KSZI Pantsir+

Product
Developers: Information technologies in business (NPP ITB)
System premiere date: 2015/10/30
Last release date: 2017/12/04
Technology: Cybersecurity - Information loss prevention

KSZI "Pantsir+" is designed to protect corporate information systems. It can also be used to protect computing facilities in the control loop of an automated process control system (APCS).

Pantsir+ is an end-to-end system of data protection for Windows. This tool for protection against unauthorized access (NSD) is not a further development of the company's previous product, KSZI "Pantsir-K". It is a fundamentally different protection system with fundamentally new data protection capabilities, whose technical implementation is covered by more than 10 patents for inventions (some of which are, to some extent, used in other developers' widely known NSD protection tools, which infringes the intellectual property of our company and is one of the first-priority issues requiring a solution).

A number of protection methods, for example access control for created objects (file objects and data stored in the clipboard), substantially simplify administration when building complex differentiating access policies as part of implementing a process-based access model.

Each chapter of the KSZI "Pantsir+" documentation opens with a short description and justification of the implemented solutions, so the documentation can also, in a sense, be treated as training material. The developer's site also publishes the specification listing the requirements against which the KSZI is undergoing certification as a computing-equipment tool and as a local firewall (ME). These requirements are mapped to Orders 17 and 21 of FSTEC of Russia.

Information security system

  • KSZI "Pantsir+" can be used with operating systems of the Microsoft Windows family, from Windows XP through Windows Server 2016.
  • KSZI "Pantsir+" can be used to protect workstations, servers, terminal servers and Hyper-V virtualization, including both guest machines and the hypervisor.
  • KSZI "Pantsir+" is a networked data protection system with a client-server architecture. It consists of client parts (installed on the protected objects, where they directly perform the data protection tasks), security servers (remote administration of the client parts of KSZI "Pantsir+" and interactive processing of security event audit logs) and audit servers (remote auditing of security events in real time).

The architectural features of the networked implementation of KSZI "Pantsir+" are as follows:

  • any client part can interact with any number of security servers and audit servers;
  • for security servers, the ability to build a full-fledged hierarchical system for remote administration of the client parts of KSZI "Pantsir+" is implemented.

KSZI "Pantsir+" is a protection system that operates at the OS kernel level. Protection at the OS kernel level is the basis of the security of any information system. Only once effective protection has been implemented at this level does it make sense to add further protection with various application-level tools, including those that solve different detection tasks.

KSZI "Pantsir+" provides a comprehensive solution to current data protection problems arising from both external and internal threats.

1. Protection against internal threats (insider attacks):

  • against attacks by interactive users who are authorized to process data in the information system;
  • against attacks by privileged users (administrators) who perform administration tasks in the information system.

2. Protection against external threats (hacker attacks), including effective protection against targeted attacks.

Technology of protection

1. A computing facility, as an object of protection, can be characterized by the hierarchy of roles implemented in it:

  • system boot role (BIOS, OS loader);
  • the "system" role (the System process, system drivers, services, processes and libraries);
  • functional role of the protected object (workstation, server, terminal server, virtual machine and hypervisor, etc.);
  • system administration role (system administrator and administrative tools);
  • protection role (security administrator, protection tools and their administration);
  • user roles (interactive users and applications).

2. Each role is characterized, in general, by a set of access subjects (users, processes) that is necessary and sufficient for it, and by a corresponding necessary and sufficient set of access objects (resources).

3. Implementing the protection technology generally comes down to solving the following tasks:

  • localization of data processing modes within the corresponding roles, by users, processes and access objects: within each role only the access subjects and objects it needs should be used, and any unauthorized change to these sets, or modification of their members, must be prevented;
  • isolation of data processing modes between different roles at the same and at different hierarchy levels: each role should be given only the capabilities necessary and sufficient for it, and only the necessary methods of interaction with other roles, and any unauthorized change or modification of these must be prevented.

Basic principles of creation of protection

The protection is built on controlling the access of subjects to objects, with the aim of localizing their access rights so as to solve the corresponding set of data protection tasks. Detection tools of any kind, which do not allow protection to be implemented in a general form, are not used. Such tools can be applied in addition to KSZI "Pantsir+" on the protected objects of information systems.

KSZI "Pantsir+" implements the following three main groups of protection mechanisms:

  • mechanisms for controlling and differentiating subjects' access rights to static objects, i.e. objects that are present in the system at the time the administrator assigns subjects' access rights to them. Such objects include local and network-shared file objects, OS registry objects, file storage devices identified by their identifiers including serial numbers, network objects, local and network printers, etc. These mechanisms implement the differentiating access policy of subjects to objects;
  • mechanisms for controlling and differentiating subjects' access rights to created objects, i.e. objects that are absent from the system at the time the administrator assigns access rights and are created by users afterwards. Such objects include created files and data temporarily stored in the clipboard. These mechanisms implement the dividing policy between access subjects;
  • mechanisms of protection against bypassing the differentiating and dividing access policies. These mechanisms also implement access control, but with respect to OS system objects: impersonation services, direct disk access and code injection into processes, BIOS UEFI variables (NVRAM), the OS loader, etc.

Development History

2017: Anti-phishing technology added

On December 4, 2017, the "Information Technologies in Business" company announced that technology for protecting data from phishing attacks had been implemented in KSZI "Pantsir+".

In most cases a phishing attack is delivered through an e-mail attachment that carries either an infected file or a link to an infected website. In the first case the application, after reading the malicious file, performs the actions embedded in it. In the second case, following the link loads a malicious active page into the computer's memory, and as a result the browser acquires the corresponding malicious functions.

The basis of anti-phishing protection in KSZI "Pantsir+" is the patented technical solution for access control to created files. Each file is automatically marked when it is created: the credentials of the access subject that created it, in this case the process, are placed in the file's alternate data stream. The differentiating access policy defines which subject is permitted access to files created by which subject, and what kind of access (read, write, execute, etc.). The mechanism is relevant because processed data are stored in created files, and viruses written to the computer, in the form of executable and command files, are also placed in created files.

The dynamic sandbox in KSZI "Pantsir+" is implemented as follows:

  • access to created (marked) files, i.e. to the processed data, is restricted when an application opens a file that is likely to be infected (a critical file), for example one received by e-mail as an attachment;
  • the process that opens such a file is automatically placed in a sandbox: it is denied access to all trusted marked files (the processed data) created by any application, including files it created earlier itself;
  • when a file processed in the sandbox is saved, its marking does not change (the next time it is read, the corresponding process will again be placed in the sandbox). Thus an application infected by reading a critical file will not gain access to trusted files.

File processing modes in the sandbox

  • When a critical file is opened, access to trusted files becomes impossible. Critical files are processed separately: the process has access only to critical files.
  • After a trusted file is opened, both trusted and critical files can be opened further (these documents can be processed together, including copying text between documents). Once a critical file is opened, access to trusted files is forbidden, and when any open file is saved, the user is offered to create a new file, which inherits the marking of the critical file.
  • An application infected while reading a critical file will not be able to access the processed trusted data.
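The marking and sandbox rules above can be traced with a small model. This is an added example, not code from KSZI "Pantsir+" or its vendor; it assumes the policy treats files created by a mail client as critical, and the process names, file names and the ".critical-copy" suffix are hypothetical.

```python
from dataclasses import dataclass, field

# Assumption: policy treats files created by these processes as critical.
CRITICAL_CREATORS = {"mailclient.exe"}

class AccessDenied(Exception):
    """Raised when the sandbox policy refuses an open."""

@dataclass
class FileStore:
    # path -> creator mark; stands in for the mark kept in the alternate stream
    marks: dict = field(default_factory=dict)

    def is_critical(self, path):
        return self.marks[path] in CRITICAL_CREATORS

@dataclass
class Process:
    name: str
    store: FileStore
    critical_mark: str = ""  # set once a critical file has been opened

    @property
    def sandboxed(self):
        return bool(self.critical_mark)

    def open(self, path):
        if self.store.is_critical(path):
            self.critical_mark = self.store.marks[path]  # enter the sandbox
        elif self.sandboxed:
            raise AccessDenied(f"{self.name}: trusted file {path} blocked")
        return path

    def save(self, path):
        """Return the path actually written, applying the marking rules."""
        marks = self.store.marks
        if not self.sandboxed:
            marks.setdefault(path, self.name)  # new file gets its creator's mark
            return path
        if path in marks and not self.store.is_critical(path):
            path += ".critical-copy"  # hypothetical "save as a new file" step
        marks.setdefault(path, self.critical_mark)  # existing marks never change
        return path

def demo():
    # Constructed sample: two trusted documents and one mail attachment.
    store = FileStore({"report.docx": "winword.exe", "budget.xlsx": "excel.exe",
                       "invoice.docx": "mailclient.exe"})
    word = Process("winword.exe", store)
    word.open("report.docx")    # trusted file opened first: allowed
    word.open("invoice.docx")   # critical file: process is now sandboxed
    try:
        word.open("budget.xlsx")
        blocked = False
    except AccessDenied:
        blocked = True
    return blocked, word.save("report.docx"), store.marks
```

In the model, the trusted original keeps its mark and only the new copy carries the critical one, so any process that later opens the copy is sandboxed in turn.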

Access control for created files makes it possible to deny access to files created by interactive users (the data they process) to processes started with system administrator rights as well as with system rights (system processes and services).

2015

FSTEC certificate of conformity received for KSZI "Pantsir+"

In January 2016, NPP ITB LLC announced that it had obtained the certificate of FSTEC of Russia.

"Pantsir+" is compatible with eToken and JaCarta

On November 3, 2015, NPP ITB announced the completion of compatibility tests of the end-to-end system of data protection (ETESDP) Pantsir+ with the JaCarta and eToken product lines of Aladdin R.D.

The compatibility certificates, signed by NPP ITB (Scientific Production Enterprise ITB) and Aladdin R.D., confirm that the end-to-end system of data protection Pantsir+ for Microsoft Windows (KSZI "Pantsir+"), intended for protection against unauthorized access to information, works correctly with JaCarta PKI and JaCarta GOST smart cards and USB tokens, and with eToken PRO (Java) smart cards and USB tokens.

Correct operation of the specified models is confirmed on all major operating systems of the Microsoft Windows family.