4,416 research outputs found

    Laptop theft: a case study on effectiveness of security mechanisms in open organizations

    Organizations rely on physical, technical and procedural mechanisms to protect their physical assets. Of all physical assets, laptops are probably the most troublesome to protect, since laptops are easy to remove and conceal. Organizations open to the public, such as hospitals and universities, are easy targets for laptop thieves, since every day hundreds of people not employed by the organization wander in the premises. The problem security professionals face is how to protect the laptops in such open organizations. In this study, we look at the effectiveness of the security mechanisms against laptop theft in two universities. We analyze the logs from laptop thefts in both universities and complement the results with penetration tests. The results from the study show that surveillance cameras and access control have a limited role in the security of the organization and that the level of security awareness of the employees plays the biggest role in stopping theft. The results of this study are intended to aid security professionals in the prioritization of security mechanisms.

    Information security assurance model for an examination paper preparation process in a higher education institution

    In today’s business world, information has become the driving force of organizations. With organizations transmitting large amounts of information to various geographical locations, it is imperative that organizations ensure the protection of their valuable commodity. Organizations should ensure that only authorized individuals receive, view and alter the information. This is also true of Higher Education Institutions (HEIs), which need to protect their examination papers, amongst other valuable information. With various threats waiting to take advantage of the examination papers, HEIs need to be prepared by equipping themselves with an information security management system (ISMS), in order to ensure that the process of setting examination papers is secure, and protects the examination papers within the process. An ISMS will ensure that all information security aspects are considered and addressed in order to provide appropriate and adequate protection for the examination papers. With the assistance of information security concepts and information security principles, the ISMS can be developed, in order to secure the process of preparing examination papers; in order to protect the examination papers from potential risks. Risk assessment forms part of the ISMS, and is at the centre of any security effort; reason being that to secure an information environment, knowing and understanding the risks is imperative. Risks pertaining to that particular environment need to be assessed in order to deal with those appropriately. In addition, very important to any security effort is ensuring that employees working with the valuable information are made aware of these risks, and can be able to protect the information. Therefore, the role players (within the examination paper preparation process (EPPP)) who handle the examination papers on a daily basis have to be equipped with means of handling valuable information in a secure manner.
Some of the role players’ behaviour and practices while handling the information could be seen as vulnerabilities that could be exploited by threats, resulting in the compromise in the CIA of the information. Therefore, it is imperative that role players are made aware of their practices and behaviour that could result in a negative impact for the institution. This awareness forms part and is addressed in the ISMS.

    An Investigation Into Rewriting a Security Policy for Loreto College

    Computers as well as the networking environments in which they operate have evolved into highly sophisticated and complex systems. The intricacy of these systems and especially the relationship between them forms the greatest area of vulnerabilities for organizations (Whitman and Mattord, 2004). Information needs to be transmitted to and from the organization, and thus may be vulnerable within certain stages along the communications line. If at any stage of the process, the information is compromised, it could have a negative impact on the entire organization. Protective measures such as disaster recovery plans, encryption/decryption, and information system security controls, can minimize or prevent the negative consequences. Therefore it is vital that management of information system assets take measures to protect their critical data and information from loss, damage and misuse. The process of minimizing risks associated with information security includes the compilation of a detailed and standardized information security policy. Such a policy has to address issues such as threats and possible counter measures as well as defining roles and responsibilities. The aim of this study was to assess the status of the information security policy compiled and implemented by Loreto College Msongari. During the study, the status of security of the information systems assets at the college, existence and format of the security policy as well as the commitment of the college to address security issues was measured.

    Using security risk analysis: Is the bring your own device policy becoming a liability risk within healthcare?

    Using computer simulation modeling, this research examined the problems contributing to data breaches within the healthcare industry. The study attempted to answer two questions: 1) is the Bring Your Own Device policy becoming a liability risk within hospitals causing an increase in data breaches and 2) is there a lower risk compared to using wired desktops. An iPad was the primary focused device as one of many Bring Your Own Devices. The study used a randomly generated sample of approximately 2,700 patients, one nurse and doctor on an eight-hour work-day within the clinic (eight A.M. to five P.M.) considering a one-hour lunch break in between. The outcome of the study revealed that the Bring Your Own Policy has a lower risk than using wired desktops within hospitals.

    Remote booting in a hostile world: to whom am I speaking? [Computer security]

    Today's networked computer systems are very vulnerable to attack: terminal software, like that used by the X Window System, is frequently passed across a network, and a trojan horse can easily be inserted while it is in transit. Many other software products, including operating systems, load parts of themselves from a server across a network. Although users may be confident that their workstation is physically secure, some part of the network to which they are attached almost certainly is not secure. Most proposals that recommend cryptographic means to protect remotely loaded software also eliminate the advantages of remote loading, for example, ease of reconfiguration, upgrade distribution, and maintenance. For this reason, they have largely been abandoned before finding their way into commercial products. The article shows that, contrary to intuition, it is no more difficult to protect a workstation that loads its software across an insecure network than to protect a stand-alone workstation. In contrast to prevailing practice, the authors make essential use of a collision-rich hash function to ensure that an exhaustive off-line search by the opponent will produce not one, but many candidate passwords.
This strategy forces the opponent into an open, on-line guessing attack and offers the user a defensive strategy unavailable in the case of an off-line attack. Peer reviewed.

    Implicit Sensor-based Authentication of Smartphone Users with Smartwatch

    Smartphones are now frequently used by end-users as the portals to cloud-based services, and smartphones are easily stolen or co-opted by an attacker. Beyond the initial log-in mechanism, it is highly desirable to re-authenticate end-users who are continuing to access security-critical services and data, whether in the cloud or in the smartphone. But attackers who have gained access to a logged-in smartphone have no incentive to re-authenticate, so this must be done in an automatic, non-bypassable way. Hence, this paper proposes a novel authentication system, iAuth, for implicit, continuous authentication of the end-user based on his or her behavioral characteristics, by leveraging the sensors already ubiquitously built into smartphones. We design a system that gives accurate authentication using machine learning and sensor data from multiple mobile devices. Our system can achieve 92.1% authentication accuracy with negligible system overhead and less than 2% battery consumption. Comment: Published in Hardware and Architectural Support for Security and Privacy (HASP), 201

    Information security awareness amongst students joining higher academic institutions in developing countries: Evidence from Kenya

    Although there is a steady use of information technology in institutions of higher learning, little is known about the level of information security awareness (ISA) amongst students joining universities in developing countries and more specifically Africa. The purpose of this study was to investigate ISA amongst undergraduate students at a higher education institution in Kenya. The study made use of a quantitative survey approach. Overall, the study findings indicate that the majority of the students surveyed did not possess adequate understanding of ISA. Consequently, we submit that there is a strong need to cultivate ISA culture amongst students joining universities in developing countries. We further recommend that ISA needs to be incorporated in the undergraduate curriculum to help enhance such awareness. Equally, it would be useful for universities to have an ISA program as part of the wider university information security management strategy.