Information security should be viewed as. Information security threats that cause the most damage

The security of a virtual server can only be considered as a matter of "information security". Many have heard this phrase, but not everyone understands what it means.

"Information Security" is the process of ensuring availability, integrity and confidentiality of information.

"Availability" means ensuring access to information. "Integrity" means ensuring the accuracy and completeness of information. "Confidentiality" means ensuring that only authorized users have access to information.

Depending on your goals and the tasks performed on the virtual server, you will need different measures and degrees of protection for each of these three properties.

For example, if you use a virtual server only as a means of surfing the Internet, the first security measures you need are anti-virus protection and compliance with basic security rules when working on the Internet.

If, on the other hand, you host an online store or a game server on your server, the necessary protection measures will be completely different.

To choose the most suitable security measures, you need to know the possible threats and the vulnerabilities that these threats usually exploit. We consider the main points below.

A "threat" is a potential possibility of violating information security in one way or another. An attempt to implement a threat is called an "attack", and the one who makes this attempt is called an "intruder". Most often, a threat is a consequence of vulnerabilities in the protection of information systems.

Let's consider the most common threats to which modern information systems are exposed.

Information security threats that cause the most damage

Threats can be classified according to various criteria:
  1. Direct threat to information security:
    • Availability
    • Integrity
    • Confidentiality
  2. Components that the threats target:
    • Data
    • Programs
    • Equipment
    • Supporting infrastructure
  3. By the method of implementation:
    • Accidental or deliberate
    • Natural or man-made
  4. By the location of the threat source:
    • Internal
    • External
As mentioned at the beginning, the concept of “threat” is interpreted differently in different situations, and the required security measures differ accordingly. For example, for a deliberately open organization, confidentiality threats may simply not exist, since all information is considered publicly available, but in most cases illegal access is a serious threat.

For virtual servers, the threats that you as a server administrator need to take into account are threats to the availability, confidentiality and integrity of data. You bear direct and sole responsibility for threats to confidentiality and data integrity that are not related to the hardware or infrastructure component. Applying the necessary protection measures against them is your immediate task.

Threats that target vulnerabilities in the programs you use are often beyond your influence as a user, other than by not using those programs. Using such programs is acceptable only if exploiting their vulnerabilities is either not worthwhile from an attacker's point of view or would not cause you significant losses as a user.

The hosting company that you have chosen and from which you rent your servers is directly responsible for the necessary security measures against threats aimed at equipment and infrastructure and against threats of a man-made or natural nature. The choice of hosting company should therefore be made very carefully: a well-chosen company will provide reliability of the hardware and infrastructure components at the proper level.

As a virtual server administrator, you need to take these types of threats into account only where even a short-term loss of access, or a partial or complete shutdown of the server through the fault of the hosting company, can lead to disproportionate problems or losses. This happens quite rarely, but for objective reasons no hosting company can provide 100% uptime.

Direct threats to information security

The main threats to availability include:

  1. Internal failure of the information system;
  2. Failure of the supporting infrastructure.
The main sources of internal failures are:
  • Violation (accidental or intentional) of the established operating rules
  • Departure of the system from normal operation due to accidental or deliberate actions of users (exceeding the estimated number of requests, an excessive amount of processed information, etc.)
  • Errors when (re)configuring the system
  • Malicious software
  • Hardware and software failures
  • Data destruction
  • Destruction or damage to equipment
In relation to the supporting infrastructure, it is recommended to consider the following threats:
  • Disruption (accidental or intentional) of communication systems, power supply, water and/or heat supply, air conditioning;
  • Destruction or damage to premises;
  • The inability or unwillingness of service personnel and/or users to fulfill their duties (civil unrest, transport accidents, a terrorist act or the threat of one, a strike, etc.).

Major threats to integrity

Integrity threats can be divided into static integrity threats and dynamic integrity threats.

A distinction should also be made between threats to the integrity of service information and of content data. Service information refers to access passwords, data transfer routes in the local network, and similar information. Most often, in almost all cases, the attacker, whether consciously or not, turns out to be an employee of the organization who is familiar with the operating mode and protection measures.

In order to violate static integrity, an attacker can:

  • Enter incorrect data
  • Change the data
Threats to dynamic integrity include reordering, theft, duplication of data, or the insertion of additional messages.

Main threats to confidentiality

Confidential information can be divided into subject and service information. Service information (for example, user passwords) does not belong to a specific subject area; it plays a technical role in the information system, but its disclosure is especially dangerous, since it can lead to unauthorized access to all information, including subject information.

Even if information is stored on a computer or intended for computer use, threats to its confidentiality can be non-computer and generally non-technical in nature.

Threats that are unpleasant and difficult to defend against include abuse of authority. On many types of systems, a privileged user (for example, a system administrator) is able to read any (unencrypted) file, access any user's mail, etc. Another example is damage caused during servicing. Typically, a service engineer has unrestricted access to equipment and is able to bypass software protection mechanisms.

For clarity, these types of threats are also schematically presented below in Fig. 1.


Fig. 1. Classification of types of threats to information security

To apply the most suitable protection measures, it is necessary to assess not only the threats to information security but also the possible damage. For this, the characteristic of acceptability is used: the possible damage is classified as acceptable or unacceptable. It is useful to establish your own criteria for the admissibility of damage in monetary or other form.

Everyone who starts organizing information security must answer three basic questions:

  1. What to protect?
  2. From whom to protect, what types of threats are prevalent: external or internal?
  3. How to protect, by what methods and means?
Taking all of the above into account, you can assess the relevance, possibility and severity of threats as fully as possible. After evaluating all the necessary information and weighing all the pros and cons, you will be able to choose the most effective and optimal methods and means of protection.

The main methods and means of protection, as well as the minimum necessary security measures for virtual servers, depending on the main purposes of their use and the types of threats, will be considered in the following articles under the heading "Basics of information security".

New methods of processing and transmitting data contribute to the emergence of new threats that increase the likelihood of distortion, interception, etc. of information. Therefore, ensuring the information security of networked computers is today a leading direction in IT. The document that underpins the legality of actions and establishes a unified understanding of all aspects is GOST R 50922-96.

Below we consider the basic concepts in this area:

  • Information protection is activity aimed at preventing threats to information.
  • A protected object is information or a medium with information that needs to be protected.
  • The goal of protection is a certain result after a certain period of protection of this information.
  • Efficiency of information protection - an indicator that shows how close the real result is to the set result.
  • Protection of information from leakage - work to prevent uncontrolled transmission of protected data from disclosure or
  • Information security system - a set of components implemented in the form of technology, software, people, laws, etc. that are organized and work as a single system aimed at protecting information.
  • The subject of access to information is a participant in legal relations in information processes.
  • Information owner - an author who has full rights to this information within the framework of the laws.
  • Information holder - a subject who, by order of the owner, uses information and disposes of it within certain powers.
  • The right to access information is a set of rules for accessing data established by documents or by the owner or holder.
  • Authorized access - access that does not violate the established access control rules.
  • Unauthorized access - violation of access control rules. The process or subject that carries out unauthorized access is a violator.
  • Subject identification is an algorithm for recognizing a subject by identifier.
  • Subject authorization is an algorithm for granting rights to the subject after successful authentication and identification in the system.
  • Computer system vulnerability is an aspect of system components that lead to
  • An attack on a computer system (CS) is the search for and exploitation of system vulnerabilities by an attacker.
  • A protected system is a system where system vulnerabilities are successfully closed and threat risks are reduced.
  • Methods and techniques of information protection - rules and procedure for the implementation of means of protection.
  • A security policy is a set of rules, norms and documents for implementing the protection of an information system in an enterprise.

Information security is understood as the protection of data from illegal actions, as well as the operability of the information system and its components. Today, an automated system (AS) for data processing is a whole system consisting of components that have a certain autonomy. Each component can be subjected to harmful impact. The elements of an AS can be categorized into groups:

  • Hardware components - computers and their parts (monitors, printers, communication cables, etc.)
  • Software - programs, OS, etc.
  • Personnel - people who are directly related to the information system (employees, etc.)
  • Data - information that is in a closed system. This includes printed information, journals, media, etc.

Information security is implemented through the following aspects: integrity, confidentiality and availability. Data confidentiality is an aspect of information that determines the degree of its secrecy from third parties. Confidential information should be known only to authorized subjects of the system. Integrity of information is the aspect of information that concerns preserving its structure and content during transmission or storage. Securing this aspect is important in an environment where there is a high probability of distortion or other impacts that destroy integrity. Reliability of information consists in strict correspondence to the initial value during transmission and storage.

The legal significance of data is determined by the document that carries it and that has legal force. Data availability means that a subject can obtain information using technical means.

The founder of cybernetics, Norbert Wiener, believed that information has unique characteristics and cannot be attributed to either energy or matter. The special status of information as a phenomenon has given rise to many definitions.

The dictionary of the ISO/IEC 2382:2015 "Information technology" standard gives the following interpretation:

Information (in the field of information processing) - any data presented in electronic form, written on paper, expressed at a meeting or in any other medium, used by a financial institution for making decisions, moving funds, setting rates, granting loans, processing transactions, etc., including software components of the processing system.

For the purposes of developing the concept of information security (IS), information is understood as data that is available for collection, storage, processing (editing, transformation), use and transmission in various ways, including in computer networks and other information systems.

Such information is of high value and can become an object of encroachment by third parties. The desire to protect information from threats underlies the creation of information security systems.

Legal basis

In December 2017, Russia adopted the Information Security Doctrine. In the document, IS is defined as the state of protection of national interests in the information sphere. In this case, national interests are understood as the totality of the interests of society, the individual and the state, each group of interests is necessary for the stable functioning of society.

The Doctrine is a conceptual document. Legal relations related to ensuring information security are governed by the federal laws "On state secrets", "On information", "On the protection of personal data" and others. On the basis of these fundamental normative acts, government decrees and departmental normative acts are developed on particular issues of information protection.

Definition of information security

Before developing an information security strategy, it is necessary to adopt a basic definition of the concept itself, which will allow the use of a certain set of means and methods of protection.

Industry practitioners suggest that information security be understood as a stable state of security of information, its carriers and infrastructure, which ensures the integrity and stability of information-related processes against intentional or unintentional impacts of a natural and artificial nature. Impacts are classified as IS threats that can harm the subjects of information relations.

Thus, information protection will mean a complex of legal, administrative, organizational and technical measures aimed at preventing real or perceived information security threats, as well as eliminating the consequences of incidents. The continuity of the information protection process should guarantee the fight against threats at all stages of the information cycle: in the process of collecting, storing, processing, using and transmitting information.

Information security in this understanding becomes one of the characteristics of the system's performance. At every moment in time, the system must have a measurable level of security, and ensuring the security of the system must be a continuous process that is carried out at all time intervals during the life of the system.

In information security theory, information security subjects are understood as owners and users of information, and not only users on an ongoing basis (employees), but also users who access databases in isolated cases, for example, government agencies requesting information. In a number of cases, for example, in banking information security standards, the owners of information include shareholders - legal entities who own certain data.

The supporting infrastructure, from the point of view of information security fundamentals, includes computers, networks, telecommunications equipment, premises, life support systems, and personnel. When analyzing security, it is necessary to study all elements of systems, paying special attention to personnel as the carrier of most internal threats.

For information security management and damage assessment, the characteristic of acceptability is used, so damage is determined as acceptable or unacceptable. It is useful for each company to establish its own criteria for the admissibility of damage in monetary form or, for example, in the form of acceptable harm to reputation. In public institutions, other characteristics can be adopted, for example, the influence on the management process or the reflection of the degree of damage to the life and health of citizens. The criteria of materiality, importance and value of information can change during the life cycle of the information array, therefore, they should be revised in a timely manner.

An information threat in the narrow sense is an objective opportunity to influence the object of protection, which can lead to leakage, theft, disclosure or dissemination of information. In a broader sense, information security threats will include directed informational impacts, the purpose of which is to harm the state, organization, and individual. Such threats include, for example, defamation, deliberate misrepresentation, and inappropriate advertising.

Three main questions of information security concept for any organization

    What to protect?

    What types of threats prevail: external or internal?

    How to protect, by what methods and means?

IS system

The information security system for a company that is a legal entity includes three groups of basic concepts: integrity, availability and confidentiality. Each of them covers concepts with many characteristics.

Integrity means the resistance of databases and other information arrays to accidental or intentional destruction and unauthorized changes. Integrity can be viewed as:

  • static, expressed in the immutability and authenticity of information objects relative to the objects that were created according to a specific technical specification and contain the amount of information required by users for their main activity, in the required configuration and sequence;
  • dynamic, implying the correct execution of complex actions or transactions, which does not harm the safety of information.

To control dynamic integrity, special technical means are used that analyze the flow of information, for example financial information, and identify cases of theft, duplication, redirection, and reordering of messages. Integrity as a key characteristic is required when decisions to act are made on the basis of incoming or available information. Violating the order of commands or the sequence of actions can cause great damage where technological processes, program code and similar things are being described.
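
The dynamic integrity control described above, covering the threats listed earlier (reordering, theft, duplication, insertion of additional messages), shown as an added example that is not part of the original article. It assumes one common technique, sequence numbers plus an HMAC-SHA256 tag over each message; the names `Frame`, `seal`, `StreamMonitor`, the key and the channel names are hypothetical, and the sample stream is constructed.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Constructed demo key; a real deployment would load a secret from a key store.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


@dataclass(frozen=True)
class Frame:
    dst: str        # intended recipient (covers "redirection")
    seq: int        # per-stream sequence number (covers order, loss, duplicates)
    payload: bytes
    tag: bytes      # HMAC over dst, seq and payload (covers insertion, tampering)


def _mac(key: bytes, dst: str, seq: int, payload: bytes) -> bytes:
    # Length-prefix dst so that field boundaries cannot be shifted.
    dst_b = dst.encode()
    msg = struct.pack(">H", len(dst_b)) + dst_b + struct.pack(">Q", seq) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


def seal(key: bytes, dst: str, seq: int, payload: bytes) -> Frame:
    """Sender side: attach the integrity tag to a message."""
    return Frame(dst, seq, payload, _mac(key, dst, seq, payload))


class StreamMonitor:
    """Receiver side: classify each incoming frame of one stream."""

    def __init__(self, key: bytes, my_id: str, first_seq: int = 1):
        self.key = key
        self.my_id = my_id
        self.first_seq = first_seq
        self.seen = set()
        self.highest = first_seq - 1

    def check(self, frame: Frame) -> str:
        expected = _mac(self.key, frame.dst, frame.seq, frame.payload)
        if not hmac.compare_digest(expected, frame.tag):
            return "inserted-or-modified"   # no valid tag: not from the sender
        if frame.dst != self.my_id:
            return "redirected"             # genuine frame, wrong recipient
        if frame.seq in self.seen:
            return "duplicate"              # replay of an accepted frame
        self.seen.add(frame.seq)
        if frame.seq < self.highest:
            return "reordered"              # genuine but arrived late
        self.highest = frame.seq
        return "ok"

    def missing(self) -> list:
        """Sequence numbers never received: candidates for theft or loss."""
        return [s for s in range(self.first_seq, self.highest + 1)
                if s not in self.seen]


def demo():
    # Constructed stream of five payment messages for the "billing" service.
    sent = {n: seal(DEMO_KEY, "billing", n, b"payment #%d" % n) for n in range(1, 6)}
    forged = Frame("billing", 4, b"payment #4 to another account", b"\x00" * 32)
    misrouted = seal(DEMO_KEY, "archive", 1, b"archive record")
    # What the receiver actually observes: 2 and 3 swapped, 3 replayed,
    # a forged frame in place of 4, a frame meant for another service, then 5.
    observed = [sent[1], sent[3], sent[2], sent[3], forged, misrouted, sent[5]]
    monitor = StreamMonitor(DEMO_KEY, "billing")
    verdicts = [monitor.check(f) for f in observed]
    return verdicts, monitor.missing()


if __name__ == "__main__":
    verdicts, missing = demo()
    for v in verdicts:
        print(v)
    print("missing:", missing)
```

The genuine message 4 never arrives in the constructed stream, so the monitor reports it as missing even though a forged frame carried the same sequence number.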

Availability is a property that allows authorized subjects to access or exchange data of interest to them. The key requirement of legitimation or authorization of subjects makes it possible to create different levels of access. The refusal of the system to provide information becomes a problem for any organization or user group. An example is the inaccessibility of public service sites in the event of a system failure, which deprives many users of the opportunity to receive the necessary services or information.

Confidentiality means the property of information to be available only to those users, subjects and processes that have been granted access in the first place. Most companies and organizations perceive confidentiality as a key element of information security, but in practice it is difficult to implement fully. Not all data on existing channels of information leakage is available to the authors of information security concepts, and many technical means of protection, including cryptographic ones, cannot be purchased freely; in some cases their circulation is restricted.

The same properties of information security have different value for different users, hence the two extreme categories in the development of data protection concepts. For companies or organizations associated with state secrets, confidentiality is the key parameter; for public services or educational institutions, the most important parameter is availability.

Protected objects in information security concepts

The difference in subjects gives rise to differences in the objects of protection. The main groups of protected objects:

  • information resources of all types (a resource is understood as a material object: a hard disk, another medium, a document with data and details that help to identify it and refer it to a certain group of subjects);
  • the rights of citizens, organizations and the state to access information, the ability to obtain it within the framework of the law; access can be limited only by regulatory legal acts; the organization of any barriers that violate human rights is inadmissible;
  • a system for creating, using and distributing data (systems and technologies, archives, libraries, regulatory documents);
  • the system for the formation of public consciousness (media, Internet resources, social institutions, educational institutions).

Each object requires its own system of measures to protect against threats to information security and public order. Ensuring information security in each case should be based on a systematic approach that takes into account the specifics of the object.

Categories and storage media

The Russian legal system, law enforcement practice and established social relations classify information according to the criteria of accessibility. This allows you to clarify the essential parameters necessary to ensure information security:

  • information, access to which is limited on the basis of legal requirements (state secrets, commercial secrets, personal data);
  • information in the public domain;
  • publicly available information that is provided under certain conditions: paid information or data for which you need to obtain a pass, for example, a library card;
  • dangerous, harmful, false and other types of information, the circulation and distribution of which is limited either by the requirements of laws or corporate standards.

Information from the first group has two modes of protection. A state secret, according to the law, is information protected by the state, the free distribution of which may harm the security of the country. These are data in the field of military, foreign policy, intelligence, counterintelligence and economic activities of the state. The owner of this data group is the state itself. The bodies authorized to take measures to protect state secrets are the Ministry of Defense, the Federal Security Service (FSB), the Foreign Intelligence Service, and the Federal Service for Technical and Export Control (FSTEC).

Confidential information is a more multifaceted object of regulation. The list of information that may constitute confidential information is contained in presidential decree No. 188 "On approval of the list of confidential information." This is personal data; secrecy of investigation and legal proceedings; official secret; professional secret (medical, notarial, lawyer's); trade secret; information about inventions and utility models; information contained in the personal files of convicts, as well as information on the compulsory execution of judicial acts.

Personal data exists in an open and a confidential mode. The part of personal data that is open and accessible to all users includes first name, last name and patronymic. According to FZ-152 "On Personal Data", subjects of personal data have the right to:

  • informational self-determination;
  • access their personal data and make changes to it;
  • block personal data and access to it;
  • appeal against illegal actions of third parties committed in relation to personal data;
  • receive compensation for the damage caused.

The right to this is enshrined in the regulations on state bodies, federal laws, licenses to work with personal data issued by Roskomnadzor or FSTEC. Companies that professionally work with personal data of a wide range of people, for example, telecom operators, must enter the register, which is maintained by Roskomnadzor.

A separate object in the theory and practice of information security are information carriers, access to which is open and closed. When developing an information security concept, protection methods are selected depending on the type of media. Main storage media:

  • print and electronic media, social networks, other resources on the Internet;
  • employees of the organization who have access to information on the basis of their friendships, family, professional ties;
  • communication means that transmit or store information: telephones, automatic telephone exchanges, other telecommunication equipment;
  • documents of all types: personal, official, government;
  • software as an independent information object, especially if its version has been modified specifically for a specific company;
  • electronic storage media that process data in an automatic manner.

For the purpose of developing concepts of information security, information security means are usually divided into normative (informal) and technical (formal).

Informal means of protection are documents, rules and measures; formal means are special technical means and software. This division helps to distribute areas of responsibility when creating information security systems: under general management of protection, administrative personnel implement the normative methods, and IT specialists the technical ones.

The basics of information security imply the delineation of powers not only in terms of using information, but also in terms of working with its protection. This delineation of powers also requires several levels of control.


Formal means of protection

A wide range of technical means of information security includes:

Physical protective equipment. These are mechanical, electrical and electronic mechanisms that function independently of information systems and create barriers to access to them. Locks, including electronic ones, screens and blinds are designed to keep destabilizing factors from coming into contact with systems. The group is supplemented by security system equipment, for example, video cameras, video recorders, and sensors that detect movement or excessive levels of electromagnetic radiation in the area where technical means of information retrieval and embedded devices are located.

Hardware protection. These are electrical, electronic, optical, laser and other devices that are embedded in information and telecommunication systems. Before introducing hardware into information systems, it is necessary to ensure compatibility.

Software means are simple and systemic, complex programs designed to solve specific and complex problems related to information security. An example of complex solutions are also: the former serve to prevent leakage, reformat information and redirect information flows, the latter provide protection against incidents in the field of information security. Software is demanding on the power of hardware devices, and additional reserves must be provided during installation.

Specific means of information security include various cryptographic algorithms that encrypt information on disk and information sent through external communication channels. Information transformation can be performed using software and hardware methods operating in corporate information systems.

All means that guarantee the security of information should be used in combination, after a preliminary assessment of the value of the information and a comparison of it with the cost of the resources spent on security. Therefore, proposals for the use of protection means should be formulated already at the stage of developing systems, and approval should be given at the level of management that is responsible for approving budgets.

In order to ensure security, it is necessary to monitor all modern developments, software and hardware protection means, threats and promptly make changes to our own systems of protection against unauthorized access. Only the adequacy and promptness of response to threats will help to achieve a high level of confidentiality in the work of the company.

Informal means of protection

Informal means of protection are grouped into normative, administrative, and moral-ethical. At the first level of protection are the regulatory means that regulate information security as a process in the activities of the organization.

  • Regulatory means

In world practice, the development of regulatory tools is guided by IS protection standards, the main one being ISO/IEC 27000. The standard was created by two organizations:

  • ISO - International Commission for Standardization, which develops and approves most of the internationally recognized methodologies for certification of the quality of production and management processes;
  • IEC - International Energy Commission, which introduced into the standard its understanding of information security systems, means and methods of ensuring it

The current version of ISO/IEC 27000-2016 offers ready-made standards and proven methods necessary for the implementation of information security. According to the authors of the methods, the basis of information security lies in a systematic approach and the consistent implementation of all stages from development to post-control.

To obtain a certificate that confirms compliance with information security standards, it is necessary to implement all recommended techniques in full. If there is no need to obtain a certificate, it is allowed to take any of the earlier versions of the standard, starting with ISO/IEC 27000-2002, or Russian GOSTs, which are advisory in nature, as a basis for developing one's own information security systems.

Based on the results of studying the standard, two documents relating to information security are developed. The main, but less formal, one is the concept of information security of an enterprise, which defines the measures and methods of implementing an information security system for the information systems of an organization. The second document, which all employees of the company must comply with, is the information security regulation approved at the level of the board of directors or the executive body.

In addition to the company-level regulation, lists of information constituting a trade secret, annexes to labor contracts that establish responsibility for the disclosure of confidential data, and other standards and methods should be developed. Internal rules and regulations should contain implementation mechanisms and measures of responsibility. Most often, the measures are disciplinary in nature, and the violator must be prepared for the fact that a violation of the trade secret regime will be followed by significant sanctions, up to and including dismissal.

  • Organizational and administrative measures

As part of the administrative activities for the protection of information security for security personnel, there is scope for creativity. These are architectural and planning solutions that help protect meeting rooms and management offices from eavesdropping, and the establishment of various levels of access to information. Important organizational measures will be certification of the company's activities in accordance with ISO / IEC 27000 standards, certification of individual hardware and software systems, certification of subjects and objects for compliance with the necessary security requirements, obtaining licenses necessary to work with protected data arrays.

From the point of view of regulating the activities of personnel, it will be important to formulate a system of requests for access to the Internet, external e-mail, and other resources. A separate element will be the receipt of an electronic digital signature to enhance the security of financial and other information that is transmitted to government agencies via e-mail.

  • Moral and ethical measures

Moral and ethical measures determine a person's personal attitude to confidential information or information limited in circulation. Increasing the level of knowledge of employees regarding the impact of threats on the company's activities affects the degree of consciousness and responsibility of employees. To combat violations of the information regime, including, for example, the transfer of passwords, careless handling of media, the dissemination of confidential data in private conversations, it is required to focus on the personal conscientiousness of the employee. It will be useful to establish indicators of the effectiveness of personnel, which will depend on the attitude towards the corporate information security system.

The infographic uses data from SearchInform's own research.


Posted on http://www.allbest.ru/

Introduction

2. Information security systems

3. Information resources of limited distribution and threats to resources. Personnel access to confidential information

Conclusion

Introduction

From the very beginning of human history, the need arose for the transmission and storage of information.

Starting from about the 17th century, in the process of the formation of machine production, the problem of mastering energy comes to the fore. At first, the methods of mastering the energy of wind and water were improved, and then mankind took possession of thermal energy.

At the end of the 19th century, the mastery of electrical energy began, an electric generator and an electric motor were invented. And finally, in the middle of the XX century, mankind mastered atomic energy, in 1954 the first nuclear power plant was put into operation in the USSR.

The mastery of energy made it possible to move towards the mass machine production of consumer goods. An industrial society was created. During this period, there were also significant changes in the methods of storing and transmitting information.

In the information society, information is the main resource. It is on the basis of possession of information about a variety of processes and phenomena that one can efficiently and optimally build any activity.

It is important not only to produce a large number of products, but to produce the right products at a specific time, at a certain cost, and so on. Therefore, in the information society, not only the quality of consumption increases, but also the quality of production; a person using information technology has better working conditions, and work becomes creative, intellectual, and so on.

Currently, the developed countries of the world (USA, Japan, Western European countries) have actually already entered the information society. Others, including Russia, are on the closest approaches to it.

Three criteria can be chosen for the development of the information society: the availability of computers, the level of development of computer networks, and the number of people who are employed in the information sphere or who use information and communication technologies in their daily activities.

Information is expensive today and needs to be protected. The massive use of personal computers, unfortunately, turned out to be associated with the emergence of self-replicating viruses that interfere with the normal operation of the computer, destroy the file structure of disks and damage the information stored in the computer.

Information is owned and used by all people, without exception. Each person decides for himself what information he needs to receive, what information should not be available to others, etc. It is easy for a person to keep information that is in his head, but what if the information is entered into the "brain of the machine", to which many people have access?

1. Information protection and information security

Protection of information

The problem of creating an information security system includes two complementary tasks: 1) development of an information security system (its synthesis); 2) evaluation of the developed information security system. The second task is solved by analyzing its technical characteristics in order to establish whether the information protection system meets the set of requirements for these systems. Such a task is currently being solved almost exclusively by expert means with the help of certification of information security tools and certification of the information security system in the process of its implementation.

Let us consider the main content of the presented information protection methods, which form the basis of protection mechanisms.

Obstacles are methods of physically blocking the path of the attacker to the protected information (to equipment, storage media, etc.).

Access control is a method of protecting information by regulating the use of all resources of a computer information system (elements of databases, software and hardware). Access control includes the following security features:

  • identification of users, personnel and resources of the system (assigning a personal identifier to each object);
  • authentication of an object or subject by the identifier it presents;
  • authorization check (checking that the day of the week, time of day, requested resources and procedures comply with the established regulations);
  • permission and creation of working conditions within the established regulations;
  • registration (logging) of calls to protected resources;
  • response (alarm, shutdown, delay in work, refusal of the request) in case of attempts at unauthorized actions.
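The access control features listed above, chained into one request check, as an added example that is not part of the original text. The account names, resources, working hours, lockout threshold and outcome labels are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Regulation:
    """The 'established regulations' for one subject (constructed values)."""
    weekdays: frozenset   # 0 = Monday ... 6 = Sunday
    start_hour: int       # inclusive
    end_hour: int         # exclusive
    resources: frozenset


@dataclass
class Account:
    salt: bytes
    verifier: bytes
    regulation: Regulation
    failures: int = 0
    locked: bool = False


def _derive(password, salt):
    # Keep a salted, slow hash of the password, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccessController:
    MAX_FAILURES = 3  # assumption: lock the identifier after three bad attempts

    def __init__(self):
        self.accounts = {}
        self.audit_log = []

    def enroll(self, user_id, password, regulation):
        # Identification: every subject gets a personal identifier.
        salt = secrets.token_bytes(16)
        self.accounts[user_id] = Account(salt, _derive(password, salt), regulation)

    def _record(self, when, user_id, resource, outcome):
        # Registration (logging): every call is recorded, allowed or not.
        self.audit_log.append((when.isoformat(), user_id, resource, outcome))
        return outcome

    def request(self, user_id, password, resource, when):
        acct = self.accounts.get(user_id)
        if acct is None:
            return self._record(when, user_id, resource, "DENY_UNKNOWN_ID")
        if acct.locked:
            return self._record(when, user_id, resource, "DENY_LOCKED")
        # Authentication: constant-time comparison of the derived verifier.
        if not hmac.compare_digest(_derive(password, acct.salt), acct.verifier):
            acct.failures += 1
            if acct.failures >= self.MAX_FAILURES:
                # Response: raise an alarm and shut the identifier out.
                acct.locked = True
                return self._record(when, user_id, resource, "ALARM_LOCKOUT")
            return self._record(when, user_id, resource, "DENY_BAD_PASSWORD")
        acct.failures = 0
        # Authorization check: day of week, time of day, requested resource.
        reg = acct.regulation
        in_hours = reg.start_hour <= when.hour < reg.end_hour
        if when.weekday() not in reg.weekdays or not in_hours:
            return self._record(when, user_id, resource, "DENY_OUTSIDE_HOURS")
        if resource not in reg.resources:
            return self._record(when, user_id, resource, "DENY_RESOURCE")
        return self._record(when, user_id, resource, "ALLOW")


def demo():
    ac = AccessController()
    office = Regulation(frozenset(range(5)), 9, 18, frozenset({"payroll_db"}))
    ac.enroll("clerk01", "constructed-passphrase", office)
    monday = datetime(2024, 1, 8, 10, 0)     # a Monday, inside working hours
    saturday = datetime(2024, 1, 13, 10, 0)  # a Saturday
    good = "constructed-passphrase"
    outcomes = [
        ac.request("clerk01", good, "payroll_db", monday),
        ac.request("clerk01", good, "payroll_db", saturday),
        ac.request("clerk01", good, "hr_archive", monday),
        ac.request("ghost", "x", "payroll_db", monday),
    ]
    for _ in range(3):  # three wrong passwords in a row trigger the response
        outcomes.append(ac.request("clerk01", "wrong", "payroll_db", monday))
    # Even the correct password is refused once the identifier is locked.
    outcomes.append(ac.request("clerk01", good, "payroll_db", monday))
    return outcomes, ac.audit_log


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

The audit log holds one entry per request, so refused attempts leave the same trace as permitted ones.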

Disguise is a method of protecting information by encrypting it (cryptographic closure). This method is widely used abroad both in processing and storing information, including on floppy disks. When transmitting information over long-distance communication channels, this method is the only reliable one.

Regulation is a method of information protection that creates conditions for the automated processing, storage and transmission of protected information, in which the possibility of unauthorized access to it would be minimized.

Coercion is a method of protection in which users and system personnel are forced to comply with the rules for the processing, transfer and use of protected information under the threat of material, administrative or criminal liability.

Incentive is a protection method that encourages the user and system personnel not to violate the established order by observing the established moral and ethical standards (both regulated and unwritten).

The considered methods of ensuring security are implemented in practice through the use of various means of protection, such as technical, software, organizational, legislative and moral and ethical. The main defenses used to create a security mechanism include the following.

Technical means are implemented in the form of electrical, electromechanical and electronic devices. The entire set of technical means is divided into hardware and physical means. Hardware is customarily understood to mean equipment or devices that interface with such equipment via a standard interface, for example, a system for identifying users and differentiating access to information (by means of passwords, recording codes and other information on various cards). Physical means are implemented as stand-alone devices and systems, for example, locks on doors where equipment is located, grates on windows, uninterruptible power supplies, and electromechanical burglar alarm equipment. There are external security systems ("Raven", GUARDWIR, FPS, etc.), ultrasonic systems (Cyclops, etc.), beam interruption systems (Pulsar 30V, etc.), television systems (VM216, etc.), radar systems ("VITIM", etc.), equipment opening control systems, etc.

Software tools are software specifically designed to perform information security functions. This group of tools includes: an encryption mechanism (cryptography is a special algorithm that is launched by a unique number or bit sequence, usually called an encryption key; the encrypted text is then transmitted over communication channels, and the recipient has his own key for decrypting the information), a digital signature mechanism, access control mechanisms, data integrity mechanisms, scheduling mechanisms, routing control mechanisms, arbitration mechanisms, antivirus programs, archiving programs (for example, zip, rar, arj, etc.), protection during information input and output, etc.

Organizational security means are organizational, technical and organizational and legal measures taken in the process of creating and operating computers, telecommunications equipment to ensure the protection of information. Organizational measures cover all structural elements of equipment at all stages of their life cycle (construction of premises, design of a computer information system for banking, installation and adjustment of equipment, use, operation).

Moral and ethical means of protection are implemented in the form of all kinds of norms that have developed traditionally or are taking shape with the spread of computing technology and communications in society. For the most part, these norms are not mandatory as legislative measures, but non-compliance with them usually leads to the loss of a person's authority and prestige. The most prominent example of such norms is the Code of Professional Conduct for Members of the United States Computer Users Association.

Legal remedies are determined by the legislative acts of the country, which regulate the rules for the use, processing and transmission of information of limited access and establish measures of responsibility for violation of these rules.

All considered means of protection are divided into formal (performing protective functions strictly according to a predetermined procedure without direct human participation) and informal (determined by purposeful human activity or regulate this activity).

Viruses are currently the most pressing security problem (even in systems that do not need to store sensitive information, and in home computers). Therefore, we will dwell on them in more detail here. A computer virus is a specially written small program that can "attribute" itself to other programs (that is, "infect" them), as well as perform various unwanted actions on the computer (for example, spoil files or file allocation tables on a disk, "clog" the RAM, etc.).

The main protection against viruses is archiving. Other methods cannot replace it, although they increase the overall level of protection. Archiving must be done daily. Archiving consists of making copies of the files in use and systematically updating the copies of files that are changed. This makes it possible not only to save space on special archive disks, but also to combine groups of shared files into one archive file, making it much easier to sort out a common archive of files. The most vulnerable are the file allocation tables, the main directory, and the boot sector. It is recommended to periodically copy them to a special floppy disk. Backing them up is important not only for protection against viruses, but also as insurance in case of emergencies or someone's actions, including your own mistakes.

For prophylactic purposes, to protect against viruses, it is recommended:

  • work with write-protected floppy disks;
  • minimization of the periods of availability of floppy disks for recording;
  • sharing of floppy disks between specific responsible users;
  • separation of transmitted and received floppy disks;
  • separation of storage of newly received programs and previously operated ones;
  • checking the newly received software for the presence of a virus in them by testing programs;
  • storing programs on a hard disk in an archived form.

In order to avoid the appearance of computer viruses, you must first of all observe the following measures:

  • do not rewrite software from other computers; if this is necessary, then the above measures should be taken;
  • do not allow unauthorized persons to work on the computer, especially if they are going to work with their floppy disks;
  • do not use other people's floppy disks, especially ones with computer games.

The following typical user errors can be distinguished, leading to virus infection:

  • lack of a proper system for archiving information;
  • launching a newly received program without first checking it for infection and without setting the maximum protection mode for the hard drive using access control systems and launching the resident watchman;
  • rebooting the system while a floppy disk is installed in drive A (in this case, the BIOS attempts to boot from this floppy disk, and not from the hard drive; as a result, if the diskette is infected with a boot virus, the hard drive is infected);
  • running all kinds of antivirus programs without knowing how different antivirus programs diagnose the same viruses;
  • analysis and restoration of programs on the infected operating system.

At present, the most popular anti-virus products of DialogNauka JSC in Russia are:

  • polyphage Aidstest (a polyphage is a program that performs actions opposite to those that a virus produces when infecting a file, i.e. it tries to restore the file);
  • auditor Adinf;
  • healing block AdinfExt;
  • polyphage for "polymorphs" Doctor Web.

There are filter programs that check whether files (on a user-specified disk) contain a special combination of bytes for a given virus. A special processing of files, disks, directories is also used - vaccination: the launch of vaccine programs that simulate a combination of conditions in which this type of virus begins to work and manifests itself. An example of a resident virus protection program is Carmel Central Point Software's VSAFF. CRCLIST and CRCTEST programs can be recommended as programs for early diagnosis of a computer virus.
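The two checks described above, an auditor that compares files against a stored baseline and a filter that looks for a known byte combination, as an added example that is not code from any of the products named. It uses SHA-256 in place of a CRC, which catches accidental damage but can be recomputed by whoever alters the file; the file names and the marker bytes are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Auditor baseline: relative path -> (size, digest) for every regular file."""
    root = Path(root)
    table = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            table[p.relative_to(root).as_posix()] = (p.stat().st_size, file_digest(p))
    return table


def audit(baseline, current):
    """Compare two snapshots and report what appeared, vanished or changed."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(n for n in old & new if baseline[n] != current[n]),
    }


def scan_signatures(root, signatures):
    """Filter: report files that contain any of the given byte patterns."""
    root = Path(root)
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            data = p.read_bytes()
            for name, pattern in signatures.items():
                if pattern in data:
                    hits.append((p.relative_to(root).as_posix(), name))
    return hits


def demo():
    # Constructed, harmless byte pattern standing in for a known signature.
    signatures = {"demo-marker": b"CONSTRUCTED-TEST-MARKER"}
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        editor = root / "bin" / "editor.exe"
        editor.write_bytes(b"HEADER" + bytes(32) + b"ORIGINAL-CODE")
        (root / "notes.txt").write_text("meeting at 10")
        baseline = snapshot(root)

        # Constructed changes: an in-place patch of the same length,
        # a deleted file, and a new file that carries the marker.
        editor.write_bytes(b"HEADER" + bytes(32) + b"PATCHED!-CODE")
        (root / "notes.txt").unlink()
        (root / "bin" / "new.exe").write_bytes(b"xx" + signatures["demo-marker"])

        current = snapshot(root)
        report = audit(baseline, current)
        same_size = baseline["bin/editor.exe"][0] == current["bin/editor.exe"][0]
        return report, scan_signatures(root, signatures), same_size


if __name__ == "__main__":
    report, hits, same_size = demo()
    print(report, hits, "size unchanged:", same_size)
```

The patched file keeps its original size, so only the digest comparison flags it. The baseline itself has to be stored where the audited system cannot rewrite it, for the same reason the text advises against analysing programs from an infected operating system.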

Information Security.

From the point of view of information security, information has the following categories:

  • confidentiality of information - a guarantee that specific information is available only to the circle of persons for whom it is intended; violation of this category is called theft or disclosure of information;
  • integrity of information - a guarantee that the information now exists in its original form, that is, during its storage or transfer, no unauthorized changes were made; violation of this category is called falsification of a message;
  • authenticity of information - a guarantee that the source of information is exactly the person who is declared as its author; violation of this category is also called falsification, but of the author of the message;
  • appealability of information (non-repudiation) - a guarantee that, if necessary, it will be possible to prove that the author of the message is exactly the declared person, and no one else can be. The difference between this category and the previous one is that when the author is substituted, someone else tries to declare that he is the author of the message, and when appealability is violated, the author himself tries to "disown" his words, which he once signed.

In relation to information systems, other categories apply:

  • reliability - ensuring that the system behaves in normal and abnormal modes as planned;
  • accuracy - guaranteeing the exact and complete execution of all commands;
  • access control - ensuring that different groups of people have different access to information objects, and that these access restrictions are constantly enforced;
  • controllability - a guarantee that at any time a full-fledged check of any component of the software complex can be performed;
  • identification control - a guarantee that the client currently connected to the system is exactly who it claims to be;
  • resistance to deliberate failures - a guarantee that if errors are deliberately introduced within the predetermined limits, the system will behave as agreed in advance.

2. Information security systems

Security of information transmission on the Internet. Encryption of information using public and private keys. Digital signature.

In the modern Russian Internet, most of its users, including corporate users, use the global network, mainly as a huge database, the widest information resource, where you can conveniently and quickly find any information of interest, or provide a wide audience with information about yourself, your products or services.

One of the reasons for this state of affairs is, in our opinion, the lack of confidence among business representatives in the security of information transmission via the Internet. It is for this reason that a fax, or courier is often used where the possibilities of the Internet can be successfully used.

Let us consider what areas of protection and the corresponding technical means are attracting the most attention from developers and consumers today.

Protection against unauthorized access (NSD) of resources of stand-alone and networked PCs. This function is implemented by software, firmware and hardware, which will be discussed below with specific examples.

Protection of servers and individual users of the Internet from malicious hackers from outside. For this, firewalls are used, which have recently become more widespread (see "PC World", No. 11/2000, p. 82).

Protection of secret, confidential and personal information from being read by unauthorized persons and its purposeful distortion is carried out most often with the help of cryptographic means traditionally allocated to a separate class. This also includes confirmation of the authenticity of messages using an electronic digital signature (EDS). The use of cryptosystems with public keys and EDS has great prospects in banking and electronic commerce. This type of protection is not considered in this article.

In recent years, software protection against illegal copying using electronic keys has become quite widespread. In this review, it is also considered with specific examples.

Protection against information leakage through side channels (through power circuits, the channel of electromagnetic radiation from a computer or monitor). Here, proven means are used, such as shielding a room and using a noise generator, as well as a special selection of monitors and computer components that have the smallest radiation zone in the frequency range that is most convenient for remote capture and decryption of the signal by intruders.

Protection against spy devices installed directly into computer components, as well as measurements of the radiation zone, is carried out by special organizations that have the necessary licenses of the competent authorities.

There is no doubt about the advantages of the Internet associated with the speed of information exchange, resource saving in long-distance and international information exchange, and convenience in the operation of application programs that automate various business processes between remote offices of the company, branches, partners, customers, and employees with laptop PCs outside their office.

All these opportunities, of course, can significantly reduce the time and financial costs of the company and significantly increase the efficiency of its business.

Even more significant efficiency can be brought by the use of the Internet in intercorporate information exchange, in such systems as a B2B portal or an Internet trading system.

Unfortunately, at the moment, these Internet capabilities are not in sufficient demand, and one of the main reasons for this is precisely that business does not trust the Internet in terms of the security of its use.

Very often we have to deal with two extreme, opposite points of view.

The first is to deny the security problem as such, and as a consequence, the lack or absence of appropriate security means when transmitting rather important information via the Internet. This approach often ends up in serious troubles and financial losses.

The second point of view is that the Internet is extremely dangerous, and no amount of security measures will help keep the information transmitted over the Internet intact.

In my opinion, the most rational way out of this situation is the "Golden Mean" principle, in which the company uses the Internet to solve its telecommunication problems, subject to the appropriate security measures.

Such measures may include: own analysis of your telecommunications infrastructure from a security point of view, purchase and installation of appropriate protective equipment, and training of your specialists. Another approach is to involve professionals from companies dealing with this problem in organizing and maintaining their security system.

In the Russian market, information security activities are regulated by the State Technical Commission of the Russian Federation and FAPSI. And only companies licensed by these structures have the right to deal with information security in Russia.

As for the products that can be used for protection, there is a certification system on them, which, assessing their quality, assigns them an appropriate protection class. Products used to protect networks and computers from direct penetration of unauthorized users are certified by the State Technical Commission and are called products for protection against unauthorized access (NSD). These products include "Firewalls", Proxy servers, etc.

The use of such systems, when they are correctly configured, can significantly reduce the risk of intruders gaining access to the protected resources.

Protection against unauthorized access to computer resources is a complex problem that involves solving the following issues by technical means:

  • identification and authentication of the user when entering the system;
  • control of the integrity of information security systems, programs and data;
  • differentiation of user access to PC resources;
  • blocking OS loading from a floppy disk and CD-ROM;
  • registration of user and program actions.

The operation of such a firewall can be demonstrated by the example of the ViPNet personal firewall manufactured by Infotecs. This firewall can be installed both on a server and on a workstation. Using its capabilities, you can organize work in such a way that the owner of the computer can access any open Internet resource, but when someone from the outside world tries to access his computer, the system blocks such an attempt and notifies the owner of it. You can then get information from the system about which IP address the access attempt came from.

Another category of products is designed for the organization of secure information exchange and, by far, is the most reliable from the point of view of security. These products are typically crypto-based and are regulated by the Federal Agency for Government Communications and Information. Such products have the ability to protect data by encryption, and not only data stored on the hard drive, but also data transmitted over networks, including the "Internet".

Thus, it is possible to protect both mail messages and information exchange between subscribers on-line. Systems that allow you to transfer any data over the Internet in a secure manner are called VPN (Virtual Private Network). VPN is a virtual network with information exchange completely closed from outside access via the open Internet. That is why it is called private.

The closure of information in such systems is performed, as a rule, using encryption. Encryption, i.e. the transformation of open data into private (encrypted) data, is performed using special keys, which are, as a rule, software keys. The main issue from a security point of view in such systems is the key structure: how and where the key is formed, where it is stored, how it is transmitted, and to whom it is available.

Today, only two types of encryption algorithms are known: symmetric (classical) and asymmetric (public key encryption algorithms). Each of these systems has its own pros and cons.

When using symmetric algorithms, the same key is used to encrypt and decrypt information. That is, if users A and B want to confidentially exchange information, then they must perform the following actions: user A encrypts the information (plain text) using a key and transmits the resulting ciphertext to user B, who recovers the plain text using the same key.

However, symmetric encryption algorithms have one drawback: before exchanging confidential information, two users need to exchange a shared key, but in an environment where users are disconnected and there are a lot of them, there are great inconveniences for distributing keys. In addition, since these keys are usually formed by a certain Center of Formation, they are known to this center. To solve this problem, asymmetric key cryptography was created.

The basic idea behind asymmetric key cryptography is to use a key pair. The first - the public asymmetric key (public key) - is available to everyone and is used by everyone who is going to send messages to the owner of the key. The second - a secret asymmetric key (private key) - is known only to the owner, and with its help messages encrypted with the paired public key are decrypted. Thus, the secret part of the key is generated and stored directly by the subscriber and is inaccessible to anyone else. Most modern systems use a combined key system, which combines the high strength of a symmetric key with inaccessibility to the center and the flexibility of an asymmetric system. For example, the system created by Infotecs under the ViPNet trademark possesses such qualities. This system makes it possible both to transfer any data, including mail, files, speech, video, etc., through the Internet in a protected form, and to protect the resources of the organization's network, including servers, workstations and even mobile computers accessing the Internet anywhere in the world, from unauthorized access.
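A combined (hybrid) scheme of the kind described above, as an added example that is not ViPNet's design or code from the original text: a random symmetric session key encrypts the message, and the recipient's public key wraps that session key. RSA-OAEP, AES-256-GCM and the third-party Python `cryptography` package are assumptions chosen for illustration, and the function names are hypothetical.

```python
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Padding used when wrapping the session key with the public key.
OAEP = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA256()),
    algorithm=hashes.SHA256(),
    label=None,
)


def generate_keypair():
    """The subscriber generates the pair; the private key never leaves them."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return private_key, private_key.public_key()


def seal(recipient_public_key, plaintext, context=b""):
    """Encrypt for one recipient using only their public key."""
    session_key = AESGCM.generate_key(bit_length=256)   # fresh per message
    nonce = os.urandom(12)                              # unique per session key
    ciphertext = AESGCM(session_key).encrypt(nonce, plaintext, context)
    wrapped_key = recipient_public_key.encrypt(session_key, OAEP)
    return {"wrapped_key": wrapped_key, "nonce": nonce, "ciphertext": ciphertext}


def open_sealed(private_key, envelope, context=b""):
    """Unwrap the session key with the private key, then decrypt and verify."""
    session_key = private_key.decrypt(envelope["wrapped_key"], OAEP)
    return AESGCM(session_key).decrypt(
        envelope["nonce"], envelope["ciphertext"], context
    )


def demo():
    b_private, b_public = generate_keypair()     # user B
    other_private, _ = generate_keypair()        # a different key holder
    message = b"constructed sample: payment order 42"

    # User A needs nothing secret in advance, only B's public key.
    envelope = seal(b_public, message, context=b"A->B")
    roundtrip = open_sealed(b_private, envelope, context=b"A->B")

    # A changed ciphertext is rejected instead of decrypting to garbage.
    tampered = dict(envelope)
    tampered["ciphertext"] = bytes([envelope["ciphertext"][0] ^ 1]) + envelope["ciphertext"][1:]
    try:
        open_sealed(b_private, tampered, context=b"A->B")
        tamper_detected = False
    except InvalidTag:
        tamper_detected = True

    # Someone holding another private key cannot unwrap the session key.
    try:
        open_sealed(other_private, envelope, context=b"A->B")
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True

    return {
        "roundtrip": roundtrip,
        "tamper_detected": tamper_detected,
        "wrong_key_rejected": wrong_key_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

No shared key is distributed beforehand and no key-generation center ever sees the session key, which is the drawback of the purely symmetric scheme that the text describes.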

3. Information resources of limited distribution and threats to resources

Information resources are documents and arrays of documents in information systems (libraries, archives, funds, data banks, depositories, museum depositories, etc.).

Throughout the preceding 20th century, material objects remained the main subject of labor in the history of the development of human civilization. Activities outside of material production and services, as a rule, belonged to the category of non-productive costs. The economic power of the state was measured by its material resources. Back in the late 70s, the chairman of the program for shaping policy in the field of information resources, professor at Harvard University A. Oettinger, wrote that the time is coming when information becomes the same kind of main resource as materials and energy, and, therefore, the same critical questions should be asked of this resource: who owns it, who is interested in it, how accessible is it, and is it possible to use it commercially? President of the US Academy of Sciences F. Hendler formulated this thought as follows: "Our economy is based not on natural resources, but on the minds and on the application of scientific knowledge." At present, there is a struggle for control over the most valuable of all known resources - national information resources.

“We are not going to other countries to take advantage of lower costs. We are penetrating there because there are intellectual reserves, and we must intercept them in order to compete successfully.”

The term "information resources" began to be widely used in scientific literature after the publication of the well-known monograph by G.R. Gromov “National information resources: problems of industrial exploitation”. Now it does not yet have an unambiguous interpretation, despite the fact that this concept is one of the key ones in the problem of informatization of society. Therefore, it is important to understand the essence of an information resource as a form of data and knowledge presentation, its role in social processes, as well as patterns of formation, transformation and distribution of various types of information resources in society.

To ensure the activation and effective use of information resources of society, it is necessary to carry out the "electronicization" of information funds. According to Academician A. Ershov, it is “in the loading and activation of the information fund of mankind in the global computer network that, in fact, lies the task of informatization in its technical content”.

Active information resources are that part of the resources that is made up of information available for automated search, storage and processing: professional knowledge and skills formalized and preserved on machine media in the form of working programs, text and graphic documents, as well as any other content data potentially available on a commercial basis to users of the national park of computers. National and world information resources are economic categories.

Hence, we can conclude that the efficiency of using information resources is the most important indicator of the information culture of a society.

The main participants in the information services market are:

Producers of information (producers);

Information sellers (vendors, Vendors);

Users of information (users) or subscribers

Today, the most common means of access to information resources are computer networks, and the most progressive way to obtain information is the online mode (online - interactive, interactive mode). It provides an opportunity for the user, having entered a computer network, to gain access to the "big computer" (Host - computer) and to its information resources in a direct dialogue mode, realized in real time.

Users of this kind include both end consumers of information and intermediate ones who provide services to their clients in solving information problems (special information centers with access to several online systems, or professional specialists engaged in paid information services for clients, information consumers).

The online information services market includes the following main segments:

Computerized reservation systems and financial information services;

Databases (DB) targeted at the mass consumer;

Professional databases.

Among the databases, the following types are usually distinguished:

Text (full-text, abstract, bibliographic, dictionaries);

Numeric and tabular databases;

Bulletin boards.

Such databases are also stored on CD-ROMs, floppy disks and magnetic tapes. Below, however, we will talk about databases that are accessed online - "professional online databases".

Information producers include both organizations that extract and publish information (information agencies, the media, editorial offices of newspapers and magazines, publishers, patent offices), and organizations that have been professionally involved in its processing for many years (selection of information, indexing, loading into databases in the form of full texts, short abstracts, etc.).

Threats to resources.

Threats to information resources can be broadly classified as follows:

1) By the purpose of the threat:

Confidentiality threats:

Theft (copying) of information and means of its processing (carriers);

Loss (unintentional loss, leakage) of information and means of its processing (carriers);

Availability threats:

Blocking information;

Destruction of information and means of its processing (carriers);

Integrity threats:

Modification (distortion) of information;

Denial of the authenticity of information;

Imposing false information, deception

Wherein:

Theft and Destruction of information is understood in the same way as applied to material valuable resources. Destruction of computer information - erasing information in the computer memory.

Copying information - repetition and stable imprinting of information on a machine or other medium.

Damage - a change in the properties of an information carrier, in which its condition deteriorates significantly, a significant part of its useful properties is lost and it becomes completely or partially unsuitable for its intended use.

Modification of information - for computer information, making any changes other than those related to adapting a computer program or database.

Blocking of information - unauthorized obstruction of users' access to information, not related to its destruction.

Unauthorized destruction, blocking, modification, copying of information - any of these actions with information that is not permitted by law, by the owner or by a competent user.

Deception (denial of authenticity, imposition of false information) is a deliberate distortion or concealment of the truth in order to mislead the person in charge of the property and thus obtain from him a voluntary transfer of property, as well as the communication of knowingly false information for this purpose.

2) By the principle of impact on information carriers - the information processing and transmission system (ASOI):

Using access by a subject (intruder, ASOI user, process) to an object (a meeting room, a data file, a communication channel, etc.);

Using covert channels - using memory, RZU, and information transmission paths that allow two interconnected processes (a legitimate one and one embedded by an attacker) to exchange information in a way that leads to information leakage.

3) By the nature of the impact on the information processing and transmission system:

Active threats associated with the performance of any actions by the intruder (copying, unauthorized recording, access to data sets, programs, breaking a password, etc.);

Passive threats are carried out by the user observing any side effects of information movement processes and analyzing them.

4) Due to the presence of a possible protection error, the threat may be caused by one of the following reasons:

Inadequacy - the protection does not correspond to the security regime of the protected area;

Errors in administrative control of the security regime;

Errors in the algorithms of programs, in the connections between them, etc., which arise at the design stage of a program or set of programs and because of which these programs can be used in a completely different way than described in the documentation;

Errors in the implementation of program algorithms (coding errors), connections between them, etc., which arise at the implementation and debugging stages and can serve as a source of undocumented properties.

5) By the method of influencing the object of the attack (with active impact):

Direct impact on the object of attack (including the use of privileges), for example: direct access to the zones of audibility and visibility, to a data set, program, service, communication channel, etc., using any error;

Impact on the permission system (including privilege grabbing). In this case, unauthorized actions are performed with respect to the rights of users to the object of attack, and the access to the object itself is then carried out in a legal manner;

Indirect impact (through other users):

- "masquerade". In this case, the user arrogates to himself in some way the authority of another user, impersonating him;

- "use blindly". With this method, one user forces the other to perform the necessary actions (for the protection system, they do not look unauthorized, because they are performed by a user who has the right to do so), and the latter may not even be aware of them. To implement this threat, a virus can be used (it performs the necessary actions and reports their result to the one who introduced it).

The last two methods are very dangerous. To prevent such actions, constant control is required both on the part of administrators and operators over the work of the ASOI in general, and on the part of users over their own data sets.

6) By the method of influencing the ASOI:

In interactive mode - in the process of long-term work with the program;

In batch mode - after lengthy preparation, through the rapid execution of a software package built for a targeted action.

When working with the system, the user always deals with one of its programs. Some programs are designed so that the user can quickly influence the course of their execution by entering various commands or data, while others are designed so that all the information has to be set in advance. The former include, for example, some utilities and database control programs; basically these are programs aimed at working with the user. The second group includes mainly system and application programs focused on performing strictly defined actions without user intervention.

When using programs of the first class, the impact is longer in time and, therefore, has a higher probability of detection, but more flexible, allowing you to quickly change the order of actions. Impact with the help of second-class programs (for example, with the help of viruses) is short-term, difficult to diagnose, much more dangerous, but requires a lot of preliminary preparation in order to foresee all possible consequences of the intervention in advance.

7) By the object of attack:

ASOI as a whole: an attacker tries to penetrate the system for the subsequent execution of any unauthorized actions. They usually use "masquerade", interception or forgery of a password, hacking or access to ASOI through the network;

ASOI objects are data or programs in RAM or on external media, the system devices themselves, both external (disk drives, network devices, terminals) and internal (RAM, processor), data transmission channels. Impact on system objects is usually aimed at accessing their content (violation of the confidentiality or integrity of processed or stored information) or violation of their functionality (for example, filling all the computer's RAM with meaningless information or loading the computer's processor with a task with unlimited execution time);

ASOI subjects are user processes. The purpose of such attacks is either a direct impact on the operation of a process (its suspension or a change in its characteristics, for example priority) or the opposite effect: the attacker's use of another process's privileges and characteristics for his own purposes. The targets can be user, system and network processes;

Data transmission channels - listening to the channel and analyzing the traffic (message flow); substitution or modification of messages in communication channels and at relay nodes; changing the topology and characteristics of the network, switching and addressing rules.

8) By the means of attack used:

Using standard software;

Using specially designed programs.

9) By the state of the object of attack:

The object of the attack is stored on disk, magnetic tape, RAM, or elsewhere in a passive state. In this case, the impact on the object is usually carried out using access;

The object of the attack is in a state of transmission over a communication line between network nodes or within a node. Impact involves either access to fragments of transmitted information (for example, interception of packets on a network repeater), or simply listening using covert channels;

The attack object (user process) is being processed.

The given classification shows the complexity of identifying possible threats and ways of their implementation.

Personnel access to confidential information.

Permission for a representative of another company or enterprise to access confidential information is formalized by a resolution of an authorized official on an order (or letter, commitment) submitted by the person concerned. The resolution must indicate the specific documents or information to which access is allowed. It also names the company employee who acquaints the representative of the other company with this information and is responsible for his work on the company's premises.

The rule should be followed, according to which all persons having access to certain documents, trade secrets are registered. This makes it possible to carry out information support of analytical work at a high level to identify possible channels for the loss of information.

When organizing the access of company employees to confidential arrays of electronic documents, databases, it is necessary to remember its multi-stage nature. The following main components can be distinguished:

* access to a personal computer, server or workstation;

* access to machine data carriers stored outside the computer;

* direct access to databases and files.

Access to a personal computer, server or workstation that is used to process confidential information includes:

* determination and regulation by the first head of the company of the composition of employees who have the right to access (enter) the premises in which the corresponding computers and communication facilities are located;

* regulation by the first head of the time schedule for these persons' stay in the indicated premises; by-name and time logging (recording) by the head of the unit or line of business of the company of the permission granted to these persons and of the period they work at other times (for example, in the evenings, on weekends, etc.);

* organization of the protection of these premises during working and non-working hours, determining the rules for opening premises and disabling security technical means of information and signaling; determination of the rules for arming premises; regulation of the work of the specified technical means during working hours;

* organization of a controlled (where necessary, pass-based) mode of entry into and exit from these premises;

* organization of the actions of guards and personnel in extreme situations or in case of breakdowns of machinery and of the equipment of the premises;

* organization of removal of material values, machine and paper carriers of information from the indicated premises; control of personal items brought into the room and taken out by the personnel.

Although at the end of the working day confidential information must be transferred to removable media and erased from the hard disk of the computer, the premises in which the computer equipment is located are still subject to protection. This is because, firstly, it is easy to install some kind of industrial espionage tool in an unguarded computer, and secondly, an attacker can use special methods to restore erased confidential information on the hard disk ("garbage collection").

Access to machine media of confidential information stored outside the computer assumes:

* organization of accounting and issuance of clean machine data carriers to employees;

* organization of daily fixed issue to employees and reception from employees of carriers with recorded information (main and backup);

* determination and regulation by the first head of the composition of employees who have the right to operate with confidential information using computers installed at their workplaces, and to receive accounted computer storage media in the CA service;

* organization of a system for assigning computer media to employees and monitoring the safety and integrity of information, taking into account the dynamics of changes in the composition of recorded information;

* organization of the procedure for the destruction of information on the carrier, the procedure and conditions for the physical destruction of the carrier;

* organization of storage of machine media in the CD service during working and non-working hours, regulation of the procedure for evacuating media in extreme situations;

* determination and regulation by the first head of the staff of employees who, for objective reasons, do not hand over technical media for storage in the CA service at the end of the working day, the organization of special security for the premises and computers of these employees. The work of employees of the CA service and the company as a whole with machine information carriers outside the computer should be organized by analogy with paper confidential documents.

Access to confidential databases and files is the final stage of an employee's access to a computer. If this employee is an intruder, we can assume that he has already passed the most serious lines of protection of the protected electronic information. Ultimately, he can simply carry off the computer, or remove the hard drive from it and carry that off, without "breaking" the database.

Typically, database and file access means:

* determination and regulation by the first head of the composition of employees who are allowed to work with certain databases and files; control of the access system by the database administrator;

* naming of databases and files, fixing in machine memory the names of users and operators who have the right to access them;

* accounting of the composition of the database and files, regular checking of the availability, integrity and completeness of electronic documents;

* registration of entry into the database, automatic registration of username and time of work; preservation of the original information;

* registration of attempts of unauthorized entry into the database, registration of erroneous actions of the user, automatic transmission of the alarm signal to the guard and automatic shutdown of the computer;

* establishment and irregular change of usernames, arrays and files (passwords, codes, classifiers, keywords, etc.), especially with frequent personnel changes;

* computer shutdown in case of violations in the access control system or failure of the information security system;

* mechanical (key or other device) blocking of a computer that is disconnected but still loaded, during short interruptions in the user's work.

Codes, passwords, keywords, keys, ciphers, special software products, hardware and other attributes of the information security system in a computer are developed and changed by a specialized organization and individually brought to the attention of each user by an employee of this organization or a system administrator. The user is not allowed to use his own codes.

Consequently, the procedures for the admission and access of employees to confidential information complete the process of including the employee in the list of persons who actually possess the company's secrets. From that moment on, day-to-day work with the staff who have valuable and confidential information at their disposal becomes of great importance.
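One way to implement the registration, alarm and fail-closed items from the database access list above, as an added example that is not part of the original article. The user names, database names, three-denial threshold and ten-minute window are assumptions, and locking the user stands in for the automatic shutdown.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access list: database name -> users approved to work with it.
ALLOWLIST = {
    "contracts_db": {"ivanova", "petrov"},
    "payroll_db": {"sidorova"},
}


class AccessMonitor:
    """Registers every database entry attempt and alarms on repeated denials."""

    def __init__(self, allowlist, threshold=3, window=timedelta(minutes=10)):
        self.allowlist = allowlist
        self.threshold = threshold  # assumed: denials that trigger the alarm
        self.window = window        # assumed: period over which denials count
        self.audit_log = []         # every attempt: time, user, database, outcome
        self.alarms = []            # alarm records passed to the guard
        self.locked = set()         # users cut off after an alarm
        self._denials = defaultdict(deque)

    def request(self, when, user, database):
        """Decide one access request, record it, and return True if allowed."""
        if user in self.locked:
            return self._record(when, user, database, False, "locked after alarm")
        allowed = self.allowlist.get(database)
        if allowed is None:
            # Fail closed: with no access list for the database, nobody gets in.
            return self._record(when, user, database, False, "no access list")
        if user not in allowed:
            return self._record(when, user, database, False, "not on access list")
        return self._record(when, user, database, True, "on access list")

    def _record(self, when, user, database, allowed, reason):
        # Registration of entry: user name, time, target and outcome.
        self.audit_log.append({"time": when, "user": user, "database": database,
                               "allowed": allowed, "reason": reason})
        if not allowed:
            recent = self._denials[user]
            recent.append(when)
            # Drop denials that have fallen out of the sliding window.
            while when - recent[0] > self.window:
                recent.popleft()
            if len(recent) >= self.threshold and user not in self.locked:
                self.locked.add(user)
                self.alarms.append({"time": when, "user": user,
                                    "denials": len(recent)})
        return allowed


DAY = datetime(2024, 1, 15)
SAMPLE_EVENTS = [  # constructed: (hour, minute, user, database)
    (9, 0, "ivanova", "contracts_db"),     # approved user
    (9, 5, "kuznetsov", "payroll_db"),     # not on the list
    (9, 6, "kuznetsov", "payroll_db"),
    (9, 7, "kuznetsov", "contracts_db"),   # third denial in the window: alarm
    (9, 8, "kuznetsov", "contracts_db"),   # already locked
    (9, 30, "petrov", "archive_db"),       # database with no access list
    (9, 31, "sidorova", "payroll_db"),     # approved user
]


def run_sample():
    """Replay the constructed events and return the monitor and the decisions."""
    monitor = AccessMonitor(ALLOWLIST)
    results = [monitor.request(DAY.replace(hour=h, minute=m), user, db)
               for h, m, user, db in SAMPLE_EVENTS]
    return monitor, results


if __name__ == "__main__":
    monitor, _ = run_sample()
    for entry in monitor.audit_log:
        verdict = "ALLOW" if entry["allowed"] else "DENY"
        print(entry["time"].strftime("%H:%M"), entry["user"], entry["database"],
              verdict, "-", entry["reason"])
    for alarm in monitor.alarms:
        print("ALARM", alarm["time"].strftime("%H:%M"), alarm["user"],
              "denials:", alarm["denials"])
```

A single denied request, such as the one for the unlisted database, is logged as an erroneous action without raising the alarm; only repeated denials inside the window do.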

Conclusion

The stability of the staff is the most important prerequisite for the reliable information security of the company. Migration of specialists is the hardest channel to control for the loss of valuable and confidential information. At the same time, it is not possible to avoid employee departures completely. A thorough analysis of the reasons for dismissal is required, on the basis of which a program is drawn up and implemented to eliminate these reasons. For example, increasing salaries, renting housing for employees near the firm and improving the psychological climate, dismissing managers who abuse their official position, etc.


Posted on Allbest.ru


Everyone has at least once heard heartbreaking phrases about the need to maintain a high level of information security. These are scary burglary stories filled with screams and despair, and terrible consequences discussed on almost every site... So right now you have to stuff the computer with security tools to capacity, and cut the wires as well... There is a multitude of security tips, but for some reason they turn out to be of little use. In many ways, the reason lies in the lack of understanding of such simple things as "what we protect", "from whom we protect" and "what we want to get at the end". But first things first.

Information security: this term is taken to mean various measures, a state of being protected, technologies and so on, but it is all much simpler. So first ask yourself how many people around you have at least read the definition of this concept, rather than simply inferring it from the meanings of the words. Most people associate security with antiviruses, firewalls, and other security software. Of course, these tools help protect your computer from threats and increase the level of system protection, but what these programs actually do is not widely known.

When thinking about information security, first of all, you should start with the following questions:

  • Protected object - you need to understand what exactly you want to protect. It may be personal data stored on the computer (so that other people do not get it), the performance of the computer (so that viruses and Trojans do not bring the system down to the level of the first Pentium), network activity (so that Internet-hungry programs do not send statistics about you every half hour), the availability of the computer (so that blue screens of death do not flood the system), and so on.
  • Desired security level. A fully protected computer is a computer that does not exist. No matter how hard you try, there will always be the possibility that your computer will be hacked. Always remember that there is such a thing as social engineering (getting passwords from trash cans, eavesdropping, peeping, etc.). However, this is not a reason to leave the system unprotected. For example, protecting a computer from most known viruses is a completely feasible task, which every ordinary user in fact performs by installing one of the popular antiviruses on his computer.
  • Acceptable level of consequences. If you understand that your computer can be hacked, for example, by a hacker who just became interested in you (it so happened that the attacker liked your IP address), then you should think about the acceptable level of consequences. The system breaks down - unpleasant, but not scary, because you have a recovery disc at your fingertips. Your computer constantly visits spicy sites - pleasant and unpleasant, but tolerable and fixable. But if, for example, personal photos that no one should know about got onto the Internet (a serious blow to your reputation), then this is already a significant level of consequences and it is necessary to take preventive measures (to exaggerate: take an old computer with no Internet connection and view the pictures only on it).
  • What do you want to get on the way out? This question implies many points - how many extra actions you have to perform, what you have to sacrifice, how protection should affect performance, whether it should be possible to add programs to the exception lists, how many messages and alarms should appear on the screen (and whether they should appear at all), and much more. There are a lot of security tools today, but each of them has its pros and cons. For example, Windows UAC in the Vista operating system was not implemented very successfully, but by Windows 7 it had been refined to the point that the protection tool became relatively easy to use.

Once you have answered all these questions, it will become much easier to understand how you are going to organize the protection of information on your computer. Of course, this is not the whole list of questions; however, a good share of ordinary users do not ask themselves even one of them.

Installing and configuring security tools on your computer is only part of the steps you take. By opening suspicious links and confirming every action of equally suspicious applications, you can easily negate all the efforts of the protection programs. For this reason, it is always worthwhile to think about your actions. For example, if your task is to protect your browser, but you cannot avoid opening suspicious links (for example, due to the specifics of your work), then you can always install an additional browser used exclusively for opening suspicious links, or an extension for checking short links. In this case, if any of them turns out to be phishing (stealing data, access, etc.), the attacker will achieve little.

The problem of determining a set of actions to protect information usually lies in the lack of answers to the questions from the previous paragraph. For example, if you do not know or do not understand what exactly you want to protect, then it will always be difficult to come up with or find some additional security measures (except for such commonplaces as not opening suspicious links, not visiting questionable resources, and others). Let's try to consider the situation using the example of the task of protecting personal data, which is most often put at the head of the protected objects.

Protection of personal information is one of the daunting challenges people face. With the rapid growth in the number and content of social networks, information services and specialized online resources, it would be a huge mistake to believe that protecting your personal data comes down to ensuring a reliable level of security for your computer. Not so long ago, it was almost impossible to find out anything about a person who lives hundreds of kilometers away from you, or even in a neighboring house, without having the appropriate connections. Today, almost anyone can find out a lot of personal information about anyone else in just a couple of hours of clicking a mouse in the browser, or even faster. Moreover, all his actions can be absolutely legitimate, because you yourself posted the information about yourself in the public domain.

Everyone has met with an echo of this effect. Have you heard that the answer to a security question should not be associated with you and those around you? And this is just a small part. As much as it may surprise you, in many respects the protection of personal information depends only on you. No means of protection, even one that allows no one but you to access the computer, will be able to protect information transferred outside the computer (conversations, Internet, recordings, etc.). You left your email address somewhere - expect an increase in spam. You left photos of yourself hugging a teddy bear on third-party resources - wait for the corresponding humorous "crafts" from bored authors.

More seriously, the enormous openness of Internet data and your own frivolity and openness can nullify all security measures. For this reason, it is necessary to take care in choosing information protection methods and to include in them not only technical means, but also actions that cover other aspects of life.

Note: Of course, you shouldn't think that the underground bunker is the best place in life. However, understanding that it is up to you to protect your personal data will give you a great advantage over intruders.

Information security methods are often equated with technical solutions, ignoring such a huge layer of potential threats as the actions of the person himself. You can give the user the ability to run just one program and literally five minutes later be dealing with the consequences, if that is possible at all. One message on a forum about information that was overheard can break the most advanced protection (to exaggerate: a message about maintenance of the protection nodes, in other words, about a temporary lack of protection).

To determine the methods of data protection, it is not enough to search for suitable security tools, lazily clicking the mouse in the browser window; you also need to think about how information can be disseminated and what it can relate to. However it may sound, for this you need to pick up paper and a pencil and then consider all the possible ways the information can spread and what it may be associated with. For example, let's take the task of keeping a password as secret as possible.

Situation. You have come up with a complex password that has nothing to do with you and fully complies with the most stringent security requirements; you have not left a single mention of it anywhere (aspects such as remnants in computer memory, on disk and the like are not taken into account); you do not use password managers; you enter the password from only one computer using a secure keyboard; you use a VPN to connect; you boot the computer only from a LiveCD. In a word, a real paranoid and security fanatic. However, all of this may not be enough to protect the password.

Here are some simple possible situations that clearly demonstrate the need for a broad view of information security methods:

  • What do you do if you need to enter a password when other people are present in the room, even the "best" ones? You can never guarantee that they will not accidentally reveal indirect information about the password. For example, sitting in a pleasant atmosphere in a diner, the phrase "he has such a long password, as many as a dozen and a bunch of different characters" is quite possible, and it narrows the password search space for an attacker quite well.
  • What will you do if it so happens that you need another person to perform the operation for you? Another person might accidentally hear the password. If you dictate a password to a person who is poorly versed in computers, it is likely that he will write it down somewhere; demanding your fanaticism from him would not be justified.
  • What will you do if it so happens that someone finds out how you come up with passwords? Such information also narrows down the search quite well.
  • How can you protect your password if one of the nodes providing secure password transmission has been compromised by an attacker? For example, the VPN server through which you access the Internet was hacked.
  • Will your password make sense if the system you are using has been compromised?
  • And others

Of course, this does not mean you need to spend many months stubbornly searching for information protection methods. The point is that even the most complex systems can be broken by simple human flaws that were left out of consideration. Therefore, while arranging the security of your computer, try to pay attention not only to the technical side of the issue, but also to the world around you.