<?xml version="1.0" encoding="ISO-8859-1"?>
<rss version="2.0">
<channel>
<title>IEEE Security and Privacy</title>
<link>http://www.computer.org/security</link>
<description>Organizations relying on the Internet face significant challenges to ensure that their networks operate safely and that their systems continue to provide critical services even in the face of attacks. Denial of service, worms, DNS, and router attacks are increasing. To help you stay one step ahead of these and other threats, the IEEE Computer Society has published a new periodical in 2003, IEEE Security &amp; Privacy magazine.</description>
	<language>en-us</language>
	<pubDate>Wed, 4 Jan 2012 11:00:01 GMT</pubDate>
	<image>
		<url>http://csdl.computer.org/common/images/logos/security.gif</url>
		<title>IEEE Computer Society</title>
		<description>List of recently published journal articles</description>
		<link>http://www.computer.org/security</link>
	</image>
  <item>
     <title>PrePrint: Basing Cybersecurity Training on User Perceptions</title>
     <link>http://doi.ieeecomputersociety.org/10.1109/MSP.2011.180</link>
     <description>The National Initiative for Cybersecurity Education (NICE) will be conducting a nationwide awareness and outreach program to effect behavioral change. To be effective, an educational campaign must first understand users&amp;#x2019; perceptions of computer and online security. Our research objective was to understand users&amp;#x2019; current knowledge base, awareness, and skills. We investigated their understanding of online security by conducting in-depth interviews with the goal of identifying existing correct perceptions, myths, and potential misperceptions. Our findings indicate that the participants were primarily aware of and concerned with online and computer security. However, the participants lacked a complete skill set to protect their computer systems, identities, and information online. Providing a skill set that allows them to develop complete mental models will help them to correctly anticipate and adopt the appropriate behaviors when approaching online security. Future research should identify the skills that will assist users to build the appropriate cybersecurity mental models.</description>
     <guid isPermaLink="true">http://doi.ieeecomputersociety.org/10.1109/MSP.2011.180</guid>
  </item>
  <item>
     <title>PrePrint: Making Successful Security Decisions: A Qualitative Evaluation</title>
     <link>http://doi.ieeecomputersociety.org/10.1109/MSP.2011.128</link>
     <description>This research was motivated by the question, &amp;#x201C;How do IT security managers make decisions in the absence of empirical data and how do they know these decisions are successful?&amp;#x201D; It seems that some security managers are more successful at making decisions than others. Are they guessing or is there some tacit knowledge being used for decision-making? To address this question, a qualitative research approach was used to explore security decision-making. Open-ended interviews were conducted with highly regarded, experienced security practitioners. The transcriptions were qualitatively analyzed from which two simultaneous and competing models of security decision processes were developed. The As-Is Process describes decisions in the current security environment, and the To-Be Process describes decisions to develop and evolve the security environment. Potential uses of these models include developing curricular materials and as a starting point in determining effective IT security and describing successful IT security decision-making.</description>
     <guid isPermaLink="true">http://doi.ieeecomputersociety.org/10.1109/MSP.2011.128</guid>
  </item>
  <item>
     <title>PrePrint: Thinking Across Stovepipes: Using a Holistic Development Strategy to Build the Cybersecurity Workforce</title>
     <link>http://doi.ieeecomputersociety.org/10.1109/MSP.2011.181</link>
     <description>This article proposes a holistic approach to developing the cybersecurity workforce based on careful integration of workforce development strategies into a plan that involves educators, career professionals, employers, and policymakers. It motivates this by describing how other fields such as medicine have successfully done this and arguing that cybersecurity is inherently cross-disciplinary at multiple levels of expertise and performance, making it similar in complexity to the medical profession and thus a good candidate for some solutions developed there. It then focuses on one element of a holistic strategy &amp;#x2013; education &amp;#x2013; and discusses the findings of a recent workshop on cybersecurity education. It then places those findings in the context of the broader discussion and suggests some practical steps. They encourage computer science educators, human resources professionals, and employers to think beyond their &amp;#x201C;stovepiped&amp;#x201D; fields and collaborate so that holistic, integrated solutions can be developed, accepted, and implemented.</description>
     <guid isPermaLink="true">http://doi.ieeecomputersociety.org/10.1109/MSP.2011.181</guid>
  </item>
  <item>
     <title>PrePrint: Security education against phishing: A modest proposal for a major re-think</title>
