Controls of CIA

    It would be very interesting to command the CIA, but that is available only to Comrade Snowden. In this note (although it is too big for a note) we will talk about the three pillars of information security which, of course, everyone has already guessed: Confidentiality, Integrity, Availability. The material is not much like what is found in Russian-made textbooks, so I hope it will be interesting. I leave some terms in the original; those in the know do not need a translation, and in context, I think, everything will be clear. Each of these three aspects is closely related to physical safety (Safety), and a violation of any of them can lead to negative consequences.

    Consider today's popular cloud services, whose main advantages are scalability and flexibility, or elasticity. When entrusting your data to another organization, for example an SP (service provider), you need to be sure that it remains known only to you, i.e. ensure its confidentiality (C). What basic control types can be used? Regardless of the platform, we can use ... cryptography, or encryption, whichever you prefer.
    1. File-by-file encryption: before sending critical information outside the "perimeter", regardless of the services provided (well, ok, the SP encrypts it in its cloud), you must first encrypt all the information locally. Similarly, if information is stored on mobile devices, full device / disk encryption is a prerequisite for use.
    2. The next condition is access control (access separation, information separation) in the context of Technical controls; later it will be clear why. The main schemes applied are MAC, DAC (do not confuse them with anything else) and RBAC. Using these schemes, we can protect ourselves from unauthorized access to information.
    3. Well, a bit of a toy, but also an effective tool: steganography. For those not familiar with it, OpenPuff to the rescue. You can try to bypass DLP =) by ensuring the privacy of sensitive information while bypassing security policies.


    As the administrator of critical infrastructure components, you often need to update them. How can you be sure that the updates are exactly the original files from the developer, i.e. that their integrity (I) has not been broken? Especially for this purpose, on developers' sites, next to the link to the object, there is usually a line with additional identifying information: a checksum, or HASH. This is a one-way control value computed with a HASH function (MD5, SHA-1). These values should match: the one on the site and yours, calculated after downloading.

    The next technology supporting I makes full use of the above: electronic signatures (according to Federal Law No. 63), or electronic digital signatures, as they used to be called. There are 3 types of ES: simple and enhanced, the latter being either qualified or unqualified. Depending on the type, the electronic signature ensures non-repudiation of the author and / or the integrity of the sent message. The whole essence of using an ES comes down to asymmetric encryption technology: a public key and the single private key paired with it. For global use of ES, a public key infrastructure (PKI) is specially formed, the main structural element of which is the certification authority (CA), which all ES subjects trust.
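    To show the difference between the two integrity checks just described, here is an added example (not from the original post) in Go: a published checksum verifies that a download is intact, while a signature made with the developer's key pair also proves who published it. The Publication type, the artifact contents and the ed25519 key pair are constructed for the example; the CA and certificate layer of a PKI is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Publication models what a developer's download page offers next to an
// artifact: the file itself, its published SHA-256 checksum, and a detached
// signature made with the developer's private key.
type Publication struct {
	Artifact  []byte
	Checksum  string // hex SHA-256 as printed on the download page
	Signature []byte // ed25519 signature over Artifact
}

// Publish is the developer's side: hash the artifact and sign it.
func Publish(artifact []byte, priv ed25519.PrivateKey) Publication {
	sum := sha256.Sum256(artifact)
	return Publication{artifact, hex.EncodeToString(sum[:]), ed25519.Sign(priv, artifact)}
}

// ChecksumMatches is the administrator's first check: recompute the hash of
// the download and compare it with the published value. It catches
// corruption, but not a substituted file whose checksum was substituted too.
func ChecksumMatches(p Publication) bool {
	want, err := hex.DecodeString(p.Checksum)
	if err != nil {
		return false
	}
	sum := sha256.Sum256(p.Artifact)
	return subtle.ConstantTimeCompare(sum[:], want) == 1
}

// SignatureValid is the stronger check: only the holder of the private key
// paired with pub could have produced a valid signature, which gives both
// integrity and non-repudiation of the publisher, as the text describes.
func SignatureValid(p Publication, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, p.Artifact, p.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := Publish([]byte("update-1.2.3.bin contents"), priv) // constructed sample
	fmt.Println(ChecksumMatches(genuine), SignatureValid(genuine, pub)) // true true

	// A substituted file with a recomputed checksum passes the hash check but
	// cannot carry a valid signature without the developer's private key.
	sub := Publish([]byte("substituted contents"), priv)
	sub.Signature = genuine.Signature
	fmt.Println(ChecksumMatches(sub), SignatureValid(sub, pub)) // true false
}
```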

    Now a little about availability. We have a lot of money, so we will build a redundant infrastructure. What is the benefit? High availability, clustering, fault tolerance. In case of force majeure you can be sure that the systems will be available, and in the absence of negative factors you can increase performance. An important factor for A is the proper installation of patches. Before you update anything, you need to test everything thoroughly and coordinate all changes with documentation (change management).

    Applying organizational and technical security measures, we must not forget about physical access. Where possible, and in some cases mandatorily, use fences, video surveillance, special locks, etc.

    "Make money, make money, and the rest is all rubbish ..."

    So! Nobody wants to lose what was "acquired by overwork": Assets. There is always damage from possible negative consequences: Threats. Invulnerable systems do not exist: Vulnerabilities. And the likelihood of damage from exploiting a vulnerability is Risk. If a violation of the CIA is a threat, then this threat must somehow be countered (risk mitigation, countermeasures).

    Every admin is familiar and comfortable with the so-called Technical controls. These are all the technologies used to provide information security: FW, Port Security, ACL, AV, IPS, UTM, DLP, PKI, 802.1x, Passwords, etc. In principle, what else is needed? =)
    What is needed is the basis on which all of this should function: Management controls, administrative management. A competent Risk / Vulnerability assessment as the basis for the security policy approved by the head of the organization, as well as other regulatory documents governing the organization's activities in the field of information security: all of this is administrative management.

    On the basis of management, operational controls are built: daily work regulations, instructions, plans for scheduled / unscheduled work (change management). All of this should correlate with the security policy in order to define the "normal" functioning of the IT infrastructure.
    On the importance of policies (management controls): "Everything that is agreed is recommended; everything that is written is executed!"


    For ordinary users, it is recommended to write something like a privacy policy or acceptable use policy, focusing on what the user may or may not do, i.e. defining their areas of influence and responsibility (work with mail, the Internet, removable media, disclosure of commercial secrets (CT), etc.). Obliging the user not to turn off the server equipment during the working day makes no sense, because he should not have access to that area of responsibility at all. These policies can be reviewed as often as necessary in terms of job responsibilities.

    The global security policy is based on the area in which the organization operates and consists of many pages of text, diagrams, etc., describing all kinds of situations. Ideally, in this policy you can find the answer to any question about information security in the organization.
    In the policy or other documents, it is worth reflecting the following risk reduction procedures associated with the human component.

    1. Mandatory vacations (hard to believe): during this period the employee is forbidden to appear at work or to contact company employees, in order to reduce or detect fraud (fraud, embezzlement, neglect): a discovery or deterrent mechanism. For example, SuperAdmin goes on compulsory leave and another skilled person is sent to replace SuperAdmin. Usually effective in financial institutions. From experience at a bank, I can say that everything described is correct, but only with planned vacations; I have never encountered mandatory ones. In theory, this should also help in case the employee is dismissed, so that the organization is always ready for a replacement (cross-training).
    2. Approximately the same thing, only without mandatory leave (just what exists in most organizations): Job rotation.
    3. One of the most important means of control is the division of responsibilities, the two-person principle, etc. (Separation of Duties). A critical operation consisting of several steps cannot be performed by one subject; each subject controls his own area of responsibility.
    4. Another important factor follows immediately: the minimum privileges (rights) needed to perform duties, or the principle of necessity and sufficiency (Least privilege). For example, you (the network engineer) have access to information stamped "for official use" (DSP); this is enough to have access to any DSP documents, but is there a need for access to documents, for example, on physical security sensors, even if they are DSP too? The answer is no! This information is not in your area of responsibility. Therefore, first the rights are divided (according to the minimum principle), and only then responsibility is assigned.


    The main policy, given such changes in roles and responsibilities, should be a procedure for periodic audit, in order to identify possible overlapping "conflicts of access rights", when one entity accumulates the rights of all the entities whose duties he once performed, not to mention other information security problems.
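    An added example, not from the original post, of the audit just described in Go: given a constructed role-to-permission table, it reports grants beyond what an account's current role needs (least privilege) and forbidden permission pairs held by one person (separation of duties). The role names, permission names and the sample accounts are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// rolePerms maps each role to the permissions it legitimately needs
// (constructed sample data for the example).
var rolePerms = map[string][]string{
	"network-admin": {"read:dsp-docs", "config:switches"},
	"dba":           {"read:dsp-docs", "admin:payments-db"},
	"payments-ops":  {"submit:payment"},
	"payments-ctrl": {"approve:payment"},
}

// sodConflicts lists permission pairs that Separation of Duties forbids one person to hold.
var sodConflicts = [][2]string{{"submit:payment", "approve:payment"}}

// Account is a user as seen in the directory: the role held today and every
// permission actually granted, including leftovers from earlier rotations.
type Account struct {
	Name, Role string
	Granted    []string
}

// Finding is one audit observation: Kind is "excess" or "sod-conflict".
type Finding struct{ Account, Kind, Detail string }

// AuditAccount applies both checks: any grant beyond what the current role
// needs violates least privilege, and any forbidden pair held together is a
// separation-of-duties conflict. Findings are returned sorted by Detail.
func AuditAccount(a Account) []Finding {
	needed := map[string]bool{}
	for _, p := range rolePerms[a.Role] {
		needed[p] = true
	}
	has := map[string]bool{}
	var out []Finding
	for _, p := range a.Granted {
		has[p] = true
		if !needed[p] {
			out = append(out, Finding{a.Name, "excess", p})
		}
	}
	for _, c := range sodConflicts {
		if has[c[0]] && has[c[1]] {
			out = append(out, Finding{a.Name, "sod-conflict", c[0] + " + " + c[1]})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Detail < out[j].Detail })
	return out
}

func main() {
	// ivan moved from payments-ops to payments-ctrl and was once a dba; nobody revoked the old grants.
	ivan := Account{"ivan", "payments-ctrl", []string{"approve:payment", "submit:payment", "admin:payments-db"}}
	for _, f := range AuditAccount(ivan) {
		fmt.Printf("%s: %s %s\n", f.Account, f.Kind, f.Detail)
	}
}
```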

    Risks when integrating with third-party organizations.

    "Write more papers: more papers, fewer problems." In principle, there is nothing more to say: SLA - service level agreement, BPA - business partner agreement, MOU - memorandum of understanding, ISA - interconnection security agreement.
    In general, as elsewhere, describe in the greatest detail the interaction procedures and the responsibility of the parties for disclosure, storage, processing, etc. You never know, you may have to go to court ...

    We believed, we wrote

    Now let's count the bills. How much do you need to spend to reduce risk: quantitative risk analysis.
    For example, we have an asset, a server, worth 1100, and we are offered insurance for 250 a year, transferring the risk to the insurance company (risk transference). First we determine the SLE (single loss expectancy), the cost of a single replacement = 1100. ARO - annual rate of occurrence - how often per year a failure happens (once every 5 years) = 0.2. ALE - annual loss expectancy (loss per year) = SLE * ARO = 220, which is less than a year's insurance. We make the right choice.


    In addition to risk transfer, we can avoid it (avoidance: do not allow BYOD), accept it (acceptance: cheaper), reduce it (mitigation: FW, AV), and counteract it (deterrence: mantrap). There is also qualitative risk analysis based on expert assessments: Impact * Likelihood, a not very accurate type of analysis, but better than nothing.
    To assess the reliability of operation, the following concepts are introduced:
    • MTBF - mean time between failures - how many hours of operation between failures; reliability.
    • MTTR - mean time to restore - time needed for recovery; speed.
    • MTTF - mean time to failure - how long it operated until failure, after deployment.
    • Threat vector - the technology that will be attacked (email, web, IM, Tel).
    • RTO - recovery time objective - how much time is allowed for restoration.
    • RPO - recovery point objective - how old a copy may be used.

    How to reduce the risk?

    The answer lies on the surface: either get rid of vulnerabilities or of threats. It is very likely that getting rid of the threat will not be possible. Therefore, everyone tries to close known vulnerabilities. We are not talking about 0-day vulns now. Vulnerabilities are closed mainly through technical controls, whose application should be described through change management. The plan of work (testing, monitoring, recovery) with a detailed description of actions and time intervals, indicating the responsible persons, must be signed by all interested parties. A recovery plan for force majeure situations is also needed. "No security issues after the update."
    The sad part. Incident management: something bad happened, and we did not have time to counteract it. Our actions should follow a plan prepared in advance for such cases. Users must act according to instructions or policies (whom to call or write to, or drop everything and run), and for this they need to be taught: Security awareness. Preparing a plan after the incident is pointless.
    We have already talked about the audit of user rights; this is very important, but it may turn out that the "guardian Comrade Masha" opens the repository and ceases to be a guardian. Disable the accounts of dismissed employees (remove them once you are sure they are no longer needed); those on vacation should not be allowed in. Carry out audits, both planned and sudden; the result should be an audit report. Such reports should be analyzed to determine the trends and, possibly, the impact on employees.
    In many organizations, PII is processed, PD in Russian terms. About the legislation of the Russian Federation, not a word =). Data should be closed (encrypted); to protect against leaks, you can implement DLP (it will not help with encrypted data, but do not forget about SSL inspection), and prohibit the use of removable media using software, policies, and scripts.

    If the incident occurs, then you need to investigate - Forensics.

    Three main steps in a non-enterprise incident: find, isolate, neutralize. In case of an incident in production, you need to follow other recommendations. Do not turn off the most volatile sources of information (Most volatile): registers, RAM, cache, processes, until the data is collected, and if possible use the medium-volatile swap file in the analysis.
    For the least volatile (HDD), make a bit-by-bit disk image, calculate and compare the hash. Make a copy of the image and work only with it, in read-only mode if necessary. Collect information from network devices via Syslog; if a SIEM is deployed, collect its reports; GiGo - network traffic; take time offsets into account for accurate analysis (use NTP); screenshots are also useful; conduct interviews with employees; if nothing comes out of it, hire outside specialists (do not forget about the agreement); and without fail control integrity when transferring information from one entity to another (chain of custody).

    If you want peace, prepare for war! How to resist (Incident response).

    Get ready, get ready, get ready. The more we prepare, the less time we spend on the response. Rules are needed for whom to notify first in case of a problem (Head, Help-desk, DIB). Next, competent staff should determine the priority: how important, how complex, the scale of the incident. Apply countermeasures (isolate, neutralize). After eliminating the incident, it is imperative to update the knowledge base (lessons learned), improve protection technologies, and document the incident so that the next response is more effective, or change the infrastructure and policies (policy & infrastructure update) so that the likelihood of this type of incident is minimized. In an emergency, contact law enforcement; however, it is worth considering that during the investigation you can collect a very "good rake" of additional reputational risks. "If not sure, don't overtake!" After incident response procedures and impact assessment, the infrastructure must be brought back into working condition. For this, the organization must have a developed recovery plan: a "Disaster recovery plan".

    Information Security Training - Forewarned is forearmed.

    It is necessary to periodically conduct information security training with employees, with subsequent testing of knowledge on issues related to their operational activities. Ideally, this should discipline users, which ultimately leads to a reduction in risk. At the very least, knowledge testing makes users remember the main aspects of the information security policy.

    It is necessary to categorize (label) all data by importance / criticality, approximately in the same way as is done with information constituting state secrets (GT), for commercial information, and in accordance with the legislation regarding CI and PD. Banks have their own categorization for financial documentation. For such information, mandatory access control (MAC) is applied, and users should understand that access to information is determined solely by production necessity. The processing, transportation and destruction of critical information should similarly be carried out correctly, in accordance with regulatory documents. Do not throw state secrets into the trash and do not resell hard drives =)

    User habits are also a sore subject: passwords under the keyboard, an unlocked computer, documents left on the desk, flash drives found near the office, helping "strangers" get into the office; all of this should be eliminated and explained with real examples and the resulting risks, both for the organization and for the user (loss of bonus, administrative liability, etc.). To all this, add rules for using social networks (if they are not prohibited), opening links and advertisements, and users' "favorite" Internet resources.

    Natural disaster risks can occur in production: natural and man-made risks (fire, earthquake, flood, lightning) that can slow down production activities. To speed up the return to normal functioning, it is desirable to have a BCP - business continuity plan - a conceptual set of actions, the main part of which is the BIA - business impact analysis.
    It must identify critical systems, communications, and their impact on business continuity. Set the RTO and RPO you want to strive for. Have several scenarios, assess the risks, preferably quantitatively. Identify possible losses of part of the business and fines from regulators.
    For example, we decided to deploy a Hot site: it's cool, but very expensive. If something happens to the main site, the hot standby, having all the information and technical capabilities of a duplicate (Fully operational), will take over. We want to save money: a Warm site requires more time for commissioning, does not have operational information, and is only a copy of the hardware. In general, for the poor, i.e. a low-budget organization, at least organize a cold site, or else nothing ... As you know, it all depends on the value of the assets.
    Thus, the Disaster recovery plan being developed should be based on the organization's existing assets. When assets change, it is reviewed and constantly monitored. It follows that BCP -> 1 DRP + 2 DRP + ... + n DRP -> IT contingency plans for each DRP. An IT contingency plan evaluates a single system or asset. In order to know who does what in emergency situations, Succession planning is developed; it makes sense to develop it exclusively before these situations occur.
    Redundancy and fault tolerance, which give rise to the implementation of HA -> Clustering -> Load Balancing, were discussed above. RAID (Redundant Array of Independent Disks) can also be attributed to this: 0 - stripe, 1 - mirror, 5, 6 - with parity, combined 10, 50 and 60. The use of these technical tools and technologies is best practice in the design of a BCP.
    Backup plan. Here you need to determine how often you need to make backups and their volumes: full, incremental and differential. Usually, full backups are done on weekends, incremental ones in the evening of a working day. And you need to back up only what is really needed; it makes no sense to clutter up storage with garbage.
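    An added example, not from the original post, in Go, of how the three backup volumes differ on the schedule just described (full on Sunday, incrementals on weekday evenings): it selects which files each backup must copy from a constructed timeline of file modifications and shows why a differential taken on the same evening is larger than the incremental. File names, dates and the History type are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// BackupKind names the three backup volumes discussed in the text.
type BackupKind int

const (
	Full         BackupKind = iota // copies everything
	Incremental                    // changed since the last backup of any kind
	Differential                   // changed since the last full backup
)

// File is a constructed stand-in for a file system entry.
type File struct{ Path string; Modified time.Time }

// History records when the last full and the last backup of any kind ran.
type History struct{ LastFull, LastAny time.Time }

// SelectFiles returns the sorted paths a backup of the given kind must copy
// and the updated history. Incrementals stay small but a restore needs the
// full plus every incremental after it; a differential grows through the
// week but a restore needs only the full plus the latest differential.
func SelectFiles(kind BackupKind, files []File, h History, now time.Time) ([]string, History) {
	var since time.Time // zero value: a full backup copies everything
	switch kind {
	case Incremental:
		since = h.LastAny
	case Differential:
		since = h.LastFull
	}
	var out []string
	for _, f := range files {
		if f.Modified.After(since) {
			out = append(out, f.Path)
		}
	}
	sort.Strings(out)
	if kind == Full {
		h.LastFull = now
	}
	h.LastAny = now
	return out, h
}

// at builds a timestamp on day n relative to the Sunday full backup (constructed timeline).
func at(n, hour int) time.Time { return time.Date(2024, 1, 7+n, hour, 0, 0, 0, time.UTC) }

func main() {
	fs := []File{{"a.txt", at(-1, 12)}}
	sel, h := SelectFiles(Full, fs, History{}, at(0, 22))
	fmt.Println("Sunday full:", sel)
	fs = append(fs, File{"b.txt", at(1, 12)})
	sel, h = SelectFiles(Incremental, fs, h, at(1, 22))
	fmt.Println("Monday incremental:", sel)
	fs = append(fs, File{"c.txt", at(2, 12)})
	inc, _ := SelectFiles(Incremental, fs, h, at(2, 22))
	dif, _ := SelectFiles(Differential, fs, h, at(2, 22))
	fmt.Println("Tuesday incremental:", inc, "differential:", dif)
}
```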

    In total, in this note I tried to talk about IS management methods, risk assessment and a little about technology. Remembering work at an enterprise, a hazardous type of activity, I can say that the concepts described above are really very important and often help out, both when working with integrators and contractors and during emergency situations, when there is a need for an urgent "relocation" of infrastructure.

    As always, I will be glad to see your comments.
    I understand that the volume is too big, so thanks for mastering it to the end!
    PS Concerning work with users. You can conduct tests after training, as I wrote, or you can arrange a "test purchase" after a while: send an email from an unknown name, indicate in the subject line "bonus based on work results / additional leave / something else, with details in the file" and attach this file with a script which, once opened, notifies you about the user. It will be interesting; the main thing is not to get burned yourself, so regulate your actions.
