Vulnerability Assessment and Risk Mitigation: The Case of Vulcano Island, Italy

Galderisi, Adriana, Bonadonna, Costanza, Delmonaco, Giuseppe, Ferrara, Floriana Federica, Menoni, Scira, Ceudech, Andrea, Biass, Sebastien, Frischknecht, Corine, Manzella, Irene, Minucci, Guido, Gregg, Chris

01 January 2013

This paper reports on a comprehensive vulnerability analysis based on a research work developed within the EC ENSURE Project (7FP) dealing with the assessment of different volcanic phenomena and induced mass-movements on Vulcano Island (S Italy) as a key tool for proactive efforts for multi-risk mitigation. The work is mainly focused on tephra sedimentation and lahar hazards and related physical, systemic and mitigation capacities.

integrated vulnerability analysis

lahars

tephra

Vulnerability Assessment and Risk Mitigation: The Case of Vulcano Island, Italy

Galderisi, Adriana, Bonadonna, Costanza, Delmonaco, Giuseppe, Ferrara, Floriana Federica, Menoni, Scira, Ceudech, Andrea, Biass, Sebastien, Frischknecht, Corine, Manzella, Irene, Minucci, Guido, Gregg, Chris

01 January 2013

This paper reports on a comprehensive vulnerability analysis based on a research work developed within the EC ENSURE Project (7FP) dealing with the assessment of different volcanic phenomena and induced mass-movements on Vulcano Island (S Italy) as a key tool for proactive efforts for multi-risk mitigation. The work is mainly focused on tephra sedimentation and lahar hazards and related physical, systemic and mitigation capacities.

integrated vulnerability analysis

lahars

tephra

A host-based security assessment architecture for effective leveraging of shared knowledge

Rakshit, Abhishek

January 1900

Master of Science / Department of Computing and Information Sciences / Xinming (Simon) Ou / Security scanning performed on computer systems is an important step to identify and assess potential vulnerabilities in an enterprise network, before they are exploited by malicious intruders. An effective vulnerability assessment architecture should assimilate knowledge from multiple security knowledge sources to discover all the security problems present on a host. Legitimate concerns arise since host-based security scanners typically need to run at administrative privileges, and takes input from external knowledge sources for the analysis. Intentionally or otherwise, ill-formed input may compromise the scanner and the whole system if the scanner is susceptible to, or carries one or more vulnerability itself. It is not easy to incorporate new security analysis tools and/or various security knowlege- bases in the conventional approach, since this would entail installing new agents on every host in the enterprise network. This report presents an architecture where a host-based security scanner's code base can be minimized to an extent where its correctness can be verified by adequate vetting. At the same time, the architecture also allows for leveraging third-party security knowledge more efficiently and makes it easier to incorporate new security tools. In our work, we implemented the scanning architecture in the context of an enterprise-level security analyzer. The analyzer finds security vulnerabilities present on a host according to the third-party security knowledge specified in Open Vulnerability Assessment Language(OVAL). We empirically show that the proposed architecture is potent in its ability to comprehensively leverage third-party security knowledge, and is flexible to support various higher-level security analysis.

Vulnerability analysis

Network security

Computer Science (0984)

A Framework for Software Security Testing and Evaluation

Dutta, Rahul Kumar

January 2015

Security in automotive industry is a thought of concern these days. As more smart electronic devices are getting connected to each other, the dependency on these devices are urging us to connect them with moving objects such as cars, buses, trucks etc. As such, safety and security issues related to automotive objects are becoming more relevant in the realm of internet connected devices and objects. In this thesis, we emphasize on certain factors that introduces security vulnerabilities in the implementation phase of Software Development Life Cycle (SDLC). Input invalidation is one of them that we address in our work. We implement a security evaluation framework that allows us to improve security in automotive software by identifying and removing software security vulnerabilities that arise due to input invalidation reasons during SDLC. We propose to use this framework in the implementation and testing phase so that the critical deficiencies of software in security by design issues could be easily addressed and mitigated.

