Sample records for security vulnerability analysis

  1. Economic Analysis of Cyber Security

    DTIC Science & Technology

    2006-07-01

    vulnerability databases and track the number of incidents reported by U.S. organizations. Many of these are private organizations, such as the security...VULNERABILITY AND ATTACK ESTIMATES Numerous organizations compile vulnerability databases and patch information, and track the number of reported incidents... database / security focus Databases of vulnerabilities identifying the software versions that are susceptible, including information on the method of

  2. Security Vulnerability Profiles of Mission Critical Software: Empirical Analysis of Security Related Bug Reports

    NASA Technical Reports Server (NTRS)

    Goseva-Popstojanova, Katerina; Tyo, Jacob

    2017-01-01

    While some prior research work exists on characteristics of software faults (i.e., bugs) and failures, very little work has been published on analysis of software applications vulnerabilities. This paper aims to contribute towards filling that gap by presenting an empirical investigation of application vulnerabilities. The results are based on data extracted from issue tracking systems of two NASA missions. These data were organized in three datasets: Ground mission IVV issues, Flight mission IVV issues, and Flight mission Developers issues. In each dataset, we identified security related software bugs and classified them in specific vulnerability classes. Then, we created the security vulnerability profiles, i.e., determined where and when the security vulnerabilities were introduced and what were the dominating vulnerabilities classes. Our main findings include: (1) In IVV issues datasets the majority of vulnerabilities were code related and were introduced in the Implementation phase. (2) For all datasets, around 90% of the vulnerabilities were located in two to four subsystems. (3) Out of 21 primary classes, five dominated: Exception Management, Memory Access, Other, Risky Values, and Unused Entities. Together, they contributed from 80% to 90% of vulnerabilities in each dataset.

  3. Vulnerability survival analysis: a novel approach to vulnerability management

    NASA Astrophysics Data System (ADS)

    Farris, Katheryn A.; Sullivan, John; Cybenko, George

    2017-05-01

    Computer security vulnerabilities span across large, enterprise networks and have to be mitigated by security engineers on a routine basis. Presently, security engineers will assess their "risk posture" through quantifying the number of vulnerabilities with a high Common Vulnerability Severity Score (CVSS). Yet, little to no attention is given to the length of time by which vulnerabilities persist and survive on the network. In this paper, we review a novel approach to quantifying the length of time a vulnerability persists on the network, its time-to-death, and predictors of lower vulnerability survival rates. Our contribution is unique in that we apply the Cox proportional hazards regression model to real data from an operational IT environment. This paper provides a mathematical overview of the theory behind survival analysis methods, a description of our vulnerability data, and an interpretation of the results.

  4. Topological Vulnerability Analysis

    NASA Astrophysics Data System (ADS)

    Jajodia, Sushil; Noel, Steven

    Traditionally, network administrators rely on labor-intensive processes for tracking network configurations and vulnerabilities. This requires a great deal of expertise, and is error prone because of the complexity of networks and associated security data. The interdependencies of network vulnerabilities make traditional point-wise vulnerability analysis inadequate. We describe a Topological Vulnerability Analysis (TVA) approach that analyzes vulnerability dependencies and shows all possible attack paths into a network. From models of the network vulnerabilities and potential attacker exploits, we compute attack graphs that convey the impact of individual and combined vulnerabilities on overall security. TVA finds potential paths of vulnerability through a network, showing exactly how attackers may penetrate a network. From this, we identify key vulnerabilities and provide strategies for protection of critical network assets.

  5. Supporting secure programming in web applications through interactive static analysis.

    PubMed

    Zhu, Jun; Xie, Jing; Lipford, Heather Richter; Chu, Bill

    2014-07-01

    Many security incidents are caused by software developers' failure to adhere to secure programming practices. Static analysis tools have been used to detect software vulnerabilities. However, their wide usage by developers is limited by the special training required to write rules customized to application-specific logic. Our approach is interactive static analysis, to integrate static analysis into Integrated Development Environment (IDE) and provide in-situ secure programming support to help developers prevent vulnerabilities during code construction. No additional training is required nor are there any assumptions on ways programs are built. Our work is motivated in part by the observation that many vulnerabilities are introduced due to failure to practice secure programming by knowledgeable developers. We implemented a prototype interactive static analysis tool as a plug-in for Java in Eclipse. Our technical evaluation of our prototype detected multiple zero-day vulnerabilities in a large open source project. Our evaluations also suggest that false positives may be limited to a very small class of use cases.

  6. Supporting secure programming in web applications through interactive static analysis

    PubMed Central

    Zhu, Jun; Xie, Jing; Lipford, Heather Richter; Chu, Bill

    2013-01-01

    Many security incidents are caused by software developers’ failure to adhere to secure programming practices. Static analysis tools have been used to detect software vulnerabilities. However, their wide usage by developers is limited by the special training required to write rules customized to application-specific logic. Our approach is interactive static analysis, to integrate static analysis into Integrated Development Environment (IDE) and provide in-situ secure programming support to help developers prevent vulnerabilities during code construction. No additional training is required nor are there any assumptions on ways programs are built. Our work is motivated in part by the observation that many vulnerabilities are introduced due to failure to practice secure programming by knowledgeable developers. We implemented a prototype interactive static analysis tool as a plug-in for Java in Eclipse. Our technical evaluation of our prototype detected multiple zero-day vulnerabilities in a large open source project. Our evaluations also suggest that false positives may be limited to a very small class of use cases. PMID:25685513

  7. Security Vulnerability and Patch Management in Electric Utilities: A Data-Driven Analysis

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Li, Qinghua; Zhang, Fengli

    This paper explores a real security vulnerability and patch management dataset from an electric utility in order to shed light on characteristics of the vulnerabilities that electric utility assets have and how they are remediated in practice. Specifically, it first analyzes the distribution of vulnerabilities over software, assets, and other metrics. Then it analyzes how vulnerability features affect remediation actions.

  8. Web vulnerability study of online pharmacy sites.

    PubMed

    Kuzma, Joanne

    2011-01-01

    Consumers are increasingly using online pharmacies, but these sites may not provide an adequate level of security with the consumers' personal data. There is a gap in this research addressing the problems of security vulnerabilities in this industry. The objective is to identify the level of web application security vulnerabilities in online pharmacies and the common types of flaws, thus expanding on prior studies. Technical, managerial and legal recommendations on how to mitigate security issues are presented. The proposed four-step method first consists of choosing an online testing tool. The next steps involve choosing a list of 60 online pharmacy sites to test, and then running the software analysis to compile a list of flaws. Finally, an in-depth analysis is performed on the types of web application vulnerabilities. The majority of sites had serious vulnerabilities, with the majority of flaws being cross-site scripting or old versions of software that have not been updated. A method is proposed for the securing of web pharmacy sites, using a multi-phased approach of technical and managerial techniques together with a thorough understanding of national legal requirements for securing systems.

  9. Importance of biometrics to addressing vulnerabilities of the U.S. infrastructure

    NASA Astrophysics Data System (ADS)

    Arndt, Craig M.; Hall, Nathaniel A.

    2004-08-01

    Human identification technologies are important threat countermeasures in minimizing select infrastructure vulnerabilities. Properly targeted countermeasures should be selected and integrated into an overall security solution based on disciplined analysis and modeling. Available data on infrastructure value, threat intelligence, and system vulnerabilities are carefully organized, analyzed and modeled. Prior to design and deployment of an effective countermeasure; the proper role and appropriateness of technology in addressing the overall set of vulnerabilities is established. Deployment of biometrics systems, as with other countermeasures, introduces potentially heightened vulnerabilities into the system. Heightened vulnerabilities may arise from both the newly introduced system complexities and an unfocused understanding of the set of vulnerabilities impacted by the new countermeasure. The countermeasure's own inherent vulnerabilities and those introduced by the system's integration with the existing system are analyzed and modeled to determine the overall vulnerability impact. The United States infrastructure is composed of government and private assets. The infrastructure is valued by their potential impact on several components: human physical safety, physical/information replacement/repair cost, potential contribution to future loss (criticality in weapons production), direct productivity output, national macro-economic output/productivity, and information integrity. These components must be considered in determining the overall impact of an infrastructure security breach. Cost/benefit analysis is then incorporated in the security technology deployment decision process. Overall security risks based on system vulnerabilities and threat intelligence determines areas of potential benefit. Biometric countermeasures are often considered when additional security at intended points of entry would minimize vulnerabilities.

  10. Development of a security vulnerability assessment process for the RAMCAP chemical sector.

    PubMed

    Moore, David A; Fuller, Brad; Hazzan, Michael; Jones, J William

    2007-04-11

    The Department of Homeland Security (DHS), Directorate of Information Analysis & Infrastructure Protection (IAIP), Protective Services Division (PSD), contracted the American Society of Mechanical Engineers Innovative Technologies Institute, LLC (ASME ITI, LLC) to develop guidance on Risk Analysis and Management for Critical Asset Protection (RAMCAP). AcuTech Consulting Group (AcuTech) has been contracted by ASME ITI, LLC, to provide assistance by facilitating the development of sector-specific guidance on vulnerability analysis and management for critical asset protection for the chemical manufacturing, petroleum refining, and liquefied natural gas (LNG) sectors. This activity involves two key tasks for these three sectors: Development of a screening to supplement DHS understanding of the assets that are important to protect against terrorist attack and to prioritize the activities. Development of a standard security vulnerability analysis (SVA) framework for the analysis of consequences, vulnerabilities, and threats. This project involves the cooperative effort of numerous leading industrial companies, industry trade associations, professional societies, and security and safety consultants representative of those sectors. Since RAMCAP is a voluntary program for ongoing risk management for homeland security, sector coordinating councils are being asked to assist in communicating the goals of the program and in encouraging participation. The RAMCAP project will have a profound and positive impact on all sectors as it is fully developed, rolled-out and implemented. It will help define the facilities and operations of national and regional interest for the threat of terrorism, define standardized methods for analyzing consequences, vulnerabilities, and threats, and describe best security practices of the industry. 
    This paper will describe the results of the security vulnerability analysis process that was developed and field tested for the chemical manufacturing sector. This method was developed through the cooperation of the many organizations and the individuals involved from the chemical sector RAMCAP development activities. The RAMCAP SVA method is intended to provide a common basis for making vulnerability assessments and risk-based decisions for homeland security. Mr. Moore serves as the coordinator for the chemical manufacturing, petroleum refining, and LNG sectors for the RAMCAP project and Dr. Jones is the chief technology officer for ASME-ITI, LLC for RAMCAP.

  11. AVQS: attack route-based vulnerability quantification scheme for smart grid.

    PubMed

    Ko, Jongbin; Lim, Hyunwoo; Lee, Seokjun; Shon, Taeshik

    2014-01-01

    A smart grid is a large, consolidated electrical grid system that includes heterogeneous networks and systems. Based on the data, a smart grid system has a potential security threat in its network connectivity. To solve this problem, we develop and apply a novel scheme to measure the vulnerability in a smart grid domain. Vulnerability quantification can be the first step in security analysis because it can help prioritize the security problems. However, existing vulnerability quantification schemes are not suitable for smart grid because they do not consider network vulnerabilities. We propose a novel attack route-based vulnerability quantification scheme using a network vulnerability score and an end-to-end security score, depending on the specific smart grid network environment to calculate the vulnerability score for a particular attack route. To evaluate the proposed approach, we derive several attack scenarios from the advanced metering infrastructure domain. The experimental results of the proposed approach and the existing common vulnerability scoring system clearly show that we need to consider network connectivity for more optimized vulnerability quantification.

  12. A preliminary analysis of quantifying computer security vulnerability data in "the wild"

    NASA Astrophysics Data System (ADS)

    Farris, Katheryn A.; McNamara, Sean R.; Goldstein, Adam; Cybenko, George

    2016-05-01

    A system of computers, networks and software has some level of vulnerability exposure that puts it at risk to criminal hackers. Presently, most vulnerability research uses data from software vendors, and the National Vulnerability Database (NVD). We propose an alternative path forward through grounding our analysis in data from the operational information security community, i.e. vulnerability data from "the wild". In this paper, we propose a vulnerability data parsing algorithm and an in-depth univariate and multivariate analysis of the vulnerability arrival and deletion process (also referred to as the vulnerability birth-death process). We find that vulnerability arrivals are best characterized by the log-normal distribution and vulnerability deletions are best characterized by the exponential distribution. These distributions can serve as prior probabilities for future Bayesian analysis. We also find that over 22% of the deleted vulnerability data have a rate of zero, and that the arrival vulnerability data is always greater than zero. Finally, we quantify and visualize the dependencies between vulnerability arrivals and deletions through a bivariate scatterplot and statistical observations.

  13. Constructing vulnerability and protective measures indices for the enhanced critical infrastructure protection program.

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Fisher, R. E.; Buehring, W. A.; Whitfield, R. G.

    2009-10-14

    The US Department of Homeland Security (DHS) has directed its Protective Security Advisors (PSAs) to form partnerships with the owners and operators of assets most essential to the Nation's well being - a subclass of critical infrastructure and key resources (CIKR) - and to conduct site visits for these and other high-risk assets as part of the Enhanced Critical Infrastructure Protection (ECIP) Program. During each such visit, the PSA documents information about the facility's current CIKR protection posture and overall security awareness. The primary goals for ECIP site visits (DHS 2009) are to: (1) inform facility owners and operators of the importance of their facilities as an identified high-priority CIKR and the need to be vigilant in light of the ever-present threat of terrorism; (2) identify protective measures currently in place at these facilities, provide comparisons of CIKR protection postures across like assets, and track the implementation of new protective measures; and (3) enhance existing relationships among facility owners and operators; DHS; and various Federal, State, local tribal, and territorial partners. PSAs conduct ECIP visits to assess overall site security; educate facility owners and operators about security; help owners and operators identify gaps and potential improvements; and promote communication and information sharing among facility owners and operators, DHS, State governments, and other security partners. Information collected during ECIP visits is used to develop metrics; conduct sector-by-sector and cross-sector vulnerability comparisons; identify security gaps and trends across CIKR sectors and subsectors; establish sector baseline security survey results; and track progress toward improving CIKR security through activities, programs, outreach, and training (Snyder 2009). The data being collected are used in a framework consistent with the National Infrastructure Protection Plan (NIPP) risk criteria (DHS 2009).
    The NIPP framework incorporates consequence, threat, and vulnerability components and addresses all hazards. The analysis of the vulnerability data needs to be reproducible, support risk analysis, and go beyond protection. It also needs to address important security/vulnerability topics, such as physical security, cyber security, systems analysis, and dependencies and interdependencies. This report provides an overview of the approach being developed to estimate vulnerability and provide vulnerability comparisons for sectors and subsectors. The information will be used to assist DHS in analyzing existing protective measures and vulnerability at facilities, to identify potential ways to reduce vulnerabilities, and to assist in preparing sector risk estimates. The owner/operator receives an analysis of the data collected for a specific asset, showing a comparison between the facility's protection posture/vulnerability index and those of DHS sector/subsector sites visited. This comparison gives the owner/operator an indication of the asset's security strengths and weaknesses that may be contributing factors to its vulnerability and protection posture. The information provided to the owner/operator shows how the asset compares to other similar assets within the asset's sector or subsector. A 'dashboard' display is used to illustrate the results in a convenient format. The dashboard allows the owner/operator to analyze the implementation of additional protective measures and to illustrate how such actions would impact the asset's Protective Measures Index (PMI) or Vulnerability Index (VI).

  14. AVQS: Attack Route-Based Vulnerability Quantification Scheme for Smart Grid

    PubMed Central

    Lim, Hyunwoo; Lee, Seokjun; Shon, Taeshik

    2014-01-01

    A smart grid is a large, consolidated electrical grid system that includes heterogeneous networks and systems. Based on the data, a smart grid system has a potential security threat in its network connectivity. To solve this problem, we develop and apply a novel scheme to measure the vulnerability in a smart grid domain. Vulnerability quantification can be the first step in security analysis because it can help prioritize the security problems. However, existing vulnerability quantification schemes are not suitable for smart grid because they do not consider network vulnerabilities. We propose a novel attack route-based vulnerability quantification scheme using a network vulnerability score and an end-to-end security score, depending on the specific smart grid network environment to calculate the vulnerability score for a particular attack route. To evaluate the proposed approach, we derive several attack scenarios from the advanced metering infrastructure domain. The experimental results of the proposed approach and the existing common vulnerability scoring system clearly show that we need to consider network connectivity for more optimized vulnerability quantification. PMID:25152923

  15. DARKDROID: Exposing the Dark Side of Android Marketplaces

    DTIC Science & Technology

    2016-06-01

    Moreover, our approaches can detect apps containing both intentional and unintentional vulnerabilities, such as unsafe code loading mechanisms and...Security, Static Analysis, Dynamic Analysis, Malware Detection, Vulnerability Scanning...applications in a DoD context...Develop sophisticated whole-system static analyses to detect malicious Android applications

  16. Knowledge-Base Semantic Gap Analysis for the Vulnerability Detection

    NASA Astrophysics Data System (ADS)

    Wu, Raymond; Seki, Keisuke; Sakamoto, Ryusuke; Hisada, Masayuki

    Web security became an alert in internet computing. To cope with ever-rising security complexity, semantic analysis is proposed to fill-in the gap that the current approaches fail to commit. Conventional methods limit their focus to the physical source codes instead of the abstraction of semantics. It bypasses new types of vulnerability and causes tremendous business loss.

  17. Empirical Analysis and Automated Classification of Security Bug Reports

    NASA Technical Reports Server (NTRS)

    Tyo, Jacob P.

    2016-01-01

    With the ever expanding amount of sensitive data being placed into computer systems, the need for effective cybersecurity is of utmost importance. However, there is a shortage of detailed empirical studies of security vulnerabilities from which cybersecurity metrics and best practices could be determined. This thesis has two main research goals: (1) to explore the distribution and characteristics of security vulnerabilities based on the information provided in bug tracking systems and (2) to develop data analytics approaches for automatic classification of bug reports as security or non-security related. This work is based on using three NASA datasets as case studies. The empirical analysis showed that the majority of software vulnerabilities belong only to a small number of types. Addressing these types of vulnerabilities will consequently lead to cost efficient improvement of software security. Since this analysis requires labeling of each bug report in the bug tracking system, we explored using machine learning to automate the classification of each bug report as a security or non-security related (two-class classification), as well as each security related bug report as specific security type (multiclass classification). In addition to using supervised machine learning algorithms, a novel unsupervised machine learning approach is proposed. An accuracy of 92%, recall of 96%, precision of 92%, probability of false alarm of 4%, F-Score of 81% and G-Score of 90% were the best results achieved during two-class classification. Furthermore, an accuracy of 80%, recall of 80%, precision of 94%, and F-score of 85% were the best results achieved during multiclass classification.

  18. Statistics of software vulnerability detection in certification testing

    NASA Astrophysics Data System (ADS)

    Barabanov, A. V.; Markov, A. S.; Tsirlov, V. L.

    2018-05-01

    The paper discusses practical aspects of introduction of the methods to detect software vulnerability in the day-to-day activities of the accredited testing laboratory. It presents the approval results of the vulnerability detection methods as part of the study of the open source software and the software that is a test object of the certification tests under information security requirements, including software for communication networks. Results of the study showing the allocation of identified vulnerabilities by types of attacks, country of origin, programming languages used in the development, methods for detecting vulnerability, etc. are given. The experience of foreign information security certification systems related to the detection of certified software vulnerabilities is analyzed. The main conclusion based on the study is the need to implement practices for developing secure software in the development life cycle processes. The conclusions and recommendations for the testing laboratories on the implementation of the vulnerability analysis methods are laid down.

  19. 6 CFR 27.215 - Security vulnerability assessments.

    Code of Federal Regulations, 2010 CFR

    2010-01-01

    ... 6 Domestic Security 1 2010-01-01 2010-01-01 false Security vulnerability assessments. 27.215... FACILITY ANTI-TERRORISM STANDARDS Chemical Facility Security Program § 27.215 Security vulnerability...-risk, the facility must complete a Security Vulnerability Assessment. A Security Vulnerability...

  20. Real-time network security situation visualization and threat assessment based on semi-Markov process

    NASA Astrophysics Data System (ADS)

    Chen, Junhua

    2013-03-01

    To cope with a large amount of data in current sensed environments, decision aid tools should provide their understanding of situations in a time-efficient manner, so there is an increasing need for real-time network security situation awareness and threat assessment. In this study, the state transition model of vulnerability in the network based on semi-Markov process is proposed at first. Once events are triggered by an attacker's action or system response, the current states of the vulnerabilities are known. Then we calculate the transition probabilities of the vulnerability from the current state to security failure state. Furthermore in order to improve accuracy of our algorithms, we adjust the probabilities that they exploit the vulnerability according to the attacker's skill level. In the light of the preconditions and post-conditions of vulnerabilities in the network, attack graph is built to visualize security situation in real time. Subsequently, we predict attack path, recognize attack intention and estimate the impact through analysis of attack graph. These help administrators to insight into intrusion steps, determine security state and assess threat. Finally testing in a network shows that this method is reasonable and feasible, and can undertake tremendous analysis task to facilitate administrators' work.

  1. Finding the ’RITE’ Acquisition Environment for Navy C2 Software

    DTIC Science & Technology

    2015-05-01

    Boiler plate contract language - Gov purpose Rights • Adding expectation of quality to contracting language • Template SOW’s created Pr...Debugger MCCABE IQ Static Analysis Cyclomatic Complexity and KSLOC. All Languages HP Fortify Security Scan STIG and Vulnerabilities Security & IA...GSSAT (GOTS) Security Scan STIG and Vulnerabilities AutoIT Automated Test Scripting Engine for Automation Functional Testing TestComplete Automated

  2. Automated Software Vulnerability Analysis

    NASA Astrophysics Data System (ADS)

    Sezer, Emre C.; Kil, Chongkyung; Ning, Peng

    Despite decades of research, software continues to have vulnerabilities. Successful exploitations of these vulnerabilities by attackers cost millions of dollars to businesses and individuals. Unfortunately, most effective defensive measures, such as patching and intrusion prevention systems, require an intimate knowledge of the vulnerabilities. Many systems for detecting attacks have been proposed. However, the analysis of the exploited vulnerabilities is left to security experts and programmers. Both the human effort involved and the slow analysis process are unfavorable for timely defensive measure to be deployed. The problem is exacerbated by zero-day attacks.

  3. Food security and nutritional outcomes among urban poor orphans in Nairobi, Kenya.

    PubMed

    Kimani-Murage, Elizabeth W; Holding, Penny A; Fotso, Jean-Christophe; Ezeh, Alex C; Madise, Nyovani J; Kahurani, Elizabeth N; Zulu, Eliya M

    2011-06-01

    The study examines the relationship between orphanhood status and nutritional status and food security among children living in the rapidly growing and uniquely vulnerable slum settlements in Nairobi, Kenya. The study was conducted between January and June 2007 among children aged 6-14 years, living in informal settlements of Nairobi, Kenya. Anthropometric measurements were taken using standard procedures and z scores generated using the NCHS/WHO reference. Data on food security were collected through separate interviews with children and their caregivers, and used to generate a composite food security score. Multiple regression analysis was done to determine factors related to vulnerability with regards to food security and nutritional outcomes. The results show that orphans were more vulnerable to food insecurity than non-orphans and that paternal orphans were the most vulnerable orphan group. However, these effects were not significant for nutritional status, which measures long-term food deficiencies. The results also show that the most vulnerable children are boys, those living in households with lowest socioeconomic status, with many dependants, and female-headed and headed by adults with low human capital (low education). This study provides useful insights to inform policies and practice to identify target groups and intervention programs to improve the welfare of orphans and vulnerable children living in urban poor communities.

  4. Engineering Safety- and Security-Related Requirements for Software-Intensive Systems

    DTIC Science & Technology

    2010-04-27

    Requirements Negative (shall not) Requirements Hardware Requirements equ remen s System / Documentation Requirements eve oper Requirements Operational ...Validation Actual / Proposed Defensibility C li Operational Vulnerability Analysis VulnerabilityVulnerability Safety Vulnerability performs System ...

  5. 6 CFR 27.240 - Review and approval of security vulnerability assessments.

    Code of Federal Regulations, 2010 CFR

    2010-01-01

    ... 6 Domestic Security 1 2010-01-01 2010-01-01 false Review and approval of security vulnerability... of security vulnerability assessments. (a) Review and Approval. The Department will review and approve in writing all Security Vulnerability Assessments that satisfy the requirements of § 27.215...

  6. Security Investment in Contagious Networks.

    PubMed

    Hasheminasab, Seyed Alireza; Tork Ladani, Behrouz

    2018-01-16

    Security of the systems is normally interdependent in such a way that security risks of one part affect other parts and threats spread through the vulnerable links in the network. So, the risks of the systems can be mitigated through investments in the security of interconnecting links. This article takes an innovative look at the problem of security investment of nodes on their vulnerable links in a given contagious network as a game-theoretic model that can be applied to a variety of applications including information systems. In the proposed game model, each node computes its corresponding risk based on the value of its assets, vulnerabilities, and threats to determine the optimum level of security investments on its external links respecting its limited budget. Furthermore, direct and indirect nonlinear influences of a node's security investment on the risks of other nodes are considered. The existence and uniqueness of the game's Nash equilibrium in the proposed game are also proved. Further analysis of the model in a practical case revealed that taking advantage of the investment effects of other players, perfectly rational players (i.e., those who use the utility function of the proposed game model) make more cost-effective decisions than selfish nonrational or semirational players. © 2018 Society for Risk Analysis.

  7. 49 CFR 15.5 - Sensitive security information.

    Code of Federal Regulations, 2010 CFR

    2010-10-01

    ... requirements of Federal law. (5) Vulnerability assessments. Any vulnerability assessment directed, created... security requirements of Federal law that could reveal a security vulnerability, including the identity of... Guard responsible for conducting vulnerability assessments, security boardings, or engaged in operations...

  8. Protocol vulnerability detection based on network traffic analysis and binary reverse engineering.

    PubMed

    Wen, Shameng; Meng, Qingkun; Feng, Chao; Tang, Chaojing

    2017-01-01

    Network protocol vulnerability detection plays an important role in many domains, including protocol security analysis, application security, and network intrusion detection. In this study, by analyzing the general fuzzing method of network protocols, we propose a novel approach that combines network traffic analysis with the binary reverse engineering method. For network traffic analysis, the block-based protocol description language is introduced to construct test scripts, while the binary reverse engineering method employs the genetic algorithm with a fitness function designed to focus on code coverage. This combination leads to a substantial improvement in fuzz testing for network protocols. We build a prototype system and use it to test several real-world network protocol implementations. The experimental results show that the proposed approach detects vulnerabilities more efficiently and effectively than general fuzzing methods such as SPIKE.

  9. 6 CFR 27.225 - Site security plans.

    Code of Federal Regulations, 2010 CFR

    2010-01-01

    ... meet the following standards: (1) Address each vulnerability identified in the facility's Security Vulnerability Assessment, and identify and describe the security measures to address each such vulnerability; (2... updates, revises or otherwise alters its Security Vulnerability Assessment pursuant to § 27.215(d), the...

  10. The climate sensitivity of food security in Mali - a historical perspective on availability and access dimensions

    NASA Astrophysics Data System (ADS)

    Giannini, A.; Krishnamurthy, P. K.; Cousin, R.; Choularton, R. J.

    2011-12-01

    We present results based on an analysis of a 2005 livelihood survey of ~2000 rural households in ~200 villages scattered across Mali, a sparsely populated, large land-locked country in West Africa, to elucidate the role of climate variability and change in shaping availability and access dimensions of food security. The Comprehensive Food Security Vulnerability Analysis is a recurrent survey carried out by the World Food Programme and in-country partners to map out nutritional and socio-economic status during normal (~food secure) conditions in the hope of understanding underlying cause(s) and prevent the next food security crisis. We set the spatial characterization of food security that emerges from the CFSVA against the background of a varying climate, on intra-seasonal, interannual and multi-decadal time scales: through elucidation of the influence of climate on agricultural production we arrive at an interpretation of structural and conjunctural events affecting food security. We conclude with a discussion of possible interventions to reduce vulnerability.

  11. Securing Digital Audio using Complex Quadratic Map

    NASA Astrophysics Data System (ADS)

    Suryadi, MT; Satria Gunawan, Tjandra; Satria, Yudi

    2018-03-01

    In this digital era, exchanging data is common and easy to do, and therefore the data are vulnerable to attack and manipulation by unauthorized parties. One data type that is vulnerable to attack is digital audio. So, we need a data securing method that is fast and not vulnerable. One of the methods that matches all of those criteria is securing the data using a chaos function. The chaos function used in this research is the complex quadratic map (CQM). Some parameter values cause the key stream generated by the CQM function to pass all 15 NIST tests, which means that the key stream generated using this CQM is proven to be random. In addition, samples of encrypted digital sound, when tested using a goodness of fit test, are proven to be uniform, so securing digital audio using this method is not vulnerable to frequency analysis attack. The key space is very large, about 8.1×10^31 possible keys, and the key sensitivity is very small, about 10^-10; therefore this method is also not vulnerable to brute-force attack. Finally, the processing speed for both the encryption and decryption processes is on average about 450 times faster than the digital audio duration.

  12. 77 FR 28894 - Maritime Vulnerability Self-Assessment Tool

    Federal Register 2010, 2011, 2012, 2013, 2014

    2012-05-16

    ... DEPARTMENT OF HOMELAND SECURITY Transportation Security Administration Maritime Vulnerability Self... maritime vulnerability self- assessment tool. SUMMARY: The Transportation Security Administration (TSA... conducting vulnerability assessments became available and usage of the TMSARM has dropped off considerably...

  13. 75 FR 18819 - Second DRAFT NIST Interagency Report (NISTIR) 7628, Smart Grid Cyber Security Strategy and...

    Federal Register 2010, 2011, 2012, 2013, 2014

    2010-04-13

    ...-0143-01] Second DRAFT NIST Interagency Report (NISTIR) 7628, Smart Grid Cyber Security Strategy and... (NIST) seeks comments on the second draft of NISTIR 7628, Smart Grid Cyber Security Strategy and..., vulnerability categories, bottom-up analysis, individual logical interface diagrams, and the cyber security...

  14. 6 CFR 27.210 - Submissions schedule.

    Code of Federal Regulations, 2010 CFR

    2010-01-01

    ... in any subsequent Federal Register notice. (2) Security Vulnerability Assessment. Unless otherwise notified, a covered facility must complete and submit a Security Vulnerability Assessment within 90... Department's approval of the facility's Site Security Plan. (2) Security Vulnerability Assessment. Unless...

  15. 6 CFR 27.240 - Review and approval of security vulnerability assessments.

    Code of Federal Regulations, 2014 CFR

    2014-01-01

    ... CHEMICAL FACILITY ANTI-TERRORISM STANDARDS Chemical Facility Security Program § 27.240 Review and approval of security vulnerability assessments. (a) Review and Approval. The Department will review and... 6 Domestic Security 1 2014-01-01 2014-01-01 false Review and approval of security vulnerability...

  16. 6 CFR 27.240 - Review and approval of security vulnerability assessments.

    Code of Federal Regulations, 2011 CFR

    2011-01-01

    ... CHEMICAL FACILITY ANTI-TERRORISM STANDARDS Chemical Facility Security Program § 27.240 Review and approval of security vulnerability assessments. (a) Review and Approval. The Department will review and... 6 Domestic Security 1 2011-01-01 2011-01-01 false Review and approval of security vulnerability...

  17. 6 CFR 27.240 - Review and approval of security vulnerability assessments.

    Code of Federal Regulations, 2013 CFR

    2013-01-01

    ... CHEMICAL FACILITY ANTI-TERRORISM STANDARDS Chemical Facility Security Program § 27.240 Review and approval of security vulnerability assessments. (a) Review and Approval. The Department will review and... 6 Domestic Security 1 2013-01-01 2013-01-01 false Review and approval of security vulnerability...

  18. 6 CFR 27.240 - Review and approval of security vulnerability assessments.

    Code of Federal Regulations, 2012 CFR

    2012-01-01

    ... CHEMICAL FACILITY ANTI-TERRORISM STANDARDS Chemical Facility Security Program § 27.240 Review and approval of security vulnerability assessments. (a) Review and Approval. The Department will review and... 6 Domestic Security 1 2012-01-01 2012-01-01 false Review and approval of security vulnerability...

  19. 32 CFR 2001.40 - General.

    Code of Federal Regulations, 2011 CFR

    2011-07-01

    ... crucial nature of the information; analysis of known and anticipated threats; vulnerability; and... Defense Other Regulations Relating to National Defense INFORMATION SECURITY OVERSIGHT OFFICE, NATIONAL ARCHIVES AND RECORDS ADMINISTRATION CLASSIFIED NATIONAL SECURITY INFORMATION Safeguarding § 2001.40 General...

  20. 32 CFR 2001.40 - General.

    Code of Federal Regulations, 2014 CFR

    2014-07-01

    ... crucial nature of the information; analysis of known and anticipated threats; vulnerability; and... Defense Other Regulations Relating to National Defense INFORMATION SECURITY OVERSIGHT OFFICE, NATIONAL ARCHIVES AND RECORDS ADMINISTRATION CLASSIFIED NATIONAL SECURITY INFORMATION Safeguarding § 2001.40 General...

  1. 32 CFR 2001.40 - General.

    Code of Federal Regulations, 2010 CFR

    2010-07-01

    ... crucial nature of the information; analysis of known and anticipated threats; vulnerability; and... Defense Other Regulations Relating to National Defense INFORMATION SECURITY OVERSIGHT OFFICE, NATIONAL ARCHIVES AND RECORDS ADMINISTRATION CLASSIFIED NATIONAL SECURITY INFORMATION Safeguarding § 2001.40 General...

  2. 32 CFR 2001.40 - General.

    Code of Federal Regulations, 2013 CFR

    2013-07-01

    ... crucial nature of the information; analysis of known and anticipated threats; vulnerability; and... Defense Other Regulations Relating to National Defense INFORMATION SECURITY OVERSIGHT OFFICE, NATIONAL ARCHIVES AND RECORDS ADMINISTRATION CLASSIFIED NATIONAL SECURITY INFORMATION Safeguarding § 2001.40 General...

  3. 32 CFR 2001.40 - General.

    Code of Federal Regulations, 2012 CFR

    2012-07-01

    ... crucial nature of the information; analysis of known and anticipated threats; vulnerability; and... Defense Other Regulations Relating to National Defense INFORMATION SECURITY OVERSIGHT OFFICE, NATIONAL ARCHIVES AND RECORDS ADMINISTRATION CLASSIFIED NATIONAL SECURITY INFORMATION Safeguarding § 2001.40 General...

  4. 6 CFR 27.235 - Alternative security program.

