-
ABSTRACT: A large part of computer security education is tackling myths that support much of the practice in the field. By examining these myths and the underlying truths or heuristics they reflect, we learn three things. First, students and practitioners learn to separate what is empirically and theoretically supported from what is supported solely by untested anecdotes or handed-down "best practices." Second, a key part of education is the human dimension of convincing others that stories that sound right aren't proven and might in fact be wrong. They aren't necessarily wrong, but this possibility must be considered. Finally, we can consider myths from the perspective of teaching stories, because many evolve from activities that at one time were true or that have some accurate elements.
IEEE Security and Privacy Magazine 07/2010; · 0.90 Impact Factor
-
ABSTRACT: The insider threat problem is increasing, both in terms of the number of incidents and their financial impact. To date, solutions have been developed to detect specific instances of insider attacks (e.g., fraud detection) and therefore use very limited information for input. In this paper we describe an architecture for an enterprise-level solution that incorporates data from multiple sources. The unique aspects of this solution include the prioritization of resources based on the business value of the protected assets, and the use of psychological indicators and language affectation analysis to predict insider attacks. The goal of this architecture is not to detect that insider abuse has occurred, but rather to determine how to prioritize monitoring activities, giving priority to scrutinizing those whose background includes access to key combinations of assets as well as those psychological/other factors that have in the past been associated with malicious insiders.
Technologies for Homeland Security, 2009. HST '09. IEEE Conference on; 06/2009
-
ABSTRACT: This paper presents the application of deception theory to improve the success of client honeypots at detecting malicious web page attacks from infected servers programmed by online criminals to launch drive-by-download attacks. The design of honeypots faces three main challenges: deception, how to design honeypots that seem real systems; counter-deception, techniques used to identify honeypots and hence defeating their deceiving nature; and counter counter-deception, how to design honeypots that deceive attackers. The authors propose the application of a deception model known as the deception planning loop to identify the current status on honeypot research, development and deployment. The analysis leads to a proposal to formulate a landscape of the honeypot research and planning of steps ahead.
Human Computer Interface (HCI) Conference, San Diego; 01/2009
-
ABSTRACT: Client honeypot technology can find malicious web servers that attack web browsers and push malware, so called drive-by-downloads, to the client machine. Merely recording the network traffic is insufficient to perform an efficient forensic analysis of the attack. Custom tools need to be developed to access and examine the embedded data of the network protocols. Once the information is extracted from the network data, it cannot be used to perform a behavioral analysis on the attack, therefore limiting the ability to answer what exactly happened on the attacked system. Implementation of a record/replay mechanism is proposed that allows the forensic examiner to easily extract application data from recorded network streams and allows applications to interact with such data for behavioral analysis purposes. A concrete implementation of such a setup for HTTP and DNS protocols using the HTTP proxy Squid and DNS proxy pdnsd is presented and its effect on digital forensic analysis demonstrated.
4th Annual IFIP WG 11.9 International Conference on Digital Forensics, Kyoto; 01/2008
-
ABSTRACT: There are at least three key decision layers in cost-effective network defense to counter immediate threats: security policies, defense strategies, and real-time defense tactics. A layered decision model (LDM) has been developed to capture the essence of this decision process. The LDM helps decision-makers gain insight into the hierarchical relationships among interconnected entities and decision types that underlie defense goals, and supports the selection of cost-effective defense mechanisms to safeguard computer networks. To be effective as a business tool, it is necessary to validate the rationality of the model before applying it to real-world business cases. LDM rationality requires that a decision making process be consistent and free of blocked execution paths, and be able to produce cost-effective defense plans. This paper describes validation of LDM rationality.
Information Reuse and Integration, 2007. IRI 2007. IEEE International Conference on; 09/2007
-
ABSTRACT: Network safeguarding practices involve decisions in at least three areas: identification of well-defined security policies, selection of cost-effective defense strategies and implementation of real-time defense tactics. Although choices made in each of these three affect the others, many existing decision models handle these three decision areas in isolation. There is no comprehensive tool that can integrate them to provide a single efficient model for safeguarding a network. In addition, there is no clear way to determine which particular combinations of defense decisions result in cost-effective solutions. To address these problems, this paper introduces a layered decision model (LDM) for use in deciding how to address defense decisions based on cost-effectiveness. To illustrate the technique, the LDM model is applied to the design of network defense for a sample e-commerce business. While there is a proliferation of tools for decision support, the connectivity between decisions about security policies, defense strategies and defense tactics is weak and there is no guarantee that these decisions are consistent. It is also hard to tell how a cost decision of one kind (e.g., about goals) affects cost outcomes at another level (e.g., regarding tactics). We present a layered decision model to support consistent, connected decisions at three layers: security policies, defense strategies, and defense tactics, and to balance costs at all layers. The layered decision model (LDM) integrates decisions about security policies, defense strategies and defense tactics in a uniform framework. In addition, this model provides an analytical framework that allows traceability of costs between layers. This framework combines risk assessment, business cost modeling, and cost-benefit analysis which uses return on investment (ROI) analysis. The work in this paper is preliminary, but should provide a good foundation for future work in this area.
Information Reuse and Integration, 2005. IRI 2005. IEEE International Conference on; 09/2005
-
ABSTRACT: As the fall term begins, computer security students expect to buy heavy textbooks filled with equations, information theory, and programs that sort, encipher, and route network packets. Yet, nontechnical classes also have much to offer today's security students. In addition to satisfying general education requirements, such classes provide core background material that explains aspects of computer security that most technical courses overlook.
IEEE Security and Privacy Magazine 08/2005; · 0.90 Impact Factor
-
ABSTRACT: NIST special publication 800-50 outlines standards for the development and implementation of security awareness training (Wilson and Hash, 2003). Recognizing that the "people factor" is the weakest link, NIST recommends that all users of any information system be made aware of their roles and responsibilities in maintaining security (Wilson and Hash, 2003). Further, to be effective, any awareness event should be designed for the intended audience, built around a message and desired outcomes, and gain attention (Wilson and Hash, 2003). Such a security awareness event was conducted for the business community leadership in Seattle, Washington. The purpose was to alert them to the risks of identity theft through misuse of online search engines. The means adopted for focusing attention was a Google-hacking contest. Based on observations of this trial, the authors suggest that a security awareness program, based on NIST standards, can be effective, not only for organizations, but for specifically defined communities, as well. This paper describes the event, the outcomes and the authors' conclusions. The approach presented in this paper could be repeatable in any community for a variety of purposes.
Information Assurance Workshop, 2005. IAW '05. Proceedings from the Sixth Annual IEEE SMC; 07/2005
-
ABSTRACT: Active response is a sequence of actions performed specifically to mitigate a detected threat. Response decisions always follow detection: a decision to take 'no action' remains a response decision. However, active response is a complex subject that has received insufficient formal attention. To facilitate discussion, this paper provides a framework that proposes a common definition, describes the role of response and the major issues surrounding response choices, and finally, provides a model for the process of response. This provides a common starting point for discussion of the full response continuum as an integral part of contemporary computer security.
Information Assurance Workshop, 2005. IAW '05. Proceedings from the Sixth Annual IEEE SMC; 07/2005
-
ABSTRACT: We ask how one should invest one's time and money in a lifelong learning program, and if hiring personnel, what training and expertise should be looked for. In this article, we discuss general professional certifications and compare and contrast them with a bachelor's degree to help decide which is most appropriate.
IEEE Security and Privacy Magazine 12/2004; · 0.90 Impact Factor
-
ABSTRACT: A major emerging trend in security education is in curriculum development. We begin with a high-level view of community venues for gatherings within and between the security and privacy community and its supporters.
IEEE Security and Privacy Magazine 10/2004; · 0.90 Impact Factor
-
ABSTRACT: As summer draws to an end, faculty and students turn their attention to academic planning. This used to be a very tough task - faculty developed most of their materials from scratch. Now, rather than a handful of items to draw on when planning a security and privacy course, there is a plethora of sample syllabi, textbooks, and other supportive materials. The question is: where are they? For all the busy academics out there readying their courses, and the students who are about to join you, we have written the article, with help from the Centers of Excellence in Information Assurance Education, in the hope that it will make your preparations a trifle less hectic.
IEEE Security and Privacy Magazine 08/2004; · 0.90 Impact Factor
-
ABSTRACT: In the emerging discipline of survivability, defined as the "ability of a system to fulfil its mission, in a timely manner, in the presence of attacks, failures and accidents", the CERT Coordination Center has implicitly institutionalized the concept of a never-ending, escalating computer security arms race. While previous point solutions, such as PKIs, VPNs and firewalls, focused on blocking attacks, survivability reflects the inevitability of experiencing attacks and the need to recover quickly. CERT's 3R model (resistance, recognition, and recovery) describes survivability strategies. Increasing intruder accountability by increasing legal consequences will inhibit the escalation of the hacker arms race. This is reflected in CERT's model for computer security strategies by adding a fourth R, redress, to CERT's 3R model.
Information Assurance Workshop, 2004. Proceedings from the Fifth Annual IEEE SMC; 07/2004
-
B. Endicott-Popovsky, D. Dittrich, A. Phillips, D. Frincke, J. Chavez, W.J. Gibbons, D. Nguyen, C. Seifert, A. Shephard, C. Abate, S. Loveland
ABSTRACT: During 2003-2004, the University of Washington (UW) and Seattle University (SU) collaborated to build a system for cataloging compromised system images under the auspices of the Pacific Northwest Honeynet (PNW-honeynet) which is a Honeynet Project Research Alliance member group. The idea grew from the Honeynet Project's 'Forensic Challenge', a project designed to raise awareness, teach and inform those tasked with responding to threats of malicious network intrusion. Since teaching from evidence of actual incidents is far more powerful than the traditional approach of using contrived workbook exercises, the Manuka project called for the creation of a database that would store compromised system images for use in incident response and computer forensic courses. This is a case study of that development process, identifying the unique challenges overcome in completing Manuka by June, 2004. As an open source product that will be made available to the research and teaching community, it is hoped that through this paper interest will be stimulated to provide these researchers further ideas for use and enhancement.
Information Assurance Workshop, 2004. Proceedings from the Fifth Annual IEEE SMC; 07/2004
-
ABSTRACT: Robust programming aims to prevent abnormal termination or unexpected actions and requires code to handle bad (invalid or absurd) inputs in a way that is consistent with the developer's intent. For example, if an internal error occurs, the program might terminate gracefully rather than simply failing, providing enough information for the programmer to debug the program and avoiding giving the user additional access or information. This article focuses on teaching these principles.
IEEE Security and Privacy Magazine 04/2004; 2(2):54- 57. · 0.90 Impact Factor
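The robust-programming rule in the abstract above (refuse invalid or absurd input deliberately, fail the way the developer intended, and give the user neither extra information nor extra access) is shown below as an added Python example. It is not code from the article; the `name:uid:role` record format, the limits and the helper names are assumptions made for the illustration. The detailed reason for each rejection goes to the log for the developer, while the caller only learns that records were rejected, so a malformed line cannot be used to probe what the parser accepts.

```python
"""Robust input handling: reject bad input explicitly, fail closed, and keep
diagnostic detail out of the user-facing error.

Added example; the record format, limits and helper names are assumptions,
not anything from the article being described.
"""
import logging
from dataclasses import dataclass

log = logging.getLogger("robust_demo")

# Constructed constraints for the hypothetical "name:uid:role" record format.
MAX_LINE_LEN = 256
MAX_NAME_LEN = 32
UID_RANGE = range(0, 65536)
ALLOWED_ROLES = frozenset({"user", "operator", "admin"})


class InvalidRecord(ValueError):
    """Raised for any input the parser refuses; the message is for the log only."""


@dataclass(frozen=True)
class Record:
    name: str
    uid: int
    role: str


def parse_record(line: str) -> Record:
    # Bound the input size before doing any further work on it.
    if not isinstance(line, str) or len(line) > MAX_LINE_LEN:
        raise InvalidRecord("line missing or too long")
    parts = line.rstrip("\n").split(":")
    if len(parts) != 3:
        raise InvalidRecord(f"expected 3 fields, got {len(parts)}")
    name, uid_text, role = parts
    if not name or len(name) > MAX_NAME_LEN or not name.isascii() or not name.isalnum():
        raise InvalidRecord("name is empty, too long, or not alphanumeric ASCII")
    # int() accepts "+1", " 1" and "1_000"; require plain digits so odd
    # spellings (including negative numbers) are refused rather than coerced.
    if not uid_text.isdigit():
        raise InvalidRecord(f"uid is not a decimal integer: {uid_text!r}")
    uid = int(uid_text)
    if uid not in UID_RANGE:
        raise InvalidRecord(f"uid {uid} outside allowed range")
    if role not in ALLOWED_ROLES:
        raise InvalidRecord(f"unknown role {role!r}")
    return Record(name, uid, role)


def load_records(lines):
    """Parse many lines and return (records, user_message).

    Detailed reasons go to the log for the developer; the caller gets only a
    count and a generic message, never parser internals or the offending value.
    """
    records = []
    rejected = 0
    for lineno, line in enumerate(lines, 1):
        try:
            records.append(parse_record(line))
        except InvalidRecord as exc:
            rejected += 1
            log.warning("line %d rejected: %s", lineno, exc)
    if rejected:
        return records, f"{rejected} record(s) were rejected; see server log"
    return records, "ok"


# Constructed sample input mixing one valid line with invalid and absurd ones.
SAMPLE = [
    "alice:1000:user",
    "bob:-5:admin",             # negative uid
    "carol:99999999999:user",   # absurd uid
    "dave:1001",                # missing field
    "eve:1002:root",            # role not in the allow-list
    "mallory:1003:operator:x",  # extra field
    "x" * 300,                  # oversize line
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    records, message = load_records(SAMPLE)
    print(records, message)
```

Running the block accepts only the first line; the other six are logged with their specific reason and the caller sees a single generic count.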
-
B. Endicott-Popovsky, D. Dittrich, A. Phillips, D. Frincke, J. Chavez, W.J. Gibbons, D. Nguyen, C. Seifert, A. Shephard, C. Abate, S. Loveland
ABSTRACT: During 2003-2004, the University of Washington (UW) and Seattle University (SU) collaborated to build a system for cataloging compromised system images under the auspices of the Pacific Northwest Honeynet (PNW-honeynet) which is a Honeynet Project Research Alliance member group. The idea grew from the Honeynet Project's 'Forensic Challenge,' a project designed to raise awareness, teach and inform those tasked with responding to threats of malicious network intrusion. Since teaching from evidence of actual incidents is far more powerful than the traditional approach of using contrived workbook exercises, the Manuka project called for the creation of a database that would store compromised system images for use in Incident Response and Computer Forensic courses. This is a case study of that development process, identifying the unique challenges overcome in completing Manuka by June, 2004. As an open source product that will be made available to the research and teaching community, it is hoped that through this paper interest will be stimulated to provide these researchers further ideas for use and enhancement.
IEEE Workshop on Information Assurance, West Point; 01/2004
-
D. Frincke
ABSTRACT: Security knowledge in all fields has historically been a double-edged sword. The information that makes it possible to protect a system, an activity, or a person, is also the information that can be used to harm that system, that activity, that person. How knowledge is used, and the opinions of whoever is judging that use, makes the difference. The debate regarding appropriate teaching philosophies for security educators is a longstanding one, with modern battle lines drawn primarily around two philosophies: defense assurance and attack understanding. Most educators fall somewhere in between these perspectives.
IEEE Security and Privacy Magazine 06/2003; · 0.90 Impact Factor
-
ABSTRACT: Redundancy, on which fault tolerance is based, can be achieved through hardware, software, information and time. With respect to different version outputs from redundant software versions, voting strategies are separated into two classes. Voting strategies are either based on output classification, partitioning of the outputs, or on convergence functions. The traditional equivalence relation does not enable gradual comparisons below the fixed threshold. Fuzzy extension of classical numerical equivalence relation, proposed in the paper, overcomes those potential problems. Test examples are graphically illustrated.
Industrial Electronics Society, 2001. IECON '01. The 27th Annual Conference of the IEEE; 02/2001
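To make the abstract's point concrete, the added Python example below places a crisp threshold voter beside a fuzzy-equivalence voter over the outputs of three redundant software versions. It is an illustration written for this page, not the paper's own code: the triangular membership function, the rule that each version contributes its membership degree as vote support, and the quorum value are assumptions chosen to show why a graded relation can still reach a decision when every pair of outputs falls just outside a fixed threshold, while refusing to decide when the outputs are genuinely divergent.

```python
"""Majority voting over redundant software version outputs: a classical
threshold voter beside a fuzzy-equivalence voter.

Added illustration, not the paper's own code. The triangular membership
function, the support rule and the quorum are assumptions made for the demo;
the paper's actual fuzzy relation may differ.
"""
from typing import List, Optional, Tuple


def classical_equivalent(a: float, b: float, threshold: float) -> bool:
    """Crisp relation: two outputs agree iff their distance is within threshold."""
    return abs(a - b) <= threshold


def fuzzy_equivalence(a: float, b: float, spread: float) -> float:
    """Graded relation in [0, 1]: 1.0 for identical outputs, falling linearly
    to 0.0 once the distance reaches `spread` (triangular membership; assumed)."""
    return max(0.0, 1.0 - abs(a - b) / spread)


def classical_vote(outputs: List[float], threshold: float) -> Optional[float]:
    """Return an output that a strict majority of versions agrees with (each
    version agreeing with itself), or None when no such output exists."""
    need = len(outputs) // 2 + 1
    for candidate in outputs:
        agreeing = sum(1 for o in outputs if classical_equivalent(candidate, o, threshold))
        if agreeing >= need:
            return candidate
    return None


def fuzzy_vote(outputs: List[float], spread: float, quorum: float) -> Tuple[Optional[float], float]:
    """Return (output, support) for the output with the highest total fuzzy
    support, where every version contributes its membership degree, so a
    near-miss still counts partially. Returns (None, best_support) when even
    the best candidate falls below `quorum`, i.e. the voter refuses to decide."""
    best, best_support = None, 0.0
    for candidate in outputs:
        support = sum(fuzzy_equivalence(candidate, o, spread) for o in outputs)
        if support > best_support:
            best, best_support = candidate, support
    if best_support < quorum:
        return None, best_support
    return best, best_support


# Constructed outputs of three versions for the same input.
DRIFTING = [10.0, 10.6, 11.2]     # each neighbouring pair is 0.6 apart: outside a 0.5 threshold
ONE_FAULTY = [10.0, 10.1, 50.0]   # two versions agree, one has failed
ALL_DIVERGENT = [10.0, 20.0, 30.0]

if __name__ == "__main__":
    for name, outs in (("drifting", DRIFTING), ("one faulty", ONE_FAULTY), ("divergent", ALL_DIVERGENT)):
        print(name, "classical:", classical_vote(outs, 0.5),
              "fuzzy:", fuzzy_vote(outs, spread=1.0, quorum=1.5))
```

With a 0.5 threshold the crisp voter finds no majority for the drifting case, although the middle output is within 0.6 of both others; the fuzzy voter gives that output support 1.8 (1.0 for itself plus 0.4 from each neighbour) and accepts it. For the faulty-version case both voters agree on the healthy pair, and for the divergent case the fuzzy voter's best support is only 1.0, below the quorum, so it reports no consensus instead of guessing.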
-
ABSTRACT: The Internet is quickly becoming entrenched in the communication and commercial sectors of everyday life. With this movement away from traditional fixed infrastructure we are also moving away from the traditional securities placed within fixed infrastructure. This has led to increasing numbers of attacks designed to infiltrate or disrupt the activities being performed by companies and individuals on the Internet. We are exploring the applicability of visualization techniques in conjunction with a well-known intrusion detection system (Hummer) for the detection and analysis of misuse of computer systems connected to the Internet. The visualization techniques will allow users to identify the behavior of users connecting to the system and identify those whose intentions are unwelcome.
Information Visualization, 2000. Proceedings. IEEE International Conference on; 02/2000
-
ABSTRACT: The development of user interfaces has become easier with the advent of graphical layout systems. Such systems allow a developer to locate and size predefined interactive objects directly in the interface he is developing. However, the objects provided in graphical layout systems have restricted forms and behaviors. Thus, the developer has limited flexibility in the kinds of interfaces he can create. DEMO is a user interface development system (UIDS) that allows interface objects to be created from scratch. Using a drawing editor, the developer specifies the interactive behavior of the objects by stimulus-response demonstration. DEMO generalizes from the demonstrations, and automatically generates an implementation of the interface.
System Sciences, 1992. Proceedings of the Twenty-Fifth Hawaii International Conference on; 02/1992