Information security in banks: law and order. Means of protecting information in banking systems

Any documented information, misuse of which may cause damage to the Bank and/or the client who entrusted his information to the Bank, is subject to protection.

Such information includes:

1. All operations on the personal accounts of managers of appropriations (budget funds).

2. Dates on which institutions and organizations receive wages (under "salary" agreements).

3. Plans for control and audit work.

4. Acts of external and internal audits.

5. Information about the amounts received from a specific payer.

6. Correspondence with law enforcement agencies.

7. Information of an official nature, discussed during meetings held by managers.

8. Information constituting a commercial secret of enterprises, firms, banks and other economic entities.

9. Data about the software used to process the "operational day".

10. The document flow scheme of the "operational day".

11. The structure of automated systems, the procedure for administering the AS and the information resources to be protected, lists of passwords and names of active network equipment.

12. Description of information flows, the telecommunications topology of the Directorate, and the layout of AS elements.

13. The information security system.

14. Information about organizational and technical measures to protect information.

15. Staffing and number of bank employees.

16. Personal data about employees.

17. Information from the employee's personal file, employment record book, and personnel record card (form No. T-2).

18. Information about the income of a citizen and property belonging to him by right of ownership, data on wages and other employee benefits.

19. Materials of investigations into citizens' complaints and violations of labor discipline.

20. Other information relating to the activities of the bank, the restrictions on the dissemination of which are dictated by business necessity.

AS resources include data, information, software, hardware, facilities and telecommunications.

The information protection regime is established:

  • for information containing state secrets, by the bank's information security department in accordance with the Law of the Russian Federation "On State Secrets";
  • for confidential documented information, by the owner of the information resources on the basis of the Federal Law "On Information, Informatization and Information Protection".

1.4.2. Possible threats to protected information resources

The identified threats include:

1. Unauthorized access.

2. Intentional and unintentional failures in the operation of computer equipment, electrical equipment, etc., leading to the loss or distortion of information.

3. Interception, distortion or change of information transmitted through communication channels.

4. Illegal access to information.

1.4.3. Protection of information resources

Prevention of possible threats to protected information resources is carried out by:

1. From unauthorized access: by creating a system for protecting information from unauthorized access, which is a complex of software, hardware and organizational solutions.

Organizational decisions include:

  • ensuring physical protection of the facility where the protected AS is located, in order to prevent theft of computer equipment and information media, as well as unauthorized access to computer equipment and communication lines;
  • selection of the AS security class in accordance with the characteristics of information processing and the level of its confidentiality;
  • organization of the accounting, storage and issuance of information media, passwords and keys; maintenance of official documentation; acceptance of new software included in the AS; and monitoring of the technological process of processing confidential information;
  • development of appropriate organizational and administrative documentation.

Connection to global computer networks is carried out only after the actual need for such a connection has been established and the full range of protective measures has been implemented.

2. From intentional and unintentional failures in the operation of computer equipment, electrical equipment, etc., leading to loss or distortion of information.

The software necessary for the functioning of the information and telecommunication systems is compiled in a list, which must be approved for use by the head of the organization.

Installation of any programs on workstations is carried out only by IT specialists. Installation of software by users themselves is strictly prohibited.

In order to protect confidential information from distortion or destruction in the event of failures of computers and equipment, the protected information is backed up, and uninterruptible power supplies are used. The frequency and procedure of backup are determined by the LAN administrator, based on the need to preserve the information and the database software.

3. Interception, distortion or change of information transmitted through communication channels.

Transfer of confidential information marked "For official use" through open communication channels using e-mail, facsimile and any other types of communication without the use of encryption is prohibited.

E-mail is used to carry out the bank's document exchange with other organizations. After the working day, the rooms where the switching equipment is located are sealed and the doors are locked; access to them by unauthorized persons without the accompaniment of a responsible person is prohibited. (Unauthorized persons also include bank employees whose functional duties are not related to the operation of this equipment.)

Responsible persons regularly carry out a visual inspection of all telecommunications in order to detect, or prevent in time, attempts to connect special devices for intercepting information.

4. Illegal access to information.

In order to prevent illegal access to information, access to premises where information subject to protection is processed should be limited.

When organizing his workplace, the employee arranges the display screen in such a way as to make it difficult for unauthorized persons to view the information displayed on the screen.

When leaving their workplace for any reason, the employee must log out of the network or lock the monitor screen.

1.4.4. Virus Protection

What should be the anti-virus protection?

In general, anti-virus protection of a banking information system should be built according to a hierarchical principle:

  • corporate level services - 1st level of the hierarchy;
  • services of subdivisions or branches - the 2nd level of the hierarchy;
  • end user services - 3rd level of the hierarchy.

Services of all levels are combined into a single computer network (form a single infrastructure) through a local area network.

The company-wide services must operate continuously.

Management of all levels should be carried out by special personnel, for which centralized administration tools should be provided.

The anti-virus system should provide the following types of services:

at the corporate level:

  • receiving software updates and anti-virus databases;
  • managing the distribution of anti-virus software;
  • managing anti-virus database updates;
  • control over the operation of the system as a whole (receiving warnings about virus detections, regular receipt of comprehensive reports on the operation of the system as a whole);

at the department level:

  • updating the anti-virus databases of end users;
  • updating end-user anti-virus software, managing local user groups;

at the end-user level:

  • automatic anti-virus protection of user data.

Functional requirements

  • Remote control. The ability to manage the entire system from one workstation (for example, from the administrator's workstation).
  • Logging. Keeping work logs in a convenient customizable form.
  • Alerts. The protection system should be able to send notifications about occurring events.
  • System performance. It is necessary to regulate the level of load imposed by the anti-virus protection.
  • Protection against various types of viruses. It is necessary to ensure the possibility of detecting viruses in executable files, document macros. In addition, mechanisms for detecting viruses unknown to the software should be provided.
  • Permanent protection of workstations. Workstations must run software that checks files when they are opened and written to disk.
  • Automatic update of the anti-virus database. It should be possible to automatically receive updates to the anti-virus database and update the anti-virus database on clients.

General requirements

The software and hardware components of the anti-virus protection system must ensure the formation of an integrated computing environment that meets the following general principles for creating automated systems:

  • Reliability - the system as a whole must be able to continue to function regardless of the functioning of its individual nodes and must have the means to recover from failure.
  • Scalability - the anti-virus protection system should be formed taking into account the growth in the number of protected objects.
  • Openness - the system should be formed taking into account the possibility of extending and updating its functions and composition without disrupting the functioning of the computing environment as a whole.
  • Compatibility - support by the anti-virus software of the maximum possible number of network resources. The structure and functional features of the components should provide means of interaction with other systems.
  • Uniformity (homogeneity) - components should be standard, industrial systems and tools that have a wide scope of application and are proven by repeated use.

In addition, the system must provide regular updates of the anti-virus database used and contain mechanisms for detecting previously unknown viruses and macro viruses, as the most common and dangerous at present.

Requirements for the reliability and functioning of the system

  • The anti-virus protection system should not violate the logic of other applications used.
  • The system must provide the ability to return to the previous version of anti-virus databases.
  • The system must operate in the operating mode of the object (workstation/server) on which it is installed.
  • The system must provide notification to the system administrator in case of failures or detection of viruses.

1. At the first level, the connection to the Internet or to the communication provider's network is protected, that is, the firewall and mail gateways, since according to statistics about 80% of viruses enter from there. It should be noted that no more than 30% of viruses will be detected in this way, since the remaining 70% will be detected only during execution.

The use of antiviruses for firewalls today is reduced to filtering Internet access while simultaneously checking passing traffic for viruses.

The anti-virus scanning carried out by such products is very slow and has a rather low detection rate; therefore, when there is no need to filter the websites visited by users, the use of such products is not appropriate.

2. At the second level, file servers, database servers and collaboration system servers are protected, since they contain the most important information. An antivirus is not a substitute for backup tools, but without it you may encounter a situation where the backups are infected and the virus becomes active six months after the infection.

3. Finally, workstations are protected; although they do not contain important information, their protection can greatly reduce disaster recovery time.

In fact, all components of the banking information system involved in the transport and/or storage of information are subject to anti-virus protection:

  • file servers;
  • workstations;
  • workstations of mobile users;
  • backup servers;
  • e-mail servers.

Protection of workstations (including those of mobile users) should be carried out by anti-virus tools and workstation firewalls.

Firewall tools are designed primarily to protect mobile users working over the Internet, as well as to protect workstations on the company LAN from internal violators of the security policy.

Main features of firewalls for workstations:

  • control of connections in both directions;
  • allowing known applications to access the Internet without user intervention (autoconfiguration);
  • a per-application configuration wizard (only installed applications may show network activity);
  • making the PC invisible on the Internet (hiding ports);
  • preventing known hacker attacks and Trojan horses;
  • notifying the user of hacking attempts;
  • writing connection information to a log file;
  • preventing data defined as sensitive from being sent without prior notice;
  • preventing servers from receiving information without the user's knowledge (cookies).

Anti-virus protection of information systems is the most important and permanent function of the bank's overall economic security system. Temporary relaxations and deviations from the standards are unacceptable here. Regardless of the anti-virus protection solutions already in place at the bank, it is always useful to conduct an additional audit and evaluate the system through the eyes of an independent and competent expert.

INFORMATION SECURITY OF THE BANK

S.S. MYTENKOV

As you know, from the time of their appearance, banks have invariably aroused criminal interest. And this interest was associated not only with the storage of funds in credit institutions, but also with the fact that banks concentrated important and often secret information about the financial and economic activities of many people, companies, organizations and even states.

Nowadays, in connection with the general informatization and computerization of banking, the importance of information security for banks has increased many times over. Even 30 years ago, the object of information attacks was data on bank customers or on the activities of the bank itself. Such attacks were rare then, the circle of those who commissioned them was very narrow, and the damage could be significant only in special cases. Nowadays, as a result of the ubiquity of electronic payments, plastic cards and computer networks, and the rapidly growing popularity of services provided to customers through Internet technologies, the object of information attacks has become money itself, both the banks' and their clients'. Anyone can attempt theft; all that is needed is a computer connected to the Internet. Moreover, this does not require physically entering the bank: one can "work" thousands of kilometers away from it.

For example, in August 1995 the 24-year-old Russian mathematician Vladimir Levin, who operated using his home computer in St. Petersburg, was arrested in the UK. According to the Moscow representative office of Citibank, until then no one had been able to do this. The Citibank security service found out that an attempt had been made to steal 2.8 million dollars from the bank, but the control systems detected this in time and blocked the accounts. Vladimir Levin managed to steal only 400 thousand dollars, to collect which he went to England, where he was arrested.

The computerization of banking activities has made it possible to significantly increase the productivity of bank employees and introduce new financial products and technologies. However, progress in the technology of crimes was no less rapid than the development of banking technology.

Currently, over 90% of all crimes in this area are associated with the use of automated information processing systems of the bank (ASOIB). Therefore, when creating and modernizing ASOIB, banks need to pay close attention to ensuring its security.

It is this problem that is now the most relevant and, alas, the least studied. Whereas in physical and classical information security¹ long-established approaches have been developed (although development is taking place here too), the frequent radical changes in computer technology mean that ASOIB security methods require constant improvement and updating. As practice shows, there are no complex computer systems that do not contain errors. And since the ideology of building large ASOIBs changes regularly, fixing the errors and "holes" found in security systems has no lasting effect: a new computer system brings new problems and new errors, and an adequate restructuring of the security systems is required as well.

This problem is especially relevant in Russia. In Western banks, software (SW) is developed specifically for each bank, and the design of the ASOIB is largely a trade secret. In Russia, "standard" banking packages have become widespread, information about which is widely known, which facilitates unauthorized access to banking computer systems. Moreover, first, the reliability of "standard" software is lower because the developer does not always have a good understanding of the specific conditions in which the software will have to operate, and second, some Russian banking packages did not meet security requirements. For example, early versions (which are still in use today in small banks) of the most popular Russian banking package required a floppy drive in the PC and used a key floppy disk as the security tool. Such a solution is, first, technically unreliable, and second, one of the ASOIB security requirements is to disable disk drives and input-output ports on the computers of employees who do not work with external data.

¹ Classical information security is understood as a system of separation of access rights to information, measures to protect against eavesdropping, prevention of leaks by personnel and other measures not directly related to the ASOIB.

For banks (unlike other businesses), information security is critical. The development of banking information technologies (IT) should not be forgotten either, since it is these technologies that largely determine the bank's information security system.

Consider several diagrams (Fig. 1-6) that illustrate the main trends in the development of information technology management in commercial banks, based on the specialized international source Forrester Research, Inc. These diagrams were chosen at random and are valuable because they reflect what actually exists. It is therefore recommended to take them into account when choosing and shaping your own IT strategy.

The first trend that I would like to note is the increasing weight of economic parameters in decisions on the choice of projects (Fig. 1). The presented diagram shows that in 80% of cases the formal justification for starting a technology project is the return on investment or the payback period of the project.

Other trends relate to the changing role of the bank's IT department (Fig. 2). The presented data illustrate that the majority of respondents note an increase in cooperation with business units. There are also changes such as increased centralization and control, a focus on business results, and the introduction of new technologies and solutions. Only about 10% of respondents note the absence of any changes.

Fig. 1. Trends in approaches to project justification (survey question: "What formal justification process does your bank use to decide whether or not to start a technology project?"; response category shown: payback period)

NATIONAL INTERESTS: Priorities and Security

Fig. 2. Changing role of the IT department (response categories: growth of cooperation with business; strengthening of centralized control; increasing focus on business results; increasing focus on new technologies; no change)

The following graph (Fig. 3) illustrates the increasing involvement of the top management of banks in the process of making IT decisions. According to 40% of respondents, any IT project requires mandatory justification and coordination with top management, and the need for such coordination for projects worth more than 100 thousand dollars is recognized by about 87% of respondents.

Recently, there has been a significant increase in the share of third-party services, organizations are increasingly using outsourcing. At the same time, they tend to transfer almost all non-key business functions to third parties (Fig. 4). Today, on average, 28% of the IT budget goes to third-party solution and service providers, which cannot but affect security in general. About 40% of respondents say that they have transferred (in whole or in part) to other vendors such technology functions as development, support and operation of applications.

The following diagram (Fig. 5) shows trends in the change in the structure of the IT service and the baseline evaluation of its activities. Among the main trends are: increased centralization, the desire to better meet the interests of the business, and an increase in the number of standards used for IT control purposes. In most banks, data processing is carried out centrally in order to reduce costs and improve the efficiency of processes. In addition, there are other arguments in favor of such a decision: improving the efficiency of management and control, including the preparation of management reporting and the elimination of duplicated information, as well as the organization of information security; reducing the cost of equipment maintenance; staff reduction; and standardization of system and accounting procedures.

Fig. 3. Involvement of senior management in the IT decision-making process (survey question: "What kind of infrastructure technology projects require justification to senior management?"; answer categories range from "any projects" through project cost thresholds of $10,000 and more up to $10 million and more)

Fig. 4. Use of third-party services (outsourcing) (survey questions: "What percentage of your IT budget is dedicated to paying external technology providers?", today avg. 28%, in the next 2 years avg. 34%; "What technology functions do you provide to external vendors (at least in part)?", categories: technical supply; development, support and operation of web applications; development, support and operation of applications; users/workstations; infrastructure/back office)

Fig. 5. Trends in the structure and evaluation of IT departments (survey questions: "How will the organizational structure of your IT division change in the next two years?", categories: development of shared service centers; more control standards; greater business fit; centralization will increase; no, we cannot change any more; no, the existing structure fully meets the needs; "What metrics do you use to measure the success of IT activities and demonstrate their value?", categories: indicators focused on bank customers; cost reduction; business performance; only tactical indicators)

From the point of view of assessing the activities of information technology management, the use of tactical indicators is noted by the majority as the most common approach, while some commercial banks note indicators of business efficiency and cost reduction.

Another significant trend in information technology management is the increase in the speed of decision-making on the purchase of IT solutions: the vast majority of all decisions in this area are made in less than three months (Fig. 6).

As can be seen from the above, an IT strategy cannot be drawn up without an understanding of the business strategy and must be based on it. It is advisable to draw up a strategic plan in the form of two documents - a long-term strategy and a short-term one. A long-term strategy is drawn up for 3-5 years and includes relevant tasks and goals, a short-term one - for a period of 1 to 3 years.

Both documents should be updated regularly. For a long-term document, this can happen on a semi-annual basis, for a short-term document, on a quarterly basis. All updates are made in close cooperation with business managers and are agreed with the top management of the organization.

The IT strategy is approved by the top management of the bank based on the results of a joint preliminary study by the heads of the IT and business units. Such work is possible within the framework of meetings of the bank's information technology (or technical) committee.

Also, the most important element of strategic planning is control over execution. The strategy should not be a declarative document, and the main way to achieve this is to control its implementation, including by the top management of the bank, the information technology committee.

According to statistics, most of the crimes against banks are committed using insider information. In this regard, it is necessary to pay constant attention to ensuring information security in the field of work with personnel.

With the development and expansion of the scope of application of computer technology, the problem of ensuring the security of computer systems and protecting the information stored and processed in them from various threats is becoming more acute. There are a number of objective reasons for this.

The main one is the increased level of trust in automated information processing systems. They are entrusted with the most responsible work, on the quality of which the life and well-being of many people depend: computers control technological processes at enterprises and nuclear power plants and the movement of aircraft and trains, perform financial transactions, and process classified information.

Fig. 6. Speed of IT decision-making (categories: less than 1 year; less than 6 months; less than 3 months; less than a month; less than a week; values shown include 30% and 31%)

Today, the problem of protecting computer systems is becoming even more significant in connection with the development and spread of computer networks. Distributed systems and systems with remote access have highlighted the issue of protecting processed and transmitted information.

The availability of computer technology, and primarily personal computers, has led to the spread of computer literacy among the general population. This, in turn, caused numerous attempts to interfere in the work of state and commercial, in particular banking, systems, both with malicious intent and out of purely “sporting interest”. Many of these attempts were successful and caused significant damage to the owners of information and computing systems.

To a large extent, this applies to various commercial structures and organizations, especially those who, by the nature of their activities, store and process valuable (in monetary terms) information, which also affects the interests of a large number of people. In banks, when it comes to electronic payments and automated account management, such information in some way represents money.

It is quite difficult to create a complete picture of all the possibilities of protection, since there is still no unified theory of protection of computer systems. There are many approaches and points of view on the methodology of its construction. Nevertheless, serious efforts are being made in this direction, both in practical and theoretical terms, the latest achievements of science are being used, and advanced technologies are being attracted. Moreover, leading computer and software firms, universities and institutes, as well as large banks and international corporations are dealing with this problem.

Various options for protecting information are known, from a guard at the entrance to mathematically verified methods of hiding data from being read. In addition, one can speak of protection as a whole and of its particular aspects: protection of personal computers, networks, databases, etc.

It should be noted that there are no absolutely secure systems. One can speak of the reliability of a system, first, only with a certain probability, and second, only with respect to protection from a certain category of violators. Nevertheless, penetration into a computer system can be anticipated. Protection is a kind of competition between defence and attack: whoever knows more and provides more effective measures wins.

The organization of the ASOIB protection is a single set of measures that should take into account all the features of the information processing process. Despite the inconvenience caused to the user during operation, in many cases, protection measures may be absolutely necessary for the normal functioning of the system. The main disadvantages mentioned are:

1) additional difficulties of working with most secure systems;

2) increase in the cost of a secure system;

3) additional load on system resources, which will require an increase in working time to perform the same task due to slower access to data and execution of operations in general;

4) the need to attract additional personnel responsible for maintaining the health of the protection system.

It is difficult to imagine a modern bank without an automated information system. The computer on the desk of a bank employee has long become a familiar and necessary tool. The connection of computers with each other and with more powerful computers, as well as with computers of other banks, is also a necessary condition for the successful operation of the bank: the number of operations that must be performed in a short period of time is too large.

At present, a complex criminogenic situation is observed in the information sphere of the Russian Federation. The vulnerability of existing information systems and networks to various forms of improper influence has given rise to a wide range of criminal activity. In the period from 2000 to 2004, the number of crimes registered in Russia that were committed with the use of information technology increased by more than 9 times and last year exceeded 13 thousand. Moreover, it is necessary to take into account not only the amount of direct damage, but also the very expensive measures that are taken after successful attempts to hack into computer systems.

The services provided by banks today are largely based on the use of means of electronic interaction between banks, between banks and their customers, and between trading partners. At present, access to banking services has become possible from various remote points, including home terminals and office computers. This fact makes us move away from the concept of "locked doors" that was typical for banks in the 1960s, when computers were used in most cases in batch mode as an auxiliary tool and had no connection with the outside world.

Computer systems, without which no modern bank can operate, are a source of completely new, previously unknown threats. Most of them are due to the use of new information technologies in banking and are typical not only for banks. At the same time, it should be remembered that in many countries, despite the ever-increasing role of electronic processing systems, the volume of operations with paper documents is 3-4 times higher than with their electronic counterparts.

The level of equipment with automation tools plays an important role in the bank's activities and, therefore, directly affects its position and income. Increasing competition between banks leads to the need to reduce the time for making settlements, increase the range and improve the quality of services provided.

The less time settlements between the bank and its customers take, the higher the bank's turnover and, consequently, its profit. In addition, the bank will be able to respond more quickly to changes in the financial situation. A variety of bank services (first of all, this refers to the possibility of non-cash payments between the bank and its customers using plastic cards) can significantly increase the number of its customers and, as a result, increase profits.

Several facts can be cited to support this thesis:

Losses of banks and others financial institutions from impacts on their information processing systems amount to about 3 billion dollars. in year;.

losses associated with the use of plastic cards are estimated at 2 billion dollars a year, which is 0.03 to 2% of total payments depending on the system used;

27 million pounds sterling was stolen from the London branch of the Union Bank of Switzerland;

5 million marks were stolen from Chase Bank (Frankfurt): a clerk wired the money to a Hong Kong bank, taking it in small amounts from a large number of accounts (a "salami" attack); the theft succeeded;

3 million dollars were stolen from a Stockholm bank; the theft exploited the privileged position of several employees in the bank's information system and also succeeded.

To protect themselves and their customers, most banks take the necessary protective measures, among which protecting the ASOIB (the automated bank information processing system) is far from the last. It should be borne in mind that protecting a bank's ASOIB is an expensive and complex undertaking: Barclays Bank, for example, spends about 20 million dollars a year on protecting its automated system.

In the first half of 1994 the Datapro Information Services Group conducted a mail survey among randomly selected information systems managers to find out the state of affairs in the field of protection. 1,153 questionnaires were returned, and the following results were obtained:

1) about 25% of all incidents were natural disasters;

2) about half of the systems had experienced sudden interruptions of power or communications whose causes were man-made;

3) about 3% of the systems had experienced external violations (penetration of the organization's system from outside);

4) 70-75% were internal violations, of which:

- 10% were committed by offended and dissatisfied employees who were users of the bank's ASOIB;

- 10% were committed by system personnel out of selfish motives;

- 50-55% were the result of unintentional errors by personnel and/or users of the system, arising from carelessness, negligence or incompetence.

These figures show that the most frequent violations are not the spectacular ones, such as hacker attacks or the theft of computers holding valuable information, but the mundane ones that arise from daily activity. At the same time, it is deliberate attacks on computer systems that cause the greatest one-off damage, and measures against them are the most complex and expensive. Optimizing the protection of the ASOIB is therefore the most pressing problem in the information security of banks.

There are two aspects that distinguish banks from other commercial systems:

1. Information in banking systems is "live money" that can be received, transferred, spent, invested, and so on.

2. It affects the interests of a large number of organizations and individuals.

The information security of a bank is therefore a critical condition of its existence, and banking systems are subject to heightened requirements for the security of stored and processed information. Domestic banks will not be able to avoid total automation either, for the following reasons:

increased competition between banks;

the need to reduce settlement times;

the need to improve service.

In the USA, the countries of Western Europe and many others that faced this problem long ago, a whole industry of economic information protection has been created, including the development and production of secure hardware and software, peripherals, scientific research, and so on.

Information security is the most dynamic area of the security industry as a whole. Whereas physical security has a long tradition and well-established approaches, information security constantly demands new solutions, because computer and telecommunications technologies are constantly being updated and computer systems are being entrusted with ever more responsibility.

Statistics show that the vast majority of large organizations have a plan with information access rules as well as a disaster recovery plan. The security of electronic banking systems depends on a large number of factors that must be taken into account at the design stage. However, each type of banking operation, electronic payment or other exchange of confidential information has its own specific security features. Organizing the protection of banking systems is therefore a whole range of measures that must account both for general concepts and for these specifics.

Obviously, the automation and computerization of banking (and of monetary circulation in general) will continue to grow. The main changes in the banking industry over the past decades are associated with the development of information technology, and one can predict a further decline in cash turnover and a gradual shift to non-cash payments using plastic cards, the Internet and remote terminals for managing the accounts of legal entities.

Since the factors that determine crime trends in the field of information technology are unlikely to change significantly in the near future, no fundamental change in the criminal situation in the information sphere should be expected. If the annual growth in the number of recorded crimes stays at or below 30%, their number may exceed 200 thousand a year by 2015. The forecast need not come true, however, if adequate measures are taken, drawing on foreign experience.

Banks and everything connected with them have always been a target for all kinds of fraudsters. In our time these are crimes connected with electronic communications. As someone who tries to prevent them, I would like to shed some light on the issue and debunk the myth of the lone hacker who penetrates a bank's system and gains FULL access to its information resources.

To begin, consider the security of a computing complex. By the security of a system we mean its ability to resist attempts at penetration, unauthorized access, acquisition of rights and privileges, and destruction or distortion of information. We are most interested in internal security, that is, keeping the system functioning in its normal mode and ensuring the integrity, safety and confidentiality of information.

Analyzing the list of existing threats, the main directions of protection of banking systems can be identified:

    1. Physical protection, i.e. protection of equipment from mechanical damage, theft, and the installation of special equipment for picking up electromagnetic emanations.
    2. Protection against unauthorized access.
    3. Protection of electronic document flow, i.e. public-key encryption of all significant electronic correspondence.
    4. Antivirus protection: installation of a suite of specialized software that prevents malware from penetrating the computer network.

Having established what security is and settled the importance of providing it, let us turn to the means of protecting electronic systems.

Protective means include software, hardware, and combined hardware-software systems.

By their characteristics, the most reliable protection systems can be implemented only in hardware or in hardware-software combinations. This is because such systems are most often specialized, that is, they perform specific functions, which is a great advantage: it is much simpler to protect or test a specialized device than a universal one. Another advantage of specialized systems is that they allow blocks holding critical information to be isolated physically and logically. In addition, hardware-software systems provide reliable protection against modification, deletion or theft of information by system programmers or other highly qualified personnel. Hardware-software protection systems usually provide a function that erases secret information on any attempt at physical penetration into the hardware part of the system.

Taking economic efficiency into account, however, software-only protection is used more often, because the price of specialized hardware modules is quite high. With software tools you get a very flexible system that provides a sufficient level of protection at insignificant maintenance cost (compared with a hardware system). Another important advantage of a software implementation of protection is that it can be changed, made more complex or simpler, as the needs of security support dictate.

The following protection methods can be implemented with software:

    • Cryptographic transformation, i.e. encryption of information. The most common methods are DES and RSA. DES (Data Encryption Standard) is a standard for cryptographic transformation of data that IBM developed for its own needs and which later became a US federal standard. The DES algorithm is widely used all over the world; it is open and has been published. It is easy to understand, and its protection rests on the key, not on the secrecy of the algorithm. (Its 56-bit key is far too short by today's standards: it has been brute-forced publicly, and AES has since replaced DES as the US standard.) RSA is currently the most promising method, because it does not require a secret key to be delivered to other users in advance: data is encrypted with the first, public key and recovered with the second, private key. The main application of RSA at the moment is the protection of electronic document flow. An example is the SSL (Secure Sockets Layer) protocol, which provides secure data transmission over a network: SSL combines a public-key cryptosystem with a block cipher, using the former to establish the key for the latter. The only drawback of RSA is that its security rests on the unproven assumption that factoring large integers is hard, so there is no 100% guarantee of its reliability.
    • User authentication, i.e. verification of the login credentials a user enters. It is used to enforce access rights to information resources and rights to perform operations in the system.
    • Delimitation of user rights and privileges of access to information resources.
    • Control of information integrity, antivirus protection and audit, i.e. tracking the activity of users and of the software running in the system by registering predefined types of events in the security log, together with triggering specified responses or prohibiting execution.
    • Monitoring the operation of information security systems, both software and hardware, i.e. checking and controlling the protective mechanisms of the security system.
    • Backup and subsequent restoration of information.
    • Firewall: a system or combination of systems that creates a protective barrier between two or more networks and prevents intrusion into a private network. Firewalls act as a checkpoint for packets passing from one network to another.
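The audit item above says that predefined event types are registered in a security log and that some of them trigger a response. As an added illustration (not code from the original article or from any product it mentions), here is a small Go program that records events in a security log whose entries are chained with an HMAC over the previous entry, so that anyone who edits, removes or reorders an earlier entry breaks the chain, and that applies one response rule: three failed logins lock the account. The event type names, the lockout threshold and the key are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Event is one registered security event. The event type names used here
// (LOGIN_FAIL, LOGIN_OK, DB_EXPORT) are constructed for this example.
type Event struct {
	Seq  int
	Type string
	User string
	MAC  string // HMAC-SHA256 over (previous MAC | seq | type | user)
}

// AuditLog holds the chained events and the state of the response rule.
type AuditLog struct {
	key       []byte // must be kept out of reach of the administrators being audited
	events    []Event
	failCount map[string]int
	locked    map[string]bool
}

const lockAfterFailures = 3 // constructed threshold for the response rule

func NewAuditLog(key []byte) *AuditLog {
	return &AuditLog{key: key, failCount: map[string]int{}, locked: map[string]bool{}}
}

// mac binds an entry to its predecessor, so that editing, removing or
// reordering any earlier entry invalidates every later MAC.
func (l *AuditLog) mac(prev string, seq int, typ, user string) string {
	m := hmac.New(sha256.New, l.key)
	fmt.Fprintf(m, "%s|%d|%s|%s", prev, seq, typ, user)
	return hex.EncodeToString(m.Sum(nil))
}

// Record appends an event of a predefined type and applies the response
// rule. It reports whether the user is locked after this event.
func (l *AuditLog) Record(typ, user string) bool {
	prev := ""
	if n := len(l.events); n > 0 {
		prev = l.events[n-1].MAC
	}
	seq := len(l.events) + 1
	l.events = append(l.events, Event{Seq: seq, Type: typ, User: user, MAC: l.mac(prev, seq, typ, user)})

	switch typ {
	case "LOGIN_FAIL":
		l.failCount[user]++
		if l.failCount[user] >= lockAfterFailures {
			l.locked[user] = true // response: prohibit further logins
		}
	case "LOGIN_OK":
		l.failCount[user] = 0
	}
	return l.locked[user]
}

// Verify recomputes the chain and returns the sequence number of the first
// entry that fails, or 0 when the whole log is intact.
func (l *AuditLog) Verify() int {
	prev := ""
	for i, e := range l.events {
		want := l.mac(prev, e.Seq, e.Type, e.User)
		if e.Seq != i+1 || !hmac.Equal([]byte(want), []byte(e.MAC)) {
			return i + 1
		}
		prev = e.MAC
	}
	return 0
}

func main() {
	al := NewAuditLog([]byte("constructed-demo-key"))
	for i := 0; i < 3; i++ {
		fmt.Printf("LOGIN_FAIL ivanov -> locked=%v\n", al.Record("LOGIN_FAIL", "ivanov"))
	}
	al.Record("DB_EXPORT", "admin1")
	fmt.Println("first bad entry (0 = intact):", al.Verify())

	// An administrator rewrites entry 4 to hide who exported the database.
	al.events[3].User = "petrov"
	fmt.Println("first bad entry after tampering:", al.Verify())
}
```

The chain only helps if the MAC key is not available to the people whose actions it records: compute the MACs on a separate log collector, or replace the HMAC with a signature so that verification needs no secret on the bank's hosts. Silently dropping the newest entries is not detected by the chain itself, so the latest MAC should be copied periodically to write-once media or to a host the administrators cannot reach.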

The main disadvantage of protection systems built only on software is that an attacker who gains unauthorized access can analyze them. The possibility of devising ways to overcome or modify a software security suite therefore cannot be excluded.

To be continued...

Banking has always involved the processing and storage of a large amount of confidential data: first of all, personal data about customers, their deposits and all the transactions they carry out.

All commercial information stored and processed by credit institutions is exposed to a wide variety of risks: viruses, hardware failure, operating system failures, and so on. But these problems are not capable of causing truly serious damage. Daily backup, without which the operation of any enterprise's information system is unthinkable, reduces the risk of irretrievable loss of information to a minimum, and the methods of protection against these threats are well developed and widely known. The risks associated with unauthorized access (UA) to confidential information therefore come to the fore.

Unauthorized access is a reality

Today, three methods of stealing confidential information are the most common. The first is physical access to the places where it is stored and processed. There are many options here: attackers can break into a bank office at night and steal the hard drives with all the databases; even an armed raid is possible, whose purpose is not money but information; and a bank employee himself can carry a storage medium off the premises.

The second is the use of backups. In most banks, backup of important data is based on tape drives, which write the copies they create to magnetic tapes that are then stored in a separate location. Access to these is controlled much more loosely, and a relatively large number of people can copy them during transport and storage. The risks associated with backing up sensitive data cannot be underestimated. For example, most experts are sure that the Central Bank of the Russian Federation's transaction (posting) database that appeared on sale in 2005 was stolen precisely from copies taken from magnetic tapes. World practice knows many such incidents. In particular, in September last year employees of Chase Card Services (a division of JPMorgan Chase & Co.), a credit card issuer, mistakenly threw away five backup tapes containing information on 2.6 million Circuit City credit account holders.

The third and most likely way for confidential information to leak is unauthorized access by bank employees. When only the standard operating system tools are used to separate rights, users can often indirectly (with certain software) copy the databases they work with in full and take them out of the company. Sometimes employees do this without any malicious intent, simply to work with the information at home. Such actions are nevertheless a serious violation of security policy and can become (and do become!) the cause of disclosure of confidential data.

In addition, every bank has a group of people with elevated privileges on the local network: the system administrators. On the one hand, they need these privileges to perform their duties; on the other, they have the opportunity to gain access to any information and to cover their tracks.

Thus, a system for protecting banking information from unauthorized access should consist of at least three subsystems, each countering its own type of threat: a subsystem protecting against physical access to data, a subsystem securing backups, and a subsystem protecting against insiders. None of them should be neglected, since each threat can lead to disclosure of confidential data.

Is the law not written for banks?

Currently, the activities of banks are regulated by the federal law "On Banks and Banking Activity". Among other things, it introduces the concept of "bank secrecy": every credit institution is obliged to ensure the confidentiality of all data on customer deposits and is liable for their disclosure, including compensation for damage caused by a leak. At the same time, it imposes no requirements on the security of banking information systems. This means that banks take all decisions on protecting commercial data independently, based on the experience of their own specialists or of third-party companies (for example, those performing information security audits). The only recommendation is the standard of the Central Bank of the Russian Federation "Ensuring information security of organizations of the banking system of the Russian Federation. General provisions". It first appeared in 2004, and a new version was adopted in 2006. The current Russian and international information security standards were taken into account when this departmental document was created and revised.

The Central Bank of the Russian Federation can only recommend it to other banks; it cannot insist on mandatory implementation. Moreover, the standard contains few clear requirements that would determine the choice of specific products. It is certainly important, but at the moment it has little practical significance. On certified products, for example, it says only: "...certified or authorized means of protecting information from unauthorized access can be used." There is no corresponding list.

The standard also lists requirements for cryptographic means of protecting information in banks, and here the wording is clearer: "CIPF (cryptographic information protection facilities) ... must be implemented on the basis of algorithms that comply with the national standards of the Russian Federation, the terms of the contract with the counterparty and (or) the standards of the organization." Compliance of a cryptographic module with GOST 28147-89 can be confirmed by certification. Therefore, when using encryption systems in a bank, it is desirable to use software or hardware crypto providers certified by the Federal Security Service of the Russian Federation, that is, external modules that plug into the software and implement the encryption itself.

The federal law of the Russian Federation "On Personal Data", adopted in July last year, entered into force on January 1, 2007. Some experts expected it to bring more specific requirements for banking security systems, since banks are organizations that process personal data. However, the law itself, important as it is in general, is not currently applicable in practice: there are neither standards for protecting private data nor bodies that could enforce them. So at present banks remain free to choose their systems for protecting commercial information.

Physical access protection

Banks have traditionally paid great attention to the physical security of operating offices, vaults and the like, and all this reduces the risk of unauthorized access to commercial information through physical access. However, bank offices and the technical premises where servers are located are usually no better protected than the offices of other companies. To minimize the risks described, it is therefore necessary to use a cryptographic protection system.

There are many data encryption utilities on the market today, but the specifics of data processing in banks impose additional requirements on such software. First, the cryptographic protection system must implement transparent encryption: data in the main storage is always kept only in encrypted form, and the cost of routine work with it is minimized, since it does not need to be decrypted and re-encrypted every day. Access to the information goes through special software installed on the server, which automatically decrypts data when it is read and encrypts it before it is written to the hard drive. These operations take place directly in the server's RAM.

Secondly, banking databases are very large. A cryptographic protection system should therefore work not with virtual disks but with real hard drive partitions, RAID arrays and other server storage, such as SAN storage. Container files that can be mounted as virtual disks are not designed for large volumes of data: when a large virtual disk created from such a file is accessed by even a few people at once, read and write speeds drop noticeably, and several dozen people working on one large container file can be a real torment. Such objects are also at risk of corruption by viruses, file system crashes, and so on, because they are in fact ordinary, if rather large, files, and damage to the container's header, where its key material lives, can make all the information in it undecryptable. These two mandatory requirements significantly narrow the range of suitable products; in fact, there are only a few such systems on the Russian market today.

There is no need to consider the technical features of server systems for cryptographic information protection in detail, since we compared these products in one of the previous issues (Stolyarov N., Davletkhanov M. UTM-protection). But some features of such systems that are desirable for banks are worth noting. The first relates to the certification of the cryptographic module already mentioned: the corresponding software or hardware is already available in most banks, so the server protection system should allow it to be connected and used. The second special requirement is the ability to integrate with the physical security system of the office and/or server room, which protects information from unauthorized access arising from theft, break-in, and so on.

In banks, particular attention should be paid to the safety of information, since it is in effect the customers' money. The protection system should therefore have special features that minimize the risk of its loss. One of the most notable is detection of bad sectors on the hard drive. The ability to pause and cancel the initial encryption of a disk, its decryption and its re-encryption is also very important: these are lengthy procedures, and any failure during them threatens the complete loss of all data.

The human factor has a very large impact on the risks of unauthorized access to confidential information, so it is desirable that the protection system provide a way to reduce this dependence. This is achieved by using reliable means of storing encryption keys: smart cards or USB tokens. Including such tokens in the product is optimal, since it not only optimizes costs but also ensures full compatibility of software and hardware.

Another important function that minimizes the influence of the human factor on the reliability of the protection system is a key quorum. Its essence is the division of the encryption key into several parts, each given to one responsible employee. Connecting a closed disk requires a specified number of parts, which may be less than the total number of parts of the key. This protects the data from misuse by responsible employees and also provides the flexibility the bank's work requires.
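The key quorum described above is a threshold scheme: the key is split into n parts and any k of them (k may be less than n) are enough to reassemble it, while k-1 parts reveal nothing about it. The article does not name a construction; the standard one is Shamir's secret sharing, shown below as an added Go example that is not code from the article or from any product it mentions. The key is treated as a number and hidden as the constant term of a random polynomial of degree k-1 over the prime field modulo 2^521-1 (a Mersenne prime, chosen here so that keys of up to 64 bytes fit); each employee receives one point on the polynomial, and any k points recover the constant term by Lagrange interpolation. The 32-byte key in main is constructed for the example.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// prime is the Mersenne prime 2^521-1; every secret must be smaller than it.
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 521), big.NewInt(1))

// Share is one employee's part of the key: the point (X, Y) on the polynomial.
type Share struct {
	X int64
	Y *big.Int
}

// Split hides secret as p(0) of a random polynomial of degree k-1 and
// returns the n points p(1)..p(n). Any k of them reconstruct the secret.
func Split(secret []byte, k, n int) ([]Share, error) {
	s := new(big.Int).SetBytes(secret)
	if k < 1 || k > n || s.Cmp(prime) >= 0 {
		return nil, fmt.Errorf("invalid threshold %d of %d or secret too large", k, n)
	}
	coef := make([]*big.Int, k) // coef[0] is the secret, the rest are random
	coef[0] = s
	for i := 1; i < k; i++ {
		c, err := rand.Int(rand.Reader, prime)
		if err != nil {
			return nil, err
		}
		coef[i] = c
	}
	shares := make([]Share, n)
	for i := range shares {
		x := big.NewInt(int64(i + 1))
		y := new(big.Int)
		for j := k - 1; j >= 0; j-- { // Horner evaluation modulo prime
			y.Mul(y, x)
			y.Add(y, coef[j])
			y.Mod(y, prime)
		}
		shares[i] = Share{X: int64(i + 1), Y: y}
	}
	return shares, nil
}

// Combine interpolates p(0) from the given shares. With fewer than k
// distinct shares the result is simply a wrong value, not an error.
func Combine(shares []Share, secretLen int) []byte {
	sum := new(big.Int)
	for i, si := range shares {
		num, den := big.NewInt(1), big.NewInt(1)
		for j, sj := range shares {
			if i == j {
				continue
			}
			num.Mul(num, big.NewInt(-sj.X))
			num.Mod(num, prime)
			den.Mul(den, big.NewInt(si.X-sj.X))
			den.Mod(den, prime)
		}
		term := new(big.Int).Mul(si.Y, num)
		term.Mul(term, new(big.Int).ModInverse(den, prime))
		sum.Add(sum, term)
		sum.Mod(sum, prime)
	}
	out := sum.Bytes()
	if len(out) >= secretLen {
		return out
	}
	// Bytes() drops leading zeros; restore the key's fixed length.
	return append(make([]byte, secretLen-len(out)), out...)
}

func main() {
	key := []byte("constructed 32-byte AES key!!!!!") // 32 bytes, constructed
	shares, err := Split(key, 3, 5) // five officers, any three can open the disk
	if err != nil {
		panic(err)
	}
	got := Combine([]Share{shares[0], shares[2], shares[4]}, len(key))
	fmt.Printf("3 of 5 shares: %q\n", got)
	bad := Combine(shares[:2], len(key))
	fmt.Printf("2 of 5 shares: %q (garbage)\n", bad)
}
```

In a product the shares would be written to the officers' smart cards or USB tokens and the reconstruction would happen inside the protection software's memory when the disk is mounted, after which the reassembled key is wiped. Note that Combine cannot tell a wrong share from a right one; a production scheme adds a verifiable commitment to the shares or a check value for the key.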

Backup protection

Regular backup of all information stored in the bank is an absolutely necessary measure. It significantly reduces losses in the event of problems such as data corruption by viruses, hardware failure, and so on, but at the same time it increases the risks associated with unauthorized access. Practice shows that the media holding backups should be stored not in the server room but in another room or even another building; otherwise, in the event of a fire or other serious incident, both the data and its archives may be irretrievably lost. The only way to reliably protect backups from unauthorized use is cryptography: keeping the encryption key to himself, the security officer can then safely hand media with archives to technical staff.

The main difficulty in organizing cryptographic protection of backups is the need to separate responsibilities for managing data archiving. The system administrator or another technical employee should configure and run the backup process itself, while encryption should be managed by a responsible employee, the security officer. It must also be understood that in the vast majority of cases backup runs automatically. This problem can only be solved by "embedding" a cryptographic protection system between the backup management system and the devices that record the data (streamers, DVD drives, etc.).

Thus, to be used in banks, cryptographic products must also be able to work with the various devices used to write backups to storage media: streamers, CD and DVD drives, removable hard drives, etc.
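Two passages above call for the same construction. The cryptographic transformation item in the first article described SSL as combining a public-key cryptosystem with a block cipher, and the backup section just above asks for encryption to be embedded in an automatic backup process so that the administrator who runs it never holds the key. Both are served by envelope encryption: a fresh symmetric key encrypts the data, and that key is wrapped with the security officer's public key, so the backup host holds only the public key and only the officer's private key can open the archive. Here it is as an added Go example (not code from the article or from any product it names) using RSA-OAEP for the wrap and AES-256-GCM, rather than the 3DES criticized below, for the bulk data; the tape label is bound to both layers as additional authenticated data, so an archive cannot be silently relabelled. The key size, tape identifier and sample backup stream are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is what goes to tape: the wrapped data key and the AES-GCM output.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(officer public key, data key)
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM ciphertext with the tag appended
}

// GenerateOfficerKey makes the security officer's key pair. Only the public
// half is ever installed on the backup host. 2048 bits is a constructed choice.
func GenerateOfficerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal runs on the backup host between the backup job and the tape drive:
// a random per-archive data key encrypts the stream, then the data key is
// wrapped with the officer's public key. label (e.g. the tape identifier)
// is authenticated by both layers.
func Seal(pub *rsa.PublicKey, plaintext, label []byte) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, label)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, label)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open runs on the officer's workstation: unwrap the data key with the
// private key, then decrypt and verify the archive. Any modification of
// the ciphertext, nonce, wrapped key or label makes this fail.
func Open(priv *rsa.PrivateKey, env *Envelope, label []byte) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, label)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, label)
	if err != nil {
		return nil, fmt.Errorf("archive rejected: %w", err)
	}
	return pt, nil
}

func main() {
	officer, err := GenerateOfficerKey()
	if err != nil {
		panic(err)
	}
	label := []byte("TAPE-0042")                                 // constructed tape id
	stream := []byte("constructed backup stream: accounts.db dump") // constructed
	env, err := Seal(&officer.PublicKey, stream, label)          // backup host: public key only
	if err != nil {
		panic(err)
	}
	pt, err := Open(officer, env, label) // officer's workstation
	fmt.Printf("restored: %q, err=%v\n", pt, err)
	env.Ciphertext[0] ^= 0x01 // one flipped bit on the tape
	_, err = Open(officer, env, label)
	fmt.Println("after tampering:", err)
}
```

A real tape stream is sealed in chunks with a counter in the nonce rather than as one buffer, and the officer's private key belongs on a smart card or in a certified crypto provider of the kind the article recommends, not on disk; the RSA and AES layers here would then be the algorithms that provider exposes. Losing the private key makes every archive unrecoverable, which is exactly the case the key quorum above is meant to cover.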

Today there are three types of products designed to minimize the risks of unauthorized access to backups. The first consists of special devices. Such hardware solutions have many advantages, including reliable encryption and high speed, but three significant drawbacks prevent their use in banks. First, very high cost (tens of thousands of dollars). Second, possible problems with import into Russia (these are, after all, cryptographic tools). Third, the inability to connect external certified crypto providers to them: these boards work only with the encryption algorithms implemented in their hardware.

The second group consists of backup encryption modules that developers of backup software and hardware offer to their customers. They exist for all the best-known products in this field: ArcServe, Veritas Backup Exec, etc. They too have their peculiarities. Most importantly, they work only with "their own" software or drive, while a bank's information system is constantly developing, so replacing or expanding the backup system may require additional spending to modify the protection system. In addition, most products in this group implement old, slow encryption algorithms (for example, 3DES), have no key management tools, and cannot connect external crypto providers.

All this forces us to pay close attention to the third group of cryptographic backup protection systems: specially designed software, firmware and hardware products that are not tied to particular data archiving systems. They support a wide range of recording devices, which allows them to be used throughout the bank, including all its branches, ensuring uniform means of protection and minimal operating costs.

It is worth noting, though, that despite all their advantages there are very few products of the third group on the market, most likely because demand for cryptographic backup protection is still low. As soon as the management of banks and other large organizations realizes how real the risks of archiving commercial information are, the number of players in this market will grow.

Insider Protection

Recent research in information security, such as the annual CSI/FBI Computer Crime and Security Survey, shows that companies' financial losses from most threats are decreasing year by year. Several risks, however, are producing growing losses. One of them is the deliberate theft of confidential information, or violation of the rules for handling it, by employees whose access to commercial data is necessary for their duties. They are called insiders.

In the vast majority of cases confidential information is stolen using removable media: CDs and DVDs, ZIP drives and, above all, USB drives of every kind. It was their mass distribution that led to the worldwide rise of insider leaks. The heads of most banks are well aware of what it means if, for example, a database of their clients' personal data or, worse, of the transactions on their accounts falls into the hands of criminal structures, and they try to fight possible theft of information with the organizational methods available to them.

Organizational methods, however, are ineffective here. Today information can be carried between computers on a miniature flash drive, a cell phone, an mp3 player, a digital camera... One can, of course, try to ban bringing all these devices into the office, but, first, this sours relations with employees and, second, really effective control over people is still very hard to establish: a bank is not a closed military facility. Even disabling every device on the computers that can write to external media (FDD and ZIP drives, CD and DVD drives, etc.) and all USB ports will not help, since the former are needed for work and various peripherals are connected to the latter: printers, scanners, etc. Nothing prevents a person from unplugging the printer for a minute, inserting a flash drive into the freed port and copying important information to it. One can, of course, find original ways of protection: in one bank, for example, they tried filling the junction of the USB port and the cable with epoxy resin, tightly "tying" the cable to the computer. Fortunately, there are more modern, reliable and flexible methods of control today.

The most effective tool for minimizing insider risks is special software that dynamically manages all the devices and computer ports that could be used to copy information. It works as follows: permissions to use the various ports and devices are set for each user group, or for each user individually. The greatest advantage of such software is flexibility: restrictions can be set for particular types of devices, their models, and individual instances, which allows very elaborate access policies to be implemented.

For example, some employees can be allowed to use any printers and scanners connected to USB ports, while all other devices inserted into those ports remain inaccessible. If the bank uses token-based user authentication, the settings can specify the key model in use; users are then allowed to use only the devices purchased by the company, and all others are useless to them.

The principle of operation described above shows what matters when choosing programs that dynamically block recording devices and computer ports. First, versatility: the protection system should cover the entire range of possible ports and input-output devices; otherwise the risk of theft of commercial information remains unacceptably high. Second, the software should be flexible and allow rules to be built from a wide range of device attributes: type, manufacturer and model, the unique serial number of each instance, etc. Third, the insider protection system should integrate with the bank's information system, in particular with Active Directory; otherwise the administrator or security officer will have to maintain two databases of users and computers, which is not only inconvenient but also increases the risk of errors.
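As an added example of the policy model described above (not code from the article or from any device-control product), here is a Go evaluator for port and device rules. A rule names a user group (or "*" for everyone) and any combination of device class, vendor, model and serial number; the most specific matching rule decides, and a device matched by no rule is denied. The rule set and the devices in main are constructed to reproduce the article's scenarios: printers and scanners on USB allowed for everyone, mass storage denied, one token model and one individually inventoried drive allowed, and a tape cartridge reader allowed only to backup operators. Vendor and model names are invented.

```go
package main

import "fmt"

// Device describes what was plugged in, as reported by the OS.
type Device struct {
	Class, Vendor, Model, Serial string
}

// Rule grants or denies a device pattern to one user group ("*" = everyone).
// An empty pattern field matches any value.
type Rule struct {
	Group                        string
	Class, Vendor, Model, Serial string
	Allow                        bool
}

// policy is a constructed rule set illustrating the article's scenarios.
var policy = []Rule{
	{Group: "*", Class: "printer", Allow: true},
	{Group: "*", Class: "scanner", Allow: true},
	{Group: "*", Class: "storage", Allow: false},                                  // flash drives, phones, players
	{Group: "*", Class: "token", Vendor: "ACME", Model: "KeyToken-2", Allow: true}, // the bank's own token model
	{Group: "*", Class: "storage", Serial: "SN-0001", Allow: true},                 // one inventoried drive
	{Group: "backup-operators", Class: "storage", Vendor: "ACME", Model: "TapeCart", Allow: true},
}

func matches(pattern, value string) bool { return pattern == "" || pattern == value }

func inGroups(group string, groups []string) bool {
	if group == "*" {
		return true
	}
	for _, g := range groups {
		if g == group {
			return true
		}
	}
	return false
}

// specificity counts the device fields a rule pins down; a rule for a
// named group also counts as more specific than an everyone rule.
func specificity(r Rule) int {
	n := 0
	for _, f := range []string{r.Class, r.Vendor, r.Model, r.Serial} {
		if f != "" {
			n++
		}
	}
	if r.Group != "*" {
		n++
	}
	return n
}

// Decide reports whether a user in the given groups may use the device.
// The most specific matching rule wins, ties go to the earlier rule, and
// a device matched by no rule is denied.
func Decide(rules []Rule, groups []string, d Device) bool {
	best, allow := -1, false
	for _, r := range rules {
		if !inGroups(r.Group, groups) || !matches(r.Class, d.Class) || !matches(r.Vendor, d.Vendor) ||
			!matches(r.Model, d.Model) || !matches(r.Serial, d.Serial) {
			continue
		}
		if s := specificity(r); s > best {
			best, allow = s, r.Allow
		}
	}
	return allow
}

func main() {
	teller := []string{"tellers"}
	backup := []string{"backup-operators"}
	cases := []struct {
		who []string
		dev Device
	}{
		{teller, Device{Class: "printer", Vendor: "ACME", Model: "LJ-1"}},
		{teller, Device{Class: "storage", Vendor: "Generic", Model: "Flash 8GB", Serial: "SN-9999"}},
		{teller, Device{Class: "storage", Vendor: "Generic", Model: "Flash 8GB", Serial: "SN-0001"}},
		{teller, Device{Class: "token", Vendor: "ACME", Model: "KeyToken-2", Serial: "T-17"}},
		{teller, Device{Class: "token", Vendor: "Other", Model: "X", Serial: "T-18"}},
		{teller, Device{Class: "storage", Vendor: "ACME", Model: "TapeCart", Serial: "TC-1"}},
		{backup, Device{Class: "storage", Vendor: "ACME", Model: "TapeCart", Serial: "TC-1"}},
	}
	for _, c := range cases {
		fmt.Printf("%-18v %-52v allow=%v\n", c.who, c.dev, Decide(policy, c.who, c.dev))
	}
}
```

The group list would come from Active Directory, as the article recommends, and the decision must be enforced in a kernel-mode driver at the moment the device enumerates, not in a user-mode agent the employee can stop. Class, vendor, model and serial are read from descriptors the device itself reports, so rules keyed on them stop the casual copying described above but not a deliberately programmed device that impersonates an approved one; instance-level allow rules should therefore be few and backed by inventory.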

Summing up

So, today there are products on the market with which any bank can build a reliable system for protecting information from unauthorized access and misuse. They must, however, be chosen very carefully, ideally by in-house experts of the appropriate level. Third-party services may be used, but then the bank may skillfully be sold not the software that suits it but the one that benefits the supplier; besides, the domestic information security consulting market is still in its infancy.

Making the right choice is nevertheless quite feasible: it is enough to apply the criteria listed above and study the market for protection systems carefully. One pitfall should be kept in mind. Ideally the bank's information security system should be unified, that is, all subsystems should be integrated into the existing information system and preferably share a common management console. Otherwise the labor cost of administering the protection rises, and with it the risk of management errors. For that reason it is better to build all three protection subsystems described here from products of one developer. There are companies in Russia today that produce everything needed to protect banking information from unauthorized access.

In banking, the confidentiality, storage and protection of information has been a problem from the very beginning. Data security plays an important role in the business of banking institutions, since competitors and criminals are always interested in such information and make every effort to obtain it. To avoid problems of this kind, a bank needs to learn to protect its data. For the protection of banking information to be effective, all possible channels of information leakage must be taken into account first of all, and that starts with personnel: carefully verify the data of candidates during hiring, including their biography and previous employment.

Information security of banking institutions

All information processed by banking and credit institutions is at risk: customer data as well as data on the bank's own operations, its databases, and so on. Such information is useful both to competitors and to individuals engaged in criminal activity, and their actions cause far greater damage to organizations of this kind than a virus infection of equipment or an operating system failure.

Protecting bank servers and local networks from intruders and from unauthorized access to the organization's materials is simply a necessity in today's highly competitive environment.

The information security of banking systems matters because it guarantees the confidentiality of data about the bank's customers. Daily backups, which organizations carry out, reduce the risk of complete loss of important information. Methods have also been developed to protect data against threats related to unauthorized access. A leak of such information can result from the work of agents specially placed in the organization as well as from long-serving employees who have decided to make money from the theft of the bank's information assets. Security is ensured by professionals and specialists who know their business.

Protection of customers is one of the most important factors affecting the reputation of the bank as a whole, and with it the organization's income, since only a good reputation lets a bank reach a high level of service and outperform its competitors.

Unauthorized access to information of banking systems

One of the most common ways of stealing banking information is through backups: removing data from storage media, or staging a break-in whose goal is not material assets but access to the information on the server. Since backups are usually stored at separate locations on tape, copies can be made while the tapes are being transported to their destination. That is why employees hired for such work are carefully screened through various government bodies for criminal records and past problems with the law, and the information they provided about themselves is verified. Tapes that leave the building should also be encrypted, so that a copy made in transit is useless without the key. The possibility of theft of banking information should not be underestimated: world practice is full of such cases.

For example, in 2005 databases of transactions (postings) of the Central Bank of the Russian Federation were put up for sale. It is possible that this information leaked out of the banking organization precisely because of insufficient security of its banking systems. Similar situations have happened more than once at world-famous companies in the United States, whose information security suffered greatly as a result.

Another channel through which information leaks from systems is bank employees eager to make money on it. Even though in most cases unauthorized access to the information of banking systems is made only in order to be able to work from home, such employees become the reason confidential information is disseminated, and their actions are a direct violation of the security policy of the bank's systems.

It should also be borne in mind that every bank has people with significant privileges for access to such data, usually the system administrators. On the one hand this is an operational necessity that lets them carry out their duties; on the other hand, they can use it for their own purposes, and they are able to cover their tracks professionally. Their actions should therefore be logged to systems they do not themselves administer.

Ways to reduce the risk of information leakage

Protection of banking information from unauthorized access usually includes at least three components, each of which ensures the bank's security in the area where it is applied: protection against physical access, backups, and protection against insiders.

Banks pay special attention to physical access and try to exclude unauthorized access altogether, but they also have to use special tools and methods for encrypting important information, so that a stolen or misplaced medium is useless without the key. Since banks have similar systems and tools for protecting data, cryptographic protection is the better choice: it preserves commercial information and reduces the risks of such situations. Information is best stored in encrypted form using the principle of transparent encryption, which lowers the cost of protecting information and removes the need to decrypt and re-encrypt data by hand.

Given that all the data in banking systems is in effect the clients' money, its safety deserves due attention. One precaution is to check the hard drive for bad sectors before the initial encryption, since a read error in the middle of the process can leave the volume in an inconsistent state. The ability to cancel or pause the process is important during initial encryption, decryption and re-encryption of a disk: such a procedure takes a long time, so any failure without a recorded resume point can lead to complete loss of information. The most reliable way to store encryption keys is on smart cards or USB tokens, so the key never lies on the disk it protects.
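As an added example, not code from the original article, here is the journaling idea behind the pause/cancel requirement above, in Python: initial encryption proceeds sector by sector, the journal records the last completed sector and any unreadable (bad) sectors, a paused run resumes without touching what is already done, and reads decrypt only what the journal says is encrypted. The in-memory Volume, the constructed key and the HMAC-SHA256 counter-mode keystream (standing in for AES-XTS, which the standard library does not provide) are assumptions of the example; a production tool would use the operating system's full-disk encryption or a vetted library, keep the journal and key off the volume being encrypted, and apply the same scheme to backup media that leaves the building.

```python
"""Resumable, sector-wise initial encryption of a disk image with a journal.

The journal records the last fully encrypted sector and any sectors skipped
because they could not be read, so a pause or crash resumes where it left off
instead of leaving the volume half-encrypted with no way to tell which half.
The keystream is HMAC-SHA256 in counter mode with the sector number as nonce;
it stands in for AES-XTS, which the standard library lacks.  Like XTS it gives
confidentiality only, not integrity.  All inputs below are constructed."""
import hashlib
import hmac

SECTOR = 512


def keystream(key, sector_no, length):
    """PRF-based keystream for one sector; (key, sector_no) must never repeat."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = sector_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class BadSector(IOError):
    pass


class Volume:
    """In-memory stand-in for a raw disk; `bad` lists sectors whose read fails."""

    def __init__(self, data, bad=()):
        self.data = bytearray(data)
        self.bad = set(bad)

    @property
    def sectors(self):
        return len(self.data) // SECTOR

    def read(self, n):
        if n in self.bad:
            raise BadSector(n)
        return bytes(self.data[n * SECTOR:(n + 1) * SECTOR])

    def write(self, n, buf):
        self.data[n * SECTOR:(n + 1) * SECTOR] = buf


class Journal:
    """Progress record; a real tool keeps it outside the area being encrypted."""

    def __init__(self):
        self.done = 0       # sectors [0, done) have been processed
        self.skipped = []   # sectors left in clear because they were unreadable


def encrypt_volume(vol, key, journal, stop_after=None):
    """Encrypt in place from journal.done onward; returns True when finished.

    stop_after simulates the operator pausing after that many sectors."""
    processed = 0
    while journal.done < vol.sectors:
        if stop_after is not None and processed >= stop_after:
            return False
        n = journal.done
        try:
            plain = vol.read(n)
        except BadSector:
            journal.skipped.append(n)  # record it and carry on, do not abort
        else:
            vol.write(n, xor_bytes(plain, keystream(key, n, SECTOR)))
        journal.done = n + 1           # advance only after the sector is written
        processed += 1
    return True


def read_sector(vol, key, journal, n):
    """Transparent read: decrypt only what the journal says is encrypted."""
    raw = vol.read(n)
    if n < journal.done and n not in journal.skipped:
        return xor_bytes(raw, keystream(key, n, SECTOR))
    return raw


def run_demo():
    """Pause after 3 of 8 sectors, resume, then read every sector back."""
    original = bytes(range(256)) * (8 * SECTOR // 256)
    vol = Volume(original, bad={5})
    # Constructed key; in production it is unsealed from a smart card or USB
    # token and never written to the disk it protects.
    key = hashlib.sha256(b"example key material from token").digest()
    journal = Journal()
    finished_first = encrypt_volume(vol, key, journal, stop_after=3)
    done_at_pause = journal.done
    finished_second = encrypt_volume(vol, key, journal)
    readback_ok = all(
        read_sector(vol, key, journal, n) == original[n * SECTOR:(n + 1) * SECTOR]
        for n in range(vol.sectors) if n not in vol.bad
    )
    changed = sum(
        vol.data[n * SECTOR:(n + 1) * SECTOR] != original[n * SECTOR:(n + 1) * SECTOR]
        for n in range(vol.sectors)
    )
    return {
        "paused": not finished_first,
        "done_at_pause": done_at_pause,
        "finished": finished_second,
        "readback_ok": readback_ok,
        "skipped": list(journal.skipped),
        "sectors_changed": changed,
    }


if __name__ == "__main__":
    print(run_demo())
```

Running the file shows the run stopping after three sectors, resuming to completion, leaving the one unreadable sector in clear but recorded in the journal, and every readable sector decrypting back to its original contents. The point of advancing `journal.done` only after a sector's write has completed is that a crash between the read and the write leaves that sector to be redone, never silently double-encrypted or left half-done.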

Protection of information systems is more effective when backups are not limited to tape drives but also use removable hard drives, DVD media, and so on. Using several means of protection against physical access to information sources together increases the chances that it remains safe and out of reach of competitors and intruders.

Methods for protecting information systems from insiders

Information is stolen mostly with the help of removable media: USB devices of various kinds, disk drives, memory cards and other portable devices. One sound decision is therefore to ban the use of such devices in the workplace: everything that is needed is kept on servers, and where information is transmitted to and from in the banking environment is carefully monitored. In exceptional cases only media purchased by the company are permitted, and restrictions can be set so that the computer does not recognize third-party media and memory cards at all.
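The device-control policies described in this article (permissions per group, restrictions by device type, model and individual instance, tokens limited to the bank's own model, and company-issued media only, with anything unrecognised blocked) can be expressed as a small rule evaluator. The following Python is an added example, not code from the article or from any product: the hardware-id format follows the Windows USB\VID_xxxx&PID_yyyy\serial convention, but every vendor/product id, serial number, group name and the policy itself are constructed for the example, and the user's group membership, which a real deployment would fetch from Active Directory, is passed in as a set.

```python
"""Device-control policy evaluation for removable devices.

Rules are written against a device's class, its model (USB vendor/product id)
or one physical instance (serial number); the most specific matching rule
wins, and with no match the device is denied.  Group membership would come
from Active Directory in a real deployment; here it is passed in as a set.
All ids, names and the policy below are constructed for this example."""
import re
from dataclasses import dataclass

# Windows-style USB hardware id: USB\VID_xxxx&PID_yyyy\serial (real format).
HWID_RE = re.compile(r"^USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})\\(.+)$")

SPECIFICITY = {"class": 1, "model": 2, "instance": 3}


@dataclass(frozen=True)
class Device:
    hwid: str
    dev_class: str  # e.g. "Printer", "MassStorage", "SmartCardReader"

    def ids(self):
        """Return (vid, pid, serial); raise ValueError if the id is unparseable."""
        m = HWID_RE.match(self.hwid)
        if not m:
            raise ValueError(f"unrecognised hardware id: {self.hwid}")
        vid, pid, serial = m.groups()
        return vid.upper(), pid.upper(), serial


@dataclass(frozen=True)
class Rule:
    group: str    # directory group the rule applies to, "*" for everyone
    scope: str    # "class", "model" or "instance"
    target: str   # class name, "VID:PID", or serial number
    allow: bool


def rule_matches(rule, device):
    vid, pid, serial = device.ids()
    if rule.scope == "class":
        return rule.target.lower() == device.dev_class.lower()
    if rule.scope == "model":
        return rule.target.upper() == f"{vid}:{pid}"
    if rule.scope == "instance":
        return rule.target == serial
    raise ValueError(f"unknown rule scope: {rule.scope}")


def decide(user_groups, device, rules):
    """True if the user may use the device.

    The most specific matching rule wins (instance > model > class); among
    equally specific rules a deny beats an allow; unparseable ids and devices
    with no matching rule are denied (fail closed)."""
    try:
        device.ids()
    except ValueError:
        return False
    best = None
    for rule in rules:
        if rule.group != "*" and rule.group not in user_groups:
            continue
        if not rule_matches(rule, device):
            continue
        rank = (SPECIFICITY[rule.scope], not rule.allow)  # deny ranks above allow
        if best is None or rank > best[0]:
            best = (rank, rule)
    return best[1].allow if best else False


# Constructed policy in the spirit of the text: printers and scanners for all,
# mass storage denied by default, the bank's own token model allowed (assumed
# VID:PID), and one bank-issued flash drive allowed for the treasury group only.
POLICY = [
    Rule("*", "class", "Printer", True),
    Rule("*", "class", "Scanner", True),
    Rule("*", "class", "MassStorage", False),
    Rule("*", "model", "1234:5678", True),
    Rule("CN=Treasury", "instance", "BANK-ISSUED-0001", True),
]


def evaluate_examples(rules=POLICY):
    """Apply the policy to constructed devices for a teller and a treasury user."""
    printer = Device(r"USB\VID_04B8&PID_0005\PRN-01", "Printer")
    personal = Device(r"USB\VID_0781&PID_5583\PERSONAL-01", "MassStorage")
    issued = Device(r"USB\VID_0781&PID_5583\BANK-ISSUED-0001", "MassStorage")
    bank_token = Device(r"USB\VID_1234&PID_5678\TOKEN-42", "SmartCardReader")
    other_token = Device(r"USB\VID_ABCD&PID_0001\TOKEN-99", "SmartCardReader")
    odd = Device("PCI\\VEN_8086&DEV_1234", "MassStorage")  # not a USB id at all
    teller, treasury = {"CN=Tellers"}, {"CN=Treasury"}
    return {
        "teller_printer": decide(teller, printer, rules),
        "teller_personal_stick": decide(teller, personal, rules),
        "teller_issued_stick": decide(teller, issued, rules),
        "treasury_issued_stick": decide(treasury, issued, rules),
        "teller_bank_token": decide(teller, bank_token, rules),
        "teller_other_token": decide(teller, other_token, rules),
        "teller_unparseable": decide(teller, odd, rules),
    }


if __name__ == "__main__":
    for name, allowed in evaluate_examples().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'DENY'}")
```

Running the file prints the decision for each constructed device. The behaviours worth noting are that the bank-issued flash drive is allowed for the treasury group only, because its instance rule outranks the class-wide deny on mass storage; that a token of any model other than the bank's own is unusable even though no rule mentions its class; and that a device whose id cannot be parsed is denied rather than left to chance.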

Information protection is one of the most important tasks of a banking organization and is necessary for its effective functioning. The modern market offers ample means of carrying out these plans, and blocking computers and ports is an essential condition for making systems more reliable.

It should not be forgotten that those who steal data are also familiar with the systems that protect commercial information and can bypass them with the help of specialists. To prevent such risks it is necessary to work constantly on improving security and to use improved protection systems.