A HIERARCHICAL FUZZY QUALITY ASSESSMENT OF COMPLEX SECURITY INFORMATION SYSTEMS

Ігор Володимирович Шелехов, Наталія Леонідівна Барченко, Вадим Володимирович Кальченко, Віктор Корнелійович Ободяк

Abstract

Changes in the legislation of Ukraine are leading to a gradual transition to international standards in the field of protecting information in the information and communication systems of government authorities. The latest regulatory framework, however, is still based on the regulatory documents of the past, so new approaches to assessing the security of information and communication systems are needed. One option for solving this problem is the use of penetration testing methods: during this procedure, the parameters of the complex protection tools are tested using publicly available tools that are also used by cybercriminals. After the procedure, three outcomes are possible, described by fuzzy terms: the system meets the requirements of the regulatory documents, the system does not comply with the requirements of the regulatory documents, or the system partially meets the requirements and needs to be improved. This raises the problem of developing a model that yields an integral security indicator from a fuzzy knowledge base. The article analyzes international documents in the field of cybersecurity and the normative documentation of the system of technical protection of information in Ukraine. The criteria of security against unauthorized access, which are defined in the existing national regulatory documents, were selected as the criteria for evaluating the system. A model of a fuzzy hierarchical system for assessing the security profile has been developed; it specifies the set of assessment criteria and the sequence in which they are applied. The proposed hierarchical model presents the assessment process in an explicit form and implements the checking of the criteria while indicating the degree of the expert's confidence in the relevance of each assessment criterion. The system was implemented in the Fuzzy Logic Toolbox of the Matlab application package. Computer experiments have shown that the developed model can be applied in practice.
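As an added illustration, not the paper's model (which was built in Matlab's Fuzzy Logic Toolbox and is not reproduced on this page), the following Python sketch shows the mechanics the abstract describes: leaf criteria scored from checks are fuzzified into the three terms, weighted by the expert's confidence in each criterion's relevance, aggregated up a hierarchy and defuzzified into one integral indicator. The criterion names, membership-function shapes, confidences and sample scores are all constructed assumptions.

```python
"""Hierarchical fuzzy security-profile assessment (constructed illustration, not the
paper's model). Leaf checks scored in [0, 1] are fuzzified into the abstract's three
terms, weighted by expert confidence, aggregated and defuzzified. Shapes are assumed."""
from dataclasses import dataclass, field

TERMS = ("not_compliant", "partially_compliant", "compliant")

def fuzzify(score):
    """Membership of a [0, 1] score in each term (assumed triangular shapes)."""
    return {
        "not_compliant": max(0.0, min(1.0, (0.5 - score) / 0.5)),       # 1 at 0, 0 from 0.5
        "partially_compliant": max(0.0, 1.0 - abs(score - 0.5) / 0.5),  # peak at 0.5
        "compliant": max(0.0, min(1.0, (score - 0.5) / 0.5)),           # 0 to 0.5, 1 at 1
    }

@dataclass
class Criterion:
    name: str
    score: float = None       # leaf only: degree to which the check passed
    confidence: float = 1.0   # expert's confidence that the criterion is relevant
    children: list = field(default_factory=list)

def assess(node):
    """Leaves are fuzzified; a group is the confidence-weighted mean of its children."""
    if not node.children:
        return fuzzify(node.score)
    total = sum(c.confidence for c in node.children)
    agg = dict.fromkeys(TERMS, 0.0)
    for child in node.children:
        for term, mu in assess(child).items():
            agg[term] += child.confidence / total * mu
    return agg

def integral_indicator(memb):
    """Centroid defuzzification with assumed term centres 0, 0.5 and 1."""
    return sum(c * memb[t] for t, c in zip(TERMS, (0.0, 0.5, 1.0))) / sum(memb.values())

def verdict(memb):
    """Linguistic result: the term with the highest membership."""
    return max(TERMS, key=lambda t: memb[t])

PROFILE = Criterion("security_profile", children=[   # constructed sample profile
    Criterion("confidentiality", children=[
        Criterion("access_control_enforced", score=0.9),
        Criterion("data_flow_restricted", score=0.6, confidence=0.7),
    ]),
    Criterion("observability", confidence=0.8, children=[
        Criterion("audit_logging", score=0.3),
        Criterion("log_integrity", score=0.5, confidence=0.5),
    ]),
])
```

For the sample profile the indicator comes out near 0.59 with the verdict "partially_compliant", i.e. the "needs to be improved" case from the abstract.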

Keywords

cybersecurity, security criteria, fuzzy logic, security profile

DOI: https://doi.org/10.32620/reks.2020.4.10
