USBWall: A Novel Security Mechanism to Protect Against Maliciously Reprogrammed USB Devices

Universal Serial Bus (USB) is a popular choice of interfacing computer systems with peripherals. With the increasing support of modern operating systems, it is now truly plug-and-play for most USB devices. However, this great convenience comes with a risk which can allow a device to perform arbitrary actions at any time while it is connected. Researchers have confirmed that a simple USB device such as a mass storage device can be disguised to have an additional function such as a keyboard. An unauthorized keyboard attachment can compromise the security of the host by allowing arbitrary keystrokes to enter the host. This undetectable threat differs from traditional virus that spreads via USB devices due to the location it is stored and the way it behaves. Therefore, it is impossible for current file-level antivirus to be aware of such risk. Currently, there is no commercially available protection for USB devices other than mass storage devices. We propose a novel way to protect the host via a software/hardware solution we named a USBWall. USBWall uses BeagleBoard Black (BBB), a low-cost open-source computer, to act as a middleware to enumerate the devices on behalf of the host. We developed a program to assist the user to identify the risk of a device. We present a simulated USB device with malicious firmware to the USBWall. Based on the results, we confirm that using the USBWall to enumerate USB devices on behalf of the host eliminates risks to the hosts

End-User Awareness of and Adherence to Crisis Preparedness of the Information Systems in New Zealand Organisations

A crisis is a specific, unanticipated, and non-routine event that generates high levels of uncertainty and jeopardizes high value priorities such as life, economic well-being, or physical infrastructures. Some scholars observe that our computing environment has dramatically changed and is now defined by greater use and dependence on technology, while simultaneously it is hampered by technological failures and security vulnerability, which have perhaps led to an increase in the incidence of organisational crises. Because of the high occurrence of crises and the increased dependence on information systems (IS) in organisations, one would assume that most firms would have established measures to counteract these events, however the literature indicated otherwise. The purpose of this research was to explore and understand the factors that contribute to crisis preparedness of the information systems. A comprehensive review of the literature indicated that the IS field has a large volume of publications on information systems disaster recovery, business continuity, information systems risk management and information systems security but little on crisis preparedness of the information systems. This study comprehensively reviewed relevant literature on the nature of crises, crisis preparedness and information systems. The literature review established groundwork necessary for the development of the research hypotheses which were tested during this investigation. A quantitative positivist research approach was proposed. The study utilized a web-based survey to collect quantifiable information on the subject matter from study participants. The survey instrument was developed based on seven research dimensions. From these dimensions descriptive questions were created which formed part of the survey instrument. The collected data was analysed using three different approaches: descriptive statistics, correlation and percentage responses. From the data, facts about crisis preparedness of the information systems in New Zealand organisations were revealed. In total 90 responses were received, 72 of which were eligible for data analyses. The study findings indicate some degree of end-user awareness of and adherence to crisis preparedness of the information systems in New Zealand organisations. However, more emphasis is needed in the understanding of the processes that bring about successful CPIS strategies across varying organisation structures. The academic value of this research is the review of discourse in the fields of crisis preparedness and Information Systems, and the application of some of the theoretical concepts from those fields. These were necessary to test the research hypotheses and their findings can be used to explain the crisis-preparedness phenomenon in future studies. The practical value of this research is the development of a tool that can be used by managers and senior executives to undertake informed decisions with regard to the status or progress of the crisis preparedness of the information systems initiatives in their respective organisations from the end-user perspective