical specifications. Future versions of this document will include updates to the topics covered, and may include additional subjects as new techniques are widely implemented.

NIST SP800-57pt2r1.pdf

Cryptographic mechanisms are often used to protect the integrity and confidentiality of data that is sensitive, has a high value, or is vulnerable to unauthorized disclosure or undetected modification during transmission or while in storage. A cryptographic mechanism relies upon two basic components: an algorithm (or cryptographic methodology) and a variable cryptographic key. The algorithm and key are used together to apply cryptographic protection to data (e.g., to encrypt the data or to generate a digital signature) and to remove or check the protection (e.g., to decrypt the encrypted data or to verify a digital signature). This is analogous to a physical safe that can be opened only with the correct combination. Two types of cryptographic algorithms are in common use today: symmetric key algorithms and asymmetric key algorithms. Symmetric key algorithms (sometimes called secret key algorithms) use a single key to both apply cryptographic protection and to remove or check the protection. Asymmetric key algorithms (often called public key algorithms) use a pair of keys (i.e., a key pair): a public key and a private key that are mathematically related to each other. In the case of symmetric key algorithms, the single key must be kept secret from everyone and everything not specifically authorized to access the information being protected. In asymmetric key cryptography, only one key in the key pair, the private key, must be kept secret; the other key can be made public. Symmetric key cryptography is most often used to protect the confidentiality of information or to authenticate the integrity of that information. Asymmetric key cryptography is commonly used to protect the integrity and authenticity of information and to establish symmetric keys. 
Given differences in the nature of symmetric and asymmetric key cryptography and of the requirements of different security applications of cryptography, specific key management requirements and methods necessarily vary from application to application. Regardless of the algorithm or application, if cryptography is to deliver confidentiality, integrity, or authenticity, users and systems need to have assurance that the key is authentic, that it belongs to the entity with whom or which it is asserted to be associated, and that it has not been accessed by an unauthorized third party. SP 800-57, Recommendation for Key Management (hereafter referred to as SP 800-57 or the Recommendation), provides guidelines and best practices for achieving this necessary assurance. SP 800-57 consists of three parts. This publication is Part 2 of the Recommendation (i.e., SP 800-57 Part 2 – Best Practices for Key Management Organizations) and is intended primarily to address the needs of U.S. government system owners and managers who are setting up or acquiring cryptographic key management capabilities. Parts 1 and 3 of SP 800-57 focus on cryptographic key management mechanisms. SP 800-57 Part 1, General, (hereafter referred to as Part 1) contains basic key management guidance intended to advise users, developers and system managers; and SP 800-57 Part 3, Application-Specific Key Management Guidance, (hereafter referred to as Part 3) is intended to address specific key management issues associated with currently available implementations. SP 800-57 has been developed by and for the U.S. Federal Government. Non-governmental organizations may voluntarily choose to follow the practices provided herein.

NIST SP800-57pt1r4.pdf

The use of cryptographic mechanisms is one of the strongest ways to provide security services for electronic applications and protocols and for data storage. The National Institute of Standards and Technology (NIST) publishes Federal Information Processing Standards (FIPS) and NIST Recommendations (which are published as Special Publications) that specify cryptographic techniques for protecting sensitive, unclassified information. Since NIST published the Data Encryption Standard (DES) in 1977, the suite of approved standardized algorithms has been growing. New classes of algorithms have been added, such as secure hash functions and asymmetric key algorithms for digital signatures. The suite of algorithms now provides different levels of cryptographic strength through a variety of key sizes. The algorithms may be combined in many ways to support increasingly complex protocols and applications. This NIST Recommendation applies to U.S. government agencies using cryptography for the protection of their sensitive, unclassified information. This Recommendation may also be followed, on a voluntary basis, by other organizations that want to implement sound security principles in their computer systems. The proper management of cryptographic keys is essential to the effective use of cryptography for security. Keys are analogous to the combination of a safe. If an adversary knows the combination, the strongest safe provides no security against penetration. Similarly, poor key management may easily compromise strong algorithms. Ultimately, the security of information protected by cryptography directly depends on the strength of the keys, the effectiveness of the mechanisms and protocols associated with the keys, and the protection afforded the keys. Cryptography can be rendered ineffective by the use of weak products, inappropriate algorithm pairing, poor physical security, and the use of weak protocols. 
All keys need to be protected against unauthorized substitution and modification. Secret and private keys need to be protected against unauthorized disclosure. Key management provides the foundation for the secure generation, storage, distribution, and destruction of keys.

