Provincial information security - stagnation or development?
Good day to all. Today we would like to discuss information security in the regions, and talk about the eighth annual Forum “Actual Issues of Information Security” held on June 19-20, which we traditionally hold since 2009 on the basis of the Administration of the Primorsky Territory in Vladivostok.
I knowingly told that there would be discussion of the pressing issues of information security, a dry press release does not want to publish the event on the Habré, and to whom he still needed can be read here . You can also download presentations of speakers there, among which were representatives of regulators, as well as vendors and integrators.
Under the cut a lot of photos, whining and a ray of optimism.
Performance of regulators
One of the first speakers was the representative of the Federal Security Service of Russia in the Primorsky Territory. The topic is the requirements of the Federal Security Service of Russia for the use of cryptographic information protection facilities (hereinafter - CIPF).
On the whole, there were no new revolutionary changes in this speech compared to previous years. We were reminded that the treatment of cryptographic information protection is regulated by PKZ-2005 , 152 by the order of the FAPSI and the 378th order of the FSB .
We were also reminded that:
- CIPF must be certified;
- the class of the cryptographic information protection tool should neutralize the established threats (more about the selection of the cryptographic information protection class can be found here );
- CIPF must be acquired from licensees of the FSB of Russia;
- Distribution tools, forms and rules of use should be available at the place of operation of the CIPF;
- CIPFs should be accounted for in accordance with the account numbers assigned by the FSB of Russia;
- cryptographic information protection users should be trained in the rules for working with notes in the cryptographic information security user logbook;
- storage of cryptographic information protection and documentation should be organized with the exception of the possibility of unauthorized access;
The most entertaining, perhaps, was the slide with the statistics of checks.
An increase in the identification of violations in 2018 compared with previous periods is attributed by the FSB representative to a more thorough approach of inspectors.
I personally expected some information about the replacement of FAPSI-152, which is rumored, but I did not wait.
FSTEC of Russia
Alexey Alexandrovich Baranov, representative of the Office of the FSTEC of Russia for the Far Eastern Federal District, spoke about the changes made to the regulatory legal acts issued in the field of protection of critical information infrastructure objects (hereinafter - KII).
Everyone who follows the topic of KII knows that recently there has been an active change in the legislation in this area - both Decree of the Government of the Russian Federation No. 127 and orders of the FSTEC. I will not retell the report. In the presentation, everything is quite clear and understandable.
It was indicated here that the primary task of the KII subjects is to submit information to the FSTEC before September 1, 2019. At the same time, it was announced that many KII subjects who have already sent such information do not do so in an approved form with excessive or insufficient information.
Also, a representative of the Central Administration of the FSTEC of Russia, Anatoly Vasilyevich, spoke. He spoke about the problem of a shortage of qualified personnel in information security.
I think many will be interested in a slide with statistics on the number of information security specialists in various industries. It is clear that this is all taken from the data that organizations submit to the FSTEC; accordingly, there are no commercial organizations that do not intersect with the FSTEC in any way, but are still curious.
Ok, this number - 22 thousand people, in general, a lot. And what about quality? And with quality, everything is rather sad. No comment here, just watch the slide.
At the same time, in terms of the number of IS specialists, a large number of vacancies are not closed in each industry; about 2-3 thousand specialists are lacking.
Here, as a leader and employer of personnel in the field of information security, I also wanted to add a little about the quality of the current education in this field. Recently, I had a questionnaire on the table about the quality of education of IBshnikov, I had to put low marks and that's why.
First a story from my life. When I entered the university in 2000, I really wanted to enroll in a new and promising at that time specialty "Information Security", but did not get the points and went to study in physics. The security guards were our parallel group, and 3 of the five years we went with them to almost the same lectures. That is, the security people most of the time studied physics and mathematics with us.
From conversations with current graduates, I realized that since then, not much has changed. Now we have a lot of young talented guys and girls in our team. But the fact that they basically cope well with the tasks set is not the merit of the universities, but their own (the ability to quickly understand new material and learn).
As a result, graduates of the "Information Security" direction know physics, mathematics (including cryptography), they know information technology as a whole, and are trained to varying degrees in programming.
And here is what they do not know and do not know how:
- Do not know the current legislation on information protection;
- they don’t know how to write documents on information security; they don’t know what documents are needed at all;
- they don’t know how to build an information security system in a more or less large enterprise;
- They don’t know the means of information protection (that is foreign, that domestic), respectively, do not know how to work with them, configure them, etc.
- they don’t know the tools for the pentest (even a commonplace vulnerability scanner), they don’t know how to use them;
- Do not know how to read and interpret reports on vulnerabilities found, do not know what to do with the data received;
- and much more.
This is my personal experience in the city of Vladivostok. Maybe somewhere the situation is much better. But we have university graduates in the specialty "Information Security", unfortunately, right after receiving the coveted diploma, they can not perform the tasks of either "paper" or practical information security. This is sad.
But to not be completely sad, keep a photo of our team of professionals! =)
So, in fact, the integrator acted only one - that is us. The first speaker was our CEO, Statsenko Pavel Sergeevich.
The report was devoted to centralized monitoring of information security events. It was said that ensuring information security is an ongoing process and tracking suspicious events in the system is an integral part of it.
Unfortunately, we often come across, especially in government agencies, the approach “received a certificate of conformity and forgot about information security for 5 years”. The problem here is that certification of an information system for safety requirements is a process of confirming compliance of this system with one or another requirement. The certificate of conformity itself does not provide security and does not give any guarantees (especially if, after receiving the certificate, remove all protective equipment, yeah).
Our monitoring center is still quite young and small, especially in comparison with the giants of this direction, but according to our data the numbers are quite telling.
