Vulnerability assessment of the system
When solving practical problems of information protection, a quantitative assessment of its vulnerability is of great importance.
A number of information security experts share methods and means of protection against accidental and intentional threats.
To protect against accidental threats, means are used to increase the reliability of automated systems, means to increase the reliability and backup of information.
When designing protection against intentional threats, a list and classification are determined by the nature, location, importance and lifetime of the data to be protected in a given information system. In accordance with the nature and importance of these data, the expected qualifications and behavior model of a potential violator are selected.
Let's consider a situation where a threat is realized through unauthorized access to information.
In accordance with the intruder's model, the types and number of possible channels of unauthorized access to protected data are identified in the designed system. These channels are divided into technically controlled and uncontrolled ones. For example, the input to the system from the keyboard can be controlled by a special program, and the communication channels of a geographically distributed system are not always.
Based on the analysis of channels, ready-made or new security tools are selected in order to block these channels.
To create a single permanent protection mechanism, security tools using specially allocated centralized management tools are combined into one automated information security system, which, by analyzing its composition and principles of construction, is checked for possible ways to circumvent it. If any are detected, they are covered by appropriate means, which are also included in the protective shell. As a result, a closed virtual information protection shell will be built.
The degree of protection is determined by the completeness of the overlap of information leakage channels and possible ways to bypass security measures, as well as the strength of protection. According to the accepted model of the violator's behavior, the strength of the protective shell is determined by the means of protection with the lowest strength value from among the means that make up this shell.
The strength of the protection (barrier) is understood as the magnitude of the probability of its overcoming by the violator.
The strength of a protective barrier is sufficient if the expected time for the violator to overcome it is longer than the lifetime of the object of protection or longer than the time for detecting and blocking access in the absence of ways to circumvent this barrier.
The protective shell should consist of security devices built on the same principle (control or prevention of unauthorized access) and placed on access channels of the same type (technically controlled or uncontrolled). On controlled channels, the violator risks being caught, and on uncontrolled channels he can work in comfortable conditions, not limited by time and means. The strength of the protection in the second case should be much higher. Therefore, it is advisable to have separate virtual protective shells in the information system: controlled and preventive.
In addition, it is necessary to take into account the use of organizational measures, which together can form their own protective shell.
The strategy and tactics of protection against deliberate unauthorized access consists in the application of means of control, blocking and warning of events on possible channels of access to information. Means of control and blocking are installed on possible access channels, where technically or organizationally possible, and means of prevention (preventive means) are used where such opportunities are not available.
When calculating the strength of a protective device, a time factor is taken into account, which allows to obtain a quantitative assessment of its strength — the expected value of the probability of its being overcome by a potential violator.
Let's consider the options for building a protective shell and evaluating its strength.
In the simplest case, the object of protection is placed in a closed homogeneous protective shell).
The strength of the protection depends on the properties of the barrier. It is considered that the strength of the created barrier is sufficient if the cost of the expected costs of overcoming it by a potential violator exceeds the cost of the protected information.
If we denote the probability of an obstacle being overcome by an intruder through Ph, the probability of an obstacle being overcome by an intruder through Rp, then according to probability theory Ph + Rp = 1.
In the real case, the barrier may have ways to bypass it.
Let's denote the probability of the intruder bypassing the barrier through the Po. An intruder acting alone will choose one of the ways: overcoming an obstacle or a workaround. Then, given the incompatibility of events, the formal expression of the strength of the barrier can be represented as Ph = min {(1 - Rp), (1 - Po)}.
Let's consider the most dangerous situation when the intruder knows and chooses the path with the highest probability of overcoming the obstacle. In this case, it can be assumed that the strength of the barrier is determined by the probability of its overcoming or circumventing by a potential intruder along the path with the highest value of this probability. That is, in the case of the actions of a single violator, the strength of the protection is determined by its weakest link.
An obstacle may have several ways around it. Then the last expression will take the form Ph - min {(1 - Rp), (1 - Po1), (1 - Po2), (1 - Po3), ... (1 - Rock)}, where k is the number of traversal paths.
For the case when there are more than one violators and they act simultaneously (an organized group) along each path, this expression, taking into account the compatibility of actions, will look like this: Ph - (1 - Rp) (1 - Po1) (1 - Po2) (1 - Po3) ... (1 - Rock).
This formula is applicable for an uncontrolled barrier.
Let's consider the features of calculating the ratios for a controlled barrier. When it is necessary and technically possible to provide access control to an object of protection that has a permanent value, a permanent barrier is usually applied that has the properties of detecting and blocking the intruder's access to the object or object of protection.
To analyze the situation, let's consider a time diagram of the process of monitoring and detecting unauthorized access.
It follows that the violator may not be detected in two cases:
a) when the violation time is less than the sensor polling period: Tnr < T;
b) when T < Tnr < Tob + Tb.
In case a), an additional condition is required - the time interval t falls into the interval T, i.e. it is necessary to synchronize the actions of the intruder with the frequency of polling of the detection sensors.
Formally, this task can be represented as follows. There is a sequential set of events in the form of control pulses with a distance T between them and there is a certain set of elementary events in the form of a segment of length Tnr, which is randomly superimposed on the first set. The task is to determine the probability of a Tnr segment hitting the control pulse if Tnr < T.
