  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
291

The cost of free instant messaging: an attack modelling perspective

Du Preez, Riekert January 2006
Instant Messaging (IM) has grown tremendously over the last few years. Even though IM was originally developed as a social chat system, it has found a place in many companies, where it is being used as an essential business tool. However, many businesses rely on free IM and have not implemented a secure corporate IM solution. Most free IM clients were never intended for use in the workplace and, therefore, lack strong security features and administrative control. Consequently, free IM clients can provide attackers with an entry point for malicious code in an organization’s network that can ultimately lead to a company’s information assets being compromised. Therefore, even though free IM allows for better collaboration in the workplace, it comes at a cost, as the title of this dissertation suggests. This dissertation sets out to answer the question of how free IM can facilitate an attack on a company’s information assets. To answer the research question, the dissertation defines an IM attack model that models the ways in which an information system can be attacked when free IM is used within an organization. The IM attack model was created by categorising IM threats using the STRIDE threat classification scheme. The attacks that realize the categorised threats were then modelled using attack trees as the chosen attack modelling tool. Attack trees were chosen because of their ability to model the sequence of attacker actions during an attack. The author defined an enhanced graphical notation that was adopted for the attack trees used to create the IM attack model. The enhanced attack tree notation extends traditional attack trees to allow nodes in the trees to be of different classes and, therefore, allows attack trees to convey more information. During the process of defining the IM attack model, a number of experiments were conducted where IM vulnerabilities were exploited. 
Thereafter, a case study was constructed to document a simulated attack on an information system that involves the exploitation of IM vulnerabilities. The case study demonstrates how an attacker’s attack path relates to the IM attack model in a practical scenario. The IM attack model provides insight into how IM can facilitate an attack on a company’s information assets. The creation of the attack model for free IM led to several realizations. The IM attack model revealed that even though the use of free IM clients may seem harmless, such IM clients can facilitate an attack on a company’s information assets. Furthermore, certain IM vulnerabilities may not pose a great risk by themselves, but when combined with the exploitation of other vulnerabilities, a much greater threat can be realized. These realizations hold true to what French playwright Jean Anouilh once said: “What you get free costs too much”.
292

A baseline for information security knowledge for end users

Boshoff, Ryno January 2012
Information plays a vast contributing role to all resources within an organisation. Organisations should recognise the importance of information and implement information security controls to protect their information as this will ensure that the organisation’s information retains its confidentiality, integrity and availability. Information security controls, which are the means of managing information risks, rely heavily on the user’s knowledge regarding the use of these controls for their effectiveness, and as such, users should be educated in order to maximise effectiveness of these controls. Current information security educational programmes are created without necessarily taking into account the target audience, which comprises all employees, stakeholders, suppliers, third parties, customers or other external parties or third party that requires access to the organisation’s information. This results in programmes that are not linguistically appropriate; or that present knowledge at an inappropriate level for the target audience. This could leave users bored or confused, without successfully changing their behaviour or improving knowledge. This dissertation identifies a baseline for information security knowledge targeted at end users. This was done by means of a Delphi Study, where a profile of “generic” end users comprised of information security topics and concepts were rated by experts from the field of information security education. This resulted in the elimination of inappropriate topics and concepts and retaining the relevant and appropriate aspects. This baseline for information security knowledge can be characterised as a minimum standard that everybody should be educated on as an introductory or refresher course. This can also serve as the foundation phase to educate end users with knowledge of the basic topics and concepts to enable them to fulfil their responsibilities in order to protect information.
If needed, topics and concepts could be added to the baseline for information security knowledge for specialised target audiences (e.g. specialised End Users, ICT Staff or Top Management).
293

Managing an information security policy architecture : a technical documentation perspective

Maninjwa, Prosecutor Mvikeli January 2012
Information and the related assets form critical business assets for most organizations. Organizations depend on their information assets to survive and to remain competitive. However, the organization’s information assets are faced with a number of internal and external threats, aimed at compromising the confidentiality, integrity and/or availability (CIA) of information assets. These threats can be of physical, technical, or operational nature. For an organization to successfully conduct its business operations, information assets should always be protected from these threats. The process of protecting information and its related assets, ensuring the CIA thereof, is referred to as information security. To be effective, information security should be viewed as critical to the overall success of the organization, and therefore be included as one of the organization’s Corporate Governance sub-functions, referred to as Information Security Governance. Information Security Governance is the strategic system for directing and controlling the organization’s information security initiatives. Directing is the process whereby management issues directives, giving a strategic direction for information security within an organization. Controlling is the process of ensuring that management directives are being adhered to within an organization. To be effective, Information Security Governance directing and controlling depend on the organization’s Information Security Policy Architecture. An Information Security Policy Architecture is a hierarchical representation of the various information security policies and related documentation that an organization has used. When directing, management directives should be issued in the form of an Information Security Policy Architecture, and controlling should ensure adherence to the Information Security Policy Architecture. 
However, this study noted that in both literature and organizational practices, Information Security Policy Architectures are not comprehensively addressed and adequately managed. Therefore, this study argues towards a more comprehensive Information Security Policy Architecture, and the proper management thereof.
294

