Microservices-based approach for Healthcare Cybersecurity

Unknown Date

Healthcare organizations, realizing the potential of the Internet of Things (IoT) technology, are rapidly adopting the technology to bring signi cant improvements in the quality and e ectiveness of the service. However, these smart and interconnected devices can act as a potential \back door" into a hospital's IT network, giving attack- ers access to sensitive information. As a result, cyber-attacks on medical IoT devices have been increasing since the last few years. It is a growing concern for all the stakeholders involved, as the impact of such attacks is not just monetary or privacy loss, but the lives of many patients are also at risk. Considering the various kinds of IoT devices one may nd connected to a hospital's network, traditional host-centric security solutions (e.g. antivirus, software patches) are at odds with realistic IoT infrastructure (e.g. constrained hardware, lack of proper built-in security measures). There is a need for security solutions which consider the challenges of IoT devices like heterogeneity of technology and protocols used, limited resources in terms of battery and computation power, etc. Accordingly, the goals of this thesis have been: (1) to provide an in-depth understanding of vulnerabilities of medical IoT devices; (2) to in- troduce a novel approach which uses a microservices-based framework as an adaptive and agile security solution to address the issue. The thesis focuses on OS Fingerprint- ing attacks because of its signi cance for attackers to understand a target's network. In this thesis, we developed three microservices, each one designed to serve a speci c functionality. Each of these microservices has a small footprint with RAM usage of approximately 50 MB. We also suggest how microservices can be used in a real-life scenario as a software-based security solution to secure a hospital's network consisting of di erent IoT devices. / Includes bibliography. / Thesis (M.S.)--Florida Atlantic University, 2018. / FAU Electronic Theses and Dissertations Collection

Cybersecurity

Healthcare

Internet of things--Security measures

Signature schemes in single and multi-user settings

Unknown Date

In the first chapters we will give a short introduction to signature schemes in single and multi-user settings. We give the definition of a signature scheme and explain a group of possible attacks on them. In Chapter 6 we give a construction which derives a subliminal-free RSA public key. In the construction we use a computationally binding and unconditionally hiding commitment scheme. To establish a subliminal-free RSA modulus n, we have to construct the secret primes p and q. To prove p and q are primes we use Lehmann's primality test on the commitments. The chapter is based on the paper, "RSA signature schemes with subliminal-free public key" (Tatra Mountains Mathematical Publications 41 (2008)). In chapter 7 a one-time signature scheme using run-length encoding is presented, which in the random oracle model offers security against chosen-message attacks. For parameters of interest, the proposed scheme enables about 33% faster verification with a comparable signature size than a construction of Merkle and Winternitz. The public key size remains unchanged (1 hash value). The main cost for the faster verification is an increase in the time required for signing messages and for key generation. The chapter is based on the paper "A one-time signature using run-length encoding" (Information Processing Letters Vol. 108, Issue 4, (2008)). / by Viktoria Villanyi. / Thesis (Ph.D.)--Florida Atlantic University, 2009. / Includes bibliography. / Electronic reproduction. Boca Raton, Fla., 2009. Mode of access: World Wide Web.

Cryptography

Coding theory

Data encryption (Computer science)

DIgital watermarking

A terahertz holography imaging system for concealed weapon detection application

Zhou, Min

January 2018

Many research groups have conducted the investigation into terahertz technology for various applications over the last decade. THz imaging for security screening has been one of the most important applications because of its superior performance of high resolution and not health hazardous. Due to increasing security requirements, it is desirable to devise a high-speed imaging system with high image quality for concealed weapon detection. Therefore, this thesis presents my research into a low-cost and fast THz imaging system for security application. This research has made a number of contributes to THz imaging, such as proposing the beam scanning imaging approach to reduce the scanning time; developing the simulation method of the scanned imaging system; investigating new reconstruction algorithms; studying the optimal spatial sampling criterion; and verifying the beam scanning scheme in experiment. Firstly, the beam scanning scheme is proposed and evaluated in both simulation and experiment, compared to the widely applied raster scanning scheme. A better mechanic rotation structure is developed to reduce the scanning time consumed and realise a more compact system. Then, a rotary Dragonian multi-reflector antenna subsystem, comprising two rotated reflectors is designed to form a similar synthetic aperture being realised in the raster scanned scheme. Thirdly, the simulation of the THz scanning imaging system is achieved by employing Physical Optics algorithm. The transposed convolution and partial inverse convolution reconstruction algorithms are investigated to speed up the image re-construction. Finally, two THz imaging systems based on the raster and beam scanning schemes are assessed and compared in the experiments. The back-propagation, transposed convolution and partial inverse convolution algorithms are applied in these experiments to reconstruct the images. The proposed beam scanning scheme can be further explored together with antenna arrays to provide a compact, fast and low-cost THz imaging system in the future.

