
Good day to all. Today we would like to discuss information security in the regions and talk about the eighth annual forum "Actual Issues of Information Security", which took place on June 19-20 and which we have traditionally held since 2009 on the premises of the Primorsky Krai Administration in Vladivostok.
It is not for nothing that I said we will be discussing pressing problems of information security here; I don't want to publish a dry press release about the event on Habr, but whoever needs one can read it here. There you can also download the speakers' presentations; among the speakers were representatives of regulators, vendors and integrators.
Under the cut: lots of photos, whining and a ray of optimism.
First day
Regulators' speeches
FSB
One of the first speakers was a representative of the FSB of Russia in the Primorsky Territory. The topic was the requirements of the Federal Security Service of Russia for handling cryptographic information protection tools (hereinafter SKZI).
In general, this talk contained no revolutionary changes compared to previous years. We were reminded that the handling of SKZI is regulated by PKZ-2005, FAPSI Order No. 152 and FSB Order No. 378.
We were also reminded that:
- SKZI must be certified;
- the class of SKZI used must ensure the neutralization of the identified threats (you can read more about choosing the SKZI class here);
- SKZI must be purchased from licensees of the Federal Security Service of Russia;
- distributions, datasheets (forms) and rules of use must be available at the place where the SKZI is operated;
- SKZI must be accounted for under the registration numbers assigned by the FSB of Russia;
- SKZI users must be trained in the rules of working with them, with a corresponding entry in the register of SKZI users;
- storage of SKZI and their documentation must be organized so as to rule out unauthorized access;
- during operation of SKZI, careful attention must be paid to fulfilling the requirements and conditions specified in the datasheet and the rules of use.
The most interesting thing here was perhaps a slide with inspection statistics.

The FSB representative attributes the increase in detected violations in 2018, compared with previous periods, to a more thorough approach by the inspectors.
I personally was waiting for some information about the rumored replacement of FAPSI Order 152, but none came.
FSTEC of Russia

The representative of the FSTEC of Russia Office in the Far Eastern Federal District, Alexei Alexandrovich Baranov, spoke about the changes made to the regulatory legal acts in the field of protecting critical information infrastructure objects (hereinafter CII).
Everyone who follows the CII topic knows that legislation in this area has recently been changing actively: both RF Government Decree No. 127 and the FSTEC orders. I will not retell the report; in the presentation everything is quite clear and understandable.
It was pointed out that the primary task of CII subjects is to submit information to FSTEC by September 1, 2019. At the same time, it was noted that many CII subjects who have already sent such information do not do so in the approved form, supplying redundant or insufficient information.

A representative of the central office of the FSTEC of Russia, Anatoly Vasilyevich Marchenko, also spoke. He talked about the shortage of qualified personnel in information security.

I think many will be interested in a slide with statistics on the number of information security specialists in various industries. Clearly this is all taken from the data that organizations submit to FSTEC, so commercial organizations that have no dealings with FSTEC are not included, but the figures are still curious.

OK, this number, 22 thousand people, is, in general, a lot. And what about the quality? The quality is rather sad. No comments here, just look at the slide.

At the same time, the industries are short of about 2-3 thousand specialists to fill their vacancies.
Here I, as a manager and employer of information security personnel, also wanted to add a little about the quality of current education in this field. Recently a questionnaire about the quality of the education of infosec specialists landed on my desk; I had to give low marks, and here is why.
First, a story from my life. When I entered university in 2000, I really wanted to get into the then-new and promising specialty "Information Security", but I did not score enough points and went to study physics. The security students were our parallel group, and for 3 of the 5 years we attended almost the same lectures with them. That is, for most of the time the security students studied physics and mathematics along with us.
From conversations with current graduates, I realized that not much has changed since then. We now have many young, talented guys and girls on our team. But the fact that they generally cope well with the tasks set is not the merit of the universities but their own (the ability to quickly grasp new material and learn).
As a result, graduates of the "Information Security" direction know physics and mathematics (including cryptography), know information technology in general, and are trained to varying degrees in programming.
But here is what they do not know and cannot do:
- do not know the current legislation on information protection;
- do not know how to write documents on information security, do not know what documents are needed at all;
- they do not know how to build an information security system in a more or less large enterprise;
- they do not know the information protection tools (whether foreign or domestic) and, accordingly, do not know how to work with them, configure them, and so on;
- they do not know pentest tools (not even a basic vulnerability scanner) and do not know how to use them;
- do not know how to read and interpret reports on found vulnerabilities, do not know what to do with the obtained data;
- and much more.
This is my personal experience in the city of Vladivostok. Maybe elsewhere the situation is much better. But our university graduates in the "Information Security" specialty, unfortunately, cannot perform either "paper" or practical information security tasks immediately after receiving the coveted diploma. This is sad.
But so that things are not completely sad, here is a photo of our team of professionals! =)

Integrators
In fact, there was only one integrator speaking, and that was us. The first talk was given by our CEO, Pavel Sergeevich Statsenko.

The report was devoted to centralized monitoring of information security events. The point was that ensuring information security is an ongoing process, and tracking suspicious events in the system is an integral part of it.
Unfortunately, we often encounter, especially in government agencies, the approach "I received a certificate of conformity and can forget about information security for 5 years." The problem is that certification of an information system against security requirements is a process of confirming that the system complies with various requirements. The certificate itself does not provide security and gives no guarantees (especially if all the protective tools are removed after the certificate is received, yeah).
Our monitoring center is still quite young and small, especially compared with the giants of this field, but judging by our data, the numbers speak for themselves.

