2,278 research outputs found

    An Info-Leak Resistant Kernel Randomization

    [EN] Given the significance that the cloud paradigm has in modern society, it is extremely important to provide security to users at all levels, especially at the most fundamental ones since these are the most sensitive and potentially harmful in the event of an attack. However, the cloud computing paradigm brings new challenges in which security mechanisms are weakened or deactivated to improve profitability and exploitation of the available resources. Kernel randomization is an important security mechanism that is currently present in all main operating systems. Function-Granular Kernel Randomization is a new step that aims to be the future of kernel randomization, because it provides much more security than current kernel randomization approaches. Unfortunately, function-granular kernel randomization also significantly impacts the performance and potential benefits of memory deduplication. Both function-granular kernel randomization and memory deduplication are desired and beneficial; the first for the strong protection it gives, and the second for the reduction of costs in terms of memory consumption. In this paper, we analyse the impact of function-granular kernel randomization on memory deduplication, revealing why it cannot offer maximum security and shareability of memory simultaneously. We also discuss the reasons why having a fully position-independent kernel code counter-intuitively does not solve the problem, introducing a challenge to kernel randomization designers. To solve these problems, we propose a function-granular kernel randomization modification for cloud systems that enables full function-granular kernel randomization while reducing memory deduplication cancellations to almost zero. The proposed approach forces guest kernels of the same tenant to have the same random memory layout of memory regions with high impact on deduplication, ensuring a high rate of deduplicated pages while the kernel randomization is fully enabled. 
Our approach enables cloud providers to have both high levels of security and an efficient use of resources.
    Vañó-García, F.; Marco-Gisbert, H. (2020). An Info-Leak Resistant Kernel Randomization. IEEE Access. 8:161612-161629. https://doi.org/10.1109/ACCESS.2020.3019774

    Standardizing Instructional Definition and Content Supporting Information Security Compliance Requirements

    Information security (IS)-related risks affect global public and private organizations on a daily basis. These risks may be introduced through technical or human-based activities, and can include fraud, hacking, malware, insider abuse, physical loss, mobile device misconfiguration or unintended disclosure. Numerous and diverse regulatory and contractual compliance requirements have been mandated to assist organizations proactively prevent these types of risks. Two constants are noted in these requirements. The first constant is requiring organizations to disseminate security policies addressing risk management through secure behavior. The second constant is communicating policies through IS awareness, training and education (ISATE) programs. Compliance requirements direct that these policies provide instruction about making compliant and positive security decisions to reduce risk. Policy-driven and organizationally-relevant ISATE content is understood to be foundational and critical to prevent security risk. The problem identified for investigation is inconsistency of the terms awareness, training and education as found in security-related regulatory, contractual and policy compliance requirements. Organizations are mandated to manage a rapidly increasing portfolio of inconsistent ISATE compliance requirements generated from many sources. Since there is no one set of common guidance for compliance, organizations struggle to meet global, diverse and inconsistent compliance requirements. Inconsistent policy-related content and instructions, generated from differing sources, may cause incorrect security behavior that can present increased security risk. Traditionally, organizations were required to provide only internally-developed programs, with content left to business, regulatory/contractual, and cultural discretion. Updated compliance requirements now require organizations to disseminate externally-developed content in addition to internally-provided content. 
This real-world business requirement may cause compliance risks due to inconsistent instruction, guidance gaps and lack of organizational relevance. The problem has been experienced by industry practitioners within the last five years due to increased regulatory and contractual compliance requirements. Prior studies have not yet identified specific impacts of multiple and differing compliance requirements on organizations. The need for organizational relevance in ISATE content has been explored in literature, but the amount of organizationally-relevant content has not been examined in balance of newer compliance mandates. The goal of the research project was to develop a standard content definition and framework. Experienced practitioners responsible for ISATE content within their organizations participated in a survey to validate definitions, content, compliance and organizational relevance requirements imposed on their organizations. Fifty-five of 80 practitioners surveyed (68.75% participation rate) provided responses to one or more sections of the survey. This research is believed to be the first to suggest a standardized content definition for ISATE program activities based on literature review, assessment of existing regulatory, contractual, standard and framework definitions and information obtained from specialized practitioner survey data. It is understood to be the first effort to align and synthesize cross-industry compliance requirements, security awareness topics and organizational relevance within information security awareness program content. Findings validated that multiple and varied regulatory and contractual compliance requirements are imposed on organizations. A lower number of organizations were impacted by third party program requirements than was originally expected. Negative and positive impacts of third party compliance requirements were identified. 
Program titles and content definitions vary in respondent organizations and are documented in a variety of organizational methods. Respondents indicated high acceptance of a standard definition of awareness, less so for training and education. Organizationally-relevant program content is highly important and must contain traditional and contemporary topics. Results are believed to be an original contribution to information/cyber security practitioners, with findings of interest to academic researchers, standards/framework bodies, auditing/risk management practitioners and learning/development specialists

