Included below is my full academic paper for our idea, a pen-testing software named EzDetect. Also included is the logo Madelene made for the project.

EzDetect Academic Paper.
Fenton Clarke
Old Dominion University
CYSE 494
Prof. Akeyla Porcher
12/10/2023
Introduction
The innovation that my group is pursuing is software that would fall into the pen-testing category. This is meant to solve specific problems in the business world. The innovation is going to increase a business’s knowledge of its vulnerabilities and suggest ways to fix them. Vulnerabilities as a whole will be defined as a problem, with subproblems for specific ones. The second problem is going to be education on these vulnerabilities. Vulnerabilities are defined as any system that can be exploited by an attacker to deliver an attack or payload. This unfortunately means the problem of vulnerabilities cannot be easily narrowed down. The costs of these attacks have only been increasing, so companies are seeking ways to protect themselves from attacks. IBM, in its Cost of a Data Breach report, has stated that it will cost “4.45 million” dollars for the average data breach. With this average, a good incentive is set for companies to take attack prevention and training seriously. Our first problem, vulnerabilities, is divided into subproblems, based on each vulnerability. The most common types of attacks are phishing and ransomware. These attacks perform well, due to the vulnerability of people. Human error is a big vulnerability we will have to compensate for as it can affect all levels of a business. This can mean anything from staff clicking suspicious links to the use of weak passwords and poor cyber practices. Exploiting these practices with social engineering and software attacks has become easy. The other side of this is going to be software vulnerabilities. These include the actual problems inside applications and systems. Bugs and exploits can allow easy access to systems, and software must be kept up to date to avoid falling behind on security regulations. These are not the only threats that use software vulnerabilities, as custom scripts and code have been used to break into systems, databases, and applications before.
To reduce the chance of attacks, software needs to be extensively tested and understood. Unfortunately, the software is not where problems end either, as security already in place needs to be tested to ensure it can detect or prevent these vulnerabilities from being exploited.
The innovation we have come up with is a way to reduce the prospect of an attack coming from an unknown angle. Our software falls largely into the category of pen-testing, where an entity is hired or instructed to attempt to breach the systems of a business or group to look for vulnerabilities. Our innovation, named EzDetect, is going to be a solution for small businesses and groups who need access to the same security resources big companies have. The software is going to attempt to breach a system and create a report of the results. The report should provide the small businesses with the information they will need to fix the vulnerabilities. The EzDetect software is going to be a pen-testing software meant to be accessible to those not familiar with cybersecurity and the risks it poses. It is going to be able to find both vulnerabilities in the systems and human error. It will function like an antivirus scan, with users picking when and where they choose to scan. This will also play a part in the business side of things, as it can be used to track progress with clients. We are planning on launching EzDetect as a subscription-based model to allow for flexibility for the consumer. Ideally, the software will be able to detect multiple avenues of attack from vulnerabilities like SQL injection, phishing, or user error. These are some of the attack types it will simulate, with gaining access to data as the goal. If that goal is met, it means that the business is vulnerable to it. After the scan is done, the software will produce a report that contains the list of detected vulnerabilities and a small section explaining them and what can be done. This report is the basis for a business to start preparing itself for future cyber threats, as the aforementioned average cost will bankrupt most small businesses. Using EzDetect should allow a small business to begin seriously protecting their data, while also remaining affordable and easy to use.
Our innovation will also have to keep the data of our users safe so that they can trust both us and the product.
Literature Review
Detection and Prevention
Vulnerability is a large catch-all term when referring to cybersecurity. The problem goes much deeper than this definition, with factors like exploits, bugs, and human error being present. The problem extends to almost every factor of the internet as well. Just being connected to the internet opens up risks to these threats. Attacks by extension will need to be covered, just as much as the vulnerabilities that let them happen. One method that is both common and damaging is SQL injection. SQL (sequel) is used on most databases in use in the world and has been since the 1960s. SQL still maintains its popularity today and continues to be used in databases. SQL injection is a type of attack that exploits the backends of databases to gain access to data. SQL injection is going to be a problem vulnerability, especially for an automated system like EzDetect. Automatic pen-testing like EzDetect is noticeably worse than a dedicated cyber security team. A study by Antunes and Vieira (2009) found that “An important observation is that none of the penetration-testing tools detected more than 51% of the vulnerabilities detected by the security experts”. An automatic tool will not find as much as a high-level cybersecurity team. For the inexpensive cost of an automatic program though, they found half of the SQL vulnerabilities the team found. SQL presents itself as a hurdle to proving the program effective. Further mentioned in this study is a high rate of software generating false positive responses. While this is just covering SQL injection, similar results will occur with other complex vulnerabilities, so our problem also relates to vulnerability detection. One of the methods employed by pen-testing software is code-scanning. This is done line by line with pen-testing software. The code is then tested, but not executed, to determine its purpose and if it is dangerous.
This method is also used in pen-testing with its own set of parameters. It was also part of Antunes and Vieira’s study, which found that these static code analyzers could in some cases find the same number of vulnerable lines as the experts did, with both having 28 lines detected. Unfortunately, the static analyzers also reported extra false positives. Detection is going to remain a point that needs attention due to the rate of false positives in both trials, with all analyzers and automatic pen-testing software reporting at least one. Another study by Austin, Holmgreen, and Williams (2013) found similar results studying health record software, with the first software, Tolven CHR, having 22 vulnerabilities and 15 false positives.
Interestingly, this study also proves an advantage of automatic pen-testing. Both a pen-testing team and automatic testing were used in the study, and the team took 67 hrs in both planning and executing their plans. By comparison, the automatic software only took 10 hours, with 710 confirmed vulnerabilities being detected in OpenEMR’s test and only 25 false positives. Static analysis was also a part of the study and found even higher rates of false positives with the same three systems, one reaching up to 98% false positives. Detection overall is going to have to be a focus of the EzDetect software to ensure that we can hit an acceptable rate of detection of vulnerabilities. If this is not met, it is unlikely our program will find success as a solution to finding vulnerabilities. A possible way around this could be implementing both static analysis and regular pen-test vulnerability scanning in one application. Being able to use both systems and compare the results of the two would allow EzDetect a better range of data to see if something is truly wrong or if it is merely picking up a false positive. Otherwise, data that cannot be confirmed as a vulnerability should be included in the end report as an area to inspect.
After focusing on detection, prevention is the next area to move to. EzDetect plans to be able to recommend how to handle, or give a way to fix, vulnerabilities it has detected. Prevention is a constantly evolving topic in cybersecurity. For the previous focus of SQL, there are some methods to prevent injection attacks. Shar and Tan (2013) found that most vulnerabilities in SQL come from developers’ coding mistakes. EzDetect will not be able to modify a user’s code for ethical and safety reasons, so a solution will need to be implemented for this. One effective approach is to simulate an SQL injection attack to expose vulnerabilities; another is to use scans to set rules, similar to a firewall, that turn away tainted packets. For other vulnerabilities, Indre and Lemnaru (2016) proposed a similar architecture to the plan for EzDetect. Their plan was a modular architecture that checks itself with its connected modules, with static, binary, and malware detection. This was used against common types of vulnerabilities and their exploits, like cache poisoning and port scanning. They also pointed out the idea that some researchers hold, that most attacks are variants of original attacks or signature attacks. Using their architecture they were able to intercept and reject packets passing between botnets, and between botnets and controllers. This study provides a look into the potential a system similar to EzDetect can have, and how it can prevent multiple types of attacks and vulnerabilities. These complex systems can react to and isolate the same problems that security teams can. Potentially a system like EzDetect can run at the same level of detection, and increase the visibility of vulnerabilities while providing the path to preventing them. Fully insulating a system against an attack is going to require that our small business partners also participate in removing the vulnerabilities we detect.
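One way the comparison proposed above could work, as an added example that is not part of the original paper or of any EzDetect code: findings from a static scan and a dynamic scan are matched by handler and vulnerability class, and anything only one tool reported goes into an "inspect" section of the report. The record formats, the route map and the label-to-CWE table are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed normalisation table: each tool names the same weakness differently,
# so both are mapped to a CWE identifier before comparison.
CWE = {"sql injection": "CWE-89", "sqli": "CWE-89",
       "cross-site scripting": "CWE-79", "xss": "CWE-79"}

# Constructed inputs. Route map: URL path -> (source file, handler function).
ROUTES = {"/login": ("auth.py", "login"), "/search": ("catalog.py", "search")}

STATIC = [  # constructed code-scanner output
    {"file": "auth.py", "function": "login", "line": 41, "label": "SQLi"},
    {"file": "catalog.py", "function": "render", "line": 88, "label": "XSS"},
]
DYNAMIC = [  # constructed output from scanning the running site
    {"path": "/login", "param": "username", "label": "SQL Injection"},
    {"path": "/search", "param": "q", "label": "Cross-Site Scripting"},
    {"path": "/export", "param": "id", "label": "SQL Injection"},
]


def _cwe(label):
    """Map a tool-specific label to a CWE id, or 'unclassified'."""
    return CWE.get(label.strip().lower(), "unclassified")


def triage(static, dynamic, routes):
    """Group findings by (file, handler, CWE) and split them into
    'confirmed' (both tools agree) and 'inspect' (only one tool reported)."""
    merged = defaultdict(lambda: {"static": [], "dynamic": []})
    for f in static:
        key = (f["file"], f["function"], _cwe(f["label"]))
        merged[key]["static"].append(f"line {f['line']}")
    for f in dynamic:
        # A path with no known handler cannot be matched to source code,
        # so it is kept under its own 'unmapped' key rather than dropped.
        file, func = routes.get(f["path"], ("unmapped", f["path"]))
        key = (file, func, _cwe(f["label"]))
        merged[key]["dynamic"].append(f"{f['path']} parameter {f['param']}")

    report = {"confirmed": [], "inspect": []}
    for (file, func, cwe), ev in sorted(merged.items()):
        section = "confirmed" if ev["static"] and ev["dynamic"] else "inspect"
        report[section].append({
            "where": f"{file}:{func}",
            "cwe": cwe,
            "evidence": ev["static"] + ev["dynamic"],
        })
    return report


if __name__ == "__main__":
    result = triage(STATIC, DYNAMIC, ROUTES)
    for section in ("confirmed", "inspect"):
        print(section.upper())
        for item in result[section]:
            print(f"  {item['where']} {item['cwe']} {item['evidence']}")
```

Only the login finding is reported by both tools; the other three entries are listed for inspection instead of being silently dropped or presented as confirmed.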
If we can’t ensure this participation these vulnerabilities will only get worse and be exploited. On the software side, EzDetect will need to keep its reports displayed in an easy-to-understand format so that our primary clientele can take what the report has produced and turn it into an actionable plan.
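The coding mistake behind most SQL injection, and the code-scanning approach described earlier that analyzes code without executing it, shown as an added example (not from the paper or from any real product): a small scanner that flags database calls whose query text is assembled from non-constant data, next to a naive rule that also reports a false positive. The sample source and its function names are constructed.

```python
import ast

# Constructed sample: two queries built from input (the coding mistake),
# one parameterized query (the fix), and one query concatenated from
# constants only, which a naive rule reports as a false positive.
SAMPLE = '''
def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")

def find_user_safe(cur, name):
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))

def count_users(cur):
    cur.execute("SELECT COUNT(*) " + "FROM users")

def find_by_id(cur, uid):
    q = f"SELECT * FROM users WHERE id = {uid}"
    cur.execute(q)
'''

SQL_SINKS = {"execute", "executemany"}  # DB-API methods that run query text


class SqlSinkScanner(ast.NodeVisitor):
    """Parses source without running it and records (function, line) for
    each SQL sink call whose query argument looks unsafe."""

    def __init__(self, refined):
        self.refined = refined
        self.env = {}            # variable name -> was it built from data?
        self.func = "<module>"
        self.findings = []

    def _dynamic(self, node):
        """True if the expression mixes non-constant data into a string."""
        if isinstance(node, ast.Constant):
            return False
        if isinstance(node, ast.JoinedStr):  # f-string
            return any(isinstance(v, ast.FormattedValue) for v in node.values)
        if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
            return self._dynamic(node.left) or self._dynamic(node.right)
        if isinstance(node, ast.Name):
            # Unknown names (e.g. function parameters) are treated as data.
            return self.env.get(node.id, True)
        return True

    def visit_FunctionDef(self, node):
        outer = (self.env, self.func)
        self.env, self.func = {}, node.name   # fresh scope per function
        self.generic_visit(node)
        self.env, self.func = outer

    def visit_Assign(self, node):
        self.generic_visit(node)
        # Flow-insensitive tracking: remember the latest assignment only.
        for target in node.targets:
            if isinstance(target, ast.Name):
                self.env[target.id] = self._dynamic(node.value)

    def visit_Call(self, node):
        f = node.func
        if isinstance(f, ast.Attribute) and f.attr in SQL_SINKS and node.args:
            query = node.args[0]
            if self.refined:
                risky = self._dynamic(query)
            else:
                # Naive rule: anything but a single literal is reported.
                risky = not isinstance(query, ast.Constant)
            if risky:
                self.findings.append((self.func, node.lineno))
        self.generic_visit(node)


def scan(source, refined=True):
    """Return [(function name, line number)] for suspicious SQL calls."""
    scanner = SqlSinkScanner(refined)
    scanner.visit(ast.parse(source))
    return scanner.findings


if __name__ == "__main__":
    print("naive  :", scan(SAMPLE, refined=False))
    print("refined:", scan(SAMPLE, refined=True))
```

The parameterized form in `find_user_safe` is the fix a report would recommend, and it is the only query neither rule flags.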
Awareness, outreach, education.
One of the leading causes of cyber attacks is user error, or human error. Humans are social creatures and prone to developing habits in life. For cybersecurity, this manifests most plainly in the use of passwords. The current password recommendations from NIST advocate for things like longer and more complex passwords, commonly the eight-character password with numbers, lower case, upper case, and special characters. People may not follow this due to the ease and habits they develop to start their devices quickly. This also extends to areas like updates, configuration, and policymaking. To prevent these habits from being exploited easily, awareness needs to be built on both how to prevent vulnerabilities and the danger of them. This is part of what EzDetect is planned to do, and it will need to rely on a concept de Bruijn and Janssen (2017) point out in their article on cybersecurity awareness. Their article focuses on message framing as a way to raise awareness. Framing the message is just as important as the contents of the message itself. Placing an over-importance on the actual consequences of an attack or vulnerability may make us seem paranoid or less trustworthy to our clients. Frames were also easier to agree with than the more traditional ways of stating the importance of cyber threats. To make this effective for EzDetect, we will need to take in the other aspects of a frame they recommend. Making the frame personalized towards our market and providing them a clear group to serve as villains will make the framed message more acceptable. A separate study by Quigley, Burns, and Stallard (2015) found that the traditional ways of describing cyber threats are out of proportion, with many focusing on warfare and terrorism. These are too out of the way for the average person or business to focus on, so shifting the message to something more realistic for them will make the message more meaningful and carry more weight.
Evidence-based framing was also recommended as a possible way to frame the message and avoid losing the attention of users. In the end for small businesses, it is important to use both social factors and cybersecurity to ensure that clients understand the threat vulnerabilities pose.
Connecting with clients is an important area of focus for those who work with the internet in general, and this is even more apparent in cybersecurity due to its complexity. In most cases, a small business has to combat the same threats a large business does with a fraction of the required resources and training. Bada and Nurse (2019) described some concerns of small businesses in a survey they sent out. The participants in the survey were asked about how they used the London Digital Security Center. Many reported only using parts of the center for benefits, like guidance, training, and security posture assessments. Further, a better process to streamline education programs for small businesses and enterprises was suggested. This focused more on communication with these groups. This could present an interesting theory for consumer outreach for EzDetect, specifically things like visiting them at their locations or at events focused around the target market. Using something like this and trying to personally connect with a client will also help improve the chances of clients following through on our recommendations. Bada and Nurse expanded on the usage of tools and third-party software in the construction of a cybersecurity program. Evaluation of any asset used was also an important point. It isn’t uncommon for some applications to fall behind on both content and practices in cybersecurity. Monitoring to make sure that small businesses get the best service will ensure both their safety and continued use of the service. This research is going to be important to assist in building a rapport with customers to get them in the door and to listen to the advice we give them. Employing methods to ensure our clients are aware of the threat they face, in a language they can easily understand, will allow them to make their own choices on what they need to focus on in education.
The time employees spend in training must be well-spent, and effective against the attacks they will commonly face. According to Bendovschi (2015), the common types of attacks were found to be denial of service, viruses, trojans, phishing, and social engineering. Bendovschi also found that of the attacks they studied less than 50% were solely from intended activity. Most attacks were due to a mix of human error and system vulnerabilities. This not only supports our previous ideas about how these attacks happen but also reinforces the idea of improving training. If the most common attacks focus on some area of social engineering or exploiting human behavior, then focusing on changing how people approach that behavior would be a good starting point. This relates to the earlier studies on SQL where incorrect configurations and coding mistakes were mentioned as well. One of the most common factors apparent in any cyber attack is some degree of human error. To effectively combat vulnerabilities, raising the awareness and education of the small businesses we will work with is just as important as the discovery of the vulnerabilities themselves. Bendovschi further recommended that companies should focus on their IT department’s health, authentication, internal commitments, and risk assessment. With these places outlined for a business, EzDetect can be placed as a third party used in risk assessment and commitments. Part of a risk assessment is determining what is most vulnerable, and what needs to be protected. This is where most pen-testing companies will be consulted or hired to help determine a business’s needs. Using an automatic tool like EzDetect will give the business a way to determine its risks with less cost than it would take to hire a regular penetration testing team. Then, with the recommendation of a pen-testing team or application in mind, an effective policy can be made and carried out to enforce rules or training.
Third-party materials could be used here to help construct a training regimen to ensure that staff keep up to date with problems and the rules they will follow.
Effects on a business
The final topic for research is the effect a cyber attack has on a business. While not immediately important to the development of our project, this is a matter to consider, as this worst-case scenario is what most businesses will come to us to avoid. This part of the research will also draw on mainstream news due to their documentation of attacks. There are mistakes made by some of the biggest tech companies in the world that are easy for small businesses to fall into as well. As of writing, a big breach occurred at 23andMe and is only the latest in the large cyber attacks that have happened. As of now, the attack is believed to have affected 6.9 million people’s ancestry data and came from a small pool of 14,000 previously compromised accounts. Similarly, Equifax underwent a breach in 2017 that affected 145 million people and their personally identifiable information. The Equifax breach is a good example of how training and testing could prevent such massive losses. Equifax was informed of the Apache Struts vulnerability CVE-2017-5638 in March 2017. This vulnerability was not patched until July, even though a fix was available in early March. In contrast to the multimillion-dollar lawsuit Equifax faced as a result, small businesses face their own threats, with Tam, Rao, and Hall (2021) finding that the average small business in the US lost 14,000 dollars a year to cyber threats. Bendovschi also points out another aspect of these attacks, with common results being the loss of data, records, and personal data like names, finances, and medical records. Small businesses have a lot to lose in these situations. The disparity between accessible cybersecurity measures and pricing is going to be an important factor in the usage of programs like EzDetect to combat potential problems. With preventative measures in place, it will reduce the potential losses of the small businesses we are trying to market to.
Outside major
Ethics is one of the most applicable subjects to our problem and innovation. Ethics can cover both the problem and our actions with the EzDetect software. Our problem can be best defined under the terms consequentialism or utilitarianism. These are two ethical ways of thinking that primarily deal with the consequences of actions. The only difference between the two is utilitarianism focuses on the good that comes from actions, whereas consequentialism focuses on the majority. Looking at our problem the ultimate goal of someone using a vulnerability is to breach a system and gain access to data. The consequences of this action are what our problem will relate to. The possible consequences for a breach are most often a loss of monetary value, data loss, and loss of trust. For these consequences, we do not see a lot of good being generated for people, as the majority of people involved will be working with victims, as employees or customers, versus the relatively small number of people involved in a breach. So by those two ethical metrics, we can classify most breaches as unethical. For EzDetect I would like to use contractarianism for its ethical metric. Contractarianism relies on a perceived social contract, or the accepted way to act. Ideas similar to this are most often used to see how companies that have cyberattacks or handle user data, react to threats to their users. For EzDetect, this means we would need to abide by the same things that most data companies follow. Without doing so, we would violate both contractarianism, consequentialism, and utilitarianism.
By violating the agreed social contract we would cause harm to many people. Just these three ethical metrics can be used to great effect on most of the tech field and vulnerability attacks. For a real example look at the Equifax breach in 2017. It is accepted that a company that handles sensitive data will keep its security up to date. Equifax made a decision that could be made by almost any business, keep some software out of date to save money. This decision had the potential consequence of a breach happening and harming consumers. In 2017 Equifax was breached due to unpatched vulnerabilities in old software, compromising one of America’s largest credit bureaus. By saving money Equifax caused a massive amount of harm and violated the social contract, and situations like this are more common among smaller businesses that do not have the resources to keep up to date. EzDetect would fit into this role so companies do not have to compromise on ethics for profit.
The second subject that has significant overlap is sociology. Sociology involves the study of human culture, and as such has some overlap with the culture of those who exploit vulnerabilities and of the small businesses and cybersecurity teams who face them. For software like EzDetect, it will be important to understand the people behind vulnerabilities and businesses, not just what we have designed it to do. A vulnerability, for example, is exploited by a hacker, but there is more than one type of hacker. For this, we primarily have to contend with black hats, gray hats, and script kiddies, as these are the most common types of hackers. Black hats are criminal hackers who breach systems with malicious intent. Script kiddies do the same, but rely on already-created software. These two are important to understand because they are a target group of our software, since it’s meant to stop them from attacking small businesses. Gray hats are similar to black hats but only hack for fun, so we must be careful with them, due to the extreme difference from person to person. Our target market, small businesses, must also be understood, since they have their own values that our software needs to fit. Sociology is a useful tool for us to understand them and customize our app to their needs. Someone who focuses on online selling will need us to have more options than someone whose website is more just to display themselves. Overall, ethics and sociology are important tools that overlap with our problem and the innovation to combat it.
Effectiveness
The effectiveness of the EzDetect software is going to be measured in two ways. The first is going to be by a survey, and the second will be by the software performance itself. The survey will be available from the application as a survey and bug report feature. This will allow a small business the flexibility to submit both feedback and problems when they need to. These surveys can then be read and the feedback can be cataloged to improve the service further. Using these surveys, we can receive more meaningful information directly from the target audience on how to improve it for them. The second way is going to be more mechanical. The performance of the software shouldn’t change. If the clients and small businesses we are working with have taken action against known vulnerabilities, then the software should have fewer vulnerabilities detected. If the software shows more vulnerabilities, it will be easy to know it isn’t as effective. That effectiveness should also be compared with the surveys to see if a business may have some outlying factors that weren’t considered.
Outside of these two factors, another measure of effectiveness should be what the software catches. The more complex a vulnerability or attack is, the harder it is to detect or replicate. If the software can replicate these attacks, like SQL injections or social engineering, its effectiveness for businesses should be worth more as an alternative to traditional pen-testing. Being able to recognize these attacks is only the beginning. EzDetect will need to not only recognize these threats but do so consistently to ensure the effectiveness of the product. If this effectiveness is lacking, then businesses will be able to report, via surveys and bug reports, any problems or false flagging from the software. Finally, the last measure of effectiveness is going to be recommendations or sales, as a product that gets recommended by others is more likely to be used than one with just good reviews. If EzDetect satisfies most of these goals, it will be a successful launch and project by our measurement, and if it gets all of them it will exceed all expectations.
Launch Requirements
First and foremost, to turn this project into reality, funding and development will be needed. It will cost money to make and maintain both the app and its services to customers. With funding, more things can be brought into the initial launch, and we can respond to the needs of both staff and customers. Funding will also allow for more marketing and outreach to businesses. This money will also be used to further the app’s design and features so that it will be able to do more in its scans or add new features entirely. Development will need to be the second highest priority, as both improvement and background work for the software will need to be carried out. Improving the software is going to be an important task to keep the software in line with cybersecurity standards, new attacks, and vulnerabilities. If not, the software could risk becoming a point of vulnerability itself and begin posing a risk to users. Beyond that, time for development will allow us to ensure the storage of both our application and user data is safe and can be used. A development team separate from the software team is going to be needed to set up the front end of the project, as a website and application will need to be built for use by the clientele. This development portion will be needed to make users as comfortable as possible. Ease of use and accessibility will be great factors in retaining users. We will need to retain early users to have a successful business model, especially since it is being offered as a subscription service. This model will need a good website, among other things, to help with both client acquisition and retention.
Customer retention is going to be another factor that is going to massively affect EzDetect. A subscription-based model needs a consistent base to maintain itself, and a growing one to profit. It is crucial that both old business clients and new ones are satisfied with the software to keep paying for it. This will also mean that the prices for the subscriptions will have to be adjusted to fit the average small business’s needs. The average cost will also have to compensate for the maintenance and running of the website, business, and development. To help with this the basics of a loyalty or consumer outreach program should be implemented in the launch to gain users, and retain them with items like discounts and referrals. Building connections with the clients will also increase the odds that they come back and continue to use our service. Customer trust will be another factor we will have to gain to make EzDetect real and effective. Trust is important for every business, and can have catastrophic consequences if lost. A loss of trust will incur heavy damage to both the software and the business, so the EzDetect software will need to prove to users it will not be a danger to them. Ideally, this will be achieved with performance, but we will also need to have a method of showing transparency for any collected data. Unclear practices will hamper our ability to make sales and build trust. It will also be important to understand our target audience here, as a small business will differ in behavior from a bigger business. This difference will need to be taken into account, as a small business should be more careful about its decisions than a larger business.
Finally, the last thing we will need to make EzDetect a reality is the staff. Staff are going to be required to help make the software, and manage the business. We will need people with both experience in operating systems, and coding languages like SQL to build software capable of detecting vulnerabilities in a client’s systems. Development staff will also be needed for plans to upgrade the software to be more proactive in its duties. Front-end and customer support staff will be needed to ensure the website is running fine and all inquiries from clients, and their reports get handled correctly. Additional teams will be needed for customer support alone to handle nighttime hours. Office staff will need to be hired to help internal staff with problems, as well as management and accounting. Staffing the project is going to be a heavy drain on resources, but it will need to be done for EzDetect to work and grow.
Plans
There are a couple of options the EzDetect dev team has as future additions or upgrades. One of the plans we have is to expand on the abilities of EzDetect to make it more proactive. This is planned to be achieved with the implementation of a 24/7 app that scans for vulnerabilities in real time. It is also planned for the software to be able to auto-update some applications if they have updates available, but this feature may have some unintended backlash. Another plan was to have a modular classroom system to go with the reports so that businesses could have a flexible option to set up cybersecurity training. This would mean that what is taught can be shifted to suit a business’s needs. Workers who only handle customer support or front-end mechanics can be taught about passwords and the common types of phishing and ransomware attacks, and how they are vulnerable to them. Users who work in more complex areas like IT or management need to be aware of more threats, so their course could cover more areas like SQL injections or known exploits. Expanding to multiple locations would also be good to allow for more staff as we grow. Further than that, an ideal goal should be a possible international launch to attempt to break into the market in areas like the European Union or areas like Japan and Korea. All of the areas mentioned above have technical needs that something like EzDetect could fill.
Overall, the plans for EzDetect would mean that it will expand past its current target market once it is ready. This project was a good learning experience; importantly, I learned to take a step back and consider what to include and what not to. Primarily though, I would change how the beginning of the project went, if anything. By working closer as a group in the beginning, the project could have come together much more smoothly, and things wouldn’t have been so detached between members. The biggest lesson learned is about communication, because the project became clearer once the group got together and talked through a large part of our content.
References.
Austin, A., Holmgreen, C., & Williams, L. (2013). A comparison of the efficiency and effectiveness of vulnerability Discovery Techniques. Information and Software Technology, 55(7), 1279–1288. https://doi.org/10.1016/j.infsof.2012.11.007
Antunes, N., & Vieira, M. (2009). Comparing the effectiveness of penetration testing and static code analysis on the detection of SQL injection vulnerabilities in web services. 2009 15th IEEE Pacific Rim International Symposium on Dependable Computing. https://doi.org/10.1109/prdc.2009.54
Bada, M., & Nurse, J. R. C. (2019). Developing cybersecurity education and awareness programmes for small- and medium-sized enterprises (smes). Information & Computer Security, 27(3), 393–410. https://doi.org/10.1108/ics-07-2018-0080
Bendovschi, A. (2015). Cyber-attacks – trends, patterns and security countermeasures. Procedia Economics and Finance, 28, 24–31. https://doi.org/10.1016/s2212-5671(15)01077-1
Carballo, R. (2023, December 5). Data breach at 23andMe affects 6.9 million profiles, Company says. The New York Times. https://www.nytimes.com/2023/12/04/us/23andme-hack-data.html
Electronic Privacy Information Center. (n.d.). EPIC – Equifax Data Breach. https://archive.epic.org/privacy/data-breach/equifax/
Cost of a data breach 2023. IBM. (n.d.). https://www.ibm.com/reports/data-breach
de Bruijn, H., & Janssen, M. (2017). Building Cybersecurity Awareness: The need for evidence-based framing strategies. Government Information Quarterly, 34(1), 1–7. https://doi.org/10.1016/j.giq.2017.02.007
Indre, I., & Lemnaru, C. (2016). Detection and prevention system against Cyber Attacks and botnet malware for information systems and internet of things. 2016 IEEE 12th International Conference on Intelligent Computer Communication and Processing (ICCP). https://doi.org/10.1109/iccp.2016.7737142
Quigley, K., Burns, C., & Stallard, K. (2015). ‘cyber gurus’: A rhetorical analysis of the language of cybersecurity specialists and the implications for security policy and critical infrastructure protection. Government Information Quarterly, 32(2), 108–117. https://doi.org/10.1016/j.giq.2015.02.001
Tam, T., Rao, A., & Hall, J. (2021). The good, the bad and the missing: A narrative review of cyber-security implications for Australian Small Businesses. Computers & Security, 109, 102385. https://doi.org/10.1016/j.cose.2021.102385