Network Security Intelligence Centres for Information Security Incident Management

Programme: 6598 - Ph.D. on the Basis of Prior Published Works in Cyber SecurityIntensive IT development has led to qualitative changes in our living, which are driving current information security (IS) trends and require sophisticated structures and adequate approached to manage IS for different businesses. The wide range of threats is constantly growing in modern intranets; they have become not only numerous and diverse but more disruptive. In such circumstances, organizations realize that IS incidents’ timely detection and prevention in the future (what is more important) are not only possible but imperative. Any delay and only reactive actions to IS incidents put their assets under risk. A properly designed IS incident management system (ISIMS), operating as an integral part of the whole organization’s governance system, reduces IS incidents’ number and limits damage caused by them. To maximally automate IS incident management (ISIM) within one organization and to deepen its knowledge of IS level, this research proposes to unite together all advantages of a Security Intelligence Centre (SIC) and a Network Operations Centre (NOC) with their unique and joint toolkits and techniques in a unified Network SIC (NSIC). For this purpose the glossary of the research area was introduced, the taxonomy of IS threats, vulnerabilities, network attacks, and incidents was determined. Further, IS monitoring as one of the ISIM processes was described, the Security Information and Event Management (SIEM) systems’ role in it and their evolution were shown. The transition from Security Operations Centres (SOCs) to SICs was followed up. At least, modern network environment’s requirements for new protection solutions were formulated and it was proven that the NSIC proposed as a combination of a SIC and a NOC fully meets them. The NSIC’s zone security infrastructure with corresponding IS controls is proposed. Its implementation description at the Moscow Engineering Physics Institute concludes the research at this stage. In addition, some proposals for the training of highly qualified personnel for NSICs were formulated. The creation of an innovative NSIC concept, its interpretation, construction and initial implementation through original research presented are its main results. They contribute substantially to the modern networks’ security, as they extend the forefront of the SOCs and SICc used nowadays and generate significant new knowledge and understanding of network security requirements and solutions

TACTICAL BLOCKCHAIN TO PROVIDE DATA PROVENANCE IN SUPPORT OF INTERNET OF BATTLEFIELD THINGS AND BIG DATA ANALYTICS

This capstone project evaluated the use of blockchain technology to address a number of challenges with increasing amounts of disparate sensor data and an information-rich landscape that can quickly overwhelm effective decision-making processes. The team explored how blockchain can be used in a variety of defense applications to verify users, validate sensor data fed into artificial intelligence models, limit access to data, and provide an audit trail across the data life cycle. The team developed a conceptual design for implementing blockchain for tactical data, artificial intelligence, and machine learning applications; identified challenges and limitations involved in implementing blockchain for the tactical domain; described the benefits of blockchain for these various applications; and evaluated this project’s findings to propose future research into a wider set of blockchain applications. The team did this through the development of three use cases. One use case demonstrated the use of blockchain at the tactical edge in a “data light” information environment. The second use case explored the use of blockchain in securing medical information in the electronic health record. The third use case studied blockchain’s application in the use of multiple sensors collecting data for chemical weapons defense to support measurement and signature intelligence analysis using artificial intelligence and machine learning.Civilian, Department of the ArmyCivilian, Department of the ArmyCivilian, Department of the ArmyCivilian, Department of the ArmyCivilian, Department of the ArmyApproved for public release. Distribution is unlimited

Cybersecurity Risk in U.S. Critical Infrastructure: An Analysis of Publicly Available U.S. Government Alerts and Advisories

As threat actor operations become increasingly sophisticated and emphasize the targeting of critical infrastructure and services, the need for cybersecurity information sharing will continue to grow. Escalating demand for cyber threat intelligence and information sharing across the cybersecurity community has resulted in the need to better understand the information produced by reputable sources such as U.S. CISA Alerts and ICS-CERT advisories. The text analysis program, Profiler Plus, is used to extract information from 1,574 U.S. government alerts and advisories to develop visualizations and generate enhanced insights into different cyber threat actor types, the tactics which can be used for cyber operations, and sectors of critical infrastructure at risk of an attack. The findings of this study enhance cyber threat intelligence activities by enabling an understanding of the trends in public information sharing as well as identifying gaps in open-source reporting on cyber-threat information

Identity Management and Authorization Infrastructure in Secure Mobile Access to Electronic Health Records

