KPETOB.COM

Kretov Nikolai Nikolaevich: Information security of a small organization

If you listen to the news even occasionally, you have probably heard about the theft or destruction of important and confidential information at banks, government bodies and many other organizations. Perhaps you even have a telephone directory on your computer that, as an acquaintance tells it, a good friend Petya, who works at the city telephone exchange, handed over for a bar of chocolate after copying it from the exchange's own computers. These are all holes in the information security of organizations. Unfortunately, the same thing is possible in your organization too.

Don't believe it? Here are a few examples.

On your organization's staff there is a nice guy Kolya, who repairs printers, cleans computers, installs the various programs that are vital for the work, and can even set up 1C Accounting or Kamin from time to time. But he often complains about his low salary, and when, in his opinion, the salary no longer pays for his work, he leaves. A few days later your 1C databases also "leave" into oblivion and, by some unimaginable coincidence, cannot be restored. Worse still, in a fit of what seems to him righteous revenge, Kolya may send the databases to the tax office or post them somewhere on the Internet, and many economics students will get an excellent opportunity to practise drawing up balance sheets of every kind using your company as the example.

It also happens that the nice guy Kolya does not complain about his salary at all and works tirelessly, but one fine day a few gentlemen of fortune open the door and carry off all the property your organization has acquired through overwork (computers included), and your accountants swallow Validol by the handful, realizing that a report for the tax office cannot be assembled from scraps of paper. And if there is a fire in your organization (God forbid!), not even the paper will be left. Surely, having read all of the above, you thought: "Well, that is just bad luck, what can you do about it?" or "Yes, yes! We will definitely look at how things stand with us, but next week." And a day later something happens that destroys your information, and you are ready to tear your hair out, but, as they say: "Too late, my friend!"

Grim pictures, aren't they? If you know all this from your own experience or that of friends, and have drawn the appropriate conclusions, you are in luck: your risk of losing information is, as they say, minimized. With those gentlemen and ladies who have not yet run into such troubles (touch wood), I want to share my experience.

So, it is time to consider practical methods of dealing with the dangers that threaten us. First. You need a normal, sane system administrator (for brevity, simply "the sysadmin" from here on). It is highly desirable to make enquiries at the previous workplaces of the person applying to be your sysadmin. He may be, as they say, as wise as Solomon and a jack of all trades, yet be a rogue with a taste for work on the side, for example passing data about your organization to your competitors, which causes your organization direct damage. From my experience (it may seem paradoxical to you, but it is a fact) I can recommend looking for a sysadmin among undergraduate students of technical universities. As a rule, there are three or four "bright heads" among them, from whom you can choose a person quite capable of coping with the administrative tasks of an organization in its early stages. Besides, many senior students, at the start of their careers, have not yet been "worn down by life", are not burdened with families and strive for something new. And the desire for something new is an important quality in a sysadmin, because the software he has to work with changes very quickly.

In the employment contract (or another document, for example a service contract), it is imperative to stipulate the sysadmin's liability for unlawful actions against your information. Of course, the Criminal Code of the Russian Federation has the relevant articles on this subject: Chapter 28, "Crimes in the field of computer information", contains three of them, "Unlawful access to computer information" (Article 272), "Creation, use and distribution of malicious computer programs" (Article 273) and "Violation of the rules for operating computers, computer systems or their networks" (Article 274). But a mention of liability in the contract would not be superfluous: if a person knows that he is directly (and preferably financially) responsible for something, he will think ten times before doing something wrong.

Naturally, with the above requirements, the sysadmin's pay should be adequate. At the very least, not a cleaner's wage. Be prepared to pay your sysadmin like a good accountant.

In addition, it is highly desirable to stipulate in the employment contract that all software, and the source code for it, that your sysadmin develops for the organization's needs during his employment is the property of the organization. You need this clause in case your sysadmin decides to quit: it will be much easier for a new person to take over the old sysadmin's affairs, and that in turn lets your company work without information-technology failures. The clause is only useful if the practical side is in place as well: a description of the network and servers, and the administrative passwords, should be kept where you, and not only the sysadmin, can reach them.

Remember! A good sysadmin is your left hand, if not your right, in running the company. He can help a great deal in critical and even in everyday situations. Listen to his opinion! If the sysadmin is stupid, lazy and does not strive to develop, expect trouble!

Second. Together with your sysadmin, you need to draw up some kind of internal technical regulation, which must be followed strictly. At a minimum it should include the following sections:

  • The procedure for backing up important and critical information
  • The procedure for verifying backups and restoring information in case of emergency
  • User rights policy

Why do you need this? Let us go through the points.

The backup procedure should regulate when, how and where to back up the databases that hold the information the organization needs in order to function. For example, every Friday at 17:00, after the accountants have finished work, you take a portable hard drive or a large-capacity flash drive out of your fireproof safe, and your sysadmin, using the programs named in your "regulation", backs up the databases from your servers or workstations onto it. There are plenty of backup programs now, and your sysadmin is quite capable of choosing which one to use. Whichever it is, the regulation should name the program, the exact list of what is copied (the 1C databases and whatever else the organization cannot work without) and the schedule, so that a missed or incomplete copy is a visible breach of the regulation rather than a matter of memory.

The drive to which backups are made should be private: kept only by you, preferably in a fireproof safe, or at any rate out of reach of all your employees. Remember! In an emergency this is the only thing that can save you from a great deal of trouble. The drive should be in the sysadmin's hands only while a backup or a restore is being made. You may ask: "Why not give the sysadmin access to it?" Because you can never see into another person's soul, and however good your sysadmin is, one night, angry for some reason at the whole world or at you in particular, he could ruin both the main database and its backup copy. Then you would be left with nothing! The same logic applies to any backup that sits on the network where the sysadmin's account can reach it: a copy the administrator can delete is not a last line of defence.

So the copies are made. What next? Next, your regulation must provide a procedure for verifying the backups and restoring from them. What for? Who will guarantee that your sysadmin did not just drink coffee, but conscientiously did what he was supposed to do? To find out, carry out a trial restore from your drive (on another computer, of course) and, if this is accounting data, ask the accountant to check the balances as of the date the backup was made. If the balances match, the sysadmin is on the ball. Otherwise the sysadmin should be punished for negligence. Remember! Without such reconciliations (once a month, say) you may find that the sysadmin reports that all is well, yet at the critical moment he can do nothing.
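The two steps above, the copy onto the removable drive and the trial restore that proves the copy is usable, can be automated so that "everything is in order" is a checked fact rather than the sysadmin's word. The script below is an added example, not the author's code or any particular backup product: it packs a directory of databases into a tar.gz archive on the removable drive, writes a SHA-256 manifest of every file, and then performs the trial restore by extracting into a scratch directory (on whatever machine the check is run) and comparing every restored file against the manifest. The paths, the "1Cv8.1CD" file name and the sample data in demo_roundtrip() are constructed for the demonstration; the damaged-archive case shows that a truncated copy is reported as a failure instead of passing silently.

```python
"""Backup to removable media with a built-in trial restore (added example)."""
import hashlib
import os
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large database files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source, dest_dir, label):
    """Pack `source` into dest_dir/backup-<label>.tar.gz and write a SHA-256 manifest."""
    source, dest_dir = Path(source), Path(dest_dir)
    archive = dest_dir / f"backup-{label}.tar.gz"
    manifest = dest_dir / f"backup-{label}.sha256"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(source), arcname="data")
    lines = [f"{sha256_of(p)}  {p.relative_to(source).as_posix()}"
             for p in sorted(source.rglob("*")) if p.is_file()]
    manifest.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return archive, manifest


def _safe_members(tar):
    """Refuse archive entries that would write outside the scratch directory."""
    for member in tar.getmembers():
        parts = Path(member.name).parts
        if member.name.startswith("/") or ".." in parts or member.issym() or member.islnk():
            raise ValueError(f"unsafe archive entry: {member.name!r}")
        yield member


def verify_backup(archive, manifest):
    """Trial restore: extract into a scratch directory, compare every file with the manifest.

    Returns (ok, problems). A damaged or truncated archive yields ok=False
    instead of raising, so the check can run unattended and be logged."""
    expected = {}
    for line in Path(manifest).read_text(encoding="utf-8").splitlines():
        digest, name = line.split("  ", 1)
        expected[name] = digest
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(str(archive), "r:gz") as tar:
                tar.extractall(scratch, members=_safe_members(tar))
        except (tarfile.TarError, EOFError, OSError, ValueError, zlib.error) as exc:
            return False, [f"archive unreadable: {exc}"]
        root = Path(scratch) / "data"
        restored = {p.relative_to(root).as_posix(): sha256_of(p)
                    for p in root.rglob("*") if p.is_file()}
    problems = []
    for name, digest in expected.items():
        if name not in restored:
            problems.append(f"missing: {name}")
        elif restored[name] != digest:
            problems.append(f"corrupt: {name}")
    problems += [f"unexpected: {name}" for name in restored if name not in expected]
    return not problems, problems


def demo_roundtrip():
    """Constructed demo: a fake 1C directory, a fake removable drive, then a damaged copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "server" / "1c_bases" / "firm"
        src.mkdir(parents=True)
        (src / "1Cv8.1CD").write_bytes(os.urandom(4096))  # stand-in for a database file
        (src / "readme.txt").write_text("constructed sample\n", encoding="utf-8")
        usb = Path(tmp) / "removable"
        usb.mkdir()
        archive, manifest = make_backup(src.parent, usb, "2009-07-03")
        good, good_problems = verify_backup(archive, manifest)
        # Simulate a damaged copy on the removable drive: keep only half the bytes.
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        bad, bad_problems = verify_backup(archive, manifest)
    return good, good_problems, bad, bad_problems


if __name__ == "__main__":
    print(demo_roundtrip())
```

The manifest is written from the live files, not from the archive, so it catches both a bad copy and a backup program that silently skipped an open database file; the hash comparison is the mechanical half of the check, and the accountant's reconciliation of balances in the restored copy remains the other half, since a faithful copy of a database that was already corrupt still verifies.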

It is also good practice, after a successful check, to burn a copy of the restored database to CD/DVD. These discs, like the portable drive, must be kept in your safe. As the discs accumulate they can be destroyed; in the author's experience, discs a year old or older can be destroyed if they hold no information that may be needed in the future. The destruction of information must also be covered by your "Regulation" and strictly observed. That is, do not simply take a disc or a floppy and throw it in the bin, handing a competitor data about your organization; burn it or cut it into several pieces. A retired hard drive or flash drive deserves the same treatment: wipe it completely or destroy it, because deleting the files or formatting it leaves the data recoverable. It makes sense to forbid all employees from throwing discs, floppies and even papers with any information into the bin without first cutting them up or passing them through a shredder. After all, if an attacker finds a floppy or other medium with your organization's information, even Article 272 of the Criminal Code (unlawful access to information) will not apply to him: he merely found it, and you merely threw it away. And your competitors do not sleep!

Backups are dealt with. Is that all? No! There is another threat, and this time it comes from the computer users. If users are allowed to roam the local network uncontrolled, and even more so the Internet, then databases will have to be "lifted" from backup, as sysadmins put it, on a regular basis. Why? Because users can freely delete files belonging to other users, can bring a virus from the Internet into your network, and can at last see how the payroll clerk calculated the salaries and who was paid how much, with a discussion of salaries in the smoking room to follow. In my practice there was a case where accountant A made entries for accountant B, and accountant B, who was not in that day, was fired under an article of the labour code, because the transactions on the accounts had been carried out under accountant B's name. Unpleasant, isn't it? That is why each user must have a unique name, and the user must choose a password for access, which he (and only he) must change regularly (once a month is enough) and must not write on a piece of paper tucked under the keyboard. The password must be "strong": even an inexperienced attacker will guess a password like 211281 (a date of birth) in a couple of minutes, whereas nobody will guess "zgxv$123" at the login prompt. Bear in mind, though, that this protects against guessing at the prompt, which the sysadmin should in any case limit with a lockout after a few failed attempts; against an offline attack, where the attacker has obtained the password hashes and tries guesses on his own hardware, eight characters of mixed letters, digits and symbols can be exhausted in hours to days today, so a longer password is better still.

You may object: how can one remember such a meaningless jumble of letters and digits? I recommend the following method. Take any rhyme you remember from childhood, for example "От улыбки станет всем светлей" ("From a smile it will get brighter for everyone"). Type the first letters of its words with the English keyboard layout switched on, so that each Russian letter becomes the Latin character on the same key, and you get a string like "jecdc". Pad the password to seven characters, for example with the digits 12. Add a $ or # sign as well, and you get a password like "jecdc12#", which nobody will guess and which you will not forget. How long it withstands offline cracking depends mainly on its length, so a longer line of the rhyme gives a stronger password. And since the method is described here, pick a rhyme of your own rather than the first line of a famous song, and never use the example password itself.
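The mnemonic above and the "strong password" rule from the previous paragraph, as an added example that is not the author's code: mnemonic_password() takes the first letter of each word of a Russian phrase and looks up the Latin character on the same physical key (the standard ЙЦУКЕН-to-QWERTY mapping is assumed), so "От улыбки станет всем светлей" becomes "jecdc"; check_password() rejects the weak patterns the article warns about (too short, too few character classes, a six-digit date like 211281, a handful of well-known passwords) and estimates the size of the search space; crack_seconds() turns that into a worst-case time at an assumed guessing rate. The thresholds, the tiny common-password list and the rate of 10^10 guesses per second are assumptions made for this demonstration.

```python
"""Password strength check and the "first letters of a rhyme" mnemonic (added example)."""
import math
import re
import string

# QWERTY character printed on the key that carries each Russian letter of the
# standard ЙЦУКЕН layout (lower case; Ё shares the backtick key). Assumed layout.
_JCUKEN_TO_QWERTY = dict(zip(
    "йцукенгшщзхъфывапролджэячсмитьбюё",
    "qwertyuiop[]asdfghjkl;'zxcvbnm,.`",
))

_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
            string.digits, string.punctuation)
_COMMON = {"1", "123", "123456", "password", "qwerty", "admin"}  # constructed, tiny list


def mnemonic_password(phrase, suffix=""):
    """First letter of each word, typed with the English layout on: 'От улыбки...' -> 'jecdc'."""
    initials = [word[0].lower() for word in phrase.split()]
    return "".join(_JCUKEN_TO_QWERTY.get(ch, ch) for ch in initials) + suffix


def looks_like_date(pw):
    """DDMMYY or DDMMYYYY with a plausible day and month, e.g. a birthday such as 211281."""
    m = re.fullmatch(r"(\d\d)(\d\d)(\d\d|\d{4})", pw)
    return bool(m) and 1 <= int(m.group(1)) <= 31 and 1 <= int(m.group(2)) <= 12


def search_space_bits(pw):
    """log2 of the number of strings of this length over the character classes it uses."""
    size = sum(len(cls) for cls in _CLASSES if any(ch in cls for ch in pw))
    return len(pw) * math.log2(size) if size else 0.0


def check_password(pw, min_len=8, min_classes=3):
    """Return {'ok', 'problems', 'bits'}; problems lists every policy rule the password breaks."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    used = sum(1 for cls in _CLASSES if any(ch in cls for ch in pw))
    if used < min_classes:
        problems.append(f"only {used} character class(es), need {min_classes}")
    if looks_like_date(pw):
        problems.append("looks like a date (DDMMYY)")
    if pw.lower() in _COMMON:
        problems.append("in the common-password list")
    return {"ok": not problems, "problems": problems,
            "bits": round(search_space_bits(pw), 1)}


def crack_seconds(pw, guesses_per_second=1e10):
    """Worst-case time to exhaust the search space; 1e10/s is an assumed round figure
    for an offline attack on a fast, unsalted hash."""
    return 2 ** search_space_bits(pw) / guesses_per_second


if __name__ == "__main__":
    rhyme = mnemonic_password("От улыбки станет всем светлей", "12#")
    for pw in ("211281", "zgxv$123", rhyme):
        print(pw, check_password(pw), f"{crack_seconds(pw) / 3600:.1f} h")
```

Run as a script it shows the contrast the article draws: the six-digit date is rejected on three counts and falls in a fraction of a second, while "jecdc12#" passes the policy and its roughly 49-bit search space takes on the order of half a day at the assumed offline rate, which is the reason for preferring a longer rhyme.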

In addition, your sysadmin must separate users by access rights (he knows how), giving each access only to the directories (folders) on your server that his work requires, closing the Internet to everyone who does not need it (the Internet is now a hotbed of viruses) and opening it to those who do. The same rule applies to the sysadmin himself: an ordinary account for everyday work and the administrator account only when the task demands it. All of this should be written down in your "User Rights Policy". Remember! It is very important that your users log in to the computer's operating system (the same Windows) and to the various programs (where they have such a function) under their own names and with their own passwords. Do not allow employees to use other people's passwords or user names. Respond to the sysadmin's reports about employees using someone else's user name with disciplinary measures. Only with strict observance of the policy on user names and passwords is it possible to establish quickly who, how and when damaged particular files, documents or databases. These measures simplify the recovery of damaged data and reduce downtime when the organization's information systems fail. If all employees log in to every program as "Administrator" with the password "1", the culprits of failures and errors will never be found!

Third. Never store electronic digital signature (EDS) keys, passwords for Bank-Client systems, bank card details, or the programs for submitting data to the Federal Tax Service and other bodies on the hard drives of your computers. You do not want to see zeros in your accounts one fine day? I think not. Therefore all such critical information must be kept on a removable medium (for example, a personal flash drive) in your personal safe. NOBODY but you should have access to this medium. Besides the risk of employees of your organization using your EDS or your password to transfer money through the Bank-Client system (by malicious intent or by mistake), there is the possibility of these data being stolen by viruses or other programs that reach your computer via the Internet. In the latter case you may learn that the money was written off your accounts yesterday, and even attempts to find out who did it will come to nothing. The tragedy is compounded by the fact that the bank will execute the transfer order, since the correct password or correct EDS was presented, and it will be impossible to prove that it was not you who entered them. Bear in mind that the medium is protected only while it is in the safe: the moment it is plugged into an infected computer, the keys on it are as exposed as if they were on the hard drive, so the computer used for Bank-Client deserves the strictest of the rules above (no Internet browsing, no other users). The same requirements apply to the EDS of the accountants who work with the bank, the Federal Tax Service and other counterparties: the accountants must have personal media for information of this kind.

At the slightest suspicion that someone could have learned even part of a password, or could have used the EDS medium even for a second (even merely held it), block it immediately and then change the passwords or the EDS.

Fourth. Use licensed software. Saving on software can lead both to the risk of prosecution and to unlicensed software becoming a source of damage to your data or of its transfer to attackers on the Internet (people who "free" software do not do it purely for the love of the art). As for which software, your sysadmin will tell you what is needed to keep your organization running. At a minimum, besides the programs for the employees' main work, every workstation and server without exception must have a licensed operating system with the latest set of updates and a licensed antivirus with the latest virus databases installed. At the same time, try to avoid newfangled "trinkets", because untested programs are, as a rule, unstable and can damage your data.

These are just a few, but important, recommendations based on the author's experience as a system administrator and as head of system administration in various organizations. Heed them, and even if something does happen to your data, the incident will not be a disaster.

P.S. As this article was being written, the author, at a friend's request, had to deal with the aftermath of a fire in one organization, just before the New Year. They strictly observed the requirements listed above and made backups, but... once every six months. No, earlier they had done everything properly, once a week, but since nothing terrible happened, the organization waved its hand and relaxed. There was a fire; all the paper reporting burned, including the payroll records and the inventory accounting. And at the beginning of the year, as many accountants know, reports to the Federal Tax Service are due...

Unfortunately, the server's hard disk could not be recovered. And the backup that was restored was dated July 3, 2009.