Information Security Incidents Research Articles

Current Tasks in Identifying Invalid Events in Critical Information Infrastructure

The purpose of the study is to develop an approach for identifying and processing invalid events in critical information infrastructure (CII) based on the concepts of taxonomy and categorization. The approach aims to improve the efficiency of identifying, classifying, and managing information security (IS) incidents. The article addresses the current tasks of ensuring the required level of CII protection and minimizing the negative consequences of information security incidents resulting from invalid events. The identification of these events is associated with the complexity of detecting such events, the need to process large volumes of data, insufficient speed in detecting IS events, as well as technological limitations.The relevance of identifying and classifying invalid events in information security, especially for CII, is driven by the need for timely detection and response to incidents that could lead to negative consequences. Understanding the nature and characteristics of such events allows for effective system protection and prevention of significant damage. To enhance the effectiveness of ensuring security, it is necessary to identify the class of invalid events among the numerous information security events by considering the characteristics that define invalid events.The novelty of the proposed approach lies in solving the task of identifying the class of invalid information security events based on taxonomy methods, involving the use of event categorization tools with the attributes of invalid events.Materials and methods. The approach to identifying invalid events in CII, based on the principles of information security event taxonomy, was used to solve the task. It was shown that identifying invalid information security events is directly related to solving the problem of searching for and analyzing their attributes, which represent the characteristics or parameters used to describe and classify security incidents. Based on the key principles of taxonomy, a model of the structure of the set of invalid events was developed to determine the characteristics that can be the basis for classifying invalid events. The process of identifying invalid information security events includes a sequence of stages: taxonomy, categorization, and classification, with appropriate methods and tools implemented at each stage.Results. Approaches to identifying invalid events in CII have been analyzed. Problems related to large data volumes, the complexity of event processing, the considerable time required for their detection, and technological limitations were considered. It was shown that the concept of taxonomy and categorization allows for effective identification and classification of information security incidents, ensuring efficient processing and response. The feasibility of applying taxonomy for describing and identifying the attributes of invalid events was justified, contributing to the development of effective protection strategies and improving security levels. A generalized scheme for processing invalid events was proposed, including a set of interconnected stages of identification, categorization, impact assessment, response, documentation, and analysis. An algorithm for structured description and classification of incidents was developed, allowing for more accurate and timely responses to information security threats.Conclusion. The results obtained increase the effectiveness of solving the task of classifying information security incidents by identifying invalid events, which reduces the level of negative consequences of incidents and enhances the security of CII objects.

VIRTUAL SIMULATOR FOR PROCESSING CONFIDENTIAL INFORMATION ON PHYSICAL MEDIA

Acquiring digital competencies is an important area in modern education. Using and applying digital tools and technologies allows to increase the level of students' competencies. A modern digital solution based on virtual reality technology is proposed. The virtual simulator is a set of interactive models in a three-dimensional virtual space, allowing to implement scenarios of interaction between users and special software for the practical application of information security tasks. An overview of existing virtual simulators and justification for the choice of software and processes for processing confidential information on physical media are provided. Digital competencies are an important area in modern education. A modern digital solution based on virtual reality technology is proposed. The virtual simulator is designed and represents a set of interactive models in a three-dimensional virtual space, allowing to implement scenarios of interaction between users and special software for the practical application of information security tasks. Experimental studies were conducted on working with the virtual simulator. Testing of the simulator confirmed its operability. The virtual simulator can be used by both practitioners in the field of information security software operation. In the future, it is planned to refine the simulator in terms of developing augmented reality scenarios and modeling information security incidents. The implementation of the virtual simulator is described. Statistical data on the results of the experiment are provided. On average, the training result using the simulator increased by 35,8 %.

Architecture of the Information Security Incident Management System at Oil and Gas Enterprises

Architecture of the Information Security Incident Management System at Oil and Gas Enterprises

IDENTIFICATION OF ASSOCIATIVE RULES IN THE BEHAVIOUR OF AUTOMATED SYSTEMS INFORMATION SECURITY INTRUDERS

An approach based on the use of one of the varieties of affinity analysis – associative rule search, which allows to identify associative rules in the use of various methods of port scanning and operating system characterization by intruders of information security of automated systems is proposed. The mechanism of associative rule search using the scalable apriori algorithm is described. The basic concepts and an example of application of this mechanism with calculation of necessary characteristics such as support, confidence and lift were considered. The obtained associative rules will enable information protection specialists to be better oriented in the nature of actions of information security violators of automated systems and will become the basis for making informed managerial decisions on improving the existing or building a new information protection system, more effective response to information security incidents.

