Sources of leakage of confidential information. Sources of confidential information (channels of information leakage), threats to the security of confidential information, sources of threats, goals and methods of implementing threats. Planning and technical solutions

Mikhail Bashlykov, Head of Information Security at CROC

At the present stage of development of society, information is the same asset of a company as its products and services, technologies and processes, financial and labor resources. In many companies, most information is stored and processed electronically. Of course, this greatly increases the ease of use and speed of interaction, and also allows you to automate business processes, etc. However, the risks associated with violation of the established status of information (confidentiality, integrity, availability) grow in proportion to the benefits.

Preventing information leakage essentially means ensuring one of the inherent properties of information, its confidentiality. Disclosure of confidential information leads to direct material losses, loss of intellectual property, and a decline in the organization's reputation and in the trust of clients and partners. In addition, the company's risk of financial liability for violating the legal regulations that govern the processing of confidential data increases. In most cases, leaks cannot be prevented and confidentiality risks cannot be reduced by technical means or organizational methods alone; an integrated approach is required. Each information owner must be able to answer the following questions: where is confidential data stored, who has access to it, by whom and how is it used, and where is it moved?

Approaches to choosing solutions and protection technologies

The best technical option for preventing data leakage is the use of DLP (Data Loss/Leakage Prevention) class systems. They control all the most likely leak channels (e-mail, Internet, removable media, printing, instant messaging (IM), etc.), and allow information to be identified using the most modern methods, which ensures the least number of false positives.

Systems of the IRM (Information Rights Management) class are also used to ensure the confidentiality of information. Here protection is applied at the content level: the information itself, for example inside an e-mail or a document, is protected and becomes accessible only to those employees whom the security policy allows to access it.
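As an added illustration of content-level protection (example code written for this article, not any vendor's IRM implementation), the following Python model encrypts the document body once and keeps the content key at a policy service, which releases it only to principals named in the document's access policy; the policy service, document ids and principals are constructed assumptions, and the HMAC-based stream cipher is an illustrative stand-in for a vetted AEAD cipher.

```python
"""IRM-style protection: the document travels encrypted; the key stays with a policy service."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _derive(content_key: bytes, label: bytes) -> bytes:
    # Separate encryption and integrity keys derived from one content key.
    return hashlib.sha256(label + content_key).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: an illustrative stand-in for a vetted
    # AEAD cipher such as AES-GCM, used so the example runs on the standard library only.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


@dataclass(frozen=True)
class ProtectedDocument:
    doc_id: str
    nonce: bytes
    ciphertext: bytes
    tag: bytes          # integrity tag: a modified document is rejected, not decrypted


class PolicyServer:
    """Holds content keys and per-document access policies (constructed stand-in)."""

    def __init__(self):
        self._keys = {}       # doc_id -> content key; never leaves the server
        self._policies = {}   # doc_id -> {principal: set(rights)}
        self.audit = []       # (doc_id, principal, right, outcome)

    def protect(self, doc_id: str, plaintext: bytes, policy: dict) -> ProtectedDocument:
        content_key = secrets.token_bytes(32)
        nonce = secrets.token_bytes(12)
        ciphertext = _xor_stream(_derive(content_key, b"enc"), nonce, plaintext)
        tag = hmac.new(_derive(content_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
        self._keys[doc_id] = content_key
        self._policies[doc_id] = {p: set(r) for p, r in policy.items()}
        return ProtectedDocument(doc_id, nonce, ciphertext, tag)

    def revoke(self, doc_id: str, principal: str) -> None:
        # Takes effect after distribution: copies already sent out become unreadable.
        self._policies.get(doc_id, {}).pop(principal, None)

    def open(self, doc: ProtectedDocument, principal: str, right: str = "view") -> bytes:
        rights = self._policies.get(doc.doc_id, {}).get(principal, set())
        if right not in rights:
            self.audit.append((doc.doc_id, principal, right, "denied"))
            raise PermissionError(f"{principal} lacks '{right}' on {doc.doc_id}")
        content_key = self._keys[doc.doc_id]
        expected = hmac.new(_derive(content_key, b"mac"), doc.nonce + doc.ciphertext,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, doc.tag):
            self.audit.append((doc.doc_id, principal, right, "tampered"))
            raise ValueError(f"{doc.doc_id}: integrity check failed")
        self.audit.append((doc.doc_id, principal, right, "granted"))
        return _xor_stream(_derive(content_key, b"enc"), doc.nonce, doc.ciphertext)


def access_outcome(server: PolicyServer, doc: ProtectedDocument, principal: str,
                   right: str = "view"):
    """Return ('granted', plaintext), ('denied', None) or ('tampered', None)."""
    try:
        return "granted", server.open(doc, principal, right)
    except PermissionError:
        return "denied", None
    except ValueError:
        return "tampered", None


if __name__ == "__main__":
    srv = PolicyServer()
    d = srv.protect("contract-17", b"Supply price: 412 per unit (constructed sample)",
                    {"alice@example.com": ["view"], "bob@example.com": ["view", "print"]})
    print(access_outcome(srv, d, "alice@example.com"))
    print(access_outcome(srv, d, "mallory@example.com"))
```

Because the ciphertext carries no key, forwarding the protected document to an unauthorized mailbox or copying it to removable media exposes nothing, and revoking a principal at the policy service invalidates every copy at once.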

In addition to those listed, there are point solutions for protection against leakage (for example, monitoring only removable media or only mobile devices). They can justify themselves if the company has an acute problem of one or two specific leakage channels. These solutions, as a rule, do not analyze the information itself; protection occurs exclusively at the level of restricting access to certain devices and ports, which is not so convenient and flexible. And in the future, if the need for comprehensive leakage protection arises, the costs associated with the integration of previously implemented solutions for monitoring individual channels will be an unpleasant surprise.

However, we should not forget about other methods that insiders use to disclose confidential information, such as photographing the monitor screen, copying it onto paper, etc. DLP systems, IRM systems and other technical means are powerless here, but organizational measures come to the rescue: employee training, the creation of a corporate information security culture, etc.

DLP class systems

Let's take a closer look at DLP systems. The concept of DLP (Data Loss/Leakage Prevention) appeared quite a long time ago and characterizes systems of this class. Initially it was a marketing name invented by the manufacturers of such systems, so there is some confusion in the terminology: for example, a hard drive encryption system also ensures the confidentiality of stored information, that is, it prevents this information from leaking, but no one calls encryption systems DLP systems. Or, if a mail server can simply filter outgoing letters and decide, depending on the presence of keywords in them, whether to send a letter externally, can such a solution be called a DLP system? I think not.

A modern DLP class system is a technical solution that, together with organizational methods (regulations, guidelines, policies, reporting, employee training), provides comprehensive protection against information leakage. The system has the following main characteristics:

  • controls almost all technical channels of leakage from the information system;
  • has the ability to search for information in the information system (file storage, databases, document management systems, etc.);
  • has a unified management interface with role-based access control capabilities;
  • can respond in real time to emerging incidents and apply automated rules (block, quarantine, notify an information security officer, etc.);
  • has powerful and flexible tools for constructing and presenting reports on emerging incidents;
  • can recognize information in several ways (keywords, fingerprints, file types, etc.).
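As an added illustration (example code written for this article, not any vendor's product), the following Python sketch implements the recognition and response core that these characteristics call for: keyword matching, document fingerprinting by hashed word shingles, file-type recognition by magic bytes, and a rule that maps the result to allow / notify / quarantine / block, with a passive audit mode in which verdicts are only logged. The corporate domain, keyword weights, thresholds and sample messages are constructed assumptions.

```python
"""Content-inspection core of a DLP policy engine (illustrative, not vendor code)."""
import hashlib
import re
from collections import namedtuple
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"      # assumed corporate mail domain (constructed)
KEYWORDS = {"trade secret": 3, "confidential": 2, "passport number": 2}   # weighted dictionary
FILE_SIGNATURES = {b"%PDF-": "pdf", b"PK\x03\x04": "zip/office", b"\xd0\xcf\x11\xe0": "ole/office97"}
EXPECTED_EXT = {"pdf": (".pdf",), "zip/office": (".zip", ".docx", ".xlsx", ".pptx"),
                "ole/office97": (".doc", ".xls", ".ppt")}


def normalize(text: str) -> str:
    return re.sub(r"\s+", " ", text.lower()).strip()


def shingles(text: str, k: int = 5) -> set:
    """Hashes of overlapping k-word windows: a fingerprint that still matches an excerpt."""
    words = normalize(text).split()
    if not words:
        return set()
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
            for i in range(max(1, len(words) - k + 1))}


class FingerprintIndex:
    """Protected documents registered as shingle sets; no plaintext is kept."""

    def __init__(self):
        self._docs = {}

    def register(self, name: str, text: str) -> None:
        self._docs[name] = shingles(text)

    def best_match(self, text: str):
        # Returns (document name, share of the probe's shingles found in that document).
        probe = shingles(text)
        best = (None, 0.0)
        for name, fp in self._docs.items():
            ratio = len(probe & fp) / len(probe) if probe else 0.0
            if ratio > best[1]:
                best = (name, ratio)
        return best


def detect_file_type(data: bytes) -> str:
    # Magic-byte check: recognises the real format regardless of the file name.
    for magic, kind in FILE_SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


@dataclass
class Message:
    channel: str            # "email", "web", "im", "usb", "print"
    sender: str
    recipients: list
    body: str
    attachments: dict = field(default_factory=dict)   # file name -> bytes


# enforced is False in audit mode: the verdict is only logged and the message goes through.
Verdict = namedtuple("Verdict", "action score reasons enforced")


def inspect(msg: Message, index: FingerprintIndex, mode: str = "audit") -> Verdict:
    score, reasons = 0, []
    body = normalize(msg.body)
    for kw, weight in KEYWORDS.items():
        if kw in body:
            score += weight
            reasons.append(f"keyword:{kw}")
    name, ratio = index.best_match(msg.body)
    if ratio >= 0.3:                # at least a third of the message is a protected document
        score += 5
        reasons.append(f"fingerprint:{name}:{ratio:.2f}")
    for fname, data in msg.attachments.items():
        kind = detect_file_type(data)
        if kind != "unknown" and not fname.lower().endswith(EXPECTED_EXT[kind]):
            score += 3               # renamed extension: a classic way to dodge a file-type rule
            reasons.append(f"type-mismatch:{fname}:{kind}")
    # Removable media and printing leave the controlled perimeter by definition.
    external = msg.channel in ("usb", "print") or any(
        not r.lower().endswith("@" + INTERNAL_DOMAIN) for r in msg.recipients)
    if score >= 5 and external:
        action = "block"
    elif score >= 3:
        action = "quarantine"
    elif score >= 1:
        action = "notify"
    else:
        action = "allow"
    return Verdict(action, score, reasons, mode == "enforce" and action != "allow")


# Constructed samples: one registered pricing document, one leak attempt, one harmless chat.
PRICING_DOC = ("Our wholesale price for the K-200 unit is 412 per piece with a 15 percent "
               "dealer margin and a minimum order of 500 units per quarter")
INDEX = FingerprintIndex()
INDEX.register("Q3 pricing model", PRICING_DOC)
LEAK = Message("email", "ivanov@example.com", ["friend@gmail.example"],
               "fyi: our wholesale price for the K-200 unit is 412 per piece with a 15 percent dealer margin",
               {"holiday.jpg": b"PK\x03\x04" + b"\x00" * 16})   # a .docx renamed to .jpg
BENIGN = Message("im", "ivanov@example.com", ["petrov@example.com"], "Lunch at 13:00?")
```

Running `inspect(LEAK, INDEX, mode="audit")` yields a `block` verdict with `enforced=False`, which is exactly the passive-mode record an administrator reviews before switching the same rules to `mode="enforce"`.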

At the moment, there are a sufficient number of manufacturers of DLP systems on the Russian market; the market is relatively young and, despite the crisis, continues to grow. When building a solution to protect against information leakage, we use products from the leaders, Symantec, Websense and RSA, which have proven themselves well and have extensive experience in installations around the world. These manufacturers have a clear product development plan and understand the needs and specifics of the market. The choice of product at the design stage primarily depends on the needs of the customer and the characteristics of its existing infrastructure.

Implementation of a DLP system. CROC's experience and approach

Building a leak prevention system is a complex project that can involve both technical specialists and auditors, as well as representatives of the customer’s business units. In general, the stages of the project can be divided into two components: the organizational part and the technical part.

The organizational part includes the following main stages:

  • audit of the current state of the information system and information flows, possible leakage channels;
  • identification and classification of information assets;
  • identifying the most critical of them from the point of view of ensuring confidentiality (trade secrets, personal data, intellectual property, etc.), determining the role and place of these assets in the company’s business processes, as well as the possible consequences of their disclosure;
  • development of policies for processing protected information assets;
  • development of incident response methods;
  • development of a training program for employees in technologies for working with the system and rules for working with confidential information.

Main stages of the technical part:

  • choosing the product on which the solution will be implemented;
  • system design, development of manuals, instructions and regulations;
  • implementation of the system, integration with the existing IT infrastructure;
  • implementation of developed rules and policies.

Based on the experience of CROC in implementing DLP systems, I can note that the success of the project and the effective return from the implementation of the system largely depend on the following factors:

  • interest of both parties in a quality result, constant interaction and coherence of the project team with representatives of the customer;
  • phased implementation of the system, starting with work in passive mode (auditing incidents only) and later moving to blocking prohibited actions (this approach avoids abruptly disrupting the existing, habitual information-processing routines, even if they are incorrect);
  • experience of the project team in implementing infrastructure solutions (corporate mail, Internet access, etc.), without which integration of the DLP system is simply impossible;
  • experience in conducting information system audits, developing accompanying and reporting documentation;
  • experience in effectively training employees operating the system, as well as training users in working with confidential information.

In conclusion, I would like to add that the implementation of a DLP system in itself is not a panacea or instant protection against all internal threats associated with privacy violations. The current system eliminates almost all possibilities of accidental information leakage (for example, the information is publicly available on a file server, the employee did not know that the information was confidential and tried to send it to a friend). And in combination with such protection methods as information encryption, access control, auditing and monitoring of information security events, organizational and legal methods, it will significantly complicate the deliberate theft of confidential information.

In addition, when concluding a contract between the head of a business company and an employee, it is necessary to include the latter's obligations regarding non-disclosure of trade secrets. Such a document allows the entrepreneur, as owner of the company, to apply various sanctions to employees guilty of leaking confidential information. The most important aspect of protecting a company's trade secrets is the stability of its personnel. If the pool of qualified people changes due to high turnover, the firm's invaluable developments may become freely available to competitors.

Leakage of confidential information  

SECURITY - conditions created by the system that guarantee the prevention of leakage of confidential information, the preservation of the ecosystem and human health, preventing the violation of secrets and sabotage. Security objects can be a country, a region, an ecosystem, a company, a person, etc. The security areas can be military, environmental, economic, informational, technical, etc.  

Leakage of confidential information can occur either through the fault of enterprise employees, or as a result of industrial espionage undertaken by competitors. Imperfect marketing policies also cause the risk of increased competition; mistakes made when choosing sales markets, as well as incomplete or incorrect information about the company’s competitors, lead to more negative consequences for the enterprise.  

Entrepreneurs need to remember that one of the important channels for leaking confidential information is insurance  

Sources and channels of leakage of confidential information  

It is obvious that significant economic damage can be caused as a result of the leakage of confidential information. It is also clear that restricting access to relevant information is an indispensable condition for the normal functioning of a commercial organization. At the same time, access to certain information protected by the enterprise is a condition for the normal functioning of a number of government bodies and institutions carrying out management, law enforcement and control functions.  

According to various data, in the United States about 90% of the failures of small organizations are associated with management inexperience, official incompetence and inconsistency. The degree of risk is greatly influenced by factors such as a lack of professional experience, for example in the field of taxation; poor knowledge of competition and of human relationships when running a joint business; poor organization of work and, above all, of working time and leisure; leakage of confidential information due to the fault of the organization's employees; etc.

Information about facts and signs of crimes, abuse of official position by employees of OJSC TsUP Stroyneft and other enterprises of the Transneft system during contract bidding, leakage of confidential information (in the form of a letter or memo addressed to the director of the Security Service Department) - within 2 working days after obtaining such information.  

We note, however, that the specified paragraphs of the Temporary Rules and the corresponding ones of the Draft Law (Article 19 Responsibility of individual auditors, audit organizations and audited entities) are fraught with a significant increase in the risk of leakage of confidential information of entrepreneurs. Indeed, the range of economic entities (audited entities) subject to compulsory audits, if desired, can be expanded to the maximum and include everyone, including private businessmen, as well as individuals working without forming a legal entity.  

The reader is likely aware of the growing popularity of terms such as espionage, leaks of confidential information, early warning, electronic surveillance, counterintelligence, dealing with insiders, etc. The popularization of the spy vocabulary, although reminiscent of the anxiety and ambivalence of our times, gives some degree of credibility to the opinion,  

Subjects who have unauthorized access to information are called violators. From the point of view of information security, unauthorized access can have the following consequences: leakage of processed confidential information, as well as its distortion or destruction as a result of deliberate disruption of the AIT.  

In general terms, the fact that attackers obtain protected information is called a leak; this, intentionally or not, detaches it from the specifics and gives the phenomenon a purely neutral interpretation, in which only the fact of the leak itself is recorded while its culprit, and the conditions and actions that led to it, appear to be absent. At the same time, a significant part of legislative acts and official materials use terms such as disclosure of, and unauthorized access to, confidential information.

When preparing and implementing acts of purchase and sale, performance of work, provision of services and other transactions, the parties may transfer to each other information constituting a trade secret, accompanying this procedure with a confidentiality clause or drawing up and concluding a separate agreement on the protection of confidential information. In the latter case, in the subject of the agreement, the disclosing party must determine the content of the transmitted information, which is a company secret, and the receiving party must indicate the purpose of obtaining such information and the legal basis for the transfer (purchase agreement, contract agreement, simple partnership agreement, etc.). The receiving party undertakes not to disclose the received information to third parties and to maintain a sufficient degree of secrecy to avoid information leakage through various channels. The parties may provide for special conditions under which the information will not be a trade secret, for example, if the information received is already known to the receiving party, disclosed at the request of an authorized government agency, etc. The very fact of concluding an agreement between the parties is not disclosed.  


Source information always spreads to the external environment. Channels for the dissemination of information are objective in nature, characterized by activity and include: business, management, trade, scientific, regulated communications; information networks; natural technical channels.

An information dissemination channel is a path along which valuable information moves from one source to another, either in an authorized (permitted) mode or by virtue of objective laws (83, p. 48).

The term “leakage of confidential information” is probably not the most euphonious, but it more succinctly reflects the essence of the phenomenon than other terms. It has long been entrenched in the scientific literature and regulatory documents (99, p. 11). Leakage of confidential information constitutes unlawful, i.e. unauthorized release of such information beyond the protected zone of its operation or the established circle of persons who have the right to work with it, if this release led to the receipt of information (familiarization with it) by persons who do not have authorized access to it. Leakage of confidential information means not only its receipt by persons who do not work at the enterprise; unauthorized access to confidential information by persons of a given enterprise also leads to leakage (104, p. 75).

The loss and leakage of confidential documented information is caused by the vulnerability of the information. The vulnerability of information should be understood as the inability of information to withstand destabilizing influences on its own, i.e. influences that violate its established status (94, p. 89). A violation of the status of any documented information consists in a violation of its physical safety (in general, or with a given owner, in full or in part), of its logical structure and content, and of its accessibility to authorized users. A violation of the status of confidential documented information additionally includes a violation of its confidentiality (its closedness to unauthorized persons). The vulnerability of documented information is a collective concept: it does not exist as such but appears in various forms. These include:

  • theft of a storage medium or of the information displayed on it (theft);
  • loss of storage media (loss);
  • unauthorized destruction of a storage medium or of the information displayed on it (destruction);
  • distortion of information (unauthorized change, unauthorized modification, forgery, falsification);
  • blocking of information;
  • disclosure of information (distribution, disclosure).

The term "destruction" is used mainly in relation to information on magnetic media. The existing variants of names: modification, forgery, falsification are not entirely adequate to the term “distortion”; they have nuances, but their essence is the same - unauthorized partial or complete change in the composition of the original information (36, p. 59).

Blocking information here means blocking access to it by authorized users, not by attackers.

Disclosure of information is a form of manifestation of the vulnerability of confidential information only.

One or another form of vulnerability of documented information can be realized as a result of intentional or accidental destabilizing influences, exerted in various ways on the information carrier or on the information itself by sources of influence. Such sources can be people, technical means of processing and transmitting information, means of communication, natural disasters, etc. Methods of destabilizing influence on information are copying (photographing), recording, transmission, removal, infection of information-processing programs with a virus, violation of the technology for processing and storing information, withdrawal (or failure) and disruption of the operating mode of the technical means of processing and transmitting information, physical impact on the information, etc.

The vulnerability of documented information leads or may lead to loss or leakage of information. (97, p.12).

The loss of documented information is caused by theft and loss of storage media, unauthorized destruction of storage media or only the information displayed on them, distortion and blocking of information. The loss can be complete or partial, irreversible or temporary (when information is blocked), but in any case it causes damage to the owner of the information.

Leakage of confidential documented information is caused by its disclosure. As some authors note (77, p. 94; 94, p. 12), in the literature and even in regulatory documents the term "leakage of confidential information" is often replaced by, or identified with, the terms "disclosure of confidential information" and "dissemination of confidential information". From the specialists' point of view this approach is unlawful. Disclosure or dissemination of confidential information means its unauthorized delivery to consumers who have no right of access to it, and such delivery must be carried out by someone, must come from someone. A leak occurs when confidential information is disclosed (distributed without authorization), but is not limited to this. A leak can also result from the loss of a medium of confidential documented information, or from the theft of the medium or of the information displayed on it while the medium remains in the safekeeping of its owner (possessor). This does not mean that a leak necessarily follows. A lost carrier may fall into the wrong hands, or it may be picked up by a garbage truck and destroyed in the manner established for garbage; in the latter case no leakage of confidential information occurs. Nor is the theft of confidential documented information always associated with its receipt by persons who have no access to it. There are many examples where carriers of confidential information were stolen from work colleagues by persons who did have access to that information, in order to "help out" or to harm a colleague; such media were usually destroyed by the persons who stole them. But in any case, the loss and theft of confidential information, even if they do not lead to its leakage, always create a threat of leakage. Therefore, we can say that leakage of confidential information is caused by its disclosure and can result from theft and loss.
The difficulty lies in the fact that it is often impossible to establish, firstly, the very fact of disclosure or theft of confidential information while the information carrier remains in the safekeeping of its owner (possessor), and secondly, whether the information reached unauthorized persons as a result of theft or of loss.

The owner of a trade secret is an individual or legal entity who legally possesses information constituting a trade secret and the corresponding rights in full (91, p. 123).

Information that constitutes a trade secret does not exist on its own. It is displayed in various media that can save, accumulate, and transmit it. With their help, information is also used. (8; 91, p.123)

An information carrier is an individual or a material object, including a physical field, in which information is reflected in the form of symbols, images, signals, technical solutions and processes (8; 68, p. 37).

From this definition it follows, firstly, that material objects are not only what can be seen or touched but also physical fields and the human brain, and secondly, that information in media is displayed not only by symbols, i.e. letters, numbers and signs, but also by images in the form of pictures, drawings, diagrams and other iconic models, by signals in physical fields, by technical solutions in products, and by technical processes in product-manufacturing technology (39, p. 65).

The types of material objects that serve as information carriers are varied. They can be magnetic tapes, magnetic and laser disks, photo, film, video and audio tapes, various types of industrial products, technological processes, etc. But the most widespread type is paper-based media (46, p. 11). The information in them is recorded by handwritten, typewritten, electronic or typographical means in the form of text, drawing, diagram, picture, formula, graph, map, etc. In these media, information is displayed in the form of symbols and images. Under the Federal Law "On Information..." (8), such information is classified as documented information and takes the form of various types of documents.

Recently, there have been significant adjustments to the forms and means of obtaining confidential information through informal means. Of course, this mainly concerns the impact on a person as a carrier of confidential information.

A person as an object of influence is more susceptible to informal influences than technical means and other carriers of confidential information, due to a certain legal vulnerability at the current moment, individual human weaknesses and life circumstances (64, p. 82).

Such informal influence is, as a rule, hidden, illegal in nature and can be carried out either individually or by a group of people.

The following types of information leakage channels are possible for a person who is a carrier of confidential information: speech channel, physical channel and technical channel.

Speech channel of leakage - information is transmitted from the owner of confidential information through words personally to the object interested in receiving this information (29).

Physical channel of leakage - information is transmitted from the owner of confidential information (carrier) through paper, electronic, magnetic (encrypted or open) or other means to an object interested in receiving this information (36, p. 62).

Technical leakage channel - information is transmitted through technical means (29).

Forms of influence on a person who is a carrier of protected information can be open and hidden (33).

Open influence on the owner (carrier) of confidential information for receipt by the interested object implies direct contact (101, p. 256).

The hidden influence on the owner (carrier) of confidential information for its receipt by the interested object is carried out indirectly (101, p. 256).

The means of informal influence of the owner (carrier) of confidential information to obtain certain information from him through an open speech channel are a person or a group of people who interact through: promises of something, requests, suggestions (107, p. 12).

As a result, the owner (carrier) of confidential information is forced to change his behavior, his official obligations and transfer the required information (91, p. 239).

Hidden influence through the speech channel on the owner (carrier) of confidential information is carried out through indirect coercion - blackmail through a third party, unintentional or intentional eavesdropping, etc.

The mentioned means of influence ultimately accustom the owner (carrier) of confidential information to tolerating the influences exerted on him (85, p. 220).

Forms of influence on the owner (carrier) of confidential information through a physical leak channel can also be open and hidden.

Open influence is carried out through force: physical intimidation (beatings), or force with a fatal outcome after the information has been received (95, p. 78).

The hidden impact is more subtle and draws on a wider range of means. It can be represented by the following structure of influence (95, p. 79): the interested object acts on the interests and needs of the carrier of confidential information.

Consequently, the interested object acts covertly (indirectly) on the interests and needs of the person who owns the confidential information.

Such hidden influence can be based on fear, blackmail, manipulation of facts, bribery, intimacy, corruption, persuasion, provision of services, or assurances about the future of the person who is a carrier of confidential information (94, p. 87).

The form of influence on the owner (carrier) of confidential information through technical channels can also be open or hidden.

Open (direct) means - fax, telephone (including mobile systems), Internet, radio communications, telecommunications, media.

Hidden means include: listening using technical means, viewing from a display screen and other means of displaying it, unauthorized access to a personal computer and software and hardware.

All considered means of influence, regardless of their forms, have an informal impact on the person who is the carrier of confidential information, and are associated with illegal and criminal methods of obtaining confidential information (72).

The possibility of manipulating the individual characteristics of the owner (carrier) of confidential information with his social needs in order to obtain it must be taken into account when placing, selecting personnel and implementing personnel policies when organizing work with confidential information.

You should always remember that documenting information (recording it on any tangible medium) increases the risk of information leakage. A material medium is always easier to steal, and there is a high probability that the required information will not be distorted, as happens when information is disclosed orally.

Threats to the safety, integrity and secrecy (confidentiality) of restricted-access information are realized in practice through the risk that channels form for an attacker's unauthorized receipt (extraction) of valuable information and documents. These channels are the set of directions of possible information leakage that the organization leaves unprotected or weakly protected and that an attacker uses to obtain the required information through deliberate, illegal access to protected information.

Each specific enterprise has its own set of channels for unauthorized access to information; in this case, ideal companies do not exist.

This depends on many factors: the volume of protected information; the types of protected information (constituting a state secret, or some other secret: official, commercial, banking, etc.); the professional level of personnel; the location of buildings and premises; etc.

The functioning of channels for unauthorized access to information necessarily entails information leakage, as well as the disappearance of its carrier.

If we are talking about information leakage due to the fault of personnel, the term “disclosure of information” is used. A person can disclose information orally, in writing, by obtaining information using technical means (copiers, scanners, etc.), using gestures, facial expressions, and conventional signals. And transmit it personally, through intermediaries, through communication channels, etc. (56, p.458).

Leakage (disclosure) of information is characterized by two conditions:

1. Information goes directly to the person interested in it, the attacker;

2. Information passes to a random third party.

Here a third party is understood as any outsider who has received information due to circumstances beyond that person's control or to the irresponsibility of personnel, who has no right to possess the information and, most importantly, is not interested in it (37, p. 5). However, information can easily pass from a third party to an attacker. In this case the third party, through circumstances set up by the attacker, acts as a "blotter" for intercepting the required information.

The transfer of information to a third party seems to be a fairly common occurrence, and it can be called unintentional, spontaneous, although the fact of disclosure of information does occur.

Unintentional transfer of information to a third party occurs as a result of:

1. Loss or improper destruction of a document on any medium, a package of documents, a file, confidential records;

2. Ignoring or deliberate failure by the employee to comply with the requirements for the protection of documented information;

3. Excessive talkativeness of workers in the absence of an intruder - with work colleagues, relatives, friends, other persons in public places: cafes, transport, etc. (recently this has become noticeable with the spread of mobile communications);

4. Working with the organization's restricted-access documented information in the presence of unauthorized persons, or transferring it without authorization to another employee;

5. Use of information with limited access in open documents, publications, interviews, personal notes, diaries, etc.;

6. Absence of secrecy (confidentiality) stamps on information on documents, markings with the corresponding stamps on technical media;

7. The presence in the texts of open documents of unnecessary information with limited access;

8. Unauthorized copying (scanning) of documents, including electronic ones, by an employee for official or collection purposes.

Unlike a third party, an attacker or his accomplice purposefully obtains specific information and deliberately, illegally establishes contact with the source of this information or transforms the channels of its objective dissemination into channels of its disclosure or leakage.

Organizational channels of information leakage are distinguished by a wide variety of types and are based on the establishment of various, including legal, relationships between the attacker and the enterprise or employees of the enterprise for subsequent unauthorized access to the information of interest.

The main types of organizational channels can be:

1. An attacker is hired by an enterprise, usually in a technical or support position (computer operator, forwarder, courier, cleaner, janitor, security guard, driver, etc.);

2. Participation in the work of the enterprise as a partner, intermediary, client, use of various fraudulent methods;

3. The attacker finds an accomplice (a volunteer helper) among the organization’s employees;

4. The establishment by the attacker of a trusting relationship with an employee of the organization (for common interests, up to joint drinking and love relationships) or a regular visitor, an employee of another organization who has information of interest to the attacker;

5. Use of the organization’s communication links - participation in negotiations, meetings, exhibitions, presentations, correspondence, including electronic correspondence, with the organization or its specific employees, etc.;

6. Using erroneous actions of personnel or deliberately provoking these actions by an attacker;

7. Covert or fictitious entry into enterprise buildings and premises, criminal or forcible access to information, that is, theft of documents, floppy disks, hard drives or entire computers, inducement of individual employees to cooperate through bribery or blackmail, creation of extreme situations, etc.;

8. Obtaining the necessary information from a third (random) person.

Organizational channels are selected or formed by the attacker individually in accordance with his professional skills and specific situation, and it is extremely difficult to predict them. Detection of organizational channels requires serious search and analytical work (75, p. 32).

Wide possibilities for unauthorized receipt of information with limited access are created by the technical support of the organization’s financial document flow technologies. Any managerial and financial activity is always associated with the discussion of information in offices or via communication lines and channels (conducting video and conference calls), carrying out calculations and analyzing situations on computers, producing and reproducing documents, etc.

Technical channels of information leakage arise when special technical means of industrial espionage are used, which make it possible to obtain protected information without direct contact with the organization’s personnel, documents, files and databases (59, p. 58).

A technical channel is a physical path along which information leaks from a source, or from a channel of its objective dissemination, to an attacker. The channel arises when an attacker analyzes the physical fields and emissions that appear during the operation of computers and other office equipment and intercepts information that has an acoustic, visual or other form of representation. The main technical channels are acoustic, visual-optical, electromagnetic, etc. These channels are predictable, standard in nature, and are blocked by standard countermeasures, for example those prescribed by GOST RV 50600-93, “Protection of classified information from technical intelligence. Document system. General provisions” (26).

It is common and professionally competent to creatively combine both types of channels in an attacker’s actions, for example, establishing a trusting relationship with an organization’s employees and intercepting information through technical channels with the help of this employee.

There can be many variants and combinations of channels, so the risk of losing information is always quite high. Faced with an effective information security system, the attacker defeats individual elements of protection and forms the channel he needs for obtaining information (64, p. 80).

In order to implement the assigned tasks, the attacker determines not only the channels of unauthorized access to the organization’s information, but also a set of methods for obtaining this information.

In order to protect information at the proper level, it is necessary to “know the enemy” and the methods used to obtain information.

Legal methods (61, p. 74) fall under the notion of “business intelligence”; they are legally safe and, as a rule, are what first gives rise to interest in an organization, after which it may become necessary to use unauthorized access channels to obtain the required information. The basis of such “intelligence” is painstaking analytical work by attackers and by competitors’ expert specialists on the organization’s published and publicly available materials: its activities and services, advertising publications, information gathered in official and informal conversations and negotiations with the enterprise’s employees, materials from press conferences, company and service presentations, scientific symposia and seminars, and information obtained from information networks, including the Internet. Legal methods give the attacker the bulk of the information of interest and allow him to determine what is still missing and must be obtained by illegal methods, and what no longer needs to be obtained at all because careful analysis of open information has already revealed it.

Illegal methods are used to gain access to protected information that cannot be obtained by legal means. They rest on the attacker’s search for the most effective unprotected organizational and technical channels of unauthorized access to information that exist in the organization under the specific conditions, on the formation of such channels where none exist, and on carrying out a plan for their practical use.

Illegal methods include theft, deliberate deception, eavesdropping on conversations, forgery of identity documents, bribery, blackmail, staging or provoking extreme situations, the use of various criminal techniques, etc. In the course of applying illegal methods an agent channel for obtaining valuable financial information is often formed. Illegal methods also include interception of information that is objectively disseminated through technical channels, visual surveillance of buildings, premises and personnel, analysis of objects bearing traces of protected information, analysis of the architectural features of protected facilities, and analysis of paper waste removed from the enterprise (50, p. 32).

Thus, a leak of restricted information can occur:

1. If organizations, individuals or competitors are interested in the specific information;

2. If a threat arises, whether organized by an attacker or through accidental circumstances;

3. If conditions exist that allow the attacker to carry out the necessary actions and obtain the information (71, p. 47).

These conditions may include:

1. Lack of systematic analytical and control work to identify and study threats and channels of information leakage, the degree of risk of violations of the organization’s information security;

2. Ineffective, poorly organized company information security system or the absence of this system;

3. Unprofessionally organized technology of closed (confidential) financial document flow, including electronic, and record keeping of documented information with limited access;

4. Disorganized selection of personnel and staff turnover, difficult psychological climate in the team;

5. Lack of a system for training employees in the rules of working with documented information with limited access;

6. Lack of control on the part of the enterprise management over compliance by personnel with the requirements of regulatory documents for working with documented information with limited access;

7. Uncontrolled visits to the organization’s premises by unauthorized persons. (50, p.33).

Channels of unauthorized access and information leakage are of two types, organizational and technical, and are exploited by legal and illegal methods (63, p. 39).

Thus, obtaining restricted documents or information may be an isolated event or a regular process over a relatively long period of time.

Therefore, any information resources of an organization are a very vulnerable category, and if an attacker shows interest in them, the danger of their leakage becomes quite real.

It is desirable that analysts of the information and analytical service review in advance the materials about the company prepared for publication, exhibition brochures, advertising publications, etc., and that they take part in presentations, exhibitions, shareholder meetings and negotiations, as well as in interviewing and testing candidates for positions. The latter is one of the main and most important duties of that service, since it is at this stage that one of the main organizational channels, an attacker being hired by the company, can be blocked with a certain degree of probability (84, p. 35).

The term “leakage of confidential information” is probably not the most euphonious, but it captures the essence of the phenomenon more succinctly than other terms and has long been established in the scientific literature and in regulatory documents. A leak of confidential information is the unlawful, i.e. unauthorized, release of such information beyond the protected zone in which it is used or beyond the established circle of persons entitled to work with it, where that release results in the information being received (read) by persons who do not have authorized access to it. Leakage does not only mean receipt of the information by persons who do not work at the enterprise; unauthorized access to confidential information by the enterprise’s own personnel is also leakage.

The loss and leakage of confidential documented information is caused by the vulnerability of the information. The vulnerability of information should be understood as the inability of information to independently withstand destabilizing influences, that is, influences that violate its established status. Violation of the status of any documented information consists of a violation of its physical safety (in general or with a given owner in full or in part), logical structure and content, and accessibility for authorized users. Violation of the status of confidential documented information additionally includes violation of its confidentiality (closedness to unauthorized persons).

The vulnerability of documented information is a collective concept. It does not exist in the abstract but manifests itself in various forms. These forms, which express the results of a destabilizing effect on information, are the following (variant names of each form are given in brackets):

    theft of a storage medium or information displayed on it (theft);

    loss of storage media (loss);

    unauthorized destruction of a storage medium or information displayed on it (destruction);

    distortion of information (unauthorized change, unauthorized modification, forgery, falsification);

    blocking information;

    disclosure of information (distribution, disclosure).

The term “destruction” is used mainly in relation to information on magnetic media.

The existing variants of names: modification, forgery, falsification are not entirely adequate to the term “distortion”; they have nuances, but their essence is the same - unauthorized partial or complete change in the composition of the original information.

Blocking information in this context means blocking access to it by authorized users, not by attackers.

Disclosure of information is a form of manifestation of the vulnerability of confidential information only.

One or another form of vulnerability of documented information can be realized as a result of intentional or accidental destabilizing effects, applied in various ways to the information carrier or to the information itself by a source of influence. Such sources can be people, technical means of processing and transmitting information, means of communication, natural disasters, etc. The methods of destabilizing influence on information are copying (photographing), recording, transmission, removal, infection of information-processing programs with a virus, violation of the technology of processing and storing information, withdrawal (or failure) and disruption of the operating mode of technical means of processing and transmission, physical impact on the information, etc.

The implementation of forms of manifestation of vulnerability of documented information leads or can lead to two types of vulnerability - loss or leakage of information.

The loss of documented information is caused by theft and loss of storage media, unauthorized destruction of storage media or only the information displayed on them, distortion and blocking of information. The loss can be complete or partial, irreversible or temporary (when information is blocked), but in any case it causes damage to the owner of the information.

Leakage of confidential documented information is caused by its disclosure. In the literature and even in regulatory documents the term “leakage of confidential information” is often replaced by or equated with the terms “disclosure of confidential information” and “dissemination of confidential information”. This is not correct. Disclosure or dissemination of confidential information means its unauthorized delivery to consumers who have no right of access to it, and such delivery must be carried out by someone, must come from someone. A leak occurs whenever confidential information is disclosed (distributed without authorization), but is not limited to that case. A leak can also result from the loss of a medium of confidential documented information, and from the theft of the medium or of the information recorded on it while the medium itself remains in the custody of its owner (holder). “Can” does not mean “will”. A lost medium may fall into the wrong hands, or it may be picked up by a refuse truck and destroyed in the manner prescribed for garbage; in the latter case no leak occurs. Theft of confidential documented information likewise does not always mean that it reaches persons without access to it: there have been many cases in which carriers of confidential information were stolen from work colleagues by persons who themselves had access to that information, in order to “help out” or to harm the colleague, and such media were usually destroyed by those who stole them. In every case, however, the loss or theft of confidential information, even if it does not lead to a leak, creates the threat of one. We can therefore say that leakage of confidential information is caused by its disclosure and may result from theft and loss.

The difficulty is that it is often impossible to establish, first, the very fact of disclosure or theft of confidential information while the carrier remains in the custody of its owner (holder), and second, whether the information reached unauthorized persons as a result of theft or of loss.

Sources of confidential information (channels of information leakage), threats to the security of confidential information, sources of threats, goals and methods of implementing threats

Confidential information circulating in an enterprise plays an important role in its functioning. Confidential information means documented information, access to which is limited by the legislation of the Russian Federation. Accordingly, this data may become an object of interest for attackers. Therefore, it is necessary to create conditions under which the possibility of leakage of confidential information will be minimized.

Leakage is the uncontrolled release of confidential information outside the organization or beyond the circle of persons to whom it was entrusted. Leakage can occur through various channels. An information leakage channel is a communication channel that allows a process to transmit information in a way that violates the security of the system (this is also the classic definition of a covert channel). Information leakage can take three forms:

  • disclosure of information;
  • leakage through technical channels;
  • unauthorized access to information.

All channels of penetration into a system and channels of information leakage are divided into direct and indirect. Indirect channels are those whose use does not require penetration into the premises where the system components are located (for example, loss of storage media, remote eavesdropping, interception of spurious electromagnetic emissions (PEMI, the class of emanation channels addressed by TEMPEST countermeasures)). Using direct channels requires penetration (the actions of insiders, unauthorized copying, etc.).

A leak of confidential information can occur if a competing organization is interested in it, as well as if conditions exist that allow an attacker to obtain information.

The emergence of such conditions is possible both due to a random combination of circumstances and due to deliberate actions of the enemy. The main sources of confidential information are:

  • enterprise personnel authorized to access confidential information;
  • material media of confidential information (documents, products);
  • technical means storing and processing confidential information;
  • means of communication used to transmit confidential information;
  • messages transmitted over communication channels containing confidential information.

Consequently, confidential information may become available to third parties as a result of:

  • loss or improper destruction of a document on any medium, a package of documents, confidential records;
  • failure by the employee to comply with requirements for the protection of confidential information;
  • excessive talkativeness of staff in common areas;
  • working with confidential information in the presence of unauthorized persons;
  • unauthorized transfer of confidential information to another employee;
  • absence of security classifications on documents, markings on media.

In conditions of fierce competition, confidential information, of course, attracts a lot of attention from competing organizations. After all, the more information is available, the greater the chances of finding an opponent’s vulnerabilities. Therefore, channels for the transmission and exchange of confidential information during their operation can be subject to attacks from intruders, which, in turn, can lead to the emergence of channels for leaking confidential information.

Currently, the Internet is actively used. Of course, the Internet provides great opportunities and convenience, but it becomes another reason for the leakage of confidential information. In most cases, leakage occurs due to careless handling of confidential information when transmitting it or publishing it on websites. Most of the incidents occur via email. The next most dangerous channel for leaking confidential information is communication systems (mainly IM clients and Skype). Also, social networks have now become particularly popular, in which it has become possible not only to exchange messages, but also to publish files, which can then become available to a large number of users. And of course, the Internet channel can be subject to hacker attack, which also poses a great danger.
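The e-mail, messenger and file-sharing channels listed above are exactly what a DLP-style outbound check inspects. The following Python script is an added illustration, not part of the original text or of any product: it combines the three detection methods such systems use (classification stamps in the text, pattern rules, and exact-fragment fingerprints of a known confidential document) over a constructed outbox. The stamp strings, the card-number and PRJ-nnnn project-code patterns, the protected document and the three sample messages are all assumptions made for the example.

```python
"""Added example: a minimal DLP-style check on outbound messages.

Detection methods combined here: classification stamps in the text,
pattern rules (card numbers validated with Luhn, and a hypothetical
internal project code), and exact-fragment fingerprints of a known
confidential document.  All stamps, patterns, documents and messages
below are constructed for this example.
"""
import hashlib
import re

# Classification stamps assumed to be used by the organisation (assumption).
STAMPS = ("CONFIDENTIAL", "COMMERCIAL SECRET", "КОНФИДЕНЦИАЛЬНО", "КОММЕРЧЕСКАЯ ТАЙНА")

# Pattern rules.  The PRJ-nnnn project code is a hypothetical internal format.
PATTERNS = {
    "card_number": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),   # 13 to 19 digits
    "project_code": re.compile(r"\bPRJ-\d{4}\b"),
}

FINGERPRINT_WINDOW = 8  # words per fingerprinted fragment


def luhn_ok(digits: str) -> bool:
    """Luhn check, used to cut false positives of the card-number rule."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalize(text: str) -> str:
    return re.sub(r"\s+", " ", text.lower()).strip()


def fingerprint_document(text: str, window: int = FINGERPRINT_WINDOW) -> set:
    """SHA-256 of every sliding window of `window` words of the document."""
    words = _normalize(text).split()
    return {
        hashlib.sha256(" ".join(words[i:i + window]).encode("utf-8")).hexdigest()
        for i in range(len(words) - window + 1)
    }


def inspect_message(text: str, fingerprints: set) -> list:
    """Return a list of (rule, evidence) findings for one outbound message."""
    findings = []
    upper = text.upper()
    for stamp in STAMPS:
        if stamp in upper:
            findings.append(("stamp", stamp))
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(0)
            if name == "card_number" and not luhn_ok(re.sub(r"[ -]", "", value)):
                continue   # a digit run that is not a valid card number
            findings.append((name, value))
    if fingerprint_document(text) & fingerprints:
        findings.append(("fingerprint", "matches protected document"))
    return findings


def scan_outbox(messages: list, fingerprints: set) -> dict:
    """Map message index -> findings for every message that triggered a rule."""
    result = {}
    for i, msg in enumerate(messages):
        findings = inspect_message(msg, fingerprints)
        if findings:
            result[i] = findings
    return result


# Constructed sample data: one protected document and three outbound messages.
PROTECTED_DOC = (
    "Budget plan for project PRJ-2041. Planned revenue for the first quarter "
    "is 12.4 million, planned margin 31 percent, headcount 46, key customer "
    "retention target 95 percent."
)
SAMPLE_MESSAGES = [
    "Hi, here is the agenda for tomorrow's meeting: room 3, 10:00.",
    "FYI: planned revenue for the first quarter is 12.4 million, planned margin 31 percent, headcount 46.",
    "CONFIDENTIAL: the card 4111 1111 1111 1111 was used for the PRJ-2041 purchase.",
]

if __name__ == "__main__":
    fp = fingerprint_document(PROTECTED_DOC)
    for idx, findings in scan_outbox(SAMPLE_MESSAGES, fp).items():
        print(idx, findings)
```

The second message carries no stamp and no pattern, yet it is caught because a copied fragment of the budget document matches a fingerprint; the third is caught by the stamp, the Luhn-valid card number and the project code. The limits are worth keeping in mind: a stamp is trivially deleted by whoever forwards the text, and exact fingerprints detect copy-and-paste but not paraphrase, which is why real DLP deployments add statistical and structural document matching on top of these rules.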

There are special technical means that allow you to obtain information without direct contact with personnel, documents, and databases. When using them, technical channels for information leakage arise. A technical channel of information leakage is usually understood as a physical path from a source of confidential information to an attacker, through which the latter can gain access to protected information. To form a technical channel for information leakage, certain spatial, energy and temporal conditions are required, as well as the presence on the attacker’s side of appropriate equipment for receiving, processing and recording information. The main technical channels of information leakage are electromagnetic, electrical, acoustic, visual-optical, etc. Such channels are predictable and are interrupted by standard countermeasures.

The main threats to confidential information include disclosure, leakage, and unauthorized access. The threat to the security of confidential information is understood as a set of conditions and factors that create a potential or actual danger associated with information leakage and (or) unauthorized and (or) unintentional impacts on it.

The result of illegal actions may be a violation of the confidentiality, reliability, and completeness of information, which, in turn, may cause material damage to the organization.

All threats to confidential information in relation to an object can be divided into internal and external. Internal violators can be the administration, employees of the enterprise with access to the information system, and personnel servicing the building. Sources of external threats are clients, visitors, representatives of competitive organizations, persons who violated the enterprise's access control regime, as well as any persons located outside the controlled territory.

Statistics show that the majority of threats are realized by the organization’s own employees, while the share of external threats is relatively small (Fig. 3.26).

Fig. 3.26. Information security threat statistics

The most common, and the most dangerous in terms of damage, are unintentional errors by users of information systems. Of particular danger are “offended employees”, whose actions are driven by a desire to harm the organization; these may be both current and former employees. It is therefore necessary to ensure that when an employee leaves, his access to information resources is terminated.
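Terminating a leaver’s access is only reliable if someone checks that it actually happened. The script below is an added example, not part of the original text: it reconciles a constructed HR roster with a constructed directory export and reports enabled accounts belonging to terminated employees, enabled accounts with no HR record behind them, and accounts that logged on after their owner’s termination date. The CSV column names and all rows are assumptions, not any vendor’s format.

```python
"""Added example: reconciling an HR roster with a directory export to find
accounts that should have been disabled when an employee left.  Both
exports are constructed CSV snippets; the column names are assumptions.
"""
import csv
import io
from datetime import date

HR_EXPORT = """employee_id,name,status,termination_date
1001,Ivanov I.I.,active,
1002,Petrova A.S.,terminated,2024-03-15
1003,Sidorov P.K.,terminated,2024-05-01
1004,Kuznetsova E.V.,active,
"""

DIRECTORY_EXPORT = """username,employee_id,enabled,last_logon
iivanov,1001,true,2024-06-10
apetrova,1002,true,2024-04-02
psidorov,1003,false,2024-04-28
svc_backup,,true,2024-06-11
ekuznetsova,1004,true,2024-06-09
"""


def load_csv(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def _date(value: str):
    return date.fromisoformat(value) if value else None


def reconcile(hr_rows: list, directory_rows: list) -> list:
    """Return (finding, username) pairs, in directory order."""
    hr = {row["employee_id"]: row for row in hr_rows}
    findings = []
    for acct in directory_rows:
        enabled = acct["enabled"].strip().lower() == "true"
        emp = hr.get(acct["employee_id"].strip())
        if emp is None:
            # Enabled account with no HR record behind it: nobody owns it.
            if enabled:
                findings.append(("orphan_account", acct["username"]))
            continue
        if emp["status"] == "terminated":
            left = _date(emp["termination_date"])
            last_logon = _date(acct["last_logon"])
            if enabled:
                findings.append(("leaver_still_enabled", acct["username"]))
            # A logon after the termination date means the account was used
            # after the person left, whatever its current state.
            if left and last_logon and last_logon > left:
                findings.append(("logon_after_termination", acct["username"]))
    return findings


def run_sample() -> list:
    return reconcile(load_csv(HR_EXPORT), load_csv(DIRECTORY_EXPORT))


if __name__ == "__main__":
    for finding, user in run_sample():
        print(f"{finding:24s} {user}")
```

On the sample data the check flags apetrova twice (still enabled, and a logon two weeks after termination) and the ownerless svc_backup account; psidorov is clean because the account was disabled before the termination date. In practice service accounts need their own owner register so that they are not all reported as orphans, and the comparison should be run on a schedule rather than once.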

Natural sources of threats are very diverse and unpredictable. The emergence of such sources is difficult to predict and difficult to counteract. These include fires, earthquakes, hurricanes, floods and other natural disasters. The occurrence of such events can lead to disruption of the functioning of the enterprise and, accordingly, to a violation of information security in the organization.

To protect information stored on a computer, it is necessary to use software and hardware protection tools. It is recommended to use the following types of personal computer protection software:

  • means that provide protection against unauthorized access to a computer;
  • means of protecting the disk from unauthorized writing and reading;
  • means of monitoring disk access;
  • means of removing remnants of classified information.

The main measures to prevent unauthorized access (NSD) to a PC are physical protection of the PC and its storage media, user authentication, access control to protected information, cryptographic protection, and logging (registration) of access to protected information. Since there is a risk of the computer becoming infected with viruses, each PC must also be equipped with anti-virus software.
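Registration of access to protected information is only evidence if the record itself cannot be quietly edited by whoever is being recorded. The following Python is an added example, not from the original text: each log entry carries an HMAC over its own fields and the MAC of the previous entry, so changing or deleting an entry in the middle breaks the chain, and a verifier that also holds the latest MAC (kept somewhere the logging host cannot write) detects a log cut short at the end. The key, the field names and the three sample events are constructed for the example.

```python
"""Added example: a tamper-evident access log ("registration of access to
protected information").  Each entry is HMAC-chained to the previous one.
The key and the sample events are constructed for this example.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64   # "previous MAC" of the first entry


def _canonical(body: dict) -> bytes:
    # Deterministic serialization so writer and verifier MAC the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


class AccessLog:
    def __init__(self, key: bytes):
        self._key = key
        self.entries = []
        self._prev = GENESIS

    def record(self, ts: str, user: str, resource: str, action: str) -> dict:
        body = {
            "seq": len(self.entries), "ts": ts, "user": user,
            "resource": resource, "action": action, "prev": self._prev,
        }
        mac = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        entry = dict(body, mac=mac)
        self.entries.append(entry)
        self._prev = mac
        return entry

    def last_mac(self) -> str:
        """The value to store off-host after every write (anchor against truncation)."""
        return self._prev


def verify_log(entries: list, key: bytes, expected_last: str = None):
    """Return None if the chain is intact, else the index of the first bad entry.

    A hash chain alone cannot detect entries removed from the end; if
    `expected_last` (the most recent MAC, stored out of the writer's reach)
    is given, such truncation is reported as index len(entries).
    """
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != prev:
            return i                       # reordered, inserted or deleted entry
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("mac", "")):
            return i                       # edited fields or wrong key
        prev = entry["mac"]
    if expected_last is not None and not hmac.compare_digest(prev, expected_last):
        return len(entries)                # log cut short at the end
    return None


def build_sample_log(key: bytes) -> AccessLog:
    """Three constructed access events."""
    log = AccessLog(key)
    log.record("2024-06-10T09:01:00", "iivanov", "contracts/2024/q2.docx", "read")
    log.record("2024-06-10T09:05:30", "apetrova", "contracts/2024/q2.docx", "print")
    log.record("2024-06-10T09:07:12", "iivanov", "hr/salaries.xlsx", "read")
    return log


if __name__ == "__main__":
    key = b"demo-key-kept-off-the-logging-host"
    log = build_sample_log(key)
    print("intact:", verify_log(log.entries, key))
    edited = [dict(e) for e in log.entries]
    edited[1]["user"] = "mallory"
    print("edited entry 1 detected at:", verify_log(edited, key))
    print("truncated, no anchor:", verify_log(log.entries[:2], key))
    print("truncated, with anchor:", verify_log(log.entries[:2], key, log.last_mac()))
```

The point of the last two lines is the caveat a practitioner should remember: without the externally stored anchor, deleting the most recent entries leaves a perfectly valid chain. The HMAC key must likewise live outside the reach of the users and administrators whose access is being registered, otherwise the log can be rewritten and re-signed.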

When processing confidential information in enterprise information systems, there is a possibility of its leakage. Leakage of confidential information can cause serious material damage. Therefore, it is necessary to take measures to prevent it. To do this, you should analyze all possible sources and threats and, in accordance with this, make a decision on the comprehensive use of information security tools.