Ensuring security in corporate networks: network security threat analysis

Ways to protect information in an enterprise, and ways to extract it, are constantly changing. New offers from companies providing information security services appear regularly. There is no panacea, of course, but there are several basic steps in building the protection of an enterprise information system that you definitely need to pay attention to.

Many of you are probably familiar with the concept of defense in depth against attacks on an information network. Its main idea is to use several layers of defense, which will at least minimize the damage from a possible breach of your information system's security perimeter.
Below we consider the general aspects of computer security and put together a checklist that serves as the basis for building basic protection of an enterprise information system.

1. Firewall

A firewall is the first line of defense that meets intruders.
By the level at which they control access, the following types of firewall are distinguished:

  • Packet filter: in the simplest case, network packets are filtered according to established rules, i.e. based on the source and destination addresses and the network port numbers of the packets;
  • Stateful firewall, operating at the session level: it monitors active connections and drops forged packets that violate the TCP/IP specifications;
  • Application-layer firewall: performs filtering based on parsing the application data carried within the packet.
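To make the difference between the first two types concrete, here is an added Python simulation (not from the original article) of a stateless packet filter and a stateful filter applied to the same constructed trace. The LAN prefix `10.`, the server address `192.0.2.10`, the rule set and the packets are all assumed for the illustration. The stateless filter has no memory, so a forged ACK from a permitted source address is passed; the stateful filter tracks the TCP handshake and drops it, and also drops a SYN+FIN combination that violates the TCP specification.

```python
"""Stateless vs stateful packet filtering, as a small simulation (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()  # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}


# Constructed rule set: only the 10.0.0.0/8 LAN may reach the web server on 443.
RULES = [
    {"src_prefix": "10.", "dst": "192.0.2.10", "dport": 443, "action": "allow"},
]
DEFAULT_ACTION = "deny"  # default-deny: anything not matched is dropped


def stateless_filter(pkt: Packet) -> str:
    """Level 1: decide from addresses and ports only; no memory of earlier packets."""
    for rule in RULES:
        if (pkt.src.startswith(rule["src_prefix"])
                and pkt.dst == rule["dst"] and pkt.dport == rule["dport"]):
            return rule["action"]
    return DEFAULT_ACTION


# Flag combinations that never occur in a legal TCP exchange.
INVALID_FLAG_COMBOS = ({"SYN", "FIN"}, {"SYN", "RST"}, set())


class StatefulFilter:
    """Level 2: keeps a connection table, so reply traffic is allowed only for
    connections opened from the inside, and packets that do not fit the TCP
    handshake are dropped."""

    def __init__(self) -> None:
        # key: (client, cport, server, sport) -> handshake state
        self.table: Dict[Tuple[str, int, str, int], str] = {}

    def process(self, pkt: Packet) -> str:
        if set(pkt.flags) in INVALID_FLAG_COMBOS:
            return "deny"  # violates TCP: e.g. SYN+FIN, or no flags at all
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table:
            # client -> server on a known connection; third handshake step
            if self.table[fwd] == "SYN_RECEIVED" and pkt.flags == {"ACK"}:
                self.table[fwd] = "ESTABLISHED"
            return "allow"
        if rev in self.table:
            # server -> client reply; legal only because the client sent a SYN first
            if self.table[rev] == "SYN_SENT" and pkt.flags == {"SYN", "ACK"}:
                self.table[rev] = "SYN_RECEIVED"
            return "allow"
        # unknown connection: only a pure SYN that passes the rules may open one
        if pkt.flags == {"SYN"} and stateless_filter(pkt) == "allow":
            self.table[fwd] = "SYN_SENT"
            return "allow"
        return "deny"


def demo() -> Dict[str, Tuple[str, str]]:
    """Run a constructed trace; return (stateless, stateful) verdicts per step."""
    fw = StatefulFilter()
    trace = {
        "client_syn": Packet("10.1.1.5", 50000, "192.0.2.10", 443, frozenset({"SYN"})),
        "server_synack": Packet("192.0.2.10", 443, "10.1.1.5", 50000, frozenset({"SYN", "ACK"})),
        "client_ack": Packet("10.1.1.5", 50000, "192.0.2.10", 443, frozenset({"ACK"})),
        # forged LAN source, ACK with no handshake: passes the address rule, fails state
        "spoofed_ack": Packet("10.9.9.9", 40000, "192.0.2.10", 443, frozenset({"ACK"})),
        # SYN+FIN is not a legal combination
        "syn_fin": Packet("10.1.1.6", 40001, "192.0.2.10", 443, frozenset({"SYN", "FIN"})),
    }
    return {name: (stateless_filter(p), fw.process(p)) for name, p in trace.items()}


if __name__ == "__main__":
    for step, (stateless, stateful) in demo().items():
        print(f"{step:14s} stateless={stateless:5s} stateful={stateful}")
```

Note that the server's SYN/ACK is denied by the stateless rules (nothing permits traffic from the server address) but allowed by the stateful filter, because it belongs to a connection the client opened; this is exactly the case a pure packet filter needs a second, symmetric rule for.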

Increased attention to network security and the growth of e-commerce have led to an increasing number of users relying on encrypted connections (SSL, VPN) for their protection. This greatly complicates the analysis of traffic passing through firewalls. As you might guess, malware developers use the same technologies, and viruses that encrypt their traffic have become almost indistinguishable from legitimate user traffic.

2. Virtual Private Networks (VPNs)

Situations when an employee needs access to company resources from public places (Wi-Fi at an airport or hotel) or from home (employees' home networks are not controlled by your administrators) are especially dangerous for corporate information. To protect them, you simply need to use encrypted VPN tunnels. Direct, unencrypted access to a remote desktop (RDP) is out of the question. The same applies to the use of third-party software such as TeamViewer or Ammyy Admin to access the work network: traffic through these programs is encrypted, but it passes through servers of the software developers that are not under your control.

The disadvantages of VPN include the relative complexity of deployment, additional costs for authentication keys and an increased load on the bandwidth of the Internet channel. Authentication keys can also be compromised. Stolen company or employee mobile devices (laptops, tablets, smartphones) with pre-configured VPN connection settings can become a potential hole for unauthorized access to company resources.

3. Intrusion detection and prevention systems (IDS, IPS)

An intrusion detection system (IDS) is software or hardware designed to detect unauthorized access to a computer system (network) or unauthorized control of such a system. In the simplest case, such a system helps to detect scans of your system's network ports or attempts to log in to a server. The first indicates the attacker's initial reconnaissance, the second an attempt to break into your server. You can also detect attacks aimed at privilege escalation in the system, unauthorized access to important files, and the actions of malicious software. Advanced network switches allow an intrusion detection system to be connected using port mirroring or through traffic taps.

An intrusion prevention system (IPS) is a software or hardware security system that actively blocks intrusions as they are detected. If an intrusion is detected, the suspicious network traffic can be blocked automatically, and a notification is immediately sent to the administrator.

4. Antivirus protection

Antivirus software is the primary line of defense for most businesses today. According to the research company Gartner, the anti-virus software market in 2012 amounted to $19.14 billion. The main consumers are the small and medium business segment.

First of all, anti-virus protection is aimed at client devices and workstations. Business versions of antivirus products include centralized management functions for distributing antivirus database updates to client devices, as well as centralized configuration of security policies. Antivirus vendors' product ranges also include specialized solutions for servers.
Given that most malware infections result from user actions, antivirus packages offer comprehensive protection options: for example, protection of e-mail and chat programs and checking of the sites visited by users. In addition, antivirus packages increasingly include a software firewall, proactive defense mechanisms, and spam filtering.

5. Whitelisting

What are "white lists"? There are two main approaches to information security. The first assumes that by default the operating system is allowed to run any application unless it has previously been blacklisted. The second, on the contrary, assumes that only programs previously included in the "white list" are allowed to run, and all other programs are blocked by default. The second approach is of course preferable in the corporate world. Whitelists can be created both with the built-in tools of the operating system and with third-party software; antivirus software often offers this function as part of its package. Most antivirus applications that offer whitelist filtering allow the initial setup to be completed very quickly, with minimal attention from the user.

However, there may be situations in which the dependencies of a whitelisted program's files were not correctly identified by you or by the antivirus software. This will cause the application to crash or install incorrectly. In addition, whitelists are powerless against attacks that exploit vulnerabilities in how whitelisted programs process documents. You should also pay attention to the weakest link in any defense: the employees themselves, in a hurry, can ignore the antivirus software's warning and whitelist malware.
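The two approaches are easy to contrast in code. The following Python example is added here; it is not part of the article and does not reproduce any particular antivirus product. The executable paths and their byte contents are constructed stand-ins. The blacklist policy allows anything not known to be bad, so a brand-new unknown binary runs; the whitelist policy refuses by default and, because it records a hash as well as a path, also refuses a whitelisted program whose file has been replaced.

```python
"""Default-allow (blacklist) vs default-deny (whitelist) execution control (added example)."""
import hashlib
from typing import Dict, List, Set


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executable images; a real implementation would read
# the files from disk. The paths are illustrative, not from the article.
WORD = r"C:\Program Files\Office\word.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"
DOWNLOAD = r"C:\Users\ivan\Downloads\invoice.exe"

PROGRAMS: Dict[str, bytes] = {
    WORD: b"constructed bytes of word.exe",
    NOTEPAD: b"constructed bytes of notepad.exe",
    DOWNLOAD: b"constructed bytes of an unknown binary",
}


def blacklist_policy(path: str, image: bytes, blocked: Set[str]) -> bool:
    """Approach 1: default allow; only images whose hash is known-bad are blocked."""
    return sha256_hex(image) not in blocked


def whitelist_policy(path: str, image: bytes, allowed: Dict[str, str]) -> bool:
    """Approach 2: default deny; the path must be listed AND the image must hash
    to the recorded value, so a replaced or modified binary is refused too."""
    return allowed.get(path) == sha256_hex(image)


def build_allowlist(programs: Dict[str, bytes], approved: List[str]) -> Dict[str, str]:
    """The 'initial setup' step: record path -> hash for the approved programs."""
    return {path: sha256_hex(programs[path]) for path in approved}


def evaluate(policy, programs: Dict[str, bytes], reference) -> Dict[str, bool]:
    """Apply a policy to every program; True means 'may run'."""
    return {path: policy(path, image, reference) for path, image in programs.items()}


def demo() -> Dict[str, Dict[str, bool]]:
    allowlist = build_allowlist(PROGRAMS, [WORD, NOTEPAD])
    # No signature yet for the unknown binary: the usual state when something new appears.
    blocked: Set[str] = set()
    # Constructed later state: notepad.exe has been replaced, invoice.exe is still unknown.
    later = dict(PROGRAMS)
    later[NOTEPAD] = b"constructed bytes of a modified notepad.exe"
    return {
        "blacklist": evaluate(blacklist_policy, later, blocked),
        "whitelist": evaluate(whitelist_policy, later, allowlist),
    }


if __name__ == "__main__":
    for policy_name, verdicts in demo().items():
        print(policy_name)
        for path, may_run in verdicts.items():
            print(f"  {'run  ' if may_run else 'block'} {path}")
```

The dependency problem mentioned above shows up naturally in this model: every library a listed program loads would need its own entry, and a missing one is a block, not a warning.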

6. Spam filtering

Spam mailings are often used to carry out phishing attacks that introduce a Trojan or other malware into the corporate network. Users who process a large volume of e-mail daily are more susceptible to phishing e-mails. Therefore, the task of the company's IT department is to filter out as much spam as possible from the general e-mail traffic.

The main ways to filter spam:

  • Specialized spam filtering service providers;
  • Spam filtering software on the company's own mail servers;
  • Specialized hardware solutions deployed in the corporate data center.

7. Keeping software up to date

Timely software updates and the application of current security patches are an important element in protecting a corporate network from unauthorized access. Software vendors usually do not disclose complete information about a newly found security hole. However, a general description of the vulnerability is enough for attackers to write software exploiting it just a couple of hours after the description of the new hole and the patch for it are published.
In fact, this is quite a problem for small and medium-sized businesses, since they commonly use a wide range of software products from different manufacturers. Updating the entire software fleet is often not given due attention, and this is practically an open window in the enterprise's security system. Currently, a large proportion of software updates itself from the manufacturer's servers, and this removes part of the problem. Why only part? Because the manufacturer's servers can be hacked, and under the guise of legitimate updates you will receive fresh malware. Manufacturers themselves also sometimes release updates that disrupt the normal operation of their software, which is unacceptable in critical areas of the business. To prevent such incidents, all received updates must, firstly, be applied immediately after their release and, secondly, be thoroughly tested before application.

8. Physical security

The physical security of a corporate network is one of the most important factors and can hardly be overestimated. An attacker with physical access to a network device will, in most cases, easily gain access to your network, for example, if there is physical access to a switch and the network does not filter MAC addresses (although MAC filtering will not save you in this case). Another problem is the theft or careless disposal of hard drives after they have been replaced in a server or other device. Considering that the passwords found on them can be decrypted, server cabinets and rooms, or cases holding equipment, should always be securely protected from intruders.

We have only touched on some of the most common aspects of security. It is also important to pay attention to user training, periodic independent information security audits, and the creation and implementation of a sound information security policy.
Please note that protecting a corporate network is a rather complex topic that is constantly changing. You must make sure the company does not depend on just one or two lines of defense. Always try to keep up with current information and fresh solutions on the information security market.


This is the result of a survey of more than 1,000 heads of IT departments of large and medium-sized European companies, commissioned by Intel. The purpose of the survey was to identify the problem that most concerns industry professionals. The answer was quite expected: more than half of the respondents named network security as a problem that needs to be addressed immediately. Other results of the survey can also be called quite expected. For example, network security leads among other problems in the field of information technology, and its importance has increased by 15% compared to the situation five years ago.
According to the survey, highly qualified IT specialists spend over 30% of their time on security issues. The situation in large companies (those with more than 500 employees) is even more worrisome: about a quarter of respondents spend half their time on these issues.

Balance of threats and protection

Alas, the issue of network security is inextricably linked with the fundamental technologies used in modern telecommunications. It just so happened that when the IP family of protocols was developed, priority was given to the reliability of the network as a whole. At the time these protocols emerged, network security was provided in completely different ways, which are simply unrealistic to use in the conditions of the global network. You can complain loudly about the developers' short-sightedness, but it is almost impossible to change the situation radically. Now you just need to be able to protect yourself from potential threats.
The main principle of this skill should be balance between potential threats to network security and the level of protection needed. Commensurability should be ensured between the cost of security and the cost of possible damage from realized threats.
For a modern large or medium-sized enterprise, information and telecommunication technologies have become the basis of doing business. Therefore, they have turned out to be the most sensitive to the impact of threats. The larger and more complex the network, the more effort it requires to protect it. At the same time, the cost of creating threats is orders of magnitude less than the cost of neutralizing them. This state of affairs forces companies to carefully weigh the consequences of possible risks from various threats and choose the appropriate ways to protect against the most dangerous ones.
Currently, the greatest threats to corporate infrastructure are actions associated with unauthorized access to internal resources and blocking the normal operation of the network. There are quite a few such threats, but each of them is based on a combination of technical and human factors. For example, penetration of malware into the corporate network can occur not only as a result of the network administrator's neglect of security rules, but also due to the excessive curiosity of a company employee who decides to follow a tempting link from e-mail spam. Therefore, do not hope that even the best technical security solutions will become a panacea for all ills.

UTM class solutions

Security is always a relative concept. If there is too much of it, the use of the very system we are going to protect becomes noticeably more complicated. Therefore, a reasonable compromise becomes the first choice in ensuring network security. For medium-sized enterprises (by Russian standards), UTM-class solutions (Unified Threat Management), positioned as multifunctional network and information security devices, may well help to make such a choice. At their core, these solutions are software and hardware systems that combine the functions of different devices: a firewall, network intrusion detection and prevention systems (IPS), and an anti-virus gateway (AV). Often these complexes are also assigned additional tasks, such as routing, switching or supporting VPN networks.
UTM vendors often offer their solutions to small businesses as well. Perhaps this approach is partly justified. But still, it is easier and cheaper for small businesses in our country to use the security service of their Internet provider.
Like any universal solution, UTM equipment has its pros and cons. The former include savings in cost and implementation time compared to organizing protection of a similar level from separate security devices. Also, UTM is a pre-balanced and tested solution that can solve a wide range of security problems. Finally, solutions of this class are not so demanding on the qualifications of technical personnel: any specialist can easily handle their configuration, management and maintenance.
The main disadvantage of UTM is that any function of a universal solution is often less effective than the same function in a specialized solution. That is why, when high performance or a high degree of security is required, security specialists prefer solutions based on integrating individual products.
However, despite this minus, UTM solutions are becoming in demand by many organizations that differ greatly in scale and type of activity. According to Rainbow Technologies, such solutions were successfully implemented, for example, to protect the server of an online household appliance store that was subjected to regular DDoS attacks. A UTM solution also made it possible to significantly reduce the volume of spam in the mail system of an automotive holding. In addition to solving local problems, I have experience in building security systems based on UTM solutions for a distributed network covering the central office of a brewing company and its branches.

UTM manufacturers and their products

The Russian market for UTM-class equipment is formed only by offerings from foreign manufacturers. Unfortunately, none of the domestic manufacturers has yet been able to offer its own solution in this class of equipment. The exception is the Eset NOD32 Firewall software solution, which, according to the company, was created by Russian developers.
As already noted, on the Russian market UTM solutions may be of interest mainly to medium-sized companies with up to 100-150 workplaces in their corporate network. When selecting UTM equipment for this review, the main criterion was performance in various operating modes sufficient to provide a comfortable user experience. Manufacturers often list performance figures for the firewall, IPS (intrusion prevention) and AV (antivirus) modes.

Check Point's solution is called UTM-1 Edge and is a unified protection device that combines a firewall, an intrusion prevention system, an anti-virus gateway, and tools for building VPNs and remote access. The firewall included in the solution controls a large number of applications, protocols and services, and also has a mechanism for blocking traffic that clearly does not belong to the category of business applications, for example instant messaging (IM) and peer-to-peer (P2P) traffic. The antivirus gateway allows malicious code to be monitored in e-mail, FTP and HTTP traffic. There are no restrictions on file size, and archives are decompressed "on the fly".
The UTM-1 Edge solution has advanced VPN capabilities. OSPF dynamic routing and VPN client connectivity are supported. The UTM-1 Edge W comes with a built-in IEEE 802.11b/g Wi-Fi access point.
For large deployments, UTM-1 Edge integrates seamlessly with Check Point SMART to simplify security management.

Cisco traditionally pays increased attention to network security issues and offers a wide range of the necessary devices. For the review, we chose the Cisco ASA 5510 model, which is focused on securing the corporate network perimeter. This equipment is part of the ASA 5500 series, which includes modular UTM-class protection systems. This approach allows the security system to be adapted to the specifics of a particular enterprise's network.
The Cisco ASA 5510 comes in four main kits: firewall, VPN building tools, intrusion prevention system, and virus and spam protection tools. The solution includes additional components such as the Security Manager system, which forms a management infrastructure for an extensive corporate network, and the Cisco MARS system, designed to monitor the network environment and respond to security breaches in real time.

The Slovak company Eset supplies the UTM-class software package Eset NOD32 Firewall, which includes, in addition to the functions of a corporate firewall, the Eset NOD32 anti-virus protection system, mail (antispam) and web traffic filtering tools, and IDS and IPS systems for detecting and preventing network attacks. The solution supports the creation of VPN networks. This complex is built on a server platform running Linux. The software part of the device was developed by the domestic company Leta IT, controlled by the Russian representative office of Eset.
This solution allows network traffic to be controlled in real time, and content filtering by categories of web resources is supported. It provides protection against DDoS attacks and blocks port scanning attempts. The Eset NOD32 Firewall solution includes support for DNS and DHCP servers and bandwidth control. Traffic of the SMTP and POP3 mail protocols is controlled.
This solution also includes the ability to create distributed corporate networks using VPN connections, with support for various modes of network aggregation and for various authentication and encryption algorithms.

Fortinet offers a whole family of UTM-class FortiGate devices, positioning its solutions as capable of providing network protection while maintaining a high level of performance, as well as reliable and transparent operation of business information systems in real time. For the review, we chose the FortiGate-224B model, designed to protect the perimeter of a corporate network with 150-200 users.
The FortiGate-224B hardware includes firewall functionality, VPN servers, web traffic filtering, intrusion prevention systems, and anti-virus and anti-spam protection. This model has built-in Layer 2 LAN switch interfaces and WAN interfaces, eliminating the need for external routing and switching devices. To this end, routing via the RIP, OSPF and BGP protocols is supported, as well as user authentication before network services are provided.

SonicWALL offers a wide range of UTM devices, of which the NSA 240 solution is included in this review. This equipment is the youngest model in the line, intended for use as a protection system for the corporate network of a medium-sized enterprise and the branches of large companies.
The basis of this line is the use of all means of protection against potential threats: a firewall, an intrusion protection system, and anti-virus and anti-spyware gateways. Web traffic is filtered by 56 categories of sites.
As one of the highlights of its solution, SonicWALL notes its technology for deep scanning and analysis of incoming traffic. To avoid performance degradation, this technology uses parallel data processing on a multiprocessor core.
This equipment supports VPN, has advanced routing capabilities, and supports various network protocols. The SonicWALL solution is also able to provide a high level of security when servicing VoIP traffic over the SIP and H.323 protocols.

From the WatchGuard product line, the Firebox X550e solution was selected for review; it is positioned as a system with advanced network security functionality and is aimed at the networks of small and medium-sized enterprises.
This manufacturer's UTM-class solutions are based on the principle of protection against mixed network attacks. To this end, the equipment supports a firewall, an attack prevention system, anti-virus and anti-spam gateways, web resource filtering, and a system to counter spyware.
This equipment uses the principle of joint protection, according to which network traffic checked by a certain criterion at one protection level will not be checked by the same criterion at another level. This approach ensures high performance of the equipment.
As another advantage of its solution, the manufacturer cites support for Zero Day technology, which makes security independent of the presence of signatures. This feature is important when new types of threats appear for which effective countermeasures have not yet been found. Typically, the "window of vulnerability" lasts from several hours to several days. When Zero Day technology is used, the probability of negative consequences of the vulnerability window is significantly reduced.

ZyXEL offers its own UTM-class firewall solution for corporate networks with up to 500 users. The ZyWALL 1050 is designed to build a network security system that includes full-fledged virus protection, intrusion prevention and support for virtual private networks. The device has five Gigabit Ethernet ports that can be configured as WAN, LAN, DMZ and WLAN interfaces depending on the network configuration.
The device supports the transmission of VoIP application traffic over the SIP and H.323 protocols at the firewall and NAT levels, as well as the transmission of packet telephony traffic in VPN tunnels. This ensures the operation of attack and threat prevention mechanisms for all types of traffic, including VoIP, of an anti-virus system with a complete signature database, of content filtering by 60 categories of sites, and of spam protection.
The ZyWALL 1050 solution supports a variety of private network topologies, VPN concentrator mode, and the consolidation of virtual networks into zones with uniform security policies.

Main characteristics of UTM

Expert opinion

Dmitry Kostrov, Project Director of the Technological Protection Directorate, Corporate Center, JSC "MTS"

The scope of UTM solutions mainly extends to companies belonging to small and medium-sized businesses. The very concept of Unified Threat Management (UTM), as a separate class of equipment for protecting network resources, was introduced by the international agency IDC, according to which UTM solutions are multifunctional software and hardware systems that combine the functions of different devices. This is typically a firewall, VPN, intrusion detection and prevention systems, as well as anti-virus and anti-spam gateway and URL filtering functions.
In order to achieve truly effective protection, the device must be multi-layered, active and integrated. At the same time, many manufacturers of protective equipment already have a fairly wide range of products related to UTM. Sufficient ease of deployment of systems, as well as obtaining an all-in-one system, makes the market for these devices quite attractive. The total cost of ownership and return on investment for these devices seem to be very attractive.
But a UTM solution is like a "Swiss army knife": there is a tool for every occasion, but you need a real drill to make a hole in the wall. There is also a possibility that protection against new attacks, signature updates, etc. will not appear as fast as in the support of the individual devices of the "classic" scheme for protecting corporate networks. There is also the problem of a single point of failure.

Identification/authentication (IA) of operators must be performed in hardware before the OS boot stage. The IA databases should be stored in the non-volatile memory of the information security system (ISS), organized so that access to it by means of the PC is impossible, i.e. the non-volatile memory must be placed outside the address space of the PC.

Identification/authentication of remote users, as in the previous case, requires a hardware implementation. Authentication can be performed in different ways, including an electronic digital signature (EDS). The requirement of "strong authentication" becomes mandatory, i.e. periodic repetition of the procedure in the course of work at intervals of time small enough that an attacker who overcomes the protection cannot cause tangible damage.

2. Protection of technical means from unauthorized access

Means of protecting computers from unauthorized access can be divided into electronic locks (EL) and hardware trusted boot modules (AMDZ). Their main difference is the way integrity control is implemented. Electronic locks perform user IA procedures in hardware but use external software to perform the integrity control procedures. AMDZ hardware implements both the functions of an EL and the integrity control and administration functions.

Control of the integrity of the technical composition of the PC and LAN. Control of the integrity of the technical composition of the PC must be performed by the information security system's controller before the OS is loaded. All resources that can (potentially) be shared should be controlled, including the CPU, system BIOS, floppy disks, hard drives and CD-ROM.

The integrity of the technical composition of the LAN must be ensured by a strong network authentication procedure. The procedure must be performed at the stage of connecting the tested PCs to the network and then at intervals predetermined by the security administrator.

OS integrity control, i.e. control of the integrity of system areas and OS files, must be performed by the controller before the OS is loaded to ensure that genuine data is read. Since various operating systems can be used in electronic document management, the software built into the controller must support the most popular file systems.

Integrity control of application software and data can be performed by both the hardware and the software components of the information security system.
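As an added illustration of the control procedure described in the items above (this example is not from the source and does not describe any specific controller), the following Python code fixes a reference state of the hardware composition and OS files as hashes, then compares the current state against it before "allowing boot". The snapshot entries are constructed; a real controller would read the BIOS, drives and files directly from the devices, before the OS and its drivers are involved, rather than from a dictionary.

```python
"""Reference-based integrity control of hardware composition and OS files (added example)."""
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed snapshot of the objects under control. "hw:" entries stand for the
# hardware composition (BIOS, drives), "os:" entries for system files.
BASELINE_SNAPSHOT: Dict[str, bytes] = {
    "hw:bios": b"vendor=Constructed BIOS version=1.02",
    "hw:disk0": b"model=CONSTRUCTED-SSD serial=SN0001",
    "os:/boot/vmlinuz": b"constructed kernel image",
    "os:/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
}


def take_reference(snapshot: Dict[str, bytes]) -> Dict[str, str]:
    """Administrator step: fix the reference state as name -> hash."""
    return {name: sha256_hex(data) for name, data in snapshot.items()}


def verify(reference: Dict[str, str], snapshot: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Boot-time step: compare the current state with the reference and report
    every deviation (changed content, removed object, object not in the reference)."""
    report: Dict[str, List[str]] = {"modified": [], "missing": [], "added": []}
    for name, ref_hash in reference.items():
        if name not in snapshot:
            report["missing"].append(name)
        elif sha256_hex(snapshot[name]) != ref_hash:
            report["modified"].append(name)
    for name in snapshot:
        if name not in reference:
            report["added"].append(name)
    return report


def boot_allowed(report: Dict[str, List[str]]) -> bool:
    """The OS is loaded only when the report is empty."""
    return not any(report.values())


def demo() -> Tuple[Dict[str, List[str]], bool]:
    reference = take_reference(BASELINE_SNAPSHOT)
    assert boot_allowed(verify(reference, BASELINE_SNAPSHOT))  # unchanged machine boots
    # Constructed deviations: a system file edited, a drive removed, an unknown drive attached.
    current = dict(BASELINE_SNAPSHOT)
    current["os:/etc/passwd"] += b"extra:x:1001:1001::/home/extra:/bin/sh\n"
    del current["hw:disk0"]
    current["hw:disk1"] = b"model=CONSTRUCTED-USB serial=SN9999"
    report = verify(reference, current)
    return report, boot_allowed(report)


if __name__ == "__main__":
    report, allowed = demo()
    print("boot allowed:", allowed)
    for kind, names in report.items():
        print(f"  {kind}: {names}")
```

The "added" category matters as much as "modified": a controller that only checks listed objects would not notice a device that was never in the reference.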

3. Differentiation of access to documents, PC and network resources

Modern operating systems increasingly contain built-in access control tools. As a rule, these tools use the features of a particular file system (FS) and are based on attributes associated with one of the operating system's API levels. This inevitably raises the following two problems.

Binding to the features of the file system. In modern operating systems, as a rule, not one but several file systems are used, both new and obsolete. Usually, the access control built into the OS works on the new file system but may not work on the old one, since it relies on features specific to the new file system.

This circumstance is usually not explicitly stated in the certificate, which can mislead the user. It is precisely to ensure compatibility that the old file systems are included in the new OS in this case.

Binding to the operating system API. As a rule, operating systems now change very quickly, once every year to year and a half, and it is possible that they will change even more often. If, at the same time, the access control attributes reflect the composition of the API, then with the transition to a new version of the OS it will be necessary to redo the security system settings, retrain personnel, etc.

Thus, we can formulate a general requirement: the access control subsystem must be overlaid on the operating system and thereby be independent of the file system. Of course, the set of attributes should be sufficient for describing the security policy, and the description should be carried out not in terms of the OS API but in the terms in which system security administrators are accustomed to work.

4. Protection of electronic documents

The protection of electronic information exchange includes two classes of tasks:

  • Ensuring the equivalence of the document throughout its life cycle to the reference ED (the original);
  • Ensuring the equivalence of the applied electronic technologies to the reference ones.

The purpose of any protection is to ensure the stability of the specified properties of the protected object at all points of its life cycle. The security of an object is established by comparing the standard (the object at the initial point in space and time) with the result (the object at the moment of observation). For example, if at the point of observation (receipt of an ED) there is only very limited contextual information about the standard (the content of the original ED) but full information about the result (the observed document), this means that the ED must include attributes certifying compliance with the technical and technological requirements, namely the invariance of the message at all stages of the production and transportation of the document. One option for such attributes is security authentication codes (SACs).

Protecting a document when it is created. When a document is created, a security authentication code (SAC) must be generated for it in hardware. Recording a copy of the electronic document on external media before the SAC has been generated should be excluded. If the ED is generated by an operator, the SAC must be tied to the operator; if the ED is generated by a software component of the automated system (AS), the SAC should be generated with reference to that software component.

Protecting the document in transit. The protection of a document during its transmission over external (open) communication channels should be based on certified cryptographic means, including an electronic digital signature (EDS) for each transferred document. Another option is also possible: a bundle of documents is signed with an EDS, and each individual document is certified by another analogue of a handwritten signature (HSA), for example a security authentication code (SAC).

Protection of the document during its processing, storage and execution. At these stages, the document is protected using two security authentication codes (SACs), an input and an output one, for each stage. The SACs should be generated in hardware and tied to the processing procedure (the stage of the information technology). For an incoming document (with a SAC and an EDS), a second SAC is generated and only then is the EDS removed.

Protecting a document when it is accessed from the external environment. This relies on two mechanisms already described: identification and authentication of remote users, and access control to documents, PCs and network resources.

5. Data protection in communication channels

Traditionally, to protect data in a communication channel, channel scramblers are used, so that not only the data but also the control signals pass through the channel in scrambled form.

6. Information technology protection

Despite the well-known similarity, the mechanisms for protecting the ED itself as an object (a number, data) and for protecting the ED as a process (a function, a computing environment) are radically different. When protecting the information technology, in contrast to protecting the ED, the characteristics of the required reference technology are reliably known, but there is limited information about whether the technology actually used fulfils these requirements, i.e. about the result. The only object that can carry information about the actual technology (as a sequence of operations) is the ED itself, or rather the attributes included in it. As before, one kind of such attribute is the ZKA. The equivalence of the technologies can be established more precisely the more functional operations are attached to the message through ZKAs. The mechanisms here do not differ from those used to protect the ED. Moreover, the presence of a specific ZKA can be taken to indicate that the corresponding operation was present in the technological process, and the value of the ZKA attests to the integrity of the message at that stage of the process.
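The stage-bound codes described in the two passages above (a creation code bound to the operator, an input and an output code per processing stage, and an audit that reads the sequence of attested operations back out of the document) can be modelled with keyed hashes. The following is an added illustration written for this page, not the Akkord hardware's own algorithm: it assumes that each operator or stage holds its own key (held here in a plain dictionary, whereas the scheme above keeps keys inside a hardware module), uses HMAC-SHA-256 as the code function, and treats the key identifier and the stage context as part of what is authenticated, so a code cannot be moved to another stage or another document.

```python
import hmac
import hashlib

# Constructed sample keys. In the scheme described above the keys live inside
# the hardware module and never leave it; a plain dictionary stands in for that here.
KEYS = {
    "operator:ivanov": b"constructed-operator-key",
    "stage:registration": b"constructed-registration-key",
    "stage:approval": b"constructed-approval-key",
}


def make_code(key_id: str, body: bytes, context: str) -> str:
    """A security authentication code (ZKA): an HMAC over the document body,
    bound to the key holder (operator or processing stage) and to the context
    (creation, stage input or stage output)."""
    msg = context.encode() + b"\x00" + key_id.encode() + b"\x00" + body
    return hmac.new(KEYS[key_id], msg, hashlib.sha256).hexdigest()


def verify_code(key_id: str, body: bytes, context: str, code: str) -> bool:
    return hmac.compare_digest(make_code(key_id, body, context), code)


def create_document(body: bytes, operator: str) -> dict:
    """Creation: the ZKA is generated immediately, bound to the operator,
    before the document goes anywhere."""
    return {"body": body,
            "codes": [(operator, "created", make_code(operator, body, "created"))]}


def process_stage(doc: dict, stage: str) -> dict:
    """One processing stage with an input ZKA and an output ZKA.
    The input code is only issued after the previous code has been checked,
    so a document altered between stages is rejected here."""
    prev_key, prev_ctx, prev_code = doc["codes"][-1]
    if not verify_code(prev_key, doc["body"], prev_ctx, prev_code):
        raise ValueError(f"{stage}: incoming document failed its ZKA check")
    ctx_in, ctx_out = stage + ":in", stage + ":out"
    doc["codes"].append((stage, ctx_in, make_code(stage, doc["body"], ctx_in)))
    # ... the stage's own processing happens here; the body must stay unchanged ...
    doc["codes"].append((stage, ctx_out, make_code(stage, doc["body"], ctx_out)))
    return doc


def audit(doc: dict) -> list:
    """Re-check every code and return the sequence of operations they attest.
    This is the 'technology as a sequence of operations' view: each code that is
    present and valid shows that the corresponding operation was applied to this body."""
    trail = []
    for key_id, ctx, code in doc["codes"]:
        if not verify_code(key_id, doc["body"], ctx, code):
            raise ValueError(f"code for {ctx} by {key_id} does not match the document")
        trail.append(ctx)
    return trail


if __name__ == "__main__":
    d = create_document(b"Payment order No. 17 (constructed sample)", "operator:ivanov")
    process_stage(d, "stage:registration")
    process_stage(d, "stage:approval")
    print(audit(d))
```

A changed body invalidates every code at once, and a stage that receives such a document refuses to issue its input code, which is the check the text places before the EDS is removed.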

7. Differentiation of access to data streams

For restricting access to data streams, routers that use cryptographic protection are usually employed. In such cases special attention is paid to the key system and to the reliability of key storage. The access requirements for differentiating streams differ from those for files and directories: only the simplest mechanism is possible here, access is either allowed or denied.

Fulfillment of the listed requirements provides a sufficient level of security for electronic documents as the most important type of messages processed in information systems.

As a technical means of protecting information, a trusted boot hardware module (TMB) has been developed that ensures booting of the OS, regardless of its type, only for a user authenticated by the security mechanism. The results of this development, the SZI NSD "Akkord" family (developer: OKB SAPR), are mass-produced and are today the best-known means in Russia of protecting computers from unauthorized access. During development, the specifics of the application area were taken into account, which is reflected in a family of hardware for protecting information in electronic document management that uses authentication codes (KA) at various levels. Consider some examples of the use of this hardware.

1. In cash registers (KKM), KA are used as a means of authenticating receipts as one type of ED. Each cash register must be equipped with an intelligent fiscal memory (FP) which, in addition to accumulating data on sales results, performs a number of functions:

  • protects the KKM software and data from unauthorized access;
  • generates authentication codes both for the KKM and for each receipt;
  • supports a standard interface for interaction with the tax inspector module;
  • provides extraction of fiscal data for submission to the tax office together with the balance sheet.

The developed FP block "Akkord-FP" is built on the basis of the SZI "Akkord". It has the following features:

  • the functions of the SZI NSD are integrated with the functions of the FP;
  • the non-volatile KKM registers are also implemented as part of the FP block;
  • the procedures of the tax inspector module are also integrated as an integral part of the Akkord-FP block.

2. In the system for monitoring the integrity and validation of electronic documents (SKCPD) in an automated system of the federal or regional level, the fundamental difference is the ability to protect each individual document. This system allows such control without a significant increase in traffic. The basis for the creation of such a system was the "Akkord-SB/KA" controller, a high-performance security coprocessor that implements the generation and verification of authentication codes.

The Regional Information and Computing Center (RICC) manages the operation of the SKCPD as a whole, interacting with all KA workstations: operator-participant workstations equipped with the Akkord-SB/KA (A-SB/KA) hardware and software complex and the SKCPD software. The RICC structure should include two automated workstations: ARM-K for producing keys and ARM-R for preparing the distribution of verification data.

3. Use of authentication codes in the subsystems of technological protection of electronic documents. The basis for implementing hardware information security can be "Akkord SB" and "Akkord AMDZ" (for protection against unauthorized access). Authentication codes are used to protect the technologies. Authentication codes for electronic documents in the technological information security subsystem are generated and verified on authentication code servers (ACS) using key tables (validity tables) stored in the internal memory of the Akkord-SB coprocessors installed in the ACS. Validity tables encrypted under delivery keys are delivered to the ACS and loaded into the internal memory of the coprocessors, where they are decrypted. Delivery keys are generated and registered at the specialized ARM-K workstation and loaded into the coprocessors at the initial stage, during their personalization.

The experience of large-scale practical use of more than 100,000 "Akkord" hardware protection modules in the computer systems of various organizations in Russia and neighbouring countries shows that the focus on a combined software and hardware solution was the right choice, since it offers great opportunities for further development and improvement.

Conclusions

Underestimating the problems associated with the security of information can lead to enormous damage.

The growth of computer crime forces us to take care of information security.

The use in Russian practice of the same types of mass-market software and hardware (for example, IBM-compatible personal computers; operating systems such as Windows, Unix, MS DOS, NetWare, etc.) to a certain extent creates favourable conditions for attackers.

The strategy for building an information security system should be based on integrated solutions, on the integration of information technologies and security systems, on the use of advanced methods and tools, and on universal, industrial-grade information protection technologies.

Questions for self-control

1. Name the types of information threats, define the threat.

2. What are the ways to protect information?

3. Describe access control as a way to protect information. What is its role and significance?

4. What is the purpose of cryptographic methods of information protection? List them.

5. Give the concept of authentication and digital signature. What is their essence?

6. Discuss the problems of information security in networks and ways to resolve them.

7. Explain the features of an information security strategy based on a systematic approach, integrated solutions and the principle of integration in information technology.

8. List the stages of creating information security systems.

9. What measures are required to implement the technical protection of electronic document management technologies?

10. What is the essence of the multiplicative approach?

11. What procedures must be followed to protect the electronic document management system?

12. What functions does the firewall perform?

Tests for Chapter 5

Fill in the missing terms and phrases.

1. Events or actions that can lead to unauthorized use, distortion or destruction of information are called...

2. There are two types of information security threats: ...

3. The listed types of countering threats to information security: obstacle, access control, encryption, regulation, coercion and inducement refer to ... ensuring information security.

4. The following ways to counter security threats: physical, hardware, software, organizational, legislative, moral and ethical are related to ... ensuring the security of information.

5. Cryptographic methods of information protection are based on its...

6. Assigning a unique designation to a user to confirm their compliance is called...

7. Authenticating a user to verify their identity is called...

8. The greatest threat to corporate networks is related to:

a) with heterogeneity information resources and technologies;

b) with software and hardware;

c) with equipment failures.

Choose the correct answers.

9. The rational level of information security in corporate networks is primarily selected based on the following considerations:

a) specification of protection methods;

b) economic feasibility;

c) defense strategies.

10. A resident program that is permanently located in the computer's memory and controls operations related to changing information on magnetic disks is called:

a) a detector;

c) watchman;

d) auditor.

11. Antivirus tools are designed:

a) to test the system;

b) to protect the program from a virus;

c) to check programs for the presence of a virus and their treatment;

d) to monitor the system.

If we consider the information security system of any large company, it is not only an antivirus but also several other programs providing protection in all areas. The time of simple solutions for IT security is long gone.

Of course, the basis of the overall information security system for any organization is the protection of a standard workstation from viruses. And here the need to use an antivirus remains unchanged.

But the requirements for corporate protection have generally changed. Companies need full-fledged end-to-end solutions that can not only provide protection against today's most complex threats, but also stay ahead of the curve.

"More and more large companies are building a security system based on the principle of defense in depth."

Moreover, earlier the echelons were lined up on various elements of the IT infrastructure, but now multi-level protection should exist even on individual elements of the IT environment, primarily on workstations and servers.

What threats did companies face in 2014

In terms of threats, targeted attacks on corporations and government structures have lately become a major information security challenge. Many of the techniques that hackers used to attack home users are now being applied to businesses as well.

These are modified banking Trojans that target employees of financial and accounting departments, various file-encrypting (ransomware) programs that have begun to operate within corporate networks, and the use of social engineering methods.

In addition, network worms have gained popularity, the removal of which requires the shutdown of the entire corporate network. If companies with a large number of branch offices located in different time zones face a similar problem, then any network outage will inevitably lead to financial losses.

According to a study conducted by Kaspersky Lab in 2014 among information security specialists, Russian companies most often face:

  • malware,
  • unwanted mail (spam),
  • attempts at unauthorized penetration into the system via phishing,
  • vulnerabilities in installed software,
  • risks associated with the behaviour of company employees.

The problem is aggravated by the fact that cyber threats are far from static: they multiply every day, become more diverse and complex. In order to better understand the current situation in the field of information security and the consequences that even a single computer incident can lead to, we will present everything in figures and facts obtained on the basis of Kaspersky Lab data on the analysis of the events of 2014.

Cyber Threat Statistics


By the way, it is mobile devices that today continue to be a separate “headache” for information security specialists. The use of personal smartphones and tablets for work purposes is already acceptable in most organizations, but proper management of these devices and their inclusion in the overall information security system of the company is not practiced everywhere.

"According to Kaspersky Lab, 99% of mobile-specific malware targets the Android platform today."

To understand where so many threats come from and to imagine how fast they increase in number, it is enough to say that every day Kaspersky Lab specialists process 325,000 samples of new malware.

Malware most often enters users' computers in two ways:

  • through vulnerabilities in legitimate software
  • using social engineering methods.

Of course, a combination of these two techniques is very common, but attackers do not neglect other tricks.

A separate threat to business is targeted attacks, which are becoming more and more frequent.

"The use of illegal software, of course, further increases the risk of becoming a successful target for a cyberattack, primarily due to the presence of more vulnerabilities in it."

Vulnerabilities appear sooner or later in any software. These may be errors in the development of the program, obsolescence of versions or individual elements of the code. Be that as it may, the main problem is not the presence of a vulnerability, but its timely detection and closure.

By the way, lately, and 2014 is a clear evidence of this, software manufacturers are beginning to increasingly close the vulnerabilities in their programs. However, there are still enough gaps in applications, and cybercriminals actively use them to penetrate corporate networks.

In 2014, 45% of all vulnerability incidents were caused by holes in the popular Oracle Java software.

In addition, last year there was a kind of tipping point: a vulnerability was discovered in the widely used OpenSSL cryptographic library, dubbed Heartbleed. This bug allowed an attacker to read the contents of memory and intercept personal data on systems using vulnerable versions of the library.

OpenSSL is widely used to protect data transmitted over the Internet (including information that the user exchanges with web pages, emails, messages in Internet messengers), and data transmitted over VPN (Virtual Private Networks) channels, so the potential damage from this vulnerability was huge. It is possible that attackers could use this vulnerability as a start for new cyber-espionage campaigns.

Victims of attacks

In general, in 2014 the number of organizations that became victims of targeted cyber attacks and cyber espionage campaigns increased by almost 2.5 times. Over the past year, almost 4,500 organizations in at least 55 countries, including Russia, have been targeted by cybercriminals.

Data theft occurred in at least 20 different sectors of the economy:

  • state,
  • telecommunication,
  • energy,
  • research,
  • industrial,
  • healthcare,
  • construction and other companies.

Cybercriminals gained access to the following information:

  • passwords,
  • files,
  • location information,
  • audio data,
  • screenshots,
  • webcam shots.

Most likely, in some cases, these attacks were supported by state structures, while others were more likely to be carried out by professional groups of cyber mercenaries.

In recent years, Kaspersky Lab's Global Threat Research and Analysis Center has tracked the activities of more than 60 criminal groups responsible for cyberattacks around the world. Their participants speak different languages: Russian, Chinese, German, Spanish, Arabic, Persian and others.

The consequences of targeted operations and cyber-espionage campaigns are always extremely serious. They inevitably end with hacking and infection of the corporate network, disruption of business processes, leakage of confidential information, in particular intellectual property. In 2014, 98% of Russian companies encountered some kind of cyber incident, the sources of which, as a rule, were outside the enterprises themselves. In addition, incidents caused by internal threats were recorded in another 87% of organizations.

"The total amount of damage to large companies averaged 20 million rubles for each successful example of a cyber attack."

What companies are afraid of and how things are in reality

Kaspersky Lab annually conducts research to find out the attitude of IT professionals to information security issues. A 2014 study showed that the vast majority of Russian companies, 91% to be exact, underestimate the amount of malware that exists today. Moreover, they do not even assume that the number of malware is constantly increasing.



Curiously, 13% of IT professionals said they were not worried about insider threats.

Perhaps this is due to the fact that in a number of companies it is not customary to divide cyber threats into external and internal ones. In addition, among the Russian heads of IT and information security services there are those who still prefer to solve all problems with internal threats with bans.

However, if something is forbidden to a person, this does not mean at all that he does not do it. Therefore, any security policy, including prohibition, requires appropriate controls to ensure that all requirements are met.

As for the types of information that attackers are primarily interested in, the study showed that the perceptions of companies and the real state of affairs are quite different.

So, the companies themselves are most afraid of losing

  • customer information,
  • financial and operational data,
  • intellectual property.

Business worries somewhat less about

  • information from competitor analysis,
  • payment information,
  • personal data of employees,
  • data on corporate bank accounts.

"In fact, it turns out that cybercriminals most often steal internal operating information of companies (in 58% of cases), but only 15% of companies consider it necessary to protect this data in the first place."

For security, it is equally important to consider not only technologies and systems, but also take into account the human factor: understanding the goals of the specialists who build the system, and understanding the responsibility of the employees who use the devices.

Recently, attackers are increasingly relying not only on technical means, but also on the weaknesses of people: they use social engineering methods that help to extract almost any information.

Employees, taking away data on their device, must understand that they bear exactly the same responsibility as if they took away paper copies of documents with them.

Company personnel should also be well aware that any modern technically complex device contains defects that an attacker can exploit. But in order to take advantage of these defects, an attacker must gain access to the device. Therefore, when downloading mail, applications, music and pictures, it is necessary to check the reputation of the source.

It is important to be careful about provocative SMS and emails and check the reliability of the source before opening the email and clicking on the link.

In order for a company to still be protected against such accidental or intentional actions of employees, it should use data leak protection modules.

"Companies need to regularly think about the work with the staff: from training of IT employees to explaining the basic rules for safe online browsing, no matter what devices they access from."

Thus, this year Kaspersky Lab released a new module that implements data leakage protection functions -

Cloud protection

Many large companies use the cloud in one way or another, in Russia most often in the form of a private cloud. It is important to remember here that, like any other information system created by man, cloud services contain potential vulnerabilities, which can be used by virus writers.

Therefore, when organizing access even to your own cloud, you must remember the security of the communication channel and of the end devices used on the employees' side. Equally important are internal policies governing which employees have access to data in the cloud, what level of confidentiality information stored in the cloud may have, and so on. The company should have transparent rules on:

  • which services will run from the cloud,
  • which will run on local resources,
  • what kind of information may be placed in the cloud,
  • what must be kept "at home".

Based on the article: Time for "hard" decisions: security in the Enterprise segment.

Information systems whose data transmission facilities belong to one company and are used only for that company's needs are customarily called enterprise-wide networks or corporate computer networks (CN). A CN is an organization's internal private network that combines its computing, communication and information resources and is intended for the transfer of electronic data, which can be any information; it also includes the software, the rules for users' access to network resources, the network management rules, control of resource usage, and the further development of the network. An enterprise network is the network of an individual organization.

A somewhat similar definition can be formulated based on the concept of a corporate network given in the work of Olifer V.G. and Olifer N.D. “ Computer networks: principles, technologies, protocols”: any organization is a set of interacting elements (subdivisions), each of which can have its own structure. The elements are interconnected functionally, i.e. they perform certain types of work within the framework of a single business process, as well as information, exchanging documents, faxes, written and oral orders, etc. In addition, these elements interact with external systems, and their interaction can also be both informational and functional. And this situation is true for almost all organizations, no matter what type of activity they are engaged in - for a government agency, a bank, an industrial enterprise, a commercial firm, etc.

Such a general view of the organization allows us to formulate some general principles for building corporate information systems, i.e. information systems throughout the organization.

A corporate network is a system that provides information transfer between the various applications used in the corporation. It is any network that uses the TCP/IP protocol stack and Internet communication standards, together with the service applications that deliver data to network users. For example, an enterprise may set up a web server to publish announcements, production schedules and other official documents; employees access the documents using web browsers.

Web servers on a corporate network can provide users with services similar to those on the Internet, such as hypertext pages (containing text, hyperlinks, graphics and sound recordings), delivery of requested resources to web clients, and access to databases. In this guide, all such publishing services are referred to as "Internet services" regardless of where they are used (on the Internet or on a corporate network).

The corporate network is, as a rule, geographically distributed, i.e. it unites offices, divisions and other structures located at a considerable distance from each other. The principles on which a corporate network is built are quite different from those used to create a local network. The limited capacity of long-distance links is a fundamental constraint, so when designing a corporate network all measures should be taken to minimize the amount of transmitted data. Beyond that, the corporate network should not impose restrictions on which applications process the information transferred over it, or how. A characteristic feature of such a network is that it runs equipment of various manufacturers and generations, as well as heterogeneous software that was not originally designed for joint data processing.

The simplest and most affordable option for connecting remote users to the corporate network is the telephone network. Where possible, ISDN networks may be used. To unite network nodes, global (wide-area) data transmission networks are used in most cases. Even where it is possible to lay leased lines (for example, within one city), packet-switching technologies make it possible to reduce the number of required communication channels and, importantly, to ensure compatibility of the system with existing global networks.

Connecting the corporate network to the Internet is justified if access to the corresponding services is needed. Many works express the following opinion on connecting to the Internet: the Internet should be used as a data transmission medium only when other methods are unavailable and financial considerations outweigh the requirements of reliability and security. If the Internet will be used only as a source of information, it is better to use a dial-on-demand connection, i.e. a mode in which the connection to the Internet node is established only on your initiative and for the time you need. This dramatically reduces the risk of unauthorized entry into your network from outside.

Within a corporate network it is also worth using the virtual channels of packet-switching networks for data transfer. The main advantages of this approach are versatility, flexibility and security.

As a result of studying the structure of the information system (IS) and its data processing technology, an IS information security concept is developed. The concept reflects the following main points:

  • 1) the organization of the network;
  • 2) existing threats to the security of information, the possibility of their realization and the expected damage;
  • 3) the organization of information storage in the IS;
  • 4) the organization of information processing;
  • 5) regulation of personnel access to particular information;
  • 6) the responsibility of personnel for ensuring security.

Developing this topic on the basis of the IS information security concept given above, a security scheme is proposed whose structure must satisfy the following conditions:

  • protection against unauthorized penetration into the corporate network and against information leakage through communication channels;
  • differentiation of information flows between network segments;
  • protection of critical network resources;
  • cryptographic protection of information resources.

To examine the above security conditions in more detail: to protect against unauthorized entry and information leakage, it is proposed to use firewalls. In fact, a firewall is a gateway that protects the network from unauthorized access from outside (for example, from another network).

There are three types of firewalls:

Application layer gateway. An application layer gateway, often called a proxy server, relays data for a limited number of user applications. If the gateway does not support a particular application, the corresponding service is not provided, and data of that type cannot pass through the firewall.

Filtering router. More precisely, this is a router whose additional functions include packet filtering (a packet-filtering router). It is used in packet-switched networks in datagram mode, i.e. in those data transmission technologies in which there is no signaling plane (no connection is established in advance between the communicating endpoints), for example IPv4. In this case the decision to forward an incoming packet is made on the basis of the values of its transport header fields. Therefore, firewalls of this type are usually implemented as a list of rules applied to the values of the transport header fields.

Switching layer gateway. Protection is implemented in the control plane (at the signaling level) by allowing or denying particular connections.
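The packet-filtering router described above is "a list of rules applied to the values of the transport header fields". The following is an added illustration written for this page, not the configuration syntax of any real router: it assumes packet headers arrive as small dictionaries, a constructed rule set for a site in the 192.0.2.0/24 documentation range with one public web server, first-match semantics, and an explicit deny-everything-else rule at the end, with deny as the fallback if no rule matches at all.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp", "icmp" or "any"
    src: str                 # source network in CIDR notation
    dst: str                 # destination network in CIDR notation
    dst_port: Optional[int]  # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        """Compare the rule against the packet's header fields only;
        a stateless filter knows nothing about the connection the packet belongs to."""
        if self.proto != "any" and self.proto != pkt["proto"]:
            return False
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return True


# Constructed rule set (assumption, not from the page): site 192.0.2.0/24 with a
# public HTTPS server at 192.0.2.10. Rules are tried in order; the last rule is
# the "deny everything else" default that a filtering router needs.
RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443),   # inbound HTTPS only
    Rule("allow", "tcp", "192.0.2.0/24", "0.0.0.0/0", None),   # any outbound TCP
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None),       # default deny
]


def decide(pkt: dict, rules=RULES) -> str:
    """First matching rule wins; no match at all also means deny (fail closed)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


if __name__ == "__main__":
    # Constructed sample headers: 198.51.100.7 stands for an outside host.
    for pkt in [
        {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "dport": 443},
        {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "dport": 22},
        {"proto": "tcp", "src": "192.0.2.5", "dst": "198.51.100.7", "dport": 80},
    ]:
        print(pkt, "->", decide(pkt))
```

Note what the rule set cannot express: a reply to an outbound connection from 192.0.2.5 arrives at an ephemeral destination port and is dropped by the default rule, because the filter has no notion of which packets belong to an established session. Opening a broad range of inbound ports to fix that is exactly the weakness that the stateful (session-level) firewalls mentioned at the start of this page address.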

A special place belongs to the cryptographic protection of information resources in corporate networks, since encryption is one of the most reliable ways to protect data from unauthorized access. A particular feature of the use of cryptographic means is strict legislative regulation. Currently, in corporate networks they are installed only at those workplaces where information of a very high degree of importance is stored.

Cryptographic means of protecting information resources in corporate networks are classified as follows:

Single-key cryptosystems, also called traditional or symmetric cryptosystems. The user creates an open (plaintext) message whose elements are characters of a finite alphabet. An encryption key is generated to encrypt the open message, and the encryption algorithm produces the encrypted message from it.

The above model assumes that the encryption key is generated in the same place as the message itself. Another key generation arrangement is also possible: the encryption key is generated by a third party (a key distribution center) trusted by both users, which is then responsible for delivering the key to both of them. Generally speaking, this arrangement conflicts with the very essence of cryptography, ensuring the secrecy of the transmitted user information.

Single-key cryptosystems use the principles of substitution (replacement), permutation (transposition) and composition. Substitution replaces individual characters of the open message with other characters. Encryption by permutation changes the order of the characters in the open message. To increase the strength of encryption, a message encrypted with one cipher can be encrypted again with another cipher; this is called the compositional approach. Symmetric (single-key) cryptosystems can therefore be classified into systems using substitution, permutation and composition ciphers.
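The three principles just listed can be made concrete with classical ciphers over the Latin alphabet. The following is an added example written for this page (not code from the page's author): a keyed substitution alphabet built from a keyword, a columnar transposition of a chosen width, and their composition, with the decryption side undoing the two steps in reverse order. The keyword, the column width and the padding character X are assumptions chosen for the illustration; the ciphers themselves are textbook constructions with no practical strength, which is the point of composing them.

```python
import string

ALPHABET = string.ascii_uppercase


def keyed_alphabet(keyword: str) -> str:
    """Substitution alphabet from a keyword: keyword letters first (duplicates
    dropped), then the remaining letters in their usual order."""
    out = []
    for ch in keyword.upper() + ALPHABET:
        if ch in ALPHABET and ch not in out:
            out.append(ch)
    return "".join(out)


def substitute(text: str, sub_alphabet: str, decrypt: bool = False) -> str:
    """Substitution: each letter is replaced by the letter at the same position
    in the substitution alphabet (the reverse mapping when decrypting)."""
    src, dst = (sub_alphabet, ALPHABET) if decrypt else (ALPHABET, sub_alphabet)
    return text.translate(str.maketrans(src, dst))


def transpose(text: str, width: int) -> str:
    """Permutation (columnar transposition): write the text in rows of `width`
    characters and read it out column by column. Pads with X to fill the last row."""
    text += "X" * ((-len(text)) % width)
    rows = [text[i:i + width] for i in range(0, len(text), width)]
    return "".join(row[c] for c in range(width) for row in rows)


def untranspose(text: str, width: int) -> str:
    """Inverse of transpose: rebuild the columns and read the rows back."""
    n_rows = len(text) // width
    cols = [text[i:i + n_rows] for i in range(0, len(text), n_rows)]
    return "".join(cols[c][r] for r in range(n_rows) for c in range(width))


def encrypt(plain: str, keyword: str, width: int) -> str:
    """Composition: substitution first, then transposition.
    Input is assumed to be uppercase A-Z only."""
    return transpose(substitute(plain, keyed_alphabet(keyword)), width)


def decrypt(cipher: str, keyword: str, width: int) -> str:
    """Undo the composition in reverse order: untranspose, then reverse the substitution."""
    return substitute(untranspose(cipher, width), keyed_alphabet(keyword), decrypt=True)


if __name__ == "__main__":
    message = "TRANSFERAPPROVED"          # constructed sample plaintext
    c = encrypt(message, "KEYWORD", 4)
    print(c, decrypt(c, "KEYWORD", 4))
```

Substitution alone preserves the position of every letter, transposition alone preserves the letter frequencies of the plaintext; the composed cipher hides both, which is why the compositional approach was historically used to strengthen ciphers that were individually weak.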

Public key cryptosystem. This is the case when users use different keys, KO and KS, for encryption and decryption. Such a cryptosystem is called asymmetric, two-key, or public-key.

The recipient of the message (user 2) generates an associated key pair:

KO is the public key, which is openly published and is thus available to the sender of the message (user 1);

KS is the secret (private) key, which remains known only to the recipient of the message (user 2).

User 1, having the encryption key KO, generates the ciphertext using a certain encryption algorithm.

User 2, having the secret key KS, is able to perform the reverse operation.

The key pair can also be used the other way round: user 1 prepares a message for user 2 and, before sending, encrypts it with his own private key. User 2 can then decrypt the message using user 1's public key. Since the message was encrypted with the sender's private key, it can act as a digital signature. Moreover, the message cannot be altered without access to user 1's private key, so this also solves the problems of sender identification and data integrity.

Finally, I would like to say that by installing cryptographic means of protection it is possible to reliably protect the workplace of an employee who works directly with information of particular importance to the organization's existence from unauthorized access.