Model of Security Audit of a Critical Information Infrastructure Object with Use the Test Cyber Attacks

 The article presents a model for auditing the security of a critical information infrastructure object by test information and technical influences. This model formalizes an object in the form audit process of a multilevel topological model, the individual levels of which correspond to: resource costs for impacts, test information and technical impacts, vulnerabilities, object elements and damage levels. The use of this model in audit practice will make it possible to substantiate the most effective impacts on the basis of the “efficiency / cost” criterion, as well as form test suites that will ensure the rational completeness of the audit of a critical infrastructure facility. 

1. Makarenko S.I. Audit of Information Security - the Main Stages, Conceptual Framework, Classification of Types. Systems of Control, Communication and Security. 2018;1:1-29 (in Russ.) DOI:10.24411/2410-9916-2018-10101

2. Makarenko S.I. Security audit of critical infrastructure with special information impacts. Monograph. Saint Petersburg: Naukoemkie tehnologii Publ.; 2018. 122 p. (in Russ.)

3. Kashaev T.R. Algorithms for Active Audit of the Information System Based on Artificial Immune System Technologies. PhD Thesis. Ufa: Ufa State Aviation Technical University Publ.; 2008. 19 p. (in Russ.)

4. Markov A.S., Tsirlov V.L., Barabanov A.V. Methods of Compliance of Information Security. Moscow: Radio i Sviaz Publ.; 2012. 192 p. (in Russ.)

5. Skabtsov N. Security Audit of Information Systems. Saint Petersburg: Piter Publ.; 2018. 272 p. (in Russ.) 6. Penetration Testing. Procedures & Methodologies. EC-Council Press; 2011. 237 p.

6. Kennedy D., O’Gorman J., Kearns D., Aharoni M. Metasploit. The Penetration Tester’s Guide. San Francisco: No Starch Press; 2011. 299 p.

7. Makan K. Penetration Testing with the Bash shell. Birmingham: Pact Publishing; 2014. 133 p.

8. Cardwell K. Building Virtual Pentesting Labs for Advanced Penetration Testing. Birmingham: Pact Publishing; 2016. 518 p.

9. Makarenko S.I. Information Weapon in Technical Area – Terminology, Classification and Examples. Systems of Control, Communication and Security. 2016;3:292-376. (in Russ.) DOI:10.24411/2410-9916-2016-10311

10. Makarenko S.I. Problems and Prospects for the Use of Cyber Weapons in Today's Network-Centric Warfare. Specialized Machinery and Communication. 2011;3:41‒47. (in Russ.)

11. Makarenko S.I., Smirnov G.E. Analysis of Penetration Testing Standards and Methodologies. Systems of Control, Communication and Security. 2020;4:44‒72. (in Russ.) DOI:10.24411/2410-9916-2020-10402

12. Klimov S.M. Imitating Models of Testing the Critically Important Information Objects in the Conditions of Computer Attacks. Izvestiya SFedU. Engineering Sciences. 2016;181(8):27‒36. (in Russ.)

13. Klimov S.M., Sychev M.P. Poster polygon for training and testing facilities in the field of information security. Information counteraction to the terrorism threats. 2015;24:206‒213. (in Russ.)

14. Petrenko A.A., Petrenko S.A. Cyber education: methodical recommendations ENISA. Voprosy kiberbezopasnosti. 2015;11(3):2‒14. (in Russ.)

15. Boyko A.A., Djakova A.V. Method of Developing Test Remote Information-Technical Impacts on Spatially Distributed Systems of Information-Technical Tools. Informatsionno-upravliaiushchie sistemy. 2014;70(3):84‒92. (in Russ.)

16. Boyko A.A., Djakova A.V. Hramov V.Ju. Methodological Approach to the Development of Test Methods for Remote Information Technology Impact on Spatially Distributed Systems of Information Technology Tools. Cybernetics and high technologies of the XXI century XV international scientific and technical conference. Voronezh: SAKVOEE Publ.; 2014. p.386‒395 (in Russ.)

17. Boyko A.A., Obushenko E.Y., Shcheglov A.V. About synthesis of a full set of test methods of remote information-technical impacts on spatially distributed systems of information-technical tools. Proceedings of Voronezh State University. Series: Systems analysis and information technologies. 2017;2:33‒45. (in Russ.)

18. Baranova E.K., Hudyshkin A.A. Features of Information System Security Analysis by Penetration Testing. Proceedings of the international scientific school on Modeling and analysis of security and risk in complex systems, MABR-2015]. 2015. p.200‒205 (in Russ.)

19. Baranova E.K., Chernova M.V. Comparative analysis of programming tools for cybersecurity risk assessment. Information Security Problems. Computer Systems. 2014;4:160‒168 (in Russ.)

