Chapter 6: Information Systems Security – Information Systems for Business and Beyond

Chapter 6: Information Systems Security – Information Systems for Business and Beyond Реферат

Introduction

As computers and other digital devices have become essential to business and commerce, they have also increasingly become a target for attacks. In order for a company or an individual to use a computing device with confidence, they must first be assured that the device is not compromised in any way and that all communications will be secure.

In this chapter, we will review the fundamental concepts of information systems security and discuss some of the measures that can be taken to mitigate security threats. We will begin with an overview focusing on how organizations can stay secure. Several different measures that a company can take to improve security will be discussed.

The Security Triad
The security triad

#2. conduct a server inventory.

Next, make a list of all your servers, along with the purpose of each one and the data stored there. In particular, you should:

This inventory will help you identify and eliminate important security gaps. Remember this is not a one-time thing; you have to do it regularly.

(pdf) building a knowledge base for expert system in information security

We have considered an exampleof the use of information security ontologyin

practice example to ensure the vulnerability of the university. Which were clearly

shows the rules as well as the type of threats and vulnerabilities as well as Controls.

Thus developed the main points of ontology information security system of an expert

system in the field of information security audit

References

1.Val Thiagarajan, B.E. 2002. BS 7799 Audit Checklist. Available:

www.sans.org/score/checklists/ISO_17799_checklist.pdf

2.ISO IEC 27002 2005 Information Security Audit Tool. Available:

http://www.praxiom.com/iso-17799-audit.htm

3.Stepanova, D., Parkin, S. and Moorsel, A. 2009. A knowledge Base For Justified Informa-

tion Security Decision-Making. In 4th International Conference on Software and Data

Technologies (ICSOFT 2009), 326–311.

4.Atymtayeva L., Kanat Kozhakhmet, Gerda Bortsova, Atsushi Inoue. Methodology and On-

tology of Expert System for Information Security Audit //Proceedings of the 6th Interna-

tional Conference onSoft Computing and Intelligent Systems and the 13th International

Symposium on Advanced Intelligent Systems, 20-24 November 2021, Kobe, Japan , pp.

238-243

5.Atymtayeva L., K. Kozhakhmet, G. Bortsova. Some Issues of Development of Intelligent

System for Information Security Auditing // Proceedings of the International conference of

Computational Intelligence and Intelligent Systems 2021, June 1-2, 2021, London, UK,

Vol. 2, pp. 725-731.

6.Atymtayeva L., K. Kozhakhmet, G. Bortsova, A. Inoue. Expert System for Security Audit

Using Fuzzy Logic. // Proceedings of The 23rd midwest artificial intelligence and cogni-

tive science conference, MAICS , April 21-22, 2021, Cincinnati, USA, рр. 146-151.

http://ceur-ws.org/Vol-841/

7.Atymtayeva L.,A. Akzhalova, K.Kozhakhmet, L. Naizabayeva. Development of Intelligent

Systems for Information Security Auditing andManagement:Review and Assumptions

Analysis // Proceedings of the 5th International Conference on Application of Information

and Communication Technologies, 12-14 October, 2021, Baku, Azerbaijan, pp.87-91

8.Tsudik, G. and Summers, R. 1990. AudES – an Expert System for Security Auditing. IBM

Los Angeles Scientific Center.

9.S. Fenz and A. Ekelhart, “Formalizing information security knowledge,” ASIACCS ’09:

Proceedings of the 2009 ACM symposium on Information, computer and communications

security, ACM, 2009.

10.Threats catalogue on Information Systems Information technology Security techniques

— Code of practice for information security management, 2005.

11.ISO/IEC. ISO/IEC 27002:2005, Information technology Security techniques —Code

of practice for information security management, 2005.

12. http://www.odbv.org

13.Maljuk AA Information Security: Contemporary Issues / / SecurityInformation tehnolo-

giy. 2021. – № 1. – P.5-9.

14.Domarev VV Safety of information technology. The System approach. –Kiev, Publishing

house “Diasoft”, 2004, 992s.

