Alsaleh, M., & van Oorschot, P. C. (2012). Revisiting network scanning detection using sequential hypothesis testing. Security and Communications Networks [in press]. doi:10.1002/sec.416 [Full text can be requested by UMUC students / faculty from DocumentExpress.]
Network scanning is a common, effective technique to search for vulnerable Internet hosts and to explore the topology and trust relationships between hosts in a target network. Given that the purpose of scanning is to search for responsive hosts and network services, behavior-based scanning detection techniques based on the state of inbound connection attempts remain effective against evasion. Many of today’s network environments, however, feature a dynamic and transient nature with several network hosts and services added or stopped (either permanently or temporarily) over time. In this paper, working with recent network traces from two different environments, we re-examine the Threshold Random Walk (TRW) scan detection algorithm, and we show that the number of false positives is proportional to the transiency of the offered services. To address the limitations found, we present a modified algorithm (Stateful Threshold Random Walk (STRW) algorithm) that utilizes active mapping of network services to take into account benign causes of failed connection attempts. The STRW algorithm eliminates a significant portion of TRW false positives (e.g., 29% and 77% in two datasets studied).
Bronk, C. (2012, March). A government switchboard: Scalability issues in international cyber policymaking [Baker Institute]. Retrieved from http://bakerinstitute.org/publications/ITP-pub-BronkCyberDialogue2012-031312.pdf
Twenty years ago, only a million computers were connected to the Internet, while today, perhaps as many as 2 billion people on the planet enjoy its use. What was once primarily a tool for scholarly communications has quickly become the key infrastructure for communicating at a distance. At the core of this growth is the remarkable scalability of Internet Protocol (IP). Whether YouTube videos and Twitter microblog posts or telephone calls and sensitive military communications, IP is the technological backbone of digital connectivity on planet Earth.
IP grants a standard for data communication that scales to almost every computing device on the planet. Because of this technology, and some exceptions notwithstanding, the last twenty years have been a period in which a message can be transmitted from one computer to another anywhere, in large part because the set of instructions for delivery has been open, understandable, and relatively easy to implement. The economic transformation ushered in by this connectivity is well underway, but its salient issues regarding politics, and more for the purposes of this paper, international politics, are still emerging. This is a newly constructed techno-informational space, often called “cyber” because there is something that clearly goes beyond just the delivery and receipt of data by IP.
Cheng, J. (2012, April 4). Flashback trojan reportedly controls half a million Macs and counting. Ars Technica. Retrieved from http://arstechnica.com/apple/news/2012/04/flashback-trojan-reportedly-controls-half-a-million-macs-and-counting.ars
Variations of the Flashback trojan have reportedly infected more than half a million Macs around the globe, according to Russian antivirus company Dr. Web. The company made an announcement on Wednesday—first in Russian and later in English—about the growing Mac botnet, first claiming 550,000 infected Macs. Later in the day, however, Dr. Web malware analyst Sorokin Ivan posted to Twitter that the count had gone up to 600,000, with 274 bots even checking in from Cupertino, CA, where Apple’s headquarters are located.
Chien, H., Yang, C., & Hou, H. (2012). Non-linearity cannot help RFID resist full-disclosure attacks and terrorist fraud attacks. Security and Communications Networks [in press]. doi:10.1002/sec.410 [Full text can be requested by UMUC students / faculty from DocumentExpress.]
As the concept of radio-frequency identification (RFID) relay attack has been successfully implemented and demonstrated, the research of RFID distance-bounding protocols to deter RFID relay attacks has drawn much attention from both the industry and academia. Conventionally, researchers adopted linear composition of secrets to resist terrorist fraud attacks. Recently, Peris-Lopez et al. studied the weaknesses of previous RFID distance-bounding protocols and proposed that non-linear composition of secrets and inclusion of more random nonce could help RFID resist key disclosure attack and terrorist fraud attack. In this paper, we will show that non-linear composition of secrets cannot help enhance the security actually.
Dewri, R., Ray, I., Poolsappasit, N., & Whitley, D. (2012). Optimal security hardening on attack tree models of networks: A cost-benefit analysis. International Journal of Information Security [in press]. doi:10.1007/s10207-012-0160-y [Full text can be requested by UMUC students / faculty from DocumentExpress.]
