
Protection of information through technical channels. Organization of information protection from leaks arising during the operation of computer technology, due to pemin

Khorev Anatoly Anatolyevich,
Doctor of Technical Sciences, Professor,
Moscow State Institute of Electronic Technology
(technical university), Moscow

Technical channels of leakage of information processed by computer technology.


The engineering and technical subsystem for protecting information from leakage is designed to reduce to an acceptable value the risk (probability) of unauthorized dissemination of information from a source located inside the controlled area to an attacker. To achieve this goal, the system must have mechanisms (forces and means) for detecting and neutralizing the threats of eavesdropping, surveillance, interception and leakage of information through a material channel.

In accordance with the classification of methods of engineering and technical protection of information considered in the second section, the basis for the functioning of the system of engineering and technical protection of information from leakage is made up of methods of spatial, temporal, structural and energy hiding.

To ensure spatial concealment, the system must have hidden locations for information sources, known only to the people who directly work with them. A very limited circle of people has access to the premises in which secret documents are kept. The heads of private organizations often store especially valuable documents in hiding places, such as a safe built into the wall and covered with a painting, or even a separate room with a camouflaged door.

To implement temporal concealment, the protection system must have a mechanism for determining when a threat occurs. In the general case this time can only be predicted, with a large error, but in some cases it is determined with sufficient accuracy. Such cases include the time of:

§ a reconnaissance spacecraft flying over the protected object;

§ operation of a radio-electronic device or electrical device that acts as a source of dangerous signals;

§ a visitor's presence in the dedicated room.

The ability to accurately determine the location of a reconnaissance spacecraft (SC) in outer space makes it possible to organize effective temporal concealment of the protected object. This time is calculated from the orbit parameters of the launched spacecraft by a special service, which informs interested organizations about its flyover schedule. Switching on a radio-electronic or electrical device that has not passed a special check creates a potential threat to speech information in the room in which this means or device is installed. Therefore, conversations on closed issues are prohibited while unchecked or unprotected radio-electronic means and devices are switched on. Likewise, the arrival of a visitor in the dedicated room should be regarded as the emergence of a threat of information leakage. Therefore, in the visitor's presence, conversations about and display of means and materials not related to the issues being discussed with the visitor are excluded. To avoid leakage of information through visitors, negotiations with them are held in a specially dedicated negotiation room located at a minimum distance from the checkpoint, except when it becomes necessary to demonstrate the operation of the means during the discussion.

Structural and energetic concealment means differ significantly depending on the threats. Therefore, in the general case, it is advisable to divide the subsystem of engineering and technical protection against information leakage into complexes, each of which combines the forces and means of preventing one of the threats of information leakage (Fig. 19.7).

Protected information has an owner and is protected on the basis of legal documents. When carrying out measures to protect non-state information resources that constitute bank or commercial secrets, the requirements of regulatory documents are advisory in nature. Protection regimes for information that is not a state secret are established by the owner of the data.

Measures to protect confidential data from leakage through technical channels are one part of the enterprise's information security measures. Organizational measures to protect information from leakage through technical channels are based on a number of recommendations for choosing the premises in which confidential information will be stored and processed. Also, when choosing technical means of protection, certified products should be relied on first of all.

When organizing measures to protect against information leakage through technical channels at the protected object, the following stages can be distinguished:

  • Preparatory, pre-project
  • STZI design
  • The stage of putting into operation of the protected object and the system of technical protection of information

The first stage involves preparation for the creation of a system of technical protection of information at the protected objects. When examining possible technical leakage channels at the facility, the following are studied:

  • The plan of the adjacent area to the building within a radius of 300 m.
  • Plan of each floor of the building with a study of the characteristics of walls, finishes, windows, doors, etc.
  • Schematic diagram of grounding systems for electronic objects
  • The layout of the communications of the entire building, together with the ventilation system
  • Power supply plan of the building showing all panels and the location of the transformer
  • Plan-diagram
  • Schematic diagram of fire and burglar alarms with indication of all sensors

Having defined information leakage as the uncontrolled exit of confidential data beyond the boundaries of the organization or the circle of persons entitled to it, let us consider how such a leak is realized. At the heart of any such leak is the uncontrolled removal of confidential data by means of light, acoustic, electromagnetic or other fields, or by material carriers. However different the causes of leaks may be, they have much in common. As a rule, the causes are associated with gaps in the rules for preserving information and with violations of those rules.

Information can be transmitted either by matter or by a field. A person is not considered a carrier; a person is a source or a subject of relations. Figure 1 shows the means of transferring information. People make use of the various physical fields on which communication systems are built. Any such system has the components: a source, a transmitter, a transmission line, a receiver and a recipient. Such systems are used every day in accordance with their intended purpose and are the official means of data exchange. These channels are provided and controlled for the purpose of secure information exchange. But there are also channels hidden from view, through which data that should not reach third parties can be transferred. Such channels are called leakage channels. Figure 2 shows a schematic diagram of a leakage channel.

Figure - 1

Figure - 2

To create a leakage channel, certain temporal, energetic and spatial conditions are needed that facilitate the reception of data on the side of the attacker. Leakage channels can be divided into:

  • acoustic
  • visual-optical
  • electromagnetic
  • material

Visual optical channels

These channels are usually used for remote observation. The information carrier is light coming from the information source. The classification of such channels is shown in Fig. 3. Methods of protection against visual leakage channels:

  • reduce the reflective characteristics of the protected object
  • arrange objects in such a way as to exclude reflection to the sides of the potential location of the attacker
  • reduce object illumination
  • apply masking methods and others to mislead the attacker
  • use barriers

Figure - 3

Acoustic channels

In such channels the carrier is sound lying in the ultrasonic range (above 20,000 Hz). The channel is realized through the propagation of an acoustic wave in all directions. As soon as an obstacle appears in the path of the wave, it excites the oscillatory mode of the obstacle, and the sound can be read from the obstacle. Sound propagates differently in different propagation media; the differences are shown in Fig. 4. Figure 5 shows the diagram of vibrational and acoustic channels of information leakage.

Figure - 4

Figure - 5

Protection against acoustic channels is primarily an organizational measure. It implies the implementation of architectural and planning, regime and spatial measures, as well as organizational and technical measures, both active and passive. These methods are shown in Figure 6. Architectural and planning measures implement certain requirements at the building design stage. Organizational and technical methods imply the use of sound-absorbing means. Examples are materials such as cotton wool, carpets, foam concrete, etc. They have many porous gaps, which cause repeated reflection and absorption of sound waves. Special hermetic acoustic panels are also used. The sound absorption value A is determined by the sound absorption coefficients and the areas of the absorbing surfaces: A = Σ α_i · S_i. The coefficient values are known: for porous materials 0.2 to 0.8, for concrete or brick 0.01 to 0.03. For example, when walls with α = 0.03 are treated with porous plaster with α = 0.3, the sound pressure decreases by 10 dB.
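The 10 dB figure quoted above follows directly from the absorption formula. The derivation below is added here and is not part of the original article; it assumes the standard relation between the change in the diffuse-field sound pressure level and the ratio of total absorptions, ΔL = 10 log10(A2/A1), and takes S as the treated wall area, which is the same on both sides of the ratio.

```latex
A = \sum_i \alpha_i S_i, \qquad
\Delta L = 10 \log_{10} \frac{A_2}{A_1}
         = 10 \log_{10} \frac{\alpha_2 S}{\alpha_1 S}
         = 10 \log_{10} \frac{0.3}{0.03}
         = 10 \log_{10} 10 = 10\ \text{dB}
```

The absorption of untreated surfaces (floor, ceiling, furniture) enters both A_1 and A_2 and reduces the gain below 10 dB in a real room; the figure holds for the treated walls taken on their own.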

Figure - 6

Sound level meters are used to accurately determine the effectiveness of sound insulation. A sound level meter is a device that converts sound pressure fluctuations into readings. Its scheme of operation is shown in Fig. 7. Electronic stethoscopes are used to assess how well buildings are protected from leakage through vibration and acoustic channels. They listen to sound through floors, walls, heating systems, ceilings, etc. Stethoscope sensitivity lies in the range from 0.3 to 1.5 V/dB. At a sound level of 34 to 60 dB, such stethoscopes can listen through structures up to 1.5 m thick. If passive protection measures do not help, noise generators can be used. They are placed around the perimeter of the room in order to create their own vibration waves in the structure.

Figure - 7

Electromagnetic channels

For such channels the carrier is electromagnetic waves, from a wavelength of 10,000 m (frequency < 30 Hz) to wavelengths of 1 to 0.1 mm (frequency 300 to 3000 Hz). The classification of electromagnetic channels of information leakage is shown in Fig. 8.

Figure - 8

There are known electromagnetic leakage channels:

With the help of design and technical measures, it is possible to localize some leakage channels using:

  • weakening of inductive, electromagnetic coupling between elements
  • shielding of units and elements of equipment
  • filtering signals in power or ground circuits

Organizational measures to eliminate electromagnetic leakage channels are shown in Fig. 9.

Figure - 9

Any electronic unit exposed to a high-frequency electromagnetic field becomes a re-emitter, a secondary source of radiation. This is called intermodulation radiation. To protect against such a leakage channel, the passage of high-frequency current through the microphone must be prevented. This is realized by connecting a capacitor with a capacity of 0.01 to 0.05 μF in parallel with the microphone.

Material channels

Such channels are created by matter in a solid, gaseous or liquid state. This is often the waste of the enterprise. The classification of material channels is shown in Fig. 10.

Figure - 10

Protection from such channels is a whole range of measures to control the release of confidential information in the form of industrial or production waste.

Conclusions

Data leakage is the uncontrolled escape of information beyond physical boundaries or the circle of persons. Systematic monitoring is needed to identify data leaks. Localization of leakage channels is implemented by organizational and technical means.

The stability with which information can be obtained, and the implicit form of retrieval, hidden from the owner, of information processed by technical means, have led to unrelenting interest in the leakage channel arising from spurious electromagnetic radiation and interference (PEMIN) accompanying the operation of this equipment.

Below, the leakage channels are described, the methodology and methods of protecting information from leakage due to PEMIN are set out, the ways of implementing modern active protection means (noise generators) and their characteristics are considered, and recommendations for their application are given.

Characteristics of the channel of information leakage due to PEMIN

The frequency range of the spurious electromagnetic radiation accompanying informative signals extends from units of kilohertz to gigahertz and higher and is determined by the clock frequency of the information processing means (SOI) in use. Thus, for a standard computer monitor, interception of information is possible at frequencies up to the 50th harmonic of the clock frequency, and the radiation level, reaching tens of dB in the near zone, makes it possible to receive signals at a distance of up to several hundred meters.

In addition to electromagnetic radiation, there are quasi-static informative electric and magnetic fields around information processing facilities, which cause pickup in closely spaced cables, telephone wires, security and fire alarm lines, the power grid, etc. The intensity of the fields in the frequency range from units of kilohertz to tens of megahertz is such that signals can be received outside the controlled area (SC) by connecting directly to these transmission lines.

Methodology for protecting information from leakage due to PEMIN

Depending on the medium in which the informative signals propagate, two possible leakage channels are considered: the channel due to PEMIN itself and the channel due to communications (pickup).

According to the method of formation, four types of leakage channels are classified:

The channel of electromagnetic radiation (EMR), formed by the fields arising from the passage of information through the circuits of the SOI;

The channel of random antennas (SA), arising from the EMF induced in conductive communications that are not galvanically connected to the SOI and that leave the controlled area (SC);

The channel of outgoing communications galvanically connected to the SOI;

The channel of uneven current consumption (UCT), formed by the amplitude modulation of the supply current by the switching of SOI elements during information processing.

The EMR channel is characterized by the size of the EMR zone, the distance between the SOI and the interception antenna beyond which effective reception is impossible because of the natural decrease in the level of the emitted signal.

The channel of random antennas is characterized by the size of their zone, for lumped random antennas (LAC) and distributed random antennas (SAR). Lumped random antennas include any technical means that leave the controlled area. Distributed random antennas include wires, cables, building structural elements, etc. The distance between the SOI and the SA at which effective interception becomes impossible determines the size of the SA zone.

The channel of outgoing communications is characterized by the maximum permissible value of the ratio of the powers of the informative signal and the normalized interference at which effective reception is impossible.

The UCT channel is characterized by the maximum permissible value of the ratio of the change in the current drawn from the source during information processing to the average value of the current consumption. If this ratio does not exceed the limit value, effective reception via the UCT channel is impossible. At present, given the practical absence of low-speed devices in SVT (the frequency range of this channel is taken as 0 to 30 Hz), this channel is of little relevance.

Taking the above into account, a criterion for the protection of the SOI from leakage through PEMI and pickup can be formulated: the SOI is considered protected if:

The radius of the electromagnetic radiation zone does not exceed the minimum permissible distance from the SOI to the boundary of the controlled area (SC);

The ratio of the power of the informative signal to the power of the normalized interference in all SA at the SC boundary does not exceed the maximum permissible value;

The ratio of the power of the informative signal to the power of the normalized interference in all outgoing communications at the SC boundary does not exceed the maximum permissible value;

The ratio of the change in the "processing" current to the average value of the current drawn from the mains at the SC boundary does not exceed the maximum permissible value.

The main tasks and principles of protection of SVT

To protect the information signals of SVT from possible information leakage, the following methods and measures are used:

Organizational;

Technical.

Technical measures for protecting information in SVT include measures and means that affect either the level of PEMIN or the level of electromagnetic noise. For example, electromagnetic shielding is an effective method of information protection, but it requires significant economic costs and regular monitoring of the shielding effectiveness. In addition, full electromagnetic shielding makes the work of service personnel uncomfortable.

Modification of SVT can significantly reduce the level of informative radiation, but cannot eliminate it completely. In modern conditions, the refinement of SVT equipment comes down to the selection of SVT components, since there is no domestic development of computers in the Russian Federation and PCs are assembled from foreign components. When selecting components at assembly firms (the so-called "red assembly"), attention is paid to the motherboard, the structural design of the system unit case, the video card (video controller), the display type, etc.

Active radio masking (noising) is the use of broadband noise generators.

Noise generators can be device-level or object-level. The main task of noising is to raise the level of electromagnetic noise and thereby prevent radio interception of the information signals of SVT. The indicator of the intensity of the masking noise interference (noise with a normal distribution of instantaneous amplitude values) is the noise zone R_w. The technical means of SVT are protected if R_w > R_2, that is, if the noise zone extends beyond the electromagnetic radiation zone.

Methodology for conducting special studies of technical means of electronic equipment

Basic requirements for the conditions of measurements.

The identification of dangerous signals among the general set of signals and the measurement of their level are carried out in specially organized test modes of the technical means (TS), in which the duration and amplitude of the information pulses remain the same as in the operating mode, but a periodic pulse sequence in the form of packets is used. This requirement stems from the fact that in the adopted method for calculating the results of a special investigation (SI), the summation band of the frequency components and the clock frequency of the information pulses must be constants. Otherwise the results cannot be calculated.

In addition, the cyclic repetition of the same "packets" of information makes it much easier to identify and measure the values of "dangerous" signals against the background of noise and interference.

Signal detection is carried out from all sides of the technical means. The signal is measured in peak (quasi-peak) mode from the direction of maximum radiation in which a dangerous signal is detected. To detect the test signals and distinguish them from the total set of received signals, such signs are used as the coincidence of the frequencies of the detected harmonics and of the intervals between them with the calculated values, the period and duration of the bursts, the change in the waveform at the receiver output when the parameters of the test signal are changed, etc.
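As an added example (not part of the original text, and not any standard's prescribed procedure), the following Python code applies two of the identification signs named above: detected spectral peaks are compared with the calculated harmonic grid n·f_clock of the test-mode clock frequency, and the intervals between the peaks accepted as harmonics are checked to be whole multiples of that frequency. Peaks that fall outside the grid (a broadcast station, other equipment) are set aside rather than counted as dangerous signals. The 40 MHz clock, the 50-harmonic limit taken from the text, the relative tolerance and the list of peak frequencies are constructed sample values.

```python
from typing import Iterable


def expected_harmonics(f_clock_hz: float, n_max: int = 50) -> list[float]:
    """Calculated grid of harmonic frequencies n * f_clock, n = 1..n_max.
    The text states that for a standard monitor interception is possible up to
    the 50th harmonic of the clock frequency, hence the default n_max."""
    return [n * f_clock_hz for n in range(1, n_max + 1)]


def identify_test_signal(detected_hz: Iterable[float], f_clock_hz: float,
                         n_max: int = 50, rel_tol: float = 1e-3) -> dict:
    """Split detected peaks into those coinciding with a calculated harmonic
    (within rel_tol of that harmonic's frequency) and those that do not.

    Returns a dict with:
      matched   - list of (frequency, harmonic number) pairs
      unmatched - frequencies from other sources or above the n_max-th harmonic
      coverage  - fraction of the n_max calculated harmonics actually observed
    """
    matched, unmatched = [], []
    for f in detected_hz:
        n = round(f / f_clock_hz)  # nearest harmonic number
        if 1 <= n <= n_max and abs(f - n * f_clock_hz) <= rel_tol * n * f_clock_hz:
            matched.append((f, n))
        else:
            unmatched.append(f)
    harmonics_seen = {n for _, n in matched}
    return {"matched": matched, "unmatched": unmatched,
            "coverage": len(harmonics_seen) / n_max}


def harmonic_spacing_ok(matched: list[tuple[float, int]], f_clock_hz: float,
                        rel_tol: float = 1e-3) -> bool:
    """Second identification sign: the intervals between detected harmonics
    must equal whole multiples of the clock frequency."""
    ordered = sorted(matched)
    for (f1, n1), (f2, n2) in zip(ordered, ordered[1:]):
        expected_gap = (n2 - n1) * f_clock_hz
        if abs((f2 - f1) - expected_gap) > rel_tol * expected_gap:
            return False
    return True


# Constructed sample: a 40 MHz clock in test mode and seven peaks seen by the
# receiver; 88 MHz stands for a broadcast-band signal, 2.04 GHz is the 51st harmonic.
SAMPLE_CLOCK_HZ = 40e6
SAMPLE_PEAKS_HZ = [40e6, 80e6, 120.01e6, 88e6, 400e6, 2.0e9, 2.04e9]

if __name__ == "__main__":
    result = identify_test_signal(SAMPLE_PEAKS_HZ, SAMPLE_CLOCK_HZ)
    for f, n in result["matched"]:
        print(f"{f / 1e6:10.3f} MHz  harmonic {n}")
    print("not from the test signal (MHz):", [f / 1e6 for f in result["unmatched"]])
    print("spacing consistent:", harmonic_spacing_ok(result["matched"], SAMPLE_CLOCK_HZ))
```

The tolerance is relative to the harmonic frequency because receiver tuning error and clock drift both scale with frequency; a fixed tolerance in hertz would reject high harmonics that are genuinely part of the test signal.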

When taking measurements, it is necessary:

Study the technical description and schematic diagrams of the TS;

Study the possible modes of operation of the TS;

Prepare the measuring equipment for work.

Measurement of the parameters of spurious electromagnetic radiation and pickup of the TS is carried out in all modes of its operation. The grounding and power supply of the TS must comply with the operating rules of that TS. Before starting measurements, the TS is checked for operability in accordance with its operating instructions.

The room in which the parameters of the dangerous signal field are measured must have a size of at least 6 x 6 m (36 m²);

Near the measured technical means (closer than 2.5 m), which is installed in the middle of the room, there must be no bulky metal objects (safes, cabinets, etc.) that can distort the PEMI field pattern;

The flooring of the room can be either wooden (parquet) or metal;

The law of field decrease in the certified room must comply with the standard field attenuation function within 2 to 2.5 m from the TS in the direction in which the measuring antenna is installed.

The technical means is installed on a rotary pedestal 0.8 to 1.0 m high; power is supplied to the TS through a noise-suppression filter of the FP type or another type with an attenuation of at least 40 to 60 dB.

The zone equation is solved by the graphical-analytical method or on a PC.

Organization of PC protection from unauthorized access

Currently, in connection with the rapid development of computer technology and the emergence of new information technologies, a new direction for obtaining restricted information has appeared, closely related to computer crime and unauthorized access (NSD) to restricted information. The development of local and global computer networks has led to the need to close off unauthorized access to information stored in automated systems.

The objective of information protection is to prevent damage that may result from the loss (theft, loss, distortion, forgery) of information in any of its manifestations.

Any modern enterprise cannot function successfully today without creating a reliable system for protecting its information, including not only organizational and regulatory measures, but also technical software and hardware, organizing information security control during its processing, storage and transmission in automated systems (AS).

The practice of organizing the protection of information from unauthorized access during its processing and storage in automated systems should take into account the following principles and rules for ensuring information security:

1. Compliance of the information security level with the legislative provisions and regulatory requirements for the protection of information that is subject to protection under current legislation, including the choice of the security class of the AS in accordance with the characteristics of information processing (processing technology, specific operating conditions of the AS) and the level of its confidentiality.

2. Identification of confidential (protected) information and its documentation in the form of a list of information to be protected, with its timely correction.

3. The most important decisions on the protection of information should be taken by the management of the enterprise or the owner of the AS.

4. Determination of the procedure for establishing the level of user authority, as well as the circle of persons who have this right (information security administrators).

5. Establishment and execution of access control rules (PRD), i.e. a set of rules governing the access rights of access subjects to access objects.

6. Establishing the personal responsibility of users for maintaining the security level of the AS when processing information to be protected.

7. Ensuring the physical security of the facility on which the protected AS is located (territory, buildings, premises, storage of information carriers) by establishing appropriate posts, technical means of protection or any other means that prevent or significantly complicate the theft of computer equipment (SVT) and information carriers, as well as NSD to SVT and communication lines.

8. Organization of an information security service (responsible persons, IS administrator), which records, stores and issues information carriers, passwords and keys, maintains the service information of the NSD protection system (generation of passwords and keys, maintenance of access control rules), accepts new software into the AS, and controls the technological process of processing confidential information, etc.

9. Systematic and operational control of the security level of protected information in accordance with the applicable guidelines on information security, incl. checking the protective functions of information security tools.

Information protection means must have a certificate confirming their compliance with information security requirements.

Analysis of the experience of work related to the processing and storage of information using computer technology has made it possible to draw conclusions and summarize the list of possible threats to information. They can be conditionally divided into three types:

Violation of confidentiality of information;

Violation of the integrity of information;

Violation of the availability of information.

Based on this, a system for protecting automated systems and personal computers from unauthorized access is being built.

Building a protection system

The construction of a protection system based on a software and hardware complex of means of protecting information from unauthorized access, and its interaction with the software and hardware of a personal computer, are shown in general form in Fig. 4.13.

Fig. 4.13. Building a protection system based on a hardware and software complex

Information protection using the hardware and software of the anti-NSD complex is based on processing the events that arise when application programs or system software access PC resources. The means of the complex intercept the corresponding software and/or hardware interrupts (requests to perform operations on the hardware and/or software resources of the PC). When a controlled event (interrupt request) occurs, the request is analyzed and, depending on whether the authority of the access subject (its application task), as set by the security administrator in the PRD, corresponds to the request, handling of these interrupts is either enabled or disabled.

In the general case, the protection system consists of the actual means of protection against unauthorized loading of the OS and means of delimiting access to information resources, which can be conditionally represented in the form of four interacting information security subsystems (Fig. 4.14).

Access control subsystem

The access control subsystem is designed to protect personal computers from unauthorized users, to control access to access objects, and to organize their shared use by registered users in accordance with the established access control rules.

Outsiders are all persons who are not registered in the system (who do not have a personal identifier registered on the particular PC).

Fig. 4.14. Information protection subsystems

PC protection from outsiders is provided by the procedures of identification (comparison of the presented identifier with the list of those registered on the PC) and authentication (confirmation of authenticity), which is usually carried out by entering a password of a certain length. To identify users in anti-NSD systems, personal identifiers such as Touch Memory (iButton) DS 199X are most often used, which are distinguished by high reliability, uniqueness, high-speed memory, ease of use, acceptable weight and size characteristics and low price.

In anti-NSD protection complexes, two principles of access control to protected resources can be implemented: discretionary and mandatory.

Discretionary principle of access control. Each registered user is assigned access rights according to the principle of assigning specified access characteristics to each "subject-object" pair, which are recorded in the PRD. When a user requests access, the established access rules are interpreted unambiguously and, depending on the user's level of authority, the requested type of access is allowed or denied.

This access control option allows any user of the system to be given an isolated software environment (ISS), i.e. the user's ability to run programs is restricted by listing as permitted only those programs that are really necessary for the user to perform their official duties. Thus, the user will not be able to launch programs that are not included in this list.

Mandatory principle of access control. The principle of controlling access to PC resources (hardware and software) based on a comparison of the confidentiality level assigned to each resource with the authority of the specific registered user to access PC resources of that confidentiality level.

To organize mandatory access control, a certain level of access to confidential information is set for each user of the system, and a so-called confidentiality label is assigned to each resource (directories, files, hardware).

In this case, the differentiation of access to confidential directories and files is carried out by comparing the user's access level and the resource's confidentiality label and making a decision on granting or not granting access to the resource.

Registration and accounting subsystem

The registration and accounting subsystem is intended for registration in the system log, which is a special file located on the hard disk of the PC, of ​​various events that occur during the operation of the PC. When registering events in the system log, the following are recorded:

Date and time of the event;

The name and identifier of the user performing the registered action;

User actions (the user's entry to / exit from the system, program launches, unauthorized access (tampering) events, changes in authority, etc.). Access to the system log is possible only for the information security system administrator (supervisor). The set of events recorded in the system log is determined by that administrator.

This subsystem also implements a mechanism for zeroing freed memory areas.

Integrity Subsystem

The integrity subsystem is designed to exclude unauthorized modifications (both accidental and malicious) of the software and hardware environment of the PC, including the software of the complex and the processed information, while protecting the PC from the introduction of software implants (bookmarks) and viruses. In hardware and software complexes of information security systems against unauthorized access (PAKSZI NSD), this is usually implemented by:

Checking the unique identifiers of the hardware parts of the PC;

Checking the integrity of the system files assigned for monitoring, including the PAKSZI NSD files, user programs and data;

Controlling access to the operating system directly, bypassing DOS interrupts;

Eliminating the possibility of using a PC without a hardware controller of the complex;

The mechanism for creating a closed software environment that prohibits the launch of imported programs, excluding unauthorized access to the OS.

When checking the integrity of the PC software environment, the checksum of the files is calculated and compared with the reference (check) value stored in a special data area. These data are entered during user registration and may change during the operation of the PC. Complexes of protection against unauthorized access use a more complex checksum algorithm, namely the calculation of the files' hash-function values, so that a modification of a file cannot go undetected.

Cryptographic protection subsystem

The subsystem of cryptographic protection is designed to enhance the protection of user information stored on a PC hard disk or removable media. The subsystem of cryptographic information protection allows the user to encrypt / decrypt their data using individual keys, usually stored in a personal TM-identifier.

Composition of a typical complex of protection against unauthorized access

A typical complex for protecting a personal computer from unauthorized access includes hardware and software. The hardware includes a hardware controller, an information reader, and personal user identifiers.

The hardware controller (Fig. 4.15) is a board (ISA / PCI) installed in one of the expansion slots of the PC motherboard. The hardware controller contains a ROM with software, connector for information reader and additional devices.


Fig. 4.15. Hardware controller "Sobol"

As additional devices, the hardware controller can carry relays that block booting from external devices (FDD, CD-ROM, SCSI, ZIP, etc.), a hardware random number generator and non-volatile memory.

An information reader is a device designed to read information from a personal identifier presented by a user. Most often, complexes of protection against unauthorized access use readers for personal identifiers of the Touch Memory (iButton) DS199X type, which are contact devices.

Contact and contactless smart card readers (Smart Card Reader), as well as biometric information readers that allow identifying a user by his biometric characteristics (fingerprint, personal signature, etc.) can be used as information readers.

A personal user identifier is a hardware device that has unique, non-copyable characteristics. Most often, systems of protection against unauthorized access use identifiers of the Touch Memory (iButton) type, which are electronic circuits equipped with a battery and a unique 64-bit identification number written in at manufacture. The service life of the electronic identifier declared by the manufacturer is about 10 years.

In addition to TM-identifiers, Smart Card identifiers are used in anti-tampering systems.

A smart card is a plastic card (Fig. 4.16) with a built-in microcircuit containing non-volatile rewritable memory.

Some anti-tampering systems allow biometric user characteristics (personal signature, fingerprint, etc.) to be used as an identifier. The composition of the software of a typical information security system (SIS) against unauthorized access is shown in Fig. 4.17.

All software of the anti-tamper protection complex can be conditionally divided into three groups.

System protection programs are programs that perform functions of protecting and delimiting access to information. Also, using this group of programs, you can configure and manage the protection system in the process.

A special loader is a program that provides a trusted boot of the base OS.

The security driver ("security monitor") is a resident program that controls authority and delimits access to information and hardware resources while the user is working on the AS (PC).

Installation programs - a set of programs available only to the administrator of the information security system for managing the operation of the information security system. This set of programs allows you to carry out the regular process of installing and removing the information security system.

Identification / authentication system programs are a set of programs for the formation and analysis of individual user characteristics used for identification / authentication. This group also includes programs for creating and managing a database of system users.

Training program - in general, it is a program for the accumulation and analysis of individual user characteristics (alphanumeric combination personal password, personal signature, fingerprints) and the development of an individual characteristic, which is recorded in the database.

Fig. 4.17. Composition of software for a typical information security system

The user database contains the unique numbers of the user identifiers registered in the system, as well as service information (user rights, time restrictions, confidentiality labels, etc.).

The identification program manages the process of carrying out user identification: issues a request for presenting an identifier, reads information from a personal identifier, searches for a user in the user database. If the user is registered in the system, it generates a request to the database of individual characteristics of users.

The database of individual characteristics contains the individual characteristics of all users registered in the system and selects the necessary characteristics at the request of the identification program.

Technological programs are auxiliary means for ensuring the safe functioning of the protection system, accessible only to the administrator of the protection system.

Station recovery programs are designed to restore the station's performance in case of hardware or software failures. This group of programs allows you to restore the user's original working environment (that existed before the installation of the protection system), as well as to restore the functionality of the hardware and software parts of the protection system.

An important feature of the station recovery programs is the ability to remove the protection system in an abnormal manner, i.e. without using the installation program, as a result of which the storage and accounting of this group of programs must be carried out especially carefully.

The system logging program is designed to register in the system log (a special file) all events that occur in the protection system while the user is working. The program allows selections to be formed from the system log according to various criteria (all unauthorized access events, all events of the user logging into the system, etc.) for further analysis.

The dynamics of the anti-tamper protection complex

To implement the functions of the anti-tampering complex, the following mechanisms are used:

1. The mechanism of protection against unauthorized loading of the OS, which includes user identification by a unique identifier and authentication of the identity of the owner of the presented identifier.

2. A mechanism for locking the screen and keyboard in cases where certain threats to information security can be realized.

3. A mechanism for monitoring the integrity of critical programs and data from the point of view of information security (protection mechanism against unauthorized modifications).

4. The mechanism for creating functionally closed information systems by creating an isolated software environment.

5. The mechanism for differentiating access to the AS resources, determined by the access attributes, which are set by the system administrator in accordance with each pair of "subject access and object of access" when registering users.

6. The mechanism for registering control events and tampering events occurring during the work of users.

7. Additional protection mechanisms.

At the stage of installing the tamper-resistant system, the hardware controller is installed in a free slot of the PC motherboard and the software is installed on the hard disk.

Setting up the complex consists in establishing access control rights and user registration. When a user is registered, the security system administrator determines his access rights: lists of executable programs and modules allowed to run by a given user.

At the installation stage, lists of files are also formed, the integrity of which will be checked when the PC is started by this user. The calculated values ​​of the hash functions (checksums) of these files are stored in special areas of memory (in some systems, they are entered into the memory of a personal TM identifier).

The mechanism of protection against unauthorized loading of the OS is implemented by carrying out the identification, authentication and integrity-control procedures for protected files before the operating system is loaded. This is provided by a ROM installed on the hardware controller board, to which control is passed during the so-called ROM-SCAN procedure. The essence of this procedure is as follows: at initial start-up, after checking the main equipment, the computer BIOS searches for external ROMs in the range from C800:0000 to E000:0000 with a step of 2K. The presence of a ROM is indicated by the word AA55H in the first word of the checked interval. If this marker is found, the next byte contains the length of the ROM in 512-byte pages. Then the checksum of the entire ROM is calculated, and if it is correct, the procedure located in the ROM at a fixed offset is called. This procedure is normally used to initialize hardware devices.

In most complexes of protection against tampering, this procedure is designed to implement the process of user identification and authentication. On error (access denied), no return from the procedure occurs, i.e. further PC loading will not be performed.
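As an added illustration (not part of the original text), the following C model of the ROM-SCAN step walks a constructed memory image in 2K steps, checks for the AA55H marker, reads the length byte and verifies the ROM checksum. The flat byte array standing in for the C800:0000 to E000:0000 window, the rule that a valid ROM's bytes sum to zero modulo 256, and the sample ROMs are assumptions of this example.

```c
/* Added example: a model of the BIOS ROM-SCAN step.  Assumptions: the image
 * is a flat byte array standing in for the scanned window, the step is 2 KiB,
 * the marker word AA55h is stored as bytes 55h AAh, the next byte holds the
 * ROM length in 512-byte pages, and a ROM is valid when all its bytes sum to
 * zero modulo 256. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SCAN_STEP  2048u
#define PAGE_BYTES 512u

struct rom_hit {
    size_t offset;      /* offset of the header within the image */
    size_t length;      /* ROM size in bytes (pages * 512) */
    int    checksum_ok; /* 1 if the ROM bytes sum to 0 mod 256 */
};

/* Sum every byte of the ROM; a well-formed option ROM is padded so that
 * the total is zero. */
static int rom_checksum_ok(const uint8_t *rom, size_t len)
{
    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++)
        sum = (uint8_t)(sum + rom[i]);
    return sum == 0;
}

/* Walk the image at 2 KiB steps, as the BIOS ROM-SCAN does, and record every
 * header found.  Returns the number of hits stored (at most max_hits). */
size_t rom_scan(const uint8_t *image, size_t image_len,
                struct rom_hit *hits, size_t max_hits)
{
    size_t found = 0;
    for (size_t off = 0; off + 3 <= image_len && found < max_hits; off += SCAN_STEP) {
        /* The little-endian word at the start of the interval must read AA55h. */
        uint16_t marker = (uint16_t)(image[off] | (image[off + 1] << 8));
        if (marker != 0xAA55)
            continue;
        size_t len = (size_t)image[off + 2] * PAGE_BYTES;
        struct rom_hit h = { off, len, 0 };
        /* A ROM that claims more space than the image holds cannot be verified. */
        if (len > 0 && off + len <= image_len)
            h.checksum_ok = rom_checksum_ok(image + off, len);
        hits[found++] = h;
    }
    return found;
}

/* Build a constructed ROM of `pages` pages at `off` whose bytes sum to zero. */
void place_rom(uint8_t *image, size_t off, uint8_t pages, uint8_t fill)
{
    size_t len = (size_t)pages * PAGE_BYTES;
    image[off]     = 0x55;
    image[off + 1] = 0xAA;
    image[off + 2] = pages;
    uint8_t sum = (uint8_t)(0x55 + 0xAA + pages);
    for (size_t i = 3; i + 1 < len; i++) {      /* keep the last byte for padding */
        image[off + i] = fill;
        sum = (uint8_t)(sum + fill);
    }
    image[off + len - 1] = (uint8_t)(0u - sum);  /* pad so the total is 0 */
}

int main(void)
{
    /* Constructed 16 KiB image: a valid 4-page ROM at 0x0000 and a 2-page ROM
     * at 0x2000 whose body was altered after its checksum byte was written. */
    static uint8_t image[16 * 1024];
    memset(image, 0, sizeof image);
    place_rom(image, 0x0000, 4, 0x90);
    place_rom(image, 0x2000, 2, 0x90);
    image[0x2000 + 100] ^= 0x01;   /* one changed byte: the checksum must fail */

    struct rom_hit hits[8];
    size_t n = rom_scan(image, sizeof image, hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("ROM at %#06zx, %zu bytes, checksum %s\n", hits[i].offset,
               hits[i].length, hits[i].checksum_ok ? "OK" : "BAD");
    return 0;
}
```

A header placed off the 2K grid is never examined, which is why the controller's ROM must sit at one of the scanned addresses.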

With the installed hardware controller and installed software of the anti-tamper system, the PC is loaded in the following order:

1. The BIOS of the computer performs the standard POST procedure (checking the main computer hardware) and upon its completion goes to the ROM-SCAN procedure, during which control is taken over by the hardware controller of the anti-tamper system.

2. The process of user identification is carried out, for which an invitation is displayed on the PC monitor to present his personal identifier (in some security systems, simultaneously with the display of the invitation, a countdown is started, which makes it possible to limit the time of the identification attempt).

3. If the user submits the identifier, the information is read. If the identifier is not presented, access to the system is blocked.

4. If the presented identifier is not registered in the system, an access denied message is displayed and the process returns to step 2.

5. If the presented identifier is registered in the system, the system goes into the authentication mode. Most anti-tampering systems use a personal password for authentication.

6. If the password is entered incorrectly, the process returns to step 2.

7. If the password is entered correctly, the hardware controller transfers control to the PC and the normal process of loading the OS is performed.

We add that many systems allow the number of invalid entries to be limited by rebooting the PC after a given number of failures.

The robustness of the identification / authentication procedure is highly dependent on the personal identifiers used and the user authentication algorithms. If a TM-identifier is used as an identifier, and the authentication procedure is to enter a personal password, its resistance to cracking will depend on the length of the password.

When performing the control procedures (user identification and authentication, integrity check), the driver of the anti-tamper system blocks the keyboard and OS loading. When the information reader is touched, the presented TM-identifier is searched for in the list of identifiers registered on the PC. Usually the list is stored on disk C. If the presented TM-identifier is found in the list, then in some anti-tampering systems the integrity of files is checked in accordance with the list compiled for the given user.

In this case, when checking the integrity of the user's file list, the hash function (checksum) of these files is calculated and compared with the reference (check) value read from the presented personal TM-identifier. For the authentication procedure, a hidden password entry mode is provided, in which the typed characters are shown as special characters (for example, the symbol "*"). This prevents the disclosure of an individual password and thus the use of a lost (stolen) TM-identifier.

With a positive result of the above control procedures, the OS is loaded. If the identifier provided by the user is not registered in the list or the integrity of the protected files is violated, the OS is not loaded. Administrator intervention is required to proceed.

Thus, the control procedures: identification, authentication and integrity check are carried out before the OS is loaded. In any other case, i.e. if this user does not have the rights to work with this PC, the OS is not loaded.

When the configuration files CONFIG.SYS and AUTOEXEC.BAT are executed, the keyboard is locked and the "security monitor" of the anti-tampering system is activated, which ensures that only the resources permitted to the user are used.

The integrity control mechanism is implemented by comparing two vectors for one data array: the reference (control), developed in advance at the stage of user registration, and the current one, i.e. developed just before checking.

The reference (check) vector is generated on the basis of the hash functions (checksum) of the protected files and is stored in a special file or identifier. In the case of authorized modification of protected files, the procedure for overwriting the new value of the hash function (checksum) of the modified files is performed.
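The following C example is added here and is not the complex's own code. It serves two points made in the text: the earlier remark that a simple checksum can miss a file modification while a hash function cannot, and the comparison of a reference integrity vector with the current one described just above. The three constructed "files", the additive 8-bit checksum and the 64-bit FNV-1a hash standing in for the complex's hash function are assumptions of this example.

```c
/* Added example: reference vs. current integrity vectors.  Assumptions: files
 * are small constructed byte arrays, the weak check is an 8-bit additive
 * checksum and the strong one is 64-bit FNV-1a (not the complex's own hash). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_FILES 8

struct file_image { const char *name; uint8_t data[32]; size_t len; };

/* Additive checksum: every byte summed modulo 256.  Reordering bytes leaves
 * it unchanged, which is why the text says a hash function is used instead. */
uint8_t sum_checksum(const uint8_t *data, size_t len)
{
    uint8_t s = 0;
    for (size_t i = 0; i < len; i++)
        s = (uint8_t)(s + data[i]);
    return s;
}

/* 64-bit FNV-1a: a byte-order-dependent hash used here as the stand-in for
 * the hash function the protection complex computes over each file. */
uint64_t fnv1a64(const uint8_t *data, size_t len)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Constructed sample of protected files (names and contents are made up). */
size_t sample_files(struct file_image *files)
{
    static const char *names[]  = { "SECMON.SYS", "COMMAND.COM", "CONFIG.SYS" };
    static const char *bodies[] = { "MZ resident security monitor",
                                    "COMMAND.COM version 6",
                                    "DEVICE=SECDRV.SYS" };
    size_t n = sizeof names / sizeof names[0];
    for (size_t i = 0; i < n; i++) {
        files[i].name = names[i];
        files[i].len  = strlen(bodies[i]);
        memcpy(files[i].data, bodies[i], files[i].len);
    }
    return n;
}

/* Build an integrity vector: one hash per protected file, in list order. */
void build_vector(const struct file_image *files, size_t n, uint64_t *vec)
{
    for (size_t i = 0; i < n; i++)
        vec[i] = fnv1a64(files[i].data, files[i].len);
}

/* Compare the current vector with the reference one.  Returns the number of
 * files whose hash differs and writes their indices to `bad`. */
size_t compare_vectors(const uint64_t *ref, const uint64_t *cur,
                       size_t n, size_t *bad)
{
    size_t nbad = 0;
    for (size_t i = 0; i < n; i++)
        if (ref[i] != cur[i])
            bad[nbad++] = i;
    return nbad;
}

/* Swap two bytes of a file: the additive checksum cannot see this change. */
void swap_bytes(struct file_image *f, size_t i, size_t j)
{
    uint8_t t = f->data[i];
    f->data[i] = f->data[j];
    f->data[j] = t;
}

int main(void)
{
    struct file_image files[MAX_FILES];
    uint64_t ref[MAX_FILES], cur[MAX_FILES];
    size_t bad[MAX_FILES];
    size_t n = sample_files(files);

    build_vector(files, n, ref);                   /* reference, at registration */
    uint8_t before = sum_checksum(files[1].data, files[1].len);
    swap_bytes(&files[1], 0, 1);                   /* unauthorized modification */
    build_vector(files, n, cur);                   /* current, just before check */

    printf("checksum of %s: %02x before, %02x after\n", files[1].name,
           before, sum_checksum(files[1].data, files[1].len));
    size_t nbad = compare_vectors(ref, cur, n, bad);
    for (size_t i = 0; i < nbad; i++)
        printf("integrity violated: %s\n", files[bad[i]].name);
    return 0;
}
```

After an authorized modification the reference vector is simply rebuilt, after which the next comparison reports no mismatch.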

The mechanism for creating an isolated software environment is implemented using the resident part of the "security monitor" of the anti-tamper system. During the operation of the system, the resident part of the "security monitor" checks the files of all drivers loaded from the CONFIG.SYS file and performs on-the-fly integrity control of executable files before transferring control to them. This provides protection against viruses and software implants (bookmarks). If the check is successful, control is transferred to the OS to load the file for execution. If the check fails, the program does not start.

The access control mechanism is implemented using the resident part of the "security monitor" of the anti-tamper system, which intercepts the processing of OS functions (basically, this is an interrupt int 21, as well as int 25/26, and int 13). The meaning of the work of this resident module is that when a request is received from a user program, for example, to delete a file, it first checks whether the user has such permissions.

If such authority exists, control is transferred to the normal OS handler to execute the operation. If no such authority exists, an error exit is simulated.

Access control rules are set by assigning access attributes to access objects. A set attribute means that the operation specified by the attribute can be performed on the given object.

The installed attributes define the most important part of the user's PRD.

The efficiency of the protection system largely depends on the correct choice and setting of attributes. In this regard, the administrator of the security system must clearly understand what and how the choice of attributes assigned to the objects to which the user has access depends. At a minimum, it is necessary to study the principle of access control using attributes, as well as the peculiarities of the software that will be used by the user when working.

The software of anti-tampering systems allows, for each subject-object pair, all or some of the following access characteristics to be defined:

for disks:

Logical drive availability and visibility;

Creation and deletion of files;

File visibility;

Execution of tasks;

Inheritance by subdirectories of the attributes of the root directory (with the extension of inheritance rights only to the next level or to all the following levels);

for directories:

Accessibility (go to this catalog);

Visibility;

Inheritance by subdirectories of directory attributes (with the extension of inheritance rights only to the next level or to all the following levels);

for directory contents:

Creation and removal of subdirectories;

Renaming files and subdirectories;

Opening files for reading and writing;

Creation and deletion of files;

File visibility;

for tasks:

Execution.
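As an added example (not code from any real protection complex), the following C program models the subject-object rules listed above: each rule grants a set of attributes on a disk, directory or task, with inheritance by subdirectories limited to the next level or extended to all levels, and the most specific rule for an object wins. The DOS-style paths, user names, attribute bit values and the sample PRD table are constructed for this example.

```c
/* Added example: an attribute-based access check over subject-object rules.
 * Assumptions: objects are DOS-style paths with '\' separators, the attribute
 * bits and inheritance modes below are this example's own encoding, and with
 * no matching rule access is denied. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum attr {
    ATTR_ACCESS  = 1u << 0,  /* disk available / directory can be entered */
    ATTR_VISIBLE = 1u << 1,  /* object is visible */
    ATTR_CREATE  = 1u << 2,  /* create and delete files or subdirectories */
    ATTR_RENAME  = 1u << 3,  /* rename files and subdirectories */
    ATTR_OPEN_RW = 1u << 4,  /* open files for reading and writing */
    ATTR_EXEC    = 1u << 5   /* execute a task */
};

/* How far the rule's attributes are inherited by subdirectories. */
enum inherit { INHERIT_NONE, INHERIT_NEXT, INHERIT_ALL };

struct rule {
    const char  *subject;   /* registered user */
    const char  *object;    /* disk, directory or task */
    unsigned     attrs;     /* granted attribute bits */
    enum inherit inherit;
};

/* Constructed PRD table for one user (sample data, not a real configuration). */
const struct rule PRD[] = {
    { "IVANOV", "C:\\WORK",            ATTR_VISIBLE | ATTR_ACCESS | ATTR_OPEN_RW | ATTR_CREATE, INHERIT_ALL  },
    { "IVANOV", "C:\\WORK\\SECRET",    ATTR_VISIBLE,                                            INHERIT_ALL  },
    { "IVANOV", "C:\\PUB",             ATTR_VISIBLE | ATTR_ACCESS,                              INHERIT_NEXT },
    { "IVANOV", "C:\\TOOLS\\EDIT.EXE", ATTR_EXEC,                                               INHERIT_NONE },
};
const size_t PRD_LEN = sizeof PRD / sizeof PRD[0];

/* Number of directory levels `path` lies below `prefix` (0 for an exact
 * match), or -1 when `prefix` is not an ancestor of `path`. */
static int levels_below(const char *prefix, const char *path)
{
    size_t n = strlen(prefix);
    if (strncmp(prefix, path, n) != 0)
        return -1;
    if (path[n] == '\0')
        return 0;
    if (path[n] != '\\')
        return -1;          /* "C:\WORK" is not an ancestor of "C:\WORKS\X" */
    int levels = 0;
    for (const char *p = path + n; *p; p++)
        if (*p == '\\')
            levels++;
    return levels;
}

/* Effective attributes of a subject-object pair: the longest matching rule
 * wins, whether it names the object itself or an ancestor whose inheritance
 * setting reaches the object's depth.  No rule means no attributes. */
unsigned effective_attrs(const struct rule *rules, size_t nrules,
                         const char *subject, const char *object)
{
    const struct rule *best = NULL;
    size_t best_len = 0;
    for (size_t i = 0; i < nrules; i++) {
        if (strcmp(rules[i].subject, subject) != 0)
            continue;
        int lv = levels_below(rules[i].object, object);
        if (lv < 0)
            continue;
        if (lv == 1 && rules[i].inherit == INHERIT_NONE)
            continue;
        if (lv > 1 && rules[i].inherit != INHERIT_ALL)
            continue;
        size_t len = strlen(rules[i].object);
        if (best == NULL || len > best_len) {
            best = &rules[i];
            best_len = len;
        }
    }
    return best ? best->attrs : 0u;
}

/* 1 if every bit of `attr` is granted to `subject` on `object`, else 0. */
int access_allowed(const struct rule *rules, size_t nrules,
                   const char *subject, const char *object, unsigned attr)
{
    return (effective_attrs(rules, nrules, subject, object) & attr) == attr;
}

int main(void)
{
    const char *objs[] = { "C:\\WORK\\DOCS\\A.TXT", "C:\\WORK\\SECRET\\B.TXT",
                           "C:\\PUB\\SUB\\Y.TXT", "C:\\TOOLS\\OTHER.EXE" };
    for (size_t i = 0; i < 4; i++)
        printf("%-24s open rw: %d  exec: %d\n", objs[i],
               access_allowed(PRD, PRD_LEN, "IVANOV", objs[i], ATTR_OPEN_RW),
               access_allowed(PRD, PRD_LEN, "IVANOV", objs[i], ATTR_EXEC));
    return 0;
}
```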

The mechanism for registering control events and unauthorized access (NSD) events provides means for selective review of the registration information, and also allows all access attempts and actions of selected users to be registered while they work on a PC with the anti-tampering system installed. In most anti-tampering systems, the administrator can select the level of detail of the recorded events for each user.

Registration is carried out in the following order:

The system administrator sets the log verbosity level for each user.

For any level of detail, the log reflects the parameters of user registration, access to devices, launching tasks, attempts to violate the PRD, change the PRD.

For a medium level of detail, the log additionally reflects all attempts to access protected disks, directories and separate files, as well as attempts to change some system parameters.

For a high level of detail, the log additionally reflects all attempts to access the contents of protected catalogs.

For the selected users, the log reflects all changes to the PRD.

In addition, a mechanism for compulsory registration of access to some objects is provided.

In general, the system log contains the following information:

1. Date and exact time of registration of the event.

2. Subject of access.

3. Type of operation.

4. Object of access. The access object can be a file, directory or disk. If the event is a change in access rights, the updated PRD is displayed.

5. The result of the event.

6. Current task - a program running at the station at the time of registration of the event.

Additional protection mechanisms against unauthorized access to personal computers

Additional protection mechanisms against unauthorized access to personal computers (AS) make it possible to raise the level of protection of information resources above the basic level achieved with the standard functions of the protection system. To raise the level of protection of information resources, it is advisable to use the following protection mechanisms:

Limiting the "lifetime" of the password and its minimum length, excluding the possibility of its quick selection in case the user loses his personal identifier;

Using "time limits" for users to log into the system by setting for each user a time interval by days of the week in which work is allowed;

Setting the screen saver control parameters - blanking the screen after a predetermined time interval (if no operator has performed any actions during the specified time interval). The ability to continue working is provided only after re-identification is carried out upon presentation of a personal user identifier (or password);

Setting for each user restrictions on the output of protected information to alienable media (external magnetic media, ports of printers and communication devices, etc.);

Periodically checking the integrity of system files, including files of the software part of the protection system, as well as user programs and data;

Control of direct access to the operating system, bypassing OS interrupts, to prevent debugging and development tools, as well as virus programs, from functioning;

Exclusion of the possibility of using a PC in the absence of a hardware controller of the protection system, to exclude the possibility of loading the operating system by users with the protection system removed;

Using mechanisms for creating an isolated software environment that prohibits the launch of executable files from external media or embedded in the OS, as well as excludes unauthorized entry of unregistered users into the OS;

Indication of attempts of unauthorized access to a PC and protected resources in real time by giving sound, visual or other signals.

Test questions for independent work

1. Name the organizational measures that need to be taken to protect the facility.

2. What is the purpose of search activities?

3. Name the passive and active methods of technical protection.

4. List the methods of protecting speech information.

5. What is the difference between sound insulation and vibroacoustic protection of a room?

6. How are recording devices and radio microphones neutralized?

7. Give the characteristics of the protection devices of the terminal equipment of low-current lines.

8. List the ways to protect subscriber telephone lines.

9. What is the main purpose of shielding?

10. List the basic requirements for grounding devices.

11. Compare the protective properties of mains noise suppression filters and power line noise generators. Indicate the areas of application of these products.

12. What are the technical measures for protecting information in SVT?

13. List the main security criteria for SVT.

14. The procedure and features of conducting special studies of technical means of electronic computers.

15. What is the essence of the graphical method for calculating the radius of zone I (I 2)?

16. The main purpose of complexes of protection against unauthorized access.

17. What is a personal identifier? What types of identifiers are used in anti-tampering systems, name the main properties of the identifier.

18. What procedures are performed by the anti-tamper system until the OS is loaded?

19. What is done in the authentication process? What types of authentication processes are used in tamper protection systems?

20. What determines the strength of the identification / authentication process?

21. What is meant by the definition of the right to differentiate access?

22. What is meant by an access object?

23. How is the mandatory principle of access control implemented?

24. What subsystems are included in the access control facilities?

25. What hardware resources are included in the typical composition of the anti-tamper system?

26. What parameters are recorded in the system log during the user's work? Why is the system log kept?

27. What systems of protection against unauthorized access can be used in an AS processing information constituting a state secret?

Questions:

1. Methods and means of protection against leakage of confidential information through technical channels.

2. Features of software and mathematical influence in public networks.

3. Protection of information in local area networks.

Literature:

1. Budnikov S.A., Parshin N.V. Information security of automated systems: Textbook. manual - Voronezh, TsPKS TZI, 2009.

2. Belov E.B. et al. Basics of information security: Tutorial. - M.: Hot line - Telecom, 2005.

3. Zapechnikov S.V. et al. Information security of open systems. Part 1: Textbook for universities. - M.: Hot line - Telecom, 2006.

4. Malyuk A.A. Information Security: Conceptual and Methodological Foundations of Information Security: Textbook for Universities. - M .: Hot line - Telecom, 2004.

5. Malyuk A.A., Pazizin S.V., Pogozhin N.S. Introduction to Information Security in Automated Systems: A Textbook for Universities. - M .: Hot line - Telecom, 2004.

6. Khorev A.A. Protection of information from leakage through technical channels. - Training. allowance. - M .: Ministry of Defense of the Russian Federation, 2006.

7. Law of the Russian Federation dated 28.12.2010 No. 390 "On security".

8. Federal Law of 27.07.2006 No. 149-FZ "On Information, Information Technologies and Information Protection".

9. Decree of the President of the Russian Federation of March 6, 1997 No. 188 “On approval of the List of confidential information”.

Internet resources:

1. http://ict.edu.ru

1. Methods and means of protection against leakage of confidential information through technical channels

Information protection from leakage through technical channels is a complex of organizational, organizational-technical and technical measures that exclude or weaken the uncontrolled exit of confidential information outside the controlled area.

1.1. Protection of information from leakage through visual-optical channels

In order to protect information from leakage through the visual-optical channel, it is recommended:

· Arrange objects of protection so as to exclude light reflection in the direction of the possible location of the attacker (spatial reflections);

· To reduce the reflective properties of the protected object;

· To reduce the illumination of the object of protection (energy restrictions);

· Use means of blocking or significantly weakening the reflected light: shields, screens, curtains, shutters, dark glasses and other obstructing media and barriers;

· Use means of camouflage, imitation and others in order to protect and mislead the attacker;

· Use means of passive and active protection of the source from uncontrolled propagation of reflected or emitted light and other radiation;

· To carry out masking of objects of protection, varying the reflective properties and contrast of the background;

· It is possible to use masking means of concealing objects in the form of aerosol curtains and masking nets, paints, shelters.

1.2. Information protection against leakage through acoustic channels

The main measures in this type of protection are organizational and organizational and technical measures.

Organizational measures involve architectural planning, spatial and regime activities. Architectural planning measures impose certain requirements at the design stage of buildings and premises, or during their reconstruction and adaptation, in order to exclude or weaken the uncontrolled propagation of sound fields directly in the air or through building structures in the form of structural sound.

Spatial requirements may cover both the choice of the location of the premises in the spatial plan and their equipment with the elements necessary for acoustic safety, excluding the propagation of sound, directly or by reflection, in the direction of the possible location of the intruder. For this purpose, doors are equipped with vestibules, windows are oriented towards territory that is guarded (controlled) against the presence of outsiders, etc.

Regime measures provide for strict control over the stay of employees and visitors in the controlled area.

Organizational and technical measures comprise passive (sound insulation, sound absorption) and active (sound suppression) activities.

Technical measures involve the use of special secure means for conducting confidential negotiations (secure acoustic systems).

To determine the effectiveness of protection when using sound insulation, sound level meters are used - measuring instruments that convert sound pressure fluctuations into readings corresponding to the sound pressure level.

In cases where passive measures do not provide the required level of safety, active means are used. Active means include noise generators, technical devices that generate noise-like electronic signals. These signals are fed to the appropriate acoustic or vibration transducers. Acoustic transducers are designed to create acoustic noise in rooms or outside them, and vibration transducers create masking noise in building envelopes.

Thus, protection against leakage through acoustic channels is implemented:

· The use of sound-absorbing facings, special additional vestibules of doorways, double window frames;

· Using means of acoustic noise pollution of volumes and surfaces;

· Sealing ventilation ducts and the entry points of heating, power supply, telephone and radio lines into the premises;

· The use of special certified premises, excluding the emergence of information leakage channels.

1.3. Protection of information from leakage through electromagnetic channels

To protect information from leakage through electromagnetic channels, both general methods of protection against leakage are used, as well as specific ones focused on known electromagnetic information leakage channels. In addition, protective actions can be classified into design and technological solutions aimed at eliminating the possibility of the occurrence of such channels, and operational, associated with ensuring the conditions for the use of certain technical means in production and labor conditions.

Design and technological activities to localize the possibility of the formation of conditions for the emergence of channels of information leakage due to side electromagnetic radiation and interference (PEMIN) in technical means of processing and transmitting information are reduced to rational design and technological solutions, which include:

· Shielding of elements and units of equipment;

· Weakening of electromagnetic, capacitive, inductive coupling between elements and current-carrying wires;

· Filtering signals in power and ground circuits and other measures related to the use of limiters, decoupling circuits, mutual compensation systems, attenuators to weaken or destroy PEMIN.

Schematic and design methods of information protection:

· Shielding;

· Grounding;

· Filtration;

· Decoupling.

Filters for various purposes are used to suppress or attenuate signals when they arise or propagate, as well as to protect power systems for information processing equipment.

Operational measures focused on the choice of locations for the installation of technical equipment, taking into account the peculiarities of their electromagnetic fields in such a way as to exclude their going outside the controlled area. For these purposes, it is possible to carry out shielding of premises in which facilities with a high level of PEMI are located.

Organizational measures for protecting information from leakage due to electromagnetic radiation:

1. Prohibition

1.1. Exclusion of radiation

1.2. Use of shielded rooms

2. Decreased availability

2.1. Extension of the controlled area

2.2. Reducing the propagation distance:

Decrease in power

Decrease in altitude

2.3. Using spatial orientation:

Choosing safe locations

Safe orientation of the main lobe of the pattern

Using highly directional antennas

Suppression of the side and back lobes of the radiation pattern

2.4. Choice of operating modes:

Shorter operating time

Using known operating modes

Using calculation methods.

1.4. Protection of information from leakage through material channels

The protection measures for this channel do not need special comments.

In conclusion, it should be noted that when protecting information from leakage through any of the channels considered, it is advisable to follow this order of actions:

1. Identification of possible leakage channels.

2. Detection of real channels.

3. Assessment of the hazard of real channels.

4. Localization of dangerous channels of information leakage.

5. Systematic control over the availability of channels and the quality of their protection.

2. Features of software and mathematical influence in public networks

Software-mathematical impact is an effect on protected information produced by means of malicious programs.

Malicious program - a program designed to gain unauthorized access to information and (or) to affect information or the resources of an information system. In other words, a malicious program is a self-contained set of instructions that is able to:

· Hide its presence on the computer;

· Self-destruct, disguise itself as a legitimate program, and copy itself to other areas of RAM or external memory;

· Modify (destroy, distort) the code of other programs;

· Perform destructive functions on its own: copying, modification, destruction, blocking, etc.;

· Distort, block or replace information output to an external communication channel or to an external storage medium.

The main routes by which malware enters an information system, and a computer in particular, are the network and removable media (flash drives, disks, etc.). Its introduction into the system may also be accidental.

The main types of malware are:

  • software implants (software bookmarks);
  • software viruses;
  • network worms;
  • other malicious programs designed to carry out unauthorized attacks.

Software implants include programs and fragments of program code intended to create undeclared capabilities in legitimate software.

Undeclared software capabilities are functions of the software that are not described in its documentation. A software implant often serves as a conduit for other malware and, as a rule, is not detected by standard anti-virus tools.

Software implants are distinguished by the way they are introduced into the system:

  • hardware-software: implants built into the PC firmware (BIOS, firmware of peripheral devices);
  • boot: implants built into the boot programs (boot loaders) located in boot sectors;
  • driver: implants built into drivers (the files the operating system needs to manage the peripheral devices connected to the computer);
  • application: implants built into application software (text editors, graphics editors, various utilities, etc.);
  • executable: implants built into executable program modules, most often batch files;
  • simulator implants: implants that, using a look-alike interface, imitate programs that ask the user to enter confidential information.

To detect software implants, a qualitative approach is often used: observing the operation of the system and looking for symptoms such as:

  • decreased performance;
  • changes in the composition and length of files;
  • partial or complete blocking of the system and its components;
  • simulation of physical (hardware) failures of computing equipment and peripherals;
  • forwarding of messages;
  • bypassing of hardware and software for cryptographic transformation of information;
  • access to the system being granted from unauthorized devices.

There are also diagnostic methods for detecting implants. For example, antivirus programs successfully find boot implants, and Disk Doctor, part of the popular Norton Utilities suite, is good at detecting static errors on disks. The most common software implant is the Trojan horse.

A Trojan horse is:

  • a program which, being part of another program with functions known to the user, is able to covertly perform additional actions intended to cause the user damage;
  • a program with functions known to its user into which changes have been introduced so that, in addition to those functions, it can covertly perform other (destructive) actions.

The main types of Trojans and their capabilities:

  • Trojan-Notifier - notification of a successful attack. Trojans of this type inform their "owner" about the infected computer by sending information about it to the owner's address: for example, the computer's IP address, an open port number, an e-mail address, etc.
  • Trojan-PSW - password stealers. They steal confidential data from the computer and send it to the owner by e-mail.
  • Trojan-Clicker - Internet clickers. A family of Trojans whose main function is to organize unauthorized requests to Internet resources (usually web pages). The methods vary, for example setting a malicious page as the browser home page.
  • Trojan-DDoS - turn the infected computer into a so-called bot that is used to organize denial-of-service attacks on a specific site. The site owner is then asked to pay to stop the attack.
  • Trojan-Proxy - Trojan proxy servers. A family of Trojans that covertly provide anonymous access to various Internet resources. Usually used to send spam.
  • Trojan-Spy - spyware. Able to track all the user's actions on the infected computer and send the data to the owner. This data may include passwords, and audio and video captured from a microphone and camera connected to the computer.
  • Backdoor - provides remote control of the infected computer. Its capabilities are practically unlimited: the whole computer is at the disposal of the program's owner, who can send messages on the user's behalf, read any information on the computer, or simply destroy the system and its data without the user's knowledge.
  • Trojan-Dropper - installers of other malicious programs. Very similar to Trojan-Downloader, but they install the malicious programs they carry inside themselves.
  • Rootkit - able to hide in the system by substituting itself for various objects. Such Trojans are particularly unpleasant because they can replace operating system components so that the antivirus loses the ability to detect the presence of the malware.

All software implants, regardless of how they are introduced into the computer system, how long they stay in RAM, or their purpose, have one thing in common: they must perform a write operation to the system's RAM or external memory. Without this operation a software implant cannot have any negative effect.

A virus (computer, software) is executable program code or an interpreted set of instructions with the properties of unauthorized distribution and self-reproduction. The copies a computer virus creates do not always coincide with the original, but retain the ability to spread and reproduce further. Thus the defining property of a software virus is the ability to create copies of itself and inject them into computer networks and/or files, system areas of the computer and other executable objects, with the copies retaining the ability to spread further.

The life cycle of a virus consists of the following stages:

  • computer penetration
  • virus activation
  • search for objects to be infected
  • preparation of viral copies
  • viral copy injection

Classification of viruses and network worms is shown in Figure 1.

Fig. 1. Classification of viruses and network worms

The code of a boot-type virus takes control of the computer at the initialization stage, before the operating system itself starts. Boot viruses write themselves either to the boot sector, or to the sector containing the hard disk's boot loader, or change the pointer to the active boot sector. Their operation relies on the OS startup algorithm when the computer is switched on or restarted: after the necessary tests of the installed hardware (memory, disks, etc.), the system bootstrap program reads the first physical sector of the boot disk (A:, C: or CD-ROM, depending on the parameters set in BIOS Setup) and transfers control to it.

In the case of a floppy disk or CD, control passes to the disk's boot sector, which analyzes the disk parameter table (BPB, BIOS Parameter Block), computes the addresses of the OS system files, reads them into memory and runs them. The system files are usually MSDOS.SYS and IO.SYS, or IBMDOS.COM and IBMBIO.COM, or others depending on the version of DOS, Windows or other OS installed. If the boot disk contains no operating system files, the program in the boot sector displays an error message and asks for the boot disk to be replaced.

In the case of a hard disk, control passes to the program located in its MBR. It analyzes the Disk Partition Table, computes the address of the active boot sector (usually the boot sector of drive C:), loads it into memory and transfers control to it. Having received control, the active boot sector of the hard disk performs the same actions as the boot sector of a floppy disk.

When infecting disks, boot viruses substitute their own code for whichever program receives control at system startup. The principle of infection is thus the same in all the cases described above: the virus "forces" the system to read it into memory at restart and to hand control not to the original bootloader code but to the virus code.

Example: the malware Virus.Boot.Snow.a writes its code to the MBR of a hard disk or to the boot sectors of floppy disks, encrypting the original boot sectors. After gaining control, the virus remains in memory (becomes resident) and intercepts interrupts. Sometimes it manifests itself as a visual effect: snow begins to fall on the screen.
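The boot sequence just described suggests a concrete integrity check a practitioner can run: compare the current MBR against a trusted reference copy, because a boot virus must either change the boot code itself or move the pointer to the active partition. The Python example below is added here and is not from the original text; the MBR images it parses are constructed inside the script (hypothetical boot-code bytes and two partition entries), and all helper names are assumptions.

```python
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446       # boot code occupies bytes 0..445
PART_ENTRY_SIZE = 16          # four 16-byte partition entries follow it
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR


def parse_partition_table(mbr: bytes) -> list:
    """Return the four partition entries of a 512-byte MBR as dicts."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        status, _chs_s, ptype, _chs_e, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + PART_ENTRY_SIZE])
        entries.append({"index": i, "active": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def active_partition(mbr: bytes):
    """The entry the MBR code would chain-load, or None unless exactly one is active."""
    active = [e for e in parse_partition_table(mbr) if e["active"]]
    return active[0] if len(active) == 1 else None


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot code only; the partition table is excluded so that
    legitimate repartitioning does not raise the boot-code alarm."""
    return hashlib.sha256(mbr[:PART_TABLE_OFFSET]).hexdigest()


def check_mbr(reference: bytes, current: bytes) -> list:
    """Compare the current MBR with a trusted reference copy and list findings.
    A boot virus shows up as changed boot code or as a moved active-partition pointer."""
    findings = []
    if boot_code_hash(reference) != boot_code_hash(current):
        findings.append("boot code modified")
    ref_active = active_partition(reference)
    cur_active = active_partition(current)
    if cur_active is None:
        findings.append("no single active partition")
    elif ref_active is not None and (ref_active["index"], ref_active["lba_start"]) != (
            cur_active["index"], cur_active["lba_start"]):
        findings.append("active partition pointer changed")
    return findings


def make_mbr(boot_code: bytes, entries: list) -> bytes:
    """Construct a test MBR from boot-code bytes and (status, type, lba_start, sectors)
    tuples. CHS fields are zeroed; this is sample data, not an image from a real disk."""
    body = boot_code.ljust(PART_TABLE_OFFSET, b"\x00")[:PART_TABLE_OFFSET]
    table = b"".join(struct.pack("<B3sB3sII", status, b"\x00" * 3, ptype, b"\x00" * 3, lba, sectors)
                     for status, ptype, lba, sectors in entries)
    return body + table.ljust(4 * PART_ENTRY_SIZE, b"\x00") + BOOT_SIGNATURE


# Constructed sample data: hypothetical boot code, an active NTFS (0x07) and a Linux (0x83) partition.
CLEAN_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a4")
PARTS = [(0x80, 0x07, 2048, 409600), (0x00, 0x83, 411648, 204800)]
CLEAN_MBR = make_mbr(CLEAN_CODE, PARTS)
# Boot code overwritten (the virus's own entry point) but the table left alone.
INFECTED_MBR = make_mbr(b"\xeb\xfe" + CLEAN_CODE[2:], PARTS)
# Boot code intact but the active flag moved to another partition.
REPOINTED_MBR = make_mbr(CLEAN_CODE, [(0x00, 0x07, 2048, 409600), (0x80, 0x83, 411648, 204800)])

if __name__ == "__main__":
    for name, image in [("clean", CLEAN_MBR), ("infected", INFECTED_MBR), ("repointed", REPOINTED_MBR)]:
        print(f"{name:10s} {check_mbr(CLEAN_MBR, image) or ['ok']}")
```

On a real system the reference copy must be taken from a known-clean state and stored outside the disk being checked; a virus that is resident, as Virus.Boot.Snow.a is, can return the original sector to a reader, so the comparison is only meaningful when the disk is read from clean boot media.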

File viruses directly infect files. They can be divided into three groups depending on the environment in which the virus spreads:

1. File viruses proper, which work directly with operating system resources. Example: one of the best-known viruses, named "Chernobyl". Thanks to its small size (1 KB) the virus infected PE files without changing their size: it searched the file for "empty" regions that arise because the start of each section is aligned to a multiple of a fixed byte value. After gaining control, the virus hooked the IFS API, monitored calls to the file access function and infected executable files. On April 26 its destructive payload triggers, erasing the Flash BIOS and the initial sectors of the hard disks. The result is that the computer cannot boot at all (if the Flash BIOS was erased successfully) or the data on all its hard drives is lost.

2. Macro viruses, written in the macro languages built into some data processing systems (text editors, spreadsheets, etc.). The most common are viruses for Microsoft Office programs. To reproduce, such viruses use the capabilities of macro languages and with their help transfer themselves (their copies) from one document to another.

For a macro virus to exist in a particular editor, the built-in macro language must have the following capabilities:

  • binding a program in a macro language to a specific file;
  • copying macro programs from one file to another;
  • gaining control of a macro program without user intervention (automatic or standard macros).

These conditions are satisfied by the application programs Microsoft Word, Excel and Microsoft Access, which contain the macro languages Word Basic and Visual Basic for Applications. Modern macro languages have these features in order to allow automatic data processing.

Most macro viruses are active not only at the moment of opening (closing) a file, but as long as the editor itself is active. They contain all their functions as standard Word / Excel / Office macros. There are, however, viruses that use techniques to hide their code and store their code as non-macros. Three such techniques are known, all of them use the ability of macros to create, edit and execute other macros. As a rule, such viruses have a small virus macro loader that calls the built-in macro editor, creates a new macro, fills it with the main virus code, executes it and then, as a rule, destroys it (to hide the traces of the virus presence). The main code of such viruses is present either in the virus macro itself in the form of text strings (sometimes encrypted), or is stored in the variable area of ​​the document.

3. Network viruses, which use the protocols and capabilities of local and global networks to spread. The main property of a network virus is the ability to replicate itself over the network on its own; some network viruses are also able to run themselves on a remote workstation or server.

The main destructive actions performed by viruses and worms are:

  • denial of service attacks;
  • data loss;
  • theft of information.

In addition to all of the above, there are combined viruses that combine the properties of different types, for example file and boot viruses. An example is the file-boot virus "OneHalf", popular some years ago. Once in the environment of the MS-DOS operating system, this virus infected the master boot record. During computer initialization it encrypted sectors of the main disk, starting from the last ones. While the virus is in memory it controls all accesses to the encrypted sectors and decrypts them on the fly, so that all programs work normally. If "OneHalf" is simply erased from memory and from the boot sector, the information written in the encrypted sectors becomes inaccessible. When the virus has encrypted part of the disk it warns about it with the message "Dis is one half, Press any key to continue ...", then waits for a key press and continues working. "OneHalf" uses various cloaking mechanisms: it is considered a stealth virus and uses polymorphic techniques. Detecting and removing "OneHalf" is problematic because not all antivirus programs can see it.

    At the stage of preparing virus copies, modern viruses often use copy masking methods in order to make it harder for antivirus tools to find them:

    • Encryption - the virus consists of two functional parts: the virus body and the encryptor. Each copy consists of the encryptor (the routine that also decrypts the body at run time), a random key, and the body encrypted with that key.
    • Metamorphism - creating different copies of the virus by replacing blocks of commands with equivalent ones, rearranging pieces of code, and inserting "garbage" commands that do practically nothing between the meaningful pieces.

    The combination of these two techniques gives the following types of viruses:

    • An encrypted virus uses simple random-key encryption with an unchanging encryptor. Such viruses are easily detected by a signature taken from the encryptor.
    • A metamorphic virus applies metamorphism to its entire body to create new copies.
    • A polymorphic virus uses a metamorphic encryptor to encrypt the main body with a random key. Part of the information used to produce new copies of the encryptor can itself be encrypted; for example, a virus may implement several encryption algorithms and, when creating a new copy, change not only the encryptor's commands but also the algorithm itself.

    A worm is a type of malware that spreads through network channels, able to autonomously overcome the protection of automated systems and computer networks, to create and distribute copies of itself that do not always coincide with the original, and to perform other harmful actions. The best-known worm is the Morris worm, whose mechanisms are described in detail in the literature. It appeared in 1988 and for a short period paralyzed many computers on the Internet. This worm is a "classic" of malicious programs, and the attack mechanisms its author devised are still used by cybercriminals. The Morris worm was a self-propagating program that distributed copies of itself over the network, gaining privileged access to hosts by exploiting operating system vulnerabilities. One of the vulnerabilities it exploited was a vulnerable version of sendmail (its "debug" function, which switched the current session into debug mode); another was the fingerd program, which contained a buffer overflow bug. The worm also exploited the rexec and rsh commands and poorly chosen user passwords to gain access to systems.

    At the penetration stage, worms are divided mainly by the type of protocol used:

    • Network worms - worms that use the Internet and local area networks to spread. Typically this type of worm spreads by exploiting errors in how some applications process basic TCP/IP packets.
    • Mail worms - worms that spread in the form of e-mail messages. As a rule, the message contains the body of the code or a link to an infected resource. When the attached file is run the worm is activated; when the link is clicked and the file downloaded and opened, the worm likewise begins its malicious action. It then continues to distribute copies of itself, searching for other e-mail addresses and sending infected messages to them. Worms use the following methods to send messages: a direct connection to an SMTP server using a mail library built into the worm's code; MS Outlook services; Windows MAPI functions. To find victims' addresses the MS Outlook address book is most often used, but the WAB address database can also be used. The worm may also scan files stored on disk and extract strings that look like e-mail addresses. Worms can send copies of themselves to all addresses found in the mailbox (some can reply to mail in the mailbox). Some specimens combine several methods.
    • IRC worms - worms that spread through IRC (Internet Relay Chat) channels. Worms of this class use two types of propagation: sending the user a URL link to the body file; sending the file to the user directly (in which case the user must confirm receipt).
    • P2P worms - worms that spread through peer-to-peer file-sharing networks. The mechanism of most of them is quite simple: to enter a P2P network, the worm only needs to copy itself into the file-sharing directory, which is usually located on the local machine. The P2P network does the rest of the distribution work: when files are searched for on the network it informs remote users about this file and provides everything needed to download it from the infected computer. There are more sophisticated P2P worms that mimic the network protocol of a specific file-sharing system and respond positively to search queries, offering their own copy for download.
    • IM worms - worms that use instant messaging systems (ICQ, MSN Messenger, AIM, etc.) to spread. Known worms of this type use a single distribution method: sending messages to the contacts found in the contact list, containing a URL to a file located on a web server. This technique almost exactly repeats the distribution method used by mail worms.

    Currently, mobile worms and worms that spread copies of themselves over network shares are becoming increasingly common. The latter use operating system functions: in particular they enumerate the available network folders, connect to computers on the wider network and try to open their drives with full access. They differ from standard network worms in that the user must open the file containing the worm's copy to activate it.

    By their destructive capabilities, viruses and network worms are divided into:

    • harmless, which do not affect the operation of the computer in any way (apart from reducing free disk space as a result of their spreading);
    • not dangerous, whose effect is limited to a decrease in free disk space and graphic, sound and other effects;
    • dangerous viruses, which can lead to serious malfunctions of the computer;
    • very dangerous, whose algorithm deliberately includes procedures that can cause the loss of programs, destroy data, or erase information necessary for the computer's operation that is recorded in system areas of memory.

    But even if no code paths that damage the system are found in the virus algorithm, the virus cannot be called harmless with complete certainty, since its penetration into a computer can have unpredictable and sometimes catastrophic consequences. A virus, like any program, has bugs, as a result of which both files and disk sectors can be damaged (for example, the DenZuk virus, quite harmless at first glance, works correctly with 360K floppies but can destroy information on larger floppy disks). To this day we encounter viruses that determine whether a file is COM or EXE not by its internal format but by its extension; naturally, if the format and the extension do not match, the file becomes inoperable after infection. A resident virus may also "hang" the system when used with newer versions of DOS, under Windows, or with other large software systems.

    Analyzing all of the above, one can see the similarities between network worms and computer viruses, in particular the complete coincidence of their life cycle and self-replication. The main difference between worms and software viruses is the worms' ability to spread over a network without human intervention. Network worms are sometimes treated as a subclass of computer viruses.

    With the rapid development of the Internet and information technologies, the number of malicious programs and of ways to introduce them into an information system is constantly growing. The greatest danger is posed by new forms of viruses and network worms whose signatures are not yet known to information security vendors. Methods such as analysis of abnormal system behavior and artificial immune systems, which make it possible to detect new forms of viruses, are gaining popularity.

    According to Panda Security's analytical report on virus activity for Q3 2011, the ratio of newly created malicious programs was as shown in Figure 2.

    Fig. 2. Ratio of malicious software created in Q3 2011

    That is, three out of four new malware samples were Trojans, followed by viruses. Whereas earlier malware was most often created for experimental or "joke" purposes and was rather an act of cyber vandalism, today it is a powerful weapon for obtaining material or other benefits, and has acquired the character of cybercrime.

    In any case, malware can cause significant damage by realizing threats to the integrity, confidentiality and availability of information. The most popular way of dealing with it is to install anti-virus protection.

    3. Information protection in local area networks

    3.1. Antivirus

    Today antivirus programs can safely be called the most popular information protection tool. Antivirus software consists of programs designed to combat malicious software (viruses).

    Antivirus programs use two methods to detect viruses: signature-based and heuristic.

    The signature method is based on comparing a suspicious file with the signatures of known viruses. A signature is a sample of a known virus, that is, a set of characteristics that make it possible to identify that virus or its presence in a file. Each antivirus keeps an anti-virus database of virus signatures. Since new viruses appear every day, the database must be updated regularly; otherwise the antivirus will not find new viruses. Earlier, all anti-virus programs used only the signature method, because it is easy to implement and detects known viruses accurately. Nevertheless, the method has an obvious drawback: if a virus is new and its signature is unknown, the antivirus will "miss" it. This is why modern antiviruses also use heuristic methods.
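The signature method described here and the encryption and polymorphism techniques described earlier can be demonstrated together in one small experiment: scanning copies of a toy "virus" for a database signature. The Python example below is added here and is not from the original text or from any antivirus product. The virus body, the decryptor bytes and the "garbage" filler are constructed byte strings that stand in for code and do nothing, and all function names are assumptions. It shows that a signature taken from the body misses every encrypted copy, that a signature taken from the fixed decryptor catches every such copy whatever the key, and that this signature fails once the decryptor is rewritten for each copy. The last scanner goes beyond the text: because the key travels inside the copy and the cipher is a one-byte XOR, trying all 256 keys recovers the plaintext body signature even from the polymorphic copies.

```python
import random

# Constructed stand-ins for code: arbitrary byte strings, nothing here is executed.
VIRUS_BODY = b"TOY-VIRUS-BODY: copies itself and does nothing else"
DECRYPTOR = bytes.fromhex("b92f00be0b01302446e2fb")   # the unchanging "decryptor"

# Two signatures an antivirus database could hold for this virus.
BODY_SIGNATURE = b"TOY-VIRUS-BODY"   # taken from the plaintext body
DECRYPTOR_SIGNATURE = DECRYPTOR      # taken from the fixed decryptor

# Filler a toy polymorphic engine inserts between decryptor pieces (constructed bytes).
JUNK = [b"\x90", b"\x87\xc0", b"\x29\xc9\x01\xc9"]


def xor_bytes(data: bytes, key: int) -> bytes:
    """One-byte XOR: the 'simple random-key encryption' of the text."""
    return bytes(b ^ key for b in data)


def encrypted_copy(key: int) -> bytes:
    """Encrypted virus: unchanging decryptor, then the key, then the body XOR key."""
    return DECRYPTOR + bytes([key]) + xor_bytes(VIRUS_BODY, key)


def polymorphic_copy(key: int, rng: random.Random) -> bytes:
    """Polymorphic virus: the decryptor is rewritten per copy by splitting it into
    pieces and inserting 'garbage' between them, so it never has a fixed image."""
    pieces = [DECRYPTOR[i:i + 2] for i in range(0, len(DECRYPTOR), 2)]
    mutated = b"".join(piece + rng.choice(JUNK) for piece in pieces)
    return mutated + bytes([key]) + xor_bytes(VIRUS_BODY, key)


def signature_scan(sample: bytes, signature: bytes) -> bool:
    """The signature method: exact byte-string match against the database entry."""
    return signature in sample


def xray_scan(sample: bytes, signature: bytes) -> bool:
    """Beyond the text: the key is inside the copy and the cipher is weak, so a
    scanner can try every one-byte key and look for the plaintext signature."""
    return any(signature in xor_bytes(sample, k) for k in range(256))


def detection_counts(rng: random.Random, copies: int = 5) -> dict:
    """How many of `copies` samples each scanning strategy catches."""
    enc = [encrypted_copy(rng.randrange(1, 256)) for _ in range(copies)]
    poly = [polymorphic_copy(rng.randrange(1, 256), rng) for _ in range(copies)]
    return {
        "body_sig_on_encrypted": sum(signature_scan(s, BODY_SIGNATURE) for s in enc),
        "decryptor_sig_on_encrypted": sum(signature_scan(s, DECRYPTOR_SIGNATURE) for s in enc),
        "decryptor_sig_on_polymorphic": sum(signature_scan(s, DECRYPTOR_SIGNATURE) for s in poly),
        "xray_on_polymorphic": sum(xray_scan(s, BODY_SIGNATURE) for s in poly),
    }


if __name__ == "__main__":
    for name, hits in detection_counts(random.Random(7)).items():
        print(f"{name:30s} {hits}/5")
```

Running the block prints a hit count per strategy. The brute-force step is cheap only because the toy cipher has 256 keys; the underlying point, that whatever decrypts the body must itself be present in the sample, is what heuristic and emulation-based scanners build on when the decryptor has no fixed image.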

    The heuristic method is a collection of approximate detection methods based on certain assumptions. As a rule, the following heuristic methods are distinguished:

    • search for viruses similar to known ones (this method is often simply called heuristic). In principle it resembles the signature method but is more flexible: where the signature method requires an exact match, here the file is examined for modifications of known signatures, so a complete match is not necessary. This helps detect hybrids and modifications of already known viruses;
    • the anomaly method, based on tracking anomalous events in the system and identifying the main malicious actions: deletions, writes to certain areas of the registry, sending mail, etc. Clearly, performing any one such action is not a reason to consider a program malicious. But if a program performs several such actions in sequence, for example writes itself into the system registry's autostart key, intercepts data entered from the keyboard and periodically sends that data to some Internet address, the program is at least suspicious. Behavioral analyzers use no additional objects resembling virus databases and, as a result, cannot distinguish known viruses from unknown ones: every suspicious program is a priori considered an unknown virus. Likewise, tools based on behavioral analysis do not disinfect;
    • checksum analysis, a way of tracking changes to the objects of a computer system. From the nature of the changes (simultaneity, mass scale, identical changes in file length) one can conclude that the system is infected. Checksum analyzers, like anomaly analyzers, do not use anti-virus databases and decide whether a virus is present solely by expert rules. The great popularity of checksum analysis dates from single-tasking operating systems, when viruses were relatively few, files were few and rarely changed. Today, change auditors have lost ground and are rarely used in antiviruses. Similar technology is more often used in on-access scanners: during the first check a file's checksum is computed and cached; before the next check of the same file it is computed again and compared, and if nothing has changed the file is considered uninfected.
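The anomaly method's key idea, that single actions are innocent and only their combination is suspicious, is easy to show as a scoring rule over an event log. The Python example below is added here and is not from the original text or from any antivirus product; the event log, the process names, the registry paths and the addresses are constructed sample data, and the weights, threshold and function names are assumptions. It flags a process only when it combines persistence (a write to an autostart key), keyboard interception and a periodic send to one network address, exactly the sequence the paragraph above describes.

```python
from collections import defaultdict

# Constructed sample event log: (time in seconds, process, action, detail).
# Hypothetical process names and addresses; not taken from a real system.
EVENTS = [
    (0,   "editor.exe",    "file_write",     "C:\\docs\\report.txt"),
    (1,   "updater.exe",   "registry_write", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"),
    (2,   "updater.exe",   "keyboard_hook",  "WH_KEYBOARD_LL"),
    (3,   "installer.exe", "registry_write", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\app"),
    (4,   "mailer.exe",    "net_send",       "mail.example.net:25"),
    (5,   "updater.exe",   "net_send",       "203.0.113.7:8080"),
    (65,  "updater.exe",   "net_send",       "203.0.113.7:8080"),
    (125, "updater.exe",   "net_send",       "203.0.113.7:8080"),
]

AUTORUN_KEY = "\\currentversion\\run\\"   # matched case-insensitively against the key path

# Each behavior alone is innocent; only a combination crosses the threshold.
WEIGHTS = {"persistence": 2, "keyboard_hook": 3, "periodic_beacon": 3}
THRESHOLD = 6


def is_periodic(times: list, tolerance_s: float) -> bool:
    """At least three sends to one destination with near-constant spacing."""
    if len(times) < 3:
        return False
    gaps = [b - a for a, b in zip(times, times[1:])]
    return max(gaps) - min(gaps) <= tolerance_s


def analyze(events: list, threshold: int = THRESHOLD, tolerance_s: float = 5.0) -> dict:
    """Score every process on the combination of behaviors it showed."""
    by_proc = defaultdict(list)
    for ts, proc, action, detail in sorted(events):
        by_proc[proc].append((ts, action, detail))
    verdicts = {}
    for proc, evs in by_proc.items():
        flags = set()
        sends = defaultdict(list)
        for ts, action, detail in evs:
            if action == "registry_write" and AUTORUN_KEY in detail.lower():
                flags.add("persistence")        # wrote itself into an autostart key
            elif action == "keyboard_hook":
                flags.add("keyboard_hook")      # intercepts keyboard input
            elif action == "net_send":
                sends[detail].append(ts)        # collected per destination
        if any(is_periodic(times, tolerance_s) for times in sends.values()):
            flags.add("periodic_beacon")        # regular sends to one address
        score = sum(WEIGHTS[f] for f in flags)
        verdicts[proc] = {"score": score, "flags": sorted(flags), "suspicious": score >= threshold}
    return verdicts


if __name__ == "__main__":
    for proc, v in analyze(EVENTS).items():
        state = "SUSPICIOUS" if v["suspicious"] else "ok"
        print(f"{proc:14s} score={v['score']} {state} {v['flags']}")
```

Note what the verdict does not contain: no virus name, because there is no database to name it from, and no disinfection, only a flag. A legitimate remote-support tool that registers for autostart, hooks the keyboard and sends periodic status messages scores exactly the same, which is the false-positive risk the text warns about.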

    Heuristic methods have their own advantages and disadvantages. The advantage is the ability to detect new viruses: if a virus is new and its signature is unknown, a signature-based antivirus will "miss" it during scanning, while a heuristic one will probably find it. The main drawback follows from that last sentence: the method is probabilistic. Such an antivirus may find a virus, may fail to find it, or may mistake a legitimate file for a virus.

    In modern anti-virus suites, manufacturers try to combine the signature method with heuristic methods. A promising direction in this area is the development of antiviruses with an artificial immune system, an analogue of the human immune system that can detect "foreign" bodies.

    The antivirus must contain the following modules:

    • update module - delivers updated signature databases to the antivirus user: it contacts the vendor's servers and downloads the updated anti-virus databases.
    • scheduling module - plans the actions the antivirus must perform regularly, for example scanning the computer for viruses and updating the anti-virus databases; the user selects the schedule for these actions.
    • control module - intended for administrators of large networks. These modules provide an interface for configuring antiviruses on network nodes remotely and for restricting local users' access to the antivirus settings.
    • quarantine module - isolates suspicious files in a special place, the quarantine. It is not always possible to disinfect or delete a suspicious file, especially given the false positives of the heuristic method; in such cases the file is quarantined, where it cannot perform any action.

    In large organizations with an extensive internal network and Internet access, anti-virus complexes are used to protect information.

    Antivirus engine - the implementation of the signature scanning mechanism, based on the available virus signatures, and of heuristic analysis.

    Antivirus complex - a set of antiviruses using the same antivirus kernel or kernels, designed to solve practical problems to ensure antivirus security of computer systems.

    The following types of antivirus complexes are distinguished, depending on where they are used:

    • anti-virus complex for protecting workstations
    • antivirus complex for protecting file servers
    • anti-virus complex for protecting mail systems
    • anti-virus complex for protection of gateways

    Antivirus complex for protecting workstations usually consists of the following components:

    • on-access antivirus scanner - checks the files accessed by the OS;
    • local mail antivirus scanner - for scanning incoming and outgoing emails;
    • on-demand antivirus scanner - scans the specified disk areas or files at the request of either the user, or in accordance with the schedule set in the scheduling module.

    Antivirus complex for protecting mail systems is designed to protect the mail server and includes:

    • mail flow filter - checks the incoming and outgoing traffic of the server on which the complex is installed for viruses;
    • shared folder (database) scanner - checks users' databases and shared folders for viruses in real time (when those folders or databases are accessed). It can be integrated with the mail flow filter, depending on how message interception and folder access are implemented and handed over for scanning;
    • on-demand antivirus scanner - checks user mailboxes and public folders (if used on the mail server) for viruses, at the request of the anti-virus security administrator or in the background.

    Antivirus complex for protecting file servers - designed to protect the server on which it is installed. It usually consists of two distinct components:

    • an on-access anti-virus scanner - similar to an on-access scanner for a workstation;
    • antivirus scanner on demand - similar to an on-demand scanner for a workstation.

    Anti-virus complex for protection of gateways is, as the name suggests, designed to scan data passing through the gateway for viruses. Since data passes through the gateway almost continuously, components that work in continuous mode are installed on it:

    • HTTP stream scanner - checks data transmitted over the HTTP protocol;
    • FTP stream scanner - checks the data transferred via the FTP protocol;
    • SMTP stream scanner - checks the data transmitted through the gateway via SMTP.

    An obligatory component of all considered complexes is the anti-virus database updating module.

    Antivirus tools are widely available on the market today, but they differ in capabilities, price and resource requirements. To choose the right anti-virus software, it is worth following the antivirus test results published online. One of the first to test antivirus products was the British magazine Virus Bulletin, starting in 1998. The core of the test is the WildList malware collection, which can be found on the Internet. To pass the test, an antivirus program must detect every virus on this list and show zero false positives on a collection of clean files. Testing is carried out on various operating systems (Windows, Linux, etc.), and products that pass receive the VB100% award. A list of recently tested products is available at http://www.virusbtn.com/vb100/archive/summary.

    In addition to Virus Bulletin, testing is carried out by independent laboratories such as AV-Comparatives and AV-Test. Their virus "collections" alone can contain up to a million malicious programs. Reports of these studies can be found on the Internet, although in English. In addition, the Virus Bulletin website lets you compare antivirus vendors with each other at http://www.virusbtn.com/vb100/archive/compare?nocache.

    3.2. Firewall

    A firewall (abbreviated ME below) is a software or software-and-hardware tool that delimits information flows at the boundary of the protected system.

    The firewall passes all traffic through itself and decides for each packet whether to let it through or not. To perform this operation, a set of filtering rules must be defined for it.

    Using an ME allows one to:

    • improve the security of objects inside the system by discarding unauthorized requests from the external environment;
    • control information flows to the external environment;
    • ensure the registration of information exchange processes.

    The ME's decision on whether to pass traffic or not is based on filtering according to specified rules. There are two approaches to configuring an ME:

    • initially "deny everything" and then define what should be allowed;
    • initially "allow everything" and then define what should be prohibited.

    Obviously, the first option is safer: everything not explicitly allowed is prohibited, so, unlike the second, it cannot let unwanted traffic through.

    Depending on the operating principle, several classes of ME are distinguished. The main classification criterion is the layer of the ISO/OSI model at which the ME operates.

    1. Packet filters

    The simplest class of firewalls, operating at the network and transport layers of the ISO/OSI model. Packets are usually filtered by the following criteria:

    • source IP address;
    • destination IP address;
    • source port;
    • destination port;
    • specific parameters of network packet headers.

    Filtering is implemented by comparing the listed network packet header fields against the filtering rule base.
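    The following is an added example, not code from the original text: a minimal packet filter that matches the header criteria listed above against an ordered rule base, with the "deny everything, then allow" default from the previous section. All addresses, ports and rules are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    """Constructed packet header fields: the criteria the text lists."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str  # "tcp" or "udp"

@dataclass(frozen=True)
class Rule:
    """One filtering rule; a field left as None matches anything."""
    action: str                    # "allow" or "deny"
    src: Optional[str] = None      # source network in CIDR notation
    dst: Optional[str] = None      # destination network in CIDR notation
    dst_port: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.src and ip_address(p.src_ip) not in ip_network(self.src):
            return False
        if self.dst and ip_address(p.dst_ip) not in ip_network(self.dst):
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        return self.proto is None or p.proto == self.proto

def decide(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First matching rule wins; if no rule matches, the default applies.
    default="deny" is the 'deny everything, then allow' approach; "allow"
    is the second approach, kept here only to show what it lets through."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default

# Constructed rule base: the explicit block comes first because rules are
# evaluated in order; then only HTTPS to the web host and DNS to the resolver.
RULES = [
    Rule("deny", src="198.51.100.0/24"),
    Rule("allow", dst="192.0.2.10/32", dst_port=443, proto="tcp"),
    Rule("allow", dst="192.0.2.53/32", dst_port=53, proto="udp"),
]
```

    With the default left at "allow", the same rule base lets an SSH packet to the web host through; with "deny" it is dropped because no rule allows it.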

    2. Session level gateways

    These firewalls operate at the session layer of the ISO/OSI model. Unlike packet filters, they can check the validity of a session by analyzing the parameters of session-layer protocols. The positive qualities of packet filters include the following:

    • low cost;
    • the ability to flexibly configure filtering rules;
    • small delay in the passage of packets.

    The disadvantages include the following:

    • packet filtering rules are difficult to describe and require very good knowledge of TCP and UDP. Such MEs often require many hours of manual configuration by highly qualified specialists;
    • if a packet-filtering firewall fails, all computers behind it become either completely unprotected or unreachable;
    • there is no user-level authentication.

    3. Application gateways

    Firewalls of this class allow filtering of certain types of commands or data sets in application-layer protocols. For this, proxy services are used: special-purpose programs that control traffic through the firewall for particular high-level protocols (http, ftp, telnet, etc.). Without proxy services, a network connection is established directly between the interacting parties A and B; with a proxy service, an intermediary appears, the proxy server, which itself interacts with the other participant in the exchange. This scheme makes it possible to control whether individual commands of high-level protocols may be used, and to filter data received by the proxy server from outside; based on the established policies, the proxy server can decide whether or not this data may be passed on to client A.

    4. Expert Firewalls

    The most sophisticated firewalls, combining elements of all three categories above. Instead of proxy services, such screens use algorithms for recognizing and processing data at the application layer.

    In addition to filtering, an ME can hide the real addresses of nodes in the protected network using network address translation (NAT). When a packet arrives at the ME, the ME replaces the sender's real address with a virtual one; when the response arrives, the ME performs the reverse substitution.

    Most firewalls in use today belong to the expert category. The best-known and most widespread MEs are CISCO PIX and CheckPoint FireWall-1.

    3.3. Intrusion detection system

    Intrusion detection is the process of identifying unauthorized access (or attempts at unauthorized access) to information system resources. An intrusion detection system (IDS) is generally a hardware and software system that solves this task. Intrusion detection systems work like a building alarm. The structure of an IDS is shown in Figure 3.

    Fig. 3. Block diagram of an IDS

    The operation of an IDS is shown in Figure 4.

    As the figure shows, IDS systems function much like firewalls: sensors receive network traffic, and the kernel, comparing the received traffic with the records in its database of attack signatures, tries to identify traces of unauthorized access attempts. The response module is an optional component that can be used to quickly block a threat: for example, a firewall rule can be generated to block the source of the attack.

    There are two types of IDS: host-based (HIDS) and network-based (NIDS). A HIDS is located on an individual node and monitors for signs of attacks on that node.

    Fig. 4. How an IDS works

    A host-based IDS is a set of sensors that monitor various events in the system for abnormal activity. The following types of sensors exist:

    • log analyzers - most often system log and security log records are monitored;
    • feature sensors - compare the characteristic features of certain events associated either with incoming traffic or with logs;
    • system call analyzers - analyze calls between applications and the operating system to determine whether they correspond to an attack. These sensors are preventive in nature, that is, unlike the previous two types, they can prevent an attack;
    • application behavior analyzers - analyze calls between applications and the operating system to determine whether the application is allowed to perform a given action;
    • file integrity checkers - track changes in files using checksums or digital signatures (EDS).

    A NIDS is located on a separate system and analyzes all network traffic for signs of attacks. Such systems have a built-in database of attack signatures, against which the system analyzes network traffic.
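    The following is an added example, not code from the original text, illustrating the kernel and response module described under Figure 4 and the NIDS signature database just mentioned: constructed traffic records are matched against a small signature database, and the response module turns repeat offenders into firewall block rules. The signatures, addresses and payloads are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed signature database: name -> pattern applied to the payload.
# Stands in for the "records of the database of attack signatures".
SIGNATURES = {
    "sql-injection-probe": re.compile(rb"(?i)union\s+select"),
    "path-traversal": re.compile(rb"\.\./\.\./"),
}

# Constructed traffic as the sensors would hand it to the kernel.
TRAFFIC = [
    {"src": "203.0.113.9", "dst_port": 80, "payload": b"GET /index.html HTTP/1.1"},
    {"src": "198.51.100.4", "dst_port": 80, "payload": b"GET /item?id=1 UNION SELECT 1,2 HTTP/1.1"},
    {"src": "198.51.100.4", "dst_port": 80, "payload": b"GET /../../private.txt HTTP/1.1"},
    {"src": "203.0.113.9", "dst_port": 80, "payload": b"GET /img/../../logo.png HTTP/1.1"},
]

@dataclass
class Alert:
    signature: str
    src_ip: str
    dst_port: int

def analyse(packets: List[dict]) -> List[Alert]:
    """IDS kernel: compare every observed payload with every signature."""
    alerts = []
    for p in packets:
        for name, pattern in SIGNATURES.items():
            if pattern.search(p["payload"]):
                alerts.append(Alert(name, p["src"], p["dst_port"]))
    return alerts

def respond(alerts: List[Alert], threshold: int = 2) -> List[str]:
    """Optional response module: a source that raised `threshold` or more
    alerts gets an iptables-style rule blocking it (returned, not applied)."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.src_ip] = counts.get(a.src_ip, 0) + 1
    return [f"iptables -A INPUT -s {ip} -j DROP"
            for ip, n in sorted(counts.items()) if n >= threshold]

if __name__ == "__main__":
    found = analyse(TRAFFIC)
    print([a.signature for a in found], respond(found))
```

    The threshold keeps a single noisy match (here the second host's one traversal-like path) from blocking a source outright, which is the trade-off between fast response and false positives.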

    Each type of IDS has its own advantages and disadvantages. Network-level IDSs do not degrade overall system performance, but host-level IDSs are more effective in detecting attacks and analyzing activity associated with an individual host. In practice, it is advisable to use systems that combine both described approaches.

    It should be noted that a promising direction in IDS development is the use of heuristic methods, by analogy with antiviruses: artificial intelligence systems, artificial immune systems, analysis of abnormal behavior, etc.
