Search

Your search keyword '"Security service"' showing total 185 results
Start Over Descriptor "Security service" Publisher springer us
185 results on '"Security service"'

1. Introduction

Author

Onieva, José A., Lopez, Javier, Zhou, Jianying, Onieva, José A., Lopez, Javier, and Zhou, Jianying

Published
2009
Full Text
View/download PDF

13. A Data-Centric Security Analysis Of ICGrid

Author

Angelos Bilas, Marios D. Dikaiakos, Manolis Marazakis, Michail D. Flouris, Jesus Luna, Theodoros Kyprianou, and K. Harald Gjermundrød

Subjects
Cloud computing security, Computer science, 0102 computer and information sciences, 02 engineering and technology, Information security, Computer security model, Asset (computer security), Computer security, computer.software_genre, 01 natural sciences, Security information and event management, Security service, 010201 computation theory & mathematics, 0202 electrical engineering, electronic engineering, information engineering, Security convergence, Network security policy, 020201 artificial intelligence & image processing, computer
Published
2008
Full Text
View/download PDF

14. Introduction to Information Security

Author

Yuval Elovici, Asaf Shabtai, and Lior Rokach

Subjects
Security service, Certified Information Security Manager, Information security management, Computer science, Information security, Computer security model, Computer security, computer.software_genre, Asset (computer security), computer, Security information and event management, Threat
Abstract

The NIST Computer Security Handbook [NIST, 1995] defines the term computer security as “protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).” The security concepts of confidentiality, integrity and availability are also called the CIA triad.

Published
2012

15. Service Levels, Security, and Trust

Author

Wolfgang Theilmann, Stephen Dawson, Philip Robinson, Gabriel Serme, Florian Marienfeld, Jonas Pattberg, Matthias Flugge, Edzard Höfig, Michele Bezzi, and Achim D. Brucker

Subjects
Service (business), Engineering, Service-level agreement, Knowledge management, Security service, business.industry, Service delivery framework, Service level, Service design, Service level objective, Service level requirement, business
Abstract

This chapter covers the scientific background for the Service Level Module of the Unified Service Description Language (USDL). In addition to general service level concepts, we expand on two specific service level fields: security and trust. For that end we first review the state of the art in service level modeling, then we explain the design of the Service Level Module and position it among the rest of USDL. For security, two possible perspectives, a high level business view and a low level engineering approach, are introduced. With regards to trust, USDL is suitable to specify how a service can be rated by its consumers and to ensure that ratings of competing services are comparable, and hence to determine trustworthiness. Additionally, we present a description of non-security-related elements that can be exploited for trust estimation.

Published
2012

16. Automated Assessment Of Compliance With Security Best Practices

Author

Roy H. Campbell and Zahid Anwar

Subjects
Process management, Security service, Information security management, Computer science, Security convergence, Security management, Information security, Computer security model, Computer security, computer.software_genre, Security information and event management, computer, Security testing
Published
2010

17. Competition, Speculative Risks, and IT Security Outsourcing

Author

Asunur Cezar, Huseyin Cavusoglu, and Srinivasan Raghunathan

Subjects
Cloud computing security, ComputingMilieux_THECOMPUTINGPROFESSION, Certified Information Security Manager, ComputingMilieux_LEGALASPECTSOFCOMPUTING, Asset (computer security), Computer security, computer.software_genre, Security information and event management, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Security service, Information security management, Security through obscurity, Security convergence, Business, computer
Abstract

Information security management is becoming a more critical and, simultaneously, a challenging function for many firms. Even though many security managers are skeptical about outsourcing of IT security, others have cited reasons that are used for outsourcing of traditional IT functions for why security outsourcing is likely to increase. Our research offers a novel explanation, based on competitive externalities associated with IT security, for firms' decisions to outsource IT security. We show that if competitive externalities are ignored, then a firm will outsource security if and only if the MSSP offers a quality (or a cost) advantage over in-house operations, which is consistent with the traditional explanation for security outsourcing. However, a higher quality is neither a prerequisite nor a guarantee for a firm to outsource security. The competitive risk environment and the nature of the security function outsourced, in addition to quality, determine firms' outsourcing decisions. If the reward from the competitor's breach is higher than the loss from own breach, then even if the likelihood of a breach is higher under the MSSP the expected benefit from the competitive demand externality may offset the loss from the higher likelihood of breaches, resulting in one or both firms outsourcing security. The incentive to outsource security monitoring is higher than that of infrastructure management because the MSSP can reduce the likelihood of breach on both firms and thus enhance the demand externality effect. The incentive to outsource security monitoring (infrastructure management) is higher (lower) if either the likelihood of breach on both firms is lower (higher) when security is outsourced or the benefit (relative to loss) from the externality is higher (lower). The benefit from the demand externality arising out of a security breach is higher when more of the customers that leave the breached firm switch to the non-breached firm.

