DIT of Moscow will invest 359.6 million rubles in the analysis of the security of IT systems
Customers: Moscow Department of Information Technology (DIT) Moscow; State and social structures
Contractors: Visum, National Innovation Center (NIC)
Project date: 2025/01 - 2026/12
Project's budget: 359 643 803 rubles
In early December, the Moscow Department for Competition Policy published a tender[1] for the provision of services for analyzing the security of information systems and resources of the city of Moscow, offering 359.6 million rubles for them. According to the documentation, this money is to be paid to the winner of the tender over two years as it fulfills the tasks specified in the tender. The terms of reference were signed by the head of the Moscow DIT, Eduard Lysenko. Applications to participate in the competitive procedure are accepted until December 20.
The statement of work says that the assessment should be performed within 710 days from the date of signing the contract, although it may end ahead of schedule if the funding is exhausted. The assessment is to be carried out in five main directions: testing from the point of view of an external attacker ("black box"), on which it is proposed to spend 22.72% of the contract price; protection against an internal intruder ("white box") - 71.66%; mobile application security analysis - 4.28%; data center security - 0.71%; and the possibility of attacks over wireless networks - 0.54%. Another 0.09% of the project budget is planned for preparing the entire process and coordinating ongoing work. Work should be carried out in both 2025 and 2026.
The objectives of this activity are to reduce the technical and reputational risks associated with the possible inaccessibility of Moscow's information resources and services and with violation of the integrity of restricted-access information due to unauthorized access. A further objective is to improve the efficiency of budget spending on the protection of restricted information by forming a program of measures to increase the security of information resources, based on an assessment of the effectiveness of the information security measures already in use.
All work and its timing are agreed with the customer. The contractor first independently analyzes the security of the specified system, then proposes methods for analyzing its security, which are agreed with the customer. Moreover, during the study, the customer allows several methods from the attack chain to be used in sequence: execution, persistence, privilege escalation, defense evasion, credential access, information gathering, lateral movement, data exfiltration and even causing damage.
For white box analysis, the Moscow DIT even allocates its own resources located inside its corporate network and allows the contractor to install software on them to simulate attacks. White box research is one of the most resource-intensive parts, since it involves the following security analysis methods: guessing credentials (identifiers, passwords, keys), both online through direct attempts to access resources and offline based on hash values; distributed denial-of-service (DDoS) attacks; exploitation of one or more identified vulnerabilities and privilege escalation; and development of the attack up to obtaining maximum access to one or more critical resources, such as the Active Directory domain of the corporate network or a DBMS.
The terms of reference show that during password brute-forcing or DDoS attacks, the load on the internal network can increase greatly. Admittedly, it is assumed that this work will be agreed with the customer and carried out at night or on weekends, but citizens can use the mobile application or the Moscow portal at any time. However, in the requirements for the quality of the services provided, the customer prescribed not only compliance with the agreed deadlines for the study, but also the absence of any cases of complete shutdown or denial of service of information resources and hardware.
It should be noted that similar tenders have been held before. In particular, in October 2022, a similar tender was organized by the Moscow DIT itself in the amount of 284.6 million rubles. It involved the provision of services within 600 days and was won by Visum. In addition, in 2015, DIT of Moscow also held a tender[2] to select a provider of services for analyzing the security of information systems available from the Internet. Naturally, the cost then was much lower - only 9.5 million rubles - and the winner was CJSC National Innovation Center.
2022: DIT of Moscow chose a contractor for large-scale testing of the security of IT systems
DIT of Moscow signed a state contract with Visum in the amount of about 284.6 million rubles for the provision of services for analyzing the security of information systems that are under the jurisdiction of the Department[3]. Information about this was published at the end of October 2022 on the public procurement portal. The deadline for the work is 600 days, and the work will be carried out in several stages in 2022-2024.
Within the framework of the project, a security analysis will be carried out using access to information resources and hardware, taking into account the capabilities of an external violator, as well as an internal violator - using access to information resources and hardware from local networks. In addition, an analysis of the security of a wireless network, information systems from applications for mobile devices and an analysis of the security of elements of the data center infrastructure are required.