We live in an age of the mobile paradigm of anytime/anywhere access, as the mobile device is the most ubiquitous device that people now hold. Due to their portability, availability, easy of use, communication, access and sharing of information within various domains and areas of our daily lives, the acceptance and adoption of these devices is still growing. However, due to their potential and raising numbers, mobile devices are a growing target for attackers and, like other technologies, mobile applications are still vulnerable. Health information systems are composed with tools and software to collect, manage, analyze and process medical information (such as electronic health records and personal health records). Therefore, such systems can empower the performance and maintenance of health services, promoting availability, readability, accessibility and data sharing of vital information about a patients overall medical history, between geographic fragmented health services. Quick access to information presents a great importance in the health sector, as it accelerates work processes, resulting in better time utilization. Additionally, it may increase the quality of care. However health information systems store and manage highly sensitive data, which raises serious concerns regarding patients privacy and safety, and may explain the still increasing number of malicious incidents reports within the health domain. Data related to health information systems are highly sensitive and subject to severe legal and regulatory restrictions, that aim to protect the individual rights and privacy of patients. Along side with these legislations, security requirements must be analyzed and measures implemented. Within the necessary security requirements to access health data, secure authentication, identity management and access control are essential to provide adequate means to protect data from unauthorized accesses. However, besides the use of simple authentication models, traditional access control models are commonly based on predefined access policies and roles, and are inflexible. This results in uniform access control decisions through people, different type of devices, environments and situational conditions, and across enterprises, location and time. Although already existent models allow to ensure the needs of the health care systems, they still lack components for dynamicity and privacy protection, which leads to not have desire levels of security and to the patient not to have a full and easy control of his privacy. Within this master thesis, after a deep research and review of the stat of art, was published a novel dynamic access control model, Socio-Technical Risk-Adaptable Access Control modEl (SoTRAACE), which can model the inherent differences and security requirements that are present in this thesis. To do this, SoTRAACE aggregates attributes from various domains to help performing a risk assessment at the moment of the request. The assessment of the risk factors identified in this work is based in a Delphi Study. A set of security experts from various domains were selected, to classify the impact in the risk assessment of each attribute that SoTRAACE aggregates. SoTRAACE was integrated in an architecture with requirements well-founded, and based in the best recommendations and standards (OWASP, NIST 800-53, NIST 800-57), as well based in deep review of the state-of-art. The architecture is further targeted with the essential security analysis and the threat model. As proof of concept, the proposed access control model was implemented within the user-centric architecture, with two mobile prototypes for several types of accesses by patients and healthcare professionals, as well the web servers that handles the access requests, authentication and identity management. The proof of concept shows that the model works as expected, with transparency, assuring privacy and data control to the user without impact for user experience and interaction. It is clear that the model can be extended to other industry domains, and new levels of risks or attributes can be added because it is modular. The architecture also works as expected, assuring secure authentication with multifactor, and secure data share/access based in SoTRAACE decisions. The communication channel that SoTRAACE uses was also protected with a digital certificate. At last, the architecture was tested within different Android versions, tested with static and dynamic analysis and with tests with security tools. Future work includes the integration of health data standards and evaluating the proposed system by collecting users’ opinion after releasing the system to real world.Hoje em dia vivemos em um paradigma móvel de acesso em qualquer lugar/hora, sendo que os dispositivos móveis são a tecnologia mais presente no dia a dia da sociedade. Devido à sua portabilidade, disponibilidade, fácil manuseamento, poder de comunicação, acesso e