Security Posture

The Experts below are selected from a list of 4137 Experts worldwide ranked by ideXlab platform

J. Mtsweni - One of the best experts on this subject based on the ideXlab platform.

  • ISSA - Analyzing the Security Posture of South African websites
    2015 Information Security for South Africa (ISSA), 2015
    Co-Authors: J. Mtsweni
    Abstract:

    Today, public-facing websites are virtually used across all different sectors by different types of organizations for information sharing and conducting core business activities. At the same time, the increasing use of mobile devices in Africa has also propelled the deployment and adoption of web-based applications. However, as the use of websites increases, so do cyber-attacks. Web-based attacks are prevalent across the globe, and in South Africa an increase in such attacks is being observed. Research studies also suggest that over 80% of active websites are vulnerable to a myriad of attacks. This paper reports on a study conducted to passively analyze and determine the security posture of over 70 South African websites from different sectors. The security posture of the local websites was thereafter compared against the top ten (10) global websites. The list of websites was mainly chosen using Amazon's Alexa service. The focus of the study was mainly on the security defense mechanisms employed by the chosen websites. This approach was chosen because the client-side security policies, which may give an indication of the security posture of a website, can be analyzed without actively scanning multiple websites. Consequently, relevant web-based vulnerabilities and security countermeasures were selected for the analysis. The results of the study suggest that most of the 70 South African websites analyzed are vulnerable to cross-site scripting, injection vulnerabilities, clickjacking and man-in-the-middle attacks. Over 67% of the analyzed websites unnecessarily expose server information, approximately 50% of the websites do not protect session cookies, about 30% of the websites use secure communications, in particular for transmitting users' sensitive information, and some websites use deprecated security policies. From the study, it was also determined that South African websites lag behind in adopting basic security defense mechanisms when compared against top global websites.

Solange Ghernaouti-Hélie - One of the best experts on this subject based on the ideXlab platform.

  • Information Security Evaluation - A Holistic Approach
    2011
    Co-Authors: Igli Tashi, Solange Ghernaouti-Hélie
    Abstract:

    Information systems have become a critical element of every organization, emphasizing the need for a reliable and secure ICT infrastructure for companies whose principal asset and added value is information. This book proposes a global and systemic multidimensional integrated approach to the holistic evaluation of the information security posture of an organization. The Information Security Assurance Assessment Model (ISAAM) presented in this book is based on, and integrates, a number of information security best practices, standards, methodologies and sources of research expertise, in order to provide a generic model that can be implemented in organizations of all kinds as part of their efforts towards better governing their information security. This approach will contribute to improving the identification of security requirements, measures and controls. At the same time, it provides a means of enhancing the recognition of evidence related to the assurance, quality and maturity levels of the organisation's security posture, thus driving improved security effectiveness and efficiency.

  • A Security Assurance Model to Holistically Assess the Information Security Posture
    Complex Intelligent Systems and Their Applications, 2010
    Co-Authors: Igli Tashi, Solange Ghernaouti-Hélie
    Abstract:

    Managing Information Security (InfoSec) within an organization is becoming a very complex task. Currently, InfoSec assessment is performed by using frameworks, methodologies, or standards which consider separately the elements related to security. Unfortunately, this is not necessarily effective because it does not take into consideration the necessity of having a global and systemic, multidimensional approach to ICT security evaluation. This is mainly because the overall security level is only as strong as the weakest link. This chapter proposes a model aiming to holistically assess all dimensions of security in order to minimize the likelihood that a given threat takes advantage of the weakest link. Then a formalized structure taking into account all security elements is presented. The proposed model is based on, and integrates, a number of security best practices and standards that permit the definition of a reliable InfoSec framework. At this point an assessment process should be undertaken, the result of which will be the assurance that InfoSec is adequately managed within the organization. The added value of this model is that it is simple to implement and responds to concrete needs in terms of reliance upon efficient and dynamic evaluation tools and through a coherent evaluation system.

  • A Security Management Assurance Model to Holistically Assess the Information Security Posture
    2009 International Conference on Availability Reliability and Security, 2009
    Co-Authors: Igli Tashi, Solange Ghernaouti-Hélie
    Abstract:

    Managing information security within an organization is becoming a very complex task. The information security posture assessment is performed by using frameworks, methodologies or standards that consider the subject separately. The model proposed within the paper aims to holistically consider all the security dimensions. This is because the security level is as strong as the weakest link. In order to minimize the likelihood that a given threat takes advantage of the weakest link, a formalized structure taking into account all security elements is needed. The proposed model is based on and integrates some security best practices and standards in order to define an assured Information Security Categorization. From this point, an assessment process should be performed, giving the evidence that the information security within a given organization is thoroughly managed.

Thomas P. Dover - One of the best experts on this subject based on the ideXlab platform.

Igli Tashi - One of the best experts on this subject based on the ideXlab platform.

  • Information Security Evaluation - A Holistic Approach
    2011
    Co-Authors: Igli Tashi, Solange Ghernaouti-Hélie
    Abstract:

    Information systems have become a critical element of every organization, emphasizing the need for a reliable and secure ICT infrastructure for companies whose principal asset and added value is information. This book proposes a global and systemic multidimensional integrated approach to the holistic evaluation of the information security posture of an organization. The Information Security Assurance Assessment Model (ISAAM) presented in this book is based on, and integrates, a number of information security best practices, standards, methodologies and sources of research expertise, in order to provide a generic model that can be implemented in organizations of all kinds as part of their efforts towards better governing their information security. This approach will contribute to improving the identification of security requirements, measures and controls. At the same time, it provides a means of enhancing the recognition of evidence related to the assurance, quality and maturity levels of the organisation's security posture, thus driving improved security effectiveness and efficiency.

