VOJNOTEHNIČKI GLASNIK / MILITARY TECHNICAL COURIER, 2017., Vol. 65, Issue 2
REVIEW PAPERS
VULNERABILITY ASSESSMENT AND PENETRATION TESTING IN THE MILITARY AND IHL CONTEXT
Dragan D. Mladenović
Serbian Armed Forces, General Staff,
Department of Telecommunications and IT (J-6),
Belgrade, Republic of Serbia,
e-mail: dragan.mladenovic@vs.rs,
ORCID iD: http://orcid.org/0000-0003-4530-633X
https://dx.doi.org/10.5937/vojtehg65-10761
FIELD: Computer Sciences, International Humanitarian Law
ARTICLE TYPE: Review Paper
ARTICLE LANGUAGE: English
Abstract:
Vulnerability assessment and penetration testing are the key activities of information security risk management and of the cyber defense and intelligence done by military organizations. These activities are significant not only in the context of performing military operations, but also in the International Humanitarian Law (IHL) and law enforcement contexts. The application of information technologies in military and civilian environments increases complexity in the field of risk management. Besides information security, military organizations have the task to undertake the necessary activities in the field of cyber operations, both for defense and offense purposes. These depend on technologically based knowledge and skills and are implemented by specific organizations within military systems. The goal of vulnerability assessment is to discover and determine the nature of vulnerabilities, without considering how they may be used for offense, while penetration testing uses exploits for breaching into systems and thus estimates the type and degree of risk these vulnerabilities represent to the system. However, even if they represent two different activities, with different end goals but the same field of interest, they are complementary and inter-dependent. Since their common feature is the development of knowledge and skills based on the same technologies, they are equally important for risk management, for military operations in cyberspace and their use for defense and intelligence activities, and for IHL.
Key words: vulnerability assessment, penetration testing, cyber attack, International Humanitarian Law.
Mladenovic, D., Vulnerability assessment and penetration testing in the military and IHL context, pp. 464-480

Introduction
The significance and influence of information technologies in all modern organizational and technical systems are obvious and ever growing. Military organizations require the application of reliable and efficient technical systems for the performance of their basic function – defense, both in peacetime and during war. In modern armies, such characteristics are mostly enabled by the application of independent and embedded information technologies. No matter whether these technologies are used in military equipment and armament or for establishing and operating military organizational systems and their networks (command, control, and support), the use of information technologies is significant, obvious and increasing.

Comprehensive applications of information technologies and the abilities of system and process networking are so extensive that they caused the creation of a completely new, fifth domain of military activities – cyberspace, which represents: “A global domain within the information environment consisting of the interdependent networks of information technology infrastructures and resident data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.” (US Army Joint Staff, 2013, p.5). Within the information domain, cyberspace is characterized by the application of different types of information technologies (analog and digital electronic, opto-electronic and even quantum technologies). The information domain consists of physical, information (including logical), and cognitive dimensions or layers (U.S. Army Joint Staff, 2014). This means that within the complete cyberspace there are different factors and elements which perform activities and which represent the basis of the cyberspace infrastructure: people, hardware, software, environment, power, networks, payload, and policy (Rauscher, 2004). These elements can be put into three key sets that constitute cyberspace, including the part of it used by military organizations: people, processes and systems (Godwin, et al, 2014).
ir purpose (Godwin, et al 2014). The key factor for their safe operation is protection from threats (internal or external) across all the mentioned layers. This relates not only to military systems, whose basic function is national defense, but also to all governmental and private organizations as well as individuals. This is why a violation of information security often simultaneously relates to different legally regulated forms of security (national defense, but also all types of crime, including terrorism and espionage). The circumstance that conflicts in cyberspace are based on the discovery and exploitation of vulnerabilities and deficiencies makes their legal regulation significantly more complex. There are so many threats that the entities in charge of defending a system cannot even perceive their total number and scope. The existing threats change and evolve over time, along with the development of the immediate and wider environment. They are especially extensive in the field of information security, given the number and variety of technologies in the modern global environment, as well as the mutual connections between factors that influence all phases of the information system life cycle (Donohoe, 2012). Threats are directly connected to the vulnerabilities and weaknesses of a system, whether they are known to its defenders or not. In the field of information security, there is a constant and endless race between attackers and defenders over who will be the first to discover vulnerabilities or weaknesses of a system, across every layer of the information domain (physical, information and logical, and cognitive levels). The causes of these vulnerabilities are numerous and can be found at all levels of the creation, use and delayed effects of these technologies; they can be grouped in several general categories:
a. Due to growing requirements for resource optimization, military systems use the same or similar information technologies as civilian structures. These commercial off-the-shelf (COTS) technologies, whether proprietary or open source, are available to everyone, defenders and attackers alike.