Criteria and indicators for assessing the quality of the investigation of an information security incident as part of a targeted cyberattack

Criteria and indicators for assessing the quality of the investigation of an information security incident as part of a targeted cyberattack

Evaluating the status of information security management in faculty libraries: a case study of Allameh Tabatabai University

ABSTRACT Aim This study aims to evaluate the status of Information Security Management in Faculty Libraries at Allameh Tabatabai University, Tehran, Iran. This study is based on the standard of ISO/IEC 27,002. Method The research method is a descriptive survey. Data was collected through a researcher-made questionnaire based on the ISO/IEC standard 27,002 which includes 11 main indicators and 39 sub-components. The statistical population of this study is 45 main and middle managers of faculties’ libraries of Allameh Tabatabai University located in Tehran (Faculties of Law, Psychology and Educational Sciences, Management and Accounting, Physical Education, Literature and Foreign Languages, Communication Sciences, Economics, Social Sciences, Mathematical and Computer Sciences). Due to the limited statistical population, sampling was not performed. Data analysis was done using descriptive statistics, inferential, and SPSS software. Findings The average score of information security management performance in the faculty libraries of Allameh Tabatabaei University located in Tehran according to ISO/IEC27002 is above average. Examination of the average scores of performance evaluation indicators of faculty libraries of Allameh Tabatabai University showed that four indicators including Information Security Management Policy, Information Security Incident Management, Cryptography, and Security Supplier Relationships are not in a favorable situation and need attention from the relevant managers. In other indicators, the performance of faculty libraries is at the desired level. Conclusion The results show a desirable level of information security management in the faculty libraries of Allameh Tabatabai in Tehran. However, some indicators, such as Information Security Policies, Information Security Incident Management, Cryptography, and Supplier Relationships, are still weaker. Therefore, to achieve security goals some suggestions are provided.

A framework for detection and mitigation of cyber criminal activities using university networks in Kazakhstan

Abstract. The increasing number of information security incidents in higher education underscores the urgent need for robust cybersecurity measures. This paper proposes a comprehensive framework designed to analyze the illegal use of internet resources in university networks in Kazakhstan. The subject of this article is the detection and mitigation of cybercriminal activities using university networks in Kazakhstan. The goal is to develop a comprehensive framework that integrates multiple educational organizations to enhance collaborative security efforts by monitoring network activity and categorizing texts using machine learning techniques. The tasks to be solved are: to formalize the procedure of integrating multiple educational organizations into a collaborative cybersecurity framework; developing a log analysis tool tailored for monitoring network activities within university networks; creating a novel dictionary of extremist terms in the Kazakh language for text categorization; to implement advanced machine learning models for network traffic classification. The methods used are: log analysis tools for real-time monitoring and anomaly detection in network activities, Natural language processing (NLP) techniques to develop a specialized dictionary of extremist terms in Kazakh, Machine learning models to classify network traffic and detect potential cyber threats, and collaborative architecture design to integrate network security efforts across multiple institutions. The following results were obtained: a comprehensive log analysis tool was developed and implemented, providing real-time monitoring of network activities in university networks; a dictionary of extremist terms in Kazakh was created, facilitating the categorization and analysis of texts related to potential security threats; advanced machine learning models were successfully applied to classify network traffic, enhancing the detection and mitigation of cyber threats; and an experimental architecture integrating multiple educational organizations was established, fostering collaborative efforts in cybersecurity. Conclusions. The scientific novelty of the results obtained is as follows: 1) a robust framework for collaborative cybersecurity in educational institutions was developed, leveraging log analysis and machine learning techniques; 2) the creation of a specialized dictionary of extremist terms in Kazakh significantly improved the accuracy of text categorization related to cybersecurity; 3) the application of advanced machine learning models to network traffic classification provided a methodological approach to effectively managing and securing network infrastructure effectively; 4) the experimental architecture demonstrated the potential for enhanced security through collaboration among educational organizations, offering strategic recommendations for improving information security in academic environments. The outcomes of this research contribute to the broader cybersecurity field by providing a structured approach to detecting and mitigating cyber threats in educational contexts. The proposed framework has potential applications extending to global security frameworks, aiming to foster a safer internet usage environment and reduce the risks associated with cyber threats and unauthorized data access.

