Abstract
To analyze information technology and computer system vulnerabilities, this paper uses a “systematic review analysis: 2000–2015” with two searches: the first established using suitable keywords, the second performed within the references used by the selected papers.
A detailed approach to analyzing an organization's vulnerabilities covers the organization's physical and infrastructure vulnerabilities, as well as software, network, policy, and information system vulnerabilities.
Our findings highlight the following as the most important vulnerabilities of networks: buffer overruns, operating environment, resource exhaustion, race conditions, standardization of canonical form, violation of trust, injection attacks, cross-site scripting, non-secure cryptographic storage, and failure to restrict URL access.
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
About this paper
Cite this paper
Zare, H., Zare, M.J., Azadi, M. (2018). Cybersecurity Vulnerabilities Assessment (A Systematic Review Approach). In: Latifi, S. (eds) Information Technology - New Generations. Advances in Intelligent Systems and Computing, vol 738. Springer, Cham. https://doi.org/10.1007/978-3-319-77028-4_10
DOI: https://doi.org/10.1007/978-3-319-77028-4_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-77027-7
Online ISBN: 978-3-319-77028-4
eBook Packages: Engineering, Engineering (R0)