A Review of Cyber-security Measuring and Assessment Methods for Modern Enterprises

Said F. Aboelfotoh - Mansoura University, Egypt
Noha A. Hikal - Mansoura University, Egypt


Citation Format:



DOI: http://dx.doi.org/10.30630/joiv.3.2.239

Abstract


Regarding the huge spread of technology among individuals and enterprises, technologies and electronic communications  become one of the most important pillars of the operation of small and large enterprises alike, and the source of education and entertainment for individuals, this led to thinking about the risks of reliance on this technology and the impact on the economic index of enterprises market, reputation and the safety of individuals and enterprises, these fears forced the  experts and decision-makers to think about information security and develop new methods to measure and assess the level of protection of information and data in enterprises and privacy of individuals. This paper introducing a review of recent cyber-security measuring and assessment methodologies and tools based on industry best practices for the measure and assesses of network security and protection of a modern enterprise data network. The analysis is based on a study the methods for the measurement and assessment of information security at the physical and technical level, penetration testing and identification of weaknesses in the cyber-security system followed and policies used in modern enterprises. A comprehensive description of the strengths, weaknesses, and licensing conditions for tools is presented. Moreover, major security requirements associated with modern enterprises is discussed and analyzed to discover vulnerability in the existing systems and explain the potential impact of this vulnerability.

Keywords


cyber security; performance measures; risk assessment; vulnerability scanner.

Full Text:

PDF

References


J. L. Bayuk, J. Healey, P. Rohmeyer, Marcus H. Sachs, Jeffrey Schmidt, Joseph Weiss. “Cyber Security Policy Guidebookâ€, First Edition. © 2012 John Wiley & Sons, Inc. Published by John Wiley & Sons, Inc )2012(.

Verzon Data Breach Investigations Report https://enterprise.verizon.com/resources/reports/DBIR_2018_Report_execsummary.pdf (2018)

IoD Policy Report, Cyber Security Underpinning the digital economy,https://www.iod.com/Portals/0/PDFs/Campaigns%20and%20Reports/Digital%20and%20Technology/Cyber%20Security%20-Underpinning%20the%20digital%20economy.pdf?ver=2016-09-13-171033-407, (2016)

R. Bronson, 4 Reasons Cybersecurity Is More Important Than Ever, https://www.techwell.com/techwell-insights/2018/12/4-reasons-cybersecurity-more-important-ever, (2018)

Sucuri security provider, Cryptocurrency Mining Malware Trends & Threat Predictions, https://sucuri.net/documentation/Sucuri-eBook-Cryptomining-Malware.pdf (2018)

Components of a Cyber Security Program at maricopa countyaz, USA, https://www.maricopa.gov/1948/Components-of-a-Cyber-Security-Program

Accenture company, “COST OF CYBER CRIME STUDY†Ponemon Institute LLC Attn: Research Department, 2308 US 31 North Traverse City, Michigan 49629 USA, 1.800.887.3118, [email protected] (2017).

D. Worth, negative impacts from cyber-attacks, University of Kent,https://phys.org/news/2018-10-negative-impacts-cyber-attacks.html, (2018)

M. Gerami, Impact of Cyber Threats on Business Profitability, ITU- ICT Faculty training on “Cybersecurityâ€, Iran, https://www.itu.int/en/ITU-D/Regional-Presence/AsiaPacific/SiteAssets/Pages/Events/2018/CybersecurityASPCOE/cybersecurity/Impact%20of%20Cyber%20Threats%20on%20Business%20Profitability.pdf, (2018)

Yang, Y., Littler, T., Sezer, S., McLaughlin, K., & Wang, H. F.. Impact of cyber-security issues on Smart Grid. 2nd IEEE PES International Conference and Exhibition on Innovative Smart Grid Technologies (2011).

Antiy CERT. Report on the Worm Stuxnet's Attack. Antiy Corp., Harbin, China. [Online]. Available: http://www.antiy.net/en/analysts/Report_On_the_Attacking_of_Worm_ Struxnet_by_antiy_labs.pdf . (2019).

W. Bhaya, M. Ebady Manaa†Review Clustering Mechanisms of Distributed Denial of Service Attacksâ€, Journal of Computer Science 10 (10): 2037-2046,ISSN: 1549-3636 (2014).

Scaife, N., Carter, H., Traynor, P., & Butler, K. R. B.. CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data. IEEE 36th International Conference on Distributed Computing Systems (ICDCS). doi:10.1109/icdcs.2016.46 (2016).

Databases of vulnerabilities generally include information from active vulnerability repositories, such as the United States Computer Emergency Readiness Team (US-CERT) (http://www.kb.cert.org/vuls/), or vendor advisories, such as BugTraq (http://www.securityfocus.com/archive/1).