    Code of Federal Regulations, 2010 CFR

    2010-01-01

    ... submit an ASP in lieu of a Security Vulnerability Assessment, Site Security Plan, or both. (2) Tier 1... Tier 3 facilities may not submit an ASP in lieu of a Security Vulnerability Assessment. (b) The... Security Vulnerability Assessment or using the procedure specified in § 27.245 if the ASP is intended to...

  5. NV: Nessus Vulnerability Visualization for the Web

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Harrison, Lane; Spahn, Riley B; Iannacone, Michael D

    2012-01-01

    Network vulnerability is a critical component of network security. Yet vulnerability analysis has received relatively little attention from the security visualization community. In this paper we describe nv, a web-based Nessus vulnerability visualization. Nv utilizes treemaps and linked histograms to allow system administrators to discover, analyze, and manage vulnerabilities on their networks. In addition to visualizing single Nessus scans, nv supports the analysis of sequential scans by showing which vulnerabilities have been fixed, remain open, or are newly discovered. Nv was also designed to operate completely in-browser, to avoid sending sensitive data to outside servers. We discuss the design of nv, as well as provide case studies demonstrating vulnerability analysis workflows which include a multiple-node testbed and data from the 2011 VAST Challenge.

  6. Risk Assessment for Mobile Systems Through a Multilayered Hierarchical Bayesian Network.

    PubMed

    Li, Shancang; Tryfonas, Theo; Russell, Gordon; Andriotis, Panagiotis

    2016-08-01

    Mobile systems are facing a number of application vulnerabilities that can be combined together and utilized to penetrate systems with devastating impact. When assessing the overall security of a mobile system, it is important to assess the security risks posed by each mobile application (app), thus gaining a stronger understanding of any vulnerabilities present. This paper aims at developing a three-layer framework that assesses the potential risks which apps introduce within the Android mobile systems. A Bayesian risk graphical model is proposed to evaluate risk propagation in a layered risk architecture. By integrating static analysis, dynamic analysis, and behavior analysis in a hierarchical framework, the risks and their propagation through each layer are well modeled by the Bayesian risk graph, which can quantitatively analyze risks faced by both apps and mobile systems. The proposed hierarchical Bayesian risk graph model offers a novel way to investigate the security risks in the mobile environment and enables users and administrators to evaluate the potential risks. This strategy makes it possible to strengthen both app security and the security of the entire system.

  7. 45 CFR 164.308 - Administrative safeguards.

    Code of Federal Regulations, 2010 CFR

    2010-10-01

    ..., contain, and correct security violations. (ii) Implementation specifications: (A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the... vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a). (C) Sanction policy (Required...

  8. Analysis of Network Vulnerability Under Joint Node and Link Attacks

    NASA Astrophysics Data System (ADS)

    Li, Yongcheng; Liu, Shumei; Yu, Yao; Cao, Ting

    2018-03-01

    The security problem of computer network systems is becoming more and more serious. The fundamental reason is that there are security vulnerabilities in the network system. Therefore, it’s very important to identify and reduce or eliminate these vulnerabilities before they are attacked. In this paper, we are interested in joint node and link attacks and propose a vulnerability evaluation method based on the overall connectivity of the network to defend against this attack. In particular, we analyze the attack cost problem from the attackers’ perspective. The purpose is to find the least-cost set of joint links and nodes whose deletion will lead to serious network connection damage. The simulation results show that the vulnerable elements obtained from the proposed method are more suitable for the attacking idea of the malicious persons in joint node and link attack. It is easy to find that the proposed method has more realistic protection significance.

  9. 33 CFR 105.405 - Format and content of the Facility Security Plan (FSP).

    Code of Federal Regulations, 2010 CFR

    2010-07-01

    ... Vulnerability and Security Measures Summary (Form CG-6025) in appendix A to part 105-Facility Vulnerability and... resubmission of the FSP. (c) The Facility Vulnerability and Security Measures Summary (Form CG-6025) must be completed using information in the FSA concerning identified vulnerabilities and information in the FSP...

  10. Securing General Aviation

    DTIC Science & Technology

    2009-03-03

    ajor vulnerabilities still exist in ... general aviation security,”3 the commission did not further elaborate on the nature of those vulnerabilities...commercial operations may make them an attractive alternative to terrorists seeking to identify and exploit vulnerabilities in aviation security. In this...3, 2003, p. A7. 2 See Report of the Aviation Security Advisory Committee Working Group on General Aviation Airport Security (October 1, 2003); and

  11. A Security Analysis of the 802.11s Wireless Mesh Network Routing Protocol and Its Secure Routing Protocols

    PubMed Central

    Tan, Whye Kit; Lee, Sang-Gon; Lam, Jun Huy; Yoo, Seong-Moo

    2013-01-01

    Wireless mesh networks (WMNs) can act as a scalable backbone by connecting separate sensor networks and even by connecting WMNs to a wired network. The Hybrid Wireless Mesh Protocol (HWMP) is the default routing protocol for the 802.11s WMN. The routing protocol is one of the most important parts of the network, and it requires protection, especially in the wireless environment. The existing security protocols, such as the Broadcast Integrity Protocol (BIP), Counter with cipher block chaining message authentication code protocol (CCMP), Secure Hybrid Wireless Mesh Protocol (SHWMP), Identity Based Cryptography HWMP (IBC-HWMP), Elliptic Curve Digital Signature Algorithm HWMP (ECDSA-HWMP), and Watchdog-HWMP aim to protect the HWMP frames. In this paper, we have analyzed the vulnerabilities of the HWMP and developed security requirements to protect these identified vulnerabilities. We applied the security requirements to analyze the existing secure schemes for HWMP. The results of our analysis indicate that none of these protocols is able to satisfy all of the security requirements. We also present a quantitative complexity comparison among the protocols and an example of a security scheme for HWMP to demonstrate how the result of our research can be utilized. Our research results thus provide a tool for designing secure schemes for the HWMP. PMID:24002231

  12. A security analysis of the 802.11s wireless mesh network routing protocol and its secure routing protocols.

    PubMed

    Tan, Whye Kit; Lee, Sang-Gon; Lam, Jun Huy; Yoo, Seong-Moo

    2013-09-02

    Wireless mesh networks (WMNs) can act as a scalable backbone by connecting separate sensor networks and even by connecting WMNs to a wired network. The Hybrid Wireless Mesh Protocol (HWMP) is the default routing protocol for the 802.11s WMN. The routing protocol is one of the most important parts of the network, and it requires protection, especially in the wireless environment. The existing security protocols, such as the Broadcast Integrity Protocol (BIP), Counter with cipher block chaining message authentication code protocol (CCMP), Secure Hybrid Wireless Mesh Protocol (SHWMP), Identity Based Cryptography HWMP (IBC-HWMP), Elliptic Curve Digital Signature Algorithm HWMP (ECDSA-HWMP), and Watchdog-HWMP aim to protect the HWMP frames. In this paper, we have analyzed the vulnerabilities of the HWMP and developed security requirements to protect these identified vulnerabilities. We applied the security requirements to analyze the existing secure schemes for HWMP. The results of our analysis indicate that none of these protocols is able to satisfy all of the security requirements. We also present a quantitative complexity comparison among the protocols and an example of a security scheme for HWMP to demonstrate how the result of our research can be utilized. Our research results thus provide a tool for designing secure schemes for the HWMP.

  13. 6 CFR 27.400 - Chemical-terrorism vulnerability information.

    Code of Federal Regulations, 2011 CFR

    2011-01-01

    ... 6 Domestic Security 1 2011-01-01 2011-01-01 false Chemical-terrorism vulnerability information. 27.400 Section 27.400 Domestic Security DEPARTMENT OF HOMELAND SECURITY, OFFICE OF THE SECRETARY CHEMICAL FACILITY ANTI-TERRORISM STANDARDS Other § 27.400 Chemical-terrorism vulnerability information. (a...

  14. 6 CFR 27.400 - Chemical-terrorism vulnerability information.

    Code of Federal Regulations, 2010 CFR

    2010-01-01

    ... 6 Domestic Security 1 2010-01-01 2010-01-01 false Chemical-terrorism vulnerability information. 27.400 Section 27.400 Domestic Security DEPARTMENT OF HOMELAND SECURITY, OFFICE OF THE SECRETARY CHEMICAL FACILITY ANTI-TERRORISM STANDARDS Other § 27.400 Chemical-terrorism vulnerability information. (a...

  15. 6 CFR 27.400 - Chemical-terrorism vulnerability information.

    Code of Federal Regulations, 2012 CFR

    2012-01-01

    ... 6 Domestic Security 1 2012-01-01 2012-01-01 false Chemical-terrorism vulnerability information. 27.400 Section 27.400 Domestic Security DEPARTMENT OF HOMELAND SECURITY, OFFICE OF THE SECRETARY CHEMICAL FACILITY ANTI-TERRORISM STANDARDS Other § 27.400 Chemical-terrorism vulnerability information. (a...

  16. 6 CFR 27.400 - Chemical-terrorism vulnerability information.

    Code of Federal Regulations, 2013 CFR

    2013-01-01

    ... 6 Domestic Security 1 2013-01-01 2013-01-01 false Chemical-terrorism vulnerability information. 27.400 Section 27.400 Domestic Security DEPARTMENT OF HOMELAND SECURITY, OFFICE OF THE SECRETARY CHEMICAL FACILITY ANTI-TERRORISM STANDARDS Other § 27.400 Chemical-terrorism vulnerability information. (a...

  17. 6 CFR 27.400 - Chemical-terrorism vulnerability information.

    Code of Federal Regulations, 2014 CFR

    2014-01-01

    ... 6 Domestic Security 1 2014-01-01 2014-01-01 false Chemical-terrorism vulnerability information. 27.400 Section 27.400 Domestic Security DEPARTMENT OF HOMELAND SECURITY, OFFICE OF THE SECRETARY CHEMICAL FACILITY ANTI-TERRORISM STANDARDS Other § 27.400 Chemical-terrorism vulnerability information. (a...

  18. Transformation-aware Exploit Generation using a HI-CFG

    DTIC Science & Technology

    2013-05-16

    testing has many limitations of its own: it can require significant target-specific setup to perform well; it is unlikely to trigger vulnerabilities...check fails represents a potential vulnerability, but a conservative analysis can produce false positives, so we can use exploit generation to find...warnings that correspond to true positives. We can also find potentially vulnerable instructions in the course of a manual binary-level security audit

  19. Livestock and food security: vulnerability to population growth and climate change

    PubMed Central

    Godber, Olivia F; Wall, Richard

    2014-01-01

    Livestock production is an important contributor to sustainable food security for many nations, particularly in low-income areas and marginal habitats that are unsuitable for crop production. Animal products account for approximately one-third of global human protein consumption. Here, a range of indicators, derived from FAOSTAT and World Bank statistics, are used to model the relative vulnerability of nations at the global scale to predicted climate and population changes, which are likely to impact on their use of grazing livestock for food. Vulnerability analysis has been widely used in global change science to predict impacts on food security and famine. It is a tool that is useful to inform policy decision making and direct the targeting of interventions. The model developed shows that nations within sub-Saharan Africa, particularly in the Sahel region, and some Asian nations are likely to be the most vulnerable. Livestock-based food security is already compromised in many areas on these continents and suffers constraints from current climate in addition to the lack of economic and technical support allowing mitigation of predicted climate change impacts. Governance is shown to be a highly influential factor and, paradoxically, it is suggested that current self-sufficiency may increase future potential vulnerability because trade networks are poorly developed. This may be relieved through freer trade of food products, which is also associated with improved governance. Policy decisions, support and interventions will need to be targeted at the most vulnerable nations, but given the strong influence of governance, to be effective, any implementation will require considerable care in the management of underlying structural reform. PMID:24692268

  20. Vulnerability Discovery: Bridging the Gap Between Analysis and Engineering

    DTIC Science & Technology

    2006-01-01

    work in selected technologies © 2006 Carnegie Mellon University 16 An Easy Target: ActiveX 1995 – OLE 2  COM  ActiveX 2000 – CERT/CC... ActiveX Security Workshop 2005 – VU#680526  New vector for exploiting COM vulnerabilities via Internet Explorer discovered 2006 – Dranzer, the COM Object

  1. Genie: An Inference Engine with Applications to Vulnerability Analysis.

    DTIC Science & Technology

    1986-06-01

    Stanford Artificial Intelligence Laboratory, 1976. 15 D. A. Waterman and F. Hayes-Roth, eds. Pattern-Directed Inference Systems. Academic Press, Inc...(Continue on reverse side if necessary and identify by block number) Expert Systems; Artificial Intelligence; Vulnerability Analysis; Knowledge...deduction it is used wherever possible in data-driven mode (forward chaining). Production rules...

  2. A Security Analysis on Kempf-Koodli's Security Scheme for Fast Mobile IPv6

    NASA Astrophysics Data System (ADS)

    You, Ilsun; Sakurai, Kouichi; Hori, Yoshiaki

    Recently, the security scheme, proposed by Kempf and Koodli, has been adopted as a security standard for Fast handover for Mobile IPv6. But, it does not prevent denial of service attacks while resulting in high computation cost. More importantly, we find that it is still vulnerable to redirection attacks because it fails to secure the Unsolicited Neighbor Advertisement messages. In this paper, Kempf-Koodli's scheme is formally analyzed through BAN-logic and its weaknesses are demonstrated.

  3. Cyber Security for the Spaceport Command and Control System: Vulnerability Management and Compliance Analysis

    NASA Technical Reports Server (NTRS)

    Gunawan, Ryan A.

    2016-01-01

    With the rapid development of the Internet, the number of malicious threats to organizations is continually increasing. In June of 2015, the United States Office of Personnel Management (OPM) had a data breach resulting in the compromise of millions of government employee records. The National Aeronautics and Space Administration (NASA) is not exempt from these attacks. Cyber security is becoming a critical facet to the discussion of moving forward with projects. The Spaceport Command and Control System (SCCS) project at the Kennedy Space Center (KSC) aims to develop the launch control system for the next generation launch vehicle in the coming decades. There are many ways to increase the security of the network it uses, from vulnerability management to ensuring operating system images are compliant with securely configured baselines recommended by the United States Government.

  4. Information Assurance Study

    DTIC Science & Technology

    1998-01-01

    usually written up by Logistics or Maintenance (4790 is the Maintenance “Bible”). If need be, and if resources are available, one could collect all...Public domain) SATAN (System Administration Tool for Analyzing Networks) (Public Domain) STAT (Security Test and Analysis Tool) (Harris Corporation...Service-Filtering Tools 1. TCP/IP wrapper program • Tools to Scan Hosts for Known Vulnerabilities 1. ISS (Internet Security Scanner) 2. SATAN (Security

  5. 6 CFR 27.255 - Recordkeeping requirements.

    Code of Federal Regulations, 2010 CFR

    2010-01-01

    ... audit required under § 27.225(e)) or Security Vulnerability Assessment, a record of the audit, including... retain records of submitted Top-Screens, Security Vulnerability Assessments, Site Security Plans, and all...

  6. Livestock and food security: vulnerability to population growth and climate change.

    PubMed

    Godber, Olivia F; Wall, Richard

    2014-10-01

    Livestock production is an important contributor to sustainable food security for many nations, particularly in low-income areas and marginal habitats that are unsuitable for crop production. Animal products account for approximately one-third of global human protein consumption. Here, a range of indicators, derived from FAOSTAT and World Bank statistics, are used to model the relative vulnerability of nations at the global scale to predicted climate and population changes, which are likely to impact on their use of grazing livestock for food. Vulnerability analysis has been widely used in global change science to predict impacts on food security and famine. It is a tool that is useful to inform policy decision making and direct the targeting of interventions. The model developed shows that nations within sub-Saharan Africa, particularly in the Sahel region, and some Asian nations are likely to be the most vulnerable. Livestock-based food security is already compromised in many areas on these continents and suffers constraints from current climate in addition to the lack of economic and technical support allowing mitigation of predicted climate change impacts. Governance is shown to be a highly influential factor and, paradoxically, it is suggested that current self-sufficiency may increase future potential vulnerability because trade networks are poorly developed. This may be relieved through freer trade of food products, which is also associated with improved governance. Policy decisions, support and interventions will need to be targeted at the most vulnerable nations, but given the strong influence of governance, to be effective, any implementation will require considerable care in the management of underlying structural reform. © 2014 The Authors. Global Change Biology Published by John Wiley & Sons Ltd.

  7. 33 CFR Appendix A to Part 105 - Facility Vulnerability and Security Measures Summary (Form CG-6025)

    Code of Federal Regulations, 2010 CFR

    2010-07-01

    ... 33 Navigation and Navigable Waters 1 2010-07-01 2010-07-01 false Facility Vulnerability and Security Measures Summary (Form CG-6025) A Appendix A to Part 105 Navigation and Navigable Waters COAST... Appendix A to Part 105—Facility Vulnerability and Security Measures Summary (Form CG-6025) ER22OC03.000...

  8. Network Vulnerability Assessment of the U.S. Crude Pipeline Infrastructure

    DTIC Science & Technology

    2012-09-01

    56 Clanton, “Oklahoma Oil Hub Helps Keep Oil Prices from Going Higher.” 57 Donald Furgeson, John Mahoney, and Brett Warfield...Vulnerability Assessment Matrix of the COTH.58 58 Furgeson, Mahoney, and Warfield, Security...Steinhäusler et al., “Security Risks to the Oil and Gas Industry: Terrorist Capabilities.” 71 Furgeson, Mahoney, and Warfield, Security Vulnerability

  9. Vulnerability Analysis and Evaluation of Urban Road System in Tianjin

    NASA Astrophysics Data System (ADS)

    Liu, Y. Q.; Wu, X.

    In recent years, with the development of the economy, the road construction of our country has entered into a period of rapid growth. The road transportation network has been expanding and the risk of disasters is increasing. In this paper we study the vulnerability of the urban road system in Tianjin. After analyzing many risk factors of urban road system security, including road construction, road traffic and the natural environment, we proposed an evaluation index of vulnerability of the urban road system and established the corresponding evaluation index system. Based on the results of analysis and comprehensive evaluation, appropriate improvement measures and suggestions which may reduce the vulnerability of the road system and improve the safety and reliability of the road system are proposed.

  10. Cyber / Physical Security Vulnerability Assessment Integration

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    MacDonald, Douglas G.; Simpkins, Bret E.

    Abstract Both physical protection and cyber security domains offer solutions for the discovery of vulnerabilities through the use of various assessment processes and software tools. Each vulnerability assessment (VA) methodology provides the ability to identify and categorize vulnerabilities, and quantifies the risks within their own areas of expertise. Neither approach fully represents the true potential security risk to a site and/or a facility, nor comprehensively assesses the overall security posture. The technical approach to solving this problem was to identify methodologies and processes that blend the physical and cyber security assessments, and develop tools to accurately quantify the unaccounted for risk. SMEs from both the physical and the cyber security domains developed the blending methodologies, and cross trained each other on the various aspects of the physical and cyber security assessment processes. A local critical infrastructure entity volunteered to host a proof of concept physical/cyber security assessment, and the lessons learned have been leveraged by this effort. The four potential modes of attack an adversary can use in approaching a target are: Physical Only Attack, Cyber Only Attack, Physical Enabled Cyber Attack, and the Cyber Enabled Physical Attack. The Physical Only and the Cyber Only pathway analysis are two of the most widely analyzed attack modes. The pathway from an off-site location to the desired target location is dissected to ensure adversarial activity can be detected and neutralized by the protection strategy, prior to completion of a predefined task. This methodology typically explores a one way attack from the public space (or common area) inward towards the target. The Physical Enabled Cyber Attack and the Cyber Enabled Physical Attack are much more intricate. Both scenarios involve beginning in one domain to affect change in the other, then backing outward to take advantage of the reduced system effectiveness, before penetrating further into the defenses. The proper identification and assessment of the overlapping areas (and interaction between these areas) in the VA process is necessary to accurately assess the true risk.

  11. NINJA: a noninvasive framework for internal computer security hardening

    NASA Astrophysics Data System (ADS)

    Allen, Thomas G.; Thomson, Steve

    2004-07-01

    Vulnerabilities are a growing problem in both the commercial and government sector. The latest vulnerability information compiled by CERT/CC, for the year ending Dec. 31, 2002 reported 4129 vulnerabilities representing a 100% increase over the 2001 [1] (the 2003 report has not been published at the time of this writing). It doesn't take long to realize that the growth rate of vulnerabilities greatly exceeds the rate at which the vulnerabilities can be fixed. It also doesn't take long to realize that our nation's networks are growing less secure at an accelerating rate. As organizations become aware of vulnerabilities they may initiate efforts to resolve them, but quickly realize that the size of the remediation project is greater than their current resources can handle. In addition, many IT tools that suggest solutions to the problems in reality only address "some" of the vulnerabilities leaving the organization unsecured and back to square one in searching for solutions. This paper proposes an auditing framework called NINJA (acronym for Network Investigation Notification Joint Architecture) for noninvasive daily scanning/auditing based on common security vulnerabilities that repeatedly occur in a network environment. This framework is used for performing regular audits in order to harden an organization's security infrastructure. The framework is based on the results obtained by the Network Security Assessment Team (NSAT) which emulates adversarial computer network operations for US Air Force organizations. Auditing is the most time consuming factor involved in securing an organization's network infrastructure. The framework discussed in this paper uses existing scripting technologies to maintain a security hardened system at a defined level of performance as specified by the computer security audit team. Mobile agents which were under development at the time of this writing are used at a minimum to improve the noninvasiveness of our scans. In general, noninvasive scans with an adequate framework performed on a daily basis reduce the amount of security work load as well as the timeliness in performing remediation, as verified by the NINJA framework. A vulnerability assessment/auditing architecture based on mobile agent technology is proposed and examined at the end of the article as an enhancement to the current NINJA architecture.

  12. 78 FR 7334 - Port Authority Access to Facility Vulnerability Assessments and the Integration of Security Systems

    Federal Register 2010, 2011, 2012, 2013, 2014

    2013-02-01

    ... to Facility Vulnerability Assessments and the Integration of Security Systems AGENCY: Coast Guard...-sharing measures. Security System Integration Alternatives Require each MTSA-regulated facility owner or... other forms of security system integration. Information Requested 1. We request comments on the...

  13. DOE Office of Scientific and Technical Information (OSTI.GOV)

    MacDonald, Douglas G.; Clements, Samuel L.; Patrick, Scott W.

    Securing high value and critical assets is one of the biggest challenges facing this nation and others around the world. In modern integrated systems, there are four potential modes of attack available to an adversary: • physical only attack, • cyber only attack, • physical-enabled cyber attack, • cyber-enabled physical attack. Blended attacks involve an adversary working in one domain to reduce system effectiveness in another domain. This enables the attacker to penetrate further into the overall layered defenses. Existing vulnerability assessment (VA) processes and software tools which predict facility vulnerabilities typically evaluate the physical and cyber domains separately. Vulnerabilities which result from the integration of cyber-physical control systems are not well characterized and are often overlooked by existing assessment approaches. In this paper, we modified modification of the timely detection methodology, used for decades in physical security VAs, to include cyber components. The Physical and Cyber Risk Analysis Tool (PACRAT) prototype illustrates an integrated vulnerability assessment that includes cyber-physical interdependencies. Information about facility layout, network topology, and emplaced safeguards is used to evaluate how well suited a facility is to detect, delay, and respond to attacks, to identify the pathways most vulnerable to attack, and to evaluate how often safeguards are compromised for a given threat or adversary type. We have tested the PACRAT prototype on critical infrastructure facilities and the results are promising. Future work includes extending the model to prescribe the recommended security improvements via an automated cost-benefit analysis.

  14. Hacking and securing the AR.Drone 2.0 quadcopter: investigations for improving the security of a toy

    NASA Astrophysics Data System (ADS)

    Pleban, Johann-Sebastian; Band, Ricardo; Creutzburg, Reiner

    2014-02-01

    In this article we describe the security problems of the Parrot AR.Drone 2.0 quadcopter. Due to the fact that it is promoted as a toy with low acquisition costs, it may end up being used by many individuals which makes it a target for harmful attacks. In addition, the videostream of the drone could be of interest for a potential attacker due to its ability of revealing confidential information. Therefore, we will perform a security threat analysis on this particular drone. We will set the focus mainly on obvious security vulnerabilities like the unencrypted Wi-Fi connection or the user management of the GNU/Linux operating system which runs on the drone. We will show how the drone can be hacked in order to hijack the AR.Drone 2.0. Our aim is to sensitize the end-user of AR.Drones by describing the security vulnerabilities and to show how the AR.Drone 2.0 could be secured from unauthorized access. We will provide instructions to secure the drone's Wi-Fi connection and its operation with the official Smartphone App and third party PC software.

  15. Performance Analysis of Cyber Security Awareness Delivery Methods

    NASA Astrophysics Data System (ADS)

    Abawajy, Jemal; Kim, Tai-Hoon

    In order to decrease information security threats caused by human-related vulnerabilities, an increased concentration on information security awareness and training is necessary. There are numerous information security awareness training delivery methods. The purpose of this study was to determine what delivery method is most successful in providing security awareness training. We conducted security awareness training using various delivery methods such as text based, game based and a short video presentation with the aim of determining user preference delivery methods. Our study suggests that combined delivery methods are better than an individual security awareness delivery method.

  16. Assessing the security vulnerabilities of correctional facilities

    NASA Astrophysics Data System (ADS)

    Spencer, Debra D.; Morrison, G. Steve

    1998-12-01

    The National Institute of Justice has tasked their satellite facility at Sandia National Laboratories and their Southeast Regional Technology Center in Charleston, South Carolina to devise new procedures and tools for helping correctional facilities to assess their security vulnerabilities. Thus, a team is visiting selected correctional facilities and performing vulnerability assessments. A vulnerability assessment helps identify the easiest paths for inmate escape, for introduction of contraband such as drugs or weapons, for unexpected intrusion from outside of the facility, and for the perpetration of violent acts on other inmates and correctional employees. In addition, the vulnerability assessment helps to quantify the security risks for the facility. From these assessments will come better procedures for performing vulnerability assessments in general at other correctional facilities, as well as the development of tools to assist with the performance of such vulnerability assessments.

  17. Identifying Vulnerabilities and Hardening Attack Graphs for Networked Systems

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Saha, Sudip; Vullinati, Anil K.; Halappanavar, Mahantesh

    We investigate efficient security control methods for protecting against vulnerabilities in networked systems. A large number of interdependent vulnerabilities typically exist in the computing nodes of a cyber-system; as vulnerabilities get exploited, starting from low level ones, they open up the doors to more critical vulnerabilities. These cannot be understood just by a topological analysis of the network, and we use the attack graph abstraction of Dewri et al. to study these problems. In contrast to earlier approaches based on heuristics and evolutionary algorithms, we study rigorous methods for quantifying the inherent vulnerability and hardening cost for the system. We develop algorithms with provable approximation guarantees, and evaluate them for real and synthetic attack graphs.

  18. Cyber Security Threats to Safety-Critical, Space-Based Infrastructures

    NASA Astrophysics Data System (ADS)

    Johnson, C. W.; Atencia Yepez, A.

    2012-01-01

    Space-based systems play an important role within national critical infrastructures. They are being integrated into advanced air-traffic management applications, rail signalling systems, energy distribution software etc. Unfortunately, the end users of communications, location sensing and timing applications often fail to understand that these infrastructures are vulnerable to a wide range of security threats. The following pages focus on concerns associated with potential cyber-attacks. These are important because future attacks may invalidate many of the safety assumptions that support the provision of critical space-based services. These safety assumptions are based on standard forms of hazard analysis that ignore cyber-security considerations. This is a significant limitation when, for instance, security attacks can simultaneously exploit multiple vulnerabilities in a manner that would never occur without a deliberate enemy seeking to damage space based systems and ground infrastructures. We address this concern through the development of a combined safety and security risk assessment methodology. The aim is to identify attack scenarios that justify the allocation of additional design resources so that safety barriers can be strengthened to increase our resilience against security threats.

  19. Security risk assessment: applying the concepts of fuzzy logic.

    PubMed

    Bajpai, Shailendra; Sachdeva, Anish; Gupta, J P

    2010-01-15

    Chemical process industries (CPI) handling hazardous chemicals in bulk can be attractive targets for deliberate adversarial actions by terrorists, criminals and disgruntled employees. It is therefore imperative to have comprehensive security risk management programme including effective security risk assessment techniques. In an earlier work, it has been shown that security risk assessment can be done by conducting threat and vulnerability analysis or by developing Security Risk Factor Table (SRFT). HAZOP type vulnerability assessment sheets can be developed that are scenario based. In SRFT model, important security risk bearing factors such as location, ownership, visibility, inventory, etc., have been used. In this paper, the earlier developed SRFT model has been modified using the concepts of fuzzy logic. In the modified SRFT model, two linguistic fuzzy scales (three-point and four-point) are devised based on trapezoidal fuzzy numbers. Human subjectivity of different experts associated with previous SRFT model is tackled by mapping their scores to the newly devised fuzzy scale. Finally, the fuzzy score thus obtained is defuzzified to get the results. A test case of a refinery is used to explain the method and compared with the earlier work.

  20. Cybersecurity and medical devices: A practical guide for cardiac electrophysiologists

    PubMed Central

    Kramer, Daniel B.; Foo Kune, Denis; Auto de Medeiros, Julio; Yan, Chen; Xu, Wenyuan; Crawford, Thomas; Fu, Kevin

    2017-01-01

    Abstract Medical devices increasingly depend on software. While this expands the ability of devices to perform key therapeutic and diagnostic functions, reliance on software inevitably causes exposure to hazards of security vulnerabilities. This article uses a recent high‐profile case example to outline a proactive approach to security awareness that incorporates a scientific, risk‐based analysis of security concerns that supports ongoing discussions with patients about their medical devices. PMID:28512774

  1. Securing Information in the Healthcare Industry: Network Security, Incident Management, and Insider Threat

    DTIC Science & Technology

    2010-09-23

    Chris, “An Analysis of Breaches Affecting 500 or More Individuals in Healthcare”, HITRUST, August 2010. 2. “2009 Annual Study: Cost of a Data Breach,” Ponemon...penalties for willful neglect • Loss of human life? — While many concerns focus on a data breach, some vulnerabilities can be more severe

  2. SSL/TLS Vulnerability Detection Using Black Box Approach

    NASA Astrophysics Data System (ADS)

    Gunawan, D.; Sitorus, E. H.; Rahmat, R. F.; Hizriadi, A.

    2018-03-01

    Socket Secure Layer (SSL) and Transport Layer Security (TLS) are cryptographic protocols that provide data encryption to secure the communication over a network. However, in some cases, there are vulnerabilities found in the implementation of SSL/TLS because of weak cipher key, certificate validation error or session handling error. One of the most vulnerable SSL/TLS bugs is heartbleed. As the security is essential in data communication, this research aims to build a scanner that detects the SSL/TLS vulnerability by using black box approach. This research will focus on heartbleed case. In addition, this research also gathers information about existing SSL in the server. The black box approach is used to test the output of a system without knowing the process inside the system itself. For testing purpose, this research scanned websites and found that some of the websites still have SSL/TLS vulnerability. Thus, the black box approach can be used to detect the vulnerability without considering the source code and the process inside the application.

  3. Homeland Security Vulnerabilities Of The US National Capital Region’s Bridges

    DTIC Science & Technology

    2016-06-10

    THE HOMELAND SECURITY VULNERABILITIES OF THE US NATIONAL CAPITAL REGION’S BRIDGES A thesis presented to the Faculty of the U.S...AUG 2015 – JUNE 2016 4. TITLE AND SUBTITLE The Homeland Security Vulnerabilities of the US National Capital Region’s Bridges 5a. CONTRACT...degradation as the rest of the United States. The ground transportation infrastructure, especially the bridges, in the NCR presents an interesting case

  4. A Systems Engineering Framework for Implementing a Security and Critical Patch Management Process in Diverse Environments (Academic Departments' Workstations)

    NASA Astrophysics Data System (ADS)

    Mohammadi, Hadi

    Use of the Patch Vulnerability Management (PVM) process should be seriously considered for any networked computing system. The PVM process prevents the operating system (OS) and software applications from being attacked due to security vulnerabilities, which lead to system failures and critical data leakage. The purpose of this research is to create and design a Security and Critical Patch Management Process (SCPMP) framework based on Systems Engineering (SE) principles. This framework will assist Information Technology Department Staff (ITDS) to reduce IT operating time and costs and mitigate the risk of security and vulnerability attacks. Further, this study evaluates implementation of the SCPMP in the networked computing systems of an academic environment in order to: 1. Meet patch management requirements by applying SE principles. 2. Reduce the cost of IT operations and PVM cycles. 3. Improve the current PVM methodologies to prevent networked computing systems from becoming the targets of security vulnerability attacks. 4. Embed a Maintenance Optimization Tool (MOT) in the proposed framework. The MOT allows IT managers to make the most practicable choice of methods for deploying and installing released patches and vulnerability remediation. In recent years, there has been a variety of frameworks for security practices in every networked computing system to protect computer workstations from becoming compromised or vulnerable to security attacks, which can expose important information and critical data. I have developed a new mechanism for implementing PVM for maximizing security-vulnerability maintenance, protecting OS and software packages, and minimizing SCPMP cost. To increase computing system security in any diverse environment, particularly in academia, one must apply SCPMP. I propose an optimal maintenance policy that will allow ITDS to measure and estimate the variation of PVM cycles based on their department's requirements. 
    My results demonstrate that MOT optimizes the process of implementing SCPMP in academic workstations.

  5. Security and Vulnerability Assessment of Social Media Sites: An Exploratory Study

    ERIC Educational Resources Information Center

    Zhao, Jensen; Zhao, Sherry Y.

    2015-01-01

    While the growing popularity of social media has brought many benefits to society, it has also resulted in privacy and security threats. The authors assessed the security and vulnerability of 50 social media sites. The findings indicate that most sites (a) posted privacy and security policies but only a minority stated clearly their execution of…

  6. Indirection and computer security.

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Berg, Michael J.

    2011-09-01

    The discipline of computer science is built on indirection. David Wheeler famously said, 'All problems in computer science can be solved by another layer of indirection. But that usually will create another problem'. We propose that every computer security vulnerability is yet another problem created by the indirections in system designs and that focusing on the indirections involved is a better way to design, evaluate, and compare security solutions. We are not proposing that indirection be avoided when solving problems, but that understanding the relationships between indirections and vulnerabilities is key to securing computer systems. Using this perspective, we analyze common vulnerabilities that plague our computer systems, consider the effectiveness of currently available security solutions, and propose several new security solutions.

  7. 6 CFR 27.105 - Definitions.

    Code of Federal Regulations, 2010 CFR

    2010-01-01

    ..., Security Vulnerability Assessment, and Site Security Plan, through which the Department will collect and analyze key data from chemical facilities. Chemical-terrorism Vulnerability Information or CVI shall mean...

