
Security Assessment of Libyan Government Websites

Abdullah Ahmed Ali & Mohd Zamri Murah

Abstract

Many government organizations in Libya have started transferring traditional
government services to e-government. These e-services will benefit a wide range of
the public. However, the deployment of e-government brings many new security issues.
Attackers would take advantage of vulnerabilities in these e-services and would
conduct cyber attacks that would result in data loss, service interruptions, privacy loss,
financial loss, and other significant losses. The number of vulnerabilities in e-services
has increased due to the complexity of e-service systems, a lack of secure
programming practices, misconfiguration of systems and web application
vulnerabilities, or not staying up to date with security patches. Unfortunately, there is a
lack of studies assessing the current security level of Libyan government
websites. Therefore, this study aims to assess the current security of 16 Libyan
government websites using a penetration testing framework. In this assessment, no exploits
were run or attempted against the websites. In the penetration testing (pen test) framework,
there are four main phases: Reconnaissance, Scanning, Enumeration, Vulnerability
Assessment, and SSL encryption evaluation. The aim of a security assessment is to
discover vulnerabilities that could be exploited by attackers. We also conducted a
Content Analysis phase for all websites. In this phase, we searched the government
websites for information on the implementation of security and privacy policies. The aim is to
determine whether the websites are aware of currently accepted standards for security and
privacy. From our security assessment results for the 16 Libyan government websites, we
compared the websites based on the number of vulnerabilities found and the level of
security policies. We only found 9 websites with high and medium vulnerabilities. Many
of these vulnerabilities are due to outdated software and systems, misconfiguration of
systems, and not applying the latest security patches. These vulnerabilities could be
used by attackers to attack the systems and cause damage to them.
Also, we found that 5 websites didn't implement any SSL encryption for data transactions.
Lastly, only 2 websites have published security and privacy policies on their websites.
This seems to indicate that these websites were not concerned with current standards in
security and privacy. Finally, we classify the 16 websites into 4 safety categories: highly
