
From an information security point of view, cryptographic keys are critical data. Where attackers once had to get onto a company's premises and break open rooms and safes to rob it, today it is enough to steal a token holding a cryptographic key and make a transfer through the Internet Client-Bank system. The security provided by cryptographic information protection tools (in Russian regulatory terminology SKZI, the abbreviation used throughout this article) rests on keeping cryptographic keys confidential.
And how do you keep confidential something you do not even know exists? To lock a token with a key in a safe, you first need to know about both the token and the safe. Paradoxically, very few companies know the exact number of key documents they use. This happens for a variety of reasons: underestimation of information security threats, missing business processes, insufficient staff qualification in security matters, and so on. The problem is usually remembered only after an incident.
This article describes the first step towards improving the protection of information with cryptographic tools, or more specifically, one approach to auditing SKZI and cryptographic keys. The story is told from the viewpoint of an information security specialist, and we assume the work starts from scratch.
Terms and Definitions

At the beginning of the article, so as not to frighten the unprepared reader with complex definitions, we freely used the terms "cryptographic key" and "cryptokey"; now it is time to tighten the vocabulary and bring it into line with current legislation. This is an important step, because it determines how the information obtained during the audit will be structured.
- A cryptographic key (cryptokey) is a set of data that ensures the selection of one specific cryptographic transformation out of all those possible in a given cryptographic system (definition from the "Pink Instruction", FAPSI Order No. 152 of 13 June 2001, hereinafter FAPSI 152).
- Key information is a specially organised set of cryptographic keys intended to implement cryptographic protection of information for a certain period of time [FAPSI 152].
To see the difference between a cryptokey and key information, consider HTTPS. A public/private key pair is generated, and a certificate is produced from the public key plus additional information. In this scheme the certificate together with the private key forms the key information, while each of them separately (the private key, and the public key carried in the certificate) is a cryptokey. A simple rule of thumb: end users work with key information when they use an SKZI, while the individual cryptokeys are used inside the SKZI. Note that key information may also consist of a single cryptokey.
- Key documents are electronic documents on any medium, as well as paper documents, containing restricted-access key information used for cryptographic transformation of information with the cryptographic transformation algorithms (cryptographic key) in encryption (cryptographic) means (definition from Government Decree No. 313 of 16 April 2012, hereinafter PP-313).
In plain language, a key document is key information recorded on a carrier. The distinction matters because key information is what gets used (for cryptographic transformations: encryption, electronic signature, etc.), whereas the key documents containing it are what gets handed to employees.
- Means of cryptographic information protection (SKZI) are encryption tools, imitation protection tools, electronic signature tools, encoding tools, tools for producing key documents, key documents, hardware encryption (cryptographic) tools and software-hardware encryption (cryptographic) tools [PP-313].
This definition includes key documents among the SKZI. The term is fixed by the Government Decree and we have no right to change it. Nevertheless, the rest of the article treats only the tools that perform cryptographic transformations as SKZI. This simplifies the audit without reducing its quality, since key documents are still accounted for, in their own section and by their own methods.
Audit methodology and expected results

The audit methodology proposed in this article rests on two postulates:
- no single company employee can accurately answer the questions asked during the audit;
- the existing data sources (lists, registries, etc.) are imprecise or poorly structured.
Therefore the method is a kind of data mining, in which the same data are extracted from different sources and then compared, structured and refined.
The main dependencies that help us in this are:
- If there is an SKZI, there is key information.
- If there is electronic document flow (including with counterparties and regulators), it most likely uses electronic signatures and therefore SKZI and key information.
- Electronic document flow in this context should be understood broadly: it includes the direct exchange of legally significant electronic documents, the submission of reports, work in payment and trading systems, and so on. The list and forms of electronic document flow are determined by the company's business processes and by current legislation.
- If an employee takes part in electronic document flow, they most likely hold key documents.
- When electronic document flow with counterparties is set up, organisational and administrative documents (orders) appointing responsible persons are usually issued.
- If information is transmitted over the Internet (or other public networks), it is most likely encrypted. This applies above all to VPNs and the various remote access systems.
- If protocols that carry traffic in encrypted form are seen in network traffic, SKZI and key information are in use.
- If payments were made to counterparties that supply information security products, telecommunications equipment, telecommunications services or certification centre services, then SKZI or key documents may have been acquired in the course of that interaction.
- Key documents may be either on removable media (floppy disks, flash drives, tokens, ...) or written inside computers and hardware SKZI.
- Where virtualisation is used, key documents may be stored inside virtual machines or be mounted into virtual machines through the hypervisor.
- A hardware SKZI may be installed inside a server and be unreachable for analysis over the network.
- Some electronic document flow systems may be inactive or rarely used, yet still contain active key information and SKZI.
- Internal regulatory and organisational-administrative documentation may contain information about electronic document flow systems, SKZI and key documents.
Primary information will be obtained by:
- interviewing employees;
- analysing the company's documentation, including internal regulatory and administrative documents and outgoing payment orders;
- visually inspecting server rooms and wiring closets;
- technically analysing the contents of workstations (AWS), servers and virtualisation platforms.
We will formulate the specific measures later; for now let us consider the final data that the audit should produce.
List of SKZI. For each element of the list we record:
- SKZI model. For example, CryptoPro CSP 3.9 or OpenSSL 1.0.1.
- SKZI instance identifier. For example, the serial number, the licence number, or the registration number under PKZ-2005.
- Details of the FSB of Russia certificate for the SKZI, including its number and the start and end dates of its validity.
- Place of operation of the SKZI. For example, the name of the computer on which a software SKZI is installed, or the name of the device or room in which a hardware SKZI is installed.
This information will allow us to:
- Manage vulnerabilities in SKZI, that is, detect and fix them quickly.
- Track the validity of the SKZI certificates, and check whether a certified SKZI is operated in accordance with the rules set out in its documentation.
- Plan SKZI spending, knowing how many are already in operation and how many unused licences remain in stock.
- Produce regulatory reporting.
List of key information. For each element of the list we record:
- Name or identifier of the key information. For example, "Qualified electronic signature key, certificate serial number 31:2D:AF". The identifier should be chosen so that the key can be found by it; certification centres, for instance, usually identify keys by certificate serial number in their notifications.
- The key system management centre (CUKS) that issued the key information. This may be the organisation that issued the key, for example a certification centre.
- The individual to whom the key information is issued. This can be taken from the CN field of the X.509 certificate.
- Format of the key information. For example, CryptoPro SKZI, Verba-OW SKZI, X.509, etc. (in other words, which SKZI the key information is intended for).
- Purpose of the key information. For example, "Participation in bidding on the Sberbank-AST platform", "Qualified electronic signature for reporting", etc. Technically, this field can also record the restrictions from the extended key usage and other extensions of the X.509 certificate.
- Start and end of validity of the key information.
- Reissue procedure for the key information, that is, what needs to be done, and how, when the key information is reissued. At a minimum, record the contacts of the officials of the CUKS that issued it.
- List of information systems, services or business processes in which the key information is used. For example, "Internet Client-Bank remote banking system".
This information will allow us to:
- Track the expiry of key information.
- Reissue key information quickly when needed, whether as planned or unscheduled.
- Block the use of key information when the employee it was issued to is dismissed.
- Investigate information security incidents, answering questions such as "Who had the keys to make payments?".
List of key documents. For each element of the list we record:
- The key information contained in the key document.
- The key carrier on which the key information is recorded.
- The person responsible for the safekeeping of the key document and the confidentiality of the key information on it.
This information will allow us to:
- Reissue key information when employees holding key documents are dismissed, and when carriers are compromised.
- Ensure the confidentiality of key information by keeping an inventory of the media that carry it.
Audit plan
It is time to consider the practical side of the audit. We will do this on the example of a credit and financial organisation, in other words a bank. The example is not chosen at random: banks use a large number of disparate cryptographic protection tools involved in a huge number of business processes, and almost all banks hold FSB of Russia licences for cryptographic activities. Below is the audit plan for SKZI and crypto keys as applied to the Bank; it can also serve as a basis for auditing almost any company. For ease of reading, the plan is divided into stages, each of which is laid out as a table.
Stage 1. Data collection from the company's infrastructure departments

| No | Action | Expected result and its use |
| --- | --- | --- |
| | Source: all company employees | |
| 1 | Send a corporate e-mail to all employees asking them to tell the information security service about every cryptographic key they use. | The replies are the first input for the list of key information and the list of key documents. |
| | Source: head of the IT service | |
| 1 | Request the list of key information and key documents. | With some probability the IT service keeps such documents; we use them to build and refine the lists of key information, key documents and SKZI. |
| 2 | Request the list of SKZI. | As above. |
| 3 | Request the registry of software installed on servers and workstations. | In this registry we look for software SKZI and their components, for example CryptoPro CSP, Verba-OW, Signal-COM CSP, PGP, Rutoken and eToken drivers, CryptoARM, etc. From this data we form the list of SKZI. |
| 4 | Request the list of employees (usually technical support) who help users work with SKZI and reissue key information. | We ask these people for the same information as the system administrators. |
| | Source: system administrators of the IT service | |
| 1 | Request the list of domestic crypto-gateways (ViPNet, Continent, S-Terra, etc.). | Where the company has no regular IT and IS management processes, such pointed questions help administrators remember a particular device or program. The answers go into the list of SKZI. |
| 2 | Request the list of domestic software SKZI (MagPro CryptoPacket, ViPNet CSP, CryptonDisk, SecretDisk, ...). | As above. |
| 3 | Request the list of routers that terminate VPNs for (a) links between company offices and (b) links to counterparties and partners. | As above. |
| 4 | Request the list of information services published on the Internet: (a) corporate e-mail; (b) instant messaging; (c) corporate web sites; (d) extranet services for exchanging information with partners and counterparties; (e) remote banking systems (if the company is a bank); (f) remote access to the corporate network. To check completeness, compare the list with the port-forwarding rules on the border firewalls. | Analysing this information, we are very likely to find SKZI and crypto keys in use. The data go into the list of SKZI and the list of key information. |
| 5 | Request the list of systems used for submitting reports (Taxcom, Kontur, etc.). | These systems use qualified electronic signature keys and SKZI. From the list we form the list of SKZI and key information, and identify the employees who work in them for the list of key documents. |
| 6 | Request the list of internal electronic document management systems (Lotus, DIRECTUM, 1C:Document Management, etc.) together with their users. | Internal EDM systems may use electronic signature keys. From this we form the list of key information and the list of key documents. |
| 7 | Request the list of internal certification centres. | The tools used to run the certification centres are recorded in the list of SKZI. Later we analyse the certification centre databases to identify key information. |
| 8 | Request information on the use of IEEE 802.1X, Wi-Fi WPA2 Enterprise and IP video surveillance. | Where these technologies are used, key documents may be found in the devices involved. |
| | Source: head of the HR service | |
| 1 | Ask for a description of the hiring and dismissal process, focusing on who collects key documents from departing employees. | We analyse the exit checklists for information systems that may involve SKZI. |
Stage 2. Data collection from the business units (using the Bank as an example)

| No | Action | Expected result and its use |
| --- | --- | --- |
| | Source: head of the settlement (correspondent relations) service | |
| 1 | Request a diagram of how the Bank interacts with the Bank of Russia payment system. This is especially relevant for banks with a developed branch network, where branches may connect to the Central Bank payment system directly. | From the data we determine the location of the payment gateways (ARM KBR, UTA) and the list of users involved. The information goes into the lists of SKZI, key information and key documents. |
| 2 | Request the list of banks with which direct correspondent relations are established, and ask who executes the transfers and with what technical means. | Same as for the Bank of Russia payment system. |
| 3 | Request the list of payment systems in which the Bank participates (SWIFT, VISA, MasterCard, NSPK, etc.) and the location of their communication terminals. | Same as for the Bank of Russia payment system. |
| | Source: head of the unit responsible for remote banking services | |
| 1 | Request the list of remote banking systems. | In these systems we analyse the use of SKZI and key information; the data go into the lists of SKZI, key information and key documents. |
| | Source: head of the unit responsible for payment card processing | |
| 1 | Request the HSM registry. | From the information received we form the lists of SKZI, key information and key documents. |
| 2 | Request the roster of security officers. | As above. |
| 3 | Request information on the components of the HSM LMK (local master key). | As above. |
| 4 | Request information on how 3-D Secure and payment card personalisation are organised. | As above. |
| | Source: heads of the units performing treasury and depositary functions | |
| 1 | Request the list of banks with which correspondent relations are established and which participate in interbank lending. | We use this to clarify the data obtained earlier from the settlement service and to record interaction with exchanges and depositories. The information goes into the lists of SKZI and key information. |
| 2 | Request the list of exchanges and specialised depositories with which the Bank works. | As above. |
| | Source: heads of financial monitoring and of the units that submit reports to the Bank of Russia | |
| 1 | Request how they send information to and receive it from the Central Bank, the people involved and the technical means used. | Information exchange with the Bank of Russia is strictly regulated (for example by Ordinance 2332-U, Instruction 321-I and many others); we check compliance with these documents and form the lists of SKZI, key information and key documents. |
| | Source: chief accountant and the accountants who pay invoices for intrabank needs | |
| 1 | Request how reports to the tax inspectorate and the Bank of Russia are prepared and submitted. | We refine the information obtained earlier. |
| 2 | Request the register of payment documents for intrabank needs. | In this register we look for payments where (1) the payee is a certification centre, a specialised telecom operator, an SKZI manufacturer or a telecommunications equipment supplier (names of such companies can be taken from the FSB of Russia register of certified SKZI, the Ministry of Communications list of accredited certification centres and other sources), or (2) the payment purpose contains words such as "SKZI", "signature", "token", "key", "credit bureau", etc. |
| | Source: heads of the overdue debt and risk management services | |
| 1 | Request the list of credit bureaus and collection agencies with which the Bank works. | Together with the IT service we analyse how the electronic document flow with them is organised and refine the lists of SKZI, key information and key documents. |
| | Source: heads of the document management, internal control and internal audit services | |
| 1 | Request the register of internal organisational and administrative documents (orders). | We look for documents related to SKZI by searching for the keywords "security", "responsible person", "administrator", "electronic signature", "EDS", "ES", "EDM", "certification centre", "SKZI" and their derivatives. We then extract the list of Bank employees named in these documents and interview them about their use of cryptographic tools. The results go into the lists of SKZI, key information and key documents. |
| 2 | Request the lists of contracts with counterparties. | We try to identify agreements on electronic document exchange, contracts with companies that supply information security products or provide services in this field, and contracts for certification centre and Internet reporting services. |
| 3 | Analyse how the "documents of the day" are stored in electronic form. | Storing the documents of the day in electronic form necessarily involves SKZI. |
Stage 3. Technical audit

| No | Action | Expected result and its use |
| --- | --- | --- |
| 1 | Take a technical inventory of the software installed on computers, using: the analytical capabilities of the corporate anti-virus system (Kaspersky Anti-Virus, for example, can build such a registry); WMI scripts polling Windows computers; the package managers of *nix systems; specialised inventory software. | Among the installed software we look for software SKZI, drivers for hardware SKZI and drivers for key carriers. The results update the list of SKZI. |
| 2 | Search servers and workstations for key documents: logon scripts poll the domain workstations for certificates with private keys in user and computer profiles; on all computers, file servers and hypervisors we search for files with the extensions crt, cer, key, pfx, p12, pem, pse, jks, etc.; on virtualisation hypervisors we look for mounted disk and floppy images. | Very often key documents take the form of file key containers, or of containers stored in the registry of Windows computers. Found key documents go into the list of key documents, and the key information they contain into the list of key information. |
| 3 | Analyse the contents of the certification centre databases. | Certification centre databases usually hold data on the certificates they have issued. The information goes into the list of key information and the list of key documents. |
| 4 | Visually inspect server rooms and wiring closets, looking for SKZI and hardware key carriers (tokens, drives). | In some cases SKZI and key documents cannot be inventoried over the network: systems may sit in isolated network segments or have no network connection at all. The inspection should establish the name and purpose of every piece of equipment in the server room. The information goes into the list of SKZI and the list of key documents. |
| 5 | Analyse network traffic to identify information flows that use encrypted exchange. | Encrypted protocols (HTTPS, SSH and others) let us identify the network nodes that perform cryptographic transformations and therefore hold SKZI and key documents. |
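A scripted version of step 1 of the technical audit (and of the installed-software registry requested from IT in stage 1), added here as an illustration; it is not part of the original article. It reads the Uninstall registry keys of every enabled domain computer over WinRM, rather than the slow Win32_Product WMI class, and keeps only products whose names match a list of known SKZI and key carrier drivers. The product name patterns, the output paths, the use of the ActiveDirectory module and the availability of WinRM with local administrator rights on the targets are assumptions.

```powershell
# Added example, not from the original article. Assumptions: RSAT ActiveDirectory
# module is installed, WinRM is enabled on the targets and the current account
# is a local administrator there. Patterns are illustrative; extend as needed.

$Patterns = @(
    'CryptoPro', 'КриптоПро', 'ViPNet', 'Signal-COM', 'Verba', 'Верба',
    'MagPro', 'SecretDisk', 'CryptonDisk', 'CryptoARM', 'КриптоАРМ',
    'Rutoken', 'eToken', 'SafeNet', 'JaCarta', 'PGP', 'Gpg4win', 'OpenSSL'
)
# Escape each name so that "Signal-COM" and friends are matched literally.
$Regex = ($Patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

$Scan = {
    param($Regex)
    # Both native and WOW6432Node hives: 32-bit SKZI on 64-bit Windows live in the latter.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayName -match $Regex } |
        ForEach-Object {
            [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME   # place of operation (SKZI list)
                Product      = $_.DisplayName      # SKZI model (SKZI list)
                Version      = $_.DisplayVersion
                Publisher    = $_.Publisher
                InstallDate  = $_.InstallDate
                # The instance identifier (serial / licence number) is not in the
                # Uninstall key; it has to come from the product's licence tool or paperwork.
            }
        }
}

$Computers = Get-ADComputer -Filter 'Enabled -eq $true' |
    Select-Object -ExpandProperty DNSHostName

$Results = Invoke-Command -ComputerName $Computers -ScriptBlock $Scan -ArgumentList $Regex `
    -ThrottleLimit 32 -ErrorAction SilentlyContinue -ErrorVariable Unreachable

if ($Results) {
    $Results | Select-Object ComputerName, Product, Version, Publisher, InstallDate |
        Sort-Object ComputerName, Product |
        Export-Csv -Path .\skzi-software-inventory.csv -NoTypeInformation -Encoding UTF8
}

# A host that could not be polled is an audit gap, not "no SKZI": hand the list
# to the visual inspection step rather than silently dropping it.
$Unreachable | ForEach-Object { $_.TargetObject } | Sort-Object -Unique |
    Set-Content -Path .\skzi-unreachable-hosts.txt
```

Run it from a management workstation with domain rights. Matching on DisplayName is deliberately loose (it catches "КриптоПро CSP" as well as "CryptoPro CSP"), so expect a few false positives to weed out by hand; the unreachable-hosts file is the more important output, because isolated segments and switched-off machines are exactly where forgotten SKZI tend to survive.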
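The logon-script part of step 2 of the technical audit, with each record laid out in the fields of the list of key information given earlier; added here as an illustration and not part of the original article. The script lists certificates that have a private key in the user's and the computer's Personal store (where CryptoPro CSP, ViPNet CSP and the Microsoft CSPs register their containers), flags those expiring soon, looks for file-based key containers by extension, and enumerates CryptoPro registry containers. The output share, the extension list, the 30-day expiry threshold and the CryptoPro registry path are assumptions.

```powershell
# Added example, not from the original article. Run as a domain logon script
# (user context) or via Invoke-Command (machine context); the registry part
# needs local administrator rights. $OutDir is an assumed share writable by all users.

$OutDir         = '\\fileserver\audit$\keys'
$ExpiryWarnDays = 30
$Now            = Get-Date

function Save-Part($Objects, $Name) {
    # Export-Csv refuses a $null input, so skip empty parts instead of failing the logon.
    if ($Objects) {
        $file = Join-Path $OutDir ("{0}_{1}_{2}.csv" -f $Name, $env:COMPUTERNAME, $env:USERNAME)
        $Objects | Export-Csv -Path $file -NoTypeInformation -Encoding UTF8
    }
}

# (1) Certificates with a private key: only these are key documents. A certificate
#     without HasPrivateKey is just a public credential and would inflate the list.
$Stores = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'
$Certs = foreach ($store in $Stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object {
            $eku = ($_.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join '; '
            $cn  = $_.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
            [pscustomobject]@{
                Host       = $env:COMPUTERNAME
                User       = $env:USERNAME
                Store      = $store
                Identifier = $_.SerialNumber               # how the CA refers to the key
                Thumbprint = $_.Thumbprint
                Subject    = $cn                           # person the key is issued to
                Issuer     = $_.Issuer                     # the CUKS / certification centre
                Purpose    = $eku                          # extended key usage
                Algorithm  = $_.SignatureAlgorithm.FriendlyName   # GOST vs RSA hints at the SKZI format
                NotBefore  = $_.NotBefore
                NotAfter   = $_.NotAfter
                DaysLeft   = [int]($_.NotAfter - $Now).TotalDays
                Expiring   = $_.NotAfter -lt $Now.AddDays($ExpiryWarnDays)
            }
        }
}
Save-Part $Certs 'certs'

# (2) File key containers. crt/cer are left out on purpose: they normally hold only
#     the public part. The extension list is a starting point, not a complete one.
$KeyExt = '*.key', '*.pfx', '*.p12', '*.pem', '*.pse', '*.jks', '*.p8', '*.gpg'
$Roots  = @($env:USERPROFILE, "$env:SystemDrive\")
$Files  = Get-ChildItem -Path $Roots -Include $KeyExt -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Host = $env:COMPUTERNAME; User = $env:USERNAME
            Path = $_.FullName; SizeBytes = $_.Length; LastWrite = $_.LastWriteTime
        }
    }
Save-Part $Files 'files'

# (3) Registry containers. CryptoPro CSP keeps them per user SID; the path below
#     is what the vendor's 64-bit layout looks like in practice and is an assumption here.
$RegRoots = 'HKLM:\SOFTWARE\WOW6432Node\Crypto Pro\Settings\Users',
            'HKLM:\SOFTWARE\Crypto Pro\Settings\Users'
$RegContainers = foreach ($root in $RegRoots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $sid = $_.PSChildName
        Get-ChildItem -Path (Join-Path $_.PSPath 'Keys') -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Host = $env:COMPUTERNAME; OwnerSid = $sid; Container = $_.PSChildName; Path = $_.Name }
        }
    }
}
Save-Part $RegContainers 'regkeys'
```

The certificate records map directly onto the list of key information (identifier, issuing CUKS, subject, purpose, validity), while the file and registry records seed the list of key documents, with the host and user as the first guess at the responsible person. On large fleets, drop the system-drive root from the file search and run it separately on file servers and hypervisors, or the logon will take minutes; a token-based container shows up in the certificate store only while the token is plugged in, so run the script more than once.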
Conclusion
In this article we reviewed the theory and practice of auditing SKZI and crypto keys. As you have seen, the procedure is complex and time-consuming, but with a competent approach it is entirely feasible. We hope this article helps you in real life. Thank you for your attention; your comments are welcome.