  8. Practical Computer Security through Cryptography

    NASA Technical Reports Server (NTRS)

    McNab, David; Twetev, David (Technical Monitor)

    1998-01-01

    The core protocols upon which the Internet was built are insecure. Weak authentication and the lack of low level encryption services introduce vulnerabilities that propagate upwards in the network stack. Using statistics based on CERT/CC Internet security incident reports, the relative likelihood of attacks via these vulnerabilities is analyzed. The primary conclusion is that the standard UNIX BSD-based authentication system is by far the most commonly exploited weakness. Encryption of sensitive password data and the adoption of cryptographically-based authentication protocols can greatly reduce these vulnerabilities. Basic cryptographic terminology and techniques are presented, with attention focused on the ways in which technology such as encryption and digital signatures can be used to protect against the most commonly exploited vulnerabilities. A survey of contemporary security software demonstrates that tools based on cryptographic techniques, such as Kerberos, ssh, and PGP, are readily available and effectively close many of the most serious security holes. Nine practical recommendations for improving security are described.

  9. Protecting Database Centric Web Services against SQL/XPath Injection Attacks

    NASA Astrophysics Data System (ADS)

    Laranjeiro, Nuno; Vieira, Marco; Madeira, Henrique

    Web services represent a powerful interface for back-end database systems and are increasingly being used in business critical applications. However, field studies show that a large number of web services are deployed with security flaws (e.g., having SQL Injection vulnerabilities). Although several techniques for the identification of security vulnerabilities have been proposed, developing non-vulnerable web services is still a difficult task. In fact, security-related concerns are hard to apply as they involve adding complexity to already complex code. This paper proposes an approach to secure web services against SQL and XPath Injection attacks, by transparently detecting and aborting service invocations that try to take advantage of potential vulnerabilities. Our mechanism was applied to secure several web services specified by the TPC-App benchmark, showing to be 100% effective in stopping attacks, non-intrusive and very easy to use.

  10. Investigative Operations: Use of Covert Testing to Identify Security Vulnerabilities and Fraud, Waste, and Abuse

    DTIC Science & Technology

    2007-11-14

    including evaluations of controls over radioactive materials and security at America’s borders, airport security, sales of sensitive and surplus...officers. The details of this March 2006 report are classified; however, TSA has authorized this limited discussion. Airport Security Testing Sale of...of covert security vulnerability testing of numerous airports across the country. During these covert tests, our investigators passed through airport

  11. Design of a Forecasting Service System for Monitoring of Vulnerabilities of Sensor Networks

    NASA Astrophysics Data System (ADS)

    Song, Jae-Gu; Kim, Jong Hyun; Seo, Dong Il; Kim, Seoksoo

    This study aims to reduce security vulnerabilities of sensor networks which transmit data in an open environment by developing a forecasting service system. The system is to remove or monitor causes of breach incidents in advance. To that end, this research first examines general security vulnerabilities of sensor networks and analyzes characteristics of existing forecasting systems. Then, 5 steps of a forecasting service system are proposed in order to improve security responses.

  12. The hack attack - Increasing computer system awareness of vulnerability threats

    NASA Technical Reports Server (NTRS)

    Quann, John; Belford, Peter

    1987-01-01

    The paper discusses the issue of electronic vulnerability of computer based systems supporting NASA Goddard Space Flight Center (GSFC) by unauthorized users. To test the security of the system and increase security awareness, NYMA, Inc. employed computer 'hackers' to attempt to infiltrate the system(s) under controlled conditions. Penetration procedures, methods, and descriptions are detailed in the paper. The procedure increased the security consciousness of GSFC management to the electronic vulnerability of the system(s).

  13. Analysis of Human Disturbance and Ecological Security Evolution in Oasis in Arid Area Based on LUCC: A Case Study of Oasis in the Northern Tianshan Mountain Slope Economic Zone

    NASA Astrophysics Data System (ADS)

    Song, W. J.; Chen, M. H.; Zhang, Q.; Liu, S. S.; Yang, J. N.

    2017-07-01

    Oases in arid areas are environmentally and economically vulnerable regions. Study on ecological security of oases in arid areas is of great significance to the stability and the economic development of oases. Based on Land Use/Land Cover data in 1965, 1980, 1995, 2005 and 2015, the study analyzes the temporal and spatial changes in human disturbance and ecological security of oases in the Northern Tianshan Mountain Slope Economic Zone (NTMSEZ) in recent 50 years by establishing the ecological security index (ESI) through human disturbance index and landscape vulnerability index. The results showed that: in recent 50 years, the human disturbance of the NTMSEZ has been increased to current moderate human impacts. Urban construction, oasis expansion and farmland reclamation are the main factors of the increment. The human disturbance in Urumchi, Shihezi, Kuitun, Miquan and Changji is higher than that in other oases and that in core areas of oasis is higher than other areas. The ESI of the NTMSEZ increases firstly and then decreases. In most areas, the ESI is “relatively unsafe” and “critical”. However, there are increasingly more vulnerable areas, moving northwestwards and expanding southwards. The ESI gradually presents a “NW-SE” trend of zonal distribution pattern.

  14. How to Perform a Security Audit: Is Your School's or District's Network Vulnerable?

    ERIC Educational Resources Information Center

    Dark, Melissa; Poftak, Amy

    2004-01-01

    In this article, the authors address the importance of taking a proactive approach to securing a school's network. To do this, it is first required to know the system's specific vulnerabilities and what steps to take to reduce them. The formal process for doing this is known as an information security risk assessment, or a security audit. What…

  15. Using software security analysis to verify the secure socket layer (SSL) protocol

    NASA Technical Reports Server (NTRS)

    Powell, John D.

    2004-01-01

    nal Aeronautics and Space Administration (NASA) have tens of thousands of networked computer systems and applications. Software Security vulnerabilities present risks such as lost or corrupted data, information theft, and unavailability of critical systems. These risks represent potentially enormous costs to NASA. The NASA Code Q research initiative 'Reducing Software Security Risk (RSSR) Through an Integrated Approach' offers, among its capabilities, formal verification of software security properties, through the use of model based verification (MBV) to address software security risks. [1,2,3,4,5,6] MBV is a formal approach to software assurance that combines analysis of software, via abstract models, with technology, such as model checkers, that provide automation of the mechanical portions of the analysis process. This paper will discuss: The need for formal analysis to assure software systems with respect to software and why testing alone cannot provide it. The means by which MBV with a Flexible Modeling Framework (FMF) accomplishes the necessary analysis task. An example of FMF style MBV in the verification of properties over the Secure Socket Layer (SSL) communication protocol as a demonstration.

  16. Security of BB84 with weak randomness and imperfect qubit encoding

    NASA Astrophysics Data System (ADS)

    Zhao, Liang-Yuan; Yin, Zhen-Qiang; Li, Hong-Wei; Chen, Wei; Fang, Xi; Han, Zheng-Fu; Huang, Wei

    2018-03-01

    The main threats for the well-known Bennett-Brassard 1984 (BB84) practical quantum key distribution (QKD) systems are that its encoding is inaccurate and measurement device may be vulnerable to particular attacks. Thus, a general physical model or security proof to tackle these loopholes simultaneously and quantitatively is highly desired. Here we give a framework on the security of BB84 when imperfect qubit encoding and vulnerability of measurement device are both considered. In our analysis, the potential attacks to measurement device are generalized by the recently proposed weak randomness model which assumes the input random numbers are partially biased depending on a hidden variable planted by an eavesdropper. And the inevitable encoding inaccuracy is also introduced here. From a fundamental view, our work reveals the potential information leakage due to encoding inaccuracy and weak randomness input. For applications, our result can be viewed as a useful tool to quantitatively evaluate the security of a practical QKD system.

  17. From Secure Memories to Smart Card Security

    NASA Astrophysics Data System (ADS)

    Handschuh, Helena; Trichina, Elena

    Non-volatile memory is essential in most embedded security applications. It will store the key and other sensitive materials for cryptographic and security applications. In this chapter, first an overview is given of current flash memory architectures. Next the standard security features which form the basis of so-called secure memories are described in more detail. Smart cards are a typical embedded application that is very vulnerable to attacks and that at the same time has a high need for secure non-volatile memory. In the next part of this chapter, the secure memories of so-called flash-based high-density smart cards are described. It is followed by a detailed analysis of what the new security challenges for such objects are.

  18. Barriers to Securing Data on Bluetooth®-Enabled Mobile Devices: A Phenomenological Study

    ERIC Educational Resources Information Center

    Hines, Natasha

    2015-01-01

    Company data on mobile devices is vulnerable and subject to unauthorized access. The general problem is that information security incidents compromise the integrity and authenticity of electronic data. The specific problem is that organizational security policies, procedures, and training do not adequately address the vulnerabilities associated…

  19. Regulatory Guide on Conducting a Security Vulnerability Assessment

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Ek, David R.

    This document will provide guidelines on conducting a security vulnerability assessment at a facility regulated by the Radiation Protection Centre. The guidelines provide a performance approach to assess security effectiveness. The guidelines provide guidance for a review following the objectives outlined in IAEA NSS#11 for Category 1, 2, & 3 sources.

  20. Lack of security of networked medical equipment in radiology.

    PubMed

    Moses, Vinu; Korah, Ipeson

    2015-02-01

    OBJECTIVE. There are few articles in the literature describing the security and safety aspects of networked medical equipment in radiology departments. Most radiologists are unaware of the security issues. We review the security of the networked medical equipment of a typical radiology department. MATERIALS AND METHODS. All networked medical equipment in a radiology department was scanned for vulnerabilities with a port scanner and a network vulnerability scanner, and the vulnerabilities were classified using the Common Vulnerability Scoring System. A network sniffer was used to capture and analyze traffic on the radiology network for exposure of confidential patient data. We reviewed the use of antivirus software and firewalls on the networked medical equipment. USB ports and CD and DVD drives in the networked medical equipment were tested to see whether they allowed unauthorized access. Implementation of the virtual private network (VPN) that vendors use to access the radiology network was reviewed. RESULTS. Most of the networked medical equipment in our radiology department used vulnerable software with open ports and services. Of the 144 items scanned, 64 (44%) had at least one critical vulnerability, and 119 (83%) had at least one high-risk vulnerability. Most equipment did not encrypt traffic and allowed capture of confidential patient data. Of the 144 items scanned, two (1%) used antivirus software and three (2%) had a firewall enabled. The USB ports were not secure on 49 of the 58 (84%) items with USB ports, and the CD or DVD drive was not secure on 17 of the 31 (55%) items with a CD or DVD drive. One of three vendors had an insecure implementation of VPN access. CONCLUSION. Radiologists and the medical industry need to urgently review and rectify the security issues in existing networked medical equipment. 
    We hope that the results of our study and this article also raise awareness among radiologists about the security issues of networked medical equipment.

  1. 33 CFR 105.410 - Submission and approval.

    Code of Federal Regulations, 2010 CFR

    2010-07-01

    ... operational characteristics of each facility and must complete a separate Facility Vulnerability and Security Measures Summary (Form CG-6025), in appendix A to part 105—Facility Vulnerability and Security Measures...

  2. Cognitive vulnerability to depression in young people in secure accommodation: the influence of ethnicity and current suicidal ideation.

    PubMed

    Woolgar, Matthew; Tranah, Troy

    2010-10-01

    Young people in secure accommodation are at high risk of depression and self-harm. This study investigates the relationship between depressive symptoms, negative self-schemas and the cognitive vulnerability to depression in 38 young people in secure accommodation. The impact of a) current suicidal ideation and b) a previous history of self-harm behaviour on latent negative self-schemas was examined using a mood induction task. The low mood condition indicated these young people had a latent cognitive vulnerability to depression. However, this vulnerability was exacerbated in the context of current suicidal ideation but not by a history of self-harm behaviours. An unexpected finding was the negative self-schemas of young people from ethnic minority backgrounds were particularly susceptible to the mood induction. The findings are discussed both in terms of the cognitive vulnerabilities of adolescents detained in secure accommodation and the role of participant characteristics on the validity of mood induction studies in adolescence.

  3. Grid Transmission Expansion Planning Model Based on Grid Vulnerability

    NASA Astrophysics Data System (ADS)

    Tang, Quan; Wang, Xi; Li, Ting; Zhang, Quanming; Zhang, Hongli; Li, Huaqiang

    2018-03-01

    Based on grid vulnerability and uniformity theory, a global network structure and state vulnerability factor model is proposed to measure different grid models. A multi-objective power grid planning model is established that considers global power network vulnerability, economy and grid security constraints. An improved chaos crossover and mutation genetic algorithm is used to optimize the plan. In the multi-objective optimization problem the dimensions are not uniform and the weights are not easy to assign, so principal component analysis (PCA) is used to comprehensively assess the population in every generation, making the assessment results more objective and credible. The feasibility and effectiveness of the proposed model are validated by simulation results of Garver-6 bus system and Garver-18 bus.

  4. UGV: security analysis of subsystem control network

    NASA Astrophysics Data System (ADS)

    Abbott-McCune, Sam; Kobezak, Philip; Tront, Joseph; Marchany, Randy; Wicks, Al

    2013-05-01

    Unmanned Ground vehicles (UGVs) are becoming prolific in the heterogeneous superset of robotic platforms. The sensors which provide odometry, localization, perception, and vehicle diagnostics are fused to give the robotic platform a sense of the environment it is traversing. The automotive industry CAN bus has dominated the industry due to the fault tolerance and the message structure allowing high priority messages to reach the desired node in a real time environment. UGVs are being researched and produced at an accelerated rate to perform arduous, repetitive, and dangerous missions that are associated with a military action in a protracted conflict. The technology and applications of the research will inevitably be turned into dual-use platforms to aid civil agencies in the performance of their various operations. Our motivation is security of the holistic system; however as subsystems are outsourced in the design, the overall security of the system may be diminished. We will focus on the CAN bus topology and the vulnerabilities introduced in UGVs and recognizable security vulnerabilities that are inherent in the communications architecture. We will show how data can be extracted from an add-on CAN bus that can be customized to monitor subsystems. The information can be altered or spoofed to force the vehicle to exhibit unwanted actions or render the UGV unusable for the designed mission. The military relies heavily on technology to maintain information dominance, and the security of the information introduced onto the network by UGVs must be safeguarded from vulnerabilities that can be exploited.

  5. Security challenge to using smartphones for SHM

    NASA Astrophysics Data System (ADS)

    Abueh, Yeka; Liu, Hong

    2016-04-01

    Pervasive smartphones have demonstrated great potential in structural health monitoring (SHM) of civil infrastructures. Their sensing, processing, and communication capabilities along with crowdsourcing facility ease technical difficulties and reduce financial burdens of instrumentation and monitoring for SHM in civil infrastructures. However, smartphones are vulnerable to unintentional misuses and malicious attacks. This paper analyzes the vulnerabilities of smartphones in performing SHM and reveals the exploitation of those vulnerabilities. The work probes the attack surface of both devices and data. Device attack scenarios include hacking individual smartphones to modify the data stored on them and orchestrating smartphones to launch a distributed denial-of-service attack. Specifically, experiments are conducted to remotely access an Android smartphone and modify the sensing data of structural health stored on it. The work also presents a case study that reveals the sensitivity of a popular perturbation analysis method to faulty data delivered by a smartphone. The paper provides the direction of meeting the security challenge to using smartphones for SHM. As the first line of defense, device authentication is implemented in the smartphone to stop spoofing. Subsequently, message authentication is devised to maintain data integrity. There is a need to apply data science for the SHM immunity system against the sensitivity to data inaccuracy. The work also evaluates the cost-effectiveness of the proposed security measures, recommending varying levels of security to mitigate the adversaries to smartphones used in SHM systems. It calls for security solutions at the design stage of SHM systems rather than patching up after their implementations.

  6. Execution of a self-directed risk assessment methodology to address HIPAA data security requirements

    NASA Astrophysics Data System (ADS)

    Coleman, Johnathan

    2003-05-01

    This paper analyzes the method and training of a self directed risk assessment methodology entitled OCTAVE (Operationally Critical Threat Asset and Vulnerability Evaluation) at over 170 DOD medical treatment facilities. It focuses specifically on how OCTAVE built interdisciplinary, inter-hierarchical consensus and enhanced local capabilities to perform Health Information Assurance. The Risk Assessment Methodology was developed by the Software Engineering Institute at Carnegie Mellon University as part of the Defense Health Information Assurance Program (DHIAP). The basis for its success is the combination of analysis of organizational practices and technological vulnerabilities. Together, these areas address the core implications behind the HIPAA Security Rule and can be used to develop Organizational Protection Strategies and Technological Mitigation Plans. A key component of OCTAVE is the inter-disciplinary composition of the analysis team (Patient Administration, IT staff and Clinician). It is this unique composition of analysis team members, along with organizational and technical analysis of business practices, assets and threats, which enables facilities to create sound and effective security policies. The Risk Assessment is conducted in-house, and therefore the process, results and knowledge remain within the organization, helping to build consensus in an environment of differing organizational and disciplinary perspectives on Health Information Assurance.

  7. 77 FR 67557 - Special Conditions: ATR-GIE Avions de Transport Regional, Models ATR42-500 and ATR72-212A...

    Federal Register 2010, 2011, 2012, 2013, 2014

    2012-11-13

    ... to, or access by, external systems and networks may result in security vulnerabilities to the... configuration may allow the exploitation of network security vulnerabilities resulting in intentional or..., Models ATR42-500 and ATR72-212A Airplanes; Aircraft Electronic System Security Protection From...

  8. Summary of vulnerability related technologies based on machine learning

    NASA Astrophysics Data System (ADS)

    Zhao, Lei; Chen, Zhihao; Jia, Qiong

    2018-04-01

    As the scale of information system increases by an order of magnitude, the complexity of system software is getting higher. The vulnerability interaction from design, development and deployment to implementation stages greatly increases the risk of the entire information system being attacked successfully. Considering the limitations and lags of the existing mainstream security vulnerability detection techniques, this paper summarizes the development and current status of related technologies based on the machine learning methods applied to deal with massive and irregular data, and handling security vulnerabilities.

  9. GIS Analysis of Changes in Ecological Vulnerability Using a SPCA Model in the Loess Plateau of Northern Shaanxi, China

    PubMed Central

    Kang, Hou; Xuxiang, Li; Jing, Zhang

    2015-01-01

    Changes in ecological vulnerability were analyzed for Northern Shaanxi, China using a geographic information system (GIS). An evaluation model was developed using a spatial principal component analysis (SPCA) model containing land use, soil erosion, topography, climate, vegetation and social economy variables. Using this model, an ecological vulnerability index was computed for the research region. Using natural breaks classification (NBC), the evaluation results were divided into five types: potential, slight, light, medium and heavy. The results indicate that there is greater than average optimism about the conditions of the study region, and the ecological vulnerability index (EVI) of the southern eight counties is lower than that of the northern twelve counties. From 1997 to 2011, the ecological vulnerability index gradually decreased, which means that environmental security was gradually enhanced, although there are still some places that have gradually deteriorated over the past 15 years. In the study area, government and economic factors and precipitation are the main reasons for the changes in ecological vulnerability. PMID:25898407

  10. Cyber Incidents Involving Control Systems

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Robert J. Turk

    2005-10-01

    The Analysis Function of the US-CERT Control Systems Security Center (CSSC) at the Idaho National Laboratory (INL) has prepared this report to document cyber security incidents for use by the CSSC. The description and analysis of incidents reported herein support three CSSC tasks: establishing a business case; increasing security awareness and private and corporate participation related to enhanced cyber security of control systems; and providing informational material to support model development and prioritize activities for CSSC. The stated mission of CSSC is to reduce vulnerability of critical infrastructure to cyber attack on control systems. As stated in the Incident Management Tool Requirements (August 2005) "Vulnerability reduction is promoted by risk analysis that tracks actual risk, emphasizes high risk, determines risk reduction as a function of countermeasures, tracks increase of risk due to external influence, and measures success of the vulnerability reduction program". Process control and Supervisory Control and Data Acquisition (SCADA) systems, with their reliance on proprietary networks and hardware, have long been considered immune to the network attacks that have wreaked so much havoc on corporate information systems. New research indicates this confidence is misplaced--the move to open standards such as Ethernet, Transmission Control Protocol/Internet Protocol, and Web technologies is allowing hackers to take advantage of the control industry's unawareness. Much of the available information about cyber incidents represents a characterization as opposed to an analysis of events. The lack of good analyses reflects an overall weakness in reporting requirements as well as the fact that to date there have been very few serious cyber attacks on control systems. Most companies prefer not to share cyber attack incident data because of potential financial repercussions. Uniform reporting requirements will do much to make this information available to Department of Homeland Security (DHS) and others who require it. This report summarizes the rise in frequency of cyber attacks, describes the perpetrators, and identifies the means of attack. This type of analysis, when used in conjunction with vulnerability analyses, can be used to support a proactive approach to prevent cyber attacks. CSSC will use this document to evolve a standardized approach to incident reporting and analysis. This document will be updated as needed to record additional event analyses and insights regarding incident reporting. This report represents 120 cyber security incidents documented in a number of sources, including: the British Columbia Institute of Technology (BCIT) Industrial Security Incident Database, the 2003 CSI/FBI Computer Crime and Security Survey, the KEMA, Inc., Database, Lawrence Livermore National Laboratory, the Energy Incident Database, the INL Cyber Incident Database, and other open-source data. The National Memorial Institute for the Prevention of Terrorism (MIPT) database was also interrogated but, interestingly, failed to yield any cyber attack incidents. The results of this evaluation indicate that historical evidence provides insight into control system related incidents or failures; however, that the limited available information provides little support to future risk estimates. The documented case history shows that activity has increased significantly since 1988. The majority of incidents come from the Internet by way of opportunistic viruses, Trojans, and worms, but a surprisingly large number are directed acts of sabotage. A substantial number of confirmed, unconfirmed, and potential events that directly or potentially impact control systems worldwide are also identified. Twelve selected cyber incidents are presented at the end of this report as examples of the documented case studies (see Appendix B).

  11. Nested archetypes of vulnerability in African drylands: where lies potential for sustainable agricultural intensification?

    NASA Astrophysics Data System (ADS)

    Sietz, D.; Ordoñez, J. C.; Kok, M. T. J.; Janssen, P.; Hilderink, H. B. M.; Tittonell, P.; Van Dijk, H.

    2017-09-01

    Food production is key to achieving food security in the drylands of sub-Saharan Africa. Since agricultural productivity is limited, however, due to inherent agro-ecological constraints and land degradation, sustainable agricultural intensification has been widely discussed as an opportunity for improving food security and reducing vulnerability. Yet vulnerability determinants are distributed heterogeneously in the drylands of sub-Saharan Africa and sustainable intensification cannot be achieved everywhere in cost-effective and efficient ways. To better understand the heterogeneity of farming systems’ vulnerability in order to support decision making at regional scales, we present archetypes, i.e. socio-ecological patterns, of farming systems’ vulnerability in the drylands of sub-Saharan Africa and reveal their nestedness. We quantitatively indicated the most relevant farming systems’ properties at a sub-national resolution. These factors included water availability, agro-ecological potential, erosion sensitivity, population pressure, urbanisation, remoteness, governance, income and undernourishment. Cluster analysis revealed eight broad archetypes of vulnerability across all drylands of sub-Saharan Africa. The broad archetype representing better governance and highest remoteness in extremely dry and resource-constrained regions encompassed the largest area share (19%), mainly indicated in western Africa. Moreover, six nested archetypes were identified within those regions with better agropotential and prevalent agricultural livelihoods. Among these patterns, the nested archetype depicting regions with highest erosion sensitivity, severe undernourishment and lower agropotential represented the largest population (30%) and area (28%) share, mainly found in the Sahel region. 
    The nested archetype indicating medium undernourishment, better governance and lowest erosion sensitivity showed particular potential for sustainable agricultural intensification, mainly in western and some parts of southeastern and eastern Africa. Insights into the nestedness of archetypes allowed a more differentiated discussion of vulnerability and sustainable intensification opportunities, enhancing the evaluation of key interlinkages between land management and food security. The archetypes may support the transfer of successful intensification strategies based on similarities among the drylands in sub-Saharan Africa.

  12. Improving the Automated Detection and Analysis of Secure Coding Violations

    DTIC Science & Technology

    2014-06-01

    eliminating software vulnerabilities and other flaws. The CERT Division produces books and courses that foster a security mindset in developers, and...website also provides a virtual machine containing a complete build of the Rosecheckers project on Linux. The Rosecheckers project leverages the...Compass/ROSE6 project developed at Lawrence Livermore National Laboratory. This project provides a high-level API for accessing the abstract syntax tree

  13. Transportation security research : coordination needed in selecting and implementing infrastructure vulnerability assessments

    DOT National Transportation Integrated Search

    2003-05-01

    The Department of Transportation's (DOT) Research and Special Programs Administration (RSPA) began research in to assess the vulnerabilities of the nation's transportation infrastructure and develop needed improvements in security in June 2001. The g...

  14. Space Station Program threat and vulnerability analysis

    NASA Technical Reports Server (NTRS)

    Van Meter, Steven D.; Veatch, John D.

    1987-01-01

    An examination has been made of the physical security of the Space Station Program at the Kennedy Space Center in a peacetime environment, in order to furnish facility personnel with threat/vulnerability information. A risk-management approach is used to prioritize threat-target combinations that are characterized in terms of 'insiders' and 'outsiders'. Potential targets were identified and analyzed with a view to their attractiveness to an adversary, as well as to the consequentiality of the resulting damage.

  15. Security Vulnerability Profiles of NASA Mission Software: Empirical Analysis of Security Related Bug Reports

    NASA Technical Reports Server (NTRS)

    Goseva-Popstojanova, Katerina; Tyo, Jacob P.; Sizemore, Brian

    2017-01-01

    NASA develops, runs, and maintains software systems for which security is of vital importance. Therefore, it is becoming an imperative to develop secure systems and extend the current software assurance capabilities to cover information assurance and cybersecurity concerns of NASA missions. The results presented in this report are based on the information provided in the issue tracking systems of one ground mission and one flight mission. The extracted data were used to create three datasets: Ground mission IVV issues, Flight mission IVV issues, and Flight mission Developers issues. In each dataset, we identified the software bugs that are security related and classified them in specific security classes. This information was then used to create the security vulnerability profiles (i.e., to determine how, why, where, and when the security vulnerabilities were introduced) and explore the existence of common trends. The main findings of our work include: (1) Code related security issues dominated both the Ground and Flight mission IVV security issues, with 95% and 92%, respectively. Therefore, enforcing secure coding practices and verification and validation focused on coding errors would be cost effective ways to improve mission's security. (Flight mission Developers issues dataset did not contain data in the Issue Category.) (2) In both the Ground and Flight mission IVV issues datasets, the majority of security issues (i.e., 91% and 85%, respectively) were introduced in the Implementation phase. In most cases, the phase in which the issues were found was the same as the phase in which they were introduced. The most security related issues of the Flight mission Developers issues dataset were found during Code Implementation, Build Integration, and Build Verification; the data on the phase in which these issues were introduced were not available for this dataset. (3) The location of security related issues, as the location of software issues in general, followed the Pareto principle. Specifically, for all three datasets, from 86% to 88% of the security related issues were located in two to four subsystems. (4) The severity levels of most security issues were moderate, in all three datasets. (5) Out of 21 primary security classes, five dominated: Exception Management, Memory Access, Other, Risky Values, and Unused Entities. Together, these classes contributed from around 80% to 90% of all security issues in each dataset. This again proves the Pareto principle of uneven distribution of security issues, in this case across CWE classes, and supports the fact that addressing these dominant security classes provides the most cost efficient way to improve missions' security. The findings presented in this report uncovered the security vulnerability profiles and identified the common trends and dominant classes of security issues, which in turn can be used to select the most efficient secure design and coding best practices compiled by the part of the SARP project team associated with the NASA's Johnson Space Center. In addition, these findings provide valuable input to the NASA IVV initiative aimed at identification of the two 25 CWEs of ground and flight missions.

  16. National Vulnerability Database (NVD)

    National Institute of Standards and Technology Data Gateway

    National Vulnerability Database (NVD) (Web, free access)   NVD is a comprehensive cyber security vulnerability database that integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources. It is based on and synchronized with the CVE vulnerability naming standard.

  17. Three-factor anonymous authentication and key agreement scheme for Telecare Medicine Information Systems.

    PubMed

    Arshad, Hamed; Nikooghadam, Morteza

    2014-12-01

    Nowadays, with comprehensive employment of the internet, healthcare delivery services are provided remotely by telecare medicine information systems (TMISs). A secure mechanism for authentication and key agreement is one of the most important security requirements for TMISs. Recently, Tan proposed a user anonymity preserving three-factor authentication scheme for TMIS. The present paper shows that Tan's scheme is vulnerable to replay attacks and Denial-of-Service attacks. In order to overcome these security flaws, a new and efficient three-factor anonymous authentication and key agreement scheme for TMIS is proposed. Security and performance analysis shows superiority of the proposed scheme in comparison with previously proposed schemes that are related to security of TMISs.

  18. Using cyber vulnerability testing techniques to expose undocumented security vulnerabilities in DCS and SCADA equipment

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Pollet, J.

    2006-07-01

    This session starts by providing an overview of typical DCS (Distributed Control Systems) and SCADA (Supervisory Control and Data Acquisition) architectures, and exposes cyber security vulnerabilities that vendors never admit, but are found through a comprehensive cyber testing process. A complete assessment process involves testing all of the layers and components of a SCADA or DCS environment, from the perimeter firewall all the way down to the end devices controlling the process, including what to look for when conducting a vulnerability assessment of real-time control systems. The following systems are discussed: 1. Perimeter (isolation from corporate IT or other non-critical networks) 2. Remote Access (third Party access into SCADA or DCS networks) 3. Network Architecture (switch, router, firewalls, access controls, network design) 4. Network Traffic Analysis (what is running on the network) 5. Host Operating Systems Hardening 6. Applications (how they communicate with other applications and end devices) 7. End Device Testing (PLCs, RTUs, DCS Controllers, Smart Transmitters) a. System Discovery b. Functional Discovery c. Attack Methodology i. DoS Tests (at what point does the device fail) ii. Malformed Packet Tests (packets that can cause equipment failure) iii. Session Hijacking (do anything that the operator can do) iv. Packet Injection (code and inject your own SCADA commands) v. Protocol Exploitation (Protocol Reverse Engineering / Fuzzing) This paper will provide information compiled from over five years of conducting cyber security testing on control systems hardware, software, and systems. (authors)

  19. Cyber Security Assessment Report: Adventium Labs

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    None

    2007-12-31

    Major control system components often have life spans of 15-20 years. Many systems in our Nation's critical infrastructure were installed before the Internet became a reality and security was a concern. Consequently, control systems are generally insecure. Security is now being included in the development of new control system devices; however, legacy control systems remain vulnerable. Most efforts to secure control systems are aimed at protecting network borders, but if an intruder gets inside the network these systems are vulnerable to a cyber attack.

  20. A robust anonymous biometric-based authenticated key agreement scheme for multi-server environments

    PubMed Central

    Huang, Yuanfei; Ma, Fangchao

    2017-01-01

    In order to improve the security in remote authentication systems, numerous biometric-based authentication schemes using smart cards have been proposed. Recently, Moon et al. presented an authentication scheme to remedy the flaws of Lu et al.’s scheme, and claimed that their improved protocol supports the required security properties. Unfortunately, we found that Moon et al.’s scheme still has weaknesses. In this paper, we show that Moon et al.’s scheme is vulnerable to insider attack, server spoofing attack, user impersonation attack and guessing attack. Furthermore, we propose a robust anonymous multi-server authentication scheme using public key encryption to remove the aforementioned problems. From the subsequent formal and informal security analysis, we demonstrate that our proposed scheme provides strong mutual authentication and satisfies the desirable security requirements. The functional and performance analysis shows that the improved scheme has the best secure functionality and is computationally efficient. PMID:29121050

  1. A robust anonymous biometric-based authenticated key agreement scheme for multi-server environments.

    PubMed

    Guo, Hua; Wang, Pei; Zhang, Xiyong; Huang, Yuanfei; Ma, Fangchao

    2017-01-01

    In order to improve the security in remote authentication systems, numerous biometric-based authentication schemes using smart cards have been proposed. Recently, Moon et al. presented an authentication scheme to remedy the flaws of Lu et al.'s scheme, and claimed that their improved protocol supports the required security properties. Unfortunately, we found that Moon et al.'s scheme still has weaknesses. In this paper, we show that Moon et al.'s scheme is vulnerable to insider attack, server spoofing attack, user impersonation attack and guessing attack. Furthermore, we propose a robust anonymous multi-server authentication scheme using public key encryption to remove the aforementioned problems. From the subsequent formal and informal security analysis, we demonstrate that our proposed scheme provides strong mutual authentication and satisfies the desirable security requirements. The functional and performance analysis shows that the improved scheme has the best secure functionality and is computationally efficient.

  2. A coverage and slicing dependencies analysis for seeking software security defects.

    PubMed

    He, Hui; Zhang, Dongyan; Liu, Min; Zhang, Weizhe; Gao, Dongmin

    2014-01-01

    Software security defects have a serious impact on the software quality and reliability. It is a major hidden danger for the operation of a system that a software system has some security flaws. When the scale of the software increases, its vulnerability has become much more difficult to find out. Once these vulnerabilities are exploited, it may lead to great loss. In this situation, the concept of Software Assurance is carried out by some experts. And the automated fault localization technique is a part of the research of Software Assurance. Currently, automated fault localization method includes coverage based fault localization (CBFL) and program slicing. Both of the methods have their own location advantages and defects. In this paper, we have put forward a new method, named Reverse Data Dependence Analysis Model, which integrates the two methods by analyzing the program structure. On this basis, we finally proposed a new automated fault localization method. This method not only is automation lossless but also changes the basic location unit into single sentence, which makes the location effect more accurate. Through several experiments, we proved that our method is more effective. Furthermore, we analyzed the effectiveness among these existing methods and different faults.

