35,473 research outputs found

    Reinforcement learning for efficient network penetration testing

    Penetration testing (also known as pentesting or PT) is a common practice for actively assessing the defenses of a computer network by planning and executing all possible attacks to discover and exploit existing vulnerabilities. Current penetration testing methods are increasingly becoming non-standard, composite and resource-consuming despite the use of evolving tools. In this paper, we propose and evaluate an AI-based pentesting system which makes use of machine learning techniques, namely reinforcement learning (RL) to learn and reproduce average and complex pentesting activities. The proposed system is named Intelligent Automated Penetration Testing System (IAPTS) consisting of a module that integrates with industrial PT frameworks to enable them to capture information, learn from experience, and reproduce tests in future similar testing cases. IAPTS aims to save human resources while producing much-enhanced results in terms of time consumption, reliability and frequency of testing. IAPTS takes the approach of modeling PT environments and tasks as a partially observed Markov decision process (POMDP) problem which is solved by POMDP-solver. Although the scope of this paper is limited to network infrastructures PT planning and not the entire practice, the obtained results support the hypothesis that RL can enhance PT beyond the capabilities of any human PT expert in terms of time consumed, covered attacking vectors, accuracy and reliability of the outputs. In addition, this work tackles the complex problem of expertise capturing and re-use by allowing the IAPTS learning module to store and re-use PT policies in the same way that a human PT expert would learn but in a more efficient way

    POINTER: a GDPR-compliant framework for human pentesting (for SMEs)

    Penetration tests have become a valuable tool in any organisation’s arsenal, in terms of detecting vulnerabilities in their technical defences. Many organisations now also “penetration test” their employees, assessing their resilience and ability to repel human-targeted attacks. There are two problems with current frameworks: (1) few of these have been developed with SMEs in mind, and (2) many deploy spear phishing, thereby invading employee privacy, which could be illegal under the new European General Data Protection Regulation (GDPR) legislation. We therefore propose the PoinTER (Prepare TEst Remediate) Human Pentesting Framework. We subjected this framework to expert review and present it to open a discourse on the issue of formulating a GDPR-compliant Privacy-Respecting Employee Pentest for SMEs

    BlackWatch: increasing attack awareness within web applications

    Web applications are relied upon by many for the services they provide. It is essential that applications implement appropriate security measures to prevent security incidents. Currently, web applications focus resources towards the preventative side of security. Whilst prevention is an essential part of the security process, developers must also implement a level of attack awareness into their web applications. Being able to detect when an attack is occurring provides applications with the ability to execute responses against malicious users in an attempt to slow down or deter their attacks. This research seeks to improve web application security by identifying malicious behaviour from within the context of web applications using our tool BlackWatch. The tool is a Python-based application which analyses suspicious events occurring within client web applications, with the objective of identifying malicious patterns of behaviour. This approach avoids issues typically encountered with traditional web application firewalls. Based on the results from a preliminary study, BlackWatch was effective at detecting attacks from both authenticated, and unauthenticated users. Furthermore, user tests with developers indicated BlackWatch was user friendly, and was easy to integrate into existing applications. Future work seeks to develop the BlackWatch solution further for public release

    Mixed-method study of a conceptual model of evidence-based intervention sustainment across multiple public-sector service settings.

    Background: This study examines sustainment of an EBI implemented in 11 United States service systems across two states, and delivered in 87 counties. The aims are to 1) determine the impact of state and county policies and contracting on EBI provision and sustainment; 2) investigate the role of public, private, and academic relationships and collaboration in long-term EBI sustainment; 3) assess organizational and provider factors that affect EBI reach/penetration, fidelity, and organizational sustainment climate; and 4) integrate findings through a collaborative process involving the investigative team, consultants, and system and community-based organization (CBO) stakeholders in order to further develop and refine a conceptual model of sustainment to guide future research and provide a resource for service systems to prepare for sustainment as the ultimate goal of the implementation process. Methods: A mixed-method prospective and retrospective design will be used. Semi-structured individual and group interviews will be used to collect information regarding influences on EBI sustainment including policies, attitudes, and practices; organizational factors and external policies affecting model implementation; involvement of or collaboration with other stakeholders; and outer- and inner-contextual supports that facilitate ongoing EBI sustainment. Document review (e.g., legislation, executive orders, regulations, monitoring data, annual reports, agendas and meeting minutes) will be used to examine the roles of state, county, and local policies in EBI sustainment. Quantitative measures will be collected via administrative data and web surveys to assess EBI reach/penetration, staff turnover, EBI model fidelity, organizational culture and climate, work attitudes, implementation leadership, sustainment climate, attitudes toward EBIs, program sustainment, and level of institutionalization. Hierarchical linear modeling will be used for quantitative analyses. Qualitative analyses will be tailored to each of the qualitative methods (e.g., document review, interviews). Qualitative and quantitative approaches will be integrated through an inclusive process that values stakeholder perspectives. Discussion: The study of sustainment is critical to capitalizing on and benefiting from the time and fiscal investments in EBI implementation. Sustainment is also critical to realizing broad public health impact of EBI implementation. The present study takes a comprehensive mixed-method approach to understanding sustainment and refining a conceptual model of sustainment

