Systems for protecting a computer from foreign intrusion are very diverse and can be classified into groups such as:
– self-protection means provided by the general software;
– protective equipment included computing system;
– means of protection with a request for information;
- facilities active protection;
– means of passive protection, etc.
These protection groups are presented in more detail in Fig. 12.
Rice. 12. Software protection tools
Main directions of use of software information protection
The following areas of using programs to ensure the security of confidential information can be distinguished, in particular such as:
– protection of information from unauthorized access;
– protection of information from copying;
– protection of programs from copying;
– protection of programs from viruses;
– protecting information from viruses;
– software protection of communication channels.
For each of these areas, there is a sufficient number of high-quality software products developed by professional organizations and distributed on the markets (Fig. 13).
Rice. 13.Software protection
Security software have the following types of special programs:
Identification of hardware, files and user authentication;
Registration and control of the operation of technical equipment and users;
Maintenance of restricted information processing modes;
Protection of computer operating facilities and application programs users;
Destruction of information in storage after use;
Signaling violations of resource use;
Auxiliary protection programs for various purposes (Fig. 14).
Rice. 14. Areas of software protection
Identification of hardware and files, carried out programmatically, is done on the basis of analyzing the registration numbers of various components and objects of the information system and comparing them with the values of addresses and passwords stored in the control system memory.
To ensure reliable protection using passwords, the operation of the security system is organized in such a way that the probability of disclosure secret password and establishing correspondence to one or another file or terminal identifier was as small as possible. To do this, you need to periodically change the password, and set the number of characters in it to be large enough.
Effective way identification of addressed elements and user authentication is a challenge-response type algorithm, according to which the security system issues a password request to the user, after which he must give a specific answer to it. Since the moments of entering a request and answering it are unpredictable, this makes it difficult to guess the password, thereby ensuring higher reliability of protection.
Obtaining permission to access certain resources can be achieved not only through the use of a secret password and subsequent authentication and identification procedures. This can be done in a more detailed way, taking into account various features user operating modes, their powers, categories of requested data and resources. This method is implemented by special programs that analyze the relevant characteristics of users, the content of tasks, parameters of hardware and software, memory devices, etc.
Specific data related to the request entering the security system is compared during the operation of the security programs with the data entered in the registration secret tables (matrices). These tables, as well as programs for their formation and processing, are stored in encrypted form and are under the special control of the information network security administrator(s).
To differentiate the access of individual users to a very specific category of information, individual security measures for these files and special control of user access to them are applied. The security classification can be formed in the form of three-digit code words, which are stored in the file itself or in a special table. The same table records: the identifier of the user who created this file; identifiers of terminals from which the file can be accessed; IDs of users who are allowed access to this file, as well as their rights to use the file (reading, editing, erasing, updating, executing, etc.). It is important to prevent user interference when accessing files. If, for example, several users have the right to edit the same record, then each of them needs to save exactly his version of the edit (several copies of the records are made for the purpose of possible analysis and establishment of authority).
Protection of information from unauthorized access
To protect against foreign intrusion, certain security measures are required. The main functions that must be performed by software are:
– identification of subjects and objects;
– differentiation (sometimes complete isolation) of access to computing resources and information;
– control and registration of actions with information and programs.
The identification and authentication procedure involves checking whether the subject accessing (or the object being accessed) is who he claims to be. Such checks can be one-time or periodic (especially in cases of long work sessions). Various methods are used in identification procedures:
– simple, complex or one-time passwords;
– exchange of questions and answers with the administrator;
– keys, magnetic cards, badges, tokens;
– tools for analyzing individual characteristics (voice, fingerprints, geometric parameters of hands, face);
– special identifiers or checksums for equipment, programs, data, etc.
The most common identification method is password identification.
Practice has shown that password protection of data is a weak link, since the password can be eavesdropped or spied on, the password can be intercepted, or even simply guessed.
To protect the password itself, certain recommendations have been developed on how to make the password strong:
– The password must contain at least eight characters. The fewer characters a password contains, the easier it is to guess;
– do not use an obvious set of characters as a password, for example, your name, date of birth, names of loved ones or the names of your programs. It is best to use an unknown formula or quotation for these purposes;
– if the cryptographic program allows, enter the password with at least one space, a non-alphabetic character, or an uppercase letter;
– do not tell anyone your password, do not write it down. If you had to break these rules, hide the sheet in a locked box;
– change your password more often;
– do not enter a password into a dialog establishment procedure or macro command.
Remember that the password you type on the keyboard is often stored in the automatic logon command sequence.
To identify programs and data, checksums are often used, however, as in the case of password identification, it is important to exclude the possibility of forgery while maintaining the correct checksum. This is achieved by using sophisticated checksumming techniques based on cryptographic algorithms. Data protection from counterfeiting (counterfeit resistance) can be ensured by using various encryption methods and methods. digital signature based on public key cryptographic systems.
After completing identification and authentication procedures, the user gains access to the computer system, and information protection is carried out at three levels:
– equipment;
– software;
– data.
Protection at the hardware and software level provides for access control to computing resources: individual devices, RAM, operating system, special service or personal programs user.
Protection of information at the data level is aimed at:
– to protect information when accessing it while working on a PC and performing only authorized operations on them;
– to protect information during its transmission through communication channels between different computers.
Managing access to information allows you to answer the questions:
– who can perform what operations;
– what data are allowed to perform operations on.
The object to which access is controlled can be a file, a record in a file, or a single field in a file record, and the factors that determine the order of access are a specific event, data values, system state, user permissions, access history, and other data.
Event-driven access involves blocking the user's request. For example, at certain time intervals or when accessed from a specific terminal. State-dependent access depends on the current state of the computer system, control programs, and security systems.
As for authority-dependent access, it involves the user accessing programs, data, and equipment depending on the mode provided. Such modes can be: “read only”, “read and write”, “execute only”, etc.
Most access control tools rely on some form of access matrix view.
Another approach to building access protection tools is based on controlling information flows and dividing access subjects and objects into confidentiality classes.
Registration means, like access control means, are effective measures of protection against unauthorized actions. However, if access controls are designed to prevent such actions, then the task of registration is to detect actions that have already been taken or attempts to do so.
In general, a set of software and hardware tools and organized (procedural) solutions to protect information from unauthorized access (UNA) is implemented by the following actions:
– access control;
– registration and accounting;
– use of cryptographic means;
– ensuring the integrity of information.
The following forms of access control and delimitation can be noted, which are widely used in practice.
1. Access prevention:
– to the hard drive;
– to individual sections;
- To separate files;
– to catalogues;
– to flexible disks;
– to removable storage media.
2. Setting access privileges to a group of files.
3. Modification protection:
– files;
– catalogues.
4. Anti-destruction protection:
– files;
– catalogues.
5.Copy Prevention:
– files;
– catalogues;
– application programs.
6. Dimming the screen after a time set by the user.
The data protection tools are summarized in Fig. 15.
Rice. 15. Data protection measures
Copy protection
Copy protection prevents the use of stolen copies of software and is currently the only reliable means of both protecting the copyright of programmers and stimulating market development. Copy protection means are means that ensure that a program performs its functions only when a unique non-copyable element is identified. Such an element (called a key) can be a floppy disk, a certain part of a computer, or a special device connected to a PC. Copy protection is implemented by performing a number of functions that are common to all protection systems:
– identification of the environment from which the program will be launched;
– authentication of the environment from which the program is launched;
– reaction to launch from an unauthorized environment;
– registration of authorized copying;
– opposition to the study of system operation algorithms.
The environment from which the program will be launched means either a floppy disk or a PC (if the installation takes place on a hard drive). Identification of the environment consists of naming the environment in some way for the purpose of further authentication. To identify an environment means to assign to it some specially created or measured, rarely repeated and difficult to falsify characteristics - identifiers. Floppy disk identification can be done in two ways.
The first is based on causing damage to some part of the floppy disk surface. A common method of such identification is the “laser hole”. With this method, the floppy disk is burned in a certain place with a laser beam. Obviously, making exactly the same hole in a copy floppy disk and in the same place as on the original floppy disk is quite difficult.
The second identification method is based on non-standard formatting of the floppy disk.
The response to a launch from an unauthorized environment usually boils down to issuing an appropriate message.
Protecting information from destruction
One of the tasks of ensuring security for all cases of using a personal computer is to protect information from destruction that can occur during the preparation and implementation of various recovery measures (reservation, creation and updating of the insurance fund, maintaining information archives, etc.). Since the reasons for the destruction of information are very diverse (unauthorized actions, software and equipment errors, computer viruses, etc.), taking safety measures is mandatory for everyone who uses personal computers.
