413 research outputs found

    A Sustainable Approach to Security and Privacy in Health Information Systems

    This paper identifies and discusses recent information privacy violations or weaknesses which have been found in national infrastructure systems in Australia, the United Kingdom (UK) and the United States of America (USA), two of which involve departments of health and social services. The feasibility of health information systems (HIS) based upon intrinsically more secure technological architectures than those in general use in today's marketplace is investigated. We propose a viable and sustainable IT solution which addresses the privacy and security concerns at all levels in HIS with a focus on trustworthy access control mechanisms

    Functionality-based application confinement: A parameterised and hierarchical approach to policy abstraction for rule-based application-oriented access controls

    Access controls are traditionally designed to protect resources from users, and consequently make access decisions based on the identity of the user, treating all processes as if they are acting on behalf of the user that runs them. However, this user-oriented approach is insufficient at protecting against contemporary threats, where security compromises are often due to applications running malicious code, either due to software vulnerabilities or malware. Application-oriented access controls can mitigate this threat by managing the authority of individual applications. Rule-based application-oriented access controls can restrict applications to only allow access to the specific finely-grained resources required for them to carry out their tasks, and thus can significantly limit the damage that can be caused by malicious code. Unfortunately existing application-oriented access controls have policy complexity and usability problems that have limited their use. This thesis proposes a new access control model, known as functionality-based application confinement (FBAC). The FBAC model has a number of unique features designed to overcome problems with previous approaches. Policy abstractions, known as functionalities, are used to assign authority to applications based on the features they provide. Functionalities authorise elaborate sets of finely grained privileges based on high-level security goals, and adapt to the needs of specific applications through parameterisation. FBAC is hierarchical, which enables it to provide layers of abstraction and encapsulation in policy. It also simultaneously enforces the security goals of both users and administrators by providing discretionary and mandatory controls. An LSM-based (Linux security module) prototype implementation, known as FBAC-LSM, was developed as a proof-of-concept and was used to evaluate the new model and associated techniques. 
The policy requirements of over one hundred applications were analysed, and policy abstractions and application policies were developed. Analysis showed that the FBAC model is capable of representing the privilege needs of applications. The model is also well suited to automation techniques that can in many cases create complete application policies a priori, that is, without first running the applications. This is an improvement over previous approaches that typically rely on learning modes to generate policies. A usability study was conducted, which showed that compared to two widely-deployed alternatives (SELinux and AppArmor), FBAC-LSM had significantly higher perceived usability and resulted in significantly more protective policies. Qualitative analysis was performed and gave further insight into the issues surrounding the usability of application-oriented access controls, and confirmed the success of the FBAC model

    Snake-Oil Security Claims: The Systematic Misrepresentation of Product Security in the E-Commerce Arena

    The modern commercial systems and software industry in the United States have grown up in a snake-oil salesman's paradise. The largest sector of this industry by far is composed of standard commercial systems that are marketed to provide specified functionality (e.g. Internet web server, firewall, router, etc.) Such products are generally provided with a blanket disclaimer stating that the purchaser must evaluate the suitability of the product for use, and that the user assumes all liability for product behavior. In general, users cannot evaluate and cannot be expected to evaluate the security claims of a product. The ability to analyze security claims is important because a consumer may place unwarranted trust in the security abilities of a web server (or other computer device) to perform its stated purpose, thereby putting his own organization at risk, as well as third parties (consumers, business partners, etc.) All but the largest and most capable organizations lack the resources or expertise to evaluate the security claims of a product. More importantly, no reasonable and knowledgeable person would expect them to be able to do so. The normal legal presumptions of approximate equality of bargaining power and comparable sophistication in evaluating benefits and risks are grievously unjust in the context of software security. In these transactions, it is far wiser to view the general purchaser, even if that purchaser is a sizable corporation, as an ignorant consumer. Hence, often purchasers accept what appear to be either implied merchantability claims of the vendor or claims of salespersons' made outside of the context of a written document. These claims frequently have little, if any, basis in fact. These standard commercial systems form the bulk of the critical infrastructure of existing Internet functionality and e-commerce systems.
Often, these systems are not trustworthy, yet the use of these systems by misinformed purchasers created massive vulnerability for both purchasers and third parties (including a substantial fraction of both U.S. and international citizens). The frequent disclosure of individual credit card information from supposedly secure commercial systems illustrates an aspect of this vulnerability and raises serious questions concerning the merchantability of these systems. While it is impossible to avoid all risks, they can be reduced to a very small fraction of their current level. Vendors have willfully taken approaches and used processes that do not allow assurance of appropriate security properties, while simultaneously and recklessly misrepresenting the security properties of their products to their customers

    Bibliography for computer security, integrity, and safety

    A bibliography of computer security, integrity, and safety issues is given. The bibliography is divided into the following sections: recent national publications; books; journal, magazine articles, and miscellaneous reports; conferences, proceedings, and tutorials; and government documents and contractor reports

