Internal threats to information security
Digitalization and automation of business processes are not just a trend but a necessity that increases the competitiveness of an enterprise. Moving information processing from paper to electronic databases created certain risks for the business, and eliminating them has become a business process in its own right. Internal information security threats are in most cases more dangerous than external ones, since they are carried out by the personnel who are often themselves responsible for data protection.
Risk Factor Identification Standards
An information security threat is understood as a factor, phenomenon or event, caused by objective or subjective reasons, that is capable of affecting the key properties of information: confidentiality, integrity and availability.
The classification of risks can be found in the guidance documents of FSTEC RF and in the GOST standards on information security. External threats traditionally mean hacker attacks and the activities of foreign intelligence services or criminal groups aimed at stealing information. Internal threats are a combination of technical and software errors and illegal actions by the company's own employees, that is, insiders.
The FSTEC RF website contains a directory of information security threats; it currently lists more than 200 types of risks. For each of them, a description, the source, the object of influence and the result of the threat are indicated.
The search filter allows you to identify risks that arise within the company's information perimeter. They are ranked by the level of the intruder's capabilities:
- threats posed by low-potential intruders. This level of capability assumes that the hypothetical intruder can only use hardware or software obtained from publicly available sources to access or destroy data;
- threats posed by medium-potential intruders. This level assumes experience in finding errors in program code and exploiting vulnerabilities;
- threats posed by high-potential intruders. These intruders are able to use special equipment and plant software implants (backdoors); the agency classes them as foreign technical intelligence.
There are just over 90 threats in the first category. Additionally, you can filter by the property of the information that is at risk: confidentiality, integrity or availability.
The most significant threats:
- use of unverified user data, identification difficulties;
- problems with authentication, reuse of authentication data already used to enter the network;
- loss of an external user's access to communication channels;
- use of vulnerable software versions;
- introduction of malicious code into a software distribution;
- physical obsolescence of hardware components;
- computer infection when visiting dangerous sites;
- unauthorized elevation of privileges to administrator level;
- loss of media;
- leakage of data processed in the cloud;
- tampering with event log entries;
- interception of information on peripheral devices;
- unauthorized change of settings of protection systems.
As you can see, there are many more threats stemming from incorrect software configuration than threats generated by users who want to obtain confidential information to pass to third parties or sell. Judicial practice shows that insiders usually copy unprotected data using their own accounts or the logins and passwords of colleagues. Often this is done at the request of operators on the shadow information market, who exploit weaknesses in the organization's human resources.
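The credential misuse described above leaves traces in ordinary audit logs. The following Python script is an added example, not part of the original article or of any FSTEC material: it runs over a constructed log (the record format, sequence numbers, user names and workstation names are all invented for the example) and flags three indicators of insider activity: an account logging on to a workstation assigned to another employee, an account with sessions open on two workstations at once (consistent with a colleague's login and password being used), and gaps in the event sequence numbers, the simplest sign of tampering with event log entries.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed record format for this example: one event per line.
# Real Windows Security or SIEM logs differ; only this regex would change.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) seq=(?P<seq>\d+) event=(?P<event>\w+) "
    r"user=(?P<user>\S+) host=(?P<host>\S+)$"
)

# Constructed sample log. ivanov is logged on at his own workstation WS-17
# when his account also appears on petrova's workstation WS-22, copies a
# file, and the records seq=106 and seq=107 are missing from the log.
SAMPLE_LOG = """\
2020-05-12T09:01:12 seq=101 event=logon user=ivanov host=WS-17
2020-05-12T09:02:40 seq=102 event=logon user=petrova host=WS-22
2020-05-12T09:05:03 seq=103 event=file_read user=ivanov host=WS-17
2020-05-12T10:15:00 seq=104 event=logon user=ivanov host=WS-22
2020-05-12T10:16:35 seq=105 event=file_copy user=ivanov host=WS-22
2020-05-12T10:20:00 seq=108 event=logoff user=ivanov host=WS-22
2020-05-12T18:00:00 seq=109 event=logoff user=ivanov host=WS-17
2020-05-12T18:01:00 seq=110 event=logoff user=petrova host=WS-22
"""

# Constructed asset inventory: which employee each workstation is assigned to.
WORKSTATION_OWNERS = {"WS-17": "ivanov", "WS-22": "petrova"}


def parse_log(text):
    """Parse the constructed log format into dicts, ordered by sequence number."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable record: {line!r}")
        rec = m.groupdict()
        rec["seq"] = int(rec["seq"])
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return sorted(records, key=lambda r: r["seq"])


def foreign_workstation_logons(records, owners):
    """Logons where the account is not the employee assigned to that workstation."""
    alerts = []
    for r in records:
        if r["event"] != "logon":
            continue
        owner = owners.get(r["host"])
        if owner is not None and owner != r["user"]:
            alerts.append((r["seq"], r["user"], r["host"], owner))
    return alerts


def concurrent_sessions(records):
    """Logons made while the same account still has a session open elsewhere."""
    active = defaultdict(set)  # user -> hosts with an open session
    alerts = []
    for r in records:
        user, host = r["user"], r["host"]
        if r["event"] == "logon":
            elsewhere = sorted(active[user] - {host})
            if elsewhere:
                alerts.append((r["seq"], user, host, elsewhere))
            active[user].add(host)
        elif r["event"] == "logoff":
            active[user].discard(host)
    return alerts


def sequence_gaps(records):
    """Pairs of consecutive records whose sequence numbers are not adjacent."""
    return [
        (prev["seq"], cur["seq"])
        for prev, cur in zip(records, records[1:])
        if cur["seq"] != prev["seq"] + 1
    ]


def analyze(text, owners):
    """Run all three checks and return the alerts grouped by indicator."""
    records = parse_log(text)
    return {
        "foreign_logons": foreign_workstation_logons(records, owners),
        "concurrent_sessions": concurrent_sessions(records),
        "sequence_gaps": sequence_gaps(records),
    }


if __name__ == "__main__":
    for name, alerts in analyze(SAMPLE_LOG, WORKSTATION_OWNERS).items():
        print(f"{name}: {alerts}")
```

On the sample, the script reports one foreign logon (ivanov's account on petrova's workstation at seq=104), one concurrent session (the same logon while WS-17 is still open) and one gap (105 to 108). A sequence gap alone does not prove tampering, since log rotation or a collector outage produces the same picture, so in practice the check is paired with write-once or forwarded log storage; the point of the example is that all three signals come from logs the organization already has.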
FSTEC identifies five categories of subjects of information security threats that arise within the organization, among its employees or counterparties:
- unprofessional system administrators who make mistakes out of ignorance or fail to solve routine tasks;
- system administrators turned cybercriminals, who deliberately use their knowledge to damage the enterprise and its protected information assets;
- inexperienced employees responsible for creating and configuring distributed network resources (remote workplaces, cloud storage, collaboration services);
- users not trained in information security rules, who can unknowingly damage the information system, for example by infecting it with viruses;
- malicious insiders.
Interestingly, the trends of the first half of 2020 show that uninformed and poorly trained employees are becoming the most vulnerable link in enterprise security.
PricewaterhouseCoopers researchers draw attention to a significant increase in cases of:
- theft of company data by social engineering (phishing, business email compromise, etc.);
- business disruption due to spam;
- exploitation by hackers of flaws and vulnerabilities in cloud technologies.
Personnel training, organized on a constant and systematic basis, will seriously reduce the risk of internal threats to the enterprise's information security. In parallel, the threat model must be kept up to date and technical and software measures used against cybercriminals.
When analyzing threats posed by attackers with medium potential, the picture changes slightly.
The agency has identified just over 50 types of threats in this category. Among the main ones are:
- hijacking of control of the information system;
- information leakage from workstations not connected to the Internet;
- aggregation of data processed on a mobile device;
- software substitution;
- inclusion in the information system of components whose testing was unreliable;
- external modification of files, causing their processing to fail;
- interception of information transmitted through covert channels;
- exploiting weaknesses in input encoding.
Many threats, such as hijacking of control of an information system, are complex in nature: they are realized by exploiting vulnerabilities in software code or weaknesses in data transfer protocols. Medium-potential criminals often target large companies holding knowledge so valuable that the cost of developing sophisticated data-stealing software is much lower than the expected profit.
Risk mitigation measures
Eliminating the main groups of risks relies on algorithms that limit unauthorized access.
Basic principles of building a protection system:
- if the company expects only internal threats from low-potential insiders, the cost of creating protection systems should not exceed the cost of preventing ordinary business risks;
- if medium-level threats are likely, the protection system should be built so that the cost of breaking into the information system is comparable to the value of the data.
The choice of protection strategy should be based on an analysis of the factors that shape the risks. With business moving to remote work, where employees communicate with the office over remote links, external and internal threats begin to overlap.
Ensuring the security of cloud technologies, for which FSTEC identifies about 10 risk zones, is becoming a new serious task. Cloud servers should be understood to include not only cloud data storage, to which companies transfer their archives, but also commonly used services such as:
- CRM systems, where part of the information is stored on the service provider's server;
- accounting software and office applications that work on the same principle.
Many companies do not think about the risks of storing information on external servers, although security services sometimes raise the issue of prohibiting the processing of sensitive data in the cloud. The main risk is that the data is accessible to the service provider, who can use it for their own purposes.
There are other risks as well:
- service outages caused by the provider's technological problems or by software updates. These temporarily suspend the company's business processes, leading to a drop in profits;
- unannounced provider software updates that slow down or stop work and disrupt streamlined business processes;
- non-compliance of the cloud server's protection system with regulators' requirements for protecting certain categories of confidential information. This exposes the company to liability for violating the law, and that liability will fall on the company that failed to exercise due diligence when choosing a service provider.
The transfer of part of the company's activity to the cloud must be controlled against all of these parameters. This will reduce the level of risk to the company's information security.
The algorithm for protecting against internal threats is as follows:
- determine the potential of the hypothetical intruder: low or medium;
- identify potential violators among the personnel of the groups listed above and rule out one or more of them;
- develop measures against threats that may arise from the violators' actions: replacement of unqualified IT personnel, user training;
- introduce software and technical protection measures against qualified violators;
- strengthen control over cloud technologies.
Implementing this algorithm will reduce most risks without significant cost to the business. Regular review of the threat model, retraining of employees and reconfiguration of protection systems are necessary to maintain a high level of information security in the organization.