The danger must be specifically noted computer viruses. Many computer users (PC) know about them well, and those who are not yet familiar with them will soon become acquainted. A computer virus is a small, rather complex, carefully composed and dangerous program that can independently reproduce, transfer itself to disks, attach itself to other people’s programs and be transmitted over information networks. A virus is usually created to disrupt the operation of a computer in various ways - from the “harmless” issuance of a message to erasing or destroying files.
The bulk of viruses are created by people, hooligan programmers, mainly to stroke their pride or make money by selling antiviruses. Antivirus is a program that detects or detects and removes viruses. Such programs can be specialized or universal. What is the difference between a universal antivirus and a specialized one? The specialized one is able to fight only against already written, working viruses, while the universal one can fight against viruses that have not yet been written.
Most antivirus programs are specialized: AIDSTEST, VDEATH, SERUM-3, ANTI-KOT, SCAN and hundreds of others. Each of them recognizes one or more specific viruses without reacting in any way to the presence of others.
Universal antiviruses are designed to combat entire classes of viruses. Universal antiviruses are quite different in purpose. Wide Application found by resident antiviruses and audit programs.
Both antivirus programs have certain capabilities - positive and negative (disadvantages) characteristics. Specialized ones, despite their simplicity, are too narrowly specialized. With a significant variety of viruses, an equal variety of antiviruses is required.
In addition to using antivirus programs to protect against viruses, organizational security measures are also widely used. To reduce the danger of viral attacks, it is possible to take certain actions, which can be reduced or expanded for each specific case. Here are some of these actions:
1. Inform all employees of the enterprise about the dangers and possible damage in the event of virus attacks.
2. Do not carry out official relations with other enterprises for the exchange (receipt) of software. Prohibit employees from bringing “outside” programs to install them in information processing systems. Only officially distributed programs should be used.
3. Prohibit employees from using computer games on PCs processing confidential information.
4. To reach third parties information networks allocate a separate special place.
5. Create an archive of copies of programs and data.
6. Periodically check by checksumming or comparison with “clean” programs.
7. Install information security systems on especially important PCs. Use special antivirus products.
Software protection information – This is a system of special programs included in the software that implement information security functions.
Information security tools- is a set of engineering, electrical, electronic, optical and other devices and devices, instruments and technical systems, as well as other material elements used to solve various problems of information protection, including preventing leaks and ensuring the security of protected information.
In general, the means of ensuring information security in terms of preventing intentional actions, depending on the method of implementation, can be divided into groups:
Software tools are distinguished according to the degree of distribution and availability; other tools are used in cases where it is necessary to provide an additional level of information protection.
| Firewalls | ||
|---|---|---|
| Free | Ashampoo FireWall Free Comodo Core Force Online Armor PC Tools PeerGuardian Sygate ZoneAlarm | |
| Proprietary | Ashampoo FireWall Pro AVG Internet Security CA Personal Firewall Jetico Kaspersky Microsoft ISA Server Norton Outpost Trend Micro Windows Firewall Sunbelt WinRoute | |
| Hardware | Fortinet Cisco Juniper Check Point | |
| FreeBSD | Ipfw IPFilter | |
| MacOS | NetBarrier X4 | |
| Linux | Netfilter (Iptables Firestarter Iplist NuFW Shorewall) | |
Hardware protection includes various electronic, electronic-mechanical, and electro-optical devices. To date, a significant number of hardware devices for various purposes have been developed, but the most widespread are the following:
To protect the perimeter of the information system, the following are created: security and fire alarm systems; digital video surveillance systems; access control and management systems (ACS). Protection of information from leakage by technical communication channels is ensured by the following means and measures: the use of shielded cable and the laying of wires and cables in shielded structures; installation of high-frequency filters on communication lines; construction of shielded rooms (“capsules”); use of shielded equipment; installation active systems noise; creation of controlled zones.
Financial Dictionary
Technical, cryptographic, software and other means designed to protect information constituting state secrets, the means in which they are implemented, as well as means of monitoring the effectiveness of information protection. EdwART.... ... Dictionary of emergency situations
Information security tools- technical, cryptographic, software and other means designed to protect information constituting state secrets, the means in which they are implemented, as well as means of monitoring the effectiveness of information protection...
Information security software means special programs, included in the CS software exclusively to perform protective functions.
The main software tools for information security include:
It must be understood that by identification, in relation to ensuring the information security of a computer system, we mean the unambiguous recognition of the unique name of the subject of the computer system. Authentication means confirming that the name presented corresponds to a given subject (confirming the authenticity of the subject)5.
Information security software also includes:
The advantages of information security software include:
Rice. 4
Rice. 5
The disadvantages of information security software include:
Security at the operating system level
The operating system is the most important software component of any computer, therefore the overall security of the information system largely depends on the level of implementation of the security policy in each specific OS.
Operating room family Windows systems 2000, Millenium - these are clones, initially aimed at working on home computers. These operating systems use protected mode privilege levels but do not do any additional checks and do not support security descriptor systems. As a result, any application can access the entire amount of available RAM with both read and write rights. Measures network security are present, however, their implementation is not up to par. Moreover, in Windows versions XP, a fundamental mistake was made that made it possible to remotely cause the computer to freeze in just a few packets, which also significantly undermined the reputation of the OS; in subsequent versions many steps were taken to improve the network security of this clone6.
Operating system generation Windows Vista, 7 is already a much more reliable development by MicroSoft. They are truly multi-user systems that reliably protect files of different users on the hard drive (however, data is not encrypted and the files can be read without problems by booting from the disk of another operating system - for example, MS-DOS). These operating systems actively use the capabilities of protected mode Intel processors, and can reliably protect the data and process code from other programs, unless the process itself wants to provide additional access to them from outside the process.
Over a long period of development, many different network attacks and security errors were taken into account. Corrections for them were released in the form of service packs.
Another branch of clones grows from the UNIX operating system. This OS was initially developed as a network and multi-user OS, and therefore immediately contained information security tools. Almost all widespread UNIX clones have gone through a long development process and, as they were modified, took into account all the attack methods discovered during this time. They have proven themselves quite well: LINUX (S.U.S.E.), OpenBSD, FreeBSD, Sun Solaris. Naturally, all of the above applies to latest versions these operating systems. The main errors in these systems no longer relate to the kernel, which works flawlessly, but to system and application utilities. The presence of errors in them often leads to the loss of the entire safety margin of the system.
Main components:
Local Security Administrator - responsible for unauthorized access, checks user permissions to log in, supports:
Audit - checking the correctness of user actions
Account Manager - database support for users of their actions and interactions with the system.
Security monitor - checks whether the user has sufficient access rights to the object
Audit log - contains information about user logins, records work with files and folders.
Authentication package - analyzes system files to ensure that they have not been replaced. MSV10 is the default package.
Windows XP added:
you can assign passwords for archived copies
File replacement protection tools
delimitation system ... by entering a password and creating an account of user records. Archiving can be carried out by a user who has such rights.
NTFS: access control to files and folders
In XP and 2000 there is a more complete and deeper differentiation of user access rights.
EFS - provides encryption and decryption of information (files and folders) to limit access to data.
Cryptographic protection methods
Cryptography is the science of ensuring data security. She is looking for solutions to four important security problems - confidentiality, authentication, integrity and participant control. Encryption is the transformation of data into an unreadable form using encryption-decryption keys. Encryption allows you to ensure confidentiality by keeping information secret from those to whom it is not intended.
Cryptography deals with the search and study of mathematical methods for transforming information (7).
Modern cryptography includes four major sections:
symmetric cryptosystems;
public key cryptosystems;
systems electronic signature;
key management.
The main areas of use of cryptographic methods are the transfer of confidential information via communication channels (for example, Email), establishing the authenticity of transmitted messages, storing information (documents, databases) on media in encrypted form.
Disk encryption
An encrypted disk is a container file that can contain any other files or programs (they can be installed and launched directly from this encrypted file). This disk is accessible only after entering the password for the container file - then another disk appears on the computer, recognized by the system as logical and working with it is no different from working with any other disk. After disconnecting the disk, the logical disk disappears; it simply becomes “invisible”.
Today, the most common programs for creating encrypted disks are DriveCrypt, BestCrypt and PGPdisk. Each of them is reliably protected from remote hacking.
Common features of the programs: (8)
User identification methods
Before gaining access to the computer, the user must identify himself, and network security mechanisms then authenticate the user, i.e., check whether the user is who he claims to be. In accordance with the logical model of the protection mechanism, the aircraft are located on a working computer, to which the user is connected through his terminal or in some other way. Therefore, identification, authentication and authorization procedures are performed at the beginning of the session on the local desktop computer.
In the future, when various network protocols and before gaining access to network resources, identification, authentication and authorization procedures may be re-enabled on some remote worker computers to host the required resources or network services.
When a user starts working on a computing system using a terminal, the system asks for his name and identification number. In accordance with the user's answers, the computer system identifies him. In a network, it is more natural for objects establishing mutual communication to identify each other.
