
What do anti-virus protection profiles provide?

The questions "Do your products meet the requirements of the anti-virus protection profiles?" and "Are you certified against the requirements of profile ...?" come in regularly; I alone see them several times a week. As a rule, the client does not actually need a certified product as such: he has heard that a certified product must be used in his information system and believes that only software certified against the requirements of the Profiles is permitted. Or the organization's own policy requires the use of certified products only.

We will not repeat ourselves. The question of which legislation actually requires the use of certified products has been considered here and here. Now we turn to a different topic: does the client get anything real if his product is certified against the requirements set out in the Anti-Virus Protection Profiles?

The Requirements for anti-virus protection tools (SAVZ) were approved by order N 28 of the FSTEC of Russia dated March 20, 2012 (registered by the Ministry of Justice of Russia on May 3, 2012, reg. N 24045). These requirements entered into force on August 1, 2012.

It is declared that these requirements were developed in accordance with the Common Criteria. They apply to software used to protect information constituting a state secret or other restricted-access information.
It is important that the Requirements include both requirements for anti-virus protection proper and security requirements for the anti-virus protection tools themselves.

There are six protection classes for anti-virus protection tools. The requirements are tightened (in terms of functionality, not substantially) from the sixth class to the first: the lowest class is the sixth, the highest is the first. The requirements for classes 6 through 4 are publicly available. The requirements for the remaining classes are not published; they are marked "for official use only" (DSP) and are available on request.

SAVZ of the 6th protection class are used in personal data information systems (ISPDN) of classes 3 and 4; the 5th protection class is intended for ISPDN of class 2; and SAVZ of the 4th protection class are used in state information systems that process restricted-access information not constituting a state secret, in ISPDN of class 1, and in public-use information systems of class II.

SAVZ of protection classes 3, 2 and 1 are used in information systems that process information constituting a state secret.

SAVZ or their components are divided into four types:

The detailed requirements for the security functions established by the Requirements, and the interrelationships between those requirements, are given for each class and type of SAVZ in protection profiles (I have come across two ways of stressing this word) approved by the FSTEC of Russia on June 14, 2012 as methodological documents, in accordance with subparagraph 4 of paragraph 8 of the Regulation on the Federal Service for Technical and Export Control approved by Decree of the President of the Russian Federation N 1085 of August 16, 2004.

The FSTEC of Russia methodological documents containing the SAVZ protection profiles (usually simply called profiles) for protection classes 4, 5 and 6 are posted on the official FSTEC website www.fstec.ru in the section "Documents on certification of information protection tools and attestation of informatization objects against information security requirements".

Since what is most often required is centralized protection of workstations, we consider the requirements for type "V" SAVZ of the 4th protection class (denoted IT.SAVZ.V4.PZ), the highest class whose requirements are published openly.
The main threats against which type "V" SAVZ are used are those associated with the introduction of malicious computer programs (viruses) (KV) into information systems from information and telecommunication networks, including international information exchange networks (public communication networks), and (or) from removable computer storage media.

Looking ahead: the document describes no function at all that would resist the introduction of malicious programs while working on a local network or the Internet.

Incidentally, for type "G" threats from the Internet are considered irrelevant, and that is essentially the only difference between IT.SAVZ.G4.PZ and IT.SAVZ.V4.PZ.

And right away a serious mistake. The protection is not designed for the typical situation in which malicious programs that have already penetrated the protected computers must be eliminated. Apparently the authors of the Profiles assume that the anti-virus must know in advance everything that tries to penetrate, and that is unrealistic.
The following security functions must be implemented in the SAVZ (the list is slightly abbreviated):
  • access control for the SAVZ;
  • management of the installation of updates to the database of malicious computer program (virus) signatures (DB PKV) of the SAVZ;
  • SAVZ security audit;
  • performing checks of objects of influence;
  • processing of objects of influence.

Judging by the list, the SAVZ is assumed to consist of a pure anti-virus alone. No restriction of rights, no control over executed processes as a means of protection in principle. That is, there is no protection against threats unknown to the anti-virus. Sad.
In the environment in which the SAVZ operates, the following environment security functions must be implemented:
  • provision of a trusted route between the SAVZ and its users;
  • provision of a trusted channel for receiving SAVZ updates;
  • ensuring secure operating conditions;
  • security attribute management.

A rather important list: it requires an update channel and self-protection. Unfortunately, automatic receipt of updates in closed networks is problematic and/or not foreseen when such networks are built.
Anti-virus protection: protection of information and components of an information system (IS) from malicious computer programs (viruses) (detection of malicious computer programs (viruses), blocking and isolation of "infected" objects, removal of malicious computer programs (viruses) from "infected" objects).

And one more serious mistake. Having decided to enumerate every possible action of the anti-virus, the profile authors have driven themselves into a trap. The closed list allows no extensions, and if you read it you will see that it contains no operation for removing the malicious program itself! So work of the anti-virus with (for example) trojans is not provided for!
An anti-virus protection tool is a software tool that implements functions for detecting computer programs or other computer information intended for the unauthorized destruction, blocking, modification or copying of computer information or for neutralizing information protection tools, and for responding to the detection of such programs and information.

If the anti-virus can only send notifications, is that enough to satisfy the "response" requirement?
An anti-virus protection tool corresponding to this protection profile (PZ) must provide:
  • performing checks to detect KV-infected objects in the file areas of storage media;

What does "performing a check" mean? A file monitor? An anti-virus scanner? A utility for parsing files by hand?

What are file areas? A file system contains not only files but also, say (for NTFS), alternate data streams, where viruses can hide as well. And what about checking service areas, the MBR and so on?
  • the ability to perform checks to detect KV-infected objects on command;

Well, this is an anti-virus scanner.
  • performing checks to detect KV-infected objects by signature methods;

That is, only known viruses. No polymorphic malicious objects. No non-signature methods. No comment.
  • receiving and installing updates to the PKV database without the use of automation tools;

Relevant for an internal network. It really is necessary, but it looks odd against the background of the requirement for a trusted channel to the update servers.
  • generation of an audit record for auditable events;
  • the ability to read information from audit records;
  • restriction of access to reading audit records;
  • search, sorting and ordering of audit data;

Personally, I think this is not a job for an individual machine. Such things should be done by a centralized management tool. Anyway.
  • the ability for authorized users (roles) to control the execution mode of the SAVZ security functions;
  • the ability for authorized users (roles) to manage the settings of the SAVZ security functions;
  • support for defined roles for the SAVZ and their association with specific security administrators and users of the IS.

For brevity we will not consider the requirements related to logging, protection against changes to settings, access control and so on. Let us dwell only on the functionality that directly provides protection.
3.2. Information security threats
3.2.1. Threats countered by the target of evaluation
Threat-1
1. Summary of the threat: introduction of KV into automated workstations of the IS during information exchange with external information and telecommunication networks, including international information exchange networks (public communication networks).
Threat-2
1. Summary of the threat: introduction of KV into automated workstations of the IS from removable computer storage media.

The list of threats is very short. For example, the threat of an attack (spread of viruses) over a local network is not considered at all.
3.3. Organizational security policy
The target of evaluation must follow the organizational security policy set out below.
Security Policy-1
Appropriate registration and alerting mechanisms must be provided for all events related to possible security violations. The registration mechanisms must give authorized IS subjects the opportunity to selectively review information about the events that have occurred.
Security Policy-5
The target of evaluation must ensure that checks are performed to detect KV-infected objects in the specified memory areas and files.

That is, after all, the anti-virus apparently only needs to perform periodic or on-demand checks. There is no check of the various kinds of service areas.
Security Policy-6
The target of evaluation must provide the ability to set the execution modes of checks for detecting KV-infected objects.
Security Policy-7
The target of evaluation must provide the ability to delete (where deletion is technically possible) KV code from infected objects.

And if it is not possible? Well, simply removing the malicious program is not provided for.
4.1. Security objectives for the target of evaluation

This section almost literally repeats the above.
Security objective-5. Performing object checks
The target of evaluation must ensure that checks are performed to detect KV-infected objects.
Security objective-6. Check modes
The target of evaluation must provide the ability to set the execution modes of checks for detecting KV-infected objects.
Security objective-7. Processing infected objects
The target of evaluation must provide the ability to delete (where deletion is technically possible) KV code from infected objects.

Next come descriptions of the functionality with dependencies (if any). Essentially, what was written earlier is repeated once again.
5.1.1. Functional security requirements
5.1.1.3. Checks for infected objects (FAV_DET_EXT)
FAV_DET_EXT.1 Basic KV detection
FAV_DET_EXT.1.1 The TSF must perform checks to detect KV in the file areas of storage media, [assignment: other objects].
No dependencies.
5.1.1.4. Methods of checking for infected objects (FAV_MTH_EXT)
FAV_MTH_EXT.1 Analysis methods
FAV_MTH_EXT.1.1 The TSF must perform checks to detect KV in objects using signature methods, [assignment: other methods].
FAV_MTH_EXT.2 Performing checks
FAV_MTH_EXT.2.1 The TSF must perform checks to detect KV-infected objects on command from [assignment: authorized roles] [assignment: other modes of performing checks].
5.1.1.5. Processing of affected objects (FAV_ACT_EXT)
FAV_ACT_EXT.1 KV removal
FAV_ACT_EXT.1.1 When KV are detected, the SAVZ security function must delete the KV from files, system areas of media, [assignment: other objects].

Strange. Earlier there was no mention of system areas, and the requirement to check memory has disappeared.
5.1.1.6. PKV DB update (FAV_UPD_EXT)
FAV_UPD_EXT.1 PKV DB update
FAV_UPD_EXT.1.1 The TSF must ensure the receipt and installation of PKV database updates locally without the use of automation tools and [assignment: other modes of performing updates].

That's all! As we can see, what we are offered as an anti-virus is an anti-virus scanner from the end of the last century, without the ability to detect, for example, polymorphic viruses.
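To make the point concrete, here is an added illustration (not code from the article or from any certified product): a minimal Python scanner that implements just the functional requirements quoted above, signature matching over file areas (FAV_DET_EXT.1, FAV_MTH_EXT.1), an on-command check (FAV_MTH_EXT.2), processing of detected objects (FAV_ACT_EXT.1) and an audit record per detection. The signature database, the marker bytes, the quarantine-by-rename action and the optional gzip unpacking are all constructed assumptions; the second run shows what a profile-conformant scanner already misses when the same bytes merely sit inside a container.

```python
import gzip
import os
import tempfile
from typing import Dict, List, Optional, Tuple

# Constructed signature database (the profile's "DB PKV"); a real one holds byte patterns
# of known malicious programs, this harmless marker stands in for them.
SIGNATURES: Dict[str, bytes] = {"Constructed.Test.Marker": b"<<CONSTRUCTED-TEST-MARKER>>"}


def scan_bytes(data: bytes) -> Optional[str]:
    """FAV_MTH_EXT.1: signature matching over the raw bytes of one object, nothing more."""
    for name, sig in SIGNATURES.items():
        if sig in data:
            return name
    return None


def scan_tree(root: str, unpack_gzip: bool = False) -> List[Dict[str, str]]:
    """FAV_DET_EXT.1 / FAV_MTH_EXT.2: on-command check of the 'file areas' under root.
    With unpack_gzip=False this is exactly what the profile asks for; looking inside
    containers is an assumed extension the profile never mentions."""
    audit: List[Dict[str, str]] = []  # one audit record per processed object
    for dirpath, _, files in os.walk(root):
        for fn in sorted(f for f in files if not f.endswith(".quarantined")):
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read()
            verdict = scan_bytes(data)
            if verdict is None and unpack_gzip and data[:2] == b"\x1f\x8b":
                try:
                    verdict = scan_bytes(gzip.decompress(data))
                except (OSError, EOFError):
                    pass  # corrupt container: cannot be unpacked, so cannot be checked
            if verdict is not None:
                # FAV_ACT_EXT.1 / Security Policy-7: process the infected object. The whole
                # file is the malicious object here, so "removal" means quarantining it.
                os.replace(path, path + ".quarantined")
                audit.append({"object": fn, "verdict": verdict, "action": "quarantined"})
    return audit


def demo() -> Tuple[List[str], List[str]]:
    """Constructed corpus: a file with the marker, a gzip-compressed copy and a clean file."""
    root, marker = tempfile.mkdtemp(), SIGNATURES["Constructed.Test.Marker"]
    corpus = {"plain.bin": b"header " + marker + b" trailer",
              "packed.gz": gzip.compress(marker), "clean.txt": b"nothing to see here"}
    for name, content in corpus.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    first = scan_tree(root)                     # profile-level scanner: plain.bin only
    second = scan_tree(root, unpack_gzip=True)  # with unpacking: packed.gz is found too
    return [r["object"] for r in first], [r["object"] for r in second]
```

Nothing in the profile obliges a conformant tool to take the second step, which is the gap the article is pointing at.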

To summarize:

In fact, IT.SAVZ.V4.PZ / IT.SAVZ.G4.PZ describe a fairly simple anti-virus scanner. At the same time, in the case of IT.SAVZ.V4.PZ it is completely incomprehensible how it is supposed to resist infection either when working on the Internet or when working with flash drives, since nothing of the sort is provided for.

Recall that the 4th protection class corresponds to ISPDN class 1. What more can be said; no comment. The only plus is that if someone needs to use certified protection, but full anti-virus protection is not really required or not possible, protection can be implemented in accordance with this profile.

If there is interest, the next article can look at which requirements the typical protection profile is filled in with (for IT.AEFA.B4PZ / IT.AEFA G4PZ; the document is about 48 pages).

Source: https://habr.com/ru/post/262413/