  3. Cyber and Physical Security Vulnerability Assessment for IoT-Based Smart Homes

    PubMed Central

    2018-01-01

    The Internet of Things (IoT) is an emerging paradigm focusing on the connection of devices, objects, or “things” to each other, to the Internet, and to users. IoT technology is anticipated to become an essential requirement in the development of smart homes, as it offers convenience and efficiency to home residents so that they can achieve better quality of life. Application of the IoT model to smart homes, by connecting objects to the Internet, poses new security and privacy challenges in terms of the confidentiality, authenticity, and integrity of the data sensed, collected, and exchanged by the IoT objects. These challenges make smart homes extremely vulnerable to different types of security attacks, resulting in IoT-based smart homes being insecure. Therefore, it is necessary to identify the possible security risks to develop a complete picture of the security status of smart homes. This article applies the operationally critical threat, asset, and vulnerability evaluation (OCTAVE) methodology, known as OCTAVE Allegro, to assess the security risks of smart homes. The OCTAVE Allegro method focuses on information assets and considers different information containers such as databases, physical papers, and humans. The key goals of this study are to highlight the various security vulnerabilities of IoT-based smart homes, to present the risks on home inhabitants, and to propose approaches to mitigating the identified risks. The research findings can be used as a foundation for improving the security requirements of IoT-based smart homes. PMID:29518023

  4. Cyber and Physical Security Vulnerability Assessment for IoT-Based Smart Homes.

    PubMed

    Ali, Bako; Awad, Ali Ismail

    2018-03-08

    The Internet of Things (IoT) is an emerging paradigm focusing on the connection of devices, objects, or "things" to each other, to the Internet, and to users. IoT technology is anticipated to become an essential requirement in the development of smart homes, as it offers convenience and efficiency to home residents so that they can achieve better quality of life. Application of the IoT model to smart homes, by connecting objects to the Internet, poses new security and privacy challenges in terms of the confidentiality, authenticity, and integrity of the data sensed, collected, and exchanged by the IoT objects. These challenges make smart homes extremely vulnerable to different types of security attacks, resulting in IoT-based smart homes being insecure. Therefore, it is necessary to identify the possible security risks to develop a complete picture of the security status of smart homes. This article applies the operationally critical threat, asset, and vulnerability evaluation (OCTAVE) methodology, known as OCTAVE Allegro, to assess the security risks of smart homes. The OCTAVE Allegro method focuses on information assets and considers different information containers such as databases, physical papers, and humans. The key goals of this study are to highlight the various security vulnerabilities of IoT-based smart homes, to present the risks on home inhabitants, and to propose approaches to mitigating the identified risks. The research findings can be used as a foundation for improving the security requirements of IoT-based smart homes.

  5. Change Detection Algorithms for Information Assurance of Computer Networks

    DTIC Science & Technology

    2002-01-01

    original document contains color images...number of computer attacks increases steadily per year. At the time of this writing the Internet Security Systems’ baseline assessment is that a new...across a network by exploiting security flaws in widely-used services offered by vulnerable computers. In order to locate the vulnerable computers, the

  6. Continuous Security Metrics for Prevalent Network Threats: Introduction and First Four Metrics

    DTIC Science & Technology

    2012-05-22

    cyber attack. Recently, high-profile successful attacks have been detected against the International Monetary Fund, Citibank, Lockheed Martin, Google...RSA Security, Sony, and Oak Ridge National Laboratory [13]. These and other attacks have heightened securing networks as a high priority for many...of high-severity vulnerabilities found by network vulnerability scanners (e.g., [40]) and the numbers or percentages of hosts that are not

  7. SPCC- Software Elements for Security Partition Communication Controller

    NASA Astrophysics Data System (ADS)

    Herpel, H. J.; Willig, G.; Montano, G.; Tverdyshev, S.; Eckstein, K.; Schoen, M.

    2016-08-01

    Future satellite missions like Earth Observation, Telecommunication or any other kind are likely to be exposed to various threats aiming at exploiting vulnerabilities of the involved systems and communications. Moreover, the growing complexity of systems coupled with more ambitious types of operational scenarios imply increased security vulnerabilities in the future. In the paper we will describe an architecture and software elements to ensure high level of security on-board a spacecraft. First the threats to the Security Partition Communication Controller (SPCC) will be addressed including the identification of specific vulnerabilities to the SPCC. Furthermore, appropriate security objectives and security requirements are identified to counter the identified threats. The security evaluation of the SPCC will be done in accordance with the Common Criteria (CC). The Software Elements for SPCC have been implemented on flight representative hardware which consists of two major elements: the I/O board and the SPCC board. The SPCC board provides the interfaces with ground while the I/O board interfaces with typical spacecraft equipment busses. Both boards are physically interconnected by a high speed spacewire (SpW) link.

  8. Risk assessment by dynamic representation of vulnerability, exploitation, and impact

    NASA Astrophysics Data System (ADS)

    Cam, Hasan

    2015-05-01

    Assessing and quantifying cyber risk accurately in real-time is essential to providing security and mission assurance in any system and network. This paper presents a modeling and dynamic analysis approach to assessing cyber risk of a network in real-time by representing dynamically its vulnerabilities, exploitations, and impact using integrated Bayesian network and Markov models. Given the set of vulnerabilities detected by a vulnerability scanner in a network, this paper addresses how its risk can be assessed by estimating in real-time the exploit likelihood and impact of vulnerability exploitation on the network, based on real-time observations and measurements over the network. The dynamic representation of the network in terms of its vulnerabilities, sensor measurements, and observations is constructed dynamically using the integrated Bayesian network and Markov models. The transition rates of outgoing and incoming links of states in hidden Markov models are used in determining exploit likelihood and impact of attacks, whereas emission rates help quantify the attack states of vulnerabilities. Simulation results show the quantification and evolving risk scores over time for individual and aggregated vulnerabilities of a network.

  9. An Anonymous User Authentication and Key Agreement Scheme Based on a Symmetric Cryptosystem in Wireless Sensor Networks.

    PubMed

    Jung, Jaewook; Kim, Jiye; Choi, Younsung; Won, Dongho

    2016-08-16

    In wireless sensor networks (WSNs), a registered user can login to the network and use a user authentication protocol to access data collected from the sensor nodes. Since WSNs are typically deployed in unattended environments and sensor nodes have limited resources, many researchers have made considerable efforts to design a secure and efficient user authentication process. Recently, Chen et al. proposed a secure user authentication scheme using symmetric key techniques for WSNs. They claim that their scheme assures high efficiency and security against different types of attacks. After careful analysis, however, we find that Chen et al.'s scheme is still vulnerable to smart card loss attack and is susceptible to denial of service attack, since it is invalid for verification to simply compare an entered ID and a stored ID in smart card. In addition, we also observe that their scheme cannot preserve user anonymity. Furthermore, their scheme cannot quickly detect an incorrect password during login phase, and this flaw wastes both communication and computational overheads. In this paper, we describe how these attacks work, and propose an enhanced anonymous user authentication and key agreement scheme based on a symmetric cryptosystem in WSNs to address all of the aforementioned vulnerabilities in Chen et al.'s scheme. Our analysis shows that the proposed scheme improves the level of security, and is also more efficient relative to other related schemes.

  10. Hazard-Specific Vulnerability Mapping for Water Security in a Shale Gas Context

    NASA Astrophysics Data System (ADS)

    Allen, D. M.; Holding, S.; McKoen, Z.

    2015-12-01

    Northeast British Columbia (NEBC) is estimated to hold large reserves of unconventional natural gas and has experienced rapid growth in shale gas development activities over recent decades. Shale gas development has the potential to impact the quality and quantity of surface and ground water. Robust policies and sound water management are required to protect water security in relation to the water-energy nexus surrounding shale gas development. In this study, hazard-specific vulnerability mapping was conducted across NEBC to identify areas most vulnerable to water quality and quantity deterioration due to shale gas development. Vulnerability represents the combination of a specific hazard threat and the susceptibility of the water system to that threat. Hazard threats (i.e. potential contamination sources and water abstraction) were mapped spatially across the region. The shallow aquifer susceptibility to contamination was characterised using the DRASTIC aquifer vulnerability approach, while the aquifer susceptibility to abstraction was mapped according to aquifer productivity. Surface water susceptibility to contamination was characterised on a watershed basis to describe the propensity for overland flow (i.e. contaminant transport), while watershed discharge estimates were used to assess surface water susceptibility to water abstractions. The spatial distribution of hazard threats and susceptibility were combined to form hazard-specific vulnerability maps for groundwater quality, groundwater quantity, surface water quality and surface water quantity. The vulnerability maps identify priority areas for further research, monitoring and policy development. Priority areas regarding water quality occur where hazard threat (contamination potential) coincide with high aquifer susceptibility or high overland flow potential. Priority areas regarding water quantity occur where demand is estimated to represent a significant proportion of estimated supply. The identification of priority areas allows for characterization of the vulnerability of water security in the region. This vulnerability mapping approach, using the hazard threat and susceptibility indicators, can be applied to other shale gas areas to assess vulnerability to shale gas activities and support water security.

  11. Color image encryption using random transforms, phase retrieval, chaotic maps, and diffusion

    NASA Astrophysics Data System (ADS)

    Annaby, M. H.; Rushdi, M. A.; Nehary, E. A.

    2018-04-01

    The recent tremendous proliferation of color imaging applications has been accompanied by growing research in data encryption to secure color images against adversary attacks. While recent color image encryption techniques perform reasonably well, they still exhibit vulnerabilities and deficiencies in terms of statistical security measures due to image data redundancy and inherent weaknesses. This paper proposes two encryption algorithms that largely treat these deficiencies and boost the security strength through novel integration of the random fractional Fourier transforms, phase retrieval algorithms, as well as chaotic scrambling and diffusion. We show through detailed experiments and statistical analysis that the proposed enhancements significantly improve security measures and immunity to attacks.

  12. Security Events and Vulnerability Data for Cybersecurity Risk Estimation.

    PubMed

    Allodi, Luca; Massacci, Fabio

    2017-08-01

    Current industry standards for estimating cybersecurity risk are based on qualitative risk matrices as opposed to quantitative risk estimates. In contrast, risk assessment in most other industry sectors aims at deriving quantitative risk estimations (e.g., Basel II in Finance). This article presents a model and methodology to leverage on the large amount of data available from the IT infrastructure of an organization's security operation center to quantitatively estimate the probability of attack. Our methodology specifically addresses untargeted attacks delivered by automatic tools that make up the vast majority of attacks in the wild against users and organizations. We consider two-stage attacks whereby the attacker first breaches an Internet-facing system, and then escalates the attack to internal systems by exploiting local vulnerabilities in the target. Our methodology factors in the power of the attacker as the number of "weaponized" vulnerabilities he/she can exploit, and can be adjusted to match the risk appetite of the organization. We illustrate our methodology by using data from a large financial institution, and discuss the significant mismatch between traditional qualitative risk assessments and our quantitative approach. © 2017 Society for Risk Analysis.

  13. Climate smart agriculture, farm household typologies and food security: An ex-ante assessment from Eastern India.

    PubMed

    Lopez-Ridaura, Santiago; Frelat, Romain; van Wijk, Mark T; Valbuena, Diego; Krupnik, Timothy J; Jat, M L

    2018-01-01

    One of the great challenges in agricultural development and sustainable intensification is the assurance of social equity in food security oriented interventions. Development practitioners, researchers, and policy makers alike could benefit from prior insight into what interventions or environmental shocks might differentially affect farmers' food security status, in order to move towards more informed and equitable development. We examined the food security status and livelihood activities of 269 smallholder farm households (HHs) in Bihar, India. Proceeding with a four-step analysis, we first applied a multivariate statistical methodology to differentiate five primary farming system types. We next applied an indicator of food security in the form of HH potential food availability (PFA), and examined the contribution of crop, livestock, and on- and off-farm income generation to PFA within each farm HH type. Lastly, we applied scenario analysis to examine the potential impact of the adoption of 'climate smart' agricultural (CSA) practices in the form of conservation agriculture (CA) and improved livestock husbandry, and environmental shocks on HH PFA. Our results indicate that compared to livestock interventions, CA may hold considerable potential to boost HH PFA, though primarily for wealthier and medium-scale cereal farmers. These farm HH types were however considerably more vulnerable to food insecurity risks resulting from simulated drought, while part-time farmers and resource-poor agricultural laborers generating income from off-farm pursuits were comparatively less vulnerable, due in part to their more diversified income sources and potential to migrate in search of work. Our results underscore the importance of prior planning for development initiatives aimed at increasing smallholder food security while maintaining social equity, while providing a robust methodology to vet the implications of agricultural interventions on an ex ante basis.

  14. The State-Society/Citizen Relationship in Security Analysis: Implications for Planning and Implementation of U.S. Intervention and Peace/State-Building Operations

    DTIC Science & Technology

    2015-04-01

    of the state. Such threats may come into existence when the organizing principles of two states contradict each other in a context where the...security is that the normal condition of actors in a market economy is one of risk, competition, and uncertainty.12 In other words, the actors in the...liberal principles, federative states have no natural unifying principle and, consequently, are more vulnerable to dismemberment, separatism, and

  15. Securing your Site in Development and Beyond

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Akopov, Mikhail S.

    Why wait until production deployment, or even staging and testing deployment to identify security vulnerabilities? Using tools like Burp Suite, you can find security vulnerabilities before they creep up on you. Prevent cross-site scripting attacks, and establish a firmer trust between your website and your client. Verify that Apache/Nginx have the correct SSL Ciphers set. We explore using these tools and more to validate proper Apache/Nginx configurations, and to be compliant with modern configuration standards as part of the development cycle. Your clients can use tools like https://securityheaders.io and https://ssllabs.com to get a graded report on your level of compliance with OWASP Secure Headers Project and SSLLabs recommendations. Likewise, you should always use the same sites to validate your configurations. Burp Suite will find common misconfigurations and will also perform more thorough security testing of your applications. In this session you will see examples of vulnerabilities that were detected early on, as well as how to integrate these practices into your daily workflow.

  16. Preventing infant abductions: an infant security program transitioned into an interdisciplinary model.

    PubMed

    Hiner, Jacqueline; Pyka, Jeanine; Burks, Colleen; Pisegna, Lily; Gador, Rachel Ann

    2012-01-01

    Ensuring the safety of infants born in a hospital is a top priority and, therefore, requires a solid infant security plan. Using an interdisciplinary approach and a systematic change process, nursing leadership in collaboration with clinical nurses and security personnel analyzed the infant security program at this community hospital to identify vulnerabilities. By establishing an interdisciplinary approach to infant security, participants were able to unravel a complicated concept, systematically analyze the gaps, and agree to a plan of action. This resulted in improved communication and clarification of roles between the nursing and security divisions. Supply costs decreased by 17.4% after the first year of implementation. Most importantly, this project enhanced and strengthened the existing infant abduction prevention measures, hard wired the importance of infant security, and minimized vulnerabilities.

  17. Vulnerability

    NASA Technical Reports Server (NTRS)

    Taback, I.

    1979-01-01

    The discussion of vulnerability begins with a description of some of the electrical characteristics of fibers before defining how vulnerability calculations are done. The vulnerability results secured to date are presented. The discussion touches on post exposure vulnerability. After a description of some shock hazard work now underway, the discussion leads into a description of the planned effort and some preliminary conclusions are presented.

  18. TH-A-12A-01: Medical Physicist's Role in Digital Information Security: Threats, Vulnerabilities and Best Practices

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    McDonald, K; Curran, B

    I. Information Security Background (Speaker = Kevin McDonald) Evolution of Medical Devices Living and Working in a Hostile Environment Attack Motivations Attack Vectors Simple Safety Strategies Medical Device Security in the News Medical Devices and Vendors Summary II. Keeping Radiation Oncology IT Systems Secure (Speaker = Bruce Curran) Hardware Security Double-lock Requirements “Foreign” computer systems Portable Device Encryption Patient Data Storage System Requirements Network Configuration Isolating Critical Devices Isolating Clinical Networks Remote Access Considerations Software Applications / Configuration Passwords / Screen Savers Restricted Services / access Software Configuration Restriction Use of DNS to restrict access Patches / Upgrades Awareness Intrusion Prevention Intrusion Detection Threat Risk Analysis Conclusion Learning Objectives: Understanding how Hospital IT Requirements affect Radiation Oncology IT Systems. Illustrating sample practices for hardware, network, and software security. Discussing implementation of good IT security practices in radiation oncology. Understand overall risk and threats scenario in a networked environment.

  19. Beyond a series of security nets: Applying STAMP & STPA to port security

    DOE PAGES

    Williams, Adam D.

    2015-11-17

    Port security is an increasing concern considering the significant role of ports in global commerce and today’s increasingly complex threat environment. Current approaches to port security mirror traditional models of accident causality -- ‘a series of security nets’ based on component reliability and probabilistic assumptions. Traditional port security frameworks result in isolated and inconsistent improvement strategies. Recent work in engineered safety combines the ideas of hierarchy, emergence, control and communication into a new paradigm for understanding port security as an emergent complex system property. The ‘System-Theoretic Accident Model and Process (STAMP)’ is a new model of causality based on systems and control theory. The associated analysis process -- System Theoretic Process Analysis (STPA) -- identifies specific technical or procedural security requirements designed to work in coordination with (and be traceable to) overall port objectives. This process yields port security design specifications that can mitigate (if not eliminate) port security vulnerabilities related to an emphasis on component reliability, lack of coordination between port security stakeholders or economic pressures endemic in the maritime industry. As a result, this article aims to demonstrate how STAMP’s broader view of causality and complexity can better address the dynamic and interactive behaviors of social, organizational and technical components of port security.

  20. Beyond a series of security nets: Applying STAMP & STPA to port security

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Williams, Adam D.

    Port security is an increasing concern considering the significant role of ports in global commerce and today’s increasingly complex threat environment. Current approaches to port security mirror traditional models of accident causality -- ‘a series of security nets’ based on component reliability and probabilistic assumptions. Traditional port security frameworks result in isolated and inconsistent improvement strategies. Recent work in engineered safety combines the ideas of hierarchy, emergence, control and communication into a new paradigm for understanding port security as an emergent complex system property. The ‘System-Theoretic Accident Model and Process (STAMP)’ is a new model of causality based on systems and control theory. The associated analysis process -- System Theoretic Process Analysis (STPA) -- identifies specific technical or procedural security requirements designed to work in coordination with (and be traceable to) overall port objectives. This process yields port security design specifications that can mitigate (if not eliminate) port security vulnerabilities related to an emphasis on component reliability, lack of coordination between port security stakeholders or economic pressures endemic in the maritime industry. As a result, this article aims to demonstrate how STAMP’s broader view of causality and complexity can better address the dynamic and interactive behaviors of social, organizational and technical components of port security.

  1. The experiences of security industry contractors working in Iraq: an interpretative phenomenological analysis.

    PubMed

    Messenger, Katy; Farquharson, Lorna; Stallworthy, Pippa; Cawkill, Paul; Greenberg, Neil

    2012-07-01

    To explore the occupational experiences of private security contractors working in a war zone and how it impacts on their mental health. Semistructured interviews were conducted with seven contractors employed by a large UK-based private security company. Interpretative phenomenological analysis was used to analyze the interview transcripts. Participants also completed the 12-item General Health Questionnaire and the Posttraumatic Stress Disorder Checklist. Four overarching themes emerged: the appeal of the job; vulnerability; keep going; and seeking help for stress in the workplace. No clinically significant levels of distress were reported. Contractors are frequently exposed to stressors known to increase risk of psychiatric difficulty in military personnel. A number of potential protective factors were identified. Only a minority of participants were open to seeking help for mental health difficulties.

  2. An Anonymous User Authentication and Key Agreement Scheme Based on a Symmetric Cryptosystem in Wireless Sensor Networks

    PubMed Central

    Jung, Jaewook; Kim, Jiye; Choi, Younsung; Won, Dongho

    2016-01-01

    In wireless sensor networks (WSNs), a registered user can login to the network and use a user authentication protocol to access data collected from the sensor nodes. Since WSNs are typically deployed in unattended environments and sensor nodes have limited resources, many researchers have made considerable efforts to design a secure and efficient user authentication process. Recently, Chen et al. proposed a secure user authentication scheme using symmetric key techniques for WSNs. They claim that their scheme assures high efficiency and security against different types of attacks. After careful analysis, however, we find that Chen et al.’s scheme is still vulnerable to smart card loss attack and is susceptible to denial of service attack, since it is invalid for verification to simply compare an entered ID and a stored ID in smart card. In addition, we also observe that their scheme cannot preserve user anonymity. Furthermore, their scheme cannot quickly detect an incorrect password during login phase, and this flaw wastes both communication and computational overheads. In this paper, we describe how these attacks work, and propose an enhanced anonymous user authentication and key agreement scheme based on a symmetric cryptosystem in WSNs to address all of the aforementioned vulnerabilities in Chen et al.’s scheme. Our analysis shows that the proposed scheme improves the level of security, and is also more efficient relative to other related schemes. PMID:27537890

  3. Leveraging Social Links for Trust and Privacy in Networks

    NASA Astrophysics Data System (ADS)

    Cutillo, Leucio Antonio; Molva, Refik; Strufe, Thorsten

    Existing on-line social networks (OSN) such as Facebook suffer from several weaknesses regarding privacy and security due to their inherent handling of personal data. As pointed out in [4], a preliminary analysis of existing OSNs shows that they are subject to a number of vulnerabilities, ranging from cloning legitimate users to sybil attacks through privacy violations. Starting from these OSN vulnerabilities as the first step of a broader research activity, we came up with a new approach that is very promising in re-visiting security and privacy problems in distributed systems and networks. We suggest a solution that both aims at avoiding any centralized control and leverages on the real life trust between users, that is part of the social network application itself. An anonymization technique based on multi-hop routing among trusted nodes guarantees privacy in data access and, generally speaking, in all the OSN operations.

  4. [Tuberculosis among the socially vulnerable populations; perspectives from human security concept].

    PubMed

    Ishikawa, Nobukatsu

    2009-07-01

    Tuberculosis (TB) has been and will continue to be the disease of the poor and the socially vulnerable. Current TB epidemiology in Japan shows increasing proportion of TB among the economically and socially poor or vulnerable populations. Though there is no universally recognized set of the definitions, the economically poor who are covered under the social security services including the homeless, foreign migrants, or the aged over 80 years may be considered as consisting the "socially vulnerable population" for TB in Japan. TB among the socially vulnerable has several characteristics, for example, patients are often detected with severe conditions due to delayed diagnosis, and have high defaulter rate during treatment, which causes immature death, or drug-resistant disease. Stop TB Strategy by WHO, responding to the Millennium Development Goals, proposes a new approach which focuses on empowering the patients and the community. Observations from various studies show that DOTS contributes to empowering the patients and the communities. Further effort will be needed to reorient TB programs towards the perspective of patients' empowerment. Solely relying on static analyses of TB among the socially vulnerable has its limitations. Dynamic approach, which utilizes human security concepts such as empowerment and patients' perspective, will be required not only to control TB among the socially vulnerable population but also to holistically tackle the problem of TB for Japan.

  5. Evaluating Common Privacy Vulnerabilities in Internet Service Providers

    NASA Astrophysics Data System (ADS)

    Kotzanikolaou, Panayiotis; Maniatis, Sotirios; Nikolouzou, Eugenia; Stathopoulos, Vassilios

    Privacy in electronic communications receives increased attention in both research and industry forums, stemming from both the users' needs and from legal and regulatory requirements in national or international context. Privacy in internet-based communications heavily relies on the level of security of the Internet Service Providers (ISPs), as well as on the security awareness of the end users. This paper discusses the role of the ISP in the privacy of the communications. Based on real security audits performed in national-wide ISPs, we illustrate privacy-specific threats and vulnerabilities that many providers fail to address when implementing their security policies. We subsequently provide and discuss specific security measures that the ISPs can implement, in order to fine-tune their security policies in the context of privacy protection.

  6. Climate risk and food security in Mali: A historical perspective on adaptation

    NASA Astrophysics Data System (ADS)

    Giannini, Alessandra; Krishnamurthy, P. Krishna; Cousin, Rémi; Labidi, Naouar; Choularton, Richard J.

    2017-02-01

    We combine socioeconomic data from a large-scale household survey with historical climate data to map the climate sensitivity of availability and access dimensions of food security in Mali, and infer the ways in which at-risk communities may have been impacted by persistent climatic shift. Thirty years after 1982-1984, the period of most intense drought during the protracted late 20th century drying of the Sahel, the impact of drought on livelihoods and food security is still recognizable in the Sahelian center of Mali. This impact is expressed in the larger fraction of households in this Sahelian center of the country—the agro-ecological transition between pastoralism in the north, and sedentary agriculture in the south—who practice agriculture but not livestock raising, despite environmental conditions that are suitable to their combination. These households have lower food security and rely more frequently on detrimental nutrition-based coping strategies, such as reducing the quantity or quality of meals. In contrast, the more food secure households show a clear tendency toward livelihood diversification away from subsistence agriculture. These households produce less of what they consume, yet spend less on food in proportion. The analysis points to the value of interdisciplinary research—in this case bridging climate science and vulnerability analysis—to gain a dynamical understanding of complex systems, understanding which may be exploited to address real-world challenges, offering lessons about food security and local adaptation strategies in places among the most vulnerable to climate.

  7. Prediction of soil water erosion risk within GIS-case study of Beni Amrane Dam catchment (North of Algeria)

    NASA Astrophysics Data System (ADS)

    Touahir, S.; Khenter, K.; Remini, B.; Saad, H.

    2017-08-01

    Isser River is one of North Algeria’s major resources. It is vulnerable to water soil erosion because of favourable conjunctions of different geomorphological, hydro-climatic and lithologic factors. This case study has been carried out on the Beni Amrane dam Catchment, which is located in the bottom of Isser River, in North Algeria. The study involves a mapping of main factors of water erosion: rainfall erosivity, soil erodibility, slope and land use. Essentially a data mapping specification analysis shows, on each factor, how to identify the areas that are prone to water erosion. 04 classes of multifactorial vulnerability to water erosion have been identified: areas with low vulnerability (10 per cent); area with middle vulnerability (49 per cent); areas with high and very high vulnerability (38 per cent and 3 per cent). This could be a first guidance document for a rational use of land in the region and better secure the Beni Amrane dam against reservoir siltation.

  8. Development of an Audit Classification Index (ACI) for Federal E-Learning Systems Security Vulnerabilities

    ERIC Educational Resources Information Center

    Johnson, Gerald D.

    2012-01-01

    As U.S. federal government agencies have increased the use of the Internet to utilize technologies such as e-learning, U.S. federal government information systems have become more exposed to security vulnerabilities that may contribute to system attacks and system exploitation. U.S. federal government agencies are required to come up with their own…

  9. A Systems Engineering Framework for Implementing a Security and Critical Patch Management Process in Diverse Environments (Academic Departments' Workstations)

    ERIC Educational Resources Information Center

    Mohammadi, Hadi

    2014-01-01

    Use of the Patch Vulnerability Management (PVM) process should be seriously considered for any networked computing system. The PVM process prevents the operating system (OS) and software applications from being attacked due to security vulnerabilities, which lead to system failures and critical data leakage. The purpose of this research is to…

  10. Evaluating the Generality and Limits of Blind Return-Oriented Programming Attacks

    DTIC Science & Technology

    2015-12-01

    consider a recently proposed information disclosure vulnerability called blind return-oriented programming (BROP). Under certain conditions, this...implementation disclosure attacks 15. NUMBER OF PAGES 75 16. PRICE CODE 17. SECURITY CLASSIFICATION OF REPORT Unclassified 18. SECURITY CLASSIFICATION OF...Science iii THIS PAGE INTENTIONALLY LEFT BLANK iv ABSTRACT We consider a recently proposed information disclosure vulnerability called blind return

  11. Design and development of a prototypical software for semi-automatic generation of test methodologies and security checklists for IT vulnerability assessment in small- and medium-sized enterprises (SME)

    NASA Astrophysics Data System (ADS)

    Möller, Thomas; Bellin, Knut; Creutzburg, Reiner

    2015-03-01

    The aim of this paper is to show the recent progress in the design and prototypical development of a software suite Copra Breeder* for semi-automatic generation of test methodologies and security checklists for IT vulnerability assessment in small and medium-sized enterprises.

  12. An Empirical Measure of Computer Security Strength for Vulnerability Remediation

    ERIC Educational Resources Information Center

    Villegas, Rafael

    2010-01-01

    Remediating all vulnerabilities on computer systems in a timely and cost effective manner is difficult given that the window of time between the announcement of a new vulnerability and an automated attack has decreased. Hence, organizations need to prioritize the vulnerability remediation process on their computer systems. The goal of this…

  13. On the security flaws in ID-based password authentication schemes for telecare medical information systems.

    PubMed

    Mishra, Dheerendra

    2015-01-01

    Telecare medical information systems (TMIS) enable healthcare delivery services. However, access of these services via public channel raises security and privacy issues. In recent years, several smart card based authentication schemes have been introduced to ensure secure and authorized communication between remote entities over the public channel for the (TMIS). We analyze the security of some of the recently proposed authentication schemes of Lin, Xie et al., Cao and Zhai, and Wu and Xu's for TMIS. Unfortunately, we identify that these schemes failed to satisfy desirable security attributes. In this article we briefly discuss four dynamic ID-based authentication schemes and demonstrate their failure to satisfy desirable security attributes. The study is aimed to demonstrate how inefficient password change phase can lead to denial of server scenario for an authorized user, and how an inefficient login phase causes the communication and computational overhead and decrease the performance of the system. Moreover, we show the vulnerability of Cao and Zhai's scheme to known session specific temporary information attack, vulnerability of Wu and Xu's scheme to off-line password guessing attack, and vulnerability of Xie et al.'s scheme to untraceable on-line password guessing attack.

  14. DOE Office of Scientific and Technical Information (OSTI.GOV)

    Harris, L.; Owel, W.R.

    This paper discusses the VISA (Vulnerability of Integrated Safeguards Analysis) method, developed in 1976-77 for the Nuclear Regulatory Commission, and which has been adapted more recently to a broader range of uses. The performance of VISA systems is evaluated in terms of how they perform as an integrated safeguards/security system. The resulting method has been designated VISA-2. 7 refs.

  15. U.S. Patent Pending, Information Security Analysis Using Game Theory and Simulation, U.S. Patent Application No.: 14/097,840

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Abercrombie, Robert K; Schlicher, Bob G

    Vulnerability in security of an information system is quantitatively predicted. The information system may receive malicious actions against its security and may receive corrective actions for restoring the security. A game oriented agent based model is constructed in a simulator application. The game ABM model represents security activity in the information system. The game ABM model has two opposing participants including an attacker and a defender, probabilistic game rules and allowable game states. A specified number of simulations are run and a probabilistic number of the plurality of allowable game states are reached in each simulation run. The probability of reaching a specified game state is unknown prior to running each simulation. Data generated during the game states is collected to determine a probability of one or more aspects of security in the information system.

  16. MAC layer security issues in wireless mesh networks

    NASA Astrophysics Data System (ADS)

    Reddy, K. Ganesh; Thilagam, P. Santhi

    2016-03-01

    Wireless Mesh Networks (WMNs) have emerged as a promising technology for a broad range of applications due to their self-organizing, self-configuring and self-healing capability, in addition to their low cost and easy maintenance. Securing WMNs is more challenging and complex issue due to their inherent characteristics such as shared wireless medium, multi-hop and inter-network communication, highly dynamic network topology and decentralized architecture. These vulnerable features expose the WMNs to several types of attacks in MAC layer. The existing MAC layer standards and implementations are inadequate to secure these features and fail to provide comprehensive security solutions to protect both backbone and client mesh. Hence, there is a need for developing efficient, scalable and integrated security solutions for WMNs. In this paper, we classify the MAC layer attacks and analyze the existing countermeasures. Based on attacks classification and countermeasures analysis, we derive the research directions to enhance the MAC layer security for WMNs.

  17. 78 FR 43863 - Proposed Collection; Comment Request

    Federal Register 2010, 2011, 2012, 2013, 2014

    2013-07-22

    ... verifying that cleared contractors mitigate and ensuring identified security vulnerabilities. This public... information in ISFD. In turn, this will allow DSS to better tailor vulnerability assessments and other..., prior to annual vulnerability assessments, so that accurate information is continually maintained in...

  18. Efficiency vs. Security: Information Technology Consolidations - Resilience, Complexity, and Monoculture

    DTIC Science & Technology

    infrastructure. This may result in vulnerabilities not typically considered by policymakers, due to concentration and homogenization of critical...Resilience of a system is counter-proportional to the product of vulnerability and spectral radius; therefore, any increase in vulnerability, spectral

  19. Secure ICCP Final Report

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Rice, Mark J.; Bonebrake, Christopher A.; Dayley, Greg K.

    Inter-Control Center Communications Protocol (ICCP), defined by the IEC 60870-6 TASE.2 standard, was developed to enable data exchange over wide area networks between electric system entities, including utility control centers, Independent System Operators (ISOs), Regional Transmission Operators (RTOs) and Independent Power Producers (IPP) also known as Non-Utility Generators (NUG). ICCP is an unprotected protocol, and as a result is vulnerable to such actions as integrity violation, interception or alteration, spoofing, and eavesdropping. Because of these vulnerabilities with unprotected ICCP communication, security enhancements, referred to as Secure ICCP, have been added and are included in the ICCP products that utilities have received since 2003 when the standard was defined. This has resulted in an ICCP product whose communication can be encrypted and authenticated to address these vulnerabilities.

  20. Do You Ignore Information Security in Your Journal Website?

    PubMed

    Dadkhah, Mehdi; Borchardt, Glenn; Lagzian, Mohammad

    2017-08-01

    Nowadays, web-based applications extend to all businesses due to their advantages and easy usability. The most important issue in web-based applications is security. Due to their advantages, most academic journals are now using these applications, with papers being submitted and published through their websites. As these websites are resources for knowledge, information security is primary for maintaining their integrity. In this opinion piece, we point out vulnerabilities in certain websites and introduce the potential for future threats. We intend to present how some journals are vulnerable and what will happen if a journal can be infected by attackers. This opinion is not a technical manual in information security, it is a short inspection that we did to improve the security of academic journals.

  1. One Step Quantum Key Distribution Based on EPR Entanglement.

    PubMed

    Li, Jian; Li, Na; Li, Lei-Lei; Wang, Tao

    2016-06-30

    A novel quantum key distribution protocol is presented, based on entanglement and dense coding and allowing asymptotically secure key distribution. Considering the storage time limit of quantum bits, a grouping quantum key distribution protocol is proposed, which overcomes the vulnerability of first protocol and improves the maneuverability. Moreover, a security analysis is given and a simple type of eavesdropper's attack would introduce at least an error rate of 46.875%. Compared with the "Ping-pong" protocol involving two steps, the proposed protocol does not need to store the qubit and only involves one step.

  2. Report: Information Security Series: Security Practices Comprehensive Environmental Response, Compensation, and Liability Information System

    EPA Pesticide Factsheets

    Report #2006-P-00019, March 28, 2006. OSWER’s implemented practices to ensure production servers were being monitored for known vulnerabilities and personnel with significant security responsibility completed the Agency’s recommended security training.

