An Information Security Control Assessment Methodology for Organizations. Otero, Angel Rafael, 01 January 2014.
In an era where the use of and dependence on information systems are significantly high, the threat of information security incidents that could jeopardize the information held by organizations is increasingly serious. Alarming facts within the literature point to inadequacies in information security practices, particularly in the evaluation of information security controls in organizations. Research efforts have resulted in various methodologies developed to deal with the information security controls assessment problem. A closer look at these traditional methodologies highlights various weaknesses that can prevent an effective information security controls assessment in organizations. This dissertation develops a methodology that addresses such weaknesses when evaluating information security controls in organizations. The methodology, created using the Fuzzy Logic Toolbox of MATLAB and grounded in fuzzy theory and fuzzy logic, uses fuzzy set theory, which allows for a more accurate assessment of imprecise criteria than traditional methodologies. It is argued and evidenced that evaluating information security controls using fuzzy set theory addresses the weaknesses identified in the literature for traditional evaluation methodologies and thus leads to a more thorough and precise assessment. This, in turn, results in a more effective selection of information security controls and enhanced information security in organizations.
The main contribution of this research to the information security literature is the development of a fuzzy set theory-based assessment methodology that provides for a thorough evaluation of information security controls (ISC) in organizations. The methodology addresses the weaknesses or limitations identified in existing information security control assessment methodologies, resulting in enhanced information security in organizations.
The methodology can also be implemented in a spreadsheet or software tool, which promotes its use in practical scenarios where highly complex methodologies for ISC selection are impractical. Moreover, the methodology fuses multiple evaluation criteria to provide a holistic view of the overall quality of information security controls, and it is easily extended to include additional evaluation criteria not considered within this dissertation. This is one of the most meaningful contributions of this dissertation. Finally, the methodology provides a mechanism to evaluate the quality of information security controls in various domains. Overall, the methodology presented in this dissertation proved to be a feasible technique for evaluating information security controls in organizations.
Reducing the risk of e-mail phishing in the state of Qatar through an effective awareness framework. Al-Hamar, Mariam Khalid, January 2010.
In recent years, cybercrime has focused intensely on people in order to bypass existing sophisticated security controls; phishing is one of the most common forms of such attack. This research highlights the problem of e-mail phishing. A lot of previous research has demonstrated the danger of phishing and its considerable consequences. Since users' behaviour is unpredictable, there is no reliable technological protective solution (e.g. spam filters, anti-virus software) to diminish the risk arising from inappropriate user decisions. Therefore, this research attempts to reduce the risk of e-mail phishing through awareness and education. It underlines the problem of e-mail phishing in the State of Qatar, one of the world's fastest developing countries, and seeks to provide a solution to enhance people's awareness of e-mail phishing by developing an effective awareness and educational framework. The framework consists of valuable recommendations for the Qatar government, citizens and organisations responsible for ensuring information security, along with an educational agenda to train them how to identify and avoid phishing attempts. The educational agenda supports users in making better trust decisions to avoid phishing and could complement any technical solutions. It comprises a collection of training methods: conceptual, embedded, e-learning and learning programmes, which include a television show and a learning session with a variety of teaching components such as a game, quizzes, posters, cartoons and a presentation. The components were tested by trial in two Qatari schools and evaluated by experts and a representative sample of Qatari citizens. Furthermore, the research proves the existence and extent of the e-mail phishing problem in Qatar in comparison with the UK, where people were found to be less vulnerable and more aware. It was discovered that Qatar is an attractive place for phishers and that a lack of awareness and e-law made Qatar more vulnerable to phishing.
The research identifies the factors which make Qatari citizens susceptible to e-mail phishing attacks, such as cultural and country-specific factors, interests and beliefs, religious influence and personal characteristics, and this identified the need for enhancing Qataris' level of awareness of the phishing threat. Since literature on phishing in Qatar is sparse, empirical and non-empirical studies involved a variety of surveys, interviews and experiments. The research successfully achieved its aim and objectives and is now being considered by the Qatari Government.
A Study on Applying Fault Tree Analysis to Acquire Organizational Information Security Requirements / A Study of Applying Fault Tree Analysis to Acquire the Security Requirements of an Information System. 顏小娟 (Hsiao Chuan Yen), unknown date.
Research reports show that even when an organization has deployed security mechanisms, incidents that harm its information security cannot be completely prevented. This is because an organization's information security management is a process of continuous improvement; deploying protective measures does not mean one can rest easy. Beyond building protective mechanisms, it is also necessary to analyze whether the confidentiality, integrity and availability of information are really protected, whether the security mechanisms in use really solve the organization's information security problems, and whether the level of security provided is acceptable.
