871 results for Information security evaluation
Abstract:
Security risk management is, by definition, a subjective and complex exercise, and it takes time to perform properly. Human resources are fundamental assets for any organization, and as any other asset, they have inherent vulnerabilities that need to be handled, i.e. managed and assessed. However, the nature that characterizes human behavior and the organizational environment where they develop their work make these tasks extremely difficult, hard to accomplish and prone to errors. Assuming security as a cost, organizations are usually focused on the efficiency of the security mechanisms implemented that enable them to protect against external attacks, disregarding the insider risks, which are much more difficult to assess. All this demands an interdisciplinary approach in order to combine technical solutions with psychology approaches in order to understand the organizational staff and detect any changes in their behaviors and characteristics. This paper intends to discuss some methodological challenges to evaluate insider threats and their impacts, and integrate them in a security risk framework, that was defined according to the security standard ISO/IEC_JTC1, to support the security risk management process.
Abstract:
Although the ASP model has been around for over a decade, it has not achieved the expected high level of market uptake. This research project examines the past and present state of ASP adoption and identifies security as a primary factor influencing the uptake of the model. The early chapters of this document examine the ASP model and ASP security in particular. Specifically, the literature and technology review chapter analyses ASP literature, security technologies and best practices with respect to system security in general. Based on this investigation, a prototype to illustrate the range and types of technologies that encompass a security framework was developed and is described in detail. The latter chapters of this document evaluate the practical implementation of system security in an ASP environment. Finally, this document outlines the research outputs, including the conclusions drawn and recommendations with respect to system security in an ASP environment. The primary research output is the recommendation that by following best practices with respect to security, an ASP application can provide the same level of security one would expect from any other n-tier client-server application. In addition, a security evaluation matrix, which could be used to evaluate not only the security of ASP applications but the security of any n-tier application, was developed by the author. This thesis shows that perceptions with regard to fears of inadequate security of ASP solutions and solution data are misguided. Finally, based on the research conducted, the author recommends that ASP solutions should be developed and deployed on tried, tested and trusted infrastructure. Existing Application Programming Interfaces (APIs) should be used where possible and security best practices should be adhered to where feasible.
Abstract:
Identification of ways to enhance consistency and proper entrained air content in hardened concrete pavement has long been a goal of state highway agencies and the Federal Highway Administration. The work performed in this study was done under FHWA Work Order No: DTFH71-97-PTP-IA-47 and referred to as Project HR-1068 by the Iowa DOT. The results of this study indicate that the monitoring devices do provide both the contractor and contracting authority and are a good way of controlling the consistent rate of vibration to achieve a quality concrete pavement product. The devices allow the contractor to monitor vibrator operation effectively and consistently. The equipment proved to be reliable under all weather and paver operating conditions. This type of equipment adds one more way of improving the consistency and quality of the concrete pavement.
Abstract:
This report presents the results of a comparative laboratory study between well- and gap-graded aggregates used in asphalt concrete paving mixtures. A total of 424 batches of asphalt concrete mixtures and 3,960 Marshall and Hveem specimens were examined. There is strong evidence from this investigation that, with proper combinations of aggregates and asphalts, both continuous- and gap-graded aggregates can produce mixtures of high density and of qualities meeting current design criteria. There is also reason to believe that the unqualified acceptance of some supposedly desirable, constant, mathematical relationship between adjacent particle sizes of the form such as Fuller's curve p = 100(d/D)^n is not justified. It is recommended that the aggregate grading limits be relaxed or eliminated and that the acceptance or rejection of an aggregate for use in asphalt pavement be based on individual mixture evaluation. Furthermore, because of the potential attractiveness of gap-graded asphalt concrete in cost, quality, and skid and wear resistance, selected gap-graded mixtures are recommended for further tests both in the laboratory and in the field, especially in regard to ease of compaction and skid and wear resistance.
Abstract:
This report presents the results of a comparative laboratory study between well- and gap-graded aggregates used in asphalt concrete paving mixtures. A total of 424 batches of asphalt concrete mixtures and 3,960 Marshall and Hveem specimens were examined. The main thrust of the statistical analysis conducted in this experiment was in the calibration study and in Part I of the experiment. In the former study, the compaction procedure between the Iowa State University Lab and the Iowa Highway Commission Lab was calibrated. By an analysis of the errors associated with the measurements we were able to separate the "preparation" and "determination" errors for both laboratories as well as develop the calibration curve which describes the relationship between the compaction procedures at the two labs. In Part I, the use of a fractional factorial design in a split plot experiment in measuring the effect of several factors on asphalt concrete strength and weight was exhibited. Also, the use of half normal plotting techniques for indicating significant factors and interactions and for estimating errors in experiments with only a limited number of observations was outlined.
