57 research outputs found
Hardening with Scapolite: a DevOps-based Approach for Improved Authoring and Testing of Security-Configuration Guides in Large-Scale Organizations
Security Hardening is the process of configuring IT systems to ensure the
security of the systems' components and data they process or store. In many
cases, so-called security-configuration guides are used as a basis for security
hardening. These guides describe secure configuration settings for components
such as operating systems and standard applications. Rigorous testing of
security-configuration guides and automated mechanisms for their implementation
and validation are necessary since erroneous implementations or checks of
hardening guides may severely impact systems' security and functionality. At
Siemens, centrally maintained security-configuration guides carry
machine-readable information specifying both the implementation and validation
of each required configuration step. The guides are maintained within git
repositories; automated pipelines generate the artifacts for implementation and
checking, e.g., PowerShell scripts for Windows, and carry out testing of these
artifacts on AWS images. This paper describes our experiences with our
DevOps-inspired approach for authoring, maintaining, and testing
security-configuration guides. We want to share these experiences to help other
organizations with their security hardening and, thus, increase their systems'
security.
Comment: We submitted this article as a full-length paper. Unfortunately, the
CODASPY Program Committee decided that our paper can only be accepted in the
tool track. Thus, the published version only consists of 6 page
Automated Identification of Security-Relevant Configuration Settings Using NLP
To secure computer infrastructure, we need to configure all security-relevant
settings. We need security experts to identify security-relevant settings, but
this process is time-consuming and expensive. Our proposed solution uses
state-of-the-art natural language processing to classify settings as
security-relevant based on their description. Our evaluation shows that our
trained classifiers do not perform well enough to replace the human security
experts but can help them classify the settings. By publishing our labeled data
sets and the code of our trained model, we want to help security experts
analyze configuration settings and enable further research in this area.
Comment: Peer-reviewed version accepted for publication in the Industry
Showcase track at the 37th IEEE/ACM International Conference on Automated
Software Engineering (ASE '22), October 10--14, 2022, Rochester, MI, US
Better Safe Than Sorry! Automated Identification of Functionality-Breaking Security-Configuration Rules
Insecure default values in software settings can be exploited by attackers to
compromise the system that runs the software. As a countermeasure, there exist
security-configuration guides specifying in detail which values are secure.
However, most administrators still refrain from hardening existing systems
because the system functionality is feared to deteriorate if secure settings
are applied. To foster the application of security-configuration guides, it is
necessary to identify those rules that would restrict the functionality.
This article presents our approach to use combinatorial testing to find
problematic combinations of rules and machine learning techniques to identify
the problematic rules within these combinations. The administrators can then
apply only the unproblematic rules and, therefore, increase the system's
security without the risk of disrupting its functionality. To demonstrate the
usefulness of our approach, we applied it to real-world problems drawn from
discussions with administrators at Siemens and found the problematic rules in
these cases. We hope that this approach and its open-source implementation
motivate more administrators to harden their systems and, thus, increase their
systems' general security.
Comment: Peer-reviewed version accepted for publication at the 4th ACM/IEEE
International Conference on Automation of Software Test (AST 2023), May
15--16, 2023, Melbourne, A
Automated Implementation of Windows-related Security-Configuration Guides
Hardening is the process of configuring IT systems to ensure the security of
the systems' components and data they process or store. The complexity of
contemporary IT infrastructures, however, renders manual security hardening and
maintenance a daunting task.
In many organizations, security-configuration guides expressed in the SCAP
(Security Content Automation Protocol) are used as a basis for hardening, but
these guides by themselves provide no means for automatically implementing the
required configurations.
In this paper, we propose an approach to automatically extract the relevant
information from publicly available security-configuration guides for Windows
operating systems using natural language processing. In a second step, the
extracted information is verified using the information of available settings
stored in the Windows Administrative Template files, in which the majority of
Windows configuration settings is defined.
