Abstract
This work carries out a comprehensive analysis of the cybersecurity of the academic environments “www.ups.edu.ec”, “cas.ups.edu.ec”, “virtual.ups.edu.ec” and “dspace.ups.edu.ec” of the Universidad Politécnica Salesiana, using specialised tools such as Kali Linux and Nessus. With these tools, critical aspects of a system's security are evaluated: how well it resists attacks, how effective its defence mechanisms are, and how well weak points that could be exploited can be identified. The assessment applies a novel methodology that draws on emerging technologies and current techniques.
Vulnerabilities were identified in all four web domains studied. They were classified using the Common Vulnerability Scoring System (CVSS), which made it possible to prioritise and address the most critical ones first. Open ports were also scanned to identify possible unauthorised access points. In addition, an email phishing attack was simulated by cloning the Universidad Salesiana login site to assess users' susceptibility to this threat.
The analysis revealed critical vulnerabilities, including an obsolete PHP version and possible remote code execution (CVSS 9.8-10) on “virtual.ups.edu.ec”. SSL/TLS problems were also detected, such as the use of weak ciphers and outdated TLS versions (CVSS up to 7.5). Medium-severity risks were identified relating to the absence of HSTS and to vulnerabilities in PHP and jQuery, together with lower-impact weak SSH configurations (CVSS 2.6-3.7). These results point to the need for updates and security improvements.
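The CVSS-based prioritisation and the TLS/HSTS findings described above, as an added example that is not part of the paper or of the authors' tooling: it maps scanner findings into the CVSS v3 qualitative severity bands, orders them for remediation, and audits a captured HTTPS response for weak protocol versions, weak cipher suites and a missing or weak Strict-Transport-Security header. All hosts, findings, scores, headers and cipher lists in the block are constructed sample data, not results of the authors' scans.

```python
"""Added example, not from the paper: rank scanner findings into CVSS v3
severity bands and audit a captured HTTPS response for the TLS/HSTS
weaknesses the abstract lists. All hosts, findings, headers and cipher
lists below are constructed sample data, not results of the authors' scans."""
from dataclasses import dataclass


def cvss_band(score: float) -> str:
    """Map a CVSS v3.x base score to FIRST's qualitative severity band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss: float


def prioritize(findings):
    """Order findings highest CVSS first and attach the severity band."""
    ranked = sorted(findings, key=lambda f: f.cvss, reverse=True)
    return [(f.host, f.title, f.cvss, cvss_band(f.cvss)) for f in ranked]


# Protocol versions and cipher-suite name tokens treated as weak.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_TOKENS = {"NULL", "EXP", "EXPORT", "RC4", "DES", "3DES", "MD5",
               "ADH", "AECDH", "ANON"}


def is_weak_cipher(name: str) -> bool:
    """Token match on OpenSSL ('DES-CBC3-SHA') or IANA ('TLS_RSA_WITH_RC4_128_MD5') names."""
    tokens = set(name.upper().replace("_", "-").split("-"))
    return bool(tokens & WEAK_TOKENS)


def audit_tls(protocols, ciphers):
    """Return (issue, detail) pairs for offered weak protocols and cipher suites."""
    issues = [("weak_protocol", p) for p in protocols if p in WEAK_PROTOCOLS]
    issues += [("weak_cipher", c) for c in ciphers if is_weak_cipher(c)]
    return issues


def audit_hsts(headers: dict, min_max_age: int = 31536000):
    """Check Strict-Transport-Security (header names are case-insensitive).

    Flags a missing header, a missing/invalid or short max-age (default
    threshold one year) and a missing includeSubDomains directive."""
    hsts = next((v for k, v in headers.items()
                 if k.lower() == "strict-transport-security"), None)
    if hsts is None:
        return ["hsts_missing"]
    directives = {}
    for part in hsts.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    issues = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        issues.append("hsts_max_age_invalid")
    elif int(max_age) < min_max_age:
        issues.append("hsts_max_age_short")
    if "includesubdomains" not in directives:
        issues.append("hsts_no_include_subdomains")
    return issues


def sample_report():
    """Run both audits over constructed data; returns the ranked findings."""
    findings = [  # constructed sample findings, hosts and scores
        Finding("host-a.example", "Outdated SSH key exchange algorithms", 3.7),
        Finding("host-b.example", "PHP unsupported version (possible RCE)", 9.8),
        Finding("host-a.example", "TLS 1.0 enabled", 7.5),
        Finding("host-c.example", "HSTS header missing", 5.3),
    ]
    ranked = prioritize(findings)
    for host, title, score, band in ranked:
        print(f"{band:8} {score:4.1f} {host:16} {title}")
    print(audit_tls(["TLSv1.0", "TLSv1.2"],
                    ["RC4-SHA", "ECDHE-RSA-AES256-GCM-SHA384"]))
    print(audit_hsts({"Strict-Transport-Security": "max-age=300"}))
    return ranked


if __name__ == "__main__":
    sample_report()
```

The band thresholds are the CVSS v3.x qualitative ratings (Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0), so the abstract's 9.8-10 PHP/RCE finding lands in Critical, the 7.5 TLS finding in High and the 2.6-3.7 SSH findings in Low. The one-year max-age threshold for HSTS is the value commonly required for preload eligibility; treat it as a policy choice, not a CVSS input.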
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Copyright 2024 Holger Santillan, Julio Andrés Arévalo Satán, Peregrina Wong