Requirements and Recommendations for IoT/IIoT Models to automate Security Assurance through Threat Modelling, Security Analysis and Penetration Testing

The factories of the future require efficient interconnection of their physical machines into the cyber space to cope with the emerging need of an increased uptime of machines, higher performance rates, an improved level of productivity and a collective collaboration along the supply chain. With the rapid growth of the Internet of Things (IoT), and its application in industrial areas, the so called Industrial Internet of Things (IIoT)/Industry 4.0 emerged. However, further to the rapid growth of IoT/IIoT systems, cyber attacks are an emerging threat and simple manual security testing can often not cope with the scale of large IoT/IIoT networks. In this paper, we suggest to extract metadata from commonly used diagrams and models in a typical software development process, to automate the process of threat modelling, security analysis and penetration testing, without detailed prior security knowledge. In that context, we present requirements and recommendations for metadata in IoT/IIoT models that are needed as necessary input parameters of security assurance tools.Comment: 8 pages, Proceedings of the 14th International Conference on Availability, Reliability and Security (ARES 2019) (ARES '19), August 26-29, 2019, Canterbury, United Kingdo

When it comes to testing, is usability the closest analogy to security?

This speculative paper outlines an untested idea: it superficially compares security testing with usability testing. Looking for analogies between these fields may seem far-fetched, but the result is surprising. When it comes to testing, usability and security may be not as dissimilar as they seem. A closer look at usability testing may yield new insights for security testing

Testing production systems safely: Common precautions in penetration testing

Unlike testing in a laboratory or test bed situation, the testing of production systems requires precautions to avoid side effects that might damage or disturb the system, its environment, or its users. This paper outlines safety precautions to be taken when testing production systems. Specifically we discuss precautions for penetration testing aiming at identifying security vulnerabilities. We generalize and document experience we gained as penetration testers, describing how the risks of testing can be mitigated through selection of test cases and techniques, partial isolation of subsystems and organizational measures. Though some of the precautions are specific to security testing, our experience might be helpful to anyone testing production systems

Supporting security testers in discovering injection flaws

We present a platform for software security testing primarily designed to support human testers in discovering injection flaws in distributed systems. Injection is an important class of security faults, caused by unsafe concatenation of input into strings interpreted by other components of the system. Examples include two of the most common security issues in Web applications, SQL injection and cross site scripting. This paper briefly discusses the fault model, derives a testing strategy that should discover a large subset of the injection flaws present, and describes a platform that helps security testers to discover injection flaws through dynamic grey-box testing. Our platform combines the respective strengths of machines and humans, automating what is easily automated while leaving to the tester the artistic portion of security testing. Although designed with a specific fault model in mind, our platform may be useful in a wide range of security testing tasks

BitLocker Drive Encryption im mobilen und stationären Unternehmenseinsatz: Ein Leitfaden für Anwender

Der Leitfaden »BitLocker Drive Encryption im mobilen und stationären Unternehmenseinsatz« unterstützt Anwender von Microsoft Windows Vista dabei, die in einige Versionen integrierte Datenträgerverschlüsselung zu nutzen. Er wendet sich an IT -Verantwortliche, Sicherheitsbeauftragte und Administratoren in Unternehmen und Behörden. Der Leitfaden erläutert Funktionsweise, Fähigkeiten und Einsatzmöglichkeiten von BitLocker, zeigt das erzielbare Sicherheitsniveau, dessen Grenzen sowie mögliche Nebenwirkungen beim Einsatz und gibt Anwendern konkrete Handreichungen. BitLocker Drive Encryption (BDE) verschlüsselt Partitionen und sichert den Bootprozess des Systems gegen Manipulationen. Voraussetzung ist ein Trusted Platform Module (TPM) und das passende BIOS. BitLocker ist damit die erste Sicherheitskomponente in Windows, die sich auf das Trusted Computing stützt. Schlüssel lassen sich mit oder ohne PIN-Schutz im TPM speichern, als weiterer Sicherheitsanker kann ein USB-Speicher verwendet werden. Für Nutzer und Anwendungen ist die Verschlüsselung weitgehend transparent. Der Leitfaden geht vom Stand im Herbst 2007 aus. Er berücksichtigt jedoch auch voraussichtliche Änderungen in Service Pack 1 für Windows Vista sowie in Windows Server 2008, soweit sie zum Redaktionsschluss bekannt waren