partilha de informação referentes a várias áreas e domínios das nossas vidas, a aceitação e integração destes dispositivos é cada vez maior. No entanto, devido ao seu potencial e aumento do número de utilizadores, os dispositivos móveis são cada vez mais alvos de ataques, e tal como outras tecnologias, aplicações móveis continuam a ser vulneráveis. Sistemas de informação de saúde são compostos por ferramentas e softwares que permitem recolher, administrar, analisar e processar informação médica (tais como documentos de saúde eletrónicos). Portanto, tais sistemas podem potencializar a performance e a manutenção dos serviços de saúde, promovendo assim a disponibilidade, acessibilidade e a partilha de dados vitais referentes ao registro médico geral dos pacientes, entre serviços e instituições que estão geograficamente fragmentadas. O rápido acesso a informações médicas apresenta uma grande importância para o setor da saúde, dado que acelera os processos de trabalho, resultando assim numa melhor eficiência na utilização do tempo e recursos. Consequentemente haverá uma melhor qualidade de tratamento. Porém os sistemas de informação de saúde armazenam e manuseiam dados bastantes sensíveis, o que levanta sérias preocupações referentes à privacidade e segurança do paciente. Assim se explica o aumento de incidentes maliciosos dentro do domínio da saúde. Os dados de saúde são altamente sensíveis e são sujeitos a severas leis e restrições regulamentares, que pretendem assegurar a proteção dos direitos e privacidade dos pacientes, salvaguardando os seus dados de saúde. Juntamente com estas legislações, requerimentos de segurança devem ser analisados e medidas implementadas. Dentro dos requerimentos necessários para aceder aos dados de saúde, uma autenticação segura, gestão de identidade e controlos de acesso são essenciais para fornecer meios adequados para a proteção de dados contra acessos não autorizados. No entanto, além do uso de modelos simples de autenticação, os modelos tradicionais de controlo de acesso são normalmente baseados em políticas de acesso e cargos pré-definidos, e são inflexíveis. Isto resulta em decisões de controlo de acesso uniformes para diferentes pessoas, tipos de dispositivo, ambientes e condições situacionais, empresas, localizações e diferentes alturas no tempo. Apesar dos modelos existentes permitirem assegurar algumas necessidades dos sistemas de saúde, ainda há escassez de componentes para accesso dinâmico e proteção de privacidade , o que resultam em níveis de segurança não satisfatórios e em o paciente não ter controlo directo e total sobre a sua privacidade e documentos de saúde. Dentro desta tese de mestrado, depois da investigação e revisão intensiva do estado da arte, foi publicado um modelo inovador de controlo de acesso, chamado SoTRAACE, que molda as diferenças de acesso inerentes e requerimentos de segurança presentes nesta tese. Para isto, o SoTRAACE agrega atributos de vários ambientes e domínios que ajudam a executar uma avaliação de riscos, no momento em que os dados são requisitados. A avaliação dos fatores de risco identificados neste trabalho são baseados num estudo de Delphi. Um conjunto de peritos de segurança de vários domínios industriais foram selecionados, para classificar o impacto de cada atributo que o SoTRAACE agrega. O SoTRAACE foi integrado numa arquitectura para acesso a dados médicos, com requerimentos bem fundados, baseados nas melhores normas e recomendações (OWASP, NIST 800-53, NIST 800-57), e em revisões intensivas do estado da arte. Esta arquitectura é posteriormente alvo de uma análise de segurança e modelos de ataque. Como prova deste conceito, o modelo de controlo de acesso proposto é implementado juntamente com uma arquitetura focada no utilizador, com dois protótipos para aplicações móveis, que providênciam vários tipos de acesso de pacientes e profissionais de saúde. A arquitetura é constituída também por servidores web que tratam da gestão de dados, controlo de acesso e autenticação e gestão de identidade. O resultado final mostra que o modelo funciona como esperado, com transparência, assegurando a privacidade e o controlo de dados para o utilizador, sem ter impacto na sua interação e experiência. Consequentemente este modelo pode-se extender para outros setores industriais, e novos níveis de risco ou atributos podem ser adicionados a este mesmo, por ser modular. A arquitetura também funciona como esperado, assegurando uma autenticação segura com multi-fator, acesso e partilha de dados segura baseado em decisões do SoTRAACE. O canal de comunicação que o SoTRAACE usa foi também protegido com um certificado digital. A arquitectura foi testada em diferentes versões de Android, e foi alvo de análise estática, dinâmica e testes com ferramentas de segurança. Para trabalho futuro está planeado a integração de normas de dados de saúde e a avaliação do sistema proposto, através da recolha de opiniões de utilizadores no mundo real

