Information security. Information and tools of its protection

Started by islamicvashikaran, Aug 10, 2022, 11:39 AM

Previous topic - Next topic

islamicvashikaranTopic starter

Information and its classification

Information can be classified into several types and, depending on the category of access to it, it is divided into public info, as well as information to which access is limited - confidential info and state secrets.



Information, depending on the order of its provision or distribution, is divided into information:

    freely redistributable
    Provided by agreement of the persons involved in the relevant relationship
    Which, in accordance with federal laws, is subject to provision or distribution
   

Purpose information is of the following types:

    Mass - contains trivial information and operates with a set of concepts that are understandable to most of the society.
    Special - contains a specific set of concepts that may not be understood by the bulk of community, but are necessary and understandable within a narrow social group where this information is used.
    Secret - access to which is provided to a narrow circle of people and through closed (secure) channels.
    Personal (private) - a set of info about a man that determines the social position and types of social interactions.


Information defence tools must be applied directly to information to which access is limited - this is a state secret and confidential data.



Confidential data is information to which access is restricted in accordance with the laws of the state and the rules that companies establish independently. The following types of confidential info can be distinguished:

    Personal confidential data: Information about the facts, events and circumstances of the private life of a citizen, allowing to identify his personality (private info), with the exception of information to be disseminated in the media in cases established by federal laws. The only exception is information that is distributed in the media.

    Judicial Confidential Data: On State Protection of Judges, Officials of Law Enforcement and Regulatory Agencies.
    Commercial confidential data: all types of information that is related to commerce (profit) and access to which is limited by law or information about the essence of an invention, utility model or industrial design before the official publication of information about them by the enterprise (secret developments, production technologies, etc.). ).


Personal data

The operator of personal data is a state body, municipal body, legal entity or individual, independently or jointly with other persons organizing and (or) carrying out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal info to be processed, actions (operations ) committed with personal data.

Processing of private info - any action (operation) or a set of actions (operations) performed using automation tools or without using such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.


In order to ensure the security and confidentiality of information, it is necessary to regulate what are the media, access to which is open and closed. Accordingly, methods and means of defense are also selected depending on the type of media.

Main information carriers:

    Printed and electronic media, social networks, other resources on the Internet;
    Employees of the organization who have access to information based on their friendships, family, professional ties;
    Communication means that transmit or store information: telephones, automatic telephone exchanges, other telecommunications equipment;
    Documents of all types: private, official, state;
    Software as an independent information object, especially if its version was developed specifically for a particular company;
    Electronic storage media that process info automatically.


Having determined what information is subject to protection, information carriers and possible damage during its disclosure, you can choose the necessary means of defense.


The legal level ensures compliance with state standards in the field of information security and includes copyright, decrees, patents and job descriptions.
    A well-built protection system does not violate the rights of users and the norms of data processing.
    The organizational level allows you to create regulations for the production of users with confidential information, select personnel, organize work with documentation and info carriers.
    The rules for the production of users with confidential information are called access control rules. The rules are set by the company's management together with the security service and the supplier who implements the security system. The goal is to create conditions for access to information resources for each user, for instance, the right to read, edit, transfer a confidential document.
    Access control rules are developed at the organizational level and implemented at the stage of work with the technical component of the system.
    The technical level is conditionally divided into physical, hardware, software and mathematical (cryptographic).


Information security tools

Means of information protection are usually divided into normative (informal) and technical (formal).

Informal means of information security

Informal means of information defense are normative (legislative), administrative (organizational) and moral and ethical means, which include: documents, rules, events.

Also, some of the laws listed above were given and discussed by us above, as the legal foundations of information security. Failure to comply with these laws entails threats to information security, which can lead to significant consequences, which in turn is punishable in accordance with these laws, up to criminal liability.


Organizational measures play an essential role in creating a reliable information protection mechanism. Since the opportunity of unauthorized use of confidential information is largely determined not by technical aspects, but by malicious actions. For example negligence, negligence and negligence of users or defense staff.

To reduce the impact of these aspects, a set of organizational, legal and organizational and technical measures is needed that would exclude or minimize the possibility of threats to confidential information.

