Information security measures. Technical information security measures

    The classification of information protection measures in accordance with Art. 16, para. 1 of Federal Law No. 149-FZ is a combination of legal, organizational and technical measures. With a broad interpretation of the concept of information protection, which in this case is more correctly replaced by the term information security, the list of protection measures should also include physical protection measures.

    Legislative measures

    Legislative measures account for about 5% of the funds spent on information protection. These are measures for the development and practical application of laws, regulations, instructions and rules for the operation and control of both the hardware and the software of computer and information systems, including communication lines, as well as all infrastructure facilities that provide access to these systems. In Russia, activities in the information sphere are regulated by more than 1000 regulatory documents. Criminal prosecution for crimes in this area is carried out in accordance with Chapter 28 of the Criminal Code of the Russian Federation, "Crimes in the field of computer information", which contains three articles.

    1. Article 272 – unauthorized access to information. Unauthorized access to information is a violation of the established access control rules using the standard means provided by computer equipment and automated systems (networks). Note that when deciding whether access to specific information is authorized, there must be a document establishing the rules restricting access, if these rules are not prescribed by law.
    2. Article 273 – creation, use and distribution (including the sale of infected media) of malicious computer programs, although their list and characteristics are not legally established. A malicious program is a specially created or modified existing program that knowingly leads to the unauthorized destruction, blocking, modification or copying of information, or to the disruption of the operation of computers or their networks.
    3. Article 274 – violation of the rules for operating computers, computer systems or their networks. This covers the disruption of the operation of programs and databases, the issuance of distorted information, the abnormal functioning of hardware and peripheral devices, disruption of the normal functioning of networks, termination of the functioning of automated information systems in the established mode, and failures in computer information processing.

    Criminal prosecution for illegal actions with publicly available information is carried out in accordance with Articles 146 “Infringement of copyright and related rights” and 147 “Infringement of inventive and patent rights” of Chapter 19 “Crimes against the constitutional rights and freedoms of man and citizen” of the Criminal Code of the Russian Federation.

    Responsibility for compliance by employees of an organization or company with legislative measures to protect information lies with each employee of the organization or company, and control over their compliance lies with the manager.

    Physical measures

    Physical measures (share 15–20%) restrict physical access to computers, communication lines and telecommunications equipment, and provide access control. Physical security measures are aimed at controlling the access of individuals, vehicles and cargo into a protected area, as well as at countering human and technical reconnaissance. These measures include: protection of the perimeter, territory and premises; visual and video surveillance; identification of people and cargo; identification of equipment; alarm and blocking; restriction of physical access to premises.

    There are three main macrofunctions of physical protection (Fig. 11.2):

    • external protection;
    • recognition;
    • internal protection.

    The listed tools are used to detect threats and notify security officers or facility personnel about the emergence and growth of threats.

    Of the 12 groups, divided by functionality, we will take a closer look at four that either use computer tools in their technical implementation or are suitable for protecting the rooms in which computers are used.

    Security alarm. The main element of the alarm system is sensors that record changes in one or more physical parameters and characteristics.

    Sensors are classified into the following groups:

    • volumetric, allowing you to control the space of premises, for example inside computer classes;
    • linear, or surface, for monitoring the perimeters of territories, buildings, walls, openings (windows, doors);
    • local, or point, for monitoring the state of individual elements (whether a window or door is closed).

    Fig. 11.2.

    Sensors are installed both openly and covertly. The most common are:

    • switches (breakers), which mechanically or magnetically close (break) the monitored electrical circuit when an intruder appears; there are floor, wall and touch switches;

    • infra-acoustic, installed on metal fences to capture the low-frequency vibrations that arise when they are climbed over;
    • electric field sensors, consisting of an emitter and several receivers. They are made in the form of wires and cables stretched between poles. The change in the field when an intruder appears is recorded by the sensor;
    • infrared sensors (emitter – diode or laser) used for scanning surfaces or volumes of premises. The thermal “photograph” is stored and compared with the subsequent one to identify the fact of movement of an object in the protected volume;
    • microwave – ultra-high frequency transmitter and receiver;
    • pressure sensors that respond to changes in mechanical load on the environment in which they are laid or installed;
    • magnetic sensors (in the form of a grid) that react to metal objects in the intruder’s possession;
    • ultrasonic sensors that respond to sound vibrations of structures in the mid-frequency range (up to 30–100 kHz);
    • capacitive, responding to changes in the electrical capacitance between the floor of the room and the lattice of the internal fence when a foreign object appears.

    Means of warning and communication. All kinds of sirens, bells and lamps that give constant or intermittent signals that a sensor has detected the appearance of a threat. Over long distances, radio communication is used; over short ones, special shielded, protected cabling. A mandatory requirement is an automatic backup power supply for the alarm systems.

    Security television. A common physical defense. Its main feature is the ability not only to visually record the fact of a violation of the security regime of an object and to control the situation around the object, but also to document the fact of the violation, as a rule, using a video recorder.

    Unlike regular television, in security TV systems, the monitor receives images from one or more video cameras installed in a place known only to a limited circle of people (the so-called closed TV). Naturally, cable lines for transmitting security TV signals should not be accessible to persons other than security. Monitors are located in separate rooms, access to which should be limited.

    The three groups discussed above fall under the category of intrusion or threat detection tools.

    Natural means of counteracting intrusion. These include natural or artificial barriers (water barriers, heavily intersected terrain, fences, special barriers, special room designs, safes, locked metal boxes for computers, etc.).

    Access restriction tools that include computer equipment. These include biometric and other media that use passwords or identification codes external to the computer: plastic cards, flash cards, Touch Memory tablets and other access restriction devices.

    Biometric access restrictions. The peculiarity of biometric admission methods is their statistical nature. In the process of checking an object, if there is a previously stored code, the control device issues a message based on the “matches” or “does not match” principle. In the case of reading a copy of a biological code and comparing it with the original, we are talking about the probability of error, which is a function of the sensitivity, resolution and access control software of the device. The quality of a biometric access control system is determined by the following characteristics:

    • the probability of erroneous admission of an “alien” – an error of the first type;
    • the probability of erroneous detention (denial of admission) of “one’s own” legal user – an error of the second type;
    • access time or identification time;
    • cost of the hardware and software parts of the biometric access control system, including the costs of personnel training, installation, maintenance and repairs.

    Most of the biometric security measures are implemented on three components: scanner (sensor) – converter (sensor signals into digital code for the computer) – computer (keeper of the database of biometric codes - characteristics of the object, comparison with information received from the sensor, making a decision on admitting the object or blocking his access).
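As an added illustration of the two error types defined above (example code, not from the book), the following Python computes the false-acceptance (type I) and false-rejection (type II) rates of a matcher from constructed match scores and finds the threshold at which they are equal; the scores and the 0–1 similarity scale are assumptions.

```python
from typing import List, Tuple

# Constructed similarity scores on a 0-1 scale (higher = closer to the stored
# template). "genuine" are attempts by the enrolled user, "impostor" by others.
GENUINE_SCORES: List[float] = [0.91, 0.85, 0.78, 0.66, 0.95, 0.72, 0.88, 0.59]
IMPOSTOR_SCORES: List[float] = [0.12, 0.35, 0.48, 0.61, 0.27, 0.55, 0.40, 0.69]


def false_acceptance_rate(impostor: List[float], threshold: float) -> float:
    """Type I error: share of 'alien' attempts admitted (score >= threshold)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def false_rejection_rate(genuine: List[float], threshold: float) -> float:
    """Type II error: share of legitimate attempts denied (score < threshold)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def equal_error_point(genuine: List[float],
                      impostor: List[float]) -> Tuple[float, float, float]:
    """Sweep every observed score as a candidate threshold and return the one
    where FAR and FRR are closest, as (threshold, far, frr).  Raising the
    threshold (device sensitivity) lowers FAR and raises FRR, and vice versa,
    which is why both rates must be quoted together for a system."""
    candidates = sorted(set(genuine) | set(impostor))
    best = min(candidates,
               key=lambda t: abs(false_acceptance_rate(impostor, t)
                                 - false_rejection_rate(genuine, t)))
    return best, false_acceptance_rate(impostor, best), false_rejection_rate(genuine, best)


def tradeoff_table(genuine: List[float], impostor: List[float],
                   thresholds: List[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) rows for a set of operating points."""
    return [(t, false_acceptance_rate(impostor, t), false_rejection_rate(genuine, t))
            for t in thresholds]


if __name__ == "__main__":
    for t, far, frr in tradeoff_table(GENUINE_SCORES, IMPOSTOR_SCORES, [0.5, 0.6, 0.7]):
        print(f"threshold {t:.2f}: FAR={far:.3f} (type I)  FRR={frr:.3f} (type II)")
    print("equal error point (threshold, FAR, FRR):",
          equal_error_point(GENUINE_SCORES, IMPOSTOR_SCORES))
```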

    Two groups of parameters are used as a person's unique biological code in biometrics.

    Behavioral, based on the specifics of human actions, such as voice timbre, signature, individual gait and keyboard handwriting. The main disadvantage of behavioral characteristics is their instability over time, i.e. the possibility of significant change. This greatly limits the use of behavioral characteristics as access control tools. However, over a relatively short period of time they are useful as a means of personal identification. An example is recording the keyboard handwriting of a person in the course of carrying out a network attack and subsequent (after the attacker's arrest) control typing of a certain text, preferably on the keyboard taken from him (ideally on his own computer).

    Physiological, using the anatomical uniqueness of each person – iris, retina, fingerprints, palm print, hand geometry, facial geometry, facial thermogram, skin structure (epithelium) of the fingers based on ultrasound digital scanning, shape of the auricle, three-dimensional image of the face, structure of the blood vessels in the hand, DNA structure, analysis of individual odors. To be fair, we note that most of the listed biometric tools are not yet produced on a mass scale.

    Biometric control devices began to spread in Russia even before 2000. However, due to the high price on the Russian market (tens of thousands of dollars per device), such technology was exotic. Today, biometric tools are available and in steady demand in Russia. Another reason is the awareness of the need for protection from crime in our country. Experience shows that the complexity of the access control devices used is increasing. Previously, security enterprises in Russia used locks with a PIN code, then magnetic plastic cards appeared, which had to be swiped through special reading devices, and even later remote reading cards. Experience, including Russian experience, shows that these means are effective only against a random visitor and are weak against serious forms of crime, when both passwords for entering an information system and plastic cards are compromised and pressure is put on individual employees of the security and safety services.

    The level of modern biometric protection is very high: it eliminates the possibility of hacking even in a situation where an attacker tries to use a corpse or removed organs. The possibility of technical hacking of the database of standards or their substitution at the identification stage is, as a rule, excluded: the scanner and communication channels are highly protected, and the computer is additionally isolated from the network and does not even have terminal access.

    The well-known company Identix, which deals with automated fingerprinting equipment, has been registered in 52 countries. Its commercially produced equipment solves the following identification problems:

    • control of physical access to the building, parking lots and other premises;
    • control of computer stations (servers, workstations) and telecommunications systems;
    • access control to safes, warehouses, etc.;
    • identification in e-commerce;
    • control of membership in various organizations and clubs;
    • passport control;
    • issuance and control of visas and licenses;
    • control of visiting time;
    • vehicle control;
    • identification of credit and smart cards.

    Table 11.1 compares the characteristics of industrial biometric access control systems.

    Table 11.1

    Characteristics of industrial biometric access control systems

    The spread of biometric access control tools in a number of countries is limited by the legislation in force on their territory. In Russia there is a law on personal data (Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”, which entered into force on January 26, 2007). Similar laws exist in some other countries and are absent in others. Article 11 “Biometric personal data” of this Law does not contain an exhaustive list of the parameters that can be attributed to such data.

    There is no doubt that the creation of even small, local databases containing information identifying a citizen should be regulated by law, with mandatory liability for the unauthorized disclosure or distortion of such information.

    Plastic cards. Plastic cards remain the leader among portable media for personal identification codes (PIN) and physical access codes.

    A plastic card is a plate of standard size (85.6 × 53.9 × 0.76 mm), made of special plastic resistant to mechanical and thermal influences. The main function of a plastic card is to ensure the identification of the cardholder as a subject of a physical access system or payment system. The following is applied to the plastic card:

    • logo of the issuing bank (that issued the card);
    • logo or name of the payment system servicing the card;
    • cardholder name;
    • the cardholder's account number;
    • validity period.

    A photograph, owner's signature and other parameters may be present.

    Alphanumeric data - name, account number and others can be printed in raised font (embossed), which allows, during manual processing, to quickly transfer data from the card to the check using an imprinter that “rolls” the card.

    According to the principle of operation, cards are divided into two groups - passive and active.

    Passive cards only store information on the medium and do not provide offline processing. An example is cards with a magnetic stripe on the back side (three tracks), widespread throughout the world. Two tracks store identification records. On the third one you can write, for example, the current value of the debit card limit. Due to the low reliability of the magnetic coating, cards are usually used only in read mode. When working with a card, a connection between the bank and the ATM must be established, which is only possible where the communication infrastructure is well developed. This type of card is vulnerable to fraud, so the Visa and MasterCard/Europay systems use additional means of card protection – holograms and non-standard fonts for embossing.

    Active plastic cards contain a built-in microcircuit and allow varying degrees of information processing without the participation of the bank servicing the payment system. A typical example is counter cards and memory cards. But they are giving way to intelligent or smart cards, which contain not just a microcircuit, but a specialized processor. The card itself is a microcomputer that, when connected to an ATM, is capable of independently (without the participation of the bank, i.e. in offline mode) not only identifying the client, but also performing a number of financial transactions: withdrawing money from an account, non-cash payment of bills and goods.

    Although there are cases of distortion of the information stored in smart cards, as well as disruption of their functionality due to exposure to high or low temperatures or ionizing radiation, cards of this type are highly reliable and are displacing other types of cards.

    Organizational (administrative) measures

    Administrative measures (50–60% share) include:

    • development of a security policy in relation to a specific information system (what profiles, what passwords, what attributes, what access rights);
    • development of security controls (who, when and in what order changes the security policy);
    • distribution of responsibility for security (who is responsible for what in case of violation of the security policy);
    • training personnel in safe work and periodic monitoring of employee activities;
    • monitoring compliance with the established security policy;
    • development of security measures in case of natural or man-made disasters and terrorist attacks.

    Responsibility for compliance with organizational (administrative) measures to protect information in an organization or company lies with the manager, the head of the security (information security) service, and the system (network) administrator.

    To ensure the security of information in office networks, various measures are carried out, united by the concept of “information security system”. An information security system is a set of measures, software and hardware, legal, moral and ethical standards aimed at countering the threats of violators in order to minimize possible damage to users and owners of the system.

    Traditional measures to counteract information leaks are divided into technical and organizational (Konakhovich G. Information protection in telecommunication systems. M.: MK-Press, 2005. P. 123).

    Technical measures include protection against unauthorized access to the system, redundancy of particularly important computer subsystems, organization of computer networks with the possibility of redistributing resources in the event of failure of individual links, installation of fire detection and extinguishing equipment and water detection equipment, adoption of structural measures to protect against theft, sabotage and explosions, installation of backup power supply systems, equipping premises with locks, installation of alarm systems, and much more.

    Organizational measures include the security of servers, careful selection of personnel, excluding cases where particularly important work is carried out by only one person, the presence of a plan for restoring the server’s functionality after its failure, and the universality of protection against all users (including senior management).

    Unauthorized access to information can occur during computer maintenance or repair by reading residual information on media, despite the user having deleted it by conventional means. Another method is to read information from media while they are being transported without security within a facility or region.

    Modern computer tools are built on integrated circuits. During the operation of such circuits, high-frequency changes in voltage and current levels occur, which give rise to electromagnetic fields and interference in power circuits, in the air, in nearby equipment, etc., from which, with the help of special means, the information being processed can be recovered. As the distance between the intruder's receiver and the hardware decreases, the likelihood of this type of information collection and decoding increases.

    Unauthorized access to information is also possible by the offender directly connecting “spyware” to communication channels and network hardware.

    Traditional methods of protecting information from unauthorized access are identification and authentication, and password protection (Korzhov V. Strategy and tactics of defense // Computerworld Russia. 2004. No. 14. P. 26).

    Identification and authentication. Computer systems contain information the right to use which belongs to certain individuals or groups of individuals acting on their own initiative or in accordance with their job responsibilities. To ensure the security of information resources, eliminate the possibility of unauthorized access, and strengthen control of authorized access to confidential or classified information, various systems of identification, authentication of an object (subject) and access control are used. The construction of such systems is based on the principle of admitting and performing only those accesses to information that carry the corresponding signs of authorized powers.

    The key concepts in this system are identification and authentication. Identification is the assignment of a unique name or image to an object or subject. Authentication is the establishment of authenticity, i.e. checking whether an object (subject) is really who it claims to be.

    Classification of information protection measures

    Currently, the types of computer crimes are extremely diverse. All measures to combat computer crimes can be divided into:

    · Regulatory

    · Moral and ethical

    · Organizational

    · Technical.

    Regulatory - include laws and other legal acts, as well as mechanisms for their implementation, regulating information relations in society. Legal measures should include the development of rules establishing liability for computer crimes, protection of copyrights of programmers, improvement of criminal and civil legislation, as well as legal proceedings. Legal measures also include issues of public control over developers of computer systems and the adoption of relevant international treaties on their restrictions if they affect or may affect the military, economic and social aspects of life in the countries concluding the agreement. Only in recent years have works appeared on the problems of the legal fight against computer crimes.

    Moral and ethical - rules and norms of behavior aimed at ensuring the security of information, not enshrined in legislation or administratively, but supported in teams through traditions and the mechanism of public opinion.

    Organizational - rules, measures and activities regulating the access, storage, application and transfer of information, put into effect by administrative means. Without following these seemingly trivial rules, the installation of any, even the most expensive, technical means of protection will result in a waste of money for an organization in which organizational issues have not been resolved at the proper level. Measures to ensure the safety and protection of information vary in scope and form at each enterprise or firm. They depend on the production, financial and other capabilities of the company. The presence of a large number of vulnerabilities in any modern enterprise or firm, a wide range of threats and the fairly high technical equipment of attackers require an informed choice of special information protection solutions. The basis for such decisions can be considered:

    · Application of scientific principles in ensuring information security, including: legality, economic feasibility and profitability, independence and responsibility, scientific organization of work, close connection between theory and practice, specialization and professionalism, program-target planning, interaction and coordination, accessibility in combination with the necessary confidentiality

    · Acceptance of legal obligations on the part of enterprise employees regarding the safety of information entrusted to them

    · Creation of administrative conditions under which the possibility of theft, misappropriation or distortion of information is excluded

    To reliably protect confidential information, it is advisable to apply the following organizational measures:

    · Determination of levels (categories) of confidentiality of protected information

    · Selection of principles (local, object or mixed) of methods and means of protection

    · Establishment of the procedure for processing protected information

    · Consideration of spatial factors: introduction of controlled (protected) zones, the right choice of premises, and the location of objects relative to each other and to the boundaries of the controlled area

    · Taking into account time factors: limiting the processing time of protected information and confining the processing of highly confidential information to a narrow circle of people

    Technical means are complexes of special hardware and software designed to prevent the leakage of information being processed or stored by preventing unauthorized access to it using technical means of retrieval. Technical methods of information protection are divided into hardware, software and hardware-software.

    To block possible channels of information leakage through technical means of supporting production and labor activities with the help of special technical means and create a facility protection system for them, it is necessary to implement a number of measures:

    · Take into account the specific features of the location of buildings, of premises in buildings, of the area around them and of the supplied communications

    · Identify those premises within which confidential information circulates and take into account the technical means used in them

    Carry out the following technical activities:

    · check that the level of spurious radiation of the equipment used corresponds to the permissible levels; shield the premises together with the equipment, or the equipment within the premises

    · reinstall individual circuits, lines, cables, use special devices and means of passive and active protection.

    A real protection system includes all of the listed types of tools and, as a rule, is created by integrating them. The main difficulty in its creation is that it must simultaneously satisfy two groups of directly opposing requirements:

    · Ensure reliable information security

    · Do not create noticeable inconvenience to employees and especially clients.

    In addition, the protection system must be adequate to possible threats, with a mandatory assessment of both the likelihood of their occurrence and the amount of real damage from the loss or disclosure of information circulating in a certain medium.

    Computer protection

    In a personal computer, the computing resources are the RAM, the processor, the built-in hard or floppy magnetic disk drives, the keyboard, display, printer and peripherals. Protecting the RAM and processor includes monitoring the appearance of so-called resident programs in RAM, protecting system data, and clearing remaining secret information from unused memory areas. To do this, it is enough to have at your disposal a RAM viewer to monitor the composition of resident programs and their location.

    Much more important is the protection of built-in storage devices. There are several types of software capable of solving this problem:

    · Disk write and read protection

    · Disk access control

    · Tools for removing remnants of classified information.

    But the most reliable method of protection is, of course, encryption, since in this case the information itself is protected, and not access to it (for example, an encrypted file cannot be read even if the floppy disk is stolen). However, in some cases, using encryption is difficult or impossible, so it is necessary to use both methods together. Most security tools are implemented in the form of programs or software packages that extend the capabilities of standard operating systems and database management systems. More details about protecting computer information are described in the following chapters.

    Methods and means of protecting information in communication channels

    Communication security when transmitting voice messages is based on the use of a large number of different methods of closing messages, which change the characteristics of speech in such a way that it becomes illegible and unrecognizable to an eavesdropper who intercepts the message. Moreover, the closed signal occupies the same frequency band as the open signal. The choice of closure method depends on the specific application and the technical characteristics of the transmission channel.

    Depending on the transmission spectrum of speech signals, methods for protecting speech signals in narrowband channels are divided into the following types:

    · Analog scrambling

    · Signal masking with special barrage interference

    · Speech sampling followed by encryption.

    With analog scrambling, the characteristics of the speech signal change, resulting in the formation of a modulated signal that has the properties of illegibility and unrecognizability. The spectral bandwidth of the converted signal remains the same as the original one. Analogue scrambling is carried out on the basis of time and/or frequency permutations of speech segments.

    Due to the time permutations, the converted message is encoded, which expands the spectrum. Spectral distortion in a narrowband channel determines the loss in the reconstructed message. Similarly, permutations of spectrum segments during frequency scrambling lead to intermodulation distortions in the reconstructed message.

    Speech signal masking is based on the formation of additive barrier interference, followed by its isolation and compensation on the receiving side. As a rule, this method is used in combination with simple scrambling (imposing multiplicative noise on the signal).

    The method of speech sampling with subsequent encryption involves the transmission of the main components of the speech signal by converting them into a digital data stream, which is mixed with a pseudo-random sequence. The closed message received in this way is transmitted to the communication channel using a modem.

    In digital systems, speech components are converted into a digital stream. Further transformation operations include permutation, scrambling with a pseudo-random sequence, and time delay.

    Digital signature

    To solve the problem of information authentication, Diffie and Hellman in 1976 proposed the concept of authentication based on a “digital signature”. It lies in the fact that each network user has his own secret key necessary to generate a signature; the public key corresponding to this secret key, intended for verifying the signature, is known to all other network users. In the proposed scheme, a digital signature is calculated based on the protected message and the secret key of the specific user who is the sender of this message. Each user with the corresponding public key can authenticate the message by signature. In addition, knowledge of the public key does not allow forging the signature. Such authentication schemes are called asymmetric.

    Regardless of the algorithm used, the digital signature scheme includes two procedures: a signature generation procedure and a verification procedure, the essential feature of which is the following. When performing the signature generation procedure, a secret key is used, known only to the person performing this procedure. When performing the verification procedure, a public key is used. Only in this case, the arbitrator, when resolving the dispute, can make sure that it was the one who owns the corresponding key who made this signature.

    The main area of application of a digital signature is information systems in which there is no mutual trust between the parties (financial systems, systems for monitoring compliance with international treaties, for example the nuclear test control treaty, etc.). It is possible to use digital signature schemes to create an “electronic notary” to ensure copyright protection for software products. The digital signature has the following properties:

    1. Each person uses his own secret unique key to sign documents.

    2. Any attempt to sign a document without knowing the corresponding secret key is practically unsuccessful.

    3. The digital signature of a document is a function of the content of this document and the secret key. The digital signature can be transmitted separately from the document.

    4. A copy of a digitally signed document does not differ from its original (there is no problem of signing each copy).

    Methods for constructing a digital signature

    The RSA algorithm is most often used to build a digital signature scheme. The RSA-based scheme is as follows. Suppose user A wants to send an unencrypted message X to user B, having signed it. To do so, using the secret key d, A calculates the signature

    and sends the pair (X, y). Recipient B, who holds the corresponding public key, on receiving (X, y) checks the equality

    and compares the result of this calculation with X. If they match, the received message is considered genuine. The length of the signature in this case equals the length of the message, which is not always convenient.
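    The RSA scheme described above, worked through as an added example (not code from the original text): a signature y = X^d mod n is produced per message block with the secret key d, and the recipient recomputes y^e mod n and compares it with X. The demo primes, the message and the block splitting are constructed for this example; the final functions also show the alternative mentioned next, signing a short check value instead of the whole message.

```python
"""Textbook RSA signature as described on this page: y = X^d mod n, checked by
comparing y^e mod n with X.

Added example, not from the page. The demo primes are small constructed values
so the arithmetic is easy to follow; the message is split into fixed-size blocks
so that every block X is smaller than the modulus n.
"""
import hashlib

# Constructed demo key: two known primes (the 10,000th and the 100,000th prime).
P, Q = 104729, 1299709
N = P * Q                            # public modulus n
E = 65537                            # public exponent e, coprime with (P-1)(Q-1)
D = pow(E, -1, (P - 1) * (Q - 1))    # secret exponent d (Python 3.8+)

BLOCK = (N.bit_length() - 1) // 8    # bytes per block, guarantees X < N


def sign_block(x: int, d: int = D, n: int = N) -> int:
    """Sender A computes the signature y = X^d mod n with the secret key d."""
    if not 0 <= x < n:
        raise ValueError("message block must be smaller than the modulus")
    return pow(x, d, n)


def verify_block(x: int, y: int, e: int = E, n: int = N) -> bool:
    """Recipient B computes y^e mod n with the public key and compares it with X."""
    return pow(y, e, n) == x


def to_blocks(msg: bytes) -> list[int]:
    """Split a byte string into integers, each smaller than n."""
    return [int.from_bytes(msg[i:i + BLOCK], "big")
            for i in range(0, len(msg), BLOCK)]


def sign_message(msg: bytes) -> list[int]:
    """Sign every block: the signature has exactly as many blocks as the message,
    which is the 'signature length equals message length' drawback noted above."""
    return [sign_block(x) for x in to_blocks(msg)]


def verify_message(msg: bytes, sig: list[int]) -> bool:
    """Genuine only if every block of the received message matches its signature."""
    blocks = to_blocks(msg)
    return len(blocks) == len(sig) and all(
        verify_block(x, y) for x, y in zip(blocks, sig))


def control_combination(msg: bytes, n: int = N) -> int:
    """Toy check value ('one-way compression'): SHA-256 of the message reduced
    mod n so that the small demo key can sign it. Real schemes use a modulus far
    larger than the digest together with a padding scheme such as PKCS#1."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign_digest(msg: bytes) -> int:
    """One short signature over the check value instead of one per block."""
    return sign_block(control_combination(msg))


def verify_digest(msg: bytes, y: int) -> bool:
    """Recompute the check value of the received message and verify it."""
    return verify_block(control_combination(msg), y)


if __name__ == "__main__":
    message = b"Pay 1000 units to account 42"      # constructed sample
    sig = sign_message(message)
    print("message blocks:", len(to_blocks(message)), "signature blocks:", len(sig))
    print("genuine message verifies:", verify_message(message, sig))
    print("tampered message verifies:",
          verify_message(b"Pay 9000 units to account 42", sig))
    print("digest signature verifies:", verify_digest(message, sign_digest(message)))
```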

    Other methods are based on forming a check value (control combination) for the message using classical cryptographic algorithms or so-called “one-way compression functions”.

    Examples of such methods are:

    1. The MAC (Message Authentication Code) method. A check value is produced from the document (message or file) as a keyed compression of the document with a secret key, based on a classical DES-type block algorithm.

    2. The MDC (Manipulation Detection Code) method. The method uses codes that detect tampering. The check value for the document is computed with a one-way (pseudo-random) compression function.

    Which method is considered the best is determined by specific operating conditions. For short messages such as payment orders or receipt confirmations, it is probably better to use the RSA algorithm. To control the integrity of large volumes of information, authentication methods based on block algorithms are preferable.

    Let's compare a digital signature with a regular signature. With the help of a regular signature you can always prove authorship, because:

    1. Each person has his own unique handwriting, which is characterized by a certain writing of letters, pressure on the pen, etc.

    2. An attempt to forge a signature is detected by graphological analysis.

    3. The signature and the document being signed are transmitted only together on one sheet of paper. There are no situations where a signature is transferred separately from a document. In this case, the signature does not depend on the content of the document on which it is affixed.

    4. Copies of a signed document are invalid if they do not have their real (and not copied) signature.

    Passwords are usually thought of as keys for logging into a system, but they are also used for other purposes: blocking writes to a disk drive, in data-encryption commands, that is, in all cases where firm confidence is required that the corresponding actions will be performed only by the legitimate owners or users of the software.

    Passwords in use can be divided into seven main groups:

    • user-defined passwords;
    • system-generated passwords;
    • random access codes generated by the system;
    • half-words;
    • key phrases;
    • interactive question-answer sequences;
    • “strong” passwords.

    The first group is the most common. Most of these passwords are of the “choose your own” type. For better protection against unauthorized access a fairly long password must be used, so the system usually asks for a password containing at least four to five letters. There are other measures as well to prevent the user from creating a bad password. For example, the system may insist that the password include lowercase and uppercase letters mixed with digits, and obvious passwords such as internet are rejected. Many programs exist for different operating systems that examine the files containing passwords, analyze the users' passwords and determine how secret they are; unsuitable passwords are replaced.

    When a person boots up a computer for the first time and it asks for a password, the password will probably turn out to be a variation on one of the themes common and topical for everyone, especially if the user is short of time. Imagine the state of a person who is asked to come up with a secret password of his own. Be that as it may, as soon as the prompt appears on the screen, the person is struck by the thought that something must be done immediately. Apart from geniuses and hopeless idiots, all people think and act roughly the same when it comes to quick decisions. It takes them time to start thinking creatively, so the initial assumptions and first conclusions within certain groups of people turn out to be the same, and users give out the first thing that comes to mind: what they see or hear at the moment, or what they are going to do immediately after booting. In such a situation the password is created in a hurry, and it is rarely replaced later with a more secure one. Thus, many user-created passwords can be discovered quite quickly.

    Random passwords and codes set by the system can be of several varieties. The system software can use a completely random sequence of characters, down to a random choice of letter case, digits, punctuation and length, or it can apply restrictions in the generation procedure. Computer-generated passwords can also be drawn at random from a list of ordinary or meaningless words created by the program's authors, which form passwords like onah.foopn or ocar-back-treen.

    Half-words are created partly by the user and partly by some random process. This means that even if the user comes up with an easy-to-guess password, for example “paragraph”, the computer adds some confusion to it, producing a more complex password such as “paragraph, 3yu37”.

    Key phrases are good because they are long and hard to guess, yet easy to remember. Phrases can be meaningful, such as “we were concerned about this”, or meaningless, such as “fishing nose”. It should be noted that there is a gradual trend in programming towards wider use of key phrases. Closely related to the concept of the passphrase is the code acronym, which security experts rate as a short but perfectly secure form of password. For an acronym, the user takes an easy-to-remember sentence, phrase, line of verse, etc., and uses the first letter of each word as the password. For example, the acronyms for the two phrases above are “mboe” and “lrn”. Such innovations in password theory make electronic espionage much harder.

    Interactive question-answer sequences ask the user to answer several questions, usually of a personal nature: “What is your mother's maiden name?”, “What is your favorite color?”, etc. The computer stores the answers to many such questions. When the user logs in, the computer compares the answers received with the “correct” ones. Question-and-answer systems tend to interrupt the user every ten minutes, asking them to answer questions to confirm their right to use the system. Such passwords are now almost never used: the idea seemed good when it was invented, but the annoying interruption factor drove the method practically out of use.

    “Strong” passwords are usually used together with some external electronic or mechanical device. The computer, with a rather simple-minded cunning, offers several prompts, and the user must give suitable responses to them. This type of password is often found in one-time code systems. One-time codes are passwords that work only once. They are sometimes used to create a temporary account for guests, to demonstrate the system's capabilities to potential clients. They are also sometimes used when a user logs into the system for the first time: during the first session the user enters a password of his own and subsequently logs in only with it. One-time codes can also be applied when a valid user logs into the system for the first time; the user should then change the password to a more secret personal code. Where a group of people uses the system but secrecy must not be violated, a list of one-time codes is used: a given user enters the code corresponding to the time, date or day of the week.

    So, for a password to be truly secure, it must meet certain requirements:

    • be of a certain (sufficient) length;
    • include both uppercase and lowercase letters;
    • include one or more digits;
    • include at least one non-alphanumeric character (one that is neither a digit nor a letter).
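    The requirements just listed, checked in code as an added example (not from the original text), together with a generator for the “half-words” described earlier, so that a weak user-chosen word such as “paragraph” comes out satisfying the policy. The minimum length, the denylist of obvious passwords and the suffix alphabet and length are constructed assumptions.

```python
"""Password-policy check for the requirements listed above, plus a 'half-word'
generator of the kind described earlier on this page.

Added example, not from the page. The minimum length, the small denylist of
obvious passwords and the suffix alphabet/length are constructed assumptions.
"""
import secrets
import string

MIN_LENGTH = 6                                      # assumption: the page says "a certain length"
OBVIOUS = {"internet", "password", "qwerty", "123456"}   # constructed denylist
SPECIALS = string.punctuation                       # neither letters nor digits


def check_password(pw: str, min_length: int = MIN_LENGTH) -> list[str]:
    """Return the requirements the password fails; an empty list means it passes."""
    failures = []
    if len(pw) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        failures.append("must mix uppercase and lowercase letters")
    if not any(c.isdigit() for c in pw):
        failures.append("must contain at least one digit")
    if not any(c in SPECIALS for c in pw):
        failures.append("must contain at least one non-alphanumeric character")
    # Obvious words are rejected outright (the page's example is "internet"),
    # also when merely padded with trailing digits or punctuation.
    core = pw.lower().rstrip(string.digits + SPECIALS)
    if pw.lower() in OBVIOUS or core in OBVIOUS:
        failures.append("obvious password")
    return failures


def half_word(user_part: str, suffix_len: int = 5) -> str:
    """System appends a random suffix to the user's word, as in "paragraph, 3yu37".
    The suffix always carries an uppercase letter, a lowercase letter, a digit and
    a special character, so the result satisfies the policy above even when the
    user's part alone would not."""
    if suffix_len < 4:
        raise ValueError("suffix must have room for all four character classes")
    rng = secrets.SystemRandom()
    suffix = [rng.choice(string.ascii_uppercase), rng.choice(string.ascii_lowercase),
              rng.choice(string.digits), rng.choice(SPECIALS)]
    pool = string.ascii_letters + string.digits + SPECIALS
    suffix += [rng.choice(pool) for _ in range(suffix_len - 4)]
    rng.shuffle(suffix)
    return user_part + "".join(suffix)


if __name__ == "__main__":
    for candidate in ("internet", "Paragraph,3yu37", half_word("paragraph")):
        print(repr(candidate), "->", check_password(candidate) or "OK")
```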

    Electronic keys

    To combat software piracy, hardware-software protection is used alongside purely software protection. It is based on electronic devices connected either to the computer's internal bus or to its external connectors. If the reliability of protection is judged by the effort needed to “break” it, hardware-software protection is “stronger” than purely software protection.

    Indeed, to defeat such protection it is not enough to unravel the tricks in the program; the protocols and content of the exchange between the program and the additional hardware must also be reconstructed. This usually requires special equipment such as logic analyzers.

    An electronic key (dongle) is a compact device connected to the computer's parallel or serial port that does not interfere with the computer's interaction with external devices. The idea of protection with an electronic key is to build into the protected program a special algorithm for interacting with the key, so that the program cannot run without it. Each copy of the program is then supplied with an electronic key. Criteria for judging the quality of an electronic key: the key must be a function generator of some kind rather than merely a memory holding constants, and it must be built on a custom integrated circuit, which rules out reproducing it by legitimate means.

    Electronic keys can be used to solve the following tasks:

    • protection of programs from unauthorized distribution;
    • protection of data from disclosure of the information it contains;
    • protection of computers from unauthorized access.

    1. Programs are protected in two ways. The first method (let's call it manual) consists of the developer himself integrating fragments into his program that interact with the electronic key. The second method is based on automatic inclusion of key exchanges in the protected file. In this case, the special program supplied with the key automatically processes executable files in such a way that without the key they are inoperative. The advantage of automatic protection over manual protection is the almost zero labor intensity of this procedure. In addition, the automatic protection program is created by highly qualified specialists, which ensures its greater reliability.

    2. Data protection against disclosure of the information it contains is achieved through encryption. Quite effective encryption methods exist, such as the DES algorithm. However, the security of encryption can be no higher than the security of storing and transmitting the encryption key. With an electronic key, the encryption key does not need to be remembered or written down and, very importantly, does not need to be entered from the keyboard. Data stored on the computer can be decrypted only when the key is present. In addition, to increase reliability, the encryption/decryption program itself can be protected with the same key.

    3. Protecting a computer from unauthorized persons means loading the operating system only for authorized users and ensuring that each user has access only to the resources allocated to them, which may include logical drives, directories and individual files. Implementing such protection requires user identification, for which electronic keys can be used. Two approaches are possible.

    The first approach assumes that each authorized user has at his disposal a unique electronic key. User recognition is carried out without entering any passwords after connecting the key to the connector. In this case, it can be argued that the key to the user's secrets is kept in their pocket. But, if a computer is used in an organization, then the administration, as a rule, wants to have access to all files and control the work of all users. To do this, you must have at least two identical sets of keys, with one set kept by the head of the organization.

    The second approach reduces the cost of protection by using only one key for all users. The key is managed by the system administrator, appointed by the organization's management. The operating system can only be loaded when the dongle is connected. User identification is carried out by entering passwords.


    In Microsoft Access, data integrity refers to a system of rules that, when certain objects are changed, automatically change all objects related to them and protect related data against accidental deletion or modification.

    A list of values can be specified either as a fixed set of values entered by the user when the field is created, or as a list of values from a lookup table or query.

    An index is a Microsoft Access tool that speeds up searching and sorting in a table. The key field of a table is indexed automatically. Indexes cannot be created on MEMO, Hyperlink or OLE Object fields.

    A unique index is an index created by setting the field's Indexed property to “Yes (No Duplicates)”. It then becomes impossible to enter duplicate values into the indexed field. A unique index is created automatically for key fields.

    Regulations on measures to ensure information security

    General provisions

    The use of automated systems significantly increases the efficiency of an organization, while at the same time creating the preconditions for distortion and loss of information as a result of failures, malfunctions, erroneous or malicious actions of service personnel, unauthorized actions of third parties, and computer crimes.

    The use of network technologies in information processing brings the security problem to the forefront.

    This document defines the following security aspects:

    • restricting access to hardware;
    • compliance with workplace safety standards;
    • user access to network resources;
    • differentiation of rights at the application program level;
    • security when working with email;
    • security when working with the Internet;
    • information protection when working with electronic financial documents;
    • ensuring protection when transferring financial information.

    1. Hardware protection

    Computer equipment should be located in places that exclude the possibility of access by unauthorized persons without the knowledge of the organization's employees. Main servers should be located in separate server rooms, to which a limited number of employees of the organization’s automation service have access. The list of these employees must be approved by the authorized head of the organization.

    The network structure should minimize the likelihood of unauthorized connection to backbone cables and/or switching devices.

    To protect computers located outside an organization's controlled area, the following additional requirements must be met:

    • the computer case must be sealed;
    • the computer's BIOS settings must be protected by an administrator password;
    • the computer should start only after the user password is entered (this password is controlled by the BIOS);
    • the BIOS administrator and user passwords must be at least 6 characters long and must not match each other;
    • if the specifics of the user's work allow it, devices such as the CD drive, the floppy disk drive and USB ports should be blocked (disabled physically or through the appropriate BIOS settings).

    2. Compliance with safety standards in the workplace

    Each employee is required to ensure protection against unauthorized access to the information on his or her computer during working hours. At the workplaces of system users this is achieved by authentication when the computer's OS is loaded and by locking the keyboard when temporarily leaving the workplace.

    In departments of the organization, constant visual control of employees over the computers of temporarily absent colleagues must be ensured.

    When outputting information to a printing device, employees are required to monitor the printing process, and the printer should not be left unattended. All printed documents must be taken to your workplace. Paper documents, the need for further use of which has ceased, must be destroyed in the manner established by the organization, i.e. using appropriate equipment that excludes the possibility of restoring their contents.

    If a new program needs to be installed on a computer, the user must contact the Automation Department, which takes the appropriate action. Installing programs independently, as well as independently changing the settings of the computer, operating system and application programs or changing the computer's configuration, is not allowed. Each employee of the organization is responsible for the presence of third-party programs and other unofficial electronic information on their machine.

    When employees of an organization work with clients, it is advisable to exclude the possibility of clients viewing the contents of the monitor screen. This is achieved by the mutual position of the employee and the client being served “face to face” and the corresponding rotation of the monitor.

    Particular care must be taken when entering passwords: both network passwords and passwords used in application programs. It is prohibited to record or save information about user passwords in files.

    3. Protection at the local network level

    3.1. Registration of users on the network

    The local network access control system determines:

    • which users can work on the file server;
    • on what days and at what times users can work;
    • from which workstations users can work.

    Registration of a user account on the LAN Server is carried out by the Administrator based on an application signed by the head of the department in which the employee works.

    To control access to the organization's network, each user is assigned one unique identifier (network name), which is issued to him by the LAN Administrator upon registration, together with a temporary password for the initial connection to the network. On first connection, the access control system checks the temporary password and, if the check succeeds, prompts the user to change it to a permanent one. The password chosen by the user must be long enough to give reasonable resistance to brute force, typically 6 or more characters. Password validity should be limited, typically to one year or less.

    The application for user access to LAN resources is signed by the head of the department.

    When an employee is dismissed, suspended from work, or his job duties and functions change, his immediate supervisor is obliged to promptly notify the LAN administrator about this in writing. The administrator is obliged to immediately make appropriate changes in the account settings and/or in the set of user permissions (rights).

    Each LAN user may, at registration, be limited in the number of connections to each server; as a rule, one connection to each server needed for the user's work. As additional protection, network names can be bound to the MAC addresses of workstations.

    If it is necessary to temporarily transfer the powers of one LAN user to another, the head of the relevant department is obliged to promptly notify the LAN administrator about this in writing. The notice shall indicate the start date and date of cancellation of the delegation of authority from one user to another. The administrator is prohibited from delegating user powers at the verbal request of department heads and employees. It is not permitted to transfer the network name and/or password from one user to another.

    Applications for connecting users to network resources, for delegating authority and for disconnecting (blocking) users are kept by the administrator.

    The Administrator is obliged to immediately report to the head of the automation department about all attempts of unauthorized access to information on the LAN.

    The administrator must be able to quickly obtain a list of users, groups and the structure of their access to network resources.
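    The rules of section 3.1 (who may log on, on which days and at what times, from which workstations, one connection per server, a limited password validity period, blocking on dismissal) evaluated against a logon attempt, as an added example that is not part of the regulation. The account records, user names, MAC addresses and the 365-day limit (from “typically one year or less”) are constructed for this illustration.

```python
"""Logon check against the section 3.1 rules: which users may work, on which
days and at what times, from which workstations, how many connections per
server, and a limited password validity period.

Added example, not part of the regulation. Account records, user names and MAC
addresses are constructed; the 365-day limit follows "typically one year or less".
"""
from dataclasses import dataclass, field
from datetime import date, datetime, time

MAX_PASSWORD_AGE_DAYS = 365
WORKING_DAYS = {0, 1, 2, 3, 4}          # Monday..Friday (datetime.weekday numbering)


@dataclass
class Account:
    name: str
    password_set_on: date
    enabled: bool = True                               # False after dismissal/suspension
    allowed_weekdays: set[int] = field(default_factory=lambda: set(WORKING_DAYS))
    window: tuple[time, time] = (time(8, 0), time(18, 0))
    workstation_macs: set[str] = field(default_factory=set)   # empty set = not bound
    max_connections: int = 1                           # "as a rule, one connection"
    active_connections: int = 0

    def __post_init__(self) -> None:
        # Normalize MAC addresses so that case differences do not defeat the binding.
        self.workstation_macs = {m.lower() for m in self.workstation_macs}


def check_logon(acct: Account, when: datetime, mac: str) -> list[str]:
    """Return the rules this logon attempt violates; an empty list means allowed."""
    problems = []
    if not acct.enabled:
        problems.append("account disabled")
    if when.weekday() not in acct.allowed_weekdays:
        problems.append("logon not permitted on this day")
    start, end = acct.window
    if not start <= when.time() <= end:
        problems.append("logon outside permitted hours")
    if acct.workstation_macs and mac.lower() not in acct.workstation_macs:
        problems.append("workstation not registered for this user")
    if acct.active_connections >= acct.max_connections:
        problems.append("connection limit for this server reached")
    if (when.date() - acct.password_set_on).days > MAX_PASSWORD_AGE_DAYS:
        problems.append("password validity period expired")
    return problems


# Constructed sample accounts.
IVANOV = Account("ivanov", date(2024, 1, 10), workstation_macs={"00:11:22:33:44:55"})
DISMISSED = Account("petrov", date(2024, 1, 10), enabled=False)

if __name__ == "__main__":
    attempts = [
        (IVANOV, datetime(2024, 3, 5, 10, 30), "00:11:22:33:44:55"),   # Tuesday, ok
        (IVANOV, datetime(2024, 3, 9, 10, 30), "00:11:22:33:44:55"),   # Saturday
        (IVANOV, datetime(2024, 3, 5, 10, 30), "aa:bb:cc:dd:ee:ff"),   # other PC
        (IVANOV, datetime(2025, 2, 3, 10, 30), "00:11:22:33:44:55"),   # old password
        (DISMISSED, datetime(2024, 3, 5, 10, 30), "00:11:22:33:44:55"),
    ]
    for acct, when, mac in attempts:
        print(acct.name, when, mac, "->", check_logon(acct, when, mac) or "allowed")
```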

    3.2. Restricting access to network resources

    Access rights to particular databases and programs located on file servers are differentiated at the level of network drives and directories. If server DBMSs are used, their built-in mechanisms for user authentication and data protection should be used.

    To organize joint work with server resources and data exchange through the server, user groups are created (for example, by administrative division, by the applications used, by directories, etc.). Each group has access rights to certain resources; as a rule, the access rights of groups do not overlap.

    Each user, in accordance with his functional responsibilities, belongs to one or more user groups.

    There should be no general-use (shared) accounts on the servers, such as Guest.

    4. Differentiation of access rights at the application program level

    To work with the organization's systems, each user must have his own unique identifier and/or password. Depending on the operations performed, the user is given access to certain system components. At the same time, access is limited at the level of the functions used and the operations performed. At the lowest level, the groups of available accounts and the authority to work with these accounts are determined for performers.

    An application for user access to programs is signed by the head of the department and endorsed by the chief accountant of the organization.

    The functions of assigning user access rights to application systems are assigned to System and Program Administrators.

    5. Using a corporate email system

    Each user of the mail system must have his own unique identifier and password. The Postal System Administrator is responsible for connecting users to the system and carrying out the necessary maintenance work.

    It is prohibited to use the mail system to send messages that are not related to the work of the organization: personal correspondence, spam, etc.

    It is prohibited to send messages containing commercial or other kinds of secrets in the clear (not protected by cryptographic information protection tools, CIPF).

    When receiving messages containing attached files, the employee must ensure anti-virus control of these files before they are used in application programs.

    On a corporate mail server, it is advisable to use antispam and antivirus filters.

    6. Security measures when working with the Internet

    The main task when interacting with the Internet is to protect the internal network. The use of firewalls is mandatory, as is the physical separation of external network resources from the organization's internal network.

    Since the unification of the organization’s networks, branches and additional offices is carried out via VPN, built on the Internet, it is necessary to ensure reliable protection of the perimeter of the integrated network in each of the separate departments. This is achieved by using appropriate hardware and/or software: VPN routers, firewalls, and anti-virus software.

    The use of Internet access for personal or non-business purposes is prohibited.

    If there are signs of non-standard behavior or unstable operation of the computer when accessing the Internet, as well as signals of an infection attempt from the anti-virus system, you must immediately notify the organization’s LAN administrator about this.

    7. Protection when transmitting financial information

    When exchanging payment documents, cryptographic protection of the transmitted information must be used: encryption and an electronic digital signature (EDS). Only certified cryptographic protection products may be used.

    Employees responsible for creating key floppy disks for the cryptographic protection tools (security administrators) are appointed by order of the organization. All actions to generate and transfer keys must be recorded by the security administrators in special logs.

    8. Additional requirements for compliance with safety standards when operating the Client-Bank system

    Compliance with the security measures prescribed by the relevant documents of the authorized bodies is required to ensure security in an organization engaged in the technical support, distribution and operation of information protection programs of class “C”.

    Security measures must be observed when working in the “Client-Bank” system.

    Access to the room in which the computer that transmits and receives documents via “Client-Bank” is installed must be granted only to a limited circle of persons, listed in the relevant orders of the organization.

    Because the computer running the software that transmits and receives files from participants of the “Client-Bank” system is directly connected to external computer networks, it is necessary to:

    1. Take measures to ensure that it is impossible for an external user to log into the organization’s internal network from this computer.

    2. Encrypt or otherwise transform all confidential information stored on this computer, to prevent its unauthorized use.

    All operations and actions occurring in the “Client-Bank” system must be written to log files (journals).

    For quick recovery of the system, backup copies of it must be created daily and stored on another computer physically located on other premises of the organization.

    9. Ensuring the integrity and reliability of information

    As a preventive measure, the computer's hard disks should be scanned periodically with antivirus programs. Removable electronic storage media must be checked with an antivirus program when first inserted into the computer (and, for rewritable media, on every insertion).

    Backup of the basic information stored in electronic form on the organization's servers must be carried out daily. A copy of the operating databases as of the beginning of the day must be available.

    Archival information must be copied in duplicate onto long-term storage media ( CD-ROM, DVD-ROM, magneto-optical disks, etc.). Copies of archival information should be stored in separate storage facilities that ensure proper conditions for their maintenance and the impossibility of unauthorized access to them.


    Where does information security of enterprise computer networks begin? The theory talks about risk analysis, policy development and security system organization. And that's right. But before turning to theory, it is necessary to establish basic order and discipline in the information services of the enterprise.

    You must be able to clearly answer the questions:

    How many computers (communications, support equipment) are installed in your enterprise?

    How many are there now, at the moment, and not how many there were yesterday or a month ago; how many are at work, how many are under repair, how many are in reserve.

    Will you be able to recognize each computer by sight? Will you discover a hardware "masquerade" where some computer or part or software is tampered with so that what appears to be a workhorse piece of equipment is actually a Trojan horse?

    What tasks and for what purpose are solved on each computer? Are you sure that every piece of equipment you control is necessary and that there is nothing superfluous among it, installed, say, for beauty and waiting to be noticed by some hacker from among the young and daring employees? After all, if the equipment is of no use, from the point of view of information security, only harm can be expected from it. Here are a few more questions about equipment. What is the procedure for computer repair and technical maintenance?

    How is equipment returned from repair checked before being installed in a regular workplace? How are computers seized and transferred to departments and what is the procedure for commissioning new equipment?

    The list of questions goes on... Similar questions can be asked regarding software and personnel.

    In other words, information protection begins with formulating and resolving organizational issues. Those who have already had to deal in practice with information security in automated systems unanimously note the following feature: the genuine interest in information security shown by top-level managers gives way, at the level of the departments responsible for operating the organization's automated system, to sharp rejection. As a rule, the following arguments are given against carrying out work and taking measures to ensure information security:

    • the emergence of additional restrictions for end users and support specialists, making the organization's automated system harder to use and operate;

    • the need for additional expenditure, both on the work itself and on expanding the staff of specialists dealing with information security.

    Savings on information security can take various forms, the extremes of which are:

    • taking only organizational measures to ensure information security in the corporate network (CN);

    • using only additional technical means of information protection (TSZI).

    In the first case, as a rule, numerous instructions, orders and regulations are developed, designed at a critical moment to shift responsibility from the people issuing these documents to specific executors. Naturally, the requirements of such documents (in the absence of appropriate technical support) complicate the daily activities of the organization’s employees and, as a rule, are not met.

    In the second case, additional TSZI are purchased and installed. Using TSZI without the corresponding organizational support is also ineffective: without established rules for processing information in the CN, any TSZI only entrenches the existing disorder. Let us consider the set of organizational measures needed to implement information security in computer networks. On the one hand, these measures should ensure the correct functioning of the security mechanisms and should be carried out by the system security administrator. On the other hand, the management of the organization operating the automation tools must regulate the rules for automated processing of information, including the rules for its protection, and establish liability for violating these rules.

    Organizational measures include:

    One-time (once carried out and repeated only with a complete revision of the decisions taken) events;

    Measures taken when certain changes occur or occur in the protected system itself or in the external environment (if necessary);

    Events held periodically (after a certain time);

    Continuously carried out (continuously, or discretely at random moments) events.

    One-time events

    One-time events include:

    System-wide measures to create scientific, technical and methodological foundations (concepts and other guiding documents) for the protection of the CS;

    Activities carried out during the design, construction and equipment of computer centers and other facilities of the automated system (AS) (excluding the possibility of covert entry into premises, excluding the possibility of installing listening equipment, etc.);

    Activities carried out during the design, development and commissioning of hardware and software (verification and certification of the hardware and software used, documentation, etc.);

    Carrying out special inspections of all computer equipment used in the computer system and taking measures to protect information from leakage through the channels of side electromagnetic radiation and interference;

    Development and approval of the functional responsibilities of computer security service officials;

    Making the necessary changes and additions to all organizational and administrative documents (regulations on departments, functional responsibilities of officials, instructions for system users, etc.) on issues of ensuring the security of software and information resources of the CS and actions in the event of crisis situations;

    Preparation of legal documents (in the form of contracts, orders and instructions from the management of the organization) on the regulation of relations with users (clients) working in the automated system, between participants in information exchange and a third party (arbitration, arbitration court) on the rules for resolving disputes related to the use of electronic signature;

    Determining the procedure for assigning, changing, approving and granting specific officials the necessary powers to access system resources;

    Measures to create a CS protection system and create infrastructure;

    Activities to develop rules for managing access to system resources (defining a list of tasks solved by structural divisions of the organization using the CS, as well as the data processing and access modes used in solving them; defining a list of files and databases containing information constituting commercial and official secrets, as well as requirements for the levels of their protection from unauthorized access during transmission, storage and processing in the CS; identification of the most likely threats to the given CS; identification of vulnerabilities in the information processing process and access channels; assessment of possible damage caused by a violation of information security; development of adequate protection requirements in the main areas of protection);

    Organization of reliable access control;

    Determining the procedure for accounting, issuing, using and storing removable magnetic storage media containing reference and backup copies of programs and information arrays, archival data, etc.;

    Organization of accounting, storage, use and destruction of documents and media with classified information;

    Determining the procedure for designing, developing, debugging, modifying, purchasing, special research, commissioning, storing and monitoring the integrity of software products, as well as the procedure for updating versions of used programs and installing new system and application programs at workstations of a protected system (who has the right to authorize such actions, who implements them, who controls them and what they should do);

    Creation of computer security departments (services) or, in the case of small organizations and divisions, the appointment of non-staff responsible persons who exercise unified management, organization and control over compliance by all categories of officials with the requirements for ensuring the security of software and information resources of an automated information processing system;

    Determining the list of necessary regularly carried out preventive measures and operational actions of personnel to ensure continuous operation and restoration of the AS computing process in critical situations arising as a result of abnormal situations, faults and failures of computer equipment, errors in programs and personnel actions, and natural disasters.
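    One of the one-time measures above is establishing a procedure for monitoring the integrity of software products. The following is an added example, not part of the original text, of the technical side of that control: an approved baseline of file digests is recorded once (when the software is commissioned) and later compared against the installed tree, so that modified, removed and unapproved files are reported. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Integrity baseline for an approved software installation.

Added illustration of the "monitoring the integrity of software products"
control; not code from the original text. The tree it checks is constructed
inline so the example runs offline.
"""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record the digest of every regular file under root, keyed by its
    path relative to root, so the manifest does not depend on where the
    software is installed."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = file_digest(p)
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree with the approved baseline and report
    every deviation: changed files, files that disappeared, and files
    that were added without going through the approval procedure."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: approve a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"approved build v1")
        (root / "app.conf").write_text("mode=secure\n")
        baseline = build_baseline(root)          # taken at commissioning
        # Unauthorised changes made after approval (constructed):
        (root / "bin" / "app").write_bytes(b"patched build")   # modified
        (root / "app.conf").unlink()                           # removed
        (root / "bin" / "helper").write_bytes(b"unknown binary")  # added
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

    The baseline manifest must itself be kept where the monitored system cannot rewrite it (signed, or stored on read-only media held by the security service), otherwise an intruder who can change a program can change its recorded digest as well. Deviations reported by the check are the trigger for the "who controls and what they should do" part of the procedure, not a verdict by themselves: a planned update will also show up as "modified" until the baseline is re-approved.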

    Periodically held events

    Periodically held events include:

    Distribution of access control details (passwords, encryption keys, etc.);

    Analysis of system logs and taking action on detected violations of operating rules;

    Measures to revise the rules for limiting user access to information in the organization;

    Periodic analysis, with the involvement of third-party specialists, of the state and effectiveness of the measures and protective equipment used; based on the information obtained from such analysis, taking the necessary measures to improve the protection system;

    Measures to review the composition and construction of the protection system.
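    The periodic analysis of system logs listed above is only meaningful against the access rules established as a one-time measure (which accounts may use which resources, and under what modes). The following is an added example, not part of the original text, of such a review: a small table of constructed access rules is applied to constructed log records, and each record that contradicts the rules (access by an account not authorised for the resource, interactive access outside working hours, repeated failed attempts) is reported as a finding for the security service to act on. The rule table, user names, resource names and log lines are all constructed.

```python
"""Periodic review of access logs against the organisation's access rules.

Added illustration of the "analysis of system logs, taking action on
detected violations of operating rules" measure; not code from the
original text. Rules and log records are constructed.
"""
from collections import Counter
from datetime import datetime

# Constructed access rules: which accounts may use which resource.
ACCESS_RULES = {
    "hr_db":      {"ivanov", "petrova"},
    "finance_db": {"petrova"},
    "src_repo":   {"sidorov", "ivanov"},
}
WORK_HOURS = range(8, 20)      # interactive access permitted 08:00-19:59
FAILED_LOGIN_LIMIT = 3         # repeated failures worth reporting

# Constructed sample log: timestamp, account, resource, result per line.
SAMPLE_LOG = """\
2024-05-06T09:12:41 user=ivanov resource=hr_db result=ok
2024-05-06T09:15:02 user=petrova resource=finance_db result=ok
2024-05-06T10:03:17 user=sidorov resource=finance_db result=ok
2024-05-06T23:41:55 user=ivanov resource=src_repo result=ok
2024-05-06T11:20:00 user=guest resource=hr_db result=fail
2024-05-06T11:20:09 user=guest resource=hr_db result=fail
2024-05-06T11:20:15 user=guest resource=hr_db result=fail
2024-05-06T14:00:00 user=sidorov resource=src_repo result=ok
"""


def parse_line(line: str) -> dict:
    """Split one 'ts key=value ...' record into a dict; 'time' is a datetime."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["time"] = datetime.fromisoformat(ts)
    return rec


def review_log(text: str, rules=ACCESS_RULES, hours=WORK_HOURS,
               limit=FAILED_LOGIN_LIMIT) -> list:
    """Return (kind, user, detail, when) findings for every rule violation."""
    findings = []
    failures = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, res, when = rec["user"], rec["resource"], rec["time"]
        if rec["result"] != "ok":
            failures[user] += 1            # counted, reported after the pass
            continue
        # A successful access by an account the rules do not list for that
        # resource (or to a resource with no rules at all) is a violation.
        if user not in rules.get(res, set()):
            findings.append(("unauthorised_access", user, res, when.isoformat()))
        # Successful access outside the permitted hours is reported even for
        # an authorised account: the mode of access is part of the rules too.
        if when.hour not in hours:
            findings.append(("outside_hours", user, res, when.isoformat()))
    for user, n in failures.items():
        if n >= limit:
            findings.append(("repeated_failures", user, str(n), ""))
    return findings


if __name__ == "__main__":
    for kind, user, detail, when in review_log(SAMPLE_LOG):
        print(f"{kind:20} {user:10} {detail:12} {when}")
```

    On the constructed log the review reports three findings: sidorov's successful access to finance_db (not in the rules), ivanov's access to src_repo at 23:41 (authorised account, but outside working hours), and three failed attempts by the unlisted account guest. The point of keeping the rules in a separate table is that the review stays valid after the "measures to revise the rules for limiting user access" listed above: only the table changes, not the analysis.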

    Events carried out as necessary

    Activities carried out as necessary include:

    Activities carried out during changes in system personnel;

    Activities carried out during repairs and modifications of equipment and software (strict authorization, review and approval of all changes, checking them for compliance with security requirements, documenting changes, etc.);

    Activities for the selection and placement of personnel (checking those hired, training in the rules of working with information, familiarization with measures of responsibility for violating security rules, training, creating conditions under which it would be unprofitable for personnel to violate their duties, etc.).

    Continuously carried out events

    Continuously carried out events include:

    Measures to ensure a sufficient level of physical protection of all components of the CS (fire protection, security of premises, access control, ensuring the safety and physical integrity of equipment, storage media, etc.).

    Measures for continuous support of the functioning and management of the protection means used;

    Explicit and hidden control over the work of system personnel;

    Monitoring the implementation of selected protection measures during the design, development, commissioning and operation of the AS;

    Constantly (with the help of the security department) and periodically (with the involvement of third-party specialists) carried out analysis of the state and assessment of the effectiveness of the measures and protective equipment used.

    Having somewhat detailed the methodology for constructing information security systems in relation to the corporate network, and also taking into account the above regarding possible threats to the network and the available methods of combating them, the algorithm for constructing an information security system for the corporate network can be presented as follows.

    The entire protected object has several directions of possible attacks. For each type of attack, there are corresponding ways and means to combat them. Having determined the main methods of struggle, we will thereby formulate an information security policy. By selecting a set of information security tools in accordance with the established policy and combining them with a management system, we will actually obtain an information protection system.

    Threats at the corporate network level are analyzed in a similar way. The corporate network can be represented by three main components - technical support, information support and software. Each of these components can be further detailed to a degree sufficient to formulate the main threats at this level and possible ways to combat them.

    The choice of specific methods and means of protecting information at the network level likewise results in a corresponding policy and information security system, which organically merge into the general policy and information security system of the entire facility (see the "Probable threats" diagrams below).