Internet of Things and Intelligent Technologies for Efficient Energy Management in a Smart Building Environment

Internet of Things (IoT) is attempting to transform modern buildings into energy efficient, smart, and connected buildings, by imparting capabilities such as real-time monitoring, situational awareness and intelligence, and intelligent control. Digitizing the modern day building environment using IoT improves asset visibility and generates energy savings. This dissertation provides a survey of the role, impact, and challenges and recommended solutions of IoT for smart buildings. It also presents an IoT-based solution to overcome the challenge of inefficient energy management in a smart building environment. The proposed solution consists of developing an Intelligent Computational Engine (ICE), composed of various IoT devices and technologies for efficient energy management in an IoT driven building environment. ICE’s capabilities viz. energy consumption prediction and optimized control of electric loads have been developed, deployed, and dispatched in the Real-Time Power and Intelligent Systems (RTPIS) laboratory, which serves as the IoT-driven building case study environment. Two energy consumption prediction models viz. exponential model and Elman recurrent neural network (RNN) model were developed and compared to determine the most accurate model for use in the development of ICE’s energy consumption prediction capability. ICE’s prediction model was developed in MATLAB using cellular computational network (CCN) technique, whereas the optimized control model was developed jointly in MATLAB and Metasys Building Automation System (BAS) using particle swarm optimization (PSO) algorithm and logic connector tool (LCT), respectively. It was demonstrated that the developed CCN-based energy consumption prediction model was highly accurate with low error % by comparing the predicted and the measured energy consumption data over a period of one week. The predicted energy consumption values generated from the CCN model served as a reference for the PSO algorithm to generate control parameters for the optimized control of the electric loads. The LCT model used these control parameters to regulate the electric loads to save energy (increase energy efficiency) without violating any operational constraints. Having ICE’s energy consumption prediction and optimized control of electric loads capabilities is extremely useful for efficient energy management as they ensure that sufficient energy is generated to meet the demands of the electric loads optimally at any time thereby reducing wasted energy due to excess generation. This, in turn, reduces carbon emissions and generates energy and cost savings. While the ICE was tested in a small case-study environment, it could be scaled to any smart building environment

Smart Grid Metering Networks: A Survey on Security, Privacy and Open Research Issues

Smart grid (SG) networks are newly upgraded networks of connected objects that greatly improve reliability, efficiency and sustainability of the traditional energy infrastructure. In this respect, the smart metering infrastructure (SMI) plays an important role in controlling, monitoring and managing multiple domains in the SG. Despite the salient features of SMI, security and privacy issues have been under debate because of the large number of heterogeneous devices that are anticipated to be coordinated through public communication networks. This survey paper shows a brief overview of real cyber attack incidents in traditional energy networks and those targeting the smart metering network. Specifically, we present a threat taxonomy considering: (i) threats in system-level security, (ii) threats and/or theft of services, and (iii) threats to privacy. Based on the presented threats, we derive a set of security and privacy requirements for SG metering networks. Furthermore, we discuss various schemes that have been proposed to address these threats, considering the pros and cons of each. Finally, we investigate the open research issues to shed new light on future research directions in smart grid metering networks

Cybersecurity, our digital anchor: A European perspective

The Report ‘Cybersecurity – Our Digital Anchor’ brings together research from different disciplinary fields of the Joint Research Centre (JRC), the European Commission's science and knowledge service. It provides multidimensional insights into the growth of cybersecurity over the last 40 years, identifying weaknesses in the current digital evolution and their impacts on European citizens and industry. The report also sets out the elements that potentially could be used to shape a brighter and more secure future for Europe’s digital society, taking into account the new cybersecurity challenges triggered by the COVID-19 crisis. According to some projections, cybercrime will cost the world EUR 5.5 trillion by the end of 2020, up from EUR 2.7 trillion in 2015, due in part to the exploitation of the COVID-19 pandemic by cyber criminals. This figure represents the largest transfer of economic wealth in history, more profitable than the global trade in all major illegal drugs combined, putting at risk incentives for innovation and investment. Furthermore, cyber threats have moved beyond cybercrime and have become a matter of national security. The report addresses relevant issues, including: - Critical infrastructures: today, digital technologies are at the heart of all our critical infrastructures. Hence, their cybersecurity is already – and will become increasingly – a matter of critical infrastructure protection (see the cases of Estonia and Ukraine). - Magnitude of impact: the number of citizens, organisations and businesses impacted simultaneously by a single attack can be huge. - Complexity and duration of attacks: attacks are becoming more and more complex, demonstrating attackers’ enhanced planning capabilities. Moreover, attacks are often only detected post-mortem . - Computational power: the spread of malware also able to infect mobile and Internet of Things (IoT) devices (as in the case of Mirai botnet), hugely increases the distributed computational power of the attacks (especially in the case of denial of services (DoS)). The same phenomenon makes the eradication of an attack much more difficult. - Societal aspects: cyber threats can have a potentially massive impact on society, up to the point of undermining the trust citizens have in digital services. As such services are intertwined with our daily life, any successful cybersecurity strategy must take into consideration the human and, more generally, societal aspects. This report shows how the evolution of cybersecurity has always been determined by a type of cause-and-effect trend: the rise in new digital technologies followed by the discovery of new vulnerabilities, for which new cybersecurity measures must be identified. However, the magnitude and impacts of today's cyber attacks are now so critical that the digital society must prepare itself before attacks happen. Cybersecurity resilience along with measures to deter attacks and new ways to avoid software vulnerabilities should be enhanced, developed and supported. The ‘leitmotiv’ of this report is the need for a paradigm shift in the way cybersecurity is designed and deployed, to make it more proactive and better linked to societal needs. Given that data flows and information are the lifeblood of today’s digital society, cybersecurity is essential for ensuring that digital services work safely and securely while simultaneously guaranteeing citizens’ privacy and data protection. Thus, cybersecurity is evolving from a technological ‘option’ to a societal must. From big data to hyperconnectivity, from edge computing to the IoT, to artificial intelligence (AI), quantum computing and blockchain technologies, the ‘nitty-gritty’ details of cybersecurity implementation will always remain field-specific due to specific sectoral constraints. This brings with it inherent risks of a digital society with heterogeneous and inconsistent levels of security. To counteract this, we argue for a coherent, cross-sectoral and cross-societal cybersecurity strategy which can be implemented across all layers of European society. This strategy should cover not only the technological aspects but also the societal dimensions of ‘behaving in a cyber-secure way’. Consequently, the report concludes by presenting a series of possible actions instrumental to building a European digital society secure by design.JRC.E.3-Cyber and Digital Citizens' Securit

