[Repost] "2019 China Host Security Service Report" released

At the beginning of 2020 the COVID-19 epidemic spread rapidly; the virus broke through physical boundaries and introduced unpredictable variables into the development of human society. In cyberspace, the "fifth domain" beyond land, sea, air and space, the deep integration of the physical and virtual worlds means that unknown threats keep touching the red line of security, and preventing cyber attacks is imperative. For enterprises, the host is the core that carries enterprise data and services and the last mile of defense against cyber threats, so how to resolve its security risks is especially critical.

To give organizations in all industries a full and clear understanding of the current security status of hosts and of how to protect them, Qingteng Cloud Security, together with the China Industrial Internet Development Alliance (IDAC), Tencent Standards and Tencent Security, recently released the "2019 China Host Security Service Report". Guided by theory and based on a large amount of survey data collected beforehand, the report analyzes the current overall state of host security and the maturity of host security products in China, and points out the direction for the future development of host security.

Four dimensions and 20 perspectives: the overall status of the host

The report analyzes the overall state of host security in 2019 from four aspects: host asset overview, host risk analysis, host intrusion detection, and host compliance analysis.

Asset inventory

Without a complete and detailed inventory of host assets, a security operations team cannot ensure the security of the organization, because nobody can protect what is "unknown". The report analyzes a large number of enterprise-level core host assets in order to support enterprises in developing their security protection strategies.

Statistical analysis shows that among enterprise customers, 81.45% of hosts run the Linux operating system and only 18.55% run Windows. There are many reasons for this, such as Linux's better compatibility, modularity and lower resource consumption, so many customers choose Linux.

Figure 1: Usage ratio of different host operating systems

Analysis of the sample data shows that 74% of hosts have special accounts such as UID 0 or GID 0 accounts, the root / Administrator account, and accounts with sudo permissions. These special accounts are favored by attackers and are high-risk assets that require key protection.

Figure 2: Usage of special host accounts

In addition, the sample data shows that on Linux systems the most widely used web service application is Tomcat, at 58%, followed by Nginx at 32%.

Figure 3: Usage of the top 5 web services on Linux

In Windows environments, IIS is the most used at 47%, followed by Tomcat at 36%. Apache and Nginx also account for a certain proportion.

Figure 4: Usage of the top 5 web services on Windows

Assess which risks exist

To discover system risk points before an intrusion, security personnel need professional risk assessment tools to detect, remove and control risks and so reduce the attack surface, covering security patches, vulnerabilities, weak passwords, application risks, account risks and so on.

Ranking vulnerabilities by the number of hosts they affect, many of the top 10 vulnerabilities with the widest impact in 2019 were vulnerabilities from previous years. On old assets in particular, patching is seriously inadequate, so these vulnerabilities have become a breakthrough point for intrusions.

Figure 5: Top 10 vulnerabilities affecting hosts in 2019

Beyond vulnerabilities, surveying and mapping of Internet-exposed assets such as web servers found that a large number of assets have high-risk ports open, which poses a high security risk. For example, attackers commonly attempt intrusions on ports 22 and 3389; if a host allows login with a weak password, it is easily compromised and then controlled by the attacker. In particular, BlueKeep (CVE-2019-0708) and the Windows RDS vulnerability (CVE-2019-1181), both disclosed this year, are vulnerabilities in Windows Remote Desktop Services and are very harmful, and 3389 is the default port of Windows Remote Desktop, so Windows servers are more exposed to intrusion. It is recommended to change the default remote-connection port of servers and, where remote access is not necessary, to close the port.

Figure 6: Exposure of common high-risk ports

In addition, different services have weak passwords characteristic of the service, and some are the default passwords set at installation; for example, the default password of the MySQL database is empty. Analysis shows that weak passwords in host software are concentrated in five applications: MySQL, SSH, SVN, Redis and vsftpd, with the proportions for MySQL and SSH exceeding 30%.

Figure 7: Weak password inventory of host software

Trojan viruses are also the most common risk on hosts. Risky Trojan software (riskware) accounts for the highest proportion (over 40%) across all industries. The technology industry has a smaller proportion of it than other industries; since infection by risky Trojan software is mainly caused by bad Internet habits and a lack of security awareness (such as using pirated software or cheat and plug-in tools), this may reflect the relatively higher security awareness of employees in the technology industry.

The proportion of Trojan infections in the education industry is relatively high, which may be related to the frequent transfer of files in that industry.

Figure 8: Distribution of virus types in different industries

Apart from risky software, the backdoor remote-control Trojan is the most common infection type, at about 20%. Backdoor remote-control Trojans are extremely stealthy: they accept remote commands to steal information, take screenshots, upload files and perform other operations, and can cause great harm to information-sensitive industries such as financial technology.

Detect which attacks exist

Sample analysis of servers exposed on the public Internet shows that among common attack types, remote code execution (RCE), SQL injection and XSS attacks account for a high proportion. At the same time, the volume of probe scans, which attackers use to gather basic information about servers and websites, is also very high.

Figure 9: Common host vulnerabilities

In 2019 there were more than one million Trojan and virus infections on the servers of enterprise users nationwide. Webshell malicious programs accounted for 73.27% of these infections, Windows malicious programs for 18.05%, and Linux malicious programs for 8.68%.

Figure 10: Hosts infected with virus Trojans

More than 10,000 distinct Trojan viruses were found on the infected hosts, of which Webshells accounted for about 27%, Windows Trojan viruses for about 61%, and Linux Trojan viruses for about 12%.

Figure 11: Distribution of virus Trojan types

As can be seen above, there were nearly 800,000 Webshell malware infections in 2019, about 70% of all infections. By number of infected servers, Webshell-infected Windows servers make up about 44% of all Windows servers, while Webshell-infected Linux servers make up about 0.2% of all Linux servers, which shows that Windows servers are more vulnerable to Webshell attacks.

By Webshell language, PHP Webshells are the most common, followed by ASP.

Figure 12: Proportion distribution of Webshell language types

In addition, based on sample data from different operating systems, the report found more than 3000 Windows servers and more than 2000 Linux servers infected with mining Trojans.

Analysis of the infected hosts shows that mining Trojans mainly mine Bitcoin and Monero. A likely reason is that Bitcoin is the pioneer of digital currency and has a very high value, so it has become a focus for attackers, while Monero is an emerging digital currency that is mined mainly with the CPU, so criminal groups like to use compromised servers to mine it. Looking at the timing of mining intrusions:

Mining events on the Windows platform are concentrated at the beginning of the year (January to March) and the end of the year (December):

Figure 13: Monthly statistics of mining events on the Windows platform

Mining events on the Linux platform, by contrast, are concentrated in the middle of the year (April to June) and the end of the year (November to December):

Figure 14: Monthly statistics of Linux platform mining events

On both the Windows and the Linux platform, then, the end of the year is a period of high incidence of mining intrusions, and during this period particular attention should be paid to whether server CPU usage is abnormally high.

Determine whether compliance is met

The network security construction of every enterprise and institution must meet national or regulatory security standards, such as MLPS 2.0 (China's Classified Protection of Cybersecurity 2.0) and the CIS benchmarks. These security standards are also known as "security baselines". A security baseline defines a series of benchmarks that achieve the most basic protection requirements, and baselines are widely used in finance, telecom operators, the Internet industry and elsewhere. Self-inspection and self-hardening against a compliance baseline help enterprises recognize their own risk status and hidden vulnerabilities.

The importance of host account security is self-evident, yet the sample analysis still found many non-compliant accounts, for example with no lockout after a number of failed password attempts and no password complexity limit, which does not meet the national classified-protection requirements. The identity-authentication control items in the general requirements of MLPS 2.0 explicitly require that "the identity of logged-in users should be identified and authenticated, identities should be unique, and authentication information should meet complexity requirements and be changed periodically", and that "there should be a login-failure handling function, with measures such as ending the session, limiting the number of illegal login attempts, and automatically logging out when the login connection times out configured and enabled."

Figure 15: Non-compliance of host accounts

In addition, many applications are hosted on the server. If an application is non-compliant, for example through a misconfiguration or an unpatched vulnerability, attackers can enter the host system through the application, which brings great risk.

Figure 16: Configuration risks of common applications

Of course, if the host's underlying operating system is not properly configured, many security problems follow. Security operations personnel are advised to configure hosts carefully to meet the organization's security needs and to reconfigure them as those needs change. Research and analysis of the sample data shows that three problems, no GRUB password set, an abnormal UMASK value, and SYN cookies not enabled, account for the largest proportion of all host system risks.

Figure 17: Analysis of the non-compliance of the host system
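The special-account finding of Figure 2 and the three system-configuration findings above (GRUB password, UMASK, SYN cookies) can be audited with a short baseline script. The following is an added example, not the report's or Qingteng's own tooling; the file paths are parameters and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not the report's tool): POSIX sh checks for extra UID 0 / GID 0
# accounts, the default UMASK, SYN cookies and the GRUB password. Paths are
# parameters: run on the constructed samples below or, on a real host, on
# /etc/passwd, /etc/login.defs, /proc/sys/net/ipv4/tcp_syncookies, grub.cfg.

# Print every account other than "root" whose UID or GID is 0.
uid0_accounts() {
    awk -F: '($3 == 0 || $4 == 0) && $1 != "root" { print $1 }' "$1"
}

# 0 when the last UMASK in a login.defs-style file masks group-write and all
# "other" bits (027, 077); 1 when it is missing or looser (022, 002).
umask_ok() {
    m=$(awk '$1 == "UMASK" { v = $2 } END { print v }' "$1")
    [ -n "$m" ] || return 1
    case "$(printf '%s' "$m" | tail -c 3)" in
        ?[2367]7) return 0 ;;
        *)        return 1 ;;
    esac
}

# 0 when tcp_syncookies is enabled (1) or forced on (2).
syncookies_ok() {
    v=$(cat "$1" 2>/dev/null)
    [ "$v" = 1 ] || [ "$v" = 2 ]
}

# 0 when the GRUB2 config sets a PBKDF2 superuser password.
grub_password_ok() {
    grep -q '^[[:space:]]*password_pbkdf2' "$1" 2>/dev/null
}

# Run all four checks, print one line per finding, return the finding count.
baseline_findings() {
    n=0
    for u in $(uid0_accounts "$1"); do
        echo "FINDING: extra UID/GID 0 account '$u'"; n=$((n + 1)); done
    umask_ok "$2"         || { echo "FINDING: UMASK missing or permissive"; n=$((n + 1)); }
    syncookies_ok "$3"    || { echo "FINDING: tcp_syncookies disabled"; n=$((n + 1)); }
    grub_password_ok "$4" || { echo "FINDING: no GRUB password set"; n=$((n + 1)); }
    return "$n"
}

# Constructed sample host: second UID 0 account, UMASK 022, SYN cookies off, no GRUB password.
SAMPLE=$(mktemp -d)
printf 'root:x:0:0::/root:/bin/sh\nops:x:0:0::/home/ops:/bin/sh\nweb:x:1001:1001::/srv:/sbin/nologin\n' > "$SAMPLE/passwd"
printf 'UMASK 022\n' > "$SAMPLE/login.defs"
printf '0\n' > "$SAMPLE/tcp_syncookies"
printf 'set timeout=5\n' > "$SAMPLE/grub.cfg"
baseline_findings "$SAMPLE/passwd" "$SAMPLE/login.defs" "$SAMPLE/tcp_syncookies" "$SAMPLE/grub.cfg" || echo "$? finding(s)"
```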

Interpreting the future evolution of host security at three levels

As Darwin's theory of evolution says, evolution comes from mutation, and what security faces is an "unpredictable future". Host security is an important branch of network security, and given the difficulty of predicting attacks, traditional prevention-and-blocking strategies no longer work.

On the one hand, attackers and defenders are naturally in unequal positions, and traditional detection based on alerts or known threat signatures, including passive defenses such as firewalls, IPS, antivirus and sandboxes, makes this inequality even more serious. Many enterprise organizations compromised by attackers had already established some security defense system, yet still could not detect or stop the threat in time and minimize their losses. The main reason is that current detection systems have shortcomings in responding to unknown threats, which show in the following aspects:

  • Single detection technique: signature-based detection cannot detect unknown threats and cannot locate compromised hosts.
  • Lack of continuous detection: only periodic detection is possible, which cannot cover the entire life cycle of a threat.
  • No linkage: each security detection product works independently, so attack alert information is fragmented and cannot be correlated.

On the other hand, offensive and defensive confrontation is becoming more and more intense; relying solely on prevention strategies is no longer feasible, and more attention must be paid to detection and response. Enterprise organizations should build a new security protection system that integrates defense, detection, response and prevention under the assumption that they have already been breached. This can also be seen in the rules of the network exercise in June 2019, which do not require that systems never be breached but emphasize the ability to respond quickly after an intrusion.

Finally, with the rapid development of cloud computing, multi-cloud and cloud-native trends have gradually become mainstream. Alongside new architectures such as multi-cloud and cloud-native, new host forms have also emerged, bringing topics not considered before.

To cope with the continuous evolution of the external environment, host security protection software is constantly updated and iterated, producing a series of host security products in subdivided fields. By level of development, host security products can be summarized in five stages: "basic host security products", "application-centric host security products", "detection-and-response-centric host security products", "active-defense-centric host security products", and "new-form host security products".

Figure 18: Host security maturity curve

It can be seen that in the future, as a necessity of enterprise infrastructure, host security products can only help enterprises better cope with the unknown future if they develop in the direction of "continuous detection, rapid response and comprehensive adaptation".

Closing words

The comprehensive theoretical system of the "2019 China Host Security Service Report" not only helps the market fully understand the current status of host security in China, but also points out the direction for the development of host security. In the future, as a domestic host security leader, Qingteng will continue to deepen exploration and promotion in this field, continue to help users in industries such as government, finance, Internet, telecom operators, healthcare and education, build a last-mile line of defense for cyber security, and give China's network security business a steady stream of security immunity!

Source: www.cnblogs.com/jinanxiaolaohu/p/12683605.html