
What counts as an information security threat. Types and features of threats to the security of information resources. Examples of information security threats

The main types of threats to the security of information systems are:

Deliberate actions of violators and intruders (disgruntled personnel, criminals, spies, saboteurs, etc.).

Security threats can be classified according to various criteria:

1. According to the results of the action:

1) the threat of leakage;

2) threat of modification;

3) the threat of loss.

2. By the nature of their origin:

· Unintentional;

· Deliberate.

Accidental (unintentional) threats may arise as a result of:

Natural disasters and accidents (flood, hurricane, earthquake, fire, etc.);

Failures and malfunctions of the equipment (technical means) of the AITU;

Consequences of errors in the design and development of AIS components (hardware, information processing technology, programs, data structures, etc.);

Operational errors (by users, operators and other personnel).

The main causes of unintentional, man-made threats to an AIS are:

· Inattention;

· Violation of the regulations and ignoring the restrictions set in the system;

· Incompetence;

· Negligence.

Examples of threats:

1) unintentional actions leading to partial or complete failure of the system or to destruction of its hardware, software or information resources (unintentional damage to equipment, deletion or corruption of files containing important information or programs, including system ones, etc.);

2) unauthorized switching-on of equipment, or changing the operating modes of devices and programs;

3) unintentional damage to information media;

4) illegal introduction and use of unaccounted-for programs (games, educational, technological, etc., not needed by the violator to perform official duties) with subsequent unreasonable waste of resources (CPU load, seizure of random access memory and of space on external media);

6) infection of the computer with viruses;

7) careless actions leading to the disclosure of confidential information or making it publicly available;

8) disclosure, transmission or loss of access control attributes (passwords, encryption keys, identification cards, passes, etc.);

9) ignoring organizational constraints (established rules) when working in the system;

10) logging in while bypassing security controls (loading a foreign operating system from removable magnetic media, etc.);

11) incompetent use, configuration or unauthorized disabling of protection means by security personnel;

12) sending data to the wrong subscriber (device) address;

13) input of erroneous data;

14) unintentional damage to communication channels.

Deliberate threats are AIS threats caused by human activity and associated with the self-interested aims of people (intruders).

Sources of threats in relation to the information system can be external or internal.

Unfortunately, the realization of either kind of threat leads to the same consequences: loss of information, violation of its confidentiality, or its modification.

The main deliberate threats are usually aimed at:

· deliberate disorganization of the system and putting it out of action;

· penetrating the system and gaining unauthorized access to information in order to use it for personal gain.

Intentional threats, in turn, can be subdivided into:

1. Active and passive.

Passive threats are mainly aimed at unauthorized use of information resources and do not entail damage to or destruction of information.

A variety of methods are used to implement them:

a) the use of eavesdropping devices, remote photo and video recording, theft of media, etc.;

b) theft of information carriers (magnetic disks, tapes, memory chips, storage devices and personal computers);

c) interception of data transmitted through communication channels and its analysis in order to learn the exchange protocols and the rules for establishing a connection and authorizing the user, followed by attempts to imitate them in order to penetrate the system;

d) reading residual information from random access memory and from external storage devices (for example, a printer's memory buffer);

e) reading information from areas of RAM used by the operating system (including the protection subsystem);

f) illegal acquisition of passwords and other access control details (through agents, by exploiting the negligence of users, by guessing, by imitating the system interface, etc.), followed by impersonation of a registered user ("masquerade").

Active threats are a violation of the normal functioning of the system by a targeted impact on its components.

Implementation methods:

A) failure of a PC or operating system;

B) disruption of communication channels;

C) hacking the security system;

D) the use of software viruses, etc.

2. Internal and external threats.

Internal violators (insiders) can be persons from the following categories of personnel:

§ auxiliary and service personnel (operators, electricians, technicians) of the system;

§ employees of software development and maintenance departments (application and system programmers);

§ employees of the AITU security service;

§ managers at various levels of the job hierarchy.

According to research carried out at the BIS, more than 80% of violations are committed by bank employees.

Outsiders who may act as external violators:

§ clients (representatives of organizations, citizens);

§ visitors (invited for any reason);

§ representatives of organizations interacting on issues of supporting the organization's operations (energy, water, heat supply, etc.);

§ representatives of competing organizations (foreign special services) or persons acting on their behalf.

2. Methods and means of protection

A protection system is a set (complex) of special measures of a legal (legislative) and administrative nature, organizational measures, physical and technical (software and hardware) protection means, as well as special personnel, intended to ensure the security of information, information technology and the automated system as a whole.

In international and Russian practice, standards are used to assess the security level of computer systems. In the United States, the document containing these standards is called the Orange Book (1985). It provides the following levels of system security:

· Highest class - A;

· Intermediate class - B;

· Low level - C;

· The class of systems that did not pass the tests - D.

In Russian practice, the State Technical Commission under the President of the Russian Federation has developed a guidance document providing for 7 protection classes for computing equipment (SVT) against unauthorized access. The protective measures cover the following subsystems:

· Access control;

· Registration and accounting;

· Cryptographic;

· Ensuring integrity;

· Legislative measures;

· Physical measures.

Methods and means of information security are shown in Fig. 2. Let us consider the main content of the presented information protection methods, which form the basis of protection mechanisms.

The sources of internal threats are:

1. Employees of the organization.

2. Software.

3. Hardware.

Internal threats can manifest themselves in the following forms:

Errors of users and system administrators;

Violations by the company's employees of the established regulations for the collection, processing, transfer and destruction of information;

Errors in the software;

Failures and malfunctions of computer equipment.

External sources of threats include:

1. Computer viruses and malware.

2. Organizations and individuals.

3. Natural disasters.

The forms of manifestation of external threats are:

Infection of computers with viruses or malware;

Unauthorized access (NSD) to corporate information;

Information monitoring by competing structures, intelligence and special services;

Actions of government agencies and services, accompanied by the collection, modification, seizure and destruction of information;

Accidents, fires, man-made disasters, natural disasters.

All of the above types of threats (forms of manifestation) can be divided into deliberate and unintentional. According to the Computer Security Institute (CSI), over 50% of intrusions are the work of companies' own employees. Regarding the frequency of intrusions, 21% of those surveyed indicated that they had experienced recurring "attacks". Unauthorized alteration of data was the most common form of attack and was mainly used against medical and financial institutions. Over 50% of respondents view competitors as a likely source of "attacks". The respondents attach the greatest importance to eavesdropping, penetration into information systems and "attacks" in which the "attackers" falsify the return address in order to redirect the search to innocent individuals. These attackers are most often disgruntled employees and competitors.

By the method of impact, threats to information security objects are classified as informational, software, physical, radio-electronic, and organizational and legal.

Informational threats include:

Unauthorized access to information resources;

Illegal copying of data in information systems;

Theft of information from libraries, archives, banks and databases;

Violation of information processing technology;

Illegal collection and use of information;

Use of information weapons.

Software threats include:

Exploiting bugs and "holes" in software;

Computer viruses and malware;

Installation of "embedded" (implanted) devices.

Physical threats include:

Destruction of or damage to information processing and communication facilities;

Theft of information carriers;

Theft of software or hardware keys and means of cryptographic data protection;

Effects on personnel.

Radio-electronic threats include:

Implanting electronic devices for intercepting information in technical facilities and premises;

Interception, decryption, substitution and destruction of information in communication channels.

Organizational and legal threats include:

Violation of legal requirements and delays in adopting the necessary regulatory decisions in the information sphere;

Procurement of imperfect or outdated information technologies and informatization tools.

To protect the interests of subjects of information relations, it is necessary to combine measures at the following levels:

1) the legislative level (laws, regulations, standards, etc.). The legislative level is the most important for ensuring information security. Measures at this level include regulation, by laws and other normative acts, of actions involving information and equipment, and the establishment of liability for violating the correctness of such actions. This issue is discussed in more detail in other chapters.

2) the administrative level (actions of a general nature taken by the organization's management). The main purpose of measures at the administrative level is to form a program of work in the field of information security and to ensure its implementation by allocating the necessary resources and monitoring the state of affairs. The core of the program is a security policy that reflects the organization's approach to protecting its information assets. The management of each organization must recognize the need to maintain a security regime and allocate significant resources for this purpose.

3) the procedural level (specific security measures targeted at people).

Measures at this level include:

Measures carried out in the design, construction and equipment of computing centers and other objects of data processing systems;

Measures for the development of rules for user access to system resources (development of a security policy);

Activities carried out in the selection and training of personnel serving the system;

Organization of security and the regime of access to the system;

Organization of accounting, storage, use and destruction of documents and information carriers;

Distribution of access control details;

Organization of explicit and covert control over the work of users;

Activities carried out during the design, development, repair and modification of equipment and software.

4) the software and hardware level (technical measures).

The protection means at this level are based on the use of special programs and equipment that perform (independently or in combination with other means) the following protection functions:

User identification and authentication;

Differentiation of access to resources;

Registration of events;

Cryptographic transformations;

System integrity check;

Checking for the absence of malware;

Software protection of transmitted information and communication channels;

System protection from the presence and appearance of unwanted information;

Creation of physical obstacles in the way of penetration of intruders;

Monitoring and signaling compliance with the correct operation of the system;

Creation of backups of valuable information.

Threats arise from the contradictions of the economic interests of various elements interacting both inside and outside the socio-economic system, including in the information sphere. They determine the content and directions of activities to ensure general and information security. It should be noted that the analysis of the problems of economic security must be carried out, taking into account the interconnection of economic contradictions, threats and losses, which can result from the implementation of threats. This analysis leads to the following chain:

<threat source (external and/or internal environment of the enterprise)>

<risk zone (the enterprise's sphere of economic activity, the ways it is carried out, material and information resources)>

<factor (degree of vulnerability of data, information, software, computer and telecommunication devices, material and financial resources, personnel)>

<threat (type, magnitude, direction)>

<possibility of its realization (preconditions, target, mode of action, speed and time interval of action)>

<consequences (material damage, moral harm, extent of the damage and harm, possibility of compensation)>.

The threat is usually identified either with the nature (type, method) of a destabilizing effect on material objects, software or information, or with the consequences (results) of such an impact.

From a legal point of view, the concept of threat is strictly related to the legal category of damage, which the Civil Code of the Russian Federation (Part I, Art. 15) defines as "actual costs incurred by the subject as a result of violation of his rights (for example, theft, disclosure or use of confidential information by the violator), loss or damage to property, as well as expenses that he will have to make to restore the violated right and the value of the damaged or lost property."

Analysis of the negative consequences of the emergence and implementation of threats involves the mandatory identification of possible sources of threats, vulnerabilities that contribute to their manifestation and methods of implementation. In this regard, threats to economic and information security must be classified in order to most fully and adequately carry out the specified identification: by the source of the threat, by the nature of occurrence, by the likelihood of implementation, in relation to the type of human activity, by the object of encroachment, by the consequences, by forecasting capabilities.

Threats can be classified according to several criteria:

  • on the most important components of information security (availability, integrity, confidentiality), against which threats are directed in the first place;
  • by the components of information systems and technologies (data, hardware and software systems, networks, supporting infrastructure), which are directly targeted by threats;
  • by the method of implementation (accidental or deliberate actions, events of a man-made or natural scale);
  • to localize the source of threats (outside or inside information technology or system).

One of the possible threat classification models is shown in Fig. 2.1 [Vikhorev, S., Kobtsev R., 2002].

Fig. 2.1.

During the analysis, it is necessary to make sure that most of the possible sources of threats and vulnerabilities are identified and compared with each other, and methods for their neutralization and elimination are compared to all identified sources of threats and vulnerabilities.

This classification can serve as a basis for developing a methodology for assessing the relevance of a particular threat, and once the most relevant threats are identified, measures can be taken to select methods and means to prevent or neutralize them.

When actual threats are identified, the expert-analytical method determines the objects of protection that are exposed to a particular threat, the characteristic sources of these threats and vulnerabilities that contribute to the implementation of threats.

Based on the analysis, a matrix of interconnection of sources of threats and vulnerabilities is compiled, from which the possible consequences of the implementation of threats (attacks) are determined and the coefficient of significance (degree of danger) of these attacks is calculated as the product of the hazard coefficients of the corresponding threats and sources of threats defined earlier.

One of the possible algorithms for carrying out such an analysis, which is easily formalized and algorithmized, is shown in Fig. 2.2.

Fig. 2.2.

Thanks to this approach, it is possible:

  • set the priorities of security objectives for the subject of the relationship;
  • determine the list of actual sources of threats;
  • determine the list of current vulnerabilities;
  • assess the relationship of vulnerabilities, sources of threats, the possibility of their implementation;
  • determine the list of possible attacks on the object;
  • develop scenarios of possible attacks;
  • describe the possible consequences of the implementation of threats;
  • to develop a set of protective measures and a management system for the economic and information security of the enterprise.
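The matrix and the significance calculation described in the preceding paragraphs, as an added example that is not part of the article: the sources, threats, vulnerabilities and hazard coefficients are constructed sample values, and the threshold used to call an attack "actual" is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Source:
    name: str
    hazard: float  # expert hazard coefficient of the source, in (0, 1]


@dataclass(frozen=True)
class Threat:
    name: str
    hazard: float  # expert hazard coefficient of the threat, in (0, 1]
    objects: tuple  # protection objects the threat is directed against
    consequence: str  # expected result if the threat is realised


@dataclass(frozen=True)
class Vulnerability:
    """A weakness that lets the listed sources realise the listed threats."""
    name: str
    sources: frozenset
    threats: frozenset


@dataclass(frozen=True)
class Attack:
    source: str
    vulnerability: str
    threat: str
    significance: float
    objects: tuple
    consequence: str


def build_matrix(sources, threats, vulns):
    """An attack exists wherever a vulnerability links a source to a threat;
    its significance is the product of the two hazard coefficients."""
    by_src = {s.name: s for s in sources}
    by_thr = {t.name: t for t in threats}
    attacks = []
    for v in vulns:
        for s_name in sorted(v.sources):
            for t_name in sorted(v.threats):
                s, t = by_src[s_name], by_thr[t_name]
                attacks.append(Attack(s.name, v.name, t.name,
                                      round(s.hazard * t.hazard, 4),
                                      t.objects, t.consequence))
    return sorted(attacks, key=lambda a: a.significance, reverse=True)


def actual_attacks(attacks, threshold):
    """Attacks whose significance reaches the threshold: the 'actual'
    threats for which countermeasures are then selected (threshold assumed)."""
    return [a for a in attacks if a.significance >= threshold]


def actual_items(attacks):
    """Sorted lists of the sources and vulnerabilities behind the attacks."""
    return (sorted({a.source for a in attacks}),
            sorted({a.vulnerability for a in attacks}))


def object_priorities(attacks):
    """Summed significance of the attacks reaching each object, highest first."""
    totals = defaultdict(float)
    for a in attacks:
        for obj in a.objects:
            totals[obj] += a.significance
    return sorted(((o, round(v, 4)) for o, v in totals.items()),
                  key=lambda ov: ov[1], reverse=True)


# Constructed sample data; the hazard coefficients are illustrative only.
SOURCES = (
    Source("disgruntled employee", 0.6),
    Source("competitor", 0.4),
    Source("power failure", 0.3),
)
THREATS = (
    Threat("unauthorized access to confidential data", 0.9,
           ("customer database",), "breach of confidentiality"),
    Threat("data destruction", 0.7,
           ("customer database", "backups"), "loss of information"),
    Threat("service outage", 0.5, ("web portal",), "loss of availability"),
)
VULNS = (
    Vulnerability("dismissed employee's account not revoked",
                  frozenset({"disgruntled employee"}),
                  frozenset({"unauthorized access to confidential data",
                             "data destruction"})),
    Vulnerability("unencrypted communication channel",
                  frozenset({"competitor"}),
                  frozenset({"unauthorized access to confidential data"})),
    Vulnerability("no uninterruptible power supply",
                  frozenset({"power failure"}), frozenset({"service outage"})),
)
```

Calling build_matrix(SOURCES, THREATS, VULNS) returns the attacks ranked by significance; object_priorities() then yields the ordering of protection objectives that the list above begins with.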

It was noted above that the most frequent and most dangerous (in terms of the amount of damage) threats are the unintentional mistakes of staff: users, operators, system administrators and other persons maintaining information systems. Sometimes such errors are threats in themselves (incorrectly entered data, or an error in a program that caused a system crash); sometimes they create vulnerabilities that can be exploited by attackers (these are usually administrative errors). According to some reports, up to 65% of losses occur due to unintentional mistakes committed through carelessness, negligence or inadequate training of personnel.

Typically, users can be sources of the following threats:

  • intentional (planting a logic bomb that will eventually destroy the software kernel or applications) or unintentional loss or corruption of data and information, "hacking" of the administration system, theft of data and passwords and their transfer to unauthorized persons, etc.;
  • the user's unwillingness to work with the information system (most often it manifests itself when it is necessary to master new capabilities or when there is a discrepancy between user requests and actual capabilities, and technical characteristics) and deliberate disabling of its hardware and software devices;
  • inability to work with the system due to lack of appropriate training (lack of general computer literacy, inability to interpret diagnostic messages, inability to work with documentation, etc.).

It is obvious that an effective method of dealing with unintentional errors is maximum automation and standardization of information processes, the use of "fool-proof" devices, and regulation and strict control of user actions. It is also necessary to ensure that when an employee is dismissed, his access rights (logical and physical) to information resources are revoked.

The main sources of internal system failures are:

  • inability to work with the system due to lack of technical support (incomplete documentation, lack of reference information, etc.);
  • deviation (accidental or deliberate) from the established operating rules;
  • the system leaving its normal operating mode due to accidental or deliberate actions of users or service personnel (exceeding the estimated number of requests, an excessive amount of processed information, etc.);
  • system configuration errors;
  • software and hardware failures;
  • data destruction;
  • destruction or damage to equipment.

In relation to the supporting infrastructure, it is recommended to consider the following threats:

  • disruption (accidental or intentional) of communication systems, power supply, water and / or heat supply, air conditioning;
  • destruction or damage to premises;
  • the inability or unwillingness of the service personnel and / or users to fulfill their duties (civil unrest, transport accidents, terrorist act or its threat, strike, etc.).

Natural disasters (floods, earthquakes, hurricanes) and events resulting from man-made disasters (fires, explosions, building collapses, etc.) are, of course, dangerous. According to statistics, fire, water and similar "intruders" (among which the most dangerous is power failure) account for 13-15% of the losses suffered by production information systems and resources.

The results of the assessment and analysis can be used in the selection of adequate optimal methods of countering threats, as well as in the audit of the real state of information security of the object.

To create an optimal information security system of an enterprise, it is necessary to correctly assess the situation, identify possible risks, develop a security concept and policy, on the basis of which the system model is built and the appropriate implementation and functioning mechanisms are developed.

Viruses

Viruses are programs that can add malicious code to programs installed on the computer. This process is called infection.

The main purpose of the virus is to spread. In the process of spreading, viruses can delete files and even the operating system, spoil the structure of data placement, and block users' work.

Worms

Worms are malicious programs that use network resources to spread. The name of this class was given based on the ability of worms to "crawl" from computer to computer using networks, email and other information channels.

Worms have a very high rate of spread. They penetrate the computer, determine the network addresses of other computers and send copies of themselves to those addresses. Worms can also use the address book data of mail clients.

Representatives of this class of malicious programs sometimes create working files on system disks, but may not access computer resources at all, except for RAM.

Worms spread faster than viruses.

Trojans

Trojans are programs that perform actions unauthorized by the user on affected computers. For example, they destroy information on disks, cause the system to freeze, steal confidential information, and the like.

This class of malware is not a virus in the traditional sense of the term, that is, it does not infect other programs or data. Trojans are unable to penetrate computers on their own and are distributed by cybercriminals under the guise of "useful" software. At the same time, the harm they cause can be many times greater than the losses from a traditional virus attack.

Spyware

Spyware is software that allows information to be collected about an individual user or organization without their knowledge. You may not even be aware of the presence of spyware on your computer. Typically, the targets of spyware are:

  • Tracking user actions on the computer.
  • Collecting information about the contents of the hard disk. In this case, this means scanning certain directories and the system registry in order to compile a list of the software installed on the computer.
  • Collecting information about the quality of the connection, the connection method, modem speed, and so on.

However, these programs are not limited to collecting information; they pose a real security threat. At least two well-known programs, Gator and eZula, allow an attacker not only to collect information but also to control someone else's computer.

Another example of spyware is software that plugs into your computer's browser and redirects traffic. You may have come across similar programs if, when requesting one site, another opened.

Phishing

Phishing is a type of Internet fraud, the purpose of which is to gain access to usernames and passwords.

To obtain user data, the attacker creates an exact copy of the Internet banking website and composes a letter that is as similar as possible to a real letter from the selected bank. In the letter, the attacker disguised as a bank employee asks the user to confirm or change his credentials and provides a link to a fake Internet bank website. The purpose of such an email is to force the user to click on the link provided and enter their details.

For more information about phishing, see the Kaspersky Lab Encyclopedia. For information on protection against spam and phishing, see Kaspersky Lab.

Rootkits

Rootkits are utilities used to hide malicious activity. They mask malware to avoid detection by antivirus software.

Rootkits can also modify the operating system on a computer and replace its basic functions in order to hide their own presence and actions that an attacker takes on an infected computer.

Encryptors (ransomware)

Encryptors are programs that, once they get onto a computer, encrypt valuable files (documents, photographs, game saves, databases, and so on) in such a way that they cannot be opened. That is, the user will no longer be able to use the encrypted files, and the creators of the ransomware demand a ransom for decryption.

Miners

Miner programs are programs that, without the user's knowledge, connect his device to the mining process. In effect, the device becomes part of a distributed network whose computing power is used to mine some cryptocurrency at the expense of the device's owner.

In most cases, the miner gets onto the computer by means of a specially created malicious program, a so-called dropper, whose main function is to covertly install other software. Such programs are usually disguised as pirated versions of licensed products or as activation-key generators, which users look for, for example, on file-hosting services and knowingly download.

Hoaxes

Hoaxes are programs that show false information to the user. The main purpose of such programs is to force the user to pay for an imposed program or service. They do not cause direct harm to the computer, but they display messages claiming that such harm has already been done or will be done. In other words, they warn the user about a hazard that does not actually exist.

Hoaxes include, for example, programs that scare the user with messages about a large number of registry errors found, outdated drivers, and the like. Their goal is to get a reward from the user for detecting and correcting non-existent errors.

Spam

Spam is mass mailing of an unwanted nature. Spam includes, for example, mailings of a political or agitational nature and the like, as well as mailings:

  • with offers to cash out a large amount of money;
  • drawing the recipient into financial pyramids;
  • designed to steal passwords and credit card numbers;
  • asking to be forwarded to friends, for example, chain letters ("letters of happiness").

Spam significantly increases the load on mail servers and increases the risk of losing information important to the user.

Other dangerous programs

Various programs designed to create other malicious programs, organize DoS attacks on remote servers, and break into other computers. These include hack tools, virus constructors, and the like.

Information security is the protection of information from accidental or deliberate influences of a natural or artificial nature that may harm its owner or user.

Basic principles of information security

1. Data integrity is the property by which information retains its content and structure during transmission and storage. Only an authorized user can create, destroy or modify data.

2. Confidentiality is the property that indicates the need to restrict access to specific information to a designated circle of persons. Thus, confidentiality guarantees that, during data transmission, the data can be known only to authorized users.

3. Availability of information is the property that characterizes the ability to provide timely and unimpeded access to the required information for authorized users.

4. Credibility is the principle expressed in the strict attribution of information to the subject that is its source or from which it was received.

The task of ensuring information security implies the implementation of multifaceted and comprehensive measures to prevent and track unauthorized access by unauthorized persons, as well as actions to prevent unauthorized use, damage, distortion, copying, blocking of information.

Information security issues become top priority in cases where failure or the occurrence of an error in a particular computer system can lead to serious consequences.

Types of information security threats

An information security threat is customarily understood as a potentially possible action, phenomenon or process that can have an undesirable effect on the system or on the information stored in it.

Such threats, affecting resources, can lead to data corruption, copying, unauthorized distribution, restriction or blocking of access to them. Currently, a fairly large number of threats are known, which are classified according to various criteria.

By the nature of occurrence, they distinguish natural and artificial threats. The first group includes those that are caused by the impact on the computer system of objective physical processes or natural phenomena. The second group - those threats that are caused by human activity.

By the degree of intentionality of their manifestation, threats are divided into random and deliberate.

There is also a division according to the immediate source, which can be the natural environment (for example, natural disasters), a person (disclosure of confidential data), or software and hardware, whether authorized (an error in the operating system) or unauthorized (infecting the system with viruses).

The source of threats can be in different locations. Depending on this factor, three groups are also distinguished:

- threats whose source is outside the controlled area of the computer system (for example, interception of data transmitted through communication channels);

- threats whose source is within the controlled area of the system (for example, theft of information carriers);

- threats whose source is directly in the system itself (for example, incorrect use of resources).

Threats can affect a computer system in different ways. There can be passive impacts, whose implementation does not entail a change in the data structure (for example, copying). Active threats are those that, on the contrary, change the structure and content of the computer system (the introduction of special programs).

Consistent with the division of threats by the stage of user or program access to system resources, there are dangers that appear at the stage of access to the computer and those that are detected after access has been granted (unauthorized use of resources).

Classification by location in the system implies division into three groups: threats of access to information located on external storage devices, in random access memory, and to information circulating in communication lines.

Threats can use a direct, standard path to resources, using illegally obtained passwords or the misuse of legitimate users' terminals, or they can "bypass" the existing means of protection in some other way.

Actions such as stealing information are classified as threats that manifest themselves regardless of the activity of the system. And, for example, the spread of viruses can only be detected during data processing.

Random, or unintentional, threats are those that are not associated with the actions of intruders. The mechanism of their implementation has been studied well enough, so developed methods of counteraction exist.

Accidents and natural disasters pose a particular danger to computer systems, as they entail the most serious consequences. Due to the physical destruction of systems, information becomes inaccessible or is lost. In addition, it is impossible to completely avoid or prevent failures and malfunctions in complex systems, as a result of which, as a rule, the information stored on them is distorted or destroyed and the operating algorithm of technical devices is disrupted.

Errors that can be made in the process of developing a computer system, including incorrect algorithms of work and incorrect software, can lead to consequences that are similar to those that occur when technical means fail and fail. Moreover, such errors can be used by cybercriminals to influence system resources.

User errors lead to a weakening of information security in 65% of cases. Incompetent, negligent or inattentive performance of functional duties by employees at enterprises leads to the destruction, violation of the integrity and confidentiality of information.

There are also deliberate threats, which are associated with the deliberate actions of the offender. The study of this class is difficult, since it has a very dynamic nature and is constantly updated with new types of threats.

To penetrate a computer system with the aim of further theft or destruction of information, such methods and means of espionage are used as wiretapping, theft of programs, security attributes, documents and information carriers, visual observation and others.

In case of unauthorized access to data, standard hardware and software of computer systems are usually used, as a result of which the established rules for delimiting user or process access to information resources are violated. The most common violations are interception of passwords (carried out using specially designed programs), performing any actions under the name of another person, as well as using the privileges of legitimate users by an attacker.

Special malware

"Computer viruses" are small programs that can spread on their own after being introduced into a computer, by creating copies of themselves. Under certain conditions, viruses have a negative effect on the system;

"Worms" are utilities that are activated every time the computer boots. They have the ability to move within a system or network and replicate in a manner similar to viruses. The avalanche-like multiplication of these programs leads to overloading of communication channels and memory, and then to blocking of work;

"Trojan horses" are programs that "hide" under the guise of a useful application but in fact harm the computer: they destroy software, copy and send files with confidential information to the attacker, etc.
