Modern software for information protection on the network. Information security software. Methods based on knowledge of some secret information


Posted on http://www.allbest.ru/

Basic data on the work

Template version 1.1

Nizhny Novgorod branch

Type of work: electronic written pre-defense

Name of the WRC discipline

Subject

Software tools for information protection in networks

Work performed by

Ipatov Alexander Sergeevich

Contract number 09200080602012

Introduction

1. The main provisions of the theory of information security

1.1 Information Security. Main definitions

1.2 Threats of information security

1.3 Building protection systems from threats of information confidentiality

1.3.1 Model of a protection system

1.3.2 Organizational measures and measures to ensure physical security

1.3.3 Identification and authentication

1.3.4 Access control

1.3.5 Cryptographic methods for ensuring confidentiality of information

1.3.6 External perimeter protection methods

1.3.7 Logging and Audit

1.4 Building protection systems against threats of integrity

1.4.1 Principles of integrity

1.4.2 Cryptographic methods for ensuring the integrity of information

1.5 Building protection systems from threats of accessibility

2. Software for information protection in computer networks (CN)

2.1 Security at the operating system level

2.2 Cryptographic Protection Methods

2.3 Disk encryption

2.4 Specialized information security software

2.5 Architectural aspects of security

2.6 Archiving and Duplication Systems

2.7 Security analysis

Conclusion

Glossary

List of sources used

List of abbreviations

Introduction

Progress has given humanity a great many achievements, but the same progress has spawned a great many problems. The human mind, solving some problems, inevitably runs into new ones. Information protection is one of these eternal problems. At each stage of its development humanity solved it with the means characteristic of that epoch. The invention of the computer and the rapid development of information technology in the second half of the 20th century made the problem of information protection as relevant and acute as informatization itself is for society today.

Julius Caesar also needed to protect valuable information in transit. He invented the Caesar cipher, which allowed messages to be sent that nobody could read if they were intercepted.

This idea was developed further during World War II, when Germany used the Enigma machine to encrypt messages sent by its military units.

Of course, ways of protecting information change constantly as our society and technology change. The appearance and spread of computers led most people and organizations to store information in electronic form, and a need arose to protect such information.

In the early 1970s David Bell and Leonard LaPadula developed a security model for operations performed on a computer. The model was based on the government concept of classification levels for information (unclassified, confidential, secret, top secret) and clearance levels. If a person (subject) had a clearance level higher than the classification level of a file (object), access to the file was granted; otherwise access was denied. This concept was implemented in Standard 5200.28, "Trusted Computer System Evaluation Criteria" (TCSEC), developed in 1983 by the US Department of Defense. Because of the color of its cover it became known as the "Orange Book".

The "Orange Book" defined functional requirements and assurance requirements for each division. A system had to satisfy these requirements to achieve a given certification level.

Meeting the assurance requirements for most security certifications took a lot of time and cost a lot of money. As a result, very few systems were certified above the C2 level (in fact, only one system in all that time, Honeywell SCOMP, was certified at level A1). Cole E. Hacker protection guide. - M.: Publishing House "Williams", 2002 - p. 25.

When other criteria were drawn up, attempts were made to separate the functional requirements from the assurance requirements. These developments went into Germany's "Green Book" in 1989, the "Canadian Criteria" in 1990, the "Information Technology Security Evaluation Criteria" (ITSEC) in 1991 and the "Federal Criteria" (known as the Common Criteria) in 1992. Each standard offered its own way of certifying computer systems.

GOST 28147-89 is the Soviet and Russian standard for symmetric encryption, introduced in 1990; it is also a standard of the CIS. Its full name is "GOST 28147-89. Information processing systems. Cryptographic protection. Algorithm of cryptographic transformation." It is a block cipher. When used in the gamma (keystream) mode it can operate as a stream cipher.

According to some sources (A. Vinokurov. The GOST 28147-89 encryption algorithm, its use and implementation for computers on the Intel x86 platform, http://www.enlight.ru), the history of this cipher is much longer. The algorithm that later became the basis of the standard was presumably born in the Eighth Main Directorate of the KGB of the USSR (now within the FSB structure), most likely in one of its closed research institutes, probably in the 1970s, as part of projects to create software and hardware implementations of ciphers for various computer platforms.

From the moment of its publication the GOST carried the restrictive marking "for official use", and the cipher was formally declared "fully open" only in May 1994. The history of the cipher's creation and the developers' design criteria had not been published as of 2010.

One of the problems with the criteria for evaluating system security was an insufficient understanding of network mechanisms. When computers are connected together, new security problems are added to the old ones. The Orange Book did not address the problems that arise when computers are joined into a common network, so in 1987 the TNI, or "Red Book", appeared. The Red Book retained all the security requirements of the Orange Book and attempted to address the network space and create a concept of network security. Unfortunately, the Red Book also tied functionality to assurance. Only a few systems were evaluated under TNI, and none of them had commercial success.

Nowadays the problems have become even more serious. Organizations have begun to use wireless networks, whose appearance the Red Book could not foresee. For wireless networks the Red Book certification is considered obsolete.

Computer and network technology develops very quickly, and accordingly new ways of protecting information keep appearing. That is why the topic of my qualifying work, "Software tools for information protection in networks", is highly relevant.

The object of the study is information transmitted over telecommunication networks.

The subject of the study is the information security of networks.

The main purpose of the qualifying work is to study and analyze software tools for information protection in networks. To achieve this purpose, a number of tasks must be solved:

- consider security threats and their classification;

- characterize the methods and means of protecting information in a network, their classification and the features of their application;

- disclose the capabilities of physical, hardware and software means of information protection in computer networks (CN), and reveal their advantages and disadvantages.

1. The main provisions of the theory of information security

1.1 Information Security. Main definitions

Different sciences define the term "information" in different ways. For example, in philosophy information is regarded as the property of material objects and processes to preserve and generate a certain state, which can be transmitted from one object to another in various material and energy forms. In cybernetics information is usually called a measure of uncertainty. In what follows we will understand information as anything that can be represented in the symbols of a finite (for example, binary) alphabet.

Such a definition may seem somewhat unusual, yet it follows naturally from the basic architectural principles of modern computing technology. Indeed, we restrict ourselves to questions of the information security of automated systems, and everything processed by modern computing equipment is represented in binary form. Tsirlov V.L. Fundamentals of information security of automated systems - "Phoenix", 2008 - p. 8

The subject of our consideration is automated systems. By an automated information processing system (AS) we will understand the set of the following objects:

1. Computer equipment;

2. Software;

3. Communication channels;

4. Information on various media;

5. Personnel and users.

The information security of an AS is the state of the system in which:

1. The system is able to withstand the destabilizing effects of internal and external threats.

2. The functioning and the very existence of the system do not create threats to the external environment or to the elements of the system itself.

In practice, information security is usually considered as the combination of the following three basic properties of the protected information:

- Confidentiality, meaning that only legitimate users can gain access to the information;

- Integrity, which ensures, first, that the protected information can be changed only by legitimate users with the appropriate authority and, second, that the information is internally consistent and (where this property is applicable) reflects the real state of affairs;

- Availability, which guarantees unhindered access to the protected information for legitimate users.

Activities aimed at ensuring information security are usually called information protection.

Information security methods (Appendix A) are very diverse.

Network security services are mechanisms for protecting information processed in distributed computing systems and networks.

Engineering and technical methods aim to protect information from leakage through technical channels, for example through interception of electromagnetic emissions or of speech. Legal and organizational methods of information protection create the regulatory framework for organizing various kinds of information protection activity.

Theoretical methods of ensuring information security, in turn, solve two main tasks. The first is the formalization of the various processes connected with ensuring information security. For example, formal access control models make it possible to describe strictly all possible information flows in a system, and hence to guarantee that the required security properties hold. From this directly follows the second task: rigorous substantiation of the correctness and adequacy of the functioning of information protection systems when analyzing their security. Such a task arises, for example, when certifying automated systems against information security requirements.

1.2 Threats of information security

When formulating the definition of the information security of an AS we mentioned the concept of a threat. Let us dwell on it in more detail.

Note that in general a threat is understood as a potentially possible event, action, process or phenomenon that can lead to damage to someone's interests. In turn, a threat to the information security of an automated system is the possibility of an impact on the information processed in the AS that leads to a violation of the confidentiality, integrity or availability of this information, as well as the possibility of an impact on the components of the AS leading to their loss, destruction or failure.

Threats can be classified by many criteria. We give the most common of them. Tsirlov V.L. Fundamentals of information security of automated systems - "Phoenix", 2008 - p. 10

1. By nature, natural and artificial threats are distinguished.

Natural threats arise from the impact on the AS of objective physical processes or natural phenomena independent of humans. Artificial threats, in turn, are caused by the human factor.

Examples of natural threats are fires, floods, tsunamis, earthquakes, etc. An unpleasant feature of such threats is the extreme difficulty or even impossibility of predicting them.

2. By degree of intent, accidental and deliberate threats are distinguished.

Accidental threats are caused by negligence or unintentional errors of personnel. Deliberate threats usually arise as a result of the purposeful activity of an attacker.

Examples of accidental threats are unintentional entry of erroneous data and unintentional damage to equipment. An example of a deliberate threat is an attacker entering a protected area in violation of the established rules of physical access.

3. By source, threats are divided into:

- threats whose source is the natural environment. Examples: fires, floods and other natural disasters.

- threats whose source is a person. An example is a competing organization planting agents among the AS personnel.

- threats whose source is authorized software and hardware. An example is incompetent use of system utilities.

- threats whose source is unauthorized software and hardware. An example is the introduction of keyloggers into the system.

4. By position of the source, threats are divided into:

- threats whose source is located outside the controlled zone. Examples: interception of side electromagnetic emissions (PEMIN) or of data transmitted through communication channels; remote photography and video recording; interception of acoustic information using directional microphones.

- threats whose source is located inside the controlled zone. Examples: the use of eavesdropping devices or theft of media containing confidential information.

5. By degree of impact on the AS, passive and active threats are distinguished. Passive threats, when realized, make no changes to the composition and structure of the AS.

Realization of active threats, on the contrary, violates the structure of the automated system.

An example of a passive threat is unauthorized copying of data files.

6. By the way of accessing AS resources, threats are divided into:

- threats using standard access. An example is unauthorized obtaining of a password by bribery, blackmail, threats or physical violence against its legitimate owner.

- threats using a non-standard access path. An example is the use of undeclared capabilities of protection tools.

The criteria for classifying threats could be continued, but in practice the following main classification, based on the three basic properties of protected information introduced earlier, is used most often:

1. Threats of violation of confidentiality, as a result of which the information becomes accessible to a subject who has no authority to familiarize themselves with it.

2. Threats of violation of integrity, which include any malicious distortion of information processed in the AS.

3. Threats of violation of availability, which arise when access to some AS resource is blocked for legitimate users.

Note that real threats to information security cannot always be strictly assigned to one of the listed categories. For example, the threat of theft of information media may, under certain conditions, relate to all three categories.

Note also that enumerating the threats characteristic of a particular automated system is an important step in the vulnerability analysis of the AS, conducted for example as part of an information security audit, and creates a basis for subsequent risk analysis. There are two main methods of enumerating threats:

1. Building arbitrary threat lists. Possible threats are identified by experts and recorded in a random, unstructured manner.

This approach is characterized by incompleteness and inconsistency of the results.

2. Building threat trees. Threats are described in the form of one or more trees. Threats are detailed from top to bottom, and in the end each leaf of the tree gives a description of a specific threat. Between subtrees, if necessary, logical connections may be organized.

As an example, consider a threat tree for blocking access to a network application (Appendix B).

As can be seen, blocking access to the application can occur either as a result of a DoS attack on the network interface or as a result of the computer shutting down. In turn, the computer shutting down can occur either through unauthorized physical access of the attacker to the computer or as a result of the attacker exploiting a vulnerability that makes a buffer overflow attack possible.
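As an added illustration (not code from the thesis), the following encodes the Appendix B tree described above and derives the minimal sets of leaf threats that realize the root; the AND node type and the `residual_paths` helper are my additions and show the "logical connections between subtrees" the text mentions, so that a risk analysis can check which paths a set of countermeasures leaves open.

```python
from dataclasses import dataclass, field
from itertools import product
from typing import FrozenSet, List, Set


@dataclass
class Node:
    """A threat-tree node: an OR/AND combination of children, or a leaf threat."""
    name: str
    kind: str = "LEAF"                        # "OR", "AND" or "LEAF"
    children: List["Node"] = field(default_factory=list)


def leaf(name):
    return Node(name)


def any_of(name, *kids):                      # realized if ANY child is realized
    return Node(name, "OR", list(kids))


def all_of(name, *kids):                      # realized only if ALL children are realized
    return Node(name, "AND", list(kids))


# Constructed tree reproducing the thesis's Appendix B example.
BLOCK_ACCESS = any_of(
    "access to the network application is blocked",
    leaf("DoS attack on the network interface"),
    any_of(
        "computer shut down",
        leaf("unauthorized physical access to the computer"),
        leaf("exploitation of a buffer-overflow vulnerability"),
    ),
)


def leaves(node) -> List[str]:
    """Every specific threat described by a leaf, top to bottom, left to right."""
    if node.kind == "LEAF":
        return [node.name]
    return [name for child in node.children for name in leaves(child)]


def threat_paths(node) -> Set[FrozenSet[str]]:
    """Minimal sets of leaf threats whose joint realization realizes `node`.
    OR: union of the children's sets; AND: one set from each child, merged."""
    if node.kind == "LEAF":
        return {frozenset([node.name])}
    if node.kind == "OR":
        return set().union(*(threat_paths(child) for child in node.children))
    combos = set()
    for choice in product(*(threat_paths(child) for child in node.children)):
        combos.add(frozenset().union(*choice))
    return combos


def residual_paths(node, mitigated) -> Set[FrozenSet[str]]:
    """Paths still open after the leaf threats in `mitigated` are closed by a countermeasure."""
    return {path for path in threat_paths(node) if not (path & set(mitigated))}


if __name__ == "__main__":
    for path in sorted(map(sorted, threat_paths(BLOCK_ACCESS))):
        print(" AND ".join(path))
```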

1.3 Building protection systems from threats of information confidentiality

1.3.1 Model of a protection system

When building systems to protect against threats of violation of the confidentiality of information in automated systems, an integrated approach is used (Appendix B).

As can be seen from the scheme, primary protection is provided by organizational measures and by mechanisms controlling physical access to the AS. Later, at the stage of controlling logical access, protection is provided by various network security services. In all cases, a complex of engineering and technical means of information protection should be deployed in parallel, closing off the possibility of leakage through technical channels.

Let us dwell in more detail on each of the subsystems involved.

1.3.2 Organizational measures and measures to ensure physical security

These mechanisms generally provide:

- deployment of a system for controlling and restricting physical access to the elements of the automated system;

- creation of a security and physical protection service;

- organization of mechanisms for monitoring the movement of employees and visitors (using video surveillance systems, proximity cards, etc.);

- development and implementation of regulations, job instructions and similar regulatory documents;

- regulation of the procedure for working with media containing confidential information.

Without affecting the logic of the AS's functioning, these measures, when implemented correctly and adequately, are an extremely effective protection mechanism and are vital to the security of any real system.

1.3.3 Identification and authentication

Recall that identification is usually understood as the assignment of unique identifiers to access subjects and the comparison of such identifiers with a list of possible ones. Authentication, in turn, is understood as verifying that the access subject owns the identifier presented and confirming its authenticity.

Thus, identification answers the question "Who is this?", and authentication the question "Is it really them?".

All the many authentication methods in use today can be divided into four large groups:

1. Methods based on knowledge of some secret information.

A classic example of such methods is password protection, where the user is asked to enter a password, some sequence of characters, as the means of authentication. These methods are the most common.

2. Methods based on the possession of a unique object. A smart card, token, electronic key, etc. can serve as such an object.

3. Methods based on the use of human biometric characteristics. In practice, one or more of the following biometric characteristics are most often used:

- fingerprints;

- pattern of the retina or iris;

- thermal pattern of the hand;

- photograph or thermal pattern of the face;

- handwriting (signature);

- voice.

Fingerprint scanners and retina and iris pattern scanners are the most widespread.

4. Methods based on information associated with the user.

An example of such information is the user's coordinates determined using GPS. This approach can hardly be used as the sole authentication mechanism, but it is quite admissible as one of several jointly used mechanisms.

The practice of combining several of the mechanisms listed above is widespread; in such cases one speaks of multi-factor authentication.

Features of password authentication systems

With all the variety of existing authentication mechanisms, password protection remains the most common. There are several reasons for this, of which we note the following:

- relative simplicity of implementation. Indeed, implementing a password protection mechanism usually does not require additional hardware.

- familiarity. Password protection mechanisms are familiar to most users of automated systems and do not cause psychological rejection, unlike, for example, retina pattern scanners.

At the same time, password protection systems are characterized by a paradox that hinders their effective implementation: strong passwords are poorly suited to human use.

Indeed, a password's strength grows as it becomes more complex; but the more complex the password, the harder it is to remember, and the user is tempted to write the inconvenient password down, which creates additional channels for its compromise.

Let us dwell in more detail on the main threats to the security of password systems. In general, an attacker can obtain a password in one of three main ways:

1. By exploiting weaknesses of the human factor. The methods here vary widely: peeping, eavesdropping, blackmail, threats and, finally, use of other people's accounts with the permission of their legitimate owners.

2. By guessing. The following methods are used:

- Exhaustive search. This method allows any password to be found regardless of its complexity, but for a strong password the time required for this attack must significantly exceed the time resources available to the attacker.

- Dictionary search. A significant proportion of passwords used in practice are meaningful words or expressions. There are dictionaries of the most common passwords, which in many cases make it possible to do without exhaustive search.

- Search using information about the user. This intelligent method of password guessing is based on the fact that if the system's security policy allows users to choose their own passwords, then in the overwhelming majority of cases some personal information related to the AS user will be chosen as the password. And although anything can be chosen as such information, from a date of birth to the name of a favorite dog, having information about the user makes it possible to check the most common variants (birthdays, children's names, etc.).

3. By exploiting shortcomings in the implementation of password systems. These shortcomings include exploitable vulnerabilities of the network services that implement components of the password protection system, and undeclared capabilities of the corresponding software or hardware.

When building a password protection system it is necessary to take into account the specifics of the AS and be guided by the results of risk analysis. The following practical recommendations can be given:

- Set a minimum password length. Obviously, regulating the minimum permissible password length makes it harder for an attacker to find the password by exhaustive search.

- Increase the power of the password alphabet. Increasing the power (achieved, for example, by requiring special characters) also complicates exhaustive search.

- Check passwords against a dictionary and reject matches. This mechanism hinders dictionary search by rejecting obviously easily guessed passwords.

- Set a maximum password validity period. The validity period limits the time the attacker can spend on guessing the password; reducing it therefore reduces the probability of a successful guess.

- Set a minimum password validity period. This mechanism prevents the user from immediately changing a new password back to the previous one.

- Reject passwords from the history. This mechanism prevents reuse of passwords, which may have been compromised earlier.

- Limit the number of password entry attempts. This mechanism hinders interactive password guessing.

- Force a password change on the user's first login. If the administrator generates the initial password for every user, the user can be prompted to change it at first login; in that case the new password will not be known to the administrator.

- Delay after an incorrect password. This mechanism hinders interactive password guessing.

- Prohibit user-chosen passwords and generate passwords automatically. This mechanism guarantees the strength of the generated passwords, but users will inevitably have trouble memorizing them.
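An added example (not code from the thesis) that turns the recommendations above into a checkable policy: minimum length, alphabet power, dictionary and user-information rejection, history rejection, minimum and maximum validity, and an attempt limiter with a delay after each failure. The policy values, the dictionary and the function names are constructed for illustration.

```python
import hashlib
import string
import time

# Constructed policy values; a real deployment derives them from risk analysis.
POLICY = {
    "min_length": 10,        # minimum password length
    "required_classes": 3,   # out of: lower, upper, digit, special
    "min_age_days": 1,       # minimum validity: no immediate change-back
    "max_age_days": 90,      # maximum validity period
    "history_depth": 5,      # previous passwords that may not be reused
    "max_attempts": 5,       # failed attempts before lockout
    "failure_delay_s": 2.0,  # delay after each incorrect password
}

# Constructed dictionary of commonly chosen passwords.
DICTIONARY = {"password", "qwerty", "letmein", "123456", "admin"}

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def fingerprint(pw):
    """Value kept in the password history (never the password itself)."""
    return hashlib.sha256(pw.encode()).hexdigest()


def alphabet_power(pw):
    """Power A of the alphabet the password draws from (union of the classes used)."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in pw))


def check_new_password(pw, history, days_since_change, user_info=(), policy=POLICY):
    """Return the list of violated rules; an empty list means the password is accepted."""
    problems = []
    if len(pw) < policy["min_length"]:
        problems.append("too short")
    if sum(any(ch in c for ch in pw) for c in CLASSES) < policy["required_classes"]:
        problems.append("too few character classes")
    low = pw.lower()
    if low in DICTIONARY:
        problems.append("dictionary word")
    # Personal data (names, dates) are the first thing a targeted guess tries.
    if any(info and info.lower() in low for info in user_info):
        problems.append("contains user information")
    if fingerprint(pw) in history[-policy["history_depth"]:]:
        problems.append("reused from history")
    if days_since_change < policy["min_age_days"]:
        problems.append("changed too recently")
    return problems


def password_expired(days_since_change, policy=POLICY):
    """Maximum validity period: force a change once it is exceeded."""
    return days_since_change > policy["max_age_days"]


class AttemptLimiter:
    """Slows interactive guessing: a delay after each failure, lockout after N failures."""

    def __init__(self, policy=POLICY, sleep=time.sleep):
        self.policy, self.sleep, self.failures = policy, sleep, {}

    def record_failure(self, user):
        self.failures[user] = self.failures.get(user, 0) + 1
        self.sleep(self.policy["failure_delay_s"])
        return self.is_locked(user)

    def record_success(self, user):
        self.failures.pop(user, None)

    def is_locked(self, user):
        return self.failures.get(user, 0) >= self.policy["max_attempts"]
```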

Evaluation of the strength of password systems. Tsirlov V.L. Fundamentals of information security of automated systems - "Phoenix", 2008 - p. 16

Let us estimate the elementary relationship between the main parameters of password systems. We introduce the following notation:

- A is the power of the password alphabet;

- L is the password length;

- S = A^L is the power of the password space;

- V is the guessing speed;

- T is the password validity period;

- P is the probability of guessing the password during its validity period.

Obviously, the following relation holds:

Usually the password guessing speed V and the validity period T can be considered known. In that case, by specifying the permissible probability P of guessing the password during its validity period, one can determine the required power of the password space S.

Note that reducing the guessing speed V reduces the probability of guessing the password. It follows, in particular, that if password guessing is performed by computing a hash function and comparing the result with a given value, then greater strength of the password system is provided by using a slow hash function.
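An added worked example (not from the thesis) of the estimate described above. It assumes the standard relation P = V * T / S between the parameters just introduced, with S = A^L, V in guesses per second and T in seconds; from it the required password-space power and the minimum length follow, and the closing comparison shows how a slow hash function (smaller V) shortens the length a policy must demand.

```python
import math

SECONDS_PER_DAY = 86_400


def password_space(A, L):
    """S = A^L: power of the password space."""
    return A ** L


def guess_probability(A, L, V, T):
    """P: probability that the password is guessed within its validity period T
    (assumed relation P = V * T / S, capped at 1)."""
    return min(1.0, V * T / password_space(A, L))


def required_space(V, T, P):
    """Smallest S for which V * T / S <= P, i.e. S >= V * T / P."""
    return math.ceil(V * T / P)


def required_length(A, V, T, P):
    """Smallest password length L with A^L >= required_space(V, T, P)."""
    S = required_space(V, T, P)
    L = 1
    while password_space(A, L) < S:
        L += 1
    return L


def exhaustive_search_days(A, L, V):
    """Days needed to try the whole password space at speed V."""
    return password_space(A, L) / V / SECONDS_PER_DAY


def length_fast_vs_slow(A=26, T=90 * SECONDS_PER_DAY, P=1e-6, V_fast=1e9, V_slow=1e4):
    """Constructed comparison: lowercase alphabet, 90-day validity, P <= 1e-6,
    with a fast hash (1e9 guesses/s) and a deliberately slow hash (1e4 guesses/s).
    Returns the minimum length each case requires."""
    return required_length(A, V_fast, T, P), required_length(A, V_slow, T, P)


if __name__ == "__main__":
    fast, slow = length_fast_vs_slow()
    print(f"fast hash: L >= {fast}; slow hash: L >= {slow}")
```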

Password storage methods

In general, there are three mechanisms for storing passwords in an AS:

1. In the clear. This option is clearly not optimal, because it automatically creates a number of channels for password leakage. A real need to store passwords in the clear is extremely rare, and usually such a solution is a consequence of the developer's incompetence.

2. As hash values. This mechanism is convenient for password checking, since the hash values are uniquely associated with the password but are themselves of no interest to the attacker.

3. In encrypted form. Passwords can be encrypted with some cryptographic algorithm, while the encryption key can be stored:

- on one of the permanent elements of the system;

- on some carrier (electronic key, smart card, etc.) that is presented when the system is initialized;

- or the key can be generated from some other security parameters, for example from the administrator's password when the system is initialized.

Password transmission over network

The following variants are most common:

1. Transmitting passwords in the clear. This approach is extremely vulnerable, because passwords can be intercepted in the communication channels. Despite this, many network protocols used in practice (for example, FTP) assume transmission of the password in the clear.

2. Transmitting passwords as hash values is sometimes found in practice, but usually makes no sense: the password hashes can be intercepted and retransmitted by the attacker over the communication channel.

3. Transmitting passwords in encrypted form is in most cases the most reasonable and justified option.

1.3.4 Access control

Access control (delimitation of access) is usually understood as establishing the authority of subjects for subsequent control over the authorized use of the resources available in the system. Two main methods of access control are distinguished: discretionary and mandatory.

Discretionary access control is the control of access between named subjects and named objects.

Obviously, instead of an access matrix, authority lists can be used: for example, each user can be associated with a list of the resources available to them, with the corresponding rights, or each resource can be associated with a list of the users who have access to it.

Mandatory access control is usually implemented as control by secrecy levels. The powers of each user are set according to the maximum secrecy level to which they are cleared, and all AS resources must be classified by secrecy level.

The fundamental difference between discretionary and mandatory access control is this: in discretionary access control the access rights to a resource are determined by its owner, whereas in mandatory access control the secrecy levels are set from outside and the resource owner cannot affect them. The Russian term "mandate" access control is itself an unfortunate translation of the word "mandatory" (obligatory); thus mandatory access control should be understood as forced.
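An added example (not code from the thesis) placing the two methods side by side: a discretionary access matrix whose entries only the object's owner may change, with the per-resource authority list the text mentions as an alternative view, and a mandatory policy in which clearances and secrecy labels are fixed from outside. The mandatory read rule is the one from the introduction (a subject may read an object only if its clearance is not below the object's level); the write rule is the Bell-LaPadula *-property, which I add as an assumption since the text does not state it. Subject and object names are constructed.

```python
from enum import IntEnum


class Level(IntEnum):
    """Secrecy levels, ordered (the introduction's classification levels)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class DiscretionaryPolicy:
    """Access matrix: (subject, object) -> set of rights; the owner decides."""

    def __init__(self):
        self.owner = {}     # object -> owning subject
        self.matrix = {}    # (subject, object) -> {"read", "write", ...}

    def create(self, owner, obj):
        self.owner[obj] = owner
        self.matrix[(owner, obj)] = {"read", "write"}

    def grant(self, granter, subject, obj, right):
        if self.owner.get(obj) != granter:
            raise PermissionError(f"{granter} is not the owner of {obj}")
        self.matrix.setdefault((subject, obj), set()).add(right)

    def allows(self, subject, obj, right):
        return right in self.matrix.get((subject, obj), set())

    def acl(self, obj):
        """Per-resource authority list: the same matrix viewed by column."""
        return {s: sorted(r) for (s, o), r in self.matrix.items() if o == obj}


class MandatoryPolicy:
    """Secrecy levels are assigned by the security administrator, not by owners."""

    def __init__(self, clearances, labels):
        self.clearances = clearances   # subject -> Level
        self.labels = labels           # object -> Level

    def allows(self, subject, obj, right):
        clearance, label = self.clearances[subject], self.labels[obj]
        if right == "read":
            return clearance >= label   # no read up
        if right == "write":
            return clearance <= label   # no write down (*-property, assumed)
        return False


def check_access(dac, mac, subject, obj, right):
    """Combined rule: the owner's grant is necessary, but the levels have the last word."""
    return dac.allows(subject, obj, right) and mac.allows(subject, obj, right)
```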

1.3.5 Cryptographic methods for ensuring confidentiality of information

To ensure the confidentiality of information, the following cryptographic primitives are used:

1. Symmetric cryptosystems.

In symmetric cryptosystems the same shared secret key is used to encrypt and decrypt information; the interacting parties exchange it beforehand over some protected channel.

Examples of symmetric cryptosystems are the domestic algorithm GOST 28147-89, as well as the international standard DES and its replacement AES.

2. Asymmetric cryptosystems.

Asymmetric cryptosystems are characterized by the use of different keys for encrypting and decrypting information. The encryption key (public key) can be made public, so that anyone can encrypt a message for a given recipient.

The recipient, being the sole holder of the decryption key (secret key), is the only one who can decrypt a message encrypted for them.

Examples of asymmetric cryptosystems are RSA and the ElGamal scheme.

Symmetric and asymmetric cryptosystems, as well as their various combinations, are used in the AS primarily to encrypt data on various media and to encrypt traffic.


1.3.6 External perimeter protection methods

The subsystem for protecting the external perimeter of an automated system usually includes two main mechanisms: firewalling and intrusion detection tools. Since they solve related tasks, these mechanisms are often implemented within a single product and function as a whole. At the same time, each mechanism is self-sufficient and deserves separate consideration.

Firewalling (http://www.infotecs.ru)

The firewall (ME) performs the functions of information flows on the border of the protected automated system. This allows:

- improve the security of objects in the internal environment by ignoring unauthorized requests from the external environment;

- control information flows into the external environment;

- ensure registration of information exchange processes.

Information flows are controlled by filtering: the information is analysed against a set of criteria and a decision is made on whether to pass it into or out of the AS.

Depending on their operating principles, several classes of firewalls are distinguished. The main classification feature is the level of the ISO/OSI model at which the ME operates.

1. Packet filters.

The simplest class of firewalls, operating at the network and transport layers of the ISO/OSI model. Packet filtering is usually carried out according to the following criteria:

- the source IP address;

- the destination IP address;

- the source port;

- the destination port;

- specific parameters of the network packet headers.

Filtering is implemented by comparing the listed network packet header parameters against a base of filtering rules.
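As an added illustration (not code from the original work), the following Python snippet models a packet filter of exactly this kind: each rule in the base tests the five criteria listed above, the first matching rule decides, and a packet matching no rule is denied. The addresses and rule base are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """Header fields of one packet, as seen by a network/transport-layer filter."""
    src_ip: str
    dst_ip: str
    proto: str        # transport protocol from the IP header: "tcp" or "udp"
    src_port: int
    dst_port: int


@dataclass
class Rule:
    """One entry of the filtering rule base. A field left as None matches anything."""
    action: str                                  # "allow" or "deny"
    src: Optional[str] = None                    # source network, CIDR notation
    dst: Optional[str] = None                    # destination network, CIDR notation
    proto: Optional[str] = None                  # "tcp" / "udp"
    src_ports: Optional[Tuple[int, int]] = None  # inclusive (low, high) port range
    dst_ports: Optional[Tuple[int, int]] = None

    def matches(self, p: Packet) -> bool:
        if self.src is not None and ipaddress.ip_address(p.src_ip) not in \
                ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst_ip) not in \
                ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src_ports is not None and \
                not (self.src_ports[0] <= p.src_port <= self.src_ports[1]):
            return False
        if self.dst_ports is not None and \
                not (self.dst_ports[0] <= p.dst_port <= self.dst_ports[1]):
            return False
        return True


def filter_packet(rules: List[Rule], p: Packet) -> Tuple[str, int]:
    """First-match evaluation. Returns (action, index of the deciding rule);
    index -1 means no rule matched and the implicit default deny applied."""
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, i
    return "deny", -1


# Constructed rule base. 192.0.2.0/24 is the protected internal network,
# 192.0.2.10 a public web server, 203.0.113.0/24 a blocked external range.
RULES = [
    Rule("deny", src="203.0.113.0/24"),
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dst_ports=(80, 80)),
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dst_ports=(443, 443)),
    Rule("allow", src="192.0.2.0/24", src_ports=(1024, 65535)),
]


if __name__ == "__main__":
    for pkt in (
        Packet("198.51.100.7", "192.0.2.10", "tcp", 50000, 80),    # allow, rule 1
        Packet("203.0.113.5", "192.0.2.10", "tcp", 50000, 80),     # deny, rule 0
        Packet("198.51.100.7", "192.0.2.10", "tcp", 50000, 22),    # deny, default
        Packet("192.0.2.33", "198.51.100.7", "udp", 5353, 53),     # allow, rule 3
    ):
        print(pkt, "->", filter_packet(RULES, pkt))
```

Rule order matters: the blocked external range is placed first so that it also loses access to the public web server ports that the later rules open.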

2. Session-level gateways.

These firewalls operate at the session layer of the ISO/OSI model. Unlike packet filters, they can control the admissibility of a communication session by analysing session-layer protocol parameters.

3. Application-level gateways.

Firewalls of this class allow filtering individual types of commands or data sets in application-level protocols. For this, proxy services are used: special-purpose programs that control traffic passing through the firewall for certain high-level protocols (HTTP, FTP, Telnet, etc.).

The procedure for using proxy services is shown in Appendix G.

Without a proxy service, the network connection is established directly between the interacting parties A and B; with a proxy service an intermediary appears, the proxy server, which independently interacts with the second participant of the exchange. This scheme makes it possible to control the admissibility of individual high-level protocol commands, as well as to filter the data the proxy server receives from outside; on the basis of the established policy, the proxy server may decide whether or not this data can be passed on to client A.

4. Expert-level firewalls.

The most complex firewalls, combining elements of all three categories above. Instead of proxy services, these firewalls use algorithms for recognizing and processing data at the application level.

Most firewalls in use today belong to the expert category. The best-known and most widespread ME are Cisco PIX and Check Point FireWall-1.

Intrusion detection systems

Intrusion detection is the process of detecting unauthorized access (or attempts at unauthorized access) to the resources of an automated system. An intrusion detection system (IDS) is, in general, a software and hardware complex that solves this task.

There are two main categories of IDS:

1. Network-level IDS.

In such systems the sensor runs on a host dedicated to this purpose in the protected network segment. Usually the network adapter of this host operates in promiscuous mode, which allows it to analyse all network traffic passing through the segment.

2. Host-level IDS.

When the sensor operates at the host level, the following information can be used for analysis:

- records from the operating system's standard logging facilities;

- information about the resources used;

- profiles of expected user behaviour.

Each IDS type has its advantages and disadvantages. Network-level IDS do not reduce the overall performance of the system, while host-level IDS detect attacks more effectively and allow analysing the activity associated with an individual host. In practice it is advisable to use systems that combine both of the described approaches.

There are developments aimed at using artificial intelligence methods in IDS. It is worth noting that at present commercial products do not contain such mechanisms.

1.3.7 Logging and Audit

The logging and audit subsystem is a mandatory component of any AS. Logging, or registration, is the accounting mechanism of an information security system that records all security-related events. Audit, in turn, is the analysis of the logged information with the aim of promptly identifying and preventing violations of the information security regime. Host-level intrusion detection systems can be regarded as active audit systems.

Purpose of the registration and audit mechanism:

- ensuring the accountability of users and administrators;

- making it possible to reconstruct the sequence of events (which is necessary, for example, when investigating information security incidents);

- detecting attempts to violate information security;

- providing information for identifying and analysing technical problems not related to security.

Logged data is placed in the registration log, a chronologically ordered set of records of the results of the AS's activity, sufficient to reconstruct, view and analyse the sequence of actions in order to monitor the final result.

Since system logs are the main source of information for subsequent audit and for identifying security violations, the closest attention should be paid to protecting system logs from unauthorized modification. The logging system should be designed so that no user (including administrators!) can modify the records of the system logs.

No less important is the procedure for storing system logs. Since log files are stored on a particular medium, the problem of the system log exceeding its maximum permitted size inevitably arises. The system's reaction may differ, for example:

- the system can be blocked until the problem with available disk space is resolved;

- the oldest records of the system log can be removed automatically;

- the system can continue operating, temporarily suspending the logging of information.

Of course, the last option is unacceptable in most cases, and the procedure for storing system logs must be clearly regulated in the organization's security policy.
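The following Python sketch, added here and not part of the original work, shows the two requirements of this section together: a registration log in which every record carries the hash of the previous one (so that an audit detects modified or deleted records, assuming the latest hash is also copied to a place the log writer cannot reach), and the three reactions to log overflow just listed, selectable by policy. The event strings are constructed.

```python
import hashlib
import json
from typing import List


class LogFull(Exception):
    """Raised under the 'block' policy: the system must stop until space is freed."""


class RegistrationLog:
    """Append-only registration log with a hash chain and an overflow policy.

    policy: 'block'       - refuse new records until space is freed (raises LogFull)
            'drop_oldest' - evict the oldest record to make room
            'suspend'     - keep running but discard the event (the text calls this
                            unacceptable in most cases; it is here to show what is lost)
    """
    GENESIS = "0" * 64   # chain start before any record exists

    def __init__(self, max_records: int, policy: str) -> None:
        if policy not in ("block", "drop_oldest", "suspend"):
            raise ValueError("unknown overflow policy: " + policy)
        self.max_records = max_records
        self.policy = policy
        self.records: List[dict] = []
        self.anchor = self.GENESIS   # hash the first stored record must chain to
        self.next_seq = 0            # keeps growing across evictions, so gaps are visible
        self.discarded = 0           # events lost under the 'suspend' policy

    @staticmethod
    def _digest(prev: str, seq: int, event: str) -> str:
        payload = json.dumps({"prev": prev, "seq": seq, "event": event}, sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()

    def append(self, event: str) -> bool:
        """Record an event. Returns False only when the 'suspend' policy dropped it."""
        if len(self.records) >= self.max_records:
            if self.policy == "block":
                raise LogFull("registration log is full; operation blocked")
            if self.policy == "suspend":
                self.discarded += 1
                return False
            evicted = self.records.pop(0)   # drop_oldest
            self.anchor = evicted["hash"]   # the chain now starts where the evicted record ended
        prev = self.records[-1]["hash"] if self.records else self.anchor
        rec = {"seq": self.next_seq, "event": event, "prev": prev}
        rec["hash"] = self._digest(prev, rec["seq"], event)
        self.records.append(rec)
        self.next_seq += 1
        return True

    def head(self) -> str:
        """Hash of the newest record; an auditor keeps a copy outside the log."""
        return self.records[-1]["hash"] if self.records else self.anchor

    def verify(self, expected_head: str = None) -> int:
        """Audit the chain. Returns -1 if intact, else the index of the first bad record.
        If expected_head is given, the stored head must also match it (detects a
        rewritten tail that is internally consistent)."""
        expected_prev = self.anchor
        for i, rec in enumerate(self.records):
            if rec["prev"] != expected_prev:
                return i
            if rec["hash"] != self._digest(rec["prev"], rec["seq"], rec["event"]):
                return i
            expected_prev = rec["hash"]
        if expected_head is not None and expected_prev != expected_head:
            return len(self.records) - 1 if self.records else 0
        return -1


if __name__ == "__main__":
    log = RegistrationLog(max_records=3, policy="drop_oldest")
    for ev in ("login alice", "read /etc/passwd", "write report.doc", "logout alice"):
        log.append(ev)
    print([r["event"] for r in log.records], "intact:", log.verify() == -1)
    log.records[1]["event"] = "read nothing"   # an administrator "corrects" the log
    print("first tampered record:", log.verify())
```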

1.4 Building protection systems against threats of integrity

1.4.1 Principles of integrity

Most mechanisms that protect information from confidentiality threats also contribute, to one degree or another, to the integrity of the information. In this section we look in more detail at the mechanisms specific to integrity. We begin by stating the basic principles of ensuring integrity formulated by Clark and Wilson:

1. Correctness of transactions.

This principle requires that arbitrary modification of data by a user be impossible. Data should be modified only in such a way that its integrity is preserved.

2. User authentication.

Data can be changed only by users authenticated to perform the corresponding actions.

3. Minimization of privileges.

Processes should be granted those and only those privileges in the AS that are minimally sufficient for their execution.

4. Separation of responsibilities.

Several independent users must participate in performing critical or irreversible operations.

In practice, separation of responsibilities can be implemented either purely by organizational methods or with the help of cryptographic secret sharing schemes.

5. Audit of occurred events.

This principle requires the creation of a user accountability mechanism that makes it possible to track the moments at which the integrity of information was violated.

6. Objective control.

It is necessary to identify, at the operational level, the data whose integrity control is justified.

Indeed, in most cases strict integrity control of all data present in the system is inappropriate, if only for performance reasons: integrity control is an extremely resource-intensive operation.

7. Management of privilege transfer.

The procedure for transferring privileges must fully correspond to the organizational structure of the enterprise.

The listed principles make it possible to form the overall structure of the system of protection against integrity threats (Appendix D).

As can be seen from Appendix D, what is fundamentally new compared to the services used to build the system of protection against confidentiality threats are the cryptographic integrity mechanisms.

Note that transaction correctness mechanisms may also include cryptographic primitives.

1.4.2 Cryptographic methods for ensuring the integrity of information

In constructing systems of protection against integrity threats, the following cryptographic primitives are used:

- digital signatures;

- cryptographic hash functions;

- message authentication codes.

Digital signatures

A digital signature is a mechanism for confirming the authenticity and integrity of digital documents. In many ways it is an analogue of a handwritten signature; in particular, almost the same requirements are placed on it:

1. The digital signature must make it possible to prove that it was the legitimate author, and no one else, who knowingly signed the document.

2. The digital signature must be an integral part of the document.

It must be impossible to separate the signature from the document and use it to sign other documents.

3. The digital signature must make it impossible to change the signed document (including by the author himself!).

4. The fact of signing the document must be legally provable. It must be impossible to repudiate authorship of a signed document.

In the simplest case, a mechanism similar to an asymmetric cryptosystem can be used to implement a digital signature. The difference is that the secret key is used for encryption (which in this case is the act of signing), while the publicly known public key is used for decryption, which plays the role of signature verification.

The procedure for using a digital signature in this case is as follows:

1. The document is encrypted with the signer's secret key, and the encrypted copy is distributed together with the original document as the digital signature.

2. The recipient, using the signer's publicly available public key, decrypts the signature, compares it with the original and thus verifies that the signature is genuine.

It is easy to see that this implementation of a digital signature fully satisfies all the above requirements, but at the same time it has a fundamental drawback: the volume of the transmitted message at least doubles. Using hash functions makes it possible to get rid of this drawback.

Cryptographic hash functions

A function of the form y = F(x) is called a cryptographic hash function if it satisfies the following properties:

1. The input of the hash function can be a data sequence of arbitrary length, while the result (called the hash, or digest) has a fixed length.

2. The value y for a given value x is computed in polynomial time, whereas finding a value x for a given value y is infeasible in almost all cases.

3. It is computationally infeasible to find two input values of the hash function that produce identical hashes.

4. All the information of the input sequence is used when computing the hash.

5. The description of the function is open and publicly available.

We now show how hash functions are used in digital signature schemes. If one signs not the message itself but its hash, the volume of transmitted data can be reduced significantly.

Having signed the hash instead of the original message, we transmit the result together with the original message. The recipient decrypts the signature and compares the result with the hash of the received message. If they coincide, the signature is deemed genuine.
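The two schemes of this section side by side, as an added Python example that is not part of the original work: the naive "encrypt the whole document with the secret key" signature, whose size grows with the document, and hash-then-sign, whose size is fixed. The RSA parameters are constructed toy values (a modulus of about 60 bits), chosen only so the block arithmetic is easy to follow.

```python
import hashlib

# Constructed toy RSA key: two well-known 30-bit primes (not a usable key size).
P, Q = 1000000007, 998244353
N = P * Q                          # modulus, a little under 2**60
E = 65537                          # public exponent: the verification key
D = pow(E, -1, (P - 1) * (Q - 1))  # secret exponent: the signing key
MSG_BLOCK = 7   # 7 bytes = 56 bits, so every block is below the modulus
SIG_BLOCK = 8   # each signature block is a residue mod N and fits in 8 bytes


def _blocks(data: bytes):
    return [data[i:i + MSG_BLOCK] for i in range(0, len(data), MSG_BLOCK)]


def sign_full(doc: bytes) -> bytes:
    """Naive scheme from the text: 'encrypt' every block of the document
    with the secret key. The signature is at least as long as the document."""
    sig = bytearray()
    for chunk in _blocks(doc):
        m = int.from_bytes(chunk, "big")
        sig += pow(m, D, N).to_bytes(SIG_BLOCK, "big")
    return bytes(sig)


def verify_full(doc: bytes, sig: bytes) -> bool:
    """Recover each block with the public key and compare it with the document."""
    chunks = _blocks(doc)
    if len(sig) != SIG_BLOCK * len(chunks):
        return False
    for k, chunk in enumerate(chunks):
        s = int.from_bytes(sig[k * SIG_BLOCK:(k + 1) * SIG_BLOCK], "big")
        if pow(s, E, N) != int.from_bytes(chunk, "big"):
            return False
    return True


def sign_hashed(doc: bytes) -> bytes:
    """Hash-then-sign: only the 32-byte SHA-256 digest is signed, so the
    signature has a fixed length (5 blocks of 8 bytes) whatever the document size."""
    return sign_full(hashlib.sha256(doc).digest())


def verify_hashed(doc: bytes, sig: bytes) -> bool:
    """Recompute the digest of the received document and check it against
    the signed digest; any change to the document changes the digest."""
    return verify_full(hashlib.sha256(doc).digest(), sig)


if __name__ == "__main__":
    doc = b"Contract text " * 50                      # constructed 700-byte document
    print("document:", len(doc), "bytes")
    print("full-document signature:", len(sign_full(doc)), "bytes")
    print("hash-then-sign signature:", len(sign_hashed(doc)), "bytes")
    print("valid:", verify_hashed(doc, sign_hashed(doc)),
          "after edit:", verify_hashed(doc + b"!", sign_hashed(doc)))
```

Requirement 2 of the list above (the signature cannot be moved to another document) rests here on hash property 3: a second document with the same digest would have to be a collision.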

2. Information security software in CS

Information security software is understood as the special programs included in the software of a computer system (CS) exclusively to perform protective functions.

The main information security software includes:

* programs for identification and authentication of CS users;

* programs for controlling access to CS resources;

* information encryption programs;

* programs for protecting information resources (system and application software, databases, computer-based training tools, etc.) from unauthorized modification, use and copying.

It should be understood that identification, in relation to ensuring the information security of a CS, means the unambiguous recognition of the unique name of a CS subject. Authentication means confirming that the identifier presented corresponds to this subject (confirmation of the authenticity of the subject) [Biyschuv T.A. Security of corporate networks. Textbook / ed. L.G. Sovetsky. St. Petersburg: St. Petersburg State University, 2004, p. 64].

Information security software also includes:

* programs for destroying residual information (in RAM blocks, temporary files, etc.);

* programs for auditing (logging) security-related events of the CS, to make it possible to reconstruct and prove the fact that these events occurred;

* programs that simulate interaction with an intruder (to distract him with supposedly confidential information);

* programs for test checking of the security of the CS, and others.

The advantages of information security software are:

* ease of replication;

* flexibility (the ability to configure for various conditions of use that take into account the specifics of the information security threats of a particular CS);

* ease of use: some software, such as encryption, works in "transparent" (invisible) mode, while other software requires no new skills (compared to other programs);

* practically unlimited possibilities for their development by making changes to counter new information security threats.

The disadvantages of information security software are:

* reduced effectiveness of the CS due to the consumption of its resources required for the protection programs to function;

* lower performance (compared to hardware protection performing similar functions, such as encryption);

* the fact that many protection programs are attached to, rather than built into, the CS software (Fig. 4 and 5), which creates a fundamental possibility for an intruder to bypass them;

* the possibility of malicious modification of the protection software during operation of the CS.

2.1 Security at the operating system level

The operating system is the most important software component of any computer, so the overall security of an information system depends on the level of the security policy implemented in each specific OS.

The MS-DOS operating system is an operating system of the real mode of the Intel microprocessor, and therefore there can be no question of separating RAM between processes. All resident programs and the main program share the common RAM space. File protection is absent, and it is hard to say anything definite about network security, because at that stage of development drivers for network interaction were developed not by Microsoft but by third-party developers.

The family of operating systems Windows 95, 98 and Millennium are clones originally aimed at home computers. These operating systems use the privilege levels of protected mode, but do not perform any additional checks and do not support security descriptors. As a result, any application can access the entire volume of available RAM with both read and write rights. Network security measures are present, but their implementation is not up to standard. Moreover, a serious error was made in the Windows 95 version that made it possible to hang the computer remotely with a few packets, which significantly undermined the reputation of the OS; in subsequent versions many steps were taken to improve the network security of this clone [Zima V., Moldovyan A., Moldovyan N. Security of global network technologies. "Master" series. St. Petersburg: BHV-Petersburg, 2001, p. 124].

The generation of Windows NT and 2000 operating systems is already a significantly more reliable Microsoft development. They are truly multi-user systems that reliably protect the files of different users on the hard disk (although data encryption is still not performed, and the files can be read without difficulty by booting from the disk of another operating system, for example MS-DOS). These OS actively use the protected mode of Intel processors and can reliably protect the data and code of a process from other programs, unless the process itself wants to provide additional access to them from outside.

Over the long period of development, many different network attacks and errors in the security system were taken into account. Corrections for them were released in the form of update packages (Service Packs).

Software products are the objective forms of representation of a set of data and commands intended for the functioning of computers and computer devices in order to obtain a certain result, as well as the materials prepared and recorded in the course of their development and the audiovisual displays they generate. These include:

Software (a combination of control and processing programs). Structure:

system programs (operating systems, maintenance programs);

application programs (programs designed to solve problems of a specific type, such as text editors, antivirus programs, DBMS, etc.);

tool programs (programming systems consisting of programming languages, such as Turbo C, Microsoft Basic, etc., and translators, i.e. sets of programs that provide automatic translation from algorithmic and symbolic languages into machine code);

Machine information: owner, possessor, user.

I go into such detail in order to understand more clearly the essence of the question under consideration, to single out more clearly the ways of committing computer crimes and the objects and instruments of criminal encroachment, and to eliminate disagreements about computer equipment terminology. After a detailed consideration of the main components making up the content of the concept of a computer crime, one can proceed to consider issues relating to the main elements of the forensic characteristics of computer crimes.

Protection software includes special programs intended to perform protection functions and included in the software of the data processing system. Software protection is the most common type of protection, which is favoured by such positive properties of this product as versatility, flexibility, simplicity of implementation, practically unlimited possibilities for change and development, etc. By functional purpose they can be divided into the following groups:

identification of technical means (terminals, group input-output control devices, computers, storage media), tasks and users;

determination of the rights of technical means (days and hours of operation, tasks permitted for use) and users;

monitoring of the operation of technical means and users;

registration of technical means and users when processing restricted information;

destruction of information in memory after use;

alarm on unauthorized actions;

auxiliary programs for various purposes: monitoring the operation of the protection mechanism, stamping the secrecy classification on issued documents.

Antivirus protection

Information security is one of the most important parameters of any computer system. A large number of software and hardware tools have been created to ensure it. Some of them encrypt information, others delimit access to data. A special problem is computer viruses. These are a separate class of programs aimed at disrupting the system and causing damage. A number of varieties of viruses are distinguished. Some of them reside permanently in the computer's memory, others perform destructive actions in one-time "strikes". There is also a whole class of programs that look quite respectable from the outside but in fact corrupt the system. Such programs are called "Trojan horses". One of the main properties of computer viruses is the ability to "reproduce", i.e. to propagate themselves within a computer and across a computer network.

Since various office applications are able to run programs written specifically for them (for example, applications for Microsoft Office can be written in Visual Basic), a new variety of malicious programs has appeared: the so-called macro viruses. Viruses of this type are distributed with ordinary document files and are contained inside them as ordinary subroutines.

Not long ago an epidemic of the Win95.CIH virus and its numerous subspecies swept through. This virus destroyed the contents of the computer's BIOS, making it impossible to work. Often I even had to throw away motherboards damaged by this virus.

Given the powerful development of communications and the sharply increased volume of data exchange, the problem of protection against viruses becomes highly relevant. Practically every document received, for example by e-mail, can carry a macro virus, and every program run can (theoretically) infect the computer and render the system inoperable.

Therefore, among security systems, one of the most important areas is the fight against viruses. There are a number of tools designed specifically to solve this task. Some of them are launched in scanning mode and examine the contents of the computer's hard drives and RAM for viruses. Others must be running constantly and resident in the computer's memory; they attempt to monitor all tasks being executed.

On the Russian software market, the AVP package developed by Kaspersky Lab gained the greatest popularity. This is a universal product that has versions for a wide variety of operating systems.

Kaspersky Anti-Virus (AVP) uses all modern types of anti-virus protection: anti-virus scanners, monitors, behaviour blockers and change auditors. Various versions of the product support all popular operating systems, mail gateways, firewalls and web servers. The system makes it possible to control all possible paths of virus penetration onto the user's computer, including the Internet, e-mail and removable media. Kaspersky Anti-Virus management tools make it possible to automate the most important operations of centralized installation and management, both on a local computer and in the case of comprehensive protection of an enterprise network. Kaspersky Lab offers three ready-made anti-virus protection solutions aimed at the main categories of users: first, anti-virus protection for home users (one license for one computer); second, anti-virus protection for small business (up to 50 workstations on the network); third, anti-virus protection for corporate users (over 50 workstations on the network).

The times have passed when, to be fully confident of being free of "infection", it was enough not to use "random" floppy disks and once a week to run the Aidstest utility, which checked the computer's hard disk for suspicious objects. First, the range of areas in which such objects may appear has grown: e-mail with attached "harmful" files, macro viruses in office documents (mainly Microsoft Office), "Trojan horses" all appeared relatively recently. Second, the approach of periodic checks of the hard disk and archives stopped justifying itself: such checks would have to be run too often, and they would consume too many system resources.

A new generation of protection systems has come to replace the outdated ones, able to track and neutralize the "threat" at all critical points, from e-mail to copying files between disks. At the same time, modern antiviruses organize permanent protection: this means that they are constantly in memory and analyse the information being processed.

One of the best-known and most widely used antivirus protection packages is AVP from Kaspersky Lab. This package exists in a large number of different variants. Each of them is designed to solve a certain range of security tasks and has a number of specific properties.

The protection systems distributed by Kaspersky Lab are divided into three main categories, depending on the types of tasks they solve: protection for small business, protection for home users and protection for corporate clients.

AntiViral Toolkit Pro includes programs for protecting workstations running various OS: AVP scanners for DOS, Windows 95/98/NT and Linux; AVP monitors for Windows 95/98/NT and Linux; for file servers, a monitor and AVP scanner for Novell NetWare and a monitor and scanner for NT Server; for web servers, the AVP Inspector disk auditor for Windows; AVP for Microsoft Exchange for Microsoft Exchange mail servers; and gateway protection.

AntiViral Toolkit Pro includes scanner and monitor software. Monitors make it possible to organize the more complete control required in the most critical areas of the network.

In Windows 95/98/NT networks, AntiViral Toolkit Pro makes it possible to perform central administration of the entire logical network from the administrator's workplace using the AVP software package.

The AVP concept makes it easy to regularly update the antivirus software by replacing the anti-virus databases, a set of files with the .avc extension, which today allow detecting and removing more than 50,000 viruses. Updates to the anti-virus databases are released and available from the Kaspersky Lab server daily. At the moment, the AntiViral Toolkit Pro (AVP) package has one of the world's largest anti-virus databases.

In modern information systems (IS), information has two contradictory properties: accessibility and protection from unauthorized access. In many cases IS developers face the problem of choosing the priority of one of these properties.

Information protection is usually understood precisely as ensuring its security from unauthorized access. Unauthorized access itself is customarily understood as actions that entail "... destruction, blocking, modification or copying of information ..." (Criminal Code, Article 272). All methods and means of information protection can be divided into two large groups: formal and informal.

Fig. 1. Classification of methods and means of information protection

Formal methods and means

These are means that perform their protective functions strictly formally, that is, according to a predetermined procedure and without direct human participation.

Technical means

Technical means of protection are the various electronic and electro-mechanical devices that are included in the technical means of the IS and perform, independently or in combination with other means, certain protection functions.

Physical means

Physical means are the various physical and electronic devices, building elements, fire extinguishing equipment and a number of other means. They ensure the following tasks:

  • protection of the territory and premises of the computing centre from the penetration of intruders;
  • protection of equipment and information carriers from damage or theft;
  • preventing the possibility of observing the work of personnel and the functioning of equipment from outside the territory or through the windows;
  • preventing the possibility of intercepting electromagnetic emissions of working equipment and data lines;
  • monitoring of personnel;
  • organization of access control for personnel;
  • control over the movement of personnel in various work areas, etc.

Cryptographic Methods and Means

Cryptographic methods and means are special transformations of information as a result of which its representation changes.

In accordance with the functions performed, cryptographic methods and means can be divided into the following groups:

  • identification and authentication;
  • access control;
  • encryption of protected data;
  • protection of programs from unauthorized use;
  • monitoring the integrity of information, etc.

Informal methods and means of information protection

Informal means are those that are implemented as a result of purposeful human activity or that regulate (directly or indirectly) this activity.

Informal means include:

Organizational means

These are organizational, technical and legal measures carried out in the process of creating and operating the IS in order to ensure information protection. By content, the whole set of organizational measures can be conditionally divided into the following groups:

  • measures carried out when creating the IS;
  • measures carried out during operation of the IS: organization of a pass regime, organization of the automated information processing technology, organization of shift work, distribution of access control details (passwords, profiles, authorities, etc.);
  • general measures: taking protection requirements into account in personnel selection and training, organization of planned and preventive checks of the protection mechanism, planning of information protection measures, etc.

Legislative means

These are the legislative acts of the country that regulate the rules for using and processing restricted information and establish liability for violating these rules. Five "basic principles" underlying the system of data-protection laws can be formulated:

  • systems that accumulate large amounts of personal information must not be created if their activities would be kept secret;
  • there must be ways by which an individual can establish the fact that personal information about him is being collected, find out what it is and how it will be used;
  • there must be guarantees that information obtained for one purpose will not be used for other purposes without informing the person it belongs to;
  • there must be methods by which a person can correct information about himself contained in an IS;
  • any organization that accumulates, stores and uses personal information must ensure reliable storage of the data and their appropriate use, and must take all measures to prevent misuse of the data.

Moral and ethical norms

These norms can be unwritten (generally accepted norms of honesty, patriotism, etc.) or written, i.e. formalized in some set of rules and regulations (a charter).

On the other hand, all methods and means of information security can be divided into two large groups by the type of protected object. In the first case the object is the information carrier, and all informal, technical and physical methods and means of protection are used here. In the second case it is the information itself that is protected, and cryptographic methods are used for this.

The most dangerous (significant) information threats are:

  • violation of the confidentiality (disclosure, leakage) of information constituting banking, judicial, medical or commercial secrets, as well as personal data;
  • impairment of the operability (disorganization of the work) of an IS, blocking of information, disruption of technological processes, failure to solve tasks on time;
  • violation of the integrity (distortion, substitution, destruction) of information, software and other IS resources, as well as falsification (forgery) of documents.

Let us give a brief classification of possible information leakage channels according to the method of organizing unauthorized access to information.

Indirect channels, which allow unauthorized access to information without physical access to IS components:

  • use of eavesdropping devices;
  • remote observation, video and photography;
  • interception of electromagnetic radiation, registration of crosstalk, etc.

Channels that require access to IS elements but do not require changes to the system's components, namely:

  • observing information during processing in order to memorize it;
  • theft of media;
  • collecting production waste containing processed information;
  • deliberate reading of data from other users' files;
  • reading residual information, i.e. data left in storage areas after requests have been executed;
  • copying media;
  • deliberate use of registered users' terminals to access information;
  • masquerading as a registered user by stealing passwords and other access-control details used in the IS;
  • using so-called "loopholes" to access information, i.e. opportunities to bypass the access-control mechanism that arise from imperfections and ambiguities of programming languages and system-wide software components in the IS.

Channels related to access to IS elements and to changing the structure of its components:

  • illegal connection of special recording equipment to system devices or communication lines;
  • malicious modification of programs so that, along with their basic information-processing functions, they also perform unauthorized collection and registration of protected information;
  • malicious disabling of the protection mechanism.

1.3.3. Restricting access to information

In general, the information protection system from unauthorized access consists of three main processes:

  • identification;
  • authentication;
  • authorization.

The participants in these processes are customarily divided into subjects, the active components (users or programs), and objects, the passive components (files, databases, etc.).

The task of identification, authentication and authorization systems is to determine, verify and assign the set of rights of a subject when it accesses the information system.

Identification of a subject accessing the IS is the process of comparing it with some characteristic of the subject that the system stores in some object: the identifier. Subsequently the subject's identifier is used to grant the subject a certain level of rights and powers when it uses the information system.

Authentication of a subject is the procedure of verifying that the identifier belongs to the subject. Authentication is performed on the basis of a secret element (the authenticator) possessed by both the subject and the information system. Usually, in some object of the information system called the account database, it is not the secret element itself that is stored but some information about it, on the basis of which the decision is made whether the subject matches the identifier.

Authorization of a subject is the procedure of granting it the rights corresponding to its powers. Authorization is carried out only after the subject has successfully passed identification and authentication.

The entire identification and authentication process can be schematically represented as follows:

Fig. 2. Identification and authentication process scheme

2 - request to pass identification and authentication;

3 - sending the identifier;

4 - checking for the presence of the received identifier in the account database;

6 - sending the authenticator;

7 - checking that the received authenticator matches the account identifier established earlier.

From the diagram (Fig. 2) it can be seen that, to overcome the system of protection against unauthorized access, one can either substitute the subject that implements the identification/authentication process or change the contents of the object, the account database. In addition, it is necessary to distinguish between local and remote authentication.

With local authentication it can be assumed that processes 1, 2, 3, 5 and 6 take place in the protected zone, i.e. the attacker has no opportunity to eavesdrop on or modify the transmitted information. In the case of remote authentication, one must reckon with the fact that the attacker can take both passive and active part in the transmission of identification/authentication information. Accordingly, such systems use special protocols that allow the subject to prove knowledge of confidential information without disclosing it (for example, a zero-knowledge authentication protocol).
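The three processes above, and the difference between local and remote authentication, as an added example that is not part of the original work: a small account database stores only a salt and a key derived from the password (information about the authenticator, not the authenticator itself), `identify`, `authenticate` and `authorize` follow the order the text prescribes, and for the remote case the subject answers a random challenge with an HMAC instead of sending the password. The class names, the PBKDF2 work factor and the accounts used are assumptions made for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; a value chosen for this example


class AccountDatabase:
    """The IS object that holds identifiers and data *about* authenticators."""

    def __init__(self) -> None:
        # identifier -> (salt, derived key, set of granted rights)
        self._accounts: dict[str, tuple[bytes, bytes, frozenset[str]]] = {}

    def register(self, identifier: str, password: str, rights: set[str]) -> None:
        salt = os.urandom(16)
        derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        # The password itself is not stored, only a salt and a key derived from it.
        self._accounts[identifier] = (salt, derived, frozenset(rights))

    def salt_for(self, identifier: str) -> bytes:
        return self._accounts[identifier][0]

    def identify(self, identifier: str) -> bool:
        """Step 4 of the scheme: is the received identifier present in the database?"""
        return identifier in self._accounts

    def authenticate(self, identifier: str, password: str) -> bool:
        """Step 7: does the presented authenticator match the identified account?"""
        if not self.identify(identifier):
            return False
        salt, derived, _ = self._accounts[identifier]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return hmac.compare_digest(candidate, derived)  # constant-time comparison

    def authorize(self, identifier: str, password: str, action: str) -> bool:
        """Rights are granted only after identification and authentication succeed."""
        if not self.authenticate(identifier, password):
            return False
        return action in self._accounts[identifier][2]

    # Remote case: the subject proves knowledge of the secret without sending it.
    def issue_challenge(self) -> bytes:
        return os.urandom(16)

    def verify_response(self, identifier: str, challenge: bytes, response: bytes) -> bool:
        if not self.identify(identifier):
            return False
        _, derived, _ = self._accounts[identifier]
        expected = hmac.new(derived, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, salt: bytes, challenge: bytes) -> bytes:
    """What the remote subject sends instead of the password: an HMAC over the
    server's challenge, keyed with the same derived key the server holds."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.new(derived, challenge, hashlib.sha256).digest()
```

Because the derived key doubles as the HMAC key, the account database in this simplified protocol is a password-equivalent: anyone who can copy or alter it defeats the scheme, which is exactly why the text names the database as the second object an attacker may go after. A fresh challenge is issued per attempt, so a response captured on the wire is useless for the next one.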

The general scheme of information protection in an IS can be represented as follows (Fig. 3):

Fig. 3. Scheme of information protection in the information system

Thus, the entire system of information protection in an IS can be divided into three levels. Even if an attacker succeeds in bypassing the protection against unauthorized access, it will face the problem of finding the information it needs within the IS.

Semantic protection implies concealing the location of the information. For this purpose one can use, for example, a special recording format for the media, or steganographic methods, i.e. hiding confidential information in container files that carry no significant information of their own.

Currently, steganographic methods of information protection are widespread in two main areas:

  • concealing information;
  • copyright protection.

The last obstacle on the attacker's path to confidential information is its cryptographic transformation. Such a transformation is called encryption. A brief classification of encryption systems is given below (Fig. 4):

Fig. 4. Classification of encryption systems

The main characteristics of any encryption system are:

  • key size;
  • the complexity of encrypting/decrypting information for a legitimate user;
  • the complexity of "cracking" the encrypted information.

Currently it is assumed that the encryption/decryption algorithm is open and well known. Thus only the key is unknown, and its owner is the legitimate user. In many cases it is the key that is the most vulnerable component of the system protecting information from unauthorized access.

Of Microsoft's ten immutable laws of security, two are devoted to passwords:

Law 5: "Weak passwords trump strong security."

Law 7: "Encrypted data is only as secure as the decryption key."

That is why the choice, storage and changing of the key in information protection systems are of particular importance. The key can be chosen by the user independently or imposed by the system. In addition, it is customary to distinguish three main forms of key material:

1.3.4. Technical means of information protection

In general, information protection by technical means is achieved in one of the following ways:

  • the source and carrier of information are localized within the boundaries of the protected object, and a mechanical barrier prevents an attacker from contacting them or acting on them remotely with the fields of his technical means;
  • the ratio of carrier energy to interference at the input of a receiver installed in the leakage channel is such that the attacker cannot extract information from the carrier with the quality needed to make use of it;
  • the attacker cannot detect the source or carrier of information;
  • instead of true information the attacker receives false information, which he takes to be true.

These options are implemented by the following protection methods:

  • preventing the attacker's direct penetration to the information source by means of engineering structures and technical means of protection;
  • hiding reliable information;
  • "feeding" the attacker false information.

The use of engineering structures and guards is the oldest method of protecting people and material values. The main task of technical means of protection is to prevent direct contact between an attacker, or the forces of nature, and the protected objects.

Protected objects are understood as people, material values and information carriers localized in space. Such carriers include paper, machine media, photographic and film materials, products, materials, etc., i.e. everything that has definite dimensions and weight. To organize the protection of such objects, technical means such as security and fire alarms are commonly used.

Information carriers in the form of electromagnetic and acoustic fields and electric currents have no clear boundaries, so methods of hiding information can be used to protect it. These methods produce such changes in the structure and energy of the carriers that the attacker cannot, directly or with the help of technical means, extract information with quality sufficient to use it in his own interests.

1.3.5. Information security software

These protection means are designed specifically to protect computer information and are built on cryptographic methods. The most common software are:

  • cryptographic processing (encryption/decryption) programs ("Verba" by MO PNIEI, www.security.ru; "Crypton" by Ankad, www.ancud.ru; Secret Net by Informzashchita, www.infosec.ru; "Dallas Lock" by Confident, www.confident.ru, and others);
  • programs protecting against unauthorized access to information stored on a computer ("Sobol" by Ankad, www.ancud.ru, and others);
  • steganography programs ("Stegano2et" and others);
  • software for guaranteed destruction of information;
  • systems protecting against unauthorized copying and use (using electronic keys, for example Aladdin, www.aladdin.ru, or binding to the unique properties of the information medium, as StarForce does).

1.3.6. Anti-virus information protection tools

In general, one should speak of "malicious programs", as they are defined in the guidance documents of the State Technical Commission and in current legislation (for example, Article 273 of the Criminal Code of the Russian Federation, "Creation, Use and Dissemination of Malicious Programs for Computers"). All malicious programs can be divided into five types:

  • Viruses: pieces of program code able to generate objects with similar properties. Viruses in turn are classified by habitat (for example boot viruses, macro viruses, etc.) and by destructive action.
  • Logic bombs: programs that are launched only when certain conditions are met (for example a date, pressing a key combination, the absence/presence of specific information, etc.).
  • Worms: programs able to spread over a network, not necessarily transferring all of their code to the destination node at once; that is, they can "assemble" themselves from individual parts.
  • Trojans: programs that perform undocumented actions.
  • Bacteria: unlike viruses, these are self-contained programs that reproduce copies of themselves.

Currently malicious programs in "pure" form practically do not exist; all of them are some symbiosis of the above types. For example, a Trojan may contain a virus, and the virus in turn may have the properties of a logic bomb. According to statistics, about 200 new malicious programs appear daily, and the "lead" belongs to the worms, which is natural given the rapid growth in the number of active Internet users.

As protection against malware, anti-virus software packages are recommended (for example DrWeb and AVP, domestic developments, or foreign ones such as NAV, TrendMicro, Panda, etc.). The main diagnostic method of all available anti-virus systems is "signature analysis", i.e. an attempt to check newly received information for the "signature" of a malicious program, a characteristic fragment of its code. Unfortunately, this approach has two essential drawbacks:

  • only already known malicious programs can be diagnosed, and this requires constant updating of the "signature" databases. One of Microsoft's security laws warns about exactly this:

Law 8: "An out-of-date virus scanner is only marginally better than no virus scanner at all."

  • the continuous growth in the number of new viruses leads to a significant increase in the size of the "signature" base, which in turn makes the anti-virus program consume a significant share of the computer's resources and, accordingly, slows its operation.

One of the well-known ways to improve the effectiveness of malware diagnosis is the so-called "heuristic method". Here an attempt is made to detect the presence of malicious programs on the basis of the known methods of their creation. Unfortunately, if a high-class specialist took part in developing the program, it may be possible to detect it only after its destructive properties have manifested themselves.
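The two drawbacks of signature analysis, as an added example that is not part of the original work: a minimal scanner that flags data containing any known code fragment. The "samples" are harmless constructed byte strings standing in for files, and the signature names are invented for the example; no real malware or real signatures are involved. It shows that a new variant goes undetected until its signature is loaded, that the base grows with every family added, and that a fragment chosen too generically produces false positives.

```python
from __future__ import annotations

# Constructed stand-ins for files: harmless byte strings with an executable-like header.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"CONSTRUCTED-PAYLOAD-A" + b"\x90" * 8
VARIANT_SAMPLE = b"MZ\x90\x00" + b"CONSTRUCTED-PAYLOAD-B" + b"\x90" * 8
BENIGN_PROGRAM = b"MZ\x90\x00" + b"HELLO-WORLD-CONSTRUCTED"
CLEAN_DOCUMENT = b"Quarterly report: revenue up 4%, nothing to see here."


class SignatureScanner:
    """Flags data containing any of the characteristic fragments in its base."""

    def __init__(self) -> None:
        self._signatures: dict[str, bytes] = {}

    def update(self, new_signatures: dict[str, bytes]) -> None:
        """Load new entries: the periodic base update the text insists on."""
        self._signatures.update(new_signatures)

    def base_size(self) -> int:
        """Bytes of signature data; grows with every family added (drawback 2)."""
        return sum(len(frag) for frag in self._signatures.values())

    def scan(self, data: bytes) -> list[str]:
        """Names of all signatures found in the data, sorted for stable output."""
        return sorted(name for name, frag in self._signatures.items() if frag in data)


def demo() -> dict[str, object]:
    """Drawback 1: an unknown variant is invisible until its signature arrives."""
    scanner = SignatureScanner()
    scanner.update({"Constructed.A": b"CONSTRUCTED-PAYLOAD-A"})
    result: dict[str, object] = {
        "known_before": scanner.scan(KNOWN_SAMPLE),
        "variant_before": scanner.scan(VARIANT_SAMPLE),   # nothing matches yet
        "clean_before": scanner.scan(CLEAN_DOCUMENT),
        "size_before": scanner.base_size(),
    }
    scanner.update({"Constructed.B": b"CONSTRUCTED-PAYLOAD-B"})  # the update
    result["variant_after"] = scanner.scan(VARIANT_SAMPLE)
    result["size_after"] = scanner.base_size()
    return result


def false_positive_demo() -> list[str]:
    """A fragment shared by every executable ("MZ" header) is not a signature:
    it marks the benign program as well."""
    scanner = SignatureScanner()
    scanner.update({"TooGeneric": b"MZ\x90\x00"})
    return scanner.scan(BENIGN_PROGRAM)
```

Real engines use multi-pattern matching rather than a linear `in` test per signature, but the trade-off is the same: every new family adds bytes to the base and time to the scan, and nothing in the base can describe a sample that does not exist yet.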


Data protection in computer networks is becoming one of the most acute problems in modern computer science. To date, three basic principles of information security have been formulated, which should ensure:

· data integrity: protection against failures leading to loss of information, as well as against unauthorized creation or destruction of data;

· confidentiality of information and, at the same time,

It should also be noted that certain areas of activity (banking and financial institutions, information networks, government administration systems, defense and special structures) require special data security measures and impose increased requirements on the reliability of information systems.

When considering data protection problems in a network, the question arises first of all of classifying the failures and violations of access rights that can lead to the destruction or unwanted modification of data. Among such potential "threats" one can distinguish:

1. Equipment failures:

· system crashes;

· power interruptions;

· disk system failures;

· failures of data archiving systems;

· failures of servers, workstations, network cards, etc.

2. Loss of information due to incorrect operation of software:

· loss or modification of data due to software errors;

· loss when the system is infected with computer viruses.

3. Losses associated with unauthorized access:

· unauthorized copying, destruction or forgery of information;

· access by unauthorized persons to confidential information constituting a secret.

4. Loss of information associated with incorrect storage of archived data.

5. Errors of service personnel and users:

· accidental destruction or modification of data;

· incorrect use of software and hardware leading to the destruction or modification of data.

Depending on the possible types of disruption of network operation, the numerous types of information protection are combined into three main classes:

· physical protection means, including protection of the cable system, power supply systems, archiving means, disk arrays, etc.;

· protection software, including anti-virus programs, authority-delimitation systems and access control systems;

· administrative protection measures, including control of access to the premises, development of the company's security strategy, emergency plans, etc.

It should be noted that such a division is rather conditional, since modern technologies are developing toward combining software and hardware protection.

Archiving and Duplication Information Systems

Organizing a reliable and efficient data archiving system is one of the most important tasks in ensuring the safety of information on a network. In small networks with one or two servers, the archiving system is most often attached directly to free slots of the servers. In large corporate networks it is preferable to set up a dedicated specialized archiving server.

Such a server automatically archives information from the hard drives of servers and workstations at a time set by the LAN administrator and issues a report on the backup performed. This allows the entire archiving process to be managed from the administrator's console; for example, specific volumes, directories or individual files to be archived can be specified.

It is also possible to organize automatic archiving on the occurrence of a particular event ("event driven backup"), for example on receiving information that little free space is left on a server or workstation hard disk, or on failure of one of the "mirror" disks on the file server.

To ensure data recovery when magnetic disks fail, disk arrays have recently been used most often: groups of disks working as a single device that comply with the RAID standard (Redundant Array of Inexpensive Disks).
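How a parity-based array recovers from a disk failure, as an added example that is not part of the original work: data is striped across several disks and one extra block per stripe holds the XOR of the data blocks, so any single lost block (data or parity) is the XOR of the survivors. The block size, disk count and sample payload are constructed for the example; real RAID 5 additionally rotates the parity position between disks, which does not change the arithmetic shown here.

```python
from __future__ import annotations

from typing import Optional

# Constructed payload that the array will store.
SAMPLE_DATA = b"Payroll archive 2024-Q1: constructed test payload for the RAID example."


def xor_blocks(blocks: list[bytes]) -> bytes:
    """Byte-wise XOR of equally sized blocks; the parity operation."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def stripe(data: bytes, data_disks: int, block_size: int) -> list[list[bytes]]:
    """Split data into stripes of `data_disks` blocks, zero-padding the tail.
    Result is indexed as stripes[stripe_index][disk_index]."""
    stripe_bytes = data_disks * block_size
    padded = data + b"\x00" * (-len(data) % stripe_bytes)
    stripes = []
    for start in range(0, len(padded), stripe_bytes):
        chunk = padded[start:start + stripe_bytes]
        stripes.append([chunk[i:i + block_size] for i in range(0, stripe_bytes, block_size)])
    return stripes


def write_array(data: bytes, data_disks: int, block_size: int) -> list[list[bytes]]:
    """Lay data out on data_disks + 1 disks; the last block of each stripe is parity."""
    return [blocks + [xor_blocks(blocks)] for blocks in stripe(data, data_disks, block_size)]


def fail_disk(array: list[list[Optional[bytes]]], disk_index: int) -> list[list[Optional[bytes]]]:
    """Simulate the loss of one disk: every block in that column becomes None."""
    return [[None if i == disk_index else b for i, b in enumerate(s)] for s in array]


def read_array(array: list[list[Optional[bytes]]], original_len: int) -> Optional[bytes]:
    """Reassemble the data, rebuilding one missing block per stripe from the others.
    Returns None when a stripe has lost more than one block: single parity covers
    exactly one failure, which is why a second failure during a rebuild is fatal."""
    data = bytearray()
    for blocks in array:
        missing = [i for i, b in enumerate(blocks) if b is None]
        if len(missing) > 1:
            return None
        blocks = list(blocks)
        if missing:
            blocks[missing[0]] = xor_blocks([b for b in blocks if b is not None])
        data += b"".join(blocks[:-1])  # drop the parity block
    return bytes(data[:original_len])
```

Parity protects against a disk that stops working; it does nothing against a wrong value that was written and dutifully included in the parity, which is why the text still pairs disk arrays with a backup server.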

Protection against computer viruses

Today, in addition to thousands of already known viruses, 100-150 new strains appear monthly. The most common means of protection against viruses to this day are various anti-virus programs.

However, as a promising approach to protection against computer viruses, a combination of software and hardware protection methods has been used increasingly in recent years. Among hardware devices of this kind one can note special anti-virus cards that are inserted into standard computer expansion slots.

Safety from unauthorized access

The problem of protecting information from unauthorized access became especially acute with the wide spread of local and, especially, global computer networks. It should also be noted that damage is often caused not by "malicious intent" but by elementary errors of users who accidentally corrupt or delete vital data. In this regard, in addition to access control, a necessary element of information protection in computer networks is the delimitation of user authority.

In computer networks, access control and delimitation of user authority are most commonly implemented with the built-in means of network operating systems.

There are many possible directions of information leakage and paths of unauthorized access in systems and networks, including:

· reading residual information in system memory after authorized requests have been executed;

· copying information media and files while overcoming protection measures;

· masquerading as a registered user;

· masquerading as a system request;

· use of software traps;

· exploiting deficiencies of the operating system;

· unlawful connection to equipment and communication lines;

· malicious disabling of protection mechanisms;

· introduction and use of computer viruses.

Information security is achieved by a complex of organizational, organizational-technical, technical and software measures.

Organizational measures of information protection include:

· restricting access to the premises in which information is prepared and processed;

· admitting only trusted officials to the processing and transfer of confidential information;

· storing magnetic media and registration logs in places closed to unauthorized persons;

· preventing unauthorized persons from viewing the processed material on displays, printers, etc.;

· using cryptographic codes when transmitting valuable information over channels;

· destroying ink ribbons, paper and other materials containing fragments of valuable information.

Organizational and technical measures of information protection include:

· supplying equipment that processes valuable information from an independent power source or through special mains filters;

· installing code locks on the doors of the premises;

· using liquid-crystal or plasma displays to present information while it is entered, and inkjet or thermal printers to obtain hard copies, since the display gives off such strong high-frequency electromagnetic radiation that the image from its screen can be picked up at a distance of several hundred kilometers;

· destroying information when a computer is written off or sent for repair;

· installing keyboards and printers on soft pads to reduce the possibility of picking up information acoustically;

· limiting electromagnetic radiation by shielding the rooms where information is processed with sheets of metal or special plastics.

Technical means of information protection are the systems protecting territories and premises by shielding machine rooms and organizing access-pass systems. Protection of information in networks and computing facilities by technical means is implemented on the basis of organizing access to memory using:

· access control at various levels of the computers;

· data blocking and key entry;

· allocating check bits in records for identification, etc.

The software architecture of information protection includes:

· security control, including control of login registration, recording in the system log, control of user actions;

· response (including an audible one) to violations of the system protecting access control to network resources;

· control of access mandates;

· formal control of the security of operating systems (basic system-wide and network);

· control of protection algorithms;

· checking and confirming the correct operation of hardware and software.

To ensure information protection and detect cases of unauthorized actions, registration is carried out in the system: special journals and protocols are created in which all actions related to information protection in the system are recorded. Special programs for testing the protection system are also used. Periodically, or at randomly chosen moments of time, they check the operability of the hardware and software protection.

A separate group of measures for ensuring information security and identifying unauthorized requests consists of programs for detecting violations in real time. Programs of this group generate a special signal when they register actions that may lead to unlawful actions with respect to protected information. The signal may contain information about the nature of the violation, the place of its occurrence and other characteristics. In addition, the programs may prohibit access to protected information or simulate such a mode of operation (for example, instant loading of I/O devices) that allows the intruder to be identified and detained by the relevant service.

One common protection method is a clear indication of the secrecy level of the displayed information. This requirement is implemented using the appropriate software.

Equipping a server or network workstations with, for example, a smart card reader and special software can significantly increase the degree of protection against unauthorized access. In this case, to access the computer the user must insert a smart card into the reader and enter his personal code.

Smart access control cards allow one to implement, in particular, such functions as login control, access to personal computer devices, and access to programs, files and commands.

In remote access bridges and routers, packet segmentation is used: packets are split and transmitted in parallel over two lines, which makes it impossible to "intercept" data when a "hacker" illegally connects to one of the lines. In addition, the packet compression procedure used in data transmission ensures that "intercepted" data cannot be decrypted. Also, remote access bridges and routers can be programmed so that remote users are restricted to individual resources of the main office network.
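A real-time violation detector of the kind just described, as an added example that is not part of the original work: it reads registration-journal lines, keeps a sliding window of failed logins per source address, and emits a signal (nature, place, time and other characteristics) when a threshold is crossed or when access to a protected object is refused. The log format, the host and user names, the addresses and the threshold are all constructed for the example.

```python
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed registration-journal lines: "timestamp host EVENT key=value ...".
SAMPLE_LOG = """\
2024-05-01T09:00:01 srv1 LOGIN_FAIL user=alice src=10.0.0.5
2024-05-01T09:00:03 srv1 LOGIN_FAIL user=alice src=10.0.0.5
2024-05-01T09:00:04 srv1 LOGIN_FAIL user=root src=10.0.0.5
2024-05-01T09:00:10 srv1 LOGIN_OK user=bob src=10.0.0.9
2024-05-01T09:02:00 srv1 ACCESS_DENIED user=bob object=/secret/plan.doc
2024-05-01T09:30:00 srv1 LOGIN_FAIL user=carol src=10.0.0.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z_]+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict | None:
    """Turn one journal line into a record; malformed lines are skipped, not fatal."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "event": m["event"]}
    rec.update(KV_RE.findall(m["rest"]))  # (key, value) pairs become fields
    return rec


def detect(log_text: str, threshold: int = 3,
           window: timedelta = timedelta(seconds=60)) -> list[dict]:
    """Scan the journal in order and return the signals a monitor would raise."""
    signals: list[dict] = []
    recent_failures: dict[str, deque] = defaultdict(deque)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "LOGIN_FAIL":
            q = recent_failures[rec["src"]]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                signals.append({
                    "nature": "repeated login failures",
                    "place": rec["host"],
                    "src": rec["src"],
                    "count": len(q),
                    "time": rec["ts"].isoformat(),
                })
                q.clear()  # one signal per burst, not one per extra failure
        elif rec["event"] == "ACCESS_DENIED":
            signals.append({
                "nature": "access to protected object denied",
                "place": rec["host"],
                "user": rec["user"],
                "object": rec["object"],
                "time": rec["ts"].isoformat(),
            })
    return signals
```

Three failures from 10.0.0.5 within 60 seconds produce one signal; the single failure from 10.0.0.7 half an hour later does not. Tuning the threshold and window is the usual balance between catching a burst early and paging on a user who mistyped twice.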

Security mechanisms

1. Cryptography.

To ensure secrecy, encryption (cryptography) is applied, which transforms data into an encrypted form from which the original information can be extracted only if one has the key.

Encryption is based on two basic concepts: the algorithm and the key. The algorithm is the way of encoding the source text that produces the encrypted message. An encrypted message can be interpreted only with the key.

All elements of protection systems are divided into two categories: long-term and easily replaceable. Long-term elements are those that relate to the design of the protection system and whose change requires the intervention of specialists or developers. Elements intended for arbitrary modification, or for modification by a predetermined rule based on randomly chosen initial parameters, are easily replaceable elements. Easily replaceable elements include, for example, the key, the password, the identifier, etc.

Secrecy of information is ensured by introducing special keys (codes) into the algorithms. The use of a key in encryption gives two significant advantages. First, one algorithm with different keys can be used to send messages to different addressees. Second, if the secrecy of the key is compromised, it can easily be replaced without changing the encryption algorithm. Thus the security of encryption systems depends on the secrecy of the key used, not on the secrecy of the encryption algorithm.

It is important to note that the growing performance of hardware reduces the time required to break keys, and security systems have to use ever longer keys, which in turn increases the cost of encryption.

Since such an important place in encryption systems is given to key secrecy, the main problem of such systems is the generation and transmission of keys.

There are two main encryption schemes: symmetric encryption (also sometimes called traditional or secret-key encryption) and public-key encryption (sometimes called asymmetric).

With symmetric encryption, the sender and the recipient possess the same (secret) key, with which they can encrypt and decrypt the data.
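The points above (open algorithm, secret key; the key as the easily replaceable element; key size as the first characteristic of a cipher) as an added example that is not part of the original work. The cipher is a counter-mode stream construction built from HMAC-SHA256, chosen only so the example runs on the Python standard library; it is not a vetted cipher and is an assumption of this example, as are the key sizes used. The last function measures what exhaustive key search costs against a deliberately tiny key, which is the reasoning behind the text's remark that growing hardware performance forces longer keys.

```python
from __future__ import annotations

import hashlib
import hmac
import os

NONCE_LEN = 12


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, nonce || counter) blocks, concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes, nonce: bytes | None = None) -> bytes:
    """Open algorithm, secret key: ciphertext = nonce || (plaintext XOR keystream)."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    return nonce + xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    return xor_bytes(body, keystream(key, nonce, len(body)))


def rotate_key(old_key: bytes, new_key: bytes, ciphertext: bytes) -> bytes:
    """The easily replaceable element: re-encrypt under a new key, same algorithm."""
    return encrypt(new_key, decrypt(old_key, ciphertext))


def exhaustive_search_trials(ciphertext: bytes, known_plaintext: bytes,
                             key_bits: int) -> tuple[int, bytes | None]:
    """Try every key of `key_bits` bits against a known plaintext and report how
    many trials were needed. The count is bounded by 2**key_bits, so doubling the
    key length squares the work; feasible here only because the key is tiny."""
    key_len = (key_bits + 7) // 8
    for trial, k in enumerate(range(1 << key_bits), start=1):
        candidate = k.to_bytes(key_len, "big")
        if decrypt(candidate, ciphertext) == known_plaintext:
            return trial, candidate
    return 1 << key_bits, None
```

Note what the search needs: the algorithm (public), the ciphertext and some known plaintext to recognise success. Nothing about the algorithm is secret, exactly as the text assumes; only the size of the key space stands between the attacker and the data, and the defender's lever is to make that space too large to enumerate.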

Electronic signature

With the help of electronic signatures, the recipient can make sure that the received message was sent not by a third party but by a sender possessing certain rights. Electronic signatures are created by encrypting a checksum and additional information with the sender's private key. Thus anyone can decrypt the signature using the public key, but only the owner of the private key can correctly create a signature. To protect against interception and reuse, the signature includes a unique number: the sequence number.
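The signature mechanism just described, as an added example that is not part of the original work: a textbook RSA signature over a checksum that covers both the message and a sequence number, verified with the public exponent, and a receiver that rejects replays of a sequence number it has already seen. The key pair is built from two Mersenne primes so the block stays self-contained; a 92-bit modulus is a constructed toy for illustrating the mechanics, not a usable key, and real schemes use proper padding and keys of 2048 bits or more.

```python
from __future__ import annotations

import hashlib

# Constructed toy key pair: two Mersenne primes give a 92-bit modulus.
P = (1 << 31) - 1
Q = (1 << 61) - 1
N = P * Q
PUBLIC_EXPONENT = 65537
PRIVATE_EXPONENT = pow(PUBLIC_EXPONENT, -1, (P - 1) * (Q - 1))  # Python 3.8+


def checksum(message: bytes, seq: int) -> int:
    """What gets signed: a hash over the sequence number and the message,
    reduced into the range of the modulus."""
    digest = hashlib.sha256(seq.to_bytes(8, "big") + message).digest()
    return int.from_bytes(digest, "big") % N


def sign(message: bytes, seq: int, private_exponent: int = PRIVATE_EXPONENT) -> int:
    """'Encrypt' the checksum with the private key: only its owner can do this."""
    return pow(checksum(message, seq), private_exponent, N)


def verify(message: bytes, seq: int, signature: int,
           public_exponent: int = PUBLIC_EXPONENT) -> bool:
    """'Decrypt' the signature with the public key: anyone can do this."""
    return pow(signature, public_exponent, N) == checksum(message, seq)


class Receiver:
    """Accepts a message only if its signature verifies and its sequence number
    has not been used before; an intercepted, re-sent message is thus refused."""

    def __init__(self) -> None:
        self.seen: set[int] = set()

    def accept(self, message: bytes, seq: int, signature: int) -> str:
        if not verify(message, seq, signature):
            return "rejected: bad signature"
        if seq in self.seen:
            return "rejected: replay"
        self.seen.add(seq)
        return "accepted"
```

Because the sequence number is inside the signed checksum, an attacker cannot simply bump it on a captured message: changing it invalidates the signature, and leaving it triggers the replay check.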

Authentication

Authentication is one of the most important components of organizing information protection in a network. Before a user is granted the right to obtain a particular resource, it is necessary to make sure that he really is who he claims to be.

When a request to use a resource is received on behalf of a user, the server providing the resource hands control over to the authentication server. After receiving a positive response from the authentication server, the user is provided with the requested resource.

As a rule, authentication uses the principle called "what he knows": the user knows some secret word, which he sends to the authentication server in response to its request. One authentication scheme uses ordinary passwords. The user enters the password at the beginning of the network session, and sometimes also at its end (in particularly critical cases, the password for a normal logout may differ from the login one). This scheme is the most vulnerable in terms of security: the password can be intercepted and used by another person.

Schemes using one-time passwords are used more often. Even if intercepted, such a password is useless for the next login, and deriving the next password from the previous one is an extremely difficult task. To generate one-time passwords, both software and hardware generators are used, the latter being devices inserted into a computer slot. The user must know the secret word in order to bring this device into action.
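A one-time password scheme with exactly the property described (an intercepted password is useless for the next login, and the next password cannot be derived from the previous one), as an added example that is not part of the original work. It is Lamport's hash-chain construction: the client knows the secret word, the server stores only the end of a hash chain, and each login presents the preimage of the value the server last accepted. The class names, chain length and secret word are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac


def h(x: bytes) -> bytes:
    """One-way step of the chain: easy to compute, infeasible to invert."""
    return hashlib.sha256(x).digest()


def hash_chain(seed: bytes, length: int) -> list[bytes]:
    """chain[i] is h applied i times to the seed; chain[length] is the verifier."""
    chain = [seed]
    for _ in range(length):
        chain.append(h(chain[-1]))
    return chain


class OtpClient:
    """Holds the secret word and hands out passwords from the end of the chain backwards."""

    def __init__(self, secret_word: bytes, length: int) -> None:
        self._chain = hash_chain(secret_word, length)
        self._next_index = length - 1  # chain[length] itself is given to the server

    def verifier(self) -> bytes:
        return self._chain[-1]

    def passwords_remaining(self) -> int:
        return self._next_index + 1

    def next_password(self) -> bytes:
        if self._next_index < 0:
            raise RuntimeError("chain exhausted; provision a new secret word")
        pw = self._chain[self._next_index]
        self._next_index -= 1
        return pw


class OtpServer:
    """Stores only the last accepted value, never the secret word."""

    def __init__(self, verifier: bytes) -> None:
        self._last_accepted = verifier

    def login(self, candidate: bytes) -> bool:
        # The candidate is valid exactly when hashing it once yields the stored value.
        if hmac.compare_digest(h(candidate), self._last_accepted):
            self._last_accepted = candidate  # ratchet: the old value is now useless
            return True
        return False


def provision(secret_word: bytes, length: int) -> tuple[OtpClient, OtpServer]:
    """Enrolment: the client computes the chain, the server receives only its end."""
    client = OtpClient(secret_word, length)
    return client, OtpServer(client.verifier())
```

An eavesdropper who captures chain[i] learns nothing usable: the next accepted password is chain[i-1], whose computation from chain[i] would require inverting the hash. Replaying chain[i] fails because the server has already moved its stored value to chain[i], and a password skipped out of order fails until the ones before it have been used.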

Network protection

Recently, corporate networks have increasingly been connected to the Internet or even use it as their backbone. Firewalls are used to protect corporate information networks. A firewall is a system or a combination of systems that allows a network to be divided into two or more parts and implements a set of rules defining the conditions under which packets may pass from one part to another. As a rule, this boundary is drawn between the enterprise's local network and the Internet, although it can also be drawn inside the local network. Protecting individual computers is uneconomical, so usually the whole network is protected. The firewall passes all traffic through itself and, for each packet, makes a decision: let it through or discard it. For the firewall to make these decisions, a set of rules is defined for it.

A firewall can be implemented as hardware (that is, as a separate physical device) or as special software running on a computer.

As a rule, changes are made to the operating system under which the firewall runs, with the aim of increasing the protection of the firewall itself. These changes affect both the OS kernel and the corresponding configuration files. The firewall itself must not host user partitions (and hence potential holes); only the administrator's partition is permitted.

Some firewalls work only in single-user mode, and many have a system for checking the integrity of their program code.

A firewall usually consists of several different components, including filters or screens that block the transmission of part of the traffic.

All firewalls can be divided into two types:

· packet filters, which filter IP packets by means of filtering routers;

· application-level servers, which block access to specific services on the network.

Thus, a firewall can be defined as a set of components, or a system, located between two networks and having the following properties:

· all traffic from the internal network to the external one, and from the external network to the internal one, must pass through this system;

· only traffic permitted by the local security policy may pass through this system;
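The decision loop described above (every packet passes through the filter, and only traffic the local policy names is let through) can be illustrated with the following packet filter. This is an added example, not code from the original work: the rule format, the sample address ranges (an assumed internal network 192.168.1.0/24 and a public web server at 203.0.113.10) and the packets are constructed for illustration. The filter evaluates a first-match rule list and denies anything no rule mentions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter decides on (constructed sample data)."""
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One filtering rule; None (or the 0.0.0.0/0 default) means 'any' for that field."""
    action: str                 # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


INTERNAL = "192.168.1.0/24"        # assumed internal network
DMZ_WEB = "203.0.113.10/32"        # assumed public web server

# The local security policy: the first matching rule wins.
POLICY: List[Rule] = [
    Rule("allow", src=INTERNAL, proto="tcp", dport=443),   # outbound HTTPS
    Rule("allow", src=INTERNAL, proto="tcp", dport=80),    # outbound HTTP
    Rule("allow", dst=DMZ_WEB, proto="tcp", dport=443),    # inbound to the web server only
    Rule("allow", src=INTERNAL, dst=INTERNAL),             # traffic staying inside
    Rule("deny", dst=INTERNAL),                            # everything else inbound is blocked
]


def decide(rules: List[Rule], pkt: Packet) -> str:
    """Return "allow" or "deny"; a packet matching no rule is denied by default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def filter_traffic(rules: List[Rule], packets: List[Packet]) -> List[Tuple[Packet, str]]:
    """Run every packet through the filter, as a firewall must, and record each verdict."""
    return [(pkt, decide(rules, pkt)) for pkt in packets]


if __name__ == "__main__":
    sample = [
        Packet("192.168.1.5", "198.51.100.7", "tcp", 443),   # workstation to an external site
        Packet("198.51.100.7", "192.168.1.5", "tcp", 22),    # unsolicited inbound SSH
        Packet("198.51.100.7", "203.0.113.10", "tcp", 443),  # client reaching the web server
        Packet("192.168.1.5", "198.51.100.7", "udp", 53),    # outbound DNS, absent from policy
    ]
    for pkt, verdict in filter_traffic(POLICY, sample):
        print(f"{pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}: {verdict}")
```

The last sample packet is the instructive one: outbound DNS is ordinary traffic, but because the policy does not name it, the default-deny fallback drops it. That is the practical meaning of the second property above, and it is why a rule set must be written from the policy rather than from what happens to be flowing.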

In the first part ("Fundamentals of Security") we reviewed the main types of information security threats. Before choosing information security tools, it is necessary to consider in more detail what falls under the concept of information.

Information and its classification

There are many definitions and classifications of "information". The briefest and at the same time most comprehensive definition is given in Federal Law No. 149-ФЗ of July 27, 2006 (as amended on July 29, 2017), Article 2: "Information is information (messages, data) regardless of the form of its presentation."

Information can be classified in several ways. Depending on the category of access to it, it is divided into publicly available information and information to which access is restricted: confidential data and state secrets.

Depending on the procedure for its provision or distribution, information is divided into information:

  1. that is freely distributed;
  2. that is provided by agreement of the persons participating in the corresponding relationship;
  3. that, in accordance with federal laws, is subject to provision or distribution;
  4. whose distribution in the Russian Federation is restricted or prohibited.
By purpose, information is of the following types:
  1. Mass: contains trivial information and operates with a set of concepts understandable to most of society.
  2. Special: contains a specific set of concepts that may not be understood by the bulk of society, but are necessary for and understood within a narrow social group that uses this information.
  3. Secret: access is granted to a narrow circle of persons and through closed (protected) channels.
  4. Personal (private): a set of information about a person that determines his social status and types of social interaction.
Information security tools must be applied primarily to information to which access is restricted, that is, state secrets and confidential data.

According to Law of the Russian Federation No. 5485-1 of 21.07.1993 (as amended on 08.03.2015) "On State Secrets", Article 5, "The list of information constituting a state secret" includes:

  1. Information in the military field.
  2. Information in the field of economics, science and technology.
  3. Information in the field of foreign policy and economics.
  4. Information in the field of intelligence, counterintelligence and operational search activities, as well as in the field of countering terrorism and ensuring the security of persons in respect of whom a decision to apply state protection measures has been taken.
The list of information that may constitute confidential information is contained in Presidential Decree No. 188 of March 6, 1997 (as amended on July 13, 2015) "On approval of the list of confidential information".

Confidential data is information to which access is restricted in accordance with the laws of the state and the rules that companies establish on their own. The following types of confidential data can be distinguished:

  • Personal confidential data: information about the facts, events and circumstances of a citizen's private life that allows his identity to be established (personal data), with the exception of information subject to dissemination in the mass media in cases established by federal laws.
  • Official confidential data: official information to which access is restricted by state authorities in accordance with the Civil Code of the Russian Federation and federal laws (official secrets).
  • Judicial confidential data: information on the state protection of judges and officials of law enforcement and supervisory bodies; on the state protection of victims, witnesses and other participants in criminal proceedings; information contained in the personal files of convicts; and information on the enforcement of judicial acts and acts of other bodies and officials, except for information that is publicly available in accordance with Federal Law No. 229-FZ of October 2, 2007 "On Enforcement Proceedings".
  • Commercial confidential data: all types of information related to commerce (profit) to which access is restricted by law, or information on the essence of an invention, utility model or industrial design prior to the official publication of information about them by the enterprise (secret developments, manufacturing technologies, etc.).
  • Professional confidential data: information related to professional activities, access to which is restricted in accordance with the Constitution of the Russian Federation and federal laws (medical, notarial and attorney-client secrecy, the secrecy of correspondence, telephone conversations, postal, telegraph and other messages, and so on).


Figure 1. Classification of types of information.

Personal Information

Personal data deserves separate attention. According to Federal Law No. 152-ФЗ of 27.07.2006 (as amended on 29.07.2017) "On Personal Data", Article 4: personal data is any information relating to a directly or indirectly identified or identifiable natural person (the personal data subject).

A personal data operator is a state body, municipal body, legal entity or natural person that, alone or jointly with other persons, organizes and (or) carries out the processing of personal data, and also determines the purposes of processing, the composition of the personal data to be processed, and the actions (operations) performed on the personal data.

Processing of personal data is any action (operation) or set of actions (operations) performed on personal data with or without the use of automation tools, including collection, recording, systematization, accumulation, storage, refinement (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion and destruction of personal data.

The right to process personal data is established for state bodies by federal laws, and for other organizations by licenses for working with personal data issued by Roskomnadzor or FSTEC.

Companies that professionally process the personal data of a wide range of persons, such as virtual server hosting providers or telecom operators, must be entered in the register maintained by Roskomnadzor.

For example, our virtual VPS server hosting operates under the legislation of the Russian Federation and in accordance with the licenses of the Federal Service for Supervision of Communications, Information Technology and Mass Media No. 139322 of 25.12.2015 (telematic communication services) and No. 139323 of 25.12.2015 (data transfer services, except data transfer services for the purpose of voice transmission).

It follows that any site with a user registration form, on which information relating to personal data is entered and subsequently processed, is a personal data operator.

Under Article 7 of Law No. 152-ФЗ "On Personal Data", operators and other persons who have gained access to personal data are obliged not to disclose it to third parties and not to disseminate it without the consent of the personal data subject, unless otherwise provided by federal law. Accordingly, every personal data operator is obliged to ensure the necessary security and confidentiality of this information.

To ensure the security and confidentiality of information, it is necessary to determine which carriers of information exist and which of them are open or closed to access. The methods and means of protection are then chosen depending on the type of carrier.

The main carriers of information are:

  • printed and electronic media, social networks and other resources on the Internet;
  • employees of the organization who have access to information through their friendly, family or professional ties;
  • means of communication that transmit or store information: telephones, PBXs and other telecommunication equipment;
  • documents of all types: personal, official, state;
  • software as an independent information object, especially if its version was customized for a particular company;
  • electronic information carriers that process data automatically.
Having determined which information is to be protected, its carriers and the possible damage from its disclosure, one can choose the necessary means of protection.

Classification of information security tools


In accordance with Federal Law No. 149-ФЗ of July 27, 2006 (as amended on July 29, 2017) "On Information, Information Technologies and Information Protection", Article 7, paragraphs 1 and 4:

1. Information protection consists of taking legal, organizational and technical measures aimed at:

  • protecting information from unlawful access, destruction, modification, blocking, copying, provision, distribution and other unlawful actions with respect to it;
  • maintaining the confidentiality of restricted-access information;
  • exercising the right of access to information.
4. In cases established by the legislation of the Russian Federation, the owner of the information or the operator of the information system must ensure:
  • prevention of unauthorized access to information and (or) its transfer to persons who have no right of access to it;
  • timely detection of unauthorized access to information;
  • prevention of the possibility of adverse consequences from violation of the procedure for access to information;
  • prevention of interference with the technical means of processing information that would disrupt their functioning;
  • the possibility of immediate restoration of information modified or destroyed as a result of unauthorized access to it;
  • constant monitoring of the level of information security;
  • the location on the territory of the Russian Federation of the databases used for the collection, recording, systematization, accumulation, storage, refinement (updating, changing) and extraction of the personal data of citizens of the Russian Federation (paragraph 7 introduced by Federal Law No. 242-ФЗ of July 21, 2014).
Based on Law No. 149-ФЗ, information protection can be divided into several levels:
  1. The legal level ensures compliance with state standards in the field of information protection and includes copyright, decrees, patents and job descriptions.
    A competently built protection system does not violate user rights or data processing standards.
  2. The organizational level makes it possible to regulate the work of users with confidential information, to select personnel, and to organize work with documentation and data carriers.
    The rules governing users' work with confidential information are called access control rules. They are established by the company's management together with the security service and the vendor that implements the security system. The goal is to define the conditions of access to information resources for each user, for example, the right to read, edit or transmit a confidential document.
    Access control rules are developed at the organizational level and are enforced at the stage of work with the technical component of the system.
  3. The technical level is conventionally divided into physical, hardware, software and mathematical (cryptographic) means.

Information protection tools

Information protection tools are customarily divided into regulatory (informal) and technical (formal).

Informal information protection tools

Informal information protection tools are regulatory (legislative), administrative (organizational) and moral-ethical means, which include documents, rules and activities.

The legal basis (legislative means) of information security is provided by the state. Information protection is governed by international conventions, the Constitution, the federal law "On Information, Information Technologies and Information Protection", the laws of the Russian Federation "On Security", "On Communications" and "On State Secrets", and various by-laws.

Some of the listed laws were already cited and discussed above as the legal basis of information security. Non-compliance with these laws creates threats to information security that can lead to significant consequences, which in turn are punishable under these laws, up to and including criminal liability.

The state also determines the measure of responsibility for violating the provisions of information security legislation. For example, Chapter 28 "Crimes in the Sphere of Computer Information" of the Criminal Code of the Russian Federation includes three articles:

  • Article 272 "Unauthorized access to computer information";
  • Article 273 "Creation, use and dissemination of malicious computer programs";
  • Article 274 "Violation of the rules of operation of means of storage, processing or transmission of computer information and of information and telecommunication networks".
Administrative (organizational) measures play a significant role in creating a reliable information protection mechanism, since the possibility of unauthorized use of confidential information is largely due not to technical aspects or malicious actions but to negligence, carelessness and inattention of users or security personnel.

To reduce the influence of these aspects, a set of organizational, legal and technical measures is applied that excludes or minimizes the possibility of threats to confidential information arising.

In this administrative and organizational activity on information protection, security officers have room for creativity.

This includes architectural and planning solutions that protect meeting rooms and executive offices from eavesdropping, and the establishment of different levels of access to information.

From the point of view of regulating personnel activity, it is important to design a system of requests for access to the Internet, external e-mail and other resources. A separate element is obtaining an electronic digital signature to enhance the security of financial and other information transmitted to state authorities over e-mail channels.

Moral and ethical means include the moral norms or ethical rules established in society or in a given team, compliance with which promotes the protection of information, and violation of which is equated to non-compliance with the rules of behaviour in society or in the team. These norms are not mandatory, unlike legislatively approved norms, but failure to comply with them leads to a loss of authority and prestige for a person or organization.

Formal information security tools

Formal protection tools are special technical means and software, which can be divided into physical, hardware, software and cryptographic.

Physical means of information protection are any mechanical, electrical and electronic mechanisms that function independently of the information systems and create obstacles to access to them.

Locks, including electronic ones, screens and blinds are designed to create obstacles to the contact of destabilizing factors with the systems. This group is complemented by security system components such as video cameras, video recorders, and sensors that detect movement or excessive electromagnetic radiation in the zone where technical means of information retrieval may be located.

Hardware means of information protection are any electrical, electronic, optical, laser and other devices embedded in information and telecommunication systems: special-purpose computers, employee monitoring systems, and protection for servers and corporate networks. They obstruct access to information, including by masking it.

Hardware includes noise generators, line filters, scanning radios and many other devices that "close" potential leakage channels or detect them.

Information security software consists of stand-alone and integrated programs designed to solve problems related to ensuring information security.

Examples of comprehensive solutions are DLP systems and SIEM systems.

DLP systems (Data Leak Prevention, literally "prevention of data leakage") serve, accordingly, to prevent leakage, reformatting of information and redirection of information flows.

SIEM systems (Security Information and Event Management, which translates as "management of security information and events") provide real-time analysis of security events (alarms) originating from network devices and applications. SIEM is delivered as applications, appliances or services, and is also used to log data and generate reports for compatibility with other business data.

Software is demanding of hardware performance, and when installing it, additional capacity must be provided.

Mathematical (cryptographic) means are the implementation of cryptographic and steganographic data protection methods for secure transmission over a corporate or global network.

Cryptography is considered one of the most reliable data protection methods, because it protects the information itself rather than access to it. Cryptographically transformed information has an increased degree of protection.

The introduction of cryptographic information protection involves the creation of a software and hardware complex whose architecture and composition are determined by the needs of the specific customer, the requirements of legislation, the tasks at hand, the required methods, and the encryption algorithms.

This may include software encryption components (cryptographic providers), VPN deployment, certificate management tools, and tools for generating and verifying keys and electronic digital signatures.

Encryption tools can support GOST encryption algorithms and provide the required cryptographic protection classes depending on the required degree of protection, the regulatory framework, and compatibility requirements with other, including external, systems. At the same time, encryption tools protect the entire set of information components, including files, folders with files, physical and virtual media, and entire servers and data storage systems.
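The kind of real-time event analysis a SIEM performs on messages from network devices and applications can be illustrated by the following correlation rule. This is an added example, not code from the original work or from any particular SIEM product: it parses constructed sshd-style log lines and raises an alarm when one source address produces a number of failed logins within a short window. The log format, the threshold of three failures and the 60-second window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Format of the constructed sample lines: ISO timestamp, host, sshd message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample events (not real logs); addresses are documentation ranges.
SAMPLE_LOGS = """\
2024-03-01T10:00:01 fw01 sshd[1201]: Failed password for root from 198.51.100.23 port 51022 ssh2
2024-03-01T10:00:05 fw01 sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 51023 ssh2
2024-03-01T10:00:09 fw01 sshd[1201]: Accepted publickey for alice from 192.168.1.40 port 40210 ssh2
2024-03-01T10:00:12 fw01 sshd[1201]: Failed password for root from 198.51.100.23 port 51024 ssh2
2024-03-01T10:02:00 fw01 sshd[1201]: Failed password for bob from 192.168.1.41 port 40211 ssh2
2024-03-01T10:05:00 fw01 sshd[1201]: Failed password for bob from 192.168.1.41 port 40212 ssh2
"""


def detect_bruteforce(lines, threshold: int = 3, window_seconds: int = 60) -> List[Dict]:
    """Correlate failed logins per source address over a sliding time window.

    An alarm is raised when `threshold` failures from one source fall within
    `window_seconds`; the window is then cleared so one burst yields one alarm.
    """
    window = timedelta(seconds=window_seconds)
    recent: Dict[str, deque] = defaultdict(deque)    # src -> timestamps of failures
    users: Dict[str, set] = defaultdict(set)          # src -> usernames tried
    alarms: List[Dict] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                                   # not a failed login: ignore
        ts = datetime.fromisoformat(m["ts"])
        src = m["src"]
        q = recent[src]
        q.append(ts)
        users[src].add(m["user"])
        while q and ts - q[0] > window:                # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            alarms.append({
                "time": ts.isoformat(),
                "host": m["host"],
                "src": src,
                "failures": len(q),
                "users": sorted(users[src]),
                "rule": "ssh-bruteforce",
            })
            q.clear()
            users[src].clear()
    return alarms


if __name__ == "__main__":
    for alarm in detect_bruteforce(SAMPLE_LOGS.splitlines()):
        print(alarm)
```

In the sample, the three failures from 198.51.100.23 within eleven seconds produce one alarm, while the two failures for user bob three minutes apart do not; the distinction between a burst and ordinary mistyped passwords is exactly what the time window encodes, and tuning it is the main operational work of such a rule.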

In conclusion to this second part, having briefly considered the main methods and means of information protection as well as the classification of information, we can say the following: the well-known thesis is confirmed once again that ensuring information security is a whole complex of measures covering every aspect of protecting information, and its creation and maintenance must be approached most carefully and seriously.

The "golden rule", an integrated approach, must be strictly observed and under no circumstances violated.

For a clearer picture, the means of information protection are presented below in Figure 2 precisely as an indivisible set of measures, in which each brick is the protection of information in a specific segment: remove one brick and a threat to security appears.


Figure 2. Classification of information protection tools.