Possible threats to information security. Types of information security threats. Specific examples of violations of information security and data access

In a modern society built on information technology and huge databases stored on electronic media, questions of information security and of the types of information threats are far from idle. Accidental and intentional actions of natural or artificial origin that can cause damage to the owner or user of information are the topic of this article.

Principles of ensuring security in the information sphere

The main principles of information security, the system for ensuring its safety and integrity are:

  • Integrity of information data. This principle implies that information maintains content and structure as it is transmitted and stored. The right to create, change or destroy data is reserved only for users with the appropriate access status.
  • Data confidentiality. Access to the data set is limited to a clearly defined circle of users authorized in the system, which provides protection against unauthorized access to information.
  • Availability of the data set. In accordance with this principle, authorized users receive timely and unhindered access to it.
  • Reliability of information. This principle is expressed in the fact that information strictly belongs only to the subject from whom it was received and who is its source.

Security Challenges

Information security issues come to the fore when disruptions and errors in a computer system can lead to serious consequences. The tasks of an information security system involve multifaceted and comprehensive measures. These include preventing misuse, damage, distortion, copying and blocking of information. This includes monitoring and preventing unauthorized access by persons without the proper level of authorization, preventing information leakage and all possible threats to its integrity and confidentiality. At the current stage of development, database security issues are becoming important not only for small and private users, but also for financial institutions and large corporations.

Classification of types of information security threats

By “threat” in this context we mean potentially possible actions, phenomena and processes that can lead to undesirable consequences or impacts on the operating system or information stored in it. In the modern world there are a fairly large number of such information threats, the types of which are classified based on one of several criteria.

So, according to the nature of occurrence, they distinguish:

  • Natural threats. These are those that arose as a result of physical influences or natural phenomena.
  • Man-made threats. This type of information threat includes everything that is associated with human actions.

In accordance with the degree of intentionality, threats are divided into accidental and intentional.

Depending on the direct source of the threat to information security, it can be natural (for example, natural phenomena), human (violation of confidentiality of information by disclosing it), software and hardware. The latter type, in turn, can be divided into authorized (errors in the operation of operating systems) and unauthorized (website hacking and virus infection) threats.

Classification by source distance

Depending on the location of the source, there are 3 main types of information threats:

  • Threats from a source outside the computer operating system. For example, interception of information at the time of its transmission through communication channels.
  • Threats whose source is within the controlled operating system. For example, data theft or information leakage.
  • Threats that arise within the system itself. For example, incorrect transfer or copying of a resource.

Other classifications

Regardless of the remoteness of the source, the type of information threat can be passive (the impact does not entail changes in the data structure) and active (the impact changes the structure of the data, the content of the computer system).

In addition, information threats may appear during the stages of access to a computer and be detected after authorized access (for example, unauthorized use of data).

Depending on their location, threats can be of 3 types: those that arise at the stage of access to information located on external memory devices, in random access memory, and in data circulating along communication lines.

Some threats (for example, information theft) do not depend on system activity, others (viruses) are detected solely during data processing.

Unintentional (natural) threats

The mechanisms for implementing this type of information threat have been studied quite well, as have methods for preventing them.

Accidents and natural phenomena pose a particular danger to computer systems. As a result of such impact, information becomes inaccessible (in whole or in part), and it can be distorted or completely destroyed. An information security system cannot completely eliminate or prevent such threats.

Another danger is mistakes made when developing a computer system. For example, incorrect operating algorithms, incorrect software. These are the types of errors that are often used by attackers.

Another unintentional but significant type of information security threat is the incompetence, negligence or inattention of users. In 65% of cases of weakened information security of systems, it was violations of functional responsibilities by users that led to loss, violations of confidentiality and integrity of information.

Deliberate information threats

This type of threat is characterized by a dynamic nature and the constant addition of new types and methods of targeted actions by violators.

In this area, attackers use special programs:

  • Viruses are small programs that independently copy and spread throughout the system.
  • Worms are utilities that are activated every time the computer boots. Like viruses, they are copied and independently spread in the system, which leads to its overload and blocking of work.
  • Trojan horses - malware hidden under useful applications. They can send information files to the attacker and destroy the system software.

But malware is not the only deliberate intrusion tool. Numerous methods of espionage are also used - wiretapping, theft of programs and security attributes, hacking and theft of documents. Password interception is most often done using special programs.

Industrial espionage

Statistics from the FBI and the Computer Security Institute (USA) indicate that 50% of intrusions are carried out by employees of companies or enterprises themselves. In addition to them, the subjects of such information threats include competing companies, creditors, buying and selling companies, as well as criminal elements.

Hackers and techno-rats are of particular concern. These are qualified users and programmers who hack websites and computer networks for the purpose of profit or for sporting interest.

How to protect information?

Despite the constant growth and dynamic development of various types of information threats, there are still methods of protection.

  • Physical protection - this is the first stage of information security. This includes restricting access for unauthorized users and an access control system, especially for access to the server department.
  • The basic level of information protection is programs that block computer viruses, antivirus programs, and systems for filtering correspondence of a dubious nature.
  • Protection against DDoS attacks offered by software developers.
  • Creation of backup copies, stored on other external media or in the so-called “cloud”.
  • Disaster and data recovery plan. This method is important for large companies who want to protect themselves and reduce downtime in the event of a failure.
  • Encryption of data when transmitting it using electronic media.

Information protection requires an integrated approach. And the more methods are used, the more effective the protection against unauthorized access, threats of destruction or damage to data, as well as theft will be.

A few facts to make you think

In 2016, 26% of banks experienced DDoS attacks.

One of the largest personal data leaks occurred in July 2017 at the Equifax credit history bureau (USA). The data of 143 million people and 209 thousand credit card numbers fell into the hands of attackers.

“Whoever owns the information owns the world.” This statement has not lost its relevance, especially when we are talking about competition. So, in 2010 the iPhone 4 presentation was disrupted due to the fact that one of the employees forgot the smartphone prototype in a bar, and the student who found it sold the prototype to journalists. As a result, an exclusive review of the smartphone was published in the media several months before its official presentation.

The entire set of potential threats to information security in a computer system can be divided into 2 main classes (Fig. 1).

Fig.1

Threats that are not associated with the deliberate actions of attackers and are implemented at random times are called random or unintentional. The mechanism for implementing random threats is generally quite well studied, and considerable experience has been accumulated in countering these threats.

Natural disasters and accidents are fraught with the most destructive consequences for computer systems (CS), since the latter are subject to physical destruction, and information is lost or access to it becomes impossible.

Faults and failures of complex systems are inevitable. As a result of faults and failures, the performance of technical means is disrupted, data and programs are destroyed and distorted, and the algorithm of operation of devices is disrupted.

Errors in the development of CS, algorithmic and software errors lead to consequences similar to the consequences of faults and failures of technical equipment. In addition, such errors can be used by attackers to influence CS resources.

Errors by users and maintenance personnel are the cause of security breaches in 65% of cases. Incompetent, careless or inattentive performance of functional duties by employees leads to the destruction, violation of the integrity and confidentiality of information.

Deliberate threats are associated with the targeted actions of the offender. This class of threats has not been sufficiently studied, is very dynamic and is constantly updated with new threats.

Methods and means of espionage and sabotage are most often used to obtain information about the security system for the purpose of penetrating the CS, as well as for theft and destruction of information resources. Such methods include eavesdropping, visual surveillance, theft of documents and computer storage media, theft of programs and security system attributes, collection and analysis of computer storage media waste, and arson.

Unauthorized access to information (UAI) usually occurs with the use of standard hardware and software of the computer system, as a result of which the established rules for limiting access of users or processes to information resources are violated. Access control rules are understood as a set of provisions regulating the access rights of persons or processes to units of information. The most common violations are:

-- password interception, carried out by specially designed programs;

-- “masquerade” - performance of any actions by one user on behalf of another;

-- illegal use of privileges - the seizure of the privileges of legitimate users by an intruder.

The processing and transmission of information by technical means of a computer system is accompanied by electromagnetic radiation into the surrounding space and the induction of electrical signals in communication lines. These are called spurious electromagnetic radiation and interference (PEMIN). With the help of special equipment, signals are received, isolated, amplified and can either be viewed or recorded in storage devices (memory devices). Electromagnetic radiation is used by attackers not only to obtain information, but also to destroy it.

A major threat to information security in the CS is unauthorized modification of the algorithmic, software and technical structures of the system, which is called a “bookmark”. As a rule, “bookmarks” are embedded in specialized systems and are used either for direct harmful effects on the computer system, or to provide uncontrolled entry into the system.

One of the main sources of security threats is the use of special programs, collectively called “sabotage programs”. Such programs include:

-- “computer viruses” - small programs that, after being introduced into a computer, spread independently by creating copies of themselves, and if certain conditions are met, have a negative impact on the computer system;

-- “worms” are programs that are executed every time the system boots, with the ability to move into a computer system or network and self-reproduce copies. An avalanche-like proliferation of programs leads to overload of communication channels, memory, and then to blocking of the system;

-- “Trojan horses” - programs that look like a useful application, but in fact perform harmful functions (destruction of software, copying and sending files with confidential information to an attacker, etc.).

In addition to the security threats mentioned above, there is also the threat of information leakage, which is becoming an increasingly significant security issue every year. To effectively deal with leaks, you need to know how they occur (Fig. 2).

Fig.2

Four main types of leaks account for the vast majority (84%) of incidents, with half of this share (40%) falling on the most popular threat - media theft. 15% is inside information. This category includes incidents caused by the actions of employees who had legal access to information. For example, an employee did not have access rights to information, but managed to bypass security systems. Or an insider had access to information and took it outside the organization. Hacker attacks also account for 15% of threats. This broad group of incidents includes all leaks that occurred as a result of external intrusion. The not too high proportion of hacker intrusions is explained by the fact that the intrusions themselves have become less noticeable. 14% were web leaks. This category includes all leaks associated with the publication of confidential information in public places, for example, on global networks. 9% is paper leaks. By definition, a paper leak is any leak that occurs as a result of printing confidential information on paper. 7% are other possible threats. This category includes incidents for which the exact cause could not be determined, as well as leaks that became known after the fact, after personal information was used for illegal purposes.

In addition, phishing is currently developing actively. It is an Internet fraud technology that consists of theft of personal confidential data, such as access passwords, credit card numbers, bank accounts and other personal information. Phishing (from the English Fishing - fishing) stands for password fishing and uses not the technical shortcomings of the computer system, but the gullibility of Internet users. The attacker throws bait onto the Internet and “catches all the fish” - users who fall for it.

Regardless of the specifics of specific types of threats, information security must maintain integrity, confidentiality, and availability. Threats to integrity, confidentiality and availability are primary. Violation of integrity includes any deliberate modification of information stored in a computer system or transmitted from one system to another. A breach of confidentiality can result in a situation where information becomes known to someone who does not have the authority to access it. The threat of information inaccessibility arises whenever, as a result of deliberate actions of other users or attackers, access to some CS resource is blocked.

Another type of information security threat is the threat of disclosure of CS parameters. As a result of its implementation, no damage is caused to the information processed in the CS, but at the same time the possibilities for the manifestation of primary threats are significantly enhanced.

Threats arise from the conflicting economic interests of various elements interacting both inside and outside the socio-economic system, including in the information sphere. They determine the content and directions of activities to ensure general and information security. It should be noted that the analysis of economic security problems must be carried out taking into account the interrelationships of economic contradictions, threats and losses that the implementation of threats can lead to. This analysis leads to the following chain:

<threat source (external and/or internal environment of the enterprise)>

<risk zone (sphere of the enterprise's economic activity, methods of carrying it out, material and information resources)>

<factor (degree of vulnerability of data, information, software, computer and telecommunication devices, material and financial resources, personnel)>

<threat (type, magnitude, direction)>

<possibility of its implementation (prerequisites, object, method of action, speed and time interval of action)>

<consequences (material damage, moral harm, amount of damage and harm, possibility of compensation)>.

A threat is usually identified either with the nature (type, method) of a destabilizing effect on material objects, software or information, or with the consequences (results) of such influence.

From a legal point of view, the concept of threat is strictly related to the legal category of damage, which the Civil Code of the Russian Federation (Part I, Article 15) defines as “actual expenses incurred by the subject as a result of a violation of his rights (for example, theft, disclosure or use of confidential information by the violator), loss or damage to property, as well as the expenses that he will have to make to restore the violated right and the value of the damaged or lost property.”

Analysis of the negative consequences of the emergence and implementation of threats requires the mandatory identification of possible sources of threats, vulnerabilities that contribute to their manifestation and methods of implementation. In this regard, threats to economic and information security must be classified in order to most fully and adequately carry out this identification: by the source of the threat, by the nature of its occurrence, by the likelihood of implementation, in relation to the type of human activity, by the object of the attack, by the consequences, by forecasting capabilities.

Threats can be classified according to several criteria:

  • by the most important components of information security (availability, integrity, confidentiality), against which threats are primarily directed;
  • by components of information systems and technologies (data, hardware and software systems, networks, supporting infrastructure) that are directly targeted by threats;
  • by method of implementation (accidental or deliberate actions, events of man-made or natural scale);
  • by location of the source of threats (outside or inside the information technology or system).

One of the possible threat classification models is shown in Fig. 2.1 [Vikhorev, S., Kobtsev R., 2002].


Fig. 2.1.

During the analysis, it is necessary to ensure that the majority of possible sources of threats and vulnerabilities are identified and compared with each other, and that all identified sources of threats and vulnerabilities are compared with methods for their neutralization and elimination.

This classification can serve as the basis for developing a methodology for assessing the relevance of a particular threat, and once the most relevant threats have been identified, measures can be taken to select methods and means to prevent or neutralize them.

When identifying current threats, the expert-analytical method determines the objects of protection that are exposed to a particular threat, the characteristic sources of these threats and the vulnerabilities that contribute to the implementation of the threats.

Based on the analysis, a matrix of relationships between sources of threats and vulnerabilities is compiled, from which the possible consequences of the implementation of threats (attacks) are determined and the significance coefficient (degree of danger) of these attacks is calculated as the product of the danger coefficients of the corresponding threats and the sources of threats identified earlier.
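The calculation described above, as an added example that is not part of the original article: a relationship matrix of threat sources and vulnerabilities is expanded into attacks, and each attack's significance is the product of the danger coefficients of its threat and its source. The names, the 1..5 coefficient scale, the sample values and the relevance threshold are all assumptions made for the illustration.

```python
from dataclasses import dataclass

# Constructed sample data. The 1..5 danger scale and every name and value
# below are assumptions for this example; the article prescribes none.
SOURCE_DANGER = {            # danger coefficient of each threat source
    "insider": 4,
    "external intruder": 3,
    "power failure": 2,
}
THREAT_DANGER = {            # danger coefficient of each primary threat
    "confidentiality": 5,
    "integrity": 4,
    "availability": 3,
}
VULN_THREATS = {             # threats that a vulnerability opens the way to
    "access rights not revoked": ("confidentiality", "integrity"),
    "no backup copies": ("availability",),
    "unencrypted channel": ("confidentiality",),
}
# Relationship matrix, stored as the set of (source, vulnerability) cells
# where the source is able to use the vulnerability.
RELATION = {
    ("insider", "access rights not revoked"),
    ("insider", "no backup copies"),
    ("external intruder", "unencrypted channel"),
    ("power failure", "no backup copies"),
}


@dataclass(frozen=True)
class Attack:
    source: str
    vulnerability: str
    threat: str
    significance: int        # K_source * K_threat


def _coefficient(name, table, kind):
    """Look up a danger coefficient and reject unknown or out-of-scale entries."""
    if name not in table:
        raise ValueError(f"unknown {kind}: {name!r}")
    k = table[name]
    if not 1 <= k <= 5:
        raise ValueError(f"{kind} {name!r}: coefficient {k} is outside 1..5")
    return k


def rank_attacks(relation=RELATION, sources=SOURCE_DANGER,
                 threats=THREAT_DANGER, vuln_threats=VULN_THREATS):
    """Expand the matrix into attacks, most significant first."""
    attacks = []
    for source, vuln in relation:
        k_source = _coefficient(source, sources, "source")
        if vuln not in vuln_threats:
            raise ValueError(f"unknown vulnerability: {vuln!r}")
        for threat in vuln_threats[vuln]:
            k_threat = _coefficient(threat, threats, "threat")
            attacks.append(Attack(source, vuln, threat, k_source * k_threat))
    # Deterministic order: significance descending, then names.
    return sorted(attacks, key=lambda a: (-a.significance, a.source,
                                          a.vulnerability, a.threat))


def current(attacks, threshold):
    """Keep attacks at or above the threshold and list what they involve."""
    kept = [a for a in attacks if a.significance >= threshold]
    return {
        "attacks": kept,
        "sources": sorted({a.source for a in kept}),
        "vulnerabilities": sorted({a.vulnerability for a in kept}),
    }


if __name__ == "__main__":
    ranked = rank_attacks()
    for a in ranked:
        print(f"{a.significance:>2}  {a.source} -> {a.vulnerability} -> {a.threat}")
    print(current(ranked, threshold=12)["sources"])
```

Raising or lowering the threshold changes which sources and vulnerabilities end up on the lists of relevant ones, which is the prioritisation step the analysis is meant to support.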

One of the possible algorithms for carrying out such an analysis, which can be easily formalized and algorithmized, is shown in Fig. 2.2.


Fig. 2.2.

Thanks to this approach it is possible:

  • set priorities for security goals for the subject of the relationship;
  • determine a list of current threat sources;
  • determine a list of current vulnerabilities;
  • assess the relationship between vulnerabilities, sources of threats, and the possibility of their implementation;
  • determine a list of possible attacks on the facility;
  • develop scenarios for possible attacks;
  • describe the possible consequences of the implementation of threats;
  • develop a set of protective measures and a management system for the economic and information security of the enterprise.

It was noted above that the most frequent and most dangerous (in terms of the amount of damage) are unintentional errors of regular users, operators, system administrators and other persons serving information systems. Sometimes such errors are actually threats (incorrectly entered data or a program error that caused a system crash), sometimes they create vulnerabilities that can be exploited by attackers (these are usually administrative errors). According to some estimates, up to 65% of losses occur due to unintentional errors caused by carelessness, negligence or inadequate training of personnel.

Typically, users can be sources of the following threats:

  • intentional (embedding a logic bomb that will eventually destroy the software core or applications) or unintentional loss or distortion of data and information, “hacking” of the administration system, theft of data and passwords, transferring them to unauthorized persons, etc.;
  • user reluctance to work with the information system (most often manifested when it is necessary to master new capabilities or when there is a discrepancy between user requests and actual capabilities and technical characteristics) and intentional disabling of its hardware and software devices;
  • inability to work with the system due to lack of appropriate training (lack of general computer literacy, inability to interpret diagnostic messages, inability to work with documentation, etc.).

Obviously, an effective method of combating unintentional errors is maximum automation and standardization of information processes, the use of fool-proof devices, and regulation and strict control of user actions. It is also necessary to ensure that when an employee leaves, his access rights (logical and physical) to information resources are revoked.

The main sources of internal system failures are:

  • inability to work with the system due to lack of technical support (incomplete documentation, lack of reference information, etc.);
  • deviation (accidental or deliberate) from established operating rules;
  • exit of the system from the normal operating mode due to accidental or intentional actions of users or maintenance personnel (exceeding the estimated number of requests, excessive volume of processed information, etc.);
  • system configuration errors;
  • software and hardware failures;
  • data destruction;
  • destruction or damage to equipment.

It is recommended to consider the following threats in relation to the supporting infrastructure:

  • disruption (accidental or intentional) of communication systems, power supply, water and/or heat supply, air conditioning;
  • destruction or damage to premises;
  • inability or unwillingness of service personnel and/or users to perform their duties (civil unrest, transport accidents, terrorist attack or threat thereof, strike, etc.).

Natural disasters (floods, earthquakes, hurricanes) and events resulting from man-made disasters (fires, explosions, building collapses, etc.) are, of course, dangerous. According to statistics, fire, water and similar “attackers” (among which the most dangerous is power failure) account for 13-15% of losses caused to production information systems and resources.

The results of the assessment and analysis can be used when choosing adequate optimal methods for fending off threats, as well as when auditing the real state of an object’s information security.

To create an optimal information security system for an enterprise, it is necessary to competently assess the situation, identify possible risks, and develop a concept and security policy, on the basis of which a system model is built and appropriate implementation and operation mechanisms are developed.

Chapter 2 The concept of information threats and their types

2.1 Information threats

Since the late 80s and early 90s, problems related to information security have worried both specialists in the field of computer security and numerous ordinary users of personal computers. This is due to the profound changes computer technology brings to our lives.

Modern automated information systems (AIS) in economics are complex mechanisms consisting of a large number of components of varying degrees of autonomy, interconnected and exchanging data. Almost each of them can fail or be exposed to external influences.

Despite the expensive measures taken, the functioning of computer information systems has revealed the presence of weaknesses in information security. The inevitable consequence has been ever-increasing costs and efforts to protect information. However, in order for the measures taken to be effective, it is necessary to determine what a threat to information security is, and to identify possible channels of information leakage and ways of unauthorized access to protected data.

A threat to information security (information threat) means an action or event that can lead to destruction, distortion or unauthorized use of information resources, including stored, transmitted and processed information, as well as software and hardware. If the value of information is lost during its storage and/or distribution, then the threat of violation of confidentiality of information is realized. If information is changed or destroyed with loss of its value, then the threat to information integrity is realized. If information does not reach the legal user on time, then its value decreases and over time is completely depreciated, thereby threatening the efficiency of use or availability of information.

So, the implementation of threats to information security consists in violating the confidentiality, integrity and availability of information. An attacker can view confidential information, modify it, or even destroy it, as well as limit or block a legitimate user’s access to information. In this case, the attacker can be either an employee of the organization or an outsider. But, besides this, the value of information may decrease due to accidental, unintentional errors of personnel, as well as surprises sometimes presented by nature itself.

Information threats can be caused by:

    natural factors (natural disasters - fire, flood, hurricane, lightning and other causes);

    human factors. The latter, in turn, are divided into:

– threats that are random, unintentional in nature. These are threats associated with errors in the process of preparing, processing and transmitting information (scientific, technical, commercial, monetary and financial documentation); with an untargeted “drain” of brains, knowledge and information (for example, in connection with population migration, travel to other countries, to reunite with family, etc.). These are also threats associated with errors in the design, development and manufacturing of systems and their components (buildings, structures, premises, computers, communications equipment, operating systems, application programs, etc.); with errors in the operation of equipment due to poor-quality manufacturing; with errors in the process of preparing and processing information (errors of programmers and users due to insufficient qualifications and poor-quality service, operator errors in the preparation, input and output of data, correction and processing of information);

– threats caused by deliberate, intentional actions of people. These are threats associated with the transfer, distortion and destruction of scientific discoveries, inventions, production secrets and new technologies for selfish and other antisocial reasons (documentation, drawings, descriptions of discoveries and inventions and other materials); with eavesdropping on and transmission of official and other scientific, technical and commercial conversations; with a targeted “drain” of brains, knowledge and information (for example, in connection with obtaining another citizenship for selfish reasons). These are also threats associated with unauthorized access to the resources of an automated information system (making technical changes to computer and communications equipment, connecting to computer equipment and communication channels, theft of information media: floppy disks, descriptions, printouts, etc.).

Deliberate threats are aimed at causing damage to AIS users and, in turn, are divided into active and passive.

Passive threats, as a rule, are aimed at the unauthorized use of information resources without affecting their functioning. A passive threat is, for example, an attempt to obtain information circulating in communication channels by listening to them.

Active threats have the goal of disrupting the normal functioning of the system through targeted impact on hardware, software and information resources. Active threats include, for example, destruction or electronic jamming of communication lines, disablement of a PC or its operating system, distortion of information in databases or in system information, etc. Sources of active threats can be direct actions of attackers, software viruses, etc.

Deliberate threats are divided into internal, arising within the managed organization, and external.

Internal threats are most often determined by social tension and a difficult moral climate.

External threats can be determined by malicious actions of competitors, economic conditions and other reasons (for example, natural disasters). According to foreign sources, industrial espionage has become widespread: the illegal collection, appropriation and transfer of information constituting a trade secret by a person not authorized by its owner, which is harmful to the owner of the trade secret.

The main security threats include:

    disclosure of confidential information;

    compromise of information;

    unauthorized use of information resources;

    misuse of resources;

    unauthorized exchange of information;

    refusal of information;

    refusal of service.

The means of implementing the threat of disclosure of confidential information may be unauthorized access to databases, wiretapping of channels, etc. In any case, this means obtaining information that is the property of a certain person (group of persons), which leads to a decrease in and even loss of the value of the information.

The implementation of threats is a consequence of one of the following actions and events: disclosure of confidential information, leakage of confidential information and unauthorized access to protected information (106). When disclosed or leaked, the confidentiality of information with limited access is violated (Fig. 2).

Rice. 2 Actions and events that violate information security

Leakage of confidential information - this is the uncontrolled release of confidential information beyond the boundaries of the IP or the circle of persons to whom it was entrusted through service or became known in the course of work. This leak may be due to:

    disclosure of confidential information;

    the flow of information through various, mainly technical, channels;

    unauthorized access to confidential information in various ways.

Disclosure of information by its owner or possessor is the intentional or careless action of officials and users to whom the relevant information was entrusted in the prescribed manner through their service or work, which led to persons who were not allowed access to this information becoming familiar with it.

Uncontrolled leakage of confidential information is possible via visual-optical, acoustic, electromagnetic and other channels.

Due to their physical nature, the following means of information transfer are possible:

    Light rays.

    Sound waves.

    Electromagnetic waves.

    Materials and substances.

By an information leakage channel we mean a physical path from a source of confidential information to an attacker, through which leakage or unauthorized receipt of protected information is possible. For the emergence (formation, establishment) of an information leakage channel, certain spatial, energy and temporal conditions are required, as well as appropriate means of perceiving and recording information on the attacker’s side.

In practice, taking into account the physical nature of their formation, information leakage channels can be divided into the following groups:

    visual-optical;

    acoustic (including acoustic-transforming);

    electromagnetic (including magnetic and electric);

    tangible (paper, photos, magnetic media, industrial waste of various types: solid, liquid, gaseous).

Visual-optical channels are, as a rule, direct or remote (including television) observation. The carrier of information is light emitted by sources of confidential information or reflected from them in the visible, infrared and ultraviolet ranges.

Acoustic channels. For a person, hearing is the second most informative sense after vision. Therefore, one of the fairly common channels of information leakage is the acoustic channel. In the acoustic channel, the carrier of information is sound lying in the ultrasonic (more than 20,000 Hz), audible and infrasonic ranges. The range of sound frequencies heard by humans is from 16 to 20,000 Hz, and that contained in human speech is from 100 to 6,000 Hz.

In free air space, acoustic channels are formed in rooms during negotiations in the case of open doors, windows, and vents. In addition, such channels are formed by the air ventilation system of the premises. In this case, the formation of channels significantly depends on the geometric dimensions and shape of the air ducts, the acoustic characteristics of the shaped elements of the valves, air distributors and similar elements.

Electromagnetic channels. The carriers of information are electromagnetic waves in the range from ultra-long waves with a wavelength of 10,000 m (frequencies less than 30 Hz) to submillimeter waves with a wavelength of 1 - 0.1 mm (frequencies from 300 to 3000 GHz). Each of these types of electromagnetic waves has specific propagation characteristics, both in range and in space. Long waves, for example, propagate over very long distances, while millimeter waves, on the contrary, extend only to a line of sight within a few or tens of kilometers. In addition, various telephone and other wires and communication cables create magnetic and electric fields around themselves, which also act as elements of information leakage due to interference with other wires and equipment elements in the near zone of their location.

Material (tangible) channels of information leakage include a variety of materials in solid, liquid, gaseous or corpuscular (radioactive elements) form. Very often these are various production wastes, defective products, draft materials, etc.

Obviously, each source of confidential information may have, to one degree or another, a set of information leakage channels. The causes of leakage are usually associated with imperfect standards for storing information, as well as violations of these standards (including imperfect ones), deviations from the rules for handling relevant documents, technical means, product samples and other materials containing confidential information.

Leakage factors may include, for example:

    insufficient knowledge by enterprise employees of information security rules and a failure to understand (or insufficient understanding of) the need for their careful compliance;

    weak control over compliance with information protection rules by legal, organizational and engineering measures.

Unauthorized access (UNA)

This most common type of information threat involves a user gaining access to an object for which he does not have permission in accordance with the organization's security policy. The biggest challenge is usually determining who should have access to which data sets and who should not. In other words, the term “unauthorized” needs to be defined.

By its nature, UNA is an active influence that exploits system errors. UNA is usually directed at the required set of data itself, or acts on information about authorized access in order to legitimize the UNA. Any system object can be subject to UNA. UNA against objects can be carried out using both standard and specially designed software.
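The point above, that "unauthorized" has to be defined before it can be detected, can be shown as an added example (not part of the original text): the security policy is written down as an explicit role-to-data-set matrix with default deny, and a constructed access log is audited against it. The roles, users, data sets and log format are all assumptions made for illustration.

```python
from collections import namedtuple

# Constructed policy: role -> data set -> rights that role may exercise.
POLICY = {
    "accountant": {"ledger": {"read", "write"}, "payroll": {"read"}},
    "hr": {"payroll": {"read", "write"}, "staff_files": {"read", "write"}},
    "auditor": {"ledger": {"read"}, "payroll": {"read"}},
}
# Constructed user-to-role assignment.
USER_ROLES = {"ivanova": {"accountant"}, "petrov": {"hr"}, "sidorov": {"auditor"}}

# Constructed access log: timestamp user action dataset outcome
LOG = """\
2024-03-01T09:00:12 ivanova read ledger granted
2024-03-01T09:05:40 ivanova write payroll granted
2024-03-01T09:07:03 sidorov write ledger denied
2024-03-01T09:10:55 petrov read staff_files denied
2024-03-01T09:12:31 guest01 read ledger granted
2024-03-01T09:15:00 petrov write payroll granted
"""

Finding = namedtuple("Finding", "timestamp user action dataset verdict")


def allowed(user, action, dataset):
    """Default deny: access is authorized only if one of the user's roles grants it."""
    return any(
        action in POLICY.get(role, {}).get(dataset, set())
        for role in USER_ROLES.get(user, set())
    )


def audit(log_text):
    """Compare what the system actually did with what the policy permits."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, user, action, dataset, outcome = line.split()
        permitted = allowed(user, action, dataset)
        granted = outcome == "granted"
        if granted and not permitted:
            verdict = "policy_violation"   # unauthorized access actually happened
        elif not granted and not permitted:
            verdict = "blocked_attempt"    # attempt stopped by access control
        elif not granted and permitted:
            verdict = "false_denial"       # availability problem for a legitimate user
        else:
            continue                       # granted and permitted: nothing to report
        findings.append(Finding(timestamp, user, action, dataset, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit(LOG):
        print(*finding)
```

An unknown account such as `guest01` has no roles, so every access it is granted is reported as a policy violation.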

There are also quite primitive ways of unauthorized access:

    theft of storage media and documentary waste;

    proactive cooperation;

    inducement to cooperate by the intruder;

    probing;

    eavesdropping;

    observation and other ways.

Any methods of leaking confidential information can lead to significant material and moral damage both for the organization where the information system operates and for its users.

Managers should remember that quite a large part of the reasons and conditions that create the preconditions and the possibility of unlawful acquisition of confidential information arise due to elementary shortcomings of organizational leaders and their employees. For example, the reasons and conditions that create the prerequisites for the leakage of trade secrets may include:

    insufficient knowledge by the organization’s employees of the rules for protecting confidential information and a lack of understanding of the need for their careful compliance;

    use of uncertified technical means for processing confidential information;

    weak control over compliance with information protection rules by legal, organizational and engineering measures, etc.

Example No. 1 (M. Nakamoto “Japan is fighting leaks”, “Monday” dated 03/02/2004)

Japanese companies have long been defendants in industrial espionage scandals and disputes, with one of the most famous examples being the 1982 case of Hitachi employees accused of stealing intellectual property from IBM. Now, however, as international competition intensifies in areas where the Japanese have traditionally dominated, they themselves are increasingly becoming victims of industrial spies.

The Sharp Corporation, which carefully guards its own technological developments, has located its ultra-modern plant for the production of liquid crystal panels in the town of Kameyama - in a remote mountainous area, far from prying eyes. But here, too, the giant of the electronics industry does not feel completely safe: for some time now, Sharp employees have been alarmed by a mysterious car that has been driving around the corporation’s secret facility about once a month. The suspicious car, according to Sharp representatives, may well belong to an agent of a competing company hoping to find out important details of someone else's know-how.

“Technology leakage from Japan reduces the country's competitiveness and leads to a decline in employment,” said Yoshinori Komiya, director of the Intellectual Property Protection Agency at the Ministry of Economy, Trade and Industry (METI). “We recognize that some technologies are subject to overseas transfer; but now technologies are often transferred that company leaders seek to keep secret.”

This problem has become especially painful for the Japanese government now that the neighbors of the land of the rising sun have achieved serious success in the high-tech market. Even the largest and most powerful Japanese companies now have to take a defensive stance and carefully guard their intellectual property.

According to METI, many companies that become victims of industrial espionage try not to stir up a scandal, since their own employees, and not outside agents, are guilty of the thefts. As Yokio Sotoku, vice-president of Matsushita, admits, violations by fifth columnists, such as employees working at rival firms on weekends, are still common in Japanese business.

METI research also shows that one of the channels for the leakage of commercial information is former employees of Japanese companies who take jobs in other Asian countries and take with them the know-how of their former employers. METI identified the main ways in which confidential information leaks to competitors of Japanese companies, including copying of data by employees during non-working hours; employees working part-time in competing companies (for example, on weekends); creating a joint venture with a foreign company with an insufficiently developed information security policy; violation of a confidentiality agreement by a partner-equipment supplier, etc.

METI notes that many companies that did not realize in time the risk associated with leakage of know-how suffer significant losses because of this, but the courts in such cases treat them without sympathy, since we are talking about negligence and carelessness. Of the 48 court cases in which Japanese companies sought compensation for damages from intellectual property theft, only 16 cases were found to have merit.

Example No. 2 (B. Gossage “Chatterbox - a godsend for a competitor”; “Monday” dated 02/16/2004)

Phil Sipowicz, founder and head of the American IT consulting company Everynetwork, has never considered himself talkative or prone to indiscreet statements. When negotiating a possible partnership with one of his competitors, Sipowicz tried not to reveal his cards, saying only what he considered truly necessary to advance the deal.

After the negotiations, an optimistic Sipowicz, together with his lawyer, drafted a non-disclosure agreement and faxed it to his partner. The answer came only a few weeks later and was unexpected - the partner said that he was not interested in a merger, an alliance, or anything else... And a month later, one of Sipowicz’s clients called and said that he had received a proposal from another consultant. As it turned out, that same failed partner! Only then did Sipowicz remember that during the negotiations he accidentally mentioned three of his key clients. His suspicions were justified: soon two other clients also received offers from an alternative consultant. “This was not a large-scale marketing campaign, they were looking for an approach only to those clients whom I myself mentioned,” states Sipowicz. “I couldn’t do anything, since I spilled the beans myself.”

Disclosure and leakage lead to unauthorized access to confidential information with minimal effort on the part of the attacker. This is facilitated by certain less-than-ideal personal and professional characteristics and actions of the company’s employees, presented in Fig. 3.

Fig. 3. Personal and professional characteristics and actions of employees that contribute to the implementation of information security threats

And even if the employee is not an attacker, he may make mistakes unintentionally due to fatigue, illness, etc.

Erroneous use of information resources, even when authorized, can nevertheless lead to the destruction, disclosure or compromise of those resources. This threat is most often a consequence of errors in AIS software.

Destruction of computer information is erasing it in the computer memory, deleting it from physical media, as well as unauthorized changes to its constituent data that radically change the content (for example, introducing false information, adding, changing, deleting records). The simultaneous transfer of information to another computer medium is not considered in the context of criminal law to be the destruction of computer information only if, as a result of these actions, access to the information by lawful users was not significantly hindered or excluded.

The fact that the user is able to restore the destroyed information using software, or to obtain this information from another user, does not relieve the culprit of liability.

Renaming the file in which the information is contained does not constitute destruction of information, nor does the automatic “displacement” of older versions of files by the most recent ones.

Blocking of computer information is the artificial obstruction of users' access to computer information, not related to its destruction. In other words, this is the performance of actions with information, the result of which is the impossibility of obtaining or using it for its intended purpose, while the information itself remains completely intact.

Compromise of information, as a rule, is implemented by making unauthorized changes to databases, as a result of which its consumer is forced to either abandon it or make additional efforts to detect changes and restore true information. If compromised information is used, the consumer is exposed to the risk of making wrong decisions with all the ensuing consequences.
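The "additional efforts to detect changes and restore true information" mentioned above can be made concrete. The following added example (not from the original text) keeps a keyed-hash (HMAC-SHA256) manifest of a table, reports which records were changed, deleted or inserted, and restores them from a trusted backup. The table contents, the key and all function names are assumptions made for illustration.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo key. Assumption: in practice the key is stored outside the
# database it protects; anyone who holds it can forge valid tags.
KEY = b"constructed-demo-key"

# Constructed sample table: record id -> record fields.
BASELINE = {
    "acc-1001": {"owner": "Ivanova", "balance": 1500},
    "acc-1002": {"owner": "Petrov", "balance": 320},
    "acc-1003": {"owner": "Sidorov", "balance": 9800},
}


def _mac(key, obj):
    # Canonical JSON so that field order never changes the tag.
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def record_tag(key, record_id, record):
    # The id is bound into the tag so a valid tag cannot be moved to another record.
    return _mac(key, {"id": record_id, "data": record})


def build_manifest(key, table):
    tags = {rid: record_tag(key, rid, rec) for rid, rec in table.items()}
    # The seal covers the whole tag list, so editing the manifest is detected too.
    return {"tags": tags, "seal": _mac(key, sorted(tags.items()))}


def verify(key, table, manifest):
    """Return ids of modified, deleted and added records relative to the manifest."""
    seal = _mac(key, sorted(manifest["tags"].items()))
    if not hmac.compare_digest(seal, manifest["seal"]):
        raise ValueError("manifest altered: baseline cannot be trusted")
    report = {"modified": [], "deleted": [], "added": []}
    for rid, tag in manifest["tags"].items():
        if rid not in table:
            report["deleted"].append(rid)
        elif not hmac.compare_digest(tag, record_tag(key, rid, table[rid])):
            report["modified"].append(rid)
    report["added"] = [rid for rid in table if rid not in manifest["tags"]]
    return {kind: sorted(ids) for kind, ids in report.items()}


def restore(table, backup, report):
    """Rebuild the true table from a trusted backup, touching only flagged records."""
    restored = copy.deepcopy(table)
    for rid in report["modified"] + report["deleted"]:
        restored[rid] = copy.deepcopy(backup[rid])
    for rid in report["added"]:
        del restored[rid]
    return restored


def tampered_copy():
    """Constructed compromise: one changed, one deleted, one false record."""
    table = copy.deepcopy(BASELINE)
    table["acc-1002"]["balance"] = 320000
    del table["acc-1003"]
    table["acc-9999"] = {"owner": "Unknown", "balance": 50000}
    return table


if __name__ == "__main__":
    manifest = build_manifest(KEY, BASELINE)
    report = verify(KEY, tampered_copy(), manifest)
    print(report)
    print(verify(KEY, restore(tampered_copy(), BASELINE, report), manifest))
```

A plain unkeyed hash stored next to the data would not serve here, because whoever can change the records can also recompute the hash.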

Refusal of information, in particular non-recognition of a transaction (bank operation), consists in the non-recognition by the recipient or sender of information of the facts of its receipt or sending. In the context of marketing activities, this, in particular, allows one of the parties to terminate the concluded financial agreements in a “technical” way, without formally renouncing them, thereby causing significant damage to the other party.

Modification of computer information is the introduction of any changes to it, except those related to the adaptation of a computer program or database. Adaptation of a computer program or database is “the introduction of changes carried out solely for the purpose of ensuring the functioning of a computer program or database on specific technical means of the user or under the control of specific user programs” (Part 1 of Article 1 of the Law of the Russian Federation of September 23, 1992 "On the legal protection of programs for electronic computers and databases"). In other words, this means a change in its content compared to the information that was initially (before the act was committed) at the disposal of the owner or legal user.

Copying of computer information is the production and permanent recording of the second and subsequent copies of the database or files in any material form, as well as their recording on computer media or in computer memory.

Denial of service represents a very significant and widespread threat, the source of which is the AIS itself. Such a refusal is especially dangerous in situations where a delay in providing resources to a subscriber can lead to dire consequences for him. Thus, the user’s lack of data necessary to make a decision during the period when this decision can still be effectively implemented may cause him to act irrationally.

The main typical ways of unauthorized access to information are:

    interception of electronic radiation;


The main types of threats to the security of information systems are:

Deliberate actions of violators and attackers (offended personnel, criminals, spies, saboteurs, etc.).

Security threats can be classified according to various criteria:

1. Based on the results of the action:

1) threat of leakage;

2) threat of modification;

3) threat of loss.

2. Based on:

· Unintentional;

· Deliberate.

Random (unintentional) threats may arise as a result of:

Natural disasters and accidents (flood, hurricane, earthquake, fire, etc.);

Malfunctions and failures of equipment (technical means) of AITU;

Consequences of errors in the design and development of AIS components (hardware, information processing technology, programs, data structures, etc.);

Operational errors (by users, operators and other personnel).

Main causes of unintentional, man-made threats to AIS:

· Inattention;

· violation of regulations and ignoring restrictions established in the system;

· Incompetence;

· Negligence.

Examples of threats:

1) unintentional actions, leading to partial or complete failure of the system or destruction of hardware, software, information resources of the system (unintentional damage to equipment, deletion, distortion of files with important information or programs, including system ones, etc.);

2) illegal switching on of equipment or changing operating modes of devices and programs;

3) unintentional damage to storage media;

4) illegal introduction and use of unaccounted programs (games, educational, technological, etc., not necessary for the offender to perform his official duties) with subsequent unreasonable consumption of resources (processor load, capture of RAM and memory on external media);

6) infection of the computer with viruses;

7) careless actions leading to disclosure of confidential information or making it publicly available;

8) disclosure, transfer or loss of access control attributes (passwords, encryption keys, identification cards, passes, etc.);

9) ignoring organizational constraints (established rules) when working in the system;

10) logging into the system bypassing security measures (loading a foreign operating system from removable magnetic media, etc.);

11) incompetent use, configuration or unauthorized disabling of protective equipment by security personnel;

12) sending data to the wrong address of the subscriber (device);

13) entering erroneous data;

14) unintentional damage to communication channels.


Deliberate threats are AIS threats caused by human activity and associated with the selfish aspirations of people (attackers).

Sources of threats to an information system can be external or internal.

Unfortunately, the implementation of both threats results in the same consequences: loss of information, violation of its confidentiality, its modification.

The main deliberate threats are usually aimed at:

· deliberate disorganization of the system's operation and its failure;

· penetration of the system and unauthorized access to information for the purpose of using it for personal gain.

Deliberate threats, in turn, can be divided into:

1. Active and passive.

Passive threats are aimed mainly at the unauthorized use of information resources, which does not entail damage or destruction of information.

Various implementation methods are used for this:

a) use of listening devices, remote photo and video shooting, media theft, etc.;

b) theft of storage media (magnetic disks, tapes, memory chips, storage devices and personal computers);

c) interception of data transmitted via communication channels and their analysis in order to determine exchange protocols, rules for entering into communication and user authorization and subsequent attempts to imitate them to penetrate the system;

d) reading residual information from RAM and external storage devices (printer memory buffer);

e) reading information from RAM areas used by the operating system (including the security subsystem);

f) illegal obtaining of passwords and other access control details (through intelligence, using the negligence of users, by guessing, imitation of the system interface, etc.), followed by disguise as a registered user (“masquerade”).

Active threats are the disruption of the normal functioning of the system through targeted influence on its components.

Implementation methods:

A) failure of the PC or operating system;

B) disruption of communication channels;

C) hacking the security system;

D) use of software viruses, etc.

2. Internal and external threats.

Internal violators may be persons from the following categories of personnel:

§ support and maintenance personnel (operators, electricians, technicians) of the system;

§ employees of software development and maintenance departments (application and system programmers);

§ AITU security officers;

§ managers at various levels of the official hierarchy.

According to research conducted in BIS, more than 80% of violations are committed by bank employees.

Outsiders who may be external violators:

§ clients (representatives of organizations, citizens);

§ visitors (invited for any reason);

§ representatives of organizations interacting on issues of ensuring the life of the organization (energy, water, heat supply, etc.);

§ representatives of competing organizations (foreign intelligence services) or persons acting on their instructions;

2. Methods and means of protection

A protection system is a set (complex) of special measures of a legal (legislative) and administrative nature, organizational measures, physical and technical (hardware and software) means of protection, as well as special personnel, designed to ensure the security of information, information technology and the automated system as a whole.

In international and Russian practice, standards are used to assess the level of security of computer systems. In the US, the document containing these standards is called the Orange Book (1985). It provides the following levels of system security:

· Highest class - A;

· Intermediate class – B;

· Low level – C;

· Class of systems that have not passed the test – D.

In Russian practice, the State Technical Commission under the President of the Russian Federation has developed a guideline document providing for the establishment of 7 classes of security of electronic equipment from unauthorized access. In this case, protective measures cover the following subsystems:

· Access control;

· Registration and accounting;

· Cryptographic;

· Ensuring integrity;

· Legislative measures;

· Physical measures.

Methods and means of ensuring information security are shown in Fig. 2. Let's consider the main content of the presented information security methods, which form the basis of security mechanisms.