b. The complex supply chain of information technologies and globalization make certain segments of these technologies so connected and intertwined that causes of vulnerabilities in them can be found even in technologies created specifically for military systems (Mattern, 2015).
c. The number and scope of information technologies that oftentimes are not harmonized with each other in all elements cause the occurrence of new vulnerabilities that appear during the interaction between these technologies.
d. The general digitalization of everything and the fast expansion of information technologies cause an increasing number of information infrastructure parts, or elements that influence this infrastructure, to become subject to the existing vulnerabilities.
These vulnerabilities cause the asymmetry of conflict in cyberspace. Since they are subject to (purposeful or accidental) revealing and exploitation by any attacker, the number of potential conflict participants, both attackers and defenders, grows rapidly. The existence of vulnerabilities makes even the biggest systems subject to the actions of small groups, even individuals. Today, it is a frequent situation that the military forces of foreign governments attack private companies in other countries, as in the case of Sony (Nakashima, 2014), or that the biggest countries take legal and political measures against individuals, as U.S. President Obama ordered in April 2015 (Executive Order: Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities) (Obama, 2015). The consequence of this is an increasing number of potential conflicting actors and extremely complex conflict environments.
Vulnerability assessment and penetration testing
In the process of risk management assessment, in dealing with vulnerabilities, the process of vulnerability assessment should not be confused with penetration testing. Although these two concepts are similar and highly connected, they are different in their nature. The National Institute of Standards and Technology describes penetration testing as “a test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of an information system” (NIST, 2014, p.B-7). According to the same source, vulnerability assessment (discovery and analysis) represents a systematic examination of an information system for the purpose of determining the adequacy of security measures, identifying deficiencies, and finding and undertaking security measures to eliminate the influence of threats and reduce risks (National Institute for Standards and Technology, 2013). Therefore, penetration testing is a specific type of assessment of an information system (usually technically oriented), implemented for the purpose of determining the existence of vulnerabilities. Penetration testing is an imitation of an adversary’s activity on one’s own system for the purpose of pre-emptive defense. This is why penetration testing is the one procedure that makes vulnerability assessment common to both attack and defense. The development of the penetration testing methodology is connected to professional knowledge of technology and system organization and represents the application of the information technology body of knowledge in the military environment.

Military systems are specifically security oriented, since their purpose is the defense of their own systems (by military means and methods) and the disabling and destruction of enemy systems. In this military business, different areas of security are simultaneously planned, applied and analyzed, so that vulnerability assessment and penetration testing (which are especially characteristic of information security in contemporary organizations) are used in all other security-related areas, from physical to information security. Having in mind the already mentioned fact that in modern times all human activities depend on information technologies and cyberspace, as well as that the information area consists of a wide infrastructure in the physical, information, logical and cognitive sense, it is clear that penetration testing can be undertaken for hardware, software, people and processes, and that it can relate to different types of security controls (physical, organizational, and technical) (NIST, 2013).
Penetration testing relates to finding vulnerabilities in proprietary or other systems, as well as to estimating a degree of resistance that infor-
ver, no international regulations strictly forbid civilians from taking direct participation in hostilities. A group of experts in the field of international humanitarian law, at the invitation of the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, gave their expert opinion on the participation of civilians in cyber warfare, according to which “Civilians are not prohibited from directly participating in cyber operations amounting to hostilities but forfeit their protection from attacks for such time as they so participate” (Schmitt, 2013, p.90). However, according to various national laws and military rules of engagement and manuals, the participation of civilians in hostilities is unlawful (for example in Canada, Côte d’Ivoire, Germany, Indonesia, Italy, Nigeria, Peru, Spain, the United Kingdom, and others) (International Committee of the Red Cross, 2015). In some countries with a common law tradition, such as the U.S., there are cases where, in different stages of a case, court decisions were made according to which the participation of alien civilians in hostilities was treated as unlawful (McCarthy, 2007), because they were civilians who took part in hostilities and were therefore neither lawful combatants nor lawful civilians.