  3. Contextualizing Secure Information System Design: A Socio-Technical Approach

    ERIC Educational Resources Information Center

    Charif, Abdul Rahim

    2017-01-01

    Secure Information Systems (SIS) design paradigms have evolved in generations to adapt to IS security needs. However, modern IS are still vulnerable and are far from secure. The development of an underlying IS cannot be reduced to "technological fixes" neither is the design of SIS. Technical security cannot ensure IS security.…

  4. Research on offense and defense technology for iOS kernel security mechanism

    NASA Astrophysics Data System (ADS)

    Chu, Sijun; Wu, Hao

    2018-04-01

    iOS is a strong and widely used mobile device system. Its annual profits make up about 90% of the total profits of all mobile phone brands. Though it is famous for its security, there have been many attacks on the iOS operating system, such as the Trident APT attack in 2016. So it is important to research the iOS security mechanism and understand its weaknesses and put forward targeted protection and security check framework. By studying these attacks and previous jailbreak tools, we can see that an attacker could only run a ROP code and gain kernel read and write permissions based on the ROP after exploiting kernel and user layer vulnerabilities. However, the iOS operating system is still protected by the code signing mechanism, the sandbox mechanism, and the not-writable mechanism of the system's disk area. This is far from the steady, long-lasting control that attackers expect. Before iOS 9, breaking these security mechanisms was usually done by modifying the kernel's important data structures and security mechanism code logic. However, after iOS 9, the kernel integrity protection mechanism was added to the 64-bit operating system and none of the previous methods were adapted to the new versions of iOS [1]. But this does not mean that attackers cannot break through. Therefore, based on the analysis of the vulnerability of KPP security mechanism, this paper implements two possible breakthrough methods for kernel security mechanism for iOS9 and iOS10. Meanwhile, we propose a defense method based on kernel integrity detection and sensitive API call detection to defend against the breakthrough methods mentioned above. And we make experiments to prove that this method can prevent and detect attack attempts or invaders effectively and timely.

  5. Threat driven modeling framework using petri nets for e-learning system.

    PubMed

    Khamparia, Aditya; Pandey, Babita

    2016-01-01

    Vulnerabilities at various levels are main cause of security risks in e-learning system. This paper presents a modified threat driven modeling framework, to identify the threats after risk assessment which requires mitigation and how to mitigate those threats. To model those threat mitigations aspects oriented stochastic petri nets are used. This paper included security metrics based on vulnerabilities present in e-learning system. The Common Vulnerability Scoring System designed to provide a normalized method for rating vulnerabilities which will be used as basis in metric definitions and calculations. A case study has been also proposed which shows the need and feasibility of using aspect oriented stochastic petri net models for threat modeling which improves reliability, consistency and robustness of the e-learning system.

  6. Climate challenges, vulnerabilities, and food security

    PubMed Central

    Nelson, Margaret C.; Ingram, Scott E.; Dugmore, Andrew J.; Streeter, Richard; Peeples, Matthew A.; McGovern, Thomas H.; Hegmon, Michelle; Arneborg, Jette; Brewington, Seth; Spielmann, Katherine A.; Simpson, Ian A.; Strawhacker, Colleen; Comeau, Laura E. L.; Torvinen, Andrea; Madsen, Christian K.; Hambrecht, George; Smiarowski, Konrad

    2016-01-01

    This paper identifies rare climate challenges in the long-term history of seven areas, three in the subpolar North Atlantic Islands and four in the arid-to-semiarid deserts of the US Southwest. For each case, the vulnerability to food shortage before the climate challenge is quantified based on eight variables encompassing both environmental and social domains. These data are used to evaluate the relationship between the “weight” of vulnerability before a climate challenge and the nature of social change and food security following a challenge. The outcome of this work is directly applicable to debates about disaster management policy. PMID:26712017

  7. Climate challenges, vulnerabilities, and food security.

    PubMed

    Nelson, Margaret C; Ingram, Scott E; Dugmore, Andrew J; Streeter, Richard; Peeples, Matthew A; McGovern, Thomas H; Hegmon, Michelle; Arneborg, Jette; Kintigh, Keith W; Brewington, Seth; Spielmann, Katherine A; Simpson, Ian A; Strawhacker, Colleen; Comeau, Laura E L; Torvinen, Andrea; Madsen, Christian K; Hambrecht, George; Smiarowski, Konrad

    2016-01-12

    This paper identifies rare climate challenges in the long-term history of seven areas, three in the subpolar North Atlantic Islands and four in the arid-to-semiarid deserts of the US Southwest. For each case, the vulnerability to food shortage before the climate challenge is quantified based on eight variables encompassing both environmental and social domains. These data are used to evaluate the relationship between the "weight" of vulnerability before a climate challenge and the nature of social change and food security following a challenge. The outcome of this work is directly applicable to debates about disaster management policy.

  8. Exploring the impact of the 2008 global food crisis on food security among vulnerable households in rural South Africa

    PubMed Central

    Nawrotzki, Raphael J.; Robson, Kristin; Gutilla, Margaret J.; Hunter, Lori M.; Twine, Wayne; Norlund, Petra

    2015-01-01

    Recurring food crises endanger the livelihoods of millions of households in developing countries around the globe. Owing to the importance of this issue, we explore recent changes in food security between the years 2004 and 2010 in a rural district in Northeastern South Africa. Our study window spans the time of the 2008 global food crises and allows the investigation of its impacts on rural South African populations. Grounded in the sustainable livelihood framework, we examine differences in food security trajectories among vulnerable sub populations. A unique panel data set of 8,147 households, provided by the Agincourt Health and Demographic Surveillance System (Agincourt HDSS), allows us to employ a longitudinal multilevel modeling approach to estimate adjusted growth curves for the differential change in food security across time. We observe an overall improvement in food security that leveled off after 2008, most likely resulting from the global food crisis. In addition, we discover significant differences in food security trajectories for various sub populations. For example, female-headed households and those living in areas with better access to natural resources differentially improved their food security situation, compared to male-headed households and those households with lower levels of natural resource access. However, former Mozambican refugees witnessed a decline in food security. Therefore, poverty alleviation programs for the Agincourt region should work to improve the food security of vulnerable households, such as former Mozambican refugees. PMID:26594259

  9. 6 CFR 27.220 - Tiering.

    Code of Federal Regulations, 2014 CFR

    2014-01-01

    ... 6 Domestic Security 1 2014-01-01 2014-01-01 false Tiering. 27.220 Section 27.220 Domestic Security DEPARTMENT OF HOMELAND SECURITY, OFFICE OF THE SECRETARY CHEMICAL FACILITY ANTI-TERRORISM STANDARDS Chemical... Risk-Based Tiering. Following review of a covered facility's Security Vulnerability Assessment, the...

  10. 6 CFR 27.220 - Tiering.

    Code of Federal Regulations, 2013 CFR

    2013-01-01

    ... 6 Domestic Security 1 2013-01-01 2013-01-01 false Tiering. 27.220 Section 27.220 Domestic Security DEPARTMENT OF HOMELAND SECURITY, OFFICE OF THE SECRETARY CHEMICAL FACILITY ANTI-TERRORISM STANDARDS Chemical... Risk-Based Tiering. Following review of a covered facility's Security Vulnerability Assessment, the...

  11. 6 CFR 27.220 - Tiering.

    Code of Federal Regulations, 2011 CFR

    2011-01-01

    ... 6 Domestic Security 1 2011-01-01 2011-01-01 false Tiering. 27.220 Section 27.220 Domestic Security DEPARTMENT OF HOMELAND SECURITY, OFFICE OF THE SECRETARY CHEMICAL FACILITY ANTI-TERRORISM STANDARDS Chemical... Risk-Based Tiering. Following review of a covered facility's Security Vulnerability Assessment, the...

  12. 6 CFR 27.220 - Tiering.

    Code of Federal Regulations, 2012 CFR

    2012-01-01

    ... 6 Domestic Security 1 2012-01-01 2012-01-01 false Tiering. 27.220 Section 27.220 Domestic Security DEPARTMENT OF HOMELAND SECURITY, OFFICE OF THE SECRETARY CHEMICAL FACILITY ANTI-TERRORISM STANDARDS Chemical... Risk-Based Tiering. Following review of a covered facility's Security Vulnerability Assessment, the...

  13. A secure biometrics-based authentication scheme for telecare medicine information systems.

    PubMed

    Yan, Xiaopeng; Li, Weiheng; Li, Ping; Wang, Jiantao; Hao, Xinhong; Gong, Peng

    2013-10-01

    The telecare medicine information system (TMIS) allows patients and doctors to access medical services or medical information at remote sites. Therefore, it could bring us great convenience. To safeguard patients' privacy, authentication schemes for the TMIS attracted wide attention. Recently, Tan proposed an efficient biometrics-based authentication scheme for the TMIS and claimed their scheme could withstand various attacks. However, in this paper, we point out that Tan's scheme is vulnerable to the Denial-of-Service attack. To enhance security, we also propose an improved scheme based on Tan's work. Security and performance analysis shows our scheme not only could overcome weakness in Tan's scheme but also has better performance.

  14. Defining Resilience and Vulnerability Based on Ontology Engineering Approach

    NASA Astrophysics Data System (ADS)

    Kumazawa, T.; Matsui, T.; Endo, A.

    2014-12-01

    It is necessary to reflect the concepts of resilience and vulnerability into the assessment framework of "Human-Environmental Security", but it is also in difficulty to identify the linkage between both concepts because of the difference of the academic community which has discussed each concept. The authors have been developing the ontology which deals with the sustainability of the social-ecological systems (SESs). Resilience and vulnerability are also the concepts in the target world which this ontology covers. Based on this point, this paper aims at explicating the semantic relationship between the concepts of resilience and vulnerability based on ontology engineering approach. For this purpose, we first examine the definitions of resilience and vulnerability which the existing literatures proposed. Second, we incorporate the definitions in the ontology dealing with sustainability of SESs. Finally, we focus on the "Water-Energy-Food Nexus Index" to assess Human-Environmental Security, and clarify how the concepts of resilience and vulnerability are linked semantically through the concepts included in these index items.

  15. 75 FR 71721 - Pittsburgh Area Maritime Security Committee; Vacancies

    Federal Register 2010, 2011, 2012, 2013, 2014

    2010-11-24

    ...: Identifying critical port infrastructure and operations; Identifying risks (threats, vulnerabilities, and... considering consequences and vulnerabilities, how they may change over time, and what additional mitigation...

  16. Exploring the Public Health Impacts of Private Security Guards on People Who Use Drugs: a Qualitative Study.

    PubMed

    Markwick, Nicole; McNeil, Ryan; Small, Will; Kerr, Thomas

    2015-12-01

    Private security guards occupy an increasingly prominent role in the policing of private and public spaces. There are growing concerns regarding security guards' potential to shape violence, discrimination, and adverse health outcomes among vulnerable populations, including people who use drugs (PWUD). This is relevant in Vancouver, Canada, where private security guards have increasingly been employed by private organizations to manage public and private spaces, including those within urban drug scenes. This qualitative study sought to understand interactions between PWUD and private security guards and explore their impacts on health care access, risks, and harms among PWUD. Semi-structured interviews were conducted with 30 PWUD recruited from two ongoing prospective cohort studies. Interviews were transcribed and analyzed using a coding framework comprised of a priori and emergent categories. Study data indicate that participants experience pervasive, discriminatory profiling and surveillance by security guards, which exacerbates existing social marginalization and structural vulnerability, particularly among PWUD of Aboriginal ancestry. Participants reported that security guards restrict PWUD's access to public and private spaces, including pharmacies and hospitals. PWUD also reported that their interactions with security guards often involved interpersonal violence and aggression, experiences that served to increase their vulnerability to subsequent risks and harms. Our findings highlight that private security forces contribute significantly to the everyday violence experienced by PWUD within drug scenes and elsewhere and do so in a manner very similar to that of traditional police forces. These findings point to the urgent need for greater oversight and training of private security guards in order to protect the health and safety of PWUD.

  17. Impact of Security Awareness Programs on End-User Security Behavior: A Quantitative Study of Federal Workers

    ERIC Educational Resources Information Center

    Smith, Gwendolynn T.

    2012-01-01

    The increasing dependence on technology presented more vulnerability to security breaches of information and the need to assess security awareness levels in federal organizations, as well as other organizations. Increased headlines of security breaches of federal employees' security actions prompted this study. The research study reviewed the…

  18. Perceptions of randomized security schedules.

    PubMed

    Scurich, Nicholas; John, Richard S

    2014-04-01

    Security of infrastructure is a major concern. Traditional security schedules are unable to provide omnipresent coverage; consequently, adversaries can exploit predictable vulnerabilities to their advantage. Randomized security schedules, which randomly deploy security measures, overcome these limitations, but public perceptions of such schedules have not been examined. In this experiment, participants were asked to make a choice between attending a venue that employed a traditional (i.e., search everyone) or a random (i.e., a probability of being searched) security schedule. The absolute probability of detecting contraband was manipulated (i.e., 1/10, 1/4, 1/2) but equivalent between the two schedule types. In general, participants were indifferent to either security schedule, regardless of the probability of detection. The randomized schedule was deemed more convenient, but the traditional schedule was considered fairer and safer. There were no differences between traditional and random schedule in terms of perceived effectiveness or deterrence. Policy implications for the implementation and utilization of randomized schedules are discussed. © 2013 Society for Risk Analysis.

  19. An Enhanced Secure Identity-Based Certificateless Public Key Authentication Scheme for Vehicular Sensor Networks.

    PubMed

    Li, Congcong; Zhang, Xi; Wang, Haiping; Li, Dongfeng

    2018-01-11

    Vehicular sensor networks have been widely applied in intelligent traffic systems in recent years. Because of the specificity of vehicular sensor networks, they require an enhanced, secure and efficient authentication scheme. Existing authentication protocols are vulnerable to some problems, such as a high computational overhead with certificate distribution and revocation, strong reliance on tamper-proof devices, limited scalability when building many secure channels, and an inability to detect hardware tampering attacks. In this paper, an improved authentication scheme using certificateless public key cryptography is proposed to address these problems. A security analysis of our scheme shows that our protocol provides an enhanced secure anonymous authentication, which is resilient against major security threats. Furthermore, the proposed scheme reduces the incidence of node compromise and replication attacks. The scheme also provides a malicious-node detection and warning mechanism, which can quickly identify compromised static nodes and immediately alert the administrative department. With performance evaluations, the scheme can obtain better trade-offs between security and efficiency than the well-known available schemes.

  20. A Complex Systems Approach to More Resilient Multi-Layered Security Systems

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Brown, Nathanael J. K.; Jones, Katherine A.; Bandlow, Alisa

    In July 2012, protestors cut through security fences and gained access to the Y-12 National Security Complex. This was believed to be a highly reliable, multi-layered security system. This report documents the results of a Laboratory Directed Research and Development (LDRD) project that created a consistent, robust mathematical framework using complex systems analysis algorithms and techniques to better understand the emergent behavior, vulnerabilities and resiliency of multi-layered security systems subject to budget constraints and competing security priorities. Because there are several dimensions to security system performance and a range of attacks that might occur, the framework is multi-objective for a performance frontier to be estimated. This research explicitly uses probability of intruder interruption given detection (P I) as the primary resilience metric. We demonstrate the utility of this framework with both notional as well as real-world examples of Physical Protection Systems (PPSs) and validate using a well-established force-on-force simulation tool, Umbra.

  1. 75 FR 60133 - Detroit Area Maritime Security Committee (AMSC); Vacancies

    Federal Register 2010, 2011, 2012, 2013, 2014

    2010-09-29

    ... (threats, vulnerabilities, and consequences); Determining mitigation strategies and implementation methods... consequences and vulnerabilities, how they may change over time, and what additional mitigation strategies can...

  2. 75 FR 24961 - Pittsburgh Area Maritime Security Committee; Vacancies

    Federal Register 2010, 2011, 2012, 2013, 2014

    2010-05-06

    ... critical port infrastructure and operations; Identifying risks (threats, vulnerabilities, and consequences... and vulnerabilities, how they may change over time, and what additional mitigation strategies can be...

  3. Benefit adequacy among elderly Social Security retired-worker beneficiaries and the SSI federal benefit rate.

    PubMed

    Rupp, Kalman; Strand, Alexander; Davies, Paul; Sears, Jim

    2007-01-01

    Both target effectiveness and administrative simplicity are desirable properties in the design of minimum benefit packages for public retirement programs. The federal benefit rate (FBR) of the Supplemental Security Income (SSI) program has been proposed by some analysts as a potentially attractive basis of establishing a new minimum benefit for Social Security on both of these grounds. This type of proposal is related to a broader array of minimum benefit proposals that would establish a Social Security benefit floor based on the poverty rate. In contrast to Social Security, the SSI program is means tested, including both an income and asset screen and also a categorical eligibility screen (the requirement to qualify as aged or disabled). The SSI FBR provides an inflation-adjusted, guaranteed income floor for aged and disabled people with low assets. The FBR has been perceived by proponents as a minimal measure of Social Security benefit adequacy because it represents a subpoverty income level for a family of one or two depending on marital status. For this same reason it has been seen as a target-effective tool of designing a minimum Social Security benefit. An FBR-based minimum benefit has also been viewed as administratively simple to implement; the benefit can be calculated from Social Security administrative records using a completely automated electronic process. Therefore, in contrast to the SSI program itself, an FBR-based minimum benefit would incur virtually no ongoing administrative costs, would not require a separate application for a means-tested program, and would avoid the perception of welfare stigma. While these ideas have been discussed in the literature and among policymakers in the United States over the years, and similar proposals have been considered or implemented in several foreign countries, there have been no previous analyses measuring the size of the potentially affected beneficiary population. 
Nor has there been any systematic assessment of the FBR as a measure of benefit adequacy or the tradeoffs between potential target effectiveness and administrative simplicity. Based on a series of simulations, we assess the FBR as a potential foundation for minimum Social Security benefits and we examine the tradeoffs between administrative simplicity and target effectiveness using microdata from the 1996 panel of the Survey of Income and Program Participation (SIPP). Our empirical analysis is limited to Social Security retired-worker beneficiaries aged 65 or older. We start with the assessment of the FBR as a measure of benefit adequacy. We are particularly concerned about two types of error: (1) incorrectly identifying some Social Security beneficiaries as "economically vulnerable," and (2) incorrectly identifying others as "not economically vulnerable." Operationally we measure economic vulnerability by two alternative standards. One of our measures considers beneficiaries with family income below the official poverty threshold as vulnerable. Our second measure is more restrictive; it uses a family income threshold equal to 75 percent of the official poverty threshold. We find that a substantial minority of retired workers have Social Security benefits below the FBR. The results also show that the FBR-based measure of Social Security benefit adequacy is very imprecise in terms of identifying economically vulnerable people. We estimate that the vast majority of beneficiaries with Social Security benefits below the FBR are not economically vulnerable. Conversely, an FBR-level Social Security benefit threshold fails to identify some beneficiaries who are economically vulnerable. Thus an FBR-level minimum benefit would be poorly targeted in terms of both types of errors we are concerned about. An FBR-level minimum benefit would provide minimum Social Security benefits to many people who are clearly not poor. 
Conversely, an FBR-level minimum benefit would not provide any income relief to some who are poor. The administrative simplicity behind these screening errors also results in additional program cost that may be perceived as substantial. We estimate that an FBR-level minimum benefit would increase aggregate program cost for retired workers aged 65 or older by roughly 2 percent. There are two fundamental reasons for these findings. First, the concept of an FBR-level minimum benefit looks at the individual or married couple in artificial isolation; however, the family is the main consumption unit in our society. The income of an unmarried partner or family members other than a married spouse is ignored. Second, individuals and couples may also have income from sources other than Social Security or SSI, which is also ignored by a simple FBR-based minimum benefit concept. The substantial empirical magnitude of measurement error arising from these conceptual simplifications naturally leads to the assessment of the tradeoff between target effectiveness and administrative simplicity. To facilitate this analysis, we simulate the potential effect of alternative screening methods designed to increase target effectiveness; while reducing program cost, such alternatives also may increase administrative complexity. For example, considering the combined Social Security benefit of a married couple (rather than looking at the husband and wife in isolation) might substantially increase target effectiveness with a relatively small increase in administrative complexity. Adding a family income screen might increase administrative complexity to a greater degree, but also would increase target effectiveness dramatically. The results also suggest that at some point adding new screens, such as a comprehensive asset test, may drastically increase administrative complexity with diminishing returns in terms of increased target effectiveness and reduced program cost. 
Whether a broad-based minimum benefit concept that is not tied to previous work experience is perceived by policymakers as desirable or not may depend on several factors not addressed in this article. However, to the extent that this type of minimum benefit design is regarded as potentially desirable, the tradeoffs between administrative simplicity and target effectiveness need to be considered.

  4. A Methodology for Dynamic Security Risk Quantification and Optimal Resource Allocation of Security Assets

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Brigantic, Robert T.; Betzsold, Nick J.; Bakker, Craig KR

    In this presentation we overview a methodology for dynamic security risk quantification and optimal resource allocation of security assets for high profile venues. This methodology is especially applicable to venues that require security screening operations such as mass transit (e.g., train or airport terminals), critical infrastructure protection (e.g., government buildings), and large-scale public events (e.g., concerts or professional sports). The method starts by decomposing the three core components of risk -- threat, vulnerability, and consequence -- into their various subcomponents. For instance, vulnerability can be decomposed into availability, accessibility, organic security, and target hardness and each of these can be evaluated against the potential threats of interest for the given venue. Once evaluated, these subcomponents are rolled back up to compute the specific value for the vulnerability core risk component. Likewise, the same is done for consequence and threat, and then risk is computed as the product of these three components. A key aspect of our methodology is dynamically quantifying risk. That is, we incorporate the ability to uniquely allow the subcomponents and core components, and in turn, risk, to be quantified as a continuous function of time throughout the day, week, month, or year as appropriate.

  5. Examining the Impact of Non-Technical Security Management Factors on Information Security Management in Health Informatics

    ERIC Educational Resources Information Center

    Imam, Abbas H.

    2013-01-01

    Complexity of information security has become a major issue for organizations due to incessant threats to information assets. Healthcare organizations are particularly concerned with security owing to the inherent vulnerability of sensitive information assets in health informatics. While the non-technical security management elements have been at…

  6. Detection and Prevention of Insider Threats in Database Driven Web Services

    NASA Astrophysics Data System (ADS)

    Chumash, Tzvi; Yao, Danfeng

    In this paper, we take the first step to address the gap between the security needs in outsourced hosting services and the protection provided in the current practice. We consider both insider and outsider attacks in the third-party web hosting scenarios. We present SafeWS, a modular solution that is inserted between server side scripts and databases in order to prevent and detect website hijacking and unauthorized access to stored data. To achieve the required security, SafeWS utilizes a combination of lightweight cryptographic integrity and encryption tools, software engineering techniques, and security data management principles. We also describe our implementation of SafeWS and its evaluation. The performance analysis of our prototype shows the overhead introduced by security verification is small. SafeWS will allow business owners to significantly reduce the security risks and vulnerabilities of outsourcing their sensitive customer data to third-party providers.

  7. Healthcare Blockchain System Using Smart Contracts for Secure Automated Remote Patient Monitoring.

    PubMed

    Griggs, Kristen N; Ossipova, Olya; Kohlios, Christopher P; Baccarini, Alessandro N; Howson, Emily A; Hayajneh, Thaier

    2018-06-06

    As Internet of Things (IoT) devices and other remote patient monitoring systems increase in popularity, security concerns about the transfer and logging of data transactions arise. In order to handle the protected health information (PHI) generated by these devices, we propose utilizing blockchain-based smart contracts to facilitate secure analysis and management of medical sensors. Using a private blockchain based on the Ethereum protocol, we created a system where the sensors communicate with a smart device that calls smart contracts and writes records of all events on the blockchain. This smart contract system would support real-time patient monitoring and medical interventions by sending notifications to patients and medical professionals, while also maintaining a secure record of who has initiated these activities. This would resolve many security vulnerabilities associated with remote patient monitoring and automate the delivery of notifications to all involved parties in a HIPAA compliant manner.

  8. Negative emotionality moderates associations among attachment, toddler sleep, and later problem behaviors.

    PubMed

    Troxel, Wendy M; Trentacosta, Christopher J; Forbes, Erika E; Campbell, Susan B

    2013-02-01

    Secure parent-child relationships are implicated in children's self-regulation, including the ability to self-soothe at bedtime. Sleep, in turn, may serve as a pathway linking attachment security with subsequent emotional and behavioral problems in children. We used path analysis to examine the direct relationship between attachment security and maternal reports of sleep problems during toddlerhood and the degree to which sleep serves as a pathway linking attachment with subsequent teacher-reported emotional and behavioral problems. We also examined infant negative emotionality as a vulnerability factor that may potentiate attachment-sleep-adjustment outcomes. Data were drawn from 776 mother-infant dyads participating in the National Institute of Child and Human Development Study of Early Child Care. After statistically adjusting for mother and child characteristics, including child sleep and emotional and behavioral problems at 24 months, we found no evidence for a statistically significant direct path between attachment security and sleep problems at 36 months; however, there was a direct relationship between sleep problems at 36 months and internalizing problems at 54 months. Path models that examined the moderating influence of infant negative emotionality demonstrated significant direct relationships between attachment security and toddler sleep problems and between sleep problems and subsequent emotional and behavioral problems, but only among children characterized by high negative emotionality at 6 months. In addition, among this subset, there was a significant indirect path between attachment and internalizing problems through sleep problems. These longitudinal findings implicate sleep as one critical pathway linking attachment security with adjustment difficulties, particularly among temperamentally vulnerable children. PsycINFO Database Record (c) 2013 APA, all rights reserved.

  9. Negative Emotionality Moderates Associations among Attachment, Toddler Sleep, and Later Problem Behaviors

    PubMed Central

    Troxel, Wendy M.; Trentacosta, Christopher J.; Forbes, Erika E.; Campbell, Susan B.

    2013-01-01

    Secure parent-child relationships are implicated in children’s self-regulation, including the ability to self-soothe at bedtime. Sleep, in turn, may serve as a pathway linking attachment security with subsequent emotional and behavioral problems in children. We used path analysis to examine the direct relationship between attachment security and maternal-reports of sleep problems during toddlerhood, and the degree to which sleep serves as a pathway linking attachment with subsequent teacher-reported emotional and behavioral problems. We also examined infant negative emotionality as a vulnerability factor that may potentiate attachment-sleep-adjustment outcomes. Data were drawn from 776 mother-infant dyads participating in the NICHD Study of Early Child Care (SECC). In the full sample, after statistically adjusting for mother and child characteristics, including child sleep and emotional and behavioral problems at 24 months, we did not find evidence for a statistically significant direct path between attachment security and sleep problems at 36 months; however, there was a direct relationship between sleep problems at 36 months and internalizing problems at 54 months. Path models that examined the moderating influence of infant negative emotionality demonstrated significant direct relationships between attachment security and toddler sleep problems, and sleep problems and subsequent emotional and behavioral problems, but only among children characterized by high negative emotionality at 6 months of age. In addition, among this subset, there was a significant indirect path between attachment and internalizing problems through sleep problems. These longitudinal findings implicate sleep as one critical pathway linking attachment security with adjustment difficulties, particularly among temperamentally vulnerable children. PMID:23421840

  10. Hydropower and sustainability: resilience and vulnerability in China's powersheds.

    PubMed

    McNally, Amy; Magee, Darrin; Wolf, Aaron T

    2009-07-01

    Large dams represent a whole complex of social, economic and ecological processes, perhaps more than any other large infrastructure project. Today, countries with rapidly developing economies are constructing new dams to provide energy and flood control to growing populations in riparian and distant urban communities. If the system is lacking institutional capacity to absorb these physical and institutional changes there is potential for conflict, thereby threatening human security. In this paper, we propose analyzing sustainability (political, socioeconomic, and ecological) in terms of resilience versus vulnerability, framed within the spatial abstraction of a powershed. The powershed framework facilitates multi-scalar and transboundary analysis while remaining focused on the questions of resilience and vulnerability relating to hydropower dams. Focusing on examples from China, this paper describes the complex nature of dams using the sustainability and powershed frameworks. We then analyze the roles of institutions in China to understand the relationships between power, human security and the socio-ecological system. To inform the study of conflicts over dams China is a particularly useful case study because we can examine what happens at the international, national and local scales. The powershed perspective allows us to examine resilience and vulnerability across political boundaries from a dynamic, process-defined analytical scale while remaining focused on a host of questions relating to hydro-development that invoke drivers and impacts on national and sub-national scales. The ability to disaggregate the effects of hydropower dam construction from political boundaries allows for a deeper analysis of resilience and vulnerability. 
From our analysis we find that reforms in China's hydropower sector since 1996 have been motivated by the need to create stability at the national scale rather than resilient solutions to China's growing demand for energy and water resource control at the local and international scales. Some measures that improved economic development through the market economy and a combination of dam construction and institutional reform may indeed improve hydro-political resilience at a single scale. However, if China does address large-scale hydropower construction's potential to create multi-scale geopolitical tensions, they may be vulnerable to conflict - though not necessarily violent - in domestic and international political arenas. We conclude with a look toward a resilient basin institution for the Nu/Salween River, the site of a proposed large-scale hydropower development effort in China and Myanmar.

  11. Aviation security : vulnerabilities still exist in the aviation security system

    DOT National Transportation Integrated Search

    2000-04-06

    The testimony today discusses the Federal Aviation Administration's (FAA) efforts to implement and improve security in two key areas: air traffic control computer systems and airport passenger screening checkpoints. Computer systems-and the informati...

  12. Safe teleradiology: information assurance as project planning methodology.

    PubMed

    Collmann, Jeff; Alaoui, Adil; Nguyen, Dan; Lindisch, David

    2005-01-01

    The Georgetown University Medical Center Department of Radiology used a tailored version of OCTAVE, a self-directed information security risk assessment method, to design a teleradiology system that complied with the regulation implementing the security provisions of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The system addressed threats to and vulnerabilities in the privacy and security of protected health information. By using OCTAVE, Georgetown identified the teleradiology program's critical assets, described threats to the assurance of those assets, developed and ran vulnerability scans of a system pilot, evaluated the consequences of security breaches, and developed a risk management plan to mitigate threats to program assets, thereby implementing good information assurance practices. This case study illustrates the basic point that prospective, comprehensive planning to protect the privacy and security of an information system strategically benefits program management as well as system security.

  13. Protecting water and wastewater infrastructure from cyber attacks

    NASA Astrophysics Data System (ADS)

    Panguluri, Srinivas; Phillips, William; Cusimano, John

    2011-12-01

    Multiple organizations over the years have collected and analyzed data on cyber attacks and they all agree on one conclusion: cyber attacks are real and can cause significant damages. This paper presents some recent statistics on cyber attacks and resulting damages. Water and wastewater utilities must adopt countermeasures to prevent or minimize the damage in case of such attacks. Many unique challenges are faced by the water and wastewater industry while selecting and implementing security countermeasures; the key challenges are: 1) the increasing interconnection of their business and control system networks, 2) large variation of proprietary industrial control equipment utilized, 3) multitude of cross-sector cyber-security standards, and 4) the differences in the equipment vendor's approaches to meet these security standards. The utilities can meet these challenges by voluntarily selecting and adopting security standards, conducting a gap analysis, performing vulnerability/risk analysis, and undertaking countermeasures that best meet their security and organizational requirements. Utilities should optimally utilize their limited resources to prepare and implement necessary programs that are designed to increase cyber-security over the years. Implementing cyber security does not necessarily have to be expensive; substantial improvements can be accomplished through policy, procedure, training and awareness. Utilities can also get creative and allocate more funding through annual budgets and reduce dependence upon capital improvement programs to achieve improvements in cyber-security.

  14. 33 CFR 103.310 - Responsibilities of the Area Maritime Security (AMS) Committee.

    Code of Federal Regulations, 2010 CFR

    2010-07-01

    ... (threats, vulnerabilities, and consequences); (3) Determine mitigation strategies and implementation... consequences and vulnerabilities, how they may change over time, and what additional mitigation strategies can...

  15. Alexa, Can I Trust You?

    PubMed Central

    Chung, Hyunji; Iorga, Michaela; Voas, Jeffrey; Lee, Sangjin

    2017-01-01

    Security diagnostics expose vulnerabilities and privacy threats that exist in commercial Intelligent Virtual Assistants (IVA) – diagnostics offer the possibility of securer IVA ecosystems. PMID:29213147

  16. Development of Indonesia-Papua New Guinea border, Muara Tami District, Jayapura City through agropolitan concept

    NASA Astrophysics Data System (ADS)

    Subagiyo, A.; Dwiproborini, F.; Sari, N.

    2017-06-01

    The border of RI-PNG Muara Tami district is located on the eastern part of Jayapura city, which has agricultural potential. The past paradigm put the border as the backyard, which caused underdevelopment in border RI-PNG Muara Tami district, so that accelerated development through the agropolitan concept is needed. The purpose of the research is to define the physical, social, economic and border security aspects that support the agropolitan concept in border RI-PNG Muara Tami district. The analytical research methods are border interaction analysis, border security analysis, land capability analysis, land availability analysis, scalogram analysis, institutional analysis, leading commodity analysis (LQ and Growth Share), agribusiness linkage system analysis, accessibility analysis and A’WOT analysis. The results show that mobilization from PNG to Muara Tami district could increase agriculture-based economic opportunities. Border security of RI-PNG Muara Tami district is vulnerable, yet still conducive to mobilization. There is 12.977,94 Ha of potential land for agriculture (20,93%). The six leading commodities to be developed are rice, watermelon, banana, coconut, areca nut and cocoa. The border of RI-PNG Muara Tami district is ready enough to support the agropolitan concept, but still has problems in social and economic aspects.

  17. AR.Drone: security threat analysis and exemplary attack to track persons

    NASA Astrophysics Data System (ADS)

    Samland, Fred; Fruth, Jana; Hildebrandt, Mario; Hoppe, Tobias; Dittmann, Jana

    2012-01-01

    In this article we illustrate an approach of a security threat analysis of the quadrocopter AR.Drone, a toy for augmented reality (AR) games. The technical properties of the drone can be misused for attacks, which may relate to security and/or privacy aspects. Our aim is to sensitize for the possibility of misuses and the motivation for an implementation of improved security mechanisms of the quadrocopter. We focus primarily on obvious security vulnerabilities (e.g. communication over unencrypted WLAN, usage of UDP, live video streaming via unencrypted WLAN to the control device) of this quadrocopter. We could practically verify in three exemplary scenarios that this can be misused by unauthorized persons for several attacks: hijacking of the drone, eavesdropping of the AR.Drone's unprotected video streams, and the tracking of persons. Amongst other aspects, our current research focuses on the realization of the attack of tracking persons and objects with the drone. Besides the realization of attacks, we want to evaluate the potential of this particular drone for a "safe-landing" function, as well as potential security enhancements. Additionally, in future we plan to investigate an automatic tracking of persons or objects without the need of human interactions.

  18. E-mail security. An overview of threats and safeguards.

    PubMed

    Stine, Kevin; Scholl, Matthew

    2010-04-01

    Not everyone in the organization needs to know how to secure the e-mail service, but anyone who handles patient information must understand e-mail's vulnerabilities and recognize when a system is secure enough to transmit sensitive information.

