Classification of Cyber Cruise of Informational Resources of Automated Banking Systems
DOI:
https://doi.org/10.28925/2663-4023.2018.2.4767Keywords:
banking information resources, information security, hybrid cyber threats, automated banking systems, threat classifierAbstract
The modern development of high technologies and computer technology greatly enhanced the development of automated banking systems of banking sector organizations and allowed the synthesis of information and communication technologies for their formation. However, the era of high technology has increased the range of threats to banking information resources; threats have gained signs of hybridity and synergy. In these conditions, the current issue in shaping the information security management system in banking sector organizations is the formation and analysis of modern threats. In order to generalize the approach of classification of hybrid cyber threats to the components of security: information security, cybersecurity, security of information banking information resources in the work proposed an advanced classification of threats to banking information resources. The classifier takes into account ISO / OSI model levels in automated banking systems, the targeting of threats to security services and their criticality of damage. The article analyzes contemporary international standards and normative documents of the National Bank of Ukraine on security issues of banking information resources. On the basis of this analysis, we propose estimates of the level of danger to intruders and the degree of implementation of protective measures under the conditions of modern hybrid cyber threats.
Downloads
References
R. Hryshchuk, ta S. Yevseiev, “The synergetic approach for providing bank information security: the problem formulation”, Ukrainian scientific journal of information security, vol. 1, no. 22, pp. 64 – 74, 2016. (in English)
R. V. Grishhuk, ta Ju. G. Danik; za zag. red. prof. Ju. G. Danika, Osnovi kіberbezpeki, Zhitomir, Ukraina: ZhNAEU, 2016. (in Ukrainian)
S. Yevseiev, “Methodology for information technologies security evaluation for automated banking systems of Ukraine”, Naukovo-tehnichnij zhurnal “Zahist informacii, vol. 22, issue 3, pp. 297-309, 2016. (in Russian)
L. Sun, R. P. Srivastava, and T. J. Mock, “An Information Systems Security Risk Assessment Model under Dempster-Shafer Theory of Belief Functions”, Journal of Management Information Systems, vol. 22, рp. 3 – 28, 2006. (in English)
RS BR IBBS-2.2-2009. Metodika ocenki riskov narushenija informacionnoj bezopasnosti, 2009. [Online]. Available: http://www.cbr.ru/credit/gubzi_docs/st22_09.pdf. Accessed on: Des., 07.2017. (in Russian)
I. S. Ivanchenko, V. O. Horoshko, Ju. E.Hohlachova, ta D. V. Chyrkov pid zag. red. prof. V. O. Horoshka, Zabezpechennja informacijnoi' bezpeky derzhavy, Kyi'v, Ukraina: PVP “Zadruga”, 2013. (in Ukrainian)
A. O. Korchenko, L. M. Skachek, ta V. O. Horoshko, pid zag. red. prof. V. O. Horoshka, Bankivs'ka bezpeka, Kyi'v, Ukraina: PVP “Zadruga”, 2014. (in Ukrainian)
В. И. Ярочкин, “Безопасность банковских систем”, М.: Издательство: Ось-89, 416 с., 2012. V. I. Jarochkin, Bezopasnost' bankovskih sistem, Moskva, Rossija: Os'-89, 2012. (in Russian)
A. V. Potij, ta D. Ju. Pilipenko, “The concept of information security strategic management”, Radіoelektronnі і komp’juternі sistemi, vol. 47, no. 6, pp. 53 – 58, 2010. (in Russian)
