Ensuring information security is becoming a key challenge for any organization that processes data of value to potential attackers. To build a sound security model for an information system (IS), it is necessary to identify all the conditions that make risks more or less likely.
Key factors affecting IS threat exposure
When creating its own data protection model, an organization must assess the objective phenomena that affect the degree of risk.
Factors are understood as events and phenomena of two categories:
- affecting the process of information processing in such a way that it may lead to a deterioration in its quality characteristics - confidentiality, integrity, availability;
- creating conditions that make the risks of theft or modification of information more or less likely.
A wide list of risks of the first category is established by GOST R 51275-99, which is devoted to data protection issues.
The standard offers the following risk classification:
- objective internal. These include the transmission of signals over unprotected communication lines; the presence of electromagnetic, acoustic or optical emissions that can be intercepted; and defects, faults and failures of equipment and software;
- objective external. These are technogenic phenomena, for example electromagnetic radiation that can corrupt information, failures of supporting systems, natural disasters, thermal hazards such as fires, and biological hazards such as microbes or rodents;
- subjective internal. These are the disclosure of information by persons entitled to access it, the transfer of data over open communication channels, its processing on unprotected technical means, publication of information in the media, copying it to an unregistered medium, loss of the medium, any unlawful actions with data (modification, copying), the use of hardware implants (backdoors), improperly organized information protection, incorrect configuration of control mechanisms, and personnel errors;
- subjective external. These are the organization of access to information by foreign or competitor intelligence services, the use of special means for external access to data, the actions of criminal groups, and sabotage.
The GOST list almost never forms the basis for building an organization's information security system on its own. Instead, organizations rely on a broader scheme for identifying the conditions that create risk.
In the local regulations of organizations - security policies - these include:
- the industry in which the organization operates;
- the initial degree of security of the information system and the complexity of its architecture;
- the value of the processed information;
- the type of hypothetical intruder;
- the degree of personnel training.
Assessing these parameters allows an organization to develop its own model of information security risk management. Identification of the threats relevant to a particular organization can be done by several methods:
- statistical observation. To apply this method, a large volume of statistical data on information security incidents in the same or similar sectors of the economy is required;
- expert judgment. Large information security companies can analyze the situation at a particular enterprise, relying on accumulated experience and using various methods of analysis;
- experiment. This method is available only to large corporations and government agencies: a digital model of the enterprise or facility is tested for resistance to attacks.
Most often, a combination of the first two methods is used.
Depending on which branch of the economy the organization operates in and on what principle its business is built, parameters that create an information security threat are determined. Some industries are at greater risk than others.
Maximum attention to information security issues should be paid to:
- personal data operators. Personal data is the most sought-after commodity on the black market for information, which means these operators are always in the crosshairs;
- banks and financial sector organizations. Attackers are interested in information about citizens' accounts and in the possibility of stealing other people's savings;
- companies working in innovation and information technology. Attackers take an interest in new developments so that countermeasures can be prepared in time. There are known cases of attackers remaining covertly present in developers' information systems for years, recording all of their findings and solutions;
- government organizations, damage to which earns attackers a reputation within their community;
- government electronic services and the companies that keep them running. Here the attacks aim to steal personal data or information about citizens' fines. For example, the information infrastructure of the Moscow government is attacked every 20 seconds;
- companies working on protection against hacker attacks. Their developments are in high demand, and their theft helps to compromise the systems of their customers;
- telecommunications enterprises. The temporary collapse of communication channels is a tool of cyber warfare;
- utilities and communal infrastructure operators (water utilities, nuclear power plants, etc.), where accidents can deprive entire areas of water and electricity.
Understanding the goals of attackers makes it possible to identify the conditions that create an information security threat and that must be eliminated first.
A comprehensive solution to information security problems is provided by a DLP system. SearchInform DLP controls the widest range of data transmission channels and gives the company's information security service a broad set of tools for internal investigations.
Security and system architecture
A separate issue is assessing the quality of information security for the information technologies in use. The result of such an assessment determines the readiness of the information system to repel external and internal attacks. FSTEC certification, which reveals undeclared capabilities, is not always a panacea: many problems are hidden in the standard operating systems in use, whose vulnerabilities are well known to attackers.
The GOST defines the factors in this class that create a threat to information security as follows:
- defects, faults and failures of software;
- information processing on unprotected servers and workstations, its transmission over unprotected communication lines;
- copying data to an unregistered storage medium;
- unauthorized connection to communication channels, technical means and information processing systems;
- use of defects in information processing facilities;
- the use of software implants (backdoors);
- the use of viruses.
A systematic approach is required to eliminate these events and actions that threaten information security and to configure the IS correctly.
