8 research outputs found

    Model of a secure virtual environment for managing information exchange in scientific and educational organizations

    In this paper, the authors highlight the issues of constructing a set-theoretic model for the administration of information exchange in a protected virtual environment in the interaction of scientific and educational organization

    An access control system to improve security amongst randomly associated nodes in BYOD network

    The growth of mobile devices both in variety and in computational abilities has given birth to a concept in the corporate world known as Bring Your Own Device (BYOD). Employees are allowed under this concept to bring personally owned mobile devices for official work. Though relatively new, it has gained up to 53% patronage among organisations, and it is expected to hit 88% in the near future. Its popularity is driven by the significant advantages it brings along such as reduced cost, employee satisfaction and improved productivity, to mention a few. However, as a relatively new concept, it also introduces new security challenges; for instance, the organisation loses the ownership of devices used for official work to the employees, implying that the employees own and manage the devices they use to work, including seeing to the security needs of such devices. With this development, protecting the corporate network becomes more challenging, outsmarting the usual traditional access control mechanisms, owing to the highly dynamic nature of mobile devices. Considering the fact that BYOD is also a type of pervasive/dynamic environment, this work studies similar dynamic environments, relating to how their security challenges are addressed, as bases to propose an algorithm for enhancing the security of BYOD via access control. Various access control mechanisms have also been adequately analyzed as a justification for the proposed approach

    Interoperable Credentials Management for Wholesale Banking

    A gap exists between wholesale-banking business practices and security best practices: wholesale banks operate within the boundaries of contract law, while security best practices often rely upon a benevolent trusted party outside the scope of straightforward contracts. While some business domains may be able to bridge this gap, the ultra-high-value transactions used in business-to-business banking substantially increase the size of the gap. The gap becomes most apparent when regarded from the perspective of interoperability. If a single user applies the same credential to sign high-value transactions at multiple banks, then the trusted-party model becomes overly cumbersome and conflicts with an acceptable concept of liability. This paper outlines the business complexities of wholesale banking and proposes a solution called Partner Key Management (PKM). PKM technology manages the credentials required to authenticate users and sign transactions. This paper presents PKM technology by describing an interoperable protocol, requisite data structures, and an interoperable XML definition. The paper uses formal methods to demonstrate a security equivalence between revocation options within PKM against the security offered by the traditional Public Key Infrastructure (PKI), a technology that features the benevolent trusted party

    Analyzing And Assuring Missions and Systems by STORM: Introducing and analyzing Systems-Theoretic and Technical Operational Risk Management (STORM)

    The complexity of today’s large, multi-component systems and missions presents a growing risk of failure because of emergent system-level properties. Furthermore, the interconnectivity of systems to other systems creates additional security problems. Yesterday’s safety and security risk analysis methodologies are no longer effective. To manage this complexity, what is needed is a holistic, thorough, systematic, system-level, and formally verified approach to risk analysis to ensure stakeholder-required needs are met, asset losses are mitigated, and the system or mission operates with its intended functionality. Furthermore, these system and mission risks need to be thoroughly documented to increase the visibility of risks so that decision makers have a solid foundation upon which to base risk-mitigating decisions. Finally, the results of the analysis and decisions need to be formally verified and documented for the purpose of auditing and accountability. This thesis presents a solution to this problem, System-theoretic and Technical Operational Risk Management (STORM). STORM is a methodology for designing trustworthy systems and missions that conform to industry standards of trustworthiness, namely the NIST SP 800-160 System Security Engineering Framework. It is also conformable to the Risk Management Framework (NIST SP 800-37). Components of STORM have been successfully demonstrated on automated systems. But testing STORM on a non-automated, human-centered system has yet to be done. This paper demonstrates STORM analysis on the U.S. Army Ranger patrol base operations, an example of such a system. Following the example, this thesis discusses STORM in light of conformance to NIST SP 800-160. It also discusses improvements to STORM that could extend it to a more comprehensive system and mission assurance methodology. This could be done by explicitly adding components of the risk management framework (RMF NIST SP 37 and 800-53) and upgrading its documentation requirements based on the Assurance Case (AC) Methodology [1]. These additions would strengthen STORM’s trustworthiness component