We show that our implementation of this approach can extract and implement
83% of the rules without any manual effort and 96% with minimal manual effort.
Furthermore, we conduct a study with 12 state-of-the-art guides consisting of
2014 rules with automatic checks and show that our tooling can implement at
least 97% of them correctly. We have thus significantly reduced the effort of
securing systems based on existing security-configuration guides
Triggers of change in sexual behavior among people with HIV: The Swiss U = U statement and Covid-19 compared.
We assessed changes in sexual behaviour among people with HIV (PWH) over 20 years. Condom use with stable partners steadily declined from over 90% to 29% since the Swiss U = U statement with similar trajectories between men who have sex with men (MSM) and heterosexuals. Occasional partnership remained higher among MSM compared to heterosexuals even during COVID-19 social distancing
Impact of Integrase Inhibitors on Cardiovascular Disease Events in People With Human Immunodeficiency Virus Starting Antiretroviral Therapy
BACKGROUND
Integrase strand transfer inhibitors (INSTIs) have been associated with an increased risk for cardiovascular disease (CVD) events. We investigated the impact of starting INSTI-based antiretroviral therapy (ART) on CVD events among treatment-naïve people with human immunodeficiency virus using a target trial framework, which reduces the potential for confounding and selection bias.
METHODS
We included Swiss HIV Cohort Study participants who were ART-naïve after May 2008, when INSTIs became available in Switzerland. Individuals were categorized according to their first ART regimen (INSTI vs other ART) and were followed from ART start until the first of CVD event (myocardial infarction, stroke, or invasive cardiovascular procedure), loss to follow-up, death, or last cohort visit. We calculated hazard ratios and risk differences using pooled logistic regression models with inverse probability of treatment and censoring weights.
RESULTS
Of 5362 participants (median age 38 years, 21% women, 15% of African origin), 1837 (34.3%) started INSTI-based ART, and 3525 (65.7%) started other ART. Within 4.9 years (interquartile range, 2.4-7.4), 116 CVD events occurred. Starting INSTI-based ART was not associated with an increased risk for CVD events (adjusted hazard ratio, 0.80; 95% confidence interval [CI], .46-1.39). Adjusted risk differences between individuals who started INSTIs and those who started other ART were -0.17% (95% CI, -.37 to .19) after 1 year, -0.61% (-1.54 to 0.22) after 5 years, and -0.71% (-2.16 to 0.94) after 8 years.
CONCLUSIONS
In this target trial emulation, we found no difference in short- or long-term risk for CVD events between treatment-naïve people with human immunodeficiency virus who started INSTI-based ART and those on other ART
Impact of integrase inhibitors on cardiovascular disease events in people with HIV starting antiretroviral therapy.
BACKGROUND
Integrase strand transfer inhibitors (INSTI) have been associated with an increased risk for cardiovascular disease (CVD) events. We investigated the impact of starting INSTI-based antiretroviral therapy (ART) on CVD events among treatment-naïve people with HIV (PWH) using a target trial framework, which reduces the potential for confounding and selection bias.
METHODS
We included Swiss HIV Cohort Study participants who were ART-naïve after 05/2008, when INSTI became available in Switzerland. Individuals were categorized according to their first ART regimen (INSTI vs. other ART) and were followed from ART start until the first of CVD event (myocardial infarction, stroke, or invasive cardiovascular procedure), loss to follow-up, death, or last cohort visit. We calculated hazard ratios and risk differences using pooled logistic regression models with inverse probability of treatment and censoring weights.
RESULTS
Of 5362 participants (median age 38 years, 21% women, 15% of African origin), 1837 (34.3%) started INSTI-based ART, and 3525 (65.7%) started other ART. Within 4.9 years (IQR 2.4-7.4), 116 CVD events occurred. Starting INSTI-based ART was not associated with an increase in CVD events (adjusted hazard ratio 0.80, 95% confidence interval [CI] 0.46-1.39). Adjusted risk differences between individuals who started INSTI and those who started other ART were -0.17% (95% CI -0.37 to 0.19) after one year, -0.61% (-1.54 to 0.22) after 5 years, and -0.71% (-2.16 to 0.94) after 8 years.
