Similar literature
1.
Abstract

In today’s digitally dependent world, organizations struggle to mitigate stealthy, well-resourced, and tenacious advanced persistent threat (APT) attacks by nefarious actors, organizations, and even nation-states intent on gaining a foothold in an organization’s IT infrastructure. This onslaught of advanced attacks requires far more than baseline security practices. While most security professionals are APT-aware, many lack the experience, requisite skills, and the ability to integrate technology to counter APT attacks. The problem is exacerbated by a widening cybersecurity skills gap. Recent research by ISACA, the world’s largest information security professional association, reported that more than 60% of applicants for entry-level cybersecurity positions lack the skill and ability to perform the tasks associated with their potential new roles. Success against the APT is predicated on insight into APT attack stages and the integration of technology to enable organizational resilience; however, this is not possible if organizations do not have a workforce with the requisite knowledge, skills, and abilities to perform the technical tasks related to their functional roles. This article addresses a customized response strategy, executed by a skilled workforce, that mitigates and even counters attacks. The strategy recommends that a coordinated response based on organizational risk management policies be implemented. In addition, it requires organizational insight into information assets, control of administrator privileges, implementation of a sound network segregation architecture, and a commitment to a balanced vulnerability management program. It is critical that a further discussion occur to outline skills acquisition based on skills-based training and performance-based assessments.

2.
It is a well-known fact that the information security policy is one of the most important controls needed within an organization to manage the implementation and ensure the effectiveness of information security. The information security policy is essentially the direction-giving document in an organization and defines the broad boundaries of information security. Furthermore, it indicates management’s commitment to, and support for, information security in an organization and defines the role it has to play in reaching and supporting the organization’s vision and mission.

3.
“What would you do if you were stuck in one place, and every day was exactly the same, and nothing you did mattered?” Phil Connors, Groundhog Day
“That about sums it up for me,” answered Ralph, and I’m sure most system administrators, information system security officers (ISSOs), physical security, operations security, and other security professionals would agree. Everybody takes them for granted — until the network goes down or applications can’t be used. And that’s the problem: a totally wrong perception of what’s required for the serious business of properly doing full-spectrum security. Security is not something extra. Security is a normal part of doing business.

4.
With today’s heightened awareness of internal Unix/Linux security, many enterprises have either created internal security audits or hired external firms to audit existing practices and installations. Creating a comprehensive security policy requires a thorough understanding of the existing asset organization, applications, system and network infrastructure, and risk assessment. In today’s enterprises, the emergence of business security teams increasingly crosses traditional “org-chart” business dynamics to specifically address security issues.

5.
ABSTRACT

Development of the information security policy is a critical activity. Credibility of the entire information security program of an organization depends upon a well-drafted information security policy. Most of the stakeholders do not have the time or inclination to wade through a lengthy policy document. This article tries to formulate an approach to information security policy development that will make the policy document capture the essentials of information security as applicable to a business. The document will also convey the urgency and importance of implementing the policy, not only in letter but also in spirit.

6.
James Bone 《EDPACS》2016,54(5):1-11
Cyber risk professionals face a formidable challenge in keeping pace with the asymmetric nature of today’s advanced threats in cyber security. Spending on cyber security has skyrocketed, yet the threat continues to grow exponentially. This phenomenon is called the Cyber Paradox and describes what has become an entrenched battle for security professionals in defending against an increasingly sophisticated adversary that, to date, has adapted faster than defensive measures to prevent loss of data or access to sensitive information. Conventional security defenses have proven less than effective, resulting in a virtual “Maginot’s Line” of increased fortification by hardening the enterprise, yet resulting in greater vulnerability to achieving the goals of defending the organization from cyber threats (“Maginot’s Line”, n.d.). This article reviews the causes of these misperceptions in security defense and explores research in decision science, intelligence and security informatics, machine learning, and the role of simplicity in shaping a cognitive risk framework. The findings conclude that the human-machine interaction is the greatest threat in cyber space, yet very few, if any, security professionals are well versed in strategies to close this gap. The purpose of this article is to bring to light evolving new strategies with promising success and to reveal a few surprises in how simplicity is an under-appreciated strategy in cyber security. Complete text of “Cognitive Hack: The New Battleground in Cybersecurity … the Human Mind” is available here: https://www.crcpress.com/Cognitive-Hack-The-New-Battleground-in-Cybersecurity--the-Human-Mind/Bone/p/book/9781498749817

