Database protection model based on security system with full overlap

Authors

DOI:

https://doi.org/10.30837/rt.2021.3.206.08

Keywords:

security model, full overlap security system, covered security system, database

Abstract

Security is one of the most important quality characteristics of information systems in general and of databases, their main component, in particular. An information protection system, understood as a complex of software, technical, cryptographic, organizational and other methods, means and measures that ensure the integrity, confidentiality, authenticity and availability of information under natural or artificial threats, is therefore an integral feature of almost any modern information system and database. At the same time, conclusions about the degree of security can only be verified if security is measured in some way. The paper considers a database security model based on the full overlap security model (a covered security system), which is traditionally regarded as the basis for a formal description of security systems. The Clements-Hoffman model is extended in three ways. First, a set of vulnerabilities is included as a separate, objectively existing category needed to describe a weakness of an asset or control that can be exploited by one or more threats; this allows a more adequate assessment of the likelihood of an unwanted incident (threat realization) in a two-factor model, in which one factor reflects the motivational component of the threat and the second takes into account the existing vulnerabilities. Second, an integral indicator of database security is defined as the value inverse to the total residual risk, whose constituent components are represented as corresponding linguistic variables. Third, a technique is developed, based on the theory of fuzzy sets and risk, for assessing the main components of security barriers and the security of the database as a whole. Together these make it possible to use the developed model for a quantitative assessment of the security of the analyzed database.
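As an added illustration, not the paper's own code or calibration, the following Python sketch implements the scheme the abstract describes: threat-object pairs, barriers that must cover every pair (the full-overlap condition), a two-factor likelihood built from a motivation term and a vulnerability term, linguistic estimates defuzzified by triangle centroids, and the security indicator taken as the inverse of the total residual risk. The product form of the two factors, the triangular term set, the "best barrier" rule and the sample values are assumptions made for the example.

```python
from dataclasses import dataclass

# Triangular membership functions (a, b, c) on [0, 1] for the linguistic
# terms used below. The term set and shapes are assumed for this example.
TERMS = {"low": (0.0, 0.0, 0.5), "medium": (0.0, 0.5, 1.0), "high": (0.5, 1.0, 1.0)}

def crisp(term):
    """Defuzzify a term by the centroid of its triangle: (a + b + c) / 3."""
    a, b, c = TERMS[term]
    return (a + b + c) / 3

@dataclass(frozen=True)
class Pair:
    threat: str
    obj: str
    motivation: str     # motivational component of the threat (factor 1)
    vulnerability: str  # exploitable weakness of the asset (factor 2)
    damage: str         # loss if the threat is realised against the object

@dataclass(frozen=True)
class Barrier:
    threat: str
    obj: str
    effectiveness: float  # share of the pair's risk the control removes, 0..1

def uncovered(pairs, barriers):
    """Threat-object pairs no barrier covers: full overlap fails exactly there."""
    covered = {(b.threat, b.obj) for b in barriers}
    return [(p.threat, p.obj) for p in pairs if (p.threat, p.obj) not in covered]

def residual_risk(pairs, barriers):
    """Sum over pairs of likelihood x damage x (1 - best barrier effectiveness)."""
    best = {}
    for b in barriers:
        key = (b.threat, b.obj)
        best[key] = max(best.get(key, 0.0), b.effectiveness)
    total = 0.0
    for p in pairs:
        likelihood = crisp(p.motivation) * crisp(p.vulnerability)  # assumed product form
        total += likelihood * crisp(p.damage) * (1 - best.get((p.threat, p.obj), 0.0))
    return total

def security_indicator(pairs, barriers):
    """Integral indicator as the inverse of total residual risk (inf if no risk)."""
    r = residual_risk(pairs, barriers)
    return float("inf") if r == 0 else 1 / r

# Constructed sample: two threats against one database object, one barrier.
PAIRS = [
    Pair("sql_injection", "customer_table", "high", "medium", "high"),
    Pair("privilege_abuse", "customer_table", "medium", "low", "high"),
]
BARRIERS = [Barrier("sql_injection", "customer_table", 0.9)]
```

With the sample data the second pair is reported as uncovered, and adding a barrier for it raises the indicator, which is the kind of comparison the model is meant to support.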


Published

2021-09-24

How to Cite

Vilihura, V., & Yesin, V. (2021). Database protection model based on security system with full overlap. Radiotekhnika, 3(206), 88–105. https://doi.org/10.30837/rt.2021.3.206.08

Section

Articles