Building a Secure Intranet

This thesis will explain the vulnerabilities of computers in a networking environment and demonstrate proper procedures for building a secure Intranet. The Internet is built around the concept of open communication. Data is shared around the globe just as easily as it is from one office or cubical to the next. Corporations are skeptical about putting company data on such a public transport mechanism as the Internet, but the tools used on the Internet are exciting and everyone wants to use them. Out of a desire for the best of both worlds, the Intranet was born. An intranet that has no connection to the Internet can safely make a significant amount of company data available to employees, but when hosts are connected to the Internet, things change. Each application on the Internet comes with a threat to a company\u27s data. More office managers would probably install and use an Intranet if they understood them better and trusted them more. The purpose of his paper is to educate the non-technical manager in the subject of Internet applications and security mechanisms so that he or she can make an informed decision about installing an Intranet. There is so much software available for building and securing a Web site that many feel overwhelmed at the prospect of getting started. The goal will be to define the terms and acronyms used in this technology, and to evaluate the services and software available for building a secure Intranet. Securing a Web site requires some knowledge of TCP/IP, routers, firewalls and data encryption. These subjects will be covered at an introductory level with the goal of enabling the reader to understand the issues involved. The work will terminate in a project that builds an Intranet that shares data with a selective audience while securing it from others. The hardware and software configuration will be documented as a sample that can be duplicated in any office environment. The Web site will be built using some HTML coding to demonstrate the complexity of the language and some high-level software that demonstrates the value of these new tools. Two security specialists evaluated the project. They agreed that an Intranet built with the specifications in the project would be functional and secure

Not invented here: Power and politics in public key infrastructure (PKI) institutionalisation at two global organisations.

This dissertation explores the impact of power and politics in Public Key Infrastructure (PKI) institutionalisation. We argue that this process can be understood in power and politics terms because the infrastructure skews the control of organisational action in favour of dominant individuals and groups. Indeed, as our case studies show, shifting power balances is not only a desired outcome of PKI deployment, power drives institutionalisation. Therefore, despite the rational goals of improving security and reducing the total cost of ownership for IT, the PKIs in our field organisations have actually been catalysts for power and politics. Although current research focuses on external technical interoperation, we believe emphasis should be on the interaction between the at once restrictive and flexible PKI technical features, organisational structures, goals of sponsors and potential user resistance. We use the Circuits of Power (CoP) framework to explain how a PKI conditions and is conditioned by power and politics. Drawing on the concepts of infrastructure and institution, we submit that PKIs are politically explosive in pluralistic, distributed global organisations because by limiting freedom of action in favour of stability and security, they set a stage for disaffection. The result of antipathy towards the infrastructure would not be a major concern if public key cryptography, which underpins PKI, had a centralised mechanism for enforcing the user discipline it relies on to work properly. However, since this discipline is not automatic, a PKI bereft of support from existing power arrangements faces considerable institutionalisation challenges. We assess these ideas in two case studies in London and Switzerland. In London, we explain how an oil company used its institutional structures to implement PKI as part of a desktop standard covering 105,000 employees. In Zurich and London, we give a power analysis of attempts by a global financial services firm to roll out PKI to over 70,000 users. Our dissertation makes an important contribution by showing that where PKI supporters engage in a shrewdly orchestrated campaign to knit the infrastructure with the existing institutional order, it becomes an accepted part of organisational life without much ceremony. In sum, we both fill gaps in information security literature and extend knowledge on the efficacy of the Circuits of Power framework in conducting IS institutionalisation studies

The Development of Digital Forensics Workforce Competency on the Example of Estonian Defence League

