Computer security threats and the basics of antivirus protection. What are network vulnerabilities, threats and attacks

Network threats have become a problem for every PC user with Internet access, without exception. Many companies use firewalls and encryption as their answer to security problems in order to stay protected from possible threats. However, this is not always enough.

Classification of network threats

Network threats are classified into four categories:

  1. Unstructured threats;
  2. Structured threats;
  3. Internal threats;
  4. External threats.

Unstructured threats

Unstructured threats usually involve unfocused attacks on one or more network systems; the attacked and infected systems may be unknown to the criminal. Malicious code such as a virus, worm or Trojan horse can easily get onto your PC. Some common terms to be aware of:

Virus – a malicious program that can replicate with little or no user intervention; the copies it produces can replicate in turn.

Worm – a form of virus that spreads by creating duplicates of itself on other drives, systems, or networks. For example, a worm operating on an email system can send copies of itself to every address in the email system's address book.

Trojan horse – at first glance a useful program (perhaps a game or a screensaver), but in the background it may perform other tasks, such as deleting or changing data, or capturing passwords. A true Trojan horse is technically not a virus because it does not replicate.

Unstructured attacks that use self-replicating code which mails a copy of itself to every email user can cross the globe in a few hours, causing problems for networks and individuals around the world, even if the original intention was minor.

Structured threats

Structured threats are targeted at one or more individuals and are carried out by people with higher-level skills who actively work to compromise the system. The attackers in this case have a specific goal. They tend to be knowledgeable about network design, security, access procedures and hacking tools, and are able to create scripts or applications to achieve their goals.

Insider threats

Insider threats come from persons with authorized access to the network. This could be a disgruntled employee or an unhappy fired employee whose access is still active. Many studies show that insider attacks can be significant in both number and loss.

External threats

External threats are threats from individuals outside the organization who frequently use the Internet or dial-up. These attackers do not have authorized access to the systems.

The classification of a particular threat may result in a combination of two or more threats. For example, an attack may be structured from an external source and, at the same time, may have one or more compromised employees internally actively promoting the effort.

The term “malware” refers to any program created and used to perform unauthorized and often malicious actions. As a rule, it includes various types of viruses, worms, Trojans, keyloggers, password-stealing programs, macro viruses, boot sector viruses, script viruses, rogue software, spyware and adware. Unfortunately, this list is far from complete and is replenished every year with new types of malicious programs, which in this material we will often call by the general word “viruses”.

The motives for writing computer viruses vary widely: from a banal desire to test one’s programming skills to the desire to cause harm or obtain illegal income. Some viruses do almost no harm and only slow down the machine by reproducing, cluttering the computer's hard drive or producing graphic, sound and other effects. Others can be very dangerous, leading to the loss of programs and data, erasing information in system memory areas, and even failure of parts of the hard drive.

CLASSIFICATION OF VIRUSES

At the moment, there is no clear classification of viruses, although there are certain criteria for their division.

Virus habitat

First of all, malware is divided according to its habitat (the objects it affects). The most common type of malware is file viruses, which infect executable files and are activated every time the infected object is launched. It is not without reason that some email services (for example, Gmail) do not allow sending emails with executable files (files with the .EXE extension) attached to them; this is done to protect the recipient from receiving an email with a virus. Once such a virus gets onto a computer through a network or any storage medium, it does not wait to be launched but starts automatically and carries out the malicious actions it is programmed for.

This does not mean that all executable files are viruses (installation files, for example, also have the .exe extension), or that viruses only have the .exe extension. They can have the extensions .inf or .msi, have no extension at all, or be attached to existing documents (infecting them).

The next type of virus has its own characteristic feature: it writes itself into the boot areas of disks or into sectors containing the system bootloader. As a rule, such viruses are activated when the operating system boots and are called boot sector viruses.

Macro viruses infect document files, which include both text documents and spreadsheets, and are written in macro languages. Most viruses of this type are written for the popular text editor MS Word.

Finally, network or script viruses use computer network protocols and scripting language commands to reproduce. Recently, this type of threat has become very widespread. For example, attackers often exploit vulnerabilities in JavaScript, which is actively used by almost all website developers, to infect a computer.

Virus operation algorithms

Another criterion for dividing malware is the features of its operating algorithm and the technologies used. In general, all viruses can be divided into two types: resident and non-resident. Resident viruses are located in the computer’s RAM and remain active until it is turned off or rebooted. Non-resident viruses do not infect memory and are active only at a certain point in time.

Companion (satellite) viruses do not modify executable files but create copies of them with the same name and a different, higher-priority extension. For example, the file xxx.COM will always be launched before xxx.EXE due to the specifics of the Windows file system. Thus the malicious code is executed first, and only after that the original program.
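The companion trick described above leaves a recognisable footprint: two programs in the same directory that share a base name and differ only in a .COM/.EXE extension. The following script is an added example, not part of the original article or of any antivirus product; it builds a constructed sample directory and reports such pairs so an administrator can inspect them. The .COM-before-.EXE precedence is taken from the text as an assumption (on a real Windows host the PATHEXT variable defines the search order).

```python
import tempfile
from pathlib import Path

# Assumption for this illustration: a bare program name resolves to .COM before
# .EXE, so a stray xxx.COM beside xxx.EXE deserves a look.
PRIORITY_EXTS = (".com", ".exe")


def find_companion_pairs(directory):
    """Return (com_path, exe_path) pairs for files that share a base name.

    A .COM and an .EXE with the same stem is the footprint a companion virus
    leaves; a legitimate program normally ships only one of them.
    """
    by_stem = {}
    for entry in Path(directory).iterdir():
        if not entry.is_file():
            continue
        ext = entry.suffix.lower()
        if ext in PRIORITY_EXTS:
            by_stem.setdefault(entry.stem.lower(), {})[ext] = entry
    pairs = []
    for stem in sorted(by_stem):
        exts = by_stem[stem]
        if ".com" in exts and ".exe" in exts:
            pairs.append((str(exts[".com"]), str(exts[".exe"])))
    return pairs


def build_sample_dir():
    """Constructed sample: notes.exe shadowed by a notes.com, plus harmless files."""
    tmp = tempfile.mkdtemp()
    for name in ("notes.exe", "notes.com", "setup.exe", "readme.txt"):
        Path(tmp, name).write_bytes(b"sample content")
    return tmp


if __name__ == "__main__":
    sample = build_sample_dir()
    for com, exe in find_companion_pairs(sample):
        print(f"suspicious pair: {com} shadows {exe}")
```

Run against a real program directory, a reported pair is not proof of infection (some old installers legitimately shipped both), but it is cheap to check and the .COM copy should be hashed and compared against the vendor's files.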

Worm viruses spread on their own through hard drive directories and computer networks by creating copies of themselves there. Exploiting vulnerabilities and various administrative errors in programs allows worms to spread completely autonomously, selecting and attacking user machines automatically.

Stealth (invisible) viruses try to partially or completely hide their presence in the OS. To do this, they intercept the operating system's accesses to infected files and disk sectors and substitute uninfected areas of the disk, which greatly hinders their detection.

Polymorphic (ghost, or self-encrypting) viruses have an encrypted body, so that two copies of the same virus share no identical code fragments. This greatly complicates the detection of this type of threat, and so the technique is used by almost all types of viruses.

Rootkits allow attackers to hide traces of their activities in a compromised operating system. These types of programs are engaged in hiding malicious files and processes, as well as their own presence in the system.

Additional functionality

Many malicious programs contain additional functionality that not only makes them difficult to detect on the system but also lets attackers control your computer and obtain the data they need. These viruses include backdoors, keyloggers (keyboard interceptors), spyware, botnets and others.

Operating systems affected

Various viruses can be designed to operate on certain operating systems, platforms and environments (Windows, Linux, Unix, OS/2, DOS). Of course, the vast majority of malware is written for the world's most popular Windows system. However, some threats work only in Windows 95/98, some only in Windows NT, and some only in 32-bit environments, without infecting 64-bit platforms.

SOURCES OF THREATS

One of the primary goals of attackers is to find a way to deliver an infected file to your computer and have it activated there. If your computer is not connected to a network and does not exchange information with other computers via removable media, it has nothing to fear from computer viruses. The main sources of viruses are:

  • Floppy disk, laser disk, flash card or any other removable storage medium containing virus-infected files;
  • A hard drive that received a virus as a result of working with infected programs;
  • Any computer network, including a local network;
  • Email and messaging systems;
  • The global Internet.

TYPES OF COMPUTER THREATS

It’s probably no secret to you that today the main source of viruses is the worldwide global network. What types of computer threats can any ordinary user of the global Internet encounter?

  • Cybervandalism . Distribution of malware with the aim of damaging user data and disabling the computer.
  • Fraud . Distribution of malware to obtain illegal income. Most programs used for this purpose allow attackers to collect confidential information and use it to steal money from users.
  • Hacker attacks . Hacking of individual computers or entire computer networks in order to steal confidential data or install malware.
  • Phishing . Creation of fake websites that are an exact copy of existing ones (for example, a bank website) with the aim of stealing confidential data when users visit them.
  • Spam . Anonymous mass emails that clog up users' email inboxes. As a rule, they are used to advertise goods and services, as well as phishing attacks.
  • Adware . Distributing malware that runs ads on your computer or redirects search queries to paid (often pornographic) websites. It is often built into free or shareware programs and installed on the user’s computer without his knowledge.
  • Botnets . Zombie networks consisting of computers infected with a Trojan (including your PC), controlled by one owner and used for his purposes (for example, sending spam).

SIGNS OF COMPUTER INFECTION

It is very important to detect a virus that has entered your computer at an early stage: until it has had time to multiply and deploy its self-defense against detection, the chances of getting rid of it without consequences are very high. You can determine the presence of a virus on your computer yourself by knowing the early signs of infection:

  • Reducing the amount of free RAM;
  • Significantly slower loading and operation of the computer;
  • Incomprehensible (for no reason) changes in files, as well as changes in sizes and the date of their last modification;
  • Errors when loading the operating system and during its operation;
  • Inability to save files in certain folders;
  • Incomprehensible system messages, music and visual effects.
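Several of the signs listed above (unexplained changes to files, their sizes and modification dates) are things a machine can watch for you. The script below is an added example, not part of the original article; it records a baseline of size, mtime and SHA-256 for every file under a directory, then compares a later snapshot against it and reports what was added, removed or modified. The directory tree and the simulated changes in demo() are constructed for the illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot(root):
    """Record size, modification time and SHA-256 of every regular file under root."""
    baseline = {}
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        info = path.stat()
        baseline[path.relative_to(root).as_posix()] = {
            "size": info.st_size,
            "mtime": int(info.st_mtime),
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        }
    return baseline


def compare(old, new):
    """Classify every file as added, removed or modified between two snapshots.

    Size and mtime are hints; a changed digest is what proves the content differs.
    """
    report = {"added": [], "removed": [], "modified": []}
    for rel, entry in new.items():
        if rel not in old:
            report["added"].append(rel)
        elif entry["sha256"] != old[rel]["sha256"]:
            report["modified"].append(rel)
    report["removed"] = [rel for rel in old if rel not in new]
    return report


def save_baseline(baseline, path):
    """Persist the baseline; ideally keep this file off the monitored machine."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: baseline a small tree, then simulate an infection."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "bin" / "app.exe").write_bytes(b"MZ original program")
    (root / "config.ini").write_text("mode=safe\n")
    (root / "notes.txt").write_text("keep me\n")
    baseline_file = root.parent / (root.name + ".baseline.json")
    save_baseline(snapshot(root), baseline_file)

    # Simulated infection: a binary is patched, a file is dropped, one disappears.
    (root / "bin" / "app.exe").write_bytes(b"MZ original program" + b" appended code")
    (root / "bin" / "dropped.exe").write_bytes(b"MZ unexpected")
    (root / "notes.txt").unlink()

    return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A baseline is only as trustworthy as the place it is stored: malware that can rewrite system files can also rewrite a baseline kept next to them, so keep the JSON on read-only or external media and re-run the comparison from a clean boot environment when in doubt.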

If you find that some files have disappeared or cannot be opened, the operating system cannot be loaded, or the hard drive has been formatted, the virus has entered its active phase and simply scanning your computer with an anti-virus program will not be enough. You may have to reinstall the operating system, or run disinfection tools from an emergency boot disk, since the antivirus installed on your computer has probably lost its functionality after being modified or blocked by the malware.

True, even if you manage to get rid of infected objects, it is often impossible to restore the normal functionality of the system, since important system files may be irretrievably lost. At the same time, remember that your important data, be it photographs, documents or a music collection, may be at risk of destruction.

To avoid all these troubles, you must constantly monitor the anti-virus protection of your computer, as well as know and follow basic information security rules.

ANTI-VIRUS PROTECTION

To detect and neutralize viruses, special programs are used, which are called “antivirus programs” or “antiviruses”. They block unauthorized access to your information from the outside, prevent infection by computer viruses and, if necessary, eliminate the consequences of infection.

Antivirus protection technologies

Now, let's take a look at the antivirus protection technologies used. The presence of a particular technology as part of an antivirus package depends on how the product is positioned on the market and affects its final cost.

File antivirus. A component that controls the computer's file system. It checks all opened, launched and saved files on your computer. If known viruses are detected, as a rule, you are asked to disinfect the file. If for some reason this is not possible, then it is deleted or moved to quarantine.

Mail antivirus. Provides protection for incoming and outgoing mail and scans it for dangerous objects.

Web antivirus. Performs anti-virus scanning of traffic transmitted via the HTTP protocol, which protects your browser. It monitors all running scripts for malicious code, including JavaScript and VBScript.

IM antivirus. Responsible for the security of instant messengers (ICQ, MSN, Jabber, QIP, Mail.Ru Agent, etc.); it checks and protects information received via their protocols.

Program control. This component logs the actions of programs running on your operating system and regulates their activities based on established rules. These rules regulate program access to various system resources.

Firewall. Ensures the security of your work on local networks and the Internet by monitoring incoming traffic for activity typical of network attacks that exploit operating system and software vulnerabilities. Rules are applied to all network connections that allow or prohibit certain actions based on the analysis of certain parameters.

Proactive protection. This component is designed to identify dangerous software based on analysis of its behavior in the system. Malicious behavior may include: activity typical of Trojan programs, access to the system registry, self-copying of programs to various areas of the file system, interception of keyboard input, injection into other processes, etc. In this way, an attempt is made to protect the computer not only from already known viruses, but also from new ones that have not yet been studied.
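Behaviour-based detection of the kind described above works by scoring what a process does rather than what its bytes look like. The block below is an added illustration, not code from the article or from any antivirus vendor: a constructed event trace for two processes is run through a handful of weighted rules (Run-key persistence, self-copy into the profile, keyboard hook, writing into another process) and each process gets a verdict. The event format, rule weights and threshold are assumptions chosen for the example.

```python
# Constructed trace of what monitored processes did; the event shapes, rule
# weights and the threshold are assumptions for this illustration, not the
# rules of any real product.
SAMPLE_TRACE = [
    {"pid": 4120, "action": "file_copy",
     "target": r"C:\Users\alice\AppData\Roaming\invoice.exe"},
    {"pid": 4120, "action": "registry_write",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\invoice"},
    {"pid": 4120, "action": "set_hook", "target": "WH_KEYBOARD_LL"},
    {"pid": 4120, "action": "write_process_memory", "target": "explorer.exe"},
    {"pid": 3001, "action": "file_write",
     "target": r"C:\Users\alice\Documents\report.docx"},
    {"pid": 3001, "action": "registry_write",
     "target": r"HKCU\Software\SampleEditor\RecentFiles"},
]

# Each rule: (description, predicate over one event, weight).
RULES = [
    ("persistence through a Run key",
     lambda e: e["action"] == "registry_write"
     and "\\currentversion\\run" in e["target"].lower(), 3),
    ("copies itself into the user profile",
     lambda e: e["action"] == "file_copy" and "\\appdata\\" in e["target"].lower(), 2),
    ("installs a keyboard hook",
     lambda e: e["action"] == "set_hook" and e["target"].startswith("WH_KEYBOARD"), 3),
    ("writes into another process's memory",
     lambda e: e["action"] == "write_process_memory", 4),
]
SUSPICIOUS_THRESHOLD = 6


def score_process(trace, pid):
    """Sum the weights of every rule a process triggers; each rule counts once."""
    hits = []
    for description, predicate, weight in RULES:
        if any(predicate(e) for e in trace if e["pid"] == pid):
            hits.append((description, weight))
    return sum(w for _, w in hits), [d for d, _ in hits]


def verdicts(trace):
    """Map every pid in the trace to (verdict, score, triggered rule descriptions)."""
    result = {}
    for pid in sorted({e["pid"] for e in trace}):
        score, hits = score_process(trace, pid)
        verdict = "suspicious" if score >= SUSPICIOUS_THRESHOLD else "clean"
        result[pid] = (verdict, score, hits)
    return result


if __name__ == "__main__":
    for pid, (verdict, score, hits) in verdicts(SAMPLE_TRACE).items():
        print(pid, verdict, score, hits)
```

The point of weighting and summing is that no single action is damning (installers write Run keys, editors write the registry); it is the combination that separates the installer from the keylogger, which is also why the threshold, not any one rule, decides the verdict.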

Anti-Spam. Filters all incoming and outgoing mail for unwanted messages (spam) and sorts it depending on the user's settings.

Anti-Spy. The most important component designed to combat fraud on the Internet. Protects against phishing attacks, backdoor programs, downloaders, vulnerabilities, password crackers, data grabbers, keyboard loggers and proxies, automated dialers for paid websites, joke programs, advertising programs and annoying banners.

Parental control. This is a component that allows you to set access restrictions for using your computer and the Internet. With this tool, you can control the launch of various programs, Internet use, visiting websites depending on their content, and much more, thereby protecting children and adolescents from negative influences when working on a computer.

Safe environment or sandbox (Sandbox). Limited virtual space that blocks access to system resources. Provides secure work with applications, documents, Internet resources, as well as with Internet banking web resources, where security when entering confidential data is of particular importance. It also allows you to run unsafe applications internally without the risk of infecting the system.

Basic rules of antivirus protection

Strictly speaking, there is no universal way to combat viruses. Even if you have the most modern antivirus program on your computer, this in no way guarantees that your system will not be infected. After all, viruses appear first, and only then does a cure for them appear. And although many modern antivirus solutions have systems for detecting as yet unknown threats, their algorithms are imperfect and do not provide 100% protection. But if you follow the basic rules of anti-virus protection, you can significantly reduce the risk of infecting your computer and losing important information.

  • Your operating system should have a good antivirus program that is updated regularly.
  • The most valuable data should be backed up.
  • Partition your hard drive into several partitions. This lets you isolate important information rather than keeping it on the system partition where the OS is installed; after all, that partition is the main target of attackers.
  • Do not visit websites with dubious content, especially those engaged in the illegal distribution of content, keys and key generators for paid programs. As a rule, alongside the free “freebies”, they host a huge amount of malware of all varieties.
  • When using email, do not open or launch attachments from emails sent by unfamiliar senders.
  • All those who like to communicate using Internet messengers (QIP, ICQ) should also beware of downloading files and clicking on links sent by unfamiliar contacts.
  • Users of social networks should be doubly careful. Recently, they have become the main targets of cyber fraudsters who come up with multiple schemes that allow them to steal users’ money. A request to provide your sensitive information in dubious messages should immediately alert you.

CONCLUSION

We think that after reading this material, you now understand how important it is to take seriously the issue of security and protection of your computer from intrusions by intruders and the effects of malicious programs on it.
At the moment, there are a huge number of companies that develop anti-virus software and, as you understand, it is easy to get confused when choosing. But this is a very important decision, since it is the antivirus that is the wall protecting your system from the flood of infections pouring in from the network. And if this wall has many gaps, it is of no use at all.

To make it easier for ordinary users to choose suitable PC protection, on our portal we test the most popular anti-virus solutions, getting to know their capabilities and user interface. You can check out the latest of them, and very soon you will find a new review of the latest products in this area.

Avast always tries to stay ahead when it comes to protecting users from new threats. More and more people are watching movies, sports and TV shows on smart TVs. They control the temperature in their homes using digital thermostats. They wear smart watches and fitness bracelets. As a result, security needs are expanding beyond the personal computer to cover all devices on a home network.

However, home routers, which are key devices in the home network infrastructure, often have security problems and provide easy access to hackers. A recent study by Tripwire found that 80 percent of top-selling routers have vulnerabilities. Moreover, the most common combinations for accessing the administrative interface, in particular admin/admin or admin/no password, are used in 50 percent of routers worldwide. Another 25 percent of users use their address, date of birth, first or last name as router passwords. As a result, more than 75 percent of routers worldwide are vulnerable to simple password attacks, opening the door for threats to be deployed on the home network. The router security landscape today is reminiscent of the 1990s, when new vulnerabilities were discovered every day.

Home Network Security feature

The Home Network Security feature in Avast Free Antivirus, Avast Pro Antivirus, Avast Internet Security and Avast Premier Antivirus allows you to solve these problems by scanning your router and home network settings for potential problems. With the Avast Nitro Update, the Home Network Security tool's detection engine has been completely redesigned, adding support for multi-threaded scanning and an improved DNS hijack detector. The engine now supports ARP protocol scans and port scans performed at the kernel driver level, which allows for several times faster scanning compared to the previous version.

Home Network Security can automatically block cross-site request forgery (CSRF) attacks on your router. CSRF exploits take advantage of website vulnerabilities and allow cybercriminals to send unauthorized commands to a website. The command imitates instructions from a user who is known to the site, so cybercriminals can impersonate a user and, for example, transfer money without the victim's knowledge. Through CSRF requests, criminals can remotely change router settings in order to overwrite DNS settings and redirect traffic to fraudulent sites.
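The defence against the router CSRF scenario described above lives in the router's own web interface: a settings change should be accepted only when the browser can prove the request came from the router's pages. The block below is an added example, not code from the article or from Avast or any router vendor; it shows the two standard checks, an Origin/Referer comparison and a per-session synchronizer token compared in constant time, applied to three constructed requests. The admin origin and the DNS addresses are made up.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the router's administration pages (constructed address).
ADMIN_ORIGIN = "http://192.168.1.1"


def issue_csrf_token(session):
    """Create a per-session secret that our own settings forms embed as a hidden field."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def same_origin(headers):
    """Browsers attach Origin (or at least Referer) to form posts; require it to be ours."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    got, want = urlsplit(source), urlsplit(ADMIN_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def change_allowed(headers, form, session):
    """Accept a settings change only if both the origin and the session token check out."""
    if not same_origin(headers):
        return False
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    return bool(expected) and hmac.compare_digest(expected, submitted)


def demo():
    """Three constructed requests: legitimate, forged from another site, token missing."""
    session = {}
    token = issue_csrf_token(session)
    legitimate = ({"Origin": ADMIN_ORIGIN},
                  {"dns_primary": "192.0.2.53", "csrf_token": token})
    forged = ({"Origin": "http://attacker.example",
               "Referer": "http://attacker.example/page"},
              {"dns_primary": "203.0.113.5"})
    no_token = ({"Referer": ADMIN_ORIGIN + "/dns.html"},
                {"dns_primary": "192.0.2.53"})
    return tuple(change_allowed(h, f, session) for h, f in (legitimate, forged, no_token))


if __name__ == "__main__":
    print(demo())  # legitimate accepted, the other two refused
```

The token check is what actually stops a forged request: an attacker's page can make the victim's browser send a POST with the victim's cookies, but it cannot read the token embedded in the router's own form, so it cannot include it.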

The Home Network Security component allows you to scan your home network and router settings for potential security issues. The tool detects weak or default Wi-Fi passwords, vulnerable routers, compromised Internet connections, and IPv6 enabled but not secured. Avast lists all devices on your home network so users can check that only known devices are connected. The component provides simple recommendations for eliminating detected vulnerabilities.

The tool also notifies the user when new devices, such as network-connected TVs, join the network, so the user can immediately spot an unknown device.
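The device inventory and new-device notification described above can be approximated at home without special software: take the ARP table the host already holds, strip broadcast and multicast entries, and compare the remaining hardware addresses with a list of devices you recognise. The script below is an added example, not code from the article or from Avast; the ARP snapshot (modelled on the output of `arp -a` on Windows) and the known-device list are constructed.

```python
import re

# Constructed snapshot of an ARP table, modelled on the output of `arp -a`
# on Windows; every address here is made up.
ARP_SNAPSHOT = """\
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.30          66-77-88-99-aa-bb     dynamic
  192.168.1.47          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Inventory of devices the household recognises (constructed).
KNOWN_DEVICES = {
    "00:11:22:33:44:55": "router",
    "66:77:88:99:aa:bb": "living room TV",
}

ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE,
)


def normalize_mac(mac):
    return mac.lower().replace("-", ":")


def is_unicast(mac):
    """Broadcast and multicast addresses set the low bit of the first octet; skip them."""
    return int(mac.split(":")[0], 16) & 1 == 0


def parse_arp(text):
    """Yield (ip, mac, type) for each data line of an `arp -a` style table."""
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            yield m.group(1), normalize_mac(m.group(2)), m.group(3).lower()


def unknown_devices(text, known):
    """Return (ip, mac) for every real device in the table that is not in the inventory."""
    return [(ip, mac) for ip, mac, _ in parse_arp(text)
            if is_unicast(mac) and mac not in known]


if __name__ == "__main__":
    for ip, mac in unknown_devices(ARP_SNAPSHOT, KNOWN_DEVICES):
        print(f"unknown device {mac} at {ip}")
```

Two caveats a practitioner will expect: the ARP cache only lists hosts this machine has recently talked to, so a quiet device may not appear until it is probed, and a MAC address is trivially changeable, so the inventory is a convenience for spotting newcomers rather than an authentication mechanism.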

The new proactive approach underlines the overall concept of providing maximum comprehensive user protection.


The article is intended for those who have begun to think about network security or continue to do so and are strengthening the protection of web applications from new threats - after all, first you need to understand what threats there may be in order to prevent them.

For some reason, the need to think about network security is considered the right of only large companies, such as , and , or , which openly announce competitions for finding vulnerabilities and improve the security of their products, web applications and network infrastructures in every possible way. At the same time, the vast majority of existing web systems contain “holes” of various types (90% of systems contain medium-risk vulnerabilities).

What is a network threat or network vulnerability?

WASC (Web Application Security Consortium) has identified several basic classes, each of which contains several groups of common vulnerabilities, the use of which can cause damage to a company. The full classification is laid out in the form, and in Russian there is a translation of the previous version from InfoSecurity - which will be used as the basis for the classification and significantly expanded.

Main groups of website security threats

Insufficient authentication when accessing resources

This group of threats includes attacks based on Selection (), Abuse of Functionality () and Predictable Resource Location (). The main difference from insufficient authorization is that there is insufficient verification of the rights (or features) of an already authorized user (for example, a regular authorized user can gain administrative rights simply by knowing the address of the control panel if sufficient access rights verification is not performed).

Such attacks can only be effectively countered at the application logic level. Some attacks (for example, too frequent brute force attacks) can be blocked at the network infrastructure level.
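The control-panel scenario mentioned above (an ordinary logged-in user reaching an administrative page just by knowing its address) comes down to a dispatcher that checks whether the caller is logged in but not what the caller is allowed to do. The block below is an added example, not code from the article or from WASC; it puts a flawed dispatcher next to one that compares the caller's role with the role the route requires. The accounts, routes and role ranking are constructed for the illustration.

```python
# Constructed accounts and route table; the names are assumptions for this example.
USERS = {"alice": "user", "carol": "admin"}            # username -> role
ROUTES = {"/profile": "user", "/admin/users": "admin"}  # path -> role required
ROLE_RANK = {"user": 1, "admin": 2}


def handle_weak(path, username):
    """Flawed dispatcher: any logged-in user may open any page, including the admin panel.

    Returns an HTTP-style status code instead of a response body for brevity.
    """
    if path not in ROUTES:
        return 404
    if username not in USERS:
        return 401          # not authenticated
    return 200              # authorization never checked


def handle_checked(path, username):
    """Hardened dispatcher: the caller's role must reach the role the route requires."""
    if path not in ROUTES:
        return 404
    if username not in USERS:
        return 401
    if ROLE_RANK[USERS[username]] < ROLE_RANK[ROUTES[path]]:
        return 403          # authenticated, but not allowed here
    return 200


def demo():
    """Same requests through both dispatchers; the admin page is where they differ."""
    requests = [("/profile", "alice"), ("/admin/users", "alice"),
                ("/admin/users", "carol"), ("/admin/users", None)]
    return {(path, user): (handle_weak(path, user), handle_checked(path, user))
            for path, user in requests}


if __name__ == "__main__":
    for (path, user), (weak, checked) in demo().items():
        print(f"{user!s:6} {path:14} weak={weak} checked={checked}")
```

Keeping the required role in the route table, rather than inside each handler, is what makes the check hard to forget: a new admin page added to the table without a role entry fails closed instead of open.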

Insufficient authorization

This may include attacks aimed at easily brute-forcing access details or exploiting any errors when checking access to the system. In addition to the Selection () techniques, this includes Access Guessing () and Session Fixing ().

Protection against attacks from this group requires a set of requirements for a reliable user authorization system.
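The "set of requirements for a reliable user authorization system" the text refers to can be made concrete for the credential-guessing attacks just listed: store passwords with a slow salted hash, compare in constant time, count failures per account and refuse attempts while an account is locked. The block below is an added example, not code from the article or from WASC; the account, password and lockout policy are constructed, and the clock is injectable so the lockout can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

MAX_FAILURES = 5          # failed attempts allowed before a lock (assumed policy)
LOCKOUT_SECONDS = 900     # how long the account stays locked (assumed policy)
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Slow, salted hash so a stolen database does not hand over the passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison so timing does not leak how many bytes matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class LoginGuard:
    """Counts failures per account and refuses attempts while an account is locked."""

    def __init__(self, credentials, clock=time.monotonic):
        self.credentials = credentials      # username -> (salt, digest)
        self.clock = clock
        self.failures = defaultdict(int)
        self.locked_until = {}

    def attempt(self, username, password):
        now = self.clock()
        if self.locked_until.get(username, 0) > now:
            return "locked"
        record = self.credentials.get(username)
        # Unknown users take the same slow path so they cannot be enumerated by timing.
        salt, digest = record if record else (b"\x00" * 16, b"\x00" * 32)
        if record and verify_password(password, salt, digest):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures[username] = 0
        return "denied"


def demo():
    """Constructed scenario with a fake clock: guessing locks the account,
    the real password is refused while locked and accepted once the lock expires."""
    ticks = [0.0]
    guard = LoginGuard({"alice": hash_password("correct horse battery staple")},
                       clock=lambda: ticks[0])
    results = [guard.attempt("alice", "guess%d" % i) for i in range(MAX_FAILURES)]
    results.append(guard.attempt("alice", "correct horse battery staple"))  # still locked
    ticks[0] += LOCKOUT_SECONDS + 1
    results.append(guard.attempt("alice", "correct horse battery staple"))
    return results


if __name__ == "__main__":
    print(demo())
```

A per-account lock on its own can be turned into a denial of service against a known username, which is why production systems usually pair it with per-source rate limiting and a progressive delay rather than a hard lock alone; the structure above is the same, only the policy in attempt() changes.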

Client-side attacks

This includes all techniques for changing the content of a website without any interaction with the server that serves the requests, i.e. the threat is realized through the user’s browser (although usually the browser itself is not the “weak link”: the problem lies in content filtering on the server side) or through an intermediate caching server. Attack types: Content Spoofing (), Cross-Site Scripting (XSS, ), Redirect Abuse (), Cross-Site Request Forgery (), HTTP Response Splitting (), HTTP Response Smuggling (), Routing Bypass (), HTTP Request Splitting () and HTTP Request Smuggling ().

A significant part of these threats can be blocked at the level of setting up the server environment, but web applications must also carefully filter both incoming data and user responses.
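"Carefully filter both incoming data and user responses" is abstract until you see the three filters that stop the most common members of this group. The block below is an added example, not code from the article or from WASC: an HTML escape for untrusted text (cross-site scripting), a CR/LF check on anything that goes into a response header (response splitting), and an allowlist for redirect targets (redirect abuse), each exercised on a constructed input. The allowlisted host is an assumption.

```python
import html
from urllib.parse import urlsplit

# Hosts this site is willing to redirect to (constructed allowlist).
ALLOWED_REDIRECT_HOSTS = {"www.example.com"}


def safe_header_value(value):
    """Refuse CR/LF so user input can never end one header and start another
    (the root cause of HTTP response splitting)."""
    if "\r" in value or "\n" in value:
        raise ValueError("control characters in header value")
    return value


def render_comment(author, body):
    """Escape untrusted text before embedding it in HTML so it is shown, not executed."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"


def safe_redirect(target):
    """Allow only site-relative paths or allowlisted hosts as redirect targets."""
    parts = urlsplit(target)
    if (not parts.scheme and not parts.netloc
            and target.startswith("/") and not target.startswith("//")):
        return target
    if parts.scheme in ("http", "https") and parts.netloc.lower() in ALLOWED_REDIRECT_HOSTS:
        return target
    raise ValueError("refusing to redirect to " + target)


def demo():
    """Constructed inputs of the kinds the text describes, each run through its filter."""
    outcomes = {"xss": render_comment("guest", "<script>alert(1)</script>")}
    try:
        safe_header_value("en\r\nSet-Cookie: session=forged")
        outcomes["splitting"] = "accepted"
    except ValueError:
        outcomes["splitting"] = "rejected"
    outcomes["redirect_relative"] = safe_redirect("/account")
    try:
        safe_redirect("//attacker.example/login")
        outcomes["redirect_external"] = "accepted"
    except ValueError:
        outcomes["redirect_external"] = "rejected"
    return outcomes


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that the redirect check treats a scheme-relative "//host/path" as external: urlsplit() puts the host into netloc, so the relative-path branch does not match and the request falls through to the allowlist, which is exactly the case naive "starts with a slash" checks get wrong.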

Code execution

Code execution attacks are classic examples of website hacking through vulnerabilities. By sending a specially prepared request to the server, an attacker can execute his own code and gain access to the hosting where the site is located. Attacks: Buffer Overflow (), Format String (), Integer Overflow (), LDAP Injection (), Mail Injection (), Null Byte (), OS Command Execution (), Remote File Inclusion (RFI, ), SSI Injection (), SQL Injection (), XPath Injection (), XML Injection (), XQuery Injection () and XXE Injection ().

Not all of these types of attacks may affect your website, but they are correctly blocked only at the level of WAF (Web Application Firewall) or data filtering in the web application itself.
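The "data filtering in the web application itself" the text calls for is, for SQL injection, not filtering at all but parameter binding. The block below is an added example, not code from the article or from WASC: it creates a constructed in-memory SQLite table, then runs the same lookup through a query built by string concatenation and through a parameterised query, with a normal name and with a classic tautology input, so the difference in the returned rows can be checked directly.

```python
import sqlite3


def make_db():
    """In-memory table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "user"), ("carol", "admin")])
    return conn


def find_user_vulnerable(conn, name):
    """Concatenates the input into the statement: a quote in the input rewrites the query."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Parameterised query: the input is bound as data and can never become SQL."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def demo():
    """Same two inputs through both functions; only the concatenating one leaks every row."""
    conn = make_db()
    tautology = "x' OR '1'='1"
    return {
        "vulnerable_normal": find_user_vulnerable(conn, "alice"),
        "vulnerable_injected": find_user_vulnerable(conn, tautology),
        "safe_normal": find_user_safe(conn, "alice"),
        "safe_injected": find_user_safe(conn, tautology),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Binding also covers the cases an escaping routine tends to miss (numeric fields, alternate quote characters, multi-byte encodings), which is why a WAF in front of the application is a useful second layer but not a substitute for fixing the query.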

Disclosure of information

Attacks from this group are not a pure threat to the site itself (since the site does not suffer from them in any way), but can harm a business or be used to carry out other types of attacks. Types: Fingerprinting () and Directory Traversal ().

Proper configuration of the server environment will allow you to completely protect yourself from such attacks. However, you also need to pay attention to the web application's error pages (which can contain a lot of technical information) and handling of the file system (which can be compromised by insufficient input filtering). It also happens that links to some site vulnerabilities appear in the search index, and this in itself is a significant security threat.

Logical attacks

This group includes all the remaining attacks, the possibility of which lies mainly in limited server resources. In particular, these are Denial of Service () and more targeted attacks - SOAP Abuse (), XML Attribute Overflow and XML Entity Expansion ().

Protection against them exists only at the web application level, or by blocking suspicious requests (on network equipment or web proxies). And as new types of targeted attacks emerge, web applications need to be audited for vulnerabilities.

DDoS attacks

As should be clear from the classification, a DDoS attack in the professional sense is always the exhaustion of server resources in one way or another. Other methods () are not directly related to a DDoS attack, but represent one or another type of site vulnerability. Wikipedia also describes protection methods in sufficient detail; I will not duplicate them here.

The Internet is like a planetary minefield where you can easily encounter dangers.

1. Malicious programs and, first of all, Trojans that live on fraudulent sites. They are usually disguised as useful software, and these “attractive” programs are downloaded and installed on the PC by the Internet visitor himself.
2. Websites that exploit browser vulnerabilities to download malware. Moreover, pages with dangerous code can also be placed on completely respectable sites that have been attacked by attackers.
3. Phishing sites that imitate the interface of popular sites (from email services and social networks to payment systems) in order to obtain visitor credentials.
4. Spam mailings received by users of almost all existing means of communication: electronic mail, instant messaging, social networks, etc. Such messages may contain purely advertising information and links to phishing sites or sites that distribute malicious software.
5. Interception of data transmitted in unencrypted form. In this case, confidential information may fall into the hands of criminals.

In fact, all the troubles associated with accessing the Internet can be avoided by following basic safety rules.

Protect physical access to computers

Your system may be protected and locked with the latest tools, but if an attacker gains physical access to it, all your efforts will be nullified. Make sure computers are never left unattended.

Do not use administrative accounts for daily work

In the Windows NT era, before the Remote Desktop Connection client and the runas command, administrators often placed their own personal accounts in the Domain Admins group. This is not recommended today; it is better to create additional Active Directory administrative accounts (for example, for myself I could create a personal rallen account and an administrative rallen.adm account). To run programs that require administrative privileges, use the Remote Desktop Connection service or the runas command. This reduces the chance (although not by much) of accidental damage to the system.

Using a regular user account also reduces the potential damage that a virus or worm can cause to your system.

Update virus definitions and anti-spyware applications regularly

One of the reasons that viruses spread so quickly is that virus definitions are updated too infrequently. These days, new viruses and worms are appearing with alarming frequency, and to be able to combat the virus threat, it is necessary to use the latest definitions. The same applies to spyware, which today has become almost a bigger problem than viruses.

Make sure all critical patches are installed on your computer

Even if virus definitions are not updated as frequently as they should be, most viruses and worms can be stopped at logon if you install critical security updates as soon as they become available. Of course, when Windows NT was widely used and Windows 2000 had just come out, this was not strictly necessary, but today a system in which new security updates are not installed for several days (and sometimes minutes) after release is completely open to new viruses and worms. We recommend that you add the following website to your favorites list and visit it periodically to stay up to date with the latest Microsoft security technologies:
http://windowsupdate.microsoft.com.

Enable auditing of important activities

Windows provides the ability to log certain system actions and activities; thanks to this, you can trace the necessary actions, such as modification of certain files, through the event log if a security threat arises.

Check event logs regularly

Event logs contain a lot of important information regarding system security, but they are often forgotten. Among other things, the reason for this is a large amount of “garbage” in the logs, that is, messages about insignificant events. Develop a process for centralizing and regularly reviewing event logs. Having a mechanism for regularly scanning logs will especially help you when auditing the important activities discussed in the previous section.
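The "garbage" problem described above, and the recommendation to review logs regularly, can be answered with a small triage script: drop the high-volume event types that are rarely interesting on their own, tally failed logons per account and per source, and surface the few event types that always deserve a look. The block below is an added example, not code from the article; the log excerpt is a constructed CSV export modelled on a Windows Security log (the accounts, addresses and times are made up; the event IDs are the real Windows ones), and the noise set, alert set and failure threshold are assumptions.

```python
import csv
import io
from collections import Counter

# Constructed CSV export modelled on a Windows Security log. Event IDs are the
# real ones: 4624 logon success, 4625 logon failure, 4672 special privileges
# assigned, 4634 logoff, 1102 audit log cleared, 4720 user account created.
SAMPLE_LOG = """\
time,event_id,account,source_ip,message
2024-03-10T08:00:01,4624,alice,192.168.1.20,An account was successfully logged on
2024-03-10T08:00:01,4672,alice,192.168.1.20,Special privileges assigned to new logon
2024-03-10T08:00:02,4672,SYSTEM,-,Special privileges assigned to new logon
2024-03-10T08:05:17,4625,administrator,203.0.113.9,An account failed to log on
2024-03-10T08:05:19,4625,administrator,203.0.113.9,An account failed to log on
2024-03-10T08:05:21,4625,administrator,203.0.113.9,An account failed to log on
2024-03-10T08:05:23,4625,administrator,203.0.113.9,An account failed to log on
2024-03-10T08:05:25,4625,administrator,203.0.113.9,An account failed to log on
2024-03-10T08:05:27,4625,administrator,203.0.113.9,An account failed to log on
2024-03-10T08:06:40,4625,alice,192.168.1.20,An account failed to log on
2024-03-10T08:07:02,4634,alice,192.168.1.20,An account was logged off
2024-03-10T08:09:55,1102,mallory,192.168.1.77,The audit log was cleared
"""

NOISE_EVENTS = {4672, 4634}   # high-volume, rarely interesting on their own (assumed)
ALERT_EVENTS = {1102: "audit log cleared", 4720: "user account created"}
FAILED_LOGON = 4625


def parse_events(text):
    """Read the CSV export into dicts with an integer event_id."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["event_id"] = int(row["event_id"])
    return rows


def review(events, fail_threshold=5):
    """Drop noise, tally failed logons, and surface events that always merit a look."""
    failed, sources, alerts, noise = Counter(), Counter(), [], 0
    for e in events:
        if e["event_id"] in NOISE_EVENTS:
            noise += 1
            continue
        if e["event_id"] == FAILED_LOGON:
            failed[e["account"]] += 1
            sources[e["source_ip"]] += 1
        elif e["event_id"] in ALERT_EVENTS:
            alerts.append((e["time"], e["event_id"], e["account"], ALERT_EVENTS[e["event_id"]]))
    flagged = sorted(acct for acct, n in failed.items() if n >= fail_threshold)
    return {
        "dropped_noise": noise,
        "failed_logons": dict(failed),
        "failure_sources": dict(sources),
        "flagged_accounts": flagged,
        "alerts": alerts,
    }


if __name__ == "__main__":
    for key, value in review(parse_events(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The 1102 entry is the one to treat as a standing alarm regardless of volume: whoever cleared the log also had the rights to do everything that preceded it, which is the strongest argument the text makes for forwarding events to a central store the attacker cannot clear.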

Develop an action plan in case of attack

Most people think that nothing like this will ever happen to them, but life shows that this is far from the case. In reality, most users do not have even a fraction of the security knowledge that “professional” attackers can boast of. If a specific attacker (or worse, a group of attackers) has their eye on your organization, you will need to use all your dexterity, intelligence and knowledge to prevent infiltration of the system. Even the largest companies in the world have been attacked. The moral is this: everyone should be prepared for the fact that the target of the next attack may be their system. What to do?
Here are some helpful links to help you develop a response plan.