A.A. Azarov – Post-graduate Student, SPIIRAS, Saint Petersburg State University
The intensive introduction of information technologies into modern business processes creates a need to ensure the security of the information resources they use. Accordingly, significant efforts of information security specialists have been directed at developing and introducing models and methods for protecting information systems from software-technical attacks, so that the software-technical component is currently the main area in which confidential information is protected. At the same time, a science-based framework for developing and implementing preventive measures, and for a priori and a posteriori assessment of their effectiveness, remains insufficiently developed.
The purpose of this article is to introduce the user vulnerability profile as an analogue of the software-technical vulnerabilities used in analysing the security of the software-technical component of an information system, and to consider four approaches to analysing the security of information system users against social engineering attacks (SE attacks). In combination with certain models of the vulnerability profile, these approaches make it possible to automate the assessment of the degree of protection of information system personnel and mission-critical documents from SE attacks.
The present work first considers the user vulnerability profile, which on the one hand is the analogue of software vulnerabilities in software and hardware systems, and on the other hand consists of a set of user vulnerabilities built on the psychological characteristics of the person. It is stated that applying the user vulnerability profile model opens up the possibility of using, in modelling social engineering attacks and analysing their consequences (i.e. obtaining an estimate of the degree of security of the critical documents stored in the information system), approaches such as probabilistic relational models, attack tree analysis, Bayesian networks and Markov random fields.
The proposed approaches and mathematical models are being developed in order to automate the analysis of the security of the complex «information system – personnel – critical documents» against social engineering attacks by an attacker.
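As an added illustration (not the authors' model or code), the following constructed Python sketch shows how a user vulnerability profile could feed a simple attack-tree estimate of the degree of security of critical documents in the complex «information system – personnel – critical documents», and how a defender could re-estimate it after training. The profile structure, the independence assumptions and every sample value are assumptions made for this example.

```python
"""Constructed illustration: attack-tree estimate of document security from
a user vulnerability profile. The profile layout, OR-tree structure,
independence assumptions and all numbers are assumptions for this example,
not the authors' model."""

# Constructed user vulnerability profile: per user, the assumed probability
# that a social-engineering action exploiting the named trait succeeds.
PROFILES = {
    "alice": {"trust_in_authority": 0.30, "curiosity": 0.10},
    "bob":   {"trust_in_authority": 0.05, "curiosity": 0.50, "haste": 0.20},
    "carol": {"haste": 0.15},
}
# Constructed access relation: which users can open each critical document.
ACCESS = {
    "salary_sheet": {"alice", "bob"},
    "merger_memo":  {"carol"},
}

def p_user_compromised(profile):
    """OR node over the user's vulnerabilities: the attacker succeeds if at
    least one exploited trait succeeds (traits assumed independent)."""
    p_all_fail = 1.0
    for p in profile.values():
        p_all_fail *= 1.0 - p
    return 1.0 - p_all_fail

def p_document_compromised(doc):
    """OR node over users with access: the document leaks if any one of them
    is compromised (users assumed independent)."""
    p_all_safe = 1.0
    for user in ACCESS[doc]:
        p_all_safe *= 1.0 - p_user_compromised(PROFILES[user])
    return 1.0 - p_all_safe

def security_estimates():
    """Degree of security per document = 1 - P(compromise), rounded."""
    return {doc: round(1.0 - p_document_compromised(doc), 4) for doc in ACCESS}

def weakest_link(doc):
    """User with access whose individual compromise probability is highest."""
    return max(ACCESS[doc], key=lambda u: p_user_compromised(PROFILES[u]))

def security_after_training(doc, user, trait, new_p):
    """What-if: re-estimate a document's security after training lowers one
    trait's exploitation probability for one user (profile restored after)."""
    saved = PROFILES[user][trait]
    PROFILES[user][trait] = new_p
    try:
        return round(1.0 - p_document_compromised(doc), 4)
    finally:
        PROFILES[user][trait] = saved
```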