Cybersecurity Vulnerabilities Assessment (A Systematic Review Approach)

Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 738)

Abstract

To analyze information technology and computer system vulnerabilities, this paper draws on a systematic review covering 2000–2015, with two rounds of searching: the first using suitable keywords, the second within the references cited by the selected papers.

A detailed approach to analyzing an organization's vulnerabilities covers its physical and infrastructure, software, network, policy, and information system vulnerabilities.

Our findings highlight the following as the most important network vulnerabilities: buffer overruns, operating environment, resource exhaustion, race conditions, standardization of canonical form, violation of trust, injection attacks, cross-site scripting, non-secure cryptographic storage, and failure to restrict URL access.

Keywords

Cyber-attack; IT system vulnerability; Software; Network; Systematic review; Vulnerability assessment

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Hossein Zare (1, 2)
  • Mohammad Jalal Zare (1, 2)
  • Mojgan Azadi (1, 2)
  1. University of Maryland University College, Upper Marlboro, USA
  2. The Johns Hopkins Center for Disparities Solution, Department of Health Policy and Management, Johns Hopkins Bloomberg School of Public Health, Baltimore, USA