Software and hardware level of protection. Basic concepts of the software and hardware level of information security


Software and hardware measures, that is, measures aimed at controlling computer entities (hardware, programs and/or data), form the last and most important frontier of information security. Recall that damage is caused mainly by the actions of legitimate users, against whom procedural controls are ineffective. The main enemies are incompetence and carelessness in the performance of official duties, and only software and hardware measures are able to resist them.

Computers have helped automate many areas of human activity. It seems quite natural to want to entrust them with ensuring their own security. Even physical protection is increasingly entrusted not to security guards, but to integrated computer systems, which allows you to simultaneously track the movements of employees both in the organization and in the information space.

However, it should be noted that the rapid development of information technologies not only gives defenders new opportunities, but also objectively makes it difficult to provide reliable protection if one relies solely on measures of the software and hardware level. There are several reasons for this:

    the increasing speed of microcircuits and the development of architectures with a high degree of parallelism make it possible to use brute force to overcome barriers (primarily cryptographic ones) that previously seemed impregnable;

    the development of networks and network technologies, the increase in the number of links between information systems and the growth of channel bandwidth expand the circle of intruders who have the technical capability to organize attacks;

    the emergence of new information services leads to the formation of new vulnerabilities both "inside" services and at their junctions;

    competition among software manufacturers forces them to reduce development time, which leads to a decrease in the quality of testing and the release of products with security defects;

    the paradigm of constantly increasing hardware and software capacity imposed on consumers does not allow them to stay for long within reliable, proven configurations and, in addition, conflicts with budgetary constraints, which reduces the share of allocations for security.

The above considerations once again emphasize the importance of an integrated approach to information security, as well as the need for a flexible position in the selection and maintenance of software and hardware controls.

Central to the software and hardware level is the concept of a security service.

Following the object-oriented approach, when considering an information system with a single level of detail, we will see a set of information services provided by it. Let's call them basic. In order for them to function and have the required properties, several levels of additional (auxiliary) services are needed - from the DBMS and transaction monitors to the operating system kernel and hardware.

Auxiliary services include security services (we have already encountered them when considering standards and specifications in the field of information security); among them, we will be primarily interested in universal, high-level services that can be used by various basic and auxiliary services. Next, we will look at the following services:

    identification and authentication;

    access control;

    logging and auditing;

    encryption;

    integrity control;

    shielding;

    security analysis;

    ensuring fault tolerance;

    ensuring safe recovery;

    tunneling;

    Lecture 6
    Main software and hardware measures
    (security services)

    Literature

    V.A. Galatenko, "Fundamentals of Information Security", electronic book

    Central to the software level is the concept of a security service.

    Basic concepts of the software and hardware level of information security

    Auxiliary services include security services (we have already encountered them when considering standards and specifications in the field of information security); among them, we will be primarily interested in universal, high-level services that can be used by various basic and auxiliary services.

    Next, we will look at the following services:
    identification and authentication;
    access control;
    logging and auditing;
    encryption;
    integrity control;
    shielding;
    security analysis;
    ensuring fault tolerance;
    ensuring safe recovery;
    tunneling;
    control.

    To classify security services and determine their place in the general architecture, security controls can be divided into the following types:
    preventive measures, which prevent information security violations;
    measures to detect violations;
    localizing measures, which narrow the zone of influence of violations;
    measures to identify the offender;
    security restoration measures.

    Most security services fall into the category of preventive ones, and this is definitely right. Audit and integrity control can help detect violations; active audit also makes it possible to program a reaction to a violation for the purpose of localization and/or tracing. The orientation of the fault tolerance and safe recovery services is obvious. Finally, management plays an infrastructural role, serving all aspects of the information system.

    Identification and authentication

    Identification allows a subject (a user, a process acting on behalf of a specific user, or another hardware and software component) to name itself (state its name).

    Through authentication, the second party makes sure that the subject really is who it claims to be. The phrase "verification of authenticity" is sometimes used as a synonym for "authentication".

    Authentication

    Authentication is a procedure for verifying authenticity, for example:
    authenticating a user by comparing the password he entered with the password stored in the user database;
    confirming the authenticity of an e-mail message by verifying the message's digital signature with the sender's public key;
    checking a file's checksum against the value declared by the author of the file.

    Authorization

    Authorization is the granting of rights to perform certain actions to a specific person or group of people, as well as the process of verifying (confirming) these rights when an attempt is made to perform those actions. One often hears that a person is "authorized" to perform a given operation, which means that he has the right to do it.

    Authorization should not be confused with authentication: authentication is a procedure for verifying the legitimacy of a user or of data, for example, checking that the password entered by the user matches the account password in the database, verifying the digital signature of a message with the encryption key, or checking a file's checksum against the value declared by the author of the file. Authorization controls the access of legitimate users to system resources after they have successfully passed authentication. The authentication and authorization procedures are often combined.

    Identification and authentication

    Authentication can be one-way (usually the client proves its authenticity to the server) or two-way (mutual). An example of one-way authentication is the procedure by which a user logs in to the system.

    Password authentication

    The main advantages of password authentication are simplicity and familiarity. Passwords have long been built into operating systems and other services. When used correctly, passwords can provide a level of security acceptable to many organizations. However, judged by the totality of their characteristics, they should be recognized as the weakest means of authentication.

    The following measures can significantly improve the strength of password protection:
    imposing technical restrictions (the password must not be too short, it must contain letters, numbers, punctuation marks, etc.);
    managing password expiration and changing passwords periodically;
    restricting access to the password file;
    limiting the number of failed login attempts (this makes it difficult to use the "brute force method");
    user training;
    use of software password generators (such a program, based on simple rules, can generate only pronounceable and, therefore, memorable passwords).

    One-time passwords

    The passwords discussed above can be called reusable; their disclosure allows an attacker to act on behalf of a legitimate user. One-time passwords are a much stronger means that is resistant to passive eavesdropping on the network.

    Kerberos authentication server

    Kerberos is a software product developed in the mid-1980s at the Massachusetts Institute of Technology; it has undergone a number of fundamental changes since then. Kerberos client components are present in most modern operating systems.

    Identification/authentication using biometric data

    Biometrics is a set of automated methods for identifying and/or authenticating people based on their physiological and behavioral characteristics. Physiological characteristics include features of fingerprints, the retina and cornea, the geometry of the hand and face, etc. Behavioral characteristics include signature dynamics (handwritten) and the style of working with the keyboard. Voice features and speech recognition are analyzed at the junction of physiology and behavior.

    In general, work with biometric data is organized as follows. First, a database of the characteristics of potential users is created and maintained. For this, the user's biometric characteristics are captured and processed, and the result of the processing (called a biometric template) is entered into the database (source data, such as the result of scanning a finger or cornea, are usually not stored).

    But the main danger is that any "hole" turns out to be fatal for biometrics. Passwords, for all their unreliability, can be changed in an extreme case. A lost authentication card can be cancelled and a new one obtained. A finger, an eye or a voice cannot be changed. If biometric data is compromised, at the very least the entire system will have to be substantially upgraded.

    Access Control Models

    Purposes and scope

    The purpose of access control is to limit the operations that a legitimate user (registered in the system) can perform. Access control specifies what exactly the user has the right to do in the system, as well as what operations applications acting on the user's behalf are allowed to perform.

    In this way, access control is designed to prevent user actions that can harm the system, for example, violate the security of the system.

    Terms used

    Access: access of a subject to an object for certain operations.
    Object: a container of information in the system.
    Subject: the entity that represents the user when working in the system.
    User: a person who performs actions in the system, or an application acting on his behalf.

    General description

    Access control is the determination of a subject's ability to operate on an object. In general, it is described by the following diagram:

    From a traditional point of view, access controls allow one to specify and control the actions that subjects (users and processes) can perform on objects (information and other computer resources). This section deals with logical access control, which, unlike physical access control, is implemented by software. Logical access control is the main mechanism of multi-user systems, designed to ensure the confidentiality and integrity of objects and, to some extent, their availability (by denying service to unauthorized users).

    Objective: to control access to production information. Access to computer systems and data must be controlled on the basis of production (business) requirements. Such control should take into account the rules for disseminating information and restricting access adopted in the organization.

    Production requirements for controlling access to systems must be defined and documented. The access control rules and the access rights of each user or group of users must be clearly formulated in the provisions of the information access control policy. Users and service providers should know the clearly defined production requirements that satisfy the access control policy.

    When defining access control rules, the following needs to be considered:
    differences between rules that must always be complied with and rules that are optional or conditional;
    it is better to formulate rules on the premise "everything that is not explicitly allowed is forbidden" than on the premise "everything that is not explicitly prohibited is allowed";
    changes in information labels that are initiated automatically by information processing facilities and those initiated at the discretion of the user;
    changes in user access rights that are initiated automatically by the information system and those initiated by the administrator;
    rules that require approval by the administrator or someone else before coming into force, and rules that do not require anyone's approval.

    Access control models

    Selective access control
    Mandatory access control
    Role-based access control

    Selective access control

    Selective access control (discretionary access control, DAC) is the control of subjects' access to objects based on access control lists or an access matrix. The names "discretionary access control", "controlled access control" and "restrictive access control" are also used.

    Each object of the system has a subject attached to it, called the owner. It is the owner who sets the access rights to the object.
    The system has one distinguished subject, the superuser, who has the power to set ownership rights for all other subjects of the system.
    A subject with a particular access right can transfer that right to any other subject.
    The access rights of a subject to a system object are determined on the basis of some rule external to the system (the selectivity property).
    To describe the properties of selective access control, a system model based on the access matrix (AM, sometimes called the access control matrix) is used. Such a model is called a matrix model.
    The access matrix is a rectangular matrix in which a row corresponds to a system object and a column to a subject. The intersection of a column and a row indicates the type (types) of access the subject is allowed to the object. The types usually distinguished are "read access", "write access", "execute access", etc.

    The set of objects and the types of access a subject has to them can change according to certain rules existing in the system. For example, a subject's access to a particular object may be allowed only on certain days (a date-dependent condition) or hours (a time-dependent condition), depending on other characteristics of the subject (a context-dependent condition), or depending on the nature of previous work. Such conditions on access to objects are commonly used in DBMSs. In addition, a subject with certain powers may transfer them to another subject (if this does not contradict the rules of the security policy).
    The decision on a subject's access to an object is made according to the type of access specified in the corresponding cell of the access matrix. Usually, selective access control implements the principle "what is not allowed is forbidden", which implies explicit permission for a subject to access an object.

    Mixed designs are also possible, in which the system contains both owners, who set the access rights to their objects, and a superuser, who can change the rights for any object and/or change its owner. It is precisely this mixed variant that is implemented in most operating systems, such as Unix or Windows NT.
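The access matrix described above can be exercised in a few lines. The sketch below is an added example, not part of the original lecture: it models owners, the superuser, transfer of a held right and a time-dependent condition, with denial as the default. The subject names, the object name and the rule that a passed-on right inherits the grantor's time window are assumptions made for the illustration.

```python
from datetime import time

SUPERUSER = "root"  # the single distinguished subject of the mixed model


class AccessMatrix:
    """Access matrix: one cell per (object, subject) holding the granted rights."""

    def __init__(self):
        self.owner = {}  # object -> owning subject
        self.cells = {}  # (object, subject) -> {right: (start, end) window or None}

    def create(self, subject, obj):
        """The creator becomes the owner and receives read and write access."""
        self.owner[obj] = subject
        self.cells[(obj, subject)] = {"read": None, "write": None}

    def grant(self, grantor, obj, subject, right, hours=None):
        """Enter `right` into the cell (obj, subject).

        The owner and the superuser may set any right, optionally limited to a
        time window. Any other subject may only pass on a right it already
        holds, and the recipient inherits the grantor's window (assumption).
        """
        if obj not in self.owner:
            raise KeyError(obj)
        if grantor == SUPERUSER or grantor == self.owner[obj]:
            window = hours
        else:
            held = self.cells.get((obj, grantor), {})
            if right not in held:
                raise PermissionError(f"{grantor} cannot grant {right} on {obj}")
            window = held[right]
        self.cells.setdefault((obj, subject), {})[right] = window

    def chown(self, actor, obj, new_owner):
        """Only the superuser may change the owner of an object."""
        if actor != SUPERUSER:
            raise PermissionError("only the superuser changes ownership")
        self.owner[obj] = new_owner

    def check(self, subject, obj, right, now):
        """Decide from the matrix cell alone; a missing entry means denial."""
        cell = self.cells.get((obj, subject), {})
        if right not in cell:
            return False  # "what is not allowed is forbidden"
        window = cell[right]
        return window is None or window[0] <= now < window[1]


if __name__ == "__main__":
    m = AccessMatrix()
    m.create("alice", "payroll.db")  # constructed sample subjects and object
    m.grant("alice", "payroll.db", "bob", "read", hours=(time(9), time(18)))
    m.grant("bob", "payroll.db", "carol", "read")  # bob passes his right on
    for who in ("alice", "bob", "carol", "dave"):
        print(who, m.check(who, "payroll.db", "read", time(20)))
```
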

    Mandatory access control

    Mandatory access control (MAC) is the control of subjects' access to objects based on the assignment of confidentiality labels to the information contained in objects and the issuance of official permissions (clearances) to subjects to access information of a given confidentiality level. It is also sometimes translated as forced access control. It is a method that combines protection and restriction of rights, applied to computer processes, data and system devices, and intended to prevent their unwanted use.

    all subjects and objects of the system must be uniquely identified;
    each object of the system is assigned a criticality label that defines the value of the information it contains;
    each subject of the system is assigned a transparency level (security clearance) that defines the maximum value of the criticality label of the objects to which the subject has access.

    When a set of labels have the same values, they are said to belong to the same security level. The organization of labels has a hierarchical structure, and thus the system can implement a hierarchically non-descending (by value) flow of information (for example, from ordinary staff to management). The more important an object or subject is, the higher its criticality label. Therefore, the most protected objects are those with the highest criticality label values.
    Each subject, in addition to its transparency level, has a current security level, which can vary from some minimum value up to the value of its transparency level. To make an access decision, the criticality label of the object is compared with the transparency level and the current security level of the subject.

    The result of the comparison is determined by two rules: the simple security condition and the *-property. In simplified form, they state that information can only be transmitted "upward": a subject can read the contents of an object if its current security level is not lower than the criticality label of the object, and write to it if it is not higher.
    The simple security condition states that a subject can perform any operation on an object only if its transparency level is not lower than the criticality label of the object.

    The main purpose of a mandatory security policy is to control the access of the system's subjects to objects with different levels of criticality and to prevent leakage of information from the upper levels of the job hierarchy to the lower ones, as well as to block possible penetration from the lower levels to the upper ones. At the same time, it operates against the background of the selective policy, giving its requirements a hierarchically ordered character (in accordance with security levels).
    A mandatory access control system is implemented in the FreeBSD Unix OS.
    SUSE Linux and Ubuntu have a mandatory access control system called AppArmor.

    Role-based access control

    Role-based access control (RBAC) is a development of the selective access control policy in which the access rights of the system's subjects to objects are grouped according to the specifics of their use, forming roles.

    The role-based access control model has a number of features that prevent it from being classified as either a discretionary or a mandatory model. The main idea of the approach implemented in this model is that the concept of "subject" is replaced by two new concepts:
    user: a person working in the system;
    role: an abstract entity active in the system, with which a limited and logically coherent set of powers required to perform certain actions in the system is associated.

    The classic example of a role is root on Unix-like systems: the superuser, with unlimited powers. This role can be assumed by various administrators.
    The main advantage of the role model is its closeness to real life: the roles operating in the automated system (AS) can be arranged in full accordance with the corporate hierarchy and are tied not to specific users but to positions, which, in particular, simplifies administration when staff turnover is high.

    Access control under the role model is carried out as follows:
    1. For each role, a set of powers is specified, which is a set of access rights to AS objects.
    2. Each user is assigned a list of roles available to him.
    Note that a user can be associated with several roles; this possibility also simplifies the administration of complex corporate AS.

    RBAC is widely used to manage user privileges within a single system or application. The list of such systems includes Microsoft Active Directory, SELinux, FreeBSD, Solaris, Oracle Database and many others.
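The two-step procedure above, together with the remark that roles follow positions rather than people, can be shown in code. This is an added example, not part of the original lecture: the role names, positions, users and the rule that a senior role inherits the rights of its junior roles are assumptions chosen to mirror a corporate hierarchy.

```python
class RoleModel:
    """Roles carry the access rights; users reach them only through positions."""

    def __init__(self):
        self.role_rights = {}     # role -> set of (object, right)
        self.juniors = {}         # role -> junior roles whose rights it inherits
        self.position_roles = {}  # position -> roles attached to the position
        self.held = {}            # user -> positions currently held

    def define_role(self, role, rights, inherits=()):
        """Step 1: specify the set of powers of a role."""
        missing = [r for r in inherits if r not in self.role_rights]
        if missing:
            raise KeyError(f"undefined junior roles: {missing}")
        self.role_rights[role] = set(rights)
        self.juniors[role] = set(inherits)

    def attach(self, position, *roles):
        """Step 2: list the roles available to whoever holds the position."""
        missing = [r for r in roles if r not in self.role_rights]
        if missing:
            raise KeyError(f"undefined roles: {missing}")
        self.position_roles.setdefault(position, set()).update(roles)

    def appoint(self, user, position):
        self.held.setdefault(user, set()).add(position)

    def dismiss(self, user, position):
        self.held.get(user, set()).discard(position)

    def roles_of(self, user):
        """All roles available to the user, including inherited junior roles."""
        pending = [r for p in self.held.get(user, ())
                   for r in self.position_roles.get(p, ())]
        seen = set()
        while pending:
            role = pending.pop()
            if role not in seen:
                seen.add(role)
                pending.extend(self.juniors[role])
        return seen

    def check(self, user, obj, right):
        """Access is allowed only if some available role holds the right."""
        return any((obj, right) in self.role_rights[r] for r in self.roles_of(user))


def build_sample():
    """Constructed sample organisation used to exercise the model."""
    m = RoleModel()
    m.define_role("clerk", {("invoices", "read")})
    m.define_role("accountant", {("invoices", "write")}, inherits=["clerk"])
    m.define_role("auditor", {("ledger", "read")})
    m.attach("chief accountant", "accountant")
    m.attach("internal auditor", "auditor")
    m.appoint("ivan", "chief accountant")
    return m


if __name__ == "__main__":
    m = build_sample()
    print(sorted(m.roles_of("ivan")), m.check("ivan", "invoices", "read"))
    # Staff turnover: the position changes hands, role definitions stay untouched.
    m.dismiss("ivan", "chief accountant")
    m.appoint("olga", "chief accountant")
    print(m.check("ivan", "invoices", "read"), m.check("olga", "invoices", "write"))
```
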

    Bell-LaPadula model

    The Bell-LaPadula model is a model of access control and management based on the mandatory access control model. The model analyzes the conditions under which it is impossible to create information flows from subjects with a higher access level to subjects with a lower access level.

    The classical Bell-LaPadula model was described in 1975 by MITRE Corporation employees David Bell and Leonard LaPadula; they were prompted to create the model by the security system for working with secret documents of the US government. The essence of the system was as follows: each subject (a person working with documents) and object (documents) is assigned a confidentiality label, from the highest ("special importance") to the lowest ("unclassified" or "public"). A subject that is allowed access only to objects with a lower confidentiality label cannot gain access to an object with a higher confidentiality label. Also, a subject is prohibited from writing information to objects with a lower security level.

    Harrison-Ruzzo-Ullman model

    The Harrison-Ruzzo-Ullman model is a classic discretionary model; it implements discretionary control of subjects' access to objects and control over the distribution of access rights within the model.

    The processing system is represented as a set of active entities (subjects), forming the set of subjects, which access passive entities (objects), forming the set of objects that contain protected information, and a finite set of access rights characterizing the authority to perform the corresponding actions. To include relations between subjects within the scope of the model, it is assumed that all subjects are also objects.

    Hartson's five-dimensional security space model

    Now consider a model called Hartson's five-dimensional security space. This model uses a five-dimensional security space to model processes, establish authorizations and organize access on their basis. The model has five main sets:
    A - established authorizations; U - users; E - operations; R - resources; S - states.

    The security space is the Cartesian product A×U×E×R×S. Access is treated as a series of requests made by users u to perform operations e on resources R while the system is in state s. For example, an access request is represented by the four-tuple q = (u, e, R, s), u ∈ U, e ∈ E, s ∈ S, r ∈ R. The values u and s are set by the system in fixed form.
    Thus, an access request is a subspace of the four-dimensional projection of the security space. Requests are granted access when they are completely enclosed in the corresponding subspaces.

    Call security monitor

    The concept of a call security monitor (reference monitor) is a fairly natural formalization of a mechanism that implements access differentiation in the system. The call security monitor (MBO) is a filter that allows or denies access based on the access differentiation rules established in the system.

    Having received a request for access by subject S to object O, the call security monitor analyzes the rule base corresponding to the security policy set in the system and either allows or denies access.
    The call security monitor satisfies the following properties:
    1. No request for a subject's access to an object may be performed bypassing the MBO.
    2. The operation of the MBO must be protected from outside interference.
    3. The representation of the MBO must be simple enough that the correctness of its operation can be verified.
    Although the concept of a call security monitor is an abstraction, the listed properties also hold for the software or hardware modules that implement the functions of the call monitor in real systems.

    Integrity models

    One of the goals of a security policy is protection against violation of the integrity of information. The best-known models in this class are the Biba integrity model and the Clark-Wilson model.

    Clark-Wilson model

    The Clark-Wilson model emerged from its authors' analysis of the methods actually used to ensure the integrity of document flow in commercial companies. Unlike the Biba and Bell-LaPadula models, it was oriented from the start toward the needs of commercial customers and, in the authors' opinion, meets their requirements better than the previously proposed commercial interpretation of the lattice-based integrity model.

    The main concepts of the model are the correctness of transactions and the separation of functional duties. The model specifies rules for the operation of a computer system and defines two categories of data objects and two classes of operations on them. All data contained in the system is divided into controlled and uncontrolled data items (constrained data items, CDI, and unconstrained data items, UDI, respectively). The integrity of the former is ensured by the Clark-Wilson model. The latter contain information whose integrity is not controlled within this model (which explains the choice of terminology).

    Next, the model introduces two classes of operations on data items: integrity verification procedures (IVP) and transformation procedures (TP). The former check the integrity of controlled data items (CDI); the latter change the composition of the set of all CDIs (for example, by converting UDI items into CDIs).

    The model also contains nine rules that define the relationships between data items and procedures during system operation.
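The interplay of CDI, UDI, IVP and TP is easier to follow on a small ledger. The code below is an added example, not part of the original lecture: the accounts, the textual order format "src->dst:amount", the user names and the table of permitted (user, procedure) pairs are assumptions used to illustrate well-formed transactions and separation of duties.

```python
import re

ORDER = re.compile(r"(\w+)->(\w+):(\d+)")  # constructed UDI format: src->dst:amount


class Ledger:
    """Account balances are the CDIs; they change only through a TP."""

    def __init__(self, balances, permitted):
        self._cdi = dict(balances)             # constrained data items
        self._total = sum(balances.values())   # invariant fixed at set-up time
        self._permitted = set(permitted)       # (user, procedure) pairs
        self.journal = []                      # record of every executed TP

    def _ivp(self):
        """Integrity verification procedure: are all CDIs in a valid state?"""
        values = list(self._cdi.values())
        return sum(values) == self._total and all(v >= 0 for v in values)

    def audit(self, user):
        """Only users permitted to run the IVP may audit (separation of duties)."""
        if (user, "ivp") not in self._permitted:
            raise PermissionError(f"{user} may not run the IVP")
        return self._ivp()

    def tp_transfer(self, user, udi):
        """Transformation procedure: turn an untrusted order (a UDI) into a
        change of CDIs, or reject it without touching any CDI."""
        if (user, "transfer") not in self._permitted:
            raise PermissionError(f"{user} may not run the transfer TP")
        match = ORDER.fullmatch(udi)
        if match is None:
            raise ValueError("malformed order")
        src, dst, amount = match[1], match[2], int(match[3])
        if src not in self._cdi or dst not in self._cdi or src == dst:
            raise ValueError("unknown or identical accounts")
        if amount == 0 or self._cdi[src] < amount:
            raise ValueError("amount not payable")
        self._cdi[src] -= amount
        self._cdi[dst] += amount
        self.journal.append((user, src, dst, amount))

    def balance(self, account):
        return self._cdi[account]


def build_sample():
    """Constructed sample: the clerk moves money, the auditor verifies."""
    return Ledger({"alice": 100, "bob": 50},
                  {("clerk", "transfer"), ("auditor", "ivp")})


if __name__ == "__main__":
    ledger = build_sample()
    ledger.tp_transfer("clerk", "alice->bob:30")
    print(ledger.balance("alice"), ledger.balance("bob"), ledger.audit("auditor"))
    ledger._cdi["bob"] += 1000          # a write that bypasses every TP
    print(ledger.audit("auditor"))      # the IVP now reports the violation
```
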

    Biba model

    The Biba model is based on integrity levels similar to the levels of the Bell-LaPadula model. Unlike the Bell-LaPadula model, reading is now allowed only upward (a subject reads an object whose value level exceeds the subject's level), and writing only downward. The rules of this model are the complete opposite of the rules of the Bell-LaPadula model.

    The Biba model considers the following accesses of subjects to objects and other subjects: a subject's access to modify an object, a subject's access to read an object, a subject's access to execute, and a subject's access to a subject.

    The question of what exactly the Biba model means by integrity levels deserves a separate comment.
    Indeed, in most applications data integrity is regarded as a property that is either preserved or not preserved, and the introduction of hierarchical integrity levels may seem redundant.
    In fact, the integrity levels in the Biba model should be regarded as levels of trustworthiness, and the corresponding information flows as the transfer of information from a more reliable data set to a less reliable one and vice versa.
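The read and write rules of the mandatory (Bell-LaPadula) policy and their mirror image in the Biba model can be compared side by side. This is an added example, not part of the original lecture: the two intermediate levels are constructed, equal levels are treated as allowed in both models, and the copy check assumes the subject keeps one fixed current level for the read and the write.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1        # constructed intermediate level
    SECRET = 2              # constructed intermediate level
    SPECIAL_IMPORTANCE = 3


@dataclass
class Subject:
    name: str
    clearance: Level  # "transparency level": upper bound for the subject
    current: Level    # current security level, never above the clearance

    def __post_init__(self):
        if self.current > self.clearance:
            raise ValueError("current level exceeds clearance")


def blp_allows(subject, label, op):
    """Mandatory policy as described above, for an object with `label`."""
    if subject.clearance < label:
        return False                       # simple security condition
    if op == "read":
        return subject.current >= label    # current level not lower than label
    if op == "write":
        return subject.current <= label    # current level not higher than label
    raise ValueError(op)


def biba_allows(subject_integrity, object_integrity, op):
    """Biba: the opposite directions, applied to integrity levels."""
    if op == "read":
        return object_integrity >= subject_integrity   # read only upward
    if op == "write":
        return object_integrity <= subject_integrity   # write only downward
    raise ValueError(op)


def blp_can_copy(clearance, src, dst):
    """True if some fixed current level lets one subject read an object
    labelled `src` and write an object labelled `dst`."""
    for current in Level:
        if current > clearance:
            continue
        probe = Subject("probe", clearance, current)
        if blp_allows(probe, src, "read") and blp_allows(probe, dst, "write"):
            return True
    return False


def biba_can_copy(subject_integrity, src, dst):
    """Same question for Biba: read from `src`, then write to `dst`."""
    return (biba_allows(subject_integrity, src, "read")
            and biba_allows(subject_integrity, dst, "write"))


if __name__ == "__main__":
    analyst = Subject("analyst", Level.SECRET, Level.CONFIDENTIAL)
    for label in Level:
        print(label.name,
              "read" if blp_allows(analyst, label, "read") else "-",
              "write" if blp_allows(analyst, label, "write") else "-")
    # Confidentiality: no downward flow. Integrity: no upward flow.
    print(blp_can_copy(Level.SPECIAL_IMPORTANCE, Level.SECRET, Level.UNCLASSIFIED))
    print(biba_can_copy(Level.CONFIDENTIAL, Level.CONFIDENTIAL, Level.SECRET))
```
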

    Software and hardware measures aimed at controlling computer equipment, programs and stored data form the last, but not least important, frontier of information security. At this level, not only the positive but also the negative consequences of rapid progress in information technology become apparent. First, additional capabilities appear not only for information security specialists but also for attackers. Second, information systems are constantly being upgraded and rebuilt, and insufficiently tested components (primarily software) are added to them, which makes it difficult to comply with the security regime.

    Central to the software and hardware level is the concept of a security service. These services for institutions and public sector companies include:

    • identification and authentication;
    • access control;
    • logging and auditing;
    • encryption;
    • integrity control;
    • shielding;
    • security analysis;
    • ensuring fault tolerance;
    • ensuring safe recovery;
    • tunneling;
    • control.

    At present, the level of information security of state-owned enterprises can be raised by introducing modern protection technologies, characterized by increasing functionality, versatility and the ability to be ported to any platform. In the area of technical protection of information resources, there are three main directions in which Russian state-owned enterprises operate:

    • protection internal network;
    • protection of access to the Internet and international information exchange;
    • protection of interaction with remote divisions.

    At the same time, we remember that state structures and state organizations use only information security tools certified by the FSTEC or the FSB of the Russian Federation. To protect internal resources, most federal and regional government authorities use the user authentication and authorization mechanisms built into operating systems. Some departments have special certified systems for protection against unauthorized access and electronic locks, such as "Labyrinth-M", "Accord" and SecretNet. As a means of encryption, as a rule, the "CryptoPro" secret keys for protecting information or the long-known and still popular "Verba" family of systems are used.

    To protect workstations and servers of the internal network from malicious programs (viruses, worms, Trojan horses), the vast majority of government organizations use anti-virus software. Most often, these are the Russian Kaspersky Anti-Virus or Dr.Web. However, there are also solutions from Trend Micro, Symantec, McAfee, Eset.


    The division of the network into segments with different information security requirements is carried out using MAC and IP address filtering mechanisms on the active network equipment and VLAN mechanisms. Very rarely, security policy monitoring systems are used that compare the current settings of protective mechanisms and subsystems with reference values (Cisco, "Uryadnik").

    In order to protect the perimeter of the network, government agencies usually use various certified firewalls. These are mainly Cisco, Aladdin and Check Point solutions. But there are also products from other manufacturers, in particular, Novell Border Manager, Microsoft ISA Server, SSPT-1 and SSPT-1M from TsNII RTK, Zastava from Elvis Plus.

    Attack detection and prevention systems (so-called HIPS) have so far been implemented in very few government organizations. Usually these are solutions from Symantec, S.N. Safe'n'Software and Cisco. In federal government agencies, protection against spam and abuse on the Internet is provided by various email and web traffic monitoring systems such as eSafe Gateway, MAILsweeper, WEBsweeper and Websense.

    In communication channels with remote subdivisions, only Russian cryptographic information protection and VPN systems are used: Zastava, VipNet or Continent.

    11. Regulatory framework for organizational protection. Sources of law in the field of information security. Types of normative documents. Examples of domestic and foreign legislative documents.

    In the Russian Federation, regulatory legal acts in the field of information security include:

    Acts of federal legislation:

    · International treaties of the Russian Federation;

    · The Constitution of the Russian Federation;

    · Federal-level laws (including federal constitutional laws, codes);

    · Decrees of the President of the Russian Federation;

    · Decrees of the Government of the Russian Federation;

    · Normative legal acts of federal ministries and departments;

    · Regulatory legal acts of the constituent entities of the Russian Federation, local governments, etc.

    Regulatory and methodological documents include:

    1. Methodological documents of Russian government agencies:

    · Doctrine of information security of the Russian Federation;

    · Guiding documents of FSTEC (State Technical Commission of Russia);

    · FSB orders;

    2. Information security standards, which include:

    · International standards;

    · State (national) standards of the Russian Federation;

    · Guidelines.

    Types of regulatory documents:

    · Normative legal acts: Laws of the Russian Federation (On Security), federal laws (On Personal Data, On Information and Information Technologies, On Electronic Digital Signatures), Decree of the President of the Russian Federation (On Approval of the List of Confidential Information), Government Decree (On Certification of Information Security Tools, On Licensing);

    · Normative-methodical and methodological documents: Doctrine, Orders of the FSTEC, Regulations on the certification of protective equipment according to safety requirements, Regulations on the certification of objects, Model provisions, Guiding documents, Methods (security assessments), Regulatory and methodological document;

    · Standards: GOST, RD, SanPin (Hygienic requirements for video display terminals), SNiP (noise protection).

    Example of foreign legislative documents:

    USA

    As of today, the United States is the jurisdiction with the largest number of documents in the System (more than 12,000 documents).

    The database includes documents from two major American federal legal sources: the US Code (USC) and the Code of Federal Regulations (CFR). The first is a systematized set of federal statutory legislation and consists of 52 sections devoted to the regulation of certain legal branches or institutions.

    The System includes three sections of the US Code: Section 26 - US Internal Revenue Code, Section 12 - Banks and Banking and Section 15 - Commerce and Trade, which includes legislative acts regulating activities in the securities market. The Code of Laws is reissued by Congress every 6 years and published by the US Code Service. Unlike most publicly available sources, the WBL system provides not only the text of these documents, but also the history of all amendments made to them, as well as notes and the most significant judicial precedents in this area.

    The System also includes by-laws issued by the federal executive branch and included in the Code of Federal Regulations. They are published by the Federal Register, an agency of the National Archives Administration.

    12. Development of a security policy. Basic provisions of information security. Application area. Goals and objectives of information security. Distribution of roles and responsibilities. General responsibilities.

    Development.

    First, it is necessary to audit the company's information processes and to identify the critically important information that needs to be protected. The audit of information processes should end with the definition of a list of the enterprise's confidential information, the areas where this information is accessed, the persons admitted to it, and the consequences of the loss (distortion) of this information. After this stage, it becomes clear what to protect, where to protect it and from whom: after all, in the vast majority of incidents the employees of the company themselves will act as violators, voluntarily or unwittingly. Nothing can be done about this: it has to be taken as a given. Various security threats can be assigned a probability of occurrence. Multiplying the probability of a threat being realized by the damage caused by its realization, we get the threat risk. After that, you should start developing a security policy.

    Security policy - a document of the "top" level, which must contain:

    · persons responsible for the safety of the company;

    · powers and responsibilities of departments and services in relation to security;

    · organization of admission of new employees and their dismissal;

    · rules for restricting employee access to information resources;

    · organization of access control, registration of employees and visitors;

    · the use of software and hardware means of protection;

    · other general requirements.

    The cost of ensuring the security of information should not exceed the amount of potential damage from its loss. The risk analysis carried out at the audit stage makes it possible to rank the risks by magnitude and to protect, first of all, not only the most vulnerable areas but also those that process the most valuable information. ISO 17799 lets you quantify integrated security:

    The development of a security policy involves a number of preliminary steps:

    assessment of the personal (subjective) attitude to the risks of the enterprise of its owners and managers responsible for the functioning and performance of the enterprise as a whole or certain areas of its activity;

    analysis of potentially vulnerable information objects;

    identification of threats to significant information objects (information, information systems, information processing processes) and assessment of the corresponding risks.

    When developing security policies at all levels, you must adhere to the following basic rules:

    · Lower-level security policies must fully comply with the relevant top-level policy, as well as with current legislation and the requirements of state authorities.

    · The text of the security policy should contain only clear and unambiguous wording that does not allow for double interpretation.

    · The text of the security policy must be understandable for those employees to whom it is addressed.

    The general life cycle of an information security policy includes a number of basic steps.

    · Conducting a preliminary study of the state of information security.

    · Development of a security policy.

    · Implementation of developed security policies.

    · Analysis of compliance with the requirements of the implemented security policy and formulation of requirements for its further improvement (return to the first stage, a new improvement cycle).

    Organization security policy (organizational security policies) - a set of guidelines, rules, procedures and practices in the field of security that govern the management, protection and distribution of valuable information.

    In the general case, such a set of rules constitutes a certain functionality of a software product that is necessary for its use in a particular organization. If we approach the security policy more formally, then it is a set of certain requirements for the functionality of the protection system, enshrined in departmental documents.

    The security policy depends on:

    • the specific information processing technology;
    • the hardware and software tools used;
    • the location of the organization.

    The protection of a large information system cannot be achieved without well-designed information security documentation. A security policy helps to:

    • make sure that nothing important is overlooked;

    • establish clear safety rules.

    Only a comprehensive and cost-effective protection system will be effective, and the information system itself in this case will be protected.

    The security policy document should describe the goals and objectives of information security, as well as the valuable company assets that need to be protected. The goals of ensuring information security, as a rule, are to ensure the confidentiality, integrity and availability of information assets, as well as the continuity of the company's business.

    The tasks of ensuring information security are all the actions that must be taken to achieve the goals. In particular, it is necessary to solve such problems as information risk analysis and management, investigation of information security incidents, development and implementation of business continuity plans, advanced training of company employees in the field of information security, etc.

    3) The object reuse security requirement contradicts:
    encapsulation +
    inheritance
    polymorphism

    4) Assume that the semantics of programs are taken into account when delimiting access. In that case, the following restrictions may apply to a game program:
    ban on reading any files other than configuration files
    ban on changing any files, except for configuration files +
    denial of network connections

    5) The need for an object-oriented approach to information security is a consequence of the fact that:
    it's an easy way to give information security a scientific look
    object-oriented approach - a universal means of dealing with the complexity of modern information systems +
    in information security from the very beginning the concepts of object and subject appear

    6) The facets that allow structuring the means of achieving information security include:
    integrity measures
    administrative measures +
    administrative measures

    2. Containers in component object environments provide:
    general context of interaction with other components and with the environment +
    means for preserving components
    component transport mechanisms

    Duplicate messages are a threat to:
    availability
    confidentiality
    integrity +

    Melissa attacks the availability of:
    e-commerce systems
    geoinformation systems
    email systems +

    Select the malware that opened a new stage in the development of this area:
    Melissa +
    BubbleBoy
    ILOVEYOU

    The most dangerous sources of internal threats are:
    incompetent leaders +
    offended employees
    curious administrators

    5. Among the following, select the main reason for the existence of numerous threats to information security:
    miscalculations in the administration of information systems
    the need for constant modification of information systems
    complexity of modern information systems +

    Aggressive resource consumption is a threat to:
    availability
    confidentiality
    integrity

    Melissa is:
    bomb
    virus +
    worm

    To plant bombs, errors of the following type are most often used:
    no return code checks
    buffer overflow +
    violation of the integrity of transactions

    The danger window appears when:
    the means of exploiting the vulnerability become known
    it becomes possible to exploit the vulnerability +
    new P is installed

    Select Trojans from the following:
    ILOVEYOU
    Back Orifice +
    NetBus +

    1. The Criminal Code of the Russian Federation does not provide for punishment for:
    creation, use and distribution of malware
    maintaining personal correspondence at the production technical base +
    violation of the rules for the operation of a computer, computer system or their network

    In the Information Security Improvement Bill (USA, 2001), special attention is drawn to:
    easing restrictions on the export of cryptographic tools
    development of electronic authentication tools +
    building a public key infrastructure

    4. The definition of means of protecting information given in the Law "On State Secrets" includes:
    means of detecting malicious activity
    fault tolerance tools
    means of monitoring the effectiveness of information protection +

    1. Security level B, according to the Orange Book, is characterized by:
    mandatory access control +
    verifiable security

    3. The Common Criteria security assurance requirement classes include:
    development +
    protection profile assessment +
    certification

    4. According to the Orange Book, the security policy includes the following elements:
    security perimeter
    security labels +
    security certificates

    1. Security level A, according to the Orange Book, is characterized by:
    discretionary access control
    mandatory access control
    verified security +


    decision to form or revise a comprehensive security program +

    ensuring the confidentiality of mail messages

    4. The goals of the top-level security program include:
    risk management +
    determination of those responsible for information services
    defining penalties for security policy violations

    5. As part of the lower-level security program, the following are carried out:
    strategic planning
    day to day administration +
    tracking weaknesses in protection +

    1. The security policy is built on the basis of:
    general ideas about the organization's IP
    studying the policies of related organizations
    risk analysis +

    2. The goals of the top-level security policy include:
    formulation of administrative decisions on the most important aspects of the implementation of the security program +
    choice of user authentication methods
    providing a framework for compliance with laws and regulations +

    1. Risk is a function of:
    the amount of possible damage
    the number of vulnerabilities in the system
    the organization's authorized capital

    3. The stages of risk management include:
    identification of assets +
    liquidation of liabilities
    selection of analyzed objects +

    4. The first step in threat analysis is:
    threat identification +
    threat authentication
    threat elimination

    identification of those responsible for risk analysis
    measurement of risks
    selection of effective protective equipment

    5. Risk management includes the following activities:
    identification of those responsible for risk analysis -
    risk measurement -
    selection of effective protective equipment

    6. Risk assessment allows you to answer the following questions:
    What is the risk of the organization using the information system?
    What are the risks for information system users?
    What are the risks for system administrators?

    1. Classes of measures of the procedural level include:
    maintenance of working capacity +
    maintenance of physical fitness
    physical protection +

    2. The principles of personnel management include:
    minimizing privileges +
    minimizing salary
    maximizing salary

    3. The stages of the recovery planning process include:
    identifying the critical functions of the organization +
    determining the list of possible accidents +
    conducting test accidents

    5. The daily activities at the procedural level include:
    situational management
    configuration management
    optimal management -

    1. Logging and auditing can be used to:
    prevent IS violations +
    detect violations +
    restore IS mode

    2. Indicate the most significant features of modern Russian IS from the point of view of security:
    low throughput of most communication channels
    complexity of administering user computers
    lack of a sufficient set of cryptographic hardware and software products

    application of the most advanced technical solutions
    application of simple, proven solutions +
    a combination of simple and complex protective equipment

    development and implementation of a unified security policy +
    unification of hardware and software platforms
    minimization of the number of applications used

    1. Screening can be used to:
    prevent IS violations
    detect violations
    localize the consequences of violations

    3. The main principles of architectural safety include:
    adherence to recognized standards
    application of non-standard solutions not known to attackers -
    a variety of protective equipment

    3. The main principles of architectural security include:
    strengthening the weakest link +
    strengthening the most likely object of attack
    defense separation +

    5. To ensure the information security of network configurations, you should be guided by the following principles:
    use your own communication lines
    ensure confidentiality and integrity in network interactions +
    complete analysis of network traffic

    access control +
    management of information systems and their components
    media management

    To ensure the information security of network configurations, one should be guided by the following principles:
    encryption of all information
    separation of static and dynamic data
    formation of composite services according to the content principle +

    1. Integrity control can be used to:
    prevent IS violations
    detect violations +
    localize the consequences of violations

    4. Universal security services include:
    tools for building virtual local networks
    shielding +
    logging and auditing +

    cardiogram of the subject +
    pension insurance card number
    the result of the one-time password generator operation +

    2. Authentication based on an encrypted password transmitted over the network is bad because it does not provide protection against:
    replay
    interception +
    availability attacks +

    role +
    role executor
    role user

    4. When using the version of the Kerberos authentication server described in the course: encryption is not applied - is applied symmetric encryption asymmetric+ encryption is applied

    5. When using the approach to access control in the object environment described in the course, inheritance is:
    always taken into account
    sometimes taken into account
    not taken into account +

    1. The following can be used as an authenticator in a network environment:
    year of birth of the subject
    last name of the subject
    secret cryptographic key +

    3. Role-based access control uses the following object-oriented approach:
    encapsulation
    inheritance +
    polymorphism

    4. Kerberos authentication server:
    does not protect against availability attacks +
    partially protects against availability attacks -
    fully protects against availability attacks

    5. When using the approach to access control in the object environment described in the course, access control rules are specified in the form:
    subjects/objects matrices -
    predicates over objects
    access lists to object methods

    3. The basic concepts of role-based access control include:
    object +
    subject
    method

    5. When using the approach to access control described in the course in the object environment, access is limited to:
    object interfaces
    object methods (taking into account the values of the actual call parameters)
    object classes

    5. When using the approach to access control described in the course in the object environment, access is limited to:
    object interfaces +
    object methods (taking into account the values of the actual call parameters) +
    object classes

    Logging and auditing, encryption, integrity control:

    Signature attack detection is good because it:
    raises few false alarms +
    is capable of detecting unknown attacks
    is easy to set up and operate +

    3. The digital certificate contains:
    the user's public key +
    the secret key
    username +

    4. The implementation of logging and auditing has the following main goals:
    detection of attempts to violate information security +
    prevention of attempts to violate information security
    prevention of attacks on availability

    2. The threshold method for detecting attacks is good because it:
    raises few false alarms
    is able to detect unknown attacks -
    is easy to set up and operate +

    4. The implementation of logging and auditing has the following main goals:
    ensuring accountability of administrators to users
    ensuring accountability of users and administrators +
    providing information for identifying and analyzing problems

    2. The statistical method of detecting attacks is good because it:
    raises few false alarms
    can detect unknown attacks +
    is easy to set up and operate -

    4. The implementation of logging and auditing has the following main goals:
    holding administrators accountable to users
    holding users and administrators accountable +
    providing information for identifying and analyzing problems +

    5. Cryptography is necessary for the implementation of the following security services:
    security control
    integrity control +
    access control

    4. The implementation of logging and auditing has the following main goals:
    ensuring the ability to reproduce the sequence of events
    ensuring the possibility of reconstructing the sequence of events +
    preventing attempts to reproduce the sequence of events

    1. Logging alone cannot provide non-repudiation, because:
    registration information is usually low-level in nature, and non-repudiation refers to application-layer actions
    registration information has a specific format, incomprehensible to a human
    registration information is too large

    5. Cryptography is required to implement the following security services:
    identification
    shielding
    authentication +

    1. Logging alone cannot provide non-repudiation because:
    registration information can be dispersed across different services and different components of a distributed IS +
    the integrity of registration information can be violated
    the confidentiality of registration information must be respected, and a non-repudiation check would violate confidentiality

    Identification and authentication, access control

    1. The following can be used as an authenticator in a network environment:
    subject's cardiogram+
    pension insurance card number
    the result of the one-time password generator+

    2. Authentication based on an encrypted password transmitted over the network is bad because it does not provide protection against:
    interception
    playback+
    availability attacks+

    3. The basic concepts of role-based access control include:
    role+
    role performer
    role user

    4. When using the version of the Kerberos authentication server described in the course:
    no encryption applied
    symmetric encryption is used
    asymmetric encryption is used

    5. When using the approach to access control in the object environment described in the course, inheritance:
    is always taken into account
    taken into account sometimes
    not taken into account +

    1. The following can be used as an authenticator in a network environment:
    subject's year of birth
    subject's last name
    secret cryptographic key+

    3. Role-based access control uses the following object-oriented approach:
    encapsulation
    inheritance+
    polymorphism

    4. Kerberos authentication server:
    does not protect against availability attacks+
    partially protects against availability attacks
    fully protects against availability attacks

    3. The basic concepts of role-based access control include:
    object+
    subject
    method

    5. When using the approach to access control described in the course in the object environment, access is limited to:
    object interfaces +
    object methods (taking into account the values of the actual call parameters) +
    object classes

    Main software and hardware measures:

    2. Indicate the most significant security features of modern Russian IS:
    low bandwidth of most communication channels +
    complexity of administering user computers
    lack of a sufficient set of cryptographic hardware and software products+

    3. The main principles of architectural safety include:
    application of the most advanced technical solutions
    application of simple, proven solutions +
    combination of simple and complex protective equipment

    5. To ensure the information security of network configurations, the following principles should be followed:
    development and implementation of a unified security policy+
    unification of hardware and software platforms
    minimizing the number of applications used

    3. The main principles of architectural safety include:
    adherence to recognized standards +
    application of non-standard solutions not known to intruders -
    variety of protective equipment+

    5. To ensure the information security of network configurations, one should be guided by the following principles:
    encryption of all information -
    separation of static and dynamic data
    formation of composite services according to the content principle +

    3. The main principles of architectural safety include:
    strengthening the weakest link+
    strengthening the most likely object of attack
    defense layering+

    5. To ensure the information security of network configurations, the following principles should be followed:
    use of own communication lines
    ensuring confidentiality and integrity in network interactions +
    complete analysis of network traffic

    4. Universal security services include:
    access control+
    management of information systems and their components
    media management

    To ensure the information security of network configurations, the following principles should be followed:
    encryption of all information
    separation of static and dynamic data
    formation of composite services according to the content principle +

    4. Universal security services include:
    tools for building virtual local networks
    shielding +
    logging and auditing +

    Procedural level of information security

    1. The classes of measures of the procedural level include:
    maintenance +
    keeping fit
    physical protection+

    2. The principles of personnel management include:
    privilege minimization +
    salary minimization
    salary maximization

    3. The steps in the recovery planning process include:
    identifying critical organizational functions+
    determination of the list of possible accidents +
    test accidents

    4. The areas of physical protection include:
    physical protection of users -
    supporting infrastructure protection+
    data interception protection+

    5. Day-to-day activities at the procedural level include:
    situational management
    configuration management
    optimal control -

    Risk management

    1. Risk is a function of:
    amount of possible damage +
    number of vulnerabilities in the system
    authorized capital of the organization

    3. The stages of risk management include:
    asset identification+
    liquidation of liabilities
    choice of analyzed objects+

    4. The first step in threat analysis is:
    threat identification+
    threat authentication
    elimination of threats

    5. Risk management includes the following activities:
    identification of those responsible for risk analysis
    measurement of risks
    selection of effective protective equipment

    5. Risk management includes the following activities:
    determination of those responsible for risk analysis -
    risk measurement +
    choice of effective protective equipment+

    6. Risk assessment allows you to answer the following questions:
    What is the risk of an organization using an information system? +
    What are the risks for information system users? +
    What are the risks for system administrators?

    Ensuring information security is a very difficult task, which has several levels.

    Software and technical level.

    From a modern point of view, the following security mechanisms should be available to information systems:

    • access control,
    • shielding,
    • user authentication and identification,
    • logging and auditing,
    • providing high availability,
    • cryptography.

    Procedural level.

    It includes measures implemented by people. The experience gained in domestic organizations on the implementation of procedural measures came from the pre-computer past and needs to be substantially revised.
    There are the following groups of organizational (procedural) measures:

    For each group there should be rules that determine the actions of personnel. They must be established in each specific organization and worked out in practice.

    Administrative level.

    The security policy adopted by the management of the organization is the basis of the administrative level measures. It is a set of documented management decisions aimed at protecting information and the resources associated with it. The security policy is based on an analysis of the real risks that threaten the information system of a given organization. After the analysis, a protection strategy is developed. This is a program for which money is allocated, responsible persons are appointed, the procedure for monitoring its implementation is established, and so on.
    Since each organization has its own specifics, it is pointless to transfer the practice of state-controlled enterprises to commercial structures, personal computer systems or educational establishments. It is more appropriate to use the basic principles of security policy development or ready-made templates for major types of organizations.

    Legislative level.

    This is the most important level of information security. It includes a set of measures aimed at creating and maintaining a negative attitude in society towards violators and violations in this area. It is necessary to create a mechanism that would allow coordinating the development of laws with the constant improvement of information technologies. The state should play a coordinating and guiding role in this matter. Russian information technology and information security standards should correspond to the international level. This will facilitate interaction with foreign companies and foreign affiliates of domestic companies. Now this problem is solved by one-time permits, often bypassing the current legislation.

    Only the interaction of all levels of information security will make it as effective as possible.







2022 gtavrl.ru.