Protecting information from insiders using software. Insider threats: a new challenge for corporate information security services

According to various analyst firms, information leakage very often occurs not through theft from outside, but through the transfer of confidential information by an organization’s own employees to representatives of competing organizations. Today there are many devices to which any document stored on the organization’s local network can be copied, and not only external USB drives or CD/DVD drives: information can also be copied to mp3 players and cell phones, which need not even be connected directly to a computer, or to external equipment that connects to the local network via Wi-Fi and other means. Add to this sending by e-mail and instant messaging programs, and posting to forums, blogs and chats. There are many options; is it possible to protect yourself against them?

Various methods are used to protect data from insiders, including special programs designed to control the use of peripheral devices. In this article we will look at several such programs, both foreign and domestic, and try to determine where and when each should be used.

The program is intended to restrict access to various peripheral devices, with the ability to create white lists, monitor user activity, and shadow-copy files copied to or from controlled devices. The tracking drivers can be installed either centrally or locally.

Installation can be carried out centrally, or locally if network access to the protected computer is limited or impossible. A single distribution kit includes several modules: a server module, installed on a server in the office local network, which allows or prohibits specific actions and saves information to a database; a client, implemented as a tracking driver; an administrator console; and a database, which uses SQLite.

The tracking drivers control various ports, including USB, COM, LPT, WiFi, IR and others. Depending on the port type, access can be denied completely, limited to reading, or granted in full. Access cannot be scheduled by time. It was also noted that when a device such as a USB flash drive was set to read-only, it remained possible to edit ordinary text files on the device and save them back to the same media, so the read-only mode should be verified before relying on it.

The program shows the USB devices connected to computers and keeps a log of user actions with external storage devices. The time of connection and disconnection of each device, and which files were read or written and when, are saved in the database. Shadow copying is implemented for files read from or written to USB devices. There is no shadow copying of files sent to printers or other devices; they are only logged.

There is a “white list” of USB devices to which access must always be open on all computers (for example, USB keys). This list is the same for all computers; there are no individual lists for individual users.

The program provides configuration of access to various external devices, but does not distinguish printers connected to these ports from the general list of USB devices. It does, however, distinguish removable media and can assign them different types of access. Removable media are automatically entered into the device database (the program records every USB drive that has ever been connected to a specific computer), which allows the access rights assigned to them to be applied on any computer protected by the program.

Client parts can be installed centrally using Active Directory Group Policy; local installation and installation from the program’s administrator panel remain possible as well. Access rights are differentiated based on access control policies, and several policies can be created and applied individually to different computers. In addition to access control, the program logs the use of devices on the local computer.

The program supports shadow copying: saving an exact copy of every file the user copies to external storage devices. The copies are kept in a special storage and can later be analyzed with the built-in analysis system. Shadow copying can be set for individual users and user groups. When the “keep only log” option is enabled, only information about copied files is saved, without an exact copy of the file.

The program does not have the concept of a “white list” of devices. Instead, removable media can be specified in the general policy and access to them allowed from any computer. Note that the same settings cannot be applied to individual CD/DVD drives.

The GFI program (GFI EndPointSecurity) significantly exceeds the previous programs in its capabilities; for example, it controls many more device types (iPod media players, Creative Zen, mobile phones, digital cameras, tape and Zip-disk archiving devices, web cameras, scanners).

The program provides three standard access-rights profiles: for servers, workstations and laptop computers. In addition to blocking devices, it can block access to files depending on their type; for example, read access to document files can be allowed while access to executable files is denied. Access to devices can be blocked not only by device type but also by the physical port to which the external device is connected. Access rights can also be assigned by unique device identifier.

The administrator can maintain two types of device lists: devices to which access is allowed by default (“white list”) and devices to which access is prohibited (“black list”). An IT specialist can grant temporary permission to access a device or group of devices on a single computer; this is implemented by generating a special code that can be given to the user even when the computer is disconnected from the network and the program agent cannot reach the server.

The program supports BitLocker To Go, the Windows 7 feature for protecting and encrypting data on removable devices. GFI EndPointSecurity can recognize such devices and grant access to the files stored on them based on file type.

The program provides the administrator with a powerful reporting system. The statistics subsystem (GFI EndPointSecurity ReportPack) shows, in text and graphical form, a daily summary of device usage both for selected computers and for all computers together. Statistics on user activity are also available by day, week and month, broken down by applications used, devices, and file access paths.

One of the most common programs for protecting information from insiders in Russia today. It is published in Russia under the brand name “1C: Distribution”.

The program controls not only devices running Windows Mobile but also devices running iPhone OS and Palm OS. Shadow copying of all files and data written to these devices is provided regardless of the port through which they are connected to the controlled computer. Shadow copying can be configured not only by device but also by file type, and the type is determined from the file’s content rather than its extension.

Read-only access can be set for removable media, including tape drives. As an additional option, media can be protected from accidental or intentional formatting. A log can also be kept of all user actions with both devices and files (not only copying and reading, but also deleting, renaming, and so on).

Stream compression can be used to reduce network load when transmitting data received from agents and shadow copy files. In large networks, shadow copy data may be stored on several servers; the program automatically selects the optimal server, taking into account network bandwidth and server load.

Many organizations use disks protected by encryption programs such as ViPNet SafeDisk, PGP Whole Disk Encryption, DriveCrypt and TrueCrypt. For such disks the program can set special “encryption policies”, which allow only encrypted data to be written to removable devices. It also supports the Lexar JumpDrive SAFE S3000 and Lexar SAFE PSD flash drives, which implement hardware data encryption. The next version will also support BitLocker To Go, the tool built into Windows 7 for encrypting data on removable media.

Shadow copying is intended not only for saving copies of files but also for analyzing the information that was moved. The program can perform full-text search of file contents, automatically recognizing and indexing documents in various formats.

The release of a new version has already been announced. In addition to full-text search, it will implement content filtering of files copied to removable storage devices of any type, as well as control of the content of data transmitted from the computer over network channels, including email applications, interactive web services, social media, forums and conferences, the most popular instant messaging services, file exchange via FTP, and Telnet sessions.

Unique to the new version is a technology for filtering text data in the network and local document printing channel for jobs in PCL and PostScript formats, which allows printing of a document to be blocked or allowed depending on its content.

Conclusions

The article closed with a feature comparison table of the reviewed programs. Only the row headings and a few cell values survived; the per-product marks did not, so the criteria are listed here without attributing values to particular products:

  • Remote client management
  • Management via MMC snap-in
  • Centralized policy installation, monitoring and recovery
  • Control of external devices (one program: USB only)
  • WiFi adapter control
  • Control of Palm OS and iPhone/iPod devices (two programs: limited)
  • Whitelist technology support
  • Support for media whitelisting technology
  • Support for external encrypted drives
  • Blocking keyloggers
  • Limiting the volume of copied data
  • Control of data by type
  • Centralized logging
  • Shadow copy (two programs: USB only; one program: partially)
  • Shadow copying of print data
  • Graphical log and shadow copy reports
  • Full-text search in shadow data

The first two programs discussed can be used to protect information from theft, but their capabilities are limited. They “close” standard external devices to varying degrees, but fall short both in configuration options and in the analysis of user activity. These programs can be recommended “for testing”, to understand the protection process itself. For large organizations that use a variety of peripheral equipment and require analysis of user activity, they will clearly be insufficient.

Such organizations should look at the two remaining programs. These are professional solutions that can be used in companies with both small and large numbers of computers. Both provide monitoring of various peripheral devices and ports and have powerful analysis and reporting systems. But there are significant differences between them, so the GFI program can be taken as the baseline here. The other program can control not only devices and data handling but also the use of software. This capability “pulls” it out of the “Device Control” niche into the “Content-Aware Endpoint DLP” segment. The newly announced capabilities allow it to break away sharply from its competitors: content can be analyzed at the moment the user performs various actions with data, including streaming, and a number of contextual parameters of network communications can be monitored, including email addresses, IP addresses, user IDs and network application resources. Available from 1Soft partners.

Mikhail Abramzon

I think it is obvious to everyone that against the backdrop of the current crisis a huge redistribution of property is taking place, especially in the financial sector. Competitors do not hesitate to use any means; in war, everything goes. Insider information often becomes the key to victory, and for some, the source of defeat.

We are no longer talking about damage to a company’s reputation or some financial difficulties. Often it is a matter of the plain survival of an enterprise.

The classic definition of an insider is a member of a limited circle of people who have access to important, non-public information. From the point of view of financial institutions, an insider is an attacker who uses knowledge about securities issuers to trade on the stock exchange or sells this information to third parties. Law enforcement agencies would call an insider an operative who sells information about the operations of the Ministry of Internal Affairs to an organized criminal group.

Information security specialists consider company employees who have access to certain confidential data located on the enterprise’s local network to be insiders.

Employees may disclose this information voluntarily or involuntarily. Besides outright theft of data for resale or for disclosure to the detriment of the enterprise, there is a huge layer of cases where information fell into the wrong hands by mistake or misunderstanding: a letter with important specifications sent to the wrong address by a careless secretary, or an insufficiently clear instruction from management, as a result of which the source code of a new software product ends up posted on the corporate website.

What data are most often of interest to attackers?

Oddly enough, according to statistics, insiders are most interested in personal data: 68% of respondents to the study “Insider Threats in Russia 2009” noted that this type of information attracts unhealthy attention from employees. This is despite the fact that such information does not bring the commercial benefit of technical specifications for new products, financial reports or business plans. That information also attracts insiders, but it is traditionally better protected in our country.

I would like to note that it is unrealistic to protect absolutely all information from leaks. According to our company’s experts, it makes sense to focus on protecting two main categories of data:

  • Information about the client base - company names, names and contact details of clients (telephones, addresses, email).
  • Information that may cause panic among clients or disruption of major transactions. This may be information about massive staff reductions, freezing of deposits, delays in payments, etc.

It should be noted that systems for protection against unauthorized access or digital rights management (DRM) systems will help only to a very limited extent here, because as a rule it is precisely the people who have access and the appropriate rights who become the source of a leak. So-called DLP systems (Data Leakage Prevention), on the other hand, will be very effective.

Customer information can be protected using formal techniques of database security: analysis of formal file attributes or tracking of file fingerprints. These protection methods are currently supported by most DLP system developers.

Leaks of “panic” information, on the other hand, can only be tracked using so-called content filtering. This is a popular technology used by antivirus and spam filters; its essence is to sort and classify the entire flow of information in the enterprise’s information infrastructure based on content. These are very complex and specialized products that must be configured by professionals.

A key function for preventing insider leaks is blocking the movement of information from the internal information system to the outside, first of all transmission via email and Internet channels (which not all systems provide). Many enterprises settle for ordinary monitoring of information with subsequent analysis; this seems simpler than dealing on the fly with the possible false positives of a DLP system. But it is worth noting that preventing the leakage of information that is truly important to the existence of an enterprise is much better than punishing the perpetrators after the fact. The implementation and maintenance of a DLP system is therefore the best investment for protecting a business from insiders.

Automated leak-prevention systems based on content filtering are far from the only link in the protection chain. Effective protection of confidential data can only be built from a combination of technical, administrative and organizational measures. As an integral part of the fight against insider leaks, the enterprise must take the following measures:

  • Standardization of software, in strict compliance with the requirements of security specialists. A significant share of information leaks through non-standard software installed by users on their own computers.
  • Strict compliance with enterprise security rules, including organizational ones (restrictions on access to premises, restrictions on the use of portable storage devices, etc.).
  • Legally established liability of personnel for disclosure of confidential information, with a clear definition of exactly what is included in the list of such information.
  • Internet access for employees of any rank that is centralized and fully controlled by the IT and security services.
  • Use of user authentication methods when working in the enterprise information environment.
  • Training employees to work safely with information, computers and the Internet.

Recently, the problem of protection against internal threats has become a real challenge to the familiar, established world of corporate information security. The press writes about insiders, researchers and analysts warn of possible losses and troubles, and news feeds are full of reports of yet another incident that led to the leak of hundreds of thousands of customer records through an employee’s error or carelessness. Let us try to figure out whether this problem is really so serious, whether it needs to be dealt with, and what tools and technologies exist to solve it.

First of all, it is worth establishing that a threat to data confidentiality is internal if its source is an employee of the enterprise or some other person who has legal access to that data. Thus, when we talk about internal threats, we mean any possible actions of legitimate users, intentional or accidental, that could lead to the leakage of confidential information outside the enterprise’s corporate network. To complete the picture, such users are often called insiders, although this term has other meanings as well.

The relevance of the problem is confirmed by recent studies. In particular, in October 2008 the results of a joint study by Compuware and the Ponemon Institute were announced, according to which insiders are the most common cause of data leaks (75% of incidents in the United States), while hackers were only in fifth place. The 2008 annual study by the Computer Security Institute (CSI) gives the following figures for insider threat incidents:

The percentage for each incident type is the share of respondent organizations in which that type of incident occurred. As these figures show, almost every organization is at risk of suffering from internal threats. By comparison, according to the same report, viruses affected 50% of the organizations surveyed, and only 13% encountered hackers penetrating the local network.

Thus internal threats are today’s reality, not a myth invented by analysts and vendors. Those who still believe, in the old-fashioned way, that corporate information security consists of a firewall and an antivirus need to take a broader look at the problem as soon as possible.

The law “On Personal Data” also raises the stakes: under it, organizations and officials will have to answer for improper handling of personal data not only to their management but also to their clients and to the law.

Intruder model

Traditionally, consideration of threats and defenses against them starts with an analysis of the adversary model. As already mentioned, we are talking about insiders: employees of the organization and other users who have legal access to confidential information. As a rule, these words bring to mind an office employee working on a computer within the corporate network who does not leave the office while working. This picture is incomplete, however, and must be expanded to include other persons with legal access to information who can leave the office: business travelers with laptops, people working both in the office and at home, couriers transporting media with information (primarily magnetic tapes with backup copies), etc.

Such an expanded intruder model, firstly, fits the concept, since the threats posed by these intruders are also internal, and secondly, allows the problem to be analyzed more broadly, considering all possible options for countering these threats.

The following main types of internal violators can be distinguished:

  • Disloyal or resentful employee. Violators in this category may act purposefully, for example when changing jobs and wanting to take confidential information along to interest a new employer, or emotionally, wanting revenge for a perceived slight. They are dangerous because they are the most motivated to damage the organization they currently work for. As a rule the number of incidents involving disloyal employees is small, but it can grow in unfavorable economic conditions and during mass layoffs.
  • Infiltrated, bribed or manipulated employee. Here we are talking about targeted actions, usually for the purpose of industrial espionage under intense competition. To collect confidential information, a competitor either plants its own person in the company, finds a less than loyal employee and bribes him, or uses social engineering to get a loyal but careless employee to hand over confidential information. The number of incidents of this kind is usually even smaller than the previous one, because in most segments of the Russian economy competition is either not very developed or is conducted by other means.
  • Negligent employee. This type of violator is a loyal but inattentive or negligent employee who may violate the enterprise’s internal security policy through ignorance or forgetfulness. Such an employee might mistakenly send an email with a sensitive attachment to the wrong person, or take home a flash drive with confidential information to work on over the weekend and lose it. This type also includes employees who lose laptops and magnetic tapes. According to many experts, this type of insider is responsible for the majority of confidential information leaks.

Thus the motives, and consequently the course of action, of potential violators may differ significantly, and the approach to ensuring the organization’s internal security should depend on this.

Technologies for protecting against insider threats

Despite the relative youth of this market segment, customers already have plenty to choose from depending on their goals and budget. It is worth noting that there are now practically no vendors on the market who specialize exclusively in internal threats. This situation has arisen not only from the immaturity of the segment but also from the aggressive, sometimes chaotic, mergers and acquisitions carried out by manufacturers of traditional security products and other vendors interested in a presence in the segment. Recall RSA Data Security, which became a division of EMC in 2006; NetApp’s 2005 purchase of the startup Decru, which developed systems for protecting server storage and backups; Symantec’s purchase of the DLP vendor Vontu in 2007; and so on.

Although the large number of such transactions indicates good prospects for the segment, they do not always benefit the quality of the products that come under the wing of large corporations. Products begin to develop more slowly, and developers respond less quickly to market demands than a highly specialized company would. This is a well-known disease of large companies, which lose in mobility and efficiency to their smaller brethren. On the other hand, service quality and product availability for customers in different parts of the world improve thanks to the larger service and sales network.

Let's consider the main technologies currently used to neutralize internal threats, their advantages and disadvantages.

Document control

Document control technology is embodied in modern rights management products, such as Microsoft Windows Rights Management Services, Adobe LiveCycle Rights Management ES and Oracle Information Rights Management.

The operating principle of these systems is to assign usage rules to each document and enforce those rights in the applications that work with documents of that type. For example, you can create a Microsoft Word document and set rules for who may view it, who may edit and save changes, and who may print. In Windows RMS terms these rules are called a license and are stored with the file. The contents of the file are encrypted so that unauthorized users cannot view it.

Now, if a user tries to open such a protected file, the application contacts a special RMS server, which verifies the user’s permissions and, if the user is allowed access, passes the application the key to decrypt the file along with information about the user’s rights. Based on this information, the application makes available only the functions the user is entitled to. For example, if a user is not allowed to print a file, the application’s print function is unavailable.

So the information in such a file is safe even if the file leaves the corporate network, because it is encrypted. RMS functionality is already built into the Microsoft Office 2003 Professional Edition applications, and Microsoft offers a special SDK for embedding RMS functionality into applications from other developers.

Adobe’s document control system is built in a similar way but is focused on PDF documents. Oracle IRM is installed on client computers as an agent and integrates with applications at runtime.

Document control is an important part of the overall concept of insider threat protection, but its inherent limitations must be taken into account. Firstly, it is designed exclusively for controlling document files; it does nothing for unstructured files or databases. Secondly, if an attacker uses the system’s SDK to write a simple application that talks to the RMS server, obtains the decryption key and saves the document in clear text, and runs it as a user who has only the minimum (view) level of access to the document, the system is bypassed: the usage rights are enforced by the client application, not by the cryptography. In addition, deploying document control in an organization that has already created many documents is difficult, since the initial classification of documents and assignment of usage rights may require significant effort.

This does not mean that document control systems fail at their task; we only need to remember that information security is a complex problem that, as a rule, cannot be solved with a single tool.

Leak protection

The term data loss prevention (DLP) appeared in the vocabulary of information security specialists relatively recently and has already become, without exaggeration, the hottest topic of recent years. As a rule, DLP refers to systems that monitor possible leak channels and block any attempt to send confidential information through them. In addition, such systems often include the ability to archive the information passing through them for subsequent audit, incident investigation and retrospective risk analysis.

There are two types of DLP systems: network DLP and host DLP.

Network DLP works on the principle of a network gateway that filters all data passing through it. Given the task of combating internal threats, the main interest of such filtering is controlling data transmitted outside the corporate network to the Internet. Network DLP can monitor outgoing mail, HTTP and FTP traffic, instant messaging services, etc., and block a transmitted file if sensitive information is detected. Manual processing of suspicious files is also an option: they are placed in quarantine, which a security officer periodically reviews, allowing or denying each transfer. Due to the nature of the protocols, however, such processing is only possible for email. Further opportunities for audit and incident investigation come from archiving all information passing through the gateway, provided the archive is periodically reviewed and its contents analyzed to identify leaks that have occurred.

One of the main problems in implementing DLP systems is the method of detecting confidential information: the moment at which a decision is made about whether the transmitted information is confidential, and the grounds taken into account in making that decision. As a rule, this involves analyzing the content of transmitted documents, also called content analysis. Let us consider the main approaches to detecting confidential information.

  • Labels. This method is similar to the document control systems discussed above. Labels embedded in documents describe the degree of confidentiality of the information, what can be done with the document, and to whom it may be sent. Based on the analysis of the labels, the DLP system decides whether a given document may be sent outside or not. Some DLP systems are designed to be compatible with rights management systems in order to use the labels those systems apply; others use their own label format.
  • Signatures. This method consists of specifying one or more character sequences whose presence in the text of the transferred file tells the DLP system that the file contains confidential information. A large number of signatures can be organized into dictionaries.
  • Bayes method. This method, used to combat spam, can also be applied successfully in DLP systems. A list of categories is created, and for each category a list of words is given together with the probability that a file containing the word belongs (or does not belong) to that category.
  • Morphological analysis. This method is similar to the signature method; the difference is that an exact 100% match with the signature is not required, and words with the same root are also taken into account.
  • Digital fingerprints. The essence of this method is that a hash function is calculated for all confidential documents in such a way that if a document is changed slightly, the hash value remains the same or also changes only slightly. This greatly simplifies the detection of confidential documents. Despite the enthusiastic praise of this technology from many vendors and some analysts, its reliability leaves much to be desired, and given that vendors, under various pretexts, prefer to leave the details of their fingerprint algorithms in the shadows, trust in it does not increase.
  • Regular expressions. Known to anyone who has dealt with programming, regular expressions make it easy to find template data in text, for example telephone numbers, passport details, bank account numbers, social security numbers, etc.
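As an added illustration (not code from the article or from any DLP vendor), the following implements three of the methods above side by side: a small signature dictionary, a regular expression for account-number-shaped data, and a similarity-preserving "digital fingerprint" built from hashed word 3-grams, so that a lightly reworded copy of a registered document still scores close to the original. All documents, phrases and account numbers are constructed.

```python
import re
from hashlib import sha256

# Constructed sample policy for this example; not taken from any real DLP product.
SIGNATURES = {                      # exact phrases (a small dictionary) -> category
    "project orion": "internal-projects",
    "board minutes": "management",
}
PATTERNS = {                        # regular expressions for template data
    "account number": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){3,7}\b"),
}

def fingerprint(text, n=3):
    """Similarity-preserving 'digital fingerprint': the set of hashed word
    n-grams (shingles). Editing a few words changes only a few shingles,
    so a lightly reworded copy still overlaps strongly with the original."""
    words = re.findall(r"\w+", text.lower())
    grams = (" ".join(words[i:i + n]) for i in range(len(words) - n + 1))
    return {sha256(g.encode()).hexdigest()[:16] for g in grams}

def similarity(fp_a, fp_b):
    """Jaccard similarity of two fingerprints, from 0.0 to 1.0."""
    if not fp_a or not fp_b:
        return 0.0
    return len(fp_a & fp_b) / len(fp_a | fp_b)

def analyze(text, reference_prints, threshold=0.5):
    """Findings a gateway would act on: (method, what matched, detail)."""
    findings = []
    lowered = text.lower()
    for phrase, category in SIGNATURES.items():
        if phrase in lowered:
            findings.append(("signature", phrase, category))
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append(("regex", name, match.group()))
    fp = fingerprint(text)
    for doc_id, ref_fp in reference_prints.items():
        score = similarity(fp, ref_fp)
        if score >= threshold:
            findings.append(("fingerprint", doc_id, round(score, 2)))
    return findings

# Constructed confidential document registered in the fingerprint store.
CONFIDENTIAL = ("Project Orion budget: the pilot phase covers three regions "
                "and is funded from the reserve. Distribution is restricted "
                "to the steering committee only.")
REFERENCE_PRINTS = {"orion-budget-v1": fingerprint(CONFIDENTIAL)}

# An outgoing message that lightly rewords the document and adds an account
# number (also constructed), and a harmless message for comparison.
OUTGOING = ("Project Orion budget: the pilot phase covers four regions and "
            "is funded from the reserve. Distribution is restricted to the "
            "steering committee only. Pay to DE00 1234 5678 9012 3456.")
HARMLESS = "Lunch menu for Friday: soup, pasta and fruit. Register at reception."

if __name__ == "__main__":
    for label, message in (("outgoing", OUTGOING), ("harmless", HARMLESS)):
        print(label, analyze(message, REFERENCE_PRINTS))
```

Changing one word and appending a sentence leaves the outgoing message at a Jaccard score of about 0.58 against the registered document, while the harmless message produces no findings at all; the threshold is where the false-positive/false-negative trade-off discussed below is tuned.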

From the above list it is easy to see that the detection methods either do not guarantee 100% identification of confidential information, since their rate of both false positives and false negatives (errors of the first and second kind) is quite high, or require constant vigilance from the security service to update and maintain an up-to-date list of signatures or to assign labels to confidential documents.

In addition, traffic encryption can create a certain problem for network DLP. If security requirements oblige you to encrypt e-mail messages or to use SSL when connecting to web resources, the problem of detecting confidential information in transferred files can be very difficult to resolve. Don't forget that some instant messaging services, such as Skype, have encryption built in by default. You will have to either refuse to use such services or use host DLP to control them.

However, despite all the complexities, when properly configured and taken seriously, network DLP can significantly reduce the risk of leaking confidential information and provide an organization with a convenient means of internal control.

Host DLPs are installed on each host on the network (on client workstations and, if necessary, on servers) and can also be used to control Internet traffic. However, host-based DLPs have become less widespread in this capacity and are currently used mainly for monitoring external devices and printers. As you know, an employee who brings a flash drive or an MP3 player to work poses a much greater threat to the information security of an enterprise than all hackers combined. These systems are also called endpoint security tools, although this term is often used more broadly; for example, anti-virus tools are sometimes called this as well.

As you know, the problem of using external devices can be solved without any special tools: by disabling the ports, either physically or through the operating system, or administratively, by prohibiting employees from bringing any storage media into the office. However, in most cases the “cheap and cheerful” approach is unacceptable, since it does not provide the flexibility of information services that business processes require.

Because of this, a demand has arisen for special tools that solve the problem of company employees using external devices and printers more flexibly. Such tools allow you to configure access rights for users to various types of devices: for example, for one group of users to prohibit work with media and allow work with printers, and for another to allow work with media in read-only mode. If it is necessary for individual users to record information on external devices, shadow copy technology can be used, which ensures that all information saved to an external device is also copied to the server. The copied information can subsequently be analyzed to review user actions. This technology copies everything; currently there are no systems that perform content analysis of the stored files in order to block the operation and prevent the leak, as network DLPs do. However, an archive of shadow copies supports incident investigation and retrospective analysis of events on the network, and the existence of such an archive means that a potential insider can be caught and punished for their actions. This may turn out to be a significant obstacle for them and a significant reason to abandon hostile actions.

It is also worth mentioning control over the use of printers: hard copies of documents can also become a source of leakage. Host DLP allows you to control user access to printers in the same way as other external devices, and to save copies of printed documents in a graphical format for later analysis. In addition, the technology of watermarks has become somewhat widespread: a unique code is printed on each page of a document, from which it can be determined exactly who printed this document, when and where.

Despite the undoubted advantages of host-based DLP, it has a number of disadvantages associated with the need to install agent software on each computer that is to be monitored. Firstly, this can cause certain difficulties in deploying and managing such systems. Secondly, a user with administrator rights may try to disable this software in order to perform actions not permitted by the security policy.

However, for reliable control of external devices, host-based DLP is indispensable, and the problems mentioned are not unsolvable. Thus, we can conclude that the concept of DLP is now a full-fledged tool in the arsenal of corporate security services in the face of ever-increasing pressure on them to ensure internal control and protection against leaks.

IPC concept

Scientific and engineering thought does not stand still in inventing new means of combating internal threats, and, taking into account certain shortcomings of the means discussed above, the market for information leak protection systems has arrived at the concept of IPC (Information Protection and Control). This term appeared relatively recently; it is believed to have been first used in a review by the analytical company IDC in 2007.

The essence of this concept is to combine DLP and encryption methods. In this concept, with the help of DLP, information leaving the corporate network through technical channels is controlled, and encryption is used to protect data media that physically fall or may fall into the hands of unauthorized persons.

Let's look at the most common encryption technologies that can be used in the IPC concept.

  • Encryption of magnetic tapes. Despite the archaic nature of this type of media, it continues to be actively used for backup and for transferring large volumes of information, since it still has no equal in terms of the cost per stored megabyte. Accordingly, tape leaks continue to delight the newswire editors who put them on the front page, and to frustrate the CIOs and security teams of the enterprises who become the heroes of such reports. The situation is aggravated by the fact that such tapes contain very large amounts of data, and therefore a large number of people can become victims of scammers.
  • Encryption of server storage. Although server storage is very rarely transported, and the risk of its loss is immeasurably lower than that of magnetic tape, a single HDD from a storage array may still fall into the hands of criminals. Repair, disposal, upgrade: these events occur regularly enough that this risk cannot be written off. And unauthorized persons entering the office is not a completely impossible event either.

Here it is worth making a small digression and mentioning the common misconception that if a disk is part of a RAID array, then supposedly you don’t have to worry about it falling into the wrong hands. It would seem that the striping of recorded data across several hard drives, which RAID controllers perform, renders the data located on any one drive unreadable. Unfortunately, this is not entirely true. Striping does occur, but in most modern devices it operates at the level of 512-byte blocks. This means that, despite the broken file structure and formats, it is still possible to extract confidential information from such a hard drive. Therefore, if there is a requirement to ensure the confidentiality of information stored in a RAID array, encryption remains the only reliable option.
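As an added illustration of this point (not from the article or any controller vendor), the following simulates striping a constructed customer export across two RAID 0 members in 512-byte stripes and counts how many records remain intact on one member on its own; the record layout and account numbers are constructed.

```python
import re

STRIPE = 512  # stripe size of the simulated controller, in bytes
# One constructed 40-byte customer record; all values are made up.
RECORD = b"CUST-%04d;ACCT;DE00 1234 5678 9012 %04d\n"
RECORD_RE = re.compile(rb"CUST-\d{4};ACCT;DE00(?: \d{4}){4}\n")

def build_export(n_records=200):
    """A constructed 'database export' of n fixed-length records."""
    return b"".join(RECORD % (i, i) for i in range(n_records))

def stripe_raid0(data, members=2, stripe=STRIPE):
    """Write data round-robin in stripe-sized chunks over `members` disks,
    as a RAID 0 controller does; returns each member's raw contents."""
    disks = [bytearray() for _ in range(members)]
    for chunk_no, offset in enumerate(range(0, len(data), stripe)):
        disks[chunk_no % members] += data[offset:offset + stripe]
    return [bytes(d) for d in disks]

def intact_records(member):
    """Records that are still complete and contiguous on a single member.
    Only records cut by a stripe boundary are lost; every record that fits
    inside one 512-byte stripe is readable without the other disks."""
    return RECORD_RE.findall(member)

def leak_per_member(n_records=200, members=2):
    """Fraction of records recoverable from each member disk on its own."""
    disks = stripe_raid0(build_export(n_records), members)
    return [len(intact_records(d)) / n_records for d in disks]

if __name__ == "__main__":
    for i, ratio in enumerate(leak_per_member()):
        print(f"member {i}: {ratio:.0%} of records intact")
```

With 40-byte records and 512-byte stripes, only the 12 records that straddle a stripe boundary are damaged; each member alone still yields roughly half of the export in full, which is why the text above treats encryption, not striping, as the control.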

  • Encryption of laptops. This has already been said countless times, but still, the loss of laptops with confidential information has not left the top five of the hit parade of incidents for many years now.
  • Encryption of removable media. In this case we are talking about portable USB devices and, sometimes, recordable CDs and DVDs if they are used in the business processes of the enterprise. Such systems, like the laptop hard drive encryption systems mentioned above, can often act as components of host DLP systems. In this case one speaks of a kind of cryptographic perimeter, which ensures automatic transparent encryption of media inside it and the inability to decrypt the data outside it.

Thus, encryption can significantly expand the capabilities of DLP systems and reduce the risk of leakage of confidential data. Although the concept of IPC took shape relatively recently, and the choice of complete IPC solutions on the market is not yet wide, the industry is actively exploring this area, and it is quite possible that after some time this concept will become the de facto standard for solving the problems of internal security and internal control.

Conclusions

As can be seen from this review, internal threats are a fairly new area in information security, which, nevertheless, is actively developing and requires increased attention. The considered document control technologies, DLP and IPC make it possible to build a fairly reliable internal control system and reduce the risk of leakage to an acceptable level. Without a doubt, this area of information security will continue to develop, and newer and more advanced technologies will be offered, but today many organizations are already opting for one solution or another, since carelessness in matters of information security can be too expensive.

Alexey Raevsky
CEO of SecurIT

Recent studies in the field of information security, such as the annual CSI/FBI Computer Crime And Security Survey, have shown that financial losses to companies from most threats are decreasing year over year. However, there are several risks from which losses are increasing. One of them is the deliberate theft of confidential information or violation of the rules for handling it by those employees whose access to commercial data is necessary to perform their official duties. They are called insiders.

In the vast majority of cases, the theft of confidential information is carried out using mobile media: CDs and DVDs, ZIP devices and, most importantly, all kinds of USB drives. It was their mass distribution that led to the flourishing of insiderism around the world. The heads of most banks are well aware of the dangers of, for example, a database with personal data of their clients or, moreover, transactions on their accounts falling into the hands of criminal structures. And they are trying to combat the possible theft of information using organizational methods available to them.

However, organizational methods in this case are ineffective. Today you can organize the transfer of information between computers using a miniature flash drive, a cell phone, an mp3 player, a digital camera... Of course, you can try to prohibit all these devices from being brought into the office, but this, firstly, will negatively affect relations with employees, and secondly, it is still very difficult to establish really effective control over people: a bank is not a “mailbox”. And even disabling all devices on computers that can be used to write information to external media (FDD and ZIP disks, CD and DVD drives, etc.) and USB ports will not help. After all, the former are needed for work, and the latter are connected to various peripherals: printers, scanners, etc. And no one can stop a person from turning off the printer for a minute, inserting a flash drive into the free port and copying important information to it. You can, of course, find original ways to protect yourself. For example, one bank tried this method of solving the problem: they filled the junction of the USB port and the cable with epoxy resin, tightly “tying” the latter to the computer. But, fortunately, today there are more modern, reliable and flexible control methods.

The most effective means of minimizing the risks associated with insiders is special software that dynamically manages all devices and computer ports that can be used to copy information. The principle of their work is as follows. Permissions to use various ports and devices are set for each user group or for each user individually. The biggest advantage of such software is flexibility. You can enter restrictions for specific types of devices, their models and individual instances. This allows you to implement very complex access rights distribution policies.

For example, you might want to allow some employees to use any printers or scanners connected to USB ports. However, all other devices inserted into this port will remain inaccessible. If the bank uses a user authentication system based on tokens, then in the settings you can specify the key model used. Then users will be allowed to use only devices purchased by the company, and all others will be useless.

Based on the principle of operation of the protection systems described above, you can understand which points are important when choosing programs that implement dynamic blocking of recording devices and computer ports. Firstly, versatility. The protection system must cover the entire range of possible ports and input/output devices. Otherwise, the risk of theft of commercial information remains unacceptably high. Secondly, the software in question must be flexible and allow you to create rules using a large amount of information about devices: their types, models, manufacturers, the unique numbers that each instance has, etc. And thirdly, the insider protection system must be able to integrate with the bank’s information system, in particular with Active Directory. Otherwise, the administrator or security officer will have to maintain two databases of users and computers, which is not only inconvenient, but also increases the risk of errors.
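Added example (not from the article or any product) of the policy model described above: rules per directory group are matched against a device's class, vendor/product ID and individual serial number, with read-only access and shadow copying as possible outcomes and anything unmatched denied. All group names, vendor/product IDs and serials are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    """A device as reported by the endpoint agent; all IDs are constructed."""
    dev_class: str   # "storage", "printer", "scanner", "token", ...
    vendor_id: str   # USB vendor ID
    product_id: str  # USB product ID
    serial: str      # serial number of this individual instance

# Rules per directory group (stand-ins for Active Directory groups), most
# specific first. "match" holds device attributes that must all be equal;
# "allow" is "rw", "ro" or "deny"; "shadow" asks the agent to keep a shadow
# copy of everything written. Group names, IDs and serials are constructed.
RULES = {
    "Accounting": [
        {"match": {"serial": "TOK-0001"}, "allow": "rw"},
        {"match": {"dev_class": "token", "vendor_id": "1234", "product_id": "0001"},
         "allow": "rw"},
        {"match": {"dev_class": "printer"}, "allow": "rw"},
        {"match": {"dev_class": "storage"}, "allow": "ro"},
    ],
    "FieldEngineers": [
        {"match": {"dev_class": "storage"}, "allow": "rw", "shadow": True},
        {"match": {"dev_class": "printer"}, "allow": "deny"},
    ],
}

def _matches(criteria, device):
    return all(getattr(device, key) == value for key, value in criteria.items())

def decide(user_groups, device, action):
    """First matching rule over the user's groups, in the order given, wins;
    action is "read" or "write". Anything unmatched is denied by default.
    Returns the verdict, whether to shadow-copy, and the rule that fired."""
    for group in user_groups:
        for rule in RULES.get(group, []):
            if _matches(rule["match"], device):
                level = rule["allow"]
                allowed = level == "rw" or (level == "ro" and action == "read")
                shadow = allowed and action == "write" and bool(rule.get("shadow"))
                return {"allowed": allowed, "shadow": shadow,
                        "rule": f"{group}:{rule['match']}"}
    return {"allowed": False, "shadow": False, "rule": "default-deny"}

# Constructed devices: a company-purchased token model, a third-party token,
# and an ordinary flash drive.
COMPANY_TOKEN = Device("token", "1234", "0001", "TOK-0042")
OTHER_TOKEN = Device("token", "5678", "0002", "X-1")
FLASH_DRIVE = Device("storage", "0abc", "7777", "FD-9")

if __name__ == "__main__":
    for groups, dev, act in ((["Accounting"], COMPANY_TOKEN, "write"),
                             (["Accounting"], OTHER_TOKEN, "write"),
                             (["Accounting"], FLASH_DRIVE, "write"),
                             (["FieldEngineers"], FLASH_DRIVE, "write")):
        print(groups, dev.serial, act, decide(groups, dev, act))
```

Because the company's token model is whitelisted by vendor and product ID, the third-party token falls through every rule and is denied, matching the "only devices purchased by the company" behaviour above; a user in several groups gets the first group's verdict, so group order is part of the policy.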
