Information security threat analysis
The development of information security systems begins with the creation of a threat model. For enterprises, risks depend on the scope of activity and the readiness of the information system to repel attacks. The model must be built taking into account the results of the analysis of information security threats and after classifying the types of violators.
Concept and sources of risks
A threat to information security is understood as a set of conditions and factors whose realization leads to a situation in which the information security of an organization is at risk. The result of risk realization is an event whose occurrence has economic or other unfavorable consequences for a person, an organization or the state. Damage to information can take one of three forms - leakage, modification or loss of availability. The consequences, however, are varied - from man-made accidents to loss of funds from card accounts or disclosure of compromising information.
In the process of analyzing information security threats, it is necessary to assess:
- the source of the risk;
- the risk zone;
- the hypothetical profile of the attacker;
- the probability that the risk is realized;
- the degree of damage if it is realized;
- the ratio between the cost of minimizing the risk and the loss caused if it is realized.
These positions can be analyzed by qualitative and quantitative methods.
Traditionally, international or national hacker groups are considered the main source of threats. In practice, however, the situation is different: more and more often criminal groups or foreign technical intelligence services come to the fore. Experts identify three groups of sources:
- anthropogenic (internal and external);
- man-made (technogenic);
- natural.
Anthropogenic sources of threats to information security are citizens or organizations whose accidental or intentional actions or inaction lead to the realization of information security risks; up to 95% of incidents can be associated with them. According to research, up to 80% of leaks are of internal (insider) origin.
While the risks initiated by employees are predictable and can be eliminated by obvious software and technical means, external sources are unpredictable; they include:
- criminal structures;
- unscrupulous suppliers and contractors;
- consulting, appraisal companies, other business structures providing outsourcing services;
- cloud service providers, since a hacker attack on their infrastructure is simultaneously an attack on their customers;
- inspection bodies, the Federal Tax Service (FTS) and law enforcement agencies.
The more qualified a specialist is and the higher his position in the organization's hierarchy, the more opportunities he has to inflict damage on the enterprise. Cases regularly appear in the media in which a top manager steals information entrusted to him, as happened in the conflict between Google and Uber, when Google's self-driving car developments were transferred to Uber.
Man-made threats are more difficult to predict but easier to prevent. They originate in technical means, both internal and external.
Internal technical sources:
- uncertified and unlicensed software;
- licensed software with flaws known to hackers or with undeclared capabilities;
- network monitoring tools with weak detection capabilities, and failure to respond promptly and accurately to their alerts;
- low-quality systems for monitoring premises and employees;
- faulty or low-quality equipment.
External technical sources:
- communication channels;
- engineering (utility) networks;
- Internet service providers and cloud technology providers.
To mitigate the risks associated with technical sources of threats, one should pay attention to the recommendations of the FSTEC and the FSB when choosing software and hardware.
It is convenient to use a SIEM system to monitor events in software and hardware sources. SearchInform SIEM processes the flow of events, identifies threats and collects the results in a single interface, which speeds up internal investigations.
Natural sources of threats are the least predictable; they include natural disasters and other force majeure circumstances.
When analyzing the risk zone, it is necessary to establish the object at which the hypothetical threat is directed. From a technical point of view, objects are information, equipment, programs, communication channels, control and monitoring systems.
The classic targets of cybercriminals are the security properties of information:
- confidentiality. This risk is realized with unauthorized access to data and their subsequent leak;
- integrity. As a result of the realization of the risk, data can be lost, modified, distorted, and decisions made on their basis, managerial or technical, will turn out to be incorrect;
- availability. Access to data and services is blocked or lost.
When determining the zone in which a threat would be realized, the importance and value of the data must additionally be assessed. This allows for a more accurate analysis of information security threats.
When analyzing risk areas, you must also take into account:
- the current scope of the information security control zone and the prospects for its expansion if the organization grows or new enterprises or areas of activity appear;
- the operating features of software and hardware tools and their compatibility, the prospects for the emergence of new threats and new regulatory requirements, and the directions in which the information technology market is developing;
- the emergence of zones of the information perimeter that lie outside protective measures;
- the unpredictability of attack points, their number and their growth;
- the peculiarities of managing complex, multi-object networks.
The factors of risk realization change over time, so their analysis should be repeated with the regularity established in the company.
Classification of offenders
It is impossible to analyze information security threats without an understanding of the types and roles of information security violators. In Russia there are two classifications of violators, proposed by the regulators - the FSTEC of the Russian Federation and the FSB. Combining the classifications produces an optimal model that takes most risks into account and helps develop a methodology for eliminating most threats. If a company works with cryptographic tools certified by the FSB of the Russian Federation, it will have to include in its threat model the characteristics of the violator proposed by that agency. In most cases, when protecting personal data or trade secrets and analyzing threats to the confidentiality of information, the FSTEC model will be exhaustive.
The agency classifies violators according to their potential (low, medium, high). Potential determines the set of capabilities and the hardware, software and intellectual means at the violator's disposal.
Most threats are generated by low-potential intruders. They are characterized by the ability to obtain resources for illegal access to information only from publicly available sources. These are insiders and hackers who use Internet resources to monitor the state of the system and distribute malware.
Offenders with medium potential are able to analyze application software code and website code, independently find errors and vulnerabilities in it, and use them to organize leaks. FSTEC places in this group hacker groups, competitors using illegal methods of information extraction, system administrators, and companies that develop software to order.
High potential is characterized by the ability to plant implants (hidden backdoors) in the software and hardware of the system, to organize scientific research aimed at deliberately creating vulnerabilities, and to use special means of penetrating information networks to extract information.
The agency believes that only foreign intelligence services can be classified as intruders with high potential. Practice adds to them the military departments of foreign countries, on whose orders hackers sometimes act.
The FSB classifies information security violators according to their capabilities and the increasing degree of threat:
1. Attacks on data can be carried out only outside the crypto-protection zone.
2. Attacks are organized without physical access to computer equipment (SVT), but within the crypto-protection zone, for example when data is transferred over communication channels.
3. Attacks are carried out with access to the SVT and within the operating area of the crypto-protection.
4. Violators have the capabilities listed above and can additionally enlist experts with experience in the analysis of line transmission signals and PEMIN (spurious electromagnetic radiation and interference).
5. Violators can also enlist specialists who are able to find and use undeclared capabilities (NDV) of application software.
6. Attackers work with experts who are able to find and use NDV in the hardware and software components of the environment in which the cryptographic protection tools operate.
Based on the assumed class of intruder, the class of cryptographic protection tools to be applied is selected; these tools are likewise classified by intruder level. When analyzing threats to information security and forming a threat model, the FSTEC and FSB parameters can be combined.
In most cases, a company is not threatened by attackers with high potential under the FSTEC classification or from groups 4 to 6 under the FSB classification. Therefore, the analysis is based on the low to medium potential of insiders or hackers. For state information systems, the level of risk will be higher.
Sometimes, when analyzing the likelihood of a threat, several further ways of categorizing threats to information confidentiality are needed:
- by the degree of impact on the information system (IS). When passive threats are realized, the architecture and content of the system do not change; when active threats are realized, they are partially destroyed or modified;
- by the nature of occurrence - natural and artificial. The former are extremely rare and the latter are the most likely, but the damage from the realization of the former is higher, often manifesting itself in the complete loss of data and equipment. Given their likelihood in, for example, earthquake-prone areas, such threats create the need for constant backups;
- unintentional and intentional.
It is advisable to rely on statistics showing the likelihood of a particular risk being realized.
Analysis of the likelihood of the threat and damage from its occurrence
In the first stages of the analysis, qualitative methods are used: research, comparison and reference to data collected by experts allow the real risks to the business to be assessed.
Quantitative methods of analysis help in situations where you need to determine:
- the likelihood of a threat of one type or another;
- the damage that can be caused to the company if the risk is realized.
To solve the first problem, statistics are required. The reports of companies providing information security services publish quarterly or semi-annual statistics on the risks that were realized most often in the past period and that are forecast for the future. These statistics are often broken down by industry. Such reports can also give figures for the damage caused to the economy, an industry or an individual enterprise when a threat is realized. These figures are far from always accurate; many companies withhold real data for fear of reputational risk. But even in truncated form, open figures help assess the real risk of a data leak.
In the event of a loss of availability of information, you can calculate the losses or lost profit and understand how much can be lost if information security measures are not taken in time. The analysis also helps to understand how cost-effective it is to apply more complex protection systems.
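The positions listed at the start of the article (source, zone, attacker, probability, damage, cost-to-loss ratio) and the quantitative step described here can be put together in a small threat register. The following is an added example, not code from the article or from SearchInform; it uses the common annual-expected-loss model (probability per year times damage per realization) and constructed sample figures, and decides for each threat whether the considered countermeasure pays for itself.

```python
# Added example (not from the original article): a minimal quantitative
# threat register. Each entry records what the article says a threat
# analysis must assess: source, risk zone (security property affected),
# assumed intruder potential, probability of realization per year and
# damage per realization. All figures are constructed, not statistics.
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    source: str            # anthropogenic / man-made / natural
    zone: str              # confidentiality / integrity / availability
    potential: str         # FSTEC intruder potential: low / medium / high
    probability: float     # expected realizations per year (from statistics)
    damage: float          # loss per realization, in monetary units
    control_cost: float    # yearly cost of the countermeasure considered
    residual_prob: float   # probability per year after the countermeasure


def expected_loss(t: Threat) -> float:
    """Annual expected loss = probability per year * damage per realization."""
    return t.probability * t.damage


def control_is_justified(t: Threat) -> bool:
    """The article's cost/loss ratio: a countermeasure pays off when the
    loss it averts per year exceeds what it costs per year."""
    averted = expected_loss(t) - t.residual_prob * t.damage
    return averted > t.control_cost


def rank_threats(register):
    """Order the register by annual expected loss, highest first."""
    return sorted(register, key=expected_loss, reverse=True)


# Constructed sample register (illustrative values only).
REGISTER = [
    Threat("insider copies customer database", "anthropogenic",
           "confidentiality", "low", 0.30, 400_000, 60_000, 0.05),
    Threat("ransomware via phishing", "anthropogenic",
           "availability", "medium", 0.20, 900_000, 120_000, 0.08),
    Threat("flood in server room", "natural",
           "availability", "n/a", 0.01, 2_000_000, 50_000, 0.001),
]

if __name__ == "__main__":
    for t in rank_threats(REGISTER):
        print(f"{t.name:35} E[loss]={expected_loss(t):>10,.0f} "
              f"mitigate={'yes' if control_is_justified(t) else 'no'}")
```

With these sample figures the ransomware threat ranks first by expected loss, yet only the insider countermeasure is justified, because the ransomware control costs more per year than the loss it averts.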
When analyzing information security threats, it is necessary to rely both on the recommendations of the regulators and on the real situation in the business or government organization. This keeps the research result relevant and avoids unnecessary or unplanned expenses. The budget spent on risk analysis pays for itself by reducing spending on hardware or software that would not be needed in practice.
You can check whether everything is in order with data protection in the company during the 30-day free test of SearchInform DLP.