
From paper IS to practical. New order of the FSB on security monitoring


The legal information portal has published Order of the FSB dated May 11, 2023 No. 213 “On approval of the procedure for monitoring the security of information resources owned or used by federal executive authorities, the highest executive authorities of the constituent entities of the Russian Federation, state funds, state corporations (companies), other organizations created on the basis of federal laws, strategic enterprises, strategic joint-stock companies and backbone organizations of the Russian economy, and legal entities that are subjects of the critical information infrastructure of the Russian Federation”. The order was developed in pursuance of subparagraph c) of paragraph 5 of Decree 250.

What does the order require?

According to this order:

  1. Security monitoring is carried out by the 8th Center of the FSB.

    It is the 8th Center. Not NKTsKI, not GosSOPKA. Talk of the 8th Center bringing in external companies for this purpose does not hold up: the order allows no such possibility. The order also mentions territorial security agencies, but do they have the competence for this?

  2. Monitoring is limited to the perimeter of entities covered by Executive Order 250.

    I do not think that all 500+ thousand organizations will be assessed. Hardly even 100 thousand. Most likely they will focus on the most critical ones, those owning significant CII facilities.

  3. All organizations covered by the order must send the FSB information about their domains and external IP addresses, and about changes to them (as they are changed or added).

    On what basis the 500+ thousand organizations that fell under Decree 250 are supposed to send this data to the FSB, and how they are to find out about it, is not entirely clear. I cannot say this is a difficult requirement for those covered by the Decree (although not everyone knows everything they should about their own perimeter), but procedurally it does not yet look very clear. I would draft some form for this, to make the task easier to automate. Otherwise everyone will send this data in whatever format they like, and someone will then have to sort through it all. And if things are more or less clear for CII subjects (although they interact not with the 8th Center but with NKTsKI), what are the rest supposed to do?

  4. Monitoring is carried out continuously and consists of identifying publicly accessible services and vulnerabilities and assessing the security of organizations.

    The word “continuous” should still be treated with skepticism. Most likely the checks will take place at some interval. And note that this is not about information security monitoring, but about monitoring the level of protection (security posture).

  5. Blocking scanning is prohibited.

    This, of course, is interesting. What if my PT WAF and NGFW on the perimeter automatically block such attempts? Will this be treated as obstructing the work of the FSB? But I don’t know that it is the FSB scanning me (more on that below). And if I switch off the protections for the duration of the scan, I reduce my security for the sake of its assessment by the regulator. Or will the regulator indicate the addresses it will scan from after all? And if I disable scan blocking, I thereby demonstrate an inability to counter threats, which leads to an instruction from the FSB (see below).

  6. Security assessment is carried out without warning from the FSB.

    Interestingly, for the scanned organization such a security assessment will look like an incident. Recall that according to FSB requirements, scanning of an information resource, as well as attempts to exploit vulnerabilities, are incidents that must be reported to GosSOPKA. Maybe the FSB wants to check in this way how well companies’ incident monitoring process is built, by comparing those who were scanned with those who reported it? The main thing is that information resources must not be knocked out of service during scanning; otherwise this is already Article 274.1, and the CII subject has every right to go to court. It would be awkward if the investigation showed that the damage to the CII object was caused by those called upon to protect CII.

  7. Security assessment is carried out on the basis of a plan approved by the head of the 8th Center of the FSB. Extracts from it are sent to those who will be assessed, with notification two weeks before the start of the assessment. Will it indicate the start and end dates of the scan (and the IP addresses it will come from)?

    The plan, as usual, is not public. And it will apparently be drawn up once a year (the order calls it annual in one place). If I am warned two weeks before the start of the security assessment (clause 12), then why write that scanning is done without warning (clause 10)?

  8. If, as a result of the security assessment, the organization’s resources fail, this must be reported in the manner specified by the order.

    The FSB must be informed in writing of the failure of a scanned resource within two hours. But how do you tell whether you are being DDoSed and the site went down, or the 8th Center was checking you and the site went down because of a clumsy configuration that did not survive the check (you are not warned about the check)?

  9. If, based on the results of the security assessment, the organization’s resources are found unable to withstand IS threats, the FSB issues an instruction to ensure the security of information resources.

    I wonder what the status of these instructions is (they are not even recommendations)? How do they relate to the FSTEC requirements for protecting GIS/ISPDn/ZOKII/APCS/ISOPK? And what is the liability for ignoring or violating both this instruction and the order in general?

  10. On the one hand, vulnerability identification is carried out remotely (clause 10 of the order); on the other hand (clause 13), FSB hardware and software systems may be connected to the analyzed information resources. Moreover, the connection may be remote or on the premises of the analyzed organization.

