Private Threat Model. Levels of protection and basic models of threats to the security of personal data during their processing in personal data information systems

So let's touch on the third of the FSTEC documents under consideration, the "Basic Model of Personal Data Security Threats". This 100-page document is striking ... in how far it lags behind the current situation, by 10-15 years.

When I first started reading this manuscript, I had the impression that I had already read all of it somewhere. And indeed, having reached the end, I realized that 80 percent of the "Basic Model" is a creative reworking of articles and materials from the Internet on security, network attacks, viruses and so on. True, all of those materials were published in the early to mid-90s. What is the mention of such "modern" attacks as Land, Smurf, Ping of Death and the like worth?

The section on viruses impresses with its erudition: interception of the INT 13H interrupt is named as the main channel by which viruses enter the system, there is a story about sound and video effects and changing the screen palette, substituting characters during input, formatting floppy disks (I have not seen a computer with a floppy drive for a long time), and infecting OBJ files. How do you like this phrase from a document dated 2008: "Companion viruses that exploit the DOS feature of executing files with the .COM extension first are the most common"? Which COM, which DOS? What are these people responsible for information security in the country talking about?

A large section is devoted to network attacks. Everything would be fine if it had not become obsolete even before publication. The mention of Back Orifice, NetBus and Nuke speaks for itself. The story about how data is intercepted through address spoofing and vulnerabilities in the ARP protocol would be interesting if it did not read like the book "Attack from the Internet", published in the mid-90s and posted on the Internet at the same time.

There is not a word in this threat model about modern network worms, DDoS attacks, data leaks via IM or e-mail, bypassing protection tools, or application-level attacks. But there are many references to such "famous" companies in the information security world as Axent, CyberSafe, L-3, BindView and others. I remember that when I mentioned these companies in my articles and book in the late 90s, I already wrote back then that they no longer existed, having been absorbed by larger players in the information security market. The authors of the document are blissfully unaware of this.

The authors' knowledge in the field of malware is amazing. Among the carriers of malware, alongside video adapters and sound cards (which for some reason are called built-in storage media), the power supply unit is also listed! Why the power supply became not only a carrier of information but also a carrier of malware, I could not understand. Apparently this is the result of closed research conducted by the respected regulator.

What else is there to say about this document? In general, nothing ;-( The facts mentioned speak for themselves.

At the moment I am revising the private policy for assessing the risks of information security violations and updating the information security threat model.

In the course of this work I ran into some difficulties. How I solved them and developed a private threat model is discussed below.

Previously, many banks used the Industry Model of PD Security Threats taken from the Bank of Russia standardization recommendation RS BR IBBS-2.4-2010 "Ensuring the information security of organizations of the banking system of the Russian Federation. Industry private model of threats to the security of personal data during their processing in personal data information systems of organizations of the banking system of the Russian Federation". But following the Bank of Russia information letter dated May 30, 2014, that document became invalid. Now it has to be developed independently.

Not many people know that with the release of the Bank of Russia standardization recommendation RS BR IBBS-2.9-2016 "Ensuring information security of organizations of the banking system of the Russian Federation. Prevention of information leaks", there was a substitution of concepts. Now, when defining the list of information categories and the list of types of information assets, it is recommended to rely on clauses 6.3 and 7.2 of RS BR IBBS-2.9-2016. Previously it was clause 4.4 of the Bank of Russia standardization recommendation RS BR IBBS-2.2-2009 "Ensuring the information security of organizations of the banking system of the Russian Federation. Methodology for assessing the risks of information security violations". I even turned to the Central Bank for clarification:

The main sources of threats are listed in clause 6.6 of the Bank of Russia standard STO BR IBBS-1.0-2014 "Ensuring Information Security of Organizations in the Banking System of the Russian Federation. General Provisions". The intruder potential can also be taken from there.

In general, when determining current IS threats, it is necessary to take into account the information security incidents that have occurred in the organization, information from the analytical reports of regulators and of companies providing information security services, and the expert opinion of the company's own specialists.

IS threats are also determined in accordance with Bank of Russia Ordinance No. 3889-U dated December 10, 2015 "On the identification of threats to the security of personal data that are relevant when processing personal data in personal data information systems" (3889-U), Appendix 1 of RS BR IBBS-2.2-2009, Table 1 of RS BR IBBS-2.9-2016 (which I made a separate appendix), and the Data Bank of Information Security Threats of the FSTEC of Russia (BDU).

By the way, I noticed that some threats from 3889-U duplicate threats from the BDU:

  • the threat of exposure to malicious code external to the personal data information system - UBI.167, UBI.172, UBI.186, UBI.188, UBI.191;
  • the threat of the use of social engineering methods against persons with authority in the personal data information system - UBI.175;
  • the threat of unauthorized access to personal data by persons without authority in the personal data information system, using vulnerabilities in the software of the personal data information system - UBI.192.

For this reason I excluded the duplicate threats from 3889-U in favour of the UBI entries, since their descriptions contain additional information that makes it easier to fill in the threat model and information security risk assessment tables.

Current threats from the source "Adverse natural, man-made and social events" can be determined from the statistics of the Ministry of Emergency Situations of the Russian Federation on emergencies and fires.

Current threats from the source "Terrorists and criminal elements" can be determined from the statistics of the Ministry of Internal Affairs of the Russian Federation on the state of crime and the newsletter "Crime in the banking sector".

At this stage we have identified the sources of IS threats and the current IS threats. Now let's move on to building the information security threat model table.

As a basis I took the table "Industry model of PD security threats" from RS BR IBBS-2.4-2010. The columns "Threat source" and "Threat realization level" are filled in according to clauses 6.7 and 6.9 of STO BR IBBS-1.0-2014. That leaves the empty columns "Types of environment objects" and "Security threat". I renamed the latter to "Consequences of the implementation of the threat", as in the BDU (in my opinion this is more correct). To fill them in we need the description of our threats from the BDU.

As an example, consider "UBI.192: Threat of using vulnerable versions of software":
Threat description: the threat consists in the possibility of a destructive impact on the system by an intruder exploiting software vulnerabilities. The threat is due to weaknesses in the mechanisms for analysing software for vulnerabilities. The threat can be realised if the software is not checked for vulnerabilities before use.
Threat sources: internal intruder with low potential; external intruder with low potential.
Object of influence: application software, network software, system software.
Consequences of the implementation of the threat: breach of confidentiality, breach of integrity, breach of availability.

For convenience I distributed the environment object types (objects of influence) across the threat realization levels (the levels of the bank's information infrastructure).

The list of environment objects I compiled from clause 7.3 of RS BR IBBS-2.9-2016, clause 4.5 of RS BR IBBS-2.2-2009 and the UBI descriptions. The threat realization levels are given in clause 6.2 of STO BR IBBS-1.0-2014.

Thus, this threat affects the following levels: the level of network applications and services, and the level of banking technological processes and applications.

I did the same for the other IS threats.

The result is a table like this.

They, in turn, can be divided into intentional and accidental. An external threat can come from terrorists, foreign intelligence agencies, criminal groups, competitors and others, who can block, copy and even destroy information that is valuable to both parties.

Basic Threat Model

The internal threat of information "leakage" is the threat created by the employees of a particular enterprise. They can hack it and use it for their own benefit. This is possible if the company has no technical measures and no access control to it in place.

The right to protection of personal information is guaranteed by the Constitution of the Russian Federation to every citizen.

Protection levels

The personal data protection system itself can have four levels of protection. Note that the choice of means is determined by the operator on the basis of regulations (part 4 of article 19 of the Federal Law "On Personal Data").

Requirements necessary to ensure the fourth level of personal data security:

  • the organization must establish a regime that prevents persons without the right of access from entering the premises;
  • the safety of personal data media must be ensured;
  • the head of the operator must approve a document defining the list of persons who, by virtue of their official duties, are allowed access to the personal data;
  • information security tools that have passed the conformity assessment procedure must be used.

To ensure the third level of security, all requirements of the fourth level must be met, plus one more: an official (employee) responsible for ensuring the security of personal data in the information system must be appointed.

The second level of security adds the requirement that access to the contents of the electronic message log is possible only for the operator's officials (employees) or an authorized person who need that information for their official duties. It also includes all the requirements of the third level.

And finally, to ensure the first level of security, all of the above requirements must be met, plus the following:

  • automatic registration in the electronic security log of changes in an employee's access rights to personal data in connection with a change in his authority;
  • creation of a structural unit responsible for ensuring the security of personal data in the information system, or assignment of the functions of ensuring such security to one of the existing structural units.

The operator must check compliance with these requirements at least once every three years.

He has the right to entrust this to a legal entity or persons holding a license for such activity, by concluding an agreement with them (Government Decree No. 1119 of November 1, 2012 "Requirements for the protection of personal data during their processing in personal data information systems").

Ensuring a high level of protection


The law has given legal entities the right to determine the measures for protecting their confidential information. Don't be vulnerable: take the necessary measures.

Private model of threats to the security of personal data when processing them in the personal data information system

1. General Provisions

This private model of threats to the security of personal data during their processing in the personal data information system "SKUD" of ___________ (hereinafter referred to as the ISPD) was developed on the basis of:

1) "Basic model of personal data security threats during their processing in personal data information systems", approved on February 15, 2008 by the Deputy Director of the FSTEC of Russia;

2) "Methodology for determining actual threats to the security of personal data during their processing in personal data information systems", approved on February 14, 2008 by the Deputy Director of the FSTEC of Russia;

3) GOST R 51275-2006 "Information security. Factors affecting information. General Provisions".

The model determines the threats to the security of personal data processed in the personal data information system "SKUD".

2. List of threats that pose a potential danger to personal data processed in the ISPD

The potential dangers for personal data (hereinafter referred to as PD) during their processing in the ISPD are:

    threats of information leakage through technical channels;

    physical threats;

    threats of unauthorized access;

    personnel threats.

3. Identification of actual threats to the security of personal data when processing in the ISPD

3.1. Determination of the initial security level of the ISPD

The initial security level of the ISPD is determined by an expert method in accordance with the "Methodology for determining actual threats to the security of personal data during their processing in personal data information systems" (hereinafter referred to as the Methodology), approved on February 14, 2008 by the Deputy Director of the FSTEC of Russia. The results of the initial security analysis are shown in Table 1.

Table 1. Initial security level

Technical and operational characteristics of ISPD | Security level (High / Medium / Low)

1. By territorial location | Local ISPD deployed within one building
2. By the presence of a connection to public networks | ISPD physically separated from public networks
3. By built-in (legal) operations with PD database records | Read, write, delete
4. By delimitation of access to PD | ISPD to which a defined list of employees of the organization owning the ISPD, or the PD subject, has access
5. By the presence of connections with PD databases of other ISPDs | ISPD using one PD database owned by the organization that owns this ISPD
6. By the level of generalization (depersonalization) of PD | ISPD in which the data provided to the user is not anonymized (i.e. contains information that allows the PD subject to be identified)
7. By the volume of PD provided to third-party ISPD users without preliminary processing | ISPD providing a part of the PD

Characteristics of ISPD (summary row)

Thus, the ISPD has a medium level of initial security (Y1 = 5), since at least 70% of the ISPD characteristics correspond to a security level of at least "medium", but fewer than 70% of the characteristics correspond to the "high" level.
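The following script is an added worked example, not part of the original document, reproducing the arithmetic of the 2008 Methodology cited above: the initial security level from the share of characteristics rated high/medium/low (Y1 = 0, 5 or 10), the feasibility coefficient Y = (Y1 + Y2) / 20 with Y2 being the expert probability of realisation, and the feasibility-by-danger table that decides whether a threat is actual. The per-row ratings for Table 1 and the three sample threats are constructed here (the page does not preserve which column each row falls in); the 70% threshold, the Y2 values, the Y bands and the relevance table are the example author's reading of the Methodology and should be checked against its text before use in a real model.

```python
# Added worked example of the FSTEC 2008 Methodology arithmetic (not the page's own code).
# Ratings, sample threats and names below are constructed for illustration; thresholds,
# Y2 values, Y bands and the relevance table are assumed from the Methodology.

LEVEL_RANK = {"high": 2, "medium": 1, "low": 0}
Y1_BY_LEVEL = {"high": 0, "medium": 5, "low": 10}                      # initial security -> Y1
Y2_BY_PROBABILITY = {"unlikely": 0, "low": 2, "medium": 5, "high": 10}  # expert probability -> Y2

# Constructed ratings for the seven rows of Table 1, chosen so that fewer than 70%
# are "high" but at least 70% are "medium" or better (the page's conclusion).
TABLE1_RATINGS = {
    "1. territorial location": "high",
    "2. connection to public networks": "high",
    "3. built-in operations with PD records": "medium",
    "4. delimitation of access to PD": "medium",
    "5. connections with other PD databases": "medium",
    "6. generalization of PD": "low",
    "7. volume of PD given to third parties": "medium",
}


def initial_security_level(ratings, threshold=0.7):
    """Classify initial security as high / medium / low.

    high   : at least `threshold` of the characteristics are rated "high";
    medium : not high, but at least `threshold` are rated "medium" or better;
    low    : otherwise.
    """
    values = list(ratings.values())
    if not values:
        raise ValueError("at least one characteristic is required")
    n = len(values)
    share_high = sum(LEVEL_RANK[v] == 2 for v in values) / n
    share_medium_or_better = sum(LEVEL_RANK[v] >= 1 for v in values) / n
    if share_high >= threshold:
        return "high"
    if share_medium_or_better >= threshold:
        return "medium"
    return "low"


def y1(ratings):
    """Numeric coefficient of initial security: 0, 5 or 10."""
    return Y1_BY_LEVEL[initial_security_level(ratings)]


def feasibility(y1_value, probability):
    """Y = (Y1 + Y2) / 20 and its band: low / medium / high / very high."""
    y = (y1_value + Y2_BY_PROBABILITY[probability]) / 20
    if y <= 0.3:
        band = "low"
    elif y <= 0.6:
        band = "medium"
    elif y <= 0.8:
        band = "high"
    else:
        band = "very high"
    return y, band


# Relevance table: (feasibility band, danger of the threat) -> is the threat actual?
ACTUAL = {
    ("low", "low"): False, ("low", "medium"): False, ("low", "high"): True,
    ("medium", "low"): False, ("medium", "medium"): True, ("medium", "high"): True,
    ("high", "low"): True, ("high", "medium"): True, ("high", "high"): True,
    ("very high", "low"): True, ("very high", "medium"): True, ("very high", "high"): True,
}


def is_actual(feasibility_band, danger):
    return ACTUAL[(feasibility_band, danger)]


def assess(ratings, threats):
    """One row per threat: (name, Y, feasibility band, danger, actual)."""
    base = y1(ratings)
    rows = []
    for name, probability, danger in threats:
        y, band = feasibility(base, probability)
        rows.append((name, y, band, danger, is_actual(band, danger)))
    return rows


# Constructed sample threats: (name, expert probability, danger for the PD subject)
SAMPLE_THREATS = [
    ("Leakage via technical channels", "unlikely", "low"),
    ("UBI.192 use of vulnerable software versions", "medium", "medium"),
    ("UBI.175 social engineering of authorised staff", "high", "high"),
]

if __name__ == "__main__":
    print("initial security:", initial_security_level(TABLE1_RATINGS), "Y1 =", y1(TABLE1_RATINGS))
    for name, y, band, danger, actual in assess(TABLE1_RATINGS, SAMPLE_THREATS):
        print(f"{name:48} Y={y:.2f} ({band:9}) danger={danger:6} actual={actual}")
```

With Y1 = 5 the three constructed threats land at Y = 0.25 (low feasibility, low danger: not actual), 0.50 (medium, medium: actual) and 0.75 (high, high: actual), which is exactly the kind of row the threat model table needs per threat. Changing a Table 1 rating and re-running shows how sensitive the relevance verdicts are to the initial security score, which is the point of keeping the calculation explicit rather than hidden in a spreadsheet.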

As you probably know, ambiguous changes were recently made to FSTEC Order No. 17 "Requirements for the protection of information that does not constitute a state secret contained in state information systems", and there are questions and problems with applying them. Today let's discuss one of these problems:

now, when modeling threats, it is necessary to use the "new" BDU of the FSTEC of Russia, and a new threat modeling methodology is not expected. More details below…

In accordance with paragraph 14 of the Order, one of the stages in forming the requirements for protecting information in a GIS is:

“identification of information security threats whose implementation may lead to a breach of information security in the information system, and development on their basis of an information security threat model;”

In fact, these are two separate works, the requirements for each of which are detailed in paragraph 14.3 of the order:

I. Definition of threats

“14.3. Information security threats are determined based on the results of assessing the capabilities (potential) of external and internal violators, analysis of possible vulnerabilities of the information system, possible ways of implementing information security threats, and the consequences of violating information security properties (confidentiality, integrity, availability).

The database of information security threats ( bdu.fstec.ru) …”

II. Development of a threat model

“The information security threat model must contain a description of the information system and its structural and functional characteristics, as well as a description of information security threats, including a description of the violators' capabilities (intruder model), possible vulnerabilities of the information system, ways of implementing information security threats and the consequences of violating information security properties.”

Is it possible to use arbitrary methods in this case? No…

“To identify information security threats and develop the information security threat model, methodological documents developed and approved by the FSTEC of Russia are applied.”

III. Let's figure out which methodological document should be used. Which document should a government agency require its contractor to work by?

The only approved and published methodological document of the FSTEC of Russia on threat modeling is the "Methodology for determining actual threats to the security of personal data during their processing in personal data information systems. FSTEC of Russia, 2008". We will conditionally call it the "old" methodology. (There is also an approved but unpublished document, "Methodology for determining actual threats to information security in key information infrastructure systems", approved by the FSTEC of Russia on May 18, 2007, but we will not consider it.)

According to informal information, a "new" methodology for GIS should not be expected in the near future. Then we need to decide about the "old" methodology. Must it be used, and can it be? There are several arguments against using it:

First: the "old" methodology is intended only for identifying threats to PD in ISPD. We are considering state information systems, which do not always process PD. The requirements of the Order also apply to other information in a GIS, including publicly available information and information subject to mandatory publication.

Second: the "old" methodology was developed on the basis of Government Decree No. 781, which has since been repealed. In legal practice the following general rule applies: "Recognition of the main normative legal act as invalid means the loss of legal force of derivative and auxiliary normative legal acts, unless otherwise established". That is, it has lost its legal force.

Third: the "old" methodology is designed to identify current (actual) threats: "a current threat is a threat that can be implemented in the ISPD and poses a danger to PD", whereas under the Order we are required to determine "information security threats whose implementation may lead to a breach of information security". Agree that there is a difference; these concepts are not identical.

Fourth: the methodological document should also cover the second part of the work, namely describe how the document called the Threat Model is developed. There is not a word about this in the "old" methodology.

Fifth: according to the Order, threats must be determined according to one set of characteristics. Approximately the same set of characteristics is used in the FSTEC BDU. In the "old" methodology they are determined from a different set. More details in the picture.


On the one hand, all the findings indicate that this methodology is not suitable for GIS. On the other hand, there is one weighty argument for using it: it is the only approved and published methodology of the FSTEC of Russia in the field of threat modeling.

PS: in fact, all these arguments against using the "old" methodology could be eliminated with small "cosmetic" updates to it: change the terms (ISPD to IS, PD to information, etc.), add some descriptive sections from the draft "new" methodology, and slightly update the table for calculating the initial security level. All the formulas for calculating the relevance of threats could be left unchanged; they have proven themselves since 2008.


I think a month would be quite enough for such a small update of the threat modeling methodology. But three years is already too much.