Researchers have previously looked into the problem of determining whether a given set of security hardening measures can effectively make a networked system secure. However, system administrators are often faced with a more challenging problem since they have to work within a fixed budget which may be less than the minimum cost of system hardening. An attacker, on the other hand, explores alternative attack scenarios to inflict the maximum damage possible when the security controls are in place, very often rendering the optimality of the controls invalid. In this work, we develop a systematic approach to perform a cost-benefit analysis on the problem of optimal security hardening under such conditions. Using evolutionary paradigms such as multi-objective optimization and competitive co-evolution, we model the attacker-defender interaction as an “arms race”, and explore how security controls can be placed in a network to induce a maximum return on investment.
Furman, S. M., Theofanos, M. F., Choong, Y., & Stanton, B. (2012, March-April). Basing cybersecurity training on user perceptions. IEEE Security and Privacy, 10(2), 40-49. [Full text available to UMUC students / faculty in IEEE Computer Society Digital Library database].
The National Initiative for Cybersecurity Education (NICE) will be conducting a nationwide awareness and outreach program to effect behavioral change. To be effective, an educational campaign must first understand users’ perceptions of computer and online security. The authors’ research objective was to understand users’ current knowledge base, awareness, and skills. They investigated users’ understanding of online security by conducting in-depth interviews with the goal of identifying existing correct perceptions, myths, and potential misperceptions. Their findings indicate that the participants were primarily aware of and concerned with online and computer security. However, they lacked a complete skill set to protect their computer systems, identities, and information online. Providing a skill set that lets them develop complete mental models will help them to correctly anticipate and adapt the appropriate behaviors when approaching online security.
[UPCOMING LARGO-AREA EVENT]: Surveillance, Security and the Net, Goethe-Institut, Wed. 5/2/12, 12–2 pm.
Each time we use the internet we leave traces. What are these traces, how long do they remain traceable, and who is interested in tracing them? The vast amount of information that circulates on the web is often less chaotic than might initially be expected, with thousands of companies and hundreds of governments collecting, selecting, and ordering data relevant to their particular interests. Does the data we supply regularly actually remain private and if so, what kind of “privacy” are we talking about here? How can personal data be protected? Should it also be secured when national security is at stake? Is our right to privacy enactable online? This edition of Lunch Bytes will examine the topic of surveillance and data security from the perspective of artists and experts who have addressed these themes in their work. RSVP for this (free) event to firstname.lastname@example.org
Goodin, D. (2012, April 1). Coolest jobs in tech: Hackers for hire. Ars Technica. Retrieved from http://arstechnica.com/business/coolest-jobs-in-tech/2012/04/coolest-jobs-in-tech-hackers-for-hire.ars
One spring day in 2010, a hacker named Kevin Finisterre knew he had hit the jackpot. A network he had been casing finally broadcast the live video and audio feed of a police cruiser belonging to a US-based municipal government. His jaw dropped as a computer in his home office in Columbus, Ohio showed the vehicle—with flashing blue lights on and siren blaring—charging down a road of the unnamed city.
A burly 31-year-old with glasses and pork-chop sideburns, Finisterre has spent more than a decade applying his combination of street smarts and technical skills to pierce digital fortresses. For instance, he once accessed the work account of an engineer for a large utility company. Finisterre used a pilfered profile from Hotjewishgirls.com to trick the engineer into thinking he was interacting with a flirtatious 26-year-old woman, until the engineer finally coughed up enough personal information to make an attack on his corporate account successful. It’s not a bad way to earn a living.
Griffiths, M., & Brooks, D. J. (2012). Informing security through cultural cognition: The influence of cultural bias on operational security. Journal of Applied Security Research, 7(2), 218-238. doi:10.1080/19361610.2012.656256 [Full text can be requested by UMUC students / faculty from DocumentExpress.]
Cultural bias will influence risk perceptions and may breed “security complacency,” resulting in the decay of risk mitigation efficacy. Cultural Cognition theory provides a methodology to define how people perceive risks in a grid/group typology. In this study, the cultural perceptions of Healthcare professionals to access control measures were investigated. Collected data were analyzed for significant differences and presented on spatial maps. The results demonstrated correlation between cultural worldviews and perceptions of security risks, indicating that respondents had selected their risk perceptions according to their cultural adherence. Such understanding leads to improved risk management and reduced decay of mitigation strategies.