     <link>http://doi.ieeecomputersociety.org/10.1109/MSP.2011.179</link>
     <description>Online shoppers are targeted by many scams. User education on phishing to date has tried to persuade users to look for signs of bad sites &amp;#x2013; check URLs and a number of other indicators. We evaluated a new anti-phishing tool in a realistic setting &amp;#x2013; participants had to buy tickets under time pressure, and lost money if they bought from bad sites. Nobody bought from sites clearly identified as bad, but 40&amp;#x0025; of participants risked money with sites flagged as potentially risky which offered bargains. When tempted by good deals, users do not focus on warnings &amp;#x2013; they look for signs that confirm a site&amp;#x2019;s trustworthiness: familiar websites or brands, trust seals, ads, references to social networking sites, and professional-looking design. Users perceive those as reliable legitimacy indicators. We argue that user education needs to focus on correcting those misconceptions, and present an outline for a re-targeted user education approach.</description>
     <guid isPermaLink="true">http://doi.ieeecomputersociety.org/10.1109/MSP.2011.179</guid>
  </item>
  <item>
     <title>PrePrint: Quality Measures in Biometric Systems</title>
     <link>http://doi.ieeecomputersociety.org/10.1109/MSP.2011.178</link>
     <description>Biometric technology has been increasingly deployed in the last decade, offering greater security and convenience than traditional methods of personal recognition. But although the performance of biometric systems is heavily affected by the quality of biometric signals, prior work on quality evaluation is limited. Quality assessment is a critical issue in the security arena, especially in challenging scenarios (e.g., surveillance cameras, forensics, portable devices, or remote access through the Internet). Different questions regarding the factors influencing biometric quality and how to overcome them, or the incorporation of quality measures in the context of biometric systems, have to be analyzed first. In this paper, a review of the state of the art in these matters is provided, giving an overall framework of the main factors related to the challenges associated with biometric quality.</description>
     <guid isPermaLink="true">http://doi.ieeecomputersociety.org/10.1109/MSP.2011.178</guid>
  </item>
  <item>
     <title>PrePrint: Simply Blaming Non-Compliance is too Convenient: What Really Causes Information Breaches?</title>
     <link>http://doi.ieeecomputersociety.org/10.1109/MSP.2011.157</link>
     <description>The unacceptable occurrence of information breaches demands a vigorous response. The traditional approach is to use policies to constrain and control. Information security policies inform employees about appropriate uses of information technology. Unfortunately, there is limited evidence of the effectiveness of policies in reducing losses. This paper explores the possible reasons for this, and reports on a survey carried out to detect the presence of these factors in an NHS health board. A plea is made for attention to be paid to the entire system, and not a myopic focus on individuals. The survey shows how the pressures and rules imposed by the policies often place staff in an impossible position. They sometimes feel this leaves them no option but to break the rules, simply to get their jobs done. The paper concludes by identifying areas where the policy formulation and implementation processes can be improved to alleviate these pressures.</description>
     <guid isPermaLink="true">http://doi.ieeecomputersociety.org/10.1109/MSP.2011.157</guid>
  </item>
  <item>
     <title>PrePrint: Usable Secure Private Search</title>
     <link>http://doi.ieeecomputersociety.org/10.1109/MSP.2011.155</link>
     <description>It is a common requirement in real-world applications for untrusting parties to be able to share sensitive information securely. We describe a secure anonymous database search scheme (SADS) that provides exact match capability. Using a new primitive, re-routable encryption, and the ideas of Bloom filters and deterministic encryption, SADS allows multiple parties to efficiently execute exact match queries over distributed encrypted databases in a controlled manner. We further consider a more general search setting allowing similarity searches, going beyond existing work that considers similarity in terms of error tolerance and Hamming distance by capturing semantic-level similarity in our definition. Building on the cryptographic and privacy-preserving guarantees of the SADS primitive, we then describe a general framework for engineering usable private secure search systems.</description>
     <guid isPermaLink="true">http://doi.ieeecomputersociety.org/10.1109/MSP.2011.155</guid>
  </item>
  <item>
     <title>IEEE Security and Privacy - November/December 2011 (Vol. 9, No. 6)</title>
     <link>http://opac.ieeecomputersociety.org/opac?year=2011&amp;volume=9&amp;issue=06&amp;acronym=security</link>
     <description>IEEE Security and Privacy</description>
     <guid isPermaLink="true">http://www.computer.org/portal/site/security/</guid>
  </item>
  <item>
