In the footsteps of the Bremen Town Musicians, or how to build “the information security of Russia” correctly


    Laughter prolongs life

    As you know, yesterday we enjoyed either super-sarcasm, or a gag, or “the author has a spring exacerbation”, on the topic of “How we should reorganize Rabkrin” “How do we build information security in Russia”.

    Let's try to work out what is “wrong” in what was proposed. As you know, if you don't know how to present the material, stick to the training manual.

    1. What is it?
    2. Who is it for?
    3. How to use it?

    And only after that you can move on to the details.

    Alas, the source text had no important preamble. Excuse me, who are we going to defend against? What for? What specific threats do we need to stop, or at least weaken?

    The author never told us what kind of green men these are, the fight against which means the destruction of all IT in the Russian Federation. As for destruction, yes, those items are described with knowledge of the matter.

    Let's try to assess the situation. There will be plenty of material for laughter in the text from the perspective of couch analysts. I deliberately do not mark emoticons and other special characters, but you can traditionally laugh after the word “shovel”.


    External threats

    Let's start with the horror stories. We are surrounded by enemies from Alpha Centauri, evil green men. They have taken over our antipodes and are sowing the reasonable, the good, the eternal even on our sovereign territory.

    Organizational threats

    At the moment, the apologists of Protection are very fond of operating with concepts like “well, potentially, yes”. As in the joke: potentially we are millionaires, but in practice there are two prostitutes in the house.

    That is, potentially the manufacturers of Android / iOS can plant any kind of scary backdoors into their systems.

    Can they? They sure can. But.

    To assess the need for protection against such “potential” measures, imagine that the backdoors exist and have been triggered. Will this disrupt command and control at the Ministry of Emergency Situations? The work of the ambulance service and the Ministry of Internal Affairs? Wired communication over a step-by-step telephone exchange? And will everyone who needs mobile communications get VHF radios out of the stash?

    And then what exactly is the threat if, instead of Pavel Durov's brainchild, Zuckerberg's product suddenly opens?

    So by a mental effort we find out that “confiscating mobile phones at the border” is not required.

    But developing our own “software”, written directly onto SIM cards and allowing the antipodes' creeps to be stopped if anything happens, has a right to life. And for the categories of citizens with first-form clearance it wouldn't hurt to issue it.

    Threats intentional and not only

    This does not mean that we deny threats of all kinds, not at all. However, the scale is different, and “hand it in to the safe” is necessary precisely in those places where the presence of uncontrolled communication systems can lead not to a leak of Angry Birds high scores, but to the disclosure of state secrets. That is, at restricted-access sites, bases and storage areas for military equipment, military units and so on.

    Moreover, a cheap “jammer” will provide an acceptable level of security, and a rusty nail will guarantee the absence of unauthorized photo shoots in secret places.

    And antipodean spies with suicide belts are caught using the same archaic methods: operational investigative measures, planting agents, and monitoring the media. If you remember, it was precisely this kind of antipodean intelligence activity that a certain Snowden exposed.

    Threats friendly fire

    We also touch on interesting side effects. Obviously, if a deputy's assistant in the State Duma falls ill, then (because of the jammers) he cannot take the smartphone out of his pocket and call an ambulance. He will have to crawl to a landline phone.

    So you must always remember: introducing a protection not only reduces the risks it is directed against, but also always creates new ones. And those also need to be evaluated and minimized. Lovers of “banning” often try to skirt this subject with a dashing cavalry manoeuvre, because in many cases super-protective super-systems not only add unacceptable risks, but also cost more than the potential damage from leaks or even from deliberate destructive actions.

    This is why many will actually be against the NSA wiretapping system. Simply because, although it does not bring new threats in appearance, there is a strong risk of a leak from the NSA itself! Plus abuse and corruption.

    But blocking sites by a list is a destructive measure that complicates the life of honest users, gives a lot of scope for abuse, and carries far more risk.

    Social threats

    In the age of Web 2.0 (C), the social networks so beloved by everyone bring new threats. For example, unfaithful spouses publish in them evidence of their own marital infidelity. Themselves, voluntarily.

    In the same way, nuclear power plant security schemes (a real case), maps, photographs of the latest hardware and so on end up on social networks. And interestingly, banning social networks is already unrealistic. And educating users in the basics of social hygiene is all the more unrealistic.

    Therefore: only automated monitoring (see Kribrum and its analogues) and targeted work.

    Instead, lovers of crazy ways of protecting themselves from green men propose letting people into “greedy students” only with a passport scan. I wonder how that will protect against “I climbed through the hole in the fence and took a picture of a Topol-M”? Won't post-pubescent youngsters think of attaching a scan of the neighbour at the next desk?

    But it is useful to breed “85-ruble Kremlebots” precisely for the purpose of discrediting both the source and the materials. If the photo of the “Topol” is accompanied by a pile of comments like “this truck is carrying a pipe to a substation, I drove past it an hour ago!”, then the value of the photograph drops sharply. And this can also be done automatically.

    Technical threats

    Here I would like to recall such simple things as DDoS, spam, carding and other tricks of the black hats. As well as targeted attacks on particular points of the infrastructure and on potential carriers of monetizable secrets.

    Fortunately, almost none of these (except spam and theft of a credit-card database) allows a serious attack to pay for itself in purely economic terms. That, in turn, does not allow a full-fledged market with division of labour among cybercriminals to form. Plant an agent, and there they are, the malware writers, in plain view.

    All that is needed is to bring your agents to positions closer to where the money is actually received.

    And of course, the usual work of seizing botnets with the involvement of civilian specialists.

    But attempts to “use only domestic”, on the contrary, reduce security. What should the same bankers do without SSL / TLS? Without client certificates and one-time code generators? Without all these applets and client-bank systems? Obviously, long queues and blurry round stamps. But excuse me, in the age of a scanner plus Photoshop, what can a round stamp protect from? It did not protect the avisos in the 1990s.

    Mental threats

    Yes, yes, these are psychological tricks, Internet memes, “Albanian” and other techniques for influencing minds.

    What does this have to do with security? None whatsoever.

    Except for the fact that it is precisely from this “threat” that all sorts of Internet leagues and deputy Mizulina are actively “defending” us.

    Let me remind you again: there are no magical defenses without new risks.

    So, protection against pedophiles (C) in the “decaying West” is better developed than in the Russian Federation; the same Google suggests enabling content filtering both for search and on smartphones. The problem is common, so the approaches and solutions should also be common. But on one side is the development of semantic analysis, image recognition, and their integration into parental controls, and on the other, global blacklists.

    From a purely technical point of view, blacklists for mail in no way cancel filtering by content, but only complement it as one more point in the overall rating of the text and headers. Blacklists on their own stopped working a very long time ago, and there are no prerequisites for the situation to be any better for sites.
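    To make the “one more point in the overall rating” idea concrete, here is an added example (not code from the original post): a toy mail filter in which a sender blacklist hit is one weighted feature alongside content and header features, and only the combined score decides. The blacklist entries, the keyword rules, the weights and the three sample messages are all constructed for illustration; a real filter would learn its weights from data.

```python
"""Added example: blacklist as one feature of a scored mail filter, not a verdict."""
import re
from dataclasses import dataclass, field


@dataclass
class Message:
    sender_ip: str
    subject: str
    body: str
    headers: dict = field(default_factory=dict)


# Constructed blacklist of sending hosts (assumption: fed from a DNSBL-like source).
BLACKLIST = {"203.0.113.7", "198.51.100.42"}

# Constructed content indicators with weights; real filters learn these.
CONTENT_RULES = [
    (re.compile(r"\b(viagra|casino|prize)\b", re.I), 2.0),
    (re.compile(r"\bclick here\b", re.I), 1.5),
    (re.compile(r"[A-Z]{6,}"), 0.5),      # long shouting runs
    (re.compile(r"\$\d{3,}"), 1.0),       # dollar amounts
]
BLACKLIST_WEIGHT = 3.0        # strong signal, but below the threshold on its own
MISSING_MSGID_WEIGHT = 1.0    # header anomaly: no Message-ID at all
SPAM_THRESHOLD = 4.0


def score(msg):
    """Return (total, breakdown) so the contribution of each feature is visible."""
    breakdown = {}
    if msg.sender_ip in BLACKLIST:
        breakdown["blacklist"] = BLACKLIST_WEIGHT
    if "Message-ID" not in msg.headers:
        breakdown["missing-message-id"] = MISSING_MSGID_WEIGHT
    text = msg.subject + "\n" + msg.body
    for rule, weight in CONTENT_RULES:
        hits = len(rule.findall(text))
        if hits:
            breakdown[rule.pattern] = weight * min(hits, 3)  # cap repeated hits
    return sum(breakdown.values()), breakdown


def is_spam(msg):
    return score(msg)[0] >= SPAM_THRESHOLD


# Constructed samples: a listed host sending a benign note, an unlisted host
# sending obvious spam, and a listed host sending spam.
SAMPLES = {
    "listed_but_benign": Message("203.0.113.7", "Meeting notes",
                                 "Agenda attached, see you at 10.",
                                 {"Message-ID": "<a@example.invalid>"}),
    "unlisted_spam": Message("192.0.2.10", "YOU WON A PRIZE",
                             "Click here to claim your $5000 prize!!!"),
    "listed_spam": Message("198.51.100.42", "casino bonus",
                           "Click here for casino prize",
                           {"Message-ID": "<c@example.invalid>"}),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        total, parts = score(msg)
        print(f"{name}: spam={is_spam(msg)} score={total} parts={parts}")
```

    Run as a script it prints the per-feature breakdown for each sample: the blacklisted-but-benign note scores 3.0 and passes, the unlisted spam scores 7.5 on content and header features alone, and the listed spam is caught by both. The point of returning the breakdown rather than only a boolean is that an operator can see which feature fired and tune its weight instead of blindly trusting or dropping the list.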


    Internal threats

    Having dealt a little with external threats, we move on to the renegades and hired antipodes in our own camp.

    It is these malicious insiders who can easily carry the scary stuff out on a flash drive, copy it onto a DVR, or photograph it with a smartphone. And post terrible secrets to the social networks, “greedy classmates” or even “LJ”. Which will cause enormous damage.

    Joking aside, the danger is different: you can put not only a picture of Anna Semenovich on a flash drive or smartphone, but also a secret drawing, instructions or even an order stamped “top secret”. And unlike antipodean spies, who can be seen from afar (“Grandma, how did you figure out I'm an American spy?” “Well, dear, there are no black people in our village!”), they have legitimate access.

    And here a much larger arsenal has to be applied, from test purchases to DLP and proper regulations from the security service.

    Organizational threats

    Something gave Stirlitz away: either the budyonovka with the red star, or the parachute...

    In fact, we are dealing with the most dangerous class of vulnerabilities: holes in the perimeter, an incorrectly assessed perimeter, incorrectly assessed risks and so on. It is this class of errors that creates the fertile environment for all the other classes.

    It is important to remember that security holes arise both from disregard for security (“everyone has access to the network share”, “only cowards make backups”, and so on) and from excessive zeal (“mail does not carry attachments over 100 kilobytes”, as a result of which all employees send confidential letters via e-mail).

    At the moment, the only correct method for constructing defense systems is the principle of damage minimization.

    How much loss, in dead presidents of the antipodes, will there be if our specialist Vasya takes the customer base to a competitor? And how much does it cost to implement a security policy under which the list of clients sits in a database and is visible only to “their own” managers? This difference in money is the only right measure for introducing a protection or not introducing it. Will we come out ahead?

    Unfortunately, the current situation in the protection market is largely (fortunately not always) built on aggressive marketing using mental techniques. If you don't install an antivirus, money will be stolen from you! How? I don't keep money in my computer! Believe us and be afraid.

    And as the “apotheosis of apofigee”, we get the typical situation of “jailer syndrome”, where ordinary employees are forced to take work home on flash drives or even come in with their own laptop and a Yota modem.

    But for the bosses, who put into operation a set of jokes and absurdities instead of competent regulations, these restrictions do not apply at all. In this way subordinates acquire the esoteric knowledge “the boss's password is 111” and much more access than they require. Which lets them put various proxies and other tunnels on the server or on the director's computer. And disable the antivirus so it doesn't get in the way. The result is sad: whether there is protection or not, it's all the same.

    So only a competent understanding of all the risks and dangers, only designing the system without exceptions, will achieve the minimum necessary level of security. Minimum! For there is no need to spend mountains of money on something that cannot be protected.
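    The policy mentioned above, “the client list sits in a database and is visible only to its own managers”, is cheap to implement when the filter lives on the server side rather than in the UI. The following is an added example, not code from the original post: a constructed SQLite sample with two managers and a head of sales, where every read is scoped by the caller's id, bulk export is a separate privileged action, and every access (including the denied ones) is written to an audit table. The table layout, names and the admin flag are assumptions for illustration.

```python
"""Added example: row-level scoping of a client list by manager, with an audit trail."""
import sqlite3


def build_sample_db():
    """Constructed data: two ordinary managers, one admin, three client records."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE managers (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                               is_admin INTEGER NOT NULL DEFAULT 0);
        CREATE TABLE clients  (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                               manager_id INTEGER NOT NULL REFERENCES managers(id));
        CREATE TABLE audit    (manager_id INTEGER, action TEXT, detail TEXT);
        INSERT INTO managers VALUES (1, 'Vasya', 0), (2, 'Petya', 0), (3, 'Head of sales', 1);
        INSERT INTO clients  VALUES (1, 'Acme', 1), (2, 'Globex', 1), (3, 'Initech', 2);
    """)
    return conn


def _log(conn, manager_id, action, detail=""):
    conn.execute("INSERT INTO audit VALUES (?, ?, ?)", (manager_id, action, detail))


def my_clients(conn, manager_id):
    """The caller's own clients only; the WHERE clause is applied by the server, not the UI."""
    rows = conn.execute(
        "SELECT name FROM clients WHERE manager_id = ? ORDER BY id", (manager_id,)
    ).fetchall()
    _log(conn, manager_id, "list", str(len(rows)))
    return [r[0] for r in rows]


def client_name(conn, manager_id, client_id):
    """Lookup by id is still filtered by ownership, so guessing other ids yields nothing."""
    row = conn.execute(
        "SELECT name FROM clients WHERE id = ? AND manager_id = ?", (client_id, manager_id)
    ).fetchone()
    _log(conn, manager_id, "read", str(client_id))
    return row[0] if row else None


def export_all(conn, manager_id):
    """Bulk export of the whole base is a privileged, always-logged operation."""
    admin = conn.execute(
        "SELECT is_admin FROM managers WHERE id = ?", (manager_id,)
    ).fetchone()
    if not admin or not admin[0]:
        _log(conn, manager_id, "export-denied")
        raise PermissionError("bulk export requires the admin role")
    _log(conn, manager_id, "export", "all")
    return [r[0] for r in conn.execute("SELECT name FROM clients ORDER BY id")]


def audit_trail(conn):
    """Everything that happened, in order, for the security service to review."""
    return conn.execute("SELECT manager_id, action, detail FROM audit").fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print("Vasya sees:", my_clients(db, 1))
    print("Petya sees:", my_clients(db, 2))
    print("Petya asks for client 1:", client_name(db, 2, 1))
    try:
        export_all(db, 1)
    except PermissionError as exc:
        print("Vasya export:", exc)
    print("Admin export:", export_all(db, 3))
    print("Audit:", audit_trail(db))
```

    Vasya sees Acme and Globex, Petya sees only Initech, Petya's request for client 1 returns nothing, and Vasya's attempted export is refused and logged. The cost side of the page's comparison is visible in the code: a few lines of scoping and a log table, against the loss of the whole customer base.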

    Social threats

    It would seem that the threats are similar to the paragraph above? Not quite.

    Here social engineering comes to the fore. As part of the rules for checking the cryptographic strength of passwords, tell us your current one over the phone! Many do, even knowing that it is not allowed. Well, simply because how else would a stranger know the internal number? It's the security guys testing us! And they are allowed to.

    And they really do test... sometimes.

    Here you can also recall the password written on the monitor, sticky notes on the desk with classified information and so on.

    Only systematic training and testing of personnel saves from this, but it is advisable to test so that they are not aware of it. And not quite on what they were trained for.

    Oddly enough, this item is often ignored simply because of its serious cost. Training staff takes them away from work, requires hiring external trainers, close contact with your DLP vendor and constant adherence to regulations.

    As one big boss explained to me: when we buy an antivirus, a monitoring system and so on, we put it on the balance sheet, it's our asset. But spending on training is a write-off into liabilities; nobody likes that and nobody ever will.

    Technical threats

    Let us briefly point out their wide assortment, from the voice recorder or camera in a smartphone to professional equipment.

    Therefore, if you want to protect yourself, if not from everyone then from the majority, it is easier to rent an office in a basement without windows in an industrial zone, with the communication line tightly encrypted. And also hang it with jammers for both cellular communications and sound. And in general, clear the room of any sources of radio emission.

    At the entrance, seat a KGB or FSB colonel, give him a rusty nail, and oblige everyone to hand in smartphones and laptops at the door. And if you need a smartphone for work, the nail goes through the lens.

    Computers are regularly taken for examination. Use only marginal or very outdated software. The list is updated centrally. Access rights cut to a minimum.

    Do not forget to maintain an autonomous water supply and sewage system, as well as a boiler house.

    A somewhat strange picture emerges, doesn't it? Either Arzamas-16, or something else. And it is to such places that all particularly important developments should be transferred.



    And here's the shovel!

    Of course, in such a long sheet we were only able to list some threats, consider typical mistakes, and even outline some steps to improve the situation. However, as it turns out, the decisions are different each time and for each threat, localized in time and space. The need for some external super-solution is not visible.

    I probably missed something important in a hurry, so I ask you to correct and suggest; I will be grateful for any constructive criticism.

    UPD (bypasser): In general, the statement of the problem in the form “Russian information security” looks somehow strange. For carving up budgets it is ideal, but in practice it is grotesque.

    Information security should belong to individual enterprises and/or specialists. There it is easier to identify possible threats and rational responses.

    By the way, “do nothing” is in some cases a completely rational way of responding, for example to threats with an extremely low probability of occurrence or with low financial losses. Like in a shop: from a certain point on, pilferers cause less damage than what we start spending on “security”.