Hoffman, L. J., Burley, D., & Toregas, C. (2012, March-April). Holistically building the cybersecurity workforce. IEEE Security and Privacy, 10(2), 33-39. [Full text available to UMUC students / faculty in IEEE Computer Society Digital Library database].
This article proposes a holistic approach to developing the cybersecurity workforce based on careful integration of workforce development strategies into a plan that involves educators, career professionals, employers, and policymakers. Observations of the healthcare model, along with the findings of a recent workshop on cybersecurity education, suggest some practical steps for such an approach. Computer science educators, human resources professionals, and cybersecurity practitioners should seek to attract computer science graduates to think beyond their stovepiped fields and collaborate to develop, accept, and implement holistic, integrated solutions.
Hogben, G., & Dekker, M. (2012, April 2). Procure secure: A guide to monitoring of security service levels in cloud contracts [European Network and Information Security Agency]. Retrieved from http://www.enisa.europa.eu/activities/application-security/test/procure-secure-a-guide-to-monitoring-of-security-service-levels-in-cloud-contracts
A practical guide aimed at the procurement and governance of cloud services. This guide provides advice on questions to ask about the monitoring of security. The goal is to improve public sector customer understanding of the security of cloud services and the potential indicators and methods which can be used to provide appropriate transparency during service delivery. One-off or periodic provider assessments are a vital component of effective security management. However, they are insufficient without additional feedback in the intervals between assessments: they do not provide real-time information, regular checkpoints or threshold based alerting, as covered in this report.
Kavanagh, K. M. (2012, March 30). Research roundup for infrastructure protection, 4Q11 [Gartner]. [Full text available to UMUC students / faculty in Gartner database].
This roundup of Gartner research from 4Q11 provides security practitioners with advice on selecting, implementing and managing security technology for infrastructure protection.
Kim, D., Lee, T., Kang, J., Jeong, H., & In, H. P. (2012). Adaptive pattern mining model for early detection of botnet-propagation scale. Security and Communications Networks [in press]. doi:10.1002/sec.366 [Full text can be requested by UMUC students / faculty from DocumentExpress.]
Botnets are a disastrous threat because they execute malicious activities such as distributed denial-of-service, spam email, malware downloads (such as eggdownloads), and spying by exploiting zombie PCs under their control. Botnets infect PCs on a huge scale by initially scanning the service ports of vulnerable applications for the purpose of propagation, which is leveraged as the size of the botnet increases. Therefore, it is of crucial importance to detect botnet-propagation activities early and to determine the expected size of the attack. To address this issue, this paper proposes to recreate botnets’ port-scanning patterns using a simple text classifier that represents these patterns as a kind of matrix. The patterns obtained are then used to train a hidden Markov model and to perform early detection using the trained model. Early detection is achievable by catching the onset of suspicious propagation immediately, and a size estimate is obtained by monitoring fluctuations in botnet size. With this approach, early-detection rates increased to more than 30.6% on average, with a low false negative rate (less than 6%) and an F-measure greater than 96%. This significant improvement in performance will contribute to preventing botnet propagation in its earliest stages.
Kwon, M., Jacobs, J. J., Cullinane, D., Ipsen, C. G., & Foley, J. (2012, March-April). Educating cyber professionals: A view from academia, the private sector, and government. IEEE Security and Privacy, 10(2), 50-53. [Full text available to UMUC students / faculty in IEEE Computer Society Digital Library database].
How do we solve the workforce problem? Guest editor Mischel Kwon brought together a group of people from government, private-sector, and academic backgrounds to discuss the challenges in educating cyber professionals.
Lichtblau, E. (2012, March 31). Police are using phone tracking as a routine tool. New York Times. [Full text available to UMUC students / faculty in ProQuest Newspapers database].
Law enforcement tracking of cellphones, once the province mainly of federal agents, has become a powerful and widely used surveillance tool for local police officials, with hundreds of departments, large and small, often using it aggressively with little or no court oversight, documents show.