Published
2010

18. Secure Integrated Circuits and Systems

Author

Ingrid Verbauwhede

Subjects
Engineering, business.industry, Cryptography, Integrated circuit, Computer security model, Computer security, computer.software_genre, Security testing, law.invention, Security engineering, Security service, law, Security through obscurity, Systems design, business, computer
Abstract

On any advanced integrated circuit or "system-on-chip" there is a need for security. In many applications the actual implementation has become the weakest link in security rather than the algorithms or protocols. The purpose of the book is to give the integrated circuits and systems designer an insight into the basics of security and cryptography from the implementation point of view. As a designer of integrated circuits and systems it is important to know both the state-of-the-art attacks as well as the countermeasures. Optimizing for security is different from optimizations for speed, area, or power consumption. It is therefore difficult to attain the delicate balance between the extra cost of security measures and the added benefits.

Published
2010

19. Introduction to e-Healthcare Information Security

Author

Kudakwashe Dube, Fredrick Mtenzi, and Charles A. Shoniregun

Subjects
Security service, Information security management, Certified Information Security Manager, business.industry, Standard of Good Practice, Internet privacy, Security convergence, Information security, Business, Asset (computer security), Security information and event management
Abstract

The e-Healthcare information offers unique security, privacy and confidentiality challenges that require a fresh examination of the mainstream concepts and approaches to information security. The significance of security and privacy in e- Healthcare information raised the issues of individual consent, confidentiality and privacy, which are the main determinants in adopting and successful utilising the e-Healthcare information. Current trends in the domain of e-Healthcare information management point to the need for comprehensive incorporation of security, privacy and confidentiality safeguards within the review of e-Healthcare information management frameworks and approaches. This raises major challenges that demands holistic approaches spanning a wide variety of legal, ethical, psychological, information and security engineering. This introductory chapter explores information security and challenges facing e-Healthcare information management.

Published
2010

20. Modeling the Security Ecosystem - The Dynamics of (In)Security

Author

Stefan Frei, Dominik Schatzmann, Brian Trammell, and Bernhard Plattner

Subjects
Responsible disclosure, Cloud computing security, Security service, Computer science, business.industry, Network Access Control, Environmental resource management, Network security policy, Environmental economics, Computer security model, business, Security information and event management, Vulnerability (computing)
Abstract

The security of information technology and computer networks is effected by a wide variety of actors and processes which together make up a security ecosystem; here we examine this ecosystem, consolidating many aspects of security that have hitherto been discussed only separately. First, we analyze the roles of the major actors within this ecosystem and the processes they participate in, and the the paths vulnerability data take through the ecosystem and the impact of each of these on security risk. Then, based on a quantitative examination of 27,000 vulnerabilities disclosed over the past decade and taken from publicly available data sources, we quantify the systematic gap between exploit and patch availability. We provide the first examination of the impact and the risks associated with this gap on the ecosystem as a whole. Our analysis provides a metric for the success of the “responsible disclosure” process. We measure the prevalence of the commercial markets for vulnerability information and highlight the role of security information providers (SIP), which function as the “free press” of the ecosystem.

Published
2010

21. Network Infrastructure Security ’ Switching

Author

Angus Wong and Alan Yeung

Subjects
Converged infrastructure, Cloud computing security, Security service, Computer science, Network Access Control, Network security policy, Infrastructure security, Computer security, computer.software_genre, computer, Telecommunications network, Data link layer
Published
2009

22. Introduction to Network Infrastructure Security

Author

Angus Wong and Alan Yeung

Subjects
Cloud computing security, Information security management, Security service, Computer science, Network Access Control, Network security policy, Infrastructure security, Computer security, computer.software_genre, Security information and event management, computer, Critical infrastructure
Published
2009

23. The Direct Part of the Model – An Information Security Policy Architecture

Author

R von Solms and S.H. von Solms

Subjects
Enterprise architecture framework, Security service, Political science, Sherwood Applied Business Security Architecture, Network security policy, Enterprise information security architecture, Information security, Computer security model, Computer security, computer.software_genre, computer, Security information and event management
Published
2008