To address these problems, this study approaches the issue from a management perspective and applies fault tree analysis to the field of information security management, in the hope that this method can help managers learn the organization's information security requirements and then, through the continuous improvement process of information security management, remedy the organization's information security weaknesses and raise the reliability of organizational security.
Following the research framework, the BS7799 information security management standard is combined with fault tree analysis to convert the information security policy into an information security model, on which further qualitative and quantitative analysis is performed. This study uses the six steps of fault tree analysis to simulate the process by which an organization's information security requirements are obtained; the results of the analysis help the organization acquire its information security requirements and identify its information security weaknesses, serving as a reference and basis for improving organizational information security. / As research reports indicate, the degree of security of an information system does not depend only on the security mechanisms installed by the organization; it is a continuous and recursive process. Most current research is technique-oriented. To correct this bias, this research proposes a new approach from the management perspective.
BS7799 is used as the reference for the information security policy. FTA is used to build the information security model, acquire the requirements of an information system and verify its effectiveness. The result can improve the reliability of the information system and also reduce its vulnerability.
Perceptions Towards On-line Banking Security: An Empirical Investigation of a Developing Country's Banking Sector, how secure is On-line Banking. Bongani Ngwenya, Khanyisa Malufu, 01 December 2012.
Information systems concentrate data in computer files that have the potential to be accessed by large numbers of people in and outside of organisations. While security breaches and damage to information systems still come from organisational insiders, security breaches are increasing, especially in developing countries, because organisations are now open to outsiders through the internet. As a result, automated data are more susceptible to error, destruction, fraud and misuse. The banking sector in Zimbabwe has of late introduced on-line banking facilities, and these are heavily dependent on the use of the internet.
The increase in computer crime has led to scepticism about the move made by the banks to introduce on-line banking. Some view this as a noble move which has made the banking system more efficient, reliable and secure, while others view it as a risky and insecure way of banking. The aim of this study was to assess whether on-line banking in developing countries is secure or not. The researcher chose a descriptive-quantitative research design. Data was collected using a self-constructed questionnaire. Convenience sampling and stratified random sampling techniques were used to select the main subjects of the study. On average there was no significant difference between the perceptions of management bank personnel and non-management bank personnel on the security of on-line banking. The study recommends further studies on the security of on-line banking in developing countries based on the perceptions of the customers themselves who are using on-line banking services, on the Common Criteria for Information Technology Security, and on the latent dimensions of on-line banking security as extracted by factor analysis and how they differ from the elements of information security derived from the theoretical framework and literature.
Utilizing Market Knowledge to Create Competitive Advantage in the Interface of Inter- and Intra-Organizational Coopetition: Case Study: An SME in the Information Security Industry. Kuusinen, Sara; Jokipii, Kirsi, January 2013.
It has been widely acknowledged that today's business world is characterized by severe competition. To remain competitive, firms have to employ alternative strategies to keep up with fast-paced development. One such strategy is coopetition: firms collaborate in some areas to combine their resources while competing in other areas. Thus, instead of trying to master everything within a company's own walls, the emphasis is on gaining access to external resources and coordinating the wide array of expertise in the best possible way to achieve competitive advantage. In addition, growing requirements from the customer end force firms to combine their resources to be able to put together tailored solutions. This entails a notable customer input in product development, and a firm's ability to utilize market knowledge cannot be underestimated. However, before the feedback gained from the market can act as a source of competitive edge, it has to be further processed into a form in which it offers strategic value for the company. This research aims to study how market knowledge is utilized to create competitive advantage in the interface of inter- and intra-organizational coopetition. Even though competition is often considered to take place between firms, competitive elements can also be found within firms. For that reason, we include both inter- and intra-organizational coopetition in the research. In terms of the process involved in market knowledge utilization, three steps are identified: transfer, translation and transformation of knowledge. To perform the research, we selected as the case company a high technology company belonging to the SME category and operating in the information security business. Six semi-structured interviews were conducted on three different occasions. Due to the sensitive nature of the research topic, the case company remains anonymous and is referred to as Case Company in the research.
By ensuring respondents' anonymity, the responses gained are more likely to be honest and thus more reliable and comprehensive. The empirical findings revealed differences in market knowledge utilization between inter- and intra-organizational coopetition. While coopetition taking place between firms was characterized by a dominant competitive element and protection of one's own assets, only preliminary stages of market knowledge utilization were found to be present. This entailed that knowledge transformation was absent in the inter-organizational context. On the other hand, at the intra-organizational level a collective approach to knowledge coordination was employed and attention had been paid to establishing sufficient structural conditions to support the knowledge utilization process. Thus, the process within the company was more efficient, and it completed the knowledge utilization process at the inter-organizational level, as knowledge transformation took place only within Case Company. While coopetition is a rather new field of study, we believe that the research performed provided information on inter- and intra-organizational coopetition in an SME in the high technology industry and gave insights into the knowledge exchange both within and across companies. In the end, we have built a model including the most important findings of the study. The figure shows the market knowledge utilization processes visualized in both inter- and intra-organizational contexts.
