External threats to information security
How an organization deals with external threats to information security depends on its scope of activity. For most companies, internal threats from employees are much more serious than external ones, since they are carried out more easily and at lower financial cost. An external attack on a protected perimeter requires significant resources; competitors, criminal groups and hacker groups are often the source of such threats.
According to a PwC survey of the largest Russian companies, 45% of CEOs consider cyber threats to be one of the main problems hindering business development. The same study notes that the damage caused by cyber threats to the global economy exceeds $575 billion a year. At the same time, many cyber incidents remain hidden, since disclosing them damages business reputation, and in the United States and the European Union it also leads to multimillion-dollar fines from regulators, which can be imposed both for leaking customer data and for failing to disclose such a leak. The need to compensate clients for moral and material harm leads to additional costs.
Information crimes are always aimed at data, whether its manipulation, theft, alteration or destruction, but their consequences can differ:
- stopping production;
- theft of funds from accounts;
- disclosure of confidential information;
- undermining the business reputation.
Protection against cyber threats is always based on the protection of information of various levels - personal data, trade secrets, program code, user activity logs.
Information processed in the IS of organizations must meet three key requirements:
- confidentiality. Restricted data must not fall into the hands of third parties;
- integrity. Data must not be distorted, since distorted data leads to incorrect management decisions;
- availability. All data sets on a PC, website or server must be available to their owners at any time.
If any event or phenomenon can affect these characteristics, it is recognized as a threat to information security.
Threats are always directed at a specific object; these objects are:
- programs and applications;
- channels of connection;
- life-support systems;
- control algorithms.
External attackers carry out threats either on their own, using hardware or software implants to penetrate the system, or through intermediaries. The latter are often:
- customers and suppliers;
- organizations providing services to businesses;
- inspecting authorities.
Criminal groups often plant “their own” people in enterprises, which allows them to attack the system from both inside and outside.
The actors behind external threats are:
- hackers acting in their own or other people's interests;
- foreign intelligence;
- criminal groups.
According to PwC, at least 18% of external information security threats are related to the actions of suppliers and partners. This risk is especially relevant for companies in the retail sector: according to their executives, the share of external cyber incidents caused in this way reaches 45% of the total. When an external threat comes from foreign technical intelligence services acting on behalf of foreign states, the goals change. The targets of such attacks are often providers and suppliers whose know-how, created by order of the state or to meet customers' need for a higher level of information security, is of economic and political interest.
By industry, the risk of such attacks is distributed as follows:
- oil and gas industry (11%);
- aerospace and defense (9%);
- high technologies (9%);
- telecommunications (8%).
In addition to external threats carried out by organizations or individuals, there are sometimes dangers of a man-made or natural character, for example accidents at power supply companies or natural disasters. Organized crime groups target financial sector companies, personal data, copies of documents and medical information.
In terms of the likelihood that external IS threats will be realized, the greatest risk zone includes:
- state organizations;
- mass media;
- fuel and energy companies;
- the electric power industry and housing and communal services;
- financial sector companies;
- organizations that process personal data.
Classification of threats
Various classifications of threats can be found in regulatory documents. The most complete list of their sources is given in the GOST standards dedicated to information security. Another list of threats, with descriptions, is published on the website of FSTEC of Russia and is updated as new risks appear. Every 14 seconds a new program capable of damaging information arrays appears somewhere in the world, but what reaches the agency's website is not specific viruses or site-hacking tools but the general characteristics of the damage that can be done to an information system. The FSTEC classification of threats is utilitarian in nature: on its basis, recommendations are developed to protect IS at various levels, and software certification is carried out.
According to the agency, all threats are divided into groups characterized by the different capabilities of the attackers. Threats of low potential are realized by persons who can use only software and hardware tools obtained from open sources to break security systems. An attacker with medium potential can write malware himself or find vulnerabilities in security software and exploit them. The agency attributes high potential only to foreign technical intelligence services.
The site currently lists 87 threats that are realized by intruders with low potential. For example:
- misuse of computer facilities. In practice, information resources of companies are often used by hackers to mine cryptocurrencies;
- use of vulnerable software versions. For example, the hacking of industrial control systems by the Stuxnet virus in 2010;
- the introduction of malicious code into the software distribution;
- unauthorized modification of protected information, for example, replacing the home page of the website of a government organization with a proclamation;
- phishing, spam, email worms;
- covert inclusion of a computing device into a botnet;
- encryption of information on the server;
- “stealing” an account used to access network or cloud services;
- substitution of the content of network resources;
- theft of means of storing, processing and (or) input/output/transmission of information.