24. Security for Context-Aware ad-hoc Networking Applications

Author

Yeda Regina Venturini, Vlad Coroama, Tereza Cristina Melo de Brito Carvalho, Mats Näslund, and Makan Pourzandi

Subjects
Delay-tolerant networking, Ubiquitous computing, Cloud computing security, business.industry, Computer science, Web application security, Security policy, computer.software_genre, Computer security, Security service, Middleware (distributed applications), Network Access Control, business, computer
Abstract

With the rapid spreading of ubiquitous computing applications, the importance of security concepts coping with their needs is also growing. While the possible application areas are so vast that one all-purpose security middleware fitting all the different needs seems impossible to realize, it is undoubtedly meaningful to have security frameworks covering the needs of as many applications as possible. In this paper, we thus discuss a security middleware for context-aware ad-hoc networking applications in home and work environments. The article focuses on two novel issues: it shows that the solution is particularly well-suited for context-aware applications, an often-encountered type of applications within home and work environments; and it discusses the encountered, non-trivial trade-offs between ad-hoc networking, context-awareness, and strong security.

Published
2008

25. Policies and Security Aspects For Distributed Scientific Laboratories

Author

Mariagrazia Fugini, Nicoletta Dessì, and R. A. Balachandar

Subjects
Knowledge management, business.industry, Computer science, XACML, Access control, Computer security model, Web application security, Security policy, Engineering management, Security service, Management system, Network security policy, business, computer, computer.programming_language
Abstract

Web Services and the Grid allow distributed research teams to form dynamic, multi-institutional virtual organizations sharing high performance computing resources, large scale data sets and instruments for solving computationally intensive scientific applications, thereby forming Virtual Laboratories. This paper aims at exploring security issues of such distributed scientific laboratories and tries to extend security mechanisms by defining a general approach in which a security policy is used both to provide and regulate access to scientific services. In particular, we consider how security policies specified in XACML and WS-Policy can support the requirements of secure data and resource sharing in a scientific experiment. A framework is given where security policies are stated by the different participants in the experiment, providing a Policy Management system. A prototype implementation of the proposed framework is presented.

Published
2008

26. Feasibility of Automated Information Security Compliance Auditing

Author

Mark Branagan, Dennis Longley, William Caelli, and Lam-For Kwok

Subjects
Information security audit, Certified Information Security Manager, Risk analysis (engineering), Information security management, Security service, Information security standards, Computer science, Information security, Computer security, computer.software_genre, computer, Security information and event management, Information security management system
Published
2008

27. Insecure Flight: Broken Boarding Passes and Ineffective Terrorist Watch Lists

Author

Christopher Soghoian

Subjects
Engineering, Government, National security, Airport security, business.industry, Aviation, ComputerApplications_COMPUTERSINOTHERSYSTEMS, Denial-of-service attack, computer.software_genre, Computer security, Computer virus, Identification (information), Security service, business, computer
Abstract

This paper discusses a number of existing problems with the airport transportation security system in the United States. The paper discusses two separate, yet equally important issues: the ease with which a passenger can fly without any identification documents at all and the ease with which print-at-home boarding passes can be modified, tampered with, and faked. The significance of these vulnerabilities becomes clear when viewed in light of the United States (US) government's insistence on maintaining passenger watch lists, whose contents are secret and effectiveness depend upon the government being able to verify the identity of each flying passenger. The paper then introduces a method of determining if any particular name is on the no fly list, without ever having to step foot into an airport. The paper introduces a physical denial of service attack against the Transportation Security Administration (TSA) checkpoints at airports, distributed via an Internet virus. Finally, the paper proposes technical solutions to the user modifiable boarding pass problem, which also neutralize the physical denial of service attack. The solutions have the added benefit of meshing with TSA's publicly stated wish to assume responsibility for verifying passengers names against the watch lists, as well as enabling them to collect and store real time data on passengers as they pass through checkpoints, something they are not able to do under the existing system.

