Information security with special reference to database interconnectivity.

Coetzee, Marijke

29 May 2008

Information can be considered a company’s most valued asset and should be protected as such. In the past, companies allowed very limited access to corporate information. Today, the rapid growth of the Internet increases the importance of connecting to existing databases. Access to such web-enabled databases, containing sensitive information such as credit card numbers must be made available only to those who need it. The security of web-enabled databases is challenged, as huge user populations access corporate information, past traditional perimeters. Providing a secure web-enabled database environment is not as simple as creating a few dynamic pages linked to a secured database. As a web-enabled database is very sophisticated, consisting of various applications in front of the database, it is vulnerable to attack. Furthermore, since most malicious intrusions occur from inside, defences such as firewalls, intrusion detection and virus scanning provide limited protection. The principle aim of this study was to consider security services and mechanisms that would provide protection to web-enabled databases. As database security has been a well-researched topic ever since the first databases were used, it was decided to investigate whether traditional database security could possibly provide a basic framework to be used when approaching the security of web-enabled databases. An investigation was made into nine current state database security services and their associated mechanisms. Additional services and mechanisms were identified, that could provide protection in the new environment. The integrated service provided by web-enabled databases was contrasted to the service provided by current state database security. A model was developed that illustrated how these services and mechanisms could be applied to create a secure web-enabled database. The study was brought to an end with a conclusion on the security that can be attained by web-enabled databases. Further problem areas, which could be researched in the future, were touched upon briefly. / Prof. J.H.P. Eloff

web database security measures

database security

A security model for a virtualized information environment

Tolnai, Annette

15 August 2012

D.Phil. / Virtualization is a new infrastructure platform whose trend is sweeping through IT like a blaze. Improving the IT industry by higher utilization from hardware, better responsiveness to changing business conditions and lower cost operations is a must have in the new generation of virtualization solutions. Virtualization is not just one more entry in the long line of “revolutionary” products that have hit the technology marketplace. Many parts of the technology ecosystem will be affected as the paradigm shifts from the old one-to-one correspondence between software and hardware to the new approach of software operating on any hardware that happens to be most suitable to use at the time. This brings along with it security concerns, which need to be addressed. Security evolving in and around the virtualized system will become more pertinent the more virtualization is employed into everyday IT technology and use. In this thesis, a security model for virtualization will be developed and presented. This model will cover the different facets needed to address virtualization security.

Computer security

Guidelines for cybersecurity education campaigns

Reid, Rayne

January 2017

In our technology- and information-infused world, cyberspace is an integral part of modern-day society. As the number of active cyberspace users increases, so too does the chances of a cyber threat finding a vulnerable target increase. All cyber users who are exposed to cyber risks need to be educated about cyber security. Human beings play a key role in the implementation and governing of an entire cybersecurity and cybersafety solution. The effectiveness of any cybersecurity and cybersafety solutions in a societal or individual context is dependent on the human beings involved in the process. If these human beings are either unaware or not knowledgeable about their roles in the security solution they become the weak link in these cybersecurity solutions. It is essential that all users be educated to combat any threats. Children are a particularly vulnerable subgroup within society. They are digital natives and make use of ICT, and online services with increasing frequency, but this does not mean they are knowledgeable about or behaving securely in their cyber activities. Children will be exposed to cyberspace throughout their lifetimes. Therefore, cybersecurity and cybersafety should be taught to children as a life-skill. There is a lack of well-known, comprehensive cybersecurity and cybersafety educational campaigns which target school children. Most existing information security and cybersecurity education campaigns limit their scope. Literature reports mainly on education campaigns focused on primary businesses, government agencies and tertiary education institutions. Additionally, most guidance for the design and implementation of security and safety campaigns: are for an organisational context, only target organisational users, and mostly provide high-level design recommendations. This thesis addressed the lack of guidance for designing and implementing cybersecurity and cybersafety educational campaigns suited to school learners as a target audience. The thesis aimed to offer guidance for designing and implementing education campaigns that educate school learners about cybersecurity and cybersafety. This was done through the implementation of an action research process over a five-year period. The action research process involved cybersecurity and cybersafety educational interventions at multiple schools. A total of 18 actionable guidelines were derived from this research to guide the design and implementation of cybersecurity and cybersafety education campaigns which aim to educate school children.

Computer security

Computer networks -- Security measures

Novel framework to support information security audit in virtual environment

Nagarle Shivashankarappa, A.

