Krasnoyarsk scientists explain how to secure a corporate network

17 January 2022

Krasnoyarsk scientists have identified the main sources of Internet threats to corporate networks and determined how the COVID-19 epidemic has affected cybersecurity. The greatest danger is posed by web spiders that attack servers through their vulnerabilities. From the data obtained, the researchers compiled recommendations for improving cybersecurity and preventing threats that could interfere with the operation of the corporate network. The results of the study were presented at The 2nd Siberian Scientific Workshop on Data Analysis Technologies with Applications (SibDATA-2021).

In the modern world of information technology, corporate networks are an essential tool of everyday life. These networks provide access to webmail, private clouds, and other online resources. Since web systems and web services use the Internet, there are risks associated with information security. Ignoring them can cause data leakage or loss, unauthorized access to the system, or a complete disruption of its performance.

Researchers from the Institute of Computational Modeling of the Federal Research Center "KSC SB RAS" identified sources of Internet threats in the corporate network, and also determined the impact of the COVID-19 pandemic on the use of Internet services and cybersecurity. Based on the results obtained, the experts gave recommendations for improving the protection of web services.

The scientists analyzed two years of data from web service logs and from the traffic monitoring system of the KSC SB RAS corporate network. The long measurement period allows a deeper assessment of the dynamics of ongoing processes by hour, day and month.

According to the researchers, in 2020, the daily number of attacks increased by 1.5 times for HTTP protocols and 2.5 times for HTTPS compared to the previous year. At the same time, the number of intensive attacks on web resources in 2020 decreased by about half.

“Web spiders” pose a huge threat to the functioning of web services. These are programs which crawl web resources and collect data. Errors and inaccuracies in their work can cause disturbances in the functioning of the system. Moreover, there are special “malicious spiders” that look for existing vulnerabilities in web resources and use them to attack the server. Most errors in the FRC KSC corporate network are caused by crawling and web spider attacks. At the same time, the average number of such errors in 2020 increased by more than 60%.

According to the results of the study, in both years a significant number of errors were observed in the corporate network at night, when real users are absent. Real users are active mainly during working hours, from 9:00 to 18:00. This indicates constant activity by web spiders and bots scanning the web resources.

The COVID-19 pandemic has changed the structure of network security risks and malicious attacks. For example, employees of the center began to use the more secure HTTPS protocol more often to access site resources, reducing the level of cyber threats. Protocols such as the Session Initiation Protocol (SIP) have also become more susceptible to malicious attacks, reflecting the popularity of video conferencing during the COVID-19 pandemic.

“Ensuring information security is a complex task which includes measures to reduce threat risks. An important part is the analysis of web services activity logs, which allows detecting web attacks and optimizing hardware settings. The analysis of service activity is also necessary to identify infrastructure weaknesses (processor, memory, disk, network operations) to reduce the consequences of increased loads, including hacker attacks. The study of the effectiveness of protection measures should be carried out without side effects on the existing infrastructure. The analysis performed makes it possible to ensure the continuous functioning and security of computer systems. When implementing complex software systems, it is necessary to pay special attention to collecting, storing, processing and analyzing logs of various services to identify existing and potential security problems,” says Sergey Isaev, Candidate of Technical Sciences, Head of the Department at the Institute of Computational Modeling of the SB RAS.

Based on the results obtained during the study, the experts developed recommendations for strengthening the cybersecurity of the network and Internet services.

“Here, we recommend adding additional rules to the intrusion detection system, and using the calculated standard deviation parameters to build models to distinguish background scanning from targeted attacks. Site owners should regularly update their web resources which use popular content management systems (CMS), forums, and third-party modules, since the study of the malicious activity of web spiders shows an increased interest in vulnerabilities in older versions of these systems. To enhance security, it makes sense to integrate the automatic download of lists of malicious IP addresses obtained from web resource logs into the threat blocking system on the border router. This measure will allow blocking malicious hosts not only for web services, but also for the entire range of IP addresses of the Krasnoyarsk Science Center. The most effective way to prevent security threats is to use whitelisting of IP addresses and VPN services to access corporate resources,” says Dmitry Kononov, researcher at the Institute of Computational Modeling of SB RAS.
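An added illustration of the log analysis described above (not the researchers' code or model): it measures the share of HTTP errors served outside the 9:00 to 18:00 working window and flags clients whose error count exceeds the mean by k standard deviations. The Combined Log Format input, the function names, the k = 2 threshold and the sample lines are assumptions.

```python
import re
from collections import Counter
from datetime import datetime
from statistics import mean, pstdev

# Assumed input: Combined Log Format (client, timestamp, request, status).
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

def parse(lines):
    """Yield (ip, hour, status) per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group(1), ts.hour, int(m.group(3))  # hour in the log's own time zone

def off_hours_error_share(events, start=9, end=18):
    """Fraction of 4xx/5xx responses that fall outside working hours."""
    hours = [h for _, h, s in events if s >= 400]
    if not hours:
        return 0.0
    return sum(1 for h in hours if not start <= h < end) / len(hours)

def error_outliers(events, k=2.0):
    """Clients whose error count exceeds mean + k * stddev over all clients.
    `events` must be a list, since it is scanned twice."""
    clients = sorted({ip for ip, _, _ in events})
    errors = Counter(ip for ip, _, s in events if s >= 400)
    counts = [errors[ip] for ip in clients]
    if len(counts) < 2:
        return []
    threshold = mean(counts) + k * pstdev(counts)
    return [ip for ip in clients if errors[ip] > threshold]

# Constructed sample (documentation-range addresses): six daytime users,
# one of them with a single 404, plus one client producing errors at 03:00.
SAMPLE = [
    f'192.0.2.{i} - - [17/Jan/2022:{9 + i}:15:00 +0700] "GET /index.html HTTP/1.1" 200 512'
    for i in range(1, 7)
]
SAMPLE.append('192.0.2.3 - - [17/Jan/2022:14:20:00 +0700] "GET /old-page HTTP/1.1" 404 153')
SAMPLE += [
    f'203.0.113.50 - - [17/Jan/2022:03:{m:02d}:00 +0700] "GET /missing-{m} HTTP/1.1" 404 153'
    for m in range(8)
]

if __name__ == "__main__":
    events = list(parse(SAMPLE))
    print("off-hours error share:", round(off_hours_error_share(events), 2))
    print("candidates for review:", error_outliers(events))
```

The flagged addresses are candidates for review before they feed a blocklist; a larger k trades fewer false positives for missed low-volume scanners.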