
1 The greatest threat to corporate networks is connected. Why corporate network perimeter protection no longer works

Information systems whose data transfer facilities belong to a single company and are used only for that company's needs are customarily called the enterprise's corporate computer network (CN). A CN is the internal private network of an organization: it unites the computing, communication and information resources of that organization and is intended for transmitting electronic data of any kind. It follows that a CN is defined by a specific policy describing the hardware and software used, the rules for admitting users to network resources, the rules of network and resource management, and the further development of the network. In short, the corporate network is the network of a single organization.

A similar definition can be formulated from the concept of the corporate network given by V.G. Olifer and N.D. Olifer in "Computer Networks: Principles, Technologies, Protocols": any organization is a set of interacting elements (divisions), each of which may have its own structure. The elements are interconnected functionally, i.e. they perform certain kinds of work within a single business process, and informationally, exchanging documents, faxes, written and oral orders, etc. In addition, these elements interact with external systems, and this interaction can also be both informational and functional. This holds for almost any organization regardless of its field of activity: a government agency, a bank, an industrial enterprise, a commercial firm, and so on.

Such a general view of the organization makes it possible to formulate some general principles for building corporate information systems, i.e. information systems on the scale of the whole organization.

The corporate network is a system that provides the transmission of information between the various applications used in the corporation. A corporate network is considered to be any network that runs on the TCP/IP protocol stack, uses Internet communication standards, and hosts service applications that deliver data to network users. For example, an enterprise can set up a web server to publish announcements, production schedules and other internal documents; employees then access the documents they need with a web browser.

Web servers in a corporate network can offer users services similar to those of the Internet, such as hypertext pages (containing text, hyperlinks, graphics and audio), serving the requested resources to web clients, and access to databases. In this manual all such publishing services are called "Internet services" regardless of where they are used (on the Internet or in a corporate network).

A corporate network is usually geographically distributed, i.e. it unites offices, divisions and other structures located at a considerable distance from one another. The principles on which a corporate network is built differ markedly from those used when creating a local network. This constraint is fundamental, and when designing a corporate network all measures should be taken to minimize the volume of transmitted data. Otherwise, the corporate network should not impose restrictions on which applications transmit information through it or how they process it. A characteristic feature of such a network is that it contains equipment from a variety of manufacturers and generations, as well as heterogeneous software that was not originally designed for joint data processing.

To connect remote users to a corporate network, the simplest and most affordable option is the telephone network; where available, ISDN can be used. To interconnect network nodes, global (wide-area) data transmission networks are used in most cases. Even where laying dedicated lines is possible (for example, within one city), packet-switching technologies make it possible to reduce the number of required communication channels and, importantly, to ensure compatibility of the system with existing global networks.

Connecting the corporate network to the Internet is justified if you need access to the corresponding services. Many works express the following view on connecting to the Internet: use the Internet as a data transfer medium only when other options are unavailable and financial considerations outweigh the requirements of reliability and security. If you use the Internet only as a source of information, it is better to use a dial-on-demand connection, i.e. one in which the connection to the Internet node is established only on your initiative and for the time you need it. This sharply reduces the risk of unauthorized penetration into your network from outside.

To transfer data within the corporate network it is also worth using the virtual channels of packet-switching networks. The main advantages of this approach are versatility, flexibility and security.

As a result of studying the structure of information systems (IS) and their data processing technology, an information security concept for the IS is developed. The concept reflects the following key points:

  • 1) the structure of the organization's network;
  • 2) existing information security threats, the possibility of their realization and the estimated damage from it;
  • 3) the organization of information storage in the IS;
  • 4) the organization of information processing;
  • 5) the rules for admitting personnel to particular kinds of information;
  • 6) the responsibility of personnel for security.

Developing this topic, on the basis of the IS information security concept above, a security scheme is proposed whose structure must satisfy the following conditions:

Protection against unauthorized penetration into the corporate network and against leakage of information over communication channels.

Delimitation of information flows between network segments.

Protection of critical network resources.

Cryptographic protection of information resources.

For a detailed consideration of the above security conditions it is worth noting the following: to protect against unauthorized penetration and information leakage, a firewall (or several firewalls) is proposed. In essence, a firewall is a gateway that performs the function of protecting a network from unauthorized access from outside (for example, from another network).

Three types of firewalls are distinguished:

Application-level gateway. An application-level gateway, often called a proxy server, relays data for a limited set of user applications. That is, if the gateway does not support a particular application, the corresponding service is not provided and data of that type cannot pass through the firewall.

Filtering router. More precisely, this is a router that includes packet filtering (a packet-filtering router). It is used in packet-switched networks operating in datagram mode, i.e. in transmission technologies where there is no signaling plane (no prior establishment of a connection between the two endpoints), for example IPv4. In this case the decision to forward a received packet is made on the basis of the values of its network- and transport-level header fields. Therefore this type of firewall is usually implemented as a list of rules applied to the values of the header fields of the passing traffic.

Circuit-level (switching-level) gateway. Protection is implemented in the control plane (at the signaling level) by allowing or prohibiting particular connections.

A special place is given to cryptographic protection of information resources in corporate networks, since encryption is one of the most reliable ways to protect data from unauthorized disclosure. A feature of the use of cryptographic tools is their strict legislative regulation. Currently, in corporate networks they are installed only at those workstations where information of very high importance is held.

According to the classification of cryptographic means of protecting information resources in corporate networks, they are divided into:

Single-key cryptosystems, often called traditional, symmetric or one-key systems. The user creates a plaintext message whose elements are symbols of a finite alphabet. An encryption key is generated to encrypt the plaintext, and with the help of an encryption algorithm the ciphertext is formed.

The model assumes that the encryption key is generated in the same place as the message itself. However, another way of creating the key is possible: the key is created by a third party (a key distribution center) trusted by both users. In this case the third party is responsible for delivering the key to both users. Generally speaking, this solution is contrary to the very essence of cryptography, which is to ensure the secrecy of the information transmitted by users.

Single-key cryptosystems use the principles of substitution (replacement), permutation (transposition) and composition. With substitution, individual characters of the plaintext are replaced by other characters. Encryption by permutation changes the order in which the characters of the plaintext follow one another. To improve the reliability of encryption, the ciphertext obtained with one cipher can be encrypted again with another cipher; in this case a composite approach is said to be applied. Consequently, symmetric (single-key) cryptosystems can be classified into systems using substitution ciphers, permutation ciphers and compositions.
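The three principles just named, worked as an added example that is not part of the original text: a keyword substitution, a columnar transposition, and their composition, plus a letter-count profile showing what each one does and does not hide. The keyword "SECRET", the key "ZEBRA" and the message are constructed values.

```python
import string
from collections import Counter

# Added educational example (not from the original text): classical toy
# ciphers illustrating substitution, permutation and composition. No real
# security; shown only to make the three principles concrete.
ALPHABET = string.ascii_uppercase


def make_substitution_table(keyword: str) -> dict:
    """Monoalphabetic substitution table from a keyword: the keyword's
    distinct letters come first, then the remaining letters in order."""
    seen = []
    for ch in keyword.upper() + ALPHABET:
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    return dict(zip(ALPHABET, seen))


def substitute(text: str, table: dict) -> str:
    """Substitution: each character is replaced by its image in the table
    (characters outside the alphabet pass through unchanged)."""
    return "".join(table.get(ch, ch) for ch in text.upper())


def transpose(text: str, key: str) -> str:
    """Permutation (columnar transposition): write the text row by row under
    the key, pad the last row with 'X', then read the columns out in the
    alphabetical order of the key letters."""
    width = len(key)
    text += "X" * ((-len(text)) % width)
    rows = [text[i:i + width] for i in range(0, len(text), width)]
    order = sorted(range(width), key=lambda i: (key[i], i))
    return "".join(row[col] for col in order for row in rows)


def untranspose(cipher: str, key: str) -> str:
    """Inverse of transpose(): put the columns back and read row by row."""
    width = len(key)
    height = len(cipher) // width
    order = sorted(range(width), key=lambda i: (key[i], i))
    columns = [""] * width
    for pos, col in enumerate(order):
        columns[col] = cipher[pos * height:(pos + 1) * height]
    return "".join(columns[c][r] for r in range(height) for c in range(width))


def compose_encrypt(plaintext: str, sub_key: str, perm_key: str) -> str:
    """Composition: substitution first, then transposition of the result."""
    return transpose(substitute(plaintext, make_substitution_table(sub_key)), perm_key)


def compose_decrypt(ciphertext: str, sub_key: str, perm_key: str) -> str:
    """Undo the composition in reverse order. Transposition padding ('X')
    is not removed, since it cannot be told apart from a real trailing X."""
    inverse = {v: k for k, v in make_substitution_table(sub_key).items()}
    return substitute(untranspose(ciphertext, perm_key), inverse)


def count_profile(text: str) -> list:
    """Sorted letter counts. Substitution alone leaves this profile intact
    (what frequency analysis exploits) and transposition alone leaves the
    letters themselves intact; even the composition keeps the profile (plus
    padding), which is why such classical ciphers are educational only."""
    return sorted(Counter(ch for ch in text if ch in ALPHABET).values(), reverse=True)
```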

Public-key cryptosystem. Here the users employ different keys, Ko and Kc, for encryption and decryption. Such a cryptosystem is called asymmetric, two-key or public-key.

The recipient of the message (user 2) generates a linked pair of keys:

Ko, the public key, which is publicly available and is therefore accessible to the sender of the message (user 1);

Kc, the secret (private) key, which remains known only to the recipient of the message (user 2).

User 1, having the encryption key Ko, forms the ciphertext using a specific encryption algorithm.

User 2, holding the secret key Kc, is able to perform the reverse transformation.

In the opposite scenario, user 1 prepares a message for user 2 and, before sending it, encrypts it with his own private key Kc. User 2 can decrypt this message using user 1's public key Ko. Since the message was encrypted with the sender's private key, it can act as a digital signature. Moreover, in this case the message cannot be altered without access to user 1's private key, so the message also solves the tasks of identifying the sender and ensuring data integrity.
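Both directions of the two-key scheme, as an added example that is not part of the original text: Ko and Kc are generated by the recipient, Ko encrypts and Kc decrypts, and in the reverse direction a digest transformed with the sender's Kc is checked by anyone holding Ko. Textbook RSA with the tiny primes 61 and 53 is assumed so the arithmetic can be followed by hand.

```python
import hashlib

# Added educational example (not from the original text): the two-key scheme
# above with the document's names Ko (public key) and Kc (secret key), worked
# with textbook RSA on tiny primes. No padding and a 12-bit modulus: NOT
# usable as real cryptography.


def generate_keys(p: int, q: int, e: int = 17):
    """User 2 generates the linked pair: Ko = (n, e) is published, Kc = (n, d)
    stays with the recipient. p and q must be primes, e coprime to (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)        # (Ko, Kc)


def encrypt(message_int: int, ko) -> int:
    """User 1 encrypts with the recipient's public key Ko."""
    n, e = ko
    return pow(message_int, e, n)


def decrypt(cipher_int: int, kc) -> int:
    """User 2 performs the reverse transformation with the secret key Kc."""
    n, d = kc
    return pow(cipher_int, d, n)


def message_digest(message: bytes, n: int) -> int:
    """Compress the message to an integer below n. A real scheme signs a
    padded full-length hash; reducing mod n is a toy simplification."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign_digest(digest: int, kc) -> int:
    """Opposite direction: the sender transforms the digest with his own
    secret key. Only the holder of Kc can produce this value."""
    n, d = kc
    return pow(digest, d, n)


def verify_digest(digest: int, signature: int, ko) -> bool:
    """Anyone holding the sender's public key Ko recovers the digest from the
    signature and compares it; a changed message gives a different digest."""
    n, e = ko
    return pow(signature, e, n) == digest


def sign(message: bytes, kc) -> int:
    return sign_digest(message_digest(message, kc[0]), kc)


def verify(message: bytes, signature: int, ko) -> bool:
    return verify_digest(message_digest(message, ko[0]), signature, ko)
```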

Finally, it should be said that by installing cryptographic protection tools it is possible to reliably protect from unauthorized access the workstation of an employee who works directly with information of particular importance to the existence of the organization.

The ways of protecting information in an enterprise, as well as the ways of stealing it, are constantly changing. New offers from companies providing information protection services appear regularly. There is certainly no panacea, but there are several basic steps in building protection for an enterprise information system that deserve attention.

Many are surely familiar with the concept of defense in depth for an information network. Its main idea is to use several layers of defense, which at the very least minimizes the damage from a possible breach of the security perimeter of your information system.
Below we consider the general aspects of computer security and put together a checklist that serves as a basis for building the basic protection of an enterprise information system.

1. Firewall (brandmauer)

A firewall is the first line of defense that greets uninvited guests.
In terms of access control, the following types of firewalls are distinguished:

  • In the simplest case, network packets are filtered according to a fixed set of rules, i.e. based on the source and destination addresses of the packets and the network port numbers;
  • A firewall operating at the session level (stateful). It tracks active connections and discards forged packets that violate the TCP/IP specifications;
  • A firewall operating at the application level. It filters based on analysis of the application data carried inside the packets.

Increased attention to network security and the growth of e-commerce have led to an ever-larger share of users protecting their connections with encryption (SSL, VPN). This greatly complicates analysis of the traffic passing through firewalls. As you might guess, developers of malicious software use the same technologies: viruses that encrypt their traffic have become practically indistinguishable from legitimate user traffic.

2. Virtual Private Networks (VPN)

Situations in which an employee needs access to company resources from public places (Wi-Fi at an airport or hotel) or from home (your administrators do not control employees' home networks) are especially dangerous for corporate information. To protect it, encrypted VPN tunnels are simply a necessity. Direct, unencrypted access to a remote desktop (RDP) is not acceptable. The same applies to using third-party tools such as TeamViewer, Ammyy Admin, etc. to reach the work network: traffic through these programs is encrypted, but it passes through the software vendor's servers, which you do not control.

The disadvantages of a VPN include the relative complexity of deployment, the additional cost of authentication keys and the increased load on the Internet channel. Authentication keys can also be compromised. Stolen company or employee mobile devices (laptops, tablets, smartphones) with pre-configured VPN connection parameters can be a potential hole for unauthorized access to company resources.

3. Intrusion detection and prevention systems (IDS, IPS)

An intrusion detection system (IDS) is software or hardware designed to detect unauthorized access to a computer system (network) or unauthorized control of such a system. In the simplest case, such a system helps to detect scanning of your system's network ports or attempts to log in to a server. The first indicates initial reconnaissance by an attacker, the second an attempt to break into your server. You can also detect attacks aimed at privilege escalation in the system, unauthorized access to important files, and malicious software. Advanced network switches allow an intrusion detection system to be connected via port mirroring or through network taps.

An intrusion prevention system (IPS) is a software or hardware security system that actively blocks intrusions as they are detected. When an intrusion is detected, the suspicious network traffic can be blocked automatically and a notification sent immediately to the administrator.

4. Antivirus Protection

Anti-virus software is the main line of defense for most modern enterprises. According to the research company Gartner, the anti-virus market in 2012 amounted to $19.14 billion, and its main consumers are the small and medium business segment.

First of all, antivirus protection is aimed at client devices and workstations. Business versions of antivirus products include centralized management of client devices and the ability to configure security policies centrally. Antivirus vendors also offer specialized solutions for servers.
Given that most malware infections result from user actions, antivirus packages offer comprehensive protection options, for example protection of e-mail programs and chats and checking of the websites users visit. In addition, antivirus packages increasingly include a software firewall, proactive protection mechanisms and spam filtering.

5. White lists

What are "white lists"? There are two main approaches to information security. The first assumes that by default the operating system allows any application to run unless it has previously been entered in a "black list". The second, on the contrary, allows only those programs that were added in advance to a "white list" to run, and all other programs are blocked by default. The second approach is certainly preferable in the corporate world. White lists can be created both with the built-in tools of the operating system and with third-party software; antivirus products often include this feature. Most antivirus applications offering white-list filtering allow the initial setup to be performed very quickly with minimal attention from the user.

However, there may be situations in which the dependencies of a white-listed program's files were not correctly determined by you or by the antivirus software. This leads to the application failing or installing incorrectly. In addition, white lists are powerless against attacks that exploit a document-processing vulnerability in a program that is itself on the white list. You should also pay attention to the weakest link in any protection: staff in a hurry can ignore the antivirus warning and add malicious software to the white list themselves.

6. Spam filtering

Spam mailings are often used to carry out phishing attacks intended to introduce a trojan or other malware into the corporate network. Users who process a large amount of e-mail daily are more susceptible to phishing messages. Therefore the task of the company's IT department is to filter the maximum amount of spam out of the total e-mail flow.

Basic ways to filter spam:

  • Specialized spam filtering service providers;
  • Software for spam filtering on your own mail servers;
  • Specialized hardware solutions deployed in a corporate data center.

7. Keeping software up to date

Timely software updates and the use of current security patches are an important element of protecting the corporate network from unauthorized access. Software manufacturers, as a rule, do not provide full information about a newly found security hole. However, the general description of a vulnerability is enough for attackers: literally a couple of hours after the description of a new hole and its patch are published, they write software to exploit it.
In fact this is a fairly big problem for small and medium-sized businesses, since a wide range of software products from different manufacturers is commonly used. Updating the entire software fleet is often not given due attention, and this is practically an open window in the enterprise's security system. Today a large amount of software updates itself from the manufacturer's servers, which removes part of the problem. Why only part? Because the manufacturer's servers can be hacked, and under the guise of legitimate updates you will receive fresh malicious software. Also, manufacturers themselves sometimes release updates that break the normal operation of their software, which is unacceptable at critical business sites. To prevent such incidents, all received updates should, firstly, be applied immediately after release and, secondly, be carefully tested before use.

8. Physical security

Physical security of the corporate network is one of the most important factors and is hard to overestimate. With physical access to a network device, in most cases an attacker will easily gain access to your network, for example if there is physical access to a switch and the network does not filter MAC addresses (although MAC filtering will not save you in this case either). Another problem is theft of, or careless handling of, hard disks after they are replaced in a server or other device. Given that passwords found on them can be recovered, server cabinets and rooms with equipment must always be reliably fenced off from outsiders.

We have touched on only some of the most common aspects of security. It is also important to pay attention to user training, periodic independent audits of information security, and creating and complying with a sound information security policy.
Note that protecting a corporate network is a rather complex topic that is constantly changing. You must make sure that the company does not depend on only one or two lines of defense, and always try to follow current information and new solutions on the information security market.


Threats and vulnerabilities of wired corporate networks

In the early stages of network technology, the damage from viruses and other kinds of computer attacks was small, because the global economy's dependence on information technology was small. Today, with business heavily dependent on electronic access and information exchange and an ever-growing number of attacks, the damage from even minor attacks that cause loss of machine time runs into millions of dollars, and the cumulative annual damage to the global economy is tens of billions of dollars.

Information processed in corporate networks is especially vulnerable because of:
  • the increase in the volumes of information processed, transmitted and stored in computers;
  • the concentration in databases of information of various levels of importance and confidentiality;
  • the expansion of the circle of users with access to the information stored in databases and to the resources of the computer network;
  • the increase in the number of remote workplaces;
  • the widespread use of the global Internet and various communication channels;
  • the automation of information exchange between users' computers.

Analysis of the most common threats to which modern wired corporate networks are subject shows that the sources of threats vary from unauthorized intruders to computer viruses, while human error is a very substantial security threat. It must be borne in mind that the sources of security threats can be located both inside the corporate information system (CIS), internal sources, and outside it, external sources. This division is fully justified, because for the same threat (for example, theft) the countermeasures against external and internal sources differ. Knowledge of the possible threats and of the vulnerable points of the CIS is necessary to select the most effective security tools.

The most frequent and (in terms of damage) most dangerous are unintentional errors by users, operators and system administrators serving the CIS. Sometimes such errors cause direct damage (incorrectly entered data, a program error that halted or destroyed the system), and sometimes they create weaknesses that attackers can exploit (usually administration errors).

According to the US National Institute of Standards and Technology (NIST), 55% of security violations in information systems are the consequence of unintentional errors. Working in global information systems makes this factor very relevant, and the source of damage can be both the actions of the organization's employees and those of users of the global network, which is especially dangerous. Fig. 2.4 gives a diagram illustrating statistics on the sources of security violations in a CIS.

Second in terms of damage are thefts and forgeries. In most of the investigated cases the perpetrators turned out to be regular employees of the organizations, well acquainted with the mode of operation and the protective measures. The presence of a high-capacity communication channel to global networks, in the absence of due control over its use, can further facilitate such activities.

Fig. 2.4. Sources of security violations

Disgruntled employees, even former ones, are familiar with the organization's procedures and are able to do harm very effectively. Therefore, when an employee is dismissed, his access to information resources must be revoked.

Intentional attempts to obtain unauthorized access through external communications account for about 10% of all possible violations. Although this figure does not seem so significant, experience on the Internet shows that almost every server connected to it is subjected to penetration attempts several times a day. Tests by the US Agency for Information Systems have shown that 88% of computers have information security weaknesses that can be actively used to obtain unauthorized access. Cases of remote access to organizations' information structures deserve separate consideration.

Before building a security policy, it is necessary to assess the risks to which the organization's computer environment is exposed and take appropriate action. Obviously, the organization's expenditure on controlling and preventing security threats should not exceed the expected losses.

These statistics can suggest to the organization's management and staff where to direct efforts to effectively reduce security threats to the corporate network and system. Of course, problems of physical security and measures to reduce the negative impact of human error on security must be dealt with, but at the same time the most serious attention must be paid to network security tasks, to prevent attacks on the corporate network and system both from outside and from inside the system.


Today on our blog we decided to touch on the security aspects of corporate networks, and Mikhail Lyubimov, technical director of LwCom, will help us with this.

Why is the topic of network security so relevant in the modern world?

Given the virtually universal availability of broadband Internet, most actions on devices are performed over the network, so for 99% of modern threats it is the network that delivers the threat from the source to the target. Of course, malicious code can also spread via removable media, but this method is used less and less, and most companies have long since learned to combat such threats.

What is a data network?

Let's first draw the architecture of a classic corporate data network in a simplified form understandable to everyone.

The data network begins with the access-level switch. Workplaces are connected directly to this switch: computers, laptops, printers, multifunction devices and various other devices, such as wireless access points. Accordingly, there can be a lot of equipment, and it can be connected to the network in completely different places (floors or even separate buildings).

Usually the corporate data network is built on a star topology, so interaction between all the segments is provided by core-level equipment. For example, the same kind of switch can be used, only usually in a more powerful and functional version compared to the access level.

Servers and storage systems are usually consolidated in one place and, from the data network's point of view, can be connected either directly to the core equipment or through their own segment of access equipment.

Next comes the equipment for the junction with external data networks (for example, the Internet). Companies usually use routers, firewalls and various kinds of proxy servers for this purpose. They are also used to organize communication with the company's distributed offices and to connect remote employees.

This is the architecture of a local computer network that is simple to understand and ordinary for today's realities.

What classification of threats exists today?

Let's define the main targets and directions of attacks within network interaction.

The most common and simplest attack target is the user's device. Malicious software is easily distributed in this direction through content on web resources or via e-mail.

Subsequently, an attacker with access to the user's workstation can either steal confidential data or develop the attack against other users or other devices on the corporate network.

The next possible attack target is, of course, servers. One of the best-known types of attack on published resources is DoS and DDoS attacks, which are used to disrupt the stable operation of resources or take them down completely.

Attacks can also be directed from external networks at specific published applications, such as web resources, DNS servers and e-mail. Attacks can also come from inside the network, from an infected user computer or from an attacker connected to the network, against applications such as file shares or databases.



There is also a category of targeted attacks, and one of the most dangerous is an attack on the network itself, that is, on access to it. An attacker who has access to the network can organize a subsequent attack on practically any device connected to it and can also covertly access any information. Most importantly, a successful attack of this kind is quite difficult to detect and cannot be remedied with standard means. In effect, you have a new user or, worse, an administrator about whom you know nothing.

The attacker's target can also be the communication channels. It should be understood that a successful attack on communication channels not only allows the information transmitted over them to be read, but is also identical in its consequences to an attack on the network, when the attacker gains access to all the resources of the local computer network.

How do you organize competent and reliable data protection?

To begin with, we can give global practices and recommendations for organizing the protection of a corporate data network, namely a set of tools that allow most existing threats to be avoided with minimal effort, the so-called secure minimum.

In this context the term "network security perimeter" must be introduced, because the closer to the possible source of a threat you monitor, the more you reduce the number of attack methods available to the attacker. The perimeter must exist for both external and internal connections.

First of all, we recommend securing the junction with public networks, because the largest number of threats comes from there. Currently there are a number of specialized network security tools intended precisely for organizing a secure connection to the Internet.

Terms such as NGFW (next-generation firewall) and UTM (Unified Threat Management) are widely used to describe them. These devices not only combine the functionality of a classic router, firewall and proxy server, but also provide additional security services such as URL and content filtering, antivirus, etc. At the same time, the devices often use cloud-based checking systems, which allows all transmitted data to be checked for threats quickly and efficiently. But the main thing is the ability to report identified threats retrospectively, that is, to identify threats in cases where the infected content has already been delivered to the user but information about its harmfulness appeared at the manufacturer later.

Features such as HTTPS traffic inspection and automatic application identification allow you to control not only access to specific sites, but also to allow or prohibit the operation of applications such as Skype, TeamViewer and many others; as you know, most of them have long worked over the HTTP and HTTPS protocols, and standard network tools simply do not control them.

In addition, within a single device you can also get an intrusion prevention system responsible for suppressing attacks aimed at published resources. You can additionally get a VPN server for secure remote work of employees and for connecting branches, antispam, botnet control, a sandbox, etc. All this makes such a device truly unified network security.

If your company does not yet use such solutions, we highly recommend starting to use them right now, since the time of their effectiveness has come; we can say with confidence that such devices have proven their real ability to fight a multitude of threats, which was not the case 5 years ago. Back then such products had only just come to market, had many problems, and were rather expensive and low-performance.

But how to choose a Next-Generation Firewall?

There is now a great number of network devices on the market with declared similar functionality, but only a handful are able to provide really effective protection. This is explained by the fact that only a limited number of manufacturers have the funds and really invest them in continuously tracking current threats, i.e. constantly updating the databases of potentially dangerous resources, ensuring uninterrupted support for their solutions, etc.

Many partners will try to sell you solutions that are profitable for them to sell, so the price of a solution does not always correspond to its real ability to resist threats. Personally, when selecting a device, I recommend referring to the materials of independent analytical centers, for example NSS Labs reports. In my opinion, they are more accurate and unbiased.

In addition to threats from the outside, your resources can also be attacked from the inside. The so-called "secure minimum" that should be applied in your local area network is its segmentation into VLANs, i.e. virtual local area networks. In addition to segmentation, it is necessary to enforce access policies between them, at least with standard means such as access control lists (ACLs), because the mere presence of VLANs gives nothing in the fight against modern threats.

As a separate recommendation I would note the desirability of applying access control directly at the device port. Remember the network perimeter: the closer to the protected services you apply policies, the better. Ideally such policies should be applied on access switches. In such cases, 4 simple rules are recommended as the most minimal security policies:

  • keep all unused switch ports administratively shut down;
  • do not use VLAN 1;
  • use MAC filtering lists on access switches;
  • use ARP inspection.

An excellent solution is to also place the same firewalls with intrusion prevention systems along the data path, and to use demilitarized zones architecturally. It is best to implement authentication of the connecting device using the 802.1X protocol with various AAA systems (authentication, authorization and accounting) for centralized network access control. Typically these solutions are designated by the term NAC (Network Access Control). An example of one such commercial system is Cisco ISE.
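The access-layer rules above can be audited from a switch's running configuration. The following checker is an added example, not code from the original post: it takes a constructed Cisco IOS-style config and reports, per port, which of the four rules and the 802.1X requirement are not met (the config text and interface names are constructed; the checker only pattern-matches the text and does not talk to a switch).

```python
"""Audit a constructed IOS-style access-switch config against the minimal
access-layer rules: unused ports shut down, no VLAN 1, MAC filtering
(port-security) on access ports, ARP inspection on the port's VLAN, and
802.1X authentication. Pure text matching; no device is contacted."""
import re

# Constructed sample running-config: two compliant ports, three with findings.
SAMPLE_CONFIG = """\
ip arp inspection vlan 10,20
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet0/2
 switchport access vlan 1
 switchport port-security
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet0/3
 switchport access vlan 20
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet0/4
 switchport access vlan 20
 shutdown
!
interface GigabitEthernet0/5
 switchport access vlan 30
 switchport port-security
 authentication port-control auto
 dot1x pae authenticator
!
"""

def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} per 'interface' stanza."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        elif line.strip() == "!":
            current = None
    return interfaces

def arp_inspected_vlans(config):
    """Collect the VLAN ids covered by global 'ip arp inspection vlan' lines."""
    vlans = set()
    for m in re.finditer(r"^ip arp inspection vlan ([\d,\-]+)", config, re.M):
        for part in m.group(1).split(","):
            if "-" in part:
                lo, hi = map(int, part.split("-"))
                vlans.update(range(lo, hi + 1))
            else:
                vlans.add(int(part))
    return vlans

def audit_access_switch(config):
    """Return {interface: [findings]}; an empty list means the port complies.
    A port with 'shutdown' counts as administratively disabled (rule 1) and is
    not checked further; which enabled ports are actually unused cannot be
    judged from the config alone."""
    findings = {}
    dai_vlans = arp_inspected_vlans(config)
    for name, lines in parse_interfaces(config).items():
        problems = []
        if "shutdown" in lines:
            findings[name] = problems
            continue
        vlan = next((int(l.split()[-1]) for l in lines
                     if l.startswith("switchport access vlan")), 1)
        if vlan == 1:
            problems.append("port is in VLAN 1")
        if not any(l.startswith("switchport port-security") for l in lines):
            problems.append("no MAC filtering (port-security)")
        if vlan not in dai_vlans:
            problems.append(f"VLAN {vlan} has no ARP inspection")
        if "dot1x pae authenticator" not in lines:
            problems.append("802.1X authenticator not enabled")
        findings[name] = problems
    return findings
```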



Attackers can also attack channels. To protect channels, use strong encryption. Many neglect this and then pay for the consequences. Unprotected channels not only allow information to be stolen, but also open the possibility of attacking almost all corporate resources. Our customers have in practice had a considerable number of incidents in which attacks on corporate telephony were carried out via communication organized between the central and a remote office over unprotected data channels (for example, simply using GRE tunnels). The companies received simply crazy bills!

What can you say about wireless networks and BYOD?

I would like to single out the topic of remote work, wireless networks and the use of personal devices separately. From my own experience I can say that these three things are among the biggest potential holes in your company's security. But at the same time they are among the biggest competitive advantages.

To put it briefly, I recommend either completely prohibiting the use of wireless networks, remote work, or work from personal mobile devices, justifying this by corporate rules, or providing these services in the most secure way possible, especially since modern solutions make it possible to do this very well.

For remote work, the same Next Generation Firewalls or UTM devices can help. Our practice shows that there are a number of stable solutions (from Cisco, Check Point, Fortinet, Citrix) that work with many client devices while ensuring the highest standards for identifying a remote employee: for example, the use of certificates, two-factor authentication, one-time passwords delivered by SMS or generated on a special token. You can also check the software installed on the computer from which the access attempt is made, for example require that the appropriate updates be installed or that an antivirus be running.

Wi-Fi security deserves a separate article. Within this post I will try to give the most important recommendations. If you build corporate Wi-Fi, be sure to work through all possible security aspects associated with it.

By the way, Wi-Fi is a separate line of income for our company. We deal with it professionally: we design wireless networks for shopping and entertainment centers (TRC), shopping centers (TC), business centers and warehouses, including the use of modern solutions such as positioning, and we do this continuously. According to the results of our radio surveys, in every other office and warehouse we find at least one home Wi-Fi router that employees themselves connected to the network. Usually they do this for their own convenience, say, to go out to the smoking area with a laptop or move freely around the room. It is clear that no corporate security rules were applied on such routers; passwords were handed out to colleagues, then to colleagues of colleagues, then to guests over coffee, and eventually almost everyone had access to the corporate network, completely uncontrolled.

Of course, it is worth protecting the network from the connection of such equipment. The main ways to do this are port-based authorization, MAC filtering, etc. Again, from the Wi-Fi point of view, the network should use strong cryptographic algorithms and Enterprise authentication methods. But it should be understood that not all Enterprise authentication methods are equally useful. For example, Android devices in some software releases can by default ignore the certificate of a public Wi-Fi network, thereby making an Evil Twin class attack possible. If an authentication method such as EAP-GTC is used, the key in it is transmitted in the clear and can be intercepted in such an attack. We recommend using exclusively certificate-based authentication in corporate networks, i.e. TLS methods, but bear in mind that it significantly increases the load on network administrators.

There is another way: if remote work is already implemented in the corporate network, then devices connected via Wi-Fi can also be forced to use the VPN client. That is, treat the Wi-Fi network segment as an initially untrusted zone; in the end this turns out to be a good working option that minimizes network management costs.

Manufacturers of Enterprise Wi-Fi solutions such as Cisco, Ruckus (now Brocade), and Aruba (now HPE), in addition to standard Wi-Fi solutions, provide a whole set of services for automatic security control of the wireless environment. That is, they have quite workable things like WIPS (Wireless Intrusion Prevention System). These manufacturers have wireless sensors that can monitor the entire frequency spectrum, thereby allowing fairly serious threats to be tracked automatically.

Now let us touch on BYOD (Bring Your Own Device) and MDM (Mobile Device Management). Of course, any mobile device on which corporate data is stored, or which has access to the corporate network, is a potential source of problems. Security for such devices concerns not only secure access to the corporate network but also centralized management of mobile device policies: smartphones, tablets and laptops used outside the organization. This topic has been relevant for a very long time, but only now have actually working solutions appeared on the market that allow a variety of mobile equipment to be managed.

Unfortunately, there is no room to describe them within this post, but know that solutions exist, and over the last year we have been seeing a boom in implementations of MDM solutions from Microsoft and MobileIron.

You have told us about "security at the minimum"; what then is "security at the maximum"?

At one time a picture was popular on the Internet: to protect the network it was recommended to put firewalls from well-known manufacturers one after another. We do not in any way suggest that you do the same, but nevertheless there is a grain of truth here. It will be extremely useful to have a network device with virus signature analysis, for example from Sophos, and to install antivirus from Kaspersky Lab on the workstations. Thus we get two anti-malware engines that do not interfere with each other.

There are a number of specialized information security (IS) tools:

DLP. Specialized information security tools are presented on the market, i.e. tools developed and aimed at countering some particular threat. Currently DLP (Data Loss Prevention) systems, which prevent data leakage, are popular. They work both at the network level, integrating into the data transmission medium, and directly on application servers, workstations and mobile devices.

We are departing somewhat from the network topic, but the threat of data leakage will always exist. These solutions are especially relevant for companies where data loss carries commercial and reputational risks and consequences. 5 years ago the introduction of DLP systems was somewhat difficult in view of their complexity and the need to carry out development for each specific case. Therefore, because of their cost, many companies refused these solutions or wrote their own. Currently there are enough systems on the market, so all the necessary security features can be obtained directly "out of the box".

On the Russian market, commercial systems are mainly represented by the manufacturer InfoWatch (below is a picture from this manufacturer of how they see their solution in a large company) and the quite well-known McAfee.

WAF. Due to the development of Internet commerce services (online banking, electronic money, e-commerce, insurance services, etc.), specialized tools for protecting web resources have recently been in demand, namely WAF, the Web Application Firewall.

This device allows you to repel attacks aimed at vulnerabilities of the site itself. In addition to targeted DoS attacks, when the site is overwhelmed by legitimate requests, these may be SQL injection, cross-site scripting, etc. Previously such devices were purchased mainly by banks; other customers had no demand for them, and they cost very big money. For example, the cost of a working solution started from $100,000. Now the market offers a large number of solutions from well-known manufacturers (Fortinet, Citrix, Positive Technologies), from which you can get a working solution to protect your site for quite reasonable money (3-5 times less than the amount indicated above).

Audit. Organizations that are particularly concerned about their own security implement automated audit tools. These solutions are expensive, but they automate a number of administrator functions, which is extremely in demand for large business. Such solutions constantly scan the network and audit all installed operating systems and applications for the presence of known security holes, timeliness of updates and compliance with corporate policies. Probably the most famous solutions in this area, not only in Russia but worldwide, are products from Positive Technologies.

SIEM. SIEM solutions are similar. These are systems specialized in identifying abnormal situations among security events. Even a standard set of a couple of firewalls, a dozen application servers and thousands of workstations can generate tens of thousands of alerts per day. If you have a big company with dozens of border devices, then sorting through the data from them manually becomes simply impossible. Automating the control of logs collected simultaneously from all devices allows administrators and IS employees to act immediately. Well-known on the market are SIEM solutions from ArcSight (part of HPE products) and QRadar (part of IBM products).
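The point of a SIEM is to turn tens of thousands of raw events from many devices into a handful of actionable alerts. The following is an added example, not code from the original post or from any SIEM product: constructed syslog-like lines from a firewall and two servers (the formats are invented) are normalized to one schema, and a single correlation rule flags a source that fails to log in several times across different hosts and then succeeds.

```python
"""Toy SIEM-style correlation: normalize events from several devices to one
schema, then apply a rule that looks for N failed logins from one source
address within a time window (on any host) followed by a successful login
from that address. Log lines and their formats are constructed for this
example and do not correspond to any real device."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed raw events from three devices (a firewall and two app servers).
RAW_LOGS = [
    "2016-04-12T09:00:01 fw1 DENY src=203.0.113.7 dst=10.0.5.20 dport=22",
    "2016-04-12T09:00:05 app1 sshd: Failed password for admin from 203.0.113.7",
    "2016-04-12T09:00:09 app1 sshd: Failed password for admin from 203.0.113.7",
    "2016-04-12T09:00:14 app2 sshd: Failed password for root from 203.0.113.7",
    "2016-04-12T09:00:20 app2 sshd: Failed password for admin from 203.0.113.7",
    "2016-04-12T09:00:31 app2 sshd: Accepted password for admin from 203.0.113.7",
    "2016-04-12T09:05:00 app1 sshd: Failed password for alice from 10.0.1.15",
    "2016-04-12T09:05:10 app1 sshd: Accepted password for alice from 10.0.1.15",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")
FAIL_RE = re.compile(r"Failed password for (\S+) from (\S+)")
OK_RE = re.compile(r"Accepted password for (\S+) from (\S+)")

def normalize(line):
    """Map one raw line to a common schema, or None if it is not an auth event
    (the firewall DENY line, for instance, is kept out of this rule)."""
    ts, host, msg = LINE_RE.match(line).groups()
    for pattern, outcome in ((FAIL_RE, "fail"), (OK_RE, "success")):
        m = pattern.search(msg)
        if m:
            return {"time": datetime.fromisoformat(ts), "host": host,
                    "user": m.group(1), "src": m.group(2), "outcome": outcome}
    return None

def correlate(lines, threshold=3, window=timedelta(minutes=5)):
    """Return one alert per source address that produced >= threshold failed
    logins within `window` (counted across all hosts) and then a success."""
    events = [e for e in map(normalize, lines) if e]
    events.sort(key=lambda e: e["time"])
    failures = defaultdict(list)   # src -> timestamps of failed logins
    alerts = []
    for e in events:
        src = e["src"]
        if e["outcome"] == "fail":
            failures[src].append(e["time"])
            continue
        recent = [t for t in failures[src] if e["time"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"src": src, "user": e["user"], "host": e["host"],
                           "failures_before_success": len(recent)})
            failures[src].clear()   # do not alert twice on the same burst
    return alerts
```

Eight raw lines collapse to one alert here; the single legitimate failure from 10.0.1.15 stays below the threshold and produces nothing.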

And finally: what can you advise those who are seriously engaged in organizing the protection of their IT resources?

Of course, when organizing IT security, an enterprise should not forget about administrative regulations. Users and administrators should be aware that found flash drives must not be used on a computer, that dubious links in letters must not be followed and dubious attachments must not be opened. It is very important to tell and explain what links and attachments are suspicious. In fact, not everyone understands that passwords must not be stored on stickers glued to the monitor or phone, that you need to learn to read the warnings shown to the user, etc. Users should be taught what a security certificate is and what messages are associated with it. In general, it is necessary to take into account not only the technical side of the issue, but also to instill in employees a culture of using corporate IT resources.

I hope this big post was interesting and useful to you.

In trying to ensure viability, a company's security service focuses on protecting the network perimeter: the services available from the Internet. The image of a gloomy attacker ready to strike the company's published services from anywhere in the world haunts business owners. But how true is this, considering that the most valuable information is not at the perimeter of the organization but in the depths of its corporate network? How should one evaluate the proportionality of infrastructure protection against external and internal attacks?

"A ship in harbor is safe, but that is not what ships are built for."

The sense of security is deceptive

Under conditions of total informatization and globalization, business places new requirements on corporate networks: flexibility and independence of corporate resources with respect to their end users, employees and partners. For this reason, today's corporate networks are very far from the traditional concept of isolation (despite the fact that they were initially described that way).

Imagine an office: walls protect it from the outside world; partitions and walls divide the total area into smaller specialized zones: kitchen, library, offices, workplaces, etc. Transitions from zone to zone occur in certain places, in doorways, and if necessary are also controlled by additional means: video cameras, access control systems, smiling guards... Entering such a room, we feel safe; there is a feeling of trust and goodwill. However, it must be recognized that this feeling is only a psychological effect based on "security theater", when the declared purpose of the measures carried out is to increase security, but in fact only an impression of it is formed. After all, if an attacker really wants to take something, getting into the office will not be an insurmountable difficulty, and perhaps on the contrary will even offer additional opportunities.

The same thing happens in corporate networks. Once it is possible to be inside the corporate network, classical security approaches are insufficient. The fact is that protection methods are built on the basis of an internal threat model and are aimed at countering employees who may randomly or deliberately, but without adequate qualifications, violate security policies. But what if there is a qualified hacker? The cost of overcoming the network perimeter on the underground market has a practically fixed price for each organization and on average does not exceed $500. For example, Dell gives the following price list for the black market in hacker services as of April 2016:

As a result, one can buy the compromise of a corporate mailbox, whose account is most likely valid for all other corporate services of the company due to the common principle of single sign-on. Or purchase polymorphic viruses that antiviruses do not track and, with the help of phishing mailings, infect careless users, thereby obtaining control of a computer inside the corporate network. For well-protected network perimeters, the weaknesses of human consciousness are exploited: for example, having bought new identification documents and having received data on the working and personal life of an employee of the organization by ordering cyber-espionage, one can use social engineering and obtain confidential information.

Our experience in conducting penetration tests shows that the external perimeter is overcome in 83% of cases, and in 54% this does not require highly qualified preparation. At the same time, according to statistics, approximately every fifth employee of a company is ready to consciously sell their credentials, including remote access credentials, thereby tremendously simplifying the overcoming of the network perimeter. Under such conditions, internal and external intruders become indistinguishable, which creates a new challenge for the security of corporate networks.

Take critical data and do not protect it

Inside the corporate network, entry to all systems is monitored and accessible only to verified users. But this check turns out to be the same "security theater" mentioned earlier, since the real state of affairs looks very gloomy, and this is confirmed by the statistics of corporate information system vulnerabilities. Here are some major shortcomings of corporate networks.

  • Weak passwords

Oddly enough, the use of weak passwords is typical not only for ordinary company personnel but also for IT administrators themselves. For example, passwords set by the manufacturer by default remain on services and equipment, or the same elementary combination is used for all devices. One of the most popular combinations is an admin account with the password admin or password. Short passwords consisting of lowercase letters of the Latin alphabet and simple numeric passwords such as 123456 are also popular. Thus, a password can be brute-forced quickly, the right combination found, and corporate resources accessed.

  • Storage of critical information within the network in the clear

Imagine the situation: the attacker has gained access to the internal network; there are two options for how events develop. In the first case, the information is stored in the clear and the company immediately bears serious risks. In the other case, the data on the network is encrypted and the key is stored elsewhere, and the company has a chance and time to resist the attacker and save important documents from theft.

  • Use of outdated versions of operating systems and their components

Each time an update appears, a technical document is released at the same time describing in detail which shortcomings and errors have been fixed in the new version. If a security-related problem has been disclosed, attackers begin to actively explore this topic, find related errors and develop hacking tools on this basis.

Up to 50% of companies either do not update the programs they use or do it too late. At the beginning of 2016, the Royal Melbourne Hospital suffered from the fact that its computers were running Windows XP. Initially hitting a computer in the pathology department, the virus rapidly spread over the network, blocking the automated work of the entire hospital for some time.

  • Use of self-developed business applications without security control

The main task of in-house development is functionality. Such applications have a low level of protection, often being produced under conditions of resource deficiency and without proper support from the manufacturer. The product in fact works and performs its tasks, but it is very easy to hack and obtain the necessary data from it.

  • Lack of effective antivirus protection and other means of protection

It is believed that what is hidden from external view is protected, i.e. the internal network is supposedly safe. Security departments carefully watch the external perimeter, and if it is protected so well, a hacker will not get inside. And in fact, in 88% of cases vulnerability management is not implemented in companies, and there are no intrusion prevention systems or centralized security event storage. Taken together, this does not allow the security of the corporate network to be ensured effectively.

At the same time, the information stored within the corporate network is of high importance for the work of the enterprise: client bases in CRM and billing systems, critical business indicators in ERP, business communication in mail, document flow on portals and file resources, etc.

The border between the corporate and public networks has become so blurred that fully controlling its security has become very difficult and expensive. After all, there are practically no countermeasures against the theft or sale of credentials, administrator negligence, threats implemented through social engineering, etc., which leads attackers to use these very techniques to overcome external protection and approach the vulnerable infrastructure holding the more valuable information.

The way out can be a concept of information security in which the security of the internal and external network is ensured on the basis of a single threat model, one that allows for the probability of one type of attacker turning into another.

Attackers versus defenders: who will win?

Information security as a state is possible only in the case of "elusive Joe", that is, when nobody needs what you have. The confrontation between intruders and defenders takes place in fundamentally different planes. Attackers benefit from violating the confidentiality, availability or integrity of information, and the more effective and efficient their work, the greater the benefit they can get. Defenders extract no benefit from the security process at all; any step is a non-refundable investment. That is why risk-oriented security management has become widespread, in which the attention of defenders focuses on the most expensive risks (in terms of damage assessment) with the lowest cost of closing them. Risks whose cost of closing is higher than the value of the protected resource are consciously accepted or insured. The task of this approach is to raise as much as possible the price of overcoming the weakest security point of the organization, so critical services must be well protected regardless of whether the resource is located inside the network or on the network perimeter.
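The risk-oriented rule just described can be carried through on numbers. The following is an added example, not from the original article: with constructed figures for asset value, expected damage and closing cost, it accepts (or insures) any risk whose closing cost exceeds the protected asset's value and spends a fixed budget on the remaining risks in order of damage per unit of closing cost.

```python
"""Worked illustration of the risk-oriented rule: rank risks by damage per
unit of closing cost, and accept or insure any risk whose closing cost
exceeds the value of the resource it protects. All figures are constructed."""

# (name, asset_value, expected_damage, closing_cost) in arbitrary currency units
RISKS = [
    ("perimeter VPN without 2FA",    500_000, 300_000, 20_000),
    ("internal file share in clear", 800_000, 600_000, 50_000),
    ("legacy test server, no data",   10_000,   8_000, 30_000),
    ("web app without WAF",          400_000, 150_000, 60_000),
]

def plan_controls(risks, budget):
    """Return (mitigate, accept): names of risks to close, in priority order
    within the budget, and names of risks accepted or insured, either because
    closing them costs more than the asset or because the budget ran out."""
    accept = [r for r in risks if r[3] > r[1]]          # not worth closing
    candidates = [r for r in risks if r[3] <= r[1]]
    # highest expected damage per unit of closing cost first
    candidates.sort(key=lambda r: r[2] / r[3], reverse=True)
    mitigate, spent = [], 0
    for r in candidates:
        if spent + r[3] <= budget:
            mitigate.append(r[0])
            spent += r[3]
        else:
            accept.append(r)   # unaffordable this cycle: accept or insure
    return mitigate, [r[0] for r in accept]
```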

The risk-oriented approach is only a forced measure that allows the concept of information security to exist in the real world. In fact, it puts defenders in a difficult position: they play black, only responding to actual threats as they emerge.