January 2013

Over the years, the focus of information security has evolved from technical issue to business issue. Heightened competition from globalization compounded by emerging technologies such as cloud computing has given rise to new threats and vulnerabilities which are not only complex but unpredictable. However, there are enormous opportunities which can bring value to business and enhance stakeholders’ wealth. Enterprises in Oman are compelled to embark e-Oman strategy which invariably increases the complexity due to integration of heterogeneous systems and outsourcing with external business partners. This implies that there is a need for a comprehensive model that integrates people, processes and technology and provides enterprise information security focusing on organizational transparency and enhancing business value. It was evident through interviews with security practitioners that existing security models and frameworks are inadequate to meet the dynamic nature of threats and challenges inherent in virtualization technology which is a catalyst to cloud computing. Hence the intent of this research is to evaluate enterprise information security in Oman and explore the potential of building a balanced model that aligns governance, risk management and compliance with emphasis to auditing in virtual environment. An integrated enterprise governance, risk and compliance model was developed where enterprise risk management acts as a platform, both mitigating risk on one hand and as a framework for defining cost controls and quantifying revenue opportunities on the other. Further, security standards and frameworks were evaluated and some limitations were identified. A framework for implementing IT governance focusing on critical success factors was developed after analysing and mapping the four domains of COBIT with various best practices. Server virtualization using bare metal architecture was practically tested which provides fault-tolerance and automated load balancing with enhanced security. Taxonomy of risks inherent in virtual environments was identified and an audit process flow was devised that provides insight to auditors to assess the adequacy of controls in a virtual environment. A novel framework for a successful audit in virtual environment is the contribution of this research that has changed some of the security assumptions and audit controls in virtual environment.

005.8

An information security perspective on XML web services.

Chetty, Jacqueline

29 May 2008

The Internet has come a long way from its humble beginnings of being used as a simple way of transporting data within the US army and other academic organizations. With the exploding growth of the Internet and the World Wide Web or WWW more and more people and companies are not only providing services via the WWW but are also conducting business transactions. In today’s Web-based environment where individuals and organizations are conducting business online, it is imperative that the technologies that are being utilized are secure in every way. It is important that any individual or organization that wants to protect their data in one form or another adhere to the five (5) basic security services. These security services are Identification and Authentication, Authorization, Confidentiality, Integrity and Non-repudiation This study looks at two Web-based technologies, namely XML and XML Web services and provides an evaluation of whether or not the 5 security services form part of the security surrounding these Web-based technologies. Part 1 is divided into three chapters. Chapter 1, is an Introduction and roadmap to the dissertation. This chapter provides an introduction to the dissertation. Chapter 2 provides an Overview of XML. The reader must not view this chapter as a technical chapter. It is simply a chapter that provides the reader with an understanding of XML so that the reader is able to understand the chapter surrounding XML security. Chapter 3 provides an Overview of Web services. Again the reader must not view this chapter as a technical chapter and as in chapter 2 this chapter must be seen as an overview providing the reader with a broad picture of what Web services is. A lot of technical background and know how has not been included in these two chapters. Part 2 is divided into a further three chapters. Chapter 4 is titled Computer Security and provides the reader with a basic understanding surrounding security in general. The 5 security services are introduced in more detail and the important mechanisms and aspects surrounding security are explained. Chapter 5 looks at how XML and Web services are integrated. This is a short chapter with diagrams that illustrate how closely XML and Web services are interwoven. Chapter 6 is the most important chapter of the dissertation. This chapter is titled XML and Web services security. This chapter provides the reader with an understanding of the various XML mechanisms that form part of the Web services environment, thus providing security in the form of the 5 security services. Each XML mechanism is discussed and each security service is discussed in relation to these various mechanisms. This is all within the context of the Web services environment. The chapter concludes with a table that summarizes each security service along with its corresponding XML mechanism. Part 3 includes one chapter. Chapter 7 is titled Mapping XML and Web services against the 5 security services. This chapter makes use of the information from the previous chapter and provides a summary in the form of a table. This table identifies each security service and looks at the mechanisms that provide that service within a Web services environment. Part 4 provides a conclusion to the dissertation. Chapter 8 is titled Conclusion and provides a summary of each preceding chapter. This chapter also provides a conclusion and answers the question of whether or not the 5 information security services are integrated into XML and Web services. / von Solms, S.H., Prof.

Computer security

World Wide Web security measures

Biometriese enkelaantekening tot IT stelsels

Tait, Bobby Laubscher

21 April 2009

M.Comm.