  • A Security Assurance Model to Holistically Assess the Information Security Posture
    Complex Intelligent Systems and Their Applications, 2010
    Co-Authors: Igli Tashi, Solange Ghernaouti-Hélie
    Abstract:

    Managing Information Security (InfoSec) within an organization is becoming a very complex task. Currently, InfoSec assessment is performed by using frameworks, methodologies, or standards which consider separately the elements related to security. Unfortunately, this is not necessarily effective because it does not take into consideration the necessity of having a global and systemic, multidimensional approach to ICT security evaluation. This is mainly because the overall security level is only as strong as the weakest link. This chapter proposes a model aiming to holistically assess all dimensions of security in order to minimize the likelihood that a given threat takes advantage of the weakest link. Then a formalized structure taking into account all security elements is presented. The proposed model is based on, and integrates, a number of security best practices and standards that permit the definition of a reliable InfoSec framework. At this point an assessment process should be undertaken, the result of which will be the assurance that InfoSec is adequately managed within the organization. The added value of this model is that it is simple to implement and responds to concrete needs in terms of reliance upon efficient and dynamic evaluation tools and through a coherent evaluation system.

  • A Security Management Assurance Model to Holistically Assess the Information Security Posture
    2009 International Conference on Availability Reliability and Security, 2009
    Co-Authors: Igli Tashi, Solange Ghernaouti-Hélie
    Abstract:

    Managing information security within an organization is becoming a very complex task. The information security posture assessment is performed by using frameworks, methodologies or standards that consider the subject separately. The model proposed within the paper aims to holistically consider all the security dimensions. This is because the security level is as strong as the weakest link. In order to minimize the likelihood that a given threat takes advantage of the weakest link, a formalized structure taking into account all security elements is needed. The proposed model is based on and integrates some security best practices and standards in order to define an assured Information Security Categorization. From this point, an assessment process should be performed, giving the evidence that the information security within a given organization is thoroughly managed.

Dong Seong Kim - One of the best experts on this subject based on the ideXlab platform.

  • Security modelling and assessment of modern networks using time independent Graphical Security Models
    Journal of Network and Computer Applications, 2019
    Co-Authors: Simon Yusuf Enoch, Jin B. Hong, Dong Seong Kim
    Abstract:

    Graphical Security Models (GSMs), such as an Attack Graph, are used to assess the security of networks, but they are often limited to assessing the security of a given network state (i.e., a snapshot at the current time). To address this issue, we develop a GSM named Time-independent Hierarchical Attack Representation Model (TI-HARM), which analyses the security of multiple network states combined, taking into account the time duration of each network state and the visibility of the network components (e.g., hosts and edges). Also, we develop a new security rating system for dynamic networks to evaluate the changing security posture. Lastly, we present an approach that utilises the functionalities of the TI-HARM to compute global optimal defence solutions for dynamic networks. Our experimental results show that the TI-HARM can model and analyse the security of multiple states of dynamic networks, which existing GSMs mostly assume to be static. Also, we found that the TI-HARM can be used to effectively compute the global optimal security solutions compared to existing models that only focus on local optimal solutions. Therefore, our proposed approach could be used to aid security administrators in understanding the security posture of dynamic networks better and in enhancing security while taking into account multiple changes in dynamic networks.

  • TrustCom/BigDataSE/ICESS - Evaluating the Effectiveness of Security Metrics for Dynamic Networks
    2017 IEEE Trustcom BigDataSE ICESS, 2019
    Co-Authors: Simon Enoch Yusuf, Jin B. Hong, Hani Alzaid, Dong Seong Kim
    Abstract:

    It is difficult to assess the security of modern enterprise networks because they are usually dynamic, with configuration changes (such as changes in topology, firewall rules, etc.). Graphical security models (e.g., Attack Graphs and Attack Trees) and security metrics (e.g., attack cost, shortest attack path) are widely used to systematically analyse the security posture of network systems. However, there are problems using them to assess the security of dynamic networks. First, the existing graphical security models are unable to capture dynamic changes occurring in the networks over time. Second, the existing security metrics are not designed for dynamic networks, such that their effectiveness with respect to dynamic changes in the network is still unknown. In this paper, we conduct a comprehensive analysis via simulations to evaluate the effectiveness of security metrics using a Temporal Hierarchical Attack Representation Model. Further, we investigate the varying effects of security metrics when changes are observed in the dynamic networks. Our experimental analysis shows that different security metrics exhibit varying security posture changes with respect to changes in the network.

  • A Systematic Approach to Threat Modeling and Security Analysis for Software Defined Networking
    IEEE Access, 2019
    Co-Authors: Taehoon Eom, Jin B. Hong, Jong Sou Park, Dong Seong Kim
    Abstract:

    Software Defined Networking (SDN) extends the capabilities of existing networks by providing various functionalities, such as flexible networking controls. However, there are many security threat vectors in SDN, including existing and emerging ones arising from new functionalities, that may hinder the use of SDN. To tackle this problem, many countermeasures have been developed to mitigate various threats faced in SDN. However, their effectiveness must be analyzed and compared to fully understand how the security posture of SDN changes when a countermeasure is adopted. Also, it becomes difficult to optimize the security of SDN without using a systematic approach to evaluate the security posture of SDN. In this paper, we propose a novel framework to systematically model and analyze the security posture of SDN. We develop a novel graphical security model formalism named Threat Vector Hierarchical Attack Representation Model (TV-HARM), which provides a systematic approach to evaluate threats, attacks and countermeasures for SDN. The TV-HARM captures different threats and their combinations, enabling security risk assessment of SDN. In addition, we define three new security metrics to represent the security of SDN. Our experimental results showed that the proposed security assessment framework can capture and evaluate various security threats to SDN, demonstrating the applicability and feasibility of the proposed framework.