481

Social Engineering and Internal Threats in Organizations

Arenas, Miguel Tames January 2008
Organizations are taking computer security more seriously every day, investing huge amounts of money in creating stronger defenses including firewalls, anti-virus software, biometrics and identity access badges. These measures have made the business world more effective at blocking threats from the outside, and made it increasingly difficult for hackers or viruses to penetrate systems. But there are still threats that put organizations at risk, and these threats are not necessarily from external attackers. In this paper we will analyze what the internal threats in organizations are, why we are vulnerable, and the best methods to protect our organizations from inside threats.
482

A control model for the evaluation and analysis of control facilities in a simple path context model in a MVS/XA environment

Damianides, Marios 28 July 2014
M.Com. (Computer Auditing) / The need to evaluate today's complex computer environments from an audit perspective has increased, particularly in view of the disappearance of a paper audit trail and the inefficiencies of auditing "around" the computer in these environments. By making use of the Access Path and the Path Context Models, it was possible to carry out an evaluation of the MVS/XA environment. This evaluation was carried out using the methodology developed in this research essay. This methodology may have universal applicability in the evaluation of computer security. The concept of each layer in the access path being a "net", which only allows authorised users to drop to the next layer, was applied. It was found that each systems software component had sufficient facilities to meet the control objectives. The operating system itself, however, was found to present the installation with more risk factors than controls. It was therefore concluded that an external access control software package needs to be implemented to supplement the controls in this environment, if the control objectives are to be met. It was also concluded that the implementation of this package would not, in itself, solve all the security issues, and that the matrices developed should be used in the implementation of this package. This is a further indication of the usefulness of the model and the methodology. The applicability of the Access Path and the Path Context Models in the evaluation of the predefined environment has therefore been established.
483

A model for the dynamic delegation of authorization rights in a secure workflow management system.

Venter, Karin 04 June 2008
Businesses are continually striving to become more efficient. In an effort to achieve optimal efficiency, many companies have been forced to re-evaluate the efficiency of their business processes. Consequently, the term “business process re-engineering” (BPR) has been given to the activity of restructuring organizational policies and methods for conducting business. The refinement of business processes is the primary motivation behind the development of automated workflow systems that ensure the secure and efficient flow of information between activities and participants that constitute the business process. A workflow is an automated business process that comprises a number of related tasks. When these tasks are executed in a systematic way, they contribute to the fulfilment of some goal. The order in which workflow tasks execute is of great significance because these tasks are typically dependent on each other. A workflow management system (WFMS) is responsible for scheduling the systematic execution of workflow tasks whilst considering the dependencies that exist between them. Businesses are realizing the necessity of information management in the functioning and general management of a company. They are recognizing the important role that information security has to play in ensuring that accurate information that is relevant is gathered, applied and maintained to enhance the company’s service to its customers. In a workflow context, information security primarily involves the implementation of access control security mechanisms. These mechanisms help ensure that task dependencies are coordinated and that tasks are performed by authorized subjects only. In doing so, they also assist in the maintenance of object integrity. The Workflow Authorization Model (WAM) was developed by Atluri and Huang [AH96b, HA99] with the specific intention of addressing the security requirements of workflow environments.
It primarily addresses the granting and revoking of authorizations in a WFMS. The WAM satisfies most criteria that are required of an optimal access control model. These criteria are the enforcement of separation of duties, the handling of temporal constraints, a role-based application and the synchronization of workflow with authorization flow. Some of these conditions cannot be met through pure role-based access control (RBAC) mechanisms. This dissertation addresses the delegation of task authorizations within a workflow process by subject roles in the organizational structure. In doing this, a role may have the authority to delegate responsibility for task execution to another individual in a role set. This individual may potentially belong to a role other than the role explicitly authorized to perform the task in question. The proposed model will work within the constraints that are enforced by the WAM. Therefore, the WAM will play a part in determining whether delegation may be approved. This implies that the delegation model may not override any dynamically defined security constraints. The Delegation Authorization Model (DAM) proposed assists in distributing workloads amongst subject roles within an organization, by allowing subjects to delegate task responsibilities to other subjects according to restrictions imposed by security policies. As yet, this area of research has not received much attention. / Prof. M.S. Olivier
484

Information security risk management: a holistic framework.