7.
Patch Management
Imagine this scenario. As a security manager for your organization, your responsibilities include analyzing and applying patches to all Windows servers across the enterprise. Your process is going to each machine, manually evaluating what patches are missing, and installing the most critical security patches as soon as possible. How long does this take? One hour per server? Two hours? Maybe more? How many patches are critical? How often do you do it? And how many servers do you have? It doesn’t take long to do the math to realize that your battle to keep up with the most critical patches, let alone every patch that’s released, may be a futile one.

8.
Hackers have got a new trick, and it’s worrying organizations with wireless networks. With numerous reports of user identities and passwords being grabbed out of thin air, the so-called ‘drive-by’ hack, where an attacker attempts to access data from outside an organization’s building, is causing a panic across the wireless industry. Here, we will evaluate the real risks associated with implementing a wireless office network and offer some practical tips for improving security.

9.
As security professionals we have a good handle on securing our perimeters, yet security compromises continue to rise. Hackers have found a new attack vector and are successfully exploiting it. Application exploits are to blame for this rise in security compromises, and security professionals need to identify and secure the application.

While risk cannot be completely eliminated, a strong Application Security Program can identify and mitigate these risks to a more manageable level. Organizational support, framework selection, and adherence to compliance and regulatory requirements are vital to the success of the program and the security of your applications. If you lack any of these elements, the program will fail. There are many frameworks to choose from, so careful consideration must be taken to ensure the right framework is chosen for your organization.

A successful Application Security Program will be fully integrated within the SDLC. It will enable your organization to identify and remediate risks with applications. If implemented and executed effectively, it will also meet the requirements for FISMA compliance.

10.
The spread of wireless network technology has opened new doors to utilize sensor technology in various areas via Wireless Sensor Networks (WSNs). Many authentication protocols among the service-seeking users, the sensing component sensor nodes (SNs), and the service-providing base station or gateway node (GWN) are available to realize services from WSNs efficiently and without any fear of deceit. Recently, Li et al. and He et al. independently proposed mutual authentication and key agreement schemes for WSNs. We find that both schemes achieve mutual authentication, establish a session key, and resist many known attacks, but still have security weaknesses. We show the applicability of stolen-verifier, user impersonation, password guessing, and smart card loss attacks on Li et al.’s scheme. Although their scheme employs the feature of dynamic identity, an attacker can reveal and guess the identity of a registered user. We demonstrate the susceptibility of He et al.’s scheme to a password guessing attack. In both schemes, the security of the session key established between user and SNs is imperfect due to a lack of forward secrecy and a session-specific temporary information leakage attack. In addition, both schemes impose extra computational load on resource-scarce sensor nodes and are not user friendly due to the absence of user anonymity and the lack of a password change facility. To handle these drawbacks, we design a mutual authentication and key agreement scheme for WSNs using chaotic maps. To the best of our knowledge, we are the first to propose an authentication scheme for WSNs based on chaotic maps. We show the superiority of the proposed scheme over its predecessor schemes by means of detailed security analysis and comparative evaluation. We also formally analyze our scheme using BAN logic.

12.
ABSTRACT

The purpose of this study was to examine the influence of trust variables (trust: competence, trust: benevolence, trust: integrity) on leadership regarding the organization’s information security policy (ISP) compliance. An instrument with four constructs was used to collect data from 474 non-management subjects from various organizations in the USA. Collected data were analyzed through a multiple regression procedure. Results revealed that all trust variables (trust: competence, trust: benevolence, trust: integrity) were influential in predicting leadership regarding the organization’s ISP compliance. The findings are discussed and implications for practice are outlined. Conclusions, limitations, and recommendations for future research are drawn.