Passwords are just one way to verify authenticity. There are other ways:
If someone wishes to log into a computing system through a terminal or execute a batch job, the computing system must authenticate the user. The user himself, as a rule, does not verify the authenticity of the computer system. If the authentication procedure is one-sided, such a procedure is called one-way object authentication (9).
Specialized information security software.
Specialized software tools for protecting information from unauthorized access generally have better capabilities and characteristics than built-in network OS tools. In addition to encryption programs, there are many other external information security tools available. Of the most frequently mentioned, the following two systems should be noted that allow limiting information flows.
Firewalls - firewalls (literally firewall - fire wall). Special intermediate servers are created between the local and global networks, which inspect and filter all network/transport level traffic passing through them. This allows you to dramatically reduce the threat of unauthorized access from outside to corporate networks, but does not eliminate this danger completely. A more secure version of the method is the masquerading method, when all traffic originating from the local network is sent on behalf of the firewall server, making the local network practically invisible.
Proxy-servers (proxy - power of attorney, trusted person). All network/transport layer traffic between the local and global networks is completely prohibited - there is simply no routing as such, and calls from the local network to the global network occur through special intermediary servers. It is obvious that with this method, access from the global network to the local one becomes impossible in principle. It is also clear that this method does not provide sufficient protection against attacks at higher levels - for example, at the application level (viruses, Java and JavaScript code).
Let's take a closer look at how the firewall works. This is a method of protecting a network from security threats posed by other systems and networks by centralizing access to the network and controlling it through hardware and software. A firewall is a protective barrier made up of several components (for example, a router or gateway that runs the firewall software). The firewall is configured in accordance with the organization's access control policy. internal network. All incoming and outgoing packets must pass through the firewall, which allows only authorized packets to pass through.
A packet filtering firewall is a router or computer running software configured to reject certain types of incoming and outgoing packets. Packet filtering is carried out based on the information contained in the TCP and IP headers of packets (sender and recipient addresses, their port numbers, etc.).
Expert level firewall - checks the contents of received packets at three levels of the OSI model - network, session and application. To accomplish this task, special packet filtering algorithms are used to compare each packet with a known pattern of authorized packets.
Creating a firewall relates to solving the problem of shielding. The formal formulation of the screening problem is as follows. Let there be two sets of information systems. A screen is a means of delimiting access of clients from one set to servers from another set. The screen carries out its functions by controlling all information flows between two sets of systems (Fig. 6). Stream control consists of filtering them, possibly performing some transformations.
At the next level of detail, it is convenient to think of a screen (semi-permeable membrane) as a series of filters. Each of the filters, having analyzed the data, can delay (not miss) it, or can immediately “throw” it off the screen. In addition, it is possible to transform data, transfer a portion of data to the next filter to continue analysis, or process data on behalf of the recipient and return the result to the sender (Fig. 7).
Rice. 7
In addition to access control functions, screens record information exchange.
Usually the screen is not symmetrical; the concepts of “inside” and “outside” are defined for it. In this case, the shielding task is formulated as protecting the internal area from a potentially hostile external one. Thus, firewalls (FiW) are most often installed to protect the corporate network of an organization that has access to the Internet.
Shielding helps maintain the availability of internal domain services by reducing or eliminating the load caused by external activity. The vulnerability of internal security services is reduced, since the attacker must initially overcome the screen where the protective mechanisms are configured especially carefully. In addition, the shielding system, in contrast to the universal one, can be designed in a simpler and, therefore, safer way.
Shielding also makes it possible to control information flows directed to the external area, which helps maintain the confidentiality regime in the organization's information system.
Shielding can be partial, protecting certain information services (for example, email shielding).
A limiting interface can also be thought of as a type of shielding. An invisible target is difficult to attack, especially with a fixed set of weapons. In this sense, the Web interface has natural security, especially when hypertext documents are generated dynamically. Each user sees only what he is supposed to see. An analogy can be drawn between dynamically generated hypertext documents and representations in relational databases, with the significant caveat that in the case of the Web, the possibilities are much wider.
The screening role of a Web service is clearly manifested when this service performs intermediary (more precisely, integrating) functions when accessing other resources, for example, database tables. This not only controls the flow of requests, but also hides the real organization of the data.
Architectural Security Aspects
It is not possible to combat the threats inherent in the network environment using universal operating systems. The Universal OS is a huge program that most likely contains, in addition to obvious errors, some features that can be used to illegally gain privileges. Modern programming technology does not allow you to do this large programs safe. In addition, an administrator dealing with a complex system is not always able to take into account all the consequences of the changes made. Finally, in a universal multi-user system, security holes are constantly created by the users themselves (weak and/or rarely changed passwords, unsuccessful established rights access, unattended terminal, etc.). The only promising path is associated with the development of specialized security services, which, due to their simplicity, allow formal or informal verification. A firewall is just such a tool, allowing further decomposition associated with servicing various network protocols.
The firewall is located between the protected (internal) network and the external environment (external networks or other segments of the corporate network). In the first case we talk about external ME, in the second - about internal ME. Depending on your point of view, an external firewall can be considered the first or last (but not the only) line of defense. The first is if you look at the world through the eyes of an external attacker. The latter - if we strive to protect all components of the corporate network and suppress illegal actions of internal users.
The firewall is an ideal place to embed active auditing capabilities. On the one hand, at both the first and last defensive line, identifying suspicious activity is important in its own way. On the other hand, ME is capable of implementing an arbitrarily powerful reaction to suspicious activity, up to and including breaking the connection with the external environment. However, you need to be aware that connecting two security services could, in principle, create a gap that could facilitate accessibility attacks.
It is advisable to entrust the firewall with the identification/authentication of external users who need access to corporate resources (supporting the concept of single sign-on to the network).
Due to the principles of defense echelons for defense external connections Usually two-component shielding is used (see Fig. 8). Primary filtering (for example, blocking packets of the SNMP control protocol, which is dangerous due to accessibility attacks, or packets with certain IP addresses included in the “black list”) is carried out by the border router (see also the next section), behind which there is a so-called demilitarized zone ( a network with moderate security trust, where the organization’s external information services are located - Web, email, etc.) and the main firewall that protects the internal part of the corporate network.
Theoretically, a firewall (especially an internal one) should be multi-protocol, but in practice the dominance of the TCP/IP protocol family is so great that supporting other protocols seems like an overkill that is detrimental to security (the more complex the service, the more vulnerable it is).
Rice. 8
Generally speaking, both external and internal firewalls can become a bottleneck as the volume of network traffic tends to grow rapidly. One approach to solving this problem involves dividing the firewall into several hardware parts and organizing specialized intermediary servers. The primary firewall can roughly classify incoming traffic by type and delegate filtering to appropriate intermediaries (for example, an intermediary that analyzes HTTP traffic). Outgoing traffic is first processed by an intermediary server, which can also perform functionally useful actions, such as caching pages of external Web servers, which reduces the load on the network in general and the main firewall in particular.
Situations where a corporate network contains only one external channel are the exception rather than the rule. On the contrary, a typical situation is when a corporate network consists of several geographically dispersed segments, each of which is connected to the Internet. In this case, each connection must be protected by its own shield. More precisely, we can consider that the corporate external firewall is composite, and it is necessary to solve the problem of consistent administration (management and auditing) of all components.
The opposite of composite corporate firewalls (or their components) are personal firewalls and personal shielding devices. The first are software products that are installed on personal computers and only protect them. The latter are implemented on individual devices and protect a small local network, such as a home office network.
When deploying firewalls, you should adhere to the principles of architectural security we discussed earlier, first of all taking care of simplicity and manageability, the echelon of defense, and the impossibility of transitioning into an insecure state. In addition, not only external but also internal threats should be taken into account.
Archiving and duplication systems
Organizing a reliable and efficient data archiving system is one of the most important tasks in ensuring the safety of information on the network. IN small networks where one or two servers are installed, the most common method is to install an archiving system directly into the free slots of the servers. In large corporate networks It is most preferable to organize a dedicated specialized archiving server.
Such a server automatically archives information from hard drives servers and workstations at the time specified by the administrator of the local computer network, issuing a report on the backup performed.
Storage of archival information of particular value must be organized in a special secured room. Experts recommend storing duplicate archives of your most valuable data in another building, in case of fire or natural disaster. To ensure data recovery in the event of magnetic disk failures, disk array systems have recently been most often used - groups of disks operating as single device compliant with the RAID (Redundant Arrays of Inexpensive Disks) standard. These arrays provide the highest speed of writing/reading data, the ability to completely restore data and replace failed disks in “hot” mode (without disconnecting the remaining disks of the array).
