More and more often, the media reports breaches in the databases of large companies all over the world that result in millions of users accounts getting compromised, or several hour long unavailability of vital services. Similarly, disinformation through the hacking of trusted news portals can have serious effects on our lives, even if indirectly. One of the most fundamental ways of preventing such incidents is performing a full scale security assessment of such critical information systems by simulating real attacks.
In my diploma thesis, I will point out the most significant threats to widely used types of IT systems, as well as the necessity and means to actually handle those threats. My work starts with the introduction of the terminology used in the field of vulnerability analysis, then it goes on with the detailed discussion of an internationally accepted and widely used methodology of performing such analyses, as it is taught in the accredited course of Kürt Academy, as well.
Through a practical example, using the above mentioned methodology, I will show how much information can be accessed by anyone attacking from the direction of the Internet, how interesting targets are usually identified, and the means to explore their vulnerabilities. Afterwards, we will take a look at another angle, exposing the threats arising from the possible presence of an internal attacker, i.e. someone with (either limited or privileged) access to the system.
The practical example used is the vulnerability assessment of the computer network serving the Faculty of Electrical Engineering and Informatics of the Budapest University of Technology and Economics. In my assessment, a number of identified security threats to that network are exposed, and suggestions to eliminate these threats are made. The technical details of the identified threats are attached to my thesis in the Appendices part, but a significant amount of information, esp. the raw output of the performed analyses, is made available on a password protected, public storage server, as the amount of raw data is much more than what could be included in this thesis.