It is, nevertheless, necessary to point out that there is still no universal international consensus on this issue, since neither treaty law nor customary law precisely defines what constitutes direct participation in hostilities, as pointed out by the Pre-Trial Chamber of the International Criminal Court in the Case of the Prosecutor v. Bahar Idriss Abu Garda (ICC-02/05-02/09, 2010). Also, it is necessary to take into consideration the complexities of a situation where the development of technology and its application in hostilities is an important factor of additional complexity in the international legal regulation of conflicts in which civilians participate in one of the possible ways (Schmitt, 2004). Even without this dominant factor today, the existing provisions and rules of International Humanitarian Law, some of which are more than a hundred years old, are imprecisely and unclearly defined, because they were adopted through the consensus of all international parties (states), which is an almost impossible task in practice due to their different interests and traditions.
The already mentioned legal reasons and the requirement to preserve the secrecy of confidential military information in military organizations require that vulnerability assessment and penetration testing be done by members and groups from the military itself. To achieve this, it is necessary to systematically train the members of the military who perform these activities. In doing this, there should be no compromises, because the key activities in cyber defense and warfare depend on their training and qualifications. Besides the requirement for top achievements, their training should be continuous, since the search for vulnerabilities is a constant process that must be improved and developed all the time. The focus during training should be put on education in relation to gaining awareness and training, since this activity is considered to be a key one within the Information Technology Security Learning Continuum for the creation of appropriate information technology security specialists and professionals (NIST, 2003; 1998). However, since these are top experts, no form of professional improvement and development should be neglected, such as advanced training and even research activities.
far, mostly done in C and C++ languages, and their numbers continue to grow as new systems and requirements are added (Charette, 2012). In such a number of lines of code, it is to be expected that there are a number of errors and a lack of process coordination that might be used in the future for a cyber attack. Even before the aircraft entered operational use, industrial espionage in cyberspace enabled the penetration testing experts of a potential future enemy to find suitable exploits whose application might achieve kinetic consequences to combat systems in a potential future conflict (The Wall Street Journal, 2014).
Conclusion
Vulnerability assessment and penetration testing are a central part of all defensive and offensive military activities in cyberspace. At the same time, they are a key part of the comprehensive process of risk management, without which the compliance requirements of any organization’s information system cannot be achieved. Information security risk management represents the organizational management of people, processes and systems. Vulnerability assessment and penetration testing are primarily oriented to information technologies and the way people interact with them. Even though these activities have the same focus, the same technologies and processes, their goals are different but complementary. There are defects, flaws and weaknesses in every information system. Their nature varies widely and their number is always increasing. Information on vulnerabilities is the goal for the system’s author, defenders and attackers alike, and there is always a competition between these sides over who will obtain the valuable information first. Owning the same information on vulnerabilities enables the prevention of threats (external and internal), but at the same time it enables exploiting the adversary’s weaknesses. Due to this characteristic, vulnerability assessment and penetration testing are equally important for the risk management process and for offensive and defensive military and intelligence operations in cyberspace. If, by a process of elimination, different activities in the mentioned fields of information security are removed, it is clear that its tasks cannot be achieved without vulnerability assessment and penetration testing. These activities can be outsourced to organizations outside the military, but having in mind the confidentiality requirement and the limitations set by International Humanitarian Law, it is necessary for the units working on these activities to be a component of military organizations. Nevertheless, having in mind the need for specific knowledge and skills, and the requirements for constant research, their organizations must be specific and set up in a way so as not to be disturbed by the traditional military vertical organizational hierarchy.
References
Aid, M., 2013. Inside the NSA’s Ultra-Secret China Hacking Group. [Internet]. Foreign Policy. Available at: http://foreignpolicy.com/2013/06/10/inside-the-nsas-ultra-secret-china-hacking-group. Accessed: 12 Apr. 2015.
Charette, R., 2012. F-35 Program Continues to Struggle with Software. [Internet]. IEEE Spectrum: Technology, Engineering, and Science News. Available at: http://spectrum.ieee.org/riskfactor/aerospace/military/f35-program-continues-to-struggle-with-software. Accessed: 12 Apr. 2015.