    Protection Models for Web Applications

    Early web applications were a set of static web pages connected to one another. In contrast, modern applications are full-featured programs that are nearly equivalent to desktop applications in functionality. However, web servers and web browsers, which were initially designed for static web pages, have not updated their protection models to deal with the security consequences of these full-featured programs. This mismatch has been the source of several security problems in web applications. This dissertation proposes new protection models for web applications. The design and implementation of prototypes of these protection models in a web server and a web browser are also described. Experiments are used to demonstrate the improvements in security and performance from using these protection models. Finally, this dissertation also describes systematic design methods to support the security of web applications

    STATIC ENFORCEMENT OF TERMINATION-SENSITIVE NONINTERFERENCE USING THE C++ TEMPLATE TYPE SYSTEM

    A side channel is an observable attribute of program execution other than explicit communication, e.g., power usage, execution time, or page fault patterns. A side-channel attack occurs when a malicious adversary observes program secrets through a side channel. This dissertation introduces Covert C++, a library which uses template metaprogramming to superimpose a security-type system on top of C++’s existing type system. Covert C++ enforces an information-flow policy that prevents secret data from influencing program control flow and memory access patterns, thus obviating side-channel leaks. Formally, Covert C++ can facilitate an extended definition of the classical noninterference property, broadened to also cover the dynamic execution property of memory-trace obliviousness. This solution does not require any modifications to the compiler, linker, or C++ standard. To verify that these security properties can be preserved by the compiler (i.e., by compiler optimizations), this dissertation introduces the Noninterference Verification Tool (NVT). The NVT employs a novel dynamic analysis technique which combines input fuzzing with dynamic memory tracing. Specifically, the NVT detects when secret data influences a program’s memory trace, i.e., the sequence of instruction fetches and data accesses. Moreover, the NVT signals when a program leaks secret data to a publicly-observable storage channel. The Covert C++ library and the NVT are two components of the broader Covert C++ toolchain. The toolchain also provides a collection of refactoring tools to interactively transform legacy C or C++ code into Covert C++ code. Finally, the dissertation introduces libOblivious, a library to facilitate high-performance memory-trace oblivious computation with Covert C++

    Implementation of a data network access system to improve access control of microcomputer devices in a mass-consumption food manufacturing and marketing company - 2021

    This thesis presents the problem of the lack of a centralized network access system for microcomputer devices, caused by the geographic growth of offices located nationwide and the increase in end devices used by users. As a consequence, unauthorized connections are not known in real time, which can lead to access to unauthorized resources, threats and vulnerabilities in the data network. The objective of this research is therefore to implement a data network access system to improve access control of microcomputer devices in the mass-consumption food manufacturing and marketing company. To that end, Cisco's PPDIOO methodology was used, which consists of 6 solid phases that are used to carry out the implementation of the network access system. As a result, the data collected were analyzed and understood so that the results could be compared, and it was shown that implementing a network access system integrated with an external authentication service such as Active Directory improved the authentication of authorized and unauthorized devices, while also complying with certain authentication policies through which they can access permitted resources. It is therefore concluded and recommended that, to improve access control of microcomputer devices in the data network, a network access system be implemented, as was done in this research work. Campus Lima Centr

    Analysis of Password Management

    It has gradually been verified that information belonging to different Internet users is increasingly exposed to attacks. These invasions compromise their data, and so some answers have arisen, such as information security. One of the most important factors related to this concept is authenticity. Biometrics and security tokens are examples used to ensure it. However, the mechanism that stands out most is the pair composed of a username and password. Nevertheless, this has revealed some problems. If a single secret is used to protect all the websites, and it is discovered, users’ information will be fully compromised. If multiple passwords are used, there may be a risk of forgetting access credentials. On the other hand, there are drawbacks if they are short (easily found) or long (hard to remember). Considering the reported statements, password managers have been applied. Such methods allow passwords to be stored and generated, and can have different types of solutions, ranging between local, mobile or even web-based. All of these have advantages (depending on the scenario), as well as common disadvantages. In order to check if these tools offer the promised security, an intensive analysis was performed on some programs, chosen for their performance and reputation, that are already on the market. If they proved to be ineffective, an application to solve the discovered problems would be proposed. However, it was concluded that a mechanism providing the desired protection already exists. Thereby, only a study was conducted about the approaches that can be adopted, pointing out the one that was presented as more appropriate