What is leakage of confidential information? Causes of information leakage

Source information always propagates into the external environment. Information dissemination channels are objective and active; they include business, managerial, commercial, scientific and communicative regulated exchanges; information networks; and natural technical channels.

An information dissemination channel is a path by which valuable information moves from one source to another, either in an authorized (permitted) mode or by virtue of objective laws.

The term "leakage of confidential information" is probably not the most euphonious, but it captures the essence of the phenomenon more fully than other terms, and it has long been established in the scientific literature and in regulatory documents. Leakage of confidential information is an unlawful, i.e. unauthorized, release of such information outside the protected zone of its operation or outside the established circle of persons entitled to work with it, provided that this release led to the information being received (familiarized with) by persons who do not have authorized access to it. Leakage of confidential information means not only its receipt by persons who do not work at the enterprise; unauthorized access to confidential information by the enterprise's own personnel also constitutes a leak.

The loss and leakage of confidential documented information is due to the vulnerability of information. The vulnerability of information should be understood as its inability to resist destabilizing influences on its own, i.e. influences that violate its established status. A violation of the status of any documented information consists in a violation of its physical safety (in general, or with a given owner, in full or in part), of its logical structure and content, or of its accessibility to authorized users. A violation of the status of confidential documented information additionally includes a violation of its confidentiality (its closeness to unauthorized persons). The vulnerability of documented information is a collective concept: it does not exist in the abstract but manifests itself in various forms. These include: theft of an information carrier or of the information displayed on it (theft); loss of an information carrier (loss); unauthorized destruction of the information carrier or of the information displayed on it (destruction); distortion of information (unauthorized change, unauthorized modification, forgery, falsification); blocking of information; disclosure of information (dissemination, disclosure).

The term "destruction" is used mainly in relation to information on magnetic media. The existing alternative names, modification, forgery and falsification, are not entirely equivalent to the term "distortion"; they carry nuances, but their essence is the same: an unauthorized partial or complete change in the composition of the original information.

Blocking of information here means blocking access to it for legitimate users, not for attackers.

Disclosure of information is a form of vulnerability that applies only to confidential information.

One or another form of vulnerability of documented information can be realized as a result of a deliberate or accidental destabilizing effect exerted in different ways on the information carrier or on the information itself by sources of influence. Such sources can be people, technical means of processing and transmitting information, means of communication, natural disasters, etc. The ways of exerting a destabilizing effect on information are copying (photographing), recording, transferring, capture (pickup) of information, infecting information-processing programs with a virus, violating the technology of processing and storing information, disabling (or failure of) the system and violating the operating mode of the technical means for processing and transmitting information, physical impact on information, etc.

Vulnerability of documented information leads or can lead to the loss or leakage of information.

Theft and loss of information carriers, unauthorized destruction of information carriers or only of the information displayed on them, and distortion and blocking of information all lead to the loss of documented information. The loss can be complete or partial, irretrievable or temporary (when information is blocked), but in any case it causes damage to the owner of the information.

Leakage of confidential documented information leads to its disclosure. As some authors note, in the literature and even in regulatory documents the term "leakage of confidential information" is often replaced by or equated with the terms "disclosure of confidential information" and "dissemination of confidential information". In the experts' view, such an approach is not legitimate. Disclosure or dissemination of confidential information means its unauthorized communication to consumers who have no right of access to it, and such communication must be carried out by someone, must come from someone. A leak occurs when confidential information is disclosed (distributed without authorization), but is not limited to that. A leak can also result from the loss of a carrier of confidential documented information, or from theft of the carrier or of the information displayed on it while the carrier remains in the possession of its owner (holder). This does not predetermine what will happen next: the lost medium may fall into the wrong hands, or it may be picked up by a garbage truck and destroyed in the manner established for garbage, in which case there is no leakage of confidential information. Theft of confidential documented information is likewise not always associated with its receipt by persons who lack access to it. There are many examples in which carriers of confidential information were stolen from colleagues at work by persons who were themselves admitted to this information, with the aim of "getting at" a colleague and causing him harm; such carriers, as a rule, were destroyed by the persons who took them. In any case, however, loss and theft of confidential information, even if they do not lead to its leakage, always create a threat of leakage. It can therefore be said that disclosure of confidential information leads to its leakage, while theft and loss can lead to it.
The difficulty lies in the fact that it is often impossible to establish, first, the very fact of disclosure or theft of confidential information while the carrier remains in the possession of its owner (holder), and second, whether the information reached unauthorized persons as a result of its theft or loss.

The holder of a trade secret is an individual or legal entity who legally possesses information constituting a trade secret and the corresponding rights in full.

Information constituting a trade secret does not exist by itself. It is displayed on various carriers, which can store, accumulate and transmit it; information is also used by means of them.

An information carrier is an individual or a material object, including a physical field, in which information is displayed in the form of symbols, images, signals, technical solutions and processes.

From this definition it follows, first, that material objects are not only what can be seen or touched, but also physical fields and the human brain, and second, that information is displayed on carriers not only by symbols, i.e. letters, numbers and signs, but also by images in the form of drawings, sketches, diagrams and other iconic models, by signals in physical fields, by technical solutions embodied in products, and by technical processes in product manufacturing technology.

Material objects serving as information carriers are of different types: magnetic tapes, magnetic and laser disks, photographic, cine, video and audio tapes, various kinds of industrial products, technological processes, etc. But the most widespread type is paper-based carriers. Information on them is recorded by handwritten, typewritten, electronic or typographic means in the form of text, drawing, diagram, sketch, formula, graph, map, etc.; that is, on these carriers information is displayed in the form of symbols and images. Under the Federal Law "On Information ...", such information is classified as documented information and takes the form of various kinds of documents.

Recently there have been significant changes in the forms and means of obtaining confidential information by informal methods. Naturally, this mainly concerns influence on a person as a carrier of confidential information.

A person as an object of influence is more susceptible to informal influences than technical means and other carriers of confidential information, owing to a certain legal insecurity at the present moment, to individual human weaknesses and to life circumstances.

Such informal influence, as a rule, is hidden and illegal in nature and can be carried out either by an individual or by a group of persons.

The following types of information leakage channels are possible for a person who is a carrier of confidential information: voice channel, physical channel and technical channel.

Speech leakage channel: information is transmitted by the owner of confidential information, in person and by word of mouth, to the party interested in receiving it.

Physical leakage channel: information is transmitted by the owner (carrier) of confidential information on paper, electronic, magnetic (encrypted or open) or other media to the party interested in obtaining it.

Technical leakage channel: information is transmitted through technical means.

Forms of influence on a person who is a carrier of protected information can be open and hidden.

An open influence on the owner (carrier) of confidential information, aimed at obtaining it for an interested party, implies direct contact.

A hidden influence on the owner (carrier) of confidential information, aimed at obtaining it for an interested party, is carried out indirectly.

The means of informal influence on the owner (carrier) of confidential information, used to obtain certain information from him through an open speech channel, are a person or a group of people who act through promises, requests and suggestion.

As a result, the owner (carrier) of confidential information is forced to change his behavior and his official duties and to hand over the required information.

Hidden influence through the speech channel on the owner (carrier) of confidential information is exerted through indirect coercion: blackmail through a third party, unintentional or deliberate eavesdropping, etc.

In the end, the means of influence mentioned make the owner (carrier) of confidential information tolerant of the influences exerted on him.

Forms of influence on the owner (carrier) of confidential information through a physical channel of leakage can also be open and hidden.

Open influence is exerted by means of physical force: intimidation (beatings) or force with a fatal outcome after the information has been obtained.

Covert action is more subtle and broader in the means it applies. It can be represented by the following structure of impact: interested party → interests and needs of the carrier of confidential information.

Consequently, the interested party acts covertly (indirectly) on the interests and needs of the person who holds the confidential information.

Such hidden influence can be based on fear, blackmail, manipulation of facts, bribes, bribery, intimacy, corruption, persuasion, provision of services, or assurances about the future of the person who is the carrier of confidential information.

The form of influence on the owner (carrier) of confidential information through technical channels can also be open and hidden.

Open (direct) means: fax, telephone (including mobile systems), the Internet, radio communications, telecommunications, mass media.

Hidden means include eavesdropping using technical means, viewing information from a display screen or other means of displaying it, and unauthorized access to a PC and to software and hardware.

All the means of influence considered, regardless of their form, exert an informal impact on the person who is the carrier of confidential information and are associated with illegal and criminal methods of obtaining confidential information.

The possibility of manipulating the individual traits of the owner (carrier) of confidential information, together with his social needs, in order to obtain it must be taken into account when placing and selecting personnel and when conducting personnel policy in organizing work with confidential information.

It should always be remembered that the very fact of documenting information (recording it on any material carrier) increases the risk of its leakage. A material carrier is always easier to steal, and there is a high degree of certainty that the information on it is not distorted, as happens when information is disclosed orally.

Threats to the safety, integrity and secrecy (confidentiality) of restricted information are realized in practice through the risk that channels form for unauthorized receipt (extraction) of valuable information and documents by an attacker. These channels are the set of unprotected or weakly protected directions of possible information leakage that an attacker uses to obtain the information he needs, i.e. for deliberate illegal access to protected and guarded information.

Each specific enterprise has its own set of channels for unauthorized access to information; there are no ideal firms in this respect.

This depends on many factors: the volume of protected and guarded information; the types of protected and guarded information (constituting a state secret or some other secret: official, commercial, banking, etc.); the professional level of personnel; the location of buildings and premises, etc.

The functioning of channels of unauthorized access to information necessarily entails the leakage of information, as well as the disappearance of its carrier.

If the leakage occurs through the fault of personnel, the term "disclosure of information" is used. A person can disclose information orally, in writing, by extracting it with technical means (copiers, scanners, etc.), or by gestures, facial expressions and prearranged signals, and can transfer it in person, through intermediaries, through communication channels, etc.

Leakage (disclosure) of information is characterized by one of two conditions:

  • 1. The information goes directly to the person interested in it, the attacker;
  • 2. The information passes to a random third party.

Here a third party is understood to be any person who received the information through circumstances beyond his control or through the irresponsibility of personnel, who has no right to possess the information and, most importantly, is not interested in it. However, information can easily pass from a third party to an attacker; in that case the third party, through circumstances arranged by the attacker, acts as a "blotter" that intercepts the required information.

Transfer of information to a third party appears to be a fairly common occurrence and can be called unintentional or spontaneous, although disclosure of the information has nevertheless taken place.

Unintentional transfer of information to a third party occurs as a result of:

  • 1. Loss or improper destruction of a document on any medium, of a package of documents, files or confidential records;
  • 2. Disregard of, or deliberate non-compliance with, the requirements for protecting documented information by an employee;
  • 3. Excessive talkativeness of employees, even in the absence of an intruder, with colleagues, relatives, friends and other persons in public places such as cafes and transport (recently this has become noticeable with the spread of mobile communications);
  • 4. Working with the organization's restricted documented information in the presence of unauthorized persons, or unauthorized transfer of it to another employee;
  • 5. Use of restricted information in open documents, publications, interviews, personal notes, diaries, etc.;
  • 6. Absence of secrecy (confidentiality) markings on documents and of the corresponding stamps on technical media;
  • 7. Presence in the texts of open documents of excessive restricted information;
  • 8. Unauthorized copying (scanning) by an employee of documents, including electronic ones, for official or collection purposes.

Unlike a third party, an attacker or his accomplice purposefully obtains specific information and intentionally and illegally establishes contact with the source of that information, or transforms the channels of its objective dissemination into channels for its disclosure or leakage.

Organizational channels of information leakage are characterized by a wide variety of types and are based on the establishment of various relationships, including legal ones, between the attacker and the enterprise or its employees, for the purpose of subsequent unauthorized access to the information of interest.

The main types of organizational channels can be:

  • 1. The intruder is hired by the enterprise, usually in a technical or auxiliary position (computer operator, freight forwarder, courier, cleaner, janitor, security guard, driver, etc.);
  • 2. Participation in the work of the enterprise as a partner, intermediary or client, and the use of various fraudulent methods;
  • 3. Search by the attacker for a helper (an initiative assistant) working in the organization, who becomes his accomplice;
  • 4. Establishment by the attacker of a trusting relationship with an employee of the organization (based on shared interests, up to joint drinking and love affairs) or with a regular visitor or an employee of another organization who has information of interest to the attacker;
  • 5. Use of the organization's communication links: participation in negotiations, meetings, exhibitions and presentations, correspondence (including electronic) with the organization or its specific employees, etc.;
  • 6. Exploitation of erroneous actions by personnel, or deliberate provocation of such actions by the attacker;
  • 7. Covert penetration, or penetration using forged documents, into the enterprise's buildings and premises; criminal, forceful access to information, i.e. theft of documents, diskettes, hard drives or the computers themselves, blackmail and inducement of individual employees to cooperate, bribery and blackmail of employees, creation of extreme situations, etc.;
  • 8. Receipt of the necessary information from a third (random) person.

Organizational channels are selected or formed by an attacker individually, in accordance with his professional skills and the specific situation, and they are extremely difficult to predict. Identifying organizational channels requires serious research and analysis.

The technical support of the organization's financial document-management technologies creates ample opportunities for unauthorized obtaining of restricted information. Any managerial and financial activity is always associated with discussing information in offices or over communication lines and channels (video and conference calls), making calculations and analyzing situations on computers, preparing and duplicating documents, etc.

Technical channels of information leakage arise when special technical means of industrial espionage are used, which make it possible to obtain protected information without direct contact with the organization's personnel, documents, files and databases.

A technical channel is the physical path by which information leaks from a source, or from a channel of its objective dissemination, to an attacker. The channel arises when the attacker analyzes the physical fields and emissions that appear during the operation of computers and other office equipment, or intercepts information that has an acoustic, visual or other form of display. The main technical channels are acoustic, visual-optical, electromagnetic, etc. These channels are predictable, standard in nature, and are interrupted by standard countermeasures, for example those set out in GOST RV 50600-93, "Protection of classified information from technical intelligence. Document system. General provisions".

A creative combination of channels of both types in the actions of an attacker is common and professionally competent, for example establishing a trusting relationship with an employee of the organization and then intercepting information through technical channels with that employee's help.

There can be many options and combinations of channels, so the risk of losing information is always quite high. Faced with an effective information protection system, an attacker destroys individual elements of the protection and forms the channel he needs to obtain information.

In order to accomplish his tasks, the attacker determines not only the channels of unauthorized access to the organization's information but also a set of methods for obtaining that information.

In order to protect information at the proper level, it is necessary to “know the enemy” and the methods used to obtain information.

Legal methods fall under the concept of "own intelligence in business"; they are distinguished by legal safety and, as a rule, give rise to the interest in the organization that may subsequently make it necessary to use channels of unauthorized access to the required information. At the heart of "own intelligence" lies painstaking analytical work by attackers, competitors and expert specialists over the organization's published and publicly available materials. The subjects of this work are the activities and services of the organization, its advertising publications, information obtained in official and unofficial conversations and negotiations with the enterprise's employees, materials from press conferences, company and service presentations, scientific symposiums and seminars, and information obtained from information networks, including the Internet. Legal methods give the attacker the bulk of the information of interest to him and allow him to determine what missing information will have to be obtained by illegal methods, while some information no longer needs to be obtained at all thanks to painstaking analysis of open sources.

Illegal methods of obtaining valuable information are always unlawful and are used to gain access to protected information that cannot be obtained by legal methods. The basis of illegal acquisition of information is the attacker's search for the most effective unprotected organizational and technical channels of unauthorized access to information that exist in the organization under specific conditions, the formation of such channels where they are absent, and the implementation of a plan for their practical use.

Illegal methods include theft, deliberate deception, eavesdropping, forgery of identity documents, bribery, blackmail, staging or organizing extreme situations, the use of various criminal techniques, etc. In the process of applying illegal methods, an undercover (agent) channel for obtaining valuable financial information is often formed. Illegal methods also include interception of information objectively disseminated through technical channels, visual observation of the bank's buildings, premises and personnel, analysis of objects containing traces of protected information, analysis of the architectural features of protected facilities, and analysis of paper waste removed from the enterprise.

Thus, leakage of restricted information can occur:

  • 1. When organizations, individuals or competitors have an interest in specific information;
  • 2. When there is a risk of a threat organized by an attacker or arising under random circumstances;
  • 3. When there are conditions that allow the attacker to carry out the necessary actions and acquire the information.

These conditions may include:

  • 1. Lack of systematic analytical and control work to identify and study threats and channels of information leakage and the degree of risk of violations of the organization's information security;
  • 2. An ineffective, poorly organized information security system in the company, or the absence of such a system;
  • 3. Unprofessionally organized technology of closed (confidential) financial document management, including electronic, and of office work with restricted documented information;
  • 4. Disorganized recruitment and staff turnover, and a difficult psychological climate in the team;
  • 5. Lack of a system for training employees in the rules for working with restricted documented information;
  • 6. Lack of control by the enterprise's management over personnel compliance with the requirements of normative documents on working with restricted documented information;
  • 7. Uncontrolled visits to the organization's premises by unauthorized persons.

Channels of unauthorized access and information leakage can be of two types, organizational and technical, and they are exploited by legal and illegal methods.

Thus, obtaining restricted documents or information can be a one-off occurrence or a regular process extending over a relatively long time.

Therefore, any information resources of an organization are a highly vulnerable category, and if an attacker becomes interested in them, the danger of their leakage becomes quite real.

Preliminary assessment by analysts of materials prepared for publication about the company (exhibition brochures, advertising publications, etc.), their participation in presentations, exhibitions, shareholders' meetings and negotiations, and their interviewing and testing of candidates for positions are all desirable. The last of these is one of the main and most important duties of the information and analytical service, since it is at this stage that one of the main organizational channels, the intruder's admission to work in the company, can be blocked with a certain probability.

At the end of June, the American research center ITRC (Identity Theft Resource Center) published data on information leaks for the first half of this year. According to ITRC, during this period there were 336 public information leaks in the United States, and the total number of victims reached 17 million people.

The frequency of information leaks is growing incredibly fast: in the last three years alone it has almost quadrupled (Fig. 1). Every year information leaks become a more significant security problem, and the fight against them is the idée fixe of specialists in this field. To deal with leaks effectively, however, one first needs to know how they happen and what tools are available to counter them.

Fig. 1. The number of public information leaks recorded in the US (source: ITRC, Perimetrix, 2008)

The Perimetrix report published in the first quarter of this year was chosen as the source data for studying the problem. In preparing the report, Perimetrix specialists collected and analyzed information about a hundred different incidents that occurred in various parts of the world. The resulting statistics can be trusted, since all the incidents considered took place in real organizations.

Fig. 2 shows the distribution of leaks by the main types of cause. It is easy to see that four main types of leak accounted for the vast majority (84%) of incidents, with almost half of this share (40%) falling on the most popular threat, media theft. In this article we will try to consider the specifics of each of the identified threats and give recommendations on how to reduce their danger.

Fig. 2. Distribution of leaks by main types of threat (source: Perimetrix, 2008)

Media theft (40%)

Media theft is the most common type of incident; it occurs as a result of the theft or loss of various digital media holding confidential information. Most of these leaks are due to the theft of laptops, but other scenarios are possible (Fig. 3). "In our practice there have been incidents caused by the theft of flash drives, backup magnetic tapes, hard drives and even obsolete floppy disks," says Alexey Dolya, Development Director at Perimetrix.

Fig. 3. Frequently lost storage media (source: Perimetrix, 2008)

From a security standpoint it does not matter which medium is stolen. Of course, reading data from a tape is harder than plugging a USB flash drive into a USB port, but an attacker will most likely be able to solve that problem if he wants to. The damage from a leak depends little on the type of medium used, and each of them needs to be protected.

Today there are several ways to minimize the risk of such leaks. The most elementary of them, restricting the use of mobile media, is inefficient from a business point of view; in addition, it does not prevent leaks associated with theft of office equipment.

The second method involves controlling the movement of confidential information, and it likewise does not protect against "office" leaks. Full-fledged protection is provided only by mandatory encryption of all secret information, not only on mobile media but also in places of stationary storage. We emphasize separately that all other protection methods (for example, various passwords and biometrics) are ineffective without encryption.

According to Perimetrix, the majority of carriers go missing from offices rather than from the homes of individual employees (Fig. 4). It therefore makes sense for organizations to strengthen the physical security of offices, without forgetting about encryption of information.

Fig. 4. Location of missing equipment (source: Perimetrix, 2008)

The abundance of leaks from offices once again shows that it is necessary to encrypt not only laptops and other mobile devices but also stationary carriers of confidential information. Of course, stealing a laptop unnoticed is much easier than carrying out a server, but that risk is also real.

Nearly a third (29%) of the reported incidents are related to leaks in transit: theft from trucks, theft of cars with laptops inside and other similar cases. Perimetrix experts note that "transport" leaks are specific: in most cases the transportation of media is performed by third-party organizations that are extremely difficult to control. However, the same encryption makes it possible to minimize the risk of "transport" leaks.

Hacker attack (15%)

This broad group of incidents includes all leaks that occurred as a result of an external intrusion. Any attack technique can be used for the intrusion, be it the installation of malware, exploitation of vulnerabilities, SQL injection, etc. The main difference between a hacker attack and all other types is that it takes place with the participation of external parties who take some kind of active action. Note that access to confidential information is not necessarily the main target of an attack; but if it was obtained in some way, a leak has occurred.

Probably no organization today can fully protect itself from the hacker threat. We consider this term in the broadest sense, which means that there is no single remedy in principle.

In general, the proportion of "external" or "hacker" leaks turned out to be smaller than initially expected. Most companies developing security solutions constantly say that hackers are becoming more professional and seek to obtain information rather than to format the user's hard drive. According to Perimetrix analysts, this threat is somewhat exaggerated, although it certainly exists. Perhaps the low share of hacker intrusions is partly due to the fact that the intrusions themselves have become less noticeable.

In fairness, we note that the largest incidents (for example, the famous TJX leak) often occur precisely as a result of external intrusions. However, leaks on the scale of millions of records are rare, and it is wrong to draw any conclusions from isolated cases.

Inside (15%)

This category includes incidents caused by the actions of the organization's own employees. All registered insider incidents fall into two approximately equal parts:

  • the employee did not have access to the information, but managed to bypass the security systems;
  • the insider had access to the information and took it out of the organization.

An excellent example of the first type of insider is former Société Générale trader Jérôme Kerviel, who has been in the headlines for months. Recall that the 31-year-old trader cost the bank about 5 billion euros by trading futures on European stock indices. It is obvious even to someone far from banking that an ordinary trader could not have had the authority to open positions totalling 50 billion euros, yet Kerviel managed to do so.

Shortly after his release from prison, Jérôme Kerviel got a job at LCA, a company that specializes in... information security.

39-year-old Dwight McPherson worked as an agent for the Presbyterian hospital in Brooklyn (New York). The insider had been selling personal information since 2006, and 50 thousand confidential records were found on his computer. For one social security number McPherson asked only 75 cents.

However, insiders of the second type, who have legitimate access to confidential information, pose the greatest danger. Despite the lack of accurate data, Perimetrix analysts are convinced that most incidents of this kind never come to public attention. Moreover, such insiders are often unknown even to their own employers.

Web leak (14%)

This category includes all leaks related to the publication of confidential information in public places. In most cases that place is the Internet (hence the name, web leak), but similar leaks occur on intranets as well. There are also very exotic variations on the same theme, for example partners' access passwords mistakenly sent out to the wrong recipients.

The vast majority of web leaks are due to human error or ignorance. Ignorance can be addressed through training, but mistakes can never be avoided completely. Absolute protection against web leaks is very difficult: it requires classifying all secret information, controlling its placement on web servers and corporate network hosts, and deploying special protection systems.

Regardless of the specific type of web leak, its key characteristic is how long the private data stays published on the public or corporate network. Obviously, the longer the data stays there, the higher the risk of its compromise. Fig. 5 shows the distribution of recorded web leaks by their duration.

Fig. 5. Duration of web leaks (source: Perimetrix, 2008)

The analysis showed that only about a quarter (23%) of web leaks are discovered within a month or less, while more than half (58%) last for more than a year. Given the state of search technology, such results are very worrying, since a few hours are enough for information posted on the Internet to be compromised.

The large number of long-lasting leaks means that most companies do not regularly audit the information stored on their web resources. If such monitoring were carried out even once a year, leaks would be detected faster. As a rule, web leaks surface entirely by accident, thanks to the attentiveness of ordinary site visitors who happen to find private information.

A typical case of a web leak

Consider a web leak that occurred in the state of Oklahoma, on the website of the state department of corrections. To reach confidential information, a visitor only needed to slightly change a link whose query parameter contained a literal SQL SELECT statement.

http://docapp8.doc.state.ok.us/pls/portal30/url/page/sor_roster?sqlString=select distinct o.offender_id,doc_number,o.social_security_number.......

http://docapp8.doc.state.ok.us/pls/portal30/url/page/sor_roster?sqlString=select distinct o.offender_id,o.social_security_number doc_number......

Thus, to gain access to the data, only two fields of the query had to be edited, one of them bearing the telling name o.social_security_number: in the edited link that column is aliased as doc_number, so the page rendered social security numbers where document numbers normally appear.

Note that it follows from comments in the source of the HTML page that the data had been openly accessible for at least three years. The leak was discovered entirely by accident: it was noticed by Alex Papadimoulis of The Daily WTF, who later wrote an article about the incident.
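As an added example (not the Oklahoma portal's code, and not from the article), the following Python script shows why the pattern described above is fatal: the server executes whatever SQL text arrives in the sqlString parameter, so editing one column name in the link is all it takes. A hardened endpoint beside it accepts only an offender_id, validates it, and keeps both the SQL text and the column list on the server. The table, its rows, the hypothetical host example.invalid and the SSN-shaped values are constructed for the example and are not real data.

```python
"""Added example (not the Oklahoma portal's code): why a SQL statement in a
URL parameter leaks whatever the client asks for, and the shape of a fixed
endpoint. Table layout, rows, host name and SSN-shaped values are constructed."""
import re
import sqlite3
from urllib.parse import parse_qs, urlencode, urlsplit

SENSITIVE_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # SSN-shaped strings


def build_db():
    """In-memory table standing in for the roster data. All values are fake."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE offender (offender_id INTEGER PRIMARY KEY,"
        " doc_number TEXT, social_security_number TEXT, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO offender VALUES (?, ?, ?, ?)",
        [
            (1, "DOC-0001", "000-00-0001", "Sample One"),  # constructed row
            (2, "DOC-0002", "000-00-0002", "Sample Two"),  # constructed row
        ],
    )
    return conn


def roster_url(sql):
    """Builds a link in the style of the page's example; the host is hypothetical."""
    return "http://example.invalid/sor_roster?" + urlencode({"sqlString": sql})


def vulnerable_roster(conn, url):
    """The anti-pattern: execute whatever SQL the 'sqlString' parameter holds."""
    sql = parse_qs(urlsplit(url).query)["sqlString"][0]
    return conn.execute(sql).fetchall()


ALLOWED_PARAMS = {"offender_id"}


def hardened_roster(conn, url):
    """The client sends only an identifier; SQL text and column list are fixed server-side."""
    params = parse_qs(urlsplit(url).query)
    unexpected = set(params) - ALLOWED_PARAMS
    if unexpected:
        raise ValueError(f"unexpected parameter(s): {sorted(unexpected)}")
    raw = params.get("offender_id", [""])[0]
    if not re.fullmatch(r"[1-9]\d{0,8}", raw):
        raise ValueError("offender_id must be a positive integer")
    # Sensitive columns are simply never part of the statement.
    return conn.execute(
        "SELECT offender_id, doc_number, name FROM offender WHERE offender_id = ?",
        (int(raw),),
    ).fetchall()


def leaks_ssn(rows):
    """True if any cell of a result set looks like a social security number."""
    return any(isinstance(v, str) and SENSITIVE_RE.search(v) for row in rows for v in row)


if __name__ == "__main__":
    db = build_db()
    original = roster_url("select distinct o.offender_id, doc_number from offender o")
    edited = roster_url(
        "select distinct o.offender_id, o.social_security_number doc_number from offender o"
    )
    print("original link leaks SSNs:", leaks_ssn(vulnerable_roster(db, original)))
    print("edited link leaks SSNs:  ", leaks_ssn(vulnerable_roster(db, edited)))
    print("hardened:", hardened_roster(db, "http://example.invalid/sor_roster?offender_id=1"))
```

The edited link aliases the SSN column as doc_number, exactly the trick visible in the second URL above, and the vulnerable handler happily returns it. The hardened handler rejects any parameter it does not expect, so a leftover sqlString is an error rather than an instruction, and a non-numeric offender_id (including an injected "1 or 1=1") never reaches the database.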

Paper leak (9%)

This category has gained a significant share of the total number of incidents. By definition, a paper leak is any leak that occurs as a result of confidential information being printed on paper.

Unlike all other incidents, "paper" ones have less severe consequences for a banal reason: paper cannot physically hold a large volume of confidential information. The Perimetrix analytical center did not record a single paper leak that affected more than 10 thousand people. Such incidents must nonetheless be controlled, since even a small leak can have serious material consequences.

The main way to deal with paper incidents is to control what gets printed; practice shows that in most cases it is enough to keep confidential information in electronic form. If printing is necessary, the documents must be protected during transport or mailing. Most recorded incidents happened exactly this way: confidential papers were simply lost in transit.

The first quarter of 2008 revealed another interesting problem specific to paper leaks. Oddly enough, it was caused by the mortgage crisis in the United States, which brought thousands of organizations to the brink of ruin. It turned out that bankrupt companies often throw papers into the trash that, in better times, were needed for doing business. The Perimetrix analytical center recorded three incidents of this kind at once.

The main difficulty is that nobody is accountable for the leak, since the company that caused it went bankrupt and ceased operations. How to deal with this threat is still not very clear.

Other (7%)

The remaining 7% of leaks had varied and often very exotic causes. One example is the leak at HSBC Bank, which occurred because one of its branches forgot to lock up for the weekend. This category also includes incidents whose exact cause could not be determined, as well as leaks that became known only after the fact, once the personal information had been used for illegal purposes.

Conclusion: such different leaks

Leaks are very different. In this article they are divided into five main groups by cause, but within one cause there can be many different aspects. Most likely it will not be possible to protect against all threats at once: this task requires continuous investment in information security and strong commitment from management.

The second conceptual difficulty is the lack of unified, integrated systems that could protect against all possible leakage scenarios. Most solutions in the modern DLP class can protect only against insider leaks and certain types of web leaks, and even then with rather low reliability. As a result, customers have to purchase additional encryption products, which is inconvenient, costly and, frankly, unnatural.

Mikhail Bashlykov, Head of Information Security at CROC

At the present stage of development of society, information is the same asset of the company as its products and services, technologies and processes, financial and labor resources. In many companies, most information is stored and processed electronically. Of course, this significantly increases the convenience of work and the speed of interaction, and also allows you to automate business processes, etc. However, the risks associated with violation of the established status of information (confidentiality, integrity, availability) grow in proportion to the benefit.

Preventing information leakage essentially means ensuring one of information's integral properties, confidentiality. Disclosure of confidential information leads to direct material losses, loss of intellectual property, damage to the organization's reputation and to the trust of customers and partners. In addition, the company's risk of financial liability for violating the laws governing the processing of confidential data increases. In most cases, leakage cannot be prevented and confidentiality risks reduced by technical means alone or by organizational methods alone; an integrated approach is needed. Every information owner should be able to answer the following questions: where is confidential data stored, who has access to it, by whom and how is it used, and where is it moved?

Approaches to the choice of solutions and protection technologies

The best technical option for preventing data leakage is a DLP (Data Loss/Leakage Prevention) class system. Such systems control the most likely leakage channels (e-mail, the Internet, removable media, printing, instant messaging (IM), etc.) and identify information using the most modern methods, which yields the smallest number of false positives.

IRM (Information Rights Management) class systems are also used to ensure the confidentiality of information. Here protection is applied at the content level, i.e. the information itself is protected, for example inside an e-mail or a document, and becomes available only to those employees to whom the security policy grants access.

In addition to these, there are point solutions for leakage protection (for example, controlling only removable media or only mobile devices). They can be justified if a company has an acute problem with one or two specific leakage channels. Such solutions, as a rule, do not analyze the information itself; protection is only at the level of access control for particular devices and ports, which is less convenient and flexible. And later, if comprehensive leakage protection is needed, the cost of integrating the previously deployed single-channel solutions will be an unpleasant surprise.

However, do not forget about other methods insiders use to disclose confidential information, such as photographing the screen, copying onto paper, etc. DLP, IRM and other technical means are powerless here, but organizational measures help: employee training, building a corporate culture of information security, etc.

DLP class systems

Let's take a closer look at DLP systems. The concept of DLP (Data Loss/Leakage Prevention) appeared some time ago and characterizes this class of systems. Originally it was a marketing name coined by the vendors of such systems, so there is some confusion in terminology. For example, a disk encryption system also ensures the confidentiality of stored information, i.e. it prevents leakage of that information, but nobody calls encryption systems DLP systems. Or, if a mail server can merely filter outgoing messages and, depending on the presence of keywords, decide whether to let a letter out, can that be called a DLP system? I think not.

A modern DLP class system is a technical solution that, in conjunction with organizational methods (regulations, guidelines, policies, reporting, employee training), provides comprehensive protection from information leakage. The system has the following main characteristics:

  • controls almost all technical channels of leakage from the information system;
  • has the ability to search for information in the information system (file storage, databases, document management systems, etc.);
  • has a single management interface with role-based access control capabilities;
  • can respond to emerging incidents in real time and apply automated rules (block, move to quarantine, notify an information security officer, etc.);
  • has powerful and flexible tools for building and reporting on emerging incidents;
  • can recognize information in several ways (keywords, digital fingerprints, file types, etc.).
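As an added example, not code from any DLP product or from this article, the Python below implements two of the recognition methods listed above (keywords and patterns, and document fingerprints built from hashed word shingles) and applies the response actions from the same list to a constructed outbox, with the action depending on whether the system runs in audit mode (notify only) or blocking mode. The protected document, the messages, the keyword list, the SSN pattern and the thresholds are all assumptions of the example.

```python
"""Added example (not a DLP vendor's code): keyword/pattern recognition plus
document fingerprinting over constructed outbound messages, with audit vs.
block policy actions. Document, messages, keywords and thresholds are assumed."""
import hashlib
import re
from dataclasses import dataclass

KEYWORDS = ("confidential", "trade secret")   # assumed policy keywords
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # assumed pattern: US SSN shape
SHINGLE_WORDS = 5                              # fingerprint granularity
MIN_MATCHED = 3                                # ignore tiny coincidental overlaps
MATCH_RATIO = 0.5                              # share of the message's shingles


def shingles(text):
    """Hashes of every run of SHINGLE_WORDS normalized words. Order-sensitive,
    so a quoted passage matches while merely shared vocabulary does not."""
    words = re.findall(r"\w+", text.lower())
    out = set()
    for i in range(len(words) - SHINGLE_WORDS + 1):
        chunk = " ".join(words[i:i + SHINGLE_WORDS])
        out.add(hashlib.sha256(chunk.encode()).hexdigest())
    return out


def register(documents):
    """Fingerprint registry: only hashes leave the document store, not the text."""
    return {name: shingles(text) for name, text in documents.items()}


@dataclass
class Verdict:
    action: str   # "allow", "notify" (audit mode) or "block"
    reasons: list


def classify(message, registry, mode="audit"):
    reasons = []
    if SSN_RE.search(message):
        reasons.append("pattern:ssn")
    low = message.lower()
    reasons += [f"keyword:{kw}" for kw in KEYWORDS if kw in low]
    msg = shingles(message)
    for name, doc in registry.items():
        matched = len(msg & doc)
        if matched >= MIN_MATCHED and matched / len(msg) >= MATCH_RATIO:
            reasons.append(f"fingerprint:{name}")
    if not reasons:
        return Verdict("allow", [])
    # Phased rollout: audit mode only records and notifies; block mode stops the message.
    return Verdict("block" if mode == "block" else "notify", reasons)


def scan_outbox(messages, registry, mode="audit"):
    """Classifies every message; returns {message_id: Verdict}."""
    return {mid: classify(text, registry, mode) for mid, text in messages.items()}


PROTECTED = {  # constructed protected document
    "falcon_pricing": "Project Falcon pricing: the unit cost for the Falcon "
                      "sensor is 42 dollars and the margin target is 35 percent "
                      "for fiscal 2008",
}
OUTBOX = {  # constructed outbound messages
    "m1": "fyi - the unit cost for the falcon sensor is 42 dollars and the margin target is 35 percent",
    "m2": "Applicant John Doe, SSN 123-45-6789, please process today",
    "m3": "lunch at noon? the cafeteria is closed for the holiday",
    "m4": "Attached is the CONFIDENTIAL board deck, do not forward",
}

if __name__ == "__main__":
    reg = register(PROTECTED)
    for mode in ("audit", "block"):
        for mid, verdict in scan_outbox(OUTBOX, reg, mode).items():
            print(mode, mid, verdict.action, verdict.reasons)
```

Message m1 quotes most of the protected document without using the word "confidential" or any pattern, so only the fingerprint catches it; m2 and m4 trip the pattern and keyword checks respectively; m3 passes. Running the same rules first in audit mode and only later in block mode is what lets a deployment observe real traffic before it starts interrupting it.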

At the moment there are a sufficient number of DLP vendors on the Russian market; the market is relatively young and, despite the crisis, continues to grow. When building an information leakage protection solution we use leading products (Symantec, Websense, RSA), which have proven themselves and have extensive deployment experience around the world. These vendors have a clear product roadmap and understand the needs and specifics of the market. The choice of product at the design stage depends primarily on the customer's needs and the characteristics of their existing infrastructure.

Implementation of the DLP system. Experience and approach of CROC

Building a leak prevention system is a complex project that can involve both technical specialists and auditors, as well as representatives of the customer's business units. In general, the stages of the project can be divided into two components: the organizational part and the technical part.

The organizational part includes the following main stages:

  • audit of the current state of the information system and information flows, probable channels of leakage;
  • definition and classification of information assets;
  • highlighting the most critical of them in terms of confidentiality (trade secrets, personal data, intellectual property, etc.), determining the role and place of these assets in the company's business processes, as well as the possible consequences of their disclosure;
  • development of policies for processing protected information assets;
  • development of incident response methods;
  • development of a training program for employees in the technologies of working with the system and the rules for working with confidential information.

The main stages of the technical part:

  • choice of product on the basis of which the solution will be implemented;
  • system design, development of manuals, instructions and regulations;
  • system implementation, integration with the existing IT infrastructure;
  • implementation of the developed rules and policies.

Based on CROC's experience in implementing DLP systems, I can note that the success of a project and the effective return on system implementation largely depend on the following factors:

  • the interest of both parties in a quality result, constant interaction and coherence of the work of the project team with representatives of the customer;
  • phased implementation of the system, starting with passive mode (audit of incidents only) and then moving to blocking of prohibited actions (this approach avoids abruptly disrupting existing, habitual information-handling processes, even if they are incorrect);
  • experience of the project team in the implementation of infrastructure solutions (corporate mail, Internet access, etc.), without which the integration of the DLP system is simply impossible;
  • experience in auditing an information system, developing accompanying and reporting documentation;
  • experience in effective training of employees operating the system, as well as training users in working with confidential information.

In conclusion, I would like to add that deploying a DLP system is not in itself a panacea or instant protection against all internal threats to confidentiality. The resulting system eliminates almost all possibilities of accidental leakage (for example, information lying publicly accessible on a file server, or an employee who did not know that information was confidential trying to send it to a friend). And in combination with encryption, access control, auditing and monitoring of security events, and organizational and legal measures, it significantly complicates the deliberate theft of confidential information.

Sources of confidential information (information leakage channels), threats to the security of confidential information, sources of threats, goals and methods for implementing threats

Confidential information circulating in an enterprise plays an important role in its functioning. Confidential information is documented information, access to which is restricted by the legislation of the Russian Federation. Accordingly, this data can become an object of interest to intruders, so conditions must be created under which the possibility of its leakage is minimized.

A leak is an uncontrolled release of confidential information outside the organization or the circle of people to whom it was entrusted. Information leakage can occur through various channels. An information leakage channel is a communication channel that allows a process to transmit information in a way that violates the security policy of the system. Information leakage can occur in three forms:

  • disclosure of information;
  • leakage through technical channels;
  • unauthorized access to information.

All channels of penetration into the system and channels of information leakage are divided into direct and indirect. Indirect channels are those whose use does not require entering the premises where the system components are located (for example, loss of storage media, remote eavesdropping, interception of compromising electromagnetic emanations (PEMI)). Using direct channels requires such access (actions of insiders, unauthorized copying, etc.).

Leakage of confidential information can occur when a competing organization is interested in it and when conditions exist that allow an attacker to obtain it.

Such conditions can arise both from an accidental combination of circumstances and from deliberate actions of an adversary. The main sources of confidential information are:

  • personnel of the enterprise admitted to confidential information;
  • material carriers of confidential information (documents, products);
  • technical means that store and process confidential information;
  • means of communication used to transfer confidential information;
  • messages transmitted over communication channels containing confidential information.

Therefore, confidential information may become available to third parties as a result of:

  • loss or improper destruction of a document on any medium, a package of documents, confidential records;
  • non-compliance by the employee with the requirements for the protection of confidential information;
  • excessive talkativeness of staff in common areas;
  • work with confidential information in the presence of unauthorized persons;
  • unauthorized transfer of confidential information to another employee;
  • absence of confidentiality markings on documents and storage media.

In a highly competitive environment, confidential information naturally attracts the attention of competing organizations: the more information is available, the easier it is to find the opponent's weaknesses. Therefore the channels used to transmit and exchange confidential information can be attacked by intruders during their operation, which in turn can give rise to channels for leaking confidential information.

Today the Internet is used everywhere. It offers great opportunities and convenience, but it also becomes another cause of confidential information leakage. In most cases a leak occurs when confidential information is handled carelessly during transmission or publication on websites. Most incidents occur via e-mail. The next most dangerous channel is communication systems (mainly IM clients and Skype). Social networks are also very popular now; they allow not only exchanging messages but also publishing files, which can then become available to a large number of users. And of course, the Internet channel can be subjected to a hacker attack, which is also a great danger.

There are special technical means that allow information to be obtained without direct contact with personnel, documents or databases. Their use gives rise to technical channels of information leakage. A technical leakage channel is usually understood as the physical path from the source of confidential information to the attacker, along which the latter can gain access to protected information. Forming a technical leakage channel requires certain spatial, energy and temporal conditions, as well as the attacker having suitable equipment for receiving, processing and recording the information. The main technical leakage channels are electromagnetic, electrical, acoustic, visual-optical, etc. Such channels are predictable and are blocked by standard countermeasures.

The main threats to confidential information are disclosure, leakage and unauthorized access. A threat to the security of confidential information is understood as a set of conditions and factors that create a potential or real danger of information leakage and/or of unauthorized or unintended influence on it.

Illegal actions may result in a violation of the confidentiality, reliability or completeness of information, which in turn can cause material damage to the organization.

All threats to confidential information relative to an object can be divided into internal and external. Internal violators may be management, employees with access to the information system, and staff servicing the building. Sources of external threats are customers, visitors, representatives of competing organizations, persons who have breached the enterprise's access control, and anyone outside the controlled territory.

Statistics show that most threats are realized by the organization's own employees, while the share of external threats is relatively small (Fig. 3.26).

Fig. 3.26. Information security threat statistics

The most frequent, and the most dangerous in terms of damage, are unintentional errors by users of information systems. "Disgruntled employees", whose actions are driven by a desire to harm the organization, are particularly dangerous; these may be current or former employees. It is therefore necessary to ensure that when an employee leaves, their access to information resources is terminated.

Natural sources of threats are very diverse and unpredictable. The emergence of such sources is difficult to foresee and difficult to counteract. These include fires, earthquakes, hurricanes, floods and other natural disasters. The occurrence of such events can lead to a disruption in the functioning of the enterprise and, accordingly, to a violation of information security in the organization.

To protect information stored on a computer, software and hardware protection tools must be used. The following types of software protection tools for a personal computer are recommended:

  • tools protecting against unauthorized access to the computer;
  • tools protecting the disk from unauthorized writing and reading;
  • disk access controls;
  • tools for securely wiping residual secret information.

The main measures to prevent unauthorized access (NSD) to a PC are physical protection of PCs and storage media, user authentication, access control to protected information, cryptographic protection, and logging of access to protected information. Since computers may become infected with viruses, each PC must also be equipped with anti-virus software.

When confidential information is processed in an enterprise's information systems, there is a possibility of its leakage, which can cause serious material damage. Measures to prevent it are therefore necessary: all possible sources and threats must be analysed, and on that basis a decision made on the integrated use of information protection tools.

The vulnerability of documented information is a collective concept. It does not exist in the abstract, but manifests itself in various forms. Such forms, expressing the results of a destabilizing effect on information, include (existing variants of the names of the forms are given in brackets):

  • theft of an information carrier or of the information displayed in it (theft);
  • loss of an information carrier (loss);
  • unauthorized destruction of the information carrier or of the information displayed in it (destruction);
  • distortion of information (unauthorized change, unauthorized modification, forgery, falsification);
  • blocking of information;
  • disclosure of information (distribution, disclosure).

The term "destruction" is used mainly in relation to information on magnetic media.

The existing variants of the names (modification, forgery, falsification) are not entirely equivalent to the term "distortion"; they have nuances, but their essence is the same: an unauthorized partial or complete change in the composition of the original information.

Blocking information in this context means blocking access to it for authorized users, not for attackers.

Disclosure of information is a form of manifestation of the vulnerability of only confidential information.

One or another form of vulnerability of documented information can be realized as a result of intentional or accidental destabilizing effects, exerted in various ways on the information carrier or on the information itself by sources of influence. Such sources can be people, technical means of processing and transmitting information, means of communication, natural disasters, etc. Ways of exerting a destabilizing effect on information include copying (photographing), recording, transfer, pickup (interception) of signals, infecting information processing programs with a virus, violating the technology of processing and storing information, disabling (or failure of) technical means of processing and transmitting information and violating their operating mode, physical impact on information, etc.

The realization of these forms of vulnerability of documented information leads, or can lead, to two kinds of harm: the loss or the leakage of information.

Theft and loss of information carriers, unauthorized destruction of carriers or only of the information displayed in them, and distortion and blocking of information lead to the loss of documented information. The loss can be complete or partial, irretrievable or temporary (when information is blocked), but in any case it causes damage to the owner of the information.

Leakage of confidential documented information leads to its disclosure. In the literature and even in regulatory documents, the term "leakage of confidential information" is often replaced by or identified with the terms "disclosure of confidential information" and "dissemination of confidential information". This is not correct. Disclosure or dissemination of confidential information means its unauthorized communication to recipients who have no right of access to it, and such communication must be carried out by someone, must come from someone. A leak does occur when confidential information is disclosed (distributed without authorization), but leakage is not limited to that. A leak can also result from the loss of a carrier of confidential documented information, or from theft of the carrier or of the information displayed in it while the carrier itself remains with its owner (holder). "Can result" does not mean that it will. Lost media may fall into the wrong hands, or may be picked up by a garbage truck and destroyed in the manner established for garbage; in the latter case there is no leak of confidential information. Theft of confidential documented information is likewise not always associated with its receipt by persons who do not have access to it. There have been many cases where carriers of confidential information were stolen from colleagues at work by persons who themselves had access to that information, with the aim of "getting at" the colleague and causing them harm. Such carriers, as a rule, were destroyed by those who took them. But in any case, the loss and theft of confidential information, even when they do not lead to its leakage, always create a threat of leakage. Therefore it can be said that disclosure of confidential information leads to its leakage, while theft and loss can lead to it.
The difficulty is that it is often impossible to determine, first, the very fact of disclosure or theft of confidential information while the carrier remains with its owner (holder), and second, whether information that was stolen or lost actually reached unauthorized persons.
