1. Derivation of metrics for effective evaluation of vulnerability assessment technology. Ammala, Darwin Edward, 08 May 2004.
Vulnerability in software receives constant attention in the media and in research. Yearly rates of disclosure of vulnerabilities in software have doubled. The discipline of Information Assurance lacks metrics that are useful in understanding vulnerability. In the problem of vulnerability assessment tool selection, users must make product choices based on results found in non-peer-reviewed publications or subjective opinion. Users of vulnerability assessment tools must sift through volumes of data about their systems and are shown broad indications of the severity of the problems, often a high-medium-low ranking, which varies between tools. A need exists for metrics and a selection model for tool quality assessment. This study addresses these needs by analysis of the discipline of vulnerability assessment and remediation from first principles, and presents an organized approach and a best-fit metrics-based model for selecting vulnerability assessment tools.

2. CHALLENGES IN SECURITY AUDITS IN OPEN SOURCE SYSTEMS / UTMANINGAR I SÄKERHETSREVISIONER I SYSTEM MED ÖPPEN KÄLLKOD. Nordberg, Pontus, January 2019.
Today there is a heavy integration of information technology in almost every aspect of our lives, and there is an increase in computer security that goes with it. To ensure this security, and that policies and procedures within an organisation related to this security are enforced, security audits are conducted. At the same time, use of open source software is also becoming increasingly common, becoming more a fact of life than an option. With these two trends in mind, this study analyses a selection of scientific literature on the topic, identifies the unique challenges a security audit in an open source environment faces, and aims to contribute to how those challenges can be alleviated. The study was performed in the form of a literature review, where the comparison and analysis revealed interesting information regarding the open source specific challenges, including both technical issues and challenges stemming from people's perception and handling of open source software today. The answer to the question "What are the challenges when conducting security audits for open source systems and how can they be alleviated?" shows the main challenge to be that too much trust is put in unverified binaries. The report offers suggestions and ideas on how to implement solutions in order to help diminish this challenge through the use and integration of Reproducible Builds, answering the second part of the question.

3. Automatizované ověřování konfigurace operačního systému MS Windows pomocí projektu OpenSCAP / Automated Security Compliance Scanning of MS Windows Operating System Using OpenSCAP Project. Černý, Jan, January 2018.
This work deals with security compliance of computer systems, namely operating systems, applications and system services. The concept of security policies, their evaluation and their enforcement is described. Security compliance automation and the SCAP standard are presented. The OpenSCAP project, which is used as an SCAP scanner, is described together with its tools and its usage. An idea to add support for Microsoft Windows, which was previously unsupported, within OpenSCAP is presented. The core part of the thesis is to identify the necessary changes to OpenSCAP and to design an extension of this project. All these modifications are implemented. The solution is demonstrated on security policies for Windows. The solution is evaluated and further improvements are discussed.

4. A Vulnerability Assessment of the East Tennessee State University Administrative Computer Network. Ashe, James Patrick, 01 May 2004.
A three phase audit of East Tennessee State University's administrative computer network was conducted during Fall 2001, Spring 2002, and January 2004. Nmap and Nessus were used to collect the vulnerability data. Analysis discovered an average of 3.065 critical vulnerabilities per host with a low of 2.377 in Spring 2001 to a high of 3.694 in Fall 2001. The number of unpatched Windows operating system vulnerabilities, which accounted for over 75% of these critical vulnerabilities, strongly argues for the need of an automated patch deployment system for the approximately 3,000 Windows-based systems at ETSU.

5. Design And Implementation Of An Unauthorized Internet Access Blocking System Validating The Source Information In Internet Access Logs. Uzunay, Yusuf, 01 September 2006.
Internet Access logs in a local area network are the most prominent records when the source of an Internet event is traced back. Especially in a case where an illegal activity having originated from your local area network is of concern, it is highly desirable to provide healthy records to the court including the source user and machine identity of the log record in question. To establish the validity of user and machine identity in the log records is known as source authentication.
In our study, after the problem of source authentication in each layer is discussed in detail, we argue that the only way to establish a secure source authentication is to implement a system model that unifies low level and upper level defense mechanisms. Hence, in this thesis we propose an Unauthorized Internet Access Blocking System validating the Source Information in Internet Access Logs. The first version of our proposed system, UNIDES, is a proxy based system incorporating advanced switches and mostly deals with the low level source authentication problems. In the second version, we extend our system with SIACS, which is an Internet access control system that deals with the user level source authentication problems. By supplementing the classical username-password authentication mechanism with SSL client authentication, SIACS integrates a robust user level authentication scheme into the proposed solution.

