Keywords
Kali Linux
Nessus
phishing
vulnerabilities
Kali Linux
Nessus
phishing
seguridad cibernética
vulnerabilidades
How to Cite
Abstract
This paper addresses a comprehensive analysis of cybersecurity systems in academic environments taking as a case study the domains: “www.ups.edu.ec”, “cas.ups.edu.ec”, “virtual.ups.edu.ec” y “dspace.ups.edu.ec”, of the Salesian Polytechnic University, using specialized tools such as Kali Linux and Nessus. Through these technologies, critical aspects of the system’s security are evaluated: its ability to resist attacks, how effective its defense mechanisms are, and its capacity to identify exploitable weak points. A novel methodology is applied to evaluate the security of the system, using emerging technologies and innovative techniques.
During the research, several vulnerabilities were identified covering the four studied domains. These were classified using the CVSS (Common Vulnerability Scoring System) rating protocol, which allowed the most critical ones to be prioritized and addressed first. In addition, a scan of open ports was performed to recognize possible unauthorized access points. As part of the security testing, a simulation of an email phishing attack was carried out by cloning the Salesian University access website, in order to assess users' susceptibility to this threat.
Domain security analysis revealed critical vulnerabilities, including an outdated version of PHP and possible remote code execution (CVSS 9.8-10) in “virtual.ups.edu.ec”. SSL/TLS security issues were also detected, such as the use of weak ciphers and outdated versions of TLS (CVSS up to 7.5). In addition, medium risks related to lack of HSTS and vulnerabilities in PHP and jQuery were found, along with weaker SSH configurations of lesser impact (CVSS 2.6-3.7). These results show the need for security updates and improvements.
References
K. S. Tapiawala and X. Wang, “Knowledge Exploration: Teaching Cyber-Security Using Controlled Web-Based Laboratories,” in The 24th Annual Conference on Information Technology Education, New York, NY, USA, Oct. 2023, pp. 216–217, doi: 10.1145/3585059.3611443.
J. R. R. Kumar, D. G. Bhalke, S. Nikam, S. Chobe, S. Khidse, and K. Kale, “Evaluation of the extent and demanding roles of ethical hacking in cybersecurity,” Journal of Autonomous Intelligence, vol. 7, no. 1, pp. 1-10, Sep. 2023, doi: 10.32629/jai.v7i1.1246.
V. Vlachos, I. Katsidimas, E. Kerimakis, S. Nikoletseas, S. Panagiotou, and P. Spirakis, “ASPIDA: A client-oriented platform for assessing websites security practices adoption and reward,” in 2021 29th Telecommunications Forum (TELFOR), Belgrade, Serbia, Nov. 2021, pp. 1–4, doi: 10.1109/TELFOR52709.2021.9653275.
A. Aibekova and V. Selvarajah, “Offensive Security: Study on Penetration Testing Attacks, Methods, and their Types,” in 2022 IEEE International Conference on Distributed Computing and Electrical Circuits and Electronics (ICDCECE), Ballari, India, Apr. 2022, pp. 1–9, doi: 10.1109/ICDCECE53908.2022.9792772.
M. Liu, Z. Xue, X. Xu, C. Zhong, and J. Chen, “Host-Based Intrusion Detection System with System Calls,” ACM Comput Surv, vol. 51, no. 5, pp. 1–36, Sep. 2019, doi: 10.1145/3214304.
G. Vishnuram, K. Tripathi, and A. Kumar Tyagi, “Ethical Hacking: Importance, Controversies and Scope in the Future,” in 2022 International Conference on Computer Communication and Informatics (ICCCI), Coimbatore, India, Jan. 2022, pp. 01–06, doi: 10.1109/ICCCI54379.2022.9740860.
M. A. M. Nieto et al., “Web Service to Retrieve and Semantically Enrich Datasets for Theses From Open Educational Repositories,” IEEE Access, vol. 8, pp. 171933–171944, Sep. 2020, doi: 10.1109/ACCESS.2020.3024614.
L. Gallo, D. Gentile, S. Ruggiero, A. Botta, and G. Ventre, “The human factor in phishing: Collecting and analyzing user behavior when reading emails,” Comput. Secur., vol. 139, p. 103671, Apr. 2024, doi: 10.1016/j.cose.2023.103671.
Y. Zhang, “Uncovering threats from the surface web and darknet: A qualitative analysis of content relating to cybersecurity and critical infrastructure,” M.A. Thesis, Simon Fraser Univ., Burnaby, BC, Canada, 2022.
S. C. Sethuraman, D. P. V S, T. Reddi, M. S. T. Reddy, and M. K. Khan, “A comprehensive examination of email spoofing: Issues and prospects for email security,” Comput. Secur., vol. 137, p. 103600, Feb. 2024, doi: 10.1016/j.cose.2023.103600.