03.07.2014 kehtestati Vabariigi Valitsuse määrus nr. 108, mis reguleerib Kaitseliidu kaasamise tingimusi ja korda küberjulgeoleku tagamisel. Seega võivad Kaitseliidu küberkaitse üksuse (KL KKÜ edaspidi KKÜ) kutsuda olukorda toetama erinevad asutused: näiteks Riigi Infosüsteemide amet (RIA), infosüsteemi järelevalveasutus või kaitseministeerium või selle valitsemisala ametiasutused oma ülesannete raames. KKÜ-d saab kaasata info- ja sidetehnoloogia infrastruktuuri järjepidevuse tagamisel, turvaintsidentide kontrollimisel ja lahendamisel, rakendades nii aktiivseid kui passiivseid meetmeid. KKÜ ülesannete kaardistamisel täheldati, et KKÜ partnerasutused / organisatsioonid ei ole kaardistanud oma spetsialistide olemasolevaid pädevusi ja sellele lisaks puudub ülevaade digitaalse ekspertiisi kogukonnas vajaolevatest pädevustest. Leitut arvesse võttes seati ülesandeks vajadustest ja piirangutest (võttes arvesse digitaalse ekspertiisi kogukonda kujundavaid standardeid) ülevaatliku pildi loomine, et töötada välja digitaalse ekspertiisi kompetentsipõhine raamistik, mis toetab KKÜ spetsialistide arendamist palkamisest pensionini. Selleks uurisime KKÜ ja nende olemasolevate koolitusprogrammide hetkeolukorda ning otsustasime milliseid omadusi peab edasise arengu tarbeks uurima ja kaaluma. Võrreldavate tulemuste saa-miseks ja eesmärgi täitmiseks pidi koostatav mudel olema suuteline lahendama 5-t järgnevat ülesannet: 1. Oskuste kaardistamine, 2. Eesmärkide seadmine ja ümberhindamine, 3. Koolituskava planeerimine, 4. Värbamisprotsessi kiirendamine ning 5. Spetsialistide kestva arengu soodustamine. Raamistiku väljatöötamiseks võeti aluseks National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NICE Framework) pädevusraamistik mida parendati digitaalse ekspertiisi spetsialistide, ja käesoleval juhul ka KKÜ, vajadusi silmas pidades. Täiendusi lisati nii tasemete, spetsialiseerumise kui ka ülesannete kirjelduste kujul. Parenduste lisamisel võeti arvesse töös tutvustatud digitaalse ekspertiisi piiranguid ja standardeid, mille lõpptulemusena esitati KKÜ-le Digitaalse Ekspertiisi Pädevuse ontoloogia, KKÜ struktuuri muudatuse ettepanek, soovitatavad õpetamisstrateegiad digitaalse ekspertiisi kasutamiseks (muudetud Bloomi taksonoomia tasemetega), uus digitaalse ekspertiisi standardi alajaotus – Mehitamata Süsteemide ekspertiis ja Digitaalse Ekspertiisi Pädevuse Mudeli Raamistik. Ülesannete ja oskuste loetelu koostati rahvusvaheliselt tunnustatud sertifitseerimis-organisatsioonide ja erialast pädevust pakkuvate õppekavade abil. Kavandatava mudeli hindamiseks kasutati mini-Delphi ehk Estimate-Talk-Estimate (ETE) tehnikat. Esialgne prognoos vajaduste ja prioriteetidega anti KKÜ partnerasutustele saamaks tehtud töö kohta ekspertarvamusi. Kogu tagasisidet silmas pidades tehti mudelisse korrektuurid ja KKÜ-le sai vormistatud ettepanek ühes edasise tööplaaniga. Üldiselt kirjeldab väljapakutud pädevusraamistik KKÜ spetsialistilt ooda-tavat pädevuse ulatust KKÜ-s, et suurendada nende rolli kiirreageerimisrühmana. Raamistik aitab määratleda digitaalse ekspertiisi eeldatavaid pädevusi ja võimekusi praktikas ning juhendab eksperte spetsialiseerumise valikul. Kavandatud mudeli juures on arvestatud pikaajalise mõjuga (palkamisest pensionini). Tulenevalt mudeli komplekssusest, on raamistikul pikk rakendusfaas – organisatsiooni arengule maksimaalse mõju saavutamiseks on prognoositud ajakava maksimaalselt 5 aastat. Antud ettepanekud on käesolevaks hetkeks KKÜ poolt heaks kiidetud ning planeeritud kava rakendati esmakordselt 2019 aasta aprillikuus.In 