security risk assessment
Recently Published Documents


Total documents: 633 (five years: 175)

H-index: 19 (five years: 6)

2022, Vol 70 (2), pp. 2297-2317
Author(s): Ahmed S. Alfakeeh, Abdulmohsen Almalawi, Fawaz Jaber Alsolami, Yoosef B. Abushark, Asif Irshad Khan, ...

Author(s): Harsh Makadia, Jainish Kotadia

This document offers data involving mobile security exploitation penetration testing. Compared to desktop computers, the expansion of mobile devices has been tremendous in recent years. Mobile devices are integrated into the daily activities of people's lives. Mobile applications have become a part of our daily lives, so that virtually every internet or desktop application can be run from a smartphone, e.g. social networking, online banking, gaming applications and many others. This document also covers different types of mobile security threats, types of penetration testing, phases of penetration testing, principles of testing and a security risk assessment model. The expansion of mobile devices nowadays opens vast scope for attackers to steal sensitive information or to perform other kinds of attacks on these devices. The main purpose is to know the vulnerabilities and the techniques used to find vulnerabilities in mobile applications. In the paper we have studied different kinds of security risks concerning mobile devices and mobile applications, and various defensive mechanisms to stop these security risks in mobile devices.


2021, Vol 1 (13), pp. 35-48
Author(s): Phùng Văn Ổn, Lê Việt Hà, Nguyễn Ngọc Hóa

Summary—This paper presents the results of research on building a solution for assessing and managing information system security risks in e-Government. In this problem, we focus on building (i) a process for assessing and managing information security risks, and (ii) the software system UET.SRA (Security Risk Assessment System), which supports risk assessment and management according to that process. Information security risk management and assessment combine domestic and international standards, including the processes in ISO/IEC 27005:2011 and NIST SP 800-39, but are customized to fit the practice of government agencies. The UET.SRA software system assesses information security risks by checking for Common Vulnerabilities and Exposures (CVE); risk is estimated quantitatively according to the Common Vulnerability Scoring System (CVSS) and the Open Web Application Security Project (OWASP). In addition, UET.SRA provides functions for analyzing and detecting vulnerabilities and malicious code in the source code of web applications using deep learning. Experimental results of the UET.SRA solution at the Ministry of Natural Resources and Environment have initially demonstrated its practical significance and make it possible to manage information security risks for a number of the Ministry's critical systems.

Abstract—This article presents the results of building a solution to assess and manage security risks for the e-Government information system. We focus on building a process and software system UET.SRA to manage and assess security risks. The process was developed using a combination of international and domestic standards including ISO/IEC 27005:2011 and NIST SP 800-39, but customized to match the practice of government agencies. UET.SRA evaluates security risks based on CVEs vulnerability testing; quantitative risk based on CVSS and OWASP standards. In addition, UET.SRA also provides the function of detecting vulnerabilities and webshell in the source code of web applications using deep learning algorithms. The experimental results of UET.SRA at the Ministry of Natural Resources and Environment have initially demonstrated practical effectiveness in managing security risks for a number of critical systems.


2021, Vol 9 (12), pp. 1384
Author(s): Iosif Progoulakis, Paul Rohmeyer, Nikitas Nikitakos

The integration of IT, OT, and human factor elements in maritime assets is critical for their efficient and safe operation and performance. This integration defines cyber physical systems and involves a number of IT and OT components, systems, and functions that involve multiple and diverse communication paths that are technologically and operationally evolving along with credible cyber security threats. These cyber security threats and risks as well as a number of known security breach scenarios are described in this paper to highlight the evolution of cyber physical systems in the maritime domain and their emerging cyber vulnerabilities. Current industry and governmental standards and directives related to cyber security in the maritime domain attempt to enforce the regulatory compliance and reinforce asset cyber security integrity for optimum and safe performance with limited focus, however, in the existing OT infrastructure and systems. The use of outside-of-the-maritime industry security risk assessment tools and processes, such as the API STD 780 Security Risk Assessment (SRA) and the Bow Tie Analysis methodologies, can assist the asset owner to assess its IT and OT infrastructure for cyber and physical security vulnerabilities and allocate proper mitigation measures assuming their similarities to ICS infrastructure. The application of cyber security controls deriving from the adaptation of the NIST CSF and the MITRE ATT&CK Threat Model can further increase the cyber security integrity of maritime assets, assuming they are periodically evaluated for their effectiveness and applicability. Finally, the improvement in communication among stakeholders, the increase in operational and technical cyber and physical security resiliency, and the increase in operational cyber security awareness would be further increased for maritime assets by the convergence of the distinct physical and cyber security functions as well as onshore- and offshore-based cyber infrastructure of maritime companies and asset owners.


Author(s): Roman Ushakov, Elena Doynikova, Evgenia Novikova, Igor Kotenko
