A Domains Approach to Remote Access Logical Vulnerabilities Classification
Автор: Samuel Ndichu, Sylvester McOyowo, Henry Okoyo, Cyrus Wekesa
Журнал: International Journal of Computer Network and Information Security @ijcnis
Статья в выпуске: 11 vol.11, 2019 года.
Бесплатный доступ
Remote access facilitates collaboration and the creation of a seamless work environment. This technology enables employees to access the latest versions of data and resources from different locations other than the organization’s premises. These additional locations include home or untrusted networks not governed by the organization's security policy and baseline. Balancing between security and accessibility is a significant challenge. Remote access can be a high-security risk if not correctly safeguarded and monitored. This paper presents some technologies and methods for remote access. It then highlights security concerns, attack vectors, and logical vulnerabilities in remote access. To address these security concerns and weaknesses, we present a domains approach to logical vulnerabilities in remote access and vulnerability scoring using the Common Vulnerability Scoring System (CVSS). Domains simplify device and user authentication and separate the organization network into logical and discrete entities. The separation enables a unique security application to each domain. Vulnerability scoring enhances remediation efforts through prioritization of the logical vulnerabilities. The approach comprehensively covers all points of compromise during remote access and contributes to effective logical vulnerability management. The results of the experiments provide evidence that all remote access domains have a high severity rating of at least a 7.28 CVSS score. Our study highlights the drawbacks of the current remote access methods and technologies such as the Virtual Private Network (VPN) and shows the importance of securing all domains during remote access.
Remote access, logical vulnerabilities, domains, attack vectors, vulnerability scoring
Короткий адрес: https://sciup.org/15016999
IDR: 15016999 | DOI: 10.5815/ijcnis.2019.11.05
Список литературы A Domains Approach to Remote Access Logical Vulnerabilities Classification
- Scarfone, K., and Souppaya, M. (2007). User’s Guide to Securing External Devices for Telework and Remote Access, NIST Special Publication 800-114.
- Harbert, S. (2011). Trends in Remote and Mobile Information Access Technologies. Technology Focus, Volume 23, №3, Fall 2011.
- Blakemore, M. (2001). The Potential and Perils of Remote Access in Confidentiality, Disclosure, and Data Access. Theory and Practical Application for Statistical Agencies, Elsevier, Pp.315-340.
- Harrell, J. (2014) The Evolution of the Threat Landscape and the Need for a Live Intelligence-based Approach to Security. Norse-corp August 2014.
- Trustwave. (2018) Trustwave global security report. Seventh annual edition, Pp.8-27.
- Nedeltchev, P. (2003). Troubleshooting Remote Access Networks. Cisco Press.
- Robichaux, P. (1999). Remote Access Twenty-Four Seven. SYBEX, Network Press.
- Homeland Security. (2011) Configuring and Managing Remote Access for Industrial Control Systems. Control Systems Security Program, Center for the Protection of National Infrastructure, National Cyber Security Division, Pp.19-32, April 2011.
- Scarfone, K. (2009). Security for Enterprise Telework and Remote Access Solutions. Computer Security Division Information Technology Laboratory, National Institute of Standards and Technology, NIST.
- NIST SP 800-46 Guide to Enterprise Telework and Remote Access Security. Recommendations of the National Institute of Standards and Technology, Revision 1.
- CISA. (2016) Protection of Information Assets. CISA Review Manual 26Th Edition, Chapter 5, Pp.353-383.
- Scarfone, K., Souppaya, M. and Hoffman, P. (2009) Guide to Enterprise Telework and Remote Access Security. Recommendations of the National Institute of Standards and Technology, NIST SP 800-46 Revision 1, June 2009.
- Arconati, N. (2002) One Approach to Enterprise Security Architecture. SANS Security Essentials GSEC version 1.3, SANS Institute 2002.
- Chen, L. D., and Gong G. (2008). Communication System Security, Chapter 3, Chapman and Hall/CRC, Pp.1-2.
- Mell, P., Scarfone, K. and Romanosky, S. (2007) A Complete Guide to the Common Vulnerability Scoring System. Version 2.0, June 2007.
- Hanford, S. (2014) CVSS v3, Preview 1: Base, Temporal, and Environmental Metrics. CVSS Special Interest Group (CVSS-SIG), June 2014.