<?xml version="1.0" encoding="utf-8" ?>
<rss version="2.0">
<channel>
<title>Australian Information Security Management Conference</title>
<copyright>Copyright (c) 2013 Edith Cowan University All rights reserved.</copyright>
<link>http://ro.ecu.edu.au/ism</link>
<description>Recent documents in Australian Information Security Management Conference</description>
<language>en-us</language>
<lastBuildDate>Tue, 16 Apr 2013 13:54:30 PDT</lastBuildDate>
<ttl>3600</ttl>








<item>
<title>Territorial Behavior and the Economics of Botnets</title>
<link>http://ro.ecu.edu.au/ism/149</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/ism/149</guid>
<pubDate>Tue, 19 Feb 2013 00:31:47 PST</pubDate>
<description>
	<![CDATA[
	<p>This paper looks at the economics associated with botnets. This research can be used to calculate territorial sizes for online criminal networks. Looking at the types of systems we can compare the time required to maintain the botnet against the benefits received. In doing this it will be possible to formulate economic defence strategies that reduce the benefits received through the control of the botnet. We look at the decision to be territorial or not from the perspective of the criminal bot-herder. This is extended to an analysis of territorial size. The criminal running a botnet seeks to maximize profit. In doing this they need to analyse the costs expended and the benefits received against the territorial size. The result is a means to calculate the optimal size of the botnet and the expected returns. This information can be used to formulate security strategies that are designed to reduce the profitability of criminal botnets.</p>

	]]>
</description>

<author>Craig S. Wright</author>


</item>






<item>
<title>The Mobile Execution Environment: A Secure and Non-Intrusive Approach to Implement a Bring Your Own Device Policy for Laptops</title>
<link>http://ro.ecu.edu.au/ism/147</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/ism/147</guid>
<pubDate>Tue, 19 Feb 2013 00:31:46 PST</pubDate>
<description>
	<![CDATA[
	<p>Bring Your Own Device (BYOD) has become an established business practice, however the practice can increase an organisation’s information security risks. The implementation of a BYOD policy for laptops must consider how the information security risks can be mitigated or managed. The selection of an appropriate secure laptop software configuration is an important part of the information security risk mitigation/management strategy. This paper considers how a secure laptop software configuration, the Mobile Execution Environment (MEE) can be used to minimise risks when a BYOD policy for laptops is implemented. In this paper the security and business risks associated with the implementation of such a policy are identified and discussed before giving an overview of a range of laptop software configuration options suitable for the implementation of a secure BYOD policy. The design objectives and security requirements of the MEE are enumerated and its key features described. For each identified risk, the MEE features that mitigate/manage the risk are presented. The paper concludes by considering the type of work for which the MEE is most suited and also how the security features of the MEE can be enhanced when the MEE forms part of a secure portable execution and storage environment.</p>

	]]>
</description>

<author>Peter James et al.</author>


</item>






<item>
<title>A Proposed Formula for Comparing Kill Password Effectiveness in Single Password RFID Systems</title>
<link>http://ro.ecu.edu.au/ism/148</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/ism/148</guid>
<pubDate>Tue, 19 Feb 2013 00:31:46 PST</pubDate>
<description>
	<![CDATA[
	<p>The Electronic Product Code standard for RFID systems plays a significant role in worldwide RFID implementations. A feature of the RFID standards has been the RFID Kill command which allows for the "permanent" destruction of an RFID tag through the issuing of a simple command. Whilst the inclusion of this command may be vital for user privacy it also opens up significant avenues for attack. Whilst such attacks may be well documented there has been little to no discussion of the efficacy of the differing mitigation approaches taken. A simple formula to calculate the full timing of such an attack on differing RFID setups is presented. The formula allows for users to model the effect that altering such aspects as timeout or transmission response time will have on RFID security.</p>

	]]>
</description>

<author>Christopher Bolan</author>


</item>






<item>
<title>HARMs: Hierarchical Attack Representation Models for Network Security Analysis</title>
<link>http://ro.ecu.edu.au/ism/146</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/ism/146</guid>
<pubDate>Tue, 19 Feb 2013 00:31:45 PST</pubDate>
<description>
	<![CDATA[
	<p>Attack models can be used to assess network security. Purely graph-based attack representation models (e.g., attack graphs) have a state-space explosion problem. Purely tree-based models (e.g., attack trees) cannot capture the path information explicitly. Moreover, the complex relationship between the host and the vulnerability information in attack models creates difficulty in adjusting to changes in the network, which is impractical for modern large and dynamic network systems. To deal with these issues, we propose hierarchical attack representation models (HARMs). The main idea is to use a two-layer hierarchy to separate the network topology information (in the upper layer) from the vulnerability information of each host (in the lower layer). We compare the HARMs with existing attack models (including attack graph and attack tree) in model complexity in the phases of construction, evaluation and modification.</p>
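	<p>The following is an added illustration and is not code from Hong et al.'s paper: a minimal two-layer HARM in Python. The upper layer is a host reachability graph, the lower layer is one attack tree per host, and an attack path's likelihood is the product of the lower-layer results along it. The topology, the tree shapes and all leaf probabilities are constructed sample data chosen here, not values from the paper; the patch at the end shows the modification property the abstract claims, that changing one host's vulnerabilities touches only that host's lower-layer tree.</p>

```python
# Added example, not from Hong et al.'s paper: a minimal two-layer HARM.
# Upper layer: which hosts can reach which (network topology).
# Lower layer: one attack tree per host over that host's vulnerabilities.
# Topology and leaf probabilities below are constructed sample data.
from typing import Dict, List, Tuple

# Lower-layer node: ("LEAF", p), ("AND", [children]) or ("OR", [children])
Tree = tuple


def tree_prob(node: Tree) -> float:
    """Probability that an attacker compromises the host described by this tree."""
    kind = node[0]
    if kind == "LEAF":
        return node[1]
    child_probs = [tree_prob(c) for c in node[1]]
    if kind == "AND":                       # every child step must succeed
        p = 1.0
        for q in child_probs:
            p *= q
        return p
    if kind == "OR":                        # any single child step suffices
        p_none = 1.0
        for q in child_probs:
            p_none *= 1.0 - q
        return 1.0 - p_none
    raise ValueError(f"unknown node kind {kind!r}")


def attack_paths(graph: Dict[str, List[str]], source: str, target: str) -> List[List[str]]:
    """All simple paths source -> target in the upper layer (DFS, no host revisited)."""
    paths: List[List[str]] = []

    def dfs(host: str, path: List[str]) -> None:
        if host == target:
            paths.append(list(path))
            return
        for nxt in graph.get(host, []):
            if nxt not in path:
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(source, [source])
    return paths


def path_prob(path: List[str], trees: Dict[str, Tree]) -> float:
    """The attacker must compromise every host on the path after the starting point."""
    p = 1.0
    for host in path[1:]:
        p *= tree_prob(trees[host])
    return p


def most_likely_path(graph, trees, source, target) -> Tuple[List[str], float]:
    best = max(attack_paths(graph, source, target), key=lambda pth: path_prob(pth, trees))
    return best, path_prob(best, trees)


def patched_trees(trees: Dict[str, Tree], host: str, new_tree: Tree) -> Dict[str, Tree]:
    """A vulnerability change only replaces one host's lower-layer tree; the upper layer is untouched."""
    out = dict(trees)
    out[host] = new_tree
    return out


# Constructed sample network: attacker -> web -> db and attacker -> web -> app -> db
SAMPLE_GRAPH = {
    "attacker": ["web"],
    "web": ["db", "app"],
    "app": ["db"],
    "db": [],
}
SAMPLE_TREES = {
    "web": ("OR", [("LEAF", 0.5), ("LEAF", 0.2)]),   # two independent ways in
    "app": ("LEAF", 0.9),
    "db": ("AND", [("LEAF", 0.5), ("LEAF", 0.8)]),   # needs both credentials and a reachable port
}

if __name__ == "__main__":
    print(most_likely_path(SAMPLE_GRAPH, SAMPLE_TREES, "attacker", "db"))
    fixed = patched_trees(SAMPLE_TREES, "web", ("OR", [("LEAF", 0.0), ("LEAF", 0.2)]))
    print(most_likely_path(SAMPLE_GRAPH, fixed, "attacker", "db"))
```

	<p>Because the upper layer is only a host graph, its size does not grow with the number of vulnerabilities per host, and evaluating or re-evaluating a host after a patch is a local change to one tree.</p>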

	]]>
</description>

<author>Jin Hong et al.</author>


</item>






<item>
<title>Implementing a Secure Academic Grid System - A Malaysian Case</title>
<link>http://ro.ecu.edu.au/ism/144</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/ism/144</guid>
<pubDate>Tue, 19 Feb 2013 00:31:44 PST</pubDate>
<description>
	<![CDATA[
	<p>Computational grids have become very popular in recent times due to their capabilities and flexibility in handling large computationally intensive jobs. When it comes to the implementation of practical grid systems, security plays a major role due to the confidentiality of the information handled and the nature of the resources employed. Also, due to the complex nature of grid operations, grid systems face unique security threats compared to other distributed systems. This paper describes how to implement a secure grid system with special emphasis on the steps to be followed in obtaining, implementing and testing PKI certificates.</p>

	]]>
</description>

<author>Mohd Samsu Sajat et al.</author>


</item>






<item>
<title>Does the Android Permission System Provide Adequate Information Privacy Protection for End-Users of Mobile Apps?</title>
<link>http://ro.ecu.edu.au/ism/145</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/ism/145</guid>
<pubDate>Tue, 19 Feb 2013 00:31:44 PST</pubDate>
<description>
	<![CDATA[
	<p>This paper investigates the Android permission system and its adequacy in alerting end-users of potential information privacy risks in an app. When an end-user seeks to install an app, they are presented with the required permissions and make a supposedly informed decision as to whether to install that app based on the permissions presented. The results from an analysis of ten popular apps indicate a number of permissions that pose potential information privacy risks of which most end-users are likely to be unaware. The Android permission system is complex and difficult for end-users to comprehend and effectively evaluate the potential information privacy and security risks in an app. Most end-users will install the app without evaluating the list of required permissions presented to them. Furthermore there is an inconsistent approach to informing end-users about the privacy policy and terms of use for Android apps. The findings of this paper indicate a need for better decision support apps so end-users can more easily make better decisions regarding privacy and security protection provided by apps. Future research should also examine the free market failure of mobile application market places to provide adequate privacy protection and the need for stronger privacy protection laws.</p>

	]]>
</description>

<author>Michael Lane</author>


</item>






<item>
<title>The Security Challenges and Countermeasures of Virtual Cloud</title>
<link>http://ro.ecu.edu.au/ism/143</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/ism/143</guid>
<pubDate>Tue, 19 Feb 2013 00:31:43 PST</pubDate>
<description>
	<![CDATA[
	<p>The adoption of cloud computing is on the rise these days, due to the various effects that it has on enterprise, as it allows users to have scalable infrastructure and economic benefits, which is indeed a way to encourage any enterprise to opt for such a service. Cloud computing offers a whole new paradigm that allows users to have high-end and scalable infrastructure at an affordable cost and without even the need to manage the inventory. The interesting part of cloud computing is that it offers three platforms to choose from, IaaS, PaaS and SaaS; these three platforms together form cloud computing. Out of these three platforms, the interesting one is IaaS (Infrastructure as a Service), which allows users to have ‘on the fly’ infrastructure. Although IaaS offers great benefits to users, the complexity in its structure opens doors to unseen and forcible threats to the security of the data and to cloud computing. In this paper, the authors propose countermeasures to secure the cloud computing IaaS virtual platform by a High Trust Zone. The proposed solution would minimise the threats to the virtualised infrastructure of the cloud by binding the VMs (Virtual Machines) in one trusted zone; irrespective of the users’ applications and security policy, this zone will provide the utmost protection to the other running VMs and devices of the physical host, such as memory, hardware, etc. The authors believe that by using the proposed solution (High Trust Zone), it can offer pre-emptive protection towards complex and dynamic cloud virtual infrastructure.</p>

	]]>
</description>

<author>Bhupesh Mansukhani et al.</author>


</item>






<item>
<title>Experimenting with Anomaly Detection by Mining Large-Scale Information Networks</title>
<link>http://ro.ecu.edu.au/ism/141</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/ism/141</guid>
<pubDate>Tue, 19 Feb 2013 00:31:42 PST</pubDate>
<description>
	<![CDATA[
	<p>Social networks have formed the basis of many studies into large network analysis. Whilst much is already known regarding efficient algorithms for large network analysis, data mining, knowledge diffusion, anomaly detection and viral marketing, to mention a few, more recent research is focusing on new classes of efficient approximate algorithms that can scale to billions of nodes and edges. To this end, this paper presents an extension of an algorithm developed originally to analyse large scale-free autonomic networks called the Global Observer Model. In this paper, the algorithm is studied in the context of monitoring large-scale information networks. Hence, taking into account the size of such networks, the proposed algorithm starts by partitioning the graph using structural network metrics. This is followed by a calculation of the graph nodes’ metrics, which are used to select from the original graph a subset of nodes to be monitored. The paper is organised as follows: it will outline the problem definition and algorithm, then will proceed to a brief description of an event and signature based model used to instrument monitored nodes. Finally, the paper will conclude with an evaluation using an infection detection scenario, which will be followed by a general discussion and proposed further work.</p>

	]]>
</description>

<author>A. Taleb-Bendiab</author>


</item>






<item>
<title>Exposing Potential Privacy Issues with IPv6 Address Construction</title>
<link>http://ro.ecu.edu.au/ism/142</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/ism/142</guid>
<pubDate>Tue, 19 Feb 2013 00:31:42 PST</pubDate>
<description>
	<![CDATA[
	<p>The usage of 128-bit addresses with hexadecimal representation in IPv6 poses significant potential privacy issues. This paper discusses the means of allocating IPv6 addresses, along with the implications each method may have upon privacy in different usage scenarios. The division of address space amongst the global registries in a hierarchical fashion can provide geographical information about the location of an address, and its originating device. Many IPv6 address configuration methods are available, including DHCPv6, SLAAC (with or without privacy extensions), and manual assignment. These assignment techniques are dissected to expose the identifying characteristics of each technique. It is seen that use of the modified EUI-64 in SLAAC can allow agents to simply decipher an interface’s MAC address over layer 3 communications, whilst discernible patterns can be used to identify the presence of DHCPv6 or manual address assignment. Additionally, the frequency and lifetime of unique addresses originating from a single network prefix may allude to privacy addresses in use within the network. Together these issues pose a risk to the privacy of IPv6 users, as it may allow for tracking of users of portable network devices.</p>
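	<p>The following is an added illustration, not code from Carpene et al.'s paper: it shows the modified EUI-64 leak the abstract describes by decoding the MAC address back out of a SLAAC interface identifier (undoing the universal/local bit flip and removing the ff:fe padding), and runs that check over a constructed list of addresses. The addresses are sample data made up for this example, and the "small IID means manual assignment" rule in <code>classify</code> is a heuristic assumption of this example, not a finding of the paper.</p>

```python
# Added example, not from Carpene et al.'s paper: recover a MAC address from a
# SLAAC modified-EUI-64 interface identifier and flag which addresses in a
# constructed capture expose one. Addresses below are constructed sample data.
import ipaddress
from typing import Dict, Iterable, Optional


def interface_id(addr: str) -> bytes:
    """Low 64 bits of an IPv6 address (the interface identifier)."""
    return ipaddress.IPv6Address(addr).packed[8:]


def mac_from_eui64(addr: str) -> Optional[str]:
    """Return the 48-bit MAC encoded in a modified-EUI-64 IID, or None if not EUI-64 shaped."""
    iid = bytearray(interface_id(addr))
    if iid[3:5] != b"\xff\xfe":     # EUI-64 pads the 48-bit MAC with ff:fe in the middle
        return None
    iid[0] ^= 0x02                   # undo the universal/local bit inversion
    mac = bytes(iid[0:3]) + bytes(iid[5:8])
    return ":".join(f"{b:02x}" for b in mac)


def oui(mac: str) -> str:
    """Vendor (OUI) part of a MAC: the first three octets, enough to identify the maker."""
    return mac[:8]


def classify(addr: str) -> str:
    """Label how an address was probably formed; only the EUI-64 case is a definite identification."""
    if mac_from_eui64(addr) is not None:
        return "slaac-eui64 (MAC exposed)"
    iid = interface_id(addr)
    # Assumption of this example: a very small IID (e.g. ::1, ::53) is typical of hand assignment.
    if int.from_bytes(iid, "big") < 0x10000:
        return "likely manual"
    return "opaque IID (privacy extension, DHCPv6 or manual)"


def expose_macs(addrs: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map every observed address to the MAC it leaks, or None."""
    return {a: mac_from_eui64(a) for a in addrs}


# Constructed sample capture (not real traffic)
SAMPLE_CAPTURE = [
    "2001:db8:1::211:22ff:fe33:4455",   # SLAAC EUI-64 built from MAC 00:11:22:33:44:55
    "2001:db8:1::8a2e:370:7334:1234",   # randomised IID, as with privacy extensions
    "2001:db8:1::53",                   # tiny IID, hand-assigned
]

if __name__ == "__main__":
    for a in SAMPLE_CAPTURE:
        print(a, "->", classify(a), mac_from_eui64(a))
```

	<p>The same IID follows the device onto every network it joins, so a MAC recovered this way is a stable identifier across prefixes; privacy extensions (RFC 4941) avoid this by randomising the IID.</p>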

	]]>
</description>

<author>Clinton Carpene et al.</author>


</item>






<item>
<title>An Investigation into the Wi-Fi Protected Setup PIN of the Linksys WRT160N v2</title>
<link>http://ro.ecu.edu.au/ism/140</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/ism/140</guid>
<pubDate>Tue, 19 Feb 2013 00:31:41 PST</pubDate>
<description>
	<![CDATA[
	<p>Wi-Fi Protected Setup (WPS) is a method of allowing a consumer to set up a secure wireless network in a user friendly way. However, in December 2011 it was discovered that a brute force attack exists that reduces the WPS key space from 10<sup>8</sup> to 10<sup>4</sup> + 10<sup>3</sup>. This resulted in a proof of concept tool that was able to search all possible combinations of PINs within a few days. This research presents a methodology to test wireless devices to determine their susceptibility to the external registrar PIN authentication design vulnerability. A number of devices were audited, and the Linksys WRT160N v2 router was selected to be examined in detail. The results demonstrate that the router is highly susceptible to having its WPS PIN brute forced. It also details that even with WPS disabled in the router configuration, WPS was still active and the PIN was equally vulnerable.</p>
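	<p>The following is an added illustration and is not code from Aked et al.'s paper or their audit tool. It shows where the 10<sup>4</sup> + 10<sup>3</sup> figure comes from: the eighth PIN digit is a checksum of the first seven (so only 10<sup>7</sup> PINs are valid), and an external registrar learns separately whether the first four digits and the last four digits verified, so the two halves can be searched independently. The checksum rule is the one WPS specifies; the oracle functions stand in for the M4/M6 failure responses of a susceptible access point and the secret PIN is constructed sample data, not a value from the paper.</p>

```python
# Added example, not from Aked et al.'s paper: the WPS checksum digit and the
# split (half-by-half) PIN search that shrinks the key space to 10^4 + 10^3.
# The secret PIN and the oracles below are constructed stand-ins for a
# susceptible access point; nothing here talks to real hardware.
from typing import Callable, Optional, Tuple


def wps_checksum(first7: int) -> int:
    """Checksum (8th) digit for a 7-digit WPS PIN body, per the WPS specification."""
    accum = 0
    pin = first7
    while pin:
        accum += 3 * (pin % 10)   # digits 7, 5, 3, 1 carry weight 3
        pin //= 10
        accum += pin % 10         # digits 6, 4, 2 carry weight 1
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin8: str) -> bool:
    """True if the 8-digit PIN has a correct checksum digit."""
    if len(pin8) != 8 or not pin8.isdigit():
        return False
    return wps_checksum(int(pin8[:7])) == int(pin8[7])


def naive_search_space() -> int:
    return 10 ** 8            # what an attacker faces if the whole PIN is checked at once


def split_search_space() -> int:
    return 10 ** 4 + 10 ** 3  # 4 free digits, then 3 free digits plus the derived checksum


def make_oracles(secret_pin: str) -> Tuple[Callable[[str], bool], Callable[[str], bool]]:
    """Model a susceptible AP: it reveals whether each half of the PIN verified."""
    def first_half_ok(half4: str) -> bool:
        return half4 == secret_pin[:4]

    def second_half_ok(full8: str) -> bool:
        return full8[4:] == secret_pin[4:]

    return first_half_ok, second_half_ok


def brute_force(first_half_ok: Callable[[str], bool],
                second_half_ok: Callable[[str], bool]) -> Tuple[Optional[str], int]:
    """Split attack: fix the first half, then search the second half; returns (pin, attempts)."""
    attempts = 0
    first = None
    for i in range(10_000):
        attempts += 1
        cand = f"{i:04d}"
        if first_half_ok(cand):
            first = cand
            break
    if first is None:
        return None, attempts
    for j in range(1_000):                   # only 3 digits are free in the second half
        attempts += 1
        body = f"{first}{j:03d}"
        cand = body + str(wps_checksum(int(body)))
        if second_half_ok(cand):
            return cand, attempts
    return None, attempts


if __name__ == "__main__":
    SECRET = "12345670"                      # constructed sample PIN with a valid checksum
    pin, tries = brute_force(*make_oracles(SECRET))
    print(pin, tries, "of at most", split_search_space(), "vs", naive_search_space())
```

	<p>The worst case is 11,000 attempts rather than 100,000,000; rate limiting or lockout after a handful of failed M4/M6 exchanges is the only way an access point can make the split search expensive again, which is why a device that keeps answering WPS requests after the feature is "disabled" remains fully exposed.</p>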

	]]>
</description>

<author>Symon Aked et al.</author>


</item>






<item>
<title>Human-Readable Real-Time Classifications of Malicious Executables</title>
<link>http://ro.ecu.edu.au/ism/138</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/ism/138</guid>
<pubDate>Tue, 19 Feb 2013 00:31:40 PST</pubDate>
<description>
	<![CDATA[
	<p>Shafiq et al. (2009a) propose a non–signature-based technique for detecting malware which applies data mining techniques to features extracted from executable files. Their technique has a high level of accuracy, a low false positive rate, and a speed on par with commercial anti-virus products. One portion of their technique uses a multi-layer perceptron as a classifier, which provides little insight into the reasons for classification. Our experience is that network security analysts prefer tools which provide human-comprehensible reasons for a classification, rather than operating as “black boxes”. We therefore build on the results of Shafiq et al. by demonstrating a technique which uses decision trees to distinguish packed from non-packed files, producing a classification diagram which can be understood by analysts. We show that the resulting detector still provides high accuracy and classifies files rapidly.</p>

	]]>
</description>

<author>Anselm Teh et al.</author>


</item>






<item>
<title>Web-Based Risk Analysis for Home Users</title>
<link>http://ro.ecu.edu.au/ism/139</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/ism/139</guid>
<pubDate>Tue, 19 Feb 2013 00:31:40 PST</pubDate>
<description>
	<![CDATA[
	<p>The advancement of the Internet has provided access to a wide variety of online services such as banking, e-commerce, social networking and entertainment. The wide availability and popularity of the Internet has also led to the rise in risks and threats to users, as criminals have taken an increasingly active role in abusing innocent users. Current risk analysis tools, techniques and methods available do not cater for home users but are tailored for large organisations. The tools require expertise to use them and they are expensive to purchase. What is available for home users are generic information portals that provide a whole host of awareness raising information, much of which will have varying degrees of usefulness depending upon the particular individual, their technology usage and prior knowledge. As such, a tool is required that can bridge the gap between bespoke risk assessment approaches that provide tailored information and broad-spectrum approaches that simply provide all information regardless of its relevance. The paper proposes a web-based risk analysis tool for home users that is simple to use, requires no prior knowledge or expertise of security and can provide bespoke and tailored guidance on improving a user’s security posture. The tool follows a simple step procedure for gathering key asset and behavioural information to inform the risk profiling process. A prototype was developed and evaluated by a sample of home users and 93% of the participants found the tool to be helpful and very informative.</p>

	]]>
</description>

<author>R. T. Magaya et al.</author>


</item>






<item>
<title>An Information Security Awareness Capability Model (ISACM)</title>
<link>http://ro.ecu.edu.au/ism/137</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/ism/137</guid>
<pubDate>Tue, 19 Feb 2013 00:31:39 PST</pubDate>
<description>
	<![CDATA[
	<p>A lack of information security awareness within some parts of society as well as some organisations continues to exist today. Whilst we have emerged from the threats of the late 1990s of viruses such as Code Red and Melissa, through to the phishing emails of the mid-2000s and the financial damage some such as the Nigerian scam caused, we continue to react poorly to new threats such as demanding money via SMS with a promise of death to those who won’t pay. So is this lack of awareness translating into problems within the workforce? There is often a lack of knowledge as to what is an appropriate level of awareness for information security controls across an organisation. This paper presents the development of a theoretical framework and model that combines aspects of information security best practice standards as presented in ISO/IEC 27002 with theories of Situation Awareness. The resultant model is an information security awareness capability model (ISACM). A preliminary survey is being used to develop the Awareness Importance element of the model and will leverage the opinions of information security professionals. A subsequent survey is also being developed to measure the Awareness Capability element of the model. This will present scenarios that test Level 1 situation awareness (perception), Level 2 situation awareness (comprehension) and finally Level 3 situation awareness (projection). Is it time for awareness of information security to now hit the mainstream of society, governments and organisations?</p>

	]]>
</description>

<author>Robert Poepjes et al.</author>


</item>






<item>
<title>Source code embedded (SCEM) security framework</title>
<link>http://ro.ecu.edu.au/ism/135</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/ism/135</guid>
<pubDate>Fri, 15 Jun 2012 00:29:09 PDT</pubDate>
<description>
	<![CDATA[
	<p>Security in the Software Development Life Cycle (SDLC) has become imperative due to the variety of threats posed during and after system design. In this paper we have studied security in system design in general and software development in particular, and have proposed strategies for the integration of security in the SDLC. The paper highlights the need for embedding security from the earliest processes in the SDLC, because patches and controls after software delivery are more expensive to fix. We propose the Source Code EMbedded (SCEM) security framework to improve the design of security policies and standards for the software development process, to ensure security and reliability in government departments such as taxation, auditing, national security, social security and immigration. It is also envisaged that the implementation of the SCEM security framework will ensure commercial and public trust in the software development process within Australia and worldwide, saving enormous redevelopment costs.</p>

	]]>
</description>

<author>Tanveer A. Zia et al.</author>


</item>






<item>
<title>Seeing the full picture: the case for extending security ceremony analysis</title>
<link>http://ro.ecu.edu.au/ism/136</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/ism/136</guid>
<pubDate>Fri, 15 Jun 2012 00:29:09 PDT</pubDate>
<description>
	<![CDATA[
	<p>The concept of the security ceremony was introduced a few years ago to complement the concept of the security protocol with everything about the context in which a protocol is run. In particular, such context involves the human executors of a protocol. When including human actors, human protocols become the focus, hence the concept of the security ceremony can be seen as part of the domain of socio-technical studies. This paper addresses the problem of ceremony analysis lacking the full view of human protocols. This paper categorises existing security ceremony analysis work and illustrates how the ceremony picture could be extended to support a more comprehensive analysis. The paper explores recent weaknesses found on Amazon's web interface to illustrate different approaches to the analysis of the full ceremony picture.</p>

	]]>
</description>

<author>Giampaolo Bella et al.</author>


</item>






<item>
<title>Efficient and expressive fully secure attribute-based signature in the standard model</title>
<link>http://ro.ecu.edu.au/ism/134</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/ism/134</guid>
<pubDate>Fri, 15 Jun 2012 00:29:07 PDT</pubDate>
<description>
	<![CDATA[
	<p>Designing a fully secure (adaptive-predicate unforgeable and perfectly private) attribute-based signature (ABS), which allows a signer to choose a set of attributes instead of a single string representing the signer’s identity, under a standard cryptographic assumption in the standard model is a challenging problem. Existing schemes are either too complicated or only proved in the generic group model. In this paper, we present an efficient fully secure ABS scheme in the standard model based on the q-parallel BDHE assumption, which is more practical than the generic group model used in the previous scheme. To the best of our knowledge, our scheme is the most efficient one among all the previous ABS schemes in the standard model. Moreover, our proposed scheme is highly expressive since it allows any signer to specify claim-predicates in terms of any predicate consisting of AND, OR and Threshold gates over the attributes in the system. ABS has found many important applications in secure communications, such as anonymous authentication systems and attribute-based messaging systems.</p>

	]]>
</description>

<author>Piyi Yang et al.</author>


</item>






<item>
<title>Using checklists to make better best</title>
<link>http://ro.ecu.edu.au/ism/133</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/ism/133</guid>
<pubDate>Fri, 15 Jun 2012 00:29:06 PDT</pubDate>
<description>
	<![CDATA[
	<p>The more routine a task is, the greater the need we see for a checklist. Even the smartest of us can forget where we parked our cars on returning from a long flight. So, the question is, why not create a straightforward checklist that will improve system management and security? In Information Technology operations, the vast majority of skilled people have re-built servers, but in an incident response situation it can be unforgivable to overlook a serious security configuration simply because the stress of the environment causes one to lose track of which stage they were on while being interrupted and multitasking. We show that the use of standard checklists and flowcharts created by the individual make for better results even in daily tasks. This paper presents the results of an experiment into the use of checklists by incident responders. It demonstrates how basic checklists can improve an organisation’s security.</p>

	]]>
</description>

<author>Craig S. Wright et al.</author>


</item>






<item>
<title>Help or hindrance: the practicality of applying security standards in healthcare</title>
<link>http://ro.ecu.edu.au/ism/132</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/ism/132</guid>
<pubDate>Fri, 15 Jun 2012 00:29:05 PDT</pubDate>
<description>
	<![CDATA[
	<p>The protection of patient information is now more important as a national e-health system approaches reality in Australia. The major challenge for health care providers is to understand the importance of information security whilst also incorporating effective protection into established workflow and daily activity. Why then, when it is difficult for IT and security professionals to navigate through and apply the myriad of information security standards, do we expect small enterprises such as primary health care providers to also be able to do this? This is an onerous and impractical task without significant assistance. In the development of the new Computer and Information Security Standards (CISS) for Australian General Practice, a consistent and iterative process for the interpretation and application of international standards was used. This involved both the interpretation of the standards and the application of knowledge to create a practical but acceptable level of security for the primary healthcare environment. From a security perspective such practical application of standards poses the dichotomous challenge (and criticism) of how much security is sufficient versus how much the primary healthcare environment can manage. This paper describes the path of development from standards to implementation using the CISS as an example. It is concluded that more practical assistance is required from the security profession to support the national e-health initiative if Australia is to provide a safe and secure healthcare environment.</p>

	]]>
</description>

<author>Patricia A H Williams</author>


</item>






<item>
<title>Attack vectors against social networking systems: the Facebook example</title>
<link>http://ro.ecu.edu.au/ism/131</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/ism/131</guid>
<pubDate>Fri, 15 Jun 2012 00:29:04 PDT</pubDate>
<description>
	<![CDATA[
	<p>Social networking systems (SNS’s) such as Facebook are an ever evolving and developing means of social interaction, which is not only being used to disseminate information to family, friends and colleagues but as a way of meeting and interacting with "strangers" through the advent of a large number of social applications. The attractiveness of such software has meant a dramatic increase in the number of frequent users of SNS’s and the threats which were once common to the Internet have now been magnified, intensified and altered as the potential for criminal behaviour on SNS’s increases. Social networking sites including Facebook contain a vast amount of personal information, that if obtained could be used for other purposes or to carry out other crimes such as identity theft. This paper will focus on the security threats posed to social networking sites and gain an understanding of these risks by using a security approach known as “attack trees”. This will allow for a greater understanding of the complexity associated with protecting Social Networking systems with a particular focus on Facebook.</p>

	]]>
</description>

<author>Matthew Warren et al.</author>


</item>






<item>
<title>Experimental study of DNS performance</title>
<link>http://ro.ecu.edu.au/ism/130</link>
<guid isPermaLink="true">http://ro.ecu.edu.au/ism/130</guid>
<pubDate>Fri, 15 Jun 2012 00:29:03 PDT</pubDate>
<description>
	<![CDATA[
	<p>An abbreviation for Domain Name System, DNS is a system employed for naming computers and network services. This system is organized into a hierarchical scheme of domains. The naming service provided by DNS is used in TCP/IP networks, such as the Internet, to easily locate computers and services like mail exchanger servers through user-friendly names. When a user enters a DNS name in an application, DNS services resolve this name to other information associated with the name, such as an IP address. This paper presents the evaluation of a DNS server’s performance in an experimental setting to establish the fact that frequent caching of results will improve the response time of queries. It also simulates the client-server DNS model on OPNET. It thus proposes a performance-enhancing model for better throughput, keeping in mind the various execution measures of a DNS server, like parallel requests, traffic distribution and least response time, which were tested on the DNS server.</p>

	]]>
</description>

<author>Ananya Tripathi et al.</author>


</item>





</channel>
</rss>
