Protection of information in the corporate networks of economic information systems. Organizational documents: the information security policy, job descriptions of company employees, and regulations for working on a personal computer


The heterogeneity of the activities of various organizations, firms and banks makes it objectively necessary to specify strategies for protecting information and for managing it in the event of a serious violation or crisis. This approach encourages the development of different information security concepts depending on the size of the organization (small, medium, large), its field of activity (financial, banking, manufacturing, trade), and national and regional characteristics. Analysis of information risks includes determining what needs to be protected, from whom, and how. A rational level of information security is chosen primarily for reasons of economic feasibility.

A corporation is an association of organizations or individuals on the basis of joint professional interests; it is one of the forms of joint-stock company for large businesses, including banking.

Large corporations are characterized by a complex, geographically distributed structure with many levels and links. The scale of their activity and the volume of their products and services can be regional or global.

A characteristic and distinctive feature of corporate computer networks is that they are built, as a rule, over several years. Such networks run equipment from different manufacturers and different generations, both the most modern and outdated, which was not always originally intended for collaboration, data transfer and processing. As corporate networks grow in size and complexity, managing them becomes increasingly difficult and requires new enterprise-wide network management tools. Such tools must be protocol independent, scalable, and provide centralized network management.

Currently, consumers are looking for solutions that unite disparate branches not only within one corporation, but also across regions throughout the country. The main goal of merging the branches is to create a single information space and common service functions. Modern solutions provide consumers with a unified system for managing and monitoring corporate network resources, reduce costs, combine data and telephony networks, and protect against unauthorized access.

A corporate-level information resource is especially vulnerable and requires high-quality, reliable protection, since the information structure of corporate-type organizations is heterogeneous and consists of a set of distributed systems, technologies, databases and data banks, and local tasks.


In large organizations, different types of activity have different information support. Data from different departments (in the absence of integration) may be duplicated and stored in different formats, complement each other within some subject area and yet be inaccessible to specialists, and so on. The corporation often has no opportunity to use the entire variety of its information resources to the fullest. This situation makes the creation and reliable operation of protection systems difficult, complicated and expensive.

Since security problems in information technology were at one time solved in our country mainly to protect state secrets, the specific problems of protecting banking and other businesses now urgently require solutions, and only now are they being integrated with the world system. The protection of information in a particular area of business activity has a number of significant features related to the impact of information security on the organization. The most important of them are:

Priority of economic, market factors and property relations;

Using open systems, creating an information security subsystem using tools widely available on the market;

Legal significance of information, which provides legal protection of documents, information resources and information processes in accordance with the established legislation of the Russian Federation.

The need to exchange information not only between geographically dispersed users of the corporation, but also with the outside world, requires the use of global networks. Connecting to the Internet and working with its services significantly widens the range of threats to the information processed in the corporation.

Internet services are divided into open and closed. An open service involves the interaction of corporation users with external structures. The closed service applies to users of the corporation’s network, including remote ones. An integrated Internet service provides both closed and open type services.

For the information security of the corporation, the necessary infrastructure is created and reliable programs for interacting with the Internet are used, which requires compliance with the following rules when the corporation works with the Internet:

Keep your password safe and change it if you suspect it has been compromised;

Do not leave the computer unattended during a communication session;

Having received the necessary information, completely end the communication session before visiting other sites;

Encrypt messages transmitted over the network, and so on.

When creating corporate networks, legislation on information protection is taken into account, and standards of liability for violations of information security are developed. The modern globalized computer network is a space practically uncontrolled by anyone, which is constantly replenished with megabytes of assorted information. Under the guise of useful information, computers are infected with various viruses (malware). Via the Internet, people can be attacked, confidential data stolen, databases destroyed, and so on.

The following basic requirements can be formulated for protecting corporate networks and information objects from malware.

Use of licensed software, hardware and protection tools.

Certification of information objects for compliance with the requirements of regulatory documents on protection, including testing for undeclared capabilities.

Determination and fixing of the list of software tools acceptable for use, with a categorical ban on the use of software not included in it.

Use of modern anti-virus (anti-malware) tools for protection, and ensuring their timely updating.

Development of the necessary organizational and administrative documents to protect objects from malware, specification of prevention methods that keep it from entering the network, and ensuring that users are aware of the general signs of malware.

Development of methods for backing up, saving and restoring software and information resources when they are infected or damaged by viruses, while ensuring reliable storage of original copies of software and information resources in a safe place.

Ensuring regular checks of computer equipment for malware infection.

In addition to the legislative level, the managerial level is no less important. The management of each corporation must be aware of the need to maintain a security regime and allocate appropriate resources for this purpose. The main thing the management level must do is develop an information security policy that corresponds to the general direction of the enterprise.

The main goal of measures taken at the management level is to formulate a work program in the field of information security and ensure its implementation. The task of management is to allocate the necessary resources and monitor the state of affairs. The basis of the program is a multi-level security policy that reflects the organization's approach to protecting its information assets and interests. The use of information systems is associated with a certain set of risks. When the risk is unacceptably high, protective measures must be taken. Periodic reassessment of risks is necessary to monitor the effectiveness of security activities and to account for changing conditions.

To maintain an information security regime, software and hardware measures and tools are especially important, since the main threats to computer systems originate there: hardware failures, software errors, mistakes by users and administrators, and so on.

The key mechanisms for ensuring information security of corporate networks are:

Identification and authentication;

Access control;

Logging and accounting;

Cryptography and network protection;

Shielding.

Shielding in corporate networks is performed using firewalls. The firewall prevents users from violating the information security rules set by administrators: it does not allow access to servers that are not required for users to perform their duties.

Firewalls can be implemented in software or hardware. Software implementations are cheaper but less performant and require significant computer system resources. Hardware firewalls are produced as special hardware and software complexes running under specialized or conventional operating systems modified to perform protective functions.

1. Focus only on certified products.

2. Choose a security system supplier who will provide a full range of services, i.e. not only the sales and guarantees that everyone provides, but also installation and configuration services (if necessary), training of employees to work with the protective tools, and support for the purchased systems.

3. Choose a security system that provides access control across various operating systems.

4. Focus on systems with the best performance characteristics, such as high reliability, compatibility with various software, minimal degradation of workstation performance, mandatory means for centralized management of protective mechanisms from the security administrator's workplace, and prompt notification of the administrator about all unauthorized access (NSD) events on workstations.

5. When choosing, pay attention not only to the cost of such tools, but also to the expected expenses for their operation and maintenance.

Processing information that constitutes a trade secret requires ensuring its security and careful design work at the stage of creating the information system (IS). Design includes: inspection of the automated system and development of organizational and administrative documents; selection, acquisition, installation, configuration and operation of protective tools; training personnel to work with the available protective tools; an information security service; and periodic audit of the information security system.

It is advisable that such work be carried out by professionals, since miscalculations at the stage of surveying and designing an information security system can result in serious problems and losses during its construction and operation.

Taking into account the peculiarities of the corporate network, the developed documents should provide for the solution of the following tasks:

Protection against penetration into the corporate network and against information leakage from the network via communication channels;

Delineation of information flows between network segments;

Protection of the most critical network resources from interference in the normal functioning process;

Protection of important workstations and resources from unauthorized access (NSD);

Cryptographic protection of the most important information resources.

Currently, there is not a single ready-made solution (hardware, software or other) that provides the implementation of the functions of all of the listed tasks simultaneously.

This is because, on the one hand, the requirements of each specific user for the implementation of particular protective measures differ significantly, and, on the other hand, each of the tasks is solved using specific tools. Let us look at some tools that implement these functions.

Protection against network penetration and information leakage from the network. The main means by which such a threat is realized is the channel connecting the corporate network to the global Internet.

The use of firewalls is the most common solution. They allow you to define and implement access control rules for both external and internal users of a corporate network, hide the network structure from an external user if necessary, block the sending of information to “forbidden” addresses and, finally, simply control the use of the Internet.
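The rule-evaluation logic behind the shielding described above, as an added example that is not part of the original article or any firewall product: an ordered, first-match policy with an explicit default-deny rule, where the LAN, DMZ web server, file server and "forbidden" external range are constructed addresses. It models a stateless filter, not a stateful connection table, and also produces the per-decision log lines an administrator would review.

```python
"""First-match packet-filter policy with an explicit default-deny rule, in the
spirit of the firewall ("screen") between a corporate network and the Internet.
Added illustration with constructed networks and rules; it models a stateless
filter, not any product's own configuration or a stateful connection table."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Connection:
    src: str    # source address of the connection attempt
    dst: str    # destination address
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                 # permitted source network (CIDR)
    dst: str                 # permitted destination network (CIDR)
    proto: str               # "tcp", "udp" or "any"
    dports: Tuple[int, ...]  # destination ports; empty tuple means any port
    action: str              # "allow" or "deny"

    def matches(self, conn: Connection) -> bool:
        return (ip_address(conn.src) in ip_network(self.src)
                and ip_address(conn.dst) in ip_network(self.dst)
                and self.proto in ("any", conn.proto)
                and (not self.dports or conn.dport in self.dports))


# Constructed addressing: user workstations in the LAN, an internal file
# server, a public web server in the DMZ and an external range the
# administrators have declared "forbidden".
ANY = "0.0.0.0/0"
LAN = "10.10.0.0/16"
FILE_SERVER = "10.10.1.10/32"
WEB_SERVER_DMZ = "192.0.2.10/32"
FORBIDDEN_EXTERNAL = "203.0.113.0/24"

# Order matters: the first rule that matches decides the verdict, so specific
# prohibitions go first and the catch-all deny goes last.
POLICY: List[Rule] = [
    Rule("block-forbidden-destinations", LAN, FORBIDDEN_EXTERNAL, "any", (), "deny"),
    Rule("public-web-from-anywhere", ANY, WEB_SERVER_DMZ, "tcp", (80, 443), "allow"),
    Rule("lan-to-file-server", LAN, FILE_SERVER, "tcp", (445,), "allow"),
    Rule("lan-to-internet-web", LAN, ANY, "tcp", (80, 443), "allow"),
    Rule("default-deny", ANY, ANY, "any", (), "deny"),
]


def evaluate(policy: List[Rule], conn: Connection) -> Tuple[str, str]:
    """Return (action, rule name) for the first matching rule. Unmatched
    traffic is refused even if someone deletes the final rule."""
    for rule in policy:
        if rule.matches(conn):
            return rule.action, rule.name
    return "deny", "implicit-default-deny"


def audit(policy: List[Rule], attempts: List[Connection]) -> List[str]:
    """One log line per decision: the 'logging and accounting' side of the
    screen that the security administrator reviews."""
    lines = []
    for conn in attempts:
        action, name = evaluate(policy, conn)
        lines.append(f"{action.upper():5} {conn.proto}/{conn.dport} "
                     f"{conn.src} -> {conn.dst} (rule: {name})")
    return lines


if __name__ == "__main__":
    attempts = [  # constructed connection attempts
        Connection("10.10.5.7", "10.10.1.10", "tcp", 445),      # user -> file server
        Connection("198.51.100.9", "10.10.1.10", "tcp", 445),   # Internet -> file server
        Connection("198.51.100.9", "192.0.2.10", "tcp", 443),   # Internet -> public web
        Connection("10.10.5.7", "203.0.113.40", "tcp", 443),    # user -> forbidden range
        Connection("10.10.5.7", "198.51.100.53", "udp", 53),    # user -> external DNS
    ]
    print("\n".join(audit(POLICY, attempts)))
```

The external request to the file server and the outbound DNS query both fall through to the final rule, which is the property the text calls "not allowing access to servers that are not required"; anything the administrators did not explicitly permit is denied, and the log line names the rule that decided it.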

Delineation of information flows between network segments. Depending on the nature of the information processed in a particular network segment and on the method of interaction between segments, different options are implemented. The most common is the use of firewalls, which is recommended when organizing interaction between segments via the Internet. As a rule, this method is used when the network already has firewalls designed to control information flows between the internal network and the Internet, which avoids unnecessary costs: the capabilities of the available tools are used more fully.

Protecting the most critical network resources from interference with normal operations is a top priority. The most critical resources in a corporate network are servers. The main way to interfere with their normal functioning is to carry out attacks using vulnerabilities in network hardware and software. Such an attack can be carried out both from an external network (the Internet) and from the internal network, for example, by one of the staff members. The main problem lies not only in the timely detection and registration of an attack, which many tools can do, but also in countering it, since even catching the attacker (based on the registered data) will be little consolation if the corporate network is paralyzed for some time by a successful attack.

Protecting important workstations and resources from unauthorized access has the following features. Until now, many automated systems have worked, and continue to work, relying only on the built-in protective mechanisms of various (usually network) operating systems, which provide sufficient protection (with proper administration) of information on servers. But the number of servers in a corporate network is 1-3% of the total number of workstations on which protected information is processed. At the same time, the vast majority of workstations (approximately 90%) run MS DOS or Windows and have no security measures, since these operating systems contain no built-in security mechanisms.

Thus a situation arises in which important information, access to which is not restricted in any way, can be processed on an unprotected workstation. It is in these cases that additional means of protection are recommended, in particular means of cryptographic protection (including protection of cryptographic keys), regulation and logging of user actions, and differentiation of user rights to access local resources.

The most important information resources are subject to cryptographic protection. Encryption is a reliable way to protect data from being accessed and used by others for their own purposes. The peculiarity of such tools in Russia is that their use is strictly regulated by law. Currently, information products intended for encryption in corporate networks are installed only on those workstations where information of very high importance is stored or electronic cash payments are processed (for example, in Bank-Client systems).

For comprehensive protection of corporate information systems and technologies, it is recommended to use software and hardware tools from large companies, which are able to provide a more complete range of services and facilities in a more technologically advanced manner.

Since information protection in corporations is a complex issue, no means of digital signature and encryption will help if the other components of protection are not considered. Most corporate structures practically do not consider the threat of information leakage through technical channels (power supply systems, telephone lines, engineering structures, devices for covert recording of information, etc.) as real, although, according to a number of organizations involved in information security, this is one of the most common channels of information theft today.

Quality control of information security at sites is the responsibility of organizations that have passed a special examination and are accredited in the general certification system. They bear full legal and financial responsibility for their actions. Currently, there are two categories of organizations on the market for services in this area: those that have a license but are not accredited by the State Technical Commission (now the Federal Service for Technical and Export Control) as a certification body, and those that have both a license and accreditation. The difference is that, although both can conduct inspections, organizations of the first category (most often subcontractors) do not have the right to issue a certificate of conformity and must apply for it to one of the certification bodies or directly to the State Technical Commission.

Each corporate enterprise and bank, depending on the specific conditions of its operation, requires a personalized information security system. The construction of such a system is possible only by firms that have a license for the specified type of activity.

Using the example of a bank: a personalized information security system must be adequate to the level of importance and secrecy of the information. Its cost should not exceed the possible damage from a breach of the security of the protected information; at the same time, overcoming the security system should be economically inexpedient compared to the possible benefit from gaining access to, destroying, modifying or blocking the protected information. To determine whether the cost of the protection system is adequate, the extent of the damage and the probability of its occurrence should be compared with the cost of providing protection. Since the real cost of information is quite difficult to estimate, qualitative expert assessments are often used. Information resources are classified as critical to doing business if they are of particular importance in some matter, and so on.

The level of information security should formally be determined by the confidentiality level of the information being processed and the level of damage from a security breach. Determining the required level of confidentiality is the prerogative of the bank's management. It can vary widely depending on the strategic and tactical goals of the bank, the information processing technology used, the private opinion of management, the composition of the service personnel, the composition of automated tools and many other factors. The requirements of the legislative framework and government agencies are also important when determining the confidentiality level of information.

The degree of information security in automated banking systems is also determined by the specific range of threats to confidentiality. The complete list of threats in the modern computerized world runs to more than one page. A specific assessment of the probability of each threat should be made for the specific banking system.

The software products available on the market today contain an access control system as part of their information security methods. From an organizational point of view, the measures for introducing a new user into the system remain at the discretion of the security service. An example is filling out a form for the right to access the system, which contains a list of functional tasks, a list of operations within a specific functional task, and a list of actions the operator is allowed to perform. The form is approved by the bank management, the security service, and the support service. After these steps, the operator needs to know two passwords to work in the system: the supervisor password for physically logging into the computer and a personal password for logging in.
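The access form just described, as an added example that is not from the original article or any bank's system: the operator's grants are kept as the form's three lists (functional task, operations within it, permitted actions), a form is accepted only with all three approvals, and every decision, denied attempts included, is written to an audit log. The operator names, tasks and approver names are constructed.

```python
"""Access-control model behind the access request form: the form grants an
operator, per functional task, a set of operations and the actions permitted
within each, and is valid only once management, the security service and the
support service have approved it. Every decision is written to an audit log
(the 'logging and accounting' mechanism). Added illustration with constructed
data, not a real bank's system."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set

# Functional task -> operation -> set of permitted actions, mirroring the
# three lists on the access form.
Grants = Dict[str, Dict[str, Set[str]]]

REQUIRED_APPROVERS = {"management", "security service", "support service"}


@dataclass
class AccessForm:
    operator: str
    grants: Grants
    approved_by: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class AuditRecord:
    when: str
    operator: str
    task: str
    operation: str
    action: str
    decision: str
    reason: str


class AccessController:
    def __init__(self) -> None:
        self.forms: Dict[str, AccessForm] = {}
        self.audit: List[AuditRecord] = []

    def enroll(self, form: AccessForm) -> None:
        """Accept a form only when every required signature is present."""
        missing = REQUIRED_APPROVERS - form.approved_by
        if missing:
            raise ValueError(f"form for {form.operator} lacks approval from {sorted(missing)}")
        self.forms[form.operator] = form

    def check(self, operator: str, task: str, operation: str, action: str) -> bool:
        """Decide one request by walking task -> operation -> action, and
        record the decision with its reason, denied attempts included."""
        form = self.forms.get(operator)
        if form is None:
            decision, reason = "deny", "operator not enrolled"
        elif task not in form.grants:
            decision, reason = "deny", "functional task not granted"
        elif operation not in form.grants[task]:
            decision, reason = "deny", "operation not granted within task"
        elif action not in form.grants[task][operation]:
            decision, reason = "deny", "action not permitted for operation"
        else:
            decision, reason = "allow", "matches approved form"
        self.audit.append(AuditRecord(datetime.now(timezone.utc).isoformat(),
                                      operator, task, operation, action, decision, reason))
        return decision == "allow"

    def denied(self) -> List[AuditRecord]:
        """Denied attempts are what the security administrator reviews."""
        return [r for r in self.audit if r.decision == "deny"]


def demo() -> AccessController:
    """Constructed scenario: a payments operator who may view and create
    payment orders but only view the register, and a colleague whose form was
    never signed by the security service."""
    ac = AccessController()
    ac.enroll(AccessForm("operator01",
                         {"payments": {"payment order": {"view", "create"},
                                       "register": {"view"}}},
                         set(REQUIRED_APPROVERS)))
    try:
        ac.enroll(AccessForm("operator02", {"payments": {"register": {"view"}}},
                             {"management", "support service"}))
    except ValueError:
        pass  # unsigned form: the operator is never granted access
    ac.check("operator01", "payments", "payment order", "create")
    ac.check("operator01", "payments", "register", "delete")
    ac.check("operator01", "loans", "contract", "view")
    ac.check("operator02", "payments", "register", "view")
    return ac


if __name__ == "__main__":
    for rec in demo().audit:
        print(f"{rec.when} {rec.operator} {rec.task}/{rec.operation}/{rec.action}: "
              f"{rec.decision} ({rec.reason})")
```

The reason string in each audit record distinguishes a missing task from a missing operation or action, which is what makes the log useful when the security service later asks why an operator was refused or, more importantly, why an operator was allowed.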

In most cases, computer crimes are committed by bank employees. Some banks prefer to employ their own staff of software developers. The system developer knows everything about the system and all its weak points; he knows how to modify information so that no one finds out about it. No one can maintain the system better than he can. As practice shows, computer crimes are facilitated by violation of the regulations and rules for archiving information.

Currently, society as a whole depends on computers, so today the problem of information security is a problem for the whole society.

Information protection has become an independent, dynamically developing branch of science, engineering and technology. Modern trends in information protection follow the general trends in the development of computer systems and technologies: integration, standardization, portability, transparency.

Developments in the field of information security continue to evolve rapidly. The demand for software products with a guarantee of information security is increasing. Network problems remain the most pressing.

In the near future, an increase in the number of corporate information systems is expected, as the country's leadership has set a course for the formation of a digital economy aimed at increasing the efficiency of all industries through the use of information technologies¹, which means that the need to protect the information processed in them also increases.

Konstantin Samatov
Head of the Information Protection Department of TFOMS of the Sverdlovsk region, member of the Association of Information Security Service Managers, teacher of information security at URTK im. A.S. Popova

Basic Concepts

The concept of “corporate information system” (CIS) is contained in Art. 2 of the Federal Law of April 6, 2011 No. 63-FZ “On Electronic Signature”. A CIS is understood as an information system in which the participants in electronic interaction make up a defined circle of persons. This circle of persons participating in the information exchange can be made up not only of the structural divisions of the organization that operates the CIS, but also of its counterparties. The only important thing is that the composition and the number of participants are strictly defined.

An information system operator is a citizen or legal entity engaged in operating an information system, including processing the information contained in its databases (Article 2 of the Federal Law of July 27, 2006 No. 149-FZ “On Information, Information Technologies and Information Protection”).

An information system is understood as the totality of information contained in databases and the information technologies and technical means that ensure its processing (Article 2 of the Federal Law of July 27, 2006 No. 149-FZ “On Information, Information Technologies and Information Protection”). Therefore, it is necessary to consider the issue of information protection in CIS by determining what information is subject to protection.

Information to be protected in the corporate information system

Current legislation divides information into two types: publicly available information and restricted-access information (Part 2, Article 5 of Federal Law No. 149-FZ of July 27, 2006 “On Information, Information Technologies and Information Protection”). Restricted information can be divided into two large groups: state secrets and confidential information.

A state secret is information protected by the state in the field of its military, foreign policy, economic, intelligence, counterintelligence and operational-search activities, the dissemination of which could harm the security of the Russian Federation (Article 2 of the Law of the Russian Federation of July 21, 1993 No. 5485-1 “On State Secrets”). Based on the author's practice, this group of information causes, as a rule, the fewest problems (compared to other types of secrets). The list of such information is specific, and the processing procedure is strictly regulated. Before processing information constituting a state secret, the organization must obtain the appropriate license. Sanctions for violating the processing procedure are strict. In addition, the number of entities holding such information is small.


Confidential information includes about 50 types of secrets, the most common of which are commercial secrets and personal (family) secrets, a subtype of which is personal data.

Personal data are almost always present in the CIS. In particular, any organization that has at least one employee, or the passport data of at least one client, is a personal data operator within the meaning of Federal Law No. 152-FZ of July 27, 2006 “On Personal Data”. That is, if customer data is processed in a corporate CRM system (for example, full name and delivery address), or this data sits in an MS Excel file on a workstation, we can say with confidence that personal data are processed in the CIS and, therefore, the organization is obliged to comply with the requirements for their protection. In practice, the managers of most organizations do not understand this and believe that they do not process personal data, and therefore take no measures to protect information until an incident occurs.

In addition to personal data, almost any CIS contains information that has actual or potential value because it is unknown to third parties and whose disclosure or uncontrolled transfer the organization seeks to avoid (trade secrets). In practice, it is common for the list of such information to exist exclusively in the mind of the manager or owner of the organization.


Taking into account the above, the issue of adopting a set of measures in the organization to protect information processed in the corporate information system becomes relevant.

Information protection measures in the corporate information system

There are three main groups of measures:

1. Organizational (organizational and legal) measures. Preparation of organizational and administrative documentation on information security issues: instructions, regulations, orders, guidelines. The goal is to streamline business processes and comply with the requirements of internal and external regulation (so-called “compliance”, “paper security”). This type of measure can be called basic, since:

  • the trade secret regime is established solely by taking the organizational measures listed in Part 1 of Art. 5 of the Federal Law of July 29, 2004 No. 98-FZ “On Trade Secrets”;
  • in the case of personal data, the main goal of protection today is often to successfully pass inspections by the so-called “regulators” (Roskomnadzor, FSTEC of Russia, FSB of Russia).

Hence the term “paper security”, which has become widespread among security specialists.

Because, as noted above, the list of information constituting a trade secret often exists only in the mind of the manager or owner, personnel frequently transfer information stored in the CIS unintentionally (send it to a participant in the information exchange for whom it is not intended) or disclose it (post it in open access). Moreover, in the absence of an approved list of information constituting a trade secret, it is impossible to bring an employee to disciplinary liability for these actions.

2. Technical measures. Technical information protection includes four groups of measures:

  1. Engineering and technical protection. Its purpose is to protect against physical penetration of an intruder into objects where technical information systems are located (automated workstations, servers, etc.). Protection against penetration is achieved through the use of engineering structures: fences, doors, locks, turnstiles, alarms, video surveillance, etc.
  2. Protection against unauthorized access to information. The purpose of this group of measures is to prevent unauthorized access directly to the information processed in the information system. It is implemented through the following activities:
    • access control (passwords, assignment of powers);
    • registration and accounting (logging);
    • firewalling;
    • antivirus protection;
    • use of intrusion detection (prevention) tools.
  3. Protection against leaks through technical channels. The goal is to protect information from leaks through technical channels (visual, auditory, side electromagnetic radiation) during information processing in the CIS. It is implemented using the following measures:
    • equipping windows with blinds (curtains);
    • the use of means of protection against leakage through acoustic channels, so-called vibroacoustic jammers;
    • the use of special filters to protect against unwanted electromagnetic radiation and interference. However, these measures are in practice only necessary for state information systems or information systems in which state secrets are processed.
  4. Cryptographic information protection. The use of cryptographic information protection tools has gained considerable momentum in recent years, largely due to the active development of corporate electronic document management systems and the use of electronic signatures in them as a mechanism for ensuring the integrity of information. In practice, mechanisms for cryptographic transformation of information are used, first of all, to ensure the confidentiality of information stored in databases or on workstations, and also to protect information during exchange (in transmission). In fact, only by means of cryptographic transformation is it possible to fully build VPNs (Virtual Private Networks).

3. Moral and ethical measures are intended to prevent or at least minimize the disclosure of restricted information by CIS users.
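The integrity mechanism from item 4 above (cryptographic protection), as an added example that is not from the original article: a record exchanged between CIS participants is sealed with a keyed hash over a canonical serialization and verified in constant time. This is the symmetric-key form of the guarantee the text attributes to electronic signatures; a signature proper would use an asymmetric key pair so that a verifier cannot also forge tags. The payment-order record is constructed and the key is generated at run time.

```python
"""Integrity protection for a record exchanged between CIS participants,
using a keyed hash (HMAC-SHA256) over a canonical serialization. Added
illustration with a constructed record; the key is generated at run time and
is not anyone's real key. An electronic signature in the legal sense would
replace the shared key with an asymmetric key pair."""
import hashlib
import hmac
import json
import secrets
from typing import Any, Dict, Tuple


def canonical(record: Dict[str, Any]) -> bytes:
    """Serialize deterministically: key order and whitespace must not affect
    the tag, otherwise an equivalent but differently formatted record would
    fail verification (or a reformatted forgery would pass)."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def seal(key: bytes, record: Dict[str, Any]) -> Dict[str, Any]:
    """Return the record together with its integrity tag."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"payload": record, "tag": tag}


def verify(key: bytes, sealed: Dict[str, Any]) -> bool:
    """Recompute the tag and compare in constant time, so timing does not
    reveal how many leading bytes of a forged tag were correct."""
    expected = hmac.new(key, canonical(sealed["payload"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def demo() -> Tuple[bool, bool, bool]:
    """Constructed payment order: verification passes on the original, fails
    after the amount is altered, and fails for a record sealed under a
    different key."""
    key = secrets.token_bytes(32)
    order = {"order_id": "PO-0001", "payee": "Contractor LLC",
             "amount": "15000.00", "currency": "RUB"}
    sealed = seal(key, order)
    intact = verify(key, sealed)

    # An intermediary changes the amount but cannot recompute the tag.
    tampered = {"payload": dict(sealed["payload"], amount="150000.00"),
                "tag": sealed["tag"]}
    tampered_ok = verify(key, tampered)

    # The same record sealed by someone holding a different key.
    other = seal(secrets.token_bytes(32), order)
    other_ok = verify(key, other)
    return intact, tampered_ok, other_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The canonicalization step is the part most often skipped in practice: without it, two participants serializing the same record with different key order would disagree on the tag, and a tag would then be bound to a byte layout rather than to the information the document is meant to protect.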


According to various studies, employees account for 80 to 95% of information leaks, while the vast majority (about 90% of leaks) are not associated with intentional actions.

Moral and ethical measures are inextricably linked with personnel security and include hiring qualified personnel, control measures, detailed job descriptions, personnel training, strict access control, and ensuring security when dismissing employees. According to the author, the key is to train personnel in information security rules, which should be carried out at set intervals. In particular, the author annually prepares an order providing for quarterly training of the employees of the organization in which he works.

In addition, to prevent information leaks by personnel through communication channels (e-mail, messengers, social networks) there is a whole class of information protection systems called “DLP systems” (Data Loss/Leak Protection/Prevention), generally referred to as leak prevention systems. These systems are currently one of the popular solutions for monitoring personnel, used by managers of both information security and economic security services. Most systems of this class on the market allow not only monitoring and blocking of electronic communication channels, but also monitoring of user activity, which makes it possible to identify employees who use their working time irrationally: they arrive late and leave early, “sit” on social networks, play computer games, or do work for themselves.
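The content-inspection core of such a DLP system, as an added example that is not from the original article or any DLP product: each outbound message is checked against a few detectors (a trade-secret marking, a simplified passport-number layout, a payment-card number validated with the Luhn checksum), and the verdict depends on whether any recipient is outside the organization. The mail domain, the messages and the detector patterns are constructed; the passport layout in particular is a stand-in, not a legal definition.

```python
"""Content inspection for outbound messages, the detection core of a DLP
system. Added illustration with constructed messages, domains and detectors;
it is not any product's rule set, and the passport and card patterns are
simplified detectors rather than legal definitions."""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

INTERNAL_DOMAINS = {"corp.example"}  # constructed corporate mail domain


@dataclass(frozen=True)
class Message:
    sender: str
    recipients: Tuple[str, ...]
    subject: str
    body: str


def luhn_ok(digits: str) -> bool:
    """Checksum used by payment card numbers; filters out random digit runs
    that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def has_card_number(text: str) -> bool:
    for m in re.finditer(r"\b(?:\d{4}[ -]?){3}\d{4}\b", text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return True
    return False


# Detector name -> predicate over the message text.
DETECTORS: List[Tuple[str, Callable[[str], bool]]] = [
    ("trade-secret marking",
     lambda t: re.search(r"\b(trade secret|коммерческая тайна)\b", t, re.IGNORECASE) is not None),
    ("passport number",  # constructed 'NN NN NNNNNN' layout
     lambda t: re.search(r"\b\d{2} \d{2} \d{6}\b", t) is not None),
    ("payment card number", has_card_number),
]


def findings(msg: Message) -> List[str]:
    text = f"{msg.subject}\n{msg.body}"
    return [name for name, pred in DETECTORS if pred(text)]


def external_recipients(msg: Message) -> List[str]:
    return [r for r in msg.recipients
            if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def decide(msg: Message) -> Tuple[str, List[str]]:
    """block: restricted content leaving the organization; alert: restricted
    content moving internally (logged for review); allow: nothing detected."""
    hits = findings(msg)
    if not hits:
        return "allow", hits
    if external_recipients(msg):
        return "block", hits
    return "alert", hits


SAMPLE_MESSAGES = [  # constructed traffic
    Message("a@corp.example", ("b@corp.example",), "Lunch", "Canteen at 13:00?"),
    Message("a@corp.example", ("partner@supplier.example",), "Pricing",
            "Attached: pricing model. Коммерческая тайна, do not forward."),
    Message("hr@corp.example", ("b@corp.example",), "New hire",
            "Passport 12 34 567890, please prepare the pass."),
    Message("a@corp.example", ("me@mail.example",), "Card",
            "My card 4111 1111 1111 1111, pay from it."),
    Message("a@corp.example", ("me@mail.example",), "Ticket",
            "Order reference 1234 5678 9012 3456."),
]


def scan(messages: List[Message]) -> List[Tuple[str, str]]:
    return [(m.subject, decide(m)[0]) for m in messages]


if __name__ == "__main__":
    for subject, verdict in scan(SAMPLE_MESSAGES):
        print(f"{verdict:5} {subject}")
```

The last two messages show why a checksum belongs in the detector: both contain sixteen digits in card layout, but only the one that passes Luhn is blocked, which is the difference between a tool staff tolerate and one they learn to route around. The trade-secret detector also makes the text's point about an approved list concrete: it can only match a marking that the organization has actually defined.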

Another trend in personnel security that appeared only a few months ago is systems for monitoring and detecting deviant user behavior, User and Entity Behavior Analytics (UEBA). These systems analyze user behavior and, on that basis, identify current threats to personnel and information security.
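To make concrete what a UEBA system actually computes, here is an added Python example (not part of the original article) that builds a per-user behavioral baseline from constructed access events and flags new events that deviate from it; the event fields, thresholds and sample data are all assumptions.

```python
"""UEBA-style deviation scoring over constructed access events (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    user: str
    hour: int        # hour of day when the action happened (0-23)
    resource: str    # CIS module or data store touched
    bytes_out: int   # volume sent over an external channel (mail, messenger, ...)


def build_baseline(history):
    """Summarise each user's habitual behaviour from historical events.

    The baseline is deliberately simple: usual working hours, the set of
    resources the user normally touches, and the mean/standard deviation of
    outbound volume.  Commercial UEBA products use richer models, but the
    idea (profile first, then compare) is the same.
    """
    per_user = defaultdict(list)
    for ev in history:
        per_user[ev.user].append(ev)
    baseline = {}
    for user, evs in per_user.items():
        volumes = [e.bytes_out for e in evs]
        baseline[user] = {
            "hours": {e.hour for e in evs},
            "resources": {e.resource for e in evs},
            "mean_bytes": mean(volumes),
            "std_bytes": pstdev(volumes),
        }
    return baseline


def score_event(event, baseline, z_threshold=3.0):
    """Return the list of reasons an event deviates from the user's baseline.

    An empty list means the event looks like the user's normal behaviour.
    A user with no history is itself a deviation (new or dormant account).
    """
    profile = baseline.get(event.user)
    if profile is None:
        return ["no behavioural history for user"]
    reasons = []
    if event.hour not in profile["hours"]:
        reasons.append(f"unusual hour {event.hour:02d}:00")
    if event.resource not in profile["resources"]:
        reasons.append(f"first access to resource '{event.resource}'")
    mean_b, std = profile["mean_bytes"], profile["std_bytes"]
    if std == 0:
        spike = event.bytes_out > 2 * mean_b      # no spread in history: use a simple ratio
    else:
        spike = (event.bytes_out - mean_b) / std > z_threshold
    if spike:
        reasons.append(f"outbound volume {event.bytes_out} far above mean {mean_b:.0f}")
    return reasons


def detect(history, new_events, z_threshold=3.0):
    """Run the detector; return {event: reasons} for the deviating events only."""
    baseline = build_baseline(history)
    findings = {}
    for ev in new_events:
        reasons = score_event(ev, baseline, z_threshold)
        if reasons:
            findings[ev] = reasons
    return findings


# Constructed sample data: an accountant's routine in the ERP finance module,
# followed by three new events to be scored against it.
HISTORY = [
    Event("ivanova", h, "erp_finance", size)
    for h, size in zip([9, 10, 11, 14, 15, 16, 9, 10, 14, 15],
                       [120, 150, 130, 160, 140, 150, 110, 130, 160, 150])
]
NEW_EVENTS = [
    Event("ivanova", 10, "erp_finance", 140),             # routine work
    Event("ivanova", 2, "hr_personal_data", 9_000_000),   # night, new module, huge upload
    Event("contractor_x", 12, "erp_finance", 100),        # account never seen before
]

if __name__ == "__main__":
    for ev, reasons in detect(HISTORY, NEW_EVENTS).items():
        print(ev.user, "->", "; ".join(reasons))
```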

Thus, the vast majority of corporate information systems process personal data and trade secrets, and accordingly all of them require protection. Almost always, especially in the commercial sector, information security requirements conflict with the convenience of employees and with the funding of these activities. In this work the author considers a minimum set of measures aimed at protecting information in any CIS. This list of measures does not require unique knowledge and is available for practical use by almost any information technology specialist. In addition, most of the proposed measures do not require significant financial outlay.

___________________________________________
1 Address of the President of the Russian Federation to the Federal Assembly of the Russian Federation dated December 1, 2016.

Expert Column

Perimeter: is there anything left to protect?

Alexei Lukatsky

Business consultant on information security

We are quite conservative in our area. We are very dependent on authorities, on approaches, on products, and on terms and definitions that have not changed for years. The information security perimeter is precisely the term that, unfortunately, is so outdated that it is almost impossible to use it anymore. Moreover, we do not even fully know what the information security perimeter is. Some people perceive the perimeter as a connection point to the Internet, however funny that may sound in the context of geometry, where a perimeter is still a closed line. Some people perceive the perimeter as a line that outlines a corporate or departmental network. Some people perceive the perimeter as a set of devices that have access to the Internet.

But each of these definitions obviously has its pros and cons, and they are all different. How should we perceive the situation even in such a seemingly simple case as a segment of an industrial network, perhaps even physically isolated from the outside world, if a contractor's representative came there with a laptop connected to the Internet via a 3G modem? Do we have a perimeter here or not? What if we look at a situation where an employee with a mobile device connects to an external cloud that stores confidential company data, or runs an application that processes this data? Is there a perimeter here or not? What if an employee connected from his personal device to someone else's cloud provider infrastructure, where the company's information is stored? Where is the perimeter in such a situation?

Well, let’s say our mobile devices belong to the company, and the clouds belong to the provider. At the same time, the maximum that we can know is our piece of the cloud in which we locate our servers, our applications, our data. But who has access to them from the outside, from the cloud provider, from its other clients? In such a situation, it is generally impossible to outline the perimeter. And this means that no matter how much we want, we are forced to change our approaches to what we used to call perimeter defense. For example, in some companies, management adheres to the rule that a company employee can work at any time from anywhere in the world from any device. In such a concept, of course, there cannot be a perimeter in the commonly used sense, and this forces us to protect in a completely different way, no, not the perimeter, but the Internet connection! Are you ready for the new reality?


THE CONCEPT OF INFORMATION SECURITY

Information security (IS) refers to the security of information and supporting infrastructure from accidental or intentional impacts of a natural or artificial nature aimed at causing damage to the owners or users of information and supporting infrastructure. Three main categories of subjects need information security: government organizations, commercial structures, and individual entrepreneurs.


Availability (the ability to obtain the required information service in a reasonable time); integrity (relevance and consistency of information, its protection from destruction and unauthorized changes); confidentiality (protection from unauthorized access).


Access to information means familiarization with information, its processing, in particular copying, modification or destruction of information. Authorized access to information is access to information that does not violate the established rules of access control. Unauthorized access to information is characterized by a violation of established access control rules. An attack on an information system (network) is an action taken by an attacker to find and exploit a particular system vulnerability.




Constructive, when the main purpose of unauthorized access is to obtain a copy of confidential information, i.e. the impact is of an intelligence-gathering nature; destructive, when unauthorized access leads to the loss (change) of data or termination of the service.


Harmonization of national legislation on combating computer crime with the requirements of international law; high professional training of law enforcement, from the investigator to the judicial system; cooperation and a legal mechanism for interaction between the law enforcement agencies of different states.


STAGES OF DEVELOPMENT OF COMPUTER CRIME

1. The use of information technology in the commission of traditional criminal offenses such as theft, harm and fraud.

2. The emergence of specific computer crimes.

3. The development of computer crime into computer terrorism and extremism.

4. Transformation of computer terrorism and extremism into information wars.


MEASURES AND MEANS AT THE SOFTWARE AND TECHNICAL LEVEL

· the use of secure virtual private networks (VPN) to protect information transmitted over open communication channels;

· the use of firewalls to protect the corporate network from external threats when connecting to public communication networks;

· access control at the user level and protection against unauthorized access to information;

· guaranteed identification of users through the use of tokens;

· protecting information at the file level (by encrypting files and directories);

· protection against viruses using specialized antivirus prevention and protection complexes;

· technologies for intrusion detection and active research into the security of information resources;

· cryptographic data transformation to ensure the integrity, authenticity and confidentiality of information.


ORGANIZATIONAL AND ECONOMIC SECURITY

· Standardization of methods and means of information protection.

· Certification of computer systems and networks and their means of protection.

· Licensing of activities in the field of information protection.

· Insurance of information risks associated with the functioning of computer systems and networks.

· Monitoring the actions of personnel in protected information systems.

· Organizational support for the functioning of information protection systems.


LEGAL SECURITY

Federal Law of the Russian Federation dated July 27, 2006 N 149-FZ "On Information, Information Technologies and Information Protection" regulates legal relations arising in the formation and use of documented information and information resources and in the creation of information technologies, automated or automatic information systems and networks; it determines the procedure for protecting information resources, as well as the rights and obligations of the subjects participating in informatization processes.

BELARUSIAN STATE UNIVERSITY

Final work on
"Basics of information technology"

Master's student

Department of Cybernetics

Kozlovsky Evgeniy

Leaders:

Associate Professor Anishchenko Vladimir Viktorovich,

Senior Lecturer Kozhich Pavel Pavlovich

Minsk - 2008

ERP – Enterprise Resource Planning System

MRP – Material Requirement Planning

MRP II – Manufacturing Resource Planning

SW – software

CIS – corporate information systems

SVT – computer facilities

NSD – unauthorized access

Corporate information systems have become a part of our lives. In the modern world, it is quite difficult to imagine a successfully developing enterprise managed without the participation of such a system.

Due to the fact that corporate information systems store information, violation of the integrity or confidentiality of which can lead to the collapse of an entire enterprise, the issue of protecting information in corporate information systems is acute.

This work sets several goals. One of them is the analysis of the structure of corporate information systems, on the basis of which their classification will be carried out. Another goal is to study the data protection mechanisms in various classes of corporate information systems. A further goal is to investigate the existing threats to corporate information systems and analyze methods for minimizing or completely eliminating them. In this regard, existing access control methods will be studied and their applicability under particular conditions analyzed.

The term corporation comes from the Latin word corporatio, meaning union. A corporation is an association of enterprises operating under centralized control and solving common problems. As a rule, corporations include enterprises located in different regions and even in different countries (transnational corporations).

Corporate information systems (CIS) are integrated management systems for a geographically distributed corporation, based on in-depth data analysis, widespread use of decision-making information support systems, electronic document management and office work.

Reasons for implementing corporate information systems:

· prompt access to reliable and conveniently presented information;

· creation of a unified information space;

· simplification of data registration and processing;

· getting rid of double registration of the same data;

· registration of information in real time;

· reduction of labor costs, their equal distribution among all participants in the accounting, planning and management system;

· automation of data consolidation for a distributed organizational structure.

All corporate information systems can be divided into two large subgroups. One of them includes single systems assembled on a modular basis with a high level of integration. The other is a set of heterogeneous applications that are integrated with each other through services and interfaces.

The first class mainly includes modern ERP systems.

ERP system (Enterprise Resource Planning System) is a corporate information system designed to automate accounting and management. As a rule, ERP systems are built on a modular basis and, to one degree or another, cover all the key processes of the company.

Historically, the ERP concept has become a development of the simpler concepts of MRP (Material Requirement Planning) and MRP II (Manufacturing Resource Planning). The software tools used in ERP systems allow for production planning, modeling the flow of orders and assessing the possibility of their implementation in the services and departments of the enterprise, linking it with sales.

ERP systems are based on the principle of creating a single data warehouse containing all corporate business information and providing simultaneous access to it for any required number of enterprise employees vested with appropriate authority. Data changes are made through the functions (functionality) of the system. The main functions of ERP systems are:

· maintaining design and technological specifications that determine the composition of manufactured products, as well as the material resources and operations necessary for their manufacture;

· formation of sales and production plans;

· planning the requirements for materials and components, and the timing and volumes of supplies needed to fulfill the production plan;

· inventory and procurement management: maintaining contracts, implementing centralized procurement, ensuring accounting and optimization of warehouse and workshop inventories;

· production capacity planning, from large-scale planning to the use of individual machines and equipment;

· operational financial management, including drawing up a financial plan and monitoring its implementation, and financial and management accounting;

· project management, including planning of stages and resources.

Such systems usually have a core consisting of several key modules without which the system cannot operate. Among others, this set includes a security subsystem, which takes on most of the functions related to protecting information in the system as a whole and in each of the built-in modules in particular. This approach is very convenient for several reasons:

Mechanisms for ensuring confidentiality, integrity and availability of data in such a system are maximally unified. This allows administrators to avoid mistakes when configuring various system modules, which could lead to security holes.

The system has a high level of centralization and allows you to easily and reliably manage the protection of your corporate information system.

The advantages of such systems include:

Using an ERP system allows you to use one integrated program instead of several separate ones.

The information access control system implemented in ERP systems is designed (in combination with other enterprise information security measures) to counter both external threats (for example, industrial espionage) and internal ones (for example, theft).

A study of universities in the union state, mainly state-owned, showed that in the most automated area, finance, 42% of them either use only office applications or work the old-fashioned way, on paper. But even where the level of automation is relatively high, the modules, as a rule, are not interconnected in any way. And there should be about ten such subsystems: financial planning, real estate management, project management, quality management, reporting, an instrumental environment, etc. When developing each of them, labor costs alone will amount, by the most conservative estimates, to approximately 25 thousand dollars. Taking into account that 25-40% of all costs of creating a software product are spent on development, the resulting estimate must be increased by at least 2.5 to 4 times. Support for the implemented system will cost another 140-240 thousand dollars annually. So the opinion that in-house development is cheap is an illusion that arises in the absence of effective cost controls.

Modern ERP systems can be quite successfully adapted to the work of educational institutions. However, it is worth noting that when implementing such systems, it is necessary to take into account some features inherent in the information systems of such institutions.

The presence of several specialized subsystems that solve fairly independent problems. The data used by each of the subsystems is highly specialized, i.e. independent from other information system applications. For example, within a university, one can distinguish the subsystems of accounting, library, editorial and publishing department, applications for processing the educational process, etc. On the other hand, all subsystems are located in the same information space and are interconnected (a single system of reference data, the result of the work of one application serves as the basis for the functioning of another, etc.).

The requirement to publish a significant part of the information system's data, with the provision of access interfaces to corporate information system data for third-party users.

The second class of systems is, in my opinion, much more susceptible to security gaps caused by errors in the applications' security configuration. As already noted, despite a certain degree of integration, such systems are in fact a set of separate independent products. Accordingly, each of them uses its own approaches to ensuring data integrity, confidentiality and availability and requires separate configuration. If we also take into account that parts of such a system are not always compatible with each other, it becomes obvious that in order for the applications to work together it is sometimes necessary to sacrifice security. The decentralization of such systems often makes it impossible for administrators to monitor the delimitation of access rights across the system.

Before considering the vulnerabilities of a corporate information system, we will introduce several definitions.

Access to information means familiarization with information and its processing, in particular the copying, modification or destruction of information.

A distinction is made between authorized and unauthorized access to information.

Authorized access to information is access that does not violate the established rules of access control.

Access control rules serve to regulate the access rights of access subjects to access objects.

Unauthorized access to information is characterized by a violation of the established access control rules. A person or process that gains unauthorized access to information is violating the rules of access control. Unauthorized access is the most common type of computer violation.
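The definitions above can be made concrete with a small reference monitor, added here as an illustration (not code from the thesis): every access request is checked against an explicit set of access control rules, and any request that violates them is registered as unauthorized access. The subjects, objects and rules are constructed.

```python
"""A minimal reference monitor for the access-control definitions above (added example)."""
from dataclasses import dataclass, field
from enum import Enum


class Op(Enum):
    """The operations the text counts as 'access to information'."""
    READ = "read"       # familiarization with the information
    COPY = "copy"
    MODIFY = "modify"
    DESTROY = "destroy"


@dataclass(frozen=True)
class Rule:
    subject: str      # active component: a user or a process
    obj: str          # passive component: a file, table or document
    ops: frozenset    # operations this rule authorizes for that pair


@dataclass
class ReferenceMonitor:
    rules: list
    audit_log: list = field(default_factory=list)

    def is_authorized(self, subject, obj, op):
        """Authorized access is access that does not violate any established rule,
        i.e. some rule explicitly grants this operation to this subject on this object."""
        return any(r.subject == subject and r.obj == obj and op in r.ops
                   for r in self.rules)

    def request(self, subject, obj, op):
        """Mediate one access request; every decision is registered for later review."""
        allowed = self.is_authorized(subject, obj, op)
        self.audit_log.append({"subject": subject, "object": obj, "op": op.value,
                               "result": "authorized" if allowed else "UNAUTHORIZED"})
        return allowed

    def violations(self):
        """The unauthorized access attempts recorded so far."""
        return [e for e in self.audit_log if e["result"] == "UNAUTHORIZED"]


def build_demo_monitor():
    """Constructed rule set for a small ERP: an accountant, an auditor and a payroll job."""
    rules = [
        Rule("accountant", "ledger", frozenset({Op.READ, Op.MODIFY})),
        Rule("auditor", "ledger", frozenset({Op.READ, Op.COPY})),
        Rule("payroll_job", "salaries", frozenset({Op.READ, Op.MODIFY})),
        Rule("accountant", "salaries", frozenset({Op.READ})),
    ]
    return ReferenceMonitor(rules)


def run_demo():
    rm = build_demo_monitor()
    requests = [
        ("accountant", "ledger", Op.MODIFY),     # authorized: correction of a record
        ("auditor", "ledger", Op.MODIFY),        # unauthorized: auditor may only read/copy
        ("accountant", "salaries", Op.COPY),     # unauthorized: copying salaries not granted
        ("intern", "ledger", Op.READ),           # unauthorized: no rule for this subject
        ("payroll_job", "salaries", Op.MODIFY),  # authorized access by a process
    ]
    results = [rm.request(*r) for r in requests]
    return results, rm.violations()


if __name__ == "__main__":
    decisions, violations = run_demo()
    print("decisions:", decisions)
    for v in violations:
        print("violation:", v)
```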

Data privacy is the status given to data and determines the degree of protection required. Essentially, information confidentiality is the property of information to be known only to admitted and verified (authorized) subjects of the system (users, processes, programs). For other subjects of the system, this information should be unknown.

A subject is an active component of the system that can cause a flow of information from an object to a subject or a change in the state of the system.

An object is a passive component of the system that stores, receives or transmits information. Accessing an object means accessing the information it contains.

Information integrity is ensured if the data in the system does not differ semantically from the data in the source documents, i.e. if there has been no accidental or intentional distortion or destruction.

The integrity of a system component or resource is the property of the component or resource to remain unchanged in the semantic sense when the system operates under conditions of random or intentional distortion or destructive influence.

The availability of a system component or resource is the property of the component or resource to be accessible to authorized legitimate subjects of the system.

A security threat to a corporate information system means possible impacts on it that may directly or indirectly damage the security of such a system.

Security damage means a violation of the security of the information contained in and processed by corporate information systems. The concept of vulnerability of corporate information systems is closely related to the concept of a security threat.

A vulnerability of a corporate information system is a property of the system that makes the emergence and implementation of a threat possible.

An attack on a computer system is an action taken by an attacker that consists of searching for and exploiting a particular system vulnerability. Thus, an attack is the implementation of a security threat.

Countering security threats is the goal of protecting information processing systems.

A safe or secure system is a system whose security measures successfully and effectively counter security threats.

A set of protective means is the set of software and hardware created and maintained to ensure the information security of a corporate information system. It is created and maintained in accordance with the security policy adopted by the organization.

Security policy is a set of norms, rules and practical recommendations that regulate the operation of means of protecting a corporate information system from a given set of security threats.

A corporate information system, like any information system, is subject to security threats. Let's classify these threats.

1. Violation of the confidentiality of information in corporate information systems.

2. Violation of the integrity of information in corporate information systems.

3. Denial of service to corporate information systems.

Let's take a closer look at these threats.

Confidentiality threats are aimed at disclosing confidential or classified information. When these threats are realized, information becomes known to people who should not have access to it. In computer security terms, a confidentiality threat occurs whenever unauthorized access is gained to some proprietary information stored on a computer system or transmitted from one system to another.

Threats to the integrity of information stored in a computer system or transmitted over a communication channel are aimed at changing or distorting it, leading to a degradation of its quality or its complete destruction. The integrity of information can be violated intentionally by an attacker, as well as a result of objective influences from the environment surrounding the system. This threat is especially relevant for information transmission systems, computer networks and telecommunications systems. Deliberate violations of the integrity of information should not be confused with its authorized change, which is carried out by authorized persons for a justified purpose (for example, the periodic correction of a certain database).

Threats of disruption (denial of service) are aimed at creating situations where certain intentional actions either reduce the performance of the CIS or block access to some of its resources. For example, if one user of the system requests access to a service, and another takes action to block that access, then the first user is denied service. Blocking access to a resource can be permanent or temporary.
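The distinction between an authorized change and a deliberate integrity violation can be shown in code. The following added Python example (not from the thesis) seals each record with an HMAC, in the spirit of the electronic-signature integrity mechanism mentioned earlier: a change made through the system's own update function re-seals the record, while a change that bypasses it leaves a stale seal and is detected on verification. The record layout and the key handling are assumptions.

```python
"""Integrity control for CIS records: authorized change vs. tampering (added example)."""
import hashlib
import hmac
import json
import secrets


class SealedStore:
    """Each record is stored next to an HMAC tag over its canonical form.

    Authorized changes go through `update`, which recomputes the tag and writes
    an audit entry.  A direct write to the `records` dictionary, which is what a
    faulty process or an attacker bypassing the system would do, leaves the old
    tag in place, so `verify` reports the record.  The key is assumed to be held
    by the security subsystem and never handed to ordinary clients.
    """

    def __init__(self, key: bytes):
        self._key = key
        self.records = {}   # record_id -> dict with the business data
        self._tags = {}     # record_id -> hex HMAC over the canonical record
        self.audit = []     # (actor, action, record_id) for every legitimate change

    def _tag(self, record_id, record):
        # Canonical JSON (sorted keys) so that equal content always gives equal tags.
        canonical = json.dumps({"id": record_id, **record}, sort_keys=True).encode()
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()

    def insert(self, record_id, record, actor):
        self.records[record_id] = dict(record)
        self._tags[record_id] = self._tag(record_id, record)
        self.audit.append((actor, "insert", record_id))

    def update(self, record_id, changes, actor):
        """Authorized modification performed through a legitimate function of the system."""
        record = {**self.records[record_id], **changes}
        self.records[record_id] = record
        self._tags[record_id] = self._tag(record_id, record)
        self.audit.append((actor, "update", record_id))

    def verify(self):
        """Return the ids of records whose current content no longer matches the seal."""
        corrupted = []
        for record_id, record in self.records.items():
            expected = self._tags.get(record_id)
            actual = self._tag(record_id, record)
            if expected is None or not hmac.compare_digest(expected, actual):
                corrupted.append(record_id)
        return corrupted


def run_demo():
    store = SealedStore(key=secrets.token_bytes(32))
    # Constructed sample records.
    store.insert("inv-001", {"customer": "ACME", "amount": 1200}, actor="accountant")
    store.insert("inv-002", {"customer": "Globex", "amount": 850}, actor="accountant")

    # Authorized change: a periodic correction made through the system's own function.
    store.update("inv-001", {"amount": 1250}, actor="accountant")
    after_authorized = store.verify()          # expected: nothing reported

    # Integrity violation: the record is altered while bypassing the system function.
    store.records["inv-002"]["amount"] = 85_000
    after_tampering = store.verify()           # expected: ["inv-002"]
    return after_authorized, after_tampering, store.audit


if __name__ == "__main__":
    clean, tampered, audit = run_demo()
    print("after authorized update:", clean or "all records intact")
    print("after direct modification:", tampered)
    print("audit trail:", audit)
```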

Threats can be classified according to several parameters:

· according to the amount of damage caused:

o extreme, beyond which the company may go bankrupt;

o significant, but not leading to bankruptcy;

o insignificant, which the company can compensate for over time.

· according to the probability of occurrence:

o highly probable threat;

o probable threat;

o unlikely threat.

· according to the reasons for their appearance:

o natural disasters;

o intentional actions.

· according to the nature of the damage caused:

o material;

o moral.

· according to the nature of the impact:

o active;

o passive.

· in relation to the object:

o internal;

o external.

Sources of external threats are:

o unfair competitors;

o criminal groups and formations;

o individuals and organizations of the administrative and managerial apparatus.

Sources of internal threats can be:

o the enterprise administration;

o staff;

o technical means supporting production and labor activities.

The ratio of external and internal threats can, on average, be characterized as follows:

82% of threats are committed by the company’s own employees with their direct or indirect participation;

17% of threats are made from outside - external threats;

1% of threats are committed by random individuals.

In most cases, the most dangerous thing in terms of the amount of damage caused is the violation of confidentiality of information. Let's consider possible ways of such violations.

Disclosure is intentional or careless actions with confidential information that lead to its becoming known to persons who were not permitted to know it. Disclosure takes the form of communication, transmission, provision, forwarding, publication, loss and other forms of exchange and action involving business and scientific information. Disclosure occurs through formal and informal channels of information dissemination. Formal channels include business meetings, conferences, negotiations and similar forms of communication, the exchange of official business and scientific documents, and the means of transmitting official information (mail, telephone, telegraph, etc.). Informal channels include personal communication (meetings, correspondence), exhibitions, seminars, conferences and other public events, as well as the mass media (print, newspapers, interviews, radio, television). As a rule, the reason for the disclosure of confidential information is that employees do not know the rules for protecting trade secrets well enough and do not understand (or misunderstand) the need to comply with them carefully. It is important to note that the subject in this process is the source (owner) of the protected secrets. The informational features of this action are also worth noting: the information is meaningful, ordered, reasoned, voluminous and is often delivered in real time, and there is often an opportunity for dialogue. The information is focused on a specific subject area and is documented. To obtain information of interest, the attacker spends almost minimal effort and uses simple legal technical means (dictaphones, video monitoring).

Leakage is the uncontrolled release of confidential information outside the organization or circle of persons to whom it was entrusted.

Information is leaked through various technical channels. It is known that information is generally carried or transmitted either by energy or by matter: it is either an acoustic wave (sound), or electromagnetic radiation, or a sheet of paper (written text), etc. Taking this into account, it can be argued that, by physical nature, the following ways of transferring information are possible: light rays, sound waves, electromagnetic waves, materials and substances. Accordingly, information leakage channels are classified into visual-optical, acoustic, electromagnetic and material. An information leakage channel is usually understood as a physical path from a source of confidential information to an attacker through which the latter can gain access to protected information. For an information leakage channel to form, certain spatial, energy and temporal conditions are required, as well as the presence on the attacker's side of appropriate equipment for receiving, processing and recording information.

Unauthorized access is the unlawful deliberate acquisition of confidential information by a person who does not have the right to access protected secrets. Unauthorized access to sources of confidential information is implemented in different ways: from proactive cooperation, expressed in an active desire to "sell" secrets, to the use of various means of penetrating trade secrets. To carry out these actions, the attacker often has to penetrate the facility or create special control and observation posts near it, stationary or mobile, equipped with the most modern technical means. If we proceed from an integrated approach to ensuring information security, this division focuses on protecting information from disclosure, from leakage through technical channels, and from unauthorized access to it by competitors and attackers. This approach to classifying the actions that contribute to the unlawful acquisition of confidential information shows the versatility of threats and the multifaceted nature of the protective measures necessary to ensure comprehensive information security.

Taking into account the above, it remains to consider the question of what conditions contribute to the unlawful acquisition of confidential information.

Statistically, these are:

Disclosure (excessive talkativeness of employees) - 32%;

Unauthorized access through bribery and inducement to cooperation from competitors and criminal groups - 24%;

Lack of proper control and strict conditions for ensuring information security at the company - 14%;

Traditional exchange of production experience - 12%;

Uncontrolled use of information systems - 10%;

The presence of prerequisites for the emergence of conflict situations among employees - 8%.

The above statistics indicate that the most vulnerable point in the security system of a corporate information system is the employees themselves, who voluntarily or unwittingly commit security violations of the information system.

Based on the methods of impact, all measures to minimize threats are divided into:

Legal (legislative);

Moral and ethical;

Administrative;

Physical;

Hardware and software.

The listed CIS security measures can be considered as a sequence of barriers or boundaries for information protection. In order to get to the protected information, you need to successively overcome several lines of protection. Let's take a closer look at them.

The first line of defense that stands in the way of a person trying to carry out unauthorized access to information is purely legal. This aspect of information protection is associated with the need to comply with legal standards when transmitting and processing information. Legal measures to protect information include laws, decrees and other regulations in force in the country that regulate the rules for handling information of limited use and liability for violations thereof. By doing this, they prevent unauthorized use of information and act as a deterrent to potential violators.

The second line of defense is formed by moral and ethical measures. The ethical aspect of compliance with protection requirements is of great importance. It is very important that people who have access to computers work in a healthy moral and ethical climate.

Moral and ethical countermeasures include all kinds of norms of behavior that have traditionally developed or are developing in society as computers spread in the country. These norms are for the most part not mandatory, like those established by law, but their non-compliance usually leads to a decline in the prestige of a person, group of individuals or organization. Moral and ethical standards can be both unwritten (for example, generally accepted standards of honesty, patriotism, etc.) and formalized in a certain set of rules or regulations. For example, the US Computer Users Association Code of Professional Conduct considers as unethical actions that, intentionally or unintentionally:

Disrupt the normal operation of computer systems;

Cause unjustified costs of resources (computer time, memory, communication channels, etc.);

Violate the integrity of information (stored and processed);

Violate the interests of other legitimate users, etc.

The third barrier that prevents the unauthorized use of information is administrative measures. Administrators of all ranks, taking into account legal norms and social aspects, determine administrative measures for protecting information.

Administrative measures of protection relate to measures of an organizational nature. They regulate:

CIS functioning processes;

Use of CIS resources;

Activities of its personnel;

The order in which users interact with the system in order to make it more difficult or impossible for security threats to occur.

Administrative measures include:

Development of rules for processing information in the CIS;

A set of actions when designing and equipping computer centers and other CIS facilities (taking into account the influence of natural disasters, fires, security of premises, etc.);

A set of actions during the selection and training of personnel (checking new employees, familiarizing them with the procedure for working with confidential information, with penalties for violating the rules for processing it; creating conditions under which it would be unprofitable for personnel to commit abuse, etc.);

Organization of reliable access control;

Organization of recording, storage, use and destruction of documents and media with confidential information;

Distribution of access control details (passwords, powers, etc.);

Organizing covert control over the work of CIS users and personnel;

A set of actions during the design, development, repair and modification of equipment and software (certification of the hardware and software used, strict authorization, review and approval of all changes, checking for compliance with security requirements, documenting changes, etc.).

It is important to note that until effective measures for administrative protection of computers are implemented, other measures will undoubtedly be ineffective. Administrative and organizational protection measures may seem boring and routine compared to moral and ethical measures and lacking specificity compared to hardware and software. However, they represent a powerful barrier to the illegal use of information and a reliable basis for other levels of protection.

The fourth frontier is physical protection measures. Physical protection measures include various mechanical, electrical and electromechanical devices or structures specifically designed to create physical obstacles on the possible routes by which potential violators could penetrate and gain access to system components and protected information.

The fifth frontier is hardware and software protection. These include various electronic devices and special programs that implement, independently or in combination with other means, the following methods of protection:

Identification (recognition) and authentication (verification of identity) of CIS subjects (users, processes);

Restriction of access to CIS resources;

Data integrity control;

Ensuring data confidentiality;

Registration and analysis of events occurring in the CIS;

Redundancy (backup) of CIS resources and components.

Based on the method of implementation, all measures to prevent threats to a corporate information system can be divided as follows.

Table 1. Advantages and disadvantages of various measures to combat CIS threats

Monitoring in its pure form, unfortunately, becomes less applicable the larger the information system. In addition, the question immediately arises of whether collecting such data is advisable at all, because it is almost impossible to process it in a timely manner without creating a separate department dedicated solely to this work. Nor should we forget that most of this data is relevant for only a very short time.

A ban is a very inflexible tool. A ban on the use of removable storage media may give rise to new problems, because half of the departments used them to communicate with the outside world: e-mail imposes restrictions on the size of transferred files, tax authorities accept accounting reports only on floppy disks, etc. In addition, we must not forget about basic working comfort. Employees who feel constantly monitored and who face severe restrictions when working with a computer, the Internet, e-mail or, for example, the telephone become nervous and irritable and accumulate dissatisfaction. Sooner or later this leads either to the loss of a valuable employee or to the employee's attempts to circumvent these restrictions and prohibitions.

From all of the above, we can conclude that it makes no sense to monitor and restrict everything by imposing every conceivable prohibition. It is better to determine the circle of people who, by the nature of their work, need access to confidential information, and then competently set up a system for delimiting access rights, even though maintaining such a system will require painstaking setup and careful maintenance.

Thus, it becomes clear that one of the main steps towards ensuring the confidentiality of information is the delimitation of employee access to the resources of the corporate information system in order to limit the range of information available to a particular employee to the limits necessary for the performance of his official duties.

Let's consider the most relevant access control mechanisms.

The discretionary access control model is determined by two properties:

All subjects and objects have been identified;

Subjects' access rights to system objects are determined on the basis of some rule external to the system.

The main element of discretionary access control systems is the access matrix. The access matrix is a matrix of size |S| × |O|, whose rows correspond to subjects and whose columns correspond to objects. Each element M[s, o] ⊆ R of the access matrix defines the access rights of subject s to object o, where R is the set of access rights.

When using a discretionary access control mechanism, the following requirements apply to it:

The security system must control access of named subjects (users) to named objects (files, programs, volumes, etc.).

For each (subject, object) pair in the computing facility (SVT), an explicit and unambiguous list of permitted access types (read, write, etc.) must be specified, i.e. the types of access that are authorized for a given subject (an individual or a group of individuals) to a given SVT resource (object).

The security system must contain a mechanism that implements discretionary access control rules.

Access control must be applied to every object and every subject (individual or group of equal individuals).

A mechanism that implements the discretionary principle of access control must provide for the possibility of an authorized change of the access control rules (ACR), including an authorized change of the list of SVT users and the list of protected objects.

The right to change the access control rules must be granted to designated subjects (administration, security service, etc.).

Controls must be in place to limit the spread of access rights.

The advantages of a discretionary security policy include the relatively simple implementation of an access control system. This is due to the fact that most currently widespread computer systems ensure compliance with the requirements of this particular security policy.

The disadvantages of a discretionary security policy include the static nature of the access control rules defined in it. This security policy does not take into account the dynamics of changes in the computer system's states. In addition, when using a discretionary security policy, the question arises of how to define the rules for distributing access rights and how to analyze their impact on the security of the computer system. In the general case, a security system that authorizes a subject's access to an object according to a fixed set of rules faces an algorithmically undecidable task: to check whether its actions will lead to a security violation or not.

At the same time, there are models of computer systems that implement discretionary security policies and provide security verification algorithms.

However, in general, a discretionary access control policy does not allow the implementation of a clear and precise system of information protection in a computer system. This motivates the search for other, more advanced security policies.

The mandatory (authoritative) access control model is based on Mandatory Access Control (MAC), which is defined by four conditions:

All subjects and objects of the system are uniquely identified;

A grid of information confidentiality levels has been specified;

Each system object is assigned a confidentiality level that determines the value of the information it contains;

Each subject of the system is assigned an access level that determines the level of trust placed in it within the computer system.

The main goal of a mandatory security policy is to prevent leakage of information from objects with a high confidentiality level to objects with a low confidentiality level, i.e. to counteract the emergence of unfavorable top-down information flows in the computer system.

Multi-level protection models were developed largely to eliminate the shortcomings of matrix models. They formalize the procedure for assigning access rights through so-called sensitivity labels (credentials) attached to access subjects and objects. For an access subject, the label can be determined, for example, by the person's level of clearance for information; for an access object (the data itself), by the confidentiality attributes of the information, which are recorded in the object's label. The access rights of each subject and the confidentiality characteristics of each object are represented as a confidentiality level together with a set of confidentiality categories. The confidentiality level takes one of a strictly ordered series of fixed values, for example: secret, confidential, for official use, unclassified, etc.

The basis for implementing access control is:

A formal comparison of the label of the subject who requested access and the label of the object to which access was requested.

Making decisions about granting access based on certain rules, the basis of which is to counteract the reduction in the level of confidentiality of protected information.

Thus, the multi-level model prevents the possibility of intentional or accidental reduction of the level of confidentiality of protected information. That is, this model prevents information from moving from objects with a high level of confidentiality and a narrow set of access categories to objects with a lower level of confidentiality and a wider set of access categories.

The requirements for the mandatory access control mechanism are as follows:

Each subject and object of access must be associated with classification labels that reflect its place in the corresponding hierarchy (confidentiality labels). These labels assign classification levels to subjects and objects (vulnerability levels, confidentiality categories, etc.), which are combinations of hierarchical and non-hierarchical categories. These labels must serve as the basis for the mandatory principle of access control.

When new data is entered into the system, the security system must request and receive classification labels for this data from the authorized user. When a new subject is authorized to be added to the user list, classification labels must be assigned to him. External classification labels (of subjects, objects) must exactly correspond to internal labels (within the security system).

The security system must implement the mandatory principle of access control in relation to all objects with explicit and hidden access from any of the subjects:

A subject may read an object only if the subject's hierarchical classification level is not lower than the object's hierarchical classification level, and the set of categories in the subject's label includes all the categories in the object's label;

A subject may write to an object only if the subject's hierarchical classification level is not higher than the object's hierarchical classification level, and all the categories in the subject's label are included in the categories of the object's label.

The implementation of the mandatory access control rules must provide for the possibility of maintaining and changing the classification levels of subjects and objects by specially designated subjects.

The SVT must implement an access manager (reference monitor), i.e. a tool that, firstly, intercepts all requests from subjects to objects and, secondly, restricts access in accordance with the specified principle of access control. A decision to authorize an access request must be made only if the request is simultaneously authorized by both the discretionary and the mandatory access control rules. Thus, not only individual acts of access but also information flows must be controlled.
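The access matrix of the discretionary model and the two mandatory rules above (no read up, no write down, with category sets), combined in one reference monitor that authorizes a request only when both layers allow it. This is an added Python example for illustration, not code from the thesis; the subject, object, level and category names are constructed.

```python
"""Toy reference monitor: discretionary access matrix + mandatory sensitivity
labels; a request is allowed only if BOTH authorize it.

Added example for illustration; it is not code from the thesis. Subject,
object, level and category names below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# Strictly ordered confidentiality levels, lowest first.
LEVELS = ("unclassified", "official_use", "confidential", "secret")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """Sensitivity label: hierarchical level + non-hierarchical category set."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True when self is at least as high as other in the lattice:
        level not lower AND categories a superset of other's categories."""
        return (RANK[self.level] >= RANK[other.level]
                and self.categories >= other.categories)


class ReferenceMonitor:
    """Intercepts every (subject, object, right) request and authorizes it
    only if both the discretionary matrix and the mandatory rules allow it."""

    def __init__(self) -> None:
        # Access matrix M: cell (s, o) holds the subset of rights R granted.
        self.matrix: Dict[Tuple[str, str], Set[str]] = {}
        self.subject_labels: Dict[str, Label] = {}
        self.object_labels: Dict[str, Label] = {}

    def grant(self, subject: str, obj: str, *rights: str) -> None:
        """Discretionary grant: an administrator fills a matrix cell."""
        self.matrix.setdefault((subject, obj), set()).update(rights)

    def dac_allows(self, subject: str, obj: str, right: str) -> bool:
        return right in self.matrix.get((subject, obj), set())

    def mac_allows(self, subject: str, obj: str, right: str) -> bool:
        s, o = self.subject_labels[subject], self.object_labels[obj]
        if right == "read":      # no read up: subject label must dominate object label
            return s.dominates(o)
        if right == "write":     # no write down: object label must dominate subject label
            return o.dominates(s)
        return False             # other rights are not covered by these two rules

    def check(self, subject: str, obj: str, right: str) -> bool:
        # Unlabelled subjects or objects are denied: everything must be identified.
        if subject not in self.subject_labels or obj not in self.object_labels:
            return False
        return self.dac_allows(subject, obj, right) and self.mac_allows(subject, obj, right)


def build_demo() -> ReferenceMonitor:
    """Constructed sample policy: a financial analyst, a clerk and an auditor."""
    rm = ReferenceMonitor()
    rm.subject_labels["analyst"] = Label("secret", frozenset({"finance"}))
    rm.subject_labels["clerk"] = Label("official_use")
    rm.subject_labels["auditor"] = Label("secret")   # cleared, but no "finance" category
    rm.object_labels["budget.xls"] = Label("confidential", frozenset({"finance"}))
    rm.object_labels["bulletin.txt"] = Label("unclassified")
    rm.object_labels["ledger.db"] = Label("secret", frozenset({"finance"}))
    # Discretionary grants are deliberately generous; the mandatory layer narrows them.
    rm.grant("analyst", "budget.xls", "read", "write")
    rm.grant("analyst", "bulletin.txt", "read", "write")
    rm.grant("clerk", "budget.xls", "read")
    rm.grant("clerk", "ledger.db", "write")
    rm.grant("auditor", "budget.xls", "read")
    return rm


if __name__ == "__main__":
    rm = build_demo()
    for req in [("analyst", "budget.xls", "read"), ("analyst", "budget.xls", "write"),
                ("clerk", "budget.xls", "read"), ("clerk", "ledger.db", "write"),
                ("auditor", "budget.xls", "read")]:
        print(req, "->", "allow" if rm.check(*req) else "deny")
```

Note that the analyst's discretionary write right on budget.xls is overridden by the mandatory layer, which is exactly the top-down flow the model is meant to block.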

Practice shows that multi-level protection models are much closer to the needs of real life than matrix models and represent a good basis for building automated access control systems. Moreover, since individual categories of the same level are equivalent, a matrix model is still required alongside the multi-level (mandatory) model in order to differentiate between them. Multi-level models make it possible to significantly simplify the administration task. This applies both to the initial setting of a restrictive access policy (such a fine-grained specification of subject-object relationships is not required) and to the subsequent inclusion of new objects and access subjects in the administration scheme.

The information flow delimitation model is based on dividing all possible information flows between system objects into two disjoint sets: a set of favorable information flows and a set of unfavorable information flows. The purpose of implementing the information flow delimitation model is to ensure that unfavorable information flows cannot occur in the computer system.

The information flow delimitation model in most cases is used in combination with other types of mechanisms, for example, with discretionary or mandatory access delimitation models. Implementing a model for delimiting information flows, as a rule, in practice is a difficult task to solve, especially if it is necessary to protect the computer system from the occurrence of unfavorable information flows over time.

Role-based access control is a development of the discretionary access control policy; in this case, the access rights of system subjects to objects are grouped taking into account the specifics of their application, forming roles.

Setting roles allows you to define access control rules that are clearer and more understandable to computer system users. Role-based access control allows you to implement flexible access control rules that change dynamically during the operation of a computer system. Based on role-based access control, mandatory access control can be implemented, among other things.

The purpose of implementing the isolated software environment model is to determine the order of secure interaction between system subjects, ensuring the impossibility of influencing the security system and modifying its parameters or configuration, which could result in a change in the access control policy implemented by the security system.

The isolated software environment (sandbox) model is implemented by isolating system subjects from each other and by controlling the creation of new subjects so that only subjects from a predefined list can become active in the system. At the same time, the integrity of the system objects that affect the functionality of activated subjects must be monitored.

The corporate information environment of the Belarusian State University consists of several dozen applications and services written at different times. Most of them are ActiveX objects, the rest are web applications. In most cases, all of them are independent and do not have built-in tools for organizing interaction. In this case, the obvious choice is the role-based access model, which is a development of the discretionary access control model. The implementation of any other model in the conditions of the corporate information system of the Belarusian State University is almost impossible.

Access to such heterogeneous and poorly integrated systems can be delimited by granting users the right to use particular applications on the basis of their membership in the corresponding groups on the domain controller, and by granting the right to execute stored procedures on the database servers on which all components of the information system run.

Comparing the systems presented, we can say that in an ERP system the system itself takes full responsibility for user authentication and authorization. In addition to traditional password authentication, it offers a wide range of other mechanisms provided by the various enterprise information system models.

The security system of a weakly integrated information system assigns authentication and authorization procedures to the built-in tools of the Microsoft Windows domain controller, which significantly reduces the cost of its operation and ensures fairly reliable operation. However, Microsoft Windows user management tools are not oriented towards such use, and therefore are not entirely convenient for controlling the distribution of access, which negatively affects the security of the corporate information system.

From the above it follows that an application that can centrally manage users' rights to access particular applications will significantly simplify the work of the administrators of the BSU corporate information system and will also allow more thorough monitoring of users' rights to access the data of various applications. This, in turn, will clearly lead to a significant improvement in the effectiveness of the security system.

Thus, I was faced with the task of creating such a system. Let us consider in more detail the features of solving such a problem.

When designing such a system, it is necessary to take into account some features necessary for the normal functioning of both the application itself in particular and the entire corporate information system as a whole.

Because the user management system in Windows Active Directory is used not only to provide access to the resources of the BSU corporate information system, the application must take this into account so that users neither lose the rights they really need nor receive unnecessary powers. For this purpose, the system provides a mechanism for storing a user's a priori rights, i.e. those assigned to him not by this access control system but directly with Windows Active Directory tools.

A similar situation arises in user management on SQL servers. However, as mentioned above, the BSU mechanism for delimiting access rights to SQL server resources is built on a role basis, which means there is no need to store data about the user's access rights to each object of a particular SQL server: all this data is stored in the group rights on the server. Thus, the access control system only needs to store the server name, the database name and the name of the user role.

Let's take a closer look at the access distribution system.

This system is a web application implemented in ASP.NET 1.1, using Microsoft SQL Server 2000 SP3 as the database server.

The database consists of the following tables:

· Basic tables

o Users – stores the user object identifier, user name, username and, if necessary, additional text information.

o Applications – stores the application identifier, its name and, if necessary, additional text information.

o WinADGroups – stores the group object identifier, its name, and, if necessary, additional text information.

o SQLGroups - stores the group identifier, its name, server name, database and role that are associated with this group and, if necessary, additional text information.

· Auxiliary tables

o SQLGroups2Apps

o WinGroups2Apps

o UsersPriorSQLGroups

o UsersPriorWinGroups

The main tables store data about users, applications and groups on the domain controller, as well as roles on various SQL servers. Auxiliary tables provide many-to-many relationships that exist in the system.

Tables are accessed through several dozen stored procedures. The use of stored procedures together with SQL parameters effectively protects the application from SQL injection, which in recent years has been one of the main ways of attacking database-backed web applications. The database diagram is shown in the figure.

The application consists of 8 .aspx pages designed to control access. Let's take a closer look at how the application works.

Use the WinGroupsAdd.aspx page to add group IDs to the system on a domain controller. The user enters a group name. The system searches for groups on the domain controller and provides a list of groups with similar names. The user selects the desired group, if necessary, enters a text description of this group and presses the save button. Group data is stored in the application database.

Using the WinGroupsEdit.aspx page, the user can edit previously entered information about a group, namely its text description. The delete button deletes all information about the group from the system and also removes users from this group, provided that they were added to it by this system. The UsersPriorWinGroups table is used for this check.

The SQLGroupsAdd.aspx page is used to add data to the system for using groups on the SQL server. The user enters the server name, database name, and roles in the appropriate database. If necessary, the user enters a text description of this group and presses the Save button. Group data is stored in the application database.

Using the SQLGroupsEdit.aspx page, the user can edit previously entered information about a group, namely its text description. The remaining fields are not editable, because changing them amounts to creating a new user group. The delete button deletes all information about the group from the system and also removes users from this group, provided that they were added to it by this system. The UsersPriorSQLGroups table is used for this check.

The ApplicationAdd.aspx page is used to add applications to the system. On this page, the user can enter the name of the application and its text description, and also select the groups required to work with this application, both on the SQL servers and on the domain controller. The selection is made from the corresponding lists of groups available in the system database. The save button stores the entered data in the system; the cancel button returns you to the same page without performing any action, only clearing all entered data.

Using ApplicationEdit.aspx, you can change the description of the application as well as the set of groups needed to use it. When the save button is clicked, the system updates the data in its database and also changes the rights of users who have access to this application accordingly.

The UserAdd.aspx page is designed to add users to the system. The process works as follows. The user enters all or part of the login name to be added to the system, a search is performed on the domain controller, and the user is then shown a list of matching login names. The required domain user is selected and the necessary applications are chosen for him. The save button stores the entered data in the system; the cancel button returns you to the same page without performing any action, only clearing all entered data.

Using UserEdit.aspx, the user can add or remove access rights to a particular application, as well as remove a user from the application database.
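The revocation logic behind the edit and delete pages, i.e. removing a user from the domain groups an application required without touching memberships that are still needed by another application or that the user held before enrollment (the a priori rights kept in UsersPriorWinGroups). This is an added Python example, not the BSU application's code; table names follow the text, while Users2Apps is an assumed junction table the text implies but does not name, and the in-memory SQLite database and sample rows are constructed (the real system uses SQL Server stored procedures).

```python
"""Revoking an application from a user without stripping memberships the user
held before enrollment or still needs for other applications.

Added example for illustration; it is not the BSU application's code. Table
names follow the text (Users, Applications, WinADGroups, WinGroups2Apps,
UsersPriorWinGroups); Users2Apps is an assumed junction table. Runs against an
in-memory SQLite database with constructed sample rows.
"""
import sqlite3
from typing import List, Set

SCHEMA = """
CREATE TABLE Users        (UserId  INTEGER PRIMARY KEY, UserName TEXT NOT NULL UNIQUE);
CREATE TABLE Applications (AppId   INTEGER PRIMARY KEY, Name TEXT NOT NULL);
CREATE TABLE WinADGroups  (GroupId INTEGER PRIMARY KEY, Name TEXT NOT NULL UNIQUE);
-- many-to-many: which domain groups an application needs
CREATE TABLE WinGroups2Apps (GroupId INTEGER REFERENCES WinADGroups(GroupId),
                             AppId   INTEGER REFERENCES Applications(AppId),
                             PRIMARY KEY (GroupId, AppId));
-- memberships the user already had before this system touched the account
CREATE TABLE UsersPriorWinGroups (UserId  INTEGER REFERENCES Users(UserId),
                                  GroupId INTEGER REFERENCES WinADGroups(GroupId),
                                  PRIMARY KEY (UserId, GroupId));
-- assumed table: which applications a user has been granted
CREATE TABLE Users2Apps (UserId INTEGER REFERENCES Users(UserId),
                         AppId  INTEGER REFERENCES Applications(AppId),
                         PRIMARY KEY (UserId, AppId));
"""


def open_demo_db() -> sqlite3.Connection:
    """Constructed sample data: two users, two applications, three groups."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO Users VALUES (?, ?)", [(1, "o'neil"), (2, "ivanov")])
    conn.executemany("INSERT INTO Applications VALUES (?, ?)",
                     [(10, "Payroll"), (11, "Timesheets")])
    conn.executemany("INSERT INTO WinADGroups VALUES (?, ?)",
                     [(100, "G_Payroll"), (101, "G_HR_Shared"), (102, "G_Admins")])
    # Payroll needs G_Payroll and G_HR_Shared; Timesheets needs G_HR_Shared only.
    conn.executemany("INSERT INTO WinGroups2Apps VALUES (?, ?)",
                     [(100, 10), (101, 10), (101, 11)])
    # o'neil was already in G_HR_Shared and G_Admins before being enrolled here.
    conn.executemany("INSERT INTO UsersPriorWinGroups VALUES (?, ?)", [(1, 101), (1, 102)])
    conn.executemany("INSERT INTO Users2Apps VALUES (?, ?)", [(1, 10), (1, 11), (2, 10)])
    conn.commit()
    return conn


def _ids(rows) -> Set[int]:
    return {row[0] for row in rows}


def revoke_application(conn: sqlite3.Connection, user_name: str, app_id: int) -> List[str]:
    """Remove the application from the user and return the names of the domain
    groups the user must now be removed from on the domain controller.
    Every query is parameterized; the login "o'neil" contains a quote and is
    handled correctly, mirroring the stored-procedure-plus-parameters rule."""
    row = conn.execute("SELECT UserId FROM Users WHERE UserName = ?", (user_name,)).fetchone()
    if row is None:
        raise ValueError(f"unknown user {user_name!r}")
    user_id = row[0]

    conn.execute("DELETE FROM Users2Apps WHERE UserId = ? AND AppId = ?", (user_id, app_id))

    app_groups = _ids(conn.execute(
        "SELECT GroupId FROM WinGroups2Apps WHERE AppId = ?", (app_id,)))
    still_needed = _ids(conn.execute(
        "SELECT g.GroupId FROM WinGroups2Apps g JOIN Users2Apps ua ON ua.AppId = g.AppId "
        "WHERE ua.UserId = ?", (user_id,)))
    prior = _ids(conn.execute(
        "SELECT GroupId FROM UsersPriorWinGroups WHERE UserId = ?", (user_id,)))

    # Only memberships this system created, and no remaining application needs, are revoked.
    to_remove = app_groups - still_needed - prior
    if not to_remove:
        conn.commit()
        return []
    placeholders = ",".join("?" * len(to_remove))   # one "?" per id, still parameterized
    names = conn.execute(
        f"SELECT Name FROM WinADGroups WHERE GroupId IN ({placeholders}) ORDER BY Name",
        tuple(to_remove)).fetchall()
    conn.commit()
    return [n[0] for n in names]


if __name__ == "__main__":
    db = open_demo_db()
    print(revoke_application(db, "o'neil", 10))   # only G_Payroll: G_HR_Shared is prior and still needed
    print(revoke_application(db, "ivanov", 10))   # both groups: nothing prior, no other application
```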

This paper analyzes corporate information systems: their structure and security mechanisms. All corporate information systems were divided into two classes: highly integrated systems, of which ERP systems are prominent representatives, and weakly integrated systems built from several dozen separate, sometimes completely unrelated applications. Access control in the vast majority of them is built on a role-based discretionary model for delimiting user rights with centralized access control.

An analysis of existing threats to corporate information systems, as well as ways to prevent them, was carried out. Statistics show that our main problem today is the problem of protection from negligent or criminal actions of corporate employees. Methods of protection against such actions are analyzed, the main one of which is the method of limiting user access to the corporate information system.

A study was carried out of existing access control methods and an analysis of their applicability under particular conditions. The methodology most suitable for organizing access control to the corporate information resources of the Belarusian State University was selected. Based on it, an application was built that allows user access to the resources of this corporate information system to be managed. It links applications, database management systems and Active Directory objects. The developed system allows access to heterogeneous applications to be managed globally. A flexible access control system makes it possible to guide the development of new applications and supports the management of already written applications without any changes to their code.






Slide 1 – Title slide
Slide 2 – Introduction. Goals.
Slide 3 – Concept of CIS
Slide 4 – Classification of CIS
Slide 5 – Classification of threats
Slide 6 – Classification of threats
Slide 7 – Sources of threats
Slide 8 – Measures to prevent threats
Slide 9 – Measures to combat threats
Slide 10 – Access control mechanisms
Slide 11 – CIS BSU
Slide 12 – DB model for the developed system
Slide 13 – Application demo
Slide 14 – Conclusion


Definitions. Information security of an organization is the state of protection of the organization's information environment that ensures its formation, use and development. Information protection is the activity of preventing leakage of protected information and unauthorized or unintentional impacts on it, that is, the process aimed at achieving that state.

Components of information security:
- confidentiality - the information is available only to a defined circle of persons;
- integrity - a guarantee that the information exists in its original, unaltered form;
- availability - an authorized user can obtain the information at the time it is needed;
- authenticity - the author of the information can be identified;
- non-repudiation (rendered in some translations as "appealability") - it can be proven that the author is the declared person and no one else.

Access control models used to ensure confidentiality, integrity and availability:
- mandatory access control (MAC);
- discretionary (selective) access control (DAC);
- role-based access control (RBAC).

Mandatory access control (MAC) is the delimitation of subjects' access to objects based on assigning a confidentiality label to the information contained in each object and issuing subjects an official clearance for information up to a given confidentiality level. The term is also sometimes translated as "forced access control". It combines protection and restriction of rights applied to processes, data and system devices and is designed to prevent their unwanted use. Unlike discretionary control, the owner of an object cannot relax the rules: they are set by the system's security policy, not by the owner.

Discretionary access control (DAC) is control of subjects' access to objects based on access control lists or an access matrix. For each pair (subject, object) an explicit and unambiguous list of the permitted types of access (read, write, etc.) is specified, that is, the types of access authorized for the given subject (a person or group of persons) to the given resource (object). Any type of access not listed for a pair is denied.


Role-based access control (RBAC) is a development of discretionary access control in which the access rights of subjects to objects are grouped according to how they are used, forming roles such as Administrator or User; users are then assigned roles rather than individual rights. Defining roles is intended to give clear and understandable access control rules for users.
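The three models above, side by side, as an added worked example in Go; this is not code from the original page. DAC is an explicit access matrix where an unlisted (subject, object) pair is denied; MAC uses ordered labels with the two Bell-LaPadula rules ("no read up", "no write down"), which is a common concrete instance of label-based mandatory control and goes slightly beyond what the text states; RBAC attaches rights to roles and roles to users. The subjects, objects and rights in the sample policies are constructed.

```go
package main

import "fmt"

// Right is one type of access a subject may hold on an object.
type Right string

const (
	Read  Right = "read"
	Write Right = "write"
)

// ---- Discretionary access control: an explicit access matrix ----
// DACMatrix[subject][object] lists the rights authorised for that pair.
// A pair with no entry is denied; that is the "explicit listing" rule.
type DACMatrix map[string]map[string][]Right

func (m DACMatrix) Allowed(subject, object string, r Right) bool {
	for _, granted := range m[subject][object] {
		if granted == r {
			return true
		}
	}
	return false
}

// ---- Mandatory access control: labels on objects, clearances on subjects ----
// Levels are totally ordered. The rules are the Bell-LaPadula properties: a
// subject may read only at or below its clearance ("no read up") and write
// only at or above it ("no write down"), so information never flows from a
// higher label to a lower one. Neither rule can be changed by an object owner.
type Level int

const (
	Public Level = iota
	Confidential
	Secret
)

func MACAllowed(clearance, label Level, r Right) bool {
	switch r {
	case Read:
		return clearance >= label
	case Write:
		return clearance <= label
	}
	return false
}

// ---- Role-based access control: rights attach to roles, users to roles ----
type RBAC struct {
	RolePerms map[string]map[string][]Right // role -> object -> rights
	UserRoles map[string][]string           // user -> roles held
}

func (p RBAC) Allowed(user, object string, r Right) bool {
	for _, role := range p.UserRoles[user] {
		for _, granted := range p.RolePerms[role][object] {
			if granted == r {
				return true
			}
		}
	}
	return false
}

// Constructed sample policies (not from the original page).
var SampleDAC = DACMatrix{
	"alice": {"report.doc": {Read, Write}},
	"bob":   {"report.doc": {Read}},
}

var SampleRBAC = RBAC{
	RolePerms: map[string]map[string][]Right{
		"Administrator": {"report.doc": {Read, Write}, "audit.log": {Read}},
		"User":          {"report.doc": {Read}},
	},
	UserRoles: map[string][]string{"alice": {"Administrator"}, "bob": {"User"}},
}

func main() {
	fmt.Println("DAC: bob writes report.doc:", SampleDAC.Allowed("bob", "report.doc", Write))
	fmt.Println("MAC: Confidential reads Secret:", MACAllowed(Confidential, Secret, Read))
	fmt.Println("MAC: Secret writes Public:", MACAllowed(Secret, Public, Write))
	fmt.Println("RBAC: bob reads audit.log:", SampleRBAC.Allowed("bob", "audit.log", Read))
}
```

All four lines print false: the DAC matrix lists only Read for bob, MAC forbids reading up and writing down, and bob's only role carries no right on audit.log.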

Ensuring security during transmission. Encryption is a method of transforming information that is used to store important information in untrusted locations or to transmit it over unprotected communication channels. It comprises two processes, encryption and decryption, and its methodological basis is cryptography.

Key. A key is the secret information used by a cryptographic algorithm when encrypting and decrypting messages, creating and verifying a digital signature, and computing message authentication codes (MAC). With the same algorithm, the result of encryption depends on the key. For modern strong algorithms, decrypting information without the key is computationally infeasible. The amount of information in a key is measured in bits, and for modern encryption algorithms key length is the main characteristic of cryptographic strength: symmetric keys of 128 bits and above are considered strong, because exhaustively searching 2^128 keys is beyond the reach of any foreseeable computing resources. The figure applies to symmetric algorithms; asymmetric algorithms such as RSA require much longer keys (2048 bits or more) for comparable strength, and a long key does not help if the key itself is stored or transmitted carelessly.

Encryption methods:
- symmetric encryption: outsiders may know the algorithm, but not a small piece of secret information, the key, which is the same for the sender and the recipient of the message;
- asymmetric encryption: outsiders may know the algorithm and the public key, but not the private key, which is known only to the recipient.
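Both methods, as an added worked example in Go using only the standard library; this is not code from the original page. The symmetric half is AES-256-GCM, where sender and recipient hold the same 32-byte key and the authentication tag rejects any modified ciphertext; the asymmetric half is RSA-OAEP, where anyone holding the public key can encrypt but only the private key decrypts. The example goes one step beyond the text by showing the usual combination (hybrid encryption): a fresh symmetric key protects the data and only that short key is encrypted with the public key, since RSA can encrypt only a few hundred bytes at a time. The key size of 2048 bits and the sample message are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SymmetricSeal encrypts with AES-256-GCM. Sender and recipient share the same
// 32-byte key; the GCM tag lets the recipient detect any change to the ciphertext.
// Output layout: nonce || ciphertext || tag.
func SymmetricSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // must never repeat under the same key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// SymmetricOpen reverses SymmetricSeal with the same key; a different key or a
// tampered ciphertext fails authentication and returns an error.
func SymmetricOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// GenerateKeyPair makes the recipient's RSA-2048 key pair (2048 bits is the
// usual minimum today). The private half stays with the recipient only.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// AsymmetricEncrypt uses RSA-OAEP: anyone with the public key can encrypt, only
// the holder of the private key can decrypt. The message must be short (less
// than the modulus size minus OAEP overhead), so in practice it is a symmetric key.
func AsymmetricEncrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

func AsymmetricDecrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// HybridSeal: a fresh random symmetric key protects the bulk data and only that
// key is encrypted to the recipient's public key.
func HybridSeal(pub *rsa.PublicKey, plaintext []byte) (wrappedKey, sealed []byte, err error) {
	key := make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	if wrappedKey, err = AsymmetricEncrypt(pub, key); err != nil {
		return nil, nil, err
	}
	sealed, err = SymmetricSeal(key, plaintext)
	return wrappedKey, sealed, err
}

// HybridOpen: unwrap the symmetric key with the private key, then decrypt the data.
func HybridOpen(priv *rsa.PrivateKey, wrappedKey, sealed []byte) ([]byte, error) {
	key, err := AsymmetricDecrypt(priv, wrappedKey)
	if err != nil {
		return nil, err
	}
	return SymmetricOpen(key, sealed)
}

func main() {
	priv, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	wrapped, sealed, _ := HybridSeal(&priv.PublicKey, []byte("constructed sample message"))
	pt, err := HybridOpen(priv, wrapped, sealed)
	fmt.Println(string(pt), err) // constructed sample message <nil>
}
```

The practical difference the text describes is visible in the function signatures: the symmetric functions take the same key on both sides, while the asymmetric pair takes the public key to encrypt and the private key to decrypt.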

Means of ensuring authenticity: a handwritten signature and a digital signature. A handwritten signature is a unique set of symbols written by hand using certain stylistic techniques and serving to identify a person. Properties of a good signature: resistance to forgery; repeatability; identifiability (the signature usually resembles a first or last name); speed of writing.

An electronic digital signature (EDS) is an attribute of an electronic document intended to protect that document from forgery. It is obtained by a cryptographic transformation of the information using the signer's private key; it makes it possible to identify the owner of the signature key certificate and to establish that the information in the electronic document has not been distorted, and it provides non-repudiation by the signer. Since the documents being signed are of variable (and often large) length, in digital signature schemes the signature is usually placed not on the document itself but on its hash, computed with a cryptographic hash function. Hashing is the transformation of an input array of arbitrary length into an output bit string of fixed length; any change to the document changes the hash, and for a cryptographic hash function it is infeasible to find a different document with the same hash, which is what makes signing the hash equivalent to signing the document.

An electronic signature scheme includes: a key generation algorithm; a signature computation function; a signature verification function. The signature computation function computes the signature from the document and the signer's private key. The verification function checks whether a given signature matches the given document and the signer's public key. The public key is publicly available, so anyone can verify the signature on a given document.

A digital signature provides: authentication of the source of the document (depending on how the document is defined, fields such as "author", "changes made" and "time stamp" can be included in the signed data); protection against changes to the document, since any accidental or intentional change to the document (or to the signature) changes the hash and therefore invalidates the signature; and impossibility of repudiating authorship, since a correct signature can be created only by someone who knows the private key, which is known only to its owner, so the owner cannot disclaim his signature on the document. The last property holds only as long as the private key remains secret, so protecting the key and being able to revoke its certificate are part of any signature deployment.
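The scheme of the last three paragraphs (key generation, signing the hash of the document, verifying with the public key, and the metadata fields covered by the signature), as an added worked example in Go; this is not code from the original page. ECDSA on P-256 with SHA-256 is the concrete algorithm chosen here, the length-prefixed canonical form is an assumption of this example, and the author, time stamp and contract text are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// KeyGen is the scheme's key-generation algorithm: an ECDSA key pair on P-256.
// The private key stays with the signer; the public key is published.
func KeyGen() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Canonical is the byte string that is actually signed. The metadata the page
// mentions (author, time stamp) is included with the body, and each field is
// length-prefixed so two different sets of fields can never serialise to the
// same bytes (otherwise "ab"+"c" and "a"+"bc" would carry the same signature).
func Canonical(author, timestamp string, body []byte) []byte {
	var out []byte
	var n [4]byte
	for _, f := range [][]byte{[]byte(author), []byte(timestamp), body} {
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		out = append(out, n[:]...)
		out = append(out, f...)
	}
	return out
}

// Sign reduces a document of any length to its 32-byte SHA-256 hash and signs
// the hash with the private key; the result is a DER-encoded ECDSA signature.
func Sign(priv *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	h := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// Verify recomputes the hash and checks the signature against the public key.
// Any change to the document, the signature or the key makes it return false.
func Verify(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	h := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	priv, err := KeyGen()
	if err != nil {
		panic(err)
	}
	doc := Canonical("alice", "2024-05-01T09:00:00Z", []byte("constructed contract text"))
	sig, _ := Sign(priv, doc)
	changed := Canonical("alice", "2024-05-01T09:00:00Z", []byte("constructed contract text."))
	fmt.Println(Verify(&priv.PublicKey, doc, sig))     // true
	fmt.Println(Verify(&priv.PublicKey, changed, sig)) // false: one added character
}
```

Note that ECDSA signatures are randomised, so signing the same document twice gives two different but equally valid signatures; verification, not byte equality of signatures, is the check to use.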

Means of authorization and authentication. A password is a secret word or string of characters used to confirm identity or authority. Cracking passwords is a resource-intensive task usually solved by the brute-force method, that is, by simple enumeration of candidates; for this reason passwords should be stored only as salted hashes computed with a deliberately slow function, so that each guess costs the attacker real effort. A key is secret information known to a limited circle of people and usually stored in protected (encrypted) form. Biometrics is a personal identification technology that uses physiological parameters of the subject (fingerprints, iris, etc.).
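Both sides of the password statement above, the server's salted and stretched verifier and the attacker's brute-force enumeration, as an added worked example in Go; this is not code from the original page. The stretching scheme (iterated HMAC-SHA256 keyed by the salt) is a deliberately small illustration of the idea rather than a standard key-derivation function, the iteration count is an assumption, and the salt, passwords and candidate list are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// StretchedHash derives a verifier from the password with `iterations` rounds of
// HMAC-SHA256 keyed by a per-user salt. The salt defeats precomputed tables (two
// users with the same password get different verifiers, and a table built for
// one salt is useless for another); the iteration count makes every guess cost
// the attacker as much as it costs the server, which is the point of "slow".
// This is a small illustrative scheme; production code should use a standard
// KDF such as PBKDF2, scrypt, Argon2 or bcrypt.
func StretchedHash(password string, salt []byte, iterations int) []byte {
	out := []byte(password)
	for i := 0; i < iterations; i++ {
		m := hmac.New(sha256.New, salt)
		m.Write(out)
		out = m.Sum(nil)
	}
	return out
}

// VerifyPassword is the server side. hmac.Equal compares in constant time, so
// response timing does not reveal how many leading bytes of the hash matched.
func VerifyPassword(password string, salt, stored []byte, iterations int) bool {
	return hmac.Equal(StretchedHash(password, salt, iterations), stored)
}

// BruteForce is the attacker side: simple enumeration of candidates until one
// hashes to the stolen verifier. Returns the recovered password, the number of
// guesses spent (each costing `iterations` HMACs) and whether it succeeded.
func BruteForce(target, salt []byte, iterations int, candidates []string) (string, int, bool) {
	for i, c := range candidates {
		if hmac.Equal(StretchedHash(c, salt, iterations), target) {
			return c, i + 1, true
		}
	}
	return "", len(candidates), false
}

func main() {
	salt := []byte("constructed-salt-1") // in practice 16+ random bytes stored beside the hash
	const iterations = 100000
	stored := StretchedHash("letmein", salt, iterations)
	fmt.Println(hex.EncodeToString(stored[:8]), VerifyPassword("letmein", salt, stored, iterations))
	candidates := []string{"123456", "password", "letmein", "qwerty"} // constructed wordlist
	pw, guesses, ok := BruteForce(stored, salt, iterations, candidates)
	fmt.Println(pw, guesses, ok) // letmein 3 true
}
```

The wordlist finds the weak password in three guesses regardless of salting; what the salt and iteration count change is that the attacker must pay the full cost per user and per guess instead of looking answers up in a precomputed table.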

Data protection in computer networks is one of the most pressing open problems in modern information and computing systems. Three basic principles of information security have been formulated, whose task is to ensure:
- data integrity - protection against failures leading to the loss or destruction of information, and against unauthorized modification;
- confidentiality of information;
- availability of information to authorized users.

Means of protection:
- means of physical protection;
- software (anti-virus programs, privilege delimitation systems, access control software);
- administrative protection measures (control of access to premises, development of the company's security strategy, etc.).

Physical protection means include systems for archiving and duplicating information. In local networks with one or two servers, the backup device is most often installed directly in a free slot of the server. In large corporate networks, preference is given to a dedicated archiving server that automatically archives information from the hard drives of servers and workstations at a time set by the network administrator and produces a report on the backup performed. Examples of products of this type are Intel's Storage Express System and ARCserve for Windows.

To combat computer viruses, anti-virus programs are most often used; hardware protection is less common, although there has recently been a tendency to combine software and hardware methods. Among hardware devices, special anti-virus cards inserted into standard expansion slots are used. Intel has proposed a technology for protecting against viruses in networks whose essence is scanning computer systems before they boot. In addition to anti-virus programs, the problem of protecting information in computer networks is solved by introducing access control and delimiting user privileges. For this purpose the built-in tools of network operating systems are used, of which Novell was historically the largest vendor.

To prevent unauthorized entry into a computer network, a combined approach is used: a password plus identification of the user by a personal "key". The "key" is a plastic card (magnetic or with a built-in chip, a smart card) or one of various devices for personal identification using biometric information: iris, fingerprints, hand geometry, etc. Servers and workstations equipped with smart card readers and special software significantly increase the degree of protection against unauthorized access. Access control smart cards make it possible to implement functions such as entry control and control of access to PC devices, programs, files and commands.

The Kerberos system includes:
- a database containing information on all network resources, users, their passwords (stored as keys), session keys, etc.;
- an authentication server, whose task is to process user requests for one or another type of network service; on receiving a request it consults the database and determines the user's authority to perform the specific operation. User passwords are not transmitted over the network, which raises the level of information security;
- a ticket-granting server, which receives from the user the "pass" (ticket) issued by the authentication server, containing the user's name and network address, the request time and a unique session "key"; the packet containing the "pass" is transmitted in encrypted form. After receiving and decrypting the "pass", the ticket-granting server checks the request, compares the "keys" and, if they match, grants permission to use the network equipment or programs.
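The exchange just described, with both sides' messages, as an added worked example in Go; this is not code from the original page or from any Kerberos implementation. It models the three parts in the text: the database of user keys, the authentication-server exchange (the password never crosses the network; only a holder of the password-derived key can recover the session key) and the ticket-granting-server exchange (the ticket is decrypted, the session key inside it opens the authenticator, and names, address and times must agree). AES-256-GCM stands in for Kerberos's own encryption types, the password-to-key step is a plain SHA-256 stand-in for string2key, the 8-hour ticket lifetime and 5-minute clock-skew window are assumptions, and the user "alice", the address 10.0.0.5 and the passwords are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"time"
)

// seal/open: AES-256-GCM, output nonce || ciphertext || tag. Every key here is
// 32 bytes. Real Kerberos has its own encryption types; this stands in for them.
func seal(key, pt []byte) []byte {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}

func open(key, ct []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

type (
	Ticket struct { // the "pass": sealed under the TGS key, so the client carries it but cannot read or alter it
		User, Addr string
		SessionKey []byte
		Expires    time.Time
	}
	Authenticator struct { // sealed under the session key: proves the client recovered it, and is fresh
		User string
		Time time.Time
	}
	KDC struct { // the database: one long-term key per user plus the ticket-granting server's key
		UserKeys map[string][]byte
		TGSKey   []byte
	}
)

// UserKeyFromPassword stands in for Kerberos string2key (constructed, not the real derivation).
func UserKeyFromPassword(password string) []byte {
	k := sha256.Sum256([]byte(password))
	return k[:]
}

// ASExchange (authentication server): the session key goes back sealed under the
// user's key and the ticket sealed under the TGS key. The password never crosses the network.
func (k *KDC) ASExchange(user, addr string, now time.Time) (forClient, ticket []byte, err error) {
	userKey, ok := k.UserKeys[user]
	if !ok {
		return nil, nil, errors.New("unknown principal")
	}
	sessionKey := make([]byte, 32)
	rand.Read(sessionKey)
	tb, _ := json.Marshal(Ticket{User: user, Addr: addr, SessionKey: sessionKey, Expires: now.Add(8 * time.Hour)})
	return seal(userKey, sessionKey), seal(k.TGSKey, tb), nil
}

// ClientAuthenticator (client): recover the session key with the password-derived
// key, then build the authenticator under it. A wrong password fails right here.
func ClientAuthenticator(userKey, forClient []byte, user string, now time.Time) ([]byte, error) {
	sessionKey, err := open(userKey, forClient)
	if err != nil {
		return nil, errors.New("wrong password or corrupted reply")
	}
	b, _ := json.Marshal(Authenticator{User: user, Time: now})
	return seal(sessionKey, b), nil
}

// TGSExchange (ticket-granting server): decrypt the ticket, then the authenticator
// with the session key found inside, and "compare the keys": names, address and
// times must agree. Returns the authenticated user name when access is granted.
func (k *KDC) TGSExchange(ticket, auth []byte, addr string, now time.Time) (string, error) {
	tb, err := open(k.TGSKey, ticket)
	if err != nil {
		return "", errors.New("ticket not issued by this KDC")
	}
	var t Ticket
	json.Unmarshal(tb, &t) // authenticated by GCM, so this is the JSON we sealed
	if now.After(t.Expires) || t.Addr != addr {
		return "", errors.New("ticket expired or presented from another address")
	}
	ab, err := open(t.SessionKey, auth)
	if err != nil {
		return "", errors.New("authenticator not under the ticket's session key")
	}
	var a Authenticator
	json.Unmarshal(ab, &a)
	if d := now.Sub(a.Time); a.User != t.User || d < -5*time.Minute || d > 5*time.Minute {
		return "", errors.New("authenticator name mismatch or outside the clock-skew window")
	}
	return t.User, nil
}
```

The checks in TGSExchange are the ones that matter in practice: a ticket sealed under the TGS key cannot be forged or edited by the client, an authenticator can only be produced by someone who recovered the session key (which required the password), and the time window limits replay of a captured authenticator. Real Kerberos additionally issues a service ticket and uses pre-authentication; those are omitted here.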

As an enterprise expands its activities, the number of subscribers grows and new branches appear, so a need arises to organize access for remote users (groups of users) to the computing or information resources of the company's centers. Cable lines and radio channels are most often used for remote access, and protecting the information transmitted over remote access channels therefore requires a special approach. Remote access bridges and routers can use packet segmentation, dividing packets and transmitting the parts in parallel over two lines, which complicates "interception" of data when an intruder illegally connects to one of the lines, though it does not by itself prevent it. Compression of the transmitted packets makes intercepted data harder to read but is not encryption and must not be relied on as a substitute for it. Remote access bridges and routers can be configured so that not all resources of the company center are available to remote users.

Special devices for controlling access to computer networks via dial-up lines have also been developed. An example is the Remote Port Security Device (RPSD) module developed by AT&T, which consists of two units the size of an ordinary modem: RPSD Lock, installed in the central office, and RPSD Key, connected to the remote user's modem. RPSD Key and Lock make it possible to set several levels of protection and access control:
- encryption of the data transmitted over the line using generated digital keys;
- access control based on the day of the week or time of day.

The strategy for creating backup copies and restoring databases is directly related to security. These operations are usually performed outside business hours in batch mode. In most DBMS, backup and recovery are permitted only to users with broad rights (system administrator or database owner level), and it is undesirable to write such sensitive passwords directly into batch files. To avoid storing the password in clear text, it is sometimes recommended to write a small application program that itself calls the backup/recovery utilities, with the system password "hardwired" into that program's code. This method has two disadvantages: the program must be recompiled every time the password changes, and a compiled-in secret can still be recovered from the binary by anyone able to read it. A better practice is to keep the credential in a file readable only by the backup account, or to use the DBMS's own credential store or integrated operating-system authentication, so that no password appears in scripts or binaries at all.

At every enterprise, regardless of its size, form of ownership and line of activity, the same types of methods and means of protection are used to implement the protection system model. The set of protection methods includes obstacles, regulation, access control, masking, inducement and coercion.

Obstacles (a physical method): for example, fences around the enterprise, restrictions on entry to buildings and premises, alarm systems, guards. Access control: access is limited physically and by software and hardware means. Masking: the use of cryptographic software. Inducement: users' voluntary compliance with ethical norms when processing and using information. Regulation: the existence of instructions and rules for processing information. Coercion: the existence of legal norms enshrined in regulatory documents that define legal liability for violations.

The methods and means of protection listed above are combined into four subsystems installed in information systems:
- access control subsystem;
- registration and accounting subsystem;
- cryptographic subsystem;
- integrity subsystem.

The access control subsystem protects access to the information system using software (passwords) and software and hardware means (electronic keys, key floppy disks, devices that recognize users by biometric characteristics, etc.).

The registration and accounting subsystem records in a special electronic log the users and programs that have obtained access to the system, files, programs or databases, the time of entry into and exit from the system, and other operations performed by users; this log is the basis for auditing and for investigating incidents, so it must itself be protected from modification by the users it records.

The cryptographic subsystem is a set of special programs that encrypt and decrypt information. Its presence is especially necessary in information systems used for electronic business.

The integrity subsystem includes physical security of computer equipment and media, tools for testing programs and data, and the use of certified security means.






