About threat modeling

The issue of ensuring information security of State Information Systems not only does not lose relevance, but with the development of the concept of e-government and an increase in the number of e-services, it becomes more significant. So, about a month ago, the article “And so it will come down ... or how the data of 14 million Russians were in my hands” caused a great resonance at Habrahabr.

Using the terminology of the draft document “Methods for determining information security threats in IP” , this situation can potentially be described as follows:
')

• A state authority, a local government body and an organization that, in accordance with the legislation of the Russian Federation, owns information, customers and (or) operators of information systems: the Federal Service for Supervision in the Field of Education and Science.
• Source of threats to NSD in ISPDN: external actors (individuals)
• As possible goals (motivation) for the implementation by violators of threats to the security of information in the information system can be: curiosity or a desire for self-realization; the identification of vulnerabilities for the purpose of their further sale and financial gain;
• To achieve its goal, the offender chooses the weakest link in the information system: “To obtain information about the education document, simply fill out a form, move the slider, and press a button.”
• The analysis of access rights is carried out, at a minimum, with respect to the following components of the information system: software, software and hardware and technical means of information processing; communication channels that go beyond the controlled zone: this case revealed the possibility of SQL Injection.
• Also, the consequences of the threat realization, including economic, social, political, etc., are to be assessed. For example, let's look at what is related to social consequences: The appearance of negative publications in publicly available sources. The impossibility (interruption) of the provision of social services (services). Other consequences leading to increased social tension in society.
• Reconsideration (reassessment) of information security threats is carried out at least in the following cases: the identification of vulnerabilities leading to the emergence of new information security threats or to an increase in the possibility of implementing existing ones; the appearance of information and facts about the new opportunities of violators. The vulnerability was closed, the service temporarily did not work.

As is known, the requirements for the protection of State Information Systems (GIS) are regulated by the order of the FSTEC dated February 11, 2013 N 17 "On approval of requirements for the protection of information that is not a state secret contained in state information systems."

This order contains requirements for the protection of information and defines the stages of work on the creation of information protection. Below is a brief summary of such steps.

To ensure the protection of information contained in the information system, the following measures are taken:

• formation of requirements for the protection of information contained in the information system;
• development of information security information system;
• implementation of information system information protection system;
• certification of information systems for information protection requirements (hereinafter - certification of information systems) and putting it into action;
• ensuring the protection of information during the operation of a certified information system;
• ensuring the protection of information during the decommissioning of a certified information system or after the decision to end information processing.

In the context of this article, we will be primarily interested in the stage of formation of requirements for protection.

Formation of requirements for the protection of information contained in the information system is carried out taking into account GOST R 51583 “Information protection. The procedure for creating automated systems in a protected version. General Provisions ”and GOST R 51624“ Information Security. Automated systems in a protected version. General requirements "and includes:

• deciding on the need to protect the information contained in the information system;
• classification of an information system for information protection requirements (hereinafter - the classification of an information system);
• identification of information security threats, the implementation of which may lead to the violation of information security in the information system, and the development of an information security threat model based on them;
• definition of information security system requirements information system.

As we can see, Order No. 17 separately made a definition of security threats, and the inspection bodies request a document called “Threat Model” during the inspection.

So, let's try to deal with this document.

The development of a threat model itself should be based on the following FSTEC documents:

• "The basic model of threats to the security of personal data when they are processed in personal data information systems", Federal Service for Technical and Export Control, 2008
• “Methods for determining the actual threats to the security of personal data during their processing in personal data information systems”, Federal Service for Technical and Export Control, 2008.

The “base model” contains a systematic list of threats to the security of personal data when they are processed in personal data information systems. Many information security experts are quite skeptical about this document. The threats in the base model are outdated and far from comprehensive. However, in the absence of the best, one has to be content with the current version of the document. At once I want to note that there is also a newer version of the document at FSTEC, with the help of which the case was partially described at the beginning of the article, but the new version has been in the draft stage for quite a long time and has not been approved. Therefore, certification authorities require a Threat Model based on the above documents.

More information about the draft document "Methods for determining threats to the security of information in the IP" can be found in Habré in the article "The document that was expected ."

However, returning to the 17th order, we read the following.

Information security threats are determined based on the results of assessing the capabilities (potential) of external and internal violators, analyzing possible information system vulnerabilities, possible ways to implement information security threats and the consequences of a violation of information security properties (confidentiality, integrity, availability).
As a source of data to determine information security threats, the information security threats database (bdu.fstec.ru) is used, as well as other sources containing information about information security vulnerabilities and threats.

But here there is a hitch, a data bank has been created, there are software products automating security analysis in accordance with this bank, but there is no mention of this bank in existing documents of the Base Model and Methods for Determining Actual Threats.

In general, the situation is quite typical for our legislators, and over time they are usually corrected by them, but when it is, there is no clarity. Therefore, we approach creative modeling by compiling both approaches; this is not prohibited and gives information that is more relevant to real security.

What needs to be determined and taken into account according to the order:

• structural and functional characteristics of our system;
• physical, logical, functional and technological interconnections between segments of an information system, with other information systems and information and telecommunication networks;
• modes of information processing in the information system and in its individual segments;
• other characteristics of the information system, applied information technologies and features of its functioning.

Another important point is that, as a result of the simulation, it is possible, if necessary, to issue recommendations for adjusting the system, i.e. its structure and / or characteristics.

About the contents of the document "Model of security threats", I will quote the 17th order, which the following requires of us:

"The model of information security threats should contain a description of the information system and its structural and functional characteristics, as well as a description of information security threats, including a description of the abuser’s capabilities (violator model), possible information system vulnerabilities, ways to implement information security threats and the consequences of violation of information security properties . "

This list of points does not claim to be the ultimate truth, but as shown by checking its completeness, of course, depending on the content of such points. In order to correctly fill in these points, a security specialist needs to dive deep enough into the system information, understand which applications are used, for what purpose, and for what purpose.

Naturally, if the security functions are not assigned to the system administrator, such a specialist will in most cases need help from people who know the system. But in most cases, our realities show that it is precisely system administrators who have to deal with all stages of bringing information systems into compliance with the legislation of information systems. Of course, in large organizations, for the most part, there are corresponding staff units responsible for security. And if the budget allows, then specialized organizations that have licenses for the relevant type of activity are hired.