Information security of enterprises
The task of building an enterprise information security system is complex. Management should assess the level of perceived risk and develop a threat model; it will differ for each type of business. What the threats have in common is that information technology is used as the means of damaging the company. To ensure information security, an audit must be conducted, and on the basis of its results a set of the necessary organizational, software and technical measures is developed.
Information security threats
Hacker attacks are viewed internationally as part of a single global threat associated with the digitalization of society. Even small companies are not immune from external attacks, especially if they are suppliers or contractors of large corporations and handle data in their activities that may interest cybercriminals. Online stores and small Internet service providers are likewise not immune to DDoS attacks, which can completely saturate communication channels and make the service inaccessible to customers.
Among the current external threats to information security:
- theft of confidential information by hacking an information system or connecting to poorly protected communication channels. DLP systems give the best protection against information leaks, but not all small and medium-sized businesses can afford to use them to their full extent;
- theft of personal data by employees using their own authentication credentials, and its transfer to intermediaries on the black market for information. This type of threat is most typical of banks and service-sector organizations that process large amounts of customer information;
- theft of trade secrets by insiders at the request of competitors; most often it is the organization's customer databases that are stolen;
- DDoS attacks aimed at disrupting communication channels. They make the company's website inaccessible, which is critical for an organization that sells goods or provides services on the Internet;
- viral infections. Recently the most dangerous have been ransomware viruses, which make information in the system inaccessible and unlock it only for a ransom. To avoid being traced, the attackers sometimes demand payment in cryptocurrencies;
- website defacement. In this type of attack the home page of the resource is replaced with other content, sometimes containing offensive texts;
- phishing. This method of computer crime relies on an attacker sending an email from an address that looks identical to one the recipient normally corresponds with, prompting the recipient to visit the attacker's page and enter a password and other confidential data, which are then stolen;
- spam that clogs incoming communication channels and interferes with tracking important correspondence;
- social engineering techniques that induce company employees to transfer resources to an experienced fraudster;
- loss of data due to hardware failures, equipment malfunctions, accidents and natural disasters.
The general list of threats remains unchanged, while the technical means of carrying them out are constantly being improved. Vulnerabilities in standard components of information systems (operating systems, communication protocols) are not always eliminated quickly; Windows XP problems, for example, were fixed by updates released only two years after they became known. Hackers waste no time: they respond promptly to every update and constantly probe the level of security of enterprise information systems with monitoring tools.

A feature of the current situation on the computer security market is that attack tooling has become so automated that even schoolchildren can use it. For a small payment, sometimes not exceeding $10, for a subscription to a "vulnerability testing" service, a DDoS attack can be organized against any site hosted on a small server with a modest communication channel, denying clients access to it in a matter of minutes. IoT devices such as refrigerators, coffee makers and IP cameras are increasingly recruited into botnets. They are actively involved in attacks because the manufacturers of their control software, to save money, built in no protection against hijacking of control.
No less dangerous are the information security threats posed by company employees who are interested not in stealing information but in manipulating it. A separate risk is a violation of the integrity of information in databases that facilitates theft of the organization's material assets. An example is raising the recorded storage temperature of fuel: at a higher temperature its volume in the tanks increases, so the safety sensors will not notice a small amount being pumped out. Such a change requires unauthorized access to the communication channels of the devices that control the temperature setting in the storage facility.
Ensuring information security of enterprises
The task of ensuring enterprise information security is addressed either in-house or with the involvement of external experts. An audit must be conducted and a system of organizational and technical measures, both general and special, introduced that together ensure a high standard of information security for the enterprise. Building the system starts with an audit, on whose results the protection system is based.
The scope of the audit depends on the size of the company and the value of the information being processed. For small and medium-sized businesses the audit can be carried out in-house; for a complex distributed system with several control loops that processes highly sensitive data, professional organizations specializing in outsourced information security services should be engaged for the audit.
At the basic level of auditing, you need to find out:
- whether computers are accessible to anyone other than employees of the given department, and whether the access system is implemented with electronic passes that record the time an employee spends in the room;
- whether removable media can be connected to workstations, i.e. whether there is a physical possibility of copying data to removable devices;
- what software is installed on the workstations of the information system, whether it is licensed, whether updates are applied regularly, and whether known shortcomings of the installed software facilitate access to data from the outside;
- how the operating system is configured, and whether the standard resources for ensuring enterprise information security are in use: antivirus, firewalls, user action logs, access control;
- how the system of differentiating access rights is implemented, whether the principle of granting the minimum necessary rights is applied, and who makes changes to access rights and how;
- how the authentication and identification system is implemented, whether a two-factor model is applied, and whether employees are held responsible for handing over logins and passwords to other employees;
- how the password system is implemented, how often passwords are changed, and how the system reacts to repeated entry of an incorrect password;
- whether the necessary package of organizational and administrative documents related to information security has been adopted.
For a small business, answering these questions will help you identify the most obvious enterprise information security vulnerabilities and focus efforts on fixing them.
There are situations where the threats are more serious than insider actions or random, unpredictable hacker attacks, for example when a company:
- operates in a highly competitive market;
- participates in the development of scientific or information technologies;
- processes large amounts of personal data.
In these cases a simple audit of access and software will not solve the problem. The information system needs to be investigated at a deeper level, identifying:
- whether the system has vulnerabilities exploitable for external intrusion, using paid or free vulnerability scanners;
- whether highly confidential information is processed in separate segments of the information system, and whether firewalls are installed at the zone boundaries;
- whether secure communication protocols are used when employees working remotely transfer information;
- how user actions on objects containing confidential information are recorded;
- whether differentiated access to data is implemented, by what method, and whether a multilevel access system exists.
If the company is the operator of personal data, during the audit, it is additionally necessary to identify:
- how scrupulously the requirements of the law "On personal data" are implemented;
- whether organizational measures provided for by the law and recommendations of the FSTEC RF have been implemented;
- whether the required certified software is being used.
Answering audit questions will provide a basis for developing an enterprise information security system, taking into account relevant threats.
Stages of security system implementation
Understanding the current state of the information system and the category of the information resources it holds provides the basis for a strategy for modernizing it and bringing it into line with modern security requirements.
The work must be carried out according to the following algorithm:
- description of all infrastructure and software objects in the architecture of the information network, identifying their key characteristics;
- development of requirements for the optimal configuration of the information system, taking into account time, human and budgetary constraints;
- development of a package of organizational and administrative documentation, familiarizing employees with it, teaching them the basics of information security;
- introduction of technical and software measures designed to prevent information security incidents and to enable a more effective response to them.
Most stages of the work can be performed by the company's own personnel, with consultants brought in for particularly difficult areas. The entire process should be led by a senior manager with a stake in the successful implementation of the enterprise information security strategy.
Organizational measures applied to ensure the information security of an enterprise are divided into three groups:
- of a generally binding nature;
- protecting personal data;
- protecting individual information objects or processes.
In each category they are divided into two groups - documents and actions, and in each protection sector, both groups of measures are needed.
General organizational arrangements
An enterprise's information security begins with the adoption of a unified policy or methodology for ensuring data protection. The policy should contain the following sections:
- general principles of information protection, threats and security objectives;
- gradation of information according to the degree of importance for the company;
- conditions of access to data, principles of access control;
- rules for working with computer equipment and removable media;
- responsibility for violation of the requirements of the document.
The document is adopted at the level of senior management and is accompanied by policies and methodologies that define the narrower tasks of information security in the enterprise.
Trade secret regime
The civil legislation of the Russian Federation introduces the concept of a commercial secret as an information asset protected by the state. Its intentional or unintentional disclosure, causing damage to the company, is the basis for a civil claim for damages. If the damage is really serious, the case may lead to criminal prosecution. But in order to bring the guilty employee to justice, you will have to take several steps related to the organizational part of the information security system at the enterprise:
- introduce a trade secret regime by issuing a corresponding order;
- compile a list of the information classified as confidential. Many companies make the mistake of classifying as trade secrets every type of document and information that security personnel can think of. This makes a mockery of the data protection regime: it is impossible to create protection of the proper level for all files and documents, and every removal of a document from the office, for example to a tax office or a meeting with a counterparty, that is not reflected in the ledger of trade-secret media becomes a violation of the regime. The list should be clear and specific; this simplifies the control mechanism and makes it workable;
- introduce a mechanism for controlling the movement of documents containing commercial secrets: confidentiality stamps and a register of document movements;
- familiarize all employees, against signature, with the order on the confidentiality regime and the list of documents (Regulation on the protection of commercial secrets);
- introduce into employment contracts a clause on liability for disclosure of commercial secrets.
Following these steps will help protect your confidential data to the required degree.
The introduction of software and hardware information security tools is inevitable; many organizations use them without realizing it. To choose the most effective types of protection for a particular organization, the following must be determined:
- which types of information need protection, and in which network segments and databases they are stored. In a company's activities the most important information includes corporate bank card and account data, personal data, business secrets and customer databases, which are most often the target of intentional theft;
- which devices make up the network infrastructure and which devices connect to it remotely, and who grants permission to connect and on what basis;
- what software needs to be replaced or updated, and what additional security modules need to be installed;
- how administrator accounts are protected, and whether another person could use them by guessing passwords or otherwise;
- whether files or traffic need to be encrypted, and what means are used for this;
- whether the anti-virus programs, e-mail filtering programs and firewalls meet modern security requirements;
- how employees' access to the Internet is regulated, whether special permission is required, and which sites are blocked and on what basis.
Next comes the stage of selecting software that will build the enterprise information security system to an effective level:
- antivirus protection. If the company is an operator of personal data, the software product must be certified by the FSTEC RF. If there is no such requirement, a convenient or popular product can be chosen. For example, Roskachestvo in its review found that ESET Internet Security was the most successful at fighting viruses, while the antivirus built into Windows came only 17th;
- firewalls. Here it is advisable to focus on software products approved by the FSTEC RF;
- e-mail filtering tools that protect employees' mailboxes from spam and viruses;
- the Enhanced Mitigation Experience Toolkit (EMET) installed on Windows computers is useful for protecting against exploitation of software vulnerabilities (Microsoft ended EMET support in 2018; its mitigations are now part of Windows' built-in Exploit Protection);
- means of cryptographic protection. Depending on the level of data confidentiality, either publicly available products or cryptographic information protection tools approved by the FSB of the Russian Federation are used;
- infrastructure health monitoring tools. Free or licensed products can be chosen; the main thing is to ensure that vulnerability monitoring is continuous. If a decision is made to buy a higher-level product, attention should be paid to SIEM systems, which are designed to identify information security incidents and organize the response to them;
- means of combating information leaks. A set of measures can be implemented to prevent leaks at all levels. A DLP system can be configured to block any attempt to move confidential information out of the protected perimeter.
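As an added example (not code from the original article, nor from any product it names), the following Python script shows what one of these monitoring rules looks like in practice. It serves two points made above: the audit question of how the system reacts to repeated entry of an incorrect password, and the SIEM task of identifying an incident from raw events. It goes slightly beyond the text by also catching password spraying, where one source tries a few passwords against many accounts and so never trips a per-account counter. The log lines, user names, addresses, thresholds and the line format are all constructed assumptions for this demo.

```python
"""Minimal SIEM-style correlation rules for authentication events.

Added example, not code from the original article. It reads constructed,
syslog-like authentication lines (the line format is an assumption made for
this demo) and raises three kinds of incident:
  * password_guessing   - >= THRESHOLD failures for one (source, user) pair
                          inside a sliding WINDOW;
  * success_after_burst - a successful login for a pair that has just been
                          flagged, i.e. the guessing may have worked;
  * password_spraying   - >= SPRAY_USERS distinct users failing from one
                          source inside WINDOW (one or two tries per user,
                          so the per-user rule alone would not see it).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                  # failures per (src, user) before alerting
SPRAY_USERS = 3                # distinct users per src before alerting
WINDOW = timedelta(seconds=60)

# Constructed sample log; not captured from any real system.
SAMPLE_LOG = """\
2024-03-01T09:00:01 auth FAIL user=ivanov src=10.0.0.5
2024-03-01T09:00:03 auth FAIL user=ivanov src=10.0.0.5
2024-03-01T09:00:04 auth FAIL user=ivanov src=10.0.0.5
2024-03-01T09:00:06 auth FAIL user=ivanov src=10.0.0.5
2024-03-01T09:00:07 auth FAIL user=ivanov src=10.0.0.5
2024-03-01T09:00:09 auth OK   user=ivanov src=10.0.0.5
2024-03-01T09:05:00 auth FAIL user=petrov src=10.0.0.7
2024-03-01T09:20:00 auth FAIL user=petrov src=10.0.0.7
2024-03-01T09:35:00 auth FAIL user=petrov src=10.0.0.7
2024-03-01T10:00:00 auth FAIL user=sidorov src=10.0.0.9
2024-03-01T10:00:05 auth FAIL user=kuznetsov src=10.0.0.9
2024-03-01T10:00:10 auth FAIL user=smirnov src=10.0.0.9
"""


def parse_line(line):
    """Split 'TS auth RESULT user=U src=S' into a dict."""
    ts, _, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "result": result,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def _prune(q, now, window):
    """Drop queue entries older than the window; entry[0] is the timestamp."""
    while q and now - q[0][0] > window:
        q.popleft()


def detect_incidents(log_text, threshold=THRESHOLD, spray_users=SPRAY_USERS,
                     window=WINDOW):
    per_pair = defaultdict(deque)   # (src, user) -> deque of (ts,)
    per_src = defaultdict(deque)    # src -> deque of (ts, user)
    pair_alerted, src_alerted = set(), set()
    incidents = []

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        key = (ev["src"], ev["user"])
        pq = per_pair[key]

        if ev["result"] == "FAIL":
            pq.append((ev["ts"],))
            _prune(pq, ev["ts"], window)
            if len(pq) >= threshold and key not in pair_alerted:
                pair_alerted.add(key)
                incidents.append({"type": "password_guessing", "src": ev["src"],
                                  "user": ev["user"], "count": len(pq),
                                  "first": pq[0][0], "last": ev["ts"]})

            sq = per_src[ev["src"]]
            sq.append((ev["ts"], ev["user"]))
            _prune(sq, ev["ts"], window)
            users = {u for _, u in sq}
            if len(users) >= spray_users and ev["src"] not in src_alerted:
                src_alerted.add(ev["src"])
                incidents.append({"type": "password_spraying", "src": ev["src"],
                                  "users": sorted(users), "last": ev["ts"]})
        else:
            # A success right after a flagged burst deserves its own incident:
            # the account may now be in the wrong hands and should be reviewed.
            if key in pair_alerted:
                incidents.append({"type": "success_after_burst", "src": ev["src"],
                                  "user": ev["user"], "at": ev["ts"]})
                pair_alerted.discard(key)
            pq.clear()
    return incidents


if __name__ == "__main__":
    for inc in detect_incidents(SAMPLE_LOG):
        print(inc)
```

Run on the sample, the script reports the five-failure burst against ivanov, the successful login that follows it, and the three-account spray from 10.0.0.9, while petrov's three failures spread over half an hour stay below the window and produce nothing. The sliding-window design is what keeps the rule from being fooled by slow guessing only if the window is chosen with the password policy in mind; a SIEM would pair this with the lockout counter the audit question asks about.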
One of the main risks for the information security of an enterprise is the failure to timely update software. There may be several reasons:
- inattention of system administrators;
- limited budget;
- long certification period for software used to protect personal data.
But untimely software updates create loopholes for hackers that can lead to information leaks. Where such risks exist, it is recommended to use the Microsoft Baseline Security Analyzer (MBSA) scanner to determine which Windows patches or updates are missing and which configuration changes are needed to improve security (Microsoft has since retired MBSA; the same role is now played by Windows Update and vulnerability scanners).
When checking which devices are connected, the following methods should be used:
- use the router (or wireless access controller) to check which devices are connected to the network;
- for larger networks, use a network scanner to find devices; experts recommend the popular Nmap program;
- enable logging of all events related to devices connecting to the network.
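The logging step only pays off if someone compares the log against an inventory of approved devices. As an added example (not code from the original article or from any router or scanner it names), the following Python script does that reconciliation. It parses constructed DHCP acknowledgement lines in a dnsmasq-like format (the format, the inventory, the MAC addresses and the hostnames are all assumptions for this demo), normalizes MAC addresses so that different vendors' spellings compare equal, and reports devices that are not in the inventory as well as inventoried devices that show up under a different hostname.

```python
"""Reconcile observed network connections against a device inventory.

Added example, not code from the original article. It parses constructed,
dnsmasq-style DHCP acknowledgement lines (the format is an assumption for
this demo), normalizes MAC addresses and reports:
  * unknown_device    - a MAC that is not in the inventory at all;
  * hostname_mismatch - an inventoried MAC presenting a different hostname
                        (re-imaged machine, or a cloned address).
"""
from datetime import datetime

# Constructed inventory: MAC -> expected hostname. Placeholder values only.
INVENTORY = {
    "aa:bb:cc:00:00:01": "acct-pc01",
    "aa:bb:cc:00:00:02": "acct-pc02",
}

# Constructed sample DHCP log; not captured from any real router.
SAMPLE_DHCP_LOG = """\
2024-03-01T08:55:10 dhcp DHCPACK ip=192.168.10.21 mac=AA:BB:CC:00:00:01 host=acct-pc01
2024-03-01T08:57:42 dhcp DHCPACK ip=192.168.10.22 mac=aa:bb:cc:00:00:02 host=acct-pc02
2024-03-01T12:03:05 dhcp DHCPACK ip=192.168.10.57 mac=de:ad:be:ef:00:01 host=android-7f3a
2024-03-01T13:10:00 dhcp DHCPACK ip=192.168.10.21 mac=aa:bb:cc:00:00:01 host=laptop-x1
"""


def normalize_mac(mac):
    """Lower-case, colon-separated form so 'AA-BB-..', 'aabb.cc..' and 'aa:bb:..' compare equal."""
    digits = mac.replace("-", ":").replace(".", "").lower()
    if ":" not in digits:  # 'aabbcc000001' -> 'aa:bb:cc:00:00:01'
        digits = ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    return digits


def parse_dhcp_line(line):
    """Split 'TS dhcp EVENT key=value ...' into a dict with a normalized MAC."""
    ts, _, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": datetime.fromisoformat(ts), "event": event,
            "ip": fields["ip"], "mac": normalize_mac(fields["mac"]),
            "host": fields.get("host", "")}


def audit_connections(log_text, inventory):
    """Return findings for devices that do not match the inventory."""
    inventory = {normalize_mac(m): h for m, h in inventory.items()}
    findings = []
    seen_unknown = set()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_dhcp_line(raw)
        if ev["event"] != "DHCPACK":
            continue  # only leases actually granted matter here
        expected = inventory.get(ev["mac"])
        if expected is None:
            if ev["mac"] not in seen_unknown:  # report each stranger once
                seen_unknown.add(ev["mac"])
                findings.append({"type": "unknown_device", "mac": ev["mac"],
                                 "ip": ev["ip"], "host": ev["host"], "at": ev["ts"]})
        elif ev["host"] != expected:
            findings.append({"type": "hostname_mismatch", "mac": ev["mac"],
                             "ip": ev["ip"], "expected": expected,
                             "seen": ev["host"], "at": ev["ts"]})
    return findings


if __name__ == "__main__":
    for f in audit_connections(SAMPLE_DHCP_LOG, INVENTORY):
        print(f)
```

On the sample data the script flags the Android device that is not in the inventory and the accounting PC's MAC reappearing as "laptop-x1". A MAC address is trivially changeable, so a hostname mismatch on a known address is a prompt to check the physical device, not proof of anything; the point of the check is to turn a connection log into a short list of things worth looking at.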
Implementing these simple recommendations will bring enterprise information security to a level that provides dependable protection and keeps incidents to a minimum.