Американский Научный Журнал AUDIT AS A MEANS OF ENSURING INFORMATION SECURITY OF WEB APPLICATIONS AND USED COMPUTER SYSTEMS (54-57)

When ensuring information security (IS) of web applications using computer systems, control processes and protection tools, as well as identifying vulnerabilities in the existing system, are of particular importance. IS audit allows you to control processes and identify vulnerabilities. In most works, very little attention is paid to the systemic classification of audit activities and testing as one of the main types of information security audit. Activities related to testing existing systems are considered one-sided only as penetration testing or instrumental audits. This type of audit is not regulated by any systematic approach. The aim of the work is to systematize the basic information about the stages, theoretical and practical approaches to IS audit, classification of audit activities. Скачать в формате PDF
54 American Scientific Journal № ( 40) / 2020
УДК 004.7 71
ГРНТИ 20.53.01

АУДИТ КАК СРЕДСТВО ОБЕСПЕЧЕНИЯ ИНФОРМАЦИОННОЙ БЕЗОПАСНОСТИ ВЕБ -
ПРИЛОЖЕНИЙ И ИСПОЛЬЗУЕМЫХ КОМПЬЮТЕРНЫХ СИСТЕМ

Сенькив Д. А.
магистр, аспиран т-соискатель
Нижегородский государственный технический университет им. Р.Е. Алексеева
(ул . Минина, 24, Нижний Новгород, Нижегородская обл., 603950 )

AUDIT AS A MEANS OF ENSURING INFORMATION SECURITY OF WEB APPLICATIONS AND
USED COMPUTER SYSTEMS

Senkiv D. A.
Master degree
Nizhny Novgorod State Technical University n.a. R.E. Alekseev
(Minin St., 24, Nizhny Novgorod, 603950)

Аннотация . При обеспечении информационной безопасности (ИБ) веб -приложений с
использованием компьютерных систем особое значение имеют про цессы контроля и средства защиты, а
также выявление уязвимостей в су ществующей системе. А удит ИБ по зволяет осуществить контроль
процессов и выявление уязвимостей. В большинстве работ очень мало внимания уделяется системной
классификации мероприятий аудита и тестированию как одному из основных типов аудита ИБ.
Мероприятия, связанные с тестирова нием сущес твующих систем, рассматриваются в однобоком виде
лишь в качестве тестирования на проникновение или инструментального аудита. Проведение такого типа
аудита не регламентируется каким -либо системным подходом. Целью работы являет ся систематизация
осн овных свед ений об этапах, теоретических и практических подходах к аудиту ИБ, классификации
мероприятий аудита.
Abstract. When ensuring information security (IS) of web applications using computer systems, control
processes and protecti on tools, as well as identifyin g vulnerabilities in the existing system, are of particular
importance. IS audit allows you to control processes and identify vulnerabilities. In most works, very little attention
is paid to the systemic classification of aud it activities and tes ting as on e of the main types of information security
audit. Activities related to testing existing systems are considered one -sided only as penetration testing or
ins trumental audits. This type of audit is not regulated by any systema tic approach. The aim of the wo rk is to
systematize the basic information about the stages, theoretical and practical approaches to IS audit, classification
of audit activities.
Ключевые с лова: информационная безопасность, аудит, тестирование на проникнове ние, аудит
информацио нной безоп асности, тестирование, информационно -технические меры, защита информации,
превентивный анализ
Keywords: information security, audit, penetration testing, inf ormation security audit, testing, information
technology measures, i nformation protection , preventi ve analysis

Introduction
New information technologies are being
introduced into all spheres of life and ensuring IS is an
indispensable part of this process . The use of computer
technology and telecommunication systems, as w ell as
an increase in the amoun t of processed information,
contribute to the expansion of the possibilities of
unauthorized access to resources and data of computer
systems.
IS is the proc ess of ensuring the availability,
integrity and confidentiality of i nformation.
The proce ss of ensu ring IS is constantly becoming
more complex. This is due to the increasing complexity
of computer systems and their security systems,
heterogeneous networks and an increase in the number
of thin clients, wearable electronics - smartphones,
smart watches, t ablets.
Hacks into computer systems are becoming more
sophisticated and often have irreversible consequences
for companies and organizations.
Usually people think about ensuring IS of
resources in three cases:
• when developing / designing the syst em;
• after development / design of the system;
• after an incident of IS, which caused the user
or the company losses - financial, reputation,
temporary.
First of all, th e goal is to ensure IS, for example,
to give guarantees to users and ensure the protectio n of
their systems and data, obtaining a certificate of
conformity (for example, PSI DSS - Payment Card
Industry Data Security Standard), compliance with the
IS standa rd ISO / IEC 27001.
Based on the goals and tasks performed in the
computer system, variou s measures and degrees of
protection will be developed.
For example, if a computer system is used only as
a means of surfing the Internet, then of the necessary
means for ensuring security, first of all, will be the use