The organization of disk arrays provides for various technical solutions implemented at several levels:
RAID Level 0 simply divides the data stream between two or more drives. The advantage of this solution is that the I/O speed increases in proportion to the number of disks used in the array.
RAID level 1 consists of organizing so-called “mirror” disks. During data recording, the information on the main disk of the system is duplicated on the mirror disk, and if the main disk fails, the “mirror” disk immediately comes into operation.
RAID levels 2 and 3 provide for the creation of parallel disk arrays, when written to which data is distributed across disks at the bit level.
RAID levels 4 and 5 are a modification zero level, in which the data stream is distributed across the array disks. The difference is that at level 4 a special disk is allocated to store redundant information, and at level 5 the redundant information is distributed across all disks of the array.
Increasing reliability and protecting data on a network, based on the use of redundant information, is implemented not only at the level of individual network elements, such as disk arrays, but also at the level of network operating systems. For example, Novell implements fault-tolerant versions of the Netware operating system - SFT (System Fault Tolerance):
Security analysis
The security analysis service is designed to identify vulnerabilities in order to quickly eliminate them. This service itself does not protect against anything, but it helps to detect (and eliminate) security gaps before an attacker can exploit them. First of all, we do not mean architectural ones (they are difficult to eliminate), but “operational” gaps that appeared as a result of administration errors or due to inattention to updating software versions.
Security analysis systems (also called security scanners), like the active audit tools discussed above, are based on the accumulation and use of knowledge. IN in this case This means knowledge about security gaps: how to look for them, how serious they are and how to fix them.
Accordingly, the core of such systems is a database of vulnerabilities, which determines the available range of capabilities and requires almost constant updating.
In principle, gaps of a very different nature can be identified: the presence of malware (in particular, viruses), weak user passwords, poorly configured operating systems, insecure network services, uninstalled patches, vulnerabilities in applications, etc. However, the most effective are network scanners(obviously due to the dominance of the TCP/IP protocol family), as well as antivirus tools (10). Antivirus protection We classify it as a security analysis tool, without considering it a separate security service.
Scanners can identify vulnerabilities both through passive analysis, that is, studying configuration files, involved ports, etc., and by simulating the actions of an attacker. Some detected vulnerabilities can be eliminated automatically (for example, disinfection of infected files), others are reported to the administrator.
The control provided by security analysis systems is reactive, delayed in nature, it does not protect against new attacks, however, it should be remembered that defense must be layered, and security control as one of the boundaries is quite adequate. It is known that the vast majority of attacks are routine in nature; they are only possible because known security holes remain unfixed for years.
Information security software are special programs and software packages designed to protect information in an information system.
Software tools include programs for user identification, access control, removal of residual (working) information such as temporary files, test control of the security system, and others. The advantages of software are versatility, flexibility, reliability, ease of installation, ability to be modified and developed.
Disadvantages - use of part of the resources of the file server and workstations, high sensitivity to accidental or intentional changes, possible dependence on the types of computers (their hardware).
Software protection software includes:
· built-in information security tools are tools that implement authorization and authentication of users (login to the system using a password), differentiation of access rights, software copy protection, correct data entry in accordance with a given format, and so on.
In addition, this group of tools includes built-in operating system tools to protect against the influence of the work of one program on the work of another program when the computer is operating in multi-program mode, when several programs can be simultaneously running in its memory, alternately receiving control as a result of interrupts that occur . In each of these programs, failures (errors) are possible, which may affect the performance of functions by other programs. The operating system handles interrupts and manages multiprogramming mode. Therefore, the operating system must protect itself and other programs from such influence, using, for example, a memory protection mechanism and distribution of program execution in privileged or user mode;
· security system management.
In order to create an optimal set of software and hardware information security tools, it is necessary to go through the following stages:
· identification of information and technical resources to be protected;
· identifying the full range of potential threats and information leakage channels;
· conducting an assessment of the vulnerability and risks of information in the presence of many threats and leakage channels;
· determination of requirements for the protection system;
· selection of information security tools and their characteristics;
· implementation and organization of the use of selected measures, methods and means of protection;
· monitoring integrity and managing the security system.
Information today is expensive and must be protected. Information is owned and used by all people without exception. Each person decides for himself what information he needs to receive and what information should not be available to others. To prevent the loss of information, various methods of technical protection are being developed, which are used at all stages of working with it, protecting it from damage and external influences.
Ministry of Education of the Saratov Region
Graduate work
Software and hardware information protection tools
Engels, 2014
Introduction
Rapidly developing computer information technologies are making significant changes in our lives. Information has become a commodity that can be purchased, sold, and exchanged. Moreover, the cost of information is often hundreds of times greater than the cost of the computer system in which it is stored.
The well-being and sometimes the lives of many people currently depend on the degree of security of information technologies. This is the price to pay for the increasing complexity and widespread distribution of automated information processing systems.
Information security refers to the security of an information system from accidental or intentional interference that harms owners or users of information.
In practice, three aspects of information security are most important:
· accessibility (the ability to obtain the required information service within a reasonable time);
· integrity (relevance and consistency of information, its protection from destruction and unauthorized changes);
· confidentiality (protection from unauthorized reading).
Violations of the availability, integrity and confidentiality of information can be caused by various dangerous impacts on computer information systems.
A modern information system is a complex system consisting of a large number of components of varying degrees of autonomy that are interconnected and exchange data. Almost every component can be exposed to external influences or fail. The components of an automated information system can be divided into the following groups:
hardware - computers and their components (processors, monitors, terminals, peripheral devices - disk drives, printers, controllers, cables, communication lines, etc.);
software - purchased programs, source, object, load modules; operating systems and system programs (compilers, linkers, etc.), utilities, diagnostic programs, etc.;
data - stored temporarily and permanently, on magnetic media, printed, archives, system logs, etc.;
personnel - maintenance personnel and users.
Hazardous effects on computer information system can be divided into accidental and intentional. An analysis of experience in the design, manufacture and operation of information systems shows that information is subject to various random influences at all stages of the system’s life cycle.
1. Information security software
Data protection tools that operate as part of software are called software. Among them are the following:
data archiving tools
antivirus programs
cryptographic means
means of identification and authentication of users
access controls
logging and auditing
Examples of combinations of the above measures include:
database protection
protection of information when working in computer networks.
1 Information archiving tools
Sometimes backups information processing has to be carried out with a general limitation of data hosting resources, for example, owners of personal computers.
In these cases, software archiving is used. Archiving is the merging of several files and even directories into a single file - an archive, while simultaneously reducing the total volume of source files by eliminating redundancy, but without loss of information, i.e. with the ability to accurately restore source files.
Most archiving tools are based on the use of compression algorithms proposed in the 80s.
Abraham Lempel and Jacob Ziv. The most well-known and popular archive formats are:
ZIP (Fig. 1.1), ARJ for DOS and Windows operating systems,
TAR for the Unix operating system,
cross-platform JAR format (Java ARchive),
Rice. 1.1. General form WinZip archiver.
RAR (Fig. 1.2) is used in DOS, Windows and Unix operating systems.
Rice. 1.2. General view of the WinRar archiver.
The user only needs to choose for himself suitable program, ensuring work with the selected format by assessing its characteristics - speed, compression ratio, compatibility with a large number of formats, user-friendliness of the interface, choice of operating system, etc.
It is also very important to establish a regular schedule for performing such data archiving work or to perform it after a major data update.
2 Antivirus programs
2.1 Computer viruses
Inexperienced users usually believe that a computer virus is a specially written small program that can “attribute” itself to other programs (i.e., “infect” them), as well as perform various unwanted actions on the computer. Computer virology specialists determine that the property of a virus is the ability to create its own duplicates (not necessarily identical to the original) and introduce them into computer networks and/or files, system areas of the computer and other executable objects. At the same time, duplicates retain the ability to further spread. It should be noted that this condition is not sufficient, i.e. final. That is why there is still no exact definition of the virus, and it is unlikely to appear in the foreseeable future.
Consequently, there is no precisely defined law by which “good” files can be distinguished from “viruses”. Moreover, sometimes even for a specific file it is quite difficult to determine whether it is a virus or not.
Based on their habitat, viruses can be divided into:
file;
boot;
macroviruses;
File viruses (Fig. 1.3) either inject themselves into executable files in various ways (the most common type of virus), or create duplicate files (companion viruses), or use organizational features file system(link-viruses).
Rice. 1.3. Virus in the MOUSE.COM file.
There are viruses that infect files that contain the source code of programs, library or object modules. It is also possible for a virus to be recorded in data files, but this happens either as a result of a virus error or when its aggressive properties manifest themselves. Macro viruses also write their code into data files - documents or spreadsheets - but these viruses are so specific that they are classified as a separate group.