The institutionalisation of an information security culture in a petroleum organisation in the Western Cape

Michiel, Michael

January 2018

Thesis (MTech (Information Technology))--Cape Peninsula University of Technology, 2018. / In today’s world, organisations cannot exist without having information readily available. The protection of information relies not only on technology but also on the behaviour of employees. The failure to institutionalise an information security culture inside an organisation will cause the continued occurrence of security breaches. The aim of the research is to explore how an information security culture can be institutionalised within a petroleum organisation in the Western Cape. The primary research question is posed as follows: “What are the factors affecting the institutionalisation of an information security culture?” To answer the research question, a study was conducted at a petroleum organisation in the Western Cape. A subjectivist ontological and interpretivist epistemological stance has been adopted and an inductive research approach was followed. The research strategy was a case study. Data for this study were gathered through interviews (12 in total) using semi-structured questionnaires. The data collected were transcribed, summarised, and categorised to provide a clear understanding of the data. For this study, twenty-four findings and seven themes were identified. The themes are: i) user awareness training and education; ii) user management; iii) compliance and monitoring; iv) change management; v) process simplification; vi) communication strategy; and vii) top management support. Guidelines are proposed, comprising four primary components. Ethical clearance to conduct the study was obtained from the Ethics committee of CPUT and permission to conduct the study was obtained from the Chief Information Officer (CIO) of the petroleum organisation. The findings point to collaboration between employees, the Information Security department, and management in order to institute a culture of security inside the organisation.

Corporations -- Security measures

Computer security

Corporate culture

Security systems

Information security risk management in the South African small, medium and micro enterprise environment

Van Niekerk, Liesel

07 July 2008

The small, medium and micro enterprise (SMME) environment of South Africa contributes 42% to the national gross domestic product. This is a high number for a largely under-regulated environment. The corporate governance and IT governance standards that apply to South African companies are not feasible for SMMEs, and neither are they enforced, although 80% of failures of SMMEs are attributable to lack of enterprise management skill. The first objective of this dissertation is to examine the South African SMME, and in so doing determine whether local regulatory standards can be used for this unique enterprise formation. The second objective of this dissertation is to determine whether international methodologies for information security risk management, as an inclusive of IT governance, may be used in the unique local SMME formation. The result of these two objectives creates a gap in a typical information security risk management methodology that is suitable for the South African regulatory and economic environment for SMMEs. A model has been created as a possible answer for filling the gap. The dissertation includes the Peculium Model, which answers the regulatory and economic requirements that resulted from the second objective. The Model allows the small enterprise a simple but effective method for managing risks to its information assets, with the control of corporate governance and IT governance included in its framework. The Model answers the methods for identifying and assessing risk in a tradition-based but feasible new qualitative technique. / Labuschagne, L., Prof.

Small business

Risk management

Computer security management

Information technology security measures

Information security in health-care systems: a new approach to IT risk management

Smith, Elmé

16 August 2012

Ph.D. / The present study originated from a realisation about the unique nature of the medical domain and about the limitations of existing risk-management methodologies with respect to incorporating the special demands and salient features of the said domain. A further incentive for the study was the long-felt need for proper Information Technology (IT) risk management for medical domains, especially in the light of the fact that IT is playing an ever-greater part in the rendering of health-care services. This part, however, introduces new information-security challenges every day, especially as far as securing sensitive medical information and ensuring patients' privacy are concerned. The study is, therefore, principally aimed at making a contribution to improving IT risk management in the medical domain and, for this reason, culminates in an IT risk-management model specifically developed for and propounded in the medical domain. While developing this model, special care was taken not only to take into consideration the special demands of the said domain when assessing IT risks but also that it would be suited to the concepts, terminology and standards used in and applied to this domain every day. The most important objectives of the study can be summarised as follows: A thorough investigation into modern trends in information security in the medical domain will soon uncover the key role IT is playing in this domain. Regrettably, however, this very trend also triggers a steep increase in IT riskincidence figures, which, in this domain, could often constitute the difference between life and death. The clamant need for effective risk-management methods to enhance the information security of medical institutions is, therefore, self-evident. After having explored the dynamic nature of the medical domain, the requirements were identified for a risk-management model aimed at effectively vi managing the IT risks to be incurred in a typical medical institution. Next, a critical evaluation of current risk-assessment techniques revealed that a fresh approach to IT risk management in medical domains is urgently necessary. An IT risk-management model, entitled "RiMaHCoF" (that is, "Risk Management in Health Care — using Cognitive Fuzzy techniques"), was developed and propounded specifically for the medical domain hereafter. The proposed model enhances IT risk management in the said domain in the sense that it proceeds on the assumption that the patient and his/her medical information constitute the primary assets of the medical institution.

