Basic model of security threats to information systems. Information security threat models


Classification of unauthorized influences

A threat is understood as a potentially existing possibility of an accidental or intentional action (or inaction) as a result of which the basic properties of information and of its processing systems may be violated: availability, integrity and confidentiality.

Knowledge of the range of potential threats to protected information, and the ability to assess skilfully and objectively the possibility of their realisation and the degree of danger of each of them, is an important stage of the complex process of organising and providing protection. Determining the complete set of information security threats is almost impossible, but a relatively full description of them, in relation to the object in question, can be achieved by carefully compiling a threat model.

Remote attacks are classified by the nature and purpose of the impact, by the condition for the start of the impact and the presence of feedback from the attacked object, by the location of the subject relative to the attacked object, and by the layer of the open systems interconnection reference model (EMVOS) at which the impact is carried out.

Classification characteristics of the objects of protection, of the security threats to automated systems (AS) and of the possible methods of unauthorized access (NSD) to information in protected AS:

  • 1) by the principle of NSD:
    • physical. Can be realised through direct or visual contact with the protected object;
    • logical. Involves overcoming the security system by software means, through logical penetration into the structure of the AS;
  • 2) by the path of NSD:
    • use of a direct, standard access path. Weaknesses of the established security policy and of the network's administrative management process are exploited. The result may be masquerading as an authorized user;
    • use of a hidden, non-standard access path. Undocumented features (weaknesses) of the protection system are used: shortcomings of the algorithms and components of the protection system, errors in the implementation of the protection system design;
    • a special group, in terms of the degree of danger, is formed by information security threats realised through the influence of an intruder, which not only allow unauthorized influence on the system's information resources by means of special software and software-hardware means, but also provide NSD to information;
  • 3) by degree of automation:
    • performed with constant human participation. Publicly available (standard) software can be used. The attack takes the form of a dialogue between the attacker and the protected system;
    • performed by special programs without direct human participation. Special software is used, most often developed using virus technology. As a rule, this NSD method is preferable for carrying out an attack;
  • 4) by the nature of the impact of the NSD subject on the object of protection:
    • passive. Has no direct impact on the AS, but can violate the confidentiality of information. An example is monitoring of communication channels;
    • active. This category includes any unauthorized influence whose ultimate goal is to make some change in the attacked system;
  • 5) by the condition for the start of the impact:
    • attack on request from the attacked object. The subject of the attack is initially conditionally passive and awaits a request of a certain type from the attacked AS, whose weaknesses are used to carry out the attack;
    • attack upon the occurrence of an expected event on the attacked object. The OS of the target is monitored, and the attack begins when the AS is in a vulnerable state;
    • unconditional attack. The subject of the attack acts on the object of attack regardless of the latter's state;
  • 6) by the purpose of the impact. Security is considered as the combination of confidentiality, integrity, availability of resources and performance (stability) of the AS, the violation of which is reflected in the conflict model;
  • 7) by the presence of feedback from the attacked object:
    • with feedback. Implies bidirectional interaction between the subject and the target of the attack in order to obtain from the target any data that affects the further course of the attack;
    • without feedback. A unidirectional attack: the subject of the attack does not need a dialogue with the attacked AS. An example is a directed "storm" of requests whose goal is to disrupt the performance (stability) of the AS;
  • 8) by the type of security weakness used:
    • shortcomings of the established security policy. The security policy developed for the AS is inadequate to the security criteria, and this is exploited to perform NSD;
    • administrative errors;
    • undocumented features of the security system, including those related to software: errors, uninstalled OS updates, vulnerable services, unprotected default configurations;
    • shortcomings of protection algorithms. The security algorithms the developer used to build the information security system do not reflect the real aspects of information processing and contain conceptual errors;
    • errors in the implementation of the security system design. The implementation of the information security system project does not comply with the principles laid down by the system's developers.

Logical characteristics of protected objects:

  • 1) security policy. A collection of documented conceptual decisions aimed at protecting information and resources; it includes the goals, the requirements for protected information, the set of information security measures, and the responsibilities of the persons in charge of information security;
  • 2) the administrative management process. Includes managing the configuration and performance of the network and access to network resources, measures to improve the reliability of the network, restoring the functionality of the system and its data, and monitoring compliance with standards and the correct functioning of security measures in accordance with the security policy;
  • 3) protection system components:
    • cryptographic information protection system;
    • key information;
    • passwords;
    • information about users (identifiers, privileges, powers);
    • security system settings;
  • 4) protocols. As a set of functional and operational requirements for network hardware and software components, they must be correct, complete and consistent;
  • 5) functional elements of computer networks. In the general case they must be protected from overloads and from the destruction of "critical" data.

Possible ways and methods of carrying out unauthorized access (types of attacks):

  • 1) analysis of network traffic, study of LANs and of security measures in order to find their weaknesses and to study the algorithms by which the AS functions. In systems with a physically dedicated communication channel, messages are transmitted directly between the source and the receiver, bypassing other system objects; in such a system, without access to the objects through which the message is transmitted, there is no software means of analysing network traffic;
  • 2) introduction of unauthorized devices into the network;
  • 3) interception of transmitted data for the purpose of theft, modification or redirection;
  • 4) substitution of a trusted object in the AS;
  • 5) introduction of an unauthorized route (object) into the network by imposing a false route and redirecting the flow of messages through it;
  • 6) introduction of a false route (object) into the network by exploiting the shortcomings of remote search algorithms;
  • 7) exploitation of vulnerabilities in system-wide and application software;
  • 8) cryptanalysis;
  • 9) exploitation of shortcomings in the implementation of cryptographic algorithms and cryptographic programs;
  • 10) interception, selection, substitution and prediction of generated keys and passwords;
  • 11) assignment of additional powers and modification of the security system settings;
  • 12) introduction of software backdoors ("bookmarks");
  • 13) disruption of the performance (stability) of the AS by causing an overload, destroying "critical" data and performing incorrect operations;
  • 14) access to a network computer that receives messages or performs routing functions.

Classification of attackers

The possibility of carrying out harmful influences largely depends on the status of the attacker in relation to the computer system (CS). The attacker could be:

  • 1) CS developer;
  • 2) an employee from among the service personnel;
  • 3) user;
  • 4) an outsider.

The developer possesses the most complete information about the CS software and hardware. The user has a general idea of the structure of the CS and of the operation of its information security mechanisms; he can collect data about the information security system using traditional espionage methods, as well as attempt unauthorized access to information. An outsider unrelated to the CS is in the least advantageous position compared with the other attackers. If we assume that he does not have access to the CS facility, then he has at his disposal remote methods of traditional espionage and the possibility of sabotage. He can carry out harmful effects using electromagnetic radiation and interference, as well as through communication channels if the CS is distributed.

Specialists servicing these systems have great potential to exert harmful influence on CS information, and specialists of different departments have different potential for malicious actions. The greatest harm may be caused by information security staff; next come system programmers, application programmers and engineering staff.

In practice, the danger of an attacker also depends on the financial, logistical and technical capabilities and qualifications of the attacker.

Leakage of protected information usually becomes possible due to violations of the regime for handling confidential information. The channels of information leakage in information systems that process confidential data can be divided into four groups.

The first group includes channels formed through remote covert video surveillance or photography, the use of listening devices, interception of electromagnetic radiation and interference, and so on.

The second group includes observing information during its processing in order to memorise it, theft of its media, collection of industrial waste containing processed information, deliberate reading of data from the files of other users, reading of residual information (that is, data remaining on magnetic media after tasks have completed), and so on.

The third group includes the illegal connection of special recording equipment to system devices or communication lines, malicious modification of programs in such a way that these programs, along with the basic functions of information processing, also carry out unauthorized collection and registration of protected information, malicious disabling of security mechanisms.

The fourth group includes unauthorized obtaining of information through bribery or blackmail of officials of the relevant services, employees, acquaintances, service personnel or relatives who know about the type of activity.

It should also be noted that a low level of confidentiality is primarily associated with violations in the organisation of access control. These violations may be the result of the "Personnel Bribery" threat, which is realised through the "Motivation of Personnel to Perform Destructive Actions" vulnerability. The level of this vulnerability can be reduced by appropriate work with personnel and by strengthening control over the work of employees.

Damage to data transmission channels has the greatest impact on the level of integrity and availability. Such damage can be caused by a failure, which in turn can occur because of low reliability of the links. Reliability can be increased by strengthening the technical support service and by grounding the main and auxiliary equipment used in information processing.

These data will serve as the basis for developing recommendations to strengthen the measures aimed at ensuring the confidentiality, integrity and availability of information. It is necessary to strengthen control over the work of employees, to conduct information security training for employees, to ground the main and auxiliary equipment used in information processing, to strengthen the technical support service and to amend the job descriptions of that service's employees.

Implementing the specified preventive protection measures, together with eliminating existing damage, will raise the level of confidentiality, integrity and availability to the state required for the AS.

The information security intruder model is inextricably linked with the information security threat model, because an information security violator is often both a source of threats and a consequence of them.

1. Insider

Various categories of personnel of the protected object itself can be attributed to this type of violator; they include the following employees [Chebanov A.S., Zhuk R.V., Vlasenko A.V., Sazonov S.Yu. Intruder model of an integrated system for ensuring the information security of protected objects // Izvestia of South-West State University. Series: Management, Computer Engineering, Informatics. Medical Instrumentation. 2013. No. 1. P. 171-173]:

  • persons who have authorized access to the maximum amount of information (authorized employees, such as superiors and management personnel). Almost all personnel of the protected facility fall under this category;
  • persons who have authorized access to a certain amount of information (employees of structural units);
  • persons with authorized access to the maximum volume (administrators of automated systems) or to a certain volume (employees of IT departments, programmers) of information in the course of ensuring the operability and functioning of information systems.

It is necessary to understand that an information security administrator has different rights and capabilities from an information system administrator. It is also worth bearing in mind that, despite the violator type being "internal", all employees identified in it may have remote access to the resources of the informatization object.

Based on the methods of influence, the internal violator can be divided into two categories:

  • Accidental (unintentional). This violator often does not even imagine the damage caused by his actions. All personnel of the protected object may simultaneously fall under the category of an accidental violator, regardless of whether they have direct access to information or perform indirect activities related to maintaining the functioning of the protected object's information systems. Examples include:
    • premises maintenance personnel;
    • employees of one of the structural divisions;
    • personnel serving the information resources of the informatization object, etc.
  • Insider (interested person). The danger of this category of violator is that the damage from his actions can reach a quite impressive size. Unlike an accidental violator, he is difficult to identify and can carry out his activities for a long time.

At the moment there are various concepts for describing insiders in an enterprise and for dividing the staff into risk groups, but most insiders fall into one of two groups of employees [Azhmukhamedov I.M. System analysis and assessment of the level of threats to information security // Issues of Information Security. 2013. No. 2 (101). P. 81-87]:

  • those interested in being paid for information provided about the object of protection;
  • those having personal motives in relation to the company that is the object of protection.

Along with this classification there is another attribute that applies to both internal and external violators: the capabilities available to them.

The capabilities of an insider depend to a significant degree on the security, organisational and technical protection measures in force within the controlled area of the protected object, including the procedure for granting individuals access to information resources and for monitoring the order of work at the protected site.

2. External intruder

This is the most common type of violator. Most of the existing regulatory documents of the Russian Federation are aimed at regulating the construction of a comprehensive information security system and the use of information security tools against it.

This type mainly includes the following representatives:

  • law enforcement agencies and executive authorities of the Russian Federation;
  • competitors;
  • criminal structures;
  • individuals directly involved in analysing the information security of the protected object.

The main criteria for dividing external violators into categories are:

  • the ability to access communication channels that extend beyond the boundaries of the controlled area of the protected object (all kinds of emissions, optical channels, information transmission lines);
  • the ability to access the controlled area of the protected object (authorized access, unauthorized access by masquerading, etc.);
  • the availability of information about the object of protection;
  • the available means of carrying out attacks on the protected object (vulnerability scanners, signal jammers, etc.).

Why is it needed and how do you develop it? You will find the answers to these questions in this article.

A threat model is a list of possible threats.

Everything is simple and clear. However, GOST R 50922-2006 "Information protection. Basic terms and definitions" gives a more comprehensive definition:

Threat model (information security): a physical, mathematical or descriptive representation of the properties or characteristics of threats to information security.

So a threat model is a document that, in one way or another, describes possible threats to the security of personal data.

Now let's figure out what a threat to information security (personal data) is.

The "Basic model" contains a systematic list of threats to the security of personal data during their processing in personal data information systems (ISPDn). Many information security experts are very sceptical about this document: the threats listed in the basic model are outdated and far from comprehensive. However, for lack of anything better, we have to be content with the current edition of the document.

The document "Methodology for determining current threats" contains a threat assessment algorithm. The status of each probable threat is determined through simple calculations.

If you decide to develop a threat model yourself, we recommend using our online service for preparing a package of documents on the protection of personal data. This avoids mistakes and reduces the time needed to prepare the documents.

Our service already contains all the security threats from the "Basic Model". You only need to enter their characteristics and the general characteristics of your ISPDn. The algorithm for calculating the relevance of threats is fully automated. As a result you receive a finished document in RTF format.

Greetings, readers!

  • to understand the threats and vulnerabilities present in the information system, as well as the violators relevant to this information system, in order to start the technical design of measures to neutralize them;
  • just for show, so that all the conditions of a certain project are met, for example in the field of personal data (I am not saying that the threat model in personal data projects is always done for show, but this is basically the case).

Management also plays a big role here: it depends on what Management wants, to competently design and build protection (our option) or to protect itself from certain regulatory authorities. But a separate article could be written on this topic; there would be plenty to say.

The threat model and the intruder model are inextricably linked. A lot of controversy has arisen over whether to make these models separate documents or whether it would be more correct to do this in one document. In my opinion, for the convenience of constructing a threat model and an intruder model, it is more correct to do this in one document. When the threat model is handed over to engineers (if threat modeling, intruder modeling and design are handled by different departments in the company), they need to see the situation in full, rather than reading two documents and wasting time connecting them together. Thus, in this article I will describe the threat model and the intruder model (hereinafter referred to as the threat model) as a single inseparable document.

Typical problems

From my experience I have seen a large number of threat models that were written so differently that it was simply unrealistic to bring them to one template. The author did not have a clear idea of what to write in such a document, for whom the document is and what its purpose is. Many people are interested in how many pages a threat model should have, what to write in it, and how best to do it.

I have identified the following typical mistakes when creating a threat model:

  • lack of understanding of who this document is for;
  • lack of understanding of the structure of the document;
  • lack of understanding of the required content of the document;
  • lack of the conclusions necessary for design.

Threat Model Plan

Since, after drawing up a threat model, we will hand it over to engineers (not a required condition), the information is grouped for the convenience of the developer of the threat model and of the engineer who will then analyse it.
When compiling a threat model, I follow the following plan (subsections not included):

Introduction
1. List of abbreviations
2. List of regulatory documents
3. Description of the IS
4. Security threats
Conclusion
Appendix A
Appendix B
Appendix C

Looking ahead, the threat model is based on the principle "there is no need to read the entire document to understand its meaning and draw the right conclusions". Let's look at each of the points.

Introduction

Typical introduction describing the purpose of this document and what should be determined at the stage of its writing.

1. List of abbreviations

Why is it here? - you ask. And I will answer you:

  • the document can be read not only by an information security specialist;
  • the document can be read by senior management with some technical education;
  • when describing the Information System, some terms may be unknown either to specialists or to management.

2. List of regulatory documents

This section is usually necessary in projects that use some kind of documentation containing certain requirements or recommendations. For example, when working with personal data, this section lists the regulatory documents of FSTEC, the FSB, etc.

3. Description of the IS

This section is one of the main parts of the threat model. The description of the Information System should break it down in as much detail as possible. The data should include:

  • the technical means used and their purpose. As an example:

The identifier is used for quick reference to an asset from the text of the document, the description is used to understand what kind of technical means it is, and the note is used to clarify data about the technical means and their purpose.

  • a detailed description of the technical means. As an example: TS – terminal server. Connects remote clients via RDP to work with the system. Connections come from hardware thin clients and personal computers. The terminal server has an application installed that is used to work with the database.
  • a connection diagram of the technical equipment. This diagram should reflect the detailed architecture of the information system.
  • the protective measures already implemented. This information allows the developer of the threat model to take into account security measures that are already in place and evaluate their effectiveness, which will, with some probability, reduce the cost of purchasing security products.
  • formation of a list of assets. It is necessary to determine the list of assets, their significance for the company and an identifier for quick reference from the document. As an example:

Depending on the chosen risk assessment methodology, section 3 of the threat model may contain additional information. For example, when modeling threats to personal data, this section is supplemented with the "indicators of the initial security of the ISPDn" and the "main characteristics of the ISPDn".

4. Security threats

In this section the results of threat modeling are described. The description includes:

  • the relevance of external or internal threats;
  • list of current violators;
  • list of current threats to information security.

It is convenient to present the list of current threats in the form of the following table:

Here again everything is simple: an identifier, a description of the threat and the assets affected by the threat. That is more than enough information.

Conclusion

In the conclusion it is necessary to describe what measures need to be taken to protect the Information System. Example:

1. Protection against unauthorized connection of unregistered technical equipment to:

  • DBMS servers;
  • application servers.

2. Cryptographic protection of the communication channels used to access the Information System (building a VPN).

The information in the sections described above contains all the data necessary for designing a security system for the Information System. All the material that identifies the current violators and calculates the current threats to information security is contained in the appendices. This allows the reader to get all the necessary information from the first pages of the document. From experience I can say that the threat model for a good project and a serious information system runs to 100 pages or more; the information described above usually takes no more than 30.

Appendix A

In Appendix A I usually describe the intruder model. Typically it consists of:

  • a description of the types of violators and their capabilities (internal, external);
  • a description of the access channels to the IS (physical, public, technical);
  • a description of these types of violators with reference to the staffing structure of the organisation;
  • a description of the capabilities of these violators;
  • a determination of the relevance of each type of violator.

Resulting table:

Type of intruder | Categories of violators | Identifier
External intruder | Criminal structures, external actors (individuals) | N1
Internal intruder | Persons who have authorized access to the controlled area (KZ) but do not have access to the ISPDn (technical and maintenance personnel) | N2
Internal intruder | Registered ISPDn users with access to PD | N3
Internal intruder | Registered ISPDn users with the rights of an ISPDn segment security administrator | N4
Internal intruder | Registered users with the rights of an ISPDn system administrator | N5
Internal intruder | Registered users with the rights of an ISPDn security administrator | N6
Internal intruder | Application software developers (suppliers) and persons supporting it at the protected facility | N7
Internal intruder | Developers and persons supplying, maintaining and repairing the technical equipment of the ISPDn | N8

Appendix B

This appendix is used to describe and calculate the relevance of threats. Depending on the chosen methodology for determining the relevance of information security threats and assessing risk, this appendix (section) can be designed in different ways. I describe each threat with the following table:

The table did not format very well in the Habr editor; it looks much better in the document. The history of this particular form of table originates from the standards of the STO BR series. It was then slightly modified for projects dedicated to personal data, and now it is my means of describing threats for any project. This table fully allows the relevance of an information security threat to the company's assets to be calculated, and it is also suitable if a risk assessment technique is used. This example is given for calculating the relevance of threats within a personal data protection project. The table is read as follows: Threat -> Violator -> Assets -> Violated properties -> Data for calculating relevance -> Conclusions.

Each threat is represented by such a table, which fully describes it, and from the table you can easily draw a conclusion about the relevance or irrelevance of the threat.
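As an added worked example of the "Data for calculating relevance" and "Conclusions" cells of that table (this is not the article's code), the script below carries out the calculation of the FSTEC 2008 methodology for personal data systems as I recall it: the initial ISPDn security class Y1, the threat probability Y2, the realizability coefficient Y = (Y1 + Y2) / 20, and the lookup of realizability class against expert danger rating. The ISPDn ratings, the threat rows and the identifiers N1, N2 and TS are constructed assumptions that mirror the sample tables in this article; check the scores against the methodology text before reusing them.

```python
# Added example (not the article's code): threat relevance in the style of the
# FSTEC 2008 methodology for ISPDn, as recalled by this example's author.
#   Y1 initial security: high 0 / medium 5 / low 10
#   Y2 probability:      unlikely 0 / low 2 / medium 5 / high 10
#   Y = (Y1 + Y2) / 20;  Y <= 0.3 low, <= 0.6 medium, <= 0.8 high, else very high
from dataclasses import dataclass

INITIAL_SECURITY_SCORE = {"high": 0, "medium": 5, "low": 10}
PROBABILITY_SCORE = {"unlikely": 0, "low": 2, "medium": 5, "high": 10}

# (realizability class, expert danger rating) -> the threat is relevant
RELEVANCE = {
    ("low", "low"): False,      ("low", "medium"): False,      ("low", "high"): True,
    ("medium", "low"): False,   ("medium", "medium"): True,    ("medium", "high"): True,
    ("high", "low"): True,      ("high", "medium"): True,      ("high", "high"): True,
    ("very high", "low"): True, ("very high", "medium"): True, ("very high", "high"): True,
}


def initial_security_level(ratings: dict) -> str:
    """Y1 class: >= 70 % of characteristics rated 'high' -> high; >= 70 %
    rated 'high' or 'medium' -> medium; otherwise low."""
    if not ratings:
        raise ValueError("no ISPDn characteristics given")
    total = len(ratings)
    high = sum(v == "high" for v in ratings.values())
    not_low = sum(v in ("high", "medium") for v in ratings.values())
    if high / total >= 0.7:
        return "high"
    if not_low / total >= 0.7:
        return "medium"
    return "low"


def realizability(y1_level: str, probability: str) -> tuple:
    """Return (Y, realizability class) for one threat."""
    y = (INITIAL_SECURITY_SCORE[y1_level] + PROBABILITY_SCORE[probability]) / 20
    if y <= 0.3:
        return y, "low"
    if y <= 0.6:
        return y, "medium"
    if y <= 0.8:
        return y, "high"
    return y, "very high"


@dataclass(frozen=True)
class ThreatRecord:
    """One Appendix B row: Threat -> Violator -> Assets -> Violated properties
    -> Data for calculating relevance."""
    threat_id: str
    description: str
    intruders: tuple     # identifiers from the Appendix A table, e.g. ("N1",)
    assets: tuple        # asset identifiers from section 3, e.g. ("TS",)
    violated: frozenset  # subset of {"C", "I", "A"}
    probability: str     # unlikely / low / medium / high
    danger: str          # low / medium / high (expert rating)

    def assess(self, y1_level: str) -> dict:
        """The row's Conclusions cell: Y, realizability class, relevance."""
        if self.danger not in ("low", "medium", "high"):
            raise ValueError(f"{self.threat_id}: unknown danger {self.danger!r}")
        y, cls = realizability(y1_level, self.probability)
        return {"threat": self.threat_id, "Y": y, "realizability": cls,
                "relevant": RELEVANCE[(cls, self.danger)]}


def build_appendix_b(ratings: dict, threats: list) -> list:
    """Assess every threat against one ISPDn; returns the conclusion rows."""
    y1 = initial_security_level(ratings)
    return [t.assess(y1) for t in threats]


# Constructed sample: the seven initial-security characteristics of a
# hypothetical ISPDn (3 high, 3 medium, 1 low -> class 'medium', Y1 = 5).
SAMPLE_RATINGS = {
    "territorial placement": "high", "connection to public networks": "medium",
    "built-in record operations": "high", "access delimitation": "high",
    "links to other PD databases": "medium", "PD generalization level": "medium",
    "PD volume given to third parties": "low",
}
# Constructed threats taken from this article's attack list; N1/N2 and TS
# are identifiers in the sample Appendix A and section 3 tables.
SAMPLE_THREATS = [
    ThreatRecord("T1", "analysis of network traffic", ("N1",), ("TS",),
                 frozenset({"C"}), "medium", "medium"),  # Y=0.50 medium -> relevant
    ThreatRecord("T2", "introduction of unauthorized devices", ("N2",), ("TS",),
                 frozenset({"C", "I"}), "low", "low"),    # Y=0.35 medium -> not relevant
    ThreatRecord("T3", "cryptanalysis", ("N1",), ("TS",),
                 frozenset({"C"}), "unlikely", "high"),   # Y=0.25 low, high danger -> relevant
]

if __name__ == "__main__":
    for row in build_appendix_b(SAMPLE_RATINGS, SAMPLE_THREATS):
        print(row)
```

Note that T3 is relevant despite a low realizability coefficient: in this scheme a high expert danger rating alone is enough, which is why the danger column of the table must be filled in honestly rather than defaulted.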

Appendix C

Appendix C is for reference. It describes the methods for calculating relevance or the methods for assessing risk.

As a result, when this design technique is used, the threat model becomes a readable and useful document that can be used in the organisation.

Thank you for your attention.
