Information security, as is well known, deals with two categories of threats: external and internal. The latter concern insiders. Their activity is in most cases unintentional, which makes it difficult to foresee and neutralise. Doing so requires the whole arsenal of available information security resources.
The information security industry as it exists today, with a turnover in the tens of billions of dollars, has developed mainly in response to external threats, which owe their appearance to the breakthroughs in high technology, the Internet and electronic commerce. The firewall, which became one of the first and most fundamental mechanisms of protection against external threats, was gradually joined by intrusion detection systems, VPNs and content filtering. Alongside firewalls, other means of network and host security have been actively developed and continue to develop: event monitoring and audit systems, protection against malicious software, authentication and access control tools, cryptography and other means aimed at preventing unauthorised access to information.
The greater the success mankind achieves in the fight against external cyberthreats, the more decisively internal threats come to the foreground; according to statistics, more than 70% of all security incidents are linked to them. According to research conducted by InfoWatch, the most widespread and dangerous kind of internal threat is information leakage. Protection against unauthorised access is almost useless here, because the main source of the threat is the "insider": a user of the information system who has fully legitimate access to confidential information and uses every resource available to him to exploit it.
The most widespread leakage channels belong to the category of unintentional disclosure, caused by lack of knowledge or lack of discipline: ordinary "employee chatter", the absence of any notion of the rules for working with confidential documents, and an inability to tell which documents are confidential. Deliberate "information dumps" are much rarer, but in that case the information is leaked purposefully and with the most dangerous consequences for the organisation.
Insiders threaten first of all the organisation's intellectual property, one of its main assets. Establishing and protecting intellectual property rights is today a major aspect of any business, particularly small business, which is, as is well known, the backbone of any healthy economy.
Let us consider who threatens intellectual property.
To survive in the market, a business needs to know how to cope with a whole army of competitors. Michael Lechter, in his book Protecting Your #1 Asset [2], divides them into three categories: "the big guys", "spoilers" and "pirates".
"The big guys" are competitors firmly established in the market. They command considerable financial resources and invest them in marketing, research and development. They enjoy economies of scale, stable sales channels, well-established relationships with partners and a good reputation among consumers. Although "the big guys" usually show particular scrupulousness towards others' legitimate intellectual property rights, they will exploit any gap in this area, turning it to their own advantage and trying to crush the competitor with the money and market power they possess.
"Spoilers" are competitors who offer cheaper and lower-quality variants of a product. They can force prices down or destroy the company's market altogether. A "spoiler" tries to ignore intellectual property rights but, having met resistance, learns to respect them.
"Pirates" are unscrupulous folk. Disregarding intellectual property rights, they knowingly copy products or create confusion in the market by selling goods under someone else's name. They will appropriate the investments made in a product and a trade mark until they are stopped.
There are various methods of competitive intelligence, lawful and not so lawful, but confidential information reaches these people mainly through insiders: the "negligent" employee who takes information out of the office to work on it at home or on a business trip and then loses it; the "victim of social engineering" who forwards confidential information to a fraudster's mailbox; the "offended" employee who seeks to compromise the employer by any means; the "disloyal" one dreaming of changing jobs as soon as possible and taking corporate know-how along; and the moonlighting or specially planted "insiders" who pass secret merger and acquisition plans to unfair participants in the stock market, who are ready to pay "any amount" for such information.
It is therefore extremely important to minimise the negative influence of insiders on the organisation's business by detecting them in time, reacting adequately, preventing the "dumping" of information and applying disciplinary and legal sanctions to them. Solving this difficult task requires the whole arsenal of available resources, including legal, organisational and technical protection mechanisms.
Of course, "the big guys", "spoilers" and "pirates" are seldom met in the market in pure form; usually we deal with some combination of them. But whatever category a competitor belongs to, the most effective protection against him is a correctly established legal basis for intellectual property rights. To survive in the competitive struggle it is necessary to use the full power and force of the state, our most important shareholder, which always reliably receives its dividends.
Let us consider the legal tools.
Using legal tools to protect intellectual property is the only chance a small business has of surviving the competitive struggle with "the big guys". These tools include patents and copyright, as well as the right to protection of trade marks and trade secrets. The first three are used to protect intellectual property rights in open information and are self-sufficient, i.e. they require no additional measures. Trade secret protection is much more difficult, because the main threat here is information leakage, and that is caused first of all by the fundamental nature of the human being as a carrier and distributor of information.
When solving a task as challenging as trade secret protection, one cannot confine oneself to legal tools alone. These tools make it possible to prevent many unlawful actions by competitors, to react to them adequately and to restore justice, bringing the full weight of the ruthless state machinery down on the opponent. But to set the legal mechanisms in motion, the information leak must be detected in time and the necessary evidence gathered.
The mechanisms of legal protection of a trade secret can be triggered only under certain conditions. Under the law "On trade secrets", the rights of the owner of information constituting a trade secret arise from the moment he establishes a trade secret regime for that information, meaning "the legal, organisational, technical and other measures taken by the owner of the information constituting a trade secret to protect its confidentiality".
Thus, in addition to the legal measures for trade secret protection, which consist mainly in having the organisation's employees sign confidentiality agreements, defining a trade secret protection policy and the corresponding lists of confidential information, a whole complex of organisational and technical protection measures must be applied.
Let us consider the "social firewall".
Since traditional protection against unauthorised access proves of little use against information leakage, completely different means must be used here, based on the concept that some experts have called the "social firewall" (human firewall). This term means the set of organisational information security measures directed at working with staff.
The main principles and rules of personnel management that take information security requirements into account are defined in the international standard ISO 17799. They come down to meeting certain requirements when hiring and dismissing workers, raising awareness, and applying sanctions to violators. Observing these rules substantially reduces the influence of the human factor, avoids typical errors and, in many cases, prevents leakage and inappropriate use of information.
The social firewall is built on the basis of the information security policy. The organisation must develop a confidential information protection policy and the corresponding instructions. These documents should define the rules and criteria for categorising information resources by degree of confidentiality, and the rules for labelling and handling confidential information. Rules for granting access to information resources must be defined, and appropriate procedures and control mechanisms, including authorisation and access auditing, put in place.
The social firewall makes it possible to fight successfully against the most numerous class of threats, inadvertent disclosure of confidential information, but it is clearly insufficient against malicious insiders. To stop an insider who intends to "dump" information, various technical protection mechanisms must additionally be brought in.
Let us consider access control and information leakage prevention tools.
Standard security tools can be used to restrict access to information and to record access events: authentication, access control, encryption and auditing.
However, traditional authentication and access control schemes do not provide an adequate level of security. In addition it is advisable to use specialised tools for managing access rights to electronic documents, such as those in MS Windows Server 2003: RMS (Rights Management Services) is the technology used by RMS-enabled applications to protect electronic documents from unauthorised use. RMS makes it possible, when distributing information, to define restrictions on its use. For example, the author of a document can limit the document's "lifetime", and also the ability of particular users to open, change, copy to the clipboard, print or forward it. The main difference between this technology and traditional ways of differentiating access to information is that the access rights and additional restrictions are stored in the body of the document and apply regardless of where it ends up. The document encryption implemented in RMS makes it impossible to reach the content by any roundabout route.
To prevent unauthorised copying of confidential information to external media, specialised software is used that controls the computer's external communication ports (USB, IR, PCMCIA, etc.). Such products are supplied by companies such as SecureWave, Safend, Control Guard and others, and by the domestic developers SmartLine and SecurIT. Users are assigned access rights to the controlled devices, by analogy with access rights to files. In principle almost the same effect can be achieved with standard Windows mechanisms, but a specialised product is still preferable, since a number of products also support shadow copying, which duplicates the information the user copies to peripheral devices.
The drawback of such products, based on static blocking of devices, is that they do not inspect data transmitted over the network and cannot separate confidential information from the general stream, working on an "all or nothing" principle. Moreover, the protection of such a system's program agent against being unloaded can usually be bypassed.
Greater possibilities for preventing leakage are offered by software able to regulate access to data channels dynamically, depending on the confidentiality level of the information and the clearance level of the employee. This principle is implemented by a mandatory access control mechanism. The owner of an information resource cannot weaken the access requirements for that resource; it is only within his power to strengthen them within his own level. In such systems confidential information cannot be copied to a medium or transferred over a communication port whose confidentiality level is lower than that of the information being copied. Only an administrator endowed with special authority can weaken the requirements.
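The mandatory rule just described, as an added example that is not part of the article and not the code of any product it names: information labelled at a given level may be copied only to a medium or port cleared at least that high, the owner of a channel may only tighten its level (and only up to his own clearance), and lowering it is reserved for a security manager. The level names, channel names and principals are constructed for the example.

```python
from dataclasses import dataclass

# Ordered confidentiality levels; a higher index means more confidential (constructed for this example).
LEVELS = ["public", "internal", "confidential", "secret"]


def rank(level: str) -> int:
    """Position of a level in the ordering; an unknown label is an error, never treated as public."""
    if level not in LEVELS:
        raise ValueError(f"unknown confidentiality level: {level!r}")
    return LEVELS.index(level)


@dataclass
class Channel:
    """A medium or port (flash drive, network share, ...) and the highest level it is cleared to carry."""
    name: str
    level: str


@dataclass
class Principal:
    name: str
    clearance: str
    security_manager: bool = False  # only this role may weaken a requirement


def may_copy(subject: Principal, info_level: str, dest: Channel) -> bool:
    """The subject must be cleared for the information, and the destination must be cleared
    at least as high as the information: no copying 'downwards' to a less confidential channel."""
    return rank(subject.clearance) >= rank(info_level) and rank(dest.level) >= rank(info_level)


def set_channel_level(actor: Principal, channel: Channel, new_level: str) -> None:
    """Tightening (raising) a channel's level is allowed within the actor's own clearance;
    weakening (lowering) it is reserved for the security manager."""
    if rank(new_level) < rank(channel.level) and not actor.security_manager:
        raise PermissionError(f"{actor.name} may not lower {channel.name} to {new_level}")
    if rank(new_level) > rank(actor.clearance):
        raise PermissionError(f"{actor.name} may not set {channel.name} above own clearance")
    channel.level = new_level


def make_channels() -> dict:
    """Constructed set of channels with their cleared levels."""
    return {
        "usb_flash": Channel("usb_flash", "public"),
        "lan_share": Channel("lan_share", "confidential"),
        "secure_vault": Channel("secure_vault", "secret"),
    }


def evaluate(subject: Principal, attempts, channels: dict) -> dict:
    """Decide each (info_level, channel_name) copy attempt: 'allow' or 'deny'."""
    return {
        (lvl, ch): ("allow" if may_copy(subject, lvl, channels[ch]) else "deny")
        for lvl, ch in attempts
    }


ANALYST = Principal("analyst", "confidential")
MANAGER = Principal("secmgr", "secret", security_manager=True)
ATTEMPTS = [
    ("public", "usb_flash"),
    ("confidential", "usb_flash"),
    ("confidential", "lan_share"),
    ("secret", "secure_vault"),
    ("secret", "lan_share"),
]

if __name__ == "__main__":
    channels = make_channels()
    for attempt, decision in evaluate(ANALYST, ATTEMPTS, channels).items():
        print(attempt, decision)
    try:
        set_channel_level(ANALYST, channels["lan_share"], "public")
    except PermissionError as err:
        print("denied:", err)
    set_channel_level(MANAGER, channels["lan_share"], "internal")
    print("lan_share now cleared for", channels["lan_share"].level)
```

The point the decisions make is the one the paragraph draws: a user who legitimately reads confidential data is still refused the flash drive cleared only for public material, and the only path to weakening that rule passes through the security manager, not the data owner.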
However, mandatory access control systems are, as a rule, expensive, difficult to implement and impose substantial limitations on business processes. And the most vexing thing is that unless we are talking about specially guarded sites, where employees are searched at the entrance, work under record-keeping and all use a single computer that is connected nowhere, is sealed and has no external ports, but about a real corporate environment with notebooks, handheld computers and various external communication channels, a malicious insider will still find a way to steal the information, because he has legitimate access to it. Therefore, while the regulatory framework mandates the use of mandatory access control in systems dealing with state secrets, in the corporate environment such protection mechanisms are applied seldom.
Access control and leakage prevention tools are directed mainly at protecting against unauthorised access and unauthorised copying of information, and are ineffective against insiders who have legitimate access to that information. For this reason the market for specialised information leakage detection and prevention systems (ILD&P) is now developing particularly actively.
Let us consider information leakage detection and prevention systems.
The ILD&P systems on the market can be divided into network, host and combined.
Network ILD&P systems are used to monitor outgoing traffic and detect unauthorised transfer of information by e-mail, in chats, in instant messaging systems and over various Internet protocols. Such systems began to be brought to market by fairly recently founded companies (Vericept, Vontu, PortAuthority, Tablus, etc.). They are either network traffic analysers delivered as Linux-based hardware appliances, or proxy servers intended for analysing particular Internet protocols (HTTP, FTP, etc.), or mail gateway servers parsing the SMTP, POP3 and IMAP protocols.
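What the mail-gateway kind of network ILD&P does with a message, shown as an added example that is not from the article and not the code of any vendor named above: it parses the outgoing message, pulls the text of every part including attachments, and checks it against keyword rules and against fingerprints (hashes of runs of words) of a document registered as confidential, so that an excerpt pasted into an attachment is caught even without a keyword. The confidential document, the keyword rules, the addresses and the messages are all constructed for the example; the 0.3 threshold is an arbitrary assumption.

```python
import hashlib
import re
from email import message_from_string
from email.message import Message
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# A document the organisation has registered as confidential (constructed sample text).
CONFIDENTIAL_DOC = (
    "Project Falcon merger plan. Target valuation 40 million. "
    "Board approval expected in the second quarter. Do not distribute."
)

# Keyword rules a content analyser might carry (constructed; whole words, case-insensitive).
KEYWORD_RULES = [r"\bconfidential\b", r"\btrade secret\b", r"\bproject falcon\b"]


def normalize(text: str):
    """Lower-case word tokens; punctuation and line breaks no longer matter."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text: str, k: int = 5):
    """Hashes of every run of k consecutive normalized words: a fingerprint that survives reformatting."""
    words = normalize(text)
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
        for i in range(len(words) - k + 1)
    }


FINGERPRINTS = shingles(CONFIDENTIAL_DOC)


def extract_text(msg: Message) -> str:
    """Concatenate the decoded text of every text/* part, body and attachments alike."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload is not None:
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def analyse(raw_message: str, threshold: float = 0.3) -> dict:
    """Gateway decision for one outgoing message: keyword hits, the share of the confidential
    document's fingerprints found in the message, and the resulting verdict."""
    msg = message_from_string(raw_message)
    text = extract_text(msg)
    hits = [rule for rule in KEYWORD_RULES if re.search(rule, text, re.IGNORECASE)]
    overlap = len(shingles(text) & FINGERPRINTS) / len(FINGERPRINTS) if FINGERPRINTS else 0.0
    verdict = "block" if hits or overlap >= threshold else "allow"
    return {"to": msg["To"], "keywords": hits, "overlap": round(overlap, 2), "verdict": verdict}


def build_message(to: str, body: str, attachment: str = None) -> str:
    """Construct a multipart RFC 822 message the way a mail client would (sample data only)."""
    msg = MIMEMultipart()
    msg["From"] = "employee@example.com"
    msg["To"] = to
    msg["Subject"] = "notes"
    msg.attach(MIMEText(body, "plain"))
    if attachment is not None:
        part = MIMEText(attachment, "plain")
        part.add_header("Content-Disposition", "attachment", filename="notes.txt")
        msg.attach(part)
    return msg.as_string()


if __name__ == "__main__":
    leak = build_message("partner@outside.example", "see attached",
                         "Target valuation 40 million. Board approval expected in the second quarter.")
    benign = build_message("colleague@example.com",
                           "Lunch at noon tomorrow? Let me know if the new printer works.")
    for raw in (leak, benign):
        print(analyse(raw))
```

The fingerprint match is what separates a content analyser from a plain keyword filter: the leaked excerpt above contains none of the keywords, yet half of the registered document's word runs reappear in it. The limitation the next paragraph describes still holds, since text that is paraphrased, encrypted or sent over a channel the gateway does not see produces no match at all.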
However, using such blocking products to detect and prevent a deliberate "dump" is equivalent to trying to catch a spy by watching his dead drops and tapping his telephone. The effectiveness of these measures is low, since dead drops can be changed, and instead of the telephone other means of communication, or another telephone, can be used. Therefore products of this class are suitable only for creating traffic archives and preventing seepage of information.
To expose and stop insider-spies, one must turn against them the tried and tested weapon used by every special service: keep them under constant observation and record all their actions in detail (a bug in the jacket pocket, surveillance, video monitoring, a hidden camera and other forms of observation). On workstations and notebooks, specialised spyware should be installed that intercepts not only all forms of electronic interaction but also keystrokes and screen images. This software should be able to identify suspicious user activity (including activity that can precede a data "dump") and give analysts a set of reports containing various cross-sections of information about operations on confidential databases and files. Covert surveillance and continuous analysis of all the actions of a potential offender is the most effective and uncompromising way of detecting and neutralising him. Sooner or later the spy will reveal himself, and then the evidence must be documented and the investigation conducted in a legally competent manner.
Since security expenditure should be proportionate to the risk, the full complex of investigative measures will of course seldom be applied in the corporate environment, but the use of specialised spyware fully justifies itself here, although, like everything else, it is not a panacea.
Host-level spyware uses program agents covertly installed on the computers of the users under observation, which keep a detailed record of all their actions. Such software is supplied by companies such as Verdasys, Orchestria, Onigma, SpectorSoft and others. The program agents of such systems can also block certain user operations, for example file transfer, writing certain information to external media, and access to certain categories of web sites.
For example, Spector 360, developed by the American company SpectorSoft, continuously records all user actions and the information associated with them, including e-mail messages, instant messages, visited web sites, characters typed on the keyboard, files transferred and printed, search phrases used, and screen images. Spector 360 agents can operate in stealth mode, unnoticed by the user and by anti-virus programs. They are not shown in the task manager and are difficult to detect with standard operating system tools or to uninstall.
The greatest effect is achieved by combined ILD&P systems, which unite the capabilities of network and host systems. In particular, the Russian company InfoWatch has taken the path of developing combined systems: its InfoWatch Enterprise Solution software complex includes both a network-level tool (Web Monitor) and host-level tools (Net Monitor), managed through a common interface and using a common content analysis engine.
Let us consider the ethical aspect.
Countering the internal threat requires the organisation to apply a whole series of measures. Organisational and legal measures, directed at prevention, reaction and recovery after an incident and at raising employee loyalty, are as a rule perceived positively and create positive motivation. Technical measures directed at detecting security violations by monitoring user actions are perceived extremely negatively and do not foster relations of trust between the organisation's management and its employees. Who likes to know that he is permanently under covert observation and that all his actions are recorded?
Monitoring user actions with a special class of spyware really is a powerful weapon, especially in the fight against insiders, idlers and dishonest employees. But this weapon demands extremely careful handling.
The organisation's security policy should clearly state that all information stored, processed and transmitted over the corporate network is the property of the organisation. Unauthorised access, disclosure, copying, modification, deletion and inappropriate use of data must be categorically and openly prohibited. Internal information should be used only for business purposes. The organisation's management should define the boundaries of acceptable use of this data.
Users of information systems should be warned that all hardware and software is under observation and that, if necessary, the full sequence of actions can be reconstructed. This is perfectly normal. We are not embarrassed by video cameras at the entrance to bank premises, at a guarded site or even in the capital's underground, because we understand perfectly well why they are there. The same understanding, together with a highly careful attitude to trade secrets, must be instilled in employees. They have no need (and no ability) to know how, and in what detail, their actions are monitored. It is enough for them to realise the full seriousness of the leakage threat and that the organisation is obliged to protect its trade secrets in order to survive the competitive struggle.
At the same time, the security service carrying out the monitoring should be forbidden to study employees' personal and business correspondence in the absence of signs of a threat and outside the scope of internal investigations. For detailed examination of information flows in automatic mode, specialised content analysers should be used that rely on keywords and other methods of identifying confidential documents.
Tracking down and bringing spies to account is a perfectly lawful business, provided the corresponding actions are formalised in a legally competent way.
Let us consider ways of countering insider attacks.
The general approach to solving the protection task
It is known from information protection theory that effective protection can be built only on the basis of a differentiating (access control) policy for resources; monitoring mechanisms, content monitoring in particular, can for obvious reasons serve only as auxiliary ones. However, both in existing requirements for protection systems and in known practical implementations in operating systems and applications, the differentiating policy is assumed to differentiate the access of the various users admitted to processing information on the computer to its resources. When protecting information from insider attacks, the task of implementing a differentiating access policy is posed quite differently: it is necessary to differentiate the modes of processing different categories of information on one computer for the same user (rather than access to resources between different users). Here it is more correct to speak not of a differentiating but of a separating policy of access to resources. Consequently, completely different approaches are needed to solve the protection task, and the protection mechanisms must satisfy completely different requirements. In this work we consider a possible, tested approach to solving the protection task and formulate the requirements whose implementation is necessary for effective protection against insider attacks.
Information of different confidentiality levels is processed on one computer, and processing information of each level requires different resources (different applications, file objects, devices, network resources, etc.). As a rule, the lower the confidentiality level of the processed information, the wider the range of resources that may be used in processing it, which is what creates the potential threat of theft of confidential information. The task of protecting information therefore consists in creating and isolating the modes of processing information of different confidentiality levels.
Creating a mode of processing confidential information consists in attaching a corresponding set of resources to the processing of information of each confidentiality level.
Isolating the modes of processing confidential information consists in preventing any possibility of changing the processing mode (the authorised set of resources) for information of each confidentiality level.
With this approach there is nothing left to monitor, since the possibility of stealing confidential information through the use of unauthorised resources (ones not used for its processing) is prevented.
When solving the protection task it must be borne in mind that protection in general consists not only in countering theft of confidential information (violation of its confidentiality) but also in ensuring its availability and integrity.
Requirements for localising computer resources (creating the object of protection)
It is impossible to protect (if we are talking about effective protection) an object whose functionality is not defined. In particular, the approach to protection we consider consists in creating modes of processing confidential information: a separating policy of access to resources must be implemented, which consists in attaching a corresponding set of resources to the processing of information of each confidentiality level. Consequently, the set of resources that can be attached to the system must be strictly regulated. First of all, devices and applications belong to such resources.
Consequently, the basic tasks of localising computer resources (creating the object of protection) are:
- managing the mounting of devices;
- localising the execution environment, i.e. ensuring closure of the software environment.
Managing device mounting consists in localising the set of devices permitted to connect to the system (note that this is not about prohibiting the connection of known devices, as is implemented, for example, in Windows XP, but about permitting the connection of only those devices that users need for their work). The point is that in corporate applications the range of devices in use is very strongly limited compared with the possibilities offered by modern general-purpose operating systems. Note also that, following the approach under consideration, access rights must be differentiated for the devices authorised for mounting in the system. The major condition for this mechanism to be effective is not only a permissive policy (permitting rather than prohibiting device connection) but also the identification of devices by serial number. There are two reasons. First, in Windows, for example, a file device (such as a flash drive) with a given serial number will always be mounted to the same drive letter regardless of which port it is connected to, which makes it possible to set correct access rules on the corresponding file objects. Second, only in this case are any reasonable organisational measures for organising and controlling the use of external drives in the company possible.
Thus, using the device mounting management mechanism, the user's work on each computer in the company must be localised to the set of devices that is necessary and sufficient for his professional tasks, i.e. the set that makes the corresponding functional tasks solvable: for example, network access only on the local network and only over wired channels, printing on a local and/or network printer, use of specific (by serial number) flash drives, and so on. All other devices, in all their variety, become impossible to connect to the system, and therefore access to them does not need to be differentiated. All this applies to servers too, naturally, with the appropriate reservations.
Everything said applies fully to localising the software (system and application) on the protected computer, which also defines the functionality of the object of protection. In fact, this task is rather simple in implementation and in the subsequent configuration of the protection mechanism. It is necessary to permit (again, a permissive policy) the launch of executable files only from a limited number of hard disk objects (folders) that users must be prevented from modifying. The result is that the user can launch only those programs (system and application) installed by the administrator. Whatever malicious code is used in an attempt to bypass protection, it will be impossible to launch this unauthorised software.
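The two localisation tasks above, device mounting by serial number and closure of the software environment, as one added example that is not from the article and not the code of any product it mentions. The policy is the administrator's and lists what is permitted; anything absent is refused. A flash drive of an allowed class but an unlisted serial is refused, and an executable path is normalised (case, separators, `..`) before it is compared with the permitted folders, so `C:\Program Files\..\Users\...` does not pass as `C:\Program Files`. The serial numbers, folders and log lines are constructed; the log format is a hypothetical agent log, not any vendor's.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class LocalisationPolicy:
    """Configured by the administrator; users have no way to change it."""
    allowed_devices: Set[Tuple[str, str]]  # (device class, serial number) pairs
    allowed_exec_dirs: Tuple[str, ...]     # normalised folders users cannot modify


def _norm_dir(path: str) -> str:
    # Case-insensitive, separators unified, '..' collapsed, always ending in a backslash
    # so that 'c:\program filesx' cannot pass as 'c:\program files'.
    return ntpath.normcase(ntpath.normpath(path)).rstrip("\\") + "\\"


def _norm_path(path: str) -> str:
    return ntpath.normcase(ntpath.normpath(path))


def build_policy() -> LocalisationPolicy:
    """Constructed policy: three specific devices and two launch folders."""
    return LocalisationPolicy(
        allowed_devices={
            ("usb_storage", "07A1B2C3"),
            ("printer", "HP-LJ-000123"),
            ("nic", "00:1A:2B:3C:4D:5E"),
        },
        allowed_exec_dirs=tuple(_norm_dir(d) for d in (r"C:\Windows\System32", r"C:\Program Files")),
    )


def device_decision(policy: LocalisationPolicy, kind: str, serial: str) -> str:
    """Permissive policy: mount only if this exact class+serial is listed. A device of an allowed
    class with an unknown serial is refused, so 'any flash drive' never passes."""
    return "mount" if (kind, serial) in policy.allowed_devices else "refuse"


def exec_decision(policy: LocalisationPolicy, path: str) -> str:
    """Launch only from the listed folders; normalisation defeats case tricks and '..' traversal."""
    p = _norm_path(path)
    return "run" if any(p.startswith(d) for d in policy.allowed_exec_dirs) else "deny"


DEVICE_RE = re.compile(r"DEVICE kind=(\S+) serial=(\S+) user=(\S+)")
EXEC_RE = re.compile(r"EXEC path=(.+?) user=(\S+)")

# Constructed events in a hypothetical agent log format (not any real product's output).
SAMPLE_LOG = r"""2008-03-11 09:02:15 DEVICE kind=usb_storage serial=07A1B2C3 user=ivanov
2008-03-11 09:05:40 DEVICE kind=usb_storage serial=DEADBEEF user=ivanov
2008-03-11 09:07:02 EXEC path=C:\Windows\System32\notepad.exe user=ivanov
2008-03-11 09:08:30 EXEC path=C:\Program Files\..\Users\ivanov\Downloads\setup.exe user=ivanov
2008-03-11 09:09:11 EXEC path=c:\program files\1c\1cv8.exe user=ivanov
"""


def audit(policy: LocalisationPolicy, log_text: str) -> List[Tuple[str, str, str]]:
    """Replay log lines through the policy; returns (event type, subject, decision) per line."""
    results = []
    for line in log_text.splitlines():
        m = DEVICE_RE.search(line)
        if m:
            kind, serial, _user = m.groups()
            results.append(("DEVICE", f"{kind}:{serial}", device_decision(policy, kind, serial)))
            continue
        m = EXEC_RE.search(line)
        if m:
            path, _user = m.groups()
            results.append(("EXEC", path, exec_decision(policy, path)))
    return results


if __name__ == "__main__":
    for event in audit(build_policy(), SAMPLE_LOG):
        print(*event)
```

The `ntpath` functions work on any platform, which is why the Windows paths in the sample log can be checked on a non-Windows machine. The decisive design choice is the one the text insists on: the lists name what is allowed, and the default answer for everything else is refusal, so a new device or a freshly downloaded executable needs no rule of its own to be stopped.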
Solving this protection task is what makes it possible to speak of the sufficiency of protection mechanisms at all; otherwise the range of threats grows catastrophically and the protection task becomes unsolvable.
Remark. Implementing closure of the software environment is the main step in solving almost any information protection task. If you want to solve the anti-virus protection task properly, activate such a protection mechanism and "forget" about all trojans, sniffers, spyware and other malicious programs, and about all types of virus attacks aimed at modifying system and application software: launching them becomes impossible. As regards countering errors in software, this protection mechanism will not allow exploits and the like to be launched.
When it comes to protecting servers rather than workstations, closure of the software environment must also be provided with respect to system users (which, for example, the Windows operating system does not allow: prohibit the System user from writing to the system disk and you will see the blue screen). But this is rather a task of protection against network attacks. It too can be solved successfully, but by implementing a differentiating policy of access to resources for the subject "process": prohibit modification of the system disk for the System user, and grant that possibility only to the necessary system processes (there are no more than ten of them), which under closure of the software environment cannot be modified. Then launching malicious software becomes impossible even with system rights.
However, localising the functions of the protected object is not limited to the set of devices and software; it also includes the correct functioning of the system software, i.e. of the system itself.
The third necessary mechanism is protection of system resources, since it is directly linked to creating the object of protection. These objects include the system disk, executable files and application configuration files and, for Windows, the registry besides. We considered the protection of system file objects above (without it, correct implementation of closure of the software environment is impossible). As for protecting the OS registry, it is enough to prevent any possibility of unauthorised modification by users of the HKEY_LOCAL_MACHINE branch. For servers, and correspondingly for users with system rights, differentiation of access to registry objects for the subject "process" is again required here.
So, as a result of applying the three mechanisms considered, the object of protection is formed. Only after that is there any point in talking about the sufficiency of protection mechanisms and, consequently, about the fundamental possibility of protecting the information processed by that object at all.
Let us consider the requirements for protection:
1. The set of resources that can be attached to the system must be localised within the object of protection, and system resources must be protected from unauthorised modification.
2. Information processing in sessions of different categories must be completely isolated.
3. The session must be set (selected) before data processing begins (data may be loaded, from a file object, from the network, etc., only after the mode of its processing, and accordingly the ways of loading and processing it, i.e. the session, has been defined).
4. In modern conditions the separating policy of access to resources (the cornerstone of countering insider attacks) should be implemented by a differentiating policy of access to resources for accounts.
5. It must be possible to set a differentiating access policy for accounts to all resources (file objects, devices, network resources, etc.) whose mounting (connection) to the system (the object of protection) is authorised.
6. It must be possible to differentiate access rights between all accounts to every resource whose mounting (connection) to the system (the object of protection) is authorised.
7. The notion of object ownership as such must be eliminated from the differentiating access policy (recall that the "owner" of an object is the user who created it). All tasks of implementing the differentiating access policy (configuring protection mechanisms) must be solved by the security administrator; the user must be excluded from the administration loop.
8. A permissive differentiating access policy must be implemented: everything not explicitly permitted is forbidden, since only in this case does user access to newly created objects become impossible.
9. Encryption of the objects designated by the security administrator must be performed automatically and transparently for users.
10. The key policy (the ways of storing and entering key information) must allow decryption of information only by those users and only on those computing resources defined by the security administrator.
11. Periodic backup of information from the objects designated by the security administrator must be performed automatically and transparently for users.
12. The differentiating policy of access to resources must prevent user access to the objects storing backup information.
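Requirements 2, 3, 7 and 8 as a small model of the separating policy, added here as an example that is not from the article and not any product's code: a session (processing mode) must be selected before any data is loaded, each session may attach only the resources the security administrator listed for it and nothing else, objects carry the label of the session that created them and cannot be opened in another, and only the security administrator can change the lists. The session names, resource names and the user actions in the scenario are constructed; transparent encryption and backup (requirements 9 to 12) are outside this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


class PolicyError(Exception):
    """Raised when an operation falls outside the separating policy."""


@dataclass
class SeparatingPolicy:
    """Which resources each session (processing mode) may attach. Anything not listed is
    forbidden (requirement 8), and only the security administrator edits the lists (requirement 7)."""
    security_admin: str
    sessions: Dict[str, Set[str]] = field(default_factory=dict)

    def grant(self, actor: str, session: str, resource: str) -> None:
        if actor != self.security_admin:
            raise PolicyError(f"{actor} is not the security administrator")
        self.sessions.setdefault(session, set()).add(resource)


@dataclass
class Workstation:
    policy: SeparatingPolicy
    session: Optional[str] = None
    # object name -> (label of the session that created it, content); labels isolate sessions (req. 2)
    objects: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def select_session(self, name: str) -> None:
        if name not in self.policy.sessions:
            raise PolicyError(f"no processing mode named {name!r}")
        self.session = name

    def attach(self, resource: str) -> None:
        """Requirement 3: nothing is processed before a session is chosen; requirement 8: default deny."""
        if self.session is None:
            raise PolicyError("select a session before processing any data")
        if resource not in self.policy.sessions[self.session]:
            raise PolicyError(f"{resource!r} is not permitted in session {self.session!r}")

    def load(self, resource: str, name: str) -> str:
        self.attach(resource)
        label, content = self.objects[name]
        if label != self.session:
            raise PolicyError(f"{name!r} belongs to session {label!r}, not {self.session!r}")
        return content

    def save(self, resource: str, name: str, content: str) -> None:
        self.attach(resource)
        existing = self.objects.get(name)
        if existing is not None and existing[0] != self.session:
            raise PolicyError(f"{name!r} belongs to session {existing[0]!r}")
        self.objects[name] = (self.session, content)


def build_workstation() -> Workstation:
    """Constructed configuration: an 'open' mode with mail and browser, a 'confidential' mode without."""
    policy = SeparatingPolicy(security_admin="secadmin")
    for resource in ("browser", "mail", "local_disk"):
        policy.grant("secadmin", "open", resource)
    for resource in ("accounting_app", "local_disk"):
        policy.grant("secadmin", "confidential", resource)
    return Workstation(policy)


def run_scenario() -> List[Tuple[str, str]]:
    """Walk through a constructed sequence of user actions; returns the outcome of each."""
    ws = build_workstation()
    outcomes = []

    def attempt(label, action):
        try:
            action()
            outcomes.append((label, "ok"))
        except PolicyError:
            outcomes.append((label, "denied"))

    attempt("load before session", lambda: ws.load("local_disk", "report"))
    ws.select_session("confidential")
    attempt("save report in confidential", lambda: ws.save("local_disk", "report", "Q2 figures"))
    attempt("mail from confidential", lambda: ws.attach("mail"))
    ws.select_session("open")
    attempt("read confidential report in open", lambda: ws.load("local_disk", "report"))
    attempt("user edits policy", lambda: ws.policy.grant("ivanov", "open", "accounting_app"))
    return outcomes


if __name__ == "__main__":
    for label, outcome in run_scenario():
        print(f"{label}: {outcome}")
```

The scenario shows why the ordering in requirement 3 matters: the report written in the confidential session is reachable only there, and the open session, the one with mail and a browser, never gets it, even though the same user and the same local disk are involved in both.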
1. Fighting insiders: choosing the ammunition. 2007 [http://safe.cnews.ru]
2. Shcheglov A. Yu. Protection of confidential information from insider attacks. 2008 [http://daily.sec.ru/dailypblshow.cfm?pid=19783]
Author: Челябэнергопроект