Thursday, September 29, 2011

Basin, D., Clavel, M., & Egea, M. (2011). A decade of model-driven security. Paper presented at the 16th ACM Symposium on Access Control Models and Technologies, Innsbruck, Austria. [Full text available in the ACM Digital Library database.]
In model-driven development, system designs are specified using graphical modeling languages like UML and system artifacts such as code and configuration data are automatically generated from the models. Model-driven security is a specialization of this paradigm, where system designs are modeled together with their security requirements and security infrastructures are directly generated from the models. Over the past decade, we have explored different facets of model-driven security. This research includes different modeling languages, code generators, model analysis tools, and even model transformations. For example, in multi-tier systems, we used model transformations to transform a security policy, formulated for a system's data model, to a security policy governing the behavior of the system's graphical user interface. In this paper, we survey progress made, tool support, and case studies, which attest to the flexibility and power of such a multi-faceted approach to building secure systems. 

Mylonas, A., Tsoumas, B., Dritsas, S., & Gritzalis, D. (2011). A secure smartphone applications roll-out scheme. Paper presented at the 8th International Conference on Trust, Privacy, and Security in Digital Business, Toulouse, France. Retrieved from http://goo.gl/So8Ym
The adoption of smartphones, devices transforming from simple communication devices to smart and multipurpose devices, is constantly increasing. Amongst the main reasons for their vast pervasiveness are their small size, their enhanced functionality, as well as their ability to host many useful and attractive applications. Furthermore, recent studies estimate that application installation in smartphones acquired from official application repositories, such as the Apple Store, will continue to increase. In this context, the official application repositories might become attractive to attackers trying to distribute malware via these repositories. The paper examines the security inefficiencies related to application distribution via application repositories. Our contribution focuses on surveying the application management procedures enforced during application distribution in the popular smartphone platforms (i.e. Android, BlackBerry, Apple iOS, Symbian, Windows Phone), as well as on proposing a scheme for an application management system suited for secure application distribution via application repositories.

Souppaya, M., & Scarfone, K. (2011, September). Guidelines for securing wireless local area networks (WLANs) (NIST Special Publication 800-153 - Draft). Retrieved from http://csrc.nist.gov/publications/drafts/800-153/Draft-SP800-153.pdf
The purpose of this publication is to provide organizations with recommendations for improving the security configuration and monitoring of their IEEE 802.11 wireless local area networks (WLANs) and their devices connecting to those networks. Recommendations . . . cover topics such as standardized WLAN security configurations, dual connected WLAN client devices, and security assessments and continuous monitoring. [This is one of four new cyber-related publications from NIST.]

Friday, September 23, 2011

Bertino, E., & Takahashi, K. (2011). Identity management: Concepts, technology, and systems. Boston, MA: Artech House. [Full text e-book available in the Books 24x7 database.]

Providing a comprehensive overview of current trends and future directions in identity management, this practical resource offers an in-depth understanding of how to design, deploy and assess identity management solutions. 

Rakes, T. R., Deane, J. K., & Rees, L. R. (2012). IT security planning under uncertainty for high-impact events. Omega, 40(1), 79-88. doi:10.1016/j.omega.2011.03.008 [Full text available in the ScienceDirect database.]

While many IT security incidents result in relatively minor operational disruptions or minimal recovery costs, occasionally high-impact security breaches can have catastrophic effects on the firm. Unfortunately, measuring security risk and planning for countermeasures or mitigation is a difficult task. Past research has suggested risk metrics which may be beneficial in understanding and planning for security incidents, but most of these metrics are aimed at identifying expected overall loss and do not directly address the identification of, or planning for, sparse events which might result in high-impact loss. The use of an upper percentile value or some other worst-case measure has been widely discussed in the literature as a means of stochastic optimization, but has not been applied to this decision domain. A key requirement in security planning for any threat scenario, expected or otherwise, is the ability to choose countermeasures optimally with regard to tradeoffs between countermeasure cost and remaining risk. Most of the planning models in the literature are qualitative, and none that we are aware of allow for the optimal determination of these tradeoffs. Therefore, we develop a model for optimally choosing countermeasures to block or mitigate security attacks in the presence of a given threat level profile. We utilize this model to examine scenarios under both expected threat levels and worst-case levels, and develop budget-dependent risk curves. These curves demonstrate the tradeoffs which occur if decision makers divert budgets away from planning for ordinary risk in an effort to mitigate the effects of potential high-impact outcomes.