§

Authentication

The most common way to identify someone is through their physical appearance, but how do we identify someone sitting behind a computer screen or at the ATM? Tools for authentication are used to ensure that the person accessing the information is, indeed, who they present themselves to be.

Backups

Another essential tool for information security is a comprehensive backup plan for the entire organization. Not only should the data on the corporate servers be backed up, but individual computers used throughout the organization should also be backed up. A good backup plan should consist of several components.

Classification of personal data security threats in information systems

CLASSIFICATION OF PERSONAL DATA SECURITY THREATS IN

INFORMATION SYSTEMS

DOI: 10.36724/2072-8735-2020-14-1-56-60

Vladimir A. Dokuchaev,

MTUCI, Moscow, Russia, v.dok@tlsf.ru

Victoria V. Maklachkova,

MTUCI, Moscow, Russia, v.maklachkova@tlsf.ru

Vyacheslav Yu. Statev,

JSC “RZD”, Moscow, Russia, svu@rnt.ru

Keywords: Personal Data, Information, Security, Threats, Risks, Information Systems, Classification.

The purpose of this work is to analyze and classify threats that arise when working with personal data in information systems. In the field of information technology in any country, one of the national interests is to ensure and protect the constitutional rights and freedoms of man and citizen in so far as it relates to the receipt and use of information, as well as confidentiality when using information technologies. In this regard, special attention is currently being paid to the organization of processing and ensuring the security of personal data in information systems, including during their cross-border transfer. In the European Union, this activity is regulated by the General Data Protection Regulation (GDPR), which was put into effect on May 25, 2021. Personal data are in a high-risk area, especially in organizations that operate with large amounts of personal data, such as passport data, solvency data, employers, contact details, phone numbers, addresses, email, and other information that represents interest for potential computer attacks. The solution to the problem of ensuring the security of personal data is impossible without identifying and classifying potential threats to personal data in information systems. The proposed classification can serve as the basis for a threat model of a specific information system designed to process personal data.

Information about authors:

Vladimir A. Dokuchaev, DSc (Tech), Professor, Head of the Department “Multimedia Communication Networks and Services” MTUCI, Moscow, Russia

Victoria V. Maklachkova, Senior Lecturer of the Department “Multimedia Communication Networks and Services” MTUCI, Moscow, Russia Vyacheslav Yu. Statev, PhD, Head of the Department, JSC “RZD”, Moscow, Russia

Для цитирования:

Докучаев В.А., Маклачкова В.В., Статьев В.Ю. Классификация угроз безопасности персональных данных в информационных системах // T-Comm: Телекоммуникации и транспорт. 2020. Том 14. №1. С. 56-60.

For citation:

Dokuchaev V.A., Maklachkova V.V., Statev V.Yu. (2020) Classification of personal data security threats in information systems. T-Comm, vol. 14, no.1, pр. 56-60. (in Russian)

Introduction

With the development of information technology, attention and interest in the problem of privacy and the further development of the Institute of Personal Data began to significantly increase.

In the Russian Federation, one of the national interests in the information sphere is “ensuring and protecting the constitutional rights and freedoms of man and citizen in so far as it concerns the receipt and use of information, privacy in the use of information technology …”.

From this follows the attention that is currently being paid at enterprises to the organization of processing and ensuring the security of personal data, including when they are processed in information systems.

With the entry into force in May 2021 of the Global Data Protection Regulation (GDPR), personal data operators have faced new threats related to the cross-border transfer of personal data.

Personal data refers to any data that in one way or another relates to an identifiable or identifiable person. An identifiable person is a natural person that can be established directly or indirectly by reference to a certain identification number, as well as by one or more factors specific to its physiological, physical, mental, economic, cultural or social affiliation.

The subjects of personal data in the organization are employees, retirees, candidates for filling vacant posts and others. The purposes of processing personal data may be: providing services to a client of the organization, processing data in accordance with labor legislation, etc. Personal data are divided into categories such as: publicly available, special, as well as other personal data that do not fall under the first two categories.