O. K. Judіn, Іnformacіjna bezpeka. Normativno-pravove zabezpechennja, Kyi'v, Ukraina: NAU, 2011. (in Ukrainian)
Trusted Computer Systems Evaluation criteria, US DoD 5200.28-STD, 1985. [Online]. Available: https://csrc.nist.gov/csrc/media/publications/conference-paper/1998/10/08/proceedings-of-the-21st-nissc-1998/documents/early-cs-papers/dod85.pdf. . Accessed on: Dec. 7.2017. (in English)
Information Technology Security Evaluation Criteria, v. 1.2. Office for Official publications of the European Communities, 1991. [Online]. Available: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Zertifizierung/ITSicherheitskriterien/itsec-en_pdf.pdf?__blob=publicationFile. Accessed on: Dec. 7.2017. (in English)
Canadian Trusted Computer Product Evaluation Criteria, v. 3.0. Canadian System Security Centre, Communications Security Establishment, Government of Canada, 1993. [Online]. Available: http://www.btb.termiumplus.gc.ca/tpv2alpha/alpha-eng.html?lang=eng&i=&index=alt&srchtxt=CANADIAN%20TRUSTED%20COMPUTER%20PRODUCT%20EVALUATION%20CRITERIA. Accessed on: Dec. 7.2017. (in English)
Federal Criteria for Information Technology security. – NIST, NSA, US Government, 1993. [Online]. Available: https://www.commoncriteriaportal.org/files/ccfiles/ccpart1v2.3.pdf. Accessed on: Dec. 7.2017. (in English)
ISO/IEC 15408-1:1999 – Information technology – Security techniques – Evaluation criteria for IT security – Part1: Introduction and general model. [Online]. Available: https://www.iso.org/ru/standard/27632.html. Accessed on: Dec. 7.2017. (in English)
ISO/IEC 15408-2:2005– Information technology – Security techniques – Evaluation criteria for IT security – Part 2: Security functional requirements. [Online]. Available: https://www.iso.org/ru/standard/40613.html. Accessed on: Dec. 7.2017. (in English)
ISO/IEC 15408-3:2008 – Information technology – Security techniques – Evaluation criteria for IT security – Part 3: Security assurance requirements. [Online]. Available: https://www.iso.org/ru/standard/46413.html. Accessed on: Dec. 7.2017. (in Eglish)
СЕМ-97/017. Common Evaluation Methodology for Information Technology Security – Part 1: Introduction and general model. (in English)
Metodychni rekomendacii' shhodo vprovadzhennja systemy upravlinnja informacijnoju bezpekoju ta metodyky ocinky ryzykiv vidpovidno do standartiv Nacional'nogo banku Ukrai'ny: lyst departamentu informatyzacii' Nacional'nogo banku Ukrai'ny bankam Ukrai'ny vid 03 bereznja 2011 r. № 24-112/365. – K.: Nacional'nyj bank Ukrai'ny, 2011. (in Ukrainian)
ISO/IEC 27005 – Information technology – Security techniques – Information security risk management. [Online]. Available: http://www.bank.gov.ua/doccatalog/document?id=72235https://exebit.files.wordpress.com/2013/11/iso-27005-2011-ru-v1.pdf. Accessed on: Dec. 09, 2017. (in English)
Rukovodjashhij dokument. Bezopasnost' informacionnyh tehnologij. Kriterii ocenki bezopasnosti informacionnyh tehnologij. GOST R ISO/MJeK 15408-2-2008, 2008. [Online]. Available: http://primorsky.ru/authorities/executive-agencies/departments/information-security/Documents/doki-po-ib/. Accessed on: Dec., 07.2017. (in Russian)
Rukovodjashhij dokument. Bezopasnost' informacionnyh tehnologij. Obshhaja metodologija ocenki bezopasnosti informacionnyh tehnologij. Proekt. [Online]. Available: http://fstec.ru/component/attachments/download/293. Accessed on: Dec., 07.2017. (in Russian)
