Security Assessment Using Nessus Tool to Determine Security Gaps on the Repository Web Application in Educational Institutions

Chayadi Oktomy Noto Susanto, Kauka Noor Fathur Rizko, Dwijoko Purbohadi

Abstract


This research aims to determine security holes and risks that may arise in the educational institution’s repository web application. The repository web application contains research data, journals, articles, and papers from lecturers and students at the institution. This web application does not yet have documentation about security holes and risks in it. It causes a sense of concern on the part of educational institutions. Therefore, it is necessary to have a security assessment to conduct a risk-oriented assessment that might occur if an attack is attempted. The Vulnerability Assessment and Penetration Testing (VAPT) method was utilized to conduct a security assessment and test educational institutions’ repository web application. Several vulnerabilities found with the Nessus tool could still be exploited and resulted in findings in legal access rights when the researchers performed a test simulation on the repository web application. This research was used as a report to the educational institution, particularly as a material for the evaluation process to increase its web application security. This research was carried out within the educational institution environment. Hence, it did not fully describe the possibility of actual attacks originating from outside the educational institution environment.


Keywords


Security Assessment, Vulnerability Assessment and Penetration Testing, and Nessus

Full Text:

PDF

References


E. Indrayani, “Pengelolaan Sistem Informasi Berbasis Teknologi Informasi dan Komunikasi (TIK ) [Management of Information Systems Based on Information and Communication Technology],” vol. 12, no. 1, pp. 45–60, 2011.

A. Abdel-Aziz, “Scoping Security Assessments - A Project Management Approach,” Security, 2011.

D. Dalalana Bertoglio and A. F. Zorzo, “Overview and open issues on penetration test,” J. Brazilian Comput. Soc., vol. 23, no. 1, pp. 1–16, 2017.

J. N. Goel and B. M. Mehtre, “Vulnerability Assessment & Penetration Testing as a Cyber Defence Technology,” Procedia Comput. Sci., vol. 57, pp. 710–715, 2015.

P. S. Shinde and S. B. Ardhapurkar, “Cyber Security Analysis Using Vulnerability Assessment and Penetration Testing,” IEEE Spons. World Conf. Futur. Trends Res. Innov. Soc. Welf. (Startup Conclave), pp. 1–5, 2016.

H. Kumar, Learning Nessus for Penetration Testing. 2014.

I. Mukhopadhyay, S. Goswami, and E. Mandal, “Web Penetration Testing using Nessus and Metasploit Tool,” IOSR J. Comput. Eng., vol. 16, no. 3, pp. 126–129, 2014.

B. C. Hidayanto, “Evaluasi Keamanan Aplikasi Sistem Informasi Menggunakan Framework VAPT (Studi Kasus : SISTER Universitas Jember) [Information System Application Security Evaluation Using VAPT Framework (Case Study: SISTER, University of Jember)],” 2017.

A. M. A. Yuhaz, “Risk Management Aset Teknologi Informasi Menggunakan Framework OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation) dan FMEA (Failure Mode and Effect Analysis) di Institusi Pendidikan [Information Technology Asset Risk Management Using the OCTAVE Framework (Operationally Critical Threat, Asset and Vulnerability Evaluation) and FMEA (Failure Mode and Effect Analysis) in educational institutions],” Universitas Muhammadiyah Yogyakarta, 2018.

M. Oni, “Analisis Penggunaan Kriptografi dalam Online Banking [Analysis of the Use of Cryptography in Online Banking],” Anal. Pengguna. Kriptografi dalam Online Bank., no. 13508031, pp. 1–8, 2011.

S. Puangpronpitag and N. Masusai, “An efficient and feasible solution to ARP Spoof problem,” 2009 6th Int. Conf. Electr. Eng. Comput. Telecommun. Inf. Technol., vol. 02, pp. 910–913, 2009.

A. Karawash, S. Ontario, S. Computing, I. Platform, I. C. View, and A. Karawash, “Brute Force Attack,” no. November 2015, 2016.

S. Land and M. Breininger, “United States Patent,” vol. 1, no. 16, 2002.

S. Granger, “Social Engineering Fundamentals, Part I: Hacker Tactics | Symantec Connect,” Soc. Eng. Fundam., vol. 1527, 2001.




DOI: https://doi.org/10.18196/eist.128

Refbacks

  • There are currently no refbacks.



Editorial Office:

EMERGING INFORMATION SCIENCE AND TECHNOLOGY

Department of Information Technology, Faculty of Engineering,

Universitas Muhammadiyah Yogyakarta.

Jln. Brawijaya Tamantirto Kasihan Bantul 55183 Indonesia

Telp:(62)274-387656, Fax.:(62)274-387656

Website: http://journal.umy.ac.id/index.php/eist