Committee on National Security Systems, 2015. National Information Assurance (IA) Glossary, CNSS Instruction No. 4009, April 6, 2015. Ft Meade: National Security Agency.
Cyber Intelligence Task Force, 2016. Strategic cyber intelligence. [Internet]. Intelligence and National Security Alliance. Available at: http://www.insaonline.org/i/d/a/b/StrategicCyberWP.aspx. Accessed: 17 Apr. 2015.
Donohoe, M., 2012. A discussion on Supply Chain Risk and Mitigation. [online lecture]. Enterprise Information Security and Risk Management (ESS15-03), Week 9: Supply Chain Risk Management – Mitigation. Information Resources Management College, National Defense University.
National Institute for Standards and Technology, 2003. Guide to Information Technology Security Services. Special Publication 800-35. Gaithersburg, MD: U.S. Department of Commerce.
National Institute for Standards and Technology, 1998. Information Technology Security Training Requirements: A Role- and Performance-Based Model. Special Publication 800-16. Gaithersburg, MD: U.S. Department of Commerce.
National Institute for Standards and Technology, 2011. Managing Information Security Risk: Organization, Mission, and Information System View. Special Publication 800-39. Gaithersburg, MD: U.S. Department of Commerce.
National Institute for Standards and Technology, 2012. Guide for Conducting Risk Assessments. Special Publication 800-30, Revision 1. Gaithersburg, MD: U.S. Department of Commerce.
National Institute for Standards and Technology, 2013. Security and Privacy Controls for Federal Information Systems and Organizations [includes updates as of 01-22-2015]. Special Publication 800-53, Revision 4. Gaithersburg, MD: U.S. Department of Commerce.
Netragard, 2015. Available at: https://www.netragard.com.
Obama, B., 2015. Executive Order: Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities. Available at: https://www.whitehouse.gov/the-press-office/2015/04/01/executive-order-blocking-property-certain-persons-engaging-significant-m. Accessed: 1 Mar. 2016.
Perlroth, N., & Sanger, D.E., 2013. Nations Buying as Hackers Sell Flaws in Computer Code. [online]. New York Times. Available at: http://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html. Accessed: 11 Apr. 2016.
Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts (Protocol I), 8 June 1977. Geneva. 1125 UNTS 3.
Rauscher, K.F., 2004. Protecting communications infrastructure. Bell Labs Tech. J., 9(2), pp.1-4.
Ray, B., Posnett, D., Filkov, V., & Devanbu, P., 2014. A large scale study of programming languages and code quality in Github. In: Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering. New York: ACM, pp.155-165.
Revuln, 2015. Available at: http://revuln.com.
Schmitt, M., 2004. Direct Participation in Hostilities and 21st Century Armed Conflict. In: H. Fischer et al., Eds., Crisis Management and Humanitarian Protection: Festschrift für Dieter Fleck. Berlin: BWV, pp.505-529.
Schmitt, M.N., 2013. Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge: Cambridge University Press.
Situation in Darfur, Sudan, in the Case of the Prosecutor v. Bahar Idriss Abu Garda, 2010. February 8, ICC-02/05-02/09 (Pre-Trial Chamber I Decision on the Confirmation of Charges).
The Wall Street Journal, 2014. China’s Cyber-Theft Jet Fighter. Available at: http://www.wsj.com/articles/chinas-cyber-theft-jet-fighter-1415838777. Accessed: 11 Apr. 2016.
U.S. Army Joint Staff, 2013. Cyberspace Operations. Joint Publication 3-12 (R).
US Army Joint Staff, 2014. Information Operations. Joint Publication 3-13, 27 November 2012, Incorporating Change 1, 20 November 2014.
U.S. Department of the Army, 2010. Cyberspace Operations Concept Capability Plan 2016-2028, TRADOC Pamphlet 525-7-8. US Army Training and Doctrine Command (TRADOC).
Vupen Security, 2015. Available at: http://www.vupen.com/english.
© 2017 The Author. Published by Vojnotehnički glasnik / Military Technical Courier (www.vtg.mod.gov.rs, втг.мо.упр.срб). This is an open access article distributed under the terms of the Creative Commons license (http://creativecommons.org/licenses/by/3.0/rs/).