Today hardly anyone imagines computer processing of information without protecting it. But how should information be protected while design work is being performed, which protection tools should be used for that purpose, and what is an effective means of protecting information when “turnkey” projects are delivered?
Let's consider the alternative application areas of information protection tools
When speaking about building, or using, an information protection tool, one must first of all decide on the area of its practical application (what it is created for and, consequently, what its value to the consumer is), since the area of practical use defines and dictates the requirements to any system tool which the developer must implement in order to raise the consumer value of that tool.
Unfortunately, this obvious point is not always taken into account, either by developers or by consumers of protection tools. At the same time, it is easy enough to show that the requirements to protection tools for different areas of practical use differ very strongly, and sometimes even contradict each other, which makes it impossible to create a single protection tool “for all occasions”. In other words, one cannot speak about the effectiveness of an abstract protection tool; one can only speak about the effectiveness of a tool created for specific applications.
Indeed, when it comes to information technology, two main applications can be distinguished: personal use of the computer (at home) and corporate use (in a design organisation). The difference in requirements between these applications, including the requirements to protection tools, is huge.
When it comes to personal use of the computer at home, we immediately start to think about the services provided by system tools: the widest possible use of devices, universal applications, all kinds of games, media players, and so on.
The main distinguishing features of using a protection tool in these applications are the following:
- By and large, the absence of any confidential information (at least, formally classified as such) that requires protection. The information is the property of the user;
- The absence of criticality: neither theft of the processed information nor its unauthorised modification or destruction is critical (at least, formally); attacks on system resources are also not so critical in these applications and, to a great extent, are connected only with inconvenience for the user;
- The user's lack of qualification in matters of information security, and a natural unwillingness to deal with these subjects;
- The absence of any external administration of system tools, including the configuration of protection mechanisms: all administration tasks are solved directly by the user. In effect, the user must independently solve all security-related questions, i.e. the user is both the administrator and the one protecting his own information;
- The absence of any mistrust towards the user: the user processes his own information (he is the owner of the computer and the owner of the information, so he can only trust himself), and, for the same reason, the user is mistrustful of any manifestation of external administration;
- In most cases, the user processes information on a single computer, locally.
If we turn to corporate applications, especially when services are rendered by performing “turnkey” projects, both the conditions of use of system tools and the requirements to protection tools are not merely cardinally different, they are directly opposite. In particular, there is no longer any need for a large range of devices and applications; games and the like are a factor distracting from office work, and it is generally desirable to prevent them from being launched at all, and so on.
For design organisations carrying out commercial projects, in particular “turnkey” projects, it is important first of all to protect themselves against viruses and hacker attacks, since, according to statistics, companies suffer the greatest losses in connection with theft of confidential and commercial information and with DoS attacks.
Faults arising in the operation of servers seriously reduce the overall performance of the company, leading to loss of valuable information, denial of service, loss of clients and failed transactions.
Time and money are also lost on the reading of spam by company employees. In 2003 the share of spam in incoming mail in many companies already reached 60-70%! Important business letters are quite often lost in the stream of unsolicited advertising, which also leads to serious financial losses (even greater losses arise from the use of incorrectly working spam filters with a considerable percentage of false positives).
The main distinguishing features of using protection tools in these (corporate) applications are the following:
- In these applications, confidential information requiring qualified protection is present a priori. This information is not the property of the user; it is given to him for temporary use in performing his official duties, which creates the possibility of its theft by the user (the so-called insider breach).
- Not only the theft of the processed information is critical, but also the possibility of its unauthorised modification or (possibly accidental) destruction. Also critical in these applications is the system tools being put out of operation for a long time, which matters most when performing “turnkey” projects, as a delay in one piece of work leads to a delay of the whole “turnkey” project; i.e. the main objects of protection become not only the information but also the system resources.
- The user's lack of qualification in matters of information security, and unwillingness to deal with these subjects (he has other duties connected with preparing design documentation and performing design work), and at the same time the presence of a security administrator whose basic official duty is information protection, i.e. who is employed precisely to solve this problem and who a priori must possess high qualification, since otherwise, in modern conditions, one cannot speak about any effective protection of confidential information.
- All administration of the protection tools should be performed directly by the administrator; the user should be excluded from the administration scheme in all its manifestations, as only under these conditions can the administrator organise information protection.
- Mistrust towards the user: the user processes not his own but corporate or other confidential information, which is potentially “goods”; consequently, the user should be regarded as a potential malefactor (recently the concept of the insider, and of the internal IT threat, i.e. the threat of information theft by an authorised user, has even appeared; some consumers and manufacturers of protection tools position it as one of the dominating threats, which is not without foundation).
- In most cases, confidential information is processed in a corporate network, and not always locally, which makes it impossible to effectively solve the problem of security administration locally on each computer without a corresponding toolkit (the administrator's workstation in the network).
It should be noted that now more than ever a well-designed, comprehensive protection of the corporate information space from the encroachments of attackers, both outside and inside the company, is needed:
- In recent years experts have noted that the damage caused by viruses keeps increasing. According to Computer Economics, in 2002 the damage amounted to about $11 billion, in 2003 this figure reached $12.5 billion, and at the beginning of 2004 the damage from the MyDoom epidemic alone amounted to more than $4 billion.
- The damage from spam increases more considerably every year: more and more viruses and trojan programs are distributed with unsolicited correspondence. Besides, the damage from working hours lost on analysing and reading spam is, by various estimates, already $50-200 per year per employee, and these figures also continue to grow.
- The recorded volume of losses from computer crimes committed by hackers, and from theft of confidential information by company employees, is already estimated at hundreds of billions of dollars.
Naturally, the same protection tool cannot satisfy both groups of these contradictory conditions of use simultaneously, i.e. be effective in alternative applications. It is then obvious that, for alternative application areas, alternative principles must be put at the basis of building protection tools.
When choosing tools to protect the confidential data of a design organisation, the security issues of the application are dominant, rather than simplicity of the interface and how frequently the base of detected signatures is updated. Indeed, when it comes to corporate applications, the cornerstone is already the problem of effective information protection, which must be solved professionally. It is no accident that information protection in these applications is regulated by corresponding standard documents, that protection tools are subject to certification, the automated information processing system to attestation, and all of it together to a qualified analysis of the sufficiency and correctness of implementation of the protection mechanisms.
The basis of information security in these applications is already formed by protection mechanisms implementing an access-differentiation policy for resources, rather than by elementary monitoring mechanisms!
The major condition for building protection in corporate applications is that the user must be regarded as the main potential malefactor (insider). As noted, this is because the user here processes not his own but corporate information and hence may be interested in stealing it. Consequently, the user must be excluded from the scheme of administering the protection tool. Here it is inadmissible to ask the user any questions whose answers define system actions. There is a security administrator, and any “dialogue” of protection tools is possible only with the administrator. Taking into account that, as a rule, the security administrator must be responsible for the security of a set of computers in the network (whose number may run into the hundreds), the possibility of such a “dialogue” is essentially excluded.
Let's give the known generalised classification of virus attacks:
1. “Malicious programs” (trojans, etc.): separate programs which carry out some destructive or unauthorised actions.
2. “Viruses”: programs which usually have no executable module of their own and “live” in another file object or in part of the physical medium (as a rule, infection is carried out by attaching them to an executable file).
3. “Macro viruses” (scripting viruses): programs which require a certain execution environment (a shell, a virtual machine, etc.). Office applications which allow macros to be created and attached can also be placed in this group.
4. “Worms”: a variant of 1, 2 or 3 which uses network capabilities for infection.
From this classification it follows that the threat of a virus attack is carried by a process which, for whatever reason, performs the action one needs to be protected from. On the basis of all that has been said, we can conclude that the problem of anti-virus protection can be solved by mechanisms implementing an access-differentiation policy for resources. Indeed, allow only authorised processes (including system ones) to start on the protected computer, and prevent any possibility of modifying their executable files, and you can “forget” about all trojans, spyware and other destructive programs. Thus the problem is solved in general form: you allow only the necessary programs to start, and the start of all others is forbidden regardless of how they got onto the computer; no detection of signatures and no monitoring by comparison with a reference are required. If for some reason you do not trust some of the authorised processes (for example, office applications which allow macros to run), you can set separate restrictions for them (for example, preventing them from modifying the system disk and the OS registry). This too is implemented by an access-differentiation policy for resources, but now not for user accounts but for processes (the process acts as the subject of access).
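The following is an added illustration of the mechanism just described, not code from the article or from any product it mentions. It models the two rules the paragraph states: a process may start only if it is on the allowlist and its executable is unchanged, and a process that is authorised but not fully trusted (here the office application) is confined as a subject of access. The paths, image bytes, hashes and event stream are constructed for the demonstration.

```python
"""Process-as-subject access policy: an application allowlist with integrity
checking and per-process write restrictions (added example, not from the article)."""
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for executable images on disk.
WORD_IMAGE = b"MZ-constructed-winword-image"
EXPLORER_IMAGE = b"MZ-constructed-explorer-image"
WORD = "C:\\Program Files\\Office\\WINWORD.EXE"
EXPLORER = "C:\\Windows\\explorer.exe"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Policy:
    # Authorised executables and the hash each image must still have at start.
    allowed_images: dict
    # Subject (executable path) -> location prefixes that subject may not write.
    # Subjects not listed here may write anywhere except to authorised images.
    write_denied: dict = field(default_factory=dict)


POLICY = Policy(
    allowed_images={WORD: sha256_hex(WORD_IMAGE), EXPLORER: sha256_hex(EXPLORER_IMAGE)},
    # The office application can run macros, so it is confined: no writes to
    # the system disk or the registry (the article's own example).
    write_denied={WORD: ("C:\\Windows\\", "HKLM\\", "HKCU\\")},
)


def may_start(policy: Policy, image_path: str, image_bytes: bytes) -> tuple:
    """Allow a start only for an allowlisted path whose on-disk image is
    unchanged. No signature of the bad program is needed: anything outside
    the allowlist, however it arrived, is refused."""
    expected = policy.allowed_images.get(image_path)
    if expected is None:
        return False, "not in allowlist"
    if sha256_hex(image_bytes) != expected:
        return False, "authorised image modified"
    return True, "authorised"


def may_write(policy: Policy, subject: str, target: str) -> bool:
    """Write access decided with the process as the subject."""
    # Nobody may modify an authorised executable; this is what stops
    # file-infecting viruses and keeps the allowlist meaningful.
    if target in policy.allowed_images:
        return False
    denied = policy.write_denied.get(subject, ())
    return not any(target.startswith(prefix) for prefix in denied)


def evaluate(policy: Policy, events: list) -> list:
    """Apply the policy to an event stream and return one decision per event."""
    decisions = []
    for ev in events:
        if ev["op"] == "start":
            ok, why = may_start(policy, ev["image"], ev["bytes"])
        else:  # "write"
            ok = may_write(policy, ev["subject"], ev["target"])
            why = "allowed" if ok else "denied by process rule"
        decisions.append((ev["op"], ev.get("image") or ev.get("target"), ok, why))
    return decisions


# Constructed events: a legitimate start, a dropped unknown program, a patched
# system image, a macro trying to persist in the registry, normal document
# work, and an attempt to overwrite an authorised executable.
EVENTS = [
    {"op": "start", "image": WORD, "bytes": WORD_IMAGE},
    {"op": "start", "image": "C:\\Temp\\invoice.pdf.exe", "bytes": b"MZ-anything"},
    {"op": "start", "image": EXPLORER, "bytes": EXPLORER_IMAGE + b"\x90"},
    {"op": "write", "subject": WORD, "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"},
    {"op": "write", "subject": WORD, "target": "C:\\Projects\\turnkey\\spec.doc"},
    {"op": "write", "subject": EXPLORER, "target": WORD},
]

if __name__ == "__main__":
    for decision in evaluate(POLICY, EVENTS):
        print(decision)
```

The point to notice is that the decision never consults a list of known malware: the unknown program is refused because it is absent from the allowlist, and the modified system executable is refused because its hash no longer matches, exactly the “comparison with a reference is not required” argument made above.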
We see that this yields a completely different solution of the anti-virus protection problem, one which makes it possible to counter, effectively and in general form, both known and any potentially possible viruses. The question involuntarily arises: if such technologies exist, why have people not switched to them en masse? Here the major principle shows itself again: alternative application areas of information protection tools demand alternative approaches to their construction. Imagine an ordinary user who needs to configure isolation of the program environment and restrictions for processes, including system ones. None of this is difficult given the appropriate qualification, but will the usual owner of a personal computer bother with it, and does he need to? And if he tries, what will he end up with? So he uses tools built on monitoring mechanisms: it is better than nothing.
Let's consider a methodological basis for formalising requirements to information protection tools
Vulnerability of a protection system is an attribute of the system, and the presence (absence) of vulnerabilities is a characteristic of the system's security. Hence, ensuring the absence of vulnerabilities in the protection should be at the basis of formalising requirements to information protection tools.
Since the cause of a protection vulnerability can be either an incorrect implementation of a protection mechanism or an insufficiency of the set of protection mechanisms for the conditions of use of the protected object, the methodological basis for formalising requirements to information protection tools should be the definition of requirements to the correctness of implementation of protection mechanisms and of requirements to the sufficiency (completeness of the set) of protection mechanisms for the conditions of use of the protected object.
The formalised requirements, in the form in which they are formulated in standard documents (in general form), fully formulate the requirements to the correctness of protection mechanisms.
The formalised requirements are of a general character and do not go into detail with respect to the architectural features of specific system tools, which makes their ambiguous interpretation in each specific case possible.
With respect to specific application areas, it makes sense to define clarifying requirements to the correctness of implementation of protection mechanisms. The purpose of the clarifying requirements is to eliminate ambiguity in interpreting the general requirements when building protection tools for alternative applications.
The formalised requirements (both the basic and the clarifying ones) must be obligatory for implementation by the developer, regardless of the way the requirements to a protection tool are formalised, since their non-fulfilment carries a vulnerability of the protection mechanism, i.e., in essence, makes practical use of that mechanism largely useless.
The condition for fulfilling the requirements to completeness of implementation of an access-differentiation policy for resources, in general form, is the ability of the protection tool to control access to all local and network resources, including local and shared file objects and devices, ports, local and network printers, the OS registry, remote computers (the function of a personal firewall), etc.
The condition under which a protection tool that does not implement the formalised completeness requirements in full may be used without additional protection tools covering the unfulfilled requirements is that those local and network resources to which the tool does not provide access control are switched off (or not used) in the system; in essence, this changes the conditions of use of the protection tool.
Any substitution of organisational measures for the technical capability of controlling access to resources is inadmissible. The only admissible organisational measure in this case is switching off a resource whose access the protection tool does not control, and this is admissible only if it is technically feasible (it is impossible to switch off the OS registry, etc.).
Basic requirements (standalone use of the computer) to the set of access control mechanisms (fulfilment of these requirements must be obligatory for the protection system under any conditions of use of the protected computer):
- access control to file objects on the hard disk;
- access control to all external storage and to file objects on removable media (floppy disk, flash device, CD-ROM disk, etc.);
- access control to OS registry objects;
- access control to devices (including their hierarchy: ports, devices connected to ports, media), i.e. to all objects interpreted by the OS as devices.
A protection tool that does not implement the basic requirements is not sufficient for protecting confidential information processed by computing means.
Additional to the basic requirements (the computer as part of a network):
- control of access by remote users to file objects, storage and devices shared by this computer in the network;
- control of access by users to file objects, storage and devices shared by remote network computers;
- access control to remote hosts and network devices (those having an IP address, for example network printers), and, accordingly, from remote hosts and network devices.
A protection tool that does not implement the additional requirements is not sufficient for protecting confidential information processed by computing means that are part of a network (in particular, a LAN).
Thus, we formulate the basic conclusions:
1. An information protection tool can be used as a self-sufficient protection tool (without additional tools besides it) only on condition that all requirements to the correctness of implementation and to the completeness of the set (sufficiency for the application area) of protection mechanisms are fulfilled in full.
2. The requirements formulated in the standard documents considered (in particular, the clarifying requirements formulated in this work) are positioned by us as obligatory for fulfilment by the developer of protection tools. These requirements must be taken into account regardless of the way the requirements to a protection tool are formalised (whatever the way of formalising the requirements, these requirements must be present), since even their partial non-fulfilment carries a vulnerability of the information protection tool: it forms a “channel” of unauthorised access to the information and, consequently, the threat that a malefactor overcomes the protection.
3. If any mechanism does not fulfil the requirements to correctness of implementation, it must not be used or considered part of an information protection tool, since this mechanism carries a vulnerability and, consequently, the threat of being overcome by a malefactor.
4. If the set of mechanisms of a protection tool does not fulfil the requirements to completeness (sufficiency for the application area), that protection tool is not self-sufficient for the given conditions of use. Two approaches to solving the protection problem are then possible: either change the conditions of use of the protected computing means (if technically feasible; using organisational measures to solve this problem is inadmissible), or supplement the protection system with other tools so that, in aggregate, they fulfil the formalised requirements to completeness of the set of protection mechanisms.
5. The basic and the additional requirements to completeness of the set of protection mechanisms define the possibility of using a protection tool in the possible alternative applications of protected computing means (a standalone computer, a computer as part of a network). Hence, any of the possible conditions of use of computing means falls under this set of completeness requirements.
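As an added example of applying conclusions 1, 3 and 4 (not code from the article), the routine below checks a candidate set of protection tools against the basic and additional completeness requirements listed above. The resource categories follow the article's two lists; the sample tools, their correctness flags, and which resources can technically be switched off are constructed assumptions.

```python
"""Assessing protection tools against the completeness (sufficiency)
requirements (added example, not from the article)."""

# Basic requirements: standalone computer.
BASIC = frozenset({"hdd_files", "removable_media", "registry", "devices"})
# Additional requirements: computer as part of a network.
NETWORK = frozenset({"shared_inbound", "shared_outbound", "remote_hosts"})
# Assumption: resources whose use can be technically switched off, changing the
# tool's conditions of use. The registry cannot be (the article's example),
# nor can the hard disk or the device tree.
SWITCHABLE = frozenset({"removable_media", "shared_inbound", "shared_outbound", "remote_hosts"})


def required(networked: bool) -> frozenset:
    return BASIC | NETWORK if networked else BASIC


def effective_mechanisms(tools: list) -> set:
    """Conclusion 3: a mechanism that fails the correctness requirements is not
    counted at all. Each tool is a dict {resource: implemented_correctly}."""
    return {res for tool in tools for res, correct in tool.items() if correct}


def assess(tools: list, networked: bool) -> dict:
    """Conclusions 1 and 4: self-sufficient, or sufficient only after switching
    off uncontrolled resources, or in need of supplementary tools."""
    missing = required(networked) - effective_mechanisms(tools)
    must_disable = missing & SWITCHABLE
    must_supplement = missing - SWITCHABLE
    if not missing:
        verdict = "self-sufficient"
    elif not must_supplement:
        verdict = "sufficient only if uncontrolled resources are switched off"
    else:
        verdict = "not self-sufficient: supplement with other tools"
    return {"verdict": verdict, "disable": sorted(must_disable), "supplement": sorted(must_supplement)}


# Constructed sample tools.
HOST_TOOL = {"hdd_files": True, "removable_media": True, "registry": True,
             "devices": True, "shared_inbound": True}
WEAK_TOOL = {"hdd_files": True, "removable_media": True, "registry": False, "devices": True}
NET_ADDON = {"shared_outbound": True, "remote_hosts": True}

if __name__ == "__main__":
    print(assess([HOST_TOOL], networked=False))
    print(assess([HOST_TOOL], networked=True))
    print(assess([WEAK_TOOL], networked=False))
    print(assess([HOST_TOOL, NET_ADDON], networked=True))
```

Note that WEAK_TOOL implements registry control, but incorrectly, and so it is treated exactly as if the mechanism were absent; since the registry cannot be switched off, the only remaining route is a supplementary tool.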
Let's consider simple and free protection for a workstation: an Internet gateway + firewall.
If all personal computers are protected, the question arises: why additionally protect the network by means of a gateway? The problem is that all local computers are in the trusted network, and the gateway installed on the boundary between the trusted network and the Internet becomes a weak spot. Having seized the gateway via the Internet, a malefactor gets into the trusted network of the organisation performing design work, can seize other computers of the local network and gain access to important design documentation. Therefore, the requirements to a modern gateway are very high.
An Internet gateway stands alongside other ready-made solutions and should meet the following main criteria:
- universality (suitable for the majority of design organisations);
- functionality (possesses all the capabilities necessary to solve the problems);
- reliability (fault-free operation in any conditions);
- low cost of ownership (minimum expenses on deployment and support, simplicity of use and management).
However, the most widespread Internet gateways today do not fully meet modern requirements.
Recently, new specialised solutions for enterprises have appeared on the world market which, at a small price, offer high security, reliability and low cost of ownership and can be effectively applied in organisations performing design work. Similar systems are available on the Russian market as well.
Thus, a firewall is necessary for controlling and restricting network traffic. Windows XP Service Pack 2 includes a firewall. It can be enabled in the Security Center on the Control Panel. A shortcoming of the XP firewall is that it blocks only incoming connections. If a spyware module is already running on your computer, you cannot track the outgoing connections it makes from your PC. A bidirectional firewall is necessary for full safety. An optimal variant, perhaps, is the free version of ZoneAlarm from Zone Labs. However, ZoneAlarm does not support old versions of Windows (98, 2000). If you have an old OS, you must either urgently install Windows XP SP2 or pay for a commercial firewall.
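The difference described above, inbound-only filtering versus a bidirectional firewall with per-application rules, is modelled in the following added example; it is not code from the article or from any of the products it names. The connection records, the allowed programs and their ports are constructed.

```python
"""Inbound-only versus bidirectional host firewall (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    direction: str          # "in" or "out"
    app: str                # program that owns the socket
    remote: str             # remote address
    port: int               # local port for "in", remote port for "out"
    solicited: bool = False # "in": reply to a connection we opened ourselves


# Assumed local rules: programs permitted to talk out and the ports they use,
# and services permitted to accept unsolicited inbound connections.
OUTBOUND_ALLOWED = {"iexplore.exe": {80, 443}, "outlook.exe": {25, 110}}
INBOUND_ALLOWED_PORTS = set()   # a workstation serves nothing


def inbound_only(conn: Conn) -> bool:
    """XP SP2-style behaviour: unsolicited inbound is dropped, anything
    outbound is passed without looking at which program sends it."""
    if conn.direction == "in":
        return conn.solicited or conn.port in INBOUND_ALLOWED_PORTS
    return True


def bidirectional(conn: Conn) -> bool:
    """Outbound is allowed only for known programs on their expected ports."""
    if conn.direction == "in":
        return conn.solicited or conn.port in INBOUND_ALLOWED_PORTS
    return conn.port in OUTBOUND_ALLOWED.get(conn.app, set())


def compare(conns: list) -> list:
    """Return (connection, inbound-only verdict, bidirectional verdict) per record."""
    return [(c, inbound_only(c), bidirectional(c)) for c in conns]


# Constructed traffic: normal browsing and its reply, a probe from outside,
# an unauthorised program reporting out, and normal mail.
TRAFFIC = [
    Conn("out", "iexplore.exe", "203.0.113.10", 443),
    Conn("in", "-", "198.51.100.7", 445),
    Conn("in", "iexplore.exe", "203.0.113.10", 49152, solicited=True),
    Conn("out", "svch0st.exe", "198.51.100.9", 6667),
    Conn("out", "outlook.exe", "203.0.113.25", 25),
]

if __name__ == "__main__":
    for c, a, b in compare(TRAFFIC):
        print(f"{c.direction:3} {c.app:14} {c.remote}:{c.port}  inbound-only={a}  bidirectional={b}")
```

Both filters agree on every record except the fourth: the unknown program's outgoing connection passes an inbound-only filter untouched, which is precisely the gap the paragraph warns about.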
Let's consider data encryption
Even if nobody but you uses your home PC, important data stored on the hard disk can all the same fall into the wrong hands. At work, a colleague can make use of your computer while you are away. In any case, it is better to encrypt important data. The majority of data encryption programs cost money, and many of them are perhaps too complex for the majority of users. One good option is the free Cryptainer LE. After installation, the program creates an encrypted virtual volume on the hard drive. Files copied to this disk are encrypted automatically, and no password is required to work with them (it is entered only when the virtual disk is mounted). The program also allows an entire USB flash drive to be encrypted.
Let's consider protection against swindlers (phishing)
“Phishing” is a kind of fraud involving the sending of electronic messages to obtain confidential data about your bank accounts or your personal information. The scheme works simply: you receive a letter ostensibly from your bank whose text asks you to follow a link “to confirm the specified data”, etc. Having followed the link, you end up on a site exactly like your bank's. Protecting yourself is simple: do not use the links given in electronic letters from your bank. Additional protection is offered by browser toolbars, for example Google Toolbar, Netcraft Toolbar, etc., which will warn you of danger in time. And all new browsers, Internet Explorer 7 and Firefox 2.0, contain built-in protection against “phishing”.
Never open files with extensions unknown to you (or with the known extensions of executable files: *.com, *.exe, *.bat) that were downloaded from the Internet or received by e-mail without first checking them with special programs. If you have received files by mail from your acquaintances, first ask them by phone whether they sent them to you. This will help avoid infecting the computer with spyware and Trojan horses.
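The two checks recommended in the preceding paragraphs, a link whose visible text names one site while its address leads to another, and an attachment with an executable extension, are implemented in the following added example (not code from the article). The article names *.com, *.exe and *.bat; the other extensions in the list, the message body, the domains and the file names are constructed assumptions, and the “registered domain” comparison is a crude last-two-labels rule rather than a public-suffix list.

```python
"""Triage of an incoming message: lookalike links and risky attachments
(added example, not from the article)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# The article names *.com, *.exe, *.bat; the rest are added as an assumption
# about other directly executable file types.
EXECUTABLE_EXT = {".com", ".exe", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Crude site identity: the last two labels (assumption, no suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(html: str) -> list:
    """Flag a link whose text looks like a host in one registered domain while
    the href goes to another, or whose href is a bare IP address."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        shown = text if "://" in text else "http://" + text
        shown_host = urlparse(shown).hostname or ""
        if host.replace(".", "").isdigit():
            flagged.append((href, "href is a bare IP address"))
        elif shown_host and "." in shown_host and registered_domain(shown_host) != registered_domain(host):
            flagged.append((href, f"text shows {shown_host}, href goes to {host}"))
    return flagged


def risky_attachments(names: list) -> list:
    """Executable extensions, including ones hidden behind a double extension."""
    flagged = []
    for name in names:
        parts = name.lower().split(".")
        ext = "." + parts[-1] if len(parts) > 1 else ""
        if ext in EXECUTABLE_EXT:
            reason = "executable"
            if len(parts) > 2:
                reason += " disguised by double extension"
            flagged.append((name, reason))
    return flagged


# Constructed message resembling the scenario described in the text.
BODY = """<p>Dear client, confirm your details:</p>
<a href="http://mybank.example.login-verify.test/confirm">www.mybank.example</a>
<a href="http://198.51.100.5/secure">Secure login</a>
<a href="https://www.mybank.example/help">Help centre</a>"""
ATTACHMENTS = ["statement.pdf", "photo.jpg.exe", "setup.bat"]

if __name__ == "__main__":
    print(suspicious_links(BODY))
    print(risky_attachments(ATTACHMENTS))
```

The third link is left alone: its text is not a host name and its address stays within the bank's own domain. A real mail filter would also want a public-suffix list so that “bank.co.uk” style names are compared correctly.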
Let's consider the use of proxy servers
The most important thing is not to use the computer's real Internet IP address: then a malefactor cannot connect to your computer. Let us explain in passing that an IP address (Internet Protocol Address) is a unique identifier of a device (computer) connected to a local network or the Internet, by which external devices identify it in order to receive information from it or transmit information to it.
Owners of web resources can obtain a lot of data about your computer: learn which operating system you use and the PC name, track your movements across the network, determine your approximate geographical position by IP address, and many other things. These problems can be avoided by surfing the Internet anonymously: it is possible to buy special software or, if you do not want to spend money, to use free anonymous proxy servers. An anonymous proxy server serves as a buffer between your computer and the network. In this situation even your IP address is in relative safety: the servers hosting Internet sites “see” the IP address of the proxy server instead of your computer's. Such a service is offered, for example, by the anonymous surfing system The Cloak. Follow the “surf!” link in the left corner of the page and type the URL of the site you are going to visit. It is also possible to configure a browser manually to work through a proxy server. A list of suitable servers can be found on the AiS Alive Proxy List. Write down the IP address of a server and the port number it uses. For example, the figures “220.127.116.11:80” mean IP address 220.127.116.11, port 80. Having decided on a server, in Internet Explorer choose Tools -> Internet Options -> Connections -> LAN Settings. Tick “Use a proxy server for your LAN” and fill in the “Address” and “Port” fields. Disable the use of the proxy server for local addresses (the separate checkbox “Bypass proxy server for local addresses” in the same window), as there is no need for anonymity within the local network. Then press OK twice to exit. If you connect to the Internet not through a local network, you must configure the properties of the connection you use to reach the Internet: tick “Use a proxy server for this connection” and specify the IP address and port number.
In Firefox choose Tools -> Options -> General -> Connection Settings, select “Manual proxy configuration”, enter the server information and press OK twice.
Let's consider protection of local files
Set passwords of at least 12 characters in length and never tell your password to anybody, even the system administrator (he should have his own password). Ask the system administrator to restrict access to your files to those employees who need it under their duty regulations, and to restrict access to files over the network as much as possible. Store the most important files on a USB flash card; it is no more difficult to use than a floppy disk. Change the password as often as possible: choose an algorithm for changing the password, for example on the 1st day of each month. Do not rely on your colleagues being respectable citizens; after all, strangers can get into the premises and start trying well-known passwords: “1”, “11”, “12345”, “password”, “2006”, “lena2006”, etc. Always lock the computer or switch it off when you leave the office. Ask your administrator to set a BIOS power-on password and to seal the computer case with a stamped label.
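The password rules in the paragraph above, a minimum length of 12, none of the well-known weak passwords, no first name followed by a year, and rotation on the 1st of each month, are collected into a small checker in the following added example (not code from the article). The weak-password list is the article's own examples plus a few assumed common ones; the list of first names is constructed.

```python
"""Password policy checks and rotation schedule (added example, not from the article)."""
import re
from datetime import date

MIN_LENGTH = 12
# The article's examples of passwords strangers try first, plus assumed common ones.
WEAK = {"1", "11", "12345", "password", "2006", "lena2006", "qwerty", "admin"}
# Assumption: first names an intruder on the premises might guess.
KNOWN_NAMES = {"lena", "ivan", "olga", "sergey"}
NAME_YEAR = re.compile(r"^([a-z]+)(19|20)\d\d$")


def check_password(pw: str) -> list:
    """Return the list of violated rules; an empty list means the password is accepted."""
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if low in WEAK:
        problems.append("in the well-known weak password list")
    if low.isdigit():
        problems.append("digits only")
    m = NAME_YEAR.match(low)
    if m and m.group(1) in KNOWN_NAMES:
        problems.append("first name followed by a year")
    if len(set(low)) < 4:
        problems.append("too few distinct characters")
    return problems


def next_rotation(today: date) -> date:
    """The article's schedule: the password changes on the 1st of each month."""
    year, month = (today.year + 1, 1) if today.month == 12 else (today.year, today.month + 1)
    return date(year, month, 1)


def rotation_overdue(last_change: date, today: date) -> bool:
    return today >= next_rotation(last_change)


if __name__ == "__main__":
    for candidate in ["lena2006", "12345", "turnkey-project-2006!"]:
        print(candidate, check_password(candidate) or "accepted")
    print(next_rotation(date(2006, 12, 5)))
```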
Be attentive to visiting specialists: this is one of the main channels of data leakage. Write down their identification data and take a signed non-disclosure receipt. Never leave the “client-bank” system key diskette in the computer for a long time, and do not create a copy of it on the computer.
To protect the information on a personal computer, use at least four kinds of programs:
1. Antiviruses, such as Kaspersky Antivirus, DrWeb, Norton Antivirus, Panda, NOD32.
2. A personal firewall (also called a network screen or brandmauer). Such programs protect against penetration into your computer over the network and block virus epidemics. It is possible to use the firewall built into Windows, though more powerful ones are recommended: Agnitum Outpost, Symantec Personal Firewall.
3. Utilities for detecting spyware and Trojan programs. System administrators often forget about such utilities; among the free ones, Ad-aware from Lavasoft can be recommended.
4. Backup programs. Here the choice is very wide; it is best to consult the system administrator so that the important information from all computers is duplicated on a backup medium. You can also create backup copies of your files yourself on a USB flash card or a rewritable CD (CD-RW). Protect your work and make backup copies as often as possible; after all, you will have to restore lost accounting data or important files by hand.
Let's consider protection of the users and network of an organisation performing design work
A modern Internet gateway should first of all protect the users and network of the design organisation from attacks from the Internet. To solve this problem, Ideco ICS uses NAT (Network Address Translation) technology. This technology hides users from external malefactors, making them invisible from the Internet. Another important function of NAT is providing quality access to the Internet: all user programs work without additional settings, which favourably distinguishes NAT from proxy technology.
But besides the dangers that lie in wait directly on the Internet, there are also threats inside the organisation performing design work. For example, information can be intercepted, or transmitted to the Internet on behalf of another user. To prevent such threats, VPN (Virtual Private Network) technology is used together with NAT. Over VPN, the administrator assigns each user a personal protected IP address which is permanently fixed to him. By default, a computer of the design organisation has no access to the Internet; only after entering a login and password does the employee of the organisation performing design work receive a personal protected exit to the worldwide network. Besides, VPN technology allows branches, and mobile employees working from home or on business trips, to be connected over a protected channel.
The Ideco ICS Internet gateway also provides anti-virus protection. All sent and received mail is checked by the built-in antivirus. Thus, when receiving and sending mail you can be sure that it does not contain viruses, and virus epidemics will not strike your local network through the electronic mail system.
Let's consider traffic accounting, planning and limiting of expenses
But what if security has already been breached? In this case detailed statistics come in very handy. They make it possible to establish the circumstances after security has been breached by dishonest employees. With the statistics it is always possible to determine precisely who transferred data, when and where. Beyond that, it helps save the money of the organisation performing design work. Having received a report on Internet usage in megabytes and in roubles, it is easy to plan subsequent Internet expenses for users and departments and to set corresponding limits. Programs often download very large volumes of data without the user's knowledge, so a limit should be set both for diligent users and for the organisation as a whole; this avoids heavy expenses.
A modern Internet gateway allows expenses to be monitored in real time, warns of over-expenditure and blocks Internet access when the established limit is exceeded.
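As an added example (not code from the article or from Ideco ICS), the following Python script shows what such accounting looks like in practice: it totals traffic per user from constructed gateway log lines, converts the totals to megabytes and to roubles at an assumed tariff, reports who is approaching or over an assumed quota, and answers the who/when/where question for a given destination. The log format, user names, tariff and quotas are all constructed for illustration.

```python
from collections import defaultdict

# Constructed gateway accounting log: "<timestamp> <user> <destination> <bytes>"
# (an invented format for illustration, not Ideco ICS's log format)
SAMPLE_LOG = """\
2024-01-15T09:01:12 ivanov www.example.com 1048576
2024-01-15T09:05:40 ivanov cdn.example.net 52428800
2024-01-15T09:07:03 petrova mail.example.org 204800
2024-01-15T09:09:55 ivanov updates.example.net 41943040
2024-01-15T09:10:20 petrova www.example.com 3145728
2024-01-15T09:11:00 truncated line
"""

MB = 1024 * 1024
RUB_PER_MB = 0.5  # assumed tariff, only to express usage in roubles


def parse_log(text):
    """Yield (timestamp, user, destination, bytes); malformed lines are skipped, not guessed."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, dest, nbytes = parts
        try:
            yield ts, user, dest, int(nbytes)
        except ValueError:
            continue


def usage_per_user(text):
    """Total bytes transferred per user."""
    totals = defaultdict(int)
    for _, user, _, nbytes in parse_log(text):
        totals[user] += nbytes
    return dict(totals)


def check_quotas(text, quotas_mb, warn_fraction=0.8):
    """Return {user: (mb_used, roubles, status)} where status is
    'ok', 'warn' (at or above warn_fraction of the quota) or 'blocked' (over the quota)."""
    result = {}
    for user, nbytes in usage_per_user(text).items():
        mb_used = nbytes / MB
        quota = quotas_mb.get(user)
        if quota is None:
            status = "ok"
        elif mb_used > quota:
            status = "blocked"
        elif mb_used >= warn_fraction * quota:
            status = "warn"
        else:
            status = "ok"
        result[user] = (round(mb_used, 2), round(mb_used * RUB_PER_MB, 2), status)
    return result


def transfers_to(text, destination):
    """Who sent data to a destination, and when: the 'who, when and where' question."""
    return [(ts, user, nbytes) for ts, user, dest, nbytes in parse_log(text)
            if dest == destination]


if __name__ == "__main__":
    quotas = {"ivanov": 100, "petrova": 3}  # constructed per-user limits in MB
    for user, (mb, rub, status) in sorted(check_quotas(SAMPLE_LOG, quotas).items()):
        print(f"{user:10} {mb:8.2f} MB {rub:8.2f} RUB  {status}")
    for ts, user, nbytes in transfers_to(SAMPLE_LOG, "www.example.com"):
        print(f"{ts} {user} sent {nbytes} bytes to www.example.com")
```

The warning threshold is the point at which a real gateway would notify the user or administrator; the block status is where it would cut off access until the limit is raised.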
Let's consider traffic filtering according to the policy of the organisation performing design work
An important element of ensuring information security is the firewall running on the gateway. A gateway firewall allows unnecessary protocols to be prohibited, access to certain sites to be restricted, and certain applications to be blocked, for example file-sharing (peer-to-peer) clients.
Files offered for download on the Internet can also be dangerous. Such files are often infected with viruses and spyware. The firewall allows downloads of files of certain types to be prohibited, for example those with the extensions *.exe or *.avi.
The firewall in Ideco ICS has one interesting feature: it processes traffic intelligently to assign priorities, which allows important applications to work properly even when the Internet channel is fully loaded.
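As an added example (not Ideco ICS configuration or code), here is the decision logic of such a policy filter in Python, with constructed policy values: blocked destination ports, blocked site patterns and blocked file types. It also shows two checks a practitioner wants from the file-type rule: the comparison ignores letter case, so SETUP.EXE is caught, and it looks only at the URL path, so a query string such as ?file=a.exe is not mistaken for a download. The hostnames and ports in the policy are constructed.

```python
import fnmatch
import os
from urllib.parse import urlparse

# Constructed policy for the organisation's gateway
POLICY = {
    # destination TCP ports the policy does not allow (constructed values)
    "blocked_ports": {6881, 6889},
    # hostname patterns for sites that are off-limits (shell-style wildcards)
    "blocked_sites": {"*.games.example", "filehost.example"},
    # file types that may not be downloaded; matched case-insensitively
    "blocked_extensions": {".exe", ".avi"},
}


def host_blocked(policy, host):
    """True if the host matches any blocked-site pattern.
    Note that "*.games.example" does not match the bare "games.example";
    list the apex name explicitly if it should be blocked too."""
    host = (host or "").lower()
    return any(fnmatch.fnmatchcase(host, pattern) for pattern in policy["blocked_sites"])


def extension_blocked(policy, url):
    """True if the file name in the URL *path* carries a blocked extension.
    The query string is deliberately ignored: /get?file=a.exe is not an .exe download."""
    path = urlparse(url).path
    _, ext = os.path.splitext(path)
    return ext.lower() in policy["blocked_extensions"]


def decide(policy, dst_port, url=None):
    """Evaluate one connection (port) or one HTTP request (port + URL).
    Returns ("deny", reason) or ("allow", None); the first matching rule wins."""
    if dst_port in policy["blocked_ports"]:
        return "deny", f"port {dst_port} not permitted"
    if url:
        host = urlparse(url).hostname
        if host_blocked(policy, host):
            return "deny", f"site {host} is blocked"
        if extension_blocked(policy, url):
            return "deny", "file type not permitted"
    return "allow", None


if __name__ == "__main__":
    # constructed requests run through the policy
    for port, url in [(80, "http://www.example.com/index.html"),
                      (80, "http://www.example.com/SETUP.EXE"),
                      (80, "http://www.example.com/get?file=a.exe"),
                      (443, "https://cdn.games.example/x.png"),
                      (6881, None)]:
        print(port, url, "->", decide(POLICY, port, url))
```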
Of course, the gateway itself must also be protected as well as possible. When choosing one, pay attention to which operating system it runs on, because once the Internet gateway has been broken into, all other protection simply loses its meaning. One of the most secure operating systems today is Linux. Previously only enterprises with highly qualified system administrators possessing special knowledge could use Linux. Today more and more ready-made products based on Linux are appearing. Thus the Ideco ICS gateway runs on Linux but is managed through a simple graphical interface that an ordinary user can understand.
Let's consider the comprehensive approach to protection against virus threats
Such an approach to protection against malicious code provides for the coordinated application of legal, organisational, and hardware and software measures that together block all the main channels through which virus threats are realised. According to this approach the organisation should implement the following series of measures:
- identifying and eliminating the vulnerabilities through which virus threats are realised. This removes the causes of possible virus attacks;
- timely detection and blocking of virus attacks;
- identifying and eliminating the consequences of virus threats. This class of protective measures is aimed at minimising the damage caused when virus threats are realised.
It is important to understand that effective implementation of the measures listed above in an organisation performing design work is possible only with regulatory and methodological, technological and personnel support for anti-virus security.
Regulatory and methodological support for anti-virus security assumes the creation of a balanced legal basis in the field of protection against virus threats. For this purpose the company should develop a set of internal regulatory documents and procedures governing the operation of the anti-virus security system. The composition of such documents depends largely on the size of the organisation, the complexity of the AIS (automated information system), the number of protected objects, etc. For large organisations, for example, the basic regulatory document in the field of protection against malicious code should be an anti-virus security concept or policy. For small companies it is enough to develop the corresponding instructions and work regulations for users, and to include anti-virus protection requirements in the organisation's information security policy.
Within personnel support for anti-virus security, the company should organise training of employees in countering virus threats. The training programme should aim to minimise the risks associated with erroneous user actions that lead to virus attacks. Examples of such actions are: launching applications from unchecked removable media, using passwords that are easy to guess, and downloading ActiveX objects from sites not included in the trusted list. The training should cover both theoretical and practical aspects of anti-virus protection. The programme can be tailored to the employee's job duties and to the information resources they have access to.
Technological support is aimed at creating a comprehensive anti-virus protection system (CSAVP) which, besides antivirus software, should also include subsystems for spam protection, attack detection and prevention, vulnerability identification, network shielding, and management.
The virus detection subsystem is the basic element of the CSAVP and is intended to detect various types of computer viruses on users' workstations, servers and network gateways. For virus detection the subsystem should use both signature and heuristic analysis methods. When a virus is detected the subsystem notifies the user and the security administrator and removes the detected viruses from infected files. For effective protection the subsystem should be built on anti-virus engines from different vendors. This substantially raises the probability of detecting a virus, because each file or mail message is checked by several different means. Another advantage of multi-engine antivirus products is the higher reliability of the CSAVP: if one of the scanning engines fails, it can always be replaced by another active anti-virus engine. An example of a software product that can be used to build a CSAVP is Microsoft Antigen (www.antigen.ru), intended for anti-virus protection of Exchange and SharePoint servers, SMTP gateways and other application software. This product can include up to eight anti-virus engines from different vendors.
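To make the multi-engine idea concrete, here is an added Python example (not Antigen's or any vendor's code): three constructed engines, an exact-hash engine, a byte-pattern engine and a heuristic engine, scan the same file, and a fourth, deliberately failing engine stands in for one whose signature database is unavailable. The signatures, verdict names and sample contents are constructed. The scanner keeps going when an engine fails, and it refuses to call a file clean when no engine actually ran.

```python
import hashlib

# Engine 1 data: exact-hash signatures (constructed, computed from a constructed sample)
HASH_SIGNATURES = {
    hashlib.sha256(b"constructed-malware-sample-A").hexdigest(): "Constructed.Sample.A",
}
# Engine 2 data: byte-pattern signatures (constructed)
PATTERN_SIGNATURES = {b"CONSTRUCTED_PAYLOAD_B": "Constructed.Sample.B"}
# Engine 3 data: extensions a user would expect to hold documents, not programs
DOCUMENT_EXTENSIONS = (".txt", ".doc", ".rtf")


def hash_engine(name, data):
    """Detects only files identical to a known sample."""
    return HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())


def pattern_engine(name, data):
    """Detects a known byte sequence anywhere in the file."""
    for pattern, verdict in PATTERN_SIGNATURES.items():
        if pattern in data:
            return verdict
    return None


def heuristic_engine(name, data):
    """No signature needed: a DOS/Windows executable starts with the bytes 'MZ',
    so a file named like a document but carrying that header is suspicious."""
    if name.lower().endswith(DOCUMENT_EXTENSIONS) and data[:2] == b"MZ":
        return "Heur.ExecutableDisguisedAsDocument"
    return None


def unavailable_engine(name, data):
    """Constructed stand-in for an engine whose signature database failed to load."""
    raise RuntimeError("signature database unavailable")


ENGINES = [hash_engine, pattern_engine, heuristic_engine]


def scan(name, data, engines=ENGINES):
    """Run every engine over the file, tolerating engine failures.
    Returns {"status": infected|clean|unknown, "detections": {engine: verdict}, "failed": [...]}."""
    detections, failed = {}, []
    for engine in engines:
        try:
            verdict = engine(name, data)
        except Exception as exc:  # one broken engine must not stop the others
            failed.append(f"{engine.__name__}: {exc}")
            continue
        if verdict:
            detections[engine.__name__] = verdict
    if detections:
        status = "infected"
    elif len(failed) == len(engines):
        status = "unknown"  # nothing scanned the file: never report it clean
    else:
        status = "clean"
    return {"status": status, "detections": detections, "failed": failed}


if __name__ == "__main__":
    print(scan("report.txt", b"hello"))
    print(scan("x.exe", b"\x00CONSTRUCTED_PAYLOAD_B\x00",
               [hash_engine, pattern_engine, unavailable_engine]))
```

The "unknown" status is the practical point: a file that no healthy engine examined must be quarantined or rescanned, not released as clean.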
The network shielding subsystem is intended to protect users' workstations from possible network virus attacks by filtering potentially dangerous data packets. The subsystem should be able to filter at the link, network, transport and application layers of the TCP/IP stack. As a rule this subsystem is implemented with gateway and personal firewalls: the gateway firewall is installed at the point where the AIS connects to the Internet, and personal firewalls are placed on users' workstations.
The attack detection and prevention subsystem is intended to detect unauthorised virus activity by analysing the data packets circulating in the AIS and the events recorded on servers and users' workstations. It complements the gateway and personal firewalls by offering a more detailed contextual analysis of the contents of transmitted packets. This subsystem includes the following components:
- network and host sensors, intended to collect the necessary information about the operation of the AIS. Network sensors are implemented as separate hardware and software units and collect information about all data packets transmitted within the network segment where the sensor is installed. Sensors of this type should be present in all key segments of the AIS where protected nodes of the system are located. Host sensors are installed on AIS workstations and servers and collect information about all events occurring on those nodes. Host sensors can collect information not only about data packets but also about other operations performed by applications running on an AIS node;
- the attack detection module, which processes the data collected by the sensors in order to detect the intruder's information attacks. This module should implement signature and behavioural methods of analysis;
- the reaction module, which responds to detected attacks. It should support both passive and active reaction. Passive reaction means notifying the administrator of the detected attack, while active reaction means blocking the attempt to carry out the virus attack;
- the data storage module, which holds the configuration information and the results of the subsystem's work.
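The components just listed, as an added Python example that is not from the article or any product: constructed network-sensor records are fed to a detection module that applies a signature rule and a behavioural rule (one source fanning out to many hosts on one port within a short window, the pattern of a self-propagating worm), a reaction module that either only alerts (passive) or also blocks the source (active), and a store that records every outcome. The record format, the signature, the addresses and the thresholds are all constructed.

```python
from collections import defaultdict

SIGNATURES = {b"CONSTRUCTED_WORM_MARKER": "Constructed.Worm.Marker"}  # constructed
FANOUT_THRESHOLD = 3   # distinct destinations on one port ...
FANOUT_WINDOW = 10     # ... within this many seconds counts as worm-like spreading

# Constructed network-sensor records: (timestamp, src, dst, dst_port, payload)
SENSOR_RECORDS = [
    (100, "10.0.0.5", "10.0.0.20", 445, b"hello"),
    (101, "10.0.0.5", "10.0.0.21", 445, b"hello"),
    (102, "10.0.0.5", "10.0.0.22", 445, b"hello"),
    (103, "10.0.0.7", "10.0.0.30", 80, b"GET / CONSTRUCTED_WORM_MARKER"),
    (104, "10.0.0.5", "10.0.0.23", 445, b"hello"),
    (130, "10.0.0.9", "10.0.0.20", 445, b"hello"),
]


class DetectionSubsystem:
    """Detection module (signature + behavioural), reaction module and data store."""

    def __init__(self, mode="passive"):
        if mode not in ("passive", "active"):
            raise ValueError("mode must be 'passive' or 'active'")
        self.mode = mode
        self.alerts = []                    # passive reaction: notifications for the administrator
        self.blocked = set()                # active reaction: sources whose traffic is dropped
        self.store = []                     # data storage module: every record with its outcome
        self._contacts = defaultdict(list)  # (src, port) -> [(ts, dst), ...] within the window

    def signature_check(self, payload):
        for pattern, name in SIGNATURES.items():
            if pattern in payload:
                return f"signature {name}"
        return None

    def behaviour_check(self, ts, src, dst, port):
        key = (src, port)
        self._contacts[key].append((ts, dst))
        # keep only the window so memory does not grow without bound
        self._contacts[key] = [(t, d) for t, d in self._contacts[key] if ts - t <= FANOUT_WINDOW]
        recent = {d for _, d in self._contacts[key]}
        if len(recent) >= FANOUT_THRESHOLD:
            return f"fan-out: {src} reached {len(recent)} hosts on port {port} within {FANOUT_WINDOW}s"
        return None

    def process(self, record):
        """Returns the action taken: pass, alert, block or dropped."""
        ts, src, dst, port, payload = record
        if src in self.blocked:
            self.store.append({"ts": ts, "src": src, "dst": dst, "action": "dropped"})
            return "dropped"
        reasons = [r for r in (self.signature_check(payload),
                               self.behaviour_check(ts, src, dst, port)) if r]
        if not reasons:
            self.store.append({"ts": ts, "src": src, "dst": dst, "action": "pass"})
            return "pass"
        alert = {"ts": ts, "src": src, "dst": dst, "port": port, "reasons": reasons}
        self.alerts.append(alert)            # passive reaction always happens
        action = "alert"
        if self.mode == "active":            # active reaction additionally blocks the source
            self.blocked.add(src)
            action = "block"
        self.store.append({**alert, "action": action})
        return action


def run(records, mode="passive"):
    """Feed records through a fresh subsystem; returns it and the action per record."""
    ids = DetectionSubsystem(mode)
    return ids, [ids.process(r) for r in records]


if __name__ == "__main__":
    for mode in ("passive", "active"):
        ids, actions = run(SENSOR_RECORDS, mode)
        print(mode, actions, "blocked:", sorted(ids.blocked))
```

In passive mode the fourth record from 10.0.0.5 produces another alert; in active mode the source was already blocked by its third record, so the fourth is dropped before analysis.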
The vulnerability identification subsystem should be able to detect technological and operational vulnerabilities of the AIS by means of network scanning. Users' workstations, servers and communication equipment can all be scanning targets. Both passive and active methods of information gathering can be used. On completion the subsystem should generate a detailed report listing the vulnerabilities found and recommendations for eliminating them. Together with the vulnerability identification subsystem, a system for managing updates of the system and application software installed in the AIS can be used. Using the two together allows the elimination of identified vulnerabilities to be automated by installing the necessary updates (service packs, hotfixes, patches, etc.) on AIS nodes.
The spam protection subsystem is aimed at blocking mail messages of an advertising nature. For this purpose the subsystem should support RBL (Real-Time Black Lists) and also implement its own signature or behavioural methods of spam detection. The subsystem is installed so that all incoming mail messages arriving from the Internet first pass through its content filter and only then reach the corporate mail server.
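As an added Python example of the two spam-detection methods named here (not the article's or any product's code): the RBL check builds the reversed-octet query name and resolves it, here against a constructed in-memory zone rather than DNS so that the example runs offline (a real deployment would pass socket.gethostbyname as the resolver), and a constructed phrase-weight signature score is combined with the RBL result. The zone name, the listed address and the phrases are constructed; the IP addresses come from the documentation ranges.

```python
import ipaddress

RBL_ZONE = "rbl.example.test"  # constructed zone name; real deployments use a published RBL

# Constructed RBL contents: the reversed-octet names the zone would answer for
CONSTRUCTED_ZONE = {"1.2.0.192.rbl.example.test": "127.0.0.2"}


def rbl_query_name(ip, zone=RBL_ZONE):
    """Build the DNSBL query name: the IPv4 octets reversed, then the zone.
    192.0.2.1 against rbl.example.test becomes 1.2.0.192.rbl.example.test."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 addresses only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def constructed_resolve(name):
    """Stand-in for an A-record lookup. Returns the answer, or None where a real
    resolver would report NXDOMAIN (socket.gethostbyname raises in that case)."""
    return CONSTRUCTED_ZONE.get(name)


def is_listed(ip, resolve=constructed_resolve, zone=RBL_ZONE):
    """True when the RBL answers for the address. Listing answers live in 127.0.0.0/8;
    any other answer (a wildcarded or mis-resolved zone) is not treated as a listing,
    which prevents a broken resolver from turning every message into spam."""
    answer = resolve(rbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


# Constructed signature table: phrase -> weight
SPAM_PHRASES = {"constructed offer": 2, "click here now": 2, "limited time": 1}
RBL_WEIGHT = 3


def signature_score(subject, body):
    """Sum of the weights of every known phrase found in subject or body (case-insensitive)."""
    text = f"{subject}\n{body}".lower()
    return sum(weight for phrase, weight in SPAM_PHRASES.items() if phrase in text)


def classify(connecting_ip, subject, body, threshold=3, resolve=constructed_resolve):
    """Combine both methods: returns (verdict, score, rbl_listed)."""
    score = signature_score(subject, body)
    listed = is_listed(connecting_ip, resolve)
    if listed:
        score += RBL_WEIGHT
    return ("spam" if score >= threshold else "ham", score, listed)


if __name__ == "__main__":
    print(classify("192.0.2.1", "Hello", "plain text"))
    print(classify("198.51.100.7", "Constructed OFFER", "click here now"))
```

Placing this filter in front of the corporate mail server, as the text describes, means the connecting IP checked here is the sender's relay as seen by the gateway, not an address copied from a forgeable header.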
The anti-virus security management subsystem is intended to perform the following functions:
- remote installation and removal of anti-virus tools on servers and users' workstations;
- remote control of the operating parameters of the protection subsystems that form part of the CSAVP;
- centralised collection and analysis of the information arriving from the other subsystems. This function automates the processing of incoming data and improves the efficiency of decisions on how to react to detected incidents involving breaches of anti-virus security.
Introducing a comprehensive anti-virus protection system is a fairly complex multi-stage process that includes the following stages:
- an information security audit of the AIS, aimed at gathering the initial information needed to draw up the CSAVP implementation plan;
- formulating the requirements for the CSAVP intended to protect the AIS. At this stage the technical specification for implementing the CSAVP is drawn up;
- developing the detailed design for implementing the CSAVP, containing a description of the design decisions, installation diagrams, CSAVP configuration parameters and other working data;
- training the organisation's personnel responsible for administering the CSAVP;
- commissioning work connected with deploying the CSAVP;
- technical support of the CSAVP, within which the questions connected with servicing the system during its operation are resolved.
The set of stages and their duration depend on the size of the protected AIS and on the scale of the CSAVP deployment. The work connected with installing and operating the attack detection system can be carried out by the design organisation's own staff or with the involvement of external organisations specialising in information security services. Some stages can be combined or carried out simultaneously; for example, developing the detailed design and training the personnel of the organisation performing design work can proceed in parallel.
In this article we have tried to show that the requirements for protection tools, and the approaches to implementing them, are entirely determined by the application (the area of practical use) of the protection tool. The efficiency criteria for protection tools intended for personal use and for corporate use in the performance of “turnkey” projects differ fundamentally, and consequently different solutions are needed as well. A discussion of the efficiency of a protection tool that does not refer to the conditions of its practical use is therefore fundamentally flawed. The consumer should also understand that a protection tool can either be simple (in operation and administration) or provide effective protection; there is no third option, since the implementation requirements are too different. Each of these tools has its own “niche”, its area of practical use. Choosing between simplicity and efficiency of protection, the user should clearly understand what the merits and shortcomings of protection tools are for each of the alternative applications.
The author: Челябэнергопроект
Expert comments from Челябэнергопроект: