Hardening an Open-Source Governance Risk and Compliance Software: Eramba

Tese de mestrado, Segurança Informática, Universidade de Lisboa, Faculdade de Ciências, 2020Lições históricas como Chernobyl, Fukushima ou o colapso da ponte de Mississípi revelam a vital importância da gestão de risco. Para além de saber gerir o risco, as empresas têm de desenvolver planos para se precaverem e oferecerem resiliência a qualquer ameaça que possam enfrentar, desde desastres naturais e terrorismo a ciberataques e propagação de vírus. Estes planos são denominados de planos de continuidade de negócio. A crucialidade destes planos e a introdução de novas leis como Lei Sarbanes-Oxley, Diretiva Europeia 2006/43/EC VIII e recentemente do Regulamento de Protecção de Dados geraram uma maior preocupação e sensibilidade nas empresas em aglomerar todos estes processos de governança, risco e conformidade (GRC). GRC integra a implementação da gestão de risco, planos de continuidade de negócio, conformidade com as leis e boas práticas de auditoria externa e interna. As empresas necessitam de uma ferramenta que ofereça uma visão global da Governança, Risco e Conformidade. No entanto, estas ferramentas são por norma dispendiosas, o que faz com que pequenas e médias empresas não tenham meios para suportar o custo. Consequentemente, estas empresas tendem a adoptar ferramentas de código aberto, como SimpleRisk, Envelop ou Eramba. Apesar de suportarem o GRC, existem vários problemas com as aplicações deste tipo, como a falta de manutenção, problemas de migração, dificuldade de escalabilidade, a necessidade constante de fazer atualizações e a grande curva de aprendizagem associada. A Ernst & Young agora conhecida como EY oferece serviços de Consulting, Assurance, Tax e de Strategy and Transaction para ajudar a resolver desafios mais difíceis dos seus clientes e criar valor. Para se preparar para uma futura auditoria, um cliente da EY pertencente ao sector bancário procura ser certificado em ISO/IEC 27001 e ISO/IEC 22301, referentes a Sistema de Gestão de Segurança de Informação (SGSI) e Sistema de Gestão de Continuidade de Negócio (SGCN), respectivamente. Adicionalmente, o cliente visa migrar a sua infraestrutura no local para uma infraestrutura na cloud. Com todos estes fatores em conta, a EY recomendou uma ferramenta de código aberto de GRC chamada Eramba. Esta tese propõe um estudo profundo das vulnerabilidades que o Eramba pode oferecer assim como uma solução para as resolver através de armazenamento em nuvem. Seguindo uma metodologia de pentesting chamada PTES para o estudo de vulnerabilidades foi possível identificar dez vulnerabilidades sendo quase todas de baixo nível. A metodologia PTES recomenda o uso de adoção de modelo de ameaças de modo a perceber como os processos estão correlacionados, onde estão armazenados dados importantes, quais são os principais ativos e como é processado um pedido na aplicação. Para fazer esta modelação foi seguido uma metodologia proposta pela Microsof nomeada de STRIDE, esta metodologia é uma mnemónica para Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service e Elevation of Privilege. A Microsoft propõe um modelo de ameaças em quatro passos: modelação do sistema através de Data Flow Diagrams; encontrar ameaças e consequentemente classificá-las através da nomenclatura STRIDE; endereçar ameaças mitigando e eliminando-as e validar se cada uma foi realmente endereçada com sucesso. De modo a endereçar estes dois últimos passos e para conjugar com os requisitos da empresa de migração para armazenamento na nuvem foi desenvolvido uma solução de tornar o Eramba num container para então usufruir da orquestração de containers que é o Kubernetes. Como resultado, a partir do trabalho desenvolvido é possível que qualquer organização adapte esta solução de GRC e consiga hospedar na nuvem sem enfrentar dificuldades. Este trabalho proporcionou analisar a viabilidade da ferramenta Eramba a longo prazo por qualquer organização e perceber se este é escalável.Historical lessons such as Chernobyl, Fukushima or the collapse of the Mississippi bridge showcase the vital importance of risk management. In addition to managing risk, companies must develop plans to safeguard against and offer resilience to any threat they may face, from natural disasters and terrorism to cyber-attacks and the spread of viruses. These plans are called business continuity plans. The cruciality of these plans and the introduction of new laws such as the Sarbanes-Oxley Act, European Directive 2006/43/EC VIII and recently the Data Protection Regulation have generated greater concern and sensitivity in companies, leading them to agglomerate all these governance, risk and compliance processes (GRC). GRC integrates the implementation of risk management, business continuity plans, law compliance and good external and internal auditory practices. Companies need a tool that provides an overall view of Governance, Risk and Compliance. However, such tools are usually expensive, which means that small and mediumsized companies cannot afford the cost. Consequently, these companies tend to adopt open source tools such as SimpleRisk, Envelop or Eramba. Despite being compliant with GRC, there are several problems with applications of this type, such as lack of maintenance, migration problems, difficulty in scalability, the constant need to make updates and the large learning curve associated. Ernst & Young now known as EY offers Consulting, Assurance, Tax and Strategy and Transaction services to help solve more difficult challenges for its clients and create value. To prepare for a future audit, an EY client within the banking sector seeks to be certified in Business Continuity and Information Security. Additionally, the client aims to migrate its onsite infrastructure to a cloud infrastructure. With all these factors in mind, EY has recommended an open source tool called Eramba. This thesis proposes an in-depth study of the vulnerabilities that Eramba can face as well as a solution to solve them through cloud storage. Following a pentesting methodology called PTES for the study of vulnerabilities it was possible to identify ten vulnerabilities, almost all of which are low level. The PTES methodology recommends the use of a threat model in order to understand how processes are correlated, where important data are stored, what are the main assets and how a request is processed in the application. To make this modeling was followed a methodology proposed by Microsoft named STRIDE, this methodology is a mnemonic for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege. Microsoft proposes a four-step threat model: modeling the system through Data Flow Diagrams; finding threats and consequently classifying them through STRIDE nomenclature; addressing threats by mitigating and reducing them and validating whether each one has actually been successfully addressed. In order to address these last two steps and to combine them with the company’s requirements for migration to cloud storage, a solution has been developed to turn Eramba into a container to then make use of orchestration that is the Kubernetes. As a result, from the work done it is possible for any organization that is an EY customer to adapt this solution and be able to host in the cloud without facing difficulties. This project also provided an overview to analyze if Eramba is secure and scalable

