
Winter Edition

21 November 2014

MEMORY FORENSIC
What can we find by investigating the information held in RAM?

CISSP - A different perspective
The perspective of someone who has just passed the CISSP exam
A good article you should not miss

PCI DSS
How do you implement the PCI DSS standard successfully?

DEFENSE IN DEPTH
Layered defence: how to approach and apply it?

cissp.attt@gmail.com

http://fb.com/group/cissp.attt

Contents

[03] Open letter - TRAN NGOC MINH
[04] Access Control - LUONG TRUNG THANH
[09] Memory Forensic - LE CONG PHU
[12] CISSP - A different perspective - SU TAM NGUYEN
[14] Separation of Duties - TRAN NGOC MINH
[17] Security Architecture & Design - TRAN CHI CAN
[22] Overview of the PCI DSS standard - PHAN CANH NHAT
[24] Defense in depth - VI MINH TOAI
[26] Certification and Accreditation - LE NGUYEN VINH PHU

Advisory board

NGUYEN TRUNG LUAN - CISSP, CISA - Mi2 JSC.
TRAN NGOC MINH - CISSP - Sacombank
DANG XUAN QUY - CISSP - SGBank
LUONG TRUNG THANH - CISA

Winter Edition
02

Open letter

Dear readers,

The fourth quarter of every year is always a busy time for everyone, and perhaps that is why the winter edition was postponed twice. However, with a great deal of "political will", everything came together, and we respectfully send you the second issue (the winter edition).

In this issue, Su Tam Nguyen, one of Vietnam's newest CISSPs, shares a different perspective on CISSP. Frankly, while reading this article I immediately pictured Mr Nguyen holding the (Olympic) torch and passing it on to the athletes in the cohorts right behind him.

By coincidence, the winter edition will bring readers the lip-cracking, bleeding cold of a Hanoi winter through Le Cong Phu's deeply technical article on digital forensics (via memory). A quick survey shows that experts agree the field of high-tech crime investigation will grow very quickly and that the market will be very lively in the coming period. So those of you pursuing this field can rest assured about the road you are on.

Another Phu (Le Nguyen Vinh Phu, Saigon) makes his first appearance before readers with the very tough topic of Certification and Accreditation. In fact, we run into this a great deal in our work, yet it is still seen as a hard problem. Mr Phu's article will help us answer it and gradually untangle the knots.

The market has recently been very lively around PCI-DSS. It is regarded as a mandatory standard for certain organisations and businesses. PCI-DSS will get even hotter when Phan Canh Nhat shares an overview and his hands-on deployment experience. I predict that leaders of (affected) businesses that have not yet implemented the standard will want to talk to Mr Nhat right after reading the article, because it is highly persuasive.

A member of the group since its founding days, Vi Minh Toai has only now, with this issue, released his article on defence in depth. I believe readers are no strangers to this concept, but do not skip it: in the article Mr Toai will show us that we may well understand it in different ways. Very interesting!

Dear readers,

Although the main theme of this issue is Access Control (with Luong Trung Thanh as host), in practice the Architecture/Design domain has completely taken over the winter edition with a series of articles by Mr Phu (Hanoi), Mr Phu (Saigon) and Mr Chi Can (the Security Architecture and Design article).

A few days ago, a member of the Skype group posted a recruitment notice for Chief Information Security Officer at a large (Vietnamese) bank. In it, the bank required candidates to be able to handle personnel-related security. Luckily, I had previously written at some length on this topic, and that is how I earned a spot in the winter edition.

I hope the magazine brings you useful information.

Respectfully,
TRAN NGOC MINH

ACCESS CONTROL

The main concern of Access Control is the relationship between the subject (usually a user) and the object (usually a resource of the organisation or business); control means establishing the corresponding actions that govern the "behaviour" of these two parties. In 5W1H terms: WHAT is the object, WHO is the subject, WHY is the reason, namely the wish to control and protect resources and to avoid impacts on the organisation or business, and HOW is the set of actions that control that behaviour.

The value of an object depends on the value of the information or data (content) it holds; it may be a file containing important information (business plans, investment plans, ...) or an important programme, application or process (ATM card processing in a bank, for example).

A subject is usually "controlled" through a number of attributes and privileges that determine its access rights; the result returned to the subject is either grant or deny. The attributes may include one or more descriptors such as department, time, environment, ...; these attributes are used to determine the context of the access.

Approaches to access control

With the goal of protecting assets and resources that are valuable to the company, a number of methods have been put into practice, each with a different approach:
- MAC: usually based on the importance of the object, i.e. the value of its information content, and requires the accessing party to hold a corresponding level (clearance) in order to reach the content; the content may be available in full or only in part depending on the requester's level, the term usually used being need-to-know. MAC favours the confidentiality of information and is applied in military environments more than in business environments.
- DAC: based on the principle that the owner (the creator of the object) has full authority to set up access control and can assign these rights to other parties if desired. With DAC, administration becomes harder, and it suits only small environments, also because users must have a certain awareness of the value of the information.

MAC and DAC apply control per person and per value of the information involved. These are the two approaches that were commonly used in the early stages of access control.

- RBAC (Role based access control): based on the principle of assigning permissions according to the job (role), usually applied to a group of people rather than to specific subjects; this is very effective in large environments. The key principle of RBAC is to grant just enough rights for users to perform the tasks their job requires, the term usually used being least privilege.
- ABAC (Attribute based access control): a form of access control that extends RBAC by adding the context (usually time, location, device) needed to determine a party's access rights. ABAC is often seen in web-based enterprise management applications such as SharePoint, and is offered in Windows 2012 under the name Dynamic Access Control (DAC).

RBAC and ABAC are widely used in business environments because they are more flexible and easier to control than the DAC or MAC models.

Recommendation: depending on their purpose and circumstances, vendors and distributors ship black-list or white-list style controls; however, the general principle of information security is to use a white-list, i.e. allow only what is known and deny access to everything else.

Rule based access control:
This is also a form of access control, though it is rarely mentioned within the CISSP curriculum. Rules are statements in if-then form, commonly used to set up policies of behaviour and typically applied on dedicated devices such as firewalls, IDS and IPS. The most important point when using rule based access control is to set it up either as a white-list, which allows only what has been defined and denies everything else (default deny all), or as a black-list, which forbids what has been defined and allows everything else (default allow all).
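To make the differences between the approaches above concrete, here is an added example (not from the article or its author): a small policy engine that evaluates MAC, DAC, RBAC, ABAC and rule based decisions on constructed sample subjects, objects and packets. Every function defaults to deny, the white-list principle the article recommends. All names, levels, roles, attributes and the firewall rules are invented for the example.

```python
"""Added example, not from the article: one small policy engine that evaluates
each access-control approach the article describes (MAC, DAC, RBAC, ABAC and
rule based) on constructed sample data. Every decision defaults to deny."""
from dataclasses import dataclass, field

LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

@dataclass
class Subject:
    name: str
    clearance: str = "public"
    compartments: set = field(default_factory=set)   # need-to-know topics
    roles: set = field(default_factory=set)
    attrs: dict = field(default_factory=dict)        # ABAC context: hour, location, device

@dataclass
class Object:
    name: str
    classification: str = "public"
    compartments: set = field(default_factory=set)
    owner: str = ""
    acl: dict = field(default_factory=dict)          # DAC: grantee -> set of actions

# RBAC: role -> set of (object, action) the role may perform (constructed)
ROLE_PERMISSIONS = {
    "teller": {("atm_processing", "read")},
    "admin": {("atm_processing", "read"), ("atm_processing", "write")},
}

def mac_allows(s: Subject, o: Object) -> bool:
    """MAC: clearance must be at least the classification, and the subject must
    hold every compartment of the object (need-to-know)."""
    return (LEVELS[s.clearance] >= LEVELS[o.classification]
            and o.compartments <= s.compartments)

def dac_allows(s: Subject, o: Object, action: str) -> bool:
    """DAC: the owner has every right; everyone else only what the owner granted."""
    return s.name == o.owner or action in o.acl.get(s.name, set())

def rbac_allows(s: Subject, o: Object, action: str) -> bool:
    """RBAC: allowed if any of the subject's roles carries the permission."""
    return any((o.name, action) in ROLE_PERMISSIONS.get(r, set()) for r in s.roles)

def abac_allows(s: Subject, o: Object, action: str, context_rules: dict) -> bool:
    """ABAC: an RBAC decision narrowed by context; every attribute rule must hold.
    context_rules maps an attribute name to a predicate on its value."""
    return rbac_allows(s, o, action) and all(
        pred(s.attrs.get(attr)) for attr, pred in context_rules.items())

def rule_based(rules: list, packet: dict, default: str) -> str:
    """Rule based (firewall style): the first matching if-then rule wins. The default
    is what happens when nothing matches: 'deny' gives a white-list, 'allow' a black-list."""
    for match, verdict in rules:
        if all(packet.get(k) == v for k, v in match.items()):
            return verdict
    return default

# --- constructed sample data -------------------------------------------------
alice = Subject("alice", "confidential", {"finance"}, {"teller"},
                {"hour": 10, "location": "branch", "device": "managed"})
bob = Subject("bob", "internal", set(), {"admin"},
              {"hour": 23, "location": "home", "device": "byod"})
carol = Subject("carol", "confidential", {"finance"})
plan = Object("business_plan", "confidential", {"finance"}, owner="carol",
              acl={"alice": {"read"}})
atm = Object("atm_processing", "internal", set(), owner="ops")
BRANCH_HOURS = {"hour": lambda h: h is not None and 8 <= h < 18,
                "location": lambda l: l == "branch",
                "device": lambda d: d == "managed"}
FIREWALL = [({"proto": "tcp", "dport": 443}, "allow"),
            ({"proto": "tcp", "dport": 23}, "deny")]

def decisions() -> dict:
    """Run every model once so the contrast between them is visible."""
    ssh = {"proto": "tcp", "dport": 22}
    return {
        "mac alice->plan": mac_allows(alice, plan),                  # True: cleared + need-to-know
        "mac bob->plan": mac_allows(bob, plan),                      # False: internal < confidential
        "dac alice read plan": dac_allows(alice, plan, "read"),      # True: owner granted read
        "dac alice write plan": dac_allows(alice, plan, "write"),    # False: never granted
        "dac carol write plan": dac_allows(carol, plan, "write"),    # True: owner
        "rbac alice write atm": rbac_allows(alice, atm, "write"),    # False: teller is read-only
        "rbac bob write atm": rbac_allows(bob, atm, "write"),        # True: admin role
        "abac bob write atm": abac_allows(bob, atm, "write", BRANCH_HOURS),   # False: wrong context
        "abac alice read atm": abac_allows(alice, atm, "read", BRANCH_HOURS), # True
        "whitelist ssh": rule_based(FIREWALL, ssh, default="deny"),  # no rule matches -> deny
        "blacklist ssh": rule_based(FIREWALL, ssh, default="allow"), # no rule matches -> allow
    }
```

The last two entries show the point of the recommendation box: the same rule set gives opposite answers for unmatched traffic depending only on the default, which is why the default should be deny.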

In practice:
The access-control methods actually applied are "hybrids" of the forms described above, including RBAC and forms of DAC. The most typical example is Facebook, so let us take a brief look at Facebook's access controls (temporarily ignoring the user-authentication step):

Users always have two main places: Home, also called the Wall, and the personal page. On these pages the user always has full control, similar to DAC:
o The user has full control over sharing his or her status with groups or categories of friends.
o Full control to hide or delete other people's statuses and comments on his or her wall if desired.
o Application groups, such as the games on Facebook, usually request permission to access and post to the wall. Almost all of them require the user's consent.

When a user joins a group (open group, closed group, ...), the group provides additional rights in the manner of RBAC:
o A user can be given administrative rights, usually called the manager or admin of the group, with certain privileges such as approving comments, deleting posts or admitting someone to the group.
o A user who has merely joined the group can only comment and read posts, but has no right to delete posts.
o Someone who has not joined can only read (open group) or cannot see the content at all (closed group).

Another widely applied form of RBAC is restricting the commands, interactions and features of an application. This form is usually applied when a business uses management programmes or systems such as ERP, SAP, CRM, ... This kind of RBAC is used as a supplementary form, granting users rights flexibly where the earlier controls do not. A common example is a user logging in to a computer (usually Windows), then launching an application that asks for its own login and grants rights appropriate to the account used to log in to that application.

Common problems with RBAC

These are among the common problems, and they are relatively hard to solve thoroughly without prior direction. They usually fall under administration, typically:
* Writing clear job descriptions and the essential tasks of each job.
* Setting clear permissions between groups and minimising overlap.
* Job rotation and transfers.
* ...

These tasks are genuinely hard to carry out. The RBAC-based systems that can define the roles of job groups clearly and without overlap are those with orderly, well-established operating principles, banks being one example; in the remaining systems, users themselves must work out appropriate permissions.

A typical administrative problem is the transfer of a person from one department to another, at which point some common mistakes occur:
o The user's permissions in the old group have not been removed.
o The user's permissions in the new group allow him or her to "approve" requests he or she raised in the old group.

Self-approval of requests is one of the issues that deserves the highest attention, because it is one of the conditions that make personal gain easy and cause damage or large impact on the operations of the organisation or business.

To limit situations like the above, administrative measures are usually applied, and among the most obvious are:
o Splitting work into independent "stages" to ease management and supervision, and at the same time forming corresponding roles.
o Not rotating staff between adjacent "stages", and, for critical stages in particular, adding further supervision mechanisms such as requiring at least two approvers.
o Always allowing an "apprenticeship" period in the new position, during which outstanding requests from the old position must be settled completely.

In CISSP these administrative measures are called "Separation of duties" (division into "stages") and "Job Rotation". They are used to detect losses, abuse of privileges for personal gain, or collusion. These administrative controls serve as the foundation for building access controls and improve the effectiveness of technical measures.

Note: this part only briefly introduces approaches to access control at the technical and administrative level; physical access control is not covered here for now.

Closing remark: to put access management into practice, and to make operating it easy, clarity of policy is essential, especially administrative controls; that is what allows permissions based on technical controls to be comprehensive and complete and to meet the expectations of the organisation or business.

(Next part: a few tips for auditing access control.)

Author:
LUONG TRUNG THANH

One of the few CISA professionals in Vietnam today.

Originally trained as a mathematics teacher, he moved into research and teaching in IT and information security many years ago. If you have the chance to hear him present, you will notice both his presentation skills and his excellent IT knowledge. Perhaps that is why students at the VKC centre, Hung Vuong University and Nguyen Tat Thanh University all enjoy studying with Mr Thanh. Besides working with many IT companies, Mr Thanh is also a co-founder of the ICT24h forum.

MEMORY FORENSIC
LE CONG PHU

Introduction

Today, alongside building systems that minimise the impact of attacks on an organisation, incident response and digital forensics are a significant challenge: determining the cause of an attack and the actions that took place on the system, and providing evidence for later prosecution.

Alongside traditional digital-forensics methods, memory forensics plays an important role in high-tech crime investigation. It is a computer-investigation technique that captures and analyses the RAM of the system under investigation. More specifically, the investigator uses the computer's memory-management architecture to map and extract executables that are running and held in the computer's physical memory. These executables can be used to prove the actions that took place on the system.

Processes running on the system
From the moment it is loaded until it exits, a process passes through various states. An operating system has many processes; one may be the child or the parent of another, and all of them can be found in RAM. Hidden processes can also be extracted once memory has been captured. When a process terminates it may still reside in memory, because its space has not yet been reallocated.

What will we find from memory analysis?

In digital forensics, investigating RAM, where the data is always available to capture and analyse, provides very valuable evidence; we will find:

Open files and registry handles
Open files, and any registry handle accessed by a process, are kept in memory. For example, with a malware process running on the system, the open files can help the investigator discover where the malicious code is stored on disk. On Windows, the registry holds a great deal of valuable information; using techniques and tools to reconstruct registry data lets us collect useful evidence for the investigation.

Network connections on the system
Information about network connections, including the ports listening on the system, established connections and the association between the system and remote endpoints, can all be retrieved from memory. Network-connection information can reveal backdoors connected to the system and the command-and-control servers of a botnet through their connections. It is one of the most important and reliable factors when investigating a compromised system.

Passwords and cryptographic keys
One important advantage of memory analysis is the recovery of user passwords and of cryptographic keys that may be used to decrypt files and programmes the user accessed. As a rule, passwords and keys are never stored on the hard disk without protection while in use. They are, however, held in RAM, and once that is the case an investigation that captures RAM can recover data, restore passwords and potentially access the online accounts owned by the person under investigation, such as email or stored data.

Deleted files
These may be evidence the attacker wants to destroy to hinder the search for evidence. However, files that have been processed remain in memory even when they are no longer linked through the list maintained by the operating system, and the operating system must find an alternative way to use that space. Analysing RAM can enumerate and recover such files, much like rebuilding deleted files on a hard disk.

Malicious code and infected files
In recent years, attacks using malicious code have become increasingly common and numerous; attackers can run exploit code from memory rather than have the malware store itself on disk, the main purpose being to avoid detection and bypass antivirus programmes. Keeping malicious code in memory makes it hard for analysts to obtain a sample and reverse-engineer it to find out how it works, so examining malicious code hidden in RAM can yield interesting findings and important information for the investigation.

Overview of the process
Just as with other kinds of digital forensics, to ensure the reliability of the evidence memory forensics must follow its own process; a memory-forensics investigation usually goes through four stages: Preparation, Acquisition (also called imaging the evidence), Analysis and Reporting.

Preparation: this step documents system information, what happened and the indicators, and defines the scope and purpose of the investigation as well as the resources that will be needed throughout it. We must describe in detail information about the system such as the time of the attack, hardware characteristics, the operating system in use, installed software, the list of users and other relevant details.

Acquisition: this step creates an exact copy of the data currently present in RAM, also called imaging volatile memory. The evidence obtained must be captured with trusted software and signed with algorithms such as MD5 or SHA1 to ensure integrity. Before starting the investigation, the analyst checks the reliability of the evidence against the MD5 or SHA1 strings. This stage is very important, because the data later analysed and used as evidence depends heavily on how we acquired it. Common tools for acquiring RAM are Dumpit and FTK (for Windows) and LiME (for Linux).

Analysis: at this stage we use investigative methods, techniques and various tools to collect and analyse the evidence obtained, such as listing processes, including hidden ones, inbound and outbound connections and listening ports, and extracting suspicious files present on the system at the time memory was captured. The investigation should be isolated in a safe analysis environment. Tools commonly used at this stage are SANS SIFT, Volatility, Mandiant Redline and IDA Pro.

Reporting: after collecting valuable and persuasive evidence, everything must be documented clearly and in detail and reported to the unit responsible for handling the evidence; analysts must state the investigative techniques, technologies and methods used as well as the evidence obtained, all explained clearly in the investigation report.

Memory forensics is a fascinating, challenging field covering many corners that truly require long-term, serious study. This article only gives an overview to help readers grasp the basics and gradually get closer to the field.
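As an added example (not code from the article or its author) covering the Acquisition and Analysis stages described above: the image is hashed with MD5 and SHA1 at acquisition time, the digests are re-verified before any analysis is allowed, and a first analysis step carves IPv4 address:port endpoints (listening ports and remote connections) out of the raw bytes. The image below is a constructed byte string standing in for a real RAM dump, and the addresses are documentation ranges; nothing here is an artefact from a real case.

```python
"""Added example, not from the article: acquisition integrity (MD5/SHA1 manifest,
verified before analysis) followed by carving network endpoints from a RAM image.
IMAGE is a constructed stand-in for an acquired memory dump."""
import hashlib
import re

# Constructed stand-in for an acquired RAM image (a real one is gigabytes).
IMAGE = (
    b"\x00" * 16
    + b"svchost.exe\x00LISTENING 0.0.0.0:3389\x00"
    + b"\xff\xfe" * 8
    + b"ESTABLISHED 10.0.0.5:49152 -> 203.0.113.7:4444\x00"
    + b"junk 999.1.1.1:80 junk\x00"        # not a valid IPv4 address: must be ignored
    + b"\x00" * 16
)

def hash_image(data: bytes) -> dict:
    """Digests recorded at acquisition time, with both algorithms the article names."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}

def verify_image(data: bytes, manifest: dict) -> bool:
    """Before analysis: every recorded digest must match the image we are about to examine."""
    return all(hashlib.new(alg, data).hexdigest() == digest
               for alg, digest in manifest.items())

_ENDPOINT = re.compile(rb"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")

def carve_endpoints(data: bytes) -> set:
    """Return (ip, port) pairs found as printable text in the image, dropping
    anything that is not a syntactically valid IPv4 address and TCP/UDP port."""
    found = set()
    for ip, port in _ENDPOINT.findall(data):
        if all(int(o) <= 255 for o in ip.split(b".")) and int(port) <= 65535:
            found.add((ip.decode(), int(port)))
    return found

def analyse(data: bytes, manifest: dict) -> dict:
    """The analysis gate: refuse to work on an image whose digests do not match."""
    if not verify_image(data, manifest):
        raise ValueError("image digests do not match the acquisition manifest")
    return {"endpoints": sorted(carve_endpoints(data))}

if __name__ == "__main__":
    manifest = hash_image(IMAGE)          # recorded with the evidence at acquisition
    print(manifest)
    print(analyse(IMAGE, manifest))       # ok: digests match
    tampered = IMAGE[:-1] + b"\x01"       # one flipped byte is enough to fail the gate
    print(verify_image(tampered, manifest))
```

Real tooling (Volatility and the others named above) reconstructs connection tables from kernel structures rather than from strings, but the integrity gate is the same: an analyst who cannot show that the analysed image matches the acquisition digests cannot present the findings as evidence.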

Author:

LE CONG PHU
One of the youngest members of the CISSP and Information Security group. With two years of practical experience in the security industry, he is mainly responsible for assessment, auditing and response to information-security incidents in enterprises. He has fairly broad knowledge covering all corners of the information-security field. He currently works for a large security company in Vietnam.

CISSP - A different perspective
SU TAM NGUYEN

You are reading an edition devoted to CISSP, so I do not need to introduce CISSP with the classic definition again. There are already plenty of complete, detailed articles on the content of this certification and the issues around it (but if you are new and curious about CISSP, look up issue 1 of this publication, which has two such articles for reference). In today's article I would like to approach CISSP from a different angle: is the CISSP exam hard?

There are quite a few rumours passed by word of mouth about this security certification, mostly of the kind: it is really hard; it is only for people who have managed information security for over ten years; the exam only asks about work experience, nothing from books; holders earn very high salaries; and many more. Unintentionally, these make CISSP a fearsomely difficult and coveted certification, coveted in a wistful way, while at the same time raising an invisible barrier that pushes away the approach and resolve of people who want the certification but have not gathered enough information. I was once surrounded by such information too, but after sitting the exam (and passing) I was able to sift out a few things, which I would like to share with you:

Reading everything the CISSP scope requires is mission impossible
The content of CISSP is listed as headings in the ISC2 CBK (Common Body of Knowledge). Because the scope is only bounded by headings, nobody can be sure they have mastered everything ISC2 requires. 100%, no; 80-90%, possible. Most of the exam content can be answered based on what was prepared according to the CBK.

The exam questions come out of nowhere and have nothing to do with the books
Wrong! You can answer most questions (80-90%) if you prepare thoroughly. The remaining 10-20% depends on each person's work experience and strengths. Note that 10% of the questions in the exam (about 25) are used by ISC2 for survey purposes and are not scored. So the strange questions may well fall in that group of 25.

The questions are very long, about a page each
We have 250 questions to answer in 360 minutes. Could you read and think through 250 pages in six hours? Impossible! The exam has only a few one-page questions, and they are combined questions: you read once and answer several following questions. Most of the rest are about the length of practice questions and can be read and answered in about 0.5 to 1.5 minutes each.

The four answer choices are very ambiguous
Actually only two choices are ambiguous enough to make you think; the other two can be eliminated right away. However, much of the advice says you should read at least twice, because after the second reading we can spot the trap behind most questions and eliminate a third wrong choice.

It is a management certification, no need to go deep into technology
That is a characteristic of CISSP, but do not use it as an excuse to skip the areas that are our weak points. ESP vs AH and L2TP vs PPTP are two examples found in the exam.

There is no Testking or Pass4sure for CISSP
Right! You will not see a single practice question in the real exam. But the substance inside the questions is there. Practice questions are a tool for revising knowledge; do not waste effort memorising them.

CISSP is not for me!
Are you determined? If you are, truly determined and not the one-week kind, you have the first necessary condition; the second is time. You must have time for CISSP and use it effectively and regularly. CISSP is very broad, so if after reading domains 1 to 3 you get stuck in a project for three straight months before coming back, it is very hard. The hardest part of CISSP is not Risk management or Asset management but Time management! Manage your time well and you have the second necessary condition. The sufficient condition depends on each person's starting point.

Conclusion: CISSP is not an easy certification, but it is not an unreachable legend either. You can certainly pass thanks to good preparation. If you need it for your work, want to polish your CV, or simply like the idea, take on this challenge seriously and you will find it closer than you imagined!

Author:

SU TAM NGUYEN
CISSP, CCSI, MSc
Many years of experience in Networking, Network Security and IT Governance. Currently a lecturer at the French university PUF. He is the newest member of the CISSP & Information Security group and has just passed the CISSP exam.
sutamnguyen@gmail.com

Separation of Duties
TRAN NGOC MINH

In some organisations, certain important or sensitive tasks (depending on the organisation's rules or on some legal requirement) must involve more than one person to be completed. This is one way of explaining Separation of Duties.

Circular 01/2011 of the State Bank notes the following points:
- For business information systems: no single individual performs all stages of a business transaction, from initiation to approval.
- The production system must be separated from the development environment and the test and trial environment.
(Source: http://congbao.chinhphu.vn/noidung-van-ban-so-01_2011_TT-NHNN%286947%29?cbid=6943)

There is a plainer explanation, without the certificate-and-exam flavour. What would happen if a bank teller created a money transfer (say 10 billion) and then approved the transaction successfully on their own? Quite possibly they would transfer the 10 billion to themselves and run off to a third country? Dangerous, isn't it? That is why, to prevent the risk and keep this under control, the work is divided in two: one person creates the transaction and another checks and approves it; only then is the transaction valid and the money moved. Sounds safe?

In some organisations such a division costs a lot of staff (at least double), so they may allow one person to both create and approve transactions. However, that person may not approve a transaction he or she created (cross-approval is required). Or some organisations allow combined duties but keep a matrix of positions (jobs) that may not be combined.
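The rules in the paragraphs above (and the same rules in the Access Control article's section on self-approval and "at least two approvers") can be written down as a maker-checker check. The following is an added example, not code from the article or its author: it forbids self-approval, forbids approval by a declared relative of the maker (the collusion case discussed next), reports people holding a pair of roles the matrix forbids (development separated from production operations, as in the circular quoted above), and requires two independent approvers above a constructed amount threshold. Names, roles, relationships, amounts and the threshold are all invented for the example.

```python
"""Added example, not from the article: separation-of-duties checks for a
maker-checker transaction flow. All staff, roles, relationships and amounts
are constructed sample data."""
from dataclasses import dataclass, field
from itertools import combinations

# Role pairs one person may not hold at the same time (constructed matrix).
INCOMPATIBLE_ROLES = {frozenset({"developer", "prod_operator"})}
# Above this amount a transaction needs two independent approvals (constructed).
DUAL_APPROVAL_THRESHOLD = 1_000_000_000

@dataclass
class Employee:
    name: str
    roles: set

@dataclass
class Transaction:
    tid: str
    amount: int
    maker: str
    checkers: set = field(default_factory=set)

    def required_checkers(self) -> int:
        return 2 if self.amount >= DUAL_APPROVAL_THRESHOLD else 1

    def is_valid(self) -> bool:
        """Money may move only when enough distinct approvers, none of them the maker, signed off."""
        return self.maker not in self.checkers and len(self.checkers) >= self.required_checkers()

def incompatible_assignments(staff: dict) -> list:
    """Report every employee who holds a pair of roles the matrix forbids."""
    findings = []
    for e in staff.values():
        for a, b in combinations(sorted(e.roles), 2):
            if frozenset({a, b}) in INCOMPATIBLE_ROLES:
                findings.append((e.name, a, b))
    return findings

def can_approve(tx: Transaction, approver: str, staff: dict, related: set):
    """Return (allowed, reason). This is the relaxed variant the article describes:
    one person may both create and approve, but never their own transaction."""
    if "approver" not in staff[approver].roles:
        return False, "no approver role"
    if approver == tx.maker:
        return False, "self-approval"
    if frozenset({approver, tx.maker}) in related:
        return False, "approver is related to the maker"
    if approver in tx.checkers:
        return False, "already approved"
    return True, "ok"

def approve(tx: Transaction, approver: str, staff: dict, related: set):
    ok, reason = can_approve(tx, approver, staff, related)
    if ok:
        tx.checkers.add(approver)
    return ok, reason

# --- constructed sample data -------------------------------------------------
STAFF = {
    "An": Employee("An", {"teller"}),
    "Binh": Employee("Binh", {"teller", "approver"}),
    "Chi": Employee("Chi", {"approver"}),
    "Dung": Employee("Dung", {"approver", "developer", "prod_operator"}),
    "Em": Employee("Em", {"approver"}),
}
RELATED = {frozenset({"Binh", "Chi"})}   # declared spouses

def demo():
    """Walk the article's 10-billion transfer through the checks."""
    tx = Transaction("TX-1", 10_000_000_000, maker="Binh")
    attempts = {who: approve(tx, who, STAFF, RELATED) for who in ["Binh", "An", "Chi", "Dung"]}
    valid_after_one = tx.is_valid()          # False: only Dung has signed, two are required
    approve(tx, "Em", STAFF, RELATED)        # second independent approver
    return attempts, valid_after_one, tx.is_valid(), incompatible_assignments(STAFF)

if __name__ == "__main__":
    for item in demo():
        print(item)
```

The role matrix and the relationship list are administrative inputs; the code only makes them enforceable at the point where money would move, which is the point the article makes about administrative controls being the basis for technical ones.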
Recently, anyone who watched the film Godzilla saw the scene where the husband hesitates to close the safety door (sealing the quarantine area) just so that the person trapped inside has a chance to run out (to safety). I have seen many similar scenes (in other films) and think the director uses them only to draw tears from the audience. In reality he might have slammed the door in the very first seconds with great relief (I am joking). Why do I bring this into the topic at hand?

Some organisations have a rule that spouses, or people with close family ties, may not work in the same unit or take part in the same important or sensitive process. The example above explains why. Just ask: what would the consequences be if the husband were weak and failed to close the quarantine door in time? Because of two people, a whole community outside is affected? Or: the organisation assigns different people to create and approve transactions, but they are husband and wife with the same bad intent, which means the organisation is facing a (very likely) risk.

That is the problem of collusion. Collusion is not only a story of husband and wife (or relatives) but of groups of people bound by common interests. One solution that limits collusion is Job Rotation.

Job Rotation
First of all, this is a way to reduce the risks related to collusion (remember keywords like this; they are very useful in the exam). Collusion is always the hardest threat to control and usually causes very serious consequences. Collusion arises from people with shared interests; obvious enough.

Mr Dang Van Thanh, former chairman of Sacombank, said: "Sometimes risk in business still brings profit if the risk appetite is right. But if we have a good model and a good development strategy while personnel management is weak, success is hard. Because then the risk lies inside the organisation; the risk of all risks is people." (Source: Google.)

To control, rotate. Suppose your boss has done many bad things that harm the organisation but has not yet been exposed; rotation may help the organisation discover them sooner. The new boss notices the irregularities in the files and systems. Or, on arriving at a new post, bad bosses become more cautious (because they may not yet have built a crew to do bad things with). Suppose our organisation could measure (quantify) the average time a boss needs before being in a position (if at all) to do something bad; would that not be a very good way to limit the risks? Remember, this is purely an organisational measure to prevent risk; a boss who receives a rotation decision is not necessarily one with a problem.

Usually, when you ask candidates plainly why they left their previous job, the answer is that they wanted a different atmosphere or environment in which to develop; this is also a point for the organisation to weigh when rotating staff. The organisation may move you to another team or another job to help you develop your abilities, or, through that, observe and discover the latent talent of individuals. Sounds like a child at school, doesn't it? The child gets to learn and try many different subjects, dancing, swimming, singing, drawing, to see which one the child has a gift for and then encourage and nurture it.

When rotation is done this way, backup staff are also ready. Suppose a team member quits suddenly; the organisation already has several people who have done that job and can take over. Very proactive! It is indeed. But are there risks? This is a question CISSP candidates must keep asking themselves (when studying), because the exam rarely asks for definitions (such as "what is Job Rotation?"); most questions are scenarios or the pros and cons of each issue or solution.

Instead of answering, let me offer a real example: the banh xeo seller near my home. She was first hired to wash dishes. Very hard! Then, step by step, she was assigned other positions: wiping tables, mopping floors, serving, kitchen help, prep help, cooking, ... After 3 years, 8 months and 27 days she set up on her own, and her place is now very busy. A truly admirable effort to rise; I always support such effort!

For an organisation or business, the appearance of another organisation (a competitor) is not a problem. What we need to care about (in the curriculum, for our own organisation) is that such rotation may leak sensitive information and secret business processes (trade secrets), or more simply may allow people with bad motives to gather the information and basis for attacking us. Remember, adversaries are often smarter, clearly motivated, relentless and better at connecting the dots than we are.

Rotation is sometimes as simple as changing where people sit. Surprising! It is like my house: now and then I move some things around just to have something new. With an organisation it is a bit different: they may move your seat to sit beside (among) other people. Then your links with your crew seem harder? Or you are hiding something that your physical position (your seat) has been helping you with. (This is an aside, unrelated to the Job Rotation heading.)

If something is discovered (a suspicion) or you just want to check whether documents and procedures reflect reality, having to transfer (long-term) the person holding that position can be rather troublesome. In that case, think of Mandatory Vacations.

Mandatory Vacations
This method is called mandatory leave.

Some of you will surely ask: this is just like an ordinary audit, so why must someone be away for many consecutive days? Audits are done periodically and regularly with the bosses present (at work), and what is wrong with that? Right!

While the employee is on leave, the organisation sends someone to fill the equivalent position and check whether policies, procedures and guidelines are being followed completely, whether there is anything unusual in the operations the person on leave is responsible for, ... and then report to the organisation's leadership (the role and function are like those of an auditor).

However, compulsory continuous leave gives the reviewer better (deeper and broader) conditions. At the same time, weaknesses of the system surface more easily, because the operating conditions now differ from normal and the boss, being on leave, can hardly cover them up (if there is anything to cover).

This mandatory-leave method is usually applied in large organisations where staff readiness (reserves) or staff rotation is carried out regularly and methodically, because those who review someone else's work usually have to understand the job that person holds.

A clear distinction must be made between this mandatory leave (an organisational policy with the very noble aim of giving the boss time to rest, relax and recharge in order to keep contributing) and temporary removal from office or suspension (usually used for an urgent review or investigation).

TRAN NGOC MINH - CISSP
For information about the author, please see page 21.

Security Architecture and Design
TRAN CHI CAN

When architecture is mentioned, people immediately think of design, the standards (used in design) and the (existing) structures. So what does building a secure system include? The answer is that it covers everything you can imagine that exists in an information system. At the micro level, at the endpoint, there are the issues of hardware, computer architecture, operating system and software. A little broader are the network issues and network architecture. At the macro level you will do architectural planning, laying out an overall architecture that can meet the organisation's business needs while remaining secure. That is the job of a CSO or a CIO, which I hope you will one day (have to) take on.

Computer architecture probably needs no further discussion, since almost all of you have studied it and know the concepts of ROM, EPROM, RAM, SWAP, CPU, HDD, ... by heart. We will only discuss the security issues, based on the models in common use today: Graham-Denning, Information-Flow, State-Machine, Non-Interference, ...

The Graham-Denning model, from 1972, is based on the access-control matrix; it is a set of eight basic rules governing how to securely create and delete an object or a subject and how to securely read, grant, delete or transfer access rights. An object has a subject with special rights over it, and a subject may in turn have another subject with rights over it.

The state-machine model is a model proven mathematically and is often used in operating systems and application software. It describes the system's response to events; in other words, it represents the states of the system and the events that cause transitions between them.

The Information-Flow model represents how data is processed in the system and describes the flow of data inside it. Based on the security level of the object, data flows are restricted to ensure that confidential information never reaches a place that is not permitted.

Conversely, the Non-Interference model is not concerned with data flow; it ensures that an action at a high security level does not affect or interfere with an action taking place at a lower level. Hence, in this model, when an entity at a higher security level performs an action, it cannot change the state of entities at lower levels.
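The three models just described can be tied together in a toy implementation. The following is an added example, not code from the article or its author: a state machine whose transition function accepts only events that keep information flowing from lower security levels to higher ones (the Information-Flow restriction), which by induction keeps every reachable state secure if the initial state is (the property the state-machine model is proven to have), together with a check of the Non-Interference property, namely that an action by a high-level subject leaves the view of a low-level subject unchanged. Levels, subjects, objects and events are constructed sample data.

```python
"""Added example, not from the article: a toy secure state machine enforcing
upward-only information flow, plus a non-interference check. All levels,
subjects, objects and events below are constructed sample data."""
import copy

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}

class SecurityViolation(Exception):
    pass

class State:
    def __init__(self, subjects, objects):
        self.subjects = dict(subjects)            # subject -> level
        self.objects = copy.deepcopy(objects)     # object -> {"level": ..., "data": [...]}

    def view(self, level):
        """What a subject at `level` can observe: every object at or below that level."""
        return {n: tuple(o["data"]) for n, o in self.objects.items()
                if LEVELS[o["level"]] <= LEVELS[level]}

    def is_secure(self):
        """Each datum is tagged with the level of its writer; a state is secure when
        no object holds a datum written from a level above the object's own."""
        return all(LEVELS[src] <= LEVELS[o["level"]]
                   for o in self.objects.values() for src, _ in o["data"])

def transition(state, event):
    """The transition function: return a NEW state for an allowed event, or raise
    SecurityViolation and leave the current state untouched."""
    kind, subj, obj = event[:3]
    s_lvl, o_lvl = state.subjects[subj], state.objects[obj]["level"]
    if kind == "read":
        if LEVELS[s_lvl] < LEVELS[o_lvl]:
            raise SecurityViolation(f"{subj} ({s_lvl}) may not read {obj} ({o_lvl})")
        return state                               # reading changes no state
    if kind == "write":
        if LEVELS[o_lvl] < LEVELS[s_lvl]:
            raise SecurityViolation(f"{subj} ({s_lvl}) may not write down into {obj} ({o_lvl})")
        new = State(state.subjects, state.objects)
        new.objects[obj]["data"].append((s_lvl, event[3]))
        return new
    raise ValueError(f"unknown event kind {kind!r}")

def run(initial, events):
    """Apply events in order, collect rejections, and check every reachable state."""
    state, rejected = initial, []
    for ev in events:
        try:
            state = transition(state, ev)
        except SecurityViolation as e:
            rejected.append(str(e))
        assert state.is_secure()   # secure start + secure transitions => secure states
    return state, rejected

def non_interference(state, high_event, low_level):
    """A high-level action must not change what a low-level subject can see."""
    return state.view(low_level) == transition(state, high_event).view(low_level)

INITIAL = State(
    {"clerk": "unclassified", "analyst": "confidential", "director": "secret"},
    {"bulletin": {"level": "unclassified", "data": []},
     "report": {"level": "confidential", "data": []},
     "plan": {"level": "secret", "data": []}},
)
EVENTS = [
    ("write", "clerk", "bulletin", "office hours"),      # same level: allowed
    ("write", "analyst", "plan", "market estimate"),     # write up: allowed
    ("write", "director", "bulletin", "merger target"),  # write down: rejected
    ("read", "clerk", "plan"),                           # read up: rejected
    ("read", "director", "bulletin"),                    # read down: allowed
]

if __name__ == "__main__":
    final, rejected = run(INITIAL, EVENTS)
    print(rejected)
    print(final.objects)
    print(non_interference(INITIAL, ("write", "director", "plan", "x"), "unclassified"))
```

The `assert` inside `run` is the induction step of the state-machine argument: because `transition` never produces an insecure state from a secure one, every state the machine can reach is secure; a real proof would establish this over the transition relation rather than by checking each run.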
There are also a few other models. However, these are the models usually used inside computers, operating systems or applications. If you plan to design or manufacture a new machine model or an operating system, or to develop your own application, pay attention to them. (And you should also pay attention if you want to take the CISSP exam, because you may be asked about them.) If your organisation only buys off-the-shelf products, you should know the evaluation criteria and security certifications for a system or an IT product. These are the TCSEC (Trusted Computer System Evaluation Criteria), ITSEC (Information Technology Security Evaluation Criteria) and common evaluation criteria (CC - Common Criteria) such as ISO (15408 or the 27000 series).

Xut bn ln u vo nm 1983 v cp nht vo


nm 1985, TCSEC (hay DoD 5200.28-STD ),
thng c gi l Sch Cam (Orange Book) ca B
Quc phng M (DoD), l b tiu chun c bn thc
hin cc bin php bo mt trong h thng my
tnh; ch yu nhm gip B Quc phng tm thy
( mua) cc sn phm ph hp, p ng nhng
tiu chun bo mt c bn. TCSEC nh gi da
trn 6 yu cu sau:

Security policy

Marking of objects

Identication of subjects

Accountability

Assurance

Continuous protection
Nhng, TCSEC khng c chp nhn rng ri bn
ngoi nc M. Do vy, nhm cc nh pht trin
chu u ra tiu ch ITSEC, trong xc nh cc
mc tiu bo mt cho sn phm v cc nh sn xut
s cung cp sn phm theo hng . Khng nh
TCSEC ch nh gi C, ITSEC bao gm c CIA.

Several other criteria appeared in the same period, but none was standardised internationally until 1996, when the first version of the Common Criteria was released; it was published as ISO/IEC 15408 in 1999.

ISO/IEC 15408 is the international standard used as the basis for evaluating the security properties of a product. It has three main parts:

- ISO/IEC 15408-1 sets out the general concepts and principles of the evaluation model. It defines the terminology and the core concept of the Target of Evaluation (TOE), describes the evaluation context and the artefacts involved, and gives the key concepts, requirements and guidelines for writing a Security Target.
- ISO/IEC 15408-2 defines the security functional requirements, the functions that will actually be evaluated: a catalogue of security functions derived from common security needs and organised into classes, families and components.
- ISO/IEC 15408-3 covers security assurance: the assurance requirements and the Evaluation Assurance Levels (EAL1 to EAL7) built from them. Vendors follow these parts when building a product, and the product is evaluated against the same parts.

[Figure: family tree of evaluation criteria. The Orange Book (TCSEC), the Canadian Criteria (CTCPEC), the UK Confidence levels, the US Federal Criteria and the German and French criteria converge on the Common Criteria (CC), published as ISO 15408 in 1999; the 1991 date in the figure is the year ITSEC was published. Caption: comparison between ITSEC and TCSEC.]

Winter edition

At the endpoint and network level, the concern is how to organise the network as securely as possible: the two-tier firewall model, or more generally the multi-layer (defense-in-depth) model. This winter edition carries an article by Vi Minh Toại on exactly that subject, so I will skip it here and move on to security at a larger scale: planning a security architecture.


In practice, in a large organisation the systems of the various departments are built and run by different people for different purposes; they usually serve only the purpose of their owners and cannot be reused elsewhere. To combine all of them into an overall architecture, the first step is to set up a common framework, which many people call EA (Enterprise Architecture).

Before planning an architecture we first need to know the objectives of the organisation we serve. A defence unit has stricter security requirements than a government agency, and there money is not the main concern. A financial institution has higher requirements than a non-profit. And if you work for a business, always remember that for your boss money comes first. The point is that to work as a Security Architect (SA) you must first understand the philosophy of the top manager, the owner of the organisation.

It is hard to build a single common framework for every case, because sector, management maturity, staffing, investment capacity, equipment and operating model all differ. Hence the different approaches to building an EA framework for different classes of organisation.

Back to the question: what is security architecture? Security architecture is simply the system architecture seen from the security angle. A security architect describes how the system should be set up so that its security requirements are met.

TOGAF (The Open Group Architecture Framework) is a method that gives detailed guidance on how to build an architecture, together with supporting tools.

[Figure: TOGAF overview. Architecture Principles, Vision and Requirements (Preliminary phase, Architecture Vision, Architecture Requirements); Business Architecture (Motivation, Organization, Function); Information Systems Architecture (Data, Application); Technology Architecture; Architecture Realization (Opportunities, Solutions and Migration Planning; Implementation Governance).]

TOGAF sets up an overall architecture framework made of a core and a set of extensions. The core consists of four domains:

- Data Architecture: defines the relationships between data sets, and between business processes and data.
- Business Architecture: describes the business goals, activities and business processes.
- Application Architecture: defines the application model, the user interfaces, the processing mechanisms and the business rules.
- Technology Architecture: shows the physical data models, the technical system design, the technologies and presentation mechanisms, and the design of procedures and control mechanisms.

The extensions include:

- Standards and policies: define the standards and propose policies for each constituent part.
- Security Architecture: defines the security requirements and solutions for the whole organisation.
- Service Architecture: defines how the organisation delivers its services.

The Zachman Framework for Enterprise Architecture, by contrast, is a taxonomy: it describes the architectural artefacts that must exist, seen from the different viewpoints of the stakeholders. It is a two-dimensional matrix formed by crossing the six questions What, Where, When, Why, Who and How with the levels of reification (the process of turning an idea into a thing; Zachman names five transformations, identification, definition, representation, specification and configuration, ending in the instantiated enterprise), moving step by step from abstract concerns at the scope level down to simpler, more concrete ones at the operations level.


Strictly speaking, Zachman is not a methodology: it prescribes no method or process for collecting, managing or using information. It is rather an ontology, a structured schema of the organisation's architecture (design documents, models and so on) that maps each artefact to a specific audience (business owner, manager, ...) and a specific concern (data, function, ...) to be addressed.

FEA (the Federal Enterprise Architecture) is not just its five reference models; it also comes with four documents on how to apply it, with step-by-step guidance. FEA is therefore regarded as a complete method, combining the two approaches above and including a framework for measuring results. Although its official name calls it an architecture, it is also treated as a framework, FEAF. Of the three, FEAF is the most clearly and plainly expressed.


The FEAF model is built on four basic components: business architecture, data architecture, application architecture and technology architecture, refined continuously as the organisation evolves.

Each framework has its own strengths and weaknesses. FEAF is widely used in fairly mature organisations whose applications and infrastructure are relatively uniform. If you inherit an organisation whose systems have been cobbled together from disparate pieces, TOGAF looks like the more suitable method. But do not worry too much: I believe that when you are handed that mission you will, quite naturally, know what to do.

Author: Trần Chí Cần
A graduate of Bách Khoa University in electronics and telecommunications, with almost ten years in systems integration projects for small companies, large companies and multinationals. Having been through hundreds of battles large and small, he is a living store of experience in implementation, consulting and communication, right up to law and policy. He currently works at one of Vietnam's leading suppliers of security equipment and services.

Author of the Separation of Duties article: Trần Ngọc Minh, CISSP
More than ten years in information security in senior positions at Lạc Việt, CMC and Sacombank, alongside teaching and consulting for many other organisations. Mr Minh is one of the few seasoned CISSPs in Vietnam today. Together with Đặng Xuân Quế, he is one of the two CISSPs who initiated and founded the CISSP & ATTT group, which gave birth to this magazine.


AN OVERVIEW OF THE PCI DSS STANDARD

Phan Cảnh Nhật
1. PCI DSS

PCI DSS, the Payment Card Industry Data Security Standard, was established by the card brands VISA, MasterCard, American Express, Discover and JCB. The standard is maintained and governed by the Payment Card Industry Security Standards Council (PCI SSC).

PCI DSS was developed to encourage and strengthen cardholder data security and to facilitate the broad adoption of consistent data security measures worldwide. It provides a baseline of technical and operational requirements designed to protect cardholder data. It applies to every party in the card payment process: issuing banks, acquiring banks, payment service providers and merchants, as well as every other entity that stores, processes or transmits cardholder data (CHD) and/or sensitive authentication data (SAD). The standard has been upgraded to version 3.0, published in November 2013 and effective from 1 January 2014.

PCI DSS sets out six objectives and twelve requirements:

Build and maintain a secure network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Maintain a vulnerability management programme
Requirement 5: Protect all systems against malware and regularly update anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.

Implement strong access control measures
Requirement 7: Restrict access to cardholder data by business need to know.
Requirement 8: Identify and authenticate access to system components.
Requirement 9: Restrict physical access to cardholder data.

Regularly monitor and test networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.

Maintain an information security policy
Requirement 12: Maintain a policy that addresses information security for all personnel.
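To make Requirement 3 concrete, here is an added example (not from the article and not from PCI SSC) of a check a practitioner runs before an assessor does: a scanner that finds Luhn-valid primary account numbers and track-2 records in application logs, the most common place cardholder data leaks into storage it was never meant to reach, and reports them masked to the first six and last four digits, the most the standard allows to be displayed. The regex thresholds are my choice, and the log lines are constructed for the example using the card brands' published test numbers.

```python
"""Scan log lines for cleartext PANs and track-2 data (PCI DSS Requirement 3).

Added example, not from the article or from PCI SSC.  Regex thresholds and
the sample log format are assumptions made for this example.
"""
import re
from dataclasses import dataclass

# Candidate PAN: 13 to 19 digits, optionally grouped with spaces or dashes,
# and not embedded in a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 (ISO/IEC 7813): ";PAN=YYMM<service code><discretionary data>?"
_TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d{3}\d*\?")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check every card brand uses; filters most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS 3.3)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str      # "PAN" or "TRACK2"
    masked: str


def scan_lines(lines):
    """Return a Finding for each Luhn-valid PAN or track-2 record, never the cleartext."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in _TRACK2_RE.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append(Finding(n, "TRACK2", mask_pan(m.group(1))))
        # Blank out track-2 records so their PAN is not reported a second time.
        rest = _TRACK2_RE.sub(" ", line)
        for m in _PAN_RE.finditer(rest):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding(n, "PAN", mask_pan(digits)))
    return findings


# Constructed sample lines; the card numbers are the brands' public test numbers.
SAMPLE_LOG = [
    "2014-11-21T10:15:02 INFO checkout ok txn=1415000000001 amount=120000",
    "2014-11-21T10:15:03 DEBUG pan=4111111111111111 exp=12/25 cvv=123",
    '2014-11-21T10:16:40 DEBUG card "5555 5555 5555 4444" authorised',
    "2014-11-21T10:17:01 ERROR raw swipe ;4111111111111111=25121011234567890? retry",
    "2014-11-21T10:18:22 INFO amex 378282246310005 declined",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} {f.masked}")
```

Run it over exported log files. The Luhn check removes most false positives among 13 to 19 digit numbers (order and transaction identifiers), but roughly one random number in ten still passes, so review hits before escalating. Findings are reported masked so that the scanner's own output does not become yet another copy of the PAN.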
An important note from the standard itself: PCI DSS does not supersede local or regional laws, government regulations or other legal requirements.
2. Benefits of implementing PCI DSS

According to a CyberSource survey, up to 85% of customers look for signs that a website is safe before deciding to buy, and up to 50% abandon payment at the shopping cart out of concern about the risks of paying online. Security is therefore what most customers worry about when paying online, so applying an international security standard ought to be mandatory not only for banks and card issuers but also for e-commerce sites and online payment providers. Online businesses should also consider adopting the standard as a signal of safety that attracts customers.

In addition, any entity that processes, stores or transmits card data and is found non-compliant with PCI DSS in a way that leads to a data leak can be fined up to USD 500,000 depending on the case, or USD 90 to 300 per stolen cardholder record. Retailers can be fined by the card companies for the compromised transactions and have to pay for the investigation (up to USD 100,000). In serious cases, a member bank of an international card scheme that fails to meet PCI DSS may be barred from processing online payments. Member banks are responsible for ensuring that their online payment partners also meet PCI DSS.

3. How to apply PCI DSS and get certified

If your business handles card data, or has new plans or directions that involve processing, storing or transmitting card data, or if you are a bank issuing or acquiring international credit cards, you must apply PCI DSS and obtain certification as soon as possible.

An organisation that wants to adopt PCI DSS first assesses its working environment and determines how far it already complies with the security requirements. It then relies on the findings of information-system assessors in a gap analysis assessment. The gap analysis produces a report on the current state of PCI compliance, listing compliant and non-compliant areas together with the specific remediation tasks needed to reach compliance. The organisation then starts rolling out information security policies, building firewalls to protect cardholder data, deploying intrusion prevention, adjusting systems, and purchasing, replacing or modifying the equipment and applications identified as non-compliant. Using consultants and experienced specialists speeds up the compliance effort considerably. Be warned that the gap analysis usually reveals a great deal of work and equipment to replace or modify; only at that point do you get the full picture of what the PCI DSS rollout involves. Implementation can take from six months to two years depending on the scope of the business.

Once the organisation has closed the gaps identified in the analysis, the assessment company sends a Qualified Security Assessor (QSA) to assess it. When the QSA concludes that the organisation is compliant, it provides an Attestation of Compliance (AOC), and the assessment company then issues a Report on Compliance (ROC) certifying that the organisation meets PCI DSS.

Author: Phan Cảnh Nhật
Currently Deputy Technical Director at Cộng Đồng Việt (VietUnion), the company that operates the Payoo e-wallet. With 14 years in IT, he led the project that implemented and obtained ISO 27001 and PCI DSS certification for the Payoo wallet.

DEFENSE IN DEPTH

Vi Minh Toại

Defense in depth, also called multi-layered defence, is an approach that applies security controls in several distinct layers to secure a system. It rests on one idea: when one layer has a hole, the other layers still protect the system, and because they do not share the same hole or weakness an attacker cannot easily reach the core. The approach also gives administrators a better chance of finding evidence of an intrusion and time to apply countermeasures.

The defense-in-depth model, as a stack of security layers:

[Figure: the defense-in-depth layers.]

As the figure shows, to reach the data an attacker has to get through many defensive layers in turn: Policies, Procedures, Awareness -> Physical Security -> Perimeter Security -> Internal Network Security -> Host Security -> Application Security -> Data Security.

Each layer can be protected by several security measures. The figure below, for example, lists measures that protect the Internal Network layer:

[Figure: some security measures for the Network layer.]


A more concrete example of layered design is the firewall model with two tiers: an external firewall and an internal firewall. The external firewall protects the DMZ (the zone holding the public-facing servers) and controls the flows between that zone and the Internet and into the internal zones behind it. The internal firewall protects the application-server and core zones and controls the flows into and out of them. Flows from the Internet can reach the DMZ and nothing else. The two-tier firewall model is common in credit institutions such as banks, securities firms and insurers. How many layers to apply, however, depends on the particular business and on the wishes and security awareness of its management. The security practitioner also needs a security mindset and experience in security architecture design to balance cost against productivity and to keep a multi-layer architecture running day to day.
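The rule the paragraph states, Internet traffic reaches the DMZ and nothing else, is easy to state and easy to lose after years of change requests. The following added example (not part of the original article; zones, rule syntax and both rulesets are invented for the purpose) models each firewall as a first-match ruleset with an implicit deny, requires a flow to pass every firewall on its path, and audits the design against the zone policy. It also shows the defense-in-depth point: a lazy "ANY" rule on the external firewall is harmless while the internal firewall is still explicit, and becomes a breach only when both tiers are sloppy.

```python
"""Audit a two-tier (external/internal) firewall design against a zone policy.

Added example, not part of the article.  Zone names, the rule format and both
sample rulesets are assumptions made for this example.
"""
from dataclasses import dataclass
from itertools import product

ZONES = ("INTERNET", "DMZ", "APP", "CORE")   # ordered from outside inwards
_TIER = {zone: i for i, zone in enumerate(ZONES)}


@dataclass(frozen=True)
class Rule:
    src: str       # zone name or "ANY"
    dst: str       # zone name or "ANY"
    port: int      # TCP port, 0 means any port
    allow: bool

    def matches(self, src, dst, port):
        return (self.src in ("ANY", src) and self.dst in ("ANY", dst)
                and self.port in (0, port))


def permits(ruleset, src, dst, port):
    """First matching rule wins; no match means the implicit deny applies."""
    for rule in ruleset:
        if rule.matches(src, dst, port):
            return rule.allow
    return False


def firewalls_on_path(src, dst):
    """Firewalls a flow crosses: the external one guards the DMZ edge,
    the internal one guards the APP and CORE tiers."""
    outer, inner = sorted((_TIER[src], _TIER[dst]))
    path = []
    if outer < 1 <= inner:
        path.append("external")
    if inner >= 2:
        path.append("internal")
    return path


def flow_allowed(fw, src, dst, port):
    """A flow passes only if every firewall on its path permits it."""
    return all(permits(fw[name], src, dst, port) for name in firewalls_on_path(src, dst))


def audit(fw, ports=(22, 443, 1521, 3306, 8443)):
    """Return the (src, dst, port) flows the design allows but policy forbids:
    nothing from the Internet may reach APP or CORE, and only APP may reach CORE."""
    violations = []
    for src, dst, port in product(ZONES, ZONES, ports):
        if src == dst:
            continue
        forbidden = ((src == "INTERNET" and dst in ("APP", "CORE"))
                     or (dst == "CORE" and src != "APP"))
        if forbidden and flow_allowed(fw, src, dst, port):
            violations.append((src, dst, port))
    return violations


# Lazy rulesets, the kind that accumulate after years of change requests.
WEAK = {
    "external": [Rule("ANY", "ANY", 443, True)],
    "internal": [Rule("ANY", "APP", 443, True), Rule("APP", "CORE", 1521, True)],
}
# Corrected rulesets: every permitted hop named explicitly, nothing else.
HARDENED = {
    "external": [Rule("INTERNET", "DMZ", 443, True), Rule("DMZ", "INTERNET", 443, True)],
    "internal": [Rule("DMZ", "APP", 8443, True), Rule("APP", "CORE", 1521, True)],
}

if __name__ == "__main__":
    for name, design in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "violations:", audit(design))
```

audit(WEAK) reports the Internet-to-APP flow on port 443 that both lazy rules let through; audit(HARDENED) reports nothing, and so does the mixed case with the weak external ruleset in front of the hardened internal one, which is exactly what the second layer is for. The port list is a sample of probes, not a port sweep; extend it with whatever the core tier actually listens on.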
The key to a defense-in-depth strategy is balance between three factors: people, technology and day-to-day operations.

Technology: without new security technologies, and without keeping them updated, we struggle against attacks that grow more sophisticated and novel every day, and daily operations become overloaded.

Process: without policies, rules and daily operating procedures we lose readiness and the ability to monitor and respond in time.

Finally, the most important factor is people. Without enough staff we cannot guarantee monitoring, nor cope with increasingly complex attack scenarios. Staff who understand the technology and the processes and can tune the system to each specific environment are what decide how well a multi-layer defence responds. Security awareness training for all employees must not be forgotten either; it is a factor that reduces risk for the business.

Future issues will cover each defensive layer in more detail, together with lessons from deployments. Stay tuned.

Author: Vi Minh Toại
MCSE, CEH, F5 Advanced
More than nine years in IT, specialising in securing large systems such as banking and securities. He is currently a security specialist at a large university in Vietnam.


CERTIFICATION AND ACCREDITATION

Lê Nguyễn Vĩnh Phú

As a security specialist, network administrator or system administrator, what do we do when management hands us the job of choosing a security system, solution, product or appliance (in other words, a safeguard for the information system) for the organisation's security needs? Here we discuss it purely from the technical angle and leave vendor relationships aside. What do we do to choose the security appliance that fits the organisation?

* First, we consider the organisation's needs in buying the equipment: the analysis that produces the company's specific requirements for the device. And the budget for the product?
* Search the Internet for well-known products and compare their features? Read some sites that pit products against each other on some set of criteria? (But every vendor seems to offer the same features. Headache, part 1.)
* Ask online for the experience of those who went before, to judge how stable the product is? (Everyone has a different opinion. Headache, part 2.)
* Wonder whether management will be happy with the detailed reports? Should we pick the product with the best reporting? (Headache, part 3.)

Going up a level, we can check product lists to see how a product was rated under TCSEC (Trusted Computer System Evaluation Criteria), ITSEC (Information Technology Security Evaluation Criteria) or the Common Criteria (CC), and where it sits on the rating scale. Yet once we buy the product with the best rating and install it in the company's environment, security is still not guaranteed. Security comes from how the system is administered, from physical security, from how it is installed, from the configuration inside the environment and from continuous monitoring. To be fair, a system is secure only when all of these items have been considered and properly accounted for. Evaluation is therefore only one piece of the security picture.

So how do we complete the picture? There is a formal way to make sure the security device chosen is put where it fits its function, and in addition a manager with the right authority has to take responsibility for putting the system into operation. These actions are called Certification and Accreditation (C&A):

1. The goal of the Certification phase is to ensure that the security device or system is fit for the business purpose. This phase evaluates the system's safeguards and carries out risk analysis, verification, testing and technical audit to examine how well the system fits the specific environment. It ensures that the system or device suits its tasks and purpose and does not degrade the performance of the operating environment.

2. The Accreditation phase is the formal acceptance, by management with the appropriate authority, that the system is capable of meeting the organisation's needs in both functionality and level of assurance.

In short, Certification is the technical evaluation of the security mechanisms of a system, solution or security device and of their effectiveness. Accreditation is management's formal acceptance of the risks found during Certification. The C&A process must be repeated whenever the system or its environment changes, and/or periodically.


By now you may be asking why the budget for equipment and solutions has hardly been mentioned. Reaching the Accreditation stage means accepting the levels of risk the business can live with. That implies running a risk-management process for the system, with the steps needed to remove or mitigate vulnerabilities and weaknesses until the risk is at an acceptable level. The risk-management process covers cost-benefit analysis, risk assessment, selection of solutions, implementation, testing and evaluation of the security controls.

For a deeper and more concrete understanding of C&A, see the two assessment processes NIACAP (National Information Assurance Certification and Accreditation Process) and DIACAP (DoD Information Assurance Certification and Accreditation Process) and the NIST documents on C&A:

- NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
- NIST Special Publication 800-53, Security Controls for Federal Information Systems (interim guidance)
- NIST Special Publication 800-53A, Techniques and Procedures for Verifying the Effectiveness of Security Controls in Federal Information Systems
- NIST Special Publication 800-59, Guideline for Identifying an Information System as a National Security System
- NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Objectives and Risk Levels

Note that these are the original editions. NIST SP 800-37 Revision 1 (2010) recast C&A as the Risk Management Framework (RMF), in which certification becomes security control assessment and accreditation becomes authorisation to operate, and the DoD replaced DIACAP with the RMF in 2014. The activities are the same; only the names changed.

Author: Lê Nguyễn Vĩnh Phú
Master of Computer Science, MBA, MCSE
More than nine years of IT experience in banking, covering systems, networking, security and IT governance. He enjoys researching, applying and sharing management solutions in technology that improve productivity at work. He currently heads network systems at a bank in Ho Chi Minh City.

Copyright CISSP & ATTT group. If you republish, please credit: Source: CISSP & ATTT
For details, contact: cissp.attt@gmail.com
