Spelling suggestions: "subject:"computersystems security"" "subject:"computersysteme security""
1 |
A security model for a virtualized information environmentTolnai, Annette 15 August 2012 (has links)
D.Phil. / Virtualization is a new infrastructure platform whose trend is sweeping through IT like a blaze. Improving the IT industry by higher utilization from hardware, better responsiveness to changing business conditions and lower cost operations is a must have in the new generation of virtualization solutions. Virtualization is not just one more entry in the long line of “revolutionary” products that have hit the technology marketplace. Many parts of the technology ecosystem will be affected as the paradigm shifts from the old one-to-one correspondence between software and hardware to the new approach of software operating on any hardware that happens to be most suitable to use at the time. This brings along with it security concerns, which need to be addressed. Security evolving in and around the virtualized system will become more pertinent the more virtualization is employed into everyday IT technology and use. In this thesis, a security model for virtualization will be developed and presented. This model will cover the different facets needed to address virtualization security.
|
2 |
EPA-RIMM-V: Efficient Rootkit Detection for Virtualized EnvironmentsVibhute, Tejaswini Ajay 12 July 2018 (has links)
The use of virtualized environments continues to grow for efficient utilization of the available compute resources. Hypervisors virtualize the underlying hardware resources and allow multiple Operating Systems to run simultaneously on the same infrastructure. Since the hypervisor is installed at a higher privilege level than the Operating Systems in the software stack it is vulnerable to rootkits that can modify the environment to gain control, crash the system and even steal sensitive information. Thus, runtime integrity measurement of the hypervisor is essential. The currently proposed solutions achieve the goal by relying either partially or entirely on the features of the hypervisor itself, causing them to lack stealth and leaving themselves vulnerable to attack.
We have developed a performance sensitive methodology for identifying rootkits in hypervisors from System Management Mode (SMM) while using the features of SMI Transfer Monitor (STM). STM is a recent technology from Intel and it is a virtual machine manager at the firmware level. Our solution extends a research prototype called EPA-RIMM, developed by Delgado and Karavanic at Portland State University. Our solution extends the state of the art in that it stealthily performs measurements of hypervisor memory and critical data structures using firmware features, keeps performance perturbation to acceptable levels and leverages the security features provided by the STM. We describe our approach and include experimental results using a prototype we have developed for Xen hypervisor on Minnowboard Turbot, an open hardware platform.
|
3 |
Securing the 'Internet of Things' : decentralised security for wireless networks of embedded systemsKing-Lacroix, Justin January 2016 (has links)
The phrase 'Internet of Things' refers to the pervasive instrumentation of physical objects with sensors and actuators, and the connection of those sensors and actuators to the Internet. These sensors and actuators are generally based on similar hardware as, and have similar capabilities to, wireless sensor network nodes. However, they operate in a completely different network environment: wireless sensor network nodes all generally belong to a single entity, whereas Internet of Things endpoints can belong to different, even competing, ones. This difference has profound implications for the design of security mechanisms in these environments. Wireless sensor network security is generally focused on defence against attack by external parties. On the Internet of Things, such an insider/outsider distinction is impossible; every entity is both an endpoint for legitimate communications, and a possible source of attack. We argue that that under such conditions, the centralised models that underpin current networking standards and protocols for embedded systems are simply not appropriate, because they require such an insider/outsider distinction. This thesis serves as an exposition in the design of decentralised security mechanisms, applied both to applications, which must perform access control, and networks, which must guarantee communications security. It contains three main contributions. The first is a threat model for Internet of Things networks. The second is BottleCap, a capability-based access control module, and an exemplar of decentralised security architecture at the application layer. The third is StarfishNet, a network-layer protocol for Internet of Things wireless networks, and a similar exemplar of decentralised security architecture at the network layer. Both are evaluated with microbenchmarks on prototype implementations; StarfishNet's association protocol is additionally validated using formal verification in the protocol verification tool Tamarin.