Boot viruses (Fig. 1.4) infect the boot sector of a floppy disk and the boot sector or Master Boot Record (MBR) of a hard drive. The operating principle of boot viruses is based on algorithms for starting the operating system when the computer is turned on or rebooted - after the necessary tests of the installed hardware (memory, disks, etc.), the system boot program reads the first physical sector of the boot disk.
Rice. 1.4. Virus in boot record.
In the case of a floppy disk or CD, control is received by the boot sector, which analyzes the table of disk parameters and calculates addresses system files operating system, reads them into memory and launches them for execution.
In the case of a hard drive, control is received by a program located in the MBR of the hard drive. This program analyzes the Disk Partition Table, calculates the address of the active boot sector, loads it into memory and transfers control to it. Having received control, the active boot sector of the hard drive performs the same actions as the boot sector of a floppy disk.
Macro viruses infect document files and spreadsheets of several popular editors. Macro viruses are programs written in languages (macro languages) built into some data processing systems (text editors, spreadsheets, etc.).
Network viruses include viruses that actively use the protocols and capabilities of local and global networks to spread. The main operating principle of a network virus is the ability to independently transfer its code to a remote server or workstation. “Full-fledged” network viruses also have the ability to run their code on a remote computer or, at least, “push” the user to run an infected file. An example of network viruses is the so-called IRC worms.
There are a large number of combinations - for example, file-boot viruses that infect both files and boot sectors of disks. Such viruses, as a rule, have a rather complex operating algorithm, often use original methods of penetrating the system, and use stealth and polymorphic technologies. Another example of such a combination is a network macro virus, which not only infects documents being edited, but also sends copies of itself by email.
In addition to viruses, it is customary to distinguish several other types malware. This Trojans, logic bombs and worms. There is no clear distinction between them: Trojans can contain viruses, viruses can have logic bombs built into them, etc.
For their main purpose, Trojan programs (Fig. 1.5) are completely harmless or even useful. But when the user writes the program into his computer and runs it, it can silently perform malicious functions. Most often, Trojan programs are used to initially distribute viruses, to gain remote access to a computer via the Internet, to steal data or destroy it.
Rice. 1.5. Trojan program in Windows.
Worms are aimed at performing a specific function, such as infiltrating a system and modifying data. You can, say, create a worm program that sniffs the password to access the banking system and changes the database.
The widely known worm was written by Cornell University student Robert Morris. The Morris worm was launched onto the Internet on November 2, 1988 and was able to penetrate more than 6,000 computers within 5 hours.
Some worm viruses (for example, Code Red) do not exist inside files, but as processes in the memory of the infected computer. This prevents them from being detected by antiviruses that scan files and ignore the computer’s RAM.
2.2 Methods for detecting and removing computer viruses
Methods to counteract computer viruses can be divided into several groups: preventing viral infection and reducing the expected damage from such infection; methods of using antivirus programs, including neutralization and removal of known viruses; methods for detecting and removing an unknown virus.
Preventing computer infection.
Restoring damaged objects.
Antivirus programs.
2.2.1 Preventing computer infection
One of the main methods of combating viruses is, as in medicine, timely prevention. Computer prevention involves following a small number of rules, which can significantly reduce the likelihood of getting a virus and losing any data.
In order to determine the basic rules of computer hygiene, it is necessary to find out the main ways a virus penetrates a computer and computer networks.
The main source of viruses today is the global Internet. The largest number of virus infections occurs when exchanging letters. The user of an editor infected with a macro virus, without knowing it, sends infected letters to recipients, who in turn send new infected letters, etc. Conclusions - you should avoid contact with suspicious sources of information and use only legitimate (licensed) software products. Unfortunately, in our country this is not always possible.
2.2.2 Restoring affected objects
In most cases of virus infection, the procedure for restoring infected files and disks comes down to running a suitable antivirus that can neutralize the system. If the virus is unknown to any antivirus, then it is enough to send the infected file to antivirus manufacturers and after some time (usually several days or weeks) receive a cure - an “update” against the virus. If time does not wait, then you will have to neutralize the virus yourself. For most users, it is necessary to have backups of their information.
2.2.3 Classification of antivirus programs
Antivirus programs are the most effective in fighting computer viruses. However, I would like to immediately note that there are no antiviruses that guarantee one hundred percent protection against viruses, and statements about the existence of such systems can be regarded as either false advertising or unprofessionalism. Such systems do not exist, since for any antivirus algorithm it is always possible to propose a counter-algorithm for a virus that is invisible to this antivirus (the reverse, fortunately, is also true: for any virus algorithm it is always possible to create an antivirus).
The most popular and effective antivirus programs are antivirus scanners. They are followed in terms of efficiency and popularity by CRC scanners. Often both of these methods are combined into one universal antivirus program, which significantly increases its power. Various types of blockers and immunizers are also used.
2.2.4 Anti-virus scanners
The operating principle of anti-virus scanners is based on checking files, sectors and system memory and searching for known and new (unknown to the scanner) viruses. To search for known viruses, so-called “masks” are used. The mask of a virus is some constant sequence of code specific to this particular virus. If the virus does not contain a permanent mask, or the length of this mask is not long enough, then other methods are used.
Scanners can also be divided into two categories - “universal” and “specialized”. Universal scanners are designed to search for and neutralize all types of viruses, regardless of the operating system in which the scanner is designed to work. Specialized scanners are designed to neutralize a limited number of viruses or only one class of viruses, for example macro viruses. Specialized scanners designed only for macro viruses often turn out to be the most convenient and reliable solution for protecting document management systems in MS Word and MS Excel.
Scanners are also divided into “resident” (monitors, guards), which perform on-the-fly scanning, and “non-resident”, which scan the system only upon request. As a rule, "resident" scanners provide more reliable system protection, since they immediately respond to the appearance of a virus, while a "non-resident" scanner is able to identify the virus only during its next launch. On the other hand, a resident scanner can somewhat slow down the computer, including due to possible false positives.
The advantages of scanners of all types include their versatility; the disadvantages are the relatively low speed of virus scanning. The following programs are most common in Russia:
AVP - Kaspersky (Fig. 1.6),
Rice. 1.6. Kaspersky Anti-Virus 2010.
Dr.Weber - Danilova,
Norton Antivirus from Semantic.
1.2.2.5 CRC scanners
The operating principle of CRC scanners is based on calculating CRC sums (checksums) for files/system sectors present on the disk. These CRC sums are then stored in the antivirus database, as well as some other information: file lengths, dates of their last modification, etc. When subsequently launched, CRC scanners compare the data contained in the database with the actual calculated values. If the file information recorded in the database does not match the real values, then CRC scanners signal that the file has been modified or infected with a virus. CRC scanners using anti-stealth algorithms are quite a powerful weapon against viruses: almost 100% of viruses are detected almost immediately after they appear on the computer. However, this type of antivirus has an inherent flaw that significantly reduces their effectiveness. This disadvantage is that CRC scanners are not able to catch a virus at the moment it appears in the system, but do this only some time later, after the virus has spread throughout the computer. CRC scanners cannot detect a virus in new files (in email, on floppy disks, in files restored from a backup or when unpacking files from an archive), because their databases do not contain information about these files. Moreover, viruses periodically appear that take advantage of this “weakness” of CRC scanners and only infect again created files and thus remain invisible to them. The most used programs of this kind in Russia are ADINF and AVP Inspector.
2.2.6 Blockers
Anti-virus blockers are resident programs that intercept “virus-dangerous” situations and notify the user about it. “Virus-dangerous” include calls to open for writing to executable files, writing to boot sectors of disks or the MBR of a hard drive, attempts by programs to remain resident, etc., that is, calls that are typical for viruses at the moment of reproduction. Sometimes some blocker functions are implemented in resident scanners.
The advantages of blockers include their ability to detect and stop a virus at the earliest stage of its reproduction, which, by the way, can be very useful in cases where a long-known virus constantly “creeps out of nowhere.” The disadvantages include the existence of ways to bypass the protection of blockers and a large number of false positives, which, apparently, was the reason for the almost complete refusal of users of this kind of anti-virus programs.
It is also necessary to note such a direction of anti-virus tools as anti-virus blockers, made in the form of computer hardware components (“hardware”). The most common is built-in BIOS protection from writing to the MBR of the hard drive. However, as in the case of software blockers, such protection can be easily bypassed by direct writing to the disk controller ports, and launching the DOS utility FDISK immediately causes a “false positive” of the protection.
3 Cryptographic protection methods
The problem of protecting information by transforming it so that it cannot be read by an outsider has worried the human mind since ancient times. The history of cryptography is coeval with the history of human language. Moreover, writing itself was originally a cryptographic system, since in ancient societies only a select few mastered it. The sacred books of Ancient Egypt and Ancient India are examples of this.
