  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
391

Internet-based electronic payment systems

Kortekaas, Birgit Friederike 01 January 2002
As today, the traditional payment systems of cash, cheques and credit cards are being supplemented by electronic cheques, electronic credit card-based systems, and token-based systems, online security is of utmost importance and one of the biggest criteria used for evaluating electronic payment systems. Electronic payment systems must guarantee the essential security requirements: confidentiality, privacy, integrity, availability, authentication, non-repudiation as well as anonymity and trust. This paper compares the various payment systems (both traditional and electronic) available today mainly according to their security aspects. Secure processing can be accomplished including access controls and detection techniques, such as encrypted communication channels, user and/or message authentication, symmetric and asymmetric encryption, digital certificates and firewalls. These effective security measures, which are outlined in detail in this paper, will protect the information and payment systems against security risks that currently threaten the Internet. / Computing / M.Sc. (Information Systems)
392

An analysis of the relationship between security risk management and business continuity management : a case study of the United Nations Funds and Programmes

Van der Merwe, Johannes Jacobus 26 July 2015
Text in English / The goal of this research was to investigate the relationship between security risk management and business continuity management and to determine how these two methodologies are applied within United Nations Funds and Programmes. These United Nations (UN) agencies have been established to deliver humanitarian aid, economic and social development and reconstruction activities. The locations where these services are required are typically where security risks are also most prevalent. The staff of the UN, the International Red Cross and other humanitarian and development organisations have traditionally been treated as neutral parties and have not been targeted by belligerent groups. This study revealed that there has been an annual increase in security incidents against aid workers and employees of UN organisations. The changing security landscape worldwide and the increasing demand for aid and development services in especially fragile and post-conflict environments, require organisations working in these areas to maintain a high level of resilience. Their resilience can be strengthened by applying robust security risk and business continuity management methodologies. The study included an examination of the global risk environment as it pertains to UN agencies, as well as key risk management concepts such as risk management, operational risk management, security risk management, business continuity management and organisational resilience. For the purposes of this study, security risk management is defined as the systematic approach to assessing and acting on security risks, while ensuring the safety and security of the organisation's personnel and facilities and ensuring that organisational objectives are achieved. 
Business continuity is a management process that identifies potential threats to an organisation, it assesses the impact to business operations − should the threats materialise − and it furthermore assists in the development of strategies to continue operations in the event of a disruption. In addition to looking at these concepts individually, the relationship between security risk management and business continuity management was also reviewed. The specific objectives set out to achieve the goal of the study were the following:
• Explore the perceptions of UN agencies about the link between security risk management and business continuity management.
• Analyse the extent of integration between security risk management and business continuity management processes and oversight.
• Make recommendations as to how security risk management and business continuity management can operate in an integrated manner with the goal of increasing the overall resilience of UN agencies.
To answer the research questions a qualitative research approach was adopted. This enabled the researcher to collect data through interviewing participants and analysing their feedback. The research focused on UN Funds and Programmes as a sub-set of agencies within the UN family of organisations. Each one of these agencies has a specific mandate, such as providing assistance to refugees, promoting food security, poverty reduction, improving reproductive health and family planning services. They also operate in fragile states as well as in emergency and humanitarian crises situations where the security risks are often higher than in normal developing countries.
Eight out of 12 UN Funds and Programmes agreed to participate in the study, including: United Nations Children's Fund; United Nations Relief and Works Agency for Palestine Refugees in the Near East; Office of the United Nations High Commissioner for Refugees; World Food Programme; United Nations Development Programme; United Nations Office on Drugs and Crime; United Nations Human Settlements Programme; and UN Women. Data were collected through conducting semi-structured telephone interviews with the security manager and/or business continuity manager serving in the headquarters of each participating organisation. Findings from the study indicated that security risk management within the UN system has evolved and that security has matured from a purely protective and defensive posture to following a risk management approach. The strength of the UN Security Management System lies in its Security Risk Management Model, which enables a thorough assessment of security risks and the implementation of commensurate mitigating security measures. In contrast to security risk management, the study revealed that business continuity as a management process is a fairly new initiative and has not yet been comprehensively adopted by all UN agencies. When combined, security risk management and business continuity management ensure the safety of staff, maximise the defence of the agencies’ reputation, minimise the impact of events on the agencies as well as their beneficiaries, protect the organisation’s assets, and very importantly, demonstrate effective governance. This can only be done through establishing an organisational risk management model by positioning security risk management and business continuity management within the UN agency’s organisational structure so that they can effectively work together and at the same time allow access to senior management. 
Good practices and apparent gaps were identified in how these two methodologies are implemented and five specific recommendations were made. The research confirmed the need for both security risk management and business continuity management and the role each function plays to enhance an organisation’s resilience. It also highlighted that while they are two separate management functions, both need to be implemented within a larger risk management framework and need to be closely aligned in order to be effective. The five recommendations are:
• Incorporate security risk management and business continuity management functions and responsibilities into the larger agency-wide risk management governance framework.
• Expand the scope of business continuity in those UN agencies where it currently sits in the domain of information technology or has not yet been comprehensively implemented across the organisation.
• Establish a comprehensive crisis management framework spanning across the whole organisation from their headquarters to country offices.
• Develop the capacity to gather risk data across their agency and aggregate the data to view the full spectrum of risks, including security risks and business continuity risks in a holistic manner.
• Integrate security risk management and business continuity management processes to enhance their effectiveness.
This study contributes to the existing body of knowledge in the field of risk management by gathering relevant information from participating UN Funds and Programmes, comparing the information with other academic sources and drawing conclusions to answer the research questions.
While it is expected that each organisation will have its own view on how to implement security risk management and business continuity management, the findings and recommendations as a result of the study present a series of practical recommendations on how the two functions can operate in an integrated manner in order to increase the overall resilience of these UN agencies. Other non-UN organisations working in similar high risk environments could also benefit from the outcomes of the study, as it would allow them to compare their own approaches to security risk management and business continuity management with the information presented in this study. / Security Risk Management / M. Tech. (Security Management)
393

A study regarding the effectiveness of game play as part of an information security awareness program for novices

Labuschagne, William Aubrey 09 1900
Technology has become intertwined into society's daily life, which is not only limited to personal life but also extends into the business world. Availability, integrity and confidentiality are critical information security factors to consider when interacting with technology. Conversely, many unsuspecting users have fallen prey to cyber criminals. The majority of threats encountered could have been prevented by the victims if they had sufficient knowledge to first identify and then mitigate the threat. The use of information security awareness programs provides a platform whereby users are informed about such threats. The success of these programs is significantly reduced if the content is not transferred in the most effective method to improve understanding and result in a change of behaviour. This dissertation addresses the effectiveness of using a gaming platform within an information security awareness program. The use of games allows for the users to apply knowledge within a potential scenario as seen with pilots using flight simulators. End users who have no information security background should have a safe platform where threats can be identified and methods taught to mitigate the threats. A wide selection of security awareness frameworks exist; the most appropriate framework should be considered first. The different phases of the framework would be applied within the dissertation with the main objective to ultimately determine the effectiveness of games within security awareness programs. Data was collected during the implemented information security awareness program using quantitative instruments. These included questionnaires and a developed online game designed from the literature reviewed during the study. The analysed data highlighted the effects of extrinsic motivation on knowledge transfer and validated the positive impact of game play. / Computing / M. Tech. (Information Technology)
394

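L3-ARPSec - secure module for control and protection of the address resolution protocol in software-defined networks (original title: L3-arpsec - módulo seguro para controle e proteção do protocolo de resolução de endereços em redes definidas por software)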

Oliveira, Rogério Leão Santos de [UNESP] 24 July 2015
The Address Resolution Protocol (ARP) is used to map IP addresses to MAC addresses in local area networks. This protocol has some security vulnerabilities and one of them is the Man-in-the-Middle (MITM) attack, a way of poisoning the ARP cache that allows a host to intercept packets switched between two other hosts. Software-Defined Networks (SDNs) represent an innovative approach in the area of computer networks, since they propose a new model to control forwarding and routing data packets that navigate the World Wide Web. One of the main features of this new paradigm is the ability to program functionalities in network controllers to manage the traffic. This study presents the L3-ARPSec module, a set of instructions written in the Python programming language that proposes a way to control the switching of ARP messages and also mitigates the MITM attack in local area networks. The module manages the ARP request and reply messages between all network devices and does not permit ARP cache poisoning. After presenting some concepts of the SDN paradigm, the ARP protocol structure and how MITM attacks occur, the L3-ARPSec module is explained in detail and the results of several tests performed are displayed.
395

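Security in wireless networks: a study on the development of data sets for IDS comparison (original title: Segurança em redes sem fio: estudo sobre o desenvolvimento de conjuntos de dados para comparação de IDS)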

Vilela, Douglas Willer Ferrari Luz [UNESP] 05 December 2014
The growth of wireless network technology has been very significant in recent years, and it is used in diverse sectors of society. The IEEE 802.11 standard stands out in this scenario. However, the protection mechanisms employed by this wireless network standard have not been effective in combating denial-of-service attacks. Intrusion detection systems are seen as an effective way to minimize these threats. This research proposed the construction of three data sets that meaningfully represent wireless network traffic. The generated sets are intended to assist in the evaluation of intrusion detection algorithms for wireless networks. To build the data sets, three wireless network scenarios were implemented, all in real, operational environments. In each scenario one security mechanism was enabled: the WEP protocol in scenario 1, IEEE 802.11i in scenario 2, and IEEE 802.11i together with the IEEE 802.11w amendment in scenario 3. The choice of different scenarios, and the division of the sets according to the environments, aims to analyze the evolution of the security mechanisms. This makes it possible to categorize each environment. After the wireless network environments were built, normal and anomalous network traffic was introduced and data collection began. The collected data in each set was pre-processed, capturing only the frames of the IEEE 802.11 Media Access Control (MAC) header. This choice was made because this frame has characteristics specific to wireless networks. To validate the data sets, classification and pattern recognition algorithms were employed. The algorithms used in the validation were Multilayer Perceptron (MLP), Radial Basis Function (RBF) and Bayes Net. The results obtained from the evaluation of the generated data sets demonstrate that the proposed approach is quite promising.
396

Encryption-based security for public networks : technique and application

Fernandez, Irma Becerra 10 October 1994
This dissertation describes the development of a new system whereby the Public Switch Telephone Network (PSTN), which is not secure, can perform like a private network. Integrated Services Digital Network (ISDN) forms a technical platform for other communication technologies, such as frame relay and Switched Megabit Data Service (SMDS). This is an original and innovative hardware and software design which can be embedded into the ISDN Customer Premises Equipment (CPE) to privatize the public ISDN without the need to upgrade the existing switching equipment. This research incorporates original design and development of the following hardware and software modules to provide real-time encryption and decryption of images and data in the ISDN medium: 1. ISDN Communications Module with customized Caller-ID access. 2. Token Access Control module for secure log-in. 3. A Hybrid Cryptographic Module, public key for key management and authentication, and private key for privacy. This Cryptographic module, the Security Extension Module to the Terminal Adapter (SEMTA), was implemented in software, and then optimized in hardware. This work proves that medical images and legal documents can be transmitted through the PSTN without any security breach, guaranteeing the privacy, confidentiality, and authenticity of the data.
397

Analysis of a South African cyber-security awareness campaign for schools using interdisciplinary communications frameworks

Leppan, Claudette January 2017
To provide structure to cyber awareness and educational initiatives in South Africa, Kortjan and Von Solms (2014) developed a five-layer cyber-security awareness and education framework. The purpose of the dissertation is to determine how the framework layers can be refined through the integration of communication theory, with the intention to contribute towards the practical implications of the framework. The study is approached qualitatively and uses a case study for argumentation to illustrate how the existing framework can be further developed. Drawing on several comprehensive campaign planning models, the dissertation illustrates that not all important campaign planning elements are currently included in the existing framework. Proposed changes in the preparation layer include incorporating a situational and target audience analysis, determining resources allocated for the campaign, and formulating a communication strategy. Proposed changes in the delivery layer of the framework are concerned with the implementation, monitoring and adjustment, as well as reporting of campaign successes and challenges. The dissertation builds on, and adds to, the growing literature on the development of campaigns for cyber-security awareness and education aimed at children.
398

User-centred design to engender trust in e-commerce

Obioha, Chinonye Leuna January 2016
Thesis (MTech (Information Technology))--Cape Peninsula University of Technology, 2016. / Consumer trust is a core element for any e-commerce website. This study aimed to explore attributes of business-to-consumers (B2C) e-commerce websites that can communicate and engender trust from the users’ perspective using user-centred design. E-commerce websites are known to have features such as security certificates and encryption methods to ensure trust, but this requires technical knowhow to understand. The technologies used to develop websites have improved so far, but it has little effect on improving the trust of the users of e-commerce mostly in developing countries (Africa in particular). E-commerce users do not realise that these features have been put in place for the trustworthiness of the websites which contributes to their reluctance to conduct business transactions online, thus reducing their buying intentions. There is a need to design e-commerce websites to communicate/ convey trust from the users’ perspective. The study explored various sources of data to obtain insight and understanding of the research problem—user-centred design (UCD) group activity with users, interviews with developers, and secondary prior literature. Using UCD as the main methodology, an intensive UCD workshop activity with a group of eight e-commerce users was carried out. Furthermore, to obtain the view of experts (developers) on what is currently done to engender trust in B2C e-commerce websites, interviews with four respondents were also carried out. These interviews were intended to reduce any prejudice or bias and to obtain a clearer understanding of the phenomenon being studied. The findings from the study revealed six main attributes to engender trust, namely aesthetics design, security and information privacy, functionality design, trustworthiness based on content, development process, and vendor attributes. Proposed guidelines for each of the attributes were outlined. 
The findings from the users showed that those who were acquainted with the e-commerce technologies were those whose backgrounds are computer and technology related. Most users focused on aesthetics design, functionality, and security of their privacy and private details. Less emphasis was placed on the technology behind the e-commerce websites. Users use their aesthetic and cognitive value in their judgement for trust. The findings from the research were further validated using the Domestication of Technology Theory (DTT), which resulted in the development of a user-centred e-commerce trust model.
399

A framework for software patch management in a multi-vendor environment

Hughes, Grant Douglas January 2016
Thesis (MTech (Information Technology))--Cape Peninsula University of Technology, 2016. / Software often requires patches to be installed post-implementation for a variety of reasons. Organisations and individuals, however, do not always promptly install these patches as and when they are released. This study investigated the reasons for the delay or hesitation, identified the challenges, and proposed a model that could assist organisations in overcoming the identified challenges. The research investigated the extent to which the integration of software patch management and enterprise data security is an important management responsibility, by reviewing relevant documents and interviewing key role players currently involved in the patch management process. The current challenges and complexities involved in patch management at an enterprise level could place organisations at risk by compromising their enterprise-data security. This research primarily sought to identify the challenges causing the management of software patches to be complex, and further attempted to establish how organisations currently implement patch management. The aim of the study was to explore the complexities of software patch management in order to enhance enterprise data security within organisations. A single case study was used, and data were obtained from primary sources and literature. The study considered both technological and human factors, and found that both factors play an equally important role with regard to the successful implementation of a patch management program within an organisation.
400

Managing infrastructure risks in information communication technology outsourced projects : a case study at Transnet, South Africa

Basson, Delton Jade January 2017
Thesis (MTech (Information Technology))--Cape Peninsula University of Technology, 2017. / The balance between the dependency on Information and Communications Technology (ICT) and reducing costs has led to an increase in ICT outsourcing in many organisations. ICT outsourcing has benefits, but organisations have limited knowledge on information security and risks when outsourcing these functions. A lack of information security knowledge or a poor organisational risk culture carries the risk of project failure and security breaches. It is unclear how to manage information risks through the usage of ICT infrastructure risk management when outsourcing ICT projects, and this exposes organisations to ICT security risks. The aim of the study is to explore how a selected transport organisation can manage information risks through the usage of infrastructure risk management when outsourcing ICT projects. Two primary research questions are posed namely, “what information risks does the ICT department manage when outsourcing ICT projects?”, and “how can the ICT department protect their information through the usage of infrastructure risk management against ICT security threats when outsourcing ICT?” To answer these two questions, a study was conducted at a transport organisation in South Africa. A subjective ontological and interpretivist epistemological stance has been adopted and an inductive research approach was followed. The research strategy was a case study. Data for this study was gathered through interviews (17 in total) using semi-structured questionnaires. Data collected were transcribed, summarised, and categorised to provide a clear understanding of the data. For this study, forty findings and eight themes were identified. The themes are ICT outsourcing, information risks, costs, ICT vendor dependency, vendor access and management, risk management, user awareness, and frameworks. Guidelines are proposed, comprising six primary components. 
The results point to gaps that need to be addressed to ensure that information is protected when outsourcing ICT projects. Measures need to be put in place and communication has to be improved among operating divisions. The findings lead to questions such as, “how does business create an ICT security culture to ensure that information is protected at all times”, and “does vendor access management really get the necessary attention it requires?” Further studies on human behaviour towards ICT security are needed to ensure the protection of organisations against security risks.