03.07.2014 Regulation No. 108 was introduced which regulates the conditions and pro-cedure of the involvement of the Estonian Defence League (EDL) Cyber Defence Unit (CDU) in ensuring cyber security. This means that EDL can be brought in by the Information System Authority, Ministry of Defence or the authorities of its area of government within the scope of either of their tasks e.g. ensuring the continuity of information and communication technology infrastructure and in handling and solving cyber security incidents while applying both active and passive measures. In January 2018 EDL CDU’s Digi-tal Evidence Handling Group had to be re-organized and, thus, presented a proposal for internal curriculum in order to further instruct Digital Evidence specialists. While describing the CDU's tasks, it was noted that the CDU's partner institutions / organizations have not mapped out their specialists’ current competencies. With this in mind, we set out to create a comprehensive list of needs and constraints (taking into account the community standards of DF) to develop a DF-based competence framework that supports the devel-opment of CDU professionals. Hence, we studied the current situation of CDU, their existing training program, and contemplated which features we need to consider and ex-plore for further development. In order to assemble comparable results and to achieve the goal the model had to be able to solve the 5 following tasks: 1. Competency mapping, 2. Goal setting and reassessment, 3. Scheduling the training plan, 4. Accelerating the recruitment process, and 5. Promoting the continuous development of professionals. The frame-work was developed on the basis of the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NICE Framework), which was revised to meet the needs of DF specialists, including EDL CDU. Additions were supplemented in terms of levels, specialization, and job descriptions. The proposals included the DF limitations and standards introduced in the work, which ultimately resulted in a proposal for a Digital Forensics Competency ontology, EDL CDU structure change, Suggested Instruc-tional Strategies for Digital Forensics Use With Each Level of revised Bloom's Taxonomy, a new DF standard subdivision – Unmanned Systems Forensics, and Digital Forensic Competency Model Framework. The list of tasks and skills were compiled from international certification distribution organizations and curricula, and their focus on DF Special-ist Competencies. Mini-Delphi or Estimate-Talk-Estimate (ETE) techniques were applied to evaluate the proposed model. An initial estimation of competencies and priorities were given to the EDL CDU partner institutions for expert advice and evaluation. Considering the feedback, improvements were made to the model and a proposal was put forward to the CDU with a future work plan. In general, the proposed competence framework describes the expected scope of competence of an DF specialist in the EDL CDU to enhance their role as a rapid response team. The framework helps in defining the expected compe-tencies and capabilities of digital forensics in practice and offers guidance to the experts in the choice of specialization. The proposed model takes into account the long-term effect (hire-to-retire). Due to the complexity of the model, the framework has a long implementation phase — the maximum time frame for achieving the full effect for the organization is expected to be 5 years. These proposals were approved by EDL CDU and the proposed plan was first launched in April 2019

