ALGORITHM FOR AUTOMATIC SELECTION OF INFORMATION PROTECTION MEASURES DEPENDING ON THE RESULTS OF THE VULNERABILITY SCANNER REPORT

  • A.V. Anzina North Caucasus Federal University
  • A.D. Medvedeva North Caucasus Federal University
  • E.A. Emelyanov North Caucasus Federal University
Keywords: Security scanner, vulnerability, vulnerability vector, metric, information protection measures, automation algorithm

Abstract

Effective protection of information in an information system implies regular diagnostics and
monitoring of the network, computers, and applications to detect possible problems in the security
system. Vulnerability scanners certified by the Federal Service for Technical and Export
Control are available for security scanning. Scanning can identify vulnerabilities of the
information system that must be eliminated immediately, since attackers can exploit them to
carry out an attack. However, selecting protection measures is a laborious and time-consuming
process, which raises the problem of automating the selection of information protection
measures. The development of an algorithm for the automatic selection of information security
measures is the main goal in automating the work of an information security specialist. The
main tasks in the development of the algorithm are: selection of the fundamental characteristics
of the vulnerability, generation of a list of protection measures taking into account the security
class of the information system, and comparison of the protection measures with the selected
characteristic. After analyzing the information about vulnerabilities, the vulnerability vector
was chosen as the main indicator; it includes the main metrics, the assessment of which allows
the choice of protection measures. A set of information protection measures was matched to each
metric by means of expert assessment. When the algorithm runs, the employee sets the
vulnerability vector and the security class of the information system as input parameters and
receives a list of the necessary protection measures as a result. Thus, the automatic selection
algorithm is based on a comparison of vulnerability metrics with information protection measures,
which allows an employee to quickly select measures based on the identified vulnerabilities.
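
The selection step described in the abstract, sketched as an added example that is not the authors' algorithm or code. Assumptions: the vulnerability vector is a CVSS v3.1-style string, security classes are numbered 1 to 3 with 1 the strictest, and the measure identifiers and the metric-to-measure table are constructed placeholders standing in for the expert mapping, which this page does not reproduce.

```python
# Added illustration. The page does not give the vector format, the measure
# list or the expert mapping, so everything in the tables below is constructed.
ALLOWED = {"AV": "NALP", "AC": "LH", "PR": "NLH", "UI": "NR",
           "S": "UC", "C": "HLN", "I": "HLN", "A": "HLN"}

# (metric, value) -> [(placeholder measure ID, loosest class that requires it)]
# Assumption: class 1 is the strictest, so class 1 receives every measure.
MEASURES = {
    ("AV", "N"): [("M-NET-FILTER", 3), ("M-NET-SEGMENT", 2)],
    ("AV", "A"): [("M-NET-SEGMENT", 2)],
    ("AC", "L"): [("M-PATCH-PRIORITY", 3)],
    ("PR", "N"): [("M-AUTH-ENFORCE", 3), ("M-AUTH-MFA", 1)],
    ("UI", "R"): [("M-USER-TRAINING", 3)],
    ("S", "C"): [("M-ISOLATION", 2)],
    ("C", "H"): [("M-ENCRYPT-DATA", 2)],
    ("I", "H"): [("M-INTEGRITY-CONTROL", 3)],
    ("A", "H"): [("M-BACKUP-REDUNDANCY", 2)],
}

def parse_vector(vector):
    """Split a vector string into {metric: value}, rejecting malformed input."""
    parts = vector.strip().split("/")
    if parts[0].startswith("CVSS:"):
        parts = parts[1:]                      # drop the version prefix
    metrics = {}
    for part in parts:
        name, _, value = part.partition(":")
        if name not in ALLOWED or len(value) != 1 or value not in ALLOWED[name]:
            raise ValueError(f"unknown metric or value: {part!r}")
        if name in metrics:
            raise ValueError(f"metric given twice: {name}")
        metrics[name] = value
    missing = sorted(set(ALLOWED) - set(metrics))
    if missing:
        raise ValueError(f"vector is missing metrics: {missing}")
    return metrics

def select_measures(vector, security_class):
    """Return the ordered, de-duplicated measures for one vulnerability."""
    if security_class not in (1, 2, 3):
        raise ValueError("security_class must be 1, 2 or 3")
    selected = []
    for name, value in parse_vector(vector).items():
        for measure, loosest_class in MEASURES.get((name, value), []):
            if security_class <= loosest_class and measure not in selected:
                selected.append(measure)
    return selected

if __name__ == "__main__":
    print(select_measures("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 3))
```

Rejecting incomplete or malformed vectors before the lookup keeps a truncated scanner export from silently producing a shorter measure list.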

Published
2021-02-13
Section
SECTION II. INFORMATION PROCESSING ALGORITHMS