Compliance Based Penetration Testing as a Service

The current penetration testing method practiced in the information systems domain is insufficient to protect information systems. Penetration testing is done as a part of the final acceptance criteria before the system is released into a production environment. Once the system is in production, the environment and configuration are bound to change for various reasons, especially in cloud environments. This change has the potential to create vulnerabilities, and hackers take advantage of them. In cloud service models like PaaS, security is a shared responsibility of tenant and provider, and it is challenging to perform penetration testing. This paper introduces a new method called Compliance Based Penetration Testing (CBPT). The CBPT method is targeted specifically for PaaS environments to identify critical issues in cloud-based environments. As the cloud is the way moving forward, this approach will be beneficial and save effort and cost for all cloud consumers

Compliance Based Penetration Testing as a Service

The current penetration testing method practiced in the information systems domain is insufficient to protect information systems. Penetration testing is part of the final acceptance criteria before the system is released into a production environment. Once the system is in production, the environment and configuration are bound to change for various reasons, especially in cloud environments. This change can create vulnerabilities, and hackers take advantage of them. In cloud service models like PaaS, security is a shared responsibility of tenant and provider, and it is challenging to perform penetration testing. This paper introduces a new method called Compliance Based Penetration Testing (CBPT). The CBPT method explicitly targets PaaS environments to identify critical issues in cloud-based environments. As the cloud is the way moving forward, this approach will be beneficial and save effort and cost for all cloud consumers

Improving the Effectiveness of Security Controls to Prevent APT Attacks

An advanced persistent threat (APT) is a prolonged, aimed attack on a specific target. Cyber attackers gain access to a system or network and remain there for an extended period without being detected. The goal of APT attackers is generally stealing data and intellectual property. Despite all the awareness, technological advancements, and massiveinvestment, the fight against APTs is a losing battle. A false sense of security is a belief that the organization is safer than it is . We researched whether organizations have a false sense of security against APT attacks and what contributes to that belief. Our research indicated that employees were not confident about organizations’ cybersecurity posture. In this paper, we discuss one of our research contributions, which suggests remediation strategies that organizations can employ to increase the effectiveness of security controls against APT attacks

Improving the Effectiveness of Security Controls to Prevent APT Attacks

An advanced persistent threat (APT) is a prolonged, aimed attack on a specific target. Cyber attackers gain access to a system or network and remain there for an extended period without being detected. The goal of APT attackers is generally stealing data and intellectual property. Despite all the awareness, technological advancements, and massive investment, the fight against APTs is a losing battle. A false sense of security is a belief that the organization is safer than it is. We researched whether organizations have a false sense of security against APT attacks and what contributes to that belief. Our research indicated that employees were not confident about organizations’ cybersecurity posture. In this paper, we discuss one of our research contributions, which suggests remediation strategies that organizations can employ to increase the effectiveness of security controls against APT attacks

A False Sense of Security — Organizations Need a Paradigm Shift on Protecting Themselves against APTs

Advanced Persistent Threats (APTs) are among the most complex cyberattacks and are generally executed by cyber-attackers linked to nation-states. An organization may have security strategies to prevent APTs. However, a false sense of security may exist when the focus is on implementing security strategies but not on the effectiveness of implemented security strategies. This research aims to find out 1) if organizations are in a false sense of security while preventing APT attacks, 2) what factors influence the false sense of security, and 3) whether organizational culture influence factors contributing to the false sense of security. A theoretical model is developed to evaluate the sense of security to answer the three research questions. The initial model includes seven independent variables, one moderator variable, and one dependent variable. We designed and conducted a survey among cybersecurity professionals to test 14 hypotheses on the sense of security. We further refined and finalized the model based on the data analysis from the survey data. This research confirms that employees are not confident about organizations‟ cybersecurity posture despite all the awareness training, technological advancements, and massive investment. We also identified key factors which influence the employee perception of cybersecurity posture. Based on the research findings, we provided recommendations that can be followed to improve the effectiveness of implemented security strategies

A False Sense of Security - Organizations Need a Paradigm Shift on Protecting Themselves against APTs

Organizations Advanced persistent threats (APTs) are the most complex cyberattacks and are generally executed by cyber attackers linked to nation-states. The motivation behind APT attacks is political intelligence and cyber espionage. Despite all the awareness, technological advancements, and massive investment, the fight against APTs is a losing battle for organizations. An organization may implement a security strategy to prevent APTs. However, the benefits to the security posture might be negligible if the measurement of the strategy’s effectiveness is not part of the plan. A false sense of security exists when the focus is on implementing a security strategy but not its effectiveness. This research verifies whether organizations are in a false sense of security while preventing APT attacks, what factors influence the false sense of security, and whether organizational culture influences factors contributing to the false sense of security. The research method utilized was survey-based quantitative research. Confirmatory Factor Analysis (CFA) and Structural Equation Modeling (SEM) were employed in the research model evaluation and hypotheses testing. The data analysis found that the sense of security value among the employees is low, which proves that employees are not confident about their organization’s cybersecurity posture and organizations are in a false sense of security. Since Security Awareness and Training, Security Controls, Redundant IDS/IPS, and Cybersecurity Insurance positively influence the sense of security, recommendations were provided to enhance their effectiveness. The research study highlighted that sense of security of the employees is low when the security controls are ineffective. The contribution of this research is to highlight the paradigm shift required for organizations while setting up defenses against APTs. While organizations focus on setting up security controls to satisfy the compliance requirements, the research study outcome emphasizes the importance of the effectiveness of security controls. The dissertation includes limitations of the research and suggestions for further study

Compliance Based Penetration Testing as a Service

The current penetration testing method practiced in the information systems domain is insufficient to protect information systems. Penetration testing is done as a part of the final acceptance criteria before the system is released into a production environment. Once the system is in production, the environment and configuration are bound to change for various reasons, especially in cloud environments. This change has the potential to create vulnerabilities, and hackers take advantage of them. In cloud service models like PaaS, security is a shared responsibility of tenant and provider, and it is challenging to perform penetration testing. This paper introduces a new method called Compliance Based Penetration Testing (CBPT). The CBPT method is targeted specifically for PaaS environments to identify critical issues in cloud-based environments. As the cloud is the way moving forward, this approach will be beneficial and save effort and cost for all cloud consumers

Towards Automated Policy Generation for Dynamic Access Control in the Internet of Things

Access control is one of the frontline security measures that any information system should adopt. The dynamic nature of the Internet of Things and autonomous vehicles requires access control policies should be able to adapt to their environments. However, it is very challenging to specify access control policies manually because of their dynamic nature. In this paper, we propose a Long-Short-Term-Memory based automated policy generation for dynamic access control in the Internet of Things. We will evaluate the performance of the proposed solution using two datasets. We expect the proposed solution will be able to generate synthetic access control policies by training from the datasets which can potentially be used for dynamic access provisioning in IoT systems

Improving the Effectiveness of Security Controls to Prevent APT Attacks

An advanced persistent threat (APT) is a prolonged, aimed attack on a specific target. Cyber attackers gain access to a system or network and remain there for an extended period without being detected. The goal of APT attackers is generally stealing data and intellectual property. Despite all the awareness, technological advancements, and massiveinvestment, the fight against APTs is a losing battle. A false sense of security is a belief that the organization is safer than it is . We researched whether organizations have a false sense of security against APT attacks and what contributes to that belief. Our research indicated that employees were not confident about organizations’ cybersecurity posture. In this paper, we discuss one of our research contributions, which suggests remediation strategies that organizations can employ to increase the effectiveness of security controls against APT attacks