Basics of information security of a virtual server. Part 4: Standards and Specifications
This is the fourth article in a series of articles on the topic of "basics of information security", which is designed to help develop and ensure the safety of the system and data on the virtual server you rent or on any other machine in your work network. The issues described earlier:
- Part 1: Types of Threats
- Part 2: Information and Remedies
- Error price
- Part 3: Information Security Models
It is almost impossible for specialists in the field of information security today to do without knowledge of the relevant standards and specifications. There are several reasons for this. The formal is that the need to follow certain standards, such as "cryptographic" standards or "governing documents" is enshrined in law. However, the most convincing reasons are substantial.
First of all, standards and specifications are one of the forms of knowledge accumulation, first of all about the procedural and program-technical levels of information security. They recorded approved, high-quality solutions and methodologies developed by the most qualified specialists.
')
Secondly, both are the main means of ensuring the mutual compatibility of hardware and software systems and their components.
Thirdly, the standards of information security are faced with the difficult task of reconciling three different points of view, the “manufacturer of protective equipment”, “consumer” and various “certification specialists”, as well as creating an effective mechanism for interaction between all parties.
Consumers are interested in methods that allow them to choose a product that meets their needs and solves their problems; this may also be the VPS running Windows Standard Server, for which they need a security rating scale. As well as the consumer needs a tool with which he will be able to formulate their requirements before the producer. Unfortunately, many consumers often do not understand that safety requirements necessarily contradict not only ease of operation but speed, and often impose certain restrictions on compatibility and, as a rule, force to refuse widespread, convenient to use, but less protected means. .
Certification specialists view standards as a tool to enable them to assess the level of security and provide consumers with the opportunity to make the most effective choice for themselves.
One of the first and most famous documents was the so-called "Orange Book" developed in the 90s as the "Computer Security Criteria" of the US Department of Defense. It defines 4 levels of security, A, B, C, D, where A is the highest level of security, in which, respectively, the most stringent requirements are imposed.
Although the “Orange Book” has become one of the first most well-known documents, however, it is clear that every state that wants to ensure its information security has developed its own documentation - “national standards” in the field of information security. These include “European Criteria for Information Technology Security”, “Canadian Criteria for Computer Systems Security”, as well as “British Practical Rules for Information Security Management” which, by the way, created the international standards ISO / IEC 17799: 2000 (BS 7799— 1: 2000). At the moment, the latest version of the ISO / IEC 27001: 2013 standard, as well as the “Guiding documents of the USSR State Technical Commission” (and later Russia).
It should be noted that the Americans praised the activities of the State Technical Commission of the USSR. In the American editions they wrote that the Soviet body for the protection of information and the counteraction of technical intelligence thoroughly examines everything that is known in the West about the Soviet Union, and develops "a huge amount of materials in order to distort the real picture." The commission, as they reported, controls all military parades and exercises, in which there are foreigners, the construction of missile bases and barracks, while in some areas the achievements are deliberately hidden, in others such as missile defense, are greatly exaggerated. The activity of the State Technical Commission in this area really brought its first fruits very soon. As the American newspaper The New York Times wrote, as early as 1977, as a result of measures taken at shipyards and shipyards of the USSR, the Americans had problems controlling the progress of construction of Soviet submarines.
The results of the work of the USSR State Technical Commission in the Soviet period was not only an increase in the protection of information at military-industrial enterprises, and testing of new types of weapons at landfills. Serious work has been done to ensure the security of information processed by the ACS and the computer, in particular, secure computer control systems and confidential document handling tools have been created, eliminating leakage of secret information, communication channels at the level of government bodies and the high command of the Soviet Army, and much more.
It should also be noted that the previously mentioned role of standards is fixed in the Federal Law " On Technical Regulation " dated December 27, 2002 N 184-
It should be noted that among the principles of standardization enshrined in the said law, Article 7 "Content and application of technical regulations" includes the principle of applying an international standard as the basis for developing a national standard, unless such application is deemed impossible due to non-compliance of international standards with climate and geographical features, technical or technological features, or for other reasons, or if the Russian Federation, It fell against the adoption of an international standard or individual position.
Article 7. Clause 8:
International standards should be used in whole or in part as the basis for the development of draft technical regulations, unless the international standards or their sections would be ineffective or inappropriate for achieving the objectives established in Article 6 of this Federal Law, including due to climatic and geographical features Russian Federation, technical and (or) technological features. (as amended by the Federal Law of July 18, 2009 No. 189-)
National standards of the Russian Federation can be used in whole or in part as a basis for developing draft technical regulations.