Former or current employees of an organization at present time commit many violations of the confidentiality of personal data. This is due to the presence in companies of information systems for processing personal data, access to which are available to employees who are able to transfer confidential information to third parties. The existence of such a vulnerability in the company can significantly facilitate the ability of an attacker to obtain personal data, while making a computer attack more effective.

There are a number of mandatory measures that enterprises must take in order to “correctly” store and process personal data in the information system. The functioning of the entire business model of the activity of the personal data operator and the cost of risks associated with the processing of personal data depend on how competently the business processes for organizing automated processing of personal data are implemented.

According to company “InfoWatch” analysis, in 2021 the share of personal data leaks amounted to 80.2% of all confidential information leaks. Type of data compromised by retiring employees shown at Table 1.

Table 1

Personal State Trade Other, %

Data, % Secret, % Secret, %

2021 year 47.2 2.8 36.1 13.9

2021 year 35.3 3.9 58.8 2.0

Source: companyInfoWhatch

T-Comm Vol.14. #1-2020

To create a model for protecting personal data, it is necessary to identify and classify potential threats to personal data in information systems.

Classification of Personal Data Threats

There are two classes of threats to personal data in information systems:

• threats that cannot be correlated with attacks;

• threats that can be correlated with attacks.

There are threats incompatible with attacks that can not only lead to the loss, distortion or compromise of the subject’s personal data, but also create conditions for their use by various violators for their own purposes.

These threats include:

• threats not related to human activities: natural disasters and natural phenomena (earthquakes, floods, hurricanes, etc.);

• threats of a socio-political nature: strikes, sabotage, local conflicts, accompanied by an attack on an object that hosts information system resources, etc .;

• erroneous actions and (or) violation of requirements by personnel and users of the information system of the corresponding operational, organizational, technical or other documentation;

• threats of anthropogenic nature, for example: accidents, various malfunctions, interference and interference, leading to violations and malfunctions in the hardware components of the information system.

Protection against threats that cannot be correlated with attacks is regulated by instructions developed and approved by the authorized services of the personal data operator, taking into account the specific conditions for the functioning of the information system, as well as the current regulatory framework.

Protection against threats that can be correlated with attacks should be provided with the help of protective measures and means used by the information system and designed mainly to counter attacks.

The composition and content of security threats to personal data is determined by the combination of conditions and factors creating the danger of unauthorized, including accidental, access to personal data.

The totality of such conditions and factors is formed taking into account the characteristics of the information system, the properties of the distribution medium of informative signals containing protected information, and the capabilities of the sources of threats.

The following characteristics of an information system can cause threats for personal data:

• structure, category and amount of personal data processed in the information system;

• availability of information system connections to public communication networks and (or) the Internet;

• security subsystem characteristics and personal data processing modes;

• modes of differentiation of access rights of users of the information system;

• location and conditions of placement of technical equipment of the information system.

The main elements of the information system in which personal data is processed are:

• personal data contained in databases, as a combination of information and its sources used in the information system;

• information technology, as a set of methods and methods of using computer technology in the processing of personal data;

• software and hardware that process personal data;

• information security tools;

• additional hardware and systems.

The properties of the information distribution medium containing the protected information are characterized by the type of physical environment in which personal data is distributed, and are determined when assessing the possibility of implementing a security threat channel for personal data.

The security threat to personal data is realized as a result of the formation of channels for the implementation of a security threat to personal data between the threat source and the personal data carrier, creates the necessary conditions for violating the security of personal data.

The main elements of the channel for implementing a security risk to personal data are:

• source of threat – a subject, material object or physical phenomenon that creates a threat to the security of personal data, for example, a violator of the security of personal data, the capabilities of which with respect to the system are determined in the model of the violator;

• an environment for the distribution of personal data or influences in which a physical field, signal, data or program may be distributed and affect the protected characteristics of personal data. These characteristics include: confidentiality, integrity, accessibility;

• personal data carrier – an individual or material object, including a physical field, in which personal data are reflected in the form of symbols, images, signals, technical solutions and processes, quantitative characteristics of physical quantities.

