
How to catch what is not. Part Four: Personal data without an umbrella

Many years of work by regulators led to the emergence in our country of a third generation of laws in this area. One would think that after so many years of discussion on blogs and at conferences, all the controversial points would have been settled. But no. Practice has shown that (at least in our country) companies are interested in paper protection. Perhaps that is why the issues discussed most are the legal subtleties: what to protect, how to obtain consent, where to place the server. The questions of how to assess threats and how to choose protection measures are not worked out at all. Implementing a reliable protection system under these conditions is unrealistic in principle.

Another problem: “I didn't read it, but I'm discussing it.” A huge number of requests and comments are made without reading the documents under discussion.

Do not agree? Two simple questions:

Have you answered? Let's check the answers.

Personal data protection is probably the one area that, because of legal requirements, every company has to face. So we will start with it and look at how the problem of anti-virus protection is viewed at the legislative level.

Anti-virus protection from the point of view of Federal Law No. 152-FZ of 27.07.2006

Federal Law No. 152-FZ of 27.07.2006 “On Personal Data” (as amended by Federal Law No. 261-FZ of 25.07.2011). (Hereinafter, for simplicity, non-technical measures have been removed from the lists of measures: compiling lists of persons, appointing responsible persons, using certified products, etc. There is much of interest there too, but the article has already grown beyond all measure.)

Article 18.1. Measures aimed at ensuring that the operator performs the duties stipulated by this Federal Law
1. The operator is obliged to take measures that are necessary and sufficient to ensure the fulfillment of the obligations provided for by this Federal Law and the regulatory legal acts adopted in accordance with it. The operator shall independently determine the composition and the list of measures necessary and sufficient to ensure the fulfillment of the obligations provided for by this Federal Law and the regulatory legal acts adopted in accordance with it, unless otherwise provided by this Federal Law or other federal laws. Such measures may, in particular, apply ...
Article 19. Measures to ensure the security of personal data during their processing
1. The operator, when processing personal data, is obliged to take the necessary legal, organizational and technical measures or ensure their adoption for the protection of personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as from other misconduct in relation to personal data.
2. Ensuring the security of personal data is achieved, in particular:
2) the use of organizational and technical measures to ensure the security of personal data when processing them in personal data information systems necessary to meet the requirements for the protection of personal data, the execution of which ensures the levels of personal data protection established by the Government of the Russian Federation;
6) detection of facts of unauthorized access to personal data and taking measures;
7) recovery of personal data modified or destroyed due to unauthorized access to it;
8) the establishment of rules for access to personal data processed in the personal data information system, as well as ensuring the registration and accounting of all actions performed with personal data in the personal data information system;

That is all! The word “antivirus” is not mentioned once. Access control, backup and a logging system (in the light of modern fashion, DLP) are more or less clearly required. The use of antivirus is not defined. According to Federal Law No. 152-FZ, the list of protection measures is to be determined by the government:

Article 19. Measures to ensure the security of personal data during their processing
2. Ensuring the security of personal data is achieved, in particular:
2) the use of organizational and technical measures to ensure the security of personal data when processing them in personal data information systems necessary to meet the requirements for the protection of personal data, the execution of which ensures the levels of personal data protection established by the Government of the Russian Federation;

True, the same Federal Law No. 152-FZ establishes that the measures determined by the government are mandatory only for state or municipal bodies:

Article 18.1. Clause 3. The Government of the Russian Federation establishes a list of measures aimed at ensuring the fulfillment of obligations provided for by this Federal Law and the regulatory legal acts adopted in accordance with it, by operators that are state or municipal bodies.

Should ordinary companies apply PP 1119, which defines these measures, or not? Many lances have been broken over this question.
My personal opinion:

  1. In any case, there is no other document.
  2. Whatever we come up with, in most cases the inspector will be the one who is right.

I do not know of any cases where a company did not use the PP 1119 classification.

Security in terms of government

For a clear conscience, let us look at PP 1119:

13. To ensure the 4th level of security of personal data when processing them in information systems, the following requirements must be met:
a) the organization of a security regime for the premises in which the information system is located that prevents the possibility of uncontrolled penetration or stay in these premises of persons who do not have the right of access to these premises;
b) ensuring the safety of personal data carriers;
15. In order to ensure the 2nd level of protection of personal data when processing them in information systems, in addition to fulfilling the requirements stipulated in clause 14 of this document, it is necessary that access to the content of the electronic security log be possible only for those officials (employees) of the operator or of the authorized person for whom the information contained in this log is necessary for the performance of their official (labor) duties.
16. In order to ensure the 1st level of protection of personal data when processing them in information systems, in addition to the requirements stipulated in clause 15 of this document, the following requirements must be met:
a) automatic registration in the electronic security log of changes in the access rights of the operator's employee to the personal data contained in the information system;

To sum up: to protect personal data you need to hire a guard, not lose floppy disks and documents, appoint a responsible person and keep outsiders away from the logs. These, we note, are the measures for the highest level of protection. Beautiful. Once again, antiviruses are not required.

True, PP 1119 did include a caveat:

4. The choice of information protection means for the personal data protection system is carried out by the operator in accordance with the regulatory legal acts adopted by the Federal Security Service of the Russian Federation and the Federal Technical and Export Control Service in pursuance of Part 4 of Article 19 of the Federal Law “On Personal Data”.

FSTEC of Russia requirements for the protection of personal data

At the moment, the only document issued by FSTEC of Russia on this subject is Order No. 21. Let us give FSTEC its due: despite the heavy legacy of PP 1119, the document, if we consider it as a list of measures (the procedure for assessing threats has not yet been defined), is not bad. Let us open it.

8.6. Anti-virus protection measures should ensure detection of computer programs or other computer information in the information system intended for unauthorized destruction, blocking, modification, copying of computer information or neutralization of information protection tools, as well as response to the detection of these programs and information.

Accordingly:


10. If it is technically impossible to implement individual selected measures to ensure the security of personal data, and also taking into account economic feasibility, other (compensating) measures aimed at neutralizing current threats to the security of personal data may be developed at the stages of adapting the basic set of measures and/or refining the adapted basic set of measures.

The functionality of anti-virus protection is not defined in the order; all that is mentioned is:

  1. AVZ.1 Implementation of anti-virus protection
  2. AVZ.2 Updating the database of indicators of malicious computer programs (viruses)

Fortunately, since Order No. 17 defines exactly analogous anti-virus protection measures, we can use the FSTEC of Russia document “Methodological document. Measures to protect information in state information systems” to find out what the regulator thinks about the functions of an antivirus.

3.6. ANTI-VIRUS PROTECTION (AVZ)
AVZ.1 REALIZATION OF ANTI-VIRUS PROTECTION
Requirements for the implementation of AVZ.1: The operator should provide anti-virus protection of the information system, including the detection of computer programs or other computer information intended for the unauthorized destruction, blocking, modification, copying of computer information or neutralization of information protection tools, as well as response to the detection of these programs and information.
Implementation of antivirus protection should include:
  • the use of anti-virus protection tools on automated workstations, servers, perimeter information protection tools (firewalls, proxy servers, mail gateways and other information protection tools), mobile technical devices and other access points to the information system that are susceptible to the introduction (infection) of malicious computer programs (viruses) through removable computer storage media or network connections, including to public networks (e-mail, the Web and other network services);

This provision quite correctly requires the installation of anti-virus protection on all computers and devices susceptible to infection (including personal devices and home computers that access the information system). But:


In addition, it should be noted that covering a server with anti-virus protection does not necessarily mean covering the services running on it. Installing real-time anti-virus protection on a server (a file monitor) does not mean that mail passing through MS Exchange or traffic passing through MS ISA / TMG is checked. For this reason several anti-virus protection tools need to be installed on such servers: one to protect the server itself, and others to check the objects passing through the services running on the server that are, for one reason or another, inaccessible to the file antivirus.

Also, the choice of the words “introduction (infection)” is not very apt, since infection implies launching and activating the malicious program, while introduction can consist simply of placing the file, including on an OS that this malware cannot infect (for example, placing the malicious program on a Linux file server).

  • near-real-time scanning of objects (files) from external sources (removable storage media, network connections, including to public networks, and other external sources) when such files are downloaded, opened or executed;

This is the key error in defining the protection tasks. A re-check is required not only for objects received from external sources, but also for all other files and objects (including those that were already present at the time of installation and/or placed by intruders bypassing the security systems). The check is necessary because at the time of penetration (deployment) the malicious program may be unknown to the anti-virus system, but it will become known after a subsequent update.

Moreover, it is also necessary to check already running processes: previously unknown threats may be there as well.

Well, I would add that the check on receipt should occur before the object reaches the client program (browser, email client), in order to prevent attackers from using vulnerabilities in these programs to bypass the protection built into them.

Requirements for enhancing AVZ.1:
2) in the information system, centralized management (installation, removal, updating, configuration and control of the relevance of anti-virus protection software versions) should be provided with anti-virus protection installed on the components of the information system (servers, workstations);

A common phenomenon is users of the system changing the settings specified by the administrator and ignoring recommendations to take urgent actions to improve security. However, although the paragraph above required protection of all network nodes, this paragraph does not provide for centralized management of mobile devices, personal computers, etc.
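The clause above is only useful if the central console actually verifies what the endpoints run, and the author's complaint is that mobile and personal devices fall outside its scope. The following inventory check is an added example (not the regulator's text and not any vendor's tooling); the endpoint records, the approved engine version, the 24-hour freshness threshold and the "managed kinds" set are all assumptions. It flags the classic drift cases (stale signatures, version drift, real-time protection switched off, settings left unlocked for the user) and also reports devices that the clause leaves unmanaged, so the gap is visible in the report rather than silently ignored.

```python
"""Constructed endpoint-inventory compliance check for centralized AV management.
Added example; all records, versions and thresholds are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

APPROVED_ENGINE = "12.4.1"                  # assumed approved engine version
MAX_SIGNATURE_AGE = timedelta(hours=24)     # assumed signature freshness policy
MANAGED_KINDS = {"server", "workstation"}   # the kinds the clause actually covers


@dataclass(frozen=True)
class Endpoint:
    """One inventory record as a central console would hold it (constructed)."""
    name: str
    kind: str                     # "server", "workstation", "mobile", "personal"
    engine_version: str
    signatures_updated: datetime  # when the signature database was last refreshed
    realtime_enabled: bool        # on-access (file monitor) protection is on
    settings_locked: bool         # user cannot override the administrator's settings


def check_endpoint(ep: Endpoint, now: datetime) -> list:
    """Return the list of policy findings for one endpoint (empty means compliant)."""
    findings = []
    if ep.kind not in MANAGED_KINDS:
        findings.append("outside centralized management scope")
    if ep.engine_version != APPROVED_ENGINE:
        findings.append(f"engine version {ep.engine_version} != approved {APPROVED_ENGINE}")
    if now - ep.signatures_updated > MAX_SIGNATURE_AGE:
        findings.append("signature database stale")
    if not ep.realtime_enabled:
        findings.append("real-time protection disabled")
    if not ep.settings_locked:
        findings.append("settings not locked by central policy")
    return findings


def compliance_report(endpoints, now: datetime) -> dict:
    """Map endpoint name -> findings, listing only endpoints with at least one finding."""
    report = {}
    for ep in endpoints:
        findings = check_endpoint(ep, now)
        if findings:
            report[ep.name] = findings
    return report


# Constructed reference time and inventory (hypothetical host names).
REFERENCE_NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
INVENTORY = [
    Endpoint("srv-files-01", "server", "12.4.1", REFERENCE_NOW - timedelta(hours=2), True, True),
    Endpoint("ws-acct-07", "workstation", "12.4.1", REFERENCE_NOW - timedelta(hours=60), True, False),
    Endpoint("ws-hr-03", "workstation", "12.3.0", REFERENCE_NOW - timedelta(hours=1), False, True),
    Endpoint("phone-ceo", "mobile", "12.4.1", REFERENCE_NOW - timedelta(hours=3), True, False),
]

if __name__ == "__main__":
    for name, findings in compliance_report(INVENTORY, REFERENCE_NOW).items():
        print(name, "->", "; ".join(findings))
```

In a real deployment the inventory would come from the management console's export rather than a constant, and the "outside scope" finding is the one to watch: it is exactly the class of device (phones, home computers) that the earlier bullet says must be protected but this clause does not require to be centrally managed.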

3) the operator should ensure the prohibition of the use of removable computer storage media, which can be sources of malicious computer programs (viruses);

Funnily enough, in the table that distributes protection measures according to the class of the information system, this requirement is not mentioned at all. Why then the word “must”?

4) the information system should provide for the use of anti-virus protection devices from different manufacturers at different levels of the information system;

This requirement is based on the fact that, because the flow of newly generated malware is quite large, at any given moment each antivirus program knows only a part of the latest malware. It is also logical that, since each vendor has its own malware collection network, some malicious files will be found by some vendors and others by other vendors. In its expanded form, the rule implies that any document received by a user must undergo two anti-virus checks:


In this form, the requirement is described in Letter of the Bank of Russia No. 49-T of March 24, 2014:

2.1.10. Use of means of protection against malicious code from different manufacturers or suppliers and their separate installation on the following groups of computer equipment and objects of protection:
  • workstations;
  • servers;
  • routers and firewalls.

and in the Bank of Russia Regulation of June 9, 2012 No. 382-P (as amended in accordance with the Bank of Russia Instructions 3007-U of 06/05/2013, N 3361-U of August 14, 2014):

2.7.3 A money transfer operator, a bank payment agent (subagent) and a payment infrastructure service operator shall ensure the use of technical means of protecting information from the effects of malicious code from different manufacturers and their separate installation on the personal computers and servers used to make money transfers, as well as on the firewalls involved in making money transfers, where technically possible.

However, this requirement does not take into account how malware development has changed: in reality, the main danger comes from malware that has been tested against current versions of the protection systems and is not detected by them. Consequently, the number of antiviruses plays no significant role (provided protection systems of comparable level are used).

But using two antiviruses in a system is still justified if the second antivirus is intended for periodic checks for malicious files that are still unknown to the vendor of the first. In fact, in Russia Dr.Web CureIt! is used precisely as an emergency treatment utility, and so is Dr.Web CureNet!
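Two of the points made above are easy to show in a small simulation: the objection to scanning only objects that arrive from external sources (a sample that slipped in before the update that covers it is never re-checked, on disk or in memory), and the multi-vendor argument (each vendor knows only part of the current flow, so two engines together cover more than either alone, while a sample unknown to both is still missed). The code below is an added example, not from the original post and not any vendor's product; content hashes stand in for signatures, the "vendors", file paths, process id and sample bytes are all constructed placeholders.

```python
"""Simulation of on-access-only scanning versus a full rescan after a signature
update, and of combined coverage from two independent signature databases.
Added example; hashes stand in for real signatures and every sample is constructed."""
import hashlib
from dataclasses import dataclass, field


def fingerprint(data: bytes) -> str:
    """Content hash used here as a stand-in for a real detection signature."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class SignatureDB:
    """One vendor's set of known-bad fingerprints, grown by updates over time."""
    vendor: str
    known: set = field(default_factory=set)

    def update(self, samples):
        self.known |= {fingerprint(s) for s in samples}

    def detects(self, data: bytes) -> bool:
        return fingerprint(data) in self.known


@dataclass
class Host:
    """Constructed host state: files on disk and images of running processes."""
    disk: dict = field(default_factory=dict)     # path -> bytes
    running: dict = field(default_factory=dict)  # pid -> bytes


def on_access_scan(db: SignatureDB, host: Host, arrivals: dict) -> list:
    """Check only objects arriving from an external source, as the clause requires.
    Detected objects are blocked; clean ones are written to disk. Returns hits."""
    hits = []
    for path, data in arrivals.items():
        if db.detects(data):
            hits.append(path)
        else:
            host.disk[path] = data
    return hits


def full_rescan(db: SignatureDB, host: Host) -> dict:
    """Re-check everything already present: files on disk and running processes."""
    return {
        "disk": sorted(p for p, d in host.disk.items() if db.detects(d)),
        "processes": sorted(pid for pid, d in host.running.items() if db.detects(d)),
    }


def coverage(dbs, samples) -> dict:
    """Per-vendor and combined detection counts over a sample set."""
    result = {db.vendor: sum(db.detects(s) for s in samples) for db in dbs}
    result["combined"] = sum(any(db.detects(s) for db in dbs) for s in samples)
    return result


def scenario() -> dict:
    # Constructed samples: arbitrary placeholder bytes, not real malware.
    dropper = b"constructed-sample-dropper-v1"
    other_family = b"constructed-sample-trojan-v2"
    benign = b"quarterly-report.docx contents"

    vendor_a, vendor_b = SignatureDB("A"), SignatureDB("B")
    host = Host()

    # Day 0: the dropper arrives before any vendor knows it, passes the
    # on-access check, lands on disk and is launched (constructed pid).
    day0_hits = on_access_scan(vendor_a, host, {
        "C:/Users/u/Downloads/invoice.exe": dropper,
        "C:/Users/u/Documents/report.docx": benign,
    })
    host.running[4242] = dropper

    # Day 1: vendor A's update now covers the dropper; vendor B's covers a different family.
    vendor_a.update([dropper])
    vendor_b.update([other_family])

    # An on-access-only policy sees nothing: no new external object has arrived.
    day1_on_access = on_access_scan(vendor_a, host, {})
    # A full rescan of disk and memory finds the sample that slipped in on day 0.
    day1_full = full_rescan(vendor_a, host)

    return {
        "day0_hits": day0_hits,
        "day1_on_access": day1_on_access,
        "day1_full": day1_full,
        "coverage": coverage([vendor_a, vendor_b], [dropper, other_family, benign]),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

The day-1 result is the whole argument in miniature: the on-access scan of new arrivals returns nothing, while the full rescan reports the same sample both on disk and as a running process. The coverage figures show why a second engine with an independent collection network adds detections, and also that neither the count of engines nor their union helps with a sample absent from every database, which is the author's point about malware pre-tested against current protection.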


Source: https://habr.com/ru/post/255595/