H. Ahmetoglu and R. Das, “A comprehensive review on detection of cyber-attacks: Data sets, methods, challenges, and future research directions,” Internet of Things, vol. 20, p. 100615, Nov. 2022, doi: 10.1016/j.iot.2022.100615.
A. Jones, “Security Posture: A Systematic Review of Cyber Threats and Proactive Security,” Senior Honors Thesis, Liberty Univ., Lynchburg, VA, USA, 2022.
J.P. A. Yaacoub, H. N. Noura, O. Salman, and A. Chehab, “Ethical hacking for IoT: Security issues, challenges, solutions and recommendations,” Internet of Things and Cyber-Physical Systems, vol. 3, pp. 280–308, 2023, doi: 10.1016/j.iotcps.2023.04.002.
O. Morozova, A. Nicheporuk, A. Tetskyi, and V. Tkachov, “Methods and technologies for ensuring cybersecurity of industrial and web-oriented systems and networks,” Radioelectronic and Computer Systems, no. 4, pp. 145–156, Nov. 2021, doi: 10.32620/reks.2021.4.12.
M. Walkowski, J. Oko, and S. Sujecki, “Vulnerability Management Models Using a Common Vulnerability Scoring System,” Applied Sciences, vol. 11, no. 18, p. 8735, Sep. 2021, doi: 10.3390/app11188735.
H. Santillán, M. Suárez, and D. Cárdenas, “Desarrollo de una herramienta IoT para optimizar el control de la humedad en el cultivo de cacao,” Memoria Investigaciones en Ingeniería, vol. 25, pp. 246–265, Dec. 2023, doi: 10.36561/ING.25.14.
Banco Interamericano de Desarrollo and Organización de Estados Americanos, “Reporte Ciberseguridad 2020: riesgos, avances y el camino a seguir en América Latina y el Caribe,” Washington, DC, USA, Jul. 2020, doi: 10.18235/0002513.
J. M. Aguilar Antonio, “La brecha de ciberseguridad en América Latina frente al contexto global de ciberamenazas,” Revista de Estudios en Seguridad Internacional, vol. 6, no. 2, pp. 17–43, Dec. 2020, doi: 10.18847/1.12.2.
J. M. Aguilar Antonio, “Retos y oportunidades en materia de ciberseguridad de América Latina frente al contexto global de ciberamenazas a la seguridad nacional y política exterior,” Estudios Internacionales, vol. 53, no. 198, p. 169, Apr. 2021, doi: 10.5354/0719-3769.2021.57067.
D. R. Denslin Brabin and S. Bojjagani, “A Secure Mechanism for Prevention of Vishing Attack in Banking System,” in 2023 International Conference on Networking and Communications (ICNWC), Chennai, India, Apr. 2023, pp. 1–5, doi: 10.1109/ICNWC57852.2023.10127561.
N. I. Daud, K. A. Abu Bakar, and M. S. Md Hasan, “A case study on web application vulnerability scanning tools,” in 2014 Science and Information Conference, London, UK, Aug. 2014, pp. 595–600, doi: 10.1109/SAI.2014.6918247.
M. Al Ismaili, “Enhancing Cybersecurity: Exploring Effective Ethical Hacking Techniques with Kali Linux,” in Research and Applications Towards Mathematics and Computer Science, vol. 5, E.M. Abo-Dahab Khedary, Ed. India: B P International, 2023, pp. 135–152, doi: 10.9734/bpi/ratmcs/v5/5118C.
Y. Alkhurayyif and Y. Saad Almarshdy, “Adopting Automated Penetration Testing Tools,” Journal of Information Security and Cybercrimes Research, vol. 7, no. 1, pp. 51–66, Jun. 2024, doi: 10.26735/RJJT2453.
A. O. Bryushinin, A. V. Dushkin, and M. A. Melshiyan, “Automation of the Information Collection Process by Osint Methods for Penetration Testing During Information Security Audit,” in 2022 Conference of Russian Young Researchers in Electrical and Electronic Engineering (ElConRus), Saint Petersburg, Russian Federation, Jan. 2022, pp. 242–246, doi: 10.1109/ElConRus54750.2022.9755812.
E. Chatzoglou, V. Kouliaridis, G. Kambourakis, G. Karopoulos, and S. Gritzalis, “A hands-on gaze on HTTP/3 security through the lens of HTTP/2 and a public dataset,” Comput. Secur., vol. 125, p. 103051, Feb. 2023, doi: 10.1016/j.cose.2022.103051.
