Leakage channels of confidential information. Methods of protecting confidential information: active and passive

Analytical article by Veniamin Levtsov, Information Security Development Director, LETA IT-company.

Not a week goes by without the news feeds mentioning yet another leak of confidential data. This generates an increased interest of the business community and IT professionals in protection systems against such actions of intruders. And the departments responsible for ensuring information security are increasingly required to build a system for tracking and blocking unauthorized information leaks.

However, business leaders, and sometimes technical staff, do not have a clear understanding of what constitutes a solution to counter information leakage. The purpose of this article is to help you understand what is meant by a leakage protection system, talk about related systems, determine what tasks should be solved by leakage control systems and what mechanisms are used in this case.

I. What are DLP systems?

Wikipedia (http://ru.wikipedia.org) gives the following definition of a leakage protection system:

Data Leak Prevention (DLP): technologies for preventing the leakage of confidential information from the information system to the outside, as well as technical devices (software or firmware) for such prevention of leaks. DLP systems are based on the analysis of data streams crossing the perimeter of the protected information system. When confidential information is detected in this stream, an active component of the system is triggered and the transmission of the message (packet, stream, session) is blocked.

Note that in practice a large number of companies use such systems, sometimes for years, only in tracking (audit) mode, without blocking.

An important addition to the definition is that a DLP system must cover all major channels of confidential information leakage. This is the position that most experts in this field adhere to today. In addition, the DLP system must be sensitive to the content being checked and provide an automated mechanism for tracking violations of the specified rules, that is, one that does not involve a significant number of human controllers. With this in mind, the author proposes the following definition of a data leakage protection system:
an automated tool that allows you to recognize and/or block the movement of confidential data outside the protected information system through all channels used in daily work.

So, the main tasks of a technical leakage protection system are:

  • to obtain a description of the confidential data;
  • after that, to be able to recognize that data in the flow outward from the internal information field of the organization;
  • to react to detected attempts.

This functionality is the core of any DLP solution.

II. Close or adjacent protection systems

Before continuing to consider systems for countering leaks, let us evaluate those close to them or related in functionality. Systems for protecting confidential information from leakage through technical channels serve to detect all sorts of covert listening devices ("bugs"), hardware implants, etc. These systems have similar names, but this is where the similarities end: they solve different problems. Perhaps the only element common to the implementation schemes of such systems and of DLP solutions lies in the management plane. In both cases, it is necessary to define a list of confidential information and establish a process for assigning information to this category.

There is a class of systems tracking the actions of employees, which sometimes include detection of confidential information leakage channels. Typically, the functionality of such systems includes the total logging of all user actions, including opening pages on the Internet, working with documents, sending documents for printing, keyboard presses, etc.

Of course, the use of such systems can bring certain benefits in the fight against data leaks. But, firstly, a separate group of specially trained "overseers" will have to search through a huge volume of logs. Secondly, this is still post-factum control of violations: such a product will not be able to block the leak itself.

Rights management systems (Rights Management Services) allow you to limit the set of users and the set of allowed operations for a document. Control is carried out through centralized rights management, encryption and special plug-ins for the applications that work with documents.

Rights management systems are arguably the most powerful competitor to DLP, preventing many of the known information leakage scenarios. Rights management primarily protects not the content of the document but its "container". So if the user does not have permission to work with the document, he simply cannot open it. In addition, such systems usually allow you to restrict a number of other operations with the protected document: printing it, taking a screen copy, copying its fragments through the clipboard, sending it via e-mail, etc. At the same time, there are many situations in which rights management systems do not cover common leak scenarios. Judge for yourself:

  1. The document in its final version was classified as confidential, and it falls under the protection of the rights management system. But the servers and the employees' computers continue to store its drafts and previous versions. They may be very similar to the final version, but there is no restriction on their transfer to the outside.
  2. A user who is not authorized to send the document by e-mail opens it and retypes the content into another, unprotected document. The system imposes no restrictions on the movement of the document he created outside.
  3. In most cases, business-sensitive information is contained in database records. The author is not aware of how access to such data can be controlled by means of rights management systems.

The systems for monitoring and archiving mail messages that exist on the market are very close in their ideology to DLP solutions. As a rule, they allow setting some restrictions on the context (size, type, location of the file) and on the content of information leaving the protected information system. However, the main emphasis is on the availability and performance of the mail archive, and the mechanisms for defining keywords to recognize confidential documents are neither flexible nor convenient. In addition, there are usually no mechanisms to control leaks from end devices.

There is also a class of solutions for controlling operations with external devices, the most common example of which is a removable USB drive. Such systems are insensitive to content. The device can be blocked altogether, or attempts to write files of a certain size or format to it can be blocked. However, it is impossible to define actions depending on the content.

III. From information protection to risk management

Fortunately, the times when taking care of information protection was just one item in a long list of tasks of the IT service are now in the past. Now, as a rule, the initiative to build an anti-leakage system belongs to the departments that manage the company's business and are responsible for its security. One argument in favor of introducing a system to counter the leakage of confidential information is a legal requirement. It was the emergence of the relevant regulations in the USA, Japan and Western Europe that was probably the main catalyst for the emergence of DLP as a class of solutions. There is no doubt that interest in them in our country would immediately grow if mandatory legal norms appeared in Russia that unambiguously oblige companies to have technical means of protection from insiders. But so far, the main motives for initiating the process are either the desire to react to a leak that has already occurred, or the intention to reduce the likelihood of a similar event in the future. As you can see, it is quite natural that we have moved on to a conversation in terms of risk management.

Indeed, the first step in the process leading to the implementation of a DLP system is to assign the problem of information leaks to the area of risk management.

For almost any organization there is now a lot of data whose unauthorized leakage can cause it significant damage. It is almost impossible to estimate the amount of this damage in advance. But in most cases, to realize the danger posed by information leaks, it is enough to imagine even the general consequences: loss of trust and customer churn, problems in competition, PR costs, leakage of software code, technologies, know-how, and much more. The borrower base of a medium-sized bank, which has spent a lot of money on creating the image of a "reliable" institution, ends up on sale at Gorbushka (a Moscow electronics market). Would you like to open a deposit in this bank? The internal analytics of an investment fund goes to a competitor or to the fund's clients (sometimes it is not known which could have more serious consequences). Now the competitor understands your strategy better, and the client has unpleasant questions. How much do you think this fund can potentially lose in such a situation? A large supermarket chain is seeking to obtain unique conditions for the delivery of goods. Of course, the special prices are confidential. And then they end up with a competitor who works with the same supplier on much less attractive terms. Do you think the special prices will remain yours? Will the relationship with the supplier get worse after all this?

This list could be continued for a very long time, but there is no doubt that for any organization there are many situations associated with information leaks whose damage is very painful for the business. There are 4 classic approaches to risk management: acceptance, exclusion, transfer, reduction. Let's consider the problem through the prism of these approaches.

Acceptance. We assume that there is some probability of the event, an information leak. We estimate the losses and prepare a list of measures in case it occurs, but do not invest in implementing a solution to combat leaks. This approach is hardly applicable: the losses of a business can call into question its very existence.

Exclusion. In our case it is practically impossible. Even the introduction of a modern DLP system will not save you from a number of atypical scenarios. For example, it is almost impossible to protect yourself from an insider rewriting the text of a secret document on paper or photographing it with a phone's built-in camera. Draconian sanctions against personnel who have leaked information also do not guarantee exclusion of the risk.

Transfer. It is difficult to imagine how the risk of information leakage can be transferred to an external organization. As far as the author knows, such risks are not insured. It is also difficult to assume that an IT outsourcer will be able to take on part of the compensation. It is possible to outsource a DLP system only in terms of its technical operation, but how to transfer the entire volume of risks is not at all clear.

Reduction. Measures are taken to significantly reduce the likelihood of the undesirable event. In fact, the amount of required spending is tied to achieving an acceptable level of risk. It is this approach that leads us to the implementation of a DLP system. In reality, fighting insiders is far from the only area where you can only reduce the risk and make it more manageable. Imagine that you are driving your car. It is in good working order, has undergone regular maintenance, and its tires suit the season. Your documents are in order, you are sober, your seat belt is fastened, you know the route and are in no hurry, and you have full CASCO (comprehensive) insurance. So you have done everything in your power to reduce the risk of not reaching your destination. But who said that a tired truck driver who has drifted into the oncoming lane is not waiting for you around the corner? Is a nail not waiting for you in the rut of the road along which you will drive? By the way, has the fire extinguisher in your trunk expired? So the risks remain. But in the overwhelming majority of cases, under such conditions, you will safely reach your destination.

So, taking measures will significantly reduce the risk and make the reaction to negative consequences manageable. But it is almost impossible to completely eliminate the possibility of information leakage.

IV. The main ways of information leakage

There are 3 main scenarios that lead to information being taken outside the company's information environment: network, local, and loss of the medium.

Let's take a closer look at these scenarios.

The network scenario involves sending information outside the "perimeter" of the controlled information field by e-mail, through instant messaging systems (ICQ, MSN, AOL), through web mail (mail.ru, gmail.com), over an ftp connection, or by printing a document on a network printer. Detecting confidential information transmitted over the network requires mechanisms for intercepting mail and Internet traffic, as well as control over network print servers.

The local path for taking information out includes the use of external USB drives and removable hard drives, CD/DVD recording and local printing. Obviously, the only way to track this kind of activity is to install an agent program on the user's computer that can monitor potentially dangerous actions and respond to them in accordance with centrally managed policies.

Unlawful seizure of the medium (laptop, smartphone) is in reality the most common case in which confidential information becomes available to third parties. Laptops are lost and stolen; almost every company faces this risk, and it is impossible to reduce it to zero. Practically the only effective countermeasure in this case is encrypting the entire disk or individual files.

At present, there is no consensus among experts about whether encryption of portable devices should be considered a typical functionality of systems for combating data leaks. According to the author, since this leakage scenario is very common, a complete solution should also include cryptographic protection. By the way, manufacturers of many existing DLP systems (McAfee, Symantec, InfoWatch) already include end device encryption tools in their packages.

Within the framework of this article, I would not like to dwell on the description of specific cases of data leaks that have become public, or to discuss which leakage channels are used most often. As a source of substantive and up-to-date information on this matter, we can recommend the "Analytics" and "Threat News" sections of the InfoWatch website (www.infowatch.ru), the pioneer and leader of the Russian market for DLP solutions, as well as the site of the Perimetrix company formed in 2007 (www.perimetrix.ru).

On these sites, you can find many examples that convince of the seriousness of the danger posed by leaks of confidential information.

V. Methods of recognition of protected information

The core of any DLP solution is a mechanism that allows it to recognize confidential fragments in information leaving the protected system. Let's consider the 6 main mechanisms used for this purpose in DLP products.

Manual content markup

This approach is also called contextual and morphological. Confidential information is defined by highlighting in it a set of meaningful words that determine its content, also called key words.

Each of the words is assigned a certain weight, and each word is related to some subject category. For example, general accounting terms and some words specific to the business of a given company may fall into the category "Accounting report". In addition, each category usually has its own sensitivity threshold. The system is "on alert", looking in outgoing documents for these very highlighted key words. Since each key word has a certain weight and category (a word can be included in several categories, each with its own weight), it is not difficult to calculate the total weight of the key words found in the document for each category. As a result, the document can be automatically recognized as confidential for those categories whose sensitivity threshold was exceeded. The efficiency of the described mechanism can be significantly increased by connecting external software that tracks not only the specified key words but also their word forms.
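As an added illustration, not code from the article or from any vendor mentioned in it, the following Python sketch implements the weighted-keyword scheme just described: a constructed dictionary maps each key word to one or more categories with a weight, each category has its own sensitivity threshold, and a crude suffix-stripping routine stands in for the external morphological analyser that folds word forms. All words, weights, thresholds and sample documents are invented for the example.

```python
import re
from collections import defaultdict

# Constructed keyword dictionary: word -> {category: weight}.
# A word may belong to several categories with a different weight in each.
KEYWORDS = {
    "balance":    {"Accounting report": 3},
    "ledger":     {"Accounting report": 4},
    "receivable": {"Accounting report": 3, "Customer data": 1},
    "borrower":   {"Customer data": 4},
    "passport":   {"Customer data": 5},
    "deposit":    {"Accounting report": 1, "Customer data": 2},
}

# Per-category sensitivity thresholds (constructed values).
THRESHOLDS = {"Accounting report": 6, "Customer data": 6}

# Constructed sample documents.
ACCOUNTING_SAMPLE = "Quarterly ledger balances and receivables are attached."
CUSTOMER_SAMPLE = "List of borrowers with passport numbers and deposits."
HARMLESS_SAMPLE = "Lunch menu for Friday."


def normalize(token):
    """Crude word-form folding: lowercase and drop a trailing plural 's'.
    A real engine would use a morphological analyser; this stand-in only
    makes 'balances' and 'borrowers' match their dictionary entries."""
    word = token.lower()
    if len(word) > 3 and word.endswith("s") and not word.endswith("ss"):
        word = word[:-1]
    return word


def score_document(text, keywords=KEYWORDS):
    """Sum keyword weights per category and remember which words matched."""
    totals = defaultdict(int)
    hits = defaultdict(list)
    for token in re.findall(r"[A-Za-z]+", text):
        word = normalize(token)
        for category, weight in keywords.get(word, {}).items():
            totals[category] += weight
            hits[category].append(word)
    return dict(totals), dict(hits)


def classify(text, keywords=KEYWORDS, thresholds=THRESHOLDS):
    """Per-category verdict: the document is confidential for every category
    whose accumulated weight reaches the category's threshold."""
    totals, hits = score_document(text, keywords)
    verdict = {}
    for category, threshold in thresholds.items():
        score = totals.get(category, 0)
        verdict[category] = {
            "score": score,
            "confidential": score >= threshold,
            "hits": hits.get(category, []),
        }
    return verdict


if __name__ == "__main__":
    for sample in (ACCOUNTING_SAMPLE, CUSTOMER_SAMPLE, HARMLESS_SAMPLE):
        print(sample)
        for category, result in classify(sample).items():
            print(f"  {category}: score={result['score']} "
                  f"confidential={result['confidential']} hits={result['hits']}")
```

The matched words are returned alongside the score so that an incident record can show the controller why the verdict was reached, which is what makes tuning the weights and thresholds practical.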

Pros

  • You can provide very fine tuning for individual documents, as a result, even their fragments will be caught.
  • Control over newly created documents is also possible if they contain the key terms highlighted earlier.

Cons

  • Preparing a good, fine-grained configuration requires manual work by a qualified specialist. This can take a long time.
  • Such a specialist will be involved in working with confidential information.
  • In practice, it is difficult to quickly pilot the system.
  • The false positive rate is relatively high.

Using the storage context

Here the monitored parameters relate not to the content but to the file containing confidential information. The format (determined not by the file extension but by its signature), location, size, etc. can be controlled. Thus, you can set rules that prevent, for example, files of a certain format from moving outside.
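The point that the format should be determined from the file's signature rather than its extension is easy to show in code. The following Python example is added here and is not taken from the article or from any product it names; the signature table, the blocked-format policy, the size limit and the sample byte strings are all constructed for the illustration.

```python
# Constructed table of leading-byte signatures -> format name.
# Office Open XML files (docx, xlsx, pptx) are ZIP containers, so they share
# the ZIP signature; legacy .doc/.xls files use the OLE2 compound-file header.
SIGNATURES = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip-container",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",
    b"\x89PNG\r\n\x1a\n": "png",
}

# Which extensions are legitimate for each detected format (constructed).
EXPECTED_EXT = {
    "pdf": {"pdf"},
    "zip-container": {"zip", "docx", "xlsx", "pptx"},
    "ole2": {"doc", "xls", "ppt"},
    "png": {"png"},
}

BLOCKED_FORMATS = {"pdf", "ole2"}   # hypothetical outbound policy
MAX_SIZE = 1_000_000                # hypothetical size limit in bytes

# Constructed sample payloads.
PDF_SAMPLE = b"%PDF-1.4\n% constructed sample, not a real document\n"
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
TEXT_SAMPLE = b"just some plain text\n"


def detect_format(data):
    """Identify the format from the leading bytes, ignoring the file name."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"


def context_verdict(filename, data, blocked=BLOCKED_FORMATS, max_size=MAX_SIZE):
    """Apply context rules (format, extension mismatch, size) to an outbound file.
    Returns the detected format, the claimed extension and the reasons to block."""
    fmt = detect_format(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    reasons = []
    if fmt in blocked:
        reasons.append(f"format {fmt} is not allowed outbound")
    if fmt != "unknown" and ext not in EXPECTED_EXT[fmt]:
        reasons.append(f"extension .{ext} does not match detected format {fmt}")
    if len(data) > max_size:
        reasons.append(f"size {len(data)} exceeds limit {max_size}")
    return {"format": fmt, "extension": ext, "block": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # A PDF renamed to .txt is still recognised as a PDF and blocked.
    print(context_verdict("report.txt", PDF_SAMPLE))
    print(context_verdict("photo.png", PNG_SAMPLE))
    print(context_verdict("notes.pdf", TEXT_SAMPLE))
```

Note that the third case, plain text with a .pdf extension, is not blocked: the rule keys on the real format, so context checks say nothing about the content of an unknown file, which is exactly why the article treats this method only as a complement to content analysis.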

Pros

  • Easy to implement and customize.

Cons

  • Although such control technologies are implemented in almost all DLP systems, they can only be used as a complement to the basic methods based on content analysis.

Using labels and agent software

This method is based on the approach described above but significantly expands it. Initially, you need to mark the document in some way, either manually or by placing it in a specific folder on the network. After that, the system will treat it as confidential. Technically, implementing such a mechanism requires a special agent program that can recognize a document as confidential, "hang" the confidentiality label on all derivative documents, and block individual user actions with labeled documents.

Pros

  • Ease of deployment and the ability to "quickly start" a real project.
  • Control of operations when the computer is offline.

Cons

  • There is no control over drafts.
  • The scenario of retyping the document's content into a new document is not covered.

Regular expressions

A "mask", i.e. the structure of the data that is confidential, is defined in some regular expression language. In practice, there are many cases in which defining the tracked objects through their format is effective and reliable. Examples include credit card numbers, passport details, vehicle registration numbers, software activation codes, and more.
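As an added example (not from the article or from any DLP product), here is a Python implementation of a regular-expression mask for the first case named above, payment card numbers. The mask alone would also flag order numbers and other random digit runs, so the candidate is confirmed with the Luhn checksum that card numbers carry, which keeps the "high detection reliability" the text claims while cutting false positives; the log helper keeps only the last four digits. The pattern and sample strings are constructed for the illustration.

```python
import re

# Constructed mask: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return (matched text, passes Luhn) for every candidate the mask finds."""
    results = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        results.append((m.group(0), luhn_ok(digits)))
    return results


def contains_card_number(text):
    """Verdict for a policy rule: only Luhn-valid candidates count as card numbers."""
    return any(valid for _, valid in find_card_numbers(text))


def mask_for_log(number):
    """Write only the last four digits into the incident log."""
    digits = re.sub(r"[ -]", "", number)
    return "*" * (len(digits) - 4) + digits[-4:]


if __name__ == "__main__":
    # Constructed messages: a well-known test card number and an order number.
    for text in ("Card 4111 1111 1111 1111 exp 12/29",
                 "Order 12345678901234 shipped today"):
        for candidate, valid in find_card_numbers(text):
            print(f"{mask_for_log(candidate)}: luhn_valid={valid}")
        print("verdict:", contains_card_number(text))
```

The Luhn step is the difference between a mask that fires on every invoice number and one that a controller can trust; the same pattern (regular expression plus a format-specific check digit) applies to other structured identifiers.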

Pros

  • Minimum analysis time for the data being checked.
  • High detection reliability.

Cons

  • Developing and debugging a regular expression requires the involvement of a qualified technician.
  • Can only be applied to a narrow data class.

Statistical Methods

The use of statistical, probabilistic methods in DLP systems is of interest in some situations, for example when analyzing large amounts of unstructured data or when looking for implicit similarities. It can be assumed that these methods will be increasingly applied in practice, but as supplementary ones.

Pros

  • Uniquely effective in some cases, such as countering primitive reversible character substitutions.

Cons

  • Only applicable to a small class of scenarios.
  • Opaque operating algorithm.
  • Potentially high rate of false positives.

Taking "digital fingerprints"

This method is based on constructing an identifier for the source text. As a rule, the following automatic algorithm is implemented:

  1. The textual content is extracted from the document whose content is considered confidential.
  2. The text is broken up into fragments in some way.
  3. For each such fragment, the system creates a certain identifier, something like a "hash" or "fingerprint", as it is called in the documentation of many manufacturers.
  4. The confidential document is represented in the system by the set of such "fingerprints".

To compare the checked text with the set of confidential documents, a similar set of "fingerprints" is built for it on the fly using the same algorithm. If the two sets of fingerprints show some similarity, the system diagnoses a leak attempt. As a rule, the "digitization" algorithm is implemented in such a way that it is impossible to restore the original document from the "fingerprints" created by the system.
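The four steps above, carried through in Python as an added example that is not the article's or any vendor's code: the text is normalized and cut into overlapping five-word fragments, each fragment is replaced by a truncated SHA-256 digest (so the registry holds no plaintext and cannot be reversed), and an outgoing text is scored by the share of its fragments found in a protected document. The fragment size, threshold, document names and sample texts are constructed; the last check also shows the caveat from the text that a fragment shorter than the fragment size cannot be recognized at all.

```python
import hashlib
import re

FRAGMENT_WORDS = 5   # hypothetical fragment size; vendors tune this, hence the "half a page" caveat

# Constructed documents.
SECRET_DOCUMENT = ("The board approved the acquisition of Northwind Traders at a price of "
                   "forty million dollars, with closing expected in the third quarter.")
DRAFT = ("Draft: the board approved the acquisition of Northwind Traders at a price of "
         "forty million dollars. Closing TBD.")
UNRELATED = "Lunch menu for Friday: soup, grilled fish and a salad, followed by coffee."


def _words(text):
    """Step 1: extract plain words, case-folded, punctuation dropped."""
    return re.findall(r"\w+", text.lower())


def fingerprints(text, k=FRAGMENT_WORDS):
    """Steps 2-4: overlapping k-word fragments, each kept only as a truncated hash.
    The hashes cannot be turned back into the fragments, so the registry stores no text."""
    words = _words(text)
    prints = set()
    for i in range(len(words) - k + 1):
        fragment = " ".join(words[i:i + k])
        prints.add(hashlib.sha256(fragment.encode("utf-8")).hexdigest()[:16])
    return prints


def similarity(protected, candidate):
    """Share of the candidate's fragments that also occur in the protected document."""
    if not candidate:
        return 0.0
    return len(candidate & protected) / len(candidate)


def check_outgoing(text, registry, threshold=0.3):
    """registry: {document name: fingerprint set}. Returns (name, score) for every
    protected document whose similarity reaches the threshold."""
    candidate = fingerprints(text)
    hits = []
    for name, protected in registry.items():
        score = similarity(protected, candidate)
        if score >= threshold:
            hits.append((name, round(score, 2)))
    return hits


# The registry is built once, when the document is declared confidential.
REGISTRY = {"board-minutes": fingerprints(SECRET_DOCUMENT)}

if __name__ == "__main__":
    for label, text in (("draft", DRAFT), ("unrelated", UNRELATED),
                        ("exact fragment", "at a price of forty"),
                        ("too short", "Northwind Traders")):
        print(f"{label}: {check_outgoing(text, REGISTRY)}")
```

The draft is caught even though it was edited, while the two-word fragment produces no fingerprints and passes silently: the minimum recognizable fragment is a property of the chosen fragment size, not of how secret the words are.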

Pros

  • The process of defining a confidential document is fully automated; no consultant is required to mark up the text.
  • Quick system setup for new documents.
  • Tracking drafts and document fragments.
  • Monitoring of leaks of records from databases.
  • Minimal latency when analyzing outgoing documents.
  • Low false positive rate.

Cons

  • Storing digital fingerprints requires additional resources.
  • The size of a reliably recognized fragment is usually half a page of text.

It should be noted that all DLP systems support several recognition mechanisms that complement each other in different scenarios.

VI. How a DLP System Works

Let's consider schematically how a DLP system works to counteract network and local scenarios of information leakage.

The core functionality of a DLP system can be conditionally divided into three blocks:

  • configuring the system for the data identified as confidential;
  • recognizing actions aimed at moving confidential data;
  • forming an evidence base for investigating incidents.

Setting up the system for data

First of all, it is necessary to determine the data whose movement will be controlled by the system, "present" them to the system using any of the methods described in the previous chapter, and define the system's reaction to detected incidents. The incident response parameters are also important. Does the reaction imply blocking the operation: sending an e-mail, making a screen copy of the protected document, writing data to a USB drive? Regardless of blocking, the most detailed information about the incident is almost always recorded in the system log. It is also necessary to describe the rules for notifying about the incident:

  • an employee of the department responsible for information security;
  • the owner of the information;
  • the person suspected of attempting to organize the leak.

These are just the basic settings for the basic functionality of almost any DLP system.

Recognition of suspicious user actions

When countering leaks in the network scenario, the DLP system intercepts (blocks) or mirrors (audit only) the transmission and analyzes its contents using the configured control mechanisms. Then, if suspicious content is detected, the responsible employee is informed and the details of the incident are entered into the system log.

The transmission itself can be suspended if the DLP module's connection scheme allows it. It should be noted that most DLP systems provide for releasing previously delayed messages: the assigned employee assesses how adequate the system's verdict was and, if the alarm turns out to be false, manually gives the command to send the delayed message.

The DLP system that controls operations with data on the user's computer behaves in a similar way. The local agent:

  • monitors the fact of access to confidential information (the tagging mechanism can be used);
  • blocks all prohibited actions (print screen, printing, sending through communication channels, etc.);
  • blocks access to the file from programs not on the list of those allowed to work with it;
  • generates "digital fingerprints" of an open document and prevents sending confidential content "stuffed" into another file;
  • generates an event log, which is transferred to the consolidated database of incidents during the next communication session.

It is important to understand that if there is a local agent with a database of labels and digital fingerprints, the verdict is made on the workstation itself. Thus, prohibited actions can be blocked immediately, without wasting time on access to network storage (including when the laptop is offline, on the road). So, the network interception mechanisms operate on already formed packets, while the agent solution monitors the actions themselves on the end workstation. It should be noted that most DLP solutions use a combined approach: both network interception and a local agent.
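The network-scenario workflow described above (intercept or mirror, analyze, log, hold, and manual release by the assigned employee) as an added Python example; it is not code from the article or from any DLP product. The recognition engine is replaced by a constructed phrase list, the corporate domain, message texts and reviewer name are invented, and only mail that crosses the perimeter is examined, as the article's definition requires.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

CORP_DOMAIN = "example.com"          # constructed corporate domain
CONFIDENTIAL_PHRASES = (             # constructed stand-in for the content-analysis database
    "internal analytics",
    "special prices",
    "borrower list",
)


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    body: str


def simple_detector(msg):
    """Stand-in for the recognition engine: returns the confidential phrases found."""
    text = f"{msg.subject}\n{msg.body}".lower()
    return [p for p in CONFIDENTIAL_PHRASES if p in text]


def is_outbound(msg):
    """Only traffic leaving the perimeter is subject to the check."""
    return not msg.recipient.lower().endswith("@" + CORP_DOMAIN)


class MailGateway:
    """'audit' mode mirrors traffic and only logs; 'block' mode holds the message
    in quarantine until the assigned employee releases or rejects it."""

    def __init__(self, mode="block", detector=simple_detector):
        if mode not in ("audit", "block"):
            raise ValueError("mode must be 'audit' or 'block'")
        self.mode = mode
        self.detector = detector
        self.delivered = []      # messages that left the system
        self.quarantine = {}     # incident id -> held message
        self.log = []            # evidence base for investigations
        self._next_id = 1

    def _record(self, event, msg, **extra):
        entry = {"time": datetime.now(timezone.utc).isoformat(), "event": event,
                 "sender": msg.sender, "recipient": msg.recipient, "subject": msg.subject}
        entry.update(extra)
        self.log.append(entry)

    def process(self, msg):
        """Interception point. Returns a short status string for the caller."""
        if not is_outbound(msg):
            self.delivered.append(msg)
            return "delivered"
        matches = self.detector(msg)
        if not matches:
            self.delivered.append(msg)
            return "delivered"
        incident_id = self._next_id
        self._next_id += 1
        self._record("incident", msg, incident_id=incident_id, matches=matches, mode=self.mode)
        if self.mode == "audit":
            self.delivered.append(msg)
            return f"delivered-audited:{incident_id}"
        self.quarantine[incident_id] = msg
        return f"held:{incident_id}"

    def release(self, incident_id, reviewer):
        """False alarm: the reviewer manually sends the delayed message."""
        msg = self.quarantine.pop(incident_id)
        self._record("released", msg, incident_id=incident_id, reviewer=reviewer)
        self.delivered.append(msg)
        return "delivered"

    def reject(self, incident_id, reviewer):
        """Confirmed leak attempt: the message is dropped, the log entry remains."""
        msg = self.quarantine.pop(incident_id)
        self._record("rejected", msg, incident_id=incident_id, reviewer=reviewer)
        return "rejected"


if __name__ == "__main__":
    gw = MailGateway(mode="block")
    leak = Message("ann@example.com", "rival@competitor.example",
                   "fwd", "Our special prices are attached")
    print(gw.process(leak))            # held:1
    print(gw.release(1, "secops"))     # delivered
    for entry in gw.log:
        print(entry)
```

Switching the mode to "audit" yields the long-term tracking-only deployment the article mentions: identical log entries are produced, but nothing is held, so the evidence base accumulates without any risk of delaying legitimate mail.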

VII. Major market players

The individual product benefit assessments below are based on experience with real-world projects. All prices are for guidance only and are approximate. They assume the full cost of the project, including integration and analytical work. The specificity of projects for the implementation of anti-leakage systems is such that a real estimate of their cost can be prepared only based on the results of a study of a specific situation at the customer's site.

InfoWatch

Currently, InfoWatch, which has made considerable efforts to popularize the idea of fighting insiders, holds a leading position in the Russian market. The main mechanism for recognizing confidential information in this company's products uses content analysis (based on a unique linguistic "engine") and formal attributes of the transmission. A detailed elaboration of the "fine" linguistic markup makes it possible to achieve high recognition quality, but it should be noted that this process takes time and requires professional services.

InfoWatch provides advanced controls for network leak scenarios involving corporate mail and web connections. In this regard, we can mention the appearance in the solution of a universal transparent proxy server that filters data. This approach, together with the use of separate interceptors, allows you to choose the most suitable solution scheme for the customer.

Another important trend - the inclusion of encryption in the solution to protect against leaks - has also not gone unnoticed by the vendor. InfoWatch CryptoStorage product has already appeared in the line, designed to solve this problem. It should be noted that InfoWatch Traffic Monitor includes its own storage of shadow copies of intercepted data. In this case, the data is stored in a structured form with an indication of the category and with the preservation of the possibility of full-text search. This allows for retrospective analysis of data and facilitates the investigation of long-term incidents.

The clear advantages of a solution based on InfoWatch products also include an interface in Russian, licenses from Russian regulatory authorities for a number of versions, solid implementation experience accumulated by the company and its partners, and, of course, the proximity of the development team. It is difficult to name an average fixed price for a project based on InfoWatch, since its implementation includes not only the supply of software but also hardware, as well as the work of a consultant to prepare the content analysis database. On average, implementation of all InfoWatch Traffic Monitor components in a network of 1000 workplaces can range from $300,000 to $500,000.

Websense

Websense, the world leader in web filtering solutions, acquired PortAuthority Technologies in 2007, making it a market leader in confidential data leakage prevention systems. The Websense Data Security Suite (DSS) product line, which appeared on the Russian market in the second half of 2007, includes several modules that can be purchased separately. The main mechanism for recognizing confidential information in Websense DSS products is a "digital fingerprint" implemented in the patented PreciseID technology.

Other identification methods are also supported: rules, dictionaries, statistical analysis. The technology is resistant to paste-copy operations and partial changes of the document content, does not depend on the document language and supports Russian-language encodings. From experience with this technology, we can say that it really shows the highest recognition quality and a close to zero level of false positives, while maintaining efficiency even with some content changes. In this case, setting up the system for a newly connected document takes minutes. An important and demanded feature is the ability to counter leaks of relational database content, also implemented in PreciseID technology.

The solution provides ample opportunities to control the data of individual fields and their combinations, allows you to set threshold values for the number of records forwarded, track the sending of this information in the body, subject or attachments of a letter, and much more. The Websense DSS solution monitors all major communication channels, including outbound and internal e-mail, outbound web traffic, ftp, instant messaging applications, and network printing. It should also be noted that the Websense Data Discover module can control data on end stations and in network storage.

This mechanism allows regular checks to detect confidential documents, their fragments and "drafts" using the capabilities of PreciseID technology. For protection against local leakage scenarios, integration with solutions from other manufacturers is currently used. But by the end of this year, the company plans to release its own Websense DSS agent, whose functionality will cover almost all scenarios of leaks from the end workstation. The cost of a project to implement a leakage protection solution based on the Websense DSS line in a network of 1000 workplaces can average $100-150 thousand, with a license cost for a full set of modules of about $70 thousand. The product is provided on a subscription basis, that is, with annual renewal of licenses.

McAfee

The McAfee Host DLP leak protection solution appeared on the Russian market at the end of 2007. It is based on an agent program, installed on the computer and managed from the single McAfee ePolicy Orchestrator console, which monitors user operations with confidential information. Currently, along with DLP functionality, the McAfee Data Protection line also includes extensive data encryption and control of external devices. Accordingly, McAfee Data Protection can be successfully used to enforce policies for the use of external devices, for example USB drives.

From experience using this product, we can say that it provides reliable protection through the mechanisms of tagging documents (in fact, setting labels) and taking "digital fingerprints". The product demonstrates amazing sensitivity, reacting even to small fragments of protected documents, down to several lines. Along with the ability to monitor and block the sending of information through the corporate mail system, http, ftp and instant messaging systems, the product allows you to block such operations as copying fragments of a protected document through the clipboard and making a screen copy.

It is important that the agent continues to perform its protective functions even when the laptop with data is outside the corporate network - an unprepared user cannot disable the process. If a customer chooses McAfee products to build complete protection against both internal and external threats (viruses, network attacks, etc.), this opens up additional opportunities for him. In particular, the management of the information security system is simplified, additional control scenarios appear, overall costs are minimized, etc.

Thanks to the McAfee ePolicy Orchestrator management system (one of the best in the antivirus industry) and a successful implementation of the agent program, this solution is suitable for companies with a distributed infrastructure and large fleets of laptops. Taking into account the relatively democratic licensing policy, the product will also suit small businesses with a fleet of 50 computers or more. The estimated cost of implementing the most complete McAfee Total Protection for Data (TDA) solution, including McAfee DLP, McAfee Endpoint Encryption and McAfee Device Control, for 1000 users could be $100-130 thousand.

VII. Where to begin?

This material could not cover many other interesting issues of using anti-leakage systems. How do you choose a DLP system? How do you build a feasibility study for it? What can be included in a pilot implementation of a DLP system, and what should be paid attention to? How does the implementation of a DLP system fit into the overall information security management scheme? What are the features of projects to implement such systems?

The author hopes to continue these topics in subsequent publications, and in conclusion would like to answer the question: "So where to start?" Practice shows that a full-fledged implementation of an information leakage prevention system based on one of the DLP products is possible only with the active participation of a specialized system integrator. So the first thing to do is probably to contact a consultant: an IT company with solid experience in implementing anti-leakage systems. Together, you have to go through three initial stages.

The first is to discuss with the consultant's group of experts the current situation and the goal of implementing a DLP system in the enterprise.

The second is to take part in a "live" demonstration of the DLP systems proposed for implementation. As part of the demonstration, it is worth trying the systems hands-on and, together with the experts, choosing one of them for a pilot deployment.

And finally, the third is to agree with the consultant on the parameters of the pilot launch of the system, fix the expectations from it and carry out the deployment. In practice, all these stages can be completed in two to three months, after which you can start the main project to implement the anti-leakage system.

Veniamin Levtsov
Information Security Development Director
LETA IT-company

IT Manager magazine, August 2008

Source information always propagates into the external environment. Channels for the dissemination of information are objective and active, and include: regulated business, management, trade, scientific and communicative relations; information networks; and natural technical channels.

A channel for the dissemination of information is a path along which valuable information moves from one source to another, either in an authorized (permitted) mode or by virtue of objective laws.

The term "confidential information leakage" is probably not the most euphonious, but it reflects the essence of the phenomenon more succinctly than other terms, and it has long been entrenched in the scientific literature and in regulatory documents. Leakage of confidential information is the illegal, i.e. unauthorized, exit of such information outside the protected area in which it functions or outside the established circle of persons entitled to work with it, if this exit leads to the receipt of the information (familiarization with it) by persons who do not have authorized access to it. Leakage of confidential information means not only its receipt by persons who do not work at the enterprise; unauthorized acquaintance of the enterprise's own personnel with the confidential information also constitutes a leak.

Loss and leakage of confidential documented information are caused by the vulnerability of information. The vulnerability of information should be understood as the inability of information to resist destabilizing influences on its own, i.e. influences that violate its established status. A violation of the status of any documented information is a violation of its physical safety (either in general or at the given owner, in full or in part), of its logical structure and content, or of its accessibility to authorized users. A violation of the status of confidential documented information additionally includes a violation of its confidentiality (its being closed to unauthorized persons). The vulnerability of documented information is a collective concept. It does not exist in the abstract but manifests itself in various forms. These include: theft of the information carrier or of the information displayed on it (theft); loss of the information carrier (loss); unauthorized destruction of the information carrier or of the information displayed on it (destruction); distortion of information (unauthorized change, unauthorized modification, counterfeiting, falsification); blocking of information; and disclosure of information (distribution, disclosure).

The term "destruction" is used mainly in relation to information on magnetic media. The existing variants of names: modification, forgery, falsification are not entirely adequate to the term "distortion", they have nuances, but their essence is the same - an unauthorized partial or complete change in the composition of the original information.

Blocking information here means blocking access to it by authorized users, not intruders.

Disclosure of information is a form of vulnerability manifestation only of confidential information.

One or another form of vulnerability of documented information can be realized as a result of deliberate or accidental destabilizing effects, applied in various ways to the information carrier or to the information itself from sources of influence. Such sources can be people, technical means of processing and transmitting information, communication facilities, natural disasters, etc. The ways of destabilizing information are copying (photographing), recording, transferring, downloading, infecting information processing programs with a virus, violating the technology for processing and storing information, deactivation (or failure) and disruption of the operation of technical means for processing and transmitting information, physical impact on information, etc.

Vulnerability of documented information leads or may lead to loss or leakage of information.

Theft and loss of information carriers, unauthorized destruction of information carriers or only of the information displayed on them, and distortion and blocking of information lead to the loss of documented information. The loss can be complete or partial, irrevocable or temporary (when information is blocked), but in any case it damages the owner of the information.

Leakage of confidential documented information is caused by its disclosure. As some authors note, in the literature and even in regulatory documents the term "leakage of confidential information" is often replaced by or equated with the terms "disclosure of confidential information" and "dissemination of confidential information". In the view of specialists, this is incorrect. Disclosure or dissemination of confidential information means unauthorized communication of it to consumers who do not have the right of access to it; moreover, such communication must be carried out by someone and come from someone. A leak occurs during disclosure (unauthorized dissemination) of confidential information, but is not limited to it. A leak can also occur as a result of the loss of the carrier of confidential documented information, or of theft of the carrier, or of theft of the information displayed on it while the carrier itself remains with its owner (holder). This does not mean that a leak will necessarily follow. The lost medium may fall into the wrong hands, or it may be picked up by a garbage truck and destroyed in the manner established for garbage; in the latter case no confidential information is leaked. Theft of confidential documented information is likewise not always associated with its receipt by persons who do not have access to it. There are many examples of confidential carriers being stolen from colleagues at work by persons who were themselves admitted to the information, in order to undermine the colleague; such carriers were, as a rule, destroyed by the persons who stole them. But in any case the loss and theft of confidential information, even where it does not lead to a leak, always creates a threat of leakage. Therefore we can say that leakage of confidential information is caused by its disclosure and can result from theft and loss.

The difficulty lies in the fact that it is often impossible to distinguish, firstly, the fact of disclosure from the fact of theft of confidential information while the carrier remains with its owner (holder), and secondly, whether the information reached unauthorized persons as a result of its theft or of its loss.

The owner of a trade secret is a natural or legal person who legally possesses information constituting a trade secret and the corresponding rights in full.

Trade secret information does not exist on its own. It is displayed in various media that can save, accumulate, transfer. With their help, the use of information is also carried out.

Information carrier - an individual or a material object, including a physical field, in which information is displayed in the form of symbols, images, signals, technical solutions and processes.

From this definition it follows, firstly, that material objects are not only what can be seen or touched, but also physical fields and the human brain, and secondly, that information in carriers is displayed not only by symbols, i.e. letters, numbers and signs, but also by images in the form of pictures, drawings, diagrams and other iconic models, by signals in physical fields, by technical solutions in products, and by technical processes in production technology.

The types of material objects that serve as information carriers are diverse. They can be magnetic tapes, magnetic and laser disks, photographic, cine, video and audio tapes, various types of industrial products, technological processes, etc. But the most widespread type is the paper medium. Information on paper is recorded by handwriting, typewriting, electronic or typographic means in the form of text, drawings, diagrams, formulas, graphs, maps, etc. On these media, information is displayed in the form of symbols and images. Under the Federal Law "On Information ...", such information is classified as documented information and constitutes various types of documents.

Recently there have been significant changes in the forms and means of obtaining confidential information by informal methods. This mainly concerns influence on a person as a carrier of confidential information.

A person as an object of influence is more susceptible to informal influence than technical means and other carriers of confidential information, because of a certain legal insecurity at present, individual human weaknesses and life circumstances.

Such informal influence is, as a rule, hidden, illegal and can be carried out both individually and by a group of people.

The following types of information leakage channels are possible through a person who is a bearer of confidential information: the voice channel, the physical channel and the technical channel.

Voice leakage channel - information is transmitted verbally, in person, from the owner of confidential information to a party interested in receiving it.

Physical leakage channel - information is transmitted from the owner (carrier) of confidential information on paper, electronic, magnetic (encrypted or clear) or other media to a party interested in obtaining it.

Technical leakage channel - information is transmitted through technical means.

The forms of influence on the person who is the bearer of the protected information can be open and hidden.

Open influence on the owner (carrier) of confidential information, in order for the interested party to obtain it, implies direct contact.

Covert influence on the owner (carrier) of confidential information, in order for the interested party to obtain it, is carried out indirectly.

The means of informal influence on the owner (carrier) of confidential information, used to obtain specific information from him through the open speech channel, are a person or group of people who act through promises, requests and suggestions.

As a result, the owner (carrier) of confidential information is forced to change his behavior, his official obligations and transfer the required information.

Covert influence through the speech channel on the owner (carrier) of confidential information is carried out through indirect coercion: blackmail through a third party, unintentional or deliberate eavesdropping, etc.

In the end, these means of influence condition the owner (carrier) of confidential information to tolerate the influence exerted on him.

The forms of influence on the owner (carrier) of confidential information through the physical channel of leakage can also be open and hidden.

Open influence is carried out through physical intimidation (beatings) or force, up to and including a fatal outcome once the information has been obtained.

Covert influence is more sophisticated and broader in the means it uses. Its structure can be represented as: interested party acting on the interests and needs of the carrier of confidential information.

Consequently, the interested party acts covertly (indirectly) on the interests and needs of the person who holds confidential information.

Such covert influence can be based on: fear, blackmail, manipulation of facts, bribery, intimacy, corruption, persuasion, provision of services, and assurances about the future of the person who is the bearer of confidential information.

The form of influencing the owner (carrier) of confidential information through technical channels can also be open and hidden.

Open (direct) means - fax, telephone (including mobile systems), Internet, radio communications, telecommunications, media.

Covert means include: wiretapping using technical means, viewing the display screen and other output devices, and unauthorized access to a PC and to its software and hardware.

All considered means of influence, regardless of their form, have an informal effect on the person who is the carrier of confidential information and are associated with illegal and criminal methods of obtaining confidential information.

The possibility of manipulating the individual traits and social needs of the owner (carrier) of confidential information in order to obtain it must be taken into account when placing and selecting personnel and in personnel policy for work with confidential information.

It should always be remembered that documenting information (recording it on any material medium) increases the risk of leakage. A material carrier is always easier to steal, and there is a high probability that the required information on it is not distorted, as happens when information is disclosed orally.

Threats to the safety, integrity and secrecy (confidentiality) of restricted information are realized in practice through the risk that channels form for the unauthorized receipt (extraction) of valuable information and documents by an attacker. These channels are the set of unprotected or weakly protected areas of possible information leakage that an attacker uses to obtain the information he needs, i.e. for deliberate illegal access to protected information.

Each specific enterprise has its own set of channels for unauthorized access to information; there are no ideal firms in this respect.

This depends on many factors: the volume of protected information; its types (state secret, or another kind of secret: official, commercial, banking, etc.); the professional level of personnel; the location of buildings and premises, etc.

The operation of channels of unauthorized access to information necessarily entails leakage of the information, and may also entail the disappearance of its carrier.

When it comes to information leakage due to the fault of personnel, the term "information disclosure" is used. A person can divulge information verbally, in writing, by removing information using technical means (copiers, scanners, etc.), using gestures, facial expressions, conventional signals. And transfer it personally, through intermediaries, through communication channels, etc.

Leakage (disclosure) of information is characterized by two conditions:

  • 1. The information goes directly to the person interested in it, the attacker;
  • 2. The information is transferred to a random, third party.

In this case, a third party means any outsider who received the information owing to circumstances beyond that person's control or owing to the irresponsibility of personnel, who has no right to hold the information and, most importantly, is not interested in it. However, information can easily pass from a third party to an attacker. In that case the third party, under circumstances arranged by the attacker, acts as a "blotter" that soaks up the required information on the attacker's behalf.

The transfer of information to a third party seems to be a fairly frequent phenomenon, and it can be called unintentional, spontaneous, although the fact of disclosure of information takes place.

Unintentional transfer of information to a third party occurs as a result of:

  • 1. Loss or incorrect destruction of a document on any medium, a package of documents, a case, confidential records;
  • 2. Ignoring or deliberate non-fulfillment by the employee of the requirements for the protection of documented information;
  • 3. Excessive talkativeness of employees in the absence of an intruder - with colleagues at work, relatives, friends, other persons in public places: cafes, transport, etc. (recently this has become noticeable with the spread of mobile communications);
  • 4. Work with documented information with limited access of the organization in front of unauthorized persons, unauthorized transfer of it to another employee;
  • 5. Use of information with limited access in open documents, publications, interviews, personal notes, diaries, etc .;
  • 6. Absence of confidentiality labels on documents, or of the corresponding marking on technical media;
  • 7. The presence in the texts of open documents of unnecessary information with limited access;
  • 8. Unauthorized copying (scanning) by an employee of documents, including electronic ones, for official or collection purposes.

Unlike a third party, an attacker or an accomplice purposefully obtains specific information and deliberately, illegally, establishes contact with its source, or converts the channels of its objective dissemination into channels of disclosure or leakage.

Organizational channels of information leakage differ in a wide variety of types and are based on the establishment of various, including legal, relationships between an attacker and an enterprise or enterprise employees for subsequent unauthorized access to information of interest.

The main types of organizational channels can be:

  • 1. Admission to work of an attacker at an enterprise, as a rule, in a technical or auxiliary position (as a computer operator, forwarder, courier, cleaner, janitor, security guard, driver, etc.);
  • 2. Participation in the work of the enterprise as a partner, intermediary, client, using a variety of fraudulent methods;
  • 3. The attacker finds an accomplice (an "initiative assistant") working in the organization;
  • 4. Establishment of a trusting relationship by an attacker with an employee of the organization (in common interests, up to joint drinking and love relationships) or a regular visitor, an employee of another organization who has information of interest to the attacker;
  • 5. Use of the organization's communication links - participation in negotiations, meetings, exhibitions, presentations, correspondence, including electronic, with the organization or its specific employees, etc .;
  • 6. Use of erroneous actions of personnel or deliberate provocation of these actions by the attacker;
  • 7. Covert penetration, or penetration under forged documents, into enterprise buildings and premises; criminal, forcible access to information, i.e. theft of documents, floppy disks, hard disks or whole computers; blackmail and persuasion of individual employees to cooperate; bribery and blackmail of employees; creation of extreme situations, etc.;
  • 8. Obtaining the necessary information from a third (random) person.

Organizational channels are selected or formed by an attacker individually in accordance with his professional skill, a specific situation, and it is extremely difficult to predict them. Finding organizational channels requires a lot of research and analysis.

The technical infrastructure supporting the organization's financial document workflow creates ample opportunities for unauthorized acquisition of restricted information. Any managerial and financial activity is always associated with discussing information in offices or over communication lines and channels (video and conference calls), with calculations and analysis of situations on computers, and with the production and duplication of documents, etc.

Technical channels of information leakage arise when special technical means of industrial espionage are used, which make it possible to obtain protected information without direct contact with the organization's personnel, documents, files and databases.

A technical channel is a physical path of information leakage from a source or channel of objective dissemination of information to an attacker. The channel arises when an attacker analyzes physical fields and radiations that appear during the operation of computing and other office equipment, intercepting information that has a sound, visual or other form of display. The main technical channels are acoustic, visual-optical, electromagnetic, etc. These channels are predictable, they are of a standard nature and are interrupted by standard countermeasures. For example, in accordance with GOST RV 50600-93. “Protection of classified information from technical intelligence. System of documents. General provisions ".

It is common, and professionally competent, for an attacker to creatively combine both types of channels, for example establishing a trust relationship with an employee of the organization and, with that employee's help, intercepting information through technical channels.

There can be many variants and combinations of channels, so the risk of losing information is always quite high. Even where an effective information protection system exists, an attacker destroys individual security elements and forms the channel he needs to obtain information.

In order to accomplish the tasks set, the attacker determines not only the channels of unauthorized access to the organization's information, but also the set of methods for obtaining this information.

In order to protect information at the proper level, it is necessary to "know the enemy" and the methods used to extract information.

Legal methods fall under the concept of "business intelligence"; they are legally safe and, as a rule, are what first creates interest in the organization and, in turn, the possible need to use channels of unauthorized access to the required information. At the heart of business intelligence is painstaking analytical work by competitors' experts on the organization's published and publicly available materials. They study the organization's activities and services, its advertising publications, information obtained in official and unofficial conversations and negotiations with the enterprise's employees, the materials of press conferences, presentations of the company and its services, scientific symposia and seminars, and information obtained from information networks, including the Internet. Legal methods provide the attacker with the bulk of the information he is interested in and make it possible to determine what is still missing and has to be obtained by illegal methods; some of it no longer needs to be obtained at all after careful analysis of open information.

Illegal methods of obtaining valuable information are unlawful and are used to access protected information that cannot be obtained by legal methods. Illegal acquisition is based on the attacker's search for the most effective unprotected organizational and technical channels of unauthorized access to the organization's information under the specific conditions, on forming such channels where they do not exist, and on carrying out a plan for their practical use.

Illegal methods involve theft, deliberate deception, eavesdropping on conversations, forgery of identification documents, bribery, blackmail, staging or organizing extreme situations, the use of various criminal methods, etc. In the course of implementing illegal methods an undercover channel for obtaining valuable financial information is often formed. Illegal methods also include: interception of information objectively distributed through technical channels, visual observation of the buildings, premises and personnel of the bank, analysis of objects bearing traces of protected information, analysis of the architectural features of protected sites, and analysis of paper waste taken out of the enterprise.

Thus, a leak of information with limited access can occur:

  • 1. If organizations, persons or competitors are interested in specific information;
  • 2. In the event of a risk of a threat organized by an intruder or in accidental circumstances;
  • 3. If there are conditions that allow an attacker to take the necessary actions and seize information.

These conditions may include:

  • 1. Lack of systematic analytical and control work to identify and study threats and channels of information leakage, the degree of risk of violations of the organization's information security;
  • 2. Ineffective, poorly organized system for protecting the information of the company or the absence of this system;
  • 3. Unprofessionally organized technology for closed (confidential) financial document flow, including electronic, and for record-keeping of documented information with limited access;
  • 4. Disordered recruitment and staff turnover, difficult psychological climate in the team;
  • 5. Lack of a system for training employees in the rules of working with documented information with limited access;
  • 6. Lack of control on the part of the management of the enterprise over the observance by the personnel of the requirements of normative documents for working with documented information with limited access;
  • 7. Uncontrolled visits to the premises of the organization by unauthorized persons.

Channels for unauthorized access and information leakage can be of two types: organizational and technical. They are provided by legal and illegal methods.

Obtaining documents or information with limited access can be a one-off event or a regular process that continues over a relatively long time.

Therefore, any information resources of an organization are a very vulnerable category, and if the attacker is interested in them, the danger of their leakage becomes quite real.

A preliminary assessment by analysts of materials prepared for publication about the company, exhibition brochures, advertising publications, etc., their participation in presentations, exhibitions, shareholder meetings and negotiations, and their interviewing and testing of candidates for positions are all desirable. The latter is one of the main and most important responsibilities of the information and analytical service, since it is at this stage that one of the main organizational channels, the admission of an attacker to work in the company, can be blocked with a certain degree of probability.

With the development of market relations, the risk associated with competitors' desire to take possession of modern technologies, know-how and other valuable information constituting a trade secret increases. Obtaining such information can seriously harm the organization.

Distribution channels are the means of exchange of information between the subjects of business and personal relations, which are expediently divided into formal and informal (in accordance with Figure 2).

Figure 2 - Channels of possible leakage of information constituting a trade secret

Formal channels include business meetings, conferences and negotiations; exchange of official documents (contracts, technical documentation); and means of transmitting official information (mail, telephone, telegraph, fax, computer networks, etc.).

Informal channels include personal communication; exhibitions, seminars, conferences and presentations; and the mass media (newspapers, radio, television, interviews).

Sources of disclosure of information constituting a trade secret are: people, documents, publications, advertisements, technical media, technical means supporting production and labour activity (including computers), products, and industrial and production waste.

Actions leading to illegal seizure of commercial information include the following areas:

  • - disclosure of information;
  • - a leak;
  • - unauthorized access (Figure 3).

Methods for disclosing commercial secrets can be:

  • - message, transfer, provision of it to persons not admitted to it;
  • - shipment;
  • - publications (open and closed);
  • - loss;
  • - disclosure at conferences, negotiations, symposia, etc.

Leakage of a trade secret is the illegal exit of the protected information outside the organization or enterprise, or outside the circle of persons to whom it was entrusted.

Leakage of information constituting a trade secret should be understood as the illegal exit (verbally, in writing or otherwise) of such information from a specific employee of the company to whom it was communicated or became known through his service or work. The passage to a competitor of information constituting a trade secret from the person to whom it was communicated in the course of his work can occur either because that person violated the rules for handling it, or as a result of unavoidable official actions by the company's representatives connected with carrying out the organization's production, scientific, technical, commercial and other operations.

Moving on to the analysis of information carriers, there are four main types of them:

  • 1. person;
  • 2. document;
  • 3. product (object, material);
  • 4. process.

This division of information carriers is made according to their functional purpose.

A person occupies a special place in this series. In the process of intellectual activity he produces new knowledge and creates new information carriers. He is also a consumer of information and a user of its other carriers.

A document is distinguished by the fact that its functional purpose is entirely exhausted by its property of being an information carrier. During its existence a document goes through certain stages: compilation and execution, reproduction, transmission, use, storage and destruction. At present, documents exist on paper, on microforms, on magnetic media, on punched media, etc.

A product has the property of an information carrier as an auxiliary side effect, which is perceived directly by a person or by special devices. The main functional purpose of a product is to meet other, non-informational needs of society.

A process, as an information carrier, has properties of both a document and a product. For example, radio communication by means of radio waves is intended specifically for receiving and transmitting information. At the same time, because of the objective laws governing their propagation in space, the information they carry can be received not only by the consumer for whom it is intended but also by a competitor who has the technical means to intercept it.

Unauthorized access methods are shown in Figure 4.

Opinion polls show that bribery of employees (the human factor) takes first place among the methods of illegally obtaining commercial secrets. It is followed by espionage: copying documents, breaking into databases, stealing documents and eavesdropping.

Figure 4 - Methods of unauthorized access to trade secrets

At present, technical means of penetration are widely used, which calls for special protective measures.

The types of channels and sources of leakage of confidential information at the enterprise, established by the legislation of the Republic of Belarus, are given in the Appendix "Sources and channels of leakage of confidential information".

Today most enterprises use multilevel information processing systems: computers, cloud storage, corporate networks, etc. All these systems not only transmit data but are also a medium through which it can leak. A leak of classified information is the uncontrolled disclosure of data that is key to the company.

A trade secret is information about how the enterprise organises its activities, product development technologies, data on cash flows, intellectual property and other information from which the firm derives financial benefit.

Reason 1 - Personnel

Every employee of an enterprise is a potential threat to information security. People often take work home: they move work files to their own flash drives, send them over insecure channels, and discuss information with employees of competing companies.

Staff actions may be deliberate or unintentional. Unintentional actions usually result from ignorance of the rules for handling commercial information.

There is always a risk of a leak through personnel, and it cannot be eliminated completely. The security service can, however, take measures that limit employees' interaction with confidential information:

  • Development of access control rules. The rules are a list of explicit rights and restrictions that every employee must observe. Their basic principle is need-to-know: each employee interacts only with the data required for his work, and anything not explicitly granted is denied. Thus an ordinary manager cannot obtain the product development technology or other important data that an attacker would want to know.
  • Compliance with the standards for documenting information that contains trade secrets.
  • Prompt identification of employees who pose a threat of data disclosure.

A study of the level of information security in Russian and foreign companies that SearchInform conducted in 2018 showed that ordinary employees were to blame for 74% of information security incidents. ...

How to identify an employee who divulges data to a competitor?

An authorised employee or the security department should be responsible for controlling how personnel work with classified materials. Their task is to monitor employees' activity throughout the working day and promptly identify every case of information leakage.

In practice, a person leaking a commercial secret can be detected by the following signs:

  • An employee stays at his workplace after working hours without warning. There is a possibility that he is trying to gain access to classified information while no supervisors are nearby.

Such an employee deserves attention: check whether his goal is to obtain secret information. Access control (entry and exit) systems help track the time personnel spend at the workplace. An investigation should be started only when specific facts of a leak of protected information become known.

  • An employee saves too many of the company's electronic documents to his personal computer or smartphone.

This type of leak can be traced in companies that use file system monitoring. Such systems route access through a common server operating within the corporate or Wi-Fi network: every opening, copying and moving of data on a work PC generates a record that is sent to the server. The security administrator can therefore identify from which PC, and in what quantity, classified information was moved.

  • An employee unnecessarily copies paper documents whose content is intended for official use only.

According to the documentation standards, all physical folders and files containing trade secrets must be stored in the protected part of the archive. Only authorised employees may access these documents. Every issue of a document containing a secret must be recorded, with the employee's name and the exact time of issue.

If a secret document falls into the hands of a dishonest employee, its unauthorised copying can be traced on a scanner or copier that keeps a log of recent jobs. There are also fax machines that can only be used after a valid user ID and password have been entered.

  • An employee regularly violates the general security requirements for working with trade secrets.

If personnel regularly try to bypass blocking, by visiting prohibited resources or by using personal devices to process sensitive data, additional user control systems must be introduced, for example DLP systems. Their task is to monitor all user correspondence through corporate mail and the other mailboxes registered in the system. The protection module can also prohibit the installation of third-party software, and all of the employee's actions at the computer are visible to the security administrator.

  • An employee has been seen in contact with employees of competing companies.

In large companies, employees often communicate outside working hours. In this way they learn more about each other and may discover a connection between a colleague and an employee of a competing organisation. Ordinary friendly relations between people are of course possible, but it is better to notify company management about such contacts in order to avoid unnecessary suspicion.
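The access rules described earlier in this section (need-to-know, each employee sees only what his work requires) and the file-access monitoring mentioned under the second sign (the server knowing from which PC and in what quantity classified data was moved) can be combined into one automated check. The following Go program is an added example written for this edition; it is not code from the original lecture or from any product the lecture mentions. The log line format, the roles, the directory names, the 50 MB threshold and the sample log lines are all constructed assumptions.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Event is one record of a hypothetical file-access audit log; the layout is an assumption.
type Event struct {
	Host, User, Role, Action, Path string // Action: open, copy_removable or copy_cloud
	Bytes                          int64
}

// ParseEvent parses a constructed line "<time> host=.. user=.. role=.. action=.. path=.. bytes=..".
func ParseEvent(line string) (Event, error) {
	var ev Event
	var ts string // timestamp is kept only to validate the line shape
	n, err := fmt.Sscanf(line, "%s host=%s user=%s role=%s action=%s path=%s bytes=%d",
		&ts, &ev.Host, &ev.User, &ev.Role, &ev.Action, &ev.Path, &ev.Bytes)
	if err != nil || n != 7 || ev.Bytes < 0 {
		return Event{}, fmt.Errorf("malformed line %q: %v", line, err)
	}
	return ev, nil
}

const (
	classifiedRoot       = "/secret/" // tree holding the trade-secret documents
	ExfilThreshold int64 = 50 << 20   // classified bytes one user may copy off the network before an alert (assumption)
)

// policy lists the classified subtrees each role needs for its work. Anything under
// classifiedRoot not listed for a role is denied: need-to-know, default deny (assumed roles).
var policy = map[string][]string{
	"engineer": {"/secret/rnd/"},
	"finance":  {"/secret/finance/"},
}

// Allowed normalises the path first, so "/secret/rnd/../finance/x" is judged as
// "/secret/finance/x" and is not matched by its "/secret/rnd/" prefix.
func Allowed(role, p string) bool {
	clean := path.Clean(p)
	if !strings.HasPrefix(clean, classifiedRoot) {
		return true // unclassified areas are not restricted in this example
	}
	for _, prefix := range policy[role] {
		if strings.HasPrefix(clean, prefix) {
			return true
		}
	}
	return false
}

// Finding is one alert; Kind is "need_to_know" or "bulk_copy".
type Finding struct{ Kind, User, Host, Info string }

// Analyze streams the log once: each access is tested against the policy, and copies of
// classified data off the network are summed per user and host, alerting once when the
// running total first crosses ExfilThreshold. Findings come out in event order.
func Analyze(lines []string) ([]Finding, error) {
	type key struct{ user, host string }
	copied := map[key]int64{}
	var findings []Finding
	for _, line := range lines {
		ev, err := ParseEvent(line)
		if err != nil {
			return nil, err
		}
		clean := path.Clean(ev.Path)
		if !Allowed(ev.Role, clean) {
			findings = append(findings, Finding{"need_to_know", ev.User, ev.Host, ev.Action + " " + clean + " as role " + ev.Role})
		}
		if (ev.Action == "copy_removable" || ev.Action == "copy_cloud") && strings.HasPrefix(clean, classifiedRoot) {
			k := key{ev.User, ev.Host}
			if copied[k] <= ExfilThreshold && copied[k]+ev.Bytes > ExfilThreshold {
				findings = append(findings, Finding{"bulk_copy", k.user, k.host, fmt.Sprintf("%d classified bytes copied off the network", copied[k]+ev.Bytes)})
			}
			copied[k] += ev.Bytes
		}
	}
	return findings, nil
}

// SampleLog is constructed test data, not a capture from a real system.
var SampleLog = []string{
	"2018-03-01T18:41:05 host=pc-17 user=ivanov role=engineer action=copy_removable path=/secret/rnd/design-v3.docx bytes=2097152",
	"2018-03-01T18:42:30 host=pc-17 user=ivanov role=engineer action=copy_removable path=/secret/rnd/archive.zip bytes=62914560",
	"2018-03-01T19:03:44 host=pc-09 user=petrov role=manager action=open path=/secret/rnd/../finance/cashflow.xlsx bytes=0",
	"2018-03-01T20:10:00 host=pc-04 user=sidorova role=finance action=copy_cloud path=/secret/finance/budget.xlsx bytes=1048576",
}

func main() {
	findings, err := Analyze(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-12s user=%s host=%s: %s\n", f.Kind, f.User, f.Host, f.Info)
	}
}
```

The two checks catch different things: the policy test flags an access that should not have been possible at all (and normalises the path first, so a `..` component cannot dress a finance file up as an R&D one), while the running total flags a permitted user who is moving an abnormal volume of classified data off the network; alerting once when the threshold is first crossed avoids one alert per file.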

Reason 2 - Problems in recruiting

Frequent personnel changes, large-scale reorganisation of the company's work, pay cuts, layoffs: all of this is part of staff "turnover". This phenomenon often becomes the cause of a leak of classified information.

A crisis or a lack of funds to pay salaries forces management to worsen working conditions. Employee dissatisfaction grows, and dissatisfied employees may leave or simply start passing classified information to competitors. The problem of turnover is especially acute for management positions, because all managers must have access to classified documents.

The threat of disclosure comes not only from employees who have already left, but also from current employees whose motivation has fallen.

To prevent the problem, create the most comfortable working conditions possible. In the event of a serious crisis, it is recommended to gather the staff to discuss possible ways out of the difficult situation. It is important to notify employees of all payroll changes in advance rather than on payday.

Sometimes a single employee creates an unfavourable atmosphere in the team. Some monitoring systems analyse employees' e-mail and instant messenger correspondence and compile psychological profiles, identifying the positive and negative traits of a person's character as an input to management decisions.

To reduce "turnover", it is important to follow these recommendations:

  • Establish a recruitment system. All leading organisations have a dedicated department for hiring, dismissing and supporting employees. Do not try to fill a vacancy as quickly as possible: a good HR specialist should interview several applicants, publish the vacancy on all popular job sites, and hold a final selection whose results determine the most suitable candidate.
  • Introduce a reward system. Employees should be rewarded for success at work, exceeding plans and concluding profitable contracts. Examples of incentives are pay rises, better working conditions and promotion.
  • Give all employees opportunities for professional growth and further training. Good companies regularly send employees on professional development courses or buy online training for convenience. Training delivered by leading industry professionals is also recommended.

Reason 3 - Business trips

The company's work involves business meetings and trips to other branches and countries. Employees who travel frequently can inadvertently become the main cause of a leak of the enterprise's classified information.

When travelling, such an employee always carries a personal or corporate laptop or smartphone on which protected documents are processed. The device can be left in a public place, broken or stolen. If the employee is under surveillance or meets with an executive of a rival company, a lost laptop can become a major source of inside information.

To prevent such cases, it is important to use full-disk encryption on the PCs issued to employees for business trips. Even after theft and unauthorised access, the information remains protected: it cannot be recovered without the key. Disk encryption protects the data only while the device is locked or powered off; on a running, unlocked laptop the data is already decrypted, so automatic screen locking and strong authentication are necessary complements.

Reason 4 - Cooperation with other companies

Most automated security systems can restrict access to internal information only within one building or one enterprise (or several branches that share a common storage server).

When several firms implement a project jointly, each security service cannot fully track how access to the other enterprises' official secrets is actually exercised.

As in the previous case, cryptographic containers (disk or file encryption) help protect secret information from being read from media that passes outside the company's control. Encryption does not, however, protect against a partner's employee who has legitimately been given the key: for that, the rules of joint work must define who receives which documents and must be backed by contractual confidentiality obligations.

Reason 5 - Using complex IT infrastructures

Large corporations use complex proprietary information protection systems. Such automated systems imply several security departments and more than five system administrators whose only task is to maintain the safety of trade secrets.

The complexity of the system is itself a leakage risk, because the simultaneous work of several people is poorly coordinated. For example, one administrator may add or remove access control rules while another forgets to enter the access rights for a server.

When using complex protection systems it is important to separate all responsibilities correctly and monitor that they are carried out on time. Otherwise the system that was created can harm the company.

In such systems it is possible to differentiate security personnel's access to particular reports and operations. It is safer to concentrate the maximum number of powers in the head of the information security service, but even those privileged operations should be logged and reviewable by a second person, since one account with all powers is also a single point of compromise.
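The failure mode in this section (one administrator changing rules while another forgets to provision rights) is a configuration drift problem, and the check for it can be automated. The Go program below is an added example, not code from the original lecture or from any product it mentions: it reconciles the access matrix approved by the security service against the grants actually exported from a server and reports both unapproved grants and approved-but-missing ones. The principals, resources and the two sample lists are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Grant is one (principal, resource, permission) triple as it appears in the
// approved access matrix or in a server's effective ACL.
type Grant struct {
	Principal  string
	Resource   string
	Permission string
}

// Drift is the difference between what the security service approved and
// what the administrators actually configured.
type Drift struct {
	Unapproved []Grant // configured on the server but never approved
	Missing    []Grant // approved but never provisioned (the "forgotten" rights)
}

// Clean reports whether the deployed state matches the approved matrix exactly.
func (d Drift) Clean() bool { return len(d.Unapproved) == 0 && len(d.Missing) == 0 }

// Reconcile compares the approved matrix with the deployed ACL. Both are
// treated as sets; the output is sorted so reports are reproducible.
func Reconcile(approved, deployed []Grant) Drift {
	toSet := func(gs []Grant) map[Grant]bool {
		m := make(map[Grant]bool, len(gs))
		for _, g := range gs {
			m[g] = true
		}
		return m
	}
	a, d := toSet(approved), toSet(deployed)
	var out Drift
	for g := range d {
		if !a[g] {
			out.Unapproved = append(out.Unapproved, g)
		}
	}
	for g := range a {
		if !d[g] {
			out.Missing = append(out.Missing, g)
		}
	}
	sortGrants(out.Unapproved)
	sortGrants(out.Missing)
	return out
}

func sortGrants(gs []Grant) {
	sort.Slice(gs, func(i, j int) bool {
		if gs[i].Principal != gs[j].Principal {
			return gs[i].Principal < gs[j].Principal
		}
		if gs[i].Resource != gs[j].Resource {
			return gs[i].Resource < gs[j].Resource
		}
		return gs[i].Permission < gs[j].Permission
	})
}

// Constructed sample data. Approved is the matrix signed off by the security
// service; Deployed is what a script exported from the file server. One
// administrator granted a contractor write access outside the process, and
// another forgot to provision the finance analyst's read right.
var Approved = []Grant{
	{"ivanov", "/secret/rnd", "read"},
	{"ivanov", "/secret/rnd", "write"},
	{"sidorova", "/secret/finance", "read"},
	{"petrov", "/public", "read"},
}

var Deployed = []Grant{
	{"ivanov", "/secret/rnd", "read"},
	{"ivanov", "/secret/rnd", "write"},
	{"petrov", "/public", "read"},
	{"contractor-temp", "/secret/rnd", "write"},
}

func main() {
	d := Reconcile(Approved, Deployed)
	for _, g := range d.Unapproved {
		fmt.Printf("UNAPPROVED  %s may %s %s -> revoke or obtain approval\n", g.Principal, g.Permission, g.Resource)
	}
	for _, g := range d.Missing {
		fmt.Printf("MISSING     %s should %s %s -> provision\n", g.Principal, g.Permission, g.Resource)
	}
	if d.Clean() {
		fmt.Println("no drift")
	}
}
```

Run after every change window, the report gives the reviewer (the second person that separation of duties requires) a short list to act on instead of a full ACL dump: the unapproved entries are the ones that open a leakage channel, the missing ones are the "forgotten" rights this section describes.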

Reason 6 - Equipment breakdowns

Errors in the software

Software malfunctions of all kinds occur constantly. When a vulnerability appears, protected files risk being intercepted by a hacker. It is important to promptly identify all faults in the installed software and hardware components; the security administrator is responsible for the operability and interaction of all protection modules.

A significant amount of important documentation is lost as a result of database crashes. Recovering data from failed hard drives is a complex task that does not guarantee the return of the lost information.

Server hardware failures

Storing information on cloud platforms shifts part of this risk to the provider. Cloud platforms increase the speed of information processing and let each employee access the required file from any device. Data at rest is encrypted by the remote server; this does not, however, remove the need to protect the transmission channel (TLS between the client and the service) or to control who holds the decryption keys.

A service provider's servers can fail because of natural disasters or massive hacker attacks. As a rule, owners of cloud platforms keep backups of the contents of user accounts, so failures are resolved quickly without loss of important documents; the backup and retention terms should nevertheless be confirmed in the service contract.

Breakdown of technical means of protection

For the safety of trade secrets it is recommended to protect not only operating systems and devices but the entire perimeter of the office premises and the controlled area around external communications. For this purpose, window caps, seals for architectural structures (against wiretapping), shielding and noise-generation devices (to make interception of radio emissions impossible) and other equipment are used.

If one of these devices breaks down, an information leakage channel arises that an attacker can use to intercept classified data.

If computers and other data processing equipment break down, they must be repaired at a service centre. Taking a device outside the premises and handing it to an outsider (even one not interested in obtaining official secrets) is a possible cause of a leak, because the company's security department cannot control devices while they are outside the firm. Storage media should therefore be removed, or their contents encrypted, before a device is sent for repair.

Reason 7 - Leakage through technical transmission channels

A data leakage channel is a physical environment within which the propagation of secret information is not controlled. Any enterprise that uses computers, server racks and networks has leakage channels, through which an attacker can gain access to trade secrets.

The following leakage channels exist:

  • Speech (acoustic). Competitors often use wiretaps and other covert listening devices with which secrets are stolen.
  • Vibroacoustic. This channel arises when sound strikes architectural structures (walls, floors, windows). The vibrations can be picked up and converted back into speech. Using directional microphones at a distance of up to 200 metres from the room, an attacker can listen to a conversation in which official information is discussed.
  • Electromagnetic. All technical means produce electromagnetic emissions when they operate. Signals passing between hardware elements can be picked up by special equipment at a considerable distance and used to recover secret data.
  • Visual. An example of a visual channel is holding meetings and conferences with uncovered windows: from a nearby building an attacker can easily observe everything that is happening. Covert video devices that transmit a picture of what is happening to competitors are also used.

Means of protection against these channels include:

  • A thermal imager, with which walls and interior items can be scanned for embedded devices (bugs, video cameras).
  • Devices that jam radio frequency signals.
  • Protective treatment of architectural structures (seals for windows, doorways, floors and ceilings) that isolate sound and make it impossible to read vibrations from the building's surfaces.
  • Shielding and noise-generation devices, used to close the electromagnetic channel.

All communications that leave the premises and the controlled area (pipes, cables, communication lines) should also be grounded.

How to minimize the risk of leakage?

There are several effective methods that help reduce the risk of leakage and disclosure. An enterprise can use all of them or only some, because the security system must be economically justified: the cost of implementing and maintaining it must not exceed the losses expected from the loss of classified information.

Encryption

Encryption is a simple and effective method of protecting trade secrets. Modern encryption software uses internationally standardised ciphers (AES, GOST ciphers), key exchange protocols such as Diffie-Hellman (with which two parties agree on a key even over a channel the attacker can observe), and elliptic-curve cryptography for key agreement and signatures. Recovering the plaintext of a correctly used modern cipher without the key is computationally infeasible.

Benefits of using encryption to prevent leakage of business information:

  • Ease of use. Encryption is implemented by special software installed on every computer and mobile device in which classified information circulates. The application is configured by the system administrator or security administrator, so the average user does not need to learn how to operate the protection. All files are encrypted and decrypted automatically within the corporate network.
  • If important electronic documents must be transferred outside the corporate network, they are stored on a flash drive, cloud drive or in e-mail only in encrypted form. The drawback is that without the special software the employee cannot view the contents of the file.
  • High degree of reliability. With strong cryptographic algorithms an attacker gains nothing from intercepted secret messages or company traffic, because decryption is impossible without the secret key (the shared symmetric key, or the private key of the recipient).

Note that encryption alone does not protect secrets from every attack. Employees can read the contents of electronic documents within the corporate network without difficulty, so the risk of unauthorised disclosure to third parties remains. The use of cryptography is nevertheless an integral part of every comprehensive security system.
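To make concrete what "encrypted form" buys and what it does not, here is an added Go example, not from the original lecture or from any vendor product, of encrypting a document with AES-256-GCM, an authenticated mode, so that a stolen or intercepted copy is both unreadable without the key and detectably unmodifiable. It covers the business-trip and partner-company cases discussed earlier as well, since the sealed blob can sit on a laptop, flash drive or cloud drive. The document identifier, the sample text and the in-memory key handling are assumptions; a real deployment keeps keys in a key-management service or derives them from a user secret with a slow key derivation function.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const KeySize = 32 // AES-256

// NewKey returns a fresh random key. Assumption for the example: the key is
// only generated and kept in memory, not wrapped by a key-management service.
func NewKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != KeySize {
		return nil, fmt.Errorf("key must be %d bytes, got %d", KeySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM under key. docID is bound as associated
// data, so a ciphertext cannot be silently relabelled as another document. A fresh
// random 96-bit nonce is stored in front of the output: nonce || ciphertext || tag.
func Seal(key []byte, docID string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(docID)), nil
}

// Open decrypts a blob produced by Seal after verifying its tag. Any change to the
// nonce, ciphertext, tag or docID yields an error, never corrupted plaintext.
func Open(key []byte, docID string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(docID))
}

// Check records the properties a practitioner verifies before trusting the scheme.
type Check struct{ Recovered, WrongKeyRejected, TamperRejected, RelabelRejected bool }

// Roundtrip seals doc under a fresh key as document id and exercises the four checks.
func Roundtrip(doc []byte, id string) (Check, error) {
	var c Check
	key, err := NewKey()
	if err != nil {
		return c, err
	}
	blob, err := Seal(key, id, doc)
	if err != nil {
		return c, err
	}
	pt, err := Open(key, id, blob)
	if err != nil {
		return c, err
	}
	c.Recovered = bytes.Equal(pt, doc)
	wrong := append([]byte(nil), key...) // a thief who lacks the exact key gets nothing usable
	wrong[0] ^= 0xff
	_, err = Open(wrong, id, blob)
	c.WrongKeyRejected = err != nil
	tampered := append([]byte(nil), blob...) // one flipped bit anywhere fails the tag check
	tampered[len(tampered)/2] ^= 0x01
	_, err = Open(key, id, tampered)
	c.TamperRejected = err != nil
	_, err = Open(key, id+"-other", blob) // same bytes presented as a different document
	c.RelabelRejected = err != nil
	return c, nil
}

func main() {
	// Constructed sample document, not real company data.
	doc := []byte("Cash-flow forecast Q3: supplier margin 18%, reserve 12.4 MRUB")
	c, err := Roundtrip(doc, "contract-2018-017")
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", c)
}
```

Note what the checks do not cover: anyone holding the key (an employee inside the corporate network, or a partner who was given it) reads the document normally, which is the residual risk the paragraph above describes. AES-GCM also requires that a nonce never repeat under one key; the random nonce handles this as long as the number of documents sealed per key stays far below 2^32.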

Personnel control

Hardware is easy to control; personnel are one of the most dangerous sources of leakage. The human factor is always present, and even security personnel cannot always determine which employee may pose a threat.

As a rule, the search for an insider among the staff begins only when the first cases of data being passed to competitors become known. Security administrators check whether interception through technical leakage channels was possible, and if all channels are reliably protected, suspicion falls on the employees.

Employees' activities are monitored using time and activity tracking systems: a hardware and software complex that records the exact time of arrival and departure, personnel activity at the computer and corporate e-mail correspondence, conducts video surveillance, and passes all this data to company management or the head of the security department. The collected information is then analysed and the circle of employees who could have disclosed commercial secrets is narrowed down.

Norms for documenting and transferring trade secrets

Protect not only electronic documents but also all printed documents containing classified information. According to the legislation on the storage and processing of documents containing commercial secrets, the following requirements must be met:

  • Store all documents with trade secrets exclusively in separate locked rooms guarded around the clock by video surveillance or security guards.
  • Only employees who need official secrets for their work may have access to them.
  • The removal of a document from the archive is entered in the registration log, indicating the exact date, the document's stamp and the initials of the person who received the copy. The same is done when the document is returned.
  • A document containing a trade secret may not be taken out of the office without notifying the head of the security department.
  • Secret documents are transferred between branches of the enterprise by courier mail, a secure courier service for documents of particular importance.

Today, information is one of an organisation's sources of wealth. Almost all information related to an organisation's activities is confidential and therefore needs protection; yet managers are often careless about maintaining confidentiality, and the result is a leak. Protecting the confidentiality of information means a set of measures aimed at ensuring information security.

Failure to comply with trade secret protection measures, or an incorrect information security policy, gives rise to threats to information resources. A threat to information resources is understood as the combined influence of factors of the organisation's external and internal environment aimed at illegally or maliciously obstructing or hindering its functioning in accordance with its statutory, long-term and short-term goals and objectives, or at alienating the results of its activities.

Each threat, whatever its content, leads to a breach of the confidentiality of information and of the regime governing it, that is, it causes damage to the owner of the trade secret. Confidential information is protected and threats are countered in order to eliminate the threat altogether, or at least to reduce the possible damage.

One of the most significant threats to information resources is the leak of confidential information: the release of information outside the organisation or outside the circle of persons entitled to know it. A leak can take place through various technical channels. An information leakage channel is understood as a path from a source of confidential information to a person who wants to obtain it. For a leakage channel to form, certain spatial, energy and time conditions are required, as well as equipment on the attacker's side for receiving, processing and recording the information.

The main channels of leakage are the organisation's employees, documents (for example, reports) and technical channels.

In addition, a leak can occur during joint work with other firms (for example, when creating joint ventures), during consultations with outside specialists who gain access to the firm's documentation and production activities, through fictitious enquiries about the possibility of concluding deals with the organisation, etc.

Technical channels of confidential information leakage are visual-optical channels, acoustic channels, electromagnetic channels, computer networks, and telephone, cellular and paging communication channels.

At present one of the main ways of transmitting large amounts of confidential information is the telephone. As an example, let us therefore consider technical methods of protecting confidential information transmitted over telephone lines.

All kinds of listening devices are used to eavesdrop on telephone conversations: microphones built into the handset, microphone amplifiers, electronic switches and other technical means.

There are active and passive methods and means of protecting a telephone from information leakage through the electroacoustic channel and from interception by electronic devices. The most common passive protection methods are:

  • limiting dangerous signals;
  • filtering dangerous signals;
  • disconnecting the sources of dangerous signals.

The most effective protection is to disconnect telephones from the line while confidential conversations are held in the room where they are installed. The simplest implementation is a special switch in the body of the telephone or in the line that disconnects the telephone from the line, either manually or automatically when the handset is on-hook.

Active methods of protection against leakage through the electroacoustic channel amount to applying a masking low-frequency noise signal. To protect against interception by electronic devices there is another method (high-frequency broadband masking interference), in which a masking high-frequency broadband noise signal is fed into the telephone line while the handset is on-hook.

Wiretapping is possible with electronic voice interception devices connected to the telephone line in one of three ways: in series (by breaking one of the wires), in parallel (across both wires), or through an induction sensor (contactless). In the first two cases the interception device is powered from the telephone line; in the last, from an autonomous source. The radio transmitter is activated only for the duration of the telephone conversation, and the intercepted speech can be recorded. Eavesdropping is also possible by connecting a second telephone set in the next room.

There are several active methods of protecting telephone conversations by suppressing electronic interception devices.

The high-frequency masking interference method consists in feeding a broadband masking signal into the line during the conversation. Its frequency is chosen so that, after passing through the microphone amplifier of the recording device, its level is sufficient to suppress the speech signal, while the quality of the telephone conversation does not deteriorate. The effectiveness of the interference increases as its frequency decreases: the lower the frequency, the greater its interfering effect on the useful (speech) signal.

The "zeroing" method consists in applying to the line, at the moment of a telephone conversation, a constant voltage of reverse polarity equal to the line voltage with the handset off-hook. It is used to disable voice interception devices that are connected to the line by contact and draw their power from it, such as parallel telephones and telephone radio bugs.

The compensation method works as follows: when a voice message is transmitted, a special generator on the receiving side feeds a masking interference into the telephone line and into one input of a two-channel adaptive filter, while the mixture of the received useful (speech) signal and the same interference is fed into the filter's other input. The adaptive filter then extracts the useful signal by cancelling the noise component and passes it to the telephone set or recorder. This method is highly effective against all known means of unauthorised retrieval of information from the telephone line and is widely used for masking and hiding voice messages transmitted by the subscriber.

The "burn-out" method consists in applying high-voltage pulses to the telephone line while the telephone set is disconnected from it. The pulses are sent twice: once with the line open (to "burn out" devices connected in parallel) and once with it short-circuited (to "burn out" devices connected in series).

At present, telephone lines are protected not only by simple devices that implement one protection method but also by complex devices that combine several methods, including protection against leakage through the electroacoustic channel.

Protection against leakage through the acoustic channel is a set of measures that exclude or reduce the possibility of confidential information leaving the controlled area by way of acoustic fields.


CONCLUSION

In this lecture we examined the concepts of "commercial secret" and "commercial secret regime", as well as the main provisions of the Federal Law of the Russian Federation "On Commercial Secrets". The lecture also covered the leakage channels of confidential information and the methods of protecting it.
