

Nie Jun: It's been more than ten years on the road of security construction in financial enterprises; only after walking it myself do I know it best

Posted by loope at 2020-04-14

At the end of the summer, Gou and an met with Nie Jun, the information security director of Anxin Securities, together with Zhang Yaojiang, CEO of Anxin Securities. The meeting place was a quiet coffee shop with clean windows and a cool breeze, a good place to talk.

When Brother Gou first saw Nie Jun, he felt that he was a pragmatic and steady man. In appearance, especially with his thick eyebrows and bright eyes, he somewhat resembles the Li Xunhuan played by Jiao Enjun.

This was the first time Brother Gou had met Nie Jun, but Zhang Yaojiang knew him very well. So Brother Gou settled in as a quiet listener, ready to hear Nie Jun's stories and feelings from the past ten years.

Right at the start, Zhang Yaojiang made fun of Nie Jun's accent, because Nie Jun seemed to be able to speak many different Jiangxi dialects.

Nie Jun said with a smile, "We have different customs every ten li. My mother and my father have different accents, because they are from two county-level cities; my mother and I have different accents, because I have been studying in the county since I was a child, and my mother lives in a town; although my wife and I were classmates in middle school for six years, we have different accents because we are from different towns of the same county-level city. So when I call them, I use different accents. Fortunately in Shenzhen, everyone uses Mandarin."

With talk and laughter, the distance between them closed, the conversation gradually loosened up, and they began to chat freely.

So Brother Gou, at first only a listener, was gradually drawn into Nie Jun's story, and before he knew it a seven-character regulated verse came to mind.

An interview with Nie Jun

You're three thousand miles away, and you've got one more in August.

Yashi has the honor to accommodate distinguished guests. There is no chance to stay in Qingyan.

The laughter is surging to express one's mind, and the tea is charming and moistening.

Shenzhen safe to high, when brother Jun hand skyscraper!

In reality, most young people are confused when they first graduate. Even people in the department who interned everywhere and took several offers seem high-spirited, but in their hearts they are still confused.

In the past, even when I was admitted as a civil servant in a city's propaganda system, I still thought: will I live here all my life, just like this? I am only twenty-three years old. How can I carve out my life? When I am twenty-eight or thirty-three, what will it be like? Wonderful or boring?

The Nie Jun sitting in front of Brother Gou, although he has been in the workplace for more than ten years, still has a youthful smile when talking about those years. That time when he was at a loss seems to be the memory he finds hardest to let go of.

After graduating from college, Nie Jun said, he went to Shenzhen with his wife (then his girlfriend) and entered a large manufacturing enterprise. At that time, he didn't have a specific career plan at all, or even an idea of the future.

Nie Jun in high spirits on first entering the workplace

Nie Jun felt that with a salary of 3000 yuan per month, he could live in Shenzhen. As for how he would live, that was not among his considerations at the time. The company offered 3500 yuan, which lit a glimmer of hope for the future in his heart, because in 2005 a monthly salary of 3500 yuan was already out of the low-income ranks.

Of course, this was not the only enterprise offering three or four thousand yuan. Nie Jun chose it because his biggest hobby at that time was playing football, and he discovered that this enterprise happened to have a very big football field.

Nie Jun is always in the office and in the football field. He thinks that he should be an unrestrained cheetah. Galloping is the meaning of his life. After working for more than a year, he began to have some concepts about his work, and realized that his life should not only run on the court, but also run in the field of Internet security. Because this field is much bigger than the stadium.

Manufacturing enterprises have two characteristics. The first is that they attach importance to information security early, mainly to protect intellectual property. At that time, the company established an information security department whose main responsibility was to prevent drawings and data from being stolen by outsiders. It also did some network security and system security protection work. The second is that they pay more attention to cost and practical effect, solving security problems in a down-to-earth way without putting on airs.

Since then, Nie Jun has kept a way of thinking that, no matter what security scheme or solution is adopted, pays attention to effectiveness and practice.

Nie Jun recalled that at that time, the security construction of domestic enterprises was just beginning, and there was no security major in universities; people acquired security knowledge and skills mainly through self-taught routes and hands-on work. At that time, he was young and could stay up late. Besides playing football, Nie Jun's favorite thing was to use his girlfriend's desktop computer to install virtual machines and build an intranet environment, tinkering over and over with Microsoft's AD, SMS, MOM and Group Policy, anti-virus, firewalls, Cisco routers and switches and other products, PGP public and private key encryption and its integration with the mail system, DeviceLock control of all kinds of peripheral interfaces, and so on. Slowly he came to like the security industry.

After he had been working for more than two years, a classmate of Nie Jun's at China Merchants Bank said that the bank's security team was recruiting and asked Nie Jun if he wanted to have a try. Nie Jun gladly went to the interview. The interviewer was the deputy general manager of China Merchants Bank. The director of security asked a lot of questions about encryption and decryption. It happened that Nie Jun had systematically studied encryption and decryption when he was tinkering with PGP. After passing the interview, he entered China Merchants Bank and started a journey of more than eight years.

After entering China Merchants Bank, Nie Jun's security team mainly maintains the security of China Merchants Bank's production network and access network, especially the security of online banking. Nie Jun divides his career in CMB into three stages.

The first stage was laying a technical foundation. Nie Jun was like a junior player who had just registered a game account, a rookie month after month. At this stage, the most memorable thing was that, as a new employee, he took part in the head office's 2007 Spring Festival Gala. There are many male employees in the information technology department, so a new Peking opera act with the men dressed as women was put together. As soon as the act appeared, the presidents sitting below the stage, who had been fast asleep, burst out laughing, and every newcomer had to get past this hurdle.

At this stage, Nie Jun mastered a lot of basic technical knowledge. Almost all mainstream firewall platforms, F5, tokens, ISS IDS, all the commercial scanners, anti-virus and so on were things he worked with while "fighting monsters and levelling up" at this stage. The process was very painful and the result was OK.

The second period was the most enjoyable for Nie Jun, because most of the things that gave him a sense of fulfilment happened at this stage.

While Nie Jun was buried in fighting monsters and levelling up, China hosted the 2008 Olympic Games. Nie Jun felt that the Olympic Games was an enlightenment movement for enterprise security construction in China. At that time, the whole country was nervous, worried about website tampering and DDoS attacks; network security was given unprecedented attention, and its development got a good opportunity.

Nie Jun's team won third place in the five-a-side football competition

After the Olympic Games, Nie Jun and his team were thinking about two issues.

First, the enterprise had deployed a large number of security protection devices and measures. The number of security devices had increased sharply, and so had the volume of security logs and alarms, which were managed by individual security personnel in a decentralized manner. Whether security alarms were completely and effectively handled, and whether security monitoring had failed, depended on the skills and sense of responsibility of each person. It was difficult for the security director to actively and comprehensively grasp the results, and in the end it came down to luck.

Second, experienced security personnel were scarce, and those with technical skill and experience were also carrying a lot of basic work. Was there a way for security personnel without much security capability or experience to also become a force against attackers?

Faced with these problems, Nie Jun and the leaders of the security team at that time thought hard together, put forward ideas for improving the effectiveness of security operation at a data center brainstorming meeting, and kept refining them. Later, they summarized these ideas one after another and named them the Nemesis plan.

Nemesis is the goddess of vengeance, who specializes in punishing the lawless. The core of security operation is four frameworks. The various security monitoring and sensing systems constitute the first, the security protection framework. Their monitoring logs are sent to the second, the security operation and maintenance framework, which identifies the genuinely high-risk attack alarms; these are then handled by first-, second- and third-line personnel through an automatically linked work-order platform.

At the daily morning meeting on production security events, the person in charge of security and the technical experts review how the previous day's security events were handled. If an alarm is confirmed to be a false alarm, the alarm rules and sensing system are optimized; if it is not a false alarm, it is traced to the end.

Nie Jun has run into many pitfalls in this area. Someone might have his wife's birthday one day, or something going on at home, and not investigate a security alarm carefully, hurriedly closing the event work order as a false alarm, which led to failures in internal red-blue confrontation. The security operation and maintenance framework addresses the problem of individual sense of responsibility, and it frees high-level security experts from the simple handling of security events so they can focus on building the security monitoring and sensing systems and on traceability analysis of complex security events.

With monitoring and handling in place, is there any way to know when that monitoring and handling has failed? This is the problem the third framework, the security verification framework, solves. It includes white box verification and black box verification.

White box verification is also called penetration detection. For example, through the mail DLP system, it can monitor whether the outgoing mail contains sensitive data such as customer information. This control measure depends on the normal operation of the mail DLP system, the normal sending of alarm logs to the unified log monitoring and processing platform, the normal functioning of the security monitoring rules, and the timely and effective handling of alarms by security personnel. Failure of any link will lead to failure of safety measures.

The solution is to write an automated script that sends an email containing simulated customer information and verifies the monitoring system. Is there an alarm? Is the log sent to the security operation platform after the alarm? Does the platform raise an alarm? Does anyone deal with it after the alarm? Was the event reviewed at the regular meeting the next day? The failure of any point can be found within 24 hours by penetration testing.

Basically, every monitoring rule developed is matched with a verification rule. There came to be so many verification rules that the process was later fully automated and visualized, so that rules whose security verification has failed are shown directly to the front-line security staff on duty and the security team leader.
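A sketch of the verification rule described above, as an added example that is not from the article or from China Merchants Bank's own system: each simulated-data probe e-mail is followed through the five links the text lists, and the first broken link is reported per monitoring rule. The stage names, rule names, ticket dispositions and sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Links of the control chain, in the order the article lists them
# (stage names are hypothetical labels chosen for this example).
STAGES = ("dlp_alarm", "log_received", "platform_alert",
          "ticket_handled", "meeting_review")
WINDOW = timedelta(hours=24)  # "found within 24 hours"


@dataclass(frozen=True)
class Probe:
    probe_id: str
    rule: str           # monitoring rule this probe verifies
    sent_at: datetime   # when the simulated-data e-mail was sent


@dataclass(frozen=True)
class Event:
    probe_id: str
    stage: str
    at: datetime
    detail: str = ""    # e.g. ticket disposition


def verify_probe(probe, events):
    """Return (ok, failed_stage, reason) for one probe e-mail."""
    earliest = {}
    for ev in events:
        if ev.probe_id != probe.probe_id or ev.stage not in STAGES:
            continue
        cur = earliest.get(ev.stage)
        if cur is None or ev.at < cur.at:
            earliest[ev.stage] = ev
    previous = probe.sent_at
    for stage in STAGES:
        ev = earliest.get(stage)
        if ev is None:
            return (False, stage, "no event recorded")
        if ev.at < previous:
            return (False, stage, "timestamp precedes previous link")
        if ev.at - probe.sent_at > WINDOW:
            return (False, stage, "completed outside the 24-hour window")
        # A probe ticket closed as a false alarm means nobody investigated.
        if stage == "ticket_handled" and ev.detail == "closed_false_alarm":
            return (False, stage, "closed as false alarm without investigation")
        previous = ev.at
    return (True, None, "all links verified")


def failed_rules(probes, events):
    """Map each failing monitoring rule to (failed_stage, reason)."""
    failures = {}
    for probe in probes:
        ok, stage, reason = verify_probe(probe, events)
        if not ok:
            failures[probe.rule] = (stage, reason)
    return failures


def ts(day, hour, minute=0):
    """Timestamp helper for the constructed sample data."""
    return datetime(2020, 4, day, hour, minute)


# Constructed sample data: three probes sent on the same morning.
SAMPLE_PROBES = [
    Probe("p1", "mail-dlp-customer-info", ts(13, 9, 30)),
    Probe("p2", "mail-dlp-card-number", ts(13, 9, 35)),
    Probe("p3", "mail-dlp-id-number", ts(13, 9, 40)),
]
SAMPLE_EVENTS = [
    # p1: every link works.
    Event("p1", "dlp_alarm", ts(13, 9, 31)),
    Event("p1", "log_received", ts(13, 9, 32)),
    Event("p1", "platform_alert", ts(13, 9, 33)),
    Event("p1", "ticket_handled", ts(13, 10, 5), "confirmed_probe"),
    Event("p1", "meeting_review", ts(14, 9, 0)),
    # p2: the DLP system alarmed, but the log never reached the platform.
    Event("p2", "dlp_alarm", ts(13, 9, 36)),
    # p3: the ticket was closed in a hurry as a false alarm.
    Event("p3", "dlp_alarm", ts(13, 9, 41)),
    Event("p3", "log_received", ts(13, 9, 42)),
    Event("p3", "platform_alert", ts(13, 9, 43)),
    Event("p3", "ticket_handled", ts(13, 17, 55), "closed_false_alarm"),
    Event("p3", "meeting_review", ts(14, 9, 0)),
]

if __name__ == "__main__":
    for rule, (stage, reason) in failed_rules(SAMPLE_PROBES, SAMPLE_EVENTS).items():
        print(f"{rule}: FAILED at {stage} ({reason})")
```

The dictionary returned by `failed_rules` is the list of failed verification rules that a dashboard for the on-duty staff would display.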

Black box verification is mainly red blue confrontation. China Merchants Bank is an enterprise that started red blue confrontation earlier in the financial industry and even the whole industry, and also established a professional blue army earlier.

At first, Nie Jun's defense team was beaten badly, and the success rate and detection rate in attack-and-defense confrontation were very low. The Red Army was still thinking like the defending side, while the blue army's thinking was very broad: application security, physical security and, in the later stages, even social engineering were all used. In addition, given the size of the enterprise, the deployment rate and normal rate of the security monitoring sensors had not reached a relatively high level. The security team of China Merchants Bank made great efforts to focus on basic construction work such as installation rate, deployment rate and normal rate.

Slowly, by learning lessons each time and constantly improving basic security capabilities, the success rate and detection rate in attack-and-defense confrontation kept improving, which gave Nie Jun and his team a sense of achievement.

Both sides of attack and defense are typical asymmetric operations. As long as an attacker finds a weakness of the enterprise system, he can achieve the purpose of invading the system. For the enterprise security personnel, they must find all the weaknesses of the system, without omission or lag, so as to ensure that the system will not have problems. This asymmetry leads to different ways of thinking between attackers and security personnel, which is also the root cause of the difficulty of enterprise security work.

The last framework is the security measurement framework. Through a series of security measurement indicators, the quality of security operation is measured and evaluated, and targeted, continuous process improvement is carried out so that quality rises in a spiral. If a piece of work cannot be measured effectively, it cannot be improved continuously.

Nie Jun thinks that, apart from BAT, most enterprises take the same route to doing security. Through security operation, basic security can be done well and stabilized at a controllable level. You just need to run faster than others. Basic security work ensures that there will be no low-level security problems, because hackers also have to consider costs, and they will turn to enterprises with weaker protection capabilities.

After about 2012, the above three frameworks became more and more mature, and the basic protection capability of CMB began to stabilize, neither high nor low. Nie Jun began to think about how to improve the capability of the security monitoring sensors. The solution was innovation and in-house development (cooperative research and development).

CMB has the gene of innovation. From business to IT to security, it pursues the ultimate user experience and advocates innovation and effectiveness. It had also gathered a lot of technical talent, and that atmosphere and those colleagues allowed Nie Jun and the security team to put forward a series of new ideas and realize them successfully, such as an abnormal traffic analysis system based on account profiles, a host security client system, unknown vulnerability protection, and various honey websites, honey data, honey tables, etc.

Nie Jun felt that the financial industry has an advantage, which is that it is very rigorous. After all, in a centuries-old industry, the standardized processes, strict rules and regulations, and rigorous way of thinking are the distilled essence of all kinds of experience, and every employee, especially those who have just graduated, will benefit from them for life. For example, the concepts of separation of authority and reconciliation are a very good reference for other industries.

In addition, the risk control is very strict, especially the rigor of operation and maintenance, which is difficult to meet in other industries; it is also difficult to have a deep understanding of maintaining the awe of risk in other industries.

The organizational structure of the Information Technology Department of China Merchants Bank is one department and three centers. Nie Jun was working in the data center security management office (Office) of one of the three centers of China Merchants Bank at that time. The directors of China Merchants Bank (corresponding to the directors of other banks) were all competing for posts. At that time, there was a competition opportunity for the directors of the security internal control room of the information technology department. Nie Jun participated in the competition and successfully competed. This was the third stage.

The platform of the security internal control room is wider, and it reaches all fields of IT, such as architecture, R&D, testing, operation, security, etc.

In the two years of being in charge of the internal control room, Nie Jun's field of knowledge expanded to information technology risk management. He started to interact frequently with the People's Bank of China, the China Banking Regulatory Commission and other regulatory agencies, and began to have many business contacts with other departments of the head office, such as the operation risk department, audit department, flow information office, office, retail department, etc.

At the beginning, the work experience is very different from the previous technology and project. I feel that my experience value is increasing rapidly. At that time, the Ministry of information technology under the CBRC set up a high-level Steering Committee of the CBRC, all of which were vice presidents in charge of science and technology of 17 major national commercial banks, and also had liaison officers. Nie Jun was the liaison officer of CMB.

Nie Jun would like to thank all the members of the internal control room team. Even in difficult circumstances, everyone worked together and achieved good results in the internal control work, and he spent two happy years with them.

At CMB, the most important thing Nie Jun learned was to be result oriented. First, get it done. Second, get it done beautifully. Nie Jun said that his approach has always been to adapt to the rules, make the subjective effort and strive for the best results with the resources at hand. He focuses on the scope of his own influence and does not force the things that cannot be changed. The advantage is that you don't have to think too much, just do it. Leaders are not stupid. The reasons you give are ones that others face too. Why can others make achievements while you only find reasons for yourself?

In addition, the most impressive honor for Nie Jun is that for the first time in five years, the data center of China Merchants Bank has selected outstanding employees. More than 200 employees have only selected 12 employees. Based on the five-year performance, Nie Jun is honored to be one of them. His hand model is displayed in the corridor of the data center of China Merchants Bank. Everyone can see that such spiritual encouragement is unparalleled.

Nie Jun won the 12th champion of China Merchants Bank Data Center (Comprehensive five-year performance)

In that year, Nie Jun, 30, was the youngest office director of the IT Department of China Merchants Bank. The career growth channel had been opened, but he left the technology front line too early and entered the comfortable area so that he could not adapt. At the same time in the "retreat" of the job, is a look at the head of despair. Nie Jun doesn't like the so-called stability. He likes to accept challenges and learn new things to fight against uncertainty. "I just love tossing." Nie Jun said with a smile.

Zhang Yaojiang said with a smile, this may be a common problem for technicians.

Nie Jun was just in his first year when the general manager of Anxin Securities found him by chance.

The general manager later recalled this process: "Three years ago, I met Nie Jun, but I still remember the scene when I first met him. At that time, Anxin urgently needed to bring in a professional who could stand alone in the field of information security. By chance, I met Nie Jun. After several contacts I found that not only did his knowledge and ability match the post, but his understanding and views of many things were also very similar to mine. It was a feeling of wishing we had met sooner. After 'three visits to the thatched cottage', I suppose Brother Jun was finally moved by me, and I finally secured this talent for the company."

Nie Jun was deeply moved by the trust and sincerity of the general manager. He decided to join Anxin as the security director, responsible for the security and quality control teams.

Nie Jun has been in this job ever since. Over three years, security has taken up 70-80% of his time. Nie Jun was ambitious at that time and wanted to build the best security. He didn't expect the general manager to pour cold water on him, saying that the best means the highest investment and the largest cost, which is neither economical nor realistic. What the company pursues is a security guarantee that matches its ranking, holding the bottom line and leading moderately.

Nie Jun felt that this leader was very pragmatic, so he quickly changed his approach to stopping the bleeding quickly and then building for the long term. "You can't be stabbed by someone else. You should first investigate the poor quality of this person. You didn't have a good education since childhood. At this time, you need to stop bleeding, go to the hospital, and then go to the reverse drive. Security is basically the same."

From doing security at Anxin Securities, Nie Jun has two deepest impressions.

The first is the positioning of the security team and of security work. The commercial value of a financial enterprise is to provide financial services for customers, and the business is always its foundation and main line. The value of IT lies in doing technology well, providing the company with advanced, secure and competitive IT platforms and tools, and serving customers well.

Therefore, IT must not jump out and force the company to invest in technology. As security practitioners on the Party A side, they must make a comprehensive security plan and implementation path based on the company's business, development stage and internal and external environment, to help the enterprise achieve its business goals. The difference from the business side is only a different division of labor and responsibilities. In fact, it was the general manager who taught this to Nie Jun.

The second is the value of the security team. In essence, security is a service, and security service is a kind of service that the security team provides to users and customers. If the value of this service is not maximized when designing security schemes and security requirements, the security team would be washed out by the market under full competition.

Suppose we were not the only security team in the company, with no monopoly inside the company, and other security teams also provided security services. Under that competition, would the security services we provide be recognized by users?

When the security team designs the security plan and requirements, it does not start from the business and service, but from the point of view that the security team saves time and trouble and bears as little responsibility as possible. The security scheme designed in this way will definitely hinder business development and reduce efficiency. If a set of security solutions and requirements can guarantee security without reducing or even reducing business development, business teams, development and operation and maintenance are welcome. Who is willing to take a huge risk to forcibly launch new business?

If the security team can do the analysis together with business, development, and operation and maintenance, and stand in the other side's position when designing schemes and implementing requirements, users will recognize the security team and its services from the heart. In fact, Nie Jun has encountered many such situations. Insisting on treating security as a service makes the security team's road much smoother.

The second CTF flag competition of Anxin securities

Nie Jun said that he would like to thank Ms. Xu Yanbing, the general manager, a leader and a model to learn from whom he admires very much.

After leaving the bank, in September 2016 Nie Jun opened an official account called "Jun brother's body calendar".

In the early days, Nie Jun didn't write only about security, but the account gradually became purely about security. The reason it is called "body calendar" is that Nie Jun advocates learning through personal practice. So Nie Jun also built a WeChat group called the enterprise security construction practice group. Doing security in an enterprise is all about practice.

Nie Jun believes in open sharing and mutual help. He thinks that, apart from a few geniuses, the IQ of most people is almost the same. We are single individuals, limited by our work and life, with limited energy and strength, so you need to stand on other people's experience to do things. Take other people's best-practice experience, tailor it to your actual situation, and it becomes the best plan for you.

The security construction of an enterprise cannot be separated from "keeping watch and helping one another". As there was more to share, people slowly gathered together and established a WeChat group for the security construction of financial enterprises.

In the early days, it was mainly Nie Jun and friends in security whom he already knew, sharing their experiences together. Later, with more and more topics and more and more people asking to join, he began to establish a set of group operating rules, with very strict vetting of members. Every new member needs an existing member to vouch for them, and their real name, company and position are verified. During this vetting, more than 1000 applications to join the group were rejected. Group members must also stay active and contribute value; those who fail to meet the standard are persuaded to leave.

Moreover, the group does not encourage red envelopes; the best contribution is to share value. Strict identity verification and a good value-contribution mechanism have made the financial enterprise security construction practice group the pinned top group for many security personnel, including the heads of Tencent's seven security laboratories and many senior people in the circle. Another value of the group is information sharing. In past security incidents and security emergencies, there have been a large number of live updates in the group, and the handling measures were timely and effective.

As the articles on the official account became more and more abundant, at the end of 2017, at the suggestion of brother Gu and on the invitation of the Machinery Industry Press, work began on the "Guide to Enterprise Safety Building: Financial Industry Security Framework and Technology Practice". The manuscript has been completed and submitted to the publisher, and the book is to go on sale in late October.

When it comes to why he should write a book about "safety practice", Nie Jun said that he has been engaged in enterprise safety construction work in Party A since safety practice. With the rapid development of information technology and security technology, we have been running on the road of learning. I have read many books and listened to many speeches, most of which are based on the fragmented technical points, tool manuals and attack process demonstrations. A few textbooks are theoretical and academic too strong, and little attention is paid to how to better apply security technology to enterprises of different scales and stages, that is, the last kilometer of enterprise security. This part of valuable content, unfortunately, was ignored by the market selectivity.

In recent years, however, books focusing on the security construction practice of Party A enterprises have become more and more popular, such as the book "White Hat Talks About Web Security". Nie Jun thinks that its most wonderful part is the last part, on the thinking about and understanding of security operation. Nie Jun bought two copies, one for home and one for the company, so he can look at them at any time. He finds it very enlightening in many cases.

Nie Jun thinks that Zhao Yan's "Advanced Guide to Internet Enterprise Security" is very well written, but that the book leans heavily toward Internet companies, ignoring small and medium-sized enterprises and other industries. After all, 99% of the enterprises in reality are not the kind Zhao Yan describes. Nie Jun often says: "In addition to Li Bai and Du Fu, there were 2534 poets in the Tang Dynasty. You don't just look at Li Bai and Du Fu. You don't just look at Ali and Tencent. There are more companies you haven't heard of. They also need to survive. We also need to pay attention to this part of the needs."

Over the 2018 New Year, Nie Jun spent time in Singapore and Malaysia. At that time, he published an article saying that the three authors wanted to write a book this year, and had decided to publish it with the Machinery Industry Press. He had also signed a contract. There was no turning back, so he began to do it. There was some accumulated material from the past, some old articles, but 50% of the content was written afterwards, such as security practice, security assessment, security compliance management, etc.

"Let's set up the framework first, then divide the work and write about the areas that everyone is good at. If the three authors do a good job of division of labor, everyone will begin to have painful writing time. " Nie Jun said he basically wrote every weekend, and the official account was written.

Nie Jun's greatest driving force for writing a book is: "if someone took me around at the beginning of my career, I could at least walk a detour for 3 to 4 years, which is a pity for me. In fact, I spent a long time to explore, attend various meetings, listen to what people said, read various articles, do various experiments, reflect on the painful failure experience, summarize and optimize, and then I got these things. "

Nie Jun also thinks that this is an act of attracting talents from others. He hopes to drive the whole industry to attach importance to the safety of enterprises and the needs of Party A. Party A and Party B are all on the same ship to make the industry ecological well. Party B has many people who have written a lot of books, and Party A actually needs to do this so that all flowers can bloom.

For safety practice, Nie Jun has too much experience to share and too much to say.

Nie Jun said that there are many areas of safety. As the person in charge of enterprise safety, the focus is on how to make enterprise safety construction more effective, such as safety value, how to ensure business safety, safety compliance, safety summary report, safety assessment, safety measurement, asset management and other areas of work.

Another key point of enterprise safety construction is safety operation. The person in charge of the enterprise and the general manager of IT department often ask: what kind of security is safe? According to Nie Jun, some enterprises have deployed various safety equipment, designed various safety management measures and processes, and the leaders have also supported them. They have made vigorous efforts, and given enough safety budget and safety personnel. As a result, there are still problems. In the final analysis, there are problems with safety and effectiveness.

The equipment is deployed, but are the abnormal-alarm rules in place? Is alerting working normally? Are the conditions the devices depend on, such as mirrored traffic, always normal? Do you know the business that the security protection covers? Can you read the alarm logs? Do security monitoring and alarm handling depend on the sense of responsibility of the security personnel? Is penetration testing carried out to verify whether there are failure points in technology, personnel, process and management?

According to Nie Jun, two factors currently do the most to restrict the development of security operations. First, there is no dedicated commercial tool that can improve the efficiency of security operations by combining the enterprise's internal processes and personnel. Second, 10,000 security directors have 10,000 ideas of security operations in their minds, with different ways of thinking and no unified security operations standard.

Nie Jun's working experience is mainly in banks and securities. Therefore, every year, he learns from his colleagues in the industry and in Internet companies. Different industries and enterprises differ in scale, risks and threats, corporate culture, actual needs and security investment, which results in different styles and great differences in the way security construction is done. However, enterprises that do well focus on solving practical security problems, and actively practice together, so they are increasingly determined to explore security practice and security operations.

Nie Jun understands this sharing as a spirit of "open source". Open-sourcing code and projects is very common, but open-sourcing experience is rare. In particular, systematic thinking and practice on how to do security construction in enterprises needs to be summarized and refined.

Never forget why you started, and your mission can be accomplished. It's easy to get at first, but hard to keep. Nie Jun believes that it's lucky that he met two like-minded partners, who worked hard and persevered with each other and overcame all kinds of difficulties before the book came into being.

Nie Jun said that he likes reading very much. He is the chief editor of the college's group newspaper. He has been responsible for typesetting, printing and manuscript writing. His Chinese was always very good in middle school; on the college entrance examination Chinese test he scored 138 points out of a full score of 150, with the 12 points deducted on the composition.

When Nie Jun was a child, he read a lot of books. "At that time, there were some books at home. I remember clearly that there was a book called 'China Has a Mao Zedong' in primary school. At that time, I read it over and over again. At that time, if I could find a book, such as 'One Thousand and One Nights', I would be very happy."

Nie Jun believes that writing is for expressing your thoughts, trying to let more people understand your meaning, and spreading your ideas. So he read classic books, such as Lu Yao's "Ordinary World", Chen Zhongshi's "White Deer Plain", Huo Da's "The Muslim's Funeral" and Ostrovsky's "How the Steel Was Tempered".

What Nie Jun likes is quite pure. First, he likes playing football. Second, he likes reading news, sports and military. "I like traveling in other people's stories. Many things come from books. Take parenting, for example: I also read a lot of books, and then I practice. How can I keep from getting angry at children, and how can I give them high-quality company?"

Nie Jun is also full of passion for life, has few material needs, and is sincere and kind; he wants to be a capable, good man.

As for the relationship between father and son, Nie Jun seemed to feel a lot and said a lot from the bottom of his heart.

"Sometimes, I can't help getting angry with my children. He dumps the garbage in the garbage can on the floor, eats the norfloxacin capsule as sugar, and cries loudly for a thing whether it is reasonable or not. When I am calm, I will say to myself, be patient, don't blame him, but I will scold him when I can't help it, and then I will deeply regret and blame myself. "

"I think every father may have this experience. It suddenly occurred to me, "my father, my son" said: you see, when people really want to go, they can't stop them. So, when we are together, we are glad to have each other in our lives. Don't be stingy with everything we should say to him and do for him. Every child remembers the father he wants to remember. Some of the emotional deficiencies, how hurt that is, I understand

"For my father, I also have a lot of confusion and confusion. There is a generation gap between father and son. When I was a father, slowly, I began to realize the hardships and difficulties of being a father. I wanted to do the best for him, but sometimes I couldn't do anything. This made me understand the greatness of my father and the gap between the great responsibility of my father and my own ability. "

Take a picture of Miaomiao's first birthday

"Maybe as time goes by, I will become the father with all kinds of puzzles in his heart. The father is the worst fighter in the world, but also the most reliable thick shoulder in the child's heart. As Li Chengpeng wrote: but they love their children, like stupid and brave workers, and do not leave behind any work. "

Nie Jun especially wanted to thank his wife for her silent support when he encountered setbacks and failures, so that he could still summon up courage and see the direction when he was confused. He thanked her for giving up her career, raising the two most lovely babies in her life, and making him happy and hopeful every day.

At last, Nie Jun let out a long breath, as if he had accomplished some mission, and felt relieved.

Nie Jun and top Miaomiao take a picture in Malaysia

Zhang Yaojiang asked Nie Jun if there was anything to say.

Nie Jun said with a deep smile: "I think the ultimate goal of career development and work is to make our life better, not the opposite. Many security practitioners may have been on the road for too long, forgetting what their original intention is. In order to go beyond the normal development and promotion and pursue financial benefits, many more valuable things are often ignored or even discarded, such as the bottom line and principles of health, family, morality and even life. "

"Apply a popular saying of longyingtai: choose safety as the direction of work, consider career and development, have the right to choose through their own efforts in the future, choose meaningful and time-consuming work instead of being forced to make a living. When the direction of your safety work is meaningful in your heart, you have a sense of achievement. When your work gives you time and does not deprive you of your life, you have dignity. A sense of achievement and dignity will make you happy. "

"The future for me is no longer a fear, but a journey full of challenges, because I have a clear goal and direction of effort in my heart, which makes my heart bright. I know that success is predictable, rather than a small probability event like winning the lottery."

Looking back on his security career of the past 14 years, no matter which road he chose, the road he has taken is the best one. Because there is no way for people to walk two roads at the same time and then look back at the end to compare them, people have only one best road, that is, their own way.

After Nie Jun finished speaking, brother Gou looked at his bright eyes, and his own heart suddenly opened up too.

After three hours of rambling, brother Gou has gained more than ten years of Nie Jun's experience. No wonder the ancients would say, "listening to your words is better than reading books for ten years."

Security is a long road. I hope everyone who embarks on this road will find the best way.

"Recommended reading"

China network security new media alliance is jointly established by new media or self-Media focusing on network security industry, including anyin, e-security, freebuf, kanxue forum, digital security, safety village, network security vision, Ranger safety net, a black book, etc., and supported by China information security consultant. It is a non-profit non entity new media liaison, coordination, cooperation and mutual assistance Mechanism.

People ∣ hot spots ∣ interaction ∣ communication

For contribution and business cooperation, please reply the key words in the background