|
4 |
Object detection in low resolution video sequencesUnknown Date (has links)
With augmenting security concerns and decreasing costs of surveillance and computing equipment, research on automated systems for object detection has been increasing, but the majority of the studies focus their attention on sequences where high resolution objects are present. The main objective of this work is the detection and extraction of information of low resolution objects (e.g. objects that are so far away from the camera that they occupy only tens of pixels) in order to provide a base for higher level information operations such as classification and behavioral analysis. The system proposed is composed of four stages (preprocessing, background modeling, information extraction, and post processing) and uses context based region of importance selection, histogram equalization, background subtraction and morphological filtering techniques. The result is a system capable of detecting and tracking low resolution objects in a controlled background scene which can be a base for systems with higher complexity. / by Diego F. Pava. / Thesis (M.S.C.S.)--Florida Atlantic University, 2009. / Includes bibliography. / Electronic reproduction. Boca Raton, Fla., 2009. Mode of access: World Wide Web.
|
5 |
Event detection in surveillance videoUnknown Date (has links)
Digital video is being used widely in a variety of applications such as entertainment, surveillance and security. Large amount of video in surveillance and security requires systems capable to processing video to automatically detect and recognize events to alleviate the load on humans and enable preventive actions when events are detected. The main objective of this work is the analysis of computer vision techniques and algorithms used to perform automatic detection of events in video sequences. This thesis presents a surveillance system based on optical flow and background subtraction concepts to detect events based on a motion analysis, using an event probability zone definition. Advantages, limitations, capabilities and possible solution alternatives are also discussed. The result is a system capable of detecting events of objects moving in opposing direction to a predefined condition or running in the scene, with precision greater than 50% and recall greater than 80%. / by Ricardo Augusto Castellanos Jimenez. / Thesis (M.S.C.S.)--Florida Atlantic University, 2010. / Includes bibliography. / Electronic reproduction. Boca Raton, Fla., 2010. Mode of access: World Wide Web.
|
6 |
Cyber-Physical Analysis and Hardening of Robotic Aerial Vehicle ControllersTaegyu Kim (10716420) 06 May 2021 (has links)
Robotic aerial vehicles (RAVs) have been increasingly deployed in various areas (e.g.,
commercial, military, scientific, and entertainment). However, RAVs’ security and safety
issues could not only arise from either of the “cyber” domain (e.g., control software) and
“physical” domain (e.g., vehicle control model) but also stem in their interplay. Unfortunately, existing work had focused mainly on either the “cyber-centric” or “control-centric”
approaches. However, such a single-domain focus could overlook the security threats caused
by the interplay between the cyber and physical domains.
<br>In this thesis, we present cyber-physical analysis and hardening to secure RAV controllers.
Through a combination of program analysis and vehicle control modeling, we first developed
novel techniques to (1) connect both cyber and physical domains and then (2) analyze
individual domains and their interplay. Specifically, we describe how to detect bugs after
RAV accidents using provenance (Mayday), how to proactively find bugs using fuzzing
(RVFuzzer), and how to patch vulnerable firmware using binary patching (DisPatch). As
a result, we have found 91 new bugs in modern RAV control programs, and their developers
confirmed 32 cases and patch 11 cases.