In general, monitoring information security events is important and not very expensive.
I made a speech.
I decided to raise topics that are often talked about, but which are still ignored by many. These are mainly problems in the head.
The first thing they remembered was Eternal Blue. What for? He recently turned 2 years old. And because, according to our statistics, on the objects on which we work there are still a huge number of nodes exposed to this vulnerability. Already, it would seem - such a rare case, they even trumped vulnerability on federal channels. Probably everyone ran, updated. No matter how, reality is much sadder. And we are talking about a vulnerability 2 years ago. What's next? Will new vulnerabilities be eliminated for years too?
He also touched on the problem of neglect of "paper" security. Everything seems to be clear here, I won’t tell you more concisely than Mr. Fry.
He casually mentioned one more problem that got a big deal - blaming IS issues on IT specialists. It remains only to convey to the leaders of organizations that IS is a separate wide area of knowledge and in general IT + IS in one person is also a conflict of interest. After all, IT needs everything to work quickly and reliably, and IB solutions in any case eat up a certain amount of system resources.
I remembered publications on Habré about fraud with electronic signatures. What for? And here it is easy to draw an analogy of certification centers with certification centers. The problem is the same - the client wants faster and without red tape, some licensees go about the customer, as a result of “certification on the photograph” and other amenities. But we will talk about poor-quality services of FSTEC licensees.
The next problem is the problem of poor-quality development of components of information systems. The problem is especially relevant for the public sector. And partly because of the public procurement system. Here the state agency announces a tender for the development of a portal. The winner is the one who offered a lower price. Where the price is lower, there is worse quality (usually). The terms of reference for the competition, as a rule, are not prescribed in too much detail, so you will not ask later on from negligent performers. As a result, we get childhood diseases: XSS, SQLi, default passwords and other "joys".
And the last thing - what was enough time for the performance is the problem of certified cloud data centers. For the reminder of this pressing issue, thanks to the author of this post.. The problem is relatively new and serious. It is connected with the fact that it’s sometimes difficult to find out what and how the provider is actually certified, and even if everything is fine there, then usually there are no mechanisms to make sure that your virtual server really runs on a certified cluster.
At the same time, I by no means urge not to look towards certified cloud data centers in general. But pay attention to the provider’s reaction to requests to show a certificate and, possibly, the site itself is needed. It is also necessary to specify the responsibility of such a provider in cloud service agreements.
Since our event is free for visitors, as a result, there were many vendors at it. To the credit of the latter, it is worth saying that there was not so much direct advertising in their speeches. Almost every speaker from the vendors tried to tell the audience something interesting and useful, although they also mentioned their products.
I think it’s not worth retelling their speeches in detail, who wants to get acquainted - you can download the presentations from the link at the beginning of the article.
In addition to presentations, demonstration stands were presented in the lobby of the Administration of Primorsky Krai. Live showed the work of vulnerability scanners, SIEM systems, IDS / IPS solutions.
The second day of the forum was held in a different place and in a different format. Place - Pushkin Theater. The format is round tables.
At the entrance, visitors were met by a medieval security guard.
Demonstration stands were also located in the lobby.
The format of the round tables is interesting in that it is a format for lively discussion. For example, the head of our monitoring center, Alexei Isikhara, chided the vendors by saying that they do not update signatures for their IDS / IPS solutions too quickly. To which he received the answer: "We will try!".
When discussing the topic "Certification of objects of informatization", a discussion ensued on the topic of low-quality services provided by licensees of the FSTEC of Russia. One of the forum visitors told his story. Their tender for the provision of services for the design of an information security system was won by one of the licensees, who did not even want to come to the facility for work. After this licensee was nevertheless forced to carry out work directly at the facility, the result was poor.
The uniqueness of this situation is that in this case the customer of the services revealed their poor quality before signing the certificate of completion. Unfortunately, much more often problems are identified after the contract is closed. Here I cannot but say again about the importance of raising employee awareness in the field of information security. Even if all information security is supposed to be done by third-party organizations, there must be someone who can assess the quality of the work performed.
A representative of the FSTEC of Russia was also present in the hall and answered the question about the regulator’s impact on such unscrupulous licensees. Alexey Baranov said that such violations should be suppressed as part of the FSTEC of Russia monitoring licensed activities. In case of violations by the regulator or upon receipt of complaints against the licensee, an order will be issued to eliminate the violations. In the event of repeated violations or complaints, the licensee may be revoked.
I promised a ray of optimism in this article. And here he is.
We have been holding the forum since 2009. And although from year to year we mainly discuss IS problems and their possible solutions, there are positive dynamics. And it consists in the fact that today we are already discussing completely different problems of a completely different level. And the problems themselves will always be. It is unlikely that an information security event will ever be held, where speakers will tell that over the past year no new vulnerabilities have been identified, no one has been hacked and no personal data has been leaked.
As for the level of problems, then see for yourself.
In 2009, we talked about the fact that in the organization at least someone needs to be assigned responsibility for ensuring information security. In 2019, we are already talking about how many full-fledged security guards we lack in organizations.
In 2009, we talked about the need to introduce at least some means of information protection and protect personal data. In 2019, we talk about the need to collect logs from these remedies, build correlations and track information security events.
In 2009, we bring information about which information systems should be certified. In 2019, information security does not end with the issuance of a certificate of conformity.
Therefore, despite all my pessimism and the indicated problems, something is slowly but surely changing. The main thing is to have someone push this locomotive called "IB".
Our forum has just ended, and we are already thinking about how to make our next event better.
Write down what your positive or negative impressions of information security events were. What events are held in your region? Which format is best for you? What topics do you consider too hackneyed, and which are deprived of attention?
Photographer: Elena Berezova