About Threat Modeling



    The task of ensuring the information security of State Information Systems is not losing its relevance; on the contrary, as the concept of electronic government develops and the number of electronic services grows, it becomes more significant. About a month ago, the article “And so it goes ... or how the data of 14 million Russians ended up in my hands” caused a considerable stir on Habrahabr.

    Using the terminology of the draft document “Methodology for identifying threats to information security in information systems”, this situation could be described as follows:

    • State authority, local government body or organization which, in accordance with the legislation of the Russian Federation, is the information owner, customer and (or) operator of the information system: the Federal Service for Supervision of Education and Science.
    • Source of unauthorized-access threats in the personal data information system (ISPDn): external entities (individuals).
    • Possible goals (motivation) of violators for implementing threats to information security in the information system: curiosity or a desire for self-realization; identification of vulnerabilities for the purpose of their subsequent sale and financial gain.
    • To achieve the goal, the violator picks the weakest link in the information system: “To obtain information about an education document, simply fill out the form, move the slider and click the button.”
    • An analysis of access rights is carried out, at a minimum, for the following components of the information system: software, hardware and software, and information processing tools; communication channels that go beyond the controlled zone. In this case, an SQL injection was identified.
    • The consequences of implementing the threat, including economic, social, political and other consequences, are also subject to assessment. As an example, here is what counts as social consequences: the appearance of negative publications in publicly available sources; the impossibility (interruption) of providing social services; other consequences leading to an increase in social tension in society.
    • Revision (reassessment) of information security threats is carried out at least in the following cases: identification of vulnerabilities that lead to new information security threats or increase the feasibility of existing ones; the appearance of information and facts about new capabilities of violators. Here, the vulnerability was closed and the service was temporarily out of operation.

    As you know, requirements for the protection of State Information Systems (GIS) are regulated by FSTEC Order No. 17 of February 11, 2013, “On approval of requirements for the protection of information not constituting a state secret contained in state information systems”.

    This order sets out requirements for information protection and defines the stages of work for building an information security system. A brief summary of these stages follows.
    In order to protect the information contained in an information system, the following activities are carried out:

    • formation of requirements for the protection of information contained in the information system;
    • development of the information security system of the information system;
    • implementation of the information security system of the information system;
    • certification of the information system against information security requirements (hereinafter, certification of the information system) and putting it into operation;
    • ensuring the protection of information during operation of the certified information system;
    • ensuring the protection of information during decommissioning of the certified information system or after a decision is made to end information processing.
    In the context of this article, we are primarily interested in the stage of forming protection requirements.

    The formation of requirements for the protection of information contained in the information system is carried out taking into account GOST R 51583 “Information protection. Procedure for creating automated systems in a secure design. General provisions” and GOST R 51624 “Information protection. Automated systems in a secure design. General requirements”, and includes:

    • making decisions on the need to protect information contained in the information system;
    • classification of the information system according to information protection requirements (hereinafter - the classification of the information system);
    • identification of information security threats, the implementation of which may lead to a violation of information security in the information system, and the development on their basis of a model of information security threats;
    • definition of requirements for the information security system of the information system.

    As we can see, Order No. 17 singles out the identification of security threats as a separate step, and the inspecting authorities request a document called the “Threat Model” during inspections.

    So let's try to get to grips with this document.

    The development of a threat model should be based directly on the following FSTEC documents:


    The “Basic Model” contains a systematized list of threats to the security of personal data when they are processed in personal data information systems. Many information security experts are quite skeptical of this document: the threats presented in the Basic Model are outdated and far from comprehensive. However, for lack of a better one, we have to be content with the current edition of the document. I want to note right away that FSTEC also has a newer version of the document, which was used at the beginning of this article to partly describe the case, but the new version has been in draft for quite some time and has not been approved. Therefore, certification authorities require a threat model based on the documents listed above.

    More about the draft document “Methodology for identifying threats to information security in information systems” can be read on Habr in the article “The document they were waiting for”.

    However, returning to Order No. 17, we read the following.
    Information security threats are determined by assessing the capabilities (potential) of external and internal violators, analyzing possible vulnerabilities of the information system, possible ways of implementing information security threats, and the consequences of violating the information security properties (confidentiality, integrity, availability).
    The information security threats data bank (bdu.fstec.ru) is used as a source of data for determining information security threats, along with other sources containing information about vulnerabilities and information security threats.
    And here there is a hitch: the data bank has been created, and there are software products that automate security analysis against this bank, but there is no mention of this bank in the current editions of the “Basic Model” and the “Methods for Determining Current Threats”.

    In general, the situation is quite typical for our legislators, and such gaps are usually corrected over time, but exactly when is unclear. Therefore, we approach modeling creatively by combining both approaches; this is not forbidden and yields information more relevant to real security.

    What needs to be determined and taken into account according to the order:

    • structural and functional characteristics of our system;
    • physical, logical, functional and technological relationships between segments of the information system, with other information systems and information and telecommunication networks;
    • information processing modes in the information system and in its individual segments;
    • other characteristics of the information system, applied information technologies and features of its functioning.

    Another important point: as a result of modeling, recommendations can be issued, if necessary, for adjusting the system, i.e. its structure and/or characteristics.

    As for the contents of the “Security threat model” document, I will quote Order No. 17, which requires the following from us:
    “The model of information security threats should contain a description of the information system and its structural and functional characteristics, as well as a description of information security threats, including a description of the capabilities of violators (violator model), possible vulnerabilities of the information system, ways of implementing information security threats, and the consequences of violating information security properties.”
    As a whole, I will give an example of a list of sections covering these requirements (under the spoiler):
    Abbreviations Used
    Terms and Definitions
    1 General
    2 Description of the information system and its functioning
    3 Formation of a model of violators
    3.1 Types and kinds of violators
    3.2 A set of assumptions about the possibilities that can be used to create methods, prepare and conduct attacks
    3.3 Identify the type of violators
    4 Description of information security threats
    4.1 Description of information system vulnerabilities used in implementing unauthorized access threats
    4.2 Description of objects affected by unauthorized access threats
    4.3 Description of the consequences of violation of information security properties
    4.4 Description of personal data carriers that are an element of a technical information leakage channel
    4.5 Description of technical leakage channels
    4.6 List of information security threats
    5 Determination of the relevance of information security threats
    5.1 Determination of the initial security level of the information system
    5.2 Determination of the relevance of threats
    6 Conclusion

    This list of sections does not claim to be the ultimate truth, but, as verification has shown, its completeness is sufficient, depending of course on the content of the sections. To fill in these sections correctly, a security specialist needs to dive deep enough into the information about the system and understand which applications are used, for what purposes and for what.
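    Outline items 5.1 and 5.2 are where the numbers live. As an added example that is not from the article, the following Python implements the relevance calculation of the FSTEC 2008 “Methods for Determining Current Threats” named above: the initial security level Y1, the threat probability Y2, the realizability coefficient Y = (Y1 + Y2)/20, and the realizability/danger table that decides whether a threat is relevant. The scale values and thresholds are those of that methodology (not reproduced on this page); the characteristic ratings and threat names are constructed.

```python
# Added example (not from the article): threat-relevance calculation of the
# FSTEC 2008 "Methods for determining current threats" (outline items 5.1, 5.2).
# Scale values and thresholds follow that methodology; inputs below are constructed.

# Y1: initial security level of the system (5.1); Y2: probability of the threat.
Y1 = {"high": 0, "medium": 5, "low": 10}
Y2 = {"unlikely": 0, "low": 2, "medium": 5, "high": 10}


def initial_security_level(ratings):
    """Roll up per-characteristic ratings ('high'/'medium'/'low') into Y1 (5.1):
    >=70% 'high' and the rest 'medium' gives 'high';
    >=70% not lower than 'medium' gives 'medium'; otherwise 'low'."""
    n = len(ratings)
    if sum(r == "high" for r in ratings) / n >= 0.7 and "low" not in ratings:
        return "high"
    if sum(r != "low" for r in ratings) / n >= 0.7:
        return "medium"
    return "low"


def realizability(y1_level, y2_level):
    """Y = (Y1 + Y2) / 20, mapped onto the methodology's four bands."""
    y = (Y1[y1_level] + Y2[y2_level]) / 20
    if y <= 0.3:
        return y, "low"
    if y <= 0.6:
        return y, "medium"
    if y <= 0.8:
        return y, "high"
    return y, "very high"


# Relevance table: only these (realizability band, danger) pairs are NOT relevant.
NOT_RELEVANT = {("low", "low"), ("low", "medium"), ("medium", "low")}


def is_relevant(y1_level, y2_level, danger):
    """Decide relevance (5.2) from the realizability band and the danger level."""
    _, band = realizability(y1_level, y2_level)
    return (band, danger) not in NOT_RELEVANT


if __name__ == "__main__":
    # Constructed ratings for the seven characteristics of the 2008 table.
    y1 = initial_security_level(["medium"] * 5 + ["low"] * 2)  # -> "medium"
    threats = [("SQL injection via public web form", "high", "high"),
               ("leak via technical (acoustic) channel", "unlikely", "low")]
    for name, prob, danger in threats:
        y, band = realizability(y1, prob)
        print(f"{name}: Y={y} ({band}), relevant={is_relevant(y1, prob, danger)}")
```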

    Naturally, if security functions are not assigned to the system administrator, such a specialist will in most cases need help from people who know the system. But our realities show that in most cases it is system administrators who have to deal with all stages of bringing information systems into compliance with the legislation. Of course, large organizations for the most part have corresponding staff positions responsible for security. And if the budget allows, specialized organizations holding licenses for the corresponding type of activity are hired.
