Model of threats to the security of personal data. Private model of threats to the security of confidential information for a bank

Classification of unauthorized influences

A threat is understood as the potentially existing possibility of an accidental or intentional action (inaction), as a result of which the basic properties of information and its processing systems may be violated: availability, integrity and confidentiality.

Knowledge of the range of potential threats to protected information, and the ability to assess skillfully and objectively the likelihood of each being implemented and the degree of danger it poses, is an important stage in the complex process of organizing and ensuring protection. Determining the complete set of information security threats is practically impossible, but a relatively complete description of them, as applied to the object in question, can be achieved by carefully compiling a threat model.

Remote attacks are classified by the nature and purpose of the impact, by the condition that triggers the impact, by the presence of feedback from the attacked object, by the location of the subject relative to the attacked object, and by the layer of the OSI reference model (EMVOS) at which the impact is carried out.

Classification characteristics of objects of protection and of security threats to automated systems (AS), and the possible methods of unauthorized access (NSD) to information in a protected AS:

1) by the NSD principle:
  • physical. Implemented through direct or visual contact with the protected object;
  • logical. Involves overcoming the protection system by software means, through logical penetration into the structure of the AS;
2) by the NSD path:
  • use of a direct, standard access path. Weaknesses in the established security policy and in the network administration process are exploited. The result may be masquerading as an authorized user;
  • use of a hidden, non-standard access path. Undocumented features (weaknesses) of the protection system are used: shortcomings of the algorithms and components of the protection system, errors in the implementation of the protection system design;
  • a special group, in terms of danger, is formed by information security threats implemented through the actions of an intruder, which not only allow unauthorized influence on the information resources of the system (using special software and software-hardware means) but also provide NSD to information;
3) by the degree of automation:
  • performed with constant human participation. Publicly available (standard) software can be used. The attack is carried out as a dialogue between the attacker and the protected system;
  • performed by special programs without direct human participation. Special software is used, most often developed using virus technology. As a rule, this NSD method is preferred for implementing an attack;
4) by the nature of the influence of the NSD subject on the object of protection:
  • passive. Has no direct effect on the AS, but can violate the confidentiality of information. An example is monitoring of communication channels;
  • active. This category includes any unauthorized influence whose ultimate goal is to make changes in the attacked system;
5) by the condition that triggers the impact:
  • attack on request from the attacked object. The subject of the attack is initially passive and waits for a certain type of request from the attacked AS, whose weaknesses are then used to carry out the attack;
  • attack upon the occurrence of an expected event on the attacked object. The OS of the attack target is monitored. The attack begins when the AS is in a vulnerable state;
  • unconditional attack. The subject of the attack acts on the target regardless of the latter's state;
6) by the purpose of the impact. Security is considered as the combination of confidentiality, integrity, resource availability and performance (stability) of the AS, the violation of which is reflected in the conflict model;
7) by the presence of feedback from the attacked object:
  • with feedback. Implies bidirectional interaction between the subject and the target of the attack in order to obtain from the target data that affects the further course of the attack;
  • without feedback. A unidirectional attack. The subject of the attack does not need a dialogue with the attacked AS. An example is a directed "storm" of requests. The goal is to disrupt the performance (stability) of the AS;
8) by the type of security weakness used:
  • shortcomings of the established security policy. The security policy developed for the AS is inadequate to the security criteria, and this is what is used to perform the NSD;
  • administrative errors;
  • undocumented features of the security system, including those related to software: errors, uninstalled OS updates, vulnerable services, unprotected default configurations;
  • shortcomings of protection algorithms. The security algorithms used by the developer to build the information security system do not reflect the real aspects of information processing and contain conceptual errors;
  • errors in the implementation of the security system design. The implementation of the information security system project does not comply with the principles laid down by the system developers.

Logical characteristics of protected objects:

1) security policy. A set of documented conceptual decisions aimed at protecting information and resources; it includes goals, requirements for the protected information, a set of information security measures, and the responsibilities of those in charge of information security;
2) the administrative management process. Includes management of network configuration and performance, access to network resources, measures to improve the reliability of the network, restoration of system and data functionality, and monitoring of standards and of the correct functioning of security measures in accordance with the security policy;
3) protection system components:
  • cryptographic information protection system;
  • key information;
  • passwords;
  • information about users (identifiers, privileges, authorities);
  • security system settings;
4) protocols. As a set of functional and operational requirements for network hardware and software components, they must be correct, complete and consistent;
5) functional elements of computer networks. In the general case they must be protected from overloads and from the destruction of "critical" data.

Possible ways and methods of carrying out unauthorized access (types of attacks):

1) analysis of network traffic, study of the LAN and its security measures in order to find weaknesses and learn the algorithms by which the AS functions. In systems with a physically dedicated communication channel, messages are transmitted directly between source and receiver, bypassing other system objects. In such a system, without access to the objects through which a message passes, there is no software means of analyzing network traffic;
2) introduction of unauthorized devices into the network;
3) interception of transmitted data for the purpose of theft, modification or redirection;
4) substitution of a trusted object in the AS;
5) introduction of an unauthorized route (object) into the network by imposing a false route and redirecting the flow of messages through it;
6) introduction of a false route (object) into the network by using shortcomings of remote search algorithms;
7) exploitation of vulnerabilities in system-wide and application software;
8) cryptanalysis;
9) exploitation of shortcomings in the implementation of cryptographic algorithms and cryptographic programs;
10) interception, selection, substitution and prediction of generated keys and passwords;
11) assignment of additional authorities and modification of security system settings;
12) planting of software implants ("bookmarks");
13) disruption of the performance (stability) of the AS by introducing overloads, destroying "critical" data, and performing incorrect operations;
14) access to a network computer that receives messages or performs routing functions.

Classification of attackers

The possibilities for carrying out harmful influences largely depend on the status of the attacker in relation to the computer system (CS). The attacker could be:

  • 1) CS developer;
  • 2) an employee from among the service personnel;
  • 3) user;
  • 4) an outsider.

The developer has the most complete information about the CS software and hardware. The user has a general understanding of the structure of the CS and of the operation of its information security mechanisms. He can collect data about the information security system using traditional espionage methods, and can also attempt unauthorized access to information. An outsider with no relation to the CS is in the least advantageous position compared with the other attackers. If we assume that he has no access to the CS facility, then he has at his disposal remote methods of traditional espionage and the possibility of sabotage. He can exert harmful effects using electromagnetic radiation and interference, and also via communication channels if the CS is distributed.

Specialists servicing these systems have great potential to exert harmful influences on CS information. Moreover, specialists from different departments have different potential for malicious actions. Information security workers can do the most harm. Next come system programmers, application programmers and engineering staff.

In practice, the danger an attacker poses also depends on his financial, logistical and technical capabilities and on his qualifications.

Greetings, Habrazhiteliki!
  • to understand the threats and vulnerabilities present in the information system, and the intruders relevant to it, in order to start the technical design process for neutralizing them;
  • just for show, so that all the conditions of a particular project are formally met, for example in the field of personal data (I am not saying that a threat model for a personal data project is always done for show, but that is basically how it is).
Management also plays a big role here. It depends on what management wants: to competently design and build protection (our option), or to protect itself from certain regulatory authorities. But that is a topic for a separate article; there is plenty to say about it.

The threat model and the intruder model are inextricably linked. There has been a lot of argument about whether these models should be separate documents or whether it is more correct to combine them in one. In my opinion, for convenience in constructing the threat model and the intruder model, it is more correct to do this in one document. When the threat model is handed over to engineers (if different departments of the company handle threat modeling, intruder modeling and design), they need to see the whole picture, rather than reading two documents and wasting time linking them together. So in this article I will describe the threat model and the intruder model (hereinafter referred to as the threat model) as a single, inseparable document.

Typical problems

In my experience I have seen a large number of threat models written so differently that it was simply unrealistic to bring them to one template. The author had no clear idea of what to write in such a document, whom it is for and what its purpose is. Many people ask how many pages a threat model should have, what to write in it, and how best to do it.

The common mistakes I identified when compiling a threat model are:

  • lack of understanding of whom this document is for;
  • lack of understanding of the structure of the document;
  • lack of understanding of the required content of the document;
  • lack of the conclusions necessary for design.

Threat Model Plan

Since, after compiling a threat model, we hand it over to engineers for analysis (not a mandatory condition), the information is grouped for the convenience of both the developer of the threat model and the engineer who will then analyze it.
When compiling a threat model, I follow this plan (subsections omitted):
  • Introduction
  • 1. List of abbreviations
  • 2. List of regulatory documents
  • 3. Description of the IS
  • 4. Security threats
  • Conclusion
  • Appendix A
  • Appendix B
  • Appendix C
Looking ahead: the threat model is built on the principle "you should not have to read the entire document to understand its meaning and draw the right conclusions". Let's look at each of the points.

Introduction

A typical introduction describing the purpose of this document and what should be determined at the writing stage.

1. List of abbreviations

Why is it here, you ask? My answer:
  • the document may be read not only by an information security specialist;
  • the document may be read by senior management with some technical education;
  • when describing the information system, some terms may be unknown either to specialists or to management.

2. List of regulatory documents

This section is usually necessary in projects that use some kind of documentation that contains certain requirements or recommendations. For example, when working with personal data, regulatory documents of FSTEC, FSB, etc. are recorded in this section.

3. Description of the IS

This section is one of the main parts of the threat model. The description of the information system should break it down in as much detail as possible. It should include:
  • the technical means used and their purpose. As an example:

The identifier is used for quick reference to an asset from the document text, the description explains what kind of technical means it is, and the note clarifies details about the technical means and their purposes.
  • a detailed description of the technical means. As an example: TS – terminal server. Remote clients connect via RDP to work with the system. Connections come from hardware thin clients and personal computers. The terminal server has an application installed that is used to work with the database.
  • a connection diagram of the technical equipment. This diagram should reflect the detailed architecture of the information system.
  • the protective measures already implemented. This information allows the developer of the threat model to take already implemented security measures into account and evaluate their effectiveness, which, with some probability, will reduce the cost of purchasing security products.
  • a list of assets. It is necessary to determine the list of assets, their significance for the company, and an identifier for quick reference from the document. As an example:

Depending on the chosen risk assessment methodology, section 3 of the threat model may contain additional information. For example, in the case of modeling threats to personal data, this section is supplemented with “indicators of the initial security of the ISPD” and “main characteristics of the ISPD”.

4. Security threats

This section describes the results of threat modeling. The description includes:
  • the relevance of external and internal threats;
  • the list of current intruders;
  • the list of current information security threats.
The list of current threats can conveniently be presented in the form of the following table:

Here again everything is simple: an identifier, a description of the threat, and the assets affected by the threat. That is more than enough information.

Conclusion

The conclusion must describe what measures need to be taken to protect the information system. Example:

1. Protection against unauthorized connection of unregistered technical equipment:
  • DBMS servers;
  • application servers.
2. Cryptographic protection of communication channels used to access the information system (building a VPN).

The information in the sections described above contains all the data needed to design a security system for the information system. Everything concerning the identification of current intruders and the calculation of current information security threats is placed in the appendices. This lets the reader get all the necessary information from the first pages of the document. From experience I can say that a threat model for a good project and a serious information system runs to 100 pages or more. The information presented above usually takes no more than 30.

Appendix A

In Appendix A I usually describe the intruder model. Typically it consists of:
  • a description of the types of intruders and their capabilities (internal, external);
  • a description of the access channels to the IS (physical, public, technical);
  • a description of these types of intruders with reference to the staffing structure of the organization;
  • a description of the capabilities of these intruders;
  • a determination of the relevance of each type of intruder.

Resulting table:

Type of intruder, categories of intruders, identifier:
  • N1: external intruder. Criminal structures, external entities (individuals).
  • N2: internal intruder. Persons who have authorized access to the controlled zone (KZ) but no access to the ISPDn (technical and maintenance personnel).
  • N3: internal intruder. Registered ISPDn users with access to PD.
  • N4: internal intruder. Registered ISPDn users with ISPDn segment security administrator rights.
  • N5: internal intruder. Registered users with ISPDn system administrator rights.
  • N6: internal intruder. Registered users with ISPDn security administrator rights.
  • N7: internal intruder. Programmers-developers (suppliers) of application software and persons providing its maintenance at the protected site.
  • N8: internal intruder. Developers and persons providing supply, maintenance and repair of the ISPDn technical equipment.

Appendix B

This appendix is used to describe and calculate the relevance of threats. Depending on the chosen methodology for determining the relevance of information security threats and assessing risk, this appendix (section) can be laid out in different ways. I describe each threat with the following table:

The table did not format very well in the Habr editor; it looks much better in the document. The history of this particular type of table goes back to the standards of the STO BR series. It was then slightly modified for personal data projects, and now it serves as a means of describing threats for any project. This table fully allows the relevance of an information security threat to the company's assets to be calculated. If a risk assessment technique is used instead, the table is suitable for that too. This example is given for calculating the relevance of threats within a personal data protection project. The table is read as follows: Threat -> Intruder -> Assets -> Violated properties -> Data for calculating relevance -> Conclusions.

Each threat is documented with such a table, which fully describes it, and on the basis of the table it is easy to draw a conclusion about whether the threat is relevant or not.

Appendix C

Appendix C is for reference. It describes the methods for calculating relevance or the methods for assessing risk.

As a result, using this design methodology, the threat model will be a readable and useful document that can be used within the organization.

Thank you for your attention.

They, in turn, can be divided into authorized and random. An external danger can come from terrorists, foreign intelligence services, criminal groups, competitors and so on, who can block, copy and even destroy information that is valuable to both parties.

Basic threat model

The internal threat of information leakage is a threat created by employees of a particular enterprise. Having authorized access, they can break into the system and use it for personal gain. This is possible if the company has no technical measures and access control in place.

The right to protection of personal information is guaranteed by the Constitution of the Russian Federation to every citizen.

Levels of protection

The information security system itself can have four levels. Note that the choice of protective measures is made by the operator on the basis of regulations (Part 4 of Article 19 of the Federal Law "On Personal Data").

Requirements necessary to ensure the fourth level of personal data security:

  • the organization must establish a regime that prevents persons without access rights from entering the premises;
  • the safety of personal data media must be ensured;
  • the head of the operator must approve the documents containing the list of persons who, by virtue of their official duties, are allowed access to the confidential information of other employees;
  • information security tools that have passed a conformity assessment procedure in the field of information security must be used.

To ensure the third level of security, all requirements of the fourth level must be met and one more is added: an official (employee) responsible for ensuring the security of personal data in the information system must be appointed.

The second level of security is characterized by the provision that only the operator himself or an employee whose official duties allow it may have access to the electronic security log. All requirements of the third level of security also apply to it.

And finally, to ensure the first level of security, it is necessary to comply with all the above requirements and ensure compliance with the following points:

  • automatic recording in the electronic security log of changes in an employee's access to personal data in connection with a change in his powers;
  • appointment of a person (employee) responsible for ensuring the security of personal data in the information system, or assignment of the functions of ensuring such security to one of the structural divisions.

The operator must carry out security inspections at least once every three years.

The operator has the right to entrust this task to a legal entity or to persons holding a license for it, by concluding an agreement with them ("Requirements for the protection of personal data during their processing in personal data information systems", Government Decree of November 1, 2012 No. 1119).

Ensuring a high level of protection


The law gives legal entities the right to determine the extent to which their confidential information is protected. Do not leave yourself vulnerable: take the necessary measures.

when processing them in the personal data information system

1. General Provisions

This private model of threats to the security of personal data during their processing in the personal data information system "SKUD" in ___________ (hereinafter referred to as ISPDn) was developed on the basis of:

1) "Basic model of threats to the security of personal data when processed in personal data information systems", approved on February 15, 2008 by the Deputy Director of the FSTEC of Russia;

2) "Methodology for identifying current threats to the security of personal data during their processing in personal data information systems", approved on February 14, 2008 by the Deputy Director of the FSTEC of Russia;

3) GOST R 51275-2006 "Information protection. Factors influencing information. General provisions".

The model identifies threats to the security of personal data processed in the personal data information system “SKUD”.

2. List of threats that pose a potential danger to personal data processed in the ISPDn

Potential dangers to personal data (hereinafter referred to as PD) when processed in the ISPDn are:
  • threats of information leakage through technical channels;
  • physical threats;
  • threats of unauthorized access;
  • threats to personnel.

3. Identification of current threats to the security of personal data during processing in the ISPDn

3.1. Determining the level of initial security of the ISPDn

The level of initial security of the ISPDn was determined by the expert method in accordance with the "Methodology for identifying current threats to the security of personal data during their processing in personal data information systems" (hereinafter referred to as the Methodology), approved on February 14, 2008 by the Deputy Director of the FSTEC of Russia. The results of the initial security analysis are shown in Table 1.

Table 1. Initial security level

Technical and operational characteristics of the ISPDn (security level: high / medium / low):
  • 1. By territorial placement: local ISPDn deployed within one building.
  • 2. By connection to public networks: ISPDn physically separated from public networks.
  • 3. By built-in (legal) operations on PD database records: read, write, delete.
  • 4. By restriction of access to PD: ISPDn to which a certain list of employees of the organization that owns the ISPDn, or the PD subject, has access.
  • 5. By presence of connections with PD databases of other ISPDn: ISPDn using a single PD database belonging to the organization that owns the ISPDn.
  • 6. By level of generalization (depersonalization) of PD: ISPDn in which the data provided to the user is not anonymized (i.e. contains information that allows the PD subject to be identified).
  • 7. By volume of PD provided to third-party ISPDn users without preprocessing: ISPDn providing part of the PD.

Thus, the ISPDn has a medium level of initial security (Y1 = 5), since more than 70% of the ISPDn characteristics correspond to a security level not lower than "medium", but fewer than 70% of the characteristics correspond to the "high" level.
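The 70% rule above and the relevance calculation that Appendix B of the threat model is meant to hold both come from the 2008 FSTEC Methodology, so here is an added example (not code from the page or from any of the cited standards) that carries the calculation through in Python: it grades the seven rows of Table 1, derives Y1, and then combines Y1 with the expert probability estimate Y2 to decide whether a threat is relevant. The per-row grades, the Y2 scores, the (Y1 + Y2) / 20 formula and the relevance matrix are taken from the Methodology as the author of this example understands it, not from the page, and are marked as assumptions in the code.

```python
"""Initial security level (Y1) and threat relevance, FSTEC 2008 Methodology style.

Added example, not part of the original article.  The 70% rule for Y1 is the
one the text quotes; the Y2 scores, the Y = (Y1 + Y2) / 20 formula, the
possibility bands and the relevance matrix are the Methodology's rules as the
example author recalls them (assumption), so verify against the document itself
before using the numbers in a real threat model.
"""

# Score assigned to each initial security level (Methodology; assumption).
LEVEL_SCORE = {"high": 10, "medium": 5, "low": 0}


def initial_security_level(grades):
    """Return (level, Y1) for a list of per-characteristic grades.

    Rule: 'high' if at least 70% of characteristics are graded high and the
    rest medium; 'medium' if at least 70% are medium or higher but the 'high'
    condition fails; 'low' otherwise.
    """
    if not grades:
        raise ValueError("at least one characteristic is required")
    n = len(grades)
    high = sum(g == "high" for g in grades)
    low = sum(g == "low" for g in grades)
    if high / n >= 0.7 and low == 0:
        level = "high"
    elif (n - low) / n >= 0.7:
        level = "medium"
    else:
        level = "low"
    return level, LEVEL_SCORE[level]


# Y2: expert estimate of how likely it is that a threat is implemented
# (Methodology scores; assumption).
Y2_SCORE = {"unlikely": 0, "low": 2, "medium": 5, "high": 10}


def implementation_possibility(y1, y2):
    """Map Y = (Y1 + Y2) / 20 to a possibility band (assumed thresholds)."""
    y = (y1 + y2) / 20
    if y <= 0.3:
        return "low"
    if y <= 0.6:
        return "medium"
    if y <= 0.8:
        return "high"
    return "very high"


# possibility -> expert danger level -> is the threat relevant? (assumption)
RELEVANCE = {
    "low": {"low": False, "medium": False, "high": True},
    "medium": {"low": False, "medium": True, "high": True},
    "high": {"low": True, "medium": True, "high": True},
    "very high": {"low": True, "medium": True, "high": True},
}


def threat_is_relevant(y1, y2_label, danger):
    """Return (relevant, possibility) for one threat given Y1, Y2 and danger."""
    possibility = implementation_possibility(y1, Y2_SCORE[y2_label])
    return RELEVANCE[possibility][danger], possibility


# Constructed grading of the seven rows of Table 1 on the page, using the
# Methodology's lookup table (assumption: graded by the example author).
TABLE_1_GRADES = [
    "high",    # 1. local ISPDn within one building
    "high",    # 2. physically separated from public networks
    "medium",  # 3. read, write, delete
    "medium",  # 4. access limited to a list of employees / the PD subject
    "high",    # 5. single PD database owned by the organization
    "low",     # 6. data provided to users is not depersonalized
    "medium",  # 7. part of the PD provided to third-party users
]

if __name__ == "__main__":
    level, y1 = initial_security_level(TABLE_1_GRADES)
    print(f"initial security: {level}, Y1 = {y1}")  # medium, 5 (as the text states)
    # Example threat: medium probability of implementation, medium danger.
    relevant, possibility = threat_is_relevant(y1, "medium", "medium")
    print(f"possibility {possibility}, relevant: {relevant}")
```

Three high rows out of seven is 42.9%, so the "high" condition fails, while six rows graded medium or above (85.7%) clear the 70% bar for "medium", which is exactly why the text arrives at Y1 = 5.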

At the moment I am revising the private policy on information security risks and updating the information security threat model.

During my work, I encountered some difficulties. How I solved them and developed a private threat model will be discussed further.

Previously, many banks used the Industry Model of Personal Data Security Threats taken from the Bank of Russia standardization recommendation RS BR IBBS-2.4-2010 "Ensuring information security of organizations of the banking system of the Russian Federation. Industry-specific model of threats to the security of personal data during their processing in personal data information systems of organizations of the banking system of the Russian Federation" (RS BR IBBS-2.4-2010). But following the Bank of Russia notice of May 30, 2014, that document became invalid. Now the model has to be developed independently.

Not many people know that with the release of the Bank of Russia standardization recommendation "Ensuring information security of organizations of the banking system of the Russian Federation. Preventing information leaks" RS BR IBBS-2.9-2016 (RS BR IBBS-2.9-2016), a substitution of concepts took place. Now, when defining the list of information categories and the list of information asset types, it is recommended to rely on clauses 6.3 and 7.2 of RS BR IBBS-2.9-2016. Previously this was clause 4.4 of the Bank of Russia standardization recommendation "Ensuring information security of organizations of the banking system of the Russian Federation. Methodology for assessing the risks of information security violations" RS BR IBBS-2.2-2009 (RS BR IBBS-2.2-2009). I even contacted the Central Bank for clarification:

The basic sources of threats are listed in clause 6.6 of the Bank of Russia standard "Ensuring information security of organizations of the banking system of the Russian Federation. General provisions" STO BR IBBS-1.0-2014 (STO BR IBBS-1.0-2014). The intruder's potential can be taken from there as well.

In general, when determining current information security threats, it is necessary to take into account the information security incidents that have occurred in the organization, information from analytical reports of regulators and of companies providing information security services, and the expert opinion of the company's specialists.

Information security threats are also determined in accordance with Bank of Russia Directive No. 3889-U of December 10, 2015 "On identifying threats to the security of personal data relevant when processing personal data in personal data information systems" (3889-U), Appendix 1 of RS BR IBBS-2.2-2009, Table 1 of RS BR IBBS-2.9-2016 (which I made a separate appendix), and the Data Bank of Information Security Threats of the FSTEC of Russia (BDU).

By the way, I noticed that some threats from 3889-U duplicate threats from BDU:

  • the threat of exposure to malicious code external to the personal data information system: UBI.167, UBI.172, UBI.186, UBI.188, UBI.191;
  • the threat of using social engineering methods against persons with authority in the personal data information system: UBI.175;
  • the threat of unauthorized access to personal data by persons without authority in the personal data information system, using vulnerabilities in the software of the personal data information system: UBI.192.

For this reason I excluded the duplicate threats from 3889-U in favor of the UBI entries, because their descriptions contain additional information that makes it easier to fill out the threat model and information security risk assessment tables.

Current threats from the threat source "Adverse events of a natural, man-made and social nature" can be determined from the statistics of the Russian Ministry of Emergency Situations on emergencies and fires.

Current threats from the threat source "Terrorists and criminal elements" can be determined from the statistics of the Ministry of Internal Affairs of the Russian Federation on the state of crime and from the newsletter "Crimes in the banking sector".

At this stage, we have determined the sources of information security threats and current information security threats. Now let's move on to creating a table with an information security threat model.

As a basis I took the table "Industry model of threats to personal data security" from RS BR IBBS-2.4-2010. The columns "Source of threat" and "Level of threat implementation" are filled in according to the requirements of clauses 6.7 and 6.9 of STO BR IBBS-1.0-2014. The columns "Environment object types" and "Security threat" remain empty. I renamed the latter "Consequences of the threat", as in NOS (in my opinion this is more correct). To fill them in, we need the descriptions of our threats from the BDU.

As an example, consider "UBI.192: Threat of using vulnerable versions of software":
Description of the threat: the threat consists in the possibility of an attacker having a destructive impact on the system by exploiting software vulnerabilities. The threat is caused by weaknesses in the mechanisms for analyzing software for vulnerabilities. The threat can be realized when software is not checked for vulnerabilities before being put into use.
Sources of threat: internal intruder with low potential; external intruder with low potential.
Object of influence: application software, network software, system software.
Consequences of the threat: violation of confidentiality, violation of integrity, violation of availability.

For convenience, I distributed the environment object types (objects of influence) across the levels of threat implementation (the levels of the bank's information infrastructure).

The list of environment objects I compiled from clause 7.3 of RS BR IBBS-2.9-2016, clause 4.5 of RS BR IBBS-2.2-2009 and the UBI descriptions. The levels of threat implementation are given in clause 6.2 of STO BR IBBS-1.0-2014.

Thus, this threat affects the following levels: the level of network applications and services; the level of banking technological processes and applications.

I did the same with other information security threats.

The result is a table like this.