908 results for Security-critical software
Abstract:
Modern industrial plants are automated: processes are driven by a computing unit that issues the commands needed for the plant to operate correctly. These technologies expose the equipment to security problems, that is, deliberate attacks on the control system coming from outside. The control system can become the variable manipulated by the cyber-terrorist, who can cause a shutdown of the signal or change the settings of the process parameters. The study presented here aims to identify the possible modes of attack and to identify a systematic tool for assessing vulnerability to a possible act of sabotage. The proposed procedure is PSC-SHaRP (Process System Cyber-Security Hazard Review Procedure), which consists of two structures called Alpha and Beta respectively. The methodology is aimed at identifying the potential hazards posed by cyber attacks rather than estimating a risk profile and/or probability of success. ShaRP Alpha is used to analyse the consequences of cyber deviations on individual machines in the plant or on modular systems. ShaRP Beta is used to analyse the consequences of cyber attacks on the system formed by the process plant. It can therefore analyse the repercussions that manipulations of one or more pieces of equipment may have on the plant as a whole. The last part of the work deals with the ways the "terrorist" could gain access to the control and safety system, hence the management systems of the DCS and the SIS and the software and hardware barriers that may be present.
Abstract:
The protection of cyberspace has become one of the highest security priorities of governments worldwide. The EU is not an exception in this context, given its rapidly developing cyber security policy. Since the 1990s, we could observe the creation of three broad areas of policy interest: cyber-crime, critical information infrastructures and cyber-defence. One of the main trends transversal to these areas is the importance that the private sector has come to assume within them. In particular in the area of critical information infrastructure protection, the private sector is seen as a key stakeholder, given that it currently operates most infrastructures in this area. As a result of this operative capacity, the private sector has come to be understood as the expert in network and information systems security, whose knowledge is crucial for the regulation of the field. Adopting a Regulatory Capitalism framework, complemented by insights from Network Governance, we can identify the shifting role of the private sector in this field from one of a victim in need of protection in the first phase, to a commercial actor bearing responsibility for ensuring network resilience in the second, to an active policy shaper in the third, participating in the regulation of NIS by providing technical expertise. By drawing insights from the above-mentioned frameworks, we can better understand how private actors are involved in shaping regulatory responses, as well as why they have been incorporated into these regulatory networks.
Abstract:
Transparency is an important concept in International Relations. The possibility of realizing transparency in practice operates as a central analytical axis defining distinct positions on core theoretical problems within the field, from the security dilemma to the function of international institutions and beyond. As a political practice the pursuit of transparent governance is a dominant feature of global politics, promoted by a wide range of actors across a vast range of issue areas, from nuclear proliferation to Internet governance to the politics of foreign aid. Yet, despite its importance, precisely what transparency means or how the concept is understood is frequently ill-defined by academics and policy-makers alike. As a result, the epistemological and ontological underpinnings of approaches to transparency in IR often sit in tension with their wider theoretical commitments. This article will examine the three primary understandings of transparency used in IR in order to unpack these commitments. It finds that while transparency is often explicitly conceptualized as a property of information, particularly within rationalist scholarship, this understanding rests upon an unarticulated set of sociological assumptions. This analysis suggests that conceptualizing ‘transparency-as-information’ without a wider sociology of knowledge production is highly problematic, potentially obscuring our ability to recognize transparent practices in global governance. Understanding transparency as dialogue, as a social practice rooted in shared cognitive capacities and epistemic frameworks, provides a firmer analytical ground from which to examine transparency in International Relations.
Abstract:
The concept of ontological security has a remarkable echo in the current sociology to describe emotional status of men of late modernity. However, the concept created by Giddens in the eighties has been little used in empirical research covering various sources of risk or uncertainty. In this paper, a scale for ontological security is proposed. To do this, we start from the results of a research focused on the relationship between risk, uncertainty and vulnerability in the context of the economic crisis in Spain. These results were produced through nine focus groups and a telephone survey with standardized questionnaire applied to a national sample of 2,408 individuals over 18 years. This work is divided into three main sections. In the first, a scale has been built from the results of the application of different items present in the questionnaire used. The second part explores the relationships of the scale obtained with the variables further approximate the emotional dimensions of individuals. The third part observes the variables that contribute to changes in the scale: these variables show the structural feature of the ontological security.