Salem, M. B., & Stolfo, S. J. (2011). On the design and execution of cyber-security user studies: Lessons learned. Paper presented at the Fourth Workshop on Cyber Security Experimentation and Test, San Francisco, CA. Retrieved from http://www.usenix.org/events/cset11/tech/final_files/Salem.pdf

Real-world data collection poses an important challenge in the security field. Insider and masquerader attack data collection poses an even greater challenge. Very few organizations acknowledge such breaches because of liability concerns and potential implications on their market value. This has caused the scarcity of real-world data sets that could be used to study insider and masquerader attacks. Moreover, user studies conducted to collect such data lack rigor in their design and execution. In this paper, we present the methodology followed to conduct a user study and build a data set for evaluating masquerade attack detection techniques. We discuss the design, technical, and procedural challenges encountered during our own masquerade data gathering project, and share some of the lessons learned from this several-year project.

Friday, September 16, 2011

Andress, J., & Winterfield, S. (2011). Cyber warfare: Techniques, tactics, and tools for security practitioners. Waltham, MA: Syngress. [Full text e-book available in the Safari Books Online database.]

This book is designed to cover the strategic, operational, and tactical aspects of the conflicts in cyberspace today. The perspectives of the two authors balance the viewpoints of what many are calling cyber warfare today. One comes from a commercial background and the other brings the military viewpoint. The book is designed to help anyone understand the essentials of what is happening today, as well as provide a strong background on the issues we are facing. This book is unique in that it provides the information in a manner that can be used to establish a strategic cybersecurity vision for an organization, but it is also designed to contribute to the national debate on where cyber is going.

Combating cybercriminals: Hearing before the Subcommittee on Financial Institutions and Consumer Credit, Committee on Financial Services, House of Representatives, 112th Cong. (2011). [Full text available via UMUC Library OneSearch.]

Testimony given on 9/14/11 by the Assistant Director of the FBI, the Deputy Under Secretary of the Dept. of Homeland Security, executives at Bank of America, Verizon, and Symantec, and others.

Intelligence and National Security Alliance. (2011, September). Cyber intelligence: Setting the agenda for an emerging discipline. Retrieved from https://images.magnetmail.net/images/clients/INSA/attach/INSA_CYBER_INTELLIGENCE_2011.pdf

This paper is the first in a series developed by the Intelligence and National Security Alliance’s Cyber Council. It is intended to broaden the vision of senior decision makers in government and industry. Our goal with this paper is to set the landscape for cyber intelligence by discussing why it is necessary and providing thoughts on how to approach the development of this function in the cyber domain. While there is a great deal of focus on current cyber security issues, there is little focus on defining and exploring the cyber threat environment at a higher level. Its unique dynamics and impact on our economy and national security are understudied. In this paper, we will focus primarily on defensive cyber activities. There is a rapidly increasing need to fully leverage cyber intelligence assets and capabilities on a national and global scale to address this ubiquitous, diverse, and evolving group of adversaries. There is also a need to clearly define an emerging cyber intelligence discipline that can be quickly and transparently shared with appropriate private and foreign partners.

Sheldon, F. T., & Vishik, C. (2011, September). Moving toward trustworthy systems: R&D essentials. Computer, 44(9), 31-40. Retrieved from http://www.computer.org [Full text available in the IEEE Computer Science Digital Library database.]

Under the game-change metaphor, strategies developed to address hard problems will potentially lead to breakthroughs in many different interrelated cybersecurity areas. For software assurance, a game change should focus on improving resiliency and hardening new technologies that implement moving-target defenses and tailored trustworthy spaces.

