Basics of information security. Error price

While the material is being prepared for the following parts and we await your wishes, on the topic of the third part of the “fundamentals of information security” left in the comments to the second part “Basics of information security. Part 2: Information and means of its protection . ” We decided to make a small, but nonetheless important, digression, considering the price of mistakes in the design and operation of the information security system with examples.

Quite a few understand perfectly well that any miscalculations and mistakes entail consequences that can turn back more than pitiable. At the same time, as was rightly noted in the comment to the first article “Basics of Information Security. Part 1: Types of Threats. The concept of information security is much broader than the scope of the IT industry and errors and errors in the provision of which can affect everyone, regardless of their field of activity.

Let's start with the most common but equally painful to more interesting.

“Why me” or “For what”?

')
As often happens, the owner of any small company located not even in the largest city of Russia thinks that he really is not exactly needed by anyone, and one should not even spend his forces on it when the circle is full of monsters-corporations who have something what to take. Based on this, the owner of this company does not spend his time and money on information security. The maximum than he is limited - this is an antivirus and hope: "Maybe it will blow over."

However, small and medium businesses suffer from theft of information much more often than large corporations. Even the statistics is hampered by the counting of victims in this segment, since many owners do not even realize that the fact of the leakage took place, since in principle they lack the tracking and analysis tools.

In the 21st century, the problem of data leakage, unfortunately, concerns absolutely everyone. The reasons for this, thousands of worked sneaky insider, the employee does not know the basic safety rules when working on the Internet. Or, for example, competitors get access to the latest developments of the company, which has very serious consequences for it, because as a result of such leaks all the money spent on research and development are actually donated to competitors. Leaks of financial documentation, especially in those moments when the company is not in the best shape, shall we say, also quite predictably, can carry very serious consequences, including bankruptcy. Or let's say hackers have used various vulnerabilities and so on. If you do not want such an incident to put an end to the company's activities, you should at least make backup copies of the information. In this case, they will at least give the opportunity to recover, if we say the database or the whole system has been encrypted.

The most striking example is the WannaCry virus. While he was walking around the world, he managed to pretty much succeed. In Russia, the computer systems of the Ministry of the Interior, the Russian Railways company, banks and the mobile operator Megafon were attacked.

The Center for Monitoring and Responding to Computer Attacks in the Credit and Financial Sphere of the Bank of Russia (FinCERT) reported that the WannaCry virus has affected the resources of several Russian banks.

“Following the distribution of malicious software WannaCry recorded facts of compromise of resources of credit institutions. The consequences of these incidents were eliminated as soon as possible. ”

The announcement was published by the Central Bank on May 19 .

Among the most seriously affected by the virus is the British Public Health System (NHS). Many of its hospitals and clinics were forced to send patients home, because the staff could not access computer information. The systems of Deutsche Bahn, Germany’s main railway operator, have also suffered.

Since large market players understand the consequences of possible threats to information security and spend sufficient funds to provide protection, small and medium businesses are most vulnerable and the consequences for business owners can be more than deplorable or even terrifying as in the following example.

In October 2017, an unknown person found a flash drive on earth that revealed details about the security systems of Heathrow’s largest UK airport .



In particular, maps of the location of surveillance cameras, tunnels, emergency exit mines, as well as patrol schemes and a description of the ultrasound radar system used to scan the perimeter and runways were found on the drive.

The airport administration, however, has already stated that it is confident in the effectiveness of its security protocols. With regard to data leakage, the airport launched an internal investigation with the intention of finding out how this could happen and prevent relapses.

In any case, now we need a serious correction of these procedures. The airport is also waiting for serious reputational losses and, most likely, the investigation of the incident at the level of the Government and Parliament.

Another high-profile example occurred in September 2017 it became known about one of the largest leaks of personal data in US history. The hacker hacking of computer systems, which caused nearly half of the country's population to suffer, occurred at the Equifax credit bureau, as reported in the company itself.

According to Equifax, cybercriminals, taking advantage of the company's vulnerability, gained access to certain files from mid-May to late July 2017.



Social security numbers, dates of birth and, in some cases, driver's license numbers were lost. In addition, credit card numbers of about 209 thousand Americans and a number of claims documents containing personal data of 182 thousand Americans fell into their hands of hackers. September 8, 2017, the company's quotes fell by 13% at the time of the termination of the main exchange trading.

Other less painful but equally unpleasant cases include the occasionally emerging news about the discharge of intimate photos of celebrities who may not directly incur commercial losses, but reputational ones are so certain. Including in the flesh and before the commercial, if someone’s intrigue emerged in the photo, which could destroy the marriage and significant sums could be paid under the marriage contract.



So at the beginning of September 2014, a massive drain of intimate photos of American celebrities took place on the network. Among the victims of hackers were such actresses as Jennifer Lawrence, Kirsten Dunst, Emma Watson.

Photos of which were found on the The Fappening forum, where hackers posted, including two videos of an intimate nature, and 123 photos of Emma Watson. There were also much more outspoken pictures of Seyfried resting with actor Thomas Sadoski, with whom they had been engaged since September 2016.

Experts suggested that hackers could steal pictures by breaking into the cloud-based iCloud service.

However, in my opinion the most interesting and large-scale cases of errors in information security, which cost on the one hand many hundreds, if not thousands of victims, and on the other saved lives occurred during the first world war.



An outstanding example of French electronic espionage was the interception of a long message transmitted to the German ambassador in Paris from the Ministry of Foreign Affairs of Germany, which contained a note of declaration of war, intended for transmission to the French government. The French, who had already cracked the code, which encrypted the message, not only intercepted the sent message, but also distorted its content to such an extent that the German ambassador at first could not understand it, while the French had received valuable time to prepare for mobilization.

The British intelligence services also distinguished themselves; they broke into top-secret German codes and for three years had the opportunity to intercept and decrypt all messages that the German Foreign Ministry sent to its foreign embassies. The British managed to keep it secret and only slightly hint about this to their American allies when the Germans, who were completely unaware of the leakage of information from their intelligence services, tried to push Mexico into the war with the promise of assisting in the annexation of the US states of Texas, Arizona and New Mexico .

German colleagues did not remain in debt. At the front, between divisions, the telephone was a common means of communication, and therefore, quite clever methods were invented to eavesdrop on the enemy’s communications. During the trench warfare, the troops mainly used single-wire, grounding telephone systems. Since the only wire was on its territory, the military command was convinced that the enemy could only eavesdrop on their conversations by directly connecting to the line. They were not at all bothered by eavesdropping and, therefore, they took no precautions. This belief, as it turned out, was completely unfounded and the first to know about it was the British Expeditionary Force in France, which already in 1915 began to realize that the Germans could foresee and discourage their operations with annoying regularity. It looked as if the Germans were receiving copies of orders about the planned advance of the British forces. In fact, the Germans created a device that, through a network of copper wires or metal rods dug as close as possible to the lines of the enemy, could take even the weakest currents created by grounding the British telephone system. Stray grounding and leakage currents were picked up and amplified with a newly invented, very sensitive amplifying lamp. Thus, the Germans had the opportunity to take advantage of the unsystematic use of the phones by the enemy, intercepting their messages through grounding. As soon as this original system was discovered, the British immediately invented a device capable of blocking the propagation of sound through the earth within a certain radius from the radiation source. This device not only put an end to the enemy's interception of telephone conversations, but also led to the development of a new system for intercepting telephone conversations through the land.

As you can see, mistakes made in the development of information security systems, as well as in using or ignoring the means and methods of information protection in any field of activity can have from minor to tragic consequences.