Using agreements as an abstraction for access control administration

Reyneke, André January 2007
The last couple of decades saw lots of changes in the business world. Not only did technology change at a rapid pace, but businesses' views with respect to the role that information plays also changed drastically. Information is now seen as a strategic resource. This change paved the way for the so-called knowledge worker that not only consumes information, but actively participates in creating new knowledge from information. Employees must therefore be empowered to fulfill their new role as knowledge workers. Empowerment happens through job redefinition and by ensuring that the appropriate information is at hand. Although information is more readily available to employees, appropriate access controls must still be implemented. However, there is conflict between the need to share information and the need to keep information confidential. These conflicting needs must be reflected in the administration of access control. In order to resolve these conflicts, a finer granularity of access controls must be implemented. However, to implement a finer granularity of access control, an increase in the number of access controls and, therefore, the administrative burden is inevitable. Access control administrators must cater for a potentially large number of systems. These systems can not only be heterogenous as far as architecture and technology are concerned, but also with respect to access control paradigms. Vendors have realized that human involvement must be minimized, giving birth to so-called "provisioning systems". Provisioning systems, in principle, automate certain parts of access control administration. However, currently implementations are done in an ad hoc manner, that is, without a systematic process of identifying the real access control needs. This study aims to address this problem by proposing the "agreement abstraction" as a possible vehicle for systematically analyzing the access control requirements in a business. 
In essence, the agreement abstraction allows us to identify opportunities where access control can be automated. A specific methodological approach is suggested whereby the business is analysed in terms of business processes, as opposed to the more traditional resource perspective. Various business processes are used as examples to explain and motivate the proposed agreement abstraction further. This dissertation therefore contributes to the field of discourse by presenting a new abstraction that can be used systematically to analyse access control administration requirements.
295

An access control model based on time and events

Jaggi, Felix P. January 1990
A new access control model incorporating the notion of time and events is introduced. It allows the specification of fine-grained and flexible security policies which are sensitive to the operating environment. The system constraints, expressed in terms of access windows and obligations, are stored in extended access control lists. The addition of a capability mechanism gives another dimension of protection and added flexibility, so that the flexibility and expressive power of the system constraints is fully supported by the underlying mechanism. The approach is compared to several existing models and its expressive power is demonstrated by showing the new model can be used to specify different existing security models as well as some special problems. The model is then adapted to work in a distributed environment. / Science, Faculty of / Computer Science, Department of / Graduate
296

A model to assess the Information Security status of an organization with special reference to the Policy Dimension.

Grobler, Cornelia Petronella 29 May 2008
Information Security is becoming a high-priority issue in most organizations. Management is responsible for the implementation of security in the organization. Information Security is a multi-dimensional discipline. A well-defined Information Security Management strategy will enable managers to manage security effectively and efficiently in the organization. Management must be able to assess the current security status of the organization. Currently, no comprehensive, integrated assessment tool or model exists to assess the total security posture of an organization. The study will address the problem by proposing a high-level integrated assessment model for Information Security. The study is divided into 4 parts. Part one: Introduction to Information Security Management consists of three chapters. Chapter 1 provides the user with an introduction and background to the study. In chapter 2, the study discusses Information Security as a multi-dimensional discipline. The dimensions identified are the Corporate Governance (Strategic and Operational), Policy, People, Risk Management, Legal, Compliance and Technology dimensions. Information Security is no longer a technical issue, it must be managed. The need for an Information Security Management strategy is discussed in chapter 3 of the study. A successful management strategy should be based on a well-defined Information Security Architecture. Part 2: Information Security Architectures, of the study consists of one chapter. Chapter 4 of the study discusses and compares different Information Security Architectures. The study uses the information gathered from the comparative study and best practices: CobiT and ISO17799, to propose a new Information Security Architecture: RISA. The study uses this architecture as a framework for the assessment model. Part 3: Assessing security consists of five chapters. Chapter 5 discusses the characteristics of assessment and proposes an assessment framework. 
The study recognizes that assessment on the different levels of an organization will be different, as the assessment requirements on management level will differ from the requirements on a technical level. It is important to use best practices in the assessment model as it enables organizations to prove their security readiness and status to business partners. Best practices and standards enable organizations to implement security in a structured way. Chapter 6 discusses the ISO17799 and CobiT as best practices and their role in the assessment process. Chapter 7 of the study discusses various factors that will influence security assessment in an organization. These factors are the size of the organization, the type of organization and the resources that need to be secured. The chapter briefly discusses the various dimensions of Information Security and identifies deliverables to assess for every dimension. The chapter proposes a high-level, integrated assessment plan for Information Security, using the deliverables identified for each dimension. The study refines the assessment plan for the Policy Dimension in chapter 8. The chapter proposes various checklists to determine the completeness of the policy set, correct format of every documented policy and if supporting documentation exist for every documented policy. A policy status result will be allocated to each policy that the organization needs. The status results of all the individual policies will be combined to determine the security status of the Policy dimension. The study proposes an integrated high-level assessment model in chapter 9 of the study. This model uses the RISA and assessment plan as proposed in chapter 7. It includes all the specified dimensions of Information Security. The assessment model will enable management to obtain a comprehensive high-level picture of the total security posture of an organization. Chapter 10 will summarize the research done and propose further research to be done. 
/ Prof. S.H. von Solms
297