Abstract:
In recent years the term Collaborative Economy has become popular without, so far, having been unequivocally defined. This label covers experiences as diverse as time banks, urban gardens, startups or large digital platforms. The proliferation of this kind of initiative can be related to a multiplicity of factors such as technological development, the economic recession and other overlapping crises (environmental, of care, of values, of the political) and a certain change in social values. Between 2014 and 2015 two research projects were carried out in Andalusia almost in parallel and with a similar methodology. The first sought to identify Collaborative Economy practices in the university environment. The second identified entrepreneurship experiences at the regional level. In light of the results obtained, the following question about the very nature of the Collaborative Economy arises: are we looking at post-capitalist practices that open the way to a more just and egalitarian society or, rather, at a response by capital to, once again, keep privately extracting the value that is socially generated? This article, starting from the analysis of the set of initiatives detected in Andalusia, focuses on those based on free software and digital production, concluding how, thanks to the incorporation of certain aspects of the hacker ethic and the logics of open knowledge, these can be placed within a scenario of promoting the global commons against the prevailing logics of netarchical capitalism.
Abstract:
Cyber-physical systems tightly integrate physical processes and information and communication technologies. As today’s critical infrastructures, e.g., the power grid or water distribution networks, are complex cyber-physical systems, ensuring their safety and security becomes of paramount importance. Traditional safety analysis methods, such as HAZOP, are ill-suited to assess these systems. Furthermore, cybersecurity vulnerabilities are often not considered critical, because their effects on the physical processes are not fully understood. In this work, we present STPA-SafeSec, a novel analysis methodology for both safety and security. Its results show the dependencies between cybersecurity vulnerabilities and system safety. Using this information, the most effective mitigation strategies to ensure safety and security of the system can be readily identified. We apply STPA-SafeSec to a use case in the power grid domain, and highlight its benefits.
Abstract:
In recent years, the adaptation of Wireless Sensor Networks (WSNs) to application areas requiring mobility increased the security threats against confidentiality, integrity and privacy of the information as well as against their connectivity. Since key management plays an important role in securing both information and connectivity, a proper authentication and key management scheme is required in mobility-enabled applications where the authentication of a node with the network is a critical issue. In this paper, we present an authentication and key management scheme supporting node mobility in a heterogeneous WSN that consists of several low-capability sensor nodes and a few high-capability sensor nodes. We analyze our proposed solution by using MATLAB (analytically) and by simulation (OMNET++ simulator) to show that it has less memory requirement and has good network connectivity and resilience against attacks compared to some existing schemes. We also propose two levels of secure authentication methods for the mobile sensor nodes for secure authentication and key establishment.
Abstract:
Software protection is an essential aspect of information security to withstand malicious activities on software, and preserving software assets. However, software developers still lack a methodology for the assessment of the deployed protections. To solve these issues, we present a novel attack simulation based software protection assessment method to assess and compare various protection solutions. Our solution relies on Petri Nets to specify and visualize attack models, and we developed a Monte Carlo based approach to simulate attacking processes and to deal with uncertainty. Then, based on this simulation and estimation, a novel protection comparison model is proposed to compare different protection solutions. Lastly, our attack simulation based software protection assessment method is presented. We illustrate our method by means of a software protection assessment process to demonstrate that our approach can provide a suitable software protection assessment for developers and software companies.
Abstract:
The human factor is often recognised as a major aspect of cyber-security research. Risk and situational perception are identified as key factors in the decision making process, often playing a lead role in the adoption of security mechanisms. However, risk awareness and perception have been poorly investigated in the field of eHealth wearables. Whilst end-users often have limited understanding of privacy and security of wearables, assessing the perceived risks and consequences will help shape the usability of future security mechanisms. This paper presents a survey of the risks and situational awareness in eHealth services. An analysis of the lack of security and privacy measures in connected health devices is described with recommendations to circumvent critical situations.
