Information security threat model. Budgetary institution of the Chuvash Republic

Greetings, Habiters!
  • to understand the threats and vulnerabilities present in the information system, and the intruders relevant to it, in order to start the technical design work to neutralize them;
  • for show, so that all the conditions of a certain project are formally met, for example in the field of personal data (I am not saying that the threat model in personal data projects is always done for show, but basically it is).
Management also plays an important role here. It depends on what management wants: to competently design and build protection (our option), or to defend itself against regulatory authorities. But that topic deserves a separate article; there is plenty to say about it.

The threat model and the intruder model are inextricably linked. There has been a lot of controversy over whether these models should be separate documents or a single one. In my opinion, for the convenience of building a threat model and an intruder model, it is more correct to do this in one document. When the threat model is handed over to engineers (if different departments in the company handle threat modeling, intruder modeling and design), they need to see the whole picture rather than read two documents and spend time connecting them. Thus, in this article I will describe the threat model and the intruder model (hereinafter referred to as the threat model) as a single, indivisible document.

Typical problems

From my own experience, I have seen a large number of threat models written in so many different ways that it was simply unrealistic to bring them to one template. The author did not have a clear idea of what to write in such a document, whom the document was for and what its purpose was. Many people ask how many pages the threat model should be, what to write in it and how best to do it.

I found the following typical mistakes in compiling a threat model:

  • lack of understanding of whom this document is for;
  • lack of understanding of the structure of the document;
  • lack of understanding of the required content of the document;
  • lack of conclusions necessary for the design.

Threat Model Plan

Since, after drawing up the threat model, we will hand it over to engineers for analysis (not a prerequisite), the information is grouped for the convenience of both the developer of the threat model and the engineer who will then analyze it.
In compiling the threat model, I stick to the following plan (subsections not included):
Introduction
1. List of abbreviations
2. List of regulatory documents
3. Description of IS
4. Security threats
Conclusion.
Appendix A.
Appendix B.
Appendix C.
Looking ahead, the threat model is built on the principle: "It is not necessary to read the entire document to understand its meaning and draw the correct conclusions." Let's take a look at each of the points.

Introduction

A typical introduction describing the purpose of this document and what needs to be defined at the stage of writing.

1. List of abbreviations

Why is it here? - you ask. And I will answer you:
  • the document can be read not only by an information security specialist;
  • the document can be read by senior management who has some kind of technical education;
  • when describing the Information System, some terms may be unknown to either the specialists or the management.

2. List of regulatory documents

This section is usually needed in projects where regulatory documentation imposes requirements or recommendations. For example, when working with personal data, the regulatory documents of the FSTEC, FSB, etc. are listed in this section.

3. Description of IS

This section is one of the main parts of the threat model. The description of the Information System should break it down in as much detail as possible. The data should include:
  • used technical means, their purpose. As an example:

The identifier serves to quickly refer to the asset from the text of the document, the description serves to understand what kind of technical means is used, the note serves to clarify the data on the technical means and their purposes.
  • detailed description of technical means. As an example: TS is a terminal server. Connecting remote clients via RDP protocol to work with the system. The connection takes place from hardware thin clients and personal computers. An application used to work with the database is installed on the terminal server.
  • Connection diagram of technical means. This diagram should reflect the detailed architecture of the information system.
  • Implemented protective measures. This information will allow the developer of the threat model to take into account the already implemented protection measures and assess their effectiveness, which will, with a certain degree of probability, reduce the cost of purchasing protection measures.
  • Formation of a list of assets. It is necessary to define a list of assets, their importance to the company and an identifier for quick reference from the document. As an example:

Depending on the selected risk assessment methodology, section 3 of the threat model may contain additional information. For example, in the case of modeling threats to personal data, this section is supplemented by "indicators of the initial security of the ISPDN", "the main characteristics of the ISPDN".

4. Security threats

This section describes the results of threat modeling. The description includes:
  • the relevance of external or internal threats;
  • list of actual violators;
  • list of current threats to information security.
The list of current threats can be conveniently arranged in the form of the following table:

Here again, everything is simple, the identifier, the description of the threat and the assets that are affected by the threat. There is more than enough information.

Conclusion

In conclusion, it is necessary to describe what measures need to be taken to protect the Information System. Example:

1. Protection against unauthorized connection of unregistered technical means:

  • DBMS servers;
  • application servers.
2. Cryptographic protection of communication channels for access to the Information System (building a VPN network).

The sections described above contain all the data needed to design the protection system for the information system. All the information that defines the actual offenders and calculates the actual threats to information security is in the appendices. This allows you to get all the information you need from the first pages of the document. From experience, I can say that a threat model for a good project and a serious information system takes 100 pages or more. The information presented above usually takes no more than 30.

Appendix A

In Appendix A, I usually describe the intruder model. As a rule, it consists of:
  • descriptions of the types of offenders and their capabilities (internal, external);
  • description of access channels in the IS (physical, public, technical)
  • description of these types of violators with reference to the staff structure of the organization;
  • a description of the capabilities of these offenders;
  • determination of the relevance of each of the types of violators.

Resulting table:

| Intruder type | Categories of offenders | Identifier |
|---|---|---|
| External intruder | Criminal structures, external actors (individuals) | N1 |
| Insider intruder | Persons with authorized access to the KZ, but not having access to the ISPD (technical and maintenance personnel) | N2 |
| | Registered ISPD users with access to PD | N3 |
| | Registered ISPDN users with the authority of a security administrator for the ISPDN segment | N4 |
| | Registered users with the authority of a system administrator ISPDN | N5 |
| | Registered users with the authority of the ISPDN security administrator | N6 |
| | Programmers-developers (suppliers) of application software and persons providing its support at the protected object | N7 |
| | Developers and persons providing the supply, maintenance and repair of technical means for ISPD | N8 |

Appendix B

This appendix is used to describe threats and calculate their relevance. Depending on the chosen methodology for determining the relevance of information security threats or for risk assessment, this appendix (section) can be laid out in different ways. I describe each threat with the following table:

It didn't work out very well to format the table in the Habr editor; it looks much better in the document. This type of table originates from the standards of the STO BR series. It was then slightly modified for personal data projects, and now it is a means of describing threats for any project. The table makes it possible to fully calculate the relevance of an information security threat to the company's assets. If a risk assessment methodology is used, the table will also work. This example is given for calculating the relevance of threats within a personal data protection project. The table is read as follows: Threat -> Intruder -> Assets -> Violated properties -> Data for calculating relevance -> Conclusions.

Each threat is formalized with this table, which fully describes it, and on the basis of this table you can easily draw a conclusion about the relevance or irrelevance of the threat.
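The document layout described here only works if the short summary sections and the appendices agree with each other, and that can be checked mechanically. The following is an added example, not part of the original article: the asset and threat identifiers, the sample rows and the function name `check_threat_model` are constructed for illustration, while the intruder identifiers follow the N1..N8 table above.

```python
from dataclasses import dataclass

CIA = {"confidentiality", "integrity", "availability"}


@dataclass(frozen=True)
class ThreatRecord:
    """One Appendix B table: threat -> intruder -> assets -> violated properties -> conclusion."""
    threat_id: str
    intruders: frozenset
    assets: frozenset
    violated: frozenset
    relevant: bool  # the conclusion drawn from the relevance calculation


def check_threat_model(assets, relevant_intruders, appendix_b, section_4):
    """Return a sorted list of inconsistencies between the summary sections and the appendices."""
    findings = []
    known_assets = set(assets)
    records = {}
    for rec in appendix_b:
        if rec.threat_id in records:
            findings.append(f"{rec.threat_id}: duplicate Appendix B record")
        records[rec.threat_id] = rec
        for asset in sorted(rec.assets - known_assets):
            findings.append(f"{rec.threat_id}: unknown asset {asset}")
        for prop in sorted(rec.violated - CIA):
            findings.append(f"{rec.threat_id}: unknown property {prop}")
        if rec.relevant and not rec.violated:
            findings.append(f"{rec.threat_id}: relevant but no violated property")
        if rec.relevant and not (rec.intruders & relevant_intruders):
            findings.append(f"{rec.threat_id}: relevant but no relevant intruder")
    # Section 4 (the summary) must match the conclusions in Appendix B.
    for threat_id, listed_assets in section_4.items():
        rec = records.get(threat_id)
        if rec is None:
            findings.append(f"{threat_id}: in Section 4 without Appendix B record")
        elif not rec.relevant:
            findings.append(f"{threat_id}: in Section 4 but concluded irrelevant")
        elif set(listed_assets) != set(rec.assets):
            findings.append(f"{threat_id}: asset list differs from Appendix B")
    for threat_id, rec in records.items():
        if rec.relevant and threat_id not in section_4:
            findings.append(f"{threat_id}: relevant but missing from Section 4")
    # Assets from section 3 that no current threat refers to deserve a second look.
    covered = set()
    for listed_assets in section_4.values():
        covered |= set(listed_assets)
    for asset in sorted(known_assets - covered):
        findings.append(f"{asset}: no current threat references this asset")
    return sorted(findings)


# Constructed sample data (not taken from a real threat model).
ASSETS = {
    "A1": "Terminal server (TS)",
    "A2": "DBMS server",
    "A3": "Application server",
    "A4": "Thin clients",
}
RELEVANT_INTRUDERS = {"N1", "N3"}  # result of Appendix A
APPENDIX_B = [
    ThreatRecord("T1", frozenset({"N1"}), frozenset({"A1", "A2"}),
                 frozenset({"confidentiality", "integrity"}), True),
    ThreatRecord("T2", frozenset({"N5"}), frozenset({"A2"}),
                 frozenset({"availability"}), True),
    ThreatRecord("T3", frozenset({"N3"}), frozenset({"A3", "A9"}),
                 frozenset({"integrity"}), False),
    ThreatRecord("T4", frozenset({"N3"}), frozenset({"A3"}),
                 frozenset({"integrity"}), True),
]
SECTION_4 = {"T1": {"A1"}, "T2": {"A2"}, "T3": {"A3"}, "T5": {"A1"}}

if __name__ == "__main__":
    for finding in check_threat_model(ASSETS, RELEVANT_INTRUDERS, APPENDIX_B, SECTION_4):
        print(finding)
```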

Appendix C

Appendix C is a reference. It describes methods for calculating relevance, or methods for assessing risks.

As a result, when using this design technique, the threat model will be a readable and useful document that can be used in the organization.

Thank you for your attention.

Classification of unauthorized influences

A threat is understood as a potentially existing possibility of accidental or deliberate action (inaction), as a result of which the basic properties of information and its processing systems may be violated: availability, integrity and confidentiality.

Knowing the range of potential threats to protected information, and being able to qualify and objectively assess the possibility of their implementation and the degree of danger of each of them, is an important stage in the complex process of organizing and ensuring protection. Determining the full set of IS threats is almost impossible, but a relatively complete description of them, in relation to the object under consideration, can be achieved by compiling a detailed threat model.

Remote attacks are classified by the nature and purpose of the impact, by the condition for the beginning of the impact and the presence of feedback from the attacked object, by the location of the attacker relative to the attacked object, and by the layer of the Open Systems Interconnection reference model (EMVOS) on which the impact is carried out.

Classification features of protected objects and security threats to automated systems (AS), and possible ways of unauthorized access (NSD) to information in protected AS:

  • 1) by the principle of NSD:
    • physical. It can be implemented through direct or visual contact with the protected object;
    • logical. It involves overcoming the protection system by software means, through logical penetration into the structure of the AS;
  • 2) by the path of NSD:
    • using a direct standard access path. Weaknesses in the established security policy and the network administration process are exploited. The result can be masquerading as an authorized user;
    • using a hidden non-standard access path. Undocumented features (weaknesses) of the protection system are used (shortcomings of the algorithms and components of the protection system, errors in the implementation of the protection system design);
    • a group of special danger is represented by IS threats carried out by actions of the intruder that allow not only unauthorized influence (NSV) on the information resources of the system, through special software and software-hardware means, but also NSD to information ...
  • 3) by the degree of automation:
    • performed with the constant participation of a person. Publicly available (standard) software can be used. The attack is carried out as a dialogue between the intruder and the protected system;
    • carried out by special programs without direct human participation. Special software is used, most often developed using virus technology. As a rule, this method is preferred for carrying out an attack;
  • 4) by the nature of the impact of the NSD subject on the object of protection:
    • passive. It does not have a direct impact on the AS, but it can violate the confidentiality of information. An example is the monitoring of communication channels;
    • active. This category includes any unauthorized influence whose ultimate goal is to make some change in the attacked AS;
  • 5) by the condition for the beginning of the impact:
    • an attack on request from the attacked object. The subject of the attack is initially conditionally passive and waits for a request of a certain type from the attacked AS, the weaknesses of which are used to carry out the attack;
    • an attack upon the occurrence of an expected event on the attacked object. The OS of the target is monitored. The attack starts when the AS is in a vulnerable state;
    • unconditional attack. The subject of the attack actively affects the object of the attack, regardless of the state of the latter;
  • 6) by the purpose of the impact. Security is considered as a combination of confidentiality, integrity, availability of resources, and operability (stability) of the AS, the violation of which is reflected in the conflict model;
  • 7) by the presence of feedback from the attacked object:
    • with feedback. This implies bidirectional interaction between the subject and the object of the attack in order to obtain from the object any data that affects the further course of the NSD;
    • without feedback. A unidirectional attack. The subject of the attack does not need a dialogue with the attacked AS. An example is the organization of a directed "storm" of requests. The goal is to disrupt the operability (stability) of the AS;
  • 8) by the type of protection weaknesses used:
    • shortcomings of the established security policy. The security policy developed for the AS does not meet the security criteria, which is used to carry out NSD;
    • administrative errors;
    • undocumented features of the security system, including those related to software: errors, OS updates that have not been applied, vulnerable services, unprotected default configurations;
    • shortcomings of protection algorithms. The security algorithms used by the developer to build the information security system do not reflect the real aspects of information processing and contain conceptual errors;
    • errors in the implementation of the protection system design. The implementation of the information security system design does not comply with the principles laid down by the system developers.

Logical features of protected objects:

  • 1) security policy. It is a set of documented conceptual decisions aimed at protecting information and resources, and includes goals, requirements for protected information, a set of information security measures, and the duties of the persons responsible for information security;
  • 2) the process of administrative management. It includes management of the configuration and performance of the network, access to network resources, measures to improve the reliability of the network, system and data recovery, and monitoring that protection tools function correctly and in accordance with the security policy;
  • 3) components of the protection system:
    • the cryptographic information protection system;
    • key information;
    • passwords;
    • information about users (identifiers, privileges, powers);
    • settings of the protection system;
  • 4) protocols. As a set of functional and operational requirements for the components of network software and hardware, they must be correct, complete and consistent;
  • 5) functional elements of computer networks. In general, they must be protected from overload and from destruction of "critical" data.

Possible ways and methods of implementing unauthorized attacks (types of attacks):

  • 1) analysis of network traffic, study of the LAN and protection means to find their weaknesses and study the algorithms by which the AS functions. In systems with a physically dedicated communication channel, messages are transmitted directly between the source and the receiver, bypassing other objects in the system. In such a system, without access to the objects through which the message is transmitted, there is no software capability for analyzing network traffic;
  • 2) introduction of unauthorized devices into the network;
  • 3) interception of transmitted data for the purpose of theft, modification or redirection;
  • 4) substitution of a trusted object in the AS;
  • 5) introduction of an unauthorized route (object) into the network by imposing a false route and redirecting the flow of messages through it;
  • 6) introduction of a false route (object) into the network by using the shortcomings of remote search algorithms;
  • 7) exploitation of vulnerabilities of general system and application software;
  • 8) cryptanalysis;
  • 9) use of shortcomings in the implementation of cryptographic algorithms and cryptographic programs;
  • 10) interception, guessing, substitution and prediction of generated keys and passwords;
  • 11) assignment of additional powers and changes to the settings of the security system;
  • 12) introduction of software implants;
  • 13) disruption of the operability (stability) of the AS by introducing an overload, destroying "critical" data or performing incorrect operations;
  • 14) access to a network computer that receives messages or performs routing functions.

Attackers classification

The possibility of carrying out harmful influences depends to a large extent on the status of the attacker in relation to the computer system (CS). An attacker could be:

  • 1) a developer of the CS;
  • 2) an employee from among the service personnel;
  • 3) a user;
  • 4) an outsider.

The developer has the most complete information about the software and hardware of the CS. The user has a general idea of the structure of the CS and of how the information protection mechanisms work. He can collect data on the information security system using traditional espionage methods, as well as attempt unauthorized access to information. An outsider who has no relation to the CS is in the least advantageous position compared with other attackers. If we assume that he does not have access to the CS facility, then he has at his disposal remote methods of traditional espionage and the possibility of sabotage. He can cause harm using electromagnetic radiation and interference, as well as communication channels if the CS is distributed.

Specialists who maintain these systems have great opportunities to harm the information in the CS. Moreover, specialists from different departments have different potential for malicious actions. The greatest harm can be inflicted by employees of the information security service. Next come system programmers, application programmers, and engineering staff.

In practice, the threat of an attacker also depends on the financial, material and technical capabilities and qualifications of the attacker.

At the moment I am engaged in revising the private policy on the risks of information security breaches and updating the information security threat model.

In the course of my work, I ran into some difficulties. How I solved them and developed a private threat model will be discussed further.

Previously, many banks used the Sectoral model of personal data security threats, taken from the Recommendation in the field of standardization of the Central Bank of the Russian Federation BR IBBS-2.4-2010 "Ensuring the information security of organizations in the banking system of the Russian Federation. Sectoral private model of threats to the security of personal data during their processing in information systems of personal data of organizations of the banking system of the Russian Federation" (RS BR IBBS-2.4-2010). But in connection with the publication of information from the Bank of Russia dated 05/30/2014, the document became invalid. Now you need to develop it yourself.

Not many people know that with the release of the Bank of Russia Standardization Recommendation "Ensuring Information Security of Organizations of the Banking System of the Russian Federation. Preventing Information Leaks" RS BR IBBS-2.9-2016 (RS BR IBBS-2.9-2016), the concepts were substituted. Now when defining a list of categories of information and a list of types of information assets it is recommended to focus on the content of clauses 6.3 and 7.2 of the RS BR IBBS-2.9-2016. Previously, it was clause 4.4 of the Recommendations in the field of standardization of the Bank of Russia "Ensuring information security of organizations in the banking system of the Russian Federation. Methodology for assessing information security risks" RS BR IBBS-2.2-2009 (RS BR IBBS-2.2-2009). I even turned to the Central Bank for clarification:

The main sources of threats are listed in clause 6.6 of the Bank of Russia Standard "Ensuring information security of organizations in the banking system of the Russian Federation. General provisions" STO BR IBBS-1.0-2014 (STO BR IBBS-1.0-2014). Intruder potential can be taken from here.

In general, when determining actual information security threats it is necessary to take into account information security incidents that occurred in the organization, information from analytical reports of regulators and companies providing information security services, and the expert opinion of the company's specialists.

Cybersecurity threats are also determined in accordance with the Ordinance of the Bank of Russia dated December 10, 2015 N 3889-U "On the determination of threats to the security of personal data that are relevant when processing personal data in personal data information systems" (3889-U), Appendix 1 of the RS BR IBBS-2.2-2009, table 1 of the RS BR IBBS-2.9-2016 (I made it a separate appendix), and the FSTEC of Russia Information Security Threats Databank (BDU).

By the way, I noticed that some threats from 3889-U duplicate threats from the BDU:

  • threat of exposure to malicious code external to the personal data information system - UBI.167, UBI.172, UBI.186, UBI.188, UBI.191;
  • the threat of using social engineering methods to persons with powers in the personal data information system - UBI.175;
  • the threat of unauthorized access to personal data by persons who do not have authority in the personal data information system, using vulnerabilities in the software of the personal data information system - UBI.192;

In this regard, I excluded duplicate threats from 3889-U in favor of UBI, since their description contains additional information that facilitates filling out tables with a threat model and an information security risk assessment.

Current threats for the threat source "Adverse events of natural, man-made and social nature" can be determined based on the statistics of the Ministry of Emergency Situations of the Russian Federation on emergency situations and fires.

Current threats for the threat source "Terrorists and Criminals" can be determined based on the statistics of the Ministry of Internal Affairs of the Russian Federation on the state of crime and the newsletter "Crimes in the banking sector".

At this stage, we have identified the sources of information security threats and current information security threats. Now let's move on to creating a table with an IS threat model.

As a basis, I took the table "Industry model of personal data security threats" from the RS BR IBBS-2.4-2010. The columns "Threat source" and "Threat realization level" are filled in according to the requirements of clauses 6.7 and 6.9 of STO BR IBBS-1.0-2014. We are left with the empty columns "Types of objects of the environment" and "Security threat". The latter I renamed "Consequences of the threat implementation", as in the BDU (in my opinion, this is more correct). To fill them out, we need the description of our threats from the BDU.

As an example, consider "UBI.192: The threat of using vulnerable software versions":
Description of the threat: the threat lies in the possibility of a destructive effect on the system by an intruder by exploiting software vulnerabilities. This threat is caused by weaknesses in the mechanisms for analyzing software for vulnerabilities. The implementation of this threat is possible if the software is not checked for vulnerabilities before using the software.
Sources of threat: internal intruder with low potential; external intruder with low potential.
Object of influence: application software, network software, system software.
Consequences of threat realization: violation of confidentiality, violation of integrity, violation of availability.

For convenience, I have distributed the types of environment objects (objects of influence) according to the levels of threat realization (the levels of the bank's information infrastructure).

I compiled the list of environment objects from clause 7.3 of the RS BR IBBS-2.9-2016, clause 4.5 of the RS BR IBBS-2.2-2009 and from the description of the UBI. Threat realization levels are presented in clause 6.2 of STO BR IBBS-1.0-2014.

So, this threat affects the following levels: the level of network applications and services; the level of banking technological processes and applications.

I did the same with other cybersecurity threats.

The result is such a table.

UDC 004.056

I. V. Bondar

PROCEDURE FOR BUILDING THE INFORMATION SECURITY THREAT MODEL FOR AUTOMATED SYSTEMS *

The technique of constructing a model of threats to information security is considered. The purpose of modeling is to control the level of security of the information system using risk analysis methods and to develop an effective information protection system that neutralizes perceived threats with appropriate protective measures.

Key words: threat model, information system, information security system model.

Currently, of particular relevance is the development of a methodology that makes it possible, within a unified approach, to design automated systems in a protected configuration in compliance with the requirements of regulatory and methodological documents, to automatically generate a list of protective measures, and to search for the optimal set of information security tools (SIS) corresponding to this list.

One of the main tasks of ensuring information security is to determine the list of threats and assess the risks of the impact of current threats, which makes it possible to substantiate the rational composition of the information protection system. Although tasks of this kind are already being solved (see, for example,), including within the framework of a unified methodology, all of them are not without limitations and are aimed at forming a threat model suitable for solving a particular problem. I would especially like to note the rarity of attempts to visualize threat models.

This article presents a methodology for modeling threats to information security for automated systems based on a geometric model. This technique is interesting, first of all, by the versatility of taking into account negative effects, which was previously encountered only in the work where the model was built on the basis of perturbation theory, and by the possibility of visualizing the result. The usual way of visualization - the use of Kohonen maps with their inherent limitations and disadvantages - is not considered by the author, which increases the versatility of the solution.

Geometric model of the information protection system. Let $P = (p_1, p_2, \ldots, p_z)$ be the set of means of protection, and $A = (a_1, a_2, \ldots, a_n)$ be the set of attacks. Those attacks that cannot be expressed by combinations of attacks will be called independent. Their set $A'$ is a subset of the set $A$, the basis of attacks. Let us choose the space $\mathbb{R}^n$ for constructing the geometric model of the information protection system, the dimension of which coincides with the cardinality of the set $A$.

Any attack $A_i \in A$ is associated with certain means of protection $(p'_1, p'_2, \ldots, p'_k) \subset P$. We denote this set $(p'_1, p'_2, \ldots, p'_k) = P_{A_i}$.

If a means of protection does not belong to the set $P_{A_i}$, then the attack $A_i$ is not dangerous for it.

The coordinate axes in the space $\mathbb{R}^n$ represent the classes of threats. The unit of measure on the coordinate axes is an independent attack that is assigned to a means of protection. For each attack, the values of the coordinates of the corresponding vector indicate the means of protection that are part of the system under study.

As an example, let us consider the attack "NSD to information stored on the workstation by an external intruder" in Cartesian space, where the x-axis represents threats associated with physical security, y represents threats related to hardware and software protection, and z represents threats associated with organizational and legal protection (Fig. 1). The attack can be implemented in the event of failure to comply with three protection measures: "Intruder in the controlled area", "Unblocked OS session" and "Security violation".

Fig. 1. Attack model "NSD to information stored on the workstation by an external intruder"

This attack can be carried out in other ways, such as "Connecting to hardware and OI systems", "Using backbone tools", "Disguising as a registered user", "Software defects and vulnerabilities", "Programming bookmarks", "Application of viruses and other malicious program code", "Theft of the protected information carrier", "Violation of the functioning of the information processing TS" (Fig. 2).

* The work was carried out within the framework of the Federal Target Program "Research and Development in Priority Areas of Development of the Scientific and Technological Complex of Russia for 2007-2013" (GK No. 07.514.11.4047 dated 06.10.2011).

Initially, each vector $p_i$ is in the first coordinate octant. Let us construct the surface of a convex polytope $\zeta$ in $\mathbb{R}^n$ so that each of its vertices coincides with the end of one of the vectors $p_1, p_2, \ldots, p_z$. The surface of the polytope $\zeta$ together with the vectors $p_1, p_2, \ldots, p_z$ will be considered as the geometric model of the information protection system.

Fig. 2. Attack model "NSD to information stored on the workstation by an external intruder"

It is natural to formalize the result of the impact of any attack $A_i$ as the reflection of a vector along the axis with an unfulfilled protection measure. With this modeling method, the vectors corresponding to the means for which this attack is not dangerous will not change their position (Fig. 3).

So, after the impact of the attack $A_i$, with the proposed method of modeling, only the $i$-th coordinate of the vectors $p_1, p_2, \ldots, p_z$ included in the geometric model will change, and all other coordinates will remain unchanged.

Based on the results of attack modeling, one can judge the sensitivity or insensitivity of the information system (IS) to disturbing influences. If the coordinates of the polyhedron belong to the first coordinate octant, then it is concluded that the IS is insensitive to the disturbing effect; otherwise it is concluded that the protective measures are insufficient. The measure of stability is reduced to carrying out such a number of iterations at which the IS remains unperturbed by the effects of combinations of attacks.
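The reflection step and the first-octant test described above, as an added example that is not code from the paper. It follows one reading of the text: attack $A_i$ negates the $i$-th coordinate of every vector in $P_{A_i}$ whose protection measure is unfulfilled, and stability is taken as the largest number of combined attacks that still leaves every vertex in the first octant. The measure names, coordinates and the `unfulfilled` set are constructed for illustration.

```python
from itertools import combinations

# Protection means p_1..p_z as vectors in the first octant of R^3
# (x: physical, y: hardware/software, z: organizational/legal). Constructed values.
VECTORS = {
    "controlled_area_access": (2.0, 1.0, 1.0),
    "os_session_lock": (1.0, 2.0, 1.0),
    "security_regulations": (1.0, 1.0, 2.0),
    "disk_encryption": (1.0, 3.0, 1.0),
}

# Independent attacks A_i: (axis index i, set P_{A_i} of means the attack is dangerous for).
ATTACKS = {
    "A1": (0, {"controlled_area_access"}),
    "A2": (1, {"os_session_lock", "disk_encryption"}),
    "A3": (2, {"security_regulations"}),
}


def apply_attack(vectors, attack, unfulfilled):
    """Reflect along the attack's axis each vector in P_{A_i} whose measure is unfulfilled."""
    axis, affected = attack
    hit = affected & unfulfilled
    return {
        name: tuple(-c if (i == axis and name in hit) else c for i, c in enumerate(vec))
        for name, vec in vectors.items()
    }


def run(vectors, attacks, unfulfilled, combo):
    """Apply a combination of attacks one after another and return the resulting vectors."""
    state = vectors
    for attack_id in combo:
        state = apply_attack(state, attacks[attack_id], unfulfilled)
    return state


def outside_first_octant(vectors):
    """Names of the vertices that left the first octant (some coordinate became negative)."""
    return sorted(name for name, vec in vectors.items() if any(c < 0 for c in vec))


def stability(vectors, attacks, unfulfilled):
    """Largest k such that every combination of k attacks leaves all vertices in the first octant."""
    ids = sorted(attacks)
    for k in range(1, len(ids) + 1):
        for combo in combinations(ids, k):
            if outside_first_octant(run(vectors, attacks, unfulfilled, combo)):
                return k - 1
    return len(ids)


if __name__ == "__main__":
    unfulfilled = {"os_session_lock"}  # constructed: the session-lock measure is not implemented
    for attack_id in sorted(ATTACKS):
        moved = outside_first_octant(run(VECTORS, ATTACKS, unfulfilled, (attack_id,)))
        print(attack_id, "insufficient protection:" if moved else "insensitive", moved)
    print("stability:", stability(VECTORS, ATTACKS, unfulfilled))
```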

Threat model. The primary list of threats is formed by combinations of all sorts of factors affecting the protected information, categories of protection means, and levels of influence of violators (Fig. 4).

Identifying and accounting for factors that affect or may affect the protected information in specific conditions forms the basis for planning and conducting effective measures to ensure the protection of information at an informatization facility. The completeness and reliability of the identification of factors is achieved by considering the full set of factors affecting all elements of the object of informatization at all stages of information processing. The list of the main subclasses (groups, subgroups, etc.) of factors in accordance with their classification is presented in section 6 of GOST 51275-2006 "Information security. Object of informatization. Factors affecting information. General Provisions".

Threats of information leakage through technical channels are unambiguously described by the characteristics of the information source, the medium (path) of propagation and the receiver of the informative signal, i.e., they are determined by the characteristics of the technical information leakage channel.

The formation of the secondary list of threats is due to its replenishment based on statistics on incidents that have taken place and on the basis of the conditional degree of their destructive impact.

The degree of disturbance can be determined by:

  • the likelihood of a threat;
  • loss from threat realization;
  • system recovery time.

Fig. 3. Simulation results


Fig. 4. BL model of the threat model database in Chen's notation

Disturbing effects can lead to:

  • violation of the confidentiality of information (copying or unauthorized distribution), when the implementation of threats does not directly affect the content of information;
  • unauthorized, including accidental, influence on the content of information, as a result of which the information is changed or destroyed;
  • unauthorized, including accidental, impact on software or software and hardware elements of the IS, as a result of which information is blocked;
  • loss of accountability of users of the system or actors acting on behalf of the user, which is especially dangerous for distributed systems;
  • loss of data authenticity;
  • loss of systems reliability.

A risk measure that allows one to compare threats and rank them by priority can be determined by the total damage from each type of problem.

The result of the risk assessment of each threat should be:

  • complex application of appropriate means of information protection;
  • reasonable and targeted risk acceptance, ensuring full satisfaction of the requirements of the organization's policies and its criteria for accepting risks;
  • the maximum possible rejection of risks, the transfer of related business risks to other parties, for example, to insurers, suppliers, etc.

The considered method of constructing a threat model makes it possible to solve the problems of developing particular models of threats to information security in specific systems, taking into account their purpose, conditions and features of functioning. The purpose of such modeling is to control the level of IS security using risk analysis methods and to develop an effective information protection system that neutralizes perceived threats.

In the future, this technique can serve as the basis for the development of universal algorithmic and then mathematical security models that effectively combine the requirements of regulatory and methodological documents, a methodology for constructing threat models, intruder models, etc. The presence of such methodological support will allow you to move to a qualitatively higher level of design, development and security assessment of information security systems.


CONSTRUCTION METHOD FOR INFORMATION SECURITY THREAT MODELS OF AUTOMATED SYSTEMS

The authors consider a technique of threat models constructing. The purpose of modeling is to control the information system security level with risk analysis methods and describe the development of an effective information security system that ensures the neutralization of the supposed threats with appropriate security measures.

Keywords: threat model, information system, information security system model.

© Bondar I.V., 2012


when processing them in the personal data information system

1. General Provisions

This particular model of threats to the security of personal data during their processing in the personal data information system "ACS" in ___________ (hereinafter - ISPDN) was developed on the basis of:

1) "The basic model of threats to the security of personal data during their processing in personal data information systems", approved on February 15, 2008 by the Deputy Director of FSTEC of Russia;

2) "Methods for determining current threats to the security of personal data during their processing in personal data information systems", approved on February 14, 2008 by the Deputy Director of FSTEC of Russia;

3) GOST R 51275-2006 "Information security. Factors affecting information. General Provisions".

The model identifies threats to the security of personal data processed in the personal data information system "ACS".

2. The list of threats that pose a potential danger to personal data processed in ISPDN

Potential danger for personal data (hereinafter - PD) during their processing in ISPDN is represented by:

    threats of information leakage through technical channels;

    physical threats;

    threats of unauthorized access;

    personnel threats.

3. Determination of current threats to the security of personal data during processing in the personal data

3.1. Determination of the level of initial security of the ISPDN

The level of initial security of the ISPDN was determined by an expert method in accordance with the "Methodology for determining actual threats to the security of personal data during their processing in personal data information systems" (hereinafter - the Methodology), approved on February 14, 2008 by the Deputy Director of FSTEC of Russia. The results of the initial security analysis are shown in Table 1.

Table 1. Level of initial security

Columns: Technical and operational characteristics of ISPDN; Security level (High, Medium, Low).

1. By territorial placement: local ISPDN deployed within one building.

2. By the presence of a connection to public networks: ISPDN physically separated from public networks.

3. By built-in (legal) operations with PD database records: read, write, delete.

4. By the differentiation of access to personal data: ISPDN to which a certain list of employees of the organization that is the owner of the ISPDN, or the subject of PD, has access.

5. By the presence of connections with other PD databases of other ISPDN: ISPDN in which one PD database is used, owned by the organization that is the owner of this ISPDN.

6. By the level of generalization (depersonalization) of personal data: ISPDN in which the data provided to the user is not depersonalized (i.e. there is information that allows you to identify the PD subject).

7. By the volume of personal data which are provided to third-party ISPDN users without preliminary processing: ISPDN providing part of the PD.


Thus, ISPDN has a medium (Y1 = 5) level of initial security, since more than 70% of the ISPDN characteristics correspond to a security level not lower than "medium", but less than 70% of the ISPDN characteristics correspond to the "high" level.
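The 70% rule used above can be checked mechanically; the following is an added example, not part of the original threat model. The per-row levels in `SAMPLE_LEVELS` are assumed (the table's marks are not present in the page), the values Y1 = 0 for "high" and Y1 = 10 for "low" come from the FSTEC Methodology rather than from this page, and the threshold is taken as "at least 70%".

```python
from collections import Counter

# Y1 = 5 for "medium" is stated on the page; 0 and 10 follow the Methodology.
Y1_BY_LEVEL = {"high": 0, "medium": 5, "low": 10}

# Constructed sample: the seven characteristics of Table 1 with assumed levels.
SAMPLE_LEVELS = {
    "territorial placement": "high",
    "connection to public networks": "high",
    "operations with PD records": "medium",
    "differentiation of access": "medium",
    "connections with other PD databases": "high",
    "level of depersonalization": "low",
    "volume provided to third parties": "medium",
}


def initial_security(levels):
    """Return (level, Y1) for the per-characteristic security levels."""
    levels = list(levels)
    if not levels:
        raise ValueError("at least one characteristic is required")
    unknown = set(levels) - set(Y1_BY_LEVEL)
    if unknown:
        raise ValueError(f"unknown level(s): {sorted(unknown)}")
    counts = Counter(levels)
    total = len(levels)
    # Integer arithmetic avoids float rounding at the 70% boundary.
    # "High" needs at least 70% high and the rest medium (no low rows).
    high_ok = 10 * counts["high"] >= 7 * total and counts["low"] == 0
    # "Medium" needs at least 70% of rows at medium or better.
    medium_ok = 10 * (counts["high"] + counts["medium"]) >= 7 * total
    if high_ok:
        level = "high"
    elif medium_ok:
        level = "medium"
    else:
        level = "low"
    return level, Y1_BY_LEVEL[level]
```

A single "low" row is enough to keep an otherwise strong system out of the "high" class, which is the case the sample data shows.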