    A Review on the Mechanism Mitigating and Eliminating Internet Crimes using Modern Technologies

    There is no doubting that contemporary technology creates new hazards, and these threats are many and significant, directly harming people's lives and threatening their stability. Because of the increased use of computers and Internet-connected cellphones in recent years, the problem of cybercrime has expanded substantially. Unquestionably, this kind of crime is now a reality that jeopardizes people's reputations and lives, therefore we must be aware of it to prevent being a victim. The exponential growth in internet connectedness is closely tied to a rise in cyberattack incidences, frequently with significant consequences. Malware is the weapon of choice for carrying out malicious intent in cyberspace, whether by exploiting pre-existing flaws or exploiting the unique properties of new technology. There is an urgent need in the cybersecurity area to develop more inventive and effective virus defense techniques. To do this, we first give an overview of the most often exploited vulnerabilities in the current hardware, software, and network layers. This follows criticism of the most recent mitigation efforts and the reasons why they may or may not be helpful. Following that, we'll talk about new attack methods for cutting-edge technologies including social networking, cloud computing, mobile technology, as well as critical infrastructure. We conclude by sharing our speculative findings on potential future research avenues

    From Conventional to State-of-the-Art IoT Access Control Models

    Open access article. The advent in Online Social Networks (OSN) and Internet of Things (IoT) has created a new world of collaboration and communication between people and devices. The domain of internet of things uses billions of devices (ranging from tiny sensors to macro scale devices) that continuously produce and exchange huge amounts of data with people and applications. Similarly, more than a billion people are connected through social networking sites to collaborate and share their knowledge. The applications of IoT such as smart health, smart city, social networking, video surveillance and vehicular communication are quickly evolving people’s daily lives. These applications provide accurate, information-rich and personalized services to the users. However, providing personalized information comes at the cost of accessing private information of users such as their location, social relationship details, health information and daily activities. When the information is accessible online, there is always a chance that it can be used maliciously by unauthorized entities. Therefore, an effective access control mechanism must be employed to ensure the security and privacy of entities using OSN and IoT services. Access control refers to a process which can restrict user’s access to data and resources. It enforces access rules to grant authorized users an access to resources and prevent others. This survey examines the increasing literature on access control for traditional models in general, and for OSN and IoT in specific. Challenges and problems related to access control mechanisms are explored to facilitate the adoption of access control solutions in OSN and IoT scenarios. The survey provides a review of the requirements for access control enforcement, discusses several security issues in access control, and elaborates underlying principles and limitations of famous access control models.
We evaluate the feasibility of current access control models for OSN and IoT and provide the future development direction of access control for the sam

    Health IT Security: An Examination of Modern Challenges in Maintaining HIPAA and HITECH Compliance

    This work describes an undergraduate honors research project into some of the challenges modern healthcare providers face in maintaining compliance with the Health Insurance Portability and Accountability Act (HIPAA) and HITECH (Health Information Technology for Economic and Clinical Health) Act. An overview of the pertinent sections of both the HIPAA and HITECH Acts regarding health information security is provided, along with a discussion of traditionally weak points in information security, including: people susceptible to social engineering, software that is not or cannot be regularly updated, and targeted attacks (including advanced persistent threats, or APTs). Further, the paper examines potential violations of HIPAA involving vulnerabilities in commonly-used enterprise health records systems. Finally, we compare these challenges to the challenges of the United States healthcare system prior to 1995, specifically looking at information handling procedures, how procedures have changed, and how effective those changes have been

    System call interface for Asbestos labels

    Thesis (M. Eng.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2005. Includes bibliographical references (p. 53-55). Acetone is a secure operating system kernel that uses a shared address space and supports Asbestos labels. Acetone uses Asbestos labels to enable a wide variety of security policies including ones that prevent untrusted applications from being able to disclose private data. All threads run in the same address space, but have different memory access privileges. Acetone uses standard memory protection mechanisms to ensure that all memory accesses are consistent with label rules. The performance results show that these checks have a relatively low cost. By Clifford A. Frey. M.Eng

    WinLomac: Low Water Mark integrity protection for Windows 2000

    Computer security has long been one of the most important research areas in computer science. In recent years, the rapid growth in Internet based industry has raised the importance of computer security to an unprecedented level. However, at the same time, profit driven commercial software development always leaves security concerns behind the quick incorporation of new functionalities. Therefore, the need to improve the security of these products is very urgent now. Microsoft Windows 2000, as one of the most popular operating systems, also needs to be improved. Especially, because of the unavailability of the necessary documentation and source code, few third party research and development have been done for Windows 2000 operating system kernel. In this paper, we introduce WinLomac, a prototype security enhancement software for Windows 2000 operating system that enforces Low Water Mark integrity model based Mandatory Access Control in the kernel