    What are these hardware and software complexes (PAKs)? What do they do? What do they collect? So far there is no information about these “black boxes” or how they are used. Perhaps they are NTA or intrusion/attack detection (SOV/SOA) class solutions?

Why security monitoring?

Here, of course, the history of relations between our information security regulators surfaces again. Historically, security control (analysis) has been and still is handled by FSTEC. This requirement has been spelled out starting from Order 17 on protecting GIS, and then it found its way into all of the regulator’s regulatory acts. In recent years FSTEC has generally been very active in security assessment. Just the other day it approved the “Guidelines for organizing the vulnerability management process in a body (organization)”. So I would consider FSTEC the main regulator in setting requirements for assessing security. But…

It is one thing to set requirements, and quite another to ensure that they are implemented and that customers actually reduce the number of vulnerabilities in their systems, which would raise the level of security. This topic was recently picked up by the Ministry of Digital Development, which in Decree 250 first demanded an assessment of the real security of 72 large companies, and then introduced a similar requirement in Government Decree 860. It even developed and posted on its site a standard terms of reference for work on assessing the level of security of information infrastructure. Then the Ministry of Digital Development set an example for everyone by placing the public services portal and ESIA on bug bounty platforms. True, so far it has stopped there: the Ministry does not for now plan to include a bug bounty requirement in PP-676.

But what the Ministry of Digital Development is doing in the public sphere is so far a one-off or discrete story, with a long period between assessments of the security level. Yet the security level of organizations needs to be monitored regularly, even continuously, identifying unpatched vulnerabilities and unclosed or poorly configured services, at least on the perimeter. Organizations do not really want to do this themselves: either they don’t know how, or they say there is no problem. So, in order not to rely on the companies themselves, the Ministry of Digital Development wanted to take on this topic: at the recent CISO Forum, Vladimir Bengin, Director of the Cybersecurity Department of the Ministry of Digital Development, mentioned a “Russian Shodan” that would scan the Russian address space for vulnerable resources. And such a “Russian Shodan” appeared; it was presented at PHDays. CyberOK developed the Rooster scanner, which was supposed to perform this task: look for vulnerabilities on the perimeter, identify misconfigured services, and so on.

But since GosSOPKA is entrusted by law with the task of security monitoring, it is logical that the FSB got involved, and now we see the result: a new order that speaks not of setting requirements for security analysis, not of a one-off check, but of continuous monitoring. At the same time, the FSB will not wait for data from the organizations themselves, but will “probe” them on its own initiative and without warning.

It turns out that the three regulators in this case do not contradict or conflict with each other, but complement one another. If you do not want FSB instructions over poor security, follow FSTEC’s recommendations. If you want budget funding from the Ministry of Digital Development, follow the regulator’s digitalization practices. Everything seems logical. Although the regulators themselves may not see it that way; each of them would like to be the top security reviewer. But for now we have a three-headed dragon. The main thing is that it can soar rather than crawl along the ground, and that its arms are long enough 🙂

Three-Headed Dragon Security Rating

What to do?

A legitimate question. Since the regulators have taken security analysis seriously, there are a few things worth doing:

  1. Assess your current vulnerability management process. For comparison, you can look at the results of a study of this issue in Russian companies in 2020 and 2022 (see below).
  2. Conduct a security analysis before you are checked by the FSB, FSTEC and Mintsifra. At a minimum you can use security scanners or BAS-class solutions, or you can order a pentest.
  3. Make sure the security analysis does not reveal a deplorable state of your perimeter (at the very least). That is, update and securely configure the website and perimeter network equipment, install a WAF and NGFW on the perimeter, and so on.
  4. Build a vulnerability management process in the organization.

I think many of the questions raised in this note about the FSB order will be resolved in the course of enforcement practice.

Summing up

A year ago I wrote a note about the lessons of cyber warfare and the fact that, despite the start of the special operation, including in cyberspace, our regulators live as they did in the last century. It is time to admit that the situation has moved off dead center and our security is becoming more and more practical rather than paper. Yes, not all regulators can boast of this. Yes, mandatory paper requirements have not yet been abandoned. But there is a movement towards practical cybersecurity. Increasingly, it is not about protection measures, but about the processes for implementing them. It remains for our domestic regulators to realize this, and for customers themselves to start thinking proactively about their security, before the FSB, FSTEC and Mintsifra think for them.

Useful links

The note “From paper IS to practical. New order of the FSB on security monitoring” was first published on Business without danger.
