The article deals with information security risks in accordance with the basis of the type of impact on equipment and systems, The legal basis for the second direction of information security, protection of information, information resources, information systems, information security are governed, Protection of information systems against potential threats "fifth column". Thus, to ensure effective protection against internal information security violators. The use of non-certified information systems, databases and data banks, as well as non-certified means of information protection.
should the current situation. What is the State of affairs in the industry? First of all, the information technology industry is growing. According to Forrester Research, the number of Internet-connected devices in 2010 year 14 million. According to Information Week today 35 million already exists. remote users and 65% found Netcraft the number of web sites.
Let us now see the industry through the prism of it security. According to well-known organizations by the FBI, CSI (Computer Security Institute) and 90% of CERT: systems proved to be vulnerable; timely detected only 85% of malicious code entering the system; 95% of all security breaches are caused by incorrect configuration.
There is a question: "what to do with the configuration in this case?". Let's again turn to statistics, this time statistics of vulnerabilities. The market has already formed an opinion, that the largest number of vulnerabilities is contained in the Microsoft. Bet this is difficult, but it is not so easy.
Here are a number of vulnerabilities in various operating systems during the first 6 months of 2003 year.
If to be exact to the end, you should remember that the 2003 year has brought a very powerful epidemic malicious codes (Code Red, SQL Slammer, etc.), so the representatives of corporate business, built its infrastructure at Microsoft, have suffered multibillion-dollar losses. Thus, users of Microsoft consider the task of ensuring it security as a primary, and availability-as secondary.Statistics are presented for the year 2003, since at this point the number of vulnerabilities in Microsoft Windows, almost brought the number of security holes in Linux, and sometimes (or, according to some methods of calculation) even less. It is logical to assume that this is a direct effect of the Trustworthy Computing initiative (more on this below, we'll also encourage you to read the complete article on this topic/online.shtml? articles/software/os/12461).
Look now at more recent data. For example, the statistics for SANS summarizing the most dangerous exploits in the first quarter of the year 2005:
Windows License Logging Service Overflow (MS05-010)
Microsoft Server Message Block (SMB) Vulnerability (MS05-011)
Internet Explorer Vulnerabilities (MS05-014 and MS05-008)
Microsoft HTML Help ActiveX Control Vulnerability (MS05-001)
Microsoft DHTML Edit ActiveX control Remote Code Execution (MS05-013)
Microsoft Cursor and Icon Handling Overflow (MS05-002)
Microsoft PNG File Processing Vulnerabilities (MS05-009)
Computer Associates License Manager Buffer Overflows
Dns Cache Poisoning Vulnerability
Multiple Antivirus Buffer Overflow Vulnerabilities In The Products
Oracle Critical Patch Update
Multiple Media Player Buffer Overflows (RealPlayer, Winamp and iTunes)
It's easy to see that more than half of all vulnerabilities (and this is the most dangerous representatives) fall into Microsoft products. However, we recommend you to remember the old adage "there is truth, there is a lie, and there are statistics", and of all the above data to make the following point. Virtually all operating systems and server products, in varying degrees, vulnerable, but it is not necessary to shift the blame for it on a specific product; You should learn to use the solution effectively and to ensure its own security.
When we say that try to provide complete security or working on ensuring the security of information systems, the mean of three components: technology, processes and people.
should the current situation. What is the State of affairs in the industry? First of all, the information technology industry is growing. According to Forrester Research, the number of Internet-connected devices in 2010 year 14 million. According to Information Week today 35 million already exists. remote users and 65% found Netcraft the number of web sites.
Let us now see the industry through the prism of it security. According to well-known organizations by the FBI, CSI (Computer Security Institute) and 90% of CERT: systems proved to be vulnerable; timely detected only 85% of malicious code entering the system; 95% of all security breaches are caused by incorrect configuration.
There is a question: "what to do with the configuration in this case?". Let's again turn to statistics, this time statistics of vulnerabilities. The market has already formed an opinion, that the largest number of vulnerabilities is contained in the Microsoft. Bet this is difficult, but it is not so easy.
Here are a number of vulnerabilities in various operating systems during the first 6 months of 2003 year.
If to be exact to the end, you should remember that the 2003 year has brought a very powerful epidemic malicious codes (Code Red, SQL Slammer, etc.), so the representatives of corporate business, built its infrastructure at Microsoft, have suffered multibillion-dollar losses. Thus, users of Microsoft consider the task of ensuring it security as a primary, and availability-as secondary.
Most people, in one way or another it-related industry, know what is "technology". We buy products (hardware or software) that implement the technology, and use them. However, technologies are problems: lack of certain safety features, holes and errors in products, difficulties in ensuring interaction between two or more components, and also some details not covered by the relevant standard.
With people all in the clear. It is difficult to dispute the fact that the actions of people depends on the security of your IT infrastructure. Meanwhile, known for a term such as "the human factor", faced with incompetence, incompetence and lack of experience.
While ensuring it security is often forgotten third component processes, which, in fact, necessary for the effective interaction between technology and people, as well as to create a secure it infrastructure. To processes could include designing applications taking into account the requirements of the it security audit, validation, role, responsibility, etc.
Summing up the first chapter can be summarized that ensuring it security must include proper use of all three components (technology + people + processes), at the same time shift the blame for the gaps in its infrastructure at the manufacturer alone. Let us now see how Microsoft addresses the issue of it security.