Anton Kuzmin: ‘There is no universal pill, no antivirus guarantees security’
An expert on additional information security solutions and the simple rules that give businesses reliable cyber protection
The cybersecurity market is changing dynamically this year — in the context of a sharply increased number of cyber attacks in Russia, control over the operation of IT infrastructure is being strengthened. Protection from hackers is an important and difficult task that is relevant for any company today. Anton Kuzmin, the head of Innostage CyberART Cyber Threat Counteraction Centre, talks about what steps businesses need to take not to become a victim of cybercriminals.
Hackers scare children and even adults. Cybercriminals have an image of elusive, unpunished bandits who, with the help of viruses, are able to rob both a large bank and the ordinary man in the street. And there is supposedly no protection from them — you just have to wait for the villains to get to your business. There is another legend: that the notorious hackers threaten only large companies, from which a lot of money and valuable data can be stolen at once.
Now let's stop scaring ourselves and others, or, on the contrary, embellishing reality. It's better to take a closer look at exactly how cybercriminals threaten all of us and figure out how to protect businesses from them.
How hackers attack
All information security incidents are related to hackers penetrating the enterprise infrastructure. Any organisation has one — even several computers joined into a small network and connected to the Internet via a wireless router are information infrastructure. In most cases, the company's IT estate is even more complex: it usually has a server (physical or cloud), a data store, and a website. And any element of such infrastructure can fall into a hacker's field of view.
The first channel through which hackers are able to penetrate the company's infrastructure is the various Internet services it uses. By hacking one of them and placing malicious software on it, criminals can then spread the “infection” to the computers of the users of that service. It is also worth mentioning the so-called “phishing” sites, which sometimes disguise themselves as the official websites of various companies. They typically ask users to enter their personal information in order to steal it.
Hackers can also gain access to the corporate infrastructure through user interaction services — e-mail, various messengers or social networks.
The third way is through files downloaded by users. These can be not only random documents, pictures or videos, but even software updates. There is another variant of such penetration — through infected media (flash drives, external disks) that users connect to their computers.
Finally, attackers can also carry out an “attack through a supplier”. Third-party organisations often have access to enterprise infrastructure: contractors who service information systems, business partners who place orders in the trading system, cloud services that host virtual servers or storage systems (Azure, Sbercloud, Yandex.Cloud, etc.).
As you can see, the ways hackers can penetrate the infrastructure are very diverse. Cybercriminals' “arsenal” is also well developed: they can use hundreds of different technical tools. Therefore, defence cannot be organised with a “universal pill”: it is impossible to simply install antivirus software on all the company's computers and live in peace. In any case, a set of measures will have to be applied to protect the company from cyber threats.
Measures to protect against cyber attacks
These measures can be divided into three main groups.
- The first category includes preventive measures, technical solutions that prevent hackers from entering the infrastructure: information security tools and automated means of blocking penetration.
- The second group is compensatory measures, those solutions that prevent the development of a cyber attack, even if hackers managed to crack the protection and penetrate one or more infrastructure nodes.
- Finally, the third group consists of organisational measures. They are aimed at neutralising the so-called “human factor”, when the way into the enterprise infrastructure is opened to attackers by users, in most cases — unwittingly or unknowingly.
Unfortunately, many companies consider it unnecessary to develop their information security systems and limit themselves (at best) only to using antivirus tools. Again, there is no “universal pill”, and no antivirus is able to guarantee the security of the infrastructure. It needs to be supplemented with other information security solutions.
For small businesses today, it is mandatory to use other security tools in addition to antivirus. To control network traffic and block suspicious connections to the infrastructure, firewalls are used, preferably next-generation ones (NGFW, Next Generation Firewall). They make it possible to control not only network traffic but also the behaviour of applications that access the network, and to prevent intrusions into the infrastructure over the network. A proxy server is another tool that filters traffic effectively: it is a server through which centralised Internet access is provided for all of the organisation's computers.
To prevent attackers from intercepting data at the time of their transfer between the server and the user's workstation, a VPN is needed. Today, this technology is widely known due to regulatory restrictions, so it's worth telling a little more about it.
VPN services were created to combine devices into a common secure virtual network by tunnelling connections. Such connections provide very effective data protection when connecting remotely to the company's infrastructure. Restrictions from regulators do not affect corporate VPN services, only those used solely to bypass blocks. Incidentally, such services may belong to attackers or be controlled by them, which is a great danger for inexperienced users.
Today, data is becoming the main asset of any company and requires special protection. Backup systems serve this purpose and make it possible to effectively counter such a common threat as ransomware (file-encrypting malware).
Finally, for those companies that actively use their own website for promotion and sales, it will not be superfluous to use a special solution to protect against DDoS attacks.
Using such a set of solutions allows you to close up to 90% of the vulnerabilities that exist in the infrastructure of a small or medium-sized company.
Compensating measures make it possible to contain the development of a hacker attack even when criminals have managed to get inside the protected perimeter. Here, first of all, it is worth mentioning the careful configuration of the corporate infrastructure, its segmentation, and the configuration of operating systems. If these are done correctly, attackers simply will not get access to the data or infrastructure nodes they are interested in.
For example, the workstations of privileged users, those who have system administrator rights or access to particularly valuable and confidential data, are equipped with separate means of protection. Imagine what information hackers could obtain by gaining access to the working computer of the CEO or chief accountant! The same can be said about the databases used by a corporate accounting system or CRM. Such nodes should be located in isolated infrastructure segments.
As compensating means, complex specialised information security solutions are also used, with the help of which specialists analyse threats, check software or even source code, and monitor the activity of cybercriminals. In the vast majority of cases, such tools are very expensive and are also intended for employees with special knowledge. For small and medium-sized businesses interested in using such solutions to protect their infrastructure, it is worth using the services of specialised companies. This avoids significant investment in equipment, software, and staff expansion.
Organisational protection measures are no less important than technical ones. Alas, the weakest point in ensuring the security of the company's infrastructure remains (and always will remain) people. At the same time, we are talking about actions that are completely innocent at first glance but carry a potential threat.
The company's staff should not only know, but also strictly follow, simple rules: do not use untrusted removable media, do not open letters (and especially attached files) from unknown senders, do not click on links sent by mail or in messengers, do not visit questionable Internet sites, do not download files, do not forward or publish confidential data. It is worth taking the time to draw up a clear and strict list of prohibited actions and of data that must never be transferred outside the company's infrastructure.
In addition to drawing up instructions and monitoring their implementation, continuous training of users is necessary. The main topics of such training should be the rules of (and common mistakes in) working with equipment and network technologies, rules for using passwords, and rules for handling confidential information.
It is often worthwhile to use user-control tools, PAM or DLP systems, which are designed, respectively, to manage privileged users and to prevent information leaks.
What to do with clouds
Today, many if not most small companies rely mainly on cloud services. With their help, the need for many elements of the information infrastructure is covered, ranging from e-mail to specialised systems such as CRM.
Most often, businesses don't even think about the fact that cloud services also require compliance with security requirements. Yes, service providers and cloud providers take on most of the tasks related to protecting systems and data. But this does not exempt the customer from the need to follow special rules when working with clouds.
In order to work with such services safely, it is necessary to follow the same rules as when protecting your own infrastructure: encrypt data, monitor the network, use protection against DDoS attacks.
Special attention should be paid to passwords. Firstly, they must be strong and, at the same time, easy for users to remember; secondly, multi-factor authentication must be used, where in addition to entering the “login-password” pair, the user must confirm their identity by entering a one-time code sent, as a rule, via SMS.
Another rule when working with cloud services is to change the default settings. For example, the account that manages the service is most often called admin. Hackers are well aware of this and try to find the password for such an account by automated brute force. Therefore, it is best to assign an account with a completely different name as administrator after the initial setup.
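The two points above, automated password guessing against the default admin account and the recommendation to stop using that account, can both be checked from ordinary authentication logs. The following is an added example, not code from the article or from Innostage; it parses constructed, syslog-like login records (the format, the service name `auth-service`, and the addresses are assumptions for illustration), flags any user/source pair with five or more failures inside a one-minute window, and separately lists default account names that still log in successfully, which is the condition the article says should no longer exist after initial setup.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed syslog-like layout; not real data.
# Six rapid failures against "admin" from one address look like automated
# guessing; two slow failures for "petrov" look like a user mistyping.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth-service login FAILED user=admin src=203.0.113.7
2024-05-01T10:00:02Z auth-service login FAILED user=admin src=203.0.113.7
2024-05-01T10:00:03Z auth-service login FAILED user=admin src=203.0.113.7
2024-05-01T10:00:04Z auth-service login FAILED user=admin src=203.0.113.7
2024-05-01T10:00:05Z auth-service login FAILED user=admin src=203.0.113.7
2024-05-01T10:00:06Z auth-service login FAILED user=admin src=203.0.113.7
2024-05-01T10:00:30Z auth-service login OK user=ivanova src=198.51.100.20
2024-05-01T10:05:00Z auth-service login FAILED user=petrov src=198.51.100.21
2024-05-01T10:20:00Z auth-service login FAILED user=petrov src=198.51.100.21
2024-05-01T10:25:00Z auth-service login OK user=petrov src=198.51.100.21
2024-05-01T10:30:00Z auth-service login OK user=admin src=198.51.100.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ login (?P<result>OK|FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Account names that ship as defaults on many services (illustrative list).
DEFAULT_ACCOUNT_NAMES = {"admin", "administrator", "root"}


def parse_log(text):
    """Return a list of (timestamp, result, user, src) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag each (user, src) pair with at least `threshold` failed logins inside `window`.

    A sliding window over the sorted failure timestamps means slow, spread-out
    mistakes by a real user do not trigger, while rapid automated guessing does.
    """
    failures = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAILED":
            failures[(user, src)].append(ts)

    alerts = []
    for (user, src), times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until all times[start..end] fit in `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "user": user,
                    "src": src,
                    "failures": end - start + 1,
                    "default_account": user in DEFAULT_ACCOUNT_NAMES,
                })
                break  # one alert per pair is enough
    return alerts


def default_accounts_still_in_use(events):
    """List default account names that still authenticate successfully (should be empty)."""
    return sorted({user for _, result, user, _ in events
                   if result == "OK" and user in DEFAULT_ACCOUNT_NAMES})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for alert in find_bruteforce(evts):
        print("brute force suspected:", alert)
    print("default accounts still in use:", default_accounts_still_in_use(evts))
```

On the constructed sample this reports one suspected brute-force attempt (the six-in-a-row admin failures, counted as five within the window) and shows that `admin` is still being used for successful logins; the second finding is the cheap sanity check for the article's advice to move administrative rights to a differently named account. The threshold and window are starting values to tune against a real service's normal failure rate.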
- there is no universal protection against hackers;
- in addition to antivirus, you need to use other means of protection;
- the weakest link in the defense against cyber attacks is people.
The author's opinion may not coincide with the position of the editorial board of Realnoe Vremya.