    An empirical comparison of commercial and open‐source web vulnerability scanners

    Web vulnerability scanners (WVSs) are tools that can detect security vulnerabilities in web services. Although both commercial and open-source WVSs exist, their vulnerability detection capability and performance vary. In this article, we report on a comparative study to determine the vulnerability detection capabilities of eight WVSs (both open and commercial) using two vulnerable web applications: WebGoat and Damn vulnerable web application. The eight WVSs studied were: Acunetix; HP WebInspect; IBM AppScan; OWASP ZAP; Skipfish; Arachni; Vega; and Iron WASP. The performance was evaluated using multiple evaluation metrics: precision; recall; Youden index; OWASP web benchmark evaluation; and the web application security scanner evaluation criteria. The experimental results show that, while the commercial scanners are effective in detecting security vulnerabilities, some open-source scanners (such as ZAP and Skipfish) can also be effective. In summary, this study recommends improving the vulnerability detection capabilities of both the open-source and commercial scanners to enhance code coverage and the detection rate, and to reduce the number of false-positives

    Implementation-effectiveness trial of an ecological intervention for physical activity in ethnically diverse low income senior centers.

    Background: As the US population ages, there is an increasing need for evidence based, peer-led physical activity programs, particularly in ethnically diverse, low income senior centers where access is limited. Methods/design: The 'Peer Empowerment Program 4 Physical Activity' (PEP4PA) is a hybrid Type II implementation-effectiveness trial that is a peer-led physical activity (PA) intervention based on the ecological model of behavior change. The initial phase is a cluster randomized control trial randomized to either a peer-led PA intervention or usual center programming. After 18 months, the intervention sites are further randomized to continued support or no support for another 6 months. This study will be conducted at twelve senior centers in San Diego County in low income, diverse communities. In the intervention sites, 24 peer health coaches and 408 adults, aged 50 years and older, are invited to participate. Peer health coaches receive training and support and utilize a tablet computer for delivery and tracking. There are several levels of intervention. Individual components include pedometers, step goals, counseling, and feedback charts. Interpersonal components include group walks, group sharing and health tips, and monthly celebrations. Community components include review of PA resources, walkability audit, sustainability plan, and streetscape improvements. The primary outcome of interest is intensity and location of PA minutes per day, measured every 6 months by wrist and hip accelerometers and GPS devices. Secondary outcomes include blood pressure, physical, cognitive, and emotional functioning. Implementation measures include appropriateness & acceptability (perceived and actual fit), adoption & penetration (reach), fidelity (quantity & quality of intervention delivered), acceptability (satisfaction), costs, and sustainability. Discussion: Using a peer led implementation strategy to deliver a multi-level community based PA program can enhance program adoption, implementation, and sustainment. Trial registration: ClinicalTrials.gov, USA (NCT02405325). Date of registration, March 20, 2015. This website also contains all items from the World Health Organization Trial Registration Data Set

    Vulnerability Analysis and Prevention on Software as a Service (SaaS) of Archive Websites

    Web Archive is a SaaS service that has an important role in providing better document storage and management. Good document management has a positive impact on optimizing business operations, increasing collaboration, reducing costs, and protecting sensitive information. Cybercrime, which has an increasingly high intensity, is a serious threat to the security of data stored in web archives. This research aims to improve data security on web archives by conducting ongoing testing. Testing was carried out on a server with a Linux operating system and web archives managed by a file manager system. This study tests the attack using the OWASP application method, and an XSS attack on a web archive with a Linux server and using a file management application. The testing phase includes Information Gathering, Vulnerability Assessment, Exploiting, and Reporting. Based on the results of the research, it was obtained that the first vulnerability test contained 9 vulnerabilities in 9 categories. The second vulnerability test obtained 7 vulnerabilities and the third test found no vulnerabilities. At the end of each test, recommendations for improvements to the web archive are made to the web archive manager and a re-testing process for vulnerabilities is carried out. This process is carried out repeatedly with continuous improvement. Testing the attack and repair of the web archive was carried out repeatedly and managed to get a vulnerability level of Level 0.1-3.9 points with Low status

    MODERN SOLUTIONS FOR THE BANKING DISTRIBUTION CHANNELS: E-BANKING –STRATEGY, COST AND BENEFICTS

    The banking industry is expected to be a leading player in ebusiness. Banks have established an Internet presence with various objectives. Most of them are using the Internet as a new distribution channel. Financial services, with the use of Internet, may be offered in an equivalent quantity with lower costs to the more potential customers. In the Romanian case, there have been identified some specific issues that restrain e-banking adoption: penetration and skills (PC, Internet), attitude towards technology, security and privacy concerns; trust in banking institutions, banking culture, e-banking culture, Internet banking. Internet banking, mobile banking, home banking, e-banking strategy, security.