Information resources management

Computer security

Health facilities management

An investigation of ISO/IEC 27001 adoption in South Africa

Coetzer, Christo

January 2015

The research objective of this study is to investigate the low adoption of the ISO/IEC 27001 standard in South African organisations. This study does not differentiate between the ISO/IEC 27001:2005 and ISO/IEC 27001:2013 versions, as the focus is on adoption of the ISO/IEC 27001 standard. A survey-based research design was selected as the data collection method. The research instruments used in this study include a web-based questionnaire and in-person interviews with the participants. Based on the findings of this research, the organisations that participated in this study have an understanding of the ISO/IEC 27001 standard; however, fewer than a quarter of these have fully adopted the ISO/IEC 27001 standard. Furthermore, the main business objectives for organisations that have adopted the ISO/IEC 27001 standard were to ensure legal and regulatory compliance, and to fulfil client requirements. An Information Security Management System management guide based on the ISO/IEC 27001 Plan-Do-Check-Act model is developed to help organisations interested in the standard move towards ISO/IEC 27001 compliance.

ISO 27001 Standard

Computer security

Data protection

Information security awareness: generic content, tools and techniques

Mauwa, Hope

January 2007

In today’s computing environment, awareness programmes play a much more important role in organizations’ complete information security programmes. Information security awareness programmes are there to change behaviour or reinforce good security practices, and provide a baseline of security knowledge for all information users. Security awareness is a learning process, which changes individual and organizational attitudes and perceptions so that the importance of security and the adverse consequences of its failure are realized. Therefore, with proper awareness, employees become the most effective layer in an organization’s security defence. With the important role that these awareness programmes play in organizations’ complete information security programmes, it is a must that all organizations that are serious about information security must implement it. But though awareness programmes have become increasing important, the level of awareness in most organizations is still low. It seems that the current approach of developing these programmes does not satisfy the needs of most organizations. Therefore, another approach, which tries to meet the needs of most organizations, is proposed in this project as part of the solution of raising the level of awareness programmes in organizations.

Computer security

Data protection

Computers -- Safety measures

The computer incident response framework (CIRF)

Pieterse, Theron Anton

10 October 2014

M.Com. (Informatics) / A company’s valuable information assets face many risks from internal and external sources. When these risks are exploited and reports on information assets are made public, it is usually easy to determine which companies had a contingency plan to deal with the various aspects of these “computer incidents”. This study incorporates important factors of computer incidents into a framework which will assists the company in effectively dealing and managing computer incidents when they occur.

Computer networks - Security measures

Risk management

Computer security

Region aware DCT domain invisible robust blind watermarking for color images.

Naraharisetti, Sahasan

12 1900

The multimedia revolution has made a strong impact on our society. The explosive growth of the Internet, the access to this digital information generates new opportunities and challenges. The ease of editing and duplication in digital domain created the concern of copyright protection for content providers. Various schemes to embed secondary data in the digital media are investigated to preserve copyright and to discourage unauthorized duplication: where digital watermarking is a viable solution. This thesis proposes a novel invisible watermarking scheme: a discrete cosine transform (DCT) domain based watermark embedding and blind extraction algorithm for copyright protection of the color images. Testing of the proposed watermarking scheme's robustness and security via different benchmarks proves its resilience to digital attacks. The detectors response, PSNR and RMSE results show that our algorithm has a better security performance than most of the existing algorithms.

Digital watermarking

RMSE

PSNB

invisible robust blind

Digital watermarking.

Data protection.