Vulnerability Assessment for Applications Security Through Penetration Simulation and Testing

Authors

  • Petar Lachkov Director of the Cyber Engineering Technology/Cyber Security Research Center, Department of Computing and Cyber Security, Texas A&M University-San Antonio, One University Way, San Antonio, TX 78224, USA https://orcid.org/0000-0003-2361-9036
  • Lo’ai Tawalbeh Director of the Cyber Engineering Technology/Cyber Security Research Center, Department of Computing and Cyber Security, Texas A&M University-San Antonio, One University Way, San Antonio, TX 78224, USA https://orcid.org/0000-0002-2294-9829
  • Smriti Bhatt Director of the Cyber Engineering Technology/Cyber Security Research Center, Department of Computing and Cyber Security, Texas A&M University-San Antonio, One University Way, San Antonio, TX 78224, USA https://orcid.org/0000-0001-5376-4491

DOI:

https://doi.org/10.13052/jwe1540-9589.2178

Keywords:

Penetration testing, ethical hacking, applications security, firewall, IDS/IPS, server, client, privacy, vulnerability assessment

Abstract

Cybersecurity threats and attacks are a critical concern for computing systems in general and for web applications in particular. There are many types and categories of cyberattacks on web applications. Many of these attacks are made possible by existing vulnerabilities in the networking environments and platforms that host these web applications. Vulnerability assessment and attack simulation on these networking platforms are therefore of extreme importance for protecting and securing the top web applications that play a prime role in our daily life. One of the widely used mechanisms to identify vulnerabilities and defend against different attacks on systems and networks is penetration testing. It allows us to simulate real-world attacks on a network or a single device to determine the susceptibility and impact of cybersecurity attacks. Pen testing aims to secure a system or network by performing a full-blown attack against it. Several techniques have been used for that, from port scanning and service and operating system detection to network enumeration, creating specially crafted packets, and modifying software to exploit vulnerabilities. However, while it is widely used as a defensive technique, some attackers also employ it with malicious intent, utilizing available open-source penetration testing tools. Penetration testing on internal networks, such as networks that connect IoT/sensors/web cameras, can be utilized to find vulnerabilities and fix them to secure the networks. In this research, we present a detailed discussion of penetration testing and its seven phases of action, and provide a step-by-step procedure with instructions using various open-source tools to conduct penetration testing and vulnerability assessments of a network. Finally, we demonstrate the process and results of simulated attacks on our network within the testing environment.
This research provides a comprehensive introduction to penetration testing and a testbed through real-world attack simulation. IT administrators and security enthusiasts can utilize them to secure networks, devices, clients, servers, and applications while enhancing the organization’s overall security.

Author Biographies

Petar Lachkov, Director of the Cyber Engineering Technology/Cyber Security Research Center, Department of Computing and Cyber Security, Texas A&M University-San Antonio, One University Way, San Antonio, TX 78224, USA

Petar Lachkov graduated from the Department of Computing and Cybersecurity at Texas A&M University with an honors degree. His research interests include web application security, privacy, cyberattack simulation, and vulnerability assessment.

Lo’ai Tawalbeh, Director of the Cyber Engineering Technology/Cyber Security Research Center, Department of Computing and Cyber Security, Texas A&M University-San Antonio, One University Way, San Antonio, TX 78224, USA

Lo’ai Tawalbeh (IEEE SM) completed his PhD degree in Electrical & Computer Engineering at Oregon State University in 2004, and his MSc in 2002 at the same university with a GPA of 4/4. Dr. Tawalbeh is currently a tenured Associate Professor in the Department of Computing and Cyber Security at Texas A&M University-San Antonio. He also worked as an R&D engineer at the leading digital design company SYNOPSYS, OR, USA. Before that he was a visiting researcher at the University of California-Santa Barbara. Since 2005 he has taught or developed more than 30 courses in different disciplines of computer engineering and science, with a focus on cyber security, for the undergraduate and graduate programs at New York Institute of Technology (NYIT), DePaul University, and Jordan University of Science and Technology. Dr. Tawalbeh has won many research grants and awards totaling over 2 million USD. He has supervised more than 30 graduate students (PhD and MSc). He has over 130 research publications in refereed international journals and conferences. https://orcid.org/0000-0002-2294-9829

Smriti Bhatt, Director of the Cyber Engineering Technology/Cyber Security Research Center, Department of Computing and Cyber Security, Texas A&M University-San Antonio, One University Way, San Antonio, TX 78224, USA

Smriti Bhatt is an Assistant Professor of Computer Science in the Department of Computing and Cyber Security at Texas A&M University-San Antonio. Dr. Bhatt teaches cybersecurity and computer science courses in the department. She received her Ph.D. in Computer Science from the University of Texas at San Antonio and did her doctoral research at the Institute for Cyber Security (ICS) and the Center for Security and Privacy Enhanced Cloud Computing (C-SPECC). Dr. Bhatt’s research expertise is in the field of cyber security, mainly focused on access control and communication control models, and on security and privacy in cloud computing and the Internet of Things (IoT). Her current research projects focus on developing secure access control and communication control models for Cloud-Enabled Internet of Things architecture applicable to various IoT domains, such as Smart Home, Smart Health, and Wearable IoT.

Published

2022-12-28

Issue

Section

Secure web applications based on Moving Target Defense: challenges, solutions an