ABSTRACT
A vulnerability management system is a disciplined, programmatic approach to discovering and mitigating vulnerabilities in a system. To protect systems from data exploitation and theft, vulnerability management operates as a cyclical practice of identifying, assessing, prioritizing, remediating, and mitigating security weaknesses. In this approach, root cause analysis is conducted to locate the underlying problems in policy, process, and standards, including configuration standards, and to correct them. Three major reasons make vulnerability assessment and management a vital part of IT risk management: 1. Persistent threats: attacks exploiting security vulnerabilities for financial gain and criminal agendas continue to dominate headlines; 2. Regulations: many government and industry regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX), mandate rigorous vulnerability management practices; and 3. Risk management: mature organizations treat vulnerability assessment and management as a key component of risk management [1]. Thus, as opposed to a reactive, technology-oriented approach, a well-organized and well-executed vulnerability management system is proactive and business-oriented. This research first collects all the vulnerabilities associated with a data analytic framework implemented with MongoDB on Singularity Linux containers (LXCs), using a vulnerability analysis testbed with seven different analysis tools. It then prioritizes the vulnerabilities as "Low", "Medium", or "High" according to their severity level, and discovers and analyzes the root cause of fifteen vulnerabilities of differing severity. Finally, for each root cause, it proposes security techniques to avoid or mitigate those vulnerabilities in the current system.
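The collection-and-prioritization step the abstract describes, as an added example that is not the paper's code or testbed: findings reported by several scanners for the same host and port are merged into one record, each record is normalized to the Low/Medium/High scale, and the result is ordered for remediation. The severity thresholds are an assumption taken from NVD's CVSS v2 ranges (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0); the paper does not state which mapping it used. The tool names, host, ports and findings are constructed sample data, not results from the paper's seven tools.

```python
"""Merge multi-scanner findings and prioritize them as Low/Medium/High.

Added example; not code from the paper or its testbed. Assumptions:
- Severity buckets follow NVD's CVSS v2 ranges: Low 0.0-3.9,
  Medium 4.0-6.9, High 7.0-10.0 (the paper does not state its mapping).
- Two reports describe the same vulnerability when host, port and a
  normalized key (CVE id or title) match across tools.
- Tool names, host and findings below are constructed sample data.
"""
from dataclasses import dataclass, field

SEVERITY_ORDER = {"High": 0, "Medium": 1, "Low": 2}


def severity_from_score(score: float) -> str:
    """Map a CVSS base score to the three-level scale (assumed NVD v2 ranges)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


@dataclass
class Finding:
    tool: str
    host: str
    port: int
    key: str      # CVE id when the scanner reports one, else a normalized title
    cvss: float


@dataclass
class MergedFinding:
    host: str
    port: int
    key: str
    cvss: float
    severity: str
    tools: set = field(default_factory=set)


def merge_findings(findings):
    """Collapse duplicate reports from different tools into one record each.

    When scanners disagree on the score, the highest one is kept so that a
    vulnerability is never under-prioritized because one tool scored it low.
    """
    merged = {}
    for f in findings:
        k = (f.host, f.port, f.key.upper())
        if k not in merged:
            merged[k] = MergedFinding(f.host, f.port, f.key.upper(),
                                      f.cvss, severity_from_score(f.cvss))
        m = merged[k]
        m.tools.add(f.tool)
        if f.cvss > m.cvss:
            m.cvss = f.cvss
            m.severity = severity_from_score(f.cvss)
    return list(merged.values())


def prioritize(merged):
    """Order for remediation: High first, then by score, then by how many tools agree."""
    return sorted(merged, key=lambda m: (SEVERITY_ORDER[m.severity], -m.cvss,
                                         -len(m.tools), m.host, m.port, m.key))


def count_by_severity(merged):
    """Tally records per severity level, the summary the abstract reports."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for m in merged:
        counts[m.severity] += 1
    return counts


# Constructed sample: four scanners looking at one container host.
SAMPLE_FINDINGS = [
    Finding("nmap", "10.0.0.5", 27017, "mongodb-no-authentication", 7.5),
    Finding("openvas", "10.0.0.5", 27017, "MongoDB-No-Authentication", 7.5),
    Finding("openvas", "10.0.0.5", 22, "ssh-weak-cipher", 5.0),
    Finding("nessus", "10.0.0.5", 22, "SSH-WEAK-CIPHER", 5.3),
    Finding("nessus", "10.0.0.5", 27017, "mongodb-no-authentication", 9.0),
    Finding("nikto", "10.0.0.5", 8080, "missing-x-frame-options", 2.6),
]

if __name__ == "__main__":
    ranked = prioritize(merge_findings(SAMPLE_FINDINGS))
    for m in ranked:
        print(f"{m.severity:6} {m.cvss:4.1f} {m.host}:{m.port} {m.key} "
              f"(reported by {', '.join(sorted(m.tools))})")
    print(count_by_severity(ranked))
```

Keeping the worst score across tools is a deliberate choice: a single low-scoring scanner should not pull a finding out of the High bucket, and the tool-agreement tie-breaker moves corroborated findings ahead of single-tool ones within a level. Root cause analysis, the next step in the abstract, would attach a cause (policy, process, or configuration standard) to each merged record rather than to each raw report.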
- Nige the Security Guy. "Risk." nigesecurityguy.wordpress.com, 2019. Available at: https://nigesecurityguy.wordpress.com/category/risk/ [Accessed 15 April 2019].
- Shetty, Roshan Ramprasad, Akalanka Mailewa Dissanayaka, Susan Mengel, Lisa Gittner, Ravi Vadapalli, and Hafiz Khan. "Secure NoSQL Based Medical Data Processing and Retrieval: The Exposome Project." In Companion Proceedings of the 10th International Conference on Utility and Cloud Computing (UCC '17 Companion), pp. 99--105. ACM, New York, NY, USA, 2017.
- Gittner, L. S., B. J. Kilbourne, R. Vadapalli, H. M. Khan, and M. A. Langston. "A multifactorial obesity model developed from nationwide public health exposome data and modern computational analyses." Obesity Research & Clinical Practice, 2017.
- Dissanayaka, Akalanka Mailewa, Roshan Ramprasad Shetty, Samip Kothari, Susan Mengel, Lisa Gittner, and Ravi Vadapalli. "A Review of MongoDB and Singularity Container Security in regards to HIPAA Regulations." In Companion Proceedings of the 10th International Conference on Utility and Cloud Computing (UCC '17 Companion), pp. 91--97. ACM, New York, NY, USA, 2017.
- Dissanayaka, Akalanka Mailewa, Susan Mengel, Lisa Gittner, and Hafiz Khan. "Dynamic & portable vulnerability assessment testbed with Linux containers to ensure the security of MongoDB in Singularity LXCs." In Companion Conference of Supercomputing 2018 (SC18), 2018.
- Johnson, Christopher, Mark Badger, David Waltermire, Julie Snyder, and Clem Skorupka. "Guide to Cyber Threat Information Sharing." NIST Special Publication (SP) 800-150 (Draft). National Institute of Standards and Technology, 2016.
- Sharma, Ruchi, and R. K. Singh. "An improved scoring system for software vulnerability prioritization." In Quality, IT and Business Operations, pp. 33--43. Springer, Singapore, 2018.
- Raspotnig, Christian, and Andreas Opdahl. "Comparing risk identification techniques for safety and security requirements." Journal of Systems and Software 86, no. 4 (2013): 1124--1151.
- Contag, Moritz, Robert Gawlik, Andre Pawlowski, and Thorsten Holz. "On the weaknesses of function table randomization." In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 185--207. Springer, Cham, 2018.
- Tevis, Jay-Evan J., and John A. Hamilton. "Methods for the prevention, detection and removal of software security vulnerabilities." In Proceedings of the 42nd Annual Southeast Regional Conference, pp. 197--202. ACM, 2004.
- Mardan, Azat. "Boosting Node.js and MongoDB with Mongoose." In Practical Node.js, pp. 239--276. Apress, Berkeley, CA, 2018.
- Doglio, Fernando. "Reactive Programming on the Back-end." In Reactive Programming with Node.js, pp. 47--66. Apress, Berkeley, CA, 2016.
- Ruhi Velasco, Enric. "Web Authorization and Authentication for Single Page Applications (SPAs)." Bachelor's thesis, Universitat Politècnica de Catalunya, 2018.
- Siekkinen, Matti, Guillaume Urvoy-Keller, Ernst W. Biersack, and Denis Collange. "A root cause analysis toolkit for TCP." Computer Networks 52, no. 9 (2008): 1846--1858.
- Hernández, Miguel, Luis Baquero, and Celio Gil. "Ethical Hacking on Mobile Devices: Considerations and Practical Uses." International Journal of Applied Engineering Research 13, no. 23 (2018): 16637--16647.
- Razaghpanah, Abbas, Arian Akhavan Niaki, Narseo Vallina-Rodriguez, Srikanth Sundaresan, Johanna Amann, and Phillipa Gill. "Studying TLS usage in Android apps." In Proceedings of the 13th International Conference on Emerging Networking Experiments and Technologies, pp. 350--362. ACM, 2017.
- Bhargavan, Karthikeyan, and Gaëtan Leurent. "On the practical (in-)security of 64-bit block ciphers: Collision attacks on HTTP over TLS and OpenVPN." In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 456--467. ACM, 2016.
- Ashawa, Moses. "Vulnerability Assessment and Evaluation of Associated Attacks on Physical and Virtual Networks." IUP Journal of Computer Sciences 12, no. 2 (2018).
- De Donno, Michele, Nicola Dragoni, Alberto Giaretta, and Angelo Spognardi. "DDoS-Capable IoT Malwares: Comparative Analysis and Mirai Investigation." Security and Communication Networks 2018 (2018).
- Briongos, Samira, Gorka Irazoqui, Pedro Malagón, and Thomas Eisenbarth. "CacheShield: Detecting Cache Attacks Through Self-Observation." In Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy, pp. 224--235. ACM, 2018.
- Cuzzocrea, Alfredo, and Hossain Shahriar. "Data masking techniques for NoSQL database security: A systematic review." In 2017 IEEE International Conference on Big Data (Big Data), pp. 4467--4473. IEEE, 2017.
- Constable, Scott D., Rob Sutton, Arash Sahebolamri, and Steve Chapin. "Formal Verification of a Modern Boot Loader." 2018.
- Deari, Raif, Xhemal Zenuni, Jaumin Ajdari, Florije Ismaili, and Bujar Raufi. "Analysis and Comparison of Document-Based Databases with Relational Databases: MongoDB vs MySQL." In 2018 International Conference on Information Technologies (InfoTech), pp. 1--4. IEEE, 2018.
- Ahmad, Khaleel, Mohammad S. Alam, and Nur Izura Udzir. "Security of NoSQL Database Against Intruders." Recent Patents on Engineering 13, no. 1 (2019): 5--12.
- Sathyadevan, Shiju, Nandini Muraleedharan, and Sreeranga P. Rajan. "Enhancement of Data Level Security in MongoDB." In Intelligent Distributed Computing, pp. 199--212. Springer, Cham, 2015.
- Siekkinen, Matti, Guillaume Urvoy-Keller, Ernst W. Biersack, and Taoufik En-Najjary. "Root cause analysis for long-lived TCP connections." In Proceedings of the 2005 ACM Conference on Emerging Network Experiment and Technology, pp. 200--210. ACM, 2005.
- Polese, Michele, Marco Mezzavilla, Menglei Zhang, Jing Zhu, Sundeep Rangan, Shivendra Panwar, and Michele Zorzi. "milliProxy: A TCP proxy architecture for 5G mmWave cellular systems." In 2017 51st Asilomar Conference on Signals, Systems, and Computers, pp. 951--957. IEEE, 2017.
- Le Malécot, Erwan, and Daisuke Inoue. "The Carna botnet through the lens of a network telescope." In International Symposium on Foundations and Practice of Security, pp. 426--441. Springer, Cham, 2013.
- Ding, Lai Qiang, Ziliang Chen, Junqing Hao, and Ting Wang. "Automatically adjusting timestamps from remote systems based on time zone differences." U.S. Patent Application 14/889,764, filed July 13, 2017.
- Kurtzer, Gregory M., Vanessa Sochat, and Michael W. Bauer. "Singularity: Scientific containers for mobility of compute." PLoS ONE 12, no. 5 (2017): e0177459.
- Garg, Surya Kant, and J. Lakshmi. "Workload performance and interference on containers." In 2017 IEEE SmartWorld, Ubiquitous Intelligence & Computing, Advanced & Trusted Computed, Scalable Computing & Communications, Cloud & Big Data Computing, Internet of People and Smart City Innovation (SmartWorld/SCALCOM/UIC/ATC/CBDCom/IOP/SCI), pp. 1--6. IEEE, 2017.
- Jawi, Suhairi Mohd, and Fakariah Hani Mohd Ali. "Non-intrusive SSL/TLS proxy implementation and issues." In 2015 IEEE Student Conference on Research and Development (SCOReD), pp. 684--689. IEEE, 2015.
- Fiebig, Tobias, Franziska Lichtblau, Florian Streibelt, Thorben Krüger, Pieter Lexis, Randy Bush, and Anja Feldmann. "Learning from the Past: Designing Secure Network Protocols." In Cybersecurity Best Practices, pp. 585--613. Springer Vieweg, Wiesbaden, 2018.
- Edward, Shakuntala Gupta, and Navin Sabharwal. "Administering MongoDB." In Practical MongoDB, pp. 191--212. Apress, Berkeley, CA, 2015.
- Edward, Shakuntala Gupta, and Navin Sabharwal. "MongoDB Architecture." In Practical MongoDB, pp. 95--157. Apress, Berkeley, CA, 2015.
- Mailewa, Akalanka, and Jayantha Herath. "Operating Systems Learning Environment with VMware." In The Midwest Instruction and Computing Symposium (MICS), 2014. Retrieved from http://www.micsymposium.org/mics2014/ProceedingsMICS_2014/mics2014_submission_14.pdf.
- Clark, Jeremy, and Paul C. Van Oorschot. "SoK: SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements." In 2013 IEEE Symposium on Security and Privacy, pp. 511--525. IEEE, 2013.
- Kambourakis, Georgios, and Stefanos Gritzalis. "Key Management in 802.16e." WiMAX Security and Quality of Service (2010): 63.
- Krovetz, Ted, and Phillip Rogaway. "The software performance of authenticated-encryption modes." In International Workshop on Fast Software Encryption, pp. 306--327. Springer, Berlin, Heidelberg, 2011.
- Oktay, Ucman, and Ozgur Koray Sahingoz. "Proxy network intrusion detection system for cloud computing." In 2013 International Conference on Technological Advances in Electrical, Electronics and Computer Engineering (TAEECE), pp. 98--104. IEEE, 2013.
- Petullo, W. Michael, and Jon A. Solworth. "Simple-to-use, secure-by-design networking in Ethos." In Proceedings of the Sixth European Workshop on System Security. ACM, 2013.
- Ren, Yufei. "Scalable End-to-End Data I/O over Enterprise and Data-Center Networks." PhD diss., The Graduate School, Stony Brook University, Stony Brook, NY, 2015.
- Jia, Yunhan Jack, Qi Alfred Chen, Yikai Lin, Chao Kong, and Z. Morley Mao. "Open doors for Bob and Mallory: Open port usage in Android apps and security implications." In 2017 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 190--203. IEEE, 2017.
- Deka, Ganesh Chandra. "Cloud database security issues and challenges." In Cloud Security: Concepts, Methodologies, Tools, and Applications, pp. 165--187. IGI Global, 2019.
- Dindoliwala, Vaishali J., and Rustom D. Morena. "Survey on Security Mechanisms in NoSQL Databases." International Journal of Advanced Research in Computer Science 8, no. 5 (2017).
- Horton, Michael, Biswanath Samanta, Christopher Reid, Lei Chen, and Christopher Kadlec. "Development of a Secure, Heterogeneous Cloud Robotics Infrastructure: Implementing a Mesh VPN and Robotic File System Security Practices." In SoutheastCon 2018, pp. 1--8. IEEE, 2018.
- Sianipar, Johannes Harungguan, Christian Willems, and Christoph Meinel. "Virtual Machine Integrity Verification in Crowd-Resourcing Virtual Laboratory." In 2018 IEEE 11th Conference on Service-Oriented Computing and Applications (SOCA), pp. 169--176. IEEE, 2018.
- Akintaro, Mojolaoluwa, Teddy Pare, and Akalanka Mailewa Dissanayaka. "Darknet and Black Market Activities Against the Cybersecurity: A Survey." In The Midwest Instruction and Computing Symposium (MICS), North Dakota State University, Fargo, ND, April 5--6, 2019.
- Ibrahim, Jabir Muhammad, Amin Karami, and Fahimeh Jafari. "A Secure Smart Home using Internet-of-Things." In Proceedings of the 9th International Conference on Information Management and Engineering, pp. 69--74. ACM, 2017.
- George, Vathalloor Merin, and Qusay H. Mahmoud. "Claimsware: A claims-based middleware for securing IoT services." In 2017 IEEE 41st Annual Computer Software and Applications Conference (COMPSAC), vol. 1, pp. 649--654. IEEE, 2017.
- Wang, Xin, Aastha Madaan, Eugene Siow, and Thanassis Tiropanis. "Sharing databases on the Web with Porter Proxy." In Proceedings of the 26th International Conference on World Wide Web Companion, pp. 1673--1676. International World Wide Web Conferences Steering Committee, 2017.
- Shahriar, Hossain, and Hisham M. Haddad. "Security Vulnerabilities of NoSQL and SQL Databases for MOOC Applications." International Journal of Digital Society 8, no. 1 (2017).
- Bajtoš, Tomáš, Pavol Sokol, and Terézia Mézešová. "Virtual honeypots and detection of telnet botnets." In Proceedings of the Central European Cybersecurity Conference 2018, p. 2. ACM, 2018.
- Fee, Gregory D., Aaron Goldfeder, John M. Hawkins, Jamie L. Cool, Sebastian Lange, and Sergey Khorun. "Evidence-based application security." U.S. Patent 7,669,238, issued February 23, 2010.
- Mailewa, Akalanka, Jayantha Herath, and Susantha Herath. "A Survey of Effective and Efficient Software Testing." In The Midwest Instruction and Computing Symposium (MICS), Grand Forks, ND, April 10--11, 2015.
- Satapathy, Ashutosh, and Jenila Livingston L. M. "A Comprehensive Survey on SSL/TLS and their Vulnerabilities." International Journal of Computer Applications 153, no. 5 (2016): 31--38.
- Simkhada, Emerald, Elisha Shrestha, Sujan Pandit, Upasana Sherchand, and Akalanka Mailewa Dissanayaka. "Security Threats/Attacks via Botnets and Botnet Detection & Prevention Techniques in Computer Networks: A Review." In The Midwest Instruction and Computing Symposium (MICS), North Dakota State University, Fargo, ND, April 5--6, 2019.
Index Terms
- Vulnerability Prioritization, Root Cause Analysis, and Mitigation of Secure Data Analytic Framework Implemented with MongoDB on Singularity Linux Containers