Методика обоснования тестовых информационно -технических воздействий, обеспечивающих рациональную полноту аудита защищенности объекта критической информационной инфраструктуры

Abstract

Relevance. Security issues of information systems in critical infrastructure objects become important now. However, current tasks of information security audit of critical infrastructure objects are mainly limited to checking them for compliance with requirements of standards and documents. With this approach to the audit, security of these objects from real attacks by hackers remains unclear. Therefore, objects are subjected to a testing procedure, namely, penetration testing, in order to objectively verify their security. An analysis of publications in this area shows that there is not mathematical approaches to selection of test cyber attacks for penetration testing set. The goals of the paper is to form the selection method of test cyber attacks that ensure the rational completeness of the security audit of a critical information infrastructure object. Research methods. Methods of probability theory and mathematical statistics, methods of graph theory and set theory are used in the paper to achieve the research goals. Results. The Select Method of test cyber attacks for security audit of a critical information infrastructure object with rational completeness is presented in the paper. This method formalizes the selection process in the form of a two-stage procedure. At the first stage, based on the topological model of the object testing, a set of testing paths is formed, and these paths are ordered by the degree of weight increase. The path weight is the efficiency/cost indicator that takes in account the test resource for realized of a test cyber attack, the vulnerability of an object element, and the level of damage caused to the element by this test cyber attack. At the second stage of the method, from an ordered set of test paths are selected of such, which would ensure the maximization of the whole absolute cost of the detected damage, within the limits on the resource making of test cyber attacks. It is using of this method in audit practice will allow us to justify the most effective test cyber attacks according to the “efficiency/cost” criterion, as well as to form test sets that will ensure the rational completeness of the audit of the critical infrastructure object.