Rating of programs to protect your computer. Protecting personal computers with Windows OneCare Live

Unlike the protection and maintenance of corporate networks, the protection and maintenance of computers belonging to home users and small businesses seems to be a simple task, but only at first glance. The problem is that next to the home user (as well as next to the user of the only computer of a small company) there is usually neither a system administrator nor an information security specialist. Their functions have to be performed by the user himself, who in the general case is neither one nor the other, and it is good if he is at least aware of the need to protect and maintain his computer.
Naturally, this situation implies certain requirements for products and services designed to protect and maintain personal computers. Such products should have a simple interface that does not overload the user with unnecessary details and questions, the answers to which he does not know, convenient (preferably automatic) means of updating themselves, combine many different functions (for example, not just an antivirus, but an antivirus plus antispyware plus anti-phishing and anti-spam tools…), remind the user that it is time to take certain actions (for example, perform a virus scan of disks), perform certain procedures without the user noticing (for example, perform online anti-virus scanning of incoming e-mail messages, opened documents and installed applications).

More recently, Symantec, McAfee, and Trend Micro have led the end-user security market. However, despite the rather convenient interfaces of the individual protection products of the listed companies, according to Microsoft, about 70% of users either do not use anti-virus programs at all or update anti-virus databases very rarely. According to Microsoft representatives, it is for such users that the new service, which will be discussed in this article, will be intended. According to Bill Gates at the RSA Conference 2006 in February, this service is being developed primarily to improve computer security in general, and not to solve individual problems in this area.

The corporation's plans to release a personal anti-virus product and organize a corresponding service have been discussed since its purchase of the Romanian anti-virus company GeCAD in June 2003. This year they are planned to be implemented: Microsoft intends to enter the personal protective equipment market this summer with its paid personal computer maintenance service, OneCare Live, available by subscription.

According to employees of the corporation, the OneCare Live service will be put into operation in June. The subscription will cost about $50 per year (with a discount of up to $20 for the first year for beta testers), and up to three PCs will be serviced for this fee. OneCare Live is currently available for beta testing to owners of the English version of Windows XP with SP2 installed. A beta version of Windows OneCare is available at http://www.windowsonecare.com.

Below we will look at the main features of this product. Please note that this article describes a beta version, so there may be some changes to the functionality of the Windows OneCare app and OneCare Live service before the final launch of OneCare Live.

Key Features

Like most personal Microsoft products, Windows OneCare is positioned as an easy-to-use yet feature-packed product for those Windows XP SP2 users who don't have time to set up security and take care of their computer on a daily basis. This product integrates with the Windows Security Center in Windows XP and allows you to perform antivirus protection, hard disk defragmentation, data backup and recovery using CD or DVD media, and personal firewall management. OneCare users can also use the Windows Defender anti-spyware app.

The user interface of Windows OneCare is extremely simple: there is an icon in the system tray of the taskbar, the color of which (green, yellow, or red) indicates how urgently some measures should be taken to improve the security of the computer (Fig. 1).

Clicking on the icon brings up the main window of the application, allowing the user to determine what actions need to be taken and, if desired, initiate their execution (Fig. 2).

Fig. 2. The main window of the Windows OneCare application

If necessary, you can perform several actions in turn: anti-virus scanning, deleting unnecessary files, defragmentation.

Antivirus

Antivirus is one of the most important components of Windows OneCare. It allows you to scan memory and disks and constantly monitor the system for viruses.

The anti-virus scanner is launched by clicking on the Scan for Viruses link in the main application window, after which you need to select the drive or folder that you want to scan. The anti-virus scan process is carried out automatically, and infected objects found are automatically quarantined (Fig. 3).

The antivirus settings allow you to enable or disable constant anti-virus monitoring of the system, configure the list of anti-virus exclusions, and manage the contents of the quarantine (Fig. 4).

Note that at the moment, independent tests of the effectiveness of this antivirus and of the speed with which the OneCare service itself responds to new threats are not available, so it is not yet possible to compare it with competing products. For such a comparison to be meaningful, we need at a minimum to wait for the final product release and the launch of OneCare Live in commercial mode.

Data backup and recovery tools

The backup and restore tools, which you can launch by clicking the Back up files link, scan your computer's hard drive for new or changed files since the last backup and offer to burn those files to an external hard drive, CD, or DVD. Before backup, the user can select the types of files he is interested in and view the resulting list (Fig. 5).

Fig. 5. Select files for backup

Before starting a backup, the user is informed about how many disks he will need to create a backup and how long it will take.

To restore files from a backup, select the Restore Files link. OneCare allows you to recover all your lost files, determine which ones you need to recover, and find the files you need inside the backup.

Performance Tools

Windows OneCare performance optimization tools provide the ability to sequentially perform five operations: deleting unnecessary files, defragmenting the hard drive, antivirus scanning, checking for the presence of files that need to be backed up, and checking for all necessary operating system updates (Fig. 6).

At the end of the optimization, you can get a report on its results (Fig. 7).

Configuring optimization tools allows you to set a schedule according to which the listed actions are performed and indicate whether unnecessary files should be deleted during their execution.

***

So, this year, users will receive from Microsoft a product that can simplify the care of computers and protect them with relatively little effort, as well as a service that maintains anti-virus databases and the product itself in proper condition. It's hard to predict now how much this product will outshine competing solutions from Symantec, McAfee and Trend Micro, especially given that Symantec plans to launch a similar service this fall (this project is codenamed Genesis). For now, we only note that often a platform manufacturer that has just entered the market for tools or other applications for this platform is in a much more advantageous position than companies that have already settled in this market, but do not produce the platforms themselves, and the development of the market for development tools for Windows and .NET in the last five years is a clear proof of this. True, unlike the market for development tools, the market for personal protective equipment is still far from saturation.

At the end of February, in a report by Bill Gates at the RSA Conference, the company's immediate and long-term plans to create a more secure environment for using digital technologies were revealed. Thus, in order to support the Identity Metasystem ideology, which allows private users and websites to exchange personal identification information over the Internet more safely and securely, Microsoft plans to introduce a number of new technologies, including InfoCard technology, which simplifies this process and at the same time improves the security of access to resources and personal data on the Internet. Microsoft also has plans to further reduce user costs associated with identity and access control. Starting with the next server version of Windows, Microsoft will expand the Active Directory role to include Rights Management Services, Certificate Services, Metadirectory Services, and Federation Services, which will enable a unified identity and access control infrastructure. Mr. Gates also unveiled the first beta version of Microsoft Certificate Lifecycle Manager, a policy enforcement solution that accelerates the planning, configuration, and management of digital certificates and smart cards, and enhances security with multi-factor authentication technology.

A few words about products for corporate users

Note that Microsoft's anticipated entry into the security market is by no means limited to products and services for home users.

In addition to OneCare, Microsoft plans to release a similar Microsoft Client Protection product for corporate workstations and laptops. Client Protection will allow the system administrator to carry out anti-virus protection of workstations. The corporation plans to release a beta version for the general public in the third quarter of 2006. The launch of Microsoft Client Protection in production is scheduled for the end of this year.

In addition to client-side protection, anti-virus and anti-spam software for Microsoft Exchange email and SMTP servers is expected to be released, and to this end, Microsoft recently acquired one of its partners, Sybari Software, which specialized in such tools. Named Antigen for Exchange, Antigen for SMTP Gateways, Antigen Spam Manager and Antigen Enterprise Manager, these products protect against viruses, worms, spam and inappropriate content using split multi-engine scanning and will be available for the next 6 months. In addition, a beta version of Internet Security & Acceleration Server (ISA Server) 2006 is now available, which combines a firewall, virtual private networking (VPN), and Web caching.

Microsoft also announced the acquisition of FutureSoft, Inc.'s DynaComm i:filter Web filtering technology, which allows companies to manage Internet access in their environment.

We will talk about the products and technologies listed above as they become available.

In the era of information technology, the question of how to protect data on a computer is acute. Passwords and logins from social networks, bank account management systems, account data, private photos and other files - all this may be of interest to attackers.
Not only government agencies, banks or popular websites become targets of hacker attacks. Personal information of ordinary users may also be of interest to hackers. Stolen accounts in Odnoklassniki or Facebook are used by criminals for fraudulent purposes, stolen photos become the subject of blackmail, and obtaining data from payment systems gives attackers the opportunity to leave their owners without a penny in their account.
In order not to become a victim of hackers, it is necessary to pay attention to the security of storing personal data. This article will tell you how you can protect personal information on your computer.

Method 1: strong passwords

The easiest way to protect data on your computer is to use strong passwords. Most users know that security experts do not recommend using simple combinations of numbers and letters as a key (qwerty, 12345, 00000). But the advent of "smart" cracking programs has led to the fact that even more complex passwords can be found by brute force. If the attacker knows the potential victim personally, an atypical but simple key (date of birth, address, pet name) is also easily guessed.
To protect accounts on social networks and other resources, as well as a user account on a PC, it is recommended to use complex combinations that consist of uppercase and lowercase Latin letters, numbers and special characters. It is desirable that the password be easy to remember but carry no obvious meaning. For example, a key of the form 22DecmebeR1991 is recognized by sites as reliable, but contains a date of birth and therefore can be easily cracked.



Method 2: Data Encryption

To protect personal information on a computer in the event an attacker attempts to access it, we recommend that you use data encryption. Enterprise and professional versions of Windows come with the BitLocker tool. The system mechanism allows you to encrypt information on one or more hard disk partitions. Access to files becomes possible only when using a special key.
If you need to secure individual files and folders, the easiest way to protect personal data on your computer is to use encrypted archives. If you move documents, photos or other data to a password-protected archive, an attacker will not be able to open them even after gaining full access to the PC. To open the ZIP or RAR content, an access code must be entered. Most modern archivers are equipped with similar functionality.
There are also many free programs that allow you to encrypt data. Among such programs are Free Hide Folder, Folder Lock, TrueCrypt and others.



Method 3: Using an antivirus program

To gain access to someone else's PC, hackers use auxiliary software that is installed on the victim's computer. Trojan viruses intercept information entered from the keyboard, replace websites with copies created by scammers, and send personal data. To protect personal data, it is advisable to install the latest version of anti-virus software and keep it updated. It is also recommended to restrict access to drives by prohibiting reading information from them over the network.



Method 4: Setting a Password on the BIOS and/or Hard Drive

Basic OS password protection does not allow quick hacking of the system, but is vulnerable if the computer falls into the hands of a criminal for a long time. By reinstalling Windows, you can access unencrypted files. Setting a BIOS (UEFI)* password to be entered when the computer is turned on prevents the PC from booting from either built-in or external media.
*BIOS (Basic Input / Output System) or UEFI (Unified Extensible Firmware Interface) is a part of the computer system software that is responsible for organizing the operation of the hardware components of the system and controlling its boot. The BIOS / UEFI setup menu is entered at an early stage of PC boot (the first seconds after turning on) by pressing the Del, F1 or F2 buttons (see the instructions for the PC or laptop). For different computer models, the names of the settings sub-items may differ, but, as a rule, the necessary options are located in the section whose name contains the word Security.
An even greater degree of protection of personal information is provided by password protection of the hard drive. By setting the access code for the drive through the BIOS / UEFI, the user makes it useless in the hands of an attacker. Even after removing the hard drive from the PC case and connecting it to another device, data cannot be accessed. Attempting to unlock the drive with a "master key" will destroy the data.



Method 5: Using the HTTPS protocol

Using the secure HTTPS data transfer protocol eliminates the risk of interception, because information is sent to the server in encrypted form. This standard is not a separate technology but an add-on to standard HTTP. When it is used, data encryption is carried out using the SSL protocol.
Unfortunately, in order for this method of data protection to work, the server must be equipped with support for this technology. It cannot be used unilaterally.
If the server supports HTTPS, then when the client connects, the system assigns it a unique certificate and all transmitted data is encrypted with a 40, 56, 128, or 256-bit key. Thus, decryption is carried out only on end devices, and the interception of someone else's signal will not give the attacker anything.
If the service involves working with confidential information or conducting financial transactions, it is recommended to be wary of resources that do not support HTTPS.
Websites of online stores, banks, and payment systems (Yandex.Money, Webmoney) use the HTTPS protocol by default. Facebook, Google, Twitter, Vkontakte services provide the ability to enable it in the account settings. Other sites work with it.


Method 6: Secure your wireless networks

If your computer's security settings are not set to restrict access to it over the network, an insecure Wi-Fi network allows an attacker to get into the contents of the drives. To avoid this, it is recommended to set the WPA/WPA2 data encryption method on the router and set a complex password (see Method 1).
To eliminate the risk of hacking your Wi-Fi network, you can turn off broadcasting the connection name (SSID). In this case, only users who know the network name will be able to connect to the router.

Method 7: Parental Control Systems

If children use the computer, the risk of catching malware increases significantly. To protect personal data on a PC, you can create an account with limited access rights for a child. Windows (version 7 and up) has built-in parental controls. With their help, you can limit the time your child spends at the computer, prohibit access to certain programs, and block the ability to install third-party software.
There is also third-party software that has the same (or more) functionality. On the Internet, you can find both paid and free parental control tools. In addition, some providers support this feature. In this case, in your personal account on the website of the telecom operator, you can set restrictions on visiting individual resources.



How to protect information on your computer most reliably

Each of the above methods of protecting personal data on a computer is reliable in one situation, but it also has vulnerabilities. To achieve a high level of security, it is recommended to combine methods.
Unfortunately, there is no universal way to protect data that would be 100% effective. Even the servers of banks and law enforcement agencies are vulnerable to hacker attacks, as evidenced by large-scale leaks of documents from the Pentagon and from the governments of the US and other countries published by Wikileaks.
Nevertheless, given that ordinary users rarely become victims of hackers of this level, it is possible to secure personal data. For this it is recommended to:

  • install the latest version of the anti-virus program (preferably with firewall functions);
  • protect the user account with a strong password;
  • not use the same access codes for all accounts;
  • protect Wi-Fi and disable file sharing on the PC over the local network, first of all for the system partition (if this is not possible, restrict access, allowing it only to trusted network members who really need it);
  • not store keys and passwords in TXT, DOC, RTF files and other documents on the PC itself;
  • place the most valuable files and folders in a password-protected archive or encrypt them.

You can protect personal information on your computer in other ways. The main thing is to find a compromise between the level of security and the convenience of using a PC. Radical measures (for example, full data encryption, access to a PC using a physical key, and limiting the list of allowed resources) can be redundant on a home PC and cause unnecessary inconvenience. Practice shows that the use of overly complex protective equipment leads to a gradual refusal of users to use them.

How to increase the security level of your PC?

Very often a person is faced with the fact that he cannot find a good complex, preferably free, and scammers for his personal computer. As a rule, there are a huge number of such programs on the Internet, but this does not mean that they are reliable “guardians” of PC security. If you have important data stored on your computer, or you just don't want it to be affected by viruses, spyware or Trojans, there are a few things you need to do to protect it. To help each user secure their computer, this article provides some tips to keep your computer and your files safe.


Let's see how it's possible

Protect personal computer

Information encryption

On a personal computer, as everyone knows, the main component of the system is where most of the information is contained. The loss of such media can be considered the most common way of data loss. You can avoid the risk with disk encryption. A person will not be able to access the information unless they enter the correct code. The solution to the problem can also be the purchase of media with built-in encryption, up to scanning the owner's fingerprints.

Software update

One of the easiest ways to protect your PC information is to keep your software up to date. The conversation is not only about the operating system as a whole and, but also about other software. Developers of this or that software always release new versions. This must be done in order not only to improve protection, but also to correct some shortcomings in the previous program. Because of such "holes" most often there is a "leakage" of information and there is open access for other users.
Most protection programs are equipped with an automatic update function. You will agree that it is much better when a message with an “update” button appears in front of you than when the user has to spend time tracking down and searching for updates himself.

Timely update

This is a very important point that should be observed if you wish. Since new viruses appear quite quickly and often, the developers of anti-virus programs strive to add the signatures of these new "infections" to update files as soon as possible. An anti-virus program that is rarely updated may miss a new virus that it does not know, even if it uses a heuristic analysis method. Therefore, it is important to update yours as often as possible, and even better, turn on the automatic update function so that it is always ready for any virus attack.

WiFi security

If you use a Wi-Fi network to access the Internet, then you need to protect your home network with a password. This action is necessary so that unauthorized users cannot bring a "harmful" infection into your . In addition, in the absence of a protective password, anyone gets access to the personal data of your computer.

Purchases

When shopping in an online store, you must be using your bank card. However, in the modern world of advanced information technology, this is not safe, as fraudsters can easily “hack” your computer in order to take advantage of your card details and use it for their own purposes. When making purchases, the safest option is to use a virtual card.

HTTPS protocol

When using the World Wide Web, use the HTTPS protocol, which creates some protection between your personal computer and the site. A striking example of this is the fact that many sites that have high security requirements often automatically use this protocol.

Checking hyperlinks

Even the most secure sites are attacked by hackers and spammers. They usually pose a threat to your computer by placing malicious links on pages. Therefore, any site, even the most secure in your opinion, can be hacked. If you have some concerns about this, it's best to play it safe and check the link you're about to click on.

Safety

The easiest way to lose access to information is to lose access directly to the computer. If you leave your PC unattended, you run the risk of never seeing it again. This method of information loss is the most “hurtful”, since access to files cannot be restored. In any case, if you often use your computer in public places where it is possible for unauthorized persons to access it, then secure it with a password.

Strong passwords

The security of your data directly depends on the complexity of the password. Therefore, if you are thinking about which combination of letters to use, consider some details:

  • it is not recommended to use standard words, names or nicknames, because attackers very often work by simple guessing;
  • do not use memorable dates, for example, a birthday, because a lot of information can now be obtained from social networks (Vkontakte, Odnoklassniki, My world);
  • also, you should not replace letters with similar characters, since this method is familiar to attackers;
  • in addition to letters, use a combination of numbers, symbols and signs, and also change the case of letters. Moreover, the more characters and symbols your password contains, the more reliable it will be. For example, the password 5y;G!gF9#$H-4^8%Is will be quite complex and, of course, very reliable.
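The point made under Method 1 about 22DecmebeR1991, together with the list of details above, as an added example that is not part of the original article: a checker that first applies a site-style composition rule and then looks for the guessable content the text warns about (dates, sequences, dictionary words, look-alike substitutions, personal facts). The composition rule, the small word list, the substitution table and all function names are assumptions made for illustration.

```python
import re

# Constructed sample data: a tiny word list standing in for a real cracking
# dictionary, and look-alike substitutions that cracking tools undo.
COMMON_WORDS = {"password", "qwerty", "admin", "dragon", "letmein", "welcome"}
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})
_MONTHS = "jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec"
YEAR_RE = re.compile(r"(?:19|20)\d{2}")
# "22dec..." or "dec...1991": a month name next to digits, even if misspelled.
DAY_MONTH_RE = re.compile(
    r"\d{1,2}(?:%s)|(?:%s)[a-z]*\d{1,4}" % (_MONTHS, _MONTHS))
# Four identical characters in a row, or the start of a well-known run.
SEQUENCE_RE = re.compile(r"(.)\1{3,}|1234|qwer|abcd")


def composition_ok(password, min_length=8):
    """Assumed site-style rule: minimum length plus upper, lower and digit."""
    return (len(password) >= min_length
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"\d", password) is not None)


def weaknesses(password, personal_facts=()):
    """Return the reasons a password is guessable despite its composition."""
    found = []
    lower = password.lower()
    if YEAR_RE.search(lower) or DAY_MONTH_RE.search(lower):
        found.append("date")
    if SEQUENCE_RE.search(lower):
        found.append("sequence")
    # Compare letters only, once as typed and once with look-alikes undone.
    plain = re.sub(r"[^a-z]", "", lower)
    unleet = re.sub(r"[^a-z]", "", lower.translate(LEET))
    if any(word in plain for word in COMMON_WORDS):
        found.append("dictionary word")
    elif any(word in unleet for word in COMMON_WORDS):
        found.append("look-alike substitution")
    # personal_facts: names, nicknames, pet names known about the owner.
    if any(fact.lower() in lower for fact in personal_facts if fact):
        found.append("personal fact")
    return found


def is_acceptable(password, personal_facts=()):
    """Accept only passwords that pass the rule and show no weakness."""
    return composition_ok(password) and not weaknesses(password, personal_facts)


if __name__ == "__main__":
    for candidate in ("qwerty", "22DecmebeR1991", "P@ssw0rd!x",
                      "5y;G!gF9#$H-4^8%Is"):
        print(candidate, composition_ok(candidate), weaknesses(candidate))
```
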

Public networks

Try, if possible, to refrain from important work when using public access networks in, as anyone will have access to your computer, and therefore to your data.

Annotation: The lecture discusses the purpose and principles of operation of programs necessary for the full and effective protection of home computers from harmful effects.

General information

The main difference between a home computer and a conventional production workstation is its versatility. If in organizations computer equipment is usually acquired for a specific purpose: for typing, drawing in professional graphics packages or for programming, then a home computer is often used not only for working outside working hours, but also for computer games, personal correspondence, searching and browsing the Internet, and playing movies and music. Moreover, the administration of a home computer is in the vast majority of cases carried out solely by the owner.

Therefore, all programs intended for home use have a transparent interface, are easy to install and manage, and are necessarily accompanied by documentation that is understandable even for a layman. Anti-virus security software must also meet all of the above requirements.

The programs necessary for the full and effective protection of home computers from harmful effects include:

  • Antivirus software, which is responsible for checking files and other objects of the file system for viruses and, if they are detected, takes user-defined actions with respect to them
  • Programs for protection against unauthorized access and network hacker attacks, often included in the anti-virus complex or built into the operating system
  • Spam filters, an additional measure that in some cases significantly reduces the load on anti-virus software, thereby increasing the reliability of protection

The listed programs can either be included in one home computer protection package or be installed separately. The main advantage of the first method is the presence of a single control interface and the complementarity of each of the modules thought out by the creators of the programs. Installing individual programs, especially from different manufacturers, can only be useful in some cases, for example, when specific functions are needed for one reason or another, but no single integrated product can provide them. In the case of a home user, this is extremely rare, and if you need to install all three modules, then it is advisable to do this using a comprehensive solution.

Antivirus software

The main and at the same time mandatory element in anti-virus protection is, of course, an anti-virus program. Without it, one cannot speak of effective anti-virus security when it comes to a computer capable of exchanging information with other external sources. Even if the user complies with all the rules of computer hygiene, this does not guarantee the absence of malware unless an antivirus is used.

Antivirus software is a rather complex software package; its creation requires the efforts of a team of highly qualified virus analysts, experts and programmers with many years of experience and very specific knowledge and skills. The main technology of anti-virus scanning, signature analysis, implies continuous monitoring of virus incidents and regular release of anti-virus database updates. For these and other reasons, antivirus programs are not built into operating systems. Only the simplest filter, which does not provide a full-fledged anti-virus scan, can be built-in.

The main elements of any anti-virus protection of a workstation or network server are continuous real-time scanning, on-demand scanning and a mechanism for updating anti-virus databases. They are also required to protect your home computer.

Real time check

As a rule, on a home computer there is a constant exchange of information with external sources: files are downloaded from the Internet, copied from CDs or over a home local network, and subsequently opened and launched. Therefore, the main tool in the arsenal of anti-virus protection for a home computer is a real-time scan. Its task is to prevent infection of the system.

On a home computer, it is highly recommended to use the constant scan whenever it is turned on - regardless of whether it is currently connected to the network, whether other people's mobile storage media are used, or only some internal tasks are performed. Constant scanning is characterized by the minimum system requirements necessary for it to work, and therefore the antivirus launched in this mode in the vast majority of cases remains unnoticed by the user and appears only when viruses or other suspicious programs are detected.

Without much damage to the quality of anti-virus protection of a home computer, it is often possible to exclude scanning of outgoing mail messages and archives from real-time scanning, but it is recommended to scan all other objects.

On-Demand Check

As mentioned above, on a home computer, information is often exchanged using CDs, floppy disks and other mobile media: new games are installed, e-books and textbooks are copied, films and music are rewritten. In order to detect malicious code that has penetrated the system, on-demand scanning is used. All home users are strongly advised to check all suspicious storage media for viruses, and each time before reading or copying files from them. This simple action takes a little time, but it can significantly reduce the chances of malware infiltrating your computer. Additionally, it is recommended to scan the entire hard drive for viruses at least once a week.

According to the scan settings, this mode is especially thorough - in an on-demand scan, all objects of the file system are usually scanned.

Updating anti-virus databases

Antivirus databases

Only timely updating of anti-virus databases can guarantee the correct and efficient operation of the most reliable part of anti-virus protection - signature analysis.

Antivirus databases are files containing virus signatures. They are produced by antivirus companies and, accordingly, they are different for different programs - for example, Kaspersky Anti-Virus will not be able to work with Dr. Web databases and vice versa.

You can get the latest versions of the required databases from the manufacturer's website using the tools built into the anti-virus program, or by copying the files from the website yourself. In regular situations, it is recommended to update in the first way, the second is more complicated and is intended for extraordinary situations, for example, if you suspect that the built-in update modules are not working correctly or you cannot access the Internet directly.

This means that in order to update anti-virus databases, a home user usually just needs to connect to the Internet and press a button in the anti-virus program interface that starts the update process. If an Internet connection is not provided, the only way out is to go to the anti-virus manufacturer's website using another computer, download and copy the databases to your computer using mobile media. A detailed description of this procedure can be found in the user manual or documentation for the program.

Maintaining the relevance of anti-virus databases

The expansion of the Internet, together with the improvement of communication channels between different computer networks, makes data exchange much faster. As the volume of information flows grows, the rate at which viruses spread also increases. Today, only a few hours, and sometimes even minutes, pass from the release of a virus to the start of mass infections. In such a situation, the dominant criterion for choosing anti-virus protection is how frequently the manufacturer releases anti-virus database updates, as well as its response time to the outbreak of an epidemic. Today, the leader in this area is Kaspersky Lab, which has the best release rate of anti-virus databases, releasing updates hourly, while most other companies have settled on daily updates.

However, home computers often have very limited bandwidth, especially when connected via a regular telephone line, so it can be difficult for such users to check for new anti-virus databases every hour. The optimal update schedule therefore depends heavily on how you connect to the network. By this parameter, the following categories of home users can be distinguished:

  • Permanent connection - in this case, scheduled anti-virus database updates are configured to run once every three hours (unless the manufacturer of the anti-virus program recommends otherwise).
  • Periodic connection - this does not allow updating every three hours. Therefore, in this mode, it is optimal to check for new anti-virus databases every time you connect to the Internet, but at least once a day.
  • Inability to connect to the Internet - the most difficult option. In this case, it is necessary to organize the delivery of updates using mobile media. However, since the exchange of information with external sources is usually limited on such computers, it is usually possible to update anti-virus databases at intervals of up to three days.



Unauthorized access (UA) by an attacker to a computer is dangerous not only because the attacker can read and/or modify the electronic documents being processed, but also because the attacker can introduce a controlled software implant (a "software bookmark"), which allows the following actions:

2. Intercept various key information used to protect electronic documents.

3. Use the captured computer as a springboard for capturing other computers on the local network.

4. Destroy the information stored on the computer or disable the computer by running malicious software.

Protecting computers from unauthorized access is one of the main problems of information security, so various subsystems for protecting against unauthorized access are built into most operating systems and popular software packages. One example is user authentication at logon in operating systems of the Windows 8 family. However, there is no doubt that the built-in tools of operating systems are not enough to seriously protect against UA. Unfortunately, the implementation of security subsystems in most operating systems is often criticized because of regularly discovered vulnerabilities that allow access to protected objects bypassing access control rules. The service packs and patches released by software vendors objectively lag behind the information about discovered vulnerabilities. Therefore, in addition to the standard means of protection, it is necessary to use special means of restricting or delimiting access.


These means can be divided into two categories:

1. Means of restricting physical access.

2. Means of protection against unauthorized access over the network.

Means of restricting physical access

The most reliable solution to the problem of restricting physical access to a computer is the use of hardware for protecting information from unauthorized access, which is performed before the operating system is loaded. The means of protection in this category are called "electronic locks".
Theoretically, an attacker can tamper with any software access control tool in order to distort its algorithm and subsequently gain access to the system. It is practically impossible to do this with hardware protection: the electronic lock performs all user access control actions in its own trusted software environment, which is not subject to external influences.
At the preparatory stage of using an electronic lock, it is installed and configured. The setup includes the following steps, usually performed by the person in charge, the Security Administrator:

1. Creating a list of users who are allowed access to the protected computer. For each user, a key carrier is generated (depending on the interfaces supported by a specific lock - a flash drive, an iButton electronic tablet or a smart card), which will be used to authenticate the user upon entry. The list of users is stored in the non-volatile memory of the lock.

2. Formation of a list of files, the integrity of which is controlled by the lock before loading the operating system of the computer. Important files of the operating system are subject to control, for example, the following:

  • Windows 8 system libraries;
  • executable modules of the applications used;
  • Microsoft Word document templates, etc.

File integrity control consists of calculating a reference checksum for each file (for example, a hash according to the GOST R 34.11-94 algorithm), storing the calculated values in the non-volatile memory of the lock, and then calculating the actual file checksums and comparing them with the reference ones.
In the normal mode of operation, the electronic lock receives control from the BIOS of the protected computer after the latter is turned on. At this stage, all actions to control access to the computer are performed, namely:

1. The lock asks the user for a carrier with key information necessary for his authentication. If key information of the required format is not presented or if the user identified by the information provided is not included in the list of users of the protected computer, the lock blocks the computer from booting.

2. If the user authentication was successful, the lock calculates the checksums of the files contained in the list of controlled files and compares the received checksums with the reference ones. If the integrity of at least one file from the list is violated, the computer will be blocked from loading. To be able to continue working on this computer, the problem must be resolved by the Administrator, who must find out the reason for the change in the monitored file and, depending on the situation, take one of the following actions to allow further work with the protected computer:

  • restore the original file;
  • remove the file from the list of monitored files.

3. If all checks are passed successfully, the lock returns control to the computer to load the standard operating system.


Since the above steps are performed before the computer's operating system is loaded, the lock usually loads its own operating system (located in its non-volatile memory, usually MS-DOS or a similar low-resource OS), in which user authentication and file integrity checks are performed. This also makes sense from a security point of view: the lock's own operating system is not subject to any external influences, which prevents an attacker from influencing the control processes described above.
Information about user logins to the computer, as well as unauthorized access attempts, is stored in a log, which is located in the non-volatile memory of the lock. The log can be viewed by the Administrator.
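The pre-boot sequence described above (authentication by key carrier, integrity check of the controlled files, then a boot or block decision with a log entry) can be modelled in a few lines. This is an added example, not code from any real lock: the `Lock` class, the user name, the file names and the key bytes are constructed, and SHA-256 stands in for GOST R 34.11-94, which the Python standard library does not provide.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def file_digest(path):
    """Checksum of one file (SHA-256 here, standing in for GOST R 34.11-94)."""
    return hashlib.sha256(Path(path).read_bytes()).digest()

class Lock:
    """Hypothetical model of the lock's non-volatile memory: users, references, log."""
    def __init__(self):
        self.users, self.reference, self.log = {}, {}, []

    def enroll_user(self, name, carrier_key):          # setup step 1
        self.users[name] = hashlib.sha256(carrier_key).digest()

    def enroll_files(self, paths):                     # setup step 2
        self.reference = {p: file_digest(p) for p in paths}

    def boot(self, name, carrier_key):
        """Pre-boot checks in the order described; returns (decision, changed files)."""
        stored = self.users.get(name)
        shown = hashlib.sha256(carrier_key).digest()
        if stored is None or not hmac.compare_digest(stored, shown):
            self.log.append(("auth-failed", name))
            return "BLOCK", []
        changed = []
        for path, ref in self.reference.items():
            try:
                same = hmac.compare_digest(file_digest(path), ref)
            except OSError:                            # missing or unreadable file
                same = False
            if not same:
                changed.append(path)
        self.log.append(("integrity-failed" if changed else "login", name))
        return ("BLOCK" if changed else "BOOT"), changed

def demo():
    """Constructed scenario: clean boot, wrong key, modified file, file restored."""
    key = b"constructed-key-material"
    with tempfile.TemporaryDirectory() as d:
        lib, tpl = Path(d, "system.dll"), Path(d, "normal.dot")
        lib.write_bytes(b"original library")
        tpl.write_bytes(b"original template")
        lock = Lock()
        lock.enroll_user("alice", key)
        lock.enroll_files([lib, tpl])
        results = [lock.boot("alice", key)[0], lock.boot("alice", b"wrong-key")[0]]
        lib.write_bytes(b"patched library")            # a controlled file is modified
        decision, changed = lock.boot("alice", key)
        lib.write_bytes(b"original library")           # administrator restores the original
        results += [decision, lock.boot("alice", key)[0]]
        return results, [p.name for p in changed], lock.log
```

A deleted controlled file is treated the same way as a modified one, so removing a file cannot be used to skip its check.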

When using electronic locks, there are a number of problems, in particular:

1. The BIOS of some modern computers can be configured in such a way that boot control is not transferred to the BIOS of the lock. To counteract such settings, the lock must be able to block the computer boot (for example, by closing the Reset contacts) if the lock has not received control within a certain period of time after turning on the power.

2. An attacker can simply pull the lock out of the computer. However, there are a number of countermeasures:

  • Various organizational and technical measures: sealing the computer case, ensuring that users do not have physical access to the computer system unit, etc.
  • There are electronic locks that can lock the case of the computer system unit from the inside with a special latch at the command of the administrator. In this case, the lock cannot be removed without significant damage to the computer.
  • Quite often, electronic locks are structurally combined with a hardware encryptor. In this case, the recommended security measure is to use the lock in conjunction with transparent (automatic) encryption software for computer logical drives. The encryption keys can be derived from the keys used to authenticate users in the electronic lock, or they can be separate keys stored on the same medium as the user's keys for logging in to the computer. Such a comprehensive protection tool does not require the user to perform any additional actions, but it does not allow an attacker to gain access to information even when the electronic lock hardware is removed.

Means of protection against unauthorized access over the network

The most effective methods of protection against unauthorized access over computer networks are virtual private networks (VPN - Virtual Private Network) and firewalls. Let's consider them in detail.

Virtual Private Networks

Virtual private networks provide automatic protection of the integrity and confidentiality of messages transmitted over various public networks, primarily the Internet. In fact, a VPN is a collection of networks on the outer perimeter of which VPN agents are installed. A VPN agent is a program (or software and hardware system) that actually provides protection for transmitted information by performing the operations described below.
Before sending any IP packet to the network, the VPN agent does the following:

1. Information about its destination is extracted from the header of an IP packet. According to this information, based on the security policy of this VPN agent, security algorithms (if the VPN agent supports several algorithms) and cryptographic keys are selected with which this packet will be protected. In the event that the security policy of the VPN agent does not provide for sending an IP packet to a given addressee or an IP packet with these characteristics, sending an IP packet is blocked.

2. Using the selected integrity protection algorithm, an electronic digital signature (EDS), a message authentication code (MAC) or a similar checksum is generated and added to the IP packet.

3. Using the selected encryption algorithm, the IP packet is encrypted.

4. Using the established packet encapsulation algorithm, the encrypted IP packet is placed in an IP packet ready for transmission, the header of which, instead of the original information about the destination and the sender, contains information about the destination VPN agent and the sender VPN agent, respectively. That is, network address translation is performed.

5. The packet is sent to the destination VPN agent. If necessary, it is split and the resulting packets are sent one by one.

When receiving an IP packet, the VPN agent does the following:

1. Information about its sender is extracted from the header of an IP packet. If the sender is not allowed (according to the security policy) or is unknown (for example, when receiving a packet with a deliberately or accidentally corrupted header), the packet is not processed and discarded.

2. According to the security policy, the algorithms for protecting this packet and the keys are selected, with the help of which the packet will be decrypted and its integrity checked.

3. The informational (encapsulated) part of the packet is extracted and decrypted.

4. The integrity of the packet is checked based on the selected algorithm. If an integrity violation is detected, the packet is discarded.

5. The packet is sent to the destination (over the internal network) according to the information in its original header.

The VPN agent can be located directly on the protected computer. In this case, with its help, only the information exchange of the computer on which it is installed is protected, however, the principles of its operation described above remain unchanged.
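The sending and receiving steps listed above, in the order the text gives them (integrity tag first, then encryption, then encapsulation), are shown here as an added example that is not taken from any VPN product. The `VpnAgent` class, the addresses (documentation and private ranges) and the keys are constructed; HMAC-SHA256 and a toy SHA-256 keystream stand in for the real integrity and encryption algorithms, and packet splitting is omitted.

```python
import hashlib
import hmac
import ipaddress
import os

def keystream_xor(key, nonce, data):
    """Toy stream cipher (SHA-256 in counter mode), standing in for a real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class VpnAgent:
    def __init__(self, address, tunnels):
        # tunnels: (remote protected network, peer agent address, cipher key, MAC key)
        self.address = address
        self.tunnels = [(ipaddress.ip_network(n), p, ek, mk) for n, p, ek, mk in tunnels]

    def send(self, src, dst, payload):
        """Sending steps 1-4: policy lookup, integrity tag, encryption, encapsulation."""
        for net, peer, ek, mk in self.tunnels:
            if ipaddress.ip_address(dst) in net:
                break
        else:
            return None                        # no tunnel for this destination: blocked
        inner = f"{src}>{dst}|".encode() + payload    # original header plus data
        tag = hmac.new(mk, inner, hashlib.sha256).digest()
        nonce = os.urandom(16)
        body = nonce + keystream_xor(ek, nonce, inner + tag)
        return {"src": self.address, "dst": peer, "body": body}   # outer header: agents only

    def receive(self, packet):
        """Receiving steps 1-5: returns (src, dst, payload), or None if discarded."""
        keys = [(ek, mk) for _, peer, ek, mk in self.tunnels if peer == packet["src"]]
        if not keys or len(packet["body"]) < 48:
            return None                        # sender not in policy, or body too short
        ek, mk = keys[0]
        plain = keystream_xor(ek, packet["body"][:16], packet["body"][16:])
        inner, tag = plain[:-32], plain[-32:]
        if not hmac.compare_digest(tag, hmac.new(mk, inner, hashlib.sha256).digest()):
            return None                        # integrity violation: discard
        header, _, payload = inner.partition(b"|")
        src, _, dst = header.decode().partition(">")
        return src, dst, payload               # deliver inside the LAN to dst

def demo():
    ek, mk = b"E" * 32, b"M" * 32              # constructed keys, for illustration only
    a = VpnAgent("203.0.113.1", [("10.2.0.0/16", "198.51.100.1", ek, mk)])
    b = VpnAgent("198.51.100.1", [("10.1.0.0/16", "203.0.113.1", ek, mk)])
    pkt = a.send("10.1.0.5", "10.2.0.9", b"hello")
    tampered = dict(pkt, body=pkt["body"][:-1] + bytes([pkt["body"][-1] ^ 1]))
    spoofed = dict(pkt, src="192.0.2.66")
    return (pkt, b.receive(pkt), b.receive(tampered), b.receive(spoofed),
            a.send("10.1.0.5", "192.0.2.10", b"hello"))
```

IPsec ESP, by contrast, computes its integrity check over the ciphertext, so a forged packet is rejected before any decryption takes place.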


The basic rule for building a VPN is that communication between a secure LAN and an open network should be carried out only through VPN agents. There should be absolutely no communication methods that bypass the protective barrier in the form of a VPN agent. That is, a protected perimeter must be defined, communication with which can only be carried out through an appropriate means of protection.
A security policy is a set of rules according to which secure communication channels are established between VPN subscribers. Such channels are usually called tunnels. The analogy with a tunnel can be seen in the following:

1. All information transmitted within one tunnel is protected from both unauthorized viewing and modification.

2. Encapsulation of IP packets makes it possible to hide the topology of the internal LAN: from the Internet, the exchange of information between two protected LANs is visible only as an exchange of information between their VPN agents, since internal IP addresses do not appear in the IP packets transmitted over the Internet.

The rules for creating tunnels are formed depending on various characteristics of IP packets. For example, the IPSec (Security Architecture for IP) protocol, which is used to build most VPNs, defines the following set of input data, according to which tunneling parameters are selected and a decision is made when filtering a specific IP packet:

1. Source IP address. This can be not only a single IP address, but also a subnet address or a range of addresses.

2. Destination IP address. It can also be a range of addresses, specified explicitly using a subnet mask or wildcard.

3. User ID (sender or recipient).

4. Transport Layer Protocol (TCP/UDP).

5. Port number from which or to which the packet was sent.
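How a policy built from these five selectors is evaluated against a packet is shown below as an added example, not code from any IPsec implementation. The rule format, the first-match-wins ordering, the default `drop` action and the sample addresses are assumptions made for illustration, and a single port field stands for whichever port the rule is written against.

```python
import ipaddress

def addr_matches(spec, addr):
    """spec is '*', one address, a CIDR subnet, or an inclusive 'first-last' range."""
    if spec == "*":
        return True
    ip = ipaddress.ip_address(addr)
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
        return first <= ip <= last
    return ip in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    """spec is '*', a single port number, or an inclusive (low, high) tuple."""
    if spec == "*":
        return True
    low, high = spec if isinstance(spec, tuple) else (spec, spec)
    return low <= port <= high

def decide(rules, pkt):
    """Return the action of the first rule whose five selectors all match."""
    for r in rules:
        if (addr_matches(r["src"], pkt["src"]) and addr_matches(r["dst"], pkt["dst"])
                and r["user"] in ("*", pkt["user"])
                and r["proto"] in ("*", pkt["proto"])
                and port_matches(r["port"], pkt["port"])):
            return r["action"]
    return "drop"                      # nothing matched: the packet is not sent

# Constructed policy: rules are checked in order, first match wins.
RULES = [
    {"src": "10.1.0.0/16", "dst": "10.2.0.0/16", "user": "*",
     "proto": "tcp", "port": (1, 1023), "action": "tunnel"},
    {"src": "10.1.0.10-10.1.0.20", "dst": "*", "user": "admin",
     "proto": "udp", "port": 53, "action": "pass"},
]

def demo():
    """Classify constructed packets against RULES."""
    packets = [
        ("10.1.3.4", "10.2.0.9", "bob", "tcp", 443),       # rule 1
        ("10.1.3.4", "10.2.0.9", "bob", "tcp", 8080),      # port outside 1-1023
        ("10.1.0.15", "192.0.2.53", "admin", "udp", 53),   # rule 2 (address range)
        ("10.1.0.15", "192.0.2.53", "bob", "udp", 53),     # wrong user
        ("10.1.0.21", "192.0.2.53", "admin", "udp", 53),   # just outside the range
    ]
    keys = ("src", "dst", "user", "proto", "port")
    return [decide(RULES, dict(zip(keys, p))) for p in packets]
```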

Firewall

A firewall is a software or software and hardware tool that protects local networks and individual computers from unauthorized access from external networks by filtering the two-way message flow during information exchange. In effect, a firewall is a "cut down" VPN agent that neither encrypts packets nor controls their integrity, but in some cases it has a number of additional functions, the most common of which are the following:

  • antivirus scanning;
  • packet correctness control;
  • control of the correctness of connections (for example, the establishment, use and termination of TCP sessions);
  • content control.

Firewalls that do not have the functions described above and perform only packet filtering are called packet filters.
By analogy with VPN agents, there are also personal firewalls that protect only the computer on which they are installed.
Firewalls are also located on the perimeter of protected networks and filter network traffic according to the configured security policy.

Comprehensive protection

An electronic lock can be developed on the basis of a hardware encryptor. The result is a single device that performs the functions of encryption, random number generation and protection against unauthorized access. Such an encryptor can serve as the security center of the entire computer; on its basis, you can build a fully functional cryptographic data protection system that provides, for example, the following features:

1. Protecting your computer from physical access.

2. Protecting your computer from unauthorized access over the network and organizing a VPN.

3. File encryption on demand.

4. Automatic encryption of computer logical drives.

5. Calculation/verification of EDS.

6. Protection of email messages.
