Penetration Testing in Accordance with NIST SP 800-115 Standard

S. Makarenko
Journal: Voprosy kiberbezopasnosti
DOI: https://doi.org/10.21681/2311-3456-2022-3-44-57
Citations: 1

Abstract

Relevance. The security of information systems in critical infrastructure objects is becoming increasingly important. However, current information security audits of critical infrastructure objects are mainly limited to checking them for compliance with the requirements of standards and documents. With this approach to the audit, the security of these objects against real attacks by hackers remains unclear. Therefore, objects are subjected to a testing procedure, namely penetration testing, in order to verify their security objectively. For example, there are instructions of the Bank of Russia to carry out such testing when the information security of banking systems is checked. However, there is no formal national standard for conducting penetration testing in Russia. This is a deterrent factor to testing critical infrastructure objects. The goal of the paper is to analyze the American testing standard, NIST SP 800-115, to estimate the possibility of using it for the development of the Russian national penetration testing standard.

Research methods. Methods of analysis and decomposition from the theory of system analysis are used in the paper to achieve the research goal.

Results. An in-depth analysis of the NIST SP 800-115 standard is provided in the paper. The following, as presented in NIST SP 800-115, are considered: types of information security assessment measures; stages of information security assessment; methods of analysis and testing used in the assessment of information security; types and sequence of penetration testing; tested vulnerabilities; and recommended tools for analysis and testing. Conclusions about the strengths and weaknesses of the NIST SP 800-115 standard are made. Recommendations on the use of NIST SP 800-115 in the development of the national Russian standard of penetration testing are presented.