Bridging the Security Gap between Software Developers and Penetration Testers: A Job Characteristic Theory Perspective

Building on Job Characteristics Theory (JCT), this article suggests that job characteristics differ between software developers and penetration testers; and subsequently, this generates different levels of job motivation related to information security protection between these groups. This study proposes a research model based on JCT to examine the differences in job motivation between software developers and penetration testers. Insights gained from the research model can be used to: (1) bridge the security gap between software development and penetration testing for alleviating software vulnerabilities and (2) propose viable suggestions to promote mutual understanding between both professional groups for improving software security. Moving beyond the propositions offered by the research model, this study will design and build a laboratory experiment to capture the actual behaviors related to job motivation

Аналіз та дослідження характеристик антивірусного програмного забезпечення, стандартизованого в Україні

The article is devoted to the problem of information security, namely the study of the characteristics of antivirus programs which are standardized in Ukraine. The study used statistical methods to analyze the characteristics of antivirus software and comparative methods of comparing the various types of such programs. Relying on researches in scientific literature, the main threats to information security in the field of information technology were analyzed. The emphasis is placed on the fact that antivirus software is the most effective protection against malicious software (malware). The basic methods of work of the antivirus – signature and heuristic – are described. The list of standardized in Ukraine antivirus programs is determined. The study was based on the quantitative and qualitative results which while testing had obtained by the independent testing laboratory AV-Comparatives (Austria), the independent Virus Bulletin (VB) laboratory for testing and certification in the field of security, the Center for antivirus protection information of the State Special Communication Service of Ukraine. The comparative analysis of the main characteristics of antivirus programs was carried out, namely: antivirus and anti-spyware; anti-phishing; anti-rootkit protection against exploits; Intrusion Prevention System; Real-time protection; parental control; host-based firewall; antispam; protection against network attacks; home network protection; anti-theft; password management.Широке поширення безпроводових технологій призводить до постійно зростання кількості користувачів і постійно функціонуючих пристроїв. Але зростання кількості безпроводових користувачів в обмеженому просторі і обмеженому частотному діапазоні призводить до зростання їх взаємного впливу, що в кінцевому підсумку негативно позначається на пропускній спроможності безпроводових каналів і навіть на працездатності системи в цілому. У статті наведено статистику і тенденції поширення безпроводових мереж систем стандарту IEEE 802.11, а також проаналізовано основні проблеми, що виникають в ході розширення їх використання. Обґрунтування і вибір шляхів подолання цих труднощів багато в чому залежить від об’єктивного контролю параметрів випромінювання точок доступу і абонентських коштів в конкретній обстановці. Наведено огляд штатних засобів контролю, передбачених розробниками обладнання, і запропоновані авторські варіанти експериментальних вимірювальних комплексів, що дозволяють контролювати сигнальні та інформаційні параметри систем Wi-Fi. Представлені отримані з використанням зазначених коштів експериментальні результати оцінки підвищення доступності та пропускної здатності на основі застосування прискорюючої металопластинчастої лінзи як додаткового автономного елементу для фокусування поля в тому числі і для систем MIMO, впливу прискорюючої металопластинчастої лінзи на просторовий розподіл поля, на спектральну структуру сигналу. Крім того, досліджувалися поляризаційні ефекти. Обговорюються можливі шляхи подальшого підвищення доступності, цілісності інформації та енергетичної ефективності систем безпроводового доступу. Автори пропонують більш прості і менш витратні варіанти підвищення спрямованості випромінювання на основі прискорюючої металопластинчастої лінзи, що випробувано експериментально, а також використання зонування простору на шляху ЕОМ

Network Penetration Testing and Research

This paper will focus the on research and testing done on penetrating a network for security purposes. This research will provide the IT security office new methods of attacks across and against a company's network as well as introduce them to new platforms and software that can be used to better assist with protecting against such attacks. Throughout this paper testing and research has been done on two different Linux based operating systems, for attacking and compromising a Windows based host computer. Backtrack 5 and BlackBuntu (Linux based penetration testing operating systems) are two different "attacker'' computers that will attempt to plant viruses and or NASA USRP - Internship Final Report exploits on a host Windows 7 operating system, as well as try to retrieve information from the host. On each Linux OS (Backtrack 5 and BlackBuntu) there is penetration testing software which provides the necessary tools to create exploits that can compromise a windows system as well as other operating systems. This paper will focus on two main methods of deploying exploits 1 onto a host computer in order to retrieve information from a compromised system. One method of deployment for an exploit that was tested is known as a "social engineering" exploit. This type of method requires interaction from unsuspecting user. With this user interaction, a deployed exploit may allow a malicious user to gain access to the unsuspecting user's computer as well as the network that such computer is connected to. Due to more advance security setting and antivirus protection and detection, this method is easily identified and defended against. The second method of exploit deployment is the method mainly focused upon within this paper. This method required extensive research on the best way to compromise a security enabled protected network. Once a network has been compromised, then any and all devices connected to such network has the potential to be compromised as well. With a compromised network, computers and devices can be penetrated through deployed exploits. This paper will illustrate the research done to test ability to penetrate a network without user interaction, in order to retrieve personal information from a targeted host