Standart Ukrai'ny SOU N NBU 65.1 SUIB 1.0:2010. Metody zahystu v bankivs'kij dijal'nosti systema upravlinnja informacijnoju bezpekoju. Vymogy. (ISO/IEC 27001:2005, MOD). K: NBU., 2010. (in Ukrainian)
Postanova Pravlinnja Nacional'nogo banku Ukrai'ny vid 18 chervnja 2003 roku № 254 “ Pro zatverdzhennja Polozhennja pro organizaciju operacijnoi' dijal'nosti v bankah Ukrai'ny”, K: NBU., 2003. (in Ukrainian)
Doktrina informacijnoi' bezpeki Ukrai'ni, zatverdzheno Ukazom Prezidenta Ukrai'ni vid 25 ljutogo 2017 roku № 47/2017, 2017. [Online]. Available: http://zakon3.rada.gov.ua/laws/show/47/2017/paran2#n2. Accessed on: Dec., 07.2017. (in Ukrainian)
Ukaz Prezydenta Ukrai'ny vid 15 bereznja 2016 roku № 96 “Pro rishennja Rady nacional'noi' bezpeky i oborony Ukrai'ny vid 27 sichnja 2016 roku “Pro Strategiju kiberbezpeky. [Online]. Available: http://zakon3.rada.gov.ua/laws/show/96/2016/paran11#n11. Accessed on: Dec., 07.2017. (in Ukrainian)
Ukaz Prezydenta Ukrai'ny vid 12 ljutogo 2007 roku № 105 “Pro Strategiju nacional'noi' bezpeky Ukrai'ny”, 2007. [Online]. Available: http://zakon3.rada.gov.ua/laws/show/105/2007 Accessed on: Dec., 07.2017. (in Ukrainian)
D. Gorbenko, A. V. Potij, i P. I. Tereshhenko, “Kriterii i metodologija ocenki bezopasnosti informacionnyh tehnologij”, [Online]. Available: http://www.bezpeka.com/ru/lib/spec/infsys/art108.html. Accessed on: Dec., 07.2017. (in Ukrainian)
S. Yevseiev, “The model of access rights violator in an automated banking system based on a synergistic approach ”, Naukovo-tehnіchnij zhurnal “Іnformacіjna bezpeka”, vol. 26, no. 2, pp.110-120, 2017. (in Russian)
S. Yevseiev, “The synergetic approach for bank systems' security assesment”, Naukovo-tehnіchnij zhurnal “Іnformacіjna bezpeka”, vol. 24, no. 4, pp. 104-108, 2016. (in Russian)
R. Hryshchuk, ta S. Yevseiev, “Methodology of building a system for providing information security of bank information in automated banking systems”, Naukovo-tehnіchnij zhurnal “Іnformacіjna bezpeka”, vol. 3, no. 23, pp. 204-214, 2017. (in Ukrainian)
A.V. Potiy, D.J. Pilipenko, “Security metrics classification”, Sistemi obrobki іnformacіi, vol. 84, no. 3, pp. 53-56, 2010. (in Russian)
DSTU ISO/IEC TR 13335-1:2003 Informacijni tehnologii'. Nastanovy z keruvannja bezpekoju informacijnyh tehnologij. Chastyna 1. Koncepcii' ta modeli bezpeky informacijnyh tehnologij, 2003. [Online]. Available: http://lindex.net.ua/ua/shop/bibl/500/doc/11423. Accessed on: Dec., 07.2017. (in Ukrainian)
DSTU ISO/IEC TR 13335-2:2003 Informacijni tehnologii'. Chastyna 2. Nastanovy z keruvannja bezpekoju informacijnyh tehnologij, 2003. [Online]. Available: http://www.premier-hs.com.ua/ru/content/dstu-isoiec-tr-13335-22003-nastanovi-z-kieruvannia-biezpiekoiu informatsiinikh-tiekhnologhii. Accessed on: Dec., 07.2017. (in Ukrainian)
DSTU ISO/IEC TR 13335-3:2003 Informacijni tehnologii'. Nastanovy z keruvannja bezpekoju informacijnyh tehnologij. Chastyna 3. Metody keruvannja zahystom informacijnyh tehnologij, 2003. [Online]. Available: http://lindex.net.ua/ua/shop/bibl/500/doc/11425. Accessed on: Dec., 07.2017. (in Ukrainian)
DSTU ISO/IEC TR 13335-4:2005 Informacijni tehnologii'. Nastanovy z upravlinnja bezpekoju informacijnyh tehnologij. Chastyna 4. Vybyrannja zasobiv zahystu, 2005. [Online]. Available: http://metrology.com.ua/download/iso-iec-ohsas-i-dr/61-iso/290-dstu-iso-iec-tr-13335-4-2005. Accessed on: Dec., 07.2017. (in Ukrainian)