Information security strategy in telemedicine and e-health systems: a case study of England's shared electronic health record system. Mohammad, Yara Mahmoud, January 2010.
Shared electronic health record (EHR) systems constitute an important Telemedicine and e-Health application. Successful implementation of shared health records calls for a satisfactory level of security. This is invariably achieved through applying and enforcing strict, and often quite complicated, rules and procedures in the access process. For this reason, an information security strategy for EHR systems needs to be in place. This research reviewed the definition of different terms related to electronically stored and shared health records and delineated related information security terms, leading to a definition of an information security strategy. This research also made a contribution to understanding information security strategy as a significant need in EHR systems. A major case study of the National Programme for IT (NPfIT) in England serves as the container for two sub-case studies in two different Acute Trusts. Different research methods were used: participant observation and networking, semi-structured interviews, and documentary analysis. This research aimed to provide a comprehensive understanding of the information security strategy of England's EHR system by presenting its different information security issues such as consent mechanisms, access control, sharing level, and related legal and regulatory documents. Six factors that influence the building of an information security strategy in EHR systems were identified in this research: political, social, financial, technical, clinical and legal. Those factors are considered to drive the strategy directly or indirectly. EHR systems are technical-clinical systems, but having other factors (than technical and clinical) that drive this technical-clinical system is a big concern.
This research makes a significant contribution by identifying these factors, and in addition, this research shows not only how these factors can influence building the information security strategy, but also how they can influence each other. The study of the mutual influence among the six factors led to the argument that the most powerful factor is the political factor, as it directly or indirectly influences the remaining five factors. Finally, this research proposes guidelines for building an information security strategy in EHR systems. These guidelines are presented and discussed in the form of a framework. This framework was designed after literature analysis and after completing the whole research journey. It provides a tool to help keep the strategy on course by minimising the influence of the various factors that may steer the strategy in undesirable directions.
An insider misuse threat detection and prediction language. Magklaras, Georgios Vasilios, January 2012.
Numerous studies indicate that amongst the various types of security threats, the problem of insider misuse of IT systems can have serious consequences for the health of computing infrastructures. Although incidents of external origin are also dangerous, the insider IT misuse problem is difficult to address for a number of reasons. A fundamental reason that makes mitigation of the problem difficult relates to the level of trust legitimate users possess inside the organization. The trust factor makes it difficult to detect threats originating from the actions and credentials of individual users. An equally important difficulty in the process of mitigating insider IT threats is the variability of the problem. The nature of insider IT misuse varies amongst organizations. Hence, the problem of expressing what constitutes a threat, as well as the process of detecting and predicting it, are non-trivial tasks that add up to the multi-factorial nature of insider IT misuse. This thesis is concerned with the process of systematizing the specification of insider threats, focusing on their system-level detection and prediction. The design of suitable user audit mechanisms and semantics forms a Domain Specific Language to detect and predict insider misuse incidents. As a result, the thesis proposes in detail ways to construct standardized descriptions (signatures) of insider threat incidents, as a means of aiding researchers and IT system experts in mitigating the problem of insider IT misuse. The produced audit engine (LUARM – Logging User Actions in Relational Mode) and the Insider Threat Prediction and Specification Language (ITPSL) are two utilities that can be added to the IT insider misuse mitigation arsenal. LUARM is a novel audit engine designed specifically to address the needs of monitoring insider actions. These needs cannot be met by traditional open source audit utilities.
ITPSL is an XML-based markup that can standardize the description of incidents and threats and thus make use of the LUARM audit data. Its novelty lies in the fact that it can be used to detect as well as predict instances of threats, a task that has not been achieved to date by a domain specific language addressing threats. The research project evaluated the produced language using a cyber-misuse experiment approach derived from real world misuse incident data. The results of the experiment showed that ITPSL and its associated audit engine LUARM provide a good foundation for insider threat specification and prediction. Some language deficiencies relate to the fact that the insider threat specification process requires a good knowledge of the software applications used in a computer system. As the language is easily expandable, future developments to improve the language in this direction are suggested.
Malware Analysis and Privacy Policy Enforcement Techniques for Android Applications. Ali-Gombe, Aisha Ibrahim, 19 May 2017.
