Software protection against insiders. Protection from insiders using the Zlock system. Systems based on static device blocking

"Consultant", 2011, N 9

“He who owns the information owns the world” - this famous aphorism of Winston Churchill is more relevant than ever in modern society. Knowledge, ideas and technology come to the fore, and market leadership depends on how well a company can manage its intellectual capital.

In these conditions, the information security of an organization becomes particularly important.

Any leak of information to competitors or publication of information about internal processes instantly affects the positions that the company occupies in the market.

An information security system should provide protection against a variety of threats: technical, organizational and those caused by the human factor.

As practice shows, the main channel for information leakage is insiders.

Enemy in the rear

Typically, an insider is a company employee who causes damage to the company by disclosing confidential information.

However, if we consider the three main conditions, the provision of which is the goal of information security - confidentiality, integrity, availability - this definition can be expanded.

An insider can then be defined as an employee with legitimate official access to an enterprise's confidential information whose actions cause its disclosure, distortion, damage or unavailability.

This generalization is acceptable because in the modern world a violation of the integrity or availability of information often entails far more severe consequences for a business than the disclosure of confidential information.

For many enterprises, the cessation of business processes, even for a short time, threatens significant financial losses, and disruption of functioning within a few days can cause such a strong blow that its consequences can be fatal.

Various organizations that study business risk regularly publish the results of their research. According to them, insider activity has consistently ranked first among the causes of information security violations for many years.

Due to the steady increase in the total number of incidents, we can conclude that the relevance of the problem is increasing all the time.

Threat model

In order to build a reliable layered information security system that will help effectively combat the problem, it is necessary first of all to create a threat model.

You need to understand who insiders are and what motivates them, why they take certain actions.

There are different approaches to creating such models, but for practical purposes you can use the following classification, which includes all the main types of insiders.

Internal hacker

Such an employee, as a rule, has above-average engineering qualifications and understands the structure of enterprise resources, the architecture of computer systems and networks.

He performs hacking actions out of curiosity, sporting interest, or to explore the limits of his own abilities.

Usually he is aware of the possible harm from his actions, so he rarely causes tangible damage.

The degree of danger is medium, since his actions may cause a temporary stop of some processes occurring in the company. Identification of activities is possible primarily through technical means.

Irresponsible, low-qualified employee

May have any level of skill and work in any department of the enterprise.

He is dangerous because he is not in the habit of thinking about the consequences of his actions; he may work with the company's information resources "by trial and error" and unintentionally destroy or distort information.

Usually he does not remember the sequence of his actions, and when he discovers negative consequences, he may simply remain silent about them.

He may reveal information constituting a trade secret in a personal conversation with a friend, or even when communicating on Internet forums and in social networks.

The degree of danger is very high, especially considering that this type of offender is more common than others. The consequences of his activities can be much more serious than those of a conscious attacker.

To prevent the consequences of his actions, a whole range of measures is needed, both technical (authorization, mandatory separation of work sessions by account) and organizational (constant management control over the process and result of the work).

Psychologically unstable person

Just like a representative of the previous type, he can work in any position and have very different qualifications. He is dangerous because of a tendency to poorly motivated actions under psychological discomfort: in extreme situations, under psychological pressure from other employees, or simply when strongly irritated.

In an affective state, he can reveal confidential information, damage data, and disrupt the usual course of other people's work.

The degree of danger is average, but this type of offender is not so common.

To prevent the negative consequences of his actions, it is most effective to use administrative measures - to identify such people at the interview stage, limit access to information and maintain a comfortable psychological climate in the team.

Offended employee

The widest group of potential violators of the information security regime.

Theoretically, the vast majority of employees are capable of committing acts unfriendly to the company.

This can happen when management shows disrespect for the employee's personality or professional qualities, and when this affects the level of pay.

Potentially, this type of insider poses a very high danger - both leaks and damage to information are possible, and the harm from them will be guaranteed to be noticeable for the business, since the employee causes it consciously and knows all the vulnerabilities well.

Both administrative and technical measures are needed to detect activities.

Dishonest employee

An employee who tries to supplement his personal wealth at the expense of the property of the company he works for. Among the items appropriated there may be various media carrying confidential information (hard disks, flash drives, corporate laptops).

In this case, there is a risk of information reaching people for whom it was not intended, with subsequent publication or transfer to competitors.

The danger is average, but this type is not uncommon.

To identify, administrative measures are needed first.

Competitor's representative

As a rule, he is highly qualified and occupies a position that provides ample opportunities for obtaining information, including confidential information. This is either an existing employee recruited or bought by competitors (the more common case), or an agent deliberately planted in the company.

The degree of danger is very high, since the harm is caused consciously and with a deep understanding of the value of the information, as well as the company’s vulnerabilities.

To identify activities, both administrative and technical measures are needed.

What gets stolen?

Understanding the insider problem is impossible without considering the nature of the stolen information.

According to statistics, personal data of clients, as well as information about client companies and partners, are the most in demand; they are stolen in more than half of the cases. Details of transactions, terms of contracts and deliveries follow. Financial reports are also of great interest.

When forming a set of protective measures, each company inevitably faces the question: what specific information requires special protective measures, and what does not need them?

Of course, the basis for such decisions is the data obtained as a result of the risk analysis. However, often an enterprise has limited financial resources that can be spent on an information security system, and they may not be enough to minimize all risks.

Two approaches

Unfortunately, there is no ready answer to the question: “What to protect first.”

This problem can be approached from two sides.

Risk is a composite indicator that takes into account both the likelihood of a particular threat and the possible damage from it. Accordingly, when setting security priorities, you can focus on either of these indicators. This means that the information protected first is either the information that is easiest to steal (for example, because a large number of employees have access to it) or the information whose theft or blocking would lead to the most severe consequences.

An important aspect of the insider problem is the information transmission channel. The more physical opportunities there are for information to be transferred outside the company without authorization, the more likely it is that this will happen.

Transmission mechanisms

Transmission mechanisms can be classified as follows:

  • oral transmission (personal conversation);
  • technical data transmission channels (telephone communications, fax, email, messaging systems, various social Internet services, etc.);
  • portable media and mobile devices (cell phones, external hard drives, laptops, flash drives, etc.).

According to current research, the most common channels for transmitting confidential data are (in descending order): email, mobile devices (including laptops), social networks and other Internet services (such as instant messaging systems), and so on.

Technical channels can be controlled with various tools; a wide range of such products is currently available on the security market.

For example, content filtering systems (dynamic blocking systems) and tools that restrict access to information media (CD, DVD, Bluetooth).

Administrative measures are also applied: filtering Internet traffic, blocking physical ports of workstations, ensuring administrative regime and physical security.

Choosing technical means of protecting confidential information requires a systematic approach. Only in this way can the greatest benefit be obtained from their implementation.

You must also understand that the challenges facing each company are unique, and it is often simply impossible to use solutions used by other organizations.

The fight against insiders should not be conducted in isolation; it is an important component of the overall business process aimed at ensuring an information security regime.

It must be carried out by professionals and include a full cycle of activities: development of an information security policy, determination of the scope, risk analysis, selection of countermeasures and their implementation, as well as audit of the information security system.

If an enterprise does not ensure information security across this entire set of activities, the risk of financial losses from leaks and damage to information increases sharply.

Minimizing risks

Screening

  1. Thorough screening of applicants applying for any positions in the company. It is recommended to collect as much information as possible about the candidate, including the content of his pages on social networks. It may also help to ask for a reference from a previous place of work.
  2. Candidates for IT engineer positions should be subject to especially thorough screening. Practice shows that more than half of all insiders are system administrators and programmers.
  3. When hiring, at least a minimum psychological check of candidates must be carried out. It will help identify applicants with unstable mental health.

Access rights

  1. An access control scheme for corporate resources. The enterprise must create regulatory documentation that ranks information by level of confidentiality and clearly defines access rights to it. Access to any resource must be personalized.
  2. Access rights to resources should be allocated according to the principle of “minimum sufficiency”. Access to maintenance of technical equipment, even with administrator rights, should not always be accompanied by access to view the information itself.
  3. Monitoring of user actions that is as thorough as possible, with mandatory authorization and recording of the operations performed in a log. The more carefully the logs are kept, the more control management has over the situation in the company. The same applies to the employee’s actions when using official access to the Internet.

Communication standard

  1. The organization must adopt its own standard of communication, which would exclude all forms of inappropriate behavior of employees towards each other (aggression, violence, excessive familiarity). First of all, this applies to the “manager-subordinate” relationship.

Under no circumstances should an employee feel that he is being treated unfairly, that he is not valued enough, that he is being unnecessarily exploited, or that he is being deceived.

Following this simple rule will allow you to avoid the vast majority of situations that provoke employees into insider activity.

Confidentiality

A non-disclosure agreement should not be a mere formality. It must be signed by all employees who have access to the company's important information resources.

In addition, even at the interview stage, potential employees need to be explained how the company controls information security.

Control of equipment

This means control over the technical equipment an employee uses for work purposes.

For example, using a personal laptop is undesirable, since when an employee leaves, most likely it will not be possible to find out what information is stored on it.

For the same reason, it is undesirable to use e-mail boxes hosted on external services.

Internal rules

The enterprise must comply with internal regulations.

It is necessary to have information about the time employees spend at the workplace.

Control of the movement of material assets must also be ensured.

Compliance with all of the above rules will reduce the risk of damage or leakage of information through insiders, and therefore will help prevent significant financial or reputational losses.

Managing partner

group of companies Hosting Community


Today, there are two main channels for the leakage of confidential information: devices connected to the computer (all kinds of removable storage devices, including flash drives, CD/DVD drives, etc., as well as printers) and the Internet (email, ICQ, social networks, etc.). Therefore, when a company is “ripe” to implement a protection system against them, it is advisable to approach the solution comprehensively. The problem is that different approaches are used to cover the different channels. In the first case the most effective protection is control over the use of removable drives; in the second it is content filtering in its various forms, which lets you block the transfer of confidential data to an external network. So companies have to use two products to protect against insiders, which together form a comprehensive security system. Naturally, it is preferable to use tools from one developer: this simplifies their implementation, administration and employee training. As an example, we can cite the SecurIT products Zlock and Zgate.

Zlock: protection against leaks through removable drives

The Zlock program has been on the market for quite some time. And we already. In principle, there is no point in repeating myself. However, since the publication of the article, two new versions of Zlock have been released, which have added a number of important features. It’s worth talking about them, even if only very briefly.

First of all, it is worth noting the possibility of assigning several policies to a computer, which are applied independently depending on whether the computer is connected to the corporate network directly, via VPN, or works autonomously. This allows, in particular, USB ports and CD/DVD drives to be blocked automatically when the PC is disconnected from the local network. Overall, this function increases the security of information stored on laptops, which employees may take out of the office on trips or to work at home.

The second new feature is granting company employees temporary access to blocked devices, or even groups of devices, over the phone. It works by exchanging program-generated secret codes between the user and the employee responsible for information security. Notably, permission to use a device can be issued not only permanently but also temporarily (for a certain time or until the end of the work session). This tool can be considered a slight relaxation of the security system, but it makes the IT department more responsive to business requests.

The next important innovation in the new versions of Zlock is control over the use of printers. Once it is set up, the security system records all user requests to printing devices in a special log. But that's not all. Zlock now offers shadow copying of all printed documents. They are saved in PDF format and are a complete copy of the printed pages, regardless of which file was sent to the printer. This helps prevent the leakage of confidential information on paper when an insider prints out data in order to take it out of the office. The security system also includes shadow copying of information written to CD/DVD discs.

An important innovation was the appearance of the server component Zlock Enterprise Management Server. It provides centralized storage and distribution of security policies and other program settings and significantly facilitates the administration of Zlock in large and distributed information systems. Also worth mentioning is the appearance of Zlock's own authentication system, which, if necessary, lets you do without domain and local Windows users.

In addition, the latest version of Zlock has several less noticeable but also quite important functions: monitoring the integrity of the client module, with the ability to block user login when tampering is detected; expanded deployment options for the security system; support for the Oracle DBMS; etc.

Zgate: protection against Internet leaks

So, Zgate. As we have already said, this product is a system for protecting against leakage of confidential information via the Internet. Structurally, Zgate consists of three parts. The main one is the server component, which carries out all data processing operations. It can be installed either on a separate computer or on nodes already running in the corporate information system: the Internet gateway, domain controller, mail gateway, etc. This module in turn consists of three components: one for monitoring SMTP traffic, one for monitoring internal mail of a Microsoft Exchange 2007/2010 server, and Zgate Web (which is responsible for controlling HTTP, FTP and IM traffic).

The second part of the security system is the logging server. It is used to collect event information from one or more Zgate servers, process it and store it. This module is especially useful in large and geographically distributed corporate systems, since it provides centralized access to all data. The third part is the management console. It uses a standard console for SecurIT products, and therefore we will not dwell on it in detail. We only note that using this module you can control the system not only locally, but also remotely.

Management Console

The Zgate system can operate in several modes. Moreover, their availability depends on the method of product implementation. The first two modes involve working as a mail proxy server. To implement them, the system is installed between the corporate mail server and the “outside world” (or between the mail server and the sending server, if they are separated). In this case, Zgate can both filter traffic (delay infringing and questionable messages) and only log it (pass all messages, but save them in the archive).

The second implementation method involves using the protection system in conjunction with Microsoft Exchange 2007 or 2010. To do this, you need to install Zgate directly on the corporate mail server. There are also two modes available: filtering and logging. In addition to this, there is another implementation option. We are talking about logging messages in mirrored traffic mode. Naturally, to use it, it is necessary to ensure that the computer on which Zgate is installed receives this same mirrored traffic (usually this is done using network equipment).


Selecting Zgate operating mode

The Zgate Web component deserves a separate story. It is installed directly on the corporate Internet gateway. There, this subsystem gains the ability to monitor HTTP, FTP and IM traffic, that is, to process it in order to detect attempts to send confidential information through web mail interfaces and ICQ, or to publish it on forums, FTP servers, social networks, etc. By the way, about ICQ. The function of blocking IM messengers is available in many similar products. However, ICQ is not among them, simply because it is most widespread in Russian-speaking countries.

The operating principle of the Zgate Web component is quite simple. Each time information is sent to any of the controlled services, the system generates a special message. It contains the information itself and some service data. It is sent to the main Zgate server and processed according to the specified rules. Naturally, the sending itself is not blocked in the service. That is, Zgate Web works only in logging mode. With it you cannot prevent an isolated data leak, but you can quickly detect one and stop the activities of a deliberate or unwitting attacker.


Setting up the Zgate Web component

The way information is processed in Zgate and the filtering procedure is determined by the policy, which is developed by the security officer or other responsible employee. It represents a series of conditions, each of which corresponds to a specific action. All incoming messages are “run” through them sequentially one after another. And if any of the conditions are met, then the action associated with it is launched.


Filtration system

In total, the system provides 8 types of conditions, as they say, “for all occasions.” The first is the attachment file type. With it you can detect attempts to send objects of a particular format. Note that the analysis is based not on the extension but on the internal structure of the file, and you can specify both specific object types and their groups (for example, all archives, all videos, etc.). The second type of condition is verification by an external application, which can be either a regular program launched from the command line or a script.


Conditions in the filtration system

But the next condition is worth dwelling on in more detail. This is content analysis of the transmitted information. First of all, it is necessary to note the “omnivorousness” of Zgate: the program “understands” a large number of different formats, so it can analyze not only plain text but also almost any attachment. Another feature of content analysis is its breadth of capabilities. It can consist of a simple search for a certain word in the message text or any other field, or of full-fledged analysis that takes into account grammatical word forms, stemming and transliteration. But that is not all. The system for analyzing patterns and regular expressions deserves special mention. With it you can easily detect data in a certain format in messages, for example passport series and numbers, telephone numbers, contract numbers, bank account numbers, etc. Among other things, this strengthens the protection of personal data processed by the company.


Patterns for identifying various confidential information

The fourth type of conditions is the analysis of the addresses indicated in the letter. That is, searching among them for certain strings. Fifth - analysis of encrypted files. When executed, the attributes of the message and/or nested objects are checked. The sixth type of conditions is to check various parameters of letters. The seventh is dictionary analysis. During this process, the system detects the presence of words from pre-created dictionaries in the message. And finally, the last, eighth type of condition is compound. It represents two or more other conditions combined by logical operators.
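As an added illustration (not SecurIT's code, and not Zgate's actual rule format), the following Python sketch implements the sequential condition/action scheme described above with several of the condition types just listed: attachment type detected from file structure rather than extension, regular-expression patterns for personal data, recipient address checks, a word dictionary, and compound conditions. The corporate domain, the patterns, the rule names and the sample messages are all constructed for this example.

```python
"""Toy condition/action filtering policy in the spirit of the Zgate description.
Added illustration, not SecurIT code: rule set, field names, regular expressions
and sample messages are all constructed."""
import re
from dataclasses import dataclass
from typing import Callable

CORPORATE_DOMAIN = "example.com"   # constructed corporate mail domain

# Attachment type is decided from the file's leading bytes, not its extension.
MAGIC = {"archive": b"PK\x03\x04", "pdf": b"%PDF-"}

def file_type(data: bytes) -> str:
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "other"

# Constructed patterns for structured personal data (formats are examples only).
PATTERNS = {
    "passport": re.compile(r"\b\d{4}\s\d{6}\b"),                      # series + number
    "phone": re.compile(r"\+7(?:[\s-]?\d{3}){2}(?:[\s-]?\d{2}){2}\b"),
}

@dataclass
class Rule:
    name: str
    condition: Callable[[dict], bool]
    action: str            # one of the SEVERITY keys below

# Condition builders, one per condition type mentioned in the text.
def attachment_type(kind):
    return lambda msg: any(file_type(a) == kind for a in msg["attachments"])

def pattern(name):
    rx = PATTERNS[name]
    return lambda msg: rx.search(msg["body"]) is not None

def external_recipient(msg):
    return any(not a.lower().endswith("@" + CORPORATE_DOMAIN) for a in msg["to"])

def dictionary(words):
    wanted = {w.lower() for w in words}
    return lambda msg: bool(wanted & set(re.findall(r"\w+", msg["body"].lower())))

def all_of(*conds):            # compound condition: logical AND
    return lambda msg: all(c(msg) for c in conds)

def any_of(*conds):            # compound condition: logical OR
    return lambda msg: any(c(msg) for c in conds)

# Actions ordered by how restrictive they are; the strictest fired action wins.
SEVERITY = {"pass": 0, "archive": 1, "quarantine": 2, "block": 3}

RULES = [
    Rule("pii-to-outside",
         all_of(any_of(pattern("passport"), pattern("phone")), external_recipient), "block"),
    Rule("archive-to-outside", all_of(attachment_type("archive"), external_recipient), "quarantine"),
    Rule("finance-words", dictionary(["invoice", "contract", "balance"]), "archive"),
]

def evaluate(msg: dict, rules=RULES):
    """Run a message through every rule in order; return the final decision
    and the names of all rules that fired."""
    fired = [(r.name, r.action) for r in rules if r.condition(msg)]
    decision = max((a for _, a in fired), key=SEVERITY.__getitem__, default="pass")
    return decision, [name for name, _ in fired]

# Constructed sample messages.
SAMPLES = {
    "internal_note": {"to": ["colleague@example.com"],
                      "body": "Meeting moved to 15:00.", "attachments": []},
    "passport_leak": {"to": ["friend@mail.invalid"],
                      "body": "His passport is 4509 123456, call +7 495 123-45-67.",
                      "attachments": []},
    "zip_to_partner": {"to": ["partner@other.invalid"], "body": "Contract scans attached.",
                       "attachments": [b"PK\x03\x04" + b"\x00" * 26]},
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, evaluate(msg))
```

Every rule is evaluated even after a match, so a single message can be both archived and quarantined; the strictest action decides what happens to it while the full list of fired rules goes to the log.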

By the way, the dictionaries mentioned in the description of the conditions deserve a separate note. They are groups of words united by one characteristic and are used in various filtering methods. The most sensible approach is to create dictionaries that make it highly likely that a message can be assigned to one category or another. Their contents can be entered manually or imported from existing text files. There is another option for generating dictionaries: automatic. With it, the administrator simply specifies the folder containing the relevant documents. The program itself analyzes them, selects the necessary words and assigns them weights. For a high-quality dictionary it is necessary to indicate not only confidential files but also objects that do not contain sensitive information. Overall, the automatic generation process most resembles training an antispam filter on advertising and regular letters. This is not surprising, because both use similar technologies.
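The automatic dictionary generation and the Bayesian check described here can be illustrated with the following added Python example (not SecurIT's implementation). It stands in for the two folders the administrator points the system at with two constructed lists of short documents, assigns each word a weight (a smoothed log-likelihood ratio, which is an assumption about the weighting scheme), picks the highest-weighted words as the dictionary, and classifies new text with a naive Bayes score built from the same weights.

```python
"""Automatic dictionary generation plus Bayesian classification.
Added example, not SecurIT's implementation: the training folders are replaced
by constructed in-memory document lists and the weighting scheme is an assumption."""
import math
import re
from collections import Counter

WORD = re.compile(r"[^\W\d_]+")   # letters only, any alphabet

def tokens(text):
    return [w.lower() for w in WORD.findall(text)]

# Constructed training corpora standing in for the "confidential" and "ordinary" folders.
CONFIDENTIAL_DOCS = [
    "quarterly financial report revenue forecast confidential",
    "balance sheet and revenue figures for the board confidential",
    "client account balances and contract terms confidential",
]
ORDINARY_DOCS = [
    "lunch menu for friday and office party plans",
    "reminder about the parking lot repairs on monday",
    "team building event next week please confirm",
]

class DictionaryModel:
    def __init__(self, confidential, ordinary):
        self.conf, self.ordi = Counter(), Counter()
        for doc in confidential:
            self.conf.update(tokens(doc))
        for doc in ordinary:
            self.ordi.update(tokens(doc))
        self.vocab = set(self.conf) | set(self.ordi)
        self.n_conf = sum(self.conf.values())
        self.n_ordi = sum(self.ordi.values())
        self.prior = math.log(len(confidential) / len(ordinary))   # class prior log odds

    def weight(self, word):
        """Laplace-smoothed log-likelihood ratio: positive values point towards
        the confidential class, negative ones towards ordinary mail."""
        v = len(self.vocab)
        p_conf = (self.conf[word] + 1) / (self.n_conf + v)
        p_ordi = (self.ordi[word] + 1) / (self.n_ordi + v)
        return math.log(p_conf / p_ordi)

    def dictionary(self, top=10):
        """The auto-generated dictionary: the words most indicative of
        confidential documents, each with its weight."""
        ranked = sorted(self.vocab, key=lambda w: (-self.weight(w), w))
        return [(w, round(self.weight(w), 3)) for w in ranked[:top]]

    def score(self, text):
        """Naive-Bayes log odds that the text is confidential; unknown words are ignored."""
        return self.prior + sum(self.weight(w) for w in tokens(text) if w in self.vocab)

    def is_confidential(self, text):
        return self.score(text) > 0

MODEL = DictionaryModel(CONFIDENTIAL_DOCS, ORDINARY_DOCS)

if __name__ == "__main__":
    print(MODEL.dictionary(5))
    for text in ("revenue forecast for the board", "office party on friday"):
        print(text, "->", MODEL.is_confidential(text), round(MODEL.score(text), 2))
```

Words that appear only in the confidential corpus get a positive weight and become the dictionary; words common to both corpora weigh close to zero, which is why the "ordinary" folder matters as much as the confidential one.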


Example of a dictionary on a financial topic

Speaking of dictionaries, we also cannot fail to mention another confidential data detection technology implemented in Zgate: digital fingerprints. The essence of this method is as follows. The administrator points the system at folders that contain confidential data. The program analyzes all the documents in them and creates “digital fingerprints”, sets of data that make it possible to detect an attempt to transfer not only the entire contents of a file but also its individual parts. Note that the system automatically monitors the status of the specified folders and independently creates “fingerprints” for all objects that newly appear in them.
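An added Python example (not SecurIT's algorithm, whose internals the text does not describe) of one common way to build such fingerprints: word shingles hashed per protected file, so that a message quoting only part of a document still matches. The protected folder is a temporary directory filled with constructed documents; the shingle size and the match threshold are assumptions.

```python
"""Shingle-based digital fingerprints for a protected folder.
Added example, not SecurIT's implementation; shingle size, threshold and the
documents are constructed for the illustration."""
import hashlib
import os
import re
import tempfile

SHINGLE = 5                     # words per shingle (assumption)
WORD = re.compile(r"\w+")

def shingles(text, k=SHINGLE):
    """Hashes of every run of k consecutive normalized words."""
    words = [w.lower() for w in WORD.findall(text)]
    out = set()
    for i in range(len(words) - k + 1):
        chunk = " ".join(words[i:i + k]).encode("utf-8")
        out.add(hashlib.sha256(chunk).hexdigest()[:16])
    return out

class FingerprintIndex:
    def __init__(self, folder):
        self.folder = folder
        self.seen = {}      # path -> (size, mtime_ns) at the time it was fingerprinted
        self.prints = {}    # path -> set of shingle hashes
        self.refresh()

    def refresh(self):
        """Fingerprint new or changed files, forget removed ones; return file count."""
        current = set()
        for name in os.listdir(self.folder):
            path = os.path.join(self.folder, name)
            if not os.path.isfile(path):
                continue
            current.add(path)
            st = os.stat(path)
            stamp = (st.st_size, st.st_mtime_ns)
            if self.seen.get(path) != stamp:
                with open(path, encoding="utf-8") as f:
                    self.prints[path] = shingles(f.read())
                self.seen[path] = stamp
        for path in list(self.prints):
            if path not in current:
                del self.prints[path]
                del self.seen[path]
        return len(self.prints)

    def match(self, text, threshold=0.3):
        """Return (file name, overlap ratio) for the best-matching protected file
        if at least `threshold` of the text's shingles come from it, else None."""
        sample = shingles(text)
        if not sample:
            return None
        best, best_ratio = None, 0.0
        for path, fp in self.prints.items():
            ratio = len(sample & fp) / len(sample)
            if ratio > best_ratio:
                best, best_ratio = path, ratio
        return (os.path.basename(best), best_ratio) if best_ratio >= threshold else None

def add_document(index, name, text):
    """Simulate a new file appearing in the protected folder and let the index pick it up."""
    with open(os.path.join(index.folder, name), "w", encoding="utf-8") as f:
        f.write(text)
    return index.refresh()

def build_demo():
    """Create a temporary protected folder with constructed documents and index it."""
    folder = tempfile.mkdtemp()
    docs = {
        "contract.txt": ("This agreement between Example Bank and the supplier sets the "
                         "delivery price at twelve thousand units per quarter with payment "
                         "within thirty days of invoice."),
        "policy.txt": ("Employees must lock their workstations when leaving the desk and "
                       "report lost media to the security officer immediately."),
    }
    for name, text in docs.items():
        with open(os.path.join(folder, name), "w", encoding="utf-8") as f:
            f.write(text)
    return FingerprintIndex(folder)

if __name__ == "__main__":
    idx = build_demo()
    print(idx.match("fyi: the delivery price at twelve thousand units per quarter "
                    "with payment within thirty days"))
    print(idx.match("lunch at noon in the cafeteria please confirm"))
```

Only the hashes are kept, not the documents themselves, so the index can live on the filtering server without duplicating the confidential files, and a quoted fragment of a few sentences is enough to trigger a match.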


Creating a category with digital fingerprints of files

Well, now all that remains is to look at the actions implemented in the protection system. In total, there are 14 of them in Zgate. Most of them define what is done with the message: in particular, deleting it without sending (that is, effectively blocking the transmission of the letter), placing it in an archive, adding or deleting attachments, changing various fields, inserting text, etc. Among them, placing a letter in quarantine deserves special mention. This action lets you “postpone” a message for manual verification by a security officer, who decides its further fate. Also very interesting is the action that blocks an IM connection. It can be used to instantly block the channel through which a message with confidential information was transmitted.

Two actions stand somewhat apart - processing by the Bayesian method and processing by the fingerprint method. Both of them are designed to check messages to see if they contain sensitive information. Only the first uses dictionaries and statistical analysis, and the second uses digital fingerprints. These actions can be performed when a certain condition is met, for example, if the recipient's address is not in a corporate domain. In addition, they (like any others) can be set to be unconditionally applied to all outgoing messages. In this case, the system will analyze the letters and assign them to certain categories (if, of course, this is possible). But for these categories you can already create conditions with the implementation of certain actions.


Actions in the Zgate system

Well, at the end of our conversation today about Zgate, we can sum up a little. This protection system is based primarily on content analysis of messages. This approach is the most common for protecting against leakage of confidential information over the Internet. Naturally, content analysis does not provide 100% protection and is rather probabilistic in nature. However, its use prevents most cases of unauthorized transfer of sensitive data. Should companies use it or not? Everyone must decide this for themselves, weighing the costs of implementation against the possible problems in case of an information leak. It is worth noting that Zgate does an excellent job of matching regular expressions, which makes it a very effective means of protecting the personal data processed by the company.

Recent information security studies, such as the annual CSI/FBI Computer Crime and Security Survey, have shown that financial losses to companies from most threats are decreasing year over year. However, there are several risks from which losses are increasing. One of them is the deliberate theft of confidential information, or violation of the rules for handling it, by those employees whose access to commercial data is necessary to perform their official duties. They are called insiders.

In the vast majority of cases, the theft of confidential information is carried out using mobile media: CDs and DVDs, ZIP devices and, most importantly, all kinds of USB drives. It was their mass distribution that led to the flourishing of insider activity around the world. The heads of most banks are well aware of the danger of, for example, a database with their clients' personal data, let alone their account transactions, falling into the hands of criminal structures. And they try to combat the possible theft of information using the organizational methods available to them.

However, organizational methods are ineffective here. Today information can be transferred between computers using a miniature flash drive, a cell phone, an mp3 player, a digital camera... Of course, you can try to ban bringing all these devices into the office, but, firstly, this will damage relations with employees, and secondly, it will still be very difficult to establish really effective control over people: a bank is not a “mailbox” (a closed, guarded facility). Even disabling all the devices on computers that can write information to external media (FDD and ZIP drives, CD and DVD drives, etc.) and the USB ports will not help. After all, the former are needed for work, and the latter are used by various peripherals: printers, scanners, etc. And nobody can stop a person from unplugging the printer for a minute, inserting a flash drive into the freed port and copying important information to it. You can, of course, look for original ways to protect yourself. For example, one bank tried the following solution: it filled the junction of the USB port and the cable with epoxy resin, tightly “binding” the cable to the computer. Fortunately, however, more modern, reliable and flexible control methods exist today.

The most effective means of minimizing the risks associated with insiders is special software that dynamically controls all the devices and ports of the computer that can be used to copy information. It works as follows. Permissions to use various ports and devices are set for each user group or for each user individually. The biggest advantage of such software is flexibility. You can set restrictions for specific types of devices, for their models and for individual instances. This allows you to implement very detailed access rights policies.

For example, you might want to allow some employees to use any printers or scanners connected to USB ports. However, all other devices inserted into this port will remain inaccessible. If the bank uses a user authentication system based on tokens, then in the settings you can specify the key model used. Then users will be allowed to use only devices purchased by the company, and all others will be useless.

Given the principle of operation described above, it is clear what matters when choosing a program that implements dynamic blocking of recording devices and computer ports. First, coverage: the protection system must cover the entire range of possible ports and input/output devices, otherwise the risk of theft of commercial information remains unacceptably high. Second, the software must be flexible and allow rules to be built from a wide range of device attributes: type, manufacturer and model, the unique number of each instance, and so on. Third, the insider protection system must integrate with the bank's information system, in particular with Active Directory. Otherwise the administrator or security officer will have to maintain two databases of users and computers, which is not only inconvenient but also increases the risk of errors.
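To make the three requirements concrete, here is an added example (not code from the article or from any product it mentions) of how such a policy can be evaluated: rules match a device by class, by vendor and model, or by an individual serial number, and are bound to a user or to a group. The most specific matching rule wins and anything unmatched is denied. `GROUPS` stands in for directory group membership, and every user, vendor, model and serial number below is constructed.

```python
"""Added example (not from the article): a toy evaluator for the kind of
dynamic device-control policy described above. Rules match a device by
class, by vendor and model, or by an individual serial number, and are
bound to a user or to a group; the most specific matching rule wins and
unmatched devices are denied. GROUPS stands in for directory (AD) group
membership; all names, vendors and serials are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Device:
    dev_class: str  # "printer", "scanner", "storage", "token", ...
    vendor: str
    model: str
    serial: str


@dataclass(frozen=True)
class Rule:
    allow: bool
    dev_class: Optional[str] = None
    vendor: Optional[str] = None
    model: Optional[str] = None
    serial: Optional[str] = None

    def matches(self, d: Device) -> bool:
        pairs = ((self.dev_class, d.dev_class), (self.vendor, d.vendor),
                 (self.model, d.model), (self.serial, d.serial))
        return all(want is None or want == got for want, got in pairs)

    def specificity(self) -> int:
        # number of attributes pinned: class < class+vendor+model < serial
        return sum(x is not None for x in
                   (self.dev_class, self.vendor, self.model, self.serial))


# Constructed directory: user -> groups (stands in for AD group membership).
GROUPS = {"alice": {"managers"}, "bob": {"operators"}}

# Constructed policy, keyed by group or user name.
POLICY = {
    "managers": [
        Rule(True, dev_class="printer"),
        Rule(True, dev_class="scanner"),
        # only the company's own token model; any other token stays blocked
        Rule(True, dev_class="token", vendor="ACME", model="KeyPro"),
    ],
    "operators": [Rule(True, dev_class="printer")],
    # one specific company-owned drive, identified by its serial number
    "bob": [Rule(True, dev_class="storage", serial="SN-CORP-0001")],
}


def decide(user: str, device: Device) -> bool:
    """Return True if `user` may use `device`; the default is deny."""
    principals = GROUPS.get(user, set()) | {user}
    candidates = [r for p in principals for r in POLICY.get(p, [])
                  if r.matches(device)]
    if not candidates:
        return False
    # most specific rule wins; among equally specific rules, deny wins
    best = max(candidates, key=lambda r: (r.specificity(), not r.allow))
    return best.allow


if __name__ == "__main__":
    flash = Device("storage", "GenericFlash", "U3", "SN-1234")
    print(decide("alice", flash))  # False: managers have no storage rule
```

With this structure a printer or scanner on a USB port is usable while a flash drive in the same port is not, and a token rule pinned to a vendor and model leaves tokens of any other model useless, which is exactly the behaviour the paragraph above describes.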

Protecting information from insiders using software

Alexander Antipov

I hope that the article itself and especially its discussion will help to identify various nuances of using software tools and will become a starting point in developing a solution to the described problem for information security specialists.


nahna

For a long time, the marketing division of the Infowatch company has been convincing all interested parties - IT specialists, as well as the most advanced IT managers, that most of the damage from a violation of the company's information security falls on insiders - employees divulging trade secrets. The goal is clear - we need to create demand for the product being manufactured. And the arguments look quite solid and convincing.

Formulation of the problem

Build a system for protecting information from theft by personnel on a LAN based on Active Directory (Windows 2000/2003). User workstations run Windows XP. Enterprise management and accounting are based on 1C products.
Secret information is stored in three ways:
  1. the 1C database - network access via RDP (terminal access);
  2. shared folders on file servers - network access;
  3. locally on the employee's PC.
Leakage channels are the Internet and removable media (flash drives, phones, players, etc.). The use of the Internet and removable media cannot be prohibited, since they are necessary for the performance of official duties.

What's on the market

I divided the systems under consideration into three classes:
  1. Systems based on context analyzers - Surf Control, MIME Sweeper, InfoWatch Traffic Monitor, Dozor Jet, etc.
  2. Systems based on static device locking - DeviceLock, ZLock, InfoWatch Net Monitor.
  3. Systems based on dynamic device blocking - SecrecyKeeper, Strazh, Accord, SecretNet.

Systems based on context analyzers

Principle of operation:
Keywords are searched in the transmitted information, and based on the search results, a decision is made on the need to block the transmission.

In my opinion, InfoWatch Traffic Monitor (www.infowatch.ru) has the widest capabilities among the listed products. It is based on the well-proven Kaspersky Antispam engine, which takes the peculiarities of the Russian language into account most fully. Unlike other products, InfoWatch Traffic Monitor considers not only the presence of certain strings in the data being checked but also a predetermined weight for each string. Thus the final decision takes into account not only the occurrence of certain words but also the combinations in which they occur, which makes the analyzer more flexible. The remaining features are standard for this type of product: analysis of archives and MS Office documents, and the ability to block the transfer of files of unknown format or password-protected archives.

Disadvantages of the considered systems based on contextual analysis:

  • only two protocols are monitored - HTTP and SMTP (this is for InfoWatch Traffic Monitor; for HTTP traffic only data sent in POST requests is checked, which allows a leakage channel to be organized by sending data with the GET method);
  • data transfer devices are not controlled - floppy disks, CDs, DVDs, USB drives, etc. (InfoWatch has a separate product for this: InfoWatch Net Monitor);
  • to bypass systems built on content analysis, it is enough to use the simplest text encoding (for example: secret -> s1e1c1r1e1t) or steganography;
  • the following problem cannot be solved by content analysis - no suitable formal description comes to mind, so I will just give an example: there are two Excel files, the first containing retail prices (public information), the second wholesale prices for a specific client (private information); the contents of the files differ only in the numbers. Such files cannot be distinguished by content analysis.
Conclusion:
Contextual analysis is only suitable for creating traffic archives and countering accidental information leakage and does not solve the problem.

Systems based on static device blocking

Principle of operation:
Users are assigned access rights to controlled devices, similar to access rights to files. In principle, almost the same effect can be achieved using standard Windows mechanisms.

Zlock (www.securit.ru) - the product appeared relatively recently, so it has minimal functionality (I don't count frills) and does not work particularly reliably; for example, the management console sometimes crashes when trying to save settings.

DeviceLock (www.smartline.ru) is a more interesting product; it has been on the market for quite a long time, so it works much more stably and has more varied functionality. For example, it allows shadow copying of transmitted information, which can help in investigating an incident, but not in preventing it. In addition, such an investigation will most likely be carried out when the leak becomes known, i.e. a significant time after it occurred.

InfoWatch Net Monitor (www.infowatch.ru) consists of modules: DeviceMonitor (analogous to Zlock), FileMonitor, OfficeMonitor, AdobeMonitor and PrintMonitor. DeviceMonitor is an analogue of Zlock with standard functionality and nothing special. FileMonitor controls access to files. OfficeMonitor and AdobeMonitor allow you to control how files are handled in their respective applications. It is currently quite difficult to come up with a useful, rather than toy, application for FileMonitor, OfficeMonitor and AdobeMonitor, but in future versions it should be possible to conduct contextual analysis of the processed data. Perhaps then these modules will reveal their potential. Although it is worth noting that the task of contextual analysis of file operations is not trivial, especially if the content filtering base is the same as in Traffic Monitor, i.e. the network one.

Separately, it is necessary to say something about protecting the agent from a user with local administrator rights.
ZLock and InfoWatch Net Monitor simply do not have such protection, i.e. the user can stop the agent, copy the data and start the agent again.

DeviceLock has such protection, which is a definite plus. It is based on intercepting system calls for working with the registry, the file system and process management. Another advantage is that the protection also works in safe mode. But there is also a minus: to disable the protection, it is enough to restore the Service Descriptor Table, which can be done by loading a simple driver.

Disadvantages of the considered systems based on static device blocking:

  • the transmission of information to the network is not controlled;
  • they cannot distinguish classified information from non-classified information and work on an all-or-nothing principle: either everything is allowed or nothing is;
  • protection against unloading the agent is absent or easily bypassed.
Conclusion:
It is not advisable to implement such systems, because they do not solve the problem.

Systems based on dynamic device locking

Principle of operation:
Access to transmission channels is blocked depending on the user's access level and the degree of secrecy of the information being worked with. To implement this principle, these products use the mandatory (authoritative) access control mechanism. This mechanism is not encountered very often, so I will dwell on it in more detail.

Mandatory (authoritative, forced) access control, in contrast to discretionary access control (implemented in the security system of Windows NT and later), means that the owner of a resource (for example, a file) cannot weaken the requirements for access to this resource, but can only strengthen them within the limits of his own level. Only a user with special powers - an information security officer or administrator - can relax the requirements.

The main goal of developing products such as Strazh (Guardian), Accord, SecretNet, DallasLock and some others was to allow certification of the information systems in which these products are installed for compliance with the requirements of the State Technical Commission (now FSTEC). Such certification is mandatory for information systems that process state secrets, which is mainly what ensured the demand for these products from state-owned enterprises.

Therefore, the set of functions implemented in these products was determined by the requirements of the relevant documents. This in turn led to most of the functionality implemented in the products either duplicating standard Windows functionality (cleaning objects after deletion, cleaning RAM) or using it implicitly (discretionary access control). The DallasLock developers went even further, implementing mandatory access control in their system through the Windows discretionary control mechanism.

The practical use of such products is extremely inconvenient; for example, DallasLock requires repartitioning the hard drive for installation, which must also be done using third-party software. Very often, after certification, these systems were removed or disabled.

SecrecyKeeper (www.secrecykeeper.com) is another product that implements an authoritative access control mechanism. According to the developers, SecrecyKeeper was developed specifically to solve a specific problem - preventing the theft of information in a commercial organization. Therefore, again according to the developers, special attention during development was paid to simplicity and ease of use, both for system administrators and ordinary users. How successful this was is for the consumer to judge, i.e. us. In addition, SecrecyKeeper implements a number of mechanisms that are absent in the other mentioned systems - for example, the ability to set the privacy level for resources with remote access and an agent protection mechanism.
Control of information movement in SecrecyKeeper is based on the Information Secrecy Level, the User Clearance Levels and the Computer Security Level, each of which can take the values public, secret and top secret. The Information Secrecy Level classifies the information processed in the system into three categories:

public - not secret information, there are no restrictions when working with it;

secret - secret information, when working with it, restrictions are introduced depending on the User's Permission Levels;

top secret - top secret information; when working with it, restrictions are introduced depending on the User's Permission Levels.

The Information Security Level can be set for a file, network drive and the port of the computer on which some service is running.

User Clearance Levels allow you to determine how a user can move information based on its Security Level. The following User Permission Levels exist:

User Permission Level - limits the maximum Security Level of Information to which an employee can access;

Network Access Level - limits the maximum Security Level of Information that an employee can transmit over the network;

Level of Access to Removable Media - limits the maximum Security Level of Information that an employee can copy to external media.

Printer Access Level - limits the maximum Security Level of Information that an employee can print.

Computer Security Level - determines the maximum Security Level of Information that can be stored and processed on a computer.

Access to information with a public security level can be provided by an employee with any security clearance. Such information can be transmitted over the network and copied to external media without restrictions. The history of working with information classified as public is not tracked.

Access to information with a security level of secret can only be obtained by employees whose clearance level is equal to secret or higher. Only employees whose network access level is secret or higher can transmit such information to the network. Only employees whose access level to removable media is secret or higher can copy such information to external media. Only employees whose printer access level is secret or higher can print such information. History of working with information with the secret level, i.e. attempts to access it, attempts to transmit it over the network, attempts to copy it to external media or print it are logged.

Access to information with a top secret level of secrecy can only be obtained by employees whose clearance level is equal to top secret. Only employees whose network access level is equal to top secret can transmit such information to the network. Only employees whose access level to removable media is equal to top secret can copy such information to external media. Only employees whose printer access level is equal to top secret can print such information. History of working with information with a top secret level, i.e. attempts to access it, attempts to transmit it over the network, attempts to copy it to external media or print it are logged.

Example: let an employee have a Permission Level of top secret, a Network Access Level of secret, a Removable Media Access Level of public and a Printer Access Level of top secret. In this case the employee can access a document of any secrecy level, can transfer to the network only information with a secrecy level no higher than secret, can copy to removable media (for example, floppy disks) only information with the public secrecy level, and can print any information.

To manage the dissemination of information throughout the enterprise, each computer assigned to an employee is given a Computer Security Level. This level limits the maximum Secrecy Level of Information that any employee can access from the given computer, regardless of the employee's clearance levels. That is, if an employee has a Clearance Level of top secret, and the computer he is currently working on has a Security Level of public, the employee will not be able to access information with a secrecy level higher than public from that workstation.

Armed with theory, let's try to use SecrecyKeeper to solve the problem. The information processed in the information system of the abstract enterprise under consideration (see problem statement) can be described in a simplified way using the following table:

The employees of the enterprise and the area of ​​their job interests are described using the second table:

Let the following servers be used in the enterprise:
1C server
File server with shares:
SecretDocs - contains secret documents
PublicDocs - contains publicly available documents

Please note that ordinary access control is organized using the standard capabilities of the operating system and application software, i.e. to prevent, for example, a manager from accessing employees' personal data, there is no need to introduce additional protection systems. We are talking specifically about countering the dissemination of information to which the employee has legitimate access.

Let's move on to the actual configuration of SecrecyKeeper.
I will not describe the process of installing the management console and agents, everything is as simple as possible - see the documentation for the program.
Setting up the system consists of performing the following steps.

Step 1. Install agents on all PCs except servers - this immediately prevents them from getting information for which the Secrecy Level is set higher than public.

Step 2. Assign Clearance Levels to employees according to the following table:

Employee           User Permission Level  Network Access Level  Removable Media Access Level  Printer Access Level
director           secret                 secret                secret                        secret
manager            secret                 public                public                        secret
personnel officer  secret                 public                public                        secret
accountant         secret                 public                secret                        secret
secretary          public                 public                public                        public

Step 3. Assign Computer Security Levels as follows:

Step 4. Configure Information Security Levels on the servers:

Step 5. Configure Information Security Levels on employee PCs for local files. This is the most time-consuming part, since it is necessary to clearly understand which employees work with what information and how critical this information is. If your organization has undergone an information security audit, its results can make the task much easier.

Step 6. If necessary, SecrecyKeeper allows you to limit the list of programs that users are allowed to run. This mechanism is implemented independently of the Windows Software Restriction Policy and can be used if, for example, it is necessary to impose restrictions on users with administrator rights.
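The level rules described above (the three Secrecy Levels, the four User Clearance Levels, the Computer Security Level cap, the worked example, and the Step 2 table) are compact enough to model directly. The following is an added example, not SecrecyKeeper's code: it treats sending, copying and printing as requiring read access plus the corresponding clearance, which is an assumption about how the product combines its checks. The employee table reproduces Step 2; the workstation levels and log format are constructed.

```python
"""Added example (not SecrecyKeeper's code): a model of the level-based
(mandatory) access control rules described above. Information carries a
Secrecy Level; each user has four clearance levels (access, network,
removable media, printer) and each computer a Security Level that caps
what can be read from it. Sending, copying and printing are modelled as
requiring read access plus the matching clearance (an assumption).
The employee table reproduces Step 2; other values are constructed."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    PUBLIC = 0
    SECRET = 1
    TOP_SECRET = 2


@dataclass(frozen=True)
class Clearance:
    access: Level     # User Permission (clearance) Level
    network: Level    # Network Access Level
    removable: Level  # Level of Access to Removable Media
    printer: Level    # Printer Access Level


def effective_access(user: Clearance, computer: Level) -> Level:
    """The workstation's Security Level caps the user's clearance."""
    return min(user.access, computer)


def can_read(user: Clearance, computer: Level, info: Level) -> bool:
    return info <= effective_access(user, computer)


def can_send(user: Clearance, computer: Level, info: Level) -> bool:
    return can_read(user, computer, info) and info <= user.network


def can_copy(user: Clearance, computer: Level, info: Level) -> bool:
    return can_read(user, computer, info) and info <= user.removable


def can_print(user: Clearance, computer: Level, info: Level) -> bool:
    return can_read(user, computer, info) and info <= user.printer


def audit_line(who: str, action: str, info: Level, allowed: bool) -> Optional[str]:
    """Work with public information is not tracked; everything else is logged."""
    if info == Level.PUBLIC:
        return None
    return f"{who} {action} {info.name} -> {'ALLOWED' if allowed else 'DENIED'}"


P, S, T = Level.PUBLIC, Level.SECRET, Level.TOP_SECRET

# Step 2 table from the post (access, network, removable media, printer).
STAFF = {
    "director": Clearance(S, S, S, S),
    "manager": Clearance(S, P, P, S),
    "personnel officer": Clearance(S, P, P, S),
    "accountant": Clearance(S, P, S, S),
    "secretary": Clearance(P, P, P, P),
}


def decisions(who: str, computer: Level, info: Level) -> dict:
    """Every decision for one employee, workstation and piece of information."""
    u = STAFF[who]
    return {
        "read": can_read(u, computer, info),
        "send": can_send(u, computer, info),
        "copy": can_copy(u, computer, info),
        "print": can_print(u, computer, info),
    }


if __name__ == "__main__":
    # the worked example from the post: top secret access, secret network,
    # public removable media, top secret printer, on a top secret workstation
    e = Clearance(T, S, P, T)
    print(can_read(e, T, T), can_send(e, T, T), can_copy(e, T, S), can_print(e, T, T))
    print(decisions("accountant", S, S))
```

Running `decisions("accountant", S, S)` shows why the table gives the accountant a secret removable-media level but a public network level: secret information can be carried out on media but never sent over the network, while the secretary, cleared only for public, cannot touch secret information at all.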

Thus, with the help of SecrecyKeeper, it is possible to significantly reduce the risk of unauthorized dissemination of classified information - both leakage and theft.

Flaws:
- difficulty of the initial setup of secrecy levels for local files;

General conclusion:
maximum opportunities for protecting information from insiders are provided by software that has the ability to dynamically regulate access to information transmission channels, depending on the degree of secrecy of the information being worked with and the employee’s security clearance level.


Recently, the problem of protection against internal threats has become a real challenge to the understandable and established world of corporate information security. The press talks about insiders, researchers and analysts warn about possible losses and troubles, and news feeds are full of reports about yet another incident that led to the leakage of hundreds of thousands of customer records due to an error or carelessness of an employee. Let's try to figure out whether this problem is so serious, whether it needs to be dealt with, and what available tools and technologies exist to solve it.

First of all, it is worth determining that a threat to data confidentiality is internal if its source is an employee of the enterprise or some other person who has legal access to this data. Thus, when we talk about insider threats, we are talking about any possible actions legal users, intentional or accidental, which can lead to the leakage of confidential information outside the corporate network of the enterprise. To complete the picture, it is worth adding that such users are often called insiders, although this term has other meanings.

The relevance of the problem of internal threats is confirmed by the results of recent studies. In particular, in October 2008 the results of a joint study by Compuware and the Ponemon Institute were announced, according to which insiders are the most common cause of data leaks (75% of incidents in the United States), while hackers were only in fifth place. In the 2008 annual study by the Computer Security Institute (CSI), the figures for the number of insider threat incidents are as follows:

The number of incidents as a percentage means that this type of incident occurred in the specified percentage of the responding organizations. As can be seen from these figures, almost every organization is at risk of suffering from internal threats. By comparison, according to the same report, viruses affected 50% of the organizations surveyed, and only 13% encountered hackers penetrating the local network.

Thus, internal threats are the reality of today, not a myth invented by analysts and vendors. So those who, in the old-fashioned way, believe that corporate information security means a firewall and an antivirus need to take a broader look at the problem as soon as possible.

The law “On Personal Data” is also increasing the degree of tension, according to which organizations and officials will have to answer not only to their management, but also to their clients and the law for improper handling of personal data.

Intruder model

Traditionally, when considering threats and defenses against them, one should start with an analysis of the adversary model. As already mentioned, we will talk about insiders - employees of the organization and other users who have legal access to confidential information. As a rule, with these words, everyone thinks of an office employee working on a computer as part of a corporate network, who does not leave the organization’s office while working. However, such a representation is incomplete. It is necessary to expand it to include other types of persons with legal access to information who can leave the organization’s office. These could be business travelers with laptops, or those working both in the office and at home, couriers transporting media with information, primarily magnetic tapes with a backup copy, etc.

Such an expanded view of the intruder model, firstly, fits the concept, since the threats posed by these intruders are also internal, and secondly, allows the problem to be analyzed more broadly, considering all possible ways to combat these threats.

The following main types of internal violators can be distinguished:

  • Disloyal/resentful employee. Violators in this category may act purposefully, for example when changing jobs and wanting to grab confidential information in order to interest a new employer, or emotionally, if they consider themselves offended and want to take revenge. They are dangerous because they are the most motivated to cause damage to the organization in which they currently work. As a rule, the number of incidents involving disloyal employees is small, but it can increase in situations of unfavorable economic conditions and massive staff reductions.
  • An infiltrated, bribed or manipulated employee. In this case we are talking about purposeful actions, usually for the purpose of industrial espionage in conditions of intense competition. To collect confidential information, competitors either plant their own person in the target company for a specific purpose, or find a less than loyal employee and bribe him, or induce a loyal but careless employee to hand over confidential information through social engineering. The number of incidents of this kind is usually even smaller than in the previous category, because in most segments of the economy of the Russian Federation competition is not very developed or is conducted in other ways.
  • Negligent employee. This type of violator is a loyal but inattentive or negligent employee who may violate the enterprise's internal security policy through ignorance or forgetfulness. Such an employee might mistakenly send an email with a sensitive file attached to the wrong person, or take home a flash drive with confidential information to work on over the weekend and lose it. This type also includes employees who lose laptops and magnetic tapes. According to many experts, this type of insider is responsible for the majority of leaks of confidential information.

Thus, the motives, and, consequently, the course of action of potential violators may differ significantly. Depending on this, you should approach the task of ensuring the internal security of the organization.

Technologies for protecting against insider threats

Despite the relative youth of this market segment, clients already have plenty to choose from depending on their goals and financial capabilities. It is worth noting that there are now practically no vendors on the market who specialize exclusively in internal threats. This situation has arisen not only because of the immaturity of the segment, but also because of the aggressive and sometimes chaotic policy of mergers and acquisitions carried out by manufacturers of traditional security products and other vendors interested in a presence in this segment. It is worth recalling RSA Data Security, which became a division of EMC in 2006, NetApp's purchase in 2005 of the startup Decru, which developed protection systems for server storage and backups, Symantec's purchase of the DLP vendor Vontu in 2007, etc.

Although the large number of such transactions indicates good prospects for the development of this segment, they do not always benefit the quality of the products that come under the wing of large corporations. Products begin to develop more slowly, and developers do not respond to market demands as quickly as a highly specialized company would. This is a well-known disease of large companies, which, as we know, lose in mobility and efficiency to their smaller brothers. On the other hand, the quality of service and the availability of products for customers in different parts of the world improve thanks to the development of their service and sales networks.

Let's consider the main technologies currently used to neutralize internal threats, their advantages and disadvantages.

Document control

Document control technology is embodied in modern rights management products, such as Microsoft Windows Rights Management Services, Adobe LiveCycle Rights Management ES and Oracle Information Rights Management.

The operating principle of these systems is to assign usage rules to each document and to enforce these rights in the applications that work with documents of these types. For example, you can create a Microsoft Word document and set rules for it: who can view it, who can edit and save changes, and who can print. These rules are called a license in Windows RMS terms and are stored with the file. The contents of the file are encrypted to prevent unauthorized users from viewing it.

Now, if any user tries to open such a protected file, the application contacts a special RMS server, confirms the user's permissions, and, if access to this user is allowed, the server passes the key to the application to decrypt this file and information about the rights of this user. Based on this information, the application makes available to the user only those functions for which he has rights. For example, if a user is not allowed to print a file, the application's print feature will not be available.

It turns out that the information in such a file is safe even if the file gets outside the corporate network, because it is encrypted. RMS functionality is already built into the Microsoft Office 2003 Professional Edition applications. To embed RMS functionality into applications from other developers, Microsoft offers a special SDK.
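The exchange described in the last three paragraphs, as an added example that is not Microsoft's, Adobe's or Oracle's code: the server is the only holder of content keys, a protected file carries the ciphertext plus a license listing each user's rights, and an RMS-aware application asks the server for the key and rights and then exposes only the allowed operations. The cipher is a SHA-256 counter-mode keystream used only to keep the example self-contained (real products use AES); the users, rights and document text are constructed.

```python
"""Added example (not Microsoft's, Adobe's or Oracle's code): a toy model
of the document-control flow. The server is the only holder of content
keys; a protected file carries the ciphertext and a license listing each
user's rights; an RMS-aware application asks the server for the key and
rights and exposes only the allowed operations. The cipher is a SHA-256
counter-mode keystream used only to keep the example self-contained
(real products use AES). Users, rights and document text are constructed."""
import hashlib
import os
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Set, Tuple


def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256(key || counter) blocks XORed over data."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class ProtectedFile:
    doc_id: str
    ciphertext: bytes
    license: Dict[str, Set[str]]  # user -> rights; travels with the file, holds no key


class LicenseServer:
    """Stand-in for the RMS server: keeps the content keys and checks rights."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def publish(self, doc_id: str, text: str, rights: Dict[str, Set[str]]) -> ProtectedFile:
        key = os.urandom(32)
        self._keys[doc_id] = key  # the key stays on the server
        return ProtectedFile(doc_id, xor_keystream(key, text.encode()),
                             {u: set(r) for u, r in rights.items()})

    def use_license(self, user: str, pf: ProtectedFile) -> Optional[Tuple[bytes, FrozenSet[str]]]:
        """Release the key and the user's rights only to users named in the license."""
        rights = pf.license.get(user)
        if not rights:
            return None
        return self._keys[pf.doc_id], frozenset(rights)


class Viewer:
    """Stand-in for an RMS-aware application that enforces the returned rights."""

    def __init__(self, server: LicenseServer, user: str) -> None:
        self.server, self.user = server, user
        self.text: Optional[str] = None
        self.rights: FrozenSet[str] = frozenset()

    def open(self, pf: ProtectedFile) -> str:
        resp = self.server.use_license(self.user, pf)
        if resp is None:
            raise PermissionError(f"{self.user} has no rights to {pf.doc_id}")
        key, self.rights = resp
        self.text = xor_keystream(key, pf.ciphertext).decode()
        return self.text

    def print_document(self) -> Optional[str]:
        if "print" not in self.rights:
            raise PermissionError("print right not granted")
        return self.text

    def save_edit(self, new_text: str) -> str:
        if "edit" not in self.rights:
            raise PermissionError("edit right not granted")
        self.text = new_text
        return self.text


def allowed(action: Callable[[], object]) -> bool:
    """Run a viewer action and report whether its rights check passed."""
    try:
        action()
        return True
    except PermissionError:
        return False
```

Note that the file itself never contains the key: a user absent from the license gets nothing back from the server, and a user with view-only rights gets the key but an application that honours the rights will not print or save. This is also why the limitation described later matters: the enforcement of "view only" happens in the application, not in the cryptography.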

Adobe's document control system is built in a similar way, but is focused on documents in PDF format. Oracle IRM is installed on client computers as an agent and integrates with applications at runtime.

Document control is an important part of the overall concept of insider threat protection, but the inherent limitations of this technology must be taken into account. Firstly, it is designed exclusively for monitoring document files. If we are talking about unstructured files or databases, this technology does not work. Secondly, if an attacker, using the SDK of this system, creates a simple application that will communicate with the RMS server, receive an encryption key from there and save the document in clear text, and launches this application on behalf of a user who has a minimum level of access to the document, then this system will be bypassed. In addition, one should take into account the difficulties when implementing a document control system if the organization has already created many documents - the task of initially classifying documents and assigning rights to use them may require significant effort.

This does not mean that document control systems do not fulfill the task, we just need to remember that information security is a complex problem, and, as a rule, it is not possible to solve it with the help of just one tool.

Leak protection

The term data loss prevention (DLP) appeared in the vocabulary of information security specialists relatively recently, and has already become, without exaggeration, the hottest topic of recent years. As a rule, the abbreviation DLP refers to systems that monitor possible leak channels and block them if an attempt is made to send confidential information through these channels. In addition, the functions of such systems often include the ability to archive the information passing through them for subsequent audits, incident investigations and retrospective analysis of potential risks.

There are two types of DLP systems: network DLP and host DLP.

Network DLP systems work on the principle of a network gateway that filters all data passing through it. Obviously, given the task of combating internal threats, the main interest of such filtering lies in the ability to control data transmitted outside the corporate network to the Internet. Network DLPs allow you to monitor outgoing mail, HTTP and FTP traffic, instant messaging services, etc. If sensitive information is detected, network DLPs can block the transmitted file. There are also options for manual processing of suspicious files: they are placed in quarantine, which is periodically reviewed by a security officer who either allows or denies the transfer. However, due to the nature of the protocol, such processing is only possible for email. Additional opportunities for auditing and incident investigation are provided by archiving all information passing through the gateway, provided that this archive is periodically reviewed and its contents analyzed in order to identify leaks that have occurred.

One of the main problems in the implementation and operation of DLP systems is the method of detecting confidential information, that is, the moment of deciding whether the transmitted information is confidential and the grounds on which that decision is made. As a rule, this is done by analyzing the content of the transferred documents, also called content analysis. Let's consider the main approaches to detecting confidential information.

  • Tags. This method is similar to the document control systems discussed above. Labels are embedded in documents that describe the degree of confidentiality of the information, what can be done with the document, and to whom it may be sent. Based on the results of the tag analysis, the DLP system decides whether the document may be sent outside or not. Some DLP systems are made compatible with rights management systems from the outset, to use the labels that these systems set; other systems use their own label format.
  • Signatures. This method consists of specifying one or more sequences of characters, the presence of which in the text of the transferred file should tell the DLP system that this file contains confidential information. A large number of signatures can be organized into dictionaries.
  • Bayes method. This method, used to combat spam, can also be successfully used in DLP systems. To apply this method, a list of categories is created, and a list of words is indicated with the probabilities that if the word occurs in a file, then the file with a given probability belongs or does not belong to the specified category.
  • Morphological analysis.The method of morphological analysis is similar to the signature one, the difference is that not 100% match with the signature is analyzed, but similar root words are also taken into account.
  • Digital prints.The essence of this method is that a hash function is calculated for all confidential documents in such a way that if the document is slightly changed, the hash function will remain the same or also change slightly. Thus, the process of detecting confidential documents is greatly simplified. Despite the enthusiastic praises of this technology from many vendors and some analysts, its reliability leaves much to be desired, and given the fact that vendors, under various pretexts, prefer to leave details of the implementation of the digital fingerprint algorithm in the shadows, trust in it does not increase.
  • Regular expressions.Known to everyone who has dealt with programming, regular expressions make it easy to find template data in text, such as phone numbers, passport information, bank account numbers, social security numbers, etc.
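The signature, regular-expression and fingerprint detectors above, as an added example that is not from the article: a small Python classifier that checks an outgoing text against a constructed signature dictionary, a constructed card-number pattern, and a fingerprint of a constructed reference document. The fingerprint scheme (hashing every k-word window and comparing the resulting sets) is one common way to obtain the "changes only slightly" property; it is an assumption here, since the page does not describe any vendor's actual algorithm.

```python
import hashlib
import re

# Constructed sample inputs (not from the article): a small signature
# dictionary, one regex pattern and one reference document to fingerprint.
SIGNATURE_DICTIONARY = {"CONFIDENTIAL", "Project Falcon"}
PATTERNS = {"card_number": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")}
REFERENCE_DOC = ("Project Falcon budget: the merger closes in Q3, the offer "
                 "price is 14.2 per share, board approval pending.")


def shingle_fingerprint(text: str, k: int = 4) -> set:
    """Fingerprint = set of hashes of every k-word window (shingle). An edit
    only disturbs the shingles that overlap it, so a near-duplicate keeps most
    of the fingerprint; a plain SHA-256 of the file would change completely."""
    words = re.findall(r"\w+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(len(words) - k + 1)}


def similarity(fp_a: set, fp_b: set) -> float:
    """Jaccard similarity of two fingerprints: 0.0 (disjoint) to 1.0 (equal)."""
    if not fp_a and not fp_b:
        return 1.0
    return len(fp_a & fp_b) / len(fp_a | fp_b)


def classify(text: str, reference_fp: set, threshold: float = 0.5) -> dict:
    """Run the three detectors on an outgoing text and report which fired."""
    report = {
        "signatures": sorted(s for s in SIGNATURE_DICTIONARY if s in text),
        "patterns": sorted(n for n, p in PATTERNS.items() if p.search(text)),
        "fingerprint_similarity": round(
            similarity(shingle_fingerprint(text), reference_fp), 2),
    }
    report["confidential"] = bool(report["signatures"] or report["patterns"]
                                  or report["fingerprint_similarity"] >= threshold)
    return report


REFERENCE_FP = shingle_fingerprint(REFERENCE_DOC)

if __name__ == "__main__":
    # Lightly edited copy: no signature, no pattern, but the fingerprint still
    # matches strongly (similarity 0.72 with these sample texts).
    edited = ("Budget update: the merger closes in Q3, the offer price is "
              "14.2 per share, board approval pending.")
    print(classify(edited, REFERENCE_FP))
    print(classify("Card on file: 4111 1111 1111 1111", REFERENCE_FP))
```

The threshold is where the false-positive/false-negative trade-off discussed below lives: lowering it catches more paraphrased copies at the cost of flagging unrelated texts that share a few phrases.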

From the above list it is easy to see that the detection methods either do not guarantee 100% identification of confidential information, since their rate of both false positives and false negatives (errors of the first and second kind) is quite high, or require constant vigilance from the security service to update and maintain the list of signatures or the labels assigned to confidential documents.

In addition, traffic encryption can create a certain problem for the operation of network DLP. If security requirements mandate encrypting email messages or using SSL when connecting to certain web resources, determining whether the transferred files contain confidential information can become very difficult. Don't forget that some instant messaging services, such as Skype, have encryption built in by default. You will have to either refuse to use such services or use host DLP to control them.

However, despite all the difficulties, when correctly configured and taken seriously, network DLP can significantly reduce the risk of confidential information leakage and provide an organization with a convenient means of internal control.

Host DLPs are installed on each host on the network (on client workstations and, if necessary, on servers) and can also be used to control Internet traffic. However, host-based DLPs are less widespread in this capacity and are currently used mainly for controlling external devices and printers. As you know, an employee who brings a flash drive or an MP3 player to work poses a much greater threat to the information security of an enterprise than all hackers combined. These systems are also called endpoint security tools, although this term is often used more broadly; for example, antivirus products are sometimes called this way too.

As you know, the problem of using external devices can be solved without any special tools: by disabling the ports, either physically or in the operating system, or administratively, by prohibiting employees from bringing any storage media into the office. However, in most cases this “cheap and cheerful” approach is unacceptable, since it does not provide the flexibility of information services that business processes require.

Because of this, there is a certain demand for special tools with which the use of external devices and printers by company employees can be managed more flexibly. Such tools allow you to configure users' access rights to various types of devices, for example, to prohibit one group of users from working with removable media while allowing them to print, and to allow another group to work with media in read-only mode. If individual users need to write information to external devices, shadow copy technology can be used, which ensures that everything saved to an external device is also copied to a server. The copied information can later be examined to analyze user actions. This technology copies everything; currently there are no systems that perform content analysis of the stored files in order to block the operation and prevent the leak, as network DLPs do. However, an archive of shadow copies supports incident investigation and retrospective analysis of events on the network, and the existence of such an archive means that a potential insider can be caught and punished for their actions. This may turn out to be a significant obstacle for them and a serious reason to abandon hostile actions.

It is also worth mentioning control over the use of printers, since hard copies of documents can also become a source of leakage. Host DLP allows you to control user access to printers in the same way as other external devices and to store copies of printed documents in graphic format for subsequent analysis. In addition, watermarking technology has become somewhat widespread: it prints a unique code on each page of a document, from which it is possible to determine exactly who printed the document, when and where.

Despite the undoubted advantages of host-based DLP, it has a number of disadvantages associated with the need to install agent software on every computer that is to be monitored. Firstly, this can cause certain difficulties in deploying and managing such systems. Secondly, a user with administrator rights may try to disable this software in order to perform actions not permitted by the security policy.

However, for reliable control of external devices, host-based DLP is indispensable, and the problems mentioned are not unsolvable. Thus we can conclude that the DLP concept is now a full-fledged tool in the arsenal of corporate security services, which face ever-increasing pressure to ensure internal control and protection against leaks.

IPC concept

Scientific and engineering thought does not stand still in inventing new means of combating internal threats, and, taking into account certain shortcomings of the means discussed above, the market for information leak protection systems has arrived at the concept of IPC (Information Protection and Control). This term appeared relatively recently; it is believed to have been first used in a review by the analyst firm IDC in 2007.

The essence of this concept is to combine DLP and encryption methods. DLP controls information leaving the corporate network via technical channels, while encryption protects storage media that physically falls, or may fall, into the hands of unauthorized persons.

Let's look at the most common encryption technologies that can be used in the IPC concept.

  • Encryption of magnetic tapes. Despite the archaic nature of this type of media, it continues to be actively used for backups and for transferring large volumes of information, since it still has no equal in terms of the cost per stored megabyte. Accordingly, tape leaks continue to delight the newswire editors who put them on the front page, and to frustrate the CIOs and security teams of the enterprises who become the heroes of such reports. The situation is aggravated by the fact that such tapes contain very large amounts of data, and therefore a large number of people can become victims of fraudsters.
  • Encryption of server storage. Although server storage is very rarely transported, and the risk of its loss is immeasurably lower than that of magnetic tape, an individual hard drive from a storage system may still fall into the hands of criminals. Repair, disposal, upgrade: these events occur regularly enough that this risk cannot be written off. And unauthorized persons entering the office is not a completely impossible event either.

Here it is worth making a small digression and mentioning the common misconception that if a disk is part of a RAID array, then, supposedly, you don't have to worry about it falling into the wrong hands. It would seem that the interleaving of written data across several hard drives, which RAID controllers perform, leaves the data located on any one drive unreadable. Unfortunately, this is not entirely true. Interleaving does occur, but in most modern devices it is done at the 512-byte block level. This means that, despite the disruption of file structures and formats, confidential information can still be extracted from such a hard drive. Therefore, if there is a requirement to ensure the confidentiality of information stored in a RAID array, encryption remains the only reliable option.

  • Encryption of laptops. This has been said countless times, but the loss of laptops with confidential information has still not dropped out of the top five of the incident hit parade for many years now.
  • Encryption of removable media. In this case we are talking about portable USB devices and, sometimes, recordable CDs and DVDs if they are used in the enterprise's business processes. Such systems, as well as the aforementioned laptop hard drive encryption systems, can often act as components of host DLP systems. In this case one speaks of a kind of cryptographic perimeter, which ensures automatic transparent encryption of media inside it and the inability to decrypt the data outside it.
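The RAID digression above, as an added example that is not from the article: a Python simulation that stripes a constructed volume of small account records across three simulated drives at the 512-byte block size named in the text, then runs a regex scan (the kind of pattern a DLP content filter would use) over each drive image on its own. The record format, the key and the SHA-256 keystream are constructed for the demonstration; the keystream stands in for real volume encryption and is not a cipher to deploy.

```python
import hashlib
import re

STRIPE_BYTES = 512  # the block-level interleave size named in the text
RECORD_RE = rb"ACC-\d{8}"  # constructed "account number" format to scan for


def build_sample_volume(records: int) -> bytes:
    """Constructed sample data: 28-byte customer records, far smaller than a
    stripe, so almost every one lands whole on a single drive."""
    return b"".join(b"ACC-%08d;balance=%06d;" % (n, n * 7) for n in range(records))


def stripe(data: bytes, drives: int, stripe_bytes: int = STRIPE_BYTES) -> list:
    """Deal stripe-sized chunks round-robin across the drives, the way a
    striping RAID controller lays out a volume (parity omitted for brevity)."""
    members = [bytearray() for _ in range(drives)]
    for i in range(0, len(data), stripe_bytes):
        members[(i // stripe_bytes) % drives] += data[i:i + stripe_bytes]
    return [bytes(m) for m in members]


def keystream_encrypt(data: bytes, key: bytes) -> bytes:
    """Toy counter-mode keystream (SHA-256 of key||counter) standing in for
    the volume encryption a real product would apply; illustration only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def recoverable_records(member: bytes) -> list:
    """What a regex scan finds on one detached drive image by itself."""
    return re.findall(RECORD_RE, member)


def leak_report(records: int, drives: int, encrypt: bool = False) -> list:
    """Number of intact account numbers readable from each drive on its own."""
    volume = build_sample_volume(records)
    if encrypt:
        volume = keystream_encrypt(volume, b"constructed-demo-key")
    return [len(recoverable_records(m)) for m in stripe(volume, drives)]


if __name__ == "__main__":
    # Only the two records that straddle a stripe boundary inside their
    # account number are lost; 98 of 100 are readable from single drives.
    print("plain volume, per drive:", leak_report(100, 3))
    print("encrypted volume, per drive:", leak_report(100, 3, encrypt=True))
```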

Thus, encryption can significantly expand the capabilities of DLP systems and reduce the risk of leakage of confidential data. Although the IPC concept took shape relatively recently and the choice of complete IPC solutions on the market is not very wide, the industry is actively exploring this area, and it is quite possible that after some time this concept will become the de facto standard for solving problems of internal security and internal control.

Conclusions

As can be seen from this review, internal threats are a fairly new area of information security which, nevertheless, is actively developing and requires increased attention. The document control technologies, DLP and IPC considered here make it possible to build a fairly reliable internal control system and reduce the risk of leakage to an acceptable level. Without a doubt, this area of information security will continue to develop and newer, more advanced technologies will be offered, but today many organizations are already opting for one solution or another, since carelessness in matters of information security can be too expensive.

Alexey Raevsky
CEO of SecurIT