In general, monitoring information security events is important and not very expensive.
I spoke as well.

I decided to raise topics that are often talked about but are still ignored by many. These are mostly problems of mindset.
The first thing I brought up was EternalBlue. Why? It recently turned 2 years old. And because, according to our statistics, at the sites where we work there is still a huge number of hosts affected by this vulnerability. It would seem a rare case: the vulnerability was trumpeted even on federal TV channels. Surely everyone rushed to update. Not so; the reality is much sadder. And we are talking about a vulnerability from 2 years ago. What's next? Will we also take years to eliminate new vulnerabilities?
I also touched upon the problem of disregard for "paper" security. Everything seems clear here; I won't put it more concisely than Mr. Fry.

In passing I mentioned another sore subject: dumping information security on the IT staff. All that remains is to inform the heads of organizations that information security is a separate, broad area of knowledge and that, in general, combining IT and information security in one person is also a conflict of interest. After all, IT needs everything to work quickly and reliably, while information security solutions inevitably consume some amount of system resources.
I recalled the publications on Habr about fraud with electronic signatures. Why? Because it is easy to draw an analogy between certification authorities that issue electronic signatures and the licensees that certify information systems. The problem is the same: the client wants it faster and without red tape, some licensees follow the customer's lead, and the result is "certification by photograph" and other delights. But more on substandard services of FSTEC licensees later.
The next problem is poor-quality development of information system components. The problem is especially relevant for the public sector, and it lies partly in the public procurement system. A government agency announces a tender for the development of a portal. The one who offers the lowest price wins. Where the price is lower, the quality is (usually) worse. The terms of reference for the tender are, as a rule, not written in much detail, so you cannot hold careless contractors to account later. As a result, we get childhood diseases: XSS, SQLi, default passwords and other "joys".
And the last thing I had presentation time for was the problem of certified cloud data centers. Thanks to the author of this post for the reminder of this pressing problem. The problem is relatively new and serious. It stems from the fact that it is sometimes difficult to find out from the provider what exactly has been certified and how, and even if everything is fine there, there are usually no mechanisms to make sure that your virtual server is really running on the certified cluster.
At the same time, I am in no way urging you to avoid certified cloud data centers altogether. But it is necessary to pay attention to how the provider reacts to requests to show the certificate and, perhaps, the site itself. It is also necessary to spell out the provider's liability in cloud service contracts.
Vendors
Since our event is free for visitors, there were, as a result, many vendors at it. To their credit, it should be said that there was not that much direct advertising in their talks. Almost every vendor speaker tried to tell the audience something interesting and useful, although they also mentioned their products.
I don't think I should retell their talks in detail; whoever is interested can download the presentations via the link at the beginning of the article.
Stands

In addition to the talks, demonstration stands were set up in the lobby of the Primorsky Krai Administration. Live demonstrations showed vulnerability scanners, SIEM systems and IDS / IPS solutions at work.
Second day
The second day of the forum was held in a different place and in a different format. The place: the Pushkin Theater. The format: round tables.
At the entrance, visitors were greeted by a medieval beberman.

Demonstration stands were set up in the hall as well.

The round table format is interesting because it is a lively discussion format. For example, the head of our monitoring center, Aleksey Isihara, scolded vendors for not updating the signatures of their IDS / IPS solutions quickly enough. The answer he received: "We will try!"

During the discussion of "Certification of informatization objects", a debate arose about the substandard services provided by licensees of the FSTEC of Russia. One of the forum visitors told his story. Their tender for information security design services was won by a licensee that did not even want to come to the site to do the work. After this licensee was nevertheless forced to work directly on site, the result left much to be desired.
What is unusual about this situation is that the customer discovered the poor quality of the services before signing the acceptance certificate. Unfortunately, problems are more often identified after the contract is closed. Here I cannot help but repeat the importance of raising employees' awareness in the field of information security. Even if all information security work is to be done by third-party organizations, there must be someone who can assess the quality of the work performed.
A representative of the FSTEC of Russia was also present in the hall and answered the question about the regulator's means of influence on such unscrupulous licensees. Alexey Baranov said that such violations should be stopped within the framework of the licensing activity control conducted by the FSTEC of Russia. If the regulator detects violations or receives complaints against a licensee, an order to eliminate the violations is issued. In case of repeated violations or complaints, the license may be revoked.
Summary
I promised a ray of optimism in this article. And here it is.
We have been holding the forum since 2009. And even though from year to year we mainly discuss information security problems and their possible solutions, there is a positive trend. It lies in the fact that today we are already discussing completely different problems of a completely different level. There will always be problems. It is unlikely that an information security event will ever take place where the speakers say that over the past year no new vulnerabilities were identified, no one was hacked, and no one's personal data leaked.
As for the level of problems, see for yourself.
In 2009, we said that at least someone in the organization needs to be assigned responsibility for ensuring information security. In 2019, we are already talking about how many full-fledged security specialists organizations lack.
In 2009, we talked about the need to introduce at least some information protection tools and protect personal data. In 2019, we are talking about the need to collect logs from these tools, build correlations and track information security events.
In 2009, we were conveying information about which information systems should be certified. In 2019, that information security does not end with the issuance of a certificate of conformity.
Therefore, despite all my pessimism and the problems indicated, something is slowly but surely changing. The main thing is that there is someone to push this locomotive called "IS".
P.S. Our forum has just ended, and we are already thinking about how we can improve our next event.
Write in the comments what positive or negative impressions you have had from information security events. What events are held in your region? What format suits you best? Which topics do you think are too hackneyed, and which are deprived of attention?
P.P.S. Photographer: Elena Berezova