Fundamentals of Computer Security. Information Security
The digital world that has surrounded people in recent decades makes everyday life easier, drives the economy, and helps solve many everyday and professional tasks. But the gain in convenience comes with a growth in the number of threats to the personal interests and rights of citizens and to the normal functioning of business. Complying with even simple information security requirements can protect the funds on a person's bank cards and their personal data. Companies, especially those operating in competitive markets, need to take a more responsible approach to computer security.
The need to protect information
Experts who develop a computer security concept for a company begin by preparing a threat model. This document records which adversaries, assets and attack paths matter, and from it the architecture of the information systems and the necessary organizational and technical safeguards are derived.
At the state level, the model of systemic threats is formulated in the Information Security Doctrine of the Russian Federation, and they are countered mainly in the legal field: through the adoption of laws and the establishment of standards and methods that define the foundations of information security. For a company, the main threats depend on the markets it operates in and the categories of information it processes.
Among the threats that most often appear in such models are the following:
- external: competitors seeking information on business processes or customer bases, or hackers pursuing their own goals;
- internal (insider): according to industry estimates, more than 70% of information leaks result from the actions of company employees, ordinary users. Such actions can be deliberate or accidental.
The basic principle of building a security system is that there is no such thing as absolute security of information. The methods and means of protection, and their cost, must always be weighed against the actual value of the information.
Internal threats are easier to deal with than external ones. Informing employees about the basic rules for working on a computer, establishing a trade-secret regime, differentiating access levels and publicising cases of prosecution for violating computer security rules can reduce insider risk to a minimum. It can be reduced further if a modern DLP system is installed on work computers, although residual risk never reaches zero, and not every small or medium-sized business can afford such a system.
Most often, IT specialists limit themselves to a few typical solutions:
- setting passwords on computers;
- installing anti-virus protection;
- prohibiting the installation of any software that has not been vetted or that was simply found on the Internet;
- ranking the level of user access to particular information arrays stored on the computer.
This is not always enough. If the information is of value to third parties, a combination of organizational and technical measures must be applied to protect it, and when violations of information security are detected, legal means must be used as well.
All of them should be aimed at ensuring the three main properties of information security:
- confidentiality. Any information for which a secrecy regime has been established (personal data, banking or commercial secrets) should be available only to authorized users;
- integrity. Data should be stored on computers and in information systems in its original form, neither changed nor distorted, and any unauthorized change should be detectable;
- availability. The user of a personal computer or information resource should receive the necessary information at the time of the request; its inaccessibility for one reason or another (a hacked site or ransomware on the computer) should not disrupt work.
The state establishes standards designed to ensure the security of information on a company's computers and servers. Organizations must comply with these rules and standards in the cases stipulated by law, and may turn to state bodies to bring to justice persons who have committed computer crimes.
Information security standards and rules are established for particular categories of information objects. For example, for the protection of personal data or of critical information infrastructure, orders of the FSTEC of Russia specify the classes of protective software whose use is required to guard against leaks or seizure of control.
If an insider or a third party commits a computer crime, a citizen or an organization can apply to law enforcement agencies with a statement to initiate a criminal case under the articles of the Criminal Code on crimes in the field of computer information. These are:
- unlawful access to computer information (Article 272 of the Criminal Code of the Russian Federation). Unauthorized access to legally protected information on a computer is prosecuted when it leads to the destruction, blocking, modification or copying of that information; logs and other records of the access are the evidence such a case rests on;
- creation, use and distribution of malicious programs (Article 273 of the Criminal Code of the Russian Federation). Authors of viruses, worms, Trojans and logic bombs all fall under this rule;
- violation of the rules for operating means of storing, processing or transmitting computer information (Article 274 of the Criminal Code). Liability arises if the information was copied, modified, blocked or destroyed and this caused major damage to its owner.
Legal protection mechanisms only come into play when the company is prepared to bring the insider to justice without fearing damage to its business reputation and stable operation.
The role of administrative measures
Every organization has rules and regulations developed to structure its work. Creating such a set of rules for working on a computer can eliminate many risks or prevent them from arising. In some cases, developing internal policies is mandatory.
For example, a personal data operator, based on the law on personal data and government decrees, will need to prepare:
- a personal data processing policy;
- a list of persons who have access to the information;
- a standard consent to processing.
In addition to the mandatory set of rules, many companies also develop:
- an information security policy and rules for working on a computer;
- principles of working on the Internet;
- principles of working with physical media;
- standards for assigning information to a particular security class.
Employees are made familiar with all the documents against signature; only this makes it possible to hold them accountable later for violating computer security rules.
Additionally, clauses on compliance with regulations and the preservation of trade secrets are included in labor contracts with employees and in contracts with suppliers and contractors. Often the most critical information leaks occur when it is transferred to a service provider or to cloud storage.
When working on a computer, an ordinary user directly encounters only one technical means of protecting information, namely anti-virus software. The IT department of a corporation deals with a much wider set of technical tools designed to ensure information security. These are:
- cryptographic protection tools used to encrypt data stored on a computer and outgoing traffic;
- steganography programs that hide confidential data inside image or audio files;
- SIEM (security information and event management) systems that collect and correlate event logs;
- DLP systems designed to intercept attempts to transmit confidential information by e-mail, instant messengers or social networks, to print a document, to take a screenshot or to copy data to removable media.
Hardware-related issues are addressed separately. An information system architecture is chosen that minimizes the risk of leakage while information is in transit, and a two-level password scheme is set up on the computer: an operating-system login plus a second password set at the BIOS/UEFI level. Note that two passwords are not two-factor authentication, since both are something the user knows. Passwords do not always solve the problem: on some imported motherboards the firmware offers only a single password for both setup access and system startup. A mandatory step is backing up data that may be lost through a technical failure, user error or hacker attack, and periodically verifying that the backups can actually be restored.
Taken together, this set of protection tools is designed to keep computer security at a high level without spending disproportionate resources on the problem.
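As an added example (not code from the original article), the following Go program shows how the confidentiality and integrity properties listed earlier are delivered together by one cryptographic tool of the kind listed above: AES-256-GCM authenticated encryption from the Go standard library, applied to a record that would be stored on disk. The file name used as a label, the sample customer record and the key handling are assumptions made for the illustration; in particular, the key is generated randomly here, whereas a real deployment would keep it in a key store or derive it with a proper KDF.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the sealed form that would be written to disk:
// a fresh random nonce plus ciphertext with the 16-byte GCM tag appended.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewKey returns a random 256-bit AES key. Assumption for this example only:
// a real system would load the key from a key store or derive it with a KDF.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // accepts 16-, 24- or 32-byte keys
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key with AES-GCM. The label (here a file
// name) is passed as associated data: it is authenticated but not encrypted,
// so a sealed record cannot be silently moved to another file.
func Seal(key []byte, label string, plaintext []byte) (Envelope, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // never reuse a nonce with one key
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, []byte(label))}, nil
}

// Open verifies and decrypts. Any change to the nonce, ciphertext, tag or
// label makes it fail (integrity); without the key the plaintext is not
// recoverable at all (confidentiality).
func Open(key []byte, label string, env Envelope) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, env.Nonce, env.Ciphertext, []byte(label))
	if err != nil {
		return nil, errors.New("record rejected: authentication failed (tampered, wrong key or wrong label)")
	}
	return pt, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record standing in for a confidential customer file.
	record := []byte("client=A. Ivanov;card=4111 1111 1111 1111")
	env, err := Seal(key, "clients.db", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes; nothing readable without the key\n", len(env.Ciphertext))

	// An insider edits one byte of the stored file: the change is detected.
	env.Ciphertext[0] ^= 0x01
	if _, err := Open(key, "clients.db", env); err != nil {
		fmt.Println("tamper check:", err)
	}
	env.Ciphertext[0] ^= 0x01 // undo the edit, as restoring from a backup would

	// The intact record under the right key and label opens normally.
	pt, err := Open(key, "clients.db", env)
	if err != nil {
		panic(err)
	}
	fmt.Println("restored:", string(pt))
}
```

The point of binding the file name as associated data is that an attacker who can rearrange stored records but cannot read them is still caught: moving a sealed record to a different file fails verification just as editing its bytes does.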