20. Begaev A.N., Begaev S.N., Fedotov V.A. Penetration testing. Saint Petersburg: Saint Petersburg National Research University of Information Technologies Mechanics and Optics Publ.; 2018. 45 p. (in Russ.)

21. Bogoras A.G., Peskova O.Y. Methodology for testing and assessment of firewalls. Izvestiya SFedU. Engineering Sciences. 2013;149(12):148‒156. (in Russ.)

22. Dorofeev A. Penetration Testing: Demonstration of One Vulnerability or an Objective Security Assessment? Zaŝita informacii. Inside. 2010;36(6):72‒73. (in Russ.)

23. Umnitsyn M.Y. Approach to semi-natural security evaluation of information system. Izvestia VSTU. 2018;218(8): 112‒116 (in Russ.)

24. Borodin M. K., Borodina P. Ju. VGATE R2 Information Security Penetration Testing. Regional'naja informatika i informacionnaja bezopasnost [Regional Informatics and information security]. Saint Petersburg, 2017. p.264‒268 (in Russ.)

25. Poltavtseva M.A., Pechenkin A.I. Data mining methods in penetration tests decision support system. Information Security Problems. Computer Systems. 2017;3:62‒69. (in Russ.)

26. Kadan A.M., Doronin A.K. Cloud infrastructure solutions for penetration testing. Uchenye zapiski ISGZ. 2016;14(1): 296‒302. (in Russ.) 28. Eremenko N.N., Kokoulin A.N. Research of methods of penetration testing in information systems. Master's Journal. 2016;2:181‒186 (in Russ.)

27. Tumanov S.A. Penetration testing tools for information systems. Proceedings of Tomsk State University of Control Systems and Radioelectronics. 2015;36(2):73‒79. (in Russ.)

28. Kravchuk A. V. The model of process of remote security analysis of information systems and methods of improving it's performance. SPIIRAS Proceedings. 2015;38(1):75‒93. (in Russ.)

29. Gorbatov V.S., Meshcheryakov A.A. Comparative analysis of computer network security scanners. IT Security. 2013;20(1):43‒48. (in Russ.)

30. Pfleeger C.P., Pfleeger S.L., Theofanos M.F. A methodology for penetration testing. Computers & Security. 1989;8(7): 613‒620.

31. McDermott J. P. Attack net penetration testing. NSPW. 2000:15‒21.

32. Alisherov F., Sattarova F. Methodology for penetration testing. International Journal of Grid and Distributed Computing. 2009:43‒50.

33. Ami P., Hasan A. Seven phrase penetration testing model. International Journal of Computer Applications. 2012;59(5):16‒20.

34. Holik F., Horalek J., Marik O., Neradova S., Zitta S. Effective penetration testing with Metasploit framework and methodologies. 2014 IEEE 15th International Symposium on Computational Intelligence and Informatics (CINTI). IEEE; 2014. p.237‒242. DOI:10.1109/CINTI.2014.7028682

35. Herzog P. Open-source security testing methodology manual. Institute for Security and Open Methodologies (ISECOM). 2003. Available from: https://untrustednetwork.net/files/osstmm.en.2.1.pdf [Accessed 12th February 2021]

36. Makarenko S.I. Stability method of telecommunication network with using topological redundancy. Systems of Control, Communication and Security. 2018;3:14‒30. (in Russ.) DOI:10.24411/2410-9916-2018-10302

37. Tsvetcov K.U., Makarenko S.I., Mikhailov R.L. Forming of Reserve Paths Based on Dijkstra‘s Algorithm in the Aim of the Enhancement of the Stability of Telecommunication Networks. Informatsionno-upravliaiushchie sistemy. 2014:69(2):71–78. (in Russ.)

38. Makarenko S.I., Kvasov M.N. Modified Bellman-Ford Algorithm with Finding the Shortest and Fallback Paths and its Application for Network Stability Improvement. Infocommunikacionnye tehnologii. 2016;14(3):264–274. (in Russ.) DOI:10.18469/ikt.2016.14.3.06

39. Makarenko S.I. Hierarchical Clustering of Telecommunication Network to the Independent Routing Areas for the Purposes to Ensure Stability. Proceedings of Telecommunication Universities. 2018;4(4):54-67. (in Russ.) DOI:10.31854/1813324X-2018-4-4-54-67

40. Makarenko S.I. Area localization of destabilizing factors influence in communication network on the basis of LanceWilliams algorithm of hierarchical clustering. Radio and telecommunication systems. 2014;4:70‒77. (in Russ.)

41. Avetisyan A.I., Belevantsev A.A., Chucklyaev I.I. The technologies of static and dynamic analyses detecting vulnerabilities of software. Voprosy kiberbezopasnosti. 2014;4(3):20‒28 (in Russ.).

42. Myasnikov A.V. Building information system model for application in penetration testing automation problem. Information Security Problems. Computer Systems. 2020;3:32‒39 (in Russ.).