Other security characteristics of personal data that are important to the operator, such as data authenticity, are also possible.

Personal data carriers may contain information presented in the following forms: acoustic (speech) information; textual and visual information; processed (circulating in the information system) information.

A classification of threats to the security of personal data is proposed according to the following criteria:

• by types of possible sources of security risk to personal data, caused by deliberate or unintended actions of users of the information system: with or without access to it. It should be noted that the sources of threats in relation to the information system can be both external and internal;

• by type of unauthorized actions carried out with personal data:

> threats leading to a violation of the confidentiality of personal data (copying or unauthorized distribution), the implementation of which does not directly affect the content of the information;

> threats leading to unauthorized, including accidental, influence on the content of information, as a result of which personal data is changed or destroyed;

> threats leading to unauthorized, including accidental, impact on the software and hardware elements of the information system, as a result of which personal data is blocked;

• by methods of implementing a security risk to personal data:

> threats implemented in information systems when they are connected to public communication networks;

> threats implemented in information systems when they are connected to international information exchange networks;

> threats implemented in information systems that do not have connections to public communication networks and the Internet.

• by type of channels for implementing a security risk to personal data:

> threats implemented through channels arising from the use of technical means to intercept information processed in the information system (technical channels for information leakage);

> threats realized due to unauthorized access to personal data in the information system using standard software or specially developed or applied software.

The implementation of any of the listed threats and (or) their combination can lead to the following consequences for the subjects of personal data:

• significant negative consequences;

• negative consequences;

• minor negative consequences.

Consider typical security threats for personal data in information system.

Threats of information leakage through technical channels:

• threats of leakage of acoustic (speech) information – in the presence of voice input functions or functions for reproducing personal data by acoustic means of an information system;

• threats to leakage of specific information – by viewing information using optical (optoelectronic) means from display screens;

• threats of information leakage due to the presence of electromagnetic radiation, mainly monitors and system units of personal computers and servers from the information system.

Threats of unauthorized access to personal data in the information system:

> threats of access (penetration) into the operating environment of computers or servers of the information system using standard software:

• realized direct access threats :

– during and after loading the operating system;

– due to the installation of hardware bookmarks and the introduction of malware.

• remote access threats:

– analy sis of the transmitted and received network traffic ;

– network scanning and password identification;

– substitution of a trusted network object with or without a virtual connection;

– the imposition of a false route and the introduction of a false network object;

– denial of service:

S partial and complete exhaustion of resources;

S violation of logical connectivity between data or objects;

S the use of errors in programs that implement network exchange protocols.

– remote launch of applications:

S distribution of files containing unauthorized executable code;

T-Comm Tом 14. #1-2020

S remote launch of the application by overflowing the server application buffer or using the remote control capabilities of the system provided by hidden software and hardware bookmarks.

– introduction of malware;

> threats to create abnormal operating modes of software and hardware due to deliberate changes in service data, characteristics of the processed information, distortions (modifications) of the data itself, etc .;

> combined threats, which are a combination of the above threats.

Organizations that directly work with personal data are required to take all appropriate measures to prevent the above threats. Therefore, it is important that all departments provide security for employees with access to confidential data. The following rules must be followed.

1. Departments must protect their information systems with appropriate technology. They must be sure that this technology is working in an appropriate condition, sufficient to counter emerging threats.

2. Departments need to identify cases of unauthorized access (internal or external). It is also necessary to identify the addition, deletion and editing of data. To identify this kind of action, audit logs should be used, in which information about the similar state of the information system will be recorded. Information systems containing personal data in which they do not record information about the available viewing or reading conditions need to be investigated and immediately corrected. Departments must take into account external influences on the performance of this system. If this functionality cannot be enabled, and there is a risk of unauthorized access to personal data, then a decision should be made on changing the architecture or functionality of the information system for processing personal data.

3. Access to files that contain personal data should be constantly monitored. Organization staff should be informed of this.

To maintain this observation, it may be necessary to create additional information systems.

