
Corporate protection against internal threats to information security. Local network security

SULAVKO A. E., graduate student

Siberian State Automobile and Highway Academy,

TECHNOLOGIES FOR PROTECTION AGAINST INTERNAL THREATS TO INFORMATION SECURITY *

Annotation. The shortcomings of existing means of protection against internal threats to information security have been identified. The approaches to recognizing confidential information in the information flow and their effectiveness, as well as the basic requirements for such systems, used in modern security systems are described. Possible directions for future research are outlined to improve the effectiveness of means of combating internal threats.

Keywords: information security, internal threats, content analysis, context filtering, protection against leakage of confidential information.

Introduction. Today, the greatest threat to information security (hereinafter IS) is posed by internal attackers, and this threat is growing every year. The times when business executives feared mainly attacks from hackers and viruses are now a thing of the past. Of course, this class of threats still poses a great danger, but companies are most concerned about the loss and leakage of corporate information and personal data. This is evidenced by the results of almost any research in the field of information security conducted within the framework of various projects (Figures 1, 2).

Figure 1. The most dangerous cybersecurity threats according to respondents

* The work was carried out within the framework of the program “Scientific and scientific-pedagogical personnel of innovative Russia for years”, contract No. P215 dated July 22, 2009.

According to the results of the study “INSIDER THREATS IN RUSSIA '09” (Figure 1), conducted by the analytical center of the Russian company Perimetrix, it is clear that threats emanating from within the company, in total, give a higher danger rating than threats emanating from outside.


Figure 2. The ratio of the danger of internal and external information security incidents

This situation is observed not only in Russia. According to the technical reports INFORMATION SECURITY BREACHES SURVEY 2006 and 2008, internal incidents also prevail over external ones. In recent years, the fear of internal incidents among representatives of small and medium-sized businesses has increased significantly (Figure 2). Leaks are suffered not only by business representatives, but also by government agencies around the world. This is evidenced by the results of the global InfoWatch study (Figure 3).


Figure 3. Distribution of incidents by type of organization

From the presented materials it is clear that today the issue of combating internal threats is more pressing than the issue of combating external ones. It should be noted that the most dangerous threat today is the leak of confidential data (Figure 1).

Means and methods of combating internal threats. To effectively combat insider threats, it is necessary to identify the shortcomings of existing security measures in this area. There are several types of internal security systems.

Monitoring and audit systems are a good tool when investigating incidents. Modern audit systems allow you to record almost any user actions. The disadvantage of these systems is the inability to prevent leakage, since this requires a system for responding to events and making decisions that recognizes which sequence of actions poses a threat and which does not. After all, if a response to a violation does not follow immediately, the consequences of the incident cannot be avoided.

Strong authentication systems serve to protect against unauthorized access to data. They are based on a two- or three-factor authentication process, as a result of which the user can be granted access to the requested resources. Such means can protect information from an “uninitiated” employee, but not from an insider who already has access to protected information.

Media encryption tools. This class of programs will protect against information leakage if the media or laptop is lost. But, if an insider transfers the media along with the key on which the information is encrypted to the other party, then this method of protection will be useless.

Leak detection and prevention systems (Data Leakage Prevention, DLP). These systems are also called systems for protecting confidential data from internal threats (hereinafter referred to as leak protection systems). These systems monitor data leakage channels in real time. There are complex (covering many leakage channels) and targeted (covering a specific leakage channel) solutions. These systems use proactive technologies, thanks to which they not only register the fact of an information security violation, but also prevent the information leakage itself. Of course, the quality of such control directly depends on the system’s ability to distinguish confidential information from non-confidential information, i.e., on the content or context filtering algorithms used. Most modern anti-leak systems have media and file encryption functions (such systems are also called Information Protection and Control (IPC)). They can use secure data storage, in particular crypto containers, which, when accessing a file, take into account not only the encryption key, but also various factors such as user access level, etc.

Today, internal threat protection systems are the only solution that allows you to prevent leaks in real time, controlling the actions of users and processes performed with files and being able to recognize confidential information in the information flow. To determine the vulnerability of the protection provided by such a system, it is necessary to take a closer look at their main functions and capabilities, as well as the methods used by these systems to implement content/contextual filtering.

All existing methods for recognizing confidential information are collectively based on a synthesis of several fundamentally different approaches.

Search for signatures. The simplest method of content filtering is to search a data stream for a certain sequence of characters. Sometimes a prohibited sequence of characters is called a "stop word". The technique only works for exact matches and is easily defeated by simply substituting characters in the analyzed text.

Search for regular expressions (mask method). Using some regular expression language, a “mask” is defined, a data structure that is considered confidential. Most often, this method is used to determine personal data (TIN, account numbers, documents, etc.). The disadvantage of the method is the presence of a large number of false positives; the method is also completely inapplicable to the analysis of unstructured information.

Digital fingerprinting method. A “fingerprint” is taken from the reference information using a hash function. Next, the fingerprint is compared with fragments of the analyzed information. The disadvantage is that when using a hash function, the technology only works for exact matches. There are algorithms that allow minor changes in the analyzed information compared to the reference (no more than 20%-30%). These algorithms are closed by the developers of leak protection systems.
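The three approaches just described, as an added Python example that is not code from the article or from any of the products it names: a stop-word (signature) search, regex masks for structured data, and a digital fingerprint, the last one both as a whole-document hash and as a set of hashed word-window ("shingle") fingerprints, which is one public way of tolerating small edits in the same spirit as the closed vendor algorithms the text mentions. The reference document, the stop-word list, the mask patterns and the 0.7 similarity threshold are all constructed assumptions.

```python
import hashlib
import re

# Constructed reference document standing in for a confidential file (assumption, not from the article).
REFERENCE_DOC = ("Project Orion pricing: unit cost 412 USD, margin 38 percent, "
                 "launch window Q3, partner list attached.")

# Signature method: "stop words" searched for as literal substrings.
STOP_WORDS = ["confidential", "trade secret", "project orion"]

# Mask method: regular expressions for structured personal/financial data.
# Constructed patterns: a 10-digit TIN-like number and a 20-digit account number.
MASKS = {
    "tin": re.compile(r"(?<!\d)\d{10}(?!\d)"),
    "account": re.compile(r"(?<!\d)\d{20}(?!\d)"),
}


def signature_hits(text):
    """Literal stop-word search; only exact spellings are caught."""
    lowered = text.lower()
    return [w for w in STOP_WORDS if w in lowered]


def mask_hits(text):
    """Regex masks; returns every mask that fired together with the matched values."""
    return {name: rx.findall(text) for name, rx in MASKS.items() if rx.search(text)}


def normalize(text):
    """Case-fold and collapse whitespace so trivial reformatting does not defeat hashing."""
    return " ".join(text.lower().split())


def exact_fingerprint(text):
    """Whole-document digital fingerprint: matches only if the text is identical."""
    return hashlib.sha256(normalize(text).encode()).hexdigest()


def shingle_fingerprints(text, k=4):
    """Fingerprints of every k-word window, so a partially edited copy still shares most of them."""
    words = normalize(text).split()
    windows = {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}
    return {hashlib.sha256(w.encode()).hexdigest()[:16] for w in windows}


def fingerprint_similarity(reference, candidate, k=4):
    """Fraction of the reference's shingle fingerprints that reappear in the candidate."""
    ref = shingle_fingerprints(reference, k)
    if not ref:
        return 0.0
    return len(ref & shingle_fingerprints(candidate, k)) / len(ref)


def analyze(text, reference=REFERENCE_DOC, threshold=0.7):
    """Combine the three approaches into one verdict on a candidate message."""
    similarity = round(fingerprint_similarity(reference, text), 2)
    result = {
        "signatures": signature_hits(text),
        "masks": mask_hits(text),
        "exact_match": exact_fingerprint(text) == exact_fingerprint(reference),
        "similarity": similarity,
    }
    result["confidential"] = bool(result["signatures"] or result["masks"]
                                  or similarity >= threshold)
    return result


if __name__ == "__main__":
    # Constructed sample messages: an exact copy, a lightly edited copy,
    # a message with structured personal data, and harmless chatter.
    for sample in (REFERENCE_DOC,
                   "Project Orion pricing: unit cost 412 USD, margin 38 percent, "
                   "launch window Q3, partner list enclosed.",
                   "Please pay to account 40702810900000012345, TIN 7707083893",
                   "Lunch on Friday at noon?"):
        print(analyze(sample))
```

The shingle set makes the limitation the text describes measurable: a one-word edit to the reference still shares twelve of its thirteen four-word windows, while the whole-document hash no longer matches at all, and a misspelt stop word is simply not a hit for the signature method.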

Protection systems against internal threats are also characterized by compliance with a number of additional requirements (criteria for belonging to leak protection systems). The main requirements for this class of protection systems were put forward by the research agency Forrester Research:

multichannel (ability to monitor multiple data leakage channels);

unified management (availability of unified information security policy management tools, the ability to analyze events across all monitoring channels with the creation of detailed reports);

active protection (the system must not only detect, but also prevent information security violations);

combination of content and contextual analysis (in this case, contextual analysis, in addition to tags, should include analysis of user and application activity).

As you can see, the presented requirements do not include checking who exactly is working under the current account at a certain moment.

Today there are quite a lot of leak protection systems and products similar in functionality to them. The main characteristics and functions of some solutions (it was decided to take the 10 most popular) are presented in Table 1.

Leak protection systems on the market do not have the ability to identify a user using a “typical portrait of working in the system.” Existing solutions do not allow you to determine who is actually at the computer. To do this, it is necessary to resort to video surveillance, which is not always possible in practice.

The first leak protection systems mainly used content filtering methods. But their effectiveness turned out to be low, because in practice such methods produce a fairly large percentage of type I and type II errors (false positives and false negatives). According to Gartner, in the Hype Cycle of Information Security report for 2007, the maximum reliability of any existing content filtering methods is 80%, and in recent years there have been no significant changes in the direction of increasing the effectiveness of such algorithms. Thus, the maximum probability of correct recognition of confidential information using content filtering algorithms in an information flow (document, file, traffic, etc.) today does not exceed 0.8. And this probability can be achieved only by using all of the listed approaches to content analysis together (regular expressions, signatures, linguistic methods, etc.). This indicator is low (much lower than the characteristics declared by the developers) and does not meet information security requirements.

Table 1 – Main functions of protection systems against internal threats

Columns: product name; content filtering; contextual filtering (implying container analysis); encryption; criteria (multichannel, unified management, active protection).

Only the following cells of the table are legible; the product names of several rows were lost:

Traffic Monitor: content filtering – signatures, morphology; contextual filtering – protected containers; criteria – +.

(name lost): content filtering – morphology, digital fingerprints, ontologies; contextual filtering – containers.

(name lost): content filtering – digital fingerprints.

(name lost, three rows): content filtering – signatures, digital fingerprints; encryption – integrated encryption.

Information systems SMAP and SKVT: (cells lost).

Jet Watch: content filtering – signatures, regular expressions.

Second generation leak protection systems use container analysis. This approach implies an unambiguous identification of confidential information in a stream by a file attribute (label). But, despite the apparent determinism, such a system will make the right decision provided that it correctly categorizes the data, which it has previously carried out using existing methods. But all existing categorization methods (probabilistic, linguistic, etc.) are also based on content filtering (content analysis) methods, which, as mentioned above, are far from perfect. It is necessary to provide and develop procedures for placing labels on new and incoming documents, as well as a system for countering the transfer of information from a marked container to an unmarked one and for placing labels when creating files from scratch. All this is a very complex task, and also dependent on the task of content analysis. As you can see, the concept of deterministic filtering cannot be used separately from content filtering, and content filtering methods cannot be eliminated even theoretically.

The new generation of leak protection systems (IAS RSKD, information and analytical systems for confidential data secrecy) promises to get rid of the shortcomings of content and contextual methods, using each of them in the case where it is most effective. But the combination of two imperfect and dependent technologies cannot produce significant improvement.

Conclusion. Summarizing the above information, we can conclude that, despite the large number of available algorithms for identifying confidential information, all of them are not effective. The actualization of the problem of internal threats is caused by the vulnerability of organizations to them and the lack of an effective solution to combat them. Almost all enterprises use software and/or hardware protection tools that are designed to combat external threats (antiviruses, firewalls, IDS, etc.) and combat them quite effectively. As for means of protection against internal threats (leak protection systems), only a very small part of companies use them (Figure 4), although the need for these means objectively exists. The information security market cannot yet offer a complete solution for the effective protection of corporate information, and existing solutions do not provide a sufficient level of protection, and their cost is high (a license for 1000 computers costs approximately $100 - $500 thousand).


Figure 4. The most popular information security tools

It is necessary to improve content filtering technologies, developing new methods for identifying confidential information, conceptually changing approaches to its recognition. It is advisable to recognize not only the semantic content of the text, but also its authorship. By identifying the author of the text (when this text crosses the perimeter of the organization), typed by the user and containing confidential information, it becomes possible to identify the attacker. This approach can be implemented using content analysis methods in conjunction with biometric methods for identifying a user by keyboard handwriting. Taking into account not only the static characteristics of the text (meaning), but also the dynamics of text input, it becomes possible to identify the author of the text with high probability.

Personal data of clients and employees, trade secrets, correspondence and much more are the most important information for a business, access and use of which must be strictly regulated within the company. Unfortunately, no one is immune from fraud, collusion, use of production facilities for personal purposes and industrial espionage. Issues related to the protection of internal information should include both the development of documentation, regulatory procedures, and the implementation of technical means of protection. This program, developed by InfoWatch, will introduce students to the main areas of activity to ensure corporate information protection from internal threats, the regulatory framework governing this activity, the tasks of protecting information, tools, technologies and methods of their use to achieve these goals. The program is carried out using the company’s technologies in a laboratory equipped for this purpose.

  • Lesson mode Classes on Mondays (19:00-22:00) and Wednesdays (19:00-22:00)
  • Issued document Certificate of advanced training
  • Implementing division
  • Direction of training
  • Class location Moscow, st. Tallinskaya 34 and InfoWatch office

Admission

Target group

Documents for admission

Original and copy of passport or document replacing it

Original and copy of a document on education and qualifications or a certificate of training for persons receiving higher education

Original and copy of the document on changing the last name, first name, patronymic (if necessary)

1. Theoretical foundations of corporate protection against internal threats. Information and information flows. Internal and external information security threats. Information security threat models. Classification of corporate information security violators. Features of damage assessment.

2. Regulatory and legal aspects of corporate protection against internal threats. DLP systems and information security requirements. Categorization of information in the Russian Federation. Legal issues of using DLP systems: personal and family secrets; secret of communication; special technical means. Measures to ensure the legal validity of DLP (Pre-DLP). Review of the practice of the right to use in the investigation of incidents related to violations of the internal information security regime (Post-DLP).

3. Administrative and organizational aspects of corporate protection against internal threats. Formation of IS audit processes and procedures. Survey of corporate information systems. State of corporate information. Tools and technologies for providing corporate protection against internal threats. Criteria for the effectiveness of a project to ensure corporate protection against internal threats. Obstacles to the implementation of projects to ensure corporate protection against internal threats.

4. Protection of corporate information using an automated information flow control system. Purpose of the IW Traffic monitor (IW TM) system. Controlled data transmission channels. IW TM product architecture. Technologies for analyzing detected objects. Tasks and principles of operation of additional modules of the IW Device monitor (IW DM) and IW Crawler system.

Teachers

Andrey Zarubin

Head of the training and service quality control department of InfoWatch JSC, MBA, SixSigma Black Belt.

It's no secret that on average 82% of threats to companies' information resources come from the actions of their own employees, committed either through negligence or intentionally. According to experts, the danger of internal threats is trending upward and is still one of the most pressing problems. In a highly competitive environment, the task of maintaining data confidentiality is especially urgent. An erroneously sent email, ICQ message, or printed document may contain confidential information that is not intended for unauthorized persons. Trade or official secrets, personal data of clients, partners or employees, as well as other types of protected information may fall into the hands of third parties and cause irreparable damage to the business. It is necessary to take timely measures to prevent risks associated with leakage of confidential information.

Your business may be exposed to various risks, including:

  • Financial risks
    The result of a confidential data leak may be a situation where a trade secret becomes known to third parties. If such information falls into the hands of competitors, there is a high probability of financial losses, often leading to bankruptcy of the company.
  • Legal risks
    The uncontrolled release of a confidential document outside the corporate network may be the subject of close attention from regulatory authorities. Lawsuits and penalties for violation of laws governing the protection of personal data and other types of confidential information are not uncommon.
  • Reputational risks
    A leak of confidential data can receive wide media coverage and lead to the destruction of the company's image in the eyes of its customers and partners, causing serious financial damage.

To ensure protection against leaks of confidential information, any company must have a DLP system.

DLP systems (from the English Data Loss Prevention) are software or hardware and software designed to protect against leaks over network and local channels. The transmitted data is analyzed for its confidentiality and distributed into certain categories (public information, personal data, trade secrets, intellectual property, etc.). If confidential data is detected in the information flow, the DLP system performs one of the following actions: allows its transmission, blocks it, or sends it for additional verification to a security specialist in ambiguous cases. DLP systems cover a wide range of communication channels, allowing you to monitor email, instant messaging services and other Internet traffic, printers, Bluetooth devices, USB devices and other external media.

Existing DLP systems differ in their functionality. Firstly, DLP systems can be active (detect and block data leakage) or passive (detect data leakage and send an alert about the incident). Currently, the focus is on active DLP systems, the main task of which is to prevent data leakage in real time, and not to detect it after the fact. For such DLP systems, you can optionally configure a monitoring mode that allows you not to interfere with business processes and send a message about the incident to a security specialist. Secondly, DLP systems can solve a number of additional tasks related to monitoring the actions of employees, their working time and the use of corporate resources.
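The allow/block/review decision and the active versus passive (monitoring) mode described in the two paragraphs above, as an added Python example; it is not code from InfoWatch, Infozashchita or any DLP product. The category rules, channel names and policy table are constructed assumptions that stand in for a real system's content and context analysis.

```python
import re
from dataclasses import dataclass

# Constructed category rules standing in for a DLP classifier (assumption, not any vendor's logic).
CATEGORY_PATTERNS = {
    "trade_secret": re.compile(r"\b(trade secret|project orion)\b", re.IGNORECASE),
    "personal_data": re.compile(r"(?<!\d)\d{10}(?!\d)"),          # 10-digit TIN-like number
    "intellectual_property": re.compile(r"\bpatent draft\b", re.IGNORECASE),
}

# Channels on which data leaves the perimeter (names constructed from the channels the text lists).
EXTERNAL_CHANNELS = {"email_external", "instant_messaging", "usb", "print", "bluetooth"}

# Policy: (category, leaves_perimeter) -> action. Anything not listed is allowed.
POLICY = {
    ("trade_secret", True): "block",
    ("intellectual_property", True): "block",
    ("personal_data", True): "review",   # ambiguous case: hand to a security specialist
}

SEVERITY = {"allow": 0, "review": 1, "block": 2}


@dataclass
class Event:
    channel: str
    text: str


@dataclass
class Verdict:
    action: str        # allow | review | block
    categories: list
    alert: bool        # incident reported to the security specialist


def categorize(text):
    """Assign every matching category; public information gets an empty list."""
    return [name for name, rx in CATEGORY_PATTERNS.items() if rx.search(text)]


def decide(event, mode="active"):
    """Active mode enforces the strictest matching policy action; passive (monitoring)
    mode never interferes with the transmission but still raises the alert."""
    categories = categorize(event.text)
    external = event.channel in EXTERNAL_CHANNELS
    action = "allow"
    for cat in categories:
        candidate = POLICY.get((cat, external), "allow")
        if SEVERITY[candidate] > SEVERITY[action]:
            action = candidate
    alert = action != "allow"
    if mode == "passive":
        action = "allow"
    return Verdict(action, categories, alert)


if __name__ == "__main__":
    # Constructed events: the same trade-secret text on an external and an internal channel.
    print(decide(Event("email_external", "Project Orion margins attached")))
    print(decide(Event("email_external", "Project Orion margins attached"), mode="passive"))
    print(decide(Event("email_internal", "Project Orion margins attached")))
```

The same event yields "block" in active mode and "allow" with an alert in passive mode, which is the monitoring configuration the text describes for not interfering with business processes; the internal-channel copy raises nothing because the policy keys on whether the data leaves the perimeter.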

A significant advantage of DLP systems is that they allow you to maintain the continuity of business processes with virtually no impact on the work of end users. Thanks to all the above capabilities, DLP systems are currently one of the most popular solutions for ensuring business information security.

Correct implementation and configuration of a DLP system is a separate complex issue. It is impossible to do this without competent consulting. Highly qualified specialists of the Infozashchita company will help you choose a solution that suits the specifics of your enterprise.

The modern DLP market is one of the fastest growing, which clearly demonstrates the high demand for such protection systems. Developers of DLP solutions are constantly developing and improving new effective technologies to combat data leaks.

The Infozashchita company is ready to offer you a wide selection of advanced solutions from leading developers for protection against internal threats.

“Protection against internal threats in communications enterprises”

Introduction

1. The most notorious insider incidents in the field of telecommunications

2. Insiders

3. Laws in the field of protection against internal threats

3.1. Legal and regulatory regulation

3.2. Certification according to international standards

4. Statistical research

5. Methods for preventing internal leakage

Conclusion

List of used literature

INTRODUCTION

The relevance of the topic is due to the fact that due to the massive nature of the provision of communication services, records of millions and tens of millions of citizens can be accumulated in the databases of telecommunications companies. They are the ones who need the most serious protection. As practice has shown, as a result of neglecting the danger of a leak, businesses risk spending hundreds of millions of dollars on PR campaigns, legal costs and new means of protecting clients’ personal information.

The specificity of information protection in telecommunications companies is manifested in the nature of the data that needs to be protected. All information is stored in databases located in the operator’s IT infrastructure. Theft is fraught with several negative consequences at once. Firstly, this can damage the company's reputation, which manifests itself in the outflow of existing customers and difficulties in attracting new ones. Secondly, the company violates the requirements of the law, which can lead to revocation of the license, legal costs, and additional damage to the image.

The purpose of the work is to study protection against internal threats in communications enterprises.

The objectives of the work are:

Consideration of the most high-profile insider incidents in the field of telecommunications;

Analysis of internal violators;

Study of laws in the field of protection against internal threats: legal and regulatory regulation and certification according to international standards;

Study of statistical research;

Consider methods to prevent internal leaks.

The work consists of five chapters.

The first chapter examines the most notorious insider incidents in the field of telecommunications, the second chapter examines internal violators, the third chapter analyzes the legislative framework in the field of protection against internal threats, the fourth chapter examines statistical research, and the fifth chapter provides methods for preventing internal leaks.

The conclusion contains conclusions from the study.

1. The most notorious insider incidents in the telecommunications field

Real-life incidents provide the clearest illustration of the seriousness of the insider threat. Neglect of this danger in 2006 led to a major scandal in the United States. Journalists bought for $90 a list of incoming and outgoing calls of former US presidential candidate, General Wesley Clark, and the American public was surprised to discover that telephone records, firstly, are not protected by law at all, and, secondly, are very poorly protected by mobile communications operators.

In January 2007, news agencies reported one "non-obvious" leak. A database of mobile communications users from Corbina Telecom appeared on the Internet: names, phone numbers and guarantee fees of almost 40 thousand subscribers, including several top managers of the company. Corbina's comments reassured customers to some extent: most likely, under the guise of a new database, information from 4 years earlier was being offered. At that time an insider programmer had actually made information about the company’s subscribers publicly available, and since then the information had almost completely lost its relevance.

The top ten most high-profile insider incidents included the theft of the customer base of the Japanese mobile operator KDDI. Under the threat of disclosing information about a major data leak, insiders demanded $90 thousand from the Japanese corporation KDDI, the second largest cellular operator in the country. To demonstrate the validity of their threats, in May 2006, the blackmailers presented KDDI representatives with CDs and USB flash drives with private data, planting them at the checkpoint. However, the company's management ignored the demands of the criminals and turned to law enforcement agencies. For two weeks, the police monitored the negotiations between the blackmailers and KDDI, and then arrested the suspects. The investigation showed that a database of private information about 4 million KDDI clients actually fell into the hands of blackmailers. Each database record contained the name, gender, date of birth, telephone numbers, and postal addresses of each client. All this data is ideal for identity theft. Top management is confident that one of the employees deliberately copied the information and took it outside the company.

In total, more than 200 employees had access to the stolen data.

An equally high-profile incident occurred closer to Russia: a leak of the database of the Belarusian mobile operator Velcom. Journalists purchased a text file with information about the phone numbers and names of 2 million of its subscribers. At the same time, the press notes that Velcom databases regularly become public knowledge: since 2002, at least six versions have been released, and each time the information has been supplemented. Meanwhile, MTS databases are still missing on the Belarusian Internet. Faced with a wave of criticism, Velcom stated that Belarusian laws do not protect the personal data of citizens, which means that there can be no legal claims against Velcom. The operator blamed the leak on the bank, to which the customer database was transferred “to enable [bank] employees to check the correctness of the specified details when paying for communication services.” After this, Velcom is “considering the possibility of filing a claim to protect its business reputation.” Time will tell what the proceedings will lead to, but so far insiders are too often avoiding responsibility.

In October 2006, insiders from the Indian telecom AcmeTelePower stole the results of innovative developments and transferred them to competitor LamdaPrivateLimited. According to Ernst & Young estimates, Acme's direct financial losses amounted to $116 million. It is curious that the intellectual property was “leaked” in the most common way: by email. After this, AcmeTelePower plans to move its business from India to Australia altogether.

2. Internal offenders

Many organizations have conducted research in the field of internal leaks. The largest and most famous are the Uncertainty of Data Breach Detection studies conducted by the Ponemon Institute and the research by Western analysts in the CSI/FBI Computer Crime and Security Survey. Table 1 illustrates one such study.

Table 1. The most dangerous cybersecurity threats by total damage in dollars

Threats Damage (in dollars)
Viruses $ 15 691 460
Unauthorized access $ 10 617 000
Laptop theft $ 6 642 560
Information leak $ 6 034 000
Denial of service $ 2 992 010
Financial fraud $ 2 556 900
Abuse of the network or email by insiders $ 1 849 810
Telecom fraud $ 1 262 410
Zombie networks in the organization $ 923 700
Hacking the system from the outside $ 758 000
Phishing (on behalf of an organization) $ 647 510
Wireless Network Abuse $ 469 010
Abuse of Internet messengers by insiders $ 291 510
Abuse of public web applications $ 269 500
Sabotage of data and networks $ 260 00

We can only add that in their comments on the amount of damage, analysts from the FBI and the Computer Security Institute are skeptical that respondents were able to more or less accurately determine the amount of damage due to the leak of personal data or trade secrets. Such incidents have many long-term negative consequences. For example, deterioration of public opinion, decline in reputation and reduction in customer base. All this happens gradually and takes weeks and months. And it takes at least a year to identify losses in the form of lost profits due to leakage. So the internal structure of financial losses due to information security threats cannot be precisely determined.

In general, information protection in organizations includes:

· a set of computers connected to each other in a network;

· communication channels implemented by arbitrary information transmission channels through which a network of logical connections is physically implemented;

· exchange of confidential information within the network in strict accordance with permissible logical connections

· integrated multi-level protection against unauthorized access and external influence

· strict centralized setting of the structure of logical connections and access control within the network

· independence of the logical structure of the network from the types of information transmission channels.

Most companies have long built protection against external threats, and now they need to protect their rear. Among internal threats, there are several most common ways of causing damage:

· storing or processing confidential information in a system not intended for this purpose;

· attempts to circumvent or breach security or audit systems without authorization (except in the context of security testing or similar research);

· other violations of internal network security rules and procedures.

There are several ways to leak confidential information:

o mail server (email);

o web server (open mail systems);

o printer (printing documents);

o FDD, CD, USB drive (copying to media).

Before moving on to analytical calculations, it is necessary to answer the question of what is called an internal threat. The importance of this definition is further enhanced by the fact that sabotage is only part of internal threats; one should distinguish between saboteurs and, for example, insiders who “leak” confidential information to competitors.

Corporate sabotage is actions harmful to the company committed by insiders due to wounded pride, desire for revenge, rage and any other emotional reasons. Note that the capacious term “insider” refers to former and current employees of the enterprise, as well as contract employees.

Corporate sabotage is always committed for emotional, sometimes irrational, reasons. A saboteur is never driven by a desire to make money or pursue financial gain. This, in fact, is what distinguishes sabotage from other insider threats.

A US Secret Service study found that in 98% of cases the saboteur is a man. The emotional motives described above are, however, the consequences of earlier events that unsettled the employee (Table 2). According to analysts, in most cases, sabotage is preceded by an unpleasant incident at work or a series of such incidents.

Table 2. Events preceding sabotage (source: CERT)

Many saboteurs are already former employees of the victim company at the time of the sabotage, having retained access to its information resources for some reason (most likely an administrator's oversight). This is almost half of all cases.

As the CERT study showed, almost all corporate saboteurs are specialists in one way or another connected with information technology.

Table 3. Portrait of a typical saboteur (source: CERT)

Thus, only two reliable features of a saboteur can be identified: he is male and works in a technical department. Nine out of ten acts of sabotage are committed by people connected in one way or another with information technology. According to experts at InfoWatch, a developer of systems for protecting confidential information from insiders, the reason for this professional profile lies in the psychological characteristics of such employees. Two real-life examples, which most clearly illustrate the typical character traits of IT professionals, allow the problem to be understood in more detail.

“I worked for a mid-sized software company. I had administrator privileges when accessing the main servers. Just to stretch my mind, I thought about how this access could be used maliciously, and came up with the following plan. First, hack the backup system... Second, wait a year or longer. Third, erase all information on the servers, including hacked software for encrypting/decrypting backup data. Thus, the enterprise will only have encrypted backup copies (without a key). Fourthly, offer the company to buy the keys that were obtained in the first step. If the company refuses, it will lose years of its work. This is, of course, just a hypothetical plan. I didn't try to implement it, so I don't know if it would have worked or not...” - Filias Cupio.

“Most IT professionals I know, even juniors, install a rootkit into the corporate system as soon as they start working. It's a reflex. The guys don't want to harm anyone and aren't making malicious plans, they just want reliable access to the system so they can work safely from home or college,” - Ben.

The deep psychological roots of sabotage often lead a disgruntled employee to threaten his superiors or co-workers, and sometimes to share his plans with a colleague. In other words, the saboteur is not the only one who knows about the impending sabotage: analysts have calculated that in 31% of cases other people know of the saboteur's plans. Of these, 64% are colleagues, 21% friends, 14% family members and another 14% accomplices.

In 47% of cases saboteurs carry out preparatory actions (for example, stealing backup copies of confidential data); in 27% they design and test an attack mechanism (a logic bomb in the corporate network, additional hidden logins, etc.). In 37% of cases this activity is noticeable: of these, 67% of preparatory actions are visible online, 11% offline and 22% both.

It should also be borne in mind that the vast majority of attacks are carried out by saboteurs outside working hours and via remote access to the corporate network.
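To turn the last three paragraphs into something a security officer can act on, here is an added example (not from the original article) that runs the corresponding checks over a handful of constructed VPN and host log lines: activity on accounts of employees who have already left, successful remote logins outside business hours, and account creation outside business hours (a candidate for the “additional hidden logins” mentioned above). The log format, field names, user names, dates and business hours are assumptions made for the example.

```python
"""Added example (not from the original article): flagging the insider patterns
described above over constructed VPN/host log lines. Format and names are hypothetical."""
import re
from datetime import date, datetime, time

# Constructed sample log (hypothetical syslog-like format: <ts> <source> <event> key=value...).
SAMPLE_LOG = """\
2009-03-02T09:15:02 vpn login user=ivanov src=203.0.113.7 result=ok
2009-03-02T23:41:10 vpn login user=petrov src=198.51.100.22 result=ok
2009-03-03T02:05:33 host useradd user=svc_backup2 by=petrov
2009-03-03T10:02:45 vpn login user=sidorov src=203.0.113.9 result=ok
2009-03-04T21:30:00 vpn login user=sidorov src=192.0.2.5 result=fail
"""

# Constructed HR feed: accounts whose owners left the company, with the leaving date.
# Offboarding should have disabled them; the detector assumes it may not have.
TERMINATED = {"sidorov": date(2009, 2, 27)}

BUSINESS_HOURS = (time(8, 0), time(19, 0))  # assumption: local time, Monday to Friday

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one log line into a dict: ts, source, event, plus the key=value fields."""
    ts_str, source, event, rest = line.split(" ", 3)
    fields = dict(KV_RE.findall(rest))
    return {"ts": datetime.fromisoformat(ts_str), "source": source, "event": event, **fields}


def outside_business_hours(ts):
    """True on weekends or outside the configured daily window."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def analyze(log_text, terminated=TERMINATED):
    """Return (rule, user, raw_line) findings for the three insider patterns."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        user = ev.get("user")
        # 1. Any activity (even a failed login) on an account whose owner has already left.
        if user in terminated and ev["ts"].date() >= terminated[user]:
            findings.append(("terminated_account_activity", user, raw))
        # 2. Successful remote (VPN) login outside business hours.
        if (ev["source"] == "vpn" and ev["event"] == "login"
                and ev.get("result") == "ok" and outside_business_hours(ev["ts"])):
            findings.append(("after_hours_remote_access", user, raw))
        # 3. Account creation outside business hours: a possible hidden login being prepared.
        if ev["event"] == "useradd" and outside_business_hours(ev["ts"]):
            findings.append(("after_hours_account_creation", ev.get("by"), raw))
    return findings


if __name__ == "__main__":
    for rule, who, line in analyze(SAMPLE_LOG):
        print(f"{rule:30} {who:10} {line}")
```

The HR feed is the authoritative input here: the check is a compensating control that catches what deprovisioning missed, not a replacement for it. Time-of-day rules need per-user or per-role baselines (on-call engineers legitimately log in at night), otherwise they produce the flood of records that the security officer then has to sift through by hand.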

3. Laws in the field of protection against insider threats

Legal and regulatory regulation

The specifics of the telecommunications sector (compared to other industries) are also reflected in regulation. Firstly, companies in this industry are usually focused on providing services to individuals and therefore accumulate huge volumes of subscriber personal data in their corporate networks. Hence the close attention of IT and information security managers to the Federal Law “On Personal Data”, which imposes a number of requirements on the security of citizens' private information. Secondly, the telecom industry recently acquired its own standard, “Basic level of information security for telecom operators”. It is a minimum set of recommendations whose implementation should guarantee a certain level of information security for communication services and balance the interests of operators, users and the state. The standard was prompted by the development of the industry itself: operators are forced to interconnect their networks in order to provide the required set of services, yet they do not know whom they are dealing with and whom they can trust. Some provisions of the document relate directly to internal information security risks and to the storage of personal data. For example, the operator is recommended to “ensure the confidentiality of transmitted and/or stored information from control systems and automated payment systems for communication services (billing), information about subscribers (personal data of individuals) and the communication services provided to them, which have become known to telecom operators due to the execution of contracts for provision of communication services.” Companies are required to keep logs of information security events and retain them for the limitation period (in Russia, 3 years).

Moreover, “to filter the flow of primary events, it is recommended to use technical means of event correlation that optimize entries in information security incident logs.” Nor can one ignore the provision that reads: “An operator who has allowed the loss of databases of subscribers (clients) of other (interacting) operators is recommended to inform the latter about this as soon as possible.” Thus the Russian telecommunications sector is gradually approaching best practice: in the US and EU, companies have long been held liable for leaks of private data and are required by law to notify the victims. Over time such a norm should appear in Russia too.

Admittedly, it cannot yet be said that regulation plays a decisive role in the telecommunications sector. Nevertheless, management should already be thinking about the compliance of IT and information security with existing standards and laws, for the time when supervisory authorities finally begin to act. In addition, large telecommunications companies whose shares are listed on stock exchanges must satisfy the requirements of the stock markets: in Russia, for example, the voluntary Code of Corporate Conduct of the FFMS (Federal Service for Financial Markets); in Britain, the Combined Code on Corporate Governance (applied on a comply-or-explain basis); and in the USA, the SOX law (Sarbanes-Oxley Act of 2002). The Federal Law “On Personal Data” and the “Basic level...” standard are of direct interest to Russian telecommunications companies.

The Federal Law “On Communications” (Article 46, clause 1) assigns to the operator such information security functions as protecting communication structures, communication equipment and the information transmitted through them from unauthorized access, and ensuring the safe operation of the operator's internal infrastructure.

The operator must implement these requirements in the systems that run the communication network, monitor and maintain them, and prepare and submit statistical reports to higher authorities. However, because there are no coordinating regulations, there is no uniform approach to information security, nor to the composition of IT and information security departments. This usually depends on the volume of tasks the operator performs, and functional responsibilities are divided between IT and IS based on the previous experience of the heads of these departments.

Certification according to international standards

The best-known certification in the world is against the requirements of ISO/IEC 27001:2005. In Russia, to date, six companies have officially certified their information security management systems (ISMS); four of them work in the IT sector. ISO/IEC 27001:2005, published in 2005 by ISO and IEC on the basis of the British standard BS 7799-2, is built on global best practice. It clearly defines the key processes that must be managed by the person responsible for information security in the organization. Under this standard, the final stage of confirming the effectiveness of the ISMS is an independent audit by an accredited certification body. A positive conclusion from such a body confirms that information security management processes are in place and working correctly, supports the company's image, and gives its management grounds to believe that the enterprise applies modern information security controls effectively. Note, however, that certification attests to the management system, not to the strength of any particular technical control: a certified organization can still suffer an insider leak through a channel its risk assessment failed to cover. The verification process itself by an external certification body increases management's trust in the information security department and serves as an indicator of the quality and professionalism of its staff.

The decision to implement an ISMS in an organization should be made at the highest level of management, ideally by the CEO. Without management support, such projects are often doomed to failure, or, at best, to ineffective functioning in conditions of non-acceptance of the processes by the company's employees.

The “Basic level...” standard groups its requirements as follows.

1) The policy requirements call for a security policy approved through the internal procedures of the communications enterprise, based on best practice in risk assessment and management, meeting the needs of the business and complying with national legislation. Security policies must be published and communicated to the operator's personnel and to external parties (customers, interacting operators, other interested parties).

2) The functionality requirements apply only to certified technical means already in use and describe event-logging procedures.

3) The interaction requirements describe the procedure for identifying the operator's own clients and other operators. This section also requires a round-the-clock security incident response service (or the use of such a service on an outsourced basis).

There is also a requirement to ensure the confidentiality of transmitted and/or stored information of management systems and automated payment systems for communication services (billing), information about subscribers (personal data of individuals) and the communication services provided to them. This applies even when the information became known to the telecom operator in the course of performing contracts for the provision of communication services.

4. Statistics from scientific research

One of the largest and most interesting works in the field of protection against internal threats is a study of 275 telecommunications companies conducted by the InfoWatch analytical center. According to its results, insider risks prevail over external threats in a ratio of 6:4. Let us analyze the structure of these risks and the influence of various factors on them: the information security tools used, regulation, etc.

The list of the most dangerous internal threats to information security (Table 4) is headed by breach of confidentiality (85%) and distortion of information (64%). Both threats are grouped by the study under the concept of “information leakage”.

In third and fourth place are fraud (49%) and sabotage (41%). Interestingly, in a cross-industry study sabotage outranked fraud by almost 15 percentage points; in telecom, apparently because of the specifics of providing communication services, fraud is ranked among the most dangerous threats.

Table 4. The most dangerous cybersecurity threats

Administrative work with personnel

According to InfoWatch experts, the best way to prevent corporate sabotage is preventive measures. First of all, companies need to check the references and previous employment of the people they hire. Another highly effective method is regular training sessions or seminars that inform staff about IT security threats and about sabotage as such. With this approach management relies on the employees who interact with the would-be saboteur in the office, notice his nervous behavior, receive threats from him and so on; such incidents should be reported to the responsible persons immediately.

The next method is the principle of least privilege with a clear separation of duties. Ordinary office employees should not have administrative rights, and the person responsible for backups should not be able to delete data at its original source. That employee should also be obliged to inform his superiors if anyone else tampers with the backup copies. In general, the problem of protecting backups can be addressed by keeping duplicates of them; since a company usually has little truly critical data, several backup copies are advisable.

Effective password and account management is extremely important.

The best preventive measure is monitoring, not only passive (event logs) but also active (protecting valuable information). In that case only a top manager would be able to cause real damage to the company, since other employees with access to its digital assets would simply not have the right to delete valuable information. Specialized solutions for protecting data from internal threats, including corporate sabotage, are already on the market.
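The least-privilege and separation-of-duties rules above can be checked mechanically against an export of role assignments. The following is an added example, not from the article or from any product, over a constructed role model with hypothetical role, permission, user and department names: it computes each user's effective permissions, reports anyone who can both create backups and delete the original data (or delete both the data and its backups, which is the plan in the Filias Cupio quote), and reports administrative rights held outside technical departments.

```python
"""Added example (not from the original article): least-privilege and
separation-of-duties audit over a constructed role model. All names are hypothetical."""

# Constructed role model: role -> flat set of permission strings.
ROLE_PERMISSIONS = {
    "workstation_user": {"file.read", "file.write", "mail.send"},
    "backup_operator":  {"backup.create", "backup.read"},
    "backup_admin":     {"backup.create", "backup.read", "backup.delete"},
    "db_admin":         {"db.read", "db.write", "db.delete"},
    "domain_admin":     {"admin.local", "admin.domain"},
}

# Constructed user directory export: user -> department and assigned roles.
USERS = {
    "ivanov":    {"dept": "sales", "roles": {"workstation_user"}},
    "petrov":    {"dept": "it",    "roles": {"backup_admin", "db_admin"}},
    "sidorov":   {"dept": "sales", "roles": {"workstation_user", "domain_admin"}},
    "kuznetsov": {"dept": "it",    "roles": {"backup_operator"}},
}

# Permission sets that one person must never hold together (label, left, right).
TOXIC_COMBINATIONS = [
    ("backup custodian can destroy the originals", {"backup.create"}, {"db.delete"}),
    ("can destroy originals and their backups",    {"db.delete"},     {"backup.delete"}),
]
ADMIN_PERMISSIONS = {"admin.local", "admin.domain"}
TECHNICAL_DEPARTMENTS = {"it"}


def effective_permissions(user, users=USERS, roles=ROLE_PERMISSIONS):
    """Union of the permissions of every role assigned to the user."""
    perms = set()
    for role in users[user]["roles"]:
        perms |= roles.get(role, set())
    return perms


def audit(users=USERS, roles=ROLE_PERMISSIONS):
    """Return (rule, user, detail) findings for toxic combinations and misplaced admin rights."""
    findings = []
    for name, info in users.items():
        perms = effective_permissions(name, users, roles)
        # Separation of duties: both halves of a toxic pair held by one person.
        for label, left, right in TOXIC_COMBINATIONS:
            if left <= perms and right <= perms:
                findings.append(("toxic_combination", name, label))
        # Least privilege: administrative rights outside technical departments.
        held_admin = perms & ADMIN_PERMISSIONS
        if held_admin and info["dept"] not in TECHNICAL_DEPARTMENTS:
            findings.append(("admin_outside_technical_dept", name, sorted(held_admin)))
    return findings


if __name__ == "__main__":
    for rule, who, detail in audit():
        print(f"{rule:30} {who:10} {detail}")
```

Run this against a periodic export of group membership (directory groups, database roles, backup software roles) rather than against the intended design: the finding that matters is the combination that accumulated over time through role changes, which is exactly the case of the former employee or the long-serving administrator described above.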

InfoWatch Enterprise Solution

The InfoWatch Enterprise Solution (IES) is supplied by the Russian company InfoWatch, a developer of anti-insider protection systems. It provides comprehensive control over all channels of confidential information leakage: mail and web traffic, the communication resources of workstations, etc. Today IES is already used by government bodies (Ministry of Economic Development, Customs Service), telecommunications (VimpelCom), financial (Vneshtorgbank) and fuel and energy companies (HydroOGK, Transneft).

The IES architecture can be divided into two parts: monitors that inspect network traffic, and monitors that track user operations at the workstation level. The former are installed on the corporate network as gateways and filter email and web traffic; the latter are deployed on desktops and laptops and monitor operations at the operating system level. The network monitors, InfoWatch Mail Monitor (IMM) and InfoWatch Web Monitor (IWM), can also be delivered as a hardware device, the InfoWatch Security Appliance, so the customer can choose either a software or a hardware implementation of the mail and web traffic filters. The benefits of this approach show best when protecting a complex network spanning geographically distributed branches.

Workstation-level monitors include InfoWatch Net Monitor (INM) and InfoWatch Device Monitor (IDM). The INM module monitors file operations (reading, modification, copying, printing, etc.), controls the user's work in Microsoft Office and Adobe Acrobat, and logs all actions with confidential documents in detail.

This functionality is complemented by the IDM module, which controls access to removable media, disk drives, ports (COM, LPT, USB, FireWire), wireless interfaces (Wi-Fi, Bluetooth, IrDA), etc.

INM and IDM can also run on laptops, and the security administrator can set special policies for periods when the employee works offline. The next time the laptop connects to the corporate network, the monitors immediately notify the security officer if the user attempted to violate the established rules while working remotely.

All monitors included in IES can block leaks in real time and immediately notify a security officer of the incident. The solution is managed through a central console in which corporate policies are configured. An automated security officer workstation is also provided, from which a dedicated employee can respond to incidents quickly and adequately. Thus IES is positioned as a comprehensive solution covering all aspects of protecting confidential information from insiders.

Lumigent Entegra and Log Explorer

Lumigent's Entegra and Log Explorer products provide passive protection of information stored in databases: they audit databases and restore information in them.

Entegra monitors user activity against databases and audits the databases themselves. It shows who viewed or modified records, when and how, and who changed the database structure or access rights. Note that the product cannot prevent a malicious operation; it can only record the operation for logging. Log Explorer keeps a redundant log of all transactions against the database, which makes it possible, in case of a problem, to analyze and audit the transactions performed and to restore lost or altered records without resorting to a backup copy. Strictly speaking this is not recovery: Log Explorer rolls transactions back. So this module cannot prevent a leak, but it reduces the risk of corrupted records, which in the sabotage scenario described above is the damage that matters.

PC Acme

PC Activity Monitor (Acme) allows passive monitoring of user activity at the workstation level. The solution consists of two parts: a centralized management tool and agents deployed on workstations throughout the organization. The first component is used to distribute the agents across the corporate network and then manage them. The agents are software modules embedded deep in Windows 2000 or Windows XP; according to the developers, they sit in the operating system kernel, and it is almost impossible for a user to remove or disable them without authorization. The agents log all user actions in detail: launching applications, keystrokes, etc. The resulting event log, in its level of detail, resembles continuous video surveillance of the screen, except that it is presented as text. The central console collects the logged data on one computer for analysis. Difficulties arise at this stage, however. First, the security officer has to sift manually through hundreds of thousands of system event records to find those that violate IT security policy, led to a leak, and so on. Second, even if he does detect a leak, he cannot prevent it. Note also that a keystroke log contains passwords and personal data, so the collected data itself becomes a confidential asset that must be protected and retained under the same rules as the information it is meant to guard. Thus PC Acme is suited only to passive monitoring of all user actions at the workstation level.

Proofpoint Messaging Security

Proofpoint's appliance provides complete control over email. It checks messages for viruses and spam, prevents misuse of email resources and blocks leakage of confidential information in outgoing mail. Leak protection is based on a content-filtering mechanism: if a message contains confidential information, the product can block it. Proofpoint is a classic example of a product designed to protect one specific channel, email. Such a product fits where the main requirement is spam filtering and virus detection and leak prevention is a useful addition; it does nothing for the other leak channels listed above (web, printing, removable media).
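The content-filtering approach described for Proofpoint can be illustrated with partial document fingerprinting, one of the recognition methods the annotation refers to. The following is an added example written for this page, not Proofpoint's code or any product's; the confidential documents, the outbound messages, the shingle size and the blocking threshold are all constructed assumptions. Registered documents are reduced to hashed five-word windows (shingles); an outbound message is blocked if enough of its own shingles are found in one registered document, which catches a pasted paragraph while a single shared phrase does not trigger it.

```python
"""Added example (not Proofpoint's code): content filtering of outbound mail by partial
document fingerprinting. Documents, messages and thresholds are constructed."""
import hashlib
import re

SHINGLE_SIZE = 5          # words per shingle
MIN_MATCHED_SHINGLES = 4  # 4 overlapping 5-word shingles = an 8-word verbatim run

# Constructed "registered" confidential documents (hypothetical content).
CONFIDENTIAL_DOCS = {
    "subscriber_export_q1": (
        "Subscriber export for the first quarter: full name, passport number, "
        "home address, phone number and tariff plan for every customer of the "
        "North region branch."
    ),
    "merger_memo": (
        "Board memo: the proposed acquisition of the regional operator will be "
        "announced after the shareholders meeting in June."
    ),
}

# Constructed outbound messages: one pastes a paragraph, one only shares a common phrase.
LEAK_MESSAGE = (
    "Hi, as agreed I am sending the list: full name, passport number, home address, "
    "phone number and tariff plan for every customer of the North region branch. Regards"
)
BENIGN_MESSAGE = (
    "Hi, please send me the phone number of the North region branch office, "
    "I need to call them about the tariff plan."
)


def normalize(text):
    """Lower-case and keep only alphanumeric tokens so punctuation or case changes do not evade the filter."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(words, k=SHINGLE_SIZE):
    """Hash every k-word window; the set of hashes is the document's fingerprint."""
    return {
        hashlib.sha1(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(words) - k + 1)
    }


def build_index(docs):
    """Fingerprint the confidential documents once; only hashes leave the registry."""
    return {name: shingles(normalize(text)) for name, text in docs.items()}


def classify(message, index, min_matched=MIN_MATCHED_SHINGLES):
    """Compare a message against every fingerprint and decide block/allow."""
    msg_shingles = shingles(normalize(message))
    best_doc, best_matched = None, 0
    for name, fingerprint in index.items():
        matched = len(msg_shingles & fingerprint)
        if matched > best_matched:
            best_doc, best_matched = name, matched
    fraction = best_matched / len(msg_shingles) if msg_shingles else 0.0
    decision = "block" if best_matched >= min_matched else "allow"
    return {"decision": decision, "doc": best_doc,
            "matched": best_matched, "fraction": round(fraction, 3)}


if __name__ == "__main__":
    index = build_index(CONFIDENTIAL_DOCS)
    for msg in (LEAK_MESSAGE, BENIGN_MESSAGE):
        print(classify(msg, index))
```

Fingerprinting works on verbatim or lightly edited text, which is the common case for an employee mailing a document to himself or to a competitor; it does not catch a paraphrase or a screenshot, so in practice it is combined with dictionaries and patterns for structured identifiers. The threshold is the tuning knob: too low and every shared boilerplate phrase blocks mail, too high and a single leaked paragraph passes.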

How insiders are caught

An example of a victory over insiders was demonstrated in mid-February 2006 by the Russian company LETA IT-company. Thanks to a competent approach to internal IT security, the company neutralized an insider caught abusing his position. An internal investigation showed that one of the account managers had been trying to arrange software supply contracts not through his legitimate employer but through a shell company he had set up. The abuse was identified at an early stage using InfoWatch Mail Monitor.

CONCLUSION

Thus, in the US and EU, companies have long been held liable for leaks of private data and are required by law to notify victims of the leak. We hope that over time such a norm will appear in Russia. Positive trends can already be noted. The number of organizations that have protected themselves from leaks is constantly growing and will continue to increase.

Organizations are increasingly aware of the growing threat from their own staff, yet they take few steps to protect themselves. Not everyone includes in their priorities the training and further education of employees in information security, or regular assessment of their IT service providers' compliance with information security policies, relying on trust alone. Few today view information security as a management priority.

As organizations' business models evolve towards decentralization, some functions are delegated to external contractors, and it becomes increasingly difficult to control the security of their information and assess the level of risk. Companies can delegate work, but they should not delegate responsibility for security.

The main problems remain insufficient attention from senior management, irregular risk assessment, and insufficient or entirely absent investment in reducing the risks associated with the human factor (inappropriate behavior of employees, oversights, violation of established rules or standards). Attention is still paid mainly to external threats such as viruses, while the seriousness of internal threats is underestimated: there is a willingness to buy technological tools (firewalls, anti-virus protection, etc.), but no desire to address personnel security problems.

Many incidents involving employees remain undetected. According to the authors of the studies, telecommunications companies can and should stop viewing information security only as a cost of doing business and treat it as a way to increase competitiveness and preserve the company's value.

A number of large companies are subject to various regulations that oblige them to protect private information. Overall, demand for insider and leak protection solutions is expected to grow steadily for at least the next five years.

List of used literature

1. InfoWatch. News. How difficult it is to identify a leak: Corbina Telecom. 2007.

2. Skiba V.Yu., Kurbatov V.A. Guide to protecting against insider threats to information security. St. Petersburg: Piter, 2008.

3. “KNS INFOTEKS”. http://home.tula.net/insider/001b.htm

4. Zenkin D. Insiders are 75 times more dangerous than hackers. CNews. Analytics. http://www.cnews.ru/reviews/index.shtml?2008/10/22/324142

5. Dolya A. Insiders are coming. CitCity. http://citcity.ru/14874/

6. InfoWatch. Internal threats: in the face of common danger. http://www.infowatch.ru/threats?chapter=147151398&id=153017335

7. Dolya A. Sabotage in the corporate environment. http://www.directum-journal.ru/card.aspx?ContentID=1717301

8. Basic level of information security of telecom operators. http://www.ccin.ru/treb_baz_u.doc

9. Dolya A. Telecom security. http://citcity.ru/15562

10. Dolya A.V. Internal information security threats in telecommunications. 2007. http://www.iks-navigator.ru/vision/456848.html

11. Kostrov D.V. Information security in recommendations, requirements, standards. 2008. http://www.iks-navigator.ru/vision/2390062.html

12. Communications Bulletin: Protection from insiders in telecommunications companies. http://www.vestnik-sviazy.ru/t/e107_plugins/content/content.php?content.39

13. A stranger among his own: minutes of the round table meeting. Communications Bulletin, No. 7, 2006. http://www.vestnik-sviazy.ru/t/e107_plugins/content/content.php?content.59