Determining cost-effective intrusion detection approaches for an advanced metering infrastructure deployment using advise

Utilities responsible for Advanced Metering Infrastructure (AMI) networks must be able to defend themselves from a variety of potential attacks so they may achieve the goals of delivering power to consumers and maintaining the integrity of their equipment and data. Intrusion detection systems (IDSes) can play an important part in the defense of such networks. Utilities should carefully consider the strengths and weaknesses of different IDS deployment strategies to choose the most cost-effective solution. Models of adversary behavior in the presence of different IDS deployments can help with making this decision as we demonstrate through a case study that uses a model created in the ADversary VIew Security Evaluation (ADVISE) formalism (which calculates metrics used to compare different IDSes). We show how these metrics give valuable insight into the selection of the appropriate IDS architecture for an AMI network

MobiMed: Framework for Rapid Application Development of Medical Mobile Apps

In the medical field images obtained from high definition cameras and other medical imaging systems are an integral part of medical diagnosis. The analysis of these images are usually performed by the physicians who sometimes need to spend long hours reviewing the images before they are able to come up with a diagnosis and then decide on the course of action. In this dissertation we present a framework for a computer-aided analysis of medical imagery via the use of an expert system. While this problem has been discussed before, we will consider a system based on mobile devices. Since the release of the iPhone on April 2003, the popularity of mobile devices has increased rapidly and our lives have become more reliant on them. This popularity and the ease of development of mobile applications has now made it possible to perform on these devices many of the image analyses that previously required a personal computer. All of this has opened the door to a whole new set of possibilities and freed the physicians from their reliance on their desktop machines. The approach proposed in this dissertation aims to capitalize on these new found opportunities by providing a framework for analysis of medical images that physicians can utilize from their mobile devices thus remove their reliance on desktop computers. We also provide an expert system to aid in the analysis and advice on the selection of medical procedure. Finally, we also allow for other mobile applications to be developed by providing a generic mobile application development framework that allows for access of other applications into the mobile domain. In this dissertation we outline our work leading towards development of the proposed methodology and the remaining work needed to find a solution to the problem. In order to make this difficult problem tractable, we divide the problem into three parts: the development user interface modeling language and tooling, the creation of a game development modeling language and tooling, and the development of a generic mobile application framework. In order to make this problem more manageable, we will narrow down the initial scope to the hair transplant, and glaucoma domains

Safety and Reliability - Safe Societies in a Changing World

The contributions cover a wide range of methodologies and application areas for safety and reliability that contribute to safe societies in a changing world. These methodologies and applications include: - foundations of risk and reliability assessment and management - mathematical methods in reliability and safety - risk assessment - risk management - system reliability - uncertainty analysis - digitalization and big data - prognostics and system health management - occupational safety - accident and incident modeling - maintenance modeling and applications - simulation for safety and reliability analysis - dynamic risk and barrier management - organizational factors and safety culture - human factors and human reliability - resilience engineering - structural reliability - natural hazards - security - economic analysis in risk managemen

Social work with airports passengers

Social work at the airport is in to offer to passengers social services. The main methodological position is that people are under stress, which characterized by a particular set of characteristics in appearance and behavior. In such circumstances passenger attracts in his actions some attention. Only person whom he trusts can help him with the documents or psychologically

IV Міжнародний науковий конгрес "Society of Ambient Intelligence - 2021" (ISCSAI 2021). Кривий Ріг, Україна, 12-16 квітня 2021 року

IV Міжнародний науковий конгрес "Society of Ambient Intelligence - 2021" (ISCSAI 2021). Кривий Ріг, Україна, 12-16 квітня 2021 року - матеріали.IV International Scientific Congress “Society of Ambient Intelligence – 2021” (ISCSAI 2021). Kryvyi Rih, Ukraine, April 12-16, 2021 - proceedings

Друга міжнародна конференція зі сталого майбутнього: екологічні, технологічні, соціальні та економічні питання (ICSF 2021). Кривий Ріг, Україна, 19-21 травня 2021 року

Second International Conference on Sustainable Futures: Environmental, Technological, Social and Economic Matters (ICSF 2021). Kryvyi Rih, Ukraine, May 19-21, 2021.Друга міжнародна конференція зі сталого майбутнього: екологічні, технологічні, соціальні та економічні питання (ICSF 2021). Кривий Ріг, Україна, 19-21 травня 2021 року