The listed threats are widespread, so the measures to combat them are detailed. FSTEC recommendations will help build a comprehensive protection system.
Offenders with medium potential may be responsible for 64 types of attacks, including:
- obtaining unauthorized access to applications installed on smart cards;
- unauthorized change of parameter values of programmable logic controllers;
- interception of control of a mobile device when using virtual voice assistants, which can lead to information leakage;
- hidden registration in the IS of third-party accounts with administrator privileges;
- interception of one-time passwords in real time;
- substitution of the subject of network access, due to which outsiders gain access to the information system;
- transmission of data through covert channels, organization of leaks not detected by monitoring systems;
- external control of a group of programs through shared data;
- unauthorized access to active and (or) passive virtual and (or) physical network equipment from the physical and (or) virtual network.
There are 12 external threats to information security that can be created by attackers with high potential.
Among the main threats from foreign technical intelligence services:
- a malicious program taking control of the list of applications running on a mobile device. This threat is relevant for remote work and distributed networks;
- remote use of privileged functions of a mobile device;
- interception of control of the automated control system of technological processes and disconnection of control sensors;
- interception of management of cloud resources;
- distortion of information displayed on peripheral devices.
Some of the types of threats identified by the agency can be generated by both external and internal sources. The threat of interception of control over smartphones and other devices that work with the mobile Internet is becoming more and more urgent.
Ways to fight
The system for combating external threats to information security is based on a set of software and technical solutions. Organizational measures in this case are ineffective.
Usually, the protection system is built in one of the following ways:
- creation of the company's own multi-level system of protection against cyber risks;
- assigning this task to outsourced experts.
Some companies use cyber risk insurance. In Russia, this service is not yet very widespread; it is offered by representative offices of foreign insurance companies. There is an opinion that the regulator needs to make such insurance a mandatory measure for companies from some sectors of the economy, for example, for owners of critical information infrastructure.
Host-based intrusion prevention systems (HIPS) are common among comprehensive software solutions for protecting against external threats to information security. When configured correctly, they bring the level of protection of the computer system close to 100%.
Experts recommend dividing the cost of protecting data from external information security threats into two parts: the first covers prevention of and protection against cyber incidents, the second covers detection and response.
Prevention costs are recommended to be distributed as follows:
- account protection - up to 20%;
- training of personnel in basic security requirements, training of employees of IT departments - up to 20%;
- monitoring of information security incidents and personnel behavior - up to 23%;
- creation of differentiated access based on a role model - 19%;
- control over user privileges - 18%.
The protection budget is spent as follows:
- creation of an encryption system for devices of employees working on remote access - 18%;
- means of combating unauthorized software changes - 19%;
- means of blocking unauthorized access - 20%;
- data loss prevention tools (DLP systems) - 25%;
- means of protection against the injection of malicious code - 18%.
To implement a system for detecting external threats to information security, it is proposed to spend money as follows:
- tools for detecting malicious programs on devices of remote employees - 22%;
- means of detecting unauthorized access attempts - 20%;
- vulnerability scanners - 20%;
- tools for monitoring data access and use - 20%;
- malware detection tools - 18%.
The response budget is recommended to be spent as follows:
- SIEM systems that detect information security incidents - 17%;
- active monitoring of the external environment and analysis of the data obtained - 22%;
- threat assessment - 20%;
- security event correlation systems - 21%;
- information security incident response - 20%.
By building on this model, you can avoid wasting your budget and install only the software solutions you really need. Up to 78% of company leaders consider investments in information security not only justified but also a source of added value. If the company is a personal data operator, the proposed ratio may change at the regulator's request. The budget allocation figures presented here are advisory and apply to corporate and office systems. For industrial production the ratio will differ, since industrial automated control systems (ACS) will need additional protection.
A systematic fight against external threats to information security should be based on a broad analysis of the external environment and the construction of IS in such a way that its components can be updated or replaced when the threat model changes without serious costs and slowing down the organization's business processes.