Methods and means of information protection

Размещено на http://www.allbest.ru/

Размещено на http://www.allbest.ru/

SAINT-PETERSBURG UNIVERSITY OF MINISTRY OF THE INTERIOR OF RUSSIA

DEPARTMENT OF FOREIGN LANGUAGES

ESSAY

METHODS AND MEANS OF INFORMATION PROTECTION

Performed by cadet:

Mordovina Anastasiya

Faculty: 3

Group : 324

Supervised by

PhD Pugachova S.A.

Saint-Petersburg

2016



Introduction

Development of new information technologies and computerization have led to that information security is not only becomes mandatory, it also one of the characteristics of IP. There is quite a wide class of systems processing the information in the design safety factor which plays the primary role (eg, banking information systems).

Under Security ICs understood security system against accidental or intentional interference with the normal process of its operation, from attempted theft (unauthorized receipt) information, modification or physical destruction of its components. In other words, the ability to counteract various disturbing influences on IP.

Threatened the security of information refers to an event or action, which can lead to distortion or even unauthorized use the destruction of information resources of the controlled system, as well as software an hardware.

If we start from the classical treatment of any cybernetic model controlled system, the disturbing influence on it can be random character. Therefore, among the threats to the security of information should be made available as a of threats to casual or inadvertent. Their source may be the failure of hardware, misconduct of employees EC or its users, inadvertent errors in the software and etc. Such threats should also be kept in the account, since damage from them may be significant. However, in this chapter the most attention is paid to threats deliberate, which, unlike the random seek to harm managed system or users. This is done quite often in order to obtain personal gain.

Man trying to disrupt the system or get information unauthorized access to information, usually called the intruder and sometimes "Computer pirates" (hacker).

In their illegal actions aimed at mastering the secrets of others, cracks tend to find such sources of confidential information, which would give them the most accurate information to the maximum extent with minimal cost to receive it. With the help of various kinds of tricks and set of techniques and tools are selected ways and approaches to such sources. Here, the information source is meant a material object, having certain information of specific interest to hackers or competitors.

Protection against deliberate threats - is a kind of competition defense and attack: who knows more, provides for effective measures, and the wins.

Numerous publications in recent years show that the abuse information circulating in the IP or transmitted over communication channels improved no less intensively than protective measures. Currently time to protect information requires not just the development of private mechanisms for the protection and realization of the systems approach, including set of interrelated measures (use of special technical and software, organizational activities, legal acts, moral and ethical countermeasures, etc.). The comprehensive nature protection stems from the complex actions of intruders seeking any means to obtain important information for them.

Today, it can be argued that the new born modern technology - information protection technology in computer information systems and data networks. The implementation of this technology requires increasing costs and efforts. However, it avoids much superior loss or damage that may arise during the implementation of the real threats to IP and IT.



1. Definition of information security

Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical)

2. Methods of information security in the IP

Obstacle;

Access Control;

Encryption mechanisms;

Resistance to attacks by malicious programs;

Regulation;

Coercion;

Motivation.

Hurdle - method of physical Barriers to the attacker to the protected information (hardware, storage media, etc.).

Access Control - methods of information protection regulation of the use of all resources of IP and IT. These methods should resist all possible ways of unauthorized access to information.

Access Control includes the following features protection:

Identification of users, staff and system resources (assigning each object personal identifier);

Identification (authentication) object or subject to being charged with the identifier;

Credentials Committee (confirmatory test day of the week, time of day, the requested resources and procedures established by the regulations);

The resolution and the creation of conditions of work within the established regulations;

Registration (logging) accesses to protected resources;

Response (alarm, shutdown, delay work, denial of the request, etc.) when attempting unauthorized actions.

Encryption mechanisms - closing cryptographic information. These methods of protection are increasingly used as a processing and data storage on magnetic media. When transferring information via communication channels large extent this is the only reliable method.

Opposition to attacks by malicious programs involves a variety of complex arrangements and the use of anti-virus programs. The objectives of the measures - is to reduce the likelihood of infection AIS, revealing the facts of infection; reducing the impact of information infections, containment or eradication of viruses; recovery of information in the IP. Mastering this set of measures and tools requires familiarity with the special literature.

Regulation - to create conditions of automated processing, storage and transmission of information to be protected, in which the norms and standards for the protection of the most performed.

Coercion - a method of protection in which users and IS personnel are forced to comply with rules for processing, transmission and use of protected information under the threat of physical, administrative or criminal liability.

Motivation - a method of protection, encourages users and IS staff not to disturb the established order at the expense of compliance with the prevailing moral and ethical standards.