DSTU ISO/IEC TR 13335-5:2005 Informacijni tehnologii'. Nastanovy z upravlinnja bezpekoju informacijnyh tehnologij. Chastyna 5. Nastanova z upravlinnja merezhnoju bezpekoju, 2005. [Online]. Available: http://lindex.net.ua/ua/shop/bibl/500/doc/11427. Accessed on: Dec., 07.2017. (in Ukrainian)
Standart Ukrai'ny SOU N NBU 65.1 SUIB 1.0:2010. Informacijni tehnologii'. Metody zahystu. Zvid pravyl dlja upravlinnja informacijnoju bezpekoju (ISO/IEC 27002:2005, MOD), 2010[Online]. Available: http://s-byte.com/useful/27002.pdf. Accessed on: Dec., 07.2017. (in Ukrainian)
Standart Ukrai'ny SOU N NBU 65.1 SUIB 1.0:2010. Metody zahystu v bankivs'kij dijal'nosti. Systema upravlinnja informacijnoju bezpekoju. Vymogy (ISO/IEC 27001:2005, MOD), 2005. [Online]. Available: https://kyianyn.files.wordpress.com/2010/12/nbu-27001.pdf. Accessed on: Dec. 7.2017. (in Ukrainian)
ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Req. [Online]. Available: http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=54534. Accessed on: Dec. 7.2017.
ISO/IEC 27002:2013 – Information technology – Security techniques – Code of practice for information security controls. [Online]. Available: http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=54533. Accessed on: Dec. 7.2017. (in English)
O. K. Judin, S. S. Buchik, Derzhavni informacijni resursy. Metodologija pobudovy klasyfikatora zagroz. Kyi'v, Ukraina: NAU, 2015. (in Ukrainian)
O. K. Judіn, S. S. Buchik, A. V. Chunar'ova, ta O. І. Varchenko, “Technique of constructing a classification of threats to state information resources”, Naukojemni tehnologii, vol, 22, no. 2, pp. 200-210, 2014. (in Ukrainian)
O. K. Judіn, S. S. Buchik, “Classification of threats to state informative resources of normatively-legal aspiration. methodology of construction of classifier”, Zahyst informacii', vol. 17, no. 2, pp. 108-116, 2015. (in Ukrainian)
S. S. Buchik, “Theoretical basis of the analysis of the risks of the tree of identifiers of state information resources”, Naukojemni tehnologii', vol. 29, no. 1, pp. 70-77, 2016. (in Ukrainian)
S. S. Buchik, “ Methodology of risk analysis of the tree of identifiers of state information resources”, Zahyst informacii', vol. 18, no. 1, pp. 81 – 89, 2016. (in Ukrainian)
D. Domarjev, V. Domarjev ta S. Prokopenko, “Method of information system’s security level estimation using ISMS "Matrix", Zahyst informacii', vol. 15, no. №1, pp. 80 – 86, 2013. (in Ukrainian)
S. V. Pavlenko, “Method of estimation of protected of informative systems”, Systemy ozbrojennja i vijs'kova tehnika, vol. 4, no. 20, pp. 149-154, 2009. (in Ukrainian)
S. S. Buchyk, “Estimation of functional types of threats to state informative resources”, Otkrytye informacionnye i komp'juternye integrirovannye tehnologii, no. 70, pp. 271-280, 2015. (in Ukrainian)
R. A. Nurdinov, T. N. Batova, “Approaches and methods of rationale choosing of information protection facilities”, Sovremennye problemy nauki i obrazovanija, no. 2, 2013. [Online]. Available: http://elibrary.ru/item.asp?id=21285749. Accessed on: Des. 07, 2017. (in Russian)
ISO/IEC 18045:2014 Information technology – Security techniques – Guidelines for cybersecurity. [Online]. Available: http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=46412. Accessed on: Des. 09, 2017. (in English)