NIST SP800-56C.pdf

Introduction
During an execution of some of the public-key-based key establishment schemes specified in NIST Special Publications 800-56A [1] and 800-56B [2], a key derivation method is used to obtain secret cryptographic keying material. This Recommendation specifies an alternative key derivation method to be used in a key establishment scheme specified in 800-56A and 800-56B.
2. Scope and Purpose
This Recommendation specifies a two-step key derivation procedure, as one of the approved key derivation methods, that employs an extraction-then-expansion technique for deriving keying material from a shared secret generated during a key establishment scheme specified in [1] or [2]. Several application-specific key derivation functions that use approved variants of this extraction-then-expansion procedure are described in NIST Special Publication 800-135 [5]. The key derivation procedure specified in this Recommendation consists of two steps: 1) randomness extraction (to obtain a single key derivation key) and 2) key expansion (to derive keying material with a desired length from the key derivation key). Since NIST Special Publication 800-108 [4] specifies several families of key derivation functions that are approved for deriving additional keying material from a given cryptographic key derivation key, those functions are employed in the second (key expansion) step of the procedure.

NIST SP800-56Br2.pdf

Many U.S. Government Information Technology (IT) systems need to employ strong cryptographic schemes to protect the integrity and confidentiality of the data that they process. Algorithms such as the Advanced Encryption Standard (AES), as defined in Federal Information Processing Standard (FIPS) 197, and HMAC, as defined in FIPS 198, make attractive choices for the provision of these services. These algorithms have been standardized to facilitate interoperability between systems. However, the use of these algorithms requires the establishment of secret keying material that is shared in advance. Trusted couriers may manually distribute this secret keying material, but as the number of entities using a system grows, the work involved in the distribution of the secret keying material grows rapidly. Therefore, it is essential to support the cryptographic algorithms used in modern U.S. Government applications with automated key-establishment schemes. This Recommendation provides the specifications of key-establishment schemes that are appropriate for use by the U.S. Federal Government, based on a standard that was developed by the Accredited Standards Committee (ASC) X9, Inc.: ANS X9.44. A key-establishment scheme can be characterized as either a key-agreement scheme or a key-transport scheme. This Recommendation provides key-agreement and key-transport schemes that are based on the Rivest Shamir Adleman (RSA) asymmetric-key algorithm.

NIST SP800-56Ar3.pdf

Many U.S. Government Information Technology (IT) systems need to employ well-established cryptographic schemes to protect the integrity and confidentiality of the data that they process. Algorithms such as the Advanced Encryption Standard (AES) as defined in Federal Information Processing Standard (FIPS) 197, and the Keyed-Hash Message Authentication Code (HMAC) as defined in FIPS 198, make attractive choices for the provision of these services. These algorithms have been standardized to facilitate interoperability between systems. However, the use of these algorithms requires the establishment of keying material between the participating entities in advance. Trusted couriers may manually distribute this secret keying material. However, as the number of entities using a system grows, the work involved in the distribution of the secret keying material could grow rapidly. Therefore, it is essential to support the cryptographic algorithms used in modern U.S. Government applications with automated key-establishment schemes. A key-establishment scheme can be characterized as either a key-agreement scheme or a key-transport scheme. The asymmetric-key-based key-agreement schemes in this Recommendation are based on the Diffie-Hellman (DH) and Menezes-Qu-Vanstone (MQV) algorithms. Asymmetric-key-based key-establishment schemes using Integer Factorization Cryptography are specified in SP 800-56B. The selection of schemes specified in this Recommendation is based on standards for key-establishment schemes developed by the Accredited Standards Committee (ASC) X9, Inc.: ANS X9.42, Agreement of Symmetric Keys using Discrete Logarithm Cryptography, and ANS X9.63, Key Agreement and Key Transport using Elliptic Curve Cryptography.