1

M.I.D.A.S. : metrics identification of attack surfaces / Metrics identification of attack surfaces

Meek, Joshua A. 05 May 2012
This thesis endeavors to determine the feasibility of design metrics as a predictor of attack surface size by finding a positive correlation between one or more design metrics and an application’s attack surface measurement. An attack surface is the set of ways in which an adversary can enter a system and potentially cause damage. For an experimental setting, six open-source Java-based projects were analyzed. For each project, the attack surface is assessed using Microsoft’s Attack Surface Analyzer, which takes a snapshot of a system state before and after the installation of product(s) and displays the changes to a number of key elements of the Windows attack surface. A collection of design metrics was collected from each open-source project as well. The goal is to find a metric or set of metrics that predicted the attack surface changes identified by the Attack Surface Analyzer. / Department of Computer Science
2

Categorization of Security Design Patterns

Dangler, Jeremiah Y 01 May 2013
Strategies for software development often slight security-related considerations, due to the difficulty of developing realizable requirements, identifying and applying appropriate techniques, and teaching secure design. This work describes a three-part strategy for addressing these concerns. Part 1 provides detailed questions, derived from a two-level characterization of system security based on work by Chung et al., to elicit precise requirements. Part 2 uses a novel framework for relating this characterization to previously published strategies, or patterns, for secure software development. Included case studies suggest the framework's effectiveness, involving the application of three patterns for secure design (Limited View, Role-Based Access Control, Secure State Machine) to a production system for document management. Part 3 presents teaching modules to introduce patterns into lower-division computer science courses. Five modules, integer overflow, input validation, HTTPS, files access, and SQL injection, are proposed for conveying an awareness of security patterns and their value in software development.
3

Design and evaluation of security mechanism for routing in MANETs : elliptic curve Diffie-Hellman cryptography mechanism to secure Dynamic Source Routing protocol (DSR) in Mobile Ad Hoc Network (MANET)

Almotiri, Sultan H. January 2013
Ensuring trustworthiness through mobile nodes is a serious issue. Indeed, securing the routing protocols in Mobile Ad Hoc Network (MANET) is of paramount importance. A key exchange cryptography technique is one such protocol. Trust relationship between mobile nodes is essential. Without it, security will be further threatened. The absence of infrastructure and a dynamic topology changing reduce the performance of security and trust in mobile networks. Current proposed security solutions cannot cope with eavesdroppers and misbehaving mobile nodes. Practically, designing a key exchange cryptography system is very challenging. Some key exchanges have been proposed which cause decrease in power, memory and bandwidth and increase in computational processing for each mobile node in the network consequently leading to a high overhead. Some of the trust models have been investigated to calculate the level of trust based on recommendations or reputations. These might be the cause of internal malicious attacks. Our contribution is to provide trustworthy communications among the mobile nodes in the network in order to discourage untrustworthy mobile nodes from participating in the network to gain services. As a result, we have presented an Elliptic Curve Diffie-Hellman key exchange and trust framework mechanism for securing the communication between mobile nodes. Since our proposed model uses a small key and less calculation, it leads to a reduction in memory and bandwidth without compromising on security level. Another advantage of the trust framework model is to detect and eliminate any kind of distrust route that contains any malicious node or suspects its behavior.
4

Zavedení ISMS v podniku / Implementation of ISMS in a Company

Pospíchal, Jindřich January 2016
The master’s thesis is aimed at proposing an implementation of information security management system in a company. It covers basic theoretical background and concepts of information system security and describes standards of ČSN ISO/IEC 27000. Specific provisioning of ISMS is then proposed based on the theoretical background and analysis of current state.
5

Integration of Software Security Design Analysis to the Agile Development Process / Integracija bezbednosne analize dizajna softvera u proces agilnog razvoja

Luburić Nikola 18 January 2020
This thesis presents research in the field of secure software engineering. Two methods are developed that, when combined, facilitate the integration of software security design analysis into the agile development workflow. The first method is a training framework for creating workshops aimed at teaching software engineers on how to perform security design analysis. The second method is a process that expands on the security design analysis method to facilitate better integration with the needs of the organization. The first method is evaluated through a controlled experiment, while the second method is evaluated through comparative analysis and case study analysis, where the process is tailored and implemented for two different software vendors.
6

The Human Error : En analys av forskningsläget kring mänskliga faktorer som sårbarhet inom IT-säkerhet / The Human Error : An analysis of the current research on human factors as vulnerabilities in IT security

Olofsson, Emilia, Rasaratnam, Sangeetha January 2024
A society rapidly transformed by the transformative power of digitization is a comprehensive and debated issue in our contemporary times. Despite the opportunities it presents, challenges persist, particularly in IT security. Existing research primarily emphasizes the technical aspects while neglecting the crucial human element within IT security. The current research gap highlights the human element as a significant vulnerability in maintaining secure digital environments.
While technological safeguards are necessary, they often prove insufficient without consideration of human factors. The intended study aims to investigate the current state of research on human factors in IT security. Through a qualitative literature review as the primary research strategy, scientific research and literature within the chosen subject area are systematically examined and analyzed. The findings present the extent to which various concepts related to human factors in IT security are explored. Thus, the study contributes to theoretical knowledge development to strengthen and protect digital information and infrastructure by identifying areas where research is limited. This study seeks to fill the research gap by highlighting human vulnerabilities in IT security and which concepts should be further investigated. In doing so, the study may contribute to a holistic understanding of IT security, balancing technological and human-centered approaches.
