The Grinch – the state exam thief

Our “favorite” kind of story is an information security case for a very important system that no one except specialists knows about, told in a way that does not itself violate that information security. The GIS RIS GIA case is one of these.

The abbreviation GIS RIS GIA could well hide some unusual Vietnamese dish, but it stands for the state regional information system for those who have mastered the basic educational programs of basic general and secondary general education. If that doesn’t make it any clearer, it can be put even more simply: this is the information system for final school exams.

This year, digital technology provided information security for the RIS State Information Agency in St. Petersburg. This system is a segment of the federal information system and consists of two information systems independent of each other: RIS GIA-9 and RIS GIA-11. No, these are not serial numbers of versions, so you should not look for RIS GIA-1, -2, -3 and so on. The numbers 9 and 11 indicate basic general and secondary general education – that is, exams taken after grades 9 and 11. The operator of the regional system in the northern capital is the St. Petersburg Center for Assessment of the Quality of Education and Information Technologies.

It’s easy to talk about cases with unusual solutions and beautiful pictures. But what do you do when all services are strictly regulated and prescribed by law, and the subject itself is incredibly boring? After all, you must admit, no one likes to take exams. And from our teaching experience, we can add that receiving them is just a pleasure. You'll have to introduce a character. In our case, let it be the Grinch – the thief of state exams.

Information security for RIS GIA is implemented in three stages:

  1. Development of a draft threat model and a draft model of an information security violator, design of an information security system.

  2. Setting up information security tools.

  3. Carrying out certification.

Stages 2 and 3 consist of preparing various acts documenting the installation and configuration of protective equipment, as well as certification test reports. The bulk of the work lies in stage 1.

What are threat models and adversary models? Let's return to our Grinch. For every little Cindy Lou from Whotown who passes the exam, there is a Grinch. There are many reasons why he might want to steal state exams (that is, gain unauthorized access to an information system):

  • For example, the Grinch could be taking the exams himself – and doing poorly because he did not prepare. But he studied computer science well and decided to use his knowledge to penetrate the system and change his grade. And, while he is at it, change other people’s A’s to D’s.

  • Or the Grinch grew up a long time ago and is not interested in your grades: he is just in a bad mood and wants everyone else to be in a bad mood too, so he decided to erase all the data.

  • Perhaps the Grinch is a black market data merchant who wants to steal the personal data of schoolchildren in order to sell it at a higher price.

  • Perhaps the Grinch doesn’t even want to harm anyone, but, on the contrary, decided to make a list of those who studied well for Christmas in order to prepare gifts for them. But even in this case, he will still be a violator and a criminal.

The development of threat models specifically involves describing the profiles of potential attackers, as well as a catalog of possible threats to the security of personal data (PD). According to the law, such threats include a whole host of issues that may create a risk of violation of confidentiality, integrity and availability of information. They, in turn, can lead to unauthorized access, partial loss or complete destruction of important data.

There are three types of threats to the personal data information system (PDIS):

  • The most dangerous type is threats associated with the presence of undeclared capabilities in system software. For example, a loophole in the operating system.

  • The medium type is threats where such undeclared capabilities are found not in the system software, but in the application software.

  • The least dangerous type is threats that are not associated with undeclared capabilities in the system.

Undeclared capabilities are software functionality that is not described in the documentation or does not correspond to what is described there. They can be either a bug or a feature – that is, they can be accidental or left intentionally, for example, for future expansions of the system's capabilities. Finding such undeclared capabilities is like looking for Easter eggs in The Simpsons: you need to be very observant, know where to look and be able to do it quickly.

How is this kind of work done?

  • Step #1. Decomposition – you need to break the software down into its component parts and understand how it interacts with external objects – other applications and infrastructure. The work includes creating use cases, defining application entry points, etc.

  • Step #2. Defining and ranking threats – a search for the same three types of threats described above.

  • Step #3. Defining countermeasures and risk mitigation measures – a work plan in accordance with the basic threat model. Each risk can be accepted, eliminated or mitigated. That is, either decide that the impact is acceptable and leave everything as it is; or remove the components that make the vulnerability possible; or add elements that reduce the impact of the risk or the likelihood of its occurrence.

  • Step #4. Testing, certification and regulatory documentation. All work performed must be checked, certified and documented.
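The four steps above can be tracked as a small threat register. The sketch below is an added example, not code from the project described here: the component names, the threats and the rule that an accepted type 1 or type 2 threat needs sign-off are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    component: str       # a component from the Step 1 decomposition
    undeclared: bool     # does it rely on an undeclared capability?
    treatment: str = ""  # Step 3 decision: accept | eliminate | mitigate

# Constructed sample data: component -> software layer, plus made-up threats.
COMPONENTS = {"operating system": "system",
              "exam results app": "application",
              "legacy export module": "application"}
THREATS = [
    Threat("hidden OS service account", "operating system", True, "mitigate"),
    Threat("undocumented debug endpoint", "exam results app", True, "mitigate"),
    Threat("weak operator password", "exam results app", False, "accept"),
    Threat("unfiltered export path", "legacy export module", True, "eliminate"),
    Threat("unreviewed import format", "exam results app", False),
]

def threat_type(layer, undeclared):
    """The page's three types: 1 = system software, 2 = application, 3 = neither."""
    if not undeclared:
        return 3
    return 1 if layer == "system" else 2

def rank(threats, components):
    """Step 2: order threats from the most to the least dangerous type."""
    typed = [(threat_type(components[t.component], t.undeclared), t) for t in threats]
    return sorted(typed, key=lambda p: (p[0], p[1].name))

def review_plan(threats, components):
    """Steps 3-4: report threats whose treatment is missing or needs review."""
    findings = []
    removed = {t.component for t in threats if t.treatment == "eliminate"}
    for ttype, t in rank(threats, components):
        if t.component in removed and not t.treatment:
            continue  # the component is being removed, the threat goes with it
        if t.treatment not in ("accept", "eliminate", "mitigate"):
            findings.append(f"type {ttype}: '{t.name}' has no treatment decision")
        elif t.treatment == "accept" and ttype < 3:
            # Assumption of this example, not a rule stated on the page.
            findings.append(f"type {ttype}: '{t.name}' accepted, needs sign-off")
    return findings

if __name__ == "__main__":
    for ttype, t in rank(THREATS, COMPONENTS):
        print(ttype, t.name, "->", t.treatment or "UNDECIDED")
    print(review_plan(THREATS, COMPONENTS))
```

Running it lists the sample threats in ranked order and flags the one threat that still has no documented decision, which is the gap Step #4 is meant to catch before certification.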

As you can see, behind such an understandable and everyday part of our life as assessing the knowledge of graduates of general and secondary education, there is a great deal of invisible work by information security specialists. Let it remain that way, and let the Grinch keep his green paws away from state exams!