Several standards allow you to assess the performance of the system as a whole and the quality of software configuration. The key one is ISO/IEC 15408, "Information Technology Security Evaluation Criteria" (the Common Criteria). Applying the standard's provisions provides working tools for assessing the security and performance of technologies. In effect, it is a set of catalogues containing security requirements and typical protection profiles. These solutions will not always save you from targeted attacks, but in 90% of cases they will protect you from external and internal risks. The standard contains 11 functional classes, 66 families and 135 information security components. They are familiar to many system administrators, but in practice only some of them are regularly implemented.
In a well-protected system, the following software mechanisms should be implemented:
- identification and authentication, often two-step;
- protection of user credentials from being taken over in order to log into the system under someone else's account;
- protection of the security functions themselves (the requirements concern the integrity and control of these security services and of the mechanisms that implement them);
- security management: managing security attributes and parameters, setting up security monitoring, and auditing management results, which means identifying, recording, storing and analyzing data related to system security, responding to information security incidents, and continuous monitoring;
- regulation of differentiated access to the system;
- privacy, protection of user data and operations;
- cryptographic protection;
- trusted communication paths and channels.
Each of these items has its own protection methods using specific hardware and software. Building an information infrastructure according to the standard raises the level of information security.
When working with solution providers and outsourcing organizations contracted to create a secure information system, the standard offers assurance criteria and evaluation procedures that help prevent information security risks from arising.
The work of developers and implementation engineers should additionally be checked at each stage of creating the system architecture:
- development is tested at every stage - from a brief specification to full implementation;
- life cycle support should be monitored from launch;
- commissioning testing is carried out with the participation of independent experts;
- delivery requires acceptance;
- the user manual is tested for clarity and completeness;
- additionally, the system is tested for compliance with security profiles.
When ordering software or IS development, meeting the requirements for monitoring the work of information service providers will help to avoid many mistakes. The expense of outsourced experts often pays for itself.
The value of data
The value of data is a separate issue. It is difficult to develop general criteria for assessing the cost of information and to determine the threshold beyond which the data enters the risk zone and its value becomes the key parameter that poses a threat to information security.
In any case, due to their unconditional value, the following are subject to substantial protection:
- state secret;
- banking secrecy;
- personal data of citizens;
- scientific developments of high importance;
- new information technologies;
- developments of startups with commercial potential. Such organizations, which have not yet accumulated significant resources, cannot build a reliable information security system, while many competitors target new, not yet patented technological solutions and are ready to steal and resell them.
In the work of an ordinary company that does not hold information of these classes, the value of information is determined by competitors' interest in it. A company operating in a saturated market must guard its business plans, marketing plans and customer databases more closely against theft and leaks. Information systems are often attacked when a company takes part in a public procurement tender. There are known cases of attempts to eliminate a competitor by bringing down its information system. Certain risks are recorded in the work of companies that install and maintain numerous Internet-connected devices, such as temperature sensors and video cameras, because these devices are increasingly used as bots in DDoS attacks.
In practice, the level of personnel training turns out to be the most significant factor that poses a threat to information security. The Doctrine of Information Security of Russia explicitly states that one of the threats to the country's information security is the small number of experienced personnel and the low level of education and training of new specialists.
At the same time, professionals are quickly snapped up by large domestic or foreign corporations, and small and medium-sized businesses are left with employees of low or medium skill, rarely able to build a high-quality security system even when guided by the FSTEC of Russia standards.
GOST directly names among the factors that worsen the quality of information security:
- improper organizational provision of information protection, meaning the rejection of organizational protection measures or their misapplication;
- incorrect development of information protection requirements, the wrong choice of software products, and inaccurate configuration of monitoring systems;
- non-compliance with the data protection requirements established by regulators (FSTEC, FSB, the Central Bank);
- incorrect organization of control over the effectiveness of data protection, including refusal to create an internal control function or to keep logs of user actions;
- mistakes by staff, administrators and companies that provide IT services on an outsourcing basis;
- errors in the use of hardware and software.
Beyond all the risks listed in the GOST that pose a threat to information security, there are additional ones. The desire to spend large budgets, to increase the department's importance and to focus on complex products instead of constantly monitoring the health of the system increases the likelihood of threats.
To minimize the impact of poor personnel training, it is necessary to conduct regular personnel audits and certification and, where needed, to organize additional training. The involvement of outsourcers in specific areas of work must comply with all security requirements, including the inclusion in contracts of a clause on the protection of commercial secrets with a high level of financial liability.
Fine-tuning the company's information security system, taking into account the influencing parameters and the degree of their significance, will minimize risks and rule out the possibility of damage to the organization. In practice, factor analysis is more complex than statistical analysis, but it helps to create a more reliable system of protection.