
    Gestión Automática de Incidentes e Inventarios GAII (Automatic Incident and Inventory Management)

    One of the problems facing large computing environments is knowing, in real time, the computer inventory at their disposal, the state of each component, the condition it is in, and whether it is under repair or out of use. Currently, some applications have been implemented to inventory the equipment and software that form part of the IT assets of various organizations. These applications allow the various inventory updates, whether due to purchases, decommissioning, repairs, etc., to be recorded manually. To address this problem, an application will be designed that automates the recording and control of the hardware inventory in any establishment, public or private, and, fundamentally, raises alerts on the unauthorized replacement and/or removal of parts from equipment. This Alert System will be a subsystem of the system created by the project already developed during the 2008-2010 period, Seguridad en Ambientes Informáticos (SAI). Track: Computer Security. Red de Universidades con Carreras en Informática (RedUNCI)

    Readiness of local authorities in implementing information security management system (ISMS)

    Information Security Management System (ISMS) is an ICT compliance standard that provides specifications and controls for protecting information security assets and for increasing the integrity and confidence of clients in the agencies, especially those involving government service delivery. The certification is issued by a certification body of the Standards Industrial Research Institute of Malaysia (SIRIM), and the study includes a survey covering the problems faced by Local Authorities in ensuring the confidentiality, integrity and availability of information against any threats and risks that can cripple the agency's services. The research process includes factors such as threats and vulnerabilities, particularly in the security management practices of the agency, which can cause loss of the agencies' information and a negative impact on the services provided by the Local Authority. Studying these factors makes it possible to measure the readiness of local authorities to implement an Information Security Management System (ISMS). The research uses quantitative methods to gather information and analyze the problems the agency faces in ensuring that information is protected, such as assessment taxes, which are the largest contributor to council earnings. The final result of this research concluded that local authorities are still not ready to implement an Information Security Management System (ISMS)

    Establishing, Implementing and Auditing Linux Operating System Hardening Standard for Security Compliance

    Regulations create challenges for companies, as they must meet tough security standards for security compliance every year. Not following security standards makes companies more vulnerable to cyber threats. This paper provides a proof-of-concept solution for complying with the company's operating system hardening requirements by establishing, implementing and auditing a Linux (Debian) operating system hardening standard. This work focuses on building a hardened virtual machine image for the Microsoft Azure platform that is compliant with the hardening standard established in this thesis. Because merely meeting the company's security compliance requirements is not enough, compliance must also be auditable; therefore a proof-of-concept solution is built for automatically auditing the operating system hardening standard, which makes it possible to continuously validate the gap between the standard and the actual configurations on virtual machines. To demonstrate the result, the author analysed the compliance state of virtual machines before and after implementing the new operating system hardening standard

    Automated ISMS control auditability

    This thesis researches a possible reference model for the automated auditability of the technical controls of an ISMS (Information Security Management System). The main objective was to develop a generic framework for automated compliance status monitoring of the ISO27001:2013 standard which could be re-used in any ISMS system. The framework was tested with Proof of Concept (PoC) empirical research in a test infrastructure which simulates the framework's target deployment environment. To fulfil the objective, the thesis first analysed which ISO27001:2013 controls could be implemented using technical means and whether it would be possible to automate the measurement of control compliance for these controls. After that, different sources were used as input material to define how to fulfil, verify and measure the selected controls. The developed framework consists of three parts: Framework Selected Controls, Framework Architecture, and guidance on how to use the framework. It includes the ISO27001:2013 controls which could be automatically audited, a methodology to do this, and a framework for how this could be fulfilled. The testing was performed using three different types of commercial tools to understand whether they could fulfil a part of the developed framework. None of the tested tools was able to fulfil the framework as it is. Empirical research has shown the importance of integrity assurance when aiming for automated security control compliance. This is the essential part and is somewhat lacking in the tested tools

    Schaffung eines nachhaltigen IT-Security Managementkonzepts für kleine und mittlere Unternehmen (Creating a Sustainable IT Security Management Concept for Small and Medium-Sized Enterprises)

