Similar literature
20 similar documents found; search took 27 ms
1.
ABSTRACT

Business security and threat actors continue to play a dangerous cat-and-mouse game with businesses' intellectual property, customer data, and business reputations at stake. Businesses need to delve into a new way of doing business security to break out of this game. Businesses are sitting on repositories full of security-relevant data that is not being capitalized upon with the current information security and physical security organizations within businesses. This article poses the introduction of a data scientist role and a new supporting central data correlation technology platform based on big data predictive analytics into business security functions. The goal is to intelligently and autonomously identify, correlate and pinpoint normally innocuous or unnoticed security event attributes to allow security personnel to preemptively remediate physical and information risks before exploitation or loss of intellectual property occurs.

2.
Abstract

Businesses have learned that perimeter security is no longer enough to protect critical data, and many are now touting the benefits of encrypting the data held in storage and backup systems. Driven largely by the awareness of security breaches, lawmakers, credit card issuers, and consumers themselves are holding organizations accountable for the protection of personal data. Today, businesses that suffer a security breach in which customer data is lost or stolen face widespread negative publicity, lost business, lawsuits, and fines that can threaten their viability. Although it's easy to immediately think that the storage or backup systems were compromised, it's important to note that, in an analysis of 45 of the reported incidents of data theft that occurred in the first half of 2005, only a small percentage were due to theft or loss of backup tapes. Far more prevalent were incidents in which insiders or outside attackers gained access to sensitive information through application-level attacks — attacks storage-level encryption wouldn't have prevented. This is why it is important for businesses to encrypt data at the Web, application, or database layer. Encrypting data as it enters the business, rather than having it stay in a readable state while it is used in various applications throughout the network, protects that data from both internal and external threats.

3.
ABSTRACT

Threats to network security increase with growing volumes and velocity of data across networks, and they present challenges not only to law enforcement agencies, but to businesses, families and individuals. The volume, velocity and veracity of shared data across networks entail accurate and reliable automated tools for filtering out useful from malicious, noisy or irrelevant data. While data mining and machine learning techniques have widely been adopted within the network security community, challenges and gaps in knowledge extraction from data have remained due to insufficient data sources on attacks on which to test the algorithms' accuracy and reliability. We propose a data-flow adaptive approach to intrusion detection based on high-dimensional cyber-attacks data. The algorithm repeatedly takes random samples from an inherently bi-modal, high-dimensional dataset of 82,332 observations on 25 numeric and two categorical variables. Its main idea is to capture subtle information resulting from reduced data dimension of a large number of malicious flows and by iteratively estimating roles played by individual variables in construction of key components. Data visualization and numerical results provide a clear separation of a set of variables associated with attack types and show that component-dominating parameters are crucial in monitoring future attacks.

4.
Abstract

This article represents a comprehensive review of California Senate Bill 1386 (SB1386) and its implications to businesses from both a legal and information security perspective. Technical requirements to comply with this legislation are set forth, including numerous proactive steps that can be taken by an organization to avoid the significant ramifications of non-compliance. This consumer protection legislation is precedent setting and not limited to California, as evidenced by the recent bill introduced in the U.S. Senate by Senator Dianne Feinstein. SB1386 may become the benchmark for customer privacy information protection for the entire United States.

5.
《Computers & Security》1987,6(2):129-132
Today's businesses require quality information; that is, business operations management requires that information have qualities of reliability, integrity, and privacy. This fact makes selling the need for computer security easier, since security is one of the necessary elements for ensuring information quality. This report explains how quality information concepts were used as a basis for a presentation to the senior management people of a large business.

6.
ABSTRACT

Today's businesses being IT enabled, the complexity of risks affecting the business has increased manifold and the need to gauge the Information Technology risks acting on the business operations has become paramount. The business managers who run business operations need to operate securely and seamlessly leveraging Information Technology and ability to recover and resume the business without any loss of confidentiality, integrity and availability of business information/data in any event of a security incident.

There is a need to quantify the impact of the IT security risk on the critical business processes, and provide the business-level insight at the management level. It is critical to classify the Risk Ratings as per the impact on the business operations. This approach allows the organizations to understand and prioritize the security risk management activities that make the most sense for their organization to secure the business operations instead of trying to protect against every conceivable threat.

7.
Abstract

Privacy has long been defined as the right of a person to be left alone and to be able to have control over the flow and disclosure of information about him- or herself (Warren and Brandeis, 1890). Worries about privacy are not new, although businesses have gathered information about their customers for years. However, privacy issues often come about because of new information technologies that have improved the collection, storage, use, and sharing of personal information.

8.
ABSTRACT

Contemporary businesses face many new and unprecedented challenges including the threat of terrorism. The impact of a terrorist attack can undermine an organization's success and survival. A significant area of organizational vulnerability to acts of terrorism involves the information systems infrastructure of the organization. This article discusses the mission-critical expectations that corporate executives have for their information technology departments with respect to securing and protecting these essential resources.

9.
ABSTRACT

Development of the information security policy is a critical activity. Credibility of the entire information security program of an organization depends upon a well-drafted information security policy. Most of the stakeholders do not have time or inclination to wade through a lengthy policy document. This article tries to formulate an approach to the information security policy development that will make the policy document capture the essentials of information security as applicable to a business. The document will also convey the urgency and importance of implementing the policy, not only in letter but also in spirit.

