Vulnerability Assessment and Penetration Testing in the Military Context and in the Context of International Humanitarian Law

Dragan D. Mladenović, Telecommunications and Informatics Directorate (J6), General Staff of the Serbian Armed Forces

Keywords: cyber attack, International Humanitarian Law, vulnerability assessment, penetration testing

Abstract

Vulnerability assessment and penetration testing are key risk management activities in information security, cyber defence and the intelligence work of military organizations. These activities are significant in the context of conducting military operations, but also in the context of International Humanitarian Law (IHL) and law enforcement. The use of information technology in military and civilian environments increases the complexity of risk management. In addition to information security, military organizations are tasked with carrying out the necessary activities in the field of cyber operations, for both defensive and offensive purposes. These activities depend on technology-based knowledge and skills and are implemented by specialized organizations within military systems. Vulnerability assessment aims to uncover the nature of vulnerabilities without considering how they could be used for an attack, whereas penetration testing uses exploits to break into systems and thereby assesses the kind and degree of risk that these vulnerabilities pose to the system. However, even though they are two different activities with different end goals, they are complementary and interdependent. Since their common feature is the development of knowledge and skills based on the same technologies, they are of equal importance for risk management, for military operations in cyberspace and their use in defensive and intelligence activities, and for international humanitarian law.

Published
2017/04/03
Section
Review papers