Currently, there are many security controls and tools, but all of them can be divided into the following groups or classes:
1. Means of controlling access to the system (access from the console, access over the network) and access control
2. Means of ensuring the integrity and immutability of software (I include anti-virus protection tools here, since the introduction of a virus is a change to the software)
3. Means of cryptographic protection
4. Means of protection against intrusion from the outside (external influence)
5. Means of recording the actions of users, which also serve to ensure security (although not only that)
6. Intrusion detection tools
7. Means of monitoring the security status of the system (vulnerability detection)
The most interesting are the last three classes. They play a passive role in providing security, but their importance should not be diminished. If we consider, for example, the Deming cycle as applied to ensuring information security at the software level, these three classes occupy one-fourth of the entire security process.

The PDCA (Deming Cycle) methodology is the simplest algorithm for the manager’s actions to manage the process and achieve its goals. The management cycle begins with planning.
1. Planning - setting the goals and the processes necessary to achieve them, planning the work needed to meet the process goals and satisfy the customer, and planning the allocation of the necessary resources.
2. Execution - the execution of planned work.
3. Verification - collecting information and monitoring the result on the basis of key performance indicators (KPI), obtained during the process, identifying and analyzing deviations, determining the causes of deviations.
4. Impact (management, adjustment) - taking measures to eliminate the causes of deviations from the planned result, changes in the planning and allocation of resources.
These tools do not act on the security systems themselves (although they can be combined with other systems); they simply collect, store and make available complete information on the state of the security system: event logs, denial-of-service information, suspicious authorization information, and analytical logs comparing the vulnerability picture of the system and of individual nodes.
The other side of such systems, in particular vulnerability detection tools, is the decision-support subsystem (abbreviated PRD here), which, based on some input data, makes reasonably sound probabilistic decisions for the next node of the PDCA cycle, namely "Act" (impact). The PRD subsystem may be autonomous and not affect the functioning of the system as a whole; however, more efficient systems automatically adjust themselves based on the results of the PRD.
An example of such an adjustment is a firewall that automatically adds a new rule when the number of packets per unit of time on a given port exceeds a threshold. There are also more complex IDS + IPS systems that define the rules by which individual nodes interact with each other.
It is obvious that for the correct and reasonable operation of such systems, the relevance and completeness of the input information about the functioning of the existing security system is critical. Since false information (both false negatives and false positives) is the weak link in the decision-making chain for upgrading the information security protection system, the main task is to build a high-quality control and security audit system.
The possible benefit to an attacker from a faulty security audit system can be very diverse; it all depends on where you look. If, for example, the attacker understands that there are absolutely no vulnerabilities in the existing security system today, but there is no incident policy either, then an attack (especially a distributed one) will succeed a short time after a fundamentally new attack pattern is used. Likewise, the inability to identify an attack is itself a back door in the ICC. And the consequences of attacks can also differ: theft of information, denial of service, a virus attack, etc.
An incorrect security audit system may also cause an illogical decision in the Deming cycle at the Act step. This can happen when, because of incorrect data and its analysis, we (or the PRD system) decide to upgrade the system. Such an upgrade may be unjustified in terms of financial cost, and it may also be advantageous to attackers whose aim is not to obtain confidential information by circumventing the protection but to obtain it at the weakest moment: while the system is being rebuilt.
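The following is an added illustration (not code from the original article) of the automatic adjustment described above: a per-port packet-rate check that feeds the "Act" step, gated by a completeness check on the input data so that an incomplete log does not drive an automatic rule change. The packet events, the window and threshold values, and the rule string (written in nftables-like syntax) are all constructed assumptions for the example.

```python
from collections import defaultdict, deque

# Constructed sample of firewall packet events: (timestamp in seconds, source IP, destination port).
# These values are made up for the example; they do not come from any real capture.
SAMPLE_EVENTS = [
    (0.0, "203.0.113.5", 22), (0.2, "203.0.113.5", 22), (0.4, "203.0.113.5", 22),
    (0.6, "203.0.113.5", 22), (0.8, "203.0.113.5", 22), (0.9, "203.0.113.5", 22),
    (1.0, "198.51.100.7", 443), (1.5, "198.51.100.7", 443),
    (3.0, "203.0.113.5", 22), (3.1, "203.0.113.5", 22),
]


def log_is_complete(events, max_gap):
    """Completeness check on the input (the 'Check' stage): a gap between consecutive
    events longer than max_gap seconds means the log may be missing data, so the
    result is treated as unreliable for automatic action."""
    ts = sorted(t for t, _src, _port in events)
    return all(b - a <= max_gap for a, b in zip(ts, ts[1:]))


def detect_port_floods(events, window_sec=1.0, threshold=5):
    """Sliding-window count of packets per destination port (hypothetical detector).
    Returns [(port, window_start, count)] for each port whose packet count within
    one window exceeds the threshold; each port is reported once."""
    windows = defaultdict(deque)  # port -> timestamps inside the current window
    flagged = {}
    for ts, _src, port in sorted(events):
        q = windows[port]
        q.append(ts)
        while q and ts - q[0] > window_sec:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold and port not in flagged:
            flagged[port] = (q[0], len(q))
    return [(p, start, n) for p, (start, n) in flagged.items()]


def rule_for(port, protocol="tcp", rate="5/second"):
    """Render a rate-limit rule in nftables-like syntax (constructed text, reviewed by a
    human before being applied to a real firewall)."""
    return f"add rule inet filter input {protocol} dport {port} limit rate over {rate} drop"


def act(events, window_sec=1.0, threshold=5, max_gap=2.0):
    """The 'Act' step: propose rules only when the input data passes the completeness check."""
    if not log_is_complete(events, max_gap):
        return []  # incomplete or unreliable input must not drive automatic changes
    return [rule_for(port) for port, _start, _n in detect_port_floods(events, window_sec, threshold)]
```

With the sample events, port 22 receives six packets inside one second and is the only port proposed for a rule; tightening max_gap below the 1.5-second gap in the log makes act() refuse to propose anything.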
A quality monitoring system is one that will, with a probability of 85% to 100%, track the state of information security in the organization (authorization logs, the time of an attack, or a guarantee of its absence) at any moment.
At present, the only way to test the reliability of the monitoring and control system (or to confirm that it exists at all) is practical testing on an existing and already operating CIS. This means various kinds of attacks, searching for practical means of exploiting system vulnerabilities, and checking the completeness of the stored information.
If deviations of the actual results from the expected ones are detected, we must analyze the quality and quantity of these deviations, assess the risks that surfaced during the tests, carry out all measures to eliminate them, and run a control test. If risks remain, we continue testing and upgrading.
Even if the system shows a 100% result in controlling information flows, we must conduct scheduled and unscheduled tests from time to time, using the latest technologies, to guarantee that it remains correct.
Usually, verification of information security monitoring and control systems is carried out by third parties, since it is a very expensive tool that is not needed continuously, and bias inevitably affects both the results and the cost of risk. Within this framework, a number of solutions are proposed.
The main tasks that are solved during the audit of information system security:
1. Analysis of the structure, functions, technologies used for automated processing and transmission of information in the information system, analysis of business processes, regulatory and technical documentation.
2. Identification of significant threats to information security and ways to implement them; identifying and ranking the degree of danger of existing technological and organizational vulnerabilities in the information system.
3. Compilation of an informal model of the offender, application of an active audit technique to verify that the violator can realize the identified threats to information security.
4. Conducting a penetration test of the external perimeter of IP addresses, and checking the possibility of penetrating the information system using social engineering methods.
5. Analysis and assessment of risks associated with threats to the security of information resources of the Customer.
6. Evaluation of the information security management system for compliance with the requirements of the international standard ISO/IEC 27001:2005 and the development of recommendations for improving the information security management system.
7. Development of proposals and recommendations for introducing new information security mechanisms and enhancing the effectiveness of existing ones.
When receiving recommendations from third-party organizations, you need to keep financial soundness in mind, accept that the result will inevitably deviate from the ideal option, and, where possible, start the next iteration of the PDCA cycle from the shortcomings found in the previous one.