Risk assessment methodology based on penetration testing

S.E. Golikov


The digitalization of the economy is associated with an increase in threats to the security of individuals, society and the state in the information sphere.

Risk assessment is part of a comprehensive approach to cybersecurity and a requirement of most IT standards. An integrated approach to cybersecurity allows all of its constituent elements to be considered as a single, complex, interconnected system. The ultimate goal of this approach is to organize a continuous process of protection against any physical, software, hardware, network and human influences on the target system. Integrating the various layers and means of protection provides a more complete understanding of vulnerabilities and more comprehensive protection against a variety of threats.

Information security management is a subsidiary process of a broader risk management process: if an organization, after analyzing and evaluating all its business risks, makes a conclusion about the relevance of information security risks, then information security becomes a means of minimizing some of them.

This paper proposes the use of penetration testing as a method of risk assessment. It gives a comparative characterization of various testing approaches for the assessment of risk events, describes the types of testing and the assessment of their risks, shows their advantages and disadvantages, and gives recommendations for testing whose application makes it possible to obtain the most objective result.







ISSN: 2307-8162