Every source covering information security today carries Snowden's disclosures about covert channels for obtaining information and about devices for covert access to information (intercepting it, extracting it) that the NSA has deliberately planted in various kinds of technical equipment.
And how is this problem being addressed in our country? Analysing the current domestic regulatory framework, the following documents govern the identification of, and defence against, covert channels:
GOST R 53113.1-2008 "Information technology. Protection of information technologies and automated systems against information security threats implemented using covert channels. Part 1. General provisions";
GOST R 53113.2-2009 "Information technology. Protection of information technologies and automated systems against information security threats implemented using covert channels. Part 2. Recommendations on organising the protection of information, information technologies and automated systems against attacks using covert channels".
These standards define the term "covert channel": a communication channel not intended by the developer of the information technology (IT) system or automated system (AS) that can be used to violate the security policy.
The following security violations can be carried out over covert channels:
- the threat of introducing malicious programs and data;
- the threat of the intruder's agent receiving commands to perform its functions;
- the threat of leakage of cryptographic keys or passwords (unauthorised access to them) or of individual information objects.
The model of covert channel operation is shown in the figure (from GOST R 53113.2-2009):

According to this model, the creation of a covert channel and the intruder's action on the protected information resources proceed as follows:
- 1. In normal operating mode, work with the protected information resources proceeds in the prescribed manner: subjects with authorised access process them in accordance with the established access control rules. The inspector (security monitor) observes no violations of the security policy.
- 2. Among the components that process the protected information resources there are agents planted in advance by the intruder; they show no activity and in no way reveal their presence in the IT system (AS).
- 3. At the moment chosen by the intruder, a command is sent to the agent to activate it and execute its functional payload. The command may be delivered either over the regular communication channels of the IT system (AS), if such a connection is possible (for example, via the Internet), or remotely (for example, over a radio channel), if the intruder has that option.
- 4. The planted agent executes its functional payload, while the channel of information exchange between the intruder and the planted agent can remain hidden from the inspector.
- 5. Once the task is accomplished, the agent's work ends either on its own or on command from the intruder.
As a practical implementation of this approach, take, from the materials published by Snowden (http://freesnowden.is/2013/12/31/ant-product-data/), the IRONCHEF software, which operates on top of the COTTONMOUTH-I (II, III) hardware implants, themselves built from the HOWLERMONKEY and TRINITY components (one might call this a "classic" construction of a covert channel).
How is the work of identifying covert channels carried out? In "theory", the process of identifying a covert channel includes the following actions:
1. Assessment of the architecture of the system under study and of the communication channels present in it (both existing and potential channels are considered). Assessing the system architecture means identifying all available communication (information exchange) channels and analysing the interaction of the system's components for their potential use in organising a covert channel. The result of this analysis is the set of system components in which covert channels could potentially be used.
2. Identification of possible ways for the intruder and their presumed agent to exchange hidden information within the system. This work is based on the general scheme of the covert channel operation model. For each protected asset it is necessary to identify which subjects have access to it and are isolated from the external environment yet are able to interact with individual subjects in the external environment (bearing in mind that this interaction is controlled by the asset owner and can be observed by a potential intruder).
3. Assessment of the danger posed by the identified covert channels to the organisation's protected assets. Once covert channels have been identified, they should be assessed for how realisable they are and how dangerous they are to the protected assets. The most critical indicators for this assessment are the volume of the assets, the estimated bandwidth of the covert channel and the time interval during which the assets retain their value. All of these parameters can be computed numerically and used in the corresponding analytical reports. Based on this assessment, channels that pose no real risk to the assets are classed as non-hazardous.
4. Deciding whether it is appropriate to counter each of the identified covert channels (minimising the level of risk).
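As an added illustration of step 3 (my own example, not a method from the standard or from the original article), the following Python code computes the time needed to exfiltrate each asset over each channel from the three indicators named above and marks a channel hazardous for an asset when that time fits within the asset's value lifetime. Channel bandwidth is derived from the bits carried per exploited event, the event rate and an efficiency factor for framing and error correction; the assets, channels and all numbers are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    size_bits: int           # volume of the protected asset
    value_lifetime_s: float  # how long the asset keeps its value once leaked


@dataclass
class CovertChannel:
    name: str
    bits_per_symbol: float   # information carried per exploited carrier event
    symbols_per_s: float     # how often the carrier event can be exploited
    efficiency: float = 1.0  # fraction left after framing / error correction

    def bandwidth_bps(self) -> float:
        """Estimated capacity of the covert channel in bits per second."""
        return self.bits_per_symbol * self.symbols_per_s * self.efficiency


def exfiltration_time_s(asset: Asset, channel: CovertChannel) -> float:
    """Seconds needed to push the whole asset through the channel."""
    return asset.size_bits / channel.bandwidth_bps()


def is_hazardous(asset: Asset, channel: CovertChannel) -> bool:
    """A channel is hazardous for an asset when the asset can be leaked in full
    before it loses its value (GOST R 53113.2 step 3 criterion)."""
    return exfiltration_time_s(asset, channel) <= asset.value_lifetime_s


def assess(assets, channels):
    """Map (asset name, channel name) -> hazardous flag for every pair."""
    return {(a.name, c.name): is_hazardous(a, c) for a in assets for c in channels}


# Constructed assets: sizes in bits, lifetimes in seconds (assumptions).
ASSETS = [
    Asset("AES-256 session key", 256, 3600),                 # valid for one hour
    Asset("password database", 10 * 1024 * 8, 30 * 86400),   # 10 KiB, a month
    Asset("design archive", 8 * 1024 ** 3, 365 * 86400),     # 1 GiB, a year
]

# Constructed channels (assumptions).
CHANNELS = [
    # Timing channel: 1 bit per packet (delayed / not delayed), 2 packets/s, 50% overhead
    CovertChannel("packet timing", 1, 2, 0.5),          # 1 bit/s
    # Storage channel in an unused header field: 8 bits per packet, 10 packets/s
    CovertChannel("header field", 8, 10, 0.8),          # 64 bit/s
    # DNS tunnel: ~200 payload bits per query, 5 queries/s, 25% framing overhead
    CovertChannel("dns tunnel", 200, 5, 0.75),          # 750 bit/s
]

if __name__ == "__main__":
    for (asset, channel), hazardous in assess(ASSETS, CHANNELS).items():
        a = next(x for x in ASSETS if x.name == asset)
        c = next(x for x in CHANNELS if x.name == channel)
        days = exfiltration_time_s(a, c) / 86400
        print(f"{asset:20s} via {channel:14s}: {days:10.2f} days "
              f"-> {'HAZARDOUS' if hazardous else 'non-hazardous'}")
```

The point the numbers make is that a channel's bandwidth alone says little: a 1 bit/s timing channel is harmless for a gigabyte archive but leaks a 256-bit key in about four minutes, well inside the key's lifetime, so the same channel is non-hazardous for one asset and hazardous for another.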
The following are proposed as protective measures:
- reducing or limiting the bandwidth of the information transmission channel (with respect to covert channels);
- architectural solutions in the construction of the system;
- monitoring the effectiveness of the system's protection.
It should be noted that the choice of methods for countering threats implemented via covert channels is determined by the individual characteristics of the particular protected system (its topology, the information exchange protocols used, the placement of system elements and their interaction with each other, and the telecommunications and information security tools selected).
In conclusion, I would like to turn to methods of detecting covert channels. The GOST proposes two methods:
- the statistical method;
- the signature method.
The statistical method of detecting covert channels consists in collecting statistics on the packets passing through the protected part of the network without making any changes to them. Detection can then be performed either in real time or offline, using data accumulated over previous periods of time.
Detecting covert channels by signature analysis is similar to the way anti-virus software searches for malware. Given a set of known covert channel implementations, a signature is formed for each of them, and the data stream is searched for those signatures. The result is a conclusion about the presence or absence of covert channels in the system and about the variant of their implementation.
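To make the two methods concrete, here is an added Python example (mine, not from the GOST or from the original article) that runs both over a constructed set of DNS query records. The statistical method computes, per zone, the Shannon entropy and mean length of the subdomain labels plus a rough upper bound on the channel's bandwidth, and flags zones whose labels look like encoded payload rather than host names; the signature method matches a regular expression written for a hypothetical tunnelling tool called toytunnel. The records, the thresholds and the signature are all assumptions constructed for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed DNS query records: (timestamp in seconds, query name, packet size in
# bytes). Made up for this example; not captured traffic.
RECORDS = [
    (0.0, "www.example.com", 64),
    (6.2, "mail.example.com", 66),
    (12.9, "www.example.com", 64),
    (18.4, "cdn.example.com", 65),
    (25.0, "static.example.com", 68),
    (31.7, "www.example.com", 64),
    (38.1, "mail.example.com", 66),
    (44.6, "api.example.com", 65),
    (51.3, "www.example.com", 64),
    (57.8, "mail.example.com", 66),
    # Burst of long, high-entropy labels under one zone: the shape of a DNS tunnel
    (40.00, "n5xw6ytboi2gkzlnmvwxq5dfnz2c4mjs.tunnel.invalid", 110),
    (40.41, "kbsxe3lbnvsxmzlsmfzgk3tfoj3xi5d.tunnel.invalid", 109),
    (40.83, "c5dgq4tknn2ge5dvnvqwc2lomf2a7nzs.tunnel.invalid", 110),
    (41.20, "ov2xgzjbnruwizlumz4gc3tdmm3ta3yb.tunnel.invalid", 110),
    (41.62, "gezdgnbvgy3tqojqmfzwky3lebsgyzla.tunnel.invalid", 110),
    # Labels in the framing of the hypothetical tool "toytunnel" (constructed)
    (45.00, "t0a1f-mfrggzdfmztwq2lknnwg23tpob.c2.test", 104),
    (45.50, "t0a20-mfzwizltor4hg4tumvzxizlu2b.c2.test", 104),
]


def split_qname(qname, zone_labels=2):
    """Split a query name into (zone, subdomain). The two trailing labels are
    taken as the zone; a real deployment would use the public suffix list."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-zone_labels:]), ".".join(parts[:-zone_labels])


def shannon_entropy(text):
    """Bits per character of the text (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def statistical_detect(records, entropy_threshold=4.0, min_mean_label_len=15):
    """Statistical method: per-zone label statistics over passively collected
    records. A zone is suspicious when its labels are both long and high in
    entropy. The bandwidth estimate assumes ~5 bits per label character (a
    base32 alphabet) times the observed query rate."""
    per_zone = defaultdict(list)
    for ts, qname, _size in records:
        zone, sub = split_qname(qname)
        per_zone[zone].append((ts, sub))
    report = {}
    for zone, items in per_zone.items():
        labels = [sub for _, sub in items]
        times = [ts for ts, _ in items]
        mean_len = sum(len(lab) for lab in labels) / len(labels)
        entropy = shannon_entropy("".join(labels))
        span = max(times) - min(times)
        rate = len(items) / span if span > 0 else float(len(items))
        report[zone] = {
            "queries": len(items),
            "mean_label_len": round(mean_len, 1),
            "entropy_bits": round(entropy, 2),
            "est_bandwidth_bps": round(mean_len * 5 * rate, 1),
            "suspicious": entropy > entropy_threshold and mean_len >= min_mean_label_len,
        }
    return report


# Signature method: one pattern per known implementation. The entry below is a
# constructed pattern for the hypothetical "toytunnel" and matches nothing real.
SIGNATURES = {
    "toytunnel-v1": re.compile(r"^t[0-9a-f]{4}-[a-z2-7]{16,}\."),
}


def signature_detect(records, signatures=SIGNATURES):
    """Return (signature name, query name) for every record that matches."""
    return [(name, qname) for _ts, qname, _size in records
            for name, pat in signatures.items() if pat.search(qname.lower())]


if __name__ == "__main__":
    for zone, stats in statistical_detect(RECORDS).items():
        print(zone, stats)
    for hit in signature_detect(RECORDS):
        print("signature hit:", *hit)
```

The two methods fail in complementary ways, which is why the standard lists both: the signature method cannot see an implementation it has no signature for (the tunnel.invalid burst above is invisible to it), while the statistical method flags anything unusual, including legitimate services that encode data in DNS labels, so its thresholds have to be tuned against a baseline of the protected network's own traffic.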
Summing up, we are entering a new round of the information confrontation "intruder versus security administrator", which brings into our lives both new technologies and methods of attack and new means and methods of protection.
I would like to end the article with the following reflections:
What if we look at the materials revealed by Snowden from a different angle? Recently a number of automated systems have appeared for which confidentiality is not a priority at all, for example, automated process and production control systems. A violation of the availability and performance of such a system can have even more serious consequences for the state or for an organisation than a leak of confidential or secret information. Matters are aggravated by the fact that the vast majority of the component base for such systems is produced and supplied from abroad, and it is technically impossible to carry out the full range of work to find possible covert channels and embedded devices across the entire list of imported components. And, as has become known, foreign-made technical equipment can be full of unpleasant "surprises".
Nor can one ignore the ubiquitous spread of the Internet and its use as a transport for connecting various corporate and industrial networks, which automatically gives an external attacker the possibility of gaining control over an embedded implant device or module.
There is something to think about and work on. The problem of detecting covert channels in organisations' automated systems is becoming topical regardless of the organisation's level or form of ownership. A secret is a secret because only a limited circle of people knows it. Add to that the negative emotions when someone maliciously damages an information infrastructure you were confident in. And a spoiled mood is not the worst of it if the organisation's business processes suffer as well.