Privacy Solutions and Security Frameworks in Information Protection
Latest Publications

Total documents: 16 (five years: 0)
H-index: 1 (five years: 0)

Published by IGI Global

ISBN: 9781466620506, 9781466620513

Author(s): S. Srinivasan, S. P. Alampalayam

Mobile ad hoc networks (MANET) present the opportunity to connect transient nodes to the internet without central control. This very design allows new nodes to join and leave the network based on their proximity to the MANET. Concurrently, it creates many security challenges for authenticating nodes that are not present in a traditional wired network. Much of the existing work on MANET security has focused on routing and mobility. In this paper, the authors present an algorithm that considers the neighboring nodes’ status to determine whether a particular node is malicious. The authors used the NS2 simulation tool to test the algorithm and present the results in the paper. The major benefits of this research work are in military applications.


Author(s): Ahmed Patel, Kenan Kalajdzic, Laleh Golafshan, Mona Taghavi

Zero-knowledge authentication protocols are an alternative to authentication protocols based on public key cryptography. Low processing and memory consumption make them especially suitable for implementation in smart card microprocessors, which are severely limited in processing power and memory space. This paper describes the design and implementation of a software library providing smart card application developers with a reliable authentication mechanism based on well-known zero-knowledge authentication schemes. Java Card is used as the target smart card platform. Implementation results based on the evaluation of the Fiat-Shamir (F-S) and Guillou-Quisquater (G-Q) protocols under various performance criteria are presented to show the effectiveness of the implementation and that G-Q is the more efficient protocol.


Author(s): Anirban Sengupta, Chandan Mazumdar

As enterprises become dependent on information systems, the need for effective Information Security Governance (ISG) assumes significance. ISG manages risks relating to the confidentiality, integrity and availability of information, and its supporting processes and systems, in an enterprise. Even a medium-sized enterprise contains a huge collection of information and other assets. Moreover, risks evolve rapidly in today’s connected digital world. Therefore, the proper implementation of ISG requires automation of the various monitoring, analysis, and control processes. This can be best achieved by representing information security requirements of an enterprise in a standard, structured format. This paper presents such a structured format in the form of Enterprise Security Requirement Markup Language (ESRML) Version 2.0. It is an XML-based language that considers the elements of ISO 27002 best practices.


Author(s): Garry L. White, Francis A. Méndez Mediavilla, Jaymeen R. Shah

In the Web-dependent world, companies must respect and protect individuals’ information privacy. Companies develop and implement corporate information privacy policies to comply with domestic and international information privacy laws and regulations. This paper investigates: (a) the approach used by multinational and domestic companies to develop and implement corporate information privacy policies; and (b) the perception of corporate managers/professionals toward information privacy legislation and secondary use of personally identifiable information (PII) that organizations collect. A survey was conducted to collect data from corporate CEOs, managers, and technical professionals of national and multinational companies. Findings indicate the following: 1) Views regarding the practicality and effectiveness of information privacy legislation are similar for respondents from national and multinational companies. 2) Respondents are undecided about whether the privacy laws of the United States and foreign countries are equally restrictive. 3) Multinational companies do not favor developing and implementing uniform information privacy policies or different information privacy policies across countries of operation. 4) Respondents strongly agreed that unauthorized secondary use of personal information is unacceptable.


Author(s): Ioana Lasc, Reiner Dojen, Tom Coffey

Many peer-to-peer security protocols proposed for wireless communications use one-time shared secrets for authentication purposes. This paper analyses online update mechanisms for one-time shared secrets. A new type of attack against update mechanisms, called the desynchronisation attack, is introduced. This type of attack may lead to a permanent denial of service condition. A case study demonstrates the effectiveness of desynchronisation attacks against a security protocol for mobile satellite communications. A new mutual authentication protocol for satellite communications, incorporating a resynchronisation capability, is proposed to counter the disruptive effects of desynchronisation attacks. The new protocol has a resynchronisation phase that is initiated whenever desynchronisation is suspected. Thus, the possibility of causing permanent denial of service conditions by mounting desynchronisation attacks is eliminated. A security analysis of the proposed protocol establishes its resistance against attacks such as replay attacks, dictionary attacks, and desynchronisation attacks.