Security testing

fuzzing

static analysis

error propagation

vulnerability analysis

Consequences of False Data Injection on Power System State Estimation

January 2015

abstract: The electric power system is one of the largest, most complicated, and most important cyber-physical systems in the world. The link between the cyber and physical level is the Supervisory Control and Data Acquisition (SCADA) systems and Energy Management Systems (EMS). Their functions include monitoring the real-time system operation through state estimation (SE), controlling the system to operate reliably, and optimizing the system operation efficiency. The SCADA acquires the noisy measurements, such as voltage angle and magnitude, line power flows, and line current magnitude, from the remote terminal units (RTUs). These raw data are firstly sent to the SE, which filters all the noisy data and derives the best estimate of the system state. Then the estimated states are used for other EMS functions, such as contingency analysis, optimal power flow, etc. In the existing state estimation process, there is no defense mechanism for any malicious attacks. Once the communication channel between the SCADA and RTUs is hijacked by the attacker, the attacker can perform a man-in-middle attack and send data of its choice. The only step that can possibly detect the attack during the state estimation process is the bad data detector. Unfortunately, even the bad data detector is unable to detect a certain type of attack, known as the false data injection (FDI) attacks. Diagnosing the physical consequences of such attacks, therefore, is very important to understand system stability. In this thesis, theoretical general attack models for AC and DC attacks are given and an optimization problem for the worst-case overload attack is formulated. Furthermore, physical consequences of FDI attacks, based on both DC and AC model, are addressed. Various scenarios with different attack targets and system configurations are simulated. The details of the research, results obtained and conclusions drawn are presented in this document. / Dissertation/Thesis / Masters Thesis Electrical Engineering 2015

Electrical engineering

False Data Injection

State Estimation

Vulnerability Analysis

Static Vulnerability Analysis of Docker Images

Henriksson, Oscar, Falk, Michael

January 2017

Docker is a popular tool for virtualization that allows for fast and easy deployment of applications and has been growing increasingly popular among companies. Docker also include a large library of images from the repository Docker Hub which mainly is user created and uncontrolled. This leads to low frequency of updates which results in vulnerabilities in the images. In this thesis we are developing a tool for determining what vulnerabilities that exists inside Docker images with a Linux distribution. This is done by using our own tool for downloading and retrieving the necessary data from the images and then utilizing Outpost24's scanner for finding vulnerabilities in Linux packages. With the help of this tool we also publish statistics of vulnerabilities from the top downloaded images of Docker Hub. The result is a tool that can successfully scan a Docker image for vulnerabilities in certain Linux distributions. From a survey over the top 1000 Docker images it has also been shown that the amount of vulnerabilities have increased in comparison to earlier surveys of Docker images.

Docker

Containerization

Vulnerability analysis

Vulnerability scanning

Engineering and Technology

Teknik och teknologier

A quantitative measure of the security risk level of enterprise networks

Munir, Rashid, Pagna Disso, Jules F., Awan, Irfan U., Mufti, Muhammad R.

January 2013

No / Along with the tremendous expansion of information technology and networking, the number of malicious attacks which cause disruption to business processes has concurrently increased. Despite such attacks, the aim for network administrators is to enable these systems to continue delivering the services they are intended for. Currently, many research efforts are directed towards securing network further whereas, little attention has been given to the quantification of network security which involves assessing the vulnerability of these systems to attacks. In this paper, a method is devised to quantify the security level of IT networks. This is achieved by electronically scanning the network using the vulnerability scanning tool (Nexpose) to identify the vulnerability level at each node classified according to the common vulnerability scoring system standards (critical, severe and moderate). Probabilistic approach is then applied to calculate an overall security risk level of sub networks and entire network. It is hoped that these metrics will be valuable for any network administrator to acquire an absolute risk assessment value of the network. The suggested methodology has been applied to a computer network of an existing UK organization with 16 nodes and a switch.

Dimensão programática da vulnerabilidade ao HIV/Aids na fronteira no norte do Brasil com a Guiana Francesa / Programmatic dimension of vulnerability to HIV/Aids on the border in the north of Brazil with French Guiana