The entire set of hardware is divided into hardware and physical.

Hardware - devices, embedded directly into computing, or device that is interfaced with it via a standard interface.

Physical agents include various engineering devices and structures that prevent physical penetration of malicious objects and protection of personnel engaged in the protection (personal security), material resources and finance, information on illegal activities. Examples of physical means: door locks, window bars, means of electronic security alarm system, etc.

Software - is special programs and software systems, designed to protect the information in the IP. As noted, many of them are fused to the IP software itself.

Means of software protection system to allocate another software implementing encryption mechanisms (cryptography). Cryptography - the science of ensuring the privacy and / or authenticity (authentication) transmitted messages.

Organizational measures carried out its complex regulation of industrial activity in the IP and the relationship of performers in the regulatory framework so that the disclosure, leakage and unauthorized access to confidential information becomes impossible or significantly impeded by carrying out organizational activities. The complex of measures implemented by a group of information security, but must be under the control of the first head.

Legal remedies are determined by legislative acts of the country, which regulates the rules for the use, processing and transmission of information with limited access and set penalties for violations of these rules.

Ethical remedies include all sorts of rules of conduct (which have traditionally been developed previously), down with the spread of IP and IT in the country and in the world, or specially designed. Moral and ethical standards may be unwritten (eg honesty) or decorated in a vault (charter) rules or regulations. These rules usually are not legally approved, but because of their non-compliance leads to a decline in the prestige of organization, they are considered binding. A typical example of such regulations is the Code of Professional Conduct of the Association of computer users USA.

3. Security technology

If you use any information technology should pay attention to the availability of data protection software, computer systems.

Data security involves ensuring the reliability of data and the protection of data and programs from unauthorized access, copy, modify.

The accuracy of the data is controlled at all stages of the process operation EIS. Distinguish visual and program control methods. Visual inspection is performed on domashinnom and final stage. Software - to intraengine stage. When this control is required when entering data, their adjustment, ie, wherever there is user intervention in the computational process. Controlled by the individual details, records, group records, files. Software controls the accuracy of data uploaded to the detailed design stage.

Protection of data and programs from unauthorized access, copying, modification implemented hardware and software methods and technological methods. For software and hardware protection include passwords, electronic keys, electronic ID, electronic signature, means of encoding, decoding data. For encoding, decoding data, programs, and e-signatures are used cryptographic techniques. For example, in the United States applies a cryptographic standard developed by a group of IETF. He is not subject to export. Developed including domestic electronic keys, for example, Novex Key to protect applications and data in the systems Windows, DOS, Netware. Remedies are similar, according to experts, door locks. Castles hacked, but no one removes them from the door, leaving the apartment open.

Process control is the organization of multi-level system of software protection and data as a means of checking passwords, electronic signatures, electronic keys, hidden tags file, use software products that meet the requirements of computer security, and visual methods and software control accuracy, integrity, completeness of the data. information ip access protection

Safety data depends on the security of computer systems. The computer system is a set of hardware and software, various types of physical media, data itself, as well as personnel servicing these components.

Currently, the United States developed a standard safety assessments of computer systems - fitness assessment criteria. It takes into account four types of computer system requirements:

Requirements for security policy - security policy;

Accounting of use of computer systems - accounts;

Trust in computer systems;

Documentation requirements.

Requirements for consistent security policy and accounting of computer systems depend on each other and provide the means laid down in the system, ie, security issues included in the hardware and software at the design stage.

Breach of trust to computer systems, as a rule, is caused by a breach of Culture program development: the rejection of structured programming, nonexclusion plugs uncertain input, etc. To test the confidence you need to know the application architecture, the rules of its maintain stability, the test case.

Documentation requirements mean that the user must have full information on all issues. In this case, the documentation should be concise and clear.

Only after the safety assessment of a computer system, it can be marketed.

During operation, the IP greatest harm and losses bring viruses. Protection against viruses can be arranged as well as protection against unauthorized access. Protection technology is layered and comprises:

1. Input control of new software or diskettes, which carried a group of specially selected detectors, auditors and filters. For example, the group can include Scan, Aidstest, TPU8CLS. You can spend a quarantine mode. This creates an accelerated computer calendar. Each subsequent experiment introduces a new date and a deviation in the old software. If the deviation is not present, no virus was detected.

2. Segmentation of the hard disk. In this case, a separate partition is assigned to the attribute Read Only. Can be used for segmentation, such as program, etc. Manager.