Published
2008

28. An Analysis of Security Services in Grid Storage Systems

Author

L. Magnoni, Antonia Ghiselli, Federico Stagni, Angelos Bilas, Jesus Luna, Riccardo Zappi, A.C. Forti, Michail D. Flouris, and Manolis Marazakis

Subjects
Semantic grid, Cloud computing security, Grid computing, Data grid, Security service, Computer science, Computer security model, computer.software_genre, Computer security, computer, Security testing, Security information and event management
Abstract

With the wide-spread deployment of Data Grid installations, and rapidly increasing data volumes, storage services are becoming a critical aspect of the Grid infrastructure. Due to the distributed and shared nature of the Grid, security issues related with state of the art data storage services need to be studied thoroughly to identify potential vulnerabilities and attack vectors. In this paper, motivated by a typical use-case for Data Grid storage, we apply an extended framework for analyzing and evaluating its security from the point of view of the data and metadata, taking into consideration the security capabilities provided by both the underlying Grid infrastructure and commonly deployed Grid storage systems. For a comprehensive analysis of the latter, we identify three important elements: the players being involved, the underlying trust assumptions and the dependencies on specic security primitives. This analysis leads to the identication of a set of potential security gaps, risks, and even redundant security features found in a typical Data Grid. These results are now the starting point for our ongoing research on policies and mechanisms able to provide a fair balance between security and performance for Data Grid Storage Services.

Published
2008

29. Mapping Linux Security Targets to Existing Test Suites

Author

Ernesto Damiani, Fulvio Frati, N. El Ioini, Claudio Agostino Ardagna, P. Giovannini, and R. Tchokpon

Subjects
Matching (statistics), Settore INF/01 - Informatica, business.industry, Computer science, Computer security model, Security policy, Computer security, computer.software_genre, Test (assessment), Security service, Common Criteria, Software security assurance, Test suite, Software engineering, business, computer
Abstract

The Common Criteria standard provides an infrastructure for evaluating security functions of IT products and for certifying that security policies claimed by product suppliers are correctly enforced by the security functions themselves. Certifying Open Source software (OSS) can pave the way to OSS adoption in a number of security-conscious application environments. Recent experiences in certifying Linux distributions has pointed out the problem of finding a mapping between descriptions of OSS security functions and existingtest suites developed independently, such as the Linux Test Project. In this paper, we describe a mechanism, based on matching techniques, which semiautomatically associates security functions to existing test suite such as the ones developed by Open Source communities.

Published
2008

30. An Authenticated Key Management Scheme for Hierarchical Wireless Sensor Networks

Author

Ashraf Masood, Sajid Hussain, and Firdous Kausar

Subjects
Key distribution in wireless sensor networks, Authentication, Cryptographic primitive, Security service, Computer science, business.industry, Sensor node, business, Encryption, Key management, Wireless sensor network, Computer network
Abstract

Key Management is a critical security service in wireless sensor networks (WSNs). It is an essential cryptographic primitive upon which other security primitives are built. The most critical security requirements in WSNs include authentication and confidentiality. These security requirements can be provided by a key management but it is difficult due to the ad hoc nature, intermittent connectivity, and resource limitations of the sensor networks. In this paper we propose an authenticated key management (AKM) scheme for hierarchical networks based on the random key pre-distribution. Further, a secure cluster formation algorithm is proposed. The base station periodically refreshes the network key, which provides the following: a) the authenticated network communication, and b) a global and continuous authentication of each network entity. Multiple level of encryption is provided by using two keys: 1) a pair-wise shared key between nodes, and 2) a network key. The AKM scheme is more resilient to node capture as compared to other random key pre-distribution schemes. The proposed key management scheme can be applied for different routing and energy efficient data dissemination techniques for sensor networks.

Published
2008

31. A Model-based Analysis of Tunability in Privacy Services

Author

Reine Lundin, Stefan Lindskog, and Anna Brunstrom

Subjects
Service (business), Engineering, business.industry, End user, Conceptual model (computer science), Computer security, computer.software_genre, World Wide Web, Crowds, Security service, The Internet, business, computer, Anonymity
Abstract

In this paper, we investigate the tunable privacy features provided by Internet Explorer version 6 (IE6), Mix Net and Crowds, by using a conceptual model for tunable security services. A tunable security service is defined as a service that has been explicitly designed to offer various security configurations that can be selected at run-time. Normally, Mix Net and Crowds are considered to be static anonymity services, since they were not explicitly designed to provide tunability. However, as discussed in this paper, they both contain dynamic elements that can be used to utilize the trade-off between anonymity and performance. IE6, on the other hand, was indeed designed to allow end users to tune the level of privacy when browsing the Internet.

