Information Security Fundamentals: The Price of Error
While the material for the next parts is being prepared and we wait for your suggestions for the topic of the third part of “Information Security Fundamentals”, left in the comments to the second part, “Information Security Fundamentals. Part 2: Information and Means of Protection”, we decided to make a small but no less important digression and look, through examples, at the price of errors in the design and operation of an information security system.
Quite a lot of people are well aware that any miscalculation or error entails consequences that can turn out to be more than deplorable. Moreover, as was rightly noted in a comment on the first article, “Information Security Fundamentals. Part 1: Types of Threats”, the concept of information security is much broader than the IT industry, and miscalculations and errors in providing it can affect everyone, regardless of their field of activity.
Let's start with the most ordinary but no less painful cases and move on to the more interesting ones.
“Why me” or “Why?”
As often happens, the owner of a small company, even one located in a not particularly large Russian city, thinks that nobody needs him and that no one would waste their energy on him when there are plenty of monster corporations around with something worth taking. On that basis, the owner spends neither time nor money on information security. The most he does is install an antivirus and hope: "Maybe it will blow over."
However, small and medium-sized businesses suffer from information theft more often than large corporations. Even statistics struggle to count the victims in this segment, since many owners are not even aware that a leak occurred: they have no monitoring and analysis tools at all.
In the 21st century, the problem of data leakage unfortunately concerns absolutely everyone. There are thousands of reasons for this: a malicious insider, or an employee who does not know the basic safety rules for working on the Internet. Or, for example, competitors gain access to the company's latest developments, which has very serious consequences, since as a result of such a leak all the funds spent on research and development are in effect donated to competitors. Leaks of financial documentation, especially at moments when the company is, let's say, not in the best shape, can also quite predictably have very serious consequences, up to and including bankruptcy. Or, say, hackers exploit various vulnerabilities, and so on. If you do not want such an incident to put an end to the company's activities, it is worth at least making backup copies of the information. These will at least make it possible to restore operations if, say, the database or the whole system is encrypted.
The most striking example is the WannaCry virus. As it spread around the world, it managed to leave quite a trail. In Russia, the computer systems of the Ministry of the Interior, Russian Railways, banks, and the mobile operator Megafon were attacked.
The Bank of Russia's Center for Monitoring and Response to Computer Attacks in the Credit and Financial Sphere (FinCERT) reported that the WannaCry virus had affected the resources of several Russian banks.
“According to the results of the WannaCry malware distribution, facts of compromising the resources of credit organizations were recorded. The consequences of these incidents were eliminated as soon as possible.”
The Central Bank published a message about this on May 19.
Among those most seriously affected by the virus was the UK's National Health Service (NHS). Many of its hospitals and clinics were forced to send patients home because staff could not access information held on computers. The systems of Deutsche Bahn, Germany's main railway operator, also suffered.
Since the large players in the market understand the consequences of possible threats to information security and spend sufficient funds on protection, medium-sized and small businesses are the most vulnerable, and the consequences for business owners can be more than dire, or even terrifying, as in the following example.
In October 2017, an unknown person found on the ground a flash drive containing detailed security information about Heathrow, the UK's largest airport.
In particular, the drive contained maps showing the location of security cameras, tunnels and emergency exit shafts, as well as patrol schemes and a description of the ultrasonic radar system used to scan the perimeter and runways.
The airport administration, however, has already stated that it is confident in the effectiveness of its security protocols. As for the data leak, the airport began an internal investigation to find out how this could have happened and to prevent a recurrence.
In any case, a serious correction of these procedures is now required. The airport also faces serious reputational losses and, most likely, an investigation of the incident at the level of the Government and Parliament.
Another high-profile example: in September 2017, one of the largest personal data leaks in US history became known. The breach of computer systems, which affected nearly half the country's population, occurred at the credit bureau Equifax, as the company itself reported.
According to Equifax, cybercriminals took advantage of a vulnerability in the company's website and had access to certain files from mid-May to the end of July 2017.
Social Security numbers, dates of birth and, in some cases, driver's license numbers were lost. In addition, the credit card numbers of about 209 thousand Americans and a number of claims documents containing the personal data of 182 thousand Americans fell into the attackers' hands. On September 8, 2017, the company's share price had fallen 13% by the close of main exchange trading.
Other less painful but no less unpleasant cases include the news that periodically appears about leaks of intimate photos of celebrities, which may not cause direct commercial losses but certainly cause reputational ones. They can even go as far as commercial losses if the photos reveal an affair that could destroy a marriage, in which case significant sums could be payable under the marriage contract.
In early September 2014, there was a massive leak of intimate photos of American celebrities onto the network. Among the hackers' victims were actresses such as Jennifer Lawrence, Kirsten Dunst and Emma Watson.
The photos were discovered on The Fappening forum, where the hackers posted, among other things, two clips of an intimate nature and 123 photos of Emma Watson. There were also much more candid shots of Seyfried relaxing with actor Thomas Sadoski, to whom she had been engaged since September 2016.
Experts suggested that the hackers could have stolen the pictures by breaking into the iCloud service.
However, in my opinion, the most interesting and large-scale case of errors in information security, which on the one hand claimed many hundreds, if not thousands, of victims and on the other saved lives, occurred during the First World War.
An outstanding example of French electronic espionage was the interception of a long message sent from the German Ministry of Foreign Affairs to the German ambassador in Paris, which contained a note declaring war, intended for transmission to the French government. The French, who had already cracked the code in which the message was encrypted, not only intercepted it but also distorted its content to such an extent that the German ambassador at first could not understand anything in it, and the French meanwhile gained valuable time to prepare for mobilization.
The British intelligence services also broke top-secret German codes and for three years were able to intercept and decrypt all the messages that the German Foreign Ministry sent to its foreign embassies. The British managed to keep this a secret and only hinted at it slightly to their American allies when the Germans, who were completely unaware that information was leaking from their intelligence services, tried to push Mexico into the war with the promise of assistance in annexing the US states of Texas, Arizona and New Mexico.
Their German colleagues did not remain in debt. At the front, the telephone was the usual means of communication between units, and so quite cunning ways were invented to eavesdrop on enemy communications. During trench warfare, the troops mainly used single-wire, grounded telephone systems. Since the only wire was on their own territory, the military command was convinced that the enemy could eavesdrop on their conversations only by connecting directly to the line. They were not at all worried about eavesdropping and therefore took no precautions. This belief, as it turned out, was completely unfounded, and the first to learn this was the British Expeditionary Force in France, which as early as 1915 began to understand that the Germans were managing to anticipate and impede its operations with annoying regularity. It looked as if the Germans were receiving copies of the orders for the planned British offensives.
In fact, the Germans had created a device that, through a network of copper wires or metal rods dug in as close as possible to the enemy's lines, could pick up even the weakest currents created by the grounding of the British telephone system. Stray earth currents and leakage currents were received and amplified using a newly invented, very sensitive amplifier tube. Thus the Germans were able to take advantage of the enemy's unsystematic use of telephones, intercepting their messages through the ground. As soon as this original system was discovered, the British immediately came up with an apparatus able to block the propagation of sound through the earth within a certain radius of the source. This device not only put an end to the enemy's interception of telephone conversations, but also led to the development of a new system for intercepting telephone conversations through the ground.
As you can see, mistakes made in developing an information security system, as well as in using or neglecting the means and methods of protecting information, can have consequences ranging from minor to tragic in any field of activity.