Liu, E., Stevens, G., Ruane, K. A., Dolan, A. M., & Thompson, R. M. (2012, March 14). Cybersecurity: Selected legal issues [Congressional Research Service]. Retrieved from http://www.fas.org/sgp/crs/misc/R42409.pdf
The federal government’s role in protecting U.S. citizens and critical infrastructure from cyber attacks has been the subject of recent congressional interest. Critical infrastructure commonly refers to those entities that are so vital that their incapacitation or destruction would have a debilitating impact on national security, economic security, or the public health and safety. This report discusses selected legal issues that frequently arise in the context of recent legislation to address vulnerabilities of critical infrastructure to cyber threats, efforts to protect government networks from cyber threats, and proposals to facilitate and encourage sharing of cyber threat information amongst private sector and government entities. This report also discusses the degree to which federal law may preempt state law.
Maimut, D., & Ouafi, K. (2012, March-April). Lightweight cryptography for RFID tags. IEEE Security and Privacy, 10(2), 75-79. [Full text available to UMUC students / faculty in IEEE Computer Society Digital Library database].
RFID tags pose privacy risks that have only been somewhat addressed. Achieving acceptable levels of security and privacy will require a combination of software and hardware solutions.
Morris, N. (2012, April 3). Backlash over plans to monitor all internet use. Independent. Retrieved from http://www.independent.co.uk/news/uk/politics/backlash-over-plans-to-monitor-all-internet-use-7609010.html
Theresa May faced criticism from across the political spectrum and from civil liberties groups yesterday over her plans to give police and security services the power to monitor the email traffic and internet use of every person in Britain. [More from: The Guardian, BBC, New York Times].
Ogun, M. N. (2012). Terrorist use of the internet: Possible suggestions to prevent the usage for terrorist purposes. Journal of Applied Security Research, 7(2), 203-217. doi:10.1080/19361610.2012.656252 [Full text can be requested by UMUC students / faculty from DocumentExpress.]
As new developments occur everyday in technology, terrorists are easily adjusting themselves to this change. In this new age of terrorism, terrorism is transnational, institutionalized, technologically advanced, and global. In this respect, today’s terrorist organizations are using the Internet for different purposes. The Internet has become the new and main source of communication in terms of disseminating propaganda for terrorist activities. Almost all terrorist organizations are exploiting the Internet for their terrorist purposes and broadcasting propaganda through their Web sites. This study is focused on the exploitation of Internet by terrorist organizations for their activities and as a case study interviews were conducted to find out the solutions to overcome terrorist networks in terms of terrorist use of Internet. Terrorism in general, Internet, and propaganda terms were studied and some solutions were proposed in terms of Internet usage of terrorist organizations.
Pratap, K. (2012, April 4). Five steps compliance and security pros can take to get a better IT audit experience [Gartner]. [Full text available to UMUC students / faculty in Gartner database].
IT compliance managers, chief information security officers (CISOs) and IT risk managers, along with their teams, invest significant time and effort in the IT audit process. These teams are increasingly audited as a result of tighter compliance and industry-specific obligations that affect IT. More time spent on the audit and its preparation results in less time spent fulfilling primary responsibilities. Gartner inquiries and other client interactions have indicated a growing interest in IT audit preparation.
Rohlf, C., & Ivnitsky, Y. (2012, March-April). The security challenges of client-side just-in-time engines. IEEE Security and Privacy, 10(2), 75-79. [Full text available to UMUC students / faculty in IEEE Computer Society Digital Library database].
Any added complexity in a software system will increase the possible program states, introducing a larger attack surface and the possibility of more exploitable flaws. JIT engines, however, alter the environment in which they execute in far more interesting ways, not only through implementation flaws but also by their fundamental operation modes.
Rosenbaum, R. (2012, April). Richard Clarke on who was behind the Stuxnet attack. Smithsonian. Retrieved from http://goo.gl/eiQug
The story Richard Clarke spins has all the suspense of a postmodern geopolitical thriller. The tale involves a ghostly cyberworm created to attack the nuclear centrifuges of a rogue nation—which then escapes from the target country, replicating itself in thousands of computers throughout the world. It may be lurking in yours right now. Harmlessly inactive…or awaiting further orders.
A great story, right? In fact, the world-changing “weaponized malware” computer worm called Stuxnet is very real. It seems to have been launched in mid-2009, done terrific damage to Iran’s nuclear program in 2010 and then spread to computers all over the world. Stuxnet may have averted a nuclear conflagration by diminishing Israel’s perception of a need for an imminent attack on Iran. And yet it might end up starting one someday soon, if its replications are manipulated maliciously. And at the heart of the story is a mystery: Who made and launched Stuxnet in the first place?
