Iran’s Cyber Capabilities and Assessing Security Standards for Popular Iranian Websites

Mohsen Abdollahzadeh Aghbolagh, Andrey I. Trufanov

Abstract


The security of online users depends on various factors. Among the most important are following security standards and using reliable, up-to-date technology, including the standards and technologies created in recent years specifically to increase data and communication security on websites and various internet services. However, numerous studies show that the current state of global web security is still not satisfactory, and these standards and technologies are not being applied as fast as they are developed. Our research at CERTFA Lab on popular Iranian websites (414 websites) shows that the security of Iranian websites does not differ from the global level, and very few websites fully utilize the security standards and modern technologies. According to our investigation, only 7 of the assessed websites use a CSP2 configuration; the implementations of Cafebazaar.ir and Virgool.io are more detailed, and the other 5 websites use only the upgrade-insecure-requests option as a default setting for CSP. The other popular websites not only did not use the CSP header but also neglected to use the basic security headers. In addition, the analysis of modern standards in this study (such as DNSSEC, CAA, DMARC, SPF, and Expect-CT), which are mandatory for most Internet businesses, indicates that only Eligasht.com, one of the popular Iranian websites, has properly used these standard configurations. Since these security standards and modern technologies are easy to use and cheap to implement, the reason for this undesirable situation might be the negligence of admins and service providers.

Keywords


Online Security, Security Standards Requirements, Website Security.





DOI: http://dx.doi.org/10.26583/bit.2023.1.04



Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.