Pervasive Information Security and Privacy Developments
Latest Publications


TOTAL DOCUMENTS

23
(FIVE YEARS 0)

H-INDEX

1
(FIVE YEARS 0)

Published By IGI Global

9781616920005, 9781616920012

Author(s):  
Surya B. Yadav

The extant methods largely ignore the importance of integrating security requirements with business requirements and providing built-in steps for dealing with these requirements seamlessly. To address this problem, a new approach to secure network analysis and design is presented. The proposed method, called the SEACON method, provides an integrated approach to use existing principles of information systems analysis and design with the unique requirements of distributed secure network systems. We introduce several concepts including security adequacy level, process-location-security matrix, data-location-security matrix, and secure location model to provide built-in mechanisms to capture security needs and use them seamlessly throughout the steps of analyzing and designing secure networks. This method is illustrated and compared to other secure network design methods. The SEACON method is found to be a useful and effective method.


Author(s):  
Spyridon Papastergiou
Despina Polemi

Although various European Union (EU) directives have established the proper legal framework for the provision of trustful, legally accepted cross-border transactions via electronic means, consumers are still hesitant to use e-commerce. Lack of confidence with regard to the protection of privacy and security of electronic transactions is among the main reasons. This chapter attempts to form the appropriate confidence framework describing a set of privacy and security requirements that must be taken into account for e-ordering systems. In addition, it presents a trustful e-ordering architecture (TOES) that addresses these requirements based on extensible markup language (XML), XML cryptography, public key infrastructure (PKI), Web services policy language (WSPL), and Web services. TOES is an open, secure, interoperable, and affordable e-ordering system that respects the EU legislation.


Author(s):  
Li Yang
Chang Phuong
Andy Novobilski
Raimund K. Ege

Most access control models have formal access control rules to govern the authorization of a request from a principal. In pervasive and collaborative environments, the behaviors of a principal are uncertain due to partial information. Moreover, the attributes of a principal, requested objects, and contexts of a request are mutable during the collaboration. Such uncertainty and mutability pose challenges when resource sharing must happen in the collaborative environment. In order to address the above challenges, we propose a framework to integrate trust management into a usage control model in order to support decision making in an ever-changing collaborative environment. First, a trust value of a principal is evaluated based on both observed behaviors and peer recommendations. Second, the usage-based access control rules are checked to make decisions on resource exchanges. Our framework handles uncertainty and mutability by dynamically disenrolling untrusted principals and revoking granted on-going access if access control rules are no longer met. We have applied our trust-based usage control framework to an application of file sharing.


Author(s):  
Samia Boucherkha
Mohamed Benmohamed

This chapter discusses an approach for both authentication of medical images and confidentiality for the related textual data in an online medical application paradigm. The image authentication is achieved in a soft manner through a feature-based digital signature while the confidentiality of the related patient information is achieved through reversible data hiding. The selected features are robust towards geometric transformations, while fragile towards texture alterations that are characteristic of medical images. The processing scheme is done on a block-by-block basis to permit the localization of the tampered image’s regions. The effectiveness of the scheme, proven through experiments on a sample of medical images, enables us to argue that implementing mechanisms relying on this approach will help to maintain personal patient privacy and medical image integrity.


Author(s):  
Palla Srikanth
Dantu W. Ram
Cangussu João

Email spam is the most effective form of online advertising. Unlike telephone marketing, email spamming does not require huge human or financial resources investment. Most existing spam filtering techniques concentrate on the emails’ content. However, most spammers obfuscate their emails’ content to circumvent content-based spam filters. An integrated solution for restricting spam emails is needed as content analyses alone might not provide a solution for filtering unsolicited emails. Here we present a new method for isolating unsolicited emails. Though spammers obfuscate their emails’ content, they do not have access to all the fields in the email header. Our classification method is based on the path an email traverses instead of content. Overall, our classifier produced fewer false positives when compared to current filters such as SpamAssassin. We achieved a precision of 98.65% which compares well with the precisions achieved by SPF, DNSRBL blacklists.


Author(s):  
Bhavani Thuraisingham
Yashaswini Harsha Kumar
Latifur Khan

In this chapter we have designed and developed a framework for sharing data in an assured manner in case of emergencies. We focus especially on a need-to-share environment. It is often required to divulge information when an emergency is flagged and then take necessary steps to handle the consequences of divulging information. This procedure involves the application of a wide range of policies to determine how much information can be divulged in case of an emergency depending on how trustworthy the requester of the information is.


Author(s):  
June C. Wei
Randall Reid
Hongmei Zhang

This chapter investigates the patterns of malicious code attacks based on monthly data of the top 10 virus shares from 1998 to 2005. Three parameters were identified for study: the overall pattern of the attack, the number of reentries into the top 10 most prevalent attacks, and the maximum percentage share. The dataset was validated by comparing it to an independent dataset that measured the same parameters for a subset of the period of the primary dataset. The effects of malicious code that started before or disappeared outside the collection period were found to not have a significant effect. A multivariate regression analysis showed that the number of entries and the maximum share had a strong relationship with the visible life span. Multivariate cluster analysis was conducted on the reentry parameters and yielded six virus cluster classifications. The high impact viruses, 43 of the 230, are identified and further grouped.


Author(s):  
Patricia Y. Logan
Debra Noles

Hospitals have increasingly employed outsourcing to lower the cost of healthcare delivery and improve efficiency and quality, thereby enabling more focus on core competencies of patient care, teaching, and research. Outsourcing presents a challenge for protecting patient information when new services are implemented or integrated into an existing healthcare information system. Enabling new outsourced telehealth services often requires “bolting on” security to legacy systems rather than “baking” it into the system. This chapter addresses security practices necessary for healthcare organizations implementing new telehealth services as part of an outsourced relationship. While a number of recommendations are available for security readiness assessments pursuant to HIPAA compliance, none directly addresses the challenge of implementing security for outsourced clinical services. A case study is presented for a recent implementation of teleradiology services within a large regional hospital. Using the case, system vulnerabilities are demonstrated and relevant best practices to mitigate exposing patient information are discussed.


Author(s):  
Barbara Carminati
Elena Ferrari
Andrea Perego

The wide diffusion and usage of social networking Web sites in the last years have made publicly available a huge amount of possibly sensitive information, which can be used by third parties with purposes different from the ones of the owners of such information. Currently, this issue has been addressed by enforcing into Web-based Social Networks (WBSNs) very simple protection mechanisms, or by using anonymization techniques, thanks to which it is possible to hide the identity of WBSN members while performing analysis on social network data. However, we believe that further solutions are needed, to allow WBSN members themselves to decide who can access their personal information and resources. To cope with this issue, in this chapter we illustrate a decentralized security framework for WBSNs, which provides both access control and privacy protection mechanisms. In our system, WBSN members can denote who is authorized to access the resources they publish and the relationships they participate in, in terms of the type, depth, and trust level of the relationships existing between members of a WBSN. Cryptographic techniques are then used to provide a controlled sharing of resources while preserving relationship privacy.


Author(s):  
S. E. Kruck
Faye P. Teer

The purpose of this chapter is to present the results of an empirical study of the computer security practices and perceptions of the next generation of corporate computer users, undergraduate university students. The authors surveyed undergraduate university students who represented 42 different majors. The findings relate to the students’ usage of antivirus programs, firewalls, password security, and security patches. Student perceptions of computer security and its importance are also reported. Research in this area is important for two reasons. First, potential employers may find the results useful in assessing their vulnerability to unsafe practices from entry level employees. Secondly, research in this area can give those responsible for providing computer security education a better understanding of students’ computer security training needs.

