Безопасность информационных технологий [Information Technology Security] (May 2023)
Conceptual foundations for assessing the level of security of automated systems based on their vulnerability
Abstract
The paper presents a conceptual framework for assessing the security level of automated systems based on their vulnerability. Regulatory standards, methodological recommendations and regulatory documents in the field of assessing and classifying vulnerabilities of information systems are analysed. From the analysis of the draft updates to these regulatory documents it is concluded that the terms "automated system" and "information system" are equivalent, which makes all requirements, recommendations, formal descriptions and other standardized provisions that apply to information systems applicable to automated systems as well. The process and causes of detecting vulnerabilities in an automated system, the formation of vulnerability sets, the definition of the basic vulnerability and the current vulnerability of an automated system, and the ways of eliminating these vulnerabilities are considered. The FSTEC of Russia method for assessing vulnerability criticality, which is based on the international CVSS 3.1 methodology, is examined; to simplify independent calculation of vulnerability criticality, the method is adapted and the CVSS 3.1 criticality assessment process is described in detail. A methodology for assessing the security level is proposed that analyses the vulnerability criticality of an automated system (the totality of the criticality of its vulnerabilities). Conclusions are drawn about the direction of further research: constructing a vulnerability-based security assessment model and a vulnerability prediction model.
Keywords