Abstract:
High-speed non-contact laser profilers have become the standard testing equipment for pavement management ride quality testing. The same technology used in the high-speed profilers is now being used in lightweight profilers for construction smoothness testing. The lightweight profilers have many advantages over the California 25-ft profilograph. Despite the many advantages of the lightweight profilers, there is resistance from the contracting industry toward eliminating the 25-ft profilograph for construction ride testing. One way to reduce or overcome the resistance is to evaluate and demonstrate the advantages/disadvantages of the lightweight profiler in actual field use in Iowa. The objective of the study was to purchase a lightweight profiler and to evaluate its suitability for construction smoothness quality verification and quality acceptance on Iowa projects. A lightweight profiler, an Ames Engineering, Inc. LISA single laser unit, was received in February 2003 for the study. Based on the work done during the 2003 construction season, the following conclusions can be made: (1) For hot mix asphalt surfaces, the LISA correlated well with the contractors' profilographs; (2) LISA results are significantly affected by longitudinal tining on portland cement concrete pavements, requiring a laser system upgrade to give accurate results; (3) A significant timesaving was realized by using the LISA; (4) Increasing visibility and reducing time in the construction zone improved safety; (5) One person with limited lifting capabilities could set up and operate the LISA; and (6) With the current Iowa Department of Transportation specification, the LISA cannot totally replace the profilograph, since bridges and short segments with no adjoining pavement would still require a profilograph.
Abstract:
Electronic commerce and banking services have raised a question that is highly critical for business continuity: how these services can be protected against organized crime and various forms of abuse.
Abstract:
Peer-reviewed
Abstract:
This study examines information security as a process (information securing) in terms of what it does, especially beyond its obvious role of protector. It investigates concepts related to ‘ontology of becoming’, and examines what it is that information securing produces. The research is theory driven and draws upon three fields: sociology (especially actor-network theory), philosophy (especially Gilles Deleuze and Félix Guattari’s concept of ‘machine’, ‘territory’ and ‘becoming’, and Michel Serres’s concept of ‘parasite’), and information systems science (the subject of information security). Social engineering (used here in the sense of breaking into systems through non-technical means) and software cracker groups (groups which remove copy protection systems from software) are analysed as examples of breaches of information security. Firstly, the study finds that information securing is always interruptive: every entity (regardless of whether or not it is malicious) that becomes connected to information security is interrupted. Furthermore, every entity changes, becomes different, as it makes a connection with information security (ontology of becoming). Moreover, information security organizes entities into different territories. However, the territories – the insides and outsides of information systems – are ontologically similar; the only difference is in the order of the territories, not in the ontological status of entities that inhabit the territories. In other words, malicious software is ontologically similar to benign software; they both are users in terms of a system. The difference is based on the order of the system and users: who uses the system and what the system is used for. Secondly, the research shows that information security is always external (in the terms of this study it is a ‘parasite’) to the information system that it protects. 
Information securing creates and maintains order while simultaneously disrupting the existing order of the system that it protects. For example, in terms of software itself, the implementation of a copy protection system is an entirely external addition. In fact, this parasitic addition makes software different. Thus, information security disrupts that which it is supposed to defend from disruption. Finally, it is asserted that, in its interruption, information security is a connector that creates passages; it connects users to systems while also creating its own threats. For example, copy protection systems invite crackers and information security policies entice social engineers to use and exploit information security techniques in a novel manner.
Abstract:
Inside cyber security threats by system administrators are some of the main concerns of organizations about the security of systems. Since operating systems are controlled and managed by fully trusted administrators, they can negligently or intentionally break the information security and privacy of users and threaten the system integrity. In this thesis, we propose some solutions for enhancing the security of Linux OS by restricting administrators’ access to superuser’s privileges while they can still manage the system. We designed and implemented an interface for administrators in Linux OS called Linux Admins’ User Interface (LAUI) for managing the system in secure ways. LAUI along with other security programs in Linux like sudo protect confidentiality and integrity of users’ data and provide a more secure system against administrators’ mismanagement. In our model, we limit administrators to perform managing tasks in secure manners and also make administrators accountable for their acts. In this thesis we present some scenarios for compromising users’ data and breaking system integrity by system administrators in Linux OS. Then we evaluate how our solutions and methods can secure the system against these administrators’ mismanagement.
Abstract:
Extensive use of the Internet coupled with the marvelous growth in e-commerce and m-commerce has created a huge demand for information security. The Secure Socket Layer (SSL) protocol is the most widely used security protocol on the Internet which meets this demand. It provides protection against eavesdropping, tampering and forgery. The cryptographic algorithms RC4 and HMAC have been in use for achieving security services like confidentiality and authentication in SSL. But recent attacks against RC4 and HMAC have raised questions about the confidence in these algorithms. Hence two novel cryptographic algorithms, MAJE4 and MACJER-320, have been proposed as substitutes for them. The focus of this work is to demonstrate the performance of these new algorithms and suggest them as dependable alternatives to satisfy the need for security services in SSL. The performance evaluation has been done by using a practical implementation method.