Published
2008

32. Security Issues in Wireless Sensor Networks Used in Clinical Information Systems

Author

Jelena Misic and Vojislav B. Misic

Subjects
Remote patient monitoring, business.industry, Computer science, Computer security, computer.software_genre, Key distribution in wireless sensor networks, Security service, Intensive care, Wireless network interface controller, Information system, Mobile wireless sensor network, business, computer, Wireless sensor network, Computer network
Abstract

High quality healthcare is an important aspect of the modern society. In this chapter we address the security and networking architecture of a healthcare information system comprised of patients ’ personal sensor networks, department/room networks, hospital network, and medical databases. Areas such as diagnosis, surgery, intensive care and treatment, and patient monitoring would greatly benefit from light untethered devices which can be unobtrusively mounted on patient ’s body in order to monitor and report health-relevant variables to the interconnection device mounted on the patient ’s bed. Interconnection device should also have larger range wireless interface which should communicate to the access point in the patient ’s room, operation room or to the access points within the healthcare institution. The results of measurements will then be stored in central medical database with appropriate provisions for protecting the patient privacy as well as the integrity of personal health records. We review confidentiality and integrity polices for clinical information systems and discuss the feasible enforcement mechanisms over the wireless hop. We also compare candidate technologies IEEE 802.15.1 and IEEE 802.15.4 from the aspect of resilience of MAC and PHY layers to jamming and denial-of-service attacks.

Published
2007

33. A Research on Issues Related to RFID Security and Privacy

Author

Chao Yang, Jongki Kim, and Jinhwan Jeon

Subjects
Information privacy, Supply chain management, Cloud computing security, Privacy software, business.industry, Computer security, computer.software_genre, Security information and event management, Identification (information), Security service, Hardware_GENERAL, Radio-frequency identification, business, computer
Abstract

Radio Frequency Identification (RFID) is a technology for automated identification of objects and people. RFID systems have been gaining more popularity in areas especially in supply chain management and automated identification systems. However, there are many existing and potential problems in the RFID systems which could threat the technology’s future. To successfully adopt RFID technology in various applications, we need to develop the solutions to protect the RFID system’s data information. This study investigates important issues related to privacy and security of RFID based on the recent literature and suggests solutions to cope with the problem.

Published
2007

34. A Service-Oriented Approach for Assessing Infrastructure Security

Author

Igor Nai Fovino and Marcelo Masera

Subjects
Cloud computing security, business.industry, Computer science, Service design, Infrastructure security, Information security, Computer security model, Computer security, computer.software_genre, Critical infrastructure, Security service, Information security management, business, computer
Abstract

The pervasive use of information and communication technologies (ICT) in critical infrastructures requires security assessment approaches that consider the highly interconnected nature of ICT systems. Several approaches incorporate the relationships between structural and functional descriptions and security goals, and associate vulnerabilities with known attacks. However, these methodologies are typically based on the analysis of local problems. This paper proposes a methodology that systematically correlates and analyzes structural, functional and security information. The security assessment of critical infrastructure systems is enhanced using a service-oriented perspective, which focuses the analysis on the concept of service, linking the interactions among services – modeled as service chains – with vulnerabilities, threats and attacks.

Published
2007

35. Security Strategies for SCADA Networks

Author

Tim Kilpatrick, Mauricio Papa, Sujeet Shenoi, Jesus Gonzalez, and Rodrigo Chandia

Subjects
SCADA, Security service, business.industry, Computer science, Network Access Control, Network security policy, Industrial control system, business, Computer security, computer.software_genre, computer, Data warehouse, Computer network
Published
2007

36. Basic Security Concepts

Author

Sushil Jajodia and Ting Yu

Subjects
Computer science, Covert channel, ComputingMilieux_LEGALASPECTSOFCOMPUTING, Adversary, Computer security model, Computer security, computer.software_genre, Security testing, Logical security, Security information and event management, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Security service, Security through obscurity, computer
Abstract

The computer security problem is an adversary problem: there is an adversary who seeks to misuse the storage, processing, or transmittal of data to gain advantage. The misuse is classified as either unauthorized observation of data, unauthorized or improper modification of data, or denial of service. In denial of service misuse, the adversary seeks to prevent someone from using features of the computer system by monopolizing or tying up the necessary resources.