In case b), when T < Tnr < Tob + T, unauthorized access is recorded for sure and the probability of detecting the actions of the violator will be determined by the ratio between Tnr and (Tob + Tb).
The magnitude of the expected Tnr depends on many factors:
the nature of the violation task,
the method and method of violation,
the technical capabilities and qualifications of the violator,
and the technical capabilities of the automated system.
Therefore, we can talk about the probabilistic nature of the Tnr value.
For a more complete formal representation of the strength of the barrier in the form of a system for detecting and blocking unauthorized access, it is necessary to take into account the reliability of its functioning and ways of possible circumvention by the violator.
The probability of system failure is determined by the formula Rotc (t) = e–t, where is the failure rate of the group of technical means that make up the detection and blocking system; t is the considered time interval for the operation of the detection and blocking system.
Based on the most dangerous situation, we believe that the failure of the control system and the NSD may be joint events. Therefore, taking into account this situation, the formula for the strength of the controlled barrier will take the form Ph = min {P2 (1 - Rotc), (1 - Ro1), (1 - Ro2), (1 - Ro3), ... (1 - Roc)}, where Ro and the number of bypass paths k are determined by expert analysis on based on the analysis of the principles of building a specific control system and blocking unauthorized access.
If the value of information decreases over time, the excess of time spent on overcoming the barrier by the violator over the lifetime of the information can be taken as a condition of sufficient protection. Cryptographic transformation of information can be used as such protection. Possible ways to circumvent the cryptographic barrier may be cryptanalysis of the source text of the encrypted message or access to the actual values of the encryption keys during storage and transmission.
In practice, in most cases, the protective contour (shell) consists of several interconnected barriers with different strengths.
An example of this type of protection is the room in which the equipment is stored. Walls, ceiling, floor, windows and a lock on the door can serve as barriers with different strengths.
The formal description of the strength of a multi-link protection shell almost completely coincides with a single-link one, since the presence of several ways to bypass one obstacle that do not meet the specified requirements will require their overlap with other obstacles, which eventually form a multi-link protection shell.
The strength of a multi-link defense of uncontrolled barriers, built to resist a single intruder, is determined by the formula Ri = min {Rszi1, Rszi2, Rszii, (1 - Po1), (1 - Po2), (1 - Po3), ... (1 - Rock)}, where Rszii is the strength of the i-th barrier; Rock is the probability of bypassing an obstacle along the k-th path.
The strength of a multi-link protective shell from a single intruder is equal to the strength of its weakest link. This rule is also valid for protection against an unorganized group of violators acting independently.
The strength of the multi-link protection, built of uncontrolled barriers to protect against an organized group of qualified violators, is calculated as follows: Rzi0 = Rszi1 • Rszi2 • ...Rszii (1 - Po1) (1 - Po2) (1 - Po3) ... (1 - Rock).
The strength of a multi-link defense against an organized group of violators is equal to the product of the probabilities that a potential violator will not overcome each of the links that make up this protection.
The calculation of the strength of a multi-link protection with controlled barriers is similar.
Calculations of the final protection strengths for uncontrolled and controlled barriers should be separate, since the initial data for them are different and, therefore, there should be different solutions for different tasks - two different protection shells of the same level.
If the strength of the weakest link of protection meets the requirements of the protection shell as a whole, the question arises about the redundancy of strength on the remaining links of this shell. It follows that it is economically feasible to use equal-strength barriers in a multi-link protection shell.
If the protection link does not meet the requirements, the barrier in this link should be replaced with a stronger one, or this barrier is duplicated by another barrier, and sometimes two or more. Additional barriers should block the same number or more possible channels of unauthorized access as the first one.
In this case, if we denote the strength of overlapping obstacles, respectively, through Rd1, Rd2, Rd3, ..., Rdi, then the probability of overcoming each of them is defined as the probability of the opposite event: (1 - Rd1), (1 - Rd2), (1 - Rd3), ... (1 - Rdi).
We believe that the facts of overcoming these obstacles by the violator are joint events. This allows the probability of overcoming the total obstacle by the violator to be represented in the form of Rp = (1 - Rd1) (1 - Rd2) (1 - Rd3) ... (1 - Rdi).
In critical cases, with increased requirements for protection, multilevel protection is applied.
When calculating the total strength of multi-level protection, the strengths of individual levels are summed up.
The information security system should provide protection against all types of accidental and intentional influences: natural disasters and accidents, failures and failures of technical means, errors of personnel and users, errors in programs and from deliberate actions of intruders.
There is a wide range of options for ways and methods of accessing data and interfering in the processing and exchange of information. An analysis of all vulnerabilities of the system, an assessment of possible damage will allow you to correctly identify information protection measures. The calculation of the effectiveness of protective measures can be performed using various methods, depending on the properties of the protected information and the intruder's model.
A properly constructed (adequate to reality) model of the violator, which reflects his practical and theoretical capabilities, a priori knowledge, time and place of action and other characteristics, is an important component of a successful risk analysis and determination of requirements for the composition and characteristics of the protection system.