Trust Management and Security in Satellite Telecommand Processing

New standards and initiatives in satellite system architecture are moving the space industry to more open and efficient mission operations. Primarily, these standards allow multiple missions to share standard ground and space based resources to reduce mission development and sustainment costs. With the benefits of these new concepts comes added risk associated with threats to the security of our critical space assets in a contested space and cyberspace domain. As one method to mitigate threats to space missions, this research develops, implements, and tests the Consolidated Trust Management System (CTMS) for satellite flight software. The CTMS architecture was developed using design requirements and features of Trust Management Systems (TMS) presented in the field of distributed information systems. This research advances the state of the art with the CTMS by refining and consolidating existing TMS theory and applying it to satellite systems. The feasibility and performance of this new CTMS architecture is demonstrated with a realistic implementation in satellite flight software and testing in an emulated satellite system environment. The system is tested with known threat modeling techniques and a specific forgery attack abuse case of satellite telecommanding functions. The CTMS test results show the promise of this technique to enhance security in satellite flight software telecommand processing. With this work, a new class of satellite protection mechanisms is established, which addresses the complex security issues facing satellite operations today. This work also fills a critical shortfall in validated security mechanisms for implementation in both public and private sector satellite systems

Maksullisten ja ilmaisten virustorjuntaohjelmien suojauksen tehokkuuden vertailu

Opinnäytetyön tavoitteena oli verrata maksullisten ja ilmaisten virustorjuntaohjelmien suojauksen tehokkuutta ja ottaa selvää, kummat suojaisivat konetta paremmin. Aihe liittyy tietoturvaan, joka voidaan määritellä viidellä käsitteellä: luottamuksellisuus, eheys, käytettävyys, kiistämättömyys ja pääsynvalvonta. Käsitteillä pyritään esitte-lemään tietoturva mahdollisimman kattavasti. Virustorjuntaohjelmat suojaavat haittaohjelmilta, jotka yrittävät levitä koneesta toiseen internetin kautta. Pääs-tessään koneelle ne saattavat aiheuttaa uhrilleen vahinkoa. Yleisimpiä haittaohjelmia ovat troijalaiset ja Bot-verkot. Nykyään tietokoneissa täytyy olla myös palomuuri, joka estää epäilyttävän liikenteen tietokoneen lähi-verkon ja internetin väliltä. Muita hyödyllisiä ohjelmia ovat etsintäohjelmat ja selainlaajennukset. Työssä testattiin kolmea ilmaista ja kolme maksullista virustorjuntaohjelmaa. Testattavat ohjelmat olivat F-Secure Internet Security 2014, Norton Internet Security 2014, Kaspersky PURE 3.0, Avast! Free Anti-Virus, Avira Free Anti-Virus ja Microsoft Security Essential. Testaus tapahtui Oracle VM VirtualBox -ohjelman kautta ajettavassa virtuaalisessa tietokoneessa. Testausten jälkeen verrattiin saadut tuloksia keskenään. Vertailussa il-meni, ettei ilmaisten ja maksullisten ohjelmien suojauksen tehokkuudessa suuria eroja. Norton, Kaspersky ja Microsoft Security Essential torjuivat parhaiten testivirukset. Kuitenkin ilmaisilla ohjelmilla pystyy turvaamaan helposti kotikäyttöisen tietokoneen, mutta käyttäjän kannattaa ensiksi varmistua ohjelman luotettavuudesta.The aim of this thesis was to compare the protection effectiveness of paid and free anti-virus programs and find out which one is better for protecting computers. The topic is related to information security, which can be defined with five concepts: confidentiality, integrity, availability, non-repudiation, and access control. The aim is to present the concepts of security as comprehensively as possible. Anti-virus software protects against malware that tries to spread from one computer to another through the Internet. When malware gets into a computer, it may cause damage to it. The most common types of malware are Trojans and Bot networks. Nowadays computers must also have a firewall that blocks suspicious traffic between the computer’s local network and the Internet. Other useful programs are malware scanners and browser extensions. Three paid and three free anti-virus programs were used in the tests. The programs were tested with F -Secure Internet Security 2014, Norton Internet Security 2014, Kaspersky PURE 3.0, Avast! Free Anti- Virus, Avira Free Anti-Virus and Microsoft Security Essentials. The testing took place in a virtual computer executed by Oracle VM VirtualBox. After the testing the results were compared with each other. The comparison showed that there were no major differences between the free and paid programs in protection. Norton, Kaspersky and Microsoft Security Essential were the best for rejecting the test viruses. However, you can secure a home com-puter with free software, but the user should first ascertain the reliability of the program