  19. Security: Progress and Challenges

    ERIC Educational Resources Information Center

    Luker, Mark A.

    2004-01-01

    The Homepage column in the March/April 2003 issue of "EDUCAUSE Review" explained the national implication of security vulnerabilities in higher education and the role of the EDUCAUSE/Internet2 Computer and Network Security Task Force in representing the higher education sector in the development of the National Strategy to Secure Cyberspace. Among…

  20. Threats and risks to information security: a practical analysis of free access wireless networks

    NASA Astrophysics Data System (ADS)

    Quirumbay, Daniel I.; Coronel, Iván. A.; Bayas, Marcia M.; Rovira, Ronald H.; Gromaszek, Konrad; Tleshova, Akmaral; Kozbekova, Ainur

    2017-08-01

    Nowadays, there is an ever-growing need to investigate, consult and communicate through the internet. This need leads to the intensification of free access to the web in strategic and functional points for the benefit of the community. However, this open access is also related to the increase of information insecurity. The existing works on computer security primarily focus on the development of techniques to reduce cyber-attacks. However, these approaches do not address the sector of inexperienced users who have difficulty understanding browser settings. Two methods can solve this problem: first the development of friendly browsers with intuitive setups for new users and on the other hand, by implementing awareness programs on essential security without deepening on technical information. This article addresses an analysis of the vulnerabilities of wireless equipment that provides internet service in the open access zones and the potential risks that could be found when using these means.

  1. A Security Audit Framework to Manage Information System Security

    NASA Astrophysics Data System (ADS)

    Pereira, Teresa; Santos, Henrique

    The widespread adoption of information and communication technology has promoted an increased dependency of organizations on the performance of their Information Systems. As a result, adequate security procedures to properly manage information security must be established by the organizations, in order to protect their valued or critical resources from accidental or intentional attacks, and ensure their normal activity. A conceptual security framework to manage and audit Information System Security is proposed and discussed. The proposed framework intends to assist organizations firstly to understand what they precisely need to protect assets and what are their weaknesses (vulnerabilities), enabling to perform an adequate security management. Secondly, enabling a security audit framework to support the organization to assess the efficiency of the controls and policy adopted to prevent or mitigate attacks, threats and vulnerabilities, promoted by the advances of new technologies and new Internet-enabled services, that the organizations are subject of. The presented framework is based on a conceptual model approach, which contains the semantic description of the concepts defined in information security domain, based on the ISO/IEC_JCT1 standards.

  2. Securing America’s Passenger-Rail Systems

    DTIC Science & Technology

    2007-01-01

    around the world highlight the vulnerability of rail travel and the importance of rail security for these passengers. The use of passenger rail and...take to U.S. railways. Recent attacks on passenger-rail systems around the world highlight the vulnerability of rail travel and the importance of rail...rails (Boardman, 2005), making more than 3.5 billion trips (APTA, 2006).1 And these estimates do not count the passengers traveling on the National

  3. Intentional cargo disruption by nefarious means: Examining threats, systemic vulnerabilities and securitisation measures in complex global supply chains.

    PubMed

    McGreevy, Conor; Harrop, Wayne

    2015-01-01

    Global trade and commerce requires products to be securely contained and transferred in a timely way across great distances and between national boundaries. Throughout the process, cargo and containers are stored, handled and checked by a range of authorities and authorised agents. Intermodal transportation involves the use of container ships, planes, railway systems, land bridges, road networks and barges. This paper examines the nefarious nature of intentional disruption and nefarious risks associated with the movement of cargo and container freight. The paper explores main threats, vulnerabilities and security measures relevant to significant intermodal transit risk issues such as theft, piracy, terrorism, contamination, counterfeiting and product tampering. Three risk and vulnerability models are examined and basic standards and regulations that are relevant to safe and secure transit of container goods across international supply networks are outlined.

  4. On the security of a simple three-party key exchange protocol without server's public keys.

    PubMed

    Nam, Junghyun; Choo, Kim-Kwang Raymond; Park, Minkyu; Paik, Juryon; Won, Dongho

    2014-01-01

    Authenticated key exchange protocols are of fundamental importance in securing communications and are now extensively deployed for use in various real-world network applications. In this work, we reveal major previously unpublished security vulnerabilities in the password-based authenticated three-party key exchange protocol according to Lee and Hwang (2010): (1) the Lee-Hwang protocol is susceptible to a man-in-the-middle attack and thus fails to achieve implicit key authentication; (2) the protocol cannot protect clients' passwords against an offline dictionary attack; and (3) the indistinguishability-based security of the protocol can be easily broken even in the presence of a passive adversary. We also propose an improved password-based authenticated three-party key exchange protocol that addresses the security vulnerabilities identified in the Lee-Hwang protocol.

  5. On the Security of a Simple Three-Party Key Exchange Protocol without Server's Public Keys

    PubMed Central

    Nam, Junghyun; Choo, Kim-Kwang Raymond; Park, Minkyu; Paik, Juryon; Won, Dongho

    2014-01-01

    Authenticated key exchange protocols are of fundamental importance in securing communications and are now extensively deployed for use in various real-world network applications. In this work, we reveal major previously unpublished security vulnerabilities in the password-based authenticated three-party key exchange protocol according to Lee and Hwang (2010): (1) the Lee-Hwang protocol is susceptible to a man-in-the-middle attack and thus fails to achieve implicit key authentication; (2) the protocol cannot protect clients' passwords against an offline dictionary attack; and (3) the indistinguishability-based security of the protocol can be easily broken even in the presence of a passive adversary. We also propose an improved password-based authenticated three-party key exchange protocol that addresses the security vulnerabilities identified in the Lee-Hwang protocol. PMID:25258723

  6. One Step Quantum Key Distribution Based on EPR Entanglement

    PubMed Central

    Li, Jian; Li, Na; Li, Lei-Lei; Wang, Tao

    2016-01-01

    A novel quantum key distribution protocol is presented, based on entanglement and dense coding and allowing asymptotically secure key distribution. Considering the storage time limit of quantum bits, a grouping quantum key distribution protocol is proposed, which overcomes the vulnerability of the first protocol and improves the maneuverability. Moreover, a security analysis is given and a simple type of eavesdropper’s attack would introduce an error rate of at least 46.875%. Compared with the “Ping-pong” protocol involving two steps, the proposed protocol does not need to store the qubit and only involves one step. PMID:27357865

  7. Metrics for the National SCADA Test Bed Program

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Craig, Philip A.; Mortensen, J.; Dagle, Jeffery E.

    2008-12-05

    The U.S. Department of Energy Office of Electricity Delivery and Energy Reliability (DOE-OE) National SCADA Test Bed (NSTB) Program is providing valuable inputs into the electric industry by performing topical research and development (R&D) to secure next generation and legacy control systems. In addition, the program conducts vulnerability and risk analysis, develops tools, and performs industry liaison, outreach and awareness activities. These activities will enhance the secure and reliable delivery of energy for the United States. This report will describe metrics that could be utilized to provide feedback to help enhance the effectiveness of the NSTB Program.

  8. Vulnerabilities in GSM technology and feasibility of selected attacks

    NASA Astrophysics Data System (ADS)

    Voznak, M.; Prokes, M.; Sevcik, L.; Frnda, J.; Toral-Cruz, Homer; Jakovlev, Sergej; Fazio, Peppino; Mehic, M.; Mikulec, M.

    2015-05-01

    Global System for Mobile communication (GSM) is the most widespread technology for mobile communications in the world, serving over 7 billion users. Since the first publication of the system documentation, the occurrence of potential safety problems has been reported. Selected types of attacks, based on the analysis of the technical feasibility and the degree of risk of these weaknesses, were implemented and demonstrated in the laboratory of the VSB-Technical University of Ostrava, Czech Republic. These vulnerabilities were analyzed and afterwards possible attacks were described. These attacks were implemented using open-source tools, the software programmable radio USRP (Universal Software Radio Peripheral) and a DVB-T (Digital Video Broadcasting - Terrestrial) receiver. GSM security architecture has been scrutinized since the first public releases of its specification, mainly pointing out weaknesses in authentication and ciphering mechanisms. This contribution also summarizes practically proven and used scenarios that are performed using open-source software tools and a variety of scripts mostly written in Python. The main goal of this paper is to analyze security issues in the GSM network and to demonstrate selected attacks in practice.

  9. Street-level Bureaucracy and Social Policy in Brazil.

    PubMed

    Costa, Nilson do Rosário

    2017-11-01

    This paper describes the Brazilian central government bureaucracy and people with disabilities' access to the Continuous Cash Benefit (BPC). This access depends on the Ministry of Social Security bureaucracy's evaluation of the condition of vulnerability. We performed a literature review, analysis of secondary data from time series and cross-sectional data to describe street-level federal bureaucracy. Legal documents and indicators describe the expert evaluation regimen of the Ministry of Social Security (MPS). This paper shows the uneven growth of the number of career public servants of the central government in the last two decades. The Brazilian central government has adopted the international concept of person with disabilities in the evaluation of BPC applicants. Despite this decision, it is shown that the Brazilian central government expanded selectively the career bureaucracy to work in the social area. It was found that the result of the evaluation process was quite strict, favoring applicants in conditions of extreme biomedical vulnerability. Despite adopting the social model, BPC eligibility is tied to medical diagnosis.

  10. Security Analysis and Improvement of an Anonymous Authentication Scheme for Roaming Services

    PubMed Central

    Lee, Youngsook; Paik, Juryon

    2014-01-01

    An anonymous authentication scheme for roaming services in global mobility networks allows a mobile user visiting a foreign network to achieve mutual authentication and session key establishment with the foreign-network operator in an anonymous manner. In this work, we revisit He et al.'s anonymous authentication scheme for roaming services and present previously unpublished security weaknesses in the scheme: (1) it fails to provide user anonymity against any third party as well as the foreign agent, (2) it cannot protect the passwords of mobile users due to its vulnerability to an offline dictionary attack, and (3) it does not achieve session-key security against a man-in-the-middle attack. We also show how the security weaknesses of He et al.'s scheme can be addressed without degrading the efficiency of the scheme. PMID:25302330

  11. Security analysis and improvement of an anonymous authentication scheme for roaming services.

    PubMed

    Lee, Youngsook; Paik, Juryon

    2014-01-01

    An anonymous authentication scheme for roaming services in global mobility networks allows a mobile user visiting a foreign network to achieve mutual authentication and session key establishment with the foreign-network operator in an anonymous manner. In this work, we revisit He et al.'s anonymous authentication scheme for roaming services and present previously unpublished security weaknesses in the scheme: (1) it fails to provide user anonymity against any third party as well as the foreign agent, (2) it cannot protect the passwords of mobile users due to its vulnerability to an offline dictionary attack, and (3) it does not achieve session-key security against a man-in-the-middle attack. We also show how the security weaknesses of He et al.'s scheme can be addressed without degrading the efficiency of the scheme.

  12. [Vulnerability and health problems while traveling: the viewpoint of the tourist in the city of Rio de Janeiro].

    PubMed

    Matos, Vanina; Barcellos, Christovam; Camargo, Luiz Octávio de Lima

    2013-01-01

    This article examines how a group of tourists perceives health issues related to safety, prevention and health care during their travels. Interviews were conducted with Brazilian tourists visiting the city of Rio de Janeiro, as well as local residents leaving the city on trips. The interviews were analyzed in accordance with the dimensions of vulnerability, information, prevention and health care, from which vulnerability emerged as a category of analysis. The reports of the trajectory of the tourists made it possible to identify problems and opportunities that could be used by the health sector for actions of prevention and promotion. The means of transport determines the trajectory of tourists and their security alternatives. Traveling in groups and visiting tourist attractions are seen as protective factors, which reinforces the role of information and social support networks as resources used by tourists in the absence of specific policies geared to this highly mobile and vulnerable population group.

  13. 32 CFR 2001.48 - Loss, possible compromise or unauthorized disclosure.

    Code of Federal Regulations, 2010 CFR

    2010-07-01

    ... governments normally will not be advised of any security system vulnerabilities that contributed to the... INFORMATION SECURITY OVERSIGHT OFFICE, NATIONAL ARCHIVES AND RECORDS ADMINISTRATION CLASSIFIED NATIONAL SECURITY INFORMATION Safeguarding § 2001.48 Loss, possible compromise or unauthorized disclosure. (a...

  14. Trust-Based Security Level Evaluation Using Bayesian Belief Networks

    NASA Astrophysics Data System (ADS)

    Houmb, Siv Hilde; Ray, Indrakshi; Ray, Indrajit; Chakraborty, Sudip

    Security is not merely about technical solutions and patching vulnerabilities. Security is about trade-offs and adhering to realistic security needs, employed to support core business processes. Also, modern systems are subject to a highly competitive market, often demanding rapid development cycles, short life-time, short time-to-market, and small budgets. Security evaluation standards, such as ISO 14508 Common Criteria and ISO/IEC 27002, are not adequate for evaluating the security of many modern systems for resource limitations, time-to-market, and other constraints. Towards this end, we propose an alternative time and cost effective approach for evaluating the security level of a security solution, system or part thereof. Our approach relies on collecting information from different sources, who are trusted to varying degrees, and on using a trust measure to aggregate available information when deriving security level. Our approach is quantitative and implemented as a Bayesian Belief Network (BBN) topology, allowing us to reason over uncertain information and seemingly aggregating disparate information. We illustrate our approach by deriving the security level of two alternative Denial of Service (DoS) solutions. Our approach can also be used in the context of security solution trade-off analysis.

  15. Study on the Groundwater Vulnerability Assessment in Sanjiang Plain in Northeast China

    NASA Astrophysics Data System (ADS)

    Tang, Y.; Tang, W. K.; Liu, C.

    2012-12-01

    The Sanjiang Plain is located in the eastern part of China's Heilongjiang Province. Its total area is 109 000 km2, with cultivated land area being 3.6677 million hm2. It is a major national commodity grain base. Rice planting area in Sanjiang Plain has been increasing year by year. Groundwater exploitation is increasing rapidly as a result of rapid increase of paddy field area. It is necessary to research and analyze spatial diversity of groundwater pollution vulnerability for Sanjiang Plain, so as to fulfill the goal of integrated planning, rational utilization of land and water resource, avoiding or minimizing groundwater contamination, and protecting grain security of China. Based on the commonly used DRASTIC method internationally, and according to hydrogeology, land use and other characteristics of Sanjiang Plain, this paper establishes groundwater vulnerability assessment index system. Since the Sanjiang Plain is an area that gives priority to agriculture, the impact of agricultural land and agricultural activity on groundwater vulnerability cannot be ignored. Two indicators, agricultural land use rate (L) and population density (P), are added to the DRASTIC index system; the remaining 5 indicators are groundwater depth (D), aquifer net recharge (R), aquifer media type (A), soil type (S), aquifer hydraulic conductivity (C). Taking ArcGis as a calculation analysis platform to assess groundwater vulnerability of the Sanjiang Plain, by using hierarchical analysis method of the fuzzy mathematics method to calculate each index weight of evaluation vulnerability. This paper applies 6 levels of assessment standard as follows: vulnerability index DI <2 stands for not vulnerable; 2 8 stands for extremely vulnerable. Groundwater vulnerably contaminated area is delineated based on the groundwater vulnerability spatial distribution of Sanjiang Plain. Reasonable land use plan should be made, and strict groundwater protection measures should be taken to reduce the risk of groundwater contamination.

  16. 10 CFR 1017.5 - Requesting a deviation.

    Code of Federal Regulations, 2010 CFR

    2010-01-01

    ... create a potential or real vulnerability); or (3) An exception (i.e., an approved deviation from a requirement in these regulations for which DOE accepts the risk of a safeguards and security vulnerability...

  17. Methods to Secure Databases Against Vulnerabilities

    DTIC Science & Technology

    2015-12-01

    for several languages such as C, C++, PHP, Java and Python [16]. MySQL will work well with very large databases. The documentation references...using Eclipse and connected to each database management system using Python and Java drivers provided by MySQL, MongoDB, and Datastax (for Cassandra...tiers in Python and Java. Problem MySQL MongoDB Cassandra 1. Injection a. Tautologies Vulnerable Vulnerable Not Vulnerable b. Illegal query

  18. The biological threat to U.S. water supplies: Toward a national water security policy.

    PubMed

    Nuzzo, Jennifer B

    2006-01-01

    In addition to providing potable drinking water, U.S. water systems are critical to the maintenance of many vital public services, such as fire suppression and power generation. Disruption of these systems would produce severe public health and safety risks, as well as considerable economic losses. Thus, water systems have been designated as critical to national security by the U.S. government. Previous outbreaks of waterborne disease have demonstrated the vulnerability of both the water supply and the public's health to biological contamination of drinking water. Such experiences suggest that a biological attack, or even a credible threat of an attack, on water infrastructure could seriously jeopardize the public's health, its confidence, and the economic vitality of a community. Despite these recognized vulnerabilities, protecting water supplies from a deliberate biological attack has not been sufficiently addressed. Action in this area has suffered from a lack of scientific understanding of the true vulnerability of water supplies to intentional contamination with bioweapons, insufficient tools for detecting biological agents, and a lack of funds to implement security improvements. Much of what is needed to address the vulnerability of the national water supply falls outside the influence of individual utilities. This includes developing a national research agenda to appropriately identify and characterize waterborne threats and making funds available to implement security improvements.

  19. CONFU: Configuration Fuzzing Testing Framework for Software Vulnerability Detection

    PubMed Central

    Dai, Huning; Murphy, Christian; Kaiser, Gail

    2010-01-01

    Many software security vulnerabilities only reveal themselves under certain conditions, i.e., particular configurations and inputs together with a certain runtime environment. One approach to detecting these vulnerabilities is fuzz testing. However, typical fuzz testing makes no guarantees regarding the syntactic and semantic validity of the input, or of how much of the input space will be explored. To address these problems, we present a new testing methodology called Configuration Fuzzing. Configuration Fuzzing is a technique whereby the configuration of the running application is mutated at certain execution points, in order to check for vulnerabilities that only arise in certain conditions. As the application runs in the deployment environment, this testing technique continuously fuzzes the configuration and checks “security invariants” that, if violated, indicate a vulnerability. We discuss the approach and introduce a prototype framework called ConFu (CONfiguration FUzzing testing framework) for implementation. We also present the results of case studies that demonstrate the approach’s feasibility and evaluate its performance. PMID:21037923

  20. An index to determine vulnerability of communities in a coastal zone: a case study of Baler, Aurora, Philippines.

    PubMed

    Orencio, Pedcris M; Fujii, Masahiko

    2013-02-01

    A coastal community vulnerability index (CCVI) was constructed to evaluate the vulnerability of coastal communities (Buhangin, Pingit, Reserva, Sabang, and Zabali) in the municipality of Baler, Aurora, Philippines. This index was composed of weighted averages of seven vulnerability factors namely geographical, economic and livelihood, food security, environmental, policy and institutional, demographic, and capital good. Factor values were computed based on scores that described range of conditions that influence communities' susceptibility to hazard effects. Among the factors evaluated, economic and livelihood, policy and institutional and food security contributed to CCVI across communities. Only small variations on CCVI values (i.e., 0.47-0.53) were observed as factor values cancelled out one another during combination process. Overall, Sabang received the highest CCVI, which was contributed mainly by geographical and demographic factors. This technique to determine factors that influenced communities' vulnerability can provide information for local governments in enhancing policies on risk mitigation and adaptation.

  1. Embedding Secure Coding Instruction into the IDE: Complementing Early and Intermediate CS Courses with ESIDE

    ERIC Educational Resources Information Center

    Whitney, Michael; Lipford, Heather Richter; Chu, Bill; Thomas, Tyler

    2018-01-01

    Many of the software security vulnerabilities that people face today can be remediated through secure coding practices. A critical step toward the practice of secure coding is ensuring that our computing students are educated on these practices. We argue that secure coding education needs to be included across a computing curriculum. We are…

  2. Evaluation of socio-spatial vulnerability of citydwellers and analysis of risk perception: industrial and seismic risks in Mulhouse

    NASA Astrophysics Data System (ADS)

    Glatron, S.; Beck, E.

    2008-10-01

    Social vulnerability has been studied for years with sociological, psychological and economical approaches. Our proposition focuses on perception and cognitive representations of risks by city dwellers living in a medium size urban area, namely Mulhouse (France). Perception, being part of the social vulnerability and resilience of the society to disasters, influences the potential damage; for example it leads to adequate or inadequate behaviour in the case of an emergency. As geographers, we assume that the spatial relationship to danger or hazard can be an important factor of vulnerability and we feel that the spatial dimension is a challenging question either for better knowledge or for operational reasons (e.g. management of preventive information). We interviewed 491 people, inhabitants and workers, regularly distributed within the urban area to get to know their opinion on hazards and security measures better. We designed and mapped a vulnerability index on the basis of their answers. The results show that the social vulnerability depends on the type of hazard, and that the distance to the source of danger influences the vulnerability, especially for hazards with a precise location (industrial for example). Moreover, the effectiveness of the information campaigns is doubtful, as the people living close to hazardous industries (target of specific preventive information) are surprisingly more vulnerable and less aware of industrial risk.

  3. Safer stops for vulnerable customers

    DOT National Transportation Integrated Search

    2003-03-01

    This synthesis report presents a brief synopsis of the current literature and technologies being used in the development of safer and more secure bus stops. While the focus is more specifically with regard to vulnerable populations - women, children,...

  4. Chemical facility vulnerability assessment project.

    PubMed

    Jaeger, Calvin D

    2003-11-14

    Sandia National Laboratories, under the direction of the Office of Science and Technology, National Institute of Justice, conducted the chemical facility vulnerability assessment (CFVA) project. The primary objective of this project was to develop, test and validate a vulnerability assessment methodology (VAM) for determining the security of chemical facilities against terrorist or criminal attacks (VAM-CF). The project also included a report to the Department of Justice for Congress that in addition to describing the VAM-CF also addressed general observations related to security practices, threats and risks at chemical facilities and chemical transport. In the development of the VAM-CF Sandia leveraged the experience gained from the use and development of VAs in other areas and the input from the chemical industry and Federal agencies. The VAM-CF is a systematic, risk-based approach where risk is a function of the severity of consequences of an undesired event, the attack potential, and the likelihood of adversary success in causing the undesired event. For the purpose of the VAM-CF analyses Risk is a function of S, L(A), and L(AS), where S is the severity of consequence of an event, L(A) is the attack potential and L(AS) likelihood of adversary success in causing a catastrophic event. The VAM-CF consists of 13 basic steps. It involves an initial screening step, which helps to identify and prioritize facilities for further analysis. This step is similar to the prioritization approach developed by the American Chemistry Council (ACC). Other steps help to determine the components of the risk equation and ultimately the risk. The VAM-CF process involves identifying the hazardous chemicals and processes at a chemical facility. It helps chemical facilities to focus their attention on the most critical areas. The VAM-CF is not a quantitative analysis but, rather, compares relative security risks. If the risks are deemed too high, recommendations are developed for measures to reduce the risk. This paper will briefly discuss the CFVA project and VAM-CF process.

  5. Food Security, Institutional Framework and Technology: Examining the Nexus in Nigeria Using ARDL Approach

    PubMed Central

    Osabohien, Romanus; Osabuohien, Evans; Urhie, Ese

    2018-01-01

    Background: Growth in agricultural science and technology is deemed essential for increasing agricultural output; reduce the vulnerability of rural poverty and in turn, food security. Food security and growth in agricultural output depends on technological usages, which enhances the productive capacity of the agricultural sector. The indicators of food security utilised in this study include: dietary energy supply, average value of food production, prevalence of food inadequacy, among others. Objective: In this paper, we examined the level of technology and how investment in the agriculture and technology can improve technical know-how in Nigeria with a view to achieving food security. Method: We carried out the analysis on how investment in technology and institutional framework can improve the level of food availability (a key component of food security) in Nigeria using econometric technique based on Autoregressive Distribution Lag (ARDL) framework. Results: The results showed, inter alia, that in Nigeria, there is a high level of food insecurity as a result of low attention on food production occasioned by the pervasive influence of oil that become the major export product. Conclusion: It was noted that the availability of arable land was one of the major factors to increase food production to solve the challenge of food insecurity. Thus, the efforts of reducing the rate of food insecurity are essential in this regards. This can also be achieved, among others, by active interactions between government and farmers, to make contribution to important planning issues that relate to food production in the country and above all, social protection policies should be geared or channelled to agricultural sector to protect farmers who are vulnerable to shocks and avert risks associated with agriculture. PMID:29853816

  6. Food Security, Institutional Framework and Technology: Examining the Nexus in Nigeria Using ARDL Approach.

    PubMed

    Osabohien, Romanus; Osabuohien, Evans; Urhie, Ese

    2018-04-01

    Growth in agricultural science and technology is deemed essential for increasing agricultural output; reduce the vulnerability of rural poverty and in turn, food security. Food security and growth in agricultural output depends on technological usages, which enhances the productive capacity of the agricultural sector. The indicators of food security utilised in this study include: dietary energy supply, average value of food production, prevalence of food inadequacy, among others. In this paper, we examined the level of technology and how investment in the agriculture and technology can improve technical know-how in Nigeria with a view to achieving food security. We carried out the analysis on how investment in technology and institutional framework can improve the level of food availability (a key component of food security) in Nigeria using econometric technique based on Autoregressive Distribution Lag (ARDL) framework. The results showed, inter alia, that in Nigeria, there is a high level of food insecurity as a result of low attention on food production occasioned by the pervasive influence of oil that become the major export product. It was noted that the availability of arable land was one of the major factors to increase food production to solve the challenge of food insecurity. Thus, the efforts of reducing the rate of food insecurity are essential in this regards. This can also be achieved, among others, by active interactions between government and farmers, to make contribution to important planning issues that relate to food production in the country and above all, social protection policies should be geared or channelled to agricultural sector to protect farmers who are vulnerable to shocks and avert risks associated with agriculture.

  7. Predicting Vulnerability Risks Using Software Characteristics

    ERIC Educational Resources Information Center

    Roumani, Yaman

    2012-01-01

    Software vulnerabilities have been regarded as one of the key reasons for computer security breaches that have resulted in billions of dollars in losses per year (Telang and Wattal 2005). With the growth of the software industry and the Internet, the number of vulnerability attacks and the ease with which an attack can be made have increased. From…

  8. 78 FR 42101 - Boston Area Maritime Security Advisory Committee; Vacancies

    Federal Register 2010, 2011, 2012, 2013, 2014

    2013-07-15

    ...: Identifying critical port infrastructure and operations; Identifying risks (threats, vulnerabilities, and... years of experience related to maritime or port security operations. AMSC Membership The Boston AMSC has... security industries. In support of the USCG policy on gender and ethnic nondiscrimination, we encourage...

  9. 77 FR 39249 - Boston Area Maritime Security Advisory Committee; Vacancies

    Federal Register 2010, 2011, 2012, 2013, 2014

    2012-07-02

    ...: Identifying critical port infrastructure and operations; Identifying risks (threats, vulnerabilities, and... years of experience related to maritime or port security operations. AMSC Membership The Boston AMSC has... security industries. In support of the USCG policy on gender and ethnic diversity, we encourage qualified...

  10. Interactive Programming Support for Secure Software Development

    ERIC Educational Resources Information Center

    Xie, Jing

    2012-01-01

    Software vulnerabilities originating from insecure code are one of the leading causes of security problems people face today. Unfortunately, many software developers have not been adequately trained in writing secure programs that are resistant from attacks violating program confidentiality, integrity, and availability, a style of programming…

  11. High Assurance Models for Secure Systems

    ERIC Educational Resources Information Center

    Almohri, Hussain M. J.

    2013-01-01

    Despite the recent advances in systems and network security, attacks on large enterprise networks consistently impose serious challenges to maintaining data privacy and software service integrity. We identify two main problems that contribute to increasing the security risk in a networked environment: (i) vulnerable servers, workstations, and…

  12. VMSoar: a cognitive agent for network security

    NASA Astrophysics Data System (ADS)

    Benjamin, David P.; Shankar-Iyer, Ranjita; Perumal, Archana

    2005-03-01

    VMSoar is a cognitive network security agent designed for both network configuration and long-term security management. It performs automatic vulnerability assessments by exploring a configuration's weaknesses and also performs network intrusion detection. VMSoar is built on the Soar cognitive architecture, and benefits from the general cognitive abilities of Soar, including learning from experience, the ability to solve a wide range of complex problems, and use of natural language to interact with humans. The approach used by VMSoar is very different from that taken by other vulnerability assessment or intrusion detection systems. VMSoar performs vulnerability assessments by using VMWare to create a virtual copy of the target machine then attacking the simulated machine with a wide assortment of exploits. VMSoar uses this same ability to perform intrusion detection. When trying to understand a sequence of network packets, VMSoar uses VMWare to make a virtual copy of the local portion of the network and then attempts to generate the observed packets on the simulated network by performing various exploits. This approach is initially slow, but VMSoar's learning ability significantly speeds up both vulnerability assessment and intrusion detection. This paper describes the design and implementation of VMSoar, and initial experiments with Windows NT and XP.

  13. An Enhanced Secure Identity-Based Certificateless Public Key Authentication Scheme for Vehicular Sensor Networks

    PubMed Central

    Li, Congcong; Zhang, Xi; Wang, Haiping; Li, Dongfeng

    2018-01-01

    Vehicular sensor networks have been widely applied in intelligent traffic systems in recent years. Because of the specificity of vehicular sensor networks, they require an enhanced, secure and efficient authentication scheme. Existing authentication protocols are vulnerable to some problems, such as a high computational overhead with certificate distribution and revocation, strong reliance on tamper-proof devices, limited scalability when building many secure channels, and an inability to detect hardware tampering attacks. In this paper, an improved authentication scheme using certificateless public key cryptography is proposed to address these problems. A security analysis of our scheme shows that our protocol provides an enhanced secure anonymous authentication, which is resilient against major security threats. Furthermore, the proposed scheme reduces the incidence of node compromise and replication attacks. The scheme also provides a malicious-node detection and warning mechanism, which can quickly identify compromised static nodes and immediately alert the administrative department. With performance evaluations, the scheme can obtain better trade-offs between security and efficiency than the well-known available schemes. PMID:29324719

  14. Assessing the Impacts of Decadal Socio-Agro-Hydro Climatic Variations on Agricultural Vulnerability over India

    NASA Astrophysics Data System (ADS)

    Mohanty, M. P.; Sharma, T.; Ghosh, S.; Karmakar, S.

    2017-12-01

    Among both rice and wheat producing countries, India holds one of the major global shares in terms of production. However, with rising population, economic variability, and increasing food demand, it has become indispensable to strategically assess the food security of the nation, particularly under changing climatic conditions. This can be achieved by improving knowledge on the impacts of climate change on crop growth and yield through understanding the current status of agricultural vulnerability and quantifying its decadal changes. The present research focuses on assessing the observed decadal changes in agricultural vulnerability over India, at a district-scale. In the study, the deliberation of multiple climatic, hydrologic, agricultural indicators will majorly facilitate evaluating their direct/indirect influence on the crop production. In addition, a set of socio-economic indicators will also be considered to understand the attribution of these factors on the change in agricultural vulnerability. Here, these indicators will be integrated into a multivariate data envelopment analysis (DEA) framework to derive relative efficiency of each unit or district in crop production, which will be further transformed into a well-grounded agricultural vulnerability map. It has become essential to understand the influence of these indicators on agriculture, given that the extended periods of excessive/no rainfall or high/low temperature can alter the water cycle and hence cause stress on the agroecosystem. Likewise, change in the population density, main and marginal cultivators, main and marginal agriculture labours, improvement in management practices, or increase in power supply for agricultural use, can directly affect the food security of the region. Hence, this study will undoubtedly assist the decision-makers/strategists by highlighting the agriculturally vulnerable regions over India. Consequently, it will reassure the farmers to define bottom-up approaches in terms of different management practices, to cope with the adverse climatic impacts.

  15. Feature-based alert correlation in security systems using self organizing maps

    NASA Astrophysics Data System (ADS)

    Kumar, Munesh; Siddique, Shoaib; Noor, Humera

    2009-04-01

    The security of the networks has been an important concern for any organization. This is especially important for the defense sector as to get unauthorized access to the sensitive information of an organization has been the prime desire for cyber criminals. Many network security techniques like Firewall, VPN Concentrator etc. are deployed at the perimeter of network to deal with attack(s) that occur(s) from exterior of network. But any vulnerability that causes to penetrate the network's perimeter of defense, can exploit the entire network. To deal with such vulnerabilities a system has been evolved with the purpose of generating an alert for any malicious activity triggered against the network and its resources, termed as Intrusion Detection System (IDS). The traditional IDS have still some deficiencies like generating large number of alerts, containing both true and false one etc. By automatically classifying (correlating) various alerts, the high-level analysis of the security status of network can be identified and the job of network security administrator becomes much easier. In this paper we propose to utilize Self Organizing Maps (SOM); an Artificial Neural Network for correlating large amount of logged intrusion alerts based on generic features such as Source/Destination IP Addresses, Port No, Signature ID etc. The different ways in which alerts can be correlated by Artificial Intelligence techniques are also discussed. We've shown that the strategy described in the paper improves the efficiency of IDS by better correlating the alerts, leading to reduced false positives and increased competence of network administrator.

  16. Climate change vulnerability to agrarian ecosystem of small Island: evidence from Sagar Island, India

    NASA Astrophysics Data System (ADS)

    Mandal, S.; Satpati, L. N.; Choudhury, B. U.; Sadhu, S.

    2018-04-01

    The present study assessed climate change vulnerability in agricultural sector of low-lying Sagar Island of Bay of Bengal. Vulnerability indices were estimated using spatially aggregated biophysical and socio-economic parameters by applying principal component analysis and equal weight method. The similarities and differences of outputs of these two methods were analysed across the island. From the integration of outputs and based on the severity of vulnerability, explicit vulnerable zones were demarcated spatially. Results revealed that life subsistence agriculture in 11.8% geographical area (2829 ha) of the island along the western coast falls under very high vulnerable zone (VHVZ VI of 84-99%) to climate change. Comparatively higher values of exposure (0.53 ± 0.26) and sensitivity (0.78 ± 0.14) subindices affirmed that the VHV zone is highly exposed to climate stressor with very low adaptive capacity (ADI= 0.24 ± 0.16) to combat vulnerability to climate change. Hence, food security for a population of >22 thousands comprising >3.7 thousand agrarian households are highly exposed to climate change. Another 17% area comprising 17.5% population covering 20% villages in north-western and eastern parts of the island also falls under high vulnerable (VI= 61%-77%) zone. Findings revealed large spatial heterogeneity in the degree of vulnerability across the island and thus, demands devising area specific planning (adaptation and mitigation strategies) to address the climate change impact implications both at macro and micro levels.