|
7 |
Análise do uso de novas tecnologias na troca e armazenamento de informações de saúde e o segredo profissional / Analysis of the use of new technologies in the exchange and storage of health information and in relation to the professional secrecyJacob, Carlos Henrique 26 February 2010 (has links)
O caráter privativo das informações de saúde, reconhecido e valorizado desde a antigüidade clássica, hoje é considerado como um dos fatores indispensáveis à manutenção da sociedade, das garantias constitucionais de liberdade e também, em última instância, à própria democracia. Essa importância é demonstrada pela existência do segredo profissional, que, para as profissões da área da saúde (como medicina, odontologia, psicologia, nutrição etc.) de um modo positivo, coloca aos profissionais a necessidade de se guardar segredo a respeito de todas as informações sobre as quais adquire-se conhecimento no exercício de suas profissões. No Brasil, a questão da manutenção do segredo profissional das profissões de saúde adquire um caráter dramático quando se leva em consideração a implementação da Troca de Informações em Saúde Suplementar por parte da Agência Nacional de Saúde Suplementar, autarquia especial que regula o setor de saúde suplementar. Pretendendo facilitar a troca de informações entre prestadores de serviços e operadoras, e também permitir e homogeneizar a obtenção de informação para o estabelecimento de políticas públicas, a Troca de Informações em Saúde Suplementar já é realizada desde 2008, envolvendo todas as informações de saúde de mais de 52 milhões de beneficiários. A utilização de tecnologias de troca de informação e a criação de bancos de dados, associados a um histórico de vazamento de dados sensíveis, criam dúvidas sobre a manutenção do segredo profissional e o caráter privado das informações de saúde. Neste trabalho, foi analisada a legislação estruturante da Troca de Informações em Saúde Suplementar no que diz respeito aos requisitos de segurança para a troca e armazenamento de informação sensível com o intuito de verificar se essa legislação supre, de modo eficaz, a exigência de proteção à manutenção do caráter privativo das informações de saúde que existe nos Códigos de Ética Profissionais e no Código Civil Brasileiro. Apesar das exigências para a segurança das informações ser, hoje, adequada à manutenção do segredo profissional enquanto essas informações são trocadas ou encontram-se armazenadas nas operadoras de planos de saúde, a norma se fia nos requisitos estabelecidos por um órgão privado cujas prioridades, naturalmente, podem, no futuro, não estar vinculadas exclusivamente ao maior bem social. Ademais, não se observa na legislação uma atenção ou recomendações dedicadas ao profissional em consultório isolado e que armazena os dados de seus pacientes em computadores pessoais previamente ao envio via internet. Além disso, em consultas realizadas à ANS em agosto e setembro de 2009 a respeito dos dados transmitidos pelas operadoras à Agência para o cumprimento do disposto nos artigos 20 e 32 da lei 9656/98, não se obteve resposta a respeito de quais dados são repassados pelas operadoras à ANS, nem sobre quais os padrões de segurança a que estes dados estão submetidos, nem, tampouco, sobre quais os indivíduos que têm acesso a estes dados, indicando falta da necessária transparência que é essencial a uma autarquia regulatória de um setor de interesse social. Estes fatos indicam claramente que a manutenção do segredo profissional está em risco nas atuais condições. / Health information is valued and recognized as sensible and private since ancient times. It is also considered one of the most important factors in maintaining and supporting the fabric of society, the constitutional guarantee of liberty and also, democracy itself. Health professionals have the duty to keep all their patients information private. In Brazil, this acquires a dramatic character when one considers the recently implemented Information Exchange in Suplementary Health (TISS) by the Agência Nacional de Saúde Suplementar, governments regulating bureau for the suplementary health sector. Intending to facilitate the information exchange between service providers and health operators, and also to standardize the process of obtaining and providing information for policy makers, the Information Exchange has been in use since 2008 and involves identifiable health information of more than 52 million users. Technologies to allow health information exchange and the creation of data banks associated with sensible information data leaks raise doubts over the ability to keep health information safe from prying eyes. In this study, the structural legislation of the Information Exchange in Suplementary Health was analysed regarding the safety requirements proposed for the health information exchange and storage, to verify if it addresses the demand that exists in professional codes of ethics and also in Brazils Código Civil to protect the privacy of health information. Although - by todays standards - the requirements for information security are deemed adequate for the safekeeping and in addressing the need for privacy and security while the information is exchanged or stored by the health plans operators, theres no dedicated attention to recomendations for the professionals on their small practice