Refining the PoinTER “human firewall” pentesting framework

PurposePenetration tests have become a valuable tool in the cyber security defence strategy, in terms of detecting vulnerabilities. Although penetration testing has traditionally focused on technical aspects, the field has started to realise the importance of the human in the organisation, and the need to ensure that humans are resistant to cyber-attacks. To achieve this, some organisations “pentest” their employees, testing their resilience and ability to detect and repel human-targeted attacks. In a previous paper we reported on PoinTER (Prepare TEst Remediate), a human pentesting framework, tailored to the needs of SMEs. In this paper, we propose improvements to refine our framework. The improvements are based on a derived set of ethical principles that have been subjected to ethical scrutiny.MethodologyWe conducted a systematic literature review of academic research, a review of actual hacker techniques, industry recommendations and official body advice related to social engineering techniques. To meet our requirements to have an ethical human pentesting framework, we compiled a list of ethical principles from the research literature which we used to filter out techniques deemed unethical.FindingsDrawing on social engineering techniques from academic research, reported by the hacker community, industry recommendations and official body advice and subjecting each technique to ethical inspection, using a comprehensive list of ethical principles, we propose the refined GDPR compliant and privacy respecting PoinTER Framework. The list of ethical principles, we suggest, could also inform ethical technical pentests.OriginalityPrevious work has considered penetration testing humans, but few have produced a comprehensive framework such as PoinTER. PoinTER has been rigorously derived from multiple sources and ethically scrutinised through inspection, using a comprehensive list of ethical principles derived from the research literature

Scenarios for the development of smart grids in the UK: literature review

Smart grids are expected to play a central role in any transition to a low-carbon energy future, and much research is currently underway on practically every area of smart grids. However, it is evident that even basic aspects such as theoretical and operational definitions, are yet to be agreed upon and be clearly defined. Some aspects (efficient management of supply, including intermittent supply, two-way communication between the producer and user of electricity, use of IT technology to respond to and manage demand, and ensuring safe and secure electricity distribution) are more commonly accepted than others (such as smart meters) in defining what comprises a smart grid. It is clear that smart grid developments enjoy political and financial support both at UK and EU levels, and from the majority of related industries. The reasons for this vary and include the hope that smart grids will facilitate the achievement of carbon reduction targets, create new employment opportunities, and reduce costs relevant to energy generation (fewer power stations) and distribution (fewer losses and better stability). However, smart grid development depends on additional factors, beyond the energy industry. These relate to issues of public acceptability of relevant technologies and associated risks (e.g. data safety, privacy, cyber security), pricing, competition, and regulation; implying the involvement of a wide range of players such as the industry, regulators and consumers. The above constitute a complex set of variables and actors, and interactions between them. In order to best explore ways of possible deployment of smart grids, the use of scenarios is most adequate, as they can incorporate several parameters and variables into a coherent storyline. Scenarios have been previously used in the context of smart grids, but have traditionally focused on factors such as economic growth or policy evolution. Important additional socio-technical aspects of smart grids emerge from the literature review in this report and therefore need to be incorporated in our scenarios. These can be grouped into four (interlinked) main categories: supply side aspects, demand side aspects, policy and regulation, and technical aspects.

Information Flow for Security in Control Systems

This paper considers the development of information flow analyses to support resilient design and active detection of adversaries in cyber physical systems (CPS). The area of CPS security, though well studied, suffers from fragmentation. In this paper, we consider control systems as an abstraction of CPS. Here, we extend the notion of information flow analysis, a well established set of methods developed in software security, to obtain a unified framework that captures and extends system theoretic results in control system security. In particular, we propose the Kullback Liebler (KL) divergence as a causal measure of information flow, which quantifies the effect of adversarial inputs on sensor outputs. We show that the proposed measure characterizes the resilience of control systems to specific attack strategies by relating the KL divergence to optimal detection techniques. We then relate information flows to stealthy attack scenarios where an adversary can bypass detection. Finally, this article examines active detection mechanisms where a defender intelligently manipulates control inputs or the system itself in order to elicit information flows from an attacker's malicious behavior. In all previous cases, we demonstrate an ability to investigate and extend existing results by utilizing the proposed information flow analyses

Robotics Software Engineering: A Perspective from the Service Robotics Domain

Robots that support humans by performing useful tasks (a.k.a., service robots) are booming worldwide. In contrast to industrial robots, the development of service robots comes with severe software engineering challenges, since they require high levels of robustness and autonomy to operate in highly heterogeneous environments. As a domain with critical safety implications, service robotics faces a need for sound software development practices. In this paper, we present the first large-scale empirical study to assess the state of the art and practice of robotics software engineering. We conducted 18 semi-structured interviews with industrial practitioners working in 15 companies from 9 different countries and a survey with 156 respondents (from 26 countries) from the robotics domain. Our results provide a comprehensive picture of (i) the practices applied by robotics industrial and academic practitioners, including processes, paradigms, languages, tools, frameworks, and reuse practices, (ii) the distinguishing characteristics of robotics software engineering, and (iii) recurrent challenges usually faced, together with adopted solutions. The paper concludes by discussing observations, derived hypotheses, and proposed actions for researchers and practitioners.Comment: 11 pages + 1 page for references, 3 figures, 3 tables, in proceedings of ESEC/FSE 202