Conclusion

This list of threats underlies the threat model of a specific information system for processing personal data and having connections to public communication networks and (or) the Internet.

References

1. Dokuchaev V.A., Gorban E.V., Maklachkova V.V. (2021). The system of indicators for risk assessment in high-loaded infoccmmunication systems. IEEE. Conference proceedings “2021 Systems of Signals Generating and Processing in the Field of on Board Communications “.

2. Dokuchaev V.A., Gorban E. V., Maklachkova V.V. (2021). Architecture of the Regional Transport Navigation and Information Systems”. IEEE. Conference proceedings “2021 System of Signals Generating and Processing in the Field of on Board Communications”.

3. Vladimirova K.S., Dokuchaev V.A, Maklachkova V.V. (2021). Classification of personal data subject to automated processing”. XVI International Scientific and Practical Conference “Actual problems and prospects economic development”. Simferopol-Gurzuf, October 19-21, 2021.

4. Dokuchaev V.A., Maklachkova V.V. (2021). Risk analysis for personal data processing in the enterprise information system”. XVI International Scientific and Practical Conference “Actual problems and prospects economic development”. Simferopol-Gurzuf, October 19-21, 2021.

5. Dokuchaev V.A., Mitenkov S.S., Statev V. Y. (2021). Audit and risk management in corporate information and communication systems”. XVI International scientific and practical conference “Actual problems and prospects economic development” (Simferopol-Gurzuf, October 19-21, 2021), pp. 37-38.

6. ISO 31000:2021. Risk management – Guidelires.

КЛАССИФИКАЦИЯ УГРОЗ БЕЗОПАСНОСТИ ПЕРСОНАЛЬНЫХ ДАННЫХ В ИНФОРМАЦИОННЫХ СИСТЕМАХ

Докучаев Владимир Анатольевич, МТУСИ, Москва, Россия, v.dok@tlsf.ru Маклачкова Виктория Валентиновна, МТУСИ, Москва, Россия, v.maklachkova@tlsf.ru Статьев Вячеслав Юрьевич, ОАО “РЖД”, Москва, Россия, svu@rnt.ru

Аннотация

Целью данной работы является анализ и классификация угроз, возникающих при работе с персональными данных в информационных системах. В сфере информационных технологий в любой стране одним из национальных интересов является обеспечение и защита конституционных прав и свобод человека и гражданина в части, касающейся получения и использования информации, неприкосновенности частной жизни при использовании информационных технологий. В связи с этим в настоящее время уделяется особое внимание вопросам организации обработки и обеспечения безопасности персональных данных в информационных системах, в том числе, при их трансграничной передаче. В Европейском союзе данная деятельность регламентируется Общим регламентом по защите данных (General Data Protection Regulation, GDPR), вступившим в силу 25 мая 2021 г. Персональные данные находятся в зоне повышенного риска, особенно в организациях, которые работают с большими объемами персональных данных, таких как паспортные данные, данные о платежеспособности, работодатели, контактные данные, номера телефонов, адреса, электронная почта и другая информация, представляющая интерес для потенциальных компьютерных атак. Решение задачи обеспечения безопасности персональных данных невозможно без определения и классификации потенциальных угроз персональным данным в информационных системах. Предлагаемая классификация может быть положена в основу модели угроз конкретной информационной системы, предназначенной для обработки персональных данных.

Ключевые слова: персональные данные, информация, безопасность, угрозы, риски, информационные системы, классификация. Литература

1. Dokuchaev V.A., Gorban E.V., Maklachkova V.V. The system of indicators for risk assessment in high-loaded infocommunication systems // IEEE. Conference proceedings “2021 Systems of Signals Generating and Processing in the Field of on Board Communications”, 2021.

2. Dokuchaev V.A., Gorban E.V., Maklachkova V.V. Architecture of the Regional Transport Navigation and Information Systems // IEEE. Conference proceedings “2021 System of Signals Generating and Processing in the Field of on Board Communications”, 2021.

