{"title":"A conceptual opportunity-based framework to mitigate the insider threat","authors":"Keshnee Padayachee","doi":"10.1109/ISSA.2013.6641060","DOIUrl":"https://doi.org/10.1109/ISSA.2013.6641060","url":null,"abstract":"The aim of this paper is to provide a conceptual framework to mitigate the insider threat from an opportunity-based perspective. Although motive and opportunity are required to commit maleficence, this paper focuses on the concept of opportunity. Opportunity is more tangible than motive, hence it is more pragmatic to reflect on opportunity-reducing measures. Opportunity theories from the field of criminology are considered to this end. The derived framework highlights several areas of research and may assist organisations in designing controls that are situationally appropriate to mitigate insider threat. Current information security countermeasures are not designed from an opportunity-reducing perspective.","PeriodicalId":300864,"journal":{"name":"2013 Information Security for South Africa","volume":"13 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122221029","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Forensic entropy analysis of microsoft windows storage volumes","authors":"Peter Weston, S. Wolthusen","doi":"10.1109/ISSA.2013.6641056","DOIUrl":"https://doi.org/10.1109/ISSA.2013.6641056","url":null,"abstract":"The use of file or volume encryption as a counter-forensic technique, particularly when combined with steganographic mechanisms, depends on the ability to plausibly deny the presence of such encrypted data. Establishing the likely presence of encrypted data is hence highly desirable for forensic investigations, particularly if an automated heuristic can be devised. Similarly, forensic analysts must be able to identify whether a volume has been sanitised by re-installation and subsequent re-population with user data as otherwise significant information such as slack space contents and files of interest will be unavailable. We claim that the current or previous existence of encrypted volumes can be derived from studying file and volume entropy characteristics based on knowledge of the development of volume entropy over time. To validate our hypothesis, we have examined several versions of the Microsoft Windows operating system platform over a simulated installation life-cycle and established file and volume entropy metrics. Similarly, using the same mechanisms, we verified the hypothesis that the aging through regular use of an installation is identifiable through entropy fingerprint analysis. The results obtained allow the rapid identification of several volume-level operations including copying and wiping, but also to detect anomalous slack space entropy indicative of the use of encryption techniques. Similarly, entropy and randomness tests have been devised which provide heuristics for the differentiation of encrypted data from other high-entropy data such as compressed media data.","PeriodicalId":300864,"journal":{"name":"2013 Information Security for South Africa","volume":"108 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124686546","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Real-time distributed malicious traffic monitoring for honeypots and network telescopes","authors":"Samuel O. Hunter, B. Irwin, E. Stalmans","doi":"10.1109/ISSA.2013.6641050","DOIUrl":"https://doi.org/10.1109/ISSA.2013.6641050","url":null,"abstract":"Network telescopes and honeypots have been used with great success to record malicious network traffic for analysis, however, this is often done off-line well after the traffic was observed. This has left us with only a cursory understanding of malicious hosts and no knowledge of the software they run, uptime or other malicious activity they may have participated in. This work covers a messaging framework (rDSN) that was developed to allow for the real-time analysis of malicious traffic. This data was captured from multiple, distributed honeypots and network telescopes. Data was collected over a period of two months from these data sensors. Using this data new techniques for malicious host analysis and re-identification in dynamic IP address space were explored. An Automated Reconnaissance (AR) Framework was developed to aid the process of data collection, this framework was responsible for gathering information from malicious hosts through both passive and active fingerprinting techniques. From the analysis of this data; correlations between malicious hosts were identified based on characteristics such as Operating System, targeted service, location and services running on the malicious hosts. An initial investigation in Latency Based Multilateration (LBM), a novel technique to assist in host re-identification was tested and proved successful as a supporting metric for host re-identification.","PeriodicalId":300864,"journal":{"name":"2013 Information Security for South Africa","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130991513","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"The identification of information sources to aid with Critical Information Infrastructure Protection","authors":"J. Mouton, Ian Ellefsen","doi":"10.1109/ISSA.2013.6641038","DOIUrl":"https://doi.org/10.1109/ISSA.2013.6641038","url":null,"abstract":"Providing Critical Information Infrastructure Protection (CIIP) has become an important focus area for countries across the world with the widespread adoption of computer systems and computer networks that handle and transfer large amounts of sensitive information on a daily basis. Most large organisations have their own security teams that provide some form of protection against cyber attacks that are launched by