Data security: ensuring the security of information. Chapter V

Rapidly developing computer information technologies are bringing noticeable changes to our lives. Information has become a commodity that can be bought, sold and exchanged, and its value is often hundreds of times greater than the cost of the computer system that stores it.

The well-being, and sometimes the lives, of many people depend on how secure information technology is. Such is the price of the complexity and ubiquity of automated information processing systems.

Information security is understood as the protection of an information system from accidental or deliberate interference that harms the owners or users of the information.

In practice, three aspects of information security are the most important:

  • availability (the ability to obtain the required information service within a reasonable time);
  • integrity (the relevance and consistency of information, and its protection from destruction and unauthorized modification);
  • confidentiality (protection against unauthorized reading).

Violations of the availability, integrity and confidentiality of information can be caused by various hazardous impacts on computer information systems.

The main threats to information security

A modern information system is a complex system consisting of a large number of components of varying degrees of autonomy that are interconnected and exchange data. Almost any component can be exposed to external influence or fail. The components of an automated information system can be divided into the following groups:

  • hardware: computers and their components (processors, monitors, terminals, peripherals such as disk drives, printers, controllers, cables, communication lines, etc.);
  • software: purchased programs; source, object and load modules; operating systems and system programs (compilers, linkers, etc.), utilities, diagnostic programs, etc.;
  • data: stored temporarily and permanently, on magnetic media, in printouts, archives, system logs, etc.;
  • staff: service personnel and users.

Hazardous impacts on a computer information system can be divided into accidental and intentional. Experience in designing, manufacturing and operating information systems shows that information is subjected to various random influences at all stages of the system life cycle. During operation, the causes of random influences can be:

  • emergencies due to natural disasters and power outages;
  • equipment failures and malfunctions;
  • software bugs;
  • errors by personnel;
  • interference on communication lines due to environmental influences.

Intentional impacts are targeted actions of an offender. The intruder may be an employee, a visitor, a competitor or a hired agent. The intruder's actions may be driven by various motives:

  • an employee's dissatisfaction with his career;
  • a bribe;
  • curiosity;
  • competitive struggle;
  • a striving for self-assertion at any cost.

A hypothetical model of a potential intruder can be drawn up:

  • the intruder's qualification is at the level of the developer of the system in question;
  • the intruder may be either an outsider or a legitimate user of the system;
  • the intruder knows how the system works in principle;
  • the intruder chooses the weakest link in the defence.

The most common and varied kind of computer violation is unauthorized access (UA). UA exploits any error in the protection system and becomes possible through an irrational choice of protection tools or their incorrect installation and configuration.

The UA channels through which information can be stolen, altered or destroyed can be classified as follows:

  • Through a person:
    • theft of storage media;
    • reading information from a screen or keyboard;
    • reading information from a printout.
  • Through software:
    • interception of passwords;
    • decryption of encrypted information;
    • copying information from media.
  • Through hardware:
    • connection of specially designed hardware that provides access to information;
    • interception of spurious electromagnetic emanations from equipment, communication lines, power supply networks, etc.

Particular attention should be paid to the threats to which computer networks are exposed. The main feature of any computer network is that its components are distributed in space. Communication between network nodes is carried out physically over network lines and programmatically by means of message exchange; the control messages and data sent between nodes are transmitted as packets. Computer networks are therefore characterized by the possibility of so-called remote attacks: an intruder can be thousands of kilometres from the attacked object, and the target may be not only a specific computer but also information transmitted over network communication channels.

Ensuring information security

Establishing an information security regime is a complex problem. Measures to address it can be divided into five levels:

  1. legislative (laws, regulations, standards, etc.);
  2. moral and ethical (norms of behaviour whose violation lowers the prestige of a particular person or of an entire organization);
  3. administrative (general actions taken by the management of the organization);
  4. physical (mechanical, electrical and electro-mechanical obstacles on the possible routes of penetration by potential intruders);
  5. hardware and software (electronic devices and special information security programs).

The combination of all these measures aimed at countering security threats, in order to minimize the possibility of damage, forms the protection system.

A reliable protection system must comply with the following principles:

  • The cost of protective measures should be less than the amount of possible damage.
  • Each user must have the minimum set of privileges needed to do his work.
  • Protection is more effective the easier it is for users to work with it.
  • It must be possible to switch the protection off in an emergency.
  • The specialists who deal with the protection system must fully understand how it works and be able to respond adequately to difficult situations.
  • The entire information processing system must be protected.
  • The developers of the protection system should not be among those whom the system will control.
  • The protection system must provide evidence that it is working correctly.
  • Those involved in ensuring information security should bear personal responsibility.
  • It is advisable to divide the protected objects into groups so that a breach of protection in one group does not affect the security of the others.
  • A reliable protection system must be fully tested and agreed upon.
  • Protection becomes more effective and flexible if it allows the administrator to change its settings.
  • The protection system must be designed on the assumption that users will make serious mistakes and, in general, have the worst intentions.
  • The most important and critical decisions must be made by a human.
  • The existence of security mechanisms should be concealed as far as possible from the users whose work is under control.

Hardware and software information security

Although modern operating systems for personal computers, such as Windows 2000, Windows XP and Windows NT, have their own protection subsystems, additional protection tools remain relevant: most systems are unable to protect data that is outside them, for example during network exchange.

Hardware and software information security tools can be divided into five groups:

  1. user identification (recognition) and authentication (identity verification) systems;
  2. disk data encryption systems;
  3. encryption systems for data transmitted over networks;
  4. electronic data authentication systems;
  5. cryptographic key management tools.

1. User identification and authentication systems

These restrict access to the resources of a computer system by casual and illegitimate users. The general algorithm is to obtain from the user information that proves his identity, verify its authenticity, and then grant (or deny) the user the ability to work with the system.

When building such systems, the question arises of which information the identification and authentication procedures should be based on. The following types can be distinguished:

  • secret information possessed by the user (a password, a secret key, a personal identifier, etc.); the user must remember this information, or special storage devices can be used for it;
  • physiological characteristics of a person (fingerprints, iris pattern, etc.) or behavioural traits (keyboard dynamics, etc.).

Systems based on the first type of information are considered traditional. Systems that use the second type are called biometric. A trend towards the accelerated development of biometric identification systems should be noted.
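The traditional (first-type) scheme described above, as an added example that is not part of the original text: the system never stores the user's secret itself, only a verifier derived from it with a random salt; at login it repeats the derivation and compares in constant time. The code uses only the Python standard library (PBKDF2-HMAC from hashlib). The function names, the record format, the iteration count, the dummy record and the user table are assumptions constructed for this illustration.

```python
import hashlib
import hmac
import secrets

# Parameters assumed for this example; raise ITERATIONS as hardware gets faster.
HASH_NAME = "sha256"
ITERATIONS = 200_000
SALT_LEN = 16


def enroll(password: str) -> str:
    """Produce a storable verifier. The secret itself is never written down:
    only a random salt and the PBKDF2 output derived from password + salt."""
    salt = secrets.token_bytes(SALT_LEN)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    # Self-describing record, so parameters can change later without breaking old entries.
    return "pbkdf2_%s$%d$%s$%s" % (HASH_NAME, ITERATIONS, salt.hex(), digest.hex())


def verify(record: str, password: str) -> bool:
    """Repeat the enrollment derivation with the stored parameters and compare
    in constant time, so a mismatch does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        prefix, hash_name = algo.split("_", 1)
        if prefix != "pbkdf2":
            return False
        candidate = hashlib.pbkdf2_hmac(
            hash_name, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except (ValueError, TypeError):
        # Malformed record: treat as a failed check rather than crashing the login path.
        return False


# Verifier for a throwaway password, used when the username does not exist, so that
# the login path does the same amount of work for unknown and known users and an
# attacker cannot enumerate usernames by timing (assumed design choice for this example).
_DUMMY_RECORD = enroll(secrets.token_hex(16))


def authenticate(users: dict, username: str, password: str) -> bool:
    """Identification (look up the name) followed by authentication (check the secret)."""
    record = users.get(username)
    if record is None:
        verify(_DUMMY_RECORD, password)  # burn the same time, then refuse
        return False
    return verify(record, password)


if __name__ == "__main__":
    # Constructed user table for the demonstration.
    users = {"alice": enroll("correct horse battery staple")}
    print(authenticate(users, "alice", "correct horse battery staple"))  # True
    print(authenticate(users, "alice", "wrong password"))                # False
    print(authenticate(users, "mallory", "anything"))                    # False
```

Two details matter more than the hash function: the salt makes identical passwords produce different records (a stolen table cannot be attacked with one precomputed dictionary), and the comparison uses hmac.compare_digest so that a wrong guess is rejected in the same time regardless of where it first differs.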

2. Disk data encryption systems

To render information useless to an adversary, a set of data transformation techniques called cryptography [from the Greek kryptos, hidden, and grapho, to write] is used.

Encryption systems can perform cryptographic transformations of data at the file level or at the disk level. Programs of the first type include archivers such as ARJ and RAR, which allow cryptographic methods to be used to protect archive files. Examples of the second type are the Diskreet encryption program, part of the popular Norton Utilities package, and BestCrypt.

Another classification criterion for disk data encryption systems is their mode of operation. By mode of operation, disk encryption systems fall into two classes:

  • "transparent" encryption systems;
  • systems that must be explicitly invoked to perform encryption.

In transparent (on-the-fly) encryption systems, the cryptographic transformations are carried out in real time, imperceptibly to the user. For example, the user saves a document prepared in a text editor to a protected disk, and the protection system encrypts it as it is written.

Systems of the second class are usually utilities that must be specifically invoked to perform encryption. These include, for example, archivers with built-in password protection.

Many systems that offer to set a password on a document do not encrypt the information but merely prompt for the password when the document is accessed; older versions of MS Office, 1C and many others work this way. Current versions of MS Office do encrypt the document contents when a password to open is set, so whether a product's password protection actually involves encryption must be checked per product and version rather than assumed.

3. Encryption systems for data transmitted over networks

There are two main approaches: link (channel) encryption and end-to-end (subscriber) encryption.

With link encryption, all information transmitted over a communication channel, including service (header) information, is protected. The advantage of this method is that embedding the encryption procedures at the data link layer allows a hardware implementation, which improves performance. However, the approach also has significant drawbacks:

  • encrypting the service data complicates packet routing and requires the data to be decrypted in intermediate communication devices (gateways, relays, etc.), where it is exposed in the clear;
  • encrypting the service information can introduce statistical regularities into the encrypted data, which weakens the protection and restricts the choice of cryptographic algorithms.

End-to-end (subscriber) encryption ensures the confidentiality of data transmitted between two subscribers. In this case only the content of messages is protected; all service information remains open. The drawback is that the structure of the exchange can be analysed: the sender and recipient, the time and conditions of transmission, and the amount of data transmitted.

4. Electronic data authentication systems

When exchanging data over networks, the problem arises of authenticating the author of a document and the document itself, i.e. establishing the author's identity and verifying that the received document has not been altered. For data authentication, a message authentication code (in Russian terminology an imitovstavka, "imitation insert") or an electronic signature is used.

A message authentication code is generated from the open data by a special cryptographic transformation using a secret key and is transmitted over the communication channel after the encrypted data. The receiver, who holds the same secret key, verifies the code by repeating the procedure previously performed by the sender on the received open data.

An electronic digital signature is a relatively small amount of additional authenticating information transmitted together with the signed text. The sender generates the signature using the sender's private key; the recipient verifies it using the sender's public key.

Thus the principles of symmetric encryption are used to implement message authentication codes, and asymmetric encryption to implement electronic signatures. Note the practical difference: because the receiver holds the same secret key as the sender, a message authentication code proves to the receiver that the data came from a key holder, but it cannot prove that to a third party (the receiver could have produced the code itself), whereas a signature made with a private key that only the sender holds can. We will study these two encryption systems in more detail later.
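The message authentication code exchange described above, as an added example that is not part of the original text: the sender computes the code over the open data with the shared key and appends it after the data; the receiver repeats the computation on what it received and compares. HMAC-SHA256 from the Python standard library stands in for the "special encryption transformation"; the function names and the sample message are assumptions constructed for this illustration.

```python
import hashlib
import hmac
import secrets

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256


def protect(key: bytes, message: bytes) -> bytes:
    """Sender: compute the code over the open data and transmit it after the data."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def verify(key: bytes, received: bytes):
    """Receiver: split off the code, repeat the sender's computation on the received
    data, and compare in constant time. Returns the message, or None on any mismatch."""
    if len(received) < TAG_LEN:
        return None  # too short to even carry a code
    message, tag = received[:-TAG_LEN], received[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # data altered, code altered, or wrong key
    return message


def flip_bit(data: bytes, byte_index: int) -> bytes:
    """Model an in-transit modification of a single bit (used to show detection)."""
    altered = bytearray(data)
    altered[byte_index] ^= 0x01
    return bytes(altered)


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # shared in advance by sender and receiver
    wire = protect(key, b"transfer 100 to account 42")   # constructed sample message
    print(verify(key, wire))                              # b'transfer 100 to account 42'
    print(verify(key, flip_bit(wire, 9)))                 # None: payload changed
    print(verify(key, flip_bit(wire, len(wire) - 1)))     # None: code changed
    print(verify(secrets.token_bytes(32), wire))          # None: different key
    # Both parties hold the key, so the receiver can produce an equally valid code;
    # this is why a MAC cannot settle a dispute between sender and receiver.
    forged = protect(key, b"transfer 900 to account 42")
    print(verify(key, forged) is not None)                # True
```

The text places the code after the encrypted data; when a MAC is combined with encryption, compute it over the ciphertext (encrypt-then-MAC) and verify it before decrypting, so that a tampered message is discarded before the receiver processes attacker-controlled plaintext.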

5. Cryptographic key management tools

The security of any cryptosystem is determined by the cryptographic keys used. With weak key management, an attacker can obtain key material and gain full access to all information in a system or network.

Key management comprises the following functions: generation, storage and distribution of keys.

Key generation differs between symmetric and asymmetric cryptosystems. Keys for symmetric cryptosystems are generated with hardware and software random-number generators. Key generation for asymmetric cryptosystems is more involved, since the keys must have certain mathematical properties. We will return to this question when studying symmetric and asymmetric cryptosystems.

The storage function involves organizing the secure storage, accounting and deletion of key material. To store keys securely, they are encrypted under other keys. This approach leads to the concept of a key hierarchy, which typically includes a master key, key-encryption keys and data-encryption keys. Note that the generation and storage of the master key is a critical cryptographic issue.
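The three-level hierarchy described above, as an added example that is not part of the original text: a master key derives a key-encryption key (KEK), the KEK wraps a data-encryption key (DEK), and the bulk data would be encrypted under the DEK. To stay dependency-free it is built only from HMAC-SHA256 in the Python standard library: the wrap XORs the DEK with a one-time HMAC-derived pad and appends an HMAC tag (encrypt-then-MAC). That construction is an illustration; a production system would use a standard key-wrap or AEAD such as AES-KW or AES-GCM and hold the master key in an HSM. Function names, derivation labels and the key values are assumptions for this example.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32    # size of every key in the hierarchy
NONCE_LEN = 16  # fresh per wrap; the pad must never be reused
TAG_LEN = 32    # HMAC-SHA256 output


def derive_subkey(master_key: bytes, label: bytes) -> bytes:
    """Master key -> purpose-specific key (e.g. a KEK). HMAC acts as a PRF, so each
    label yields an independent key and the master key is never used directly."""
    return hmac.new(master_key, b"derive:" + label, hashlib.sha256).digest()


def wrap(kek: bytes, dek: bytes) -> bytes:
    """Protect a DEK under a KEK: nonce || (dek XOR pad) || tag.
    The pad is HMAC(kek, nonce), used exactly once; the tag authenticates nonce and
    ciphertext so that a modified blob is rejected before any key material is released."""
    if len(dek) != KEY_LEN:
        raise ValueError("DEK must be %d bytes" % KEY_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    pad = hmac.new(kek, b"enc:" + nonce, hashlib.sha256).digest()
    ciphertext = bytes(a ^ b for a, b in zip(dek, pad))
    tag = hmac.new(kek, b"mac:" + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unwrap(kek: bytes, blob: bytes):
    """Recover the DEK, or return None if the blob is malformed, tampered with,
    or was wrapped under a different KEK. The tag is checked first, in constant time."""
    if len(blob) != NONCE_LEN + KEY_LEN + TAG_LEN:
        return None
    nonce = blob[:NONCE_LEN]
    ciphertext = blob[NONCE_LEN:NONCE_LEN + KEY_LEN]
    tag = blob[NONCE_LEN + KEY_LEN:]
    expected = hmac.new(kek, b"mac:" + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    pad = hmac.new(kek, b"enc:" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ciphertext, pad))


def rotate_kek(old_kek: bytes, new_kek: bytes, wrapped_dek: bytes):
    """Rotate the KEK: only the small wrapped blob is rewritten; the bulk data,
    still encrypted under the unchanged DEK, is not touched."""
    dek = unwrap(old_kek, wrapped_dek)
    return None if dek is None else wrap(new_kek, dek)


if __name__ == "__main__":
    master = secrets.token_bytes(KEY_LEN)      # in practice generated and held in an HSM
    kek_v1 = derive_subkey(master, b"kek-v1")
    dek = secrets.token_bytes(KEY_LEN)         # would encrypt the actual data
    stored = wrap(kek_v1, dek)                 # what the key store keeps on disk
    print(unwrap(kek_v1, stored) == dek)                     # True
    print(unwrap(derive_subkey(master, b"kek-v2"), stored))  # None: wrong KEK
    kek_v2 = derive_subkey(master, b"kek-v2")
    stored = rotate_kek(kek_v1, kek_v2, stored)
    print(unwrap(kek_v2, stored) == dek)                     # True
```

The point of the hierarchy shows in rotate_kek: a compromised or expired KEK is replaced by rewrapping a few dozen bytes per DEK, while the data encrypted under the DEKs stays as it is. Only the master key has to be protected by other means, which is why the text singles out its generation and storage as critical.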

Distribution is the most critical process in key management. It must keep the distributed keys secret and must be both timely and accurate. Keys are distributed among network users in two ways:

  • by direct exchange of session keys;
  • through one or more key distribution centres.


The essence of the concept of "information security"

Whereas information security is a state of protection of the information environment, information protection is the activity of preventing leakage of protected information and unauthorized or unintended impacts on it, i.e. the process aimed at achieving that state.

Information security of an organization is the purposeful activity of its bodies and officials, using permitted forces and means, to achieve a state of protection of the organization's information environment that ensures its normal functioning and dynamic development.

An information protection tuple is a sequence of actions for achieving a specific goal.

Information security of the state is the state of preservation of the state's information resources and of protection of the legal rights of the individual and society in the information sphere.

Standardized Definitions


Information Security- protection of confidentiality, integrity and availability of information.

  1. Confidentiality: property of information resources, including information, related to the fact that they will not become available and will not be disclosed to unauthorized persons.
  2. Integrity: the immutability of information in the process of its transmission or storage.
  3. Availability: a property of information resources, including information, which determines the possibility of their receipt and use at the request of authorized persons.

Information security (English: information security) - all aspects related to defining, achieving and maintaining the confidentiality, integrity, availability, non-repudiation, accountability, authenticity and reliability of information or of the means of processing it.

Information (data) security (English: information (data) security) - the state of protection of information (data) that ensures its confidentiality, availability and integrity.

The security of information (data) is determined by the absence of unacceptable risk associated with leakage of information through technical channels and with unauthorized or unintended impacts on the data and (or) other resources of the automated information system.

Information security (when using information technology) (English: IT security) - the state of protection of information that ensures the security of the information technology used to process it and of the automated information system in which that technology is implemented.

Security of an automated information system - the state of protection of the automated system that ensures the confidentiality, availability, integrity, accountability and authenticity of its resources.

Information security is the protection of information and supporting infrastructure from accidental or intentional impacts of a natural or artificial nature that can cause unacceptable damage to the subjects of information relations. Supporting infrastructure - electrical, heat, water, gas supply systems, air conditioning systems, etc., as well as maintenance personnel. Unacceptable damage is damage that cannot be neglected.

Essential features of the concept

Three categories are most often cited as the standard security model: confidentiality, integrity and availability.

There are other, not always mandatory, categories of the security model: non-repudiation, accountability, authenticity and reliability.

The State Standard of the Russian Federation gives the following recommendation on the use of the terms "safety" and "safe":

The words "safety" and "safe" should be used only to express confidence and assurance about risk.

The words "safety" and "safe" should not be used as descriptive adjectives, as they convey no useful information. Wherever possible, they should be replaced by attributes of the object, for example:

  • "protective helmet" instead of "safety helmet";
  • "non-slip flooring" instead of "safe flooring".

The same recommendation applies to the term "information security". It is preferable to use more precise characteristics of the objects, treated as attributes of the concept of "information security". For example, the argument "to prevent threats to the availability of the object" (or "to preserve data integrity") is more precise than "based on information security requirements".

The scope (implementation) of the concept of "information security"

A systematic approach to describing information security identifies the following components:

  1. the legislative, regulatory and scientific base;
  2. the structure and tasks of the bodies (divisions) that ensure information security;
  3. organizational, technical and regime measures and methods (the information security policy);
  4. software and hardware methods and means of ensuring information security.

Each of these components is discussed in detail below in this section.

The purpose of implementing information security for any object is to build an information security assurance system for that object (ISAS). To build and operate an ISAS effectively, it is necessary to:

  • identify the information security requirements specific to the given object of protection;
  • take into account the requirements of national and international legislation;
  • use established practices (standards, methodologies) for building similar systems;
  • determine the units responsible for implementing and supporting the ISAS;
  • allocate areas of responsibility for implementing the ISAS requirements between departments;
  • on the basis of information security risk management, determine the general provisions and the technical and organizational requirements that make up the information security policy of the protected object;
  • implement the requirements of the information security policy by introducing appropriate software and hardware methods and means of protecting information;
  • implement an information security management system (ISMS);
  • using the ISMS, organize regular monitoring of the effectiveness of the ISAS and, where necessary, review and adjust both the ISAS and the ISMS.

As the last step shows, the process of implementing the ISAS is continuous: after each revision it cyclically returns to the first step and repeats the others in sequence. In this way the ISAS is adjusted so that it effectively protects information and meets the new requirements of a constantly evolving information system.

Regulatory documents in the field of information security

In the Russian Federation, the regulatory legal acts in the field of information security include:

Acts of federal legislation:

  • international treaties of the Russian Federation;
  • the Constitution of the Russian Federation;
  • federal-level laws (including federal constitutional laws and codes);
  • decrees of the President of the Russian Federation;
  • resolutions of the Government of the Russian Federation;
  • normative legal acts of federal ministries and departments;
  • normative legal acts of the constituent entities of the Russian Federation, local governments, etc.

The lists and contents of these regulatory documents are discussed in more detail in the section on information law.

Regulatory and methodological documents include:

  • methodological documents of Russian state bodies:
    • the Information Security Doctrine of the Russian Federation;
    • guiding documents of the FSTEC (formerly the State Technical Commission of Russia);
    • FSB orders;
  • information security standards, comprising:
    • international standards;
    • state (national) standards of the Russian Federation;
    • recommendations on standardization;
    • methodological guidelines.

Bodies (divisions) ensuring information security

Depending on where information protection activity takes place (in state authorities or in commercial organizations), it is organized either by special state bodies (divisions) or by departments (services) of the enterprise.

State bodies of the Russian Federation that oversee activities in the field of information security:

  • Federal Service for Technical and Export Control (FSTEC of Russia);
  • Federal Security Service of the Russian Federation (FSB of Russia);
  • Federal Protective Service of the Russian Federation (FSO of Russia);
  • Foreign Intelligence Service of the Russian Federation (SVR of Russia);
  • Ministry of Defence of the Russian Federation;
  • Ministry of Internal Affairs of the Russian Federation (MVD of Russia);
  • Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor).

Services that organize information protection at the enterprise level:

  • Personnel Security Service (Security Department);
  • Human Resources Department;

Organizational, technical and regime measures and methods

To describe the information security technology of a particular information system, a so-called information security policy (or security policy of the information system in question) is usually drawn up.

Security policy (of information in an organization) (English: organizational security policy) - the set of documented rules, procedures, practices or guidelines in the field of information security that guides the organization in its activities.

Security policy for information and telecommunication technologies (English: ICT security policy) - the rules, directives and established practices that determine how assets, including critical information, are managed, protected and distributed within the organization and its information and telecommunication technologies.

To build an information security policy, it is recommended to consider the following areas of information system protection separately:

  • protection of information system objects;
  • protection of processes, procedures and information-processing programs;
  • protection of communication channels (acoustic, infrared, wired, radio, etc.);
  • suppression of side electromagnetic emanations;
  • management of the protection system.

For each of these areas, the information security policy should describe the following stages of creating information protection tools:

  1. definition of the information and technical resources to be protected;
  2. identification of the full set of potential threats and information leakage channels;
  3. assessment of the vulnerability of the information and of the risks given the threats and leakage channels;
  4. determination of the requirements for the protection system;
  5. selection of information security tools and their characteristics;
  6. implementation and organization of the use of the selected measures, methods and means of protection;
  7. integrity control and management of the protection system.

The information security policy is formalized as documented requirements for the information system. The documents are usually divided by the level of description (detail) of the protection process.

Top-level information security policy documents reflect the organization's position on information security and its intention to comply with state and international requirements and standards in this area. Such documents may be called "IS Concept", "IS Management Regulation", "IS Policy", "IS Technical Standard", etc. The scope of distribution of top-level documents is usually not restricted; however, they may be issued in two editions, for external and for internal use.

According to GOST R ISO/IEC 17799-2005, the following top-level information security policy documents should be drawn up: "IS Security Concept", "Rules for the Acceptable Use of Information System Resources", "Business Continuity Plan".

Middle-level documents cover particular aspects of information security: requirements for creating and operating information security tools, and for organizing the information and business processes of the organization in a specific area of information security. For example: data security, communications security, use of cryptographic protection tools, content filtering, etc. Such documents are usually published as internal technical and organizational policies (standards) of the organization. All middle-level information security policy documents are confidential.

The lower level of the information security policy comprises work regulations, administration manuals and operating instructions for individual information security services.

Software and hardware methods and means of ensuring information security

The literature suggests the following classification of information security tools.

Organizational protection of informatization objects

Organizational protection- this is the regulation of production activities and the relationship of performers on a regulatory basis, which excludes or significantly hinders the unlawful possession of confidential information and the manifestation of internal and external threats. Organizational protection provides:

  • organization of security, regime, work with personnel, with documents;
  • the use of technical security equipment and information and analytical activities to identify internal and external threats to business activities.

The main organizational activities include:

  • organization of the security regime and guarding. Its goal is to exclude the possibility of covert entry of unauthorized persons into the territory and premises;
  • organization of work with employees, which provides for the selection and placement of personnel, including getting acquainted with employees, studying them, training them in the rules for working with confidential information, and familiarizing them with the measures of responsibility for violating information protection rules, etc.;
  • organization of work with documents and documented information, including the development and use of documents and media carrying confidential information, their accounting, execution, return, storage and destruction;
  • organization of the use of technical means for collecting, processing, accumulating and storing confidential information;
  • organization of work on the analysis of internal and external threats to confidential information and the development of measures to ensure its protection;
  • organization of systematic control over the work of personnel with confidential information, and over the procedure for accounting, storage and destruction of documents and technical media.

In each case, organizational measures have a specific form and content for this organization, aimed at ensuring the security of information in specific conditions.

Historical aspects of the emergence and development of information security

Objectively, the category of "information security" arose with the appearance of information communications between people, as well as with a person's awareness that people and their communities have interests that can be damaged by influencing the means of information communications, whose presence and development ensures information exchange between all elements of society.

Given the impact on the transformation of information security ideas, several stages can be distinguished in the development of information communications:

  • Stage I - until 1816 - is characterized by the use of naturally occurring means of information communications. During this period, the main task of information security was to protect information about events, facts, property, location and other data that are of vital importance to a person personally or to the community to which he belonged.
  • Stage II - starting from 1816 - is associated with the beginning of the use of artificially created technical means of electrical and radio communications. To ensure the secrecy and noise immunity of radio communications, it was necessary to use the experience of the first period of information security at a higher technological level, namely the use of noise-resistant coding of a message (signal) with subsequent decoding of the received message (signal).
  • Stage III - starting from 1935 - is associated with the advent of radar and hydroacoustic means. The main way to ensure information security in this period was a combination of organizational and technical measures aimed at increasing the security of radar facilities from the effects of active masking and passive simulating electronic interference on their receiving devices.
  • Stage IV - starting from 1946 - is associated with the invention and introduction into practice of electronic computers (computers). The tasks of information security were solved mainly by methods and ways of restricting physical access to the equipment of the means of obtaining, processing and transmitting information.
  • Stage V - starting in 1965 - is due to the creation and development of local networks. The tasks of information security were still solved mainly by methods and means of physical protection of the means of obtaining, processing and transmitting information, united in a local network, and by administering and managing access to network resources.
  • Stage VI - since 1973 - is associated with the use of ultra-mobile communication devices with a wide range of tasks. Information security threats have become much more serious. To ensure information security in computer systems with wireless networks data transmission required the development of new security criteria. Communities of people have formed - hackers, whose goal is to damage the information security of individual users, organizations and entire countries. Information resource became the most important resource of the state, and ensuring its security - the most important and mandatory component of national security. Information law is being formed - a new branch of the international legal system.
  • Stage VII - starting from 1985 - is associated with the creation and development of global information and communication networks using space support tools. It can be assumed that the next stage in the development of information security will obviously be associated with the widespread use of ultra-mobile communication devices with a wide range of tasks and global coverage in space and time provided by space information and communication systems. To solve the problems of information security at this stage, it is necessary to create a macro-system of information security of mankind under the auspices of leading international forums.

See also

  • Abstract models of information security
  • State information policy of Russia
  • Criteria for determining the security of computer systems
  • Undeclared Capabilities
  • Standard of the Bank of Russia for ensuring information security of organizations of the banking system of the Russian Federation (STO BR IBBS)
  • Offenses in the field of technical security of systems
  • Protection of information from leakage through material channels

Notes

  1. National standard of the Russian Federation "Information protection. Basic terms and definitions" (GOST R 50922-2006).
  2. National standard of the Russian Federation "Information technology. Practical rules for information security management" (GOST R ISO/IEC 17799-2005).
  3. Security: theory, paradigm, concept, culture. Dictionary-reference book / Author-comp. Professor V. F. Pilipenko. 2nd ed., add. and reworked. M.: PER SE-Press, 2005.
  4. Information security (2nd book of the socio-political project "Actual problems of social security"). M.: "Arms and technologies", 2009.
  5. National standard of the Russian Federation "Methods and means of ensuring security. Part 1. The concept and models of security management of information and telecommunication technologies" (GOST R ISO/IEC 13335-1-2006).
  6. Recommendations for standardization "Information technologies. Basic terms and definitions in the field of technical protection of information" (R 50.1.053-2005).
  7. Search. Glossary.ru
  8. Recommendations for standardization "Technical protection of information. Basic terms and definitions" (R 50.1.056-2005).
  9. State standard of the Russian Federation "Aspects of security. Rules for inclusion in standards" (GOST R 51898-2002).
  10. Domarev V. V. Safety of information technologies. System approach. K.: OOO TID Dia Soft, 2004. 992 p.
  11. Lapina M. A., Revin A. G., Lapin V. I. Information law. M.: UNITY-DANA, Law and Law, 2004.
  12. Information security in modern database management systems

Literature

  • Barman Scott. Development of information security rules. M.: Williams, 2002. 208 p. ISBN 5-8459-0323-8, ISBN 1-57870-264-X.
  • Galatenko V. A. Information security standards. M.: Internet University of Information Technologies, 2006. 264 p. ISBN 5-9556-0053-1.
  • Galitsky A. V., Ryabko S. D., Shangin V. F. Protection of information in the network: analysis of technologies and synthesis of solutions. M.: DMK Press, 2004. 616 p. ISBN 5-94074-244-0.
  • Zapechnikov S. V., Miloslavskaya N. G., Tolstoy A. I., Ushakov D. V. Information security of open systems. In 2 vols.
    • Volume 1. Threats, vulnerabilities, attacks and approaches to protection. M.: Hotline-Telecom, 2006. 536 p. ISBN 5-93517-291-1, ISBN 5-93517-319-0.
    • Volume 2. Means of protection in networks. M.: Hotline-Telecom, 2008. 560 p. ISBN 978-5-9912-0034-9.
  • Lepekhin A. N. Investigation of crimes against information security. Theoretical-legal and applied aspects. M.: Tesey, 2008. - 176 p. - ISBN 978-985-463-258-2.
  • Lopatin V. N. Information security of Russia: Man, society, state Series: Security of man and society. M.: 2000. - 428 p. - ISBN 5-93598-030-4.
  • Rodichev Yu. Information Security: Regulatory and Legal Aspects. St. Petersburg: Piter, 2008. - 272 p. - ISBN 978-5-388-00069-9.
  • Petrenko S. A., Kurbatov V. A. Information security policies. - M.: Company

Introduction


Information is the most important resource of human society. It is expressed in the multidimensional information potential accumulated over many years and stored on the territory inhabited by a given society, that is, on our planet. The growing volume of information of various kinds (symbolic, textual, graphic, etc.) and the expanding circle of its users create the need to control its reliability and to protect it against unauthorized access, distortion, loss and copying, in order to comply with national and international legislation as well as the rights of the authors of information.

The development of new information technologies and general computerization have led to the fact that information security is not only becoming mandatory, it is also one of the characteristics of the information system. There is a rather extensive class of information processing systems in the development of which the security factor plays a primary role (for example, banking information systems).

An information system is a set of interconnected means that store and process information; such systems are also called information and computing systems. The information system receives data from an information source. This data is sent to storage or undergoes some processing in the system and is then transferred to the consumer.

The security of an information system is understood as the protection of the system from accidental or deliberate interference in the normal process of its functioning, from attempts to steal (unauthorized receipt) of information, modification or physical destruction of its components. In other words, it is the ability to counteract various disturbing influences on the information system.

An information security threat refers to events or actions that can lead to distortion, unauthorized use, or even destruction of the information resources of the managed system, as well as software and hardware.

A person who tries to disrupt the operation of an information system or gain unauthorized access to information is usually referred to as a hacker or "software pirate".

In their illegal actions aimed at mastering other people's secrets, hackers seek to find such sources of confidential information that would give them the most reliable information in the maximum amount with minimal cost to obtain it. With the help of various tricks and a variety of techniques and means, ways and approaches to such sources are selected. In this case, the source of information means a material object that has certain information that is of particular interest to attackers or competitors.

Currently, ensuring the protection of information requires not just the development of individual protection mechanisms, but the implementation of a systematic approach that includes a set of interrelated measures (the use of special hardware and software tools, organizational measures, legal acts, moral and ethical countermeasures, etc.). The complex nature of protection stems from the complex actions of intruders, who seek by any means to obtain the information that is important to them.

Today it can be argued that a new modern technology is being born - the technology of protecting information in computer information systems and in data transmission networks. The implementation of this technology requires increasing costs and effort. However, all this makes it possible to avoid significantly greater losses and damage that may occur during the actual implementation of threats to the information system and information technologies.

Information security measures

Information security emphasizes the importance of information in modern society: the understanding that information is a valuable resource, something more than individual data elements. Information security refers to measures to protect information from unauthorized access, destruction, modification, disclosure and delays in access. It includes measures to protect the processes of data creation, input, processing and output. The goal of information security is to secure the values of the system, to protect and ensure the accuracy and integrity of information, and to minimize the disruption that can occur if the information is modified or destroyed. Information security requires accounting for all events during which information is created, modified, accessed or distributed.

The following areas of information security measures can be distinguished:

  • legal;
  • organizational;
  • technical.

Legal measures include the development of rules establishing liability for computer crimes, protection of programmers' copyrights, improvement of criminal and civil legislation, as well as legal proceedings. Legal measures also include issues of public control over the developers of computer systems and the adoption of international treaties on their restrictions, if they affect or may affect the military, economic and social aspects of the life of the countries concluding the agreement.

Organizational measures include the protection of the computer center, careful selection of personnel, the exclusion of cases where particularly important work is carried out by only one person, the existence of a plan for restoring the center's operation after a failure, the organization of maintenance of the computer center by an outside organization or by persons not interested in concealing facts of disruption of the center, the universality of protection measures for all users (including top management), the assignment of responsibility to the persons who must ensure the security of the center, the choice of the center's location, etc.

Technical measures include protection against unauthorized access to the system, redundancy of especially important computer subsystems, organization of computer networks with the possibility of redistributing resources in the event of a malfunction of individual links, installation of fire detection and extinguishing equipment, water detection equipment, the adoption of structural measures to protect against theft, sabotage and explosions, installation of backup power supply systems, equipping premises with locks, installation of alarms and much more.

Methods, means and conditions for ensuring information security

Methods for ensuring the protection of information in enterprises are:

Obstacle - a method of physically blocking the path of an attacker to protected information (to equipment, storage media, etc.)

Access control is a method of protecting information by regulating the use of all resources of the enterprise's automated information system. Access control includes the following security functions:

  • identification of users, personnel and resources of the information system (assignment of a personal identifier to each object);
  • authentication of an object or subject, that is, verification of the identity claimed by the identifier presented;
  • verification of authority (checking that the day of the week, time of day, requested resources and procedures comply with the established regulations);
  • permission and creation of working conditions within the established regulations;
  • registration (logging) of calls to protected objects and information;
  • response (alarm, shutdown, delay of work, denial of the request) in case of attempted unauthorized actions.
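The chain of access-control functions listed above (identification, authentication, verification of authority against a day-of-week and time-of-day regulation, registration, and response) as one small reference monitor. This is an added example and not code from the original text; the user directory, the resources "ledger" and "cad-vault", the user identifiers u1001/u1002, the working-hours rules and the lockout threshold are all constructed assumptions.

```python
import hashlib
import hmac
from datetime import datetime

# Constructed sample directory: every subject (user) and object (resource)
# carries a personal identifier (identification). Password hashes use PBKDF2;
# the fixed salt exists only to keep this example self-contained, a real
# system stores a random salt per user.
_SALT = b"example-salt-not-for-production"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {
    "u1001": {"role": "accountant", "pw": _hash_password("correct horse"), "failures": 0, "locked": False},
    "u1002": {"role": "engineer", "pw": _hash_password("battery staple"), "failures": 0, "locked": False},
}

# Regulation per resource: permitted roles, weekdays (0 = Monday) and hours,
# mirroring the "day of the week, time of day, requested resource" checks.
RESOURCES = {
    "ledger": {"roles": {"accountant"}, "days": {0, 1, 2, 3, 4}, "hours": range(8, 19)},
    "cad-vault": {"roles": {"engineer"}, "days": {0, 1, 2, 3, 4}, "hours": range(7, 21)},
}

MAX_FAILURES = 3           # response threshold: lock the account after this many bad logins
AUDIT_LOG: list[str] = []  # registration: every call to a protected object is recorded


def _log(when: datetime, user_id: str, resource: str, outcome: str) -> None:
    AUDIT_LOG.append(f"{when.isoformat()} subject={user_id} object={resource} {outcome}")


def authenticate(user_id: str, password: str) -> bool:
    """Verify the credential presented for a known identifier (constant-time compare)."""
    return hmac.compare_digest(_hash_password(password), USERS[user_id]["pw"])


def authorize(user_id: str, resource: str, when: datetime) -> str:
    """Check the request against the regulation; return 'ok' or a denial reason."""
    rule = RESOURCES[resource]
    if USERS[user_id]["role"] not in rule["roles"]:
        return "no-authority"
    if when.weekday() not in rule["days"] or when.hour not in rule["hours"]:
        return "outside-regulation"
    return "ok"


def request_access(user_id: str, password: str, resource: str, when: datetime) -> str:
    """Run the full chain and return 'granted' or 'denied:<reason>'."""
    # 1. Identification: both the subject and the object must be known.
    if user_id not in USERS or resource not in RESOURCES:
        _log(when, user_id, resource, "DENIED unknown-subject-or-object")
        return "denied:unknown-subject-or-object"
    user = USERS[user_id]
    # 2. Response to earlier abuse: a locked account is refused outright.
    if user["locked"]:
        _log(when, user_id, resource, "DENIED locked")
        return "denied:locked"
    # 3. Authentication; repeated failures trigger the alarm/lockout response.
    if not authenticate(user_id, password):
        user["failures"] += 1
        if user["failures"] >= MAX_FAILURES:
            user["locked"] = True
            _log(when, user_id, resource, "ALARM lockout after repeated failures")
            return "denied:locked"
        _log(when, user_id, resource, "DENIED bad-credentials")
        return "denied:bad-credentials"
    user["failures"] = 0
    # 4. Verification of authority against the regulation.
    verdict = authorize(user_id, resource, when)
    if verdict != "ok":
        _log(when, user_id, resource, f"DENIED {verdict}")
        return f"denied:{verdict}"
    # 5. Permission within the established regulation.
    _log(when, user_id, resource, "GRANTED")
    return "granted"


if __name__ == "__main__":
    monday_morning = datetime(2024, 3, 4, 10, 0)  # constructed timestamp (a Monday)
    print(request_access("u1001", "correct horse", "ledger", monday_morning))
    print(request_access("u1001", "correct horse", "cad-vault", monday_morning))
    print(request_access("u1001", "correct horse", "ledger", datetime(2024, 3, 2, 10, 0)))
    for line in AUDIT_LOG:
        print(line)
```

Every decision, including denials, lands in `AUDIT_LOG`, which is what makes the later "timely detection of unauthorized access" obligation checkable; the lockout after three failures is the example's response step, and a real deployment would tune the threshold and add an unlock procedure.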

Masking is a method of protecting information in an automated information system of an enterprise by means of its cryptographic closure.

Regulation is a method of protecting information that creates such conditions for automated processing, storage and transmission of protected information, in which the possibility of unauthorized access to it would be minimized.

Coercion is a method of protecting information in which users and system personnel are forced to comply with the rules for processing, transferring and using protected information under the threat of financial, administrative or criminal liability.

Encouragement is a method of protecting information that encourages users and staff not to violate established rules due to the established moral and ethical standards.

Information security tools

Information security means are a set of engineering, electrical, electronic, optical and other devices and fixtures, instruments and technical systems, as well as other physical elements used to solve various information protection problems, including preventing leakage and ensuring the security of protected information. In general, the means of ensuring information security, as far as preventing deliberate actions is concerned, can be divided into groups depending on the method of implementation:

Technical means

These are devices of various types (mechanical, electromechanical, electronic, etc.), which solve the problems of information protection with hardware. They either prevent physical penetration, or, if penetration did take place, access to information, including by means of its disguise.

To protect the perimeter of the information system, the following are created:

  • security and fire alarm systems;
  • digital video surveillance systems;
  • access control and management systems (ACS).

Protection of information from leakage through technical communication channels is provided by the following means and measures:

  • use of shielded cable and laying of wires and cables in shielded structures;
  • installation of high-frequency filters on communication lines;
  • construction of shielded rooms ("capsules");
  • use of shielded equipment;
  • installation of active noise systems;
  • creation of controlled zones.

The advantages of technical means are their reliability, independence from subjective factors and high resistance to modification. Their weaknesses are lack of flexibility, relatively large size and weight, and high cost.

Annotation: The lecture deals with the basic concepts of information security and gives an introduction to the Federal Law "On information, information technologies and information protection".

GOST "Information protection. Basic terms and definitions" introduces the concept of information security as a state of protection of information in which its confidentiality, availability and integrity are ensured.

  • Confidentiality: the state of information in which access to it is exercised only by subjects who have the right to it.
  • Integrity: the state of information in which there is no change to it, or any change is made only intentionally by subjects who have the right to make it.
  • Availability: the state of information in which subjects with the right of access can exercise that right without hindrance.

An information security threat is a set of conditions and factors that create a potential or real danger of an information security breach [ , ]. An attempt to implement a threat is called an attack, and the one who makes such an attempt is an intruder. Potential attackers are called sources of threats.

A threat is a consequence of vulnerabilities (weak points) in the information system. Vulnerabilities can arise for various reasons, for example as a result of unintentional mistakes by programmers when writing programs.

Threats can be classified according to several criteria:

  • by the property of information (availability, integrity, confidentiality) against which the threat is primarily directed;
  • by the component of the information system at which the threat is aimed (data, programs, hardware, supporting infrastructure);
  • by the method of implementation (accidental/intentional, natural/man-made actions);
  • by the location of the source of the threat (inside/outside the information system under consideration).

Ensuring information security is a complex task that requires an integrated approach. The following levels of information protection are distinguished:

  1. legislative - laws, regulations and other documents of the Russian Federation and the international community;
  2. administrative - a set of measures taken locally by the management of the organization;
  3. procedural level - security measures implemented by people;
  4. software and hardware level: the direct means of protecting information.

The legislative level is the basis for building an information security system, as it defines the basic concepts of the subject area and determines the punishment for potential intruders. This level plays a coordinating and guiding role and helps maintain a negative (and punitive) attitude in society towards people who violate information security.

1.2. Federal Law "On information, information technologies and information protection"

In Russian legislation, the basic law in the field of information protection is the Federal Law "On Information, Information Technologies and Information Protection" of July 27, 2006, No. 149-FZ. The basic concepts and decisions enshrined in this law therefore deserve close consideration.

The law regulates relations arising from:

  • exercising the right to search, receive, transfer, produce and disseminate information;
  • application of information technologies;
  • ensuring the protection of information.

The law provides basic definitions in the field of information protection. Here are some of them:

  • information: data (messages, facts) regardless of the form of their presentation;
  • information technology: processes and methods for searching, collecting, storing, processing, providing and disseminating information, and the means of implementing such processes and methods;
  • information system: the set of information contained in databases together with the information technologies and technical means that ensure its processing;
  • owner of information: a person who has independently created information or who has received, on the basis of a law or an agreement, the right to allow or restrict access to information defined by any criteria;
  • information system operator: a citizen or legal entity carrying out activities for the operation of the information system, including the processing of information contained in its databases;
  • confidentiality of information: a mandatory requirement for a person who has gained access to certain information not to transfer such information to third parties without the consent of its owner.

Article 4 of the Law formulates the principles of legal regulation of relations in the field of information, information technologies and information protection:

  1. freedom to seek, receive, transmit, produce and distribute information in any legal way;
  2. establishment of restrictions on access to information only by federal laws;
  3. openness of information about the activities of state bodies and local self-government bodies and free access to such information, except in cases established by federal laws;
  4. equality of the languages of the peoples of the Russian Federation in the creation and operation of information systems;
  5. ensuring the security of the Russian Federation in the creation of information systems, their operation and protection of the information contained in them;
  6. reliability of information and timeliness of its provision;
  7. privacy, the inadmissibility of collecting, storing, using and disseminating information about the private life of a person without his consent;
  8. the inadmissibility of establishing by regulatory legal acts any advantages of using some information technologies over others, unless the mandatory use of certain information technologies for the creation and operation of state information systems is established by federal laws.

All information is divided into publicly available information and restricted-access information. Publicly available information includes generally known information and other information to which access is not restricted. The law defines information to which access cannot be restricted, such as information about the environment or about the activities of government bodies. It is also stipulated that restriction of access to information is established by federal laws in order to protect the foundations of the constitutional order, morality, health, and the rights and legitimate interests of other persons, and to ensure the defense of the country and the security of the state. Maintaining the confidentiality of information to which access is restricted by federal laws is mandatory.

It is forbidden to demand that a citizen (individual) provide information about his private life, including information constituting a personal or family secret, or to obtain such information against the will of the citizen (individual), unless otherwise provided by federal laws.

Depending on the procedure for its provision or dissemination, information is divided into:

  1. information that is freely disseminated;
  2. information provided by agreement of the persons participating in the relevant relationship;
  3. information that, in accordance with federal laws, is subject to provision or dissemination;
  4. information whose dissemination in the Russian Federation is restricted or prohibited.

The law establishes the equivalence of an electronic message signed with an electronic digital signature or another analogue of a handwritten signature, and a document signed by hand.

The law gives the following definition of information security: the adoption of legal, organizational and technical measures aimed at:

  1. ensuring the protection of information from unauthorized access, destruction, modification, blocking, copying, provision, distribution, as well as from other illegal actions in relation to such information;
  2. maintaining the confidentiality of restricted-access information;
  3. exercising the right to access information.

The owner of information, the operator of the information system, in cases established by the legislation of the Russian Federation, are obliged to ensure:

  1. prevention of unauthorized access to information and (or) its transfer to persons who do not have the right to access information;
  2. timely detection of facts of unauthorized access to information;
  3. prevention of the possibility of adverse consequences of violation of the order of access to information;
  4. prevention of impact on the technical means of information processing, as a result of which their functioning is disrupted;
  5. the possibility of immediate recovery of information modified or destroyed due to unauthorized access to it;
  6. constant control over ensuring the level of information security.

Thus, the Federal Law "On information, information technologies and information protection" creates the legal basis for information exchange in the Russian Federation and determines the rights and obligations of its subjects.

Modern enterprises are characterized by the rapid development of their information environment. The constant accumulation of information requires its proper processing and storage.

As a result of working with data, an important task is the organization of information protection in the enterprise.

If the work in this direction is not properly organized, then it is possible to fail in the modern economic environment, which is not always characterized by benevolent competition.

Often things are different: competing firms try by fair means and foul to obtain information about a competitor in order to get ahead of it in development and promotion in the market.

Today, the protection of information in an enterprise is a set of measures that are aimed at maintaining the integrity, protecting against theft and substitution of the following data:

  1. database of clients and partners;
  2. electronic document management of the company;
  3. technical nuances of the enterprise;
  4. trade secrets.

To successfully manage the huge flows of listed data, an enterprise must have an information security management system.

Ways to protect information

Such a system must work continuously to protect important information and must provide good protection against external threats and attacks.

Risk assessment

The information security system at the enterprise should be developed taking into account the risks that are most common in the information environment of modern companies.

The main ones include:

  • attempts to gain access to data that are not available to unauthorized users of the enterprise information system;
  • unauthorized change and substitution of information, which can lead to the loss of reputation and image by enterprises;
  • attempts to gain access to and theft of confidential, secret and technical information.

Based on the listed risks, methods and algorithms for protecting information important to the enterprise should be selected.

To solve this problem successfully, an information policy must be developed and implemented at the enterprise, according to which data is classified as either open or restricted access.

Possible sources of problems

In order to choose the right methods for protecting information in an enterprise and use them effectively, one should determine the sources of possible threats of data loss.

The main ones include:

  1. failures in the enterprise hardware system that provides data processing and storage;
  2. fraud to gain access to information;
  3. misrepresentation of data in order to obtain an improper benefit or damage to the company;
  4. forgery of data or their theft using various hardware and software;
  5. theft of information with the help of devices that use electromagnetic radiation, acoustic signals, visual observation for this purpose.

The listed threats may come from third parties who need certain company data for their own interests, competing firms or employees of organizations that carelessly perform their functional duties, or choose to transfer important data to competitors.

If the threat comes from employees, then they are likely to try to discreetly copy the information, using their powers, and pass it on to third parties.

When third parties try to obtain data, various software tools are mainly used.

They are divided into:

  • spam mailings with malicious links;
  • virus programs;
  • Trojan and spyware plugins;
  • implants ("bookmarks") in game programs whose modified code carries malicious software;
  • counterfeit software with modified functions.

Considering the listed threats, the protection of confidential information in an enterprise should be built at both the hardware and the software level. Only in combination can these measures successfully protect data from cyber intruders.

Examples of Misconduct

As an example of illegal actions aimed at obtaining benefits from forgery, replacement, theft of information, the following can be cited.

  1. An attacker gains access to bank customer data. Having information about an individual, numbers of his accounts, payment cards, he can forge documents or bank cards and illegally withdraw money from the account of another person.
  2. If a cybercriminal gains access to electronic copies of documents, he will be able to forge original documents and take out a loan in another person's name.
  3. During checkout in an online store, an attacker, using special plugins, can change the details of the store by transferring the buyer's money to his account, and not to the store.
  4. When transmitting important technical information through communication channels, cyber spies, using various means of tracking and reading, can scan the channel through which information traffic is transmitted and gain access to the technical secrets of the enterprise.

The process of organizing information security at the enterprise

The main stages of complex information protection at the enterprise include:

  • formation of the information policy of the enterprise or company;
  • creation of an internal legal field for the use of information;
  • formation of information protection and security division.

The company's protective activity should cover the following areas:

  1. protecting data that is processed and stored, including archives;
  2. preventing unauthorized penetration into the company's information environment;
  3. proper work with personnel to prevent theft of important data by the company's own employees.

Protective Measures

To improve information security, enterprises actively use the following security measures.

Formation of a data access system within the corporate network

Companies use automated access-control systems that grant access to data according to each employee's role and status.

Recording every access decision also makes it simpler to trace how data moves and to identify leaks.
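The following is an added example, not code from the original article, of what such an access-control system does at its core: a role-based authorization check with clearance levels and a need-to-know boundary, where every decision (allowed or denied) is written to an audit log, and a simple query over that log flags a burst of export attempts as a possible leak. The role names, classification labels, documents and employees are constructed for illustration and are assumptions, not an established standard.

```python
"""Role-based access control with an audit trail.

Added example, not code from the original article. The roles, clearance
levels, documents and employees below are constructed for illustration;
the role names and labels are assumptions, not an established standard.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Classification levels ordered from least to most sensitive.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# Each role carries a maximum clearance and the set of operations it may perform.
ROLES = {
    "intern":   {"clearance": "internal",     "ops": {"read"}},
    "engineer": {"clearance": "confidential", "ops": {"read", "write"}},
    "finance":  {"clearance": "confidential", "ops": {"read", "write", "export"}},
    "ciso":     {"clearance": "secret",       "ops": {"read", "write", "export"}},
}

@dataclass
class Document:
    name: str
    level: str          # one of LEVELS
    department: str     # owning department (need-to-know boundary)

@dataclass
class Employee:
    login: str
    role: str           # one of ROLES
    department: str

@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, user, op, doc, allowed, reason):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user.login, "role": user.role, "op": op,
            "doc": doc.name, "allowed": allowed, "reason": reason,
        })

def authorize(user, op, doc, log):
    """Return True if `user` may perform `op` on `doc`. Every decision,
    allowed or denied, is written to `log` so data movement can be traced."""
    role = ROLES.get(user.role)
    if role is None:
        log.record(user, op, doc, False, "unknown role")
        return False
    if op not in role["ops"]:
        log.record(user, op, doc, False, f"operation '{op}' not granted to role")
        return False
    if LEVELS[doc.level] > LEVELS[role["clearance"]]:
        log.record(user, op, doc, False, "clearance below document level")
        return False
    # Need-to-know: confidential and secret documents stay inside the owning
    # department; only the CISO role may cross that boundary.
    if (LEVELS[doc.level] >= LEVELS["confidential"]
            and user.department != doc.department and user.role != "ciso"):
        log.record(user, op, doc, False, "outside owning department")
        return False
    log.record(user, op, doc, True, "ok")
    return True

def export_burst(log, threshold=3):
    """Users with `threshold` or more export attempts (denied ones count too);
    a burst of exports is the leak indicator the access log makes visible."""
    counts = {}
    for e in log.entries:
        if e["op"] == "export":
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)

def demo():
    """Run a constructed sequence of requests; return (decisions, flagged users, log)."""
    log = AuditLog()
    payroll = Document("payroll-2024.xlsx", "confidential", "finance")
    roadmap = Document("product-roadmap.md", "internal", "engineering")
    merger = Document("merger-plan.docx", "secret", "board")
    alice = Employee("alice", "finance", "finance")
    bob = Employee("bob", "engineer", "engineering")
    carol = Employee("carol", "intern", "engineering")
    dave = Employee("dave", "ciso", "security")
    decisions = [
        authorize(alice, "export", payroll, log),   # True: own department, export granted
        authorize(bob, "read", roadmap, log),       # True: internal doc, engineer clearance
        authorize(bob, "read", payroll, log),       # False: confidential, other department
        authorize(alice, "read", merger, log),      # False: secret exceeds her clearance
        authorize(carol, "write", roadmap, log),    # False: interns may only read
        authorize(dave, "read", merger, log),       # True: CISO clearance crosses departments
        authorize(alice, "export", payroll, log),   # True (second export)
        authorize(alice, "export", payroll, log),   # True (third export, flagged below)
    ]
    return decisions, export_burst(log), log
```

The point of the design is that the log is written on every path, including denials: a denied export attempt is often a stronger leak signal than a permitted one, and a system that only records successes cannot show it.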

Antivirus protection

Effective antivirus software reduces the risk of data theft by malicious programs, which typically enter the company's information environment from the Internet.

A common practice is to run two products in parallel that use different algorithms for detecting spyware and viruses, so that what one misses the other may catch.

Systems for detecting and protecting against cyber attacks

Intrusion detection and prevention systems are being introduced into enterprise information systems because they not only limit the spread of malicious code but also block attempts to bring the enterprise's information system down (denial of service).
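To make the two functions concrete, here is an added example (not the article's own code, and not any particular product) of the detection logic such a system runs over web server access logs: known malicious request patterns are matched against the URL-decoded path, a sliding-window request counter catches a flooding host, and a source that trips either check is blocked so its further requests are dropped. The log lines are constructed, and the signatures, window and threshold are assumptions chosen for illustration rather than tuned production values.

```python
"""Toy intrusion detection/prevention over web server access logs:
signature matching for known malicious requests plus a sliding-window
request-rate limit to catch flooding (denial-of-service) attempts.

Added example, not code from the original article. The log lines are
constructed; the signatures, window and threshold are assumptions chosen
for illustration, not tuned production values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote

# Common Log Format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Request signatures, matched against the URL-decoded path so that
# percent-encoding does not hide the payload.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"'\s*or\s*1\s*=\s*1|union\s+select", re.I),
}

def parse(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

class Detector:
    def __init__(self, window_seconds=10, max_requests=20):
        self.window = timedelta(seconds=window_seconds)
        self.max_requests = max_requests
        self.recent = defaultdict(deque)   # ip -> timestamps inside the window
        self.blocked = set()
        self.alerts = []                   # (ip, kind, detail)

    def feed(self, line):
        rec = parse(line)
        if rec is None:
            return
        ip = rec["ip"]
        # Prevention: anything from a blocked source is dropped.
        if ip in self.blocked:
            self.alerts.append((ip, "dropped", rec["path"]))
            return
        # Detection 1: known malicious request patterns.
        decoded = unquote(rec["path"])
        for name, rx in SIGNATURES.items():
            if rx.search(decoded):
                self.blocked.add(ip)
                self.alerts.append((ip, name, decoded))
                return
        # Detection 2: request flood inside the sliding window.
        q = self.recent[ip]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > self.window:
            q.popleft()
        if len(q) > self.max_requests:
            self.blocked.add(ip)
            self.alerts.append((ip, "flood", f"{len(q)} requests in {self.window.seconds}s"))

def constructed_log():
    """Constructed sample: one flooding host, one normal host, two hosts sending
    malicious requests, and one malformed line. All timestamps fall in one minute."""
    fmt = '{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] "GET {path} HTTP/1.1" {status} 512'
    lines = []
    for i in range(25):                          # 25 requests in 5 seconds
        lines.append(fmt.format(ip="203.0.113.7", sec=30 + i // 5, path="/login", status=200))
    for sec in (31, 33, 35):                     # ordinary browsing
        lines.append(fmt.format(ip="198.51.100.4", sec=sec, path="/index.html", status=200))
    lines.append(fmt.format(ip="192.0.2.9", sec=32,
                            path="/static/%2e%2e/%2e%2e/etc/passwd", status=404))
    lines.append(fmt.format(ip="192.0.2.33", sec=34,
                            path="/search?q=%27%20OR%201%3D1--", status=200))
    lines.append("garbage line that is not an access-log record")
    return lines

def run_demo():
    det = Detector()
    for line in constructed_log():
        det.feed(line)
    return det
```

Two details matter in practice: signatures are checked on the decoded path, because an attacker who percent-encodes "../" would otherwise walk past a pattern written for the literal string, and the rate check uses a sliding window rather than a fixed per-minute bucket, so a burst that straddles a minute boundary is still counted.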

Network security staff training

Many companies hold seminars and training sessions for their employees that teach safe behaviour on the local network and on the Internet, as well as safe handling of information in the course of their daily duties.

This significantly reduces the risk that information is lost or passed to third parties through employee negligence.

Conclusion

An integrated information security system is a complex undertaking that is hard for an enterprise to build on its own.

Specialized organizations exist that help create such systems for any enterprise.

Their specialists design the protection structure and the concept for implementing it in a particular company, and select the hardware and software suited to the task.

They also train the company's employees who will operate the implemented security system and keep it working at the required level.

Video: The approach to information security in the modern Enterprise

A computer