In this administrative and organizational activity to protect information for security personnel, there is room for creativity.

These are architectural and planning solutions that allow you to protect meeting rooms and executive offices from eavesdropping, and the establishment of various levels of access to information.

From the point of view of regulating the activities of staff, it will be important to design a system of requests for access to the Internet, external e-mail, and other resources. A separate element will be the receipt of an electronic digital signature to enhance the security of financial and other information that is transmitted to government agencies via email channels.

Moral and ethical means include the moral norms or ethical rules that have developed in a community or a given team, the observance of which contributes to the defense of information, and their violation is equated to non-compliance with the rules of behavior in a society or team. These norms are not obligatory, as legally approved norms, however, their non-compliance leads to a drop in the authority, prestige of a man  or organization.

Formal means of information protection

Formal defense means are special technical means and software that can be divided into material, hardware, software and cryptographic ones.

Physical means of information protection are any mechanical, electrical and electronic mechanisms that operate independently of information systems and create barriers to access to them.

Locks, including electronic ones, screens, blinds are designed to create obstacles for the contact of destabilizing factors with systems. The group is supplemented by means of security systems, for instance, video cameras, video recorders, sensors that detect movement or an excess of the degree of electromagnetic radiation in the area where technical means for recording information are located.


Information security hardware means any electrical, electronic, optical, laser and other devices that are built into information and telecommunication systems: special computers, employee monitoring systems, server and corporate network defense. They prevent access to information, including by masking it.

Hardware includes: noise generators, network filters, scanning radios, and many other devices that "block" potential information leakage channels or allow them to be detected.

Information security software is a simple and composite program designed to solve problems related to information security.

An instance of complex solutions are DLP systems and SIEM systems.

DLP-systems ("Data Leak Prevention" literally "prevention of info leakage"), respectively, serve to prevent leakage, reformatting information and redirecting information flows.

SIEM-systems ("Security Information and Event Management", which means "Event Management and Information Security") provide real-time analysis of security events (alarms) coming from network devices and applications. SIEM is represented by applications, devices or services, and is also used for data logging and reporting for compatibility with other business data.

Software tools are demanding on the power of hardware devices, and additional reserves must be provided during installation.


Mathematical (cryptographic) - the implementation of cryptographic and shorthand info defense methods for secure transmission over a corporate or global network.

Cryptography is considered one of the most reliable ways to protect data, because it protects the information itself, and not access to it. Cryptographically converted information has a high degree of protection.

The introduction of cryptographic information defense means the creation of a software and hardware composite, the architecture and composition of which is regulated based on the needs of a particular customer, legal requirements, tasks and necessary methods, and encryption algorithms.

This may include software components of encryption (crypto providers), VPN organization tools, identity tools, tools for generating and verifying keys and digital signatures.

Encryption tools can support GOST encryption algorithms and provide the necessary cryptographic protection classes depending on the required degree of protection, regulatory framework and compatibility requirements with other, including external systems. At the same time, encryption tools provide defense for the entire set of information components, including files, directories with files, material and virtual storage media, entire servers and info storage systems.

Having briefly considered the main methods and means of protecting information, as well as the classification of info, we can say the following: The fact that the well-known thesis is once again confirmed that ensuring information security is a whole range of measures that includes all aspects of defense information, the creation and provision of which must be approached most carefully and gravely .

It is necessary to strictly observe and under no circumstances should the Golden Rule be violated - this is an integrated approach.

For a more observable representation of information security tools, precisely as an indivisible set of measures, are presented below in Figure 2, each of the bricks of which represents the defense of info in a certain segment, remove one of the bricks and a security threat will arise.
  •  

Рупорт

Generally, as practice shows, protecting info by erecting fences is a dead number. Information has the property of convolution. Whatever the size of the hole, everything flows through it at once.
In that inhuman conditions, noise tactics work much better. If, for instance, the client was treated for gonorrhea, then you can hide it by carefully stuffing anywhere information that he also had syphilis, AIDS, hepatitis, hemorrhoids, ringworm, psoriasis and bipolar.

Against the background of all this wealth, gonorrhea is easily lost. Sadly, the massive use of this tactic by a large number of players turns the info space into a garbage dump.
  •