Quarterly journal published in SPbPU
and edited by prof. Dmitry Zegzhda
Peter the Great St. Petersburg Polytechnic University
Institute of computer sciences and technologies
information security of computer systems
Information Security Problems. Computer Systems
Published since 1999.
ISSN 2071-8217
THE SPECIFICS OF SOLVING THE PROBLEM OF INFORMATION SECURITY RISK MANAGEMENT WHEN DEVELOPING METHODS OF PROTECTION AGAINST HIDDEN STEGANOGRAPHIC INFORMATION EXCHANGE ON PUBLIC INTERNET RESOURCES
M. Yu. Fedosenko ITMO University
Abstract: This work describes the stage of practical information security risk management for a web resource that is used as a medium and communication channel for steganographic information exchange. Based on available research results, the possibility of using steganography on public Internet resources as a tool for attackers to exchange illegal data and carry out computer attacks has been established. As a result, the relevance of developing methods to counter the malicious use of steganographic algorithms has been proven. The paper examines threats to information security arising from the use of steganography methods in accordance with the FSTEC IS BDU. Based on these threats, a 4-level model of threats to a web resource from user data has been developed. It includes the risks of violating integrity, availability, confidentiality and the provisions of 374-FL (amendments to 149-FL "On information, information technologies and information protection"). The 374-FL demonstrated the problem that data exchanged covertly is inaccessible for checking whether it is malicious. Based on the developed model, a practical assessment of the risks of a web resource was carried out using the Microsoft Security Assessment Tool (MSAT), along with a theoretical assessment using the FRAP and CRAMM matrices, in order to demonstrate the features of using a specific approach in solving the problem of countering a new type of attack. As a result, the necessary mitigation measures and components were calculated using mathematical programming methods in order to identify the minimal and optimal quantitative composition of the components of protection against the malicious use of steganography.
These measures and components consist of specialists, their competencies, and the software tools necessary for high-quality protection of a web resource within the framework of the scientific problem under study: the use of information security technologies by an offender when carrying out illegal activities, and the further development of tools for countering this and for analyzing the data coming to the web resource.
Keywords: steganography, steganographic attacks, hidden data exchange, information security risk management, Internet, information security threats, FRAP, CRAMM, OCTAVE
Pages 80–95