SELECTING THE MOST DANGEROUS VULNERABILITIES FOR PROSPECTIVE INFORMATION SYSTEMS FOR CRITICAL APPLICATIONS

Abstract

Abstract The development of information systems of critical application is ahead of changes in regulatory documents of regulators and educational programs of universities. Purpose of work: to determine the most dangerous vulnerabilities for promising information systems of critical application (IS CA). Research method: application of the analysis hierarcihes method to compile a hierarchy of alternatives, including the type of platform for a promising IS CA, aspects of information security, types of vulnerabilities. Conducting a survey of experts using a point assessment. Converting results to a matrix of pairwise comparisons. Getting local and global priorities of alternatives. Result of the study: 25 experts of different ages and with different work experience were interviewed. From the point of view of the interviewed specialists, the best type of platform for a prospective distributed information system of critical application is edge computing. Availability, authenticity and integrity are highlighted as the most important aspects of information security. The most dangerous are the vulnerabilities associated with: 1) incomplete verification of input (input) data, buffer overflow, the possibility of injections, injection of arbitrary code, cross-site scripting, injection of operating system commands, etc.; 2) identification, authentication, granting access and privilege escalation; 3) incorrect configuration of software parameters, management of system resources, access to service information. Less dangerous are vulnerabilities that use the health of hardware and reduce its resistance to the actions of technical means of reconnaissance and electronic warfare. The results can be used to prioritize the procurement of information security products, to update the regulatory framework of regulators and training programs for training information security specialists.