Richard Clarke tells me he knows the answer.
Shirley, B., Babu, L., & Mano, C. (2012). Bot detection evasion: a case study on local-host alert correlation bot detection methods. Security and Communications Networks [in press]. doi:10.1002/sec.401 [Full text can be requested by UMUC students / faculty from DocumentExpress.]
Botnets have continuously evolved since their inception as a malicious entity. Attackers come up with new botnet designs that exploit the weaknesses in existing defense mechanisms and continue to evade detection. It is necessary to analyze the weaknesses of existing defense mechanisms to find out the lacunae in them. This research exposes a weakness found in an existing bot detection method (BDM) by implementing a specialized P2P botnet model and carrying out experiments on it. Weaknesses that are found and validated can be used to predict the development path of botnets, and as a result, detection and mitigation measures can be implemented in a proactive fashion. The main contribution of this work is to demonstrate the exploitation pattern of an inherent weakness in local-host alert correlation (LHAC) based methods and to assert that current LHAC implementations could allow pockets of cooperative bots to hide in an enterprise size network. This work suggests that additional monitoring capabilities must be added to current LHAC-based methods in order for them to remain a viable bot detection mechanism.
Silver-Greenberg, J. (2012, April 1). After data breach, Visa removes a service provider. New York Times. [Full text available to UMUC students / faculty in ProQuest Newspapers database].
Visa removed Global Payments, an Atlanta company that helps the payment giant process transactions for merchants, from its list of “compliant service providers.” A security breach at Global Payments reported on Friday was thought to have compromised up to three million credit card accounts. It is among a group of companies that act as the plumbing in the electronic transaction chain, authorizing millions of transactions a day. That makes the companies prime targets for data thieves looking to steal richly detailed financial information.
Sommestad, T., Holm, H., & Ekstedt, M. (2012). Estimates of success rates of remote arbitrary code execution attacks. Information Management and Computer Security, 20(2). [Full text available to UMUC students / faculty in Emerald database].
Purpose: To identify the importance of the factors that influence the success rate of remote arbitrary code execution attacks. In other words, attacks which use software vulnerabilities to execute the attacker’s own code on targeted machines. Both attacks against servers and attacks against clients are studied.
Design/methodology/approach: The success rates of attacks are assessed for 24 scenarios: 16 scenarios for server-side attacks and 8 for client-side attacks. The assessment is made through domain experts and is synthesized using Cooke’s classical method, an established method for weighting experts’ judgments. The variables included in the study were selected based on the literature, a pilot study, and interviews with domain experts.
Findings: Depending on the scenario in question, the expected success rate varies between 15 and 67 percent for server-side attacks and between 43 and 67 percent for client-side attacks. Based on these scenarios, the influence of different protective measures is identified.
United States. Department of Homeland Security. Risk Self Assessment Tool (RSAT). Retrieved from https://rsat.anl.gov/RSAT-Registration/,DanaInfo=.artcwvjm9–JxprNxqtuSx3CWyA.a8FN,SSO=U+
The Risk Self Assessment Tool (RSAT) is a secure, Web-based application designed to assist managers of commercial facilities with the identification and management of security vulnerabilities to reduce risk to their facilities. The RSAT application was developed in partnership with the Department of Homeland Security (DHS) Office of Infrastructure Protection’s Sector Specific Agency Executive Management Office and the Infrastructure Information Collection Division. The RSAT application uses facility input in combination with threat and consequence estimates to conduct a comprehensive risk assessment and provides users with options for consideration on improving the security posture of their facility.
Workman, M. (2012). Validation of biases model in strategic security decision-making. Information Management and Computer Security, 20(2). [Full text available to UMUC students / faculty in Emerald database].
Funding agencies such as the Office of Naval Research, Department of Homeland Security, and others, have reduced funding for non-tactical operations. Simultaneously, organizations are squeezing their overhead budgets (where security initiatives fall) and are focusing more on revenue generation given current economic climates. Thus in both governmental sectors and in commercial settings, there are reasons to believe that strategic security initiatives are being sacrificed, and those that survive must be compelling. To assist organizational leaders with these difficult choices, it is critical to understand biases that affect decisions about strategic security initiatives. Our research validates and empirically tests the predictability of a theoretical model, from which implications can be made for research and practice.