Abstract:
Sustainability in software systems is still a new practice that most software developers and companies are trying to incorporate into their software development lifecycle and has been largely discussed in academia. Sustainability is a complex concept viewed from economic, environmental and social dimensions, with several definitions proposed, sometimes making the concept of sustainability very fuzzy and difficult to apply and assess in software systems. This has hindered the adoption of sustainability in the software industry. A little research explores sustainability as a quality property of software products and services to answer questions such as: How to quantify sustainability as a quality construct in the same way as other quality attributes such as security, usability and reliability? How can it be applied to software systems? What are the measures and measurement scale of sustainability? The goal of this research is to investigate the definitions, perceptions and measurement of sustainability from the quality perspective. Grounded in the general theory of software measurement, the aim is to develop a method that decomposes sustainability into factors, criteria and metrics. The result is a method to quantify and assess sustainability of software systems while incorporating management and users' concerns. Conclusion: The method will empower the ability of companies to easily adopt sustainability while facilitating its integration into the software development process and tools. It will also help companies to measure sustainability of their software products from economic, environmental, social, individual and technological dimensions.
Abstract:
Database schemas, in many organizations, are considered one of the critical assets to be protected. From database schemas, it is not only possible to infer the information being collected but also the way organizations manage their businesses and/or activities. One of the ways to disclose database schemas is through the Create, Read, Update and Delete (CRUD) expressions. In fact, their use can follow strict security rules or be unregulated by malicious users. In the first case, users are required to master database schemas. This can be critical when applications that access the database directly, which we call database interface applications (DIA), are developed by third party organizations via outsourcing. In the second case, users can disclose partially or totally database schemas following malicious algorithms based on CRUD expressions. To overcome this vulnerability, we propose a new technique where CRUD expressions cannot be directly manipulated by DIAs any more. Whenever a DIA starts up, the associated database server generates a random codified token for each CRUD expression and sends it to the DIA that the database servers can use to execute the corresponding CRUD expression. In order to validate our proposal, we present a conceptual architectural model and a proof of concept.
Abstract:
Requirements specification has long been recognized as a critical activity in software development processes because of its impact on project risks when poorly performed. A large number of studies address theoretical aspects, propositions of techniques, and recommended practices for Requirements Engineering (RE). To be successful, RE has to ensure that the specified requirements are complete and correct, which means that all intents of the stakeholders in a given business context are covered by the requirements and that no unnecessary requirement was introduced. However, the accurate capture of the business intents of the stakeholders remains a challenge and it is a major factor of software project failures. This master's dissertation presents a novel method referred to as "Problem-Based SRS" aiming at improving the quality of the Software Requirements Specification (SRS) in the sense that the stated requirements provide suitable answers to real customer's business issues. In this approach, the knowledge about the software requirements is constructed from the knowledge about the customer's problems. Problem-Based SRS consists of an organization of activities and outcome objects through a process that contains five main steps. It aims at supporting the software requirements engineering team to systematically analyze the business context and specify the software requirements, taking also into account a first glance and vision of the software. The quality aspects of the specifications are evaluated using traceability techniques and axiomatic design principles. The case studies conducted and presented in this document point out that the proposed method can contribute significantly to improving the software requirements specification.
Abstract:
Context. Within the core accretion scenario of planetary formation, most simulations performed so far always assume the accreting envelope to have a solar composition. From the study of meteorite showers on Earth and numerical simulations, we know that planetesimals must undergo thermal ablation and disruption when crossing a protoplanetary envelope. Thus, once the protoplanet has acquired an atmosphere, not all planetesimals reach the core intact, i.e. the primordial envelope (mainly H and He) gets enriched in volatiles and silicates from the planetesimals. This change of envelope composition during the formation can have a significant effect on the final atmospheric composition and on the formation timescale of giant planets. Aims. We investigate the physical implications of considering the envelope enrichment of protoplanets due to the disruption of icy planetesimals during their way to the core. Particular focus is placed on the effect on the critical core mass for envelopes where condensation of water can occur. Methods. Internal structure models are numerically solved with the implementation of updated opacities for all ranges of metallicities and the software Chemical Equilibrium with Applications to compute the equation of state. This package computes the chemical equilibrium for an arbitrary mixture of gases and allows the condensation of some species, including water. This means that the latent heat of phase transitions is consistently incorporated in the total energy budget. Results. The critical core mass is found to decrease significantly when an enriched envelope composition is considered in the internal structure equations. A particularly strong reduction of the critical core mass is obtained for planets whose envelope metallicity is larger than Z ≈ 0.45 when the outer boundary conditions are suitable for condensation of water to occur in the top layers of the atmosphere.
