Network Security Evaluation and Training Based on Real World Scenarios of Vulnerabilities Detected in Portuguese Municipalities’ Network Devices
Nowadays, public and private organizations have demonstrated some sensibility in maintenance and security updates of their equipment. However, their main focus are servers and workstations, leaving network devices, such as routers and switches often forgotten in this process. This research addresses the vulnerabilities on network equipment, intending to evaluate their dimension, in Portugal’s City Halls and, after that, analyze and rate their impact according to taxonomies, such as CAPEC. This study also aims to set of vulnerabilities to reply, elucidate and sensitize not just City Halls ITs, but also other type of public and private organizations about the risks related to outdate network devices. The vulnerability demonstrations were done through the design of different scenarios, with real devices, installed in a mobile rack, called “Hack Móvel” and using network simulators. Each scenario was documented with multimedia contents, allowing teaching hacking techniques in network devices. As methodology, the study adopts the quantitative method, through the application of questionnaires applied to each City Hall, in order to collect relevant information about the device models and brands, as well as the firmware version they are really using. It is also adopted the quantitative method in order to perform tests with real users and evaluate the scenarios that were designed. Results show a really good acceptance of the “Hack Móvel” by users and their motivation to increase their knowledge on the computer security and hacking techniques field.
KeywordsPentest Audits to information systems Network devices Network security Network vulnerabilities Security training
Thanks to “Fundação para a Ciência e a Tecnologia” for grant through “UID/CEC/04668/2016-LISP.
- 1.Seacord, R., Householder, A.: A Structures Approach to Classifying Security Vulnerabilities (2005). http://oai.dtic.mil/oai/oai?verb=getRecord&metadataPrefix=html&identifier=ADA430968. Accessed June 2018
- 2.CAPEC: Common Attack Pattern Enumeration and Classification. https://capec.mitre.org. Accessed Aug 2018
- 3.CWE: Common Weakness Enumeration. http://cwe.mitre.org. Accessed Aug 2018
- 4.CVE: Common Vulnerabilities and Exposures. https://cve.mitre.org. Accessed Aug 2018
- 5.CVSS: Common Vulnerability Scoring System. http://www.first.org/cvss. Accessed Aug 2018
- 6.Liebmann, L.: SNMP’s Real Vulnerability. Communication News, p. 50, April 2002Google Scholar
- 8.Shivamalini, L., Manjunath, S.: An approach to secure hierarchical network using joint security and routing analysis. Int. J. Comput. Appl. 28(8) (2011). http://www.ijcaonline.org/volume28/number8/pxc3874752.pdf. Accessed July 2018
- 9.Stasinopoulos, A., Ntantogian, C., Xenakis, C.: The weakest link on the network: exploiting ADSL routers to perform cyber-attacks. IEEE (2013). http://ieeexplore.ieee.org/xpl/articleDetails.jsp?reload=true&arnumber=6781868&sortType%3Dasc_p_Sequence%26filter%3DAND(p_IS_Number%3A6781844). Accessed July 2018
- 10.National Statistical Institute. https://www.ine.pt/xportal/xmain?xpid=INE&xpgid=ine_destaques&DESTAQUESdest_boui=83328022&DESTAQUESmodo=2&xlang=en. Accessed July 2018
- 11.WSilicon Week. http://www.siliconweek.es/noticias/y-los-fabricantes-mas-valorados-de-routers-y-switches-son-52916. Accessed July 2018
- 12.CVE Details: The Ultimate Security Vulnerability Datasource. http://www.cvedetails.com. Accessed June 2018
- 13.Akram, O.K., Mohammed Jamil, N.F., Franco, D.J., Graça, A., Ismail, S.: How to Guide Your Research Using ONDAS Framework (2018)Google Scholar