  17. Aviation Security: Vulnerabilities in, and Alternatives for, Preboard Screening Security Operations

    DTIC Science & Technology

    2001-09-25

    establishing the certification program. This regulation is particularly significant because it is to include requirements mandated by the Airport Security Improvement...Assessment of Airport Security Screener Performance and Retention, Sept. 15, 2000. Page 8 GAO-01-1171T Criteria for Assessing Shifting responsibility for...airline and airport security officials to assess each option for reassigning screening responsibility against the key criteria- Specifically, we asked

  18. Moving Target Techniques: Leveraging Uncertainty for CyberDefense

    DTIC Science & Technology

    2015-12-15

    cyberattacks is a continual struggle for system managers. Attackers often need only find one vulnerability (a flaw or bug that an attacker can exploit...additional parsing code itself could have security-relevant software bugs. Dynamic Network Techniques in the dynamic network domain change the...evaluation of MT techniques can benefit from a variety of evaluation approaches, including abstract analysis, modeling and simulation, test bed

  19. Better Safe than Sorry: Panic Buttons as a Security Measure in an Academic Medical Library

    ERIC Educational Resources Information Center

    McMullen, Karen D.; Kane, Laura Townsend

    2008-01-01

    In the wake of recent tragedies, campus security has become a hot issue nationwide. Campus libraries, as traditional meeting spots for varied groups of people, are particularly vulnerable to security issues. Safety and security problems that can occur at any library generally include theft, vandalism, arson, antisocial behavior, and assaults on…

  20. Information Technology Security Professionals' Knowledge and Use Intention Based on UTAUT Model

    ERIC Educational Resources Information Center

    Kassa, Woldeloul

    2016-01-01

    Information technology (IT) security threats and vulnerabilities have become a major concern for organizations in the United States. However, there has been little research on assessing the effect of IT security professionals' knowledge on the use of IT security controls. This study examined the unified theory of acceptance and use of technology…

  1. Mixed-Method Quasi-Experimental Study of Outcomes of a Large-Scale Multilevel Economic and Food Security Intervention on HIV Vulnerability in Rural Malawi.

    PubMed

    Weinhardt, Lance S; Galvao, Loren W; Yan, Alice F; Stevens, Patricia; Mwenyekonde, Thokozani Ng'ombe; Ngui, Emmanuel; Emer, Lindsay; Grande, Katarina M; Mkandawire-Valhmu, Lucy; Watkins, Susan C

    2017-03-01

    The objective of the Savings, Agriculture, Governance, and Empowerment for Health (SAGE4Health) study was to evaluate the impact of a large-scale multi-level economic and food security intervention on health outcomes and HIV vulnerability in rural Malawi. The study employed a quasi-experimental non-equivalent control group design to compare intervention participants (n = 598) with people participating in unrelated programs in distinct but similar geographical areas (control, n = 301). We conducted participant interviews at baseline, 18-, and 36-months on HIV vulnerability and related health outcomes, food security, and economic vulnerability. Randomly selected households (n = 1002) were interviewed in the intervention and control areas at baseline and 36 months. Compared to the control group, the intervention led to increased HIV testing (OR 1.90; 95 % CI 1.29-2.78) and HIV case finding (OR = 2.13; 95 % CI 1.07-4.22); decreased food insecurity (OR = 0.74; 95 % CI 0.63-0.87), increased nutritional diversity, and improved economic resilience to shocks. Most effects were sustained over a 3-year period. Further, no significant differences in change were found over the 3-year study period on surveys of randomly selected households in the intervention and control areas. Although there were general trends toward improvement in the study area, only intervention participants' outcomes were significantly better. Results indicate the intervention can improve economic and food security and HIV vulnerability through increased testing and case finding. Leveraging the resources of economic development NGOs to deliver locally-developed programs with scientific funding to conduct controlled evaluations has the potential to accelerate the scientific evidence base for the effects of economic development programs on health.

  2. Lightweight and confidential data discovery and dissemination for wireless body area networks.

    PubMed

    He, Daojing; Chan, Sammy; Zhang, Yan; Yang, Haomiao

    2014-03-01

    As a special sensor network, a wireless body area network (WBAN) provides an economical solution to real-time monitoring and reporting of patients' physiological data. After a WBAN is deployed, it is sometimes necessary to disseminate data into the network through wireless links to adjust configuration parameters of body sensors or distribute management commands and queries to sensors. A number of such protocols have been proposed recently, but they all focus on how to ensure reliability and overlook security vulnerabilities. Taking into account the unique features and application requirements of a WBAN, this paper presents the design, implementation, and evaluation of a secure, lightweight, confidential, and denial-of-service-resistant data discovery and dissemination protocol for WBANs to ensure the data items disseminated are not altered or tampered. Based on multiple one-way key hash chains, our protocol provides instantaneous authentication and can tolerate node compromise. Besides the theoretical analysis that demonstrates the security and performance of the proposed protocol, this paper also reports the experimental evaluation of our protocol in a network of resource-limited sensor nodes, which shows its efficiency in practice. In particular, extensive security analysis shows that our protocol is provably secure.

  3. Secure method for biometric-based recognition with integrated cryptographic functions.

    PubMed

    Chiou, Shin-Yan

    2013-01-01

    Biometric systems refer to biometric technologies which can be used to achieve authentication. Unlike cryptography-based technologies, the ratio for certification in biometric systems needs not to achieve 100% accuracy. However, biometric data can only be directly compared through proximal access to the scanning device and cannot be combined with cryptographic techniques. Moreover, repeated use, improper storage, or transmission leaks may compromise security. Prior studies have attempted to combine cryptography and biometrics, but these methods require the synchronization of internal systems and are vulnerable to power analysis attacks, fault-based cryptanalysis, and replay attacks. This paper presents a new secure cryptographic authentication method using biometric features. The proposed system combines the advantages of biometric identification and cryptographic techniques. By adding a subsystem to existing biometric recognition systems, we can simultaneously achieve the security of cryptographic technology and the error tolerance of biometric recognition. This method can be used for biometric data encryption, signatures, and other types of cryptographic computation. The method offers a high degree of security with protection against power analysis attacks, fault-based cryptanalysis, and replay attacks. Moreover, it can be used to improve the confidentiality of biological data storage and biodata identification processes. Remote biometric authentication can also be safely applied.

  4. Network Security Is Manageable

    ERIC Educational Resources Information Center

    Roberts, Gary

    2006-01-01

    An effective systems librarian must understand security vulnerabilities and be proactive in preventing problems. Specifics of future attacks or security challenges cannot possibly be anticipated, but this paper suggests some simple measures that can be taken to make attacks less likely to occur: program the operating system to get automatic…

  5. A data protection scheme for a remote vital signs monitoring healthcare service.

    PubMed

    Gritzalis, D; Lambrinoudakis, C

    2000-01-01

    Personal and medical data processed by Healthcare Information Systems must be protected against unauthorized access, modification and withholding. Security measures should be selected to provide the required level of protection in a cost-efficient manner. This is only feasible if specific characteristics of the information system are examined on a basis of a risk analysis methodology. This paper presents the results of a risk analysis, based on the CRAMM methodology, for a healthcare organization offering a patient home-monitoring service through the transmission of vital signs, focusing on the identified security needs and the proposed countermeasures. The architectural and functional models of this service were utilized for identifying and valuating the system assets, the associated threats and vulnerabilities, as well as for assessing the impact on the patients and on the service provider, should the security of any of these assets be affected. A set of adequate organizational, administrative and technical countermeasures is described for the remote vital signs monitoring service, thus providing the healthcare organization with a data protection framework that can be utilized for the development of its own security plan.

  6. Shall we trust WDDL?

    NASA Astrophysics Data System (ADS)

    Guilley, Sylvain; Chaudhuri, Sumanta; Sauvage, Laurent; Graba, Tarik; Danger, Jean-Luc; Hoogvorst, Philippe; Vong, Vinh-Nga; Nassar, Maxime; Flament, Florent

    Security is not only a matter of cryptographic algorithms robustness but becomes also a question of securing their implementation. P. Kocher’s differential power analysis (DPA) is one of the many side-channel attacks that are more and more studied by the security community. Indeed, side-channel attacks (SCA) have proved to be very powerful on cryptographic algorithms such as DES and AES, customarily implemented in a wide variety of devices, ranging from smart-cards or ASICs to FPGAs. Among the proposed countermeasures, the “dual-rail with precharge logic” (DPL) aims at hiding information leaked by the circuit by making the power consumption independent of the calculation. However DPL logic could be subject to second order attacks exploiting timing difference between dual nets. In this article, we characterize by simulation, the vulnerability due to timing unbalance in the eight DES substitution boxes implemented in DPL WDDL style. The characterization results in a classification of the nodes according to their timing unbalance. Our results show that the timing unbalance is a major weakness of the WDDL logic, and that it could be used to retrieve the key using a DPA attack. This vulnerability has been experimentally observed on a full DES implementation using WDDL style for Altera Stratix EP1S25 FPGA.

  7. Defining the Synthetic Biology Supply Chain.

    PubMed

    Frazar, Sarah L; Hund, Gretchen E; Bonheyo, George T; Diggans, James; Bartholomew, Rachel A; Gehrig, Lindsey; Greaves, Mark

    Several recent articles have described risks posed by synthetic biology and spurred vigorous discussion in the scientific, commercial, and government communities about how to best detect, prevent, regulate, and respond to these risks. The Pacific Northwest National Laboratory's (PNNL) deep experience working with dual-use technologies for the nuclear industry has shown that analysis of supply chains can reveal security vulnerabilities and ways to mitigate security risk without hindering beneficial research and commerce. In this article, a team of experts in synthetic biology, data analytics, and national security describe the overall supply chain surrounding synthetic biology to illustrate new insights about the effectiveness of current regulations, the possible need for different screening approaches, and new technical solutions that could help identify or mitigate risks in the synthetic biology supply chain.

  8. Security proof of counterfactual quantum cryptography against general intercept-resend attacks and its vulnerability

    NASA Astrophysics Data System (ADS)

    Zhang, Sheng; Wang, Jian; Tang, Chao-Jing

    2012-06-01

    Counterfactual quantum cryptography, recently proposed by Noh, is featured with no transmission of signal particles. This exhibits evident security advantages, such as its immunity to the well-known photon-number-splitting attack. In this paper, the theoretical security of counterfactual quantum cryptography protocol against the general intercept-resend attacks is proved by bounding the information of an eavesdropper Eve more tightly than in Yin's proposal [Phys. Rev. A 82 042335 (2010)]. It is also shown that practical counterfactual quantum cryptography implementations may be vulnerable when equipped with imperfect apparatuses, by proving that a negative key rate can be achieved when Eve launches a time-shift attack based on imperfect detector efficiency.

  9. Enhancement of A5/1 encryption algorithm

    NASA Astrophysics Data System (ADS)

    Thomas, Ria Elin; Chandhiny, G.; Sharma, Katyayani; Santhi, H.; Gayathri, P.

    2017-11-01

    Mobiles have become an integral part of today’s world. Various standards have been proposed for the mobile communication, one of them being GSM. With the rising increase of mobile-based crimes, it is necessary to improve the security of the information passed in the form of voice or data. GSM uses A5/1 for its encryption. It is known that various attacks have been implemented, exploiting the vulnerabilities present within the A5/1 algorithm. Thus, in this paper, we proceed to look at what these vulnerabilities are, and propose the enhanced A5/1 (E-A5/1) where, we try to improve the security provided by the A5/1 algorithm by XORing the key stream generated with a pseudo random number, without increasing the time complexity. We need to study what the vulnerabilities of the base algorithm (A5/1) is, and try to improve upon its security. This will help in the future releases of the A5 family of algorithms.

  10. Human-Technology Centric In Cyber Security Maintenance For Digital Transformation Era

    NASA Astrophysics Data System (ADS)

    Ali, Firkhan Ali Bin Hamid; Zalisham Jali, Mohd, Dr

    2018-05-01

    The development of the digital transformation in the organizations has become more expanding in these present and future years. This is because of the active demand to use the ICT services among all the organizations whether in the government agencies or private sectors. While digital transformation has led manufacturers to incorporate sensors and software analytics into their offerings, the same innovation has also brought pressure to offer clients more accommodating appliance deployment options. So, their needs a well plan to implement the cyber infrastructures and equipment. The cyber security play important role to ensure that the ICT components or infrastructures execute well along the organization’s business successful. This paper will present a study of security management models to guideline the security maintenance on existing cyber infrastructures. In order to perform security model for the currently existing cyber infrastructures, combination of the some security workforces and security process of extracting the security maintenance in cyber infrastructures. In the assessment, the focused on the cyber security maintenance within security models in cyber infrastructures and presented a way for the theoretical and practical analysis based on the selected security management models. Then, the proposed model does evaluation for the analysis which can be used to obtain insights into the configuration and to specify desired and undesired configurations. The implemented cyber security maintenance within security management model in a prototype and evaluated it for practical and theoretical scenarios. Furthermore, a framework model is presented which allows the evaluation of configuration changes in the agile and dynamic cyber infrastructure environments with regard to properties like vulnerabilities or expected availability. In case of a security perspective, this evaluation can be used to monitor the security levels of the configuration over its lifetime and to indicate degradations.

  11. Breaking Megrelishvili protocol using matrix diagonalization

    NASA Astrophysics Data System (ADS)

    Arzaki, Muhammad; Triantoro Murdiansyah, Danang; Adi Prabowo, Satrio

    2018-03-01

    In this article we conduct a theoretical security analysis of Megrelishvili protocol—a linear algebra-based key agreement between two participants. We study the computational complexity of Megrelishvili vector-matrix problem (MVMP) as a mathematical problem that strongly relates to the security of Megrelishvili protocol. In particular, we investigate the asymptotic upper bounds for the running time and memory requirement of the MVMP that involves diagonalizable public matrix. Specifically, we devise a diagonalization method for solving the MVMP that is asymptotically faster than all of the previously existing algorithms. We also found an important counterintuitive result: the utilization of primitive matrix in Megrelishvili protocol makes the protocol more vulnerable to attacks.

  12. Information Assurance as a System of Systems in the Submarine Force

    DTIC Science & Technology

    2013-09-01

    cause and effect on overall ship mission and vulnerabilities. Organizational governance must raise the level of awareness as to network security...understand the cause and effect on overall ship mission and vulnerabilities. Organizational governance must raise the level of awareness as to network...Table 2. Assessment Scale– Vulnerability Severity (After NIST 800–30 Rev1 2012, F-2

  13. Combatting Inherent Vulnerabilities of CFAR Algorithms and a New Robust CFAR Design

    DTIC Science & Technology

    1993-09-01

    elements of any automatic radar system. Unfortunately, CFAR systems are inherently vulnerable to degradation caused by large clutter edges, multiple ...edges, multiple targets, and electronic countermeasures (ECM) environments. 20 Distribution, Availability of Abstract 21 Abstract Security...inherently vulnerable to degradation caused by large clutter edges, multiple targets and jamming environments. This thesis presents eight popular and studied

  14. Traditional and alternative community food security interventions in Montréal, Québec: different practices, different people.

    PubMed

    Roncarolo, Federico; Adam, Caroline; Bisset, Sherri; Potvin, Louise

    2015-04-01

    Food insecurity is steadily increasing in developed countries. Traditional interventions adopted to tackle food insecurity, like food banks, address the urgent need for food. By contrast, alternative interventions, such as community gardens and kitchens, are oriented towards social integration and the development of mutual aid networks. The objective of this paper is to examine whether the populations served by traditional and alternative interventions in food security differ according to measures of vulnerability. We studied newly registered participants to food security interventions. Participants were selected from a random sample of food security community organizations in a two-stage cluster sampling frame. The categorizing variable was participation in a community organization providing either traditional interventions or alternative interventions. Seven measures of vulnerability were used: food security; perceived health; civic participation; perceived social support of the primary network, social isolation, income and education. Regression multilevel models were used to assess associations. 711 participants in traditional interventions and 113 in alternative interventions were enrolled in the study. Between group differences were found with respect to food insecurity, health status perception, civic participation, education and income, but not with respect to social isolation or perceived social support from primary social network. Traditional and alternative food security interventions seem to reach different populations. Participants in traditional interventions were found to have less access to resources, compared to those in alternative interventions. Thus, new participants in traditional interventions may have higher levels of vulnerability than those in alternative interventions.

  15. Modeling rain-fed maize vulnerability to droughts using the standardized precipitation index from satellite estimated rainfall—Southern Malawi case study

    USGS Publications Warehouse

    Funk, Christopher C.; Verdin, James; Adams Chavula; Gregory J. Husak; Harikishan Jayanthi; Tamuka Magadzire

    2013-01-01

    During 1990s, disaster risk reduction emerged as a novel, proactive approach to managing risks from natural hazards. The World Bank, USAID, and other international donor agencies began making efforts to mainstream disaster risk reduction in countries whose population and economies were heavily dependent on rain-fed agriculture. This approach has more significance in light of the increasing climatic hazard patterns and the climate scenarios projected for different hazard prone countries in the world. The Famine Early Warning System Network (FEWS NET) has been monitoring the food security issues in the sub-Saharan Africa, Asia and in Haiti. FEWS NET monitors the rainfall and moisture availability conditions with the help of NOAA RFE2 data for deriving food security status in Africa. This paper highlights the efforts in using satellite estimated rainfall inputs to develop drought vulnerability models in the drought prone areas in Malawi. The satellite RFE2 based SPI corresponding to the critical tasseling and silking phases (in the months of January, February, and March) were statistically regressed with drought-induced yield losses at the district level. The analysis has shown that the drought conditions in February and early March lead to most damage to maize yields in this region. The district-wise vulnerabilities to drought were upscaled to obtain a regional maize vulnerability model for southern Malawi. The results would help in establishing an early monitoring mechanism for drought impact assessment, give the decision makers additional time to assess seasonal outcomes, and identify potential food-related hazards in Malawi.

  16. Identifying and tracking attacks on networks: C3I displays and related technologies

    NASA Astrophysics Data System (ADS)

    Manes, Gavin W.; Dawkins, J.; Shenoi, Sujeet; Hale, John C.

    2003-09-01

    Converged network security is extremely challenging for several reasons; expanded system and technology perimeters, unexpected feature interaction, and complex interfaces all conspire to provide hackers with greater opportunities for compromising large networks. Preventive security services and architectures are essential, but in and of themselves do not eliminate all threat of compromise. Attack management systems mitigate this residual risk by facilitating incident detection, analysis and response. There are a wealth of attack detection and response tools for IP networks, but a dearth of such tools for wireless and public telephone networks. Moreover, methodologies and formalisms have yet to be identified that can yield a common model for vulnerabilities and attacks in converged networks. A comprehensive attack management system must coordinate detection tools for converged networks, derive fully-integrated attack and network models, perform vulnerability and multi-stage attack analysis, support large-scale attack visualization, and orchestrate strategic responses to cyber attacks that cross network boundaries. We present an architecture that embodies these principles for attack management. The attack management system described engages a suite of detection tools for various networking domains, feeding real-time attack data to a comprehensive modeling, analysis and visualization subsystem. The resulting early warning system not only provides network administrators with a heads-up cockpit display of their entire network, it also supports guided response and predictive capabilities for multi-stage attacks in converged networks.

  17. Biometric template transformation: a security analysis

    NASA Astrophysics Data System (ADS)

    Nagar, Abhishek; Nandakumar, Karthik; Jain, Anil K.

    2010-01-01

    One of the critical steps in designing a secure biometric system is protecting the templates of the users that are stored either in a central database or on smart cards. If a biometric template is compromised, it leads to serious security and privacy threats because unlike passwords, it is not possible for a legitimate user to revoke his biometric identifiers and switch to another set of uncompromised identifiers. One methodology for biometric template protection is the template transformation approach, where the template, consisting of the features extracted from the biometric trait, is transformed using parameters derived from a user specific password or key. Only the transformed template is stored and matching is performed directly in the transformed domain. In this paper, we formally investigate the security strength of template transformation techniques and define six metrics that facilitate a holistic security evaluation. Furthermore, we analyze the security of two well-known template transformation techniques, namely, Biohashing and cancelable fingerprint templates based on the proposed metrics. Our analysis indicates that both these schemes are vulnerable to intrusion and linkage attacks because it is relatively easy to obtain either a close approximation of the original template (Biohashing) or a pre-image of the transformed template (cancelable fingerprints). We argue that the security strength of template transformation techniques must also consider the computational complexity of obtaining a complete pre-image of the transformed template in addition to the complexity of recovering the original biometric template.

  18. Quantum attack-resistent certificateless multi-receiver signcryption scheme.

    PubMed

    Li, Huixian; Chen, Xubao; Pang, Liaojun; Shi, Weisong

    2013-01-01

    The existing certificateless signcryption schemes were designed mainly based on the traditional public key cryptography, in which the security relies on the hard problems, such as factor decomposition and discrete logarithm. However, these problems will be easily solved by the quantum computing. So the existing certificateless signcryption schemes are vulnerable to the quantum attack. Multivariate public key cryptography (MPKC), which can resist the quantum attack, is one of the alternative solutions to guarantee the security of communications in the post-quantum age. Motivated by these concerns, we proposed a new construction of the certificateless multi-receiver signcryption scheme (CLMSC) based on MPKC. The new scheme inherits the security of MPKC, which can withstand the quantum attack. Multivariate quadratic polynomial operations, which have lower computation complexity than bilinear pairing operations, are employed in signcrypting a message for a certain number of receivers in our scheme. Security analysis shows that our scheme is a secure MPKC-based scheme. We proved its security under the hardness of the Multivariate Quadratic (MQ) problem and its unforgeability under the Isomorphism of Polynomials (IP) assumption in the random oracle model. The analysis results show that our scheme also has the security properties of non-repudiation, perfect forward secrecy, perfect backward secrecy and public verifiability. Compared with the existing schemes in terms of computation complexity and ciphertext length, our scheme is more efficient, which makes it suitable for terminals with low computation capacity like smart cards.

  19. Breaking the cyber-security dilemma: aligning security needs and removing vulnerabilities.

    PubMed

    Dunn Cavelty, Myriam

    2014-09-01

    Current approaches to cyber-security are not working. Rather than producing more security, we seem to be facing less and less. The reason for this is a multi-dimensional and multi-faceted security dilemma that extends beyond the state and its interaction with other states. It will be shown how the focus on the state and "its" security crowds out consideration for the security of the individual citizen, with detrimental effects on the security of the whole system. The threat arising from cyberspace to (national) security is presented as possible disruption to a specific way of life, one building on information technologies and critical functions of infrastructures, with relatively little consideration for humans directly. This non-focus on people makes it easier for state actors to militarize cyber-security and (re-)assert their power in cyberspace, thereby overriding the different security needs of human beings in that space. Paradoxically, the use of cyberspace as a tool for national security, both in the dimension of war fighting and the dimension of mass-surveillance, has detrimental effects on the level of cyber-security globally. A solution out of this dilemma is a cyber-security policy that is decidedly anti-vulnerability and at the same time based on strong considerations for privacy and data protection. Such a security would have to be informed by an ethics of the infosphere that is based on the dignity of information related to human beings.

  20. A Blue/Green Water-based Accounting Framework for Assessment of Water Security

    NASA Astrophysics Data System (ADS)

    Rodrigues, D. B.; Gupta, H. V.; Mendiondo, E. M.

    2013-12-01

    A comprehensive assessment of water security can incorporate several water-related concepts, including provisioning and support for freshwater ecosystem services, water footprint, water scarcity, and water vulnerability, while accounting for Blue and Green Water (BW and GW) flows defined in accordance with the hydrological processes involved. Here, we demonstrate how a quantitative analysis of provisioning and demand (in terms of water footprint) for BW and GW ecosystem services can be conducted, so as to provide indicators of water scarcity and vulnerability at the basin level. To illustrate the approach, we use the Soil and Water Assessment Tool (SWAT) to model the hydrology of an agricultural basin (291 sq.km) within the Cantareira water supply system in Brazil. To provide a more comprehensive basis for decision-making, we compute the BW provision using three different hydrological-based methods for specifying monthly Environmental Flow Requirements (EFRs) for 23 year-period. The current BW-Footprint was defined using surface water rights for reference year 2012. Then we analyzed the BW- and GW-Footprints against long-term series of monthly values of freshwater availability. Our results reveal clear spatial and temporal patterns of water scarcity and vulnerability levels within the basin, and help to distinguish between human and natural reasons (drought) for conditions of insecurity. The Blue/Green water-based accounting framework developed here can be benchmarked at a range of spatial scales, thereby improving our understanding of how and where water-related threats to human and aquatic ecosystem security can arise. Future investigation will be necessary to better understand the intra-annual variability of blue water demand and to evaluate the impacts of uncertainties associated with a) the water rights database, b) the effects of climate change projections on blue and green freshwater provision.

  1. Climate change and nutrition: creating a climate for nutrition security.

    PubMed

    Tirado, M C; Crahay, P; Mahy, L; Zanev, C; Neira, M; Msangi, S; Brown, R; Scaramella, C; Costa Coitinho, D; Müller, A

    2013-12-01

    Climate change further exacerbates the enormous existing burden of undernutrition. It affects food and nutrition security and undermines current efforts to reduce hunger and promote nutrition. Undernutrition in turn undermines climate resilience and the coping strategies of vulnerable populations. The objectives of this paper are to identify and undertake a cross-sectoral analysis of the impacts of climate change on nutrition security and the existing mechanisms, strategies, and policies to address them. A cross-sectoral analysis of the impacts of climate change on nutrition security and the mechanisms and policies to address them was guided by an analytical framework focused on the three 'underlying causes' of undernutrition: 1) household food access, 2) maternal and child care and feeding practices, 3) environmental health and health access. The analytical framework includes the interactions of the three underlying causes of undernutrition with climate change, vulnerability, adaptation and mitigation. Within broad efforts on climate change mitigation and adaptation and climate-resilient development, a combination of nutrition-sensitive adaptation and mitigation measures, climate-resilient and nutrition-sensitive agricultural development, social protection, improved maternal and child care and health, nutrition-sensitive risk reduction and management, community development measures, nutrition-smart investments, increased policy coherence, and institutional and cross-sectoral collaboration are proposed as a means to address the impacts of climate change to food and nutrition security. This paper proposes policy directions to address nutrition in the climate change agenda and recommendations for consideration by the UN Framework Convention on Climate Change (UNFCCC). 
Nutrition and health stakeholders need to be engaged in key climate change adaptation and mitigation initiatives, including science-based assessment by the Intergovernmental Panel on Climate Change (IPCC), and policies and actions formulated by the UN Framework Convention on Climate Change (UNFCCC). Improved multi-sectoral coordination and political will is required to integrate nutrition-sensitive actions into climate-resilient sustainable development efforts in the UNFCCC work and in the post 2015 development agenda. Placing human rights at the center of strategies to mitigate and adapt to the impacts of climate change and international solidarity is essential to advance sustainable development and to create a climate for nutrition security.

  2. Surface transportation vulnerability assessment : general distribution version

    DOT National Transportation Integrated Search

    2001-10-25

    The United States possesses an effective and efficient surface transportation infrastructure that promotes both the well-being of its citizens as well as important economic and national security goals. The level of security afforded this infrastr...

  3. Aviation security : terrorist acts illustrate severe weaknesses in aviation security

    DOT National Transportation Integrated Search

    2001-09-20

    This is the statement of Gerald L. Dillingham, Director, Physical Infrastructure Issues before the Subcommittee on Transportation, Senate and House Committees on Appropriations regarding vulnerabilities to terrorist attacks of the nation's aviation s...

  4. Vulnerability mitigation : technology assessment and deployment

    DOT National Transportation Integrated Search

    2003-01-01

    Because of the new terrorist threats since the September 11, 2001 attacks, rapid development, prototyping, and deployment of systems has been necessary. A well integrated physical security system that combines state of the art security and informatio...

  5. Data management for geospatial vulnerability assessment of interdependencies in US power generation

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Shih, C.Y.; Scown, C.D.; Soibelman, L.

    2009-09-15

    Critical infrastructures maintain our society's stability, security, and quality of life. These systems are also interdependent, which means that the disruption of one infrastructure system can significantly impact the operation of other systems. Because of the heavy reliance on electricity production, it is important to assess possible vulnerabilities. Determining the source of these vulnerabilities can provide insight for risk management and emergency response efforts. This research uses data warehousing and visualization techniques to explore the interdependencies between coal mines, rail transportation, and electric power plants. By merging geospatial and nonspatial data, we are able to model the potential impacts of a disruption to one or more mines, rail lines, or power plants, and visually display the results using a geographical information system. A scenario involving a severe earthquake in the New Madrid Seismic Zone is used to demonstrate the capabilities of the model when given input in the form of a potentially impacted area. This type of interactive analysis can help decision makers to understand the vulnerabilities of the coal distribution network and the potential impact it can have on electricity production.

  6. A lightweight and secure two factor anonymous authentication protocol for Global Mobility Networks.

    PubMed

    Baig, Ahmed Fraz; Hassan, Khwaja Mansoor Ul; Ghani, Anwar; Chaudhry, Shehzad Ashraf; Khan, Imran; Ashraf, Muhammad Usman

    2018-01-01

    Global Mobility Networks (GLOMONETs) in wireless communication permits the global roaming services that enable a user to leverage the mobile services in any foreign country. Technological growth in wireless communication is also accompanied by new security threats and challenges. A threat-proof authentication protocol in wireless communication may overcome the security flaws by allowing only legitimate users to access a particular service. Recently, Lee et al. found Mun et al. scheme vulnerable to different attacks and proposed an advanced secure scheme to overcome the security flaws. However, this article points out that Lee et al. scheme lacks user anonymity, inefficient user authentication, vulnerable to replay and DoS attacks and lack of local password verification. Furthermore, this article presents a more robust anonymous authentication scheme to handle the threats and challenges found in Lee et al.'s protocol. The proposed protocol is formally verified with an automated tool (ProVerif). The proposed protocol has superior efficiency in comparison to the existing protocols.

  7. A lightweight and secure two factor anonymous authentication protocol for Global Mobility Networks

    PubMed Central

    2018-01-01

    Global Mobility Networks (GLOMONETs) in wireless communication permits the global roaming services that enable a user to leverage the mobile services in any foreign country. Technological growth in wireless communication is also accompanied by new security threats and challenges. A threat-proof authentication protocol in wireless communication may overcome the security flaws by allowing only legitimate users to access a particular service. Recently, Lee et al. found Mun et al. scheme vulnerable to different attacks and proposed an advanced secure scheme to overcome the security flaws. However, this article points out that Lee et al. scheme lacks user anonymity, inefficient user authentication, vulnerable to replay and DoS attacks and lack of local password verification. Furthermore, this article presents a more robust anonymous authentication scheme to handle the threats and challenges found in Lee et al.’s protocol. The proposed protocol is formally verified with an automated tool (ProVerif). The proposed protocol has superior efficiency in comparison to the existing protocols. PMID:29702675

  8. Towards a Standard for Highly Secure SCADA Systems

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Carlson, R.

    1998-09-25

    The critical energy infrastructures include gas, oil and electric power. These infrastructures are complex and interdependent networks that are vital to the national security and social well being of our nation. Many electric power systems depend upon gas and oil, while fossil energy delivery systems depend upon electric power. The control mechanisms for these infrastructures are often referred to as SCADA (Supervisory Control and Data Acquisition) systems. SCADA systems provide remote monitoring and centralized control for a distributed transportation infrastructure in order to facilitate delivery of a commodity. Although many of the SCADA concepts developed in this paper can be applied to automotive transportation systems, we will use transportation to refer to the movement of electricity, gas, and oil. Recently, there have been several reports suggesting that the widespread and increasing use of SCADA for control of energy systems provides an increasing opportunity for an adversary to cause serious damage to the energy infrastructure. This damage could arise through cyber infiltration of the SCADA networks, by physically tampering with the control networks, or through a combination of both means. SCADA system threats decompose into cyber and physical threats. One solution to the SCADA security problem is to design a standard for a highly secure SCADA system that is both cyber, and physically secure. Not all physical threats are possible to guard against, but of those threats that are, high security SCADA provides confidence that the system will continue to operate in their presence. One of the most important problems in SCADA security is the relationship between the cyber and physical vulnerabilities. Cyber intrusion increases physical vulnerabilities, while in the dual problem physical tampering increases cyber vulnerabilities. There is potential for feedback and the precise dynamics need to be understood. 
As a first step towards a standard, the goal of this paper is to facilitate a discussion of the requirements analysis for a highly secure SCADA system. The framework for the discussion consists of the identification of SCADA security investment areas coupled with the tradeoffs that will force compromises in the solution. For example, computational and bandwidth requirements of a security standard could force the replacement of entire SCADA systems. The requirements for a real-time response in a cascading electric power failure could pose limitations on authentication and encryption mechanisms. The shortest path to the development of a high security SCADA standard will be achieved by leveraging existing standards efforts and ensuring that security is being properly addressed in those standards. The Utility Communications Architecture 2.0 (UCA), for real-time utility decision control, represents one such standard. The development of a SCADA security specification is a complex task that will benefit from a systems engineering approach.

  9. Building a Practical Framework for Enterprise-Wide Security Management

    DTIC Science & Technology

    2004-04-28

    management. They have found that current efforts to manage security vulnerabilities and security risks only take an enterprise so far, with results...analyzed reports to determine the cause of the increase. Slide 5 © 2004 by Carnegie Mellon University Version 1.0 Secure IT 2004 - page 5 Attack...Nearly 1 in 5 of those surveyed reported that none of their IT staff have any formal security training. [A survey of 896 Computing Technology

  10. Securing Information with Complex Optical Encryption Networks

    DTIC Science & Technology

    2015-08-11

    Network Security, Network Vulnerability , Multi-dimentional Processing, optoelectronic devices 16. SECURITY CLASSIFICATION OF: 17. LIMITATION... optoelectronic devices and systems should be analyzed before the retrieval, any hostile hacker will need to possess multi-disciplinary scientific...sophisticated optoelectronic principles and systems where he/she needs to process the information. However, in the military applications, most military

  11. Examining the Relationship of Business Operations and the Information Security Culture in the United States

    ERIC Educational Resources Information Center

    Wynn, Cynthia L.

    2017-01-01

    An increase in information technology has caused an increase in threats towards information security. Threats are malware, viruses, sabotage from employees, and hacking into computer systems. Organizations have to find new ways to combat vulnerabilities and threats of internal and external threats to protect their information security and…

  12. CIOs Uncensored: Security Smarts.

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Johnson, Gerald R.

    2008-02-25

    This commentary for the CIOs Uncensored section of InformationWeek will discuss PNNL’s “defense in depth” approach to cyber security. It will cover external and internal safeguards, as well as the all-important role of employees in the cyber security equation. For employees are your greatest vulnerability – and your last line of defense.