We show that this effect is qualitatively preserved even when the atmosphere is out of chemical equilibrium. Conclusions. Our results indicate that the effect of water condensation in the envelope of protoplanets can severely affect the critical core mass, and should be considered in future studies.
Abstract:
This paper researches the information security value in e-entrepreneurship by revising the literature that establishes the entrepreneurial domain and by relating it with the development of technological resources that create value for the customer in an online business. It details multiple paradigms regarding consumer’s values of information security, while relating them with common practices and previous researches in technological entrepreneurship. This research presents and discusses the benefits of information security standards in e-entrepreneurship. It details and discusses the ISO 27001 and PCI-DSS information security standards that can be used to differentiate security initiatives to achieve competitive advantage, while preserving information leadership as a critical resource for online business success. Based on the literature review, a theoretical research model is presented and research hypotheses are discussed. This model believes that information security affects information leadership and that information leadership, as a unique resource in e-business, contributes to e-entrepreneurship success. The adoption of information security standards affects customer’s trust in e-business, which also benefits e-entrepreneurial strategy.
Abstract:
With wireless vehicular communications, Vehicular Ad Hoc Networks (VANETs) enable numerous applications to enhance traffic safety, traffic efficiency, and driving experience. However, VANETs also impose severe security and privacy challenges which need to be thoroughly investigated. In this dissertation, we enhance the security, privacy, and applications of VANETs, by 1) designing application-driven security and privacy solutions for VANETs, and 2) designing appealing VANET applications with proper security and privacy assurance. First, the security and privacy challenges of VANETs with most application significance are identified and thoroughly investigated. With both theoretical novelty and realistic considerations, these security and privacy schemes are especially appealing to VANETs. Specifically, multi-hop communications in VANETs suffer from packet dropping, packet tampering, and communication failures which have not been satisfyingly tackled in literature. Thus, a lightweight reliable and faithful data packet relaying framework (LEAPER) is proposed to ensure reliable and trustworthy multi-hop communications by enhancing the cooperation of neighboring nodes. Message verification, including both content and signature verification, generally is computation-extensive and incurs severe scalability issues to each node. The resource-aware message verification (RAMV) scheme is proposed to ensure resource-aware, secure, and application-friendly message verification in VANETs. On the other hand, to make VANETs acceptable to the privacy-sensitive users, the identity and location privacy of each node should be properly protected. To this end, a joint privacy and reputation assurance (JPRA) scheme is proposed to synergistically support privacy protection and reputation management by reconciling their inherent conflicting requirements. 
Besides, the privacy implications of short-time certificates are thoroughly investigated in a short-time certificates-based privacy protection (STCP2) scheme, to make privacy protection in VANETs feasible with short-time certificates. Secondly, three novel solutions, namely VANET-based ambient ad dissemination (VAAD), general-purpose automatic survey (GPAS), and VehicleView, are proposed to support the appealing value-added applications based on VANETs. These solutions all follow practical application models, and an incentive-centered architecture is proposed for each solution to balance the conflicting requirements of the involved entities. Besides, the critical security and privacy challenges of these applications are investigated and addressed with novel solutions. Thus, with proper security and privacy assurance, these solutions show great application significance and economic potentials to VANETs. Thus, by enhancing the security, privacy, and applications of VANETs, this dissertation fills the gap between the existing theoretic research and the realistic implementation of VANETs, facilitating the realistic deployment of VANETs.