Information security program today
For starters, a very simple model. There are three conceptual threats to the security of any given data: violations of its integrity, availability and confidentiality.
When the hacker Vasya finds a letter from your mistress in the garbage bin, that is a breach of confidentiality; when Bill the hamster chews through the cable of the server holding the repository, that is a breach of availability; and when the administrator Pupkin restores a backup in the wrong direction, that is a breach of integrity.
Moreover, these three examples correspond to three different causes: the hacker Vasya deliberately went after your garbage; Bill the hamster stands for equipment failure; and the administrator Pupkin is simply a clinical case of carelessness. Over the past year only 37% of data incidents were the result of planned attacks, 29% were caused by system failures, and the remaining roughly 34% were down to the human factor, that is, staff negligence.
So when someone says "information security", there is no need to picture a lone hero fending off hordes of hackers.
Technique and technology
The first level of security is closing the elementary gaps. For example, you prohibit the use of flash drives and floppy disks, configure data access policies for different employees, and so on. You organize backups, keep spare hardware, are able to bring services up at another site, and protect the main communication channels. You explain to users why they should not stick notes with passwords on the wall in front of the computer. I think the general idea is clear.
Then you go deeper: into disaster recovery, to protect data from failures and fools; into psychology, to protect against social engineering; and into software and hardware information protection. The last is the most interesting.
The next level is closing the weak points in your software. Vulnerabilities found in operating systems and applications are, as a rule, published, so both attackers and security people know about them. Therefore you need to check your systems periodically for their presence.
Now let's look at cases of authorized copying (the designer Lena decided to burn the client presentation to a disc) and unauthorized copying (the accountant Zina tried to take the accounting database home). At the hardware level we control user access to specific ports, disallow certain media, and define policies for what may and may not be copied.
There are dedicated solutions that detect information leaking through various channels and prevent it. For example, when you try to e-mail your friends the sales history, an alert may be raised for the security officer, and the message will not leave until he approves it. By analyzing network traffic, you can spot critical company data on the wire and likewise stop it from leaving the office.
As you know, employees are getting ever more inventive in circumventing restrictions. Accordingly, we need a system that processes and correlates security events from the various protection systems. The second component is a vigilant guard who studies the results of its work, or, instead of a human, a system that automatically retunes the protective mechanisms based on the incidents identified.
Since it is nearly impossible to process such data by hand, semi-intelligent systems that analyze security events are used. If a protection tool detects a leak, or something that looks like one, it generates the corresponding event and passes it to the central management system. These events are then consolidated in one place, the monitoring system, and processed there in light of other events and rules. The outcome is a decision: either this really is a leak, or it is an isolated event that, by itself, means nothing.
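To make the correlation step concrete, here is an added example (not code from the original post or from any product it mentions) of the kind of rule a monitoring system applies: a DLP match on its own is only "suspicious", but the same user showing a second exfiltration channel (a removable-media mount, a copy, or outbound mail) within a few minutes is escalated to "leak". The event lines, user names, field names and the five-minute window are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events in a made-up 'timestamp source key=value ...' format,
# as a DLP agent, a mail gateway and a USB monitor might hand them to a central
# monitoring system. Not output of any real product.
SAMPLE_EVENTS = [
    "2013-07-01T09:01:10 dlp  user=zina  action=match file=accounting.db",
    "2013-07-01T09:02:40 usb  user=zina  action=mount device=removable",
    "2013-07-01T09:03:05 dlp  user=zina  action=copy  file=accounting.db",
    "2013-07-01T10:15:00 dlp  user=lena  action=match file=client_deck.pptx",
    "2013-07-01T11:20:30 mail user=petya action=send  rcpt=external size=5",
    "2013-07-01T11:21:00 dlp  user=petya action=match file=sales_history.xlsx",
]


@dataclass
class Event:
    ts: datetime
    source: str
    user: str
    fields: dict


def parse_event(line: str) -> Event:
    """Parse one constructed event line into an Event."""
    ts, source, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    return Event(datetime.fromisoformat(ts), source, fields.pop("user"), fields)


def is_exfil_channel(e: Event) -> bool:
    """Events that, next to a DLP match, corroborate that data actually left."""
    return (
        (e.source == "usb" and e.fields.get("action") == "mount")
        or (e.source == "dlp" and e.fields.get("action") == "copy")
        or (e.source == "mail" and e.fields.get("rcpt") == "external")
    )


def correlate(lines, window=timedelta(minutes=5)):
    """Group events per user and decide per user.

    Returns {user: verdict} where verdict is
      'leak'       - a DLP match corroborated by an exfiltration-channel event
                     from the same user within `window`;
      'suspicious' - a DLP match with nothing corroborating it.
    Users with no DLP match produce no verdict at all.
    """
    per_user = defaultdict(list)
    for e in map(parse_event, lines):
        per_user[e.user].append(e)

    verdicts = {}
    for user, events in per_user.items():
        hits = [e for e in events if e.source == "dlp" and e.fields.get("action") == "match"]
        if not hits:
            continue
        verdict = "suspicious"
        for hit in hits:
            for other in events:
                if other is not hit and abs(other.ts - hit.ts) <= window and is_exfil_channel(other):
                    verdict = "leak"
        verdicts[user] = verdict
    return verdicts


if __name__ == "__main__":
    for user, verdict in sorted(correlate(SAMPLE_EVENTS).items()):
        print(f"{user:6} -> {verdict}")
```

Running it gives Zina and Petya a "leak" verdict (DLP match plus a USB mount, respectively outbound mail, within the window) while Lena's lone match stays "suspicious"; the window and the set of corroborating channels are the knobs a real deployment would tune.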
The data starts to be worth something
Then, instead of the careless insider, a hacker appears on the scene. Fortunately, he starts with an entry barrier: he has to get into the controlled zone. He may pose as a janitor, a support engineer or a guest, recruit a member of staff, and so on, bringing all his social-engineering skills to bear. He may use technical means to get in, for example by listening in on your radio traffic. He can passively gather data by sifting through your garbage. And finally, the most common kind of attack today: he can work out your users' habits and plant malicious code somewhere on the "big Internet" where those users go. As a rule, hacking a third-party server is easier than hacking yours, and from there your users will drag the malware into the corporate environment. The most relevant attack model today is one where custom software is prepared for a specific company. For example, it may be a network worm that sharply expands its functionality only once it realizes it is in the right place. Most striking of all, such attacks by definition cannot be detected by a well-known template, because they are made individually for you.
To confront an attacker you need a database of non-standard situations, each corresponding to a particular threat, much as an antivirus has known signatures and heuristics. In this direction the world is moving toward systems that detect abnormal conditions: when something strange starts to happen, the system should show it to people who can figure it out.
It works like this: in its initial phase the system analyzes what happens inside the monitored system and how. A profile of normal behavior is built, and deviations from that profile are then recorded. Depending on how large the deviation is, measured against certain criteria, it concludes that something is wrong.
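The profile-then-deviation idea above, as an added example that is not from the original post or from any product it describes. The "learning phase" is a per-user baseline of files opened per working day; the deviation criterion is a z-score against that baseline, with a floor on the standard deviation so a perfectly regular user does not produce a division by zero, and an actor with no profile at all is surfaced rather than silently ignored. All counts and user names are constructed.

```python
import statistics
from typing import Dict, List, Optional, Tuple

# Constructed learning-period data: files opened per working day by each user
# over ten profiling days. Not measurements from any real system.
BASELINE_DAYS: Dict[str, List[int]] = {
    "zina": [40, 42, 38, 45, 41, 39, 44, 40, 43, 42],
    "lena": [15, 18, 12, 16, 14, 17, 15, 13, 16, 15],
    "admin": [200, 210, 190, 205, 195, 200, 198, 202, 207, 193],
}

# Constructed observations from the detection phase.
TODAY = {"zina": 41, "lena": 160, "admin": 230}

MIN_STDEV = 1.0  # floor: a perfectly regular profile must not divide by zero


def build_profile(history: Dict[str, List[int]]) -> Dict[str, Tuple[float, float]]:
    """Profile of normal behaviour: (mean, stdev) per user from >= 2 samples."""
    profile = {}
    for user, samples in history.items():
        mean = statistics.fmean(samples)
        stdev = max(statistics.stdev(samples), MIN_STDEV)
        profile[user] = (mean, stdev)
    return profile


def score(profile: Dict[str, Tuple[float, float]],
          observations: Dict[str, int],
          threshold: float = 3.0) -> Dict[str, Tuple[Optional[float], bool]]:
    """Return {user: (z_score, flagged)}.

    flagged is True when |z| exceeds `threshold`, or when the user has no
    profile at all (an unseen actor is itself an anomaly worth a look).
    """
    results = {}
    for user, value in observations.items():
        if user not in profile:
            results[user] = (None, True)
            continue
        mean, stdev = profile[user]
        z = (value - mean) / stdev
        results[user] = (round(z, 2), abs(z) > threshold)
    return results


if __name__ == "__main__":
    for user, (z, flagged) in score(build_profile(BASELINE_DAYS), TODAY).items():
        print(f"{user:6} z={z!s:>7}  {'ANOMALY' if flagged else 'normal'}")
```

With the constructed data, Zina's 41 files is well within her profile, Lena's 160 is tens of standard deviations out, and the admin's 230 is a more modest but still flagged excursion; the threshold is exactly the "certain criteria" the text leaves to the product, and raising it trades missed deviations for fewer false alarms.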
The problem is that such systems have existed for a long time but, as a rule, remain an obscure, shamanistic business for the average customer.
Now back to other types of threats
In terms of availability, the main vector today is the "banal" DDoS. Since anyone with the money and nerve to rent a botnet can mount such an attack, the likelihood that you will be taken down grows with the seriousness of the business. How to protect against them you can read in the many topics on the subject here. In short, you need dedicated tools that cut off the junk traffic and keep responding quickly to real users, plus the ability to widen your channels when needed, since with enough power anything can be flooded.
In terms of integrity, it is important to monitor critical changes in the system so as not to miss a backdoor being planted or an unauthorized change to security settings. If, for example, you develop an OS, the main effort will go into monitoring everything that happens to the source code.
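One simple form of the integrity monitoring described above is a hash baseline of a source tree, compared later to catch files that were added, removed or altered. The example below is added here and is not code from the original post; it builds a constructed miniature "OS source tree" in a temporary directory (file names and contents are invented for the demo), snapshots it, applies three constructed changes and reports the difference.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root) -> Dict[str, str]:
    """Baseline: relative path (with '/' separators) -> SHA-256 of every file."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify changes between two snapshots as added / removed / modified."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(k for k in old & new if baseline[k] != current[k]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed tree: take a baseline, make three changes, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp)
        (src / "kernel").mkdir()
        (src / "kernel" / "sched.c").write_text("int schedule(void) { return 0; }\n")
        (src / "config.h").write_text("#define SECURE_BOOT 1\n")
        (src / "README").write_text("constructed sample tree\n")
        baseline = snapshot(src)

        # Constructed changes: a security setting flipped, an unexpected file
        # appearing, and a file disappearing.
        (src / "config.h").write_text("#define SECURE_BOOT 0\n")
        (src / "kernel" / "hidden.c").write_text("/* constructed unexpected file */\n")
        (src / "README").unlink()
        return diff_snapshots(baseline, snapshot(src))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9} {paths}")
```

In practice the baseline would be stored somewhere the monitored system cannot rewrite it, and the comparison would run on a schedule or on commit; the point of the demo is that the flipped `SECURE_BOOT` setting shows up as `modified` and the new file as `added`, which is exactly the "unauthorized change to security settings" and "backdoor" the text warns about.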
What minimizes damage?
Here are some simple things that work universally:
- An action plan for emergencies. For example, knowing what to do if your site is taken down by DDoS right now, or what happens if the admin accidentally brings down the production servers. With a clearly rehearsed plan you can recover in an hour rather than a day.
- Distribution of responsibility among company employees. It should not be the case that a single system administrator is responsible for accounting; rather, every accountant should clearly know that he has a part in ensuring security.
- Outsourcers must be disciplined to report problems promptly. There are cases where a contractor corrupts the data and is then afraid to say so for two weeks. It sounds funny, but a lot of data corruption is caused by third parties.
- Check critical data from time to time. It happens that a large body of information needed only once a year gets damaged and nobody notices until the next cycle, that is, the integrity violation is detected six months after the event itself.
- Keep an eye on the company's and employees' hardware. The BYOD vector is actively discussed and has not yet become a real threat, but there have been examples. In Russia we have one software giant whose laptops were actively hunted at conferences; encrypting those machines' disks later partially solved the problem.
What is the average cost of lost data as a percentage of the company's value?
Generally, dramatic. The world average is about a third of the company's value, and in countries with strong industrial espionage, like the United States, up to half. The dependence between a region's level of IT development and the cost of data loss is very clearly visible: one lost record in the United States means about $277 in losses, in Germany $214, and in India, for example, only $46. By the way, most hackers are in Germany, the USA and France, while the most error-prone people live in Brazil.
This is according to the May 2013 report Cost of Data Breach Study: Global Analysis (a study sponsored by Symantec and conducted by the Ponemon Institute).
What has changed over 15 years in information security?
Where "white hats" used to be heroes ready to defend the company with their own hands, the balance has now shifted toward a contest between the software in use. Much depends on decisions prepared in advance for an attack or failure rather than on improvisation on the spot. The complexity and variety of threats is growing, so smart software is needed to focus attention on strange events. More and more companies store data with outsourcers, so there is a growing need to be sure not only of your own protection but also of the protection and accountability of your counterparties.
Information security technologies develop in parallel with IT, but unfortunately with a slight lag. At the moment, for example, security tools are actively trying to catch up with virtualization and mobile technologies. There is no doubt that this state of affairs will continue.
Today the portraits of both the security specialist and the hacker are changing; both are increasingly professionals. If 10 years ago the typical hacker was an enthusiastic young man interested in all kinds of technology, today they are often experienced professionals with a commercial interest.
The situation is similar with security specialists. Universities began training the first professional information security specialists about 15 years ago; at that time there were few such people outside the walls of the special services. Today there is already a noticeable number of such specialists in the IT market, although the shortage is still felt.
How to study?
Good security specialists learn from practice (hardly anything can replace experience) and from non-standard tasks. One interesting way to learn is to take part in tournaments. That is why Symantec Corp. together with CROC are organizing C^2: Cyber Challenge: an online game, an offline tournament and a security conference.
During the online and offline games, participants take the role of cybercriminals. The competition is held in the "capture the flag" format and lets you test your abilities in a unique simulation of a real environment.
The online game, by the way, takes place soon, on July 15-19. There are still places; you can register here. Then in September there will be an offline championship, where the tournament is held in real time, along with a big security conference.