The concept of information system security is familiar to most users. The relevance of building an information security system is confirmed by the constant growth of hacker attacks: attacks on banks, corporate networks and the computers of private users. Even IoT devices carry the risk of unauthorized access. All this demands special attention to the design of security systems.
Legal regulation of information security
In Russia, the main tasks of information security are set out in the Information Security Concept, adopted as a unified state strategy for countering the main types of threats. The document, prepared at the level of the Security Council of the Russian Federation, serves as the basis for developing new laws and by-laws. It does not regulate the activities of companies in the field of information security. If the work of a public or private organization involves information assets whose protection is provided for by state policy, for example personal data, then the information security requirements and the choice of hardware, software and organizational protection measures are established by the recommendations and regulations of the regulators, FSTEC RF and FSB RF. For banks and organizations of the financial sector, additional requirements are developed by the Central Bank.
Types of cybersecurity threats
Information security at any level involves the implementation of three components:
- confidentiality of information or its inaccessibility to third parties;
- integrity or absence of distortion or substitution;
- availability or constant ability for the user to have access to the data he needs.
Hackers may be interested in destroying any of these components, depending on the goals, which will be different for the organizer of business espionage, an attacker stealing bank card numbers, and a foreign state that has set itself the goal of disorganizing the enemy's control system using information technologies.
The threat model is also ranked by network level. The Information Security Concept describes the main types of threats facing the state and, therefore, society and business. These are:
- the activities of foreign technical intelligence services capable of undermining the security of the state;
- international terrorism encroaching on information systems at different levels;
- the weakness of national human resources for protecting information systems and software.
The document offers a complete system of protection against top-level risks.
At the private level, the types of threats are more specific. Various studies name the following systemic problems of information systems security:
- manipulation of access to the internal information space;
- stealing information from corporate networks and databases;
- change of information, forgery of documents in electronic form;
- industrial espionage;
- theft of funds from bank accounts;
- viral threats.
Software vulnerabilities and the presence of undeclared capabilities make it possible to break into databases by a variety of methods. At the national level, increasing priority is given to Russian software that is developed taking current threats and regulatory documents into account.
Information security components
A company wishing to build an effective information security system must take into account the increasing degree of risk. The level of technology aimed at committing violations in the field of information security is constantly growing, while the qualifications required of the perpetrators are falling. Today a botnet organizing DDoS attacks can take down an information system that is not at the highest level of protection, and its use is available to a student. Risks are becoming massive rather than isolated: any online store whose products a buyer dislikes runs the risk of becoming the victim of an attack.
A company wishing to implement a holistic concept of information systems security must use at least three levels of protection:
- administrative, involving the adoption of local company regulations governing the general approach to the task, for example, naming the responsible department or approving budgets and strategies;
- organizational, on which methods are adopted that determine particular tasks, for example, a list of persons with different levels of access to data;
- technical, where software and hardware solutions are made and implemented.
By implementing these measures, the organization achieves the following goals:
- protection of intellectual property and commercial secrets of the company;
- compliance with the requirements of the legislation on the security of personal data;
- protection of company information resources;
- effective use of the organization's resources for solving problems of information systems security.
Saving resources is becoming a key challenge for the company. For example, Russian Railways can afford to create its own communications network, an intranet, whose level of security removes most of the risks. A small organization uses the Internet exclusively, bearing all the consequences of the insecurity of public-access systems.
Building an information security system
When building a working structure for the security of information systems, an organization must start with a plan that will help optimize and systematize the selected measures and tools. The basis for its construction is the answers to the following questions:
- whether protection beyond standard means is necessary at all, and which information assets should be protected;
- whom to protect against, and who is most interested in breaking the security system;
- what types of threats to protect against;
- how to protect, by what means and technologies, and whether software certified for specific purposes is required;
- what measures and human resources will ensure the effectiveness of protection;
- what financial resources are needed for the design, implementation, operation, maintenance, updating and further development of the protection systems.
Is it necessary to defend and what to defend
In simple situations, for small companies, the problem of information system security is solved by the standard security tools built into operating systems: firewalls, antivirus software, e-mail filtering programs. But a research institute will be interested in keeping its archives safe from unauthorized access, a medical institution needs to ensure the protection of its clients' personal data, and an Internet service provider is concerned with the constant availability of its servers. Each organization prepares its threat model based on which of its information resources an attacker is interested in.
The second step is to decide what types of threats to protect against. It is necessary to propose measures that can:
- remove the risk of disrupting the functioning of the information space by eliminating impacts on information systems;
- provide protection against unauthorized access to information by detecting and stopping attempts to use the resources of the information space that lead to a violation of its integrity;
- protect the built-in protection means from destruction, while retaining the possibility of proving unauthorized actions of users and service personnel;
- build a protection scheme against the introduction of viruses and backdoors (undeclared capabilities) into software products and hardware.
Who needs to be protected from
The threat model will be individual in each case. According to IT professionals in most organizations, the main threat comes from hackers, that is, external attackers. Indeed, most recorded incidents stem from information systems being attacked from external resources. Yet such risks threaten not only the confidentiality of information; they occur rarely and with the clearly defined goals of publicity and of demonstrating the capabilities of hacker groups. A bigger threat is that external attackers attack the management systems of enterprises, housing and communal services organizations and the websites of government agencies in order to destabilize management systems. External threats are typical for the banking sector, where attempts are made to steal money from citizens' accounts. Mass virus attacks are also external in nature, and their goal is to extort funds for unblocking a resource whose availability has been lost. For security purposes, any information system must have one or more built-in protection modules against threats of this kind.
But from the point of view of the theft of internal corporate information or processed personal data, employees are much more dangerous. In 70-80% of cases, studies show, leaks are organized by company employees. There are several psychological types of offenders:
- employees who are dissatisfied with the organization or management and want to harm its interests;
- employees who are financially interested in providing information to competitors, usually managers of different levels;
- employees who have access to personal data or other information that is of value on the dark web, motivated by a financial offer from intermediaries;
- employees who do not think about the illegality of their actions, who transfer data to friends or acquaintances at their request, sometimes without financial motivation.
In many cases, the opportunity to organize a leak remains with an employee even after dismissal, if he has managed to retain remote access to the corporate system. Information security staff often underestimate this degree of risk. The greatest danger is posed by IT personnel, who have access to all accounts and databases and are able not only to steal information but also to hide the traces of their illegal steps in the system. Even if auditing of user actions is configured, most software products make it possible to erase one's traces in the logs.
The degree of risk cannot be assessed in financial terms, since most companies and banks, needing to preserve their business reputation, keep data on the theft of valuable customer-related information secret. Most often, such incidents come to light by accident. In the United States, the loss of customer data can lead to multimillion-dollar fines for the company, which is an additional reason for silence. The loss of confidential data indicates that the company devoted little time or money to work with personnel, allowed passwords to go unchanged or allowed unauthorized access to other people's accounts, which means that it does not care enough about its customers.
Often, standard means of ensuring the security of information systems do not make it possible to delimit, at the software level, access to data of varying degrees of confidentiality. This risk emerged when Windows XP first entered the market with support for Universal Serial Bus (USB) technology. After the vulnerability was identified, the Service Pack 2 update for Windows XP, offered to users with many security improvements, was still unable to offer means of restricting access to USB and FireWire ports. Likewise, the standard system for auditing user actions built into Windows does not allow effective searches for operations performed by users, and does not exclude the risk that data from the activity logs will be deleted by system administrators.
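The risk just described, that an administrator who controls the host can delete or rewrite entries in the activity log, is usually addressed by forwarding the log off-host and making it tamper-evident. The following Python example is added here and is not taken from the article or from any product it mentions. It hash-chains audit records so that a removed, reordered or edited entry breaks the chain, and uses a head hash stored outside the host (the "anchor") to catch truncation of the newest entries, which an internally consistent chain alone cannot reveal. It also includes the per-user search the text says the built-in log lacks. The events, user names and targets in it are constructed for the example.

```python
import copy
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # stands in for the hash of the entry before the first one


def _digest(prev_hash: str, record: Dict) -> str:
    """Hash of one entry: covers the previous hash and the canonical JSON of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{payload}".encode("utf-8")).hexdigest()


def append_event(chain: List[Dict], record: Dict) -> str:
    """Append a record; returns the new head hash, which should be copied off-host (the anchor)."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry_hash = _digest(prev, record)
    chain.append({"prev": prev, "record": record, "hash": entry_hash})
    return entry_hash


def verify_chain(chain: List[Dict], anchor: Optional[str] = None) -> Tuple[bool, str]:
    """Walk the chain; any removed, reordered or edited entry breaks it.
    Removing entries from the tail leaves the chain internally consistent, so
    truncation can only be caught against an anchor stored outside the host."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:
            return False, f"chain break before entry {i} (entry removed or reordered)"
        if _digest(prev, entry["record"]) != entry["hash"]:
            return False, f"entry {i} modified"
        prev = entry["hash"]
    if anchor is not None and prev != anchor:
        return False, "chain truncated: head hash does not match the stored anchor"
    return True, "ok"


def events_by_user(chain: List[Dict], user: str) -> List[Dict]:
    """The search the text says the built-in log lacks: all operations of one user."""
    return [e["record"] for e in chain if e["record"].get("user") == user]


# Constructed sample events; the users, actions and targets are invented for the example.
SAMPLE_EVENTS = [
    {"ts": "2024-01-15T09:02:11", "user": "ivanov", "action": "login", "target": "hr-db"},
    {"ts": "2024-01-15T09:05:43", "user": "admin1", "action": "export", "target": "clients.csv"},
    {"ts": "2024-01-15T09:06:10", "user": "admin1", "action": "clear_log", "target": "security.evtx"},
]


def build_sample_chain() -> Tuple[List[Dict], str]:
    chain: List[Dict] = []
    anchor = GENESIS
    for ev in SAMPLE_EVENTS:
        anchor = append_event(chain, ev)
    return chain, anchor


def tamper_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Run verification against the intact chain and three kinds of tampering."""
    chain, anchor = build_sample_chain()
    results = {"intact": verify_chain(chain, anchor)}
    # an administrator deletes the entry that records the export
    deleted = copy.deepcopy(chain)
    del deleted[1]
    results["entry_deleted"] = verify_chain(deleted, anchor)
    # an administrator rewrites the user name in an entry
    edited = copy.deepcopy(chain)
    edited[1]["record"]["user"] = "ivanov"
    results["entry_edited"] = verify_chain(edited, anchor)
    # the newest entry is cut off: only the off-host anchor reveals it
    truncated = copy.deepcopy(chain[:-1])
    results["truncated_no_anchor"] = verify_chain(truncated)
    results["truncated_with_anchor"] = verify_chain(truncated, anchor)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in tamper_scenarios().items():
        print(f"{name:22s} {'OK ' if ok else 'FAIL'} {reason}")
```

The design point is the anchor: a chain that lives only on the host it protects can always be rebuilt by whoever administers that host, so the head hash (or the whole chain) must be shipped to a system the local administrators do not control, such as a central log collector.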
These situations lead to the need to develop a security structure that is individual for each organization and takes into account the risks stated in the threat model. There is a need to purchase more sophisticated security products than those built into operating systems. Often the solution for removing insider risks is the installation of a DLP system, which comprehensively addresses the problem of data leaks by staff.
What to defend against in terms of external threats
When developing the architecture of the information security system, it is necessary to provide protection methods that minimize the risks of the most common problems - viruses and spam. This task is solved by installing:
- firewalls;
- antivirus software;
- e-mail filtering programs.
But if a user unintentionally opens an attachment containing a virus, sent by mail from a friend or from someone whose address merely seems familiar, the virus or Trojan horse can undermine the security of the entire information system. Therefore, the main tasks will be the education and training of users and the installation of software tools that provide protection against unintentional errors.
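An e-mail filtering program of the kind listed above has to decide about an attachment before the user does. The Python example below is added here and is not code from the article; it shows a minimal attachment policy that blocks executable file types, blocks content that starts with a Windows executable header whatever the file is called, quarantines files whose content does not match their extension, and quarantines Office documents that carry VBA macros (detected as vbaProject.bin inside the OOXML zip). The sample attachments, including the macro-bearing document, are constructed in memory for the example and are not real files.

```python
import io
import zipfile
from typing import Dict, Tuple

# File types that are executed rather than opened; blocked outright.
BLOCKED_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "ps1", "vbs", "js", "jse", "wsf", "hta", "jar", "lnk", "msi",
}
# Expected leading bytes for common document and image types.
EXPECTED_MAGIC = {
    "pdf": b"%PDF",
    "png": b"\x89PNG",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "zip": b"PK\x03\x04",
    "docx": b"PK\x03\x04",
    "xlsx": b"PK\x03\x04",
    "pptx": b"PK\x03\x04",
}
OOXML_EXTENSIONS = {"docx", "docm", "xlsx", "xlsm", "pptx", "pptm"}


def _extension(filename: str) -> str:
    name = filename.strip().lower()
    return name.rsplit(".", 1)[1] if "." in name else ""


def _contains_vba(data: bytes) -> bool:
    """OOXML files are zip archives; a VBA project is stored as vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return any(n.lower().endswith("vbaproject.bin") for n in archive.namelist())
    except zipfile.BadZipFile:
        return False


def inspect_attachment(filename: str, data: bytes) -> Tuple[str, str]:
    """Return ("allow" | "quarantine" | "block", reason) for one attachment."""
    ext = _extension(filename)
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"executable attachment type .{ext}"
    if data.startswith(b"MZ"):
        return "block", f"Windows executable content with extension .{ext or '(none)'}"
    expected = EXPECTED_MAGIC.get(ext)
    if expected is not None and not data.startswith(expected):
        return "quarantine", f"content does not match the .{ext} extension"
    if ext in OOXML_EXTENSIONS and _contains_vba(data):
        return "quarantine", "Office document contains VBA macros"
    return "allow", "passed checks"


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like archive (not a real Word file) for the example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            archive.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")
    return buf.getvalue()


# Constructed attachments; contents are stand-ins, not real files.
SAMPLES = {
    "invoice.pdf": b"%PDF-1.7\n%...\n",
    "invoice.pdf.exe": b"MZ\x90\x00",
    "scan.pdf": b"MZ\x90\x00",
    "photo.png": b"GIF89a",
    "contract.docx": build_sample_docx(with_macro=False),
    "contract_macro.docx": build_sample_docx(with_macro=True),
}


def scan_samples() -> Dict[str, Tuple[str, str]]:
    """Apply the policy to every constructed sample."""
    return {name: inspect_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in scan_samples().items():
        print(f"{name:22s} {verdict:10s} {reason}")
```

The checks are ordered so that the cheapest and most certain decisions come first; the content checks matter because the file name is entirely under the sender's control, while the leading bytes are what the recipient's software will actually act on.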
How to build a security system
Often, managers who are aware of the existence of threats follow the lead of IT departments and purchase popular software products without performance analysis. They do not analyze the actual compliance of the proposed software with the organization's objectives.
Building a sound strategy will help you select and implement software products that will match the real level of threats. This is most consistent with the tasks of economic security, since the costs will be consistent with the threats, and the company will not incur additional damage due to the inefficiency of the implemented software.
But choosing software isn't the only challenge. Without developing a system of organizational measures, the software will be useless. Not only based on the requirements of the regulator for the protection of personal data, but also based on the logic of data protection, it is necessary to determine:
- degree and group of protected information;
- persons responsible for its protection and having the right to access it.
In the future, defining these two groups will make it possible, already at the software level, to build a model of access differentiation that restricts the rights to work with data. Such a system is built first at the level of adopting a local normative act, then at the level of software decisions. But this is not enough. The company needs to adopt and develop such documents as:
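The two definitions above (the protection level of each group of information, and the persons responsible for it and admitted to it) map directly onto a software-level access model. The Python example below is added here and is not taken from the article; it is one way to encode that model. Assets carry a protection level, a responsible person and the groups allowed to work with them; users carry a clearance and group memberships; a decision requires both sufficient clearance and membership in an authorized group (need-to-know), export of data outside the perimeter is reserved to the responsible person, and disabled accounts (dismissed staff) are refused regardless. All names, groups and assets are invented for the example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, Tuple


class Level(IntEnum):
    """Degree of protection; a higher value is more restricted."""
    PUBLIC = 0
    INTERNAL = 1
    COMMERCIAL_SECRET = 2
    PERSONAL_DATA = 3


@dataclass(frozen=True)
class Asset:
    name: str
    level: Level
    responsible: str          # the person named responsible for this resource in the local act
    groups: FrozenSet[str]    # departments that have a right to work with it


@dataclass(frozen=True)
class User:
    login: str
    clearance: Level          # highest level this person is admitted to
    groups: FrozenSet[str]
    active: bool = True       # dismissed staff must be deactivated, not just forgotten


def decide(user: User, asset: Asset, action: str) -> Tuple[bool, str]:
    """Allow/deny with the reason, so that every decision can be logged."""
    if action not in ("read", "write", "export"):
        return False, f"unknown action '{action}'"
    if not user.active:
        return False, "account disabled"
    if user.clearance < asset.level:
        return False, f"clearance {user.clearance.name} is below {asset.level.name}"
    is_responsible = user.login == asset.responsible
    # Clearance alone is not enough above PUBLIC: the user must also belong to a
    # group that has a reason to work with this resource (need-to-know).
    if asset.level > Level.PUBLIC and not is_responsible and not (user.groups & asset.groups):
        return False, "not in a group authorized for this resource"
    if action == "export" and not is_responsible:
        return False, "moving the data outside the perimeter is reserved to the responsible person"
    return True, "allowed"


# Constructed registry; names, groups and assets are invented for the example.
ASSETS = {
    "price_list": Asset("price_list", Level.PUBLIC, "marketing_lead", frozenset({"marketing"})),
    "supplier_contracts": Asset("supplier_contracts", Level.COMMERCIAL_SECRET, "cfo",
                                frozenset({"finance", "legal"})),
    "employee_records": Asset("employee_records", Level.PERSONAL_DATA, "hr_lead", frozenset({"hr"})),
}
USERS = {
    "sales": User("sales", Level.INTERNAL, frozenset({"marketing"})),
    "accountant": User("accountant", Level.COMMERCIAL_SECRET, frozenset({"finance"})),
    "hr_clerk": User("hr_clerk", Level.PERSONAL_DATA, frozenset({"hr"})),
    "cfo": User("cfo", Level.PERSONAL_DATA, frozenset({"finance", "management"})),
    "ex_admin": User("ex_admin", Level.PERSONAL_DATA, frozenset({"it"}), active=False),
}


def access_matrix(action: str = "read") -> Dict[Tuple[str, str], bool]:
    """Who may perform `action` on what, as a (user, asset) -> allowed table."""
    return {(u, a): decide(USERS[u], ASSETS[a], action)[0] for u in USERS for a in ASSETS}


if __name__ == "__main__":
    for (u, a), ok in access_matrix("read").items():
        reason = decide(USERS[u], ASSETS[a], "read")[1]
        print(f"{u:10s} read {a:20s} {'allow' if ok else 'deny '} {reason}")
```

Note that the CFO, despite the highest clearance, is denied the personnel records: the group check is what turns a clearance hierarchy into the "list of persons with different levels of access" the organizational level is supposed to define.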
1. Security policy for working with information.
2. Rules for working with the Internet and external e-mail.
3. Rules for handling information carriers, the procedure for monitoring their use.
4. Rules for handling paper documents, their safety.
In some cases, it becomes necessary to control the use of copying systems, printers and copiers. In each of these cases, modern software solutions minimize the risk of information leakage on paper. For operators of personal data, it is important to prepare a personal data processing policy and post it in the public domain.
But purely technical solutions are not enough, it is necessary to introduce a working mechanism to bring the violator to justice. This requires:
- issue an order in the company on the introduction of a trade secret protection regime, familiarize employees with it;
- develop a list of information resources related to commercial secrets, including personal data;
- introduce into labor contracts with personnel a condition on responsibility for the safety of commercial secrets.
When implementing the legal mechanism for ensuring the security of information systems, any case of intentional or unintentional data leakage will be the basis for an official investigation or the involvement of law enforcement agencies. The perpetrator will not only incur disciplinary responsibility, up to and including dismissal, but will also be obliged to compensate for the damage caused, and in critical cases, he will even be held criminally liable. The conviction of staff that any employee will be punished for any attempt to steal information reduces the risk in most cases. And if employees know that all their actions within the company's information perimeter are monitored, the security level of the information system will increase further.
Technical means of protection
Personnel controls that can block any attempt to move data outside the organization, such as DLP systems, are an obvious solution, but not one available to all organizations. Nor can one be limited to them, especially where there is a risk of external attacks. Powerful hardware, such as routers, will be required, and it will reduce the cost of firewalls.
The software used to maintain security must comply with the requirements of FSTEC RF, and cryptographic information protection tools must comply with the recommendations of the FSB. Simple encryption of outgoing traffic removes the risk of data interception.
The entire concept of working with the security of information systems must comply with the requirements of regulators, and in some cases even exceed them, since sometimes the developed recommendations do not meet the growing level of threats.