Institutionalizing information security.

Von Solms, Elmarie 04 June 2008
Information security has become a much discussed subject all over the world in the last few years. This is because information security is no longer a luxury, but a necessity in all organisations. The securing of information is not an easy task because information security is flexible and always seems to be in a state of development. This means that information security has undergone different development changes due to new technologies in the past few years. Information security became prominent around 50 years ago and had a very strict technical approach. In this approach, industries mainly worked with mainframes, with little or no concept of management aspects such as security policies or awareness programmes. The technical approach thus included little or no management effort in terms of information security. The need to manage information security began when new technologies such as the Internet and the World Wide Web were introduced to the information security environment. This caused information security to shift from the technical to the more managerial approach. The move of information security from the technical to the managerial approach may be identified through different development trends. These development trends have occurred mainly to improve information security management in any organisation. The primary purpose of this dissertation is therefore to identify and investigate different development trends that have an influence on information security, especially from a managerial point of view. / Prof. J.H.P. Eloff
298

A secure steganographic file system with non-duplicating properties

Ellefsen, Ian David 11 September 2012
M.Sc. / This dissertation investigates the possibility of a steganographic file system which does not have to duplicate hidden data in order to avoid "collisions" between the hidden and non-hidden data. This will ensure the consistency of the hidden data, and avoid unnecessary data duplication while at the same time providing an acceptable level of information security. The dissertation will critically analyse a number of existing steganographic file systems in order to determine the problems which are faced by this field. These problems will then be addressed, which will allow for the definition of a possible solution. In order to provide a more complete understanding of the implementation discussed in the latter part of this dissertation, a number of background concepts are discussed. This includes a discussion of file systems, cryptography, and steganography, each of which contributes to the body of knowledge required for later chapters. The latter part of this dissertation outlines the Secure Steganographic File System (SSFS). This implementation will attempt to effectively manage the storage of hidden data which is embedded within a host file system. The dissertation will outline how SSFS will allow fragments of hidden data to exist in any physical location on a storage device, while still maintaining a consistent file system structure. The dissertation will then critically analyse the impact of such a system, by examining the impact on the host file system's performance. This will allow the feasibility of such a system to be demonstrated.
299

Automated Defense Against Worm Propagation.

Patwardhan, Sudeep 12 1900
Worms have caused significant destruction over the last few years. Network security elements such as firewalls, IDS, etc. have been ineffective against worms. Some worms are so fast that a manual intervention is not possible. This brings in the need for a stronger security architecture which can automatically react to stop worm propagation. The method has to be signature independent so that it can stop new worms. In this thesis, an automated defense system (ADS) is developed to automate defense against worms and contain the worm to a level where manual intervention is possible. This is accomplished with a two level architecture with feedback at each level. The inner loop is based on control system theory and uses the properties of PID (proportional, integral and differential controller). The outer loop works at the network level and stops the worm from reaching its spread saturation point. In our lab setup, we verified that with only inner loop active the worm was delayed, and with both loops active we were able to restrict the propagation to 10% of the targeted hosts. One concern for deployment of a worm containment mechanism was degradation of throughput for legitimate traffic. We found that with a proper intelligent algorithm we can minimize the degradation to an acceptable level.
300

Decentralizovaný komunikační nástroj s garancí anonymity / Decentralized communication tool with anonymity guarantee

Legéň, Michal January 2010
Anonymity on the internet is becoming an actual issue nowadays. There are several tools that can be used to monitor users' activity, and this can lead to a loss of users' privacy. The aim of this master's thesis is to describe the different ways in which anonymous systems work, especially the method called Onion Routing. The introduction of this work is devoted to the description of this method together with the asymmetric cryptosystem RSA. The second part covers the basics of socket programming and the implementation of an anonymous system in the programming language C++. The final part is focussed on analysis of the system in terms of security and time complexity. The conditions of anonymity and decentralization are accomplished. There is no central server in the system and the management is handled by signalling messages.
