List the most important aspects of information security. Basic aspects of information security

Components of information security

In general, information security (IS) can be defined as “the security of information, resources and supporting infrastructure from accidental or intentional impacts of a natural or artificial nature that may cause unacceptable damage to the subjects of information relations - producers, owners and users of information and supporting infrastructure.”

Information security is not limited solely to protection from unauthorized access to information: it is a fundamentally broader concept, including the protection of information, technologies and systems.

Security requirements in various aspects of information activity may differ significantly, but they are always aimed at achieving the following three main components of information security:

  • integrity. This is, first of all, the relevance and consistency of information and its protection from destruction and unauthorized changes: the data and information on which decisions are based must be reliable, accurate and protected from both unintentional and malicious distortion;
  • confidentiality. Classified information should be accessible only to those for whom it is intended. Such information cannot be obtained, read, changed, or transmitted without the appropriate access rights;
  • availability (readiness). This is the ability to receive the required information service within a reasonable time, i.e. data, information and the related services, automated services, and interaction and communication tools must be available and ready to work whenever they are needed.

Information security activities are aimed at preventing or neutralizing the following actions:

  • unauthorized access to information resources (unauthorized access, UAA; abbreviated NSD in Russian-language sources);
  • distortion, partial or complete loss of confidential information;
  • targeted actions (attacks) to destroy the integrity of software systems, data systems and information structures;
  • failures and malfunctions of software, hardware and telecommunications.

Thus, a methodologically correct approach to information security problems begins with identifying the subjects of information relations and the interests of these subjects related to the use of information technologies and systems (IT/IS).

Assessing the real situation in most cases comes down to answering the key questions that form the systemic basis for ensuring information security, and in particular whether it is necessary to protect, from whom and what should be protected, what and how needs to be protected, what measures will ensure the effectiveness of protection, and also to evaluate the estimated cost of development, implementation, operation, maintenance and modernization of security systems.

The first three questions relate directly to the problem of assessing real threats (Fig. 7.1) [16]. The answers to these questions are ambiguous: much depends on the structure, area of activity and goals of the company. When individual and corporate information systems and resources are integrated into a unified information infrastructure, the determining factor is ensuring the appropriate level of information security for each entity that has decided to join that infrastructure.

Fig. 7.1.

In the single information space of a government body or a commercial company, authentication mechanisms and tools must be created to authenticate the user, the message, and the content. Thus, an information security system must be created that includes the necessary set of measures and technical solutions to protect against:

  • disruption of the functioning of the information space, by eliminating the impact on information channels and resources;
  • unauthorized access to information, by detecting and eliminating attempts to use the resources of the information space that lead to a violation of its integrity;
  • destruction of built-in protective mechanisms, with the ability to identify unauthorized actions of users and service personnel;
  • the introduction of software "viruses" and "implants" (backdoors) into software products and hardware.

Of particular note are the tasks of ensuring the security of systems being developed and modified in an integrated information environment, since in the process of modifying a corporate information system (CIS), security gaps (so-called “holes in the system”) inevitably arise.

Along with analysis of the specific means of protection already in place in the company, an information security policy must be developed, including a set of organizational and administrative measures and documents, as well as methodological and technical solutions that form the basis for creating an information security infrastructure (Fig. 7.2).

Fig. 7.2.

The next step in developing a comprehensive information security system is the acquisition, installation and configuration of information security tools and mechanisms. Such tools include systems for protecting information from unauthorized access, cryptographic protection systems, firewalls, security analysis tools, etc. Qualified personnel are required for the correct and effective use of the installed security tools.

Over time, existing protection means become outdated, new versions of information security systems are released, the list of found vulnerabilities and attacks is constantly expanding, information processing technology, software and hardware, as well as company personnel are changing. Therefore, it is necessary to regularly review the developed organizational and administrative documents, conduct a survey of the information system or its subsystems, train personnel and update security measures.

Any enterprise that receives resources, including information, processes them in order to ultimately sell its own commercial product on the market. At the same time, it generates a specific internal environment, which is formed by the efforts of personnel of all structural divisions, as well as technical means and technological processes, economic and social relations both within the enterprise and in interaction with the external environment.

Corporate information reflects the financial and economic condition of the enterprise and the results of its activities. Examples of such information are registration and statutory documents, long-term and current plans, orders, instructions, reports, production data, data on the flow of finance and other resources, information on personnel training and areas of application of products, including methods and sales channels, sales techniques, orders, logistics, and information about suppliers and partners.

Sources of corporate information are the directorate and administration of the enterprise, planning and financial departments, accounting, IT departments and computer centers, departments of the chief engineer and chief mechanic, production departments, legal, operational and repair services, logistics, purchasing and sales departments, etc.

The corporate environment includes governmental, economic, political and social actors operating outside the enterprise. Information outside the corporate environment is often incomplete, contradictory, approximate, heterogeneous and does not adequately reflect the state of the external environment. Examples of external information that goes beyond the corporate environment are the state of the market (its long-term and current state, trends in the business environment, fluctuations in supply and demand, instability of the situation, variability, contradictory requirements), changes in legislation, consumer expectations, “intrigues” of competitors, consequences of political events, etc.

Most of this information is open, but depending on the characteristics of internal activities and interaction with the outside world, some of the information may be intended “for official use,” i.e. be "strictly confidential" or "secret". Such information is, as a rule, “closed” and requires appropriate protection measures.

To ensure security when working with protected information, you should, firstly, establish a policy for working with confidential and proprietary information and develop and implement the appropriate guidelines and procedures and, secondly, provide the necessary software and hardware resources.

Software and hardware for working with protected information are either built into the corresponding modules of the corporate information system (CIS) or used locally in the systems specified in the information security policy. These include tools for:

  • monitoring the movement of confidential information through the information system (Data-in-Shell);
  • managing control of data leakage through network traffic via TCP/IP, SMTP, IMAP, HTTP(s), IM (ICQ, AOL, MSN), FTP, SQL and proprietary protocols by filtering content at the level of:
    • a gateway through which traffic flows from the internal network to the external network (Data-in-Motion);
    • a server that processes a certain type of traffic (Data-at-Rest);
    • a workstation (Data-in-Use);
    • internal mail channels such as Microsoft Exchange, Lotus Notes, etc.;
  • management control of leakage of protected information from workstations, peripheral and mobile
  • establishing proactive protection and personal firewalls;
  • shadow copying of information objects into a single content filtering database for all channels according to uniform rules.

Properly organizing the protection of protected data and information is neither easy nor cheap. To do this, you need to classify data, conduct a thorough inventory of information resources, select an adequate software and hardware solution, develop and implement a set of regulatory documents to ensure internal security. The main role in this difficult work of minimizing the risks of data leakage is played by the competence and will of the top management of the enterprise, current policies and effective software, as well as the trade secret regime when working with protected information.

Rapidly developing computer information technologies are making significant changes in our lives. Information has become a commodity that can be purchased, sold, and exchanged. Moreover, the cost of information is often hundreds of times greater than the cost of the computer system in which it is stored.

The well-being and sometimes the lives of many people currently depend on the degree of security of information technologies. This is the price to pay for the increasing complexity and widespread distribution of automated information processing systems.

Information security refers to the protection of an information system from accidental or intentional interference that causes damage to the owners or users of information.

In practice, three aspects of information security are most important:

  • availability (the ability to obtain the required information service within a reasonable time);
  • integrity (relevance and consistency of information, its protection from destruction and unauthorized changes);
  • confidentiality (protection from unauthorized reading).

Violations of the availability, integrity and confidentiality of information can be caused by various dangerous impacts on computer information systems.

Main threats to information security

A modern information system is a complex system consisting of a large number of components of varying degrees of autonomy that are interconnected and exchange data. Almost every component can be exposed to external influences or fail. The components of an automated information system can be divided into the following groups:

  • hardware: computers and their components (processors, monitors, terminals, peripheral devices such as disk drives, printers, controllers, cables, communication lines, etc.);
  • software: purchased programs, source, object and load modules; operating systems and system programs (compilers, linkers, etc.), utilities, diagnostic programs, etc.;
  • data: stored temporarily and permanently, on magnetic media, printed, archives, system logs, etc.;
  • staff: operating personnel and users.

Dangerous impacts on a computer information system can be divided into accidental and intentional. An analysis of experience in the design, manufacture and operation of information systems shows that information is subject to various accidental impacts at all stages of the system's life cycle. The causes of accidental impacts during operation may be:

  • emergencies due to natural disasters and power outages;
  • equipment failures and malfunctions;
  • software errors;
  • errors in personnel work;
  • interference in communication lines due to environmental influences.

Intentional impacts are targeted actions by an offender. The offender may be an employee, a visitor, a competitor, or a mercenary. The actions of the offender may be due to different motives:

  • employee dissatisfaction with his career;
  • bribe;
  • curiosity;
  • competition;
  • the desire to assert oneself at any cost.

You can create a hypothetical model of a potential violator:

  • qualification of the offender at the level of the developer of this system;
  • the violator can be either an outsider or a legitimate user of the system;
  • the offender knows information about the operating principles of the system;
  • the offender chooses the weakest link in the defense.

The most common and diverse type of computer violation is unauthorized access (NSD). NSD exploits any error in the security system and is made possible by a poor choice of security tools or by their incorrect installation and configuration.

Let's classify the NSD channels through which information can be stolen, changed or destroyed:

  • Through a person:
    • theft of storage media;
    • reading information from the screen or keyboard;
    • reading information from a printout.
  • Through the program:
    • password interception;
    • decryption of encrypted information;
    • copying information from storage media.
  • Via equipment:
    • connection of specially designed hardware that provides access to information;
    • interception of side electromagnetic radiation from equipment, communication lines, power supply networks, etc.

Particular attention should be paid to the threats to which computer networks may be exposed. The main feature of any computer network is that its components are distributed in space. Communication between network nodes is carried out physically using network lines and programmatically using a message mechanism. In this case, control messages and data sent between network nodes are transmitted in the form of exchange packets. Computer networks are characterized by the fact that so-called remote attacks can be carried out against them. The intruder may be located thousands of kilometers from the object being attacked, and the target may be not only a specific computer but also the information transmitted over network communication channels.

Ensuring information security

Formation of an information security regime is a complex problem. Measures to solve it can be divided into five levels:

  1. legislative (laws, regulations, standards, etc.);
  2. moral and ethical (all kinds of standards of behavior, non-compliance with which leads to a decline in the prestige of a particular person or an entire organization);
  3. administrative (general actions taken by the organization’s management);
  4. physical (mechanical, electro- and electronic-mechanical obstacles on possible entry routes for potential intruders);
  5. hardware and software (electronic devices and special information security programs).

The combined set of all these measures, aimed at countering security threats in order to minimize the possibility of damage, forms the protection system.

A reliable protection system must comply with the following principles:

  • The cost of protective equipment should be less than the amount of possible damage.
  • Each user must have the minimum set of privileges required to operate.
  • The easier it is for the user to work with the protection, the more effective it is.
  • Possibility of shutdown in case of emergency.
  • Specialists involved in the protection system must fully understand the principles of its operation and, in the event of difficult situations, respond adequately to them.
  • The entire information processing system must be protected.
  • The developers of the security system should not be among those whom this system will control.
  • The security system must provide evidence of the correctness of its operation.
  • Persons involved in ensuring information security must bear personal responsibility.
  • It is advisable to divide protected objects into groups so that a violation of protection in one of the groups does not affect the security of others.
  • A reliable security system must be fully tested and consistent.
  • Protection becomes more effective and flexible if it allows the administrator to change its parameters.
  • Security systems must be designed with the assumption that users will make serious mistakes and generally have the worst intentions.
  • The most important and critical decisions must be made by humans.
  • The existence of security mechanisms should be hidden, if possible, from the users whose work is being monitored.

Hardware and software for information security

Despite the fact that modern operating systems for personal computers, such as Windows 2000, Windows XP and Windows NT, have their own security subsystems, the relevance of creating additional security tools remains. The fact is that most systems are not able to protect data located outside of them, for example during network information exchange.

Hardware and software information security tools can be divided into five groups:

  1. User identification (recognition) and authentication (verification of authenticity) systems.
  2. Disk data encryption systems.
  3. Encryption systems for data transmitted over networks.
  4. Electronic data authentication systems.
  5. Cryptographic key management tools.

1. User identification and authentication systems

They are used to restrict access of random and illegal users to computer system resources. The general algorithm for the operation of such systems is to obtain identification information from the user, verify its authenticity, and then provide (or not provide) this user with the ability to work with the system.

When building these systems, the problem of choosing information on the basis of which user identification and authentication procedures are carried out arises. The following types can be distinguished:

  • secret information that the user has (password, secret key, personal identifier, etc.); the user must remember this information or special storage means can be used for it;
  • physiological parameters of a person (fingerprints, iris patterns, etc.) or behavioral characteristics (features of working on a keyboard, etc.).

Systems based on the first type of information are considered traditional. Systems that use the second type of information are called biometric. It should be noted that there is an emerging trend of rapid development of biometric identification systems.

2. Disk data encryption systems

To make information useless to an adversary, a set of data transformation methods called cryptography is used (from the Greek kryptos, hidden, and grapho, writing).

Encryption systems can perform cryptographic transformations of data at the file level or at the disk level. Programs of the first type include archivers such as ARJ and RAR, which allow the use of cryptographic methods to protect archive files. Examples of the second type of system are the Diskreet encryption program, part of the popular Norton Utilities software package, and BestCrypt.

Another classification feature of disk data encryption systems is the way they operate. According to the method of functioning, disk data encryption systems are divided into two classes:

  • "transparent" encryption systems;
  • systems specifically called to perform encryption.

In transparent encryption systems (on-the-fly encryption), cryptographic transformations are carried out in real time, unnoticed by the user. For example, a user writes a document prepared in a text editor to a protected disk, and the security system encrypts it during the writing process.

Second-class systems are usually utilities that must be specifically called to perform encryption. These include, for example, archivers with built-in password protection.

Most systems that offer to set a password for a document do not encrypt the information, but only require a password when accessing the document. Such systems include MS Office, 1C and many others.

3. Encryption systems for data transmitted over networks

There are two main encryption methods: channel encryption and terminal (subscriber) encryption.

With channel encryption, all information transmitted over the communication channel, including service information, is protected. This encryption method has the following advantage: embedding the encryption procedures in the data link layer allows the use of hardware, which helps improve system performance. However, this approach also has significant disadvantages:

  • encryption of service data complicates the mechanism for routing network packets and requires data decryption in intermediate communication devices (gateways, repeaters, etc.);
  • encryption of service information can lead to the appearance of statistical patterns in encrypted data, which affects the reliability of protection and imposes restrictions on the use of cryptographic algorithms.

Terminal (subscriber) encryption allows you to ensure the confidentiality of data transmitted between two subscribers. In this case, only the content of messages is protected, all service information remains open. The disadvantage is the ability to analyze information about the structure of the message exchange, such as the sender and recipient, the time and conditions of data transfer, and the amount of data transferred.

4. Electronic data authentication systems

When exchanging data over networks, the problem arises of authenticating both the author of a document and the document itself, i.e. establishing the authenticity of the author and checking that the received document has not been changed. To authenticate data, a message authentication code (MAC) or an electronic signature is used.

A message authentication code is generated from the plaintext data through a special encryption transformation using a secret key and is transmitted over the communication channel at the end of the encrypted data. The recipient, who holds the secret key, verifies the MAC by repeating on the received plaintext data the procedure previously performed by the sender.

An electronic digital signature is a relatively small amount of additional authentication information transmitted along with the signed text. The sender generates the digital signature using the sender's private key. The recipient verifies the signature using the sender's public key.

Thus, message authentication codes are implemented using the principles of symmetric encryption, and an electronic signature is implemented using asymmetric encryption. We will study these two encryption systems in more detail later.
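The two mechanisms above side by side, as an added example (not code from the original text): `mac_protect`/`mac_verify` append a tag to the end of the data and check it by recomputation with the shared secret key, while the `sig_*` functions show the private-key/public-key split. Assumptions: HMAC-SHA256 stands in for the unspecified MAC algorithm, and a hash-based Lamport one-time signature (one message per key pair) stands in for the asymmetric signature algorithm so that only the Python standard library is needed; all function names are illustrative.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

TAG_LEN = 32  # size of an HMAC-SHA256 tag in bytes


def mac_protect(key: bytes, data: bytes) -> bytes:
    """Sender: compute the MAC with the shared key and append it to the data."""
    return data + hmac.new(key, data, hashlib.sha256).digest()


def mac_verify(key: bytes, message: bytes) -> Optional[bytes]:
    """Recipient: repeat the sender's computation; return the data or None."""
    if len(message) < TAG_LEN:
        return None
    data, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return data if hmac.compare_digest(tag, expected) else None


def _digest_bits(data: bytes) -> List[int]:
    """The 256 bits of SHA-256(data), most significant bit first."""
    digest = hashlib.sha256(data).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sig_keygen():
    """Lamport key pair: private = 256 pairs of secrets, public = their hashes."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    public = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in private]
    return private, public


def sig_sign(private, data: bytes) -> List[bytes]:
    """Signer: reveal one secret per digest bit. Use each key pair only once."""
    return [private[i][bit] for i, bit in enumerate(_digest_bits(data))]


def sig_verify(public, data: bytes, signature: List[bytes]) -> bool:
    """Verifier: needs only the public key, so it cannot create signatures."""
    if len(signature) != 256:
        return False
    ok = True
    for i, bit in enumerate(_digest_bits(data)):
        ok &= hmac.compare_digest(hashlib.sha256(signature[i]).digest(), public[i][bit])
    return ok


if __name__ == "__main__":
    # Constructed sample message and freshly generated keys.
    order = b"transfer 100 to account 42"
    shared_key = secrets.token_bytes(32)
    sent = mac_protect(shared_key, order)
    print("MAC accepted:", mac_verify(shared_key, sent) == order)
    print("MAC after tampering:", mac_verify(shared_key, b"X" + sent[1:]))
    # The recipient holds the same key, so it could have produced `sent` itself:
    # a MAC proves origin to the key holders only, not to a third party.
    private, public = sig_keygen()
    signature = sig_sign(private, order)
    print("signature accepted:", sig_verify(public, order, signature))
    print("signature on altered text:", sig_verify(public, order + b"0", signature))
```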

5. Cryptographic key management tools

The security of any cryptosystem is determined by the cryptographic keys used. If key management is insecure, an attacker could obtain key information and gain full access to all information on a system or network.

The following types of key management functions are distinguished: generation, storage, and distribution of keys.

Key generation methods for symmetric and asymmetric cryptosystems are different. To generate keys for symmetric cryptosystems, hardware and software tools for generating random numbers are used. Key generation for asymmetric cryptosystems is more complex, since the keys must have certain mathematical properties. We will dwell on this issue in more detail when studying symmetric and asymmetric cryptosystems.

The storage function involves organizing the safe storage, recording and deletion of key information. To ensure secure storage of keys, they are encrypted using other keys. This approach leads to the concept of a key hierarchy. The key hierarchy typically includes a master key, a key encryption key, and a data encryption key. It should be noted that the generation and storage of the master key is a critical issue in cryptographic security.
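An added sketch of the key hierarchy described above (not from the original text): a master key wraps a key encryption key (KEK), the KEK wraps per-record data encryption keys (DEKs), and rotating the KEK re-wraps only the DEKs while the stored data is left untouched. Assumptions: the `KeyStore` class and its record layout are hypothetical, and `seal`/`unseal` are an HMAC-SHA256 keystream-plus-tag construction used as a standard-library stand-in for AES key wrap or an AEAD cipher from a vetted library.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (stand-in cipher)."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += _prf(key, nonce + counter.to_bytes(4, "big"))
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under `key`; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = _xor_stream(enc_key, nonce, plaintext)
    return nonce + ciphertext + _prf(mac_key, nonce + ciphertext)


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag, then decrypt; ValueError on a wrong key or tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _prf(mac_key, nonce + ciphertext)):
        raise ValueError("integrity check failed")
    return _xor_stream(enc_key, nonce, ciphertext)


class KeyStore:
    """Hypothetical store: only wrapped keys and sealed data are persisted."""

    def __init__(self, master_key: bytes):
        # Assumption: the master key lives outside the store (HSM, smart card).
        self._master = master_key
        self.wrapped_kek = seal(master_key, secrets.token_bytes(32))
        self.wrapped_deks = {}  # record id -> DEK wrapped under the KEK
        self.records = {}       # record id -> data sealed under its DEK

    def _kek(self) -> bytes:
        return unseal(self._master, self.wrapped_kek)

    def put(self, record_id: str, data: bytes) -> None:
        dek = secrets.token_bytes(32)  # fresh data encryption key per record
        self.wrapped_deks[record_id] = seal(self._kek(), dek)
        self.records[record_id] = seal(dek, data)

    def get(self, record_id: str) -> bytes:
        dek = unseal(self._kek(), self.wrapped_deks[record_id])
        return unseal(dek, self.records[record_id])

    def rotate_kek(self) -> None:
        """Replace the KEK: DEKs are re-wrapped, the bulk data is not touched."""
        old_kek, new_kek = self._kek(), secrets.token_bytes(32)
        self.wrapped_deks = {
            rid: seal(new_kek, unseal(old_kek, blob))
            for rid, blob in self.wrapped_deks.items()
        }
        self.wrapped_kek = seal(self._master, new_kek)


if __name__ == "__main__":
    store = KeyStore(secrets.token_bytes(32))
    store.put("doc-1", b"constructed sample: quarterly plan")
    sealed_before = store.records["doc-1"]
    store.rotate_kek()
    print("data readable after rotation:", store.get("doc-1"))
    print("data ciphertext unchanged:", store.records["doc-1"] == sealed_before)
```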

Distribution is the most critical process in key management. This process must ensure the confidentiality of the keys being distributed, and must also be fast and accurate. Keys are distributed among network users in two ways:

  • using direct exchange of session keys;
  • using one or more key distribution centers.

List of documents

  1. On State Secrets. Law of the Russian Federation of July 21, 1993 No. 5485-1 (as amended by Federal Law of October 6, 1997 No. 131-FZ).
  2. On Information, Informatization and Information Protection. Federal Law of the Russian Federation of February 20, 1995 No. 24-FZ. Adopted by the State Duma on January 25, 1995.
  3. On the Legal Protection of Programs for Electronic Computers and Databases. Law of the Russian Federation of February 23, 1992 No. 3524-1.
  4. On Electronic Digital Signature. Federal Law of the Russian Federation of January 10, 2002 No. 1-FZ.
  5. On Copyright and Related Rights. Law of the Russian Federation of July 9, 1993 No. 5351-1.
  6. On Federal Government Communications and Information Bodies. Law of the Russian Federation (as amended by Decree of the President of the Russian Federation of December 24, 1993 No. 2288 and Federal Law of November 7, 2000 No. 135-FZ).
  7. Regulations on the accreditation of testing laboratories and certification bodies for information security equipment according to information security requirements / State Technical Commission under the President of the Russian Federation.
  8. Instructions on the procedure for marking certificates of conformity, their copies and certification means of information security / State Technical Commission under the President of the Russian Federation.
  9. Regulations on certification of informatization objects according to information security requirements / State Technical Commission under the President of the Russian Federation.
  10. Regulations on certification of information security means according to information security requirements: with additions in accordance with Decree of the Government of the Russian Federation of June 26, 1995 No. 608 “On certification of information security means” / State Technical Commission under the President of the Russian Federation.
  11. Regulations on state licensing of activities in the field of information security / State Technical Commission under the President of the Russian Federation.
  12. Automated systems. Protection against unauthorized access to information. Classification of automated systems and requirements for information protection: Guiding document / State Technical Commission under the President of the Russian Federation.
  13. The concept of protecting computer equipment and automated systems from unauthorized access to information: Guiding document / State Technical Commission under the President of the Russian Federation.
  14. Computer facilities. Firewalls. Protection against unauthorized access to information. Indicators of security against unauthorized access to information: Guiding document / State Technical Commission under the President of the Russian Federation.
  15. Computer facilities. Protection against unauthorized access to information. Indicators of security against unauthorized access to information: Guiding document / State Technical Commission under the President of the Russian Federation.
  16. Data protection. Special protective signs. Classification and general requirements: Guiding document / State Technical Commission under the President of the Russian Federation.
  17. Protection against unauthorized access to information. Terms and definitions: Guiding document / State Technical Commission under the President of the Russian Federation.

Corporate security is not a new phenomenon at all. What has only recently come to be called by this term has existed since the beginning of trade. Each merchant sought to protect his professional secrets from competitors, so as not to lose profit.

Modern realities of corporate security of the company

In fact, modern corporate security is not much different from the old one. Only the realities in which businessmen must conduct their business are changing. Any company wants to be reliably protected not only from external threats, but also from internal ones. This problem is solved by corporate and information security specialists. They are faced with the task of carrying out a whole range of measures, including almost all areas of the company’s life:

  • protection of trade secrets;
  • internal work with employees;
  • internal counterintelligence;
  • official investigations;
  • economic security;
  • technical and physical protection.

If there are problems with at least one of these points, there will be trouble. Not long ago, a scandal erupted in the UK - hard drives with clinic patient data that were supposed to be destroyed suddenly ended up on eBay auctions.

Hospitals transferred the decommissioned disks to a contracting company, which, in turn, used the services of a private party. An enterprising Englishman, instead of conscientiously fulfilling his duties - destroying the media - put up disks with data for sale.

In this case, two points can be called “weak links” - internal work with employees and technical protection. Let's figure out why. The leak was caused by an overly long chain of intermediaries, as a result of which the customer was not even aware of who was directly involved in the destruction of disks and whose actions needed to be monitored. In addition, the very fact that hospitals transferred disks with unprotected personal data of patients to third parties is a technical omission of employees.

A responsible approach to ensuring corporate information security would help avoid this situation. Let's figure out what needs to be done to get a really working information security system.


Three difficult steps

Before starting to build an effective information security system, it is necessary to carefully analyze the data storage and processing system already existing in the enterprise. There are three main steps that need to be taken to do this:

1. Identifying critical information.

2. Identifying weaknesses in corporate security.

3. Assessing the possibilities for protecting this information.

All these actions can be performed either by your own employees, or you can order an audit of the company’s information security from specialists. The advantages of the first method are lower cost and, importantly, the lack of access to corporate data for third parties. However, if the organization does not have good full-time security audit specialists, then it is best to resort to the help of third-party companies - the result will be more reliable. This will help you avoid the most common mistakes in information security.

“The most common mistakes are underestimating and overestimating threats to business activity,” says Alexander Doronin, economic security expert and author of Business Intelligence. “In the first case, there are gaping holes in the enterprise’s security system, which for the organization results in direct damage from the leakage of confidential information, corporate fraud and outright theft of whatever comes to hand.

“When threats are overestimated, the security system not only places a heavy burden on the enterprise's budget, but also unjustifiably makes it difficult for the organization's employees to fulfill their assigned duties. This threatens the loss of possible profits and loss of competitiveness.”

Identifying critical information. At this stage, the identification of those documents and data occurs, the security of which is of great importance for the company, and the leakage of which causes huge losses. Most often, such information includes information constituting a trade secret, but not only.

For example, after the adoption of the new edition of the federal law “On Personal Data,” all information collected by an organization about its employees and clients also needs protection. Last year’s series of leaks from Megafon, online stores and Russian Railways, as well as the fines received by the perpetrators of these incidents, are the best proof of the need to protect such information.

It is important to remember: third-party auditors cannot independently compile a list of all documents that need to be protected. The work of the auditor should be performed jointly with an employee of the enterprise who is well aware of the peculiarities of document flow.

Identifying weaknesses in corporate security. This task is performed directly by the specialists conducting the audit. The choice of information security design scheme depends on the results of this work.

When identifying gaps in information and, as a consequence, corporate security, not only technical means are assessed. A very important point is the existence of a differentiation of employee access rights to this or that information, and a non-disclosure agreement on corporate information. It is also important to assess the loyalty of employees to management and relationships in the team - all of this is the responsibility of the HR department.

A recent example of a situation where a staff employee took advantage of his position and stole information was the theft by the Kenyan representative office of Google of information about the startup Mocality (an online business information database). Google was forced to make an official apology to the victims, and the head of the representative office, through whose fault the incident occurred, was removed from his position.

Assessment of information security capabilities. This is the final stage of the audit, during which, based on the analysis, a list of specific measures that must be taken to protect the company’s corporate secrets is compiled. Recommendations can be both technical and organizational in nature.

In addition, at this stage the financial capabilities of the company to protect information are analyzed, since many information protection tools may turn out to be too expensive for the enterprise. And some of these measures are simply not practical for small businesses. A special need arises if the organization uses 50 or more computers.

Installation of a DLP system always precedes a technical audit. After ordering, the customer is consulted by SearchInform engineers, who assess the company’s IT infrastructure and determine how much capacity is required to install the program.

Two-way protection

Information security is just one of many ways (albeit the most important) to ensure corporate protection. A set of measures is needed - technical and organizational.

Technical solutions for protecting corporate secrets include the installation of a DLP system (Data Leak Prevention). This set of software tools monitors all information flows in the organization - from email to programs that use encryption algorithms (for example, Skype) or the HTTPS protocol. All removable storage media, corporate computers and laptops are also under control.

An important feature of DLP systems is their autonomy. There is no need for a company to maintain an entire department dedicated to information security. Just a few specialists are enough.

Recent research by SearchInform, a leading player in the Russian information security market, has shown that DLP systems are not very popular now in Russia and the CIS countries. Just over half of organizations (58%) plan to install comprehensive security soon. The rest do not consider its implementation necessary or believe that partial protection is sufficient. However, information security will only be at an optimal level when comprehensive protection is provided.

A DLP system does more than reliably protect secrets. Its functions are much broader: with the right approach, you can obtain information about the mood of employees in the team and track the movement of key documents and of incoming and outgoing messages. As a result, DLP systems are also an effective aid in such important corporate security activities as internal counterintelligence and internal investigations.

However, technical data security and tracking employee actions alone are not enough. Organizational measures, work with employees, and development of internal documentation are also important.

“The corporate security system must be comprehensive, otherwise it will be like a joke: at the entrance, a security guard strictly checks the passes of the company’s employees, and twenty meters from the entrance there is a hole through which anyone can enter the company’s territory,” Alexander Doronin shares his experience.

Organizational work includes informing personnel about the presence of information security systems in the organization, the need to maintain trade secrets and the possible consequences of its disclosure, both for the company and for the employee himself. Creating a positive work environment is another key aspect of organizational measures. Corporate security is impossible if employees look at each other with distrust. Such a “cold war” will significantly slow down business processes. Therefore, it is worth recalling once again the important role of the HR department.

As for the development of internal documentation, the responsibilities of employees must be clearly stated, as well as their rights of access to certain documents. Each department must perform the tasks assigned to it - no more, but no less.

We must not forget about such seemingly basic things as the work of the security service. Physical protection of employees in the workplace is also an important part of corporate security.

Only by achieving such two-way - technical and organizational - protection, without exaggerating or minimizing the threat, can you create reliable corporate protection for the company.

The following aspects can be distinguished in the problem of information security:

Information integrity

Information integrity is its physical safety, protection from destruction and distortion, as well as its relevance and consistency.

Information integrity is divided into:

· static,

· dynamic.

Static integrity of information presupposes the immutability of information objects from their original state, determined by the author or source of information.

Dynamic integrity of information covers the correct performance of complex actions with information flows, for example, analyzing the flow of messages to identify incorrect ones, monitoring the correct transmission of messages, confirming individual messages, etc.

Integrity is the most important aspect of information security in cases where information is used to manage various processes, for example, technical, social, etc.

Thus, an error in the control program will lead to the stop of the controlled system, an incorrect interpretation of the law can lead to its violations, just as an inaccurate translation of the instructions for using a medicinal product can cause harm to health. All these examples illustrate a violation of the integrity of information, which can lead to catastrophic consequences. That is why information integrity is highlighted as one of the basic components of information security.

Integrity is a guarantee that information now exists in its original form, that is, no unauthorized changes were made during its storage or transmission.

For example, when recording information about college students on a computer’s hard drive, we hope that it will be stored there for an indefinitely long time (until we erase it ourselves) unchanged (that is, spontaneously, without our knowledge, the names of students in this list do not change). In addition, we count on the consistency of information, for example, that there will not be a one-year-old child on the list of students, or that the same student will not be on the lists of two groups at once.
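The student register above can be checked for both properties in code. The following Python sketch is an added example, not part of the original text: it detects unauthorized changes against a keyed baseline (static integrity) and applies the two consistency rules mentioned (no one-year-old student, no student in two groups). The record layout, the key and the age bounds are assumptions, and the data is constructed.

```python
import hashlib
import hmac
import json

# Constructed sample data: a small college student register.
STUDENTS = [
    {"id": 1, "name": "Ivanov A.", "birth_year": 2004, "group": "IS-21"},
    {"id": 2, "name": "Petrova M.", "birth_year": 2005, "group": "IS-21"},
    {"id": 3, "name": "Sidorov K.", "birth_year": 2003, "group": "IS-22"},
]
KEY = b"constructed-demo-key"   # assumption: kept apart from the data it protects
MIN_AGE, MAX_AGE = 14, 80       # assumed plausibility bounds for a student


def record_tag(record, key):
    """HMAC-SHA256 over a canonical JSON encoding of one record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"),
                           ensure_ascii=False).encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def make_baseline(records, key):
    """Capture the original, authorized state: record id -> tag."""
    return {r["id"]: record_tag(r, key) for r in records}


def static_violations(records, baseline, key):
    """Static integrity: report records that differ from the baseline."""
    current = {r["id"]: record_tag(r, key) for r in records}
    findings = []
    for rid, tag in baseline.items():
        if rid not in current:
            findings.append((rid, "deleted"))
        elif not hmac.compare_digest(current[rid], tag):
            findings.append((rid, "modified"))
    for rid in current:
        if rid not in baseline:
            findings.append((rid, "added"))
    return sorted(findings)


def consistency_violations(records, current_year):
    """Consistency: implausible ages and one student listed in two groups."""
    findings = []
    groups_by_person = {}
    for r in records:
        age = current_year - r["birth_year"]
        if not MIN_AGE <= age <= MAX_AGE:
            findings.append((r["id"], f"implausible age {age}"))
        person = (r["name"], r["birth_year"])
        groups_by_person.setdefault(person, set()).add(r["group"])
    for (name, _), groups in groups_by_person.items():
        if len(groups) > 1:
            findings.append((name, "listed in groups " + ", ".join(sorted(groups))))
    return findings


def demo():
    """Tamper with a copy of the register and run both checks."""
    baseline = make_baseline(STUDENTS, KEY)
    tampered = [dict(r) for r in STUDENTS]
    tampered[0]["name"] = "Ivanov B."            # silent change of a name
    del tampered[2]                              # record destroyed
    tampered.append({"id": 4, "name": "Petrova M.",
                     "birth_year": 2005, "group": "IS-22"})  # second group
    tampered.append({"id": 5, "name": "Kuznetsov D.",
                     "birth_year": 2023, "group": "IS-21"})  # one-year-old
    return (static_violations(tampered, baseline, KEY),
            consistency_violations(tampered, 2024))


if __name__ == "__main__":
    for finding in sum(demo(), []):
        print(finding)
```

A keyed tag is used instead of a bare hash so that someone who can rewrite both the records and the stored baseline, but does not hold the key, cannot produce a matching baseline.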

Availability of information

Availability of information is a guarantee that the user will receive the required information or information service within a certain time.

The role of information availability is especially evident in various types of management systems - production, transport, etc. Less dramatic, but also very unpleasant consequences - both material and moral - can be caused by the long-term unavailability of information services that are used by a large number of people, for example, sales of railway and air tickets, banking services, access to the Internet information network, etc.

The time factor in determining the availability of information in some cases is very important, since some types of information and information services are meaningful only during a certain period of time.

For example, receiving a pre-booked plane ticket after departure loses all meaning. Likewise, getting a weather forecast for yesterday does not make any sense, since that event has already occurred. In this context, the saying “A spoon is dear to dinner” is very appropriate.

Availability of information implies that the subject of information relations (user) has the opportunity to obtain the required information service within an acceptable time.

For example, when creating an information system with information about college students, we expect that with the help of this system at any time within a few seconds we will be able to obtain the required information (a list of students of any group, complete information about a specific student, final data, for example, the average age of students, the number of boys and girls, and so on).

It should be noted that electronic data processing systems are created specifically to provide certain information services. If the provision of such services becomes impossible, then this causes damage to all subjects of information relations. Therefore, without contrasting accessibility with other aspects, it is singled out as the most important element of information security.

Confidentiality of information

Almost all organizations have confidential information. This could be a production technology, a software product, personal data of employees, etc. In relation to computer systems, passwords for accessing the system are mandatory confidential data.

Confidentiality of information is a guarantee of the availability of specific information only to the circle of people for whom it is intended.

If access to confidential information is obtained by a person who does not have such a right, then such access is called unauthorized and is considered a violation of the protection of confidential information. A person who obtains or attempts to obtain unauthorized access to confidential information is called an intruder.

For example, if Sasha sent Masha a letter by email, then the information in this letter is confidential, since the secrecy of personal correspondence is protected by law. If Masha's brother, having hacked the password, gained access to Masha's mailbox and read the letter, then unauthorized access to confidential information has occurred, and Masha's brother is an attacker.

Ensuring information confidentiality is the most developed section of information security.

The Federal Law “On Information, Informatization and Information Protection” determines that information resources, that is, individual documents or arrays of documents, including in information systems, being the object of relations between individuals, legal entities and the state, are subject to mandatory accounting and protection, as any tangible property of the owner. In this case, the owner is given the right to independently, within his competence, establish a regime for protecting information resources and access to them. The law also establishes that “confidential information is such documented information, access to which is limited in accordance with the legislation of the Russian Federation.” At the same time, federal law may contain a direct provision according to which any information is classified as confidential information or access to it is limited. Thus, the federal law “On Information, Informatization and Information Protection” directly classifies personal data (information about citizens) as confidential information. The Russian Federation Law “On Banks and Banking Activities” limits access to information on transactions and accounts of bank clients and correspondents.

However, the direct rule does not apply to all information constituting confidential information. Sometimes only the characteristics that must be satisfied by this information are defined by law. This, in particular, applies to official and commercial secrets, the characteristics of which are determined by the Civil Code of the Russian Federation and are as follows:

· relevant information unknown to third parties

· there is no legal basis for free access to this information

· measures to ensure the confidentiality of information are taken by the owner of the information.

Confidential information is divided into:

· subject,

· service.

Subject information is information about some area of the real world, which, in fact, is what the attacker needs, for example, drawings of a submarine or information about the location of Osama Bin Laden. Service information does not relate to a specific subject area, but is related to the operating parameters of a particular data processing system. Service information primarily includes user passwords for working in the system. Having received service information (a password), an attacker can then use it to gain access to confidential information.

Violation of each of the three categories leads to a violation of information security as a whole. So, accessibility violation leads to denial of access to information, integrity violation leads to falsification of information and, finally, breach of confidentiality leads to information disclosure.

This aspect of information security has become extremely relevant recently due to the adoption of a number of international legal acts on the protection of intellectual property. This aspect mainly concerns the prevention of illegal use of programs.

So, for example, if a user installs an unlicensed Windows system on his computer, then there is a violation of information security.

In addition, this aspect concerns the use of information obtained from electronic sources. This problem has become more pressing due to the development of the Internet. A situation has arisen where an Internet user considers all information posted there as his personal property and uses it without any restrictions, often passing it off as his own intellectual product.

For example, a student “downloads” an essay from the Internet and submits it to the teacher under his last name.

Legislative acts and law enforcement practice related to this problem are still in their infancy.

It should be noted that although in all civilized countries there are laws to guard the security of citizens (including information security), in the field of computer technology law enforcement practice is not yet sufficiently developed, and the legislative process does not keep pace with the development of technology, therefore the process of ensuring information security is largely based on self-defense measures.

Therefore, it is necessary to understand where information security threats may come from and what they may be, what measures can be taken to protect information, and be able to competently apply these measures.

Information security: concept, goals, principles.

State policy for ensuring information security.

State of information security in Russia.

INFORMATION SECURITY: CONCEPT, GOALS, PRINCIPLES

In recent decades, the world has been experiencing a period of transition from an industrial society to an information society. There is a fundamental change in the method of production, people's worldview, and interstate relations. In terms of its significance and impact on society, this is comparable to the new worldwide industrial revolution, which is in no way inferior in significance to the revolutions of the past. It's actually about deployment and implementation. The level of development of the information space of society has a decisive influence on the economy, politics and many elements of statehood.

The use of opportunities opened up by the development of new information and telecommunication technologies is considered by the leadership of developed countries as the basis of their socio-economic, political and cultural development, as a means of solving the most pressing internal and external problems. The country's wealth and its security today are ensured not only by private property, capital, and the market, but also by their connection with colossal resources of a wide variety of knowledge and information technologies. Such a connection forms an information society, the main characteristics of which are:

  • openness of information and access to it for any subject at any time and anywhere;
  • the presence of technological systems that guarantee this openness;
  • the presence of national intellectual potential;
  • automation, robotization and technologization of any systems in any area of economic activity;
  • connection to global information channels.

The modern information revolution is associated with the invention of intelligent technologies based on gigantic information processing speeds. It provides a colossal increase in information circulating in society, which makes it possible to effectively solve economic, social, cultural, political and other problems. Modern information technologies in an effective open society provide access to almost all material and spiritual benefits, multiply intellectual resources, and, consequently, all other resources, promoting development. Without information technology, it is impossible to ensure effective economic growth, increase the level of education and qualifications of the population, create a modern credit and financial system, establish rational management of social processes, and improve the standard of living of citizens. The information society is a means of achieving national well-being, understood as prosperity, comfort, spiritual and intellectual wealth, freedom, justice, and security.

Expanding the information space of economic activity requires ensuring the security of producers, owners and consumers of information. The modern “dependence” of business on information technology can negatively affect the economic security of the enterprise, since the high degree of centralization of corporate information makes it especially vulnerable and increases the risk of data leakage. Thus, one of the components of economic security is information.

  • information - information about persons, objects, facts, events, phenomena and processes, regardless of the form of their presentation;
  • informatization - organizational socio-economic and scientific-technical process of creating optimal conditions for meeting information needs and realizing the rights of citizens, government bodies, local governments, organizations, public associations based on the formation and use of information resources;
  • documented information (document) - information recorded on a tangible medium with details that allow its identification;
  • information processes - processes of collecting, processing, accumulating, storing, searching and distributing information;
  • information system - an organizationally ordered set of documents and information technologies;
  • information resources - individual documents and arrays of documents in information systems (libraries, archives, funds, data banks, other information systems);
  • information about citizens (personal data) - information about facts, events and circumstances of a citizen’s life that allow his personality to be identified;
  • confidential information - documented information, access to which is limited in accordance with the legislation of a given state.

The information security of a state is understood as the state of protection of its national interests in the information sphere, determined by the totality of balanced interests of the individual, society and the state.

The interests of the individual in the information sphere lie in the implementation of the constitutional rights of man and citizen to access information, to use information in the interests of carrying out activities not prohibited by law, physical, spiritual and intellectual development, as well as to protect information that ensures personal safety.

The interests of society in the information sphere are to ensure the interests of the individual in this area, strengthening democracy, creating a legal social state, achieving and maintaining public harmony.

The interests of the state in the information sphere are to create conditions for the harmonious development of information infrastructure, the implementation of constitutional human rights and freedoms in the field of obtaining information and using it in order to ensure the inviolability of the constitutional system, sovereignty and territorial integrity of the state, political, economic and social stability, in unconditional ensuring law and order, developing equal and mutually beneficial international cooperation.

Based on the national interests of the state in the information sphere, strategic and current tasks of the state’s domestic and foreign policy to ensure information security are formed.

There are four main components of national interests in the information sphere:

  • 1) compliance with constitutional human rights and freedoms in the field of obtaining information and using it, preserving and strengthening the moral values of society, tradition, patriotism and humanism, the cultural and scientific potential of the country;
  • 2) information support for state policy, related to communicating to the public reliable information about state policy, its priorities and the official position on socially significant events, ensuring citizens’ access to open state information resources;
  • 3) development of modern information technologies, the domestic information industry, including the industry of information technology, telecommunications and communications, meeting the needs of the domestic market with its products and the entry of these products into the world market, as well as ensuring the accumulation, preservation and effective use of domestic information resources. In modern conditions, only on this basis can the problems of creating high-tech technologies, technological re-equipment of industry, and increasing the achievements of domestic science and technology be solved;
  • 4) protecting information resources from unauthorized access, ensuring the security of information and telecommunication systems.

The main goals of information security are:

  • protection of the national interests of the state in the context of the globalization of information processes, the formation of global information networks and the desire of developed countries for information dominance;
  • providing authorities and management, enterprises and citizens with reliable, complete and timely information necessary for decision-making, as well as preventing violations of the integrity and illegal use of information resources;
  • implementation of the rights of citizens, organizations and the state to receive, disseminate and use information.

The objects of information security include:

  • information resources, regardless of storage forms, containing information constituting state secrets and restricted access, trade secrets and other confidential information, as well as open (publicly available) information and knowledge;
  • a system for the formation, distribution and use of information resources, including information systems of various classes and purposes, libraries, archives and data banks, information technologies, regulations and procedures for collecting, processing, storing and transmitting information, scientific, technical and service personnel;
  • information infrastructure, including information processing and analysis centers, information exchange and telecommunication channels, mechanisms for ensuring the functioning of telecommunication systems and networks, including information security systems and means;
  • a system for the formation of public consciousness (worldview, moral values, etc.), based on the media;
  • the rights of citizens, enterprises and the state to receive, disseminate and use information, protect confidential information and intellectual property.

Information security of the listed objects creates conditions for the reliable functioning of state and public institutions, as well as the formation of public consciousness that meets the progressive development of the country.

It is necessary to distinguish between the concepts of “information security”, “security of information” and “information protection”. As shown above, the very general concept of “security” means “the state of protecting the vital interests of the individual, society and state from internal and external threats.” In this regard, it can be decomposed into two components:

  • safety of the content (meaning) of information - the absence in it of inducing a person to negative actions, deliberate mechanisms of negative impact on the human psyche or negative impact on another block of information (for example, information contained in a computer program called a computer virus);
  • protection of information from external influences (attempts of illegal copying, distribution, modification (change of meaning) or destruction).

The second component of the concept of “information security” will be called security of information. Thus, a series of three scientific categories is built: information security, security of information and information protection. Moreover, each subsequent category is an integral part of the previous one.

An event that may cause a disruption in the functioning of an economic entity (firm, enterprise, organization, etc.), including distortion, destruction or unauthorized use of processed information, is a threat. The possibility of threats being realized depends on the presence of vulnerabilities. The composition and specificity of vulnerabilities is determined by the type of tasks being solved, the nature of the information being processed, the hardware and software features of information processing at the enterprise, the availability of protective equipment and their characteristics.

Sources of information security threats can be divided into external and internal.

External sources include: unfriendly policies of a foreign state in the field of global information monitoring, dissemination of information and new information technologies; activities of foreign intelligence and special services; activities of foreign economic structures directed against the interests of a given state; criminal actions of international groups, formations and individuals; natural disasters and catastrophes.

Internal sources of threats are: illegal activities of political and economic structures in the field of formation, dissemination and use of information; unlawful actions of government agencies leading to violation of the legal rights of citizens and organizations in the information sphere; violation of established regulations for the collection, processing and transmission of information; hardware failures and software failures in information and telecommunication systems.

There are two main classes of information security threats.

  • 1. Unintentional, or random, actions, expressed in inadequate support for security mechanisms and management errors (for example, if users write passwords on pieces of paper and stick them to monitors, there can be no talk of any information protection).
  • 2. Deliberate threats - unauthorized acquisition of information and unauthorized manipulation of data, resources and systems themselves (for example, hard (optical) drives and magnetic tapes falling into the hands of unauthorized persons often leads to leakage of confidential information).

Today, for example, the widespread distribution of mobile information storage devices, such as flash drives, hard drives with a USB interface, etc., has led to the emergence of a new class of information security threats. Unauthorized use of such devices by disloyal employees can lead to information leakage from the corporate network. The only alternative to physically disabling USB ports may be the use of a special information security system. Most information security specialists consider mobile drives to be the main threat to business today (Fig. 12.1).

Fig. 12.1. The most common channels of information leakage (chart comparing 2007 and 2008 for: Internet pagers, mobile storage, email, Internet (webmail, forums), printing devices, photo supplies)

Email has long held a leading position in the ranking of the most dangerous leak channels. The reason is that mobile storage is more discreet: miniature storage devices that can hold tens of gigabytes of data - a capacity comparable to the capacity of hard drives. Their capacity, mobility and ease of connection are the main reasons for their proliferation as insider weapons. On the other hand, email in most businesses is closely monitored by security. And also, obviously, it is difficult to send a large amount of data in this way. It is not always possible to simply prohibit the use of mobile drives, since very often flash cards are required for production reasons. At the same time, today there is already a wide selection of specialized software that can prevent leaks programmatically.

Methods of influencing threats to information security objects are divided into information, software and mathematical, physical, radio-electronic, organizational and legal.

Informational methods include: violations of targeting and timeliness of information exchange, illegal collection and use of information; unauthorized access to information resources; manipulation of information (disinformation, concealment or distortion of information); illegal copying of data in information systems; use of the media from positions that are contrary to the interests of citizens, organizations and states; theft of information from libraries, archives, banks and databases; violation of information processing technology.

Software and mathematical methods include: introduction of virus programs; installation of software and hardware devices; destruction or modification of data in information systems.

Physical methods include: destruction or destruction of information processing and communication facilities; destruction, destruction or theft of machine and other original storage media; theft of software keys and means of cryptographic protection of information; impact on personnel; supply of “infected” information system components.

Radio-electronic methods are: interception of information in technical channels of its leakage; introduction of electronic information interception devices in technical facilities and premises; interception, decryption and imposition of false information in data networks and communication lines; impact on password-key systems; radio-electronic suppression of communication lines and control systems.

Organizational and legal methods include: procurement of imperfect or outdated information technologies and information tools; failure to comply with legal requirements and delays in adopting necessary regulatory provisions in the information sphere; unlawful restriction of access to documents containing information important to citizens and organizations.

In the economy, the following are most susceptible to information security threats:

  • state statistics system;
  • sources that generate information about the commercial activities of economic entities of all forms of ownership, about the consumer properties of goods and services;
  • systems for collecting and processing financial, stock exchange, tax, customs information, information on foreign economic activities of the state and commercial structures.

The state statistics system must have sufficient protection from serious and massive distortions. The main focus should be on protecting primary sources of information and aggregated reporting data. Ultimately, the information in this system must have completeness, reliability, sufficiency, comparability and regularity - properties necessary for making national decisions at the level of the state, industry, enterprise for conducting general economic analysis and forecasting economic development.

The normal functioning of business entities is disrupted due to the lack of legal provisions defining the responsibility of sources of information about commercial activities and consumer properties of goods and services for unreliability and concealment of information (about the results of real economic activity, investments, etc.). On the other hand, significant economic damage can be caused to government and business structures due to the disclosure of information containing trade secrets.

In systems for collecting and processing financial, stock exchange, tax, and customs information, the greatest danger from the point of view of information security is theft and deliberate distortion of information. This becomes possible through deliberate or accidental violation of the technology for working with information and through unauthorized access to it, both of which result from insufficient information security measures. The same danger exists in bodies involved in the formation and dissemination of information about foreign economic activity.

A serious danger to the normal functioning of the economy as a whole is posed by increasingly sophisticated computer crimes associated with the penetration of criminal elements into computer systems and networks.

The highest degree of automation that the information society strives for makes it dependent on the degree of security of the information technologies it uses, on which, in turn, the well-being and even the lives of many people depend.

With the mass computerization of information processes and the growing value and importance of information resources in economic development, the problem of reliably protecting information circulating in critical information systems becomes especially acute, i.e. preventing its distortion and destruction, unauthorized modification, illegal receipt and use. Well-known facts eloquently demonstrate the relevance of the problem of information technology security: every 20 seconds in the United States, a crime using software occurs. Moreover, in more than 80% of computer crimes, “burglars” penetrate the attacked system through the global Internet.

The intensive development of information processes could not but cause an increase in illegal actions. Added to computer errors is computer crime, which threatens to develop into a problem whose economic, environmental, political and military consequences could be catastrophic. Criminal groups and communities are beginning to actively use the latest achievements of science and technology in their activities.

The vulnerability of information is growing. At the same time, a particular danger is posed by "information terrorism" using global computer networks, the prevention of which is difficult, and the elimination of the consequences of which is extremely expensive.

As already noted, the use of modern means and methods of mass media ensures the controllability of society. Discussing the problem of "new colonization", the Russian philosopher A. Zinoviev singled out, among historical types of colonization, capture with forced transformation in his own way. This type of colonization corresponds to the present time. What is meant here is not a military takeover, but an ideological one: the introduction of unusual ideals and aspirations into the structure of life values of the colonized country, i.e. conducting information warfare. The result of this process of “Westernization”, according to Zinoviev, is that in “the colonized country the socio-political system of colonial democracy is forcibly created. Colonial democracy is something artificial, imposed on the country from the outside and contrary to the existing capabilities and trends of evolution. The appearance of sovereignty is maintained. Centers of a Western-style economy are being created under the control of Western banks or in the form of joint ventures.”

Today, the list of information-colonized countries is not limited to the so-called third world countries, since a single information space requires the unification of information and telecommunication technologies of all countries that are subjects of the network space, and the degree of informatization required today can only be achieved in a society with high scientific, technical and industrial potential and a sufficient cultural and educational level of the population. This makes it possible for powerful post-industrial powers, such as the USA and Japan, to strengthen their economic, political and military superiority through leadership in information technology, exercise global information control over the world community and actually impose their norms and rules.

The information-cultural and information-ideological expansion of Western leaders, carried out through global telecommunication networks, is causing concern in different countries of the world. The prospect of dependence and the possibility of loss of independence worries state leaders, public institutions and citizens alike. Many countries are already taking measures to protect their culture, traditions and spiritual values from alien information influence, building an effective system for ensuring information security.

  • See: Zinoviev A.A. No illusions. L'Age d'Homme. Lausanne, 1979.