2024/09/03 12:01:50

Requirements for information protection in state information systems


2024: State sites in Russia began to close access to foreign search bots on the recommendation of the FSTEC

The Federal Service for Technical and Export Control (FSTEC) at the end of August 2024 recommended that Russian state bodies close access to their sites for foreign search bots. This measure is aimed at preventing the use of foreign robots, such as OpenAI's GPTBot, to collect information about possible vulnerabilities and personal data on government information resources. Some departments have already disconnected their resources from bots.

According to Kommersant, FSTEC sent the relevant recommendations to the federal executive authorities. The document states that foreign search bots can use the collected data to train machine learning models abroad, which carries potential risks for Russia's information security. The agency advises restricting these bots' access to the sites and servers of state agencies through the robots.txt file, in order to prevent them from being indexed.


Despite the FSTEC recommendations, by September 2, 2024, not all state sites had followed them. For example, the FSTEC's own website had no ban on GPTBot in its robots.txt file, and the same was true of the websites of the Ministry of Emergencies, the Ministry of Health and the Ministry of Digital Development. At the same time, the websites of the Ministry of Justice and the FSB blocked access for all Internet robots entirely.
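The check described above, performed by hand on the FSTEC site, is easy to automate: the standard-library robots.txt parser can tell whether a given user agent is disallowed for a given path, and the same logic can generate the "block named bots" or "block everything" variants the article mentions. The following is an added example, not code from FSTEC or from any of the agencies named; the robots.txt text is constructed for illustration, GPTBot is the only crawler the recommendation names, and the other bot names are assumed examples of what a site owner might list.

```python
from urllib.robotparser import RobotFileParser

# Constructed sample robots.txt for illustration; not taken from any real agency site.
SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/

User-agent: GPTBot
Disallow: /

User-agent: ClaudeBot
Disallow: /
"""

# Crawlers to check. GPTBot is the one named in the FSTEC recommendation;
# the others are assumed examples of foreign bots a site owner might also list.
FOREIGN_BOTS = ("GPTBot", "ClaudeBot", "Googlebot", "Applebot")


def parse_robots(text):
    """Parse robots.txt text with the standard-library parser (no network access)."""
    rp = RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def blocked_bots(text, path="/", bots=FOREIGN_BOTS):
    """Map each bot name to True if robots.txt disallows it for `path`.

    A bot that is neither named in its own group nor covered by a blanket
    'User-agent: *' rule for this path is reported as not blocked.
    """
    rp = parse_robots(text)
    return {bot: not rp.can_fetch(bot, path) for bot in bots}


def build_robots_txt(bots, block_all=False):
    """Emit a robots.txt that disallows the whole site for each named bot.

    block_all=True adds a 'User-agent: *' / 'Disallow: /' group, the
    "close everything" variant the article attributes to some sites.
    """
    lines = []
    if block_all:
        lines += ["User-agent: *", "Disallow: /", ""]
    for bot in bots:
        lines += [f"User-agent: {bot}", "Disallow: /", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    # Report which of the listed bots the sample file keeps off the site root.
    for bot, blocked in blocked_bots(SAMPLE_ROBOTS_TXT).items():
        print(f"{bot:10s} {'blocked' if blocked else 'NOT blocked'}")
    # Generate a file that closes the whole site to two named crawlers.
    print(build_robots_txt(["GPTBot", "Applebot"]))
```

Two caveats a practitioner would add. First, robots.txt is a voluntary convention: it is honoured by cooperative crawlers, while the bots the next paragraphs describe, those that scan for vulnerable forms and outdated components, simply ignore it, so an actual block requires server-side filtering by user agent or source address. Second, a `Disallow` line is itself public information, so listing sensitive paths in robots.txt advertises them to anyone who reads the file.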

Earlier, in May 2024, Roskomnadzor also sent similar recommendations to hosting providers, offering to restrict access to Russian resources for foreign bots, including bots from Google, OpenAI and Apple.

Cybersecurity experts note that search bots can scan sites for outdated plugins, configuration errors and other vulnerabilities that could be exploited by attackers. Andrei Shomenko, head of the development department of the TI department of the Positive Technologies security expert center, explained that the main task of such robots is to collect information about network resources available for connection on the Internet. At the same time, he said, there are bots that purposefully search for vulnerable elements, such as unprotected feedback forms, in order to embed malicious code in them.[1]

2022

FSTEC has developed a methodology for assessing cybersecurity for government agencies

The Federal Service for Technical and Export Control (FSTEC) has developed a new methodology for assessing the degree of information security in government agencies and organizations with state participation, as well as in companies with critical information infrastructure (CII; these are banks, telecom operators, representatives of the fuel and energy complex, etc.). This became known on November 23, 2022.

As Kommersant writes with reference to the statement of the Deputy Director of FSTEC Vitaly Lyutikov, the new methodology at the initial stage will be advisory in nature, and after its testing, the transition to mandatory is possible.


"The goal is to form unified approaches to assessing the security of information in organizations," the FSTEC said. The service distinguishes four levels of security: high, basic enhanced, basic and low, according to the department's presentation, which Kommersant has seen. The result will be made up of three main indicators: organization and management of information protection, implementation of protection measures, and maintenance of its level (for example, monitoring, the company's response to an incident, and vulnerability management). In addition, staff training and employee awareness of cybersecurity issues will be taken into account.

The new FSTEC methodology is similar to the assessment of the "digital maturity" of organizations, which the office of Deputy Prime Minister Dmitry Chernyshenko applied to federal executive bodies as part of the digital transformation, a source in the government explained. According to him, the methodology is necessary for the authorities, because "now [as of November 2022] it is very difficult to collect a picture of cybersecurity in CII."

The approach being developed by FSTEC should become a reference for both customers and developers, believes Roman Mylitsyn, head of research at Astra Group. In his opinion, the methodology will be clarified and worked out on real problems.[2]

Ministry of Digital Development ordered state corporations to conduct an audit of cybersecurity

In June 2022, the Ministry of Digital Development of the Russian Federation sent a letter to 58 key state corporations, in which it indicated the need to conduct an information security audit. According to the appeal, which Kommersant got acquainted with, any specialized organizations certified by the FSTEC and the FSB can be involved in assessing the level of security of IT systems.

According to the press service of the Ministry of Digital Development, companies need to hold information security audit events before July 1, 2022. The department stressed that the letter is not a Ministry of Digital Development requirement, but is sent in pursuance of the decree of the President of the Russian Federation "On additional measures to ensure information security of the Russian Federation."

"As a result of the companies holding these events, information will be sent to the government, which will be taken into account when developing and implementing measures aimed at ensuring the safe functioning of Russia's information resources," the ministry stressed.

According to the publication, state corporations need to identify vulnerabilities in their systems and shortcomings in their tools for protecting against cyber attacks, as well as identify strategic risks, that is, unacceptable events for each enterprise. These include, in particular, leaks of personal data and other important information, as well as fraudulent activity in banking systems.

According to Ivan Melekhin, director of the IZ:SOC center for monitoring and countering cyber attacks at Informzaschita, it may take 40-50 days to solve the task for one small company, depending on the number of employees involved, and the specialists must be highly qualified. Specialized software, for example vulnerability scanners, will also have to be used, but not all domestic products meet the stated requirements, he added.

The list of companies ordered to conduct an information security audit includes Russian Post, Gazprom-Media Holding, Rosatom, Sibur, Sberbank, etc.[3]

Almost all regions of Russia have created headquarters for cybersecurity

On June 1, 2022, the Ministry of Digital Development of the Russian Federation reported that 99% of Russian regions and 85% of authorities created headquarters for information security. 76 out of 85 headquarters have been created and are functioning in full, eight are at the approval stage, TASS reports with reference to the press service of the department.

According to the Ministry of Digital Development, most of the regions were active and presented their proposals to improve the efficiency of work in the framework of cybersecurity. The ministry also added on June 1, 2022 that in the near future the tasks of the operational headquarters will be supplemented with measures to implement the presidential decree of May 1 "On additional measures to ensure the information security of the Russian Federation."


As specified in the Ministry of Digital Development, the program is being implemented at the maximum possible speed. By June 1, 2022, the overwhelming majority of authorities and almost all regions reported on the execution of orders.

As Kommersant writes with reference to the minutes of the meeting of Deputy Prime Minister Dmitry Chernyshenko with federal and regional leaders of the digital transformation, which took place on May 20, 2022, the Deputy Prime Minister of the Russian Federation instructed 18 federal ministries and departments to "immediately" complete the project to create headquarters in the regions to counter cyber threats. According to the publication, even where these structures are created, they work only on paper. The deadlines for the execution of orders are delayed by a shortage of specialized personnel and a long chain of approvals, experts interviewed by the newspaper say. In addition, they note, the creation of a headquarters in itself will not help much to protect against attacks, this will require additional measures and significant resources.[4][5]

Yandex, Sber Tech and other IT companies under the auspices of FSTEC have developed requirements for the protection of containerization tools

An expert group led by FSTEC has developed information security requirements for containerization tools. Dmitry Shevtsov, head of a FSTEC department, spoke about this at an industry conference in February 2022. After their discussion and revision by the end of February, it is planned to begin the regulatory impact assessment and then register the document with the Ministry of Justice.

The expert group that developed the requirements included representatives of Yandex, Sberbank, RusBITekha, Positive Technologies, RedSoft, ISP Sber Tech, BellSoft and several others. When forming the composition of participants, FSTEC was guided by those organizations that create solutions with containerization technologies and prepare for their certification, Shevtsov explained.


Containerization technologies, which have gained great popularity around the world, are also used in state information systems in Russia. In the context of the development of requirements for the protection of containerization means, the FSTEC representative mentioned the Gostech platform, to which it is planned to transfer many IT systems of government agencies. According to the idea, it should become the main tool for digital transformation in the public sector.

The Gostech technology stack contains containerization (Docker) and orchestration (Kubernetes), and one of its elements is OpenShift, an open and extensible container application platform that allows you to use Docker and Kubernetes.

It is not yet possible for persons who are not involved in their development to familiarize themselves with the draft new requirements: the document will still have a restrictive mark "For official use," Dmitry Shevtsov specified. The document will become available to a wider range when it is fully ready, and when FSTEC notifies about its availability.

It should be noted that a few years ago, at one of the conferences, FSTEC representatives said that they were working on requirements for protecting virtualization tools, and a draft of that document existed. According to Dmitry Shevtsov, in light of the work on the requirements for containerization tools, FSTEC will now try to update it.

"And I hope that in the foreseeable future we will work with an expert group on its publication," said the FSTEC representative.

2020

Russian encryption tools begin to be used in state systems

On July 3, 2020, it became known about the upcoming start of using Russian encryption in state IT systems. On July 15, an experiment will begin, the purpose of which is to prepare for the full implementation of domestic cryptographic systems, as well as for the transition of government agencies, organizations and citizens to electronic interaction using Russian solutions in the field of cryptographic protection.

The pilot project will last until March 1, 2021, reports TASS Information Agency of Russia with reference to the government decree, the text of which is posted on the portal of legal information.


According to the document, the project will be implemented by the Ministry of Digital Development, Communications and Mass Media, the FSB and FSTEC of Russia. Operators must submit proposals for the implementation of the pilot project to the Ministry of Digital Development by July 10, 2020, and the ministry itself, in agreement with the FSB, must develop and approve a pilot project plan by July 15.

By December, the Ministry of Telecom and Mass Communications will have to submit to the government a report on the progress of the pilot project, specified in a decree signed by Prime Minister Mikhail Mishustin.

As part of the experiment, the Cabinet plans to work out a mechanism for using the infrastructure of the so-called head certification center in order to further put it into commercial operation in accordance with the plans of the federal project "Information Security" within the framework of the national project "Digital Economy."

Among the participants in the pilot project were the State Information System of Housing and Communal Services, the Unified Register of Russian Programs for Electronic Computers and Databases, the Public Services Portal and the Unified State Information System of Social Security.

The Ministry of Telecom and Mass Communications was instructed to submit draft acts to the government by March 1, 2021 to create a legislative framework for the subsequent introduction of domestic cryptographic encryption tools.[6]

2019

Software manufacturers who do not disclose the source will be left without government orders in Russia

On September 20, 2019, it became known that certification rules for IT companies in Russia had become more complicated, as a result of which software manufacturers who refuse to disclose the source code of their software may be left without government orders.

On June 1, 2019, the Federal Service for Technical and Export Control (FSTEC) introduced rules under which developers of information protection tools must use special laboratories to assess whether their tools meet the new requirements, and must submit the data to FSTEC for re-registration of the certificate.


As several IT market participants explained to RBC, the new requirements provide for full access to the product's source code in order to check for undeclared capabilities (so-called "bookmarks", i.e. backdoors or hidden functions that, for example, lead to a violation of privacy).

"To start the certification process, any vendor will have to provide the source code of their products for analysis, but not all vendors can afford it due to their own security policies," Karina Nadazovskaya, head of the Kaspersky Lab certification group, confirmed to the publication.

According to Alexander Buravtsov, head of the information security service at New Cloud Technologies, as of September 20, 2019, there were no tools certified under the new rules in the register of information protection tools. From the moment an application is submitted until entry in the register, it can take from six months to several years, and even certificates issued at the end of August 2019 were issued under the old requirements, he said.

Earlier, FSTEC warned that from January 1, 2020, it could suspend certificates of compliance with information protection tools if developers and manufacturers of these tools do not reassess their compliance with trust levels. This means that such solutions cannot be used in government IT systems.[7]

Publication of changes to the requirements for information protection in state information systems

On September 17, 2019, it became known that the Federal Service for Technical and Export Control had published amendments to the Requirements for the Protection of Information Not Constituting a State Secret Contained in State Information Systems.[8] These requirements were approved at the beginning of 2013, and a number of changes have now been made to them.


The document was approved on May 28, 2019, but the order was published only in September 2019.

In total, changes are made to 18 points of the requirements, and most of the innovations are additions or specifics of the previously stated provisions.

The changes that come into force are primarily of interest to data centers that intend to host government information systems, as well as to operators of such systems who may wish to place them in a data center.

For example, it is emphasized that if an information system is created on the basis of the data center's information and telecommunication infrastructure, then such an infrastructure must be certified for compliance with the FSTEC requirements.

At the same time, the certificate of conformity is now issued for the entire service life of the information system, but the operator must "provide support for the compliance of the information protection system with the certificate of conformity within the framework of the implementation of the measures provided for in paragraph 18 of these requirements."

The updated version of the Requirements lists the following measures: analysis of threats to information security, management of the information security system, management of the configuration of the information system and its information security system, incident response, informing and training personnel, and control over ensuring the level of security of the information contained in the information system. It is also understood that a plan for all these activities is prepared in advance.

Section 18 has also been supplemented with three paragraphs, 18.5-18.7. They regulate procedures for responding to information security incidents, including analysis, taking measures to eliminate incidents, restoring systems and preventing recurrence; training of personnel, control over their awareness, and practical exercises; and measures to control and ensure the level of information security in the information system.

Personnel training is to be carried out at least once every two years, and measures to control the level of information security in the information system at least once a year.

"By and large, such events should be held much more often. The cyber threat landscape is constantly changing; for staff to be ready to cope with threats, they need to be trained much more regularly," believes Oleg Galushkin, director of information security at SEQ (formerly SEC Consult Services).

The FSTEC requirements propose that the operator carry out the measures to control the level of security either independently or with the involvement of an organization that holds a license for the technical protection of confidential information.

Also, the Requirements exempt operators from taking any additional security measures if the data center's security systems already provide adequate blocking of threats to the information system operating on its basis. At the same time, it is stipulated that when designing newly created or modernized information systems that have access to the Internet, only routers certified in the Russian Federation for compliance with information security requirements should be used.

Notes