Trindade, João Farias da

18 May 2017

A infecção pelo vírus da imunodeficiência humana (HIV) e a aids caracterizam-se como problemas de saúde pública, com incidências e prevalências elevadas em populações chaves. No Brasil a principal via de transmissão em indivíduos com 13 anos ou mais de idade é a sexual, porém, há uma tendencia de aumento na proporção de casos em homens que fazem sexo com homens nos últimos dez anos. Há escassa literaura sobre a vulnerabilidade ao HIV nas populações que vivem em região de fronteira, particularmente nas do Brasil e, mais ainda, na fronteira do Brasil com a Guiana Francesa. O estudo teve como objetivo analisar a vulnerabilidade ao HIV/Aids na dimensão programática em um município de fronteira do Brasil com a Guiana Francesa. Trata-se de um estudo descritivo, estudo de caso, tendo sido entrevistados dez depoentes: os gerentes e profissionais de saúde de Unidades Básicas de Saúde, os coordenadores das ações em DST/HIV do município de Oiapoque, o gestor local do hospital estadual, do laboratório de fronteira, os coordenadores municipal e estadual do Programa de DST/Aids e um representante de organização não governamental local envolvida com a prevenção e assistência ao portador do HIV/Aids. Também foram analisados os planos estadual e municipal de saúde, as atas de reuniões da comissão transfronteiriça Brasil-Guiana Francesa, os acordos internacionais e financiamentos para a região de Oiapoque no contexto do HIV/Aids, no período de 2012-2015. Os instrumentos de coleta de dados foram roteiros de entrevistas semiestruturadas, com questões norteadoras aos participantes, e roteiro para análise documental. As entrevistas foram gravadas, mediante consentimento dos participantes, realizadas pelo pesquisador nos meses de março a abril de 2016. Os conteúdos transcritos das entrevistas e obtidos nos documentos foram estudados pela análise de conteúdo, orientada pelo conceito da vulnerabilidade, com ênfase à dimensão programática. Como resultados se destacaram seis categorias: Expressão do compromisso dos governos; Participação e controle social; Atuações dos trabalhadores na atenção em HIV; Articulações multissetoriais das ações; Acesso aos serviços e insumos e Composição da rede de serviços. Conclui-se que há vulnerabilidade programática na medida em que o compromisso dos governos estadual e municipal no combate ao HIV é limitado, evidenciado nos planos de saúde estadual e municipal e pela escassez de investimentos financeiros no combate a doença; a participação e o controle social no enfrentamento da epidemia não têm ocorrido de forma eficiente, pois somente uma organização não governamental mantida com recurso externo tem ação efetiva em Oiapoque nas ações de prevenção; que o envolvimento dos profissionais das unidades básicas não se efetiva, com concentração de atividades na figura do profissional enfermeiro; que a articulação multissetorial para o desenvolvimento de ações de combate ao HIV não tem se concretizado, pois o setor saúde tem atuando isoladamente; que preservativos e testes diagnósticos são oferecidos, mas o tratamento e o acompanhamento dos casos não são realizados no município, sendo estes realizados em Macapá ou em Saint Georges e, por fim, a rede de serviços na atenção ao HIV e à aids não está plenamente organizada. / Human immunodeficiency virus (HIV) infection and AIDS are characterized as public health problems, with high incidence and prevalence in key populations. In Brazil, the main route of transmission in individuals aged 13 years and over is sexual, but there is a tendency to increase the proportion of cases in men who have sex with other men in the last ten years. There is little literature on the vulnerability to HIV in populations living in the border region, particularly in Brazil, and even more on the Brazilian border with French Guiana. The study aimed to analyze the vulnerability to HIV/Aids in the programmatic dimension in a border municipality of Brazil with French Guiana. It is a descriptive study, a case study, and ten deponents were interviewed: managers and health professionals from Basic Health Units, coordinators of STD / HIV actions in the municipality of Oiapoque, the local manager of the state hospital, the border laboratory, the municipal and state coordinators of the STD / Aids program and a representative of a local non-governmental organization involved in HIV/Aids prevention and care. It has also been analyzed the state and municipal health plans, the minutes of meetings of the cross-border commission Brazil-French Guiana, the international agreements and funding for the region of Oiapoque in the context of HIV/Aids in the period 2012-2015. The data collection instruments were semi-structured interview scripts, with questions guided to the participants, and a script for documentary analysis. The interviews were recorded with the consent of the participants, carried out by the researcher from March to April, 2016. The transcribed contents of the interviews and obtained in the documents were studied by content analysis, guided by the concept of vulnerability, with emphasis on the programmatic dimension. As a result, six categories were highlighted: Expression of the commitment of governments; Participation and social control; Workers\' actions on HIV care; Multisector articulation of actions; Access to services and inputs and Composition of the service network. It was concluded there is programmatic vulnerability to the extent that the commitment of state and municipal governments in the action against HIV is limited, evidenced in the state and municipal health plans and by the scarcity of financial investments in actions against the disease; the participation and social control to face up the epidemic have not occurred efficiently, because only a non-governmental organization keeping with external resources has effective action in Oiapoque in the prevention actions; that the involvement of the professionals of the basic units isnt effective, with concentration of activities in the figure of the professional nurse; that the multi sector articulation for the development of actions to combat HIV hasnt materialized, because the health sector has been working in isolation; that condoms and diagnostic tests are offered, but the treatment and follow-up of the cases are not done in the municipality, these are being realized in Macapá or in Saint Georges and, finally, the service network in HIV and aids care isnt fully organized.

