Security hygiene is important, especially within the finance industry, as user privacy is a major priority for financial services. To ensure the highest levels of cybersecurity, security tests must be carried out regularly. Under normal conditions, security testing is carried out by humans. As such, it is time-consuming, costly, and difficult to carry out on a regular and frequent basis. The aim of this project is to combat these problems using machines to run the process automatically, allowing assessment to be undertaken more frequently. The system developed, Cyber Security Assessment Automated System (CSAAS), can run security tests at all hours of the day, making use of a black-box network vulnerability assessment technique and various open-source tools (Hydra, DIRB, Nmap, SQLmap, Amass, Searchsploit, and XSSsniper). A broker company should provide the endpoints for running security tests. After which the system will run all necessary tests, generating a report to send back to the broker company. This report includes general information (such as IP address, port, and OS) as well as the vulnerabilities of the given endpoints.
Application of best practices, and proper configuration of the broker system are necessary in order to effectively prevent cyber-attacks. The most important matter to be considered is the hiring of a specialized company able to perform regular and effective security testing for the system. Nevertheless, as this can be expensive and time-consuming, it is hard for many companies to hire and maintain their system using a security testing service. The consequent lack of maintenance could lead to various security vulnerabilities.
An alternative to security testing is network scanning. Scanning via the internet is not a highly complex scanning test option, when compared with a security test. On the contrary, it provides businesses with the convenience to scan regularly. Additionally, it can show the difference between the system hygiene of each scan. The aim of CSAAS is to provide an automated vulnerabilities assessment service which meets the following 2 objectives:
- The service can be run automatically with endpoints provided by the broker company.
- The broker company can access reports for any new scan as well as previous records for the purpose of auditing and improvement of the broker’s system.