D. Guaman, F. Guaman, D. Jaramillo, and M. Sucunuta, “Implementation of techniques and OWASP security recommendations to avoid SQL and XSS attacks using J2EE and WS-Security,” in 2017 12th Iberian Conference on Information Systems and Technologies (CISTI), Lisbon, Portugal, Jun. 2017, pp. 1–7, doi: 10.23919/CISTI.2017.7975981.
R. Palacios, A. F. Fernandez-Portillo, E. F. Sanchez-Ubeda, and P. Garcia-De-Zuniga, “HTB: A Very Effective Method to Protect Web Servers Against BREACH Attack to HTTPS,” IEEE Access, vol. 10, pp. 40381–40390, Apr. 2022, doi: 10.1109/ACCESS.2022.3166175.
V. Vlachos, Y. C. Stamatiou, and S. Nikoletseas, “The Privacy Flag Observatory: A Crowdsourcing Tool for Real Time Privacy Threats Evaluation,” Journal of Cybersecurity and Privacy, vol. 3, no. 1, pp. 26–43, Jan. 2023, doi: 10.3390/jcp3010003.
T. Wróbel, M. Kędziora, M. Szczepanik, P. P. Jóźwiak, A. M. Jóźwiak, and J. Mizera–Pietraszko, “Progressive Mobile Web Application Subresource Tampering During Penetration Testing,” in Proc. 35th International Conference on Advanced Information Networking and Applications (AINA-2021) Volume 1, Toronto, ON, Canada, May 2021, pp. 297–306, doi: 10.1007/978-3-030-75100-5_26.
S. Shukla, M. Misra, and G. Varshney, “HTTP header based phishing attack detection using machine learning,” Transactions on Emerging Telecommunications Technologies, vol. 35, no. 1, Jan. 2024, doi: 10.1002/ett.4872.
J. Rawat, I. Kumar, N. Mohd, A. Maheshwari, and N. Sharma, “Analysis of Top Vulnerabilities in Security of Web-Based Applications,” in Proc. International Conference on Innovative Computing and Communications (ICICC-2023) Volume 1, Delhi, India, Feb. 2023, pp. 723–736, doi: 10.1007/978-981-99-3315-0_55.
E. B. Setiawan and A. Setiyadi, “Web vulnerability analysis and implementation,” IOP Conf. Ser. Mater. Sci. Eng., vol. 407, p. 012081, Sep. 2018, doi: 10.1088/1757-899X/407/1/012081.
S. Sharma and N. S. Yadav, “A multilayer stacking classifier based on nature-inspired optimization for detecting cross-site scripting attack,” International Journal of Information Technology, vol. 15, no. 8, pp. 4283–4290, Dec. 2023, doi: 10.1007/s41870-023-01459-5.
T. Singh and A. Kumar, “Analyzing Security and Privacy issues for Multi-Cloud Service Providers Using Nessus,” in 2023 Fifth International Conference on Electrical, Computer and Communication Technologies (ICECCT), Erode, India, Feb. 2023, pp. 01–08, doi: 10.1109/ICECCT56650.2023.10179727.
G. Vishnuram, K. Tripathi, and A. Kumar Tyagi, “Ethical Hacking: Importance, Controversies and Scope in the Future,” in 2022 International Conference on Computer Communication and Informatics (ICCCI), Coimbatore, India, Jan. 2022, pp. 01–06, doi: 10.1109/ICCCI54379.2022.9740860.
M. Ashraf, A. Zahra, M. Asif, M. Bin Ahmad, and S. Zafar, “Ethical Hacking Methodologies: A Comparative Analysis,” in 2021 Mohammad Ali Jinnah University International Conference on Computing (MAJICC), Karachi, Pakistan, Jul. 2021, pp. 1–5, doi: 10.1109/MAJICC53071.2021.9526243.
Rodríguez Matías, “Análisis de Vulnerabilidades del Portal Web utilizando Metodologías de Hacking Ético para un GAD Municipal de la Provincia de Santa Elena,” Bachelor’s Thesis, Univ. Estatal de la Península de Santa Elena, La Libertad, Ecuador, 2021.
I. N. Coello Ochoa, “Análisis de ciberataques en organizaciones públicas del Ecuador y sus impactos administrativos,” Degree Thesis, Univ. Politécnica Salesiana, Guayaquil, Ecuador, 2021.
C. Artavia Madrigal, M. Guevara García, I. Mora Zumbado, T. Murillo Murillo, M. Ramírez González, and V. Solano Ruiz, “Un Análisis del sistema educativo costarricense: Desafío crítico para la ciberseguridad del país,” Rhombus, vol. 3, no. 2, pp. 1-19, Sep. 2023. [Online]. Available: https://revistas.ulacit.ac.cr/index.php/rhombus/article/view/89
Comments
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Copyright (c) 2024 Holger Santillan, Julio Andrés Arévalo Satán , Peregrina Wong