Organization of response to information security incidents

Objective. Development of practical recommendations for creating an effective information security incident response system. Method. The article includes an analysis of existing methods and tools for detecting and analyzing information security incidents, as well as a study of the consequences of such incidents and their impact on the work of a company or organization. Result. Development of a set of practical recommendations aimed at creating an effective information security incident response system. During the analysis of existing methods and tools for the detection and analysis of information security incidents, the most effective and adapted approaches were identified. These methods include both technical means of detection and rapid incident response processes. The recommendations were created taking into account the characteristics of companies and organizations of various industries and are also intended for use by persons who do not have deep knowledge in the field of information security. The recommendations include clear step-by-step instructions, resources and tips that will allow companies to easily implement the proposed measures in their practice. Conclusion. The development of an effective information security incident response system is critically important for companies and organizations, as they face an increasing number of cyber-attacks and threats to information security. Creating an effective information security incident response system is an integral part of a successful business strategy. The developed practical recommendations have the potential to significantly reduce the risks and damage associated with information security, even for companies and organizations without prior experience in this field. These recommendations focus not only on technical aspects, but also on organizational measures to ensure timely detection, analysis and response to incidents.

Evaluating the Influence of Attitude versus Knowledge and Individual Factor versus Intervention Factor on Information Security Awareness in Local Government

Local government as a public organization that typically collects mass amounts of sensitive data is one of the vulnerable and targeted sectors for information security attacks. The human aspect is the most critical but weak link to information security incidents. Among government organizations, local governments usually have more limited human resources either in number and competencies including information security awareness. This study aims to validate the Information Security Awareness (ISA) model for local government, including confirming the influence of knowledge and attitude on information security behavior, evaluating the stronger predictor between knowledge and attitude toward information security behavior, and analyzing the influence of gender (as an individual factor) and training (as an intervention factor) on the information security behavior. Utilizing the HAIS-Q assessment tool, this study collected responses from 704 employees of 68 departments/units under the government of East Java Province, Indonesia. The results suggest that in the local government context, there is a significant direct relationship between Knowledge of information security and information security Behavior and its indirect relationship via Attitude toward information security behavior. However, Attitude toward information security behavior has a stronger effect on Behavior than Knowledge. This study also suggests significant differences in information security behavior between employees who have trained and those who have not, regardless of gender. The proposed model suggests that to improve Information Security Awareness among employees, local government should focus on improving employees’ Attitudes toward information security behavior, either by improving their Knowledge of Information Security via training or their affective attitude toward information security behavior.

СРАВНИТЕЛЬНЫЙ АНАЛИЗ РЕШЕНИЙ КЛАССА DDP ДЛЯ ЗАЩИТЫ ИНФРАСТРУКТУРЫ ПРЕДПРИЯТИЙ

The article considers the use and implementation of modern solutions in the field of deception technologies in the information infrastructure of critical industrial facilities. Their advantages and key features of use are analyzed, the principle of operation of the distributed infrastructure of false goals is considered. A comparative analysis of six different DDP class solutions of foreign and domestic manufacturers is carried out according to four criteria: the possibility of agentless placement of baits; types of traps and baits for industrial systems; information security systems with which the solution interacts; FulloS trapping possibilities. The approach to the implementation of DDP class solutions to ensure the information security of critical industrial facilities is substantiated. Within the framework of the considered approach, the implementation is proposed in the form of five major stages of setting up and implementing a distributed structure of false goals. The prospects of using DDP solutions to improve the safety of industrial enterprises are evaluated and an example of the effective use of the DDP class solution for an industrial facility is given. The prospects of using a distributed structure of false targets for critical industrial facilities are proposed to be assessed by the threat modeling, threat risk assessment and determination of the average number of information security incidents.

Разработка системы контроля инцидентов информационной безопасности

The purpose of this work is to develop an information security incident control sys-tem that meets the requirements for recorded information and information security incidents. the article raises the question of the need to create a system that will allow you to control information security incidents. Evaluation of existing solutions on the market, formation of requirements for the system. Selection and justification of technologies during development. After registering an incident, it is possible to interact with other network nodes, block the source IP address on the ME web server (iptables), close the network port, block domains on the proxy server. The functionality of viewing this information in the system web interface is also implemented. The article describes and substantiates the need to create and implement such a system in the information network. To achieve this goal, an analysis of the market for similar systems, as well as problems in their maintenance, was carried out. Based on the analysis, a technical task was developed with the subsequent implementation of the program code. The system was then tested and several work scenarios were implemented. In the work, an analysis of methodological documents related to information security incidents was made, a technical task was developed, a program code was implemented, and testing was carried out. As a result, the software "Information Security Incident Control System" was developed.

