Dynamic risk assessment in IT environments: a decision guide

Security and reliability of information technologies have emerged as major concerns nowadays. Risk assessment, an estimation of negative impacts that might be imposed to a network by a series of potential sources, is one of the main tasks to ensure the security and is performed either statically or dynamically. Static risk assessment cannot satisfy the requirements of real-time and ubiquitous computing networks as it is pre-planned and does not consider upcoming changes such as the creation of new attack strategies. However, dynamic risk assessment (DRA) considers real-time evidences, being capable of diagnosing abnormal events in changing environments. Several DRA approaches have been proposed recently, but it is unclear which technique fits best into IT scenarios with different requirements. Thus, this chapter introduces recent trends in DRA, by analyzing 27 works and proposes a decision guide to help IT managers in choosing the most suitable DRA technique considering three illustrative scenarios – regular computer networks, internet of things, and industrial control systems

Métodos difusos y factores para la identificación del nivel de riesgos de TI en entidades gubernamentales: Una revisión sistemática de la literatura

En la actualidad la tecnología está tomando un rol muy importante en la automatización de procesos en las organizaciones, éstos son abastecidos por activos como: servidores y aplicaciones, donde se involucra todo tipo de información que pueda ser manejada y manipulada. Todo ello trae consigo riesgos de TI a los que se encuentran expuestos por falta de una gestión y análisis organizacional adecuado; los ciberataques cada día evolucionan conjuntamente con los avances tecnológicos, según reportes de dos grandes compañías de seguridad informática como ESET y Kaspersky muestra que la preocupación de las empresas en general se centra en el robo de la información y la infección con códigos maliciosos. Para poder realizar un análisis de riesgos es necesario clasificarlos por niveles a través de factores evaluados de manera cualitativa, así como también hacer uso de una metodología que permita obtener resultados en cuanto a las variables establecidas, para ello es necesario el uso de un modelo difuso adecuado que permita la graduación de los valores introducidos para el análisis. En este estudio se busca identificar métodos de lógica difusa, como también el reconocimiento de factores para la identificación de riesgos de las tecnologías de la información, para su determinación se realizó una revisión sistemática de la literatura utilizando bases de datos reconocidas, de un total de 352 artículos identificados se revisaron 31 artículos donde se puede concluir que existen distintos métodos difusos para la evaluación de riesgos de TI en base a factores como: probabilidad e impacto.LIMAEscuela Profesional de Ingeniería de SistemasIngeniería de Sistemas y Comunicacione

Nature-inspired survivability: Prey-inspired survivability countermeasures for cloud computing security challenges

As cloud computing environments become complex, adversaries have become highly sophisticated and unpredictable. Moreover, they can easily increase attack power and persist longer before detection. Uncertain malicious actions, latent risks, Unobserved or Unobservable risks (UUURs) characterise this new threat domain. This thesis proposes prey-inspired survivability to address unpredictable security challenges borne out of UUURs. While survivability is a well-addressed phenomenon in non-extinct prey animals, applying prey survivability to cloud computing directly is challenging due to contradicting end goals. How to manage evolving survivability goals and requirements under contradicting environmental conditions adds to the challenges. To address these challenges, this thesis proposes a holistic taxonomy which integrate multiple and disparate perspectives of cloud security challenges. In addition, it proposes the TRIZ (Teorija Rezbenija Izobretatelskib Zadach) to derive prey-inspired solutions through resolving contradiction. First, it develops a 3-step process to facilitate interdomain transfer of concepts from nature to cloud. Moreover, TRIZ’s generic approach suggests specific solutions for cloud computing survivability. Then, the thesis presents the conceptual prey-inspired cloud computing survivability framework (Pi-CCSF), built upon TRIZ derived solutions. The framework run-time is pushed to the user-space to support evolving survivability design goals. Furthermore, a target-based decision-making technique (TBDM) is proposed to manage survivability decisions. To evaluate the prey-inspired survivability concept, Pi-CCSF simulator is developed and implemented. Evaluation results shows that escalating survivability actions improve the vitality of vulnerable and compromised virtual machines (VMs) by 5% and dramatically improve their overall survivability. Hypothesis testing conclusively supports the hypothesis that the escalation mechanisms can be applied to enhance the survivability of cloud computing systems. Numeric analysis of TBDM shows that by considering survivability preferences and attitudes (these directly impacts survivability actions), the TBDM method brings unpredictable survivability information closer to decision processes. This enables efficient execution of variable escalating survivability actions, which enables the Pi-CCSF’s decision system (DS) to focus upon decisions that achieve survivability outcomes under unpredictability imposed by UUUR

Cyber-risks in the Industrial Internet of Things (IIoT): towards a method for continuous assessment.

Continuous risk monitoring is considered in the context of cybersecurity management for the Industrial Internet-of-Thing. Cyber risk management best practice is for security controls to be deployed and configured in order to bring down risk exposure to an acceptable level. However, threats and known vulnerabilities are subject to change, and estimates of risk are subject to many uncertainties, so it is important to review risk assessments and update controls when required. Risks are typically reviewed periodically (e.g. once per month), but the accelerating pace of change means that this approach is not sustainable, and there is a requirement for continuous monitoring of cybersecurity risks. The method described in this paper aims to alert security staff of significant changes or trends in estimated risk exposure to facilitate rational and timely decisions. Additionally, it helps predict the success and impact of a nascent security breach allowing better prioritisation of threats and selection of appropriate responses. The method is illustrated using a scenario based on environmental control in a data centre

Supply chain risk analysis

A new decision support system is proposed and developed that will help sustaining business in a high-risk business environment. The system is developed as a web application to better integrate the supply chain entities and to provide a common platform for performing risk analysis in a supply chain. The system performs a risk analysis and calculates risk factor with each activity in the supply considering its interrelationship with other activities. Bayesian networks along with fault tree structures are embedded in the system and logical rules are used to perform a qualitative fault tree analysis, as the data required to calculate the frequency of occurrence is rarely available. The developed system guides the risk assessment process: from asset identification to consequence analysis before estimating the risk factor associated with each activity in the supply chain. The system is tested with a sample case study on a highly explosive product. Results show that the system is capable of identifying high-risk threats. The system further needs to be developed to add a safeguard analysis module and to enable automatic data extraction from the enterprise resource planning and legacy databases. It is expected that the system on complete development and induction will help supply chain managers to manage business risks and operations more efficiently and effectively by providing a complete picture of the risk environment and safeguards required to reduce the risk level

Secure Cloud-Edge Deployments, with Trust

Assessing the security level of IoT applications to be deployed to heterogeneous Cloud-Edge infrastructures operated by different providers is a non-trivial task. In this article, we present a methodology that permits to express security requirements for IoT applications, as well as infrastructure security capabilities, in a simple and declarative manner, and to automatically obtain an explainable assessment of the security level of the possible application deployments. The methodology also considers the impact of trust relations among different stakeholders using or managing Cloud-Edge infrastructures. A lifelike example is used to showcase the prototyped implementation of the methodology