Безопасность информационных технологий (Sep 2022)

Methodological aspects of penetration testing automation for significant objects of critical information infrastructure

  • Victor S. Gorbatov,
  • Dmitriy A. Dyatlov,
  • Aleksander N. Ryzhikov

DOI
https://doi.org/10.26583/bit.2022.3.08
Journal volume & issue
Vol. 29, no. 3
pp. 94 – 104

Abstract

The paper examines the existing regulatory and methodological framework that determines the importance of penetration testing, as well as the main methods of testing significant objects of critical information infrastructure (CII). Ensuring the security of significant CII facilities so that they operate sustainably is a high-priority task of state regulation in the field of information security in Russia. A separate line of organizational and legal support for the safety of CII has now been formed on the basis of the corresponding new regulatory framework. Much less attention is paid to the instrumental (technical) support of this line of work, since CII objects are, from a technological point of view, traditional means of information technology. Given the current uneasy international situation, timely instrumental detection and identification of numerous vulnerabilities makes it possible to improve the security of critical information infrastructure. Existing methods of conducting a security audit, and of testing the protection of CII objects against penetration threats, have certain drawbacks: they are laborious, carry large time and material costs, and suffer from an acute shortage of qualified specialists. A fairly obvious, although very complex, way to solve this problem is to automate the penetration testing process as an important part of the measures that ensure the safety of significant CII objects. The main purpose of the study is to identify the methodological aspects of creating an automated software complex for penetration testing, based on an analytical review of the main approaches and ways to implement this task. As a result of the study, the main methodological aspects of this problem have been determined, including features specific to CII objects. The results obtained can be used to develop similar security software systems for any objects of informatization.

Keywords