On women, cyber-feminism and information security : assessing security threats by gender

Abstract: The continued rise in information security threats has created a sustained risk to the competitiveness of businesses using computerised technology, particularly in Africa. It is posited that employees are the weakest link to the security of information systems across African businesses. The persistent affirmative campaigns in the fields of science, technology, engineering, and mathematics (STEM) has seen a steady rise of women employees entering the Information Technology (IT) industry. On one hand, this has presented new opportunities for women to play a more meaningful and significant contribution to IT in the advent of cyberfeminism. On the other hand, women now constitute great risk to the security of information systems. This emergent trend in Africa challenges the traditional paradigms where men accounted for higher percentages of sophisticated use of and threat to IT systems. The study applied the descriptive research design to describe the level of efficacy presented by women working in South African organisations. The intention was neither to formulate nor to test any hypothesis, but to use descriptive statistics to understand women’s efficacy, and the potential insider threat women could pose. A total number of 155 closed-ended questionnaires were distributed to women and men working in businesses operating in South Africa. 150 responses were obtained. A computerised statistical analysis software was used to analyse data. Results show that while both women and men had a reasonable understanding of information security tenets, women were perceived to be more cautious regarding how they expressed this understanding. The work is of significance to those in business practice in Africa because of the understanding that men will no longer be seen as the primary malefactors for information security threats. The implication for this study is that as more women are encouraged to pursue STEM disciplines, they will equally become weak links to the security of information systems. It is theorised that gender will no longer be a factor in determining security threat

from pss to cps design a real industrial use case toward industry 4 0

Abstract During the last 10 years, manufacturing companies have faced new challenges for improving their value proposition and being more efficient and effective on the market, satisfying the customer needs. According to this trend, several technologies have been developed and applied in different sectors and with different aims, in order to support such the companies in their reconfiguration. For example, the recent advances in Information and Communications Technologies (ICT) could give also to manufacturing industries the competences required to develop novel sustainable products embedded with a dedicated infrastructure able to provide more service functionalities to customer. In this context, the application of Internet of Things (IoT) have allowed developing the so named Product Service Systems (PSSs). Moreover, the cross-fertilization between such the technologies with the development of other ones have fostered the application of these novel ICT technologies inside the manufacturing companies also at process level. This approach has encouraged the study and development of Cyber-Physical Systems (CPSs). The present paper deals with a real industrial use case, where the application of ICT technologies and specifically the adoption of IoT at a plant of plastic extrusion pipes have allowed optimizing the production process in terms of energy efficiency

Reciprocal Learning in Production and Logistics

Integration of AI technologies and learnable systems in production and logistics transforms the concepts of work organization and task assignments to human and machine agents. Thus, the question arises of what intelligent machines and human workers may be able to achieve as teammates. One answer may be guiding and training the workforce at the workplace to cope with emerging skill mismatches, emphasized by concepts of work-based learning. The extension of cyber-physical production systems towards becoming human-centered and social systems enabling human-machine interaction, creates opportunities for human-machine symbiosis by complementing each other's strengths. In this way, the concept of “Reciprocal Learning” (RL) between humans and intelligent machines has emerged, which is still rather ambiguous and lacks a profound knowledge base. Especially in production and logistics, literature is fragmented. Hence, the objective of this paper is to conduct a systematic literature review to elicit and cluster the knowledge base in RL represented by adjacent interdisciplinary fields of research, such as social and computer sciences. This work contributes to the literature by developing a comprehensive knowledge base on the concept of RL enabling to pursue future research directions towards the realization of human-machine symbiosis through RL in production and logistics

Supporting the Discovery, Reuse, and Validation of Cybersecurity Requirements at the Early Stages of the Software Development Lifecycle

The focus of this research is to develop an approach that enhances the elicitation and specification of reusable cybersecurity requirements. Cybersecurity has become a global concern as cyber-attacks are projected to cost damages totaling more than $10.5 trillion dollars by 2025. Cybersecurity requirements are more challenging to elicit than other requirements because they are nonfunctional requirements that requires cybersecurity expertise and knowledge of the proposed system. The goal of this research is to generate cybersecurity requirements based on knowledge acquired from requirements elicitation and analysis activities, to provide cybersecurity specifications without requiring the specialized knowledge of a cybersecurity expert, and to generate reusable cybersecurity requirements. The proposed approach can be an effective way to implement cybersecurity requirements at the earliest stages of the system development life cycle because the approach facilitates the identification of cybersecurity requirements throughout the requirements gathering stage. This is accomplished through the development of the Secure Development Ontology that maps cybersecurity features and the functional features descriptions in order to train a classification machine-learning model to return the suggested security requirements. The SD-SRE requirements engineering portal was created to support the application of this research by providing a platform to submit use case scenarios and requirements and suggest security requirements for the given system. The efficacy of this approach was tested with students in a graduate requirements engineering course. The students were presented with a system description and tasked with creating use case scenarios using the SD-SRE portal. The entered models were automatically analyzed by the SD-SRE system to suggest the security requirements. The results showed that the approach can be an effective approach to assist in the identification of security requirements