offices, who hold their patients information on their personal computers. Also, the law establishes that a private agency is responsible for dictating the requirements that keep the information safe, a measure that is not entirely risk-safe as the interests of the private sector may shift with the market, leaving the social needs/interests behind. Besides these facts, when consulting the Agência Nacional de Saúde Suplementar in august and september 2009 regarding what kind of data is transmitted by the Health Plans operators and what kind of security measures are undertaken to protect this data, no answer was obtained, indicating a lack of transparency that is apalling in a regulatory bureau that serves the society. These facts clearly indicate that the maintenance of professional secrecy and patient privacy is threatened in current conditions. Keywords: computer systems security management, professional secrecy, information accountability, Agência Nacional de Saúde Suplementar (Brazil)
|
8 |
Análise do uso de novas tecnologias na troca e armazenamento de informações de saúde e o segredo profissional / Analysis of the use of new technologies in the exchange and storage of health information and in relation to the professional secrecyCarlos Henrique Jacob 26 February 2010 (has links)
O caráter privativo das informações de saúde, reconhecido e valorizado desde a antigüidade clássica, hoje é considerado como um dos fatores indispensáveis à manutenção da sociedade, das garantias constitucionais de liberdade e também, em última instância, à própria democracia. Essa importância é demonstrada pela existência do segredo profissional, que, para as profissões da área da saúde (como medicina, odontologia, psicologia, nutrição etc.) de um modo positivo, coloca aos profissionais a necessidade de se guardar segredo a respeito de todas as informações sobre as quais adquire-se conhecimento no exercício de suas profissões. No Brasil, a questão da manutenção do segredo profissional das profissões de saúde adquire um caráter dramático quando se leva em consideração a implementação da Troca de Informações em Saúde Suplementar por parte da Agência Nacional de Saúde Suplementar, autarquia especial que regula o setor de saúde suplementar. Pretendendo facilitar a troca de informações entre prestadores de serviços e operadoras, e também permitir e homogeneizar a obtenção de informação para o estabelecimento de políticas públicas, a Troca de Informações em Saúde Suplementar já é realizada desde 2008, envolvendo todas as informações de saúde de mais de 52 milhões de beneficiários. A utilização de tecnologias de troca de informação e a criação de bancos de dados, associados a um histórico de vazamento de dados sensíveis, criam dúvidas sobre a manutenção do segredo profissional e o caráter privado das informações de saúde. Neste trabalho, foi analisada a legislação estruturante da Troca de Informações em Saúde Suplementar no que diz respeito aos requisitos de segurança para a troca e armazenamento de informação sensível com o intuito de verificar se essa legislação supre, de modo eficaz, a exigência de proteção à manutenção do caráter privativo das informações de saúde que existe nos Códigos de Ética Profissionais e no Código Civil Brasileiro. Apesar das exigências para a segurança das informações ser, hoje, adequada à manutenção do segredo profissional enquanto essas informações são trocadas ou encontram-se armazenadas nas operadoras de planos de saúde, a norma se fia nos requisitos estabelecidos por um órgão privado cujas prioridades, naturalmente, podem, no futuro, não estar vinculadas exclusivamente ao maior bem social. Ademais, não se observa na legislação uma atenção ou recomendações dedicadas ao profissional em consultório isolado e que armazena os dados de seus pacientes em computadores pessoais previamente ao envio via internet. Além disso, em consultas realizadas à ANS em agosto e setembro de 2009 a respeito dos dados transmitidos pelas operadoras à Agência para o cumprimento do disposto nos artigos 20 e 32 da lei 9656/98, não se obteve resposta a respeito de quais dados são repassados pelas operadoras à ANS, nem sobre quais os padrões de segurança a que estes dados estão submetidos, nem, tampouco, sobre quais os indivíduos que têm acesso a estes dados, indicando falta da necessária transparência que é essencial a uma autarquia regulatória de um setor de interesse social. Estes fatos indicam claramente que a manutenção do segredo profissional está em risco nas atuais condições. / Health information is valued and recognized as sensible and private since ancient times. It is also considered one of the most important factors in maintaining and supporting the fabric of society, the constitutional guarantee of liberty and also, democracy itself. Health professionals have the duty to keep all their patients information private. In Brazil, this acquires a dramatic character when one considers the recently implemented Information Exchange in Suplementary Health (TISS) by the Agência Nacional de Saúde Suplementar, governments regulating bureau for the suplementary health sector. Intending to facilitate the information exchange between service providers and health operators, and also to standardize the process of obtaining and providing information for policy makers, the Information Exchange has been in use