Information Security Behaviour Assessment In Software-As-A-Service Cloud Environment

This research aims at assessing the information security behaviour in Software as a Service (SaaS) cloud computing environment. Organisations are still struggling with information security breaches despite various technical protections to secure SaaS applications. This is due to the fact that human behaviour is the weakest link of the security chain. Security compromise causes substantial financial and nonfinancial losses to the organisations which jeopardise organisations' reputation. Technical protection alone is seemed insufficient to ensure information safety. Therefore, this research takes it from the soda-organisational perspective to strengthen information security. Many socio-organisational factors influence employees' security behavior in the organisation which gives impact to SaaS cloud adoption. Addressing these factors are significant to help successfully create a healthy security culture in the organisation. Nevertheless. human behaviour is subjective in nature. Their behaviour depends upon the way they think feel and act towards security issues which needs an in depth unders1anding towards their security behaviour. Hence, adapting the sequential exploratory mixed-method approach, through the theoretical lens of social cognitive theory, organisational culture theory as weJI as security control from extended deterrence theory, this study tlcvelops an information security behaviour model and validates the socio- organisational aspects of security behaviour. There were 396 useful data gathered from the survey. SPSS 20 and PLS-SEM software were utilised for descriptive and exploratory factor analysis respectively. The survey results indicate Lhat the security control management, personal values and behaviour were salient factors towards formation of good security behaviour. This research subsequently conducted a case study using the proposed model at one information technology department in a public university. The survey obtained 90 useful data. The case study revealed that organi sational security culture, personal values as well as behaviour have significant influence towards information security behaviour. There were slight differences in the quantitative results to which the follow-up interview with three infonnants supported the findings from the case study. It can be concluded that personal values and behavior clements arc the most significant factors which influence information security behaviour of employees working in SaaS cloud environment. However, the organisation culture and security control management factors are observed to be contextually dependent as these factors depend on how the organisation is run by the respective top management. This study contributes both theoretically and practically. The information security behaviour's body of knowledge is built up through conceptual model testing and accentuating new propositions. The infonnation security behaviour model was developed upon the integration of social cognitive theory, Wallach Organisational Culture Model as well as security control management from extended deterrence theory, and validated through a survey and a case study. The result helps the researcher to have better insight of employees' security behaviour in SaaS cloud environment in Malaysia generally and at the studied IT department specifically. The developed model. new accentuated propositions and other recommendations in this research may help other researchers to embark on related studies in the future

Shipboard ECDIS Cyber Security: Third-Party Component Threats

The Electronic Chart Display and Information System (ECDIS) plays a central role in safe navigation of ships. The ECDIS is basically a software package running on a general operating system that could be comprised of the third-party components. This paper presents an analysis of cyber security weaknesses of a shipboard ECDIS raising from the ECDIS software’s third-party components. The analysis is based on the cyber security testing of the shipboard ECDIS using an industry vulnerability scanner. Detected vulnerabilities are analysed regarding the protection measures implemented on the ship. The results suggest that even the type approved ECDIS system with maintained ECDIS software and the underlying operating system could be vulnerable due to weaknesses in the ECDIS software’s third-party components

Perancangan Sistem Informasi Pendataan Korban Bencana Alam Dan Bencana Sosial Di Dinas Sosial Kota Palembang Berbasis Website

Handling events that occur, by evacuating, meeting needs, protection are things that must be done by the government and local governments and emergency response. The Palembang City Social Service is a government institution that has many fields, one of which is PJS (Social Protection and Security) which has a Head of Social Protection for Natural and Social Disaster Victims (PSKBA / BS). In collecting data on victims of Natural and Social Disasters, the Social Service of Palembang City has used a computer in its data collection, but the data collection is still using MS Excel where the data can be lost at any time. Therefore, this study aims to design a web-based system that helps in collecting data on victims of natural and social disasters that can minimize data loss. In building information system software, the author uses an object-oriented method with a waterfall approach which consists of several stages, namely Requirements Analysis (requirements), System Design (design), System Implementation (implementation), System Testing (testing), and System Maintenance (maintenance). . The design of the Information System for Data Collection of Victims of Natural Disasters and Social Disasters at the Social Service of Palembang City is a system design process that can later be implemented in programming language which aims to make it easier for officers or admins to collect data and also recap reports quickly and accurately. The design of this system is based on the problems that exist at this time where the data collection process is still using Ms Excel which is considered to be still ineffective. The currently designed system is equipped with a menu of disaster data, command posts, victim data, officers, assistance, and a recap menu. Where these menus can support the system to be maximized and in accordance with user needs.Keywords : Information System, Waterfall, Web