The Practice of Basic Informatics 2020

Version 2020/04/02Kyoto University provides courses on 'The Practice of Basic Informatics' as part of its Liberal Arts and Sciences Program. The course is taught at many schools and departments, and course contents vary to meet the requirements of these schools and departments. This textbook is made open to the students of all schools that teach these courses. As stated in Chapter 1, this book is written with the aim of building ICT skills for study at university, that is, ICT skills for academic activities. Some topics may not be taught in class. However, the book is written for self-study by students. We include many exercises in this textbook so that instructors can select some of them for their classes, to accompany their teaching plans. The courses are given at the computer laboratories of the university, and the contents of this textbook assume that Windows 10 and Microsoft Office 2016 are available in these laboratories. In Chapter 13, we include an introduction to computer programming; we chose Python as the programming language because on the one hand it is easy for beginners to learn, and on the other, it is widely used in academic research. To check the progress of students' self-study, we have attached assessment criteria (a 'rubric') of this course as an Appendix. Current ICT is a product of the endeavors of many people. The "Great Idea" columns are included to show appreciation for such work. Dr. Yumi Kitamura and Dr. Hirohisa Hioki wrote Chapters 4 and 13, respectively. The remaining chapters were written by Dr. Hajime Kita. In revision for 2018 edition and after, Dr. Hiroyuki Sakai has participated in the author group, and Dr. Donghui Lin has also joined for English edition 2019. The authors hope that this textbook helps you to improve your academic ICT skill set. The content included in this book is selected based on the reference course plan discussed in the course development team for informatics at the Institute for Liberal Arts and Sciences. In writing this textbook, we obtained advice and suggestions from staffs of the Network Section, Information Infrastructure Division, Department of Planning and Information Management Department, Kyoto University on Chapters 2 and 3, from Mr. Sosuke Suzuki, NTT Communications Corporation also on Chapter 3, Rumi Haratake, Machiko Sakurai and Taku Sakamoto of the User Support Division, Kyoto University Library on Chapter 4. Dr. Masako Okamoto of Center for the Promotion of Excellence in Higher Education, Kyoto University helped us in revision of 2018 Japanese Edition. The authors would like to express their sincere gratitude to the people who supported them

Rakennuksen käyttöjärjestelmän luonti: kokonaisvaltainen lähestymistapa

Purpose of this thesis is to examine requirements for a building operating system from a holistic perspective. To understand the context of the subject, an extensive literature review was carried out which explores the evolution of operating systems alongside the history of computing, unravelling the concept of an operating system. In addition, various building information systems, including building automation systems and internet of things systems are reviewed in order to understand modern and future trends of building technology. Furthermore, literature review investigates telecommunications and digital identity authentication through their evolution and standardisation towards interoperability, to provide knowledge on how to achieve interoperability in building systems. An interview study was conducted as the empirical part of the study in order to complement the theoretical framework of the thesis. A dozen building digitalisation experts were interviewed, inquiring their insights on the current and future situation of building systems. More closely, open systems, open data, platform ownership, disruption, killer applications, user-centredness, and Finland’s opportunities were discussed in respect of the building operating system. Building operating system requires connection between various technology inside a building, and collaboration between various parties who use and manage the building. The system should exploit open standards and enable open data. User-centred development should be encouraged for the benefits of end users. The system needs to expand globally to achieve critical mass and unleash its full potential as a platform. Each building with similar properties should have the same features, being able to use same services and applications in any building with an operating system, thus enabling portability. The system requires convenient software development kits, application programming interfaces and abstractions for the needs of software and service developers. A vibrant developer community is required to expand the platform and enable a wide range of services and applications.Tämän diplomityön tarkoituksena on tutkia rakennuksen käyttöjärjestelmän holistisia vaatimuksia. Laaja kirjallisuuskatsaus tehtiin aiheen ymmärtämiseksi, joka tutkii käyttöjärjestelmien evoluutiota rinnakkain tietojenkäsittelyn historian kanssa, tarkoituksena hahmottaa käyttöjärjestelmän käsitettä. Lisäksi, eri rakennusten tietojärjestelmiä, mukaan lukien rakennusautomaatiojärjestelmiä ja esineiden internet -järjestelmiä käytiin läpi ymmärtääkseen nykyisiä ja tulevia trendejä rakennusteknologiassa. Edelleen kirjallisuuskatsaus tutkii televiestintää ja sähköistä tunnistautumista niiden kehityksen ja standardisoinnin kautta kohti yhteentoimivuutta, tarjoten tietoa siitä, miten yhteentoimivuutta voitaisiin kehittää rakennusjärjestelmissä. Haastattelututkimus tehtiin diplomityön empiirisenä osuutena, jonka tarkoituksena oli laajentaa työn teoreettista viitekehystä. Tusina rakennusten digitalisaation asiantuntijaa haastateltiin, joilta kysyttiin rakennusjärjestelmien nykytilasta ja tulevaisuudesta. Lähemmin, keskustelut käsittelivät avoimia järjestelmiä, avointa dataa, alustan omistajuutta, disruptiota, menestyssovelluksia, käyttäjäkeskeisyyttä sekä Suomen kansainvälistä potentiaalia rakennuksen käyttöjärjestelmän näkökulmasta. Rakennuksen käyttöjärjestelmä vaatii rakennuksen sisällä olevien eri teknologioiden yhteenliittämisen, sekä yhteistyötä rakennusta käyttävien ja hallinnoivien osapuolten välillä. Järjestelmän pitäisi hyödyntää avoimia standardeja ja mahdollistaa avoimen datan käytön. Käyttäjäkeskeistä suunnittelua pitäisi kannustaa loppukäyttäjien etuja suosien. Järjestelmän täytyy levitä globaalisti saavuttaakseen kriittisen massan ja ottaakseen käyttöön sen koko potentiaalin. Jokaisella samankaltaisella rakennuksella täytyisi olla käytössään yhtäläiset ominaisuudet, mahdollistaen samojen palveluiden ja sovellusten käytön missä tahansa käyttöjärjestelmää käyttävässä rakennuksessa, täten mahdollistaen siirrettävyyden. Järjestelmä vaatii sopivat ohjelmointirajapinnat, abstraktiot ja ohjelmistokehykset sovellus- ja palvelukehittäjien tarpeita varten. Laaja kehitysyhteisö vaaditaan alustan levittämiseksi ja sovellustarjonnan laajentamiseksi

