Cybersecurity Assessment and Vulnerability Modelling of Networks and Web Services in Nigerian Colleges of Education
Abstract
Cybersecurity threats are among the most significant risks facing organizations and governments today, and boards of directors are now being held accountable for them. This experimental study performs a holistic cybersecurity assessment and vulnerability modelling of the Information and Communication Technology (ICT) infrastructure and services of Colleges of Education across Nigeria's six geopolitical zones. The study adopts an integrated bi-modal threat modelling and assessment (IBTMA) method that combines assessment and modelling approaches, using mixed methods together with computer-based experimentation to evaluate and model cybersecurity threats, identify vulnerabilities, and propose effective mitigation strategies. Logistic regression was used to model the relationship between dependent variables (e.g., the presence or absence of vulnerabilities or threats) and independent variables (e.g., cybersecurity practices, system configurations, policies, and staff training programmes). The cybersecurity assessment provides the initial understanding of the security landscape and practices. The next step uses the Microsoft Threat Modeling Tool on the identified assets to enumerate specific threats, which are then prioritized by their potential impact and likelihood. The vulnerability-exposure assessment result is corroborated by the threat modelling report, which shows several threat classes: tampering, elevation of privilege, denial of service, privilege escalation, information disclosure, and spoofing. The findings indicate that the colleges face critical network and web vulnerabilities that need a holistic solution.
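The logistic model described in the abstract, applied to constructed college assessment records. This is an added example, not the study's code or data: the three practice features, the label rule, and the gradient-descent fit are assumptions made here for illustration.

```python
import itertools
import math

# Constructed assessment records, not the study's data. Each feature is a
# security practice observed at a college (1 = in place, 0 = absent):
#   patch_policy, staff_trained, default_creds_changed
# The label is 1 when the scan found at least one critical vulnerability.
# By construction, more safeguards in place -> fewer vulnerable records.
LABELS_BY_SAFEGUARD_COUNT = {0: (1, 1, 1), 1: (1, 1, 0), 2: (1, 0, 0), 3: (0, 0, 0)}
RECORDS = [
    (*combo, y)
    for combo in itertools.product((0, 1), repeat=3)
    for y in LABELS_BY_SAFEGUARD_COUNT[sum(combo)]
]
FEATURE_NAMES = ("patch_policy", "staff_trained", "default_creds_changed")


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def fit_logistic(records, lr=0.5, epochs=3000, l2=0.01):
    """Batch gradient descent for logistic regression. The small L2 penalty
    keeps the weights finite even if the data happened to be separable."""
    n_feat = len(records[0]) - 1
    w, b, m = [0.0] * n_feat, 0.0, len(records)
    for _ in range(epochs):
        grad_w, grad_b = [0.0] * n_feat, 0.0
        for *x, y in records:
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            grad_w = [g + err * xi for g, xi in zip(grad_w, x)]
            grad_b += err
        w = [wi - lr * (g / m + l2 * wi) for wi, g in zip(w, grad_w)]
        b -= lr * grad_b / m
    return w, b


def predict_proba(model, features):
    """Probability that a college with these practices has a critical finding."""
    w, b = model
    return sigmoid(sum(wi * xi for wi, xi in zip(w, features)) + b)


def odds_ratios(model):
    """exp(weight): how the odds of a finding change when a practice is in place."""
    return [math.exp(wi) for wi in model[0]]


if __name__ == "__main__":
    model = fit_logistic(RECORDS)
    for name, ratio in zip(FEATURE_NAMES, odds_ratios(model)):
        print(f"{name}: odds ratio {ratio:.2f}")
    print("no safeguards:", round(predict_proba(model, (0, 0, 0)), 2))
    print("all safeguards:", round(predict_proba(model, (1, 1, 1)), 2))
```

Odds ratios below 1 mark practices associated with fewer findings; with real survey data the features would be the practices, configurations, policies and training programmes the assessment recorded.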