Assessing database and network threats in traditional and cloud computing
Cloud Computing is currently one of the most widely discussed terms in IT. While it offers a range of technological and financial benefits, its acceptance by organizations is not yet widespread. Security concerns are a main reason for this, and this paper studies the data and network threats posed in both traditional and cloud paradigms in an effort to ascertain in which areas cloud computing addresses security issues and where it introduces new ones. This evaluation is based on Microsoft’s STRIDE threat model and discusses the stakeholders, the impact, and recommendations for tackling each threat.
The Effect of Security Education and Expertise on Security Assessments: the Case of Software Vulnerabilities
In spite of the growing importance of software security and the industry demand for more cyber security expertise in the workforce, the effect of security education and experience on the ability to assess complex software security problems has only been recently investigated. As a proxy for the full range of software security skills, we considered the problem of assessing the severity of software vulnerabilities by means of a structured analysis methodology widely used in industry (i.e. the Common Vulnerability Scoring System (CVSS) v3), and designed a study to compare how accurately individuals with a background in information technology but different professional experience and education in cyber security are able to assess the severity of software vulnerabilities. Our results provide some structural insights into the complex relationship between education or experience of assessors and the quality of their assessments. In particular, we find that individual characteristics matter more than professional experience or formal education; apparently it is the combination of skills that one owns (including the actual knowledge of the system under study), rather than the specialization or the years of experience, that influences the assessment quality more. Similarly, we find that the overall advantage given by professional expertise significantly depends on the composition of the individual security skills as well as on the available information.
Comment: Presented at the Workshop on the Economics of Information Security (WEIS 2018), Innsbruck, Austria, June 201
Evaluating the resilience and security of boundaryless, evolving socio-technical Systems of Systems
Disaster-Resilient Control Plane Design and Mapping in Software-Defined Networks
Communication networks, such as core optical networks, heavily depend on their physical infrastructure, and hence they are vulnerable to man-made disasters, such as Electromagnetic Pulse (EMP) or Weapons of Mass Destruction (WMD) attacks, as well as to natural disasters. Large-scale disasters may cause huge data loss and connectivity disruption in these networks. As our dependence on network services increases, the need for novel survivability methods to mitigate the effects of disasters on communication networks becomes a major concern. Software-Defined Networking (SDN), by centralizing control logic and separating it from physical equipment, facilitates network programmability and opens up new ways to design disaster-resilient networks. On the other hand, to fully exploit the potential of SDN, along with data-plane survivability, we also need to design the control plane to be resilient enough to survive network failures caused by disasters. Several distributed SDN controller architectures have been proposed to mitigate the risks of overload and failure, but they are optimized for limited faults without addressing the extent of large-scale disaster failures. For disaster resiliency of the control plane, we propose to design it as a virtual network, which can be solved using Virtual Network Mapping techniques. We select an appropriate mapping of the controllers over the physical network such that the connectivity among the controllers (controller-to-controller) and between the switches and the controllers (switch-to-controller) is not compromised by physical infrastructure failures caused by disasters. We formally model this disaster-aware control-plane design and mapping problem, and demonstrate a significant reduction in the disruption of controller-to-controller and switch-to-controller communication channels using our approach.
Comment: 6 page
A New Role for Human Resource Managers: Social Engineering Defense
[Excerpt] The general risk of social engineering attacks to organizations has increased with the rise of digital computing and communications, while for an attacker the risk has decreased. In order to counter the increased risk, organizations should recognize that human resources (HR) professionals have just as much responsibility and capability in preventing this risk as information technology (IT) professionals.
Part I of this paper begins by defining social engineering in context and with a brief history of pre-digital-age attacks. It concludes by showing the intersection of HR and IT through examples of operational attack vectors. In Part II, the discussion moves to a series of measures that can be taken to help prevent social engineering attacks.