Bornman, Werner George 22 April 2008
Information security risk management is a business principle that is becoming more important for organisations due to external factors such as governmental regulations. Since due diligence regarding information security risk management (ISRM) is necessitated by law, organisations have to ensure that risk information is adequately communicated to the appropriate parties. Organisations can have numerous managerial levels, each of which has specific functions related to ISRM. The approaches of each level differ and this makes a cohesive ISRM approach throughout the organisation a daunting task. This task is compounded by strategic and tactical level management having specific requirements imposed on them regarding risk management. Tactical level management has to meet these requirements by instituting processes that can deliver on what is required. Processes in turn should be executed by operational level management. However, the available approaches of each managerial level make it impossible to communicate and consolidate information from the lower organisational levels to top level management due to the differing terminology, concepts and scope of each approach. This dissertation addresses the ISRM communication challenge through a systematic and structured solution. ISRM and related concepts are defined to provide a solid foundation for ISRM communication. The need for and institutions that impose risk management requirements are evaluated. These requirements are used to guide the solution for ISRM communication. At strategic level, governmental requirements from various countries are evaluated. These requirements are used as the goals of the communication processes. Different approaches at tactical and operational level are evaluated to determine if they can meet the strategic level requirements. It was found that the requirements are not met by most of the evaluated approaches. The Bornman Framework for ISRM Methodology Evaluation (BFME) is presented. 
It allows organisations to evaluate ISRM methodologies at operational level against the requirements of strategic management. This framework caters for the ability of ISRM methodologies to be adapted to organisational requirements. Developed scales allow for a qualitative comparison between different methodologies. The BFME forms the basis of the Bornman Framework for ISRM Information Communication (BFIC). This communication framework communicates the status of each ISRM component. This framework can be applied to any ISRM methodology after it has been evaluated by the BFME. The Bornman Risk Console (BRC) provides a practical implementation of the BFIC. The prototype utilises an existing ISRM methodology’s approach and provides decision-enabling risk information to top level management. By implementing the BRC and following the processes of the BFME and BFIC the differences in the approaches at each managerial level in different organisational structures are negated. These frameworks and prototype provide a holistic communication framework that can be implemented in any organisation. / Prof. L. Labuschagne
485

Socio-organisational influences on information security during ERP implementation

Ngozwana, Khanyisa Nonesi 09 December 2013
M.Tech. (Information Technology) / This study conceptualises the effects of socio-organisational factors during Enterprise Resource Planning (ERP) implementations and the impact these have towards ERP system security. Social Exchange Theory (SET) is applied in the study. SET is premised on the notion that there is a reward exchange between actors, the main purpose being to maximise benefits and minimise costs to the different actors involved in the ERP implementation. The study looks at SET's three independent socio-constructive factors: exchange relations, dependency and power in relation to ERP system security. Pertinent discourse dwells on power and exchange relations that occur during an ERP implementation and how these relations influence information security. Potential benefits and risks towards information security are examined across these relations. The research is quantitative in nature and a survey was directed to people involved in ERP implementations. The study contributes to the discipline by developing a framework for conceptualising the relationship between power, dependency and exchange relations applicable during an ERP implementation. The main goal would be for such a model to be useful for ERP system security. The main findings from this study are that some of the socio-organisational factors like Expert Power, Referent Power, Coercive Power and Exchange Relations influence the implementation of Information Security during ERP implementations. Socio-organisational factors like Reward Power, Positional Power and Dependency were found to have no influence or minimal influence on the implementation of Information Security during ERP implementations.
486

A framework for ethical information security.

Trompeter, Colette 06 May 2008
Organisations are under constant pressure to comply with information security requirements. However, this seldom happens. Information security is like a patchwork quilt - the protection it provides is only as good as its weakest stitch. The electronic business revolution has compounded this situation, as millions of dollars are being tossed about, and rules and regulations have yet to be written. Another problem is that information has to be protected over a geographically dispersed network. It stands to reason then that instances of unethical, even criminal, behaviour are growing exponentially. The principal aim of this research was to consider information security from an ethical perspective. Information security has been a well researched topic for several years. Therefore an investigation was carried out as to whether information security conforms to what individuals and organisations deem as being morally and behaviourally correct. An investigation was carried out into the age-old philosophy of ethically correct behaviour. This was then applied to information security and three ethical information security controls were identified that could provide protection in this e-business environment. A framework was developed to illustrate how a “pillar of strength” can be established in organisations to create an awareness of ethically correct behaviour in securing information. This framework was applied to recently accepted information security standards to test their applicability to the creation of ethical awareness. The research concludes by determining the ability of organisations to adhere to ethically correct behavioural patterns in information security. / Prof. J.H.P. Eloff
487