     <title>PrePrint: Detecting Targeted Malicious Email Using Persistent Threat and Recipient Oriented Features</title>
     <link>http://doi.ieeecomputersociety.org/10.1109/MSP.2011.154</link>
     <description>Targeted malicious emails to enable computer network exploitation have become more insidious and more widely documented in recent years. Beyond spam or phishing designed to trick users into revealing personal information, targeted malicious email (TME) facilitates computer network exploitation and the gathering of sensitive information from targeted networks. These TMEs are not singular, unrelated events; instead, they are coordinated and persistent campaigns that can span years. We survey existing email filtering techniques, implement new techniques for detecting TME, and compare these new techniques to two traditional detection methods, SpamAssassin and ClamAV. The new email filtering techniques are based on using persistent threat and recipient-oriented features of email with a random forest classifier. Incorporating these features improves the detection of TME over SpamAssassin and ClamAV while maintaining reasonable false positive rates. During testing, the new techniques correctly classify 91&amp;#x0025; of TME as compared to the 16&amp;#x0025; identified by SpamAssassin+ClamAV.</description>
     <guid isPermaLink="true">http://doi.ieeecomputersociety.org/10.1109/MSP.2011.154</guid>
  </item>
  <item>
     <title>PrePrint: Improving the Automation of Security Information Management Tools. A Collaborative Approach.</title>
     <link>http://doi.ieeecomputersociety.org/10.1109/MSP.2011.153</link>
     <description>Many preventive security measures have been proposed to protect networks from cyber intrusions. Many of the adopted measures generate a large amount of information that should be stored and analyzed to enable response actions to detected attacks. A Security Information and Event Manager (SIEM) has become an indispensable tool to collect all of a system&amp;#x2019;s security-related information in a central repository. This can then be used for trend analysis and adoption of appropriate actions. In this article, we present a collaborative work approach between SIEMs of different trusted domains that share alarms and the consequently adopted countermeasures. These have been based on traffic patterns related to offered online services. The concept of sharing alarms and adopted measures in domains with similar profiles intends to enhance a global view of the security and, in this way, facilitate decision-making for security domain administrators.</description>
     <guid isPermaLink="true">http://doi.ieeecomputersociety.org/10.1109/MSP.2011.153</guid>
  </item>
  <item>
     <title>PrePrint: Collective Defense:  Applying Public Health Models to the Internet</title>
     <link>http://doi.ieeecomputersociety.org/10.1109/MSP.2011.152</link>
     <description>Governments, enterprises, and consumers face a myriad of computer threats that are technically advanced and persistent. Commonly available cyber defenses such as firewalls, antivirus software, and automatic updates for security patches help reduce the risk from threats, but they are not enough, especially since many consumers do not always follow the guidance provided and/or engage in other unsafe actions (e.g., downloading executable programs from unknown sources). Those with infected computers are not simply risking their own valuable information and data; they are putting others at risk too. This paper will look at addressing online security issues using a model similar to the one society uses to address human illness.</description>
     <guid isPermaLink="true">http://doi.ieeecomputersociety.org/10.1109/MSP.2011.152</guid>
  </item>
  <item>
     <title>PrePrint: Challenges in Power System Information Security</title>
     <link>http://doi.ieeecomputersociety.org/10.1109/MSP.2011.151</link>
     <description>The transition from today&amp;#x2019;s power systems to the smart grid will be a long evolutionary process. While it might introduce new vulnerabilities, it will also open up opportunities for improving system security. In this article we consider various facets of power system security. We discuss the difficulty of achieving all-encompassing component-level security in power system IT infrastructures due to its cost and potential performance implications. We then outline a framework for modeling system-wide security, which facilitates the assessment of the system&amp;#x2019;s security despite its complexity by capturing the interaction between system components. We use the example of power system state estimation to illustrate how the security of the system can potentially be improved by leveraging the knowledge of the physical processes and the significant amount of redundant information. Finally, we touch upon the problem of information availability, a key security requirement in power system control and operation systems.</description>
     <guid isPermaLink="true">http://doi.ieeecomputersociety.org/10.1109/MSP.2011.151</guid>
  </item>
  <item>
     <title>PrePrint: A Research Agenda Acknowledging the Persistence of Passwords</title>
     <link>http://doi.ieeecomputersociety.org/10.1109/MSP.2011.150</link>
