Improving security of websites using vulnerability assessment
Abstract
The web is now an important means of transacting business. Without security, websites cannot thrive in today’s complex computer ecosystem as there are new threats emerging as old ones are being tackled. Vulnerability assessment is one of the means by which security can be improved on websites. The aim of this study was to use vulnerability assessment to improve security by identifying vulnerabilities and proposing solutions to solve the security issues. Assessment was done on 5 web hosts belonging to different entities. Two of the web host had recently been compromised so this assessment was important to them. Nmap, Nikto and Nessus were the tools used for the assessment. The first stage in the vulnerability assessement was information planning which involved activities and configurations performed before the actual assessement. The second stage was information gathering which involved obtaining information about the targets necessary to help identify vulnerabilities. This was followed by vulnerability scanning to identify vulnerabilities on the target hosts. The results indicated all the five hosts had security flaws which needed to be addressed. 16 vulnerabilities were identified on host 1, 8 vulnerabilities were identified on host 2, 15 vulnerabilities on host 3, 4 vulnerabilities on host 4 and 10 vulnerabilities on host 5. After the vulnerabilities were identified, a solution was proposed to mitigate the security flaws identified. The solution involved three steps which were encryption, network monitoring and update and upgrade. At the end of the study reports were sent to the web managers of the hosts on which the assessments were done. The study was beneficial to the respective managers of the website because they discovered security flaws which they were not aware of even though there had been recent upgrade of their infrastructures.
Description
A Thesis submitted to the Department of Computer Science,
Kwame Nkrumah University of Science and
Technology
in partial fulfilment of the requirements for the degree of Master of Science in Information Technology,