Template protecting algorithms for face recognition system

Feng, Yicheng 01 January 2007
No description available.
488

Pseudo-random access compressed archive for security log data

Radley, Johannes Jurgens January 2015
We are surrounded by an increasing number of devices and applications that produce a huge quantity of machine generated data. Almost all the machine data contains some element of security information that can be used to discover, monitor and investigate security events. The work proposes a pseudo-random access compressed storage method for log data to be used with an information retrieval system that in turn provides the ability to search and correlate log data and the corresponding events. We explain the method for converting log files into distinct events and storing the events in a compressed file. This yields an entry identifier for each log entry that provides a pointer that can be used by indexing methods. The research also evaluates the compression performance penalties encountered by using this storage system, including decreased compression ratio, as well as increased compression and decompression times.
489

Governing information security within the context of "bring your own device" in small, medium and micro enterprises

Fani, Noluvuyo January 2017
Throughout history, information has been core to the communication, processing and storage of most tasks in the organisation, in this case in Small-Medium and Micro Enterprises (SMMEs). The implementation of these tasks relies on Information and Communication Technology (ICT). ICT is constantly evolving, and with each developed ICT, it becomes important that organisations adapt to the changing environment. Organisations need to adapt to the changing environment by incorporating innovative ICT that allows employees to perform their tasks with ease anywhere and anytime, whilst reducing the costs affiliated with the ICT. In this modern, performing tasks with ease anywhere and anytime requires that the employee is mobile whilst using the ICT. As a result, a relatively new phenomenon called “Bring Your Own Device” (BYOD) is currently infiltrating most organisations, where personally-owned mobile devices are used to access organisational information that will be used to conduct the various tasks of the organisation. The use of BYOD in organisations breeds the previously mentioned benefits such as performing organisational tasks anywhere and anytime. However, with the benefits highlighted for BYOD, organisations should be aware that there are risks to the implementation of BYOD. Therefore, the implementation of BYOD deems that organisations should implement BYOD with proper management thereof.
490

Implementing the CoSaWoE models in a commercial workflow product

Erwee, Carmen January 2005
Workflow systems have gained popularity not only as a research topic, but also as a key component of Enterprise Resource Planning packages and e-business. Comprehensive workflow products that automate intra- as well as inter-organizational information flow are now available for commercial use. Standardization efforts have centered mostly around the interoperability of these systems, however a standard access control model has yet to be adopted. The research community has developed several models for access control to be included as part of workflow functionality. Commercial systems, however, are still implementing access control functionality in a proprietary manner. This dissertation investigates whether a comprehensive model for gaining context-sensitive access control, namely CoSAWoE, can be purposefully implemented in a commercial workflow product. Using methods such as an exploratory prototype, various aspects of the model were implemented to gain an understanding of the difficulties developers face when attempting to map the model to existing proprietary software. Oracle Workflow was chosen as an example of a commercial workflow product. An investigation of the features of this product, together with the prototype, revealed the ability to affect access control in a similar manner to the model: by specifying access control constraints during administration and design, and then enforcing those constraints dynamically during run-time. However, only certain components within these two aspects of the model directly effected the commercial workflow product. It was argued that the first two requirements of context-sensitive access control, order of events and strict least privilege, addressed by the object design, role engineering and session control components of the model, can be simulated if such capabilities are not pertinently available as part of the product. As such, guidelines were provided for how this can be achieved in Oracle Workflow.
However, most of the implementation effort focussed on the last requirement of context-sensitive access control, namely separation of duties. The CoSAWoE model proposes SoD administration steps that include expressing various business rules through a set of conflicting entities which are maintained outside the scope of the workflow system. This component was implemented easily enough through tables which were created with a relational database. Evaluating these conflicts during run-time to control worklist generation proved more difficult. First, a thorough understanding of the way in which workflow history is maintained was necessary. A re-usable function was developed to prune user lists according to user involvement in previous tasks in the workflow and the conflicts specified for those users and tasks. However, due to the lack of a central access control service, this re-usable function must be included in the appropriate places in the workflow process model. Furthermore, the dissertation utilized a practical example to develop a prototype. This prototype served a dual purpose: firstly, to aid the author's understanding of the features and principles involved, and secondly, to illustrate and explore the implementation of the model as described in the previous paragraphs. In conclusion the dissertation summarized the CoSAWoE model's components which were found to be product agnostic, directly or indirectly implementable, or not implemented in the chosen workflow product. The lessons learnt and issues surrounding the implementation effort were also discussed before further research in terms of XML documents as data containers for the workflow process was suggested.
