A Taxonomy of Metrics for Hosted Databases

Abstract The past three years has seen exponential growth in the number of organizations who have elected to entrust core information technology functions to application service providers. Of particular interest is the outsourcing of critical systems such as corporate databases. Major banks and financial service firms are contracting with third party organizations, sometimes overseas, for their database needs. These sophisticated contracts require careful supervision by both parties. Due to the complexities of web-based applications and the complicated nature of databases, an entire class of software suites has been developed to measure the quality of service the database is providing. This article investigates the performance metrics which have evolved to satisfy this need and describes a taxonomy of performance metrics for hosted databases

Natural Language Processing as a Weapon

Natural Language Processing (NLP) is a science aimed at computationally interpreting written language. This field is maturing at an extraordinary pace. It is creating significant value and advancing a number of key research fronts. However, it also enables highly sophisticated phishing attacks. Given a large enough text sample, an NLP algorithm can identify and replicate defining characteristics of an individual’s communication patterns. This facilitates programmatic impersonation of trusted individuals. A natural language processor could interpret incoming text messages or email and improvise responses which approximate the language of a known contact. The recipient could be tricked into sharing sensitive information. Just how vulnerable are we? This paper reviews the state of the art of natural language processing and social engineering. It also describes a test which empirically assesses our ability to discern legitimate communications from algorithmically-produced forgeries

A New Approach to Mobile Device Authentication

The effectiveness of primary and secondary authentication systems on mobile devices leaves room for improvement. Device manufacturers provide security features which require users to memorize long, complex passwords and/or provide biometric information. These approaches have drawbacks which make their continued usage untenable. Users are already inundated with passwords and regularly forget answers to security challenges. People are growing resistant to sharing their biometrics with device manufacturers. An authentication solution which overcome these limitations are essential. This research addresses this need by proposing a new method for mobile device authentication. First, it reviews past and current approaches to authentication. It then identifies design goals for future mobile device authentication systems. Finally, it describes a new model for backup mobile device authentication. The proposed model integrates video with social authentication for asynchronous secondary verification

A Structured Approach to Effective Access Control List Tuning

Access control lists (ACLs) are rule sets that govern the passing of data packets through network devices such as routers and firewalls. In order to maximize data throughput and minimize security risks, they must be adjusted. The tuning process involves the reconciliation of changed access requirements with the existing rule set, identification of vulnerabilities or performance-degrading rules, and implementation of changes. Informal approaches to this complex task often involve multitasking, a strategy that leads to an increased rate of misconfiguration. To mitigate the impact of perceived task complexity, this research proposes a structured approach to the ACL refinement process. The formalized approach is meant to reduce cognitive overload among information security analysts by sequentially ordering the steps through which an access control list is modified. This work-in-progress also describes an experiment for evaluating the artifact. If supported, it will help IT professionals better secure their infrastructure

Training Wheels: A New Approach to Teaching Mobile Device Security

Despite massive investments in cyber security education, training, and awareness programs, most people retain unsafe mobile computing habits. They not only jeopardize their own data, but also risk the security of their associated organizations. It appears that conventional training programs are not ingraining sound security practices on trainees. This research questions the efficacy of legacy SETA frameworks and proposes a new cyber training tool for mobile devices. The tool is called Training Wheels. Training Wheels stands a number of cyber security training practices on their heads: instead of using punitive methods of reinforcement it provides rewards to encourage good behavior, instead of summary measures of security compliance it gives real-time feedback, and instead of isolating participants it displays participants’ performance relative to their peers. These changes are grounded in established psychological theory. They are incorporated as key features of Training Wheels. Besides introducing the new training tool, this study also provides recommendations for its usage and implications for research

Container and VM Visualization for Rapid Forensic Analysis

Cloud-hosted software such as virtual machines and containers are notoriously difficult to access, observe, and inspect during ongoing security events. This research describes a new, out-of-band forensic tool for rapidly analyzing cloud based software. The proposed tool renders two-dimensional visualizations of container contents and virtual machine disk images. The visualizations can be used to identify container / VM contents, pinpoint instances of embedded malware, and find modified code. The proposed new forensic tool is compared against other forensic tools in a double-blind experiment. The results confirm the utility of the proposed tool. Implications and future research directions are also described

Establishing the IT Disaster Recovery Planning Construct

The concept of IT disaster recovery planning is receiving an increasing amount of attention from IT practitioners and business managers due to its importance in averting disasters and ensuring the continuity of organizations. Surprisingly, little research has been aimed at providing a comprehensive definition of this topic. Thus, this manuscript describes the process by which conceptual definition of IT disaster recovery planning is developed and an exhaustive listing of the construct’s dimensions is derived via content analysis. In this meta-study, 72 articles were found to yield 572 individual planning recommentations related to IT disaster recovery planning. The data were analyzed using a clustering technique and formed into 7 dimensions and 16 sub-dimensions. The results can be used to guide organizations’ IT disaster recovery planning processes