Daily reports of hacker attacks, increasingly also on small and medium-sized companies, call for more detailed information for CEOs and CIOs.
In general, one has to differentiate between a hacker attack and a failure to protect the company. Since it can be assumed that 90% of companies are poorly protected or not protected at all, or do not understand the underlying problem in detail, around 95% of the incidents can probably be attributed to failed protection rather than to sophisticated attacks.
To understand the problem, you have to know that attackers generally want to penetrate the company's network, i.e. to gain access to the network and to the data on servers and PCs via a system inside the LAN. After a successful penetration, further actions follow, such as extracting or encrypting data, or attacking other companies. Networks of compromised systems used for such actions are called bot networks (botnets). The systems infected with a Trojan then carry out various actions on the command of a master, with the additional disadvantage that it is your company's IP address that is revealed to the attacked party, so you are involved in criminal activity as the apparent perpetrator.
And it can affect any company, because hackers and criminals use the same methods everywhere to penetrate computer networks, without knowing who an IP address belongs to.
Main attacks through e-mail attachments and internet downloads
Since the human factor plays a major role, the mass of intruders try their luck via e-mail and internet downloads. Spammers have huge databases of e-mail addresses, which are extremely useful for this type of attack. Masses of e-mails to the entries in these databases are sent via already existing botnets, and which networks the attackers manage to enter is pure coincidence for them.
Unfortunately, there are still many companies that do not block proprietary file attachments in their e-mail systems and thus enable an easy attack. In times like these, it is necessary to block all attachments except PDF and JPG, and to transfer other attachments via encrypted and more verifiable channels. PDF is not harmless either, since a crafted document can attack the PDF reader itself, so the readers on the workstations must be kept up to date and should not execute JavaScript embedded in documents.
Now, so as not to give the impression that I am paranoid, a brief explanation to understand the problem.
The senders of the e-mails not only use botnets for sending, they also have huge contact databases. Many people open their address books and contacts to any app on their smartphone and thus transmit their entire contact network to strangers on the Internet. That is another way they collect data.
This makes it possible for the senders to forge the sender address of the e-mail, so that it appears to you as if the e-mail comes from a known contact. Combined with the problem that attachments are not blocked, the chance that a user will click on the attachment increases dramatically, and it is not a question of whether you are affected, only when. Your MailWall should therefore also check SPF, DKIM and DMARC on incoming mail; that catches many e-mails that simply forge your own or a partner's domain, but not those sent from a look-alike domain or from a compromised real account, which is why blocking attachments remains necessary.
Blocking attachments and shifting data exchange to controlled channels (e.g. ownCloud, Nextcloud, etc.) solves 99% of the problem, because only your real contacts know the link for the data exchange, and all mass e-mails with malicious attachments are blocked in your MailWall, which sits in front of the mail server. MailWall and mail server should be operated on in-house servers, so that no third party can access the unencrypted e-mails stored on the server and no metadata is collected elsewhere. In addition, you then have much better access to the blocking logic and the log files. The remaining risk is that one of your real contacts catches a Trojan, which then finds the links by reading out the contact's data and tries to distribute malware by this route. With a good password policy and an additional check of the uploads, this risk can be limited very well, and with this measure alone the attack surface is massively reduced.
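As an added example (not code from the article or from any MailWall product), the following Python script implements the attachment rule described above: it parses a message, allows only PDF and JPG attachments, and does not trust the file name or the declared Content-Type alone but compares the first bytes of each part with the format's magic number, so a renamed executable is rejected even when it is called "invoice.pdf". The policy table, the addresses and the sample messages are constructed for the example.

```python
"""Attachment policy of a MailWall: allow only PDF and JPG, and verify that the
content really is PDF or JPG. Added example, not code from the article."""
import email
from email import policy
from email.message import EmailMessage

# Hypothetical policy table: allowed extension -> magic numbers the data must start with.
ALLOWED_MAGIC = {
    "pdf": (b"%PDF-",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}


def check_attachment(filename, data):
    """Return (ok, reason) for one attachment.

    The extension is taken from the LAST dot, so 'scan.jpg.exe' is 'exe' and is
    rejected; a renamed executable 'invoice.pdf' passes the extension test but
    fails the magic-number test, because its bytes start with 'MZ', not '%PDF-'.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_MAGIC:
        return False, f"{filename}: extension '{ext}' is not allowed"
    if not data.startswith(ALLOWED_MAGIC[ext]):
        return False, f"{filename}: content does not look like {ext.upper()}"
    return True, f"{filename}: allowed"


def check_message(raw):
    """Decide for a whole raw RFC 5322 message (bytes). Returns (accept, reasons).

    One bad attachment rejects the whole message; the text body is not an
    attachment and is not examined here.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons, accept = [], True
    for part in msg.iter_attachments():
        name = part.get_filename() or ""          # unnamed parts fail the extension test
        payload = part.get_payload(decode=True) or b""
        ok, why = check_attachment(name, payload)
        reasons.append(why)
        accept = accept and ok
    return accept, reasons


def build_sample(attachments):
    """Construct a test message (constructed sample data, not a captured mail)."""
    msg = EmailMessage()
    msg["From"] = "boss@company.example"
    msg["To"] = "user@company.example"
    msg["Subject"] = "Info from the boss"
    msg.set_content("Please see the attachment.")
    for name, maintype, subtype, data in attachments:
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return msg.as_bytes()


# Constructed samples: a clean PDF, an executable renamed to .pdf, a double
# extension, a macro-enabled Office document, and a mixed message.
SAMPLE_CLEAN = build_sample([("report.pdf", "application", "pdf", b"%PDF-1.7\n%\xe2\xe3\n")])
SAMPLE_RENAMED_EXE = build_sample([("invoice.pdf", "application", "pdf", b"MZ\x90\x00\x03\x00")])
SAMPLE_DOUBLE_EXT = build_sample([("scan.jpg.exe", "application", "octet-stream", b"MZ\x90\x00")])
SAMPLE_MACRO_DOC = build_sample([("offer.docm", "application", "octet-stream", b"PK\x03\x04")])
SAMPLE_MIXED = build_sample([("photo.jpg", "image", "jpeg", b"\xff\xd8\xff\xe0JFIF"),
                             ("setup.exe", "application", "octet-stream", b"MZ")])

if __name__ == "__main__":
    for label, raw in [("clean", SAMPLE_CLEAN), ("renamed exe", SAMPLE_RENAMED_EXE),
                       ("double ext", SAMPLE_DOUBLE_EXT), ("macro doc", SAMPLE_MACRO_DOC),
                       ("mixed", SAMPLE_MIXED)]:
        accept, reasons = check_message(raw)
        print(f"{label:12s} -> {'ACCEPT' if accept else 'REJECT'}  {reasons}")
```

In a real MailWall the rejected message would be quarantined and logged rather than silently dropped, so that the log files the article recommends keeping in-house show who sent what.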
Mail to Internet
Unfortunately, the malicious software can also be downloaded over the Internet. Two things come into play here:
Since many users use HTML e-mails instead of plain-text e-mails, without even understanding that an HTML e-mail looks different on every system and e-mail program, there is a really simple trick to fool users.
If the attacker wants the user to click the link http://igotyou.com, it would look like this in a text e-mail and be recognizable by everyone:
Here is the info from the boss http://igotyou.com. Please click on it.
In an HTML e-mail, the attacker can easily disguise this:
Here is the info from the boss <a href="http://igotyou.com">http://company.com/bossinfo</a>. Please click on it.
The user sees in the mail:
Here is the info from the boss http://company.com/bossinfo. Please click on it.
And when the user clicks on it, he lands directly on http://igotyou.com, with a high probability of being infected with malware.
That is the reason why you should switch to text e-mails in your company, and your MailWall should convert incoming HTML e-mails into text e-mails. The conversion must write the real link target next to the link text, otherwise the disguise simply disappears together with the evidence. Nobody needs HTML e-mails, especially since they look different on every e-mail program and many recipients with a secure setup carry out an HTML-to-text conversion anyway. After that, a lot of HTML e-mails look bad, while professional e-mails are just plain text.
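As an added example (not code from the article or from any MailWall product), the following Python script shows the HTML-to-text conversion that exposes the trick above: every link is rewritten as "visible text <real target>", and a link whose visible text looks like a URL but points to a different host is reported as disguised. The sample mails are constructed from the article's own example.

```python
"""Convert HTML mail to plain text while exposing the real link targets.
Added example, not code from the article or from any MailWall product."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


def host_of(url):
    """Host of a URL as a user would read it; 'www.' is ignored so that
    www.company.com and company.com count as the same site."""
    if url.lower().startswith("www."):
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def looks_like_url(text):
    return text.lower().startswith(("http://", "https://", "www."))


class LinkExposingTextifier(HTMLParser):
    """Rewrite each <a href=X>Y</a> as 'Y <X>' so the real target is visible.

    When the visible text Y itself looks like a URL but names a different host
    than X, the pair (Y, X) is recorded as a disguised link."""

    BLOCK_TAGS = ("p", "div", "tr", "li", "h1", "h2", "h3")

    def __init__(self):
        super().__init__()
        self.out = []
        self.href = None          # target of the <a> we are currently inside
        self.link_text = []
        self.mismatches = []
        self.skip = False         # inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip = True
        elif tag == "a":
            self.href = dict(attrs).get("href")
            self.link_text = []
        elif tag == "br" or tag in self.BLOCK_TAGS:
            self.out.append("\n")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = False
        elif tag == "a" and self.href is not None:
            shown = " ".join("".join(self.link_text).split())
            self.out.append(f"{shown} <{self.href}>")
            if looks_like_url(shown) and host_of(shown) != host_of(self.href):
                self.mismatches.append((shown, self.href))
            self.href = None
        elif tag in self.BLOCK_TAGS:
            self.out.append("\n")

    def handle_data(self, data):
        if self.skip:
            return
        if self.href is not None:
            self.link_text.append(data)
        else:
            self.out.append(data)


def html_to_text(html):
    """Return (plain_text, disguised_links) for an HTML mail body."""
    p = LinkExposingTextifier()
    p.feed(html)
    p.close()
    lines = (" ".join(line.split()) for line in "".join(p.out).splitlines())
    return "\n".join(line for line in lines if line), p.mismatches


# Constructed sample: the disguised link from the article's example.
DISGUISED_MAIL = ('<p>Here is the info from the boss '
                  '<a href="http://igotyou.com">http://company.com/bossinfo</a>. '
                  'Please click on it.</p>')
# Constructed honest counterpart: link text and target agree.
HONEST_MAIL = ('<p>Here is the info from the boss '
               '<a href="http://company.com/bossinfo">http://company.com/bossinfo</a>.</p>')

if __name__ == "__main__":
    for raw in (DISGUISED_MAIL, HONEST_MAIL):
        text, bad = html_to_text(raw)
        print(text)
        print("disguised links:", bad)
```

The converted text is what the user gets to see, so even a link with neutral text such as "click here" carries its real target in angle brackets; the mismatch list is what the MailWall can use to quarantine the mail or to mark its subject.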
When a link is clicked, it is important that users do not have direct access to the Internet. The firewall should block all users, and access to the Internet should only be possible through a proxy server. Proxies such as Squid make it possible to block downloads and thus dramatically reduce the risk of malicious software.
On the proxy, too, only PDF, JPG and PNG are allowed, and everything else is blocked.
With this setup alone, which can be implemented in-house with open source software, i.e. without license costs, you have reduced the attack surface by 70%-95%, depending on the structure of your IT.
Gateway and technically faulty IT installations
After discussing the problem of e-mail and the Internet above, we now turn to the IT setup and the problems that often arise there. This chapter is certainly more technical, but I will try to keep the explanation easy to understand.
To understand the firewall and setup problem, you have to know that a computer has up to 65535 TCP ports and 65535 UDP ports, and that each of them can be reached via IPv4 and via IPv6. Imagine that your house (computer) stands on two streets, TCP and UDP, with theoretically 65535 doors on each street, and that each street has two approaches (IPv4 and IPv6), which both have to be guarded. The doors on the TCP street are threatened by people who try the handle, since a connection must be set up first; the doors on the UDP street are also threatened by excavators, because UDP has no connection setup and anyone can throw packets at a door without being let in first.
If you read or hear that there were tens of thousands of attacks per day, 99.9% of this results from the fact that the attackers now have so many botnets that so-called scanners are constantly searching the Internet for open doors. If an open door is found, another bot starts up and tries to break in through it. This means that it does not matter who you are, because the scanners run over all house numbers (IP addresses) on the Internet without knowing who you are. If one of your front doors is open or easy to open, you are lost.
In addition, the installation in your house must be divided into fire compartments (network separation). That means internal servers are in their own network (fire compartment), separated from the PC network by a firewall that only lets the necessary services through. Networks can be very complex; in general, secure everything internally with firewalls and network separation, give admin workstations static IP addresses and special permissions in the firewall, but never leave "everything open".
In addition, WLANs, storage systems and the like should always be separated, and devices that were connected to the Internet outside the company should never be connected to the internal network again. For them, set up a separate WiFi network and transfer data e.g. via ownCloud. Never grant such a notebook access to the LAN again. Otherwise no firewall protects you, and a device possibly infected with a Trojan attacks all reachable devices in order to spread the malware further or to encrypt the network.
It should also be noted that telephone systems, building controls and other PLC systems are mostly small Linux or Windows computers, often with outdated operating systems that never receive updates. The reported break-in into a casino via the controller of an aquarium shows that these devices are extremely dangerous, because the companies are not even aware that they are computers.
- Separate networks with firewalls; never "open everything", but "close everything" and only open the required ports (front doors), restricted to IP addresses.
- Never connect devices directly to the Internet and do not make any ports publicly accessible from outside, not even via port forwarding.
- Restrict all access to services (ports) to specific IP addresses; never make them publicly reachable.
- Only Internet servers, e.g. web servers, shops, MailWalls and the like, which sit in the DMZ network (fire compartment), are publicly accessible on the required ports.
- All external access (IT maintenance, external support) must be done from a static IP via VPN. Every professional supporter has a static IP; those who do not simply want to save the cost of a business Internet account and work with a cheaper private account. Do not accept that, because these people endanger your IT by making access public instead of restricting it to their IP address. When a supporter is on the road, he must first connect to his own office via VPN and then to you from his static IP. Everything else puts you at extreme risk, and all excuses about static IP addresses are a waste of time. The rule is: if access is restricted to his IP, attackers cannot attack the password because the front door cannot be reached at all; every attempt and every scanner fails at the outset or does not even see the door.
- Connect home-office workstations only via VPN (OpenVPN, IPsec) and define restrictive firewall rules for the VPN. It is best to work with a Windows or Linux RDP terminal server and not to allow direct access to the LAN through the VPN. With RDP you only need front door 3389.
- No access to the Internet for PCs and servers without a proxy. Servers themselves should not have any access to the Internet. Updates go via local update servers, à la WSUS for Windows environments.
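As an added example that is not from the article, the following nftables ruleset puts the list above into practice for a small firewall with four segments (Internet, DMZ, servers, PCs) and an OpenVPN endpoint. Interface names, addresses, the placement of services and the support company's static IP are assumptions made for this example; the documentation ranges 192.0.2.0/24 and 203.0.113.0/24 stand in for real public addresses.

```nft
# Segmented network with a default-drop policy, as an nftables ruleset.
# All names and addresses are assumptions made for this example:
#   wan0  Internet uplink, public address 192.0.2.10
#   dmz0  10.0.3.0/24  DMZ: MailWall 10.0.3.10, web server 10.0.3.20
#   srv0  10.0.2.0/24  servers: proxy + resolver 10.0.2.10, mail server 10.0.2.20,
#                      file server 10.0.2.30, RDP terminal server 10.0.2.40
#   lan0  10.0.1.0/24  PCs; the admin workstation has the static IP 10.0.1.5
#   tun0  10.0.9.0/24  OpenVPN clients (home office, external support)
#   203.0.113.7        static IP of the external support company

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # OpenVPN terminates on the firewall and is reachable only from the known
        # static IP; a scanner coming from any other address never sees this door
        iifname "wan0" ip saddr { 203.0.113.7 } udp dport 1194 accept
        # Firewall administration only from the admin workstation
        iifname "lan0" ip saddr 10.0.1.5 tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the published services, nothing else
        iifname "wan0" oifname "dmz0" ip daddr 10.0.3.10 tcp dport 25 accept
        iifname "wan0" oifname "dmz0" ip daddr 10.0.3.20 tcp dport { 80, 443 } accept

        # DMZ -> servers: the MailWall hands filtered mail to the internal mail server
        iifname "dmz0" oifname "srv0" ip saddr 10.0.3.10 ip daddr 10.0.2.20 tcp dport 25 accept

        # -> Internet: only the proxy and the MailWall; PCs and other servers never
        iifname "srv0" oifname "wan0" ip saddr 10.0.2.10 tcp dport { 80, 443 } accept
        iifname "srv0" oifname "wan0" ip saddr 10.0.2.10 udp dport 53 accept
        iifname "dmz0" oifname "wan0" ip saddr 10.0.3.10 tcp dport 25 accept
        iifname "dmz0" oifname "wan0" ip saddr 10.0.3.10 udp dport 53 accept

        # PCs -> servers: web only via the proxy, DNS via the resolver, mail via the
        # mail server, files via the file server, and the RDP terminal server
        iifname "lan0" oifname "srv0" ip daddr 10.0.2.10 tcp dport 3128 accept
        iifname "lan0" oifname "srv0" ip daddr 10.0.2.10 udp dport 53 accept
        iifname "lan0" oifname "srv0" ip daddr 10.0.2.20 tcp dport { 143, 587 } accept
        iifname "lan0" oifname "srv0" ip daddr 10.0.2.30 tcp dport 445 accept
        iifname "lan0" oifname "srv0" ip daddr 10.0.2.40 tcp dport 3389 accept

        # Admin workstation only: SSH into the server and DMZ segments
        iifname "lan0" ip saddr 10.0.1.5 oifname { "srv0", "dmz0" } tcp dport 22 accept

        # VPN users (home office, support) reach only the terminal server, front door 3389
        iifname "tun0" oifname "srv0" ip daddr 10.0.2.40 tcp dport 3389 accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # The only two doors on the public address, both leading into the DMZ
        iifname "wan0" tcp dport 25 dnat to 10.0.3.10
        iifname "wan0" tcp dport { 80, 443 } dnat to 10.0.3.20
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wan0" masquerade
    }
}
```

Check the file with `nft -c -f firewall.nft` before loading it with `nft -f firewall.nft`. The important property is the two `policy drop` lines: anything not listed, including any port forwarding a vendor asks for, stays closed, the PCs can only reach the Internet through the proxy, and the VPN door is invisible to every address except the support company's static IP. A local update server in the server segment would fetch its updates through the proxy on 10.0.2.10, which does not cross the firewall and therefore needs no extra rule.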
If you also observe these basic rules, you have reduced your attack surface further, and with this setup you are already very safe.
Hybrid IT landscape
A quick recovery should now be ensured for the case that the remaining 1-2% probability occurs. You achieve this best with the following basic rules:
- Virtualize all services with Proxmox or VMware.
- Save snapshot backups via a network interface to which the VMs have no access. This protects the backup in the event of an infection in the networks on the other network cards.
- Build hybrid networks, e.g. a backup NAS for snapshot backups with Unix, file servers with Unix or Linux, terminal servers with Windows, workplaces ideally as pure terminals of RDP terminal servers, etc.
- Make sure that nobody has access to the backup, and store backups outside your office.
Of course, every company has to be examined individually, and a corresponding IT concept that offers the greatest possible protection against attackers has to be worked out, but with the corresponding will to innovate and to increase security it is possible in every company, usually without any license costs, to build extremely good protection.
Do not let people who only know one environment, often poorly, persuade you otherwise. Future security, innovation and the trend are:
- In-house self-hosting
- Use of Linux and open source software to increase security and save license costs
- Decentralization of communication
- Data protection and sovereignty over your own data without access by strangers on the Internet
- Abandonment of data storage on servers belonging to strangers on the Internet (aka cloud)
We are happy to discuss all topics within the framework of our project in the Matrix! Recruiters and headhunters can contact Karl directly with their questions via Element/Matrix at @karl:matrix.ctseuro.com.
Alternatively, emails can be sent to email@example.com.
EURAFRI public room in the matrix
We look forward to an active participation in the EURAFRI project and also ask you to visit the EURAFRI reception in the Matrix.
your EURAFRI TEAM
Author: Karl M. Joch
Permission to publish the article on EURAFRI.com @20210713