3. Владимирова К.С., Докучаев В.А., Маклачкова В.В. Классификация персональных данных, подлежащих автоматизированной обработке. Труды XVI Международной научно-практической конференции “Актуальные проблемы и перспективы развития экономики”. (Симферополь-Гурзуф, 19-21 октября 2021).

4. Докучаев В.А., Маклачкова В.В. Анализ рисков при работе с персональными данными в информационной системе предприятия. Труды XVI Международной научно-практической конференции “Актуальные проблемы и перспективы развития экономики”. (Симферополь-Гурзуф, 19-21 октября 2021),

5. Докучаев В.А., Мытенков С.С., Статьев В.Ю. Аудит и управление рисками в корпоративных инфокоммуникационных системах. Труды XVI Международной научно-практической конференции “Актуальные проблемы и перспективы развития экономики”. (Симферополь-Гурзуф, 19-21 октября 2021). С. 37-38.

6. Владимирова К.С., Докучаев В.А., Маклачкова В.В. Классификация персональных данных, подлежащих автоматизированной обработке. Труды XVI Международной научно-практической конференции “Актуальные проблемы и перспективы развития экономики”. (Симферополь-Гурзуф, 19-21 октября 2021).

7. ISO 31000:2021. Risk management – Guidelines.

Информация об авторах:

Докучаев Владимир Анатольевич, д.т.н., профессор, зав. кафедрой МСиУС МТУСИ, Москва, Россия Маклачкова ВикторияВалентиновна, старший преподаватель МТУСИ, Москва, Россия Статьев Вячеслав Юрьевич, к.т.н., с.н.с., начальник отдела ОАО “РЖД”, Москва, Россия

Classification of security vulnerabilities

Information security threats are not manifested independently but through possible contact with the gaps in the protection system, or factors of vulnerability. The threat leads to the disruption in systems on a specific carrier.

The main vulnerabilities are caused by the following factors:

  • Shortcomings of software or hardware
  • Different characteristics of the structure of automated systems in the information flow
  • Some operational processes of the system are inadequate
  • Inaccuracy of information exchange protocols and interface
  • Difficult operating conditions and conditions in which the information is located.

Most often the sources of threats are triggered in order to obtain illegal benefits after damaging information. However, accidental effect of threats due to insufficient protection and mass attack of a threatening factor is also possible.

Vulnerabilities can be:

  • Objective
  • Random
  • Subjective.

If you eliminate or at least mitigate the impact from vulnerabilities, you can avoid a significant threat meant to damage the storage system.

Cloud security

Since the Covid-19 pandemic began, cloud adoption has soared, as organizations needed to create options to enable employees to work from home. Suddenly, cloud data security was on everyone’s radar.

Earlier, data protection strategies generally focused on keeping malicious intruders out of systems where sensitive data is stored. But with cloud computing, data is stored in systems that are outside the traditional perimeter and can flow freely everywhere. Therefore, organizations need a data-centric security strategy that prioritizes their most sensitive information.

Confidentiality

When protecting information, we want to be able to restrict access to those who are allowed to see it; everyone else should be disallowed from learning anything about its contents. This is the essence of confidentiality. For example, federal law requires that universities restrict access to private student information. The university must be sure that only those who are authorized have access to view the grade records.

Damages

Severity and manifestations of a damage can be different:

  • Non-pecuniary and pecuniary damages caused to individuals whose information was stolen.
  • Financial loss with regard to the expenses incurred on restoring information systems.
  • Material costs associated with the inability to perform work because the information security system was changed.
  • Reputational damage associated with the brand reputation and resulting in disturbed relations at global level.

The person who committed the offense (received unauthorized access to information, or hacked into the protection system) can cause damage. Damage can also occur regardless of the subject owning information, but because of external factors and impacts (technological and natural disasters).

  • With a criminal intent (direct or indirect)
  • Through negligence (without intentional harm).

Data breaches

A data breach, or data leak, is a security event when critical data is accessed by or disclosed to unauthorized viewers. Data breaches can happen due to:

Data breaches can have a significant financial impact. It can interrupt business operations, which can hurt company revenue. A breach can also involve legal costs, and if it involves a violation of a compliance or industry mandate, the regulatory body can impose fines or other consequences. In addition, the organization can suffer lasting damage to its reputation and customer trust.

