
Information Security: The Big Picture – Part II


DOCUMENT INFORMATION

Basic information

Title: Information Security: The Big Picture – Part II
Author: Stephen Fried
Institution: SANS Institute
Category: Essay
Year published: 2000
City: United States
Pages: 33
Size: 1.18 MB


Contents


Page 1

Information Security: The Big Picture - SANS GIAC © 2000 1

Information Security:

The Big Picture – Part II

Stephen Fried

Page 2

International Standards & Policies

• Trusted Computer System Evaluation Criteria (TCSEC – Orange Book) (1985)

• Trusted Network Interpretation (TNI) (1987)

• ITSEC

In most industries there is a common set of rules and procedures that govern that industry. The rules may be imposed by the industry itself or they may be imposed by governmental and legal requirements. Examples of such standards in the US would be the Uniform Commercial Code that governs commercial transactions across the United States, or various national and local building codes that govern how structures are to be built.

Many attempts have been made to standardize the practices and policies across the security industry as well. Unfortunately, because the information security field has been constantly evolving over the last several decades, there has been no unified consensus on what constitutes good security practice, how those practices should be defined, and how security should be measured. However, over the years several attempts have stood out as having considerable merit and weight, and thus have risen to the level of standards. In some areas, such as government computer security, these standards are mandatory. A side effect of these has been that private industry has picked up on them as well.

One of the first standard attempts was the Trusted Computer System Evaluation Criteria, or TCSEC. It is also known as the Orange Book, because of the bright orange cover in its original printing. The TCSEC was developed by the US government in the 1980s to provide a standard for manufacturers as to what security features to build into new government systems. It was also used as evaluation criteria for the government to determine the degree of trust that can be placed in a computer system. The TCSEC divided security into four levels, labeled A through D. Some of the levels had several different sub-levels, so the highest rating a system could achieve was A1, while the lowest was level D. Despite several problems with certifying and implementing the requirements in systems that were actually usable, the TCSEC served its intended purpose for many years.

One shortcoming of the TCSEC was that it was valid only for stand-alone computers. If a computer was connected to a network it was no longer eligible for TCSEC evaluation. Thus, in 1987 the US Government developed the Trusted Network Interpretation to the TCSEC, or TNI. The purpose of the TNI was to provide interpretations of the TCSEC for trusted computer and communication network systems.

One aspect of the TCSEC that gained wide criticism was that it addressed primarily confidentiality issues and largely ignored integrity and availability issues. In addition, the TCSEC was a US government effort. Many countries, particularly in Europe, felt it did not address international issues. As a result, several European countries developed the International Technology Security Evaluation Criteria, or ITSEC. The ITSEC combined the Orange Book criteria with several of its European counterparts. In addition, it covered the integrity and availability issues that the TCSEC

Page 3

International Standards & Policies

• Common Criteria

• BS7799

The Common Criteria represents the outcome of international efforts to align and develop the existing European and North American security evaluation criteria. The Common Criteria project harmonizes ITSEC, the CTCPEC (from Canada) and US Federal Criteria (FC) into the Common Criteria for Information Technology Security Evaluation (CC). The purpose of the Common Criteria is to evaluate products and systems and to state security requirements in a standardized way internationally. It is increasingly replacing national and regional criteria with a worldwide set accepted by the International Standards Organization. Like the TCSEC, the Common Criteria has seven assurance levels, labeled EAL1 up to EAL7. Each level has a rough counterpart in the TCSEC. Currently, government agencies from Canada, France, Germany, the Netherlands, the United Kingdom and the United States sponsor the project. The latest version has now been ratified as ISO standard 15408.

The latest entry in the standards effort has come from the United Kingdom. The BS7799 standard was developed in 1995 to provide a comprehensive set of controls comprising the best practices in information security. It is intended to serve as a single reference point for identifying the range of controls needed where information systems are used in industry and commerce. The latest revision to BS7799 was published in 1999. Of all the international standards efforts, BS7799 seems to be gaining the most support globally.

Page 4

Due Care

• Legalese

– Conducting business in a non-negligent manner

– Doing what any “reasonable person” would do under similar circumstances

– Usual and customary conduct

• English

– Doing what everyone else does that is prudent and common to protect your interests

In many aspects of security, you will meet up with the concept of due care. You can see some of the legal definitions in the slide, but, in short, due care is the concept of implementing security measures that are generally accepted to be prudent and common. If everybody is doing something, you should be doing it, too.

Why is due care important? It gives you basic legal protection against negligence. If you have a security incident and, for some reason, you get sued, you will need to be able to show that you at least took the generally accepted and reasonable steps to secure your systems and information. This doesn’t mean you need to have done everything possible and installed all the latest and greatest security mechanisms; you just have to have taken the generally reasonable precautions.

Proving your due care efforts will not guarantee that you will successfully defend against any lawsuits. It only means that you will probably not lose outright.

Practicing due care standards also does not mean that you will have an extremely effective security defense. Remember, due care means you have taken basic, minimally accepted steps. It does not mean that you have done all you could have done. To have an effective security program you will have to do everything you can do to ensure complete coverage of all aspects of security protections. Due care is a good place to start, but you don’t want to stop there.

Page 5

Policies

• The cornerstone of your security effort

• Should reflect your security stance

• Let people know what’s expected

• Define Rules of the Road

– Responsibility

– Accountability

– Consequences

• Should reflect your organization

• Should change as circumstances change

All organizations need to have a security policy. The security policy is where you define how your organization feels about security and how those feelings affect the members of the organization. In effect, the security policy becomes the cornerstone of the security effort. The security policy should reflect your security stance. Do you support strong, restrictive security efforts (as most corporations do) or is your environment more open (like many academic environments)? These answers will have a bearing on your overall stance and be reflected in your policies.

Security policies also let people know what is expected of them. You can’t hold people responsible for following the rules if they don’t know what those rules are. Clearly defined policies, when combined with an effective awareness program, will go a long way toward enhancing your security efforts.

Security policies effectively define the rules of the road for your organization. First, they define who has responsibility for what activities and who needs to take action based on those responsibilities. Second, they define who has accountability for activities. Often, the people or groups responsible for executing a function are acting on behalf of another group that has ultimate ownership and accountability for that activity. Your policies should acknowledge this duality and account for it. Finally, the policies should explain the consequences for not following the policies. These consequences may be monetary fines, disciplinary action, or even civil or criminal penalties.

Your security policies should ultimately be a reflection of your organization, and you can learn a lot about an organization by examining its security policies. You can tell what areas are important to the organization and what areas they are less concerned about. You can learn if they are a permissive company or a restrictive one. You can tell how they feel about Internet access, personal use of e-mail and computers, handling of sensitive information, and a whole host of other organizational traits.

No matter how much effort you put into creating your security policies, and how complete you may feel they are, you must leave room for change. Organizations change over time, and the way you feel about some aspects of security may not be the way you feel a year or two from now. You need to leave room in your policies for change. This change can come from within the security organization or it may come from your user or business partner community. Whatever the source, you need to account for change in your policies.

Page 6

Security Through Obscurity

• Hiding security mechanisms in an attempt to keep them secure

• Use trade secrets, patents, NDAs, etc.

• Will only delay, not stop, attacks

– The Bad Guys already know how to get in

– Provides a false sense of security

• Be cautious, but not paranoid

• Best security is open, available, and verifiable

Many people believe that security is all about secrecy. The belief is that the more you keep information about your security mechanisms hidden, the harder it will be for potential attackers to be successful. This is commonly called “Security Through Obscurity.” We see this in many examples in real life. Software companies won’t discuss the details of their product’s security for fear it will be attacked. And some companies won’t discuss their security policies for fear of giving away company secrets.

There are other ways to keep security information secret. Many products that use proprietary algorithms will use patents or trade secret laws to hide their mechanisms. Some companies use Non-Disclosure Agreements to protect their security processes from disclosure, and the list goes on.

However, these efforts fail to realize one of the basic truths about security and security mechanisms: sometimes the best security mechanism is one that is out in plain view for all to see. The best security in use today, from locks, to access controls, to encryption systems, has been used for a number of years. It has been reviewed by experts numerous times and been continuously refined based on their findings. There are no secret keys, no back doors, and all known attacks have been documented and hopefully corrected. Hiding the security mechanisms will only delay the bad guys for a while, if at all. Worse yet, reliance on Security Through Obscurity provides a false sense of security for the user. They may feel they are protected by the so-called “secret formula,” but in reality they are relying on a possibly unproven technology or mechanism.

The moral of this story is that customers, vendors, and users of security should be cautious about the secrecy of the mechanisms. They should have a solid understanding of how a mechanism works and have a high comfort level that it fits their security needs. But they shouldn’t be too paranoid about the secrecy of the process. Again, the best security available is open and available. It has been verified by experts in the field and enjoyed extensive use and testing. Avoid Security Through Obscurity as much as possible.

Page 7

Business Continuity Planning

• “What if something bad happens?”

• Business Continuity vs Disaster Recovery

• Multiple layers, multiple plans

• Y2K – The Ultimate BCP

An important part of your operational strategy should be the formulation of a business continuity plan. The business continuity plan answers the question, “What if something bad happened to my business?” The “something bad” may vary. It can be as simple as a disk crash or as serious as a large building fire, but it means some sort of interruption to your business, and you had better be prepared.

My office building sits right next to a major interstate highway in New Jersey. Three or four times a year some clown driving a tanker truck of dangerous chemicals decides to flip over his rig on the highway. Occasionally, we even have to evacuate the building until the chemicals are cleared away. Does my facility have a business continuity plan? You bet! Would we be able to continue our operation in the event we were not able to return to the building for a few days? Yes, we would. A well-planned business continuity plan enables you to anticipate emergencies instead of just reacting to them.

You may often hear the terms “Business Continuity” and “Disaster Recovery” used interchangeably, and in many cases they mean virtually the same thing. However, there is a slight difference between the two. The term “Business Continuity” refers to the activities required to keep your organization running during a period of displacement or interruption of normal operations. Even if your building burns down, your customers still need their orders filled and your creditors still want their money. You need to be able to get back into operation as quickly as possible. That’s business continuity.

“Disaster Recovery” is the process of rebuilding your operation or infrastructure after the disaster has passed. It is linked to your business continuity plan, but it is a separate and distinct process. Once you have enacted your business continuity plan to keep your business running during and after the disaster, you enact your disaster recovery plan to begin the process of getting your business back into “normal” operation.

Business continuity planning can be an extremely complex task. For one thing, there are often multiple layers of planning. Starting simply, you may have a plan for a disk or tape failure in your data center. Next, you might plan for a major application to crash, potentially losing vital information. Next, you may plan for a major building fire or explosion in your data center.

Then, things get interesting. What if there is a nuclear explosion and your town is uninhabitable for the next century or so? A wild example? Not if you work for the Chernobyl Power and Light Company. What if a truck bomb explodes in front of your building, killing dozens of your employees? Sound farfetched? Not if you work for the Federal government in Oklahoma City. True, these may not be everyday occurrences, but depending on your business, your location, or any number of other factors you may have to take these types of situations into account. A complete, well-thought-out business continuity plan will have multiple layers and multiple plans to handle a wide variety of situations.

Perhaps the most widely known business continuity plan was the Y2K effort. Unless you have been living in a cave for the past five years or so, you know all about the Y2K planning effort. Many of you were probably involved in these efforts at your jobs. A major part of Y2K planning was preparing for the worst. What if the power failed? What if the communication lines went dead? All these scenarios had to be examined and dealt with, making Y2K possibly the largest business continuity planning effort in history.

Page 8

5. Implement the Plan

6. Test the Plan

7. Modify the Plan (continuously)

There are a number of basic steps that have to be performed in order to create a good business continuity plan.

First, you have to define the scope of the plan. Are you worried about a single application failure or a major network outage? If you make the scope too small you will need a separate plan for each individual element in your operation or organization. If you make the scope too large you risk getting bogged down in too much detail and interdependency between parts of the plan.

Next, you must perform a Business Impact Analysis, or BIA. The BIA will help you determine the actual impact the defined disaster will have on your business. The BIA should account for all the processes and organizations upon which the target area relies as well as all the processes and organizations that rely on the target for their own operation. Once you have completed the BIA, you will have a good idea how much effort you need to put into business continuity plans for the target area as well as the areas of dependent operations.

Next you need to define your recovery strategy. This is the statement of overall intent with respect to business continuity. Do you intend to recover fully or just write off the lost part of the business? Do you want to use fully redundant systems or just a few cold spares? These issues define how you will approach your BCP and DR efforts.

Next you will develop the actual business continuity plan. This is the tactical, step-by-step process for enabling your business to continue during an emergency. In the plan you will define who is responsible for what activities, when those activities should take place, and how they should operate. The plan should be clear enough that anyone can pick it up and begin implementing it.

Next, you need to implement the plan. No, this doesn’t mean creating an actual disaster to see if your plan works, but it does mean putting everything in place to make sure you are ready. Make sure people know what their responsibilities are and make sure all the resources and equipment you need to enact the plan are in place before you need them. When the disaster hits it is too late.

Next, you need to test the plan. Again, you don’t need to create a real disaster, but you can simulate one well enough to see if your plan works. Test if the right people are in the right place at the right time, and make sure they have all the resources they need to get the job done. Testing the plan is the only way to ensure all will work well when an actual disaster strikes.

Once you test the plan you will undoubtedly find things that did not go strictly according to plan. Or, you may find that some conditions have changed since the plan was originally developed. For these reasons you need to continuously modify the plan, keeping up to date with whatever changes need to be accounted for.

By following these simple steps, you will be well on the way toward creating a robust business continuity plan.

Page 9

User and Role Based Security (1)

• User Based – Access is assigned per user

– Easy to understand

– Good for small groups of users & objects

• Role Based – Access is assigned by “roles”

– Better for large numbers of users/objects

There are many methods of assigning access to systems and information in a computer system or network. One method is called “User Based” security. In user based security, each user is given a unique identity in the system. Each time the user tries to access an object, for example a file or a disk drive, the user’s identity is checked against a list of the users that are allowed to access that object. If the user is on the list, they pass. If the user is not on the list, their access is denied.

User based security works well in a variety of situations. It is also the easiest to understand. For each object, all you need to do is come up with a list of people that are allowed to access that object. Unfortunately, user-based access security begins to break down when you reach a high number of objects and a large number of people that need to access those objects. For example, suppose you have ten users and ten objects that they need to access. In the worst case (assuming you want the tightest security possible) you would need 100 specifications (10 * 10) to make sure you covered each person and each object. Maybe a hundred isn’t that bad, but if you have 150,000 users and a couple of hundred thousand objects, it gets unmanageable pretty fast.

One answer to this problem is called “Role Based” security. With role-based security, each user is assigned not only an ID on the system, but also a role to play. Each object is then given a list of what user roles are allowed to access that object. For example, suppose you had roles for Secretary, Engineer, and Accountant. Each user in your system would be assigned to one of those three roles. Each object in the system would then be tagged as being accessible by Secretaries, Accountants, or Engineers. You will still need to tag each item as to which role is permitted access, but role-based access makes it a lot easier. Using our previous example of ten users and ten objects, we will now split the users into the 3 roles. Assuming there are 3 secretaries, 3 engineers, and 4 accountants, each object will then only need at most 3 entries, one each for Secretaries, Engineers, and Accountants. This leaves a maximum of 30 entries, rather than the 100 in the previous example.

Page 10

User and Role Based Security (2)

• As people change jobs, “roles” change

• As people enter and leave organization, roles are assigned and removed

• As objects and applications change, roles can be re-assigned accordingly

One of the big advantages of role-based security is that by assigning someone to a particular group, access permissions to objects can be automatically assigned without changing any of the permissions on the objects themselves. If a file is permitted to be viewed only by the Accountant group, by assigning a user to the Accountant group you are automatically giving them permission to that file. The better you determine and assign your roles, the better you can control access to your resources.

Second, as people change jobs and roles in your organization their access changes automatically. When the secretary gets promoted to the Accounting department, by changing their role from Secretary to Accountant, you automatically give them access to a completely different set of objects quickly and easily.

Third, as people enter and leave the organization, their role in the access control mechanism will be fairly straightforward and clear. Depending on the job they are doing, you assign them a role and off they go. There is no need to determine what resources they need to access; that has already been predetermined.

Finally, as objects and applications change, you can change the user roles that are allowed to access those objects and applications. If you decide that the Engineers no longer need access to an object, you don’t need to figure out what users are Engineers, you just remove access to the Engineer role.

Role-based security is not the last word in access control, but when used effectively it can be a valuable tool in controlling access to resources on your network.
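To make the user-based versus role-based comparison from the two slides above concrete, here is an added Python model (example code, not code from the SANS course): it builds the ten-user, ten-object worst case, counts the 100 versus 30 access entries, and then shows a promotion and a role revocation changing who can reach an object without touching the object lists. The user and object names, the "ledger" object and the 3/3/4 split of secretaries, engineers and accountants are constructed for the example.

```python
from typing import Dict, Set, Tuple


class UserBasedACL:
    """User-based security: each object carries the user identities allowed to reach it."""

    def __init__(self) -> None:
        self.acl: Dict[str, Set[str]] = {}  # object -> allowed user ids

    def grant(self, obj: str, user: str) -> None:
        self.acl.setdefault(obj, set()).add(user)

    def is_allowed(self, user: str, obj: str) -> bool:
        # Default deny: an object with no list, or a user not on it, fails the check.
        return user in self.acl.get(obj, set())

    def entry_count(self) -> int:
        # Number of (object, user) specifications the administrator must maintain.
        return sum(len(users) for users in self.acl.values())


class RoleBasedACL:
    """Role-based security: users carry one role; each object lists the roles allowed."""

    def __init__(self) -> None:
        self.user_role: Dict[str, str] = {}  # user id -> role
        self.acl: Dict[str, Set[str]] = {}   # object -> allowed roles

    def assign_role(self, user: str, role: str) -> None:
        self.user_role[user] = role          # one role per user, as on the slide

    def remove_user(self, user: str) -> None:
        self.user_role.pop(user, None)       # leaver: drop the role, access goes with it

    def grant_role(self, obj: str, role: str) -> None:
        self.acl.setdefault(obj, set()).add(role)

    def revoke_role(self, obj: str, role: str) -> None:
        self.acl.get(obj, set()).discard(role)

    def is_allowed(self, user: str, obj: str) -> bool:
        role = self.user_role.get(user)      # unknown user -> no role -> deny
        return role is not None and role in self.acl.get(obj, set())

    def entry_count(self) -> int:
        # Number of (object, role) specifications; independent of the user count.
        return sum(len(roles) for roles in self.acl.values())


# Constructed sample population matching the slide: 10 users, 10 objects,
# 3 secretaries, 3 engineers and 4 accountants.
USERS = [f"user{i}" for i in range(10)]
OBJECTS = [f"obj{i}" for i in range(10)]
ROLES = ["Secretary"] * 3 + ["Engineer"] * 3 + ["Accountant"] * 4


def build_slide_example() -> Tuple[UserBasedACL, RoleBasedACL]:
    """Worst case from the slide: every user needs access to every object."""
    ub = UserBasedACL()
    for obj in OBJECTS:
        for user in USERS:
            ub.grant(obj, user)              # 10 * 10 = 100 entries

    rb = RoleBasedACL()
    for user, role in zip(USERS, ROLES):
        rb.assign_role(user, role)
    for obj in OBJECTS:
        for role in ("Secretary", "Engineer", "Accountant"):
            rb.grant_role(obj, role)         # 10 * 3 = 30 entries
    return ub, rb


def promotion_demo() -> Tuple[bool, bool, Set[str]]:
    """A secretary is promoted into Accounting: only the user's role changes.
    Returns (access before, access after, the ledger's role list afterwards)."""
    _, rb = build_slide_example()
    rb.grant_role("ledger", "Accountant")       # constructed object, accountants only
    before = rb.is_allowed("user0", "ledger")   # user0 is a Secretary -> denied
    rb.assign_role("user0", "Accountant")       # the promotion
    after = rb.is_allowed("user0", "ledger")    # now allowed; the ledger ACL is untouched
    return before, after, rb.acl["ledger"]


def revoke_engineers_demo() -> bool:
    """Engineers no longer need obj0: one ACL change cuts off every engineer."""
    _, rb = build_slide_example()
    rb.revoke_role("obj0", "Engineer")
    engineers = [u for u, r in rb.user_role.items() if r == "Engineer"]
    return not any(rb.is_allowed(u, "obj0") for u in engineers)
```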

Page 11

Security Organizations

• Computer Security Institute (CSI) – www.gocsi.com

• System Administration, Networking, and Security Institute (SANS) – www.sans.org

• International Information System Security Certification Consortium (ISC)2 – www.isc2.org

• Information Security Forum (ISF) – www.securityforum.org

• Computer Emergency Response Team (CERT) – www.cert.org

• Computer Incident Advisory Capability (CIAC) – www.ciac.org

As you progress in the information security field there are a number of ways to get more involved in the security community. One way is through association and memberships in any number of national or international organizations devoted to the advancement of the security profession. This slide shows most of the more popular and reputable organizations. Please note that the information I have on these organizations was taken mostly from the web sites of the various organizations themselves.

The Computer Security Institute (CSI) is a membership organization specifically dedicated to serving and training the information, computer and network security professional. Since 1974, CSI has been providing education and aggressively advocating the critical importance of protecting information assets. Information on CSI can be found at www.gocsi.com.

The SANS (System Administration, Networking, and Security) Institute is a cooperative research and education organization through which more than 96,000 system administrators, security professionals, and network administrators share the lessons they are learning and find solutions for challenges they face. SANS was founded in 1989. The core of the Institute is the many security practitioners in government agencies, corporations, and universities around the world who invest hundreds of hours each year in research and teaching to help the entire SANS community. The SANS community creates three types of products: system and security alerts and news updates, special research projects and publications, and in-depth education. SANS can be found at www.sans.org.

The International Information System Security Certification Consortium (ISC)² is an international organization dedicated to the certification of Information Systems Security professionals and practitioners. (ISC)² grants the "Certified Information Systems Security Practitioner" (CISSP) designation to information systems security practitioners. Candidates are required to pass a rigorous CISSP examination and subscribe to the (ISC)² Code of Ethics. (ISC)² can be found at www.isc2.org.

The Information Security Forum (ISF) is an independent, not-for-profit association of the world's leading organizations who recognize the importance of protecting their business information. The Forum undertakes an extensive work program, and provides members with the opportunity to develop best practices and share a wealth of experience and expertise. Funded by a substantial membership fee, the Forum helps to ensure that members can adopt leading edge security practices without incurring the expense of developing individual solutions. ISF can be found at www.securityforum.org.

The CERT Coordination Center is part of the Survivable Systems Initiative at the Software Engineering Institute at Carnegie Mellon University. It was started by DARPA (the Defense Applied Research Projects Agency, part of the U.S. Department of Defense) in December 1988 after the Morris Worm incident crippled approximately 10% of all computers connected to the Internet. Originally, their work was almost exclusively incident response. Since then, they have worked to help start other incident response teams, coordinate the efforts of teams when responding to large-scale incidents, provide training to incident response professionals, and research the causes of security vulnerabilities, prevention of vulnerabilities, system security improvement, and survivability of large-scale networks. CERT can be found at www.cert.org.

The Computer Incident Advisory Capability (CIAC) provides on-call technical assistance and information to Department of Energy (DOE) sites faced with computer security incidents. CIAC also provides awareness, training, and education; trend, threat, and vulnerability data collection and analysis; and technology watch. CIAC was established in 1989 to serve the DOE Community. CIAC is one of the two oldest response teams and is recognized nationally and internationally for its contributions to the Internet community.

There are also many other organizations, associations and clubs that one can join to learn more about computer, network and information security.

Page 12

CISSP Certification

• Certified Information Systems Security Professional

• Demonstrates basic competency in information system security

• Based on the Common Body of Knowledge

• Must pass exam to qualify

• Continuing education requirements

One way to demonstrate your knowledge of information security practices is by becoming a Certified Information Systems Security Professional, or CISSP for short. The CISSP certification is a designation given to those security practitioners that demonstrate a basic competency in various topics related to information security. The exam and the certification program are administered by the International Information System Security Certification Consortium, or (ISC)2.

The examination is based on knowledge in ten areas of security that every practitioner should know. The ten areas are:

• Access Control Systems and Methodology

• Computer Operations Security

• Cryptography

• Application & System Development

• Business Continuity & Disaster Recovery Planning

• Telecommunications & Network Security

• Security Architecture & Models

• Physical Security

• Security Management Practices

• Law, Investigations & Ethics

It is expected that a CISSP should have a general understanding of each of these ten areas. In order to receive a CISSP certification, a candidate must pass a difficult 250-question multiple choice exam covering each of the ten areas. Once the candidate passes the exam, he or she must obtain 120 credits of continuing security education in order to maintain the certification.

The CISSP designation is not an indicator of how good a security person is, but it does give an indication of their basic competence and their ability to understand and apply good security principles and concepts. Just as there are bad lawyers that have passed the bar exam and bad accountants that have passed the CPA exam, a CISSP designation should not be

Page 13

GIAC Certification

• Sponsored by SANS Global Incident Analysis Center

• Geared toward industry practitioners

• Based on class learning and practical experience

Another certification track is the Global Incident Analysis Center (GIAC) Certification Program. The program was established by the SANS Institute to serve the people who are or will be responsible for managing and protecting important information systems and networks. GIAC consists of a number of courses, offered both in person and on-line, examinations, and practical experience.

Unlike the CISSP exam, in which candidates need only pass an examination to obtain certification, GIAC candidates must also demonstrate applied knowledge before obtaining certification. GIAC candidates create portfolios of materials proving that they have actually done many of the important tasks that will be required of them on the job.

Like CISSP and other certifications, GIAC training and certification provides a value both to

professionals and their employers For security and system professionals, GIAC offers added

confidence that they know what tasks need to be done first to protect their systems and that they have

the knowledge and skills needed to do those tasks GIAC offers them continuous access to updated

information so they can keep their skills and knowledge current


• World Wide Web Security

• Information Secrecy & Privacy

• Identification and Access Control

• Programmatic Security

• Conclusion

The next section of the course focuses on basic telecommunications. We will begin with simple telephone traffic and work our way up to modern data networks. While this may not seem important to information security, keep in mind that today’s modern computer networks work on many of the same principles that guided basic phone service over a hundred years ago - only a lot faster. Without a basic understanding of how information gets from here to there, and the steps it needs to go through to get there, you will not fully appreciate how communications security works.


Simple Communications

[Slide diagram: transmitter, medium, receiver]

Let’s start with simple, basic communications. For every type of communication you need three elements – a transmitter, a medium, and a receiver. The transmitter is the device that creates the communication. The medium is the device that carries the communication from the source to the destination. The receiver is the device that receives the communication. Without these three elements there is no communication.

Basic communication can best be demonstrated through the use of two cans and a string. If you pull the string tight and talk into one of the cans, the sound can be heard through the other can. The can you talk into is the transmitter, the can you listen from is the receiver, and the string is the medium.

How does it work? The sound waves from your voice make the can vibrate. That vibration is transferred through the string and sent to the other can. The receiving can then repeats the vibrations from the string and replicates the sound of your voice.

Note that this only works for limited distances. If the string gets too long, the sound vibrations lose strength and the receiving can will not receive them.

You may be asking, why is this important to a discussion of information security? The answer is simple. Information security is all about protecting information. In order for information to be useful it must be moved from one place to another. While it is moving, it is vulnerable to all kinds of evil-doing. So, understanding how communication works and how information gets from one place to another is fundamental to understanding a large part of information security.

So, remember the Cans and String model, because we will be referring to it often. No matter how complex the communications (phone, computer, video), or how advanced the medium (cable, fiber optics, microwave), all of these forms can be distilled down to the basic “cans and string” model.


Early Telephone Communications

The next stop on our tour of communications is simple phone transmission. In many ways, it is the same as the Cans and String model, except the cans are replaced by the phones and the string is replaced by copper wire. Like the can, the telephone picks up the voice of the person making the call. It then transmits that voice over the copper wire medium to the receiving phone on the other end. Just like the Cans and String model, we have a transmitter, a medium, and a receiver.

There is a slight difference between the phone and Cans and String. With the Cans and String, only one person can talk at a time. Otherwise the sound gets garbled on the string and nobody knows what the other person is saying. With phone communications the system is set up so that both people can speak at the same time.

In the early days of phone communications, if you had more than one phone you would need a separate string - I mean wire - for each other phone you wanted to communicate with. You also needed a separate phone for each line. This quickly became unmanageable as the telephone became an increasingly popular form of communicating. If you were an extremely important person, you might have ten or more phones on your desk, one each for the ten most important people you needed to speak with. You can see how this might be very confusing for the poor phone customer.

However, this early type of phone communication illustrates an important point: you had multiple, fixed end points and a dedicated line between each endpoint. When you needed to communicate with another phone, you found the phone on your end that was connected to that other phone and used that particular line.

Posted: 22/10/2013, 16:15