A decision support system for corporations cyber security risk management

This thesis presents a decision aiding system named C3-SEC (Contex-aware Corporative Cyber Security), developed in the context of a master program at Polytechnic Institute of Leiria, Portugal. The research dimension and the corresponding software development process that followed are presented and validated with an application scenario and case study performed at Universidad de las Fuerzas Armadas ESPE – Ecuador. C3-SEC is a decision aiding software intended to support cyber risks and cyber threats analysis of a corporative information and communications technological infrastructure. The resulting software product will help corporations Chief Information Security Officers (CISO) on cyber security risk analysis, decision-making and prevention measures for the infrastructure and information assets protection. The work is initially focused on the evaluation of the most popular and relevant tools available for risk assessment and decision making in the cyber security domain. Their properties, metrics and strategies are studied and their support for cyber security risk analysis, decision-making and prevention is assessed for the protection of organization's information assets. A contribution for cyber security experts decision support is then proposed by the means of reuse and integration of existing tools and C3-SEC software. C3-SEC extends existing tools features from the data collection and data analysis (perception) level to a full context-ware reference model. The software developed makes use of semantic level, ontology-based knowledge representation and inference supported by widely adopted standards, as well as cyber security standards (CVE, CPE, CVSS, etc.) and cyber security information data sources made available by international authorities, to share and exchange information in this domain. C3-SEC development follows a context-aware systems reference model addressing the perception, comprehension, projection and decision/action layers to create corporative scale cyber security situation awareness

Information Assurance; Small Business and the Basics

Business is increasingly dependent on information systems to allow decision makers to gather process and disseminate information. As the information landscape becomes more interconnected, the threats to computing resources also increase. While the Internet has allowed information to flow, it has also exposed businesses to vulnerabilities. Whereas large businesses have information technology (IT) departments to support their security, small businesses are at risk because they lack personnel dedicated to addressing, controlling and evaluating their information security efforts. Further complicating this situation, most small businesses IT capabilities have evolved in an ad hoc fashion where few employees understand the scope of the network and fewer if any sat down and envisioned a secure architecture as capabilities were added. This paper examines the problem from the perspective that IT professionals struggle to bring adequate Information Assurance (IA) to smaller organizations where the tools are well known, but the organizational intent of the information security stance lacks a cohesive structure for system development and enforcement. This paper focuses on a process that will allow IT professionals to rapidly improve their organizations\u27 security stance with few changes using tools already in place or available at little or no cost. Starting with an initial risk assessment research provides the groundwork for the introduction of a secure system development life cycle (SSLDC) where continual evaluation improves the security stance and operation of a networked computer system

Continuous Monitoring in the Cloud Environment

The National Institute of Standards and Technology introduced a risk management framework that concludes with a process for continuous monitoring. Continuous monitoring is a way to gain near real-time insight into the security health of an information technology environment. The cloud environment is unique from other environments in the way that resources are virtualized and shared among many cloud tenants. This type of computing has been gaining popularity as a solution for organizations to purchase resources as an on-demand service in the same way that an organization purchases utilities today. In order to experience the benefits promised by the emergence of cloud computing the inherent security challenges in utilizing shared resources must be addressed. The proposed continuous monitoring program, based on recommendations from the National Institute of Standards and Technology Draft Special Publication 800-137 (Dempsey et al., 2010), is intended to address these security concerns. The program specifically addresses continuous monitoring activities for cloud providers to implement related to configuration management, patch and vulnerability management, antivirus/malicious software management, firewall management, and access management. This proposal does not address the shared responsibilities between the cloud tenant and cloud provider which is recommended as the next step in this research. The tenant and provider should have complementary controls and continuous monitoring programs to ensure the security of a cloud solution

Redesigning the Information Assurance Undergraduate Curriculum at Regis University

When Regis University created the eSecurity curriculum in 2003, the lessons were pertinent to the then-current threats. Although the curriculum has slightly changed since then, the courses needed a major facelift to meet the ever changing cyber threats. The question of can Information Assurance courses at Regis University be refreshed to include virtual labs so they are based on ethical standards will be answered in this paper. Utilizing the Design Science methodology and incorporating Bloom â„¢s Taxonomy and the Jesuit educational approach, curriculum was identified and developed for the classroom and online students. By working with the Regis Distance Learning department, the thesis project was submitted for publication as part of the Regis Computer Networking courses

Software Engineering Tools For Secure Application Development

Software security has become a crucial part of an organization’s overall security strategy due to increasingly sophisticated attacks at the application layer. One of the major concerns in software engineering is the inadequate use of secure software development methods and tools. Such deficiency is caused by a lack of knowledge and training on available secure tools among software developers. This project conducts a thorough investigation of the tools that can be used by developers throughout the software development life cycle to assist in the development of secure applications, including tools used by individuals and teams, classified by open-source or commercial, tools based on project size, etc. This paper also includes a summary table that provides a quick overview of all the tools listed for developers and individuals to use

Use of Service Oriented Architecture for Scada Networks

Supervisory Control and Data Acquisition (SCADA) systems involve the use of distributed processing to operate geographically dispersed endpoint hardware components. They manage the control networks used to monitor and direct large-scale operations such as utilities and transit systems that are essential to national infrastructure. SCADA industrial control networks (ICNs) have long operated in obscurity and been kept isolated largely through strong physical security. Today, Internet technologies are increasingly being utilized to access control networks, giving rise to a growing concern that they are becoming more vulnerable to attack. Like SCADA, distributed processing is also central to cloud computing or, more formally, the Service Oriented Architecture (SOA) computing model. Certain distinctive properties differentiate ICNs from the enterprise networks that cloud computing developments have focused on. The objective of this project is to determine if modern cloud computing technologies can be also applied to improving dated SCADA distributed processing systems. Extensive research was performed regarding control network requirements as compared to those of general enterprise networks. Research was also conducted into the benefits, implementation, and performance of SOA to determine its merits for application to control networks. The conclusion developed is that some aspects of cloud computing might be usefully applied to SCADA systems but that SOA fails to meet ICN requirements in a certain essential areas. The lack of current standards for SOA security presents an unacceptable risk to SCADA systems that manage dangerous equipment or essential services. SOA network performance is also not sufficiently deterministic to suit many real-time hardware control applications. Finally, SOA environments cannot as yet address the regulatory compliance assurance requirements of critical infrastructure SCADA systems