6. Penetrační testování bezpečnosti informačních systémů / Information systems security penetration testing. Klíma, Tomáš, January 2012.
The aim of this dissertation thesis is to develop a new methodology of information systems penetration testing based on analysis of current methodologies and the role of penetration tests in the context of IS/IT governance. An integral part of this aim is evaluation of the methodology. The first part of the thesis is devoted to the presentation of the history and current state of research in the selected area, definition of basic terms and introduction of the role of penetration tests. This part is followed by the review of relevant sources and a comparative study of current methodologies with the goal of identifying their weaknesses. Results from this study are further used as a basis for the development of the new methodology. Classification of IS penetration test types and testing scenarios is also included. The second part includes the design of the new methodology: at first its history, structure and principles are presented, then its framework is described in a high level of detail. In the third part the reader can find (theoretical and practical) validation. The biggest scientific contribution is the methodology itself, focused on management of penetration tests (which is the area currently not sufficiently described). The secondary contribution is the extensive review and the comparative analysis of current methodologies. The contribution to economic and technical (practical) application lies mainly in the development of a new methodology which enables companies to improve management of penetration tests (especially planning, operational management and implementation of countermeasures).

7. Statistický výstup z asistovaných zhodnocení / Statistical output of security audits. Hrubešová, Gabriela, January 2019.
The subject of this diploma thesis is a statistical analysis of security audits. The theoretical part describes key terms in the field of cyber and information security, basic background for this area and important regulations. The next part focuses on the description of security audit, its course, necessary conditions and content. The last part is devoted to statistical analysis of obtained samples. We analyse samples from several points of view, compare and look for features and information that could be helpful to the auditor’s assessment.

8. The Challenges of Network Security Remediation at a Regional University. Simons, William R, 07 May 2005.
This thesis describes challenges encountered during a year-long effort to improve the security of the 3,300 node administrative computer network at East Tennessee State University. The key remediation strategies used included employing the vulnerability scanner Nessus to profile the network, analyzing the scan results, and attempting to remove the most critical vulnerabilities found. The project succeeded in decreasing known "high" criticality vulnerabilities on campus by 26.1%, and confirmed four standard observations about the challenges of network administration:
- Vulnerability scanning is a lengthy task best performed in parallel and supported by automated data analysis.
- Securing a network is like trying to hit a moving target, due to an ever-increasing proliferation of networked hosts, services enabled by default install and lists of vulnerabilities to address.
- Failures of common sense are still among the primary threats to network security.
- Failing to retain management support for the security hardening process can jeopardize the project.

9. Testování bezpečnosti bezdrátových sítí / Wireless networks security assessment. Klíma, Tomáš, January 2010.
The main focus of this thesis is on wireless network security auditing. The author's goal is to create a new penetration testing methodology for wireless networks, WIPE, and prove its usability in real terms. This new methodology is based on currently used methodologies, approaches and tools, which are introduced and tested further in the work.

10. Security Auditing and Testing of two Android Client-Server Applications. Engström Ericsson, Matilda, January 2020.
How secure is your application? How can you evaluate if it is secure? The threats are many and may be hard to find. In a world where things are more and more automated, how does manual labour contribute to security auditing of applications? This study aims to assess two proof-of-concept Android client-server applications, developed by students to suit the needs of a fictitious Police Department and Fire Department, respectively. The approach is unconventional yet supported by well-established theory. The gist of a vulnerability assessment methodology initially developed to assess the security of middleware is followed and applied to the entire architecture of these client-server applications. How the manual labour contributed to the end results, in comparison to the use of automated tools and a list of known threats, is then evaluated. It is concluded that the applications encompass multiple of the Open Web Application Security Project (OWASP) Top 10 Mobile Risks and that automated tools find most of those vulnerabilities. However, relying on automation may lead to a false sense of security, which in effect may cause developers to lose understanding of why vulnerabilities occur and how they should be mitigated. Understanding how the design and architecture of the application influence its security is key. As of Android 9.0+, the default is that applications use SSL encrypted communication. Only 40% of Android users are in 2020 affected by this change according to Android Studio developer information, leaving a majority of users unaware of if or how their data is being protected, which was also observed in the analysis results from this thesis work. One should consider if or how to inform users of how their data is being handled, not only in newer Android versions or regarding SSL communication. This work also shows that developers' decisions may be greatly affected by time-pressed situations, which is reflected upon in the last chapter.
Another important finding was that the third-party software Sinch, which enabled the use of voice and video communication in one of the applications, sent IP addresses and usernames of the users in clear text during the binding request, when the Session Traversal Utilities for NAT (STUN) protocol was used.