    Системы управления, связи и безопасности
    №4. 2020
    Systems of Control, Communication and Security
    ISSN 2410-9916
    DOI: 10.24411/2410-9916-2020-10402
    URL: http://sccs.intelgr.com/archive/2020-04/02-Makarenko.pdf
    Received 02 October 2020.
    Information about the authors
    Sergey Ivanovich Makarenko – Doctor of Engineering Sciences, Docent. Leading Researcher. St. Petersburg Federal Research Center of the Russian Academy of Sciences. Professor of the Department of Information Security. Saint Petersburg Electrotechnical University "LETI" named after V.I. Ulyanov (Lenin). Research interests: communication networks and systems; electronic warfare; information confrontation. E-mail: mak-serg@yandex.ru
    Address: 199178, Russia, Saint Petersburg, 14th Line, 39.
    Gleb Evgenevich Smirnov – candidate for the Candidate of Sciences degree. Lecturer at the Department of Information Security. Saint Petersburg Electrotechnical University "LETI" named after V.I. Ulyanov (Lenin). Research interests: information security. E-mail: science.cybersec@yandex.ru
    Address: 197376, Russia, Saint Petersburg, Professor Popov street, 5.
    ______________________________________________________
    Analysis of penetration testing standards and methodologies
    S. I. Makarenko, G. E. Smirnov
    Relevance. At present, the security of information systems of critical infrastructure objects is becoming important. At the same time, current information security (IS) audits of critical infrastructure objects are, as a rule, limited to checking them for compliance with IS requirements. However, with this approach to auditing, the resistance of these objects to real attacks by malefactors often remains unclear. To check such resistance, objects are subjected to a testing procedure, namely penetration testing. Analysis of domestic publications in this area shows that there is no systematic approach to penetration testing in domestic practice. In this regard, it is relevant to analyze and systematize the best foreign approaches and practices for penetration testing.
    The purpose of this paper is a comparative analysis of existing foreign and domestic penetration testing techniques and standards.
    Results. The article presents the results of the analysis of the following foreign standards and methods: OSSTMM, ISSAF, OWASP, PTES, NIST SP 800-115, BSI, PETA, PTF, as well as the domestic method Positive Technology. The elements of novelty of the paper are the identified features, advantages, disadvantages and the scope of applicability of existing standards and penetration testing methods.
    Practical significance. The material of the article can be used to form the initial data, the sequence of stages and their content, in a practical audit of the security of information systems of critical information infrastructure objects by penetration testing.
    Key words: penetration testing, standard, methodology, audit, information security, critical information infrastructure, information technology impact, information and psychological impact, OSSTMM, ISSAF, OWASP, PTES, NIST SP 800-115, BSI, PETA, PTF, Positive Technology.
    Information about Authors
    Sergey Ivanovich Makarenko – Dr. habil. of Engineering Sciences, Docent. Leading Researcher. St. Petersburg Federal Research Center of the Russian Academy of Sciences. Professor of Information Security Department. Saint Petersburg Electrotechnical University 'LETI'. Field of scientific research: stability of network against the purposeful destabilizing factors; electronic warfare; information struggle. E-mail: mak-serg@yandex.ru
    Address: Russia, 197376, Saint Petersburg, 14th Linia, 39.
    Gleb Evgenevich Smirnov – doctoral candidate. Lecturer at the Department of
    Information Security. Saint Petersburg Electrotechnical University "LETI". Field of scientific research: information security. E-mail: science.cybersec@yandex.ru
    Address: Russia, 197376, Saint Petersburg, Professor Popov street 5.