cybercriminals. It is however often the case that smaller stakeholders such as schools, pharmacies and other SMEs might not have the required means to protect themselves against these cyber attacks. The distribution of relevant and focused information is an important part of providing effective protection against cyber attacks. In this paper some of the existing mechanisms and formats in which information related to software security vulnerabilities are provided to the public are discussed and reviewed. Providing focused and relevant information can enable smaller stakeholders such as SMEs that have a limited set of skills and expertise to limit their risk of exposure to cyber attacks.","PeriodicalId":300864,"journal":{"name":"2013 Information Security for South Africa","volume":"15 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122380759","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"A high-level architecture for efficient packet trace analysis on GPU co-processors","authors":"Alastair Nottingham, B. Irwin","doi":"10.1109/ISSA.2013.6641052","DOIUrl":"https://doi.org/10.1109/ISSA.2013.6641052","url":null,"abstract":"This paper proposes a high-level architecture to support efficient, massively parallel packet classification, filtering and analysis using commodity Graphics Processing Unit (GPU) hardware. The proposed architecture aims to provide a flexible and efficient parallel packet processing and analysis framework, supporting complex programmable filtering, data mining operations, statistical analysis functions and traffic visualisation, with minimal CPU overhead. In particular, this framework aims to provide a robust set of high-speed analysis functionality, in order to dramatically reduce the time required to process and analyse extremely large network traces. This architecture derives from initial research, which has shown GPU co-processors to be effective in accelerating packet classification to up to tera-bit speeds with minimal CPU overhead, far exceeding the bandwidth capacity between standard long term storage and the GPU device. This paper provides a high-level overview of the proposed architecture and its primary components, motivated by the results of prior research in the field.","PeriodicalId":300864,"journal":{"name":"2013 Information Security for South Africa","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127729461","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Amber: A zero-interaction honeypot and network enforcer with modular intelligence","authors":"A. Schoeman","doi":"10.1109/ISSA.2013.6641053","DOIUrl":"https://doi.org/10.1109/ISSA.2013.6641053","url":null,"abstract":"For the greater part, security controls are based around the principle of Decision through Detection (DtD). The exception to this is a Honeypot, which analyses interactions between a third party and itself, while occupying a piece of unused information space. As honeypots are not located on productive information resources, any interaction with it can be assumed to be non-productive. This allows the honeypot to make decisions based simply on the presence of data, rather than on the behaviour of the data. But due to limited resources in human capital, honeypots' uptake in the South African market has been underwhelming. Amber attempts to change this by offering a zero-interaction security system, which will use the honeypot approach of Decision through Presence (DtP) to generate a blacklist of third parties, which can be passed on to a network enforcer. Empirical testing has been done proving the usefulness of this alternative and low cost approach in defending networks. The functionality of the system was also extended by installing nodes in different geographical locations, and streaming their detections into the central Amber hive.","PeriodicalId":300864,"journal":{"name":"2013 Information Security for South Africa","volume":"115 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124553914","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Visualization of a data leak","authors":"I. Swart, M. Grobler, B. Irwin","doi":"10.1109/ISSA.2013.6641046","DOIUrl":"https://doi.org/10.1109/ISSA.2013.6641046","url":null,"abstract":"The potential impact that data leakage can have on a country, both on a national level as well as on an individual level, can be wide reaching and potentially catastrophic. In January 2013, several South African companies became the target of a hack attack, resulting in the breach of security measures and the leaking of a claimed 700000 records. The affected companies are spread across a number of domains, thus making the leak a very wide impact area. The aim of this paper is to analyze the data released from the South African breach and to visualize the extent of the loss by the companies affected. The value of this work lies in its connection to and interpretation of related South African legislation. The data extracted during the analysis is primarily personally identifiable information, such as defined by the Electronic Communications and Transactions Act of 2002 and the Protection of Personal Information Bill of 2009.","PeriodicalId":300864,"journal":{"name":"2013 Information Security for South Africa","volume":"29 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132394781","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"A compliant assurance model for assessing the trustworthiness of cloud-based e-commerce systems","authors":"Thembekile O. Mayayise, I. Osunmakinde","doi":"10.1109/ISSA.2013.6641042","DOIUrl":"https://doi.org/10.1109/ISSA.2013.6641042","url":null,"abstract":"Many cloud-based e-commerce stores aim to attract and retain customers in order to be competitive. However, they