2023/11/13 19:30:27

TADVISER SUMMIT CYBERSECURITY


On October 18, TAdviser held the TADVISER SUMMIT CYBERSECURITY information security conference in Moscow. A representative of the Ministry of Digital Development reported on the results of the state Bug Bounty program, business speakers shared their view of the changing nature of information security threats, their experience with information security products of various classes, and their methodological developments in risk management and quantitative metrics, and vendors presented the capabilities of their solutions.

The conference was attended by representatives of organizations including the Ministry of Energy of the Russian Federation, the Central Bank of the Russian Federation, the Russian State Archive of NTD, the Treasury of Russia, X5 Group, Metallinvestbank, Sberbank, TsNIIOIZ, Aeroflot, GBU "Small Business of Moscow", the Ministry of Health of Russia, the prefecture of Zelenograd (Moscow), Penza State Technological University and many others. The event was hosted by Alexey Voronin.

Reward for error

Evgeny Khasin, Deputy Director of the Cybersecurity Department of the Ministry of Digital Development of Russia, reported on the results of the state Bug Bounty program ("reward for error"): a paid search for vulnerabilities in two GIS (state information systems). The program was launched in 2023, and about 8 thousand third-party researchers took part in it, testing two GIS: Public Services and the UIAS.

Evgeny Khasin, Deputy Director of the Cybersecurity Department, Ministry of Digital Development of Russia

As a result, 37 vulnerabilities were found, including critical ones related to architecture and logic. The program was implemented on the basis of two domestic platforms: BI.Zone Bug Bounty and Standoff 365 - the total amount of payments to researchers amounted to slightly less than two million rubles.

Based on the results of the program:

  • increased security of the GIS;
  • a formalized and legitimate process for reporting information about vulnerabilities has been worked out;
  • reduced vulnerability lifetime;
  • reduced vulnerability detection costs;
  • the information security monitoring center was tested under real-world conditions;
  • compliance with legal requirements.

"Information security begins with an inventory of information systems," said Evgeny Khasin. "Pentesting is also important, but it is a one-time event and, moreover, an expensive one, since it is paid for regardless of the result of the study, which may yield nothing. Bug Bounty, on the other hand, makes it possible to attract an unlimited number of independent researchers, with remuneration paid for the achieved result."

The speaker stressed that the regulatory legislation needs to be refined, in particular so that independent researchers engaged in the legal search for vulnerabilities feel better protected from possible claims by law enforcement agencies.

Gleb Ligachev, IT Director, System Operator of the Unified Energy System (SO UES), recalled that this company is fully state-owned and operates as the single dispatch center for all power plants, which are connected to it by dedicated communication channels.

Gleb Ligachev, IT Director, System Operator of the Unified Energy System

In large companies, information security was already receiving attention before February 2022: information security processes were built, tools were introduced, and a regulatory framework was approved. But in small and medium-sized companies, according to the speaker, only "either a crazy or a visionary shareholder" could afford information security processes. In 2022, however, they too found themselves in need of information security tools. At the same time, contractors are assumed to be handling information security as well, but most often they have a "complete mess" in this regard, Gleb Ligachev is sure, so one of the most common ways to attack an organization is through its contractors or suppliers.

The speaker warned that even when working with well-known information security vendors, it is necessary to check the vendor's specific representatives for compliance with information security rules. He described a case in which one specialist kept on an external disk the production firewall configurations of Gazprom and other large organizations, clients of the information security vendor he represented.

Finally, the speaker listed the new information security challenges. For example, it is necessary to protect not only the company itself, but also its external contractors (as well as subsidiaries and partners). Updates of not only foreign but also domestic software should be treated as potentially "bad." Increasingly believable phishing arrives by mail, so employees must be trained in information security hygiene. In addition, purely technically, "any prematurity," as the speaker put it, can now launch an attack, so the perimeter must be hardened to repel attacks automatically.

Another challenge is the rejection of convenient foreign solutions in favor of domestic ones, often with a significant loss of functionality.

"Russian solutions lack the complexity that would let you do a lot, quickly and with a small team," says Gleb Ligachev. "At the same time, Russian vendors often sell not what they have, but a 'picture of the future,' announcing that the necessary functionality will be created in a year or two."

According to the speaker, the variety of new manufacturers and the unpredictability of their products make it reasonable to unite in professional communities, such as the Digital Power Association.

Hackers give commands by voice

Sergey Demidov, Director of the Department of Operational Risks and Information Security, Moscow Exchange Group, spoke about how the nature of cyber threats changed during 2022-2023 and what exactly became the main challenges for the Russian information security industry. Information security threats have transformed: the intensity and complexity of attacks have increased, and new kinds of actions that threaten security have appeared.

Sergey Demidov, Director of the Department of Operational Risks and Information Security, Moscow Exchange Group

In 2022, many attacks that had previously been considered harmless, DDoS for example, shifted into the "red zone" and became critical. Additional threats appeared: problems with updates and malicious backdoors in open source. The speaker acknowledged that abandoning open source code is impossible and called for a balance between security and the business development the company needs.

Sergey Demidov also counted artificial intelligence among the new threats, since it is able to coordinate attacks and make them even more massive.

"Among the new threats to information security is artificial intelligence," he said. "Attackers currently lack the coordination to mount truly massive attacks. Artificial intelligence makes it possible to analyze a large number of infrastructures and pick out the key vulnerabilities. It has become possible to set a task by voice, that is, to say 'collect the most common vulnerabilities for the financial sector,' and get a tool for attacking financial organizations."

The speaker recalled that moving all government departments onto the GosTech platform will mean that vulnerabilities appear simultaneously in all government departments, which is something to reflect on. He then went through the current challenges, including:

  • regulation: the need to comply with specific requirements, GOSTs, general cybersecurity requirements and FSTEC orders;
  • import substitution: replacement of protection tools, improvement of efficiency, adaptation to new threats;
  • culture: until employees begin to perceive information security as an element of the business, nothing will change;
  • transparency of cybersecurity for the business: the need to explain to the business what the money is spent on before an information security incident occurs;
  • information security risk management.

We are guided by risks

Andrey Abashev, Head of Methodology and Information Security Development, Department of Information Protection and IT Infrastructure, Norilsk Nickel, shared his practice of ensuring corporate information security with risk-oriented approaches. The company has been developing a risk-oriented approach to information security management since 2018.

"The global goal is to increase transparency and justify to the business the decisions made within information security," he said.

Andrey Abashev, Head of Methodology and Information Security Development, Department of Information Protection and IT Infrastructure, Norilsk Nickel

With a risk-based approach, there can be three main goals:

  • identify and quantify the risks of cyber attacks on the IT infrastructure, and minimize these risks through a balanced choice of protection mechanisms;
  • optimize and balance information security requirements so that they do not increase the time and cost of the initiatives being implemented;
  • develop an economic justification of information security expenses.

Andrey Abashev dwelled in more detail on the ways to achieve each of the three goals. Thus, to identify and quantify risks, it is necessary to determine the expected attack scenarios against the infrastructure and to calculate their likely financial consequences. Once the risks have been quantified, insuring them becomes possible, the speaker noted.

To optimize information security requirements, a qualitative assessment using the classic "heat map" can be applied. When planning investments in key information security projects, the possible consequences of postponing or completely abandoning a project should be assessed.

If other cross-functional areas are involved in calculating the losses from business downtime in the event that an information security risk materializes, the conclusions will be more accurate and realistic, says Andrey Abashev.

Alexander Lugantsev, Head of Information Security, VTB Specialized Depository, spoke about the stages of implementing a risk-oriented approach to business information security. He outlined three stages in implementing this approach.

Alexander Lugantsev, Head of Information Security, VTB Specialized Depository

At the initial stage, you need to understand what the company does and what its organizational structure is, and to single out the main and auxiliary business processes and, accordingly, the main and auxiliary information systems. At the second stage, you need to find out which information systems are involved in all the processes, both main and auxiliary. To do this, the relationships between departments, the information flows and the nodes that need to be protected are studied. At the third stage, the processes and business processes are described and the relationships between them are defined.

"The main source of information in production is interviews with chief engineers and technologists. The latter are the most useful," Alexander Lugantsev added. "In the financial sector, talking to operations room staff is also useful."

Based on the results of this work, a table is compiled that shows the consequences of a negative event involving the failure of each information system, the need to back up each information system, and the time required to recover it.

Integrated approach

Andrey Nuikin, Head of Information Systems Security, Evraz, shared the results of a small study of the effectiveness of EDR (Endpoint Detection and Response) products. He warned at the outset that the research behind the talk is not final and is not intended to discredit any solutions or approaches to information security.

Andrey Nuikin, Head of Information Systems Security, Evraz

The essence of the experiment is as follows. Four Windows computers with different settings and different sets of information security products were placed on the test bench, namely:

  • a Windows computer with factory settings and Kaspersky Lab antivirus installed;
  • a Windows computer with factory settings and KEDR installed;
  • a Windows Hardening Admin computer (the account has administrative access);
  • a Windows Hardening NoAdmin computer (the account has no administrative access).

Andrey Nuikin noted that the choice of the Kaspersky Lab EDR product as the protection tool was not fundamental; the result is of interest with any EDR product.

30 attack techniques were run against the computers configured in this way. The Windows Hardening NoAdmin computer repelled 8 types of attack, the antivirus solution blocked 18, and together the two configurations repelled 20 different attacks (several techniques were blocked by both). The EDR product added 4 more detected techniques on top of the previous solutions. Thus, the EDR product increased security, but not dramatically.

"Protection should be layered and provided by a set of solutions that complement each other," said Andrey Nuikin. "As for EDR, we came to the conclusion that it is advisable to deploy it in critical areas; in non-critical ones, it is enough to configure Windows correctly."

Alexander Ovodov, Director of the Information Security Department at the processing company Uniteller, described the current attack methods in cyberspace and the ways to protect information security. Among the current cyber attack methods he named the use of malware (ransomware, spyware, etc.), social engineering, exploitation of vulnerabilities, compromise of accounts, compromise of supply chains or trusted communication channels, DDoS, and attacks on APIs.

Alexander Ovodov, Director of the Information Security Department, Uniteller

To protect the company's external perimeter, a Web Application Firewall (WAF) with API protection must be used. Measures for protecting the internal perimeter: a next-generation firewall (NGFW), internal network segmentation, and antispam for mail. In both cases, vulnerability management is required.

Alexander Ovodov drew the conference participants' attention to the importance of developing personnel in order to ensure information security, and in this context the following actions must be taken:

  • carry out an inventory of information assets: who works with which systems, and what information circulates in them;
  • identify violators;
  • identify unacceptable events;
  • assess the role of personnel in creating unacceptable events;
  • develop and apply cyber hygiene measures.

"When employees were shown their possible role in allowing unacceptable information security events, they began to comply with information security on their own and with greater eagerness. The number of incidents decreased by 30%. We have been doing this for more than a year," added Alexander Ovodov.

Alexey Pleshkov, an independent expert, focused on various aspects of ensuring the information security of CII (critical information infrastructure) facilities: the development of the legislative framework, the experience of successful projects, and the possibilities of replicating best practices. The speaker emphasized the constant development of the legislative framework in the field of CII, presenting to the audience, among other things, a selection of regulatory documents for industry and the transport sector.

Alexey Pleshkov, independent expert

Among the regulator's initiatives, Alexey Pleshkov highlighted the creation of the new technical committee for standardization TK167 "Software and hardware complexes for critical information infrastructure and software for them," as well as the recent FSTEC initiative to develop a single classifier of the protection measures specified in orders No. 17, 21, 31 and 239. The speaker also highlighted the order of the Ministry of Industry and Trade dated 31.05.2023 No. 1981 "On approval of the Procedure for conducting, in relation to subjects of the critical information infrastructure of the Russian Federation engaged in activities in the field of defense, metallurgical and chemical industries, an assessment of the relevance and reliability of the information specified in paragraph 17 of the Rules for categorizing critical information infrastructure facilities of the Russian Federation."

"Now you should be more careful about the categorization of the company," said Alexey Pleshkov. "Even companies with minimal state participation can be classified as CII objects."

"DLP is not 100% functional"

Andrey Minaev, Head of Information Security, Fuelup, identified KPIs as the basis for maintaining security at the required level. He is sure that conducting an information security audit is not enough: it is necessary to define metrics for the corporate security processes and set KPIs on them.

Andrey Minaev, Head of Information Security, Fuelup

The developed metrics must be applied to the following processes:

  • access and asset management;
  • network security;
  • endpoint protection;
  • data security;
  • information security incident and vulnerability management;
  • corporate security training;
  • secure development.

The speaker believes that metrics can be developed for each process. "We know when the information security auditors will come to us, and we prepare for it. But when they leave, what happens to security?" asked Andrey Minaev. "It goes downhill. To keep information security at the required level, you need information security metrics, KPIs, and regular calculation of and reporting on them."

The types of metrics are as follows: coverage by protection tools, process coverage, quality of protection tools, and process quality. As an example, Andrey Minaev took the "endpoint security" process in terms of antivirus protection. Its metrics are:

  • share of workstations (AWS) with antivirus installed ("coverage" metric);
  • percentage of antivirus instances functioning without errors ("quality");
  • percentage of incidents processed by the antivirus ("coverage");
  • percentage of incidents processed on time ("quality").

For each metric, a calculation algorithm is defined, the speaker emphasized: how exactly we count and where we take the values from. At the same time, the metrics by themselves give nothing. For each metric, thresholds must be defined: below the threshold the risks are high, above it they are low. Not every metric should be at 100%; what is needed is to determine the target value at which the risks are low, and it is also important to appoint a person responsible for the process.
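As an added illustration of the four antivirus metrics, their coverage/quality typology, per-metric thresholds and a named owner, here is a small calculation over constructed inventory and incident records (example code written for this summary, not the speaker's or Fuelup's tooling; the 4-hour SLA, the target values and the owner name are assumptions):

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample inventory: one record per workstation (AWS).
WORKSTATIONS = [
    {"host": "ws-01", "av_installed": True, "av_status": "ok"},
    {"host": "ws-02", "av_installed": True, "av_status": "ok"},
    {"host": "ws-03", "av_installed": True, "av_status": "error"},  # e.g. stale signatures
    {"host": "ws-04", "av_installed": False, "av_status": None},
    {"host": "ws-05", "av_installed": True, "av_status": "ok"},
]
# Constructed sample incident records; "handled_by_av" marks incidents the
# antivirus itself detected and processed. Times are ISO-8601 strings.
INCIDENTS = [
    {"id": 1, "handled_by_av": True, "opened": "2023-10-02T09:00", "closed": "2023-10-02T10:30"},
    {"id": 2, "handled_by_av": True, "opened": "2023-10-03T14:00", "closed": "2023-10-03T19:00"},
    {"id": 3, "handled_by_av": False, "opened": "2023-10-04T08:00", "closed": "2023-10-04T11:00"},
    {"id": 4, "handled_by_av": True, "opened": "2023-10-05T16:00", "closed": None},
]
REPORT_TIME = "2023-10-06T09:00"  # constructed moment at which the report is built
SLA = timedelta(hours=4)          # assumed processing deadline per incident


@dataclass(frozen=True)
class Metric:
    name: str
    kind: str         # "coverage" or "quality", as in the speaker's typology
    value: float      # percentage 0..100
    threshold: float  # target: at or above it the risk is low, below it high
    owner: str        # person responsible for the process

    @property
    def risk(self) -> str:
        return "low" if self.value >= self.threshold else "high"


def pct(numerator: int, denominator: int) -> float:
    """Share in percent; an empty denominator yields 0 instead of a crash."""
    return 100.0 * numerator / denominator if denominator else 0.0


def endpoint_metrics(workstations, incidents, now: str, sla=SLA, owner="endpoint-security lead"):
    """Compute the four antivirus metrics from the talk with assumed thresholds.

    Installation coverage is targeted at 100%; the other targets are
    deliberately below 100%, as the speaker advises.
    """
    report_time = datetime.fromisoformat(now)
    installed = [w for w in workstations if w["av_installed"]]
    av_incidents = [i for i in incidents if i["handled_by_av"]]

    def on_time(inc) -> bool:
        # An incident that is still open is measured against the report time.
        closed = datetime.fromisoformat(inc["closed"]) if inc["closed"] else report_time
        return closed - datetime.fromisoformat(inc["opened"]) <= sla

    return [
        Metric("workstations with antivirus installed", "coverage",
               pct(len(installed), len(workstations)), 100.0, owner),
        Metric("antivirus running without errors", "quality",
               pct(sum(w["av_status"] == "ok" for w in installed), len(installed)), 95.0, owner),
        Metric("incidents processed by antivirus", "coverage",
               pct(len(av_incidents), len(incidents)), 70.0, owner),
        Metric("incidents processed within SLA", "quality",
               pct(sum(on_time(i) for i in av_incidents), len(av_incidents)), 90.0, owner),
    ]


def high_risk(metrics) -> list:
    """Names of metrics below their target: where budget or people are needed."""
    return [m.name for m in metrics if m.risk == "high"]


if __name__ == "__main__":
    for m in endpoint_metrics(WORKSTATIONS, INCIDENTS, REPORT_TIME):
        print(f"{m.name:42} {m.kind:8} {m.value:6.1f}% (target {m.threshold:5.1f}%) "
              f"risk={m.risk} owner={m.owner}")
```

On the constructed data, incident coverage (75%) clears its 70% target while the three other metrics fall below theirs, which is the kind of picture the speaker describes using to justify budgets.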

Andrey Minaev also listed the advantages of introducing metrics and reporting on them:

  • improvement of corporate security indicators;
  • setting goals for employees;
  • identification of information security problems and risks;
  • demonstration of the scope of work;
  • justification of budgets and procurement: we see where metrics deteriorate and where people or investments are needed;
  • support for management decision-making.

Data protection at all stages of the life cycle, especially when data is transferred to an external environment for processing, requires close attention, according to Vyacheslav Kasimov, Director of the Information Security Department, ICD. He recalled the stages of the life cycle of any data: input, transfer, use, storage, and deletion.

Vyacheslav Kasimov, Director of the Information Security Department, ICD

The speaker defined data protection as the ability to carry out all the transitions defined by the life cycle without illegitimate actions such as data distortion or data leakage. At the same time, DLP solutions do not cope with these tasks entirely successfully. Data must also be protected in other ways, at the input and deletion stages, for example by automating input; where input remains manual, it needs increased control. In addition, deletion must be reliable and authorized.

The necessary actions when using data are as follows. Firstly, it is better to minimize the use of data, since the need for its transfer and storage then decreases automatically. Secondly, access and uploaded data must be controlled, at the level of both rights and logs. Thirdly, the screen can always be photographed, and what is kept in people's heads can be written down in a document, so constant training and raising employees' information security literacy are needed.

"Nowhere does DLP work at 100% of its functionality," stated Vyacheslav Kasimov. "You can control the leakage channels, but you need to continuously inventory them, chase the vendor, and seek to obtain preventive functionality. And if the manufacturers of DLP solutions do not start making full-fledged DLP, everyone will move to the isolated-environment model."

Network security

Kira Malukhina, Head of Key Project Development, Security Code, focused on providing network security with a Russian NGFW-class firewall. She spoke about the Continent 4 network product, a multifunctional firewall (NGFW/UTM) with support for GOST algorithms, which solves the following tasks:

  • centralized protection of the enterprise network perimeter;
  • prevention of network intrusions;
  • control of users' access to the Internet;
  • secure remote access.

Kira Malukhina, Head of Key Project Development, Security Code

The speaker outlined the architecture of the solution and the network technologies used (dynamic routing, NAT support, Multi-WAN, QoS, clustering of security nodes), and also listed the device's use cases (integrated firewall, high-performance firewall, attack detector) and other capabilities of Continent 4.

"We have implemented centralized device management from a single window, with configuration of group policies," said Kira Malukhina.

She stressed that, in the context of import substitution, Check Point policies of versions 77.30, 80.X and 81.X can be imported directly into Continent 4. Migration from Palo Alto Networks, Cisco, Juniper and FortiGate is carried out through an intermediate import into Check Point and then into Continent 4.1.7 using a special utility.

Vladimir Bazylev, Head of Business Development, Aikumen IBS (part of Rostelecom), highlighted in his report the options for using the IQPLATFORM search and analytics platform. He emphasized that the platform has a set of connectors that allow it to be integrated with any data source.

Vladimir Bazylev, Head of Business Development, Aikumen IBS

IQPLATFORM can be used for:

  • collecting and analyzing information about a counterparty in order to check its trustworthiness: analysis of assets, identification of a suspicious environment, possible conflicts of interest;
  • monitoring the situation in a region, with automatic monitoring of a large number of online information sources for events and automatic determination of their criticality; event data can be displayed on a map and converted into reports;
  • maintaining a security passport (anti-terrorist security) of a facility, with automatic monitoring of the information field and analysis of events occurring in geographical proximity to the protected facilities;
  • monitoring the reputational background around an event, etc.

"The objects of research on the IQPLATFORM platform can be a region, a facility, an organization, a specific person, or a network device and the logs associated with it," Vladimir Bazylev listed.

During the break and at the end of the conference, the participants talked informally and also had the opportunity to get acquainted with the solutions and services of IT suppliers at the stands set up in the event hall.