A modern information security system should be built on an integrated set of protection measures and should rely on current methods of forecasting, analyzing and modeling possible threats to information security and the consequences of their realization.

The results of that modeling are used to select adequate, optimal methods of countering the threats.

How to build a private threat model for an information system

At the modeling stage, the existing situation is studied and analyzed, and the actual threats to the security of personal data (PD) processed in the personal data information system (ISPD) are identified. A separate threat model is compiled for each ISPD identified.

The threat model for an information system is built in accordance with the requirements of Federal Law No. 152-FZ of July 27, 2006 "On Personal Data". The methodological documents of the FSTEC of Russia may also be used: the "Basic model of threats to the security of PD when they are processed in ISPD" and the "Methodology for determining actual threats to the security of PD when they are processed in ISPD".

The initial data for the assessment and analysis are usually the materials of the inspection act, the results of a survey of employees of the various departments and services, the methodological documents of the FSTEC, and so on.

A private threat model for an information system must be approved by the head of the organization or by a commission, on the basis of the report on the results of the internal audit.

The threat model may be developed by the organization's own data protection staff or by external experts. Whoever develops it must have complete information about the personal data information system and must know the regulatory framework for information protection.

Content of the information system security threat model

The ISPD security threat model reflects:

  • The threats to the security of personal data themselves. When PD are processed in an ISPD, the following threats can be distinguished: threats created by an intruder (an individual), by a hardware implant, by malware, threats of special (deliberate) effects on the ISPD, threats of electromagnetic impact on the ISPD, threats of information leakage through technical channels, etc.
  • The sources of threats to the ISPD. Possible sources are an external intruder, an internal intruder, a hardware or software implant, or a malicious program.
  • General characteristics of ISPD vulnerabilities: information about the main groups of ISPD vulnerabilities, their characteristics and their causes.
  • The information protection tools in use. For each ISPD, the measures needed to reduce the risk from the actual threats should be determined.

To obtain a private threat model for a specific enterprise, answer the clarifying questions and enter the data into the template.

Information security threat model for an ISPD (template)

Regulatory basis: the personal data legislation cited above, as well as the methodological documents of the FSTEC of Russia:

- "Basic model of security threats to personal data when they are processed in ISPD"

- "Methodology for determining actual threats to the security of personal data when they are processed in ISPD"

Initial data

The initial data for the evaluation and analysis are:

- materials of the inspection act;

- the results of a survey of employees of the various departments and services;

- the methodological documents of the FSTEC;

- the requirements of the relevant government decree.

2. Description of the approach to modeling personal data security threats

2.1. The security threat model was developed on the basis of the FSTEC methodological documents:

- on the basis of the "Basic model of security threats to personal data during their processing in ISPD", the security threats were classified and a list of security threats was compiled;

- on the basis of that list of PD security threats in the ISPD, and using the "Methodology for determining actual PD security threats when they are processed in ISPD", a model of PD security threats in the ISPD ACS was built and the actual threats were identified.
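The scoring that the second step relies on, as an added worked example (this code is not part of the source document and is not an FSTEC publication; it implements the scheme of the 2008 FSTEC "Methodology for determining actual threats" as commonly applied): the initial security coefficient Y1 is derived from the ISPD characteristics by the methodology's 70 % rule, the expert probability Y2 is combined with it into the feasibility coefficient Y = (Y1 + Y2) / 20, and the feasibility grade is cross-checked against the expert danger of the threat to decide whether the threat is actual. The threat names, the per-characteristic levels and the probability and danger grades below are constructed assumptions for illustration, not values taken from this document.

```python
"""Scoring scheme of the FSTEC of Russia 2008 "Methodology for determining
actual threats to the security of personal data", applied to a constructed
threat list.  Added worked example: the threat names, characteristic levels,
probabilities and danger grades are illustrative assumptions."""
from dataclasses import dataclass

# Y1: initial security coefficient by overall initial security level.
Y1_BY_LEVEL = {"high": 0, "medium": 5, "low": 10}
# Y2: expert estimate of the probability that the threat is realised.
Y2_BY_PROBABILITY = {"unlikely": 0, "low": 2, "medium": 5, "high": 10}
# Relevance matrix: (feasibility grade, expert danger) -> the threat is actual.
RELEVANCE = {
    ("low", "low"): False, ("low", "medium"): False, ("low", "high"): True,
    ("medium", "low"): False, ("medium", "medium"): True, ("medium", "high"): True,
    ("high", "low"): True, ("high", "medium"): True, ("high", "high"): True,
    ("very high", "low"): True, ("very high", "medium"): True, ("very high", "high"): True,
}


def initial_security_level(levels):
    """Apply the methodology's 70 % rule to per-characteristic levels
    ("high" / "medium" / "low") and return the overall initial security level:
    high   - at least 70 % of the characteristics are high and none is low;
    medium - otherwise, if at least 70 % are high or medium;
    low    - otherwise."""
    if not levels:
        raise ValueError("at least one characteristic is required")
    n = len(levels)
    high = sum(1 for lvl in levels if lvl == "high")
    medium = sum(1 for lvl in levels if lvl == "medium")
    low = n - high - medium
    if high / n >= 0.7 and low == 0:
        return "high"
    if (high + medium) / n >= 0.7:
        return "medium"
    return "low"


def feasibility(y1, y2):
    """Feasibility coefficient Y = (Y1 + Y2) / 20 and its verbal grade."""
    y = (y1 + y2) / 20
    if y <= 0.3:
        grade = "low"
    elif y <= 0.6:
        grade = "medium"
    elif y <= 0.8:
        grade = "high"
    else:
        grade = "very high"
    return y, grade


@dataclass(frozen=True)
class Threat:
    name: str
    probability: str  # expert grade: unlikely / low / medium / high
    danger: str       # expert grade: low / medium / high


def assess(threats, characteristic_levels):
    """Return one row per threat:
    (name, probability, Y, feasibility grade, danger, actual)."""
    y1 = Y1_BY_LEVEL[initial_security_level(characteristic_levels)]
    rows = []
    for t in threats:
        y, grade = feasibility(y1, Y2_BY_PROBABILITY[t.probability])
        rows.append((t.name, t.probability, y, grade, t.danger,
                     RELEVANCE[(grade, t.danger)]))
    return rows


# Constructed characteristic levels for a local, multi-user ISPD with a
# single-point connection to a public network (an assumption, not this
# document's own assessment).  Seven characteristics -> medium level, Y1 = 5.
SAMPLE_CHARACTERISTICS = {
    "territorial placement (local system inside one building)": "high",
    "connection to public networks (single-point egress)": "medium",
    "built-in PD operations (record, delete, sort)": "medium",
    "access differentiation (operator's employees only)": "medium",
    "connections to other PD databases (one own database)": "high",
    "depersonalization of PD (not depersonalized)": "low",
    "PD passed to third parties without processing (part of the DB)": "medium",
}

# Constructed threat list with assumed expert grades.
SAMPLE_THREATS = [
    Threat("Malware infection via removable media", "high", "medium"),
    Threat("Internal user exceeding assigned access rights", "medium", "high"),
    Threat("Undeclared capabilities in system software (type 1)", "low", "high"),
    Threat("Interception via PEMIN channels", "low", "low"),
    Threat("Leakage of acoustic (speech) information", "unlikely", "low"),
]


def sample_assessment():
    """Assess the constructed threat list against the constructed ISPD."""
    return assess(SAMPLE_THREATS, list(SAMPLE_CHARACTERISTICS.values()))


if __name__ == "__main__":
    level = initial_security_level(list(SAMPLE_CHARACTERISTICS.values()))
    print(f"initial security level: {level} (Y1 = {Y1_BY_LEVEL[level]})")
    for name, prob, y, grade, danger, actual in sample_assessment():
        print(f"{name:<52} {prob:<8} Y={y:.2f} {grade:<9} {danger:<6} "
              f"{'actual' if actual else 'not actual'}")
```

Running the module prints one row per threat with the columns used in section 3.1 (name, probability, feasibility, danger, actual or not). Note how sensitive the result is to the initial security assessment: with seven characteristics, the medium level needs at least five of them at high or medium, so re-grading a single characteristic to low can move Y1 from 5 to 10 and pull borderline threats into the actual set. The characteristic levels therefore deserve the same scrutiny and the same documented justification as the threat list itself.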

2.2. Actual threats to the security of personal data are understood as the set of conditions and factors that create an actual danger of unauthorized, including accidental, access to personal data during their processing in an information system, which may result in the destruction, modification, blocking, copying, provision or distribution of personal data and other unlawful actions.

2.3. Type 1 threats are relevant for an information system if, among other things, it is subject to threats related to the presence of undocumented (undeclared) capabilities in the system software used in the information system.

2.4. Type 2 threats are relevant for an information system if, among other things, it is subject to threats related to the presence of undocumented (undeclared) capabilities in the application software used in the information system.

2.5. Type 3 threats are relevant for an information system if it is subject to threats that are not related to the presence of undocumented (undeclared) capabilities in the system and application software used in the information system.

3. Threat model

3.1. Classification of personal data security threats

When PD are processed in the ISPD, the following threats can be distinguished (one row per threat, with the columns: name of the threat; description of the threat; probability of occurrence; feasibility of the threat):

3.2. Sources of threats to the ISPD

The sources of threats in the ISPD can be (one row per source, with the columns: name of the threat source; general characteristics of the source):

Budgetary Institution of the Chuvash Republic "Yadrinsky Complex Center of Social Services for the Population" of the Ministry of Labor and Social Protection of the Chuvash Republic

Approved by order of BU "Yadrinsky KTsSON" of the Ministry of Labor of Chuvashia

Personal data security threat model during their processing in the personal data information system "Accounting and Personnel"

Yadrin, 2018

Contents

Designations and abbreviations

Terms and definitions

Introduction

1. Description of the personal data information system "Accounting and Personnel" of BU "Yadrinsky KTsSON" of the Ministry of Labor of Chuvashia

1.1. Characteristics of the objects of protection

1.3. Protection tools in use

1.4. Functioning model of the ISPD "Accounting and Personnel" of BU "Yadrinsky KTsSON" of the Ministry of Labor of Chuvashia

1.5. Controlled zones of BU "Yadrinsky KTsSON" of the Ministry of Labor of Chuvashia

2. Structural and functional characteristics of the ISPD "Accounting and Personnel" of BU "Yadrinsky KTsSON" of the Ministry of Labor of Chuvashia

3. Protected resources of the ISPD "Accounting and Personnel" of BU "Yadrinsky KTsSON" of the Ministry of Labor of Chuvashia

4. The main security threats to the ISPD "Accounting and Personnel" of BU "Yadrinsky KTsSON" of the Ministry of Labor of Chuvashia

4.1. Information leakage channels

4.1.1. Threats of leakage of acoustic (speech) information

4.1.2. Threats of leakage of visual information

4.1.3. Threats of information leakage through channels of spurious electromagnetic radiation and interference (PEMIN)

4.2. Threats of unauthorized access to the ISPD "Accounting and Personnel" of BU "Yadrinsky KTsSON" of the Ministry of Labor of Chuvashia

4.3. Sources of threats of unauthorized access to the ISPD "Accounting and Personnel" of BU "Yadrinsky KTsSON" of the Ministry of Labor of Chuvashia

4.3.1. Source of NSD threats: the intruder

4.3.2. Source of NSD threats: carriers of malicious programs

5. Model of threats to the security of personal data during their processing in the personal data information system "Accounting and Personnel" of BU "Yadrinsky KTsSON" of the Ministry of Labor of Chuvashia

5.1. Determining the level of initial security of the ISPD "Accounting and Personnel"

5.2. Determining the probability of threats in the ISPD "Accounting and Personnel" of BU "Yadrinsky KTsSON" of the Ministry of Labor of Chuvashia

5.5. Determining the relevance of threats in the ISPD

6. Intruder model of the ISPD "Accounting and Personnel" of BU "Yadrinsky KTsSON" of the Ministry of Labor of Chuvashia

6.1. Description of intruders (sources of attacks)

6.2. Determining the type of intruder of the ISPD of BU "Yadrinsky KTsSON" of the Ministry of Labor of Chuvashia

6.3. Level of cryptographic protection of PD in the ISPD

Conclusion

Designations and abbreviations

VTSS - auxiliary technical means and systems

ISPD - personal data information system

KZ - controlled zone

ME - firewall

NDV - undeclared capabilities

NSD - unauthorized access

OS - operating system

OTSS - basic technical means and systems

PD - personal data

PPO - application software

PEMIN - spurious electromagnetic radiation and interference

PMV - program (program-mathematical) impact

SZPDn - personal data protection system

CIPF - means of cryptographic information protection

SF - CIPF functioning environment

Иi - sources of security threats of category i (i = 0, 1, ..., 8), where И0 is an external intruder and И1, ..., И8 are internal intruders according to the FSTEC classification

FSB of Russia - Federal Security Service of the Russian Federation

FSTEC of Russia - Federal Service for Technical and Export Control

Terms and definitions

The following terms and definitions are used in this document:

Blocking of personal data - temporary suspension of the collection, systematization, accumulation, use and distribution of personal data, including their transfer.

Virus (computer, software) - executable program code or an interpreted set of instructions that has the properties of unauthorized distribution and self-reproduction. The copies a computer virus creates do not always coincide with the original, but retain the ability to spread and reproduce further.

Malicious program - a program designed to carry out unauthorized access to and (or) impact on personal data or on the resources of the personal data information system.

Auxiliary technical means and systems - technical means and systems not intended for the transfer, processing and storage of personal data, installed together with technical means and systems that are intended for processing personal data, or in premises where personal data information systems are installed.

Access to information - the possibility of obtaining information and using it.

Protected information - information that is the subject of ownership and is subject to protection in accordance with the requirements of legal documents or requirements established by the owner of the information.

Identification - assigning an identifier to subjects and objects of access and (or) comparing a presented identifier with the list of assigned identifiers.

Personal data information system - an information system consisting of the personal data contained in a database together with the information technologies and technical means that allow such personal data to be processed with or without the use of automation tools.

Information technology - processes and methods for searching, collecting, storing, processing, presenting and disseminating information, and the ways of implementing such processes and methods.

Controlled zone - a space (territory, building, part of a building, premises) in which the uncontrolled presence of unauthorized persons, as well as of vehicles, technical and other material means, is excluded.

Confidentiality of personal data - the mandatory requirement for an operator, or any other person who has gained access to personal data, to prevent their distribution without the consent of the personal data subject or another legal basis.

Firewall - a local (single-component) or functionally distributed software (or software-and-hardware) tool or complex that controls the information entering the personal data information system and (or) leaving it.

Undeclared capabilities - functionality of computer facilities and (or) software that is not described in the documentation, or does not correspond to what is described there, and whose use may violate the confidentiality, availability or integrity of the information being processed.

Unauthorized access (unauthorized actions) - access to information, or actions with information, carried out in violation of the established rights and (or) rules of access, using the information system's standard tools or tools similar to them in functional purpose and technical characteristics.

Processing of personal data - actions (operations) with personal data, including collection, systematization, accumulation, storage, clarification (updating, changing), use, distribution (including transfer), depersonalization, blocking and destruction of personal data.

Operator - a state body, municipal body, legal entity or individual that organizes and (or) carries out the processing of personal data and determines the purposes and content of that processing.

Interception (of information) - illegal acquisition of information by means of a technical device that detects, receives and processes informative signals.

Personal data - any information relating to an individual who is identified, or can be identified, on the basis of that information (the personal data subject), including surname, first name, patronymic, date and place of birth, address, marital, social and property status, education, profession, income and other information.

Spurious electromagnetic radiation and interference - electromagnetic radiation from technical means that process protected information, arising as a side effect of the electrical signals acting in their electrical and magnetic circuits, and the pickup of these signals on conductive lines, structures and power circuits.

Access control rules - the set of rules governing the access rights of access subjects to access objects.

Software implant (program bookmark) - a functional object covertly introduced into software which, when certain conditions are met, is capable of producing an unauthorized software impact. A software implant may take the form of a malicious program or of program code.

Program (program-mathematical) impact - unauthorized impact on the resources of an automated information system carried out using malicious programs.

Information system resource - a named element of the system software, application software or hardware that supports the functioning of the information system.

Computer facilities - a set of software and technical elements of data processing systems capable of functioning independently or as part of other systems.

Access subject (subject) - a person or process whose actions are regulated by the access control rules.

Technical means of the personal data information system - computer equipment, information and computing systems and networks, means and systems for transmitting, receiving and processing personal data (means and systems for sound recording, sound amplification and sound reproduction, intercom and television devices, equipment for producing and duplicating documents, and other technical means for processing speech, graphic, video and alphanumeric information), software (operating systems, database management systems, etc.) and information security tools.

Technical channel of information leakage - the combination of the information carrier (the means of processing), the physical medium through which an informative signal propagates, and the means by which the protected information is obtained.

Personal data security threats - a set of conditions and factors that create the danger of unauthorized, including accidental, access to personal data, which may result in the destruction, modification, blocking, copying or distribution of personal data, or other unauthorized actions, during their processing in the personal data information system.

Destruction of personal data - actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system, or as a result of which the material carriers of personal data are destroyed.

Leakage of (protected) information through technical channels - uncontrolled dissemination of information from the carrier of protected information through a physical medium to a technical means that intercepts the information.

Person authorized by the operator - a person to whom the operator entrusts the processing of personal data on the basis of an agreement.

Information integrity - the state of information in which no change is made to it, or a change is made only intentionally by subjects that have the right to make it.

Introduction

This document presents an information security threat model (a list of threats) and an intruder model (assumptions about the capabilities an intruder may use to develop and carry out attacks, and the limits on those capabilities), for the purpose of creating an information protection system (IPS) for the personal data information system "Accounting and Personnel" of BU "Yadrinsky KTsSON" of the Ministry of Labor of Chuvashia.

The threat model was developed in accordance with the "Methodology for determining actual threats to the security of personal data during their processing in personal data information systems", approved by the Deputy Director of the FSTEC of Russia on February 14, 2008, on the basis of the "Basic model of threats to the security of personal data during their processing in personal data information systems", approved by the Deputy Director of the FSTEC of Russia on February 15, 2008.

When forming this Personal Data Security Threats Model, the following legal documents were used:

Federal Law No. 149-FZ of July 27, 2006 “On Information, Information Technologies and Information Protection”;

Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”;

Decree of the Government of the Russian Federation dated November 1, 2012 No. 1119 “On approval of requirements for the protection of personal data during their processing in personal data information systems”;

Order of the FSTEC of Russia dated February 18, 2013 No. 21 “On approval of the Composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems”;

Regulation on the development, production, sale and operation of encryption (cryptographic) means of information protection (Regulation PKZ-2005), approved by order of the Federal Security Service of Russia dated 09.02.2005 No. 66;

The basic model of personal data security threats during their processing in personal data information systems, approved by the Deputy Director of the FSTEC of Russia on February 15, 2008;

Methodology for determining actual threats to the security of personal data during their processing in personal data information systems, approved by the Deputy Director of the FSTEC of Russia on February 14, 2008;

Guidelines for the development of regulatory legal acts that define threats to the security of personal data that are relevant when processing personal data in information systems of personal data operated in the course of the relevant activities, approved by the leadership of the 8th Center of the FSB of Russia on March 31, 2015 No. 149/7/2/6- 432;

GOST R 50922-2006 “Information security. Basic terms and definitions”;

GOST R 51275-2006 “Information security. Informatization object. Factors affecting information. General Provisions”;

GOST R 51583-2014 "Information security. Procedure for creating automated systems in a protected design. General provisions".

1. Description of the personal data information system "Accounting and Personnel" of BU "Yadrinsky KTsSON" of the Ministry of Labor of Chuvashia

1.1. Characteristics of the objects of protection

The personal data information system "Accounting and Personnel" of the Budgetary Institution "Yadrinsky KTsSON" of the Ministry of Labor of Chuvashia has the following characteristics:

  • name of the ISPD: "Accounting and Personnel";
  • location of the ISPD: BU "Yadrinsky KTsSON" of the Ministry of Labor of Chuvashia (hereinafter the institution);
  • address of the organization: Chuvash Republic, Yadrin, 30 Let Pobedy St., 29;
  • composition of the ISPD: the accounting automation software "1C: Accounting of a State Institution 8" (manufacturer LLC "Softechno"); the software "KAMIN: Payroll for Budgetary Institutions. Version 3.5" (manufacturer LLC "Kamin-Soft"); and the system "SBiS++: Electronic Reporting and Document Flow" (manufacturer LLC "Company Tenzor").

In the course of accounting and personnel record-keeping in the institution, databases are formed containing the following personal data:

  • date of birth;
  • place of birth;
  • information about changes of full name;
  • citizenship;
  • registered address and place of residence;
  • marital status, information about dependents, family composition;
  • telephone number;
  • information about the identity document (series, number, when and by whom it was issued);
  • information about education;
  • information about appointments and transfers;
  • information about work activity;
  • information about awards and promotions;
  • information about the last place of work (occupation, average salary, date of dismissal, reason for dismissal, employer);
  • information about military registration status;
  • information about stays abroad;
  • special skills and qualities;
  • information about sick leave and breaks in employment;
  • information about leave (annual, unpaid) and compensation;
  • information about leave compensation payments;
  • information about trade union membership;
  • account numbers.

The listed personal data belong to the "other" category of personal data (not special, not biometric, not publicly available) of subjects who are employees of the institution.

1.3. Protection tools in use

The following protection tools are currently used in the ISPD "Accounting and Personnel" of the institution:

  • the software product "Kaspersky Internet Security" (no FSTEC of Russia certificate);
  • the standard OS password mechanisms, with logins and passwords transmitted within the local area network, used to identify and authenticate users when they access workstations and servers, including those intended for processing and storing protected information.

The following organizational protection measures have been implemented in the ISPD "Accounting and Personnel" of the institution:

  • the PD being processed and the objects of protection have been defined;
  • the circle of persons involved in the processing of PD has been determined;
  • the access rights of ISPD users, limited to what their official duties require, have been determined;
  • persons responsible for ensuring the security of PD have been appointed;
  • the Information Security Concept has been approved;
  • the Information Security Policy has been approved;
  • an access and protection regime has been organized for the premises in which the ISPD hardware is installed;
  • employees have been informed and trained on the procedure for processing PD;
  • the employees' job regulations have been amended to cover the procedure for processing PD and compliance with the introduced protection regime;
  • instructions for action in emergency situations have been developed;
  • an inventory of technical means and protection tools, and of the documentation for them, is kept;
  • the premises housing ISPD hardware have been brought into line with the regulators' requirements;
  • uninterruptible power supply systems have been installed for all key elements of the ISPD;
  • a backup system for the key elements of the ISPD has been implemented;
  • the responsible employees who use technical information protection tools have been trained.

1.4. Functioning model of the ISPD "Accounting and Personnel" of BU "Yadrinsky KTsSON" of the Ministry of Labor of Chuvashia

1.5. Controlled zones of BU "Yadrinsky Complex Center of Social Services for the Population" of the Ministry of Labor of the Chuvash Republic

The boundaries of the controlled zone of the premises in which the personal data information system "Accounting and Personnel" of the institution is located:

Organizing admission to the territory of the institution's controlled zone is entrusted to the director.

Control over the procedure for admission to the premises located within the institution's controlled zone is assigned to the director.

Control of access to the premises located within the institution's controlled zone, using the local CCTV network, is assigned to the director.

The authorization system (access matrix) for the ISPD "Accounting and Personnel" of the institution has been approved in accordance with the employees' levels of authority to access ISPD resources:

  • Administrator: full access rights to all ISPD resources (viewing, printing, modifying, adding and deleting information, copying information to registered external media, installing and configuring software and hardware);
  • User: limited access rights to ISPD resources, with no rights to install or configure software and hardware.

List of ISPD resources and the employees' access rights to them, depending on level of authority.

Resource name:

Registered internal media:
  • hard disk holding the ISPD database, all directories;
  • hard disk holding the ISPD database, database directory;
  • hard disk of an employee's workstation, all directories;
  • hard disk of an employee's workstation, personal directory.

Registered external media:
  • floppy disks;
  • CDs/DVDs;
  • flash drives;
  • portable hard disks.

Devices for reading/writing external media:
  • floppy drives;
  • CD/DVD drives.

Peripheral equipment:
  • printers.

Legend:

"A" - administrator;

"P" - user;

"ARM" - automated workstation;

"+" - full access rights;

"-" - limited access rights.

In addition, in relation to the ISPD "Accounting and Personnel" of the institution, a group of individuals is singled out who have no right of access inside the controlled zone where the software and hardware are located, who are not registered users or technical personnel, but who have authorized access to external communications and information resources located outside the controlled zone:

  • the provider's technical support specialists;
  • telephone exchange (PBX) specialists;
  • HVAC specialists;
  • electricians;
  • firefighters;
  • law enforcement officers.

Also singled out, in relation to the ISPD "Accounting and Personnel" of the institution, are individuals who have no right of access inside the controlled zone where the software and hardware are located, who are not registered users or technical personnel, and who have no authorized access to external communications and information resources located outside the controlled zone.

2. Structural and functional characteristics of the ISPD "Accounting and Personnel" of BU "Yadrinsky KTsSON" of the Ministry of Labor of Chuvashia

The structural and functional characteristics of the ISPD "Accounting and Personnel" of the institution are determined in order to establish the methods and means of protection needed to ensure the security of PD.

The ISPD "Accounting and Personnel" of the institution is a personal data information system and is subject to protection in accordance with the requirements for the protection of information in personal data information systems.

In accordance with Decree of the Government of the Russian Federation No. 1119 of November 1, 2012 "On approval of requirements for the protection of personal data during their processing in personal data information systems" and the methodological documents of the FSTEC, the following structural and functional characteristics of the ISPD "Accounting and Personnel" are defined:

  • type of information system by PD category: the ISPD processes other categories of personal data (not special, not biometric, not publicly available);
  • type of information system by category of subjects: the ISPD processes the personal data of the operator's employees;
  • volume of personal data processed simultaneously (number of PD subjects): the data of fewer than 100,000 PD subjects are processed simultaneously;
  • structure of the information system: the ISPD is a local information system consisting of complexes of automated workstations joined into a single information system by communication means, without the use of remote access technology;
  • connections to public communication networks and (or) international information exchange networks: the ISPD has such connections;
  • PD processing mode: the ISPD is multi-user;
  • differentiation of user access: the ISPD is a system with differentiated access rights;
  • location: all technical means of the ISPD are located within the Russian Federation.

The security level of the information system is determined on the basis of the personal data security threat model, in accordance with the methodological documents of the FSTEC and Decree of the Government of the Russian Federation No. 1119 of 01.11.2012 "On approval of requirements for the protection of personal data during their processing in personal data information systems".

3. Protected resources of the ISPD "Accounting and Personnel" of BU "Yadrinsky KTsSON" of the Ministry of Labor of Chuvashia

The ISPD "Accounting and Personnel" of the institution is a set of information, software and hardware elements.

The main elements of the ISPD "Accounting and Personnel" are:

  • the personal data contained in databases;
  • information technologies, as the set of techniques, methods and ways of using computer technology in the processing of personal data;
  • the technical means of the ISPD "Accounting and Personnel" that process PD (computer equipment (SVT), information and computing systems and networks, means and systems for transmitting, receiving and processing PD);
  • software (operating systems, DBMS, application software);
  • information security tools (SZI);
  • auxiliary technical means and systems (VTSS): technical means and systems and their communications, not intended for processing PD but located in the premises where the technical means of the ISPD "Accounting and Personnel" are located, such as computer equipment, security and fire alarm means and systems, air-conditioning equipment and systems, electronic office equipment, telephones, etc.;
  • the carriers of protected information used in the information system in the course of cryptographic protection of personal data, the carriers of key, password and authentication information of the CIPF, and the procedure for accessing them;
  • the premises housing the resources of the ISPD "Accounting and Personnel" that relate to the cryptographic protection of personal data.

4. The main security threats to the ISPD "Accounting and Personnel"BU "Yadrinsky KTSSON" of the Ministry of Labor of Chuvashia

4.1. Information leakage channels

When processing PD in ISPD, threats to the security of personal data (UBPD) may occur due to the implementation of the following channels of information leakage:

  • threats of leakage of acoustic (speech) information;
  • threats of leakage of specific (visual) information;
  • threats of information leakage through PEMIN channels.

4.1.1. Threats of leakage of acoustic (speech) information

The emergence of threats of leakage of acoustic (speech) information contained directly in the spoken speech of the ISPD user when processing PD in the ISPD is due to the presence of functions voice input PD in ISPD or PD playback functions by acoustic means of ISPD.

4.1.2. Threats of species information leakage

The source of visual (visual) information leakage threats are individuals who do not have authorized access to ISPD information, as well as technical viewing tools embedded in office premises or secretly used by these individuals.

The propagation medium of this informative signal is homogeneous (air).

Threats of leakage of visual (video) information are realized by viewing PD with optical (optoelectronic) means from display screens and other display devices of the computer equipment (SVT) that is part of the ISPD.

A necessary condition for the viewing (registration) of PD is the presence of a direct line of sight between the indicated individuals or means of observation and the technical means of ISPD, on which PD is visually displayed.

Interception of PD in ISPD can be carried out by individuals during their uncontrolled stay in office premises or in close proximity to them using portable wearable equipment (portable photo and video cameras, etc.), portable or stationary equipment, as well as through direct personal observation in office premises or with the help of technical viewing tools, hidden in the office premises.

4.1.3. Threats of information leakage through the channels of spurious electromagnetic radiation and interference (PEMIN)

The source of information leakage threats through PEMIN channels are individuals who do not have authorized access to ISPD information.

The threat of PD leakage through PEMIN channels is possible due to the interception by technical means of secondary (not related to the direct functional meaning of ISPD elements) informative electromagnetic fields and electrical signals that occur during the processing of PD by ISPD technical means.

The generation of PD-bearing information that circulates in the ISPD technical means in the form of electrical informative signals, and the processing and transmission of these signals in the electrical circuits of the ISPD technical means, is accompanied by spurious electromagnetic radiation which, depending on the radiated power and the dimensions of the ISPD equipment, can propagate beyond the controlled zone.

PEMIN is registered, in order to intercept the information circulating in the technical means that process PD, with equipment built around radio receivers designed to recover the information. PEMIN interception is also possible using electronic interception devices connected to communication channels or to the technical means that process personal data (hardware implants, "hardware bookmarks").

4.2. Threats of unauthorized access to ISPD "Accounting and Personnel" BU "Yadrinsky KTSSON" of the Ministry of Labor of Chuvashia

For the ISPD "Accounting and Personnel" the following types of UA threats are considered: threats implemented using software and hardware-software tools when unauthorized (including accidental) access takes place, as a result of which the confidentiality (copying, unauthorized distribution), integrity (destruction, modification) and availability (blocking) of PD are violated. They include:

  • threats of access (penetration) into the operating environment of a computer using standard software (operating system tools or general application programs);
  • threats to create abnormal modes of operation of software (hardware and software) due to deliberate changes in service data, ignoring the restrictions on the composition and characteristics of the processed information provided for in regular conditions, distortion (modification) of the data itself, etc.;
  • threats of malware introduction (software-mathematical impact).

In addition, combined threats are possible, which combine the threats listed above. For example, the introduction of malicious programs can create the conditions for UA into the operating environment of a computer, including by forming non-traditional information access channels.

4.3. Sources of threats of unauthorized access to ISPD "Accounting and Personnel" BU "Yadrinsky KTSSON" of the Ministry of Labor of Chuvashia

Sources of threats to UA in ISPD can be:

  • intruder;
  • malware carrier;
  • hardware implant ("hardware bookmark").

4.3.1. Source of UA threats: the intruder

According to their right of permanent or one-time access to the controlled zone (KZ), ISPD violators are divided into two types:

External violators: violators who do not have access to the ISPD and realize threats from outside the controlled zone;

Internal violators: violators who have access to the ISPD within the controlled zone, including ISPD users.

The capabilities of external and internal violators depend significantly on the regime and on the organizational and technical protection measures in force within the controlled zone, including the admission of individuals to personal data and control over the work procedure.

An external intruder (hereinafter I0 for convenience) has no direct access to the ISPD systems and resources located within the controlled zone. Intruders of this type include individuals (external entities, former employees) or organizations that carry out attacks in order to obtain PD, impose false information, disrupt the performance of the ISPD or violate the integrity of PD.

Internal violators are persons who have access to the controlled zone and to the ISPD, including ISPD users who implement threats directly in the ISPD.

Internal potential infringers in ISPD according to the classification of the FSTEC of Russia are divided into eight categories depending on the method of access and the authority to access PD.

The first category (hereinafter I1) includes persons who have authorized access to ISPD, but do not have access to PD. This type of offenders includes officials who ensure the normal functioning of the ISPD - service personnel who work in the premises where the ISPD technical means are located, employees who have access to the premises where the ISPD technical means are located.

The second category of internal potential violators (hereinafter I2) includes registered ISPD users who have limited access to ISPD resources from the workplace - authorized ISPD users who process PD. This category of violators includes registered users of the ISPD "Accounting and Personnel", employees of the institution. Registered users are trusted persons and are not considered as a violator. Therefore, there are no internal potential violators of the second category in the ISPD "Accounting and Personnel".

The third category of internal potential violators (hereinafter I3) includes registered users of ISPD, who provide remote access to PD via a distributed information system. Since ISPD is a local information system consisting of complexes of automated workstations, combined into a single information system by means of communication without using remote access technology, there are no internal potential violators of the third category in ISPD.

The fourth category of internal potential violators (hereinafter I4) includes registered users of ISPD with the authority of a security administrator for a segment (fragment) of ISPD. Registered users of the ISPD "Accounting and Personnel" with the authority of a security administrator are trusted persons and are not considered violators. Therefore, there are no internal potential violators of the fourth category in the ISPD "Accounting and Personnel".

The fifth category of internal potential violators (hereinafter I5) includes registered users of ISPD with the authority system administrator. Registered users of the ISPD "Accounting and Personnel" with the authority of the ISPD system administrator are trusted persons and are not considered violators. Therefore, there are no internal potential violators of the fifth category in the ISPD "Accounting and Personnel".

The sixth category of internal potential violators (hereinafter I6) includes registered ISPD users with the authority of an ISPD security administrator. Registered users of the ISPD "Accounting and Human Resources" with the authority of the security administrator of the ISPD "Accounting and Human Resources" are authorized persons and are not considered violators. Therefore, there are no internal potential violators of the sixth category in the ISPD "Accounting and Personnel".

The seventh category of internal potential violators (hereinafter I7) includes programmers-developers (suppliers) of application software (APS) and persons providing its support in ISPD. The internal potential violators of the seventh category in the ISPD "Accounting and Personnel" include programmers-developers who are not authorized users of the ISPD "Accounting and Personnel", but who have one-time access to the controlled area.

The eighth category of internal potential violators (hereinafter referred to as I8) includes developers and persons providing the supply, maintenance and repair of technical means in ISPD. The internal potential violators of the eighth category in the ISPD "Accounting and Human Resources" include employees who are not authorized users of the ISPD "Accounting and Human Resources", but who have one-time access to the controlled area, as well as employees of third-party organizations that support the technical means of the ISPD "Accounting and Human Resources".

Based on the foregoing, the following violators should be considered as sources of threats to UA:

  • external intruder I0;
  • internal violator I1, who has authorized access to the ISPD "Accounting and Personnel", but does not have access to PD. This type of violators includes officials who ensure the normal functioning of the ISPD "Accounting and Human Resources" - service personnel who work in the premises that house the technical means of the ISPD "Accounting and Human Resources", employees who have access to the premises that house the technical means of the ISPD "Accounting and Personnel";
  • internal violator I7, who is a programmer-developer (supplier) of software or a person who provides support for software in the ISPD "Accounting and Personnel";
  • internal violator I8, which is the developer or the person providing the supply, maintenance and repair of technical means in the ISPD "Accounting and Personnel".

4.3.2. Source of UA threats: malware carriers

The carrier of a malicious program can be a hardware element of a computer or a software container.

If a malicious program is not associated with any application program, the following are considered as its carrier:

  • alienable (removable) media, that is, a diskette, optical disc (CD-R, CD-RW), flash memory, detachable hard drive, etc.;
  • built-in storage media (hard drives, RAM chips, the processor, system board chips, chips of devices embedded in the system unit such as the video adapter, network board, sound card, modem, input/output devices for magnetic hard and optical disks, power supply, etc., direct memory access chips, data buses, input/output ports);
  • chips of external devices (monitor, keyboard, printer, modem, scanner, etc.).

If a malicious program is associated with any application program, files with certain extensions or other attributes, with messages transmitted over the network, then its carriers are:

  • packets of messages transmitted over a computer network;
  • files (text, graphic, executable, etc.).

5. Model of threats to the security of personal data during their processing in the information system of personal data "Accounting and Personnel" BU "Yadrinsky KTSSON" of the Ministry of Labor of Chuvashia

It follows from the analysis that, in accordance with the requirements of the “Procedure for Classifying Personal Data Information Systems”, the ISPD “Accounting and Human Resources” of an institution is a local ISPD that has connections to public communication networks.

Thus, as a basic model of threats to the security of personal data during their processing in the ISPD "Accounting and Personnel", we can take the "Typical model of threats to the security of personal data processed in local information systems of personal data that have connections to public communication networks and (or) networks of international information exchange".

In accordance with the specified typical model of PD security threats in the ISPD "Accounting and Human Resources", it is possible to implement the following PD security threats:

  • threats of information leakage through technical channels;
  • threats of UA to PD processed at the workstation.

Threats to ISPD for ISPD "Accounting and Personnel" are associated with the actions of violators who have access to ISPD, including ISPD users who implement threats directly in ISPD (internal offender), as well as violators who do not have access to ISPD and implement threats from external communication networks of the general use (external intruder).

Taking into account the composition of the means of protection used, the categories of personal data, the categories of potential violators and the recommendations of the "Basic model of personal data security threats when they are processed in personal data information systems", it is necessary to consider the following security threats for the ISPD "Accounting and Personnel":

  • threat of leakage of acoustic information;
  • threat of leakage of visual information;
  • threat of information leakage through the PEMIN channel;
  • threat implemented during loading of the operating system;
  • threat implemented after the operating system is loaded;
  • threat of malware injection;
  • threat "Analysis of network traffic" with the interception of information transmitted over the network;
  • scanning threats aimed at identifying open ports and services, open connections, etc.;
  • threat of password exposure;
  • threat of obtaining UA by replacing a trusted network object;
  • denial of service threat;
  • threat of remote application launch;
  • threat of introducing malware over the network.

5.1. Determining the level of initial security of ISPD "Accounting and Personnel"

The level of initial security is understood as a generalized indicator Y1, which depends on the technical and operational characteristics of the ISPD.

In accordance with the "Methodology for determining actual threats to the security of personal data during their processing in personal data information systems", to find the level of initial security of the ISPD, i.e. the value of the numerical coefficient Y1, it is necessary to determine the indicators of initial security.

Technical and operational characteristics of the ISPD (security level: high / medium / low)

1. By territorial location: local ISPD deployed within one building.

2. By availability of a connection to public networks: ISPD that has a single point of access to the public network.

3. By built-in (legal) operations with records of personal data bases: recording, deleting, sorting.

4. By delimitation of access to personal data: ISPD to which employees of the organization that owns the ISPD, specified in a list, or a PD subject have access.

From the analysis of the initial security indicators, it follows that more than 70% of the characteristics of the ISPD "Accounting and Personnel" of the institution correspond to a level not lower than "medium".

Therefore, in accordance with the "Methodology for determining actual threats to the security of personal data during their processing in personal data information systems", the ISPD "Accounting and Personnel" has a medium level of initial security and a numerical coefficient Y1 = 5.

5.2. Determining the likelihood of threats in the ISPD "Accounting and Personnel" BU "Yadrinsky KTSSON" of the Ministry of Labor of Chuvashia

The probability of a threat being realized is understood as an expert-determined indicator that characterizes how likely it is to realize a specific threat to the security of PD for a given ISPD in the prevailing conditions of the situation.

The numerical coefficient (Y2) for assessing the likelihood of a threat is determined by four verbal gradations of this indicator:

  • unlikely - there are no objective prerequisites for the implementation of the threat (Y2 = 0);
  • low probability - there are objective prerequisites for the realization of the threat, but the measures taken significantly complicate its implementation (Y2 = 2);
  • medium probability - objective prerequisites for the implementation of the threat exist, but the measures taken to ensure the security of personal data are insufficient (Y2 = 5);
  • high probability - objective prerequisites for the implementation of the threat exist and measures to ensure the security of personal data have not been taken (Y2 = 10).

Type of PD security threat | Probability of realization of the threat Y2 by threat source (violators of categories I0, I1, I7, I8) | Total Y2 = MAX(I0, I1, I7, I8)

1.2. Threats of visual information leakage

2.1.1. PC theft

2.2.3. Installation of non-work related software

2.3.6. Disaster

2.5.1.1. Interception outside the controlled zone

2.5.4. Threats of imposing a false network route

5.3. Determining the possibility of implementing threats in the ISPD "Accounting and Personnel" BU "Yadrinsky KTSSON" of the Ministry of Labor of Chuvashia

Based on the results of assessing the level of initial security (Y1) and the probability of the threat (Y2), the threat feasibility coefficient (Y) is calculated and the possibility of the threat being realized is determined.

The threat feasibility ratio is calculated by the formula:

Y = (Y1 + Y2) / 20.

According to the value of the threat realizability coefficient Y, a verbal interpretation of the threat realizability is formulated as follows:

  • if 0 ≤ Y ≤ 0.3, the possibility of realizing the threat is considered low;
  • if 0.3 < Y ≤ 0.6, the possibility of realizing the threat is recognized as medium;
  • if 0.6 < Y ≤ 0.8, the possibility of realizing the threat is recognized as high;
  • if Y > 0.8, the possibility of realizing the threat is recognized as very high.

Type of PD security threat | Threat realization probability Y2 | Threat feasibility coefficient Y

1. Threats from leakage through technical channels

1.1. Threats of leakage of acoustic information

1.2. Threats of species information leakage

1.3. Threats of information leakage through PEMIN channels

2. Threats of unauthorized access to information

2.1. Threats of destruction, theft of ISPD hardware of information carriers by means of physical access to ISPD elements

2.1.1. PC theft

2.1.2. Media theft

2.1.3. Theft of keys and access attributes

2.1.4. Theft, modification, destruction of information

2.1.5. Disablement of PC nodes, communication channels

2.1.6. Unauthorized access to information during maintenance (repair, destruction) of PC nodes

2.1.7. Unauthorized disabling of protections

2.2. Threats of theft, unauthorized modification or blocking of information due to unauthorized access (UA) using software and hardware-software tools (including software and mathematical influences)

2.2.1. Actions of malware (viruses)

2.3. Threats of unintentional actions of users and violations of the security of the functioning of the ISPD and the SZPDn in its composition due to software failures, as well as non-anthropogenic threats (hardware failures due to unreliable elements, power failures) and natural threats (lightning strikes, fires, floods, etc.)

2.3.1. Loss of keys and access attributes

2.3.2. Unintentional modification (destruction) of information by employees

2.3.3. Inadvertent disabling of protections

2.3.4. Failure of hardware and software

2.3.5. Power failure

2.3.6. Disaster

2.4. Threats of deliberate actions by insiders

2.4.1. Access to information, modification, destruction of persons not allowed to process it

2.4.2. Disclosure of information, modification, destruction by employees admitted to its processing

2.5. Threats of unauthorized access via communication channels

2.5.1. Threat "Analysis of network traffic" with the interception of information transmitted from ISPD and received from external networks:

2.5.1.1. Interception outside the controlled zone

2.5.1.2. Interception within the controlled zone by external intruders

2.5.1.3. Interception within the controlled zone by insiders.

2.5.2. Scanning threats aimed at identifying the type or types of operating systems used, network addresses of ISPD workstations, network topology, open ports and services, open connections, etc.

2.5.3 Threats of revealing passwords over the network

2.5.5 Threats of spoofing a trusted object in the network

2.5.6 Threats of introducing a false object both in ISPD and in external networks

2.5.7 Denial of Service Threats

2.5.8 Threats of remote application launch

2.5.9. Threats of introducing malware over the network

5.4. Risk assessment of threats in ISPD "Accounting and Personnel" BU "Yadrinsky KTSSON" of the Ministry of Labor of Chuvashia

The danger assessment of threats in the ISPD is based on a survey of information security specialists and is expressed by a verbal danger indicator, which takes three values:

  • low danger - if the implementation of the threat can lead to minor negative consequences for the subjects of personal data;
  • medium danger - if the implementation of the threat can lead to negative consequences for the subjects of personal data;
  • high danger - if the implementation of the threat can lead to significant negative consequences for the subjects of personal data.

Type of PD security threat | Danger of the threat

1. Threats from leakage through technical channels

1.1. Threats of leakage of acoustic information

1.2. Threats of species information leakage

1.3. Threats of information leakage through PEMIN channels

2. Threats of unauthorized access to information

2.1. Threats of destruction, theft of ISPD hardware of information carriers by means of physical access to ISPD elements

2.1.1. PC theft

2.1.2. Media theft

2.1.3. Theft of keys and access attributes

2.1.4. Theft, modification, destruction of information

2.1.5. Disablement of PC nodes, communication channels

2.1.6. Unauthorized access to information during maintenance (repair, destruction) of PC nodes

2.1.7. Unauthorized disabling of protections

2.2. Threats of theft, unauthorized modification or blocking of information due to unauthorized access (UA) using software and hardware-software tools (including software and mathematical influences)

2.2.1. Actions of malware (viruses)

2.2.3. Installation of non-work related software

2.3. Threats of unintentional actions of users and violations of the security of the functioning of the ISPD and the SZPDn in its composition due to software failures, as well as non-anthropogenic threats (hardware failures due to unreliable elements, power failures) and natural threats (lightning strikes, fires, floods, etc.)

2.3.1. Loss of keys and access attributes

2.3.2. Unintentional modification (destruction) of information by employees

2.3.3. Inadvertent disabling of protections

2.3.4. Failure of hardware and software

2.3.5. Power failure

2.3.6. Disaster

2.4. Threats of deliberate actions by insiders

2.5. Threats of unauthorized access via communication channels

2.5.1. Threat "Analysis of network traffic" with the interception of information transmitted from ISPD and received from external networks:

2.5.1.1. Interception outside the controlled zone

2.5.1.2. Interception within the controlled zone by external intruders

2.5.1.3. Interception within the controlled zone by insiders.

2.5.2. Scanning threats aimed at identifying the type or types of operating systems used, network addresses of ISPD workstations, network topology, open ports and services, open connections, etc.

2.5.3 Threats of revealing passwords over the network

2.5.4 Threats imposing a false network route

2.5.5 Threats of spoofing a trusted object in the network

2.5.6 Threats of introducing a false object both in ISPD and in external networks

2.5.7 Denial of Service Threats

2.5.8 Threats of remote application launch

2.5.9. Threats of introducing malware over the network

5.5. Determining the relevance of threats in ISPD

In accordance with the rules for classifying a security threat as an actual one, the relevant (actual) and irrelevant threats for the ISPD "Accounting and Human Resources" of the institution are determined from the possibility of realizing the threat and its danger:

Possibility of realization of the threat | Threat danger: low | Threat danger: medium | Threat danger: high

Low | irrelevant | irrelevant | relevant

Medium | irrelevant | relevant | relevant

High | relevant | relevant | relevant

Very high | relevant | relevant | relevant
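The following is an added worked example, not part of the institution's threat model or of the FSTEC methodology documents; it carries the arithmetic of sections 5.1 to 5.5 through in code. Y1 = 5 (medium initial security) is the page's value; the relevance matrix is the one above; the threat list, danger ratings and per-source probability scores are constructed sample inputs, and the names `Threat`, `assess` and `relevant_threats` are this example's own.

```python
"""Added example (not from the original document): FSTEC-style threat relevance
arithmetic from sections 5.1-5.5 of the threat model above.

Y1   - initial security coefficient (section 5.1; medium level -> 5)
Y2   - expert probability of realization, taken as MAX over the intruder
       categories considered (section 5.2: I0, I1, I7, I8)
Y    - feasibility coefficient (Y1 + Y2) / 20 with verbal interpretation
       (section 5.3)
relevance - decided from the (possibility, danger) matrix (section 5.5)
"""
from dataclasses import dataclass

Y1_MEDIUM = 5  # section 5.1: medium level of initial security

# Section 5.2: verbal gradations of threat probability and their coefficients.
PROBABILITY = {"unlikely": 0, "low": 2, "medium": 5, "high": 10}

# Section 5.5: (possibility of realization, danger) -> is the threat relevant?
RELEVANCE = {
    ("low", "low"): False,      ("low", "medium"): False,      ("low", "high"): True,
    ("medium", "low"): False,   ("medium", "medium"): True,    ("medium", "high"): True,
    ("high", "low"): True,      ("high", "medium"): True,      ("high", "high"): True,
    ("very high", "low"): True, ("very high", "medium"): True, ("very high", "high"): True,
}


def feasibility(y1: int, y2: int) -> float:
    """Section 5.3: threat feasibility coefficient Y = (Y1 + Y2) / 20."""
    return (y1 + y2) / 20


def possibility(y: float) -> str:
    """Section 5.3: verbal interpretation of the coefficient Y."""
    if y <= 0.3:
        return "low"
    if y <= 0.6:
        return "medium"
    if y <= 0.8:
        return "high"
    return "very high"


@dataclass
class Threat:
    """One row of the threat table (hypothetical structure for this example)."""
    name: str
    danger: str                # "low", "medium" or "high" (section 5.4)
    source_probability: dict   # intruder category -> verbal probability


@dataclass
class Assessment:
    name: str
    y2: int
    y: float
    possibility: str
    relevant: bool


def assess(threat: Threat, y1: int = Y1_MEDIUM) -> Assessment:
    """Apply sections 5.2-5.5 to one threat; Y2 is the MAX over the sources."""
    y2 = max(PROBABILITY[p] for p in threat.source_probability.values())
    y = feasibility(y1, y2)
    poss = possibility(y)
    return Assessment(threat.name, y2, y, poss, RELEVANCE[(poss, threat.danger)])


def relevant_threats(threats, y1: int = Y1_MEDIUM) -> list:
    """Names of the threats the methodology classifies as relevant (actual)."""
    return [a.name for a in (assess(t, y1) for t in threats) if a.relevant]


# Constructed sample input: three threats from the page's taxonomy with made-up
# expert scores for the four intruder categories the document considers.
SAMPLE_THREATS = [
    Threat("1.1. Leakage of acoustic information", "low",
           {"I0": "unlikely", "I1": "unlikely", "I7": "unlikely", "I8": "unlikely"}),
    Threat("2.1.1. PC theft", "high",
           {"I0": "low", "I1": "medium", "I7": "low", "I8": "low"}),
    Threat("2.5.7. Denial of service", "medium",
           {"I0": "high", "I1": "unlikely", "I7": "unlikely", "I8": "unlikely"}),
]

if __name__ == "__main__":
    for t in SAMPLE_THREATS:
        a = assess(t)
        verdict = "relevant" if a.relevant else "irrelevant"
        print(f"{a.name}: Y2={a.y2} Y={a.y:.2f} possibility={a.possibility} "
              f"danger={t.danger} -> {verdict}")
```

With Y1 fixed at 5, a threat whose best-placed source is rated "unlikely" lands at Y = 0.25 (low possibility) and is relevant only if its danger is high; a "medium" source rating gives Y = 0.5 (medium possibility), so the danger rating decides; a "high" source rating gives Y = 0.75 (high possibility) and the threat is relevant at any danger level. That is why, in the page's own table, the network threats with an external source are relevant while the leakage channels are not.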

Type of PD security threat | Danger of the threat | Possibility of realization of the threat | Relevance of the threat

1. Threats from leakage through technical channels

1.1. Threats of leakage of acoustic information | | | irrelevant

1.2. Threats of visual information leakage | | | irrelevant

1.3. Threats of information leakage through PEMIN channels | | | irrelevant

2. Threats of unauthorized access to information

2.1. Threats of destruction, theft of ISPD hardware, information carriers through physical access to ISPD elements

2.1.1. PC theft | | | relevant

2.1.2. Media theft | | | relevant

2.1.3. Theft of keys and access attributes | | | relevant

2.1.4. Theft, modification, destruction of information | | | relevant

2.1.5. Disablement of PC nodes, communication channels | | | irrelevant

2.1.6. Unauthorized access to information during maintenance (repair, destruction) of PC nodes | | | relevant

2.1.7. Unauthorized disabling of protections | | | relevant

2.2. Threats of theft, unauthorized modification or blocking of information due to unauthorized access (UA) using software and hardware-software tools (including software and mathematical influences)

2.2.1. Actions of malware (viruses) | | | relevant

 | | | irrelevant

2.2.3. Installation of non-work related software | | | irrelevant

2.3. Threats of unintentional actions of users and violations of the security of the functioning of the ISPD and the SZPDn in its composition due to software failures, as well as non-anthropogenic threats (hardware failures due to unreliable elements, power failures) and natural threats (lightning strikes, fires, floods, etc.)

2.3.1. Loss of keys and access attributes | | | irrelevant

2.3.2. Unintentional modification (destruction) of information by employees | | | relevant

2.3.3. Inadvertent disabling of protections | | | irrelevant

2.3.4. Failure of hardware and software | | | relevant

2.3.5. Power failure | | | irrelevant

2.3.6. Disaster | | | relevant

2.4. Threats of deliberate actions by insiders

2.4.1. Access to information, modification, destruction by persons not allowed to process it | | | relevant

2.4.2. Disclosure of information, modification, destruction by employees admitted to its processing | | | relevant

2.5. Threats of unauthorized access via communication channels

2.5.1. Threat "Analysis of network traffic" with the interception of information transmitted from the ISPD and received from external networks | | | relevant

2.5.1.1. Interception outside the controlled zone | | | relevant

2.5.1.2. Interception within the controlled zone by external intruders | | | relevant

2.5.1.3. Interception within the controlled zone by insiders | | | relevant

2.5.2. Scanning threats aimed at identifying the type or types of operating systems used, network addresses of ISPD workstations, network topology, open ports and services, open connections, etc. | | | relevant

2.5.3. Threats of revealing passwords over the network | | | relevant

2.5.4. Threats of imposing a false network route | | | irrelevant

2.5.5. Threats of spoofing a trusted object in the network | | | irrelevant

2.5.6. Threats of introducing a false object both in the ISPD and in external networks | | | irrelevant

2.5.7. Denial of service threats | | | relevant

2.5.8. Threats of remote application launch | | | relevant

2.5.9. Threats of introducing malware over the network | | | relevant

Thus, the actual (relevant) threats to the security of PD in the ISPD "Accounting and Human Resources" of the institution are the threats of unauthorized access to information:

  • threats of destruction, theft of ISPD hardware, information carriers through physical access to ISPD elements;
  • threats of unintentional actions of users and violations of the security of the functioning of the ISPD and the SZPDn in its composition due to software failures, as well as non-anthropogenic threats (hardware failures due to unreliable elements, power failures) and natural threats (lightning strikes, fires, floods, etc.);
  • threats of deliberate actions of insiders;
  • threats of unauthorized access through communication channels.

6. Model of the violator of the ISPD "Accounting and Personnel" BU "Yadrinsky KTSSON" of the Ministry of Labor of Chuvashia

In accordance with Decree of the Government of the Russian Federation of 01.11.2012 No. 1119 “On approval of requirements for the protection of personal data when they are processed in personal data information systems”, the security of personal data when processed in an information system is ensured using a personal data protection system that neutralizes current threats, determined in accordance with Part 5 of Article 19 of the Federal Law "On Personal Data".

The personal data protection system includes organizational and (or) technical measures determined taking into account current threats to the security of personal data and information technologies used in information systems.

Hardware and software must meet the requirements established in accordance with the legislation of the Russian Federation, ensuring the protection of information.

Characteristics of the ISPD "Accounting and Human Resources" of the institution, protected resources of the ISPD "Accounting and Human Resources" of the institution, threats of leakage of PD through technical channels, threats of NSD to information of the ISPD "Accounting and Human Resources" of the institution and the Model of PD security threats are considered in the previous sections of this document.

Based on the data obtained in the indicated sections, taking into account the "Methodological recommendations for the development of regulatory legal acts that define threats to the security of personal data that are relevant when processing personal data in personal data information systems operated in the course of the relevant activities" approved by the leadership of the 8th Center of the FSB of Russia on 31.03.2015, No. 149/7/2/6-432, it is possible to clarify the capabilities of violators (sources of attacks) when cryptographic means are used to secure PD processed in the ISPD "Accounting and Personnel" of the institution.

Generalized capabilities of attack sources:

  • the ability to independently create attack methods, and to prepare and conduct attacks, only outside the controlled zone;
  • the ability to independently create attack methods, and to prepare and conduct attacks, within the controlled zone, but without physical access to the hardware (hereinafter AS) on which the cryptographic information protection tools (CIPF) and their operating environment are implemented;
  • the ability to independently create attack methods, and to prepare and conduct attacks, within the controlled zone with physical access to the AS on which the CIPF and their operating environment are implemented;
  • the ability to involve specialists with experience in the development and analysis of CIPF (including specialists in the analysis of line transmission signals and of the spurious electromagnetic radiation and interference signals of the CIPF);
  • the ability to involve specialists with experience in the development and analysis of CIPF (including specialists in using undocumented features of application software to implement attacks);
  • the ability to involve specialists with experience in the development and analysis of CIPF (including specialists in using undocumented capabilities of the hardware and software components of the CIPF operating environment to implement attacks).

The implementation of threats to the security of personal data processed in personal data information systems is determined by the capabilities of attack sources. Thus, the relevance of using the capabilities of attack sources determines the presence of relevant actual threats.

Refined adversary capabilities and attack vectors (relevant current threats), the relevance of their use (application) for the construction and implementation of attacks, and the justification for absence:

  • 1) Carrying out an attack while within the controlled zone. Relevance: not relevant. Justification:
    • - representatives of technical, maintenance and other support services, when working in the premises where the CIPF is located, and employees who are not users of the CIPF are in these premises only in the presence of operating employees;
    • - employees who are users of the ISPD but not users of the CIPF are informed about the rules of work in the ISPD and the responsibility for non-compliance with the rules for ensuring information security;
    • - CIPF users are informed about the rules of work in the ISPD, the rules of work with the CIPF and the responsibility for non-compliance with the rules for ensuring information security;
    • - the premises in which the CIPF is located are equipped with entrance doors with locks; the doors are kept locked and opened only for authorized passage;
    • - the rules for access to the premises where the CIPF is located during working and non-working hours, as well as in emergency situations, have been approved;
    • - a list of persons entitled to access the premises where the CIPF is located has been approved;
    • - user actions with PD are registered and accounted for;
    • - the integrity of the means of protection is monitored.
  • 2) Carrying out attacks at the stage of CIPF operation on the following objects: documentation for the CIPF and SF components; premises containing a set of software and technical elements of data processing systems capable of functioning independently or as part of other systems (hereinafter referred to as SVT) on which the CIPF and SF are implemented. Relevance: not relevant. Justification:
    • - work on the selection of personnel is carried out;
    • - documentation for the CIPF is kept by the person responsible for the CIPF in a metal safe;
    • - the premises in which the documentation for the CIPF, the CIPF and the SF components are located are equipped with entrance doors with locks; the doors are kept locked and opened only for authorized passage;
    • - the list of persons entitled to access the premises has been approved.
  • 3) Obtaining, within the framework of the granted authority and as a result of observation, the following information: information about the physical protection measures of the facilities in which the information system resources are located; information on the measures ensuring the controlled zone of the facilities in which the information system resources are located; information on the measures restricting access to the premises in which the SVT on which the CIPF and SF are implemented is located. Relevance: not relevant. Justification:
    • - work on the selection of personnel is carried out;
    • - information about the physical protection measures of the facilities in which the ISPDs are located is available to a limited circle of employees;
    • - employees are informed about the responsibility for non-compliance with the rules for ensuring information security.
  • 4) Use of standard ISPD tools, limited by the measures implemented in the information system in which the CIPF is used and aimed at preventing and suppressing unauthorized actions. Relevance: not relevant. Justification:
    • - work on the selection of personnel is carried out;
    • - the premises in which the SVT on which the CIPF and SF are implemented is located are equipped with entrance doors with locks; the doors are kept locked and opened only for authorized passage;
    • - employees are informed about the responsibility for non-compliance with the rules for ensuring information security;
    • - user access to protected resources is differentiated and controlled;
    • - the ISPD uses certified means of protecting information from unauthorized access and certified anti-virus protection.
  • 5) Physical access to the SVT on which the CIPF and SF are implemented. Relevance: not relevant. Justification:
    • - work on the selection of personnel is carried out;
    • - the premises in which the SVT on which the CIPF and SF are implemented is located are equipped with entrance doors with locks; the doors are kept locked and opened only for authorized passage.
  • 6) The ability to influence the hardware components of the CIPF and SF, limited by the measures implemented in the information system in which the CIPF is used and aimed at preventing and suppressing unauthorized actions. Relevance: not relevant. Justification:
    • - work on the selection of personnel is carried out;
    • - representatives of technical, maintenance and other support services, when working in the premises where the CIPF and SF components are located, and employees who are not users of the CIPF are in these premises only in the presence of operating employees.
  • 7) Creating methods, preparing and carrying out attacks with the involvement of specialists in the analysis of signals accompanying the operation of the CIPF and SF and in the use of undocumented (undeclared) capabilities of application software to implement attacks. Relevance: not relevant. Justification:
    • - work on the selection of personnel is carried out;
    • - the premises in which the CIPF and SF are located are equipped with entrance doors with locks; the doors are kept locked and opened only for authorized passage;
    • - user access to protected resources is differentiated and controlled;
    • - user actions are registered and accounted for;
    • - on the workstations and servers on which the CIPF is installed, certified means of protecting information from unauthorized access and certified anti-virus protection tools are used.
  • 8) Conducting laboratory studies of the CIPF used outside the controlled zone, limited by the measures implemented in the information system in which the CIPF is used and aimed at preventing and suppressing unauthorized actions. Relevance: not relevant. Justification:
    • - information constituting a state secret, as well as other information that may be of interest for realizing this capability, is not processed.
  • 9) Carrying out work on the creation of attack methods and means in research centres specializing in the development and analysis of CIPF and SF, including using the source code of the application software included in the SF that directly calls CIPF software functions. Relevance: not relevant. Justification:
    • - information constituting a state secret, as well as other information that may be of interest for realizing this capability, is not processed;
    • - high cost and complexity of preparing to realize this capability.
  • 10) Creating methods, preparing and carrying out attacks with the involvement of specialists in the use of undocumented (undeclared) capabilities of system software to implement attacks. Relevance: not relevant. Justification:
    • - information constituting a state secret, as well as other information that may be of interest for realizing this capability, is not processed;
    • - high cost and complexity of preparing to realize this capability;
    • - work on the selection of personnel is carried out;
    • - the premises in which the CIPF and SF are located are equipped with entrance doors with locks; the doors are kept locked and opened only for authorized passage;
    • - representatives of technical, maintenance and other support services, when working in the premises where the CIPF and SF components are located, and employees who are not users of the CIPF are in these premises only in the presence of operating employees;
    • - user access to protected resources is differentiated and controlled;
    • - user actions are registered and accounted for;
    • - on the workstations and servers on which the CIPF is installed, certified means of protecting information from unauthorized access and certified anti-virus protection tools are used.
  • 11) The ability to possess the information contained in the design documentation for the hardware and software components of the SF. Relevance: not relevant.
  • 12) The ability to influence any components of the CIPF and SF. Relevance: not relevant. Justification:
    • - information constituting a state secret, as well as other information that may be of interest for realizing this capability, is not processed.

6.1. Description of offenders (sources of attacks)

An offender (source of attacks) of the ISPD is understood as a person (or a process initiated by that person) who conducts an attack.

Where data is exchanged with third-party organizations only on paper media, the employees of such organizations cannot influence the hardware and software of the ISPD "Accounting and Human Resources" of the institution and therefore are not considered potential violators in this document.

All other individuals who have access to the technical and software tools of the ISPD "Accounting and Human Resources" of the institution can be classified into the following categories:

All potential violators are divided into two types:

External violators - violators carrying out attacks from outside the controlled zone of the ISPD;

Internal violators - violators who carry out attacks while being within the controlled zone of the ISPD.

It is assumed that:

External intruders can be both Category I and Category II persons;

Only category II persons can be insiders.

The capabilities of potential violators of the ISPD "Accounting and Personnel" of the institution depend significantly on the security policy implemented in it and on the adopted regime, organizational and technical measures to ensure security.

In accordance with the "Basic model of threats to the security of personal data when they are processed in personal data information systems" (extract; approved by the FSTEC of Russia on February 15, 2008), all individuals who have access to the hardware and software of the ISPD "Accounting and Personnel" of the institution are sources of threats and can be considered potential violators. According to the analysis carried out, the potential violators of this ISPD "Accounting and Human Resources" fall into four of the nine possible categories:

Violators of category I0 (external violators): persons who do not have direct access to the hardware and software of the ISPD "Accounting and Personnel" of the institution located within the controlled zone (KZ);

Violators of category I1 (internal violators): persons who have authorized access to the ISPD "Accounting and Personnel" of the institution but do not have access to PD (service personnel who work in the premises where the technical means of this ISPD are located, and employees who have access to the premises in which the technical means of the ISPD "Accounting and Personnel" of the institution are located);

Violators of category I7 (internal or external violators): programmer-developers (suppliers) of software and persons who support it in the ISPD "Accounting and Personnel" of the institution, with or without one-time access to the KZ;

Violators of category I8 (internal or external violators of category 8): developers and persons providing the supply, maintenance and repair of technical means in the ISPD "Accounting and Personnel" of the institution, with or without one-time access to the KZ.

Taking into account the specifics of the functioning of the ISPD "Accounting and Personnel" of the institution and the nature of the PD processed in it, it is assumed that the privileged users of this ISPD (administrators), who carry out technical management and maintenance of the ISPD hardware and software, including the security tools, their configuration, and the distribution of key and password documentation, as well as a limited circle of registered users, are especially trusted persons and are excluded from the potential violators.

6.2. Determining the type of ISPD violator, BU "Yadrinsky KTSSON" of the Ministry of Labor of Chuvashia

Taking the foregoing into account, the potential violators in the ISPD "Accounting and Personnel" of the institution may be:

an external intruder who does not have access to the ISPD hardware and software located in the KZ, who independently creates methods and means for implementing attacks and independently performs these attacks;

an internal violator who is not a user of the ISPD but has the right to permanent or one-time access to the computer equipment on which the cryptographic tools and SF are implemented, and who independently creates attack methods, prepares and conducts them.

Because the capabilities of an intruder in the ISPD are determined hierarchically, the internal intruder named above has the greatest capabilities.

6.3. The level of cryptographic protection of PD in ISPD

Since the greatest capabilities in the ISPD "Accounting and Personnel" of the institution are held by an internal violator who is not a user of the ISPD but has the right to permanent or one-time access to the computer equipment on which the cryptographic tools and SF are implemented, and who independently creates attack methods, prepares and conducts attacks, the cryptographic tool used in the ISPD "Accounting and Personnel" of the institution must provide cryptographic protection at level KS2. This level of cryptographic protection can be provided by the CIPF "ViPNet Client KS2", certified by the Federal Security Service of Russia and installed in the ISPD "Accounting and Personnel" of the institution.
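The hierarchical procedure used in the refined capability table and in sections 6.2 and 6.3 (a capability is "not relevant" only when its justifying measures are implemented; the strongest capability that remains relevant fixes the CIPF class) is shown below as an added Python example that is not part of the original threat model or of any regulator or vendor tool. The mapping of the six generalized capabilities to KS1/KS2/KS3/KB/KA is assumed from the FSB methodological recommendations of 31.03.2015 (the document itself states only the KS2 result), and the measure labels and the institution's measure set are constructed for the example.

```python
"""Hierarchical determination of the required CIPF protection class.

Added example (not the document's own code). A refined capability is judged
"not relevant" only when every measure listed as its justification for absence
is actually implemented; the hierarchy is cumulative, so the strongest relevant
capability determines the class. The class mapping is an assumption taken from
the FSB recommendations; measure labels are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Capability:
    order: int                 # position in the hierarchy, 1 = weakest
    description: str
    cipf_class: str            # class required if this capability is relevant
    # Measures whose joint presence justifies marking the capability
    # "not relevant"; an empty set means it is relevant unconditionally.
    neutralized_by: frozenset = frozenset()


# Six generalized capabilities in hierarchical order (assumed class mapping).
CAPABILITIES = (
    Capability(1, "attacks created and conducted only outside the controlled zone", "KS1"),
    Capability(2, "attacks inside the controlled zone without physical access to SVT", "KS2"),
    Capability(3, "physical access to SVT on which CIPF and SF are implemented", "KS3",
               frozenset({"personnel_vetting", "locked_premises", "access_list"})),
    Capability(4, "specialists in signal / spurious-emission analysis", "KB",
               frozenset({"personnel_vetting", "locked_premises", "access_control",
                          "action_logging", "certified_nsd_protection",
                          "certified_antivirus"})),
    Capability(5, "specialists in undocumented features of application software", "KB",
               frozenset({"no_state_secret", "certified_nsd_protection",
                          "certified_antivirus"})),
    Capability(6, "specialists in undocumented features of the operating environment", "KA",
               frozenset({"no_state_secret"})),
)

# Constructed sample: the measures the "Accounting and Personnel" model lists
# as implemented (vetting, locked premises, access lists and control, logging,
# certified NSD protection and anti-virus, no state-secret processing).
INSTITUTION_MEASURES = frozenset({
    "personnel_vetting", "locked_premises", "access_list", "access_control",
    "action_logging", "certified_nsd_protection", "certified_antivirus",
    "no_state_secret",
})


def assess(implemented: frozenset) -> list:
    """Return [(capability, relevant)] in hierarchical order."""
    result = []
    for cap in CAPABILITIES:
        # A capability with an empty justification set can never be excluded.
        neutralized = bool(cap.neutralized_by) and cap.neutralized_by <= implemented
        result.append((cap, not neutralized))
    return result


def required_class(implemented: frozenset) -> str:
    """Class of the strongest capability still relevant after the measures."""
    relevant = [cap for cap, rel in assess(implemented) if rel]
    return max(relevant, key=lambda c: c.order).cipf_class


def hierarchy_gaps(implemented: frozenset) -> list:
    """Orders of capabilities judged 'not relevant' although a stronger one is
    relevant. The hierarchy is cumulative, so such rows must be re-examined:
    an adversary with the stronger capability also has the weaker one."""
    rows = assess(implemented)
    top = max((cap.order for cap, rel in rows if rel), default=0)
    return [cap.order for cap, rel in rows if not rel and cap.order < top]


def report(implemented: frozenset) -> str:
    """Human-readable relevance table plus the resulting class."""
    lines = [f"{cap.order}. {cap.description}: {'relevant' if rel else 'not relevant'}"
             for cap, rel in assess(implemented)]
    lines.append(f"required CIPF class: {required_class(implemented)}")
    gaps = hierarchy_gaps(implemented)
    if gaps:
        lines.append(f"re-examine rows {gaps}: marked not relevant below a relevant one")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(INSTITUTION_MEASURES))          # ends with: required CIPF class: KS2
    print(report(INSTITUTION_MEASURES - {"certified_antivirus"}))
```

Removing a single measure (for instance certified anti-virus protection) makes capabilities 4 and 5 relevant again while capability 3 stays excluded, which the gap check flags for re-examination.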

Conclusion

Based on the above, the following conclusions can be drawn:

  1. The ISPD "Accounting and Personnel" of the institution is a local, single-user, special-purpose information system with delimitation of user access rights, with connections to public communication networks.
  2. Given the level of initial security of the ISPD "Accounting and Personnel" of the institution, its operating conditions and its technologies for processing and storing information, threats of leakage through technical channels, including leakage of acoustic (speech) information, leakage of visual information and leakage through the PEMIN channel, are not relevant.
  3. Threats associated with:

unauthorized access to information;

unintentional actions of users and violations of the security of the functioning of the ISPD and the SZPDn in its composition due to software failures, as well as threats of non-anthropogenic (hardware failures due to unreliable elements, power failures) and natural (lightning strikes, fires, floods, etc.) character;

deliberate actions of insiders;

unauthorized access through communication channels

are neutralized by the anti-virus protection installed in the ISPD "Accounting and Personnel" of the institution, the means of protection against unauthorized access, including firewalls, the use of cryptographic protection tools, and the organizational measures that ensure the safe functioning of the ISPD "Accounting and Personnel" of the institution in normal mode. Therefore, the above threats are not relevant (provided that these protective measures are installed).

  4. The actual threats to the security of personal data identified in the course of studying the ISPD "Accounting and Human Resources" of the institution are the conditions and factors that create a real danger of unauthorized access to personal data with the aim of violating their confidentiality, integrity and availability. These types of threats can be neutralized by using the Dallas Lock information security system.
  5. The potential violators of the security of personal data in the ISPD "Accounting and Personnel" of the institution belong to the external (I0) and internal categories 1, 7 and 8 (I1, I7, I8) of the FSTEC of Russia classification. In accordance with the constructed intruder model, the greatest capabilities in the ISPD "Accounting and Personnel" of the institution are held by an internal intruder who is not a user of the ISPD but has the right to permanent or one-time access to the computer equipment in the KZ on which the cryptographic tools and SF are implemented, and who independently creates attack methods, prepares and conducts attacks. To ensure cryptographic protection of at least level KS2, it is recommended to use the CIPF "ViPNet Coordinator KS2" and the CIPF "ViPNet Client KS2" in the ISPD of the institution, provided that the Dallas Lock information security system is installed (if it is not already in use).

In accordance with the requirements for this ISPD "Accounting and Personnel", it is recommended that the institution establish security level UZ 3. In accordance with Order No. 21 of the FSTEC of Russia dated February 18, 2013 "On approval of the Composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems", the following measures must be carried out to ensure the security of personal data in the ISPD "Accounting and Personnel" of the institution:

Table (columns: conditional designation of the personal data security measure; required list of measures to ensure the security of personal data for security level UZ 3):

I. Identification and authentication of access subjects and access objects (AAF)

  • Identification and authentication of users who are employees of the operator
  • Identifier management, including the creation, assignment and destruction of identifiers
  • Management of authentication means, including the storage, issuance, initialization and blocking of authentication means and the taking of action in case of loss and (or) compromise of authentication means
  • Protection of feedback when entering authentication information
  • Identification and authentication of users who are not employees of the operator (external users)

II. Access control of access subjects to access objects (UAD)

  • Management (creation, activation, blocking and destruction) of user accounts, including those of external users
  • Implementation of the necessary methods (discretionary, mandatory, role-based or other), types (read, write, execute or other) and rules of access control
  • Management (filtering, routing, connection control, unidirectional transmission and other control methods) of information flows between devices and information system segments, as well as between information systems
  • Separation of the powers (roles) of users, administrators and persons ensuring the functioning of the information system
  • Assignment of the minimum necessary rights and privileges to users, administrators and persons ensuring the functioning of the information system
  • Limiting unsuccessful attempts to log in to the information system (access the information system)
  • Blocking an information system access session after a set idle (inactivity) time of the user or at the user's request
  • Permitting (prohibiting) user actions allowed before identification and authentication
  • Implementation of secure remote access of access subjects to access objects through external information and telecommunication networks
  • Regulation and control of the use of wireless technologies in the information system
  • Regulation and control of the use of mobile technical means in the information system
  • Management of interaction with the information systems of third parties (external information systems)

III. Protection of machine media of personal data (PDR)

  • Destruction (erasure) or depersonalization of personal data on machine media when the media are transferred between users or to third-party organizations for repair or disposal, and control of the destruction (erasure) or depersonalization

IV. Security event logging (SEL)

  • Definition of the security events subject to registration and of their retention periods
  • Determination of the composition and content of the information about security events subject to logging
  • Collection, recording and storage of information about security events for the set retention time
  • Protection of information about security events

V. Anti-virus protection (AVZ)

  • Implementation of anti-virus protection
  • Updating the database of signs of malicious computer programs (viruses)

VI. Control (analysis) of personal data security (ANZ)

  • Identification and analysis of information system vulnerabilities and prompt elimination of newly identified vulnerabilities
  • Control of the installation of software updates, including updates of information protection tools
  • Monitoring of the operability, settings and correct functioning of the software
  • Control of the composition of the hardware, software and information protection tools

VII. Virtualization environment protection (SEP)

  • Identification and authentication of access subjects and access objects in the virtual infrastructure, including administrators of the virtualization management tools
  • Management of the access of access subjects to access objects in the virtual infrastructure, including inside virtual machines
  • Logging of security events in the virtual infrastructure
  • Implementation and management of anti-virus protection in the virtual infrastructure
  • Partitioning of the virtual infrastructure into segments (segmentation of the virtual infrastructure) for the processing of personal data by an individual user and (or) group of users

VIII. Protection of technical means (ZTS)

  • Control and management of physical access to technical means, information protection tools and means ensuring functioning, as well as to the premises and structures in which they are installed, excluding unauthorized physical access to the information processing means, information protection tools and means ensuring the functioning of the information system and to the premises and structures in which they are installed
  • Placement of information output devices (displays) so as to exclude unauthorized viewing

IX. Protection of the information system, its means, communication and data transmission systems (ZIS)

  • Ensuring the protection of personal data from disclosure, modification and imposition (input of false information) during their transmission (preparation for transmission) over communication channels that go beyond the controlled zone, including wireless communication channels
  • Protection of wireless connections used in the information system

X. Configuration management of the information system and the personal data protection system (UKF)

  • Determination of the persons who are allowed to make changes to the configuration of the information system and the personal data protection system
  • Management of changes to the configuration of the information system and the personal data protection system
  • Analysis of the potential impact of planned changes to the configuration of the information system and the personal data protection system on the protection of personal data, and coordination of configuration changes of the information system with the official (employee) responsible for ensuring the security of personal data
  • Documentation of information (data) about changes to the configuration of the information system and the personal data protection system

Classification of unauthorized influences

A threat is understood as a potentially existing possibility of an accidental or deliberate action (or inaction) as a result of which the basic properties of information and of its processing systems, namely availability, integrity and confidentiality, may be violated.

Knowing the range of potential threats to protected information, and being able to assess competently and objectively the likelihood of their implementation and the degree of danger of each, is an important step in the complex process of organizing and ensuring protection. Determining the full set of IS threats is practically impossible, but a relatively complete description of them, in relation to the object under consideration, can be achieved by compiling a detailed threat model.

Remote attacks are classified by the nature and purpose of the impact, by the condition for the start of the impact and the presence of feedback from the attacked object, by the location of the subject of the attack relative to the attacked object, and by the layer of the OSI reference model (EMVOS) at which the impact is carried out.

Classification features of the objects of protection and of security threats to automated systems (AS), and possible methods of unauthorized access (UA) to information in protected AS:

  • 1) by the principle of UA:
    • - physical: implemented by direct or visual contact with the protected object;
    • - logical: overcoming the protection system with the help of software by logical penetration into the structure of the AS;
  • 2) by the path of UA:
    • - using a direct, standard access path: weaknesses in the established security policy and in the network management process are exploited, and the result may be masquerading as an authorized user;
    • - using a hidden, non-standard access path: undocumented features (weaknesses) of the protection system are used (deficiencies in the algorithms and components of the protection system, errors in the implementation of the protection system design);
    • - a special group in terms of the degree of danger is formed by IS threats realized through the actions of an intruder that allow not only an unauthorized impact (NSV) on the system's information resources by means of special software and software-hardware influence, but also UA to information;
  • 3) by the degree of automation:
    • - performed with the constant participation of a person; publicly available (standard) software may be used, and the attack takes the form of a dialogue between the intruder and the protected system;
    • - performed by special programs without the direct participation of a person; special software is used, most often developed using virus technology, and as a rule this method of UA is preferred for implementing an attack;
  • 4) by the nature of the impact of the subject of UA on the object of protection:
    • - passive: has no direct impact on the AS but can violate the confidentiality of information; an example is monitoring of communication channels;
    • - active: any unauthorized impact whose ultimate goal is to make some change in the attacked AS;
  • 5) by the condition for the start of the impact:
    • - attack on request from the attacked object: the subject of the attack is initially conditionally passive and waits for a request of a certain type from the attacked AS, whose weaknesses are used to carry out the attack;
    • - attack on the occurrence of an expected event on the attacked object: the OS of the attacked object is monitored, and the attack starts when the AS is in a vulnerable state;
    • - unconditional attack: the subject of the attack actively influences the object of attack regardless of the latter's state;
  • 6) by the purpose of the impact: security is considered as a combination of confidentiality, integrity, availability of resources and operability (stability) of the AS, the violation of which is reflected in the conflict model;
  • 7) by the presence of feedback from the attacked object:
    • - with feedback: a bidirectional interaction between the subject and the object of the attack in order to obtain from the object data that affect the further course of the UA;
    • - without feedback: a unidirectional attack in which the subject does not need a dialogue with the attacked AS; an example is a directed "storm" of requests, whose goal is to violate the operability (stability) of the AS;
  • 8) by the type of protection weakness used:
    • - shortcomings of the established security policy: the security policy developed for the AS is inadequate to the security criteria, which is used to perform UA;
    • - administrative errors;
    • - undocumented features of the security system, including those related to software: errors, failed OS updates, vulnerable services, unprotected default configurations;
    • - shortcomings of protection algorithms: the security algorithms used by the developer to build the information security system do not reflect the real aspects of information processing and contain conceptual errors;
    • - errors in the implementation of the protection system design: the implementation of the information security system does not comply with the principles laid down by the system developers.

Logical features of protected objects:

  • 1) security policy: a set of documented conceptual decisions aimed at protecting information and resources; it includes goals, requirements for protected information, a set of IS measures and the duties of the persons responsible for IS;
  • 2) the administrative management process: includes managing the configuration and performance of the network, access to network resources, measures to improve network reliability, restoration of the system and data, and monitoring of the norms and correct functioning of protection tools in accordance with the security policy;
  • 3) components of the protection system:
    • - the system of cryptographic protection of information;
    • - key information;
    • - passwords;
    • - information about users (identifiers, privileges, powers);
    • - settings of the protection system;
  • 4) protocols: as a set of functional and operational requirements for network hardware and software components, they must be correct, complete and consistent;
  • 5) functional elements of computer networks: must in general be protected from overloading and from the destruction of "critical" data.

Possible ways and methods of implementing UA (types of attacks):

  • 1) analysis of network traffic, study of the LAN and of the means of protection in order to find their weaknesses, and study of the algorithms by which the AS functions. In systems with a physically dedicated communication channel, messages are transmitted directly between source and receiver, bypassing the rest of the system objects; in such a system, without access to the objects through which the message passes, there is no software capability for network traffic analysis;
  • 2) introduction of unauthorized devices into the network;
  • 3) interception of transmitted data for the purpose of theft, modification or redirection;
  • 4) substitution of a trusted object in the AS;
  • 5) introduction of an unauthorized route (object) into the network by imposing a false route and redirecting the message flow through it;
  • 6) introduction of a false route (object) into the network by using shortcomings of remote search algorithms;
  • 7) use of vulnerabilities in system and application software;
  • 8) cryptanalysis;
  • 9) use of shortcomings in the implementation of cryptographic algorithms and cryptographic programs;
  • 10) interception, selection, substitution and prediction of generated keys and passwords;
  • 11) assignment of additional powers and changing the settings of the protection system;
  • 12) introduction of software implants ("bookmarks");
  • 13) violation of the operability (stability) of the AS by introducing an overload, destroying "critical" data or performing incorrect operations;
  • 14) access to a network computer that receives messages or performs routing functions.

Classification of intruders

The possibilities for implementing harmful influences depend to a large extent on the status of the attacker in relation to the computer system (CS). An attacker can be:

  • 1) a CS developer;
  • 2) an employee from among the service personnel;
  • 3) a user;
  • 4) an outsider.

The developer has the most complete information about the software and hardware of the CS. The user has a general idea of the structure of the CS and of the operation of the information protection mechanisms; he can collect data about the information security system using traditional espionage methods and can attempt unauthorized access to information. An outsider unrelated to the CS is in the least advantageous position compared with the other attackers. Assuming he has no access to the CS facility, he has at his disposal remote methods of traditional espionage and the possibility of sabotage, and can carry out harmful effects using electromagnetic radiation and interference, as well as communication channels if the CS is distributed.

The specialists who service these systems have great opportunities to damage the information of the CS. Moreover, specialists from different departments have different potential for malicious actions: the greatest harm can be done by information security workers, followed by system programmers, application programmers and engineering staff.

In practice, the danger posed by an attacker also depends on his financial and logistical capabilities and on his qualifications.

UDC 004.056

I. V. Bondar

METHODOLOGY FOR BUILDING A MODEL OF INFORMATION SECURITY THREATS FOR AUTOMATED SYSTEMS*

A technique for constructing a model of information security threats is considered. The purpose of modeling is to control the level of information system security by risk analysis methods and to develop an effective information security system that ensures the neutralization of anticipated threats by appropriate protective measures.

Key words: threat model, information system, information security system model.

At present, particular relevance attaches to the development of a methodology that, within a unified approach, solves the problems of designing automated systems in a secure configuration in compliance with the requirements of regulatory and methodological documents, automatically generates a list of protective measures, and searches for the optimal set of information security tools corresponding to that list.

One of the main tasks of ensuring information security is to determine the list of threats and assess the risks of exposure to relevant threats, which makes it possible to justify the rational composition of the information security system. Although problems of this kind are already being solved (see, for example,), including within the framework of a unified methodology, none of them is free of limitations, and all are aimed at creating a threat model suited to one particular problem. Attempts to visualize threat models are especially rare.

This article presents a technique for modeling information security threats to automated systems based on a geometric model. The technique is interesting primarily for its universal treatment of negative impacts, previously encountered only in work where the model was built on the basis of perturbation theory, and for the possibility of visualizing the result. The usual visualization approach, Kohonen maps with their inherent limitations and drawbacks, is not used by the author, which increases the universality of the solution.

Geometric model of the information security system. Let P = {p_1, p_2, ..., p_m} be the set of protection tools and A = {a_1, a_2, ..., a_n} the set of attacks. Attacks that cannot be expressed as combinations of other attacks will be called independent; their set A' ⊂ A is the basis of attacks. To construct the geometric model of the information security system we choose the space R^n, whose dimension coincides with the cardinality of the set A.

Each attack a_i ∈ A is associated with certain protection tools {p'_1, p'_2, ..., p'_k} ⊂ P. Denote this set P_{a_i}.

If a protection tool does not belong to P_{a_i}, then the attack a_i is not dangerous for it.

The coordinate axes of the space R^n represent classes of threats. The unit of measurement on each axis is an independent attack, which is associated with a protection tool. For each attack, the coordinates of the corresponding vector indicate the protection tools that are part of the system under study.

As an example, consider the attack "Unauthorized access to information stored on a workstation by an external intruder" in Cartesian space, where the x axis is threats associated with physical protection, y is threats associated with software and hardware protection, and z is threats associated with organizational and legal protection (Fig. 1). The attack can be implemented if three protection measures are not met: "An outsider in the controlled zone", "Unlocked OS session" and "Security policy violation".

Fig. 1. Model of the attack "Unauthorized access to information stored on the workstation by an external intruder"

The same attack can also be implemented in other ways, such as "Connecting to technical means and systems of the informatization object", "Using bugging devices", "Masquerading as a registered user", "Defects and vulnerabilities in software", "Introducing software implants", "Using viruses and other malicious code", "Theft of a carrier of protected information" and "Disruption of the information processing system" (Fig. 2).

*The work was carried out as part of the Federal Target Program "Research and development in priority areas of development of the scientific and technological complex of Russia for 2007-2013" (state contract No. 07.514.11.4047 of 06.10.2011).

Initially, each vector p_i lies in the first coordinate orthant (octant in the three-dimensional case). Construct the surface of a convex polyhedron S in R^n so that each of its vertices coincides with the end of one of the vectors p_1, p_2, ..., p_m.

Fig. 2. Model of the attack "Unauthorized access to information stored on the workstation by an external intruder"

It is natural to formalize the result of the impact of any attack a_i as the reflection of a vector along the axis corresponding to an unfulfilled protection measure. With this modeling approach, the vectors corresponding to tools for which this attack is not dangerous do not change their position (Fig. 3).

Thus, after the impact of the attack a_i, only the i-th coordinate of the vectors p_1, p_2, ..., p_m included in the geometric model changes; all other coordinates remain unchanged.

From the results of attack modeling one can judge the sensitivity or insensitivity of the information system (IS) to disturbing influences. If all vertices of the polyhedron remain in the first coordinate orthant, the IS is concluded to be insensitive to the disturbing effect; otherwise the protective measures are concluded to be insufficient. The measure of stability reduces to the number of iterations during which the IS remains unperturbed by the effects of combinations of attacks.
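The reflection mechanics described above, as an added Python example (not code from the paper). The attack axes, tool names and which measures are fulfilled are constructed for illustration, and representing "tool associated with attack a_i" as a unit i-th coordinate is this example's reading of the text; the example goes one step beyond the paper by enumerating every combination of basis attacks to obtain the stability measure and by naming the unfulfilled measure behind each breach:

```python
from itertools import combinations

# Basis of independent attacks = coordinate axes of R^n. Constructed for the example.
ATTACKS = ["physical", "software_hardware", "organizational"]

# Protection tools P. For each tool: the attack axes it is associated with
# (tool in P_{a_i}) and whether the corresponding measure is fulfilled.
# The unfulfilled OS session lock is the gap the example is built around.
PROTECTIONS = {
    "perimeter_access_control": {"physical": True},
    "os_session_lock": {"software_hardware": False},   # measure not fulfilled
    "antivirus": {"software_hardware": True},
    "security_policy": {"organizational": True},
}


def build_vectors(attacks, protections):
    """Initial geometric model: every tool vector p lies in the first orthant,
    coordinate i is 1 if p is associated with attack a_i and 0 otherwise."""
    return {
        tool: [1 if axis in assoc else 0 for axis in attacks]
        for tool, assoc in protections.items()
    }


def apply_attack(vectors, attacks, protections, attack):
    """Impact of attack a_i: reflect along axis i each vector in P_{a_i} whose
    measure is not fulfilled. Tools for which a_i is not dangerous (not in
    P_{a_i}) and fulfilled measures keep their position, so only the i-th
    coordinate can ever change."""
    i = attacks.index(attack)
    result = {}
    for tool, coords in vectors.items():
        coords = list(coords)          # do not mutate the caller's model
        assoc = protections[tool]
        if attack in assoc and not assoc[attack]:
            coords[i] = -coords[i]
        result[tool] = coords
    return result


def apply_attacks(vectors, attacks, protections, combo):
    """Apply a combination of attacks one after another."""
    for attack in combo:
        vectors = apply_attack(vectors, attacks, protections, attack)
    return vectors


def in_first_orthant(vectors):
    """All polyhedron vertices in the first orthant => IS insensitive."""
    return all(c >= 0 for coords in vectors.values() for c in coords)


def stability(attacks, protections):
    """Stability measure: how many non-empty attack combinations leave the IS
    unperturbed. Returns (unperturbed, total)."""
    base = build_vectors(attacks, protections)
    total = unperturbed = 0
    for r in range(1, len(attacks) + 1):
        for combo in combinations(attacks, r):
            total += 1
            if in_first_orthant(apply_attacks(base, attacks, protections, combo)):
                unperturbed += 1
    return unperturbed, total


def insufficient_measures(attacks, protections):
    """Per attack, the tools whose vectors leave the first orthant, i.e. the
    unfulfilled measures that make the IS sensitive to that attack."""
    base = build_vectors(attacks, protections)
    gaps = {}
    for attack in attacks:
        after = apply_attack(base, attacks, protections, attack)
        broken = [t for t, c in after.items() if any(x < 0 for x in c)]
        if broken:
            gaps[attack] = broken
    return gaps


if __name__ == "__main__":
    print("stability:", stability(ATTACKS, PROTECTIONS))          # (3, 7)
    print("gaps:", insufficient_measures(ATTACKS, PROTECTIONS))
```

With the constructed data, three of the seven attack combinations (those that do not touch the software/hardware axis) leave every vertex in the first orthant, and the only breach traces back to the unfulfilled session lock; in a real model the axes are the basis of independent attacks and the fulfilled flags come from the implemented-measures inventory.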

Threat model. The primary list of threats is formed by combinations of the various factors affecting the protected information, the categories of protection tools and the levels of influence of intruders (Fig. 4).

Identifying and accounting for the factors that affect or may affect protected information under specific conditions form the basis for planning and implementing effective measures to protect information at the informatization object. Completeness and reliability of the identification are achieved by considering the full set of factors affecting all elements of the informatization object at all stages of information processing. The list of the main subclasses (groups, subgroups, etc.) of factors, according to their classification, is given in section 6 of GOST R 51275-2006 "Information protection. Informatization object. Factors affecting information. General provisions".

Threats of information leakage through technical channels are unambiguously described by the characteristics of the information source, the medium (path) of propagation and the receiver of the informative signal, i.e., they are determined by the characteristics of the technical channel of information leakage.

The secondary list of threats is formed by supplementing the primary list with statistics on incidents that have occurred and with the conditional degree of their destructive impact.

The degree of disturbing influence can be determined by:

  • the likelihood of the threat;
  • the loss from implementation of the threat;
  • the system recovery time.

Fig. 3. Simulation results

Fig. 4. ER-model of the threat model database in Chen's notation

A disturbance can lead to:

  • violation of the confidentiality of information (copying or unauthorized distribution), when the implementation of the threat does not directly affect the content of the information;
  • unauthorized, including accidental, impact on the content of the information, as a result of which the information is modified or destroyed;
  • unauthorized, including accidental, impact on software or hardware elements of the IS, as a result of which the information is blocked;
  • loss of accountability of system users or of entities acting on behalf of a user, which is especially dangerous for distributed systems;
  • loss of data authenticity;
  • loss of system reliability.

The measure of risk, which allows threats to be compared and prioritized, can be determined by the total damage from each type of problem.

The result of the risk assessment for each threat should be one of:

  • integrated use of appropriate information security tools;
  • reasoned and deliberate acceptance of the risk, provided this fully satisfies the organization's policies and its risk acceptance criteria;
  • the maximum possible avoidance of the risk, or transfer of the associated business risks to other parties such as insurers or suppliers.

The considered method of constructing a threat model makes it possible to develop particular models of information security threats for specific systems, taking into account their purpose, operating conditions and features. The purpose of such modeling is to control the level of IS security by risk analysis methods and to develop an effective information protection system that ensures the neutralization of anticipated threats.

In the future, this technique can serve as the basis for developing universal algorithmic and then mathematical security models that effectively combine the requirements of regulatory and methodological documents, the methodology for building threat models, intruder models, etc. The availability of such methodological support will make it possible to move to a qualitatively higher level of design, development and security assessment of information security systems.

1. Kobozeva A. A., Khoroshko V. A. Analysis of information security: monograph. Kyiv: Publishing House of the State University of Information and Communication Technologies, 2009.

2. Vasiliev V. I., Mashkina I. V., Stepanova E. S. Development of a threat model based on the construction of a fuzzy cognitive map for numerical assessment of the risk of information security violations // Izv. South Federal University. Technical Sciences. 2010. Vol. 112, No. 11. Pp. 31-40.

3. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Framework: Techn. Rep. CMU/SEI-99-TR-017 / C. J. Alberts, S. G. Behrens, R. D. Pethia, W. R. Wilson; Carnegie Mellon Univ. Pittsburgh, PA, 2005.

4. Burns S. F. Threat Modeling: a Process to Ensure Application Security // GIAC Security Essentials Certification Practical Assignments. Version 1.4c / SANS Inst. Bethesda, Md, 2005.

5. Popov A. M., Zolotarev V. V., Bondar I. V. Methodology for assessing the security of an information system according to the requirements of information security standards // Informatika i sistemy upravleniya / Pacific State University. Khabarovsk, 2010. No. 4 (26). Pp. 3-12.

6. Analysis of reliability and risk of special systems: monograph / M. N. Zhukova, V. V. Zolotarev, I. A. Panfilov et al.; Siberian State Aerospace University. Krasnoyarsk, 2011.

7. Zhukov V. G., Zhukova M. N., Stefarov A. P. Model of an access violator in an automated system // Programmnye produkty i sistemy / Research Institute Centerprogramsystems. Tver, 2012. Issue 2.

8. Bondar I. V., Zolotarev V. V., Gumennikova A. V., Popov A. M. Decision support system for information security "OASIS" // Programmnye produkty i sistemy / Research Institute Centerprogramsystems. Tver, 2011. Issue 3. Pp. 186-189.

CONSTRUCTION METHOD FOR INFORMATION SECURITY THREAT MODELS

OF AUTOMATED SYSTEMS

The authors consider a technique for constructing threat models. The purpose of modeling is to control the information system security level using risk analysis methods and to develop an effective information security system that ensures the neutralization of the supposed threats with appropriate security measures.

Keywords: threat model, information system, information security system model.

© Bondar I. V., 2012

V. V. Buryachenko

VIDEO STABILIZATION FOR A STATIC SCENE BASED ON A MODIFIED BLOCK MATCHING METHOD

The main approaches to the stabilization of video materials are considered, in particular, finding the global motion of the frame caused by external influences. An algorithm for stabilizing video materials based on a modified block matching method for successive frames is constructed.

Keywords: video stabilization, block matching method, Gaussian distribution.

A digital image stabilization system first estimates the unwanted motion and then corrects the image sequence to compensate for external factors such as camera shake, weather conditions, etc. Motion capture hardware systems are likely to include image stabilization, so this study focuses on modeling and implementing algorithms that can work efficiently on hardware platforms.

There are two main approaches to stabilizing video material: a mechanical approach (optical stabilization) and digital image processing. The mechanical approach is used in optical systems to adjust motion sensors during camera shake and means using a stable camera mount or gyroscopic stabilizers. Although this approach can work well in practice, it is rarely used because of the high cost of stabilizers and the availability of

Greetings, Habrazhitel!
  • to understand the threats and vulnerabilities that have accumulated in the information system, as well as the intruders relevant to it, in order to start the technical design that neutralizes them;
  • for show, so that all the conditions of a given project are formally met, for example in the field of personal data (I am not saying that the threat model in personal data projects is always done for show, but mostly it is).
Management also plays a big role here: depending on what management wants, either protection is competently designed and built (our option), or the organization protects itself from regulators. That topic deserves a separate article of its own.

The threat model and the intruder model are inextricably linked. There has been a lot of controversy over whether to make them separate documents or to combine them in one. In my opinion, for the convenience of building a threat model and an intruder model, it is more correct to keep them in one document. When the threat model is handed over to engineers (if different departments in the company handle threat modeling, intruder modeling and design), they need to see the full picture rather than read two documents and spend time reconciling them. So in this article I describe the threat model and the intruder model (hereinafter simply the threat model) as a single, inseparable document.

Typical problems

In my experience, I have seen a large number of threat models written in so many different ways that it was simply unrealistic to bring them to one template. Their authors had no clear idea of what to write in such a document, whom it is for and what its task is. Many people ask how many pages a threat model should have, what to write in it and how best to do it.

The common mistakes I found when compiling threat models are:

  • a lack of understanding of whom the document is for;
  • a lack of understanding of the document's structure;
  • a lack of understanding of the document's necessary content;
  • a lack of the conclusions needed for design.

Threat Model Plan

Since, after compiling the threat model, we will hand it over to engineers for analysis (not a mandatory condition), the information is grouped for the convenience of both the developer of the threat model and the engineer who will analyze it afterwards.
When compiling a threat model, I follow this plan (subsections not included):
Introduction
1. List of abbreviations
2. List of regulatory documents
3. Description of the IS
4. Security threats
Conclusion
Appendix A
Appendix B
Appendix C
Looking ahead, the threat model is built on the principle "there is no need to read the entire document to understand its meaning and draw the right conclusions". Let's look at each of the points.

Introduction

A typical introduction describing the purpose of this document and what should be determined at the stage of its writing.

1. List of abbreviations

Why is it here, you may ask. Because:
  • the document may be read not only by information security specialists;
  • the document may be read by senior management with some technical background;
  • some terms used in describing the information system may be unknown to specialists or to management.

2. List of regulatory documents

This section is usually needed in projects where some kind of documentation is used, in which certain requirements or recommendations are attributed. For example, when working with personal data, regulatory documents of the FSTEC, FSB, etc. are recorded in this section.

3. Description of the IS

This section is one of the main parts of the threat model. The description of the information system should break it down in as much detail as possible. The data should include:
  • the technical means used and their purpose, as a table with the columns Identifier, Description and Note: the identifier is used for quick reference to the asset from the text of the document, the description explains what kind of technical means it is, and the note clarifies details of the means and its purpose;
  • a detailed description of the technical means. For example: TS is a terminal server. Remote clients connect to it via the RDP protocol to work with the system; connections come from hardware thin clients and from personal computers. The application used to work with the database is installed on the terminal server;
  • a diagram of the connections between the technical means, reflecting the detailed architecture of the information system;
  • the protective measures already implemented. This lets the developer of the threat model take the existing protection tools into account and evaluate their effectiveness, which with some probability reduces the cost of purchasing new protection tools;
  • the list of assets. It is necessary to define the list of assets, their significance for the company and an identifier for quick reference from the document.

Depending on the chosen risk assessment methodology, section 3 of the threat model may contain additional information. For example, when modeling threats to personal data, this section is supplemented with the "indicators of the initial security of the ISPD" and the "main characteristics of the ISPD".

4. Security threats

This section describes the results of threat modeling. The description includes:
  • the relevance of external and internal threats;
  • the list of relevant intruders;
  • the list of relevant information security threats.
The list of relevant threats is conveniently drawn up as a table with three columns: the identifier, the description of the threat, and the assets affected by the threat. That is more than enough information.

Conclusion

The conclusion must describe what measures need to be taken to protect the information system. Example:

1. Protection against unauthorized connection of unregistered technical means:

  • DBMS servers;
  • application servers.
2. Cryptographic protection of the communication channels used to access the information system (building a VPN).

The information in the sections above contains all the data needed to design the security system of the information system. Everything that determines the relevant intruders and calculates the relevant information security threats is placed in the appendices. This lets the reader get all the necessary information from the first pages of the document. From experience, a threat model for a good project and a serious information system runs to 100 pages or more, while the information described above usually takes no more than 30.

Appendix A

In Appendix A I usually describe the intruder model. As a rule, it consists of:
  • a description of the types of intruders and their capabilities (internal, external);
  • a description of the access channels to the IS (physical, public, technical);
  • a description of these types of intruders with reference to the staffing structure of the organization;
  • a description of the capabilities of these intruders;
  • a determination of the relevance of each type of intruder.

Resulting table (type of intruder, category of intruder, identifier):

  • N1 - External intruder: criminal structures, external actors (individuals).
  • N2 - Internal intruder: persons who have authorized access to the controlled zone but no access to the ISPD (technical and maintenance personnel).
  • N3 - Internal intruder: registered ISPD users with access to PD.
  • N4 - Internal intruder: registered ISPD users with the privileges of a security administrator of an ISPD segment.
  • N5 - Internal intruder: registered users with ISPD system administrator privileges.
  • N6 - Internal intruder: registered users with ISPD security administrator privileges.
  • N7 - Internal intruder: programmer-developers (suppliers) of application software and persons providing its maintenance at the protected object.
  • N8 - Internal intruder: developers and persons providing supply, maintenance and repair of technical means for the ISPD.

Appendix B

This appendix is used to describe and calculate the relevance of threats. Depending on the chosen methodology for determining the relevance of information security threats or for risk assessment, this appendix (section) can be designed in different ways. I describe each threat with the following sheet:

The sheet did not format well in the Habr editor; it looks much better in the document. This type of sheet originates from the standards of the STO BR IBBS series. It was later slightly modified for personal data projects, and now it is a tool for describing threats in any project. The sheet makes it possible to fully calculate the relevance of an information security threat to the company's assets, and it works with any risk assessment methodology. The example here is for calculating the relevance of threats as part of a personal data protection project. The sheet is read as follows: Threat -> Intruder -> Assets -> Violated properties -> Data for relevance calculation -> Conclusions.

Each threat is described with such a sheet, which characterizes it fully, and on its basis one can easily conclude whether the threat is relevant or not.
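As an added example, not from the post, here is the relevance calculation that the sheet above feeds, in Python, for both the section 4 threat table and this appendix. It follows the FSTEC of Russia 2008 methodology for determining relevant threats to personal data as that methodology defines it: an initial security score Y1 (high = 0, medium = 5, low = 10), a threat probability score Y2 (unlikely = 0, low = 2, medium = 5, high = 10), feasibility Y = (Y1 + Y2)/20 graded at 0.3, 0.6 and 0.8, and the feasibility-versus-danger matrix. The threats, the asset identifiers A1..A4 and the intruder identifiers N1..N3 are constructed for illustration and tie together the asset list, the Appendix A intruder identifiers and the sheet:

```python
from dataclasses import dataclass

# Score tables of the FSTEC 2008 methodology for PD threat relevance.
Y1 = {"high": 0, "medium": 5, "low": 10}                 # initial security of the ISPD
Y2 = {"unlikely": 0, "low": 2, "medium": 5, "high": 10}  # probability of the threat


def feasibility(initial_security, probability):
    """Y = (Y1 + Y2) / 20, mapped to the four feasibility grades."""
    y = (Y1[initial_security] + Y2[probability]) / 20
    if y <= 0.3:
        return "low"
    if y <= 0.6:
        return "medium"
    if y <= 0.8:
        return "high"
    return "very high"


def is_relevant(feas, danger):
    """Feasibility x danger matrix: a threat is irrelevant only when feasibility
    is low and danger is low or medium, or feasibility is medium and danger is low."""
    if feas == "low":
        return danger == "high"
    if feas == "medium":
        return danger in ("medium", "high")
    return True  # high and very high feasibility are always relevant


@dataclass(frozen=True)
class Threat:
    ident: str
    description: str
    intruders: tuple   # intruder identifiers from Appendix A (N1..N8)
    assets: tuple      # asset identifiers from the section 3 asset list
    properties: tuple  # violated properties: C, I, A
    probability: str   # key of Y2, from the expert assessment
    danger: str        # low / medium / high, from the expert assessment


# Constructed threats; every identifier here is hypothetical.
THREATS = (
    Threat("T1", "Unauthorized connection of an unregistered device to the server segment",
           ("N2",), ("A1", "A2"), ("C", "I"), "medium", "high"),
    Threat("T2", "Interception of RDP traffic between thin clients and the terminal server",
           ("N1",), ("A3",), ("C",), "low", "medium"),
    Threat("T3", "Leakage through spurious electromagnetic emissions of workstations",
           ("N1",), ("A4",), ("C",), "unlikely", "low"),
    Threat("T4", "Use of an unlocked OS session on a workstation",
           ("N3",), ("A4",), ("C", "I"), "high", "low"),
)


def sheet_row(threat, initial_security):
    """One threat sheet in the post's column order:
    Threat -> Intruder -> Assets -> Violated properties -> Data -> Conclusion."""
    feas = feasibility(initial_security, threat.probability)
    return {
        "threat": threat.ident,
        "intruders": threat.intruders,
        "assets": threat.assets,
        "properties": threat.properties,
        "feasibility": feas,
        "danger": threat.danger,
        "relevant": is_relevant(feas, threat.danger),
    }


def relevant_threat_ids(threats, initial_security):
    """The section 4 list of relevant threats."""
    return [t.ident for t in threats if sheet_row(t, initial_security)["relevant"]]


def assets_at_risk(threats, initial_security):
    """Asset identifier -> relevant threats affecting it; this is what the
    Conclusion section turns into protective measures."""
    out = {}
    for t in threats:
        if sheet_row(t, initial_security)["relevant"]:
            for asset in t.assets:
                out.setdefault(asset, []).append(t.ident)
    return out


if __name__ == "__main__":
    for t in THREATS:
        print(sheet_row(t, "medium"))
    print(assets_at_risk(THREATS, "medium"))
```

Note how the same four threats give different conclusions depending on the initial security level recorded in section 3 (with a "high" initial security only T1 stays relevant); if a project uses another methodology, only the two score tables and the matrix in `is_relevant` need to be swapped, the sheet structure stays the same.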

Appendix C

Appendix C is for reference. It describes the methods used to calculate relevance or to assess risks.

As a result, with this way of structuring it, the threat model becomes a readable and useful document that can actually be used in the organization.

Thank you for your attention.