Vulnerability Analysis against Natural and Technological Threats: A Comparative Assessment in Tehran Metropolis Gas Supply Network

Resilience as a counterpoint to vulnerability can reduce the vulnerability of various natural, man-made, and technological threats in complex technical systems. The present study was designed and conducted with the aim of comparative assessment of the vulnerability of a gas supply network to natural and technological threats. This descriptive-analytical and cross-sectional study was carried out in Tehran metropolis gas supply network including town board stations, gas supply, and distribution networks in 2019-2020. The study was based on the vulnerability analysis method including three factors of likelihood, severity of consequences, and the degree of preparedness for threats. Comparative vulnerability assessment in these three sections of the gas supply network was performed using IBM SPSS software v. 23.0. Out of eleven identified hazardous elements, the vulnerability index for three hazardous elements was estimated as a weak level threat; four hazardous elements as a medium level threat and the vulnerability index for four hazards were evaluated as a severe threat. The results of comparative vulnerability assessment based on three parts of gas supply network showed that the highest vulnerabilities related to the gas distribution network (133.66±24.63), gas supply network (115.0±35.35), and town board stations (79.49±68.51. In addition, the results of Kruskal-Wallis test showed that the vulnerability difference in these three sections was not significant (p>0.05). The findings of the comparative assessment of vulnerability between different parts of the gas supply network including town board stations (TBS), gas supply and distribution network indicated that the resilience of these parts is relatively low and requires special attention in order to reduce vulnerability in Tehran metropolis gas supply network.

Phát triển Framework ứng dụng AI hỗ trợ tự động khai thác lỗ hổng bảo mật

Tóm tắt—Hiện nay, nhiệm vụ đánh giá an toàn thông tin cho các hệ thống thông tin có ý nghĩa quan trọng trong đảm bảo an toàn thông tin. Đánh giá/khai thác lỗ hổng bảo mật cần được thực hiện thường xuyên và ở nhiều cấp độ khác nhau đối với các hệ thống thông tin. Tuy nhiên, nhiệm vụ này đang gặp nhiều khó khăn trong triển khai diện rộng do thiếu hụt đội ngũ chuyên gia kiểm thử chất lượng ở các cấp độ khác nhau. Trong khuôn khổ bài báo này, chúng tôi trình bày nghiên cứu phát triển Framework có khả năng tự động trinh sát thông tin và tự động lựa chọn các mã để tiến hành khai thác mục tiêu dựa trên công nghệ học tăng cường (Reinforcement Learning). Bên cạnh đó Framework còn có khả năng cập nhật nhanh các phương pháp khai thác lỗ hổng bảo mật mới, hỗ trợ tốt cho các cán bộ phụ trách hệ thống thông tin nhưng không phải là chuyên gia bảo mật có thể tự động đánh giá hệ thống của mình, nhằm giảm thiểu nguy cơ từ các cuộc tấn công mạng. Abstract—Currently, security assessment is one of the most important proplem in information security. Vulnerability assessment/exploitation should be performed regularly with different levels of complexity for each information system. However, this task is facing many difficulties in large-scale deployment due to the lack of experienced testing experts. In this paper, we proposed a Framework that can automatically gather information and automatically select suitable module to exploit the target based on reinforcement learning technology. Furthermore, our framework has intergrated many scanning tools, exploited tools that help pentesters doing their work. It also can be easily updated new vulnerabilities exploit techniques.

Vulnerability Assessment and Penetration Testing On The Xyz Website Using Nist 800-115 Standard

Currently the website has become an effective communication tool. However, it is essential to have vulnerabilities assessment and penetration testing using specific standards on released websites to the public for securing information. The problems raised in this research are conducting vulnerability testing on the XYZ website to analyze security gaps in the XYZ website, as well as conducting penetration testing on high vulnerabilities found. Testing was conducted using the NIST 800 – 115 Standard through 4 main stages: planning, discovery, attack, and report. Several tools were used: Nmap, OWASP ZAP, Burp Suite, and Foxy Proxy. This research results are presented and analyzed. There were seven vulnerabilities found, one high-level vulnerability, two medium-level vulnerabilities, and four low-level vulnerabilities. At the high level, SQL Injection types are found, at the medium level, Cross-Domains Misconfiguration and vulnerabilities are found, at the low level, Absence of Anti-CSRF Tokens, Incomplete or No Cache-control and Pragma HTTP Header Set, Server Leaks Information via “X-Powered-By” HTTP Response Header Field and X-Content-Type-Options Header Missing are found.