HI-Risk: a socio-technical method for the identification and monitoring of healthcare information security risks in the information society

This thesis describes the development of the HI-risk method to assess socio-technical information security risks. The method is based on the concept that related organisations experience similar risks and could benefit from sharing knowledge in order to take effective security measures. The aim of the method is to predict future risks by combining knowledge of past information security incidents with forecasts made by experts. HI-risks articulates the view that information security risk analysis should include human, environmental, and societal factors, and that collaboration amongst disciplines, organisations and experts is essential to improve security risk intelligence in today’s information society. The HI-risk method provides the opportunity for participating organisations to register their incidents centrally. From this register, an analysis of the incident scenarios leads to the visualisation of the most frequent scenario trees. These scenarios are presented to experts in the field. The experts express their opinions about the expected frequency of occurrence for the future. Their expectation is based on their experience, their knowledge of existing countermeasures, and their insight into new potential threats. The combination of incident and expert knowledge forms a risk map. The map is the main deliverable of the HI-risk method, and organisations could use it to monitor their information security risks. The HI-risk method was designed by following the rigorous process of design science research. The empirical methods used included qualitative and quantitative techniques, such as an analysis of historical security incident data from healthcare organisations, expert elicitation through a Delphi study, and a successful test of the risk forecast in a case organisation. The research focused on healthcare, but has potential to be further developed as a knowledge-based system or expert system, applicable to any industry. That system could be used as a tool for management to benchmark themselves against other organisations, to make security investment decisions, to learn from past incidents and to provide input for policy makers

HI-Risk: a socio-technical method for the identification and monitoring of healthcare information security risks in the information society

This thesis describes the development of the HI-risk method to assess socio-technical information security risks. The method is based on the concept that related organisations experience similar risks and could benefit from sharing knowledge in order to take effective security measures. The aim of the method is to predict future risks by combining knowledge of past information security incidents with forecasts made by experts. HI-risks articulates the view that information security risk analysis should include human, environmental, and societal factors, and that collaboration amongst disciplines, organisations and experts is essential to improve security risk intelligence in today’s information society. The HI-risk method provides the opportunity for participating organisations to register their incidents centrally. From this register, an analysis of the incident scenarios leads to the visualisation of the most frequent scenario trees. These scenarios are presented to experts in the field. The experts express their opinions about the expected frequency of occurrence for the future. Their expectation is based on their experience, their knowledge of existing countermeasures, and their insight into new potential threats. The combination of incident and expert knowledge forms a risk map. The map is the main deliverable of the HI-risk method, and organisations could use it to monitor their information security risks. The HI-risk method was designed by following the rigorous process of design science research. The empirical methods used included qualitative and quantitative techniques, such as an analysis of historical security incident data from healthcare organisations, expert elicitation through a Delphi study, and a successful test of the risk forecast in a case organisation. The research focused on healthcare, but has potential to be further developed as a knowledge-based system or expert system, applicable to any industry. That system could be used as a tool for management to benchmark themselves against other organisations, to make security investment decisions, to learn from past incidents and to provide input for policy makers