Situational Awareness Solution for Government Websites

I. Background

According to the 37th China Internet Development Statistics Report published by China Internet Network Information Center (CNNIC), the number of Chinese websites keeps growing rapidly and the number of Chinese web pages has outstripped 200 billion for the first time. However, the security protection abilities of the web are still vulnerable. The Cyberspace Administration of China has monitored and investigated the websites of prefectures, cities and counties with the gov.cn domain name across the country from 2013 to 2015. It is found that 76% of government websites have security risks, and some websites have vulnerable site control. With the rapid development of the Internet, prefecture-level governments pay more attention to network security.

II. Solution overview

H3C SecCenter CSAP-WEB focuses on the characteristics of hacker attacks and the compliance with the corresponding national policies. It provides customers with active website security monitoring and detection in the form of cloud SaaS through technologies such as crawler technology, sandbox technology, and vulnerability scanning to actively safeguard website security and monitor website vulnerabilities. It also provides professional suggestions to reduce security risks and provides 7/24 monitoring to ensure continuity. When an unexpected attack occurs, it responds to and handles the attack timely, enabling the construction of a complete website security system. It monitors a wide range of websites by using automation technologies, which reduces labor costs. With all-round monitoring through unified indicators, it provides a technical basis and key indicators for unified supervision.

III. Solution features

Availability monitoring

HTTP monitoring: Calculates the actual time required to open the website from the monitoring node by initiating an HTTP request to the URL of the monitoring website.

DNS monitoring: The web monitoring center can send the DNS request packet of the monitored website to a designated DNS server, and determine whether the domain name resolution service of the website is available based on the calculated DNS response time, the domain name resolution result, and the preset threshold.

PING monitoring: The web monitoring center can calculate the actual response time of the ICMP response packet by sending the ICMP request packet to the monitored website.

Compliance monitoring

Remote web change monitoring service: Uses content matching algorithms and preset sensitivity to reduce false alarm rate.

Remote sensitive information monitoring service: Detects the sensitive information of the monitored website.

Remote malicious URL monitoring service: Detects malicious links such as hidden web links and bridge pages.

Security monitoring

Web vulnerability scanning and detection service: Analyzes the website structure and vulnerability and obtains the website vulnerability status and repair suggestions in a timely manner.

Host system vulnerability scanning and detection service: Obtains the host IP address and scans and detects vulnerabilities of the host, network devices, operating systems, databases, and application systems.

Phishing detection service: Uses domain name matching and fuzzy matching to determine whether a website is a phishing website.

Trojan detection service: Determines whether a web page is hanging horses based on sandbox detection and static rule matching detection.

Weak password check and detection service: Performs remote automatic scanning of websites based on scheduled tasks to obtain the usernames and passwords of the websites.

Webshell detection service: Provides plug-ins for local scanning of files, including common script files such as ASP, PHP, ASPX, JSP, and Perl.

Diverse ecological support

Supports distributed deployment to meet the deployment requirements of multiple scenarios.

Provides standard interfaces, enabling third-party vendors to access the security logs