47,396 research outputs found
Predicting Exploitation of Disclosed Software Vulnerabilities Using Open-source Data
Each year, thousands of software vulnerabilities are discovered and reported
to the public. Unpatched known vulnerabilities are a significant security risk.
It is imperative that software vendors quickly provide patches once
vulnerabilities are known and users quickly install those patches as soon as
they are available. However, most vulnerabilities are never actually exploited.
Since writing, testing, and installing software patches can involve
considerable resources, it would be desirable to prioritize the remediation of
vulnerabilities that are likely to be exploited. Several published research
studies have reported moderate success in applying machine learning techniques
to the task of predicting whether a vulnerability will be exploited. These
approaches typically use features derived from vulnerability databases (such as
the summary text describing the vulnerability) or social media posts that
mention the vulnerability by name. However, these prior studies share multiple
methodological shortcomings that inflate predictive power of these approaches.
We replicate key portions of the prior work, compare their approaches, and show
how selection of training and test data critically affect the estimated
performance of predictive models. The results of this study point to important
methodological considerations that should be taken into account so that results
reflect real-world utility
Risk mitigation decisions for it security
Enterprises must manage their information risk as part of their larger operational risk management program. Managers must choose how to control for such information risk. This article defines the flow risk reduction problem and presents a formal model using a workflow framework. Three different control placement methods are introduced to solve the problem, and a comparative analysis is presented using a robust test set of 162 simulations. One year of simulated attacks is used to validate the quality of the solutions. We find that the math programming control placement method yields substantial improvements in terms of risk reduction and risk reduction on investment when compared to heuristics that would typically be used by managers to solve the problem. The contribution of this research is to provide managers with methods to substantially reduce information and security risks, while obtaining significantly better returns on their security investments. By using a workflow approach to control placement, which guides the manager to examine the entire infrastructure in a holistic manner, this research is unique in that it enables information risk to be examined strategically. © 2014 ACM
A Survey on Wireless Security: Technical Challenges, Recent Advances and Future Trends
This paper examines the security vulnerabilities and threats imposed by the
inherent open nature of wireless communications and to devise efficient defense
mechanisms for improving the wireless network security. We first summarize the
security requirements of wireless networks, including their authenticity,
confidentiality, integrity and availability issues. Next, a comprehensive
overview of security attacks encountered in wireless networks is presented in
view of the network protocol architecture, where the potential security threats
are discussed at each protocol layer. We also provide a survey of the existing
security protocols and algorithms that are adopted in the existing wireless
network standards, such as the Bluetooth, Wi-Fi, WiMAX, and the long-term
evolution (LTE) systems. Then, we discuss the state-of-the-art in
physical-layer security, which is an emerging technique of securing the open
communications environment against eavesdropping attacks at the physical layer.
We also introduce the family of various jamming attacks and their
counter-measures, including the constant jammer, intermittent jammer, reactive
jammer, adaptive jammer and intelligent jammer. Additionally, we discuss the
integration of physical-layer security into existing authentication and
cryptography mechanisms for further securing wireless networks. Finally, some
technical challenges which remain unresolved at the time of writing are
summarized and the future trends in wireless security are discussed.Comment: 36 pages. Accepted to Appear in Proceedings of the IEEE, 201
Subnational Environmental Constitutionalism and Reform in New York State
The State of New York’s constitution was perhaps the first in the world to embody environmental constitutionalism, most directly in what is known as its “Forever Wild” mandate from 1894. In contrast to many subnational environmental provisions, courts in New York have regularly enforced Forever Wild. New York’s Constitution also contains a remarkable mandate that every twenty years voters decide whether to hold elections for delegates to convene a convention to amend the state’s constitution, with the next such opportunity on November 7, 2017. This article explores how subnational constitutionalism from around the world informs discussions about whether and how to amend the charter, and has three parts. Part I provides a primer to the field of subnational environmental constitutionalism. Part II explores the opportunities and challenges in enforcing existing subnational environmental provisions. Part III then examines a case study involving language to consider at a constitutional convention for the State of New York
A framework for cost-sensitive automated selection of intrusion response
In recent years, cost-sensitive intrusion response has gained
significant interest due to its emphasis on the balance between
potential damage incurred by the intrusion and cost of the response.
However, one of the challenges in applying this approach is defining a
consistent and adaptable measurement framework to evaluate the expected
benefit of a response. In this thesis we present a model and framework
for the cost-sensitive assessment and selection of intrusion response.
Specifically, we introduce a set of measurements that characterize the
potential costs associated with the intrusion handling process, and
propose an intrusion response evaluation method with respect to the risk
of potential intrusion damage, the effectiveness of the response action
and the response cost for a system. The proposed framework has the
important quality of abstracting the system security policy from the
response selection mechanism, permitting policy adjustments to be made
without changes to the model. We provide an implementation of the
proposed solution as an IDS-independent plugin tool, and demonstrate its
advantages over traditional static response systems and an existing
dynamic response system
The Impact of Persuasive Response Sequence and Consistency when IT Service Providers Address Auditor-Identified Issues in SOC2 Reports
We examine how an IT service provider’s persuasive communication related to SOC2 report findings influences management’s (i.e., user-entities’) perceptions of the outsourced services. Within SOC2 reports, service providers can attempt to influence management’s impressions of auditor-identified issues and, due to the report’s limited audience, also follow-up with management about these issues. Using dual-process theories of persuasion, we predict the type of persuasion used by a service provider in a SOC2 report (contend or concede), and its consistency with follow-up persuasive appeals (contend or concede), will influence management’s perceptions of the services provided. In an experiment, only when the service provider first contends the auditor’s findings does a follow-up concession (rather than contention) result in more favorable perceptions. Persuasion tactics also influence management’s processing of risk factors, which impact their trust in the service. Thus, IT service providers’ initial and follow-up persuasive communications influence management’s assessment of SOC2 auditor-identified issues
Security Limitations with Cloud Computing: Well-defined Security Measures Using Cloud Computing
Due to the ever-growing threat of security breaches that information technology (IT) organizations continually face, protecting customer information stored in the cloud is critical to ensure data integrity. Research shows that new categories of data breaches frequently emerge; thus, security strategies that build trust in consumers and improve system performance are crucial. The purpose of this qualitative multiple case study was to explore and analyze the strategies used by database administrators (DBAs) to secure data in a private infrastructure as a service (IaaS) cloud environment. The participants comprised of six DBAs from two IT companies in Baltimore, Maryland, with experience and knowledge of security strategies to secure data in private IaaS clouds. The disruptive innovation theory was the foundational framework for this study. Data were collected using semistructured interviews and a review of seven organizational documents. A thematic analysis was used to analyze the data. Two key themes are addressed in this article: importance of well-defined security measures in cloud computing and limitations of existing security controls in cloud computing. The findings of well-defined security strategies may benefit DBAs and IT organizations by providing strategies that may prevent future data breaches. Well-defined security strategies may protect an individual’s data which, in turn, may promote individual well-being and build strong communities. Keywords: cloud computing, security strategies, data breaches DOI: 10.7176/JIEA/11-2-05 Publication date: June 30th 202
- …