American Scientific Journal № ( 40 ) / 2020 55

of an ti-virus protection, as well as complianc e with
basic safety rules when working on the Internet [1].
In another case, if a selling site or a game server is
located on a computer system, then the nec essary
protection measures will be completely different.
Knowledge of the potential threa ts, as wel l as the
security vulnerabilities that these threats typically
exploit, is essential in order to select the most
appropriate security controls.
Before you st art organizing IS, you need to answer
three questions:
1. What needs to be protected? User
workstation s or remote server?
2. From whom to protect, which threats will be
predominant - external or internal? Which scenario is
more dangerous - employee data theft or system
hacking?
3. How to protect, by what methods and me ans?
Use proprietary software or f ree softwa re? Protect your
system in real time or conduct regular scans and audits?
After answering these questions, you can draw up
a more clear strategy for protect ing a certain type of
system, select the most optimal a nd effective protection
methods.
Then it is necessary to audit the current solution,
system.
Information security audit
IS audit - an independent assessment of the current
state of the IS system, esta blishing the level of its
compliance with certain crite ria, and providing the
results in the form o f recommendations.
IS audit allows you to get the most complete and
objective assessment of the security of a computer
system [2], localize existing problems and develop an
effective program for building an organ ization's IS
system. As part of an IS audit or as a separate project,
penetration testing can be carried out to test the ability
of a company's information system to resist attempts to
penetrate the ne twork and improperly influence
information.
Audit goals can be divided into:
• preventive - aimed at proactive identification
of threats and vulnerabilities and prevention of IS
incidents;
• detecting - aimed at detecting new or
clarifying the features of exis ting threats and security
vulnerabilities during or after IS incidents;
• corrective - aime d at the f ormation of a set of
measures to improve the effectiveness of the existing
protection system after IS incidents, taking into account
newly identified threats and vulnerabilities.
The audit is divided into several conventional
categories:
1. Web appl ication se curity audit
The site is tested for vulnerabilities by testing for
resistance to combined attack methods [3] and is based
on OWASP (Open Web Application Secu rity), WASC
(The Web Appli cation Security Consortium),
OSSTMM (Open Source Security Testi ng
Methodo logy Manual), PTES (Penetration Testing
Execution Standard) methodologies ) and PCI DSS best
practices and recommendations. All work is supported
by extensiv e practical experience of specialists.
In most cases, vulnerabilities from the OWASP
TOP 10 list ar e identified; in 80% of cases, the detected
vulnerabilities are critical, allowing unauthorized
access to confidential information or to the server.
An audit of a resource (web compon ents and web
environment), as a rule, is performed using the
«B lackBox» m ethod and includes the following stages:
• passive collection of information;
• definition of the web environment;
• platform definition;
• CMS type definition;
• port scanning;
• collection / search for public exploits;
• automatic scanning;
• data analysis;
• identificati on of resource bottlenecks;
• collection and analysis of the information
received;
• analysis of attack vectors;
• confirmation of the received vectors;
• compilatio n of a repo rt.
Site audit in «BlackBox» mode simulates a real
hacker attack on the custom er's site without destructive
consequences.
During the site audit, the following actions are
performed on the tested resource:
• search for vulnerabilities of server
com ponents;
• search for vulnerabilities in the server web
environment;
• check for remote execu tion of ar bitrary code;
• checking for overflows;
• checking for injections (code injection);
• attempts to bypass the web resource
authentication system;
• checking a web res ource for X SS / CSRF
vulnerabilities;
• attempts to intercept privileged accounts (or
sessi ons of suc h accounts);
• attempts to make Remote File Inclusion /
Local File Inclusion;
• search for components with known
vulnerabilities;
• check for redirection to other sites and o pen
redirects;
• scanning directories and files using brute
force;
• analysis of s earch form s, registration forms,
authorization forms, etc .;
• race condition attacks;
• guessing passwords.
At the end of the audit, a detailed report is
provided with th e identified vulnerabilities,
recommendations for elimination, examples of attacks
and de scriptions of possible penetration scenarios.
2. Penetration testing of the network perimeter
Penetration testing is a popular worldwide way to
assess the security status of a network perimeter. The
essence of such tests is an authorized attempt to bypass
the existing complex of information system protection
means. During testing, a security analyst plays the role
of an attacker motivated to violate the IS of the
customer' s network. The provision of penetration

