Vulnerability assessment and penetration testing in the military and IHL context

  • Dragan D. Mladenović, Generalštab Vojske Srbije, Uprava za telekomunikacije i informatiku (J6)
Keywords: cyber-attack, International Humanitarian Law, Vulnerability Assessment, Penetration Testing

Abstract

Vulnerability assessment and penetration testing are the key activities of information security risk management and of the cyber defense and intelligence work done by military organizations. These activities are significant not only in the context of conducting military operations, but also in the International Humanitarian Law (IHL) and law enforcement contexts. The application of information technologies in military and civilian environments increases the complexity of risk management. Besides information security, military organizations have the task of undertaking the necessary activities in the field of cyber operations, for both defensive and offensive purposes. These activities depend on technology-based knowledge and skills and are carried out by specialized organizations within military systems. The goal of vulnerability assessment is to discover vulnerabilities and determine their nature, without considering how they might be used for offense, whereas penetration testing uses exploits to breach systems and thereby estimates the type and degree of risk that these vulnerabilities pose to the system. Although they are two different activities with different end goals in the same field of interest, they are complementary and interdependent. Since their common feature is the development of knowledge and skills based on the same technologies, they are equally important for risk management, for military operations in cyberspace and their use in defense and intelligence activities, and for IHL.

Published: 2017/04/03
Section: Review Papers