Where does the information security of a bank begin? Information security in a bank (IB in banks)

Any documented information, misuse of which may cause damage to the Bank and/or the client who entrusted his information to the Bank, is subject to protection.

Such information includes:

1. All operations on the personal accounts of budget allocation managers.

2. Deadlines for the receipt of wages by institutions and organizations (under "salary" agreements).

3. Plans of control and revision work.

4. Acts of external and internal audits.

5. Information about the amounts received from a specific payer.

6. Correspondence with law enforcement agencies.

7. Information of an official nature, discussed during meetings held by managers.

8. Information constituting a commercial secret of enterprises, firms, banks and other economic entities.

9. Data about the software used to process the "operational day".

10. Scheme of the movement of documents of the "operational day".

11. The structure of the automated systems (AS), the procedure for administering the AS and the information resources to be protected, lists of passwords and names of active equipment.

12. Description of information flows, topology of the telecommunications, layouts of AS elements.

13. Information security system.

14. Information about organizational and technical measures to protect information.

15. Staffing and number of bank employees.

16. Personal data about employees.

17. Information from the personal file of the employee, work book, card F. No. T-2.

18. Information about the income of a citizen and property belonging to him by right of ownership, data on wages and other payments to employees.

19. Materials of investigations on applications of citizens and violations of labor discipline.

20. Other information relating to the activities of the bank, the restrictions on the dissemination of which are dictated by business necessity.

AS resources include data, information, software, hardware, facilities and telecommunications.

The information protection regime is established:

  • for information containing state secrets - by the bank's information security department in accordance with the Law of the Russian Federation "On State Secrets";
  • for confidential documented information - by the owner of the information resources on the basis of the Federal Law "On Information, Informatization and Information Protection";

1.4.2. Possible threats to protected information resources

The identified threats include:

1. Unauthorized access.

2. Intentional and unintentional failures in the operation of computer equipment, electrical equipment, etc., leading to the loss or distortion of information.

3. Interception, distortion or change of information transmitted through communication channels.

4. Illegal access to information.

1.4.3. Protection of information resources

Prevention of possible threats to protected information resources is carried out by:

1. From unauthorized access - by creating a system for protecting information from unauthorized access, which is a complex of software, hardware and organizational solutions.

Organizational decisions include:

· ensuring the protection of the facility where the protected AS is located, in order to prevent theft of computer equipment (SVT) and information media, as well as unauthorized access to computer equipment and communication lines;

· selection of the AS security class in accordance with the characteristics of information processing and the level of its confidentiality;

· organization of accounting, storage and issuance of information media, passwords and keys, maintenance of official documentation, acceptance of new software included in the AS, and monitoring of the technological process of processing confidential information;

· development of the appropriate organizational and administrative documentation.

Connection to global computer networks is made only after the actual need for such a connection has been established and the full range of protective measures has been implemented.

2. From intentional and unintentional failures in the operation of computer equipment, electrical equipment, etc., leading to loss or distortion of information.

The software necessary for the functioning of the information and telecommunication systems is drawn up as a list, which must be approved for use by the head of the organization.

Installation of any programs on workplaces is carried out only by IT specialists. Self-installation of software is strictly prohibited.

To protect confidential information from distortion or destruction in the event of computer or equipment failures, the protected information is backed up and uninterruptible power supplies are used. The frequency and procedure of backups are determined by the LAN administrator, based on the need to preserve the information and the database software.

3. Interception, distortion or change of information transmitted through communication channels.

Transfer of confidential information marked "For official use" through open communication channels using e-mail, facsimile and any other types of communication without the use of encryption is prohibited.

E-mail is used for the bank's document exchange with other organizations. After the working day, the rooms housing the switching equipment are sealed and their doors locked; access by unauthorized persons without the accompaniment of a responsible person is prohibited. (Unauthorized persons here also include bank employees whose functional duties are not related to the operation of this equipment.)

Responsible persons regularly carry out visual control of all telecommunications in order to identify or timely prevent attempts to connect special devices for reading information.

4. Illegal access to information.

In order to prevent illegal access to information, access to premises where information subject to protection is processed should be limited.

When organizing his workplace, the employee arranges the display screen in such a way as to make it difficult for unauthorized persons to view the information displayed on the screen.

When leaving their workplace for any reason, the employee must log off the network or lock the monitor screen.

1.4.4. Virus Protection

What should anti-virus protection look like?

In general, anti-virus protection of a banking information system should be built according to a hierarchical principle:

  • corporate level services - 1st level of the hierarchy;
  • services of subdivisions or branches - the 2nd level of the hierarchy;
  • end user services - 3rd level of the hierarchy.

Services of all levels are combined into a single computer network (form a single infrastructure) through a local area network.

The company-wide services must operate continuously.

Management of all levels should be carried out by special personnel, for which centralized administration tools should be provided.

The anti-virus system should provide the following types of services.

At the corporate level:

  • receiving software updates and anti-virus databases;
  • managing the distribution of anti-virus software;
  • managing anti-virus database updates;
  • control over the operation of the system as a whole (receiving warnings about the detection of a virus, regular receipt of comprehensive reports on the operation of the system as a whole).

At the department level:

  • updating anti-virus databases of end users;
  • updating end-user anti-virus software, managing local user groups.

At the end-user level:

  • automatic anti-virus protection of user data.

Functional requirements

  • Remote control. The ability to manage the entire system from one workstation (for example, from the administrator's workstation).
  • Logging. Keeping work logs in a convenient customizable form.
  • Alerts. The protection system should be able to send notifications about occurring events.
  • System performance. It is necessary to regulate the level of load imposed by the anti-virus protection.
  • Protection against various types of viruses. It is necessary to ensure the possibility of detecting viruses in executable files, document macros. In addition, mechanisms for detecting viruses unknown to the software should be provided.
  • Permanent protection of workstations. Workstations must run software that checks files when they are opened and written to disk.
  • Automatic update of the anti-virus database. It should be possible to automatically receive updates to the anti-virus database and update the anti-virus database on clients.

General requirements

The software and hardware components of the anti-virus protection system must form an integrated computing environment that meets the following general principles for creating automated systems:

  • Reliability - the system as a whole must be able to continue to function regardless of the functioning of its individual nodes and must have the means to recover from failure.
  • Scalability - the anti-virus protection system should be formed taking into account the growth in the number of protected objects.
  • Openness - the system should be formed taking into account the possibility of extending and updating its functions and composition without disrupting the functioning of the computing environment as a whole.
  • Compatibility - support by the anti-virus software of the maximum possible number of network resources. The structure and functional features of the components should provide means of interaction with other systems.
  • Uniformity (homogeneity) - components should be standard, industrial systems and tools that have a wide scope and are proven by repeated use.

In addition, the system must provide regular updates of the anti-virus database used and contain mechanisms for detecting previously unknown viruses and macro viruses, as the most common and dangerous at present.

Requirements for the reliability and functioning of the system

  • The anti-virus protection system should not violate the logic of other applications used.
  • The system must provide the ability to return to the previous version of anti-virus databases.
  • The system must operate in the operating mode of the object (workstation/server) on which it is installed.
  • The system must provide notification to the system administrator in case of failures or detection of viruses.

1. At the first level, the connection to the Internet or to the communication service provider's network is protected by firewalls and mail gateways, since according to statistics about 80% of viruses enter from there. It should be noted that no more than 30% of viruses will be detected in this way, since the remaining 70% are detected only during execution.

The use of antiviruses for firewalls today is reduced to filtering Internet access while simultaneously checking passing traffic for viruses.

The anti-virus scanning performed by such products is very slow and has an extremely low level of detection, therefore, in the absence of the need to filter the websites visited by users, the use of such products is not advisable.

2. Next, file servers, database servers and the servers of collaboration systems are protected, since they contain the most important information. Antivirus is not a substitute for backup tools, but without it you may encounter a situation where the backups themselves are infected and the virus becomes active six months after infection.

3. Finally, workstations are protected; although they do not contain important information, their protection can greatly reduce disaster recovery time.

In fact, all components of the banking information system involved in transporting and/or storing information are subject to anti-virus protection:

Ø File servers;

Ø Workstations;

Ø Workstations of mobile users;

Ø Backup server;

Ø E-mail server.

Protection of workplaces (including those of mobile users) should be provided by anti-virus tools and workstation firewalls.

Network shielding tools are designed primarily to protect mobile users when working over the Internet, as well as to protect company LAN workstations from internal security policy violators.

Main features of firewalls for workstations:

  • control of connections in both directions;
  • allowing known applications to access the Internet without user intervention (autoconfiguration);
  • a per-application configuration wizard (only installed applications can show network activity);
  • making the PC invisible on the Internet (hiding ports);
  • preventing known hacker attacks and Trojan horses;
  • notifying the user of hacking attempts;
  • writing connection information to a log file;
  • preventing data defined as sensitive from being sent without prior notice;
  • preventing servers from receiving information without the user's knowledge (cookies).

Anti-virus protection of information systems is the most important and permanent function of the general economic security system of the bank. In this case, temporary relaxations and deviations from the standards are unacceptable. Regardless of the anti-virus protection solutions that already exist in the bank, it is always useful to conduct an additional audit and evaluate the system through the eyes of an independent and competent expert.

Since their inception, banks have consistently aroused the interest of the criminal world. This interest was associated not only with the storage of funds in credit institutions, but also with the fact that banks concentrate important and often secret information about the financial and economic activities of many people, companies, organizations and even entire states. Currently, banking secrecy is protected by law along with state secrets.

With the general informatization and computerization of banking activities, the importance of the information security of banks has increased many times over. Even 30 years ago, the object of information attacks was data on bank customers or on the activities of the bank itself. Such attacks were rare, the circle of those commissioning them was very narrow, and the damage could be significant only in special cases. Now, as a result of the widespread use of electronic payments, plastic cards and computer networks, the money of both banks and their customers has become the object of information attacks. Anyone can attempt theft - all you need is a computer connected to the Internet. Moreover, this does not require physically entering the bank; you can "work" thousands of kilometers away from it.

The services provided by banks today are largely based on the use of electronic means of interaction between banks, banks and their customers and trading partners. At present, access to banking services has become possible from various remote points, including home terminals and office computers. This fact makes us move away from the concept of "locked doors" that was typical for banks in the 1960s, when computers were used in most cases in batch mode as an auxiliary tool and had no connection with the outside world.

Computer systems, which no modern bank can do without, are a source of completely new, previously unknown threats. Most of them are due to the use of new information technologies in banking and are typical not only for banks.

The level of equipment with automation tools plays an important role in the bank's activities and, therefore, directly affects its position and income. Increasing competition between banks leads to the need to reduce the time for making settlements, increase the range and improve the quality of services provided.

The less time settlements between the bank and its customers take, the higher the bank's turnover and, consequently, its profit. In addition, the bank will be able to respond more quickly to changes in the financial situation. A variety of bank services (first of all, the possibility of non-cash payments between the bank and its customers using plastic cards) can significantly increase the number of its customers and, as a result, its profit. At the same time, the bank's core banking system (ABS) becomes one of the most vulnerable places in the entire organization, attracting attackers both from outside and from among the bank's own employees. To protect themselves and their customers, most banks take the necessary protection measures, among which ABS protection occupies one of the most important places. Protecting a bank's core banking system is an expensive and complex undertaking; it requires not only significant one-time investments but also ongoing costs to keep the protection system at the proper level. On average, banks currently spend more than $20 million annually to maintain a sufficient level of protection.

The information security strategy of banks is very different from similar strategies of other companies and organizations. This is primarily due to the specific nature of the threats, as well as the public activities of banks, which are forced to make access to accounts easy enough for the purpose of convenience for customers.

An ordinary company builds its information security based only on a narrow range of potential threats - mainly the protection of information from competitors (in Russian realities, the main task is to protect information from tax authorities and the criminal community in order to reduce the likelihood of an uncontrolled increase in tax payments and racketeering). Such information is of interest only to a narrow circle of interested persons and organizations and is rarely liquid, that is, convertible into money.

7.2. Bank information security requirements

The information security of the bank should take into account the following specific factors:

  1. Information stored and processed in banking systems is real money. Based on computer information, payments can be made, loans can be opened, and significant amounts can be transferred. It is quite clear that illegal manipulation of such information can lead to serious losses. This feature dramatically expands the circle of criminals who encroach on banks specifically (unlike, for example, industrial companies, whose inside information is of little interest to anyone).
  2. Information in banking systems affects the interests of a large number of people and organizations - bank customers. As a rule, it is confidential, and the bank is responsible for providing the required degree of secrecy to its customers. Naturally, customers have the right to expect that the bank should take care of their interests, otherwise it risks its reputation with all the ensuing consequences.
  3. The competitiveness of a bank depends on how comfortable it is for the client to work with the bank, as well as how wide the range of services provided, including services related to remote access. Therefore, the client should be able to manage his money quickly and without tedious procedures. But this ease of access to money increases the likelihood of criminal intrusion into banking systems.
  4. The information security of a bank (unlike most companies) must ensure high reliability of computer systems even in case of emergency situations, since the bank is responsible not only for its own funds, but also for the money of customers.
  5. The bank stores important information about its customers, which expands the circle of potential intruders interested in stealing or damaging such information.

Crimes in the banking sector also have their own characteristics:

  • Many crimes committed in the financial sector remain unknown to the general public due to the fact that bank managers do not want to alarm their shareholders, they are afraid of exposing their organization to new attacks, they are afraid of damaging their reputation as a reliable store of funds and, as a result, losing customers.
  • As a rule, attackers use their own accounts to which the stolen amounts are transferred. Most criminals do not know how to launder stolen money. The ability to commit a crime and the ability to get money are not the same thing.
  • Most computer crimes are petty. The damage from them lies in the range from $10,000 to $50,000.
  • Successful computer crimes typically require a large number of bank transactions (up to several hundred). However, large amounts can be transferred in just a few transactions.
  • Most of the attackers are low-level bank employees, clerks. Although senior bank personnel can also commit crimes and cause much more damage to the bank, such cases are rare.
  • Computer crimes are not always high-tech. It is enough to falsify data, change the parameters of the ABS environment, etc., and these actions are also available to the maintenance personnel.
  • Many attackers explain their actions by the fact that they just borrow from the bank with a subsequent return. However, "return", as a rule, does not occur.

The specifics of the protection of automated information processing systems of banks (ABS) is due to the peculiarities of the tasks they solve:

  • ABS processes a large stream of constantly incoming requests in real time, each of which does not require many resources to process, but together they can only be processed by a high-performance system.
  • The ABS stores and processes confidential information not intended for the general public. Its forgery or leakage can lead to serious consequences (for the bank or its customers). Therefore, ABSs are bound to remain relatively closed, running specific software and paying great attention to ensuring their security.
  • Another feature of the ABS is the increased requirements for the reliability of hardware and software. Therefore, most modern ABSs are built on a fault-tolerant computer network architecture that allows continuous processing of information even in the face of various failures and malfunctions.

There are two types of problems solved by ABS:

  1. Analytical. This type includes tasks of planning, analysis of accounts, etc. They are not operational and may take a long time to solve, and their results may affect the policy of the bank in relation to a particular client or project. Therefore, the subsystem by which analytical tasks are solved must be reliably isolated from the main information processing system and, in addition, in view of the possible value of the results, their protection must be constant.
  2. Operational. This type includes tasks that are solved in daily activities, primarily making payments and adjusting accounts. It is they who determine the size and power of the main system of the bank; their solution usually requires much more resources than analytical tasks. At the same time, the value of information processed in solving such problems is temporary. Gradually, the value of information, for example, about the execution of a payment, becomes irrelevant. Naturally, this depends on many factors, such as: the amount and time of payment, account number, additional characteristics, etc. Therefore, it is usually enough to protect the payment at the time of its execution. At the same time, the protection of the processing process itself and the final results must be constant.

7.3. Information security methods in automated data processing systems

The protection of information in information systems (IS) is understood as the systematic use of means and methods, the adoption of measures and the carrying out of activities in order to ensure the required reliability of stored and processed information. Reliability of information is an integral indicator that characterizes the quality of information in terms of physical integrity (no distortion or destruction of information elements), trust in the information (confidence that it has not been substituted) and security (the absence of unauthorized receipt and copying).

Components of integral information security:

  • organizational security measures;
  • physical security measures: security and protection of buildings, premises, computers, transported documents, etc.
  • hardware security: ensuring the reliable operation of computers and network equipment;
  • ensuring the security of communication channels: protection of communication channels from external influences;
  • ensuring the security of software: protection against viruses, hackers, and malware that steals confidential information.

It is known that 80% of crimes related to theft, damage or distortion of information are committed with the participation of company employees. Therefore, the most important task of the management, the personnel department and the security service is the careful selection of employees, the distribution of powers and the construction of a system of access to information elements, as well as the control of discipline and behavior of employees, the creation of a good moral climate in the team.

Organizational means of information protection are special organizational, technical and organizational-legal measures, carried out in the process of creating and operating the system, aimed at ensuring the protection of information.

Legislative means of protecting information are defined as legislative acts that regulate the procedure for using and processing information, restricting access, and which establish liability and sanctions for violation of these rules.

Technical means are divided into physical (locks, bars, alarm systems, etc.) and hardware (locks, interlocks, alarms and other devices used directly on computer equipment and data transmission facilities). Software information protection means are special information protection tools built into the system software and operating independently or in combination with other means of protecting information in the system.

Software information security tools:

  1. Programs for identifying users and defining their privileges.
  2. Programs for identifying terminals.
  3. Programs for protecting files.
  4. Programs for protecting the OS, the computer and user programs.
  5. Auxiliary programs for various purposes.

Cryptographic means of information protection are methods of special encoding, encryption or other transformation of information, as a result of which its content becomes inaccessible without presenting some special information and performing the reverse transformation. The use of cryptographic methods has become especially relevant at present in connection with the transmission of large amounts of state, military, commercial and private information over the open Internet. Given the high cost of damage from the loss, disclosure and distortion of information stored in databases and transmitted over local networks, it is recommended to store and transmit information in encrypted form in modern IS.

A cryptographic system is a family of algorithms for converting plaintext into ciphertext.

An alphabet is a finite set of signs used to encode information. The following are examples of alphabets used in modern information systems:

  • alphabet Z33 - the 32 letters of the Russian alphabet and a space;
  • alphabet Z256 - the characters included in the standard ASCII codes;
  • binary alphabet - Z2 = {0, 1}.

Encryption transforms the plaintext T, using the key K, into the ciphertext t. A key is a replaceable element of the cipher that is used to encrypt a particular message. Encryption also uses the concept of a "cipher gamma" (keystream): a pseudo-random numerical sequence generated by a given algorithm, which is combined with open data to encrypt it and with ciphertext to decrypt it.

According to the way the key is used, known cryptosystems can be divided into two types: symmetric (single-key, secret-key) and asymmetric (public-key).

In the first case, the sender's encryptor and the recipient's decryptor use the same key. The encryptor forms a cryptogram that is a function of the plaintext; the specific encryption function is selected by the secret key. The recipient's decryptor performs the inverse transformation in the same way. The secret key is kept secret and is delivered by the sender to the recipient over a secure channel, which rules out interception of the key by an adversary's cryptanalyst.

Encryption is carried out by methods of substitution and permutation. The simplest, yet unbreakable, cipher replaces the characters of the text with random characters or numbers. In this case the key must be as long as the text, which is inconvenient for large amounts of information. The key is used once and then destroyed, which is why this method is called the "one-time pad" (tear-off pad) cipher.

In practice, encryption is performed on binary code using short keys: in the international DES standard (Data Encryption Standard), which works with data blocks of 64 bytes (1998), and in GOST 28147-89 with 256 bytes, which provides significantly greater cryptographic strength. From the short key, the computer generates a long gamma using one of several algorithms set out in the DES or GOST encryption standards. The gamma-generation algorithms are based on a series of substitutions and shifts, possibly with feedback from the ciphertext. The encryption algorithms are not secret; only the keys are. To distribute keys over public networks the following scheme is used: first-level keys are delivered by courier; second-level keys, encrypted under them, are transmitted over the network and used to encrypt documents.
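The one-time pad and the "gamma" idea from the preceding paragraphs, as an added illustration (not code from the page): a true one-time pad whose random gamma is as long as the text and used once, a long gamma expanded from a short key (an HMAC-SHA256 counter construction is assumed here as a stand-in for the DES/GOST gamma algorithms), and what an observer sees when the same gamma covers two messages, which is why the key must be destroyed after use.

```python
"""Gamma (keystream) encryption over the binary alphabet Z2 = {0, 1}."""
import hashlib
import hmac
import secrets


def xor_bytes(text: bytes, gamma: bytes) -> bytes:
    """Bitwise XOR; the gamma must be exactly as long as the text."""
    if len(text) != len(gamma):
        raise ValueError("gamma must be exactly as long as the text")
    return bytes(t ^ g for t, g in zip(text, gamma))


# --- One-time pad: key K is random, as long as T, and destroyed after use ---

def otp_keygen(length: int) -> bytes:
    return secrets.token_bytes(length)


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    return xor_bytes(plaintext, key)


def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    return xor_bytes(ciphertext, key)  # XOR is its own inverse


# --- Short key expanded into a long gamma (stand-in for the DES/GOST modes) ---

def expand_gamma(short_key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` gamma bytes from a short key and a per-message nonce.
    Each block is HMAC(key, nonce || counter); a fresh nonce per message
    gives a fresh gamma even though the short key itself is reused."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(short_key, nonce + counter.to_bytes(8, "big"),
                         hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def gamma_encrypt(plaintext: bytes, short_key: bytes, nonce: bytes) -> bytes:
    return xor_bytes(plaintext, expand_gamma(short_key, nonce, len(plaintext)))


def gamma_decrypt(ciphertext: bytes, short_key: bytes, nonce: bytes) -> bytes:
    return xor_bytes(ciphertext, expand_gamma(short_key, nonce, len(ciphertext)))


# --- Why the gamma must never be reused ---

def reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """If two messages were covered by the same gamma, the gamma cancels out:
    ct1 XOR ct2 == pt1 XOR pt2, so an observer learns the relation between
    the plaintexts without knowing any key. Reuse is the condition to forbid."""
    n = min(len(ct1), len(ct2))
    return xor_bytes(ct1[:n], ct2[:n])


if __name__ == "__main__":
    # Constructed sample messages
    pt1 = b"TRANSFER 1000 TO ACCOUNT 01"
    pt2 = b"TRANSFER 9000 TO ACCOUNT 02"
    pad = otp_keygen(len(pt1))
    assert otp_decrypt(otp_encrypt(pt1, pad), pad) == pt1

    short_key = secrets.token_bytes(32)
    nonce_a, nonce_b = secrets.token_bytes(8), secrets.token_bytes(8)
    c1 = gamma_encrypt(pt1, short_key, nonce_a)
    c2 = gamma_encrypt(pt2, short_key, nonce_b)
    assert gamma_decrypt(c1, short_key, nonce_a) == pt1
    assert gamma_decrypt(c2, short_key, nonce_b) == pt2
    # Reused nonce => reused gamma => the plaintext relation leaks
    c2_bad = gamma_encrypt(pt2, short_key, nonce_a)
    print(reuse_leak(c1, c2_bad) == xor_bytes(pt1, pt2))  # True
```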

Most modern encryption systems use asymmetric algorithms with public and private keys, where the problem of secure key transport does not arise. These include the RSA algorithm, named after its developers (Rivest-Shamir-Adleman: Ronald Rivest, Adi Shamir and Leonard Adleman, 1977), which is based on the difficulty of factoring large numbers.

In asymmetric cryptosystems (public-key cryptosystems), the encryption and decryption algorithms use different keys, neither of which can be derived from the other at an acceptable cost in time and other resources. One key, the public key, is used to encrypt information; the other, the secret key, is used to decrypt it, so only the intended recipient can read the message, for example the head of a company receiving messages from his many agents.

Electronic signature systems are also based on asymmetric encryption, but here the secret key is held by the sender of the messages, while the public key, derived from the secret key by a mathematical transformation, is held by many. The public key may be transmitted along with the message. In this case it is not the message itself that is encrypted but its hash value, obtained from the message by a certain algorithm and occupying only a few bytes. Changing even one bit of the message text leads to a significant change in the hash value. The recipient decrypts the encrypted hash value transmitted with the message, computes the hash value of the received message using the known algorithm, and compares the decrypted and recomputed values. Their coincidence guarantees the integrity of the received document, i.e. the absence of distortions in it. The recipient cannot alter the received document, because he cannot encrypt a new hash value without the secret key. Therefore, an electronic signature has the same legal effect as an ordinary signature and seal on paper. Secret and public keys, programs and equipment for electronic signature systems are supplied by companies licensed by the FSB, which, if necessary, can submit copies of the keys to a court.
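The sign-the-hash scheme described above, as an added illustration (not the page's or any vendor's code): a textbook RSA signature over a SHA-256 hash value, with two fixed primes assumed here purely to keep the numbers readable. It shows that a one-bit change in the document breaks verification and that only the holder of the secret key can produce a signature that verifies.

```python
"""Textbook RSA electronic signature over a message hash (toy parameters)."""
import hashlib

# Constructed toy parameters: two fixed primes and the usual public exponent.
# Real systems use primes of hundreds of digits; these just keep the
# arithmetic easy to follow.
P = 1000000007
Q = 998244353
E = 65537


def make_keypair(p: int = P, q: int = Q, e: int = E):
    """Return (public_key, secret_key) = ((e, n), (d, n)).
    The public key is derived from the secret material (p, q); recovering d
    from (e, n) would require factoring n."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def message_digest(message: bytes, n: int) -> int:
    """Hash value of the message, reduced into the signing group.
    Flipping a single bit of the message gives an unrelated digest."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return h % n


def sign(message: bytes, secret_key) -> int:
    """Sender: encrypt the hash value with the secret key."""
    d, n = secret_key
    return pow(message_digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Recipient: decrypt the transmitted hash value with the public key and
    compare it with the hash value recomputed from the received message."""
    e, n = public_key
    recovered = pow(signature, e, n)
    return recovered == message_digest(message, n)


def flip_bit(data: bytes, index: int = 0) -> bytes:
    """Alter one bit of a document, to show that its signature stops verifying."""
    altered = bytearray(data)
    altered[index] ^= 0x01
    return bytes(altered)


if __name__ == "__main__":
    public_key, secret_key = make_keypair()
    document = b"Payment order: transfer 1000 to account 12345"  # constructed
    signature = sign(document, secret_key)
    print(verify(document, signature, public_key))            # True
    print(verify(flip_bit(document), signature, public_key))  # False
```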

There are two main ways to protect: software and hardware. The software method of data protection is good because, at a relatively small cost, you can get a program that provides the required reliability of information storage. But software tools have several significant drawbacks that you should be aware of when choosing this path:

  • they usually work more slowly than hardware tools;
  • any program can be broken open; it is only a matter of time and of the specialist's skill;
  • when the storage medium is stolen, the program is stolen with it.

Hardware also has a number of disadvantages: it is more expensive to develop, production and maintenance costs are added, the hardware system is more complex, and it still requires software in addition to the hardware.

But the advantages of using hardware are clear:

  • fast operation without consuming the host system's resources;
  • it is impossible to get at the program inside the hardware without stealing the device;
  • without the hardware, the protected data cannot be decrypted.

7.4. Legislative acts in the field of information protection

Measures are being taken in Russia to counter information weapons and computer crime. The State Duma of the Russian Federation has a deputy group "Electronic Russia", and round tables on information security are held to develop the relevant laws. The Law of the Russian Federation "On Security", the Law "On Electronic Signature" and the Law "On Information, Informatization and Information Protection" have been adopted; they stipulate that information is subject to protection in the same way as the owner's tangible property. Secure transmission of government information was previously handled by FAPSI and is now handled by the FSB and the FSO, while protection of commercial information in transit is handled by firms licensed by the FSB. Also in force are the guiding document of the State Technical Commission of the Russian Federation "Automated systems. Protection against unauthorized access to information. Classification of automated systems and requirements for information protection" and the relevant state standards:

GOST 28147-89. Information processing systems. Cryptographic protection. Cryptographic conversion algorithm;

GOST R 34.10-94. Information technology. Cryptographic protection of information. Procedures for the generation and verification of an electronic digital signature based on an asymmetric cryptographic algorithm;

GOST R 34.11-94. Information technology. Cryptographic protection of information. Hash function;

GOST R 50739-95. Computer facilities. Protection against unauthorized access to information. General technical requirements.

Since 2004 a new national security standard, GOST/ISO IEC 15408-2002 "General criteria for assessing information technology security", has been in force.

The year of birth of the standard can be considered 1990: it was then that work began, under the auspices of the International Organization for Standardization (ISO), on a standard for information technology (IT) security assessment. That document was translated and taken as the basis for developing GOST/ISO IEC 15408-2002; the name of the standard is historical. The work was carried out with the participation of the national standardization bodies of the USA, Canada, Great Britain, France, Germany and Holland and pursued the following conceptual goals:

  • unification of various national standards in the field of IT security assessment;
  • increasing the level of confidence in IT security assessment;
  • reducing the cost of IT security assessment based on mutual recognition of certificates.

The Russian standard is an exact translation of the international one. It was adopted by Decree No. 133-st of the State Standard of Russia of April 4, 2002, with entry into force on January 1, 2004. The appearance of this GOST reflects not only the improvement of Russian standards using international experience, but also part of the government programme for Russia's accession to the WTO (as is known, when a country joins this organization its duties, taxes, production standards, quality standards and some information security standards must be harmonized).

The new standard introduces the concepts of "threat" and "profile".

A protection profile is an "implementation-independent set of security requirements for a category of products or IT systems that meets specific consumer needs."

All the security mechanisms described in the profile are called the security functions of the target of evaluation (TSFs). Only those security functions that must counter the threats and comply with the security policy are included in the protection profile.

Security assumptions describe the specific conditions under which the system will be operated. A security policy is "one or more security rules, procedures, practices, or guidelines imposed by an organization upon its operations." In the general case, such a set of rules corresponds to the functionality of the software product that is necessary for its use in a particular organization.

One of the most balanced and workable documents is the Bank of Russia's industry standard on information security. Its latest version (2006) shows the Central Bank's clear intention to change the document's status from recommendatory to mandatory.

7.5. Information security standard in the field of bank cards

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for the payment card industry developed by the international payment systems Visa and MasterCard.

The decision to create this single standard was taken by the international payment systems in response to the growing number of companies reporting that confidential information about their clients' accounts had been lost or stolen.

Objectives of the standard:

  • increasing the security of electronic trading and payment systems;
  • providing a secure environment for storing cardholder data;
  • reducing inconsistency in security requirements in the payment card industry;
  • modernization and rationalization of business processes and cost reduction.

The requirements of the PCI DSS standard apply to all companies working with the international payment systems Visa and MasterCard. Depending on the number of transactions processed, each company is assigned a certain level with a corresponding set of requirements that it must fulfil. The standard provides for annual audits of companies as well as quarterly network scans.

Since September 2006 the PCI Data Security Standard has been made mandatory by the international payment system VISA in the CEMEA region; accordingly, it also applies in Russia. Therefore service providers (processing centres, payment gateways, Internet providers) working directly with VisaNet must undergo an audit for compliance with the requirements of the Standard; otherwise VISA applies penalties to them.

Questions for self-examination

  1. What is the main difference between the protection of banking computer systems and the protection of industrial computer systems?
  2. What measures can be attributed to organizational protection measures?
  3. What is the principle of "closed doors" in banks and why can't it be effectively applied at the moment?
  4. What means of protection can be attributed to physical means?
  5. Which systems, analytical or operational, require more thorough protection methods and why?
  6. What are cryptographic text conversion methods?
  7. What is a key?
  8. Define "gamma" (the keystream). Why is it needed?
  9. What is "one-time (tear-off) pad" encryption and why isn't it used now?
  10. What is the key length when encrypting with the DES standard?
  11. Does the key length under Russian standards differ from international ones? What is it?


Banking has always been associated with the processing and storage of a large amount of confidential data. First of all, this is personal data about customers, about their deposits and about all transactions carried out.

All commercial information stored and processed by credit institutions is exposed to a wide variety of risks: viruses, hardware failures, operating system failures and so on. But these problems are not capable of causing serious damage. Daily backup of data, without which the operation of any enterprise's information system is unthinkable, reduces the risk of irretrievable loss of information to a minimum. In addition, methods of protection against these threats are well developed and widely known. Therefore the risks associated with unauthorized access to confidential information come to the fore.

Unauthorized access is a reality

Today there are three most common methods of stealing confidential information. The first is physical access to the places where it is stored and processed. There are many options here. For example, attackers can break into a bank office at night and steal the hard drives with all the databases. Even an armed raid is possible whose purpose is not money but information. It is also possible for a bank employee to carry a storage medium off the premises himself.

The second is the use of backups. In most banks, backup systems for important data are based on tape drives, which write the copies they create onto magnetic tapes that are then stored in a separate location. Access to those tapes is regulated much more loosely, and during their transport and storage a relatively large number of people can copy them. The risks associated with backups of sensitive data must not be underestimated. For example, most experts are sure that the databases of transactions of the Central Bank of the Russian Federation that appeared for sale in 2005 were stolen precisely through copies taken from magnetic tapes. World practice knows many such incidents. In September last year, Chase Card Services (a division of JPMorgan Chase & Co.), a credit card provider, mistakenly threw away five backup tapes containing information about 2.6 million Circuit City credit account holders.

The third and most likely channel of leakage is unauthorized access by bank employees. When only the standard operating system tools are used to separate access rights, users often have the opportunity, indirectly (with the help of certain software), to copy the databases they work with in full and take them out of the company. Sometimes employees do this without any malicious intent, simply to work with the information at home. Nevertheless, such actions are a serious violation of the security policy and can become (and do become!) the cause of disclosure of confidential data.

In addition, in any bank there is a group of people with elevated privileges on the local network: the system administrators. On the one hand, they need these privileges to perform their duties. On the other hand, they have the opportunity to gain access to any information and to "cover their tracks".

Thus the system for protecting banking information from unauthorized access should consist of at least three subsystems, each countering its own type of threat: protection against physical access to data, protection of backups, and protection against insiders. None of them should be neglected, since each threat can lead to the disclosure of confidential data.

Is the law not written for banks?

Currently the activities of banks are regulated by the federal law "On Banks and Banking Activity". Among other things it introduces the concept of "bank secrecy": any credit institution is obliged to ensure the confidentiality of all data on customer deposits and is liable for its disclosure, including compensation for the damage caused by the leak. At the same time, the law contains no requirements for the security of banking information systems. This means that banks make all decisions on the protection of commercial data on their own, relying on the experience of their own specialists or of third-party companies (for example, those conducting information security audits). The only recommendation is the standard of the Central Bank of the Russian Federation "Ensuring information security of organizations of the banking system of the Russian Federation. General Provisions". It first appeared in 2004, and a new version was adopted in 2006. In creating and revising this departmental document, current Russian and international information security standards were used.

The Central Bank of the Russian Federation can only recommend it to other banks and cannot insist on mandatory implementation. In addition, the standard contains few clear requirements that would determine the choice of specific products. It is certainly important, but at the moment it has little practical significance. For example, about certified products it says only: "...certified or authorized means of protecting information from unauthorized access can be used." No corresponding list exists.

The standard also lists requirements for cryptographic means of protecting information in banks, and here there is a more or less clear definition: "CIPF ... must be implemented on the basis of algorithms that comply with the national standards of the Russian Federation, the terms of the contract with the counterparty and (or) the standards of the organization." Compliance of a cryptographic module with GOST 28147-89 can be confirmed by certification. Therefore, when using encryption systems in a bank, it is desirable to use software or hardware crypto providers certified by the Federal Security Service of the Russian Federation, that is, external modules that plug into the software and implement the encryption itself.

In July last year the federal law of the Russian Federation "On Personal Data" was adopted, coming into force on January 1, 2007. Some experts expected it to bring more specific requirements for banking security systems, since banks are organizations that process personal data. However, the law itself, important as it certainly is in general, is currently not applicable in practice: there are neither standards for the protection of personal data nor bodies that could enforce them. So at present banks are free to choose their own systems for protecting commercial information.

Physical access protection

Banks have traditionally paid great attention to the physical security of operating offices, vaults and the like. All this reduces the risk of unauthorized access to commercial information through physical access. However, bank offices and the technical premises where the servers are located usually do not differ in their degree of protection from the offices of other companies. Therefore, to minimize the risks described, a cryptographic protection system is required.

Today there are many data-encryption utilities on the market. However, the specifics of data processing in banks impose additional requirements on such software. First, the cryptographic protection system must implement transparent encryption: the data in the main storage is always kept only in encrypted form. This technology also minimizes the cost of routine work with data, which does not have to be decrypted and re-encrypted every day. Access to the information goes through special software installed on the server, which automatically decrypts information when it is read and encrypts it before it is written to the hard drive; these operations take place directly in the server's RAM.

Secondly, banking databases are very large. Thus a cryptographic information protection system should work not with virtual disks but with real hard-drive partitions, RAID arrays and other server storage, for example SAN storage. The point is that container files which can be attached to the system as virtual disks are not designed for large volumes of data. If a virtual disk created from such a file is large, even a few simultaneous users cause a noticeable drop in read and write speed, and several dozen people working with one large container file can turn into real torment. Also bear in mind that such objects are exposed to corruption by viruses, file system crashes and so on: after all, they are ordinary files, only very large ones, and even a slight change can make all the information contained in the file impossible to decrypt. Both of these mandatory requirements significantly narrow the range of products suitable for implementing protection; in fact there are only a few such systems on the Russian market today.

There is no need to consider the technical features of server cryptographic protection systems in detail, since we have already compared these products in one of the previous issues (Stolyarov N., Davletkhanov M. UTM-protection). But it is worth noting some features of such systems that are desirable for banks. The first concerns the already mentioned certification of the cryptographic module used. The corresponding software or hardware is already present in most banks, so the server information protection system should allow it to be connected and used. The second special requirement is the ability to integrate with the physical security system of the office and/or server room. This protects information from unauthorized access associated with theft, break-ins and so on.

Particular attention in banks should be paid to the preservation of information, since it is in effect the money of customers. Therefore the protection system should have special features that minimize the risk of its loss. One of the most notable is detection of bad sectors on the hard drive. Also of great importance is the ability to pause and cancel the initial encryption of the disk, its decryption and re-encryption: these are lengthy procedures, and any failure during them threatens complete loss of all the data.

The human factor has a very large impact on the risks of unauthorized access to confidential information, so it is desirable that the protection system reduce this dependence. This is achieved by using reliable means of storing encryption keys: smart cards or USB tokens. It is best if these tokens are included with the product: this not only optimizes costs but also ensures full compatibility of software and hardware.

Another important function that minimizes the influence of the human factor on the reliability of the protection system is a key quorum. Its essence is that the encryption key is divided into several parts, each of which is given into the custody of one responsible employee. To mount a protected disk, a specified number of parts is required, and this number may be less than the total number of parts. This approach protects data from misuse by the responsible employees themselves, and also provides the flexibility the bank's work requires.
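The key quorum described above, as an added example that is not the code of any product mentioned in the text: the disk key is divided among five custodians with Shamir's secret sharing so that any three of them can rebuild it, and a stored check value ensures a wrong combination of parts is rejected rather than used to mount the disk. The sample key is a constructed value.

```python
"""k-of-n custody of a disk encryption key (added example)."""
import hashlib
import secrets

# Field prime larger than any 256-bit key (2**521 - 1 is a Mersenne prime).
PRIME = 2**521 - 1


def split_key(key: int, threshold: int, shares: int) -> list:
    """Divide `key` into `shares` parts so that any `threshold` of them rebuild it."""
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    if not 0 <= key < PRIME:
        raise ValueError("key does not fit in the field")
    # Random polynomial of degree threshold-1 whose constant term is the key.
    coeffs = [key] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    parts = []
    for x in range(1, shares + 1):            # x = 0 would hand out the key itself
        y = 0
        for c in reversed(coeffs):            # Horner's rule modulo PRIME
            y = (y * x + c) % PRIME
        parts.append((x, y))                  # one (x, y) part per custodian
    return parts


def recover_key(parts: list) -> int:
    """Lagrange interpolation at x = 0 over the parts presented.

    Fewer than `threshold` parts do not raise an error: they yield a wrong
    value, which is why the result must always be checked (see can_mount)."""
    xs = [x for x, _ in parts]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate part presented")
    total = 0
    for i, (xi, yi) in enumerate(parts):
        num, den = 1, 1
        for j, (xj, _) in enumerate(parts):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def key_check_value(key: int) -> str:
    """Verifier kept with the disk header so that a wrong key is never used."""
    return hashlib.sha256(key.to_bytes(66, "big")).hexdigest()


def can_mount(parts: list, stored_check: str) -> bool:
    """Mount decision: rebuild the key from the parts presented and accept it
    only if it matches the stored check value."""
    return key_check_value(recover_key(parts)) == stored_check


if __name__ == "__main__":
    disk_key = int.from_bytes(b"constructed 256-bit disk key!!!!", "big")
    custodians = split_key(disk_key, threshold=3, shares=5)
    check = key_check_value(disk_key)
    print("3 of 5 custodians:", can_mount(custodians[:3], check))   # True
    print("2 of 5 custodians:", can_mount(custodians[:2], check))   # False
```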

Backup protection

Regular backup of all the information stored in the bank is an absolutely necessary measure. It significantly reduces losses from problems such as data corruption by viruses, hardware failure and so on. But at the same time it increases the risks of unauthorized access. Practice shows that the media onto which backups are written should not be stored in the server room but in another room or even another building; otherwise, in the event of a fire or other serious incident, both the data and its archives may be irretrievably lost. The only way to reliably protect backups from unauthorized use is cryptography. Then the security officer, keeping the encryption key himself, can safely hand the media with the archives over to technical staff.

The main difficulty in organizing cryptographic protection of backups is the need to separate the responsibilities for managing data archiving. The system administrator or another technical employee should configure and run the backup process itself, while encryption of the information should be managed by a responsible employee, the security officer. At the same time, it must be understood that in the vast majority of cases backup is performed automatically. This problem can be solved only by "embedding" the cryptographic protection system between the backup management system and the devices that record the data (tape drives, DVD drives, etc.).

Thus, to be usable in banks, cryptographic products must also be able to work with the various devices used to write backups to storage media: tape drives, CD and DVD drives, removable hard drives, etc.

Today there are three types of products designed to minimize the risks of unauthorized access to backups. The first is special-purpose devices. Such hardware solutions have many advantages, including reliable encryption and high speed. However, they have three significant drawbacks that prevent their use in banks. First, very high cost (tens of thousands of dollars). Second, possible problems with import into Russia (remember that these are cryptographic tools). The third drawback is the impossibility of connecting external certified crypto providers to them: these boards only work with the encryption algorithms implemented in their hardware.

The second group consists of the backup-encryption modules that developers of backup software and hardware offer to their customers. They exist for all the best-known products in this field: ArcServe, Veritas Backup Exec, etc. True, they too have their peculiarities. The most important is that they work only with "their own" software or drive, while a bank's information system is constantly developing, so replacing or expanding the backup system may require additional spending on modifying the protection system. In addition, most products of this group implement old, slow encryption algorithms (for example 3DES), have no key management tools, and offer no possibility of connecting external crypto providers.

All this forces us to pay close attention to the third group of cryptographic backup protection systems: specially designed software, firmware and hardware products that are not tied to specific data archiving systems. They support a wide range of recording devices, which allows them to be used throughout the bank, including all its branches. This ensures uniformity of the protection tools used and minimizes operating costs.

True, despite all their advantages, there are very few products of the third group on the market. This is most likely due to the lack of strong demand for cryptographic backup protection systems. As soon as the management of banks and other large organizations realizes how real the risks associated with archiving commercial information are, the number of players in this market will grow.

Insider Protection

Recent research in the field of information security, such as the annual CSI/FBI Computer Crime and Security Survey, shows that companies' financial losses from most threats are decreasing year by year. However, there are several risks whose losses are increasing. One of them is the deliberate theft of confidential information, or violation of the rules for handling it, by those employees whose access to commercial data is necessary for the performance of their duties. They are called insiders.

In the vast majority of cases confidential information is stolen using removable media: CDs and DVDs, ZIP drives and, above all, all kinds of USB drives. It is their mass spread that has led to the flourishing of insider theft around the world. The managers of most banks are well aware of what threatens them if, for example, a database of their clients' personal data, let alone of transactions on their accounts, falls into the hands of criminal structures, and they try to combat possible theft of information with the organizational methods available to them.

However, organizational methods are ineffective here. Today information can be carried between computers on a miniature flash drive, a mobile phone, an mp3 player, a digital camera... One can of course try to ban all these devices from the office, but this, firstly, will sour relations with employees and, secondly, it is still very difficult to establish really effective control over people: a bank is not a "mailbox" (a closed secret facility). Even disabling all the computer devices that can write information to external media (floppy and ZIP drives, CD and DVD drives, etc.) and the USB ports will not help, since the former are needed for work and various peripherals (printers, scanners, etc.) are connected to the latter. Nothing prevents a person from unplugging the printer for a minute, inserting a flash drive into the freed port and copying important information to it. One can, of course, find original ways of protection: in one bank, for example, they tried filling the junction of the USB port and the cable with epoxy resin, firmly "tying" the cable to the computer. But, fortunately, today there are more modern, reliable and flexible methods of control.

The most effective means of minimizing insider risks is special software that dynamically controls all the devices and computer ports that can be used to copy information. It works as follows: permissions to use particular ports and devices are set for each user group or for each user individually. The biggest advantage of such software is flexibility: restrictions can be set for specific device types, models and even individual instances, which makes it possible to implement very complex access-rights policies.

For example, some employees can be allowed to use any printers and scanners connected to USB ports, while all other devices inserted into those ports remain inaccessible. If the bank uses token-based user authentication, the model of the token in use can be specified in the settings; then users can use only the devices purchased by the company, and all others will be useless.

From the operating principle described above one can see what matters when choosing software that implements dynamic blocking of recording devices and computer ports. First, versatility: the protection system should cover the entire range of possible ports and input-output devices, otherwise the risk of theft of commercial information remains unacceptably high. Secondly, the software should be flexible and allow rules to be built from a wide range of device attributes: type, manufacturer and model, the unique number each instance has, etc. And thirdly, the insider protection system should integrate with the bank's information system, in particular with Active Directory; otherwise the administrator or security officer will have to maintain two databases of users and computers, which is not only inconvenient but also increases the risk of errors.
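A device-control policy of the kind the three paragraphs above describe, as an added example and not the code of any product: rules are matched per user group on device type, manufacturer, model and individual serial number, anything without an allow rule is denied, and every decision produces an audit line. The group names, vendor and model names and serial numbers are constructed placeholders, and the user's groups are assumed to be supplied by the directory (e.g. Active Directory).

```python
"""Port and removable-device control rules with default deny (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Device:
    port: str          # "usb", "cdrom", "fdd", ...
    dev_class: str     # "printer", "scanner", "storage", "token", ...
    vendor: str
    model: str
    serial: str        # unique number of this particular instance


@dataclass(frozen=True)
class Rule:
    """An allow rule; every attribute left as None matches any value."""
    name: str
    group: Optional[str] = None     # user group the rule applies to, None = everyone
    port: Optional[str] = None
    dev_class: Optional[str] = None
    vendor: Optional[str] = None
    model: Optional[str] = None
    serial: Optional[str] = None

    def matches(self, user_groups, device: Device) -> bool:
        if self.group is not None and self.group not in user_groups:
            return False
        for attr in ("port", "dev_class", "vendor", "model", "serial"):
            wanted = getattr(self, attr)
            if wanted is not None and wanted != getattr(device, attr):
                return False
        return True


# Constructed sample policy (placeholder names). There are only allow rules:
# a device not matched by any of them is denied.
ALLOW_RULES = [
    Rule("tellers-usb-printers", group="tellers", port="usb", dev_class="printer"),
    Rule("tellers-usb-scanners", group="tellers", port="usb", dev_class="scanner"),
    # the company's authentication token: one vendor and model, any instance
    Rule("company-tokens", port="usb", dev_class="token",
         vendor="ExampleTokenVendor", model="T-1"),
    # one company-owned USB drive, identified by its serial number
    Rule("officer-drive", group="security_officers", port="usb",
         dev_class="storage", serial="SN-CONSTRUCTED-0001"),
]


def decide(user: str, user_groups, device: Device, rules=ALLOW_RULES):
    """Return (allowed, audit line). Denials are logged too, so the security
    officer can review attempts to use unapproved devices."""
    what = f"{device.dev_class} {device.vendor} {device.model} sn={device.serial}"
    for rule in rules:
        if rule.matches(user_groups, device):
            return True, f"ALLOW user={user} {what} rule={rule.name}"
    return False, f"DENY user={user} {what} (no allow rule)"


if __name__ == "__main__":
    groups = {"tellers"}                       # would come from the directory
    for dev in (Device("usb", "printer", "PrintCo", "P-200", "SN-P1"),
                Device("usb", "storage", "StickCo", "S-8G", "SN-X")):
        print(decide("ivanov", groups, dev)[1])
```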

Summing up

So, today there are products on the market with which any bank can build a reliable system for protecting information from unauthorized access and misuse. True, they must be chosen very carefully, ideally by the bank's own experts of the appropriate level. Third-party services can be used, but then the bank risks being skillfully sold not the software that suits it but the one that benefits the supplier. Moreover, the domestic information security consulting market is still in its infancy.

Meanwhile, making the right choice is not difficult at all: it is enough to arm oneself with the criteria listed and to study the market of security systems carefully. But there is one "pitfall" to remember. Ideally the bank's information security system should be unified, that is, all subsystems should be integrated into the existing information system and, preferably, have common management; otherwise higher administration costs and a greater risk of management errors are inevitable. Therefore, to build all three protection subsystems described here, it is better to choose products from a single developer. Today there are companies in Russia that create everything needed to protect banking information from unauthorized access.

The information security strategy of banks differs greatly from those of other companies and organizations. This is due primarily to the specific nature of the threats, and also to the public nature of banks' activity, which forces them to make access to accounts easy enough for the convenience of customers.

An ordinary company builds its information security around a narrow range of potential threats, mainly protecting information from competitors (in Russian reality the main task is to protect information from the tax authorities and the criminal community, to reduce the likelihood of an uncontrolled increase in tax payments and of racketeering). Such information is of interest only to a narrow circle of persons and organizations and is rarely liquid, i.e. convertible into cash.

The information security of the bank should take into account the following specific factors:

1. Information stored and processed in banking systems is real money. On the basis of computer information payments can be made, loans opened and significant sums transferred. Clearly, illegal manipulation of such information can lead to serious losses. This feature dramatically widens the circle of criminals who target banks specifically (unlike, for example, industrial companies, whose internal information is of little interest to anyone).

2. Information in banking systems affects the interests of a large number of people and organizations - bank customers. As a rule, it is confidential, and the bank is responsible for providing the required degree of secrecy to its customers. Naturally, customers have the right to expect that the bank should take care of their interests, otherwise it risks its reputation with all the ensuing consequences.

3. The competitiveness of the bank depends on how convenient it is for the client to work with the bank, as well as how wide the range of services provided, including services related to remote access. Therefore, the client should be able to manage his money quickly and without tedious procedures. But this ease of access to money increases the likelihood of criminal intrusion into banking systems.

4. The information security of a bank (unlike most companies) must ensure high reliability of computer systems even in case of emergency situations, since the bank is responsible not only for its own funds, but also for the money of customers.

5. The bank stores important information about its customers, which expands the circle of potential intruders interested in stealing or damaging such information.

Crimes in the banking sector also have their own characteristics:

    Many crimes committed in the financial sector remain unknown to the general public due to the fact that bank managers do not want to disturb their shareholders, they are afraid to expose their organization to new attacks, they are afraid to damage their reputation as a reliable store of funds and, as a result, lose customers.

    As a rule, attackers use their own accounts, to which the stolen amounts are transferred. Most criminals do not know how to launder stolen money. The ability to commit a crime and the ability to get the money are not the same thing.

    Most computer crimes are petty. The damage from them lies in the range from $10,000 to $50,000.

    Successful computer crimes typically require a large number of bank transactions (up to several hundred). However, large amounts can be transferred in just a few transactions.

    Most intruders are clerks. Although senior bank personnel can also commit crimes and cause much more damage to the bank, such cases are rare.

    Computer crimes are not always high-tech. It is enough to falsify data, change the parameters of the ASOIB environment, etc., and these actions are also available to the maintenance personnel.

    Many attackers explain their actions by the fact that they just borrow from the bank with a subsequent return. However, "return", as a rule, does not occur.

The specifics of the protection of automated information processing systems of banks (ASOIB) is due to the peculiarities of the tasks they solve:

    As a rule, ASOIB processes a large stream of constantly arriving requests in real time, each of which does not require numerous resources to process, but all together they can only be processed by a high-performance system;

    ASOIB stores and processes confidential information that is not intended for the general public. Its forgery or leakage can lead to serious (for the bank or its customers) consequences. Therefore, ASOIB are doomed to remain relatively closed, operate under the control of specific software and pay great attention to ensuring their security;

    Another feature of ASOIB is the increased requirements for the reliability of hardware and software. Because of this, many modern ASOIBs gravitate towards the so-called fault-tolerant computer architecture, which allows continuous processing of information even in the face of various faults and failures.

There are two types of tasks solved by ASOIB:

1. Analytical. This type includes tasks of planning, account analysis, etc. They are not time-critical and may take a long time to solve, and their results may affect the bank's policy in relation to a particular client or project. Therefore, the subsystem with which analytical tasks are solved must be reliably isolated from the main information processing system. Solving such tasks usually does not require powerful computing resources; usually 10-20% of the power of the entire system is sufficient. However, in view of the possible value of the results, their protection must be permanent.

2. Everyday. This type includes tasks that are solved in daily activities, primarily making payments and adjusting accounts. It is they that determine the size and power of the bank's main system; their solution usually requires much more resources than analytical tasks. At the same time, the value of the information processed in solving such tasks is temporary. Over time, information, for example about the execution of a payment, loses its relevance. Naturally, this depends on many factors, such as the amount and time of payment, account number, additional characteristics, etc. Therefore, it is usually sufficient to ensure protection of a payment at the moment of its execution. At the same time, the protection of the processing process itself and the final results must be constant.

What kind of protection measures for information processing systems do foreign experts prefer? This question can be answered using the results of a survey conducted by the Datapro Information Group in 1994 among banks and financial institutions:

    82% of respondents have a formulated information security policy. Compared to 1991, the percentage of organizations with a security policy has increased by 13%.

    Another 12% of those surveyed plan to develop a security policy. The following trend is clearly expressed: organizations with a large number of personnel prefer to have a developed security policy to a greater extent than organizations with a small number of personnel. For example, according to this survey, only 66% of organizations with less than 100 employees have a security policy, while for organizations with more than 5,000 employees, the share of such organizations is 99%.

    In 88% of organizations that have an information security policy, there is a special unit that is responsible for its implementation. In those organizations that do not maintain such a unit, these functions are mainly assigned to the system administrator (29%), the information system manager (27%) or the physical security service (25%). This means that there is a tendency to separate employees responsible for computer security into a special unit.

    In terms of protection, special attention is paid to protecting computer networks (90%), large computers (82%), recovering information after accidents and disasters (73%), protecting against computer viruses (72%), protecting personal computers (69%).

We can draw the following conclusions about the features of information protection in foreign financial systems:

    The main thing in protecting financial organizations is prompt and, if possible, complete recovery of information after accidents and failures. About 60% of the surveyed financial institutions have a recovery plan, which is reviewed annually in more than 80% of them. Basically, the protection of information from destruction is achieved by creating backups and storing them externally, using uninterruptible power supplies and organizing a “hot” reserve of hardware.

    The next most important problem for financial institutions is managing user access to stored and processed information. Various access control software systems are widely used here, which can sometimes replace anti-virus software. Mostly purchased access control software is used. Moreover, in financial institutions, special attention is paid to such user management in the network. However, certified access controls are extremely rare (3%). This can be explained by the fact that certified software is difficult to work with and extremely expensive to operate. This is due to the fact that certification parameters were developed taking into account the requirements for military systems.

    The differences in the organization of the protection of computer networks in financial organizations include the widespread use of standard (i.e. adapted, but not specially developed for a particular organization) commercial software for network access control (82%) and protection of points of connection to the system via dial-up communication lines (69%). Most likely this is due to the greater prevalence of telecommunications in the financial sector and the desire to protect themselves from outside interference. Other methods of protection, such as the use of anti-virus tools, end-to-end and link encryption of transmitted data, and message authentication, are used to approximately the same extent and, basically (with the exception of anti-virus tools), in less than 50% of the surveyed organizations.

    Much attention in financial institutions is paid to the physical protection of the premises in which computers are located (about 40%). This means that the protection of computers from access by unauthorized persons is solved not only with the help of software, but also organizational and technical (security, combination locks, etc.).

    Local information encryption is used by just over 20% of financial institutions. The reasons for this are the complexity of distributing keys, strict requirements for system performance, as well as the need for prompt recovery of information in case of failures and equipment failures.

    Significantly less attention in financial organizations is paid to the protection of telephone lines (4%) and the use of computers designed to meet the requirements of the Tempest standard (protection against information leakage through electromagnetic emanation and pickup channels). In state organizations, much more attention is paid to counteracting the interception of information via electromagnetic emanations and pickup.

An analysis of the statistics allows us to draw an important conclusion: the protection of financial organizations (including banks) is built somewhat differently from that of ordinary commercial and government organizations. Therefore, the technical and organizational solutions developed for standard situations cannot simply be applied to protect ASOIB. One cannot mindlessly copy other people's systems; they were developed for other conditions.

Banks and everything connected with them have always been a target for all kinds of fraudsters. In our time this fraud is linked to electronic crime. And I, as a person who tries to prevent it, would like to shed a little light on this issue and debunk the myth of the lone hacker who penetrates a bank's system and receives FULL access to its information resources.

To begin with, let us consider the question of the security of a computing complex. By the security of a system we understand its ability to resist attempts at penetration, unauthorized access, acquisition of rights and privileges, and destruction or distortion of information. We are most interested in internal security, i.e. keeping the system functioning in its normal mode of operation and ensuring the integrity, safety and confidentiality of information.

Analyzing the list of existing threats, the main directions of protection of banking systems can be identified:

    1. Physical protection, i.e. protection of equipment from mechanical damage, theft, and the installation of special equipment for electromagnetic pickup.
    2. Protection against unauthorized access.
    3. Electronic protection of document workflow, i.e. public-key encryption of all significant e-mail correspondence.
    4. Antivirus protection: installation of a complex of specialized software that prevents malware from penetrating the computer network.

Having established what security is and the significance of the issue of providing it, let us move on to a review of the means of protecting electronic systems.

Protective means include software, hardware, and hardware-software systems.

By their characteristics, the most reliable protection system can be implemented only by hardware and hardware-software means. This is because such systems are most often specialized, i.e. they perform certain fixed functions, which is a great advantage, because it is much simpler to protect or test a specialized device than a universal one. Another advantage of specialized systems is that they make it possible to physically and logically isolate the blocks that hold critical information. In addition, hardware-software systems provide reliable protection against modification, deletion or theft of information by system programmers or other highly qualified personnel. Usually, hardware-software security systems provide a function for erasing secret information on any attempt at physical penetration into the hardware part of the system.

Considering also the economic efficiency of a security system, more often only software tools are used, because the price of specialized hardware modules is quite high. Using software tools, you get a very flexible system that provides a sufficient level of protection and, at the same time, insignificant maintenance costs for the software complex (in comparison with hardware systems). Another important advantage of a software implementation of protection is the possibility of changing it in the direction of complication or simplification, depending on the security requirements.

With the help of software tools, the following protection methods can be implemented:

    • Cryptographic transformation, i.e. information encryption. The most common methods are DES and RSA. DES (Data Encryption Standard) is a standard for the cryptographic transformation of data developed by IBM for its own needs, which later became a US federal standard. The DES algorithm is widely used throughout the world, is open and has been published. It is easy to understand and uses a method of protection that is based on a key and does not depend on keeping the algorithm secret. RSA is at present the most promising method, because it does not require transferring a key for encryption to other users. The cryptographic transformation of data is carried out with the first, public key, and the information is restored with the second, private key. The main application of RSA at the moment is the protection of electronic document management. As an example, one can cite the SSL (Secure Sockets Layer) protocol, which guarantees secure data transmission over the network. SSL combines a public-key cryptosystem with block encryption of data. The only downside of the RSA algorithm is that it has not been fully studied and there is no 100% guarantee of its reliability.
    • Authentication of users, i.e. checking the correctness of the registration information entered by the user at login. It is used to enforce the application of access rights to information resources and of rights to perform operations in the system.
    • Delimitation of user rights and privileges for access to information resources.
    • Control of information integrity, anti-virus protection, and audit, i.e. tracking the activity of users and software working in the system by registering predefined types of events in the security system log, as well as implementing certain responses or prohibiting execution.
    • Monitoring the operation of information security systems, both software and hardware, i.e. implementation of controls and checking of the protective mechanisms of security systems.
    • Backup copying and subsequent recovery of information.
    • Firewall: a system or combination of systems creating a protective barrier between two or more networks and preventing intrusion into a private network. Firewalls serve as virtual barriers for transmitting packets from one network to another.

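The public-key/private-key split and the combination of a public-key system with symmetric encryption that the cryptography bullet describes, as an added example that is not from the original article: the public key wraps a random session key, the private key unwraps it, and the document itself is protected symmetrically. The RSA parameters (n = 61 * 53, e = 17, d = 2753) are tiny constructed values for illustration only, and a SHA-256 counter keystream stands in for the block cipher.

```python
"""Added illustration of the hybrid scheme: public key wraps the session key,
private key unwraps it, bulk data is encrypted symmetrically. All parameters
are constructed toy values and are not secure for real use."""
import hashlib
import os

# Constructed toy RSA key pair: n = 61 * 53 = 3233, e = 17, d = e^-1 mod 3120.
PUBLIC_KEY = (3233, 17)
PRIVATE_KEY = (3233, 2753)


def wrap_session_key(key: bytes, public_key: tuple) -> list:
    """Encrypt each byte of the session key with the public key (c = m^e mod n)."""
    n, e = public_key
    return [pow(b, e, n) for b in key]


def unwrap_session_key(wrapped: list, private_key: tuple) -> bytes:
    """Recover the session key with the private key (m = c^d mod n)."""
    n, d = private_key
    return bytes(pow(c, d, n) for c in wrapped)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric part: XOR data with a SHA-256 counter-mode keystream.
    Stands in for the block cipher of the text; the same call decrypts."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def encrypt_document(plaintext: bytes, public_key: tuple) -> dict:
    """Sender side: a fresh session key, wrapped with the recipient's public key.
    No secret key ever has to be handed to the other party in advance."""
    session_key = os.urandom(16)
    return {"wrapped_key": wrap_session_key(session_key, public_key),
            "ciphertext": keystream_xor(session_key, plaintext)}


def decrypt_document(envelope: dict, private_key: tuple) -> bytes:
    """Recipient side: only the holder of the private key can unwrap the session key."""
    session_key = unwrap_session_key(envelope["wrapped_key"], private_key)
    return keystream_xor(session_key, envelope["ciphertext"])


if __name__ == "__main__":
    msg = b"Payment order 42: transfer 1000.00 to account 123"  # constructed
    env = encrypt_document(msg, PUBLIC_KEY)
    assert decrypt_document(env, PRIVATE_KEY) == msg
    print("round trip ok; first wrapped key bytes:", env["wrapped_key"][:4])
```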
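The audit method from the list above (registering predefined event types in a security log and answering with a response or a prohibition of execution), as an added example that is not code from the original article. The event types, thresholds and roles are assumed values; the events fed through the log are constructed, and the rules encode the patterns the article itself names: repeated failed logins, an operator paying into an account they own, many transfers to one account, and a change to the processing environment's parameters by a non-administrator.

```python
"""Added example: a minimal security log with predefined event types and
rule-driven responses ('ok', 'alert' or 'deny'). Thresholds and roles are
assumed values; all events are constructed."""
from collections import defaultdict

# Predefined event types the security log registers (assumed names).
LOGIN_FAILED = "LOGIN_FAILED"
PAYMENT = "PAYMENT"
PARAM_CHANGE = "PARAM_CHANGE"   # change to the processing environment's parameters

# Policy thresholds (assumed values; a real bank tunes these).
MAX_FAILED_LOGINS = 3
PAYMENTS_TO_ONE_ACCOUNT_LIMIT = 5   # many small transfers into a single account
ENV_CHANGE_ROLES = {"admin"}        # only these roles may change parameters


class SecurityLog:
    def __init__(self):
        self.events = []
        self.failed_logins = defaultdict(int)
        self.transfers = defaultdict(int)   # (user, destination) -> count

    def register(self, user, role, kind, **details):
        """Register an event and return the response taken for it."""
        event = {"user": user, "role": role, "kind": kind, **details}
        event["response"] = self._evaluate(event)
        self.events.append(event)
        return event["response"]

    def _evaluate(self, ev):
        if ev["kind"] == LOGIN_FAILED:
            self.failed_logins[ev["user"]] += 1
            return "deny" if self.failed_logins[ev["user"]] >= MAX_FAILED_LOGINS else "ok"
        if ev["kind"] == PAYMENT:
            key = (ev["user"], ev["to"])
            self.transfers[key] += 1
            if ev.get("to_owner") == ev["user"]:   # operator paying into own account
                return "deny"
            if self.transfers[key] > PAYMENTS_TO_ONE_ACCOUNT_LIMIT:
                return "alert"
            return "ok"
        if ev["kind"] == PARAM_CHANGE:
            return "ok" if ev["role"] in ENV_CHANGE_ROLES else "deny"
        return "alert"   # unknown event type: never accept silently


def replay(log, events):
    """Feed (user, role, kind, details) tuples through the log; return responses."""
    return [log.register(user, role, kind, **details) for user, role, kind, details in events]


# Constructed sample events.
SAMPLE_EVENTS = [
    ("clerk1", "clerk", LOGIN_FAILED, {}),
    ("clerk1", "clerk", LOGIN_FAILED, {}),
    ("clerk1", "clerk", LOGIN_FAILED, {}),                                  # third failure
    ("clerk2", "clerk", PAYMENT, {"to": "ACC-9", "amount": 900, "to_owner": "clerk2"}),
    ("clerk2", "clerk", PARAM_CHANGE, {"param": "daily_limit"}),            # not an admin
    ("admin1", "admin", PARAM_CHANGE, {"param": "daily_limit"}),
] + [("clerk3", "clerk", PAYMENT, {"to": "ACC-7", "amount": 100, "to_owner": "ext"})] * 6

if __name__ == "__main__":
    print(replay(SecurityLog(), SAMPLE_EVENTS))
```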
The main disadvantage of protection systems built only on software is the possibility of their analysis in the course of unauthorized access (NSD). In that case, the possibility of developing methods for overcoming or modifying the complex of software security tools cannot be excluded.

To be continued...