Information security incident management using iso 27035 standard

The data and information management process at BMKG entails certain risks related to information security incidents. There needs to be more emphasis on addressing these incidents regarding policies, procedures, technology, and human resources. This research project aims to develop an incident management system by ISO 27035 standards. Qualitative research methods have been employed for BMKG Communication Network Center case studies. The approach involves aligning information security incident management with BMKG's business processes. The outcome of this research includes creating policies, documents, and standardized procedures designed to enhance BMKG's capabilities in effectively managing and mitigating incident threats.

Optimal Federation Method for Embedding Internet of Things in Software-Defined Perimeter

In the digital transformation (DX) era, the Internet is rapidly evolving, as represented by the Internet of Things (IoT) and artificial intelligence (AI). Accordingly, information security incidents are increasing and diversifying. An example of this diversification is the emergence of internal fraud in telework and other scenarios. As a countermeasure, the software-defined perimeter (SDP), a zero-trust model, is attracting attention. SDP ensures that users are always secure by authenticating and authorizing them each time a service is provided. SDP is expected to be integrated with the IoT in order to expand its application. However, it is difficult to ensure the security of the IoT itself due to the lack of resources such as CPU power and storage. Therefore, when embedding IoT devices into SDP, the main issue is how to ensure the reliability of the IoT itself, but this has not been sufficiently studied. In this paper, we propose a method to compensate for the lack of IoT resources so that it can be securely embedded into SDP. We investigated several federation methods and found through qualitative evaluation that the identity provider (IdP) is the most effective and can efficiently achieve authentication and authorization in SDP.

Ensuring Secure Data Exchange in Software-defined Local Network

Introduction. Protecting outer perimeter is not enough to ensure secure data communication in the information system of local area network. Analytical reports of leading information security companies confirm this fact. Usually, an attacker having overcome the outer perimeter conducts network reconnaissance before carrying out an attack. The success of a network attack depends on the completeness of the information collected. The constantly changing network topology does not provide an attacker with long-term network topology information, as a result, the attacker is forced to collect information more intensively thereby identifying himself. Otherwise, the effectiveness of the planned attack is reduced. The aim of this research is to increase the intra-network data transfer security level by means of network topology dynamic reconfiguration. The authors proposed a new solution for ensuring secure node interaction countering both internal and external attackers having overcome an outer perimeter.Materials and methods. The proposed solution is based on a software-defined network and VxLAN technology. The solution involves constant network reconfiguration both with a certain frequency and on the occurrence of certain events, so that an attacker could not have long-term information. If an intruder is detected or an information security incident occurs, the network is automatically reconfigured in such a way as to lessen or prevent possible consequences.Results. The obtained results show that periodic network changes do not allow an attacker to covertly collect complete information about the network, and the proposed solution may allow to detect and isolate the attacker.Discussion and conclusion. The obtained results show that it is possible to apply the proposed solution for organizing secure data communication within the local computer network of the information system.

Применение средств экспертизы Blue Team в процессе мониторинга информационных систем на примере платформы TI (Threat Intelligence)

The purpose of this scientific study is to analyze the possibilities of increasing the effectiveness of protection against cyber threats through the use of Blue Team expert systems. The paper provides an overview of various Blue Team expert systems, including advanced detection and response (XDR) systems, information security incident response platforms (IRPs), incident management, automation and response (SOAR) systems, as well as cyber intelligence systems for threat analysis (TI). Threat Intelligence processes are analyzed, including the collection, analysis and interpretation of information about cyber threats. Particular attention is paid to the cyber intelligence platform for threat analysis – TI MISP, including the analysis of the data model of this platform. An example of working with the CVE-2022-26134 vulnerability is provided, demonstrating the effectiveness of using the TI MISP platform to identify threats and take measures to prevent them. At the end of the work, conclusions were drawn about the advantages and disadvantages of using a cyber intelligence platform for threat analysis. In this regard, the use of Blue Team expert systems, including the TI platform, in the process of monitoring information systems can significantly increase the efficiency of identifying computer incidents and provide more reliable protection of information infrastructure, despite their shortcomings.

MODELS OF TEAM STRUCTURE IN INFORMATION SECURITY INCIDENT INVESTIGATION

This article discusses the models of the group structure in the investigation of information security incidents, contradictions in the investigation of information security incidents, methods for assessing information security incidents at the enterprise, processes for assessing information security incidents based on its factors.

