
    Information security violations. Internet and security of the corporate information space

    Survey results

    M.S. Savelyev
    Deputy Marketing Director
    "Informzashita" company

    An effective strategy for protecting the corporate information system (IS) requires not only the will to secure the company's network comprehensively, but also an analysis of the current state of affairs in this area and an assessment of what has actually been done to analyse existing risks and prevent violations. The results of a study conducted by the magazine "Information Security" may be useful for examining a company's information security problems.

    The results of this survey eloquently indicate that the main threat to the security of the corporate information space comes from within the company.

    "Hygiene" of the company's information system

    Almost none of the respondents has experienced a significant breach of the company's information security by external attackers (Fig. 1). Half of the respondents state that, as far as they remember, there have been no attempts to penetrate the corporate IS from outside. For a reliable conclusion, however, one more fact would have to be taken into account: whether the companies taking part in the survey have any means of detecting and preventing external attacks at all. That question was not asked.

    In everyday practice one quite often finds that, despite having security tools in their arsenal, the information security departments of companies and organisations are unable to use them successfully. The pattern of answers to the question "How developed is the management of the information security system?" (Fig. 2) is an indirect confirmation: even such a "hygienic" protection as an antivirus is used ineffectively. In almost a fifth of respondents' companies, automatic updating of anti-virus databases is not configured; the matter is left to the users. From this it is quite clear that the management and IT specialists of the responding companies may simply not know what events are taking place in their systems. Modern threats, bots for example, can be detected only by subtle signs, which in practice means only by analysing the output of carefully configured security tools.

    The most dangerous offender is the user

    Contrary to the widespread assertions of 2006 about the enormous danger posed by insiders, the magazine's survey showed that the majority of incidents in the actual experience of information security professionals are unintentional actions of users (Fig. 3). In practice, users violate the organisation's rules for using the corporate IS by non-maliciously committing one action or another (Fig. 4). Characteristically, the rules of conduct for company employees in the field of information security are prudently described (Fig. 2) in the information security policy, in employees' job responsibilities and in other documents. Despite the presence of special instructions and documents on information security in their companies, as attested by the survey participants, many security violations occur because users are unaware of them.

    Is this because the requirements of the information security documents are not communicated to employees? Answering the question "How do employees in your company learn about their responsibilities in the field of information security compliance?" (Fig. 5), 15% of respondents said that such requirements exist only on paper and employees are not informed about them in any way. Regular information security training is carried out in only a fifth of the surveyed companies. In the overwhelming majority of cases, information security specialists somewhat arrogantly believe that employees must somehow master the contents of the security regulations on their own. I dare say that even familiarisation "against signature" has no effect: we are all used to formally signing safety instructions without going into their substance. Often they do without even that.

    Chasing three rabbits

    What do 10% of detected violations mean for us? Judging by the even spread of answers to the question "Describe the importance of corporate information" (Fig. 6), few information security specialists really understand the essence of the business they are protecting. The question itself is admittedly put rather bluntly, but in practice one quite often finds that, in chasing three rabbits at once (integrity, confidentiality and availability), many are ready to catch not what is critical but "whichever is easier to catch". Sometimes such attempts lose touch with common sense: at some point all the security effort goes into restricting the use of USB drives, while email, faxes, printers and other channels that let information leave the organisation are not controlled at all. The problems of restoring information and system operation after a failure are generally ignored. Yet this is one of the main threats, if the answers to the question "Indicate the types of use of the company's information resources by employees in violation of established regimes in the past year" (Fig. 4) are to be believed.

    Is this misunderstanding the reason for the contradiction revealed by the survey: despite the enormous importance that company management attaches to security issues (Fig. 7), top managers are in no hurry to increase funding for information security and improve security systems (Fig. 8)?

    Security specialists "in their own juice"

    The study makes it quite obvious that many security specialists are "stewing in their own juice": answering the question "What information security management and audit measures has your company taken over the past year?" (Fig. 9), only 12.5% of respondents said they use the services and advice of professional security consultants. A little over 6% more turn to international standards and practices. The rest prefer to check reality only against their own experience and that of their colleagues. It should be especially noted that a significant share of respondents are confident that the number of information security incidents will only grow in future and that identifying them will become harder (Fig. 10). Many respondents, however, hope for a panacea, a magic wand in the form of some high-tech solution that will save them from the impending danger. It is gratifying that the main hopes are nonetheless placed on correctly building and managing the protection processes, which confirms the growing interest in adopted international security standards observed today: modern specialists consciously strive to apply the recommendations of the standards in their daily work.

    Consequences of an information security breach. Characteristics of the network hacking system. "Trojan horses" in pirated software. Security of an enterprise information system: features of the provision process and analysis of the causes of violations.


    Coursework

    Analysis of the causes of information security violations in the communication channel section (system for ensuring data exchange through the medium) in modern government information and communication systems.

    Content

    • Introduction
    • Network hacking system
    • Reasons for violation
    • Irresponsibility

    Introduction

    What is information security? Experts say that information security is the protection of information from accidental or intentional negative influences. The responsibilities of those responsible for information security include predicting and preventing attacks on information, as well as minimizing damage from them.

    Today, the computer plays a significant role in all areas of human activity. With the introduction of information technology into our lives, the volume of information in electronic form has also increased. Information has become easier to store, but keeping it safe has become more difficult. The document can be locked in a safe, and even if the safe is broken into, it takes a significant amount of time to rewrite the text. Information from electronic media can be stolen almost instantly. In a few seconds, attackers can copy or destroy the results of many years of activity. The advent of computer networks has made the task of information thieves even easier. Physical access to the storage medium is no longer a prerequisite.

    What are the consequences of an information security breach?

    The theft, substitution or destruction of information leads to serious economic losses. Stolen information may fall into the hands of competitors, valuable information may be destroyed or replaced, which will lead to material losses and damage to the company's reputation.

    In addition to economic damage, computer attacks also cause moral damage. As a result of hackers' actions, personal correspondence may become public knowledge. Various malware disrupt the operation of computers and create discomfort for their users.

    What are the most common causes of information security violations? Even in the age of hacker chaos, the main culprit remains the user. More than half of the cases of damage to information are the fault of a novice (the "teapot" of Russian slang) who, out of ignorance or carelessness, destroys data. In second place is damage from fire (about 15% of cases). Equipment failure causes an information security breach in another fifteen percent of cases. The share of damage from water and from computer attacks is insignificant compared with the above, around ten percent. However, the role of hackers is growing steadily, and security services cannot ignore them.

    Network hacking system

    Networks are used every day in corporations and organisations of all kinds; data and resources are shared everywhere. Security must of course be addressed when a network is planned, to avoid costs later on. Networks are typically organised on a client-server basis: users work from workstations and access a server that holds the bulk of the information and is therefore of greater interest from an attacker's point of view. Whatever the company's network belongs to, a bank, a ministry, a pharmacy or anything else, a break-in causes damage. And although break-ins often come from inside, that is, from a person who already has some access rights, it is instructive to look at a break-in from outside.

    Statistics show that network hacking is usually carried out by men aged 16 to 25 years. The reason for this is often the desire to prove oneself, to increase one’s skills in this area, or the desire to use network resources for one’s own purposes.

    Who gets broken into, and why? Providers, for free Internet access; small commercial companies, for fun; banks, because it is prestigious and often physically impossible (there may simply be no cable to the outside); and many others. Hackers often use scanner programs to identify machines that can be broken into, and then break into them. Intruders who select a target in advance must be far more experienced: their actions are dictated not by curiosity but by a specific task, possibly one involving a lot of money. Usually a great deal of information about the target machine is collected first (and not only over the network), but even then the likeliest first step is simply to break what is easiest.

    Typically, companies have Internet access:

    · WWW server;

    · mail;

    · Internet access for users.

    Typically, mail and WWW are kept on a separate server, and the rest of the computers on the network are separated from the world by a firewall, usually installed on the gateway. A good administrator naturally tries to prevent break-ins both from outside and from inside. In what follows we assume that the attacker wants to gain access to the internal network. Web servers are usually not broken into if packet filtering is set up correctly. A mail server is a more practical target, since mail has to be delivered onward and the mail program therefore has some access to the network. Besides mail, several other programs may interest an attacker:

    ftp (21), ssh (22), telnet (23), smtp (25), named (53),

    pop3 (110), imap (143), rsh (514), rlogin (513), lpd (515).

    Packets for SMTP, named and the portmapper can easily be filtered, reducing the risk of a break-in. Sometimes, however, the attacker's task is made easier by packet filtering that is organised incorrectly. This can happen because of network segmentation, routing that does not match the port filtering rules, several hostnames served by one machine, or dial-up modem access. The presence of DNS on the network can create unnecessary problems; it is much safer to use numerical addresses inside a company. Another weak spot is the finger service: it makes it quite easy to determine the type of operating system, for example by looking up the users root@host, bin@host or daemon@host.

    Bear in mind also that the addresses listed in the files hosts.equiv, .rhosts or .shosts are trusted when communicating with the machine, so a break-in from those addresses may be easier. Hackers commonly exploit this. To secure your network, make sure the trusted hosts are protected at least as well as the machine that trusts them.

    Another danger is that users install pirated software on their machines. Such programs may contain Trojan horses of various kinds disguised as a screensaver, an add-on or something else. This usually happens on Windows machines, where anyone can install programs. Such Trojans perform a simple task and then delete themselves. They can send out addresses or the contents of server system files needed to enter the network, for example passwd.

    Naturally, intruders have to protect themselves. For that, first of all, they need to hide their IP address. There are several simple ways to do this:

    · use an intermediate address via telnet or rsh;

    · use a WinGate proxy on a Windows machine;

    · use an incorrectly configured proxy server.

    Before breaking, the attacker will collect information about the network. It will try to find out the addresses of machines on the network, user names, and operating system type. Some of this can be learned quite legitimately by looking at files on a Web server, an FTP server, running the finger program, or simply trying to log into the server. After this, he will get an idea of ​​​​the network, the connection of computers, the presence of ports suitable for hacking, and much more.

    Next, an attempt will be made to recognize the machines that are used as the most trusted. It is possible that some of the information is stored separately and accessed through nfsd or mountd. For example, the /etc configuration and /usr/bin executable system files can be stored this way.

    Having gathered this kind of information, the attacker will scan the network for security holes. Programs such as ADMhack, mscan and nmap for Linux exist for this. They work best over a fast link. ADMhack requires root privileges to run; the others can start without them. The hacker need not be the administrator of the machine on which the scanner runs; he could have embedded it as a Trojan horse in some other program.

    ADMhack and mscan do something like this:

    · TCP port scanning;

    · obtaining information about RPC services launched via portmapper;

    · obtaining a list of exported directories via nfsd;

    · obtaining information about the presence of samba or netbios;

    · running finger to collect information about users;

    · checking CGI scripts;

    · checking for known remotely exploitable holes in the Sendmail, IMAP, POP3, rpc.statd and rpc.mountd daemons.
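    The first two items of that list, as an added example that is not part of the coursework and not the code of ADMhack, mscan or nmap: a minimal TCP connect() scanner over the service ports named earlier in the text, plus a banner grab of the kind finger-style reconnaissance relies on. So that it runs offline, the demo starts a fake POP3-style greeter on an ephemeral port of the local host and scans for it; the greeting text and the port-to-service map are constructed for the example.

```python
# Added example (not part of the coursework and not ADMhack/mscan/nmap code):
# a minimal TCP connect() scanner over the service ports listed in the text,
# plus a banner grab, run against a listener on the local host so it works
# offline.  Real scanners also do SYN scans, RPC enumeration and OS
# fingerprinting; this shows only the first thing an attacker learns after
# reconnaissance: which of the interesting ports answer at all.
import socket
import threading

# Service ports named in the text, keyed by port for a readable report.
INTERESTING_PORTS = {
    21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "named",
    110: "pop3", 143: "imap", 513: "rlogin", 514: "rsh", 515: "lpd",
}


def is_open(host, port, timeout=0.5):
    """True if a full TCP handshake to host:port completes (connect scan)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:          # refused, timed out, unreachable ...
            return False
        return True


def scan(host, ports, timeout=0.5):
    """Connect-scan the ports; return sorted [(port, service_name)] that accept."""
    return [(p, INTERESTING_PORTS.get(p, "unknown"))
            for p in sorted(set(ports)) if is_open(host, p, timeout)]


def grab_banner(host, port, timeout=1.0, nbytes=128):
    """Read the greeting many daemons (FTP, SMTP, POP3, SSH) send unprompted."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            return s.recv(nbytes).decode("ascii", "replace").strip()
        except OSError:
            return ""


def _serve(listener, banner):
    """Demo helper: answer every client with a fixed banner until closed."""
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:          # listener shut down
            return
        with conn:
            try:
                conn.sendall(banner)
            except OSError:      # scanner closed without reading; ignore
                pass


def demo():
    """Run a fake POP3-style greeter on an ephemeral port, then scan for it.
    Returns (ephemeral_port, open_ports, banner_text)."""
    banner = b"+OK POP3 server ready <constructed test greeting>\r\n"
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    port = listener.getsockname()[1]
    threading.Thread(target=_serve, args=(listener, banner), daemon=True).start()
    try:
        # The well-known ports are normally closed on a workstation, so only
        # the ephemeral one shows up; on a real host the list is the target map.
        hits = scan("127.0.0.1", list(INTERESTING_PORTS) + [port])
        text = grab_banner("127.0.0.1", port)
    finally:
        try:
            listener.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        listener.close()
    return port, hits, text


if __name__ == "__main__":
    print(demo())
```

    A connect scan completes the handshake and so is logged by the target, which is why the text's intruders hide behind an intermediate host first; the greeting read by grab_banner is the same kind of version leak that finger gives away.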

    If the information collected allows a way in through trusted addresses, that opportunity is usually taken. If there is no such path, the mail server is used to penetrate deeper into the network, with attempts at remote exploitation of Sendmail, IMAP, POP3 and RPC services such as statd, mountd and pcnfsd. Sometimes machines already broken into are used for this, since the exploit often has to be compiled on the same platform.

    After at least one of the techniques has passed and it has been possible to gain access, the attacker will carefully cover his tracks, clear records in files and install programs so that his presence will not be detected later.

    Typically this means installing doctored versions of programs and changing the dates and access rights of files. Even ftp can be used to download the new programs. Instead of carefully deleting traces of himself, the intruder may install new versions of ps and netstat that hide evidence of the break-in. Some crackers place a .rhosts file in the /usr/bin directory, the home directory of the bin user, so that bin can log in remotely via rsh or rlogin.

    Cleaning up the logs is essential to the intruder, and simply keeping a second copy of them on the same machine does not protect you. A nice trick is to send the log records to a printer, which makes editing them practically impossible. In any case, the intruder will move on only after the records have been cleaned. Whether he then attacks the whole network or just the main servers is largely a matter of taste, but if everything so far has gone more or less smoothly, rooting him out will be a laborious task.

    If the goal of hacking was to obtain information from the network, then we can admit that it is half achieved, since by hacking something like a mail server, it is much easier to gain access to the network. Most likely, further protection will not be better, and its hacking has already been rehearsed. However, there is still something to do - collect passwords, download information from protected machines, and the like. The burglar has also undoubtedly mastered these techniques.

    The most effective way to collect usernames and passwords is to install an "ethernet sniffer". The program sits on the network card, "sniffing" everything that passes over the network and picking out the packets that carry names and passwords. It is most effective on a computer in the same subnet as the machine to be broken into. Installing a sniffer under Windows is of course much easier. If it has to go on a UNIX machine, it will most likely be installed in the /usr/bin or /dev directory with the same date and time as the surrounding files.

    Typically, all program work is written to a file on the same machine, so there is no unnecessary sending of data. Since a modified ps program is usually installed in advance, the process is not visible. It works most efficiently when the network interface is in "promiscuous" mode. It is clear that all data passing through the network is eavesdropped, and not just those addressed to a given machine.

    After planting the sniffer, the intruder returns to the machine about a week later to download the files. He of course tries to hide the program's presence as thoroughly as possible, but it can still be detected, for example by scanning file systems for changed files; the Tripwire program can be used for this. Another program, cpm, reports network interfaces that are in promiscuous mode.
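    A Tripwire-style integrity check, as an added example that is not Tripwire's or cpm's code and not part of the coursework: it records mode, size, mtime and SHA-256 of every regular file under a root and diffs a later snapshot. The demo replays, inside a temporary directory, the two tricks described above (a same-size replacement ps with its timestamp put back, and a .rhosts dropped into /usr/bin); the file contents are stand-ins constructed for the example.

```python
# Added example (not Tripwire or cpm, and not from the coursework): a
# Tripwire-style integrity baseline.  It records mode, size, mtime and SHA-256
# for every regular file under a root, then diffs a later snapshot.  The demo
# replays the tricks described above (a trojaned ps with its timestamp put
# back, a stray .rhosts dropped into /usr/bin) inside a temporary directory.
import hashlib
import os
import stat
import tempfile

FIELDS = ("mode", "size", "mtime", "sha256")


def _digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> (mode, size, mtime_ns, sha256) for regular files."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue                     # symlinks/devices not covered here
            snap[os.path.relpath(full, root)] = (
                stat.S_IMODE(st.st_mode), st.st_size, st.st_mtime_ns, _digest(full))
    return snap


def compare(baseline, current):
    """Report added, removed and changed files; 'changed' lists which fields moved."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = []
    for rel in sorted(set(baseline) & set(current)):
        diffs = [f for f, a, b in zip(FIELDS, baseline[rel], current[rel]) if a != b]
        if diffs:
            changed.append((rel, diffs))
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Simulate the post-intrusion changes from the text and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "usr", "bin")
        os.makedirs(bindir)
        ps = os.path.join(bindir, "ps")
        with open(ps, "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/true\n")   # stand-in for the real binary
        os.chmod(ps, 0o755)
        baseline = snapshot(root)

        # Intruder installs a same-size replacement and restores the timestamp:
        # size, mode and mtime all look untouched; only the hash gives it away.
        st = os.stat(ps)
        with open(ps, "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/trUe\n")
        os.utime(ps, ns=(st.st_atime_ns, st.st_mtime_ns))
        # ... and drops a .rhosts into bin's home so `bin` can rsh in.
        with open(os.path.join(bindir, ".rhosts"), "w") as f:
            f.write("+ +\n")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

    The point of the demo is that a check based on dates and sizes alone is defeated by exactly the date tampering the text describes; the baseline itself must also live somewhere the intruder cannot edit (read-only media or another host), for the same reason the logs should go to a printer.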

    The next and most harmful stage of a break-in is the destruction of the servers that control the network. This serves both to cover tracks and to make the network work for the intruder. Not always, but quite often it is done with the command "rm -rf / &". Recovery depends entirely on the availability of backups. Another method is to alter the packet routing.

    All of the above, then, is the scheme of a break-in into a standard network. How can you protect yourself? First, install the system properly: set up routing carefully and remove everything unnecessary. If you take on administering a network, look at the fixes to the system, which are usually listed on the developer's website, especially those concerning security. Next check the simple things: the users bin, system, daemon and so on must not be able to log in, which should be reflected in the passwd file; all users must have passwords and change them regularly; you can forbid .rhosts files so that nothing ends up in them. All this is fairly banal.

    A less trivial, though by now very common, step is to install Secure Shell, a good and reliable tool. For anyone who does not know: with telnet the password is transmitted as is, which suits a sniffer perfectly, whereas with Secure Shell, which must be present on both connected machines, the session including the password is encrypted. Simple but nice, especially since the shell is free.

    You also need to go through your log files for signs of logins from strange addresses, repeated attempts to log in under someone else's name and much more. It does no harm to check important system files occasionally against a backup copy, say from the installation disk, and it is desirable to monitor the operation of the whole network. Know more about the installed programs, allow users less freedom and, in general, look after your household. A very useful thing is to make a backup, say, once a day. These simple tips will surely help, but you can go further: check the state of the file system, and print the log files to a printer.
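    The "simple things" from that checklist as an audit script, added here as an example that is not part of the coursework: it checks a passwd file for system accounts that can still log in, empty password fields and extra uid-0 accounts, flags wildcard trust in hosts.equiv/.rhosts-style files (the trust the text warns about earlier), and counts repeated failed logins per source address in auth-log lines. The passwd entries, the .rhosts file and the log lines are constructed samples; the log format assumed is the usual syslog line written by sshd.

```python
# Added example (not from the coursework): the "simple things" from the
# checklist above, as an audit script.  It checks a passwd file for system
# accounts that can still log in, empty password fields and extra uid-0
# accounts; flags wildcard trust in hosts.equiv/.rhosts-style files; and
# counts repeated failed logins per source address in auth-log lines.
# All inputs below are constructed samples, not real data.
import re
from collections import Counter, defaultdict

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}
SYSTEM_ACCOUNTS = {"bin", "daemon", "sys", "system", "adm", "lp", "nobody"}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
bin:x:2:2:bin:/usr/bin:/bin/sh
daemon:*:1:1:daemon:/:/sbin/nologin
guest::1001:1001:Guest:/home/guest:/bin/sh
toor:x:0:0:second root:/root:/bin/sh
"""

SAMPLE_RHOSTS = """\
trusted.example.com admin
+ +
"""

SAMPLE_AUTHLOG = """\
Jan  5 03:12:01 host sshd[412]: Failed password for root from 10.0.0.5 port 4022 ssh2
Jan  5 03:12:04 host sshd[412]: Failed password for invalid user admin from 10.0.0.5 port 4023 ssh2
Jan  5 03:12:09 host sshd[412]: Failed password for bin from 10.0.0.5 port 4024 ssh2
Jan  5 03:20:00 host sshd[420]: Accepted password for alice from 192.168.1.7 port 50000 ssh2
Jan  5 03:21:00 host sshd[421]: Failed password for alice from 192.168.1.7 port 50001 ssh2
"""


def audit_passwd(text):
    """Return [(lineno, user, problem)] for the checks the text recommends."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            findings.append((lineno, parts[0], "malformed entry"))
            continue
        name, pw, uid, _gid, _gecos, _home, shell = parts
        if pw == "":
            findings.append((lineno, name, "empty password field"))
        if name in SYSTEM_ACCOUNTS and shell not in NOLOGIN_SHELLS:
            findings.append((lineno, name, "system account with login shell " + shell))
        if uid == "0" and name != "root":
            findings.append((lineno, name, "extra uid 0 account"))
    return findings


def audit_rhosts(text):
    """Return [(lineno, line)] for entries that trust any host or any user ('+')."""
    return [(n, ln.strip()) for n, ln in enumerate(text.splitlines(), 1)
            if "+" in ln.split()]


FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+(?:\.\d+){3})")


def audit_authlog(text, threshold=3):
    """Return {ip: (failures, sorted users tried)} for ips at/above threshold."""
    counts, users = Counter(), defaultdict(set)
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            users[m.group(2)].add(m.group(1))
            counts[m.group(2)] += 1
    return {ip: (n, sorted(users[ip])) for ip, n in counts.items() if n >= threshold}


def demo():
    """Run all three audits over the constructed samples."""
    return (audit_passwd(SAMPLE_PASSWD), audit_rhosts(SAMPLE_RHOSTS),
            audit_authlog(SAMPLE_AUTHLOG))


if __name__ == "__main__":
    for section in demo():
        print(section)
```

    On a real host the same functions would be fed /etc/passwd, /etc/hosts.equiv plus every user's .rhosts, and /var/log/auth.log (or the secure log on other systems); the shadow file, not passwd, is where the empty-password check must look on modern systems, which is why the sample keeps the password field in passwd as the text's era did.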

    Reasons for violation

    The process of ensuring information security refers to operational processes and is included in the block of IT service support processes. A breach of the security of an enterprise information system can lead to a number of negative consequences affecting the quality of IT services:

    · reduced availability of services due to lack of access or low speed of access to data, applications or services;

    · complete or partial loss of data;

    · unauthorized modification of data;

    · gaining access by unauthorized users to confidential information.

    An analysis of the causes of information security violations shows that the main ones are the following:

    · configuration errors of software and hardware of the IS;

    · accidental or intentional actions of end users and IT service employees;

    · malfunctions in the operation of IS software and hardware;

    · malicious actions of persons outside the information system.

    Enterprise information security software can be divided into three large groups: anti-virus protection tools, firewalls and attack detection tools. Typically, these tools are used in combination, so they often talk not about specific products, but about security platforms that combine several solutions at once. However, the software itself can be completely useless without a proper security policy that defines the rules for PC, network and data use, as well as procedures for preventing violations of these rules and a plan for responding to such violations if they occur. We also note that when developing such a policy, an assessment of the risks associated with a particular activity is required, as well as consideration of the economic feasibility of choosing a security platform.

    When building the IT infrastructure of clients, the ESC company pays special attention to ensuring information security. Customer data and services are protected according to the latest industry standards. The main efforts of our specialists are aimed at guaranteeing the confidentiality, integrity and availability of data. Configured access audit policies allow you to have full control over who gets access to sensitive information and when. Generally accepted reliable systems and mechanisms serve as tools to provide our clients with the necessary level of protection.

    Among them:

    · control of user privileges and organization of security policies in Active Directory

    · use of HTTPS and other encrypted data transfer protocols

    · protecting access to the corporate network through the use of VPN servers

    · restriction and control of access to the network from the outside using software and hardware-software solutions (services are provided for setting up hardware routers from any manufacturer, as well as services for setting up software such as Kerio WinRoute Firewall, Outpost, WinGate, IPFW, IPTables, etc. )

    · protection against virus attacks by installing and configuring commercial and free anti-virus software both on client PCs and on servers, using special modules (anti-spam, mail, for gateways, etc.)

    · restriction and control of Internet access using proxy servers

    · use of protection against port scanning and ARP spoofing and a number of other network threats.

    In addition to information security measures, ESC provides its clients with reliable data security mechanisms. Organization of data backup, development of recovery procedures and storage rules allows our clients not to worry that data may be lost as a result of physical or software damage to the systems or equipment responsible for their storage.

    Three main causes of violations

    Today, three main causes of information security violations have been identified:

    · inexperience

    · irresponsibility (self-assertion)

    · selfish interest.

    Inexperience

    This motive is the most harmless, and, at the same time, widespread among new system users.

    Characteristics of inexperience are:

    · unintentional errors made by users when entering data. This type of violation is easily blocked by introducing into the interface of the software package with which the user works, internal rules for checking completed forms and a system for notifying the user about errors made;

    · misunderstanding by users of the rules for working on the network, and, as a result, failure to comply with these requirements. The fight against this type of violator consists of providing detailed instructions to the user and explaining to him the goals and policies of the company.

    · misunderstanding by users of security requirements when working with data, and, as a result, transfer to other users or third parties of their passwords for logging into the system.

    It is unlikely that security system designers could anticipate all such situations. Moreover, in many cases, the system cannot in principle prevent such violations (for example, accidentally destroying its own data set).

    Irresponsibility

    In violations caused by irresponsibility, the user deliberately performs some destructive action which is nevertheless not connected with malicious intent. Some users regard gaining access to system data sets as a major success, playing a sort of "user versus system" game for self-aggrandisement, either in their own eyes or in the eyes of their colleagues. Although the intent may be harmless, exploiting the resources of an automated system in this way is a violation of the security policy. Users with more serious intentions may find sensitive data and corrupt or destroy it in the process. Most systems have a number of means to counteract such "pranks", which the security administrator applies temporarily or permanently as necessary. This type of violation is called probing the system.

    Selfish interest

    This is the most dangerous type of violation. The fight against this type of violator involves conducting methodical checks of facility employees by various security services.

    Life shows that it is almost impossible to completely protect an object from penetration.

    Practice shows that the damage from each type of violation is inversely proportional to its frequency: violations caused by inexperience occur most often, but the damage from them is, as a rule, insignificant and can be easily compensated. For example, an accidentally destroyed data set can be restored if the error is immediately noticed. If the information is important, then it is necessary to keep a regularly updated backup copy, then the damage is almost invisible.

    The damage from probing the system can be much greater, but its probability is many times lower. Such actions require sufficiently high qualifications, excellent knowledge of the protection system and certain psychological characteristics. The most typical result of system probing is blocking: the user ultimately introduces the system into a state of insoluble contradiction. After this, operators and system programmers must spend a lot of time getting the system back up and running.

    The rarest, but also the most dangerous type of violation is penetration. A distinctive feature of penetrations is a specific goal: access (reading, modification, destruction) to certain information, influencing the performance of the system, monitoring the actions of other users, etc. To perform such actions, the intruder must have the same qualities as for probing the system, but superlative, and also have a precisely formulated goal. Due to these circumstances, damage from penetrations may be, in principle, irreparable. For example, for banks this may be a complete or partial modification of accounts with the destruction of the transaction log.

    Thus, when organizing an information security system, a certain differentiation of protection measures is necessary: ​​for protection against violations caused by negligence, minimal protection is needed, for protection against system probing - more stringent, and the most stringent (along with constant monitoring) - against intrusions. The purpose of such differentiation should be the rational distribution of information security means and computing resources of the system.

    In relation to possible violations, one should adhere to the principle of reasonable sufficiency, and sometimes the “golden mean”. For example, there is a possibility of a nuclear incident, but very few people seek to protect themselves by building bomb shelters, stocking up on food and water, since this probability is too low At the same time, every person strives to protect his apartment, car, savings - the likelihood of a threat being realized is significant, and the damage can be significant.

    The reasons that prompted the user to commit a violation or even a crime may be different. About 50% of violations are unintentional errors caused by negligence and lack of competence. But much more serious may be damage caused as a result of intentional influence due to resentment, dissatisfaction with one’s official or financial situation, or at the direction of other persons. Moreover, this damage will be greater the higher the user’s position in the service hierarchy. These are just some of the possible reasons that encourage users to violate the rules of working with the system.

    Offenders, classified by their motivation for computer crimes, fall into three categories:

    · pirates - mainly violate copyright by creating illegal versions of programs and data;

    · hackers (from the English hack - to chop, shred, break) - gain unauthorized access to the computers of other users and the files in them. However, they generally do not damage or copy files, content with the knowledge of their power over the systems;

    · crackers (from the English crack - to split, crack) - the most serious violators who allow themselves everything.

    Methods for preventing violations arise from the nature of the incentives themselves. This is, first of all, appropriate training of users, as well as maintaining a healthy socio-psychological climate in the team, recruiting personnel, timely detection of potential attackers and taking appropriate measures. The first of them is the task of the system administration, the second is the task of the psychologist and the entire team as a whole. Only in the case of a combination of these measures is it possible not to correct violations and not to investigate crimes, but to prevent their very cause.


    Classification of information security threats

    Natural threats:
    1. Natural disasters
    2. Magnetic storms
    3. Radiation and fallout

    Technical threats:
    1. Deviations or fluctuations in power supply and failures in other means of ensuring the functioning of the system
    2. Failures and malfunctions in the operation of IS hardware and software
    3. Electromagnetic radiation and interference
    4. Leaks through communication channels

    Human-made threats:
    1. Unintentional actions of:
       service personnel
       management personnel
       programmers
       users
       archival service
       security services
    2. Deliberate actions
    3. Hacker attacks


    This article makes an attempt to consider real threats to information security that may arise in modern conditions. It should be noted that the article does not pretend to be a “textbook on information security”, and everything stated in it is solely the opinion of the author.

    A traditional mistake of many managers of Russian companies is to underestimate or overestimate the threats to the information security of an enterprise. Often, they perceive IT security at best as one of the auxiliary measures to ensure security in general, and sometimes it is not given any significant role at all - they say that this is all the concern of system administrators. This option is typical primarily for small and partially for medium-sized companies. The second extreme – overestimation of the importance of IT security – is found mainly among large companies and is characterized by elevating a set of measures to ensure IT security to the rank of “hyperstrategy”, around which the main business strategy is built.

    It's no secret that in the modern world, business is more or less dependent on information technology. The advantages of using IT for business are obvious: the speed and ease of generation, distribution, manipulation and retrieval of heterogeneous information, organizing it according to various criteria, ease of storage, the ability to access from almost anywhere in the world... All these advantages require well-established support and maintenance, which, in turn, imposes certain requirements on the basic IT infrastructure. On the other hand, information systems often contain information the disclosure of which is extremely undesirable (for example, confidential information or information constituting a trade secret). Violation of the normal functioning of the infrastructure or gaining access to information located in the information system are threats to information security.

    Thus, threats to enterprise information security can be divided into several classes:

    • Availability threats
    • Integrity threats
    • Confidentiality threats

    Availability threats are threats associated with an increase in the time it takes to obtain particular information or an information service. An availability disruption is the creation of conditions under which access to a service or information is either blocked or possible only within a time that does not allow certain business goals to be met. Consider an example: if the server holding the information required for making a strategic decision fails, the availability property of that information is violated. A similar example: if the mail server is isolated for any reason (server failure, failure of communication channels, etc.), we can speak of a violation of the availability of the IT service “e-mail”. It is particularly noteworthy that the cause of a disruption in the availability of information or an information service does not necessarily lie within the responsibility of the owner of the service or information. In the mail server example above, the cause (failure of communication channels) may lie outside the area of responsibility of the server administrators (for example, failure of the main communication channels). It should also be noted that the concept of “availability” is subjective at each point in time for each of the subjects consuming the service or information at that moment. In particular, a disruption of mail server availability may, for one employee, mean the disruption of individual plans and the loss of a contract, and for another employee of the same organization only the inability to receive the latest news release.

    Integrity threats are threats associated with the likelihood of modification of certain information stored in the information system. Violation of integrity can be caused by various factors - from deliberate actions of personnel to equipment failure. Violation of integrity can be either intentional or unintentional (the cause of unintentional violation of integrity can be, for example, malfunctioning equipment).

    Confidentiality threats are threats associated with access to information outside the access privileges available to that particular subject. Such threats can arise as a result of the “human factor” (for example, accidental delegation to one or another user of the privileges of another user), software and hardware failures.

    The implementation of each of these threats individually or in combination leads to a violation of the information security of the enterprise.

    As a matter of fact, all measures to ensure information security should be based on the principle of minimizing these threats.

    All information security activities can be conditionally considered at two main levels: at the level of physical access to data and at the level of logical access to data, which are a consequence of administrative decisions (policies).

    At the level of physical access to data, mechanisms for protecting data from unauthorized access and mechanisms for protecting against damage to physical storage media are considered. Protection against unauthorized access involves placing server equipment with data in a separate room, to which only personnel with appropriate authority have access. At the same level, it is possible to create a geographically distributed system of servers as a means of protection. The level of protection against physical damage involves the organization of various kinds of specialized systems that prevent such processes. These include: server clusters and back-up (backup) servers. When working in a cluster (for example, two servers), in the event of a physical failure of one of them, the second will continue to work, thus the functionality of the computing system and data will not be impaired. With the additional organization of backup (back-up server), it is possible to quickly restore the computer system and data even if the second server in the cluster fails.

    The level of protection against logical access to data involves protection from unauthorized access to the system (hereinafter in the text, a system is understood as an IT system designed for generating, storing and processing data of any class - from simple accounting systems to ERP-class solutions) both at the database level and at the level of the system core and user forms. Protection at this level involves taking measures to prevent access to the database both from the Internet and from the organization’s local network (the latter aspect of security has traditionally received little attention, although it is directly related to such a phenomenon as industrial espionage). Protecting the system kernel involves, along with the measures outlined above, calculating checksums of critical parts of executable code and periodically auditing these checksums. This approach allows the overall level of system security to be increased. (It should be noted that this measure is not the only one; it is given as a good example.) Providing security at the level of user forms requires mandatory encryption of traffic transmitted over a local network (or over the Internet) between the client (user form) and the application (system kernel). Security at this level can also be ensured by calculating the checksums of these forms, followed by their verification, and by adopting the ideology of “separation of data and code.” For example, a system built using “thin client” technology has, from the point of view of ensuring security at this level, an advantage over a system built using “thick client” technology, since at the level of user forms it does not provide access to business logic code (for example, by disassembling the executable file).
    The same level of protection includes a certification mechanism, in which the authenticity of both parties to the exchange between the user form and the server, including the user form itself, is confirmed by a third participant in the exchange - a certification authority.

    Similarly, at the logical access protection level at the access database level, it is advisable to calculate checksums of critical tables and maintain a log of object access to the database. In an ideal case (“thin client”), only the server application (business logic server) has access to the database, and all other (third-party) requests to the database are blocked. Such an approach will eliminate several types of attacks and concentrate the database protection policy on ensuring security “at critical points.”
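The checksum-and-audit measure described above for critical executable code (and, in the same spirit, for critical database objects) can be implemented as a baseline of SHA-256 digests that a periodic audit compares against. The following is an added example, not code from the article; the directory layout and file contents are constructed for the demonstration.

```python
"""Added example: an integrity baseline of critical files with periodic audit.
Builds a SHA-256 digest per file under a root directory, then reports files
that were modified, went missing, or appeared unexpectedly since the baseline.
All sample files below are constructed for the example."""
import hashlib
import os
import tempfile


def file_digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map of path relative to root (with '/' separators) -> SHA-256 digest
    for every regular file below root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_digest(full)
    return baseline


def audit(root, baseline):
    """Compare the current state of root with a stored baseline.
    Returns sorted lists of 'modified', 'missing' and 'unexpected' paths."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: take a baseline, audit once (clean), then patch
    one file, delete one and drop in a new one, and audit again."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        sample = {
            "bin/core.so": b"\x7fELF constructed sample binary",
            "bin/forms.dll": b"MZ constructed sample forms module",
            "config.ini": b"[db]\nhost=localhost\n",
        }
        for rel, data in sample.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline = build_baseline(root)

        clean = audit(root, baseline)  # nothing changed yet

        # Simulate tampering between two audit runs.
        with open(os.path.join(root, "bin", "core.so"), "ab") as f:
            f.write(b" patched")                       # modified
        os.remove(os.path.join(root, "config.ini"))    # missing
        with open(os.path.join(root, "bin", "extra.so"), "wb") as f:
            f.write(b"dropped in")                     # unexpected
        tampered = audit(root, baseline)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean audit:", before)
    print("after tampering:", after)
```

In practice the baseline itself must be stored where the audited system cannot rewrite it (read-only media or a separate host), otherwise an attacker who modifies the code can re-baseline as well.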

    Protection at the level of administrative decisions includes administrative measures aimed at creating a clear and understandable policy regarding IT, IP, information security, etc. We can say that this level is primary in relation to the user - since it is protection at the level of administrative decisions that can prevent most critical situations related to information security.

    Two more important issues related to security should be considered - methods and means of user authentication and logging of events occurring in the IS.

    User authentication refers to the logical level of information security. The purpose of this procedure is, firstly, to inform the IS which user is working with it, so that it can provide that user with the appropriate rights and interfaces; secondly, to confirm the rights of this particular user in relation to the IS. Traditionally, the authentication procedure is reduced to the user entering a username (login) and password.

    Quite often, in mission-critical applications, the username/password entry form is an application running in a secure software (less often, hardware) tunnel that unconditionally encrypts all information transmitted over the network. Unfortunately, the most common situation is that the username and password are transmitted over the network in clear text (for example, most of the well-known free email systems on the Internet work on this principle). In addition to software means (entering a username/password combination), there are also software and hardware solutions for user authentication. These include copy-protected floppy disks and USB drives with a key file (quite often in combination with entering a regular name/password to confirm authority for critical actions); write-once USB drives with a key file; iris scanners; fingerprint scanners; systems of anthropology. One of the options for increasing the degree of IS protection is to limit the password validity period and the time the user may remain inactive in the IS. Password lifetime limitation is the issuance of a password that is valid only for a certain number of days - 30, 60, etc. Accordingly, with periodic password changes, the degree of security of the information system as a whole increases. Limiting user inactivity time involves automatically closing a user session if no user activity has been recorded in this session for a certain period of time.

    Logging of all events occurring in the information system is necessary to obtain a clear picture of attempts at unauthorized access or of unqualified actions of personnel in relation to the information system. A frequent situation is the introduction into the IS of specialized modules that analyze system events and prevent destructive actions in relation to the IS. Such modules can work on two premises: intrusion detection and prevention. In the first case, the modules statistically analyze typical user behavior and raise an “alarm” in case of noticeable deviations (for example, an operator working at 22:30 for the first time in two years is definitely suspicious); in the second case, based on an analysis of the current user session, they try to prevent potentially destructive actions (for example, an attempt to delete any information).
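The "operator at 22:30 for the first time in two years" rule above can be expressed as a per-user profile of login hours built from the event log, against which each new login is scored. This is an added example, not code from the article; the log line format and the history lines are constructed for the demonstration.

```python
"""Added example: behavioural baseline of login hours per user, flagging a
login at an hour the user has never (or almost never) worked before.
Log format (constructed for the example): '<ISO timestamp> LOGIN user=<name>'."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed history: two users, office-hours logins over one working week.
HISTORY = """\
2024-01-08T08:55:10 LOGIN user=ivanov
2024-01-08T09:02:41 LOGIN user=petrova
2024-01-09T09:01:07 LOGIN user=ivanov
2024-01-09T08:58:33 LOGIN user=petrova
2024-01-10T09:05:12 LOGIN user=ivanov
2024-01-10T13:10:00 LOGIN user=petrova
2024-01-11T08:59:45 LOGIN user=ivanov
2024-01-11T09:03:02 LOGIN user=petrova
2024-01-12T09:00:30 LOGIN user=ivanov
2024-01-12T07:40:00 LOGOUT user=ivanov
"""


def parse_logins(text):
    """Yield (user, datetime) for each LOGIN line; other events are ignored."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "LOGIN" or not parts[2].startswith("user="):
            continue
        yield parts[2][len("user="):], datetime.fromisoformat(parts[0])


def build_profile(text):
    """Per-user Counter of login hours (0-23) seen in the history."""
    profile = defaultdict(Counter)
    for user, ts in parse_logins(text):
        profile[user][ts.hour] += 1
    return profile


def score_login(profile, user, when, min_history=5, rare_share=0.05):
    """Return (alarm, reason) for a login of `user` at `when` (ISO string or
    datetime). Alarm when the user has enough history and the hour was never
    seen, or seen in under rare_share of logins. Users with too little
    history are not judged, to avoid alarms on every newcomer."""
    ts = datetime.fromisoformat(when) if isinstance(when, str) else when
    hours = profile.get(user)
    if not hours:
        return False, "unknown user, no baseline"
    total = sum(hours.values())
    if total < min_history:
        return False, "insufficient history (%d logins)" % total
    seen = hours.get(ts.hour, 0)
    if seen == 0:
        return True, "hour %02d never seen in %d logins" % (ts.hour, total)
    if seen / total < rare_share:
        return True, "hour %02d seen only %d/%d times" % (ts.hour, seen, total)
    return False, "hour %02d is typical (%d/%d)" % (ts.hour, seen, total)


if __name__ == "__main__":
    prof = build_profile(HISTORY)
    for user, when in [("ivanov", "2024-01-15T22:30:00"),
                       ("ivanov", "2024-01-15T09:00:00"),
                       ("petrova", "2024-01-15T22:30:00")]:
        print(user, when, score_login(prof, user, when))
```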

    Note:

    IS – information security

    IT – information technologies

    IS – information systems or information system (by context)


    Topic 2 - Information security threats

    The concepts of a threat, a security object and object vulnerabilities were introduced earlier. To fully represent the interaction between a threat and the protected object, we introduce the concepts of the source of the threat and the attack.

    Security threat to an object - a possible impact on the object that directly or indirectly may damage its security.

    Source of a threat - potential anthropogenic, man-made or natural sources of security threats.

    Object vulnerability - the reasons inherent in the object that lead to a violation of the security of information at the object.

    Attack - the possible consequences of a threat when the source of the threat acts through existing vulnerabilities. An attack is always a “source-vulnerability” pair that implements a threat and leads to damage.

    Figure 2.1

    Suppose a student goes to school every day and in doing so crosses the roadway in the wrong place. One day he is hit by a car and suffers damage: he becomes unable to work and cannot attend classes. Let's analyze this situation. The consequences are the losses the student suffered as a result of the accident. The threat is the car that hit the student. The vulnerability was that the student crossed the roadway at a place not intended for crossing. And the source of the threat was whatever force did not allow the driver to avoid hitting the student.

    With information it is not much more complicated. There are not so many threats to information security. A threat, as follows from the definition, is the danger of causing damage; that is, the definition establishes a strict connection between technical problems and the legal category of “damage”.

    Manifestations of possible damage may vary:

    Moral and material damage to the business reputation of the organization;

    Moral, physical or material damage associated with the disclosure of personal data of individuals;

    Material (financial) damage from disclosure of protected (confidential) information;

    Material (financial) damage from the need to restore damaged protected information resources;

    Material damage (losses) from the inability to fulfill assumed obligations to a third party;

    Moral and material damage from disruption of the organization’s activities;

    Material and moral damage from violation of international relations.

    Threats to information security are violations in ensuring:

    1. Confidentiality;

    2. Availability;

    3. Integrity.

    Confidentiality of information is the property of information to be known only to its authenticated legitimate owners or users.

    Confidentiality violations:

    Theft (copying) of information and means of processing it;

    Loss (unintentional loss, leakage) of information and means of processing it.

    Availability of information is the property of information to be accessible to its authenticated legitimate owners or users.

    Accessibility violations:

    Blocking information;

    Destruction of information and means of processing it.

    Information integrity - the property of information to remain unchanged in the semantic sense when exposed to accidental or intentional distortions or destructive influences.

    Violations in ensuring integrity:

    Modification (distortion) of information;

    Denial of the authenticity of information;

    Imposing false information.

    The carriers of information security threats are threat sources. Both subjects (persons) and objective phenomena can act as sources of threats. Moreover, sources of threats can be located both inside the protected organization (internal sources) and outside it (external sources).

    All sources of information security threats can be divided into three main groups:

    1. Caused by the actions of a subject (anthropogenic sources of threats).

    2. Caused by technical means (man-made sources of threats).

    3. Caused by natural sources.

    Anthropogenic sources of information security threats are subjects whose actions can be classified as intentional or accidental crimes. Only in this case can we talk about causing damage. This group is the most extensive and is of the greatest interest from the point of view of organizing protection, since the actions of a subject can always be assessed and predicted, and adequate measures taken. Methods of counteraction in this case are manageable and depend directly on the will of those organizing information security.

    An anthropogenic source of threats can be any subject who has access (authorized or unauthorized) to work with the standard means of the protected object. Subjects (sources) whose actions may lead to a violation of information security can be both external and internal. External sources may act accidentally or deliberately and have varying levels of expertise.

    Internal subjects (sources), as a rule, are highly qualified specialists in the development and operation of software and hardware, are familiar with the specifics of the tasks being solved, with the structure, basic functions and operating principles of software and hardware information security tools, and have the ability to use standard network equipment and technical means.

    It is also necessary to take into account that a special group of internal anthropogenic sources consists of persons with mental disorders and specially deployed and recruited agents, who may be from among the main, support and technical personnel, as well as representatives of the information security service. This group is considered as part of the sources of threats listed above, but the methods of countering threats for this group may have their own differences.

    The second group contains sources of threats determined by technocratic human activity and the development of civilization. However, the consequences caused by such activities are beyond human control and exist on their own. This class of sources of threats to information security is especially relevant in modern conditions, since in the current conditions experts expect a sharp increase in the number of man-made disasters caused by the physical and moral obsolescence of the equipment used, as well as the lack of material resources to update it. Technical means that are sources of potential threats to information security can also be external and internal.

    The third group of threat sources is united by circumstances that constitute force majeure, that is, circumstances that are objective and absolute in nature and apply to everyone. Force majeure in legislation and contractual practice includes natural disasters or other circumstances that cannot be foreseen or prevented, or that can be foreseen but cannot be prevented with the current level of human knowledge and capabilities. Such sources of threats are completely unpredictable, and therefore measures to protect against them must always be in place.

    Natural sources of potential threats to information security, as a rule, are external to the protected object and are understood, first of all, as natural disasters.

    The classification and list of threat sources are given in Table 2.1.

    Table 2.1 - Classification and list of sources of information security threats

    Anthropogenic sources
      External:
        Criminal structures
        Potential criminals and hackers
        Unfair partners
        Technical staff of telecommunications service providers
        Representatives of supervisory organizations and emergency services
        Representatives of law enforcement agencies
      Internal:
        Key personnel (users, programmers, developers)
        Information security representatives (administrators)
        Support staff (cleaners, security)
        Technical personnel (life support, operation)

    Technogenic sources
      External:
        Communications
        Utility networks (water supply, sewerage)
        Transport
      Internal:
        Poor-quality technical means of information processing
        Poor-quality information processing software
        Auxiliary equipment (security, alarm, telephony)
        Other technical means used in the institution

    Natural sources
      External:
        Fires
        Earthquakes
        Floods
        Hurricanes
        Magnetic storms
        Radioactive radiation
        Various contingencies
        Unexplained phenomena
        Other force majeure circumstances

    All threat sources have varying degrees of danger K_danger, which can be quantified by ranking them. In this case, the degree of danger is assessed using indirect indicators.

    The following can be selected as comparison criteria (indicators):

    Possibility of the source, K1 - determines the degree of access to the ability to exploit a vulnerability for anthropogenic sources, the distance from the vulnerability for man-made sources, or the features of the situation for random sources;

    Readiness of the source, K2 - determines the degree of qualification and the attractiveness of committing the act for anthropogenic sources, or the presence of the necessary conditions for man-made and natural sources;

    Fatality, K3 - determines the degree of unavoidability of the consequences of the threat.

    Each indicator is assessed by an expert-analytical method using a five-point scale, where 1 corresponds to the minimum degree of influence of the assessed indicator on the danger of the source and 5 to the maximum.

    The danger coefficient K_danger for a particular source can be defined as the ratio of the product of the above indicators to their maximum possible value (125):

    K_danger = (K1 × K2 × K3) / 125

    Threats, as possible dangers of some action directed against the object of protection, do not manifest themselves on their own, but only through vulnerabilities that lead to a violation of information security at a specific object of informatization.

    Vulnerabilities are inherent in the object of informatization, are inseparable from it, and are determined by shortcomings of the operating process, the architectural properties of automated systems, the exchange protocols and interfaces used by the software and hardware platform, the operating conditions and the location.

    Sources of threats can use vulnerabilities to violate the security of information, obtain illegal benefits (causing damage to the owner, possessor, user of information). In addition, non-malicious actions by threat sources to activate certain vulnerabilities that cause harm are possible.

    Each threat can be associated with different vulnerabilities. Elimination or significant mitigation of vulnerabilities affects the possibility of information security threats being realized.

    Information security vulnerabilities can be:

    Objective;

    Subjective;

    Random.

    Objective vulnerabilities depend on the design features and technical characteristics of the equipment used at the protected object. Complete elimination of these vulnerabilities is impossible, but they can be significantly weakened by technical and engineering methods of fending off threats to information security.

    Subjective vulnerabilities depend on the actions of employees and are mainly eliminated by organizational and hardware-software methods.

    Random vulnerabilities depend on the characteristics of the environment surrounding the protected object and unforeseen circumstances. These factors, as a rule, are little predictable and their elimination is possible only by carrying out a set of organizational, engineering and technical measures to counter threats to information security.

    The classification and list of information security vulnerabilities are given in Table 2.2.

    Table 2.2 - Classification and list of information security vulnerabilities

    Objective vulnerabilities
      Related to emissions of technical means:
        Electromagnetic:
          Spurious emissions from elements of technical equipment
          Cable lines of technical equipment
          Radiation at generator frequencies
          Radiation at self-excitation frequencies of amplifiers
        Electrical:
          Induction of electromagnetic radiation onto lines and conductors
          Leakage of signals into the power supply circuit and the ground circuit
          Uneven current consumption from the power supply
        Sound:
          Acoustic
          Vibroacoustic
      Activated:
        Hardware implants (bookmarks) installed:
          In telephone lines
          In the power supply
          Indoors
          In technical means
        Software implants (bookmarks):
          Malware
          Technological exits from programs
          Illegal copies of software
      Determined by the characteristics of the elements:
        Elements with electroacoustic transformations:
          Telephone sets
          Loudspeakers and microphones
          Inductors
          Chokes
          Transformers, etc.
        Elements exposed to electromagnetic fields:
          Magnetic media
          Microcircuits
          Nonlinear elements subject to RF interference
      Determined by the characteristics of the protected object:
        Object location:
          No controlled area
          Direct line of sight to objects
          Remote and mobile object elements
          Vibrating reflective surfaces
        Organization of information exchange channels:
          Use of radio channels
          Global information networks
          Leased channels

    Subjective vulnerabilities
      Errors (negligence):
        When preparing and using software:
          When developing algorithms and software
          When installing and loading software
          When using software
          When entering data (information)
          When setting up universal system services
          Self-learning (self-adjusting) complex systems
        When using technical equipment:
          When turning technical means on/off
          When using technical security means
        Incompetent actions:
          When configuring and managing a complex system
          When setting up software
          When organizing information flow management
          When setting up technical means
          When setting up standard software protection tools
        Unintentional actions:
          Damage (deletion) of software
          Damage (deletion) of data
          Damage (destruction) of storage media
          Damage to communication channels
      Violations:
        Of security and protection regimes:
          Access to the facility
          Access to technical means
          Confidentiality
        Of the operating mode of hardware and software:
          Energy supply
          Life support
          Installation of non-standard equipment
          Installation of non-standard software (games, educational, technological)
        Of information use:
          Processing and exchange of information
          Storage and destruction of storage media
          Destruction of production waste and defects
      Psychogenic:
        Psychological:
          Antagonistic relationships (envy, bitterness, resentment)
          Dissatisfaction with one's situation
          Dissatisfaction with the actions of management (discipline, dismissal)
          Psychological incompatibility
        Mental:
          Mental disorders
          Stressful situations
        Physiological:
          Physical condition (fatigue, pain)
          Psychosomatic condition

    Random vulnerabilities
      Failures and malfunctions:
        Failures and malfunctions of technical equipment:
          Information processing
          Ensuring the functionality of information processing facilities
          Providing security and access control
        Aging and demagnetization of storage media:
          Floppy disks and removable media
          Hard drives
          Microcircuit elements
          Cables and connecting lines
        Software glitches:
          Operating systems and DBMS
          Application programs
          Service programs
          Antivirus programs
        Power failures:
          Information processing equipment
          Support and auxiliary equipment

    Vulnerabilities differ in their degree of hazard, which can be expressed by a hazard coefficient K and quantified by ranking them.

    The following can be chosen as the comparison criteria:

    Fatality K4 - the degree to which the vulnerability makes the consequences of a threat unavoidable;

    Availability K5 - the possibility of the vulnerability being exploited by a threat source;

    Quantity K6 - the number of object elements that carry the given vulnerability.

    The hazard coefficient K of an individual vulnerability is defined as the ratio of the product of these three indicators to its maximum value, 125. Since 125 = 5 x 5 x 5, this corresponds to each indicator being scored on a scale from 1 to 5, so that K always lies between 1/125 and 1:

    K = (K4 x K5 x K6) / 125
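    The ranking scheme above, carried through in Python as an added example (this code is not part of the original text). It assumes that K4, K5 and K6 are integers on a scale from 1 to 5, which is the only reading under which 125 is the maximum product, rejects out-of-range scores instead of silently producing a coefficient above 1, and sorts a list of vulnerabilities by the resulting coefficient. The names are taken from the classification above; the ratings attached to them are constructed for illustration and are not from the source.

```python
from dataclasses import dataclass

# Each indicator is an integer from 1 to 5 (assumption: this is what makes
# 5 * 5 * 5 = 125 the maximum product and the normalizing denominator).
SCALE_MIN, SCALE_MAX = 1, 5
MAX_PRODUCT = SCALE_MAX ** 3  # 125, the denominator used in the text


@dataclass(frozen=True)
class Vulnerability:
    name: str
    fatality: int      # K4: how unavoidable the consequences of the threat are
    availability: int  # K5: how readily a threat source can exploit it
    quantity: int      # K6: how many object elements carry it

    def __post_init__(self):
        # Reject scores outside the scale: a K5 of 6 would otherwise yield a
        # coefficient above 1 and break the ranking's meaning.
        for label, value in (("K4", self.fatality),
                             ("K5", self.availability),
                             ("K6", self.quantity)):
            if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(
                    f"{label} for {self.name!r} must be an integer in "
                    f"[{SCALE_MIN}, {SCALE_MAX}], got {value!r}")


def hazard(v: Vulnerability) -> float:
    """Hazard coefficient K = (K4 * K5 * K6) / 125, in the range (0, 1]."""
    return (v.fatality * v.availability * v.quantity) / MAX_PRODUCT


def rank(vulns):
    """Vulnerabilities sorted by hazard, highest first; ties broken by name."""
    return sorted(vulns, key=lambda v: (-hazard(v), v.name))


def select(vulns, threshold: float):
    """Names of the vulnerabilities whose hazard is at or above the threshold."""
    return [v.name for v in rank(vulns) if hazard(v) >= threshold]


# Constructed sample ratings (hypothetical values, not from the source).
SAMPLE = [
    Vulnerability("Damage (deletion) of data", fatality=3, availability=5, quantity=4),
    Vulnerability("Installation of non-standard software", fatality=2, availability=4, quantity=3),
    Vulnerability("Power failure of information processing equipment", fatality=5, availability=2, quantity=1),
    Vulnerability("Failure of antivirus programs", fatality=5, availability=1, quantity=1),
]

if __name__ == "__main__":
    for v in rank(SAMPLE):
        print(f"K = {hazard(v):.3f}  {v.name}")
    print("Above 0.1:", select(SAMPLE, 0.1))
```

    Because the coefficient is a product, a single low score pulls the whole rank down: a vulnerability with catastrophic consequences (K4 = 5) that is hard to reach (K5 = 1) and present in one place (K6 = 1) ranks below a moderately damaging one that is easily exploitable and widespread, which is the behaviour the three criteria are meant to encode.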

    An information security intruder model is a set of assumptions about one or more possible violators of information security: their qualifications, their technical and material means, and so on.

    A properly designed intruder model is the basis for building an adequate information security system: the protection measures are chosen against the capabilities and goals that the model attributes to the intruder.

    Most often an informal intruder model is built, reflecting the causes and motives of the intruder's actions, his capabilities, his a priori knowledge, the goals he pursues and their priority for him, and the main ways of achieving those goals: the methods of implementing the threats he poses, the place and nature of his actions, possible tactics, and so on. To achieve his goals, the intruder must make a certain effort and expend certain resources.

    Once the main causes of violations have been identified, it becomes possible to influence them or, where necessary, to adjust the requirements for the protection system against this type of threat. When analyzing security violations, attention must be paid to the subject (the personality) of the violator: eliminating the causes or motives that prompted the violation helps to avoid a recurrence of a similar incident in the future.

    There need not be a single model; it is advisable to build several models for the different types of information security violators of the protected object.

    To build the intruder model, one uses information received from security services and analytical groups; data on the existing means of access to information and its processing, and on possible methods of intercepting data at the stages of its transmission, processing and storage; information on the situation in the team and at the protected site; information about competitors and the market situation; records of information security violations that have already occurred; and so on.

    In addition, the real operational and technical capabilities of an attacker to influence the protection system or the protected object are assessed. Technical capabilities here mean the list of technical means that an intruder may have available while carrying out actions directed against the information security system.

    Violators are divided into internal and external.

    Among internal violators, the following can be primarily identified:

    Direct users and operators of the information system, including managers at various levels;

    Administrators of computer networks and information security;

    Application and system programmers;

    Security officers;

    Technical personnel for building maintenance and computer equipment, from cleaners to service engineers;

    Support staff and temporary workers.

    Among the reasons that motivate employees to engage in unlawful actions are the following:

    Irresponsibility;

    User and administrator errors;

    Demonstration of one's superiority (self-affirmation);

    “Fight against the system”;

    Selfish interests of system users;

    Shortcomings of the information technologies used.

    The group of external violators may include:

    Clients;

    Invited visitors;

    Representatives of competing organizations;

    Employees of departmental supervision and management bodies;

    Persons violating the access control regime;

    Observers outside the protected area.

    In addition, classification can be carried out according to the following parameters.

    Methods and means used:

    Collection of information and data;

    Passive interception means;

    Use of tools included in the information system or its protection system and their shortcomings;

    Active influence: modification of existing information processing tools, connection of new tools, use of specialized utilities, introduction of software implants (“bookmarks”) and back doors into the system, connection to data transmission channels.

    The offender’s level of knowledge regarding the organization of the information structure:

    Typical knowledge of methods for constructing computer systems, network protocols, use of a standard set of programs;

    High level of knowledge of network technologies, experience with specialized software products and utilities;

    In-depth knowledge of programming, system design and the operation of computer systems;

    Possession of information about the means and mechanisms of protection of the attacked system;

    The offender was a developer or took part in the implementation of an information security system.

    Time of information impact:

    At the time of information processing;

    At the time of data transfer;

    In the process of storing data (taking into account the operating and non-operating states of the system).

    By location of impact:

    Remotely, with or without interception of information transmitted over data channels;

    Access to the protected area;

    Direct physical contact with computer equipment, within which one can distinguish: access to workstations, access to enterprise servers, access to the administration, control and management systems of the information system, and access to the management programs of the information security system.

    Table 2.3 shows examples of information security intruder models and their comparative characteristics.

    Table 2.3 - Comparative characteristics of several intruder models

    Each characteristic is given for four intruder types: lone hacker, hacker group, competitors, and government agencies or special services.

    Computing power of technical means
        Lone hacker: Personal computer
        Hacker group: LAN, use of other people's computer networks
        Competitors: Powerful computing networks
        Government agencies, special services: Unlimited computing power

    Internet access, type of access channels
        Lone hacker: Modem or leased line
        Hacker group: Use of someone else's high-bandwidth channels
        Competitors: Own high-bandwidth channels
        Government agencies, special services: Independent control over Internet traffic routing

    Financial capabilities
        Lone hacker: Severely limited
        Hacker group: Limited
        Competitors: Large
        Government agencies, special services: Virtually unlimited

    Level of knowledge in the field of IT
        Lone hacker: Low
        Hacker group: High
        Competitors: High
        Government agencies, special services: High; developers of the standards

    Technologies used
        Lone hacker: Ready-made programs, known vulnerabilities
        Hacker group: Search for new vulnerabilities, production of malware
        Competitors: Modern methods of penetrating information systems and influencing the data flows in them
        Government agencies, special services: Thorough knowledge of information technology, including its possible vulnerabilities and shortcomings

    Knowledge of how the facility's protection system is built
        Lone hacker: Insufficient knowledge of how the information system is built
        Hacker group: May make an effort to understand how the security system operates
        Competitors: May make an effort to understand the principles of operation of the security system and place their own representative in the security service
        Government agencies, special services: During system certification, representatives of government agencies can obtain fairly complete information about how it is built

    Goals pursued
        Lone hacker: Experiment
        Hacker group: Introducing distortions into the operation of the system
        Competitors: Blocking the functioning of the system, undermining the company's image, ruining it
        Government agencies, special services: Unpredictable

    Nature of action
        Lone hacker: Hidden
        Hacker group: Hidden
        Competitors: Hidden, or open and demonstrative
        Government agencies, special services: May not bother to hide their actions

    Penetration depth
        Lone hacker: Most often stops after the first successful impact
        Hacker group: Until the goal is achieved or a serious obstacle appears
        Competitors: Until the goal is achieved, whatever the cost
        Government agencies, special services: Not limited by any obstacle