Análise da vulnerabilidade

Área de fronteira

Border area

Case study

Enfermagem

Estudo de caso

HIV

HIV

Nursing

Vulnerability analysis

Unwanted Traffic and Information Disclosure in VoIP Networks : Threats and Countermeasures

Zhang, Ge

January 2012

The success of the Internet has brought significant changes to the telecommunication industry. One of the remarkable outcomes of this evolution is Voice over IP (VoIP), which enables realtime voice communications over packet switched networks for a lower cost than traditional public switched telephone networks (PSTN). Nevertheless, security and privacy vulnerabilities pose a significant challenge to hindering VoIP from being widely deployed. The main object of this thesis is to define and elaborate unexplored security and privacy risks on standardized VoIP protocols and their implementations as well as to develop suitable countermeasures. Three research questions are addressed to achieve this objective: Question 1:  What are potential unexplored threats in a SIP VoIP network with regard to availability, confidentiality and privacy by means of unwanted traffic and information disclosure? Question 2:  How far are existing security and privacy mechanisms sufficient to counteract these threats and what are their shortcomings? Question 3:  How can new countermeasures be designed for minimizing or preventing the consequences caused by these threats efficiently in practice? Part I of the thesis concentrates on the threats caused by "unwanted traffic", which includes Denial of Service (DoS) attacks and voice spam. They generate unwanted traffic to consume the resources and annoy users. Part II of this thesis explores unauthorized information disclosure in VoIP traffic. Confidential user data such as calling records, identity information, PIN code and data revealing a user's social networks might be disclosed or partially disclosed from VoIP traffic. We studied both threats and countermeasures by conducting experiments or using theoretical assessment. Part II also presents a survey research related to threats and countermeasures for anonymous VoIP communication.

SIP

VoIP

security

Denial of Service

Vulnerability analysis

timing attacks

Spam

DTMF

SIP

RTP

Community vulnerability and capacity in post-disaster recovery: the cases of Mano and Mikura neighbourhoods in the wake of the 1995 Kobe earthquake

Yasui, Etsuko

05 1900

This is a study of how two small neighbourhoods, Mano and Mikura, recovered from the 1995 Kobe (Japan) earthquake, with a particular focus on the relationship between community vulnerability and capacity. Few studies have examined these interactions, even though vulnerability reduction is recognized to be a vital component of community recovery. Drawing from literature on disaster recovery, community development, vulnerability analysis, community capacity building and the Kobe earthquake, a community vulnerability and capacity model is elaborated from Blaikie et al.’s Pressure and Release Model (1994) to analyze the interactions. The Mano and Mikura cases are analyzed by applying this model and relating outcomes to the community’s improved safety and quality of community lives. Based on the experience of Mano, appropriate long-term community development practices as well as community capacity building efforts in the past can contribute to the reduction of overall community vulnerability in the post-disaster period, while it is recovering. On the other hand, the Mikura case suggests that even though the community experiences high physical and social vulnerability in the pre-disaster period, if the community is able to foster certain conditions, including active CBOs, adequate availability and accessibility to resources, and a collaborative working relationship with governments, the community can make progress on recovery. Although both Mano and Mikura communities achieved vulnerability reduction as well as capacity building, the long-term sustainability of the two communities remains uncertain, as issues and challenges, such as residual and newly emerging physical vulnerability, negative or slow population growth and aging, remained to create vulnerability to future disasters. The case studies reveal the interactions of community vulnerability and capacity to be highly complex and contingent on many contextual considerations.

disaster recovery

vulnerability analysis

capacity building

community planning

1995 Kobe earthquake

community development