Method for Determining the Potential of an Information Security Intruder and Realizable Software Vulnerabilities
https://doi.org/10.31854/1813-324X-2021-7-2-95-101
Abstract
Currently, many methodological documents have been developed that regulate approaches to the development of information security threat models for information systems that process information of a different nature. Information security regulators propose different methods of threat development and intruder model building, depending on the direction of their activity. To support decision-making in the process of threat modeling, a databank of information security threats has been developed. However, there are a number of contradictions in existing approaches, and the methods for identifying threats and building an intruder model in most cases require the involvement of experts to assess the factors and conditions under which threats emerge. The existing methods establish no relationship between the information security intruder and software vulnerabilities in information systems, which does not allow an adequate threat model to be built without the involvement of qualified experts. The purpose of this work is to determine the potential of an information security intruder depending on its capabilities, and to assess the impact of this potential on the realization of software vulnerabilities in information systems.
About the Author
R. V. Zhuk
Krasnodar, 350063, Russian Federation
For citation:
Zhuk R.V. Method for Determining the Potential of an Information Security Intruder and Realizable Software Vulnerabilities. Proceedings of Telecommunication Universities. 2021;7(2):95-101. (In Russ.) https://doi.org/10.31854/1813-324X-2021-7-2-95-101