What Is A Computer Virus?
What is a computer virus?
A computer virus is a malicious piece of computer code designed to spread from device to device. A subset of malware, these self-copying threats are usually designed to damage a device or steal data.
Think of a biological virus – the kind that makes you sick. It’s persistently nasty, keeps you from functioning normally, and often requires something powerful to get rid of it. A computer virus is very similar. Designed to replicate relentlessly, computer viruses infect your programs and files, alter the way your computer operates or stop it from working altogether.
What does a computer virus do?
Some computer viruses are programmed to harm your computer by damaging programs, deleting files, or reformatting the hard drive. Others simply replicate themselves or flood a network with traffic, making it impossible to perform any internet activity. Even less harmful computer viruses can significantly disrupt your system’s performance, sapping computer memory and causing frequent computer crashes.
How does a computer get a virus?
Even if you’re careful, you can pick up computer viruses through normal Web activities like:
Sharing music, files, or photos with other users
Visiting an infected website
Opening spam email or an email attachment
Downloading free games, toolbars, media players and other system utilities
Installing mainstream software applications without thoroughly reading license agreements
How do computer viruses spread?
Viruses can be spread several ways, including via networks, disks, email attachments or external storage devices like USB sticks. Since connections between devices were once far more limited than today, early computer viruses were commonly spread through infected floppy disks.
Today, links between internet-enabled devices are far more common, providing ample opportunities for viruses to spread. According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), infected email attachments are the most common means of circulating computer viruses. Most, but not all, computer viruses require a user to take some form of action, like enabling macros or clicking a link, to spread.
What are the symptoms of a computer virus?
Your computer may be infected if you recognize any of these malware symptoms:
Slow computer performance
Erratic computer behavior
Unexplained data loss
Frequent computer crashes
How are computer viruses removed?
Antivirus software has made great progress in identifying computer viruses and preventing their spread. When a device does become infected, installing an antivirus solution is still your best bet for removing it. Once installed, most products run a scan for the malicious program and, once it is located, present options for its removal. If the infection cannot be removed automatically, some security vendors offer a technician’s assistance in removing the virus free of charge.
Examples of computer viruses
By 2013, the Gameover ZeuS banking Trojan, whose botnet used a peer-to-peer architecture rather than central command servers to resist takedown, was being used to distribute CryptoLocker ransomware and commit banking fraud. While tens of thousands of computer viruses still roam the internet, they have diversified their methods and are now joined by several malware variants like:
Worms - A worm is self-replicating malware that, unlike a traditional virus, usually does not require a user’s action to spread from device to device.
Trojans - As in the myth, a Trojan is malicious code hidden inside a legitimate-seeming program so that the user installs it. Trojans do not replicate on their own; they are used to deliver other malware onto devices and networks.
Ransomware - Ransomware is a type of malware that encrypts a user’s files and demands a ransom for the key to restore them. Ransomware can be, but isn’t necessarily, spread by computer viruses.
Computer virus protection
When you arm yourself with information and resources, you’re wiser about computer security threats and less vulnerable to threat tactics. Take these steps to safeguard your PC with the best computer virus protection:
Use antivirus protection and a firewall
Get antispyware software
Always keep your antivirus protection and antispyware software up-to-date
Update your operating system regularly
Increase your browser security settings
Avoid questionable websites
Only download software from sites you trust
Carefully evaluate free software and file-sharing applications before downloading them
Don't open messages from unknown senders
Immediately delete messages you suspect to be spam
An unprotected computer is like an open door for computer viruses. A firewall monitors Internet traffic in and out of your computer and blocks unsolicited inbound connections, so your PC does not show up as an easy target to attackers scanning for exposed services. Products like Webroot Internet Security Complete and Webroot Antivirus add protection against two of the most common threats on the Internet, spyware and computer viruses: they are designed to block a virus before it enters your computer, watch the usual points of entry (downloads, email attachments, removable media), and stop a virus that tries to run, including damaging and evasive strains.
Free antivirus downloads are available, but they often lack the real-time protection and frequent updates needed to keep up with the continuous onslaught of new strains. Previously undetected polymorphic malware can often do the most damage, so it is critical to have protection whose detection data is updated continuously.
Computer Virus: What are Computer Viruses?
Computer virus definition
A computer virus is a type of malware that attaches to another program (like a document), which can replicate and spread after a person first runs it on their system. For instance, you could receive an email with a malicious attachment, open the file unknowingly, and then the computer virus runs on your computer. Viruses are harmful and can destroy data, slow down system resources, and log keystrokes.
Cybercriminals aren’t creating new viruses all the time, instead they focus their efforts on more sophisticated and lucrative threats. When people talk about “getting a virus” on their computer, they usually mean some form of malware—it could be a virus, computer worm, Trojan, ransomware or some other harmful thing. Viruses and malware continue to evolve, and often cybercriminals use the type that gives them the best return at that particular time.
Virus vs. malware
The terms “virus” and “malware” are often used interchangeably, but they’re not the same thing. While a computer virus is a type of malware, not all malware is a computer virus. The easiest way to differentiate computer viruses from other forms of malware is to think about viruses in biological terms. Take the flu virus, for example. The flu requires some kind of interaction between two people, like a handshake, a kiss, or touching something an infected person touched. Once the flu virus gets inside a person’s system it attaches to healthy human cells, using those cells to create more viral cells.
A computer virus works in much the same way:
A computer virus requires a host program.
A computer virus requires user action to transmit from one system to another.
A computer virus attaches bits of its own malicious code to other files or replaces files outright with copies of itself.
It’s that second virus trait that tends to confuse people. Viruses can’t spread without some sort of action from a user, like opening up an infected Word document. Worms, on the other hand, are able to spread across systems and networks on their own, making them much more prevalent and dangerous.
Famously, the 2017 WannaCry ransomware worm spread around the world, took down thousands of Windows systems, and raked in an appreciable amount of untraceable Bitcoin ransom payments for the alleged North Korean attackers.
Computer viruses don’t typically capture headlines like that—at least not anymore. They are still a harmful type of malware, but they are not the only type of threat out there today, on your computer or mobile device.
Windows, Mac, Android, and iOS
Many computer viruses target systems running Microsoft Windows. Macs, on the other hand, have enjoyed a reputation as virus-proof super machines, but by Apple’s own admission, Macs do get malware. There are more Windows users in the world than Mac users, and cybercriminals simply choose to write viruses for the operating system (OS) with the largest pool of potential victims.
Today, the "computer" in our pockets may be the one we use most often: our smartphones. Android and iOS are susceptible to various forms of malware, too. Fortunately, most cybersecurity companies like Malwarebytes offer protection for Windows, Mac, Android, and iOS today.
Computer virus examples
Sometimes to understand what something is, we have to examine what it isn’t. Keeping that in mind, let’s play: Is It a Virus?
In the Is It a Virus game we’re going to take a look at examples of things people on the Internet commonly believe to be a virus and explain why it is or isn’t. What fun!
Is a Trojan a virus? Trojans can be viruses. A Trojan is a computer program pretending to be something it’s not for the purposes of sneaking onto your computer and delivering some sort of malware. To put it another way, if a virus disguises itself then it’s a Trojan. A Trojan could be a seemingly benign file downloaded off the web or a Word doc attached to an email. Think that movie you downloaded from your favorite P2P sharing site is safe? What about that “important” tax document from your accountant? Think twice, because they could contain a virus.
Is a worm a virus? Worms are not viruses, though the terms are sometimes used interchangeably. Even worse, the terms are sometimes used together in a strange and contradictory word salad; a “worm virus malware.” It’s either a worm or a virus, but it can’t be both, because worms and viruses refer to two similar but different threats. As mentioned earlier, a virus needs a host system to replicate and some sort of action from a user to spread from one system to the next. A worm, conversely, doesn’t need a host system and is capable of spreading across a network and any systems connected to the network without user action. Once on a system, worms are known to drop malware (often ransomware) or open a backdoor.
Is ransomware a virus? Ransomware can be a virus. Does the malware prevent victims from accessing their system or personal files and demand a ransom payment to regain access? Then it’s ransomware; if it also infects other files to replicate, it’s a ransomware virus. In fact, the very first ransomware arrived as a Trojan (more on that later). Nowadays, the largest ransomware outbreaks have come from computer worms, capable of spreading from one system to the next and across networks without user action (e.g. WannaCry), though much ransomware is still dropped by other malware that the victim is tricked into running.
Is a rootkit a virus? Rootkits are not viruses. A rootkit is a software package designed to give attackers “root” access or admin access to a given system. Crucially, rootkits cannot self-replicate and don’t spread across systems.
Is a software bug a virus? Software bugs are not viruses. Even though we sometimes refer to a biological virus as a “bug” (e.g. “I caught a stomach bug”), software bugs and viruses are not the same thing. A software bug refers to a flaw or mistake in the computer code that a given software program is made up of. Software bugs can cause programs to behave in ways the software manufacturer never intended. The Y2K bug famously caused programs to display the wrong date, because the programs could only manage dates through the year 1999. After 1999 the year rolled over like the odometer on an old car to 1900. While the Y2K bug was relatively harmless, some software bugs can pose a serious threat to consumers. Cybercriminals can take advantage of bugs in order to gain unauthorized access to a system for the purposes of dropping malware, stealing private information, or opening up a backdoor. This is known as an exploit.
How do I prevent computer viruses?
Preventing computer viruses from infecting your computer starts with situational awareness.
“Situational awareness is something law enforcement and militaries have practiced for decades. It refers to a police officer or a soldier’s ability to perceive threats and make the best decision possible in a potentially stressful situation,” said Malwarebytes Head of Security, John Donovan.
“As it applies to cybersecurity, situational awareness is your first line of defense against cyberthreats. By staying on the lookout for phishing attacks and avoiding suspicious links and attachments, consumers can largely avoid most malware threats.”
Be careful with email attachments and embedded links even when the sender is someone you know: viruses have been known to hijack Outlook contact lists on infected computers and send virus-laden attachments to friends, family and coworkers, the Melissa virus being a perfect example.
If an email reads oddly, it’s probably a phishing scam or malspam. When in doubt about the authenticity of an email, don’t be afraid to reach out to the sender. A simple call or text message can save you a lot of trouble.
Next, invest in good cybersecurity software. We’ve made a distinction between computer viruses and malware, which now begs the question, “Do I need antivirus software or anti-malware software?” We’ve covered this topic before in great detail, so check out our article on antivirus vs. anti-malware. For now, though, here’s a quick gloss on the subject.
Antivirus (AV) refers to early forms of cybersecurity software focused on stopping computer viruses. Just viruses. Anti-malware refers to all-encompassing threat protection designed to stop old-fashioned viruses as well as today’s malware threats. Given a choice between traditional AV with limited threat detection technology and modern anti-malware with all the bells and whistles, invest in anti-malware and rest easy at night.
Traditional AV solutions rely on signature-based detection. AV scans your computer and compares each and every file against a database of known viruses that functions a lot like a criminal database. If there’s a signature match, the malicious file is quarantined before it can cause any damage.
The problem with signature-based detection is that it can’t stop what’s known as a zero-day virus; that is, a virus that cybersecurity researchers have never seen before and for which there is no criminal profile. Until the zero-day virus is added to the database, traditional AV can’t detect it.
Malwarebytes’ Multi-Vector Protection, conversely, combines several forms of threat detection technology into one malware crushing machine. Amongst these many layers of protection, Malwarebytes uses what’s called heuristic analysis to look for telltale malicious behavior from any given program. If it looks like a virus and behaves like a virus, then it’s probably a virus.
How do I remove computer viruses?
Going back to our virus analogy one final time—removing a virus from your body requires a healthy immune system. Same for your computer. A good anti-malware program is like having a healthy immune system. As your immune system moves through your body looking for and killing off invading viral cells, anti-malware scans for files and malicious code that don’t belong on your system and gets rid of them.
The free version of Malwarebytes is a good place to start if you know or suspect your computer has a virus. Available for Windows and Mac, the free version of Malwarebytes will scan for malware infections and clean them up after the fact. Get a free premium trial of Malwarebytes for Windows or Malwarebytes for Mac to stop infections before they start. You can also try our Android and iOS apps free to protect your smartphones and tablets.
History of computer viruses
Today’s malware authors owe a lot to the cybercriminals of yesteryear. All the tactics and techniques employed by cybercriminals creating modern malware were first seen in early viruses. Things like Trojans, ransomware, and polymorphic code. These all came from early computer viruses. To understand the threat landscape of today, we need to peer back through time and look at the viruses of yesteryear.
1949, John von Neumann and “self-reproducing machines”
It was in those salad days of computing that mathematician, engineer, and polymath John von Neumann delivered a lecture on the Theory and Organization of Complicated Automata in which he first argued that computer programs could “self-reproduce.” In an era when computers were the size of houses and programs were stored on long reels of punched tape, von Neumann’s ideas must have sounded like something from a sci-fi pulp novel.
1982, The proto computer-virus
In 1982 a fifteen-year-old boy pranking his friends proved von Neumann’s theory a reality. Rich Skrenta’s Elk Cloner is widely regarded as the first proto computer virus (the term “computer virus” didn’t exist just yet). Elk Cloner targeted Apple II computers, causing infected machines to display a poem from Skrenta:
Elk Cloner: The program with a personality
It will get on all your disks
It will infiltrate your chips
Yes, it’s Cloner!
It will stick to you like glue
It will modify RAM too
Send in the Cloner!
Other notable firsts: Elk Cloner was the first virus to spread via removable storage media (it wrote itself to any floppy disk inserted into the computer). For many years to come, that’s how viruses travelled between systems, via infected floppy disks passed from user to user.
1984, Computer virus, defined
In 1984 computer scientist Fred Cohen handed in his graduate thesis paper, Computer Viruses – Theory and Experiments in which he coined the term “computer virus,” which is great because “complicated self-reproducing automata” is a real mouthful. In the same paper, Cohen also gave us our first definition of “computer virus” as “a program that can ‘infect’ other programs by modifying them to include a possibly evolved copy of itself.”
1984, Core War
Up to this point, most talk about computer viruses happened only in the rarefied air of college campuses and research labs. But a 1984 Scientific American article let the virus out of the lab. In the piece, author and computer scientist A.K. Dewdney shared the details of an exciting new computer game of his creation called Core War. In the game, computer programs vie for control of a virtual computer. The game was essentially a battle arena where computer programmers could pit their viral creations against each other. For two dollars Dewdney would send detailed instructions for setting up your own Core War battles within the confines of a virtual computer. What would happen if a battle program was taken out of the virtual computer and placed on a real computer system? In a follow-up article for Scientific American, Dewdney shared a letter from two Italian readers who were inspired by their experience with Core War to create a real virus on the Apple II. It’s not a stretch to think other readers were similarly inspired.
1986, the first PC virus
The Brain virus was the first virus for IBM PCs running MS-DOS, the text-based precursor of Windows; it infected the boot sector of floppy disks. The brainchild of Pakistani brothers and software engineers Basit and Amjad Farooq Alvi, Brain acted like an early form of copyright protection, intended to stop people from pirating their heart-monitoring software. If the target system contained a pirated version of the brothers’ software, the “victim” would receive the on-screen message, “WELCOME TO THE DUNGEON . . . CONTACT US FOR VACCINATION” along with the brothers’ names, phone number, and business address in Pakistan. Other than guilt-tripping victims into paying for their pirated software, Brain had no harmful effects.
Speaking with F-Secure, Basit called Brain a “very friendly virus.” Amjad added that today’s viruses, the descendants of Brain, are “a purely criminal act.”
1986, Viruses go into stealth mode
Also in 1986, the BHP virus was the first to target the Commodore 64 computer. Infected computers displayed a text message with the names of the multiple hackers who created the virus—the digital equivalent of scrawling “(your name) was here” on the side of a building. BHP also has the distinction of being the first stealth virus; that is, a virus that avoids detection by hiding the changes it makes to a target system and its files.
1988, Computer virus of the year
1988, one could argue, was the year computer viruses went mainstream. In September of that year, a story on computer viruses appeared on the cover of TIME magazine. The cover image depicted viruses as cute, googly eyed cartoon insects crawling all over a desktop computer. Up to this point, computer viruses were relatively harmless. Yes, they were annoying, but not destructive. So how did computer viruses go from nuisance threat to system destroying plague?
1988, A message of peace goes haywire
Viruses were all about peace and love—until they started crashing people’s computers. The MacMag virus caused infected Macs to display an onscreen message on March 2, 1988:
RICHARD BRANDOW, publisher of MacMag, and its entire staff
would like to take this opportunity to convey their
UNIVERSAL MESSAGE OF PEACE
to all Macintosh users around the world
Unfortunately, a bug in the virus caused infected Macs to crash well before Brandow’s day of “universal peace.” The virus was also designed to delete itself after displaying Brandow’s message but ended up deleting other user files along with it. One of the victims, a software executive working for Aldus Corp, inadvertently copied the virus to a pre-production version of Aldus’ Freehand illustration software. The infected Freehand was then copied and shipped to several thousand customers, making MacMag the first virus spread via a legitimate commercial software product.
Drew Davidson, the person who actually coded the MacMag virus (Brandow wasn’t a coder), told TIME he created his virus to draw attention to his programming skills.
“I just thought we'd release it and it would be kind of neat,” Davidson said.
1988, front page of The New York Times
A little over a month after the TIME magazine piece, a story about the “most serious computer ‘virus’ attack” in US history appeared on the front page of The New York Times. It was Robert Tappan Morris’ Internet worm, erroneously referred to as a “virus.” In all fairness, no one knew what a worm was. Morris’s creation was the archetype. The Morris worm knocked out more than 6,000 computers as it spread across the ARPANET, a government operated early version of the Internet restricted to schools and military installations. The Morris worm was the first known use of a dictionary attack. As the name suggests, a dictionary attack involves taking a list of words and using it to try and guess the username and password combination of a target system.
Robert Morris was the first person charged under the newly enacted Computer Fraud and Abuse Act, which made it illegal to mess with government and financial systems, and any computer that contributes to US commerce and communications. In his defense, Morris never intended his namesake worm to cause so much damage. According to Morris, the worm was designed to test security flaws and estimate the size of the early Internet. A bug caused the worm to infect targeted systems over and over again, with each subsequent infection consuming processing power until the system crashed.
1989, Computer viruses go viral
In 1989 the AIDS Trojan was the first example of what would later come to be known as ransomware. Victims received a 5.25-inch floppy disk in the mail labelled “AIDS Information” containing a simple questionnaire designed to help recipients figure out if they were at risk for the AIDS virus (the biological one).
While an apt (albeit insensitive) metaphor, there’s no indication the Trojan’s creator, Dr. Joseph L. Popp, intended to draw parallels between his digital creation and the deadly AIDS virus. Many of the 20,000 disk recipients, Medium reported, were delegates for the World Health Organization (WHO). The WHO had previously rejected Popp for an AIDS research position.
Loading the questionnaire infected target systems with the AIDS Trojan. The AIDS Trojan would then lay dormant for the next 89 boot ups. When victims started their computer for the 90th time, they’d be presented with an on-screen message ostensibly from “PC Cyborg Corporation” demanding payment for “your software lease,” similar to the Brain virus from three years earlier. Unlike the Brain virus, however, the AIDS Trojan encrypted the victims’ files.
In an era before Bitcoin and other untraceable cryptocurrencies, victims had to send ransom funds to a PO box in Panama in order to receive the decryption software and regain access to their files. Funds, Popp claimed after his arrest, were destined for AIDS virus research.
1990s, Rise of the Internet
By 1990 ARPANET was decommissioned in favor of its public, commercially accessible cousin the Internet. And thanks to Tim Berners-Lee’s pioneering work on web browsers and web pages, the Internet was now a user-friendly place anyone could explore without special technical knowledge. There were 2.6 million users on the Internet in 1990, according to Our World in Data. By the end of the decade, that number would surpass 400 million.
With the rise of the Internet came new ways for viruses to spread.
1990, Mighty morphin’ 1260 virus
Cybersecurity researcher Mark Washburn wanted to demonstrate the weaknesses in traditional antivirus (AV) products. Traditional AV works by comparing the files on your computer with a giant list of known viruses. For every virus on the list, analysts extract a signature, a characteristic sequence of bytes from its code that works like a fingerprint. If a file on your computer contains the signature of a known virus, the file is flagged. Washburn’s 1260 virus avoided detection by changing its fingerprint every time it replicated: the body of the virus was encrypted with a key that varied from copy to copy, and the small routine that decrypted it at run time was itself padded with varying junk instructions. While each copy of the 1260 virus acted the same, the underlying bytes were different. This is called polymorphic code, making 1260 the first polymorphic virus.
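To make this concrete, here is an added Python illustration that is not code from the original article or from any real scanner; it serves both the earlier description of signature-based detection and its blind spot for unseen samples, and this account of the 1260 virus. The “payload” is a constructed byte string, not malware, and the signature database and the two-byte stub header are invented for the example. It also shows the counter-move scanners adopted once polymorphic viruses appeared: generic decryption, i.e. undoing the encoding before matching.

```python
"""Signature matching versus a polymorphic body, and the generic-decryption
trick scanners use to catch it.  Added illustration: the "payload" is a
constructed byte string, not real malware, and the signature database and
the stub header are invented for this example."""
import os
from typing import Optional

# Constructed sample: the bytes an analyst would extract a signature from.
PAYLOAD = b"CONSTRUCTED-SAMPLE: copy self onto every inserted disk"

# A signature is a characteristic byte sequence taken from a known sample.
SIGNATURES = {
    "Constructed.Sample.A": PAYLOAD[:24],
}


def signature_scan(blob: bytes) -> Optional[str]:
    """Classic AV: return the name of the first signature found, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in blob:
            return name
    return None


def xor_bytes(blob: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in blob)


def polymorphic_copy(payload: bytes, key: Optional[int] = None) -> bytes:
    """Build a new 'generation' of the sample: the same payload XOR-encoded
    with a per-copy key, behind a tiny header holding the key (a stand-in
    for the decryptor stub).  Every copy behaves identically once decoded,
    but the bytes on disk differ, so a fixed signature no longer matches.
    Real engines also mutate the decryptor itself; this header is simplified."""
    if key is None:
        key = os.urandom(1)[0] | 1   # never 0, which would leave the bytes unchanged
    return b"\xaa\x55" + bytes([key]) + xor_bytes(payload, key)


def run_stub(copy: bytes) -> bytes:
    """What the stub does at run time: recover and hand back the payload."""
    return xor_bytes(copy[3:], copy[2])


def generic_decrypt_scan(blob: bytes) -> Optional[str]:
    """Heuristic counterpart: instead of trusting the bytes on disk, undo every
    possible single-byte XOR key (256 trials, cheap) and signature-scan each
    result.  A toy version of the generic decryption / emulation that
    scanners added once polymorphic viruses appeared."""
    for key in range(256):
        hit = signature_scan(xor_bytes(blob, key))
        if hit:
            return hit
    return None


def scan(blob: bytes) -> Optional[str]:
    """Layered check: cheap signature match first, generic decryption second."""
    return signature_scan(blob) or generic_decrypt_scan(blob)


if __name__ == "__main__":
    gen1, gen2 = polymorphic_copy(PAYLOAD, 0x5A), polymorphic_copy(PAYLOAD, 0xC3)
    print("generations identical on disk:", gen1 == gen2)
    print("signature hit on original:   ", signature_scan(PAYLOAD))
    print("signature hit on generation: ", signature_scan(gen1))
    print("layered scan on generation:  ", scan(gen1))
    print("stub recovers payload:       ", run_stub(gen1) == PAYLOAD)
```

Run it and the two generations come out as different byte strings: the plain signature scanner misses both, the layered scan catches both. A real polymorphic engine also rewrites the decryptor with junk instructions, which is why scanners moved from matching bytes on disk to emulating the sample in a sandbox and scanning what it decrypts into.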
1999, “You’ve got mail (and also a virus)”
Think back to 1999. If someone you knew sent you an email that read “Here is the document you requested ... don’t show anyone else ;-),” you opened the attachment. This was how the Melissa virus spread and it played on the public’s naiveté about how viruses worked up to that point. Melissa was a macro virus. Viruses of this type hide within the macro language commonly used in Microsoft Office files. Opening up a viral Word doc, Excel spreadsheet, etc. triggers the virus. Melissa was the fastest spreading virus up to that point, infecting approximately 250,000 computers, Medium reported.
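The practical check that follows from this, as an added Python example that is not part of the original article: inspect an Office document for a VBA project before opening it. Modern Office files (.docx, .docm, .xlsm and so on) are zip containers; Office stores macros in a part named vbaProject.bin and declares it in [Content_Types].xml, so both can be checked without a Word installation. The sample document below is constructed in memory and is not a real Word file; the placeholder bytes stand in for the OLE container that holds the actual VBA streams.

```python
"""Check an Office Open XML file (.docx/.docm/.xlsx/.xlsm ...) for an embedded
VBA project before opening it.  Added example, not from the original article.
The document below is constructed in memory; in practice pass macro_report()
the bytes of a real file."""
import io
import zipfile
from typing import Dict, List, Union

CONTENT_TYPES = "[Content_Types].xml"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def macro_report(data: bytes) -> Dict[str, Union[bool, List[str]]]:
    """Report macro indicators from the container alone.  Two independent
    signals are checked, because a .docm renamed to .docx still carries the
    same parts inside."""
    if not data.startswith(b"PK"):
        # Not a zip: legacy binary .doc/.xls (OLE) needs a library such as
        # olefile/oletools; treat it as unknown rather than clean.
        return {"is_ooxml": False, "has_macros": False, "parts": [], "declared": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        declared = False
        if CONTENT_TYPES in names:
            types_xml = zf.read(CONTENT_TYPES)
            declared = (VBA_CONTENT_TYPE.encode() in types_xml
                        or b"macroEnabled" in types_xml)
    return {"is_ooxml": True, "has_macros": bool(vba_parts) or declared,
            "parts": vba_parts, "declared": declared}


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal container for the demo; not a real Word file."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    overrides = [f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>']
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_macro:
            overrides.append(
                f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
            # Placeholder bytes: the real part is an OLE compound file holding
            # the VBA streams (AutoOpen, Document_Open, ...).
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
        zf.writestr(CONTENT_TYPES,
                    '<?xml version="1.0"?><Types>' + "".join(overrides) + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample(False)), ("macro", build_sample(True))):
        print(label, macro_report(doc))
```

A file that reports has_macros is not necessarily malicious, but it is the case where “just opening the attachment” can run code, so it is the one to hold back for inspection (oletools’ olevba can list the AutoOpen-style entry points) or to open with macros disabled.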
2012, A full Shamoon over Saudi Arabia
By the turn of the 21st century, the roadmap for future malware threats had been set. Viruses paved the way for a whole new generation of destructive malware. Cryptojackers stealthily used our computers to mine cryptocurrencies like Bitcoin. Ransomware held our computers hostage. Banking Trojans, like Emotet, stole our financial information. Spyware and keyloggers shoulder surfed us from across the web, stealing our usernames and passwords.
Old-school viruses were, for the most part, a thing of the past. In 2012, however, viruses made one last grab at the world’s attention with the Shamoon virus. Shamoon targeted computers and network systems belonging to Saudi Aramco, the state-owned Saudi Arabian oil company, in response to Saudi government policy decisions in the Middle East. The attack stands as one of the most destructive malware attacks on a single organization in history, wiping three-quarters of Aramco’s computers, The New York Times reported. In a perfect example of what goes around comes around, cybersecurity researchers have suggested the attack started with an infected USB storage drive, the modern equivalent of the floppy disks that carried the very first virus, Elk Cloner.
Today, tech support scams
Decades have passed since computer viruses reached their destructive zenith but there’s a related threat you should know about. Commonly referred to as a tech support scam or a virus hoax, this modern threat isn’t a virus at all.
Here’s how tech support scams work. The victim is served up a bogus pop-up ad after landing on a spoofed website or as a result of an adware infection. In a recent example, scammers used malvertising to link victims to malicious support sites after victims searched for things like cooking tips and recipes. We’ve also seen hacked WordPress sites redirecting to support scam sites. The bogus ad is designed to look like a system alert generated by the operating system, and it may say something like, “Security alert: Your computer might be infected by harmful viruses,” along with contact information for “Technical Support.” There’s no virus and no technical support—just scammers who will make it seem like you have a virus and demand payment to “fix” it.
According to the Federal Trade Commission there were 143,000 reports about tech support scams in 2018, with total losses reaching $55 million. What makes this scam particularly insidious is that cybercriminals frequently target the most vulnerable part of the world’s population. People 60-years-old and over were five times more likely to report being a victim of a tech support scam.
Is Chromium a virus?
As discussed above, a number of things that are called viruses are not actually viruses. Some of those, like ransomware or computer worms, are still malicious, but they are not computer viruses. Some things that are not malicious are sometimes suspected as viruses, and Chromium is a good example of this.
Chromium is not a virus. Chromium is a free open-source web browser project by Google. Much of the Chromium code serves as source code for Google Chrome, a legitimate and popular web browser. Just because you suddenly have Chromium on your computer doesn't necessarily mean that it’s malware. You may have unwittingly installed a legitimate copy of Chromium that was bundled with other software.
Because Chromium is open-source, anyone can download Chromium and modify it to suit their needs. Bad actors could download Chromium and alter it to serve malicious purposes. WebNavigator Chromium browser is an example of a threat actor adapting Chromium code and using it as a search hijacker. However to reiterate, Chromium itself is not a virus.
Network Security Basics
Series: IT security requirements
To secure corporate networks, administrators have to make many decisions, plan measures and carry out even more configuration steps. These include configuring the firewall, securing mail and web traffic, and choosing the right antivirus solution. This article shows which factors need to be considered and which approaches make sense.
Over the coming months we will use this space for a series on the requirements that administrators in particular sectors, such as banks, municipal utilities and the like, have to take into account to secure their networks. Before we highlight those sector-specific points, however, we first have to deal with the general network security requirements that apply in every environment.
Um moderne Unternehmensnetze abzusichern, haben Administratoren eine Vielzahl von Aufgaben zu erledigen, die in den letzten Jahren immer komplexer geworden sind. Fangen wir einmal mit den ganz grundlegenden Faktoren an, die es schon seit Jahren gibt. Der Erste davon ist eine professionelle, exakt an die Unternehmensanforderungen angepasste Firewall.
In this context it is important to know that a firewall alone is far from sufficient to provide an adequate level of security, even in a branch office or a remote site. Nevertheless, the firewall and its configuration still play a central role in the overall security concept. The firewall secures the traffic between LAN and WAN and therefore sees practically all inbound and outbound traffic. In addition, more and more extra functions have been added in recent years that go far beyond the original task of a packet-filter firewall. Examples include VPN connections for mobile users and remote sites, intrusion prevention (IPS) functions and URL filters, as well as all the functions that appear under the heading "next-generation firewall" (NGFW).
The professional configuration of the rules of a packet-filter firewall goes well beyond the rule set seen in many home routers, and often present as the default configuration of professional solutions too: "allow all access from the LAN to the Internet" and "deny all access from the Internet to the LAN". For example, in many environments such as remote sites and branch offices it can make sense to allow maintenance access from outside via SSH or something similar. At the same time, it usually also makes sense to block access from the LAN to the Internet via protocols that are normally only used within LANs. For instance, it is conceivable that malware uses TFTP to download further malicious code from the Internet, which remains without consequence if the associated data transfers are blocked. Protocols for local access to shares, such as SMB/CIFS, should also never be let through a firewall, so that the data stored on such shares cannot be retrieved from outside.
Admittedly, blocking unneeded services on the basis of protocol and port is far less important today than it used to be, since the majority of data transfers are handled over port 80 and port 443 with HTTP and HTTPS anyway. But as the foundation of a secure network, a firewall that only lets through the services that are absolutely necessary is still a good solution.
Securing Web Traffic
As just mentioned, the majority of data transfers today normally run over the Internet protocols HTTP and HTTPS. These protocols and their associated ports are likely to be open in practically every firewall. Since the most diverse data transfers take place this way, for example access to messengers, to cloud storage or to services such as Office 365, not to mention "normal" web surfing, a classic firewall that classifies data streams only by port and protocol has no chance of recognising whether malware is being distributed or data stolen over a given connection.
This is why a next-generation firewall that closely inspects HTTP and HTTPS transfers is indispensable. Such products examine the content of the data streams, filter out infected data, analyse user behaviour and decide on the basis of predefined rules which transfers are let through and which are not. Here too, administrators should define the policies as restrictively as possible so that only the data transfers that are actually needed are allowed. In many cases it also makes sense to combine this function with a web filter that blocks access to potentially dangerous and infected websites. To avoid too many problems when configuring the solution, the staff responsible should first test their rules in a "log only" mode and check in detail what is blocked and what is let through before switching them to enforcement. This avoids many calls from angry users to the IT department.
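Added example (not from the article): a small Python policy evaluator that encodes the rule set recommended above for a LAN/WAN firewall (default deny, LAN to Internet only for the services actually needed, SMB/CIFS and TFTP blocked, SSH maintenance access only from one designated external host) together with the "log only" test mode just described. The addresses, ports and rule names are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed sample addresses: the LAN behind the firewall and the single
# external maintenance host allowed to reach it via SSH (an assumption).
LAN = ip_network("192.168.10.0/24")
MAINT_HOST = ip_network("203.0.113.10/32")
ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str              # "tcp" or "udp"
    dports: frozenset[int]
    action: str             # "allow" or "deny"

# First match wins, so the explicit denies for LAN-only protocols come first;
# anything unmatched falls through to the default deny. The firewall sits
# between LAN and WAN, so LAN-internal share access never reaches it and is
# unaffected by the SMB rule.
RULES = [
    Rule("deny-smb-cifs", ANY, ANY, "tcp", frozenset({139, 445}), "deny"),
    Rule("deny-tftp", ANY, ANY, "udp", frozenset({69}), "deny"),
    Rule("ssh-maintenance", MAINT_HOST, LAN, "tcp", frozenset({22}), "allow"),
    Rule("lan-web-out", LAN, ANY, "tcp", frozenset({80, 443}), "allow"),
    Rule("lan-dns-out", LAN, ANY, "udp", frozenset({53}), "allow"),
]

def evaluate(src: str, dst: str, proto: str, dport: int,
             log_only: bool = False) -> tuple[str, str]:
    """Return (verdict, rule name) for a new connection. In log_only mode the
    packet always passes, but the verdict the rule set would have produced is
    logged, so rules can be checked before being switched to enforcement."""
    s, d = ip_address(src), ip_address(dst)
    verdict, matched = "deny", "default-deny"
    for rule in RULES:
        if (s in rule.src and d in rule.dst and proto == rule.proto
                and dport in rule.dports):
            verdict, matched = rule.action, rule.name
            break
    if log_only:
        print(f"LOG-ONLY {src} -> {dst} {proto}/{dport}: would {verdict} ({matched})")
        return "allow", matched
    return verdict, matched
```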
Mail Security and Anti-Spam
Let us now turn to securing mail traffic. Most corporate environments have either a local mail server such as Exchange or a cloud service where a provider takes care of configuring and securing the mail infrastructure. Since mail is one of the most important distribution channels for malware such as ransomware, Trojans and viruses, it makes sense to pay special attention to mail security regardless of the architecture in use.
There are various systems for securing mail traffic. These include anti-virus and anti-spam programs on the host, that is, the mail server itself, which examine the transferred data in transit and remove malware or move infected messages into quarantine. Such solutions have the advantage that they operate at a central point and are therefore both relatively easy to manage and able to see all relevant traffic.
As far as anti-spam products are concerned, make sure they are able to examine mails not only by their originating domain but also by their content (analysing wording and keywords) and by sender reputation. For classification they should also be able to draw on typical anti-spam lists such as those from . In many cases, powerful spam filters can also combat phishing mails.
Alternatively, client-side mail security solutions are also available, often integrated into anti-virus programs. These likewise examine and secure inbound and outbound messages, but directly on the respective client. Since they have to run on every workstation in the network, managing them is somewhat more laborious than with centrally operating products. As a rule, however, a central management console is available for such solutions. Their use makes sense above all in environments where the clients have to communicate with mail servers whose security level the corporate IT department cannot influence, for example Google Mail or similar services.
Antivirus Solutions
Now that we have arrived at the endpoints in the network, let us also look at typical client-based security solutions, namely antivirus programs. While it used to be one of every security expert's standard tips that an antivirus program must be installed on every (Windows) client, opinions on this now differ. There are several reasons for this. First, antivirus programs must be able to inspect all files on a machine and, ideally, all of the device's memory as well. In doing so, they inherently bypass the operating system's security concept and open up attack surfaces that would not exist without an anti-virus program. If, for example, an anti-virus tool running with the highest privileges has a security vulnerability and an attacker can exploit it to gain access to the system, then in most cases the attacker automatically has the highest privileges afterwards and therefore usually the opportunity to do whatever they want with the machine.
Second, Windows Defender, Microsoft's own anti-virus tool that has long shipped with Windows, has improved significantly in recent years. Whereas Windows Defender initially performed poorly in tests by anti-virus specialists and stood out with comparatively weak detection rates that could not keep up with those of other products on the market, this has changed considerably. Today Windows Defender detects just as many viruses as other security solutions.
Does it therefore still make sense to deploy other antivirus solutions at all? Opponents of this step say that no company knows Windows better than Microsoft and that the number of employees in Microsoft's security department is larger than the total headcount of most anti-virus software vendors. Microsoft's expertise is therefore the best, they argue, and Windows Defender is preferable to all other products in this area.
Proponents of the opposite view say that Windows Defender, even if it is now just as capable as other solutions, becomes a risk simply because of the large number of installations. After all, many attackers design their malware to infect as many machines as possible, and if they assume that Defender is the security solution running on most Windows computers, they will, where possible, make sure their malware can get past Windows Defender. Using a different antivirus program would in such a case help prevent the infection.
A further argument for third-party solutions is additional functions, such as the client-based mail security mentioned earlier or anti-spam functions. If these are needed in the company, administrators have to choose a product that fulfils all of the requirements at hand. In the end, the final approach therefore depends on the preferences of the decision-makers and the requirements of the respective environment.
Conclusion
Securing a network comprehensively requires many decisions and many configuration steps. This article could only give a brief overview of the most important steps. In most environments further actions will be required, such as setting up secure remote access for mobile staff and home offices via VPN connections. In the next parts of the series we will look more closely at the network security requirements of specific industries.