Computer security

Access control

Security measures

Biometry

Assessing program code through static structural similarity

Naude, Kevin Alexander

January 2007

Learning to write software requires much practice and frequent assessment. Consequently, the use of computers to assist in the assessment of computer programs has been important in supporting large classes at universities. The main approaches to the problem are dynamic analysis (testing student programs for expected output) and static analysis (direct analysis of the program code). The former is very sensitive to all kinds of errors in student programs, while the latter has traditionally only been used to assess quality, and not correctness. This research focusses on the application of static analysis, particularly structural similarity, to marking student programs. Existing traditional measures of similarity are limiting in that they are usually only effective on tree structures. In this regard they do not easily support dependencies in program code. Contemporary measures of structural similarity, such as similarity flooding, usually rely on an internal normalisation of scores. The effect is that the scores only have relative meaning, and cannot be interpreted in isolation, ie. they are not meaningful for assessment. The SimRank measure is shown to have the same problem, but not because of normalisation. The problem with the SimRank measure arises from the fact that its scores depend on all possible mappings between the children of vertices being compared. The main contribution of this research is a novel graph similarity measure, the Weighted Assignment Similarity measure. It is related to SimRank, but derives propagation scores from only the locally optimal mapping between child vertices. The resulting similarity scores may be regarded as the percentage of mutual coverage between graphs. The measure is proven to converge for all directed acyclic graphs, and an efficient implementation is outlined for this case. Attributes on graph vertices and edges are often used to capture domain specific information which is not structural in nature. It has been suggested that these should influence the similarity propagation, but no clear method for doing this has been reported. The second important contribution of this research is a general method for incorporating these local attribute similarities into the larger similarity propagation method. An example of attributes in program graphs are identifier names. The choice of identifiers in programs is arbitrary as they are purely symbolic. A problem facing any comparison between programs is that they are unlikely to use the same set of identifiers. This problem indicates that a mapping between the identifier sets is required. The third contribution of this research is a method for applying the structural similarity measure in a two step process to find an optimal identifier mapping. This approach is both novel and valuable as it cleverly reuses the similarity measure as an existing resource. In general, programming assignments allow a large variety of solutions. Assessing student programs through structural similarity is only feasible if the diversity in the solution space can be addressed. This study narrows program diversity through a set of semantic preserving program transformations that convert programs into a normal form. The application of the Weighted Assignment Similarity measure to marking student programs is investigated, and strong correlations are found with the human marker. It is shown that the most accurate assessment requires that programs not only be compared with a set of good solutions, but rather a mixed set of programs of varying levels of correctness. This research represents the first documented successful application of structural similarity to the marking of student programs.

Computer networks -- Security measures

Internet -- Security measures

Security in International Relations: International cooperation to prevent non-states threats. / Security in International Relations: International cooperation to prevent non-states threats.

Klykova, Ekaterina

January 2012

Thesis is focusing on the analysis of the situation in Syria in the period since 2011 till present times. First part will present main theoretical thoughts on the international security such as Realist school, Liberalist school, Human and Collective security concepts and the most modern theoretical school of security- Copenhagen school. That was done in case to have a clear notion of the international security development and to chose the one theory which will reflect the best the situation in Syria. In the practical part I analyzing the actions and inter actions of the main international security actors, such as United Nations plus important actors in the region of the Middle East -- Arab League, and of course Syrian government and opposition. Also I will try to apply Copenhagen school of Security on the Syrian situation and to find out if that theory is good or not for that kind of analysis. After browsing actions taken by actors and opposition in the conclusion I found out that nowadays international security system cannot be called very successful and that Copenhagen school of Security its good explanatory theory but it pretty useless in case of conflict resolution.

The Effectiveness of Remote Wipe as a Valid Defense for Enterprises Implementing a BYOD Policy

Uz, Ali

January 2014

In today’s work place where corporations allow employees to use their own smart phones to access their company’s network and sensitive data, it is essential to ensure the security of said data. When an employee smart phone is compromised, companies will rely on the remote wipe command that attempts to remove sensitive data. In this thesis, we analyze the effectiveness of remote wipe commands on the Apple iPhone and Android model devices and demonstrate how data can be recovered following a remote wipe procedure. We conduct two experiments on each device to verify whether remote wipe is a viable defense mechanism or not. Furthermore, we touch on the subject of mobile forensics used by law enforcement and review methods and techniques used to recover data for use as evidence in criminal cases.

security

mobile security

BYOD

mobile forensics

forensics

Security analysis of bytecode interpreters using Alloy

Reynolds, Mark Clifford

January 2012

Thesis (Ph.D.)--Boston University / Security of programming languages, particularly programming languages used for network applications, is a major issue at this time. Despite the best efforts of language designers and implementers, serious security vulnerabilities continue to be discovered at an alarming rate. Thus, development of analysis tools that can be used to uncover insecure or malicious code is an important area of research. This thesis focuses on the use of the lightweight formal method tool Alloy to perform static analysis on binary code, Byte-compiled languages that run on virtual machines are of particular interest because of their relatively small instruction sets, and also because they are well represented on the Internet. This thesis describes a static analysis methodology in which desired security properties of a language are expressed as constraints in Alloy, while the actual bytes being analyzed are expressed as Alloy model initializers. The combination of these two components yields a complete Alloy model in which any model counterexample represents a constraint violation, and hence a security vulnerability. The general method of expressing security requirements as constraints is studied, and results are presented for Java bytecodes running on the Java Virtual Machine, as well as for Adobe Flash SWF files containing ActionScript bytecodes running on the Action Script Virtual Machine. It is demonstrated that many examples of malware are detected by this technique. In addition, analysis of benign software is shown to not produce any counterexamples. This represents a significant departure from standard methods based on signatures or anomaly detection.

Programming languages

Security analysis

Digital security