Information security violations. Internet and security of the corporate information space

Survey results

M.S. Savelyev
Deputy Marketing Director
"Informzashita" company

An effective strategy for protecting the corporate information system (IS) requires not only the desire to ensure comprehensive security of the company's network, but also an analysis of the current state of affairs in this area and an assessment of the actions taken to analyse existing risks and prevent violations. The results of a survey conducted by the journal "Information Security" may be useful for studying the information security (IS) problems of companies.

The results of this survey eloquently indicate that the main threat to the security of the corporate information space comes from within the company.

"Hygiene" of the company's information system

Almost none of the respondents experienced significant violations of the company's information security by external attackers (Fig. 1). Half of the respondents claim that in their memory there have been no attempts to penetrate the corporate IS from the outside. True, for an absolutely accurate conclusion it would be interesting to take one more fact into account: whether the companies participating in the survey have the means to detect and prevent external attacks at all. But such a question was not asked.

In everyday practice one quite often encounters the fact that, despite having security tools in their arsenal, the information security departments of companies and organizations are unable to use them successfully. An indirect confirmation of this is the pattern of answers to the question "How developed is the management of the information security system?" (Fig. 2): even such a "hygienic" means of protection as an antivirus is used ineffectively. In the companies of almost a fifth of respondents, automatic updating of anti-virus databases is not configured; this matter is left to the users. From this it is absolutely clear that the management and IT specialists of the respondent companies may simply be unaware of what events are occurring in their systems. By the way, modern threats such as bot viruses can be detected only by subtle signs, or rather, only by analysing the output of carefully configured security tools.

The most dangerous offender is the user

Contrary to the very common statements in 2006 about the enormous danger posed by insider threats, the magazine's survey showed that the majority of incidents in the actual experience of information security specialists are unintentional actions of users (Fig. 3). In fact, users violate the rules established in the organization for the use of the corporate IS by non-maliciously committing one action or another (Fig. 4). Moreover, it is characteristic that the rules of conduct in the field of information security for company employees are prudently described (Fig. 2) in the information security policy, in the employees' job responsibilities, and in other documents. Despite the presence of special instructions and documents on information security in their companies, as the survey participants testify, many security violations occur due to the lack of awareness of users.

Is this happening because the requirements of information security documents are not communicated to employees? In response to the question "How do employees in your company learn about their responsibilities in the field of information security compliance?" (Fig. 5), 15% of respondents said that such requirements exist only on paper and employees are not informed about them in any way. Regular training in the field of information security is carried out in only a fifth of the surveyed companies. In the overwhelming majority of cases, information security specialists somewhat arrogantly believe that employees must somehow master the contents of the security regulations on their own. I dare say that even familiarization "under signature" has no effect: we are all accustomed to formally signing safety instructions without delving into their essence. Often they do without even that.

Chasing three hares

What does the 10% of detected violations mean for us? Judging by the even distribution of answers to the question "Describe the importance of corporate information" (Fig. 6), few information security specialists really understand the essence of the business being protected. Of course, the question itself is posed somewhat bluntly, but in practice one quite often encounters the fact that, in pursuit of three hares at once (integrity, confidentiality and availability), many are ready to catch not what is critical but "whoever is easier to catch". Sometimes such attempts lose touch with common sense: at some point all the efforts of the security service are spent on restricting the use of USB drives, while e-mail, faxes, printers and other means of sending information outside the organization are not controlled at all. Problems of information recovery and system performance in the event of a failure are generally ignored. By the way, this is one of the main threats if you trust the answers to the question "Indicate the types of use of company information resources by employees who violated the established regimes in the past year" (Fig. 4).

Is this misunderstanding the reason for the contradiction revealed by the survey: despite the enormous importance that company management attaches to security issues (Fig. 7), top managers are in no hurry to increase funding for information security and improve security systems (Fig. 8)?

Security specialists "in their own juice"

From the study it is quite obvious that many security specialists are "stewing in their own juice": answering the question "What information security management and examination measures has your company applied over the past year?" (Fig. 9), only 12.5% of respondents stated that they use the services and advice of professional security consultants. Slightly more than another 6% turn to international standards and practices. The rest prefer to check reality only against their own experience and the experience of their colleagues. It should be especially noted that a significant portion of respondents are confident that the number of information security incidents will only grow in the future, and that it will become more difficult to identify them (Fig. 10). However, the majority of respondents are hoping for some kind of panacea, a magic wand in the form of a high-tech solution that will save them from the impending danger. It is gratifying to note that the main hopes lie precisely in the correct construction and management of protection processes. And this confirms the growth of interest in accepted international security standards. Modern specialists consciously strive to use the recommendations of the standards in their daily activities.

Consequences of an information security breach. Characteristics of the network hacking system. "Trojan horses" in pirated software. Security of an enterprise information system: features of the security process and analysis of the causes of violations.


Course work

Analysis of the causes of information security violations in the communication channel section (the system for ensuring data exchange through the medium) in modern government information and communication systems.

Content

  • Introduction
  • Network hacking system
  • Reasons for violation
  • Irresponsibility

Introduction

What is information security? Experts say that information security is the protection of information from accidental or intentional negative influences. The responsibilities of those responsible for information security include predicting and preventing attacks on information, as well as minimizing damage from them.

Today, the computer plays a significant role in all areas of human activity. With the introduction of information technologies into our lives, the volume of information in electronic form has also grown. Information has become easier to store, but keeping it safe has become more difficult. A document can be locked in a safe, and even if the safe is broken into, it takes a significant amount of time to copy the text. Information on electronic media can be stolen almost instantly: in a few seconds, attackers can copy or destroy the results of many years of work. The appearance of computer networks made the task of information thieves even easier, since physical access to the information carrier ceased to be a prerequisite.

What are the consequences of an information security breach?

The theft, substitution or destruction of information leads to serious economic losses. Stolen information may fall into the hands of competitors, valuable information may be destroyed or replaced, which will lead to material losses and damage to the company's reputation.

In addition to economic damage, computer attacks also cause moral damage. As a result of hackers' actions, personal correspondence may become public knowledge. Various malware disrupt the operation of computers and create discomfort for their users.

What are the most common causes of information security violations? Even in the age of hacker chaos, the main pest remains the user himself. More than half of the cases of damage to information are due to the fault of a "teapot" (a clueless user), who can destroy information through stupidity or carelessness. In second place is damage due to fires (approximately 15% of cases). Equipment failure also causes an information security breach in fifteen percent of cases. The share of damage from water and computer attacks is insignificant compared to all of the above: ten percent. However, the role of computer hackers is steadily growing, and security services cannot fail to take them into account.

Network hacking system

Networks are used every day in corporations and various organizations. Data and resources are shared everywhere. Of course, security issues must be addressed when planning networks in order to avoid possible costs later. Typically, networks are organized on a client-server basis. Users use workstations to access the server, which contains the bulk of the information and is therefore of greater interest from a hacking point of view. Whatever company owns the network, be it a bank, a ministry, a pharmacy or anything else, hacking causes damage. And although hacking often occurs from the inside, that is, it is carried out by a person who already has some access rights, it is interesting to look at hacking from the outside.

Statistics show that network hacking is usually carried out by men aged 16 to 25 years. The reason for this is often the desire to prove oneself, to increase one’s skills in this area, or the desire to use network resources for one’s own purposes.

Whose networks are hackers interested in breaking into? Providers', to get free Internet; small commercial companies', for fun; banks', because it is very cool (and often physically impossible: there is no real cable to the outside, for example); and many others. Often hackers use scanner programs to identify machines that can be hacked, and then break into them. Intruders who identify a target in advance must be much more experienced. Such actions are dictated not by interest but by a specific task, possibly related to a lot of money. Usually, to do this, a huge amount of information about the machine is first collected (and not only through the network), but still, most likely, the first thing is that they just break whatever is easiest.

Typically, a company's connection to the Internet consists of:

· WWW server;

· mail;

· Internet access for users.

Typically, mail and WWW are kept on a separate server, and the rest of the computers on the network are separated from the world by a firewall program, which is usually installed on the gateway. Undoubtedly, a good administrator tries to prevent hacking both from the outside and from the inside. In what follows, we will assume that the attacker wants to gain access to the network. Web servers are usually not hacked if packet filtering is set up correctly. A mail server is more practical from a hacking point of view, since mail must be distributed further and the mail program thereby has some access to the network. In addition to mail, there are several other programs that may be of interest to an attacker:

ftp (21), ssh (22), telnet (23), smtp (25), named (53), pop3 (110), imap (143), rsh (514), rlogin (513), lpd (515).

Packets for SMTP, named and portmapper can be easily filtered, reducing the risk of hacking. Sometimes, however, the task of hacking is made easier by the fact that packet filtering is not organized correctly. This can occur due to segmentation, an incorrect per-port packet routing table, several names hosted on one machine, or modem access. The presence of DNS on the network can create unnecessary problems; it is much safer to use numerical addresses within a company. Another weak point is the finger program. With its help it is quite easy to find out the type of operating system, for example by looking up the users root@host, bin@host or daemon@host.

Please also keep in mind that the addresses listed in the hosts.equiv, .rhosts or .shosts files have higher priority when communicating with the machine, so hacking from these addresses may well be easier. This fact is commonly exploited by hackers. To secure your network, it is advisable to ensure that the trusted addresses have the same level of protection.

Another danger is that users install pirated software on their machines. Such programs may contain various types of Trojan horses disguised as a screensaver, an add-on, or something else. This usually happens on Windows machines, where anyone can install programs. Trojan horses perform simple tasks and then destroy themselves. They can send out addresses and the contents of server system files that are needed to enter the network, for example passwd.

It is clear that intruders must protect themselves. To do this, firstly, they need to hide their IP addresses. There are a few simple ways to do this:

· use an intermediate address via telnet or rsh;

· use Windows and Wingate;

· use an incorrectly configured proxy server.

Before breaking in, the attacker will collect information about the network. He will try to find out the addresses of machines on the network, user names, and the operating system type. Some of this can be learned quite legitimately by looking at files on a Web server or an FTP server, running the finger program, or simply trying to log into the server. After this, he will have an idea of the network, the connections between computers, the presence of ports suitable for hacking, and much more.

Next, an attempt will be made to identify the machines that are treated as the most trusted. It is possible that some of the information is stored separately and accessed through nfsd or mountd. For example, the configuration files in /etc and the executables in /usr/bin may be stored this way.

After receiving this type of information, the attacker will scan the network for security holes. For this there are programs like ADMhack, mscan and nmap for Linux. A fast channel is required for their operation, preferably optical fibre. ADMhack requires root rights to start; the others can start without them. The hacker need not be the administrator of the machine on which the scanner is running; he could have embedded it as a "Trojan horse" in any other program.

ADMhack and mscan do something like this:

· TCP port scanning;

· obtaining information about RPC services launched via portmapper;

· obtaining a list of exported directories via nfsd;

· obtaining information about the presence of samba or netbios;

· running finger to collect information about users;

· checking CGI scripts;

· checking for the possibility of hacking the Sendmail, IMAP, POP3, RPC statd and RPC mountd daemons.

If the information collected allows for a bypass through trusted addresses, then the opportunity is usually used. If there is no such path, then a mail server is used to penetrate deeper into the network. At the same time, attempts are being made to programmatically remotely hack Sendmail, IMAP, POP3 and RPC services, such as statd, mountd and pcnfsd. Sometimes already hacked machines are used for this, since it is often necessary to have the program compiled on the same platform.

After at least one of the techniques has passed and it has been possible to gain access, the attacker will carefully cover his tracks, clear records in files and install programs so that his presence will not be detected later.

Typically, this involves installing modified versions of programs and changing the dates and access rights of files. Even ftp can be used to download the new programs. It is possible that instead of carefully deleting information about himself, the intruder will install new versions of the ps and netstat programs that hide information about the hack. Some crackers may place a .rhosts file in the /usr/bin directory to allow the bin user to log in remotely via rsh or csh.

For the intruder, clearing the log records is a must. You cannot protect yourself simply by duplicating the logs. A nice trick is to send the log records to a printer: this makes it virtually impossible to edit them. In any case, the attacker will move on only after the records have been cleared. Whether he will hack the network itself or only the main servers is most likely a matter of taste, but if everything up to this point went more or less smoothly, eradicating the hacker will be quite a labour-intensive task.

If the goal of hacking was to obtain information from the network, then we can admit that it is half achieved, since after hacking something like a mail server it is much easier to gain access to the rest of the network. Most likely, the protection further in will not be any better, and hacking it has already been rehearsed. However, there is still something to do: collect passwords, download information from protected machines, and the like. The intruder has undoubtedly mastered these techniques as well.

The most effective way of collecting names and passwords is to install an "ethernet sniffer" program. Such a program "hangs" on the network card, "sniffing" everything that passes over the network and selecting packets with names and passwords. It is most effective on a computer in the same subnet as the machine being attacked. It is clear that installing a sniffer under Windows is much easier. If it has to be installed on a UNIX machine, then most likely the program will be placed in the /usr/bin or /dev directory with the same date and time as the other files.

Typically, everything the program captures is written to a file on the same machine, so there is no unnecessary sending of data. Since a modified ps program has usually been installed in advance, the process is not visible. The sniffer works most efficiently when the network interface is in "promiscuous" mode: then all data passing through the network is eavesdropped, not just the data addressed to the given machine.

After the sniffer is installed, the intruder returns to the machine about a week later to download the files. Of course, he tries to hide the presence of the program as thoroughly as possible, but it can be detected, for example, by scanning file systems for file changes. The Tripwire program can be used for such purposes. Another program, cpm, monitors changes in network interfaces.
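A minimal version of the file-integrity check that Tripwire performs, written here as an added example (it is not the course work's code and not Tripwire itself). The directory layout, file contents and the post-intrusion changes are all constructed inline; the point it makes is that a content hash catches the replaced ps even when the intruder has restored its timestamp.

```python
"""Tripwire-style integrity check of a file tree (added example, not code from the course work).

A baseline records, for every regular file, a SHA-256 of its contents plus size, mode and
modification time. A later scan is compared against it. Because the verdict rests on the
content hash, a replaced binary whose timestamp the intruder has reset to match its
neighbours is still reported, and the report names which attributes actually changed.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root) to its hash, size, mode and mtime."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue                      # only regular files are hashed
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "sha256": file_digest(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
                "mtime_ns": st.st_mtime_ns,
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Added and removed paths, plus modified paths with the list of attributes that differ."""
    old, new = set(baseline), set(current)
    modified = {}
    for p in old & new:
        changed = [k for k in baseline[p] if baseline[p][k] != current[p][k]]
        if changed:
            modified[p] = changed
    return {"added": new - old, "removed": old - new, "modified": modified}


def demo() -> dict:
    """Constructed scenario: a sample tree, a baseline, then the clean-up steps described above."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "var" / "log").mkdir(parents=True)
        ps = root / "bin" / "ps"
        ps.write_bytes(b"#!/bin/sh\nexec /bin/real-ps \"$@\"\n")   # stand-in for the real binary
        (root / "bin" / "netstat").write_bytes(b"#!/bin/sh\nexec /bin/real-netstat \"$@\"\n")
        (root / "var" / "log" / "messages").write_text("Mar  3 02:11:01 gw login: session opened\n")
        baseline = build_baseline(root)

        # Intruder's clean-up as described in the text: ps replaced by a same-size version,
        # its timestamp restored so the date does not betray it, a .rhosts dropped next to the
        # bin user's files, and a log file deleted. All of this is a constructed simulation.
        st = ps.stat()
        ps.write_bytes(b"#!/bin/sh\nexec /bin/fake-ps \"$@\"\n")
        os.utime(ps, ns=(st.st_atime_ns, st.st_mtime_ns))
        (root / "bin" / ".rhosts").write_text("trusted.example.net bin\n")
        (root / "var" / "log" / "messages").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    report = demo()
    print("added:   ", sorted(report["added"]))
    print("removed: ", sorted(report["removed"]))
    for path, attrs in sorted(report["modified"].items()):
        print(f"modified: {path} ({', '.join(attrs)})")
```

On a real host the baseline would be written once from a known-good install and kept off the machine, since an intruder who can edit ps can edit a baseline stored beside it.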

The next and most harmful stage of hacking is the destruction of the servers that control the network. This is necessary both to cover tracks and to make the network work for the intruder. Not always, but quite often this is done with the command "rm -rf / &". Recovery depends entirely on the availability of backups. Another way is to change the packet routing.

So, all of the above represents a scheme for hacking a standard network. How can you protect yourself?

· First, install the system correctly: carefully set up routing and remove everything unnecessary. If you take on the administration of a network, look at the fixes for the system that are usually published on the developer's website, especially those concerning security.

· Next, check simple things: the users bin, system, daemon, etc. should not be able to log in, which should be reflected in the passwd file. All users must have passwords and change them regularly. You can prohibit .rhosts files altogether so that nothing ends up in them.

· But this is quite banal. A less trivial, although already very common, step is to install Secure Shell. It is good and reliable. If anyone does not know, I will explain: with telnet the password is transmitted as is, which is convenient for a sniffer, but with Secure Shell, which must be present on both connected machines, the password is encrypted. Simple, but nice, especially considering that this shell is free.

· You also need to look through your log files for signs of logins from strange addresses, repeated attempts to log in under someone else's name, and much more.

· It does not hurt to sometimes check important system files against a backup copy, say the installation disk. Plus, it is desirable to monitor the operation of the entire network: know more about the installed programs, allow users less freedom, and in general keep an eye on your household.

· A very useful thing is to make a backup, say, once a day.

Surely these simple tips alone can help. But you can go further: for example, check the state of the file system, or print the log files to a printer.
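Two of the checks recommended above, turned into runnable code as an added example (not from the course work): the passwd audit for system accounts that can still log in and for accounts without a password, and a pass over the log file for repeated failed logins and for logins from unknown addresses. It also flags a second uid 0 account, which the text does not mention. The passwd entries, the log lines, the trusted address prefix and the threshold are all constructed assumptions; on a real host the files are read instead.

```python
"""passwd audit and login-log review (added example, not code from the course work)."""
import re
from collections import Counter

# Accounts that exist for file ownership only and should never have an interactive shell.
SYSTEM_ACCOUNTS = {"bin", "daemon", "sys", "lp", "nobody", "system"}
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed /etc/passwd sample: bin can log in, guest has an empty password field.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/usr/bin:/bin/sh
daemon:x:2:2:daemon:/sbin:/sbin/nologin
guest::500:500:Guest:/home/guest:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh
"""

# Constructed syslog-style lines in the format written by the OpenSSH server.
SAMPLE_AUTH_LOG = """\
Mar  3 02:11:01 gw sshd[811]: Failed password for root from 203.0.113.7 port 4120 ssh2
Mar  3 02:11:04 gw sshd[811]: Failed password for root from 203.0.113.7 port 4121 ssh2
Mar  3 02:11:09 gw sshd[811]: Failed password for root from 203.0.113.7 port 4122 ssh2
Mar  3 02:11:15 gw sshd[811]: Failed password for root from 203.0.113.7 port 4123 ssh2
Mar  3 08:30:40 gw sshd[902]: Accepted password for alice from 192.168.1.20 port 50122 ssh2
Mar  3 23:58:02 gw sshd[977]: Accepted password for bin from 198.51.100.9 port 3344 ssh2
"""

TRUSTED_PREFIXES = ("192.168.1.",)   # assumption: the administrator's known address ranges
FAILED_THRESHOLD = 3                 # assumption: repeated failures worth a look


def audit_passwd(text: str) -> list:
    """Findings for each passwd line: system account with a login shell, empty password, extra uid 0."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"malformed entry: {line!r}")
            continue
        user, pw, uid, _gid, _gecos, _home, shell = fields
        if user in SYSTEM_ACCOUNTS and shell not in NOLOGIN_SHELLS:
            findings.append(f"{user}: system account with login shell {shell}")
        if pw == "":
            findings.append(f"{user}: empty password field (no password required)")
        if uid == "0" and user != "root":
            findings.append(f"{user}: extra uid 0 account")
    return findings


LOG_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)"
)


def audit_auth_log(text: str) -> list:
    """Repeated failed logins per (user, address), logins from unknown addresses, system-account logins."""
    failed = Counter()
    findings = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue                     # lines from other daemons are ignored
        result, user, addr = m.groups()
        if result == "Failed":
            failed[(user, addr)] += 1
            continue
        if not addr.startswith(TRUSTED_PREFIXES):
            findings.append(f"login for {user} from unknown address {addr}")
        if user in SYSTEM_ACCOUNTS:
            findings.append(f"interactive login by system account {user} from {addr}")
    for (user, addr), n in failed.items():
        if n >= FAILED_THRESHOLD:
            findings.append(f"{n} failed logins for {user} from {addr}")
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD) + audit_auth_log(SAMPLE_AUTH_LOG):
        print(finding)
```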

Reasons for violation

The information security process refers to operational processes and is included in the block of IT service support processes. A breach of the security of an enterprise information system can lead to a number of negative consequences affecting the quality of IT services:

· reduced availability of services due to lack of access or low speed of access to data, applications or services;

· complete or partial loss of data;

· unauthorized modification of data;

· gaining access by third parties to confidential information.

An analysis of the causes of information security violations shows that the main ones are the following:

· configuration errors of software and hardware of the IS;

· accidental or intentional actions of end users and IT service employees;

· malfunctions in the software and hardware of the IS;

· malicious actions of persons outside the information system.

Enterprise information security software can be divided into three large groups: antivirus protection, firewalls and attack detection tools. Typically, these tools are used in combination, so they often talk not about specific products, but about security platforms that combine several solutions at once. However, the software itself can be completely useless without a proper security policy that defines the rules for PC, network and data use, as well as procedures for preventing violations of these rules and a plan for responding to such violations if they occur. We also note that when developing such a policy, an assessment of the risks associated with a particular activity is required, as well as consideration of the economic feasibility of choosing a security platform.

When building the IT infrastructure of clients, the ESC company pays special attention to ensuring information security. Customer data and services are protected according to the latest industry standards. The main efforts of our specialists are aimed at guaranteeing the confidentiality, integrity and availability of data. Configured access audit policies allow you to have full control over who gets access to sensitive information and when. Generally accepted reliable systems and mechanisms serve as tools to provide our clients with the necessary level of protection.

Among them:

· control of user privileges and organization of security policies in Active Directory

· use of HTTPS and other encrypted data transfer protocols

· protection of access to the corporate network through the use of VPN servers

· restriction and control of access to the network from the outside using hardware and software solutions (services are provided for setting up hardware routers from any manufacturer, as well as for setting up software such as Kerio WinRoute Firewall, Outpost, WinGate, IPFW, IPTables, etc.)

· protection against virus attacks by installing and configuring commercial and free anti-virus software both on client PCs and on servers, using special modules (anti-spam, mail, for gateways, etc.)

· restriction and control of Internet access using proxy servers

· use of protection against port scanning and ARP spoofing and a number of other network threats.

In addition to information security measures, ESC provides its clients with reliable data safety mechanisms. Organizing data backups, developing recovery procedures and storage rules allows our clients not to worry that data may be lost as a result of physical or software damage to the systems or equipment responsible for storing it.

Three main causes of violations

Today, three main causes of information security violations have been identified:

· inexperience

· irresponsibility (self-assertion)

· selfish interest.

Inexperience

This motive is the most harmless, and, at the same time, widespread among new system users.

Characteristics of inexperience are:

· unintentional errors made by users when entering data. This type of violation is easily blocked by introducing into the interface of the software package with which the user works, internal rules for checking completed forms and a system for notifying the user about errors made;

· misunderstanding by users of the rules for working on the network, and, as a result, failure to comply with these requirements. The fight against this type of violator consists of providing detailed instructions to the user and explaining to him the goals and policies of the company.

· misunderstanding by users of security requirements when working with data, and, as a result, transfer to other users or third parties of their passwords for logging into the system.

It is unlikely that security system designers could anticipate all such situations. Moreover, in many cases the system cannot in principle prevent such violations (for example, a user accidentally destroying his own data set).

Irresponsibility

In the case of violations caused by irresponsibility, the user purposefully performs destructive actions which, however, are not associated with malicious intent. Some users consider gaining access to system data sets a major success, engaging in a kind of game of user versus system for the sake of self-aggrandizement, either in their own eyes or in the eyes of their colleagues. Although the intent may be harmless, exploiting the resources of an automated system is considered a violation of security policy. Users with more serious intentions may find sensitive data and try to corrupt or destroy it in the process. Most systems have a number of means to counteract such "pranks"; if necessary, the security administrator uses them temporarily or permanently. This type of violation is called probing the system.

Selfish interest

This is the most dangerous type of violation. The fight against this type of violator consists of systematic checks of the facility's employees by the various security services.

Life shows that it is almost impossible to completely protect an object from penetration.

Practice shows that the damage from each type of violation is inversely proportional to its frequency: violations caused by inexperience occur most often, but the damage from them is, as a rule, insignificant and can be easily compensated. For example, an accidentally destroyed data set can be restored if the error is noticed immediately. If the information is important and a regularly updated backup copy is kept, the damage is almost invisible.

The damage from probing the system can be much greater, but its probability is many times lower. Such actions require sufficiently high qualifications, excellent knowledge of the protection system and certain psychological characteristics. The most typical result of system probing is blocking: the user ultimately introduces the system into a state of insoluble contradiction. After this, operators and system programmers must spend a lot of time getting the system back up and running.

The rarest, but also the most dangerous type of violation is penetration. The distinctive feature of penetration is a specific goal: access (reading, modification, destruction) to certain information, influencing the performance of the system, monitoring the actions of other users, etc. To perform such actions the intruder must have the same qualities as for probing the system, but to a greater degree, and also a clearly formulated goal. Due to these circumstances, the damage from penetrations may in principle be irreparable. For example, for banks this may be a complete or partial modification of accounts together with the destruction of the transaction log.

Thus, when organizing an information security system, a certain differentiation of protection measures is necessary: for protection against violations caused by negligence, minimal protection is needed; against system probing, more stringent protection; and the most stringent (along with constant monitoring) against intrusions. The purpose of such differentiation should be the rational distribution of information security means and of the computing resources of the system.

In relation to possible violations, one should adhere to the principle of reasonable sufficiency, and sometimes the "golden mean". For example, there is a possibility of a nuclear incident, but very few people seek to protect themselves by building bomb shelters and stocking up on food and water, since this probability is too low. At the same time, every person strives to secure his apartment, car and savings: the likelihood of the threat being realized is significant, and the damage can be significant.

The reasons that prompted the user to commit a violation or even a crime may be different. About 50% of violations are unintentional errors caused by negligence and lack of competence. But much more serious may be damage caused as a result of intentional influence due to resentment, dissatisfaction with one’s official or financial situation, or at the direction of other persons. Moreover, this damage will be greater the higher the user’s position in the service hierarchy. These are just a few of the possible reasons, encouraging users to violate the rules of working with the system.

Offenders, based on their motivation for computer crimes, fall into three categories:

· pirates - mainly violate copyright by creating illegal versions of programs and data;

· hackers (from the English hack - to chop, shred, break) - gain unauthorized access to the computers of other users and the files in them. However, they generally do not damage or copy files, content in the knowledge of their power over the systems;

· crackers (from the English crack - to split, crack) - the most serious violators who allow themselves everything.

Methods for preventing violations arise from the nature of the incentives themselves. This is, first of all, appropriate training of users, as well as maintaining a healthy socio-psychological climate in the team, recruiting personnel, timely detection of potential attackers and taking appropriate measures. The first of them is the task of the system administration, the second is the task of the psychologist and the entire team as a whole. Only in the case of a combination of these measures is it possible not to correct violations and not to investigate crimes, but to prevent their very cause.


Classification of information security threats

Natural hazards:
1. Natural disasters
2. Magnetic storms
3. Radiation and fallout

Technical threats:
1. Deviations or fluctuations in power supply and failures in other means of ensuring the functioning of the system
2. Failures and malfunctions in the operation of IS hardware and software
3. Electromagnetic radiation and interference
4. Leaks through communication channels

Human-made threats:
1. Unintentional actions of: service personnel; management personnel; programmers; users; the archival service; security services
2. Deliberate actions
3. Hacker attacks


One of the features of ensuring information security in information systems is that abstract concepts such as "access subject", "information", etc., are mapped to physical representations in the computing environment:

the concept "access subject" is represented by active programs and processes;

the concept "information" is represented by machine media carrying information: external devices of computer systems (terminals, printing devices, various storage devices, lines and communication channels), volumes, sections and subsections of volumes, files, records, record fields, RAM, etc.

Information security of an IS is the state of the information system under consideration in which:

- on the one hand, it is able to withstand the destabilizing effects of external and internal information threats, and

- on the other hand, its presence and operation do not create information threats to the elements of the system itself or to the external environment.

IS security is protection from accidental or intentional interference in the normal process of its functioning, as well as from attempts to steal, change or destroy its components.

IS security threat: possible impacts on the IS that can directly or indirectly damage its security.

Security damage: a violation of the security status of information contained and processed in the information system. Security damage implies a violation of the security status of the information contained in the information system through unauthorized access to the objects of the information system.

IS vulnerability: a characteristic or property of the IS whose use by an intruder can lead to the realization of a threat.

Attack on a computer system: an action taken by an attacker that consists of searching for and exploiting a particular system vulnerability.

Unauthorized access to information is the most common type of computer violation. It consists of a user gaining access to an object for which there is no permission in accordance with the organization's security policy.

Countering security threats is the goal of protecting information processing systems.

Thus, an attack is the realization of a security threat.

3. Analysis of information security threats

A threat is usually identified either with the nature (type, method) of a destabilizing impact on information, or with the consequences (results) of such an impact. However, such terms can have many interpretations. Another approach to defining a threat to information security is also possible, based on the general concept of a "threat".

According to Ozhegov's Dictionary of the Russian Language, a "threat" is the intention to cause physical, material or other harm to public or personal interests; a possible danger.

A threat (in general) is usually understood as a potentially possible event, action (impact), process or phenomenon that could lead to damage to someone's interests.

In other words, the concept of threat is strictly connected with the legal category of "damage", which the Civil Code defines as "actual expenses incurred by the subject as a result of a violation of his rights (for example, disclosure or use by the violator of confidential information), loss or damage to property, and the expenses he will have to incur to restore the violated right and the value of the damaged or lost property".

A threat to the information security of an IS is understood as:

1) the possibility of an impact on information processed in the IS, leading to distortion, destruction or copying of the information, or to blocking of access to it;

2) the possibility of an impact on IS components, leading to loss, destruction or malfunction of the storage medium, of the means of interaction with the medium, or of the means of its control.

Currently, a fairly extensive list of threats to information security of IP, numbering hundreds of items, is being considered. The most typical and frequently realized threats to information security of information systems:

Unauthorized copying of storage media;

Careless actions leading to the disclosure of confidential information or making it publicly available;

Ignoring organizational restrictions (established rules) when determining the rank of the system.

The basis for analyzing the risk of the implementation of threats and formulating requirements for the developed IP protection system is the analysis of the negative consequences of the implementation of threats and involves their mandatory identification, namely:

List of possible threats to information security,

Estimates of the probabilities of their implementation,

Intruder model.

In addition to identifying possible threats, an analysis of these threats should be carried out based on their classification according to a number of characteristics.

Each of classification features reflects one of the general requirements for the protection system. At the same time, threats corresponding to each classification characteristic allow us to detail the requirement reflected by this characteristic.

The need to classify threats to the information security of an IS is due to the fact that:

the architecture of modern means of automated information processing,

the organizational, structural and functional construction of information and computing systems and networks, and

the technologies and conditions of automated information processing

are such that the accumulated, stored and processed information is subject to random influences from an extremely large number of factors. Because of this, it becomes impossible to formalize the task of describing the complete set of threats.

Consequently, for the protected system one determines not a complete list of threats but a list of threat classes.

Research into the problems of ensuring information security and methods for preventing violations in this area has highlighted the need to more deeply understand the issues of information conflicts, which often lead to more serious consequences than simply fixing an obvious conflict and waiting for it to fade or develop into an offense.

"Conflict, translated from Latin," says Professor T. A. Polyakova, "is a clash of opposing goals, interests, positions, opinions or views of opponents or subjects of interaction." Such contradictions in the construction of the information society are inevitable, diverse and comprehensive.

Considering conflicts as a form of contradiction objectified in the relations of subjects, we drew attention to the fact that conflicts arise both in the social sphere and in the information system, in the information infrastructure. They can be both negative in relation to the problems being solved by society, and positive, pushing responsible subjects to search for new or more advanced solutions. A conflict can act as a motive for an offense if it is not taken into account in the process of identifying it. Most often, conflicts manifest themselves in the legislation itself due to its weak consistency and insufficiently thorough preparation of draft regulations, as well as omissions in the processes of law enforcement and execution of legislative acts.

Conflicts in the field of lawmaking are very significant in the context of cultural diversity and ignorance of historical factors in the implementation of established rules, lack of understanding of the balance and consistency of actions in the field of relations between state authorities and local governments, legal leaders and citizens. Conflicts arise due to non-compliance with the rules for working with information technologies, information resources, and failure to comply with requirements for communication systems. Methods for resolving conflicts are different and depend on the causes and area of ​​their occurrence. They can be repaid administratively, officially, through peaceful interaction between the parties, but they can also be brought to judicial review. In any case, the presence of a conflict, identified and recorded, is a condition for preventing more serious situations. We can say that behind each form of violation of information security rules there are hidden identified or undetected conflicts of an objective or subjective nature. In this regard, in 2008, a theoretical seminar was held at the IGP RAS on the topic “Conflicts in information sphere", the materials of which were published in the collection of articles and speeches of its participants of the same name.

Not all types of conflicts develop into offenses, or even less into crimes.

Taking into account the significance of conflict in the area of social relations under consideration, it is important to formulate the concept of a legally significant conflict in the information environment (sphere) as follows. A legally significant conflict is the creation of a situation of instability in the realization of the legitimate rights and interests of citizens, the state, society and individual organizations in their information environment: a situation that reduces the level of security, including one that leads to the creation of threats, risks and destruction in the information infrastructure itself or in the sphere of the rights of subjects participating in information relations and processes. This was covered in the previous chapters of the textbook, as well as in the works of S.I. Semiletov. Let us note that conflicts undermine the importance of information in the process of developing an information, civil, democratic, social, sustainable, legal and humane society.

Topic 2 - Information security threats

The concepts of a threat to a security object and of object vulnerability were introduced earlier. To fully represent the interaction between a threat and the protected object, we introduce the concepts of threat source and attack.

Security threat to an object: a possible impact on the object that can directly or indirectly damage its security.

Source of threat: potential anthropogenic, man-made or natural sources of security threats.

Object vulnerability: causes inherent in the object that lead to a violation of the security of information at the object.

Attack: the possible consequence of the realization of a threat when the threat source acts through existing vulnerabilities. An attack is always a "source-vulnerability" pair that realizes a threat and leads to damage.

Figure 2.1

Suppose a student goes to school every day and crosses the roadway in the wrong place. One day he is hit by a car, which causes him damage: he becomes unable to work and cannot attend classes. Let us analyze this situation. The consequences here are the losses the student suffered as a result of the accident. Our threat is the car that hit the student. The vulnerability was that the student crossed the roadway in an unspecified place. And the source of the threat in this situation was the force that did not allow the driver to avoid hitting the student.

With information it is not much more complicated. There are not so many threats to information security. A threat, as follows from the definition, is the danger of causing damage; that is, this definition shows a strict connection between technical problems and the legal category of "damage".

Manifestations of possible damage may vary:

Moral and material damage to the business reputation of the organization;

Moral, physical or material damage associated with the disclosure of personal data of individuals;

Material (financial) damage from disclosure of protected (confidential) information;

Material (financial) damage from the need to restore damaged protected information resources;

Material damage (losses) from the inability to fulfill assumed obligations to a third party;

Moral and material damage from disruption of the organization’s activities;

Material and moral damage from violation of international relations.

Threats to information security are violations in ensuring:

1. Confidentiality;

2. Availability;

3. Integrity.

Confidentiality of information is the property of information to be known only to its authenticated legitimate owners or users.

Confidentiality violations:

Theft (copying) of information and means of processing it;

Loss (unintentional loss, leakage) of information and means of processing it.

Availability of information is the property of information to be accessible to its authenticated legitimate owners or users.

Accessibility violations:

Blocking information;

Destruction of information and means of processing it.

Integrity of information is the property of information to remain unchanged in the semantic sense when exposed to accidental or intentional distortions or destructive influences.

Violations in ensuring integrity:

Modification (distortion) of information;

Denial of the authenticity of information;

Imposing false information.

The carriers of information security threats are the sources of threats. Both subjects (persons) and objective phenomena can act as sources of threats. Moreover, sources of threats can be located both inside the protected organization (internal sources) and outside it (external sources).

All sources of information security threats can be divided into three main groups:

1. Caused by the actions of a subject (anthropogenic sources of threats).

2. Caused by technical means (man-made sources of threats).

3. Caused by natural sources.

Anthropogenic sources threats to information security are entities whose actions can be classified as intentional or accidental crimes. Only in this case can we talk about causing damage. This group is the most extensive and is of the greatest interest from the point of view of organizing protection, since the actions of the subject can always be assessed, predicted and adequate measures taken. Methods of counteraction in this case are manageable and directly depend on the will of the organizers of information security.

An anthropogenic source of threats can be any subject who has access (authorized or unauthorized) to work with the standard means of the protected object. Subjects (sources) whose actions may lead to a violation of information security can be both external and internal. External sources may act accidentally or deliberately and have varying levels of expertise.

Internal subjects (sources), as a rule, are highly qualified specialists in the development and operation of software and technical means, are familiar with the specifics of the tasks being solved, with the structure, basic functions and operating principles of the software and hardware information security tools, and are able to use the standard equipment and technical means of the network.

It is also necessary to take into account that a special group of internal anthropogenic sources consists of persons with mental disorders and specially deployed and recruited agents, who may be from among the main, auxiliary and technical personnel, as well as representatives of the information security service. This group is considered as part of the sources of threats listed above, but the methods of countering threats for this group may have their own differences.

The second group contains sources of threats determined by technocratic human activity and the development of civilization. However, the consequences caused by such activities are beyond human control and exist on their own. This class of sources of threats to information security is especially relevant in modern conditions, since in the current conditions experts expect a sharp increase in the number of man-made disasters caused by the physical and moral obsolescence of the equipment used, as well as the lack of material resources to update it. Technical means that are sources of potential threats to information security can also be external and internal.

The third group of threat sources is united by circumstances that constitute force majeure, that is, circumstances that are objective and absolute in nature and apply to everyone. Force majeure in legislation and contractual practice includes natural disasters or other circumstances that cannot be foreseen or prevented, or that can be foreseen but cannot be prevented at the current level of human knowledge and capabilities. Such sources of threats are completely unpredictable, and therefore measures to protect against them must always be applied.

Natural sources potential threats to information security, as a rule, are external to the protected object and are understood, first of all, as natural disasters.

The classification and list of threat sources are given in Table 2.1.

Table 2.1 - Classification and list of sources of information security threats

Anthropogenic sources
  External:
  - Criminal structures
  - Potential criminals and hackers
  - Unfair partners
  - Technical staff of telecommunications service providers
  - Representatives of supervisory organizations and emergency services
  - Representatives of law enforcement agencies
  Internal:
  - Key personnel (users, programmers, developers)
  - Information security representatives (administrators)
  - Support staff (cleaners, security)
  - Technical personnel (life support, operation)

Technogenic sources
  External:
  - Means of communication
  - Utility networks (water supply, sewerage)
  - Transport
  Internal:
  - Poor quality technical means of information processing
  - Poor quality information processing software
  - Auxiliary equipment (security, alarm, telephony)
  - Other technical means used in the institution

Natural sources
  External:
  - Fires
  - Earthquakes
  - Floods
  - Hurricanes
  - Magnetic storms
  - Radioactive radiation
  - Various contingencies
  - Unexplained phenomena
  - Other force majeure circumstances

All threat sources have varying degrees of danger K_danger, which can be quantified by ranking them. The degree of danger is assessed using indirect indicators.

The following can be selected as comparison criteria (indicators):

Possibility of the source K1 - determines the degree of access to the ability to exploit a vulnerability for anthropogenic sources, the distance from the vulnerability for man-made sources, or the features of the situation for random sources;

Readiness of the source K2 - determines the degree of qualification and the attractiveness of committing acts from the threat source for anthropogenic sources, or the presence of the necessary conditions for man-made and natural sources;

Fatality K3 - determines the degree of unavoidability of the consequences of the threat.

Each indicator is assessed by an expert-analytical method using a five-point scale, where 1 corresponds to the minimum degree of influence of the assessed indicator on the danger of using the source, and 5 to the maximum.

The danger coefficient K_danger for a particular source can be defined as the ratio of the product of the above indicators to their maximum possible value (125):

K_danger = (K1 × K2 × K3) / 125

Threats, as possible dangers of committing some action directed against the object of protection, do not manifest themselves on their own but through vulnerabilities that lead to a violation of information security at a specific object of informatization.

Vulnerabilities are inherent in the object of informatization, are inseparable from it, and are determined by shortcomings of the operating process, the properties of the architecture of the automated systems, the exchange protocols and interfaces, the software and hardware platform used, the operating conditions and the location.

Sources of threats can use vulnerabilities to violate the security of information, obtain illegal benefits (causing damage to the owner, possessor, user of information). In addition, non-malicious actions by threat sources to activate certain vulnerabilities that cause harm are possible.

Each threat can be associated with different vulnerabilities. Elimination or significant mitigation of vulnerabilities affects the possibility of information security threats being realized.

Information security vulnerabilities can be:

Objective;

Subjective;

Random.

Objective vulnerabilities depend on the design features and technical characteristics of the equipment used at the protected object. Complete elimination of these vulnerabilities is impossible, but they can be significantly weakened by technical and engineering methods of countering threats to information security.

Subjective vulnerabilities depend on the actions of employees and are mainly eliminated by organizational and software and hardware methods.

Random vulnerabilities depend on the characteristics of the environment surrounding the protected object and unforeseen circumstances. These factors, as a rule, are little predictable and their elimination is possible only by carrying out a set of organizational, engineering and technical measures to counter threats to information security.

The classification and list of information security vulnerabilities are given in Table 2.2.

Table 2.2 - Classification and list of information security vulnerabilities

Objective vulnerabilities
  Related to emissions of technical means
    Electromagnetic:
    - Spurious emissions from elements of technical equipment
    - Cable lines of technical means
    - Radiation at generator frequencies
    - Radiation at self-excitation frequencies of amplifiers
    Electrical:
    - Induction of electromagnetic radiation onto lines and conductors
    - Leakage of signals into the power supply circuit and the ground circuit
    - Uneven current consumption from the power supply
    Sound:
    - Acoustic
    - Vibroacoustic
  Activated
    Hardware implants (bugs) installable:
    - in telephone lines
    - on the power supply
    - indoors
    - in technical means
    Software implants:
    - Malware
    - Undocumented (technological) exits from programs
    - Illegal copies of software
  Determined by the characteristics of the elements
    Elements with electroacoustic transformations:
    - Telephone sets
    - Loudspeakers and microphones
    - Inductors
    - Chokes
    - Transformers, etc.
    Elements exposed to electromagnetic fields:
    - Magnetic media
    - Microcircuits
    - Nonlinear elements subject to RF interference
  Determined by the characteristics of the protected object
    Object location:
    - No controlled area
    - Direct line of sight to the objects
    - Remote and mobile object elements
    - Vibrating reflective surfaces
    Organization of information exchange channels:
    - Use of radio channels
    - Global information networks
    - Leased channels

Subjective vulnerabilities
  Errors (negligence)
    When preparing and using software:
    - When developing algorithms and software
    - When installing and loading software
    - When using the software
    - When entering data (information)
    - When setting up universal system services
    - Self-learning (self-tuning) complex systems
    When using technical equipment:
    - When turning technical means on/off
    - When using technical security means
    Incompetent actions:
    - When configuring and managing a complex system
    - When setting up the software
    - When organizing the management of information exchange flows
    - When setting up technical means
    - When setting up standard software protection means
    Unintentional actions:
    - Damage (deletion) of software
    - Damage (deletion) of data
    - Damage (destruction) of storage media
    - Damage to communication channels
  Violations
    Of security and protection regimes:
    - Access to the facility
    - Access to technical means
    - Confidentiality
    Of the operating regime of hardware and software:
    - Energy supply
    - Life support
    - Installation of non-standard equipment
    - Installation of non-standard software (games, educational, technological)
    Of the use of information:
    - Processing and exchange of information
    - Storage and destruction of storage media
    - Destruction of production waste and defects
  Psychogenic
    Psychological:
    - Antagonistic relationships (envy, bitterness, resentment)
    - Dissatisfaction with one's situation
    - Dissatisfaction with the actions of management (discipline, dismissal)
    - Psychological incompatibility
    Mental:
    - Mental deviations
    - Stressful situations
    Physiological:
    - Physical condition (fatigue, pain)
    - Psychosomatic condition

Random vulnerabilities
  Failures and malfunctions
    Failures and malfunctions of technical equipment for:
    - Processing information
    - Ensuring the functionality of information processing facilities
    - Providing security and access control
    Aging and demagnetization of storage media:
    - Floppy disks and removable media
    - Hard drives
    - Microcircuit elements
    - Cables and connecting lines
    Software failures of:
    - Operating systems and DBMS
    - Application programs
    - Service programs
    - Antivirus programs
    Power failures of:
    - Information processing equipment
    - Support and auxiliary equipment

All vulnerabilities have varying degrees of danger K_danger, which can be quantified by ranking them.

In this case, the following can be chosen as comparison criteria:

Fatality K4 - determines the degree of influence of the vulnerability on the unavoidability of the consequences of the threat;

Availability K5 - determines the possibility of exploitation of the vulnerability by a threat source;

Quantity K6 - determines the number of object elements that are characterized by the particular vulnerability.

The danger coefficient K_danger for an individual vulnerability can be defined as the ratio of the product of the above indicators to their maximum possible value (125):

K_danger = (K4 × K5 × K6) / 125
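The expert ranking described for threat sources (indicators K1, K2, K3) and for vulnerabilities (indicators K4, K5, K6) follows the same arithmetic, so a single worked example serves both passages. The code below is an added illustration, not part of the source text: it validates that every indicator lies on the five-point scale, computes the danger coefficient as the product of the three indicators divided by 125, and ranks the entries from most to least dangerous. The entry names are taken from the categories of Tables 2.1 and 2.2; the scores assigned to them are constructed sample values, not figures from the text.

```python
"""Expert ranking of threat sources and vulnerabilities by danger coefficient.

Added example (not the source text's own code). Each indicator is an expert
score on a five-point scale (1 = minimal influence on the danger, 5 = maximal);
the danger coefficient is the product of the three indicators divided by the
maximum possible product 5 * 5 * 5 = 125. Names and scores below are
constructed samples.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

MAX_PRODUCT = 5 * 5 * 5  # 125: the largest possible value of K1*K2*K3 or K4*K5*K6


def is_score(value: object) -> bool:
    """True if value is a whole number on the five-point expert scale (1..5)."""
    return isinstance(value, int) and not isinstance(value, bool) and 1 <= value <= 5


def danger_coefficient(a: int, b: int, c: int) -> float:
    """Danger coefficient K = (a * b * c) / 125, which lies in the range (0, 1]."""
    for label, value in (("first", a), ("second", b), ("third", c)):
        if not is_score(value):
            raise ValueError(f"{label} indicator must be an integer 1..5, got {value!r}")
    return (a * b * c) / MAX_PRODUCT


@dataclass(frozen=True)
class ThreatSource:
    """A row of Table 2.1 with its three expert indicators (K1, K2, K3)."""
    name: str
    group: str            # "anthropogenic", "technogenic" or "natural"
    location: str         # "external" or "internal"
    k1_possibility: int   # K1: ability of the source to exploit a vulnerability
    k2_readiness: int     # K2: qualification/attractiveness, or presence of conditions
    k3_fatality: int      # K3: unavoidability of the consequences

    def danger(self) -> float:
        return danger_coefficient(self.k1_possibility, self.k2_readiness, self.k3_fatality)


@dataclass(frozen=True)
class Vulnerability:
    """A row of Table 2.2 with its three expert indicators (K4, K5, K6)."""
    name: str
    kind: str             # "objective", "subjective" or "random"
    k4_fatality: int      # K4: influence on the unavoidability of consequences
    k5_availability: int  # K5: how easily a threat source can exploit it
    k6_quantity: int      # K6: how many object elements carry it

    def danger(self) -> float:
        return danger_coefficient(self.k4_fatality, self.k5_availability, self.k6_quantity)


def rank(items: Iterable) -> List[Tuple[str, float]]:
    """Sort entries by danger coefficient, highest first; ties are broken by name."""
    return sorted(((i.name, i.danger()) for i in items), key=lambda p: (-p[1], p[0]))


# Constructed sample scores (the names come from the categories of Tables 2.1 and 2.2).
SOURCES = [
    ThreatSource("Potential criminals and hackers", "anthropogenic", "external", 3, 4, 4),          # 48/125
    ThreatSource("Key personnel (users, programmers, developers)", "anthropogenic", "internal", 5, 3, 4),  # 60/125
    ThreatSource("Poor quality information processing software", "technogenic", "internal", 4, 3, 3),  # 36/125
    ThreatSource("Floods", "natural", "external", 1, 2, 5),                                          # 10/125
]

VULNERABILITIES = [
    Vulnerability("Errors when setting up standard software protection", "subjective", 4, 4, 3),  # 48/125
    Vulnerability("Use of leased channels", "objective", 3, 4, 2),                               # 24/125
    Vulnerability("Spurious emissions of technical equipment", "objective", 2, 2, 4),            # 16/125
    Vulnerability("Power failures of information processing equipment", "random", 3, 2, 2),     # 12/125
]


def rank_sources() -> List[Tuple[str, float]]:
    return rank(SOURCES)


def rank_vulnerabilities() -> List[Tuple[str, float]]:
    return rank(VULNERABILITIES)


if __name__ == "__main__":
    for title, ranking in (("Threat sources", rank_sources()), ("Vulnerabilities", rank_vulnerabilities())):
        print(title)
        for name, k in ranking:
            print(f"  {k:.3f}  {name}")
```

Because each indicator is capped at 5, the coefficient is a fraction of 125 and can be compared across sources and vulnerabilities alike; a source with K1 = 5, K2 = 3, K3 = 4 scores 60/125 = 0.48 and outranks an external attacker scored 3, 4, 4 (0.384), which matches the text's point that internal subjects with standard access deserve particular attention.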

An information security intruder model is a set of assumptions about one or more possible violators of information security: their qualifications, their technical and material means, etc.

A properly constructed intruder model is a guarantee of building an adequate information security system; the protection system is built on the basis of the constructed model.

Most often an informal model of the intruder is built, reflecting the reasons and motives for his actions, his capabilities, a priori knowledge, the goals pursued and their priority for the intruder, and the main ways of achieving his goals: the methods of realizing the threats emanating from him, the place and nature of the action, possible tactics, etc. To achieve his goals, the intruder must make certain efforts and spend some resources.

Having identified the main reasons for violations, it becomes possible to influence them, or else necessary to adjust the requirements for the system of protection against this type of threat. When analyzing security violations, it is necessary to pay attention to the subject (personality) of the intruder. Eliminating the reasons or motives that prompted the violation can help avoid a recurrence of a similar incident in the future.

There may be more than one model; it is advisable to build several different models for different types of violators of the information security of the protected object.

To build the intruder model, use is made of information received from security services and analytical groups, data on existing means of access to information and its processing, on possible ways of intercepting data at the stages of their transmission, processing and storage, on the situation in the team and at the protected site, information about competitors and the market situation, about past cases of information security violations, etc.

In addition, the real operational and technical capabilities of an attacker to influence the protection system or the protected object are evaluated. Technical capabilities means the list of various technical means that an intruder may have at his disposal while committing actions directed against the information security system.

Violators are internal and external.

Among internal violators, we can primarily highlight:

Direct users and operators of the information system, including managers at various levels;

Administrators of computer networks and information security;

Application and system programmers;

Security officers;

Technical personnel for building maintenance and computer equipment, from cleaners to service engineers;

Support staff and temporary workers.

Among the reasons that motivate employees to engage in unlawful actions are the following:

Irresponsibility;

User and administrator errors;

Demonstration of one's superiority (self-affirmation);

"Fighting the system";

Selfish interests of system users;

Disadvantages of the information technologies used.

The group of external violators may include:

Clients;

Invited visitors;

Representatives of competing organizations;

Employees of departmental supervision and management bodies;

Access control violators;

Observers outside the protected area.

In addition, classification can be carried out according to the following parameters.

Methods and means used:

Collection of information and data;

Passive interception means;

Use of tools included in the information system or its protection system and their shortcomings;

Active monitoring of modifications to existing information processing tools, connection of new tools, use of specialized utilities, implanting of software implants and "back doors" into the system, connection to data transmission channels.

The offender’s level of knowledge regarding the organization of the information structure:

Typical knowledge of how computer systems are constructed, of network protocols, and of the use of a standard set of programs;

High level of knowledge of network technologies, experience with specialized software products and utilities;

Extensive knowledge of programming, system design and the operation of computer systems;

Possession of information about the means and mechanisms of protection of the attacked system;

The offender was a developer or took part in the implementation of an information security system.

Time of information impact:

At the time of information processing;

At the time of data transfer;

In the process of storing data (taking into account the operating and non-operating states of the system).

By location of impact:

Remotely, with or without interception of information transmitted over data channels;

Access to the protected area;

Direct physical contact with computer equipment, within which one can distinguish: access to workstations, access to enterprise servers, access to the administration, control and management systems of the information system, and access to the management programs of the information security system.

Table 2.3 shows examples of information security intruder models and their comparative characteristics.

Table 2.3 - Comparative characteristics of several intruder models

| Characteristic | Lone hacker | Hacker group | Competitors | Government agencies, special forces |
|---|---|---|---|---|
| Computing power of technical means | Personal computer | LAN, use of other people's computer networks | Powerful computing networks | Unlimited computing power |
| Internet access, type of access channels | Modem or leased line | Use of someone else's high-bandwidth channels | Own high-bandwidth channels | Independent control over Internet traffic routing |
| Financial opportunities | Severely limited | Limited | Great opportunities | Virtually unlimited |
| Level of knowledge in the field of IT | Low | High | High | High (standards developers) |
| Technologies used | Ready-made programs, known vulnerabilities | Search for new vulnerabilities, production of malware | Modern methods of penetration into information systems and of impact on the data flows in them | Thorough knowledge of information technology: possible vulnerabilities and shortcomings |
| Knowledge of how the facility's protection system is built | Insufficient knowledge of how the information system is built | May make efforts to gain an understanding of how the security system operates | May make efforts to gain an understanding of the principles of operation of the security system and introduce their representative into the security service | During system certification, representatives of government agencies can receive fairly complete information about its construction |
| Pursued goals | Experiment | Introducing distortions into the operation of the system | Blocking the functioning of the system, undermining the image, ruin | Unpredictable |
| Nature of action | Hidden | Hidden | Hidden or openly demonstrative | May not bother hiding its actions |
| Penetration depth | Most often stops after the first successful impact | Until the goal is achieved or a serious obstacle appears | Until the bitter end | Nothing can stop them |
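The classification parameters above (level of knowledge, time of impact, location of impact) and the comparative profiles of Table 2.3 only become useful to a protection strategy once they are checked against the concrete points in an information system where information can be affected. The following added example (illustrative code, not from the original text) encodes those axes as small enumerations, defines several intruder models and a constructed sample system, and computes which exposures each model can realistically reach and which reachable exposures no deployed control closes. The intruder profiles, the sample exposures and the control names are assumptions made for the example.

```python
# Intruder-model evaluator: an added illustration of turning the classification
# axes (knowledge level, time of impact, location of impact) and the profiles
# of Table 2.3 into a feasibility check. All profile values, the sample
# information system and the control names below are constructed assumptions.
from dataclasses import dataclass
from enum import Enum, IntEnum


class Knowledge(IntEnum):
    """Offender's level of knowledge, ordered as in the text."""
    TYPICAL = 1        # standard construction of systems, standard programs
    NETWORK = 2        # network technologies, specialised utilities
    SYSTEMS = 3        # programming, system design and operation
    DEFENCE_AWARE = 4  # knows the protection mechanisms of the attacked system
    IMPLEMENTER = 5    # developed or implemented the security system itself


class Phase(Enum):
    """Time of information impact."""
    PROCESSING = "processing"
    TRANSFER = "transfer"
    STORAGE = "storage"


class Location(Enum):
    """Location of impact."""
    REMOTE = "remote"
    PROTECTED_AREA = "protected area"
    WORKSTATION = "workstation"
    SERVER = "server"
    ADMIN_SYSTEM = "administration system"
    SECURITY_MGMT = "security management program"


@dataclass(frozen=True)
class IntruderModel:
    name: str
    knowledge: Knowledge
    locations: frozenset  # locations the model is assumed able to reach
    phases: frozenset     # phases during which it can act


@dataclass(frozen=True)
class Exposure:
    """A point in the information system where information can be affected."""
    asset: str
    phase: Phase
    location: Location
    min_knowledge: Knowledge  # knowledge needed to exploit this exposure
    controls: tuple           # measures that would close it


def feasible(model: IntruderModel, exp: Exposure) -> bool:
    """Feasible if the model reaches the location, can act in that phase,
    and has at least the knowledge the exposure demands."""
    return (exp.location in model.locations
            and exp.phase in model.phases
            and model.knowledge >= exp.min_knowledge)


def reachable(models, exposures) -> dict:
    """Map each model name to the sorted list of assets it can affect."""
    return {m.name: sorted(e.asset for e in exposures if feasible(m, e))
            for m in models}


def coverage_gaps(models, exposures, deployed) -> list:
    """Exposures some modelled intruder can reach but no deployed control
    closes: the list a protection strategy must address first."""
    deployed = set(deployed)
    return sorted(e.asset for e in exposures
                  if any(feasible(m, e) for m in models)
                  and not deployed.intersection(e.controls))


# Constructed profiles, loosely following Table 2.3 plus one internal violator.
REMOTE_PHASES = frozenset({Phase.TRANSFER, Phase.PROCESSING})
ALL_PHASES = frozenset(Phase)
MODELS = [
    IntruderModel("lone hacker", Knowledge.TYPICAL,
                  frozenset({Location.REMOTE}), REMOTE_PHASES),
    IntruderModel("hacker group", Knowledge.NETWORK,
                  frozenset({Location.REMOTE}), REMOTE_PHASES),
    IntruderModel("competitor with planted insider", Knowledge.SYSTEMS,
                  frozenset({Location.REMOTE, Location.PROTECTED_AREA,
                             Location.WORKSTATION}), ALL_PHASES),
    IntruderModel("network administrator", Knowledge.DEFENCE_AWARE,
                  frozenset({Location.WORKSTATION, Location.SERVER,
                             Location.ADMIN_SYSTEM}), ALL_PHASES),
]

# Constructed sample information system; the last exposure is reachable by
# none of the models above and so must not appear as a coverage gap.
EXPOSURES = [
    Exposure("customer data in transit", Phase.TRANSFER, Location.REMOTE,
             Knowledge.TYPICAL, ("channel encryption",)),
    Exposure("public web application", Phase.PROCESSING, Location.REMOTE,
             Knowledge.NETWORK, ("patching", "web application firewall")),
    Exposure("unlocked workstation session", Phase.PROCESSING,
             Location.WORKSTATION, Knowledge.TYPICAL,
             ("screen lock", "physical access control")),
    Exposure("database files at rest", Phase.STORAGE, Location.SERVER,
             Knowledge.SYSTEMS, ("disk encryption", "server room access control")),
    Exposure("security policy configuration", Phase.PROCESSING,
             Location.ADMIN_SYSTEM, Knowledge.DEFENCE_AWARE,
             ("dual control", "change audit")),
    Exposure("protection-system management program", Phase.PROCESSING,
             Location.SECURITY_MGMT, Knowledge.IMPLEMENTER,
             ("separation of duties",)),
]

if __name__ == "__main__":
    for name, assets in reachable(MODELS, EXPOSURES).items():
        print(f"{name}: {assets}")
    print("gaps:", coverage_gaps(MODELS, EXPOSURES,
                                 ["channel encryption", "patching"]))
```

With only channel encryption and patching deployed, the two remote models are fully covered, while the workstation, server and administration-system exposures that the competitor's insider and the administrator can reach remain open; the management program of the protection system itself is not listed as a gap because no modelled intruder reaches it, which is exactly the reason the model must be revisited whenever a new category of violator (for example a former implementer) becomes relevant.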