Reproducible modelling and simulating security vulnerability scanners evaluation framework towards risk management assessment of small and medium enterprises business networks

Ilias Chalvatzis; Dimitrios A Karras; Rallis C Papademetriou

doi:10.17485/IJST/v13i37.868

Article

Reproducible modelling and simulating security vulnerability scanners evaluation framework towards risk management assessment of small and medium enterprises business networks

VIEWS 943
PDF 2149

Indian Journal of Science and Technology

DOI: 10.17485/IJST/v13i37.868

Year: 2020, Volume: 13, Issue: 37, Pages: 3910-3943

Original Article

Reproducible modelling and simulating security vulnerability scanners evaluation framework towards risk management assessment of small and medium enterprises business networks

Ilias Chalvatzis¹, Dimitrios A Karras^2*, Rallis C Papademetriou¹

¹University of Portsmouth, UK, School of Energy & Electronic Engineering, Anglesea Building, Anglesea Road, Portsmouth (UK), PO1 3DJ
²School of Science, General Department, National and Kapodistrian University of Athens, Athens

*Corresponding Author
Email: [email protected]

Received Date:09 July 2020, Accepted Date:01 August 2020, Published Date:16 October 2020

This work is licensed under a Creative Commons Attribution 4.0 International License.

Abstract

Objectives: Risk Management has been recognized as a critical issue in computer infrastructures, especially in medium to large scale organizations and enterprises. The goal of this research report is to provide a practical comprehensive virtual machine based framework for assessing the performance of vulnerability scanners applied to such enterprises, focused to small and medium size ones towards a risk evaluation analysis. Moreover, the purpose of this paper is to compare three of the most well-known free vulnerability scanners (Nessus, OpenVAS, Nmap Scripting Engine) with regards to how they can be used to systematise the process of Risk Assessment in an enterprise, based on the herein presented experimental evaluation framework involving virtual machine testing. Method: The proposed methodology is based on developing a framework for suitable setup and usage of virtual machines making risk analysis practical and being capable of comparing different vulnerability scanners. Findings: The herein developed framework is shown to be efficient with regards to comparison and selection of candidate risk analysis software with easily accessed and affordable infrastructure. Novelty: Although there might be few other similar comparisons of vulnerability scanners in the literature, the main herein contribution is the provision of a practical and above all easily reproducible framework for small business enterprises to establish proper selection procedures of such security software without spending a lot of money for expensive testing infrastructure.

Keywords: Vulnerability Scanning; risk assessment; nessus; OpenVAS; Nmap scripting engine

References

Chalvatzis I, Karras DA, Papademetriou RC. Evaluation of security vulnerability scanners for small and medium enterprises business networks resilience towards risk assessment. In: International Conference on Artificial Intelligence and Computer Applications. IEEE. p. 52–58.
Manson S, Anderson D. Cybersecurity for Protection and Control Systems: An Overview of Proven Design Solutions. Institute of Electrical and Electronics Engineers (IEEE). 2019. doi: 10.1109/mias.2018.2875175
Humayed A, Lin J, Li F, Luo B. Cyber-Physical Systems Security—A Survey. IEEE Internet of Things Journal. 2017;4(6):1802–1831. doi: 10.1109/jiot.2017.2703172
Furnell SM, Clarke N, Werlinger R, Muldner K, Hawkey K, Beznosov K. Preparation, detection, and analysis: the diagnostic work of IT security incident response. Information Management & Computer Security. 2010.
Holm H, Sommestad T, Almroth J, Persson M. A quantitative evaluation of vulnerability scanning. . Information Management & Computer Security. 2011. doi: 10.1108/09685221111173058
Holm H. Performance of automated network vulnerability scanning at remediating security issues. . Computers & Security. 2012;31:164–175.
Badawy MA, El-Fishawy N, Elshakankiry O. Vulnerability scanners capabilities for detecting windows missed patches: Comparative study. In: International Conference on Security of Information and Communication Networks. Berlin, Heidelberg. Springer. p. 185–195.
Tripathy BK. Risk Assessment in IT Infrastructure. In: Ethics, Laws, and Policies for Privacy, Security, and Liability. .

Copyright

© 2020 Chalvatzis et al.This is an open-access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited. Published By Indian Society for Education and Environment (iSee).