Protection of information from insiders using software tools. Methods of dealing with insiders

The more successfully external cyber threats are contained, the more decisively internal threats come to the fore; by some statistics they account for more than 70% of all security incidents. This article summarizes the experience of a Russian systems integrator in building integrated systems to prevent leaks of confidential information; such systems are vital to the operation of many modern enterprises and organizations. Companies use a whole arsenal of means to control employees: they read e-mail, listen in on telephone conversations, install surveillance cameras and monitor which websites are visited. Are such actions legal? Confidential information and personal data are now processed in the automated systems (AS) of almost any enterprise, and naturally such information must be protected. But how should it be protected, how do the protection tools for a home computer differ from those for corporate systems, and which information-protection tasks must be solved together to protect confidential information effectively? No one is immune from sabotage of the IT infrastructure. Any employee can take offense at management or colleagues on the most trifling occasion and then commit real sabotage: destroy information that is critical for the company, send obscene letters to its clients, and so on. The damage can range from a spoiled working climate to direct losses in the millions. Business concerns about internal IT security and the protection of information assets are constantly confirmed by research from leading organizations.

According to the 2005 FBI Computer Crime Survey, published in January 2006, 44% of US companies suffered serious internal IT security incidents during the year: insiders stole confidential documents of the employer, tried to distort information for the purpose of financial fraud, removed office equipment, and so on. Several detection technologies underlie today's market for systems that protect confidential information from leaks (DLP): linguistic and contextual analysis, digital fingerprints and tags. Many employees of commercial organizations are familiar with one manifestation of corporate control: the tapping of office telephones. Usually the security service of a large or medium-sized organization does this on behalf of management, and the eavesdropping may be overt or covert. How can one determine which current employees and applicants cause, or may cause, damage to the organization's interests? How can one identify potential alcoholics, people prone to theft and those who will never be productive at work? After all, any of them may become employees of your company, and getting this right is no easy task. This article discusses the role of the human factor in the security of an organization, some potential sources of personnel risk and measures to protect the organization from them. In recent years the protection of corporate information from internal threats has grown from a fashionable trend among selected companies into an independent branch of information security. Top managers are gradually reconsidering their attitude to financing it and view protection against internal threats not only as a cost item but as a competitive advantage. Many organizations have dedicated teams and departments that protect trade secrets, personal data and other confidential information.

The value of information as a component of any business can hardly be overestimated: according to experts, losing just a quarter of the information classified as a trade secret leads, within a few months, to the bankruptcy of half of the organizations that leaked it. In information technology more than anywhere else, a company's success is often built entirely on good know-how, a technological move, a marketing strategy or even just an original idea, and the most valuable information about these decisions, moves and ideas exists in the minds of the company's employees. That repository is far from the most reliable when it comes to protecting confidential information from unauthorized or unwanted access by third parties, or from its unfair use by the employee himself, for example to create a competing product of his own. Below we discuss how an employer can control the dissemination of commercially important information inside and outside the company, how the employee's rights can be respected, what compensation he should receive for the restriction of those rights, and what liability he bears for disclosing his employer's secrets. "Let this cup pass from me!" We utter this secret spell at various moments of our lives, driving away the most unpleasant thoughts: on a trip to a pickpocket-infested clothing market, or on a late return home. We do not feel safe, sometimes even in our own apartment; police reports read like a chronicle of hostilities. According to statistics, a burglary happens every 3.5 minutes in Russia, and the intruders usually go undetected. But can such a misfortune be prevented?

Specialists of the Promet company, a leading supplier and manufacturer of domestic safes and metal furniture, answer this question quite definitely: a safe will be reliable protection for your savings. Recently the problem of protection against internal threats has become a real challenge to the clear and well-established world of corporate information security. The press talks about insiders, researchers and analysts warn of possible losses and troubles, and news feeds are full of reports of yet another incident in which hundreds of thousands of customer records leaked because of an employee's mistake or inattention. Let us try to work out whether this problem is really so serious, whether it should be addressed, and what tools and technologies are available to address it. More and more organizations now use DLP (Data Loss Prevention) solutions to protect corporate information from leaks. Before implementing DLP, a company assesses risks and builds a threat model that describes the classes of protected information, the data usage scenarios and the associated threats. In most cases external drives, printers, corporate mail and various web services are recognized as potential leakage channels, while few think about protecting the data recorded on magnetic tapes or other backup media, which as a result is stored and transported in unprotected form. When studying the information security of enterprises and the effectiveness of the measures being implemented in the corporate information systems (CIS) of banks, one cannot help noticing a survey conducted in 2011 by Sailpoint Technologies, which looked at the problem from an angle somewhat different from the definitions of "computer protection from unauthorized access" and "unauthorized access to computer information": the analysts assessed the loyalty of employees to corporate ethics in terms of how they handle restricted information.

Today the insider threat is a pressing issue for corporate security services. Organizations give their temporary and permanent employees access to critical information, which in itself poses a serious threat to security: it is easier for staff than for anyone else to steal or misuse information, since they have direct access to the organization's information assets. According to a Trustwave study, 80% of information security incidents result from the use of weak passwords. Insiders were the main cause of recent incidents at the Department of Health in Utah and in South Carolina. Password authentication in the information systems of enterprises and organizations is becoming obsolete; by continuing to apply this traditional access technique to their own information resources, companies are putting the profitability and possibly the very existence of the enterprise at risk. Sooner or later almost every organization comes to understand that it needs reliable protection of corporate information, and one of the most effective ways to protect data is to install a DLP system. In most cases the organization justifies its decision by the fact that these systems reliably protect confidential information and allow it to meet the requirements of regulators. Countless lances have been broken in the debate over whether insiders pose a real threat to business. The banking sector, being at the forefront of modern technology, has always been among the first to test the latest innovations in IT and in information security in particular: two-factor authentication, biometric systems and more. All of this has found a home where practical people prefer to keep their savings. But our Slavic mentality is such that nothing is done "until the thunder breaks". So let us dispel the main myths that are still found in the banking sector.

Over the past couple of years the "Big Three" mobile operators have twice been seriously embarrassed over SMS messages. The first time Yandex "helped", and that leak can in principle be classed as negligent. But this time the Federal Security Service announced that it had uncovered a group of intruders who had obtained archives of the SMS correspondence of three high-ranking Moscow officials from employees of MTS and VimpelCom; VimpelCom then confirmed the leak, while MTS denied it. Leaving the search for the culprits to the investigation, note the substance of the case: unidentified employees of the operators' technical centres passed confidential information to third parties. In the language of security, these were the actions of insiders. Preventing leaks and unauthorized access is one of the most important tasks of the information security service of any organization. Where there is confidential information (state or commercial secrets, personal data), there is the problem of protecting it from theft, deletion, modification and viewing. As a company grows, the risk of information theft, including by employees, grows with it, as do the financial and reputational risks, which leads to tighter policies and control systems. Information today is of great value: possessing it opens tremendous opportunities in business, the economy, politics and other fields. No wonder they say that whoever owns information owns the world, and whoever owns someone else's information is far better prepared for competition than his rivals. Many file formats store text: TXT, RTF, DOC, DOCX, HTML, PDF and others. Yet no company, in Russia or elsewhere, has offered protection for XML documentation.

Let us take a closer look at what XML files are, why they need protecting, and how protection for this format was first created.

With the ubiquity of all kinds of removable drives, the insider problem, which was serious enough before, has become truly global. There is nothing surprising in this: today any employee with access to confidential information can easily and, most importantly, discreetly copy it and use it later for any purpose. It is still the better case when the motive is simply a wish to work on contracts at home; even then, whatever the intentions, the action sharply raises the risk of data compromise (home computers are usually less protected, other people use them, and the drive itself can be lost). But an employee may also copy information in order to pass it to competitors or to use it for personal ends. The simplest and most obvious example is copying the customer base (or the contracts with customers) before leaving, in order to lure those customers to another company.

The main problem is that the tools built into the operating systems give little defence against this form of theft. (Later Windows versions do ship a Removable Storage Access group policy, but it works only per device class: it cannot permit one specific drive by serial number, it keeps no copy of what was written, and a local administrator can simply switch it off.) Take USB flash drives: they are tiny, cheap and very capacious, and with them employees can quietly carry gigabytes of information out of the corporate information system. Yet you cannot simply disable the USB ports on workstations; today they are needed to connect printers, keyboards, mice, software licence keys and so on. Nor should other ways of stealing information be forgotten: CDs and DVDs, mobile phones and the like. Even an ordinary printer can become a threat, since an employee can print confidential information and take the printouts home. And none of these devices can simply be switched off either, because employees usually need them to perform their duties.
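For comparison with what a dedicated product has to add, here is the coarse control that Windows itself offers, written as the registry values behind the Removable Storage Access group policy. This is an example added by the editor, not part of the original article and not Zlock code; the device-class GUIDs are the ones the policy template uses, and the "documents may come in, nothing goes out" baseline at the end is an assumed policy choice.

```powershell
# Added example (not from the original article, not Zlock): the built-in Windows device-class
# control, as the registry values that Group Policy writes under
# Computer Configuration > Administrative Templates > System > Removable Storage Access.
# Run in an elevated PowerShell 5+ on a workstation; in a domain push the same keys through a GPO.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device-class GUIDs used by that policy template
$storageClass = @{
    RemovableDisk = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # USB flash drives, external HDDs
    CdDvd         = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
    Floppy        = '{53f56311-b6bf-11d0-94f2-00a0c91efb8b}'
    Tape          = '{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}'
}

function Set-RemovableStoragePolicy {
    # Writes Deny_Read / Deny_Write / Deny_Execute for one device class. A switch that is not
    # given is written as 0, so an older, stricter setting is never left behind by accident.
    param(
        [Parameter(Mandatory)][string]$ClassGuid,
        [switch]$DenyRead,
        [switch]$DenyWrite,
        [switch]$DenyExecute
    )
    $key = Join-Path $policyRoot $ClassGuid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $values = @{
        Deny_Read    = $DenyRead.IsPresent
        Deny_Write   = $DenyWrite.IsPresent
        Deny_Execute = $DenyExecute.IsPresent
    }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $key -Name $name -Value ([int]$values[$name]) -PropertyType DWord -Force | Out-Null
    }
}

function Get-RemovableStoragePolicy {
    # Reads the settings back so a compliance script can audit them
    foreach ($class in $storageClass.Keys) {
        $p = Get-ItemProperty -Path (Join-Path $policyRoot $storageClass[$class]) -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Class       = $class
            DenyRead    = [bool]$p.Deny_Read
            DenyWrite   = [bool]$p.Deny_Write
            DenyExecute = [bool]$p.Deny_Execute
        }
    }
}

# Assumed baseline: documents may be brought in, nothing may be written out, nothing may run from a stick
Set-RemovableStoragePolicy -ClassGuid $storageClass.RemovableDisk -DenyWrite -DenyExecute
Set-RemovableStoragePolicy -ClassGuid $storageClass.CdDvd -DenyWrite          # no burning; reading stays allowed
Get-RemovableStoragePolicy | Format-Table -AutoSize
```

A reboot is the safe way to make sure the storage class drivers pick up the change. Note what this cannot do, which is exactly the gap the rest of the article is about: there is no way to allow one inventoried drive and deny the rest, no record of which files were written, no control over printers, and anyone with local administrator rights can delete the keys between Group Policy refreshes.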

The only way to protect a company from theft of confidential information via removable drives is to implement a system that restricts and monitors their use. It is implemented with special software. Many companies believe that such products are very complex and that special qualifications are needed to implement and maintain them. That is not the case: a system for controlling access to a computer's external and internal devices is simple enough that not only a qualified administrator but even an experienced PC user can handle it. To back up these words, we will walk through the deployment of the Zlock product from SecurIT in a corporate information system. Note that Zlock cannot protect against leakage over the Internet (by e-mail, ICQ and so on); that requires products with a completely different principle of operation (for example, Zgate from the same developer). But Zlock handles the control of all kinds of removable drives and printers successfully.

Zlock structure

Before discussing the installation procedure, it is necessary to understand the structure of the system. Zlock consists of five parts.

· Management Console. The program from which the administrator performs all system management: installation on workstations, changing access policies, working with the log and configuration servers, and so on.

· Client module. A utility installed on workstations. It is the component that monitors and blocks access in accordance with the assigned policies; it also reports to the log server, checks the integrity of Zlock, and so on.

· Log Server. Receives, stores and processes the event information sent by the client modules, and gives the administrator convenient access to all of it.

· Configuration Server. Centralized management of the Zlock configuration.

· Zlock Configuration Module via Group Policy. A module for installing and updating the system through group policies.

First, decide which modules go where. The management console obviously belongs on the computer of the administrator or of the employee responsible for the company's information security. Installing it is no different from installing any other software, so we will not dwell on it.

The log server and the configuration server are, strictly speaking, not required: Zlock can do its job without them. However, the log server is very convenient for viewing the events of all workstations in one place, and the configuration server is indispensable in large corporate networks, where it makes managing the settings of client modules on many workstations easy. Both are again installed like ordinary software, locally, from the distribution package supplied with Zlock.

The final stage is the installation of the client modules on every computer that needs to be controlled. This can be done in two ways (for obvious reasons we do not consider manual installation). The first uses the management console. After it starts, the left pane of the main window shows several groups. Find and open the "Computers and Applications" tree, then the "No Applications" branch: it lists all computers in the local network on which Zlock is not yet installed.


To start installing the client parts, the administrator selects the target computer or computers (an entire domain can be selected) and clicks the "Install or update Zlock ..." button on the toolbar. In the window that opens, specify the folder with the program's distribution package (the best option is a network share that all users can read but only administrators can write to, so that nobody can replace the installer) and choose the installation mode. There are three: with manual reboot, with forced reboot, and without reboot. Note that the last and most convenient mode cannot be used to update client parts that are already installed. Finally, select the PCs on which the installation will be carried out (perhaps you do not want Zlock on every computer in the network) and specify an account with local administrator rights; if that account turns out to lack the rights, the program will ask for another one.

Another way to deploy the protection system on corporate workstations is through group policies, for which Zlock comes with a special installation package. The procedure is familiar to almost every system administrator. First, create a network share, copy the Zlock30.msi and Zlockmsi.ini files to it, and make it readable by all domain users (read-only, for the same reason as above). If you already have a configuration file, place it in the same directory; it will then be applied automatically to all installed client modules. If there is no such file, the system applies the default policy, which will have to be configured later.

Then, in the properties of the corporate domain (opened through the Active Directory console), go to the "Group Policy" tab and create a new policy. In that policy expand the "Computer Configuration" tree, select "Software Installation" and create a new package, specifying in its properties the network path to Zlock30.msi. As a result, Zlock is installed using the standard tools of the OS.

Configuring Access Policies

Perhaps the most important operation in implementing Zlock is setting up access policies, which determine what every user may do with particular devices. Each policy has three parts: a list of devices or device groups, each with access rights for different users; the settings for shadow copying of files copied to various drives; and the settings for shadow copying of documents sent to printers. In addition, each policy has several extra properties, discussed below.

Policies work as follows. Each workstation is assigned one or more policies by the administrator. When an event monitored by the protection system occurs (a device is connected, a file is copied to a removable drive, a document is printed, and so on), the client module checks it against all policies in turn, in the order set by their priorities, and applies the first one that matches. In other words, Zlock has no separate mechanism of exceptions. If, for example, you need to ban all USB flash drives except one specific drive, you need two policies: one with a lower priority that forbids removable drives, and one with a higher priority that allows the particular drive. Besides the policies created by the administrator there is a default policy, which defines the access rights to devices not described in any other policy.
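The first-match-by-priority rule is easy to get wrong when a policy set grows, so it helps to model it before pushing policies to workstations. The following is an example added by the editor, not Zlock's own code: a small evaluator with the same semantics (highest priority first, first match wins, default policy last), run over an assumed device list. The device fields and the serial number are invented for illustration.

```powershell
# Added example (not Zlock code): a model of first-match-by-priority policy evaluation,
# used to predict what a policy set does and to find policies that can never fire.
function Resolve-DeviceAccess {
    param(
        [Parameter(Mandatory)]$Device,
        [Parameter(Mandatory)][object[]]$Policies,
        [string]$DefaultAccess = 'Full'     # the built-in default policy covers whatever nothing else names
    )
    foreach ($policy in ($Policies | Sort-Object -Property Priority -Descending)) {
        if (& $policy.Match $Device) {
            return [pscustomobject]@{ Device = $Device.Name; Access = $policy.Access; DecidedBy = $policy.Name }
        }
    }
    [pscustomobject]@{ Device = $Device.Name; Access = $DefaultAccess; DecidedBy = 'default policy' }
}

function Find-UnusedPolicies {
    # Given a device catalog, reports policies that decide nothing for any catalogued device
    param([object[]]$Policies, [object[]]$Catalog)
    $used = $Catalog | ForEach-Object { (Resolve-DeviceAccess -Device $_ -Policies $Policies).DecidedBy }
    $Policies | Where-Object { $_.Name -notin $used } | Select-Object Name, Priority
}

# "Ban all USB flash drives except one specific one": two policies, the exception ranked higher
$policies = @(
    [pscustomobject]@{ Name = 'Deny removable drives'; Priority = 10; Access = 'Deny'
                       Match = { param($d) $d.Class -eq 'RemovableDisk' } }
    [pscustomobject]@{ Name = 'Allow the inventoried accounting stick'; Priority = 20; Access = 'ReadOnly'
                       Match = { param($d) $d.Class -eq 'RemovableDisk' -and $d.Serial -eq '4C530001230511119083' } }
)

# Assumed device catalog (serials invented)
$devices = @(
    [pscustomobject]@{ Name = 'Accounting stick'; Class = 'RemovableDisk'; Serial = '4C530001230511119083' }
    [pscustomobject]@{ Name = 'Unknown stick';    Class = 'RemovableDisk'; Serial = 'AA04012700013247' }
    [pscustomobject]@{ Name = 'USB mouse';        Class = 'HID';           Serial = $null }
)
$devices | ForEach-Object { Resolve-DeviceAccess -Device $_ -Policies $policies } | Format-Table -AutoSize
# Accounting stick -> ReadOnly (exception), Unknown stick -> Deny, USB mouse -> Full (default policy)

# The classic mistake: give the exception the lower priority and the deny rule shadows it forever
$shadowed = $policies | ForEach-Object { $c = $_.PSObject.Copy(); $c.Priority = 30 - $c.Priority; $c }
Resolve-DeviceAccess -Device $devices[0] -Policies $shadowed        # -> Deny, decided by 'Deny removable drives'
Find-UnusedPolicies -Policies $shadowed -Catalog $devices          # -> 'Allow the inventoried accounting stick'
```

Run Find-UnusedPolicies against the device catalog described further below every time policies are edited: a policy that no catalogued device ever reaches is almost always a priority mistake rather than an intentional spare.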

Now let us look at how a policy is created. Select the workstation in the management console tree and connect to it, then choose "Add" in the "Policy" menu. The resulting window has five tabs. The first, "Access", holds the name of the new policy, its priority and the access rights to devices. Four options are available: full access for all users, read-only access for all users, access denied for all users, and individual access rights for users and groups. The purpose of the first three is clear from their names. The last one deserves a separate mention: with it you can set different rights for individual users, which is very convenient, since different employees often work on the same computer. To enter the rights, click "Edit" and, in the window that opens, add the necessary accounts (local or domain) and define the permissions for each of them.

After the basic settings, you must specify the list of devices and groups that the policy covers, on the "Devices" tab. Equipment can be added to Zlock in several ways:

· Typical devices. Selects all devices of a certain type, for example all removable drives, CD/DVD drives, hard drives, etc.

· A USB device with specified characteristics. Identifies USB devices by type, manufacturer, product name, serial number and other attributes.

· Printers. Adds specific local or network printers.


With these methods you can build a very precise and flexible list of devices. Notably, you can choose not only the equipment connected to the PC at the moment but also equipment that has ever been used on it (very important for removable drives). The administrator can also create a so-called device catalog: a file that lists all devices connected to computers on the corporate network. It can be created manually or automatically, by scanning all workstations.
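The "ever used on it" inventory comes from the same place a forensic examiner reads it: the USBSTOR branch of the registry keeps an entry for every USB storage device Windows has enumerated on a machine, plugged in or not. The script below is an example added by the editor, not Zlock's device catalog; it builds a comparable inventory, flags devices that have no real serial number (and therefore cannot be whitelisted by serial), and can be run on many workstations over WinRM. The hostnames in the commented usage line are assumed.

```powershell
# Added example (not the Zlock device catalog): inventory of every USB storage device ever
# enumerated on a workstation, from HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR.
function Get-UsbStorageHistory {
    $usbStor = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    foreach ($model in (Get-ChildItem -Path $usbStor -ErrorAction SilentlyContinue)) {
        # Model key name looks like: Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00
        $field = @{}
        foreach ($part in ($model.PSChildName -split '&')) {
            if ($part -match '^(Ven|Prod|Rev)_(.*)$') { $field[$Matches[1]] = $Matches[2] }
        }
        foreach ($instance in (Get-ChildItem -Path $model.PSPath)) {
            $props = Get-ItemProperty -Path $instance.PSPath
            # Instance key is "<serial>&0". A device that reports no serial gets an id Windows
            # invents, recognisable by '&' in the second position; that id is not stable across
            # ports or PCs, so such a device cannot be identified by serial in a policy.
            $instanceId = $instance.PSChildName
            [pscustomobject]@{
                Computer        = $env:COMPUTERNAME
                Vendor          = $field['Ven']
                Product         = $field['Prod']
                Revision        = $field['Rev']
                Serial          = ($instanceId -split '&')[0]
                HasUniqueSerial = ($instanceId.Length -gt 1 -and $instanceId[1] -ne '&')
                FriendlyName    = $props.FriendlyName
                DeviceDesc      = $props.DeviceDesc
            }
        }
    }
}

function Get-UsbStorageCatalog {
    # Runs the inventory on each workstation over WinRM and merges the results
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    Invoke-Command -ComputerName $ComputerName -ScriptBlock ${function:Get-UsbStorageHistory} |
        Select-Object Computer, Vendor, Product, Serial, HasUniqueSerial, FriendlyName
}

# Local run; the CSV is what the administrator turns into per-serial allow policies
Get-UsbStorageHistory | Format-Table Vendor, Product, Serial, HasUniqueSerial -AutoSize
# Get-UsbStorageCatalog -ComputerName 'ws-acct-01', 'ws-acct-02' | Export-Csv .\usb-catalog.csv -NoTypeInformation
```

Two practical points follow from the HasUniqueSerial column: a drive without a real serial should be covered by a class-level deny rather than a per-device allow, and the catalog is also the list of devices that were already used before control was introduced, which is worth reviewing on its own.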

At this point we already have a working policy. However, Zlock provides a number of additional settings that extend the protection system. For example, if a policy should not be in effect all the time, set a schedule for it on the tab of the same name, where you define the intervals during which the policy is valid: its duration, the time of day, and the days of the week or days of the month on which it is active.

If the computer for which the policy is created can leave the corporate network or connect to it over the Internet, special settings can be defined for it on the "Application Rules" tab. It lists three possible states of the PC relative to the corporate domain: the domain is available locally, the domain is available via VPN, and the domain is not available. To disable the policy in any of these states, clear the corresponding checkbox. For example, to make printing impossible from a computer disconnected from the corporate network, create a policy that forbids printers and leave only "Domain not available" and "Domain accessible via VPN" checked in its application rules.

Policies created on one computer can be quickly distributed to others. Connect to all the required workstations in the management console and select "Propagate configuration" in the "Service" menu. In the window that opens, tick the required policies and computers, enable "Background policy propagation", and choose what the application should do when it finds policies with matching names (ask, overwrite, or do not overwrite). Then click "OK" and wait for the process to complete.

Any policy can be changed later. Connect to the computer on which it was originally created, find it in the tree and double-click it. The window familiar from the creation procedure opens, and the parameters can be changed there. Note that if the policy has been distributed to other computers, you should first connect to all of those PCs: when the changes are saved, Zlock will then offer to synchronize the outdated copies with the new one. Policies are deleted in the same way.

Setting up logging and shadow copying

Zlock has a logging system through which the administrator or other person responsible for information security can view and analyse all monitored events. To enable it, select "Settings" in the "Tools" menu and go to the "Journaling" tab. It lists all possible events (write to a device denied, network access changed, configuration changed, access policy applied, and so on) together with their logging status.

To enable logging for one or more events, click the plus sign and select where to log: to a file (the system Event Log or an arbitrary TXT or XML file), to a database on a SQL server or on the log server, or to e-mail.

In the window that opens, configure the log parameters (they depend on the option chosen: file name, database connection parameters, and so on), mark the necessary events and click "OK".


Logging of file operations is configured separately. These are actions such as creating, modifying and editing files, creating and deleting directories, and so on. Such logs only make sense for removable drives, so this type of logging is tied to access policies. To configure it, select "File Operations" from the "Tools" menu in the management console. In the window that opens, first select the policies for which logging will be performed; it makes sense to choose those that control removable drives: USB devices, CD/DVD drives, etc. Then enter the actions the system will take when file operations are detected; each is added by clicking the plus sign and selecting an option. Three of the actions are logging: writing the event to a file, to a database, or sending an e-mail message. The fourth runs a specified program or script.

Next comes shadow copying, a very important function of Zlock that should not be neglected. It duplicates copied or printed files into a special storage, invisibly to the user. Shadow copying is needed where employees must use printers or removable drives to do their jobs: in such cases technical means can hardly prevent a leak, but shadow copies let you establish quickly what left the company, respond to the incident and prevent the next one.

To set the parameters of shadow copying, select the item of the same name in the "Tools" menu. First configure the local storage: specify the folder where the files are saved, the space available to it (in megabytes or as a percentage of free disk space), and the action to take when it overflows (overwrite files in the storage, or forbid or allow further copying and printing). Of these, only "forbid" guarantees that nothing leaves the workstation without a copy; "allow" creates a blind spot that an insider can provoke simply by filling the storage, and "overwrite" destroys the earliest evidence.

If necessary, shadow copies can also be sent to network storage. Go to the "Copy to server" tab and enable "Transmit information about shadow copying and files to the server". To transfer immediately, choose "Transfer files as soon as possible"; alternatively the system can copy files at a specified interval. Then select the network folder to write to. Choose a directory that only the administrator can read; otherwise an employee could open it and delete, or at least view, the saved files. When choosing the folder, enter the username and password of an account that is allowed to write to it. (Those credentials are stored on every workstation, so that account should be able to write to the folder and nothing more.)

Finally, go to the "Policies" tab and specify the policies under which shadow copying will operate.
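The upload credentials live on every controlled workstation, so the server side should be prepared so that those credentials are useful for writing and nothing else. The script below is an example added by the editor, not part of the original article and not a Zlock component: it creates the network storage as a write-only drop folder (the upload account can create and write files but not list, read or delete them) behind a hidden, encrypted SMB share. Path, share name and account names are assumed.

```powershell
# Added example (not from the original article, not Zlock): a write-only network store for shadow
# copies, so that the upload credentials stored on workstations cannot read or delete the evidence.
# Run in an elevated PowerShell 5+ on the file server. Names below are assumed.
$root          = 'D:\ShadowStore'
$shareName     = 'ShadowStore$'                 # trailing $ hides it from browsing
$uploadAccount = 'CORP\svc-shadow-upload'       # the account entered on the "Copy to server" tab
$adminGroup    = 'CORP\InfoSec-Admins'          # the people who review shadow copies

New-Item -ItemType Directory -Path $root -Force | Out-Null

# NTFS: start from an empty, non-inherited ACL so nothing from D:\ (e.g. Users:Read) leaks through
$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)
$acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object { [void]$acl.RemoveAccessRule($_) }

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$rules = @(
    [System.Security.AccessControl.FileSystemAccessRule]::new($adminGroup, 'FullControl', $inherit, $noProp, $allow)
    [System.Security.AccessControl.FileSystemAccessRule]::new('NT AUTHORITY\SYSTEM', 'FullControl', $inherit, $noProp, $allow)
    # Upload account: create and write files, read attributes for the copy to succeed; no ReadData,
    # no ListDirectory, no Delete, so a stolen credential cannot browse, read or remove copies
    [System.Security.AccessControl.FileSystemAccessRule]::new($uploadAccount, 'Write, ReadAttributes, Synchronize', $inherit, $noProp, $allow)
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $root -AclObject $acl

# SMB: share permissions no wider than NTFS; encryption needs SMB 3 clients (Windows 8 / 2012 and later)
if (-not (Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $shareName -Path $root -FullAccess $adminGroup -ChangeAccess $uploadAccount `
                 -EncryptData $true -FolderEnumerationMode AccessBased | Out-Null
}

# Verify: only the three intended principals remain on the folder
(Get-Acl -Path $root).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Test it with the upload account before pointing Zlock at the share: copying a new file in must succeed, while listing the folder, opening an existing copy or deleting one must fail. The account can still overwrite a file whose exact name it knows, so enable object-access auditing on the folder if that matters for your evidence handling.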

Temporary Permit System

In principle, we, dear readers, have already analyzed the Zlock implementation process. After its completion, the insider protection system will work, helping the company to avoid leakage of commercial and personal information. However, Zlock has another very interesting feature that makes life easier for the administrator. We are talking about a system for issuing temporary permits for the use of certain devices.

Why do you want to focus on this particular moment? Everything is very simple. Practice shows that quite often situations arise when one of the employees needs to use a device that is usually prohibited for them. Moreover, such a need may arise urgently. As a result, there is a panic, an administrator is urgently sought, who must change the access policy and, most importantly, do not forget to return it later. Of course, this is very inconvenient. It is much better to use a temporary permit system.


To use it, you first need to generate an administrator certificate. To do this, in the "Tools" menu, select the "Certificate ..." item, and in the window that opens, click on the "Change certificate" button. After that, in the wizard, select the "Create a new certificate" radio button and enter its name. Then it remains only to connect to remote computers, select the "Settings" item in the "Tools" menu, go to the "General" tab in the window that opens and click on the "Install" button.


In Zlock, temporary permissions can be used in two ways - via email and by phone. In the first case, the request is created as follows. The user must right-click on the Zlock icon in the system tray and select "Create Query" from the drop-down menu. In the window that opens, he needs to select the desired device and access rights (read-only or full access), enter the administrator's address and, if necessary, a brief comment. In this case, a letter with a request file attached to it will be generated in the mail client installed in the system by default. Having received it, the administrator should double-click on it with the mouse. This will open a window with information about the request. If the administrator agrees to process it, then he needs to click on the "Next" button. This will open a window for creating a new policy, in which the required device has already been entered. The administrator only needs to set the schedule for this policy. It can be either permanent or one-time. In the second case, the policy will be in effect only until the user ends the Windows session or until the device is removed (depending on the choice of the administrator). This policy can be sent to the employee's computer in the usual way, or via a special file via e-mail (it will be protected with an administrator certificate). Upon receiving it, the user simply needs to run it, after which he will have access to the desired device.

The telephone permission system works in a similar way. First the user creates a request; the procedure is almost identical to the one above, except that at the last step the system produces not an e-mail but a special code consisting of five blocks of letters and digits. The employee calls the administrator and reads this code to him. The administrator enters it in a special window (opened with the "Process request" item of the "Policy" menu), which displays the details of the request. He then creates the policy in the way already described; the only difference is that at the last step the system generates a second code. The administrator reads this code back to the employee, who enters it in a special field and thereby activates access to the device.
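What makes such an out-of-band exchange safe against a user who edits or reuses codes is easiest to see in code. The following Python example is added by the editor and is not Zlock's code or a description of its real format: the layout of the request code, the five blocks of four symbols, the contents of the activation code and the HMAC under a shared key (standing in for the administrator certificate) are all assumptions. It demonstrates the property that matters: the activation code is bound to one specific request and to the policy the administrator actually granted, so it cannot be replayed for another device or upgraded from read-only to full access.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional, Tuple

# Constructed example: a secret shared by the endpoint service and the admin console.
# Stand-in for an administrator certificate (assumption): with a certificate the endpoint
# would hold only the public key; with HMAC this key must be readable by the service
# account alone, never by the interactive user, or the user could mint codes himself.
ADMIN_KEY = bytes.fromhex("5b7f2c1d9e0a4436b8d1f05a7c3e9912")

# 32 dictation-friendly symbols (no 0/O, 1/I); the block size of four is an assumption.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
ACCESS_READ, ACCESS_FULL = 0, 1          # requested / granted access level
UNTIL_LOGOFF, UNTIL_UNPLUG = 0, 1        # lifetime of a one-time policy, as in the text


def encode_code(data: bytes) -> str:
    """12 bytes -> 20 symbols of 5 bits each, shown as five blocks of four."""
    if len(data) != 12:
        raise ValueError("code payload must be 12 bytes")
    n = int.from_bytes(data, "big") << 4                  # 96 data bits + 4 zero pad bits
    s = "".join(ALPHABET[(n >> (5 * i)) & 31] for i in range(19, -1, -1))
    return "-".join(s[i:i + 4] for i in range(0, 20, 4))


def decode_code(code: str) -> bytes:
    s = code.replace("-", "").replace(" ", "").upper()
    if len(s) != 20 or any(c not in ALPHABET for c in s):
        raise ValueError("malformed code")
    n = 0
    for c in s:
        n = (n << 5) | ALPHABET.index(c)
    if n & 0xF:
        raise ValueError("malformed code")
    return (n >> 4).to_bytes(12, "big")


def build_request(account_id: int, vid: int, pid: int, access: int) -> Tuple[bytes, str]:
    """Endpoint side: the code the user reads to the administrator over the phone.
    Carries account, VID/PID, requested access, a nonce (every request is unique) and
    two check bytes so that a mis-heard symbol is rejected instead of misinterpreted."""
    body = struct.pack(">HHHB", account_id, vid, pid, access) + secrets.token_bytes(3)
    check = hashlib.sha256(body).digest()[:2]
    req = body + check
    return req, encode_code(req)


def parse_request(code: str) -> Dict[str, object]:
    """Admin console side: decode what the user dictated and show it for review."""
    req = decode_code(code)
    body, check = req[:10], req[10:]
    if not hmac.compare_digest(hashlib.sha256(body).digest()[:2], check):
        raise ValueError("request code failed its check bytes; ask the user to repeat it")
    account_id, vid, pid, access = struct.unpack(">HHHB", body[:7])
    return {"account_id": account_id, "vid": vid, "pid": pid, "access": access, "raw": req}


def approve(req: bytes, granted_access: int, lifetime: int, key: bytes = ADMIN_KEY) -> str:
    """Admin side: the activation code. The MAC binds the granted policy to this exact
    request, so the user can neither upgrade read-only to full nor reuse the code."""
    policy = bytes([(granted_access << 1) | lifetime])
    tag = hmac.new(key, b"temp-policy" + req + policy, hashlib.sha256).digest()[:11]
    return encode_code(policy + tag)


def activate(req: bytes, activation_code: str, key: bytes = ADMIN_KEY) -> Optional[Dict[str, int]]:
    """Endpoint side: verify the dictated activation code against the stored request."""
    data = decode_code(activation_code)
    policy, tag = data[:1], data[1:]
    expected = hmac.new(key, b"temp-policy" + req + policy, hashlib.sha256).digest()[:11]
    if not hmac.compare_digest(tag, expected):
        return None
    return {"access": policy[0] >> 1, "lifetime": policy[0] & 1}


if __name__ == "__main__":
    req, request_code = build_request(1042, 0x058F, 0x6387, ACCESS_FULL)
    print("user dictates:", request_code, parse_request(request_code))
    code = approve(req, ACCESS_READ, UNTIL_LOGOFF)      # admin grants less than was asked
    print("admin dictates:", code, "->", activate(req, code))
```

With a real certificate the endpoint stores only the public key and verifies a signature, so even an employee who digs the key out of the client cannot mint codes; with the HMAC stand-in used here, the key has to live where the service account alone can read it.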


Summing up

So, as we can see, putting an insider-protection system into operation is not, in principle, complicated and requires no special skills; any system administrator with basic knowledge of network technology can cope with it. It is worth stressing, however, that the effectiveness of the protection depends entirely on how competently and completely the access policies are drawn up. This is the step to approach with the utmost seriousness, and it should be done by a responsible employee.

Zlock: Control access to USB devices

Testing Zlock

The main expected advantages of the system, alongside its core functional characteristics, should be ease of implementation and intuitive setup and configuration steps.

Figure 1. Default access policy

After that, think through the access policies for the Zlock service itself, which are also distributed to client sites during installation. Edit the access policy for the settings of the client part, allowing or disallowing users to see the tray icon and to receive warnings about access policy changes. On the one hand these warnings are convenient: a user who has sent an access request to the administrator is notified when the changed policy is applied to his workstation. On the other hand, system administrators often prefer not to give users unnecessary visual confirmation of the protection services running on the workstation.

Then the created policy (which for now remains local to the console workstation) is saved as a file named default.zcfg in the client distribution folder.

That's it; the global preparation of the system for mass installation is complete. The product impresses with how easy policy creation is, thanks to the familiar ACL-style principle of defining user rights.

To install on every computer, a pop-up message was sent asking users to switch on any nearby workstations that were not currently in use. I selected all workstations in the list of computers to connect to (more precisely, selected everything and then excluded the servers) and started the connection process for the subsequent installation of the client part. Connecting to this many computers (150) naturally took a relatively long time, since it is done sequentially and, for a computer that is switched off, the connection timeout has to expire. However, this only has to be done once, during the initial installation; later, policies are managed according to users' individual needs. When trying to install the client on all 150 computers of the local network "in one go", I ran into minor problems on several workstations, but on most computers the installation completed automatically. There was only one real installation problem: Zlock's incompatibility with outdated versions of the StarForce CD-protection driver. For the two to coexist, the StarForce driver has to be updated from the manufacturer's website, which was also done remotely through the remote installation service. The explanation for the incompatibility seems plausible to me: Zlock hooks the I/O subsystem at a lower level than ordinary application functions of the OS, exactly as CD copy protection does.

After selecting the workstations, you are asked where the installer distribution should be run from. It is this function that makes it possible to install other programs the same way without leaving your desk. Be careful when choosing between the installation options "With reboot" and "Restart required": with "With reboot", client workstations reboot automatically after installation without asking the user for confirmation.

This completes the initial installation; after the reboot the Zlock client starts enforcing the prescribed security policy. At the same time the Zlock service icon appears in the tray, letting users create access requests and, if the default policy we created permits it, edit policies themselves.

Committed to complete privacy...

After that the real fine-tuning of Zlock begins. If employees in your company often need to save something to removable media and you want to keep the security policy at its strictest, arrange your schedule so that you are at your desk as much as possible in the week after installation. For maximum strictness it is recommended to create rules for specific removable devices, since Zlock can grant access based on a device's full characteristics: brand, model, serial number and so on. The situation is harder in IT firms, where employees constantly have to write all kinds of data to CD/DVD-R/RW discs. There, dedicated workstations with recording drives can be recommended, with rules created by the system security policies that deny those computers access to the network. Such subtleties, however, are beyond the scope of this article on Zlock.

How does it work in practice?

Now let's see how it all looks in action. As a reminder, the access policy I created allows users to read from all removable devices and prohibits writing to them. An employee of the service department comes to the office to hand in reports and burn assignments to a disc. When the removable device is connected, the system restricts access and displays the corresponding warning (see Fig. 2).

Figure 2. Access restriction warning

The employee reads the information he brought, then unsuccessfully tries to write the assignments received from his manager. To obtain access he either contacts the administrator by phone or generates an automatic request with the Zlock tray applet, indicating the device he wants to access, naming his account and giving the reason for the request.

The administrator, on receiving such a request, decides whether to grant access and, if the decision is positive, changes the policy for the given workstation. The request contains all the information about the device, including manufacturer, model, serial number and so on, and Zlock allows policies to be built on any of this data. We can therefore grant write access to a specific user on the specified device and, if necessary, log all file operations (see Fig. 3).


Figure 3. Creating a policy based on a user request

Thus the creation of additional permissive policies is reduced to a minimum of effort for the administrator, a "check and click" procedure, which is certainly pleasing.

Problems

Unable to open firewall ports for Zlock remote administration?

For remote administration of Zlock it is enough to open one port in the firewall. By default this is port 1246, but it can be changed if that number is unsuitable for any reason. In this respect, by the way, our product compares favorably with some analogues that use the Remote Procedure Call (RPC) service for administration, which by default requires opening many ports and is quite vulnerable to external attacks. As you know, most modern viruses have used RPC vulnerabilities to infiltrate a computer and gain administrative privileges on it.

2) Problem

We have the following situation. Two employees in the same department work on the same computer. Each has a flash drive. The task is to make the first employee's flash drive readable but not the second one's. The main problem is that these flash drives have the same identifiers (VID_058F&PID_6387): Transcend 256 MB and 1 GB drives. Please advise how to proceed in this situation. Many thanks.

The numbers you mention are the Vendor ID and Product ID. To restrict access to devices with the same vendor and product IDs, you must specify their serial numbers in the Zlock policies. Note that not all USB drive manufacturers assign unique serial numbers to their products; it is usually no-name manufacturers that are guilty of omitting them.
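The distinction the answer draws, and the caveat about drives without serial numbers, can be checked automatically on the endpoint. The Python example below is added by the editor and is not Zlock's code: it parses Windows device instance IDs (USB\VID_xxxx&PID_xxxx\<instance>) and applies serial-bound rules ahead of VID/PID rules. The sample instance IDs, serial numbers and rule set are constructed for the example; VID 058F from the question belongs to the controller vendor (Alcor Micro), which is why drives of different sizes and even brands share it. The one Windows fact the code relies on: when a device reports no serial-number descriptor, Windows generates the instance part itself and its second character is '&', so such a value must never be treated as a serial.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows device instance ID of a USB device: USB\VID_xxxx&PID_xxxx\<instance>.
INSTANCE_ID = re.compile(r"^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})\\(.+)$", re.IGNORECASE)


@dataclass(frozen=True)
class UsbDevice:
    vid: str
    pid: str
    serial: Optional[str]   # None when the drive reported no serial number


def parse_instance_id(instance_id: str) -> UsbDevice:
    m = INSTANCE_ID.match(instance_id)
    if not m:
        raise ValueError(f"not a USB instance id: {instance_id}")
    vid, pid, instance = m.group(1).upper(), m.group(2).upper(), m.group(3)
    # Without a USB serial-number descriptor, Windows synthesises the instance part
    # (e.g. "7&2a3f1c8d&0&3"); its second character is always '&'. Such a value is
    # unique only to this machine and port, so it is not a serial number.
    if len(instance) > 1 and instance[1] == "&":
        return UsbDevice(vid, pid, None)
    return UsbDevice(vid, pid, instance)


@dataclass(frozen=True)
class Rule:
    vid: str
    pid: str
    serial: Optional[str]   # None = applies to every device with this VID/PID
    access: str             # "deny", "read" or "full"


def decide(device: UsbDevice, rules: List[Rule], default: str = "deny") -> Tuple[str, str]:
    """Most specific rule wins: a serial-bound rule beats a VID/PID (class) rule, which
    beats the default. Returns (access, reason) so the decision can be logged."""
    same_model = [r for r in rules if (r.vid, r.pid) == (device.vid, device.pid)]
    if device.serial is not None:
        for r in same_model:
            if r.serial is not None and r.serial.upper() == device.serial.upper():
                return r.access, f"serial rule {r.serial}"
    for r in same_model:
        if r.serial is None:
            reason = "class rule"
            if device.serial is None:
                reason += " (drive reports no unique serial; it cannot be bound individually)"
            return r.access, reason
    return default, "default policy"


# Constructed policy for the situation in the question: two drives share
# VID_058F&PID_6387 and only the one with serial A1B2C3D4 may be read.
RULES = [
    Rule("058F", "6387", None, "deny"),
    Rule("058F", "6387", "A1B2C3D4", "read"),
]

if __name__ == "__main__":
    for iid in (r"USB\VID_058F&PID_6387\A1B2C3D4",
                r"USB\VID_058F&PID_6387\E5F6A7B8",
                r"USB\VID_058F&PID_6387\7&2a3f1c8d&0&3"):
        print(iid, "->", decide(parse_instance_id(iid), RULES))
```

The third sample drive shows the caveat from the answer in practice: a drive with no serial can only ever fall under the class rule, so a serial-bound allow rule for that model can never apply to it, and the reason string makes that visible in the log.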

II. Overview of SecurIT Zgate

In this review we begin a detailed account of SecurIT Zgate, a corporate solution that analyzes Internet traffic at the gateway level to detect and block attempts to leak confidential data and other unauthorized actions by employees.

Introduction

According to the concept of comprehensive protection against internal threats promoted by SecurIT, the SecurIT Zgate gateway product is an important part of an IPC system. The IPC concept combines DLP (Data Loss Prevention) with protection of data at rest in storage. The combination of these seemingly different technologies was first proposed by IDC analyst Brian Burke in the report Information Protection and Control Survey: Data Loss Prevention and Encryption Trends.

IPC systems control the channels standard for DLP systems: e-mail, Web resources (webmail, social networks, blogs), ICQ, USB devices and printers. IPC adds to this the encryption of data on servers, on magnetic tape and at network endpoints: PCs, laptops and removable drives. Besides the list of controlled channels and encrypted media, IPC products differ significantly in their set of methods for detecting confidential data.

Thus SecurIT Zgate, which prevents leakage of confidential information over network channels, is an important, if not the key, part of a unified IPC system. SecurIT Zgate analyzes all data that employees send outside the organization's network, using automatic detection technologies intended to determine the confidentiality level of transmitted information with regard to business specifics and the requirements of various industry standards.

1. System requirements

The minimum system requirements for the SecurIT Zgate solution are shown in the table below.

2. Main features of SecurIT Zgate:

Filtering incoming, outgoing and internal traffic.

Content analysis of transmitted messages and files using any combination of automatic categorization methods.

Compatibility with any mail system (MTA) running on the SMTP protocol: Microsoft Exchange Server, IBM Lotus Domino, Kerio MailServer, Communigate Pro, Sendmail, Postfix, etc.

Work in a passive monitoring mode with a copy of the transmitted data or in an active mode of blocking incidents in real time.

Flexible policies for checking, blocking and archiving data with the ability to configure up to 30 settings.

Apply policies based on transmission time, traffic direction, and user location.

Convenient tools for managing dictionaries describing various categories of documents.

Ability to manually scan suspicious messages and files.

Modification of messages and the ability to notify users about the results of filtering.

Integration with third-party applications for additional processing by antivirus and anti-spam systems.

Ability to maintain a complete archive of transferred data, including attachment files, in Microsoft SQL Server or Oracle Database.

Scalable and modular architecture to meet the most demanding performance requirements.

Installation and management through a single console for all SecurIT products.

Extensive opportunities to separate the roles of administrators.

Support for importing statistical information into various report designers, such as Crystal Reports or FastReport.

3. Installing SecurIT Zgate

Important! If you plan to use the SecurIT Zgate mail-processing tools inside Microsoft Exchange 2007/2010, the SecurIT Zgate server part must be installed on the same computer as Microsoft Exchange.

SecurIT Zgate uses a standard InstallShield installer; the whole installation is simple and causes no difficulties.

Figure 1: Beginning the installation of SecurIT Zgate

Note in Figure 2 that the log server is not installed by default; it can be deployed on another computer. The event log can be kept in an XML file, on a separate log server, or in a database (Microsoft SQL Server or Oracle Database).

Figure 2: Selecting modules to install SecurIT Zgate

SecurIT Zgate is operated through the management console, which communicates with the SecurIT Zgate server over TCP/IP on port 1246. Remember to open this port in the firewall, preferably only for the management workstation; the port can be changed later if necessary.

If you want to use SecurIT Zgate in sniffer mode, the WinPcap driver must be installed on the computer that already has the SecurIT Zgate server; the driver is bundled with the SecurIT Zgate distribution.

The management console can be installed on the same computer where SecurIT Zgate is already installed, or on a separate one.

So, let's get started with SecurIT Zgate.

4. Getting started and initial setup of SecurIT Zgate


Figure 3: General view of the SecurIT Zgate management console

To get started, establish a connection to the computer hosting the server part of the system. The list of computers is on the left side of the management console, under the "Without applications" tree element. In our example we installed the SecurIT Zgate server on the computer VM-2003TEST, which we select.

Once the computer is selected and the connection has succeeded, it is moved from the "Without applications" section to the nodes of the applications installed on it (in our case SecurIT Zgate), and a tree of settings and functions opens (Figure 4).


Figure 4: The connection to the computer was successful - new features are available

Note that the list of computers in the domain is obtained either via NetBIOS or loaded from Active Directory. If there are many computers on the network, the search option helps.

If the computer is not in the "Without applications" list, the connection can be set up manually: open the "Connection" menu in the management console and select "Create connection". In the window that opens, enter the computer name, IP address, port (1246 by default) and user credentials (Figure 5). By default, access rights for configuring SecurIT Zgate are set so that members of the local Administrators group have full access to all functions of the system.


Figure 5: Creating a connection manually

So, let's take a look at the settings of the SecurIT Zgate server one by one.

General. This section (Figure 6) specifies the internal mail server and its port, the server operation mode, the directory for temporary storage of processed messages and that directory's maximum size.


Figure 6: General Server Settings for Mail Server in SecurIT Zgate

As the figure shows, the "Mail filtering inside Microsoft Exchange 2007/2010" and "Mail logging inside Microsoft Exchange 2007/2010" modes are unavailable because we do not currently have Microsoft Exchange installed and configured. Mirroring mode (analysis of a copy of the transmitted traffic) is available because the WinPcap driver is installed.

Mirroring of messages sent over encrypted SMTP (a TLS session set up with the STARTTLS command) and via the XEXCH50 extension of Exchange's ESMTP is not supported. In practice this means that in mirroring mode anything the mail servers exchange over TLS is invisible to Zgate; where internal SMTP is encrypted, the proxy or Exchange modes are the ones that actually see the content.

Reception. This section configures mail reception for the various server operation modes (Figure 7).


Figure 7: Configuring Mail Reception to Work in Proxy Mode (Journaling)

When configuring filtering or logging in proxy mode, you set the network interface and port (25 by default) on which mail is received from outside the SecurIT Zgate system, the interface and port used to receive mail from the internal mail server, and the directory for incoming messages with its maximum size. The inbox directory holds messages received by SecurIT Zgate until they are processed or forwarded.

The same tab configures protection against denial-of-service attacks. As Figure 7 shows, this protection is a set of conditions; a message that fails one of them is not accepted. Each condition can be enabled or disabled depending on whether the particular check is needed.

If the SecurIT Zgate server operates in mirrored-traffic analysis mode (enabled on the General tab), the Reception tab looks as follows (Figure 8).


Figure 8: Configuring mail reception in mirrored traffic analysis mode

The settings for this mode specify the network interface on which mirrored traffic is received, the IP address of the mirrored mail server, the ports that server uses to receive and send mail, and the directory for incoming messages and its size.

Important! For SecurIT Zgate to work in mirroring mode, the network switch to which the SecurIT Zgate computer is connected must support port mirroring: the switch copies traffic to a monitoring port so that it can be analyzed without interfering with the flow.

A switch with port mirroring is not required, however, if SecurIT Zgate is installed on the organization's proxy server, or on the very computer whose traffic is being monitored.

When the Mail filtering inside Microsoft Exchange 2007/2010 or Mail journaling inside Microsoft Exchange 2007/2010 mode is selected on the General tab, the Reception and Transfer tabs are replaced by the Microsoft Exchange tab.

The Microsoft Exchange tab configures the directories for incoming and outgoing messages and their maximum size (the directories queue messages awaiting processing or delivery to the recipient's mail server). The same tab has the "Control internal mail" option: in this mode, messages between clients of the controlled mail server are scanned as well. This is an important feature, since it makes the internal correspondence of employees controllable.

The bottom of the tab displays information about errors or warnings.

Transfer. Mail transfer settings do not depend on the server operation mode and are the same for filtering and logging in proxy mode and for mirroring (Figure 9).


Figure 9: Mail Transfer Settings in SecurIT Zgate

The following parameters are configured here:

the maximum number of simultaneous outgoing connections;

the connection attempt scheme;

the list of mail domains served by the internal mail server;

the delivery server to which outbound mail is handed (if no delivery server is specified and the recipient's domain is not internal, SecurIT Zgate delivers the mail itself, connecting directly to the recipient's mail server);

a smart host to which messages are forwarded for recipients in accepted domains who are not among the licensed addresses;

the directory for outgoing messages and its maximum size.

Messages are also forwarded to the smart host when SecurIT Zgate could not determine the recipient's mail server address via DNS, or when that server reported that the recipient does not exist.

The connection scheme for the recipient's mail server consists of series; each series is a number of attempts to connect to the recipient's server and an interval in minutes between attempts. If no connection could be established under the scheme, the message is deleted, a corresponding entry is written to the log, and an error message is sent to the sender.

The Zgate Web tab is designed to prevent leaks over the Internet, such as when employees intentionally or accidentally send confidential data through webmail, post it on a forum or blog, or send it over ICQ.

Zgate Web works either from port mirroring on the switch or by intercepting network traffic on the computer where SecurIT Zgate is installed. To use Zgate Web, the WinPcap driver must be installed on the SecurIT Zgate server.

In the current version, Zgate Web intercepts traffic transmitted using the following protocols and resources:

AOL ICQ instant messaging protocol;

FTP File Transfer Protocol;

HTTP data transfer protocol;

mail services: Mail.ru, Yandex.ru, Pochta.ru, Rambler.ru, Hotmail.com, Google.com, Yahoo.com;

SMS/MMS messaging services: Megafon, Beeline, MTS, TELE2, SKYLINK, Web sms;

forums implemented on the basis of PhpBb, IpBoard, Vbulletin software.

As you can see, traffic control capabilities are impressive.

For each message, the Zgate Web interception module generates a letter containing information about the message and a set of additional parameters related to the service used. This letter is placed among the incoming messages and processed by SecurIT Zgate in the same way as an ordinary letter received via SMTP.

Zgate Web settings are shown in Figure 10.


Figure 10: Zgate Web Settings

On this tab you can enable or disable Zgate Web, specify the network interface from which traffic is copied, view and edit the list of address ranges for analyzed packets (your own ranges can be added), choose a directory for temporary files and its size, and select the analysis modules needed.

To add your own address range for analyzed packets, click the "+" button to the right of the list; the following window opens (Figure 11).


Figure 11: Adding a range of addresses for parsed packets to SecurIT Zgate

After specifying the required addresses and ports and choosing an action (analyze or exclude from analysis), click OK. The new range is ready.

Archive. The archive is intended for centralized storage of copies of messages, for viewing them and forwarding them. Quarantined messages are also kept in the archive. The archive database can be hosted in Oracle or Microsoft SQL Server (Figure 12). Some archive-related settings are located on the Advanced tab (Settings item in the Tools menu).


Figure 12: Selecting a database and setting archive parameters in SecurIT Zgate

To use the archive we need to install and configure MSSQL Express or Oracle (listed in the minimum system requirements).

After specifying the necessary settings and the user for accessing the database, we can test the connection with the "Check connection" button (Figure 13). Data compression can also be enabled; choose a "golden mean" between speed and data volume.


Figure 13: Everything is ready to work with the database - the connection is established

License. The purpose of this tab is clear from its name. It shows the number of licensed e-mail addresses, the license validity period and the list of licensed SecurIT Zgate modules: Email Control (Zgate Mail) and Web Traffic Control (Zgate Web). Licensed modules are marked with a green tick (Figure 14).


Figure 14: Viewing and managing licenses in SecurIT Zgate

Statistics. This tab is equally clear: it shows the SecurIT Zgate server statistics (Figure 15).


Figure 15: SecurIT Zgate server statistics

Advanced. This tab holds additional system settings (Figure 16); a detailed description of each option is in the product documentation.


Figure 16: SecurIT Zgate advanced settings

Access. SecurIT Zgate lets you divide the rights for managing the system and working with the message archive among several users. Access to the system is configured on this tab (Figure 17).


Figure 17: Managing access to the SecurIT Zgate system

As already mentioned, by default the access rights for configuring SecurIT Zgate are set so that members of the local Administrators group have full access to all functions.

To add a user or group to the access list, click the "+" button and select the required account or group. Then, in the lower part of the window, set the rights you want to assign to it. A "V" icon means the user is allowed the operation, "X" means the user is denied it. The rights of a user and of the groups he belongs to are combined in the same way as in Windows access control.

As an example, we selected the Guest user and gave him the right to view parameters and statistics (Figure 18).


Figure 18: Selecting a user and assigning the appropriate rights to him

Logging. SecurIT Zgate can perform additional processing of the operations it carries out through its event-processing mechanism. One option is to log the operation of SecurIT Zgate to the Windows event log, to a file, or to Microsoft SQL Server.

By default, event logging is disabled (Figure 19). You can enable logging for an event yourself and choose how it is logged.


Figure 19: List of events to be monitored in SecurIT Zgate

Enabling logging for an event is simple: select the event, click the "+" button to the right of the event list and choose the logging option. We take the "logging" option as an example (Figure 20).


Figure 20: Configuring event logging options to file or system log

In this case you can choose logging to the system log, and any computer on the local network can be chosen to hold that log, or logging to a file. Three file formats are available: ANSI text, Unicode text and XML. The difference is that an XML log can be analyzed by SecurIT Zgate itself, whereas text files cannot.

You can also choose the location of the log file and the user on whose behalf logging is performed.


Figure 21: Selecting events to log in SecurIT Zgate

After selecting the required events, click "Finish". The result is shown in Figure 22: icons next to the logged events indicate the logging parameters and where the log is written.


Figure 22: You can see three events that are logged to the XML file

Logging to the log server and to Microsoft SQL Server is also available. With SQL Server logging, the processing module records each event in a database created in Microsoft SQL Server.

When choosing logging to Microsoft SQL Server, you select the MSSQL server, specify the user parameters and check the connection to the database. If everything is correct, the connection check offers to create a new database whose name is assigned by SecurIT Zgate (Figure 23).


Figure 23: Selecting a database server and specifying parameters for connecting to it


Figure 24: Confirming the creation of the internal database structure for storing the log


Figure 25: Specifying the events to be logged


Figure 26: We see the events that will be logged to the specified SQL server

Scripts. Another form of additional processing of SecurIT Zgate operations is the execution of scripts and the launching of executable files.

When the selected event fires, the specified application is launched or the specified script executed. The list of events is the same as for logging.

This can be used, for example, to send an SMS about an event or to lock a workstation until a security officer arrives.


Figure 27: Selecting the executable

In the same window you can specify the path to the script file and the user on whose behalf the file or script is run. Note that by default applications are launched under the SYSTEM account, so anyone allowed to edit these handlers on the Access tab can effectively run arbitrary code as SYSTEM on the Zgate server; grant that right sparingly and keep the script files writable only by administrators.


Figure 28: List of events that will trigger the application

This concludes the preliminary configuration of SecurIT Zgate; we now turn to configuring the filtering subsystems.

Setting up content analysis and filtering

Now let's look at the options for setting up a content analysis system.

Dictionaries. In Zgate, a dictionary is a group of words united by some attribute (category). As a rule, the presence in a letter of words from a particular dictionary makes it highly probable that the letter belongs to the category that dictionary describes. Dictionaries are used by the "Dictionary analysis" and "Bayesian processing" filtering methods.


Figure 29: Dictionary management window in SecurIT Zgate

Since SecurIT Zgate uses the same dictionaries both in dictionary analysis of a message and in Bayesian processing, every word in a dictionary is assigned two parameters: its weight in the category and its weight in the anti-category. By default both are set to 50.

To add a dictionary, you need to press the "+" button in the dictionary management window, and in order to add words to the dictionary, you need to select the required dictionary and press the "pencil" button (Figure 30, 31).


Figure 30: Adding a dictionary to SecurIT Zgate


Figure 31: Adding a word to the dictionary in SecurIT Zgate

When entering words, you can use special characters:

* - any number of letters or digits;

- any one character (letter or digit);

^ - one separator character (space, tab, line feed);

- one separator or punctuation character;

# - one digit;

@ - one letter.

Valid dictionary characters are letters and digits, the characters ( ), < >, - and _, the special characters above, and special characters used as ordinary characters: any special character can be turned into a regular one by prefixing it with a backslash. For example, test\* means the dictionary contains the literal word test*, whereas test* means it contains all words beginning with test: test, tests, testing and so on.

Besides creating and filling a dictionary manually, you can build one by importing words from a prepared file, and a dictionary can also be generated automatically.

When importing words from a file, each word receives the default weight in the category and in the anti-category. Characters not valid for a dictionary are replaced during import by a separator (space) by default.

Automatic generation of a dictionary is possible from a specially prepared text file with an appropriate set of words, as well as from real documents that do or do not belong to a given category.
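The wildcard rules above can be tried out with the following Python snippet, an added example rather than Zgate's own code: it compiles dictionary entries into regular expressions and runs a dictionary analysis over a constructed message. The regex equivalents, the whole-word matching rule and the sample dictionaries are assumptions, and the two wildcards whose symbols the page does not give are left out.

```python
import re

# Regex equivalents of the dictionary wildcards listed above. The mapping and the
# matching semantics are this example's assumptions, not Zgate's implementation;
# the two wildcards whose symbols are not given on the page are not implemented.
_WILDCARDS = {
    "*": r"[^\W_]*",     # any number of letters or digits (Unicode-aware)
    "^": r"[ \t\n]",     # exactly one separator: space, tab or line feed
    "#": r"\d",          # exactly one digit
    "@": r"[^\W\d_]",    # exactly one letter
}


def pattern_to_regex(entry):
    """Compile one dictionary entry into a case-insensitive regular expression
    that must match a whole word or phrase (no letter or digit may adjoin it)."""
    parts = []
    i = 0
    while i < len(entry):
        ch = entry[i]
        if ch == "\\" and i + 1 < len(entry):
            # a backslash turns the next special character into a literal one
            parts.append(re.escape(entry[i + 1]))
            i += 2
        else:
            parts.append(_WILDCARDS.get(ch, re.escape(ch)))
            i += 1
    return re.compile(r"(?<!\w)" + "".join(parts) + r"(?!\w)", re.IGNORECASE)


def dictionary_analysis(text, dictionaries):
    """Return {category: [matched fragments]} for each dictionary with at least
    one hit in the text. dictionaries maps a category name to its entries."""
    hits = {}
    for category, entries in dictionaries.items():
        found = [m.group(0)
                 for entry in entries
                 for m in pattern_to_regex(entry).finditer(text)]
        if found:
            hits[category] = found
    return hits


# Constructed sample dictionaries and message (not taken from the page).
SAMPLE_DICTIONARIES = {
    "internal": [
        "confidential*",     # confidential, confidentially, ...
        "account^number",    # two words separated by one space/tab/newline
        "inv-####",          # invoice numbers such as INV-2041
        "project^@@@@",      # "project" plus a four-letter code name
        "test\\*",           # the literal word test* (escaped asterisk)
    ],
    "hr": ["resume", "salary^review"],
}

SAMPLE_MESSAGE = (
    "Attached is the confidential payroll file. Account number and INV-2041 "
    "are for project ZEUS. Please run test* before sending; contest results later."
)
```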

In addition to linguistic analysis methods, you can use the "digital fingerprints" method, popular for this class of products: a search of a mail message for copies of controlled documents or parts of them. The text being sought may have been modified, or only part of it may be present in the message.

The fingerprint method works as follows: a "digital fingerprint" is computed for every confidential document. The resulting fingerprints are stored in a database that is updated (automatically) and replenished. When a document needs to be checked, its "digital fingerprint" is calculated, and a similar fingerprint is then searched for among the fingerprints of the confidential documents stored in the database. If the fingerprint of the scanned file is similar to a fingerprint stored in the database, a corresponding warning (notification) is issued.

In order to start working with the database of fingerprints, you need to go to the "Tools" menu and execute the "Footprints" command.


Figure 32: Managing the fingerprint database in SecurIT Zgate

To add a new category of documents for fingerprinting, click the "+" button. To edit a category, press the "pencil" button, and to delete one, the "X" button.


Figure 33: Creating a Document Category in SecurIT Zgate

When creating a category, you also specify the update interval of the fingerprint database, the credentials of the user on whose behalf the files will be accessed, and files containing commonly used words that are excluded from scanning.

You can use the following file formats to create fingerprints: .txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .html, .rtf, .odt, .ods, .odp, .dbf, .wps, .xml* (the .xml format is parsed as a plain text document).


The created category can be tested. Test file verification with the fingerprint method is intended to confirm that the digital fingerprint settings and the category descriptions are correct. During the check, the system determines whether the digital fingerprint of the file (document) being checked is similar to the digital fingerprint of a document stored in the previously created database of a given category. The search for similar documents allows for the fact that some or all Russian characters in the checked document may have been replaced by English characters similar in appearance, and vice versa.

To run a check, click the "Check" button at the bottom of the fingerprint database management window, select the file to be checked and specify the required similarity percentage.
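To make the fingerprint check concrete, here is an added Python example (not SecurIT's algorithm) of a fingerprint database built from hashed word shingles, with the Latin/Cyrillic look-alike folding and the exclusion of common words described above. The shingle size, the homoglyph table, the similarity formula and the sample memo and letters are all constructed assumptions.

```python
import hashlib
import re

# Cyrillic letters that look like Latin ones. The page says the check allows for
# such substitutions in either direction; this table, the word shingling and the
# similarity formula are assumptions of this added example, not Zgate's algorithm.
_HOMOGLYPHS = str.maketrans({
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "у": "y",
    "х": "x", "к": "k", "м": "m", "т": "t", "в": "b", "н": "h",
})


def normalize(text, stopwords=frozenset()):
    """Lower-case, fold look-alike letters, tokenize and drop excluded words."""
    folded = text.lower().translate(_HOMOGLYPHS)
    return [w for w in re.findall(r"\w+", folded) if w not in stopwords]


def fingerprint(text, k=5, stopwords=frozenset()):
    """Digital fingerprint: the set of hashed k-word windows (shingles), so a
    modified copy or an excerpt still shares many shingles with the original."""
    words = normalize(text, stopwords)
    windows = max(1, len(words) - k + 1) if words else 0
    shingles = set()
    for i in range(windows):
        chunk = " ".join(words[i:i + k]).encode("utf-8")
        shingles.add(hashlib.sha256(chunk).digest()[:8])
    return shingles


def similarity(candidate, reference):
    """Shared shingles as a percentage of the shorter document (assumed measure)."""
    if not candidate or not reference:
        return 0.0
    return 100.0 * len(candidate & reference) / min(len(candidate), len(reference))


class FingerprintDatabase:
    def __init__(self, stopwords=()):
        self.stopwords = frozenset(stopwords)   # "commonly used words" to skip
        self.categories = {}                    # category -> {doc name: shingles}

    def add_document(self, category, name, text):
        docs = self.categories.setdefault(category, {})
        docs[name] = fingerprint(text, stopwords=self.stopwords)

    def check(self, text, threshold_percent):
        """Return (category, document, percent) for each stored document whose
        fingerprint is at least threshold_percent similar to the checked text."""
        probe = fingerprint(text, stopwords=self.stopwords)
        hits = []
        for category, docs in self.categories.items():
            for name, stored in docs.items():
                pct = similarity(probe, stored)
                if pct >= threshold_percent:
                    hits.append((category, name, round(pct, 1)))
        return sorted(hits, key=lambda h: h[2], reverse=True)


# Constructed sample data (not from the page). The leaked letter has Latin "o"
# and "a" replaced by Cyrillic look-alikes, written as \u escapes to be explicit.
COMMON_WORDS = {"the", "is", "and", "for", "on", "do", "not", "this"}
CONFIDENTIAL_MEMO = (
    "The merger with Nordbank is scheduled for the second quarter. Board approval "
    "is expected on March 3 and the offer price is 42 rubles per share. "
    "Do not forward this document outside the finance department."
)
LEAKED_LETTER = (
    "Hi! Just so you know, the merger with N\u043erdbank is scheduled for the "
    "sec\u043end quarter. B\u043eard approval is expected on M\u0430rch 3 and "
    "the offer price is 42 rubles per share. Cheers"
)
HARMLESS_LETTER = "Lunch is at the cafe around the corner at one, bring an umbrella because it will rain all afternoon."


def demo():
    db = FingerprintDatabase(COMMON_WORDS)
    db.add_document("mergers", "nordbank_memo.docx", CONFIDENTIAL_MEMO)
    return db.check(LEAKED_LETTER, 50), db.check(HARMLESS_LETTER, 50)
```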

Such an advanced categorization system allows you to create separate categories for different message content. In turn, this makes it possible to categorize incident notifications in the log correctly and lets the security officer set priorities and respond to events quickly.


Figure 35: Setting traffic inspection parameters in SecurIT Zgate


Figure 36: Check result

Protection from insiders using a combination of Zgate and Zlock

Today, there are two main channels for leaking confidential information: devices connected to a computer (all kinds of removable drives, including flash drives, CD/DVD drives, etc., and printers) and the Internet (e-mail, ICQ, social networks, etc.). Therefore, when a company is "ripening" to introduce a protection system against them, it is advisable to approach the solution comprehensively. The problem is that different approaches are used to cover different channels. In one case the most effective protection will be control over the use of removable drives, in the other, various options for content filtering, which make it possible to block the transfer of confidential data to an external network. So companies have to use two products to protect against insiders, which together form a comprehensive security system. Naturally, it is preferable to use tools from one developer: implementation, administration and staff training are then easier. An example is SecurIT's products Zlock and Zgate.

Zlock: leak protection through removable drives

The Zlock program has been on the market for a long time, and we have already described its main features, so there is no point in repeating them. However, since that article was published, two new versions of Zlock have been released with a number of important features, and they are worth discussing, if only briefly.

First of all, it is worth noting the possibility of assigning several policies to a computer, which are applied independently depending on whether the computer is connected to the corporate network directly, via VPN, or is working offline. This makes it possible, in particular, to automatically block USB ports and CD/DVD drives when the PC is disconnected from the local network. In general, this feature increases the security of information stored on laptops, which employees may take out of the office for travel or to work at home.

The second new feature is giving employees temporary access to locked devices, or even groups of devices, over the phone. It works by exchanging secret codes generated by the program between the user and the employee responsible for information security. Notably, permission can be issued not only permanently but also temporarily (for a certain time or until the end of the session). This tool can be seen as a relaxation of the security system, but it increases the responsiveness of the IT department to business requests.

The next important innovation in the new versions of Zlock is control over the use of printers. Once it is set up, the protection system records all user requests to printing devices in a special log. But that is not all: Zlock keeps shadow copies of all printed documents. They are saved in PDF format and are a complete copy of the printed pages, regardless of which file was sent to the printer. This counters leaks of confidential information on paper when an insider prints out data in order to take it out of the office. Shadow copying of information written to CD/DVD discs has also appeared in the protection system.

An important innovation was the server component Zlock Enterprise Management Server. It provides centralized storage and distribution of security policies and other program settings and greatly facilitates the administration of Zlock in large and distributed information systems. Also worth mentioning is the product's own authentication system, which, if necessary, makes it possible to avoid relying on domain and local Windows users.

In addition, the latest version of Zlock has several less noticeable but still quite important functions: integrity control of the client module with the ability to block the user's login when tampering is detected, advanced options for deploying the security system, support for the Oracle DBMS, etc.

Zgate: Internet Leak Protection

Now for Zgate. As already said, this product is a system for protecting against leaks of confidential information via the Internet. Structurally, Zgate consists of three parts. The main one is the server component, which performs all data processing. It can be installed either on a separate computer or on nodes already operating in the corporate information system: an Internet gateway, a domain controller, a mail gateway, etc. This module in turn consists of three components: control of SMTP traffic, control of internal mail of a Microsoft Exchange 2007/2010 server, and Zgate Web (responsible for controlling HTTP, FTP and IM traffic).


The second part of the protection system is the logging server. It collects event information from one or more Zgate servers, processes it and stores it. This module is especially useful in large, geographically distributed enterprise systems, as it provides centralized access to all data. The third part is the management console. It uses the standard console for SecurIT products, so we will not dwell on it in detail; we only note that with this module the system can be managed not only locally but also remotely.

Management Console

The Zgate system can operate in several modes, and their availability depends on how the product is deployed. The first two modes involve working as a mail proxy server: the system is installed between the corporate mail server and the "outside world" (or between the mail server and the sending server, if they are separate). In this case, Zgate can either filter traffic (hold back violating and suspicious messages) or only log it (let all messages through but keep them in the archive).

The second deployment method uses the protection system together with Microsoft Exchange 2007 or 2010; for this, Zgate is installed directly on the corporate mail server. Here too, two modes are available: filtering and logging. There is also one more deployment option: logging messages from mirrored traffic. Naturally, to use it, the computer on which Zgate is installed must receive this mirrored traffic (usually arranged with network equipment).

Zgate operating mode selection

The Zgate Web component deserves a separate mention. It is installed directly on the corporate Internet gateway, where it gains the ability to control HTTP, FTP and IM traffic, that is, to process it in order to detect attempts to send confidential information through web mail interfaces and ICQ, or to publish it on forums, FTP servers, social networks, etc. A word about ICQ: many similar products can block IM messengers, but ICQ specifically is often missing from them, simply because it is in Russian-speaking countries that ICQ has become most widespread.

The principle of operation of the Zgate Web component is quite simple. Each time information is sent to any of the controlled services, the system generates a special message containing the information itself and some service data. It is sent to the main Zgate server and processed according to the configured rules. Naturally, the sending of information in the service itself is not blocked; that is, Zgate Web works only in logging mode. It cannot prevent individual data leaks, but it can quickly detect them and stop the activity of a deliberate or unwitting offender.

Recent research in the field of information security, such as the annual CSI / FBI Computer Crime And Security Survey, has shown that the financial losses of companies from most threats are decreasing year by year. However, there are several risks, the losses from which are increasing. One of them is the deliberate theft of confidential information or violation of the rules for handling it by those employees whose access to commercial data is necessary for the performance of official duties. They are called insiders.

In the vast majority of cases, the theft of confidential information is carried out using mobile media: CDs and DVDs, ZIP devices and, most importantly, all kinds of USB drives. It was their mass distribution that led to the flourishing of insider activity around the world. Managers of most banks are well aware of the threat if, for example, a database with their clients' personal data, or worse, the transactions on their accounts, falls into the hands of criminal structures. And they try to fight the possible theft of information with the organizational methods available to them.

However, organizational methods are ineffective in this case. Today it is possible to transfer information between computers using a miniature flash drive, a cell phone, an mp3 player, a digital camera... Of course, you can try to ban all these devices from being brought into the office, but this, firstly, will negatively affect relations with employees, and secondly, it is still very difficult to establish really effective control over people: a bank is not a "mailbox" (a closed, guarded facility). Even disabling all devices on computers that can be used to write information to external media (FDD and ZIP drives, CD and DVD drives, etc.) and USB ports will not help. After all, the former are needed for work, and various peripherals are connected to the latter: printers, scanners, etc. And no one can prevent a person from unplugging the printer for a minute, inserting a flash drive into the vacated port and copying important information to it. You can, of course, find original ways of protection. For example, one bank tried this method of solving the problem: they filled the junction of the USB port and the cable with epoxy resin, tightly "tying" the latter to the computer. But, fortunately, today there are more modern, reliable and flexible methods of control.

The most effective means of minimizing the risks associated with insiders is special software that dynamically manages all devices and computer ports that can be used to copy information. The principle of their work is as follows. Permissions to use different ports and devices are set for each user group or for each user individually. The biggest advantage of such software is flexibility. You can enter restrictions for specific types of devices, their models and individual instances. This allows you to implement very complex policies for the distribution of access rights.

For example, some employees can be allowed to use any printers and scanners connected to USB ports. All other devices inserted into this port will remain inaccessible. If the bank uses a user authentication system based on tokens, then in the settings you can specify the key model used. Then users will be allowed to use only devices purchased by the company, and all others will be useless.

Based on the principle of operation of the protection systems described above, you can understand what matters when choosing programs that implement dynamic blocking of recording devices and computer ports. First, versatility. The protection system should cover the entire range of possible ports and information input-output devices. Otherwise, the risk of commercial information theft remains unacceptably high. Secondly, the software in question should be flexible and allow rules to be created using a wide range of information about devices: their types, manufacturers, models, the unique numbers each instance has, etc. And, thirdly, the insider protection system should be able to integrate with the bank's information system, in particular with Active Directory. Otherwise, the administrator or security officer will have to maintain two databases of users and computers, which is not only inconvenient but also increases the risk of errors.
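An added Python model of the device-control policies described in this section and in the Zlock description above (connection-dependent policies, rules by device type, model or serial number, tokens of one approved model): this is illustrative code, not Zlock's policy format, and the rule fields, first-match evaluation and sample vendor and serial values are assumptions.

```python
from dataclasses import dataclass
from enum import Enum

# Added example of the rule model described above; Zlock's real policy format,
# field names and evaluation order are not on the page, so all of this is assumed.


class Connection(Enum):
    LAN = "corporate network"
    VPN = "vpn"
    OFFLINE = "offline"


@dataclass(frozen=True)
class Device:
    bus: str            # "usb" or "cdrom"
    kind: str           # "storage", "printer", "scanner", "token", ...
    vendor: str = ""
    model: str = ""
    serial: str = ""    # unique number of the physical instance


@dataclass
class Rule:
    """One permission line. A None field is a wildcard, so a rule can target a
    whole device class, one model, or a single physical instance by serial."""
    principals: frozenset       # user or group names the rule applies to
    decision: str               # "allow", "read_only" or "deny"
    bus: str = None
    kind: str = None
    vendor: str = None
    model: str = None
    serial: str = None

    def matches(self, device):
        return all(getattr(self, f) is None
                   or getattr(self, f).lower() == getattr(device, f).lower()
                   for f in ("bus", "kind", "vendor", "model", "serial"))


@dataclass
class Policy:
    rules: list
    default: str = "deny"       # anything not explicitly permitted is blocked

    def decide(self, user, groups, device):
        """First matching rule wins; otherwise the policy default (assumption)."""
        who = {user, *groups}
        for rule in self.rules:
            if rule.principals & who and rule.matches(device):
                return rule.decision
        return self.default


def decide(policies, connection, user, groups, device):
    """Pick the policy for the current connection state and evaluate it."""
    return policies[connection].decide(user, groups, device)


def sample_policies():
    """Constructed policy set illustrating the page's examples (not real data)."""
    everyone = frozenset({"Domain Users"})
    accounting = frozenset({"Accounting"})
    lan = Policy([
        # printers and scanners on USB are fine for accounting, nothing else is
        Rule(accounting, "allow", bus="usb", kind="printer"),
        Rule(accounting, "allow", bus="usb", kind="scanner"),
        # only the company-issued token model works; any other token stays blocked
        Rule(everyone, "allow", bus="usb", kind="token",
             vendor="ExampleVendor", model="CorpToken 2"),
        # one company-issued drive, identified by serial number, read-only for one user
        Rule(frozenset({"ivanov"}), "read_only", bus="usb", kind="storage",
             serial="SN-0001"),
    ])
    vpn = Policy([Rule(accounting, "allow", bus="usb", kind="printer")])
    offline = Policy([])        # laptop off the network: all USB and CD/DVD blocked
    return {Connection.LAN: lan, Connection.VPN: vpn, Connection.OFFLINE: offline}
```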

To effectively protect against insiders, first of all, it is necessary to ensure control over all communication channels - from an ordinary office printer to an ordinary flash drive and a mobile phone camera.

Insider protection methods:

  • hardware authentication of employees (for example, using a USB key or smart card);
  • auditing of all actions of all users (including administrators) on the network;
  • the use of powerful software and hardware to protect confidential information from insiders;
  • training of employees responsible for information security;
  • increasing the personal responsibility of employees;
  • constant work with personnel who have access to confidential information (briefing, training, checking knowledge of the information security rules and of the obligation to comply with them, etc.);
  • matching the level of salary to the level of confidentiality of the information (within reasonable limits!);
  • encryption of confidential data.

But the most important thing, of course, is the human factor: although a person is the weakest link in the security system, it is also the most important! The fight against insiders should not turn into total surveillance of everyone by everyone. The company must have a healthy moral climate, conducive to compliance with the corporate code of honor!

In the 2007 annual survey by the Computer Security Institute (CSI), security professionals identified three main problems they had to deal with during the year: 59% named insiders as the No. 1 threat, 52% viruses, and 50% the loss of mobile media (laptops, flash drives). Thus, in America the problem of insiders has for the first time overtaken the problem of viruses. Unfortunately, we do not have such figures for Russia, but there is reason to believe that the situation in our country is at least similar. For instance, at a round table on information leakage due to insider actions, held in October at the annual Aladdin conference, the results of a survey of system administrators of public institutions, known to have a low level of income, were announced. When asked how much they would sell confidential data for, only 10% of the respondents answered that they would never commit such an offence; about half were ready to take the risk for big money, and about 40% were ready to do it for any reward. As they say, no comment is needed. The main difficulty in organizing protection against an insider is that he is a legitimate user of the system and has access to confidential information by virtue of his duties. It is very difficult to track how an employee uses this access, within or outside his official authority. Consider the main tasks of combating insiders (see table).