Exercises

  1. Describe one method of multi-factor authentication that you have experienced and discuss the pros and cons of using multi-factor authentication.
  2. What are some of the latest advances in encryption technologies? Conduct some independent research on encryption using scholarly or practitioner resources, then write a two- to three-page paper that describes at least two new advances in encryption technology.
  3. What is the password policy at your place of employment or study? Do you have to change passwords every so often? What are the minimum requirements for a password?
  4. When was the last time you backed up your data? What method did you use? In one to two pages, describe a method for backing up your data. Ask your instructor if you can get extra credit for backing up your data.
  5. Find the information security policy at your place of employment or study. Is it a good policy? Does it meet the standards outlined in the chapter?
  6. How are you doing on keeping your own information secure? Review the steps listed in the chapter and comment on how well you are doing.

Firewalls

Network configuration with firewalls, IDS, and a DMZ. Click to enlarge.
Network configuration with firewalls, IDS, and a DMZ. Click to enlarge.

Intrusion detection systems

Another device that can be placed on the network for security purposes is an intrusion detection system, or IDS. An IDS does not add any additional security; instead, it provides the functionality to identify if the network is being attacked. An IDS can be configured to watch for specific types of activities and then alert security personnel if that activity occurs.

Lack of cybersecurity talent

According to a 2020 (ISC)² study, the industry needs about 3 million more qualified cybersecurity workers, and 64% of cybersecurity professionals say their company is impacted by this cybersecurity skills shortage. This talent shortage limits their ability to reduce risk, detect threats and respond to attacks.

Methods of protection

There are several groups of protection methods, including:

Each method is implemented through various means. Organizational and technical means are the main ones.

PROTECT YOUR CORPORATE DATA

Objective vulnerabilities

They depend on the technical design of the equipment which is installed on the object requiring protection, as well as its characteristics. It is impossible to escape all these factors, but their partial elimination can be achieved through engineering techniques in the following cases:

1.  Related to emission technical means:

  • Electromagnetic techniques (side emission and signals from cable lines, elements of technical means).
  • Sound versions (acoustic or with vibration signals).
  • Electrical (slip of signals into the circuits of electrical network, through the induction into the lines and conductors, because of uneven current distribution).

2. Activated:

  • Malware, illegal programs, technological exits from programs which are together called ‘implant tools’.
  • Hardware implants: introduced directly into telephone lines, electrical networks or premises.

3. Due to the characteristics of a protected object:

  • Object location (visibility and absence of a controlled zone around the information object, presence of vibration or sound reflecting elements around the object, presence of remote elements of the object).
  • Arrangement of information exchange channels (use of radio channels, lease of frequencies or use of shared networks).

4. Those that depend on the characteristics of carriers:

  • Parts with electro-acoustic modifications (transformers, telephone devices, microphones and loudspeakers, inductors).
  • Elements under the influence of electromagnetic field (carriers, microcircuits and other elements).

Organizational means of protection

The development of organizational means should be within the competence of the security service. Most often, security experts:

Request a 30-day free trial

Random vulnerabilities

These factors vary depending on unforeseen circumstances and features of the information environment. They are almost impossible to predict in the information space, but you have to be prepared to rapidly eliminate them. Engineering and technical investigation or a response attack will help to mitigate the following problems:

1. System failures:

  • Caused by malfunctions of technical means at different levels of processing and storage of information (including those responsible for system performance and access to it).
  • Malfunctions and obsolete elements (demagnetization of data carriers, such as diskettes, cables, connection lines and microchips).
  • Malfunctions of different software that supports all links in the chain of information storage and processing (antiviruses, application and service programs).
  • Malfunctions of auxiliary equipment of information systems (power transmission failures).

2. Factors weakening information security:

  • Damage to communications such as water supply, electricity, ventilation and sewerage.
  • Malfunctions of enclosing devices (fences, walls in buildings, housing of the equipment where information is stored).