Friday, September 9, 2011

Fried, S. (2010). Mobile device security: A comprehensive guide to securing your information in a moving world. New York, NY: Auerbach Publications. Retrieved from http://www.auerbach-publications.com [Full text e-book available in the Books 24x7 database.]
Supplying real-life examples and authoritative guidance, this complete resource walks you through the process of creating an effective mobile security program and provides the understanding required to develop a customized approach to securing your information.

Roman, R., Najera, P., & Lopez, J. (2011, September). Securing the internet of things. Computer, 44(9), 51-58. doi:10.1109/MC.2011.291 [Full text available in the IEEE Computer Science Digital Library database.]
In the Internet of Things vision, every physical object has a virtual component that can produce and consume services. Such extreme interconnection will bring unprecedented convenience and economy, but it will also require novel approaches to ensure its safe and ethical use.

Symantec. (2011). 2011 Norton cybercrime report. Retrieved from http://us.norton.com/content/en/us/home_homeoffice/html/cybercrimereport
IEEE summary: Norton says that it calculates that a total of 431 million adults living in the surveyed 24 countries have been cyber crime victims within the past 12 months. This equates, it says, to 14 cyber crime victims every second; 820 cyber crime victims every minute; or almost 50,000 per hour. Some 74 million US residents were cyber crime victims last year, the report states. The Norton report also says that the direct cost of this cyber crime activity was approximately $114 billion, with another $274 billion in indirect costs related to lost time/productivity. This total of $388 billion "... costs the world significantly more than the global black market in marijuana, cocaine and heroin combined ($288 billion)."

Friday, September 2, 2011

Begin, F. (2011, August). BYOB: Build your own botnet. Retrieved from http://www.sans.org/reading_room/whitepapers/covert/byob-build-botnet_33729

Botnets represent a clear and present danger to information systems. They have evolved from simple spam factories to underpinning massive criminal operations. Botnets are involved in credit card and identity theft, various forms of espionage, denial of service attacks and other unsavory by-products of the new digital lifestyle that is prevalent in modern societies and emerging economies. Security professionals at any level cannot ignore this new threat. Having a better understanding of the inner workings of a botnet can lead to more efficient and judicious application of mitigation techniques. While other papers have a tendency to dive deeply into complex bot and botnet code, this paper takes a pedagogical approach rather than a highly technical one. Following a brief historical overview, it presents a simple working example of a botnet dubbed FrankenB implemented in Java and PHP. The implementation includes a command and control infrastructure as well as botnet tracking and reporting capability. The FrankenB bots are also capable of eavesdropping on network traffic, scanning subnets and sending spam. All of these capabilities are demonstrated in this paper. Following this introduction, FrankenB is then used as a backdrop for discussing mitigation techniques and for framing the botnet threat in a more global context.

Howard, D., & Prince, K. (2011). Security 2020: Reduce security risks this decade. Hoboken, NJ: John Wiley and Sons. Retrieved from http://www.wiley.com [Full text e-book available via the Books 24x7 database.]

This book gives application developers, networking and security professionals, those that create standards, and CIOs a straightforward look at the reality of today’s IT security and a sobering forecast of what to expect in the next decade. It debunks the media hype and unnecessary concerns while focusing on the knowledge you need to combat and prioritize the actual risks of today and beyond. 

In the “year of the hack,” survey reveals enterprises are most concerned about “advanced persistent threat” attacks by wide margin. (2011, August 30). Business Wire. Retrieved from http://www.businesswire.com [Full text available via UMUC Library OneSearch.]

Sixty percent of the respondents said they are concerned about APT attacks, more than double the next closest response, showing the growing anxiety among IT executives around modern threats. The second biggest hacking concern among IT executives, at 28 percent, is having one of their own employees steal company data and post it online, much like what happened at the Department of Defense (DoD) with WikiLeaks. In third place, at 26 percent, are concerns around a vendor partner being hacked, much like what happened to Epsilon earlier this year. And in fourth place, at 25 percent, are concerns over a cloud application breach, much like what happened with Sony.