Refining the PoinTER “human firewall” pentesting framework
Purpose: Penetration tests have become a valuable tool in the cyber security defence strategy, in terms of detecting vulnerabilities. Although penetration testing has traditionally focused on technical aspects, the field has started to realise the importance of the human in the organisation, and the need to ensure that humans are resistant to cyber-attacks. To achieve this, some organisations “pentest” their employees, testing their resilience and ability to detect and repel human-targeted attacks. In a previous paper we reported on PoinTER (Prepare TEst Remediate), a human pentesting framework, tailored to the needs of SMEs. In this paper, we propose improvements to refine our framework. The improvements are based on a derived set of ethical principles that have been subjected to ethical scrutiny.
Methodology: We conducted a systematic literature review of academic research, a review of actual hacker techniques, industry recommendations and official body advice related to social engineering techniques. To meet our requirements to have an ethical human pentesting framework, we compiled a list of ethical principles from the research literature which we used to filter out techniques deemed unethical.
Findings: Drawing on social engineering techniques from academic research, reported by the hacker community, industry recommendations and official body advice, and subjecting each technique to ethical inspection using a comprehensive list of ethical principles, we propose the refined GDPR-compliant and privacy-respecting PoinTER Framework. The list of ethical principles, we suggest, could also inform ethical technical pentests.
Originality: Previous work has considered penetration testing humans, but few have produced a comprehensive framework such as PoinTER. PoinTER has been rigorously derived from multiple sources and ethically scrutinised through inspection, using a comprehensive list of ethical principles derived from the research literature.
Bridging Information Security and Environmental Criminology Research to Better Mitigate Cybercrime
Cybercrime is a complex phenomenon that spans both technical and human
aspects. As such, two disjoint areas have been studying the problem from
separate angles: the information security community and the environmental
criminology one. Despite the large body of work produced by these communities
in the past years, the two research efforts have largely remained disjoint,
with researchers on one side not benefitting from the advancements proposed by
the other. In this paper, we argue that it would be beneficial for the
information security community to look at the theories and systematic
frameworks developed in environmental criminology to develop better mitigations
against cybercrime. To this end, we provide an overview of the research from
environmental criminology and how it has been applied to cybercrime. We then
survey some of the research proposed in the information security domain,
drawing explicit parallels between the proposed mitigations and environmental
criminology theories, and presenting some examples of new mitigations against
cybercrime. Finally, we discuss the concept of cyberplaces and propose a
framework in order to define them. We discuss this as a potential research
direction, taking into account both fields of research, in the hope of
broadening interdisciplinary efforts in cybercrime research.
Security, Privacy and Safety Risk Assessment for Virtual Reality Learning Environment Applications
Social Virtual Reality based Learning Environments (VRLEs) such as vSocial
render instructional content in a three-dimensional immersive computer
experience for training youth with learning impediments. There are limited
prior works that explored attack vulnerability in VR technology, and hence
there is a need for systematic frameworks to quantify risks corresponding to
security, privacy, and safety (SPS) threats. The SPS threats can adversely
impact the educational user experience and hinder delivery of VRLE content. In
this paper, we propose a novel risk assessment framework that utilizes attack
trees to calculate a risk score for varied VRLE threats with rate and duration
of threats as inputs. We compare the impact of a well-constructed attack tree
with an adhoc attack tree to study the trade-offs between overheads in managing
attack trees, and the cost of risk mitigation when vulnerabilities are
identified. We use a vSocial VRLE testbed in a case study to showcase the
effectiveness of our framework and demonstrate how a suitable attack tree
formalism can result in a safer, more privacy-preserving and secure VRLE
system.
Comment: To appear in the CCNC 2019 Conference
Taxonomy of Attacks on Open-Source Software Supply Chains
The widespread dependency on open-source software makes it a fruitful target
for malicious actors, as demonstrated by recurring attacks. The complexity of
today's open-source supply chains results in a significant attack surface,
giving attackers numerous opportunities to reach the goal of injecting
malicious code into open-source artifacts that is then downloaded and executed
by victims.
This work proposes a general taxonomy for attacks on open-source supply
chains, independent of specific programming languages or ecosystems, and
covering all supply chain stages from code contributions to package
distribution. Taking the form of an attack tree, it covers 107 unique vectors,
linked to 94 real-world incidents, and mapped to 33 mitigating safeguards.
