GB/T 36627-2018   Information security technology—Testing and evaluation technical guide for classified cybersecurity protection (English Version)
Standard No.: GB/T 36627-2018
English Name: Information security technology—Testing and evaluation technical guide for classified cybersecurity protection
Chinese Name: 信息安全技术 网络安全等级保护测试评估技术指南
Chinese Classification: L80    Data encryption
Professional Classification: GB    National Standard
Issued by: SAMR; SAC
Issued on: 2018-09-17
Implemented on: 2019-4-1
Status: valid
Language: English
File Format: PDF
Word Count: 8500 words
Price(USD): 250.0
Delivery: via email in 1 business day
Foreword

Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.

This standard is developed in accordance with the rules given in GB/T 1.1-2009.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. The issuing body of this document shall not be responsible for identifying any or all such patent rights.

This standard was proposed by and is under the jurisdiction of the National Technical Committee on Information Security of Standardization Administration of China (SAC/TC 260).

Introduction

The testing and evaluation process of classified cybersecurity protection consists of four basic activities: the testing and evaluation preparation activity, the scheme development activity, the on-site testing and evaluation activity and the report development activity. This standard provides guidance for the selection and implementation of the testing and evaluation technologies involved in the scheme development activity and the on-site testing and evaluation activity.

The testing and evaluation standards related to classified cybersecurity protection mainly include GB/T 22239, GB/T 28448 and GB/T 28449. Among them, GB/T 22239 is the basic standard for the testing and evaluation of classified cybersecurity protection. GB/T 28448 puts forward the testing and evaluation requirements for the different cybersecurity classes according to the requirements specified in GB/T 22239. GB/T 28449 mainly specifies the testing and evaluation process of classified cybersecurity protection.

The difference between this standard and GB/T 28448 and GB/T 28449 is that GB/T 28448 mainly describes the specific requirements and process for the testing and evaluation of targets of classified protection at all levels, while GB/T 28449 mainly gives guidance on the activities, work tasks and input/output products of each task in the testing and evaluation of classified cybersecurity protection, and does not cover specific testing methods and technologies. This standard classifies and defines the relevant testing and evaluation technologies used in the testing and evaluation of classified cybersecurity protection, systematically summarizes and explains the technical methods of testing and evaluation, outlines the elements of technical security testing and evaluation, focuses on the functions and principles of specific technologies, and puts forward suggestions for their use. Therefore, this standard can be used as a supplement to GB/T 28448 and GB/T 28449 when applied to the testing and evaluation of classified cybersecurity protection.

Information security technology - Testing and evaluation technical guide for classified cybersecurity protection

1 Scope

This standard gives the classification and definition of the relevant testing and evaluation technologies in the testing and evaluation of classified cybersecurity protection (hereinafter referred to as "classified testing and evaluation"), puts forward the elements and principles of technical testing and evaluation, and puts forward suggestions on the analysis and application of testing and evaluation results.

This standard is applicable to the classified testing and evaluation of targets of classified cybersecurity protection (hereinafter referred to as "targets of classified protection") carried out by testing and evaluation institutions, and to the security evaluation of the status of targets of classified protection carried out by the competent departments and operating units of those targets.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

GB 17859-1999 Classified criteria for security protection of computer information system
GB/T 25069-2010 Information security technology - Glossary

3 Terms, definitions and abbreviations

3.1 Terms and definitions

For the purposes of this document, the terms and definitions given in GB 17859-1999 and GB/T 25069-2010 and the following apply.

3.1.1 dictionary attack
a type of password-cracking attack that tries the words or phrases in a user-defined dictionary one by one

3.1.2 file integrity checking
a technique that establishes a file verification database by computing and storing a checksum for each protected file, then recomputes the checksum and compares the current value with the stored value, thereby identifying whether the file has been modified

3.1.3 network sniffer
a passive technology that monitors network communication, decodes protocols and inspects the headers and payloads of interest; it is also a target identification and analysis technology

3.1.4 rule set
a set of rules against which network traffic or system activity is compared in order to determine the response measure, e.g. sending or denying a packet, creating an alert, or allowing a system event

3.1.5 target of testing and evaluation
the target of the different testing and evaluation methods in classified testing and evaluation, mainly involving the related information systems, supporting system files, devices, facilities and personnel

3.2 Abbreviations

For the purposes of this document, the following abbreviations apply.

CNVD: China National Vulnerability Database
DNS: Domain Name System
DDoS: Distributed Denial of Service
ICMP: Internet Control Message Protocol
IDS: Intrusion Detection System
IPS: Intrusion Prevention System
MAC: Media Access Control
SSH: Secure Shell
SSID: Service Set Identifier
SQL: Structured Query Language
VPN: Virtual Private Network

4 General

4.1 Technology classification

The testing and evaluation technologies that can be used for classified testing and evaluation are divided into the following three categories:

a) Checking technology: testing and evaluation technology that checks information systems, supporting system documents, devices and facilities, and discovers security vulnerabilities in the relevant procedures and policies. Manual methods are usually adopted, mainly including document checking, log checking, rule set checking, system configuration checking, file integrity checking and password checking.

b) Identification and analysis technology: testing and evaluation technology that identifies systems, ports, services and potential security vulnerabilities. These technologies can be applied manually or with automated tools, and mainly include network sniffing, network port and service identification, vulnerability scanning and wireless scanning.

c) Vulnerability validation technology: testing and evaluation technology that verifies whether a vulnerability actually exists. Based on the results of checking and of target identification and analysis, targeted manual work or automated tools, mainly including password cracking, penetration testing and remote access testing, are used to verify the suspected security vulnerabilities and obtain evidence.

4.2 Technology selection

When selecting and determining the technical methods to be used for classified testing and evaluation activities, the factors to be considered include but are not limited to the target of testing and evaluation, the applicability of the testing and evaluation technology, and the security risks that the technology may introduce to the target of testing and evaluation, so that appropriate technical methods are chosen.

When the selected technical method may affect the target of testing and evaluation during its execution, priority should be given to testing a non-production system with the same configuration as the production system of the target, to testing outside business hours, or to testing during business hours only with risk-controlled technical methods, so as to minimize the impact on the business of the target of testing and evaluation.

The testing and evaluation results generated by technical testing and evaluation can be used for threat analysis of the targets of testing and evaluation, for proposing improvements and for generating result reports. See Annex A for details.

5 Requirements for classified testing and evaluation

5.1 Checking technology

5.1.1 Document checking

The main function of document checking is to evaluate the technical accuracy and completeness of the policies and procedures of the target of classified protection, based on the documents provided by its operating unit. The following evaluation elements can be considered when performing document checking:

a) Targets of checking include security policies, architecture and requirements, standard operating procedures, system security plans and authorization permits, technical specifications for system interconnection, incident response plans, etc., so as to ensure their technical accuracy and completeness;

b) Checking the completeness of documents such as security policies, architecture and requirements, standard operating procedures, system security plans and authorization permits, technical specifications for system interconnection and incident response plans, and confirming that the tested party's security measures are implemented consistently with the system documents by checking execution records and the corresponding forms;

c) Finding defects and weaknesses that may lead to the omission or improper implementation of security control measures;

d) Verifying whether the documents of the target of testing and evaluation are consistent with the standards, laws and regulations for classified cybersecurity protection, and searching for defective or outdated policies;

e) The results of document checking can be used to adjust other testing technologies. For example, when the password management policy specifies minimum password length and complexity requirements, this information shall be used to configure password cracking tools to improve password cracking efficiency.
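The baseline-and-compare procedure that definition 3.1.2 (file integrity checking) describes, as an added Python example that is not text from the standard: a verification database is built from a per-file SHA-256 digest, and a later pass recomputes and compares to classify each file as modified, missing or added. The file tree and its contents are constructed here, and the same-size edit shows why the stored digest, not the file size, is what detects the change.

```python
"""File integrity checking as in GB/T 36627-2018 definition 3.1.2:
compute and store a checksum per protected file (the verification
database), later recompute and compare with the stored value.
Added example; the monitored file tree below is constructed."""
import hashlib
import json
import os
import tempfile

CHUNK = 65536


def file_digest(path):
    """Stream the file through SHA-256 so large files are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Walk `root` and record digest and size per file, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": file_digest(full),
                             "size": os.path.getsize(full)}
    return baseline


def save_baseline(baseline, db_path):
    with open(db_path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(db_path):
    with open(db_path) as f:
        return json.load(f)


def verify(root, baseline):
    """Recompute every digest and classify each difference against the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current
                           and current[p]["sha256"] != baseline[p]["sha256"]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo_scenario():
    """Constructed scenario: baseline three files, then tamper with the tree.
    Returns the verify() report so the outcome can be inspected or asserted."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "etc"))
        for rel, data in {"etc/app.conf": b"log_level=info\n",
                          "etc/hosts": b"127.0.0.1 localhost\n",
                          "app.bin": b"\x7fELF" + bytes(64)}.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        # Keep the verification database outside the monitored tree.
        db = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), db)

        # Tamper: a same-size edit (size alone would miss it), a deletion, a new file.
        with open(os.path.join(root, "etc", "app.conf"), "wb") as f:
            f.write(b"log_level=warn\n")
        os.remove(os.path.join(root, "app.bin"))
        with open(os.path.join(root, "etc", "notes.txt"), "wb") as f:
            f.write(b"added after baseline\n")

        return verify(root, load_baseline(db))


if __name__ == "__main__":
    print(json.dumps(demo_scenario(), indent=2))
```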
Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms, definitions and abbreviations
3.1 Terms and definitions
3.2 Abbreviations
4 General
4.1 Technology classification
4.2 Technology selection
5 Requirements for classified testing and evaluation
5.1 Checking technology
5.1.1 Document checking
5.1.2 Log checking
5.1.3 Rule set checking
5.1.4 Configuration checking
5.1.5 File integrity checking
5.1.6 Password checking
5.2 Identification and analysis technology
5.2.1 Network sniffer
5.2.2 Network port and service identification
5.2.3 Vulnerability scanning
5.2.4 Wireless scanning
5.3 Vulnerability validation technology
5.3.1 Password cracking
5.3.2 Penetration test
5.3.3 Remote access testing
Annex A (Informative) Post-testing and evaluation activities
Annex B (Informative) Description of concepts related to penetration testing
Bibliography
Referred in GB/T 36627-2018:
*GB 17859-1999 Classified criteria for security protection of computer information system
*GB/T 25069-2010 Information security technology—Glossary
*GB/T 20269-2006 Information security technology - Information system security management requirements
*GB/T 20270-2006 Information security technology - Basis security techniques requirement for network
*GB/T 20282-2006 Information security technology - Information system security engineering management requirements
*GB/T 22239-2019 Information security technology—Baseline for classified protection of cybersecurity
*GB/T 28448-2019 Information security technology—Evaluation requirement for classified protection of cybersecurity
*GB/T 28449-2018 Information security technology - Testing and evaluation process guide for classified protection of cybersecurity
GB/T 36627-2018 is referred in:
*GB/T 36654-2018 RF technical requirements and test methods for 76 GHz vehicle radio equipment
*GB/T 36588-2018 Safety devices for protection against excessive pressure—Common data