Qi Anxin reminds government and enterprise units to focus on preventing seven major network security risks during the long holiday. As the digital transformation of government and enterprise users deepens, it also brings more unknown network security risks. Normally, enterprise network security staff are on duty around the clock and can deal with problems as soon as they arise. With the 8-day National Day holiday approaching, and so that network security staff can enjoy it, Qi Anxin has drawn on its network security emergency response practice of recent years to summarize seven network security risks that government and enterprise users commonly face during long holidays, in the hope of helping security staff carry out prevention and inspection in advance and avoid known pitfalls.
Risk 1: Ransomware
Figure: The WannaCry ransomware outbreak of May 2017.
Risk characteristics: Once a system is hit by ransomware, most files are encrypted and given a special suffix, so the victim can no longer open the original files, causing immeasurable losses. The attacker then extorts a high ransom from the victim. These ransoms must be paid in digital currency and generally cannot be traced, so the harm is enormous.
How to prevent: Network security personnel can make full use of cloud immunity technology, in which the cloud issues immunity policies or patches to help users protect or patch their systems. This technology has strong targeted protection capability and has been applied in Qi Anxin's terminal security solutions. Cloud immunity is only a stopgap, however: its security still falls somewhat short of a fully patched system.
Whatever technology ransomware uses, its basic behaviour is to tamper with documents. By monitoring the system for document tampering and protecting the documents likely to be tampered with, a considerable part of the loss from a ransomware attack can be recovered. Automatic document backup and isolation technology backs a document up into a quarantine area the first time it is tampered with on the user's terminal, so the user can restore the file at any time. In addition, attackers usually penetrate enterprise servers because the administrator set a weak password or the account password was stolen, so strengthening the security management of login passwords is also a necessary anti-ransomware measure.
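The document-tampering monitoring and quarantine backup described above, as an added Python example that is not Qi Anxin's product code: it snapshots documents into a quarantine area, flags files that were renamed with an extra suffix or rewritten as high-entropy ciphertext, and restores the originals. The file names, the `.locked` suffix and the 7.5 bits/byte entropy threshold are constructed assumptions.

```python
import hashlib, math, os, shutil, tempfile
from collections import Counter
from pathlib import Path
DOC_EXTS = {".docx", ".xlsx", ".pdf", ".txt"}  # document types kept under protection

def entropy(data: bytes) -> float:
    # Shannon entropy in bits per byte: ciphertext sits near 8.0, plain documents far lower
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def snapshot(doc_dir: Path, quarantine: Path) -> dict:
    # back up every document into the quarantine area and record its SHA-256 baseline
    quarantine.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for p in doc_dir.iterdir():
        if p.suffix.lower() in DOC_EXTS:
            shutil.copy2(p, quarantine / p.name)
            baseline[p.name] = hashlib.sha256(p.read_bytes()).hexdigest()
    return baseline

def detect_tampering(doc_dir: Path, baseline: dict) -> list:
    # flag documents renamed with an extra suffix (x.docx -> x.docx.locked) or rewritten as ciphertext
    present = {p.name: p for p in doc_dir.iterdir()}
    events = []
    for name, digest in baseline.items():
        if name not in present:
            renamed = any(n.startswith(name + ".") for n in present)
            events.append((name, "renamed" if renamed else "missing"))
        elif hashlib.sha256(data := present[name].read_bytes()).hexdigest() != digest:
            events.append((name, "encrypted" if entropy(data) > 7.5 else "modified"))
    return events

def restore(events: list, quarantine: Path, doc_dir: Path) -> list:
    # put the quarantined original back for everything except an ordinary edit
    restored = [name for name, kind in events if kind != "modified"]
    for name in restored:
        shutil.copy2(quarantine / name, doc_dir / name)
    return restored

def demo() -> tuple:
    # constructed scenario: two documents, both hit by a simulated file locker
    root = Path(tempfile.mkdtemp())
    docs, quarantine = root / "docs", root / "quarantine"
    docs.mkdir()
    (docs / "report.docx").write_bytes(b"quarterly report " * 300)
    (docs / "notes.txt").write_bytes(b"holiday duty roster " * 300)
    baseline = snapshot(docs, quarantine)
    (docs / "report.docx").write_bytes(os.urandom(4096))    # encrypted in place
    (docs / "notes.txt").rename(docs / "notes.txt.locked")  # renamed with a ransom suffix
    events = detect_tampering(docs, baseline)
    return sorted(events), sorted(restore(events, quarantine, docs)), (docs / "report.docx").read_bytes()[:16]
```

A real deployment would take the snapshot before any change and react to file-system events rather than polling, but the classification and restore path are the same.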
Risk 2: Mining Trojans
Risk characteristics: Mining Trojans invade a system by various means and use the computing power of the compromised system to mine cryptocurrency for profit. To remain on a server for a long time, a mining Trojan adopts several countermeasures against security controls, such as modifying scheduled tasks, firewall configuration and system dynamic link libraries. In severe cases these techniques can interrupt the server's business.
How to prevent: First, avoid weak passwords: use strong passwords for server login accounts and for services on open ports. Second, apply patches promptly. Vendors usually push the relevant patches before the details of most vulnerabilities are published, and patching the system and related services in time effectively prevents exploitation of those vulnerabilities. Third, maintain servers regularly. A mining Trojan generally resides on the host or server for a long time, and if the server's state is not checked regularly it is hard to detect.
Risk 3: Webshell scripts
Risk characteristics: Once a webshell is implanted in a web page, an attacker can use it to obtain system privileges on the server, control the compromised host (a “broiler”) to launch DDoS attacks, tamper with the website, insert links into web pages, act as a proxy server to hide themselves, scan the internal network, and implant hidden links (“dark chain/black chain”), among other attacks.
How to prevent: Network security personnel can configure firewalls and enable the relevant policies so that unnecessary services are not exposed to attackers. Harden the server, for example by disabling the remote desktop function and changing passwords regularly. Strengthen permission management and set permissions on sensitive directories. Install a webshell detection tool. Check programs for vulnerabilities and patch them promptly. Back up important database files. Watch out for executable script files of unknown origin on the server. For the system's file upload function, allow only whitelisted file types, and give the upload directory the least permission necessary.
Risk 4: Web page tampering
Risk characteristics: Web page tampering is generally of two kinds, obvious and concealed. Obvious tampering is done to show off technical skill or express a viewpoint, as when YouTube was hacked, a large number of music videos disappeared and their descriptions were altered. Concealed tampering generally implants illegal information such as pornography and fraud into the attacked website, and then seeks illegal economic gain through the gray and black industries.
How to prevent: Network security personnel can take the following technical measures to prevent web pages from being tampered with or to minimize the harm. Upgrade the server to the latest security patches, which mainly prevent attacks such as buffer overflows and design flaws. Close network service ports that are open but unused, and disable unused services. Use a complex administrator password. Design the website program soundly and pay attention to writing secure code. Set appropriate website permissions: the principle for website directories and files is to grant write permission only to the directories that must be written to, and to make everything else read-only. Install an ARP firewall and manually bind the gateway MAC address to prevent ARP spoofing.
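The permission rule above for Risk 4 and the upload-directory and unknown-script checks from Risk 3, as an added Python audit that is not Qi Anxin's code: it walks a web root, reports anything group- or world-writable outside the directories that are allowed to be written, and reports script files sitting in those writable upload directories. The web root layout, the `uploads` directory name and the script extension list are constructed assumptions for the demo.

```python
import os
import stat
import tempfile
from pathlib import Path

SCRIPT_EXTS = {".php", ".jsp", ".asp", ".aspx", ".sh", ".py"}  # server-side script types

def audit_webroot(webroot: Path, writable_dirs: set) -> list:
    # report every entry that breaks the "write only where needed" rule, and every
    # script file found inside a directory the web application is allowed to write to
    allowed = [webroot / d for d in writable_dirs]
    findings = []
    for path in sorted(webroot.rglob("*")):
        rel = path.relative_to(webroot).as_posix()
        mode = path.stat().st_mode
        in_writable = any(path == d or d in path.parents for d in allowed)
        if mode & (stat.S_IWGRP | stat.S_IWOTH) and not in_writable:
            findings.append((rel, "group/other writable outside allowed directories"))
        if in_writable and path.suffix.lower() in SCRIPT_EXTS:
            findings.append((rel, "script file in a writable upload directory"))
    return findings

def demo() -> list:
    # constructed web root: only uploads/ may be written; everything else should be read-only
    root = Path(tempfile.mkdtemp()) / "www"
    layout = {"index.html": 0o644, "config.php": 0o666, "includes/": 0o777,
              "includes/db.php": 0o644, "uploads/": 0o775,
              "uploads/avatar.png": 0o664, "uploads/shell.php": 0o644}
    for rel, mode in layout.items():
        p = root / rel
        if rel.endswith("/"):
            p.mkdir(parents=True)
        else:
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("sample")
        os.chmod(p, mode)  # explicit mode so the umask does not change the scenario
    return audit_webroot(root, {"uploads"})
```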
Risk 5: DDoS attacks
Risk characteristics: The vast majority of DDoS attacks are generated by botnets. Once the victim's IP address or domain name is determined, the botnet controller can disconnect after sending the attack command; the command then propagates and executes among the bots on its own, and each bot responds by sending requests to the target, which can overwhelm the target server or network and cause a denial of service.
How to prevent: In essence, DDoS attacks can only be mitigated, not completely defended against, so we mainly describe the defensive approach. In the defensive phase before an attack, network security personnel need to follow the latest security notices issued by security vendors, CNCERT and other institutions, and implement targeted protection strategies in time. Servers should not open ports unrelated to their services, and unnecessary ports should be filtered on the firewall. In the mitigation phase during an attack, the attack type needs to be confirmed from the relevant devices or traffic analysis, and protection policies adjusted on the security devices to restrict abnormal access. If the attack traffic exceeds the local maximum defense capacity, the access operator or CDN service provider may be able to scrub the traffic. In the retrospective phase after the attack, the logs from the attack period must be saved and analyzed, and the attacking IP addresses collated to support subsequent tracing.
Risk 6: Data Breach
Risk characteristics: Data leakage is mainly either external or internal. External data leakage includes leaks through government and enterprise users' own supply chains and third-party suppliers, and leaks through Internet channels such as search engines, online storage, public code repositories and social networks. Internal data leakage mainly includes insiders stealing secrets, terminal Trojans stealing data, and illegal export of data from basic support platforms and internal application systems.
How to prevent: Network security personnel must implement proper data access control for their own supply chain and third-party suppliers, especially auditing measures. They must also configure Internet application services securely and inspect them regularly so that illegally shared material is not indexed by search engines. Before an Internet application system officially goes live, a comprehensive penetration test should be conducted to avoid, as far as possible, data leakage caused by unauthorized access, weak passwords, SQL injection and other attack methods.
For internal data leakage, access control must be applied to the access rights of business system operators and R&D staff, a terminal admission mechanism established, antivirus and terminal control software deployed uniformly, and good terminal usage habits cultivated through security awareness training, so as to prevent data theft through terminals.
Risk 7: Traffic hijacking
Risk characteristics: Traffic hijacking is a network attack technique that takes control of the traffic between client and server and tampers with the traffic data or redirects the traffic by implanting malicious code in the application system, deploying malicious devices in the network, using malware and similar means. The rogue software, advertising pop-ups and URL redirections often encountered in daily life are all forms of traffic hijacking.
How to prevent: Common forms of traffic hijacking include DNS hijacking, HTTP hijacking and link-layer hijacking. Against DNS hijacking, network security personnel can lock the Hosts file so it cannot be modified, configure the local DNS to be obtained automatically or set it to a trusted DNS server, adopt a strong password policy on the router, and use encrypted protocols for DNS queries. HTTP hijacking relies on HTTP being a cleartext protocol, so it can be prevented by using HTTPS for data exchange. Against link-layer TCP hijacking, use encrypted communication and avoid shared networks. Against ARP hijacking, avoid shared networks, statically bind IP and MAC addresses, and use terminal security software and network devices with ARP protection to effectively prevent it.
Finally, Qi Anxin says that if government and enterprise users encounter a network security problem they need not panic: they can call the Qi Anxin 7*24-hour emergency response hotline at 4009 727 120. Qi Anxin's emergency response service aims to become the “120 of cyber security” (120 being China's emergency medical number). Its business already covers 31 provinces across the country, and it can provide 7*24-hour cyber security emergency response services to help customers minimize the economic losses and negative social impacts caused by security incidents.