
Ways to protect information on the network. Information protection in computer networks


Posted on http://www.allbest.ru/

Introduction

1. Problems of information security in computer systems

2. Ensuring the protection of information in networks

3. Security mechanisms

3.1 Cryptography

3.2 Electronic signature

3.3 Authentication

3.4 Network security

4. Requirements for modern information protection tools

Conclusion

Literature

Introduction

In computing, the concept of security is very broad. It covers the reliability of the computer, the safety of valuable data, the protection of information from changes made by unauthorized persons, and the preservation of the secrecy of correspondence in electronic communications. Of course, in all civilized countries the security of citizens is guarded by laws, but in the field of computer technology law enforcement practice is not yet sufficiently developed, the legislative process does not keep pace with the development of computer systems, and security largely relies on self-defense measures.

There is always a problem of choosing between the necessary level of protection and the efficiency of networking. In some cases, users or consumers may perceive security measures as restricting access and effectiveness. However, tools such as cryptography can significantly increase the degree of protection without restricting user access to data.

1. Problems of information security in computer systems

The wide application of computer technology in automated information processing and control systems has aggravated the problem of protecting information circulating in computer systems from unauthorized access. Information protection in computer systems has a number of specific features, stemming from the fact that information is not rigidly bound to its storage medium: it can be easily and quickly copied and transmitted over communication channels. A very large number of threats to information are known that can be carried out by external intruders as well as by internal ones.

A radical solution to the security problems of electronic information can be obtained only through cryptographic methods, which solve the most important problems of secure automated processing and transmission of data. At the same time, modern high-speed methods of cryptographic transformation make it possible to preserve the original performance of automated systems. Cryptographic data transformations are the most effective tool for ensuring data confidentiality, integrity and authenticity. Only their use in conjunction with the necessary technical and organizational measures can provide protection against a wide range of potential threats.

Problems that arise with the security of information transmission when working in computer networks can be divided into three main types:

· interception of information - the integrity of information is preserved, but its confidentiality is violated;

· modification of information - the original message is changed or completely replaced by another and sent to the addressee;

· change of authorship of information. This problem can have serious consequences. For example, someone might send an e-mail on your behalf (this kind of deception is commonly called spoofing), or a web server might pose as an e-shop, accept orders and credit card numbers, but never send any goods.

The needs of modern practical computer science have led to the emergence of non-traditional problems of protecting electronic information, one of which is the authentication of electronic information in conditions where the parties exchanging information do not trust each other. This problem is related to the creation of electronic digital signature systems. The theoretical basis for solving it was the discovery of two-key cryptography by the American researchers Diffie and Hellman in the mid-1970s, a brilliant achievement of the centuries-old evolutionary development of cryptography. The revolutionary ideas of two-key cryptography led to a sharp increase in the amount of open research in the field, and showed new ways of developing cryptography, its new possibilities and the unique value of its methods in modern conditions of mass application of electronic information technologies.

The technical basis for the transition to the information society is modern microelectronic technology, which ensures the continuous growth of the quality of computer equipment and underpins the main trends in its development: miniaturization, reduced power consumption, increasing volume of random access memory (RAM) and capacity of built-in and removable drives, growth in performance and reliability, and expansion of the scope and scale of application. These trends in the development of computer technology have led to the fact that, at the present stage, the protection of computer systems from unauthorized access is characterized by an increased role of software and cryptographic protection mechanisms compared to hardware ones.

The increasing role of software and cryptographic protection means is manifested in the fact that the new problems emerging in the protection of computing systems from unauthorized access require mechanisms and protocols of relatively high computational complexity, which can be solved effectively only by using computer resources.

One of the important social and ethical problems generated by the ever-expanding use of cryptographic information protection methods is the contradiction between the desire of users to protect their information and message transmission and the desire of special government services to be able to access the information of other organizations and individuals in order to suppress illegal activities. In developed countries there is a wide range of opinions on how to regulate the use of encryption algorithms. Proposals range from a complete ban on the widespread use of cryptographic methods to complete freedom of their use. Some proposals would allow only weaker algorithms to be used, or would require the registration of encryption keys. It is extremely difficult to find an optimal solution to this problem. How can one weigh the losses of law-abiding citizens and organizations from the illegal use of their information against the losses of the state from being unable to access the encrypted information of groups hiding illegal activities? How can one reliably prevent the illegal use of cryptographic algorithms by persons who violate other laws? In addition, there are always ways of hidden storage and transmission of information. These questions have yet to be addressed by sociologists, psychologists, lawyers and politicians.

The emergence of global information networks such as the Internet is an important achievement of computer technology; however, a great many computer crimes are associated with the Internet.

Experience of using the Internet has revealed the weakness of traditional information protection mechanisms and the lag in applying modern methods. Cryptography makes it possible to ensure the security of information on the Internet, and work is now underway to introduce the necessary cryptographic mechanisms into this network. The strategically correct decision is not to reject progress in informatization but to use the achievements of modern cryptography. The possibility of widespread use of global information networks and cryptography is an achievement and a sign of a democratic society.

In the information society, basic knowledge of cryptography objectively cannot be the privilege of individual public services; it is an urgent need for the very broad layers of scientific and technical workers who use computer data processing or develop information systems, for security personnel, and for the management of organizations and enterprises. Only this can serve as a basis for the effective implementation and operation of information security tools.

One single organization cannot provide sufficiently complete and effective control over information flows within the entire state and ensure proper protection of the national information resource. However, individual government agencies can create conditions for the formation of a market for high-quality security tools, training a sufficient number of specialists and mastering the basics of cryptography and information protection by mass users.

In Russia and other CIS countries in the early 1990s there was a clear tendency for the expansion of the scale and scope of information technology to outpace the development of data protection systems. To a certain extent this situation was, and still is, typical of the developed capitalist countries as well. This is natural: first a practical problem must arise, and only then are solutions found. The beginning of perestroika, in a situation where the CIS countries lagged far behind in the field of informatization in the late 1980s, created fertile ground for a sharp overcoming of the existing gap.

The example of developed countries and the possibility of purchasing system software and computer hardware inspired domestic users. The involvement of the mass consumer, interested in the operational processing of data and the other advantages of modern information and computing systems, in solving the problem of computerization has led to a very high rate of development of this area in Russia and other CIS countries. However, the natural joint development of information processing automation tools and information protection tools has been largely disrupted, which has become a cause of widespread computer crime. It is no secret that computer crime is currently one of the most pressing problems.

The use of foreign-made security systems cannot rectify this imbalance, since products of this type entering the Russian market do not meet the requirements due to the export restrictions adopted in the United States, the main manufacturer of information security products. Another aspect of paramount importance is that products of this type must pass the established certification procedure in organizations authorized to carry out such work.

Certificates of foreign firms and organizations cannot be a substitute for domestic ones. The very fact of using foreign system and application software creates an increased potential threat to information resources. The use of foreign means of protection without proper analysis of compliance with the functions performed and the level of protection provided can greatly complicate the situation.

Forcing the pace of informatization requires adequate provision of consumers with means of protection. The lack of a sufficient number of means for protecting information circulating in computer systems on the domestic market for a considerable time did not allow data protection measures to be carried out on the required scale. The situation was aggravated by the lack of a sufficient number of specialists in the field of information security, since they were, as a rule, trained only for special organizations. The restructuring of those organizations, associated with the changes taking place in Russia, led to the formation of independent organizations specializing in information security, which absorbed the released personnel; the resulting competition has led to the emergence of a fairly large number of certified security tools from domestic developers.

One of the important features of the mass use of information technologies is that in order to effectively solve the problem of protecting the state information resource, it is necessary to disperse data protection measures among mass users. Information must be protected primarily where it is created, collected, processed and by those organizations that bear direct damage in case of unauthorized access to data. This principle is rational and effective: the protection of the interests of individual organizations is a component of the implementation of the protection of the interests of the state as a whole.

2. Ensuring the protection of information in networks

A computer network concentrates information the exclusive right to use which belongs to certain individuals or groups of individuals acting on their own initiative or in accordance with official duties. Such information must be protected from all types of outside interference: reading by persons who do not have the right to access it, and deliberate changes to it. In addition, the network should take measures to protect its computing resources from unauthorized use, i.e. access to the network by persons who do not have the right to it should be excluded. Physical protection of the system and data can be applied only to working computers and communication nodes and is impossible for transmission facilities of great extent. For this reason, the network must use means that exclude unauthorized access to data and ensure their secrecy.

Studies of the practice of operating data processing and computing systems have shown that there are many possible channels of information leakage and ways of unauthorized access in systems and networks. Among them:

· reading residual information in the system memory after the execution of authorized requests;

· copying media and information files with overcoming protection measures;

· disguise as a registered user;

· masquerading as a system request;

· use of software traps;

· exploiting the shortcomings of the operating system;

· illegal connection to equipment and communication lines;

· malicious incapacitation of protection mechanisms;

· introduction and use of computer viruses.

Ensuring the security of information in computer networks and in stand-alone PCs is achieved by a set of organizational, organizational-technical, technical and software measures.

Organizational measures of information protection include:

· restriction of access to the premises in which the preparation and processing of information takes place;

· admission to the processing and transfer of confidential information only to verified officials;

· storage of magnetic media and registration logs in safes closed for access by unauthorized persons;

· exclusion of viewing by unauthorized persons of the content of processed materials through a display, printer, etc.;

· the use of cryptographic codes in the transmission of valuable information through communication channels;

· destruction of ink ribbons, paper and other materials containing fragments of valuable information.

Organizational and technical measures to protect information include:

· supplying power to equipment that processes valuable information from an independent power source or through special network filters;

· installation of code locks on the doors of premises;

· the use of liquid crystal or plasma displays for displaying information during input and output, and inkjet or thermal printers for hard copies, since the display emits high-frequency electromagnetic radiation strong enough for the image on its screen to be picked up at a distance of several hundred kilometers;

· destruction of information stored in ROM and on the hard drive when decommissioning or sending the PC for repair;

· installation of keyboards and printers on soft pads in order to reduce the possibility of removing information by acoustic means;

· limiting electromagnetic radiation by shielding the premises where information is processed with sheets of metal or special plastic.

Technical means of information protection are systems for protecting territories and premises by shielding machine rooms and organizing access control systems. Protection of information in networks and computing facilities by technical means is implemented on the basis of organizing access to memory using:

· access control to different levels of computer memory;

· blocking data and key entry;

· allocation of control bits for records for the purpose of identification, etc.

Information security software architecture includes:

· security control, including control of registration of entry into the system, recording in the system log, and control of user actions;

· reaction (including sound) to a violation of the protection system for controlling access to network resources;

· control of access credentials;

· formal security control of operating systems (basic system-wide and network);

· control of protection algorithms;

· verification and confirmation of the correct functioning of hardware and software.

For reliable protection of information and detection of unauthorized actions, the operation of the system is logged: special journals and records are kept in which all actions related to the protection of information in the system are recorded. The time of receipt of a request, its type, the name of the user and the terminal from which the request was initiated are recorded. When selecting the events to be logged, it should be borne in mind that as the number of logged events grows, it becomes harder to review the journal and to detect attempts to overcome protection. In this case, program analysis can be applied to single out and record dubious events. Special programs are also used to test the protection system: periodically, or at randomly selected points in time, they check the operation of hardware and software protection.

A separate group of measures to ensure the safety of information and identify unauthorized requests consists of programs for detecting violations in real time. Programs of this group generate a special signal when they register actions that could lead to illegal actions against protected information. The signal may carry information about the nature of the violation, the location of its occurrence, and other characteristics. In addition, such programs can prohibit access to protected information or simulate a mode of operation (for example, an instantaneous load on the I/O devices) that allows the intruder to be identified and detained by the appropriate service.

One of the common methods of protection is an explicit indication of the secrecy of the output information. In systems that support several levels of secrecy, the output to the screen of a terminal or printing device of any unit of information (for example, a file, a record, and a table) is accompanied by a special stamp indicating the level of secrecy. This requirement is implemented using appropriate software tools.

Means of protection against unauthorized use of software form a separate group. They are of particular importance due to the widespread use of PCs.

3. Security mechanisms

3.1 Cryptography

Secrecy is ensured by encryption, or cryptography, which transforms data into an encrypted form from which the original information can be recovered only with a key.

Encryption systems are as old as the written exchange of information.

“Cryptography” in Greek means “secret writing”, which fully reflects its original purpose. Primitive (from today's point of view) cryptographic methods have been known since ancient times, and for a very long time they were considered more a trick than a strict scientific discipline. The classical problem of cryptography is the reversible transformation of some intelligible source text (plaintext) into a seemingly random sequence of characters, called the ciphertext or cryptogram. The ciphertext may contain characters both present in and absent from the open message. The number of characters in the cryptogram and in the original text may in general differ. An indispensable requirement is that, using some logical substitutions of characters in the ciphertext, the original text can be restored unambiguously and completely. In ancient times the reliability of keeping information secret rested on the fact that the transformation method itself was kept secret.

Many centuries passed during which cryptography was the preserve of an elite: priests, rulers, major military leaders and diplomats. Despite its limited spread, the use of cryptographic methods and of ways to overcome enemy ciphers had a significant impact on the outcome of important historical events. More than one example is known of how overestimating the ciphers in use led to military and diplomatic defeats. Despite its application in important areas, the occasional use of cryptography could not bring it anywhere near the role and importance it has in modern society. Cryptography owes its transformation into a scientific discipline to the practical needs generated by electronic information technology.

The awakening of significant interest in cryptography and its development began in the 19th century, which is associated with the birth of telecommunications. In the 20th century, the secret services of most developed countries began to treat this discipline as a mandatory tool for their activities.

Encryption is based on two basic concepts: an algorithm and a key. The algorithm is the way of encoding the original text that produces the encrypted message. The encrypted message can only be interpreted using the key.

Obviously, an algorithm alone is enough to encrypt a message.

The Dutch cryptographer Kerckhoffs (1835 - 1903) was the first to formulate the rule: the strength of a cipher, i.e. of a cryptosystem (a set of procedures controlled by a small amount of secret information), must hold even when the enemy cryptanalyst knows the entire encryption mechanism except the secret key, the information that controls the cryptographic transformations. Apparently, one of the aims of this requirement was to test developed crypto schemes under conditions more stringent than those in which a potential violator could actually operate. This rule stimulated the emergence of better encryption algorithms. One can say that it contains the first element of standardization in the field of cryptography, since it presupposes the development of open transformation methods. Currently the rule is interpreted more broadly: all long-term elements of a protection system must be assumed to be known to a potential attacker. In this last formulation the cryptosystem is included as a special case of a protection system. The formulation assumes that all elements of a protection system are divided into two categories: long-term and easily replaceable. Long-term elements are those related to the development of the protection system, whose change requires the intervention of specialists or developers. Easily replaceable elements are those intended for arbitrary modification, or for modification according to a predetermined rule based on randomly selected initial parameters; they include, for example, a key, a password, an identifier, and the like. The rule reflects the fact that a proper level of secrecy can only be provided for easily replaceable elements.

Although modern requirements demand that cryptosystems withstand cryptanalysis based on a known algorithm and a large amount of known plaintext with its corresponding ciphertext, the ciphers used by special services are still kept secret. This is due to the need for an additional margin of safety, since at present the creation of cryptosystems with provable security is the subject of a developing theory and remains a rather difficult problem. To avoid possible weaknesses, an encryption algorithm can be built on well-studied and tested principles and transformation mechanisms. No serious modern user will rely solely on keeping the algorithm secret, since it is extremely difficult to guarantee a low probability that information about the algorithm will become known to an attacker.

The secrecy of information is ensured by the introduction of special keys (codes) into the algorithms. The use of a key in encryption provides two significant advantages. First, you can use one algorithm with different keys to send messages to different recipients. Secondly, if the key is compromised, it can be easily replaced without changing the encryption algorithm. Thus, the security of encryption systems depends on the secrecy of the key used, and not on the secrecy of the encryption algorithm. Many encryption algorithms are publicly available.

The number of possible keys for a given algorithm depends on the number of bits in the key. For example, an 8-bit key allows 256 (2^8) key combinations. The more possible key combinations there are, the harder it is to find the key and the more securely the message is encrypted. So, for example, with a 128-bit key an attacker would have to enumerate 2^128 keys, which is currently beyond the power of even the most powerful computers. It is important to note that the growing performance of computing technology reduces the time required to break keys, so security systems have to use longer and longer keys, which in turn increases the cost of encryption.

Since the secrecy of the key occupies such an important place in encryption systems, the main problem of such systems is key generation and transmission. There are two main encryption schemes: symmetric encryption (also sometimes called traditional or secret-key encryption) and public-key encryption (sometimes called asymmetric encryption).

In symmetric encryption the sender and receiver share the same (secret) key with which they can both encrypt and decrypt data. Symmetric encryption uses short keys, so large amounts of data can be encrypted quickly. Symmetric encryption is used, for example, by some banks in ATM networks. However, symmetric encryption has several disadvantages. First, it is very difficult to find a secure mechanism by which the sender and receiver can choose a key that is kept secret from everyone else; there is the problem of secure distribution of secret keys. Secondly, a separate secret key must be stored for each addressee. Third, in a symmetric encryption scheme it is impossible to guarantee the identity of the sender, because two users share the same key.

In the public-key encryption scheme two different keys are used for the message. With one of them the message is encrypted, and with the other it is decrypted. Thus the required security can be achieved by making the first key public and keeping the second key (the private key) only with the recipient. In this case any user can encrypt a message using the public key, but only the owner of the private key can decrypt it. There is therefore no need to protect the transfer of the public key, and for users to exchange secret messages it is enough that they have each other's public keys.

The disadvantage of asymmetric encryption is the need to use longer keys than with symmetric encryption to provide an equivalent level of security, which affects the computing resources required to organize the encryption process.

3.2 Electronic signature

Even if the message we want to secure is properly encrypted, it remains possible to modify the original message or replace it with another one. One way to solve this problem is for the sender to pass a short representation of the message to the recipient. Such a concise representation is called a checksum, or message digest.

Checksums are used to create fixed-length summaries representing long messages. Checksum calculation algorithms are designed so that the value is as unique as possible for each message. Thus the possibility of replacing one message with another while keeping the same checksum value is eliminated.

However, when using checksums there is the problem of transferring them to the recipient. One possible way to solve it is to include the checksum in a so-called electronic signature.

With the help of an electronic signature, the recipient can make sure that the message was sent not by a third party but by a sender with certain rights. Electronic signatures are created by encrypting a checksum and additional information using the sender's private key. Thus anyone can decrypt the signature using the public key, but only the owner of the private key can correctly create a signature. To protect against interception and reuse, the signature includes a unique number, a sequence number.

3.3 Authentication

Authentication is one of the most important components of organizing information protection in a network. Before a user is granted the right to a particular resource, it is necessary to make sure that he really is who he claims to be.

When a request is received to use a resource on behalf of a user, the server providing the resource passes control to the authentication server. After receiving a positive response from the authentication server, the requested resource is provided to the user.

Authentication, as a rule, uses the principle of “what he knows”: the user knows some secret word, which he sends to the authentication server in response to its request. One authentication scheme uses ordinary passwords. A password, a set of characters known to the subscriber connected to the network, is entered by him at the beginning of the session with the network and sometimes also at the end (in particularly critical cases, the password for a normal exit from the network may differ from the login one). This scheme is the most vulnerable in terms of security: the password can be intercepted and used by another person. More commonly used now are schemes with one-time passwords. Even if intercepted, such a password will be useless at the next login, and deriving the next password from the previous one is an extremely difficult task. One-time passwords are generated by both software and hardware generators, the latter being devices inserted into a computer slot. Knowledge of the secret word is necessary for the user to activate such a device.

One of the simplest systems that requires no additional equipment costs yet provides a good level of protection is S/Key, which can serve as an example to demonstrate how one-time passwords are presented.

Two parties take part in the S/Key authentication process: a client and a server. When a user logs in to a system that uses the S/Key scheme, the server sends the client machine an invitation containing the seed (transmitted over the network in clear text), the current value of the iteration counter, and a request to enter the one-time password corresponding to that counter value. Having received the response, the server checks it and transfers control to the server of the service the user requested.
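The S/Key exchange described above, as an added example that is not part of the original text. Assumptions: SHA-256 stands in for the MD4-based folding of the real S/Key specification, and the server keeps only the last accepted one-time password, so that neither an intercepted response nor a copy of the server's table reveals the next password.

```python
import hashlib
import hmac

# Added example (not from the original text): simplified S/Key one-time passwords.
# Assumption: SHA-256 is the one-way function f; the real S/Key uses folded MD4.


def one_way(data: bytes) -> bytes:
    """The one-way function f applied at every step of the chain."""
    return hashlib.sha256(data).digest()


def chain_value(password: str, seed: str, iterations: int) -> bytes:
    """Return f^iterations(seed || password): the one-time password for that counter."""
    value = (seed + password).encode()
    for _ in range(iterations):
        value = one_way(value)
    return value


class SKeyClient:
    """Holds the secret password; the password itself never crosses the network."""

    def __init__(self, password: str) -> None:
        self.password = password

    def initialize(self, seed: str, count: int) -> bytes:
        # Sent once, over a trusted channel, when the account is set up.
        return chain_value(self.password, seed, count)

    def respond(self, seed: str, counter: int) -> bytes:
        # Answer to the invitation (seed, counter) that arrived in clear text.
        return chain_value(self.password, seed, counter)


class SKeyServer:
    """Stores the seed, the counter and the last accepted password, never the secret."""

    def __init__(self) -> None:
        self.accounts = {}

    def register(self, user: str, seed: str, count: int, last_value: bytes) -> None:
        self.accounts[user] = {"seed": seed, "count": count, "last": last_value}

    def challenge(self, user: str):
        """The invitation: the seed and the counter the client must answer for."""
        acct = self.accounts[user]
        return acct["seed"], acct["count"] - 1

    def verify(self, user: str, response: bytes) -> bool:
        acct = self.accounts[user]
        if acct["count"] <= 1:
            # Chain exhausted: the next answer would be f^0 = seed || password itself,
            # so the account must be re-initialized with a fresh seed first.
            return False
        # Accept only if one more application of f reproduces the stored value.
        if not hmac.compare_digest(one_way(response), acct["last"]):
            return False
        acct["count"] -= 1
        acct["last"] = response  # a replay of this response will now fail
        return True


def demo_login(password: str, attempts: list) -> list:
    """Constructed scenario: register 'alice', then try a sequence of password guesses."""
    server = SKeyServer()
    client = SKeyClient(password)
    server.register("alice", "seed42", 100, client.initialize("seed42", 100))
    results = []
    for attempt in attempts:
        seed, counter = server.challenge("alice")
        results.append(server.verify("alice", SKeyClient(attempt).respond(seed, counter)))
    return results
```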

3.4 Network security

Recently, corporate networks have increasingly been connected to the Internet or even use it as their backbone. Considering the damage that an illegal intrusion into a corporate network can cause, methods of protection must be developed. Firewalls are used to protect corporate information networks. A firewall is a system, or a combination of systems, that divides a network into two or more parts and implements a set of rules determining the conditions under which packets pass from one part to another. As a rule, this boundary is drawn between the enterprise's local network and the Internet, although it can be drawn internally as well. It is not cost-effective to protect individual computers, so the entire network is usually protected. The firewall passes all traffic through itself and, for each packet, decides whether to let it through or drop it. In order for the firewall to make these decisions, a set of rules is defined for it.

A firewall may be implemented either in hardware (that is, as a separate physical device) or as a special program running on a computer.

Typically, the operating system the firewall runs on is modified to improve the security of the firewall itself. These changes affect both the OS kernel and the corresponding configuration files. No ordinary user accounts, and therefore no potential holes, are permitted on the firewall itself; only the administrator account exists. Some firewalls operate only in single-user mode, and many have a mechanism for checking the integrity of their program code.

A firewall usually consists of several different components, including filters or screens that block some of the traffic.

All firewalls can be divided into two types:

· packet filters that filter IP packets using filtering routers;

· application layer servers that block access to certain services on the network.

Thus, a firewall can be defined as a set of components or a system that sits between two networks and has the following properties:

· all traffic from the internal network to the external and from the external network to the internal must go through this system;

· only traffic defined by the local security policy can pass through this system;

· the system is reliably protected from penetration.
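A minimal packet filter of the kind described above, as an added example that is not part of the original text: an ordered rule set with first-match semantics, a default-deny fallback that enforces "only traffic defined by the local security policy can pass", and an anti-spoofing rule on the external interface. The addresses, interface names and policy are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

INTERNAL_NET = "10.0.0.0/8"  # constructed: the enterprise LAN behind the firewall


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "ext" (Internet side) or "int" (LAN side)
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    iface: Optional[str] = None   # None in any field means "match anything"
    proto: Optional[str] = None
    src: Optional[str] = None     # CIDR
    dst: Optional[str] = None     # CIDR
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.iface is not None and self.iface != pkt.iface:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


class PacketFilter:
    """First matching rule wins; a packet that matches no rule is dropped (default deny)."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"  # the local security policy permits nothing it does not name


POLICY = [
    # Anti-spoofing: nothing arriving from the Internet may claim an internal source address.
    Rule("deny", iface="ext", src=INTERNAL_NET),
    # Inbound: only HTTPS to the published web server is permitted.
    Rule("allow", iface="ext", proto="tcp", dst="10.0.0.5/32", dport=443),
    # Outbound: internal hosts may reach the Internet over web ports only.
    Rule("allow", iface="int", proto="tcp", src=INTERNAL_NET, dport=443),
    Rule("allow", iface="int", proto="tcp", src=INTERNAL_NET, dport=80),
]

# Constructed sample traffic crossing the boundary in both directions.
SAMPLE = [
    Packet("ext", "tcp", "203.0.113.7", "10.0.0.5", 443),   # HTTPS to web server: allow
    Packet("ext", "tcp", "203.0.113.7", "10.0.0.5", 22),    # SSH from outside: no rule, deny
    Packet("ext", "tcp", "10.0.0.9", "10.0.0.5", 443),      # internal address from outside: spoofed, deny
    Packet("int", "tcp", "10.0.0.9", "198.51.100.4", 80),   # outbound HTTP: allow
    Packet("int", "udp", "10.0.0.9", "198.51.100.4", 53),   # outbound DNS: not in policy, deny
]


def evaluate(pkts: List[Packet]) -> List[str]:
    """Return the firewall's decision for each packet, in order."""
    fw = PacketFilter(POLICY)
    return [fw.decide(p) for p in pkts]
```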

4. Requirements for modern means of information protection

According to the requirements of the State Technical Commission of Russia, means of protecting information from unauthorized access (SZI NSD), meeting a high level of protection, must provide:

· discretionary and mandatory access control;

· memory cleaning;

· isolation of modules;

· marking of documents;

· protection of input and output to the alienated physical media;

· association of the user with the device;

· identification and authentication;

· design guarantees;

· registration;

· user interaction with a set of protection tools;

· reliable recovery;

· the integrity of the complex of means of protection;

· modification control;

· distribution control;

· architecture guarantees.

A comprehensive SZI NSD must be accompanied by the following package of documents:

· SZI guide;

· user guide;

· test documentation;

· design (project) documentation.

Thus, in accordance with the requirements of the State Technical Commission of Russia, an integrated SZI NSD should include a basic set of subsystems. The specific capabilities of these subsystems for implementing information security functions determine the security level of the computer equipment. The real effectiveness of the SZI NSD is determined by the functionality of not only the basic but also the additional subsystems, as well as by the quality of their implementation.

Computer systems and networks are exposed to a wide range of potential threats to information, which makes it necessary to provide a large list of protection functions and subsystems. It is advisable, first of all, to protect the channels of information leakage that carry the most information, namely:

· the ability to copy data from machine media;

· data transmission channels;

· theft of computers or built-in drives.

The problem of closing these channels is complicated by the fact that data protection procedures must not lead to a noticeable decrease in the performance of computing systems. This problem can be effectively solved on the basis of the global information encryption technology discussed in the previous section.

A modern mass-market protection system should be ergonomic and have properties that favor its widespread use, such as:

· comprehensiveness - the ability to set various modes of secure data processing, taking into account the specific requirements of different users and providing for a wide range of possible actions by a presumed intruder;

· compatibility - the system must be compatible with all programs written for a given operating system and must provide a protected mode of computer operation in a computer network;

· portability - the ability to install the system on various types of computer systems, including portable ones;

· ease of use - the system should be easy to operate and should not change the usual technology of users;

· real-time operation - information conversion processes, including encryption, must be performed at high speed;

· a high level of information protection;

· minimum cost of the system.

Conclusion

Following the mass adoption of modern information technologies, cryptography has entered the life of the modern person. Electronic payments, the transfer of secret information over open communication networks, and the solution of a large number of other problems of protecting information in computer systems and information networks are all based on cryptographic methods. The needs of practice have led to the mass application of cryptographic methods, and consequently to the need to expand open research and development in this area. Knowledge of the basics of cryptography is becoming important for scientists and engineers specializing in the development of modern information security tools, as well as in the operation and design of information and telecommunication systems.

One of the urgent problems of modern applied cryptography is the development of high-speed block-type software ciphers, as well as high-speed encryption devices.

Currently, a number of encryption methods have been proposed, protected by patents of the Russian Federation and based on ideas of use:

· flexible connection sampling schedule;

· generating an encryption algorithm based on a secret key;

· substitutions that depend on the data being converted.


Data protection in computer networks is becoming one of the most acute problems in modern computer science. To date, three basic principles of information security have been formulated, which should provide:

Data integrity - protection against failures leading to the loss of information, as well as unauthorized creation or destruction of data;

Confidentiality of information and, at the same time,

It should also be noted that certain areas of activity (banking and financial institutions, information networks, public administration systems, defense and special structures) require special data security measures and impose increased requirements on the reliability of information systems.

When considering the problems of data protection in the network, the first question that arises is the classification of failures and violations of access rights that can lead to the destruction or unwanted modification of data. Potential threats include:

1. Hardware failures:

Cable system failures;

Power outages;

Disk system failures;

Failures of data archiving systems;

Failures of servers, workstations, network cards, etc.;

2. Loss of information due to incorrect operation of the software:

Loss or change of data due to software errors;

Losses when the system is infected with computer viruses;

3. Losses associated with unauthorized access:

Unauthorized copying, destruction or falsification of information;

Disclosure of confidential information constituting a secret to unauthorized persons;

4. Loss of information associated with improper storage of archived data.

5. Errors of service personnel and users:

Accidental destruction or alteration of data;

Incorrect use of software and hardware, leading to the destruction or alteration of data.

Depending on the possible types of network disruptions, numerous types of information protection are combined into three main classes:

Physical protection means, including cable system protection, power supply systems, archiving tools, disk arrays, etc.

Security software, including: anti-virus programs, systems of differentiation of powers, access control software.

Administrative safeguards, including access control to premises, development of a firm's security strategy, contingency plans, etc.

It should be noted that such a division is rather arbitrary, since modern technologies are developing in the direction of combining software and hardware protection.

Systems of archiving and duplication of information

The organization of a reliable and efficient data archiving system is one of the most important tasks for ensuring the safety of information on the network. In small networks where one or two servers are installed, the installation of the archiving system directly into the free slots of the servers is most often used. In large corporate networks, it is most preferable to organize a dedicated specialized archiving server.

Such a server automatically archives information from the hard drives of servers and workstations at the time specified by the local area network administrator, issuing a report on the backup. This provides control over the entire backup process from the administrator console; for example, you can specify the specific volumes, directories, or individual files that you want to back up.

It is also possible to organize automatic archiving upon the occurrence of a particular event ("event driven backup"), for example, when receiving information that little free space is left on the hard disk of a server or workstation, or when one of the "mirror" disks on the file server fails.

To ensure data recovery in case of failure of magnetic disks, disk array systems are most often used recently - groups of disks operating as a single device that comply with the RAID (Redundant Arrays of Inexpensive Disks) standard.

Computer virus protection

To date, in addition to thousands of already known viruses, 100-150 new strains appear every month. To this day, various anti-virus programs remain the most common methods of protection against viruses.

However, in recent years, a combination of software and hardware protection methods has been increasingly used as a promising approach to protecting against computer viruses. Among the hardware devices of this kind, one can note special anti-virus boards that are inserted into standard computer expansion slots.

Protection against unauthorized access

The problem of protecting information from unauthorized access has become especially acute with the widespread use of local and, especially, global computer networks. It should also be noted that often the damage is done not because of "malicious intent", but because of the elementary mistakes of users who accidentally corrupt or delete vital data. In this regard, in addition to access control, a necessary element of information protection in computer networks is the delimitation of user powers.

In computer networks, when organizing access control and differentiation of user powers, the built-in tools of network operating systems are most often used.

There are many possible directions of information leakage and ways of unauthorized access in systems and networks. Among them:

· reading residual information in the system memory after the execution of authorized requests;

· copying media and information files while overcoming protection measures;

· masquerading as a registered user;

· masquerading as a system request;

· use of software traps;

· exploiting the shortcomings of the operating system;

· illegal connection to equipment and communication lines;

· malicious disabling of protection mechanisms;

· introduction and use of computer viruses.

Ensuring the security of information is achieved by a set of organizational, organizational-technical, technical and software measures.

Organizational information security measures include:

· restriction of access to the premises in which the preparation and processing of information takes place;

· admission to the processing and transfer of confidential information only for verified officials;

· storage of magnetic media and registration logs in safes closed to unauthorized persons;

· prevention of unauthorized persons viewing the content of processed materials on a display, printer, etc.;

· the use of cryptographic codes when transmitting valuable information over communication channels;

· destruction of ink ribbons, paper and other materials containing fragments of valuable information.

Organizational and technical information security measures include:

· supplying power to equipment that processes valuable information from an independent power source or through special line filters;

· installation of code locks on the doors of the premises;

· use of liquid crystal or plasma displays for displaying information during input and output, and inkjet and thermal printers for obtaining hard copies, since a CRT display emits such strong high-frequency electromagnetic radiation that the image on its screen can be captured at a distance of several hundred kilometers;

· destruction of information when decommissioning computers or sending them for repair;

· installing keyboards and printers on soft pads to reduce the possibility of capturing information by acoustic means;

· limitation of electromagnetic radiation by shielding the premises where information is processed with sheets of metal or special plastic.

Technical means of information security are systems for protecting territories and premises by shielding machine rooms and organizing access control systems. Protection of information in networks and computing facilities by technical means is implemented on the basis of organizing access to memory using:

· control of access to different levels of computer memory;

· locking of data and entry of keys;

· allocation of control bits in records for the purpose of identification, etc.

The software architecture of information protection includes:

· security control, including control of login registration, recording in the system log, and control of user actions;

· reaction (including an audible one) to a violation of the protection system controlling access to network resources;

· control of access credentials;

· formal security control of operating systems (basic system-wide and network);

· control of protection algorithms;

· checking and confirming the correct functioning of hardware and software.

For reliable protection of information and detection of cases of unauthorized actions, registration of the system operation is carried out: special diaries and protocols are created in which all actions related to the protection of information in the system are recorded. Special programs are also used to test the protection system. Periodically or at randomly selected points in time, they check the performance of hardware and software protection.

A separate group of measures to ensure the safety of information and identify unauthorized requests include programs for detecting violations in real time. Programs of this group generate a special signal when registering actions that can lead to illegal actions in relation to protected information. The signal may contain information about the nature of the violation, the location of its occurrence, and other characteristics. In addition, programs can prohibit access to protected information or simulate such a mode of operation (for example, instant loading of I / O devices), which will allow the intruder to be identified and detained by the appropriate service.

One of the common methods of protection is an explicit indication of the secrecy of the output information. This requirement is implemented using appropriate software tools.

By equipping a server or networked workstations, for example, with a smart card reader and special software, you can significantly increase the degree of protection against unauthorized access. In this case, to access the computer, the user must insert a smart card into the reader and enter their personal code.

Smart access control cards allow you to implement, in particular, such functions as access control, access to personal computer devices, and access to programs, files and commands.

Remote access bridges and routers use packet segmentation, splitting packets and transmitting them in parallel over two lines, which makes it impossible to "intercept" the data when a "hacker" illegally connects to one of the lines. In addition, the compression procedure applied to the transmitted packets guarantees that "intercepted" data cannot be decrypted. Furthermore, remote access bridges and routers can be programmed so that remote users are limited in their access to certain resources of the main office network.

Security mechanisms

1. Cryptography.

To ensure secrecy, encryption, or cryptography, is used, which allows you to transform data into an encrypted form, from which you can extract the original information only if you have a key.

Encryption is based on two basic concepts: an algorithm and a key. An algorithm is a way to encode the original text, resulting in an encrypted message. An encrypted message can only be interpreted using the key.

All elements of protection systems are divided into two categories: long-term and easily replaceable. Long-term elements are those related to the development of the protection system that require the intervention of specialists or developers to change. Easily replaceable elements are system elements intended for arbitrary change, or for change according to a predetermined rule based on randomly selected initial parameters. Easily changeable elements include, for example, a key, a password, an identifier, and the like.

The secrecy of information is ensured by the introduction of special keys (codes) into the algorithms. The use of a key in encryption provides two significant advantages. First, you can use one algorithm with different keys to send messages to different recipients. Secondly, if the key is compromised, it can be easily replaced without changing the encryption algorithm. Thus, the security of encryption systems depends on the secrecy of the key used, and not on the secrecy of the encryption algorithm.

It is important to note that the increasing productivity of technology leads to a decrease in the time required to open the keys, and security systems have to use longer and longer keys, which, in turn, leads to an increase in encryption costs.

Since such an important place in encryption systems is given to the secrecy of the key, the main problem of such systems is the generation and transmission of the key.

There are two main encryption schemes: symmetric encryption (also sometimes called traditional or private key encryption) and public key encryption (sometimes called asymmetric encryption).

With symmetric encryption, the sender and receiver share the same key (secret) with which they can encrypt and decrypt data.

Electronic signature

With the help of an electronic signature, the recipient can make sure that the message he received was sent not by a third party, but by a sender with certain rights. Electronic signatures are created by encrypting a checksum and additional information using the sender's private key. Thus, anyone can decrypt the signature using the public key, but only the owner of the private key can correctly create the signature. To protect against interception and reuse, the signature includes a unique number - a sequence number.

Authentication

Authentication is one of the most important components of organizing information security in a network. Before a user is granted the right to get a particular resource, it is necessary to make sure that he is really who he claims to be.

When a request is received to use a resource on behalf of a user, the server providing the resource passes control to the authentication server. After receiving a positive response from the authentication server, the requested resource is provided to the user.


In the first part of the Fundamentals of Information Security, we considered the main types of threats to information security. In order for us to start choosing information security tools, it is necessary to consider in more detail what can be attributed to the concept of information.

Information and its classification

There are many definitions and classifications of "information". The most concise and at the same time most comprehensive definition is given in Federal Law No. 149-FZ of July 27, 2006 (as amended on July 29, 2017), Article 2: information is information (messages, data) regardless of the form of its presentation.

Information can be classified into several types and, depending on the category of access to it, is divided into public information, as well as information to which access is restricted - confidential data and state secrets.

Depending on the order of its provision or distribution, information is divided into information:

  1. Freely distributed;
  2. Provided by agreement of the persons involved in the respective relationship;
  3. Which, in accordance with federal laws, is subject to provision or distribution;
  4. Whose distribution in the Russian Federation is restricted or prohibited.

By purpose, information is of the following types:

  1. Mass - contains trivial information and operates with a set of concepts understandable to most of society.
  2. Special - contains a specific set of concepts that may not be understood by the bulk of society, but are necessary and understandable within the narrow social group where this information is used.
  3. Secret - access to which is provided to a narrow circle of people and through closed (secure) channels.
  4. Personal (private) - a set of information about a person that determines their social position and types of social interactions.

Information security tools must be applied directly to information to which access is limited, that is, state secrets and confidential data.

According to Law of the Russian Federation No. 5485-1 of 21.07.1993 (as amended on 03/08/2015) "On State Secrets", Article 5, "List of information constituting a state secret", state secrets cover:

  1. Information in the military area.
  2. Information in the field of economics, science and technology.
  3. Information in the field of foreign policy and economy.
  4. Information in the field of intelligence, counterintelligence and operational-search activities, as well as in the field of countering terrorism and in the field of ensuring the security of persons in respect of whom a decision has been made to apply state protection measures.
A list of information that may constitute confidential information is contained in Presidential Decree No. 188 of March 6, 1997 (as amended on July 13, 2015) "On approval of the list of confidential information".

Confidential data is information to which access is limited in accordance with the laws of the state and the norms that companies establish independently. The following types of confidential data can be distinguished:

  • Personal confidential data: information about the facts, events and circumstances of the private life of a citizen that allows his identity to be established (personal data), with the exception of information to be disseminated in the media in cases established by federal laws.
  • Service sensitive data: Official information, access to which is restricted by public authorities in accordance with the Civil Code of the Russian Federation and federal laws (official secret).
  • Forensic confidential data: On state protection of judges, officials of law enforcement and regulatory bodies. On state protection of victims, witnesses and other participants in criminal proceedings. Information contained in the personal files of convicts, as well as information on the enforcement of judicial acts, acts of other bodies and officials, except for information that is publicly available in accordance with the Federal Law of October 2, 2007 N 229-FZ "On Enforcement Proceedings" .
  • Commercial sensitive data: all types of information that is related to commerce (profit) and access to which is limited by law or information about the essence of an invention, utility model or industrial design before the official publication of information about them by the enterprise (secret developments, production technologies, etc.).
  • Professional confidential data: Information related to professional activities, access to which is restricted in accordance with the Constitution of the Russian Federation and federal laws (medical, notarial, attorney-client, correspondence, telephone conversations, postal items, telegraphic or other messages, etc.)


Figure 1. Classification of types of information.

Personal Information

Personal data deserves separate attention. According to Federal Law No. 152-FZ of July 27, 2006 (as amended on 07/29/2017) "On Personal Data", Article 4, personal data is any information relating directly or indirectly to a specific or identifiable natural person (the subject of personal data).

A personal data operator is a state body, municipal body, legal entity or individual that, independently or jointly with other persons, organizes and (or) carries out the processing of personal data, and also determines the purposes of processing personal data, the composition of the personal data to be processed, and the actions (operations) performed with the personal data.

Processing of personal data- any action (operation) or set of actions (operations) performed using automation tools or without using such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.

The right to process personal data is enshrined in regulations on state bodies, federal laws, licenses for working with personal data issued by Roskomnadzor or FSTEC.

Companies that professionally work with personal data of a wide range of people, for example, virtual server hosting companies or telecom operators, must enter the register maintained by Roskomnadzor.

For example, our virtual server hosting VPS.HOUSE operates within the framework of the legislation of the Russian Federation and under licenses of the Federal Service for Supervision of Communications, Information Technology and Mass Media No. 139322 dated December 25, 2015 (telematic communication services) and No. 139323 dated December 25, 2015 (communication services for data transmission, with the exception of data transmission services for the purpose of transmitting voice information).

Based on this, any site that has a user registration form, which indicates and subsequently processes information related to personal data, is a personal data operator.

Under Article 7 of Law No. 152-FZ "On Personal Data", operators and other persons who have gained access to personal data are obliged not to disclose it to third parties and not to distribute it without the consent of the personal data subject, unless otherwise provided by federal law. Accordingly, every personal data operator is obliged to ensure the necessary security and confidentiality of this information.

To ensure the security and confidentiality of information, it is necessary to determine which information carriers are open to access and which are closed. The methods and means of protection are then selected according to the type of carrier.

Main information carriers:

  • Printed and electronic media, social networks, other resources on the Internet;
  • Employees of the organization who have access to information based on their friendships, family, professional ties;
  • Communication means that transmit or store information: telephones, automatic telephone exchanges, other telecommunications equipment;
  • Documents of all types: personal, official, state;
  • Software as an independent information object, especially if its version was developed specifically for a particular company;
  • Electronic storage media that process data automatically.

Having determined what information is subject to protection, which carriers hold it and what damage its disclosure could cause, you can choose the necessary means of protection.

Classification of information security tools

In accordance with the Federal Law of July 27, 2006 No. 149-FZ (as amended on July 29, 2017) "On Information, Information Technologies and Information Protection", Article 16, paragraphs 1 and 4:

1. Information protection is the adoption of legal, organizational and technical measures aimed at:

  • ensuring the protection of information from unauthorized access, destruction, modification, blocking, copying, provision and distribution, as well as from other illegal actions in relation to such information;
  • observing the confidentiality of restricted-access information;
  • implementing the right of access to information.
4. The information owner and the information system operator, in cases established by the legislation of the Russian Federation, are obliged to ensure:
  • prevention of unauthorized access to information and (or) its transfer to persons who have no right of access to it;
  • timely detection of facts of unauthorized access to information;
  • prevention of the possibility of adverse consequences from violation of the access procedure for information;
  • prevention of impacts on the technical means of information processing that disrupt their functioning;
  • the possibility of immediate recovery of information modified or destroyed as a result of unauthorized access to it;
  • constant monitoring of the level of information security provided;
  • location on the territory of the Russian Federation of the databases used to collect, record, systematize, accumulate, store, clarify (update, change) and extract the personal data of citizens of the Russian Federation (clause 7 was introduced by the Federal Law of 07/21/2014 No. 242-FZ).
Based on Law No. 149-FZ, information security can also be divided into several levels:
  1. The legal level ensures compliance with state standards in the field of information security and includes copyright, decrees, patents and job descriptions.
    A well-built protection system does not violate the rights of users or the norms of data processing.
  2. The organizational level allows you to create rules for users' work with confidential information, select personnel, and organize work with documentation and data carriers.
    The rules for users' work with confidential information are called access control rules. The rules are set by the company's management together with the security service and the supplier who implements the security system. The goal is to define, for each user, the conditions of access to information resources, for example the right to read, edit or transfer a confidential document.
    Access control rules are developed at the organizational level and implemented at the stage of work with the technical component of the system.
  3. The technical level is conventionally divided into physical, hardware, software and mathematical (cryptographic) means.

Information security tools

Information security tools are customarily divided into normative (informal) and technical (formal).

Informal means of information security

Informal information security tools are normative (legislative), administrative (organizational) and moral and ethical means, which include documents, rules and events.

The legal framework (legislative means) of information security is provided by the state. Information protection is regulated by international conventions, the Constitution, the federal law "On Information, Information Technologies and Information Protection", the laws of the Russian Federation "On Security", "On Communications" and "On State Secrets", and various by-laws.

Some of the laws listed here were already cited and discussed above as the legal foundations of information security. Failure to comply with these laws creates threats to information security that can lead to significant consequences, and is in turn punishable in accordance with these laws, up to criminal liability.

The state also determines the measure of responsibility for violating the provisions of legislation in the field of information security. For example, Chapter 28 "Crimes in the field of computer information" of the Criminal Code of the Russian Federation includes three articles:

  • Article 272 "Illegal access to computer information";
  • Article 273 "Creation, use and distribution of malicious computer programs";
  • Article 274 "Violation of the rules for the operation of means of storage, processing or transmission of computer information and of information and telecommunication networks".
Administrative (organizational) measures play an essential role in creating a reliable information protection mechanism, since the possibility of unauthorized use of confidential information is largely determined not by technical aspects but by human actions: malicious acts, and also the negligence, carelessness and inattention of users or security personnel.

To reduce the impact of these aspects, a set of organizational, legal and organizational and technical measures is needed that would exclude or minimize the possibility of threats to confidential information.

In this administrative and organizational activity to protect information for security personnel, there is room for creativity.

These are architectural and planning solutions that allow you to protect meeting rooms and executive offices from eavesdropping, and the establishment of various levels of access to information.

From the point of view of regulating the activities of personnel, it is important to design a system of requests for access to the Internet, external e-mail and other resources. A separate element is obtaining an electronic digital signature to enhance the security of financial and other information transmitted to government agencies via e-mail channels.

Moral and ethical means include the moral norms or ethical rules that have developed in a society or a given team, the observance of which contributes to the protection of information, and whose violation is equated to non-compliance with the rules of behaviour in that society or team. These norms are not obligatory in the way that legally approved norms are, but failing to comply with them leads to a drop in the authority and prestige of a person or organization.

Formal means of information protection

Formal means of protection are special technical devices and software, which can be divided into physical, hardware, software and cryptographic means.

Physical means of information protection are any mechanical, electrical and electronic mechanisms that function independently of information systems and create barriers to access to them.

Locks, including electronic ones, screens, blinds are designed to create obstacles for the contact of destabilizing factors with systems. The group is supplemented by means of security systems, for example, video cameras, video recorders, sensors that detect movement or an excess of the degree of electromagnetic radiation in the area where technical means for recording information are located.

Hardware information security means are any electrical, electronic, optical, laser and other devices that are built into information and telecommunication systems: special computers, employee control systems, protection of servers and corporate networks. They prevent access to information, including by masking it.

Hardware includes: noise generators, network filters, scanning radios, and many other devices that “block” potential information leakage channels or allow them to be detected.

Information security software consists of simple and complex programs designed to solve problems related to ensuring information security.

Examples of integrated solutions are DLP systems and SIEM systems.

DLP systems ("Data Leak Prevention", literally "prevention of data leakage") serve, accordingly, to prevent leakage, reformatting of information and redirection of information flows.

SIEM systems ("Security Information and Event Management") provide real-time analysis of security events (alarms) from network devices and applications. SIEM is delivered as applications, devices or services, and is also used for logging data and generating reports so that they can be combined with other business data.

Software tools are demanding on the power of hardware devices, and additional reserves must be provided during installation.

Mathematical (cryptographic) means are the implementation of cryptographic and steganographic data protection methods for secure transmission over a corporate or global network.

Cryptography is considered one of the most reliable ways to protect data, because it protects the information itself, and not access to it. Cryptographically converted information has a high degree of protection.

The introduction of cryptographic information protection means the creation of a software and hardware complex, the architecture and composition of which is determined based on the needs of a particular customer, legal requirements, tasks and necessary methods, and encryption algorithms.

This may include software components of encryption (cryptoproviders), VPN organization tools, identity tools, tools for generating and verifying keys and digital signatures.

Encryption tools can support GOST encryption algorithms and provide the necessary cryptographic protection classes depending on the required degree of protection, the regulatory framework and compatibility requirements with other, including external, systems. At the same time, encryption tools protect the entire set of information components, including files, directories of files, physical and virtual storage media, entire servers and data storage systems.

In conclusion of the second part, having briefly considered the main methods and means of protecting information as well as the classification of information, we can say the following: the well-known thesis is once again confirmed that ensuring information security is a whole range of measures covering all aspects of information protection, and its creation and maintenance must be approached most carefully and seriously.

The golden rule, an integrated approach, must be strictly observed and never violated.

For a more visual representation of the means of protecting information as an indivisible set of measures, they are presented below in Figure 2. Each brick represents the protection of information in a certain segment; remove one of the bricks and there will be a security threat.


Figure 2. Classification of information security tools.

Information protection software are special programs and software systems designed to protect information in an information system.

Software tools include programs for user identification, access control, deletion of residual (working) information such as temporary files, test control of the protection system, and others. The advantages of software tools are versatility, flexibility, reliability, ease of installation, the ability to modify and develop.

Disadvantages - the use of part of the resources of the file server and workstations, high sensitivity to accidental or deliberate changes, possible dependence on the types of computers (their hardware).

Software protection tools include:

  • built-in information security tools: tools that implement user authorization and authentication (login with a password), differentiation of access rights, software copy protection, validation of entered data against a given format, and so on.
    In addition, this group includes built-in operating system tools that protect the operation of one program from the influence of another when the computer operates in multiprogram mode, where several programs reside in memory simultaneously and alternately receive control as a result of interrupts. Each of these programs is liable to failures (errors) that may affect the performance of functions by other programs. The operating system handles interrupts and manages multiprogramming, so it must protect itself and other programs from such influence, using, for example, a memory protection mechanism and the execution of programs in privileged or user mode;
  • management of the security system.

In order to form an optimal set of software and hardware information protection tools, it is necessary to go through the following steps:

  • definition of the information and technical resources to be protected;
  • identification of the full set of potential threats and information leakage channels;
  • assessment of the vulnerability of information and of the risks in the presence of many threats and leakage channels;
  • determination of requirements for the protection system;
  • selection of information security tools and their characteristics;
  • introduction and organization of the use of the selected measures, methods and means of protection;
  • implementation of integrity control and management of the protection system.

Information today is expensive and must be protected. Information is owned and used by all people without exception. Each person decides for himself what information he needs to receive and what information should not be available to others. To prevent the loss of information, various methods of its technical protection have been developed, which are used at all stages of working with it, protecting it from damage and external influences.

Information security software is understood as special programs included in the software of a computer system (CS) solely to perform protective functions.

The main information security software includes:

  • programs for identification and authentication of CS users;
  • programs for delimiting user access to CS resources;
  • information encryption programs;
  • programs for protecting information resources (system and application software, databases, computer training tools, etc.) from unauthorized modification, use and copying.

Note that identification, in relation to ensuring the information security of a CS, is understood as the unambiguous recognition of the unique name of a CS subject. Authentication means confirmation that the presented name matches the subject (subject authentication).

Examples of auxiliary information security software:

  • programs for the destruction of residual information (in blocks of RAM, temporary files, etc.);
  • audit programs (registration logs) for events related to CS security, to provide the possibility of recovery and evidence that these events occurred;
  • programs that imitate work with an intruder (distracting him with supposedly confidential information);
  • programs for test control of CS security, etc.

The benefits of information security software include:

  • ease of replication;
  • flexibility (the ability to adjust to various conditions of use, taking into account the specific threats to the information security of a particular CS);
  • ease of use: some software tools, such as encryption, work in a "transparent" (invisible to the user) mode, while others do not require any new skills from the user (compared to other programs);
  • virtually unlimited possibilities for their development by making changes to take into account new threats to information security.

Fig. 1.1 Example of a docked (add-on) security software tool

Fig. 1.2 Example of a built-in information security tool

The disadvantages of information security software include:

  • reduced efficiency of the CS due to the consumption of the resources required for the functioning of protection programs;
  • lower performance (compared to similar hardware protections, such as encryption);
  • the docking of many software protection tools onto the CS software rather than building them in (Fig. 1.1 and 1.2), which creates a fundamental possibility for the intruder to bypass them;
  • the possibility of malicious modification of software protection tools during CS operation.

2.2.4 "User authentication"

User authentication based on passwords and a handshake model

When choosing passwords, CS users should be guided by two rules that are, in fact, mutually exclusive: passwords should be difficult to guess and easy to remember (since the password should under no circumstances be written down anywhere, as that would additionally require protecting the password carrier).

The difficulty of guessing a password is determined, first of all, by the size of the character set used when choosing the password (N) and the minimum possible password length (k). The number of different passwords can then be estimated from below as C_p = N^k. For example, if the password characters are lowercase Latin letters and the minimum password length is 3, then C_p = 26^3 = 17576 (which is very little against automated guessing). If the character set consists of lowercase and uppercase Latin letters and digits, and the minimum password length is 6, then C_p = 62^6 = 56800235584.

The complexity of passwords chosen by CS users must be set by the administrator when implementing the security policy established for the system. Other account policy settings when using password authentication should be:

  • maximum password age (no secret can be kept secret forever);
  • the password must not match the logical user name under which the user is registered in the CS;
  • uniqueness of passwords for one user.

The requirement of non-repeatability of passwords can be implemented in two ways. First, you can set a minimum password age (otherwise a user who is forced to change his password after it expires will be able to change it back to the old one immediately). Second, you can keep a list of passwords already used by this user (the maximum length of the list can be set by the administrator).

Unfortunately, it is practically impossible to ensure the real uniqueness of each newly selected password by the user using the above measures. The user can, without violating the established restrictions, choose passwords "Al", "A2", ... where A1 is the first user password that meets the complexity requirements.

It is possible to ensure an acceptable degree of complexity of passwords and their real uniqueness by assigning passwords to all users by the CS administrator while simultaneously prohibiting the user from changing the password. To generate passwords, the administrator can use a software generator that allows you to create passwords of varying complexity.

However, with this method of assigning passwords, there are problems associated with the need to create a secure channel for transferring the password from the administrator to the user, the difficulty of checking that the user does not save the selected password only in his memory, and the potential for an administrator who knows the passwords of all users to abuse his powers. Therefore, it is most expedient to choose a password by the user based on the rules set by the administrator, with the possibility for the administrator to set a new password for the user in case he forgot his password.

Another aspect of the CS user account policy should be the determination of the system's counteraction to attempts to guess passwords.

The following rules may apply:

  • limiting the number of login attempts;
  • hiding the logical name of the last logged-in user (knowing the logical name can help the intruder guess or pick his password);
  • recording all login attempts (successful and unsuccessful) in the audit log.

The reaction of the system to an unsuccessful user login attempt can be:

  • blocking the account under which the login attempt is being made if the maximum possible number of attempts is exceeded (for a specified time, or until the block is removed manually by the administrator);
  • an incremental increase in the time delay before the user is granted the next login attempt.

When a user's password is entered or changed for the first time, two classic rules usually apply:

  • the characters of the entered password are not displayed on the screen (the same rule applies when the user enters the password to log into the system);
  • to confirm the correctness of the entry (given the first rule), the password is entered twice.

To store passwords, it is possible to pre-encrypt or hash them.

Password encryption has two disadvantages:

  • since a key is required for encryption, its secure storage in the CS must be ensured (knowledge of the password encryption key would allow the passwords to be decrypted and unauthorized access to information to be carried out);
  • there is a danger of any password being decrypted and obtained in the clear.

Hashing is an irreversible transformation and knowing the hash value of the password will not give the attacker the possibility of obtaining it in clear text (he will only be able to try to guess the password with a known hashing function). Therefore, it is much more secure to store passwords in a hashed form. The disadvantage is that there is not even a theoretical possibility to recover a password forgotten by the user.
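The account policy and storage rules described above, as an added example that is not code from the original text: the lower bound C_p = N^k, complexity and history checks for a new password, minimum and maximum password age, lockout and incremental delay after failed attempts, an audit log of every attempt, and salted hashing (PBKDF2-HMAC-SHA256) instead of reversible encryption. All numeric limits, the user names and the passwords are assumptions constructed for the example.

```python
"""Password account policy model (added example; every limit below is assumed)."""
import hashlib
import hmac
import os
import string
from typing import List, Optional, Tuple

CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]
PBKDF2_ROUNDS = 100_000  # assumed work factor


def password_space(password: str, min_length: int) -> int:
    """C_p = N^k: N is the size of the union of character classes the password
    draws from, k the minimum length the policy enforces."""
    n = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    return n ** min_length


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Irreversible salted hash: there is no key to protect, and a forgotten
    password cannot be recovered, only reset by the administrator."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class Policy:
    """Account policy parameters (assumed values, not from the page)."""
    min_length = 8
    min_classes = 3           # of the four CLASSES
    history_size = 5          # previous passwords that may not be reused
    min_age = 24 * 3600       # seconds; blocks changing straight back to the old one
    max_age = 90 * 24 * 3600  # seconds; no secret is kept forever
    max_attempts = 5          # failures before the account is locked
    base_delay = 1.0          # seconds; doubled after each further failure
    lockout = 15 * 60         # seconds until the automatic unlock

    def check_new(self, username: str, password: str,
                  history: List[Tuple[bytes, bytes]]) -> List[str]:
        """Return the rules a proposed password violates (empty list = acceptable)."""
        problems = []
        if len(password) < self.min_length:
            problems.append("shorter than %d characters" % self.min_length)
        if sum(1 for cls in CLASSES if any(c in cls for c in password)) < self.min_classes:
            problems.append("fewer than %d character classes" % self.min_classes)
        if username.lower() in password.lower():
            problems.append("contains the user name")
        if any(verify_password(password, s, d) for s, d in history):
            problems.append("reuses a previous password")
        return problems


class Account:
    def __init__(self, username: str, password: str, policy: Policy, now: float):
        self.username, self.policy = username, policy
        self.salt, self.digest = hash_password(password)
        self.history: List[Tuple[bytes, bytes]] = []  # older (salt, digest) pairs
        self.changed_at = now
        self.failures = 0
        self.next_allowed = 0.0  # earliest time at which a login attempt is accepted
        self.audit: List[Tuple[float, str, str]] = []  # (time, user, event)

    def change_password(self, new_password: str, now: float) -> List[str]:
        if now - self.changed_at < self.policy.min_age:
            return ["minimum password age not reached"]
        problems = self.policy.check_new(
            self.username, new_password, [(self.salt, self.digest)] + self.history)
        if problems:
            return problems
        self.history = ([(self.salt, self.digest)] + self.history)[:self.policy.history_size]
        self.salt, self.digest = hash_password(new_password)
        self.changed_at = now
        return []

    def login(self, password: str, now: float) -> str:
        """One login attempt; returns 'ok', 'expired', 'locked' or 'denied'."""
        if now < self.next_allowed:
            self.audit.append((now, self.username, "refused: locked or delayed"))
            return "locked"
        if verify_password(password, self.salt, self.digest):
            self.failures = 0
            self.audit.append((now, self.username, "success"))
            return "expired" if now - self.changed_at > self.policy.max_age else "ok"
        self.failures += 1
        self.audit.append((now, self.username, "failure"))
        if self.failures >= self.policy.max_attempts:
            self.next_allowed = now + self.policy.lockout
            return "locked"
        # incremental delay before the next attempt may be made
        self.next_allowed = now + self.policy.base_delay * 2 ** (self.failures - 1)
        return "denied"


if __name__ == "__main__":
    acct = Account("ivanov", "Vesna-2024!", Policy(), now=0.0)
    print(password_space("abc", 3), password_space("aB3dEf", 6))
    for i in range(5):
        print(acct.login("wrong", now=100.0 * (i + 1)))
    print(acct.login("Vesna-2024!", now=510.0), acct.login("Vesna-2024!", now=2000.0))
```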

The second example is authentication based on handshake patterns. When registering in the CS, the user is offered a set of small images (for example, pictograms), among which he must choose a given number of images. The next time he logs in, he is presented with a different set of images, some of which he saw during registration. For correct authentication, the user must mark the pictures that he chose during registration.

Advantages of handshake-based authentication over password authentication:

  • no confidential information that needs to be kept secret is transferred between the user and the system;
  • each subsequent user logon session differs from the previous one, so even long-term monitoring of these sessions gives the intruder nothing.

The disadvantages of authentication based on the "handshake" model include the long duration of this procedure compared to password authentication.

Authentication of users by their biometric characteristics

The main biometric characteristics of CS users that can be used for their authentication include:

  • fingerprints;
  • the geometric shape of the hand;
  • the pattern of the iris of the eye;
  • the pattern of the retina;
  • the geometric shape and dimensions of the face;
  • the geometric shape and size of the ear, etc.

The most common are hardware and software for user authentication based on their fingerprints. To read these fingerprints, keyboards and mice equipped with special scanners are usually used. The existence of sufficiently large data banks of citizens' fingerprints is the main reason for the fairly widespread use of such authentication tools in government agencies, as well as in large commercial organizations. The disadvantage of such tools is the potential use of users' fingerprints to intrude on their privacy.

If for objective reasons (for example, due to the pollution of the premises in which authentication is carried out) it is impossible to obtain a clear fingerprint, then authentication based on the geometric shape of the user's hand can be used. In this case, the scanners can be installed on the wall of the room.

The most reliable (but also the most expensive) are user authentication tools based on the characteristics of the eye (iris pattern or retinal pattern). The probability of these features recurring is estimated at 10^-78.

The cheapest (but also the least reliable) are authentication tools based on the geometric shape and size of the user's face or on the timbre of his voice. This allows you to use these tools for authentication when remote access users to the CS.

The main advantages of user authentication based on biometric characteristics:

  • the difficulty of falsifying these features;
  • high authentication reliability due to the uniqueness of such features;
  • the inseparability of biometric features from the user's identity.

To compare user authentication based on various biometric characteristics, estimates of the probabilities of errors of the first and second kind are used. The probability of an error of the first kind (denial of access to the CS to a legitimate user) is 10^-6 ... 10^-3. The probability of an error of the second kind (admission of an unregistered user to work in the CS) in modern biometric authentication systems is 10^-5 ... 10^-2.

A common disadvantage of CS user authentication tools based on their biometric characteristics is their higher cost compared to other authentication tools, which is primarily due to the need to purchase additional hardware. Authentication methods based on the features of the keyboard handwriting and mouse painting of users do not require the use of special equipment.

Authentication of users by their keyboard handwriting and mouse painting

S.P. Rastorguev was one of the first to propose the idea of user authentication based on the peculiarities of their work with the keyboard and mouse. When developing the mathematical model of authentication based on users' keyboard handwriting, it was assumed that the time intervals between presses of adjacent characters of the key phrase, and between presses of specific key combinations in it, obey the normal distribution law. The essence of this authentication method is to test the hypothesis that the distribution centres of two normal general populations (the one obtained when tuning the system to the user's characteristics, and the one obtained during authentication) are equal.

Let's consider a variant of user authentication by a set of key phrases (the same in the configuration and authentication modes).

The procedure for adjusting to the characteristics of a user registered in the CS:

1) user selection of a key phrase (its symbols must be evenly spaced across the keyboard);

2) typing a key phrase several times;

3) exclusion of gross errors (according to a special algorithm);

4) calculation and storage of estimates of the mathematical expectations, variances and number of observations for the time intervals between presses of each pair of adjacent symbols of the key phrase.
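The four tuning steps above carried through in code, as an added example that is not part of the original text: several typings of a key phrase, exclusion of gross errors, per-digraph estimates of mean, variance and number of observations, and then the hypothesis test on the equality of the two distribution centres that the method rests on. The gross-error rule, the Welch t statistic, the 3.0 threshold and the 80% pass fraction are assumptions, as are all timings, which are constructed sample data in milliseconds.

```python
"""Keyboard-handwriting authentication model (added example; thresholds assumed)."""
import math
from statistics import mean, median, variance
from typing import List, Tuple

Profile = List[Tuple[float, float, int]]  # per digraph: (mean, variance, n)

# Constructed enrolment data: a key phrase with 5 digraphs typed 6 times;
# the fifth typing contains a long pause, a gross error to be excluded.
ENROL_SAMPLES = [
    [120, 140, 110, 130, 150],
    [125, 135, 115, 128, 145],
    [118, 142, 108, 133, 152],
    [122, 138, 112, 127, 148],
    [900, 140, 110, 130, 150],
    [121, 141, 109, 131, 149],
]
# Constructed attempts: the same user, and a slower impostor who knows the phrase.
GENUINE_ATTEMPT = [[119, 139, 112, 129, 151], [123, 141, 109, 131, 147], [121, 137, 111, 128, 150]]
IMPOSTOR_ATTEMPT = [[180, 200, 170, 190, 210], [184, 198, 172, 188, 212], [182, 202, 171, 191, 209]]


def exclude_gross_errors(samples: List[List[int]], factor: float = 3.0) -> List[List[int]]:
    """Step 3: drop a typing if any interval in it exceeds `factor` times the
    median interval of that digraph (assumed rule; the text only says 'a special algorithm')."""
    medians = [median(col) for col in zip(*samples)]
    return [row for row in samples if all(x <= factor * m for x, m in zip(row, medians))]


def build_profile(samples: List[List[int]]) -> Profile:
    """Step 4: mean, variance and number of observations per digraph."""
    clean = exclude_gross_errors(samples)
    return [(mean(col), variance(col), len(col)) for col in zip(*clean)]


def welch_t(m1: float, v1: float, n1: int, m2: float, v2: float, n2: int) -> float:
    """Statistic for testing equality of the centres of two normal populations
    with unequal variances and sample sizes."""
    denom = math.sqrt(v1 / n1 + v2 / n2)
    if denom == 0:
        return 0.0 if m1 == m2 else math.inf
    return (m1 - m2) / denom


def authenticate(profile: Profile, attempt: List[List[int]],
                 threshold: float = 3.0, min_fraction: float = 0.8) -> bool:
    """Accept when at least `min_fraction` of the digraphs do not reject the
    hypothesis of equal centres. The attempt needs at least two typings."""
    passed = 0
    for (m1, v1, n1), col in zip(profile, zip(*attempt)):
        if abs(welch_t(m1, v1, n1, mean(col), variance(col), len(col))) < threshold:
            passed += 1
    return passed / len(profile) >= min_fraction


def update_profile(profile: Profile, attempt: List[List[int]]) -> Profile:
    """After a successful login, fold the attempt into the reference profile
    (pooled mean and variance) so that slow drift in typing skill is absorbed."""
    updated = []
    for (m1, v1, n1), col in zip(profile, zip(*attempt)):
        m2, v2, n2 = mean(col), variance(col), len(col)
        n = n1 + n2
        m = (n1 * m1 + n2 * m2) / n
        ss = v1 * (n1 - 1) + n1 * m1 ** 2 + v2 * (n2 - 1) + n2 * m2 ** 2
        updated.append((m, (ss - n * m ** 2) / (n - 1), n))
    return updated


if __name__ == "__main__":
    profile = build_profile(ENROL_SAMPLES)
    print("genuine user accepted:", authenticate(profile, GENUINE_ATTEMPT))
    print("impostor accepted:", authenticate(profile, IMPOSTOR_ATTEMPT))
    profile = update_profile(profile, GENUINE_ATTEMPT)
    print("observations per digraph after update:", profile[0][2])
```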

Authentication reliability based on the user's keyboard handwriting is lower than when using its biometric characteristics.

However, this authentication method also has its advantages:

  • the possibility of hiding the fact that additional user authentication is in use, if the password the user enters serves as the key phrase;
  • the possibility of implementing this method with software alone (reducing the cost of authentication tools).

Now consider an authentication method based on mouse painting (with this manipulator it is of course impossible for the user to produce a real signature, so this "painting" will be a fairly simple stroke). Let us call the painting line the broken line obtained by connecting the points from the beginning of the painting to its completion (neighbouring points must not have the same coordinates). The length of the painting line is calculated as the sum of the lengths of the segments connecting the painting points.

As with authentication based on keyboard handwriting, the authenticity of a user by mouse painting is confirmed primarily by the pace of his work with this input device.

The advantages of authenticating users by mouse painting, as with keyboard handwriting, include the possibility of implementing the method with software alone; the disadvantages are lower authentication reliability compared to the use of the user's biometric characteristics, and the need for the user to be sufficiently confident in working with the mouse.

A common feature of authentication methods based on keyboard handwriting and mouse painting is the instability of their characteristics for the same user, which can be caused by:

1) natural changes associated with the improvement of the user's skills in working with the keyboard and mouse, or, conversely, with their deterioration due to aging of the body;

2) changes associated with an abnormal physical or emotional state of the user.

Changes in user characteristics caused by reasons of the first kind are not abrupt and can therefore be neutralized by updating the reference characteristics after each successful user authentication.

Changes in user characteristics caused by reasons of the second kind can be abrupt and lead to the rejection of his attempt to enter the CS. However, this feature of authentication based on keyboard handwriting and mouse painting can also become an advantage if we are talking about users of CSs for military, energy and financial purposes.

A promising direction in the development of methods for authenticating CS users based on their personal characteristics can be confirmation of the user's authenticity based on his knowledge and skills that characterize the level of education and culture.
