
    Assessing the Security Posture of OpenEMR Using CAPEC Attack Patterns

    Attack patterns describe the common methods of exploiting software. Good software engineering practices and principles alone are not enough to produce secure software. It is also important to know how software is attacked and to guard against it. Knowledge of attack patterns provides a good perspective of an attacker, thus enabling developers and testers to build secure software. The CAPEC list is a taxonomy of attack patterns which we believe can enhance security testing. This research seeks to assess the security posture of OpenEMR 4.1.1, an open source Electronic Medical Record (EMR) system, based on CAPEC attack patterns. Five categories of CAPEC attack patterns were analyzed to find their relevance and applicability to OpenEMR. Whereas inapplicable attack patterns were not further considered, applicable attack patterns were further tested to assess OpenEMR's vulnerability to them. Various security testing tools were used to carry out the tests. Attack patterns helped to focus black-box and white-box testing procedures on what and where to test. OpenEMR was found to have a number of vulnerabilities, such as cross-site scripting, authentication bypass and session sidejacking, among others. A number of exploitations were carried out based on the vulnerabilities discovered.

    Environmental uncertainty and end-user security behaviour: a study during the COVID-19 pandemic

    The COVID-19 pandemic has forced individuals to adopt online applications and technologies, as well as remote working patterns. However, with changes in technology and working patterns, new vulnerabilities are likely to arise. Cybersecurity threats have rapidly evolved to exploit uncertainty during the pandemic, and users need to apply careful judgment and vigilance to avoid becoming the victim of a cyber-attack. This paper explores the factors that motivate security behaviour, considering the current environmental uncertainty. An adapted model, primarily based on the Protection Motivation Theory (PMT), is proposed and evaluated using data collected from an online survey of 222 respondents from a Higher Education institution. Data analysis was performed using Partial Least Squares Structural Equation Modelling (PLS-SEM). The results confirm the applicability of PMT in the security context. Respondents' behavioural intention, perceived threat vulnerability, response cost, response efficacy, security habits, and subjective norm predicted self-reported security behaviour. In contrast, environmental uncertainty, attitude towards policy compliance, self-efficacy and perceived threat severity did not significantly impact behavioural intention. The results show that respondents were able to cope with environmental uncertainty and maintain security behaviour.

    Revision of Security Risk-oriented Patterns for Distributed Systems

    Security risk management is an important part of software development. Considering that most of today's enterprises depend heavily on information systems, security plays an important role in ensuring smoothly functioning business processes. Many people use e-services offered, for example, by banks and the health insurance fund. Inadequate security measures in information systems can have unwanted consequences both for a company's reputation and for people's lives.

    Software security usually has to be dealt with throughout the software development period and the lifetime of the software. According to studies, software security issues are addressed only at the development and maintenance stages. Since mitigating security risks usually entails changes to the information system's specification, it is more sensible to perform the security analysis in the early stage of software development. This makes it possible to rule out unsuitable solutions early. In addition, it helps avoid later costly changes to the software architecture.

    In this thesis we address the problem of developing secure software by proposing security risk-oriented patterns as a solution. These patterns help find security risks in business processes and propose solutions that mitigate them. Security patterns give analysts a tool for composing security requirements for business processes. They also reduce the effort needed for risk analysis. In our work we align security risk-oriented patterns against threat patterns for distributed systems. This allows us to improve the existing security risk patterns and to introduce additional patterns for mitigating security risks in distributed systems.

    The usability of security risk-oriented patterns has been verified on business processes in aviation. The results show that security risk-oriented patterns can be used to mitigate security risks in distributed systems.

    Security risk management is an important part of software development. Given that the majority of modern organizations rely heavily on information systems, security plays a big part in ensuring the smooth operation of business processes. Many people rely on e-services offered by banks and medical establishments. Inadequate security measures in information systems could have unwanted effects on an organization's reputation and on people's lives. Security concerns usually need to be addressed throughout the development and lifetime of a software system. Literature reports, however, that security is often considered during the implementation and maintenance stages of software development. Since security risk mitigation usually results in changes to an IS's specification, security analysis is best done at an early phase of the development process. This allows an early exclusion of inadequate system designs. Additionally, it helps prevent the need for fundamental and expensive design changes later in the development process. In this thesis, we target the secure system development problem by suggesting the application of security risk-oriented patterns. These patterns help find security risk occurrences in business processes and present mitigations for these risks. They provide business analysts with means to elicit and introduce security requirements to business processes. At the same time, they reduce the effort needed for risk analysis. We confront the security risk-oriented patterns against threat patterns for distributed systems. This allows us to refine the collection of existing patterns and introduce additional patterns to mitigate security risks in processes of distributed systems. The applicability of these security risk-oriented patterns is validated on business processes from an aviation turnaround system. The validation results show that the security risk-oriented patterns can be used to mitigate security risks in distributed systems.

    Patterns of information security postures for socio-technical systems and systems-of-systems

    This paper describes a proposal to develop patterns of security postures for computer-based socio-technical systems and systems-of-systems. Such systems typically span many organisational boundaries, integrating multiple computer systems, infrastructures and organisational processes. The paper describes the motivation for the proposed work, and our approach to the development, specification, integration and validation of security patterns for socio-technical and system-of-system scale systems.
