AN ANALYSIS ON THE WEB SECURITY THREATS OF SMALL & MEDIUM ENTERPRISE THROUGH WEB VULNERABILITY INSPECTION

Published 31 Aug 2019 • vol 129


Authors:

Yong-joon Lee, Defense Security Institute, 89-10, Seosomun-ro, Jung-gu, Seoul 03742, Republic of Korea
Sung-su Choi, F1 Security, Seoul, Republic of Korea
Kwang-je Yeon, IT Nomads, Seoul, Republic of Korea

Abstract:

Attacks exploiting web application vulnerabilities have increased steadily each year, and companies make continuous efforts to find the causes of vulnerabilities and block intrusions in order to protect their systems and key information. Because web applications process user-supplied information and data, anyone can use them easily, and they are permanently exposed to external attacks; the risk of cyber attack is therefore high. An analysis of 730 hacking cases that occurred in Korea over the last two years showed that web vulnerability-related attacks were the most common type, accounting for 33.4% of all attacks, and that 27.9% of the victims were companies. This study therefore analyzed, as its empirical basis, the results of web vulnerability inspections conducted over nine months on 1,242 companies. A web vulnerability-based security threat evaluation index and security threat level measures were also derived from the OWASP vulnerability evaluation method to assess the companies' security threat levels with respect to web vulnerabilities. The findings showed that 72.1% (895) of the companies had vulnerabilities, and that the five most common types of web vulnerability were cross-site scripting (XSS, 41%), phishing through frames (20%), SQL injection (15%), link injection (13%), and blind SQL injection (7%), with other types accounting for 4%. In addition, 48% of all the web vulnerabilities found in the companies had high security threat levels, such as cross-site scripting, blind SQL injection, and PHP remote file inclusion.

Keywords:

Small & Medium Enterprise, Hacking Attack, Web Vulnerability Inspection, Web Service, Website

Citations:

APA:
Lee, Y.-J., Choi, S.-S., & Yeon, K.-J. (2019). An Analysis on the Web Security Threats of Small & Medium Enterprise Through Web Vulnerability Inspection. International Journal of Advanced Science and Technology (IJAST), ISSN: 2005-4238(Print); 2207-6360 (Online), NADIA, 129, 171-182. doi: 10.33832/ijast.2019.129.15.

MLA:
Lee, Yong-Joon, et al. “An Analysis on the Web Security Threats of Small & Medium Enterprise through Web Vulnerability Inspection.” International Journal of Advanced Science and Technology, ISSN: 2005-4238 (Print); 2207-6360 (Online), NADIA, vol. 129, 2019, pp. 171-182. IJAST, http://article.nadiapub.com/IJAST/Vol129/15.html.

IEEE:
[1] Y.-J. Lee, S.-S. Choi, and K.-J. Yeon, “An Analysis on the Web Security Threats of Small & Medium Enterprise through Web Vulnerability Inspection,” International Journal of Advanced Science and Technology (IJAST), ISSN: 2005-4238 (Print); 2207-6360 (Online), NADIA, vol. 129, pp. 171-182, Aug. 2019.