     <description>Despite countless attempts and near-universal desire to replace them, passwords are more widely used and firmly entrenched than ever. Our exploration of this leads us to argue that no silver bullet will meet all requirements, and not only will passwords be with us for some time, but in many instances they are the solution which best fits the scenario of use. Among broad authentication research directions to follow, we first suggest better means to concretely identify actual requirements (surprisingly overlooked to date) and weight their relative importance in target scenarios; this will support approaches aiming to identify best-fit mechanisms in light of requirements. Second, for scenarios where indeed passwords appear to be the best-fit solution, we suggest designing better means to support passwords themselves. We highlight the need for more systematic research, and how the premature conclusion that passwords are dead has led to the neglect of important research questions.</description>
     <guid isPermaLink="true">http://doi.ieeecomputersociety.org/10.1109/MSP.2011.150</guid>
  </item>
  <item>
     <title>PrePrint: Electronic Identity Cards for User Authentication &amp;#x2013; Promise and Practice</title>
     <link>http://doi.ieeecomputersociety.org/10.1109/MSP.2011.148</link>
     <description>Electronic identity (eID) cards promise to supply a universal, nation-wide mechanism for user authentication. Most European countries have started to deploy eID for government and private sector applications. Are government-issued electronic ID cards the proper way to authenticate users of online services? We use the German eID project as a showcase to discuss eID from an application perspective. The new German ID card has interesting design features: it is contactless, it aims to protect people&amp;#x2019;s privacy to the extent possible, and it supports cryptographically strong mutual authentication between users and services. Privacy features include support for pseudonymous authentication and per-service controlled access to individual data items. The article discusses key concepts, the eID infrastructure, observed and expected problems, and open questions. The core technology seems ready for prime time and government projects deploy it to the masses. But application issues may hamper eID adoption for online applications.</description>
     <guid isPermaLink="true">http://doi.ieeecomputersociety.org/10.1109/MSP.2011.148</guid>
  </item>
  <item>
     <title>PrePrint: Microsoft&amp;#x2019;s Windows7 Vs. Apple&amp;#x2019;s Snow Leopard: An Experimental Evaluation of Performance against Denial of Service Attacks (DDoS)</title>
     <link>http://doi.ieeecomputersociety.org/10.1109/MSP.2011.147</link>
     <description>Computers are known to have been used in attacking other computers, and they also have been targets of Denial of Service (DoS) attacks themselves. The two popular computers, namely Apple&amp;#x2019;s iMac with Snow Leopard and Microsoft Windows 7, both claim to provide users a safer and more reliable operating system. In this experimental paper, we evaluate and compare the security offered by the latest Windows 7 operating system with that of iMac computers with their latest operating system, Snow Leopard, under DoS attacks in a Gigabit LAN environment. It was discovered that unlike Microsoft&amp;#x2019;s Windows 7 operating system, Apple&amp;#x2019;s iMac computer using its latest Snow Leopard operating system crashed even under low-bandwidth ARP-based attack traffic, requiring a forced reboot of the computer. Furthermore, Windows 7 was found to consume fewer computing resources when compared to Snow Leopard for the same hardware platform and under the same attack conditions.</description>
     <guid isPermaLink="true">http://doi.ieeecomputersociety.org/10.1109/MSP.2011.147</guid>
  </item>
  <item>
     <title>PrePrint: Training Johnny to Authenticate (Safely)</title>
     <link>http://doi.ieeecomputersociety.org/10.1109/MSP.2011.129</link>
     <description>We present the results of a long-term user study of site-based login mechanisms which force and train users to log in safely. We found that interactive site-identifying images received 70&amp;#x0025; detection rates, which is significantly better than the 20&amp;#x0025; received by the typical login ceremony. We also found that combining login bookmarks with interactive images and &amp;#x2018;non-working&amp;#x2019; buttons/links (which we refer to as negative training functions) achieved the best detection rates (82&amp;#x0025;) and overall resistance rates (93&amp;#x0025;). As interactive custom images provide effective user training against phishing, we extended their authentication usages. We present an adaptive authentication mechanism based on recognition of multiple custom images, which can be used for different web and mobile authentication scenarios. The mechanism relies on memorization of the custom images on each primary login, adaptively increasing the authentication difficulty upon detecting impersonation attacks, and recognizing all images for fallback authentication.</description>
     <guid isPermaLink="true">http://doi.ieeecomputersociety.org/10.1109/MSP.2011.129</guid>
  </item>
   </channel>
</rss>
