Lecture 13. Organization of data security and information protection
This lecture is devoted to the organization of data security and information protection. Possible variants of attacks and methods of protecting information are considered.
Contents
Is it necessary to be protected?
From whom should one be protected?
From what should one be protected?
How should one be protected?
What should one be protected with?
Who should organize protection, and how?
What to choose?
Control questions and tasks
The modern development of information technologies, in particular Internet/Intranet technologies, creates the need to protect information transmitted within a distributed corporate network that uses public-access networks. When a company works over its own closed physical channels this problem is not so acute, because outside access to such a network is closed.
13.1. Why protection is necessary
However, not every company can afford dedicated channels. It therefore has to make do with what is at its disposal, and most often that is the Internet. Hence it is necessary to devise ways of protecting confidential data transmitted over what is, in effect, an unprotected network.
13.2. Key questions of information security
When considering information protection, several questions can be identified that are fundamental and that the top management of a company must study when organizing information protection.
13.3. Is it necessary to be protected?
There can be many answers to this question, depending on the structure and goals of the company. For some, the main task is preventing information (marketing plans, promising developments, etc.) from leaking to competitors. Others may neglect the confidentiality of information and concentrate on its integrity (for example, for a bank it is important above all to ensure that payment orders cannot be altered while they are being processed). For a third group, the first priority is ensuring the availability and uninterrupted operation of the enterprise information systems. For example, for an Internet service provider, a company running a Web server, or a telecommunications operator, the first task is keeping all (or the most important) units of the information system running without failure. Such priorities can be set only as a result of analyzing the company's activities.
13.4. Underestimating the importance of information security
Usually, when the security of a company is discussed, its management underestimates the importance of information security. The main emphasis is placed on physical security (access control, guards, video surveillance, etc.). However, in recent years the situation has changed substantially.
To penetrate a company's secrets there is no longer any need to climb over fences, avoid perimeter sensors, break into rooms protected by thick walls, open safes, and so on. It is enough to get into a bank's information system and transfer hundreds of thousands of dollars to the required accounts, to alter or destroy critically important data, or to put any unit of the corporate network out of action.
All this can cause significant damage, not only direct damage, which can amount to large sums, but also indirect damage that is no less significant. Taking a network unit or an IS module out of operation leads to the cost of restoring it, which consists of updating or replacing software and paying the additional salary of the staff involved. An attack on the company's Web server that replaces its contents with something else can lead to a loss of trust in the firm and, as a consequence, to the loss of part of its clientele and a decline in income.
13.5. From whom to be protected?
In most cases the answer to this question is: from external intruders, hackers. In the opinion of most Russian businessmen the main danger comes from them: they will penetrate the computer systems of banks and military organizations, seize control of satellites, and so on.
13.6. 70-80% of all computer crimes involve internal violations
Such a danger exists and must not be underestimated. But it is greatly exaggerated. Statistics show that up to 70-80% of all computer crimes involve internal violations committed by the company's own employees.
Suppose a casual external attacker (and most "break-ins" are carried out by such people) manages to find a weak spot in the company's information security system. Using this "hole", he penetrates the corporate network and reaches financial data, strategic plans or promising projects. What does he really have? Without being an expert in the field the company works in, it is simply impossible to make sense of gigabytes of information unaided. An employee, however, can realistically estimate the value of this or that piece of information, and he has the access privileges that allow him to perform unauthorized manipulations.
There are plenty of examples in the literature of an employee who, believing that he is not appreciated at work, commits a computer crime that causes multimillion losses. Cases are frequent in which a former employee continues to use corporate Internet access for a long time after dismissal.
When such an employee leaves, nobody thinks of the need to revoke his password for access to the data and resources he worked with as part of his official duties. If access administration is poorly organized, nobody notices that former employees are using the Internet access and can harm their former company. It is noticed only when sharply increased bills for Internet services and leaks of confidential information come to light. This case is quite indicative; it illustrates a very widespread practice and order of dismissal in Russian companies.
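The check that was missing in the case above, as an added example that is not part of the lecture: an access review that compares the HR roster with the list of accounts and flags accounts of dismissed employees that were never disabled, accounts still used after the dismissal date, and enabled accounts nobody on the roster owns. All names, dates and the two data sets are constructed for illustration; in practice the roster and the account export come from the company's HR system and directory or proxy.

```python
"""
Added example (not from the lecture): an access review that finds accounts
belonging to dismissed employees which were never disabled. All data below
is constructed for illustration; a real review would read the HR roster and
the account list from the company's HR system and directory service.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Employee:
    login: str
    status: str                          # "active" or "dismissed"
    dismissed_on: Optional[date] = None


@dataclass(frozen=True)
class Account:
    login: str
    enabled: bool
    last_login: Optional[date]           # None = never logged in


# Constructed HR roster (assumption: HR is the authoritative source of who works here).
HR_ROSTER = [
    Employee("ivanov", "active"),
    Employee("petrov", "dismissed", date(2007, 3, 15)),
    Employee("sidorova", "dismissed", date(2007, 5, 2)),
    Employee("kuznetsov", "active"),
]

# Constructed account list, as exported from the proxy / directory.
ACCOUNTS = [
    Account("ivanov", True, date(2007, 6, 1)),
    Account("petrov", True, date(2007, 5, 30)),      # still enabled, still used after leaving
    Account("sidorova", False, date(2007, 4, 28)),   # correctly disabled on dismissal
    Account("kuznetsov", True, date(2007, 6, 2)),
    Account("backup_op", True, None),                # nobody on the roster owns it
]


def review_access(roster, accounts):
    """Return three lists of findings:
    - 'stale': enabled accounts of dismissed employees (password never revoked);
    - 'used_after_dismissal': stale accounts with a login after the dismissal
      date, i.e. the former employee is still using corporate access;
    - 'orphans': enabled accounts that match nobody on the roster.
    """
    by_login = {e.login: e for e in roster}
    stale, used_after, orphans = [], [], []
    for acc in accounts:
        emp = by_login.get(acc.login)
        if emp is None:
            if acc.enabled:
                orphans.append(acc.login)
            continue
        if emp.status == "dismissed" and acc.enabled:
            stale.append(acc.login)
            if acc.last_login and emp.dismissed_on and acc.last_login > emp.dismissed_on:
                used_after.append(acc.login)
    return {"stale": stale, "used_after_dismissal": used_after, "orphans": orphans}


if __name__ == "__main__":
    for kind, logins in review_access(HR_ROSTER, ACCOUNTS).items():
        print(f"{kind}: {logins}")
```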
13.7. Dismissed or offended rank-and-file employees
However, the greatest danger can come not simply from dismissed or offended rank-and-file employees (for example, operators of various information subsystems), but from those who are vested with more authority and have access to a wide range of very different information.
Usually these are employees of IT departments (analysts, developers, system administrators), who know the passwords to all systems used in the organization. Their qualifications, knowledge and experience, turned to harm, can lead to very large problems.
Moreover, such malefactors are very difficult to detect, since they know the company's IS protection system well enough to bypass the protective mechanisms in use and thus remain "invisible".
Therefore, when building a protection system it is necessary to protect not only, and not so much, against external attacks, but also against internal attackers, i.e. to build a comprehensive information security system.
13.8. From what to be protected?
When individual and corporate information systems and resources are integrated into a single information infrastructure, the determining factor is maintaining a proper level of information security for each subject that has decided to enter this space. In a single information space all the necessary preconditions must be created for establishing the authenticity of the user, the authenticity of the content and the authenticity of the message (i.e. the mechanisms and tools of authentication).
Thus there must be an information security system that includes the necessary set of measures and technical solutions for protection:
1. Against disruption of the functioning of the information space, by excluding interference with information channels and resources;
2. Against unauthorized access to information, by detecting and suppressing attempts to use the resources of the information space that violate its integrity;
3. Against destruction of the built-in protective means, with the possibility of proving the incompetence of actions of users and maintenance staff;
4. Against the introduction of "viruses" and "bookmarks" (hidden implants) into software and hardware.
Special mention must be made of the security tasks of systems that are being developed or modified within an integrated information environment. During updates, the appearance of additional vulnerable situations in the system is inevitable. To solve this problem, alongside general methods and technologies, a number of requirements must be imposed on the developers, rules for modifying systems must be created, and specialized tools must be used.
13.9. Avalanche spread of viruses
The avalanche spread of viruses has become a major problem for most companies and government bodies. More than 45,000 computer viruses are now known and more than 300 new versions appear every month [Virus Encyclopedia, www.viruslist.com/ru/viruses/encyclopedia]. According to various data, in 2007 between 65% and 80% of companies worldwide were subjected to virus attacks. Direct and indirect losses are estimated at hundreds of millions of dollars, and these figures grow steadily.
A computer virus is a specially written program that can "attach" itself to other programs, i.e. "infect" them, in order to perform various undesirable actions on the computer and in the network. When such a program starts, as a rule the virus receives control first. The virus can act independently, performing some harmful action (changing files or the file allocation table on the disk, cluttering RAM, changing the addresses used to access external devices, etc.), or "infect" other programs. The infected programs can be transferred to another computer by means of diskettes or the local network.
The forms of organizing virus attacks are quite varied, but on the whole they can practically all be "scattered" among the following categories:
1. Remote penetration of a computer: a program that obtains unauthorized access to another computer via the Internet (or a local network);
2. Local penetration of a computer: a program that obtains unauthorized access to the computer on which it is subsequently run;
3. Remote blocking of a computer: a program that, via the Internet (or a network), blocks the operation of an entire remote computer or of a particular program on it;
4. Local blocking of a computer: a program that blocks the operation of the computer on which it runs;
5. Network scanners: programs that collect information about a network in order to determine which of its computers, and which of the programs running on them, are potentially vulnerable to attack;
6. Scanners of vulnerable places in programs: programs that check large groups of computers on the Internet in search of computers vulnerable to one or another specific kind of attack;
7. Password "crackers": programs that find easily guessed passwords in encrypted password files;
8. Network analyzers (sniffers): programs that listen to network traffic. They often have the ability to automatically extract user names, passwords and credit card numbers from the traffic;
9. Modification of transmitted data or substitution of information;
10. Impersonation of a trusted object of a distributed IS (acting in its name), or a false object of a distributed IS (DIS);
11. "Social engineering": unauthorized access to information by means other than breaking software. The goal is to mislead employees (network or system administrators, users, managers) in order to obtain passwords to the system or other information that will help to break the security of the system.
Malicious software includes worms, classic file viruses, Trojans, hacker tools and other programs that deliberately cause harm to the computer on which they are executed or to other computers on the network.
13.10. Network worms
Network worms. The main attribute by which types of worms differ from one another is the worm's method of propagation, i.e. the way it transfers its copy to remote computers. Other distinguishing features of network worms are the ways of launching the worm's copy on the infected computer, the methods of installing itself in the system, as well as polymorphism, "stealth" and other characteristics that are also inherent in other types of malware (viruses and Trojans).
An example is the mail worm (Email-Worm). This category of worms uses electronic mail for propagation. The worm sends either its copy as an attachment to an e-mail message, or a link to its file located on some network resource (for example, to an infected file placed on a compromised or hacker Web site). In the first case the worm code is activated when the infected attachment is opened, in the second when the link to the infected file is followed. In both cases the effect is the same: the worm code is activated.
13.11. Classical computer viruses
Classical computer viruses. This category includes programs that spread copies of themselves over the resources of the local computer with the aim of subsequently launching their code upon some action by the user, or of further penetrating other resources of the computer. Unlike worms, viruses do not use network services to penetrate other computers. A copy of a virus reaches remote computers only if the infected object, for reasons independent of the virus's own functions, becomes active on the other computer, for example:
1. When infecting accessible disks, the virus penetrated files located on a network resource;
2. The virus copied itself onto removable media or infected files on it;
3. The user sent an e-mail message with an infected attachment.
Some viruses contain properties of other kinds of malware, for example a "backdoor" procedure, or a Trojan component for destroying information on the disk.
Many spreadsheet and graphics editors, design systems and word processors have macro languages for automating repetitive actions. These macro languages often have a complex structure and an advanced set of commands. Macro viruses are programs in the macro languages built into such data processing systems. To replicate, viruses of this class use the capabilities of the macro languages and with their help transfer themselves from one infected file (document or table) to others.
13.12. Script viruses
Script viruses. Script viruses, a subgroup of file viruses, also deserve mention. These viruses are written in various scripting languages (VBS, JS, BAT, PHP, etc.). They either infect other scripts (command and service files of MS Windows or Linux) or are parts of multi-component viruses. These viruses can also infect files of other formats (for example, HTML) if script execution is possible in them.
13.13. Trojan programs
Trojan programs. This category includes programs that perform various actions not authorized by the user: collecting information and transferring it to the malefactor, destroying or maliciously modifying it, disrupting the operation of the computer, and using the computer's resources for improper purposes. Certain categories of Trojan programs cause damage to remote computers and networks without disrupting the operation of the infected computer (for example, Trojan programs developed for mass DoS attacks on remote network resources).
13.14. Hacker utilities
Hacker utilities and other malicious programs. This category includes:
1. Utilities for automating the creation of viruses, worms and Trojan programs (constructors);
2. Software libraries developed for creating malware;
3. Hacker utilities for concealing the code of infected files from anti-virus checks (file encryption);
4. "Malicious jokes" that complicate work with the computer, and programs that present the user with obviously false information about actions in the system;
5. Other programs that in one way or another intentionally cause direct or indirect damage to the given computer or to remote computers.
Other malicious programs include those that do not pose a direct threat to the computer on which they are executed, but organize DoS attacks on remote servers, break into other computers, or are developed for creating other viruses or Trojan programs.
13.14. "Trojan horse"
The most widespread attacks are carried out by programs of the "Trojan horse" type, which can be installed on the owner's computer without his noticing and function on it just as imperceptibly. The most widespread variant of "Trojan horse" most often performs one function, as a rule theft of passwords, but there are also more "advanced" specimens.
They implement a wide range of functions for remote control of the computer, including viewing the contents of the screen, intercepting keystrokes, stealing or destroying data and information, and altering or replacing files and databases.
13.15. Denial of service
Another widespread type of attack consists of actions aimed at putting one or another network unit out of operation. These attacks have been named "denial of service" (Denial of Service) attacks, and today more than a hundred different variants of such actions are known. As already noted, putting a network unit out of operation even for a few hours or minutes can lead to very serious consequences.
For example, the failure of a bank's payment system server will make it impossible to carry out payments and, as a consequence, lead to large direct and indirect financial losses not only for the bank but also for its clients.
Such attacks are the most discussed today. However, there are also other threats that can lead to serious consequences. For example, the RealSecure intrusion detection system tracks more than 600 different events affecting security and related to the possibility of external attacks.
13.16. General techniques of protection against viruses
General techniques of protection against viruses are a mandatory component of the "information security policy of the enterprise". The relevant sections of the policy describe the principles of anti-virus protection, the standards and normative documents used, the order of actions of the user when working in local and external networks, his powers, and the anti-virus tools used. The sets of mandatory rules can vary considerably, but in general the following rules for users can be formulated:
1. Check for viruses all diskettes, CD-RWs and ZIP disks that have been used on another computer, and all purchased CDs;
2. Use anti-virus programs from well-known, proven firms and update their databases regularly (ideally daily);
3. Do not unload the resident part (monitor) of the anti-virus program from the computer's RAM;
4. Use only programs and data obtained from reliable sources; pirated copies of programs are most often infected with viruses;
5. Never open files attached to e-mail messages from unknown senders, and do not visit sites promoted through spam mailings (according to Kaspersky Lab, about 90% of viruses are now distributed this way).
Similarly, some general requirements for a good anti-virus program can be formulated. Such a program must:
1. Provide effective protection in real time: the resident part (monitor) of the program must be constantly present in the computer's RAM and check all file operations (creation, editing, copying and execution of files), e-mail messages, and data and programs received from the Internet;
2. Allow checking the entire contents of local disks "on demand", starting the check manually or automatically according to a schedule or when the computer is switched on;
3. Protect the computer even from unknown viruses: the program must include technologies for finding unknown viruses based on the principles of heuristic analysis;
4. Be able to check and disinfect archive files;
5. Make it possible to update the anti-virus databases regularly (preferably daily), via the Internet, from diskettes or from CDs.
Today in Russia two proven, high-quality anti-virus packages are used mainly: Dr. Web and "Kaspersky Anti-Virus". Each of these products has a product line oriented to different spheres of application: for use on local computers, for small and medium-sized business, for large corporate clients, for protecting local networks, and for mail, file and application servers. Both products, of course, meet all the requirements listed above.
13.17. How to be protected?
The simplest way is to buy the newest heavily promoted means of protection and install them in the organization without troubling oneself to justify their usefulness and effectiveness. If the company is rich, it can afford this path. However, a real manager should assess the situation systematically and spend money correctly. All over the world it is now accepted practice to build a comprehensive system for protecting information and information systems in several stages, on the basis of forming a concept of information security, which means first of all establishing the interrelation of its basic notions.
13.18. First stage: information survey of the enterprise
The first stage, an information survey of the enterprise, is the most important. At this stage it is determined what, first of all, the company needs to be protected from. A so-called intruder model is constructed first, describing the probable profile of the malefactor: his qualifications, the means available to him for carrying out one or another attack, the usual time of action, and so on. At this stage it is possible to answer two of the questions posed above: "What for, and from whom, is protection necessary?" At the same stage the vulnerable places come to light, the possible ways of realizing security threats are analyzed, and the probability of attacks and the damage from their realization are estimated.
Based on the results of this stage, recommendations are developed for eliminating the revealed threats and for the correct choice and application of protective means. At this stage it may be recommended not to purchase rather expensive protective means, but to make use of what is already available. For example, if the organization has a powerful router, it may be recommended to use the protective functions built into it instead of purchasing a more expensive firewall.
Alongside the analysis of existing technology, an information security policy and a set of organizational and administrative documents forming the basis of the information security infrastructure should be developed. These documents, based on international legislation, the laws of the Russian Federation and normative acts, give the security services and information protection departments the necessary legal basis for carrying out the full range of protective measures, for interacting with external organizations, for bringing violators to account, and so on.
13.19. Formation of the information security policy
The formation of the information security policy should be reduced to the following practical steps.
1. Principles of administering the information security system and managing access to computing and telecommunication facilities, programs and information resources, as well as access to the premises where they are located;
2. Principles of monitoring the state of the information protection systems, ways of reporting information security incidents, and development of corrective measures aimed at eliminating threats;
3. Principles of use of information resources by the company's personnel and by external users;
4. Organization of anti-virus protection and protection against unauthorized access and hacker actions;
5. Questions of backing up data and information;
6. Procedure for carrying out preventive, repair and recovery work;
7. Program of training and professional development of the personnel.
8. Development of a methodology for revealing and assessing threats and the risks of their realization, and definition of approaches to risk management: whether a baseline level of security is sufficient or a full risk analysis must be carried out.
9. Structure of countermeasures by level of security requirements.
13.20. Procedure for certification of conformity to standards in the field of information security
The frequency of meetings on information security subjects at management level, including periodic review of the rules of the information security policy, and also the procedure for training all categories of information system users in information security matters, should be determined.
The next stage of building a comprehensive information security system is the purchase, installation and configuration of the tools and protective mechanisms recommended at the previous stage. These tools include systems for protecting information from unauthorized access, cryptographic systems, firewalls, security analysis systems and others. Qualified personnel are necessary for the correct and effective application of the installed protective means.
Over time the available protective means become outdated, new versions of information security systems are released, the list of discovered weak places and attacks constantly grows, the technology of information processing changes, software and hardware change, and company personnel come and go. It is therefore necessary to periodically review the developed organizational and administrative documents, survey the IS or its subsystems, train new staff, and upgrade the protection.
13.21. Comprehensive information security system
Following the recommendations described above for building a comprehensive information security system helps to achieve the necessary and sufficient level of security for your automated system.
13.22. What to be protected with?
Conditionally, three categories of protective means can be distinguished: traditional means, new technologies, and cryptographic means of information protection. Cryptographic means are placed in a separate category because they represent a completely special class of protective means that cannot be assigned to any other class.
Traditional protective means were built on the basis of the classical access control models developed in the 1960s-1970s. At that time networks had not yet received such wide circulation, and these models were developed in military departments. Such means include access control systems and firewalls. The former control the access of specific users to the resources of a specific computer or of the whole network, while the latter control access between two segments of a network with different security requirements.
A vivid example of access control systems is the SecretNet family of systems, developed by the Scientific and Engineering Enterprise "Informprotection", which today are the leaders of the Russian information security market.
13.23. Firewalls
Among firewalls one can name the products of the companies CheckPoint and CyberGuard: Firewall-1 and CyberGuard Firewall respectively. In particular, according to independent agencies, CheckPoint Firewall-1 covers more than 40% of the world market for protective means of this class. Many routers that filter data on the basis of special rules can also be assigned to the class of firewalls.
However, these means have their peculiarities. For example, if a stolen identifier and secret element (as a rule, user name and password) are presented to these systems, both the access control systems and the firewalls will "let" the cracker into the corporate network and give access to the resources permitted to the user whose name and password were "taken". And obtaining a password today is simple enough.
For this purpose a large arsenal of various means can be used, from password cracking programs that try a huge number of possible passwords in a short time, to protocol analyzers that examine the traffic transmitted over networks and extract from it the fragments that contain passwords.
13.24. Security analysis and intrusion detection
To eliminate such shortcomings, new technologies and various protective mechanisms were developed, of which security analysis and intrusion detection have received wide circulation. Security analysis consists of searching the computing system and its components for various vulnerable places that could become a target for attacks. The presence of such places makes unauthorized penetration into computer networks and systems possible. The best-known product in the field of security analysis is the SAFEsuite family of the American company Internet Security Systems, which consists of three systems that find vulnerabilities ("holes") and errors in software: Internet Scanner, System Scanner and Database Scanner.
13.25. Intrusion detection
Intrusion detection is a new technology that has spread in recent years. Its distinctive feature is the detection of any attacks, including those originating from authorized users and those let through by firewalls and access control means. In this market the company ISS, with its RealSecure intrusion detection system, is also among the leaders.
A few words should be said about cryptographic means, which are intended to protect critically important data from unauthorized reading and/or modification. Cryptography is a set of technical, mathematical, algorithmic and software methods of transforming data (encrypting it) that make it useless to any user who does not have the key for decryption.
13.26. Cryptographic methods were developed by Claude Shannon
The formal mathematical methods of cryptography were developed by Claude Shannon. In the mathematical theory of cryptography he proved the theorem of existence and uniqueness of the absolutely secure cipher: a system of encryption in which the text is encrypted once with a random key of the same length. In 1976 the American mathematicians W. Diffie and M. Hellman substantiated the methodology of asymmetric encryption using a public one-way function (a function from whose value it is impossible to recover the value of the argument) and a public one-way function with a secret (a trapdoor).
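Shannon's absolutely secure cipher in code, as an added example that is not part of the lecture: a one-time pad that XORs the message with a random key of the same length, plus the property a defender must keep in mind, namely that the cipher is secure only if each key is used once. The sample plaintexts are constructed.

```python
"""
Added example (not from the lecture): the one-time pad of Shannon's theorem
and why the key must never be reused. A message is XORed with a uniformly
random key of the same length; XORing again with the same key decrypts it.
If one key is reused for two messages, the XOR of the two ciphertexts equals
the XOR of the two plaintexts: the key cancels out and the ciphertexts leak
information about the messages without the key ever being known.
"""
import secrets


def generate_key(length: int) -> bytes:
    """A fresh uniformly random key, as long as the message (Shannon's condition)."""
    return secrets.token_bytes(length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("one-time pad requires key length == message length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(message: bytes, key: bytes) -> bytes:
    return xor_bytes(message, key)


def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    return xor_bytes(ciphertext, key)   # XOR is its own inverse


def key_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an observer can compute from two ciphertexts made with the same key:
    c1 XOR c2 == m1 XOR m2, with no knowledge of the key at all."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    m1 = b"TRANSFER 100000 TO ACCOUNT 42"   # constructed sample plaintexts
    m2 = b"TRANSFER 100000 TO ACCOUNT 99"
    k = generate_key(len(m1))
    c1 = otp_encrypt(m1, k)
    assert otp_decrypt(c1, k) == m1
    # Key reuse: the second message encrypted under the same key.
    leak = key_reuse_leak(c1, otp_encrypt(m2, k))
    assert leak == xor_bytes(m1, m2)       # the key has cancelled out
    print("positions where the two plaintexts differ:",
          [i for i, b in enumerate(leak) if b])
```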
13.27. Hash functions
Per 1990 years in USA the methods of enciphering with the help
of the special class of functions - hash-functions (Hash Function)
were developed. The hash -function is a display, on which input
the message of variable length М moves, and an output is the
line of fixed length h(M) - . Crypto resistance of such method of
enciphering consists in impossibility to pick up the document М ',
which would have required meaning of hash-function. The
parameters of calculation of hash-function h are family of keys
{To} N. Now on these principles the algorithms of formation of the
electronic digital signature (EDS) are under construction.
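The text names two properties of hash functions, fixed output length and the infeasibility of finding a second document with the same value, and mentions that the computation may take a family of keys. The block below is an added example written for this lecture (not code from the original), using SHA-256 and HMAC from the Python standard library with a constructed key and documents. It shows what the key buys: an unkeyed hash stored next to a document proves nothing against an attacker who can rewrite both, whereas the keyed tag cannot be recomputed without K.

```python
"""Hash functions for integrity: fixed-length digest, keyed digest (MAC), and
why the key matters.

Added example for this lecture (not code from the original). SHA-256 and HMAC
from the standard library are used; the key and the documents are constructed.
"""
import hashlib
import hmac


def digest(message: bytes) -> bytes:
    """h(M): any input length, always 32 bytes out."""
    return hashlib.sha256(message).digest()


def tag(key: bytes, message: bytes) -> bytes:
    """Keyed hash h_K(M): HMAC-SHA256. Without K nobody can compute a valid tag."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, received_tag: bytes) -> bool:
    """Constant-time comparison: a plain == can leak how many bytes matched."""
    return hmac.compare_digest(tag(key, message), received_tag)


def attacker_rewrites(new_document: bytes):
    """An attacker who can alter a document stored next to its UNKEYED hash
    simply recomputes the hash: the pair still looks consistent."""
    return new_document, digest(new_document)


def unkeyed_check(document: bytes, stored_digest: bytes) -> bool:
    return digest(document) == stored_digest


if __name__ == "__main__":
    key = b"shared-secret-key-example"   # constructed
    doc = b"Transfer 100 to account 42"
    t = tag(key, doc)
    print(verify(key, doc, t))                       # True
    forged_doc, forged_digest = attacker_rewrites(b"Transfer 9000 to account 42")
    print(unkeyed_check(forged_doc, forged_digest))  # True: the hash alone proves nothing
    print(verify(key, forged_doc, t))                # False: the MAC needs the key
```

A digital signature as described in the text goes one step further than the keyed tag: the hash is transformed with the signer's private key, so that anyone holding the public key can verify it but only the signer could have produced it.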
13.28. Symmetric, asymmetric and hash algorithms
The most widely used symmetric encryption algorithms at present are DES (Data Encryption Standard), IDEA (International Data Encryption Algorithm), RC2, RC5, CAST and Blowfish. Asymmetric algorithms include RSA (Rivest, Shamir, Adleman), the ElGamal algorithm, the ECC cryptosystem on elliptic curves and the Diffie-Hellman algorithm of public key distribution. Algorithms based on hash functions include MD4 (Message Digest 4), MD5 (Message Digest 5) and SHA (Secure Hash Algorithm). (DES, MD4 and MD5 are today considered obsolete: DES because of its 56-bit key, MD4 and MD5 because practical collisions have been found for them.)
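The Diffie-Hellman algorithm of public key distribution listed above is the concrete form of the one-way function idea from 13.26: exponentiation modulo a prime is easy, the discrete logarithm is not. The block below is an added example written for this lecture (not code from the original). Its modulus is a toy (p = 2^31 - 1 with g = 7 assumed as generator) chosen on purpose so that the eavesdropper's discrete-logarithm attack finishes in well under a second; a real deployment uses a standardized group of 2048 bits or more, where the same attack is hopeless. Both sides of the exchange and the eavesdropper are shown.

```python
"""Diffie-Hellman public key distribution, and the cost of choosing a small group.

Added example for this lecture; not from the original. The modulus is a TOY
(p = 2^31 - 1, g = 7, assumed generator) chosen so that the eavesdropper's
discrete-logarithm attack finishes in well under a second; a real deployment
uses a standardized group of 2048 bits or more, where the same attack is hopeless.
"""
import hashlib
import math
import secrets

P = (1 << 31) - 1   # Mersenne prime, toy size
G = 7               # assumption: generator of the toy group


def keypair(p: int = P, g: int = G):
    """Private exponent x, public value g^x mod p (sent in the clear)."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def shared_secret(my_private: int, their_public: int, p: int = P) -> int:
    """Both sides compute g^(xy): Alice as B^x, Bob as A^y."""
    return pow(their_public, my_private, p)


def session_key(secret: int) -> bytes:
    """Never use the raw group element as a key; hash it into a fixed-size key."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def discrete_log(h: int, g: int = G, p: int = P):
    """Baby-step giant-step: x with g^x = h (mod p) in about sqrt(p) work.
    Trivial for a 31-bit p, infeasible for a 2048-bit one."""
    m = math.isqrt(p) + 1
    baby = {}
    e = 1
    for j in range(m):
        baby.setdefault(e, j)
        e = e * g % p
    step = pow(g, -m, p)   # g^(-m), modular inverse via pow (Python 3.8+)
    gamma = h
    for i in range(m):
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * step % p
    return None


def eavesdropper(public_a: int, public_b: int) -> int:
    """Eve sees only A and B on the wire; with a toy group that is enough."""
    x = discrete_log(public_a)
    return shared_secret(x, public_b)


if __name__ == "__main__":
    x, a = keypair()           # Alice keeps x, sends a
    y, b = keypair()           # Bob keeps y, sends b
    assert shared_secret(x, b) == shared_secret(y, a)
    print("shared:", session_key(shared_secret(x, b)).hex())
    print("eve   :", session_key(eavesdropper(a, b)).hex())   # identical
```

Two things the exchange does not provide on its own are worth noting: nothing here authenticates the public values (an active attacker can substitute its own), which is why Diffie-Hellman is combined with signatures or certificates in practice, and the security rests entirely on the group size.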
13.29. The free package PGP (Pretty Good Privacy)
The best-known freely distributed software is the package PGP (Pretty Good Privacy). The package was created by Phil Zimmermann (first released in 1991) and uses the algorithms RSA, IDEA and MD5 mentioned above. PGP combines three mechanisms: symmetric encryption of the message with IDEA, public-key encryption of the session key with RSA, and a digital signature (the MD5 hash of the message signed with RSA). PGP uses three keys: the recipient's public key, the owner's private key, and a session key that is generated at random when a message is encrypted and is then encrypted with RSA under the recipient's public key. Information about this product is available at www.mit.edu/network/pgp-form.html.
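The three-key structure described above is what makes PGP a hybrid scheme. The block below is an added example written for this lecture, not PGP's own code, and it makes three substitutions that are assumptions for illustration only: textbook RSA with small Mersenne-prime moduli and no padding stands in for real RSA (a real system needs moduli of 2048 bits or more and OAEP/PSS padding), a SHA-256 counter-mode keystream stands in for IDEA, and SHA-256 truncated to 128 bits stands in for MD5 so that the hash fits under the toy moduli. The structure is the point: a fresh random session key encrypts the body, the recipient's public key wraps the session key, and the sender's private key signs the hash.

```python
"""PGP-style hybrid encryption with three keys: recipient's public key, sender's
private key, and a random per-message session key.

Added example for this lecture, not PGP's code. Assumed substitutions: textbook
RSA with toy Mersenne-prime moduli (no padding, insecure size) for real RSA;
a SHA-256 counter-mode keystream for IDEA; SHA-256 truncated to 128 bits for MD5.
"""
import hashlib
import secrets

# Mersenne primes used as toy RSA factors (2^31-1, 2^61-1, 2^89-1, 2^107-1).
M31, M61, M89, M107 = (1 << 31) - 1, (1 << 61) - 1, (1 << 89) - 1, (1 << 107) - 1


def rsa_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA: public (n, e), private (n, d). Toy size, no padding."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def keystream_xor(session_key: bytes, data: bytes) -> bytes:
    """Stand-in for IDEA: SHA-256 counter-mode keystream. Acceptable only
    because each session key is random and used for exactly one message."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(session_key + (offset // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def digest16(data: bytes) -> int:
    """SHA-256 truncated to 128 bits so the value fits under the toy RSA moduli."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def pgp_encrypt(plaintext: bytes, recipient_pub, sender_priv):
    session_key = secrets.token_bytes(16)                 # third key: fresh per message
    n_r, e_r = recipient_pub
    wrapped_key = pow(int.from_bytes(session_key, "big"), e_r, n_r)   # RSA to recipient
    n_s, d_s = sender_priv
    signature = pow(digest16(plaintext), d_s, n_s)        # sender's private key signs hash
    body = keystream_xor(session_key, plaintext)          # symmetric part
    return wrapped_key, body, signature


def pgp_decrypt(message, recipient_priv, sender_pub) -> bytes:
    wrapped_key, body, signature = message
    n_r, d_r = recipient_priv
    session_key = pow(wrapped_key, d_r, n_r).to_bytes(16, "big")   # recipient unwraps
    plaintext = keystream_xor(session_key, body)
    n_s, e_s = sender_pub
    if pow(signature, e_s, n_s) != digest16(plaintext):   # anyone can verify with public key
        raise ValueError("signature check failed: message altered or not from sender")
    return plaintext


if __name__ == "__main__":
    alice_pub, alice_priv = rsa_keypair(M61, M89)   # sender
    bob_pub, bob_priv = rsa_keypair(M31, M107)      # recipient
    packet = pgp_encrypt(b"Meet at the usual place at noon", bob_pub, alice_priv)
    print(pgp_decrypt(packet, bob_priv, alice_pub))
```

Because the body is encrypted under a key that never leaves the message except wrapped under the recipient's public key, the slow public-key operation is applied to 16 bytes regardless of message size, which is the reason every practical public-key encryption system, PGP included, is hybrid.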
Cryptographic transformations solve the following basic protection tasks: confidentiality (the impossibility of reading the data and extracting useful information from it) and integrity (the impossibility of modifying the data so as to change its meaning or to introduce false information).
13.30. Technology of cryptographic protection
Cryptographic tools provide:
1. Identification of an object or subject of a network or information system;
2. Authentication of an object or subject of a network;
3. Control/differentiation of access to the resources of a local network or to external services;
4. Maintenance and control of the integrity of data.
These tools provide a sufficiently high level of information security; however, in Russia their use has a specificity connected with the actions of state bodies (regulation of cryptographic products), which does not allow them to be applied widely in the commercial sector.
13.31. Who should organize protection, and how?
Defining the development strategy, purchasing and introducing information protection tools, defining the range of priority tasks and forming the information security policy are the prerogative of the company's top management. Implementation and maintenance of information security fall directly within the sphere of responsibility of the head of the IT department (if the company is large) or of the IT department or IT service itself.
There is no need to prove to anyone that corporate information and data need to be protected carefully. However, those who have had to deal in practice with data protection and information security in automated systems note the following feature: the real interest in information protection shown by top-level managers, and the general enthusiasm, are rather quickly replaced by sharp rejection at the level of the divisions responsible for keeping the organization's IS operational.
13.32. Taking measures to maintain information security
As a rule, the following arguments are advanced against carrying out work and taking measures to maintain information security:
1. The additional restrictions imposed on end users and on the specialists of support divisions complicate the use and operation of the organization's information systems and networks;
2. Significant additional material expenditure is needed to carry out such work, to expand the staff of specialists engaged in information security, and to train them.
Economizing on information security can take various forms, the extremes of which are: taking only the most general organizational measures for the security of information in the IS, or using only simple additional information protection tools.
In the first case, numerous instructions, orders and rules are developed whose purpose is to shift responsibility, at the critical moment, from the people who issue these documents onto the concrete executors. Naturally, the requirements of such documents (in the absence of appropriate technical support) complicate the daily activity of the organization's employees and, as experience shows, are not carried out.
In the second case, additional protection tools are purchased and installed. Applying information security tools without the appropriate organizational support and scheduled training is also ineffective, because without established rigid rules for processing information in the IS and for access to data, any information security tools only strengthen the existing disorder.
13.33. Effective protection of the organization's automated system
As practical experience shows, for effective protection of the organization's automated system a number of organizational tasks must be solved:
1. Create a special division that develops the operating regulations of the corporate information system, determines the users' rights of access to the system's resources, and carries out administrative support of the protection tools (correct configuration, monitoring and prompt response to incoming signals about violations of the established access rules, analysis of security event logs, etc.);
2. Develop a technology for maintaining information security that defines the order of interaction between the organization's divisions on security matters during the operation of the automated system and during modernization of its software and hardware;
3. Introduce the technology of protecting information and the IS by developing and approving the necessary normative-methodical and organizational-administrative documents (concepts, rules, instructions, etc.), and organize training for all employees who are managers and users of the IS.
When creating the information security division, it should be taken into account that a minimal staff of employees supporting the functioning of the information security tools is needed to operate simple protection tools. At the same time, developing and introducing the technology of maintaining information security requires much more time, large expenditure of labor and the involvement of qualified specialists, the need for whom disappears after the technology is put into operation. Moreover, the development and introduction of such a technology should be carried out on a schedule that keeps pace with the development of the organization's corporate information system itself.
13.34. Application of additional information protection tools
The application of additional information protection tools affects the interests of many structural divisions of the organization: not so much the end users of the information systems as the divisions responsible for the development, introduction and support of applications and for the maintenance and operation of computing equipment.
To minimize the cost of developing and effectively introducing the technology of maintaining information security, it is expedient to involve outside specialists who have experience in carrying out work of this kind.
Thus, in any case, responsibility for the development, introduction and overall performance of the protection systems lies with the company's top management.
The developed information security technology should provide:
1. A differentiated approach to the protection of the various AWPs (Automated Working Places) and subsystems (the level of security should be determined from the standpoint of reasonable sufficiency, taking into account the importance of the information processed and the tasks solved);
2. Maximum unification of protection tools for subsystems with identical security requirements;
3. Implementation of an authorization system for access to IS resources;
4. Minimization and formalization (ideally, automation) of the routine operations and of the coordination of actions between divisions needed to meet the requirements of the developed rules and instructions, without creating large inconveniences for employees in solving their main tasks;
5. Accounting for changes during the development of the automated system, regulating not only the steady-state operation of the protected subsystems but also the processes of their modernization connected with numerous changes in the hardware-software configuration of the AWPs;
6. A minimal number of specialists in the department engaged in information protection.
It must be understood quite precisely that observing the requirements for protecting information against unauthorized changes, which block their introduction into the system, inevitably complicates the procedure of legitimate IS updating. This is where one of the sharpest of the contradictions between security and the development and improvement of the automated system lies. The technology of maintaining information security should be flexible enough to provide for the special cases of emergency modification of the hardware and software of the protected IS.
13.35. What to choose?
There are no universal recipes here. Everything depends on the goals set by the head of the organization or of the IT department. Only some general recommendations can be given. First, the cost of maintaining information security should not exceed the value of the protected object or the size of the damage that could arise from an attack on it. The main problem is to estimate the possible cost of such damage correctly.
Depending on the scale of the company, three basic classes of networks can be distinguished:
1. IECO (International Enterprise Central Office): the central network of an international distributed company, which may number hundreds or thousands of nodes;
2. ROBO (Regional Office / Branch Office): the network of a regional branch, numbering tens or hundreds of nodes;
3. SOHO (Small Office / Home Office): the networks of small branches or the home (mobile) computers connected to the central network.
Three basic scenarios of maintaining information security, differing in their protection requirements, can likewise be distinguished for these classes of networks.
13.36. First scenario
In the first scenario a minimal level of security is provided by the capabilities built into the network equipment installed on the perimeter of the network (for example, in routers). Depending on the scale of the protected network these capabilities (protection against address spoofing, minimal traffic filtering, password-protected access to the equipment, etc.) are implemented in the backbone routers (for example, Cisco 7500 or Nortel BCN), the routers of regional divisions (for example, Cisco 2500 or Nortel ASN) and the remote-access routers (for example, Cisco 1600 or 3Com OfficeConnect). This scenario does not require large additional financial expenditure.
13.37. Second scenario
The second scenario, providing an average level of security, is implemented with the help of additionally purchased protection tools, such as simple firewalls, attack detection systems, etc. In the central network a firewall (for example, CheckPoint Firewall-1) can be installed; on the routers the elementary protective functions that form the first line of defense (access control lists and detection of some attacks) can be configured; all incoming traffic is checked for viruses, etc. Regional offices can be protected by simpler firewall models. Where qualified specialists are absent in the regions, it is recommended to install remotely managed hardware-software appliances that do not require a complex commissioning procedure (for example, CheckPoint VPN-1 Appliance based on Nokia IP330).
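The first scenario's "protection against address spoofing and minimal traffic filtering" and the second scenario's "access control lists on the routers as the first line of defense" are the same mechanism seen from two sides, so one added example serves both. The block below is written for this lecture and is not the configuration syntax of Cisco, Nortel, 3Com or CheckPoint: it evaluates, over constructed sample packets, an ingress anti-spoofing check (a packet arriving from the Internet must not claim an internal or private source address) followed by a first-match access list with an implicit deny at the end. The internal prefix, the partner network and the rule set are assumptions for illustration.

```python
"""Perimeter router filtering as in scenarios 1 and 2: anti-spoofing ingress
rules plus a first-match access list, evaluated over constructed packets.

Added example for this lecture; not the configuration syntax of any vendor
named in the text. The internal prefix, partner network and rules are assumptions.
"""
import ipaddress

INTERNAL = ipaddress.ip_network("192.0.2.0/24")   # assumption: the organization's own block
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]

# Inbound access list on the outside interface. First match wins, so order matters:
# (action, source network, destination network, protocol, destination port or None).
ACL_IN = [
    ("deny",   "0.0.0.0/0",       "192.0.2.0/24",  "tcp", 23),    # no telnet to anything inside
    ("permit", "0.0.0.0/0",       "192.0.2.10/32", "tcp", 80),    # public web server
    ("permit", "0.0.0.0/0",       "192.0.2.10/32", "tcp", 443),
    ("permit", "198.51.100.0/24", "192.0.2.0/24",  "any", None),  # partner network (assumption)
    # implicit deny of everything else
]


def antispoof(src: ipaddress.IPv4Address):
    """Ingress filtering: traffic from the Internet cannot legitimately carry an
    internal source address (the classic spoofing trick) or a private/bogon one."""
    if src in INTERNAL:
        return "spoofed-internal-source"
    if any(src in net for net in BOGONS):
        return "bogon-source"
    return None


def evaluate(packet: dict):
    """Return (action, reason) for a packet arriving on the outside interface."""
    src = ipaddress.ip_address(packet["src"])
    dst = ipaddress.ip_address(packet["dst"])
    reason = antispoof(src)
    if reason:
        return ("deny", reason)
    for action, s_net, d_net, proto, port in ACL_IN:
        if (src in ipaddress.ip_network(s_net) and dst in ipaddress.ip_network(d_net)
                and proto in ("any", packet["proto"])
                and port in (None, packet.get("dport"))):
            return (action, f"acl:{s_net}->{d_net}/{proto}/{port}")
    return ("deny", "implicit-deny")


# Constructed sample traffic arriving from the Internet side.
SAMPLE_PACKETS = [
    {"src": "203.0.113.5",  "dst": "192.0.2.10", "proto": "tcp", "dport": 443},  # web client
    {"src": "192.0.2.77",   "dst": "192.0.2.10", "proto": "tcp", "dport": 443},  # spoofed insider
    {"src": "10.1.1.1",     "dst": "192.0.2.10", "proto": "tcp", "dport": 80},   # private source
    {"src": "198.51.100.9", "dst": "192.0.2.20", "proto": "tcp", "dport": 23},   # partner, telnet
    {"src": "198.51.100.9", "dst": "192.0.2.20", "proto": "udp", "dport": 53},   # partner, dns
    {"src": "203.0.113.5",  "dst": "192.0.2.20", "proto": "tcp", "dport": 22},   # ssh from anywhere
]


def run(packets=SAMPLE_PACKETS):
    return [evaluate(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run()):
        print(pkt["src"], "->", pkt["dst"], pkt["proto"], pkt.get("dport"), verdict)
```

Two points the example makes visible: the anti-spoofing check runs before the list, so no permit rule can be reached by a forged internal address, and the partner's telnet session is stopped by the earlier deny even though a later rule would permit "any" from that network. Reordering those two rules would silently reopen telnet, which is why access lists are reviewed as ordered sequences and not as sets.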
13.38. Third scenario
The third scenario, which allows a maximum level of security to be reached, is intended for e-commerce servers, Internet banks, etc. In this scenario highly effective, multifunctional firewalls, authentication servers, attack detection systems and security analysis systems are applied. To protect the central office, clustered firewall complexes providing fault tolerance and high availability of network resources can be used (for example, CheckPoint VPN-1 Appliance based on Nokia IP650, or CheckPoint VPN-1 with the High Availability Module). Attack detection systems (for example, RealSecure Appliance) can also be installed in a cluster.
To detect vulnerabilities that could be used to carry out attacks, security analysis systems (for example, the SAFEsuite family from Internet Security Systems) can be applied. Authentication of external and internal users is carried out with the help of authentication servers (for example, CiscoSecure ACS). Finally, access of home (mobile) users to the resources of the central and regional networks is provided over a protected VPN connection. Virtual private networks (VPNs) are also used to secure the interaction between the central and regional offices. VPN functions can be implemented both in firewalls (for example, CheckPoint VPN-1) and in dedicated VPN devices.
13.39. The purchase of protection tools is just the tip of the iceberg
It might seem that once the protection tools have been purchased, all problems are removed. This is not so: the purchase of protection tools is just the tip of the iceberg. It is not enough to acquire a protection system; what matters most is to introduce it correctly, to configure it and to maintain it. Therefore the financial expenses do not end with the purchase of information security tools.
Such items as software updates, support from the manufacturer or supplier, and training of personnel in the operating regulations of the acquired tools must be put into the budget in advance. Without appropriate updates the protection system will in time cease to be relevant and will be unable to track new and refined methods of unauthorized access to the company's network. Authorized training and support help to put the protection system into operation quickly and to adapt it to the information processing technology adopted in the organization.
The approximate cost of updates is about 15-20% of the cost of the software. The cost of annual support from the manufacturer, which as a rule already includes software updates, is about 20-30% of the cost of the protection system. Thus, not less than 20-30% of the cost of the software needs to be spent each year to prolong technical support of the information protection tools.
13.40. Standard set of tools for complex protection
The standard set of tools for complex protection of information in a modern IS usually contains the following components:
1. Tools for reliable storage of information using file-level protection technology (File Encryption System, FES);
2. Tools for authorization of access to information resources, as well as protection against unauthorized access to information systems using biometric authentication technology and tokens (smart cards, touch-memory, USB keys, etc.);
3. Tools for protection against external threats when connecting to public communication networks (the Internet), as well as for controlling access from the Internet using firewall technology and content inspection;
4. Tools for protection against viruses using specialized anti-virus complexes;
5. Tools for maintaining the confidentiality, integrity, availability and authenticity of information transmitted over open communication channels using protected virtual private network (VPN) technology;
6. Tools for actively monitoring the security of information resources using intrusion detection technology;
7. Tools for centralized management of the information security system in accordance with an agreed and approved corporate security policy.
Depending on the scale of the company's activity the methods and tools of maintaining information security may differ, but any qualified CIO or IT-service specialist will say that no problem in the field of information security is solved by one-sided means: a complex, integrated approach is always required.
13.41. Purchase and support of protection tools
The purchase and support of protection tools is not a useless expenditure of financial assets. It is an investment which, if made correctly, will pay back with interest and will allow the business to be brought to the desired level.
13.42. Control questions and tasks
Who develops the strategy of information security and protection of management information?
What modern information protection tools are applied in corporate information systems?
What does the concept "model of enterprise information security" include?
List the external and internal threats to the company's information flows and systems.
What is an "information security policy" and what elements does it contain?
List the key questions of maintaining information security.
What hardware and software tools are applied in maintaining the information security of the enterprise?