Cynthia K. Veitch, Susan Wade, and John T. Michalski, Cyber Security Assessment Tools and Methodologies for the Evaluation of Secure Network Design at Nuclear Power Plants, Sandia National Laboratories P.O. Box 5800 Albuquerque, New Mexico 87185 (2012)

Kavita S.Kumavat, Ranjana P. Dahake, Dr.M.U.Kharat, Overview of Vulnerability Analysis, International Journal of Emerging Technology and Advanced Engineering, ISSN 2250-2459, ISO 9001:2008 Certiï¬ed Journal, Volume 3, Issue 10,October (2013)

K. Williams,Vulnerability list, VISTA Penetration Study Internet and inter-nal network security testing, Available at: http://www.internetbankingaudits.com/list_of_vulnerabilities.htm.

John Matherly. Shodan official Website. hps://www.shodan.io/

S. Lee, S. H. Shin, and B. h. Roh. Abnormal Behavior-Based Detection of Shodan and Censys-Like Scanning. In 2017 Ninth International Conference on Ubiquitous and Future Networks (ICUFN). 1048–1052. DOI:hp://dx.doi.org/10. 1109/ICUFN.2017.7993960, (2017)

Censys, official Website: https://www.censys.io/

Z. Durumeric, D. Adrian, A. Mirian, M. Bailey, and J. Alex Halderman.†A Search Engine Backed by Internet-Wide Scanning†In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM, New York, NY, USA, (2015).

The Zmap Project, official Website https://zmap.io/

zoomeye official Website. www.zoomeye.org

Google Hacking Database (GHDB). [Online]. Available: https://www.exploit-db.com/google-hacking-database/

Toffalini, F., Abbà , M., Carra, D., & Balzarotti, D. Google Dorks: Analysis, Creation, and New Defenses. Lecture Notes in Computer Science, 255–275.doi:10.1007/978-3-319-40667-1_13, (2016)

pentest-tools official Website. https://pentest-tools.com

Lee, N. M. Z., Ooi, S. Y., & Pang, Y. H.. Vulnerability Reports Consolidation for Network Scanners. Computational Science and Technology, 11–20.doi:10.1007/978-981-10-8276-4_2, (2018)

N. JHALA Network Scanning and Vulnerability Assessment with Report Generation, CSE-INS,IT,Nirma University May 13, 2014 CSE Department CSE-INS,IT,Nirma University, (2014)

Security tools https://sectools.org

Imperva official Website www.imperva.com

Retina Network Security Scanner official Website: https://www.beyondtrust.com/products/retina-network-security-scanner/

Acunetix Network Security Scanner official Website: https://www.acunetix.com/

Kindsight Security Labs, The Case for Network-based Malware Detection https://www.tmcnet.com/tmc/whitepapers/documents/whitepapers/2014/9599-case-network-based-malware-detection.pdf, (2014)

R. Sihwail, K. Omar, K. Akram Zainol Ariffin. A Survey on Malware Analysis Techniques: Static, Dynamic, Hybrid and Memory Analysi, DOI: http://dx.doi.org/10.18517/ijaseit.8.4-2.6827, (2018).

Damodaran, A., Troia, F. D., Visaggio, C. A., Austin, T. H., & Stamp, M. A comparison of static, dynamic, and hybrid analysis for malware detection. Journal of Computer Virology and Hacking Techniques, 13(1), 1–12. doi:10.1007/s11416-015-0261-z, (2015).

Best Antivirus Software of 2019 https://www.toptenreviews.com/software/security/best-antivirus-software/

D. P. Tshilombo , V. V. Gopala Rao, Two Way Authentication for Analytics as a Service in Cloud, ISSN (Online): 2581-5792, (2019)

G.Johansen, L.Allen, T.Heriyanto, S.Ali, Kali Linux 2 Assuring Security by Penetration Testing, Copyright © 2016 Packt Publishing,(2016)

R. Singh Patel, Kali Linux Social Engineering, Ref: 1171213,(2013)

A.KOYUN, E.Al Janabi, Social Engineering Attacks, Journal of Multidisciplinary Engineering Science and Technology (JMEST) (2017)

M. Corpuz, Enterprise Information Security Policy Assessment - An Extended Framework for Metrics Development Utilising the Goal-Question-Metric Approach, IS Institute, Queensland University of Technology, Brisbane, Queensland/4000, Australia, (â€2011).

Key Elements of an Information Security Policy, https://resources.infosecinstitute.com/key-elements-information-security-policy/#gref , (2018)