How to ensure the security of the corporate network. Network security threat analysis. What is a data network

In an effort to keep the company viable, security teams concentrate on securing the network perimeter, that is, the services accessible from the Internet. The image of a sinister attacker ready to strike the company's published services from anywhere in the world genuinely frightens business owners. But how justified is this, given that the most valuable information is not located on the organization's perimeter but deep inside its corporate networks? How should one assess whether infrastructure protection against external and internal attacks is proportionate?

"A ship in harbor is safe, but that is not what ships are built for."

A sense of security is deceptive

Under total informatization and globalization, business places new demands on corporate networks: flexibility and independence of corporate resources with respect to their end users, employees and partners, come to the fore. For this reason, today's corporate networks are very far from the traditional notion of an isolated network (even though they were originally defined as such).

Imagine an office: walls protect it from the outside world, and partitions divide the total area into smaller specialized zones: kitchen, library, service rooms, workplaces, etc. Movement from zone to zone happens at defined points, the doorways, and where necessary is controlled there by additional means: video cameras, access control systems, smiling guards. Entering such a space, we feel safe; there is a sense of trust and goodwill. It must be admitted, however, that this feeling is only a psychological effect based on "security theater", where measures are taken with the stated goal of increasing security but in fact only create the impression that it exists. After all, if an attacker really wants to do something, being inside the office will not be an insurmountable obstacle; on the contrary, it may even open up additional opportunities.

The same thing happens in corporate networks. Once there is a possibility of an attacker being inside the corporate network, classical approaches to security become insufficient. Protection methods are built on an internal threat model aimed at countering employees who may violate the security policy accidentally or deliberately, but without any particular skill. But what if there is a skilled hacker inside? The cost of breaching an organization's network perimeter has an almost fixed price on the underground market and does not exceed $500 on average. For example, a Dell report on the black market for hacking services (April 2016) gives the following price list:

As a result, one can buy the compromise of a corporate mailbox, whose account will most likely also work for all the company's other corporate services thanks to the common practice of single sign-on. One can also purchase polymorphic malware that antivirus software cannot detect and infect unwary users via phishing mailings, thereby taking control of a computer inside the corporate network. Against well-protected network perimeters, weaknesses in human nature are exploited: for example, after purchasing new identity documents and obtaining data about an employee's work and personal life through a commissioned cyber-espionage service, an attacker can use social engineering to obtain confidential information.

Our experience with penetration tests shows that the external perimeter is breached in 83% of cases, and in 54% this does not require highly qualified skills. At the same time, according to statistics, roughly every fifth employee is willing to knowingly sell their credentials, including remote access credentials, which enormously simplifies breaching the network perimeter. Under such conditions, internal and external attackers become indistinguishable, which poses a new challenge for corporate network security.

Critical data collected but left unprotected

Inside the corporate network, logins to all systems are monitored, and the systems are accessible only to already authenticated users. But this very check turns out to be the "security theater" mentioned earlier, because the real state of affairs looks very grim, as confirmed by statistics on vulnerabilities in corporate information systems. Here are some of the main shortcomings of corporate networks.

  • Dictionary passwords

Oddly enough, weak passwords are common not only among ordinary staff but also among IT administrators themselves. For example, services and equipment often keep the passwords set by the manufacturer by default, or the same elementary combination is used on all devices. One of the most popular combinations is the username admin with the password admin or password. Short passwords consisting only of lowercase Latin letters and simple numeric passwords such as 123456 are also popular. A password like this can be brute-forced quickly, the right combination found, and access to corporate resources gained.
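As an added illustration (not from the original article), here is a small Python audit that checks a device credential inventory for exactly the weaknesses listed above: vendor defaults such as admin/admin, dictionary words, purely numeric or lowercase-only passwords, short passwords, and the same password reused across devices. The inventory, default-credential list and dictionary are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample inventory of (device, username, password); not real credentials.
INVENTORY = [
    ("core-switch-1", "admin", "admin"),
    ("core-switch-2", "admin", "admin"),
    ("edge-router", "admin", "password"),
    ("nas-01", "backup", "123456"),
    ("wifi-controller", "admin", "qwerty"),
    ("print-server", "svc_print", "Xk9#vL2q!rT8mZ4p"),
    ("db-01", "dba", "Qw7$nB3v@hL0pR9s"),
]

# Vendor-default pairs named in the text (constructed; extend from a default-credential catalogue).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password")}

# Small dictionary of common passwords (constructed; load a full wordlist in practice).
DICTIONARY = {"password", "qwerty", "123456", "12345678", "letmein", "welcome"}

MIN_LENGTH = 12


def weaknesses(username, password):
    """Return the weakness tags from the text that apply to one credential, in a fixed order."""
    tags = []
    if (username, password) in DEFAULT_CREDENTIALS:
        tags.append("vendor-default")
    if password.lower() in DICTIONARY:
        tags.append("dictionary")
    if re.fullmatch(r"[0-9]+", password):
        tags.append("numeric-only")
    if re.fullmatch(r"[a-z]+", password):
        tags.append("lowercase-only")
    if len(password) < MIN_LENGTH:
        tags.append("too-short")
    return tags


def audit(inventory):
    """Audit (device, user, password) triples: per-device weakness tags, plus a 'reused'
    tag on every device whose password also appears on another device."""
    report = {}
    by_password = defaultdict(list)
    for device, user, password in inventory:
        report[device] = weaknesses(user, password)
        by_password[password].append(device)
    for devices in by_password.values():
        if len(devices) > 1:
            for device in devices:
                report[device].append("reused")
    return report


def devices_needing_action(report):
    """Sorted list of devices with at least one finding."""
    return sorted(device for device, tags in report.items() if tags)


if __name__ == "__main__":
    for device, tags in audit(INVENTORY).items():
        print(f"{device:16} {', '.join(tags) or 'OK'}")
```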

  • Storing critical information within the network in an open form

Imagine that an attacker has gained access to the internal network; there are two possible scenarios. In the first, the information is stored in the clear, and the company immediately bears serious risk. In the second, the data on the network is encrypted and the key is stored elsewhere, and the company has the chance and the time to resist the attacker and keep important documents from being stolen.

  • Outdated software

Every time an update is released, the vendor publishes release notes at the same time detailing which bugs and vulnerabilities have been fixed in the new version. Once a security issue is disclosed, attackers begin actively researching the topic, finding related bugs, and developing attack tools on that basis.

Up to 50% of companies either do not update their software or do so too late. In early 2016, the Royal Melbourne Hospital suffered because its computers were running Windows XP. After initially hitting a computer in the pathology department, the virus spread rapidly across the network, blocking the automated operation of the entire hospital for some time.

  • Using self-developed business applications without security control

The main goal of in-house development is functionality. Such applications have a low security bar and are often released under resource constraints and without proper support from a vendor. The product does work and performs its tasks, but at the same time it is very easy to compromise and gain access to the data it holds.

  • Lack of effective anti-virus protection and other means of protection

It is believed that what is hidden from the outside is protected, that is, the internal network is supposedly safe. Security staff closely monitor the outer perimeter, and if it is so well guarded, surely no hacker can get inside. Yet in 88% of cases companies have no vulnerability detection process, no intrusion prevention systems, and no centralized storage of security events. Taken together, this means the security of the corporate network is not effectively ensured.

At the same time, the information stored inside the corporate network is of great importance for the enterprise's operation: customer bases in CRM and billing systems, critical business indicators in ERP, business correspondence in mail, document flow on portals and file shares, etc.

The line between the corporate and the public network has become so blurred that fully controlling its security has become very difficult and expensive. Countermeasures against the theft or sale of accounts, negligence of a network administrator, threats carried out through social engineering, and so on are almost never used. This is what drives attackers to use these methods of bypassing external protection and to approach the vulnerable infrastructure holding the more valuable information.

The solution could be an information security concept in which the security of the internal and external networks is ensured on the basis of a single threat model, one that also accounts for the likelihood of one type of attacker turning into the other.

Attackers versus defenders: who wins?

Information security as a state is attainable only for the "elusive Joe" of the joke, who is never caught simply because nobody needs him. The confrontation between attackers and defenders takes place on fundamentally different terms. Attackers profit from a breach of the confidentiality, availability, or integrity of information, and the more efficient and effective they are, the more they gain. Defenders, on the other hand, gain nothing from the security process itself; every step is a non-refundable investment. That is why risk-oriented security management has become widespread: defenders concentrate on the risks that are most expensive (in terms of assessed damage) and cheapest to cover. Risks whose mitigation cost exceeds the value of the protected resource are deliberately accepted or insured. The goal of this approach is to raise the cost of overcoming the organization's weakest point as much as possible, so critical services must be well protected regardless of whether the resource sits inside the network or on its perimeter.

The risk-based approach is only a forced measure that allows the concept of information security to exist in the real world. In effect, it puts defenders in a difficult position: they play with the black pieces, only responding to threats as they emerge.

If we look at the information security system of any large company, it is not just an antivirus but a number of other protection products covering every direction. The time of simple IT security solutions is long gone.

Of course, the basis of a general information security system for any organization is protecting a standard workstation from viruses, and here the need for an antivirus remains unchanged.

But the requirements for corporate security as a whole have changed. Companies need complete end-to-end solutions that not only protect against today's most complex threats but also stay ahead of the curve.

"More and more large companies are building a security system based on the defense-in-depth principle."

Moreover, whereas earlier the echelons of defense were built around different elements of the IT infrastructure, now multi-level protection should exist even on individual elements of the IT environment, above all on workstations and servers.

What threats companies faced in 2014

From a threat perspective, targeted attacks on corporations and government bodies have recently become a huge cybersecurity challenge. Many of the techniques hackers used to attack home users are now being applied to businesses as well.

These include modified banking Trojans targeting employees of finance and accounting departments, various ransomware programs that have begun operating inside corporate networks, and the use of social engineering methods.

In addition, network worms have gained popularity, and removing them requires shutting down the entire corporate network. If a company with many branch offices in different time zones faces such a problem, any network interruption will inevitably lead to financial losses.

According to a 2014 Kaspersky Lab survey of information security specialists, Russian companies most often face:

  • malware,
  • unwanted mail (spam),
  • attempts at unauthorized entry into systems via phishing,
  • vulnerabilities in installed software,
  • risks associated with the behavior of company employees.

The problem is aggravated by the fact that cyber threats are far from static: they multiply every day and become more diverse and complex. To better understand the current situation in information security and the consequences that even a single computer incident can lead to, let us present everything in figures and facts, based on Kaspersky Lab's analysis of the events of 2014.

Cyber Threat Statistics


Incidentally, mobile devices in particular remain a separate "headache" for information security specialists. The use of personal smartphones and tablets for work is already permitted in most organizations, but proper management of these devices and their inclusion in the company's overall information security system is not practiced everywhere.

"According to data from Kaspersky Lab, 99% of malware specializing in mobile devices is targeted at the Android platform today."

To understand where so many threats come from and how quickly their number is growing, it is enough to say that Kaspersky Lab specialists process 325,000 new malware samples every day.

Malware most often reaches users' computers in two ways:

  • through vulnerabilities in legitimate software,
  • using social engineering methods.

Of course, a combination of these two techniques is very common, but attackers do not neglect other tricks either.

Targeted attacks, which are becoming more common, are a separate threat to businesses.

"The use of illegal software, of course, further increases the risks of becoming a successful target for a cyberattack, primarily due to the presence of more vulnerabilities in it."

Vulnerabilities sooner or later appear in any software. They may be errors made during development, outdated versions, or individual code components. Be that as it may, the main problem is not the presence of a vulnerability but its timely detection and closure.

Incidentally, software vendors have recently begun closing vulnerabilities in their products more actively, and 2014 is vivid evidence of this. However, there are still enough gaps in applications, and cybercriminals actively use them to penetrate corporate networks.

In 2014, 45% of all vulnerability incidents were caused by holes in the popular Oracle Java software.

In addition, the past year saw something of a turning point: a vulnerability called Heartbleed was discovered in the widely used OpenSSL cryptographic library, which implements the SSL/TLS protocols. The bug allowed an attacker to read the contents of memory and intercept personal data on systems running vulnerable versions of the library.

OpenSSL is widely used to protect data transmitted over the Internet (including what a user exchanges with web pages, email, and instant messengers) and data transmitted over VPN (Virtual Private Network) channels, so the potential damage from this vulnerability was enormous. It is possible that attackers used this vulnerability as a starting point for new cyber-espionage campaigns.

Attack victims

Overall, in 2014 the number of organizations that fell victim to targeted cyberattacks and cyber-espionage campaigns increased almost 2.5 times. Over the past year, almost 4,500 organizations in at least 55 countries, including Russia, became targets of cybercriminals.

Data theft occurred in at least 20 different sectors of the economy:

  • government,
  • telecommunications,
  • energy,
  • research,
  • industrial,
  • healthcare,
  • construction, and other companies.

Cybercriminals gained access to information such as:

  • passwords,
  • files,
  • geolocation information,
  • audio data,
  • screenshots,
  • webcam snapshots.

Most likely, some of these attacks were backed by government agencies, while others were more likely carried out by professional groups of cyber-mercenaries.

In recent years, Kaspersky Lab's Global Threat Research and Analysis Center has tracked the activities of more than 60 criminal groups responsible for cyberattacks around the world. Their participants speak different languages: Russian, Chinese, German, Spanish, Arabic, Persian and others.

The consequences of targeted operations and cyber-espionage campaigns are always severe. They inevitably end in compromise and infection of the corporate network, disruption of business processes, and leakage of confidential information, in particular intellectual property. In 2014, 98% of Russian companies faced some kind of cyber incident whose source was usually located outside the enterprise itself, and 87% of organizations had incidents caused by internal threats.

"The total amount of damage for large companies averaged 20 million rubles for each successful example of a cyber attack."

What companies fear and how things really are

Every year Kaspersky Lab conducts research to find out how IT specialists view information security issues. The 2014 study showed that the vast majority of Russian companies, 91% to be exact, underestimate the amount of malware that exists today. Moreover, they do not even assume that the number of malware samples is constantly growing.



Curiously, 13% of IT professionals said they weren't worried about internal threats.

Perhaps this is because in a number of companies it is not customary to divide cyber threats into external and internal ones. In addition, some Russian IT and information security managers still prefer to solve all problems with internal threats through prohibitions.

However, if something is forbidden to a person, that does not mean he will not do it. Therefore any security policy, including a prohibition, requires appropriate control tools to ensure that all requirements are met.

As for the types of information cybercriminals are primarily interested in, the study showed that companies' perceptions and the actual state of affairs differ considerably.

So, the companies themselves are most afraid of losing

  • customer information,
  • financial and operational data,
  • intellectual property.

Businesses worry a little less about

  • information from analysis of competitors' activities,
  • billing information,
  • personal data of employees,
  • data on corporate bank accounts.

"In fact, it turns out that cybercriminals most often steal internal operational information of companies (in 58% of cases), but only 15% of companies consider it necessary to protect this data in the first place."

For security it is equally important to think through not only technologies and systems but also the human factor: the specialists who build the system must understand its goals, and the employees who use the devices must understand their responsibility.

Recently, attackers are increasingly relying not only on technical means, but also on the weaknesses of people: they use social engineering methods that help to extract almost any information.

Employees who take data away on their own devices should understand that they bear exactly the same responsibility as if they had taken paper copies of documents with them.

Company staff should also be well aware that any modern, technically complex device contains defects that an attacker can exploit. But to take advantage of these defects, the attacker must first gain access to the device. Therefore, when downloading mail, applications, music and pictures, it is necessary to check the reputation of the source.

It is important to be wary of provocative text messages and emails and check the reliability of the source before opening the letter and following the link.

For the company to still be protected against such accidental or intentional actions by employees, it should use data leak protection modules.

"Companies need to regularly remember about working with personnel: starting with improving the qualifications of IT employees and ending with explanations of the basic rules for safe working on the Internet, no matter what devices they use there."

For example, this year Kaspersky Lab released a new module that implements data leakage protection functions -

Cloud protection

Many large companies use the cloud in one way or another, in Russia most often in the form of a private cloud. It is important to remember that, like any other man-made information system, cloud services contain potential vulnerabilities that can be exploited by virus writers.

Therefore, when organizing access even to your own cloud, you need to keep in mind the security of the communication channel and of the end devices used on the employees' side. Equally important are internal policies governing which employees have access to data in the cloud, what level of confidentiality information stored in the cloud may have, and so on. The company must formulate transparent rules:

  • which services will run from the cloud,
  • which will run on local resources,
  • what information may be placed in the cloud,
  • what must be kept "at home".

Based on the article: Time for "hard" decisions: security in the Enterprise segment.

Identification/authentication (IA) of operators must be performed in hardware before the OS boot stage. The IA databases should be stored in the non-volatile memory of the information security hardware (SZI), organized so that access to it by means of the PC is impossible, i.e. the non-volatile memory must lie outside the PC's address space.

Identification/authentication of remote users, as in the previous case, requires a hardware implementation. Authentication is possible in different ways, including by electronic digital signature (EDS). The requirement for "strong authentication" becomes mandatory, i.e. periodic repetition of the procedure during operation at intervals short enough that, if the protection is overcome, the attacker cannot cause tangible damage.

2. Protection of hardware from unauthorized access (NSD)

Means of protecting computers from unauthorized access can be divided into electronic locks (EZ) and hardware trusted boot modules (AMDZ). Their main difference is the way integrity control is implemented. Electronic locks perform the user IA procedures in hardware but rely on external software for integrity control. An AMDZ implements in hardware both the EZ functions and the integrity control and administration functions.

Integrity control of the technical composition of the PC and LAN. Integrity control of the PC's technical composition should be carried out by the SZI controller before the OS loads. All resources that can (potentially) be shared should be controlled, including the CPU, system BIOS, floppy disks, hard drives, and CD-ROM.

The integrity of the LAN's technical composition should be ensured by an enhanced network authentication procedure. The procedure should be performed when the checked PCs connect to the network and thereafter at intervals set in advance by the security administrator.

OS integrity control, i.e. integrity control of system areas and OS files, must be performed by the controller before the OS loads, so that genuine data is read. Since various operating systems may be used in electronic document management, the software built into the controller should support the most popular file systems.

Integrity control of application software and data can be performed by both the hardware and the software components of the information security system.
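As an added example, not code from the page or from any AMDZ product, the following Python sketch models the reference-versus-observed check a controller performs before handing control to the OS: a manifest of component hashes is protected with a MAC under a key that in a real SZI would live outside the PC address space, and boot is refused if the manifest itself or any controlled component differs from the reference. Component contents and the key are constructed stand-ins.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for the resources the text says must be controlled (BIOS, boot areas,
# OS files). A real controller reads them from the devices before the OS gets control.
REFERENCE_COMPONENTS = {
    "system_bios": b"BIOS image v1.02 (constructed)",
    "hdd0_boot_sector": b"\xfa\x33\xc0" + b"\x00" * 29 + b"\x55\xaa",
    "os/kernel": b"kernel build 4711 (constructed)",
    "os/boot.cfg": b"root=/dev/sda1 quiet",
}

# The controller's key. In the scheme described it lives in the SZI's own non-volatile
# memory outside the PC address space; here it is a constructed constant.
CONTROLLER_KEY = b"controller-key-constructed-not-real"


def digest(data):
    return hashlib.sha256(data).hexdigest()


def _manifest_mac(table, key):
    body = json.dumps(table, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(components, key):
    """Reference manifest: one hash per component plus a MAC over the whole table, so that
    software running on the PC cannot silently edit the reference."""
    table = {name: digest(data) for name, data in components.items()}
    return {"table": table, "mac": _manifest_mac(table, key)}


def verify_before_boot(manifest, observed, key):
    """Compare the observed components with the manifest.
    Returns (boot_allowed, problems); any problem blocks the OS from loading."""
    if not hmac.compare_digest(_manifest_mac(manifest["table"], key), manifest["mac"]):
        return False, ["reference manifest tampered"]
    problems = []
    for name, ref_hash in sorted(manifest["table"].items()):
        if name not in observed:
            problems.append(f"{name}: missing")
        elif not hmac.compare_digest(digest(observed[name]), ref_hash):
            problems.append(f"{name}: modified")
    for name in sorted(observed):
        if name not in manifest["table"]:
            problems.append(f"{name}: unexpected component")
    return not problems, problems


if __name__ == "__main__":
    manifest = build_manifest(REFERENCE_COMPONENTS, CONTROLLER_KEY)
    observed = dict(REFERENCE_COMPONENTS)
    observed["os/kernel"] = b"kernel build 4711 (constructed) + implant"
    allowed, problems = verify_before_boot(manifest, observed, CONTROLLER_KEY)
    print("boot allowed" if allowed else "boot refused: " + "; ".join(problems))
```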

3. Differentiation of access to documents, PC resources and the network

Modern operating systems increasingly include built-in access control. Typically these tools use features of a particular file system (FS) and rely on attributes tied to one of the OS API levels. Two problems inevitably arise here.

Binding to the peculiarities of the file system. Modern operating systems generally use not one but several file systems, both new and legacy. Usually the access control built into the OS works on the new file system but may not work on the old one, since it relies on features specific to the new file system.

This circumstance is usually not stated directly in the certificate, which can mislead the user. Old file systems are included in new operating systems precisely to ensure compatibility.

Binding to the operating system API. As a rule, operating systems now change very quickly, once every year and a half, and may change even more often. If the access control attributes reflect the composition of the API, then with the transition to a newer OS version the security system settings will have to be redone, staff retrained, and so on.

Thus we can formulate a general requirement: the access control subsystem must be layered on top of the operating system and thus be independent of the file system. Of course, the set of attributes should be sufficient to describe the security policy, and the description should be expressed not in terms of the OS API but in the terms system security administrators are used to working with.

4. Protection of electronic documents

The protection of electronic documents includes two classes of tasks:

  • ensuring that the document remains equivalent to its original electronic reference throughout its life cycle;

  • ensuring that the electronic technologies applied are equivalent to the reference ones.

The purpose of any protection is to ensure the stability of the specified properties of the protected object at all points of its life cycle. The object's security is established by comparing the reference (the object at the initial point in space and time) with the result (the object at the moment of observation). For example, if at the point of observation (receipt of the electronic document) there is only very limited contextual information about the reference (the content of the original electronic document) but complete information about the result (the observed document), then the electronic document itself must carry attributes confirming compliance with the technical and technological requirements, namely that the message was not altered at any stage of the document's production and transport. One option for such attributes is authentication codes (AC).

Protection of the document at creation. When a document is created, an authentication code must be generated for it in hardware. Writing a copy of the electronic document to external media before the AC has been generated must be ruled out. If the electronic document is generated by an operator, the AC must be bound to that operator. If it is generated by a software component of the automated system (AS), the AC must be generated bound to that software component.

Protection of the document in transit. Protection of a document during transmission over external (open) communication channels should be based on certified cryptographic means, including an electronic digital signature (EDS) on each transmitted document. Another option is possible: a bundle of documents is signed with an EDS, and each individual document is certified with another analogue of a handwritten signature, for example an AC.

Protection of the document during processing, storage and execution. At these stages the document is protected by two ACs per stage, an input and an output code. The ACs must be generated in hardware and bound to the processing procedure (the stage of the information technology). For a received document (carrying an AC and an EDS), a second AC is generated and only then is the EDS removed.

Protection of the document when accessed from the external environment. This relies on the two mechanisms already described: identification/authentication of remote users and access control for documents, PC and network resources.

5. Data protection in communication channels

Traditionally, channel encryptors are used to protect data in a communication channel, and not only the data but also the control signals are passed through them.

6. Protection of information technologies

Despite the well-known similarities, the mechanisms for protecting electronic data itself as an object (a number, data) and for protecting electronic data as a process (a function, a computing environment) are radically different. When protecting an information technology, in contrast to protecting electronic data, the characteristics of the required reference technology are reliably known, but there is limited information about whether the technology actually used, i.e. the result, meets those requirements. The only object that can carry information about the actual technology (as a sequence of operations) is the electronic document itself, or rather the attributes included in it. As before, one type of such attribute is the AC. The more functional operations are bound to the message via ACs, the more precisely the equivalence of the technologies can be established. The mechanisms here do not differ from those used to protect electronic documents. Moreover, the presence of a specific AC can be taken to indicate that the corresponding operation took place in the technological process, while the AC value attests to the integrity of the message at that stage of the process.
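The authentication-code chain described in sections 4 and 6, as an added example that is not code from the page or from the Akkord products: a creation code bound to the operator, an input and an output code per processing stage, and a verification that both checks message integrity at every stage and compares the observed sequence of stages with the reference technology. Keys, stage names and the document content are constructed; HMAC-SHA256 stands in for the hardware code generator, and the transit signature (EDS) is left out.

```python
import hashlib
import hmac

# Constructed keys. In the scheme described, each key lives in the hardware of the operator
# or processing stage that owns it; here they are plain constants for illustration.
KEYS = {
    "operator:ivanov": b"key-operator-ivanov-constructed",
    "stage:registration": b"key-stage-registration-constructed",
    "stage:approval": b"key-stage-approval-constructed",
    "stage:archive": b"key-stage-archive-constructed",
}

# The reference technology: the sequence of operations every document must pass through.
REFERENCE_TECHNOLOGY = ["stage:registration", "stage:approval", "stage:archive"]


def _mac(key, *parts):
    """HMAC-SHA256 over length-prefixed parts (stands in for the hardware code generator)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.hexdigest()


def _chain(codes):
    """All codes generated so far, so that each new code is bound to the document's history."""
    return "|".join(f"{who}:{kind}:{code}" for who, kind, code in codes).encode()


def create_document(content, operator):
    """Creation: the first AC is generated bound to the operator who produced the document."""
    code = _mac(KEYS[operator], b"create", content)
    return {"content": content, "codes": [(operator, "create", code)]}


def process_stage(doc, stage):
    """One technological stage: an input AC on entry and an output AC on exit, both bound
    to the stage. The stage's own work happens between the two; the content must not change."""
    codes = list(doc["codes"])
    codes.append((stage, "in", _mac(KEYS[stage], b"in", doc["content"], _chain(codes))))
    codes.append((stage, "out", _mac(KEYS[stage], b"out", doc["content"], _chain(codes))))
    return {"content": doc["content"], "codes": codes}


def verify(doc, operator):
    """Check message integrity at every stage and that the chain of stages equals the
    reference technology. Returns (ok, reason)."""
    codes = doc["codes"]
    if not codes or codes[0][:2] != (operator, "create"):
        return False, "no creation code bound to the expected operator"
    if not hmac.compare_digest(codes[0][2], _mac(KEYS[operator], b"create", doc["content"])):
        return False, "content changed since creation"
    for i in range(1, len(codes)):
        who, kind, code = codes[i]
        if who not in KEYS:
            return False, f"unknown participant {who}"
        expected = _mac(KEYS[who], kind.encode(), doc["content"], _chain(codes[:i]))
        if not hmac.compare_digest(code, expected):
            return False, f"invalid {kind} code at {who}"
    entered = [who for who, kind, _ in codes[1:] if kind == "in"]
    completed = [who for who, kind, _ in codes[1:] if kind == "out"]
    if entered != completed or completed != REFERENCE_TECHNOLOGY:
        return False, f"technology deviates from reference: {completed}"
    return True, "ok"


if __name__ == "__main__":
    doc = create_document(b"Invoice 17 (constructed)", "operator:ivanov")
    for stage in REFERENCE_TECHNOLOGY:
        doc = process_stage(doc, stage)
    print(verify(doc, "operator:ivanov"))
```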

7. Differentiation of access to data streams

To delimit access to data streams, routers with cryptographic protection are generally used. In such cases special attention is paid to the key system and the reliability of key storage. The access control requirements for delimiting streams differ from those for files and directories: only the simplest mechanism is possible here, access is either allowed or denied.

Meeting the requirements listed above provides a sufficient level of security for electronic documents, the most important type of message processed in information systems.

As a technical means of information protection, a hardware trusted boot module (AMDZ) was developed that loads the OS, whatever its type, only for a user authenticated by the protection mechanism. The results of this development, the "Akkord" system for protection against unauthorized access (developed by OKB SAPR), are mass-produced and are today the best-known means of protecting computers from unauthorized access in Russia. During development, the specifics of the application area were taken into account, reflected in a family of information security hardware for electronic document flow that uses authentication codes (AC) at various levels. Let us look at some examples of using this hardware.

1. In cash registers (KKM), ACs are used to authenticate receipts as one type of electronic document. Each cash register must be equipped with an intelligent fiscal memory (FP) block which, in addition to accumulating sales data, performs a number of other functions:

  • protects the KKM software and data from tampering;
  • generates authentication codes both for the cash register and for each receipt;
  • supports a standard interface for interacting with the tax inspector module;
  • provides retrieval of fiscal data for submission to the tax office together with the balance sheet.

The developed FP block "Akkord-FP" is based on the "Akkord" SZI. It has the following features:

  • the functions of the SZI NSD (protection against unauthorized access) are integrated with the FP functions;
  • the FP block also contains the non-volatile KKM registers;
  • the procedures of the tax inspector module are integrated as an integral part of the "Akkord-FP" block.

2. In the system for controlling the integrity and validating electronic documents (SKTsPD) of a federal- or regional-level automated system, the fundamental difference is the ability to protect each individual document. This system made such control possible without a significant increase in traffic. The basis for the system was the "Akkord-SB/KA" controller, a high-performance security coprocessor that implements the generation and verification of authentication codes.

The regional information and computing center (RIVC) manages the operation of the SKTsPD as a whole, interacting with all the automated workstations (AWPs) of the participating operators, which are equipped with the "Akkord-SB/KA" (A-SB/KA) hardware and software complexes and with the SKTsPD software. The RIVC should include two dedicated workstations: ARM-K for producing keys and ARM-R for preparing the distribution of verification data.

3. Application of authentication codes in the subsystems for technological protection of electronic data. The hardware basis for information security here can be "Akkord-SB" and "Akkord-AMDZ" (for protection against unauthorized access). Authentication codes are used to protect the processing technology itself. Authentication codes for electronic documents in the information technology security subsystem are generated and checked on authentication code servers (SKA) using key tables (validity tables) stored in the internal memory of the Akkord-SB coprocessors installed in the SKA. Validity tables, encrypted under delivery keys, are delivered to the SKA and loaded into the internal memory of the coprocessors, where they are decrypted. Delivery keys are generated and registered at the specialized ARM-K workstation and are loaded into the coprocessors at the initial stage, during their personalization.
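The per-document authentication codes described in items 1 to 3 above, as an added example that is not code from the page or from the "Akkord" products: a Python sketch in which a key table is built during personalization, a code is issued for each receipt, and verification rejects a tampered or relabelled receipt. HMAC-SHA256 stands in for the proprietary authentication-code algorithm (an assumption), the key table is a plain dictionary instead of coprocessor memory, and the receipts, register identifiers and master key are constructed.

```python
import hashlib
import hmac
import json

# Added example: authentication codes (CA) for electronic documents.
# HMAC-SHA256 is an assumed stand-in for the hardware's own algorithm, and
# the key table lives in a dict rather than in a security coprocessor.


def personalize(register_ids, master_key):
    """Build the key (validity) table during 'personalization':
    one key per cash register, derived from a master key (assumed scheme)."""
    return {
        rid: hmac.new(master_key, b"register:" + rid.encode(), hashlib.sha256).digest()
        for rid in register_ids
    }


def canonical(document):
    """Deterministic byte encoding so issuer and verifier MAC the same bytes."""
    return json.dumps(document, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def make_code(key, document):
    """Generate the authentication code for one document (a receipt)."""
    return hmac.new(key, canonical(document), hashlib.sha256).hexdigest()


def verify_code(key_table, document, code):
    """Check a document's code against the key table with a constant-time compare."""
    key = key_table.get(document.get("register"))
    if key is None:
        return False  # unknown register: nothing to verify against
    return hmac.compare_digest(make_code(key, document), code)


# Constructed sample data (not real keys, registers or receipts).
MASTER_KEY = hashlib.sha256(b"constructed master key for the example").digest()
KEY_TABLE = personalize(["KKM-0001", "KKM-0002"], MASTER_KEY)

SAMPLE_RECEIPT = {
    "register": "KKM-0001",
    "number": 17,
    "total": "1250.00",
    "items": [{"name": "paper", "qty": 2, "price": "625.00"}],
}


def demo():
    """Issue a code for a receipt and show which changes are detected."""
    code = make_code(KEY_TABLE["KKM-0001"], SAMPLE_RECEIPT)
    genuine = verify_code(KEY_TABLE, SAMPLE_RECEIPT, code)
    # altering any field invalidates the code
    forged_total = verify_code(KEY_TABLE, dict(SAMPLE_RECEIPT, total="125.00"), code)
    # a receipt relabelled as coming from another register fails too,
    # because that register holds a different key
    wrong_register = verify_code(KEY_TABLE, dict(SAMPLE_RECEIPT, register="KKM-0002"), code)
    # a register absent from the table cannot produce a verifiable receipt
    unknown = verify_code(KEY_TABLE, dict(SAMPLE_RECEIPT, register="KKM-9999"), code)
    return {"genuine": genuine, "forged_total": forged_total,
            "wrong_register": wrong_register, "unknown_register": unknown}


if __name__ == "__main__":
    print(demo())
```

The canonical encoding matters as much as the MAC: if issuer and verifier serialize the same receipt differently (key order, whitespace, number formatting), a genuine document fails verification, which is the usual source of false "tampering" alarms in such systems.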

The experience of large-scale practical use of more than 100,000 "Akkord" hardware protection modules in the computer systems of various organizations in Russia and neighboring countries shows that the focus on a combined software and hardware solution was chosen correctly, since it offers great opportunities for further development and improvement.

Conclusions

Underestimating information security issues can lead to enormous damage.

The growth of computer crime forces organizations to take care of information security.

The use in Russian practice of the same mass-produced software and hardware (for example, IBM-compatible personal computers; the Windows, Unix, MS DOS and NetWare operating systems, etc.) to a certain extent creates favorable conditions for intruders.

The strategy for building an information security system should be based on integrated solutions, on the integration of information technologies and security systems, on the use of advanced techniques and tools, and on universal, industrial-grade information protection technologies.

Questions for self-control

1. Name the types of threats to information, give a definition of the threat.

2. What are the ways to protect information?

3. Describe access control as a way to protect information. What is its role and significance?

4. What is the purpose of cryptographic information protection methods? List them.

5. Give the concept of authentication and digital signature. What is their essence?

6. Discuss the problems of protecting information in networks and the possibilities of their resolution.

7. Describe the features of an information protection strategy based on the systems approach, integrated solutions and the principle of integration in information technology.

8. List the stages of creating information security systems.

9. What measures are required to implement technical protection of electronic document management technologies?

10. What is the essence of the multiplicative approach?

11. What procedures must be followed to protect the electronic document management system?

12. What functions does the firewall perform?

Tests for Ch. 5

Insert the missing concepts and phrases.

1. Events or actions that can lead to unauthorized use, distortion or destruction of information are called ...

2. Among the threats to information security, two types should be distinguished: ...

3. The listed types of counteraction to information security threats (obstruction, access control, encryption, regulation, coercion and inducement) refer to ... of information security.

4. The following means of countering security threats (physical, hardware, software, organizational, legislative, moral and ethical) refer to ... ensuring the security of information.

5. Cryptographic methods of protecting information are based on its ...

6. Assigning a unique designation to a user in order to confirm its identity is called ...

7. Checking a user's identity in order to verify its authenticity is called ...

8. The greatest threat to corporate networks is associated with:

a) the heterogeneity of information resources and technologies;

b) software and hardware;

c) equipment failures.

Choose the correct answers.

9. The rational level of information security in corporate networks is primarily selected based on considerations:

a) specifying protection methods;

b) economic feasibility;

c) defense strategies.

10. A memory-resident program that stays in the computer's memory and monitors operations related to changing information on magnetic disks is called:

a) a detector;

c) a watchman;

d) an auditor.

11. Antivirus tools are intended:

a) to test the system;

b) to protect the program from a virus;

c) to scan programs for a virus and treat them;

d) to monitor the system.

Today on our blog we decided to touch upon the security of corporate networks, and Mikhail Lyubimov, Technical Director of LWCOM, will help us with this.

Why is this topic of network security extremely relevant in the modern world?

Due to the almost ubiquitous availability of broadband Internet, most actions on devices are performed over the network; therefore, for 99% of modern threats, the network is the transport by which the threat is delivered from source to target. Of course, malicious code can also spread via removable media, but this route is used less and less, and most companies have long since learned to deal with such threats.

What is a data network?

Let's first draw the architecture of a classic corporate data network in a simplified and understandable way.

The data transmission network begins with an access-level switch. Workstations are connected directly to this switch: computers, laptops, printers, multifunction devices and various other devices, for example wireless access points. Accordingly, there can be a lot of equipment, and it can be connected to the network in completely different places (on different floors or even in separate buildings).

Typically, a corporate data network is built in a "star" topology, so the interaction of all segments with each other is provided by the equipment of the network core. For example, the same kind of switch can be used, only usually in a more powerful and functional version than those used at the access level.

Servers and storage systems are usually consolidated in one place and, from the network's point of view, can be connected directly to the core equipment or can have a dedicated segment of access equipment allocated for them.

Next comes the equipment for interfacing with external networks (for example, the Internet). Typically, companies use routers, firewalls and various kinds of proxy servers for this. They are also used to connect the company's distributed offices and remote employees.

This is how the architecture of a local area network that is easy to understand and typical of modern realities turns out.

What is the current classification of threats?

Let's define the main goals and directions of attacks in the framework of network interaction.

The most common and simplest target of an attack is the user device. It is easy to spread malicious software in this direction through content on web resources or via mail.

Having gained access to a user's workstation, an attacker can then either steal confidential data or develop the attack against other users or other devices on the corporate network.

The next possible attack target is, of course, servers. Some of the best-known types of attacks on published resources are DoS and DDoS attacks, which aim to disrupt the stable operation of resources or to take them down completely.

Attacks can also be directed from external networks at specific published applications, for example web resources, DNS servers and e-mail. Attacks can also be directed from within the network, from an infected user's computer or from an attacker connected to the network, at applications such as file shares or databases.

There is also a category of targeted attacks, and one of the most dangerous is an attack on the network itself, that is, on access to it. An attacker who has gained access to the network can launch the next attack on virtually any device connected to it, and can also covertly gain access to any information. Most importantly, a successful attack of this kind is difficult to detect and cannot be remedied by standard means. In effect, you have a new user or, worse, an administrator about whom you know nothing.

Another target of the attacker can be communication channels. It should be understood that a successful attack on communication channels not only makes it possible to read the information transmitted over them, but is also identical in its consequences to an attack on the network, when an attacker can gain access to all resources of the local area network.

How to organize competent and reliable data transmission protection?

To begin with, let us present the global practices and recommendations for organizing the protection of a corporate data network, namely the set of tools that will allow you to avoid most existing threats with minimal effort, the so-called safe minimum.

In this context, it is necessary to introduce the term "network security perimeter", since the closer you are to a possible threat source, the more you reduce the number of attack methods available to an attacker. Here the perimeter must exist for both external and internal connections.

First of all, we recommend securing the interface with public networks, because the largest number of threats comes from them. Currently, there are a number of specialized network security tools designed precisely for the secure organization of connections to the Internet.

They are designated by terms such as NGFW (Next-Generation Firewall) and UTM (Unified Threat Management). These devices not only combine the functionality of a classic router, firewall and proxy server, but also provide additional security services such as URL and content filtering, antivirus, etc. In addition, such devices often use cloud-based content verification systems, which allows all transmitted data to be scanned for threats quickly and effectively. But the main thing is the ability to report detected threats retrospectively, that is, to identify a threat in cases where the infected content had already been delivered to the user but the vendor learned that this software was harmful only later.

Things like HTTPS traffic inspection and automatic application analysis allow you to control not only access to specific sites but also to allow or prohibit the operation of applications such as Skype, TeamViewer and many others; as you know, most of them have long worked over HTTP and HTTPS, and standard network tools simply cannot control them.

In addition, within a single device you can also get an intrusion prevention system, which is responsible for stopping attacks aimed at published resources. You can also additionally get a VPN server for secure remote work of employees and for connecting branches, antispam, a botnet control system, a sandbox, etc. All this makes such a device a truly unified network security tool.

If your company does not yet use such solutions, then we highly recommend starting right now, since the time of their effectiveness has come, and we can say with confidence that such devices have proved their real ability to deal with a large number of threats, which was not the case even 5 years ago. At that time such things had only just entered the market, had many problems, and were quite expensive and low-performance.

How to choose Next-generation firewall?

Now there is a huge number of network devices on the market with similar declared functionality, but only a few can provide really effective protection. This is because only a limited number of manufacturers have the funds and really invest them in continuously tracking current threats, i.e. constantly updating databases of potentially dangerous resources, providing uninterrupted support for their solutions, etc.

Many partners will try to sell you the solutions that are profitable for them to sell, so the price of a solution does not always correspond to its real ability to resist threats. Personally, I recommend consulting the materials of independent analytical centers when choosing a device, for example NSS Labs reports. In my opinion, they are more accurate and unbiased.

In addition to threats from outside, your resources can also be attacked from within. The so-called "safe minimum" that should be used in your local area network is its segmentation into VLANs, i.e. virtual local networks. In addition to segmentation, access policies between them must be applied, at least by standard means such as access lists (ACLs), because the mere presence of VLANs gives practically nothing in the fight against modern threats.

As a separate recommendation, I will point out the desirability of applying access control directly at the device port. However, it is necessary to remember the network perimeter, i.e. the closer you apply policies to the protected services, the better. Ideally, these policies should be enforced on the access switches. In such cases, 4 simple rules are recommended:

  • keep all idle switch ports administratively disabled;
  • do not use VLAN 1;
  • use MAC filtering lists on access switches;
  • use ARP inspection.

An excellent solution would be to use the same firewalls with intrusion prevention systems and, architecturally, demilitarized zones. It is best to implement authentication of the connecting device using the 802.1X protocol, using various AAA systems (authentication, authorization and accounting) for centralized network access control. Among manufacturers these solutions are usually referred to by the common term NAC (Network Access Control). An example of such a commercial system is Cisco ISE.

Attacks on channels can also be carried out by cybercriminals. Strong encryption should be used to protect channels. Many neglect this and then pay for the consequences. Unprotected channels mean not only information available for theft, but also the ability to attack almost all corporate resources. Our customers have had a considerable number of cases in practice when attacks were made on corporate telephony by way of unprotected data channels between the central and remote offices (for example, simply over GRE tunnels). The companies received simply crazy bills!
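The four access-switch rules in the answer above, as an added example that is not part of the interview and not a vendor tool: a script that audits a constructed IOS-style switch configuration (assumed command syntax, invented hostname and interface names) for enabled ports with no configuration, ports left in VLAN 1, access ports without port-security (MAC filtering) and VLANs without ARP inspection, and also reports access ports with no 802.1X authenticator. The checks and thresholds are this example's own.

```python
import re

# Added example: audit an access-switch configuration against the four rules.
# SAMPLE_CONFIG is a constructed IOS-style fragment, not a real device's config.
SAMPLE_CONFIG = """\
hostname access-sw-1
!
ip arp inspection vlan 10,20
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/3
 shutdown
!
interface GigabitEthernet1/0/4
 switchport mode access
 switchport port-security
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 ip arp inspection trust
"""


def parse_interfaces(config):
    """Return {interface name: [its indented config lines]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global line ends the interface block
    return interfaces


def expand_vlans(spec):
    """'10,20,30-32' -> {10, 20, 30, 31, 32}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit(config):
    """Return (interface, finding) pairs for every rule violation found."""
    findings = []
    dai_vlans = set()  # VLANs with dynamic ARP inspection enabled globally
    for m in re.finditer(r"^ip arp inspection vlan (\S+)", config, re.M):
        dai_vlans |= expand_vlans(m.group(1))
    for name, lines in parse_interfaces(config).items():
        if "shutdown" in lines:
            continue  # rule 1 satisfied: the port is administratively down
        is_access = "switchport mode access" in lines
        is_trunk = "switchport mode trunk" in lines
        if not (is_access or is_trunk):
            findings.append((name, "rule 1: unconfigured port left enabled; shut it down if idle"))
            continue
        if is_access:
            vlan_line = next((l for l in lines if l.startswith("switchport access vlan ")), None)
            access_vlan = int(vlan_line.split()[-1]) if vlan_line else 1  # IOS default is VLAN 1
            if access_vlan == 1:
                findings.append((name, "rule 2: port is in VLAN 1"))
            if "switchport port-security" not in lines:
                findings.append((name, "rule 3: no port-security (MAC filtering)"))
            if access_vlan not in dai_vlans:
                findings.append((name, f"rule 4: ARP inspection not enabled on VLAN {access_vlan}"))
            if "dot1x pae authenticator" not in lines:
                findings.append((name, "802.1X authenticator not configured"))
        elif "ip arp inspection trust" not in lines:
            findings.append((name, "rule 4: trunk is not an ARP inspection trusted port"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```

Two details worth noticing: an access port with no "switchport access vlan" line is silently in VLAN 1, so the default has to be modelled rather than treated as "no VLAN"; and ARP inspection is enabled per VLAN globally, so the check is on the VLAN the port belongs to, with uplink trunks needing the explicit trust statement.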

What can you tell us about wireless networks and BYOD?

I would like to highlight separately the topics of remote work, wireless networks and the use of employees' own devices. From my own experience, these three things are among the biggest potential security holes in your company. But they are also among the biggest competitive advantages.

Briefly, I recommend either completely prohibiting the use of wireless networks, remote work and personal mobile devices, justifying this with corporate rules, or providing these services in the most thoroughly worked-out way from a security standpoint, especially since modern solutions make it possible to do this very well.

For remote work, the same Next-Generation Firewalls or UTM devices can help you. Our practice shows that there are a number of stable solutions (these include Cisco, Check Point, Fortinet, Citrix) that allow you to work with a variety of client devices while ensuring the highest standards of identifying a remote employee: for example, the use of certificates, two-factor authentication, one-time passwords delivered via SMS or generated on a special token. You can also check the software installed on the computer from which access is attempted, for example for the presence of appropriate updates or a running antivirus.

Wi-Fi security is a topic that deserves a separate article. In this post I will try to give the most important recommendations. If you are building corporate Wi-Fi, then be sure to work through all the possible security aspects associated with it.

By the way, Wi-Fi is a whole separate item of our company's income. We deal with it professionally: projects to equip shopping malls, business centers and warehouses with wireless equipment, including modern solutions such as positioning, are carried out non-stop. And according to the results of our radio surveys, in every second office and warehouse we find at least one home Wi-Fi router that was connected to the network by the employees themselves. Usually they do this for their own convenience, for example to go to the smoking room with a laptop or to move freely around the room. It is clear that no corporate security rules were applied on such routers, and the passwords were given to close colleagues, then to colleagues of colleagues, then to guests who dropped in for coffee, and as a result almost everyone had access to the corporate network, while it was completely uncontrolled.

Of course, it is worth protecting the network from the connection of such equipment. The main ways to do this are port authorization, MAC filtering, etc. Again, from the Wi-Fi point of view, strong cryptographic algorithms and enterprise authentication methods should be used for the network. However, it should be understood that not all enterprise authentication methods are equally useful. For example, Android devices in some software releases may by default ignore the public Wi-Fi certificate, thereby making Evil Twin attacks possible. If an authentication method such as EAP-GTC is used, the key is transmitted in cleartext and can be completely intercepted in such an attack. We recommend using only certificate-based authentication in corporate networks, i.e. the TLS methods, but keep in mind that it significantly increases the burden on network administrators.

There is another way: if remote work is implemented in the corporate network, then you can force devices connecting via Wi-Fi to also use a VPN client. That is, put the Wi-Fi segment in an initially untrusted zone, and as a result you get a good working option that minimizes network management costs.

Enterprise Wi-Fi vendors such as Cisco, Ruckus (now Brocade) and Aruba (now HPE), in addition to standard Wi-Fi solutions, provide a range of services for automatically monitoring the security of the wireless environment, i.e. things like WIPS (Wireless Intrusion Prevention System). These manufacturers have implemented wireless sensors that can monitor the entire frequency spectrum, thereby allowing fairly serious threats to be tracked automatically.

Now let's touch on topics such as BYOD (Bring Your Own Device) and MDM (Mobile Device Management). Of course, any mobile device that stores corporate data or has access to the corporate network is a potential source of problems. Security for such devices concerns not only secure access to the corporate network but also centralized policy management of the mobile devices used outside the organization: smartphones, tablets, laptops. This topic has been relevant for a very long time, but only now are there really working solutions on the market that allow you to manage a diverse fleet of mobile equipment.

Unfortunately, it will not be possible to talk about them within the framework of this post, but know that there are solutions, and in the last year we have seen a boom in the implementation of MDM solutions from Microsoft and MobileIron.

You talked about "security at a minimum", what then is "security at a maximum"?

At one time a picture was popular on the Internet recommending that firewalls from well-known manufacturers be installed one after another to protect the network. We in no way urge you to do the same, but nevertheless there is some truth in it. It will be extremely useful to have a network device with virus signature analysis, for example from Sophos, and to install an antivirus from Kaspersky Lab on the workstations. Thus we get two systems of protection against malicious code that do not interfere with each other.

There are a number of specialized information security tools:

DLP. There are specialized information security tools on the market, that is, tools developed and aimed at countering a specific threat. Currently DLP (Data Loss Prevention) systems are becoming popular. They work both at the network level, integrating into the transmission medium, and directly on application servers, workstations and mobile devices.

We are somewhat moving away from the network topic, but the threat of data leakage will always exist. In particular, these solutions become relevant for companies where data loss carries commercial and reputational risks and consequences. Even 5 years ago, the implementation of DLP systems was somewhat difficult due to their complexity and the need for a development process for each specific case. Therefore, due to their cost, many companies abandoned these solutions, or wrote their own. Currently, market systems have been developed enough, so all the necessary security functionality can be obtained right out of the box.

On the Russian market, commercial systems are mainly represented by the manufacturer Infowatch (below is a picture from this manufacturer about how they present their solution in a large company) and the rather well-known McAfee.

WAF. Due to the development of Internet commerce services, and this is Internet banking, electronic money, e-commerce, insurance services, etc., recently, specialized tools have become in demand for protecting web resources. Namely WAF - Web Application Firewall.

This device allows you to repel attacks aimed at vulnerabilities of the site itself. In addition to targeted DoS attacks, when a site is overwhelmed by legitimate requests, these can be SQL injection, cross-site scripting, etc. Previously such devices were purchased mainly by banks, other customers did not need them, and they cost a lot of money: for example, the cost of a working solution started at $100,000. Now there are a large number of solutions on the market from well-known manufacturers (Fortinet, Citrix, Positive Technologies) from which you can get a working solution to protect your site for quite reasonable money (3 to 5 times less than the amount indicated above).

Audit. Organizations, especially those that care about their own security, are implementing automated audit tools. These solutions are expensive, but they allow a number of administrator functions to be automated, which is in great demand in large businesses. These solutions constantly scan the network and audit all installed operating systems and applications for known security holes, timely updates and corporate policy compliance. Probably the best-known solutions in this area, not only in Russia but all over the world, are the products of Positive Technologies.

SIEM. Similarly, SIEM solutions. These are systems designed to identify emergency situations related specifically to security events. Even a standard set of a couple of firewalls, a dozen application servers and a thousand workstations can generate tens of thousands of alerts a day. If you have a large company with dozens of border devices, it becomes simply impossible to make sense of the data received from them manually. Automating control over the logs collected from all devices simultaneously allows administrators and information security staff to act immediately. SIEM solutions from ArcSight (part of HPE's products) and QRadar (part of IBM's products) are quite well known on the market.

And finally: what advice can you give to those who are seriously engaged in organizing the protection of their IT resources?

Of course, when organizing the IT security of an enterprise, one should not forget about administrative regulations. Users and administrators should be aware that found flash drives must not be used on a computer, just as dubious links in letters must not be clicked and dubious attachments must not be opened. It is very important to tell and explain which links and attachments are unverified. In fact, not everyone understands that passwords must not be stored on stickers glued to the monitor or phone, or that you need to learn to read the warnings that an application shows to the user, etc. You should explain to users what a security certificate is and what the messages associated with it mean. In general, it is necessary to take into account not only the technical side of the issue but also to instill in employees a culture of using corporate IT resources.
Hope you found this great post interesting and helpful.

The methods of protecting information in an enterprise, as well as the methods of obtaining it, are constantly changing. New offers from companies providing information security services appear regularly. Of course, there is no panacea, but there are several basic steps in building the protection of an enterprise information system that you definitely need to pay attention to.

Many are probably familiar with the concept of defense in depth for an information network. Its main idea is to use several layers of defense. This will, at a minimum, reduce the damage associated with a possible breach of your information system's security perimeter.
Next, we consider general aspects of computer security and also create a checklist that serves as the basis for building the basic protection of an enterprise information system.

1. Firewall

A firewall is the first line of defense that meets intruders.
According to the level of access control, the following types of firewalls are distinguished:

  • Packet filter. In the simplest case, network packets are filtered according to established rules, i.e. based on the source and destination addresses and port numbers of the packets;
  • Stateful firewall. It tracks active connections and discards spoofed packets that violate the TCP/IP specifications or do not belong to a known connection;
  • Application-level firewall. Filters based on analysis of the application data carried within the packet.

The increased focus on network security and the development of e-commerce have led to more and more users using encrypted connections (SSL, VPN) for their protection. This makes it quite difficult to analyze traffic passing through firewalls. As you might guess, the same technologies are used by the developers of malicious software: malware that encrypts its traffic has become practically indistinguishable from legitimate user traffic.
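An added example (not code from the article) of the difference between the first two types: a rule-based packet filter that relies on the classic "established" shortcut (any inbound packet with ACK set is assumed to be a reply) beside a stateful filter that only admits inbound packets matching a connection an inside host actually opened. Addresses, ports and packets are constructed for the example; the inside network is assumed to be 10.0.0.0/8 and 10.0.0.5:80 the only published service.

```python
from collections import namedtuple

# Added example: stateless versus stateful filtering over constructed packets.
# A packet is a plain tuple; flags is a frozenset of TCP flag names.
Packet = namedtuple("Packet", "src sport dst dport flags")

PUBLISHED = ("10.0.0.5", 80)  # assumed: the only service exposed to the outside


def is_inside(addr):
    return addr.startswith("10.")  # assumed inside network 10.0.0.0/8


def stateless_filter(pkt):
    """Rule-based filter with the 'established' shortcut: an inbound packet
    carrying ACK is taken to be a reply and let through without any memory."""
    if is_inside(pkt.src):
        return True  # outbound traffic is allowed
    if (pkt.dst, pkt.dport) == PUBLISHED:
        return True  # anyone may reach the web server
    return "ACK" in pkt.flags  # the weak spot: ACK alone is trusted


class StatefulFilter:
    """Tracks connections opened from inside; inbound traffic must match one."""

    def __init__(self):
        self.conns = {}  # (client, cport, server, sport) -> state

    def allow(self, pkt):
        if is_inside(pkt.src):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == {"SYN"}:
                self.conns[key] = "SYN_SENT"  # remember the attempt
            elif pkt.flags & {"FIN", "RST"}:
                self.conns.pop(key, None)  # connection torn down
            return True
        if (pkt.dst, pkt.dport) == PUBLISHED:
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reverse direction
        state = self.conns.get(key)
        if state == "SYN_SENT" and pkt.flags == {"SYN", "ACK"}:
            self.conns[key] = "ESTABLISHED"  # the reply we were waiting for
            return True
        if state == "ESTABLISHED" and "ACK" in pkt.flags:
            if pkt.flags & {"FIN", "RST"}:
                self.conns.pop(key, None)
            return True
        return False  # unsolicited or out of sequence: dropped


# Constructed traffic: one legitimate connection, then probes and a spoofed reply.
SAMPLE_PACKETS = [
    Packet("10.0.0.7", 51000, "203.0.113.9", 443, frozenset({"SYN"})),         # inside client opens a connection
    Packet("203.0.113.9", 443, "10.0.0.7", 51000, frozenset({"SYN", "ACK"})),  # legitimate reply
    Packet("10.0.0.7", 51000, "203.0.113.9", 443, frozenset({"ACK"})),         # handshake completes
    Packet("203.0.113.9", 443, "10.0.0.7", 51000, frozenset({"ACK"})),         # data from the server
    Packet("198.51.100.4", 40000, "10.0.0.7", 445, frozenset({"ACK"})),        # unsolicited "ACK scan" probe
    Packet("198.51.100.4", 40000, "10.0.0.5", 80, frozenset({"SYN"})),         # visitor to the published web server
    Packet("198.51.100.4", 40000, "10.0.0.7", 445, frozenset({"SYN"})),        # direct SMB probe at a workstation
    Packet("203.0.113.9", 443, "10.0.0.7", 51001, frozenset({"SYN", "ACK"})),  # spoofed reply nobody asked for
]


def compare(packets):
    """Return (stateless_verdict, stateful_verdict) for each packet in order."""
    stateful = StatefulFilter()
    return [(stateless_filter(p), stateful.allow(p)) for p in packets]


if __name__ == "__main__":
    for pkt, (a, b) in zip(SAMPLE_PACKETS, compare(SAMPLE_PACKETS)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {sorted(pkt.flags)} "
              f"stateless={'pass' if a else 'drop'} stateful={'pass' if b else 'drop'}")
```

The fifth and eighth packets are the point: the stateless rule cannot tell a reply from a probe or a spoofed SYN/ACK, so both pass; the stateful filter drops them because no inside host ever sent a SYN to that peer and port.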

2. Virtual Private Networks (VPN)

Situations when an employee needs access to company resources from public places (Wi-Fi at an airport or hotel) or from home (employees' home networks are not controlled by your administrators) are especially dangerous for corporate information. To protect it, you simply must use encrypted VPN tunnels. Direct access to a remote desktop (RDP) without encryption is out of the question. The same applies to the use of third-party software such as TeamViewer, Ammyy Admin, etc. for accessing the working network: traffic through these programs is encrypted, but it passes through the servers of the software's developers, beyond your control.

The disadvantages of a VPN include the relative complexity of deployment, the additional cost of authentication keys and an increase in the load on the Internet channel. Authentication keys can also be compromised. Stolen mobile devices of the company or of employees (laptops, tablets, smartphones) with pre-configured VPN connection settings can become a potential hole for unauthorized access to company resources.

3. Intrusion detection and prevention systems (IDS, IPS)

An Intrusion Detection System (IDS) is a software or hardware tool designed to detect unauthorized access to a computer system (network) or unauthorized control of such a system. In the simplest case, such a system helps detect network port scans of your system or attempts to log on to a server. The first indicates initial reconnaissance by the attacker, the second an attempt to break into your server. You can also detect attacks aimed at elevating privileges on the system, unauthorized access to important files, and malicious software activity. Advanced network switches allow intrusion detection systems to be connected using port mirroring or through traffic taps.

An Intrusion Prevention System (IPS) is a software or hardware security system that actively blocks intrusions as they are detected. If an intrusion is detected, the suspicious network traffic can be blocked automatically, and a notification is immediately sent to the administrator.
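The two simple cases named above, port scans and repeated logon attempts, as an added example that is not from the article: detection logic run over constructed firewall and sshd log lines (invented hosts and timestamps, a simplified log format). The thresholds and time windows are this example's assumptions, and the third rule, a successful logon from a source already flagged for brute force, is the escalation a practitioner would want alongside the first two.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example: simple IDS rules over constructed log lines (not real traffic).
SAMPLE_LOG = """\
2024-05-01T10:00:01 fw src=198.51.100.4 dst=10.0.0.5 dport=21 action=deny
2024-05-01T10:00:01 fw src=198.51.100.4 dst=10.0.0.5 dport=22 action=allow
2024-05-01T10:00:01 fw src=198.51.100.4 dst=10.0.0.5 dport=23 action=deny
2024-05-01T10:00:02 fw src=198.51.100.4 dst=10.0.0.5 dport=25 action=deny
2024-05-01T10:00:02 fw src=198.51.100.4 dst=10.0.0.5 dport=53 action=deny
2024-05-01T10:00:02 fw src=198.51.100.4 dst=10.0.0.5 dport=80 action=allow
2024-05-01T10:00:03 fw src=198.51.100.4 dst=10.0.0.5 dport=110 action=deny
2024-05-01T10:00:03 fw src=198.51.100.4 dst=10.0.0.5 dport=143 action=deny
2024-05-01T10:00:03 fw src=198.51.100.4 dst=10.0.0.5 dport=443 action=allow
2024-05-01T10:00:04 fw src=198.51.100.4 dst=10.0.0.5 dport=3389 action=deny
2024-05-01T10:00:30 fw src=10.0.0.7 dst=10.0.0.5 dport=443 action=allow
2024-05-01T10:00:31 fw src=10.0.0.7 dst=10.0.0.5 dport=80 action=allow
2024-05-01T10:01:10 sshd Failed password for admin from 203.0.113.9 port 40001
2024-05-01T10:01:15 sshd Failed password for admin from 203.0.113.9 port 40002
2024-05-01T10:01:20 sshd Failed password for root from 203.0.113.9 port 40003
2024-05-01T10:01:25 sshd Failed password for admin from 203.0.113.9 port 40004
2024-05-01T10:01:30 sshd Failed password for admin from 203.0.113.9 port 40005
2024-05-01T10:01:40 sshd Accepted password for admin from 203.0.113.9 port 40006
2024-05-01T10:05:00 sshd Failed password for bob from 10.0.0.7 port 50001
"""

FW_RE = re.compile(r"^(\S+) fw src=(\S+) dst=(\S+) dport=(\d+)")
AUTH_RE = re.compile(r"^(\S+) sshd (Failed|Accepted) password for (\S+) from (\S+)")


def detect(log, scan_ports=10, scan_window=60, bf_attempts=5, bf_window=120):
    """Return alert strings for port scans and password brute force in the log.
    Lines are assumed to be in time order. Thresholds are assumptions."""
    alerts = []
    port_hits = defaultdict(list)  # src -> [(time, dport)] inside the window
    failures = defaultdict(list)   # src -> [time of failed logon] inside the window
    flagged_scan, flagged_bf = set(), set()
    for line in log.splitlines():
        m = FW_RE.match(line)
        if m:
            t, src, dst, dport = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))
            recent = [(ht, p) for ht, p in port_hits[src] if t - ht <= timedelta(seconds=scan_window)]
            recent.append((t, dport))
            port_hits[src] = recent
            distinct = {p for _, p in recent}  # many distinct ports from one source = scan
            if src not in flagged_scan and len(distinct) >= scan_ports:
                flagged_scan.add(src)
                alerts.append(f"{t.isoformat()} PORT_SCAN src={src} dst={dst} ports={len(distinct)}")
            continue
        m = AUTH_RE.match(line)
        if not m:
            continue
        t, result, user, src = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)
        if result == "Failed":
            recent = [ft for ft in failures[src] if t - ft <= timedelta(seconds=bf_window)]
            recent.append(t)
            failures[src] = recent
            if src not in flagged_bf and len(recent) >= bf_attempts:
                flagged_bf.add(src)
                alerts.append(f"{t.isoformat()} BRUTE_FORCE src={src} user={user} failures={len(recent)}")
        elif src in flagged_bf:
            # a success right after a burst of failures is the case worth paging on
            alerts.append(f"{t.isoformat()} SUCCESS_AFTER_BRUTE_FORCE src={src} user={user}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Each source is flagged once per rule rather than on every further line, which keeps a single scanner from producing thousands of identical alerts; the sliding window is what separates a scanner from a legitimate host that talks to many ports over a whole day.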

4. Antivirus protection

Antivirus software is the main line of defense for most modern enterprises. According to the research company Gartner, the antivirus software market in 2012 amounted to $19.14 billion. The main consumers are small and medium-sized businesses.

First of all, antivirus protection is aimed at client devices and workstations. Business versions of antiviruses include centralized management functions for distributing antivirus database updates to client devices, as well as the ability to configure security policies centrally. The product lines of antivirus companies also include specialized solutions for servers.
Given that most malware infections occur as a result of user actions, antivirus suites offer comprehensive protection options, for example protection of e-mail clients and chat programs and checking of the sites users visit. In addition, antivirus packages increasingly include software firewalls, proactive defense mechanisms and spam filtering.

5. White lists

What are whitelisting? There are two main approaches to information security. The first approach assumes that the operating system is allowed to run any applications by default, if they are not previously blacklisted. The second approach, on the contrary, assumes that only those programs that were previously included in the "white list" are allowed to run, and all other programs are blocked by default. The second approach to security is, of course, more preferable in the corporate world. Whitelists can be created using either the built-in tools of the operating system or third-party software. Antivirus software often offers this feature in its composition. Most antivirus applications that offer whitelisting filtering allow you to initial setup very fast, with minimal user attention.

However, there may be situations in which the dependencies of a whitelisted program's files have not been correctly identified, either by you or by the antivirus software. This will cause the application to crash or fail to install correctly. In addition, whitelisting is powerless against attacks that exploit document-processing vulnerabilities in whitelisted programs. You should also pay attention to the weakest link in any protection: employees in a hurry can ignore the antivirus software's warning and add malicious software to the whitelist themselves.
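The two approaches, and the dependency pitfall just mentioned, side by side as an added example (not code from the article or from any antivirus product): a hash-based execution policy that can run in default-allow (blacklist) or default-deny (whitelist) mode. The file names and contents are constructed placeholders, not real binaries. Note how a previously unseen malware variant passes the blacklist but not the whitelist, how a forgotten dependency (`helper.dll`) is blocked by the whitelist exactly as the text warns, and how tampering with an approved binary changes its digest so it no longer matches.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Content digest of a file; a modified or substituted binary gets a different digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class ExecutionPolicy:
    """Decide whether a file may run.

    default_allow=True  : blacklist model, anything not in `blocked` runs
    default_allow=False : whitelist model, only digests in `allowed` run
    """

    def __init__(self, default_allow, allowed=(), blocked=()):
        self.default_allow = default_allow
        self.allowed = set(allowed)
        self.blocked = set(blocked)

    def decide(self, path):
        """Return (allowed, reason) for the file at `path`."""
        digest = sha256_file(path)
        if self.default_allow:
            if digest in self.blocked:
                return False, "blacklisted"
            return True, "not blacklisted (default allow)"
        if digest in self.allowed:
            return True, "whitelisted"
        return False, "not whitelisted (default deny)"


def demo():
    """Constructed files standing in for binaries; returns the decision of each policy per file."""
    with tempfile.TemporaryDirectory() as d:
        contents = {
            "app.exe": b"APP v1",
            "helper.dll": b"HELPER v1",     # dependency of app.exe
            "known_malware.exe": b"BAD v1",
            "new_malware.exe": b"BAD v2",   # variant not yet in any blacklist
        }
        paths = {}
        for name, data in contents.items():
            paths[name] = os.path.join(d, name)
            with open(paths[name], "wb") as f:
                f.write(data)

        blacklist = ExecutionPolicy(default_allow=True,
                                    blocked={sha256_file(paths["known_malware.exe"])})
        # The administrator whitelisted the application but forgot its dependency.
        whitelist = ExecutionPolicy(default_allow=False,
                                    allowed={sha256_file(paths["app.exe"])})

        results = {}
        for name, path in paths.items():
            results[name] = {"blacklist": blacklist.decide(path)[0],
                             "whitelist": whitelist.decide(path)[0]}

        # Tampering with an approved binary changes its digest, so the whitelist no longer matches.
        with open(paths["app.exe"], "ab") as f:
            f.write(b" + injected code")
        results["app.exe (tampered)"] = {"blacklist": blacklist.decide(paths["app.exe"])[0],
                                        "whitelist": whitelist.decide(paths["app.exe"])[0]}
        return results


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:22} {verdicts}")
```

Real whitelisting tools usually match on publisher certificate or path as well as on hash, which is what makes updates manageable; the hash-only form shown here is the strictest and the one that most often breaks on an unlisted dependency.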

6. Filtering spam

Spam mailings are often used to carry out phishing attacks, which in turn are used to inject a Trojan or other malware into the corporate network. Users who process large amounts of e-mail every day are more susceptible to phishing e-mails. Therefore, the task of the company's IT department is to filter as much spam as possible out of the general e-mail flow.

The main ways to filter spam:

  • Specialized providers of spam filtering services;
  • Spam filtering software on the company's own mail servers;
  • Specialized hardware solutions deployed in a corporate data center.
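Whichever of the three deployment options is chosen, the filter itself applies rules to each message. The following is an added example (not code from the article or from any spam-filtering product) of a small rule-based phishing scorer run over three constructed messages: it checks the SPF/DKIM verdict already recorded by the receiving server, a Reply-To domain that differs from the From domain, a look-alike sender domain, links that do not match the sender's domain, and urgency phrases. `ORG_DOMAIN`, the sample headers and addresses, and the score thresholds are assumptions for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

ORG_DOMAIN = "corp.example"           # assumption: the company's own mail domain
ORG_NAME = ORG_DOMAIN.split(".")[0]   # "corp", used to spot look-alike domains

# Constructed sample messages (not real mail); headers are kept minimal on purpose.
SAMPLE_MESSAGES = {
    "legit": """From: Payroll <payroll@corp.example>
To: staff@corp.example
Subject: January payslips
Authentication-Results: mx.corp.example; spf=pass dkim=pass

Your payslip for January is available at https://intranet.corp.example/payslips
""",
    "phish": """From: IT Support <it-support@corp-example.net>
Reply-To: helpdesk@mail-reset.example
To: staff@corp.example
Subject: URGENT: verify your password
Authentication-Results: mx.corp.example; spf=fail dkim=none

Your account will be suspended. Verify your password immediately at http://198.51.100.23/login
""",
    "borderline": """From: Alice <alice@vendor.example>
Reply-To: alice.vendor@webmail.example
To: buyer@corp.example
Subject: Invoice question
Authentication-Results: mx.corp.example; spf=pass dkim=pass

Could you confirm the PO number? Please reply immediately, the shipment is waiting.
""",
}

URL_HOST_RE = re.compile(r"https?://([^/\s<>]+)", re.I)
URGENCY_PHRASES = ("urgent", "immediately", "account will be suspended", "verify your password")


def domain_of(address):
    return address.rpartition("@")[2].lower()


def score_message(raw):
    """Return (score, findings) for one message; a higher score is more phishing-like."""
    msg = message_from_string(raw, policy=policy.default)
    score, findings = 0, []

    # 1. Authentication verdict stamped by the receiving MX (SPF/DKIM).
    auth = (msg.get("Authentication-Results") or "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        score += 3
        findings.append("sender authentication failed")

    # 2. Replies silently redirected to another domain.
    _, from_addr = parseaddr(msg.get("From") or "")
    from_dom = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To") or "")
    if reply_addr and domain_of(reply_addr) != from_dom:
        score += 2
        findings.append("Reply-To domain differs from From domain")

    # 3. Sender domain imitating the company's own domain.
    if from_dom != ORG_DOMAIN and ORG_NAME in from_dom:
        score += 2
        findings.append(f"look-alike sender domain {from_dom}")

    # 4. Links pointing somewhere other than the sender's domain (raw IPs included).
    body = msg.get_payload()
    for host in URL_HOST_RE.findall(body):
        host = host.lower()
        if not (host == from_dom or host.endswith("." + from_dom)):
            score += 1
            findings.append(f"link to {host} does not match sender domain")

    # 5. Pressure language typical of phishing.
    text = ((msg.get("Subject") or "") + " " + body).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            score += 1
            findings.append(f"urgency phrase: {phrase!r}")
    return score, findings


def classify(raw):
    """Map the score to an action: deliver, flag for the user, or quarantine."""
    score, findings = score_message(raw)
    verdict = "quarantine" if score >= 4 else "flag" if score >= 2 else "deliver"
    return verdict, score, findings


if __name__ == "__main__":
    for label, raw in SAMPLE_MESSAGES.items():
        print(label, classify(raw))
```

Production filters add reputation lists, Bayesian or machine-learned content scoring and attachment analysis on top of rules like these, but the structure is the same: independent signals, each with a weight, combined into a verdict with an explanation the administrator can review.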

7. Keeping software up to date

Timely software updates and the application of the latest security patches are an important element in protecting the corporate network from unauthorized access. Software vendors usually do not publish complete information about a newly found security hole. However, a general description of the vulnerability is enough for cybercriminals to write software to exploit it literally within a couple of hours after the description of the new hole and the patch for it are published.
In practice this is a real problem for small and medium-sized enterprises, since they use a wide range of software products from different manufacturers. Updating the entire software estate is often not given due attention, and this is practically an open window in the enterprise security system. Currently, a great deal of software updates itself from the manufacturer's servers, and this removes part of the problem. Why only part? Because the manufacturer's servers can be hacked, and under the guise of legitimate updates you will receive fresh malware. Manufacturers themselves also sometimes release updates that disrupt the normal operation of your software, which is unacceptable in critical areas of the business. To prevent such incidents, all received updates must, firstly, be applied immediately after their release and, secondly, be thoroughly tested before being applied.

8. Physical security

The physical security of the corporate network is one of the critical factors, and its importance is difficult to overestimate. Having physical access to a network device, an attacker will in most cases easily gain access to your network: for example, if there is physical access to a switch and the network does not filter MAC addresses (although MAC filtering will not save you in this case either). Another problem is the theft or careless handling of hard drives after they are replaced in a server or other device. Given that the passwords found on them can be decrypted, server cabinets, server rooms and equipment boxes must always be reliably protected from intruders.

We have touched on only a few of the most common security aspects. It is also important to pay attention to user training, periodic independent information security audits, and the creation of and adherence to a sound information security policy.
Please note that protecting the corporate network is a complex topic that is constantly changing. You need to be sure that the company does not depend on just one or two lines of defense. Always try to keep up with the latest information and new solutions on the information security market.

Take advantage of reliable protection of your corporate network as part of the "corporate computer maintenance" service in Novosibirsk.