are all faced with a challenge regarding gaining and maintaining consumer trust in a volatile cloud-based e-commerce environment where risks pertaining to information security, privacy of information and inadequate monitoring of compliance to applicable laws are prevalent. The pervasiveness of these risks has indirectly propelled the development of web assurance models, which were designed in an attempt to encourage online consumer trust. Regrettably, many of these models have been inadequate in certain areas, such as being unable to provide online real-time assurance on a comprehensive set of attributes, which include a check of compliance to the applicable e-commerce legislation or standards in a cloud-based environment. The aim of this research was to examine whether the integration of the attributes of adaptive legislation, adaptive ISO standards, policies, advanced user security and website availability can be used to develop a compliant assurance model. The model uses an intelligent cooperative rating based on the analytical hierarchy process and page ranking techniques to improve the level of cloud-based trustworthiness. We illustrated in an empirical explanatory survey conducted with 15 test samples from IEEE, Science Direct databases and real life data captured from E-commerce sites that the proposed compliant model strongly contributes to the improvement of cloud-based sites, as well as enhancing the trustworthiness of these websites. The findings of this research study can be used as a reference guide to understand the effectiveness of cloud-based e-commerce assurance models, as well as to enhance the trustworthiness of these models.","PeriodicalId":300864,"journal":{"name":"2013 Information Security for South Africa","volume":"36 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116681540","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Towards a framework for enhancing potential digital evidence presentation","authors":"Nickson M. Karie, H. Venter","doi":"10.1109/ISSA.2013.6641039","DOIUrl":"https://doi.org/10.1109/ISSA.2013.6641039","url":null,"abstract":"In the case of digital forensic investigations, the potential digital evidence captured, the analysis, interpretation, and attribution must ultimately be presented in the form of expert reports, depositions, and testimony in any legal proceedings. If the presentation and interpretation of the potential digital evidence is conducted correctly, it is much easier and useful in apprehending the attacker and stands a much greater chance of being admissible in the event of a prosecution. Wrongly presented and interpreted potential digital evidence data might create loopholes for perpetrators to exploit, thus, making it hard to convict and prosecute them. Existing digital forensic investigation process models have provided guidelines for identifying and preserving potential digital evidence captured from a crime scene. However, the extent to which such potential digital evidence may be admissible in a court of law remains a challenge to investigators. This is backed up by the fact that there are currently no standardised guidelines for even presenting the most common representations of digital forensic evidence. Therefore, in the authors' opinion, methodologies and specifications need to be developed in the field of digital forensics with the ability to effectively enhance the potential digital evidence presentation and interpretation in any legal proceedings. In this paper, therefore, we present a step-by-step framework in an attempt to propose high-level guidelines for enhancing the potential digital evidence presentation in any legal proceedings. Such a framework will be helpful to digital forensic experts, for example, in structuring investigation findings as well as in identifying relevant patterns of events to be incorporated during the presentation of potential digital evidence. The framework will also assist law enforcement agencies, for example, to determine, with less effort, the validity, weight and admissibility of any potential digital evidence presented. However, it should be noted that the purpose of this paper is not to replace any of the extensive and known evidence presentation principles, but serves as a survey of the state of the art of the research area while proposing harmonised and high-level guidelines for enhancing the presentation of potential digital evidence in legal proceedings.","PeriodicalId":300864,"journal":{"name":"2013 Information Security for South Africa","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130707253","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Toward risk-driven security measurement for Android smartphone platforms","authors":"R. Savola, T. Väisänen, Antti Evesti, Pekka T. Savolainen, Juha Kemppainen, Marko Kokemaki","doi":"10.1109/ISSA.2013.6641049","DOIUrl":"https://doi.org/10.1109/ISSA.2013.6641049","url":null,"abstract":"Security for Android smartphone platforms is a challenge arising in part from their openness. We analyse the security objectives of two distinct envisioned public safety and security mobile network systems utilising the Android platform. The analysis is based on an industrial risk analysis activity. In addition, we propose initial heuristics for security objective decomposition aimed at security metrics definition. Systematically defined and applied security metrics can be used for informed risk-driven security decision-making, enabling higher security effectiveness.","PeriodicalId":300864,"journal":{"name":"2013 Information Security for South Africa","volume":"2 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127053434","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}