 DDACS 2.0.1

   Protect yourself at all times!

So How Do I Protect Myself At All Times

Today's threats present serious challenges to computer security. Annual research, like that conducted by Gartner, shows that more and more security solutions appear, but threats keep appearing too. Why?

Let's try to understand. What are threats?

Threats are "holes" in protection that can be exploited to launch an attack. Attacks can target your privacy (stealing your personal information or revealing it to others, impersonating you, etc.), your business or other valuable information (credit card numbers, customer lists) and your system (destroying or modifying vital operating system files so that you can't work normally, or exploiting your system to run the hacker's jobs without your knowledge). Attacks can be automated (by a program) or manual (by a human).

Every time you give someone your privileges on your computer, you open a security hole. That someone may be a program you run "as Administrator" or a human (a friend, a relative) whom you seat at your computer while you do other things. There are also anonymous human attacks, where a remote hacker uses software tools (from well-known OS tools to specially written programs) to gain all kinds of access to your computer.

How do security solutions combat these attacks?

In the early days of PC security the concept of a virus was popular. The first virus was a research program developed at IBM; it used knowledge of the executable format and CPU instructions to inject the "viral" part into an executable file. So a virus actually consisted of a spreading part and a viral (harmful) part.

The internet at that time existed mostly at universities and big organizations and was largely unavailable to PC users. The most popular PC operating system was DOS, which was virtually unprotected from anything. But software from the internet (and sending information to remote hosts) was not available, and denial-of-service attacks only caused the user to reinstall DOS (which took minutes) and stop using the offending program. The "viral" part could of course seek out and destroy important files, but back then there were many different file formats from different vendors, so this was not viable; besides, a really harmful "viral" part was considered bad form (mauvais ton) in the hacker community of the day, and virus programming was seen more as an exercise in programming.

Despite that, harmful "viral" parts did appear, and early security companies developed anti-virus solutions. Anti-viruses were programs that detected viruses by a signature (a binary code sequence from the "viral" or "spreading" part). Thus the early virus databases appeared; anti-virus programs used databases of signatures to recognize infected programs, and in most cases, when the original program had not been modified or destroyed (which would break its functionality and make the virus's presence apparent to the user), anti-viruses were able to "bite out" the virus body and recover the original, uninfected software.

Time passed, and threats evolved. The days when the viral part was as innocent as playing Yankee Doodle on the PC speaker are long gone. Today's hackers don't see producing malware as an exercise in programming; they are much more pragmatic. They seek everything that can be converted into monetary gain, using the inherent anonymity of the internet to avoid getting caught.

Today's malware concentrates not on viral spread (though it is still used sometimes) but on various techniques to get run as Administrator (rooting your computer) or as a kernel-mode driver, or at least to get run as a script in your browser with your privileges, even if those are not Administrator's. A valuable asset to the hacker is to get his malware run automatically when the computer starts (as a service or as an auto-start program).

However, two facts about malware haven't changed since the early days: it has to trick you into running it (programs that come from an unknown or unauthorized source), and it has to get the desired access in order to install the "viral" (malicious) part.

So in principle, what you need to prevent any attack is a software tool that is able to block any access, and to instruct it in advance what to block. Sounds simple?

Today's security software providers concentrate on preventing zero-day attacks. "Zero-day" means that the attack was not previously known, so anti-virus techniques of identifying malware by a piece of its code do not apply. All "zero-day protection" software solutions use access control in some form; however, most vendors prefer to treat you as a dummy who is unable to define the protection of your own computer. The result is automated protection solutions that "sometimes" work and "sometimes" miss attacks or block legitimate activity.

Some security suites provide more or less customizable rule-based access control.

In order to protect your important resources you need a tool that allows you to create rule chains, similar to a firewall in network protection. The difference is that the access source will be a program, and the resource may be a file, a program or a registry entry.

Suppose you want to protect important files that reside in C:\Users\you\My Documents\Important Documents. Say you have a file Customers List.mdb (an MS Access database). Common sense tells you that you need to define two rules:

1) General rule:
ANY program CAN'T access C:\Users\you\My Documents\Important Documents\Customers List.mdb for ANYTHING (read, write, create, delete, rename)

2) Exception rule:
MS Access program CAN access C:\Users\you\My Documents\Important Documents\Customers List.mdb for ANYTHING (read, write, create, delete, rename)

A protection tool that lets you establish these rules can protect your files in the basic case.

Are these rules enough to protect your important file at all times? Well, not completely. You need more rules to protect MS Access itself. If you accidentally install malware and give its installer Administrator privileges, it may "along the way" also "update" MS Access with its own hacked version, which e.g. will send every opened .mdb file to a remote server (in effect stealing it). So you need two more rules:

1) General rule:
ANY program CAN'T access <path_to_MS_Access> for ANYTHING (read, write, create, delete, rename)

2) Exception rule:
MS Access Updater program CAN access <path_to_MS_Access> for ANYTHING (read, write, create, delete, rename)

Now your important file is protected.

What else would you want to protect?

1) Obviously, Windows programs and system files.
2) Probably, you want to control which programs can install something to run at auto-start or as a service. For that you need a security suite with registry protection. A great asset would be security software that allows you to set alert (ask me) rules: if one is hit, it prompts you what to do, keeping the suspicious program suspended in the meantime. As usual, you can create a generic rule and exceptions.
3) You may want to limit programs' ability to create executables, drivers, DLLs and scripts with alert (ask me) rules, for example:

On ANY program's access to *.exe for write, create, delete, rename: ASK ME.

You may also set some programs as trusted, i.e. they are allowed everything, if you know what you are doing.

IMPORTANT: when creating exceptions, be cautious about trusting Windows programs. Many of them can be run by malware and do malicious things on its behalf (like cmd.exe, xcopy.exe etc.).
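To make the rule chains above concrete, here is a small rule-chain evaluator written for this page as an added example; it is not DDACS code and does not describe how DDACS evaluates its rules. It assumes firewall-style first-match semantics (so each exception rule is listed before the general rule it carves out of), "ASK" as a third verdict beside allow and deny, and case-insensitive matching of Windows paths. The document path is the one from the text; the MS Access program and updater paths are placeholders standing in for <path_to_MS_Access>, and the HKLM Run key is used as the standard auto-start location for rule 2 of the list above. The last lines show why the IMPORTANT note matters: once cmd.exe is trusted, a cmd.exe-driven delete of the protected file is allowed.

```python
import fnmatch
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Tuple

# Operations the rule language on this page distinguishes.
ALL_OPS: FrozenSet[str] = frozenset({"read", "write", "create", "delete", "rename"})
MODIFY_OPS: FrozenSet[str] = ALL_OPS - {"read"}

ALLOW, DENY, ASK = "ALLOW", "DENY", "ASK"


@dataclass(frozen=True)
class Rule:
    """One rule: <program> CAN / CAN'T / ASK-ME access <resource> for <ops>."""
    program: str          # glob over the program's full path; "*" means ANY program
    resource: str         # glob over a file path or registry key
    ops: FrozenSet[str]   # operations the rule covers
    action: str           # ALLOW, DENY or ASK

    def matches(self, program: str, resource: str, op: str) -> bool:
        # Windows paths are case-insensitive, so compare lower-cased: otherwise a
        # program touching "CUSTOMERS LIST.MDB" would slip past a rule spelled in lower case.
        return (op in self.ops
                and fnmatch.fnmatchcase(program.lower(), self.program.lower())
                and fnmatch.fnmatchcase(resource.lower(), self.resource.lower()))


class AccessPolicy:
    """Firewall-style rule chain: the first matching rule decides (assumed semantics)."""

    def __init__(self, rules: Iterable[Rule], trusted: Iterable[str] = (),
                 default: str = ALLOW):
        self.rules = list(rules)
        self.trusted = {p.lower() for p in trusted}  # programs "allowed everything"
        self.default = default                       # verdict when no rule matches

    def decide(self, program: str, resource: str, op: str) -> Tuple[str, Optional[Rule]]:
        """Return (verdict, matching rule or None) for one access attempt."""
        if program.lower() in self.trusted:
            return ALLOW, None
        for rule in self.rules:
            if rule.matches(program, resource, op):
                return rule.action, rule
        return self.default, None


# Constructed sample configuration. The program paths are placeholders for this example;
# the page only gives the document path and writes <path_to_MS_Access> for the program.
DOC = r"C:\Users\you\My Documents\Important Documents\Customers List.mdb"
ACCESS_DIR = r"C:\PATH_TO_MS_ACCESS"            # stands in for <path_to_MS_Access>
ACCESS_EXE = ACCESS_DIR + r"\access.exe"        # placeholder MS Access program
UPDATER_EXE = ACCESS_DIR + r"\updater.exe"      # placeholder MS Access updater
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"  # standard auto-start key


def build_policy(trusted: Iterable[str] = ()) -> AccessPolicy:
    """The two rule sets from the page, plus the 'ask me' rules for auto-start and *.exe."""
    rules = [
        # Each exception rule is listed before the general rule it carves out of,
        # because the chain is evaluated first-match.
        Rule(ACCESS_EXE, DOC, ALL_OPS, ALLOW),                   # exception: MS Access CAN
        Rule("*", DOC, ALL_OPS, DENY),                           # general: ANY program CAN'T
        Rule(UPDATER_EXE, ACCESS_DIR + r"\*", ALL_OPS, ALLOW),   # exception: updater CAN
        Rule("*", ACCESS_DIR + r"\*", ALL_OPS, DENY),            # general: ANY program CAN'T
        Rule("*", RUN_KEY + r"\*", MODIFY_OPS, ASK),             # auto-start entries: ASK ME
        Rule("*", "*.exe", MODIFY_OPS, ASK),                     # new/changed executables: ASK ME
    ]
    return AccessPolicy(rules, trusted=trusted)


if __name__ == "__main__":
    policy = build_policy()
    attempts = [  # constructed access attempts
        (ACCESS_EXE, DOC, "read"),
        (r"C:\Windows\notepad.exe", DOC, "read"),
        (r"C:\Temp\installer.exe", ACCESS_EXE, "write"),
        (UPDATER_EXE, ACCESS_EXE, "write"),
        (r"C:\Temp\installer.exe", r"C:\Temp\payload.exe", "create"),
        (r"C:\Temp\installer.exe", RUN_KEY + r"\Updater", "create"),
    ]
    for program, resource, op in attempts:
        verdict, _ = policy.decide(program, resource, op)
        print(f"{verdict:5} {op:6} {program} -> {resource}")
    # Trusting cmd.exe lets anything that drives cmd.exe reach the protected file.
    lax = build_policy(trusted=[r"C:\Windows\System32\cmd.exe"])
    print(lax.decide(r"C:\Windows\System32\cmd.exe", DOC, "delete")[0])  # ALLOW
```

Two design points worth noticing. First, the glob "*" in a resource pattern also crosses directory separators, so the rule on the MS Access folder covers everything beneath it, which is what the page's "for ANYTHING" wants. Second, following the page, the general rule on the MS Access folder denies read as well as write; on a real system you would confirm that the program can still load its own components under such a rule before relying on it, or narrow the general rule to the modifying operations.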

It's a good idea to limit programs' access to the internet. If Notepad.exe attempted to get internet access, that would be suspicious, wouldn't it? (e.g. it was patched or replaced by malware and is now attempting to send your files to the internet). So, using your firewall, you can limit internet access to only the programs you use for that (e.g. Chrome, Internet Explorer, Edge, Opera etc.) and to software updaters. Alert (ask me) rules will also be handy here.

© Daniel Drubin 2020