408,767 research outputs found

    Testing Against Independence with an Eavesdropper

    We study a distributed binary hypothesis testing (HT) problem with communication and security constraints, involving three parties: a remote sensor called Alice, a legitimate decision centre called Bob, and an eavesdropper called Eve, all having their own source observations. In this system, Alice conveys a rate R description of her observation to Bob, and Bob performs a binary hypothesis test on the joint distribution underlying his and Alice's observations. The goal of Alice and Bob is to maximise the exponential decay of Bob's miss-detection (type-II error) probability under two constraints: Bob's false-alarm (type-I error) probability has to stay below a given threshold and Eve's uncertainty (equivocation) about Alice's observations should stay above a given security threshold even when Eve learns Alice's message. For the special case of testing against independence, we characterise the largest possible type-II error exponent under the described type-I error probability and security constraints. Comment: submitted to ITW 202

    Automated Dynamic Firmware Analysis at Scale: A Case Study on Embedded Web Interfaces

    Embedded devices are becoming more widespread, interconnected, and web-enabled than ever. However, recent studies showed that these devices are far from being secure. Moreover, many embedded systems rely on web interfaces for user interaction or administration. Unfortunately, web security is known to be difficult, and therefore the web interfaces of embedded systems represent a considerable attack surface. In this paper, we present the first fully automated framework that applies dynamic firmware analysis techniques to achieve, in a scalable manner, automated vulnerability discovery within embedded firmware images. We apply our framework to study the security of embedded web interfaces running in Commercial Off-The-Shelf (COTS) embedded devices, such as routers, DSL/cable modems, VoIP phones, IP/CCTV cameras. We introduce a methodology and implement a scalable framework for discovery of vulnerabilities in embedded web interfaces regardless of the vendor, device, or architecture. To achieve this goal, our framework performs full system emulation to achieve the execution of firmware images in a software-only environment, i.e., without involving any physical embedded devices. Then, we analyze the web interfaces within the firmware using both static and dynamic tools. We also present some interesting case-studies, and discuss the main challenges associated with the dynamic analysis of firmware images and their web interfaces and network services. The observations we make in this paper shed light on an important aspect of embedded devices which was not previously studied at a large scale. We validate our framework by testing it on 1925 firmware images from 54 different vendors. We discover important vulnerabilities in 185 firmware images, affecting nearly a quarter of vendors in our dataset. These experimental results demonstrate the effectiveness of our approach

    Design of an Online Web-Based Goods Inventory Information System at Prima Indonesia University

    The importance of inventory management for business success and how technology can help improve inventory management. The design of an online web-based inventory information system at Prima Indonesia University is discussed in this article. The research aims to improve inventory management business profitability at Prima Indonesia University. One of the approaches used to collect data for this project is the waterfall system development process, which also includes interviews, observations, documentation, and literature studies. Blackbox testing is a technique used to test the system in publication. Functional testing verifies that the system can operate according to the functional requirements established during the analysis and design stages. Testing the system's ability to meet non-functional criteria, such as security, speed, and performance, is known as non-functional testing. After testing, the author makes improvements and fixes to the system found during testing. The support and maintenance stages are carried out regularly to ensure the system runs well and meets user needs. The results showed that the web-based online inventory system developed for Prima Indonesia University using the waterfall model can help improve inventory management and business profitability. The system can reduce errors in inventory management and speed up the process of searching and retrieving inventory data. System testing shows that the system can function properly and meet the requirements at the analysis and design stages

    Observation-Based Modeling for Testing and Verifying Highly Dependable Systems – A Practitioner’s Approach

    Model-based testing (MBT) can reduce the cost of making test cases for critical applications significantly. Depending on the formality of the models, they can also be used for verification. Once the models are available model-based test case generation and verification can be seen as "push-button solutions." However, making the models is often perceived by practitioners as being extremely difficult, error prone, and overall daunting. This paper outlines an approach for generating models out of observations gathered while a system is operating. After refining the models with moderate effort, they can be used for verification and test case generation. The approach is illustrated with a concrete system from the safety and security domain