    Using Skills Profiling to Enable Badges and Micro-Credentials to be Incorporated into Higher Education Courses

    Employers are increasingly selecting and developing employees based on skills rather than qualifications. Governments now have a growing focus on skilling, reskilling and upskilling the workforce through skills-based development rather than qualifications as a way of improving productivity. Both these changes are leading to a much stronger interest in digital badging and micro-credentialing that enables a more granular, skills-based development of learner-earners. This paper explores the use of an online skills profiling tool that can be used by designers, educators, researchers, employers and governments to understand how badges and micro-credentials can be incorporated within existing qualifications and how skills developed within learning can be compared and aligned to those sought in job roles. This work, and lessons learnt from the case study examples of computing-related degree programmes in the UK, also highlight exciting opportunities for educational providers to develop and accommodate personalised learning into existing formal education structures across a range of settings and contexts

    Security and Privacy Issues of Big Data

    This chapter revises the most important aspects in how computing infrastructures should be configured and intelligently managed to fulfill the most notable security aspects required by Big Data applications. One of them is privacy. It is a pertinent aspect to be addressed because users share more and more personal data and content through their devices and computers to social networks and public clouds. So, a secure framework for social networks is a very hot research topic. This last topic is addressed in one of the two sections of the current chapter with case studies. In addition, the traditional mechanisms to support security such as firewalls and demilitarized zones are not suitable to be applied in computing systems to support Big Data. SDN is an emergent management solution that could become a convenient mechanism to implement security in Big Data systems, as we show through a second case study at the end of the chapter. This also discusses current relevant work and identifies open issues.
    Comment: In book Handbook of Research on Trends and Future Directions in Big Data and Web Intelligence, IGI Global, 201

    Evaluation of machine learning algorithms for anomaly detection

    Malicious attack detection is one of the critical cyber-security challenges in the peer-to-peer smart grid platforms due to the fact that attackers' behaviours change continuously over time. In this paper, we evaluate twelve Machine Learning (ML) algorithms in terms of their ability to detect anomalous behaviours over the networking practice. The evaluation is performed on three publicly available datasets: CICIDS-2017, UNSW-NB15 and the Industrial Control System (ICS) cyber-attack datasets. The experimental work is performed through the ALICE high-performance computing facility at the University of Leicester. Based on these experiments, a comprehensive analysis of the ML algorithms is presented. The evaluation results verify that the Random Forest (RF) algorithm achieves the best performance in terms of accuracy, precision, Recall, F1-Score and Receiver Operating Characteristic (ROC) curves on all these datasets. It is worth pointing out that other algorithms perform closely to RF and that the decision regarding which ML algorithm to select depends on the data produced by the application system

    Networked world: Risks and opportunities in the Internet of Things

    The Internet of Things (IoT) – devices that are connected to the Internet and collect and use data to operate – is about to transform society. Everything from smart fridges and lightbulbs to remote sensors and cities will collect data that can be analysed and used to provide a wealth of bespoke products and services. The impacts will be huge - by 2020, some 25 billion devices will be connected to the Internet with some studies estimating this number will rise to 125 billion in 2030. These will include many things that have never been connected to the Internet before. Like all new technologies, IoT offers substantial new opportunities which must be considered in parallel with the new risks that come with it. To make sense of this new world, Lloyd’s worked with University College London’s (UCL) Department of Science, Technology, Engineering and Public Policy (STEaPP) and the PETRAS IoT Research Hub to publish this report. ‘Networked world’ analyses IoT’s opportunities, risks and regulatory landscape. It aims to help insurers understand potential exposures across marine, smart homes, water infrastructure and agriculture while highlighting the implications for insurance operations and product development. The report also helps risk managers assess how this technology could impact their businesses and consider how they can mitigate associated risks