since 2008 and involves identifiable health information of more than 52 million users. Technologies to allow health information exchange and the creation of data banks associated with sensible information data leaks raise doubts over the ability to keep health information safe from prying eyes. In this study, the structural legislation of the Information Exchange in Suplementary Health was analysed regarding the safety requirements proposed for the health information exchange and storage, to verify if it addresses the demand that exists in professional codes of ethics and also in Brazils Código Civil to protect the privacy of health information. Although - by todays standards - the requirements for information security are deemed adequate for the safekeeping and in addressing the need for privacy and security while the information is exchanged or stored by the health plans operators, theres no dedicated attention to recomendations for the professionals on their small practice offices, who hold their patients information on their personal computers. Also, the law establishes that a private agency is responsible for dictating the requirements that keep the information safe, a measure that is not entirely risk-safe as the interests of the private sector may shift with the market, leaving the social needs/interests behind. Besides these facts, when consulting the Agência Nacional de Saúde Suplementar in august and september 2009 regarding what kind of data is transmitted by the Health Plans operators and what kind of security measures are undertaken to protect this data, no answer was obtained, indicating a lack of transparency that is apalling in a regulatory bureau that serves the society. These facts clearly indicate that the maintenance of professional secrecy and patient privacy is threatened in current conditions. Keywords: computer systems security management, professional secrecy, information accountability, Agência Nacional de Saúde Suplementar (Brazil)
|
9 |
In pursuit of a perfect system : Balancing usability and security in computer system developmentMatras, Omolara January 2015 (has links)
Our society is dependent on information and the different technologies and artifacts that gives us access to it. However, the technologies we have come to depend on in different aspects of our lives are imperfect and during the past decade, these imperfections have been the target of identity thieves, cyber criminals and malicious persons within and outside the organization. These malicious persons often target networks of organizations such as hospitals, banks and other financial organizations. Access to these networks are often gained by sidestepping security mechanisms of computer-systems connected to the organization’s network. Often, the goal of computer-systems security mechanisms is to prevent or detect threats; or recover from an eventual attack. However, despite huge investments in IT-security infrastructure and Information security, over 95% of banks, hospitals and government agencies have at least 10 malicious infections bypass existing security mechanisms and enter their network without being detected. This has resulted in the loss of valuable information and substantial sums of money from banks and other organizations across the globe. From early research in this area, it has been discovered that the reason why security mechanisms fail is because it is often used incorrectly or not used at all. Specifically, most users find the security mechanisms on their computers too complicated and they would rather not use it. Therefore, previous research have focused on making computer-systems security usable or simplifying security technology so that they are “less complicated” for all types users, instead of designing computers that are both usable and secure. The problem with this traditional approach is that security is treated as an “add-on” to a finished computer-system design. This study is an attempt to change the traditional approach by adjusting two phases of a computer-system design model to incorporate the collection of usability as well as security requirements. Guided by the exploratory case study research design, I gained new insights into a situation that has shocked security specialists and organizational actors alike. This study resulted in the creation of a methodology for designing usable and secure computer-systems. Although this method is in its rudimentary stage, it was tested using an online questionnaire. Data from the literature study was sorted using a synthesis matrix; and analyzed using qualitative content analysis. Some prominent design and security models and methodologies discussed in this report include User-Centered System Design (UCSD), Appropriate and Effective Guidance for Information Security (AEGIS) and Octave Allegro. / Vårt samhälle är beroende av information och olika tekniker och artefakter som ger oss tillgång till den. Men tekniken vi förlitar oss på i olika aspekter av våra liv är ofullkomliga och under det senaste decenniet, har dessa brister varit föremål för identitetstjuvar, cyberbrottslingar och illvilliga personer inom och utanför organisationen. Dessa illvilliga personer riktar ofta sig till nätverk av organisationer såsom sjukhus, banker och andra finansiella organisationer. Tillgång till dessa nätverk uppnås genom att kringgå