Published
2007

37. Security Associations Management (SAM) Model for IP Multimedia System (IMS)

Author

Thomas Magedanz and Muhammad Sher

Subjects
Cloud computing security, business.industry, Computer security model, Computer security, computer.software_genre, Internet security, Security information and event management, Security service, Security association, Network Access Control, Network security policy, business, computer, Computer network
Abstract

In this paper we propose Security Associations Management (SAM) model which consists of seven security associations & managements based on different technical specifications of Third Generation Partnership Project (3GPP) [1] to develop Secure Service Provisioning Framework (SSPF) [2] for IP Multimedia System (IMS) at IMS Playground within Third Generation beyond (3Gb) Testbed [3] at Fokus, Fraunhofer. The objective of this enhanced security management model is to combine all security associations into single article that deal with the mutual authentication of user and network; to provide security across different interfaces like Ut interface (for HTTP services), Gm interface (air contact) between IMS client and IMS Core, Cx and Dx interfaces (between Home Subscriber Server HSS and IMS core network). It also deals with security when the user is roaming or in home network and security considerations for access networks. The main emphasis of SAM is to propose complete security protection model for IMS network and to the user, therefore only brief description of each security association is provided to understand the architecture and conceptual security model.

Published
2007

38. Network and System Security

Author

Anoop Singhal

Subjects
Cloud computing security, Network security, business.industry, Computer science, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Covert channel, Computer security model, Computer security, computer.software_genre, Internet security, Security information and event management, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Security service, Network Access Control, business, computer
Abstract

This chapter discusses the elements of computer security such as authorization, authentication and integrity. It presents threats against networked applications such as denial of service attacks and protocol attacks. It also presents a brief discussion on firewalls and intrusion detection systems

Published
2007

39. Building a Distributed Semantic-aware Security Architecture

Author

Rolf Schillinger, Jan Kolter, Günther Pernul, Venter, Hein, Eloff, Mariki, Labuschagne, Les, Eloff, Jan, and von Solms, Rossouw

Subjects
ddc:004, World Wide Web, Security service, Distributed System Security Architecture, Computer science, Applications architecture, Solution architecture, Sherwood Applied Business Security Architecture, Reference architecture, Enterprise information security architecture, 004 Informatik, Space-based architecture
Abstract

Enhancing the service-oriented architecture paradigm with semantic components is a new field of research and goal of many ongoing projects. The results lead to more powerful web applications with less development effort and better user support. While some of these advantages are without doubt novel, challenges and opportunities for the security arise. In this paper we introduce a security architecture built in a semantic service-oriented architecture. Focusing on an attributebased access control approach, we present an access control model that facilitates semantic attribute matching and ontology mapping. Furthermore, our security architecture is capable of distributing the Policy Decision Point (PDP) from the service provider to different locations in the platform, eliminating the need of disclosing privacy-sensitive user attributes to the service provider. With respect to privacy preferences of the user and trust settings of the service provider, our approach allows for dynamically selecting a PDP. With more advanced trusted computing technology in the future it is possible to place the PDP on user side, reaching a maximum level of privacy.

Published
2007

40. Toward User Evaluation of IT Security Certification Schemes: A Preliminary Framework

Author

Sharman Lichtenstein, Matthew Warren, and Nicholas J. A. Tate

Subjects
Security service, Certified Information Security Manager, Computer science, Risk management framework, Certified Information Systems Security Professional, Certification, Computer security model, Computer security, computer.software_genre, computer, Security information and event management, Information security management system
Abstract

This paper reports a preliminary framework that supports stakeholder evaluation, comparison and selection of IT Security Certification schemes. The framework may assist users in the selection of the most appropriate scheme to meet their particular needs.

Published
2007

41. Improving the Information Security Model by using TFI

Author

Rose-Mharie Åhlfeldt, Paolo Spagnoletti, and Guttorm Sindre

Subjects
Knowledge management, Certified Information Security Manager, Computer science, business.industry, Information security, Computer security model, Information security management, Security information and event management, Risk analysis (engineering), Security service, Information security standards, Security convergence, business, semiotic
Abstract

In the context of information systems and information technology, information security is a concept that is becoming widely used. The European Network of Excellence INTEROP classifies information security as a nonfunctional aspect of interoperability and as such it is an integral part of the design process for interoperable systems. In the last decade, academics and practitioners have shown their interest in information security, for example by developing security models for evaluating products and setting up security specifications in order to safeguard the confidentiality, integrity, availability and accountability of data. Earlier research has shown that measures to achieve information security in the administrative or organisational level are missing or inadequate. Therefore, there is a need to improve information security models by including vital elements of information security. In this paper, we introduce a holistic view of information security based on a Swedish model combined with a literature survey. Furthermore we suggest extending this model using concepts based on semiotic theory and adopting the view of an information system as constituted of the technical, formal and informal (TFI) parts. The aim is to increase the understanding of the information security domain in order to develop a well-founded theoretical framework, which can be used both in the analysis and the design phase of interoperable systems. Finally, we describe and apply the Information Security (InfoSec) model to the results of three different case studies in the healthcare domain. Limits of the model will be highlighted and an extension will be proposed.

