The basic principles of information security
When securing an enterprise, an organization cannot foresee every threat, despite the broad capabilities of systems that protect data from unauthorized access and the steady introduction of new methods of ensuring information security. It is especially difficult to foresee all activities and build a reliable system for safeguarding and restricting access to information when the company has a large number of employees.
In practice, much of the work of the employee responsible for information security incidents comes down to relying on the intuition and vigilance of every employee, for example when something in a received email does not look quite right. To prevent information leaks caused by misinterpretation, errors or omissions when working with information, which open the way to a possible violation, every employee needs to know the basic principles of information security and comply with the company's requirements for keeping information safe.
Data leaks can happen at various moments of working with data. For example, information can be stolen by clicking a link in an email. This is the most common scenario, and it may affect not one person but hundreds or thousands of people whom the information concerns directly or indirectly.
Second on the list of information leakage risks is fraud on social networks: intruders extort passwords and attempt to obtain other personal data. Sometimes information is obtained by another illegal method, blackmail. Often, attackers deceive gullible interlocutors over the phone.
The basic approach of fraudsters is to find a "victim" and fabricate information that attracts attention and pushes the victim to perform some action, after which the attackers gain access to the information they need.
There is therefore no magic pill: to protect the company, its information and its employees, you need to study the information security program, develop a system for protecting the information stored and processed at the enterprise, and create a full-fledged system for monitoring compliance with the information security regime by all employees.
What is information security and what is its purpose
Information security is practical activity aimed at preventing unauthorized access to data stored, processed and transmitted in the company. The methods used to ensure it are also aimed at preventing the use, disclosure, distortion, alteration or destruction of data held on computers, in databases, archives or any other storage or media.
The main task of creating information security at an enterprise is data protection, namely ensuring its integrity and availability without harm to the organization. The information security system is built up gradually.
The process includes identifying:
- fixed assets and intangible assets;
- sources of information security threats and vulnerabilities;
- control and risk management capabilities.
Today there are several methods and technical means that help achieve a high level of information security most effectively.
Defining an enterprise's own information security system begins with clear goal setting and planning of specific steps aimed at keeping valuable corporate information safe. Compliance with the security policy by all participants in the process and the introduction of new information security methods will affect various areas of the organization. The main direction is creating the conditions for complete security and protection against violations of authentication, confidentiality and integrity.
The protection scheme developed should guarantee different levels of access to corporate information through personal identification or programmed authorization of the employees who have the right to access and process it. Under the company's security policy, employees may use certain documentation solely for business purposes. Documented and established restrictions help to quickly identify a violator and prevent information resources from leaking outside the enterprise.
The main burden of monitoring the implementation of an enterprise's information protection policy falls on the security service. Correct handling of information by employees depends directly on the goals set. For example, when giving an employee access to certain documents, pay attention to data transfer via cloud storage, which must be protected; cryptographic protection limits the possibility of unauthorized downloading of documents as far as possible.
Delimiting levels of access to information helps coordinate requests, distribute functions between employees, and promptly identify permitted and prohibited actions. This not only prevents incorrect or unlawful actions with the processed information but also helps correct how the data is handled when deviations are detected.
How to ensure information security for company employees
Information security experts recommend software-based controls to ensure information security: implementing them protects information reliably and allows a timely response to possible incidents. Training the organization's employees in the rules for working with data reduces the number of information security incidents and the financial losses from them.
The main points to take into account when creating and operating an information security system at an enterprise:
- Start building a multi-stage employee training process as early as possible. This principle is based on the idea that the executive part of the team sets the tone for the entire company, each group (department, division) and each project. If the company owner wants the information security program to succeed, a team of managers must be made responsible for meeting information security requirements at every stage of working with data, and these functions must be written into their job responsibilities.
- Train employees continuously in the methods and requirements of information security at the enterprise. Following this principle means instilling a data-handling culture in which everyone complies with information security rules at their own workplace. Most experts agree that a "once and done" approach does not provide information security; it is important to build "learning moments" into day-to-day operations. Attack simulation exercises, for example, generally provide the most realistic context for practicing information security in the risky real-life situations employees face, and such training often yields the most valuable methods, which can then be implemented.
- Use up-to-date information security solutions. Following this principle, raise staff awareness and change their behavior using real, relevant and convincing examples. There is no need to complicate the obvious or to solve every kind of situation with a single method. Only by applying the information protection system in all directions can you get a genuinely high-quality result and minimize or stop information leaks outside the enterprise.
- Choose the best approach. Show employees how to perform various operations with information safely, using the most appropriate and correct approach for the specific situation. Remember: the company owner's goal is to instill professional skills and habits so that security is observed intuitively, not just to have the rules memorized for a while.
- Prioritize training. Information security training matters most when it is closely tied to the employee's role in the enterprise and the risks that role faces.
- There is no single learning tool for everyone. Use new, creative ways to manage information security: newsletters, posters, blogs and other means. The conclusion from this principle is that you need an individual approach to each employee.
Following these principles, the leader can easily ensure information security for the employees of the enterprise.
Objectives of training staff on information security
Creating effective security systems in an enterprise is a complex undertaking, although many programs can automate the control process. Good metrics tell you not only what was done but how well it was done: they predict the future rather than recount the past.
Here are some tips for raising awareness and effectively teaching how to work safely with information systems:
- tracking support tickets: employees who are more sensitive to suspicious events report problems with confidence;
- using non-traditional teaching methods such as simulation exercises, which test an employee's resilience to social engineering fraud and then measure progress quarterly.
Nevertheless, the enterprise owner needs to work with the team that provides information security so that everyone can maintain trust and transparency in their relations.
Training programs must be constantly refined and updated to take account of new trends and the emergence of new methods and means of protecting information. Stagnant methods of dealing with outside interference cannot guarantee maximum information protection.
When developing training programs, consider:
- the opportunity to study without interrupting the work process;
- the regularity of updating the acquired knowledge;
- availability and clarity of the information provided.
Distance learning is one of the most productive ways to train any number of employees quickly and easily without violating established working hours or reducing productivity. It can take the form of videos, films, screensavers, cartoons or short news items from the security service. Constantly reminding employees of the importance of information security instills strong habits of meeting information security requirements.
Employee training does not guarantee 100% data protection, but it raises the level of protection of the system as a whole.
What you need to know about phishing attacks
To achieve the required level of protection in an information system, the number of incidents must be reduced by applying the basic security principles. The first step is to focus on the biggest employee risk: phishing.
Phishing attacks are the most common way of manipulating employees. Their purpose is to put the company at risk. This scam is built on social engineering and is responsible for the massive breaches heard about everywhere today.
For example, a hacker creates a look-alike Facebook address: users who open the page do not notice the difference, log in and hand the fraudster their personal data.
Phishing emails contain psychological traps. As a rule, they are addressed to a specific employee or company; phishing emails sent to a wider range of recipients are less specific.
Protection against this type of attack rests on the vigilance and awareness of each employee; otherwise access to information resources may suffer because of a single opened email, for example through a picked-up virus. Employees should be rewarded when they spot a suspicious email and report it. This keeps information and software intact.
To ensure the required level of protection, phishing attacks can be simulated to teach employees the correct behavior when receiving suspicious emails and to identify gaps in knowledge and inability to protect confidential information.
Remember: the purpose of this kind of attack is, above all, to obtain information about electronic payment systems, bank accounts and transfers. Phishing aimed at a specific employee can be prevented by setting restrictions on the sending and receiving of emails and messages.
Despite modern developments in combating Internet attacks, this type of security policy violation remains effective.
Types of attacks: what you need to defend against
The best way to choose an appropriate response to a security threat is to understand what types of attacks can be used against you.
List of main types of attacks:
- an attack via external or removable media uses removable media (for example, a flash drive or CD-ROM that infects an information resource) or a peripheral device;
- an attack via email uses an email with a link or attachment (for example, a malware infection);
- an attack on a system degrades or destroys a system, network or service, giving the attacker access to information;
- misuse is any incident caused by a violation of the organization's rules by an authorized user;
- an attack from a website or web application;
- loss or theft of equipment.
The security policy mitigates most of the risks associated with various types of attacks on an information resource.
Attackers rarely come in through the front door, which in this context means the hardware firewall. Each attack, as a rule, follows a certain pattern, or "cyber kill chain". The protection system should therefore be built up gradually, covering all communication channels.
A cyber kill chain is the sequence of steps an attacker must complete to penetrate a network and exfiltrate data from it or perform other actions. Developing a monitoring and response plan based on the kill chain model is an effective way of stopping cybercriminals, because it focuses on the actual attacks carried out remotely by the attacker. The attacker's goal is to find the necessary data and destroy it, having first performed reconnaissance and developed an attack plan.
Which security events you really need to worry about
To classify the types of information system security incidents, each must be mapped to a stage of the cyber kill chain in order to prioritize incidents and respond to them appropriately.
For example, many port scans are ignored when the source IP address has no bad reputation and the activity amounts to several actions from the same address in a short period of time. In most cases the information resource remains untouched.
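The triage described above, as an added example that is not part of the original article: the attack types listed earlier are mapped to kill chain stages for prioritization, and the port-scan rule is applied to constructed firewall log lines. The stage names, the log format and the reputation list are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Kill chain stage for each incident category in the article's list of attack
# types; stage numbers follow the common seven-step ordering (1 = reconnaissance).
INCIDENT_STAGE = {
    "port_scan": ("reconnaissance", 1),
    "removable_media": ("delivery", 3),
    "email": ("delivery", 3),
    "web_application": ("exploitation", 4),
    "system_compromise": ("installation", 5),
    "misuse": ("actions_on_objectives", 7),
    "equipment_loss": ("actions_on_objectives", 7),
}

BAD_REPUTATION = {"203.0.113.7"}  # constructed reputation list (TEST-NET-3 address)

# Constructed firewall log: "<ISO timestamp> <src ip> -> <dst port> <verdict>"
FW_LOG = """\
2024-05-01T10:00:01 198.51.100.4 -> 22 DROP
2024-05-01T10:00:02 198.51.100.4 -> 80 DROP
2024-05-01T10:00:03 198.51.100.4 -> 443 DROP
2024-05-01T10:00:01 203.0.113.7 -> 22 DROP
2024-05-01T10:00:02 203.0.113.7 -> 3389 DROP
2024-05-01T10:00:03 203.0.113.7 -> 445 DROP
"""


def triage(category):
    """Map an incident category to its kill chain stage and a response priority."""
    stage, order = INCIDENT_STAGE[category]
    priority = "high" if order >= 5 else "medium" if order >= 3 else "low"
    return stage, priority


def scan_triage(log, window_s=60, min_ports=3):
    """Apply the article's port-scan rule per source address."""
    hits = defaultdict(list)
    for line in log.splitlines():
        ts, src, _, port, _verdict = line.split()
        hits[src].append((datetime.fromisoformat(ts), int(port)))
    verdicts = {}
    for src, events in hits.items():
        events.sort()
        span = (events[-1][0] - events[0][0]).total_seconds()
        burst = span <= window_s and len({p for _, p in events}) >= min_ports
        # A scan burst from an address with no bad reputation is ignored;
        # the same burst from a known-bad address is escalated for investigation.
        verdicts[src] = "investigate" if burst and src in BAD_REPUTATION else "ignore"
    return verdicts


if __name__ == "__main__":
    print(scan_triage(FW_LOG), triage("email"))
```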
A malware infection that has entered a device together with software must be eliminated immediately. The main remedy is to scan the network for indicators of compromise associated with the problem and remove them before the attackers copy the database. At the protected facility, web servers must be configured to withstand floods of HTTP and SYN requests. During an attack, coordinate with your ISP to block the source IP addresses.
Sometimes all related activity must be investigated so that fraudsters cannot divert attention from a more serious attack attempt. Resistance in this case succeeds through close cooperation with the Internet or service provider.
Define the privileged user accounts for all domains, servers, applications and critical devices. Make sure monitoring is enabled for all systems and all system events. In addition, all important data must be backed up, and system recovery procedures must be tested, documented and kept up to date. When a system is compromised, carefully collect evidence and document every stage of recovery.