Fundamentals of information security
Everyone has heard the phrase "information security" (IS), but for most people it remains an empty sound. Even among those who have some idea of it, the basic principles are a closed book, and only a few professionals can say what information security actually is. Practitioners will learn nothing new here, but for "ordinary people" it should be useful.
At one time (and again recently) I shovelled through mountains of material looking for the basics of information security and got... mountains of useless information. Why useless? Because there is no coordinated approach to the problem. Depending on the author and their goals there is a sea of approaches, classifications and theories, but no unified system. So the text below is a short summary of practice accumulated over 14 years.
First we will demolish a few clichés, second we will work out what practical information security is, and third there will be practical advice accumulated over those 14 years.
Clichés:
1. Hackers are crackers (criminals). Not at all: they are specialists of the highest class. The word comes from the verb "to hack" in the sense of rough, improvised work, and it was (and is) applied to specialists capable of squeezing 120% (or more) out of software and hardware and who know systems better than their creators. A hacker is not the same thing as a malicious intruder (although one does not exclude the other); a hacker is a top-class specialist, regardless of what they do with that skill.
2. Antivirus software protects the computer. It does not, and in principle cannot, protect the computer from all threats; the limit of what antivirus can do is filter out old, already-known malware that is still circulating but has not yet been cleaned up.
3. There is a single system which you configure once and then forget about IS threats. No such thing exists or can exist.
4. Software vendors take care of information security. Hunting for security flaws in a software product requires high qualifications and huge amounts of time, which means, first, a development budget several times (sometimes dozens of times) larger and, second, specialists of whom there are only a handful on the market.
5. You can fully protect yourself from IS threats (for example, by keeping the computer offline). You cannot: methods of attacking offline machines not only exist but are actively used.
Practical information security:
Hackers (those who break software and servers and write viruses) fall into two categories:
1. For money. Those who carry out attacks for payment.
2. For the idea. Those who break in, first, to see how it works (by analogy with dissecting laboratory animals), second, to earn well-deserved respect from colleagues, and third, to achieve some personal goal.
The second category is the most dangerous for IS. If an idealistic hacker becomes interested in your system, its compromise is only a matter of time.
Hence the first axiom of practical information security: assume that you have already been hacked.
Let's go further and answer the key questions (which 99% of people never even ask): what is hacking, and how does it actually happen?
Hacking is unauthorized interference in the operation of an information infrastructure that affects information in one of the following ways:
1. Creating information: uploading new data or software onto the attacked computers.
2. Changing information: modifying data and software.
3. Copying information: copying it from the victim's computer onto the attacker's media.
4. Deleting information: destroying information on the victim's computer.
5. Denial of service: actions as a result of which the victim's computer can no longer perform its assigned tasks.
How hacking happens (a generalization of the hackers' "memoirs" I have read):
First of all, the hacker collects information about the target system. How much can be learned just by examining the network traffic from the victim is a topic not for one post but for a whole series of them. The upshot is that the hacker knows exactly what he is attacking.
The second stage is building a copy of the target system in a virtual or physical environment. This stage is needed to work out the attack mechanism, although under some conditions it is skipped.
The third stage is creating the hacking tool (or picking a ready-made one).
The fourth stage is testing the tool against antivirus products. A piece of malware that is recognized at once is of no use to anyone, so a tool that has been properly prepared for an attack will pass the antivirus protection in use at that moment (it only becomes detectable once samples reach the antivirus vendors, which is why antivirus is still worth running; see the recommendations below).
The fifth stage is preparing the attack. Here the ways of bypassing the perimeter defences of the information infrastructure are worked out and the access problems are solved.
The sixth stage is the break-in itself. This is exactly what they show in films: ready-made tools are used over ready-made attack channels.
The seventh stage is exploiting the results of the attack.
Recommendations:
0. Make copies of important information. Keep at least 2 copies of working data and at least 4 copies of critical data, placed so that they cannot be damaged or destroyed by an attack or by any other event (a copy that the attacker can reach and overwrite from the compromised machine is not a backup).
1. Use antivirus. There are very few cases where an attack was aimed at a single information infrastructure; usually a whole segment is attacked, and the target happens to belong to it. The attack succeeds, and after a while (from a day to several years) the malware used in it reaches the antivirus companies and they update their databases. The antivirus will simply filter out the scraps of long-past attacks still flying around the network and let you concentrate on the current threats.
2. Use firewalls (at least on gateways). It is strongly recommended to configure them by hand and on every device. The recommended policy on workstations is to deny all incoming connections and allow outgoing ones; the recommended policy on servers is to allow specific ports only to specific clients. Bear in mind that "allow all outgoing" still lets malware call home, so on servers restrict outgoing connections too where the workload permits.
3. Segment networks and close access to shared folders. Quite a few viruses spread over the network and through shared resources.
4. Use virtualization as much as possible. A virtual machine is slower than physical hardware, but it is just a file that is easy to copy and, when needed, to copy back. Restoring service then takes minimal time and losses are reduced.
5. Install the minimum of software on computers. There is no invulnerable software, and in the race for customers everyone has given up on security, so every program is a set of security holes, and the less software, the fewer the potential problems. Take the same position toward the services running on computers: only what is needed for work.
6. Use file-system scanners. Any attack by any malware touches the file system. An FS scanner stores a table of files with their hashes and watches file accesses; if unusual manipulations of the FS appear (files changed, added or deleted where nothing should change), you are under attack.
7. Do not use "standard" solutions. For standard solutions there are standard ways to bypass them. Think about how to steer an attack away from the real machines into some kind of "cesspool" (a prepared DMZ, in effect a honeypot). Take care of the believability of the "cesspool": the data in it must, first, be useless to the hacker and, second, be plausible, otherwise he will realize he has been deceived and change the attack vector.
8. Protection begins at installation. Already at the stage of installing the OS you can defend against a lot of typical threats. First, copy the ready-to-use OS image to a separate partition (in case of infection it will be enough to restore the OS from the image); second, by means of the OS or third-party software, whitelist the permitted executable files and forbid the execution of all others; third, disable automatic start-up from all devices; fourth, minimize the software shipped with the OS.
9. Document everything. Nobody and nothing lasts forever, and memory is imperfect. Well-compiled documentation allows you, first, to have a clear picture of the situation, second, to have an idea of the possible threats, and third, to plan the elimination of the consequences of a break-in.
A. Love paper, not files. Files are easily copied; with paper that is much harder. Critical passwords should never be saved or stored in files. "Second-level" passwords should be kept only in local password managers, while passwords for "spam" accounts can be written in a notebook on the desk.
B. Don't trust anyone or anything. With few exceptions, everything we see on the monitor is the output of programs that may already be infected. Imitating someone else's interface is a very simple task, so if there is a threat
C. The biggest IS threat sits in front of the monitor. The easiest way in is through the user, so the user should be restricted as much as possible on the computer: one folder with documents and access to the programs used for work, everything else forbidden. Hold briefings and drills on information security.
D. Prevention reduces how deep in the hole you end up. In my practice there was a case where two months of hard work by the sysadmin meant that an attack which began with a fake letter from the FIU addressed to the accountant failed (when file changes were detected, the computer was switched off) and operation was restored in about 30 minutes.
E. Assume you have already been hacked. Spend much more time not on protection as such but on ways, first, to make access to critical data harder and, second, to restore the system to working order as quickly as possible. The more elaborate the path to unauthorized access to data, the longer the hacker has to stay online, and the higher the chance of detecting the intrusion and starting to counteract it. The faster the system can be restored, the shorter the downtime and, accordingly, the smaller the losses. There are oceans of methods; a lifetime will not be enough to try them all.
F. Hack yourself. If you know how things get hacked, you will know how to defend against it accordingly.
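The table-of-hashes mechanism from item 6, as an added example (my code, not anything from the original post): it builds a SHA-256 baseline of a directory tree, stores the baseline outside that tree, and on re-check reports the files that were added, removed or modified, which is exactly the signal that stopped the attack in item D. The directory layout, file names and contents inside demo() are constructed for the illustration; run the file as a script to see the report.

```python
# Added example (not from the original post): a minimal file-system
# integrity scanner of the kind item 6 describes. It records a table of
# files and their SHA-256 hashes as a baseline, then re-walks the tree and
# reports what was added, removed or modified. The directory layout and
# file contents in demo() are constructed for illustration.
import hashlib
import json
import os
import tempfile
from typing import Dict, List

CHUNK = 1 << 20  # read files in 1 MiB pieces so large files do not fill RAM


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its hash."""
    table: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            # Symlinks and special files are skipped: hashing a symlink's target
            # would let an intruder point a "watched" name at an unrelated file.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            table[rel] = sha256_file(full)
    return table


def save_baseline(table: Dict[str, str], path: str) -> None:
    """Write the baseline as JSON. Keep it off the monitored machine or on
    read-only media: a baseline the intruder can rewrite proves nothing."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(table, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> Dict[str, str]:
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def verify(root: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the live tree with the baseline.

    Returns the three kinds of "unusual manipulation" the post talks about:
    files that appeared, files that vanished and files whose content changed.
    """
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(current) & set(baseline)
                      if current[p] != baseline[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small tree, then simulate an intrusion
    (a binary is trojaned, a dropper appears, a log is wiped) and report it."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as safe:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "log"))
        with open(os.path.join(root, "bin", "app"), "wb") as f:
            f.write(b"original binary")
        with open(os.path.join(root, "log", "audit.log"), "wb") as f:
            f.write(b"login ok\n")

        baseline_path = os.path.join(safe, "baseline.json")  # outside the tree
        save_baseline(build_baseline(root), baseline_path)

        # Simulated attack: patch the binary, drop a tool, wipe the log.
        with open(os.path.join(root, "bin", "app"), "wb") as f:
            f.write(b"trojaned binary")
        with open(os.path.join(root, "bin", "dropper"), "wb") as f:
            f.write(b"attacker tool")
        os.remove(os.path.join(root, "log", "audit.log"))

        return verify(root, load_baseline(baseline_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

On a real system the baseline must live where the intruder cannot rewrite it (read-only media or a separate host), the verify pass is best run from clean boot media like the audit described below, and directories that legitimately change all the time (logs, caches, temporary files) need to be excluded or the report turns into noise and gets ignored.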
And finally (most importantly): audit. Get into the habit of checking what is going on inside your computer by booting from a "live" OS image (preferably an antivirus rescue disk) and seeing whether everything is in order. Booting from clean media matters because the check then does not depend on an OS that may already be compromised and hiding things from you.
Information security is not a single action or a set of actions but a constant, uninterrupted process.