
The document that was waiting

The May holidays gave us not only a very controversial draft Government Resolution from Roskomnadzor, but also a document that experts had been waiting for for a long time. The FSTEC of Russia published on its website a draft document entitled “Methodology for the Identification of Information Security Threats in the Information System” and the corresponding information message.

After revision and approval, the document will become mandatory for state and municipal authorities. For them, the document describes the methodology for identifying the threats relevant to a particular organization. Practice shows that in most cases the changes made to a draft are not fundamental, so it is worth familiarizing yourself with it in advance. In theory, for other organizations, including personal data (PD) operators, this Methodology is not mandatory, but since in practice there will be no alternatives (and any alternative would, moreover, have to be justified to Roskomnadzor), it will have to be used.

What can an information system built on the basis of the Methodology protect?

The document establishes a unified methodological approach to identifying information security threats and developing information security threat models in state information systems (hereinafter referred to as information systems) in which information is protected in accordance with the Requirements for the protection of information not constituting a state secret contained in state information systems, approved by order of the FSTEC of Russia of February 11, 2013 No. 17 (registered by the Ministry of Justice of Russia on May 31, 2013, reg. No. 28608).
By decision of the operator of personal data, the Methodology can be used to determine ... the security of personal data when they are processed in personal data information systems, the protection of which is ensured in accordance with the Composition and content of organizational and technical measures to ensure the security of personal data when they are processed in personal data information systems, approved by order of the FSTEC of Russia of February 18, 2013 No. 21 (registered by the Ministry of Justice of Russia on May 14, 2013, reg. No. 28375).

The method does not apply to the identification of threats to the security of information constituting a state secret.

Accordingly, the Methodology can be used to assess security threats in state information systems, as well as by all companies and organizations that protect personal data. It cannot be used to assess threats to the security of information constituting a state secret.

Thus, for some reason, other types of information fell outside the scope of the Methodology: information categorized as commercial secrets, bank secrets, official secrets, DSP (for official use only), etc. Yet in practice these types of information are often more important to companies than that same personal data.

Also, the Methodology in no way regulates the protection of information located outside the information protection system (for example, on employees' personal devices). Nowadays, when most company employees can access company resources from their smartphones, this approach seems strange.

At the same time, we note that the FSTEC of Russia clearly distinguishes between the scopes of Order No. 17 and Order No. 21: in fact, both of these orders must be applied to protect personal data in state information systems, which in general follows from the text of Federal Law No. 152-FZ.

Who can use the technique?

The technique is intended for:

In fact, all types of companies and organizations are subject to the methodology.

Terms and Definitions

The Methodology uses terms and their definitions established by national standards in the field of information security.

It has already been noted in other publications that the inconsistency of terms and definitions across the various documents of our legislation does not allow us to correctly define even the goals of information protection. A reference to national standards is definitely a plus, but it would be better to provide a specific list of the related documents in the form of references or attachments. To avoid.

How are threats evaluated?

Information security threat assessment is carried out by an expert method.

... the physical and logical boundaries of the information system must be defined, in which information protection measures for which the operator is responsible are taken and controlled, as well as the protection objects and information system segments.

The process of identifying information security threats is organized by a division of the operator designated as responsible for protecting information in the information system.

The sources of threats to the security of information may be actors (individuals, organizations, states) or phenomena (man-made accidents, natural disasters, other natural phenomena).

A threat to the security of information is relevant (UBIJA) if, for an information system with the given structural and functional characteristics and operating features, there is a likelihood that a violator with the corresponding potential will realize the threat under consideration, and its realization will lead to unacceptable negative consequences (damage) from a breach of the confidentiality, integrity or availability of information.

In the absence of statistical data on the realization of information security threats (the occurrence of security incidents) in the information system and/or information systems of the same type, the relevance of an information security threat is determined based on an assessment of the feasibility of the information security threat (Yj).

The methodology provides recommendations on the formation of the expert group and the conduct of expert evaluation.

Note that the threats include threats related to:

The Methodology also indicates that “one should first of all pay attention to the assessment of anthropogenic threats associated with unauthorized (illegal) actions of subjects to breach the security (confidentiality, integrity, availability) of information, including targeted effects by software (software and hardware) tools on information systems, carried out for the purpose of disrupting (terminating) their functioning.”

To identify threats to the security of information in the information system, the following are defined:
  • the capabilities (kind, type, potential) of violators that they need to realize threats to the security of information;
  • the vulnerabilities that can be used in realizing information security threats (including deliberately implanted software backdoors);
  • the ways (methods) of realizing information security threats;
  • the objects of the information system at which information security threats are directed (objects of influence);
  • the result and consequences of the realization of information security threats.

The Methodology requires the likelihood of threats to be assessed on the basis of the available data.

When determining possible ways to implement threats to the security of information, it is necessary to proceed from the following conditions:
  • the offender may act alone or as part of a group of offenders;
  • with respect to the information system, an external intruder may act in conjunction with an internal violator;
  • threats can be realized at any time and at any point of the information system (on any node or host);
  • to achieve its goal, the offender chooses the weakest link in the information system.

Revision (reassessment) of information security threats is carried out at least in the following cases:

  • changes in the requirements of the legislation of the Russian Federation on the protection of information, regulatory legal acts and methodological documents governing the protection of information;
  • changes in the configuration (composition of the main components) and features of the information system, which resulted in the emergence of new threats to information security;
  • identifying vulnerabilities leading to the emergence of new threats to information security or to an increase in the possibility of realizing existing ones;
  • the appearance of information and facts about the new opportunities of violators.

It is recommended to review information security threats at least once a year.

The second item of the Methodology's list takes us back to the old dispute: “if I changed the video card, does this require a revision of the threat model?”

The advantages of the methodology include the appearance of requirements for assessing the capabilities of violators.

Threats to the security of information in the information system can be implemented by the following types of violators:
  • special services of foreign states (blocs of states);
  • terrorist, extremist groups;
  • criminal groups (criminal structures);
  • external subjects (individuals);
  • competing organizations;
  • developers, manufacturers and suppliers of software, hardware and hardware-software tools;
  • persons carrying out installation, adjustment, commissioning and other types of work;
  • persons ensuring the functioning of information systems or servicing the infrastructure of the operator (administration, security, cleaners, etc.);
  • information system users;
  • information system administrators and security administrators;
  • former employees (users).

The list, it should be noted, correctly indicates the need to assess threats from potential violators who are not employees of the company.

The possible goals (motivation) of violators in realizing threats to the security of information in the information system may be:
  • damage to the state, its individual areas of activity or sectors of the economy;
  • implementation of threats to the security of information for ideological or political reasons;
  • the organization of a terrorist act;
  • damage to property by fraud or other criminal means;
  • discrediting or destabilizing the activities of state bodies and organizations;
  • gaining competitive advantage;
  • the introduction of additional functionality in software or software and hardware at the design stage;
  • curiosity or desire for self-realization;
  • the identification of vulnerabilities for the purpose of their further sale and financial gain;
  • implementation of threats to the security of information from revenge;
  • implementation of information security threats unintentionally due to negligence or unqualified actions.

This list, too, is accurate. Practice shows that an organization may come under attack by chance; one example is the hacking of companies in the wake of the scandal over the cartoons in a French magazine.

Depending on the access rights, violators may have legitimate physical (immediate) and (or) logical access to information system components and (or) information contained in them or not have such access.

Access rights analysis is carried out, at a minimum, with respect to the following information system components:

  • input / output (display) devices;
  • wireless devices;
  • software, software and hardware and technical means of information processing;
  • removable computer storage media;
  • computer storage media out of service;
  • active (switching) and passive equipment of communication channels;
  • communication channels outside the controlled area.

The results of the assessment of violators' capabilities are included in the violator model, which is an integral part (section) of the information security threat model and contains:

  • types, types and potential of violators who can ensure the realization of information security threats;
  • goals that can be pursued by violators of each type in the implementation of information security threats;
  • possible ways to implement information security threats.

The above quotes are given with spelling and punctuation of the draft document.

For example, let's see what administrators are capable of:

  • causing property damage through fraud or other criminal means;
  • curiosity or the desire for self-realization (proof of status);
  • revenge for previously committed actions;
  • identification of vulnerabilities for the purpose of their further sale and financial gain;
  • unintended, careless or unqualified actions.

About the work of the expert group

Now for the most correct and, at the same time, the most utopian part of the document:

The probability of the realization of a threat to the security of information is understood to be an indicator defined by an expert, characterizing how likely the implementation of the j-th threat to the security of information in an information system with given structural and functional characteristics and features of functioning is. Three verbal gradations of this indicator are introduced:

  • low probability: there are no objective prerequisites for the realization of the j-th information security threat, there are no statistics on the realization of the j-th information security threat (occurrence of security incidents), there is no motivation for the j-th threat, and the possible frequency of realization of the j-th threat does not exceed once in 5 years;
  • medium probability: there are prerequisites for the realization of the j-th information security threat, there are cases of the j-th information security threat being realized (occurrence of security incidents) or there is other information indicating the possibility of the j-th information security threat, there are signs that the intruder has motivation to realize such a threat, and the possible frequency of realization of the j-th threat does not exceed once per year;
  • high probability: there are objective prerequisites for the realization of the j-th information security threat, there are reliable statistics on the realization of the j-th information security threat (occurrence of security incidents) or there is other information indicating a high possibility of realizing the j-th information security threat, the intruder has motives for realizing the j-th threat, and the frequency of realization of the j-th threat is more than once per year.

In the absence of the data required to assess the likelihood of a threat to the security of information, or where there are doubts about the objectivity of the expert assessments when determining the verbal gradations of the likelihood of a threat, the relevance of the j-th threat to the security of information is determined based on an assessment of its feasibility (Yj).

The possibility of implementing the j-th information security threat (Yj) is estimated based on the level of information system security (Y1) and the potential of the offender.

When identifying information security threats at the stage of creating an information system in the event that information protection measures are not implemented or their sufficiency and effectiveness are not assessed, the possibility of implementing the j-th information security threat (Yj) is assessed relative to the level of information system design security.
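The relevance decision described above, written out as a small decision procedure. This is an added illustration, not the draft's own text or tooling: the frequency thresholds are the Methodology's, while the mapping from security level (Y1) and intruder potential to feasibility (Yj), and the rule that a "low" grade means "not relevant", are assumptions made here because the draft's own tables are not quoted on this page.

```python
"""Threat relevance decision modelled on the draft Methodology (added example).

A threat is treated as relevant (UBIJA) when its realization is plausible
AND the resulting damage is unacceptable. Plausibility comes from incident
statistics when they exist and are trusted; otherwise from feasibility Yj.
"""

LOW, MEDIUM, HIGH = "low", "medium", "high"
RANK = {LOW: 0, MEDIUM: 1, HIGH: 2}


def probability_grade(incidents, years):
    """Verbal gradation from the observed incident rate (Methodology thresholds)."""
    if years <= 0:
        raise ValueError("observation period must be positive")
    rate = incidents / years          # realizations per year
    if rate <= 1 / 5:
        return LOW                    # at most once in 5 years
    if rate <= 1:
        return MEDIUM                 # at most once per year
    return HIGH                       # more often than once per year


def feasibility_grade(security_level, intruder_potential):
    """Yj from Y1 and intruder potential.

    ASSUMED mapping (the draft's table is not on the page): an intruder whose
    potential exceeds the system's security level gets HIGH feasibility,
    equal levels give MEDIUM, a weaker intruder gives LOW.
    """
    gap = RANK[intruder_potential] - RANK[security_level]
    if gap > 0:
        return HIGH
    return MEDIUM if gap == 0 else LOW


def threat_is_relevant(*, damage_unacceptable, incidents=None, years=None,
                       stats_trusted=True, security_level=None,
                       intruder_potential=None):
    """Relevant iff realization is plausible and damage is unacceptable.

    With usable statistics the probability grade decides; without them (or
    when the experts' objectivity is in doubt) the feasibility grade does.
    ASSUMED threshold: a LOW grade means the threat is not relevant.
    """
    if not damage_unacceptable:
        return False
    if incidents is not None and years is not None and stats_trusted:
        grade = probability_grade(incidents, years)
    else:
        grade = feasibility_grade(security_level, intruder_potential)
    return grade != LOW
```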

Next, the Methodology provides a table listing the nodes of the protected network and the corresponding security levels. There are three levels here too: high, medium and low.

The consequences of a threat's realization are also assessed, including economic, social, political and other consequences. For example, let's look at what counts as social consequences:

  • Creating prerequisites for harming the health of citizens.
  • The possibility of disruption of the objects of life support of citizens.
  • Organization of pickets, strikes, rallies and other actions.
  • Layoffs.
  • Increasing the number of complaints to state or local authorities.

Source: https://habr.com/ru/post/258685/

