So How Do I Protect Myself At All Times
Today's threats present real challenges to computer security. Annual surveys, like those published by Gartner, show that more and more security solutions appear, yet threats keep appearing too. Why? Let's try to understand. What are threats?
A threat is the possibility that a "hole" (a vulnerability) in your protection gets exploited to launch an attack. Attacks can target your privacy (stealing your personal information, revealing it to others, impersonating you), your business or other valuable information (credit card numbers, customer lists) and your system (destroying or modifying vital operating system files so that you can't work normally, or using your system to run the hacker's jobs without your knowledge). Attacks can be automated (carried out by a program) or manual (carried out by a human).
Every time you give someone your privileges on your computer, you open a security hole. That someone may be a program that you run "as Administrator", or a human (a friend, a relative) whom you give a seat at your computer while you do other things. There are also anonymous attacks, in which a remote hacker uses software tools (varying from well-known OS tools to specially written programs) to gain all kinds of access to your computer.
How do security solutions combat these attacks?
In the early days of PC security, the concept of a virus was the prominent one. The earliest viruses were research programs (IBM, among others, ran such experiments); a virus used knowledge of the executable format and CPU instructions to inject its "viral" part into an executable file. So a virus actually consisted of a spreading part and a viral (harmful) part. The internet by then existed mostly at universities and big organizations and was mostly unavailable to PC users. The most popular PC operating system was DOS, which was virtually not protected from anything. But downloading software from the internet (and sending information to a remote host) was not an option, and denial-of-service attacks only caused the user to reinstall DOS (which took minutes) and stop using the offending program. The "viral" part could of course seek and destroy important files, but there were many different file formats from different vendors at the time, so that was not viable; besides, a really harmful "viral" part was considered bad form in the hacker community of the day, and virus programming was considered more of an exercise in programming.
Despite that, harmful "viral" parts did appear, and early security companies developed anti-virus solutions. Anti-viruses were programs that detected viruses by a signature (a binary code sequence of the "viral" or "spreading" part). Thus the first virus databases appeared; anti-virus programs used databases of signatures in order to recognize infected programs, and in most cases, when the original program was not modified or destroyed (that would prevent its functionality and make the virus's presence apparent to the user), anti-viruses were able to "bite out" the virus body and recover the original, uninfected software.
Time flowed, and threats evolved. The days when the viral part was as innocent as playing Yankee Doodle on the PC speaker are long gone. Today's hackers don't see producing malware as an exercise in programming; they are much more pragmatic. They seek everything that can be converted into a monetary win, using the inherent anonymity of the internet in order not to get caught.
Today's malware concentrates not on viral spread (though it is still sometimes used) but on different techniques to get run as Administrator (rooting your computer) or as a kernel-mode driver, or at least to get run as a script in your browser with your privileges, even if you are not Administrator. A valuable asset to the hacker is to get his malware run automatically when the computer starts (as a service or as an auto-start program).
However, two facts about malware haven't changed since the early days: it has to trick you into running it (programs that come from an unknown or unauthorized source), and it has to get the desired access in order to install the "viral" (malicious) part.
So in principle, what you need to prevent any attack is a software tool that is able to block any access, and to instruct it in advance what to block. Sounds simple?
Today's security software providers concentrate on preventing zero-day attacks. "Zero-day" means the attack is not previously known, so the anti-virus technique of identifying malware by a part of its code is not applicable. All "zero-day protection" solutions use access control in some form; however, most vendors prefer to consider you a dummy who is not able to define the protection of your own computer. The result is automated protection solutions that "sometimes" work and "sometimes" miss attacks or block legitimate activity.
Some security suites provide more or less customizable rule-based access control.
In order to protect your important resources you need a tool that allows you to create rule chains, similar to a firewall in network protection. The difference is that the access source will be a program, and the resource may be a file, a program or a registry entry.
Suppose that you want to protect important files that reside in C:\Users\you\My Documents\Important Documents. Say you have a file Customers List.mdb (an MS Access database). Common sense tells you that you need to define two rules:
1) General rule:
ANY program CAN'T access C:\Users\you\My Documents\Important Documents\Customers List.mdb for ANYTHING (read, write, create, delete, rename)
2) Exception rule:
MS Access CAN access C:\Users\you\My Documents\Important Documents\Customers List.mdb for ANYTHING (read, write, create, delete, rename)
A protection tool that allows you to establish these rules can basically protect your files. Mind the order in which your tool evaluates the chain: if the first matching rule wins (as in most firewalls), the exception must be placed before the general rule, otherwise the general rule also locks out MS Access. Test the chain once with MS Access and once with some other program before relying on it.
Are these rules enough to protect your important file at all times?
Well, not completely. You need more rules to protect MS Access itself. If you accidentally install malware and give its installer Administrator privileges, it may "along the way" also "update" MS Access with its own hacked version, which e.g. will send every opened .mdb file to a remote host (actually stealing it). So you need two more rules:
1) General rule:
ANY program CAN'T access <path_to_MS_Access> for ANYTHING (read, write, create, delete, rename)
2) Exception rule:
MS Access Updater program CAN access <path_to_MS_Access> for ANYTHING (read, write, create, delete, rename)
Now your important file is protected. Two caveats: if your tool counts loading the executable as a read access, the general rule must leave read open or nothing will be able to start MS Access at all; and the rules only hold if the protection tool enforces them against processes running as Administrator and protects its own files and configuration, otherwise an installer with Administrator privileges can simply switch it off.
What else would you want to protect?
1) Apparently, Windows programs and system files.
2) Probably, you want to control which programs can install something to run at auto-start or as a service. For that you need a security suite with registry protection. A great asset would be security software that allows you to set alert ("ask me") rules: if they are hit, it prompts you what to do, keeping the suspicious program suspended meanwhile. As usual, you can create a generic rule and exceptions.
3) You may want to limit programs' ability to create executables, drivers, DLLs and scripts with alert ("ask me") rules, e.g.:
On ANY program's access to *.exe for write, create, delete, rename: ASK ME.
You may also set some programs as trusted, i.e. they are allowed everything, if you know what you are doing.
IMPORTANT: when creating exceptions, be cautious about trusting Windows programs. Many of them can be run by malware to do malicious things on its behalf (cmd.exe, xcopy.exe, etc.).
It's a good idea to limit programs' access to the internet. If Notepad.exe attempts to get internet access, it would be suspicious, wouldn't it? (E.g. it was patched or replaced by malware and is now attempting to send your files out to the internet.) So, using your firewall, you can limit internet access to only the programs that you use for that (e.g. Chrome, Internet Explorer, Edge, Opera etc.) and to software updaters. Alert ("ask me") rules will also be handy here.
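Here is an added example, not the article's own code and not any vendor's product, that models the whole rule chain discussed above as a small Python evaluator: the two Customers List.mdb rules, the two rules protecting MS Access itself, the auto-start and service registry "ask me" rules, the executable/driver/DLL/script "ask me" rules, and the per-program internet rules. The MS Access, updater and browser paths are placeholders (the article only gives <path_to_MS_Access>), the registry keys are the standard Run and Services keys, and the evaluation order (first match wins, as in a typical firewall) is an assumption the code makes explicit so that the ordering trap can be tested.

```python
"""Rule-chain evaluator for per-program access control (file, registry, network).

Added example for the rules described in the article above. It is not the
article's own code nor any vendor's product; the rule model, the placeholder
paths and the "first match wins" evaluation order are assumptions.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

ALLOW, DENY, ASK = "allow", "deny", "ask"
FILE_OPS = frozenset({"read", "write", "create", "delete", "rename"})
MODIFY_OPS = FILE_OPS - {"read"}           # everything that changes a resource
NET_OPS = frozenset({"connect"})


@dataclass(frozen=True)
class Rule:
    program: str        # glob on the accessing program's full path; "*" = any
    resource: str       # glob on a file path, a registry key, or "net:*"
    ops: frozenset      # operations this rule covers
    action: str         # ALLOW, DENY or ASK (suspend the program, prompt the user)

    def matches(self, program: str, resource: str, op: str) -> bool:
        # Windows names are case-insensitive, so compare lower-cased text.
        return (op in self.ops
                and fnmatchcase(program.lower(), self.program.lower())
                and fnmatchcase(resource.lower(), self.resource.lower()))


def decide(chain, program, resource, op, trusted=()):
    """Return (action, matched_rule). Like a firewall chain, the FIRST matching
    rule wins, so an exception must precede the generic rule it narrows.
    Trusted programs skip the chain; resources no rule names stay open."""
    if any(fnmatchcase(program.lower(), t.lower()) for t in trusted):
        return ALLOW, None
    for rule in chain:
        if rule.matches(program, resource, op):
            return rule.action, rule
    return ALLOW, None


# --- The article's scenario; all paths below except DOCS are placeholders.
DOCS = r"C:\Users\you\My Documents\Important Documents"
CUSTOMERS = DOCS + r"\Customers List.mdb"
OFFICE = r"C:\Program Files\MS Office"             # stands in for <path_to_MS_Access>
MSACCESS = OFFICE + r"\MSACCESS.EXE"
UPDATER = OFFICE + r"\OfficeUpdater.exe"           # assumed updater program
BROWSER = r"C:\Program Files\Browser\browser.exe"  # assumed browser
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\*"
SERVICES_KEY = r"HKLM\System\CurrentControlSet\Services\*"

CHAIN = [
    # Customers List.mdb: the exception first, then the generic deny.
    Rule(MSACCESS, CUSTOMERS, FILE_OPS, ALLOW),
    Rule("*", CUSTOMERS, FILE_OPS, DENY),
    # MS Access itself: only the updater may change it. Read stays open
    # because the loader has to read MSACCESS.EXE to start it at all.
    Rule(UPDATER, OFFICE + r"\*", FILE_OPS, ALLOW),
    Rule("*", OFFICE + r"\*", MODIFY_OPS, DENY),
    # Auto-start locations: suspend and ask before anything gets registered.
    Rule("*", RUN_KEY, MODIFY_OPS, ASK),
    Rule("*", SERVICES_KEY, MODIFY_OPS, ASK),
    # New or changed executables, drivers, DLLs and scripts: ask.
    Rule("*", "*.exe", MODIFY_OPS, ASK),
    Rule("*", "*.sys", MODIFY_OPS, ASK),
    Rule("*", "*.dll", MODIFY_OPS, ASK),
    Rule("*", "*.ps1", MODIFY_OPS, ASK),
    # Internet: browser and updater only; everything else asks.
    Rule(BROWSER, "net:*", NET_OPS, ALLOW),
    Rule(UPDATER, "net:*", NET_OPS, ALLOW),
    Rule("*", "net:*", NET_OPS, ASK),
]


def scenario(chain=CHAIN, trusted=()):
    """Evaluate the accesses discussed in the article; returns {label: action}."""
    notepad = r"C:\Windows\System32\notepad.exe"
    cmd = r"C:\Windows\System32\cmd.exe"
    installer = r"C:\Users\you\Downloads\setup.exe"   # constructed malware sample
    cases = {
        "access_opens_customers": (MSACCESS, CUSTOMERS, "read"),
        "notepad_reads_customers": (notepad, CUSTOMERS, "read"),
        "cmd_deletes_customers": (cmd, CUSTOMERS, "delete"),
        "installer_patches_access": (installer, MSACCESS, "write"),
        "updater_patches_access": (UPDATER, MSACCESS, "write"),
        "installer_adds_autostart": (installer, RUN_KEY[:-1] + "Updater", "create"),
        "installer_drops_driver": (installer, r"C:\Windows\System32\drivers\x.sys", "create"),
        "notepad_connects_out": (notepad, "net:203.0.113.5:443", "connect"),
        "browser_connects_out": (BROWSER, "net:203.0.113.5:443", "connect"),
    }
    return {label: decide(chain, *access, trusted=trusted)[0]
            for label, access in cases.items()}


# Same rules with the generic deny placed BEFORE its exception: the article's
# "1) general, 2) exception" numbering is not a safe evaluation order.
MISORDERED = [CHAIN[1], CHAIN[0]] + CHAIN[2:]

if __name__ == "__main__":
    for label, action in scenario().items():
        print(f"{label:28s} -> {action}")
    print("misordered chain, MS Access opens customers ->",
          scenario(MISORDERED)["access_opens_customers"])
```

Two design choices are worth noting. The generic rule for the MS Access folder leaves read open, unlike the article's wording, because in this model the loader's read of MSACCESS.EXE would otherwise be denied too; restrict read only if your tool exempts program loading. And `decide()` takes a `trusted` list so you can see why the article warns against trusting Windows programs: passing `C:\Windows\System32\*` as trusted lets cmd.exe delete Customers List.mdb straight past the chain.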