Published
2007

42. Critical Infrastructure Protection

Author

Sujeet Shenoi and Eric Goetz

Subjects
Control system security, Engineering, Cloud computing security, business.industry, Critical infrastructure protection, Infrastructure security, Computer security, computer.software_genre, Security information and event management, Security service, SCADA, Information infrastructure, business, computer, Computer network
Abstract

Themes And Issues.- On the Security Implications of Disruptive Technologies.- Cyber Security: Are Economic Incentives Adequate?.- Government Intervention in Information Infrastructure Protection.- Infrastructure Security.- Security of Information Flow in the Electric Power Grid.- Securing Positive Train Control Systems.- Lessons Learned from the Maroochy Water Breach.- Reducing Risk in Oil and Gas Production Operations.- Control Systems Security.- Securing Current and Future Process Control Systems.- Security Strategies for SCADA Networks.- Security Enhancements for Distributed Control Systems.- Security Challenges of Reconfigurable Devices in the Power Grid.- Intrusion Detection and Event Monitoring in SCADA Networks.- Passive Scanning in Modbus Networks.- Formal Modeling and Analysis of the Modbus Protocol.- Security Analysis of Multilayer SCADA Protocols.- Remote Forensic Analysis of Process Control Systems.- Creating a European SCADA Security Testbed.- Network Infrastructure Security.- Protecting Internet Services from Low-Rate DoS Attacks.- Detecting Wormhole Attacks in Wireless Sensor Networks.- Detecting Non-Discoverable Bluetooth Devices.- Infrastructure Interdependencies.- Risk Analysis in Interdependent Infrastructures.- Analysis of Interdependencies Between Italy's Economic Sectors.- The ISE Metamodel for Critical Infrastructures.- Multigraph Dependency Models for Heterogeneous Infrastructures.- Visualizing Cascading Failures in Critical Cyber Infrastructures.- Risk Assessment.- A Service-Oriented Approach for Assessing Infrastructure Security.- Analysis of Electrical Power and Oil and Gas Pipeline Failures.

Published
2007

43. Security and Privacy

Author

Harry Wechsler

Subjects
Information privacy, Cloud computing security, Security service, Computer science, Security through obscurity, Data security, Information security, Computer security, computer.software_genre, Asset (computer security), Personally identifiable information, computer
Published
2007

44. Security and Privacy in Dynamic Environments

Author

Kai Rannenberg, Louise Yngström, Stefan Lindskog, and Simone Fischer-Hübner

Subjects
Cloud computing security, Security service, Privacy software, Computer science, business.industry, Internet privacy, business, Computer security, computer.software_genre, computer
Published
2006

45. Tool Supported Management of Information Security Culture

Author

Stephanie Teufel and Thomas Schlienger

Subjects
Management information systems, Knowledge management, Information security audit, Security service, Certified Information Security Manager, Information security management, Information security standards, business.industry, Computer science, Information security, business, Security information and event management
Abstract

In this paper, we present a management process we have developed for an Information Security Culture. It is based theoretically on action research and practically on expert interviews and group discussions. A Decision Support System, which supports the process, allows quick survey of the existing Information Security Culture in an organization and analysis of the results, thus discovering strong and weak points. This tool recommends, based on stored measures and rules, actions to improve the weak points. It helps security officers to do their work and to improve the Information Security Culture in their organizations. The application of the process and the Decision Support System in a Private Bank is presented here and major findings are discussed.

Published
2005

46. Security in Mobile Ad-Hoc Networks

Author

Yongguang Zhang and Wenke Lee

Subjects
Cloud computing security, Security association, Security service, Computer science, Network Access Control, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Mobile computing, Network security policy, Mobile ad hoc network, Intrusion detection system, Computer security, computer.software_genre, computer
Abstract

Security is a paramount concern in mobile ad hoc network (MANET) because of its intrinsic vulnerabilities. These vulnerabilities are nature of MANET structure that cannot be removed. As a result, attacks with malicious intent have been and will be devised to exploit these vulnerabilities and to cripple MANET operations. In this chapter, we analyze the security problems in MANET and present a few promising research directions. On the prevention side, various key and trust management schemes have been developed to prevent external attacks from outsiders, and various secure MANET routing protocols have been proposed to prevent internal attacks originated from within the MANET system. On the intrusion detection side, a new intrusion detection framework has been studied especially for MANET. Both prevention and detection methods will work together to address the security concerns in MANET.

