
Analysis of the enterprise information security system. Analysis of the information security system and choice of method for its modernization

INTRODUCTION

Any human activity has always been associated with obtaining information. Today it is becoming the main resource for the scientific, technical and socio-economic development of the world community. Any entrepreneurial and government activity is closely related to receiving and using a variety of information flows. Therefore, even a slight suspension of information flows can lead to a serious crisis in the work of one or another organization, and perhaps even a number of organizations, thereby leading to conflicts of interest. It is for this reason that in modern market-competitive conditions a lot of problems arise related not only to ensuring the safety of commercial information as a type of intellectual property, but also of individuals and legal entities, their property and personal safety. Thus, information is treated as a commodity.

Information security is a relatively young, rapidly developing field of information technology. The correct approach to information security problems begins with identifying the subjects of information relations and the interests of these subjects associated with the use of information systems. Information security threats are the reverse side of the use of information technology.

Information protection in modern conditions is becoming an increasingly complex problem, which is due to a number of reasons, the main of which are: the mass distribution of electronic computer technology; increasing complexity of encryption technologies; the need to protect not only state and military secrets, but also industrial, commercial and financial secrets; expanding possibilities of unauthorized actions over information.

The security system should not so much limit users' access to information resources as determine their authority to access this information, identify abnormal use of resources, predict emergency situations and eliminate their consequences.

Currently, methods of unauthorized acquisition of information have become widespread. Their goal is, first of all, commercial interest. Information is diverse and has different values, and the degree of its confidentiality depends on who owns it.

In parallel with the development of computer technology, new ways of violating information security are emerging, while old types of attacks do not disappear, but only worsen the situation.

There are many problematic issues related to information protection; their resolution depends on objective and subjective factors, including the lack of opportunities.

Thus, the above facts make the problem of designing an effective information protection system relevant today.


Analytical part

1.1 Structure of the enterprise and characteristics of its information technologies

The Alfaproekt enterprise is located in Kursk and has two branches located in the region: the villages of Pryamitsino and Ushakovo.

The activity of the Alfaproekt organization is a range of services for the development of design documentation for the capital construction, reconstruction and technical re-equipment of industrial and civil facilities, as well as services in the field of standardization and metrology. Design of production facilities, including the placement of machinery and equipment, and industrial design are the main focus of the company.

Figure 1.1 shows the organizational structure of Alfaproekt OJSC.

From the structure it is clear that the enterprise is divided into departments that perform certain tasks depending on their purpose. The head office directly manages and controls the work of each department. Departments are managed by leading specialists, that is, department heads. Each department in turn has its own staff.

The structure of the enterprise is hierarchical, which allows for clear management and execution of work in a short time. But timely completion of work also depends on the technological process.

Figure 1.2 shows a block diagram of the production document flow of Alfaproekt OJSC.

According to the production workflow scheme, the customer submits a list of documents necessary for the project or drawing up any other type of order to the document acceptance/issuance department, where a receipt for the cost of the service provided, necessary for reporting in the accounting department, is drawn up. After prepayment, an application is submitted for the preparation of technical documentation of the facility, which is subsequently sent to the archive. Next, the economic department evaluates the cost of the future object, which is also sent to the archive. All process management is still carried out by the head office.

Figure 1.1 – Organizational structure of JSC Alfaproekt

Figure 1.2 – Block diagram of production document flow

All stages of production document flow, and, consequently, the enterprise itself, are serviced by high-tech equipment. All documentation is stored in computer format; drawings for large objects are made using special plotters installed in the main department and branches. The enterprise OJSC "Alfaproekt" uses modern data transmission and storage technologies.

All computers in use are integrated into a local area network (LAN), which in turn, to ensure data safety, is divided into independent segments (production departments) using VLAN technology. From the local network, workers have access to the Internet to search for necessary materials and exchange email. The work of users of all departments in a single information database makes it possible to maintain automated records of the execution of technical inventory work. The program automatically checks the availability of information about the property and copyright holders in the database, and the correctness of entering the addresses of the objects. This allows you to eliminate duplication of information and get rid of uncontrolled growth of the database.

User workstations connect to enterprise servers in terminal mode, which provides high performance speed of applications on remote terminals.

Also, using terminal access, work in the 1C Accounting program was implemented. This solution allows you to store information on the central server of the enterprise, which guarantees data safety, and provides operational control and obtaining information about the financial and economic activities of departments.

The Alfaproekt OJSC enterprise uses the Inter Base SQL server software package, which ensures the full workflow of the enterprise from receiving applications to submitting cases to the electronic archive.

The complex is constantly modified taking into account the requirements of the organization for document flow. The software package is designed for operation using VPN technology and requires minimal network resources during its operation.

The organization's branches are connected through the regional provider's channels to the main office network using VPN (virtual private network) technology. VPN technology was chosen for these purposes as it ensures a reliable data transmission system and a high level of protection of information from unauthorized access from outside. The use of VPN technology implements:

− Single space of the enterprise network;

− Full network transparency for employees;

− Protection of information from unauthorized access by third parties;

− Introduction of a unified automated control system into the company’s existing network structures and full integration into the existing production document flow;

− Scaling the existing enterprise network and connecting additional company offices into a single enterprise network;

The VPN is supported and maintained by four Windows 7-based servers and Cisco telecommunications equipment. The enterprise LAN has two connection points to the global Internet, which makes it possible to increase the reliability of data transmission.

The Active Directory directory service is deployed on top of the enterprise LAN, allowing you to fully manage access to information resources for users and groups. Figure 1.3 shows the block diagram of the LAN of Alfaproekt OJSC.

Figure 1.3 – Block diagram of the LAN of JSC Alfaproekt

The main network information technologies that ensure stability and security of work on the LAN of Alfaproekt OJSC are considered.

VLAN (Virtual Local Area Network) is a group of devices that have the ability to communicate with each other directly at the data link level, although they may be physically connected to different network switches. Conversely, devices located in different VLANs are invisible to each other at the data link level, even if they are connected to the same switch, and communication between these devices is possible only at the network and higher levels.

In modern networks, VLAN is the main mechanism for creating a logical network topology that is independent of its physical topology. VLANs are used to reduce broadcast traffic on a network. They are of great importance from a security point of view, in particular as a means of combating ARP spoofing.

VPN (Virtual Private Network) is a technology that allows you to provide one or more network connections (logical network) over another network (Internet). The level of trust in the constructed logical network does not depend on the level of trust in the underlying networks, thanks to the use of cryptography tools (encryption, authentication, public key infrastructure). Depending on the protocols used and the purpose, a VPN can provide connections of three types: node-to-node, node-to-network and network-to-network.

Active Directory is an implementation of Microsoft's directory service for operating systems of the Windows NT family. Active Directory allows administrators to use group policies to ensure uniform configuration of the user's work environment, deploy and update application and server software on all computers on the network. Active Directory stores data and environment settings in a centralized database. Active Directory networks can vary in size, from several hundred to several million objects. The directory service is both an administrator tool and an end user tool. As the number of objects on a network grows, the importance of directory services increases.

DNS (Domain Name System) is a distributed computer system for obtaining information about domains. Most often used to obtain an IP address by host name (computer or device), obtain information about mail routing, serving hosts for protocols in a domain.

The basis of DNS is the idea of a hierarchical domain name structure and zones. Each server responsible for the name can delegate responsibility for a further part of the domain to another server, which allows you to assign responsibility for the relevance of information to the servers of various organizations that are responsible only for “their” part of the domain name.

DNS is important to the operation of the Internet because, to connect to a host, you need information about its IP address, and it is easier for people to remember alphabetic (usually meaningful) addresses than the sequence of numbers of an IP address. In some cases, this allows the use of virtual servers, such as HTTP servers, distinguishing them by the request name.

1.2 Threats to the information security of the enterprise JSC Alfaproekt and a description of possible damage from their implementation

Information security is the protection of information and supporting infrastructure from accidental or intentional impacts of a natural or artificial nature that could cause damage to the owners or users of information and supporting infrastructure.

Information resources - individual documents and individual arrays of documents, documents and arrays of documents in information systems (libraries, archives, funds, data banks, other information systems). Relations regarding ownership of information resources are regulated by relevant civil legislation.

Classification of threats to the information security of automated data processing systems (ASOD) is necessary because modern computer technology and the information it accumulates are subject to random influences of an extremely large number of factors. Thus, there is no need to describe the full set of threats. As a result, for the protected system it is necessary not to determine a full list of threats, but to consider only classes of threats.

The classification of all possible threats to information security of ASOD can be carried out according to a number of basic characteristics. ASOD threat classes are shown in Figure 1.4.

In each class of information security threats, several types of threats affecting an automated data processing system can be distinguished. Based on this, a table of types of information security threats was constructed for specific classes of threats and their characteristics (Table 1.1).

Figure 1.4 – ASOD threat classes

Table 1.1 – Characteristics of types of ASOD information security threats for the corresponding classes

| Type of threats | Threat class |
|---|---|
| 1. By nature of occurrence | Natural threats are threats caused by impacts on the ASOD and its components of objective physical processes or natural phenomena independent of humans. |
| | Man-made threats are threats to the information security of the AS caused by human activity. |
| 2. According to the degree of intentionality of manifestation | Accidental threats and/or threats caused by personnel errors or negligence. |
| | Threats of intentional action, for example, threats of an attacker to steal information. |
| 3. According to the direct source of threats | Threats whose direct source is the natural environment (natural disasters, magnetic storms, radioactive radiation). |
| | Threats whose direct source is a person. |
| | Threats whose direct source is authorized software and hardware. |
| | Threats whose direct source is unauthorized software and hardware. |
| 4. According to the position of the threat source | Threats whose source is located outside the controlled zone of the territory (premises) where the ASOD is located. |
| | Threats whose source is located within the controlled zone of the territory (premises) where the ASOD is located. |
| | Threats whose source has access to ASOD peripheral devices. |
| | Threats whose source is located in ASOD. |
| 5. According to the degree of dependence on ASOD activity | Threats that can occur regardless of the activity of the ASOD: breaking information cryptographic protection ciphers; theft of storage media (magnetic disks, tapes, memory chips, storage devices and computer systems). |
| | Threats that can only appear during automated data processing (for example, threats of execution and spread of software viruses). |
| 6. According to the degree of impact on ASOD | Passive threats that, when implemented, do not change anything in the structure and content of the ASOD (for example, the threat of copying secret data). |
| | Active threats that, when exposed, make changes to the structure and content of the ASOD. |
| 7. By stages of user or program access to ASOD resources | Threats that may appear at the stage of access to ASOD resources (for example, threats of unauthorized access to ASOD). |
| | Threats that may appear after permission to access ASOD resources (for example, threats of unauthorized or incorrect use of ASOD resources). |
| 8. By method of accessing ASOD resources | Threats aimed at using a direct standard path to access ASOD resources. |
| | Threats aimed at using a hidden, non-standard path to access AS resources. |
| 9. According to the current location of information | Threats to access information on external storage devices. |
| | Threats to access information in RAM. |
| | Threats of access to information circulating in communication lines. |
| | Threats to access information displayed on a terminal or printed on a printer. |

All the considered classes and types of threats are, to one degree or another, inherent in the ASOD at Alfaproekt OJSC.

You can also classify threats according to the Criminal Code of the Russian Federation and highlight the following threats to information security:

− Theft (copying) of information.

− Destruction of information.

− Modification (distortion) of information.

− Violation of availability (blocking) of information.

− Denial of the authenticity of information.

− Imposition of false information.

Theft is the unlawful gratuitous seizure and (or) conversion of someone else's property for the benefit of the perpetrator or other persons, which caused damage to the owner or possessor of the property.

Copying computer information is the repetition and permanent imprinting of information on a computer or other medium.

Destruction - external influence on property, as a result of which it ceases to exist physically or is rendered completely unfit for use for its intended purpose.

Damage is a change in the properties of property in which its condition significantly deteriorates, a significant part of its useful properties is lost and it becomes completely or partially unsuitable for its intended use.

Modification of computer information - making any changes, except those related to the adaptation of a computer program or database.

Blocking computer information is an artificial impediment of user access to information that is not associated with its destruction.

Deception (denial of authenticity, imposition of false information) - deliberate distortion or concealment of the truth in order to mislead the person in charge of the property and thus obtain from him the voluntary transfer of property, as well as the communication of knowingly false information for this purpose.

The classification of threats will look most clear if we consider threats in conjunction with their source. In accordance with this approach, the classification of information security threats at Alfaproekt OJSC will look as follows (Figure 1.5).

All threats presented may be intentional or unintentional.

It is also necessary to consider threats directed at specific ASOD facilities at Alfaproekt OJSC. According to the LAN block diagram shown in Figure 1.3, the following objects of the automated system can be distinguished: employee's workstation, database server, file server, management server. For each of the objects, Table 1.2 presents specific information security threats.

From the perspective of the economic approach, the total damage to an enterprise’s information security consists of two components: direct and indirect damage.

Direct damage to the information security of an enterprise occurs due to the leakage of confidential information. Indirect damage is the losses incurred by an enterprise in connection with restrictions on the dissemination of information classified as confidential in the prescribed manner.

Figure 1.5 – Classification of information security threats at Alfaproekt OJSC

Table 1.2. – Information security threats to each of the ASOD objects

| ASOD object | Information security threats |
|---|---|
| Employee's workstation | Copying information to media |
| | Installing and using “left” software |
| | Infecting your computer with viruses |
| | Operator errors when operating SVT |
| | Operator errors when operating software |
| | Unauthorized access to AS resources and its further use (copying, modification, deletion) |
| DB server | Copying information |
| | Access to information through disruption |
| | User errors when using software |
| File server | Change information |
| | Copying information |
| | Deleting information |
| | Disclosure of protected information by transferring storage media to persons not authorized to access |
| Management server | Illegal acquisition of passwords and other access control details. |
| | Blocking access of registered users |

As part of the development or analysis of an information security system, the most appropriate is a qualitative assessment of the value of the information resource on the part of the owner. Depending on the needs of the organization, its size or other factors, the qualitative rating scale may use designations such as “insignificant”, “low”, “medium”, “high”, “critical”, which imply a certain interval of the quantitative rating scale.

After compiling a list of threats, the degree of probability of implementation (SVR) of the threats is determined. Risk assessment occurs by comparing assessments of the severity of consequences with the SVR assessment of information security threats (Table 1.4).

At the risk assessment stage, the potential damage from information security threats is determined for each resource or group of resources. Determining the severity of the consequences of the loss of information security properties by a resource is necessary in order to determine how much system “downtime” will cost during the time required to restore it and what the damage will be if this information becomes known to competitors.

Table 1.4 – Comparison of assessments of the severity of consequences with the SVR assessment of information security threats

| Degree of probability of an information security threat being realized (rows) / The severity of the consequences of an information security violation (columns) | minimum | average | high | critical |
|---|---|---|---|---|
| unrealizable | acceptable | acceptable | acceptable | acceptable |
| minimum | acceptable | acceptable | acceptable | unacceptable |
| average | acceptable | acceptable | unacceptable | unacceptable |
| high | acceptable | unacceptable | unacceptable | unacceptable |
| critical | unacceptable | unacceptable | unacceptable | unacceptable |
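
The comparison in Table 1.4 can be expressed as code. The following Python code is an added example, not part of the original work: it encodes the matrix, checks that it is monotone (a higher probability or severity never makes a risk acceptable again), and filters a threat register for unacceptable risks. The asset and threat names come from Table 1.2; the SVR and severity values assigned to them, the worst-case handling of severity ranges and all function names are assumptions made for illustration.

```python
from typing import NamedTuple, Sequence, Tuple, Union

# Scales exactly as they appear in Table 1.4, ordered from lowest to highest.
SVR_LEVELS = ("unrealizable", "minimum", "average", "high", "critical")
SEVERITY_LEVELS = ("minimum", "average", "high", "critical")

A, U = False, True  # A = acceptable, U = unacceptable
# One row per SVR level; columns follow SEVERITY_LEVELS (transcribed from Table 1.4).
RISK_MATRIX = {
    "unrealizable": (A, A, A, A),
    "minimum":      (A, A, A, U),
    "average":      (A, A, U, U),
    "high":         (A, U, U, U),
    "critical":     (U, U, U, U),
}

Severity = Union[str, Tuple[str, str]]


class Threat(NamedTuple):
    asset: str
    threat: str
    svr: str            # degree of probability of implementation
    severity: Severity  # single level, or a (low, high) range


def _index(scale: Sequence[str], label: str) -> int:
    """Position of a label on its scale; rejects labels not used in Table 1.4."""
    try:
        return scale.index(label)
    except ValueError:
        raise ValueError(f"unknown level {label!r}; expected one of {scale}") from None


def worst_severity(severity: Severity) -> str:
    """Assumption: when an assessor gives a range, the upper bound decides."""
    if isinstance(severity, str):
        return severity
    return max(severity, key=lambda s: _index(SEVERITY_LEVELS, s))


def is_unacceptable(svr: str, severity: Severity) -> bool:
    """Look up the risk decision for one threat assessment."""
    _index(SVR_LEVELS, svr)  # validates the SVR label
    col = _index(SEVERITY_LEVELS, worst_severity(severity))
    return RISK_MATRIX[svr][col]


def matrix_is_monotone() -> bool:
    """True if raising SVR or severity never flips unacceptable to acceptable."""
    rows = [RISK_MATRIX[s] for s in SVR_LEVELS]
    by_row = all(a <= b for r in rows for a, b in zip(r, r[1:]))
    by_col = all(a <= b for c in zip(*rows) for a, b in zip(c, c[1:]))
    return by_row and by_col


def unacceptable_risks(register: Sequence[Threat]) -> list:
    """Return the threats needing treatment, highest combined rating first."""
    def score(t: Threat) -> int:
        return _index(SVR_LEVELS, t.svr) + _index(
            SEVERITY_LEVELS, worst_severity(t.severity))
    flagged = [t for t in register if is_unacceptable(t.svr, t.severity)]
    return sorted(flagged, key=score, reverse=True)


# Constructed sample register: names from Table 1.2, ratings invented for the example.
SAMPLE_REGISTER = [
    Threat("Employee's workstation", "Infecting your computer with viruses", "high", "high"),
    Threat("Employee's workstation", "Operator errors when operating software", "high", "minimum"),
    Threat("DB server", "Copying information", "minimum", ("high", "critical")),
    Threat("File server", "Deleting information", "minimum", "high"),
    Threat("Management server", "Blocking access of registered users", "average", "average"),
]

if __name__ == "__main__":
    assert matrix_is_monotone(), "Table 1.4 transcription is inconsistent"
    for t in unacceptable_risks(SAMPLE_REGISTER):
        print(f"UNACCEPTABLE: {t.asset}: {t.threat} (SVR={t.svr}, severity={t.severity})")
```
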

When considering possible damage, it is also necessary to consider the resources used by the enterprise. The classification of information resources is presented in Figure 1.7.

Figure 1.7 – Types of enterprise resources

Resources to be protected include information and technical resources.

At JSC Alfaproekt, technical resources include:

− control server;

− database server;

− file server;

− Printers and plotters;

− Network equipment (switches, routers).

Information resources located in electronic form and on paper media of this enterprise include:

− Copies of identification documents of the customer;

− Technical passports for real estate objects;

− Certificates of book value indicating the residual book value for the period of technical inventory;

− Design and executive documentation;

− Accounting statements.

Thus, the electronic resources of the Alfaproekt OJSC enterprise have limited access and are classified as confidential. Therefore, allocated resources are exposed to information security threats, and if the threats are realized, the enterprise may suffer various types of damage. Figure 1.8 shows three types of damage.

Figure 1.8 – Types of possible damage

Manifestations of possible damage can be different and mixed:

− moral and material damage to the organization’s business reputation

− moral, physical or material damage associated with the disclosure of personal data of individuals;

− material damage from the need to restore damaged protected information resources;

− material damage from the inability to fulfill obligations undertaken to a third party;

− moral and material damage from disruption of the organization’s activities;

− material and moral damage from violation of international relations.

Damage can also be considered according to the severity of the consequences of information security threats. Figure 1.9 shows the classification of damage by severity.

Figure 1.9 – Severity of consequences from information security threats

Based on the above, in Alfaproekt OJSC we can distinguish a number of possible consequences from the implementation of information security threats. First of all, it should be noted that the damage will mainly be material. The main damage will occur to technical resources, since this type of resource involves the use and storage of digital information resources. But we cannot ignore the fact that the enterprise also uses non-digital information resources, although most of them have digital copies, but these resources are no less valuable.

In terms of the severity of the consequences, the greatest losses will arise in the event of failure of the technical resources of Alfaproekt OJSC, since there will be a suspension of production document flow and a possible loss of digital information resources, which is a significant consequence. If the implementation of information security threats affects only digital information resources, the severity of the consequences can be characterized as medium; in extreme cases, for example, natural disasters, the severity can move into the category of significant severity of consequences or even high. The severity of all these consequences primarily depends on the specific threats. Based on this principle, Table 1.5 of the severity of the consequences of specific information security threats at Alfaproekt OJSC was compiled.

Table 1.5 – Severity of consequences from information security threats at Alfaproekt OJSC

| Information security threat | Severity of consequences (damage) |
|---|---|
| Errors of users and system administrators | medium - low |
| Violations by company employees of established regulations for the collection, processing, transfer and destruction of information | average |
| Errors in the operation of software | low |
| Failures and malfunctions of computer equipment | average |
| Infecting computers with viruses or malware | average |
| Unauthorized access (UA) to corporate information | average - significant |
| Information monitoring by competing structures, intelligence and special services | average |
| Actions of government agencies and services, accompanied by the collection, modification, removal and destruction of information | average - significant |
| Accidents, fires, man-made disasters | significant - high |

Information security of ASOD is ensured if a certain level is maintained for any information resources in the system:

− confidentiality (impossibility of unauthorized receipt of any information);

− integrity (impossibility of unauthorized or accidental modification);

− accessibility (the ability to obtain the required information within a reasonable time).

Information security threats affect not only the properties of information, but also the technical resources of the enterprise, therefore the information protection system must meet the following requirements:

− requirements for non-distortion of information properties;

− requirements of the ASOD security class;

− requirements of the SVT security class;

− requirements for protecting information from unauthorized access.

Also, the information security system must perform:

− warning about the emergence of threats to information security;

− detection, neutralization and localization of the impact of threats;

− access control to protected information;

− restoration of the information security system;

− registration of events and unauthorized access attempts;

− ensuring control over the functioning of the protection system.


ANALYSIS OF THE INFORMATION SECURITY SYSTEM AND SELECTION OF A METHOD FOR ITS MODERNIZATION

2.1 Methods and means of protecting information in networks

At the first stage of development of data security concepts, preference was given to software security tools. But practice has shown that this is not enough to ensure data security, and all kinds of devices and systems have received intensive development. Gradually, as a systematic approach to the problem of ensuring data security was formed, the need arose for the integrated use of protection methods and the means and protection mechanisms created on their basis. Typically, in enterprises, depending on the volume of stored, transmitted and processed confidential data, individual specialists or entire departments are responsible for information security. Figure 2.1 shows a model of comprehensive information protection.

Figure 2.1 – Model of comprehensive information security

In information protection, two areas are clearly distinguished: confidentiality protection and performance protection. To accomplish these tasks there are special data protection methods and means, which are presented in detail in Figure 2.2.

Figure 2.2 - Classification of methods and means of data protection

Methods for ensuring information security in information systems are divided into: obstruction, access control, encryption mechanisms (masking), regulation, coercion, inducement, and countering malware attacks.

An obstacle is a method of physically blocking an attacker’s path to protected information (equipment, storage media, etc.).

Access control – methods of protecting information by regulating the use of all IS resources. These methods must resist all possible ways of unauthorized access to information.

Access control includes:

− identification of users, personnel and system resources;

− identification of the subject by the identifier presented by him;

− verification of credentials;

− creation of working conditions within the established regulations;

− registration of requests to protected resources;

− when attempting unauthorized actions.

Encryption mechanisms – cryptographic closure of information.

Regulation – the creation of such conditions for the automated processing, storage and transmission of protected information under which the norms and standards for protection are met to the greatest extent.

Coercion is a method of protection in which users and information system personnel are forced to comply with the rules for the processing, transfer and use of protected information under the threat of material, administrative or criminal liability.

Incentive is a method of protection that encourages users and IS personnel not to violate established procedures by observing established moral and ethical standards.

Countering malware attacks involves a set of various organizational measures and the use of anti-virus programs. The goals of the measures taken are to reduce the likelihood of infection of the IS; to identify facts of infection of the system; to reduce the consequences of information infections, localizing or destroying viruses; and to restore information in the IS.

The entire set of technical means is divided into hardware and physical.

Hardware – devices built directly into computer equipment, or devices that interface with it using a standard interface.

Physical means include various engineering devices and structures that prevent physical penetration of attackers into protected objects and protect personnel (personal security equipment), material resources and finances, information from illegal actions.

Software tools are special programs and software systems designed to protect information in the IS.

Among the security system software, we will also highlight software that implements encryption (cryptography) mechanisms. Cryptography is the science of ensuring the secrecy and/or authenticity of transmitted messages.

Organizational means provide comprehensive regulation of production activities in the information system and of the relationships of performers on a legal basis, in such a way that disclosure, leakage and unauthorized access to confidential information become impossible or significantly hampered due to organizational measures.

Legislative means of protection are determined by the legislative acts of the country, which regulate the rules for the use, processing and transmission of restricted information and establish penalties for violating these rules.

Moral and ethical means of protection include all sorts of norms of behavior (which traditionally developed earlier), which are taking shape as IS spread in the country and in the world. Moral and ethical standards can be unwritten or formalized in a certain set of rules or regulations. These norms, as a rule, are not legally approved, but since their non-compliance leads to a decline in the prestige of the organization, they are considered mandatory.

2.2 Definition of security classes

2.2.1 Determination of the required security class of ASOD at JSC Alfaproekt

To determine the required security class in the Russian Federation there is a specific approach implemented in the guiding document of the State Technical Commission under the President of the Russian Federation “Classification of automated systems and requirements for information protection” Part 1. This document identifies 9 classes of security of automated systems from unauthorized access to information, and for each class the minimum composition of the necessary protection mechanisms and the requirements for the content of the protective functions of each of the mechanisms in each of the classes of systems (Figure 2.3).

The article describes the experience in ensuring information security of operating systems and database management systems of organizational complex hierarchical structures. A project of a comprehensive information security system based on a hierarchical approach to modeling is presented. complex systems management.

Currently, in the areas of information technology (IT), the issues of creation and development are in first place. regulatory framework in the field of information security, as well as the need to carry out a set of works aimed at developing standardization and certification in the field of information security (IS).

Standards that define information security requirements and are the basis of the regulatory framework are important for all subjects of relations in this area, primarily for those organizations and enterprises that are interested in protecting their information resources. Management and security services of enterprises should clearly understand what requirements, depending on the operating conditions, their information systems (IS) must meet. Developers of information technology and information systems must be guided by standards to ensure the security of their developments.

Anyone working in IT understands the need to ensure operating system (OS) security. The need for built-in security at this level is beyond doubt. The operating system protects application-level mechanisms from misuse, circumvention, or imposition of false information. If it fails to meet these requirements, system-wide vulnerabilities will appear.

One of the tasks of IS is data storage and processing. To solve this problem, efforts were made that led to the emergence of specialized software - database management systems (DBMS). DBMSs allow you to structure, systematize and organize data for computer storage and processing. It is impossible to imagine the activities of a modern enterprise or institution without the use of professional database management systems. Undoubtedly, they form the foundation of information activity in all areas - from production to finance and telecommunications. In this sense, the OS and the DBMS are similar to each other.

The basis of legal regulation in the field of information security for operating systems and database management systems in which confidential information is processed consists of the laws and regulations adopted in the Russian Federation. One such document is the “Information Security Doctrine of the Russian Federation,” which is a set of official views on the goals, objectives, principles and main directions of ensuring information security in the Russian Federation. The doctrine serves as the basis for the formation of public policy in the field of information security of the Russian Federation and develops the Concept of National Security of the Russian Federation in relation to the information sphere. The interests of the individual in the information sphere lie in the implementation of the constitutional rights of man and citizen to access information, to use information in the interests of carrying out activities not prohibited by law, physical, spiritual and intellectual development, as well as in the protection of information that ensures personal security. The interests of society in the information sphere lie in ensuring the interests of the individual in this area, strengthening democracy, creating a legal social state, achieving and maintaining public harmony, and the spiritual renewal of Russia.

According to their general focus, threats to information security in the Russian Federation are divided into legal; technological; organizational and economic (Table 1). General methods of ensuring information security of the Russian Federation are organizational and technical, legal, organizational and economic, software and technical and economic (Table 2).

Table 1. Types of RF cybersecurity threats

Legal
  • threats to the constitutional rights and freedoms of man and citizen in the field of spiritual life and information activities, individual, group and public consciousness, the spiritual revival of Russia;
  • irrational, excessive restriction of access to socially necessary information;
  • violation of the constitutional rights and freedoms of man and citizen in the field of mass media;
  • threats to information support of state policy of the Russian Federation;
  • threats to the development of the domestic information industry, including the industry of information technology, telecommunications and communications, meeting the needs of the domestic market for its products and the entry of these products into the world market, as well as ensuring the accumulation, safety and effective use of domestic information resources;
  • threats to the security of information and telecommunications facilities and systems, both already deployed and those being created in Russia;
  • illegal collection and use of information.

Technological
  • violations of information processing technology;
  • introduction into hardware and software products of components that implement functions not provided for in the documentation for these products;
  • development and distribution of programs that disrupt the normal functioning of information and information and telecommunication systems, including information security systems;
  • destruction, damage, electronic jamming or destruction of information processing, telecommunications and communication facilities and systems;
  • impact on password-key protection systems of automated information processing and transmission systems;
  • compromise of keys and means of cryptographic information protection.

Organizational and economic
  • information leakage through technical channels;
  • installation of electronic devices for intercepting information in the technical means of processing, storing and transmitting information via communication channels, as well as in the office premises of government bodies, enterprises, institutions and organizations, regardless of the form of ownership;
  • destruction, damage, destruction or theft of computer and other storage media;
  • interception of information in data networks and communication lines, decryption of this information and imposition of false information;
  • unauthorized access to information located in banks and databases;
  • violation of legal restrictions on the dissemination of information.
Table 2. Methods for providing information security in the Russian Federation

Organizational and technical
  • development, use and improvement of information security tools and methods for monitoring the effectiveness of these means, development of secure telecommunication systems, increasing the reliability of special software;
  • creation of systems and means of preventing unauthorized access to processed information and special impacts that cause destruction, destruction, distortion of information, as well as changes in the normal operating modes of systems and means of information and communication;
  • identifying technical devices and programs that pose a danger to the normal functioning of information and telecommunication systems, preventing the interception of information through technical channels, using cryptographic means of protecting information during its storage, processing and transmission via communication channels, monitoring the implementation of special requirements for information protection.

Legal
  • protection of the rights of citizens to own, dispose and manage their information; protection of the constitutional rights of citizens to the privacy of correspondence, negotiations, and personal privacy;
  • control over the actions of personnel in secure information systems, training of personnel in the field of ensuring information security of the Russian Federation, development of a set of legal acts and regulations regulating information relations in society, development of guidelines and normative and methodological documents for ensuring information security.

Organizational and economic
  • licensing of certain types of activities, certification of systems and means of protection according to information security requirements, standardization of methods and means of information protection, control (supervision).

Software and hardware
  • preventing leakage of processed information, preventing special influences that cause destruction, destruction, distortion of information, identifying software or hardware embedded devices, preventing the interception of information by technical means.

Economic methods
  • protection of state secrets, i.e. secret and other confidential information that is the property of the state, from all types of unauthorized access, manipulation and destruction; protection of the rights of entrepreneurs when they carry out commercial activities.

    The most important objects of providing information security of the Russian Federation in the field of science and technology are:

    • results of fundamental, exploratory and applied scientific research that are potentially important for the scientific, technical, technological and socio-economic development of the country, including information whose loss could harm the national interests and prestige of the Russian Federation;
    • discoveries, unpatented technologies, industrial designs, utility models and experimental equipment;
    • scientific and technical personnel and their training system.

    The main external threats to the information security of the Russian Federation in the field of science and technology include the desire of developed foreign countries to gain illegal access to the scientific and technical resources of Russia in order to use the results obtained by Russian scientists in their own interests.

    The main internal threats to information security of the Russian Federation in the field of science and technology include:

    • the continuing difficult economic situation in Russia, leading to a sharp decline in the financing of scientific and technical activities, a temporary decline in the prestige of the scientific and technical sphere, and leakage of ideas and advanced developments abroad;
    • serious problems in the field of patent protection of the results of scientific and technical activities of Russian scientists;
    • difficulties in implementing measures to protect information, especially at corporatized enterprises, in scientific and technical institutions and organizations.

    The real way to counter threats to information security of the Russian Federation in the field of science and technology is to improve the legislation of the Russian Federation regulating relations in this area and the mechanisms for its implementation. For these purposes, the state should promote the creation of a system for assessing possible damage from the implementation of threats to the most important objects of ensuring the information security of the Russian Federation in the field of science and technology.


    One of the fundamental components of the successful operation of a modern enterprise is the development of a system for ensuring information security and information protection. The need to carry out activities in this area is explained by the storage of personal data about students in the information system, which is confidential information. Unscrupulous competitors are ready to take illegal actions in order to take possession of someone else's information, and having taken possession of it, use it to the detriment of competitors. Another important aspect of ensuring information security is protection against intentional or accidental destruction of data, which will lead to the loss of information important both for the operational work of the institution and for analytical reporting.

    When maintaining paper records in Children's Sports School No. 5, the situation with ensuring information security and information protection is very mediocre. Data about students and their health, teachers, and tuition fees are stored in the form of paper documents in employee cabinets, and processed documents are stored in the archive. At the same time, nothing prevents unauthorized employees from reading these documents or copying them, and an attacker from stealing them. Job descriptions about the need to comply with the procedure for storing documents are unlikely to stop an attacker who has set himself the goal of taking possession of them. With the paper version of business management, there is also a high probability of loss of documents, as well as intentional or accidental destruction of documents.

    When using a computerized version of work, the level of information security increases by an order of magnitude. The automated document flow system itself forces the user to be more responsible in this matter.

    Technically, information security and information protection are implemented through a system of passwords for access to information system resources at various levels.

    First of all, this is the user’s login password to the operating system of his workplace. Entering this password gives the user access to the resources of this computer and to documents stored on it. At the same time, the security policy must be configured in such a way that the user is not the complete “master” of his workplace and cannot, for example, install malicious software or programs for copying information. Restricting rights somewhat complicates the work of users, but at the same time guarantees data security. It is always necessary to find a balance between the convenience and comfort of the user's work and the security of storing corporate or customer information.

    When a user enters his login password into the operating system, he gains access not only to the resources of this computer, but also to the resources of the enterprise computer network. This is possible if the user logs on to the computer as a domain or network user. In this case, you need to be even more careful about the delimitation of user rights on the network. The rights of a network user must be configured so that he can work freely with his own documents, while access is limited to documents that he is not entitled to work with or is entitled only to view. In this way the problems of protecting data from unauthorized access and from accidental damage are solved at the same time.

    The system administrator has the prerogative to distribute user rights in an enterprise. It is he who must differentiate user rights to access documents and applications both on the network and on local computers.
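One way to check the delimitation of rights described above, as an added example that is not part of the original text: the script compares an intended rights matrix with the effective rights obtained by expanding group entries in an access list, and reports both excess rights and rights a user is missing. The roles, user names, folders and access entries are constructed for illustration.

```python
from enum import IntEnum
from typing import NamedTuple


class Right(IntEnum):
    NONE = 0
    VIEW = 1
    EDIT = 2


class Finding(NamedTuple):
    user: str
    resource: str
    intended: Right
    effective: Right
    kind: str  # "excess" = more than intended, "missing" = less than intended


# Intended policy (constructed): role -> resource -> right.
INTENDED = {
    "accountant": {"finance": Right.EDIT, "contracts": Right.VIEW},
    "coach": {"students": Right.EDIT},
    "registrar": {"students": Right.EDIT, "contracts": Right.EDIT,
                  "finance": Right.VIEW},
}
USER_ROLES = {"ivanova": "accountant", "petrov": "coach", "sidorova": "registrar"}

# Effective access entries as an administrator might export them (constructed).
# A principal is either a group name from GROUPS or an individual account.
GROUPS = {"all_staff": {"ivanova", "petrov", "sidorova"},
          "office": {"ivanova", "sidorova"}}
ACL = [
    ("finance", "ivanova", Right.EDIT),
    ("finance", "office", Right.VIEW),
    ("finance", "temp_intern", Right.VIEW),   # account with no assigned role
    ("students", "all_staff", Right.EDIT),    # broad group grant
    ("contracts", "sidorova", Right.EDIT),
    ("contracts", "petrov", Right.VIEW),
]


def effective_rights(acl, groups):
    """Expand group entries and keep the highest right per (user, resource)."""
    result = {}
    for resource, principal, right in acl:
        # A principal that is not a known group is treated as a single account.
        for user in groups.get(principal, {principal}):
            key = (user, resource)
            result[key] = max(result.get(key, Right.NONE), right)
    return result


def audit(intended, user_roles, acl, groups):
    """Return deviations between intended and effective rights, sorted by user."""
    effective = effective_rights(acl, groups)
    resources = {r for rights in intended.values() for r in rights}
    resources |= {resource for resource, _, _ in acl}
    # Include accounts that appear only in the access list (no role assigned).
    users = set(user_roles) | {user for user, _ in effective}
    findings = []
    for user in sorted(users):
        role_rights = intended.get(user_roles.get(user), {})
        for resource in sorted(resources):
            want = role_rights.get(resource, Right.NONE)
            have = effective.get((user, resource), Right.NONE)
            if have > want:
                findings.append(Finding(user, resource, want, have, "excess"))
            elif have < want:
                findings.append(Finding(user, resource, want, have, "missing"))
    return findings


if __name__ == "__main__":
    for f in audit(INTENDED, USER_ROLES, ACL, GROUPS):
        print(f"{f.kind:7} {f.user:12} {f.resource:10} "
              f"intended={f.intended.name} effective={f.effective.name}")
```

Excess findings point to unauthorized access or accidental damage risk; missing findings point to users who cannot work with their own documents.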

    The third level of password protection of information is the password for accessing the SQL Server database when the 1C:Enterprise 8.1 system is built in the client-server version of the architecture. In this version of work, the data stored in the database is protected not only by the system for delimiting access rights for users of the 1C:Enterprise system, but also by the SQL Server system, which increases the level of security by an order of magnitude.

    The responsibility for distributing user access rights to data stored in the 1C:Enterprise 8.1 information system lies with the system administrator. He must configure the rights of each user so as to restrict access to data the user is not entitled to, without creating difficulties in his work. Access to the SQL Server database is configured together with the system administrator.

    An undeniable factor that increases the level of information security and information protection when implementing an electronic sales accounting system is the ability, if necessary, to “save” the entire database of documents on any electronic media in the event of, for example, natural disasters. In the future, this copy of the database can be deployed to a new location and work with documents can be continued from the point where it was interrupted.

    In addition to organizing password protection of information, you should not neglect the physical protection of information. It is advisable to place the servers of the computer network, the 1C:Enterprise system and the SQL Server database servers (in the client-server mode of operation) in a separate room (server room) in which, in addition to the special conditions necessary for the operation of the servers (air conditioning, ventilation,...), special conditions are also created that prevent the entry of unauthorized persons. This could be an access control system or other organizational measures.

    Despite the planned implementation of an automated system at Children's Sports School No. 5, work with paper documents will still take place. For example, contracts concluded with clients have legal force only on paper. Organizing the storage of such documents so that unauthorized persons, or employees who are not entitled to them, cannot gain access is an important part of the overall information security system. It is advisable to organize an archive in which such documents would be stored and to regulate employee access to it. Entry by unauthorized persons should be excluded by physical means (iron door, bars on windows).


    1.2.4 Analysis of the information security and information protection system

    The process of globalization of information and telecommunication complexes and the introduction at the State Unitary Enterprise OC "Moscow House of Books" of information technologies, implemented mainly on hardware and software of its own production, have significantly aggravated the problem of the dependence of the quality of information transportation processes on the possible intentional and unintentional effects of an intruder on the transmitted user data, management information, and the hardware and software that support these processes.

    An increase in the volume of stored and transmitted information leads to an increase in the violator’s potential for unauthorized access to the information sphere of the State Unitary Enterprise OC Moscow House of Books and impact on its functioning processes.

    The increasing complexity of the technologies used and of the functioning processes of the State Unitary Enterprise OC Moscow House of Books means that the hardware and software used in the State Unitary Enterprise OC Moscow House of Books may objectively contain a number of errors and undeclared capabilities that can be used by violators.

    The absence of the necessary means of protection in the conditions of information warfare makes the State Unitary Enterprise OC Moscow House of Books as a whole vulnerable to possible hostile actions, unfair competition, as well as criminal and other illegal actions.

    The organizational structure of the information security system of the State Unitary Enterprise OC "Moscow House of Books" can be represented as a set of the following levels:

    Level 1 - Management of the organization;

    Level 2 - Information Security Division;

    Level 3 - Standard and additional means of protection;

    Level 4 - Persons responsible for information security in departments (in technological areas);

    Level 5 - End users and service personnel.

    When developing software at the State Unitary Enterprise OC Moscow House of Books, they follow the basic standards regulating:

    Software quality indicators;

    The life cycle and technological process of creating critical software packages, supporting their high quality and preventing unintentional defects;

    Testing software to detect and eliminate defects in programs and data;

    Testing and certification of programs to certify the achieved quality and safety of their operation.

    Table 1.3. International standards aimed at ensuring technological safety

    ISO 09126:1991. IT. Software product evaluation. Quality characteristics and guidelines for their use.

    ISO 09000-3:1991. General quality management and quality assurance standards. Part 3: Guidelines for the application of ISO 09001 in software development, delivery and maintenance.

    Software life cycle processes.

    ANSI/IEEE 829 - 1983. Documentation for program testing.

    ANSI/IEEE 1008 - 1986. Testing of software modules and software components.

    ANSI/IEEE 1012 - 1986. Planning for software verification and validation.

    To protect information from external threats, the State Unitary Enterprise OC Moscow House of Books uses a firewall implemented as a software or hardware router with firewall functions. This system allows data packets to be filtered.

    The company also has regulatory, legal and organizational documents such as:

    1. Information security regulations:

    · employee access to proprietary information that constitutes a trade secret;

    · access to the use of personal software configured for the State Unitary Enterprise OC Moscow House of Books.

    2. Regulations for the use of the Internet and e-mail at the State Unitary Enterprise OC "Moscow House of Books".


    CJSC Consultant Plus has a security policy.

    The company has the following regulatory documents in the field of information protection and information security (IS):

    • Regulations on confidential information
    • Statement on the use of software
    • Regulations on the use of email
    • Regulations on the use of the Internet
    • Regulations on the use of mobile devices and storage media
    • Internal labor regulations
    • Order on the introduction of an information security policy
    • Order on the introduction of internal labor regulations
    • Order on the introduction of intra-facility access control

    The head of the security service and the head of the system administration department are responsible for the implementation of these regulatory documents.

    The employment contracts of the enterprise's employees contain a clause on the non-disclosure of confidential information during the term of the contract, as well as for three years after its termination. Employees are required to comply with all relevant requirements of orders, instructions and regulations to ensure the safety of trade secrets and other confidential information of the Employer, and to comply with internal and access control regimes.

    When employees use email, it is prohibited to:

    1) Use email for personal purposes.
    2) Transmit electronic messages containing:
       a. confidential information;
       b. information constituting a trade secret, except when this is part of the official duties of the sender;
       d. information, files or software that can disrupt or limit the functionality of software and hardware of a corporate network.
    3) Follow links and open attachments in incoming email messages received from unknown senders.
    4) On your own initiative, send out (including mass) electronic messages (if the mailing is not related to the performance of official duties).
    5) Publish your email address or the email address of other employees of the Organization on publicly available Internet resources (forums, conferences, etc.).
    6) Provide employees of the Organization (except for IS administrators) and third parties with access to their electronic mailbox.
    7) Encrypt electronic messages without prior approval from IS administrators.

    When using the Internet it is prohibited to:

    1) Use the Internet access provided by the Organization for personal purposes.
    2) Use specialized hardware and software that allow you to gain unauthorized access to the Internet.
    3) Perform any actions aimed at disrupting the normal functioning of elements of the Organization’s IS.
    4) Publish, upload and distribute materials containing:
       a) Confidential information,
       b) Information constituting a trade secret, except when it is part of official duties.
    5) Information, in whole or in part, protected by copyright or other rights, without the permission of the owner.
    6) Malicious software designed to disrupt, destroy or limit the functionality of hardware and software, as well as serial numbers for commercial software and software for their generation, passwords and other means for gaining unauthorized access to paid Internet resources, as well as links to the above information.
    7) Falsify your IP address, as well as other official information.

    CJSC Consultant Plus allows the use of a limited list of commercial software (according to the Register of Approved Software) and free software (necessary to perform production tasks). Users are prohibited from installing other software on their PCs.

    In the IS of CJSC Consultant Plus, it is allowed to use only registered mobile devices and storage media that are the property of the Organization and are subject to regular audit and control. On mobile devices provided by the Organization, it is permitted to use commercial software included in the Register of Approved Software.

    At the software level, role-based access control is implemented in the Microsoft Active Directory directory service, as well as when accessing the DBMS. The same service manages user passwords: each password has an expiration date, after which the user is forced to set a different password, and the system does not accept a password that is too short or too simple. This provides protection against unauthorized access to the system.

    To protect LANs and computers from external threats, the Kaspersky Enterprise Space Security package is used, which performs the following functions:

    1) Protection against hacker attacks. Modern hackers use keyloggers and rootkits for attacks: programs that make it possible to gain unauthorized access to data while avoiding detection. The anti-virus engine effectively neutralizes these threats, preventing unauthorized access to computers on the corporate network.
    2) Phishing protection. The database of URLs for phishing sites is constantly growing; with its help, suspicious links are recognized and blocked, and phishing emails are filtered, increasing the level of LAN protection.