Information technologies, drawing on ever newer developments in computing, find new areas of application every day: from simple gadgets and personal computers to smart homes and vehicle autopilots. All this increases the volume of data transmitted, used and stored, which in turn gives rise to more and more information security threat models. This means more and more opportunities for attackers to exploit the weaknesses of outdated information protection systems. This article briefly discusses what threats are and what kinds of threats exist.
Identifying threats
Security problems should be analysed with regard to the economic interests at stake and to the threats and losses that a successful attack on a given enterprise's information system could bring. A private (organization-specific) threat model for an information system is built on analysis of the following:
- the attack source: external or internal relative to the protected object (enterprise, organization, etc.);
- all risk areas: the company's economic sphere, its physical resources and its information resources;
- factors influencing security: the vulnerability of data and information and the degree of their protection; software, enterprise computers and other devices; material and financial resources; employees;
- the types, scale and directions of possible attacks;
- methods of threat implementation: the object of attack, the mechanism and speed of action, and the vulnerability factors that enable it;
- consequences, evaluated in terms of financial loss, moral damage and possible compensation.
There are two main views of any threat. It is identified either with one or more types and methods of carrying out an attack, in accordance with information security theory, or with the results of its impact on the company in question, i.e. with the consequences it leads to.
Legal aspects of information security threats
The information system threat model is considered in close connection with the concept of damage in the first part of Article 15 of the Civil Code of the Russian Federation. Damage is defined there as the actual costs incurred by a subject as a result of a violation of their rights (theft of confidential information, its distribution or use for personal gain), loss of or damage to property, and the expenses of recovery.
In Russia, information security remains a complicated matter to this day: there is still no generally accepted terminology in this area, and different laws may define the same entities differently, although steps are being taken to standardize the terminology.
Classification of threats
Any information security threat model, even a basic one, requires analysis and mandatory identification of both the possible attacks and the methods of carrying them out. For this purpose various classifications have been created (by source, by probability, by nature, by object, by consequences), which allow the defensive response to a particular attack to be designed as precisely as possible. Threats are classified according to the following criteria:
- Information system components that can be targeted by attacks: data, computers and software, networks, and the other structures that keep the system running.
- Method of implementation: accidental or deliberate. Man-made and natural events are also taken into account.
- Location of the attack source: external or internal relative to the system in use.
- Information security property that can be targeted: availability, confidentiality or integrity of data.
Analysis and classification bring the protection system to a state in which most of the possible threats have been identified and matched with methods of neutralizing them. Of course, it makes no sense to build every defense system to defend against absolutely everything. A probabilistic approach is applied: the relevance of each individual class of threats is assessed, and it is against the relevant classes that measures are taken in the protection system.
Threat analysis and assessment algorithm
The analysis produces a matrix linking information security threats, vulnerabilities and the likely consequences of a successful attack. The danger factor of each individual attack is calculated as the product of the danger factor of the threat and the danger factor of the attack source. Proceeding this way makes it possible to:
- define priority targets for the defense system;
- compile a list of current attacks and threat sources;
- find information system vulnerabilities;
- assess the likelihood of a successful attack from the relationship between vulnerabilities and threat sources;
- work out in detail the course of a particular threat and build a defense against the resulting attack scenario;
- describe in detail the consequences of a successful attack;
- design a security system and the organization's information security management complex.
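The procedure above, carried through in code as an added example (this is not code from the original article): threats are linked to the vulnerabilities they exploit and to the loss a successful attack would cause, each attack's danger factor is computed as threat danger multiplied by source danger, and from that the ranked list of attacks, the priority vulnerabilities and the expected losses are derived. The 1 to 5 rating scales, the normalisation of the danger factor into a likelihood, the threshold for "relevant" threat classes, and all threat, source and loss figures are constructed assumptions for illustration.

```python
"""Threat analysis matrix: added example, not code from the original article.

Builds the threat x vulnerability matrix, computes danger factor =
(threat danger) * (source danger), and derives the priority lists the
text describes.  All scales, threats, sources and losses are assumptions.
"""
from dataclasses import dataclass

MAX_SCALE = 5  # assumed upper bound of both danger scales (ratings run 1..5)


@dataclass(frozen=True)
class ThreatSource:
    name: str
    location: str   # "internal" or "external" (classification by source)
    danger: int     # 1..MAX_SCALE, assumed expert rating


@dataclass(frozen=True)
class Threat:
    name: str
    source: ThreatSource
    danger: int                 # 1..MAX_SCALE, assumed expert rating
    target: str                 # "confidentiality", "integrity" or "availability"
    vulnerabilities: tuple      # vulnerabilities that enable this threat
    loss: float                 # estimated loss from one successful attack (constructed)


def danger_factor(threat):
    """Danger of an attack = danger of the threat * danger of its source."""
    return threat.danger * threat.source.danger


def success_likelihood(threat):
    """Danger factor normalised to [0, 1]; an assumed proxy for the chance of success."""
    return danger_factor(threat) / (MAX_SCALE * MAX_SCALE)


def expected_loss(threat):
    """Consequence of the attack weighted by how likely it is to succeed."""
    return success_likelihood(threat) * threat.loss


def build_matrix(threats, vulnerabilities):
    """Rows = threats, columns = vulnerabilities.  A cell holds the danger factor
    of the attack when the threat exploits that vulnerability, otherwise 0."""
    return {
        t.name: {v: (danger_factor(t) if v in t.vulnerabilities else 0)
                 for v in vulnerabilities}
        for t in threats
    }


def rank_threats(threats):
    """Current attacks ordered from most to least dangerous."""
    return sorted(((t.name, danger_factor(t)) for t in threats),
                  key=lambda x: (-x[1], x[0]))


def priority_vulnerabilities(threats):
    """Priority targets for defence: each vulnerability scored by the summed
    danger factors of the attacks it enables."""
    score = {}
    for t in threats:
        for v in t.vulnerabilities:
            score[v] = score.get(v, 0) + danger_factor(t)
    return sorted(score.items(), key=lambda x: (-x[1], x[0]))


def relevant_threats(threats, threshold):
    """Probabilistic selection: only threats above the threshold get countermeasures."""
    return [t.name for t in threats if success_likelihood(t) >= threshold]


# Constructed sample input (names, ratings and losses are illustrative only)
INSIDER = ThreatSource("negligent employee", "internal", 4)
ADMIN = ThreatSource("administrator error", "internal", 3)
OUTSIDER = ThreatSource("external attacker", "external", 5)
DISASTER = ThreatSource("natural disaster", "external", 1)

THREATS = (
    Threat("accidental data corruption", INSIDER, 3, "integrity",
           ("no input validation", "no backups"), 20_000),
    Threat("credential theft", OUTSIDER, 4, "confidentiality",
           ("stale account of terminated employee", "weak passwords"), 150_000),
    Threat("misconfiguration outage", ADMIN, 2, "availability",
           ("undocumented system", "no backups"), 40_000),
    Threat("flood in server room", DISASTER, 5, "availability",
           ("single site",), 300_000),
)
VULNERABILITIES = sorted({v for t in THREATS for v in t.vulnerabilities})

if __name__ == "__main__":
    for name, cells in build_matrix(THREATS, VULNERABILITIES).items():
        print(f"{name:30} " + " ".join(f"{cells[v]:3d}" for v in VULNERABILITIES))
    print("ranked threats:", rank_threats(THREATS))
    print("priority vulnerabilities:", priority_vulnerabilities(THREATS))
    print("expected losses:", {t.name: round(expected_loss(t)) for t in THREATS})
    print("relevant (likelihood >= 0.4):", relevant_threats(THREATS, 0.4))
```

Note how the ranking changes depending on which output is read: the flood has the highest single-attack loss but the lowest danger factor, while a vulnerability such as "no backups" climbs the priority list because two separate threats exploit it. That is the reason the text builds a matrix rather than scoring threats in isolation.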
Users of the system as the main source of threats
The FSTEC information security threat model puts human error (by users, administrators, operators and other persons involved in system maintenance) among the leading causes in terms of the amount of damage caused. According to research, about 65% of losses from successful attacks are due to accidental errors committed through inattention, negligence or a lack of proper employee training. Such violations can be both an independent source of threats (incorrect data entry, program errors leading to a system crash) and a vulnerability (administrator errors) that attackers can exploit.
Users of the system as a direct threat
As noted above, the user himself can be dangerous and figure in an information security threat model. Examples of such situations:
- malicious: disabling an information system or, for example, planting a logic bomb in database code that triggers under certain conditions and destroys the information stored there;
- unintentional: accidental data corruption or loss;
- hacking the control system;
- theft of personal data (passwords, addresses, bank accounts);
- transfer of personal data to third parties or organizations.
Users of the system as an indirect threat
System vulnerabilities should also be considered in the organization's information security threat model. The validity of this approach is shown by user actions that weaken the system's protection and open the way to a direct threat:
- refusal to work with the information system, for example out of unwillingness to master new software;
- a mismatch between the software and user requirements;
- inability to work properly for lack of the appropriate skills (insufficient knowledge of computer technology, inability to handle error messages), and the system failures that result.
Automation and threats
A user can account for a weighty list of threats to an information system. A logical way to combat unintentional errors is therefore to reduce their share by moving to automation: applying the fool-proofing principle, standardization, regulation and strict control of user actions. However, even here there are threats that should be included in the information security threat model:
- forgetting to revoke a terminated employee's access to the system;
- poor documentation of the automated system and lack of technical support;
- violation of operating rules, whether accidental or intentional;
- departure from normal operation due to user actions (too many requests) or administrative staff (poor estimation of the volume of data processed per unit of time);
- configuration errors;
- hardware and software failures;
- breach of data integrity due to system failures.
In addition to its main structure, an information system also includes an auxiliary one that keeps the main parts running. Support structures should also be considered in information security threat models; man-made and natural disasters are an example. The larger-scale threats in more detail:
- Disruption of utility and communication systems (Internet, electrical grid, water supply, gas supply, cooling).
- Damage to or destruction of buildings.
- Emergency situations in a city or country in which citizens stop performing their official duties for any reason: civil war, major accidents, terrorist attacks or the threat of them, strikes, etc.
- Natural disasters.
According to statistics, natural and man-made disasters account for 13% to 15% of the losses suffered by information systems. For this reason there are even information systems that must continue to operate normally despite natural disasters.
Types of protected information
Any organization whose resource is information can have a private information security threat model of its own. It is generated by the company's internal structure, which is formed by its divisions, employees, technical means, economic relations, internal social relations, etc. The total mass of internal and external information, together with the system and technologies serving it and the specialists and personnel, therefore constitutes the information technology resource.
Thus, for any commercial company, information can be divided into official, confidential, secret and commercial secret. For a non-governmental organization the classes are fairly simple, but even in the simplified case everything must be strictly classified and enshrined in the relevant regulations so that a correct and, most importantly, working information security system can be built.
Competent organization of an information security system is a complex and often expensive process. It requires a detailed inventory of all information resources, division of all data into categories, classification of information security threats, design and development of a protection system including all regulatory documents, selection of hardware and software tools sufficient to implement the workflow at the proper level in compliance with information security requirements, etc.
Organizing information security requires competent specialists in the field and competent company management that is ready to comply with the required security standards and to allocate resources to support them.