Insider protection. Insider threats: a new challenge for corporate information security services


Today there are two main channels for leaking confidential information: devices connected to a computer (all kinds of removable drives, including flash drives, CD/DVD drives, printers, etc.) and the Internet (e-mail, ICQ, social networks, etc.). So when a company is "ripening" to introduce a system of protection against them, it is advisable to approach the task comprehensively. The problem is that different channels are covered by different approaches. In one case, the most effective protection is control over the use of removable drives; in the other, it is some form of content filtering that blocks the transfer of confidential data to an external network. Companies therefore have to use two products to protect against insiders, which together form a comprehensive security system. Naturally, it is preferable to use tools from one developer: implementation, administration and employee training are then simpler. An example is the SecurIT products Zlock and Zgate.

Zlock: leak protection through removable drives

The Zlock program has been on the market for a long time. And we already. In principle, there is no point in repeating. However, since the publication of the article, two new versions of Zlock have been released, which have a number of important features. It is worth talking about them, even if very briefly.

First of all, it is worth noting the ability to assign several policies to a computer, which are applied independently depending on whether the computer is connected to the corporate network directly, via VPN, or works offline. This makes it possible, in particular, to automatically block USB ports and CD/DVD drives when the PC is disconnected from the local network. Overall, this feature increases the security of information stored on laptops that employees take out of the office for travel or to work from home.

The second new feature is giving company employees temporary access to locked devices, or even groups of devices, over the phone. It works through the exchange of secret codes generated by the program between the user and the employee responsible for information security. Notably, permission can be issued not only permanently but also temporarily (for a certain time or until the end of the session). This tool can be regarded as a certain relaxation of the security system, but it improves the responsiveness of the IT department to business requests.

The next important innovation in the new versions of Zlock is control over the use of printers. Once configured, the protection system records all user requests to printing devices in a special log. But that is not all: Zlock keeps shadow copies of all printed documents. They are saved in PDF format and are a complete copy of the printed pages, regardless of which file was sent to the printer. This counters leaks of confidential information on paper when an insider prints out data in order to take it out of the office. Shadow copying of information written to CD/DVD discs has also been added to the protection system.

An important innovation is the appearance of the server component Zlock Enterprise Management Server. It provides centralized storage and distribution of security policies and other program settings, and greatly simplifies the administration of Zlock in large and distributed information systems. Also worth mentioning is the appearance of the product's own authentication system, which, if necessary, makes it possible to do without domain and local Windows accounts.

In addition, the latest version of Zlock has several less noticeable but also quite important functions: integrity control of the client module with the ability to block the user's login when tampering is detected, advanced options for deploying the security system, support for the Oracle DBMS, etc.

Zgate: Internet Leak Protection

Now for Zgate. As we have already said, this product is a system for protecting against leakage of confidential information via the Internet. Structurally, Zgate consists of three parts. The main one is the server component, which performs all data-processing operations. It can be installed either on a separate computer or on nodes already operating in the corporate information system: an Internet gateway, a domain controller, a mail gateway, etc. This module in turn consists of three components: one for controlling SMTP traffic, one for controlling the internal mail of a Microsoft Exchange 2007/2010 server, and Zgate Web, which is responsible for controlling HTTP, FTP and IM traffic.

The second part of the protection system is the logging server. It is used to collect information about events from one or more Zgate servers, process and store it. This module is especially useful in large and geographically distributed enterprise systems, as it provides centralized access to all data. The third part is the management console. It uses the standard console for SecurIT products, and therefore we will not dwell on it in detail. We only note that with the help of this module, you can manage the system not only locally, but also remotely.

Management Console

The Zgate system can operate in several modes, and which of them are available depends on how the product is deployed. The first deployment method, which provides two modes, involves working as a mail proxy server. For this, the system is installed between the corporate mail server and the "outside world" (or between the mail server and the sending server, if they are separated). In this case, Zgate can either filter traffic (hold back messages that violate the policy or look questionable) or only log it (let all messages through but keep them in the archive).

The second deployment method involves using the protection system in conjunction with Microsoft Exchange 2007 or 2010. For this, Zgate is installed directly on the corporate mail server. Here, too, two modes are available: filtering and logging. There is also a third option: logging messages from mirrored traffic. Naturally, to use it, the computer on which Zgate is installed must actually receive this mirrored traffic (usually arranged with network equipment).


Zgate operating mode selection

The Zgate Web component deserves a separate story. It is installed directly on the corporate Internet gateway. This subsystem gains the ability to control HTTP, FTP and IM traffic, that is, to process it in order to detect attempts to send confidential information through web mail interfaces and ICQ, or to publish it on forums, FTP servers, social networks, etc. A word about ICQ: many similar products can block IM messengers, but ICQ specifically is usually not among them, simply because it is in Russian-speaking countries that ICQ has become most widespread.

The principle of operation of the Zgate Web component is quite simple. Each time information is sent to any of the controlled services, the system generates a special message containing the information itself and some service data. It is sent to the main Zgate server and processed according to the configured rules. Naturally, sending information in the service itself is not blocked; that is, Zgate Web works only in logging mode. It cannot prevent individual data leaks, but it does make it possible to detect them quickly and stop the activity of a deliberate or unwitting violator.


Configuring the Zgate Web Component

How information is processed in Zgate, and the order of filtering, is determined by a policy developed by a security officer or another responsible employee. It is a series of conditions, each of which corresponds to a certain action. All incoming messages are "run" through them sequentially, one after another, and if any condition is met, the action associated with it is triggered.


Filtration system

In total, the system provides 8 types of conditions, as they say, "for all occasions". The first is the attachment file type. With it, you can detect attempts to send objects of one format or another. Note that the analysis is carried out not by extension but by the internal structure of the file, and you can specify both specific types of objects and groups of them (for example, all archives, video recordings, etc.). The second type of condition is verification by an external application, which can be either a regular program launched from the command line or a script.


Conditions in the filtration system

The next condition is worth dwelling on in more detail: content analysis of the transmitted information. First of all, note how "omnivorous" Zgate is: the program "understands" a large number of different formats, so it can analyze not only plain text but almost any attachment. Another feature of content analysis is its depth. It can range from a simple search for a certain word in the message text or any other field to a full-fledged analysis that takes into account grammatical word forms, stemming and transliteration. But that is not all. The system for analyzing patterns and regular expressions deserves special mention. With it, you can easily detect the presence of data in a certain format in messages, for example, passport series and numbers, phone numbers, contract numbers, bank account numbers, etc. Among other things, this strengthens the protection of personal data processed by the company.


Templates for identifying various sensitive information

The fourth type of condition is analysis of the addresses indicated in the letter, that is, searching them for certain strings. The fifth is analysis of encrypted files: when it runs, the attributes of the message and/or nested objects are checked. The sixth type of condition checks various parameters of letters. The seventh is dictionary analysis, during which the system detects the presence in the message of words from pre-created dictionaries. And finally, the last, eighth type of condition is compound: two or more other conditions combined with logical operators.
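As an added illustration of the policy model described above (this is example code, not Zgate's own code or policy format), here is a small filtering engine: an ordered list of conditions with actions, attachment types decided from the file's leading bytes rather than its extension, regular-expression templates for passport, phone and bank account numbers, address and compound conditions. The message model, the domain names, the sample messages and the regexes are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


# Constructed message model; the real product's internal objects are not public.
@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    attachments: Dict[str, bytes] = field(default_factory=dict)  # name -> raw bytes


# Attachment type is decided by the file's internal structure (leading bytes), not by its extension.
MAGIC = {b"%PDF-": "pdf", b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar", b"\xff\xd8\xff": "jpeg"}
GROUPS = {"archives": {"zip", "rar"}, "images": {"jpeg"}, "documents": {"pdf"}}


def detect_type(data: bytes) -> str:
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return "unknown"


# Pattern templates of the kind the page mentions (constructed regexes; the exact formats are assumptions):
# a Russian passport series/number, a Russian phone number and a 20-digit bank account number.
PATTERNS = {
    "passport": re.compile(r"\b\d{2}\s?\d{2}\s?\d{6}\b"),
    "phone": re.compile(r"(?<!\d)(?:\+7|8)[\s-]?\(?\d{3}\)?[\s-]?\d{3}[\s-]?\d{2}[\s-]?\d{2}(?!\d)"),
    "bank_account": re.compile(r"\b\d{20}\b"),
}

Condition = Callable[[Message], bool]


def attachment_in_group(group: str) -> Condition:
    return lambda m: any(detect_type(d) in GROUPS[group] for d in m.attachments.values())


def matches_pattern(name: str) -> Condition:
    rx = PATTERNS[name]
    return lambda m: bool(rx.search(m.subject) or rx.search(m.body))


def address_contains(fragment: str) -> Condition:
    return lambda m: any(fragment in r for r in m.recipients)


def external_recipient(domain: str) -> Condition:
    return lambda m: any(not r.lower().endswith("@" + domain) for r in m.recipients)


# Compound conditions: other conditions joined with logical operators.
def all_of(*conds: Condition) -> Condition:
    return lambda m: all(c(m) for c in conds)


def any_of(*conds: Condition) -> Condition:
    return lambda m: any(c(m) for c in conds)


@dataclass
class Rule:
    name: str
    condition: Condition
    action: str  # "block", "quarantine" or "archive" (a small subset of possible actions)


def evaluate(policy: List[Rule], msg: Message) -> List[Tuple[str, str]]:
    """Run the message through the rules in order and return the (rule, action) pairs that fired.
    A block action ends processing, because a blocked message is not passed on."""
    fired = []
    for rule in policy:
        if rule.condition(msg):
            fired.append((rule.name, rule.action))
            if rule.action == "block":
                break
    return fired


CORP = "corp.example"  # assumed corporate mail domain
POLICY = [
    Rule("archive leaving the company",
         all_of(attachment_in_group("archives"), external_recipient(CORP)), "quarantine"),
    Rule("personal data leaving the company",
         all_of(external_recipient(CORP), any_of(matches_pattern("passport"), matches_pattern("bank_account"))),
         "block"),
    Rule("phone number to a competitor",
         all_of(matches_pattern("phone"), address_contains("rival.example")), "quarantine"),
    Rule("keep a copy of everything", lambda m: True, "archive"),
]

# Constructed sample messages. The attachment is named .txt but starts with a ZIP signature.
LEAK = Message("ivanov@corp.example", ["friend@mail.example"], "data",
               "Passport 45 12 345678, process the client today", {"notes.txt": b"PK\x03\x04\x14\x00..."})
INTERNAL = Message("ivanov@corp.example", ["petrov@corp.example"], "call me", "my number: +7 (495) 123-45-67")

if __name__ == "__main__":
    for m in (LEAK, INTERNAL):
        print(m.subject, "->", evaluate(POLICY, m))
```

The first message trips the archive rule and is then blocked by the personal-data rule, so the unconditional archive rule never runs for it; the internal message only gets archived because the phone-number rule also requires a competitor's address.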

The dictionaries mentioned in the description of the conditions deserve a separate note. They are groups of words united by a common feature and are used in various filtering methods. It is most logical to create dictionaries that, with a high degree of probability, allow a message to be attributed to one category or another. Their content can be entered manually or imported from existing text files. There is another option for generating dictionaries: automatic. With it, the administrator only needs to specify the folder that contains the relevant documents; the program itself analyzes them, selects the necessary words and assigns their weights. For high-quality dictionaries, it is necessary to point not only to confidential files but also to objects that do not contain confidential information. Overall, automatic generation is most similar to training an anti-spam filter on promotional and regular emails, which is not surprising, because similar technologies are used in both cases.


An example of a financial dictionary

Speaking of dictionaries, one cannot fail to mention another technology for detecting confidential data implemented in Zgate: digital fingerprints. The essence of this method is as follows. The administrator points the system to folders that contain sensitive data. The program analyzes all the documents in them and creates "digital fingerprints": data sets that make it possible to detect an attempt to transfer not only the entire contents of a file but also its individual parts. Note that the system automatically monitors the state of the folders specified for it and creates "fingerprints" on its own for all newly appearing objects in them.


Create a category with digital file fingerprints
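The fingerprinting described above, as an added example that is not Zgate's implementation: each protected document is split into overlapping runs of words, each run is hashed, and an outgoing message is matched against the hashes, so that a quoted fragment is attributed to its source document even when the whole file is not sent. The chunk size, the threshold, the "folder" (a dictionary standing in for a watched directory) and the sample texts are assumptions constructed for the example.

```python
import hashlib
import re
from typing import Dict, Set, Tuple

SHINGLE_WORDS = 5  # words per fingerprint chunk (assumed parameter)


def shingles(text: str) -> Set[str]:
    """Hash every run of SHINGLE_WORDS consecutive normalised words.
    Hashing chunks rather than the whole file is what lets a fragment be recognised."""
    words = re.findall(r"\w+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + SHINGLE_WORDS]).encode("utf-8")).hexdigest()[:16]
        for i in range(len(words) - SHINGLE_WORDS + 1)
    }


class FingerprintIndex:
    def __init__(self) -> None:
        self.index: Dict[str, Set[str]] = {}  # chunk hash -> names of documents containing it
        self.known: Set[str] = set()

    def sync(self, folder: Dict[str, str]) -> Set[str]:
        """Fingerprint documents that appeared since the last call (a constructed stand-in
        for watching the protected folder). Returns the names that were added."""
        added = set()
        for name, text in folder.items():
            if name in self.known:
                continue
            for h in shingles(text):
                self.index.setdefault(h, set()).add(name)
            self.known.add(name)
            added.add(name)
        return added

    def check(self, text: str, threshold: float = 0.3) -> Dict[str, Tuple[int, float]]:
        """Return {document: (matched chunks, share of the message's chunks that match)}
        for every protected document whose share reaches the threshold."""
        msg = shingles(text)
        if not msg:
            return {}
        hits: Dict[str, int] = {}
        for h in msg:
            for name in self.index.get(h, ()):
                hits[name] = hits.get(name, 0) + 1
        return {name: (n, n / len(msg)) for name, n in hits.items() if n / len(msg) >= threshold}


# Constructed protected folder and outgoing messages.
PROTECTED = {
    "contract_2024.txt": ("The parties agree that the licensee shall pay the licensor a royalty of twelve "
                          "percent of net revenue on a quarterly basis starting from the first day of "
                          "January two thousand twenty four"),
}
EXCERPT = "Hi, as discussed: the licensee shall pay the licensor a royalty of twelve percent of net revenue. Thanks"
CLEAN = "Lunch at noon tomorrow, see you there at the usual place near the office"

if __name__ == "__main__":
    idx = FingerprintIndex()
    idx.sync(PROTECTED)
    print(idx.check(EXCERPT))  # the quoted fragment is attributed to contract_2024.txt
    print(idx.check(CLEAN))    # nothing matches
```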

Now it remains only to look at the actions implemented in the protection system. In total, Zgate already implements 14 of them. Most of them define operations performed on the message: in particular, deleting it without sending (that is, in effect blocking transmission of the letter), placing it in an archive, adding or deleting attachments, changing various fields, inserting text, etc. Quarantining a letter is especially worth noting. This action "postpones" the message for manual verification by the security officer, who decides its fate. Also of interest is the action that blocks the IM connection. It can be used to instantly cut off the channel through which a message with confidential information was transmitted.

Two actions stand out somewhat: Bayesian processing and fingerprint processing. Both are designed to check messages for sensitive information; the first uses dictionaries and statistical analysis, while the second uses digital fingerprints. These actions can be performed when a certain condition is met, for example, if the recipient's address is not in the corporate domain. In addition, they (like any other actions) can be set to apply unconditionally to all outgoing messages. In that case, the system analyzes letters and classifies them into certain categories (where possible), and conditions with corresponding actions can then be defined for these categories.


Actions in the Zgate system
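The automatic dictionary generation described earlier (words selected from a confidential folder and a harmless folder and given weights) and the Bayesian processing action just mentioned come down to the same anti-spam style statistics. As an added example, not Zgate's own code, the following builds a weighted dictionary from two constructed sample folders with document-frequency log-odds and Laplace smoothing, then scores a message with naive Bayes over word presence; the sample texts, the stop-word list and the threshold are assumptions.

```python
import math
import re
from collections import Counter
from typing import Dict, Iterable, Set

STOPWORDS = {"the", "and", "for", "with", "please", "will", "this", "that"}


def tokens(text: str) -> Set[str]:
    """Distinct words of a document; the weights are built from document frequency."""
    return {w for w in re.findall(r"[a-z]{3,}", text.lower()) if w not in STOPWORDS}


class DictionaryClassifier:
    """Builds a weighted dictionary from confidential and regular sample folders,
    then scores messages with naive Bayes over word presence."""

    def __init__(self, alpha: float = 1.0) -> None:
        self.alpha = alpha  # Laplace smoothing, so unseen words get weight 0
        self.docs = {"confidential": 0, "regular": 0}
        self.freq = {"confidential": Counter(), "regular": Counter()}

    def train(self, label: str, documents: Iterable[str]) -> None:
        for doc in documents:
            self.docs[label] += 1
            self.freq[label].update(tokens(doc))

    def weight(self, word: str) -> float:
        """Log-odds that a document containing this word is confidential rather than regular."""
        p_conf = (self.freq["confidential"][word] + self.alpha) / (self.docs["confidential"] + 2 * self.alpha)
        p_reg = (self.freq["regular"][word] + self.alpha) / (self.docs["regular"] + 2 * self.alpha)
        return math.log(p_conf / p_reg)

    def dictionary(self, min_weight: float = 0.5) -> Dict[str, float]:
        """The generated dictionary: words that point towards confidentiality, with their weights."""
        vocab = set(self.freq["confidential"]) | set(self.freq["regular"])
        return {w: round(self.weight(w), 3) for w in vocab if self.weight(w) >= min_weight}

    def score(self, text: str) -> float:
        """Probability (0..1) that the message belongs to the confidential category."""
        prior = math.log((self.docs["confidential"] + self.alpha) / (self.docs["regular"] + self.alpha))
        logit = prior + sum(self.weight(w) for w in tokens(text))
        return 1.0 / (1.0 + math.exp(-logit))

    def classify(self, text: str, threshold: float = 0.5) -> str:
        return "confidential" if self.score(text) >= threshold else "regular"


# Constructed sample folders. Both kinds are needed: without harmless documents,
# every word in the confidential folder would look like a signal.
CONFIDENTIAL_FOLDER = [
    "Quarterly balance sheet: net profit, revenue and audit figures for the board",
    "Draft financial statement with net profit and balance sheet totals, confidential",
    "Audit report on revenue recognition and balance sheet reserves",
    "Board pack: net profit forecast, revenue by region and audit findings",
]
REGULAR_FOLDER = [
    "Reminder: team lunch on Friday in the big meeting room",
    "Please book the meeting room for the Friday planning session",
    "Parking lot will be closed on Friday, use the side entrance",
    "Birthday cake in the kitchen, join us after the meeting",
]


def build_classifier() -> DictionaryClassifier:
    clf = DictionaryClassifier()
    clf.train("confidential", CONFIDENTIAL_FOLDER)
    clf.train("regular", REGULAR_FOLDER)
    return clf


if __name__ == "__main__":
    clf = build_classifier()
    print(sorted(clf.dictionary().items(), key=lambda kv: -kv[1])[:8])
    for msg in ("Attached is the balance sheet and net profit forecast for the quarter",
                "Who booked the meeting room for lunch on Friday?"):
        print(f"{clf.score(msg):.3f} {clf.classify(msg)}: {msg}")
```

With four documents per folder, a word seen in three confidential documents and no regular ones gets weight log 4; a word seen in neither folder gets weight 0 and so does not influence the verdict.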

To conclude today's conversation about Zgate, we can sum up a little. This protection system is based primarily on content analysis of messages. This approach is the most common for protection against leakage of confidential information via the Internet. Naturally, content analysis does not provide 100% protection and is probabilistic by nature. However, its use prevents most cases of unauthorized transfer of secret data. Should companies use it or not? Each must decide for itself, weighing the costs of implementation against the possible consequences of an information leak. It is worth noting that Zgate does an excellent job of "catching" regular expressions, which makes it a very effective means of protecting the personal data processed by the company.

Recent research in the field of information security, such as the annual CSI/FBI Computer Crime and Security Survey, has shown that companies' financial losses from most threats are decreasing year by year. However, there are several risks for which losses are increasing. One of them is the deliberate theft of confidential information, or violation of the rules for handling it, by employees whose access to commercial data is necessary for the performance of their official duties. They are called insiders.

In the vast majority of cases, the theft of confidential information is carried out using mobile media: CDs and DVDs, ZIP devices and, most importantly, all kinds of USB drives. It was their mass distribution that led to the flourishing of insiders around the world. The managers of most banks are well aware of what is at stake if, for example, a database with their clients' personal data, let alone transactions on their accounts, falls into the hands of criminal structures. And they try to fight possible theft of information with the organizational methods available to them.

However, organizational methods are ineffective here. Today it is possible to transfer information between computers using a miniature flash drive, a cell phone, an MP3 player, a digital camera... Of course, you can try to ban all these devices from being brought into the office, but firstly, this will negatively affect relations with employees, and secondly, it is still very difficult to establish really effective control over people: a bank is not a "mailbox". Even disabling all devices on computers that can be used to write information to external media (FDD and ZIP drives, CD and DVD drives, etc.) and USB ports will not help. After all, the former are needed for work, and various peripherals are connected to the latter: printers, scanners, etc. And nobody can stop a person from unplugging the printer for a minute, inserting a flash drive into the vacated port and copying important information to it. You can, of course, find original methods of protection. For example, one bank tried this solution: they filled the junction of the USB port and the cable with epoxy resin, firmly "tying" the latter to the computer. But, fortunately, today there are more modern, reliable and flexible methods of control.

The most effective means of minimizing the risks associated with insiders is special software that dynamically manages all devices and computer ports that can be used to copy information. It works as follows. Permissions to use different ports and devices are set for each user group or for each user individually. The biggest advantage of such software is flexibility: you can enter restrictions for specific types of devices, their models and individual instances, which allows you to implement very complex access-rights policies.

For example, some employees can be allowed to use any printers and scanners connected to USB ports. All other devices inserted into this port will remain inaccessible. If the bank uses a user authentication system based on tokens, then in the settings you can specify the key model used. Then users will be allowed to use only devices purchased by the company, and all others will be useless.

Based on the principle of operation described above, you can see what matters when choosing programs that implement dynamic blocking of recording devices and computer ports. First, versatility: the protection system should cover the entire range of possible ports and information input/output devices; otherwise the risk of commercial information theft remains unacceptably high. Secondly, the software should be flexible and allow you to create rules using a wide range of information about devices: their types, manufacturers and models, the unique numbers that each instance has, etc. And thirdly, the insider protection system should integrate with the bank's information system, in particular with Active Directory; otherwise the administrator or security officer will have to maintain two databases of users and computers, which is not only inconvenient but also increases the risk of errors.

To effectively protect against insiders, first of all, it is necessary to ensure control over all communication channels - from an ordinary office printer to an ordinary flash drive and a mobile phone camera.

Insider Protection Methods:

  • hardware authentication of employees (for example, using a USB key or smart card);
  • audit of all actions of all users (including administrators) on the network;
  • the use of powerful software and hardware to protect confidential information from insiders;
  • training of employees responsible for information security;
  • increasing the personal responsibility of employees;
  • constant work with personnel who have access to confidential information (briefing, training, checking knowledge of the rules and of the obligation to comply with information security, etc.);
  • matching the level of salary to the level of confidentiality of the information (within reasonable limits!);
  • encryption of confidential data;
  • but the most important thing, of course, is the human factor: although a person is the weakest link in the security system, he is also the most important! The fight against insiders should not turn into total surveillance of everyone by everyone. The company must have a healthy moral climate, conducive to compliance with the corporate code of honor!

In the Computer Security Institute (CSI) annual survey for 2007, security professionals identified three main problems they had to deal with during the year: 59% named insiders as the No. 1 threat, 52% viruses and 50% loss of mobile media (laptops, flash drives). Thus, for the first time, the problem of insiders in America began to outweigh the problem of viruses. Unfortunately, we do not have such information for Russia, but there is reason to believe that the situation in our country is at least similar. For instance, during a round table on the problem of information leakage due to insider actions, held in October at the annual Aladdin conference, the results of a survey of system administrators of public institutions, known for their low income, were presented. When asked how much they would sell confidential data for, only 10% of respondents answered that they would never commit such an act, about half were ready to take the risk for big money, and about 40% were ready to do it for any reward. As they say, comments are superfluous. The main difficulty in organizing protection against an insider is that he is a legitimate user of the system and, by virtue of his duties, has access to confidential information. It is very difficult to track how an employee uses this access within or outside his official authority. Consider the main tasks of combating insiders (see table).

Recently, the problem of protection against internal threats has become a real challenge to the clear and well-established world of corporate information security. The press talks about insiders, researchers and analysts warn of possible losses and troubles, and news feeds are full of reports of another incident that led to the leak of hundreds of thousands of customer records due to an employee’s mistake or inattention. Let's try to figure out whether this problem is so serious, whether it should be dealt with, and what tools and technologies are available to solve it.

First of all, it is worth determining that the threat to data confidentiality is internal if its source is an employee of the enterprise or any other person who has legal access to this data. Thus, when we talk about internal threats, we are talking about any possible actions of legal users, intentional or accidental, that can lead to the leakage of confidential information outside the corporate network of an enterprise. To complete the picture, it is worth adding that such users are often referred to as insiders, although this term has other meanings.

The relevance of the problem of internal threats is confirmed by the results of recent studies. In particular, in October 2008 the results of a joint study by Compuware and the Ponemon Institute were announced, according to which insiders are the most common cause of data leaks (75% of incidents in the US), while hackers were only in fifth place. In the Computer Security Institute's (CSI) annual survey for 2008, the figures for insider threat incidents are as follows:

The percentage of incidents means that out of the total number of respondents, this type of incident occurred in the specified percentage of organizations. As can be seen from these figures, almost every organization is at risk of suffering from internal threats. For comparison, according to the same report, viruses hit 50% of the organizations surveyed, and only 13% faced the penetration of hackers into the local network.

Thus, internal threats are today's reality, not a myth invented by analysts and vendors. Those who, in the old-fashioned way, believe that corporate information security consists of a firewall and an antivirus need to take a broader look at the problem as soon as possible.

The law "On Personal Data" also raises the stakes: under it, organizations and officials will have to answer for improper handling of personal data not only to their management but also to their customers and before the law.

Intruder Model

Traditionally, consideration of threats and the means of protection against them begins with an analysis of the intruder model. As already mentioned, we are talking about insiders: employees of the organization and other users who have legal access to confidential information. As a rule, what comes to mind at these words is an office employee working on a computer in the corporate network who does not leave the organization's office in the course of work. But this picture is incomplete. It needs to be expanded to include other people with legal access to information who can leave the organization's office: business travelers with laptops, employees working both in the office and at home, couriers carrying media with information, primarily magnetic tapes with backups, etc.

Such an extended view of the intruder model, firstly, fits the concept, since the threats posed by these intruders are also internal, and secondly, allows the problem to be analyzed more broadly, considering all possible options for combating these threats.

The following main types of internal violators can be distinguished:

  • Disloyal / offended employee. Violators in this category may act purposefully, for example, by changing jobs and wanting to steal confidential information in order to interest a new employer, or emotionally, in case they felt offended and want revenge. They are dangerous because they are the most motivated to cause damage to the organization in which they currently work. As a rule, the number of incidents involving disloyal employees is small, but it can increase in a situation of unfavorable economic conditions and massive staff reductions.
  • Embedded, bribed or manipulated employee. In this case, we are talking about purposeful actions, as a rule for the purpose of industrial espionage in a highly competitive environment. To collect confidential information in a competing company, either their own person is introduced for specific purposes, or an employee who is not the most loyal is found and bribed, or a loyal but not vigilant employee is made to hand over confidential information by means of social engineering. The number of incidents of this kind is usually even lower than the previous ones, because in most segments of the economy of the Russian Federation competition is not very developed or is conducted in other ways.
  • Negligent employee. This type of violator is a loyal but inattentive or negligent employee who can violate the enterprise's internal security policy out of ignorance or forgetfulness. Such an employee may mistakenly send an email with a secret file attached to the wrong person, or take a flash drive with confidential information home to work on over the weekend and lose it. The same type includes employees who lose laptops and magnetic tapes. According to many experts, this type of insider is responsible for most leaks of confidential information.

Thus, the motives, and, consequently, the course of action of potential violators may differ significantly. Depending on this, one should approach the solution of the problem of ensuring the internal security of the organization.

Insider Threat Defense Technologies

Despite the relative youth of this market segment, customers already have plenty to choose from depending on their tasks and financial capabilities. It should be noted that now there are practically no vendors on the market that would specialize exclusively in internal threats. This situation is not only due to the immaturity of this segment, but also due to aggressive and sometimes chaotic mergers and acquisitions pursued by manufacturers of traditional means of protection and other vendors interested in a presence in this segment. It is worth recalling RSA Data Security, which became a division of EMC in 2006, NetApp's purchase of Decru, a startup that developed server storage and backup protection systems, in 2005, Symantec's purchase of DLP vendor Vontu in 2007, etc.

Despite the fact that a large number of such transactions indicate good prospects for the development of this segment, they do not always benefit the quality of products that come under the wing of large corporations. Products begin to develop more slowly, and developers are not as responsive to market requirements as compared to a highly specialized company. This is a well-known disease of large companies, which, as you know, lose in mobility and efficiency to their smaller brothers. On the other hand, the quality of service and the availability of products for customers in different parts of the world are improving due to the development of their service and sales network.

Consider the main technologies currently used to neutralize internal threats, their advantages and disadvantages.

Document control

Document control technology is embodied in modern rights management products such as Microsoft Windows Rights Management Services, Adobe LiveCycle Rights Management ES, and Oracle Information Rights Management.

The principle of these systems is to assign usage rules to each document and enforce those rights in the applications that work with documents of these types. For example, you can create a Microsoft Word document and set rules for who can view it, who can edit it and save changes, and who can print it. In Windows RMS terms these rules are called a license and are stored with the file. The content of the file is encrypted so that an unauthorized user cannot view it.

Now, if a user tries to open such a protected file, the application contacts a special RMS server, which verifies the user's authority; if this user is allowed access, the server passes the application the key to decrypt the file along with information about this user's rights. Based on this information, the application makes available only those functions for which the user has rights. For example, if the user is not allowed to print the file, the application's printing functionality will be unavailable.

It follows that the information in such a file is safe even if the file leaves the corporate network, since it is encrypted. RMS features are already built into Microsoft Office 2003 Professional Edition applications. To embed RMS functionality into third-party applications, Microsoft provides a special SDK.

Adobe's document control system is built in a similar way, but is focused on PDF documents. Oracle IRM is installed on client computers as an agent and integrates with applications at runtime.

Document control is an important part of the overall concept of insider threat protection, but the natural limitations of this technology must be considered. First, it is designed solely for controlling document files; when it comes to unstructured files or databases, this technology does not work. Secondly, if an attacker, using the SDK of this system, creates a simple application that communicates with the RMS server, receives the encryption key from it and saves the document in clear text, and runs this application on behalf of a user who has even a minimum level of access to the document, then the system is bypassed. In addition, one should take into account the difficulty of implementing a document control system if the organization has already created many documents: the task of initially classifying them and assigning usage rights can require significant effort.

This does not mean that document control systems fail to do their job; it simply has to be remembered that information protection is a complex problem which, as a rule, cannot be solved with a single tool.

Leak protection

The term data loss prevention (DLP) entered the vocabulary of information security specialists relatively recently and has, without exaggeration, become one of the hottest topics of recent years. As a rule, the abbreviation DLP denotes systems that monitor possible leakage channels and block an attempt to send confidential information through them. In addition, such systems can often archive the information passing through them for later audits, incident investigations and retrospective analysis of potential risks.

There are two types of DLP systems: network DLP and host DLP.

Network DLP works as a network gateway that filters all data passing through it. Given the task of combating internal threats, the main interest of such filtering is the ability to control data leaving the corporate network for the Internet. Network DLP can control outgoing mail, HTTP and FTP traffic, instant messaging services and so on. If sensitive information is detected, the network DLP can block the transfer of the file. Manual handling of suspicious files is also an option: they are placed in quarantine, which a security officer periodically reviews, allowing or prohibiting each transfer. Because of the nature of the protocols, however, such deferred handling is possible only for e-mail, which is store-and-forward; an interactive protocol such as HTTP cannot hold a transfer for hours while a person decides. Additional audit and investigation capabilities come from archiving everything that passes through the gateway, provided the archive is periodically reviewed and analysed to identify leaks that have already occurred.

One of the main problems in selecting and implementing a DLP system is the method of detecting confidential information, that is, how the system decides that the transmitted data is confidential and on what grounds. As a rule, this is done by analysing the content of the transmitted documents, hence the name content analysis. The main approaches to detecting confidential information are the following.

  • Tags. This method is similar to the document control systems discussed above. Labels embedded in documents describe the degree of confidentiality of the information, what may be done with the document and to whom it may be sent. Based on the labels, the DLP system decides whether the document may leave the network. Some DLP systems are built to be compatible with rights management systems and use the labels those systems set; others use their own label format.
  • Signatures. One or more character sequences are specified whose presence in the text of the transferred file tells the DLP system that the file contains confidential information. Large numbers of signatures are organised into dictionaries.
  • Bayesian classification. The method used in spam filtering applies equally well to DLP. A list of categories is created, and for each word a probability is assigned that a file containing it belongs (or does not belong) to a given category; the probabilities for the words in a file are combined into a verdict.
  • Morphological analysis. Similar to the signature method, except that an exact match with the signature is not required: words sharing the same root are also counted.
  • Digital fingerprints. A hash-like function is computed over every confidential document in such a way that if the document is changed slightly the value stays the same or changes only slightly, so a modified copy is still recognised and detection is greatly simplified. Despite enthusiastic praise for this technology from many vendors and some analysts, its reliability leaves much to be desired, and the fact that vendors, under various pretexts, prefer to keep the details of their fingerprinting algorithms in the shade does not add to its credibility.
  • Regular expressions. Familiar to anyone who has programmed, regular expressions make it easy to find patterned data in text: phone numbers, passport details, bank account numbers, social security numbers and so on.
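Three of the methods in the list, implemented as an added example that is not part of the original article and not any DLP vendor's code: a regular expression for card numbers backed by a Luhn check (to cut the false positives the text warns about), a small signature dictionary, and a word-shingle similarity fingerprint that still recognises a lightly edited copy of a registered document. The Bayesian and morphological methods are not shown. The dictionary contents, the similarity threshold and all sample texts are constructed assumptions.

```python
"""Added example (not any DLP vendor's code): regex + Luhn, a signature
dictionary and a shingle-based similarity fingerprint, run over constructed
sample text.  Thresholds, dictionary and samples are assumptions."""
import re

# Regular expression: 13-19 digits with optional single space/dash separators.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most phone numbers and order IDs the regex catches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


# Signatures: a constructed dictionary of phrases, matched case-insensitively.
SIGNATURES = ("for internal use only", "strictly confidential", "project zeus")


def find_signatures(text: str) -> list:
    low = text.lower()
    return [s for s in SIGNATURES if s in low]


# Digital fingerprint: word 3-gram shingles compared by Jaccard similarity,
# so small edits change only the shingles that touch the edited words.
def shingles(text: str, k: int = 3) -> set:
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


class FingerprintIndex:
    def __init__(self):
        self._docs = {}

    def register(self, name: str, text: str) -> None:
        self._docs[name] = shingles(text)

    def best_match(self, text: str):
        """Return (name, similarity) of the closest registered document."""
        s = shingles(text)
        best = (None, 0.0)
        for name, ref in self._docs.items():
            union = s | ref
            if not union:
                continue
            sim = len(s & ref) / len(union)
            if sim > best[1]:
                best = (name, sim)
        return best


def scan(text: str, index: FingerprintIndex, threshold: float = 0.4) -> dict:
    """Combine the three detectors into one block/allow decision."""
    cards = find_card_numbers(text)
    sigs = find_signatures(text)
    name, sim = index.best_match(text)
    return {
        "card_numbers": cards,
        "signatures": sigs,
        "fingerprint": (name, round(sim, 2)) if sim >= threshold else None,
        "block": bool(cards or sigs or sim >= threshold),
    }


# Constructed sample documents.
MEMO = ("The merger with Acme Corp will be announced on Friday. Offer price is "
        "forty dollars per share. Board approval expected next week.")
EDITED_MEMO = ("The merger with Acme Corp will be announced on Monday. Offer price "
               "is forty dollars per share. Board approval is expected next week.")
LUNCH = "Lunch menu for Friday: soup, salad and grilled fish. Please reply by Thursday."
CARD_MAIL = "Customer refund: card 4111 1111 1111 1111, see attached. FOR INTERNAL USE ONLY."

if __name__ == "__main__":
    idx = FingerprintIndex()
    idx.register("merger-memo", MEMO)
    for sample in (EDITED_MEMO, LUNCH, CARD_MAIL):
        print(scan(sample, idx))
```

Two words changed and one inserted in the memo cost five of the twenty original shingles, so the edited copy still scores well above the threshold while the unrelated lunch note scores zero; the regex alone would also flag an eleven-digit phone number with separators, which is why the Luhn check sits behind it.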

It is easy to see from this list that the detection methods either do not guarantee complete detection of confidential information, since their rates of both false positives and false negatives are quite high, or they require constant attention from the security service to keep the signature lists up to date or to keep confidential documents labelled.

Encrypted traffic creates a further problem for network DLP. If, for security reasons, e-mail messages must be encrypted or SSL/TLS is used when connecting to some web resources, detecting confidential information in the transmitted files becomes very difficult. Remember also that some instant messaging services, such as Skype, have encryption built in by default; such services either have to be abandoned or controlled with host DLP.

However, despite all the difficulties, if properly configured and taken seriously, network DLP can significantly reduce the risk of confidential information leakage and provide an organization with a convenient means for internal control.

Host DLP is installed on every host in the network (on client workstations and, where necessary, on servers) and can also be used to control Internet traffic. In that role host DLP has become less widespread, however, and today it is used mainly to control external devices and printers. As the saying goes, an employee who walks into the office with a flash drive or an MP3 player poses a greater threat to enterprise information security than all hackers combined. These systems are also called endpoint security tools, although that term is often used more broadly and is sometimes applied to antivirus software as well.

The problem of external devices can, of course, be solved without any special tools: by disabling the ports physically or in the operating system, or administratively, by forbidding employees to bring any media into the office. In most cases, however, this cheap and cheerful approach is unacceptable, because it does not give the information services the flexibility that business processes require.

Hence a demand for specialised tools that solve the problem of external devices and printers more flexibly. Such tools let you configure users' access rights to various types of devices: for one group of users, for instance, prohibit media and allow printers, and for another group allow media in read-only mode. Where individual users must be allowed to write to external devices, shadow copying can be used: everything written to an external device is also copied to a server, and the copies can later be examined to reconstruct the user's actions. This technology copies everything, and at the time of writing there were no systems that performed content analysis of the saved files in order to block the operation and prevent the leak, as network DLP does. A shadow copy archive does, however, support incident investigation and retrospective analysis, and the existence of such an archive means that a potential insider can be caught and punished for their actions. That may prove a significant obstacle and a weighty reason to abandon hostile actions.

Control of printer use also deserves mention: hard copies of documents can be a source of leaks too. Host DLP controls user access to printers in the same way as to other external devices and can save copies of printed documents in graphic format for later analysis. Watermarking has also gained some ground: a unique code printed on every page of a document makes it possible to determine exactly who printed the document, when and where.

Despite the undoubted advantages of host DLP, it has a number of disadvantages that stem from the need to install agent software on every computer to be monitored. First, this complicates deployment and management. Second, a user with administrator rights can try to disable the agent in order to perform actions the security policy does not allow.

Nevertheless, host DLP is indispensable for reliable control of external devices, and the problems mentioned are not insoluble. We can therefore conclude that DLP is now a fully fledged tool in the arsenal of corporate security services, which face ever-increasing pressure to provide internal control and protection against leaks.

IPC concept

The search for new means of combating internal threats has not stopped, and given the shortcomings of the tools discussed above, the market for leak protection systems has arrived at the concept of IPC (Information Protection and Control). The term is relatively new; it is believed to have first been used in a 2007 review by the analyst firm IDC.

The essence of the concept is to combine DLP with encryption: DLP controls information leaving the corporate network through technical channels, while encryption protects the data carriers that physically fall, or may fall, into the hands of unauthorised persons.

The most common encryption technologies applicable within the IPC concept are the following.

  • Encryption of magnetic tapes. Despite the archaism of this medium, tape continues to be used actively for backup and for transferring large volumes of data, since nothing yet matches its cost per stored megabyte. Accordingly, leaks from lost tapes continue to delight front-page editors and frustrate the CIOs and security officers who are the subject of those reports. The situation is aggravated by the very large amounts of data such tapes hold, so that a great many people can become victims of fraud from a single loss.
  • Encryption of server storage. Server storage is very rarely transported and the risk of losing it is incomparably lower than for tape, but an individual hard drive from a storage system can still fall into the wrong hands. Repair, disposal and upgrades happen regularly enough that the risk cannot be written off, and intruders entering the office is not an impossible event either.

A small digression is in order here about the common misconception that a disk that belongs to a RAID array need not be worried about if it falls into unauthorised hands. It would seem that the striping the RAID controller performs across several hard drives leaves the data on any single drive unreadable. Unfortunately, this is not entirely true. Striping does take place, but in most modern devices it is done at the level of 512-byte blocks. So although the structure of the file system and of file formats is broken up, confidential information can still be extracted from a single drive. If the confidentiality of data stored in a RAID array has to be guaranteed, encryption remains the only reliable option.
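The claim above, as an added example that is not part of the original article and not any RAID controller's or vendor's code: a file is striped round-robin across member disks in 512-byte units, as a RAID-0 layout does, and each member image is then searched with a plain pattern match. Every record shorter than the stripe unit survives intact on one member; only a record that happens to straddle a stripe boundary is torn apart. The record format, the file layout and the disk count are constructed assumptions.

```python
"""Added example (constructed, not any vendor's or controller's code): RAID-0
style round-robin striping with a 512-byte stripe unit, followed by a pattern
search over each member image.  Record format and layout are assumptions."""
import re

STRIPE = 512                                  # stripe unit, as in the claim above
RECORD_RE = re.compile(rb"ACCOUNT:\d{10}")    # constructed 18-byte record


def stripe_across(data: bytes, n_disks: int, unit: int = STRIPE) -> list:
    """Chunk i of `unit` bytes goes to member i mod n_disks (RAID-0 layout)."""
    members = [bytearray() for _ in range(n_disks)]
    for i, off in enumerate(range(0, len(data), unit)):
        members[i % n_disks].extend(data[off:off + unit])
    return [bytes(m) for m in members]


def build_sample_file(n_records: int = 40, spacing: int = 300) -> bytes:
    """Filler bytes with one constructed account record every `spacing` bytes."""
    buf = bytearray(b"." * (n_records * spacing + STRIPE))
    for i in range(n_records):
        rec = b"ACCOUNT:%010d" % i
        buf[i * spacing:i * spacing + len(rec)] = rec
    return bytes(buf)


def recover_records(member_image: bytes) -> list:
    """What a plain search over one member disk gives back."""
    return [m.group().decode() for m in RECORD_RE.finditer(member_image)]


def demo(n_disks: int = 2) -> dict:
    data = build_sample_file()
    members = stripe_across(data, n_disks)
    per_disk = [recover_records(m) for m in members]
    found = sum(len(r) for r in per_disk)
    total = len(RECORD_RE.findall(data))
    return {
        "records_in_file": total,
        "per_disk": [len(r) for r in per_disk],
        "recovered_from_single_members": found,
        "split_across_boundary": total - found,
    }


if __name__ == "__main__":
    print(demo())
```

With records every 300 bytes, exactly one of the forty lands across a 512-byte boundary and is lost to a single-disk search; the other thirty-nine are readable from whichever member holds them, whatever the number of disks. Parity levels such as RAID-5 change nothing here, since their data blocks are stored in the clear as well; only the parity block is derived.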

  • Encryption of laptops. This has been said countless times, yet the loss of laptops containing confidential information has been in the top five of the incident charts for many years.
  • Encryption of removable media. Here we are talking about portable USB devices and, sometimes, recordable CDs and DVDs if they are used in the enterprise's business processes. Such systems, like the laptop disk encryption systems mentioned above, can often act as a component of a host DLP system. In that case one speaks of a crypto-perimeter: media are encrypted automatically and transparently inside it and cannot be decrypted outside it.

Encryption can thus significantly extend the capabilities of DLP systems and reduce the risk of confidential data leaking. Although the IPC concept took shape only recently and the choice of integrated IPC solutions on the market is not yet wide, the industry is actively developing the area, and it is quite possible that in time the concept will become the de facto standard for internal security and internal control.

Conclusions

As this review shows, internal threats are a fairly new area of information security which is nevertheless developing actively and demands increased attention. The document control, DLP and IPC technologies considered here make it possible to build a reasonably reliable internal control system and reduce the risk of leaks to an acceptable level. Without doubt this area will keep developing and newer, more advanced technologies will be offered, but many organizations are choosing a solution today, since carelessness in information security can cost too much.

Alexey Raevsky
CEO of SecurIT

In information security, organizations tend to pay most attention to protection against external attacks, so almost all the funds allocated to security go to protecting vulnerable points on the perimeter of the enterprise network. The IT security market reflects this: in recent years a wide range of products has been offered against viruses, worms, Trojans and other external threats.
Gradually, however, enterprises are beginning to recognise a new danger. It comes not from hackers, spam or random viruses, but from their own employees. Insiders are inside the organization and hold entirely legitimate privileges, so it is much easier for them to reach the information they are interested in than for any outside attacker. To understand the problem better, let us turn to the 2006 study by the American analyst firm Aberdeen Group, "The Insider Threat Benchmark Report - Strategies for Data Protection", for which 88 large American corporations were surveyed.

Main results of the survey of large corporations

The threat from insiders is growing. Modern business can no longer ignore this danger and is preparing intensively to counter it. Companies that choose not to notice it, or skimp on introducing new security systems, suffer serious losses. Many of the companies in the study were hit hard by data breaches and took preventive measures only afterwards. Their example should serve as a lesson to other firms.

Businesses that want to protect themselves from leaks of confidential information should approach the problem responsibly. Irrational savings on security tools will turn into substantial losses in the near future. The best option is to enlist the help of professionals who specialise in insider protection systems. Such systems can be integrated into existing infrastructure easily, and vendors will not only make sure the solution works but also guarantee its effectiveness.

There is no single remedy against insiders as such. Only a whole range of measures and solutions, applied together, will protect information reliably. Despite the inertia of the large vendors, there are enough ready-made suites on the market that protect against insiders and leaks.

One of the most important current information security technologies is network traffic filtering (already implemented by 53% of respondents); another 28% plan to install such filters this year. Data classification is also a very promising technology: although only 42% of corporations use it today, that figure is expected to rise by 44 percentage points this year (to 86%). It is a matter of serious concern, however, that an unreasonably small number of respondents use other effective measures against leaks and insiders, such as monitoring employees' actions.

For many enterprises (44%) one of the main obstacles to introducing additional leak protection tools is limited IT resources. Yet introducing such tools can not only significantly reduce the risk of losing important data but also significantly (by 17.5%) reduce the costs of IT departments.

Current situation

It is not surprising that the consequences of insider incidents are often far worse than those of even a successful hacker attack. There are many reasons for this, and ease of access to information resources alone does not explain everything. The information stolen by insiders is usually more valuable than what hackers can get. One of the biggest reasons behind the rise of the insider threat, and the ease with which insiders commit illegal acts, is the negligence of internal IT security services (where they exist at all). Organizations are not ready to resist insiders because they simply do not have the appropriate tools. Even when the threat is identified, security staff still cannot counter it properly, since they have not gained the necessary experience in this area. Comprehensive solutions for protecting confidential information from insiders can already be found on the market, but responsible managers often do not grasp the gravity of the threat and, by inertia, keep building up the defence of the organization's perimeter against external danger.

Meanwhile, news agencies and the media are paying more and more attention to the problem of insiders. Experts speak of a growing number of leaks of confidential information and of their unhappy consequences: lost time, financial losses and damage to reputation. There is also a global trend for business to turn its attention to internal IT security.

In the course of the study "The Insider Threat Benchmark Report - Strategies for Data Protection", the analysts found that over the past year many suppliers and distributors of IT systems have qualitatively changed their range of solutions, and the share of products designed specifically to combat insiders has grown. At the same time, the largest IT vendors continue to expand their traditional range while keeping the proportions of their product lines unchanged. This indicates either an underestimation of the potential of such products or low current demand. Nevertheless, 41% of American respondents have already implemented security measures in their IT infrastructure that address the insider problem in one way or another.

Russian customers, too, can see for themselves that suppliers' and system integrators' interest in anti-leak and anti-insider systems has grown considerably. Kaspersky Lab, for example, has spun off its internal IT security business into a separate company, InfoWatch, and almost all Russian system integrators have added that company's solutions to their product lines. According to Denis Zenkin, marketing director of InfoWatch, the company's profit rose by 120% in 2005, and 2006 showed a similar picture. This despite the fact that Russian companies lag significantly behind American ones in the use of insider protection systems: according to the study "Internal IT Threats in Russia 2005", in which InfoWatch surveyed more than 300 domestic organizations, only 2% of respondents use systems to combat insiders and leaks. The growth in suppliers' profits, however, clearly shows that the situation is gradually changing.

Another major anti-virus company, McAfee, has also recently shown interest in anti-insider systems. In October 2006 it bought the Israeli firm Onigma, whose sole product detects and prevents leaks. According to the press release, McAfee will integrate Onigma's technology into its own solution and thus begin its expansion into the internal IT security market.

It is possible that in the near future the largest IT security company, Symantec, will also appear on the leak protection market. In general, it is safe to say that adding anti-insider products to one's range is an extremely promising direction for diversification for every link in the distribution chain of IT security solutions.

View from the other side

Let us return to the results of the study "The Insider Threat Benchmark Report - Strategies for Data Protection" and look at insider and leak protection systems through the customer's eyes. All the American companies can be divided roughly into three unequal groups: laggards (30%), mid-tier companies (50%) and leaders (20%). The performance indicators of the laggards are generally below the industry average, and those of the leaders above it. It turns out that every successful organization (100% of respondents) considers the protection of confidential data the most important area in the fight against insiders. The best companies also make much wider use of identification and access control policies (75%). The characteristics of the different groups in the field of internal IT security are presented in the figure.

The charts show that leading companies prefer to treat the introduction of an insider protection system as a fully fledged business project, and they attach special importance to the accompanying services. This lets them build the most effective internal security system without shifting atypical tasks onto their own employees. The best companies in their industries also try to minimise the human factor through fully automated processes. Finally, leaders prioritise integrating products into a single manageable system, and so value the flexibility of the insider protection solution they implement.

Let us now look at the problem of internal security in terms of technology (Table 1). A study of several industries shows that the main technologies in use are passwords, identification systems, biometrics, network traffic scanning and control of user access to confidential information.

Table 1. Security technologies: current state and forecast

Technology | Share of respondents using it now, % | Share of respondents planning to introduce it in the next 12 months, %
Complex passwords | |
Access control lists | |
Network traffic filtering | |
Perimeter scanning | |
Automatic monitoring of employee access | |
Data classification (by degree of confidentiality) | |
Single sign-on | |
Challenge-response identification | |
Authentication via callback to a mobile phone | |

Exactly 50% of the industry's best firms use complex passwords, network traffic filtering and access control lists, and companies intend to increase their use of these technologies significantly: the share of complex passwords is to rise by 26 points to 93%, access control lists by 24 points to 90%, and network traffic filtering from 53 to 81%. The use of ID cards, by contrast, can hardly be called a popular trend despite their current prevalence; only 13% of respondents plan to implement the technology this year.

Curiously, the most promising technologies are automatic monitoring of employees' access to important data (expected to reach 72%) and data classification (from 42% in 2006 to a planned 86%). Here the results of the study coincide with the opinion of domestic information security experts: the InfoWatch analytical centre believes that companies have paid unfairly little attention to automatic monitoring of insider actions and to data classification in recent years, yet without them a reliable protection system simply cannot be built.

Further, the same 53% who use traffic filtering believe that perimeter protection alone is not sufficient for internal security; virtual private networks, among other things, need to be developed so that security is not weakened when communicating with external partners.

These technologies provide a layered approach and improve the security of sensitive data. Beyond the technology, however, the mundane physical security of information must not be forgotten. There are many examples of important documents falling into the hands of intruders after an office break-in and theft of computer equipment, and backup tapes and mobile media with sensitive content are frequently lost in transit or on business trips.

Insider Protection

There is currently no single established view on how user access should be regulated, which forces organizations to provide centralised data management in a distributed environment. Technology can make governability, accountability and data security possible, but it has to be applied properly, and how it is applied depends on the specifics of the customer's business. A deep and comprehensive analysis of the IT infrastructure on which the security system is to be deployed is therefore required. Many customers quite rightly entrust the evaluation and selection of technologies to specially created groups that include specialists from various fields.

Modern technologies and methods of countering insiders differ significantly, because suppliers cannot offer a universal remedy. They provide a range of solutions for identifying anomalies, classifying data by degree of confidentiality and restricting access.

While only 51% of the companies surveyed consider comprehensive insider protection solutions critically important, the remaining 49% do not rate their role as highly. The significance of the result, however, is that at least half of the respondents prefer integrated solutions, which suggests they are genuinely concerned about the problem and understand the importance of combined measures.

In some industries, moreover, participants are required to be more careful about the confidentiality of customer data. Constantly changing legislation at the federal and regional levels pays ever more attention to the protection of personal information (full name, date of birth, home address, credit card numbers, medical insurance details and so on).

Organizations must recognise the importance of legal provisions on the protection of personal data. According to the survey participants, improving governance requires automating authorised access; companies that do not automate access control lists, data preparation and classification can face serious problems. Thus 78% of respondents consider information protection the most important reason for building insider protection. Businesses are only beginning to recognise the threat from insiders and, for various reasons, try to play down the importance of internal incidents, but the trend of growing danger from insiders cannot be hidden.

Challenges to Implementing Insider Protection

Consider two more interesting results of the study. Table 2 lists the five problems respondents considered the most serious when implementing a system of protection against internal threats, together with options for solving them. Table 3 has the same structure but is compiled from the answers of respondents in the group of leading companies. Comparing the two, it is easy to see the difference in approach between the mid-tier companies and the most successful businesses. For the leaders the main problem is overlaying the new solution on technologies already in use (75%), whereas for respondents overall it is limited IT resources (44%). The study found that the advanced organizations have already implemented comprehensive protection of their IT infrastructure, covering both the network itself and the application level, and are now looking for ways to strengthen the established security system. Organizations whose main problem is limited IT resources are seriously constrained in what they can do. This is worrying, since saving on security can lead to much larger losses. IT services, like IT security services, obviously need full funding: they build the base on which all other units operate.

Table 2. The most serious problems in implementing insider protection systems and their possible solutions (all respondents)

Problem | Share of responses, % | Solution | Share of responses, %
Limited IT resources to implement and manage the solution | | Determine requirements prior to implementation |
Complexity of the software solution | | Determine the owners of data and processes |
Overlaying the solution on existing processes | | Provide training on the use of new processes and procedures |

Analysing the tables, one more interesting fact stands out: staff in leading companies show dissatisfaction with innovations much more often than employees of mid-sized enterprises (50 vs. 38%). There is nothing surprising in this. In IT security the human factor is at least half the problem. If, for example, an organization allows contractors, partners or suppliers to use its network but does not bother with procedures regulating access to information, it will certainly have problems in this area.

Table 3. The most serious problems in implementing insider protection systems and their possible solutions (leading companies)

Problem | Share of responses, % | Solution | Share of responses, %
Overlaying the solution on already implemented technologies | | Focus on short projects with quick returns |
Employee resistance to innovation | | Phase new solutions in gradually and roll them out to users slowly |
Lack of funds for the work | | Implement top-down, from the technical and IT department to all other departments |
Limited IT resources to implement and manage the solution | | Demonstrate the capabilities and features of the solutions to department heads |
Poor knowledge of risk assessment tools | | Provide training on the use of new processes and procedures |

In general, lagging and mid-tier companies, unlike the leaders, make less use of automation and integration of solutions and also have inexperienced staff. All this affects the effectiveness with which security procedures are analysed and the results interpreted. Often only the introduction of automated processes and staff development overcomes the human factor. According to the study, about 25% of the best enterprises use fully automated systems, but only 9% of these automation deployments can be described as industrial-grade.

Information security improves when new technologies are deployed in line with business requirements, and continuous improvement of protection systems brings undoubted benefits. According to the study, organizations that implemented insider protection systems saw, on average, the following effects:

  • complaints and requests to IT departments and the support service decreased by 3.5%;
  • the number of IT security incidents decreased by 13%;
  • labor costs in IT departments fell by 17.5%.

Thus, the analysts conclude that organizations that rely only on external protection are doomed to fail. Perimeter security helps repel outside attackers, whereas companies that also implement leak and insider protection systems actually manage to reduce both the number of incidents and their IT costs.

Conclusion

Based on the results of the research and an assessment of the situation, the following conclusions can be drawn. First, there is no single technology for protecting against insiders; only a set of measures can provide adequate security. Disparate products, however good each may be, will not solve the problems that arise when building comprehensive protection. One direction can be closed off, but the difficulty is that there is a huge number of different threats. Attackers act in many ways, and eliminating every possible loophole requires a multi-level system.

Second, responsibility for the safety of confidential information cannot be assigned to one person or even to one department. The IT service and the IT security department should work closely together on this. An even more effective approach is to involve specialists with extensive experience in leak protection: they provide a deep analysis of the existing situation and offer the customer specific solutions. The result is a reliable system that the company's own personnel can maintain with the necessary support from the integrator.

Third, the data held by the organization needs to be carefully studied and classified by degree of confidentiality. An access restriction system should then be built on that classification. Users should not have access to data they do not need for their duties, and access rights must be reviewed periodically to keep the access model up to date.

Fourth, the human factor is one of the critical elements of an information security system; unfortunately, people are the weakest link in the chain. Insiders are often the very employees responsible, if not for protecting confidential information, then at least for keeping it confidential. Whether out of ignorance or carelessness, with or without malicious intent, it is they who can do significant harm to their employers. The situation is far more dangerous when the insider is someone from the IT department or the IT security service: such a person has much broader privileges than most other employees and enough knowledge and means to quietly leak data. For these reasons, successful business operation requires professional systems for monitoring employee actions. They should be as automated as possible and independent of any single person, so that the employee, rather than the system, is what is controlled. Software solutions and suites are the most effective method of protection against the growing insider threat. Of course, methods of working with employees should not be forgotten: staff should be educated about the need to comply with security standards and required to follow existing confidentiality directives. However, only software and hardware controls are able to prevent actual cases of internal theft.
