This article explains how to achieve effective data protection through the standard information security services, and why compliance with the legal regulations in this area matters. It covers the key aspects of network protection and the legal issues tied to information security, and shows why a comprehensive approach is needed: technical controls combined with legal and regulatory requirements.
It describes the main security services and the problems of confidentiality, integrity and availability of information in computer systems.
Information security services are the basic building blocks used to counter attacks. Each service is designed to defeat a particular class of attack. The services discussed here should not be confused with the concrete security mechanisms that implement them.
How an organization uses these services depends on its own risk assessment and security planning. Knowing the basic security requirements lets you apply the appropriate service against each kind of attack.

The confidentiality service keeps information secret. Properly configured, it makes information available only to authenticated and authorized users. Its reliable operation depends on the identification and authentication service and on unique user identities. The service must cover the different forms information takes: printouts, files, and packets transmitted over networks.
Note
Throughout this discussion you will repeatedly see the requirement to authenticate individuals correctly. None of the services works in isolation, so deploying an off-the-shelf product without the services it depends on can leave gaps in the information security system.
Ensuring file confidentiality
There are different ways to keep documents confidential depending on their form. Paper documents must be stored in a dedicated place, and access to them is controlled by physical security.
Electronic documents raise additional subtleties. First, a file can exist in several places at the same time: on internal mass storage (hard drives or magnetic tapes), on removable media (floppy disks or flash drives) and on backups. Second, physical access to the storage location is not required in order to read the file. Keeping tapes and disks confidential is similar to protecting paper documents and comes down to limiting physical access. On computer systems, files are protected by access control mechanisms (file permissions, for example). These mechanisms depend on reliable identification and authentication of users and on correct configuration, so that system vulnerabilities do not leave loopholes around the access controls. The following table lists the mechanisms for ensuring file confidentiality and the requirements for them.

It is not enough to protect information only while it is stored as files, because attackers can intercept it while it is transmitted over a network connection. The confidentiality of information in transit over communication channels must therefore be ensured as well. This is done with encryption.

Encryption can be applied either to a single message or to all traffic of a connection.
In either case, a reliable identification and authentication system is required to establish the authenticity of the remote party.

The traffic-flow confidentiality service concerns the very fact that information is being transmitted between two endpoints; it does not concern the content of what is transmitted. The mere existence of a data flow lets a traffic analyzer identify which organizations are communicating, and the volume of traffic passing from node to node is itself valuable information. For example, news agencies have been known to watch pizza deliveries to the White House and the Pentagon: an increase in the number of pizzas suggests that something unusual is happening. There is a specific term for this kind of activity: traffic and pattern analysis.
Traffic-flow confidentiality is achieved by hiding the information transmitted between two endpoints inside a much larger volume of traffic. The Armed Forces of Ukraine use the following technique: two military units first establish a channel and then transmit a constant amount of data regardless of the number of messages actually sent (the unused capacity is filled with dummy data). The traffic volume therefore stays constant, and no change in the rate of real messages can be observed.
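The constant-volume technique described above, as an added example that is not part of the original article: every message is cut into frames of a fixed wire size and the unused space is filled with random filler, so an observer counting bytes on the link learns nothing from message lengths. The frame size (256 bytes) and the 2-byte length prefix are assumptions for the example; on a real link each frame would be encrypted as a whole, so that the length prefix is hidden too, and the sender would emit a frame on a timer whether or not it has anything to send.

```python
"""Constant-size framing so a traffic analyzer cannot read message lengths.

Added example (not from the original article). Assumptions: a fixed wire size
of FRAME_SIZE bytes and a 2-byte length prefix. Encryption of the finished
frame is left out; without it the length prefix would still be visible.
"""
import os
import struct

FRAME_SIZE = 256                  # assumed fixed size of every frame on the wire
HEADER = struct.Struct("!H")      # 2-byte big-endian length of the real payload
PAYLOAD_MAX = FRAME_SIZE - HEADER.size


def build_frames(message: bytes) -> list:
    """Split a message into frames of exactly FRAME_SIZE bytes each.

    An empty message still yields one frame, so a sender that calls this on a
    timer emits the same number of bytes whether or not it has anything to say.
    """
    chunks = [message[i:i + PAYLOAD_MAX]
              for i in range(0, len(message), PAYLOAD_MAX)] or [b""]
    frames = []
    for chunk in chunks:
        filler = os.urandom(PAYLOAD_MAX - len(chunk))   # random, not zeros
        frames.append(HEADER.pack(len(chunk)) + chunk + filler)
    return frames


def parse_frame(frame: bytes) -> bytes:
    """Recover the real payload of one frame and discard the filler."""
    if len(frame) != FRAME_SIZE:
        raise ValueError("malformed frame: wrong size")
    (length,) = HEADER.unpack_from(frame)
    if length > PAYLOAD_MAX:
        raise ValueError("malformed frame: bad length field")
    return frame[HEADER.size:HEADER.size + length]


def reassemble(frames) -> bytes:
    """Join the payloads of consecutive frames back into the message."""
    return b"".join(parse_frame(f) for f in frames)


def observer_view(frames) -> list:
    """What a traffic analyzer on the wire can measure: only frame sizes."""
    return [len(f) for f in frames]


if __name__ == "__main__":
    # Constructed sample: a short message and silence look identical on the wire.
    print(observer_view(build_frames(b"attack at dawn")))   # [256]
    print(observer_view(build_frames(b"")))                 # [256]
```

Note that the scheme hides lengths only if the filler is indistinguishable from data after encryption, and hides timing only if frames are sent at a fixed rate; framing alone does neither.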

Note
Most commercial organizations give no thought to the confidentiality of their data flows. In some cases, however, the very fact that a connection exists is secret information. Suppose two companies are about to merge: the appearance of new information flows between them is confidential until the deal is announced.
Attack prevention
The confidentiality service helps prevent access attacks. It does not eliminate the problem by itself, however; it must work together with the identification and authentication service to establish the identity of anyone trying to reach the information. With both in place, the risk of an attacker gaining unauthorized access is significantly reduced.
The integrity service ensures that information is correct. Properly organized, it gives users confidence that the information is accurate and has not been modified by someone else. The integrity service must work together with the identification service, which provides reliable authentication. This service is the "shield" against modification attacks. The information it protects can be paper printouts, files, or data transmitted over a network.
File integrity
As already mentioned, information can take the form of paper printouts or files. Paper documents are, of course, easier to protect, and it is much easier to establish that their content has been changed: an attacker needs real skill to make a forged document look authentic, whereas a file on a computer can be changed by anyone with access to it. There is no way to make paper documents impossible to forge, but there are ways to make forgery harder: sign every page, bind documents into folders, and keep several copies of each document. Although attackers have learned to forge signatures, it still takes serious skill. Adding a document to, or removing one from, a bound collection is difficult, and if copies have been sent to all interested parties, replacing every copy at once is practically impossible.
The main defense against document forgery is, of course, excluding unauthorized access altogether, using the same physical security mechanisms that ensure confidentiality.
To change an electronic file, an attacker need only open it in an editor and type in the desired changes; on saving, the new file overwrites the old one. The main way to maintain integrity here is access control on the file. With the access control mechanism you can mark a file read-only and grant write permission only to the users who are entitled to make changes; the identification and authentication service supports this. File access control works reliably as long as the files stay on a computer system or network controlled by the organization. But what if a file has to be sent to other departments or organizations? Then a different mechanism for detecting unauthorized changes is needed: the digital signature. A digital signature on a file makes it possible to determine whether the file has changed since the signature was created. A digital signature must be tied to a specific user, so the integrity service must include identification and authentication.
Ensuring the integrity of information during transmission
Data can be modified while it passes over a network connection, but this requires an interception attack. Strong identification and authentication mechanisms make interception harder, and encryption defeats a large number of modification attacks.
The availability service keeps information available: it provides access to computer systems and to the data and applications stored on them, and allows information to be transferred between two endpoints or computer systems. It mainly concerns information in electronic form, but it applies to paper documents as well.
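The two integrity checks described above, a signature over a set of files handed to another department and a check on data that has crossed a network, both reduce to the same mechanism: a digest of every item plus an authentication tag over the list of digests. The following added example (not the original article's code) implements that manifest with HMAC-SHA256 and a shared key, because that runs with the standard library alone; a digital signature does the same job with the signer's private key, so that the verifier needs only the public key and the tag is bound to one specific user. The file names, contents and key are constructed for the example.

```python
"""Keyed integrity manifest for a set of files, or for messages in transit.

Added example, not from the original article. HMAC-SHA256 with a shared key
stands in for a digital signature here; swap in a private-key signature to
tie the tag to one user instead of to everyone who holds the key.
"""
import hashlib
import hmac
import json

# Constructed sample share and key (example only; never hard-code a real key).
SAMPLE_FILES = {
    "policy.txt": b"All access to PHI requires a unique user ID.\n",
    "budget.csv": b"item,amount\nservers,12000\n",
}
KEY = b"example-shared-key-replace-in-production"


def file_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Canonical JSON so signer and verifier hash byte-identical input.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(files: dict, key: bytes, signer: str) -> dict:
    """List every file's digest and tag the whole list.

    Because the tag covers the list, adding, removing or swapping files is
    detected, not only edits to a file's content.
    """
    body = {"signer": signer,
            "files": {name: file_digest(data) for name, data in files.items()}}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_manifest(files: dict, key: bytes, manifest: dict) -> dict:
    """Report which files were modified, removed or added since signing.

    'trusted' is False when the manifest itself fails the tag check; the
    per-file lists are then left empty because they could not be believed.
    """
    expected = hmac.new(key, _canonical(manifest["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return {"trusted": False, "modified": [], "missing": [], "added": []}
    listed = manifest["body"]["files"]
    modified = sorted(n for n in listed
                      if n in files and file_digest(files[n]) != listed[n])
    missing = sorted(n for n in listed if n not in files)
    added = sorted(n for n in files if n not in listed)
    return {"trusted": True, "modified": modified, "missing": missing, "added": added}


if __name__ == "__main__":
    manifest = sign_manifest(SAMPLE_FILES, KEY, "alice")
    received = dict(SAMPLE_FILES)
    received["budget.csv"] = b"item,amount\nservers,120000\n"   # altered in transit
    print(verify_manifest(received, KEY, manifest))
```

The check is only as good as the access to the key: anyone who can read the shared key can re-sign a tampered manifest, which is exactly why the text insists that the integrity service rests on identification and authentication.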
Backups
The simplest way to preserve important information is to make a backup copy and keep it in a safe place. Backups can be on paper or on electronic media (magnetic tape, for example). They prevent total loss of information when files are destroyed, whether by accident or on purpose.
A safe place for backup media is a safe or an isolated room to which physical access is restricted. Restoring from backup takes time, however: the media must first be retrieved from storage, delivered to the right location and loaded into the system, and then each program, or the whole system, has to be restored.
Recovery after failure
Failover provides recovery of both data and processing. Systems configured for failover detect a failure and automatically restore the working state (running processes, access to information, or connections) using redundant equipment.
Failover is called direct (hot) recovery because it needs no manual intervention: the backup system is located at the same site as the primary system so that it can take over immediately if the primary fails. Because the equipment is duplicated, it is also the most expensive form of fault tolerance.
Disaster Recovery
Disaster recovery is the restoration of systems, information and production facilities after a natural disaster such as fire or flood. It is a complex process that returns an organization to working order when its main equipment or premises have become unreachable.
Attack Prevention
Availability mechanisms are used to restore systems after denial-of-service attacks. There are few reliable and effective ways to prevent DoS attacks, but this service reduces their effects and returns systems and equipment to a working state.
The identification service is often forgotten when security is discussed. The main reason is that this service does not prevent attacks on its own; it must work together with the other services to make them effective. Viewed in isolation it only adds complexity and cost to the security system. Without a reliable identification service, however, both the integrity service and the confidentiality service are doomed to fail.
Identification and Authentication
Identification and authentication serve the following functions. First, they establish the identity of an individual, and second, they prove that the individual is who they say they are. Authentication uses any combination of three things:
something you know (password or PIN);
something you have (smart card or badge);
something you are (fingerprint or retina scan).
You can use any one of these, but it is better to combine them, for example a password and a smart card. This is called two-factor authentication. It is much stronger than single-factor authentication because each factor has its own weakness: a password can be guessed, and a smart card can be stolen. Biometric authentication is harder to defeat, but a person can be forced to put a hand on the scanner.
In physical security, a badge is used for authentication and is considered sufficient for an employee to enter a building. Hand-geometry scanners are used to authenticate people entering secure, guarded facilities. In both cases the recognition mechanism is tied to the physical presence of the individual.
In the computer world, physical recognition is not available. Here a password is traditionally used to authenticate a user. The password is tied to a user ID assigned by the system administrator, and it is assumed that the administrator has some evidence that the person receiving the ID really is who they claim to be. The password is then the only factor establishing the user's identity and is therefore the "weak link": unlike in the physical world, there is no guarantee of the person's presence. For this reason two-factor authentication is recommended, as it gives a more reliable authentication mechanism.
Identification and authentication underpin access control and digital signatures in computer systems, which in turn ensure the confidentiality and integrity of files. They are essential to encryption and digital signature mechanisms. The user first authenticates to the local computer; the local computer then sends a message signed with the user's key, and the recipient uses the digital signature as proof that the sender is the author of the message.
The identification and authentication mechanism is key to other security services. If it fails, their reliable operation is compromised.
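As an added example that is not part of the original article, the following login routine combines the two factors recommended above: a password (something you know) checked against a salted PBKDF2 hash, and a time-based one-time code (something you have) from an authenticator device, implemented per RFC 4226/6238. The user record is constructed for the example, and its TOTP secret is the RFC 6238 test key so the codes can be compared with the published test vectors; a real deployment would store a random per-user secret.

```python
"""Two-factor login: password (something you know) + TOTP (something you have).

Added example, not from the original article. The user table is constructed;
the TOTP secret is the RFC 6238 test key "12345678901234567890".
"""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

TIME_STEP = 30   # seconds per TOTP step
DIGITS = 6


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted PBKDF2-HMAC-SHA256; the plaintext password is never stored."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // TIME_STEP)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock drift."""
    counter = now // TIME_STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


# Constructed user record (example only). Fixed salt so the table is reproducible.
_SALT, _HASH = hash_password("correct horse battery staple", salt=b"\x00" * 16)
USERS = {
    "alice": {"salt": _SALT, "hash": _HASH, "totp_secret": b"12345678901234567890"},
}


def login(username: str, password: str, code: str, now: Optional[int] = None) -> bool:
    """Succeed only when both factors check out.

    Both checks always run, so a wrong password and a wrong code take the
    same time and the response does not reveal which factor failed.
    """
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None:
        return False
    _, candidate = hash_password(password, user["salt"])
    password_ok = hmac.compare_digest(candidate, user["hash"])
    code_ok = verify_totp(user["totp_secret"], code, now)
    return password_ok and code_ok


if __name__ == "__main__":
    print(totp(USERS["alice"]["totp_secret"], int(time.time())))
```

A stolen password alone fails the check, as does a stolen authenticator alone; the drift window of one step is a deliberate trade-off, since a wider window gives an attacker who has observed a code more time to replay it.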

Audit
Auditing provides a record of the events that have occurred. Audit records link a user to the actions that user performed in the system. Without a reliable identification and authentication service, auditing is useless, since there is no guarantee that the recorded actions were really performed by the person named.
In the physical world, auditing is done with sign-in logs, visitor lists and video recordings. Its task is to account for the actions performed. The integrity service must ensure that the information in the audit log has not been altered; otherwise its reliability is in doubt.
In computer systems, auditing is carried out using logs that record user actions. If the identification and authentication service is working properly, then these events can be identified with a specific user.
Attack prevention
The audit service cannot resist attacks on its own; it works in conjunction with the other services. It records the actions performed by each identified user, which makes it possible to reconstruct the sequence of events after an attack.
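The two requirements stated above, that every record be tied to an identified user and that the log itself be protected against alteration, can be met with a hash-chained log. The following added example (not from the original article) links each record to the hash of the previous one, so that editing, reordering or deleting any earlier entry breaks every later link; the log lines are constructed for the example. Removal of the most recent entries is only detectable if the head hash is periodically copied somewhere the log writer cannot reach, which the `head()` method supports.

```python
"""Tamper-evident audit log: each record carries the hash of its predecessor.

Added example, not from the original article. Records are constructed.
"""
import hashlib
import json

GENESIS = "0" * 64   # chain anchor before the first record


def _record_hash(prev_hash: str, record: dict) -> str:
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []   # each entry: {"record": {...}, "prev": ..., "hash": ...}

    def append(self, ts: int, user: str, action: str, target: str) -> str:
        """Add a record for an already-authenticated user; return its hash."""
        record = {"ts": ts, "user": user, "action": action, "target": target}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        digest = _record_hash(prev, record)
        self.entries.append({"record": record, "prev": prev, "hash": digest})
        return digest

    def head(self) -> str:
        """Hash of the latest record; store it off-box to detect truncation."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self) -> int:
        """Return the index of the first broken link, or -1 if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or _record_hash(prev, e["record"]) != e["hash"]:
                return i
            prev = e["hash"]
        return -1

    def actions_by(self, user: str) -> list:
        """Reconstruct what one identified user did, in order."""
        return [e["record"] for e in self.entries if e["record"]["user"] == user]


def build_sample_log() -> AuditLog:
    """Constructed sample of a short session (example data only)."""
    log = AuditLog()
    log.append(1700000000, "alice", "login", "workstation-12")
    log.append(1700000042, "alice", "read", "/phi/patient-0042.txt")
    log.append(1700000060, "mallory", "write", "/phi/patient-0042.txt")
    log.append(1700000075, "alice", "logout", "workstation-12")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(log.verify(), log.actions_by("mallory"))
```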
This part of the article examines key legal issues related to information security: the main legislative acts in force in various countries, including the USA, Australia and China, with particular attention to prosecution for computer crimes and to the confidentiality of personal information.
Many legal issues arise in the field of information security, and every country has its own legislation. In the USA, for example, computer crimes are investigated under federal law, in particular the Computer Fraud and Abuse Act (18 U.S.C. § 1030). This statute makes unauthorized access to computers a criminal offense; offenders can be prosecuted when the damage caused exceeds 5,000 US dollars.
The Patriot Act of 2001 significantly amended § 1030. The maximum sentence for a first offense was raised to 10 years and for a repeat offense to 20 years. Prosecution also became easier, since the offense now covers not only breaking into a system but any damage caused to its operation or its data.
Unauthorized use of computer systems to commit crimes is just one of the problems facing information security professionals. In addition, there are issues related to the protection of personal information and the civil liability of organizations in the event of a data leak. Organizations are required to implement appropriate information protection measures to avoid legal consequences and fines in case of violation of confidentiality standards.
Another important problem is inadequate protection of networks from external attacks. If an organization has not provided adequate protection and its systems are used to attack other companies, it may be held liable for failing to meet security standards. This is especially relevant in light of international standards such as ISO 27001.
In different countries of the world, approaches to regulating information security vary significantly. In Australia, for example, unauthorized access to computers is punishable by up to two years in prison. In Brazil, entering false data into information systems and unauthorized modification of such data are considered crimes. Punishments range from fines to imprisonment for up to 12 years.
In India, a person is considered guilty of committing a computer crime if their actions lead to the loss, alteration, or deletion of information in the system. The penalty for such actions can be up to three years in prison.
China has some of the strictest cybersecurity laws. Decree 147 of the State Council of the PRC defines two main categories of computer crimes: the introduction of malicious software and the sale of unlicensed software. Depending on the severity of the crime, both a fine and imprisonment are possible.
A separate issue is network monitoring and data interception. Under US law (18 U.S.C. § 2511), intercepting electronic communications without authorization is illegal. Organizations do, however, have the right to monitor their own networks for security purposes. It is important that such monitoring follows the company's internal policies and is agreed with the legal department.
In order to avoid legal problems, organizations are recommended to inform employees about the possibility of monitoring their network activities. This can be done by adding a corresponding message when logging into the system or by signing appropriate agreements with employees.
Legal issues of information security are a complex and multifaceted area that requires attention from both technical specialists and lawyers. Studying international experience, implementing security standards and constantly updating internal policies will help organizations ensure not only effective information protection, but also compliance with all legal requirements. In the event of questions or incidents related to computer crime, it is important to act together with the legal department and law enforcement agencies.

Today, the issue of protecting personal information on the Internet has become one of the central issues. A similar situation has already been discussed in the context of personal rights of employees, but it is not the only one and requires careful study and resolution. In recent years, governments of various countries, including the United States, have adopted a number of laws to protect privacy in banking and other institutions.
Customer information is not the property of the organization – it belongs to the customers themselves. Organizations must take the necessary measures to protect this information from unauthorized access. This means that the information can only be used in compliance with all confidentiality requirements and exclusively for its intended purpose. In particular, many sites warn users about the possibility of using their data for mailings and provide the opportunity to refuse this.
Particular attention should be paid to access to personal information in the event of a system compromise. Even if the organization has taken every possible protective measure, it should work with its general counsel to analyze the situation and determine the appropriate response.
The Health Insurance Portability and Accountability Act (HIPAA) was enacted on August 21, 1996. This law requires the U.S. Department of Health and Human Services to develop and implement standards for the protection of health information. The main provisions of HIPAA are to standardize the processing of health information, implement unique patient identifiers, and ensure the confidentiality of information.
On February 20, 2003, the U.S. Department of Health and Human Services published the HIPAA Security Rule, which took effect in April 2003. The compliance deadlines set for the covered entities were:
Health plans – April 20, 2005;
Health care clearinghouses – April 20, 2005;
Health care providers – April 20, 2005.
The HIPAA Security Rule contains both required and addressable implementation specifications. The required ones must be implemented by every organization, while the addressable ones may be tailored to the specifics of a particular organization. If an organization decides not to implement an addressable specification, it must document that decision and implement an equivalent alternative measure.
The security rule covers five key areas:
Administrative security measures.
Physical security measures.
Technical security measures.
Organizational requirements.
Policies, procedures and documentation requirements.
The main goal of these measures is to ensure the confidentiality, integrity, and availability of protected health information (PHI) through effective risk management.
HIPAA requires organizations to adhere to the following administrative measures:
Security management: regular risk analysis, development of security policies, monitoring compliance.
Designation of responsible persons: each organization should designate an employee responsible for security issues.
Information access management: definition of authorization procedures, access levels and data modification control.
Staff training: regular updating of employees’ knowledge of security measures.
Emergency plans: the organization should have a disaster recovery and data backup plan.
The physical measures are designed to protect the workstations and servers that handle PHI. Key requirements include:
Control access to server rooms.
Protect workstations used to work with PHI.
Media management: securely delete data before reusing media.
Organizations must implement technical measures to ensure data protection, including:
Access control: providing unique identifiers to users, implementing emergency access procedures.
Audit management: maintaining audit logs and investigating incidents.
User authentication.
Data protection in transit: ensuring data integrity during transmission over the network.
HIPAA also establishes organizational requirements for contracts with business associates. Every such contract must include security provisions that both parties are required to follow.
Each organization must develop policies and procedures to ensure compliance with HIPAA requirements. All documentation must be retained for at least six years. Policies and procedures must be updated regularly to reflect changes in the external environment or operational processes.
The Gramm-Leach-Bliley Act (GLBA), enacted on November 12, 1999, establishes requirements for protecting the confidentiality of customer information in financial institutions. Section 502 of the act prohibits disclosing nonpublic personal information without the customer's consent and requires organizations to protect that data from unauthorized access.
In addition, the GLBA establishes requirements for financial institutions’ information security programs, including:
Development of a comprehensive information security program.
Risk assessment and management.
Training personnel in security measures.
Information access control and physical protection of systems.
Incident response and disaster recovery.
The GLBA requires financial institutions to be careful when selecting third-party service providers who may have access to sensitive information. Organizations must:
Conduct supplier due diligence before awarding contracts.
Require suppliers to comply with security measures.
Monitor supplier activities to ensure compliance.
Protecting personal information is a key task for any organization that works with sensitive data. Complying with regulations such as HIPAA and GLBA, and with security standards such as ISO 27001, minimizes risk and keeps the organization within its legal obligations. Cooperation between the information security department, the legal department and external consultants is critical to implementing security programs successfully and to responding to incidents.