Security hardened remote terminal units for SCADA networks.

Remote terminal units (RTUs) are perimeter supervisory control and data acquisition (SCADA) devices that measure and control actual physical devices. Cyber security was largely ignored in SCADA for many years, and the cyber security issues that now face SCADA and DCS, specifically RTU security, are investigated in this research. This dissertation presents a new role based access control model designed specifically for RTUs and process control. The model is developed around the process control specific data element called a point, and point operations. The model includes: assignment constraints that limit the RTU operations that a specific role can be assigned and activation constraints that allow a security administrator to specify conditions when specific RTU roles or RTU permissions cannot be used. RTU enforcement of the new access control model depends on, and is supported by, the protection provided by an RTU\u27s operating system. This dissertation investigates two approaches for using minimal kernels to reduce potential vulnerabilities in RTU protection enforcement and create a security hardened RTU capable of supporting the new RTU access control model. The first approach is to reduce a commercial OS kernel to only those components needed by the RTU, removing any known or unknown vulnerabilities contained in the eliminated code and significantly reducing the size of the kernel. The second approach proposes using a microkernel that supports partitioning as the basis for an RTU specific operating system which isolates network related RTU software, the RTU attack surface, from critical RTU operational software such as control algorithms and analog and digital input and output. In experimental analysis of a prototype hardened RTU connected to real SCADA hardware, a reduction of over 50% was obtained in reducing a 2.4 Linux kernel to run on actual RTU hardware. Functional testing demonstrated that different users were able to carryout assigned tasks with the limited set of permissions provided by the security hardened RTU and a series of simulated insider attacks were prevented by the RTU role based access control system. Analysis of communication times indicated response times would be acceptable for many SCADA and DCS application areas. Investigation of a partitioning microkernel for an RTU identified the L4 microkernel as an excellent candidate. Experimental evaluation of L4 on real hardware found the IPC overhead for simulated critical RTU operations protected by L4 partitioning to be sufficiently small to warrant continued investigation of the approach