Fundamentals of risk and business-oriented information security: basic concepts and paradigm

In this publication, readers are introduced to the basic terms and definitions of information security, and the concept and paradigm of information security are discussed. The material in this and subsequent publications is based on generally accepted Russian and international approaches to information security.






With the development of information technologies and their penetration into almost every sphere of activity of modern states and companies, information protection has become a key issue. The so-called fourth scientific revolution is unthinkable without high-tech information technologies, but for all their advantages they bring risks with them: as IT penetrates the life of states, companies and ordinary citizens, the threats to information security grow and multiply along with it.



Information technology, the field of information protection and the attackers themselves are all evolving constantly. As recently as the end of the 20th century, computer systems were broken into, as a rule, by enthusiasts from academic circles who were not seeking illegal profit or aiming to deceive companies and citizens; in recent years, the number of financially motivated attackers has grown every year. Moreover, entire hacker armies now operate in cyberspace, supported and sponsored by the governments of various countries. They attack the resources and infrastructure of other states and of large corporations in order to obtain intelligence and, often, to disable critical infrastructure facilities or even entire industries. At the same time, regulatory pressure from the state is also growing: recognizing the importance of protecting information and the information infrastructure, almost all developed countries are adopting legislation that responds to modern challenges. Modern information security thus stands "in the crossfire" of highly skilled attackers, the IT needs of business and the state, and legal regulation. To succeed in these conditions, a solid foundation is needed first of all: a clear understanding of the main phenomena and terms, and of the very concept of information security.



In the classical sense, protecting information means ensuring the confidentiality, integrity and availability of information resources. Additional properties of information in a secure state are non-repudiation, authenticity and accountability.



A threat to information security is understood as a potential cause of an undesirable information security incident that can damage assets and violate the state of information security; an incident may be preceded by an unauthorized change in the state of an asset, called an information security event.



Threat modeling is the identification of all threats that can damage assets and attack vectors that can be used by threat sources to cause damage.



Information security risk is the potential that a specific threat will exploit the vulnerabilities of an asset and thereby harm the organization. As in classical risk management, there are the following ways of handling cyber risk: ignore, accept, avoid, transfer, minimize. Choosing the latter, the most appropriate treatment, in many cases precedes the design and deployment of information security systems and tools. When selecting and implementing specific measures to protect assets, one should be guided by whether these measures are appropriate to the business problem being solved, by the value of the asset and the magnitude of the predicted damage, and by the potential costs to the attackers. According to the generally accepted approach, the cost of protective measures should not exceed the value of the asset or the amount of the predicted damage, and protective measures are justified when the attacker's estimated reasonable cost of the attack is less than the profit they expect from it (that is, when the attack is worth the attacker's while).
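The two cost rules in this paragraph can be turned into a small, mechanical check over a risk register. The script below is an added example and not part of the original article; the register entries are constructed, and the ordering of the treatments (attacker economics first, then the cost ceiling for a protective measure, then insurance, then avoidance) is an assumption that a real organization would adapt to its own risk appetite.

```python
from dataclasses import dataclass
from typing import Optional

# The five ways of handling cyber risk named in the text. "ignore" is listed for
# completeness but is never recommended by this example: it means no decision was taken.
TREATMENTS = ("ignore", "accept", "avoid", "transfer", "minimize")


@dataclass
class Risk:
    name: str
    asset_value: float                 # value of the asset at risk
    predicted_damage: float            # damage if the threat is realized
    control_cost: float                # cost of the measure that would minimize the risk
    attacker_cost: float               # estimated reasonable cost of the attack to the attacker
    attacker_profit: float             # profit the attacker expects from the attack
    insurance_premium: Optional[float] = None  # cost of transferring the risk, if offered
    can_avoid: bool = False            # whether the activity creating the risk can be dropped


def recommend_treatment(r: Risk) -> str:
    """Apply the text's two cost rules and return one of TREATMENTS (assumed decision order)."""
    # Rule from the text: a protective measure may not cost more than the asset
    # or more than the predicted damage, whichever is lower.
    ceiling = min(r.asset_value, r.predicted_damage)
    # Rule from the text: defending is worthwhile while the attack pays for the attacker.
    if r.attacker_cost >= r.attacker_profit:
        return "accept"          # attack is uneconomic for the attacker
    if r.control_cost <= ceiling:
        return "minimize"        # the protective measure is affordable
    if r.insurance_premium is not None and r.insurance_premium <= ceiling:
        return "transfer"        # insuring is cheaper than the measure
    if r.can_avoid:
        return "avoid"           # drop the activity that creates the risk
    return "accept"              # nothing cheaper than the damage is available


def prioritize(register):
    """Order the register by predicted damage (highest first) and attach a treatment."""
    ranked = sorted(register, key=lambda r: r.predicted_damage, reverse=True)
    return [(r.name, recommend_treatment(r)) for r in ranked]


# Constructed sample register (all figures invented for the example).
SAMPLE_REGISTER = [
    Risk("customer DB leak", asset_value=500_000, predicted_damage=400_000,
         control_cost=60_000, attacker_cost=5_000, attacker_profit=100_000),
    Risk("legacy kiosk defacement", asset_value=8_000, predicted_damage=3_000,
         control_cost=20_000, attacker_cost=500, attacker_profit=2_000, can_avoid=True),
    Risk("office fire", asset_value=1_000_000, predicted_damage=900_000,
         control_cost=2_000_000, attacker_cost=0, attacker_profit=0, insurance_premium=30_000),
    Risk("internal wiki scraping", asset_value=50_000, predicted_damage=10_000,
         control_cost=15_000, attacker_cost=40_000, attacker_profit=10_000),
]

if __name__ == "__main__":
    for name, treatment in prioritize(SAMPLE_REGISTER):
        print(f"{name:28s} -> {treatment}")
```

The "office fire" entry has no attacker at all, so the attacker-economics rule does not apply to it and the remaining rules decide; in a real register, natural and regulatory threats would be modelled separately from intruder threats, as the rest of the article does.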



Damage from an attack can be direct or indirect. Direct damage is the immediate, obvious and easily predicted loss to the company, such as loss of intellectual property rights, disclosure of trade secrets, a drop in the value of assets or their partial or complete destruction, legal costs, fines and compensation payments, and so on. Indirect damage can take the form of qualitative or indirect losses. Qualitative losses include a suspension or decline in the company's efficiency, loss of customers, and a drop in the quality of the goods produced or services rendered. Indirect losses are, for example, lost profits, loss of business reputation, and additional expenses incurred.



A threat to information security arises when the following interconnected components are present: the source of the threat, the vulnerability of the asset, the way the threat is realized, the target of the exposure, and the harmful effect itself. For example: a hacker (source of the threat) attacks a company's unpatched web server (asset vulnerability) by means of SQL injection (way of realizing the threat) against the DBMS serving that web server (target) and illegally obtains confidential information (harmful effect).
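The SQL injection in this example rests on one defect: untrusted input is pasted into the query text, so the input can change the query's structure. The snippet below, added here and not taken from the article, shows the vulnerable login check beside the hardened one using Python's standard sqlite3 module; the table, the account and the plaintext password are constructed for the demonstration only (real systems store password hashes).

```python
import sqlite3


def make_db():
    """Constructed in-memory database with one account (plaintext password only for brevity)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse', 'alice@example.com')")
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Vulnerable: the user-supplied strings become part of the SQL text itself."""
    sql = (f"SELECT email FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def safe_login(conn, username, password):
    """Hardened: placeholders keep the query structure fixed; values travel separately."""
    sql = "SELECT email FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    # A username that ends the string literal and comments out the password check.
    probe = "alice' --"
    print("vulnerable, valid credentials :", vulnerable_login(db, "alice", "correct-horse"))
    print("vulnerable, injected username :", vulnerable_login(db, probe, "wrong"))
    print("safe, valid credentials       :", safe_login(db, "alice", "correct-horse"))
    print("safe, injected username       :", safe_login(db, probe, "wrong"))
```

With the parameterized query the same input is compared, as a whole, against the username column, finds no such user, and the login fails; the hardened version also removes the need to hand-escape quotes. Applying the patch that introduces the placeholder is what "patching the web server" in the example amounts to at the application layer.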



Further, these components of information security threats will be considered in more detail.



1. The source of a threat may be external or internal (in relation to the object of protection) intruders, third parties, or forces of nature.



External intruders are persons who are not company employees, legitimate users of its internal information systems, outsourcers, contractors, suppliers, customers or other parties bound to the organization by a legal relationship. Such intruders have no legitimate access to the object of protection (the information asset) and are classified by their skills, capabilities and motivation. Examples of external intruders are state-sponsored expert hackers, cybercriminals hired by competitors, "hacktivists", professional fraudsters, and even teenagers armed with widely available hacking tools. Countermeasures against external intruders cover almost the entire spectrum of "classical" information security methods: developing and implementing internal regulatory documents, deploying information protection tools, active countermeasures, responding to and investigating cyber incidents, and so on. Organizations should regularly assess their own exposure to attack by external intruders, taking into account their field of activity, dependence on information technology, public profile, attractiveness to attackers, and the breadth of the potential attack surface. In general, external intruders are the most unpredictable and uncontrollable factor in cyber risk and demand the most modern protection measures and methods.



Internal intruders are individuals, namely employees and company executives, as well as legal entities that have a contractual relationship with the company. Internal intruders are classified by the direction and malice of their actions; to carry out targeted unauthorized access, a malicious insider must have a motive, a method and a suitable opportunity for the attack. Providers of services, equipment or personnel also carry information security risks: there have been cases where IT service providers, manufacturers of auxiliary equipment and contractor employees were the cause of leaks. Cloud service providers also fall into the category of potential internal intruders, as the large number of data leaks from misconfigured cloud storage shows. A recent trend worth noting is the standardization of methods for assessing and managing the risk of engaging third-party organizations: the CBR issued the standard STO BR IBBS-1.4-2018 "Information Security Risk Management in Outsourcing", and the international standard ISO/IEC 27036 can be used to manage information security when working with service providers, including cloud service providers (guided by ISO/IEC 27036-4:2016).



Besides external and internal intruders, other sources of threats should not be forgotten: third parties and forces of nature can have a significant negative impact on a company's activities. Third parties include public authorities, whose intervention in the work of a company can have consequences comparable to a natural disaster. News of an investigation may harm the company's image and reputation, and a written order to suspend operations for even a relatively short period may in practice mean the company's exit from the market. Seizure of equipment, sealing of server rooms and the arrest of key executives may lead to the same outcome. Measures to minimize the risks arising from third parties are strict implementation of all requirements of current legislation and continuous internal compliance checks. Finally, forces of nature, in the context of categorizing threat sources, are natural and man-made disasters, as well as social disasters: epidemics, military operations, terrorist attacks, revolutions, strikes and other force majeure. Minimizing the risk of such incidents often requires large financial investments in business continuity and disaster recovery systems, and these risks should also be taken into account at the earliest stages of a company's development: office locations should be chosen carefully, considering the geography, proximity of other institutions and infrastructure, weather conditions, the state of society and forecasts of the economic and social development of the region concerned. In addition to minimizing the risks of natural disasters in the ways described above, a company can choose another way of treating these risks: insurance. With a well-thought-out and competently chosen insurance scheme, the damage from force majeure on the business can be mitigated. However, every manager and employee should always remember that a human life is priceless compared with even the most profitable business, and therefore, under any circumstances, saving lives and health must be the first priority.



2. A vulnerability is a weakness in the protection of an information system that an intruder (external or internal) can use to realize a threat to information security. Vulnerabilities in an information system may be caused by errors made in its creation, implementation or operation, or by the weakness of the protective tools and measures applied.



Logically, a perfectly protected and secure information system cannot exist unless it sits in an isolated space and performs no business function, so vulnerabilities can be found even in the most reliable and proven system. The Russian standard GOST R 56546-2015 distinguishes several types of vulnerabilities: code vulnerabilities, configuration vulnerabilities, architectural vulnerabilities, organizational vulnerabilities and multi-factor vulnerabilities. The same standard lists where vulnerabilities may reside: system-wide software, application software, special-purpose software, hardware, network equipment and security tools. A vulnerability is characterized by its degree of danger, which GOST R 56546-2015 defines as a comparative value describing the vulnerability of the information system and the impact of that vulnerability on the violation of the security properties of information (confidentiality, integrity, availability).



The generally accepted way to express the danger of a vulnerability quantitatively is the Common Vulnerability Scoring System (CVSS) metric of the American National Institute of Standards and Technology (NIST). This metric describes the main characteristics of a vulnerability and quantifies its danger (on a scale from 0 to 10) depending on the complexity of exploitation, the impact on the security properties of the asset, the existence of a ready-made exploit and its availability to an attacker, the possibility of fixing the vulnerability, the confidence in the report describing it, and the specifics of the operating environment of the vulnerable system.



The idea of centrally registering and classifying vulnerabilities has been implemented in several official vulnerability registries, such as MITRE CVE (Common Vulnerabilities and Exposures), the FSTEC of Russia BDU (Information Security Threat Databank), NIST NVD (National Vulnerability Database) and CERT/CC VND (Vulnerability Notes Database).



The MITRE CVE registry has been maintained since 1999, and over that time it has accumulated data on more than 115 thousand vulnerabilities. Entries are submitted by CNAs (CVE Numbering Authorities): registered organizations (such as national CERTs), software companies and independent security researchers authorized to assign a discovered vulnerability an identifier of the form CVE-YYYY-NNNN, where YYYY is the year the vulnerability was discovered and NNNN is its serial number. There are currently 98 organizations and individuals on the CNA list, including two Russian companies, Yandex and Kaspersky Lab.



The Russian BDU registry is administered by the FSTEC of Russia and the SRII PTZI. Since 2015 it has been filled with information on more than 21 thousand vulnerabilities, with identifiers of the form BDU:YYYY-NNNNN, where YYYY is the year of detection and NNNNN is the vulnerability's serial number. This registry is notable for containing information on vulnerabilities in software developed in Russia that is not present in other registries, and it allows developers of domestic information protection tools to obtain up-to-date vulnerability data from a reliable state source. Any citizen or organization that finds a vulnerability can report it through a web form or by e-mail directly to the FSTEC of Russia.



In addition to the official ones, there are many alternative vulnerability and exploit registries maintained by software vendors (for example, Microsoft, Cisco, Oracle, IBM, Red Hat, Ubuntu, VMware and others), as well as by individual organizations and enthusiasts.



The cause of a vulnerability may be a mistake made while developing or configuring software. The American National Institute of Standards and Technology classifies 124 types of such errors in its CWE (Common Weakness Enumeration) list. For each error listed on the MITRE organization's website there is a detailed description with examples of vulnerable code, guidance on detecting and eliminating the error tied to the stages of software development, links to registered CVE vulnerabilities caused by this error, and the CAPEC (Common Attack Pattern Enumeration and Classification) attack patterns that connect the error with possible attacks.



The FSTEC of Russia has created a registry of information security threats as a domestic alternative to the MITRE CAPEC classifier. At the time of writing this registry contains 213 threat types; each type has its own unique identifier (of the form UBI.NNN), a description of the threat, its source, its target and the consequences of its realization. Search by name, source or consequences of a threat is available. The registry contains not only purely technical threats but also organizational ones, such as UBI.040 (threat of conflict between the jurisdictions of different countries), UBI.056 (threat of poorly executed migration of infrastructure to the cloud) or UBI.134 (threat of loss of trust in one's cloud service provider).
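The registries described in the last few paragraphs each use their own identifier format (CVE-YYYY-NNNN, BDU:YYYY-NNNNN, CWE-NNN, CAPEC-NNN, UBI.NNN), and cross-referencing them starts with pulling those identifiers out of advisories, tickets and scanner reports in a canonical form. The extractor below is an added example, not code from the article; the advisory text it parses is constructed, and the identifiers in it (apart from CWE-89 and CAPEC-66, the SQL injection entries, and UBI.040 from the text) are invented placeholders. The minimum years it enforces come from the text: CVE since 1999, BDU since 2015.

```python
import re

# One pattern per identifier format described in the text.
_PATTERNS = {
    "CVE":   re.compile(r"\bCVE-(\d{4})-(\d{4,7})\b", re.IGNORECASE),
    "BDU":   re.compile(r"\bBDU:(\d{4})-(\d{5})\b", re.IGNORECASE),
    "CWE":   re.compile(r"\bCWE-(\d{1,4})\b", re.IGNORECASE),
    "CAPEC": re.compile(r"\bCAPEC-(\d{1,4})\b", re.IGNORECASE),
    "UBI":   re.compile(r"\bUBI\.(\d{3})\b", re.IGNORECASE),
}

# Earliest plausible year per dated registry (from the text); anything earlier is rejected.
_MIN_YEAR = {"CVE": 1999, "BDU": 2015}


def extract_identifiers(text):
    """Return a dict kind -> sorted canonical ids, plus 'rejected' for malformed dated ids."""
    found = {kind: set() for kind in _PATTERNS}
    rejected = set()
    for kind, pattern in _PATTERNS.items():
        for match in pattern.finditer(text):
            canonical = match.group(0).upper()          # normalize case, e.g. cve- -> CVE-
            if kind in _MIN_YEAR and int(match.group(1)) < _MIN_YEAR[kind]:
                rejected.add(canonical)                 # year predates the registry
                continue
            found[kind].add(canonical)
    result = {kind: sorted(ids) for kind, ids in found.items()}
    result["rejected"] = sorted(rejected)
    return result


# Constructed advisory text; identifiers other than CWE-89, CAPEC-66 and UBI.040 are placeholders.
SAMPLE_ADVISORY = """
Ticket 4711: web portal login bypass. Root cause is CWE-89 (SQL injection), attack
pattern CAPEC-66. Tracked as cve-2018-99999 upstream and as BDU:2019-12345 in the
FSTEC databank; see also CVE-2018-99999 (duplicate mention). A stale note cited
CVE-1998-0001, which predates the CVE registry and is ignored. Organizational
threat UBI.040 also applies because the hosting provider is abroad.
"""


def summarize(text):
    """Count the valid identifiers of each kind, for a quick triage line."""
    ids = extract_identifiers(text)
    return {kind: len(v) for kind, v in ids.items() if kind != "rejected"}


if __name__ == "__main__":
    for kind, ids in extract_identifiers(SAMPLE_ADVISORY).items():
        print(f"{kind:9s} {ids}")
```

Canonical identifiers are what a vulnerability management process keys on: the same CVE quoted in different case or formatting by a scanner, a vendor bulletin and a ticket must collapse to one record before it can be matched against the CVE, NVD or BDU entry and the CWE and CAPEC context that those entries link to.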



To identify vulnerabilities, one can use automated systems (vulnerability scanners, configuration and version management systems) as well as security assessments and penetration tests, from which the organization learns which potentially exploitable vulnerabilities it has. It should be remembered, however, that on average several dozen new vulnerabilities appear every day, so rather than analysing vulnerabilities episodically, one should build an ongoing vulnerability management process. , , , (///) , .



3. . , : , , , , , , , , , , , , , , .



MITRE ATT&CK , , (TTPs — Tactics, Techniques, Procedures), . MITRE ATT&CK MITRE CAPEC, . , , , , , «» TTPs, .



4. , , : , , , , , . , — , , — . , « » , .



5. , , , , , , , .



, Data Diddling ( — , ), Salami Fraud ( , — , 10 ), « » ( , / — , ).



, , , , «» — , IPO . - , , «» .



, , , , . WannaCry NotPetya, DDoS- . -, .



(, , ) , , , , . , , , , , , .



ISO/IEC 27001:2013 Information security management systems – Requirements (« – ») NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations (« »), . , , NIST SP 800-53, , , ISO/IEC 27001:2013.



: - , , , - . , «» - , , , .



, . , , , . , -, . , - , , .