    In recent years the subject of IT security has developed into an essential topic in companies worldwide. Originally viewed as a nice add-on, the field of IT security is nowadays at the center of planning and establishment activities for the IT infrastructures of any organisation. Various surveys in the media indicate that the issue of security is increasingly becoming one of the main priorities in the information and communication technology sector. Terms like "Security Management" and "Information Security" in particular are moving into the focus of IT professionals in today's businesses. An essential task is to create adequate IT architectures, coordinated technology management and the definition of roles and responsibilities throughout the enterprise. This has to be done with consideration of established security policies, standards and methods. Strengths and weaknesses of existing systems must be analyzed in order to carry out necessary adjustments and to ensure a continuous improvement of the IT environment, as well as of security awareness within the companies. The objective of this thesis is to create a sustainable IT-Security Management Concept for small and medium enterprises (SMEs). It takes into account the existing planning approaches for IT security that are most common in the German-speaking region. These include the ISO 2700x standards, the IT-Baseline Protection Catalog (IT-Grundschutzkatalog des BSI), the IT-Baseline Protection Approach of the Federal Office for Information Security in Germany (IT-Grundschutzvorgehensweise des BSI), the Austrian Information Security Manual (Österreichisches Sicherheitshandbuch) and the Common Criteria for Information Technology Security Evaluation Standard (CC) for the security evaluation of information technology. Based on these established planning approaches and the identified existing and future challenges concerning the design of an IT-Security Management Concept for SMEs, the requirements are derived. Subsequently they are incorporated into a concept which ensures that, with justifiable effort, a comprehensive and lasting contribution to the improvement of SMEs' IT security can be made. The lasting contribution of this work is further supported by taking into account, alongside existing planning approaches and best practices, the IT security trends that will gain more and more importance in the next 3-4 years. Small and medium-sized businesses are provided with a simple process concept that allows them to quickly select and carry out effective measures for establishing sustainable IT-Security Management. The concept's suitability for daily use is then verified in cooperation with the ViaDonau - Österreichische Wasserstraßen-Gesellschaft mbH

    Enhancing Trust – A Unified Meta-Model for Software Security Vulnerability Analysis

    Over the last decade, a globalization of the software industry has taken place which has facilitated the sharing and reuse of code across existing project boundaries. At the same time, such global reuse also introduces new challenges to the Software Engineering community, with not only code implementation being shared across systems but also any vulnerabilities it is exposed to as well. Hence, vulnerabilities found in APIs no longer affect only individual projects but instead might spread across projects and even global software ecosystem borders. Tracing such vulnerabilities on a global scale becomes an inherently difficult task, with many of the resources required for the analysis not only growing at unprecedented rates but also being spread across heterogeneous resources. Software developers are struggling to identify and locate the required data to take full advantage of these resources. The Semantic Web and its supporting technology stack have been widely promoted to model, integrate, and support interoperability among heterogeneous data sources. This dissertation introduces four major contributions to address these challenges: (1) It provides a literature review of the use of software vulnerabilities databases (SVDBs) in the Software Engineering community. (2) Based on findings from this literature review, we present SEVONT, a Semantic Web based modeling approach to support a formal and semi-automated approach for unifying vulnerability information resources. SEVONT introduces a multi-layer knowledge model which not only provides a unified knowledge representation, but also captures software vulnerability information at different abstract levels to allow for seamless integration, analysis, and reuse of the modeled knowledge. The modeling approach takes advantage of Formal Concept Analysis (FCA) to guide knowledge engineers in identifying reusable knowledge concepts and modeling them. 
(3) A Security Vulnerability Analysis Framework (SV-AF) is introduced, which is an instantiation of the SEVONT knowledge model to support evidence-based vulnerability detection. The framework integrates vulnerability ontologies (and data) with existing Software Engineering ontologies, allowing for the use of Semantic Web reasoning services to trace and assess the impact of security vulnerabilities across project boundaries. Several case studies are presented to illustrate the applicability and flexibility of our modelling approach, demonstrating that the presented knowledge modeling approach can not only unify heterogeneous vulnerability data sources but also enable new types of vulnerability analysis