Handbook of Research on Information Security and Assurance
Chapters: 47
Published By IGI Global

ISBN 9781599048550, 9781599048567

Author(s):  
Rodolfo Villarroel ◽  
Eduardo Fernández-Medina ◽  
Juan Trujillo ◽  
Mario Piattini

This chapter presents an approach for designing secure Data Warehouses (DWs) that accomplishes the conceptual modeling of secure DWs independently from the target platform where the DW has to be implemented, because our complete approach follows the Model Driven Architecture (MDA) and Model Driven Security (MDS). In most real-world DW projects, the security aspects are issues that are usually left to the DBMS administrators. We argue that the design of these security aspects should be considered together with the conceptual modeling of DWs from the early stages of a DW project, and that it should be possible to attach user security information to the basic structures of a Multidimensional (MD) model. In this way, we would be able to generate this information in a semi-automatic or automatic way into a target platform, and the final DW will better suit the user security requirements.
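The abstract describes attaching security information to the structures of an MD model and then generating platform-specific access control from it. The following is an added illustration, not the chapter's own method or code: a small star schema whose dimensions, measures and attributes carry a classification level and optional required roles, a platform-independent step that computes what a given profile may see, and a platform-specific step that emits ANSI SQL views and grants. The level names, the sample "sales" schema, the profiles and the view-naming scheme are assumptions made for the example.

```python
"""Secure MD model -> platform-specific SQL (added example, not the chapter's code).

Security information (classification level, required roles) is attached to the
MD model itself; visible_columns() is the platform-independent part, to_sql()
the platform-specific generator. Schema, levels and profiles are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

LEVELS = {"public": 0, "confidential": 1, "secret": 2}   # assumed lattice
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def ident(name: str) -> str:
    """Reject anything that is not a plain identifier before it reaches generated SQL."""
    if not IDENT.match(name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return name


@dataclass
class Attribute:
    name: str
    level: str = "public"                              # classification of this column
    roles: List[str] = field(default_factory=list)     # extra role requirement, empty = none


@dataclass
class Dimension:
    name: str
    key: str                                           # surrogate key, always exposed with the dimension
    attributes: List[Attribute]
    level: str = "public"


@dataclass
class Fact:
    name: str
    measures: List[Attribute]
    dimensions: List[Dimension]
    level: str = "public"


@dataclass
class Profile:
    role: str
    clearance: str


def permitted(attr: Attribute, container_level: str, profile: Profile) -> bool:
    """Clearance must dominate both the container's and the attribute's level,
    and the profile must hold one of the attribute's required roles, if any."""
    needed = max(LEVELS[container_level], LEVELS[attr.level])
    if LEVELS[profile.clearance] < needed:
        return False
    return not attr.roles or profile.role in attr.roles


def visible_columns(fact: Fact, profile: Profile) -> Dict[str, List[str]]:
    """Platform-independent step: the columns of each table this profile may read."""
    cols: Dict[str, List[str]] = {}
    if LEVELS[profile.clearance] < LEVELS[fact.level]:
        return cols
    foreign_keys = []
    for dim in fact.dimensions:
        if LEVELS[profile.clearance] < LEVELS[dim.level]:
            continue                                   # whole dimension hidden
        cols[dim.name] = [dim.key] + [a.name for a in dim.attributes
                                      if permitted(a, dim.level, profile)]
        foreign_keys.append(dim.key)
    cols[fact.name] = foreign_keys + [m.name for m in fact.measures
                                      if permitted(m, fact.level, profile)]
    return cols


def to_sql(fact: Fact, profile: Profile, prefix: str = "sec") -> List[str]:
    """Platform-specific step: one restricted view per table plus a grant to the role."""
    stmts = []
    role = ident(profile.role)
    for table, columns in visible_columns(fact, profile).items():
        view = f"{ident(prefix)}_{role}_{ident(table)}"
        stmts.append(f"CREATE VIEW {view} AS SELECT "
                     f"{', '.join(ident(c) for c in columns)} FROM {ident(table)};")
        stmts.append(f"GRANT SELECT ON {view} TO {role};")
    return stmts


# Constructed sample model: a sales fact with a confidential margin measure and
# a secret SSN attribute that additionally needs the compliance role.
SALES = Fact(
    "sales",
    measures=[Attribute("amount"), Attribute("margin", "confidential", ["finance"])],
    dimensions=[
        Dimension("customer", "customer_id",
                  [Attribute("name"), Attribute("ssn", "secret", ["compliance"])]),
        Dimension("product", "product_id", [Attribute("category")]),
    ],
)

if __name__ == "__main__":
    for profile in (Profile("analyst", "public"), Profile("finance", "confidential"),
                    Profile("compliance", "secret")):
        print("\n".join(to_sql(SALES, profile)))
```

Swapping `to_sql` for a generator that emits another platform's constructs (row-level security policies, label-based access control) leaves the model and `visible_columns` untouched, which is the separation the MDA/MDS approach relies on.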


Author(s):  
Edgar Weippl

This chapter outlines advanced options for security training. It builds on previous publications (Weippl 2005, 2006) and expands them by including aspects of European-wide cooperation efforts in security awareness. Various examples will show what characterizes successful programs. The authors cooperate with ENISA (http://www.enisa.eu.int/) to create a new multi-language awareness training program that uses virtual environments to allow users to train on real systems without any danger. We describe the design and the proposed implementation of the system. In cooperation with the Austrian Computer Society (http://www.ocg.at) we lay the basis for an ECDL module on IT security awareness training. Companies are obliged to reasonably secure their IT systems, and user awareness training is one of the most important and effective means of increasing security. If claims are filed against a company, it is in the interest of management to provide proof that all users completed IT security training. Moreover, advanced and experienced users need a training environment that lets them try complex scenarios in a safe environment.


Author(s):  
Christopher M. Botelho ◽  
Joseph A. Cazier

The threat of social engineering attacks is prevalent in today’s society. Even with the pervasiveness of mass media’s coverage of hackers and security intrusions, the general population is not aware of the possible damage that could occur should they be subjected to a social engineering attack. In order to show the damage caused by these attacks, we will discuss the results of a social engineering attack based on a survey conducted in the downtown area of a large financial center in the United States. The authors make suggestions companies can incorporate into their policies in order to protect their employees, as well as systems from intrusions based on social engineering attacks.


Author(s):  
Paul D. Witman

This chapter provides a set of guidelines to assist information assurance and security researchers in creating, negotiating, and reviewing non-disclosure agreements, in consultation with appropriate legal counsel. It also reviews the use of non-disclosure agreements in academic research environments from multiple points of view. Active academic researchers, industry practitioners, and corporate legal counsel all provided input into the compiled guidelines. An annotated bibliography and links are provided for further review.


Author(s):  
Arjmand Samuel

This chapter outlines the overall access control policy engineering framework in general and discusses the subject of validation of access control mechanisms in particular. Requirements of an access control policy language are introduced and their underlying organizational philosophy is discussed. Next, a number of access control models are discussed and a brief outline of various policy verification approaches is presented. A methodology for validation of access control implementations is presented along with two approaches for test suite generation, that is, complete FSM-based and heuristics-based. This chapter is aimed at providing an overview of the access control policy engineering activity and an in-depth view of one approach to devise test cases for an access control implementation mechanism.
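The abstract contrasts complete FSM-based and heuristics-based test suite generation for validating an access control implementation. The block below is an added example, not the chapter's methodology or code: a small session policy is written as a finite state machine, one generator derives a transition cover from it (every state/input pair exercised once, reached by a shortest prefix), a second generator applies a "test each permission once" heuristic, and both suites are run against a correct implementation and one with a missing elevation check. The states, inputs, policy and both implementations are constructed for the example.

```python
"""FSM-based vs. heuristic test generation for an access control mechanism.

Added example, not the chapter's code. "Complete FSM-based" is realised as a
transition cover over the policy FSM; the heuristic suite covers only the
permitted transitions. Policy and implementations are constructed here.
"""
from collections import deque

STATES = ["logged_out", "logged_in", "elevated"]
INPUTS = ["login", "elevate", "read", "write", "logout"]
INITIAL = "logged_out"

# Policy as a deterministic FSM: (state, input) -> (next_state, decision)
POLICY = {
    ("logged_out", "login"):   ("logged_in", "permit"),
    ("logged_out", "elevate"): ("logged_out", "deny"),
    ("logged_out", "read"):    ("logged_out", "deny"),
    ("logged_out", "write"):   ("logged_out", "deny"),
    ("logged_out", "logout"):  ("logged_out", "deny"),
    ("logged_in", "login"):    ("logged_in", "deny"),
    ("logged_in", "elevate"):  ("elevated", "permit"),
    ("logged_in", "read"):     ("logged_in", "permit"),
    ("logged_in", "write"):    ("logged_in", "deny"),
    ("logged_in", "logout"):   ("logged_out", "permit"),
    ("elevated", "login"):     ("elevated", "deny"),
    ("elevated", "elevate"):   ("elevated", "deny"),
    ("elevated", "read"):      ("elevated", "permit"),
    ("elevated", "write"):     ("elevated", "permit"),
    ("elevated", "logout"):    ("logged_out", "permit"),
}


def shortest_prefix(target):
    """BFS over the policy FSM: shortest input sequence from INITIAL to target."""
    seen = {INITIAL: []}
    queue = deque([INITIAL])
    while queue:
        state = queue.popleft()
        if state == target:
            return seen[state]
        for inp in INPUTS:
            nxt, _ = POLICY[(state, inp)]
            if nxt not in seen:
                seen[nxt] = seen[state] + [inp]
                queue.append(nxt)
    raise ValueError(f"unreachable state {target}")


def fsm_test_suite():
    """Transition cover: one test (sequence, expected decision) per (state, input)."""
    suite = []
    for state in STATES:
        prefix = shortest_prefix(state)
        for inp in INPUTS:
            _, decision = POLICY[(state, inp)]
            suite.append((prefix + [inp], decision))
    return suite


def heuristic_test_suite():
    """Positive-case heuristic: each input once, from the first state that permits it."""
    suite = []
    for inp in INPUTS:
        for state in STATES:
            _, decision = POLICY[(state, inp)]
            if decision == "permit":
                suite.append((shortest_prefix(state) + [inp], decision))
                break
    return suite


class SessionAccessControl:
    """Implementation under test; strict=False models a missing elevation check on write."""

    def __init__(self, strict=True):
        self.strict = strict
        self.logged_in = False
        self.elevated = False

    def request(self, action):
        if action == "login":
            if self.logged_in:
                return "deny"
            self.logged_in = True
            return "permit"
        if action == "logout":
            if not self.logged_in:
                return "deny"
            self.logged_in = self.elevated = False
            return "permit"
        if action == "elevate":
            if not self.logged_in or self.elevated:
                return "deny"
            self.elevated = True
            return "permit"
        if action == "read":
            return "permit" if self.logged_in else "deny"
        if action == "write":
            allowed = self.elevated if self.strict else self.logged_in  # bug when strict=False
            return "permit" if allowed else "deny"
        return "deny"


def run_suite(make_impl, suite):
    """Replay each sequence on a fresh implementation and compare the final decision
    with the policy's; returns the failing cases as (sequence, expected, got)."""
    failures = []
    for sequence, expected in suite:
        impl, got = make_impl(), None
        for action in sequence:
            got = impl.request(action)
        if got != expected:
            failures.append((sequence, expected, got))
    return failures


if __name__ == "__main__":
    for name, strict in (("correct", True), ("buggy", False)):
        fsm = run_suite(lambda: SessionAccessControl(strict), fsm_test_suite())
        heur = run_suite(lambda: SessionAccessControl(strict), heuristic_test_suite())
        print(f"{name}: transition cover failures={len(fsm)} heuristic failures={len(heur)}")
```

The transition cover is three times larger than the heuristic suite, but it is the only one that includes the denied `write` from `logged_in`, which is exactly where the buggy implementation diverges from the policy; a suite built only from permitted cases cannot detect a missing check.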


Author(s):  
Dalila Boughaci ◽  
Brahim Oubeka ◽  
Abdelkader Aissioui ◽  
Habiba Drias ◽  
Belaïd Benhamou

This chapter presents the design and the implementation of a decentralized firewall. The latter uses autonomous agents to control the traffic on the network in a coordinated way. The proposed framework includes a set of controller agents that provide the packet-filtering services, a proxy agent that plays the role of a proxy server, and an identifier agent which is responsible for user authentication. The decentralization of the different agents' activities is managed by an administrator agent, which is the core point for launching the most important operations of the access control. A prototype has been designed and implemented. Furthermore, the authors hope that the underlying framework will inform researchers of a possible way to implement a decentralized firewall to improve the current solution, and will help readers understand the need for techniques and tools such as firewalls that are useful to protect their network traffic.
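To make the division of labour between the four agent kinds concrete, here is an added simulation that is not the chapter's prototype: controller agents filter packets on their segment from a rule set, an identifier agent authenticates users and issues session tokens, a proxy agent forwards only requests backed by a valid token, and an administrator agent owns the master policy and pushes changes to every controller. The rule format, the HMAC token bound to the client address, the PBKDF2 password storage and the scenario addresses are assumptions for the example.

```python
"""Agent-based decentralized firewall (added example, not the chapter's prototype).

Controller agents filter per segment, the identifier agent authenticates users,
the proxy agent relays only authenticated sessions and the administrator agent
distributes policy. Rule format, token scheme and addresses are assumptions.
"""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    action: str                    # "accept" or "drop"
    src_net: str = "0.0.0.0/0"
    dport: Optional[int] = None    # None = any port
    proto: Optional[str] = None    # None = any protocol

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and self.dport in (None, pkt.dport)
                and self.proto in (None, pkt.proto))


class ControllerAgent:
    """Packet filter for one segment: first matching rule wins, default drop."""

    def __init__(self, segment: str):
        self.segment = segment
        self.rules: List[Rule] = []

    def load_policy(self, rules: List[Rule]) -> None:
        self.rules = list(rules)

    def filter(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "drop"


class IdentifierAgent:
    """Authenticates users against salted PBKDF2 hashes and issues session
    tokens (HMAC over user and client address, so a token cannot be reused elsewhere)."""

    def __init__(self, key: bytes):
        self.key = key
        self.users = {}            # name -> (salt, digest)

    @staticmethod
    def _digest(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = (salt, self._digest(salt, password))

    def _token(self, name: str, client_ip: str) -> str:
        return hmac.new(self.key, f"{name}|{client_ip}".encode(), "sha256").hexdigest()

    def authenticate(self, name: str, password: str, client_ip: str) -> Optional[str]:
        record = self.users.get(name)
        if record is None:
            return None
        salt, digest = record
        if not hmac.compare_digest(digest, self._digest(salt, password)):
            return None
        return self._token(name, client_ip)

    def verify(self, name: str, client_ip: str, token: str) -> bool:
        return hmac.compare_digest(token, self._token(name, client_ip))


class ProxyAgent:
    """Application relay; forwards only requests the identifier agent vouches for."""

    def __init__(self, identifier: IdentifierAgent):
        self.identifier = identifier

    def forward(self, name: str, client_ip: str, token: str, url: str) -> str:
        if not self.identifier.verify(name, client_ip, token):
            return "rejected"
        return f"forwarded:{url}"


class AdministratorAgent:
    """Owns the master policy and pushes every change to all controllers."""

    def __init__(self, controllers: List[ControllerAgent]):
        self.controllers = controllers
        self.policy: List[Rule] = []

    def set_policy(self, rules: List[Rule]) -> None:
        self.policy = list(rules)
        for controller in self.controllers:
            controller.load_policy(self.policy)

    def block_source(self, src_net: str) -> None:
        self.set_policy([Rule("drop", src_net)] + self.policy)


def scenario() -> dict:
    """Constructed scenario: two segments, one enrolled user, one emergency block."""
    dmz, lan = ControllerAgent("dmz"), ControllerAgent("lan")
    admin = AdministratorAgent([dmz, lan])
    admin.set_policy([Rule("accept", "10.0.0.0/8", 443), Rule("accept", "0.0.0.0/0", 80)])
    ident = IdentifierAgent(secrets.token_bytes(32))
    ident.enroll("alice", "correct horse battery")
    proxy = ProxyAgent(ident)
    out = {}
    out["lan_https"] = lan.filter(Packet("10.1.2.3", "10.0.0.10", 443))
    out["dmz_ssh"] = dmz.filter(Packet("203.0.113.5", "10.0.0.10", 22))   # no rule: default drop
    token = ident.authenticate("alice", "correct horse battery", "10.1.2.3")
    out["proxy_ok"] = proxy.forward("alice", "10.1.2.3", token, "http://intranet/")
    out["proxy_other_host"] = proxy.forward("alice", "10.9.9.9", token, "http://intranet/")
    out["bad_password"] = ident.authenticate("alice", "wrong", "10.1.2.3") is None
    admin.block_source("10.1.2.0/24")                   # propagates to both controllers
    out["lan_after_block"] = lan.filter(Packet("10.1.2.3", "10.0.0.10", 443))
    out["dmz_after_block"] = dmz.filter(Packet("10.1.2.3", "10.0.0.10", 443))
    return out


if __name__ == "__main__":
    print(scenario())
```

The administrator agent is the single point from which policy changes originate, while enforcement stays distributed: each controller evaluates its own copy of the rules and the proxy consults the identifier agent rather than holding credentials itself.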


Author(s):  
Aditya Ponnam

Organizations worldwide recognize the importance of a comprehensive, continuously evolving risk assessment process, built around a solid risk strategy that properly manages internal and external threats. A comprehensive enterprise risk management strategy must ideally contribute to the protection of the organization's assets, operations, shareholder value, and customer satisfaction while meeting imposed regulatory requirements and standards. As IT represents an integral part of the process required to achieve the aforementioned objectives, managing the risks associated with the information technology infrastructure of an organization is critical. The goal of this chapter is to review the most common risks and threat agents for a typical organization's information technology infrastructure and to discuss how systematic risk management procedures and controls can manage and minimize these risks.


Author(s):  
John D’Arcy ◽  
Anat Hovav

A number of academic studies that focus on various aspects of information security management (ISM) have emerged in recent years. This body of work ranges from the technical, economic, and behavioral aspects of ISM to the effect of industry standards, regulations, and best practices. The purpose of this chapter is to review the current state of ISM research, while providing an integrative framework for future studies. Using the proposed framework as a guide, we identify areas of depth within current ISM literature and areas where research is underdeveloped. Finally, we call for a more comprehensive approach to ISM research that considers multiple dimensions of our framework and their interrelationships.


Author(s):  
Gaeil An ◽  
Joon S. Park

In this chapter, we discuss the evolution of the enterprise security federation, including why the framework should be evolved and how it has been developed and applied to real systems. Furthermore, we analyze the remaining vulnerabilities and weaknesses in current approaches and propose new approaches to resolve those problems. Then, to overcome those weaknesses and vulnerabilities, we propose the PSM (Policy-based Security Management) architecture for an integrated security framework, and the PM (Packet-Marking) architecture for a cooperative security framework. The PSM architecture is able to efficiently realize the security purposes of an organization by controlling, operating, and managing various kinds of security systems consistently based on security policies. The PM architecture is able to effectively deal with suspicious network traffic without requiring a new protocol, while reducing the false-positive problem and perfectly protecting QoS for innocent traffic from attacks. We simulated the PSM and PM architectures to evaluate their performance. The simulation result shows that the PSM architecture can automatically detect and respond to network attacks, and the PM architecture can effectively handle suspicious traffic, such as DDoS traffic.
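The abstract's point about packet marking is that suspicious traffic is marked rather than dropped, so a false positive degrades service instead of cutting it off while innocent traffic keeps its QoS. The block below is an added illustration of that mechanism, not the chapter's PM architecture or its simulation: a marking stage flags packets from any source that exceeds a per-interval rate, and a two-class scheduler serves unmarked packets first and gives marked packets only the leftover capacity, round-robin per source. A "drop suspicious" policy is included for contrast. The traffic mix, threshold and link capacity are constructed for the example.

```python
"""Packet marking with priority scheduling (added example, not the chapter's simulation).

Sources above a rate threshold have their packets marked, never dropped; the
scheduler serves unmarked traffic first and marked traffic from leftover
capacity. Traffic mix, threshold and capacity are constructed assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

RATE_THRESHOLD = 50   # packets per interval above which a source counts as suspicious
LINK_CAPACITY = 200   # packets the outbound link carries per interval


@dataclass
class Packet:
    src: str
    marked: bool = False


def build_traffic():
    """Constructed interval: three normal clients, one legitimate but bursty client
    that trips the threshold (a false positive) and five flooding bots."""
    packets = []
    for client in ("client-a", "client-b", "client-c"):
        packets += [Packet(client) for _ in range(30)]
    packets += [Packet("legit-burst") for _ in range(60)]
    for bot in ("bot1", "bot2", "bot3", "bot4", "bot5"):
        packets += [Packet(bot) for _ in range(500)]
    return packets


def mark_suspicious(packets, threshold=RATE_THRESHOLD):
    """Marking stage: sources above the threshold get their packets marked; nothing is dropped."""
    counts = Counter(p.src for p in packets)
    for p in packets:
        if counts[p.src] > threshold:
            p.marked = True
    return packets


def schedule(packets, capacity=LINK_CAPACITY):
    """Two-class priority scheduler: all unmarked packets first, then marked packets
    with whatever capacity remains; round-robin per source inside each class so no
    single source can monopolise its class."""
    delivered = Counter()
    budget = capacity
    for marked_class in (False, True):
        queues = defaultdict(list)
        for p in packets:
            if p.marked == marked_class:
                queues[p.src].append(p)
        sources = sorted(queues)
        while budget > 0 and any(queues[s] for s in sources):
            for s in sources:
                if budget == 0:
                    break
                if queues[s]:
                    queues[s].pop()
                    delivered[s] += 1
                    budget -= 1
    return delivered


def drop_suspicious(packets):
    """Contrast policy: discard marked packets outright, so a false positive gets nothing."""
    return [p for p in packets if not p.marked]


def simulate(policy="mark"):
    """Run one interval under 'mark' (priority scheduling) or 'drop'; returns delivered counts per source."""
    packets = mark_suspicious(build_traffic())
    if policy == "drop":
        packets = drop_suspicious(packets)
    return schedule(packets)


if __name__ == "__main__":
    for policy in ("mark", "drop"):
        print(policy, dict(sorted(simulate(policy).items())))
```

With marking, the three normal clients get all 30 of their packets through regardless of the 2500-packet flood, the bots share only the 110 packets of leftover capacity, and the bursty legitimate client that was wrongly flagged still gets its round-robin share of that leftover; under the drop policy it gets nothing.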


Author(s):  
Dwayne Stevens ◽  
David T. Green

Voice over Internet Protocol (VoIP) networks signal an evolution in telecommunications that is accelerating the convergence of the Internet and the public switched telephone network (PSTN). Offering decreased costs and other benefits, VoIP is poised to transform telecommunications and the organizations that use them. However, some consider VoIP a security nightmare, combining the worst vulnerabilities of IP networks and voice networks. DoS attacks, crash attacks, packet spoofing, buffer overflow attacks, spam over Internet telephony (SPIT), and word injection all pose threats to commercial enterprise networks and the mission-critical operations that they support.

