
Information Security Today



To begin with, a very simple model. There are three conceptual threats to the security of any particular piece of data: violation of its integrity, its availability and its confidentiality.

When hacker Vasya finds your mistress's letter in the rubbish bin, that is a breach of confidentiality; when Bill the hamster gnaws through the server's cable to the storage, that is a breach of availability; and when admin Pupkin restores a backup in the wrong direction, that is a breach of integrity.

These three examples also correspond to three different causes: hacker Vasya deliberately went after your rubbish; Bill the hamster stands for equipment failure; and admin Pupkin is simply a clinical blunderer. Over the past year only 37% of data problems were the result of planned attacks. 29% of cases were system failures. And the remaining roughly 34% were the human factor, that is, staff negligence.

So when people say "information security", there is no need to picture a lone hero fending off hacker hordes.

Technique and technology


There is a first level of security: closing the childishly obvious holes. For example, you prohibit the use of flash drives and floppy disks, configure data access policies for different employees, and so on. You organize backups, keep spare hardware, perhaps deploy services at a second site, and protect the main communication channels. You explain to users why they should not stick notes with passwords on the wall in front of the computer. I think this is generally understood.

Then you go deeper: into Disaster Recovery for protecting data from failures and fools, into psychology for protecting against social engineering, and further into software and hardware protection of information. The last is the most interesting.

Further


The next level is closing the weak points of your software. Vulnerabilities that arise in operating systems and applications are, as a rule, published. Both hackers and security people know about them. Therefore you need to check your systems periodically for their presence.

Now consider the cases of authorized copying (designer Lena decided to burn the client presentation to a disk) and unauthorized copying (accountant Zina tried to take the accounting database home). At the hardware level we monitor users' access to particular ports, forbid the use of particular media, and define policies for what may be copied and what may not.

There are special solutions that detect the leakage of information through various channels and prevent it. For example, if you try to send the sales history to your friends, the security officer may receive an alert, and until he decides, the letter does not leave. By analysing network traffic you can likewise catch critical company data on the network and prevent it from leaving the office.

As you know, employees are becoming ever more resourceful in circumventing restrictions. Accordingly, you need a system that processes and correlates security events from the various protection systems. The second component is a vigilant guard who examines the results of its work. Alternatively, instead of a person, a system that automatically reconfigures the defence mechanisms based on the security incidents identified.

Since it is practically impossible to process such data by hand, semi-intelligent systems that analyse security events are used. If a security tool records a leak, or something that looks like one, it forms the corresponding event and sends it to the centralized control system. There the events are consolidated in one place, the monitoring system, and processed in the light of other events and rules. The output is a decision: either this really is a leak, or it is an isolated event that, on the whole, means nothing.
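As an added illustration, not code from the original post, here is a toy version of that correlation step in Python: events from several protection tools are consolidated per user, and a verdict of "incident" is issued only when more than one tool flags the same user within a short window, while a lone event is merely noted. The event fields, the tool names and the 15-minute window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, as different protection tools (USB port
# control, mail DLP, web proxy) might send them to a central monitor.
# Field names and values are made up for this example.
EVENTS = [
    {"ts": "2013-07-01 09:02:10", "source": "usb_control", "user": "zina", "kind": "copy_blocked"},
    {"ts": "2013-07-01 09:05:41", "source": "mail_dlp",    "user": "zina", "kind": "external_attachment"},
    {"ts": "2013-07-01 09:07:03", "source": "web_proxy",   "user": "zina", "kind": "upload_to_filehost"},
    {"ts": "2013-07-01 11:30:00", "source": "mail_dlp",    "user": "lena", "kind": "external_attachment"},
]

WINDOW = timedelta(minutes=15)   # assumed correlation window
ESCALATE_AT = 2                  # distinct tools flagging one user inside the window


def parse(ev):
    return datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")


def correlate(events, window=WINDOW, threshold=ESCALATE_AT):
    """Consolidate events per user and decide per user:
    'incident' when at least `threshold` different tools report the same
    user within `window`, otherwise 'single_event' (noted, not acted on)."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=parse):
        by_user[ev["user"]].append(ev)

    verdicts = {}
    for user, evs in by_user.items():
        verdict = "single_event"
        # Slide a window anchored at each event and count distinct sources.
        for i, anchor in enumerate(evs):
            start = parse(anchor)
            sources = {e["source"] for e in evs[i:] if parse(e) - start <= window}
            if len(sources) >= threshold:
                verdict = "incident"
                break
        verdicts[user] = verdict
    return verdicts


if __name__ == "__main__":
    for user, verdict in correlate(EVENTS).items():
        print(f"{user}: {verdict}")
```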

Data starts to have some value


Further on, instead of a blunderer, a hacker enters the scene. Fortunately, to begin with, there is a barrier to entry: he needs to get into the controlled zone. He can pass himself off as a cleaner, a tech-support employee or a guest, get himself hired onto your staff, and so on, using all his skills in social engineering. He can use technical means to penetrate, for example intercepting your radio traffic. He can passively collect data by sifting through your rubbish. And finally, the most common type of attack today: he can work out your users' habits and place malicious code somewhere on the "big internet" that your users visit. As a rule, hacking a third-party server is simpler than hacking yours, and from there your own users will drag the malware inside the corporate environment. Today the most relevant attack model is one where non-standard software is prepared for a specific company. For example, it may be a network worm that sharply acquires its functionality only when it realizes it has landed in the right place. Most interesting of all, such attacks by definition cannot be detected as a known pattern, because they are made individually for you.

To resist an attacker, you need a base of non-standard situations, each corresponding to a certain threat, much as an antivirus has known signatures and heuristics. In this direction the world is moving toward systems for detecting anomalous states. That is, when something strange starts to happen, the system should show it to people who can work out what it is.

It works like this: in the initial stage of its work, the system analyses what happens inside the monitored system and how. A profile of normal behaviour is formed, and then deviations from this profile are recorded. Depending on how strong the deviation is, calculated according to certain criteria, a conclusion is drawn that something is wrong.
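An added example, not from the post, of the profile-and-deviation idea in Python: a per-user baseline (mean and spread over a training window) is built from constructed daily activity counts, and a new day's count is scored by how many sigmas it sits from that baseline, with the strength of the deviation mapped to a conclusion for the analyst. The activity metric, the training window and the thresholds are assumptions.

```python
import statistics

# Constructed sample: documents a user opened on the file server per day
# over a seven-day training window, as a monitor might aggregate them.
BASELINE_DAYS = {
    "lena": [40, 44, 38, 42, 41, 39, 43],
    "zina": [12, 15, 11, 14, 13, 12, 14],
}
# Constructed observation for the day being assessed.
TODAY = {"lena": 45, "zina": 310}


def build_profile(samples):
    """Profile of normal behaviour: mean and standard deviation of the
    training window. A floor on sigma avoids dividing by zero when a
    user's activity was perfectly constant during training."""
    mean = statistics.fmean(samples)
    sigma = max(statistics.pstdev(samples), 1.0)
    return mean, sigma


def deviation(profile, value):
    """How many sigmas the observed value sits from the profile mean."""
    mean, sigma = profile
    return (value - mean) / sigma


def classify(z, warn=3.0, alert=6.0):
    """Map the strength of the deviation to a conclusion (thresholds assumed)."""
    z = abs(z)
    if z >= alert:
        return "alert"
    if z >= warn:
        return "warn"
    return "normal"


def assess(baseline, today):
    """Score every user's observation against their own profile."""
    results = {}
    for user, samples in baseline.items():
        z = deviation(build_profile(samples), today[user])
        results[user] = (round(z, 1), classify(z))
    return results


if __name__ == "__main__":
    for user, (z, verdict) in assess(BASELINE_DAYS, TODAY).items():
        print(f"{user}: z={z:+.1f} -> {verdict}")
```

Scoring each user against their own profile is what lets the same absolute count be ordinary for one person and anomalous for another.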

The problem is that such systems have existed for a long time but, as a rule, remain obscure shamanic contraptions for the average customer.

Now back to the other types of threat


For availability, the main vector today is "banal" DDoS. Since anyone with money and nerve can rent a botnet to carry out such an attack, the likelihood that you will be taken down grows with the seriousness of the business. How people protect against them you can read in plenty of posts here. In short, you need special tools that cut off parasitic traffic and let you keep responding quickly to real users, plus the ability to expand your channels when needed, since you can be hit with anything of large capacity.

For integrity, it is important to monitor critical changes in the system so as not to miss the appearance of a backdoor or an unauthorized change of security settings. If, for example, you are developing an OS, then the main effort here will be in monitoring everything that happens to the source code.

What minimizes the damage?


Here are some simple things that work universally:

What is the average ratio of the value of lost data to the value of the company?


As a rule, dramatic. On average worldwide it is about a third of the company's value, and in countries with tough industrial activity such as the United States, up to half. The dependence between the IT development of a region and the cost of data loss is very clearly visible. One lost record in the United States means about $277 of loss, in Germany $214, and in India, for example, only $46. Incidentally, hackers are most active in Germany, the USA and France, while the most error-prone staff live in Brazil.
This is according to the May 2013 Cost of Data Breach Study: Global Analysis (a study sponsored by Symantec and conducted by the Ponemon Institute).

What has changed in 15 years in information security?


If earlier the "white hats" were heroes ready to protect the company with their own hands, now the balance has shifted towards wars between the software used. Much depends on preparing solutions in advance for an attack or failure, rather than improvising on the spot. The complexity and variety of threats grows, so smart software is required to focus attention on strange events. More and more companies keep data with outsourcers, so there is a growing need to ensure not only their own protection but also the protection and responsibility of counterparties.

Information security technologies develop in parallel with IT but, unfortunately, with a slight time lag. For example, at the moment information security tools are trying hard to catch up with virtualization and mobile technologies. There is no doubt that this state of affairs will continue.

The portrait of both the security officer and the hacker is changing today. Both are becoming ever more professional. If 10 years ago the typical hacker was an enthusiastic young man interested in various technologies, today it is often an experienced professional with a commercial interest.

The situation is similar with security officers. Universities began training the first professional information security specialists about 15 years ago. At that time there were few such people outside the walls of the special services. Today there is already a significant number of such specialists on the IT market, although there is still a shortage of them.

How to study?


Good security people learn through practice (little can replace experience) and non-standard tasks. One interesting way to learn is to take part in tournaments. It is for this reason that Symantec Corporation and CROC are organizing C^2: Cyber Challenge, an online game, an offline tournament and a security conference.

During the online and offline games, participants play the role of cybercriminals. The competition is held on the "capture the flag" principle and lets you test your abilities in a unique imitation of a real environment.

The online game, by the way, takes place soon, on July 15-19. There are still places, and you can register here. Then in September there will be an offline championship where the tournament is held in real time, together with a big security conference.

Source: https://habr.com/ru/post/185370/