3. The systematic use of resident programs, auditors and filters for monitoring the integrity of information, such as Check21, SBM, Antivirus2 etc.

4. Archiving. Him to be, and system and application software. If one computer is used by several users, it is desirable daily backup. For archiving, you can use PKZIP and others.

The effectiveness of software protection depends on the validity of user actions that can be performed incorrectly or with malicious intent. Therefore, you should take the following organizational security measures:

General regulation of access, including system passwords and segmentation of the hard drive;

Training of the personnel protection;

Ensuring the physical security of your computer and magnetic media;

Development of rules archiving;

Storage of individual files in encrypted form;

Creation of a recovery plan hard drive and corrupted information.

To encrypt files and copy protection developed many programs, such as Catcher, Exeb and others. One method of protection is a hidden file label: label (password) is written in the sector on the disk that can not be read together with the file, and the file is placed with other sector, thus the file can not be opened without the knowledge of the mark.

Restoration of the information on your hard drive - a difficult task, accessible system programmers with high skills. It is therefore desirable to have multiple sets of floppy disks to archive the hard drive and maintain cyclic recording on these kits. For example, to record three diskettes can use the principle of "Week-Month-Year." Periodically to optimize the layout of files on your hard drive using a utility Speed Disk, etc., which greatly facilitates their recovery.

4. Methods and means of information protection

Creation of information security systems (SIS) in the IP and IT based on the following principles: Systematic approach to building security systems, means optimum combination of interrelated organizational software ,. hardware, and other physical properties confirmed the practice of creating domestic and foreign systems of protection and apply all stages of the processing cycle information.

The principle of continuous development of the system. This principle, which is one of fundamental to computer information systems, is even more relevant for NIB. Methods of threats of information in IT are continuously improved, and because IP security can not be a one-time act. Is This continuous process, which consists in the justification and implementation of the most rational methods, techniques and ways to improve the NIB, continuous monitoring, identifying its narrow and weaknesses of potential leakage paths information and new ways of unauthorized access.

Separation of powers and the minimization of access to the work information and procedures for processing, ie. e. to provide both users and the employees themselves ICs minimum strictly defined powers sufficient to the performance of their official duties.

Completeness of monitoring and recording unauthorized access, ie. e. the necessity of ascertaining the identity of each user and logging its actions for possible investigation, as well as impossibility of any operation in the information processing without its IT pre-registration.

Ensuring the reliability of the protection system, ie. E. The impossibility of reducing level of reliability in the event of a system failure, failures, intentional

Action cracker or unintentional errors users and service personnel. Monitoring the functioning of the system of protection, ie, creation means and methods of controlling health protection mechanisms. Providing all kinds of means to combat malware.

Ensuring the economic viability of the system. Protection resulting in possible damage exceeds IP and IT threats from the sale of cost of development and operation of the SIS. As a result, problem-solving information security IP and advanced IT must have the following key features:

the availability of information of varying degrees of confidentiality;

providing cryptographic protection of information developed

degree of personal privacy in data transmission;

hierarchical authority entities access to programs to

IP and IT components (file servers, communication channels, etc.); .

Be sure to control the flow of information both in local networks

and transmission via communication over long distances;

existence of a mechanism of registration and recording of unauthorized

access events in the IP and the documents being printed;

Always ensure the integrity of software and

information in IT;

availability of funds recovery system for information security; *

obligatory consideration of magnetic media;

the presence of physical security of computer and magnetic

carriers;

Availability of special services information system security.

When considering the possible structure of the CIB traditional approach - allocation of support subsystems.

System information security, as well as any IP should have certain types of proprietary software, based on which she will be able to fulfill its objective function.

1. Legal provision - a set of laws, legal documents, regulations, instructions, manuals, requirements which are mandatory within the scope of their activities in the protection of information.

2. Organizational support. It is understood that the implementation of information security is carried out certain structural units, such as for example security services firm and its components structure: mode, security, etc..

3. The provision of information, including the information, data, performance parameters underlying solving providing operation of the SIS. This may include as indicators of access, accounting, storage and information support of various computational problems nature relating to the activities of security.

4. Technical (hardware) software. Widely assumed the use of technical means for the protection of information and for support of the NIB.

5. Software. Refers to a variety of information, accounting, statistical and computational programs to ensure the presence and the danger of leakage of different channels and methods of unauthorized access information.

6. Mathematical Software. This - mathematical methods, used for various calculations related to technical hazard assessment means by which attackers zones and regulations necessary protection.

7. Linguistic support. Special set of linguistic resources communication specialists and users in the field of information security.