13.
We information security specialists have long been viewed by top management as technicians who should rightfully labour in the remote and isolated offices of the organization. This viewpoint is dangerously out of touch with the times. Information security is absolutely critical to every modern organization, and it is a multi-disciplinary, multi-departmental, and multi-organizational issue which must get top management’s personal attention.

14.
Security analysis of wireless sensor networks based on ZigBee technology   Total citations: 6, self-citations: 0, citations by others: 6
任秀丽, 于海斌 《计算机科学》 2006, 33(10):111-113
The rapid development of wireless communication and electronic device technology has promoted the application of wireless sensor networks (WSNs) composed of sensors. In most application environments, users have high security requirements for WSNs, so security has become the key factor constraining the further wide adoption of WSNs. The emerging ZigBee technology, however, demonstrates its security in its networking approach. This paper gives a comprehensive analysis of the security aspects of ZigBee technology, including its networking mode, security architecture, and encryption algorithms.

15.
Abstract

Web technology has enabled many organizations to form an E-enterprise for effective communicating, collaborating, and information sharing. To gain competitive advantages, E-enterprises must integrate entire lines of business operations and critical business data with external organizations or individuals over the Web, which may introduce significant security risks to the organizations' critical assets and infrastructures. This article provides systems professionals with a multidimensional E-enterprise security view. The view puts forward practical steps and sustainable solutions for tackling the unique security challenges arising in an E-enterprise environment.

16.
《Computers & Security》2002,21(7):620-623
This article reviews the recent spate of public policy initiatives which will impact an organization’s approach towards the security of its data.

17.
A key success factor in implementing computer security is the much discussed and important issue of management commitment. Management commitment is demonstrated through the effective fostering of a computer security policy within the organization. Many textbooks provide guidelines on what to include or exclude in compiling a computer security policy. However, little is said about issues such as accountability, responsibility, and the actual scope of computer security. This paper will address various issues of critical importance in compiling a computer security policy.

18.
Ultra-wideband (UWB) is a key solution for wireless connectivity, characterized by ultra-low power consumption and a good degree of robustness to interference and multipath fading. Evidence of its significance is its recent use in the IEEE 802.15.4a standard. UWB technology combined with directional antennas can benefit, compared to classical omni-directional antennas, from the energy conservation viewpoint, which is of fundamental concern when it comes to wireless sensor networks (WSNs). However, exploiting directionality requires a new approach in the design of the medium access control (MAC) protocol to be applied. In this work, idle nodes continuously rotate their receiving beams over 360° until a predefined preamble trailer is detected. The resulting scheme is a directional ultra-wideband MAC protocol, named DU-MAC, which deals effectively with the problem of deafness and the problem of determining neighbors’ locations. Simulation-based studies demonstrate the effectiveness of the proposed protocol on many critical parameters, such as throughput and network lifetime.

19.
This study investigates whether the presence of a CIO in the top management team (TMT) is an important indicator of better management of information, especially when an organization is involved in an information security breach incident. Using Upper Echelons Theory, our study relates the status of the CIO in an organization to organizational performance in the case of information security breaches using Tobin’s q. We argue that when an organization experiences an information security breach, the organization that has the CIO in the TMT can recover any damages or losses from the security breach incident quicker than the organization that does not. We categorize security breach incidents using the confidentiality, integrity, and availability (CIA) triad (Solomon and Chapple 2005), and conclude that having the CIO in the TMT has a significant positive impact on firm performance in the aftermath of security breach incidents. However, the degree of impact on performance varies, depending on the type of security breach.

20.
Abstract

The securing of data and networks is vital for any organization, yet not all organizations have the resources to keep up with the latest security issues and threats. One option is to outsource the professionals needed to get the work done. Outsourcing is defined as contracting professionals from the outside to do services that are core or non-core to the business. Yet outsourcing does have its risks. Allowing non-employees to manage key security operations can be scary. The decision is not an easy one, and it is discussed here to allow security managers to make a more informed decision. This article discusses the need for outsourcing security, determining the risks, choosing a provider, and managing the process. The premise is that outsourcing can be used as a successful tool for saving an organization money by allowing outside providers to perform non-core competencies.