Since from a practical point of view, the number of standards and specifications, including international, national and industry in the field of information security is infinite, we will cite only some of them, a complete list of national standards is provided on the website of the FSTEC of Russia in the relevant section “National Standards”.
| Designation | Russian name |
|---|---|
| GOST R 50739-95 | Computing facilities. Protection against unauthorized access to information. General technical requirements |
| GOST R 50922-2006 | Protection of information. Basic terms and definitions |
| GOST R 51188-98 | Protection of information. Tests of software for the presence of computer viruses. Sample guide |
| GOST R 51583-2014 | Protection of information. The procedure for creating automated systems in a protected version. General provisions |
| GOST R 53110-2008 | Information security system for a public communication network. General provisions |
| GOST R 53111-2008 | The stability of the public communication network. Requirements and verification methods |
| GOST R 53113.1-2008 | Information technology. Protection of information technologies and automated systems from information security threats implemented using hidden channels. Part 1. General Provisions |
| GOST R 53113.2-2009 | Information technology. Protection of information technologies and automated systems from information security threats implemented using hidden channels. Part 2. Recommendations on the organization of information protection, information technology and automated systems from attacks using hidden channels |
| GOST R 54581-2011 / I | Information technology. Methods and means of security. Basics of confidence in IT security. Part 1. Overview and Basics |
| GOST R 54582-2011 / | Information technology. Methods and means of security. Basics of confidence in the security of information technology. Part 2. Methods of trust |
| GOST R 54583-2011 / | Information technology. Methods and means of security. Basics of confidence in the security of information technology. Part 3. Analysis of methods of trust |
| GOST R ISO 7498-1-99 | Information technology. The interconnection of open systems. Basic reference model. Part 1. Basic model |
| GOST R ISO 7498-2-99 | Information technology. The interconnection of open systems. Basic reference model. Part 2. Information Security Architecture |
| GOST R ISO / IEC 13335-5-2006 | Information technology. Methods and means of security. Part 5. Network Security Management Guide |
| GOST R ISO / IEC 15408-1-2012 | Information technology. Methods and means of security. Criteria for assessing the security of information technology. Part 1. Introduction and general model |
For example, consider GOST R 53113.2-2009 “Information Technology (IT). Protection of information technologies and automated systems from information security threats implemented using hidden channels. ”
Part 2. Recommendations on the organization of information protection, information technology and automated systems from attacks using hidden channels.
This standard presents not only the general scheme of the functioning of covert channels in an automated system, the rules for forming a threat model, but also various recommendations for protecting information and the methods used in building information security systems that take into account the presence of such covert channels.
Below in Figure 1, the general scheme of the functioning of covert channels in an automated system is presented.
Figure 1 - The general scheme of the functioning of covert channels in an automated system
1 - security violator (intruder), whose goal is unauthorized access to information of limited access or unauthorized influence on an automated system;
2 - restricted access information or a critical function;
3 - a subject with authorized access to 2 and 5;
3 'is the intruder's agent located in a closed loop with 2 and interacting with 2 on behalf of subject 3;
4 - an inspector (software, software and hardware, hardware or a person), controlling (her) informational interaction 3, crossing the closed loop, separating the object of informatization from the external environment;
5 - a subject located outside a closed circuit, with whom 3 performs authorized information interaction
Security threats that can be implemented using covert channels include:
1. The introduction of malware and data;
2. Submission of commands by an attacker to an agent for execution;
3. Leakage of cryptographic keys or passwords;
4. Leakage of individual information objects.
Protecting information, information technology and automated systems from attacks implemented using covert channels is a cyclic process that includes the following steps, repeated at each of the iterations of the process:
1. Risk analysis for the assets of the organization, including the identification of valuable assets and an assessment of the possible consequences of the implementation of attacks using covert channels
2. Identifying hidden channels and assessing their danger to the assets of the organization
3. Implementation of protective measures to counter covert channels
4. Organization of control over the opposition of covert channels.
The cyclical nature of the process of protecting against information security threats implemented using hidden channels is determined by the emergence of new ways to build hidden channels unknown at the time of the previous iterations.
Based on the risk assessment of covert channels, taking into account the results of the risk analysis, it is concluded that it is expedient or inappropriate to counter such channels.
Based on the results of revealing hidden channels, an action plan is formed to counter the threats implemented with their use. These measures may include the implementation of one of the already known (or the improvement of already existing) methods of countering information security threats implemented using covert channels.
It is advisable to use as protective measures:
1. Reducing the bandwidth of the information transmission channel;
2. Architectural solutions for building automated systems;
3. Monitoring the effectiveness of the protection of automated systems.
The choice of methods to counter the threats to information security of a VDS server leased by you, implemented using hidden channels and creating a plan for their implementation is determined by experts based on the individual characteristics of the protected automated system.
As you can see, even a short list of standards is far from being short, not to mention the regulations and recommendations, but you must have at least basic knowledge in this area so that you can not only navigate but also apply the necessary standards in practice.
Source: https://habr.com/ru/post/350288/
All Articles