Visum should identify vulnerabilities in Moscow DIT information systems related to information security and configuration errors of IT infrastructure components, assess the current level of security of IT systems available from the Internet, and analyze the current state of security of the data center perimeter.
The means and methods of security analysis used by the contractor must be agreed in advance with the DIT of Moscow and provide for penetration testing of information systems, including by social engineering methods if necessary, the terms of reference say.
Intrusion testing by an external intruder will be a practical demonstration of possible attack scenarios that allow an attacker to bypass the protection mechanisms of the system and gain maximum privileges in its critical components. And intruder penetration testing should show the highest possible level of access in critical infrastructure components.
The terms of reference say that the security analysis of the Moscow DIT IT systems is carried out in order to reduce the reputational and technical risks associated with the possible inaccessibility of services and violation of the integrity of restricted-access information that does not contain information constituting state secrets, due to unauthorized access.
The stated goals of the work also include increasing the efficiency of budget spending on information protection by assessing the effectiveness of the information security measures in use, and forming a program of measures to increase the level of security of the urban information systems operated by DIT of Moscow.
The largest share of expenses under the contract is allocated to security analysis using access to information resources and hardware from local networks, i.e. from the position of an internal intruder. It accounts for more than 60% of the cost of the entire state contract.
DIT of Moscow also purchased similar services in 2020 and 2021, but then the deadlines for the provision of services prescribed in the terms of reference were shorter - 345 and 300 days, respectively. The initial prices of these contracts were about 150 and 167 million rubles, respectively.
In both previous cases, the state contracts following the tenders were also concluded with Visum, according to information on the public procurement portal. Subsequently, additional agreements to them were concluded, under which the volume of services and the final prices of the contracts were increased.
According to the Kontur.Fokus database of legal entities, Visum was formed in 2015. The database also contains information about 33 state contracts with a total volume of about 2.1 billion rubles concluded with Visum by various organizations over its entire history.
In 2021, the company's revenue amounted to about 409 million rubles, and its largest state contract in the same year was an agreement with DIT for services for analyzing the security of information systems. In 2022, Visum entered into a state contract with the Ministry of Digital Development in the amount of about 337 million rubles for an independent analysis of the security of state information systems. And in 2018, it participated in ensuring the cybersecurity of the World Cup facilities.
The founders of Visum are individuals, Russian citizens Tamara Ikonnikova and Margarita Khokhlova. The general director of the company is Alexander Ikonnikov. He was previously an employee of Jet Infosystems, where he worked with government authorities.
Alexander Ikonnikov told TAdviser that the backbone of the Visum team is made up of information security experts with many years of experience in the industry. He calls the researchers of the security analysis department "the special pride of the company, top-level professionals who were included in the Visum team from various organizations."
The general director of Visum told TAdviser that the company has enough resources (security analysis engineers, analysts, methodologists, administrative employees) to fulfill contracts with DIT of Moscow and the Ministry of Digital Development. According to him, as of the end of October, the company employs 110 people, and the staff is actively growing.
Alexander Ikonnikov says that Visum mainly works with the public sector. There are contracts with private structures, however, due to the specifics of the business, the company does not disclose the details of its cooperation with them. Also, according to him, the company never sought publicity and self-promotion.
The general director of Visum assesses the current level of threats to the country's computing infrastructure and information systems as high. Hackers are becoming more sophisticated, and attacks are ongoing both from far abroad and from the territory of neighboring states, and from all time zones. Social engineering and remote infection of end devices are actively used. Since the weakest link in any security, including information security, is a person, all hacks are focused on him.
"It is quite difficult to give specific statistics on how much the number of cyber attacks has increased, since we can operate only with those attacks that were detected and repelled or prevented. But even from what we see, since February 2022 the growth has been significant, multiple," notes Alexander Ikonnikov. "That is why the operational search for vulnerabilities, their elimination, intelligence and investigation of incidents, as well as raising the level of awareness of the state and the main economic operators about the nature of current threats to information security are now coming to the fore."
Notes
- [1] Provision of services for analyzing the security of information systems and resources of the city of Moscow
- [2] Provision of services for analyzing the security of information systems available from the Internet
- [3] Provision of services for analyzing the security of information systems available from the Internet