Information security methods. Legal protection of information


Introduction

I. Historiography

II. Main part

2.1 Types of intentional threats to information

2.2 Information security methods

Conclusion

Bibliography

Introduction

Information plays a special role in the development of civilization. Possession of information resources creates the prerequisites for the progressive development of society. Distortion of information, blocking of the process of obtaining it, or the introduction of false information contributes to wrong decisions being made.

Even 25-30 years ago, the problem of information protection could be effectively solved with the help of organizational measures and separate software and hardware means of access control and encryption. The appearance of personal computers, local and global networks, satellite communication channels, effective technical intelligence and confidential information has significantly aggravated the problem of information protection.

At the same time, information is a very specific product, which can be in both material and intangible (non-fixed) form. Therefore, without clear boundaries defining information as an object of law, the application of any legislative norms in relation to it is very problematic.

Until recently, this was a fairly important reason complicating the regulation of legal relations in the information sphere.

The main guarantees of information rights are contained in the Constitution of the Russian Federation. Despite the fact that the Constitution is a law of direct effect, it would be difficult to apply its provisions to certain types of relations without further specification.

Certain types of relations are regulated by special laws, which, as a rule, also do not contain norms that directly establish the rules of information interaction.

The rules of information interaction that arise during the implementation of specific relationships are regulated at the level of Government resolutions or departmental regulations. At this level, as a rule, a normative act is created that is binding on the participants in these relations, and the rules established therein are communicated to employees or structural units of the relevant government body by issuing instructions or sending out a letter.

The increase in the number and quality of threats to information security in computer systems does not always lead to an adequate response in the form of creating reliable systems and secure information technologies. In most commercial and government organizations, not to mention ordinary users, only anti-virus programs and differentiation of user access rights based on passwords are used as protection measures.

A threat to information security refers to events or actions that can lead to distortion, unauthorized use or even destruction of the information resources of the managed system, as well as of its software and hardware.

I. Historiography

The term “information” comes from the Latin informatio, meaning “acquaintance, explanation, presentation, concept”, and was originally associated exclusively with the communicative activities of people. It appeared in Russia, apparently, in the era of Peter the Great, but did not become widespread. Only at the beginning of the twentieth century did it begin to be used in documents, books, newspapers and magazines, in the sense of reporting, informing, information about something.

However, the rapid development in the 20s of the last century of communication means and systems, together with the emergence of computer science and cybernetics, urgently required a scientific understanding of the concept of information and the development of an appropriate theoretical framework. This led to the formation and development of a whole “family” of very different doctrines about information and, accordingly, approaches to defining the very concept of information.

The history of studies about information began with the consideration of its mathematical (syntactic) aspect associated with quantitative indicators (characteristics) of information systems.

In 1928, R. Hartley, in his work “Transmission of Information,” determined the measure of the amount of information for uniform events, and in 1948, Claude Shannon proposed a formula for determining the amount of information for a set of events with different probabilities. And although back in 1933 the work of our outstanding scientist V.A. Kotelnikov on the quantization of electrical signals appeared, containing the famous “sampling theorem”, in the world scientific literature it is believed that 1948 is the year of the birth of information theory and a quantitative approach to information processes.

The statistical theory of information formulated by C. Shannon had a significant impact on various fields of knowledge. It was noted that Shannon's formula is very similar to the Boltzmann formula used in physics for the statistical determination of entropy, taken with the opposite sign. This allowed L. Brillouin to characterize information as negative entropy (negentropy).

The significance of the statistical approach to defining the concept of information also lay in the fact that within its framework the first definition of information was obtained that was satisfactory, including from a philosophical point of view: information is the elimination of uncertainty. According to A.D. Ursul, “If there is ambiguity or uncertainty in our knowledge about any subject, and having received new information about this subject we can judge it more definitely, this means that the message contained information.”

However, highlighting only the quantitative aspect of information was clearly not enough. As V.A. Bokarev correctly noted, in statistical theory, “made this theory, on the one hand, preliminary broad, but on the other hand, preventing it from becoming a science that studies information comprehensively.” All this forced us to look for other, more universal approaches to defining the concept of information.

This essentially different, complementary approach was the cybernetic approach, covering the structures and connections of systems. With the advent of cybernetics, as a science “about the general laws of transformation of information in complex control systems,” methods of perception, storage, processing, and use of information, the term “information” became a scientific concept, a kind of tool for studying management processes.

II. Main part

2.1 Types of intentional threats to information

Passive threats are aimed mainly at the unauthorized use of information resources of an information system, without affecting its functioning. For example, unauthorized access to databases, listening to communication channels, etc.

Active threats have the goal of disrupting the normal functioning of the IS by purposefully influencing its components. Active threats include, for example, the failure of a computer or its operating system, distortion of information in the BnD, destruction of computer software, disruption of communication lines, etc. Active threats can come from hackers, malware, etc.

Deliberate threats are also divided into internal (arising within the managed organization) and external.

Internal threats are most often determined by social tension and a difficult moral climate.

External threats can be determined by malicious actions of competitors, economic conditions and other reasons (for example, natural disasters). According to foreign sources, industrial espionage has become widespread: the illegal collection, appropriation and transfer of information constituting a trade secret by a person not authorized by its owner, to the detriment of the owner of the trade secret.

The main threats to information security and normal functioning of information systems include:

* leakage of confidential information;

* compromise of information;

* unauthorized use of information resources;

* erroneous use of information resources;

* unauthorized exchange of information between subscribers;

* refusal of information;

* violation of information services;

* illegal use of privileges.

Leakage of confidential information is the uncontrolled release of confidential information outside the IS or the circle of persons to whom it was entrusted through service or became known in the course of work. This leak may be due to:

* disclosure of confidential information;

* loss of information through various, mainly technical, channels;

* unauthorized access to confidential information in various ways.

Disclosure of information by its owner or possessor consists of intentional or careless actions of officials and users to whom the relevant information was entrusted in the established manner through their service or work, which led to persons not admitted to this information becoming familiar with it.

Uncontrolled loss of confidential information is possible via visual-optical, acoustic, electromagnetic and other channels.

Unauthorized access is the unlawful deliberate acquisition of confidential information by a person who does not have the right to access protected information.

The most common ways of unauthorized access to information are:

* interception of electronic radiation;

* use of listening devices (implanted bugs);

* remote photography;

* interception of acoustic radiation and restoration of printer text;

* reading residual information in the system memory after executing authorized requests;

* copying storage media by overcoming security measures;

* disguise as a registered user;

* disguise as system requests;

* use of software traps;

* exploiting the shortcomings of programming languages and operating systems;

* illegal connection to equipment and communication lines of specially designed hardware that provides access to information;

* malicious disabling of protection mechanisms;

* decryption of encrypted information by special programs;

* information infections.

The listed methods of unauthorized access require quite a lot of technical knowledge and appropriate hardware or software development from the intruder. For example, technical leakage channels are used: physical paths from the source of confidential information to the attacker, through which protected information can be obtained. Leakage channels are caused by design and technological imperfections of circuit solutions or operational wear of elements. All this allows intruders to create converters operating on certain physical principles, forming an information transmission channel inherent in these principles, that is, a leakage channel.

However, there are also quite primitive ways of unauthorized access:

* theft of storage media and documentary waste;

* proactive cooperation;

* inducement to cooperation on the part of the intruder;

* probing;

* eavesdropping;

* observation and other ways.

Any methods of leaking confidential information can lead to significant material and moral damage both for the organization where the information system operates and for its users.

Managers should remember that quite a large part of the reasons and conditions that create the preconditions and the possibility of unlawful acquisition of confidential information arise due to elementary shortcomings of organizational leaders and their employees. For example, the reasons and conditions that create the prerequisites for the leakage of trade secrets may include:

* insufficient knowledge by employees of the organization of the rules for protecting confidential information and a lack of understanding of the need for their careful compliance;

* use of uncertified technical means for processing confidential information;

* weak control over compliance with information protection rules by legal, organizational and engineering measures;

* staff turnover, including those possessing information constituting a trade secret;

* organizational shortcomings, as a result of which the culprits of information leakage are people - IS and IT employees.

Most of the listed technical ways of unauthorized access can be reliably blocked by a properly designed and implemented security system. But the fight against information infections presents significant difficulties, since a huge variety of malicious programs exist and are constantly being developed, the purpose of which is to damage information in the database and computer software. The large number and variety of these programs does not allow permanent and reliable means of protection against them to be developed.

Malicious programs are classified as follows.

Logic bombs, as the name implies, are used to distort or destroy information; less often, they are used to commit theft or fraud. Logic bomb manipulation is usually done by disgruntled employees who are planning to leave the organization, but it can also be done by consultants, employees with certain political beliefs, etc.

A real-life example of a logic bomb: a programmer, anticipating his dismissal, makes certain changes to the payroll program that take effect when his last name disappears from the data set of company personnel.

Trojan horse -- a program that performs, in addition to the main, i.e., designed and documented actions, additional actions not described in the documentation. The analogy with the ancient Greek Trojan horse is justified: in both cases a threat is hidden inside a shell that arouses no suspicion. The Trojan horse is an additional block of commands, one way or another inserted into the original harmless program, which is then transferred (donated, sold, replaced) to IS users. This block of commands can be triggered when a certain condition occurs (date, time, by external command, etc.). Anyone who runs such a program endangers both their files and the entire IS as a whole. A Trojan horse usually acts within the authority of one user, but in the interests of another user or even a stranger, whose identity is sometimes impossible to establish.

A Trojan horse can perform the most dangerous actions if the user who launched it has an extended set of privileges. In this case, an attacker who created and introduced a Trojan horse, and does not himself have these privileges, can perform unauthorized privileged functions by someone else's hands.

Virus -- a program that can infect other programs by including in them a modified copy that has the ability to further reproduce.

The virus is believed to be characterized by two main features:

1) the ability to self-reproduce;

2) the ability to intervene in the computing process (i.e., to gain control).

Worm -- a program that spreads through the network and does not leave a copy of itself on a magnetic medium. The worm uses network support mechanisms to determine which node may be infected. Then, using the same mechanisms, it transfers its body or part of it to this node and either activates or waits for suitable conditions for this. The most famous representative of this class is the Morris virus (Morris worm), which infected the Internet in 1988. A suitable environment for the spread of a worm is a network in which all users are considered friendly and trust each other, and there are no protective mechanisms. The best way to protect yourself from a worm is to take precautions against unauthorized access to your network.

Password grabbers are programs specifically designed to steal passwords. When a user tries to access the system terminal, the information necessary to end the work session is displayed on the screen. When attempting to log in, the user enters a name and password, which are sent to the owner of the invader program, after which an error message is displayed and input and control are returned to the operating system. A user who thinks they have made a mistake in typing their password logs in again and gains access to the system. However, their name and password are already known to the owner of the invader program. Password interception is also possible in other ways. To prevent this threat, before logging into the system, you need to make sure that you are entering your name and password into the system input program and not some other one. In addition, you must strictly adhere to the rules for using passwords and working with the system. Most violations occur not due to clever attacks, but due to basic negligence. Compliance with specially developed rules for using passwords is a necessary condition for reliable protection.

Compromise of information (one of the types of information infections). It is implemented, as a rule, through unauthorized changes in the database, as a result of which its consumer is forced to either abandon it or make additional efforts to identify changes and restore true information. When using compromised information, the consumer is at risk of making poor decisions.

Unauthorized use of information resources is, on the one hand, a consequence of information leakage and a means of compromising it. On the other hand, it has independent significance, since it can cause great damage to the managed system (up to complete IT failure) or its subscribers.

Erroneous use of information resources, while authorized, may nonetheless result in the destruction, leakage, or compromise of said resources. This threat is most often a consequence of errors in IT software.

Unauthorized exchange of information between subscribers can lead to one of them obtaining information, access to which he is prohibited from. The consequences are the same as for unauthorized access.

Refusal of information consists in the non-recognition by the recipient or sender of this information of the facts of its receipt or sending. This allows one of the parties to terminate the concluded financial agreements technically, without formally abandoning them, thereby causing significant damage to the other party.

Information service disruption -- a threat that comes from IT itself. A delay in providing information resources to the subscriber can lead to dire consequences for him. The user's lack of timely data necessary to make a decision can cause him to act irrationally.

Illegal use of privileges. Any protected system contains tools used in emergency situations, or tools that are capable of functioning in violation of the existing security policy. For example, in case of an unexpected audit, the user must be able to access all sets of the system. These tools are typically used by administrators, operators, system programmers, and other users who perform specialized functions.

Most security systems use privilege sets in such cases, meaning that a certain privilege is required to perform a certain function. Typically, users have a minimum set of privileges, while administrators have the maximum.

Privilege sets are protected by a security system. Unauthorized (illegal) seizure of privileges is possible if there are errors in the security system, but most often occurs in the process of managing the security system, in particular when privileges are used carelessly.

Strict adherence to the rules for managing the security system and adherence to the principle of minimum privileges allows you to avoid such violations.

2.2 Information security methods

In September 2000, the President of Russia signed the “Doctrine of Information Security of the Russian Federation”, on the basis of which the law on information was adopted. This law distinguishes the following types of information that are subject to state protection:

Cryptographic methods:

The problem of protecting information by transforming it to prevent it from being read by an outsider has worried the human mind since ancient times. The history of cryptography is coeval with the history of human language. Moreover, writing itself was originally a cryptographic system, since in ancient societies only a select few mastered it. The sacred books of Ancient Egypt and Ancient India are examples of this.

With the widespread use of writing, cryptography began to emerge as an independent science. The first cryptosystems are found already at the beginning of our era. Thus, Caesar in his correspondence used a more or less systematic cipher, which received his name.

Cryptographic systems developed rapidly during the years of the First and Second World Wars. From the post-war period to the present day, the advent of computing has accelerated the development and improvement of cryptographic methods.

Why has the problem of using cryptographic methods in information systems (IS) currently become particularly relevant?

On the one hand, the use of computer networks has expanded, in particular the global Internet, through which large volumes of information of a state, military, commercial and private nature are transmitted, information to which unauthorized persons must not have access.

On the other hand, the emergence of new powerful computers, network and neural computing technologies have made it possible to discredit cryptographic systems that until recently were considered practically unbreakable.

Cryptology (kryptos - secret, logos - science) deals with the problem of protecting information by transforming it. Cryptology is divided into two areas - cryptography and cryptanalysis. The goals of these directions are directly opposite.

Cryptography deals with the search and study of mathematical methods for converting information.

The area of interest of cryptanalysis is the study of the possibility of decrypting information without knowing the keys.

Modern cryptography includes four major sections:

1. Symmetric cryptosystems.

2. Public key cryptosystems.

3. Electronic signature systems.

4. Key management.

The main areas of use of cryptographic methods are the transfer of confidential information through communication channels (for example, e-mail), establishing the authenticity of transmitted messages, storing information (documents, databases) on media in encrypted form.

Public key systems:

No matter how complex and reliable cryptographic systems are, their weak point in practical implementation is the problem of key distribution. In order for the exchange of confidential information between two IS subjects to be possible, the key must be generated by one of them and then somehow, again confidentially, transferred to the other. That is, in the general case, transferring the key again requires the use of some kind of cryptosystem.

To solve this problem, public key systems were proposed, based on the results obtained by classical and modern algebra.

Their essence is that each IS addressee generates two keys that are connected to each other according to a certain rule. One key is declared public and the other private. The public key is published and available to anyone who wishes to send a message to the recipient. The private key is kept secret.

The original text is encrypted with the recipient's public key and transmitted to him. The ciphertext cannot in principle be decrypted with the same public key. Decryption of a message is only possible using the private key, which is known only to the recipient.

Public key cryptographic systems use so-called irreversible or one-way functions, which have the following property: given a value x, it is relatively easy to calculate the value f(x); however, if y = f(x), there is no easy way to calculate the value x.

The set of classes of irreversible functions gives rise to all the variety of public key systems. However, not every irreversible function is suitable for use in real IS.

There is uncertainty in the very definition of irreversibility. Irreversibility does not mean theoretical irreversibility, but the practical impossibility of calculating the reciprocal value using modern computing tools over a foreseeable time interval.

Therefore, in order to guarantee reliable information protection, public key systems (PKS) are subject to two important and obvious requirements:

1. The transformation of the source text must be irreversible, so that the text cannot be restored based on the public key.

2. Determining a private key based on a public key should also be impossible at the current technological level. In this case, an exact lower bound for the complexity (number of operations) of breaking the cipher is desirable.

Public key encryption algorithms are widely used in modern information systems. Thus, the RSA algorithm has become the de facto global standard for open systems and is recommended by the CCITT.

In general, all public key cryptosystems offered today rely on one of the following types of irreversible transformations:

Factorization of large numbers into prime factors.

Calculating the logarithm in a finite field.

Calculation of roots of algebraic equations.

It should be noted here that public key cryptosystem (PKS) algorithms can be used for three purposes.

1. As an independent means of protecting transmitted and stored data.

2. As a means for distributing keys. PKS algorithms are more labor intensive than traditional cryptosystems. Therefore, in practice it is often rational to use PKS to distribute keys, the volume of which as information is insignificant, and then to exchange large information flows using conventional algorithms.

3. As a means of user authentication.

Electronic signature

In 1991, the National Institute of Standards and Technology (NIST) proposed the DSS (Digital Signature Standard) standard for the then emerging digital signature algorithm DSA (Digital Signature Algorithm), which was based on the ElGamal and RSA algorithms.

What is the problem with data authentication?

At the end of a regular letter or document, the executor or responsible person usually puts his signature. Such an action usually serves two purposes. Firstly, the recipient has the opportunity to verify the authenticity of the letter by comparing the signature with a sample he has. Secondly, a personal signature is a legal guarantee of the authorship of the document. The last aspect is especially important when concluding various types of trade transactions, drawing up powers of attorney, obligations, etc.

If it is very difficult to forge a person’s signature on paper, and establishing the authorship of a signature using modern forensic methods is a technical detail, then with an electronic signature the situation is different. Any user can tamper with a bit string by simply copying it, or make illegal corrections to a document without being noticed.

With the wide spread in the modern world of electronic forms of documents (including confidential ones) and means of processing them, the problem of establishing the authenticity and authorship of paperless documentation has become particularly relevant.

In the section on public key cryptographic systems, it was shown that, for all the advantages of modern encryption systems, they do not allow for data authentication. Therefore, authentication means must be used in conjunction with cryptographic algorithms.

Sometimes there is no need to encrypt the transmitted message, but you need to seal it with an electronic signature. In this case, the text is encrypted with the sender's private key and the resulting string of characters is attached to the document. The recipient, using the sender's public key, decrypts the signature and checks it against the text.
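The public key encryption and electronic signature flows described above, as an added example that is not part of the original text: a textbook RSA sketch in Python. The function names and the constructed toy primes are assumptions; raw RSA without padding is shown for teaching only, and the last function illustrates why requirement 2 (the private key must not be derivable from the public key) depends on the size of the modulus.

```python
import hashlib

def make_keypair(p, q, e=65537):
    """Build a textbook RSA key pair from two primes (no padding: teaching only)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: inverse of e modulo phi(n)
    return (n, e), (n, d)        # (public key, private key)

def encrypt(m, public):
    """Anyone can do this: only the published pair (n, e) is needed."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(m, e, n)

def decrypt(c, private):
    """Only the holder of d can invert the transformation."""
    n, d = private
    return pow(c, d, n)

def digest_int(message, n):
    """Hash the document and map the digest into the range of the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private):
    """Signature = digest of the text transformed with the sender's private key."""
    n, d = private
    return pow(digest_int(message, n), d, n)

def verify(message, signature, public):
    """Recipient undoes the signature with the public key and compares digests."""
    n, e = public
    return pow(signature, e, n) == digest_int(message, n)

def recover_private_from_public(public):
    """Trial-division factoring: feasible only because the modulus is tiny.

    With real key sizes this loop would not finish in any foreseeable time,
    which is exactly the practical irreversibility the text refers to.
    """
    n, e = public
    f = 2
    while f * f <= n:
        if n % f == 0:
            return n, pow(e, -1, (f - 1) * (n // f - 1))
        f += 1
    raise ValueError("modulus is prime, not an RSA modulus")

def demo():
    # Constructed toy key from two Mersenne primes; real keys are far larger.
    public, private = make_keypair(2**31 - 1, 2**61 - 1)
    session_key = int.from_bytes(b"key:0042", "big")   # constructed sample value
    ciphertext = encrypt(session_key, public)
    print("round trip ok:", decrypt(ciphertext, private) == session_key)

    document = b"pay 100 to Bob"                        # constructed sample text
    signature = sign(document, private)
    print("genuine document:", verify(document, signature, public))
    print("altered document:", verify(b"pay 900 to Bob", signature, public))

    weak_public, weak_private = make_keypair(61, 53, e=17)
    print("tiny key recovered:", recover_private_from_public(weak_public) == weak_private)

if __name__ == "__main__":
    demo()
```

Production systems use a vetted library with padding schemes such as OAEP for encryption and PSS for signatures rather than the raw operation shown here.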

Methods of protecting information on the Internet:

Today the most relevant topic for the Internet is the problem of information security. The network is rapidly developing on a global scale, and internal network systems (intranets) are becoming increasingly widespread. The emergence of a huge new niche in the market has served as an incentive for both users and network service providers to look for ways to improve the security of information transmission over the Internet.

The problem of security on the Internet is divided into two categories: general security and issues of reliability of financial transactions. Successful resolution of problems in the field of financial activity could open up vast prospects for the Internet in providing business services. Credit card giants such as MasterCard and Visa, as well as computer industry leaders Microsoft and Netscape, have joined the fight to solve this problem. All this concerns “money” matters; Our article is devoted to the problem of general security.

The goal of research in this area is to solve the problem of privacy. Let's take an example of transferring email messages from one SMTP server to another. In some cases, these messages are simply copied from one hard drive to another as ordinary text files, i.e. anyone can read them. Figuratively speaking, the mechanism for delivering e-mail over the Internet is similar to the situation when washed clothes are hung outside instead of being wrung out in a washing machine. It doesn't matter whether the message contains any financial information or not; The following is important: any information sent over the Internet must be inaccessible to outsiders.

In addition to privacy, users are also concerned about guarantees of whom they are currently “talking” to. They need confidence that the Internet server with which they are currently communicating is really who it claims to be, be it a World-Wide Web, FTP, IRC or any other server. It is not particularly difficult to imitate (either as a joke or with criminal intentions) an unprotected server and try to collect all the information about you. And, of course, network service providers also want to be sure that those who contact them for certain Internet resources, such as e-mail and IRC services, are who they say they are.

Password protection method:

The legitimacy of the user's request is determined by the password, which is usually a string of characters. The password method is considered quite weak, since the password can become the object of theft, interception, brute force, or guessing. However, the simplicity of the method stimulates the search for ways to enhance it.

To increase the effectiveness of password protection, it is recommended:

1. choose a password longer than 6 characters, avoiding common, easily guessed words, names, dates, etc.;

2. use special characters;

3. passwords stored on the server are encrypted using a one-way function;

4. place the password file in a specially protected area of the computer’s memory, closed for reading by users;

5. the boundaries between adjacent passwords are masked;

6. password file comments should be stored separately from the file;

7. change passwords periodically;

8. provide for the possibility of forcibly changing passwords on the part of the system after a certain period of time;

9. use several user passwords: the password itself, a personal identifier, a password for locking/unlocking equipment during a short-term absence, etc.

More complex password methods include random sampling of password characters and one-time use of passwords. In the first case, the user (device) is allocated a fairly long password, and each time a randomly selected part of the password is used for identification. When using a one-time password, the user is allocated not one, but a large number of passwords, each of which is used according to a list or random sample once. In a truly distributed environment, where users have access to multiple servers, databases, and even remote login rights, security becomes so complex that it is a nightmare for an administrator.
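Two of the recommendations above, shown as an added example that is not part of the original text: storing passwords only as the output of a one-way function, and a list of one-time passwords that the server accepts once each. The function names, the choice of PBKDF2-HMAC-SHA256 as the one-way function, and the work factor are assumptions of this example.

```python
import hashlib
import hmac
import secrets

MIN_LENGTH = 7          # the text's rule: longer than 6 characters
ITERATIONS = 600_000    # assumed work factor; tune it to the server's hardware

def enroll(password, iterations=ITERATIONS):
    """Return the record the server stores: salt, work factor, one-way digest."""
    if len(password) < MIN_LENGTH:
        raise ValueError("password must be longer than 6 characters")
    salt = secrets.token_bytes(16)   # per-user salt: equal passwords, different digests
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def check(record, candidate):
    """Recompute the one-way function and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])

def issue_one_time_codes(count=5):
    """Generate a list of one-time passwords.

    The user receives the codes; the server keeps only their SHA-256 digests.
    A single hash is enough here because the codes are random 64-bit values,
    not human-chosen passwords.
    """
    codes = [secrets.token_hex(8) for _ in range(count)]
    store = {hashlib.sha256(code.encode("utf-8")).digest() for code in codes}
    return codes, store

def redeem(store, code):
    """Accept a code once: a second use of the same code is rejected."""
    digest = hashlib.sha256(code.encode("utf-8")).digest()
    if digest in store:
        store.remove(digest)     # burn the code so an intercepted copy is useless
        return True
    return False

def demo():
    record = enroll("correct horse battery")           # constructed sample password
    print("right password:", check(record, "correct horse battery"))
    print("wrong password:", check(record, "correct horse batterx"))

    codes, store = issue_one_time_codes(3)
    print("first use:", redeem(store, codes[0]))
    print("replayed :", redeem(store, codes[0]))
    print("codes left on server:", len(store))

if __name__ == "__main__":
    demo()
```

The random-sampling method from the same paragraph is not shown: it requires the server to compare individual characters, which a one-way digest of the whole password does not allow.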

Administrative protection measures:

The problem of information security is solved by introducing access control and delineating user powers.

A common means of restricting access (or limiting authority) is a password system. However, it is unreliable. Experienced hackers can break this protection, “snoop” someone else’s password, or enter the system by brute-forcing possible passwords, since users very often choose their first names, last names, or dates of birth as passwords. A more reliable solution is to organize access control to premises or to a specific PC on a LAN using various types of plastic identification cards.

Using plastic cards with a magnetic stripe for these purposes is hardly advisable, since they can be easily counterfeited. A higher degree of reliability is provided by plastic cards with a built-in microcircuit, the so-called microprocessor cards (MP cards, smart cards). Their reliability is due primarily to the impossibility of copying or counterfeiting them by homemade methods. In addition, during the production of the cards, a unique code that cannot be duplicated is written into each chip. When a card is issued to a user, one or more passwords are written on it, known only to its owner. For some types of MP cards, an attempt at unauthorized use ends with the card being automatically “closed”. To restore the functionality of such a card, it must be presented to the appropriate authority.

Installation of a special MP card reader is possible not only at the entrance to the premises where computers are located, but also directly at workstations and network servers.

Protection of corporate information:

However, when solving this problem, enterprises often follow the lead of contractor companies that promote one or more products that, as a rule, solve private problems. Below we will consider the most general approaches to a comprehensive solution to the problem of ensuring information security.

The most common mistake when building a security system is the desire to protect everything from everything at once. In fact, identifying the necessary information (files, directories, disks) and other objects of the information structure that need to be protected is the first step in building an information security system. You should start by defining this list: estimate how much the loss (deletion or theft) of a particular database or, for example, a day of downtime of a single workstation would cost.

The second step is to identify the sources of threats. As a rule, there are several of them. Identifying a source of threats means assessing its goals (if the source is intentional) or possible impact (if unintentional), and the likelihood (or intensity) of its occurrence. If we are talking about the malicious actions of a person (or a group of persons), then it is necessary to assess their organizational and technical capabilities for accessing information (after all, the attacker may also be an employee of the company).

Once the source of threats has been identified, threats to information security can be formulated. That is, what can happen to the information. As a rule, it is customary to distinguish the following groups of threats:

§ unauthorized access to information (reading, copying or changing information, forgery and imposition);

§ disruption of computers and application programs;

§ destruction of information.

In each of these three groups, dozens of specific threats can be identified, but let’s stop there for now. Let us only note that threats can be intentional and accidental, and accidental ones, in turn, can be natural (for example, natural disasters) and artificial (erroneous actions of personnel). Random threats that lack malicious intent are usually dangerous only in terms of information loss and system disruption, which is quite easy to insure against. Intentional threats are more serious from the point of view of losses for business, because here you have to fight not with blind (albeit merciless in its power) chance, but with a thinking enemy.

It is useful to build a protection system using protection principles that are quite universal for a wide variety of subject areas (engineering in the army, physical security of persons and territories, etc.):

§ Adequacy (reasonable sufficiency). The total cost of protection (time, human and monetary resources) must be lower than the cost of the resources being protected. If a company's turnover is $10,000 a month, it hardly makes sense to deploy a million-dollar system (and vice versa).

§ Systematicity. The importance of this principle is especially evident when building large protection systems. It consists in the fact that the protection system should not be built in the abstract (protection against everything), but on the basis of an analysis of threats, means of protection against these threats, the search for the optimal set of these means and the construction of the system.

§ Transparency for legal users. The introduction of security mechanisms (in particular user authentication) inevitably leads to the complication of their actions. However, no mechanism should require impossible steps (for example, coming up with a 10-digit password every week and not writing it down anywhere) or delay the procedure for accessing information.

§ Equal stability of links. Links are elements of protection, overcoming any one of which means overcoming the entire protection. It is clear that the weakness of some links cannot be compensated for by strengthening others. In any case, the strength of the defense (or its level, see below) is determined by the strength of the weakest link. And if a disloyal employee is ready to copy valuable information onto a floppy disk for $100, then the attacker is unlikely to build a complex hacker attack to achieve the same goal.

§ Continuity. In essence, this is the same equal stability, only in the time domain. If we decide that we will protect something in a certain way, then we must protect it this way at any given time. You cannot, for example, decide to back up information on Fridays and have a “sanitary day” on the last Friday of the month. Murphy's law is inexorable: precisely at the moment when measures to protect information are weakened, what we were protecting ourselves from will happen. A temporary failure in protection, just like a weak link, makes it meaningless.

§ Multi-level. Multi-level protection is found everywhere; just wander through the ruins of a medieval fortress. Why is protection built in several layers that must be overcome by both the attacker and the legitimate user (who, of course, finds it easier to do this)? Unfortunately, there is always the possibility that some level can be overcome, either due to unforeseen accidents or simply with a non-zero probability. Simple mathematics suggests: if one level guarantees protection of 90%, then three levels (in no case repeating each other) will give you 99.9%. This, by the way, is a reserve for savings: by layering inexpensive and relatively unreliable means of protection, it is possible to achieve a very high degree of protection at little cost.

Taking these principles into account will help you avoid unnecessary costs when building an information security system and at the same time achieve a truly high level of business information security.

Assessing the effectiveness of software protection systems

Software protection systems are widespread and are constantly evolving, thanks to the expansion of the software and telecommunications technology market. The need to use software protection systems (SP) is due to a number of problems, among which we should highlight: illegal use of algorithms that are the intellectual property of the author when writing analogues of the product (industrial espionage); unauthorized use of software (theft and copying); unauthorized modification of software for the purpose of introducing software abuse; illegal distribution and sale of software (piracy).

Based on the installation method, software protection systems can be divided into systems installed on compiled software modules; systems built into the software source code before compilation; and combined.

Systems of the first type are the most convenient for a software manufacturer, since it is easy to protect already fully prepared and tested software (usually the process of installing protection is as automated as possible and comes down to specifying the name of the protected file and pressing “Enter”), and therefore they are the most popular. At the same time, the resistance of these systems is quite low (depending on the operating principle of the protection system), since to bypass the protection it is enough to determine the termination point of the protection “envelope” and transfer control to the protected program, and then forcefully save it in an unprotected form.

Systems of the second type are inconvenient for the software manufacturer, since personnel must be trained to work with the program interface (API) of the security system, with the ensuing financial and time costs. In addition, the software testing process becomes more complicated and reliability decreases, since in addition to the software itself, errors may be contained in the API of the security system or in the procedures that use it. But such systems are more resistant to attacks, because here the clear boundary between the protection system and the software itself disappears.

A number of methods are used to protect software, such as:

§ Obfuscation algorithms - chaotic jumps to different parts of the code, the introduction of false “dummy” procedures, idle loops, distortion of the number of real parameters of software procedures, scattering of code sections across different areas of RAM, etc.

§ Mutation algorithms - tables mapping operands to synonyms are created, and the operands are replaced with one another every time the program is launched, according to a certain scheme or randomly; the program structure is also changed randomly.

§ Data compression algorithms - the program is packaged and then unpacked as it runs.

§ Data encryption algorithms - the program is encrypted and then decrypted as it runs.

§ Calculation of complex mathematical expressions during operation of the protection mechanism - elements of the protection logic depend on the result of calculating the value of a formula or group of formulas.

§ Methods for making disassembly difficult - various techniques are used to prevent disassembly in batch mode.

§ Methods for making debugging difficult - various techniques are used to make debugging a program more difficult.

§ Emulation of processors and operating systems - a virtual processor and/or operating system (not necessarily a real one) is created, together with a translator program from the IBM command system to the command system of the created processor or OS; after such translation, the software can only be executed using an emulator, which drastically complicates study of the software algorithm.

§ Non-standard methods of working with hardware - protection system modules access computer hardware, bypassing operating system procedures, and use little-known or undocumented capabilities of it.

Conclusion

We can say that there is no single absolutely reliable method of protection. The most complete security can only be achieved with an integrated approach to this issue. It is necessary to constantly monitor new solutions in this area.

To summarize, it should be mentioned that there are many cases where companies (not only foreign ones) wage real “spy wars” among themselves, recruiting competitor employees in order to gain access through them to information that constitutes a trade secret. Regulation of issues related to trade secrets has not yet received sufficient development in Russia. The existing legislation still does not provide regulation of certain issues, including trade secrets, that corresponds to modern realities. At the same time, we must be aware that the damage caused by the disclosure of trade secrets is often quite significant (if it can be estimated at all). The presence of standards on liability, including criminal liability, can serve as a warning to employees against violations in this area, so it is advisable to inform all employees in detail about the consequences of violations. I would like to hope that the information security system being created in the country and the formation of a set of measures for its implementation will not lead to irreversible consequences on the path of the information and intellectual unification that is emerging in Russia with the whole world.

The main conclusions about the methods of using the means, methods and measures of protection discussed above boil down to the following:

The greatest effect is achieved when all the means, methods and measures used are combined into a single, holistic mechanism for protecting information.

The protection mechanism should be designed in parallel with the creation of data processing systems, starting from the moment the overall design of the system is developed.

The functioning of the protection mechanism must be planned and ensured along with the planning and provision of basic automated information processing processes.

It is necessary to constantly monitor the functioning of the protection mechanism.

Statistics show that in all countries losses from malicious acts are continuously increasing. Moreover, the main causes of losses are associated not so much with the insufficiency of safety equipment as such, but with the lack of relationship between them, i.e. with the failure to implement a systematic approach. Therefore, it is necessary to rapidly improve comprehensive means of protection.

Information Properties



Subject of protection

Information protection object.

Threat to information. Types of threats.

Sources of internal threats are:

1. Employees of the organization;

2. Software;

3. Hardware.

Insider threats can manifest themselves in the following forms:

Errors by users and system administrators;

Violations by company employees of established regulations for the collection, processing, transfer and destruction of information;

Software errors;

Failures and malfunctions of computer equipment.

External sources of threats include:

1. Computer viruses and malware;

2. Organizations and individuals;

3. Natural disasters.

The forms of manifestation of external threats are:

Infecting computers with viruses or malware;

Unauthorized access (UA) to corporate information;

Information monitoring by competing structures, intelligence and special services;

Actions of government agencies and services, accompanied by the collection, modification, seizure and destruction of information;

Accidents, fires, man-made disasters.

All of the types of threats (forms of manifestation) we have listed can be divided into intentional and unintentional.

Threat to information. Threat classification options.

There are various ways to classify security threats: by the object of impact, by the source of the threat, methods of its implementation, possible consequences and types of damage. Several classification criteria can be used at the same time, for example, threats classified by the object of influence, additionally, within each class, can be classified by types of damage and sources of threat.

According to the methods of impact on information security objects, threats are subject to the following classification: informational, software, physical, radio-electronic and organizational-legal.

Information threats include:

Unauthorized access to information resources;

Illegal copying of data in information systems;

Theft of information from libraries, archives, banks and databases;

Violation of information processing technology;

Illegal collection and use of information;

Use of information weapons.

Software threats include:

Use of errors and "holes" in software;

Computer viruses and malware;

Installation of "embedded" devices;

Physical threats include:

Destruction of or damage to information processing and communication facilities;

Theft of storage media;

Theft of software or hardware keys and cryptographic data protection means;

Impact on personnel;

Radio-electronic threats include:

Introduction of electronic information interception devices into technical means and premises;

Interception, decryption, substitution and destruction of information in communication channels.

Organizational and legal threats include:

Purchases of imperfect or outdated information technologies and information tools;

Violation of legal requirements and delay in making necessary regulatory decisions in the information sphere.

Information leakage channels.

Indirect channels do not require direct access to the technical means of the information system:

Theft or loss of storage media, examination of undestroyed garbage;

Remote photography, listening;

Interception of electromagnetic radiation.

Direct channels require access to hardware and information system data.

Insiders (human factor). Leakage of information due to non-compliance with trade secret rules;

Direct copying.

Information leakage channels can also be divided according to physical properties and operating principles:

Acoustic - sound recording, eavesdropping and listening;

Acoustoelectric - obtaining information through sound waves with its further transmission through power supply networks;

Vibroacoustic - signals arising through the transformation of an informative acoustic signal when exposed to building structures and engineering communications of protected premises;

Optical - visual methods, photography, video recording, observation;

Electromagnetic - copying fields by removing inductive interference;

Radio emissions or electrical signals, modulated by an informative signal, from special electronic devices for picking up speech information (“embedded devices”) installed in technical means and protected premises;

Material - information on paper or other physical media.

Cryptography. Basic concepts.

Cryptography develops methods of converting (encrypting) information in order to protect it from illegitimate users. Such methods of converting information are called ciphers.

Encryption (enciphering) - the process of applying a cipher to protected information, i.e. conversion of protected information (plain text) into an encrypted message (ciphertext, cryptogram) using certain rules contained in the cipher.

Decryption - the reverse process of encryption, i.e. converting an encrypted message into protected information using certain rules contained in the cipher (based on the key, the ciphertext is converted to the original).

Key - a replaceable cipher element that is used to encrypt a specific message. For example, the key could be the amount of shift of the ciphertext letters relative to the plaintext letters.

Opening (cracking) a cipher - the process of obtaining protected information from an encrypted message without knowing the cipher used.

Cipher strength - the ability of a cipher to withstand all kinds of attacks on it.

Attack on a cipher - an attempt to break this cipher.

Cryptanalysis - the science (and the practice of its application) of the methods and techniques of breaking ciphers.

Substitution cipher - a cipher that replaces letters or other “parts” of the plaintext with similar “parts” of ciphertext.

Alphabet - a finite set of characters used to encode information.

Text - an ordered set of elements of the alphabet.

Key - information necessary for unhindered encryption and decryption of texts.

Steganography. Basic Concepts

Steganography is a method of organizing communication that actually hides the very existence of a connection. Unlike cryptography, where an adversary can accurately determine whether a transmitted message is encrypted text, steganography techniques allow secret messages to be embedded in harmless messages so that it is impossible to suspect the existence of an embedded secret message.

Any information can be used as data: text, message, image, etc. By analogy with cryptography, based on the type of stegokey, stegosystems can be divided into two types:

  • with a secret key;
  • with a public key.

In a secret key stegosystem, a single key is used, which must either be agreed before secret messages are exchanged or be transmitted over a secure channel. In a public key stegosystem, different keys are used to embed and to retrieve a message, and they differ in such a way that it is computationally impossible to derive one key from the other. Therefore, one key (the public one) can be transmitted freely over an insecure communication channel. In addition, this scheme works well even when the sender and recipient do not trust each other.

Any stegosystem must meet the following requirements:

  • The properties of the container must be modified so that the change cannot be detected by visual inspection. This requirement determines the quality of hiding the embedded message: to ensure unhindered passage of the stego message through the communication channel, it should in no way attract the attention of the attacker.
  • The stego message must be resistant to distortions, including malicious ones. During transmission, an image (sound or other container) can undergo various transformations: reduced or enlarged, converted to another format, etc. In addition, it can be compressed, including using lossy compression algorithms.
  • To maintain the integrity of the embedded message, error correction code must be used.

Security policies. Basic Concepts

Security policy (of information in an organization; English: organizational security policy) - a set of documented rules, procedures, practices or guidelines in the field of information security that guide an organization in its activities.

To build an Information Security Policy, it is recommended to consider the following areas of information system protection separately:

§ Protection of information system objects;

§ Protection of processes, procedures and information processing programs;

§ Protection of communication channels (acoustic, infrared, wired, radio channels, etc.);

§ Suppression of side electromagnetic radiation;

§ Security system management.

At the same time, for each of the above areas, the Information Security Policy should describe the following stages of creating information security tools:

1. Identification of information and technical resources to be protected;

2. Identification of the full range of potential threats and information leakage channels;

3. Conducting an assessment of the vulnerability and risks of information given the multitude of threats and leakage channels;

4. Determination of requirements for the protection system;

5. Selecting information security tools and their characteristics;

6. Introduction and organization of the use of selected measures, methods and means of protection;

7. Implementation of integrity monitoring and management of the security system.

17. The basis of a mandatory security policy is Mandatory Access Control (MAC), which implies that all subjects and objects of the system must be uniquely identified and that each subject is assigned a security label, called its access level.

The main goal of a mandatory security policy is to prevent information leakage from objects with a high level of access to objects with a low level of access, i.e. to counteract the emergence of information channels in the AS (automated system) from top to bottom.
Most often, a mandatory security policy is described in the terms, concepts and definitions of the properties of the Bell-LaPadula model, which will be discussed later. Within the framework of this model, an important statement is proved that shows the fundamental difference between systems that implement mandatory protection and systems with discretionary protection: if the initial state of the system is safe, and all transitions of the system from state to state do not violate the restrictions formulated by the security policy, then any state of the system is safe.
In addition, compared to systems built on the basis of a discretionary security policy, systems implementing a mandatory policy are characterized by a higher degree of reliability. This is due to the fact that the MBO (object security monitor) of such a system must monitor not only the rules of access of system subjects to objects, but also the state of the AS itself. Thus, leakage channels in systems of this type are not built into them directly, but can only appear during the practical implementation of the system.

15. An integral characteristic of the protected system is the security policy - a qualitative (or quantitative-qualitative) expression of security properties in terms representing the system.
Security policies related to the concept of “access” are most often considered. Access is a category of subject-object policy that describes the process of subjects performing operations on objects.
The security policy includes:

o set of operations of subjects on objects;

o for each “subject-object” pair (Si,Oi) a set of allowed operations, from the set of possible operations.

The following types of security policies exist: discretionary, mandated and role-based.
The basis of a discretionary security policy is Discretionary Access Control (DAC), which is defined by two properties:

o all subjects and objects must be identified;

o the subject’s access rights to the system object are determined on the basis of some rule external to the system.

As an example of implementing a discretionary security policy in an AS, one can cite the access matrix, whose rows correspond to system subjects and whose columns correspond to objects; the matrix elements characterize access rights. The disadvantages include the static nature of the model (this security policy does not take into account the dynamics of changes in the AS state and does not impose restrictions on system states).

The basis of a mandatory security policy is Mandatory Access Control (MAC), which implies that:

o all subjects and objects of the system must be uniquely identified;

o a linearly ordered set of security labels is specified;

o each system object is assigned a security label that determines the value of the information it contains - its security level in the AS;

o each subject of the system is assigned a security label that determines the level of trust in it in the AS - the maximum value of the security label of the objects to which the subject has access; the subject's security label is called its access level.
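The difference between the two policies, and the top-to-bottom information channel that a mandatory policy is meant to close, can be seen by replaying the same requests through an access matrix alone and through the matrix combined with label checks. This is an added example, not part of the original text; it uses the simplified Bell-LaPadula rules “no read up” and “no write down”, and the subjects, objects, labels and function names are assumptions.

```python
from enum import IntEnum
from typing import Callable, List, Tuple


class Level(IntEnum):
    """Linearly ordered set of security labels (label names are assumptions)."""
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2


# Constructed sample system. Access matrix: rows are subjects, columns are objects.
ACCESS_MATRIX = {
    "alice": {"plan.doc": {"read", "write"}, "notes.txt": {"read", "write"}},
    "bob":   {"notes.txt": {"read"}},
}
OBJECT_LABEL = {"plan.doc": Level.SECRET, "notes.txt": Level.PUBLIC}
SUBJECT_LEVEL = {"alice": Level.SECRET, "bob": Level.PUBLIC}   # access levels

Request = Tuple[str, str, str]   # (subject, operation, object)

# alice reads the secret plan, writes into a public file, bob reads that file
SAMPLE_TRACE: List[Request] = [
    ("alice", "read", "plan.doc"),
    ("alice", "write", "notes.txt"),
    ("bob", "read", "notes.txt"),
]


def dac_allows(subject: str, op: str, obj: str) -> bool:
    """Discretionary check: look the operation up in the access matrix."""
    return op in ACCESS_MATRIX.get(subject, {}).get(obj, set())


def mac_allows(subject: str, op: str, obj: str) -> bool:
    """Mandatory check on labels only (simplified Bell-LaPadula)."""
    s, o = SUBJECT_LEVEL[subject], OBJECT_LABEL[obj]
    if op == "read":
        return s >= o    # no read up
    if op == "write":
        return s <= o    # no write down
    return False


def dac_and_mac_allows(subject: str, op: str, obj: str) -> bool:
    return dac_allows(subject, op, obj) and mac_allows(subject, op, obj)


def simulate(trace: List[Request], monitor: Callable[[str, str, str], bool]):
    """Replay requests and track where high-level information ends up.

    Returns (decisions, leaks); a leak is a permitted read of an object that
    by then contains data labelled above the reader's access level.
    """
    holds = dict(OBJECT_LABEL)                        # highest label of data inside each object
    seen = {s: Level.PUBLIC for s in SUBJECT_LEVEL}   # highest label each subject has read
    decisions, leaks = [], []
    for subject, op, obj in trace:
        allowed = monitor(subject, op, obj)
        decisions.append(allowed)
        if not allowed:
            continue
        if op == "read":
            seen[subject] = max(seen[subject], holds[obj])
            if holds[obj] > SUBJECT_LEVEL[subject]:
                leaks.append((subject, obj, holds[obj].name))
        elif op == "write":
            holds[obj] = max(holds[obj], seen[subject])
    return decisions, leaks


if __name__ == "__main__":
    print("DAC only :", simulate(SAMPLE_TRACE, dac_allows))
    print("DAC + MAC:", simulate(SAMPLE_TRACE, dac_and_mac_allows))
```

Every request in the trace is individually permitted by the access matrix, yet the sequence moves SECRET data to a PUBLIC subject; the label check stops it at the write.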

Role-based access control.
With a large number of users, traditional access control subsystems become extremely difficult to administer. The number of connections in them is proportional to the product of the number of users and the number of objects. Object-oriented solutions are needed that can reduce this complexity.
Such a solution is role-based access control (RBAC). Its essence is that intermediate entities, roles, appear between users and their privileges. For each user, several roles can be active at the same time, each of which gives the user certain rights.

Authentication Factors

Even before the advent of computers, various distinctive features of the subject, his characteristics, were used. Now the use of one or another characteristic in a system depends on the required reliability, security and cost of implementation. There are 3 authentication factors:

Something we know is a password. This is sensitive information that should only be held by an authorized entity. The password can be a speech word, a text word, a lock combination or a personal one. an identification number(PIN). A password mechanism can be implemented quite easily and is low cost. But it has significant disadvantages: keeping a password secret is often problematic; attackers are constantly coming up with new methods of stealing, hacking and guessing passwords (see gangster cryptanalysis). This makes the password mechanism weakly protected.

Something we have is an authentication device. What is important here is the fact that the subject possesses some unique object. This could be a personal seal, a key to a lock, or, for a computer, a data file containing a characteristic. The characteristic is often built into a dedicated authentication device, e.g. a plastic card or smart card. For an attacker, obtaining such a device is more difficult than cracking a password, and the subject can immediately report if the device is stolen. This makes the method more secure than a password mechanism; however, the cost of such a system is higher.

Something that is part of us is biometrics. A characteristic is a physical feature of a subject. This could be a portrait, a finger or palm print, a voice, or a feature of the eye. From the subject's point of view, this method is the simplest: there is no need to remember a password or carry an authentication device with you. However, a biometric system must be highly sensitive to confirm an authorized user but reject an attacker with similar biometric parameters. Also, the cost of such a system is quite high. But despite its disadvantages, biometrics remains a fairly promising factor.

Authentication protocols

Authentication refers to verifying the identity of a user or computer. When a user logs into a network, whether on a local network or over a remote access connection, they have to provide a username and password, smart card, certificate or other means of proving that they are who they claim to be. Several authentication protocols are designed to securely exchange authentication information over network connections and are described in the following paragraphs.

Challenge Handshake Authentication Protocol (CHAP) is an authentication protocol used primarily for PPP dial-up connections. CHAP is the successor to the Password Authentication Protocol (PAP), which transmits the username and password unencrypted over the network. CHAP uses a more secure method: when a client logs in, the server sends a challenge to the client, and the client replies with a response containing a hashed (one-way encrypted) value based on the username/password combination and a random number. The server performs the same computation, and if its value matches the response from the client, the client is authenticated. The password itself is not transmitted over the network.

CHAP authentication avoids sending passwords in unencrypted form over any communication channel. Under CHAP, during password negotiation, the NAD generates a challenge (a random sequence) and sends it to the user. The user's PPP client creates a digest (the password is combined with the challenge), encrypts the digest using one-way encryption, and sends the digest to the NAD.

NAD sends this digest as the password in the Access-Request.

Because the encryption is one-way, Steel-Belted Radius Carrier cannot recover the password from the digest. Instead, it performs identical operations, using the NAD's challenge value (provided in the Access-Request packet) and its own copy of the user's password to create its own digest. If the two digests match, the password is the same.

Steel-Belted Radius Carrier must be able to perform the digest operation to support CHAP. Therefore, it must have access to its own copy of the user's password. Native users' passwords are stored in the Steel-Belted Radius Carrier database. SQL or LDAP BindName authentication obtains the password using a database query; the retrieved password can be used to create a digest only if it is in plaintext form.
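The exchange described above, as an added example that is not part of the original text or of the Steel-Belted Radius product: the digest follows RFC 1994, MD5 over the identifier, the password and the challenge, a detail the page itself does not spell out. The user records are constructed; one is stored in clear text and one only as a salted hash, to show why the server needs a plaintext copy of the password.

```python
import hashlib
import hmac
import os


def chap_digest(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP response per RFC 1994: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def nad_challenge():
    """NAD side: a fresh identifier and random challenge per negotiation."""
    return os.urandom(1)[0], os.urandom(16)


# Constructed user store. "alice" is kept in clear text; "bob" is kept only
# as a salted one-way hash, so the server has nothing to feed into the digest.
BOB_SALT = b"constructed-salt"
USER_STORE = {
    "alice": {"format": "cleartext", "value": b"correct horse"},
    "bob": {
        "format": "sha256",
        "value": hashlib.sha256(BOB_SALT + b"battery staple").digest(),
    },
}


def server_check(user, identifier, challenge, digest):
    """RADIUS-server side: rebuild the digest from its own password copy."""
    record = USER_STORE.get(user)
    if record is None:
        return "reject"
    if record["format"] != "cleartext":
        return "no-cleartext"  # a one-way stored value cannot be used here
    expected = chap_digest(identifier, record["value"], challenge)
    return "accept" if hmac.compare_digest(expected, digest) else "reject"


def login(user, password, identifier=None, challenge=None):
    """Run one exchange: NAD challenge, client digest, server check."""
    if challenge is None:
        identifier, challenge = nad_challenge()
    digest = chap_digest(identifier, password, challenge)  # PPP client
    # The NAD forwards identifier, challenge and digest in the Access-Request.
    return server_check(user, identifier, challenge, digest), digest


if __name__ == "__main__":
    print("alice, right password:", login("alice", b"correct horse")[0])
    print("alice, wrong password:", login("alice", b"wrong")[0])
    print("bob, right password:  ", login("bob", b"battery staple")[0])
    # A captured digest is bound to its challenge and fails against a new one.
    _, captured = login("alice", b"correct horse", 7, b"A" * 16)
    print("replayed digest:      ", server_check("alice", 7, b"B" * 16, captured))
```

The "no-cleartext" result for a correct password is the operational cost of CHAP: the password database has to hold recoverable passwords, so it needs protection of its own.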

Information and its properties. Subject of information protection.

Information is knowledge about persons, facts, objects, phenomena, events and processes.

Information Properties

Objectivity of information. The concept of objectivity of information is relative. More objective is the information to which processing methods introduce less subjectivity. For example, as a result of observing a photograph of a natural object, more objective information is formed than when observing a drawing of the same object. During the information process, the objectivity of information always decreases.

Completeness of information. Completeness of information characterizes the sufficiency of data for decision making. The more complete the data, the wider the range of processing methods used and the easier it is to select a method that introduces a minimum of error into the information process.

Adequacy of information. This is the degree of its correspondence to the real state of affairs. Inadequate information can be created when new information is created based on incomplete or unreliable data. However, complete and reliable data can lead to the creation of inadequate information if inadequate methods are applied to them.

Availability of information. This is a measure of the ability to obtain information. Lack of access to data or lack of adequate methods for processing it leads to the fact that information is inaccessible.

Relevance of information. This is the degree of correspondence of information to the current point in time. Since information processes are extended over time, reliable and adequate, but outdated information can lead to erroneous decisions. The need to find or develop an adequate data processing method can lead to such a delay in obtaining information that it becomes unnecessary.

The subject of protection is information stored, processed and transmitted in computer (information) systems. The features of this type of information are:

Binary representation of information within the system, regardless of the physical nature of the original information carriers;

High degree of automation of information processing and transmission;

Concentration of a large quantity of information in the CC.

Information protection object.

Information protection objects are information, a storage medium or an information process that needs protection from unauthorized access, modification and copying by third parties.

Main objects of information protection

Information resources containing confidential information;

Systems and tools that process confidential information (technical means of receiving, processing, storing and transmitting information (TSPI));

TSPI located in the premises for processing classified and confidential information. The generally accepted abbreviation is VTSS (auxiliary technical means and systems). VTSS includes technical means of open telephone communication, alarm systems, radio broadcasts, etc., as well as premises that are intended for processing information with limited use.

Information today is an important resource, the loss of which is fraught with unpleasant consequences. The loss of confidential company data carries the threat of financial losses, since the information obtained can be used by competitors or attackers. To prevent such undesirable situations, all modern companies and institutions use information security methods.

Information systems (IS) security is a whole course that all programmers and specialists in the field of IS development take. However, knowing the types of information threats and protection technologies is necessary for everyone who works with classified data.

Types of information threats

The main type of information threat, against which an entire technology is created at every enterprise, is unauthorized access by attackers to data. Attackers plan criminal actions in advance, which can be carried out through direct access to devices or through a remote attack using programs specially designed to steal information.

In addition to the actions of hackers, companies often face situations of information loss due to disruption of software and hardware.

In this case, secret materials do not fall into the hands of attackers, but they are lost and cannot be restored, or they take too long to recover. Failures in computer systems can occur for the following reasons:

  • Loss of information due to damage to storage media – hard drives;
  • Errors in the operation of software;
  • Hardware malfunction due to damage or wear.

Modern methods of information protection

Data protection technologies are based on the use of modern methods that prevent information leakage and loss. Today there are six main methods of protection:

  • Obstacle;
  • Masking;
  • Regulation;
  • Management;
  • Coercion;
  • Motivation.

All of these methods are aimed at building an effective technology that eliminates losses due to negligence and successfully repels various types of threats.

An obstacle is a method of physical protection of information systems, thanks to which attackers are not able to enter the protected area.

Masking is a method of protecting information that involves converting data into a form that is not suitable for perception by unauthorized persons. Deciphering requires knowledge of the principle.

Management – methods of protecting information in which all components of the information system are controlled.

Regulation is the most important method of protecting information systems, which involves the introduction of special instructions according to which all manipulations with protected data must be carried out.

Coercion – methods of information protection that are closely related to regulation, involving the introduction of a set of measures in which employees are forced to comply with established rules. If methods of influencing workers are used in which they follow instructions for ethical and personal reasons, then we are talking about motivation.


Information systems protection means

Methods of protecting information require the use of a certain set of tools. To prevent the loss and leakage of secret information, the following means are used:

  • Physical;
  • Software and hardware;
  • Organizational;
  • Legislative;
  • Psychological.

Physical information security measures prevent unauthorized persons from accessing the protected area. The main and oldest means of physical obstruction is the installation of strong doors, reliable locks, and bars on windows. To enhance information security, checkpoints are used where access control is carried out by people (guards) or special systems. In order to prevent information loss, it is also advisable to install a fire protection system. Physical means are used to protect data on both paper and electronic media.

Software and hardware are an indispensable component for ensuring the security of modern information systems.

Hardware is represented by devices that are built into equipment for processing information. Software means programs that repel hacker attacks. Also included in the category of software are software packages that restore lost information. Using a complex of equipment and programs, information is backed up to prevent losses.

Organizational means are associated with several methods of protection: regulation, management, coercion. Organizational means include the development of job descriptions, conversations with employees, and a set of punishment and reward measures. With the effective use of organizational tools, enterprise employees are well aware of the technology of working with protected information, clearly perform their duties and are responsible for the provision of false information, leakage or loss of data.

Legislative measures are a set of regulations that regulate the activities of people who have access to protected information and determine the extent of responsibility for the loss or theft of classified information.

Psychological means are a set of measures to create personal interest among employees in the safety and authenticity of information. To create personal interest among staff, managers use different types of incentives. Psychological means also include building a corporate culture in which every employee feels like an important part of the system and is interested in the success of the enterprise.

Protection of transmitted electronic data

To ensure the security of information systems, methods of encryption and protection of electronic documents are actively used today. These technologies allow for remote data transfer and remote authentication.

Methods of protecting information by encryption (cryptographic) are based on changing information using secret keys of a special type. The technology of cryptography of electronic data is based on transformation algorithms, replacement methods, and matrix algebra. The strength of the encryption depends on how complex the conversion algorithm was. Encrypted information is reliably protected from any threats other than physical ones.

Electronic digital signature (EDS) – an attribute of an electronic document that serves to confirm its authenticity. An electronic digital signature replaces an official’s signature on a paper document and has the same legal force. The digital signature serves to identify its owner and confirm the absence of unauthorized transformations. The use of digital signatures not only ensures information security, but also helps reduce the cost of document flow technology and reduces the time it takes to move documents when preparing reports.

Information systems security classes

The protection technology used and the degree of its effectiveness determine the security class of the information system. International standards distinguish 7 systems security classes, which are combined into 4 levels:

  • D – zero security level;
  • C – systems with discretionary access;
  • B – systems with mandatory access;
  • A – systems with verifiable security.

Level D corresponds to systems in which protection technology is poorly developed. In such a situation, any unauthorized person has the opportunity to gain access to information.

The use of underdeveloped security technology is fraught with loss of information.

Level C has the following classes – C1 and C2. Security class C1 involves separation of data and users. A certain group of users has access only to certain data; authentication is required to obtain information - verifying the authenticity of the user by asking for a password. With security class C1, the system has hardware and software protection. Systems with class C2 are supplemented with measures to guarantee user responsibility: an access log is created and maintained.

Level B includes security technologies that have Level C classes, plus a few extra ones. Class B1 requires a security policy, a trusted computing base to manage security labels, and mandatory access control. With class B1, specialists carry out thorough analysis and testing of the source code and architecture.

Security class B2 is typical for many modern systems and assumes:

  • Providing security labels to all system resources;
  • Registration of events that are associated with the organization of covert storage (memory) channels;
  • Structuring the trusted computing base into well-defined modules;
  • Formal security policy;
  • High system resistance to external attacks.

Class B3 assumes, in addition to class B1, notifying the administrator about attempts to violate security policy, analyzing the appearance of covert channels, having mechanisms for data recovery after a hardware failure or.

Level A includes one, the highest security class - A. This class includes systems that have been tested and received confirmation of compliance with formal top-level specifications.


The concept and essence of information security

Prevention of unauthorized access to information;

Creation of conditions limiting the dissemination of information;

Protecting the owner’s right to own and dispose of information;

Prevention of leakage, theft, loss, unauthorized destruction, copying, modification, distortion, blocking, disclosure of information, unauthorized and unintentional impacts on it;

Maintaining the completeness, reliability, integrity, reliability, confidentiality of information, etc.

The methodological basis for revealing the essence and defining the concept of information protection must be a definition of the concept of protection as a whole, regardless of the subject of protection.

In explanatory dictionaries, the term protection is interpreted in two ways: as a process of guarding, preserving, saving from someone or something unpleasant, hostile, dangerous, and as a set of methods, means and measures taken to prevent something. Thus, the content of these definitions coincides in meaning: it is the prevention of something dangerous or hostile. If we correlate this provision with the protection of information, then the most dangerous thing for the owner of information is a violation of the established status of the information, and therefore the content of protection should be the prevention of such a violation.

Violation of the status of any information consists in violating its physical safety in general or for a given owner (in full or in part), structural integrity, and accessibility for authorized users. Violation of the status of confidential information, including that constituting a state secret, additionally includes a violation of its confidentiality (closedness to outsiders).

The second component of the essence of information protection - the method of implementing the content - in explanatory dictionaries, as already noted, is presented as a process or as a set of methods, means and activities.

Information protection includes a certain set of methods, means and activities, but it would be wrong to limit the method of implementation only to this. Information protection must be systematic, and the system, in addition to methods, means and measures, also includes other components: objects of protection, protection bodies, users of information. At the same time, protection should not be something static, but a continuous process. But this process does not occur on its own, but occurs as a result of human activity. Activity, by definition, includes not only a process, but also goals, means and results. Protection of information cannot be aimless, ineffective and carried out without the help of certain means. Therefore, activity should be the way to implement the content of protection.



Data protection – activities to prevent the loss and leakage of confidential information and the loss of protected open information.

Purpose of information protection – the desired result of information protection. The purpose of information protection may be to prevent damage to the owner, possessor, or user of information as a result of possible information leakage and/or unauthorized and unintentional impact on information.

The concept of information security, as a system of views on goals, methods of ensuring information security and means of protecting it, should generally answer three simple questions:

What to protect?

What to protect from?

How to protect?

The question “What to protect?” is related to the concept of the object of protection.

Object of protection – information or information carrier, or information process, in respect of which it is necessary to ensure protection in accordance with the stated purpose of information protection;

Object of protection – information, technical means and technology for processing it, in respect of which it is necessary to ensure the security of information.

The key property of information is its value, that is, the cost of damage from destruction, loss or disclosure. In addition, the specificity of information is that it does not disappear upon consumption and is not completely transferred during exchange (unlike money, it remains with the old user). On the one hand, it is “indivisible”, that is, it makes sense only with a sufficiently complete volume of information; on the other hand, its quality increases with the addition of new reliable data, that is, it is possible to accumulate information gradually and in small parts. Therefore, before answering the first question, it is necessary to clearly understand what information may require protection. (This could be, for example, the entire volume of data accumulated and generated in the company that is of commercial significance: information about suppliers and manufacturers, sellers and dealers, contracts and clients, company plans, maximum prices, bonuses for dealers and intermediaries, names and addresses of employees, production costs, marketing and analytical research.)

The next step should be to separate these protected objects according to the value of the information they contain and identify potentially dangerous systems that allow access to them. Therefore, all the described means of unauthorized information retrieval are tied to the specific media for which they are intended to work. Based on the above, we can practically answer the first question. If you know at least in general terms the basic methods of operation of attackers and the capabilities of their equipment, then it will not take much time.

Many security services of large commercial structures successfully conduct operations to obtain information about potential clients, partners or competitors. They strictly control their own employees to avoid leakage of their secrets. We must not forget that Russia’s integration into international organizations, participation in joint companies and projects makes domestic entrepreneurs the object of attention of private and even state intelligence services of the West and East.

The question “What to protect from?” is associated with the concept of threat. Threat – the potential for unlawful intentional or accidental influence leading to loss or disclosure of information. Typically, internal and external sources of threats are distinguished.

The question “How to protect information?” is inherently connected with the concept of an information security system.

Information security system – a set of bodies and/or performers, the information protection technology they use, as well as protection objects, organized and functioning according to the rules established by the relevant legal, organizational, administrative and regulatory documents on information protection.

The main goals of information protection are:

Prevention of leakage, theft, loss, distortion, falsification of information;

Preventing threats to the security of individuals, society, and the state;

Prevention of unauthorized actions to destroy, modify, distort, copy, block information;

Prevention of other forms of illegal interference in information resources and information systems;

Ensuring the legal regime of documented information as an object of property;

Protection of the constitutional rights of citizens to maintain personal secrets and confidentiality of personal data available in information systems;

Maintaining state secrets of documented information in accordance with the law;

Ensuring the rights of subjects in information processes and in the development, production and use of information systems, technologies and means of supporting them.

Consistent with these goals, the information security process must ensure that the integrity and confidentiality of information are maintained.

Classification and characteristics of basic methods and means of protection

To date, many different tools, methods, measures and activities have been developed to protect information. This includes:

Hardware and software,

Cryptographic information closure,

Physical measures,

Organizational measures,

Legislative measures,

Moral and ethical means.

Sometimes all these means of protection are divided into technical and non-technical, and technical means include hardware and software and cryptographic information closure, and non-technical means all the rest.

Hardware – devices built directly into computer technology, or devices that interface with it via a standard interface. Hardware protection includes various electronic, electronic-mechanical, and electro-optical devices. For example, code generators designed to automatically generate an identifying code for a device, a device for measuring individual characteristics of a person (voice, fingerprints) for the purpose of identifying him (biometric identification), etc. A special and most widely used group of hardware security devices are devices for encrypting information (cryptographic methods).

Software – special programs and software packages designed to protect information in IS. Security software includes special programs that are designed to perform security functions and are included in the software of data processing systems. Software protection is the most common type of protection, which is facilitated by such positive properties of this tool as versatility, flexibility, ease of implementation, almost unlimited possibilities for change and development, etc.

Cryptographic closure (encryption) of information consists in such a transformation of the protected information that the content of the protected data cannot be determined from its appearance. Experts pay special attention to cryptographic protection, considering it the most reliable, and for information transmitted over long-distance communication lines, the only means of protecting information from theft.

Physical means include various engineering devices and structures that prevent physical penetration of attackers into protected objects and protect personnel (personal security equipment), material resources and finances, and information from illegal actions. Examples of physical devices: locks on doors, bars on windows, electronic burglar alarm devices, and so on.

Organizational means provide comprehensive regulation of production activities in the IS and of the relationships of performers on a legal basis, in such a way that disclosure, leakage and unauthorized access to confidential information become impossible or significantly hampered due to organizational measures. The set of these measures is implemented by the information security group, but must be under the control of the first manager.

Legislative means of protection are determined by the legislative acts of the country, which regulate the rules for the use, processing and transmission of restricted information and establish penalties for violating these rules.

Moral and ethical means of protection include all kinds of norms of behavior that have developed traditionally, are emerging as IS and IT spread throughout the country and the world, or are specially developed. Moral and ethical standards can be unwritten (for example, honesty) or formalized in a certain set (charter) of rules or regulations. These norms, as a rule, are not legally approved, but since their non-compliance leads to a decline in the prestige of the organization, they are considered mandatory.

Information protection measures:

Organizational – measures of a restrictive nature, reduced to regulating access and use of technical means of information processing.

Organizational and technical – block possible channels of information leakage through technical means, using special devices installed on structural elements of buildings, premises, and technical means of information processing.

Technical – acquisition, installation and use of technical means of information processing protected from various influences.

It is customary to distinguish the following main types of protective equipment:

Regulatory

Moral and ethical

Organizational

Technical.

Regulatory – include laws and other legal acts, as well as mechanisms for their implementation, regulating information relations in society.

Moral and ethical – rules and norms of behavior aimed at ensuring the security of information, not enshrined in legislation or administratively, but supported in teams through traditions and the mechanism of public opinion.

Organizational – rules, measures and activities regulating access, storage, application and transfer of information, put into effect by administrative means. Without following these rules, installing any, even the most expensive, technical means of protection will result in a waste of money for an organization in which organizational issues have not been resolved at the proper level. And this is true for any leakage channels.

Technical means – these are special hardware and software complexes designed to prevent leakage of processed or stored information by preventing unauthorized access to it using technical means of retrieval.

A real protection system includes all of the listed types of tools and, as a rule, is created by integrating them. The main difficulty in its creation is that it must simultaneously satisfy two groups of directly opposing requirements: provide reliable information protection and not create noticeable inconveniences. Usually only a sufficiently qualified professional can combine these requirements. In addition, the protection system must be adequate to possible threats, with a mandatory assessment of both the likelihood of their occurrence and the amount of real damage from the loss or disclosure of information circulating in a certain medium.

Protected information

Protected information – information that is proprietary and subject to protection in accordance with the requirements of legal documents or requirements established by the owner of the information.

The main objects of state information security include:

Information resources containing information constituting state secrets, commercial secrets and other confidential information;

A system for the formation of the dissemination and use of information resources, including information systems of various classes and purposes, information technologies, regulations and procedures for collecting, processing, storing and transmitting information, scientific, technical and service personnel;

Information infrastructure, including information processing and analysis centers, channels information exchange and telecommunications, mechanisms for ensuring the functioning of telecommunication systems and networks, including systems and means of protecting information.

Information security of the listed objects creates conditions for the reliable functioning of state and public institutions, legal entities and individual citizens. The means of its processing, accumulation, storage and transmission are constantly being improved. Information as a category that has actual or potential value, value, like any other type of value, is guarded and protected by its owner or possessor.

Owner of protected information – a legal or natural person who, at his own discretion, owns, uses and disposes of the information belonging to him.

Possessor of protected information – a legal or natural person who has the authority to own, use and dispose of this information under an agreement with the owner, by virtue of law or a decision of administrative bodies.

Each state protects its information resources. State information resources, as a first approximation, can be divided into three large groups:

Open information – there are no restrictions on its distribution and use;

Patented information – protected by domestic legislation or international agreements as an object of intellectual property;

Information that is “closed” by its owner or possessor and protected using proven mechanisms for protecting state, commercial or other protected secrets. This type usually includes information that is not known to other persons, which either cannot be patented or is deliberately not patented in order to avoid or reduce the risk of this information being taken over by rivals and competitors.

As a rule, not all information is guarded and protected, but only the information that is most important and valuable to its owner, where limiting its distribution brings him some benefit or profit and the ability to effectively solve the problems facing him.

What information is considered protected?

First, classified information. Currently, classified information includes information containing state secrets.

Secondly, confidential information. This type of protected information usually includes information containing commercial secrets, as well as secrets relating to the personal (non-official) life and activities of citizens.

Thus, protected information means information the use and distribution of which is subject to restrictions by its owner.

Protected information has the following distinctive features:

Only its owner (possessor) or persons authorized by him can classify information, that is, limit access to it;

The more important the information is for the owner, the more carefully he protects it. So that everyone who comes across this protected information knows that some information needs to be protected more carefully than other information, the owner assigns it different degrees of secrecy;

Protected information must bring certain benefits to its owner and justify the effort and resources spent on its protection.

Thus, one of the main features of protected information is the restrictions imposed by the owner of the information on its distribution and use.

Media of protected information

Information can be considered from the point of view of its representation on or in material (physical) objects, which can preserve it for a long time in a relatively unchanged form or transfer it from one place to another.

Information carriers – material objects, including physical fields, in which information is reflected in the form of symbols, images, signals, technical solutions and processes, thereby creating the opportunity for its accumulation, storage, transmission and use.

The same media are used to record both classified and unclassified information.

As a rule, carriers of secret and confidential information are protected by the owner of this information. This is due to the fact that if a rival or a person from whom this information is protected gains unauthorized access, the carrier can become a source of information from which this person can illegally obtain information that interests him and is protected from him.

Protected information media can be classified as follows:

Human;

Documents;

Products (items);

Substances and materials;

Electromagnetic, thermal, radiation and other emissions;

Hydroacoustic, seismic and other fields; geometric shapes of buildings, their sizes, etc.

The human brain is an extremely complex system that stores and processes information coming from the outside world. The properties of the brain to reflect and cognize the outside world, to accumulate colossal amounts of information in its memory, including secret information, naturally place a person in first place as a carrier of confidential information. A person, as a keeper of secret and confidential information, has the ability (in addition to receiving such information from the outside) to generate new information, including secret information. As a carrier of protected information, he may have both positive and negative traits.

The positive side is that, as a rule, no information can be extracted from the memory of the subject who carries the protected information (the secret carrier, as he is also called) without his consent. He can assess the importance of the information he has in his memory and treat it accordingly. He can also rank consumers of protected information, that is, know whom he can trust and with what information. At the same time, he may be mistaken about the trustworthiness of the consumer of the protected information, or may deliberately fail to preserve secret or confidential information entrusted to him in his service or work: commit high treason (espionage, giving out state or official secrets to the enemy, etc.) or spill secrets to his friends and relatives.

Document – information fixed on a material medium with details that allow it to be identified. Documents as information carriers can be very diverse in form: paper, film and photographic film, magnetic tapes and disks, perforated tapes and cards, etc. Information recorded on the medium can be in the form of text, drawings, formulas, graphs, maps, etc.

A document that carries protected information indicates the degree of confidentiality of the information (its secrecy classification), so the consumer, having such data in hand, can know who may handle this information and how. The level of protection of secret documents can be organized taking into account the importance of the protected information contained in them. The weaknesses of a document as a carrier of protected information are the following. If an unscrupulous consumer gains unauthorized access to a document, he can use the information for his own purposes (if it is not encrypted). The document may also be lost: stolen, destroyed, damaged, etc. Foreign intelligence services also more often hunt for documentary information.

Products (objects) as carriers of protected information are also quite common. They mean classified samples and systems of weapons, military and other equipment; equipment; functional systems, units, devices included in complexes or samples; component elements, that is, assembly units and parts that do not have an independent operational purpose and are intended to perform corresponding functions as part of equipment, weapons, military and other equipment. These products act as information carriers while simultaneously fulfilling their main purpose.

Only a specialist can determine whether a particular product is secret, especially when this concerns components or equipment.

Materials and substances can, under certain conditions, also act as carriers of protected information. These include structural and operational materials, semi-finished products, raw materials, fuel, etc., used in the manufacture and operation of equipment and its elements. One example is heat-resistant coatings on spacecraft.

Substances that can carry information about a sensitive facility also include waste from sensitive enterprises (water, air, precipitation on the ground around the facility, etc.). In order for this information to be used, it must be decoded using special equipment. An example of how this type of carrier of protected information is of interest to foreign intelligence services can be the cases of intelligence officers and intelligence agents being detained at the border with samples of water, soil, plants, etc.

Radio and electromagnetic radiation of various frequencies carry information from the source of information (radio transmitter, emitter) to the receiver and are a “product” of the operation of radio engineering and other systems, and, therefore, carry information about these systems. Radio and electromagnetic radiation can carry both confidential and classified information. Their propagation is, as a rule, uncontrollable, and they can be intercepted by an opponent. Receiving them requires appropriate technical devices and equipment. Only a specialist can judge that this intercepted information is secret. Before it can be used, such information must first be decoded.

Concept and structure of threats to protected information

One of the main features of the problem of information security is the requirement for a complete definition of information threats that are potentially possible in modern information systems. Even one unaccounted for (undetected, not taken into account) destabilizing factor can significantly reduce (and even eliminate) the effectiveness of protection.

– this is the potentially existing possibility of accidental or intentional action or inaction, as a result of which the security of information (data) may be violated.

Information security threat – a set of conditions and factors that create a potential or actual danger associated with information leakage and/or unauthorized and/or unintentional impacts on it.

A threat is a person, thing, event or idea that poses some danger to values that need protection.

Threat – a potential opportunity to violate information security in a certain way.

An attempt to realize a threat is called an attack, and the one who makes such an attempt is called an intruder. Potential attackers are called sources of threat.

Threats to information security in modern information systems are caused by:

Accidental and intentional destructive and distorting influences of the external environment;

The degree of reliability of the functioning of information processing tools;

Intentional selfish influences of unauthorized users, the purpose of which is the theft, disclosure, destruction, unauthorized modification and use of processed information;

Unintentional, accidental actions of maintenance personnel, etc.

Classification of security threats

The main manifestations of the considered threats are the illegal possession of confidential information, its copying, modification, destruction in the interests of attackers with the aim of causing damage, both material and moral. In addition, unintentional actions of maintenance personnel and users also lead to certain damage.

The main ways in which threats are realized are:

Agent sources in government and information security agencies;

Recruitment of officials of government bodies, organizations, enterprises, etc.;

Interception and unauthorized access to information using technical intelligence means;

Use of deliberate program and mathematical influence;

Eavesdropping on confidential conversations in office premises, transport and other places where they are conducted.

Factors causing information losses and various types of damage are:

Accidents causing failure of equipment and information resources (fires, explosions, accidents, shocks, collisions, falls, exposure to chemical or physical environments);

Failure of elements of information processing facilities;

Consequences of natural phenomena (floods, storms, lightning, earthquakes, etc.);

Theft, deliberate damage to material assets;

Accidents and failure of equipment, software, without data;

Errors in the accumulation, storage, transmission, use of information, perception, reading, interpretation of the content of information, compliance with rules, inability, oversights, interference, failures and distortions of individual elements and signs or messages;

Operation errors: security violation, file overflow, data management language errors, errors in preparing and entering information;

Malicious acts in the material sphere; talkativeness, disclosure;

Social losses (resignation, dismissal, strike, etc.).

The main types of threats are external and internal. Internal threats include both intentional actions and unintentional human errors. External threats are very diverse.

Features of the protection of documented information

Confidentiality presupposes the preservation of rights to information, its non-disclosure (secrecy) and immutability in all cases except for authorized use.

Confidential information – documented information, access to which is limited in accordance with the legislation of the Russian Federation.

Owners (proprietors) of confidential information may be:

The state and its structures (bodies). In this case, it includes information that is a state secret, official secret, and other types of protected information belonging to the state or department. This may include information that is a trade secret;

Enterprises, partnerships, joint stock companies (including joint ones) and others – the information is their property and constitutes a trade secret;

Public organizations – as a rule, a party secret; state and commercial secrets are also possible;

Citizens of the state: their rights (secrecy of correspondence, telephone and telegraph conversations, medical confidentiality, etc.) are guaranteed by the state, personal secrets are their own business. It should be noted that the state is not responsible for the safety of personal secrets.

A classification of information by degree of confidentiality, without attributing it to any specific type, looks somewhat abstract. But it gives an idea of the possibility of ranking protected information according to the degree of its importance for the owner. All information can be divided into five levels according to the degree of secrecy:

1. Of particular importance (especially important);

2. Top secret (strictly confidential);

3. Secret (confidential);

4. For official use (not for print, sent to the list);

5. Unclassified (open).

It should be noted that the higher the degree of secrecy its owner assigns to information, the higher the level of its protection, the more expensive it becomes, and the narrower the circle of people who become acquainted with this information.

It should be noted that the above classifications are not exhaustive and their development remains to be done by science and legislation.

All confidential information and the part of public information determined by the owner are subject to protection. Information protection is carried out in a differentiated manner, depending among other things on the composition of the information and on the type of secret to which the confidential information belongs. The organization, technology, and level of protection depend on what type of secret is protected. Not only the boundaries, but also the concepts of some types of secrets and even their composition have not yet been clearly defined. That is, the types of secrets do not have clear legal regulation indicating the necessary grounds for classifying confidential information as certain types of secrets.

Information classification structure:

Media: documented and undocumented;

Ownership: state and non-state information resources;

Conditions of the legal regime: state secrets and confidential information.

Personal information – information about facts, events and circumstances of a citizen’s private life that allows him to be identified. Personal data for all company employees is usually stored in the human resources department. At the same time, the company is liable to employees in accordance with the legislation of the Russian Federation for violation of the protection regime, processing and procedure for using this information.

Personal secret – personal information protected by an individual, the dissemination of which could cause moral or material harm to that individual.

Official secret – official information, access to which is limited by government authorities in accordance with the Civil Code of the Russian Federation and federal laws.

Trade secret – information that is not a state secret and relates to production, technical and technological information and to the management of financial and other activities of an enterprise, the disclosure (transfer, leak) of which may harm its interests.

Professional secrecy – information related to professional activity, access to which is limited in accordance with the Constitution of the Russian Federation and federal laws. For a company engaged in the provision of communication services, this is information from telecom operators and other clients that is transmitted and processed in the company’s information and telecommunications resources.

Open information;

Confidential information;

Strictly confidential information.

This division is not correct in light of the regulatory documents in force in the Russian Federation. Under the current legislation of the Russian Federation, the following differentiation of information according to the degree of confidentiality can be applied:

Open information (OI);

For internal use (DVI);

Confidential information (CI).

It should be noted that the right to classify information as confidential and determine the list and composition of such information belongs to its owner.

The basic principles of information protection are confidentiality, integrity and availability, compliance with which is a necessary condition for ensuring the security of various categories of information.