User surveys conducted with 17 domain experts and 134 software developers
positively validated the correctness, comprehensiveness and comprehensibility
of the taxonomy, as well as its suitability for various use-cases. Survey
participants also assessed the utility and costs of the identified safeguards,
and whether they are used
Measuring and Disrupting Malware Distribution Networks: An Interdisciplinary Approach
Malware Delivery Networks (MDNs) are networks of webpages, servers, computers, and computer files that are used by cybercriminals to proliferate malicious software (or malware) onto victim machines. The business of malware delivery is a complex and multifaceted one that has become increasingly profitable over the last few years. Due to the ongoing arms race between cybercriminals and the security community, cybercriminals are constantly evolving and streamlining their techniques to beat security countermeasures and avoid disruption to their operations, such as by security researchers infiltrating their botnet operations, or law enforcement taking down their infrastructures and arresting those involved. So far, the research community has conducted insightful but isolated studies into the different facets of malicious file distribution. Hence, only a limited picture of the malicious file delivery ecosystem has been provided thus far, leaving many questions unanswered. Using a data-driven and interdisciplinary approach, the purpose of this research is twofold. One, to study and measure the malicious file delivery ecosystem, bringing prior research into context, and to understand precisely how these malware operations respond to security and law enforcement intervention. And two, taking into account the overlapping research efforts of the information security and crime science communities towards preventing cybercrime, this research aims to identify mitigation strategies and intervention points to disrupt this criminal economy more effectively
Practical Attacks Against Graph-based Clustering
Graph modeling allows numerous security problems to be tackled in a general
way, however, little work has been done to understand their ability to
withstand adversarial attacks. We design and evaluate two novel graph attacks
against a state-of-the-art network-level, graph-based detection system. Our
work highlights areas in adversarial machine learning that have not yet been
addressed, specifically: graph-based clustering techniques, and a global
feature space where realistic attackers without perfect knowledge must be
accounted for (by the defenders) in order to be practical. Even though less
informed attackers can evade graph clustering with low cost, we show that some
practical defenses are possible.
Comment: ACM CCS 201
The effects of security protocols on cybercrime at Ahmadu Bello University, Zaria, Nigeria.
Masters Degree. University of KwaZulu-Natal, Durban.
The use of Information Communication Technology (ICT) within the educational
sector is increasing rapidly. University systems are becoming increasingly
dependent on computerized information systems (CIS) in order to carry out their
daily routine. Moreover, CIS no longer process staff records and financial data
only, as they once did. Nowadays, universities use CIS to assist in automating
the overall system. This automation includes the use of multiple databases, data
detail periodicity (i.e. gender, race/ethnicity, enrollment, degrees granted, and
program major), record identification (e.g. social security number “SSN”), linking
to other databases (i.e. linking unit record data with external databases such as
university and employment data).
The increasing demand and exposure to Internet resources and infrastructure by
individuals and universities have made IT infrastructure easy targets for
cybercriminals who employ sophisticated attacks such as Advanced Persistent
Threats, Distributed Denial of Service attacks and Botnets in order to steal
confidential data, identities of individuals and money. Hence, in order to stay in
business, universities realise that it is imperative to secure vital Information
Systems from easily being exploited by emerging and existing forms of
cybercrimes. This study was conducted to determine and evaluate the various
forms of cybercrimes and their consequences on the university network at
Ahmadu Bello University, Zaria. The study was also aimed at proposing means
of mitigating cybercrimes and their effects on the university network. Hence, an
exploratory research design supported by qualitative research approach was
used in this study. Staff of the Institute of Computing, Information and
Communication technology (ICICT) were interviewed. The findings of the study
present different security measures, and security tools that can be used to
effectively mitigate cybercrimes. It was found that social engineering, denial of
service attacks, website defacement were among the types of cybercrimes
occurring on the university network. It is therefore recommended that a behavioural
approach, in the form of motivating staff behaviour through salary increases and cash
incentives, be adopted to reduce cybercrime perpetrated by these staff.
Command & Control: Understanding, Denying and Detecting - A review of malware C2 techniques, detection and defences
In this survey, we first briefly review the current state of cyber attacks,
highlighting significant recent changes in how and why such attacks are
performed. We then investigate the mechanics of malware command and control
(C2) establishment: we provide a comprehensive review of the techniques used by
attackers to set up such a channel and to hide its presence from the attacked
parties and the security tools they use. We then switch to the defensive side
of the problem, and review approaches that have been proposed for the detection
and disruption of C2 channels. We also map such techniques to widely-adopted
security controls, emphasizing gaps or limitations (and success stories) in
current best practices.
Comment: Work commissioned by CPNI, available at c2report.org. 38 pages.
Listing abstract compressed from version appearing in report.