Cryptographic methods of information protection are special methods of encrypting, encoding or otherwise transforming information, as a result of which its content becomes inaccessible without presentation of the cryptogram key and reverse transformation. The cryptographic method of protection is, of course, the most reliable method of protection, since the information itself is protected, and not access to it (for example, an encrypted file cannot be read even if the media is stolen). This protection method is implemented in the form of programs or software packages
Modern cryptography includes four major sections:
Symmetric cryptosystems. In symmetric cryptosystems, the same key is used for both encryption and decryption. (Encryption is a transformation process: the original text, which is also called plaintext, is replaced by ciphertext, decryption is the reverse process of encryption. Based on the key, the ciphertext is converted to the original)
Public key cryptosystems. Public key systems use two keys, a public key and a private key, that are mathematically related to each other. Information is encrypted using a public key, which is available to everyone, and decrypted using a private key, known only to the recipient of the message. (The key is the information necessary for the smooth encryption and decryption of texts.)
Electronic signature (Fig. 1.7). Electronic signature system. is called a cryptographic transformation attached to the text, which allows, when the text is received by another user, to verify the authorship and authenticity of the message.
Rice. 1.7. Electronic digital signature.
Key management. This is the process of information processing systems, the content of which is the compilation and distribution of keys between users.
The main areas of use of cryptographic methods are the transfer of confidential information through communication channels (for example, e-mail), establishing the authenticity of transmitted messages, storing information (documents, databases) on media in encrypted form.
4 Identification and authentication
Identification allows an entity - a user or process acting on behalf of a specific user - to identify itself by giving its name. Through authentication, the second party ensures that the subject is who he claims to be. The word "authentication" is sometimes used as a synonym for "authentication". A subject can prove their identity by presenting at least one of the following entities:
something he knows: a password, a personal identification number, cryptographic key and so on.,
something that he owns: a personal card or other device of a similar purpose,
something associated with it, such as coordinates
The main advantage of password authentication is simplicity and familiarity. Passwords have long been built into operating systems and other services. When used correctly, passwords can provide an acceptable level of security for many organizations. Nevertheless, based on the totality of their characteristics, they should be recognized as the weakest means of authentication. The strength of passwords is based on the ability to remember them and keep them secret. You can spy on your password entry. The password can be guessed using brute force, perhaps using a dictionary. If the password file is encrypted but readable, you can download it to your computer and try to guess the password by programming a brute force search.
Passwords are vulnerable to electronic interception - this is the most fundamental flaw that cannot be compensated for by improved administration or user training. Almost the only solution is to use cryptography to encrypt passwords before transmission over communication lines.
However, the following measures can significantly improve the reliability of password protection:
imposing technical restrictions (the password should not be too short, it should contain letters, numbers, punctuation marks, etc.);
managing password expiration dates and changing them periodically;
restricting access to the password file;
limiting the number of failed login attempts, which will make it more difficult to use brute force methods;
training and education of users;
the use of software password generators, which, based on simple rules, can generate only euphonious and, therefore, memorable passwords.
It is advisable to always apply the listed measures, even if, along with passwords, other authentication methods are used, based, for example, on the use of tokens.
A token (Fig. 1.8) is an item or device, the possession of which confirms the user’s authenticity. There are tokens with memory (passive, which only store but do not process information) and smart tokens (active).
The most common type of memory token is a card with a magnetic stripe. To use such tokens, you need a reader equipped with a keyboard and processor. Typically, the user types his personal identification number on this keyboard, after which the processor checks that it matches what is written on the card, as well as the authenticity of the card itself. Thus, a combination of two protection methods is actually used here, which significantly complicates the actions of an attacker.
It is necessary to process authentication information by the reader itself, without transferring it to a computer - this eliminates the possibility of electronic interception.
Sometimes (usually for physical access control) cards are used on their own, without requiring a personal identification number.
As you know, one of the most powerful tools in the hands of an attacker is to change the authentication program, in which passwords are not only checked, but also remembered for subsequent unauthorized use.
Smart tokens are characterized by the presence of their own computing power. They are divided into smart cards, ISO standardized and other tokens. Cards require an interface device; other tokens usually have a manual interface (display and keyboard) and resemble calculators in appearance. For the token to work, the user must enter their personal identification number.
Based on their operating principle, smart tokens can be divided into the following categories.
Dynamic password generation: the token generates passwords by periodically changing them. The computer system must have a synchronized password generator. Information from the token is received via an electronic interface or typed by the user on the terminal keyboard.
Challenge-response systems: The computer produces a random number, which is converted by a cryptographic mechanism built into the token, after which the result is returned to the computer for verification. It is also possible to use an electronic or manual interface here. In the latter case, the user reads the request from the terminal screen, types it on the token keyboard (perhaps a personal number is also entered at this time), and sees the answer on the token display and transfers it to the terminal keyboard.
5 Access control
Access controls allow you to specify and control the actions that subjects - users and processes - can perform on objects - information and other computer resources. It's about about logical access control, which is implemented by software. Logical access control is a fundamental mechanism in multi-user systems designed to ensure the confidentiality and integrity of objects and, to some extent, their availability by denying service to unauthorized users. The task of logical access control is to determine for each pair (subject, object) a set of permissible operations, depending on some additional conditions, and control the execution of the established order. A simple example of the implementation of such access rights is that some user (subject) logged into the information system received the right of access to read information from some disk (object), the right of access to modify data in some directory (object) and the absence of any rights access to other resources of the information system.
Access rights are controlled by different components software environment- operating system kernel, additional security features, database management system, intermediary software (such as transaction monitor), etc.
archiving information protection antivirus
2. Hardware information security
Hardware protection includes various electronic, electronic-mechanical, and electro-optical devices. To date, a significant number of hardware devices for various purposes have been developed, but the most widespread are the following:
· special registers for storing security details: passwords, identification codes, stamps or security levels;
· devices for measuring individual characteristics of a person (voice, fingerprints) for the purpose of his identification.
1 Hardware protection keys
For many years now, so-called hardware protection keys (Dongles) have been available on the market for protecting programs from unauthorized replication. Of course, companies selling such devices present them, if not as a panacea, then as a reliable means of countering computer piracy. But how serious of an obstacle can hardware keys be? Hardware protection keys can be classified according to several criteria. If we consider possible connection types, there are, for example, keys to a printer port (LPT), a serial port (COM), a USB port, and keys connected to a special board inserted inside the computer.
When comparing keys, you can analyze the convenience and functionality of the accompanying software. For example, for some families of hardware keys, automatic protectors have been developed that allow you to protect the program “in one click,” but for some there are no such protectors.
Keys with memory. This is probably the simplest type of key. Memory keys have a certain number of cells from which reading is permitted. Some of these cells can also be written to. Typically, non-writable locations store a unique key identifier.
Once upon a time, there were keys in which there was no rewritable memory at all, and only the key identifier was available to the programmer for reading. But it is obvious that it is simply impossible to build serious protection on keys with such functionality. True, keys with memory are not able to withstand emulation. It is enough to read all the memory once and save it in the emulator. After this, it will not be difficult to correctly emulate responses to all requests to the key.
Thus, hardware keys with memory under given conditions are not capable of providing any advantages over purely software systems.
Keys with an unknown algorithm. Many modern hardware keys contain a secret data conversion function, on which the key's secrecy is based. Sometimes the programmer is given the opportunity to select constants that are the parameters of the transformation, but the algorithm itself remains unknown.
Checking for the presence of a key should be done as follows. When developing protection, the programmer makes several requests to the algorithm and remembers the responses received. These responses are encoded in some form in the program. During execution, the program repeats the same queries and compares the responses received with the stored values. If a mismatch is detected, it means that the program is not receiving a response from the original key.
This scheme has one significant drawback. Since a secure program is finite in size, the number of correct answers it can store is also finite. This means that it is possible to build a spreadsheet emulator that will know the correct answers to all queries, the results of which can be checked by the program.
Keys with timer. Some hardware key manufacturers offer models that have a built-in timer. But in order for the timer to work while the key is not connected to the computer, a built-in power source is required. The average life of the battery powering the timer is 4 years, and once it is discharged the key will no longer function properly. Perhaps it is precisely because of the relatively short lifetime that keys with a timer are used quite rarely. But how can a timer help improve security?
HASP Time keys provide the ability to find out the current time set on the clock built into the key. And the protected program can use the key to track the end of the test period. But it is obvious that the emulator allows you to return any timer readings, i.e. the hardware does not in any way increase the strength of the protection. A good combination is an algorithm associated with a timer. If the algorithm can be disabled at a certain day and time, it will be very easy to implement time-limited demo versions of programs.
But, unfortunately, neither of the two most popular hardware key developers in Russia provides such an opportunity. HASP keys produced by Aladdin do not support algorithm activation and deactivation. And Sentinel SuperPro keys, developed by Rainbow Technologies, do not contain a timer.
