After another series of effective cyber-attacks on the state financial systems, I suggest that citizens-users of computer networks protect their information space independently. After all, the protection of drowning people became a matter for the drowning.
So, you have already installed on your computer a legitimate anti-virus application, a personal firewall, an anti-spam module, all the latest updates for the operating system – it would seem that they did everything to reliably protect themselves and their device from potential attacks of cybercriminals. But is it? Or maybe you missed something, and the attacker will easily find a weak spot in your defense? To test this assumption, it is necessary to conduct a pentest of its system, in fact, to analyze the structure of defense from the point of view of a cybercriminal.
Penetration Test or penetration test (briefly – pentest) is an assessment of the possibility of penetration and finding weaknesses in the defense system through which the attacker can actually penetrate. Of course, when it comes to the pentest of a large company with a powerful local network, dozens and hundreds of workstations, servers, routers and switches, this procedure is performed by a whole team of external high-class specialists. To conduct a pentest can be spent a few weeks and even months, and this service is quite expensive.
In the case of using a personal system, it makes no sense to employ external professionals, besides, a certain analogue of the pentest can be done independently. To do this, you only need to have some knowledge and skills. About how to make a pentest own hands and will be discussed in this material.
Entrance through the front door
Despite the fact that operating systems and applications regularly find new vulnerabilities, hacking the system through a “forehead” attack is a non-trivial task. Therefore, attackers much easier to enter into the system, luring all the necessary access information from the user. To do this, attackers use various variations of social engineering. For example, they can send him a letter or SMS allegedly from the bank manager with a request to call the specified phone and confirm their authentication data for Internet banking. Actually, by calling to the specified number, the user does not fall into the call-center of the bank, but directly into the paws of the attackers.
It is also possible to send spam with a malicious attachment, for example, a Trojan, under the guise of some useful program or an Excel or Word file. When you open a file, malware is installed on the system, and sends all the confidential information found to the cyber-fraudsters.
Also popular is the option of sending a URL link to a malicious site through social networks, Facebook or VC. To do this, cyber-criminals can use the hacked account of one of your friends – and if you receive a link from your friend, then, of course, you will open it without any doubt.
In addition, the Internet has a lot of seemingly quite “clean” sites offering listening and downloading music or video. While you are just listening to music on the site, nothing suspicious happens. But when downloading an MP3 file, the site suggests downloading a proprietary bootloader that supposedly significantly speeds up the download of the MP3 track, and, moreover, removes all restrictions on download speed. And here the problems begin. At best, the installed bootloader will be an adware-type program that will constantly display ads without the ability to disconnect. In the worst case, it will be spyware, a spyware utility that collects and sends confidential information to the control center, or even an aggressive Trojan that intercepts the control of the computer and turns it into a bot.
Obviously, it is the user (that is – you) that potentially is the weakest link in the cyber defense system. Therefore, when conducting a pentest “with your own hands,” try as though to evaluate your reaction to receiving various suspicious letters and SMS from strangers and people you know. Has it ever happened that you opened files enclosed in emails sent from suspicious addresses? Do you always unthinkingly accept and open files received from users from your Skype-list or Facebook friends? Do not you notice anything suspicious while doing this? For example, your friend turned to you in English, although this was not seen before, or wrote to you in his native language, but the style of his writing seems strange. For example, he did not say hello to you, and immediately sent a web link with a proposal to open it to see something very unusual and original.
If you receive such messages, do not be lazy to call your friend and ask if he really sent you a message and what’s in the attached file. After all, it is possible that his account was simply hacked and now he sends malicious spam from him.
Do not fully rely on the antivirus – it is possible that the antidote has not yet been added to the signature database and your anti-virus tool simply does not see anything dangerous in the attached file.
So, to insure against all sorts of scams of scammers, including those built on social engineering, it is necessary to adhere to several rules. First, never open attachments in letters received from strangers. Secondly, be wary of the messages received from friends. As mentioned above, their account may have been hacked and this message is not sent by your friends at all. Third, anyone cannot communicate their authorization data for any kind of services, especially when it comes to banking web services.
