Vulnerability Assessment for Applications Security Through Penetration Simulation and Testing
Keywords:Penetration testing, ethical hacking, applications security, firewall, IDS/IPS, server, client, privacy, vulnerability assessment
Cybersecurity threats and attacks are a critical concern for computing systems as general and specifically in web applications. There are many types and categories of cyberattacks on web applications. Many of these attacks are made possible due to existing vulnerabilities in the networking environments and platforms that host these web applications. So, the vulnerability assessment and attacks simulations on these networking platforms are of extreme importance to protect and secure the top web applications that play a prime role in our daily life. One of the widely used mechanisms to identify vulnerabilities and defend against different attacks on systems and networks is Penetration Testing. It allows us to simulate real-world attacks on a network or a single device to determine the susceptibility and impact of cybersecurity attacks. Pen testing aims to secure a system or network by performing a full-blown attack against it. Several techniques have been used for that, from port scanning, service, and operating system detection to network enumeration, creating specially crafted packets, and modifying software to exploit vulnerabilities. However, while it is used widely as a defensive technique, some attackers also employ it for malicious intentions utilizing available open-source penetration testing tools. Penetration testing on internal networks such as networks that connect IoT/sensors/web cameras, can be utilized to find vulnerabilities and fix them to secure the networks. In this research, we present a detailed discussion on penetration testing and its seven phases of action and provide a step-by-step procedure with instructions using various open-source tools to conduct penetration testing and vulnerability assessments of a network. We finally demonstrate the process and results of simulated attacks on our network within the testing environment. This research provides a comprehensive introduction to penetration testing and testbed through real-world attack simulation. The IT administrator or security enthusiast can utilize them to secure networks, devices, clients, servers, and applications while enhancing the overall organization’s security.
Bacudio, Aileen G., Xiaohong Yuan, Bei-Tseng Bill Chu, and Monique Jones. “An overview of penetration testing.” International Journal of Network Security & Its Applications 3, no. 6 (2011): 19.
Zaldivar, David, A. Tawalbeh Lo’ai, and Fadi Muheidat. “Investigating the security threats on networked medical devices.” In 2020 10th Annual Computing and Communication Workshop and Conference (CCWC), pp. 0488–0493. IEEE, 2020.
Al-Haija, Qasem Abu. “Autoregressive modeling and prediction of annual worldwide cybercrimes for cloud environments.” In 2019 10th International Conference on Information and Communication Systems (ICICS), pp. 47–51. IEEE, 2019.
“Current CVSS Score Distribution For All Vulnerabilities.” CVE Security Vulnerability Database. Security Vulnerabilities, Exploits, References and More. Last accessed April 6th, 2021. https://www.cvedetails.com/cve/CVE-2019-15107/
Lo’ai, A. Tawalbeh, Hala Tawalbeh, Houbing Song, and Yaser Jararweh. “Intrusion and attacks over mobile networks and cloud health systems.” In 2017 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), pp. 13–17. IEEE, 2017.
AlDairi, Anwaar. “Cyber security attacks on smart cities and associated mobile technologies.” Procedia Computer Science 109 (2017): 1086–1091.
“Seven Penetration Testing Phases to Achieve Amazing Results.” CyberX,. Last accessed April 9th, 2021. https://cyberx.tech/penetration-testing-phases/.
OSINT Framework.” OSINT Framework, https://osintframework.com/.
Jararweh, Yaser, Haythem A. Bany Salameh, Abdallah Alturani, Loai Tawalbeh, and Houbing Song. “Anomaly-based framework for detecting dynamic spectrum access attacks in cognitive radio networks.” Telecommunication Systems 67, no. 2 (2018): 217–229.
“NVD/NIST” CVE-2018-1160 Detail, 12/20/2018, https://nvd.nist.gov/vuln/detail/CVE-2018-1160
Arkin, Brad, Scott Stender, and Gary McGraw. “Software penetration testing.” IEEE Security & Privacy 3, no. 1 (2005): 84–87.
Thompson, Herbert H. “Application penetration testing.” IEEE Security & Privacy 3, no. 1 (2005): 66–69.
McDermott, James P. “Attack net penetration testing.” In Proceedings of the 2000 workshop on New security paradigms, pp. 15–21. 2001.
WEISSMAN, C. Penetration Testing. In Handbook for the Computer Security Certification of Trusted Systems. Naval Research Laboratory Technical Memorandum 5540:082a, 24 January 1995.
Geer, Daniel, and John Harthorne. “Penetration testing: A duet.” In 18th Annual Computer Security Applications Conference, 2002. Proceedings., pp. 185–195. IEEE, 2002.
McLaughlin, Stephen, Dmitry Podkuiko, Sergei Miadzvezhanka, Adam Delozier, and Patrick McDaniel. “Multi-vendor penetration testing in the advanced metering infrastructure.” In Proceedings of the 26th Annual Computer Security Applications Conference, pp. 107–116. 2010.
Epling, Lee, Brandon Hinkel, and Yi Hu. “Penetration testing in a box.” In Proceedings of the 2015 Information Security Curriculum Development Conference, pp. 1–4. 2015.
Security Focus Netatalk CVE-2018-1160 Arbitrary Code Execution Vulnerability, last accessed April 1st, 2021. https://www.securityfocus.com/bid/106301.
Petters, Jeff. “What Is Metasploit? The Beginner’s Guide – Varonis.” Inside Out Security, Last Accessed April 4th, 2021, https://www.varonis.com/blog/what-is-metasploit/.
H. H. Alsaadi, M. Aldwairi, M. Al Taei, M. AlBuainain and M. AlKubaisi, “Penetration and Security of OpenSSH Remote Secure Shell Service on Raspberry Pi 2,” 2018 9th IFIP International Conference on New Technologies, Mobility and Security (NTMS), 2018, pp. 1–5, doi: 10.1109/NTMS.2018.8328710.
Alsaadi H.H., Aldwairi M., Muller-Stuler EM. (2019) Analyzing D-Wave Quantum Macro Assembler Security. In: Latifi S. (eds) 16th International Conference on Information Technology-New Generations (ITNG 2019). Advances in Intelligent Systems and Computing, vol. 800. Springer, Cham. https://doi.org/10.1007/978-3-030-14070-0_19
AlEroud, Ahmed, and Izzat Alsmadi. “Identifying cyber-attacks on software defined networks: An inference-based intrusion detection approach.” Journal of Network and Computer Applications 80 (2017): 152–164.
Easttom C. (2020) Vulnerability Assessment and Management. In: The NICE Cyber Security Framework. Springer, Cham. https://doi.org/10.1007/978-3-030-41987-5_12