A conceptual approach to building a mobile security administrator workstation.

Andrey Fadin

In the modern world, IT infrastructure has penetrated almost every organization, and every organization faces both external and internal information security threats. Depending on the organization's size, the nature of its activities and other factors, the goals for ensuring the confidentiality, integrity and availability of the information it processes are defined in one form or another, and an information security policy is formed accordingly.

But this document remains a meaningless piece of paper unless there are people responsible for monitoring its implementation and enforcing it. Among them, one of the important roles is that of the information security administrator (not to be confused with the system administrator).

1. Information security (protection) administrator. Tasks and areas of activity. Security administrator tools

In accordance with the definition given in the guideline document of the State Technical Commission of Russia “Protection from unauthorized access to information: Terms and definitions”, a security administrator is an access subject responsible for protecting an automated system (AS) from unauthorized access (UA) to information.

How is this protection ensured? In the case of technical protection of information, we face a whole range of software and hardware-software information protection tools.

Besides such widely known and widespread tools as firewalls (FW), antivirus software, trusted boot and trusted environment tools, and intrusion detection systems (IDS), other types of tools are required to verify that all of the above products actually do their job. In the relevant regulatory documents such tools are referred to as tools for testing and monitoring the effectiveness of information protection, or security analysis tools.

In other words, the information security administrator needs tools with which to test the security of both the network and individual automated workstations (AWS).

Let us consider a typical set of methods for analysing the security of an AS. The security administrator needs to:

receive up-to-date information about the composition and structure of the network and the open services on it;
conduct testing for known vulnerabilities (penetration testing);
check the strength of the passwords in use;
monitor the integrity of critical information;
monitor and, where necessary, study network traffic between selected network nodes;
test the guaranteed data clearing system;
conduct a system audit of the computers in the AS (hardware, software configuration, logs).

2. Requirements for the information security administrator's workplace.

Let us list the main requirements for the environment and workplace of the information security administrator:

1) Protection from unauthorized access to the information the security administrator processes at the workplace (passwords, keys, results of the AS audit, etc.).

This requirement can be met by a trusted environment in which the administrator works, combined with one of two mechanisms for protecting this information: either guaranteed clearing of the data when work is finished, or encrypting it while it is stored.

2) Mobility (portability) of the security administrator's workplace (the ability to connect to any network segment and perform a local check of each automated workstation, or a cross-check of the connection between segments).

3) Completeness of the toolkit: all the tools needed for the work should be available «out of the box», and deploying them should require a minimum of time and effort from the administrator.

4) Certification: to work in environments that process restricted-access information, the security administrator must use certified protection tools and certified tools for monitoring the effectiveness of information protection.

3. Example of implementation of a mobile workstation for a security administrator

At present there is no set of certified tools for monitoring, inventory, integrity control, vulnerability scanning and checking the strength of authentication systems that would allow a mobile security administrator's workplace to be built, with the exception of the trusted bootable security administrator environment «Scanner-VS» (developed and manufactured by ZAO NPO Echelon).

Depending on the delivery, the Scanner-VS complex is a bootable CD (LiveCD) or a USB flash drive (LiveFlash) that starts its own operating environment, a Linux-derived operating system. This approach meets the first two requirements: the medium can be booted on virtually any x86-compatible computer without altering that computer's software environment, and all information processed by the administrator is held only in RAM, which guarantees that it is cleared when work is finished. At the administrator's request, reports and other data can be saved to external media; such saved data again falls under requirement 1 and should be stored encrypted.

This product meets requirement 4, since it holds certificates of conformity from the Russian Ministry of Defense and FSTEC of Russia.

In line with requirement 3, let us consider the functionality of «Scanner-VS». Among other products, it includes:

1) Network scanner.

A tool for inventory, state monitoring and probing of the network (provides various operating modes, including stealth modes for evading firewalls, and allows «snapshots» of the local area network (LAN) taken at different times to be saved and compared).
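The «snapshot» comparison mentioned above is the part of network inventory that actually finds change. The following is an added example, not Scanner-VS code: it parses two inventory snapshots written in nmap's grepable (-oG) output format and reports hosts and open ports that appeared or disappeared between them. Both snapshots are constructed sample text, not a real scan.

```python
"""Compare two LAN inventory snapshots (nmap grepable output) taken at different times.

Added example, not Scanner-VS code. Both snapshots below are constructed
sample lines in nmap's -oG format; comment lines are skipped as nmap writes them.
"""
import re

SNAPSHOT_MONDAY = """\
# (constructed) earlier scan of 192.168.10.0/24
Host: 192.168.10.1 ()\tStatus: Up
Host: 192.168.10.1 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 192.168.10.20 ()\tStatus: Up
Host: 192.168.10.20 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///
"""
SNAPSHOT_FRIDAY = """\
# (constructed) later scan of the same segment
Host: 192.168.10.1 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 23/open/tcp//telnet///
Host: 192.168.10.20 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///
Host: 192.168.10.77 ()\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///
"""

# one port entry looks like "22/open/tcp//ssh///": number / state / protocol / ...
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_grepable(text):
    """Return {host: {(port, proto), ...}} containing only ports reported as open."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comments and blank lines
        fields = line.split("\t")         # -oG separates fields with tabs
        host = fields[0].split()[1]
        hosts.setdefault(host, set())     # a "Status: Up" line still registers the host
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for port, state, proto in PORT_RE.findall(field):
                    if state == "open":
                        hosts[host].add((int(port), proto))
    return hosts


def diff_snapshots(old, new):
    """Hosts and open ports that appeared or disappeared between two snapshots."""
    report = {
        "new_hosts": sorted(set(new) - set(old)),
        "gone_hosts": sorted(set(old) - set(new)),
        "opened": {},
        "closed": {},
    }
    for host in set(old) & set(new):
        opened = new[host] - old[host]
        closed = old[host] - new[host]
        if opened:
            report["opened"][host] = sorted(opened)
        if closed:
            report["closed"][host] = sorted(closed)
    return report


if __name__ == "__main__":
    result = diff_snapshots(parse_grepable(SNAPSHOT_MONDAY), parse_grepable(SNAPSHOT_FRIDAY))
    for key, value in result.items():
        print(f"{key}: {value}")
```

In the constructed data the comparison surfaces exactly what an administrator wants from two scans: a new host (192.168.10.77) with FTP and HTTP, a newly opened telnet port on the gateway, and RDP on 192.168.10.20 that is no longer reported open.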

2) Security scanner, a tool for finding vulnerabilities in network resources.

A multifunctional tool for detecting the software used on network nodes, penetration testing and detecting up to 17,000 different vulnerabilities.

«Scanner-VS» has mechanisms for updating via the Internet, including vulnerability databases for the security scanner.

3) Password auditor.

A tool for analysing and attempting to recover local and network passwords.

Allows inventorying and attacking the passwords of local and network accounts on Windows and Linux operating systems (including protected operating systems such as MSVS, Linux XP and Astra Linux).

Provides various types of brute-force and dictionary enumeration.
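To make the difference between the enumeration types concrete, here is an added example (not Scanner-VS code) of a password audit run against constructed account records: a dictionary pass with common mangling rules, followed by a mask (brute-force) pass over short numeric PINs. The hash format `sha256$<salt>$<hex digest of salt+password>` is an assumption chosen so the block runs on the standard library alone; auditing real Linux sha512-crypt or Windows NT hashes changes only `hash_password()`, the enumeration logic stays the same.

```python
"""Dictionary, rule-based and mask attacks on salted password hashes.

Added example, not Scanner-VS code. The record format is an assumption:
"user:sha256$<salt>$<sha256(salt + password) hex>". All records and the
wordlist are constructed test data.
"""
import hashlib
import itertools
import string


def hash_password(salt, password):
    """Assumed hash scheme; swap for sha512-crypt / NT hash for real targets."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_record(user, salt, password):
    return f"{user}:sha256${salt}${hash_password(salt, password)}"


# Constructed account records, as if dumped from a credential store.
RECORDS = [
    make_record("alice", "x9", "Summer2024"),   # dictionary word + rule
    make_record("bob", "k3", "letmein"),        # plain dictionary word
    make_record("carol", "q7", "7391"),         # numeric PIN, falls to the mask
    make_record("dave", "m5", "Tr0ub4dor&3"),   # survives every pass below
]
WORDLIST = ["password", "letmein", "summer", "welcome", "admin"]


def rule_variants(word):
    """Common user habits: capitalisation plus an appended digit, year or symbol."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("1", "123", "2023", "2024", "!"):
            yield base + suffix


def mask_candidates(charset, max_len):
    """Exhaustive enumeration of every string over charset up to max_len."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=n):
            yield "".join(chars)


def parse_record(record):
    user, blob = record.split(":", 1)
    _algo, salt, digest = blob.split("$")
    return user, salt, digest


def audit(records, wordlist, pin_len=4):
    """Return {user: recovered password} for every hash that falls."""
    targets = {u: (s, d) for u, s, d in map(parse_record, records)}
    found = {}

    def attempt(candidates):
        # Salts differ per account, so every candidate is hashed once per target.
        for cand in candidates:
            for user, (salt, digest) in targets.items():
                if user not in found and hash_password(salt, cand) == digest:
                    found[user] = cand

    attempt(v for w in wordlist for v in rule_variants(w))   # dictionary + rules
    attempt(mask_candidates(string.digits, pin_len))         # mask: ?d?d?d?d
    return found


if __name__ == "__main__":
    for user, pw in audit(RECORDS, WORDLIST).items():
        print(f"{user}: {pw}")
```

The unsalted or per-site-salted cases behave differently in cost: with a shared salt each candidate is hashed once for all accounts, with per-account salts (as here) the work multiplies by the number of accounts, which is the reason the mask pass is kept to a short numeric space in this example.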

4) Integrity monitoring of files, folders, disk sectors and other objects.

The tool allows checksums of files and folders, as well as of disk sectors, to be computed and compared using all popular hashing algorithms, and generates the corresponding reports.
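As an added example of the baseline-and-compare procedure just described (not Scanner-VS code), the block below hashes a directory tree file by file and a raw image sector by sector, then classifies the differences between two baselines as modified, added or removed. It runs entirely on a constructed temporary tree and a constructed four-sector image; on a real check the image argument would be a block device such as /dev/sda (which needs root) or a dd copy of it.

```python
"""Baseline and re-check checksums of files, directory trees and disk sectors.

Added example, not Scanner-VS code. Algorithm names are whatever hashlib
supports; the baseline is a plain dict here (a real check keeps it off the
audited host, e.g. on the administrator's own boot medium).
"""
import hashlib
import os
import tempfile

SECTOR = 512


def file_digest(path, algo="sha256"):
    """Digest a file in chunks so large binaries need not fit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_baseline(root, algo="sha256"):
    """{relative path: digest} for every regular file under root (symlinks skipped)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            baseline[os.path.relpath(full, root)] = file_digest(full, algo)
    return baseline


def sector_baseline(device, first, count, algo="sha256"):
    """{sector number: digest} for `count` sectors starting at sector `first`.
    `device` is a block device (e.g. /dev/sda) or a raw dd image of one."""
    digests = {}
    with open(device, "rb") as f:
        f.seek(first * SECTOR)
        for n in range(first, first + count):
            data = f.read(SECTOR)
            if not data:
                break
            digests[n] = hashlib.new(algo, data).hexdigest()
    return digests


def compare(baseline, current):
    """Classify every difference between two baselines of the same object set."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Run on a constructed directory tree and a constructed 4-sector image."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        put("etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
        put("etc/hosts", b"127.0.0.1 localhost\n")
        before = tree_baseline(root)
        # simulated tampering: extra uid-0 account, new cron job, deleted file
        put("etc/passwd", b"root:x:0:0:root:/root:/bin/bash\nsvc:x:0:0::/:/bin/sh\n")
        put("etc/cron.d/job", b"* * * * * root /tmp/x\n")
        os.remove(os.path.join(root, "etc", "hosts"))
        tree_diff = compare(before, tree_baseline(root))

        image = os.path.join(root, "disk.img")
        sectors = [bytes([n]) * SECTOR for n in range(4)]
        with open(image, "wb") as f:
            f.write(b"".join(sectors))
        base = sector_baseline(image, 0, 4)
        sectors[2] = b"\xaa" * SECTOR          # overwrite one sector (boot code, say)
        with open(image, "wb") as f:
            f.write(b"".join(sectors))
        sector_diff = compare(base, sector_baseline(image, 0, 4))
    return tree_diff, sector_diff


if __name__ == "__main__":
    print(demo())
```

Sector-level hashing is what catches changes that file-level hashing cannot see, such as a modified boot sector or data written outside any file system; the same `compare()` serves both because both baselines are just maps from an object name to a digest.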

5) Traffic analyzer, a tool for intercepting (sniffing) network traffic and monitoring the information transmitted.

The tool allows traffic between arbitrary machines on a switched network to be intercepted (using ARP spoofing where necessary); the intercepted traffic can then be analysed and important information extracted from it (for example, authentication passwords). It is also possible to intercept and decrypt encrypted traffic by substituting certificates, which only succeeds where the client does not verify the server certificate or has been made to trust the substituted one.

6) General system analyzer, a tool for taking a «snapshot» of the software and hardware configuration of a workstation and of its event logs (for example, USB device activity).
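The event-log part of such a snapshot is shown here as an added example (not Scanner-VS code): a parser that reconstructs a USB device history from Linux kernel log lines and flags mass-storage devices whose serial number is not on an allow-list. The log lines are constructed in the usual syslog/kernel format, and the allow-list of serial numbers is an assumption.

```python
"""Reconstruct USB device activity from kernel log lines.

Added example, not Scanner-VS code. SAMPLE_LOG is constructed in the usual
Linux syslog format; the allow-list passed to unauthorized_storage() is an
assumption of whoever runs the audit.
"""
import re

SAMPLE_LOG = """\
Mar  3 09:12:01 ws17 kernel: usb 1-1.2: new high-speed USB device number 5 using ehci-pci
Mar  3 09:12:01 ws17 kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Mar  3 09:12:01 ws17 kernel: usb 1-1.2: Product: Ultra Fit
Mar  3 09:12:01 ws17 kernel: usb 1-1.2: Manufacturer: SanDisk
Mar  3 09:12:01 ws17 kernel: usb 1-1.2: SerialNumber: 4C530001234567890123
Mar  3 09:12:02 ws17 kernel: usb-storage 1-1.2:1.0: USB Mass Storage device detected
Mar  3 09:40:15 ws17 kernel: usb 1-1.2: USB disconnect, device number 5
Mar  3 10:05:44 ws17 kernel: usb 1-1.3: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.01
Mar  3 10:05:44 ws17 kernel: usb 1-1.3: Product: USB Receiver
Mar  3 10:05:44 ws17 kernel: usb 1-1.3: Manufacturer: Logitech
"""

# "<timestamp> <host> kernel: usb[-storage] <port>[:<iface>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: "
    r"(?P<src>usb(?:-storage)?) (?P<port>[\d.-]+)(?::[\d.]+)?: (?P<msg>.*)$"
)
FOUND_RE = re.compile(r"New USB device found, idVendor=(\w+), idProduct=(\w+)")
ATTR_RE = re.compile(r"^(Product|Manufacturer|SerialNumber): (.*)$")
ATTR_KEYS = {"Product": "product", "Manufacturer": "manufacturer", "SerialNumber": "serial"}


def usb_history(log_text):
    """One record per plug-in event, in order of appearance in the log."""
    devices, plugged = [], {}        # plugged: port -> record not yet disconnected
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, port, msg = m.group("ts"), m.group("port"), m.group("msg")
        found = FOUND_RE.search(msg)
        if found:
            rec = {"port": port, "vid": found.group(1), "pid": found.group(2),
                   "product": None, "manufacturer": None, "serial": None,
                   "mass_storage": False, "connected": ts, "disconnected": None}
            devices.append(rec)
            plugged[port] = rec
            continue
        rec = plugged.get(port)
        if rec is None:
            continue                  # chatter before the "found" line, or unknown port
        attr = ATTR_RE.match(msg)
        if attr:
            rec[ATTR_KEYS[attr.group(1)]] = attr.group(2)
        elif msg.startswith("USB Mass Storage device detected"):
            rec["mass_storage"] = True
        elif msg.startswith("USB disconnect"):
            rec["disconnected"] = ts
            del plugged[port]
    return devices


def unauthorized_storage(devices, allowed_serials):
    """Mass-storage devices whose serial is not on the allow-list (None counts as not allowed)."""
    return [d for d in devices if d["mass_storage"] and d["serial"] not in allowed_serials]


if __name__ == "__main__":
    history = usb_history(SAMPLE_LOG)
    for d in history:
        print(d)
    print("unauthorized:", unauthorized_storage(history, {"0000-approved-serial"}))
```

Reading the device description lines (Product, Manufacturer, SerialNumber) rather than only the vendor/product IDs matters for the audit: the IDs identify a model, while the serial identifies the particular stick that was plugged in.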

7) A tool for checking the guaranteed data clearing system (allows a sector-by-sector search for residual sensitive information that was not cleared after a computer session; the search uses patterns from a generated dictionary, taking into account various encodings and file formats).
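The encoding point is the part that trips up a naive check: the same password is a different byte pattern in UTF-8, UTF-16 and a Windows code page, and a pattern can straddle a sector boundary. The block below is an added example (not Scanner-VS code) of such a residual-data search over a constructed six-sector image; the set of encodings to try is an assumption.

```python
"""Sector-by-sector search of a raw image for residual sensitive data.

Added example, not Scanner-VS code. The image is constructed in memory; on a
real check the input is a block device or a dd image of it. ENCODINGS is an
assumption about which codepages are worth checking.
"""
SECTOR = 512
ENCODINGS = ("utf-8", "utf-16-le", "cp1251")


def build_needles(dictionary, encodings=ENCODINGS):
    """Map each byte pattern to (word, encodings that produce it).
    ASCII-only words give identical bytes in utf-8 and cp1251, so one
    pattern may stand for several encodings."""
    by_bytes = {}
    for word in dictionary:
        for enc in encodings:
            try:
                raw = word.encode(enc)
            except UnicodeEncodeError:
                continue                     # word not representable in this codepage
            by_bytes.setdefault(raw, (word, set()))[1].add(enc)
    return {raw: (word, tuple(sorted(encs))) for raw, (word, encs) in by_bytes.items()}


def scan_image(image, needles, sector=SECTOR):
    """Sorted (sector, byte offset, word, encodings) for every match.
    The last maxlen-1 bytes of the previous sector are carried over so a
    string straddling a sector boundary is found, and found only once."""
    maxlen = max(len(raw) for raw in needles)
    hits, carry = [], b""
    for idx in range((len(image) + sector - 1) // sector):
        block = image[idx * sector:(idx + 1) * sector]
        window = carry + block
        for raw, (word, encs) in needles.items():
            pos = window.find(raw)
            while pos != -1:
                if pos + len(raw) > len(carry):     # matches wholly in the carry were reported already
                    off = idx * sector - len(carry) + pos
                    hits.append((off // sector, off, word, encs))
                pos = window.find(raw, pos + 1)
        carry = block[-(maxlen - 1):] if maxlen > 1 else b""
    return sorted(hits)


def build_sample_image():
    """Constructed 6-sector image: zeroed except for three leftovers."""
    img = bytearray(SECTOR * 6)

    def put(offset, data):
        img[offset:offset + len(data)] = data

    put(1 * SECTOR + 100, b"password=Qwerty123")              # plain text in sector 1
    put(3 * SECTOR - 8, "Qwerty123".encode("utf-16-le"))      # straddles sectors 2 and 3
    put(4 * SECTOR + 10, "секретно".encode("cp1251"))         # Cyrillic in a Windows codepage
    return bytes(img)


DICTIONARY = ["Qwerty123", "секретно"]      # constructed "generated dictionary"

if __name__ == "__main__":
    for sec, off, word, encs in scan_image(build_sample_image(), build_needles(DICTIONARY)):
        print(f"sector {sec} offset {off}: {word!r} as {'/'.join(encs)}")
```

Run on the sample image the search reports all three leftovers, including the UTF-16 copy that a sector-at-a-time search without carry-over would miss and the Cyrillic word that a UTF-8-only search would miss.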

Conclusion

The analysis showed that virtually all typical, repetitive operations and methods for analysing network security can be performed from a portable (in effect, virtual) security administrator's workplace.

This approach has a number of advantages both in terms of resource use (no need to purchase new PCs or to change the network topology and addressing) and in terms of security (a trusted environment protected from modification, quick access to all tools, ease of connection to virtualization tools), among others.

The certified solution studied (the security analysis tool «Scanner-VS») fully meets these requirements.