ELASPSD Data Acquisition and Signal Generator User Manual

The European Laboratory for Structural Assessment (ELSA) belongs to the Joint Research Centre (JRC) of the European Commission. It is one of the units of the Institute for the Protection and Security of the Citizen (IPSC) at the Ispra Site of the JRC. The main facility of ELSA is a large Reaction Wall‐Strong Floor system equipped with powerful servoactuators used to simulate the response of civil full‐size structures submitted to dynamic loads using the ELSAPSD testing system. During a test, the user may want some data to be displayed, analyzed or/and stored in the computer. This can be made through an acquisition object. This manual explains how to use an acquisition starting from the most simple case, which is using an acquisition node with an internal trigger. Each chapter adds new information to the previous one, so it is interesting to read the manual in a sequential order. This manuals refers to the acquisition software of ELSAPSD according to the versions PSDCYC03.DLL and M13.004 of the master controller software and acqui.exe???????

СУЧАСНІ ІНСТРУМЕНТИ ТЕСТУВАННЯ БЕЗПЕКИ OWASP

With the development of information technology, humanity is increasingly delving into the world of gadgets, cloud technology, virtual reality, and artificial intelligence. Through web applications, we receive and distribute information, including confidential. During the pandemic, most people switched to online work and study. As a result, most of the data stored on personal computers, company servers, and cloud storage needs protection from cyberattacks. The problem of cybersecurity at the moment is incredibly relevant due to the hacking of cryptocurrencies, websites of ministries, bitcoin wallets or social network accounts. It is necessary to conduct high-quality testing of developed applications to detect cyber threats, to ensure reliable protection of different information. The article states that when testing applications, it checks for vulnerabilities that could arise as a result of incorrect system setup or due to shortcomings in software products. The use of innovation is necessary to improve quality. Modern realities have become a challenge for the development of cybersecurity products. Improvement of technology requires modern companies to update their IT systems and conduct regular security audits. The research is devoted to the analysis of modern OWASP testing tools that contribute to data security, with a view to their further use. The Open Web Application Security Project is an open security project. The research revealed a list of the most dangerous vectors of attacks on Web-applications, in particular, OWASP ZAP performs analyzes the sent and received data system security scanning at the primary level, MSTG performs security testing of mobile applications iOS and Android mobile devices. The practical result of the work is to test a specially developed web-application and identify vulnerabilities of different levels of criticality.Анотація. Із розвитком інформаційних технологій людство все більше заглиблюється у світ гаджетів, хма-рних технологій, віртуальної реальності і штучного інтелекту. Через web-додатки отримуємо і поширюємо інформацію, в тому числі і конфіденційну. Під час пандемії велика частина людей перейшла в онлайн режим роботи і навчання. В результаті, більшість даних, які зберігаються на персональних комп’ютерах, серверах компаній, хмарних сховищах, потребують захисту від кібератак. Проблема кібербезпеки на цей час неймовірно актуальна через зламування криптобірж, сайтів міністерств, біткоїн-гаманців чи акаунтів соцмереж. Для забезпечення надійного захисту різної інформації потрібно проводити якісне тестування розроблених додатків на виявлення кі-берзагроз. В статті зазначено, що при тестуванні додатків виконується перевірка на вразливості, які могли б виникнути в результаті неправильного налаштування системи або через недоліки програмних продуктів. Важливим є питання використання інновацій для покращення якості, зокрема сучасні реалії стали викликом для розвитку продуктів забезпечення кібербезпеки. Розвиток технологій вимагає від сучасних компаній оновлення своїх ІТ систем і проведення регулярних перевірок безпеки. Дослідження в роботі присвячене аналізу сучасних інструментів тестування OWASP, які сприяють забезпеченню безпеки даних, з метою їх подальшого використання. Open Web Application Security Project є відкритим проєктом забезпечення безпеки. При дослідженнях виявлено список найбільш небезпечних векторів атак на Web-додатки, зокрема OWASP ZAP здійснює сканування безпеки системи на базовому рівні шляхом аналізу надісланих та отриманих даних, а тестування безпеки мобільних додатків та мобільних пристроїв iOS та Android здійснюється за MSTG. Практичним результатом роботи є проведення тестування спеціально розробленого web-додатку і виявлення вразливостей різного рівня критичності