Published
2005

47. ERPSEC - A Reference Framework to Enhance Security in ERP Systems

Author

M. P. Hertenberger and S. H. Von Solms

Subjects
Cloud computing security, Process management, Security service, Certified Information Security Manager, Computer science, Security convergence, Computer security model, Database security, Asset (computer security), Computer security, computer.software_genre, Security information and event management, computer
Abstract

This paper proposes a method of integrating the concept of information ownership in an Enterprise Resource Planning (ERP) system for enhanced security. In addition to providing enhanced security, the reference framework ERPSEC developed for this study provides better manageability and eases implementation of security within ERP software packages. The results of this study indicate that central administration, control and management of security within the ERP systems under investigation for this study weaken security. It was concluded that central administration of security should be replaced by a model that distributes the responsibility for security to so-called information owners. Such individuals hold the responsibility for processes and profitability within an organization. Thus, they are best suited to decide who has access to their data and how their data may be used. Information ownership, coupled with tight controls can significantly enhance information security within an ERP system.

Published
2005

48. A Responsibility Framework for Information Security

Author

Rossouw von Solms and Shaun Posthumus

Subjects
Security service, Information security management, Certified Information Security Manager, Information security standards, Security convergence, Business, Information security, Asset (computer security), Computer security, computer.software_genre, computer, Security information and event management
Abstract

This paper demonstrates that information security is more than a technical issue, through the development of an information security responsibility framework that shows consideration for strategic and legal issues as well. It is important that information security be viewed as both a governance challenge and a management responsibility. In order to achieve this this paper addresses information security governance and the board’s participation in directing and controlling security efforts. Furthermore information security management is addressed in order to demonstrate how information security should be implemented. Once a comprehensive picture of the information security function has been established, the roles of various individuals in terms of information security are discussed and mapped out in the responsibility framework in order to demonstrate the true scope of an organizations information security function.

Published
2005

49. Assignment of Security Clearances in an Organization

Author

Victor Portougal and Lech J. Janczewski

Subjects
Cloud computing security, Security service, Computer science, Security convergence, Information security, Computer security model, Asset (computer security), Computer security, computer.software_genre, computer, Security information and event management, Logical security
Abstract

The paper discusses the assignment of security clearances to employees in a security conscious organization. New approaches are suggested for solving two major problems. First, full implementation of the ‘need-to-know’ principle is provided by the introduction of Data Access Statements (DAS) as part of employee’s job description. Second, for the problem of setting up border points between different security clearances, the paper introduces a fuzzy set model. This model helps to solve this problem, effectively connecting it with the cost of security. Finally, a method is presented for calculating security values of objects security clearances for employees when the information objects are connected to each other in a network structure.

Published
2005

50. Semantics-Aware Perimeter Protection

Author

Ernesto Damiani, Pierangela Samarati, and Marco Cremonini

Subjects
business.industry, computer.internet_protocol, SOAP, Access control, Computer security, computer.software_genre, Security policy, Security service, Network security policy, Web service, business, WS-Policy, computer, XML
Abstract

Web services security is becoming a critical concern for any organization adopting the XML-based Web services approach to application integration. While many access control techniques for Web services are becoming available, several issues still need to be solved in order to correctly split the burden of securing Web services between the perime-tral and the service level. In this paper, a technique is presented able to make perimetral defences semantics-aware. Application-level semantics-aware firewalls enforce filtering rules directly on SOAP messages based on the nature of the services they request. Our semantics-aware firewalls rules are written using a flexible XML-based syntax that allows sharing metadata concepts with service level access control policies, supporting complex security policies that integrate perimetral defences with access control. Moreover, they can be quickly integrated into organizations’ existing infrastructure, deployed rapidly and scaled as needed. Also, they integrate easily with existing infrastructure and can be operated by current staff, potentially achieving a low total cost of ownership with respect to service level solutions.

Published
2004

Catalog

Books, media, physical & digital resources
See catalog results