56 American Scientific Journal № ( 40) / 2020
testing services is based on OSSTMM, PTES
methodo logies and includes:
• passive collection of information;
• port scanning;
• determination of types and types of network
equipment;
• definition of types and types of operatin g
systems in the network infrastructure;
• definition of types and types of adjacent
periph erals in t he network infrastructure;
• definition of types and types of specialized
devices or their combination;
• collecting banners and searching for public
exploits;
• collection and analysis of the information
received;
• definition of «entry points »;
• descrip tion of at tack vectors;
• attempts to exploit;
• confirmation of the received vectors;
• compilation of a report.
3. Stress Testing
Stress testing («load -testing») - is necessa ry to
determine or collect performance indicators and
response time of a software and har dware syst em or
device in response to an external request in order to
establish compliance with the requirements for this
system (device) [4].
To investigate the respo nse time of the system at
high or peak loads, «stress testing» is performed, in
which the load plac ed on the system exceeds the normal
scenarios of its use. A modern IT infrastructure must
provide the required level of performa nce. Any
disruptions, delays and rejections can lead to the loss of
customers, both current and potential. The main
pu rpose of l oad testing is to monitor the system
performance by creating a certain expected load on the
system (for example, through virtual users).
When conducting stre ss testing, it is necessary to
define test scenarios containing the values of the desig n
and expe cted peak performance of the system. Each
scenario is based on the following data:
• object of testing;
• testing objectives;
• the pu rpose of testing;
• requirement s;
• specifications;
• regulations.
Any software or server software must run under
load for a long time . System failures and failures can
lead to losses, loss of customers and other unpleasant
consequences [5]. Load testing allows you to determine
how and at w hat speed an application is performing
under a certain load. Through load testing, the
compliance o f the product's performance with the
requirements formulated in the specification and design
documentation is assessed.
4. Complian ce with PSI DSS standard
To o btain a PCI DSS certificate of compliance,
companies working with international payment
systems Vis a and Mastercard must comply with the
requirements of the standard. Such requirements
include the following procedures:
• monthly check of security components;
• monthly check of system components of
servers;
• monthly external ASV scan;
• quarterly anal ysis of wi reless networks;
• quarterly internal scanning;
• annual internal and external penetration test;
• annual identification of new threats and
revision of IS policies ;
• annual briefing of IS department employees;
• annual analysis of publicly available web
application s;
• every six months revision of the rules for
firewalls and routers;
• annual review and monitoring of the
performance of video surveillance systems;
• annual te sting of the IS incident response plan.
After the audit, it is necessary to comply with a s
many of the received recommendations as possible and
initiate a re -audit [6]. When the required level of
security is achieved, conduct an audit in the future with
a certain frequency (for example, once a month).
Conclusion
The concept of IS, its componen ts and pro cedures
necessary to determine the current level of security,
ways to increase it were considered.
Audit is one of the basic actions aimed at ensuring
IS. An independent assessment of the current state of
the IS system establishes the level of it s complian ce
with certain criteria, and provides the results in the form
of recommendations.
An audit allows you to reduce the risk of
confidential information leakage , increase control over
IT and IS departments, as well as build the necessary
level of pr otection f or sensitive company information.
An audit is a basic procedure for ensuring the level
of IS of a compute r system and allows you to identify
and eliminate ob vious and gross errors made in the
design and configuration of a computer system. The use
of audit is advisable in a computer system of any scale.
Together with other basic procedures, audit can prevent
most cases of penetration into the system.

List of re ferences
1. Бондарев В. В. Введение в
информационную безопасность
автоматизированных систем: учебное п особие – М.:
МГТУ им. Н . Э. Баумана , 2018. [Bondarev V. V.
Introduction to information security of automated
systems: schoolbook - M.: BMSTU n. a. N.E.Bauman ,
2018; (In Russ).]
2. Бирюков А. А. Информационная
безопасность. Защита и нападение/А. А. Б ирюков -
М. :ДМК Пресс, 2017. [Biryukov A. A. Information
security. Defense and attack - M .: DMK Press, 2017
(In Russ).]
3. Кочешков А. А., Сенькив Д. А.
Информационная безопасность публичных
облачных сервисов /А. А. Кочешков , Д. А. Сенькив
// Научно -Техническ ий Вестник Поволжья , Казань .
– 2020. – № 7 – c. 70 – 72 [Kocheshkov A. A., Sen'kiv
D. A. Informacionnaja bezo pasnost' publichnyh

American Scientific Journal № ( 40 ) / 2020 57

oblachnyh servisov - Nauchno -Tehniches kij Vestnik
Povolzh'ja, Kazan, 2020;7:70 -72. (In Russ).]
4. Boyce G. Linux Networking Cookbo ok/G.
Boyc e - Packt Publishing. – 2016 .
5. Астахов А. Введение в аудит
информационной безопасности / GlobalTrust
Solutions . URL: http://globaltrust.ru [ Astakhov A.
Vvedeni e v audit informatsionnoi
bezopasnosti/ GlobalTrust Solutions. URL:
http://globaltrust.ru]
6. Скабцов. Н. Аудит безопасности
информационных систем — СПб.: Питер, 2018.[
Skabtsov. N. Audit be zopasnosti informatsionnykh
sistem — SPb.: Piter, 2018 (In Russ).]