Author(s): Benjamin Ngugi, Jafar Mana, Lydia Segal

As the nation confronts a growing tide of security breaches, the importance of having quality data breach information systems becomes paramount. Yet too little attention is paid to evaluating these systems. This article draws on data quality scholarship to develop a yardstick that assesses the quality of data breach notification systems in the U.S. at both the state and national levels from the perspective of key stakeholders, who include law enforcement agencies, consumers, shareholders, investors, researchers, and businesses that sell security products. Findings reveal major shortcomings that reduce the value of data breach information to these stakeholders. The study concludes with detailed recommendations for reform.


Author(s): Murthy V. Rallapalli

This article presents an alternate approach to effectively address the way privacy agreements are initiated through web services. In this new framework, the consumer and the service provider can mutually negotiate the privacy terms. It contains a privacy model in which the transaction takes place only after a negotiation between the service provider and the web user is completed. In addition, this framework would support the various negotiation levels of the agreement lifecycle, which is an important aspect of the dynamic environment of a B2C e-commerce scenario. A trusted third-party agency and a privacy filter are included to handle the privacy information of the web user. The author seeks to raise awareness of the issues surrounding privacy transactions and the potential ongoing impact on both service providers and clients as the use of web services accelerates.


Author(s): Mathew Nicho, Hussein Fakhry

This paper analyses relevant IT governance and security frameworks/standards used in IT assurance and security to propose an integrated framework for ensuring effective PCI DSS implementation. Merchants dealing with credit cards have to comply with the Payment Card Industry Data Security Standard (PCI DSS) or face penalties for non-compliance. With more transactions based on credit cards, merchants are finding it costly and increasingly difficult to implement and interpret the PCI standard. One of the top reasons cited for merchants failing a PCI audit, and a leading factor in data theft, is the failure to adequately protect stored cardholder data. Although implementation of the PCI DSS is not a guarantee of perfect protection, effective implementation of the PCI standard can be ensured by extending the PCI standard into wider information security governance, providing a comprehensive view of information security based not only on security controls but also on security audit and control. The contribution of this paper is the development of an integrated, comprehensive security governance framework for ‘information security’ (rather than data protection) incorporating Control Objectives for Information and related Technology (COBIT), the Information Technology Infrastructure Library (ITIL) and ISO 27002.


Author(s): Harold Pardue, Jeffrey P. Landry, Alec Yasinsac

Approximately 25% (according to http://verifiedvoting.com/) of voting jurisdictions use direct recording electronic systems to record votes. Accurate tabulation of voter intent is critical to safeguard this fundamental act of democracy: voting. Electronic voting systems are known to be vulnerable to attack. Assessing risk to these systems requires a systematic treatment and cataloging of threats, vulnerabilities, technologies, controls, and operational environments. This paper presents a threat tree for direct recording electronic (DRE) voting systems. The threat tree is organized as a hierarchy of threat actions, the goal of which is to exploit a system vulnerability in the context of specific technologies, controls, and operational environments. As an abstraction, the threat tree allows the analyst to reason comparatively about threats. A panel of election officials, security experts, academics, election law attorneys, representatives from governmental agencies, voting equipment vendors, and voting equipment testing labs vetted the DRE threat tree. The authors submit that the DRE threat tree supports both individual and group risk assessment processes and techniques.


Author(s): Cheng-Chi Lee, Min-Shiang Hwang, I-En Liao

Many cryptosystems have been developed to address the problem of information security, and some approaches are based on the self-certified public key proposed by Girault. In Girault’s scheme, the public key is computed cooperatively by both the system authority (SA) and the user. One advantage is that the public key implicitly authenticates itself without any additional certificates. Another advantage is that the SA cannot forge a public key without knowing the user’s secret key. Despite the advantages of Girault’s system, in this paper the authors demonstrate that the system still suffers from two main weaknesses. As a result, the authors propose a slight improvement to Girault’s system.