8. Regulatory and methodological support. This includes rules and regulations the activities of, services, facilities, realizing functions of information security; different kinds of techniques that provide users with activity performance of the work under tight compliance requirements Privacy. Normative and methodological support can be merged with the legal.

It should be noted that all of the protective measures currently playing a leading role arrangements. This raises the question of the organization of service security. The implementation of security policies require security setting, management system protection and control operation of IP.

As a rule, task management and control are solved administrative group, composition and size of which depends on the specific conditions. Very often, this group includes security administrator, security manager and operators. As the world's largest Internet network attacks on computer systems rolled like a tsunami, knowing neither national boundaries nor racial or social differences. Is a constant struggle of intelligence, as well as organization system administrators and ingenuity of hackers.

Developed by Microsoft in the operating system Windows.NT as the basis of IP is becoming more common. And of course, hackers all over the world pay attention to it.

As more reports of vulnerabilities in Windows NT Corporation Microsoft quickly creates first patch (hotfixes), and then packs (Service packs), to help protect the operating system. As a result, Windows NT is constantly changing for the better. In particular, it appears more more opportunities, networking, really protected unauthorized access to information. Methods and tools of information security:

Hurdle - method of physical Barriers to the attacker to protected information (the hardware, storage media, etc.).

Access Control - methods of information protection regulation Use all the resources of IP and IT. These methods should resist all possible ways of unauthorized access to information.

Access control includes the following security features:

* identification of users, staff and system resources (assignment each object personal identifier);

* identification (authentication) object or subject to ID against them;

* authorization check (checking compliance with the day of the week, time of day; requested resources and procedures established by the regulations);

* resolution and the creation of conditions of work within the established regulations;

* registration (logging) appeals to protected resources;

* response (alarm, shutdown, delay work, the denial of the request etc.) when attempting unauthorized actions.

Encryption mechanisms - closing cryptographic information. These methods

Protection is being increasingly used as a processing and storage of information on magnetic media. When transmitting information through communication channels large the length of this method is the only reliable.

Opposition to attacks by malicious programs involves complex various institutional arrangements and the use of anti-virus programs. The objectives of the measures - is to reduce the likelihood of infection AIS Revealing the facts of infection; reducing the impact of information infections, containment or eradication of viruses; recovery of information in the IP.

Regulation - to create conditions of automated processing, storage and transmission of information to be protected, in which norms and standards Protection carried out the most.

Coercion - a method of protection in which users and IS staff forced to comply with rules for processing, transmission and use of the protected information under the threat of physical, administrative or criminal responsibility.

Motivation - a method of protection, encourages users and IS personnel are not violate the established procedures due to the prevailing moral and compliance ethical standards.

The entire set of hardware is divided into hardware and physical.

Hardware - devices built directly into computer equipment, or devices that are interfaced with her standard interface. Physical agents include various engineering and devices structures that prevent physical intruders objects protection and the protection of personnel engaged (personal funds security), material resources and finance, information from unlawful action. Examples of physical means: door locks, window bars, means of electronic security alarm system, etc.

Software - is special programs and software systems, designed to protect information in the IP. As noted, many of them are merged with at the IP. Means of software protection system is necessary to allocate more software means of implementing encryption mechanisms (cryptography) Cryptography - is the science of ensuring privacy and / or authenticity (authentication) transmitted messages.

Organizational measures carried out its complex regulation production activities in the IP and the relationship of performers in the regulatory framework so that the disclosure of, and leakage unauthorized access to confidential information becomes impossible or substantially more difficult due to the realization of organizational activities. The complex of measures implemented by a group of information security, but must be under the control of the first head.

Legal remedies are determined by legislative acts Countries that are governed by rules for the use, processing and transmission restricted information and establishes penalties for violation of these rules. Ethical remedies include all sorts of rules of conduct, which have traditionally been developed earlier, are formed with the spread of IP and IT in the country and in the world, or specially designed. Moral and ethical standards may be unwritten (eg, honesty) or decorated with a set of (Charter) rules or regulations. These rules typically are not legislative approval, but because of their non-compliance leads to a drop prestige of the organization, they are considered binding. Characteristic an example of such regulations is the Code of Professional Conduct for members Association of the US computer users.

Conclusions

Statistics show that in all countries the losses from malicious acts continuously increasing. And the main reasons for the losses associated not so much with lack of safety features such as, but with the absence of relationship therebetween, i.e. with the lack of implementation of the system approach. That Is Why need faster pace improve comprehensive protection

Размещено на Allbest.ru

...