By information security, we mean the set of organizational and technical measures that ensure the confidentiality, integrity, availability and manageability of data. Information security also governs how all elements of a system interact within the broader concept of state security. At the international and national levels, its structural elements include:
To protect all of these components, a methodology has to be developed and an infrastructure built. Information security tasks are challenging because the information space has no boundaries. The specific features of the Internet and of wireless communication make it possible to transfer large volumes of data across state borders without control or hindrance, and that data often contains information whose circulation is prohibited or restricted worldwide or in individual countries.
Cyber-attack techniques develop faster than defensive technologies, which is why even government databases are at risk. The most advanced technologies are used to protect state secrets. However, state secrets enter the risk zone as soon as they leave the most protected perimeter and become the subject of interaction between state institutions and commercial or public organizations with a lower level of protection.
State protective measures are also imperfect, as the growing number of attacks on government servers in different countries shows. In 2012, during the presidential election in Russia, polling stations used a webcast system to record violations of electoral law. Within 24 hours on election day, the system was attacked 1.2 million times. In the same year, hackers attacked Israeli state information networks 44 million times, Iranian networks 28 million times, and US networks 12 million times.
The problem is further complicated by the fact that the attackers most often fall outside the jurisdiction of the state that was attacked: they are foreign nationals, stateless persons, or people who operate across borders. All this forces states to seek a global consensus on fighting these threats and to create a common system of information security. Governments are negotiating the possibility of criminalizing cyber-attacks and of equating them with armed attacks when they target state institutions.
In 2012, then US Secretary of Defense Leon Panetta proposed equating cyber-attacks with armed attacks. He compared the consequences of intrusions into the computers of chemical and nuclear plants and of urban life-support systems with those of a nuclear explosion. The United States Congress supported the idea, but the initiative has not been enacted into law.
A rare example of systematized norms in the information security field is the intergovernmental agreement concluded in 2013 between Russia and the United States on cooperation in scientific research and development in the nuclear and energy sectors. The document also listed confidence-building measures and ways of countering cyber war, and declared the creation of a common information security system. In 2016, however, the agreement was suspended.
Another argument for creating an international regulatory framework against cyber threats is reputational risk. The use of information technology in political competition has become commonplace, and the damage from cyber-attacks on a rival state is measured not only in reputational terms but also in financial losses. Information security and the protection of a state's reputation are therefore becoming tools in geopolitical confrontation.
All this reinforces the case for concentrating global efforts on a system of preventive measures. One such measure is criminalizing offences in the information security field to the fullest extent. This approach is more effective against cybercrime than mitigating the consequences of incidents after the fact.
According to the US Center for Strategic and International Studies, the annual damage worldwide from crimes involving the theft of computer information exceeds $440 billion.
Hackers are not the only threat to the information of corporations, banks and government organizations. Security threats also include:
At the national level, in addition to strategies for countering threats, governments develop offensive cyber capabilities. Offensive cyber-attacks are carried out by government agencies against the networks of rival states in order to steal or damage critical information. For example, by 2014 the US authorities reportedly controlled almost the entire industry of spyware (programs that steal data from users' computers or redirect it) and adware (programs that display unwanted advertising).
Other tools used to attack government, corporate and personal devices include:
Ransomware. Once executed, it makes the computer or mobile device, or the data on it, unavailable, typically by encrypting files or locking the device, and demands payment to restore access. A feature of the newer wave of ransomware is that the ransom is demanded in cryptocurrency, whose circulation is largely unregulated and whose recipient is extremely difficult to trace.
Rogue security software. A variant of Trojan programs: malware posing as a security product that the user installs voluntarily. It then either disables the PC and demands payment, or opens the way for other malware to infiltrate the system.
Madware (mobile adware). Aggressive advertising software that targets mobile devices and their software.
Cyberbullying. The use of online attacks to exert psychological pressure on victims.
Both personal computers, whose owners are often careless about protecting personal data, and the thoroughly protected databases of international corporations are under constant threat. Companies in the US and the European Union are reportedly willing to pay from $3 million to $12 million for a hacker attack that steals data from competitors. The price is five times higher if the target is a military or industrial facility.
The political sphere has not yet developed common international norms defining the main areas for combating information security threats. By contrast, the field of standardization and security systems has not only developed such norms but also applies them successfully. These are the standards for production and commercial operations that belong to the ISO/IEC 27000 family.
The double abbreviation ISO/IEC indicates that these standards are the result of collaboration between the International Organization for Standardization (ISO), whose regulations define the quality of production and management processes, and the International Electrotechnical Commission (IEC). The ISO/IEC 27000 series contains recommendations and practical guidance for implementing an Information Security Management System (ISMS). In addition to the ISO/IEC 27000 series, European countries develop and implement their own regulatory documents defining information security requirements, and the national standards of one country are often adopted by other states. This was the case with BS 7799, the Code of Practice for Information Security Management developed in the UK, which later formed the basis of ISO/IEC 17799 and, subsequently, ISO/IEC 27002.
Companies that care about data protection and that certify their goods and services under ISO 9001 should strive to establish their own ISMS based on the ISO/IEC 27000 series: ISO/IEC 27000:2016, or the earlier edition in force when the ISMS was introduced.
Following the ISO 9001 management model, the process of creating and implementing the system comprises four stages, designated PDCA (Plan, Do, Check, Act):
Plan. Develop internal regulatory documentation and the audit system, inventory risk-prone or critical assets, and design the technical measures.
Do. Implement the developed system, together with the tools for assessing the effectiveness of the measures taken.
Check. Assess the quality of the system's performance. The assessment should be purpose-oriented and regular.
Act. Address and eliminate the shortcomings identified at the Check stage.
A system implemented through the PDCA cycle is structured to meet the requirements of the international certification standards.
ISMS advantages
ISMS has several advantages compared to traditional protection systems:
When building an ISMS, it is important to remember that information security at the international, state and corporate levels rests first on the regulatory framework, standards, forecasts and preventive measures, and only then on the practical implementation of ISMS strategies. Accordingly, society (at the state level) and employees (at the corporate level) are expected to understand the degree of danger and to support information security initiatives.