10.
ABSTRACT

P2P networks and the computations they enable hold great potential in creating the next generation of large-scale distributed applications. However, the P2P phenomenon has largely left untouched large organizations and businesses that have stringent security requirements and are uncomfortable with the anonymity and lack of centralized control/censorship which are the features of P2P systems. Hence, there is an urgent need to address the security concerns in deploying P2P systems which can leverage the underutilized compute resources in organizations across the world. This article proposes a containment-based security model (CBSM) for cycle-stealing P2P applications, based on the Secure Linux (SE Linux) Operating System, which alleviates existing security concerns, allowing peers to host untrusted or even hostile applications. Our approach is suitable for pure P2P applications and requires no message exchanges or trust computations in ensuring security. Testing via deployment of potentially malicious remote code proves the effectiveness of the proposed system.

11.
Abstract

The rise of regulatory oversight and privacy concerns, the exponential growth in the amount of email, the lack of email discipline by employees, and the ubiquity of email as a primary communications mechanism have created new risks for companies and businesses of every size. It is not only the disgruntled worker you should be worried about—it is likely your star performers who are unknowingly placing your company at risk while just trying to do their jobs. They are emailing data to their personal accounts and/or to customers or partners, all in the clear and often without anyone knowing until it is too late to stop the security or ethical breach.

12.
Abstract

As end-user computing becomes increasingly important in all kinds of businesses, many organizations are responding by installing information centers. This study, based on a survey of 25 diverse organizations within a large metropolitan area, investigates the services, user decisions, problems, and successes of their information centers. The results should prove useful to information center managers and MIS executives attempting to cope with the growth of end-user computing in their organizations.

13.
Context: Decision makers query enterprise information stored in Data Warehouses (DW) by using tools (such as On-Line Analytical Processing (OLAP) tools) which use specific views or cubes from the corporate DW or Data Marts, based on the multidimensional modeling. Since the information managed is critical, security constraints have to be correctly established in order to avoid unauthorized accesses.
Objective: In previous work we have defined a Model-Driven based approach for developing a secure DWs repository by following a relational approach. Nevertheless, it is also important to define security constraints in the metadata layer that connects the DWs repository with the OLAP tools, that is, over the same multidimensional structures that final users manage. This paper defines a proposal to develop secure OLAP applications and incorporates it into our previous approach.
Method: Our proposal is composed of models and transformations. Our models have been defined using the extension capabilities from UML (conceptual model) and extending the OLAP package of CWM with security (logical model). Transformations have been defined by using a graphical notation and implemented into QVT and MOFScript. Finally, this proposal has been evaluated through case studies.
Results: A complete MDA architecture for developing secure OLAP applications. The main contributions of this paper are: improvement of a UML profile for conceptual modeling; definition of a logical metamodel for OLAP applications; and definition and implementation of transformations from conceptual to logical models, and from logical models to the secure implementation into a specific OLAP tool (SSAS).
Conclusion: Our proposal allows us to develop secure OLAP applications, providing a complete MDA architecture composed of several security models and automatic transformations towards the final secure implementation. Security aspects are early identified and fitted into a most robust solution that provides us a better information assurance and a saving of time in maintenance.

14.
Abstract

Strong businesses are built on teams of people working together to get the job done. The team metaphor is the model on which to base future computing solutions. Applications for communication and routing, information exchange, process management, collaboration, and meetings are discussed.

15.
Abstract

Recent data breaches at major retailers have created an extra awareness of information security risks within the IT internal auditors. This article focuses on top security topics which every internal auditor must consider before they finalize their audit plans.

16.
Abstract

Because end users are often the weakest link in a security chain, students need to practice security controls properly to improve information security on campus. This study surveyed undergraduate students in a business college to investigate their understanding and attitudes toward information security. Survey findings show that college students understand most information security topics suggested by National Institute of Standards and Technology (NIST) Special Report 800-50. Universities should provide easily accessible security training programs for students. Practical suggestions are provided to encourage students to participate in security training to enhance their security awareness level.

17.
Transaction cost economics can explain the mechanism by which network security technologies may reduce the interexchange costs between businesses in the supply chain and between businesses and customers in the digital economy. This paper develops the construct of technology-based electronic trust, where interpersonal, or “real” trust between people can be amplified and enhanced with the use of network security information technologies. The paper formally models an electronic commerce trust typology based on minimizing the cost of establishing trust in transactions, balanced against maximizing the potential user value from successfully completing transactions in the digital economy, suggesting that there is an optimal amount of acceptable risk in electronic commerce transactions. Sophisticated deployments of security information technologies may increase levels of interpersonal trust while lowering transaction costs in electronic commerce, thus promoting the long run development of neutral, interorganizational electronic markets and growth in the digital economy.

18.
ABSTRACT

For each layer of information security there is a number of techniques and tools that can be used to ensure information superiority. Indeed some experts would argue that you cannot have the former without the latter. In today's technological & interconnected world, however, information superiority is very hard to achieve and almost impossible to maintain. This paper will argue that the art of deception is a reliable and cost effective technique that can assure the security of an infrastructure. The paper will conclude by presenting a technical solution of the above statement.

19.
Abstract

In recent months, the media have reported several major security breaches. Hackers have stolen the personal information of thousands of individuals from leading banks, credit bureaus, and insurance companies. In other cases, computers and disks with highly confidential data have simply vanished at the airport security counter or from vehicles parked in the company lot. Stolen data may include such sensitive information as Social Security and driver's license numbers, financial history, and bank account numbers and balances.

20.
Although most businesses say information security is a primary concern, few have adequate systems in place because securing information requires a risk-management approach with dependable, quantifiable metrics. Simple questions, readily answered in any other business context, are met by information security experts with embarrassed silence. These questions include: Is my security better this year? What am I getting for my security dollars? How do I compare with my peers? Answering such questions requires rigorous security metrics; and a risk-management framework in which to compare them.
