How to ensure the protection of personal data in the company. Improving the personal data protection system of Alfa Bank JSC Audit of the current situation in the company

Marina Prokhorova, editor of the magazine "Personal data"

Natalia Samoilova, Lawyer at InfoTechnoProject

The regulatory framework that has developed to date in the field of personal data processing, the documents that have yet to be adopted for more efficient organization of personal data protection in organizations, the technical aspects of preparing the information systems of personal data operators: these are the topics that have recently been covered in many newspaper and journal publications on the subject of personal data. In this article, I would like to dwell on one aspect of the organization of the work of banking and credit institutions, namely the "non-technical" protection of the personal data processed in these organizations.

Let's start with a concrete example

We are talking about the judicial review of the case on the protection of personal data, initiated against Sberbank in June 2008. The essence of the trial was as follows. A guarantee agreement was concluded between the citizen and the bank, according to which the citizen assumed the obligation to be responsible to the bank for the fulfillment by the borrower of obligations under the loan agreement. The latter did not fulfill its obligations within the period established by the loan agreement, information about the guarantor as an unreliable client was entered into the Stop-List automated information system of the bank, which, in turn, was the basis for refusing to grant him a loan. At the same time, the bank did not even notify the citizen about the improper fulfillment by the borrower of his obligations under the loan agreement. In addition, the guarantee agreement did not indicate that in the event of improper fulfillment by the borrower of its obligations, the bank has the right to enter information about the guarantor into the Stop List information system. Thus, the bank processed the citizen's personal data by including information about him in the Stop List information system without his consent, which violates the requirements of Part 1 of Art. 9 of the Federal Law No. 152-FZ of July 27, 2006 "On Personal Data", according to which the subject of personal data decides to provide his personal data and consents to their processing by his own will and in his own interest. In addition, in the manner prescribed by Part 1 of Art. 14 of the same law, a citizen applied to the bank with a demand to provide him with the opportunity to familiarize himself with the information entered about him in the Stop List information system, as well as to block this information and destroy it. The bank refused to meet the requirements of the citizen.

Based on the results of the consideration of the case, the Leninsky District Court of Vladivostok satisfied the claims of the Office of Roskomnadzor for the Primorsky Territory against Sberbank of Russia for the protection of violated rights of a citizen and ordered the bank to destroy information about the citizen from the Stop List information system.

Why is this example significant? Banks, which store the personal data of a significant number of their customers, do not hesitate to move them from one database to another, most often without informing the subject of the personal data, let alone obtaining his consent to such actions with his personal data. Of course, banking activity has a number of features, and the personal data of customers are often used not only to fulfill the agreements concluded by the bank, but also to let the bank control the fulfillment by the client of his obligations; but this means that any such manipulation of personal data already requires the consent of its subject.

Difficulties in interpreting provisions

Why not make any operations with personal data legal? Of course, this will most likely require the involvement of third-party specialists, since even lawyers from the legal departments of large banks are first-class professionals only in a certain area, and they have to get acquainted with the specifics of working in the field of personal data practically from scratch. So the best way out is to involve companies specializing in the provision of services for organizing work with personal data, including those capable of auditing the compliance of your non-technical protection measures with the requirements of the legislator, to work on organizing a personal data protection system.

The results of analytical studies allow us to conclude which provisions of the Federal Law No. 152-FZ "On Personal Data" cause the greatest difficulty in interpretation.

In accordance with part 1 of Article 22 of this regulatory document, the operator is obliged to notify the authorized body of the processing of personal data. Among the exceptions is the case when the processed personal data was obtained in connection with the conclusion of an agreement to which the subject of personal data is a party ... and is used by the operator solely to fulfill the said agreement on the basis of paragraph 2 of part 2 of Article 22 of Federal Law No. 152-FZ "On personal data". Based on this particular provision, some banks do not submit a notification on the processing of personal data, and many do not consider themselves operators, which is fundamentally wrong.

Another common mistake of banks, as personal data operators, related to the contract is as follows. According to Art. 6 of the above law, the processing of personal data may be carried out by the operator with the consent of the subjects of personal data, with the exception of certain cases, among them processing carried out in order to fulfill a contract to which the subject of personal data is a party. Therefore, many banking institutions justify not obtaining the consent of the subject of personal data precisely by the fact of concluding such an agreement.

But let's think about it, doesn't the bank, being an operator, use the subject's personal data obtained at the conclusion of the contract, for example, to send notifications about new services, to maintain "Stop-lists"? This means that the processing of personal data is carried out not only for the purpose of fulfilling the contract, but also for other purposes, the achievement of which is of commercial interest to banks, therefore:

  • banks are required to submit a notification on the processing of personal data to the authorized body;
  • banks should process personal data only with the consent of the subject.

And this means that banks must organize a system for working with the personal data of their customers, that is, ensure non-technical protection of such data.

Written consent to the processing of personal data

As for the consent of the subject of personal data to the processing of personal data, Federal Law No. 152-FZ "On Personal Data" obliges operators to obtain written consent to the processing of personal data only in cases specified by law. At the same time, in accordance with Part 3 of Art. 9, the obligation to prove the consent of the subject to the processing of his personal data rests with the operator. In order not to waste time, if necessary, on collecting such evidence (for example, searching for witnesses), in our opinion, it is better in any case to obtain consent from the subjects in writing.

Here is another argument for written consent to the processing of personal data. The activity of banks often involves the transfer of data (including personal data) to the territory of a foreign state. On this point, part 1 of Art. 12 of the Federal Law No. 152-FZ "On Personal Data" states that before the start of a cross-border transfer of personal data, the operator is obliged to make sure that the foreign state to whose territory the personal data are transferred provides adequate protection of the rights of subjects of personal data. If such protection is not provided, cross-border transfer of personal data is possible only with the written consent of the subject of personal data. It can be assumed that it is easier for a bank employee to obtain the client's written consent to the processing of personal data than to establish the degree of adequacy of their protection in a foreign country.

We draw your attention to the fact that the information that must be contained in the written consent is listed in Part 4 of Art. 9 of the aforementioned Federal Law, and this list is exhaustive. And the signature under the phrase, for example, in a loan agreement: "I agree to the use of my personal data", according to Federal Law No. 152-FZ "On Personal Data", is not consent to their processing!

It would seem that there are only a few points of the law, but how many complications, up to litigation, can be caused by their misinterpretation. In addition, today, when the personal data of subjects often become a commodity in the competitive struggle of various structures, the successful solution of the issues of their protection, ensuring the security of information systems of banking and credit institutions becomes the key to maintaining the reputation, the good name of any organization.

Every day, citizens are becoming more aware of the possible negative consequences of the dissemination of their personal data, which is facilitated by the emergence of specialized publications. There are also information resources of various companies. Some of them cover the entire wide range of issues related to the concept of "information security", others are devoted to reviews of measures and means of technical protection, and others, on the contrary, focus on the problems associated with non-technical protection. In other words, information on the protection of personal data is becoming more and more accessible, which means that citizens will be more savvy in the field of protecting their rights.


Khlestova Daria Robertovna

Email: [email protected]

FEATURES OF PROTECTION OF PERSONAL DATA IN THE BANKING SECTOR

Abstract

This article discusses the features of protecting the client's personal data in the banking sector. A number of legal acts are listed, on the basis of which the system for processing and protecting personal data in the bank should be built. A list of measures for organizing data security in banking institutions has been highlighted.

Keywords

Personal data, security in banks, information security, protection of personal information

The protection of personal data in the age of information technology has become especially relevant. There are more and more cases when attackers gain access to any confidential information by attacking the information systems of organizations. Undoubtedly, the attacks do not bypass the banking sector. Since banking systems contain a large number of personal data of customers, their security should be under the close attention of the state and the owners of financial institutions themselves.

To begin with, it is worth figuring out what kind of personal data of a person can become available to the bank if he becomes its client. The following are mandatory: surname, name and patronymic; date and place of birth; citizenship; place of registration and actual residence; all passport data (series, number, when and by whom the document was issued); mobile and home phone number; place of work and position. In most cases, institutions ask a person for additional information, but even without it, the list of data that a person entrusts to the bank turns out to be impressive. Of course, the client hopes that his personal data will be reliably protected during processing and storage.

In order for financial institutions to be able to qualitatively organize a system for processing and protecting personal data, it is necessary to designate the list of legal acts that a bank should rely on when working with the personal data of clients: the Constitution of the Russian Federation, the most important document of the country; the Labor Code of the Russian Federation; the Civil Code and the Criminal Code of the Russian Federation; Federal Law No. 152 "On Personal Data"; Federal Law No. 149 "On Information, Information Technologies and Information Protection"; Federal Law No. 395-1 "On Banks and Banking Activities". Also, when creating a system for processing and storing personal data, banks create a number of local documents that provide additional control over working with data.

When receiving personal data from a client, a banking organization assumes the obligation to carry out all organizational and technical measures to protect the information entrusted to it from unauthorized access (accidental or intentional), blocking, modification, destruction and other illegal actions. It is worth highlighting a number of measures for the qualitative organization of the processing and protection of personal data in banks: the appointment of those responsible for processing and ensuring the security of data in the bank's information system; implementation of control measures and familiarization of employees with the relevant regulatory framework and internal documents on which the bank's data security system is based; identification of threats in the processing of personal data in the bank and measures to counter them; evaluation of the effectiveness of the applied organizational and technical measures to ensure data protection, before the introduction of the protection system into operation; accounting of all machine carriers of personal data; establishing rules for access to the processing and protection system for employees; in case of detection of unauthorized access to protected data, taking measures to eliminate the threat and restore lost data. And a mandatory measure for banks with a functioning system for storing and protecting client personal data is constant monitoring and improvement of the security system.

Thus, it is worth noting that the processing, storage and protection of personal data in banks should be carried out on the basis of the conditions determined by the regulatory framework of the Russian Federation. Each financial institution must: observe the principle of legality when organizing the protection of personal data of its clients; carry out a full range of measures for organizational and technical data protection; when creating local documents related to information security, rely on the best Russian and international practices in this area; comply with all requirements of regulatory authorities (FSTEC, Roskomnadzor, FSB) to ensure the protection of the client's personal data.


© Khlestova D.R., Popov K.G., 2016

Khlestova Daria Robertovna

2nd year student of the Institute of Economics and Behavioral BashGU, Ufa, RF

E-mail: [email protected]

Popov Kirill Gennadievich

Candidate of Economics, Associate Professor of the Department of Information Security, Bashkir State University, Ufa, RF

Email: [email protected]

BUSINESS INTELLIGENCE AS THE MOST LEGAL WAY OF OBTAINING INFORMATION

Abstract

The article deals with the methods of business intelligence. It is also substantiated why business intelligence is a legal activity in business. Highlighted basic principles that should be followed,


1. THEORETICAL FOUNDATIONS FOR THE SECURITY OF PERSONAL DATA

1.1 Legislative framework for the protection of personal data in the Russian Federation

1.3.1 General description of the sources of threats of unauthorized access in the information system of personal data.

1.3.2 General characteristics of threats of direct access to the operating environment of the personal data information system

1.3.3 General characteristics of personal data security threats implemented using internetworking protocols

1.4 Characteristics of the Bank and its activities

1.5 Personal data bases

1.5.1 Information system of personal data of employees of the organization

1.5.2 Personal data information system of the access control and management system

1.5.3 Personal data information system of the automated banking system

1.6 Structure and threats of the Bank's local area network

1.7 Information security tools

2.2 Software and hardware protections

2.3 Basic security policy

2.3.1 Information security awareness system for employees

2.3.4 How employees work with e-mail

2.3.5 Password policy of the Bank

3. ECONOMIC JUSTIFICATION OF THE PROJECT

CONCLUSION


Appendices

INTRODUCTION

The widespread computerization that began at the end of the 20th century continues to this day. Automation of processes in enterprises increases the productivity of workers. Users of information systems can quickly obtain the data necessary to perform their duties. At the same time, along with facilitating access to data, there are problems with the safety of these data. Having access to various information systems, attackers can use them for personal gain: collecting data to sell it on the black market, stealing money from the organization's customers, stealing the organization's trade secrets.

Therefore, the problem of protecting critically important information for organizations is very acute. Increasingly, it becomes known from the media about various techniques or methods of stealing money by hacking the information systems of financial organizations. Having gained access to personal data information systems, an attacker can steal the data of clients of financial organizations, disseminate information about their financial transactions, causing both financial and reputational harm to a bank client. In addition, having learned data about the client, fraudsters can directly call the client, posing as bank employees and fraudulently, using social engineering techniques, find out passwords from remote banking systems and withdraw money from the client's account.

In our country, the problem of theft and illegal distribution of personal data is very acute. There are a large number of resources on the Internet that contain stolen personal data bases, with the help of which, for example, by mobile phone number, you can find very detailed information on a person, including his passport data, residential addresses, photographs and much more.

In this graduation project, I explore the process of creating a personal data protection system at PJSC Citibank.

1. BASICS OF SECURITY OF PERSONAL DATA

1.1 Legal basis for the protection of personal data

Today in Russia, state regulation is carried out in the field of ensuring the security of personal data. The main legal acts regulating the personal data protection system in the Russian Federation are the Constitution of the Russian Federation and the Federal Law “On Personal Data” dated July 27, 2006 No. 152-FZ. These two main legal acts establish the main theses about personal data in the Russian Federation:

Every citizen has the right to privacy, personal and family secrets, protection of his honor and good name;

Everyone has the right to privacy of correspondence, telephone conversations, postal, telegraphic and other communications. Restriction of this right is allowed only on the basis of a court decision;

Collection, storage, use and dissemination of information about the private life of a person without his consent is not allowed;

The processing of personal data must be carried out on a lawful and fair basis;

The processing of personal data should be limited to the achievement of specific, predetermined and legitimate purposes. It is not allowed to process personal data that is incompatible with the purposes of collecting personal data.

It is not allowed to combine databases containing personal data, the processing of which is carried out for purposes that are incompatible with each other.

Only personal data that meet the purposes of their processing are subject to processing.

When processing personal data, the accuracy of personal data, their sufficiency, and, if necessary, their relevance in relation to the purposes of processing personal data, must be ensured. The operator must take the necessary measures or ensure that they are taken to remove or clarify incomplete or inaccurate data.

The storage of personal data should be carried out in a form that allows determining the subject of personal data, no longer than required by the purposes of processing personal data, if the period for storing personal data is not established by federal law, an agreement to which the subject of personal data is a party, beneficiary or guarantor. The processed personal data is subject to destruction or depersonalization upon reaching the goals of processing or in case of loss of the need to achieve these goals, unless otherwise provided by federal law.

Other regulations that have a legal impact in the field of personal data protection in organizations of the banking sector of the Russian Federation are:

Federal Law of the Russian Federation dated July 27, 2006 No. 149-FZ “On Information, Information Technologies and Information Protection”;

Labor Code of the Russian Federation (Chapter 14);

Decree of the Government of the Russian Federation dated November 1, 2012 No. 1119 “On approval of requirements for the protection of personal data during their processing in personal data information systems”;

Order of the FSTEC of Russia dated February 18, 2013 No. 21 “On approval of the Composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems”.

Consider the main definitions used in the legislation.

Personal data - any information relating directly or indirectly to a specific or identifiable natural person (subject of personal data).

Personal data operator - a state body, municipal body, legal entity or individual, independently or jointly with other persons organizing and (or) carrying out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data;

Processing of personal data - any action (operation) or a set of actions (operations) performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;

Automated processing of personal data - processing of personal data using computer technology;

Dissemination of personal data - actions aimed at disclosing personal data to an indefinite circle of persons;

Providing personal data - actions aimed at disclosing personal data to a certain person or a certain circle of persons;

Blocking of personal data - temporary suspension of the processing of personal data (unless the processing is necessary to clarify personal data);

Destruction of personal data - actions, as a result of which it becomes impossible to restore the content of personal data in the information system of personal data and (or) as a result of which material carriers of personal data are destroyed;

Depersonalization of personal data - actions, as a result of which it becomes impossible, without the use of additional information, to determine the ownership of personal data by a specific subject of personal data;

Personal data information system - a set of personal data contained in databases and information technologies and technical means that ensure their processing;

Cross-border transfer of personal data is the transfer of personal data to the territory of a foreign state to an authority of a foreign state, a foreign individual or a foreign legal entity.

Biometric personal data - information that characterizes the physiological and biological characteristics of a person, on the basis of which it is possible to establish his identity (biometric personal data) and which is used by the operator to identify the subject of personal data.

Security of personal data - the state of protection of personal data, characterized by the ability of users, technical means and information technologies to ensure the confidentiality, integrity and availability of personal data when they are processed in personal data information systems.
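The storage principle stated above (identifiable data is kept no longer than the processing purpose or a fixed statutory period requires, after which it is destroyed or depersonalized) and the definitions of destruction and depersonalization can be turned into a retention sweep. The following is an added example written for this page, not code from the project or the bank it describes; the record layout, field names, retention periods and sample persons are constructed assumptions. Depersonalization is done with a keyed pseudonym, so the key held outside the ISPD is the "additional information" without which the subject cannot be determined.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import List, Optional, Tuple


# Constructed record layout for this example (field names are assumptions,
# not taken from any bank's personal data information system).
@dataclass
class Record:
    record_id: int
    full_name: str
    passport: str
    phone: str
    purpose: str                      # purpose the data was collected for
    purpose_reached: Optional[date]   # date the purpose was achieved; None = still active
    retention_days: int               # storage period fixed by law or contract, 0 if none
    keep_for_statistics: bool         # operator's choice: depersonalize rather than destroy
    depersonalized: bool = False


def pseudonym(key: bytes, value: str) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated). Without the key the original
    value can be neither recovered nor matched, which is what the legal
    definition of depersonalization requires. The key is the 'additional
    information' and must be stored outside the ISPD."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def depersonalize(rec: Record, key: bytes) -> Record:
    """Replace every direct identifier with its pseudonym: the record stays
    usable for statistics but no longer identifies the subject."""
    return replace(
        rec,
        full_name=pseudonym(key, rec.full_name),
        passport=pseudonym(key, rec.passport),
        phone=pseudonym(key, rec.phone),
        depersonalized=True,
    )


def retention_sweep(records: List[Record], key: bytes, today: date
                    ) -> Tuple[List[Record], List[Record], List[int]]:
    """Apply the storage principle. Identifiable data is kept only while the
    purpose is still pursued or a fixed retention period is running; after that
    it is depersonalized or destroyed. Returns (kept, depersonalized, destroyed_ids)."""
    kept: List[Record] = []
    anonymized: List[Record] = []
    destroyed: List[int] = []
    for rec in records:
        if rec.depersonalized:
            kept.append(rec)            # already contains no identifiable data
            continue
        if rec.purpose_reached is None:
            kept.append(rec)            # purpose still being pursued
            continue
        deadline = rec.purpose_reached + timedelta(days=rec.retention_days)
        if today < deadline:
            kept.append(rec)            # statutory or contractual period still running
        elif rec.keep_for_statistics:
            anonymized.append(depersonalize(rec, key))
        else:
            destroyed.append(rec.record_id)
    return kept, anonymized, destroyed


# Constructed sample data (fictional persons and constructed retention periods).
SAMPLE = [
    Record(1, "Ivanov I.I.", "4501 123456", "+7 900 000 0001",
           "loan agreement", None, 0, False),                     # purpose still active
    Record(2, "Petrov P.P.", "4502 654321", "+7 900 000 0002",
           "loan agreement", date(2016, 1, 10), 1825, False),     # assumed 5-year period running
    Record(3, "Sidorov S.S.", "4503 111222", "+7 900 000 0003",
           "marketing mailing", date(2016, 3, 1), 0, True),       # purpose reached: depersonalize
    Record(4, "Kuznetsov K.K.", "4504 333444", "+7 900 000 0004",
           "marketing mailing", date(2016, 3, 1), 0, False),      # purpose reached: destroy
]
DEMO_KEY = b"example-key-held-outside-the-ispd"   # constructed; keep real keys out of the ISPD
SAMPLE_TODAY = date(2016, 6, 1)


def demo(key: bytes = DEMO_KEY, today: date = SAMPLE_TODAY):
    """Run the sweep over the constructed sample."""
    return retention_sweep(SAMPLE, key, today)


if __name__ == "__main__":
    kept, anon, gone = demo()
    print("kept:", [r.record_id for r in kept])
    print("depersonalized:", [(r.record_id, r.full_name) for r in anon])
    print("destroyed:", gone)
```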

1.2 Classification of threats to information security of personal data.

An information security threat is understood as a threat of violation of information security properties - the availability, integrity or confidentiality of an organization's information assets.

The list of threats, the assessment of the probability of their implementation, as well as the intruder model serve as the basis for analyzing the risk of threats and formulating requirements for the automated system protection system. In addition to identifying possible threats, it is necessary to analyze the identified threats based on their classification according to a number of characteristics. Threats corresponding to each classification feature allow you to refine the requirement reflected by this feature.

Since the information stored and processed in modern AS is exposed to an extremely large number of factors, it becomes impossible to formalize the task of describing the full set of threats. Therefore, for a protected system, it is usually not a list of threats that is determined, but a list of threat classes.

The classification of possible threats to the information security of the AS can be carried out according to the following basic features:

By the nature of occurrence:

Natural threats caused by the impact on the AS of objective physical processes or natural disasters;

Artificial threats to AS security caused by human activity.

According to the degree of intentionality of manifestation:

Threats caused by human error or negligence, such as misuse of protective equipment, negligence in handling data;

Threats of deliberate action, such as hacking an automated system by intruders, destruction of data by employees of the organization in order to retaliate against the employer.

According to the immediate source of threats:

Natural hazards, such as natural disasters, man-made disasters;

Human threats, for example: destruction of information, disclosure of confidential data;

Authorized software and hardware, for example: physical hardware failure, software errors, software conflicts;

Unauthorized software and hardware, for example: the introduction of hardware implants and software backdoors.

By the position of the threat source:

Outside the controlled area, for example, interception of data transmitted over communication channels;

Within the controlled area, for example, unauthorized copying of information, unauthorized access to the protected area;

Directly in an automated system, for example, incorrect use of AS resources.

According to the degree of dependence on AS activity:

Regardless of the activity of the AS, for example, the physical theft of storage media;

Only during data processing, such as malware infection.

By the degree of impact on the AS:

Passive threats that, when implemented, do not change anything in the structure and content of the AS, for example, the threat of copying secret data;

Active threats that, when exposed, make changes to the structure and content of the AS, for example, deletion of data, their modification.

By stages of access of users or programs to resources:

Threats that manifest themselves at the stage of access to AS resources, for example: threats of unauthorized access to AS;

Threats that appear after allowing access to AS resources, for example, incorrect use of AS resources.

By way of access to AS resources:

Threats carried out using the standard access path to AS resources

Threats carried out using a hidden non-standard access path to AS resources, for example: unauthorized access to AS resources by using undocumented features of the installed software.

According to the current location of information stored and processed in the AS:

Threats of access to information located on external storage devices, for example: copying confidential information from storage media;

Threats of access to information located in RAM, for example: reading residual information from RAM, access to the system area of RAM by application programs;

Threats of access to information circulating in communication lines, for example: illegal connection to communication lines in order to remove information, sending modified data;

Hazardous impacts on an automated system are divided into accidental and intentional.

The causes of accidental impacts during AS operation can be:

Emergencies due to natural disasters and power outages;

Denials of service;

Software bugs;

Errors in the work of service personnel and users;

Interference in communication lines due to environmental influences.

Exploiting software bugs is the most common way to violate the information security of information systems. The number of errors grows with the complexity of the software. Attackers can find these vulnerabilities and through them gain access to the organization's information system. To minimize these threats, it is necessary to keep software versions up to date at all times.

Deliberate threats are associated with targeted actions of intruders. Attackers are divided into two types: internal attacker and external attacker. An internal intruder commits illegal actions while within the controlled zone of the automated system and can use official authority for authorized access to the automated system. An external attacker does not have access to the controlled zone, but can act simultaneously with an internal attacker to achieve their goals.

There are three main information security threats directed directly at the protected information:

Violation of confidentiality - confidential information is not changed, but becomes available to third parties who are not allowed to access this information. When this threat is realized, there is a high probability of the attacker disclosing the stolen information, which can lead to financial or reputational damage.

Violation of the integrity of protected information - distortion, change or destruction of information. The integrity of information can be violated not intentionally, but as a result of incompetence or negligence of an employee of the enterprise. Integrity can also be violated by an attacker to achieve their own goals. For example, changing account details in an automated banking system in order to transfer funds to an attacker's account, or substituting the personal data of an organization's client to obtain information about the client's cooperation with the organization.

Violation of the availability of protected information or denial of service - actions in which an authorized user cannot access protected information due to such reasons as: failure of hardware, software, failure of the local area network.

After considering the threats of automated systems, you can proceed to the analysis of threats to the personal data information system.

Personal data information system - a set of personal data contained in databases and information technologies and technical means that ensure their processing.

Personal data information systems are a set of information and software and hardware elements, as well as information technologies used in the processing of personal data.

The main elements of ISPD are:

Personal data contained in databases;

Information technologies used in the processing of PD;

Technical means that process personal data (computer equipment, information and computer systems and networks, means and systems for transmitting, receiving and processing personal data, means and systems for sound recording, sound amplification and sound reproduction, means for producing and copying documents, and other technical means for processing speech, graphic, video and alphanumeric information);

Software (operating systems, database management systems, etc.);

ISPD information protection means;

Auxiliary technical means and systems - technical means and systems, their communications, not intended for the processing of personal data, but located in the premises in which the ISPD is located.

Threats to the security of personal data (UBPD) - a set of conditions and factors that create the danger of unauthorized, including accidental, access to personal data, which may result in the destruction, modification, blocking, copying or distribution of personal data, as well as other unauthorized actions during their processing in the personal data information system.

The characteristics of the personal data information system that give rise to UBPD include the category and volume of personal data processed in the system, the structure of the system, the presence of ISPD connections to public communication networks and (or) international information exchange networks, the characteristics of the security subsystem for the personal data processed in the ISPD, the modes of processing personal data, the modes of access-rights separation among ISPD users, and the location and placement conditions of ISPD technical means.

The properties of the propagation environment of informative signals containing protected information are characterized by the type of physical medium in which PD propagate and are determined when assessing the possibility of implementing UBPD. The capabilities of UBPD sources are determined by the combination of methods of unauthorized and (or) accidental access to PD, as a result of which the confidentiality (copying, illegal distribution), integrity (destruction, modification) and availability (blocking) of PD can be violated.

The threat to the security of personal data is realized as a result of the formation of a channel for the implementation of the UBPD between the source of the threat and the carrier (source) of the PD, which creates conditions for violating the security of the PD.

The main elements of the UBPD implementation channel (Figure 1) are:

Source of UBPD - a subject, material object or physical phenomenon that creates UBPD;

PD propagation environment, or medium of influence, in which a physical field, signal, data or programs can spread and affect the protected properties of personal data;

Personal data carrier - an individual or a material object, including a physical field in which PD are reflected in the form of symbols, images, signals, technical solutions and processes, quantitative characteristics of physical quantities.

Figure 1. Generalized scheme of the channel for the implementation of threats to the security of personal data

PD carriers may contain information presented in the following forms:

Acoustic (speech) information contained directly in the spoken speech of the ISPD user when he performs voice input of PD into the personal data information system, or reproduced by the acoustic means of the ISPD (if such functions are provided for by the PD processing technology), as well as contained in the electromagnetic fields and electrical signals that arise from the transformation of acoustic information;

Visual information (VI) presented in the form of text and images on the various information display devices of computer technology, information and computing systems, and technical means for processing graphic, video and alphanumeric information that are part of the ISPD;

Information processed (circulating) in ISPD, in the form of electrical, electromagnetic, optical signals;

Information processed in ISPD, presented in the form of bits, bytes, files and other logical structures.

In order to form a systematic list of UBPD arising during processing in ISPD and to develop specific threat models on its basis for a particular type of ISPD, threats are classified according to the following features (Figure 2):

By the type of information containing PD that is protected from UBPD;

By types of possible sources of UBPD;

By type of ISPD, to which the implementation of UBPD is directed;

According to the method of implementation of UBPD;

By the type of property of information being violated (type of unauthorized actions carried out with PD);

By exploited vulnerability;

According to the object of influence.

According to the types of possible sources of UBPD, the following threat classes are distinguished:

Threats associated with intentional or unintentional actions of persons having access to the ISPD, including users of the personal data information system, who implement threats directly in the ISPD (internal intruder);

Threats associated with intentional or unintentional actions of persons who do not have access to ISPD, implementing threats from external public communication networks and (or) international information exchange networks (an external intruder).

In addition, threats can arise from the introduction of hardware implants and malware.

According to the type of ISPD at which the implementation of the UBPD is directed, the following classes of threats are distinguished:

UBPD processed in ISPD based on a stand-alone automated workstation (AWS);

UBPD processed in ISPD based on an automated workstation connected to the public network (to the network of international information exchange);

UBPD processed in ISPD based on local information systems without connection to the public network (to the network of international information exchange);

UBPD processed in ISPD based on local information systems with connection to the public network (to the network of international information exchange);

UBPD processed in ISPD on the basis of distributed information systems without connection to the public network (to the network of international information exchange);

UBPD processed in ISPD based on distributed information systems connected to a public network (to a network of international information exchange).

The following classes of threats are distinguished according to the methods of UBPD implementation:

Threats associated with unauthorized access (UA) to PD (including threats of introducing malware);

Threats of leakage of personal data through technical channels of information leakage;

Threats of special impacts on ISPD.

According to the type of unauthorized actions carried out with PD, the following classes of threats are distinguished:

Threats that lead to a violation of the confidentiality of PD (copying or unauthorized distribution), the implementation of which does not directly affect the content of information;

Threats leading to unauthorized, including accidental, impact on the content of information, as a result of which PD is changed or destroyed;

Threats that lead to unauthorized, including accidental, impact on software or hardware-software elements of ISPD, as a result of which PD is blocked.

The following threat classes are distinguished by the exploited vulnerability:

Threats implemented using system software vulnerabilities;

Threats implemented using application software vulnerabilities;

Threats resulting from the use of a vulnerability caused by the presence of a hardware implant in the automated system;

Threats implemented using vulnerabilities in network communication protocols and data transmission channels;

Threats resulting from the exploitation of a vulnerability caused by deficiencies in the organization of information protection against unauthorized access;

Threats implemented using vulnerabilities that cause the presence of technical channels for information leakage;

Threats implemented using vulnerabilities in the information protection means themselves.

According to the object of influence, the following classes of threats are distinguished:

Threats to the security of PD processed at the workstation;

Threats to the security of PD processed in dedicated processing tools (printers, plotters, remote monitors, video projectors, sound reproduction tools, etc.);

Threats to the security of PD transmitted over communication networks;

Threats to application programs that process PD;

Threats to system software that ensures the functioning of ISPD.

The implementation of one of the UBPDs of the listed classes or their combination can lead to the following types of consequences for PD subjects:

Significant negative consequences for PD subjects;

Negative consequences for PD subjects;

Insignificant negative consequences for PD subjects.

Threats of leakage of personal data through technical channels are unambiguously described by the characteristics of the source of information, the medium of distribution and the receiver of the informative signal, that is, they are determined by the characteristics of the technical channel of PD leakage.

Unauthorized access threats (UA threats) are presented as a set of generalized classes of possible sources of UA threats, ISPD software and hardware vulnerabilities, methods for implementing threats, objects of influence (protected information carriers, directories, files containing PD, or the PD themselves) and possible destructive actions. Such a representation is described by the following formalized notation (Fig. 2).

1.3 General characteristics of threat sources in personal data information systems

UA threats in ISPD using software and software-hardware means are implemented when unauthorized, including accidental, access is carried out, as a result of which the confidentiality, integrity and availability of PD are violated, and include:

Threats of unauthorized access to the computer operating environment using standard software (operating system tools or general application programs);

Threats of creating abnormal modes of operation of software (software and hardware) means due to deliberate changes in service data, ignoring the restrictions on the composition and characteristics of the processed information that apply under normal conditions, distortion (modification) of the data itself, etc.;

Figure 2 Classification of UBPD processed in personal data information systems

Threats of introducing malicious programs (software-mathematical impact).

The composition of the elements of the description of UA threats to information in the ISPD is shown in Figure 3.

In addition, combined threats are possible, which are a combination of these threats. For example, due to the introduction of malicious programs, conditions can be created for unauthorized access to the operating environment of a computer, including through the formation of non-traditional information access channels.

Threats of unauthorized access to the ISPD operating environment using standard software are divided into threats of direct and remote access. Threats of direct access are carried out using the computer's input/output software and firmware. Remote access threats are implemented using network communication protocols.

Such threats are implemented both against ISPD based on an automated workstation that is not connected to the public communication network and against all ISPD that are connected to public communication networks and international information exchange networks.

Figure 3. Composition of the elements of the description of UA threats to information in the ISPD


1.3.1 General description of the sources of threats of unauthorized access in the personal data information system

Sources of threats in the personal data information system can be:

Intruder;

Carrier of a malicious program;

Hardware implant.

PD security threats associated with the introduction of hardware implants are determined in accordance with the regulatory documents of the Federal Security Service of the Russian Federation in the manner established by it.

According to the presence of the right of permanent or one-time access to the controlled zone of the ISPD, violators are divided into two types:

Violators who do not have access to the ISPD and implement threats from external public communication networks and (or) international information exchange networks are external violators;

Violators who have access to ISPD, including ISPD users who implement threats directly in ISPD, are internal violators.

External intruders can be:

Competing organizations;

Unscrupulous partners;

External subjects (individuals).

An external intruder has the following capabilities:

To carry out unauthorized access to communication channels that go beyond the office premises;

Carry out unauthorized access through workstations connected to public communication networks and (or) international information exchange networks;

Perform unauthorized access to information by means of special software actions: software viruses, malware, algorithmic or software implants;

To carry out unauthorized access through elements of the ISPD information infrastructure which, in the course of their life cycle (modernization, maintenance, repair, disposal), are outside the controlled zone;

To carry out unauthorized access through the information systems of interacting departments, organizations and institutions when they are connected to ISPD.

Internal potential violators are divided into eight categories depending on the method of access and authority to access PD.

The first category includes persons who have authorized access to the ISPD but do not have access to PD. This type of offender includes officials who ensure the normal functioning of the ISPD. A person of this category can:

Have access to fragments of information containing PD and distributed via internal ISPD communication channels;

Have fragments of information about the topology of the ISPD and about the communication protocols used and their services;

Have the user names of registered users and work to discover their passwords;

Change the configuration of the ISPD hardware, introduce software and hardware implants into it, and retrieve information using a direct connection to the ISPD hardware.

A person of the second category:

Possesses all the capabilities of persons of the first category;

Knows at least one legal access name;

Has all the necessary attributes that provide access to a certain subset of PD;

Has confidential data to which he has access.

Its access, authentication and access rights to a certain subset of PD should be regulated by the relevant access control rules.

A person of the third category:

Has all the capabilities of persons of the first and second categories;

Has information about the ISPD topology based on a local and (or) distributed information system through which access is provided, and about the composition of the ISPD technical means;

Has the possibility of direct (physical) access to fragments of ISPD technical means.

A person of the fourth category:

Possesses complete information about the system and application software used in the ISPD segment (fragment);

Possesses complete information about the technical means and configuration of the ISPD segment (fragment);

Has access to information security and logging tools, as well as to individual elements used in the ISPD segment (fragment);

Has access to all technical means of the ISPD segment (fragment);

Has the rights to configure and administer some subset of the technical means of the ISPD segment (fragment).

The fifth category includes persons with the powers of the ISPD system administrator. A person of this category:

Has all the capabilities of persons of the previous categories;

Possesses complete information about the system and application software of ISPD;

Possesses complete information about technical means and configuration of ISPD;

Has access to all technical means of information processing and ISPD data;

Possesses the rights of configuring and administrative setting of ISPD technical means.

The system administrator configures and manages software and equipment, including equipment responsible for the security of the protected object: means of cryptographic information protection, monitoring, registration, archiving, protection against unauthorized access.

A person of the sixth category:

Has all the capabilities of persons of the previous categories;

Possesses full information about ISPD;

Has access to information security and logging tools and to some of the key elements of ISPD;

Has no rights to configure network hardware, other than monitoring (inspection) rights.

A person of the seventh category:

Possesses information about the algorithms and programs for processing information in the ISPD;

Possesses the ability to introduce errors, undeclared features, software implants or malware into the ISPD software at the stage of its development, implementation and maintenance;

May have any fragments of information about the topology of the ISPD and the technical means of processing and protecting the PD processed in the ISPD.

A person of the eighth category:

Has the ability to introduce implants into the technical means of the ISPD at the stage of their development, implementation and maintenance;

May have any fragments of information about the topology of the ISPD and the technical means of processing and protecting information in the ISPD.

The carrier of a malicious program can be a hardware element of a computer or a software container. If the malicious program is not associated with any application program, then the following are considered as its carrier:

Removable media (floppy disks, optical discs, flash memory);

Built-in storage media (hard drives, RAM chips, the processor, motherboard chips, chips of devices installed in the system unit - video adapter, network card, sound card, modem, input/output devices of magnetic hard and optical drives, power supply, etc. - direct memory access chips, data buses, input/output ports);

Chips of external devices (monitor, keyboard, printer, modem, scanner, etc.).

If a malicious program is associated with any application program, with files that have certain extensions or other attributes, with messages transmitted over the network, then its carriers are:

Packets of messages transmitted over a computer network;

Files (text, graphic, executable, etc.).

1.3.2 General characteristics of threats of direct access to the operating environment of the personal data information system

Threats of unauthorized access to the operating environment of the computer and unauthorized access to PD are associated with access to:

To information and commands stored in the basic input/output system of the ISPD, with the possibility of seizing control of operating system loading and obtaining the rights of a trusted user;

To the operating environment, that is, the environment in which the local operating system of a separate ISPD technical means functions, with the possibility of performing unauthorized access by calling regular operating system programs or launching specially designed programs that implement such actions;

To the environment for the functioning of application programs (for example, to a local database management system);

Directly to the user's information (to files, text, audio and graphic information, fields and records in electronic databases) and are conditioned by the possibility of violation of its confidentiality, integrity and availability.

These threats can be implemented when physical access is obtained to the ISPD or, at least, to the means of entering information into the ISPD. According to the conditions of implementation they can be grouped into three groups.

The first group includes threats implemented during the loading of the operating system. These information security threats are aimed at intercepting passwords or identifiers, modifying the software of the basic input/output system, or seizing control of the boot process and changing the technological information needed to obtain UA in the ISPD operating environment. Most often, such threats are implemented using removable media.

The second group is threats that are implemented after loading the operating environment, regardless of which application program is launched by the user. These threats are usually aimed at performing directly unauthorized access to information. When gaining access to the operating environment, an intruder can use both the standard functions of the operating system or some public application program (for example, database management systems), and programs specially created to perform unauthorized access, for example:

Registry viewing and modification tools;

Programs for searching texts in text files by keywords and copying;

Special programs for viewing and copying records in databases;

Programs for quickly viewing graphic files, editing or copying them;

Programs for reconfiguring the software environment (changing ISPD settings in the interests of the offender).

Finally, the third group includes threats, the implementation of which is determined by which of the application programs is launched by the user, or by the fact that any of the application programs is launched. Most of these threats are malware injection threats.

1.3.3 General characteristics of personal data security threats implemented using internetworking protocols

If the ISPD is implemented on the basis of a local or distributed information system, then information security threats can be implemented in it by using internetworking protocols. In this case, UA to PD can be obtained or the threat of denial of service can be realized. Threats are especially dangerous when the ISPD is a distributed information system connected to public networks and (or) networks of international information exchange. The classification scheme of threats implemented over the network is shown in Figure 4. It is based on the following seven primary classification features.

Figure 4 Classification scheme of threats using internetworking protocols

1. The nature of the threat. On this basis, threats can be passive and active. A passive threat is a threat whose implementation does not directly affect the operation of the ISPD, but the established rules for restricting access to PD or network resources may be violated. An example of such threats is the "Network traffic analysis" threat, which is aimed at eavesdropping on communication channels and intercepting transmitted information. An active threat is a threat associated with an impact on ISPD resources, the implementation of which directly affects the operation of the system (configuration change, disruption of performance, etc.) and violates the established rules for restricting access to PD or network resources. An example of such threats is the Denial of Service threat, implemented as a "TCP request storm".

2. The purpose of the implementation of the threat. On this basis, threats can be aimed at violating the confidentiality, integrity, and availability of information (including violating the operability of the ISPD or its elements).

3. The condition for the start of the process of implementing the threat. On this basis, a threat can be realized:

Upon request from the object against which the threat is being implemented. In this case, the intruder is waiting for the transmission of a request of a certain type, which will be the condition for the start of unauthorized access;

Upon the occurrence of an expected event at the object against which the threat is being implemented. In this case, the intruder constantly monitors the state of the ISPD operating system and, if a certain event occurs in this system, unauthorized access begins;

Unconditional impact. In this case, the beginning of the implementation of unauthorized access is unconditional in relation to the purpose of access, that is, the threat is realized immediately and regardless of the state of the system.

4. Availability of feedback from ISPD. On this basis, the process of implementing a threat can be with or without feedback. The threat, carried out in the presence of feedback from the personal data information system, is characterized by the fact that some requests transmitted to the ISPD require the violator to receive a response. Consequently, there is a feedback between the violator and the personal data information system, which allows the violator to adequately respond to all changes occurring in the ISPD. Unlike threats implemented in the presence of feedback from the personal data information system, when implementing threats without feedback, it is not required to respond to any changes occurring in the ISPD.

5. The location of the intruder relative to the ISPD. On this basis, the threat is realized either intra-segment or inter-segment.

Network segment - a physical association of hosts (ISPD hardware or communication elements having a network address). For example, a segment of the personal data information system forms a set of hosts connected to the server according to the “common bus” scheme. In the case when there is an intra-segment threat, the intruder has physical access to the ISPD hardware elements. If there is an inter-segment threat, then the offender is located outside the ISPD, realizing the threat from another network or from another segment of the personal data information system.

6. The level of the open systems interconnection reference model (ISO/OSI) at which the threat is implemented. On this basis, a threat can be implemented at the physical, data link, network, transport, session, presentation or application level of the ISO/OSI model.

7. The ratio of the number of violators and ISPD elements against which the threat is being implemented. On this basis, a threat can be classified as a class of threats implemented by one intruder against one ISPD technical means (one-to-one threat), against several ISPD technical means at once (one-to-many threat) or by several intruders from different computers relative to one or several technical means of ISPD (distributed or combined threats).
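As an added illustration that is not part of the original work, the following Python snippet classifies one network incident by features 5, 6 and 7 of the scheme above from constructed interaction records; the record format, the ISPD segment address range and the protocol-to-OSI-level table are assumptions introduced here.

```python
import ipaddress
from dataclasses import dataclass

# Constructed interaction records (not from any real ISPD). Each tuple is one
# observed interaction attributed to the same incident: (source, destination, protocol).
INTRA_SEGMENT_SCAN = [
    ("10.20.0.7", "10.20.0.15", "tcp"),
    ("10.20.0.7", "10.20.0.16", "tcp"),
    ("10.20.0.7", "10.20.0.17", "tcp"),
]
DISTRIBUTED_STORM = [
    ("198.51.100.5", "10.20.0.15", "icmp"),
    ("198.51.100.6", "10.20.0.15", "icmp"),
    ("203.0.113.9", "10.20.0.15", "icmp"),
]

# Assumed mapping from the protocol named in a record to the ISO/OSI level at which
# the threat is implemented (feature 6); the text names the levels, not this table.
OSI_LEVEL = {
    "arp": "data link",
    "icmp": "network",
    "tcp": "transport",
    "udp": "transport",
    "http": "application",
    "smtp": "application",
    "ftp": "application",
}


@dataclass(frozen=True)
class ThreatClass:
    location: str   # feature 5: intra-segment or inter-segment
    ratio: str      # feature 7: one-to-one, one-to-many or distributed
    levels: tuple   # feature 6: ISO/OSI levels observed in the incident


def classify_incident(records, ispd_segment):
    """Classify one incident by features 5, 6 and 7 of the scheme.

    ispd_segment is the address range of the ISPD network segment (assumed CIDR).
    """
    if not records:
        raise ValueError("an incident needs at least one record")
    segment = ipaddress.ip_network(ispd_segment)
    sources = {ipaddress.ip_address(src) for src, _, _ in records}
    targets = {ipaddress.ip_address(dst) for _, dst, _ in records}

    # Feature 5: an intra-segment threat means every intruder address sits on the
    # ISPD segment; any source outside it makes the threat inter-segment.
    location = "intra-segment" if all(s in segment for s in sources) else "inter-segment"

    # Feature 7: number of intruders versus number of ISPD elements attacked.
    if len(sources) > 1:
        ratio = "distributed"
    elif len(targets) > 1:
        ratio = "one-to-many"
    else:
        ratio = "one-to-one"

    # Feature 6: which ISO/OSI levels the observed protocols belong to.
    levels = tuple(sorted({OSI_LEVEL.get(proto.lower(), "unknown") for _, _, proto in records}))
    return ThreatClass(location, ratio, levels)
```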

Taking into account the classification carried out, we single out the main types of attacks on the information system of personal data:

1. Analysis of network traffic.

This threat is implemented using special packet sniffer software that intercepts all packets transmitted over a network segment and singles out among them those in which a user ID and password are transmitted. While implementing the threat, the intruder studies the logic of the network, that is, seeks to obtain a one-to-one correspondence between the events occurring in the system and the commands sent by the hosts at the moment those events occur. Subsequently, this allows the attacker, by issuing the appropriate commands, to obtain privileged rights in the system or expand his powers in it, and to intercept the stream of data exchanged between the components of the network operating system in order to extract confidential or identification information and to substitute or modify it.

2. Scanning the network.

The essence of the threat implementation process is to send requests to the network services of ISPD hosts and analyze the responses from them. The goal is to identify the protocols used, the open ports of network services, the rules by which connection identifiers are formed, the active network services, and user identifiers and passwords.

3. The threat of password exposure.

The purpose of the implementation of the threat is to obtain UA by overcoming password protection. An attacker can implement a threat using a variety of methods, such as simple brute force, brute force using special dictionaries, installing malware to intercept the password, spoofing a trusted network object, and packet sniffing. Basically, to implement the threat, special programs are used that try to gain access to the host by successively guessing passwords. If successful, the attacker can create an entry point for himself for future access, which will remain in effect even if the access password is changed on the host.

4. Substitution of a trusted network object and transmission of messages through communication channels on its behalf with the assignment of its access rights.

Such a threat is effectively implemented in systems where weak algorithms for identifying and authenticating hosts and users are used. A trusted object is a network object (computer, firewall, router, etc.) legally connected to the server. Two varieties of the process of implementing this threat can be distinguished: with and without establishing a virtual connection. The implementation process with the establishment of a virtual connection consists in assigning the rights of a trusted subject of interaction, which allows an intruder to conduct a session with a network object on behalf of a trusted subject. Implementation of this type of threat requires overcoming the system of message identification and authentication. The process of implementing a threat without establishing a virtual connection can take place in networks that identify transmitted messages only by the sender's network address. The essence lies in the transmission of service messages on behalf of network control devices (for example, on behalf of routers) about changing routing and address data.

As a result of the implementation of the threat, the violator obtains the access rights that the user set for the trusted subscriber to the ISPD technical means.

5. Imposing a false network route.

This threat is realized in one of two ways: by intra-segment or inter-segment imposition. The possibility of imposing a false route is due to shortcomings inherent in routing algorithms (in particular, the problem of identifying network control devices), as a result of which traffic can be redirected, for example, to the attacker's host or network, from where the operating environment of a technical means within the ISPD can be entered. The implementation of the threat is based on the unauthorized use of routing and network control protocols to make changes to the routing tables. In this case, the intruder needs to send a control message on behalf of a network control device (for example, a router).

6. Introduction of a false network object.

This threat is based on exploiting weaknesses in remote search algorithms. If network objects initially do not have address information about each other, various remote search protocols are used, which consist in transmitting special requests over the network and receiving answers to them with the required information. In this case, it is possible for the violator to intercept the search query and issue a false answer to it, the use of which will lead to the required change in the routing and address data. Subsequently, the entire flow of information associated with the victim object will pass through the false network object.

7. Denial of service.

These threats are based on flaws in network software, its vulnerabilities that allow the intruder to create conditions when the operating system is unable to process incoming packets. Several types of such threats can be distinguished:

A covert denial of service, caused by the involvement of part of the ISPD resources in processing packets transmitted by an attacker, resulting in a decrease in the bandwidth of communication channels and the performance of network devices and a violation of the requirements for request processing time. Examples of the implementation of threats of this kind are a directed storm of ICMP echo requests, a storm of requests to establish TCP connections, and a storm of requests to an FTP server;

An explicit denial of service, caused by the exhaustion of ISPD resources when processing packets transmitted by the attacker (occupation of the entire bandwidth of communication channels, overflow of service request queues), in which legitimate requests cannot be transmitted through the network because the transmission medium is unavailable, or are refused service because of overflowing request queues, memory, disk space, etc. Examples of threats of this type are an ICMP broadcast echo request storm, a directed storm, and a mail server message storm;

An explicit denial of service, caused by a violation of the logical connectivity between the ISPD technical means when the intruder transmits control messages on behalf of network devices, leading to a change in routing and address data or in identification and authentication information;

An explicit denial of service, caused by the attacker transmitting packets with non-standard attributes or with a length exceeding the maximum allowable size, which can lead to the failure of the network devices involved in processing requests, provided there are errors in the programs that implement the network exchange protocols. The result of this threat may be a disruption of the corresponding service that provides remote access to PD in the ISPD, or the sending from one address of as many connection requests to a technical facility within the ISPD as that facility can process, which overflows the request queue and causes the failure of one of the network services or a complete halt of the computer, since the system can do nothing other than process requests.

8. Remote launch of applications.

The threat consists in running various pre-embedded malicious software on an ISPD host: implants (software "bookmarks"), viruses, "network spies", whose main purpose is to violate the confidentiality, integrity and availability of information and to gain complete control over the operation of the host. In addition, unauthorized launch of user application programs is possible in order to obtain data the intruder needs without authorization, to launch processes controlled by the application program, etc. There are three subclasses of these threats:

Distribution of files containing unauthorized executable code;

Remote launch of an application by overflowing a buffer of an application server;

Remote launch of an application by using the remote system management capabilities provided by hidden software and hardware implants or by standard tools in use.

Typical threats of the first subclass are based on the activation of distributed files when they are accidentally opened. Examples of such files are: files containing executable code in the form of macros (Microsoft Word and Excel documents); HTML documents containing executable code in the form of ActiveX controls, Java applets or interpreted scripts (for example, malicious JavaScript); and files containing executable program code.

For distribution of files, e-mail, file transfer, network file system services can be used.

Threats of the second subclass exploit shortcomings of the programs that implement network services (in particular, the lack of buffer overflow checks). By manipulating processor registers, it is sometimes possible to switch the processor, after a buffer overflow interrupt, to executing code located outside the buffer boundary.

With threats of the third subclass, the intruder uses the remote system control capabilities provided by hidden components or by standard tools for managing and administering computer networks. Using them, the intruder can gain remote control over a station in the network. Schematically, the main stages of the work of such programs are: installation in memory; waiting for a request from a remote host running a client program and exchanging readiness messages with it; transferring intercepted information to the client or giving it control over the attacked computer. The possible consequences of implementing threats of the various classes are shown in Table 1.

Table 1. Possible consequences of the implementation of threats of various classes

No. | Attack type | Possible consequences
1 | Network traffic analysis | Study of network traffic characteristics, interception of transmitted data, including user IDs and passwords
2 | Network scan | Determination of protocols, available ports of network services, rules for generating connection identifiers, active network services, user IDs and passwords
3 | "Password" attack | Performing any destructive action related to gaining unauthorized access
4 | Spoofing a trusted network object | Changing the route of messages, unauthorized change of routing and address data. Unauthorized access to network resources, imposition of false information
5 | Imposing a false route | Unauthorized change of routing and address data, analysis and modification of transmitted data, imposition of false messages
6 | Introduction of a false network object | Interception and viewing of traffic. Unauthorized access to network resources, imposition of false information
7 | Denial of service: partial resource exhaustion | Decreased bandwidth of communication channels and performance of network devices. Decreased performance of server applications
7 | Denial of service: complete exhaustion of resources | Impossibility of transmitting messages due to lack of access to the transmission medium, refusal to establish a connection. Denial of service
7 | Denial of service: violation of logical connectivity between attributes, data, objects | Inability to send messages due to the lack of correct routing and address data. Inability to receive services due to unauthorized modification of identifiers, passwords, etc.
7 | Denial of service: using bugs in programs | Failure of network devices
8 | Remote application launch by sending files containing destructive executable code (virus infection) or by buffer overflow of a server application | Violation of confidentiality, integrity, availability of information
8 | Remote application launch by using the remote system management capabilities provided by hidden software and hardware implants or by standard tools in use | Hidden system management

The threat realization process generally consists of four stages:

Collection of information;

Intrusion (penetration into the operating environment);

Implementation of unauthorized access;

Elimination of traces of unauthorized access.

At the information collection stage, the intruder may be interested in various information about the ISPD, including:

The topology of the network in which the system operates. In this case the surroundings of the network may also be explored (for example, the intruder may be interested in the addresses of trusted but less secure hosts). There are parallel host-discovery utilities that can scan a large part of the address space for live hosts in a short time;

The type of operating system (OS) used in the ISPD. The simplest method of determining the OS type is a connection request over the Telnet remote access protocol, after which the "appearance" of the response reveals the type of the host OS. The presence of certain services can also serve as an additional indication of the host OS type;

The services running on the hosts. Services running on a host are determined by the "open ports" method, which also collects information about the host's availability.

At the intrusion stage, the presence of typical vulnerabilities in system services or errors in system administration is investigated. Successful exploitation of a vulnerability typically results in the attacker's process obtaining privileged execution mode (access to the processor's privileged mode), the injection of an illegal user account into the system, the capture of the password file, or the disruption of the attacked host.

This stage of the threat is, as a rule, multi-phase. The phases of the threat implementation process may include, for example: establishing a connection with the host against which the threat is being implemented; identifying a vulnerability; introducing a malicious program in order to escalate privileges, etc.

Threats implemented at the intrusion stage are divided by the layers of the TCP/IP protocol stack, since they are formed at the network, transport or application layer depending on the intrusion mechanism used. Typical threats implemented at the network and transport layers include the following:

A threat aimed at replacing a trusted object;

A threat aimed at creating a false route in the network;

Threats aimed at creating a false object by exploiting the shortcomings of remote search algorithms;

Denial of service threats.

Typical threats implemented at the application layer include threats aimed at the unauthorized launch of applications, threats whose implementation involves the introduction of software implants, threats involving the discovery of access passwords to the network or to a specific host, etc. If the implementation of the threat did not give the intruder the highest access rights in the system, attempts to extend these rights to the maximum possible level are likely. For this, vulnerabilities not only of network services but also of the system software of ISPD hosts can be used.

At the stage of implementation of unauthorized access, the goal of implementing the threat is achieved:

Violation of confidentiality (copying, illegal distribution);

Violation of integrity (destruction, change);

Violation of availability (blocking).

At the same stage, after the actions listed above, a so-called "back door" is usually created, in the form of a service that listens on a certain port and executes the intruder's commands. The "back door" is left in the system to ensure: the ability to regain access to the host even if the administrator eliminates the vulnerability that was used to implement the threat; the ability to access the host as inconspicuously as possible; and the ability to access the host quickly (without repeating the threat implementation process). The "back door" allows the attacker to inject a malicious program into the network or onto a specific host, for example a "password analyzer" (a program that extracts user IDs and passwords from network traffic when high-level protocols are in use). Targets of malware injection can be authentication and identification programs, network services, the operating system kernel, the file system, libraries, etc.

Finally, at the stage of elimination of traces of the implementation of the threat, an attempt is made to destroy the traces of the intruder's actions. This removes the corresponding entries from all possible audit logs, including records about the fact that information was collected.
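The request storms described under denial of service and the "open ports" reconnaissance of the information collection stage both leave a signature in connection logs that a defender can look for. The script below is an added example written for this article (it is not part of the thesis and not the Bank's tooling): it parses a constructed log of the form `ts src dst proto dport flags` and applies two simple rate checks, the number of SYN-only segments or ICMP echo requests from one source to one host per one-second window, and the number of distinct TCP ports one source touches on one host. The sample traffic and the thresholds are constructed and would be tuned to the real ISPD traffic profile.

```python
"""Detecting request storms and port sweeps in a connection log.

Added example, not part of the original thesis. The log format, the
sample traffic and the thresholds below are constructed.
"""
from collections import defaultdict
from typing import NamedTuple


class Packet(NamedTuple):
    ts: float       # seconds
    src: str
    dst: str
    proto: str      # "tcp" or "icmp"
    dport: int      # destination port, or ICMP type for icmp
    flags: str      # TCP flags, "S" = SYN only; "-" for icmp


def parse_log(text: str) -> list:
    """Parse lines of the form: ts src dst proto dport flags."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport, flags = line.split()
        packets.append(Packet(float(ts), src, dst, proto, int(dport), flags))
    return packets


def detect_storms(packets, window=1.0, threshold=50):
    """Flag (src, dst) pairs that send >= threshold half-open SYNs or ICMP
    echo requests inside one fixed window of `window` seconds.

    Returns {(src, dst, kind): peak count in a single window}.
    """
    counts = defaultdict(int)
    for p in packets:
        if p.proto == "tcp" and p.flags == "S":
            kind = "syn-storm"
        elif p.proto == "icmp" and p.dport == 8:   # echo request
            kind = "icmp-echo-storm"
        else:
            continue
        bucket = int(p.ts // window)
        counts[(p.src, p.dst, kind, bucket)] += 1
    peaks = defaultdict(int)
    for (src, dst, kind, _bucket), n in counts.items():
        peaks[(src, dst, kind)] = max(peaks[(src, dst, kind)], n)
    return {k: v for k, v in peaks.items() if v >= threshold}


def detect_port_sweeps(packets, threshold=10):
    """Flag sources that touch >= threshold distinct TCP ports on one host
    (the "open ports" reconnaissance described in the text)."""
    ports = defaultdict(set)
    for p in packets:
        if p.proto == "tcp":
            ports[(p.src, p.dst)].add(p.dport)
    return {k: len(v) for k, v in ports.items() if len(v) >= threshold}


def build_sample_log() -> str:
    """Constructed traffic: a SYN storm, a port sweep and benign sessions."""
    lines = ["# ts src dst proto dport flags"]
    for i in range(60):                       # 60 SYNs within half a second
        lines.append(f"{1000 + i * 0.008:.3f} 10.0.0.5 10.0.1.20 tcp 443 S")
    for port in range(20, 35):                # 15 distinct ports probed
        lines.append(f"{1001 + port * 0.01:.3f} 10.0.0.9 10.0.1.20 tcp {port} S")
    lines.append("1002.000 10.0.0.7 10.0.1.20 tcp 443 S")   # ordinary client
    lines.append("1002.010 10.0.0.7 10.0.1.20 tcp 443 A")
    lines.append("1002.500 10.0.0.7 10.0.1.20 icmp 8 -")    # a single ping
    return "\n".join(lines)


if __name__ == "__main__":
    pkts = parse_log(build_sample_log())
    print("storms:", detect_storms(pkts))
    print("sweeps:", detect_port_sweeps(pkts))
```

On the constructed log, only 10.0.0.5 is reported as a SYN storm (60 SYNs in one window) and only 10.0.0.9 as a port sweep (15 distinct ports); the ordinary client and its single ping stay below both thresholds. The same two checks can be fed from firewall or NetFlow exports once the parser is adapted to their field order.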

1.4 Characteristics of the Bank and its activities

PJSC Citibank is a financial and credit organization of the Banking System of the Russian Federation that conducts financial transactions with money and securities. The Bank provides financial services to individuals and legal entities.

The main activities are lending to legal entities and individuals, servicing accounts of corporate clients, attracting funds from the population in deposits, operations in the foreign exchange and interbank markets, investments in bonds and bills.

The Bank has been carrying out its financial activities since August 1, 1990, on the basis of the General License of the Bank of Russia for banking activities No. 356.

The Bank has three personal data information systems:

Personal data information system of the Bank's employees, which holds data identifying 243 personal data subjects;

Personal data information system of the access control and management system, which holds data identifying 243 personal data subjects;

Personal data information system of the automated banking system, which holds data identifying 9681 personal data subjects.

1.5 Personal databases

The Bank needs to protect several personal data information systems at once, namely:

Information system of personal data of the Bank's employees;

Information system of personal data of the access control and management system;

Information system of personal data of the automated banking system.

1.5.1 Information system of personal data of employees of the organization

The ISPD of the Bank's employees is used to pay salaries to the Bank's employees, to automate the work of the personnel department and the accounting department, and to solve other personnel and accounting issues. It consists of a 1C "Salary and personnel management" database located on a separate workstation that can be reached over the network. The workstation is located in the office of the HR department and runs the Microsoft Windows XP operating system. The workstation has no Internet connection.

The ISPD stores the following personal data:

Full Name;

Date of Birth;

Series and number of the passport;

Phone number;

The right to work with the software 1C "Salary and personnel management" and the database of personal data have:

Chief Accountant;

Chief accountant's assistant;

Head of Human Resources Department;

An employee responsible for payroll for the Bank's employees.

Manual data change;

1.5.2 Personal data information system of the access control and management system

The personal data information system of the access control and management system is used to store the personal data of employees and visitors of the Bank who have access to various premises of the Bank. The ISPD of the access control and management system is used by the Bank's security department. The ISPD database is installed on a workstation (AWP) located in the security room of the security department. The ISPD workstation runs the Microsoft Windows 7 operating system, and Microsoft SQL Server 2012 is used as the database management system. The ISPD workstation has no access to the local network and no access to the Internet.

The ISPD stores the following personal data:

Full Name;

Photo of an employee.

The right to work with the ISPD of the access control and management system is held by:

Head of the Security Department of the Bank;

Deputy Head of the Security Department of the Bank;

Employees of the security department of the Bank.

Access to the automated workplace of the access control and management system has:

System administrators, to administer the workstation, the 1C "Salary and personnel management" software and the personal data database;

Employees of the division responsible for the information security of the Bank to administer the AWP information protection system.

The following functions can be performed in the ISPD for bank employees:

Automated deletion of personal data;

Manual deletion of personal data;

Manual data change;

Manual addition of personal data;

Automated search for personal data.

The personal data information system stores data that makes it possible to identify 243 employees of the Bank.

After achieving the goals of processing the employee's personal data, his personal data is deleted from the ISPD.

1.5.3 Personal data information system of the automated banking system

The personal data information system of the automated banking system is designed to automate the work of most bank employees. It improves the productivity of employees. As an automated banking system, a complex of software products "CFT-Bank" produced by the group of companies "Center for Financial Technologies" is used. Oracle software is used as a database management system. ISPD is deployed on the Bank's server, the operating system installed on the server is Microsoft Windows Server 2008 R2. The ISPD of the automated banking system is connected to the local computer network of the bank, but does not have access to the Internet. Users are connected to the ISPD database using CFT-Bank software products from dedicated virtual terminals. Each user has his own login and password in the ISPD.

Personal data processed in ISPD:

Full Name;

Date of Birth;

Series and number of the passport;

Phone number;

The following persons have the right to work with CFT-Bank software and personal data database:

accounting staff;

Loan officers;

Employees of the risk management department;

Employees of the collateral department;

Personal managers;

Client managers;

Security staff.

Access to the workstation is available to:

System administrators to administer the server, personal data database and CFT-Bank software;

Employees of the department responsible for information security of the Bank to administer the server, personal data database and CFT-Bank software.

The following functions can be performed in the ISPD for bank employees:

Automated deletion of personal data;

Manual deletion of personal data;

Manual addition of personal data;

Manual data change;

Automated search for personal data.

The personal data information system stores data that makes it possible to identify 243 employees of the Bank and 9,438 customers of the Bank.

After achieving the goals of processing the employee's personal data, his personal data is deleted from the ISPD.

1.6 Structure and threats of the Bank's local area network

The Bank has a client-server network. The domain in which the users' workstations are located is named vitabank.ru. In total, the Bank has 243 automated user workstations, as well as 10 virtual servers and 15 virtual workstations. The system administration department monitors the network's operation. The network is built mainly on Cisco network equipment. Communication with the additional offices is maintained over VPN channels across the Internet, through the primary and backup channels of the Internet provider. Information is exchanged with the Central Bank over a dedicated channel, as well as over conventional communication channels.

All users have access to the Internet on local workstations, but work with documents and information systems of the Bank is carried out only using virtual workstations, on which access to the Internet is limited and only local resources of the Bank are loaded.

Access to the Internet from local workstations is delimited by access groups:

Minimum access - access only to the resources of federal services and to the website of the Bank of Russia;

Normal access - all resources are allowed except entertainment sites and social networks; watching videos and downloading files is prohibited;

Full access - all resources and file downloads are allowed.

Resource filtering by access groups is implemented by the proxy server.

Below is a diagram of PJSC Citibank's network (Fig. 5).

1.7 Information security tools

Information security tools are a set of engineering, electrical, electronic, optical and other devices, appliances and technical systems, as well as other elements, used to solve various information security problems, including preventing leakage and ensuring the security of protected information.

Information security tools in terms of preventing intentional actions, depending on the method of implementation, can be divided into groups:

Technical (hardware) means. These are devices of various types (mechanical, electromechanical, electronic, etc.) that solve information protection problems in hardware. They prevent access to information, including by masking it. Hardware includes noise generators, line filters, scanning radio receivers and many other devices that "block" potential information leakage channels or allow them to be detected. The advantages of technical means are their reliability, independence from subjective factors and high resistance to modification. Their weaknesses are lack of flexibility, relatively large volume and weight, and high cost.

Figure 5. PJSC Citibank network diagram

Software tools include programs for user identification, access control, information encryption, deletion of residual (working) information such as temporary files, test control of the protection system, etc. The advantages of software tools are versatility, flexibility, reliability, ease of installation, and the ability to modify and develop them. Their disadvantages are limited network functionality, the use of part of the resources of the file server and workstations, high sensitivity to accidental or deliberate changes, and possible dependence on the type of computer (its hardware).

Mixed hardware-software tools implement the same functions as hardware and software tools taken separately, and have intermediate properties.

All office premises of the Bank are monitored by the security service using an access control and management system, as well as a video surveillance system. Entry into the Bank's office premises is granted on the basis of the corresponding permissions in the access control and management system. An employee on being hired, or a visitor of the Bank if access to the Bank's office premises is required, is issued a contactless proximity card on which a user identifier is recorded; when the holder tries to enter a room, this identifier is transmitted to the access control and management system. The system compares the list of rooms the card holder is allowed to enter with the room he wants to enter and allows or denies access.

Kaspersky Endpoint Security 10 anti-virus software is installed on the Bank's workstations; it holds FSTEC of Russia certificate of conformity No. 3025, valid until November 25, 2019. Virus signature databases are updated centrally by the server component of the anti-virus, installed on a server located in the Bank.

To organize electronic document exchange with the Central Bank, a dedicated communication line has been installed in the Bank.

An electronic signature is used to organize electronic document management with federal services (Federal Tax Service, Pension Fund of Russia, Financial Monitoring Service, etc.). To work with an electronic signature on local workstations of performers responsible for document management with federal services, specialized software is installed:

Crypto-Pro CSP;

Crypto-ARM;

CIPF Verba-OW;

CIPF Validat;

Signal-COM CSP.

Which of these software products a responsible employee uses depends on the requirements of the particular federal agency.

A Cisco ASA 5512 firewall manufactured by Cisco Corporation is installed at the edge of the Bank's local network. Also, critical banking systems (Workstation of the Bank of Russia Client, SWIFT, Bank's ISPD) are additionally separated from the Bank's local network by Cisco firewalls. VPN tunnels for communication with an additional office are organized using Cisco firewalls.

1.8 Organizational safeguards

According to a study conducted by the British audit and consulting company Ernst & Young in 2014, 69 percent of the companies participating in the study consider their own employees to be the main source of information security threats.

Employees of a company may, unknowingly or through incompetence in the field of information security, disclose critical information needed to carry out targeted attacks on the organization. Attackers also send phishing messages with embedded malicious software that lets them gain control over the employee's workstation and attack the Bank's information systems from it.

Therefore, in the Bank, the information security department is obliged to train the Bank's employees in the fundamental principles of information security, monitor compliance with security requirements when working in the workplace, and inform the Bank's employees about new information security threats that they may face.

At PJSC Citibank, all employees undergo an introductory briefing upon employment. New employees and employees transferred from other structural divisions also undergo an initial briefing in the information security department, during which they are taught the basic information security rules for working with the Bank's information systems, the security rules for working on the Internet, the security rules for working with the Bank's e-mail, and the Bank's password policy.

Employees of the information security department of the Bank are involved in the development and implementation of new information systems of the Bank at all levels of system development.

At the stage of system design and preparation of terms of reference for the development of an information system, the information security department imposes security requirements on the system.

At the stage of developing an information system, employees of the information security department study the current documentation, test the software for possible vulnerabilities in the program code.

At the stage of testing and commissioning the information system, the information security department actively participates in testing the information system, conducts penetration tests into the information system and denial of service tests, and also distributes access rights to the information system.

At the stage of operation of the information system already put into operation, the information security department monitors and detects suspicious activity.

At the stage of finalizing the information system, the information security department, based on the data obtained during the operation of the information system, builds new requirements for the information system.

The Information Security Department at PJSC Citibank approves all requests for access to resources on the Internet, as well as to the internal resources of the Bank.

1.9 Personal data processing cycle

Personal data stored in the Bank was obtained only legally.

The received personal data of an employee of the Bank are processed only for the Bank to fulfill its obligations under the contract concluded with the employee. The personal data of the Bank's employee is obtained from the employee himself. All employees of the Bank are familiarized against signature with the documents of the Bank that establish the procedure for processing personal data of employees of the Bank, as well as their rights and obligations in this area.

The personal data of bank employees stored in the ISPD of the access control and management system are intended to allow the employee to enter the workplace.

The personal data of the Bank's clients stored in the ISPD of the automated banking system are processed there only so that the Bank can fulfil its obligations under the agreement concluded with the client. The ISPD of the automated banking system also processes personal data of persons who have not entered into an agreement with the Bank but whose data were obtained legally, for example personal data received and processed as required by Federal Law No. obtained by criminal means and financing of terrorism”.

After achieving the goals of processing personal data, they are destroyed or depersonalized.

2. DEVELOPMENT OF MEASURES TO PROTECT PERSONAL DATA IN THE BANK

At PJSC Citibank, the personal data protection system is regulated by both state-level laws and local regulations (for example, the Rules for Remote Banking Services for Legal Entities and Individual Entrepreneurs at PJSC CITIBANK in Appendix 1).

PJSC Citibank's personal data protection system is set up sufficiently to avoid simple attacks such as phishing and infection of workstations with ransomware viruses, but it is not capable of resisting targeted attacks aimed at stealing personal data.

I carried out work on the restructuring and modernization of the personal data protection system.

2.1 Measures to protect the local computer network of the bank and the personal data information system

There are pronounced weaknesses in the Citibank network, using which attackers can gain full access to the bank's network and take control of it, after which they can easily steal, change or delete the personal data of customers or Bank employees.

Since the Bank's network is one single segment, in order to minimize the risks of intruders entering the Bank's network, it must be divided into several segments using virtual network technology.

The concept of virtual network (VLAN) technology is that the network administrator can create logical groups of users regardless of which part of the physical network they are connected to. Users can be combined into logical working groups, for example on the basis of the work they perform or a task they solve jointly. User groups can interact with each other or be completely invisible to each other. Group membership can be changed, and a user can be a member of several logical groups.

Virtual networks form logical broadcast domains, restricting the propagation of broadcast packets through the network much as routers do when they isolate broadcast traffic between network segments. In this way a virtual network prevents broadcast storms, because broadcast messages are confined to the members of the virtual network and cannot be received by members of other virtual networks. Members of one virtual network can be allowed to reach another virtual network where access to shared resources, such as file or application servers, is needed, or where a common task requires the interaction of different services, such as the credit and settlement departments.

Virtual networks can be built on the basis of switch ports, the physical addresses of devices in the network, or the logical addresses of protocols at the third level of the OSI model. The advantage of virtual networks lies in the high speed of the switches, since modern switches contain a specialized set of integrated circuits designed specifically for switching at the second level of the OSI model. Virtual networks of the third level are the easiest to install when no reconfiguration of network clients is required, but the most difficult to administer, because any change to a network client requires reconfiguring either the client itself or the router; they are also the least flexible, since such virtual networks require routing to communicate, which increases the cost of the system and reduces its performance.

Thus, creating virtual networks in the Bank will prevent ARP spoofing attacks: attackers will not be able to intercept the information passing between the server and the client. Having penetrated the network, attackers will be able to scan not the Bank's entire network but only the network segment to which they gained access.
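To make the broadcast-domain point concrete, here is an added example (it is not code from the thesis or from the Bank's network) that models a learning switch with access-port VLAN assignments; the port numbers, MAC addresses and VLAN ids are constructed. It shows which ports receive a broadcast frame such as an ARP request when all four hosts sit in one segment and when user workstations and servers are placed in separate VLANs, and that a unicast to a learnt address in the same VLAN goes to one port only.

```python
"""Broadcast-domain isolation with VLANs, modelled on a learning switch.

Added example, not from the thesis or the Bank's network. Port numbers,
MAC addresses and VLAN ids are constructed. The switch floods broadcast
and unknown-unicast frames only to ports in the same VLAN as the ingress
port, which is the property the text relies on.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed hosts: switch port -> (name, MAC)
HOSTS = {
    1: ("user-workstation", "02:00:00:00:00:01"),
    2: ("compromised-workstation", "02:00:00:00:00:02"),
    3: ("abs-server", "02:00:00:00:00:03"),
    4: ("domain-controller", "02:00:00:00:00:04"),
}


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    payload: str


@dataclass
class VlanSwitch:
    port_vlan: dict                                   # access port -> VLAN id
    mac_table: dict = field(default_factory=dict)     # (vlan, mac) -> port

    def forward(self, in_port: int, frame: Frame) -> list:
        """Deliver one frame; return the sorted list of egress ports."""
        vlan = self.port_vlan[in_port]
        # learn the sender's location, scoped to its VLAN
        self.mac_table[(vlan, frame.src_mac)] = in_port
        known = self.mac_table.get((vlan, frame.dst_mac))
        if frame.dst_mac != BROADCAST and known is not None:
            return [] if known == in_port else [known]
        # broadcast or unknown unicast: flood, but never across VLANs
        return sorted(p for p, v in self.port_vlan.items()
                      if v == vlan and p != in_port)


def arp_request_from(port: int) -> Frame:
    """An ARP 'who-has' broadcast as sent by the host on `port`."""
    name, mac = HOSTS[port]
    return Frame(mac, BROADCAST, f"who-has abs-server? tell {name}")


def compare_flat_and_segmented() -> dict:
    """The same ARP broadcast from the compromised workstation (port 2) on a
    flat network and on a segmented one (users in VLAN 10, servers in 20)."""
    flat = VlanSwitch({1: 1, 2: 1, 3: 1, 4: 1})
    segmented = VlanSwitch({1: 10, 2: 10, 3: 20, 4: 20})
    return {
        "flat": flat.forward(2, arp_request_from(2)),
        "segmented": segmented.forward(2, arp_request_from(2)),
    }


def unicast_after_learning() -> list:
    """Once the server has sent a frame, a unicast to its MAC from a host in
    the same VLAN is delivered to one port only (no flooding)."""
    sw = VlanSwitch({1: 10, 2: 10, 3: 20, 4: 20, 5: 20})
    server_mac = HOSTS[3][1]
    sw.forward(3, Frame(server_mac, BROADCAST, "gratuitous arp"))
    return sw.forward(4, Frame(HOSTS[4][1], server_mac, "ldap data"))


if __name__ == "__main__":
    print(compare_flat_and_segmented())   # flat reaches 1, 3, 4; segmented only 1
    print(unicast_after_learning())       # [3]
```

On the flat network the compromised workstation's broadcast reaches the user workstation, the ABS server and the domain controller; on the segmented switch it reaches only the other user port. The caveat a practitioner would add: hosts that share a VLAN still see each other's ARP traffic, so the protection the text describes comes from placing critical nodes in segments that user workstations cannot reach at layer 2, not from VLANs alone.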

When infiltrating the Bank's network, attackers will first of all scan the network to find critical network nodes. These nodes are:

Domain controller;

Proxy server;

Mail server;

File server;

Application server.

Since the local network in the Bank will be organized using virtual network technology, attackers will not be able to detect these nodes without additional steps. In order to make it more difficult for attackers to find critical local network nodes and confuse them, and to further study the strategy of attackers when conducting an attack on a network, it is necessary to use false objects that will attract attackers. These objects are called Honeypots.

The purpose of a honeypot is to be attacked or probed without authorization, which subsequently allows the attackers' strategy to be studied and the list of means by which the real protected objects could be struck to be determined. A honeypot can be implemented either as a dedicated server or as a single network service whose task is to attract the attention of intruders.

A honeypot is a resource that does nothing until something acts on it. The honeypot collects a small amount of information, from which statistics are built on the methods used by intruders and on any new techniques, which are subsequently used to counter them.

For example, a web server that has no published name and is practically unknown to anyone should have no visitors, so anyone who tries to break into it is a potential attacker. The honeypot collects information about the behaviour of these intruders and how they act on the server. The specialists of the information security department then gather the information about the attack on the resource and develop strategies for repelling such attacks in the future.
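As an added illustration of this idea (example code written for this article, not a tool used by the Bank), the listener below accepts TCP connections on a port that no legitimate client should use, answers with a constructed FTP-style banner so that the probe carries on talking, and records the peer address and the first bytes it sends. The host name in the banner, the loopback address and the probe payload are constructed; in practice the recorded events would be forwarded to the information security department's log collector rather than kept in a list.

```python
"""A minimal TCP honeypot listener that records every connection attempt.

Added example, not from the thesis. A honeypot port has no legitimate
clients, so every connection is worth an alert. The banner, addresses and
probe payload are constructed.
"""
import socket
import threading
import time
from dataclasses import dataclass, field


@dataclass
class HoneypotEvent:
    ts: float
    peer: str           # "ip:port" of the connecting host
    first_bytes: bytes  # what the probe sent after the banner


@dataclass
class Honeypot:
    host: str = "127.0.0.1"
    port: int = 0                      # 0 = let the OS pick a free port
    banner: bytes = b"220 ftp.example.internal FTP server ready\r\n"  # constructed
    events: list = field(default_factory=list)

    def __post_init__(self):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        """Accept loop: greet, capture the first bytes, record the event."""
        self._sock.settimeout(0.2)
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                conn.sendall(self.banner)      # look like a real service
                try:
                    data = conn.recv(256)
                except socket.timeout:
                    data = b""
                self.events.append(
                    HoneypotEvent(time.time(), f"{addr[0]}:{addr[1]}", data))

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()


def probe(port: int, payload: bytes) -> bytes:
    """Connect to the honeypot the way a scanner would; returns the banner."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        banner = s.recv(256)
        s.sendall(payload)
    return banner


def run_demo() -> list:
    """Start a honeypot, hit it once from localhost, return the events."""
    hp = Honeypot()
    try:
        probe(hp.port, b"USER anonymous\r\n")
        deadline = time.time() + 2
        while not hp.events and time.time() < deadline:
            time.sleep(0.05)
    finally:
        hp.stop()
    return hp.events


if __name__ == "__main__":
    for ev in run_demo():
        print(f"{ev.ts:.0f} honeypot hit from {ev.peer}: {ev.first_bytes!r}")
```

Because the honeypot has no legitimate users, its alert rule is trivial: any event is an incident. The value lies in what the recorded first bytes reveal about the tools being used against the Bank's network, which is the information the text says the security department should collect.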

To inspect traffic entering from the Internet, to detect threats to information security while they are still in transit over the network, and to detect the activity of intruders who have already penetrated the Bank's local network, an intrusion prevention system must be installed at the edge of the network.

An intrusion prevention system is a software or hardware security system for networks and computers that detects intrusions or security violations and automatically protects against them.

Intrusion prevention systems can be seen as an extension of intrusion detection systems, since the task of tracking attacks remains the same. They differ in that an intrusion prevention system monitors activity in real time and promptly takes actions to stop the attack.

Intrusion detection and prevention systems are divided into:

Network intrusion prevention systems, which analyse traffic directed at the organization's network, passing through the network itself, or directed at a specific computer. These systems can be implemented as software or as hardware-software appliances, installed at the perimeter of the corporate network and sometimes inside it;

Host-based (personal) intrusion prevention systems, which are software installed on workstations or servers that controls the activity of applications and monitors network activity for possible attacks.

A network intrusion prevention system was chosen for deployment in the Bank's network.

Network intrusion prevention systems from IBM, Check Point, Fortinet and Palo Alto were considered, since the functionality declared by these manufacturers met the requirements of the Bank's information security department.

After deploying test benches and testing the intrusion prevention systems, the Check Point system was chosen: it showed the best performance, the best detection of malware transmitted over the local network and the best tools for logging important events, and it was preferred on acquisition price.

IBM's intrusion prevention system was rejected because the cost of the devices exceeded the information security department's budget for purchasing an intrusion prevention system.

Fortinet's intrusion prevention system was rejected because of its incomplete response when the information security department ran tests transferring infected files, and because of its insufficiently informative tools for logging important events.

Palo Alto's intrusion prevention system was rejected because of insufficiently informative tools for logging important events, excessive complexity of working with the system, and because it behaves more like a router.

The Check Point intrusion prevention system was chosen for implementation in the local network. It showed a high level of detection of information security threats, flexible configuration, the ability to extend functionality by purchasing additional software modules, a powerful system for logging important events, and powerful incident reporting tools, which make investigating information security incidents much easier.

The network diagram of PJSC Citibank with the changed architecture is shown in Figure 6.

Figure 6. PJSC Citibank network diagram with additional security systems

2.2 Software and hardware protections

Personal data cannot be protected by network security measures alone, because intruders may gain access to the Bank's network despite all the measures taken to protect it. For more resilient protection against attacks, software and hardware protection for local workstations, virtual workstations, and virtual and physical servers must therefore be added to the devices that protect the network.

Anti-virus programs do not provide complete protection against malware, because they work on the principle of signature analysis. An anti-virus vendor employs analysts who monitor virus activity on the Internet, study the behaviour of malware on test stations, and create signatures that are then delivered to users' computers through updates of the anti-virus signature databases. Having received an updated signature database, the anti-virus scans the files on the user's workstation for signs of malware; if such signs are found, it raises an alert and acts according to the settings made by the user or the anti-virus administrator. Consequently, if a piece of malware has not yet been detected and analysed by the vendor's analysts, the anti-virus will not detect it and will take no action, treating the scanned file as safe.

Therefore, to reduce the likelihood of malware reaching the network and being launched, the Bank installed a second anti-virus protection loop. Since most anti-virus vendors work independently of one another, malware that has not yet been detected by one vendor may already have been detected by another, with signatures created for the detected threat.

To implement this scheme, a virtual workstation was created on which the Doctor Web Enterprise Security Suite anti-virus was installed; it holds certificate of conformity No. 2446 from the FSTEC of Russia, valid until September 20, 2017. All files downloaded by bank employees in the course of their work are sent to this station and scanned by the anti-virus. If malware is detected, the anti-virus sends an e-mail to the information security department with the name of the threat and the path where the infected file is stored, and the department takes steps to remove the malware. If a downloaded file passes the anti-virus check, the user who downloaded it submits a request to the information security department, and the department's employees transfer the file to the user.

A large amount of malware also reaches the Bank's employees by e-mail. This can be either ordinary file-encrypting ransomware or malware that lets attackers reach the infected computer of a Bank employee over a remote connection.

To minimize the risk of such threats, the ClamAV anti-virus, designed to protect mail servers, was installed on the Bank's mail server.

To protect against unauthorized access by internal intruders who have somehow learned the password of a user of a local workstation with access to personal data information systems, a protection system against unauthorized access must be installed on the local workstations of users who work with personal data information systems.


Training of the Bank's employees is carried out by a specialist of the information security department.

An employee of the information security department conducts training in a division of the Bank determined by the plan. After the training, the employees of the unit pass tests in which they confirm the knowledge gained during the training.

The basic security policy regulates the conduct of training in each unit at least four times a year.

In parallel with employee training, the information security department is also required to send information letters to all employees of the Bank at least once a month, describing the basic security rules and any newly detected threats to the Bank's information security.

2.3.2 The order of employees' access to Internet resources

The Bank had 3 Internet access groups, but such a division of access is inefficient: if an employee, in order to perform his duties, needs information from a network resource that falls only within the full-access group, he has to be given full access to the Internet, which is unsafe.

Group 6: downloading archives. The group does not by itself grant access to Internet resources;

Group 7: downloading executable files. The group does not by itself grant access to Internet resources;

Group 8: full access to the Internet. Full access to Internet resources, downloading of any files.

To gain access to Internet resources, an employee submits a request through the ServiceDesk system; after approval by the head of the department or management and by an employee of the information security department, the employee is granted access to Internet resources according to the requested group.

2.3.3 Procedure for employee access to intrabank resources

The main documents an employee works with are located on his local workstation or in the automated system in which he works. In addition, each division of the Bank has a section on the Bank's file server that stores information needed by several employees of the division and too large to be sent by the Bank's e-mail.

When a new employee gets a job at the Bank, his/her direct supervisor sends an application through the ServiceDesk system to the system administration department for access to the intrabank resource, and after the application is approved by an employee of the information security department, the employee of the system administration department provides the new employee with access to the requested resource.

Situations often arise in which the work of several divisions of the Bank intersects, and to exchange information these divisions need a separate section on the Bank's file server.

To create this section, the project manager (the head of one of the departments involved in the project) submits a request through the ServiceDesk system for the creation of a shared resource and for access to it for specific employees of his department working on the joint project and for the head of the department with which he cooperates within the project. Once the request is approved by the information security officer, the system administration officer creates the requested resource and grants access to the requested employees. Each head of a department participating in the project requests access only for the employees subordinate to him.

2.3.4 How employees work with e-mail

Previously, before the basic security policy was created, each employee himself determined how dangerous the letters and files received by e-mail from external mail servers were.

Since the basic security policy was created, each user is required to send every file received by e-mail from external mail servers to the information security department to be checked for malware; the degree of danger of the letters themselves the employee still assesses on his own. If an employee of the Bank suspects that an incoming message is spam or phishing, he is obliged to forward the letter in full, that is, with all the service information about the sender, his mailbox and IP address, to the information security department. After analysing the suspicious letter and confirming that it is a threat, the information security department sends the sender's address to the system administration department, whose employee adds the sender's address to the blacklist.

Always lock the workstation when leaving it.

2.3.6 Rules for employee access to personal data

According to Article 89 of Chapter 14 of the Labor Code of the Russian Federation, a Bank employee has the right to access his personal data, but is allowed to process personal data of other Bank employees or Bank customers only for the performance of his official duties.

To ensure control over access to personal data information systems, the bank has established the following rules for access to personal data information systems:

Only employees whose job responsibilities include the processing of personal data have access to ISPD;

Access to ISPD is allowed only from the local workplace of an employee working with personal data;

The Bank has created a document that lists by name the employees who are allowed access to the personal data of the Bank's employees and customers, indicating the personal data information system and the list of personal data each employee is allowed to process.

3. ECONOMIC JUSTIFICATION OF THE PROJECT

To implement a personal data protection system, it is necessary to purchase:

Equipment to protect the Bank's network;

Information security hardware;

Information security software.

To rebuild the organization's network, 3 Cisco Catalyst 2960 switches must be purchased: one switch is required at the core level of the Bank's network, the other 2 at the distribution level. The network equipment that operated in the Bank before the network restructuring will also be used.

Total cost (RUB): 9389159 613

Doctor Web Enterprise Security Suite: 155005500

Total cost: 1 371 615

CONCLUSION

In my graduation project, I reviewed the legal framework for the protection of personal data. I have considered the main sources of threats to the security of personal data.

Based on the considered threats to personal data, I analyzed the existing personal data protection system at PJSC Citibank and came to the conclusion that it needs to be seriously improved.

During the graduation project, weaknesses were found in the Bank's local network. Taking into account the revealed weaknesses in the Bank's local network, measures were determined to minimize the risks of information security of the Bank's network.

Devices and software for protecting local workplaces of employees processing personal data of employees and customers of the Bank were also considered and selected.

With my participation, a system was created to raise awareness of employees in matters of information security.

The procedure for the Bank's employees to access the Internet has been thoroughly revised, and the Internet access groups have been redesigned. The new Internet access groups make it possible to significantly reduce information security risks by limiting users' ability to download files and access untrusted resources.

Calculations are given of the cost of rebuilding the network and of creating a viable personal data protection system capable of repelling most information security threats.

LIST OF USED LITERATURE

1. "The Constitution of the Russian Federation" (adopted by popular vote on 12/12/1993) (subject to amendments made by the Laws of the Russian Federation on amendments to the Constitution of the Russian Federation of 12/30/2008 N 6-FKZ, of 12/30/2008 N 7-FKZ, of 02/05/2014 N 2-FKZ, dated July 21, 2014 N 11-FKZ) // The official text of the Constitution of the Russian Federation, as amended on July 21, 2014, was published on the Official Internet Portal of Legal Information http://www.pravo.gov.ru, 08/01/2014

2. "Basic model of personal data security threats during their processing in personal data information systems" (Extract) (approved by the FSTEC of the Russian Federation on February 15, 2008)

3. Federal Law of July 27, 2006 N 149-FZ (as amended on July 6, 2016) “On Information, Information Technologies and Information Protection” // The document was not published in this form. The original text of the document was published in Rossiyskaya Gazeta, No. 165, 29.07.2006

4. "Labor Code of the Russian Federation" dated December 30, 2001 N 197-FZ (as amended on July 3, 2016) (as amended and supplemented, entered into force on October 3, 2016) // The document was not published in this form; the original text of the document was published in Rossiyskaya Gazeta, N 256, 12/31/2001

5. Decree of the Government of the Russian Federation of 01.11.2012 N 1119 "On approval of the requirements for the protection of personal data during their processing in personal data information systems" // "Rossiyskaya Gazeta", N 256, 07.11.2012

6. Order of the FSTEC of Russia dated February 18, 2013 N 21 "On approval of the Composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems" (Registered in the Ministry of Justice of Russia on May 14, 2013 N 28375) // Rossiyskaya Gazeta, N 107, 05/22/2013

7. Standard of the Bank of Russia STO BR IBBS-1.0-2014 "Ensuring information security of organizations of the banking system of the Russian Federation. General provisions" (adopted and put into effect by the Order of the Bank of Russia dated May 17, 2014 N R-399) // Bulletin of the Bank of Russia, No. 48-49, May 30, 2014

8. “Regulation on the requirements for ensuring the protection of information when making money transfers and on the procedure for the Bank of Russia to exercise control over compliance with the requirements for ensuring the protection of information when making money transfers” (approved by the Bank of Russia on 09.06.2012 N 382-P) (as amended dated 08/14/2014) (Registered with the Ministry of Justice of Russia on 06/14/2012 N 24575) // The document was not published in this form, the original text of the document was published in the Bulletin of the Bank of Russia, N 32, 06/22/2012

9. "Regulations on the procedure for the submission by credit institutions to the authorized body of information provided for by the Federal Law "On counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism"" (approved by the Bank of Russia on August 29, 2008 N 321-P) (as amended on 10/15/2015) (together with the "Procedure for ensuring information security during the transmission and reception of the ECO" and the "Rules for the formation of the ECO and filling in individual fields of the ECO records") (Registered in the Ministry of Justice of Russia on September 16, 2008 N 12296) // The document was not published in this form; the original text of the document was published in the Bulletin of the Bank of Russia, N 54, 09/26/2008

10. Order of the FSTEC of Russia dated February 18, 2013 N 21 "On approval of the Composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems" (Registered in the Ministry of Justice of Russia on May 14, 2013 N 28375) // Rossiyskaya Gazeta, N 107, 05/22/2013

11. Averchenkov V.I., Rytov M.Yu., Gainulin T.R. Protection of personal data in organizations. M.: Flinta, 2018

12. Agapov A. B. Fundamentals of public administration in the field of informatization in the Russian Federation. M.: Jurist, 2012

13. Kostin A. A., Kostina A. A., Latyshev D. M., Moldovyan A. A. Program complexes of the AURA series for the protection of personal data information systems. Izv. universities. instrumentation. 2012. V. 55, No. 11

14. Moldovyan A. A. Cryptography for the protection of computer information (part 1) // Integral. 2014. No. 4 (18)

15. Romanov O.A., Babin S.A., Zhdanov S.G. Organizational support of information security. - M.: Academy, 2016

16. Shults V.L., Rudchenko A.D., Yurchenko A.V. Business safety. M.: Yurayt Publishing House, 2017

Appendices (available in the archive with the work).

Security of personal data in the bank

What is personal data?

According to the definition from the federal law, personal data is any information relating to an individual identified or determined on the basis of such information (subject of personal data), including his last name, first name, patronymic, year, month, date and place of birth, address, family, social, property status, education, profession, income, other information.

Where is personal data located?

Personal data (PD) in the bank is located in the following systems:

Automated banking system (ABS);

Client-Bank systems;

Instant money transfer systems;

Accounting systems;

Personnel accounting systems;

Corporate information system;

Internal web portal.

PD may be present on paper documents (contracts, forms, orders, instructions, questionnaires, agreements, etc.).

What documents establish requirements for the protection of personal data?

Federal laws

Federal Law No. 149-FZ of July 27, 2006 "On Information, Information Technologies and Information Protection";

Government decrees

Decree of the Government of the Russian Federation No. 781 dated November 17, 2007 "On approval of the regulation on ensuring the security of personal data during their processing in personal data information systems";

Decree of the Government of the Russian Federation No. 957 dated December 29, 2007 "On approval of regulations on licensing certain types of activities related to encryption (cryptographic) means";

Decree of the Government of the Russian Federation No. 687 of September 15, 2008 "On approval of the Regulations on the specifics of personal data processing without the use of automation tools".

FSTEC of Russia

Joint order of the FSTEC of Russia, the FSB of Russia and the Ministry of Information and Communications of Russia dated February 13, 2008 No. 55/86/20 "On approval of the procedure for classifying personal data information systems";

Guiding document of the FSTEC of Russia "Basic model of threats to the security of personal data during their processing in personal data information systems";

Guiding document of the FSTEC of Russia "Methodology for determining actual threats to the security of personal data during their processing in personal data information systems";

Order of the FSTEC of Russia dated February 5, 2010 No. 58 "On approval of the Regulation on methods and ways of protecting information in personal data information systems".

FSB of Russia

Order of FAPSI dated June 13, 2001 No. 152 "On approval of instructions on organizing and ensuring the security of storage, processing and transmission through communication channels, using cryptographic protection, of information with limited access that does not contain information constituting a state secret";

Order of the Federal Security Service of the Russian Federation of February 9, 2005 No. 66 "On approval of the regulation on the development, production, sale and operation of encryption (cryptographic) information security tools (Regulation PKZ-2005)";

Guiding document of the FSB of Russia dated February 21, 2008 No. 149/54-144 "Guidelines for ensuring the security of personal data using cryptographic tools when they are processed in personal data information systems using automation tools";

Guiding document of the FSB of Russia dated February 21, 2008 No. 149/6/6-622 "Typical requirements for the organization and operation of encryption (cryptographic) means designed to protect information that does not contain information constituting a state secret, if they are used to ensure the security of personal data during their processing in personal data information systems";

Standard of the Bank of Russia

STO BR IBBS-1.0-2010 "Ensuring information security of organizations of the banking system of the Russian Federation. General provisions";

STO BR IBBS-1.1-2007 "Ensuring information security of organizations of the banking system of the Russian Federation. Information security audit";

STO BR IBBS-1.2-2010 "Ensuring information security of organizations of the banking system of the Russian Federation. Methodology for assessing the compliance of information security of organizations of the banking system of the Russian Federation with the requirements of STO BR IBBS-1.0-20xx";

RS BR IBBS-2.0-2007 "Ensuring information security of organizations of the banking system of the Russian Federation. Guidelines for documentation in the field of information security in accordance with the requirements of STO BR IBBS-1.0";

RS BR IBBS-2.1-2007 "Ensuring information security of organizations of the banking system of the Russian Federation. Guidance on self-assessment of compliance of information security of organizations of the banking system of the Russian Federation with the requirements of STO BR IBBS-1.0";

RS BR IBBS-2.3-2010 "Ensuring information security of organizations of the banking system of the Russian Federation. Requirements for ensuring the security of personal data in personal data information systems of organizations of the banking system of the Russian Federation";

RS BR IBBS-2.4-2010 "Ensuring information security of organizations of the banking system of the Russian Federation. Industry private model of personal data security threats during their processing in personal data information systems of organizations of the banking system of the Russian Federation";

Methodological Recommendations for Compliance with Legal Requirements when Processing Personal Data in Organizations of the Banking System of the Russian Federation, developed jointly by the Bank of Russia, the ARB and the Association of Regional Banks of Russia (the Rossiya Association).

How should personal data be protected?

According to the requirements of methodological documents for the protection of PD, the following subsystems are common to all types of ISPD:

Access control subsystem;

Subsystem of registration and accounting;

Integrity subsystem;

Internet security subsystem.

If the ISPD is connected to the Internet, then the following subsystems must be additionally used:

Subsystem of anti-virus security;

Intrusion detection subsystem;

Security analysis subsystem.

It is also necessary to use electronic locks and/or electronic keys to securely identify and authenticate users.

If, in addition, the ISPD is distributed, then, to prevent unauthorized access by separating protected information from public information, it is necessary to use cryptography when transmitting PD over unprotected communication channels, as well as an electronic digital signature (EDS) to confirm the authenticity of the data.

Such a breakdown into subsystems and the formation on their basis of a list of products for the protection of personal data is generally accepted and is used in most cases.

From what it is necessary to protect personal data?

If the task is only to ensure the confidentiality of PD, measures and/or technical means aimed at preventing unauthorized access must be taken; such an ISPD is then classed as typical.

If additional requirements are imposed to ensure other properties of information security, such as ensuring integrity, availability, as well as their derivatives (non-repudiation, accountability, adequacy, reliability, etc.), then such ISPD becomes special. In most cases, any ISPD will be special, that is, in addition to PD classes, to determine protection mechanisms, one must be guided by the threat model created for this.

How to reduce the class of PD?

In order to reduce and simplify measures to protect PD, Banks use various tricks. Below I give the most typical ways to reduce the cost of protective equipment. However, in itself, such a "reshaping" of the Bank's information systems is a rather complex and time-consuming task.

Reducing the number of sites

As shown above, if the ISPD is distributed, increased requirements are imposed on its protection; to reduce them, one should try to move away from a distributed ISPD.

In a distributed ISPD, PD are located at different sites and are transmitted over communication channels not controlled by the Bank, which in the general case means that PD enter or leave the controlled area. The first step, then, is to localize PD by reducing the number of sites where they are located. In some cases this is feasible, but for the ABS there will most likely be no such possibility.

Reducing the number of servers

If the ISPD is local, that is, it operates within the Bank's local network, the simplest way to reduce protection costs is to reduce the amount of server equipment on which PD is stored and/or processed.

Reducing the number of workstations and personnel

With any type of ISPD (a single automated workstation, local, or distributed), the final processing of PD is, as a rule, performed by the Bank's personnel. If terminal access, discussed below, is not used, it makes sense to reduce the number of Bank personnel involved in processing personal data or having access to it.

Segmenting information systems with firewalls

A good way to reduce the amount of PD, and hence the cost of protection tools, is to divide the information networks into segments in which PD is processed. To do this, firewalls must be installed and used, with the PD segments connected to their ports. Often all server equipment is placed in a demilitarized zone, that is, in segments separated from public and banking networks by firewalls. This method also requires a significant "reshaping" of the information networks. There is also a method based on so-called link encryption, that is, encryption of the client-client, client-server and server-server channels. Such encryption of network traffic can be implemented both with specialized protection tools and with standard IPsec technology; the latter, however, is not certified by the FSB of Russia, which is its significant disadvantage.

Another way to separate ISPDs across the network could be virtual network technology (VLANs); in fact, however, a VLAN is just an identifier in one of the fields of a network packet, which makes it an IT technology rather than an information security technology. Therefore, separating networks with VLANs does not exempt one from using information security technologies.

Division of databases into parts

Let's assume there is a database of thousands of records with the fields full name and deposit amount.

Let's create two other databases in its place. We introduce an additional unique identifier and divide the table into two parts: in the first we place the fields full name and identifier, in the other the identifier and the deposit amount.

Thus, if each employee can work with only one of these new databases, the protection of PD is greatly simplified, if not reduced to nothing. Obviously, the value of each such database is significantly lower than that of the original. Both databases will be located on the most protected server. In reality, a database has many more fields, but this principle can work in almost every case, since the number of fields that are significant from the point of view of PD security is not large but rather very limited. In the extreme case, the identifier-to-name mapping can be stored on a PC that is not connected to the local network, or even without automated processing.

Depersonalization of PD

According to the definition in 152-FZ, depersonalization of PD is an action as a result of which it becomes impossible to determine whether the PD belongs to a specific PD subject. From this definition follows a range of methods for producing PD whose ownership cannot be determined. For example, if the exact values of certain fields are not important for the purposes of processing, they can either be omitted or shown only as the ranges into which they fall: age 20-30, 30-40, and so on. An address can be "rounded" to the district, administrative okrug or city: Tsaritsyno, Yuzhny, Moscow. Depending on the need, depersonalization of PD can be reversible or irreversible. Irreversible methods include the "rounding" described above; reversible ones include, for example, encryption. In my view, encryption (encoding) can serve as a way to anonymize data and should be used for this purpose.
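The table split described under "Division of databases into parts" and the "rounding" methods from the depersonalization paragraph, as one added Python example that is not code from the article: an in-memory SQLite database in which the table is divided into identities and deposits linked only by a random identifier, plus age bucketing and address rounding for a report that no longer identifies the subject. Table names, columns, the address format and the sample rows are constructed for illustration.

```python
"""Splitting a deposit table into two parts and depersonalising the PD fields.

Added example, not code from the article. Uses an in-memory SQLite database; the
table layout, address format and sample rows are constructed for illustration.
"""
import secrets
import sqlite3

# Constructed sample rows: (full name, age, address, deposit amount in RUB).
SAMPLE_ROWS = [
    ("Ivanov Ivan Ivanovich", 34, "Moscow, Tsaritsyno district, 12 Example St.", 150000),
    ("Petrova Anna Sergeevna", 27, "Moscow, Yuzhny district, 3 Sample Ave.", 820000),
    ("Sidorov Pyotr Olegovich", 45, "Moscow, Tsaritsyno district, 7 Demo Lane", 40000),
]


def build_split_db(rows=SAMPLE_ROWS):
    """Replace one table (name, deposit) by two linked only through a random surrogate identifier.

    The identifier is random, not derived from the PD, so the deposits table alone says
    nothing about who the subject is; the identities table is the identifier-to-name
    mapping that the text says can be kept on the most protected server or off the network.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE identities (client_id TEXT PRIMARY KEY, full_name TEXT, age INTEGER, address TEXT)")
    conn.execute("CREATE TABLE deposits (client_id TEXT PRIMARY KEY, amount INTEGER)")
    for full_name, age, address, amount in rows:
        client_id = secrets.token_hex(8)
        conn.execute("INSERT INTO identities VALUES (?, ?, ?, ?)", (client_id, full_name, age, address))
        conn.execute("INSERT INTO deposits VALUES (?, ?)", (client_id, amount))
    conn.commit()
    return conn


def deposits_view(conn):
    """What an employee with access only to the deposits table sees: identifiers and amounts, no PD."""
    return conn.execute("SELECT client_id, amount FROM deposits ORDER BY amount").fetchall()


def age_bucket(age, width=10):
    """Irreversible 'rounding' of an age into a range such as 30-40."""
    low = (age // width) * width
    return f"{low}-{low + width}"


def address_to_district(address):
    """Irreversible 'rounding' of an address to city and district (assumes 'City, District, street')."""
    parts = [p.strip() for p in address.split(",")]
    return ", ".join(parts[:2])


def depersonalised_report(conn):
    """A joined report that no longer identifies the subject: bucketed age, district, amount."""
    rows = conn.execute(
        "SELECT i.age, i.address, d.amount FROM identities i JOIN deposits d ON d.client_id = i.client_id"
    ).fetchall()
    return sorted((age_bucket(age), address_to_district(addr), amount) for age, addr, amount in rows)


def reidentify(conn, client_id):
    """Reversible step: only the holder of the identities table can map an identifier back to a name."""
    row = conn.execute("SELECT full_name FROM identities WHERE client_id = ?", (client_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_split_db()
    print("deposits only:", deposits_view(db))
    print("depersonalised report:", depersonalised_report(db))
```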

"Thin clients" and terminal access

The use of "thin client" technologies and the corresponding terminal access technology on servers can significantly reduce the requirements for protecting personal data. When "thin clients" and terminal access are used, no specialized software such as database clients or ABS client components needs to be installed on the PCs of the Bank's employees. Moreover, no special protection tools need to be installed on those PCs either. These technologies allow information from databases stored on servers to be displayed at the workplace and the processing of personal data to be managed from there. They are a priori safe, since terminal policies make it easy to limit the ability of end users (the Bank's staff) to copy, and hence distribute, PD. The communication channel between the servers and a "thin client" PC can be easily encrypted, that is, the confidentiality of the transmitted data can be ensured by simple means.

The speed of a potential leak is then limited by the visual channel alone, that is, by how fast the screen can be photographed or filmed; with additional organizational measures even such copying becomes very difficult.

How can personal data be protected?

In a broad sense, protection against unauthorized access (NSD) is understood as a set of organizational and technical measures. These measures are based on an understanding of the mechanisms that prevent unauthorized access at different levels:

Identification and authentication (including two-factor or strong authentication). It can be implemented at the level of the operating system, infrastructure software, application software or hardware, such as dongles;

Registration and accounting. This is the logging of events in all of the systems, software and tools listed above;

Ensuring integrity. This can be the calculation of checksums of controlled files, integrity control of software components, use of a closed (whitelisted) software environment, and trusted OS boot;

Firewalling, both at the gateway and on the host;

Anti-virus protection (up to three levels of defence are applied, the so-called layered or multi-vendor approach);

Cryptography (applied at different levels of the OSI model, network, transport and above, and providing various protective functions).
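The "ensuring integrity" level in the list above is the one most easily shown in code. The following Python example is an added illustration, not code from the article or from any product: it builds a SHA-256 baseline over a set of controlled files and authenticates the baseline with an HMAC, so that an intruder who can change the files cannot quietly rewrite the baseline as well. The file names, file contents and the key are constructed for the demo; in a real deployment the key and the baseline are kept off the monitored host.

```python
"""Added example (not from the article): the "ensuring integrity" level from the
list above, implemented as a SHA-256 baseline over controlled files.  The baseline
is authenticated with an HMAC so that an intruder who can modify the files cannot
quietly rewrite the baseline as well.  File names, contents and the key are
constructed for the demo."""
import hashlib
import hmac
import json
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths: List[str], key: bytes) -> Dict[str, object]:
    """Digest every controlled file and sign the digest list with HMAC-SHA256."""
    digests = {p: sha256_file(p) for p in sorted(paths)}
    body = json.dumps(digests, sort_keys=True).encode()   # canonical form for the MAC
    return {"files": digests, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_baseline(baseline: Dict[str, object], key: bytes) -> Dict[str, List[str]]:
    """Check the baseline's MAC first, then compare every file against it.

    Raises ValueError if the baseline itself was altered; otherwise returns the
    lists of modified and missing files (both empty on a clean system)."""
    files: Dict[str, str] = baseline["files"]              # type: ignore[assignment]
    body = json.dumps(files, sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(baseline["mac"])):
        raise ValueError("integrity baseline has been tampered with")
    report: Dict[str, List[str]] = {"modified": [], "missing": []}
    for path, digest in files.items():
        if not os.path.exists(path):
            report["missing"].append(path)
        elif not hmac.compare_digest(sha256_file(path), digest):
            report["modified"].append(path)
    return report


def demo():
    """Clean check, then a check after tampering, then a forged baseline.
    Returns (clean_report, dirty_report, forgery_detected)."""
    key = b"demo-key-stored-off-the-monitored-host"    # constructed for the demo
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "abs_client.exe")
        ini = os.path.join(d, "abs_client.ini")
        with open(exe, "wb") as f:
            f.write(b"\x4d\x5a" + b"\x00" * 4096)       # constructed stand-in for a binary
        with open(ini, "w") as f:
            f.write("[db]\nhost=pd-server\n")
        baseline = build_baseline([exe, ini], key)
        clean = verify_baseline(baseline, key)

        with open(ini, "a") as f:                        # intruder edits the config ...
            f.write("host=attacker-host\n")
        os.remove(exe)                                   # ... and removes the binary
        dirty = verify_baseline(baseline, key)

        forged = {"files": dict(baseline["files"]), "mac": baseline["mac"]}
        forged["files"][ini] = sha256_file(ini)          # "fix" the digest without the key
        try:
            verify_baseline(forged, key)
            forgery_detected = False
        except ValueError:
            forgery_detected = True
    return clean, dirty, forgery_detected


if __name__ == "__main__":
    print(demo())
```

The MAC over the canonical JSON is what turns a plain checksum list into an integrity control: a checksum file that anyone with write access to the host can regenerate detects accidents, not intruders.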

There are several integrated products with well-developed NSD-protection functionality. They differ in the types of applications they cover, hardware support, software and deployment topology.

When the ISPD (personal data information system) is distributed or connected to a public network (the Internet, Rostelecom and so on), security analysis products are used (MaxPatrol from Positive Technologies, which at the time of writing has no direct competitors in the Russian Federation), as well as intrusion detection and prevention systems (IDS/IPS), both at the gateway level and at the end-node level.

How can personal data be transferred?

If the ISPD is distributed, PD have to be transmitted over unprotected communication channels. Note that the "air", that is, a wireless link, is also an unprotected channel. Various methods can be used to protect PD in communication channels:

Communication channel encryption. It can be provided in any of several ways: VPN between gateways, VPN between servers, VPN between workstations (InfoTecs ViPNet Custom, Informzaschita APKSh Continent and others);

MPLS packet switching. Packets are forwarded along different paths according to the labels assigned by the network equipment. For example, Rostelecom's MPLS network has a certificate of conformity to the FSTEC of Russia information security requirements for packet switching networks, which the author regards as a guarantee of high security for the services built on it. Note, though, that MPLS labels separate traffic rather than encrypt it: confidentiality against anyone with access to the provider's equipment still requires encryption at a higher level;

Document encryption. Various software can be used to encrypt individual data files or container files (ViPNet SafeDisk, InfoWatch CryptoStorage, TrueCrypt and others);

Archive encryption. Various archivers (WinRAR, WinZip, 7-Zip and others) can archive and encrypt files with strong algorithms such as AES. Two caveats apply: the ZIP format also supports the legacy ZipCrypto scheme, which is weak and must not be selected, and the protection is only as strong as the password, so long random passwords should be used and handed to the recipient over a separate channel.
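Because the same archivers can write either AES or the weak legacy scheme, a practitioner will want to check which one an archive actually uses before sending it. The following Python example is an added illustration, not code from the article or from any of the archivers named: it lists the entries of a ZIP archive with the standard zipfile module and classifies each one by the encryption flag, the compression method and the WinZip AES extra field (id 0x9901). Since zipfile cannot write encrypted entries, the sample archive is fabricated in code with a minimal ZIP writer; its entry names and contents are constructed for the demo.

```python
"""Added example (not from the article): a check of which encryption a ZIP archive
actually uses, since the archivers named above can write both the strong AES scheme
and the legacy ZipCrypto scheme.  The reader parses the central directory with the
standard zipfile module and inspects the WinZip AES extra field (id 0x9901).  The
archive bytes below are constructed in code for the demo, not taken from any product."""
import io
import struct
import zipfile
import zlib
from typing import List, Optional, Tuple

AES_EXTRA_ID = 0x9901
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}
ZIP_METHOD_AES = 99


def _aes_strength(extra: bytes) -> Optional[str]:
    """Walk the extra-field list; return the AES strength if a 0x9901 record is present."""
    pos = 0
    while pos + 4 <= len(extra):
        field_id, size = struct.unpack_from("<HH", extra, pos)
        if field_id == AES_EXTRA_ID and size >= 7:
            _version, vendor, strength, _method = struct.unpack_from("<H2sBH", extra, pos + 4)
            if vendor == b"AE":
                return AES_STRENGTH.get(strength, "AES (unknown strength)")
        pos += 4 + size
    return None


def audit_archive(data: bytes) -> List[Tuple[str, str]]:
    """Return (entry name, cipher) for every entry: 'none', 'AES-...', or ZipCrypto."""
    result = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.flag_bits & 0x1:                    # bit 0: entry is encrypted
                cipher = "none"
            elif info.compress_type == ZIP_METHOD_AES:
                cipher = _aes_strength(info.extra) or "AES (extra field missing)"
            else:
                cipher = "ZipCrypto (legacy, weak)"
            result.append((info.filename, cipher))
    return result


def weak_entries(data: bytes) -> List[str]:
    """Names of entries that must be re-packed with AES before the archive is sent."""
    return [name for name, cipher in audit_archive(data)
            if cipher != "none" and not cipher.startswith("AES")]


# ---- constructed sample archive: three entries with different protection ----
def _build_archive(entries) -> bytes:
    """Minimal ZIP writer (local headers + central directory + EOCD) used only to
    fabricate test data; zipfile itself cannot write encrypted entries."""
    body, central = b"", b""
    for name, payload, flags, method, extra in entries:
        n = name.encode()
        crc, size, offset = zlib.crc32(payload), len(payload), len(body)
        body += struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, method, 0, 0x21,
                            crc, size, size, len(n), len(extra)) + n + extra + payload
        central += struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, method,
                               0, 0x21, crc, size, size, len(n), len(extra), 0, 0, 0, 0,
                               offset) + n + extra
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(entries), len(entries),
                       len(central), len(body), 0)
    return body + central + eocd


# WinZip AES extra field: id, size 7, vendor version 2 (AE-2), "AE", strength 3 = AES-256, real method 8
AES256_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
SAMPLE_ARCHIVE = _build_archive([
    ("legacy.doc", b"\x00" * 16, 0x1, 8, b""),             # encrypted flag, plain deflate -> ZipCrypto
    ("strong.doc", b"\x00" * 16, 0x1, ZIP_METHOD_AES, AES256_EXTRA),
    ("plain.txt", b"hello", 0x0, 0, b""),                  # not encrypted at all
])

if __name__ == "__main__":
    for name, cipher in audit_archive(SAMPLE_ARCHIVE):
        print(f"{name:12s} {cipher}")
    print("re-pack with AES:", weak_entries(SAMPLE_ARCHIVE))
```

Only the central directory is read, so the check works on real archives of any size without decompressing them; it says nothing about the password, which remains the other half of the problem.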

Do I need to use certified protective equipment?

To date, there is only one FSTEC of Russia requirement concerning certification of means of protecting personal data. It concerns verification of the absence of undeclared capabilities (NDV) at level 4, so on this last question I will give only three theses:

The certification system for protection tools is voluntary;

It is enough to comply with the requirements of the law;

It is not necessary to certify the personal data information system as a whole.

Shauro Eugene