The rapid increase in mobile malware and the deployment of over-privileged applications over the years has been of great concern to the security community. Encroaching on users' privacy, mobile applications (apps) increasingly exploit various sensitive data on mobile devices. The information gathered by these applications is sufficient to uniquely and accurately profile users and can cause tremendous personal and financial damage.
On Android specifically, the security and privacy holes in the operating system and framework code have created a whole new dynamic for malware and privacy exploitation. This research work seeks to develop novel analysis techniques that monitor Android applications for possible unwanted behaviors and then suggest various ways to deal with the privacy leaks associated with them.
Current state-of-the-art static malware analysis techniques on Android focus mainly on detecting known variants without factoring in any kind of software obfuscation. Dynamic analysis systems, on the other hand, are heavily dependent on extending the Android OS and/or the runtime virtual machine. These methodologies often tie the system to a single Android version and/or kernel, making it very difficult to port to a new device. On the privacy side, accesses to the database system's objects are not controlled by any security check beyond overly-broad read/write permissions. This flawed model exposes the database contents to abuse by privacy-agnostic apps and malware. This research addresses the problems above in three ways.
First, we developed a novel static analysis technique that fingerprints known malware based on three-level similarity matching. It scores similarity as a function of normalized opcode sequences found in sensitive functional modules and application permission requests. Our system has an improved detection ratio over current research tools and top COTS anti-virus products while maintaining a high level of resiliency to both simple and complex obfuscation.
Next, we augment the signature-related weaknesses of our static classifier with a hybrid analysis system which incorporates bytecode instrumentation and dynamic runtime monitoring to examine unknown malware samples. Using the concept of Aspect-oriented programming, this technique involves recompiling security checking code into an unknown binary for data flow analysis, resource abuse tracing, and analytics of other suspicious behaviors. Our system logs all the intercepted activities dynamically at runtime without the need for building custom kernels.
Finally, we designed a user-level privacy policy enforcement system that gives users more control over their personal data saved in the SQLite database. Using bytecode weaving for query re-writing and enforcing access control, our system forces new policies at the schema, column, and entity levels of databases without rooting or voiding device warranty.
Towards Real-Time Volatile Memory Forensics: Frameworks, Methods, and Analysis. Sylve, Joseph T, 19 May 2017.
Memory forensics (or memory analysis) is a relatively new approach to digital forensics that deals exclusively with the acquisition and analysis of volatile system memory. Because each function performed by an operating system must utilize system memory, analysis of this memory can often lead to a treasure trove of useful information for forensic analysts and incident responders. Today's forensic investigators are often subject to large case backlogs, and incident responders must be able to quickly identify the source and cause of security breaches. In both these cases time is a critical factor. Unfortunately, today's memory analysis tools can take many minutes or even hours to perform even simple analysis tasks. This problem will only become more prevalent as RAM prices continue to drop and systems with very large amounts of RAM become more common. Due to the volatile nature of data resident in system RAM, it is also desirable for investigators to be able to access non-volatile copies of system RAM that may exist on a device's hard drive. Such copies are often created by operating systems when a system is being suspended and placed into a power-saving mode.
This dissertation presents work on improving the speed of memory analysis and the access to non-volatile copies of system RAM. Specifically, we propose a novel memory analysis framework that can provide access to valuable artifacts orders of magnitude faster than existing tools. We also propose two new analysis techniques that can provide faster and more resilient access to important forensic artifacts. Further, we present the first analysis of the hibernation file format used in modern versions of Windows. This work allows access to evidence in non-volatile copies of system RAM that previously could not be analyzed. Finally, we propose future enhancements to our memory analysis framework that should address limitations of the current design. Taken together, this dissertation represents substantial work towards advancing the field of memory forensics.
Development of Peer Instruction Material for a Cybersecurity Curriculum. Johnson, William, 19 May 2017.
Cybersecurity classes focus on building practical skills alongside the development of the open mindset that is essential to tackle the dynamic cybersecurity landscape. Unfortunately, traditional lecture-style teaching is insufficient for this task. Peer instruction is a non-traditional, active learning approach that has proven to be effective in computer science courses. The challenge in adopting peer instruction is the development of conceptual questions. This thesis presents a methodology for developing peer instruction questions for cybersecurity courses, consisting of four stages: concept identification, concept trigger, question presentation, and development. The thesis analyzes 279 questions developed over two years for three cybersecurity courses: introduction to computer security, network penetration testing, and introduction to computer forensics. Additionally, it discusses examples of peer instruction questions in terms of the methodology. Finally, it summarizes the usage of a workshop for testing a selection of peer instruction questions as well as gathering data outside of normal courses.