We check the reliability of password protection
It is recommended to perform a few more actions that will not significantly increase the complexity of the use of technology, but will add another level of protection. First of all, you need to strengthen your password to access e-mail. Email is actually the key to our personal cyberspace. Most online services when registering are attached to your mailbox, a web link is sent to them to recover a lost password or a temporary password. This is especially true if you use Gmail, since this mail service is associated with Google+, YouTube, Google Play, Google Chrome and many other services. In fact, if an attacker breaks your email account, he will gain access not only to your letters, but to tons of other personal confidential information, including access to various web applications. Therefore, it is critical to specify a reliable and password-resistant password. It must contain letters, numbers and special characters, and its length – at least 10 characters.
Most experts say that it is necessary to use a complex and maximally meaningless password, but I argue that this approach is not always optimal. Of course, using the password like “1234512345” is completely unacceptable, but also a variant of the type “xFt%8@mVc!” also not very good, because it is hard to remember. And this ends with the fact that you either write it on the sticker and stick it to the monitor, or put it in the browser’s memory for auto-drive – and then if the mobile gadget is lost or stolen, the cheater will easily gain access to your box. It is more optimal to use cunning and easily remembered combinations of numbers and letters, such as “P9a8r7o6l5$” or “^pA1Ro3L5&”, but instead of the word password, you need to substitute any other word, let’s say your name or patronymic, or the nickname of the dog, and t e.
In addition, many postal services today offer two-factor authentication, for example, every time you enter the mail you enter not only the classic password, but also the SMS that comes to your mobile number. In some cases, it is advisable to use such a service.
Today, the analysis of the safety of mobile devices has become urgent. We are talking about potential security vulnerabilities when using smartphones, tablets, phones, USB-drives, MP3-players and other gadgets.
Therefore, it is extremely important to strengthen passwords for access not only to the laptop, but also to the smartphone. If you still do not block your smartphone with a password or PIN-code – it’s very nonchalant. After all, the risk of losing the phone is much higher than the laptop. And then the fraudster will actually have access to all your personal information, including a bank account. Of course, the most convenient way to unlock a smartphone is to use a fingerprint scanner – such a device already exists in many mobile gadgets. Otherwise, you need to configure an access password or pattern.
Making order in the software
As mentioned above, attackers usually try to enter the system through the “front door” by stealing access passwords in any fraudulent way. And it is possible that you have already fallen for the bait of cyber-fraudsters, having previously downloaded and installed on your computer or gadget any adware or spyware programs, or even malware in its pure form. Therefore, you should put things in order in the installed software, check which applications you use, and remove all unnecessary ones. So, it is possible that you have several utilities for viewing or processing graphics, although you use only one, or several video players that you almost never launch, or there are suspicious game applications.
In addition, it is recommended that you install updates for installed programs, because software updates often contain critical patches that cover security gaps. This process can take a lot of time, but it’s worth it. In addition, in most cases, the update occurs in the background and does not distract from the main job.
Sometimes it makes sense to update the entire operating system at all, unless of course you can afford it. This proposal is especially relevant if you are using an outdated Windows XP that has not been supported by the manufacturer for several years.
Security of Wi-Fi networks and other
The next step of the pentest “with their own hands” is the analysis of network equipment configurations for compliance with safety criteria and recommendations to manufacturers. Using a Wi-Fi network without encryption means that any random person nearby can connect to it, and in the worst case – not only to connect, but also to intercept the signal. Make sure that your modern WiFi network is equipped with modern WPA2 encryption technology, and access to it is protected by a complex password combining numbers and letters. In addition, check and install the latest update for “flashing” the Wi-Fi router, set a complicated administrator password to enter the control panel, then reconnect all of your devices to the wireless network. Important enough point: keep all the passwords somewhere in a secluded place, at least do not put them on the refrigerator.
Also, study your Wi-Fi router. If this is an old noname-device, bought for a share in any supermarket, then it is advisable to replace it with a newer and proprietary device. As a result, you will provide a more powerful signal, faster connection and a higher level of security for all network users.
The above information security audit will take you from several hours to several days, but it will significantly increase the level of protection for your devices. Such ” own hands’ pentest ” should be held regularly, every one to two years.
These procedures will allow all information to be more secure than the state, which is hacked with an enviable regularity.