For managers - what is information security

Information security is the protection of information and its supporting infrastructure from accidental or deliberate influences, natural or man-made, that may cause harm to the owners or users of the information and of that infrastructure. Information security is not limited to protecting the information itself. A party to information relations may suffer losses not only from unauthorized access, but also from a system failure that interrupts customer service.



Information security is understood as a state of the information in which it is impossible for persons without the corresponding right to view, modify or destroy it, and in which leakage through spurious electromagnetic emanations and pickup, or through dedicated interception (or destruction) devices during transfer between computing facilities, is excluded ... Information security also includes protecting information from unintentional destruction (technical failures).



Information protection is the set of measures that ensure the confidentiality and integrity of the information being processed, as well as its availability to users.



Confidentiality: keeping sensitive information secret, with access limited to a narrow circle of users (individuals or organizations).



Integrity: the property that information retains its predetermined form and quality.



Availability: the state in which information is in the form and place the user needs, at the time the user needs it.



The goal of information protection is to minimize the losses to the business caused by violations of the integrity or confidentiality of information, or by its unavailability to its consumers.



That was the official part (the copy-paste from the Internet). Now the unofficial part, from practice.



This article was written for the heads of companies to which the rules of the National Bank of the Republic of Kazakhstan (the regulator) do not apply.



How do most managers (and not only managers) understand "information security"?

What do employers (companies) mean when they post vacancies that mention the phrase "Information Security"?



From practice, most people associate information security with some technical means: a network protection device (firewall), employee monitoring software (so-called DLP, data loss prevention), or antivirus.



These means do relate to information security, but they in no way guarantee the safety of the protected object (the information), its integrity or its availability. Why?



For a very simple reason: ensuring information security is a process, not a device or a piece of software, even though most managers (and not only managers) regard such products as a panacea and as protection in themselves.



Take, for example, a small trading company with 50 users. By users we mean all employees who have access to the company's information system (IS) through any device (computer, laptop, tablet, mobile phone). Access to the IS means any access: to e-mail, to the Internet, to databases, files, etc.



The mentality of managers in our companies (including in our example) is fundamentally different from that in the West: I am the boss, I can do anything, including unlimited Internet access or the ability to install any software on my computer. From the point of view of information security, such a manager is the main threat to that very information security. Why? Because he is not competent in information security and thinks, as mentioned above, that if there is a system administrator, or some expensive device he recently bought on that same administrator's recommendation, then all this MUST provide the information security. I can say that no specialist and no expensive device will save you from what you do yourself with your mail (for example, the mail.ru mailbox so beloved by everyone): the attacker sends you something malicious that is not a virus at all but, for example, a script that gives him access to your IS through your computer. You download the file from your mail.ru mailbox (say it is called "Requirements for the supplier.doc"), and the script runs, naturally without your knowledge.



The attacker thus gains access to your network, quietly expands his activities, and voilà! One "fine" day you suddenly discover (underline as applicable):



  • all your databases are encrypted, and a ransom note has arrived in your mail;
  • all your files are destroyed, and a smiley :) has arrived in your mail;
  • your network simply does not work;
  • your customers' data has been posted on some website;
  • your competitors have learned the real state of your affairs;
  • your real financial results have become public;
  • a supplier presents you with claims under a contract you recently signed (a violation of information integrity): the attacker altered the contract on the eve of signing, after your lawyers, accountants, commercial director and other officials had already checked it and saved it in a folder on the server;
  • a video recording of your corporate party from the surveillance cameras, in which you and your secretary danced on the table in paper-clip underwear, somehow reached your wife;
  • etc.


What losses will the trading company incur because the network is down or because of a data leak? Big ones. The losses include not only the cost of products not shipped to customers, but also the cost of paying staff for the period the IS is idle, electricity, rent, reputational damage, etc. We will keep silent about the surveillance camera recordings (the consequences are hard to predict :).



Many will object that these are all horror stories. The arguments usually go as follows:



  • we have backups;
  • we have a firewall of the latest model, set up by the coolest information security company in the country;
  • we have the most expensive antivirus;
  • we have...


There are countless such arguments, and in the case above none of them guarantees you anything.



Backups



Backup is one of the most basic ways to protect information: its integrity, availability and safety.



But:



  • do you have a backup schedule?
  • are you sure your backups actually work?
  • has your system administrator tested the backups (performed a test restore)?
  • how often are the backups tested?
  • is there a backup at all?


From practice, almost everything on the list above is either absent, or is done only after something has already burned (and even then not for long).
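The questions above are cheap to answer mechanically. The following script is an added example, not part of the original article: it backs up a directory, records a checksum, and performs a test restore into a scratch directory, diffing the result against the source, which is the minimum that turns "we have backups" into a verified statement. It also exercises the failure mode the article warns about, a backup file that exists but is silently corrupted. The directory layout, file names and sample data are constructed for illustration; it assumes POSIX sh with tar, diff and sha256sum (GNU coreutils). In production the archive would go to a separate host or offline medium, never the same disk as the data.

```shell
#!/bin/sh
# Added example (not from the original article). Illustrative paths and data.

# make_backup SRC_DIR DEST_TAR: archive SRC_DIR into DEST_TAR and record its SHA-256
make_backup() {
    _src="$1"; _dest="$2"
    tar -C "$_src" -cf "$_dest" . || return 1
    sha256sum "$_dest" | cut -d' ' -f1 > "$_dest.sha256"
}

# verify_backup DEST_TAR: 0 only if the archive exists and still matches its checksum
verify_backup() {
    _dest="$1"
    [ -f "$_dest" ] && [ -f "$_dest.sha256" ] || return 1
    _expected=$(cat "$_dest.sha256")
    _actual=$(sha256sum "$_dest" | cut -d' ' -f1)
    [ "$_expected" = "$_actual" ]
}

# test_restore DEST_TAR SRC_DIR: restore into a scratch dir and compare with SRC_DIR;
# 0 only if every file comes back byte-for-byte (a checksum alone does not prove that)
test_restore() {
    _dest="$1"; _src="$2"
    _scratch=$(mktemp -d) || return 1
    _rc=1
    if tar -C "$_scratch" -xf "$_dest" 2>/dev/null && diff -r "$_src" "$_scratch" >/dev/null 2>&1; then
        _rc=0
    fi
    rm -rf "$_scratch"
    return $_rc
}

# backup_check SRC_DIR DEST_TAR: what a scheduled job would run and log after each backup.
# Prints one line per check; exit status 0 only if all checks pass.
backup_check() {
    _src="$1"; _dest="$2"
    _ok=0
    if verify_backup "$_dest"; then echo "checksum: OK"; else echo "checksum: FAIL"; _ok=1; fi
    if test_restore "$_dest" "$_src"; then echo "test restore: OK"; else echo "test restore: FAIL"; _ok=1; fi
    return $_ok
}

# demo: constructed sample data. A good backup must pass both checks; an archive that is
# later overwritten with junk (disk error, ransomware, a failed job) must fail both.
demo() {
    _work=$(mktemp -d) || return 1
    mkdir -p "$_work/data/contracts"
    printf 'supplier: ACME\nprice: 100\n' > "$_work/data/contracts/supplier.txt"
    printf 'ledger 2024\n' > "$_work/data/ledger.txt"

    make_backup "$_work/data" "$_work/backup.tar" || return 1
    echo "-- fresh backup --"
    if backup_check "$_work/data" "$_work/backup.tar"; then _good=0; else _good=1; fi

    printf 'corrupted' > "$_work/backup.tar"   # the file is still "there", but useless
    echo "-- corrupted backup --"
    if backup_check "$_work/data" "$_work/backup.tar"; then _bad=0; else _bad=1; fi

    rm -rf "$_work"
    [ "$_good" -eq 0 ] && [ "$_bad" -ne 0 ]
}

demo && echo "backup checks behaved as expected"
```

Run it with `sh backup_check.sh`; in a real job, `backup_check` would run from cron after every backup and its output would be logged and reviewed, which is what "tested" on the list above means in practice.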



Security device (firewall)



The main threat to information, to its confidentiality, integrity and availability (CIA), usually comes from within: disgruntled employees, the aforementioned bosses, accountants (with their infected flash drives that have been to that breeding ground of viruses, the tax office), ordinary employees. Often, to the question "do you have documented procedures for access to the IS", many people answer with a blank look: "what's that?". Or to the question "has the external (and internal) perimeter of the network been checked for security by qualified people": "why?". All of this belongs to the same information security. From practice, most companies have neither the one, nor the other, nor the third, have never done them, or do not know at all why they are necessary (but nevertheless write "information security" in their vacancies).

A firewall is not a panacea. It is a technical tool designed to protect both the external and the internal perimeter of your IS. And regardless of its cost, it will not protect you if it is set up by an amateur. This can be compared with a gun: it may be expensive, but that does not guarantee that an inept shooter (the proverbial bad dancer) will hit the target.



Antivirus



There are as many antiviruses as there are people. Antivirus, as mentioned above, is not a panacea. It is just one of the information security means, and it neither excludes nor replaces proper configuration of operating systems, group policies, access rights, a regulated backup procedure, training and informing users on the basics of information security, and the other measures that strengthen the bastion of information security.



Do you need to hire an employee dedicated to information security, or rush out and buy security devices (firewalls) and antiviruses by the truckload to ensure information security?



No. At the first stage you do not need to buy anything, hire anyone, or take any other rash actions.



Below is a simplified algorithm of the actions needed to build an information security system.



0. Decide how you will build the information security system: as usual (the way everything is done across the entire CIS, half-heartedly and for show: we talked, looked smart at meetings and forgot), or in accordance with generally accepted standards.



If your answer to question 0 is "as usual", there is no need to waste your precious time any further: stop reading.



1. Decide what to protect and why. The document that describes this is usually called the "Information Security Policy". It does not describe specific measures, technical devices, settings or other actions required to protect the information.



2. Make an inventory of the resources (hardware and software) the company has. Requirements for job applicants often list software and equipment: "Kerio FW, Cisco, Mikrotik, Ubuntu, pfsense", etc. Do you seriously think that everything you have in stock will protect you? Quite the opposite.



3. Create and discuss access matrices for the users of the information system (including customers, partners, etc.). An access matrix is a clear document stating who has access to what in the IS, where, and at what level.



4. Create a document governing the backup procedure.



5. Create a document describing all information security means: physical, technical, software, administrative.



6. Prepare and conduct information security training sessions for the company's employees. Hold them quarterly.



7. Ask the responsible employee whether he can run the whole process on his own or whether it requires involving a third party (or hiring an additional employee).



8. Test your IS for penetration (the so-called penetration test).



9. Create or correct the following documents:



  • a plan for restoring the IS (information system) after a failure (equipment, man-made or natural disaster, other damage);
  • anti-virus protection regulations;
  • a document regulating the backup procedure and the testing of backups;
  • a document regulating the monitoring and restoration of databases (if any);
  • , ;
  • , ;
  • , ( );
  • ( );
  • , (WiFi) ;
  • , ;
  • ( );
  • , ;
  • ( ).


10. Monitor and adjust the procedures and regulations monthly, in line with the external and internal situation.



11. Smile. The devil is not as black as he is painted if you have a well-structured, transparent, understandable and manageable information system. Understandable to you (the manager), to your users (employees), and hopefully to your system administrator.



Take care of yourself.


