Methods of prevention of information leakage
Information leakage is a serious threat for many businesses. It can occur through the intent of third parties or through the negligence of employees. A deliberate leak is organized with one of two goals: the first is to cause damage to the state, society or a specific enterprise, which is characteristic of cyber terrorism; the second is to gain a competitive edge.
Unintentional leakage most often results from the negligence of the organization's employees, but it can also lead to serious adverse consequences. A system for protecting information assets from loss should be built at a professional level, using modern technical means, in companies of all types. This requires an understanding of the leakage channels and of the methods of blocking them, as well as of the requirements for modern security systems.
SearchInform DLP intercepts data transmitted through various channels - mail, cloud services, removable media, instant messengers, documents sent to print. The program analyzes the data flow and identifies cases of their unsafe use.
All information arrays are divided into two main groups:
- subject to protection in accordance with federal laws;
- to be protected in accordance with the internal policy of the organization.
The first group includes data containing state secrets and other information specified by federal laws. Among it is the personal data of employees and customers, protected under the Law "On Personal Data"; its uncontrolled spread can harm the person and their safety. This group also includes banking secrecy, protected on the basis of the Law on Banks and Banking Activities, and some other categories. Leakage of this information can cause financial damage to customers, which can then be recovered from the culprit by way of recourse.
When an organization works with information containing state secrets, as found for example in some state contracts, it must comply with the special information protection regimes provided for by the Law on State Secrets. Compliance of the organization's security system with the requirements for handling such information is confirmed by a license issued by the FSB. Most companies participating in tenders need to obtain it, and to obtain it the system of leakage protection measures is checked against all requirements by the certification center. The licensing procedure is regulated by Government Decree No. 333.
The commercial and professional secrets of an organization are protected in accordance with the norms of the Civil and Labor Codes and the company's internal regulations. Most often this information is of interest to the company's competitors, who can use it in the struggle for advantage in the sales markets, but it may also have independent value for criminal gangs.
Both creating the conditions for information theft and the theft itself are prosecuted under the Criminal Code, article 183, "Illegal receipt and disclosure of information constituting commercial, tax or banking secrets".
Leakage and interception of information
In terms of terminology, it is necessary to distinguish between information leakage and its interception. Interception is an illegal way of acquiring information using technical means. Information leakage is its loss as it spreads through communication channels and physical space for any reason, including interception and redirection. A deliberately created leak through technical channels involves installing various devices along the path of the information's distribution that intercept it.
The term "leakage" is used more often in the professional field; in practice it covers all types of leaks, whether caused by human or technical factors. The illegal act of recording information containing a legally protected secret onto an external medium and taking it out of the corporate space is the most common method of theft. Modern DLP systems are therefore configured mainly for the risks posed by the corporate user rather than for outside intrusion.
An example of such a situation is the case in which Google sued Uber, which had recruited a former employee of the company. The top manager illegally copied almost all the data related to the development of an unmanned vehicle that he had led. The security system of one of the largest corporations in the world was unable to prevent theft of information committed by one of its own top managers. At the same time, the judicial prospects for compensation of the damage are vague, since the company and the employee evidently had no agreement defining a mechanism for compensation in such a case. Uber, which became the beneficiary of the theft, was chosen as the defendant. The files may have been returned, but the information they contained could still be used to create a competitive advantage.
This case shows that, regardless of the level of the company, the risk of losing information is equally serious for everyone.
Organizations at risk
Based on the above criteria for protected data, several types of business entities fall into the main risk zone for information leakage. These are:
- commercial and non-commercial, scientific and other organizations working with information constituting a state secret, for example when fulfilling a state order;
- organizations possessing information that criminal communities could need to commit terrorist acts, or which are by their nature targets of terrorist attacks;
- organizations operating in the financial services market that hold data on the accounts and finances of their clients, including their bank card numbers;
- organizations working with large amounts of personal data, which often fall prey to hackers and end up on the open market;
- organizations using new technologies and know-how in their work;
- any organizations operating in competitive markets, where available information about technologies, markets, customers, strategies and contracts becomes a means of gaining an advantage in the fight for a customer;
- organizations involved in disputes about the redistribution of property, or which are targets of raider attacks. In this case, the theft of important information may become the basis for inspections or lawsuits.
All of them need to make the most of the available ways to prevent information leakage, since the damage can be caused not only to the legal entity itself but also to an indefinitely wide range of persons. In some cases, the company may be held liable for failing to take protective measures. Each channel of information leakage should be analyzed to determine how well it is secured, and then protected as fully as possible.
Technical channels of information leakage
There are four main groups of technical methods of organizing information leakage:
- visual, allowing interception or copying of information presented in visual form: documents, or information displayed on a computer monitor;
- acoustic, allowing interception of conversations in a room or of telephone conversations;
- electromagnetic, allowing data carried by electromagnetic radiation to be received; decoding it can also yield the required information;
- material, related to the analysis of objects, documents and waste arising from the company's activities.
For each technical leakage channel, competitors use the most modern methods of obtaining and processing information, and the very awareness that such opportunities exist should help reduce the level of risk. To remove the danger completely, professionals are needed who can determine the most valuable data sets that are the target of possible attacks and offer a full range of protection tools.
If the monitor screen or part of documents lying on the table can be seen through the office window, there is a risk of leakage. Any luminous flux emanating from a source of information can be intercepted. To combat this method, it is necessary in most cases to use simple technical means:
- decrease in reflective characteristics and decrease in illumination of objects;
- installation of various obstacles and disguises;
- the use of reflective glass;
- location of objects so that light from them does not fall into the area of possible interception.
But there is also a more typical risk of leakage of visual information: taking documents out of the room to photograph them, other forms of copying, screenshots of database screens containing important information, and other methods. The main measures against these risks belong exclusively to the administrative and organizational sphere, although there are software tools that, for example, prevent screenshots of the data displayed on the monitor.
Information in the form of sound is the most vulnerable to interception and leakage. Sound in the ultra-frequency range (over 20 thousand hertz) spreads easily. If there is an obstacle in its path, the sound wave causes vibrations in it, and these can be read by special devices. This property of sound should be taken into account already at the design stage of a building or office, where the architects' arrangement of the premises should be thought out so as to exclude information leakage. If this is unrealizable, technical means must be used and the room finished with sound-reflecting materials, for example porous plaster. Stethoscopes are used to assess the degree of protection.
If maximum sound absorption cannot be achieved, noise generators can be installed around the perimeter of the main walls of the building that are not protected from eavesdropping, or in meeting rooms.
Leakage of acoustic information is also possible through the use of voice recorders during negotiations; special devices are used to detect their presence. The installation of voice pickup devices (bugs) on telephones is now practically unused, since digital traffic is intercepted in other ways, including through a telephone operator or an Internet provider. This risk should also be taken into account, perhaps by creating special instructions on which confidential information may be discussed in telephone conversations.
Electromagnetic channels and communication channels
Interception of information contained in spurious electromagnetic radiation is also dangerous. Electromagnetic waves propagating within the electromagnetic field over a short distance can likewise be intercepted. They can come from:
- microphones of telephones and intercoms;
- the main grounding and power circuits;
- an analog telephone line;
- fiber-optic communication channels;
- other sources.
Intercepting and decoding them is not difficult for modern technical means.
Technologies allow embedded PEMIN devices (the term stands for "spurious electromagnetic radiation and interference") to be connected directly to power circuits or installed in a monitor or computer case; through internal connections to the boards they can intercept data:
- displayed on the monitor screen;
- entered from the keyboard;
- output through wires to peripheral devices (printer);
- recorded on the hard disk and other devices.
In this case, the countermeasures are grounding of wires, shielding the most obvious sources of electromagnetic radiation, and detecting embedded devices, including with special software and hardware designed for that purpose. Information transmitted over the Internet, however, remains available for interception; here the fight against its theft can be carried out by both hardware and software means.
Ordinary trash or industrial waste can be a valuable source of data. Chemical analysis of waste leaving the controlled area can yield critical information about the composition of a product or about the production technology. Countering this risk requires an integrated solution, including the use of waste processing technologies.
All of the above methods of information leakage (except the material channel) require the thief to have physical access to the source: the operating range of a conventional device for intercepting audio or visual information does not exceed several tens of meters. Installing embedded devices for picking up electromagnetic radiation and acoustic vibrations requires direct penetration of the facility, as well as knowledge of its layout, which may require recruiting an employee. Since most premises are equipped with video surveillance cameras, these methods are now used in extremely rare cases.
The most serious threat today comes from modern methods of theft that use the Internet to reach data archives or voice traffic.
Ways to prevent information leakage
For effective protection against all of the above methods of leakage, it is necessary to develop a system of security measures, which includes two main groups of actions and measures:
- administrative and organizational measures;
- technical and programmatic measures.
Both groups of measures require mandatory consultation with professionals before implementation, especially if the company intends to obtain a license to work with state secrets. The technical means used must be certified and approved for circulation on the territory of the Russian Federation; it is unacceptable to use untested or prohibited means, including those in the "spyware" category, in order to protect information. Information protection should be based only on legal methods.
The security system should be designed in a comprehensive manner, relying on organizational measures as a basis. All its elements should form a single complex, control over the performance of which should be entrusted to competent employees.
Protection system design principles
There are certain principles on which a comprehensive system of measures to protect confidential information from leaks should be based:
- continuity of the system in space and time. The protection methods used should control the entire material and information perimeter around the clock, preventing gaps or any decrease in the level of control;
- multi-zone protection. Information should be ranked according to its importance, and protection methods of different strength should be applied accordingly;
- prioritization. Not all information is equally important, so the strictest safeguards should be applied to the information of highest value;
- integration. All system components must interact with each other and be controlled from a single center. If the company is a holding company or has several branches, management of the information systems must be set up from the parent company;
- duplication. All the most important blocks and communication systems must be duplicated, so that if one link of the protection is breached or destroyed, a standby one takes its place.
Building systems of this level is not always required for small trading firms, but for large companies, especially those cooperating with a government customer, it is an urgent need.
Administrative and organizational measures
The head of the company, together with the deputy in charge of the security service, should be responsible for their observance. Almost 70% of the overall level of information security depends on administrative and technical measures, since commercial espionage services far more often rely on bribing employees, or on disclosure of information to third parties not directly involved in the competition, than on special technical means of stealing information that require high qualifications.
Development of documentation
All regulations of the organization dedicated to the protection of trade secrets and other information must comply with the most stringent requirements for similar documents required to obtain a license. This is due not only to the fact that they are the most elaborated, but also to the fact that high-quality preparation of this type of documentation will in the future provide an opportunity to defend the company's position in court in the event of disputes about information leakage.
Work with personnel
Personnel are the weakest link in any information leakage protection system, which makes it necessary to pay maximum attention to working with them. For companies working with state secrets, there is a system for issuing clearances. Other organizations need to take various measures to limit who can work with confidential data. A list of information constituting a commercial secret must be drawn up and attached as an annex to the employment contract. Where information is held in a database, access control systems must be developed.
Restrict all copying and access to external e-mail. All employees must be familiar with the instructions on handling information containing commercial secrets and confirm this by signing the logbook; this allows them to be held accountable if necessary.
The access regime at the facility should involve not only recording the details of all visitors, but also cooperation only with security companies that themselves meet all security requirements. A situation where an employee of a private security company is on night duty at a facility in which employees, for the convenience of the system administrator, write down their passwords and leave them on the desk can be just as dangerous as the work of a professional hacker or technical interception equipment installed in the premises.
Working with contractors
Quite often, the perpetrators of information leaks are not employees but the company's counterparties: numerous consulting and auditing companies, and firms that develop and maintain information systems. As a rather curious, albeit controversial, example, we can cite the Ukrainian situation, where the work of a number of 1C subsidiaries was prohibited due to suspicions that their employees could steal confidential accounting information. The same danger is posed by the cloud CRM systems that are widespread today, which offer cloud storage services. Given their minimal responsibility for the safety of the information entrusted to them, no one can guarantee that the entire database of customer phone calls recorded in the system during its integration with IP telephony will not immediately become the prey of competitors. This risk must be assessed as very serious, and when choosing between on-premises and cloud programs, the former should be preferred. According to Microsoft, the number of cyber attacks on cloud resources increased by 300% this year.
Equal caution is needed with all counterparties that require the transfer of data constituting a commercial secret. All contracts must include conditions establishing liability for its disclosure. Quite often, certificates of property and share appraisal, audits and consulting research are resold to competing organizations.
Planning and technical solutions
When planning the architecture of the premises in which negotiations are held or protected information is located, all GOST requirements for protection methods must be observed. Meeting rooms must be able to pass the required certification; all modern shielding methods and sound-absorbing materials must be used, along with noise generators.
Leakage prevention technology and systems
To protect information from leakage or theft, a wide range of hardware and technical measures must be applied. Modern technical means are divided into four groups, described below: physical protection means; detection and measurement equipment; software; and cryptographic means.
The first group is used in the implementation of planning and architectural solutions. These are devices that physically block the entry of unauthorized persons to protected objects: video surveillance systems, alarms, electronic locks and other similar technical devices.
The second group includes measuring devices, analyzers and technical devices that locate embedded devices: everything that allows you to identify the existing channels of information leakage, evaluate how effective they are, and determine their significant characteristics and role in a possible or actual loss of information. Among them are field indicators, radio frequency meters, nonlinear locators, and equipment for testing analog telephone lines. Voice recorders are found with detectors that pick up their spurious electromagnetic radiation, and video camera detectors work on the same principle.
The third group, software, is the most significant, since it can be used to prevent unauthorized persons from penetrating information networks, to block hacker attacks, and to prevent information interception. Of particular note are special programs that provide systemic information protection: DLP and SIEM systems, which are most often used to build complex information security mechanisms. DLP (Data Leak Prevention) systems provide complete protection against loss of confidential information. Today they are mainly configured to handle threats inside the perimeter, that is, those coming from users of the corporate network rather than from hackers. These systems use a wide range of techniques for identifying points of loss or transformation of information and can block any unauthorized entry or transmission of data, automatically checking every channel through which it is sent. They analyze the user's mail traffic, the contents of local folders and messages in instant messengers, and block any detected attempt to forward data.
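As an added example (not the page's or SearchInform's code), here is the kind of content-inspection rule a DLP system applies to an outgoing mail channel: it looks for bank card numbers validated with the Luhn checksum and for a confidentiality label, and blocks the message only when a recipient lies outside the corporate domain. The corporate domain, the label text and the sample messages are constructed assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

CORPORATE_DOMAIN = "example-corp.test"      # assumed internal mail domain
CONFIDENTIAL_MARKER = "commercial secret"   # assumed label from the internal list

# Candidate card number: 13-19 digits, optionally separated by single spaces
# or dashes, not embedded in a longer digit run.
CARD_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters out digit runs such as order or invoice numbers."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return normalized card numbers (digits only) found in the text."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


@dataclass
class Message:
    sender: str
    recipients: list[str]
    subject: str
    body: str


@dataclass
class Verdict:
    action: str                               # "allow" or "block"
    reasons: list[str] = field(default_factory=list)


def is_external(addr: str) -> bool:
    return addr.rsplit("@", 1)[-1].lower() != CORPORATE_DOMAIN


def inspect(msg: Message) -> Verdict:
    """Policy: sensitive content may circulate inside the perimeter but is
    blocked as soon as any recipient is outside the corporate domain."""
    text = msg.subject + "\n" + msg.body
    reasons = []
    cards = find_card_numbers(text)
    if cards:
        reasons.append(f"{len(cards)} bank card number(s) detected")
    if CONFIDENTIAL_MARKER in text.lower():
        reasons.append("content labelled as commercial secret")
    external = [r for r in msg.recipients if is_external(r)]
    if reasons and external:
        return Verdict("block", reasons + ["external recipient(s): " + ", ".join(external)])
    return Verdict("allow", reasons)   # internal traffic stays visible via reasons


if __name__ == "__main__":
    # Constructed sample message; 4111... is a well-known Luhn-valid test number.
    sample = Message("ivanov@example-corp.test", ["buyer@partner.test"],
                     "invoice", "Pay to card 4111 1111 1111 1111, order 1234567890123")
    print(inspect(sample))
```

A real DLP product applies the same idea to every channel the page lists (instant messengers, removable media, print jobs) and with far richer detectors, but the decision structure stays the same: classify the content, then judge it against where it is going.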
SIEM systems (Security Information and Event Management) manage information flows and events in the network, and an event is understood as any situation that can affect the network and its security. When it occurs, the system independently proposes a solution to eliminate the threat.
Hardware and software tools can solve individual problems or provide comprehensive security for computer networks.
The fourth group, cryptographic means, provides encryption algorithms for all information that is transmitted over networks or stored on a server. Even if it is lost, it will be of no use to a hypothetical competitor.
The complex application of the entire range of protection methods can be redundant, therefore, to organize information security systems in a particular company, you need to create your own project, which will be optimal from a resource point of view.