Lecture 13. Organization of data security and information protection (004 13 Лекция 131313 Организация безопасности данных и информационной защиты.doc)

Upload: elmer-holt

Post on 11-Jan-2016



This lecture is devoted to the organization of data security and information protection. Possible variants of attacks and methods of protecting information are considered.

Contents

Is it necessary to be protected?
From whom to be protected?
From what to be protected?
How to be protected?
What to be protected with?
Who should organize protection, and how?
What to choose?
Control questions and tasks

13.1. What leads to the need for protection

The modern development of information technologies, and in particular of Internet/Intranet technologies, makes it necessary to protect information transmitted within a distributed corporate network that uses networks of open access. When working over the company's own closed physical access channels this problem is not so acute, since outside access to such a network is closed.

However, not every company can afford dedicated channels. It therefore has to make do with what is at its disposal, and most often that is the Internet. Hence it is necessary to devise ways of protecting confidential data transmitted over an essentially unprotected network.

13.2. Key questions of information security

When considering information protection, several questions can be singled out that are fundamental and must be studied by the company's top management when organizing information protection.

13.3. Is it necessary to be protected?

There can be many answers to this question, depending on the structure and purposes of the company. For some, the main task is preventing the leakage of information (marketing plans, promising developments, etc.) to competitors. Others may neglect the confidentiality of the information and concentrate on its integrity (for a bank, for example, it is important first of all to ensure that payment orders being processed cannot be altered).

For a third group, the first priority is ensuring the availability and uptime of the enterprise information systems. For example, for an Internet service provider, a company operating a Web server, or a telecommunications operator, the first task is the uninterrupted operation of all (or the most important) units of the information system. Such priorities can only be set as a result of analyzing the company's activity.

13.4. Underestimating the importance of information security

When the talk turns to company security, management usually underestimates the importance of information security. The main emphasis is placed on physical security (access control regime, guards, video surveillance systems, etc.). However, in recent years the situation has changed substantially.

In order to penetrate the company's secrets there is no need to climb over fences, evade perimeter sensors, break into rooms protected by thick walls, open safes, and so on. It is enough to enter the bank's information system and transfer hundreds of thousands of dollars to the required accounts, change or destroy critically important data, or put any unit of the corporate network out of action.

All this can result in significant damage: not only direct damage, which can be expressed in large sums, but also indirect damage that is no less significant. Putting one or another unit of the network or an IS module out of operation leads to expenses for restoring its serviceability, which consist in updating or replacing software and paying additional salary to the maintenance staff. An attack on the company's Web server and replacement of its contents by anyone at all can lead to a decrease in trust in the firm and, as a consequence, to the loss of part of its clientele and a decrease in income.

13.5. From whom to be protected?

In most cases the answer to this question is: from external intruders, hackers. In the opinion of the majority of Russian businessmen, the main danger comes from them: they penetrate the computer systems of banks and military organizations, intercept control of satellites, etc.

13.6. 70-80 % of all computer crimes are connected with internal violations

Such a danger exists, and it should not be underestimated. But it is too exaggerated. Statistics show that up to 70-80 % of all computer crimes are connected with internal violations carried out by the company's own employees.

Suppose that a casual external attacker (and the majority of "break-ins" are made by such subjects) has managed to find a weak place in the company's information security system. Using this "hole", he will penetrate the corporate network, reaching financial data, strategic plans or promising projects. What does he really get? Not being an expert in the field in which the company works, it is simply impossible for him to make sense of gigabytes of information without assistance. An employee, however, can really estimate the value of one or another piece of information, and has access privileges that allow him to carry out unauthorized manipulations.

There are enough examples in the press where an employee of a company, believing that he is not appreciated at work, commits a computer crime resulting in multimillion losses. Cases are frequent where, after dismissal, a former employee of the company uses corporate Internet access for a long time.

On dismissal of such an employee nobody thought of the need to cancel his password for access to the data and resources with which he worked as part of his official duties. If access administration is organized poorly, frequently nobody notices that former employees use Internet access and can do harm to their former company.

It is noticed only when sharply increased bills for Internet services and a leak of confidential information are discovered. Such a case is quite indicative; it illustrates a very widespread practice and procedure of dismissal in Russian companies.
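An added example, not part of the lecture, of the offboarding check the paragraphs above call for: it cross-references an HR list of departed employees against an export of directory accounts and flags accounts that were never disabled, ranking highest those that were used after the departure date or still hold remote access. The logins, dates and the group name vpn-users are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data (not from the lecture): HR's list of departed
# employees with their last working day, and an export of user accounts
# from the company's directory service with each account's last login.
HR_DEPARTURES: Dict[str, date] = {
    "ivanov": date(2016, 1, 4),
    "petrova": date(2015, 12, 18),
    "sidorov": date(2015, 11, 30),
}

# (login, enabled, last successful login, group memberships)
ACCOUNTS: List[Tuple[str, bool, Optional[datetime], Set[str]]] = [
    ("ivanov", True, datetime(2016, 1, 9, 22, 14), {"staff", "vpn-users", "finance-ro"}),
    ("petrova", False, datetime(2015, 12, 17, 9, 2), {"staff", "vpn-users"}),
    ("sidorov", True, datetime(2015, 11, 25, 8, 30), {"staff"}),
    ("orlova", True, datetime(2016, 1, 10, 11, 5), {"staff", "vpn-users"}),
]

# Assumed name of the group that grants remote (Internet) access.
REMOTE_ACCESS_GROUPS = {"vpn-users"}

# Date on which the review is run (constructed).
AS_OF = date(2016, 1, 11)


@dataclass
class Finding:
    login: str
    severity: str                      # "high" or "medium"
    reasons: List[str] = field(default_factory=list)


def review_departed_accounts(departures: Dict[str, date],
                             accounts: List[Tuple[str, bool, Optional[datetime], Set[str]]],
                             as_of: date) -> List[Finding]:
    """Flag accounts of departed employees that were never disabled.

    Severity is "high" when the account was used after the departure date
    (the very situation the lecture describes) or still grants remote access;
    otherwise "medium". Accounts that were already disabled produce nothing.
    """
    findings: List[Finding] = []
    for login, enabled, last_login, groups in accounts:
        departed_on = departures.get(login)
        if departed_on is None or not enabled:
            continue                                    # still employed, or already handled
        days_open = (as_of - departed_on).days
        reasons = [f"still enabled {days_open} days after departure on {departed_on}"]
        severity = "medium"
        if last_login is not None and last_login.date() > departed_on:
            reasons.append(f"logged in on {last_login:%Y-%m-%d %H:%M}, after departure")
            severity = "high"
        remote = sorted(groups & REMOTE_ACCESS_GROUPS)
        if remote:
            reasons.append("remote access still granted via " + ", ".join(remote))
            severity = "high"
        findings.append(Finding(login, severity, reasons))
    # High-severity findings first, then alphabetically by login.
    findings.sort(key=lambda f: (f.severity != "high", f.login))
    return findings


if __name__ == "__main__":
    for f in review_departed_accounts(HR_DEPARTURES, ACCOUNTS, AS_OF):
        print(f"[{f.severity.upper()}] {f.login}: " + "; ".join(f.reasons))
```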

13.7. Dismissed or disgruntled rank-and-file employees

However, the greatest danger can come not simply from dismissed or disgruntled rank-and-file employees (for example, operators of various information subsystems), but from those who are vested with greater powers and have access to a wide spectrum of the most varied information.

Usually these are the employees of IT departments (analysts, developers, system administrators), who know the passwords to all systems used in the organization. Their qualification, knowledge and experience, used for harm, can result in very large problems.

Besides, such attackers are very difficult to detect, since they have sufficient knowledge of the company's IS protection system to bypass the protective mechanisms in use and thus remain "invisible".

Therefore, when constructing a protection system, it is necessary to protect not only, and not so much, against external attacks, but also against internal attackers, i.e. to build a comprehensive information security system.

13.8. From what to be protected?

When integrating individual and corporate information systems and resources into a unified information infrastructure, the determining factor is maintaining a due level of information security for each subject that has decided to enter this space. In a unified information space, all necessary preconditions should be created for establishing the authenticity of the user, the authenticity of the contents and the authenticity of the message (i.e. the mechanisms and tools of authentication).

Thus, there should be an information security system that includes the necessary complex of measures and technical decisions for protection:

1. Against disruption of the functioning of the information space, by excluding influence on information channels and resources;
2. Against unauthorized access to information, by detecting and eliminating attempts to use the resources of the information space that violate its integrity;
3. Against destruction of the built-in means of protection, with the possibility of proving the incompetence of the actions of users and maintenance staff;
4. Against the introduction of "viruses" and "bookmarks" (implanted hidden functionality) into software and hardware.

It is especially necessary to note the security tasks of systems being developed and modified in an integrated information environment. During updates, the appearance of additional vulnerable situations in the system is inevitable. To solve this problem, alongside general methods and technologies, it is necessary to note the introduction of a number of requirements for developers, the creation of rules for modifying systems, and also the use of specialized means.

13.9. Avalanche spread of viruses

The avalanche spread of viruses has become a major problem for the majority of companies and official bodies. More than 45000 computer viruses are now known, and each month more than 300 new versions appear [the Encyclopedia of Viruses, www.viruslist.com/ru/viruses/encyclopedia]. According to various data, in 2007 from 65 % to 80 % of companies all over the world were subjected to virus attacks. Direct and indirect losses are estimated at hundreds of millions of dollars, and these figures grow steadily.

A computer virus is a specially written program that can "attach" itself to other programs, i.e. "infect" them, in order to perform various undesirable actions on the computer and in the network. When such a program begins work, as a rule control is first received by the virus. The virus can work independently, carrying out certain harmful actions (changing files or the file allocation table on a disk, cluttering up RAM, changing the access addresses of external devices, etc.), or "infect" other programs. Infected programs can be transferred to another computer by means of diskettes or the local network.

The forms of organizing virus attacks are rather varied, but on the whole practically all of them can be "scattered" into the following categories:

1. Remote penetration of the computer: programs that obtain unauthorized access to another computer via the Internet (or a local network);
2. Local penetration of the computer: programs that obtain unauthorized access to the computer on which they subsequently run;
3. Remote blocking of the computer: programs that, via the Internet (or a network), block the work of an entire remote computer or of a separate program on it;
4. Local blocking of the computer: programs that block the work of the computer on which they run;
5. Network scanners: programs that collect information about a network in order to determine which of the computers, and which programs running on them, are potentially vulnerable to attacks;
6. Program vulnerability scanners: programs that check large groups of computers on the Internet in search of computers vulnerable to one or another particular kind of attack;
7. Password "crackers": programs that find easily guessed passwords in encrypted password files;
8. Network analyzers (sniffers): programs that listen to network traffic. Frequently they have the capability to automatically extract user names, passwords and credit card numbers from the traffic;
9. Modification of the transmitted data or substitution of information;
10. Substitution of a trusted object of a distributed IS (acting in its name), or a false object of a distributed IS (DIS);
11. "Social engineering": unauthorized access to information by means other than breaking the software. The purpose is to mislead employees (network or system administrators, users, managers) in order to obtain passwords to the system or other information that will help to break the security of the system.

Malicious software includes worms, classic file viruses, Trojans, hacker tools, and other programs that cause deliberate harm to the computer on which they are executed or to other computers on the network.

13.10. Network worms

Network worms. The basic attribute by which worm types differ from each other is the way the worm spreads, i.e. how it transfers its copy to remote computers. Other distinguishing signs between network worms are the ways a copy of the worm is launched on the infected computer, the methods of embedding into the system, as well as polymorphism, "stealth" and other characteristics also inherent to other types of malware (viruses and Trojans).

An example is the mail worm (Email-Worm). This worm category comprises those that use electronic mail for distribution. The worm sends either a copy of itself as an attachment to an e-mail message, or a link to its file located on some network resource (for example, an infected file located on a hacked or hacker-run Web site). In the first case the worm code is activated when the infected attachment is opened; in the second, when the link to the infected file is opened. In both cases the effect is identical: the worm code is activated.
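Added example (not from the lecture): a mail-gateway style check for the two propagation paths just described, flagging a message that carries an executable attachment or a body link pointing at an executable file. The messages, addresses and the extension list are constructed assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import List, Optional

# File-name endings a gateway should not let through unchallenged
# (assumed list; extend it for your own environment).
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                  ".vbs", ".js", ".jse", ".wsf", ".hta")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def is_executable_name(name: str) -> bool:
    """Case-insensitive check of a file name or URL path against EXECUTABLE_EXT."""
    return name.lower().endswith(EXECUTABLE_EXT)


def analyze_message(raw: bytes) -> List[str]:
    """Return findings for one raw RFC 5322 message (empty list = nothing found).

    Path 1: the worm's copy arrives as an attachment -> inspect attachment names.
    Path 2: the body carries a link to the worm's file -> inspect URLs in the body.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if is_executable_name(name):
            findings.append(f"executable attachment: {name}")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        # Drop the query string and trailing punctuation before checking the path.
        path = url.split("?", 1)[0].rstrip(".,;)")
        if is_executable_name(path):
            findings.append(f"link to executable file: {path}")
    return findings


def build_sample(body: str, attachment_name: Optional[str] = None) -> bytes:
    """Construct a sample message (constructed test data, not a real capture)."""
    m = EmailMessage()
    m["From"] = "unknown-sender@example.invalid"
    m["To"] = "accountant@corp.example"
    m["Subject"] = "Your document"
    m.set_content(body)
    if attachment_name:
        # Placeholder bytes standing in for an attached program; not real code.
        m.add_attachment(b"MZ\x90\x00 placeholder, not a real program",
                         maintype="application", subtype="octet-stream",
                         filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    samples = {
        "attachment": build_sample("Please see the attached invoice.", "INVOICE.EXE"),
        "link": build_sample("Your update is at http://files.example.invalid/update.exe."),
        "clean": build_sample("Meeting moved to 10:00, agenda: http://intranet.example/agenda.html"),
    }
    for label, raw in samples.items():
        print(label, "->", analyze_message(raw) or "no findings")
```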

13.11. Classical computer viruses

Classical computer viruses. This category comprises programs that distribute their copies over the resources of the local computer with the purpose of subsequently launching their code upon some action of the user, or of further embedding into other resources of the computer. Unlike worms, viruses do not use network services to penetrate other computers. A copy of a virus reaches remote computers only if the infected object, for reasons independent of the virus's functions, turns out to be activated on the other computer, for example:

1. When infecting accessible disks, the virus has penetrated files located on a network resource;
2. The virus has copied itself to removable media or infected files on it;
3. The user has sent an e-mail message with an infected attachment.

Some viruses contain properties of other kinds of malicious software, for example a backdoor procedure or a Trojan component for destroying information on a disk.

Many spreadsheet and graphics editors, design systems and word processors have macro languages for automating the performance of repeated actions. These macro languages frequently have a complex structure and an advanced set of commands. Macro viruses are programs in the macro languages built into such data processing systems. For replication, viruses of this class use the capabilities of the macro languages and with their help transfer themselves from one infected file (document or table) to others.

13.12. Script viruses

Script viruses. It is also necessary to note script viruses, a subgroup of file viruses. These viruses are written in various scripting languages (VBS, JS, BAT, PHP, etc.). They either infect other script programs (command and service files of MS Windows or Linux) or are parts of multicomponent viruses. These viruses can also infect files of other formats (for example, HTML) if script execution is possible in them.

13.13. Trojan programs

Trojan programs. This category includes programs that carry out various actions not authorized by the user: collecting information and transferring it to the attacker, destroying or maliciously modifying it, disrupting the serviceability of the computer, and using the computer's resources for unseemly purposes. Separate categories of Trojan programs damage remote computers and networks without disrupting the serviceability of the infected computer (for example, Trojan programs developed for mass DoS attacks on remote network resources).

13.14. Hacker utilities

Hacker utilities and other malicious programs. This category comprises:

1. Utilities for automating the creation of viruses, worms and Trojan programs (constructors);
2. Software libraries developed for creating malicious software;
3. Hacker utilities for hiding the code of infected files from anti-virus checking (file encryptors);
4. "Malicious jokes" that complicate work with the computer, i.e. programs that give the user obviously false information about their actions in the system;
5. Other programs that in one way or another intentionally cause direct or indirect damage to the given or remote computers.

Other malicious programs include those that pose no direct threat to the computer on which they are executed, but are developed for organizing DoS attacks on remote servers, for breaking into other computers, or for creating other viruses or Trojan programs.

13.14. "Trojan horse"

The most massive attacks are carried out by programs of the "Trojan horse" type, which can be installed on the owner's computer imperceptibly and function on it just as imperceptibly. The most widespread variant of "Trojan horse" most often carries out a single function, as a rule the theft of passwords, but there are also more "advanced" specimens. They implement a wide spectrum of functions for remote control of the computer, including viewing the contents of the screen, intercepting keystrokes, theft or destruction of data and information, and modification or replacement of files and databases.

13.15. Denial of service

Another widespread type of attack is actions directed at putting one or another network unit out of operation. These attacks have received the name "denial of service" (Denial of Service), and today more than a hundred different variants of such actions are known. As already noted, putting a network unit out of operation even for some hours or minutes can result in very serious consequences.

For example, damage to the server of a bank's payment system will make it impossible to carry out payments and, as a consequence, lead to large direct and indirect financial losses not only for the bank but also for its clients.

Such attacks are now the most discussed. However, there are also other threats that can lead to serious consequences. For example, the RealSecure intrusion detection system tracks more than 600 different events affecting security and concerning the possibility of external attacks.

13.16. General techniques of protection from viruses

General techniques of protection from viruses are an obligatory component of the enterprise's "information security policy". The appropriate sections of the policy describe the principles of anti-virus protection, the standards and normative documents used, which determine the order of the user's actions when working in local and external networks, the user's powers, and the anti-virus means used. The sets of obligatory rules can vary quite a lot; however, the following rules for users can be formulated in general form:

1. Check for viruses all diskettes, CD-RWs and ZIP disks that have been used on another computer, and all purchased CDs;
2. Use anti-virus programs of well-known, proven firms, and regularly (ideally daily) update their databases;
3. Do not unload the resident part (monitor) of the anti-virus program from the computer's RAM;
4. Use only programs and data received from reliable sources; pirated copies of programs are most often infected by viruses;
5. Never open files attached to e-mail messages from unknown senders, and do not visit sites promoted through spam mailings (according to Kaspersky Laboratory, about 90 % of viruses are now distributed this way).

Similarly, some general requirements for a good anti-virus program can be formulated. Such a program must:

1. Provide effective protection in real time: the resident part (monitor) of the program must be constantly present in the computer's RAM and check all file operations (creation, editing and copying of files, launching them for execution), e-mail messages, and data and programs received from the Internet;
2. Allow checking the entire contents of local disks "on demand", starting the check manually or automatically on a schedule or when the computer is switched on;
3. Protect the computer even from unknown viruses: the program should include technologies for searching for unknown viruses based on the principles of heuristic analysis;
4. Be able to check and disinfect archive files;
5. Provide the opportunity to update the anti-virus databases regularly (daily is desirable) via the Internet, from diskettes or from CDs.

Two proven, high-quality anti-virus packages are now mainly used in Russia: Dr. Web and "Kaspersky Antivirus". Each of these products has a product line oriented towards different spheres of application: for use on local computers, for small and medium business, for large corporate clients, for protecting local networks, for mail servers, file servers and application servers. Both products certainly meet all the requirements set out above.

13.17. How to be protected?

The simplest way is to buy the newest promoted means of protection and install them in the organization without troubling oneself with substantiating their utility and efficiency. If the company is rich, it can afford this way. However, a true chief should assess the situation systematically and spend funds correctly.

All over the world it is now accepted to build a comprehensive system of protection of information and information systems in several stages, on the basis of forming a concept of information security, which means first of all the interrelation of its basic concepts.

13.18. First stage: information survey of the enterprise

The first stage, the information survey of the enterprise, is the most important. At this stage it is determined what the company first of all needs to be protected against.

First, a so-called model of the intruder is constructed, which describes the probable profile of the attacker: his qualification, the means available to him for carrying out one or another attack, the usual time of action, etc. At this stage it is possible to obtain the answer to two questions posed above: "What for, and from whom, is it necessary to be protected?" At the same stage the vulnerable places are revealed, the possible ways of realizing threats to security are analyzed, and the probability of attacks and the damage from their realization are estimated.

Based on the results of this stage, recommendations are developed for eliminating the revealed threats and for the correct choice and application of means of protection. At this stage it may be recommended not to purchase rather expensive means of protection, but to take advantage of those already available. For example, when the organization has a powerful router, it may be recommended to use the protective functions built into it instead of purchasing a more expensive firewall.

Alongside the analysis of the existing technology, a policy in the field of information security should be developed, together with a set of organizational and administrative documents forming the basis for creating an information security infrastructure. These documents, based on international legislation, the laws of the Russian Federation and normative acts, give the necessary legal basis to the security services and information protection departments for carrying out the entire spectrum of protective measures, interaction with external organizations, bringing violators to responsibility, etc.

13.19. Formation of the information security policy

The formation of the information security policy should be reduced to the following practical steps.

1. Principles of administering the information security system and of managing access to computing and telecommunication means, programs and information resources, and also access to the premises where they are located;
2. Principles of monitoring the condition of information protection systems, ways of reporting incidents in the information security area, and development of corrective measures directed at eliminating threats;
3. Principles of use of information resources by the company's personnel and by external users;
4. Organization of anti-virus protection and protection against unauthorized access and hacker actions;
5. Questions of backup copying of data and information;
6. Order of carrying out preventive, repair and recovery works;
7. Program of training and professional development of the personnel;
8. Development of a methodology for revealing and estimating threats and the risks of their realization, and definition of approaches to risk management: whether a baseline level of security is sufficient or a full variant of risk analysis is required;
9. Structure of countermeasures by levels of security requirements.

13.20. Order of certification for conformity to standards in the information security area

The periodicity of holding meetings on information security topics at management level, including periodic review of the rules of the information security policy, and also the order of training all categories of users of the information system in information security questions, should be determined.

The next stage of constructing a comprehensive information security system is the purchase, installation and configuration of the means and mechanisms of information protection recommended at the previous stage. These tools include systems for protecting information from unauthorized access, cryptographic systems, firewalls, security analysis systems, and others. Qualified personnel are necessary for the correct and effective application of the installed means of protection.

With the passage of time the available means of protection become outdated, new versions of information security systems are released, the list of discovered weak places and attacks constantly expands, the technology of information processing changes, software and hardware change, and company personnel come and go.

It is therefore necessary to periodically review the developed organizational and administrative documents, conduct a survey of the IS or its subsystems, train new staff and upgrade the means of protection.

13.21. Comprehensive information security system

Following the recommendations described above for constructing a comprehensive information security system helps to reach a necessary and sufficient level of security for your automated system.

13.22. What to be protected with?

Conditionally, three categories of means of protection can be distinguished: traditional means, new technologies, and cryptographic means of information protection. Cryptographic means are placed in a separate category because they represent a completely special class of protective means that cannot be assigned to any other class.


Traditional protection tools were built on the classical access control models developed in the 1960s and 1970s. At that time networks had not yet become widespread, and these models were developed in military departments.


Such tools include access control systems and firewalls (the lecture's "gateway screens"). The former enforce access control for specific users to the resources of a specific computer or of the whole network; the latter control access between two segments of a network with different security requirements.

A vivid example of access control systems is the SecretNet family, developed by the Scientific and Engineering Enterprise "Informprotection" and today among the leaders of the Russian information security market.


13.23. Firewalls

Among firewalls one can name the products of CheckPoint and CyberGuard: Firewall-1 and CyberGuard Firewall respectively. In particular, according to independent agencies, the CheckPoint Firewall-1 firewall holds more than 40% of the world market for protective tools of this class. Many routers that filter data on the basis of special rules can also be assigned to the class of firewalls.


However, these tools have their peculiarities. For example, if a stolen identifier and secret (as a rule, a user name and password) are presented to these systems, both the access control systems and the firewalls will "let" the intruder into the corporate network and grant access to those resources permitted to the user whose name and password were taken. And obtaining a password is simple enough today.

A large arsenal of tools can be used for this purpose, ranging from cracking programs that try an enormous number of possible passwords in a short time to protocol analyzers that examine the traffic transmitted over the network and extract from it the fragments that contain passwords.


13.24. Security analysis and attack detection

To eliminate such shortcomings, new technologies and protection mechanisms were developed, among which security analysis and attack detection have become the most widespread. Security analysis consists in searching the computing system and its components for vulnerabilities that could become targets for attacks. The presence of such places makes unauthorized penetration into computer networks and systems possible. The best-known product in the field of security analysis is the SAFEsuite family of the American company Internet Security Systems, which consists of three systems that find vulnerabilities ("holes") and errors in software: Internet Scanner, System Scanner and Database Scanner.


13.25. Attack detection

Attack detection is a new technology that has become widespread in recent years. Its distinctive feature is that it detects any attacks, including those originating from authorized users and those passed through by firewalls and access control tools. In this market the company ISS, with its RealSecure attack detection system, is also among the leaders.
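As an added illustration of the attack detection idea above (example code written for this text, not part of the lecture and not ISS's RealSecure), the following Python function scans constructed authentication log lines, in an assumed "timestamp OK|FAIL user=name src=ip" format, for the password-guessing pattern the lecture describes: a burst of failed logins from one source, possibly followed by a success.

```python
# Added example: detecting password guessing in authentication logs.
# The log format '<ISO timestamp> OK|FAIL user=<name> src=<ip>' is an
# assumption of this example; the log lines below are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-01-10T09:00:01 FAIL user=ivanov src=203.0.113.7
2024-01-10T09:00:03 FAIL user=ivanov src=203.0.113.7
2024-01-10T09:00:04 FAIL user=petrov src=203.0.113.7
2024-01-10T09:00:06 FAIL user=admin src=203.0.113.7
2024-01-10T09:00:07 FAIL user=root src=203.0.113.7
2024-01-10T09:00:09 OK user=admin src=203.0.113.7
2024-01-10T09:05:00 FAIL user=sidorov src=198.51.100.2
2024-01-10T09:20:00 OK user=sidorov src=198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_guessing(log_text, max_failures=4, window=timedelta(minutes=1)):
    """Flag sources with at least max_failures failed logins inside a sliding
    window (a cracker cycling through candidate passwords), and note whether
    a successful login followed the burst within the same window.

    Returns a list of (src, number_of_distinct_users_tried, success_followed).
    """
    recent = defaultdict(list)      # src -> timestamps of failures in the window
    users_tried = defaultdict(set)  # src -> user names seen in failed attempts
    flagged = {}                    # src -> True if a success followed the burst
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                # skip malformed lines rather than crash
        src, ts = rec["src"], rec["ts"]
        if rec["result"] == "FAIL":
            users_tried[src].add(rec["user"])
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.pop(0)
            if len(q) >= max_failures:
                flagged.setdefault(src, False)
        elif src in flagged and recent[src] and ts - recent[src][-1] <= window:
            flagged[src] = True     # success right after the burst: password guessed
    return [(src, len(users_tried[src]), ok) for src, ok in flagged.items()]
```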

A few words must be said about cryptographic tools, which are intended to protect critically important data from unauthorized reading and/or modification. Cryptography is a set of technical, mathematical, algorithmic and program methods of transforming data (encrypting it) that render the data useless to any user who does not hold the key for decryption.


13.26. Shannon's cryptographic theory

Formal mathematical cryptographic methods were developed by Claude Shannon. In the mathematical theory of cryptography he proved the theorem on the existence and uniqueness of the absolutely secure cipher: an encryption system in which the text is encrypted once with a random key of the same length. In 1976 the American mathematicians W. Diffie and M. Hellman substantiated the methodology of asymmetric encryption using a public one-way function (a function whose argument cannot be recovered from its value) and a public one-way function with a secret (trapdoor).
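An added worked example of Diffie-Hellman public key distribution, not part of the lecture: the public one-way function is x -> g^x mod p, and the prime P and base G used here are constructed toy parameters for readability, not secure ones.

```python
# Added example: Diffie-Hellman public key distribution (not lecture code).
# P and G are constructed toy parameters: P is prime but small by modern
# standards and G is not a verified generator; use standard groups in practice.
import secrets

P = 2 ** 127 - 1   # a Mersenne prime; toy size only
G = 3


def public_value(private, p=P, g=G):
    """The public one-way function: g^x mod p is cheap to compute, but
    recovering x from the result (the discrete logarithm) is infeasible
    for properly sized parameters."""
    return pow(g, private, p)


def valid_public_value(value, p=P):
    """Reject degenerate values (0, 1, p-1) that an active attacker could
    substitute to force a predictable shared secret."""
    return 1 < value < p - 1


def shared_secret(their_public, my_private, p=P):
    if not valid_public_value(their_public, p):
        raise ValueError("degenerate public value")
    return pow(their_public, my_private, p)


def new_private(p=P):
    """Random private exponent in [2, p-2]."""
    return secrets.randbelow(p - 3) + 2


def exchange(a_private, b_private, p=P, g=G):
    """Run both sides.  Returns what an eavesdropper sees (p, g, A, B) and
    the two secrets, which must agree: (g^b)^a = (g^a)^b = g^(ab) mod p."""
    A = public_value(a_private, p, g)   # sent from A to B in the clear
    B = public_value(b_private, p, g)   # sent from B to A in the clear
    transcript = {"p": p, "g": g, "A": A, "B": B}
    return transcript, shared_secret(B, a_private, p), shared_secret(A, b_private, p)
```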


13.27. Hash functions

In the 1990s, encryption methods based on a special class of functions, hash functions, were developed in the USA. A hash function is a mapping that takes as input a message M of variable length and produces as output a string h(M) of fixed length. The cryptographic strength of this method lies in the infeasibility of finding a document M' that would have a required hash value. The parameters of the hash function h are a family of keys {K}_N. Today the algorithms for forming the electronic digital signature (EDS) are built on these principles.
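An added example (not the lecture's material) of the properties just described: SHA-256 from Python's hashlib plays the role of h(M), and HMAC with a key K plays the role of the keyed family h_K(M). The document M and its altered copy M' are constructed for the example.

```python
# Added example: hash function properties and a keyed integrity check
# (not lecture code).  SHA-256 plays the role of h(M); HMAC-SHA256 with a
# key K plays the role of the keyed family h_K(M).  DOCUMENT is constructed.
import hashlib
import hmac
import secrets

DOCUMENT = b"Payment order 17: transfer 1000 to account 40702810"
FORGED = DOCUMENT.replace(b"1000", b"9000")   # the attacker's M'


def digest(message):
    """h(M): any input length, always 256 bits (64 hex characters)."""
    return hashlib.sha256(message).hexdigest()


def keyed_digest(key, message):
    """h_K(M): without K nobody can compute a valid value for a new M."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(key, message, tag):
    """Constant-time comparison, so timing does not leak the expected tag."""
    return hmac.compare_digest(keyed_digest(key, message), tag)


def bit_difference(hex_a, hex_b):
    """Number of differing bits between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def integrity_demo(key=None):
    """Protect DOCUMENT with h_K and report what the verifier sees."""
    key = key or secrets.token_bytes(32)       # K is shared by sender and verifier
    tag = keyed_digest(key, DOCUMENT)          # sent along with the document
    return {
        "fixed_length": len(digest(b"a")) == len(digest(DOCUMENT)) == 64,
        "original_accepted": verify(key, DOCUMENT, tag),
        "forged_accepted": verify(key, FORGED, tag),
        "wrong_key_accepted": verify(secrets.token_bytes(32), DOCUMENT, tag),
        # a one-digit change flips roughly half of the 256 digest bits
        "bits_changed": bit_difference(digest(DOCUMENT), digest(FORGED)),
    }
```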


13.28. Symmetric, asymmetric and hash algorithms

The most widely used symmetric encryption algorithms today are DES (Data Encryption Standard), IDEA (International Data Encryption Algorithm), RC2, RC5, CAST and Blowfish. Asymmetric algorithms: RSA (Rivest, Shamir, Adleman), the ElGamal algorithm, the ECC cryptosystem on elliptic curves, and the Diffie-Hellman algorithm of public key distribution. Algorithms based on hash functions: MD4 (Message Digest 4), MD5 (Message Digest 5) and SHA (Secure Hash Algorithm).


13.29. The free package PGP (Pretty Good Privacy)

The best-known freely distributed software is the PGP (Pretty Good Privacy) package. It was developed in 1995 by Phil Zimmermann, who used the algorithms RSA, IDEA and MD5 mentioned above. PGP consists of three parts: the IDEA algorithm, the signature and the digital signature. PGP uses three keys: the recipient's public key, the owner's secret key and a session key, which is generated randomly when the message is encrypted and is protected with RSA and the public key. Information on this product can be obtained at www.mit.edu/network/pgp-form.html.


Cryptographic transformations solve the following basic protection tasks: confidentiality (the impossibility of reading the data and extracting useful information from it) and integrity (the impossibility of modifying the data so as to change its meaning or to introduce false information).

13.30. Cryptographic technology

Cryptographic technology provides:

1. Identification of an object or subject of a network or information system;
2. Authentication of an object or subject of a network;
3. Control and differentiation of access to the resources of a local network or to external network services;
4. Maintenance and control of data integrity.


These tools provide a fairly high level of information security; however, in Russia their use has a specific character connected with the actions of state bodies, which does not allow them to be applied widely in the commercial sector.

13.31. Who should organize protection, and how?

Defining the development strategy, purchasing and introducing information protection tools, defining the range of priority tasks and forming the information security policy are the prerogative of the company's top management. Implementing and maintaining information security falls directly within the responsibility of the head of the IT department (if the company is large) or of the IT department or IT service.


There is no need to prove to anyone that corporate information and data must be carefully protected. However, those who have dealt in practice with data protection and information security in automated systems note the following feature: the real interest in the problem of information protection shown by top-level managers, and the general enthusiasm, are rather quickly replaced by sharp rejection at the level of the divisions responsible for keeping the organization's IS operational.


13.32. Adoption of information security measures

As a rule, the following arguments are put forward against carrying out work on, and adopting measures for, information security:

1. Additional restrictions for end users and for the experts of the support divisions complicate both the use and the operation of the organization's information systems and networks;
2. Significant additional material outlays are needed to carry out such work, to expand the staff of experts engaged in information security, and to train them.

Economizing on information security can take various forms, the extremes of which are: adopting only the most general organizational measures for information security in the IS, or using only simple additional information protection tools.


In the first case, numerous instructions, orders and rules are developed, intended at the critical moment to shift responsibility from the people who issued these documents onto the specific executors. Naturally, the requirements of such documents (in the absence of appropriate technical support) complicate the daily activity of the organization's employees and, as experience shows, are not carried out.

In the second case, additional protection tools are purchased and installed. Applying information security tools without appropriate organizational support and planned training is equally ineffective, because without firmly established rules for processing information in the IS and for accessing data, any information security tool only reinforces the existing disorder.


13.33. Organizational tasks for effective protection of the automated system

As practical experience shows, effective protection of the organization's automated system requires solving a number of organizational tasks:

1. Create a special division that develops the operating regulations of the corporate information system, determines the users' access rights to the resources of this system, and provides administrative support for the protection tools (correct configuration, monitoring and prompt response to incoming signals about violations of the established access rules, analysis of security event logs, etc.);


2. Develop an information security technology that defines the order of interaction between the organization's divisions on security matters during operation of the automated system and during modernization of its software and hardware;
3. Introduce the technology of protecting information and the IS by developing and approving the necessary normative, methodological and organizational-administrative documents (concepts, rules, instructions, etc.), and also organize training for all employees who are managers and users of the IS.


When creating an information security division, it must be taken into account that a minimal staff of employees supporting the operation of information security tools is sufficient for operating simple protection tools. At the same time, developing and introducing an information security technology requires much more time, greater labor and the involvement of qualified experts, the need for whom disappears once the technology is put into operation. Moreover, the development and introduction of such a technology must be carried out within deadlines that keep pace with the development of the organization's corporate information system itself.


13.34. Application of additional information protection tools

The application of additional information protection tools affects the interests of many structural divisions of the organization: not so much the end users of the information systems as the divisions responsible for developing, introducing and supporting applications and for servicing and operating computing facilities.

To minimize the cost of development and to introduce the information security technology effectively, it is expedient to involve outside experts with experience in this kind of work.


Thus, in any case, the company's top management bears responsibility for the development, introduction and overall performance of the protection systems.

The developed information security technology should provide:

1. A differentiated approach to protecting the various AWPs (automated workplaces) and subsystems (the level of security should be defined from the standpoint of reasonable sufficiency, taking into account the importance of the information processed and the tasks solved);


2. Maximum unification of protection tools for identical security requirements;
3. Implementation of an authorization system for access to IS resources;
4. Minimization and formalization (ideally, automation) of the actual performance of routine operations and of the coordination of the various divisions' actions in carrying out the requirements of the developed rules and instructions, without creating major inconvenience for employees solving their main tasks;


5. Accounting for changes in the development of the automated system: regulation not only of the steady-state operation of the protected subsystems but also of the processes of their modernization connected with numerous changes to the hardware and software configuration of AWPs;
6. A minimum number of experts in the department engaged in information protection. It must be understood with full clarity that observing the necessary information protection requirements, which prevent unauthorized changes in the system, inevitably complicates the procedure of legitimate IS updating.


Herein lies one of the sharpest of the contradictions between security and the development and improvement of the automated system. The information security technology should be flexible enough to provide for the special cases of emergency modification of the hardware and software of the protected IS.

13.35. What to choose?

There are no universal recipes here. Everything depends on the goals that the head of the organization or of the IT department sets. Only some general recommendations can be given. First, the expenses for information security should not exceed the cost of the protected object or the size of the damage that could arise from an attack on the protected object. The basic problem is to estimate the possible cost of such damage correctly.


Depending on the scale of the company, three basic classes of networks can be distinguished:

1. IECO (International Enterprise Central Office): the central network of an international distributed company, which can number hundreds or thousands of units;
2. ROBO (Regional Office / Branch Office): the network of a regional branch, numbering tens or hundreds of units;
3. SOHO (Small Office / Home Office): the network of small branches or of home (mobile) computers connected to the central network.

Three basic scenarios of information security for these classes of networks can also be distinguished, differing in their requirements for information protection.


13.36. First scenario

In the first scenario, the minimum level of security is provided by the capabilities built into the network equipment installed on the perimeter of the network (for example, in routers). Depending on the scale of the protected network, these capabilities (protection against address spoofing, minimal traffic filtering, password-protected access to the equipment, etc.) are implemented in backbone routers (for example, Cisco 7500 or Nortel BCN), routers of regional divisions (for example, Cisco 2500 or Nortel ASN) and remote access routers (for example, Cisco 1600 or 3Com OfficeConnect). This scenario does not require large additional financial expenses.


13.37. Second scenario

The second scenario, which provides an average level of security, is implemented with additionally acquired protection tools, among which are simple firewalls, attack detection systems, etc. In the central network a firewall (for example, CheckPoint Firewall-1) can be installed; on the routers the elementary protective functions providing the first line of defense (access control lists and detection of some attacks) can be configured; all incoming traffic is checked for viruses; and so on. Regional offices can be protected by simpler firewall models. Where there are no qualified experts in the regions, it is recommended to install hardware-software appliances that are managed remotely and do not require a complex commissioning procedure (for example, CheckPoint VPN-1 Appliance based on Nokia IP330).
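An added example, written for this text rather than taken from the lecture or from any router or firewall vendor: a minimal stateless packet filter in Python that models the two perimeter functions the first and second scenarios rely on, anti-spoofing of internal addresses on the external interface and an access control list evaluated top to bottom with an implicit deny. The networks, rules and packets are constructed.

```python
# Added example: a minimal stateless perimeter filter (not lecture code and
# not any vendor's).  Networks, the ACL and the packets are constructed.
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.10.0.0/16")   # the corporate network behind the router

# ACL rows: (action, source net, destination net, protocol, dest port or None),
# evaluated top to bottom; the first matching row wins, unmatched traffic is denied.
ACL = [
    ("permit", "0.0.0.0/0",       "10.10.1.80/32", "tcp", 443),   # public web server
    ("permit", "0.0.0.0/0",       "10.10.1.25/32", "tcp", 25),    # mail relay
    ("deny",   "0.0.0.0/0",       "10.10.0.0/16",  "tcp", 23),    # telnet: never, even for partners
    ("permit", "198.51.100.0/24", "10.10.0.0/16",  "tcp", None),  # partner network, any tcp port
]


def anti_spoof(iface, src):
    """Address spoofing check: a packet on the external interface whose source
    claims to be internal cannot be genuine and must be dropped."""
    return not (iface == "outside" and ip_address(src) in INTERNAL)


def acl_decision(pkt, acl=ACL):
    """First matching ACL row decides; implicit deny at the end of the list."""
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    for action, s_net, d_net, proto, port in acl:
        if (src in ip_network(s_net) and dst in ip_network(d_net)
                and proto == pkt["proto"]
                and (port is None or port == pkt["dport"])):
            return action
    return "deny"


def filter_packet(pkt, acl=ACL):
    """Return (decision, reason) for one packet; anti-spoofing runs first."""
    if not anti_spoof(pkt["iface"], pkt["src"]):
        return "drop", "spoofed internal source on external interface"
    if acl_decision(pkt, acl) == "permit":
        return "accept", "acl permit"
    return "drop", "acl deny"


SAMPLE_PACKETS = [   # constructed traffic arriving on the outside interface
    {"iface": "outside", "src": "203.0.113.9",  "dst": "10.10.1.80", "proto": "tcp", "dport": 443},
    {"iface": "outside", "src": "10.10.3.4",    "dst": "10.10.1.80", "proto": "tcp", "dport": 443},
    {"iface": "outside", "src": "198.51.100.5", "dst": "10.10.2.7",  "proto": "tcp", "dport": 23},
    {"iface": "outside", "src": "198.51.100.5", "dst": "10.10.1.80", "proto": "tcp", "dport": 22},
    {"iface": "outside", "src": "203.0.113.9",  "dst": "10.10.2.7",  "proto": "tcp", "dport": 22},
]


def run(packets=SAMPLE_PACKETS, acl=ACL):
    """Decisions for a batch of packets, in order."""
    return [filter_packet(p, acl)[0] for p in packets]
```

The third packet shows why rule order matters: the telnet deny sits above the broad partner permit, so it still applies to the partner network.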


13.38. Third scenario

The third scenario, which allows a maximum level of security to be reached, is intended for e-commerce servers, Internet banks, etc. In this scenario highly effective, multifunctional firewalls, authentication servers, attack detection systems and security analysis systems are applied. To protect the central office, clustered firewall complexes ensuring fault tolerance and high availability of network resources can be applied (for example, CheckPoint VPN-1 Appliance based on Nokia IP650, or CheckPoint VPN-1 with the High Availability Module).


Attack detection systems (for example, RealSecure Appliance) can also be installed in a cluster.

To detect vulnerabilities that could be used to carry out attacks, security analysis systems (for example, the SAFEsuite family of Internet Security Systems) can be applied. Authentication of external and internal users is carried out with authentication servers (for example, CiscoSecure ACS). Finally, access of home (mobile) users to the resources of the central and regional networks is provided over a protected VPN connection. Virtual private networks (VPNs) are also used for protected interaction between the central and regional offices. VPN functions can be implemented both through firewalls (for example, CheckPoint VPN-1) and through special VPN-building tools.


13.39. The purchase of protection tools is just the tip of the iceberg

It might seem that once the protection tools have been acquired, all problems are solved. But this is not so: the purchase of protection tools is just the tip of the iceberg. It is not enough to obtain a protection system; what matters most is to introduce it correctly, to configure it and to maintain it. Therefore financial expenses do not end with the purchase of information security tools.


It is necessary to budget in advance for such items as software updates, support from the manufacturer or supplier, and training of personnel in the operating regulations of the acquired tools. Without appropriate updates the protection system will in due course cease to be current and will be unable to track new and refined methods of unauthorized access to the company's network.


Authorized training and support will help to bring the protection system into operation quickly and to tune it to the information processing technology adopted in the organization.

The provisional cost of updates is about 15-20% of the cost of the software. The cost of annual support from the manufacturer, which as a rule already includes software updates, is about 20-30% of the cost of the protection system. Thus, not less than 20-30% of the software cost needs to be spent each year to prolong technical support for the information protection tools.


13.40. Standard set of integrated protection tools

The standard set of integrated information protection tools in a modern IS usually contains the following components:

1. Means of reliable storage of information using file-level protection technology (File Encryption System, FES);
2. Means of authentication and authorization of access to information resources, as well as protection against unauthorized access to information systems using biometric authentication technology and tokens (smart cards, touch memory, USB keys, etc.);


3. Means of protection against external threats when connecting to public communication networks (the Internet), and also means of controlling access from the Internet using firewall technology and content inspection;
4. Means of protection against viruses using specialized anti-virus complexes;
5. Means of maintaining the confidentiality, integrity, availability and authenticity of information transmitted over open communication channels, using protected virtual private network (VPN) technology;
6. Means of active investigation of the security of information resources using attack detection (intrusion detection) technology;


7. Means of centralized management of the information security system in accordance with the coordinated and approved company security policy.

Depending on the scale of the company's activity, the methods and means of information security may differ, but any qualified CIO or IT service expert will say that no information security problem is solved from one side: an integrated, comprehensive approach is always required.


13.41. Purchase and support of protection tools

The purchase and support of protection tools is not a useless expenditure of funds. It is an investment which, if made correctly, will pay back with interest and will allow the business to be brought to the desired level.

13.42. Control questions and tasks

Who develops the strategy of information security and protection of administrative information?

What modern information protection tools are applied in corporate information systems?


What does the concept "model of enterprise information security" include?

List the external and internal threats to the company's information flows and systems.

What is an "information security policy" and what elements does it contain?

List the key questions of information security.

What hardware and software tools are applied in maintaining enterprise information security?