säkerhetsmekanismer av datorsystem anslutna till organisationens nätverk. Målet med datorsystemsäkerhet är att förhindra eller upptäcka hot; eller återhämta sig från eventuella attacker. Trots stora investeringar i IT-säkerhet infrastruktur och informationssäkerhet, över 95 % av banker, sjukhus och myndigheter har minst 10 skadliga infektioner kringgå befintliga säkerhetsmekanismer och träda in i sitt nätverk utan att upptäckas. Detta har lett till förlust av värdefulla informationer och stora summor av pengar från banker och andra organisationer över hela världen. Från tidigare forskning inom detta område, har det visat sig att anledningen till att säkerhetsmekanismer misslyckas beror ofta på att den används på ett felaktigt sätt eller används inte alls. I synnerhet menar de flesta användare att säkerhetsmekanismer på sina datorer är alltför komplicerat. Därför har tidigare forskning fokuserat på att göra datorsystemsäkerhet användbar så att den är "mindre komplicerat" för alla typer av användare, i stället för att designa datorer som både är användbara och säkra. Problemet med detta traditionella synsätt är att säkerheten behandlas som ett "tillägg" till en färdig datorsystemdesign. Denna studie är ett försök att ändra det traditionella synsättet genom att justera två faser av en datorsystemdesign modell för att integrera insamlingen av användbarhets- samt säkerhetskrav. Styrd av den explorativ fallstudie forskningsdesignen, fick jag nya insikter i en situation som har gäckat säkerhetsspecialister och organisatoriska aktörer. Denna studie resulterade i skapande av en designmetodik för användbara och säkra datorsystem. Även om denna metod är ännu i sin rudimentära fas, testades den med hjälp av en webbenkät. Data från litteraturstudien sorterades med hjälp av en syntesmatris; och analyserades med kvalitativ innehållsanalys. Några framstående design- och säkerhetsmodeller samt metoder som diskuterades i denna uppsats inkludera Användarcentrerad System Design (UCSD), Ändamålsenligt och Effektivt Vägledning för Informationssäkerhet (AEGIS) och Octave Allegro.
|
10 |
An investigation of information security policies and practices in MauritiusSookdawoor, Oumeshsingh 30 November 2005 (has links)
With the advent of globalisation and ever changing technologies, the need for increased attention to information security is becoming more and more vital. Organisations are facing all sorts of risks and threats these days. It therefore becomes important for all business stakeholders to take the appropriate proactive measures in securing their assets for business survival and growth. Information is today regarded as one of the most valuable assets of an organisation. Without a proper information security framework, policies, procedures and practices, the existence of an organisation is threatened in this world of fierce competition.
Information security policies stand as one of the key enablers to safeguarding an organisation from risks and threats. However, writing a set of information security policies and procedures is not enough. If one really aims to have an effective security framework in place, there is a need to develop and implement information security policies that adhere to established standards such as BS 7799 and the like. Furthermore, one should ensure that all stakeholders comply with established standards, policies and best practices systematically to reap full benefits of security measures.
These challenges are not only being faced in the international arena but also in countries like Mauritius. International researches have shown that information security policy is still a problematic area when it comes to its implementation and compliance. Findings have shown that several major developed countries are still facing difficulties in this area.
There was a general perception that conditions in Mauritius were similar. With the local government's objective to turn Mauritius into a "cyber-island" that could act as an Information Communication & Technology (ICT) hub for the region, there was a need to ensure the adoption and application of best practices specially in areas of information security.
This dissertation therefore aims at conducting a research project in Mauritius and assessing whether large Mauritian private companies, that are heavily dependent on IT, have proper and reliable security policies in place which comply with international norms and standards such as British Standard Organisation (BSO) 7799/ ISO 17799/ ISO 27001. The study will help assess the state of, and risks associated with, present implementation of information security policies and practices in the local context. Similarities and differences between the local security practices and international ones have also been measured and compared to identify any specific characteristics in local information security practices.
The findings of the study will help to enlighten the security community, local management and stakeholders, on the realities facing corporations in the area of information security policies and practices in Mauritius. Appropriate recommendations have been formulated in light of the findings to improve the present state of information security issues while contributing to the development of the security community / Computing / M.Sc. (Information Systems)
|
Page generated in 0.0649 seconds