Keys with a known algorithm. In some keys, the programmer implementing the protection is given the opportunity to select one specific transformation from the many possible data transformations implemented by the key. Moreover, it is assumed that the programmer knows all the details of the selected transformation and can repeat the reverse transformation in a purely software system. For example, a hardware key implements a symmetric encryption algorithm, and the programmer has the ability to choose the encryption key to use. Of course, no one should be able to read the encryption key value from the hardware key.
In such a scheme, the program can transmit data to the input of the hardware key and receive in response the result of encryption on the selected key. But here a dilemma arises. If the program does not have an encryption key, then the returned data can only be checked in a tabular manner, and therefore to a limited extent. In fact, we have a hardware key with an algorithm unknown to the program. If the encryption key is known to the program, then you can check the correct processing of any amount of data, but it is also possible to extract the encryption key and build an emulator. And if such an opportunity exists, the enemy will definitely try to take advantage of it.
Keys with a programmable algorithm. A very interesting solution from the point of view of the strength of protection are hardware keys in which an arbitrary algorithm can be implemented. The complexity of the algorithm is limited only by the amount of memory and the key command system. In this case, to protect the program, an important part of the calculations is transferred to the key, and the adversary will not have the opportunity to record the correct answers to all queries or restore the algorithm from the verification function. After all, the check as such may not be performed at all - the results returned by the key are intermediate values in the calculation of some complex function, and the values supplied to the input depend not on the program, but on the data being processed.
The main thing is to implement such a function in the key so that the enemy cannot guess from the context exactly what operations are performed in the key.
2.2 Biometric security
Biometrics is a scientific discipline that studies methods of measuring various parameters of a person in order to establish similarities or differences between people and distinguish one specific person from many other people, or, in other words, a science that studies methods for recognizing a specific person based on his individual parameters.
Modern biometric technologies can and are used not only in serious security institutions, but also in everyday life. Why do we need smart cards, keys, passwords and other similar things if they can be stolen, lost, forgotten? The new information society requires us to remember many PIN codes, passwords, numbers for email, access to the Internet, to a website, to a phone... The list can be continued almost endlessly. Perhaps only your unique personal biometric pass - finger, hand or eye - can come to the rescue. And in many countries - an identity identifier, i.e. a chip with your individual biometric parameters, already embedded in your identity documents.
A biometric system, regardless of which technology it is built on, works on the following principle: first, a sample of a person’s biometric characteristics is recorded, and for greater accuracy, several samples are often taken. The collected data is processed and converted into digital code.
During identification and verification, the characteristics of the person being verified are entered into the system. They are then digitized and then compared with stored samples. Using some algorithm, the system identifies whether they match or not, and makes a decision on whether it was possible to identify the person based on the data presented or not.
Biometric systems can use physiological or behavioral characteristics. Physiological ones include fingerprints, the shape of the hand, facial characteristics, and the pattern of the iris. Behavioral characteristics include features or characteristic features of a person’s behavior that are acquired or appear over time; these can be the dynamics of a signature, the timbre of a voice, the dynamics of pressing keys, and even a person’s gait. Biometric systems are assessed according to two main parameters: errors of the first type - the probability of admitting a “stranger”, and errors of the second type - the probability of refusing a “friend”. Modern systems can provide a probability of error of the first type in the region of 0.001%, of the second - about 1-5%.
One of the most important criteria, along with the accuracy of identification and verification when developing systems, is the “friendliness” of each technology. The process should be quick and simple: for example, stand in front of a video camera, say a few words into the microphone, or touch the fingerprint scanner. The main advantage of biometric technologies is fast and simple identification without causing much inconvenience to a person.
Fingerprint identification is the most common and developed biometric technology. Up to 60% of biometric devices use it. The advantages here are obvious: each person’s fingerprints are unique in their pattern, even for twins they do not match. Scanners of the latest generations have become reliable, compact and very affordable. To take a fingerprint and further recognize a sample, three main technologies are used: optical, semiconductor and ultrasonic.
2.2.1 Optical scanners
Their work is based on optical imaging methods. - FTIR scanners (Fig. 2.1) use the effect of broken total internal reflection. In this case, the finger is illuminated, and a special camera is used to receive the light image.
Rice. 2.1. FTIR scanners.
Fiber optic scanners consist of a fiber optic matrix, each fiber of which is equipped with a photocell. The principle of obtaining a pattern is the recording of residual light passing through the finger to the scanner surface.
Electro-optical scanners (Fig. 2.2). A special electro-optical polymer uses a light-emitting layer to illuminate the fingerprint, which is captured using a special camera.
Rice. 2.2. Electro-optical scanners.
Non-contact scanners (Fig. 2.3). The finger is placed on a special hole in the scanner, and several light sources illuminate it from below. The reflected light is projected onto the camera through a converging lens. There is no contact with the surface of the reading device.
Rice. 2.3. Contactless scanners.
Roller-Style Scanners. When scanning, the user rolls a small transparent cylinder with their finger. It contains a static light source, a lens and a camera. As the finger moves, a series of photographs are taken of the papillary pattern in contact with the surface.
2.2 Semiconductor scanners
Their action is based on the use of the properties of semiconductors that change at the points of contact with the ridges of the papillary pattern. All semiconductor scanners use a matrix of sensitive microelements.
Capacitive scanners (Fig. 2.4) are based on the effect of changing the capacitance of the pn junction semiconductor device upon contact of the ridge of the papillary pattern and the element of the semiconductor matrix.
Rice. 2.4. Capacitive scanners.
Pressure scanners. When a finger is applied to the scanning surface, the protrusions of the papillary pattern exert pressure on a number of sensors of the matrix of piezoelectric elements, respectively, the depressions do not exert any pressure. The resulting stress matrix is converted into an image of the finger surface.
Thermal scanners - use sensors consisting of pyroelectric elements to record temperature differences and convert them into voltage. When you place your finger on the sensor, based on the difference in temperature between the protrusions of the papillary pattern and the temperature of the air in the depressions, a temperature map of the surface of the finger is built, which is converted into a digital image.
Radio frequency scanners (Fig. 2.5) - a matrix of sensitive elements is used, each of which works like a small antenna. A weak radio signal is sent to the scanned surface of the finger, each of the sensitive elements of the matrix receives the signal reflected from the papillary pattern. The magnitude of the EMF induced in each microantenna depends on the presence or absence of a papillary pattern ridge near it. The stress matrix thus obtained is converted into a digital fingerprint image.
Rice. 2.5. RF scanners
3. Protecting information when working on networks
Currently, data security issues in distributed computer systems very much attention is paid. Many information security tools have been developed for use on various computers with different operating systems. One of the areas is firewalls, designed to control access to information by users of external networks.
1 Firewalls and requirements for them
Firewalls (Fig. 3.1) can be thought of as a set of filters that analyze the information passing through them and make a decision: to let the information through or to block it. At the same time, events are recorded and alarms are generated if a threat is detected. Typically, shielding systems are made asymmetrical. For screens, the concepts of “inside” and “outside” are defined, and the task of the screen is to protect the internal network from a potentially hostile environment. In addition, the ME can be used as a corporate open part of the network, visible from the Internet. For example, many organizations use MEs to store open access data, such as information about products and services, files from FTP databases, error messages, and so on.
Rice. 3.1. Firewall.
When configuring firewalls, the main design decisions are predetermined by the security policy adopted by the organization. In the described case, it is necessary to consider two aspects of the security policy: the network service access policy and the firewall policy. When forming a policy for access to network services, the rules for user access to various services used in the organization must be formulated. The rule base for users describes when, which user (user group) can use which service and on which computer. The working conditions of users outside the organization’s local network, as well as the conditions for their authentication, are separately determined. The rule base for services describes the set of services passing through the firewall, as well as valid server client addresses for each service (service group). Firewall policies may favor security over ease of use, or vice versa. There are two main ones:
Everything that is not permitted is prohibited. Everything that is not prohibited is permitted.
In the first case, the firewall must be configured to block everything, and its operation must be ordered based on a thorough analysis of the danger and risk. This has a direct impact on users and they may generally view the screen as simply a nuisance. This situation forces increased demands on the performance of shielding systems and increases the relevance of such a property as the “transparency” of the firewall from the point of view of users. The first approach is more secure because it assumes that the administrator does not know which services or ports are safe, or what "holes" may exist in the kernel or software developer's application. Given that many software vendors are slow to publish discovered security-related flaws (as is typical for so-called proprietary software vendors, the largest of which is Microsoft), this approach is undoubtedly more conservative. In essence, it is an acknowledgment of the fact that ignorance can cause harm. In the second case, System Administrator works in a reactive mode, predicting what actions that could be taken by users or intruders that negatively impact security, and prepares protection against such actions. This essentially pits the firewall administrator against the users in an endless "arms race" that can be quite exhausting. The user may violate the security of the information system if he is not sure of the need for measures aimed at ensuring security
But in any case, a well-configured firewall is able to stop most known computer attacks.
