The choice of protective technologies depends on how widespread the protected technology is, on the kinds of attacks it faces, on the communication medium and on the scale of the network. A change in any of these factors changes both the protection technologies and the way they are used. Let us look at the protective technologies most common in today's digital world.
One of the earliest technologies, and one still in demand on the market (corporate and home users alike), is anti-virus protection, which appeared in the mid-1980s, when the first virus scanners, phages and monitors began to appear. At the dawn of computer networking, antiviruses were already widely used: they detected and removed classic file and boot-sector viruses that spread via floppy disks and BBSs. Such viruses have practically disappeared. Today other classes of malware top the charts: Trojans and worms, which spread not from file to file but from computer to computer. Outbreaks have turned into real epidemics and pandemics, and the damage from them is measured in tens of billions of dollars.
The first antiviruses protected only stand-alone computers; network-wide protection was not even on the agenda, which of course made these products hard to use in the corporate market. Unfortunately, the state of affairs is still far from ideal today, since most antivirus vendors pay little attention to this side of the product and concentrate on replenishing the signature database. The exceptions are a few foreign firms (Trend Micro, Symantec, Sophos, etc.) that also take care of the corporate user.
The late 1980s and early 1990s saw the rapid growth of computer networks. The task of protecting them was solved with firewalls installed between the protected and the untrusted networks. Starting out as simple packet filters, these products have grown into multifunctional complexes that handle many tasks, from traffic filtering and load balancing to bandwidth control and dynamic address management. A VPN module can be built into the firewall to protect traffic transmitted between network segments.
Firewalls developed in exactly the opposite direction from antiviruses: antiviruses evolved from protecting a single machine to protecting entire networks, whereas firewalls went from protecting networks to protecting single machines. For a long time nobody imagined that a firewall could protect anything other than the corporate perimeter. But as more and more personal computers were connected to the Internet, protecting individual hosts became urgent, and personal firewall technology was born; it is still being actively developed. Some vendors went further and offered application firewalls, which protect neither networks nor even individual computers but the programs running on them (for example, Web server software). Notable representatives of this class of products are Check Point Firewall-1 NG with Application Intelligence and Cisco PIX Firewall (corporate firewalls), RealSecure Desktop Protector and Check Point SecureClient (personal firewalls), and Sanctum AppShield (an application firewall).
Authorization and access control
Protecting the perimeter is important, but internal security needs attention too, especially given statistics saying that 51-83% of all computer incidents in companies are caused by their own employees, against whom no firewall will help. Hence the need for authorization and access control systems, which determine who may access which resource and when. These systems are based on the classical access control models (Bell-LaPadula, Clark-Wilson, etc.) developed in the 1970s and 1980s and originally used by the US Department of Defense.
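To make the Bell-LaPadula model concrete, here is a small reference monitor that enforces its three rules: the discretionary ds-property (an ACL entry must exist), the simple security property (no read up) and the *-property (no write down). This is an added example written for this article, not code from any product named in the text; the clearance levels, compartments, subjects ("alice", "bob") and objects are all constructed.

```python
from dataclasses import dataclass

# Linear sensitivity levels; together with compartments they form the BLP security lattice.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """True if this label is at least as high: higher-or-equal level AND a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


class ReferenceMonitor:
    """Mediates every access request and enforces the three BLP rules."""

    def __init__(self):
        self.clearance = {}        # subject -> Label
        self.classification = {}   # object  -> Label
        self.acl = {}              # (subject, object) -> set of permitted modes (the discretionary part)

    def add_subject(self, name, level, *compartments):
        self.clearance[name] = Label(level, frozenset(compartments))

    def add_object(self, name, level, *compartments):
        self.classification[name] = Label(level, frozenset(compartments))

    def grant(self, subject, obj, *modes):
        self.acl.setdefault((subject, obj), set()).update(modes)

    def check(self, subject, obj, mode):
        """Return (allowed, rule) for mode in {'read', 'append', 'write'}.
        'append' is a blind write (write-only); 'write' means read-and-write."""
        s, o = self.clearance[subject], self.classification[obj]
        if mode not in self.acl.get((subject, obj), set()):
            return False, "ds-property: no discretionary permission"
        if mode in ("read", "write") and not s.dominates(o):
            return False, "simple security property: no read up"
        if mode in ("append", "write") and not o.dominates(s):
            return False, "*-property: no write down"
        return True, "allowed"


def build_demo():
    """Constructed population: a SECRET/NATO analyst, a CONFIDENTIAL clerk and three labelled objects."""
    rm = ReferenceMonitor()
    rm.add_subject("alice", "SECRET", "NATO")
    rm.add_subject("bob", "CONFIDENTIAL")
    rm.add_object("plan", "TOP SECRET", "NATO")
    rm.add_object("memo", "CONFIDENTIAL")
    rm.add_object("ops_log", "SECRET", "NATO")
    for obj in ("plan", "memo", "ops_log"):
        rm.grant("alice", obj, "read", "append", "write")
    rm.grant("bob", "ops_log", "read")   # discretionary grant alone is not enough: bob lacks the clearance
    return rm


if __name__ == "__main__":
    rm = build_demo()
    for subject, obj, mode in [("alice", "plan", "read"), ("alice", "plan", "append"),
                               ("alice", "memo", "read"), ("alice", "memo", "write"),
                               ("alice", "ops_log", "write"), ("bob", "ops_log", "read"),
                               ("bob", "memo", "read")]:
        print(subject, mode, obj, "->", rm.check(subject, obj, mode))
```

Note the asymmetry the model is famous for: alice may append to a TOP SECRET plan she cannot read (information flows up), but may not write into a CONFIDENTIAL memo she can read (information would flow down). The mandatory checks run after the discretionary ACL check, so a generous ACL entry never overrides the lattice.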
One branch of this class of technologies is authentication, which compares the user name and password entered by the user with the reference data stored in the security system's database; if they match, access to the corresponding resources is granted (in practice the reference data should be a salted hash of the password rather than the password itself). Apart from the password, other unique elements possessed by the user can serve as authentication information. They fall into three categories, corresponding to three principles: "something I know" (classic password schemes), "something I have" (a Touch Memory token, smart card, eToken key fob, contactless proximity card or SecurID one-time-password card) and "something I am" (a fingerprint, hand geometry, handwriting, voice or retina).
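The following added example combines the first two categories above: "something I know" (a salted, iterated password hash compared in constant time) and "something I have" (an RFC 4226 HOTP code, the counter-based scheme used by hardware OTP tokens). It is illustration code written for this article, not from SecurID, eToken or any other product named in the text; the user, password and token secret are constructed, and the look-ahead window size is an assumption.

```python
import hashlib
import hmac
import secrets
import struct

PBKDF2_ITERATIONS = 600_000   # OWASP's 2023 figure for PBKDF2-HMAC-SHA256
HOTP_LOOKAHEAD = 5            # assumed: how far a token's counter may drift ahead of the server's


def hash_password(password, salt=None):
    """'Something I know': store a salted, iterated hash, never the password itself."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored_digest):
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)   # constant-time comparison


def hotp(secret, counter, digits=6):
    """'Something I have': RFC 4226 HOTP, the algorithm behind counter-based OTP tokens."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                            # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class UserStore:
    def __init__(self):
        self._users = {}

    def enroll(self, name, password, token_secret):
        salt, digest = hash_password(password)
        self._users[name] = {"salt": salt, "hash": digest,
                             "token_secret": token_secret, "counter": 0}

    def login(self, name, password, otp):
        """Both factors must pass; every failure returns the same message so nothing leaks."""
        failure = (False, "bad credentials")
        user = self._users.get(name)
        if user is None:
            hash_password(password, bytes(16))   # spend the same time as a real check (no user enumeration by timing)
            return failure
        if not verify_password(password, user["salt"], user["hash"]):
            return failure
        start = user["counter"]
        for c in range(start, start + HOTP_LOOKAHEAD + 1):   # resynchronise a token that is slightly ahead
            if hmac.compare_digest(hotp(user["token_secret"], c), otp):
                user["counter"] = c + 1   # this and all earlier counters are never accepted again (no replay)
                return True, "ok"
        return failure


if __name__ == "__main__":
    # Constructed user; the token secret is the RFC 4226 test-vector key.
    store = UserStore()
    store.enroll("alice", "correct horse battery staple", b"12345678901234567890")
    code = hotp(b"12345678901234567890", 0)
    print(store.login("alice", "correct horse battery staple", code))   # first use of the code
    print(store.login("alice", "correct horse battery staple", code))   # replayed code is rejected
```

The server-side counter is what turns the token into a real second factor: a code that was observed once cannot be replayed, and a code from before the current counter is rejected even though the HMAC is valid.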
Attack detection and prevention systems
Even with firewalls and antiviruses on the corporate network perimeter, some attacks still get through the barriers. Such attacks are called hybrid attacks, and they include all the recent sensational epidemics: Code Red, Nimda, SQL Slammer, Blaster, MyDoom, etc. Attack (intrusion) detection technology is designed to protect against them. The history of this technology began much earlier, however: in 1980 James Anderson proposed using event logs to detect unauthorized actions, and it took another ten years to move from the analysis of logs to the analysis of network traffic in search of signs of attacks.
Over time the requirements changed: it became necessary not only to detect attacks but to block them before they reach their goal. Intrusion detection systems therefore made a logical step forward (or perhaps sideways, since the classical detect-only systems are still widely used, and no alternative to them has yet been found inside the internal network). The new systems combined the existing technologies and began to pass all network traffic (to protect a segment) or all system calls (to protect a single host) through themselves inline, which lets them block every attack they actually detect. The price is that an inline device adds latency, a false positive now drops legitimate traffic instead of merely raising an alert, and attacks the system does not recognise still pass.
Then history repeated itself: personal systems appeared that protected workstations and laptops, and then personal firewalls, intrusion detection systems and antiviruses logically merged into a single product, which comes close to an ideal solution for protecting a single computer.
It is easier to prevent a fire than to put one out, and the same holds in information security: vulnerabilities should be found and eliminated before attackers discover them. This is the job of security scanners (security analysis systems), which work both at the network level and at the level of an individual host. The first scanner looking for holes in the UNIX operating system was COPS, written by Dan Farmer with Eugene Spafford at Purdue and presented at USENIX in 1990, and the first network scanner was Internet Scanner, created by Christopher Klaus in 1993.
Currently intrusion detection systems and security scanners are gradually being integrated, which makes it possible to take the human largely out of the loop of detecting and blocking attacks and free them for more important work. The integration works in both directions: a scanner that finds a hole instructs the intrusion detection sensor to watch for the corresponding attack, and a sensor that detects an attack commands a scan of the attacked host.
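Here is an added example that shows both ideas from the preceding paragraphs in code: a sensor that runs either as a detect-only IDS or as an inline IPS (same detection, different verdict), and that correlates each alert with security-scanner results, so an attack on a host the scanner found vulnerable is rated high, an attack on a host the scanner found patched is rated low, and an attack on a host never scanned puts that host on the scan queue (the "sensor commands the scanner" direction). It is illustration code written for this article, not from any ISS, Cisco or Symantec product. The packets, hosts, scan results and fan-out threshold are constructed, and the two signatures are illustrative patterns (Slammer's UDP/1434 datagram begins with request type 0x04; Nimda's IIS probes contain the %c0%af traversal), not production rules.

```python
from collections import defaultdict
from dataclasses import dataclass

FANOUT_THRESHOLD = 20   # assumed: distinct targets on one port from one source before we call it worm scanning


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class Signature:
    name: str
    vuln_id: str      # identifier under which the scanner reports the hole this attack exploits
    proto: str
    dport: int
    pattern: bytes


# Illustrative signatures only; real rule sets carry far more context than a byte pattern.
SIGNATURES = (
    Signature("MS-SQL Resolution Service overflow", "MSSQL-SSRS-OVERFLOW", "udp", 1434, b"\x04"),
    Signature("IIS unicode directory traversal", "IIS-UNICODE-TRAVERSAL", "tcp", 80, b"..%c0%af.."),
)


@dataclass(frozen=True)
class Verdict:
    action: str      # "pass", "alert" (IDS mode) or "block" (IPS mode)
    priority: str    # "high", "low", "unknown" or "-"
    reason: str


class Sensor:
    def __init__(self, mode, scan_results):
        assert mode in ("ids", "ips")
        self.mode = mode
        self.scan_results = scan_results   # host -> set of vuln_ids the scanner found; unscanned hosts are absent
        self.scan_requests = []            # hosts the sensor has asked the scanner to assess
        self._fanout = defaultdict(set)    # (src, dport) -> distinct destinations seen

    def _prioritise(self, pkt, vuln_id):
        found = self.scan_results.get(pkt.dst)
        if found is None:
            if pkt.dst not in self.scan_requests:
                self.scan_requests.append(pkt.dst)
            return "unknown", "target never scanned; scan requested"
        if vuln_id in found:
            return "high", "scanner confirmed target is vulnerable"
        return "low", "scanner found target not vulnerable"

    def _react(self, priority, reason):
        # The only difference between IDS and IPS is what the detection leads to.
        return Verdict("block" if self.mode == "ips" else "alert", priority, reason)

    def inspect(self, pkt):
        for sig in SIGNATURES:
            if pkt.proto == sig.proto and pkt.dport == sig.dport and sig.pattern in pkt.payload:
                priority, why = self._prioritise(pkt, sig.vuln_id)
                return self._react(priority, f"{sig.name}: {why}")
        # Anomaly heuristic for worms without a signature: one source touching many hosts on one port.
        seen = self._fanout[(pkt.src, pkt.dport)]
        seen.add(pkt.dst)
        if len(seen) >= FANOUT_THRESHOLD:
            return self._react("high", f"{pkt.src} reached {len(seen)} hosts on {pkt.proto}/{pkt.dport}: worm-like fan-out")
        return Verdict("pass", "-", "")


def run(mode):
    """Feed constructed traffic through a sensor; return its verdicts and the scan requests it raised."""
    scan_results = {"10.0.0.5": {"MSSQL-SSRS-OVERFLOW"},   # scanner found the hole here
                    "10.0.0.6": set()}                     # scanned, nothing found
    sensor = Sensor(mode, scan_results)
    traffic = [
        Packet("198.51.100.9", "10.0.0.5", "udp", 1434, b"\x04" + b"\x01" * 96),   # vulnerable target
        Packet("198.51.100.9", "10.0.0.6", "udp", 1434, b"\x04" + b"\x01" * 96),   # patched target
        Packet("198.51.100.9", "10.0.0.7", "tcp", 80,
               b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"),  # never scanned
        Packet("10.0.0.5", "10.0.0.99", "tcp", 25, b"EHLO mail\r\n"),               # benign
    ]
    # An infected host sweeping a /24 on tcp/445: no signature fires, the fan-out heuristic does.
    traffic += [Packet("10.0.0.5", f"10.0.1.{i}", "tcp", 445) for i in range(FANOUT_THRESHOLD)]
    return [sensor.inspect(p) for p in traffic], sensor.scan_requests


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        verdicts, requests = run(mode)
        print(mode, [v.action for v in verdicts[:4]], "scan requests:", requests)
```

Worth noticing: in IPS mode the "low" priority alert against the patched host is still blocked, because the scanner's verdict is about impact, not about whether the packet is hostile; the correlation changes what the analyst looks at first, not what the inline device drops.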
The market leaders for intrusion detection systems and security scanners are Internet Security Systems, Cisco Systems and Symantec.
Content and anti-spam systems
So we have found means of protection against viruses, worms and Trojans. But what about spam, leaks of confidential information, downloads of unlicensed software, employees' aimless surfing, jokes and online games? The technologies described above can solve these problems only partially, and it is not their task anyway. Here other products come to the fore: e-mail and Web traffic monitoring tools that control all incoming and outgoing correspondence, as well as access to sites and the download (and upload) of files, including video and audio.
This actively developing area in the field of information security is represented by many well-known manufacturers – SurfControl, Clearswift, Cobion, TrendMicro, Jet Infosystems, etc.
Corporate networks also use other protective technologies that are very promising but not yet widespread: PKI, security event correlation systems and systems for centralised management of heterogeneous security tools. These technologies make sense only once firewalls, antiviruses, access control systems and the like are already used effectively, and only a few of the thousands of companies have matured to the point of using correlation technologies, PKI and so on.