Детектирование и классификация сетевых атак с помощью Splunk Machine Learning Toolkit

In modern conditions of digital technologies implementation in various sectors of the economy, the digitalization of public administration, healthcare, education, and science, the growth in the number of Internet services and mobile devices the issues of ensuring the security of cellular communication systems are becoming increasingly relevant. It is becoming increasingly difficult to detect multiple and complex cyber security threats as the sources and methods ofcyber-attacks evolve and expand. Classic network attack detection approaches that rely heavily on static matching, such as signature analysis, blacklisting, or regular expression patterns, are limited in flexibility and are ineffective for early anomaly detection and rapid response to information security incidents. To solve this problem, the use of machine learning (ML) algorithms is proposed. ML methods can provide new approaches and higher rates of detection of malicious activity on the network. In this work, the Splunk Enterprise data analysis platform and the Splunk Machine Learning Toolkit for creating, training, testing, and validating a network attack classifier are used. The performance of the proposed model was evaluatedby applying four machine learning algorithms such as a decision tree, a support vector machine, a random forest, and adouble random forest. Experimental results show that all used ML algorithms can be effectively used to detect network attacks, and the double random forest method has the best accuracy in detecting distributed denial-of-service attacks.

Разработка системы сбора, обработки, анализа, идентификации корреляции событий информационной инфраструктуры предприятия

A system for collecting, processing, analyzing, and identifying correlation of events of the enterprise information infrastructure known as SIEM, is proposed for consideration. With the development of corporate information systems, the number of threats related to the violation of accessibility, integrity, and confidentiality in them has increased tenfold. Ensuring information security is a complex task of responding, investigating, and eliminating the consequences of information security incidents (IS). The paper proposes a formalized description of the data that the proposed system uses. In addition, the general architecture and algorithm of functioning are highlighted. Special attention is paid to a detailed description of one of the main parts of the system (data collection agents). The information collection subsystem is characterized by the type of information collected: data on the operation of the application, host, and network or on inter-network interactions. A subsystem of this class accumulates heterogeneous data on a system or network to further analyze them for signs of computer attacks. To collect data, special modules -sensors and agents -are used, Tthe former are usually used to monitor network activity, and the latter are used to monitor and analyze actions in a particular system. The practical application of the improved model is possible both in the framework of research work and in automated information security control systems. The results obtained will be used in the further design of a complex system of continuous monitoring of the enterprise infrastructure. It is planned to consider the data storage subsystem. Subsequent work on the topic will allow us to specify the architecture and algorithm of functioning.

The Reliability Analysis for Information Security Metrics in Academic Environment

Today, academic institution involves digital data to support the educational process. It has advantages, especially related to ease of access and process. However, security problems appear related to digital data. There were several information security incidents in the academic environment. In order to mitigate the problem, metrics identification is required to determine the risk of incidents. There are many risks model and metrics to estimate the risk, such as DREAD, OWASP, CVSS, etc. However, specific metrics are required to obtain appropriate risk values. Therefore, this study aims to define metrics for an academic institution. The proposed metrics are obtained from The Family Educational Rights and Privacy Act (FERPA) regulation. It consists of directory information, educational information, personally identifiable information, and risk of information leakage. In order to achieve the objective, this study involves survey and reliability analysis to result in output. The survey is conducted by involving 90 respondents with various levels of education and jobs. The Cronbach's alpha and Test-retest are methods to determine this study's reliability. According to reliability analysis, the Cronbach's alpha method results in coefficients for the metrics between 0.730 - 0.911, while the Test-retest method results in coefficients between 0.630 - 0.797. These coefficients have a reliable category, so the proposed metrics are adequate for determining risk of information security incidents in academic environments. The reliable metrics will be developed as variables of the risk assessment model for the academic environment in the future study.Â

Methods of Identifying Vulnerabilities in the Information Security Incident Management Process

"The application of tools and methods to improve the effectiveness of the information security management system by detecting and neutralizing cyber attacks, monitoring and blocking DDoS attacks, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), blocking TOR Exit Nodes, blocking Layer 7 Regular Expression attacks, web filtering, blocking malware attacks, ransomware, spammers and spam servers has become a sine-qua-non requirement in the management of information security incidents in order to minimize their impact on IT systems. The paper provides insight into the impact of integrating much-needed security requirements for information technology users in military systems. The collection of information was carried out on a statistical sample of 128 students from military academies in Romania, Bulgaria, Poland. The research methods are complemented by cross-sectional (questionnaire, survey, observation) and observational methods."