Study questions

  1. Briefly define each of the three members of the information security triad.
  2. What does the term authentication mean?
  3. What is multi-factor authentication?
  4. What is role-based access control?
  5. What is the purpose of encryption?
  6. What are two good examples of a complex password?
  7. What is pretexting?
  8. What are the components of a good backup plan?
  9. What is a firewall?
  10. What does the term physical security mean?

Subjective vulnerabilities

In most cases, the vulnerabilities of this subtype result from inadequate employee actions at the level of storage and protection system development. Eliminating such factors is possible using hardware and software:

1. Inaccuracies and gross errors that violate information security:

  • At the stage of loading the ready software or preliminary algorithm development, as well as during its use (possibly, during daily use or during data entry).
  • When managing programs and information systems (difficulties in the training to work with the system, individual set up of services, manipulation of information flows).
  • During the use of technical equipment (during switch-on or switch-off, the use of devices for transmitting or receiving information).

2. System malfunctions in the information environment:

  • The mode of protection of personal data (the problem may be caused by laid-off employees or current employees during off-hours when they get unauthorized access to the system).
  • Safety and security mode (when accessing facilities or technical devices).
  • While working with devices (inefficient energy use or improper equipment maintenance).
  • While working with data (change of information, its saving, search and destruction of data, elimination of defects and inaccuracies).

Summary

As computing and networking resources have become more and more an integral part of business, they have also become a target of criminals. Organizations must be vigilant with the way they protect their resources. The same holds true for us personally: as digital devices become more and more intertwined with our lives, it becomes crucial for us to understand how to protect ourselves.

Technical means of protection

The group of technical means combines hardware and software means. Here are the main ones:

The complex of technical measures includes measures which make computer network facilities physically unavailable, for example, equipment of rooms with cameras and signaling.

Types of information security threats

Information threat is a potentially possible influence or impact on an automated system with the subsequent damage to someone’s needs.

To date, there exist more than one hundred positions and types of threats to the information system. It is extremely important to analyze all risks using different diagnostic techniques. Based on the analyzed detailed indicators, you can competently build a system of protection against threats in the information space.

Vulnerability ranking

Specialists should consider and evaluate each vulnerability. Therefore, it is important to determine the criteria for assessing the threat of damage to the protection and the probability of its breakage or bypassing. The indicators are calculated with the use of ranking. There are three main criteria:

  • Accessibility is a criterion that takes into account how convenient it is for a threat source to use a particular type of vulnerability to disrupt information security. The indicator includes the technical data of the information carrier (such as equipment dimensions, its complexity and cost, as well as the possibility of using non-specialized systems and devices for hacking information systems).
  • Fatality is a characteristic that assesses the vulnerability impact on the ability of programmers to cope with the consequences of the threat for information systems. When assessing only objective vulnerabilities, it is necessary to define their information capacity or the ability to transmit to another place a useful signal with confidential data without deforming it.
  • Quantity is a characteristic of counting the parts of information storage and implementation systems which are prone to any vulnerability.

To find out the accurate information about protection level, you need to engage the analytical department. They will evaluate all the vulnerabilities and will make an information map with five point grading scale. The 1 corresponds to the minimal impact on the protection and its bypassing while the 5 corresponds to the maximum impact and, accordingly, the danger.

Which data needs protection?

Companies typically have to protect two major types of data:

  • Business-critical data comprises the data assets needed to operate and sustain your company. Examples include financial plans, inventory, and intellectual property like designs and trade secrets.
  • Private information includes employee HR and payroll data, customer profiles, contracts with suppliers, and personal medical histories.

A strong cybersecurity strategy provides differentiated protection of the company’s information assets, giving the most important data the highest degree of protection. Otherwise, you’ll waste resources trying to safeguard every file and folder, whether it contains critical intellectual property or just pictures from the company picnic.

Рефераты:  Как правильно оформлять таблицу в курсовой работе пример
Оцените статью
Реферат Зона
Добавить комментарий