CONCLUSIONS
In this target trial emulation, we found no difference in short or longer term risk for CVD events between treatment-naïve PWH who started INSTI-based and those on other ART
Brief Report: Switching From TDF to TAF in HIV/HBV-Coinfected Individuals With Renal Dysfunction-A Prospective Cohort Study.
Whereas tenofovir disoproxil fumarate (TDF) can lead to renal adverse events, tenofovir alafenamide (TAF) has a more favorable renal safety profile. However, the impact of replacing TDF with TAF on renal function and liver parameters among HIV/hepatitis B virus (HBV)-coinfected individuals with renal dysfunction remains unclear.
We included all participants from the Swiss HIV Cohort Study with an HIV/HBV coinfection who switched from TDF to TAF and had an estimated glomerular filtration rate (eGFR) <90 mL/min/1.73 m² and a suppressed HIV viral load (<200 cp/mL). We assessed changes in eGFR, urine protein-to-creatinine ratio, and alanine aminotransferase (ALT) after 1 year using mixed-effect models with interrupted time series.
Among 106 participants (15.1% women, median age 53 years), eGFR was 60-89 mL/min/1.73 m² in 84 (79.2%) and <60 mL/min/1.73 m² in 22 (20.8%) individuals at the time of switch. One year after the switch from TDF to TAF, individuals with an eGFR between 60 and 89 mL/min/1.73 m² experienced increases in eGFR of 3.2 mL/min/1.73 m² (95% confidence interval [CI] 1.2 to 5.2), whereas those with an eGFR <60 mL/min/1.73 m² experienced improvements of 6.2 mL/min/1.73 m² (95% CI 2.4 to 10.0). Urine protein-to-creatinine ratio decreased overall (-6.3 mg/mmol, 95% CI -10.0 to -2.7), and ALT levels declined in patients with elevated baseline levels (-11.8 IU/L, 95% CI -17.3 to -6.4) 1 year after replacing TDF with TAF.
Switching from TDF to TAF among HIV/HBV-coinfected individuals with renal impairment led to improvements in eGFR, a decline in proteinuria, and to ALT normalization in those with elevated ALT levels
Long-term quantitative hepatitis B surface antigen (HBsAg) trajectories in persons with and without HBsAg loss on tenofovir-containing antiretroviral therapy
OBJECTIVES
Improving the understanding of the patterns of quantitative hepatitis B surface antigen (qHBsAg) trajectories associated with HBsAg loss is important in light of novel anti-hepatitis B virus agents being developed. We evaluated long-term qHBsAg trajectories in persons with HIV and HBV during tenofovir-containing antiretroviral therapy in the Swiss HIV Cohort Study.
METHODS
We included 29 participants with and 29 without HBsAg loss, defined as qHBsAg <0.05 IU/mL. We assessed qHBsAg decline during therapy in both groups and used agglomerative hierarchical clustering to identify different qHBsAg trajectory profiles in persons with HBsAg loss.
RESULTS
The median follow-up time was 11.9 years (IQR 8.4-14.1), and the median time to HBsAg loss was 48 months (IQR 12-96). Among participants with HBsAg loss, 79% had a qHBsAg decline ≥1 log IU/mL 2 years after starting tenofovir. The trajectories in qHBsAg levels during tenofovir therapy were heterogeneous, characterized by five distinct profiles. Among participants without HBsAg loss, only 7% had a qHBsAg decline ≥1 log IU/mL after 2 years.
CONCLUSIONS
Most persons with HIV who experienced HBsAg loss had an early decline in qHBsAg levels, with diverse trajectories during long-term tenofovir therapy. In persons without HBsAg loss, qHBsAg levels remained remarkably stable over time