Features of modern firewalls and their comparative characteristics are presented in Appendix 1.
Conclusion
You need to clearly understand that no hardware, software or any other solutions can guarantee absolute reliability and security of data in any organization. At the same time, the risk of losses can be significantly reduced with an integrated approach to security issues. Information security measures should not be designed, purchased or installed until appropriate analysis has been carried out by specialists. The analysis should provide an objective assessment of many factors (susceptibility to the occurrence of a malfunction, the likelihood of a malfunction, damage from commercial losses, etc.) and provide information to determine suitable means of protection - administrative, hardware, software, and others.
It is also worth paying great attention to internal threats. Even the most honest and dedicated employee can be a source of information leakage.
In my work, I reviewed the main software and hardware information security tools and their technical characteristics. In addition, we will conduct comparative analysis firewalls.
Bibliography
1. Galatenko V.A. "Information security standards. 2nd edition. Course of lectures. Textbook", publishing house: INTUIT.RU, 2009.
Tsirlov Valentin "Fundamentals of Information Security", publishing house: Phoenix, 2008.
Anin B. Protection of computer information. Series "Master". - St. Petersburg: BHV-Petersburg, 2009
Sklyarov D.V. Hardware protection keys // The art of protecting and hacking information. - St. Petersburg: BHV-Petersburg, 2009
Khorev P.B. "Software and hardware protection of information. Textbook", publishing house: FORUM, 2009.
Vorona V.A., Tikhonov V.A., “Access control and management systems”, publishing house: Politekhnika, 2009.
Kukharev G.A., “Methods and means of identifying a person,” publishing house: Politekhnika, 2008.
Terekhov A.A. Cryptographic information protection, Phoenix Publishing, 2009.
Ryabko B.Ya., Fionov A.N. - Cryptographic methods of information protection, publishing house: Hotline- Telecom, 2008
Babash A.V., Shankin G.L. Cryptography. - M.: Publishing house "SOLON-Press", 2009.
Laponina O.R. Cryptographic fundamentals of security. - M.: Publishing house "Internet University of Information Technologies - INTUIT.ru", 2008.
http://www.biometrics.ru
http://ru.wikipedia.org
14. Vlad Maksimov. Firewalls. Methods of organizing protection.
Application
Table 1.
Features of firewalls
|
Firewall type |
Principle of operation |
Advantages |
Flaws |
|
Shielding routers (packet filtering firewalls) |
Packet filtering is carried out in accordance with the IP header of the packet according to the criterion: what is not explicitly prohibited is allowed. The information analyzed is: - sender's address; - address of the recipient; - information about the application or protocol; - source port number; - recipient port number. |
Low cost Minimal impact on network performance Easy to configure and install Software transparent |
Vulnerability of the protection mechanism for various types network attacks, such as spoofing packet source addresses, unauthorized modification of packet contents Lack of event log support and audit tools in a number of products |
|
Screening gateway (ESG) |
Information exchange occurs through a bastion host installed between the internal and external networks, which makes decisions about the possibility of routing traffic. There are two types of ES: session and application level |
Lack of end-to-end transmission of packets in case of failures Enhanced, compared to EM, protection mechanisms that allow the use additional funds authentication, both software and hardware · Using the address translation procedure, which allows hiding the addresses of hosts in a closed network |
Use of only powerful bastion hosts due to the large volume of calculations Lack of “transparency” due to the fact that ES introduce delays in the transmission process and require authentication procedures from the user |
|
Shielding subnets (ES) |
An isolated subnet is created between the internal and public networks. Messages from the open network are processed by the application gateway and end up in the electronic signature. After successfully passing control at the electronic signature, they enter a closed network. Requests from a closed network are processed through the electronic signature in the same way. Filtering is based on the principle: what is not allowed is prohibited |
Possibility of hiding the address of the internal network · Increased reliability of protection · Possibility of creating large traffic between internal and open networks when using several bastion hosts in the electronic signature · "transparency" of work for any network services and any internal network structure |
Use of only powerful bastion hosts due to the large volume of calculations Maintenance (installation, configuration) can only be carried out by specialists |
Table 2.
Comparative characteristics of modern firewalls
|
Platform |
Company |
Peculiarities |
||
|
Solstice Firewall - 1 |
Integrated screen |
SunOS, UNIX, Solaris |
Sun Microsystems |
Implements a security policy: all data that does not have explicit permission is discarded. During operation, packet filters on gateways and servers generate records of all events and trigger alarm mechanisms that require an administrator's response. |
|
Milkyway Networks Corporation |
Does not use a packet filtering mechanism. Operating principle: that which is not expressly permitted is prohibited. Logs everything server actions, warns of possible violations. Can be used as a bidirectional gateway. |
|||
|
BorderWare Firewall Server |
Application Level Screening Gateway |
UNIX, Windows, DOS |
Secure Computing Corporation |
Security software that ensures operation under OS control (our own development). Allows you to record addresses, times, attempts, protocol used. |
|
ALF (Application Layer Filter) |
Application Level Screening Gateway |
SOS Corporation |
Can filter IP packets by addresses, port ranges, protocols and interfaces. An incoming package can be missed, eliminated, or sent to its address. |
|
|
ANS InterLock Service |
Application Level Screening Gateway |
ANS CO + RE Systems |
Uses intermediary programs for Telnet, FTR, HTTR services. Supports encryption of point-to-point connections, and hardware can be used as authentication means. |
|
|
Integrated screen |
SunOS, BSDI on Intel, IRIX on INDY and Challenge |
Uses time, date, address, port, etc. for analysis. Includes application layer middleware for Telnet, FTR, SMTP, X11, HTTP, Gopher, and other services. Supports most hardware authentication packages. |
||
|
Application Level Screening Gateway |
SunOS, BSDI, Solaris, HP-UX, AIX |
Global Internet |
A closed network is seen from the outside as a single host. It has intermediary programs for services: email, FTR protocol, etc. Registers all server actions and warns about violations. |
|
|
Application Level Screening Gateway |
Sterling Software |
It is a software product that protects information from unauthorized access when connecting closed and open networks. Allows you to record all server actions and warn about possible violations. |
||
|
CyberGuard Firewall |
Bi-directional end-to-end gateway (host-to-bastion as filter, application-level gateway or end-to-end screen) |
RISC platform, OS UNIX |
Harris Computer Systems Corporation |
Complex solutions were used, including UNIX OS security mechanisms and integrated network tools designed for RISC computers. The source address, destination address, etc. are used for analysis. |
|
Digital Firewall for UNIX |
Integrated screen |
Digital Equipment Corporation |
Pre-installed on Digital Alpha systems and providing shielding filter and application gateway capabilities. |
|
|
Eagle Enterprise |
Application Level Screening Gateway |
Implementation of Virtual Private Networking technology |
Includes application-level intermediary programs for FTR, HTTP, Telnet services. Registers all server actions and warns about violations. |
|
|
Firewall IRX Router |
Shielding router |
DOS, MS-Windows |
Allows you to analyze the network in order to optimize network traffic, securely connect the local network with remote networks based on open networks. |
|
|
Comprehensive firewall |
Intel x86, Sun Sparc, etc. |
Provides protection against hacker attacks such as address-spoofing (forgery of packet addresses) and represents a combination of network and application level protection tools. |
||
|
Firewall-1/VPN-1 |
Comprehensive firewall |
Intel x86, Sun Sparc, etc. |
Check Point Software Technologies |
Represents the open OPSEC API application interface. Provides: - identification of computer viruses; - URL scanning; - blocking Java and ActiveX; - support SMTP protocol; - HTTP filtering; - FTP protocol processing |
|
TIS Firewall Toolkit |
A set of programs for creating and managing firewall systems |
Trusted Information Systems |
Distributed in source code, all modules are written in C. The set is intended for expert programmers. |
|
|
Gauntlet Internet Firewall |
Application Level Screening Gateway |
UNIX, Secured BSD |
Trusted Information Systems |
Supports services: email, Web service, terminal services, etc. Features: encryption at the network level, protection against hacker attacks such as address-spoofing, protection against attempts to change routing. |
|
Multi-protocol firewall |
Various hardware platforms |
Network-1 Software and Technology |
Control is implemented at the frame, packet, channel and application level (for each protocol). Allows you to work with more than 390 protocols, makes it possible to describe any filtering conditions for subsequent work. |
|
|
Zastava-Jet |
Comprehensive firewall |
SPARC, Solaris, UNIX |
Jet Infosystems |
Implements a security policy: all data that does not have explicit permission is discarded. Has a Russian certificate for the second class of protection |
