Validation and testing of a security control for defacement on websites

Authors

  • Oscar Mondragón, Sikkerdata SAS
  • Andrés Felipe Mera Arcos, Sikkerdata SAS
  • Christian Urcuqui, Universidad Icesi, Cali
  • Andrés Navarro Cadavid, Universidad Icesi, Cali

DOI:

https://doi.org/10.18046/syt.v15i41.2442

Keywords:

Defacement, web application, security, vulnerability, web security, integrity.

Abstract

Cyberattacks on websites constantly affect the integrity and availability of information, making it necessary to implement safeguards that mitigate the resulting risks or reduce them to acceptable levels. Computer security incidents cause economic and reputational damage to organizations of all kinds. An increase in cyberattacks against different organizations has been identified; one of them, with a high reputational impact, is the defacement attack, which consists of the unauthorized modification or alteration of websites and compromises the integrity of the information they publish. This work presents the development of a model for establishing a security control that contains and reports this type of attack, currently focused on the websites of government agencies. The developed model allows online control of attacks on websites through the constant reading of certain parts of the source code, which makes it possible to detect changes and maintain the integrity of the information.
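The control the abstract describes, reading designated parts of a page's source and comparing them against a known-good state, can be illustrated as follows. This is an added example, not the authors' implementation: the HTML samples are constructed, the watched element ids are an assumed choice, and the regions are compared by SHA-256 digest so the stored baseline never has to hold page content.

```python
import hashlib
import re

# Constructed sample: the page as captured when the baseline was taken.
BASELINE_HTML = """<html><body>
<header id="banner"><h1>Agency portal</h1></header>
<main id="content"><p>Welcome to the official portal.</p></main>
<footer id="footer">Contact: info@example.gov</footer>
</body></html>"""

# Constructed sample: the same page after an unauthorized change inside <main>.
DEFACED_HTML = BASELINE_HTML.replace(
    "<p>Welcome to the official portal.</p>",
    "<p>Altered text (constructed sample).</p>")

# Assumed choice of the regions the control watches, identified by element id.
WATCHED_IDS = ("banner", "content", "footer")

def extract_region(html, element_id):
    """Return the inner markup of the first element carrying element_id, or None."""
    # Assumes the watched element does not nest another element with the same tag.
    pattern = re.compile(
        r'<(\w+)[^>]*\bid="%s"[^>]*>(.*?)</\1>' % re.escape(element_id), re.S)
    match = pattern.search(html)
    return match.group(2) if match else None

def region_digests(html):
    """Hash each watched region so the stored baseline holds digests, not content."""
    digests = {}
    for element_id in WATCHED_IDS:
        region = extract_region(html, element_id)
        # Collapse whitespace so cosmetic reformatting does not raise an alert;
        # a missing region hashes as empty and is therefore reported too.
        normalized = " ".join(region.split()) if region is not None else ""
        digests[element_id] = hashlib.sha256(normalized.encode("utf-8")).hexdigest()
    return digests

def check_integrity(baseline, current_html):
    """Compare the live page with the baseline; return the ids whose region changed."""
    current = region_digests(current_html)
    return sorted(i for i in WATCHED_IDS if current[i] != baseline[i])

if __name__ == "__main__":
    baseline = region_digests(BASELINE_HTML)
    print(check_integrity(baseline, BASELINE_HTML))  # []
    print(check_integrity(baseline, DEFACED_HTML))   # ['content']
```

In a deployment the baseline digests would be recomputed only after an authorized publication, and a non-empty result from check_integrity is what triggers the report.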

Author Biographies

  • Oscar Mondragón, Sikkerdata SAS
    Engineer in Electronics and Telecommunication (Universidad del Cauca, Popayán, Colombia) and Master in Informatics and Telecommunications (Universidad Icesi, Cali, Colombia). He has participated in two projects focused on information security developed by the Universidad Icesi's i2t research group. He is a founding partner of Sikkerdata SAS, a company dedicated to cyber security.
  • Andrés Felipe Mera Arcos, Sikkerdata SAS
    Engineer in Electronics and Telecommunication (Universidad del Cauca, Popayán, Colombia) and Master in Informatics and Telecommunications (Universidad Icesi, Cali, Colombia). He has participated in two projects focused on information security developed by the Universidad Icesi's i2t research group. He is a founding partner of Sikkerdata SAS, a company dedicated to cyber security.
  • Christian Urcuqui, Universidad Icesi, Cali
    Systems Engineer (emphasis in Management and Computing) and Master in Informatics and Telecommunications from Universidad Icesi (Cali, Colombia). Member of the Informatics and Telecommunications research group (i2t). His areas of interest include artificial intelligence, machine learning and security applied to informatics.
  • Andrés Navarro Cadavid, Universidad Icesi, Cali
    Full professor and Director of i2t (Informatics and Telecommunications research group) at the Universidad Icesi (Cali, Colombia). Electronics Engineer and Master in Technology Management (Universidad Pontificia Bolivariana de Medellín, Colombia), and Ph.D. in Telecommunications (Universidad Politécnica de Valencia, España). His main areas of interest are spectrum management, radio propagation and m-health.


Published

2017-08-01

Section

Original Research