Modern technologies to protect against leakage of confidential information
Information leakage is a serious problem for both government agencies and commercial organizations. New technologies for intercepting important data keep appearing and are constantly being improved. Protection measures do not always keep up with them, because a new protective technology must pass through the stages of trial, assessment and implementation before it can be deployed. Nevertheless, anticipating possible threats and using the full range of resources offered by modern science and technology will help ensure reliable protection.
Defense and attack players
The industry that develops means and methods of stealing commercial secrets is growing very rapidly. Today the market includes foreign, mainly Chinese, companies that specialize in developing and selling spy devices; foreign and domestic programmers and hackers who refine spyware; numerous intermediaries who adapt intelligence technologies for the market; and equipment sellers offering:
- radio transmitters;
- disguised and embedded devices;
- mobile phones with an activated "police" function (covert transmission of confidential audio picked up in the area around the device);
- hardware-industrial complexes for corporate intelligence.
In protection against information leaks, the key role is played mainly by large Russian companies that specialize in developing protective technologies and technical means, as well as IT companies that create specialized software. Most of them also cooperate with the special services or employ their former staff, which allows them to monitor the attack market and respond to it adequately. In addition, large international corporations have focused on releasing workstations with a higher class of resistance to information security threats. Using such equipment reduces the risk of data leakage through typical office channels.
The defense players should also include:
- international organizations working in the field of standardization that develop security standards;
- legislators who create laws and regulations that increase liability for crimes committed in the information sphere.
Information is not an object confined by physical or spatial boundaries, so its leakage channels are not only material ones. It literally flows through the air, for example when sound or electromagnetic waves are picked up by specially planted devices. The classification of leakage channels starts by dividing them according to who creates them: external or internal. External channels are created by persons who penetrate the premises or the protected data perimeter from the outside using modern technologies; internal channels are created by company employees, the insiders, whose actions account for the lion's share of leaks. Insiders use the following channels to steal sensitive information:
- copying confidential information stored in electronic form from the hard drives of computers or multifunction printers to various media, from flash drives to the memory cards of mobile phones;
- printing documents and taking them out in material form outside the office territory;
- transmitting data via external e-mail channels, via messengers that allow file attachments, or via social networks. To evade interception, the data may first be preprocessed and hidden inside image or video files using steganographic methods;
- direct theft of media;
- photographing or video recording of documents or events;
- sound recording of negotiations.
Most of these actions can be prevented by implementing a system of organizational and technical measures.
When confidential information is stolen from the outside, the following methods are added:
- hacker intrusion into confidential data stores;
- interception or receipt of information about telephone conversations from the provider;
- installation of embedded devices that intercept sound information or electromagnetic waves that can be converted into information;
- introduction of malicious programs, such as worms that steal and transfer files;
- obtaining data from counterparties, or by instigating a commissioned inspection by regulatory authorities.
These methods of organizing leaks must also be countered organizationally and technically, but with emphasis on the operational work of the internal security service.
Any methods of protection should be based on a coherent concept that covers every aspect and nuance of organizing the defense perimeter. To systematize this knowledge, information security standards are developed and implemented. The most widely applied today is the ISO 27000 group of standards, the American model that replaced the British model BS 7799-1:2005. Companies that care not only about combating leaks but also about demonstrating their level of protection to business partners certify against these standards and apply the technologies they recommend. Within this framework, four separate groups of standards have been developed:
- overview, clarifying terminology;
- defining key requirements for the development and implementation of an ISMS (information security management system);
- defining rules for conducting and requirements for an ISMS audit;
- best practices for the implementation, development and improvement of the information security management system and protection against leakage of confidential information.
The standards provide for the following algorithm for working with possible data leakage channels:
- development and implementation of preventive measures;
- identification of possible leakage channels in the protected perimeter;
- detection of real channels involved in the organization of the theft process;
- hazard assessment;
- proposing measures to protect against leaks of confidential information, assessing their cost;
- determination of the appropriateness of taking certain protection measures;
- application of measures;
- channel localization;
- checking the quality of the closure of the channels;
- audit of the measures taken, development of proposals for their optimization.
Basic methods of protection
The standards propose a hierarchical system of protection measures. It begins with the adoption of a general concept of information security protection and prevention of confidential information leaks, on the basis of which standards and methods are developed and the latest technical solutions are introduced.
The policies and practices developed and adopted at the company's management level become the cornerstone on which reliable protection is built. Among the policies that should be implemented first:
- a commercial secret regime, including a list of protected data, a familiarization procedure, a marking (stamp) system, and disciplinary measures;
- a policy ranking data by importance and granting employees access according to their rank in the system;
- policy for working with computers and storage media;
- a policy of exchanging information with government organizations at their request.
Compliance with policies should be at the heart of staff incentive measures. Once the regulatory documentation has been developed, attention must turn to the physical protection of data: access control, means of identifying employees, protection of telephone lines and premises from wiretapping, and video surveillance of the premises.
Organizational measures also include periodic conversations with employees about compliance with the commercial secrets regime, covert monitoring of potential insiders, and operational measures to identify them. Of course, all these measures must fully comply with applicable law and must not violate the staff's right to privacy.
But the main burden of dealing with leaks falls on the technical means. Among them:
- creation of a special architecture of workstations;
- creation of isolated automated systems;
- installation of a terminal server;
- software products designed to ensure security.
Isolated automated systems
Practice is increasingly moving towards introducing isolated automated systems into companies' operations. Workstations that process and store confidential data are united into a single integrated network that works according to the following principles:
- it is completely disconnected from the Internet;
- the system requires stronger identification from employees to log in;
- the system is equipped with access control: workstations are located in secure rooms that can be entered only with electronic passes, and the rooms where the computers are located are equipped with video cameras;
- computers, scanners, printers and other devices are modified so that copying information to external media is impossible: floppy drives are disabled, and USB ports, system units and other ports are sealed;
- transfer of information to the external environment, for example creating a backup copy of data and documents for storage on a remote server, is carried out according to strictly defined procedures by only a few authorized employees.
This technology is often implemented by banks, where computers connected to banking software containing data on accounts, customers and transactions, as well as financial and accounting information, are not connected to the public network or the Internet. The method is quite old, but it still proves its effectiveness. It is practically unaffordable for commercial organizations that operate in the open market and do not hold large volumes of confidential data, because of its obvious high cost: it requires creating two parallel sets of workplaces with all the attendant expenses.
Active monitoring systems for workstations
Recently, systems for active monitoring of workstations have proven themselves. These tools continuously check all events occurring on user workstations and identify and prevent security incidents. A modern active monitoring system includes the following components:
- sensor modules. They are installed on employees' workstations, register all events occurring on them and transmit the information to the data analysis module, and then to agents authorized by the security policies, either data processing systems or security personnel directly. Sensors can independently allow or block certain actions, for example prohibiting data copying or transmission via external communication channels;
- the data analysis module checks, according to the regulations, the information transferred to it in order to identify information security incidents, which may include actions of various kinds - from copying to transferring data;
- a response module that chooses an action algorithm when detecting incidents;
- a module for storing monitoring data and an archive of decisions made for subsequent analysis of their effectiveness;
- centralized systems management module.
Systems for active monitoring of workstations are relatively inexpensive; with correctly formulated technical specifications they can reduce the number of unauthorized actions to a minimum, but they have two or three significant drawbacks:
- do not protect data from external attacks;
- complicate system administration;
- can create software conflicts, which leads to the failure of the corporate system.
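The component chain described above, as an added example that is not part of the original article: constructed sensor events pass through an analysis module holding policy rules, a response module applies the verdict, and every verdict is archived for later review. Rule names, the internal mail domain and all event values are assumptions.

```python
# Constructed model of the monitoring pipeline described above: sensor events pass
# through an analysis module (policy rules), a response module and a decision archive.
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Event:
    host: str
    user: str
    action: str  # "copy_to_removable", "send_email", "print"
    target: str  # removable device, recipient address or printer (constructed)
    label: str   # classification stamp found on the object, "" if none

INTERNAL_DOMAIN = "@example.internal"  # assumed internal mail domain

# Policy rules as (rule name, predicate, decision); first match wins. Names are assumed.
POLICY: list[tuple[str, Callable[[Event], bool], str]] = [
    ("block-confidential-removable",
     lambda e: e.action == "copy_to_removable" and e.label == "confidential", "block"),
    ("block-confidential-external-mail",
     lambda e: e.action == "send_email" and e.label == "confidential"
     and not e.target.endswith(INTERNAL_DOMAIN), "block"),
    ("alert-confidential-print",
     lambda e: e.action == "print" and e.label == "confidential", "alert"),
]

def analyse(event: Event) -> tuple[str, str]:
    """Analysis module: returns (decision, matched rule name)."""
    for name, predicate, decision in POLICY:
        if predicate(event):
            return decision, name
    return "allow", "default-allow"

def respond(events: list[Event], archive: list[dict]) -> dict[str, int]:
    """Response module: applies each verdict and archives it for later review."""
    counts = {"allow": 0, "block": 0, "alert": 0}
    for e in events:
        decision, rule = analyse(e)
        archive.append({"host": e.host, "user": e.user, "action": e.action,
                        "target": e.target, "decision": decision, "rule": rule})
        counts[decision] += 1
    return counts

# Constructed sensor events from two workstations.
SAMPLE_EVENTS = [
    Event("ws-01", "alice", "copy_to_removable", "usb-disk-7", "confidential"),
    Event("ws-01", "alice", "send_email", "bob@example.internal", "confidential"),
    Event("ws-02", "carol", "send_email", "x@mail.example.com", "confidential"),
    Event("ws-02", "carol", "print", "printer-2", "confidential"),
]
```

Running `respond(SAMPLE_EVENTS, [])` yields `{'allow': 1, 'block': 2, 'alert': 1}`: the internal e-mail passes, the USB copy and the external e-mail are blocked, and the print job raises an alert.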
Terminal server installation
Another inexpensive solution is to install a terminal server through which all operations involving confidential information pass. The terminal server hosts the working applications the user needs for data processing. The user connects to them by opening a terminal session, but every command passes through the terminal server, which can block unwanted operations and completely rule out writing confidential data to external media. When working with data, the user sees only its graphical rendering and cannot copy it in any way other than taking a screenshot. One server can simultaneously serve several hundred users. Among the terminal access solutions offered on the market are Microsoft Terminal Services and Citrix MetaFrame. The advantages of the technology are:
- limiting the ability to copy or print important documents;
- the ability to block the transmission of data packets from the terminal to external resources due to the method of filtering them with the selection of only those packets that contain graphic information necessary for users.
This model of working with confidential information will help to reliably protect personal, accounting and production databases, as well as customer databases.
Comprehensive software solutions help protect the entire information perimeter and prevent most situations arising from insider actions or hacker attacks. The following types of software tools used in information security should be considered:
- content analysis tools;
- means of cryptographic protection;
- DLP (data leak prevention) systems.
Among the individual market offerings, content analysis tools deserve particular attention. They help filter traffic directed to external servers. These protections are installed inline between the corporate network and the Internet. Messages are processed by splitting them into service fields, each of which is filtered according to criteria set in advance by the security service. The simplest criterion is to look for the "confidential" or "for official use" labels. These mechanisms do not work if the message was encrypted or hidden steganographically in a music or image file before sending.
Cryptographic software encrypts data on hard drives and removable media and in packets transmitted over communication channels. The keys are stored on a separate medium kept in a protected place, so even the theft of a hard drive makes decrypting the confidential information practically impossible. In addition to this scheme, Microsoft has offered another level of protection in which only a user with special rights can decrypt the data.
Besides installing software and configuring the enterprise security system optimally, the organizational and technical measures should include systematic sweeps for planted devices (electronic devices for intercepting information) and special studies (SR) of side-channel electromagnetic radiation and interference. Such sweeps require special equipment. When protecting a given area, attention must be paid to access control within the controlled zone, with covert detection of electromagnetic radiation emanating from all visitors, from customers and contractors to repair services. Any of them may carry a planted device, an interceptor of audio information, into the protected perimeter.
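A constructed content-analysis check, added here and not taken from the article or any product: an outbound message is split into service fields, each text field and readable attachment is matched against the two labels named above, and attachments whose bytes cannot be read as text (encrypted, or media that may carry steganographic content) are flagged for review because label matching cannot see inside them. The message layout, the entropy threshold and all sample messages are assumptions.

```python
# Constructed content-analysis check for an outbound message: split into service
# fields, match each against classification labels, and flag opaque attachments
# (encrypted or binary media) where label matching is blind.
import math
from collections import Counter

LABELS = ("confidential", "for official use")  # labels named in the text above

def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy; random or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def label_hits(text: str) -> list[str]:
    low = text.lower()
    return [label for label in LABELS if label in low]

def inspect(message: dict) -> dict:
    """Returns {'decision': 'allow'|'block'|'review', 'findings': [...]}."""
    findings: list[str] = []
    for field in ("subject", "body"):  # text service fields
        for label in label_hits(message.get(field, "")):
            findings.append(f"{field}: label '{label}'")
    for name, data in message.get("attachments", {}).items():
        try:
            text = data.decode("utf-8")
        except UnicodeDecodeError:
            text = None
        # 7.0 bits/byte is an assumed threshold for "looks encrypted/compressed"
        if text is None or entropy_bits_per_byte(data) > 7.0:
            findings.append(f"attachment {name}: opaque, not inspectable")
        else:
            for label in label_hits(text):
                findings.append(f"attachment {name}: label '{label}'")
    if any("label" in f for f in findings):
        decision = "block"
    elif any("opaque" in f for f in findings):
        decision = "review"  # content cannot be judged; other controls must apply
    else:
        decision = "allow"
    return {"decision": decision, "findings": findings}

# Constructed messages: a labelled report, an opaque attachment, and a clean note.
LABELLED = {"subject": "Q3 figures", "body": "FOR OFFICIAL USE - do not forward",
            "attachments": {"q3.txt": b"Confidential: draft"}}
OPAQUE = {"subject": "photos", "body": "see attached",
          "attachments": {"img.bin": bytes(range(256)) * 4}}
CLEAN = {"subject": "lunch", "body": "noon?", "attachments": {}}
```

`inspect(LABELLED)` blocks on two findings, `inspect(OPAQUE)` returns "review" because the attachment is not valid text and has maximal entropy, and `inspect(CLEAN)` allows the message.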
Only a combination of all modern means of technical protection with organizational measures will make it possible to achieve success in combating information leaks.