net/publication/327369940
4 authors, including:
Sherif Mazen
Cairo University
All content following this page was uploaded by Sherif Mazen on 25 February 2019.
Sherif Elhennawy
Information Systems Auditing Consultant
Email: selhenawy@gmail.com
Abstract—In a time of growing threats and advancing circumstances, achieving and maintaining a strong cybersecurity profile in enterprises is crucial. Important data and resources must be protected. Nowadays, cybersecurity has become a predominant issue facing most organizations. It is recognized by organizations as an enterprise-wide issue requiring protection and detection against possible malicious attacks in order to protect enterprise information assets. Hence, enterprises are obliged to use multiple tools that cover most cybersecurity aspects across different operations and support different levels of users.

Information systems auditing is becoming more difficult due to rapidly developing technological threats. Hence, having these audits and reviews performed by independent functions increases the likelihood of detecting control weaknesses and provides further checks. These control issues are typically not due to the failure of the technology; they are mostly the result of individuals not executing the process, or of using a process that is poorly defended.

The main purpose of this research is to make a comparative study of the capabilities of most of the available automated cybersecurity auditing tools for frontend cloud computing. The results of this comparative study show how to secure the enterprise's assets using automated tools and techniques. It also provides clear steps for gathering the information needed to produce the evidence required in the final IS auditing report.

Index Terms—Cybersecurity, Penetration Testing, Vulnerability Assessments, Forensics

I. INTRODUCTION

The governance and management of enterprise IT have taken on a new meaning with the rapid growth of cybersecurity and the multitude of best practices in the market. Cybersecurity is currently receiving increased attention from the management boards of many organizations due to the bad publicity generated by recent data breach incidents. Senior members of management and corporate boards have lost their positions, and organizations have had to spend valuable resources on post-breach clean-up and on making their clients and customers safe.

Infrastructure spending has increased as organizations attempt to prevent breaches from occurring, especially when distributing data with cloud computing. Investments in security technologies that support incident detection and response mechanisms are also climbing, in order to limit the damage and liability if an incident occurs. Organizations are moving toward the powerful technology of cloud computing.

For small organizations, one of the biggest problems can be implementing effective cybersecurity controls, often due to a lack of awareness or experience, or simply because the controls are expensive. Sharing a public cloud also adds challenges in securing data and systems and in keeping the organization's data on independent servers. Larger organizations, however, will have technical IT staff who can deal with most cybersecurity incidents and with many of these controls, and many of them run their own cloud, yet they still suffer from security issues.

Each organization needs to ensure the stability of its IT operations and to reduce the escalation of incidents above the level supported on the cloud frontend. The lack of cybersecurity practice in the cloud by IS auditors for checking and maintaining IT operations motivated us to study the frameworks relevant to cybersecurity control for IS auditors. We also studied the cybersecurity tools that IS auditors can use to stop threats at different levels of management.

Our target is to study information systems auditing with cybersecurity considerations on cloud computing for different enterprises. Using cybersecurity tools to check daily IT operations by IS auditors helps us form a fitting framework for enterprises. To build a cybersecurity framework, we must first identify the other cybersecurity frameworks relevant to IS auditing. The rise of cloud adoption has undoubtedly been phenomenal in the past few years and shows no signs of slowing down, so the question of security and risk has become paramount.

The remainder of this paper is organized as follows: Section II gives an overview of cybersecurity and briefly discusses most of the issues and types of cyberattacks. Section III covers a discussion of related work. A comparative study of the most available cybersecurity tools that support the IS auditor is discussed in Section IV. Finally, we conclude the paper in Section V with an outlook on future work.

II. CYBERSECURITY BACKGROUND

Cybersecurity used to be relatively simple [1]. Most cyber threats were infections, worms, and Trojan
horses [2]. These cyber threats randomly attacked computers directly connected to the web, but they still posed only a small enterprise risk. Enterprise systems used firewalls to protect against threats from outside and anti-virus tools to protect against threats from inside. These enterprises appeared to be assured and generally secure. Occasionally an incident would happen, and cyber defenders would rally to eliminate it. Once the defenders discovered the malicious code, detecting and defeating it became straightforward. Then, gradually, a change started to take place and cyberattackers began getting inside enterprise systems. Once inside, they worked in a stealthy manner.

Cyberattackers took control of infected machines and connected them to remote command and control frameworks [2]. They captured usernames and passwords and used them to connect to systems for taking information or cash. Cyberattackers exploited vulnerabilities inside the enterprise. They move laterally between computers on the network and capture the credentials of more and more people inside the enterprise.

There are different kinds of attacks, such as Denial of Service (DoS), Keylogging, Pass-the-Hash, Malware, Identity Theft, Industrial Espionage, Pickpocket, Bank Heist, Ransomware, Hijacking, Sabotage, Sniper, Smoke-out, Social Engineering and Graffiti [3], [4]. These threats need a strategy for detection and protection. There are different types of counteraction that IT companies can take [5], [6]. The following concepts concern testing, ensuring quality, and auditing the system.

• Penetration Testing: This is basically an information assurance activity to decide whether information is suitably secured. It is conducted by penetration testers, sometimes called white hats or ethical hackers. These tests use the same tools and techniques as black-hat hackers, but apply them in a controlled way with the clear permission of the target organization. Penetration testing, also called pen testing or security testing, is also known as ethical hacking [2]; the technique is used to discover vulnerabilities in a network system before an attacker exploits them. This type of testing checks information security at each stage in each area. The major penetration test areas have been discussed by Yaqoob [7].

• Computer Forensics: Forensics is required of any systems security or IS auditing specialist managing network security. They must be aware of the legal implications of their forensic work and activities. These specialists must consider their policy choices, technical responsibilities, and activities in the setting of existing laws. For instance, a security specialist must have authorization before he or she monitors or conducts any form of forensic auditing or examination, and/or collects data related to a computer intrusion or its detection.

User awareness of information security has become vital. Aloul [8] shows the need for security awareness programs in schools, universities, governments, and private organizations in the Middle East. It presents the results of several security awareness studies conducted among students and professionals in the UAE in 2010. These studies include a comprehensive wireless security survey in which thousands of access points were detected in Dubai and Sharjah. Most of these access points are either unprotected or use weak types of protection. Another study focuses on evaluating the chances of general users falling victim to phishing attacks involving credit cards, emails, and bending files. These attacks can be used to steal bank and personal information. Moreover, a study of users' awareness of protection issues when using RFID technology is presented. Its aim is to specify how to raise awareness for users in different sectors. It also mentions some threats that affect the business process, but no talent can deal with these threats based on the user's background alone. Users need a clear plan and steps to overcome threat challenges.

III. RELATED WORK

This section focuses on research covering four aims and directions: cloud computing, cybersecurity and cyberattacks, information security maturity, and cybersecurity frameworks. It discusses the research done to assess vulnerabilities through different methodologies and techniques. First, in the cloud computing direction, it observes and analyzes the development of information systems auditing in organizations. Second, in the cybersecurity and cyberattacks direction, it studies the level of user awareness of security issues. Finally, it considers several attempts to build models and frameworks to protect data and detect threats, and their maturity level.

A. Cloud computing

Cloud computing is used as a solution by many organizations to perform operations using higher-performance servers and networks while reducing cost and processing time. In [9], the authors discuss the security issues of cloud computing with big data applications, divided into frontend and back-end. The frontend is represented by the users' computers and the software that accesses the cloud, while the back-end is represented by the computers, servers and database systems that create the cloud. They try to overcome the challenge of detecting and preventing threats by using big data analysis in the early stages.

The National Institute of Standards and Technology (NIST) [10] provided an overview of the typical characteristics, service models, and deployment models of cloud computing: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). The deployment model consists of three models: (1) public, (2) private, and (3) hybrid. In [11], the authors analyzed the effect of combining cloud computing and Software-Defined Networking (SDN) on Distributed Denial of Service (DDoS) attacks and defense; SDN can be more effective and efficient in the cloud computing environment.
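Section II above describes attackers capturing credentials and moving laterally from machine to machine inside the enterprise. The following script is an added detection example written for this page, not code from the paper: it parses constructed logon events and flags any account whose successful logons fan out to several distinct hosts inside a short sliding window, which is one of the signals an IS auditor can check in daily operations. The log format, host names, user names, addresses and the window/threshold values are all assumptions chosen for the example.

```python
"""Flag credential fan-out (a lateral-movement indicator) in logon events."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon events in a syslog-like key=value format; hosts, users and
# addresses are hypothetical. jdoe reaches four hosts in a little over three minutes.
AUTH_LOG = """\
2019-02-25T09:00:05 host=fs01 event=logon_success user=jdoe src=10.0.0.15
2019-02-25T09:01:10 host=fs02 event=logon_success user=jdoe src=10.0.0.15
2019-02-25T09:02:40 host=db01 event=logon_success user=jdoe src=10.0.0.15
2019-02-25T09:03:15 host=dc01 event=logon_success user=jdoe src=10.0.0.15
2019-02-25T09:30:00 host=fs01 event=logon_success user=asmith src=10.0.0.22
2019-02-25T10:15:00 host=fs02 event=logon_success user=asmith src=10.0.0.22
2019-02-25T11:00:00 host=db01 event=logon_failure user=asmith src=10.0.0.22
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) event=(\S+) user=(\S+) src=(\S+)$")


def parse(log):
    """Turn each well-formed line into a dict; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, event, user, src = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "event": event, "user": user, "src": src})
    return events


def lateral_movement_alerts(events, window=timedelta(minutes=10), min_hosts=3):
    """Accounts whose successful logons reach >= min_hosts distinct hosts within
    `window` of some starting logon. Failures are ignored here: the signal is
    credentials that *work* on many machines in quick succession."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "logon_success":
            by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"user": user,
                               "first_seen": start["ts"].isoformat(),
                               "hosts": sorted(hosts)})
                break  # one alert per account is enough for the audit report
    return alerts


if __name__ == "__main__":
    for alert in lateral_movement_alerts(parse(AUTH_LOG)):
        print(f"{alert['user']} reached {len(alert['hosts'])} hosts "
              f"from {alert['first_seen']}: {', '.join(alert['hosts'])}")
```

The window and host-count thresholds are deliberately parameters: an administrator account that legitimately touches many servers needs a higher threshold or an allow-list, so the same logic can be tuned per account class rather than producing one global rule.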
Moreover, in [12], the authors presented the data centre challenge as the lack of security control, and showed that traditional software security tools are not able to solve the security issues of cloud computing. They also recommended that organizations adopt the public cloud because of the security risks. In [13], the authors introduce the main security concerns, such as software security, infrastructure security, storage security, and network security. Organizations need a third party to manage the policy and service level agreement. They also highlighted the role of forensic tools and techniques in investigating cybercrime and in gathering and examining digital evidence by operating on forensic images, memory dumps, logs and network captures.

Other research examines the different challenges of threats and the solutions to security and privacy [14], [15], and proposes a model for cloud computing security. In [15], the authors highlighted the continuous auditing concept for adopting cloud services and obtaining highly reliable operations. They also recommended using Computer Assisted Auditing Techniques (CAAT), vulnerability scanning and penetration tools, depending on the auditor's context, to support corporate efficiency. In [16], the authors examined tools to secure the cloud through monitoring of cloud operational areas and classified these tools into two categories, cloud-specific and non-cloud-specific. Finally, in [17], the authors discussed intrusion detection techniques in a cloud environment. These techniques use knowledge-base systems or machine learning algorithms to determine and detect attacks from the behavioural profiles of users or from suspicious activities.

B. Cyberattacks and Cybercrimes awareness

In [18], the authors discuss current cybersecurity beliefs and data security viewpoints. The researchers present a pattern in which all these areas are connected to data assurance. They discuss data security engineering and the connected components, considering data treatment on the internet.

Users need to be aware of a few flow schemas of existing Advanced Persistent Threats (APTs) and exploits. The work does not go into depth to explain cybersecurity forms through practices. Moreover, there is a blend in the usage of the terms cybersecurity, cybercrime, and cyberspace. However, each term is distinctive in its behaviour and reaction to threats to frameworks and systems. For example, a cybersecurity technique does not by itself have the plan to prevent threats to the organization. Cybercrime is an attack on information about individuals, corporations, or governments. Cyberspace refers to a block of data floating around a computer system or network.

In [19], the authors present the methodologies and techniques involved in Vulnerability Assessment and Penetration Testing (VAPT), along with its benefits and precautions. They aim at creating a high level of cybersecurity awareness and importance at all levels of an organization, enabling them to adopt required up-to-date security measures and remain protected from various cyberattacks. VAPT is a valued assurance assessment tool that benefits both businesses and their operations. For an organization to stay assured of its security infrastructure, it must conduct VAPT periodically. It guarantees the security level of its component frameworks and assets, and it informs about any new vulnerabilities and possible exploits that may lead to financial and data losses.

Vulnerability assessment was shown in some approaches to scan threats, such as [20]. The authors proposed an automated and proactive cyber-physical contingency analysis tool, CPIndex. It specifies the seriousness of the current threats and the current system status. This analysis can further specify how to deal with these threats and determine their effects.

C. Information Security Maturity

In [21], the authors proposed the CHaracterizing Organizations' Information Security for Small and medium enterprise (CHOISS) model. They relate measurable organizational characteristics in four categories through 47 parameters to help Small and Medium Enterprises (SMEs) distinguish and prioritize which risks to mitigate. The rationale and action associated with each identified organizational characteristic fall into four categories: General, Insourcing and Outsourcing, IT Dependency, and IT Complexity.

CHOISS presents the distinction between a variety of different organizations. To reach a high IS maturity level, an organization must implement a tailored set of focus areas and capabilities. The researchers considered only information security in the organization in terms of Confidentiality, Integrity, and Availability (CIA), and omitted a cybersecurity process for assessing risks and vulnerabilities at each level of the Capability Maturity Model (CMM).

According to the C2M2 model presented in [22], an organization uses it to evaluate its cybersecurity capabilities consistently, communicate its capability levels in meaningful terms, and inform the prioritization of its cybersecurity investments. This model concentrates on dividing cybersecurity for the organization, down to SMEs, into three classes of maturity indicator levels (MILs), numbered 0–3 (MIL0 through MIL3), across 10 domains. Each domain is documented by its activities. The model uses the evaluation to identify gaps in capability, prioritize those gaps and develop plans to address them, and finally implement the plans to address the gaps.

D. Cybersecurity Frameworks

There are several attempts at providing frameworks that support cybersecurity, such as the National Institute of Standards and Technology (NIST) [23], the National Information Assurance and CyberSecurity Strategy (NIACSS) [24], and ISO 27001/27002 Version 2013 [25], [26].

In [27], Barrett provides guidance on how the Framework for Improving Critical Infrastructure Cybersecurity (known as
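The C2M2 evaluation outlined in Section III-C (score each domain at a maturity indicator level, identify the gaps, prioritize them) can be expressed as a small program. The following is an added example written for this page; it is not the paper's code and not the C2M2 model's own tooling. The three domain names are taken from C2M2's published domain list, but the practice identifiers, the number of practices per level, and the set of "implemented" practices are constructed. The cumulative rule used here, that a domain reaches a MIL only when every practice at that level and at all lower levels is implemented, is assumed in line with C2M2's MIL scheme.

```python
"""Maturity indicator level (MIL) gap evaluation per domain, in the style of C2M2."""

# Constructed practice catalogue: domain -> MIL -> practice ids.
# Domain names follow C2M2's domain list; practice ids and counts are hypothetical.
PRACTICES = {
    "Risk Management": {
        1: ["RM-1a", "RM-1b"],
        2: ["RM-2a", "RM-2b", "RM-2c"],
        3: ["RM-3a"],
    },
    "Asset, Change, and Configuration Management": {
        1: ["ACM-1a"],
        2: ["ACM-2a", "ACM-2b"],
        3: ["ACM-3a", "ACM-3b"],
    },
    "Threat and Vulnerability Management": {
        1: ["TVM-1a", "TVM-1b"],
        2: ["TVM-2a"],
        3: ["TVM-3a"],
    },
}

# Constructed self-assessment result: practices the organization has implemented.
IMPLEMENTED = {"RM-1a", "RM-1b", "RM-2a", "RM-2b",
               "ACM-1a", "ACM-2a", "ACM-2b", "ACM-3a",
               "TVM-1a"}


def domain_mil(catalogue, implemented):
    """MILs are cumulative (assumed, as in C2M2): a level counts only if it and
    every lower level are fully implemented, so a domain that has its MIL2
    practices but misses a MIL1 practice still sits at MIL0."""
    achieved = 0
    for level in sorted(catalogue):
        if all(p in implemented for p in catalogue[level]):
            achieved = level
        else:
            break
    return achieved


def evaluate(practices, implemented, target_mil):
    """Per domain: (achieved MIL, practices still missing up to the target MIL)."""
    report = {}
    for domain, catalogue in practices.items():
        gaps = [p for level in sorted(catalogue) if level <= target_mil
                for p in catalogue[level] if p not in implemented]
        report[domain] = (domain_mil(catalogue, implemented), gaps)
    return report


def prioritize(report):
    """Remediation order: lowest achieved MIL first, then the domain with more gaps."""
    return sorted(report, key=lambda d: (report[d][0], -len(report[d][1])))


def run_assessment(target_mil=2):
    report = evaluate(PRACTICES, IMPLEMENTED, target_mil)
    return report, prioritize(report)


if __name__ == "__main__":
    report, order = run_assessment()
    for domain in order:
        mil, gaps = report[domain]
        print(f"{domain}: MIL{mil}; gaps to MIL2: {', '.join(gaps) or 'none'}")
```

Raising `target_mil` to 3 lengthens the gap lists without changing the achieved levels, which is the distinction the model draws between where an organization stands and where it has chosen to invest.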
the Cybersecurity Framework) can be used in the U.S. federal government in conjunction with the current and planned suite of NIST security and privacy risk management publications. This framework assists federal agencies in strengthening their cybersecurity risk management. It helps them decide on an appropriate implementation of the Cybersecurity Framework.

The relationship between the Cybersecurity Framework, NIST and the Risk Management Framework is discussed in eight use cases [27]. These cases tend to consider risk management and procedures and to evaluate organizations' cybersecurity. The result of each case includes the benefits of achieving it, the typical participants and a summary of the incident-solving steps as a sequence.

In [24], the authors apply the National Information Assurance and Cybersecurity Strategy (NIACSS) of Jordan. Jordanian government organizations and the private sector are for the most part essential, not efficient. The weaknesses in previous approaches, coupled with fast progress in technology, place the national systems and the Basic National Framework Critical National Infrastructure (CNI) at risk. The key goals aim to: (1) strengthen national security, (2) reduce risks to CNI, (3) reduce harm and recovery time, (4) improve the economy and national success, and (5) increase cybersecurity and awareness.

The International Organization for Standardization (ISO) created the ISO 27000 series of standards. ISO 27001 is the specification for an enterprise information security management system (ISMS) [26], and ISO 27002 is the code of practice for information security controls [25]. Enterprises can be accredited for ISO 27001 by following a formal audit process that requires independent accreditation by an outside auditor. The 2013 version of this standard reduces the number of controls, but it adds additional domains for cryptography, operations security, and supplier relationships.

In another recent framework proposition [28], the authors built a cybersecurity framework (SHIELD) that acts as Security as a Service (SecaaS). They target real-time incident detection and mitigation in the big data environment. The SHIELD framework combines three concepts: (1) Network Functions Virtualization (NFV), (2) SecaaS, and (3) Big Data Analytics and Trusted Computing (TC). It then provides a cybersecurity solution based on user requirements and use cases. They used use cases, user stories, and online surveys to map and rank user requirements.

IV. AUTOMATED CYBERSECURITY AUDITING TOOLS

The fundamental challenge with a cybersecurity audit is to obtain the relevant tools that cover the threats to operations [2]. These tools aid in solving problems without escalating them to a higher level of support. The IS auditor intends to collect evidence proving that no malicious or unexpected incidents occurred during the auditing period. In general, audits work in a similar manner: they start by collecting evidence from the available records to indicate the proper operation of the automated system or operational process.

There are other factors that affect every organization and add difficulty to securing its data. Some of these factors are the hardware used in the infrastructure, the supported operating systems, communication protocols, and the underlying tools and techniques for handling threats. There are several cybersecurity tools that support these domains; however, they are out of our scope.

In general, cybersecurity tools are widespread in different fields of computer countermeasures and address attacks. Some tools operate on networks, applications, operating systems, and web-based applications. We aim to determine the main tools for the IS auditor through four different phases, and how the IS auditor can explore the source of threats and evaluate the possible risks.

The importance of using cybersecurity tools by IS auditors in four tasks can be explained as sequential steps that guarantee and achieve the enterprise's operations. In the first task, information gathering, information must be collected to illustrate the enterprise's tendency and assess the possibility of attacks [29]. There are many tools for the process of gathering information. Then, the scanning task obtains the target ports' weaknesses, which builds the full picture for the IS auditor by specifying the gaps that occur in daily operations [30]. After that, the examination task helps the IS auditor form an awareness of expected risks and find the steps that put the operations in a safe and acceptable mode [31]. Lastly, the forensic investigation and evidence aggregation task [32] captures the source and the main details of the attack to make a summary report about the enterprise's current situation, in case of external or internal threats.

The chosen tools aid the IS auditor in evaluating the risks and threats in the enterprise, from insiders or outsiders, by checking the previous steps. The investigation leads to using information security as an auditing tool to analyze and report on an organization's strengths, weaknesses, and needs.

In Table I, we compare some of the recent cybersecurity tools that hackers can misuse to perform cyberattacks and cause serious damage. These tools are adapted from the EC-Council¹ organization and community. They provide users with cybersecurity knowledge and tools to cover security issues in different domains of cybersecurity control and auditing. They are divided into four main tasks: (1) information gathering (i.e. understand the target domain and collect valuable information), (2) scanning (i.e. scan target IP addresses for possible vulnerabilities), (3) exploitation (i.e. attack the possible vulnerabilities in order to detect them and prevent their exploitation from other sources), and (4) forensics (i.e. collect the evidence and investigate the available resources) [1].

Within each task there are different tools, each with a brief description of the supported functions, limitations and supported Operating Systems (OS). Tools are ordered in the table by their release date. It states the main technology tools

¹ https://www.eccouncil.org/, accessed 18/Jul/2018
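The four-task sequence described above (gather an approved picture of the environment, scan it, examine the gaps, and record evidence for the report) can be run end to end in a few dozen lines. The following is an added example written for this page, not code from the paper or from any tool in Table I. It reads constructed scan output in the greppable line format that nmap's -oG option produces, compares the observed open ports with an approved baseline for each host, and stores the findings together with a SHA-256 of the raw scan output so the auditor can later show that the evidence behind a finding was not altered. Hosts, addresses, ports, the baseline and the auditor name are all assumptions.

```python
"""Audit evidence pipeline: parse scan, compare with baseline, record verifiable findings."""
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed scan results in nmap's greppable (-oG) line format; hosts are hypothetical.
SCAN_OUTPUT = """\
Host: 192.0.2.10 (web01.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///
Host: 192.0.2.20 (db01.example.test)\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///, 8080/filtered/tcp//http-proxy///
"""

# Approved baseline from the information-gathering task: what each host may expose.
BASELINE = {
    "192.0.2.10": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "192.0.2.20": {("tcp", 22), ("tcp", 3306), ("tcp", 5666)},  # 5666: monitoring agent expected
}

# port/state/proto/owner/service/ ... as written in -oG "Ports:" fields
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")


def parse_grepable(text):
    """Scanning task input: {ip: {(proto, port): (state, service)}} from 'Host:' lines."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        ip = line.split()[1]
        _, _, port_field = line.partition("Ports:")
        hosts[ip] = {(proto, int(port)): (state, service)
                     for port, state, proto, service in PORT_RE.findall(port_field)}
    return hosts


def audit_gaps(observed, baseline):
    """Examination task: per host, open ports not in the baseline and baseline ports not open."""
    gaps = {}
    for ip in sorted(set(observed) | set(baseline)):
        open_ports = {k for k, (state, _) in observed.get(ip, {}).items() if state == "open"}
        expected = baseline.get(ip, set())
        gaps[ip] = {"unexpected": sorted(open_ports - expected),
                    "missing": sorted(expected - open_ports)}
    return gaps


def evidence_record(raw_scan, gaps, auditor):
    """Forensic task: findings plus a hash of the raw scan so the evidence can be re-verified."""
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": auditor,
        "raw_scan_sha256": hashlib.sha256(raw_scan.encode()).hexdigest(),
        "findings": [
            {"host": ip,
             "unexpected_open": [f"{proto}/{port}" for proto, port in g["unexpected"]],
             "missing_expected": [f"{proto}/{port}" for proto, port in g["missing"]]}
            for ip, g in gaps.items() if g["unexpected"] or g["missing"]
        ],
    }


def verify_record(record, raw_scan):
    """False means the scan output on file no longer matches what the record was built from."""
    return hashlib.sha256(raw_scan.encode()).hexdigest() == record["raw_scan_sha256"]


def run_audit(raw_scan=SCAN_OUTPUT, baseline=BASELINE, auditor="IS auditor (constructed)"):
    gaps = audit_gaps(parse_grepable(raw_scan), baseline)
    return evidence_record(raw_scan, gaps, auditor)


if __name__ == "__main__":
    print(json.dumps(run_audit(), indent=2))
```

Two points the output makes visible: a filtered port (8080 on the database host) is not treated as a gap, because only ports that actually answer are compared with the baseline, and a missing expected service (the monitoring agent on 5666) is reported as a finding just as an unexpected one is, since an absent control is as relevant to the auditor as an exposed one.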
TABLE I
COMPARATIVE ANALYSIS OF AVAILABLE AUTOMATED AUDITING TOOLS.

Serial | Task | Tool | Description | Limitations | Supported OS (Macintosh, Windows, Linux)
1 | Information Gathering | Netcraft [33] | Extracts valuable data; targets websites, e.g. IP address, OS used, DNS server | Relies solely on a blacklist | X X