  13. Information Security Issues in Higher Education and Institutional Research

    ERIC Educational Resources Information Center

    Custer, William L.

    2010-01-01

    Information security threats to educational institutions and their data assets have worsened significantly over the past few years. The rich data stores of institutional research are especially vulnerable, and threats from security breaches represent no small risk. New genres of threat require new kinds of controls if the institution is to prevent…

  14. Developing measurement indices to enhance protection and resilience of critical infrastructure and key resources.

    PubMed

    Fisher, Ronald E; Norman, Michael

    2010-07-01

    The US Department of Homeland Security (DHS) is developing indices to better assist in the risk management of critical infrastructures. The first of these indices is the Protective Measures Index - a quantitative index that measures overall protection across component categories: physical security, security management, security force, information sharing, protective measures and dependencies. The Protective Measures Index, which can also be recalculated as the Vulnerability Index, is a way to compare differing protective measures (eg fence versus security training). The second of these indices is the Resilience Index, which assesses a site's resilience and consists of three primary components: robustness, resourcefulness and recovery. The third index is the Criticality Index, which assesses the importance of a facility. The Criticality Index includes economic, human, governance and mass evacuation impacts. The Protective Measures Index, Resilience Index and Criticality Index are being developed as part of the Enhanced Critical Infrastructure Protection initiative that DHS protective security advisers implement across the nation at critical facilities. This paper describes two core themes: determination of the vulnerability, resilience and criticality of a facility and comparison of the indices at different facilities.

  15. Cyber Hygiene for Control System Security

    DOE PAGES

    Oliver, David

    2015-10-08

    There are many resources from government and private industry available to assist organizations in reducing their attack surface and enhancing their security posture. Furthermore, standards are being written and improved upon to make the practice of securing a network more manageable. And while the specifics of network security are complex, most system vulnerabilities can be mitigated using fairly simple cyber hygiene techniques like those offered above.

  16. Cyber-Physical Security Assessment (CyPSA) Toolset

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Garcia, Luis; Patapanchala, Panini; Zonouz, Saman

    CyPSA seeks to organize and gain insight into the diverse sets of data that a critical infrastructure provider must manage. Specifically CyPSA inventories, manages, and analyzes assets and relations among those assets. A variety of interfaces are provided. CyPSA inventories assets (both cyber and physical). This may include the cataloging of assets through a common interface. Data sources used to generate a catalogue of assets include PowerWorld, NPView, NMap Scans, and device configurations. Depending upon the role of the person using the tool the types of assets accessed as well as the data sources through which asset information is accessed may vary. CyPSA allows practitioners to catalogue relations among assets and these may either be manually or programmatically generated. For example, some common relations among assets include the following: Topological Network Data: Which devices and assets are connected and how? Data sources for this kind of information include NMap scans, NPView topologies (via Firewall rule analysis). Security Metrics Outputs: The output of various security metrics such as overall exposure. Configure Assets: CyPSA may eventually include the ability to configure assets including relays and switches. For example, a system administrator would be able to configure and alter the state of a relay via the CyPSA interface. Annotate Assets: CyPSA also allows practitioners to manually and programmatically annotate assets. Sources of information with which to annotate assets include provenance metadata regarding the data source from which the asset was loaded, vulnerability information from vulnerability databases, configuration information, and the output of an analysis in general.

  17. The public transportation system security and emergency preparedness planning guide

    DOT National Transportation Integrated Search

    2003-01-01

    Recent events have focused renewed attention on the vulnerability of the nation's critical infrastructure to major events, including terrorism. The Public Transportation System Security and Emergency Preparedness Planning Guide has been prepared to s...

  18. 78 FR 9951 - Excepted Service

    Federal Register 2010, 2011, 2012, 2013, 2014

    2013-02-12

    ...) Not to exceed 3000 positions that require unique cyber security skills and knowledge to perform cyber..., distributed control systems security, cyber incident response, cyber exercise facilitation and management, cyber vulnerability detection and assessment, network and systems engineering, enterprise architecture...

  19. U.S. Patent Pending, Cyberspace Security System for Complex Systems, U.S. Patent Application No.: 14/134,949

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Abercrombie, Robert K; Sheldon, Frederick T; Mili, Ali

    A computer implemented method monetizes the security of a cyber-system in terms of losses each stakeholder may expect to lose if a security break down occurs. A non-transitory media stores instructions for generating a stake structure that includes costs that each stakeholder of a system would lose if the system failed to meet security requirements and generating a requirement structure that includes probabilities of failing requirements when computer components fail. The system generates a vulnerability model that includes probabilities of a component failing given threats materializing and generates a perpetrator model that includes probabilities of threats materializing. The system generates a dot product of the stakes structure, the requirement structure, the vulnerability model and the perpetrator model. The system can further be used to compare, contrast and evaluate alternative courses of actions best suited for the stakeholders and their requirements.

  20. [A systemic risk analysis of hospital management processes by medical employees--an effective basis for improving patient safety].

    PubMed

    Sobottka, Stephan B; Eberlein-Gonska, Maria; Schackert, Gabriele; Töpfer, Armin

    2009-01-01

    Due to the knowledge gap that exists between patients and health care staff the quality of medical treatment usually cannot be assessed securely by patients. For an optimization of safety in treatment-related processes of medical care, the medical staff needs to be actively involved in preventive and proactive quality management. Using voluntary, confidential and non-punitive systematic employee surveys, vulnerable topics and areas in patient care revealing preventable risks can be identified at an early stage. Preventive measures to continuously optimize treatment quality can be defined by creating a risk portfolio and a priority list of vulnerable topics. Whereas critical incident reporting systems are suitable for continuous risk assessment by detecting safety-relevant single events, employee surveys permit to conduct a systematic risk analysis of all treatment-related processes of patient care at any given point in time.

  1. Method and tool for network vulnerability analysis

    DOEpatents

    Swiler, Laura Painton [Albuquerque, NM; Phillips, Cynthia A [Albuquerque, NM

    2006-03-14

    A computer system analysis tool and method that will allow for qualitative and quantitative assessment of security attributes and vulnerabilities in systems including computer networks. The invention is based on generation of attack graphs wherein each node represents a possible attack state and each edge represents a change in state caused by a single action taken by an attacker or unwitting assistant. Edges are weighted using metrics such as attacker effort, likelihood of attack success, or time to succeed. Generation of an attack graph is accomplished by matching information about attack requirements (specified in "attack templates") to information about computer system configuration (contained in a configuration file that can be updated to reflect system changes occurring during the course of an attack) and assumed attacker capabilities (reflected in "attacker profiles"). High risk attack paths, which correspond to those considered suited to application of attack countermeasures given limited resources for applying countermeasures, are identified by finding "epsilon optimal paths."

  2. Tensions of network security and collaborative work practice: understanding a single sign-on deployment in a regional hospital.

    PubMed

    Heckle, Rosa R; Lutters, Wayne G

    2011-08-01

    Healthcare providers and their IT staff, working in an effort to balance appropriate accessibility with stricter security mandates, are considering the use of a single network sign-on approach for authentication and password management. Single sign-on (SSO) promises to improve usability of authentication for multiple-system users, increase compliance, and help curb system maintenance costs. However, complexities are introduced when SSO is placed within a collaborative environment. These complexities include unanticipated workflow implications that introduce greater security vulnerability for the individual user. OBJECTIVES AND METHODOLOGY: In this work, we examine the challenges of implementing a single sign-on authentication technology in a hospital environment. The aim of the study was to document the factors that affected SSO adoption within the context of use. The ultimate goal is to better inform the design of usable authentication systems within collaborative healthcare work sites. The primary data collection techniques used are ethnographically informed - observation, contextual interviews, and document review. The study included a cross-section of individuals from various departments and varying roles. These participants were a mix of both clinical and administrative staff, as well as the Information Technology group. The field work revealed fundamental mis-matches between the technology and routine work practices that will significantly impact its effective adoption. While single sign-on was effective in the administrative offices, SSO was not a good fit for collaborative areas. The collaborative needs of the clinical staff unearthed tensions in its implementation. An analysis of the findings revealed that the workflow, activities, and physical environment of the clinical areas create increased security vulnerabilities for the individual user. 
The clinical users were cognizant of these vulnerabilities and this created resistance to the implementation due to a concern for privacy. From a preliminary analysis of our on-going field study at a community hospital, there appears to be a number of mismatches between the SSO vision and the realities of routine work. While we cannot conclusively say if a SSO adoption will be effective in meeting its goals in a hospital environment, we do know that it will affect the work practice and that will make the management of the SSO system problematic. Copyright © 2011 Elsevier Ireland Ltd. All rights reserved.

  3. Methods and protocol of a mixed method quasi-experiment to evaluate the effects of a structural economic and food security intervention on HIV vulnerability in rural Malawi: The SAGE4Health Study.

    PubMed

    Weinhardt, Lance S; Galvao, Loren W; Mwenyekonde, Thokozani; Grande, Katarina M; Stevens, Patricia; Yan, Alice F; Mkandawire-Valhmu, Lucy; Masanjala, Winford; Kibicho, Jennifer; Ngui, Emmanuel; Emer, Lindsay; Watkins, Susan C

    2014-01-01

    Poverty and lack of a predictable, stable source of food are two fundamental determinants of ill health, including HIV/AIDS. Conversely, episodes of poor health and death from HIV can disrupt the ability to maintain economic stability in affected households, especially those that rely on subsistence farming. However, little empirical research has examined if, and how, improvements in people's economic status and food security translate into changes in HIV vulnerability. In this paper, we describe in detail the methods and protocol of an academic-NGO collaboration on a quasi-experimental, longitudinal study of the mechanisms and magnitude of the impact of a multilevel economic and food security program (Support to Able-Bodied Vulnerable Groups to Achieve Food Security; SAFE), as implemented by CARE. Primary outcomes include HIV vulnerability (i.e., HIV risk behaviors, HIV infection), economic status (i.e., income, household assets) and food security (including anthropometric measures). We recruited participants from two types of areas of rural central Malawi: traditional authorities (TA) selected by CARE to receive the SAFE program (intervention group) and TAs receiving other unrelated CARE programming (controls). In the intervention TAs, we recruited 598 program participants (398 women, 200 men) and interviewed them at baseline and 18- and 36-month follow-ups; we interviewed 301 control households. In addition, we conducted random surveys (n = 1002) in the intervention and control areas with a 36-month assessment interval, prior to and after implementation of SAFE. Thus, we are examining intervention outcomes both in direct SAFE program participants and their larger communities. We are using multilevel modeling to examine mediators and moderators of the effects of SAFE on HIV outcomes at the individual and community levels and determine the ways in which changes in HIV outcomes feed back into economic outcomes and food security at later interviews. 
Finally, we are conducting a qualitative end-of-program evaluation consisting of in-depth interviews with 90 SAFE participants. In addition to examining pathways linking structural factors to HIV vulnerability, this research will yield important information for understanding the impact of a multilevel environmental/structural intervention on HIV, with the potential for other sustainable long-term public health benefits.

  4. The impact of the 2008 financial crisis on food security and food expenditures in Mexico: a disproportionate effect on the vulnerable.

    PubMed

    Vilar-Compte, Mireya; Sandoval-Olascoaga, Sebastian; Bernal-Stuart, Ana; Shimoga, Sandhya; Vargas-Bustamante, Arturo

    2015-11-01

    The present paper investigated the impact of the 2008 financial crisis on food security in Mexico and how it disproportionally affected vulnerable households. A generalized ordered logistic regression was estimated to assess the impact of the crisis on households' food security status. An ordinary least squares and a quantile regression were estimated to evaluate the effect of the financial crisis on a continuous proxy measure of food security defined as the share of a household's current income devoted to food expenditures. Both analyses were performed using pooled cross-sectional data from the Mexican National Household Income and Expenditure Survey 2008 and 2010. The analytical sample included 29,468 households in 2008 and 27,654 in 2010. The generalized ordered logistic model showed that the financial crisis significantly (P<0·05) decreased the probability of being food secure, mildly or moderately food insecure, compared with being severely food insecure (OR=0·74). A similar but smaller effect was found when comparing severely and moderately food-insecure households with mildly food-insecure and food-secure households (OR=0·81). The ordinary least squares model showed that the crisis significantly (P<0·05) increased the share of total income spent on food (β coefficient of 0·02). The quantile regression confirmed the findings suggested by the generalized ordered logistic model, showing that the effects of the crisis were more profound among poorer households. The results suggest that households that were more vulnerable before the financial crisis saw a worsened effect in terms of food insecurity with the crisis. Findings were consistent with both measures of food security--one based on self-reported experience and the other based on food spending.

  5. Semantic policy and adversarial modeling for cyber threat identification and avoidance

    NASA Astrophysics Data System (ADS)

    DeFrancesco, Anton; McQueary, Bruce

    2009-05-01

    Today's enterprise networks undergo a relentless barrage of attacks from foreign and domestic adversaries. These attacks may be perpetrated with little to no funding, but may wreak incalculable damage upon the enterprise's security, network infrastructure, and services. As more services come online, systems that were once in isolation now provide information that may be combined dynamically with information from other systems to create new meaning on the fly. Security issues are compounded by the potential to aggregate individual pieces of information and infer knowledge at a higher classification than any of its constituent parts. To help alleviate these challenges, in this paper we introduce the notion of semantic policy and discuss how its use is evolving from a robust approach to access control to preempting and combating attacks in the cyber domain. The introduction of semantic policy and adversarial modeling to network security aims to ask 'where is the network most vulnerable', 'how is the network being attacked', and 'why is the network being attacked'. The first aspect of our approach is integration of semantic policy into enterprise security to augment traditional network security with an overall awareness of policy access and violations. This awareness allows the semantic policy to look at the big picture - analyzing trends and identifying critical relations in system wide data access. The second aspect of our approach is to couple adversarial modeling with semantic policy to move beyond reactive security measures and into a proactive identification of system weaknesses and areas of vulnerability. By utilizing Bayesian-based methodologies, the enterprise wide meaning of data and semantic policy is applied to probability and high-level risk identification. This risk identification will help mitigate potential harm to enterprise networks by enabling resources to proactively isolate, lock-down, and secure systems that are most vulnerable.

  6. An Architecture, System Engineering, and Acquisition Approach for Space System Software Resiliency

    NASA Astrophysics Data System (ADS)

    Phillips, Dewanne Marie

    Software intensive space systems can harbor defects and vulnerabilities that may enable external adversaries or malicious insiders to disrupt or disable system functions, risking mission compromise or loss. Mitigating this risk demands a sustained focus on the security and resiliency of the system architecture including software, hardware, and other components. Robust software engineering practices contribute to the foundation of a resilient system so that the system "can take a hit to a critical component and recover in a known, bounded, and generally acceptable period of time". Software resiliency must be a priority and addressed early in the life cycle development to contribute a secure and dependable space system. Those who develop, implement, and operate software intensive space systems must determine the factors and systems engineering practices to address when investing in software resiliency. This dissertation offers methodical approaches for improving space system resiliency through software architecture design, system engineering, increased software security, thereby reducing the risk of latent software defects and vulnerabilities. By providing greater attention to the early life cycle phases of development, we can alter the engineering process to help detect, eliminate, and avoid vulnerabilities before space systems are delivered. To achieve this objective, this dissertation will identify knowledge, techniques, and tools that engineers and managers can utilize to help them recognize how vulnerabilities are produced and discovered so that they can learn to circumvent them in future efforts. We conducted a systematic review of existing architectural practices, standards, security and coding practices, various threats, defects, and vulnerabilities that impact space systems from hundreds of relevant publications and interviews of subject matter experts. 
We expanded on the system-level body of knowledge for resiliency and identified a new software architecture framework and acquisition methodology to improve the resiliency of space systems from a software perspective with an emphasis on the early phases of the systems engineering life cycle. This methodology involves seven steps: 1) Define technical resiliency requirements, 1a) Identify standards/policy for software resiliency, 2) Develop a request for proposal (RFP)/statement of work (SOW) for resilient space systems software, 3) Define software resiliency goals for space systems, 4) Establish software resiliency quality attributes, 5) Perform architectural tradeoffs and identify risks, 6) Conduct architecture assessments as part of the procurement process, and 7) Ascertain space system software architecture resiliency metrics. Data illustrates that software vulnerabilities can lead to opportunities for malicious cyber activities, which could degrade the space mission capability for the user community. Reducing the number of vulnerabilities by improving architecture and software system engineering practices can contribute to making space systems more resilient. Since cyber-attacks are enabled by shortfalls in software, robust software engineering practices and an architectural design are foundational to resiliency, which is a quality that allows the system to "take a hit to a critical component and recover in a known, bounded, and generally acceptable period of time". To achieve software resiliency for space systems, acquirers and suppliers must identify relevant factors and systems engineering practices to apply across the lifecycle, in software requirements analysis, architecture development, design, implementation, verification and validation, and maintenance phases.

  7. An Enhanced Lightweight Anonymous Authentication Scheme for a Scalable Localization Roaming Service in Wireless Sensor Networks.

    PubMed

    Chung, Youngseok; Choi, Seokjin; Lee, Youngsook; Park, Namje; Won, Dongho

    2016-10-07

    More security concerns and complicated requirements arise in wireless sensor networks than in wired networks, due to the vulnerability caused by their openness. To address this vulnerability, anonymous authentication is an essential security mechanism for preserving privacy and providing security. Over recent years, various anonymous authentication schemes have been proposed. Most of them reveal both strengths and weaknesses in terms of security and efficiency. Recently, Farash et al. proposed a lightweight anonymous authentication scheme in ubiquitous networks, which remedies the security faults of previous schemes. However, their scheme still suffers from certain weaknesses. In this paper, we prove that Farash et al.'s scheme fails to provide anonymity, authentication, or password replacement. In addition, we propose an enhanced scheme that provides efficiency, as well as anonymity and security. Considering the limited capability of sensor nodes, we utilize only low-cost functions, such as one-way hash functions and bit-wise exclusive-OR operations. The security and lightness of the proposed scheme mean that it can be applied to roaming service in localized domains of wireless sensor networks, to provide anonymous authentication of sensor nodes.

  8. An Enhanced Lightweight Anonymous Authentication Scheme for a Scalable Localization Roaming Service in Wireless Sensor Networks

    PubMed Central

    Chung, Youngseok; Choi, Seokjin; Lee, Youngsook; Park, Namje; Won, Dongho

    2016-01-01

    More security concerns and complicated requirements arise in wireless sensor networks than in wired networks, due to the vulnerability caused by their openness. To address this vulnerability, anonymous authentication is an essential security mechanism for preserving privacy and providing security. Over recent years, various anonymous authentication schemes have been proposed. Most of them reveal both strengths and weaknesses in terms of security and efficiency. Recently, Farash et al. proposed a lightweight anonymous authentication scheme in ubiquitous networks, which remedies the security faults of previous schemes. However, their scheme still suffers from certain weaknesses. In this paper, we prove that Farash et al.’s scheme fails to provide anonymity, authentication, or password replacement. In addition, we propose an enhanced scheme that provides efficiency, as well as anonymity and security. Considering the limited capability of sensor nodes, we utilize only low-cost functions, such as one-way hash functions and bit-wise exclusive-OR operations. The security and lightness of the proposed scheme mean that it can be applied to roaming service in localized domains of wireless sensor networks, to provide anonymous authentication of sensor nodes. PMID:27739417

  9. Analysis and solutions of security issues in Ethernet PON

    NASA Astrophysics Data System (ADS)

    Meng, Yu; Jiang, Tao; Xiao, Dingzhong

    2005-02-01

    Ethernet Passive Optical Network (EPON), which combines the low cost Ethernet equipment and economic fiber infrastructure, is being considered as a promising solution for Fiber-To-The-Home (FTTH). However, since EPON is an optical shared medium network, some unique features make it more vulnerable to security attacks. In this paper, the key security threats of EPON are firstly analyzed. And then, considering some specific properties which might be utilized for security, such as the safety of transmissions in upstream direction, some novel methods are presented to solve security problems. Firstly, based on some modification about registration, the mechanism of access control is achieved. Secondly, we implement an AES-128 symmetrical encryption and decryption in the EPON system. The AES-128 algorithm can process data blocks of 128 bits, but the length of Ethernet frame is variable. How to deal with the last block, which is not up to 128 bits, is discussed in detail. Finally, key update is accomplished through a vendor specific OAM frame in order to enhance the level of security. The proposed mechanism will remain in conformance with P2MP specification defined by 802.3ah TF, and can supply a complete security solution for EPON.

  10. Security systems engineering overview

    NASA Astrophysics Data System (ADS)

    Steele, Basil J.

    1997-01-01

    Crime prevention is on the minds of most people today. The concern for public safety and the theft of valuable assets are being discussed at all levels of government and throughout the public sector. There is a growing demand for security systems that can adequately safeguard people and valuable assets against the sophistication of those criminals or adversaries who pose a threat. The crime in this country has been estimated at 70 billion dollars in direct costs and up to 300 billion dollars in indirect costs. Health insurance fraud alone is estimated to cost American businesses 100 billion dollars. Theft, warranty fraud, and counterfeiting of computer hardware totaled 3 billion dollars in 1994. A threat analysis is a prerequisite to any security system design to assess the vulnerabilities with respect to the anticipated threat. Having established a comprehensive definition of the threat, crime prevention, detection, and threat assessment technologies can be used to address these criminal activities. This talk will outline the process used to design a security system regardless of the level of security. This methodology has been applied to many applications including: government high security facilities; residential and commercial intrusion detection and assessment; anti-counterfeiting/fraud detection technologies; industrial espionage detection and prevention; security barrier technology.

  11. A study on agricultural drought vulnerability at disaggregated level in a highly irrigated and intensely cropped state of India.

    PubMed

    Murthy, C S; Yadav, Manoj; Mohammed Ahamed, J; Laxman, B; Prawasi, R; Sesha Sai, M V R; Hooda, R S

    2015-03-01

    Drought is an important global hazard, challenging the sustainable agriculture and food security of nations. Measuring agricultural drought vulnerability is a prerequisite for targeting interventions to improve and sustain the agricultural performance of both irrigated and rain-fed agriculture. In this study, crop-generic agricultural drought vulnerability status is empirically measured through a composite index approach. The study area is Haryana state, India, a prime agriculture state of the country, characterised with low rainfall, high irrigation support and stable cropping pattern. By analysing the multiyear rainfall and crop condition data of kharif crop season (June-October) derived from satellite data and soil water holding capacity and groundwater quality, nine contributing indicators were generated for 120 blocks (sub-district administrative units). Composite indices for exposure, sensitivity and adaptive capacity components were generated after assigning variance-based weightages to the respective input indicators. Agricultural Drought Vulnerability Index (ADVI) was developed through a linear combination of the three component indices. ADVI-based vulnerability categorisation revealed that 51 blocks are with vulnerable to very highly vulnerable status. These blocks are located in the southern and western parts of the state, where groundwater quality is saline and water holding capacity of soils is less. The ADVI map has effectively captured the spatial pattern of agricultural drought vulnerability in the state. Districts with large number of vulnerable blocks showed considerably larger variability of de-trended crop yields. Correlation analysis reveals that crop condition variability, groundwater quality and soil factors are closely associated with ADVI. The vulnerability index is useful to prioritise the blocks for implementation of long-term drought management plans. 
There is scope for improving the methodology by adding/fine-tuning the indicators and by optimising the weights.

  12. U.S. Military Technology Dependence: The Hidden Vulnerability to National Security

    DTIC Science & Technology

    2016-06-10

    ...Because the U.S. has a technological culture, the U.S. military has become technology dependent. This dependence has made the military...technology dependent that the organization no longer recognizes that technology has made it more vulnerable strategically, operationally, and tactically. The

  13. The Role of the Appropriate Adult in Supporting Vulnerable Adults in Custody: Comparing the Perspectives of Service Users and Service Providers

    ERIC Educational Resources Information Center

    Jessiman, Tricia; Cameron, Ailsa

    2017-01-01

    Background: Police custody sergeants have a duty to secure an AA to safeguard the rights and welfare of vulnerable people detained or questioned by the police. This study focuses on the role of the AA in supporting vulnerable adults and seeks to examine what stakeholders would expect from an effective AA service. Methods: This was a qualitative…

  14. E-SAP: Efficient-Strong Authentication Protocol for Healthcare Applications Using Wireless Medical Sensor Networks

    PubMed Central

    Kumar, Pardeep; Lee, Sang-Gon; Lee, Hoon-Jae

    2012-01-01

    A wireless medical sensor network (WMSN) can sense humans’ physiological signs without sacrificing patient comfort and transmit patient vital signs to health professionals’ hand-held devices. The patient physiological data are highly sensitive and WMSNs are extremely vulnerable to many attacks. Therefore, it must be ensured that patients’ medical signs are not exposed to unauthorized users. Consequently, strong user authentication is the main concern for the success and large scale deployment of WMSNs. In this regard, this paper presents an efficient, strong authentication protocol, named E-SAP, for healthcare application using WMSNs. The proposed E-SAP includes: (1) a two-factor (i.e., password and smartcard) professional authentication; (2) mutual authentication between the professional and the medical sensor; (3) symmetric encryption/decryption for providing message confidentiality; (4) establishment of a secure session key at the end of authentication; and (5) professionals can change their password. Further, the proposed protocol requires three message exchanges between the professional, medical sensor node and gateway node, and achieves efficiency (i.e., low computation and communication cost). Through the formal analysis, security analysis and performance analysis, we demonstrate that E-SAP is more secure against many practical attacks, and allows a tradeoff between the security and the performance cost for healthcare application using WMSNs. PMID:22438729

  15. E-SAP: efficient-strong authentication protocol for healthcare applications using wireless medical sensor networks.

    PubMed

    Kumar, Pardeep; Lee, Sang-Gon; Lee, Hoon-Jae

    2012-01-01

    A wireless medical sensor network (WMSN) can sense humans' physiological signs without sacrificing patient comfort and transmit patient vital signs to health professionals' hand-held devices. The patient physiological data are highly sensitive and WMSNs are extremely vulnerable to many attacks. Therefore, it must be ensured that patients' medical signs are not exposed to unauthorized users. Consequently, strong user authentication is the main concern for the success and large scale deployment of WMSNs. In this regard, this paper presents an efficient, strong authentication protocol, named E-SAP, for healthcare application using WMSNs. The proposed E-SAP includes: (1) a two-factor (i.e., password and smartcard) professional authentication; (2) mutual authentication between the professional and the medical sensor; (3) symmetric encryption/decryption for providing message confidentiality; (4) establishment of a secure session key at the end of authentication; and (5) professionals can change their password. Further, the proposed protocol requires three message exchanges between the professional, medical sensor node and gateway node, and achieves efficiency (i.e., low computation and communication cost). Through the formal analysis, security analysis and performance analysis, we demonstrate that E-SAP is more secure against many practical attacks, and allows a tradeoff between the security and the performance cost for healthcare application using WMSNs.

  16. Toward Synthesis, Analysis, and Certification of Security Protocols

    NASA Technical Reports Server (NTRS)

    Schumann, Johann

    2004-01-01

    Implemented security protocols are basically pieces of software which are used to (a) authenticate the other communication partners, (b) establish a secure communication channel between them (using insecure communication media), and (c) transfer data between the communication partners in such a way that these data are only available to the desired receiver, but not to anyone else. Such an implementation usually consists of the following components: the protocol-engine, which controls in which sequence the messages of the protocol are sent over the network, and which controls the assembly/disassembly and processing (e.g., decryption) of the data; the cryptographic routines to actually encrypt or decrypt the data (using given keys); and the interface to the operating system and to the application. For a correct working of such a security protocol, all of these components must work flawlessly. Many formal-methods based techniques for the analysis of security protocols have been developed. They range from using specific logics (e.g., BAN-logic [4], or higher order logics [12]) to model checking [2] approaches. In each approach, the analysis tries to prove that no (or at least not a modeled) intruder can get access to secret data. Otherwise, a scenario illustrating the attack may be produced. Despite the seeming simplicity of security protocols ("only" a few messages are sent between the protocol partners in order to ensure a secure communication), many flaws have been detected. Unfortunately, even a perfect protocol engine does not guarantee flawless working of a security protocol, as incidents show. Many break-ins and security vulnerabilities are caused by exploiting errors in the implementation of the protocol engine or the underlying operating system. Attacks using buffer-overflows are a very common class of such attacks. Errors in the implementation of exception or error handling can open up additional vulnerabilities.
For example, on a website with a log-in screen: multiple tries with invalid passwords caused the expected error message (too many retries), but let the user nevertheless pass. Finally, security can be compromised by silly implementation bugs or design decisions. In a commercial VPN software, all calls to the encryption routines were incidentally replaced by stubs, probably during factory testing. The product worked nicely, and the error (an open VPN) would have gone undetected, if a team member had not inspected the low-level traffic out of curiosity. Also, the use of secret proprietary encryption routines can backfire, because such algorithms often exhibit weaknesses which can be exploited easily (see e.g., DVD encoding). Summarizing, there is a large number of possibilities to make errors which can compromise the security of a protocol. In today's world with short time-to-market and the use of security protocols in open and hostile networks for safety-critical applications (e.g., power or air-traffic control), such slips could lead to catastrophic situations. Thus, formal methods and automatic reasoning techniques should not be used just for the formal proof of absence of an attack, but they ought to be used to provide an end-to-end tool-supported framework for security software. With such an approach all required artifacts (code, documentation, test cases), formal analyses, and reliable certification will be generated automatically, given a single, high level specification. By a combination of program synthesis, formal protocol analysis, certification, and proof-carrying code, this goal is within practical reach, since all the important technologies for such an approach actually exist and only need to be assembled in the right way.

  17. 6 CFR 27.105 - Definitions.

    Code of Federal Regulations, 2013 CFR

    2013-01-01

    ... Security DEPARTMENT OF HOMELAND SECURITY, OFFICE OF THE SECRETARY CHEMICAL FACILITY ANTI-TERRORISM... analyze key data from chemical facilities. Chemical-terrorism Vulnerability Information or CVI shall mean... or terrorist incident shall mean any incident or attempt that constitutes terrorism or terrorist...

  18. 6 CFR 27.105 - Definitions.

    Code of Federal Regulations, 2014 CFR

    2014-01-01

    ... Security DEPARTMENT OF HOMELAND SECURITY, OFFICE OF THE SECRETARY CHEMICAL FACILITY ANTI-TERRORISM... analyze key data from chemical facilities. Chemical-terrorism Vulnerability Information or CVI shall mean... or terrorist incident shall mean any incident or attempt that constitutes terrorism or terrorist...

  19. 6 CFR 27.105 - Definitions.

    Code of Federal Regulations, 2012 CFR

    2012-01-01

    ... Security DEPARTMENT OF HOMELAND SECURITY, OFFICE OF THE SECRETARY CHEMICAL FACILITY ANTI-TERRORISM... analyze key data from chemical facilities. Chemical-terrorism Vulnerability Information or CVI shall mean... or terrorist incident shall mean any incident or attempt that constitutes terrorism or terrorist...

  20. 6 CFR 27.105 - Definitions.

    Code of Federal Regulations, 2011 CFR

    2011-01-01

    ... Security DEPARTMENT OF HOMELAND SECURITY, OFFICE OF THE SECRETARY CHEMICAL FACILITY ANTI-TERRORISM... analyze key data from chemical facilities. Chemical-terrorism Vulnerability Information or CVI shall mean... or terrorist incident shall mean any incident or attempt that constitutes terrorism or terrorist...

  1. The role of hazardous material placards in transportation safety and security

    DOT National Transportation Integrated Search

    2004-01-15

    Following the events of September 11, 2001, the U.S. Department of Transportation (DOT) has taken steps to reduce vulnerabilities of hazardous materials in transportation through security enhancing initiatives directed at reducing their potential use...

  2. Aviation security : vulnerabilities in, and alternatives for, pre-board screening security operations

    DOT National Transportation Integrated Search

    2001-09-25

    This is the statement of Gerald L. Dillingham, Director, Physical Infrastructure Issues before the Committee on Governmental Affairs and Its Subcommittee on Oversight of Governmental Management, Restructuring and the District of Columbia, U.S. Senate...

  3. 78 FR 16694 - Chemical Security Assessment Tool (CSAT)

    Federal Register 2010, 2011, 2012, 2013, 2014

    2013-03-18

    ... information provided. Comments that include trade secrets, confidential commercial or financial information... secrets, confidential commercial or financial information, CVI, SSI, or PCII should be appropriately... Department make the instruments (e.g., Top-Screen, Security Vulnerability Assessment [SVA]/ Alternative...

  4. Aviation security : vulnerabilities in, and alternatives for, preboard screening security operations

    DOT National Transportation Integrated Search

    2001-09-25

    This is the statement of Gerald L. Dillingham, Director, Physical Infrastructure Issues before the Committee on Governmental Affairs and Its Subcommittee on Oversight of Governmental Management, Restructuring and the District of Columbia, U.S. Senate...

  5. Report: EPA Needs to Strengthen Financial Database Security Oversight and Monitor Compliance

    EPA Pesticide Factsheets

    Report #2007-P-00017, March 29, 2007. Weaknesses in how EPA offices monitor databases for known security vulnerabilities, communicate the status of critical system patches, and monitor the access to database administrator accounts and privileges.

  6. Secure Method for Biometric-Based Recognition with Integrated Cryptographic Functions

    PubMed Central

    Chiou, Shin-Yan

    2013-01-01

    Biometric systems refer to biometric technologies which can be used to achieve authentication. Unlike cryptography-based technologies, the ratio for certification in biometric systems needs not to achieve 100% accuracy. However, biometric data can only be directly compared through proximal access to the scanning device and cannot be combined with cryptographic techniques. Moreover, repeated use, improper storage, or transmission leaks may compromise security. Prior studies have attempted to combine cryptography and biometrics, but these methods require the synchronization of internal systems and are vulnerable to power analysis attacks, fault-based cryptanalysis, and replay attacks. This paper presents a new secure cryptographic authentication method using biometric features. The proposed system combines the advantages of biometric identification and cryptographic techniques. By adding a subsystem to existing biometric recognition systems, we can simultaneously achieve the security of cryptographic technology and the error tolerance of biometric recognition. This method can be used for biometric data encryption, signatures, and other types of cryptographic computation. The method offers a high degree of security with protection against power analysis attacks, fault-based cryptanalysis, and replay attacks. Moreover, it can be used to improve the confidentiality of biological data storage and biodata identification processes. Remote biometric authentication can also be safely applied. PMID:23762851

  7. Interface of Science, Technology and Security: Areas of Most Concern, Now and Ahead

    DTIC Science & Technology

    2017-03-28

    connectivity is creating new forms of security threats and exploitable instabilities. There is a need to develop secure software to reduce vulnerabilities...implications in the light of global population growth, industrialization and limited fossil fuel supplies. The continued improvement of generation, storage...national strategic concern is when the S&T-security nexus creates opportunities for misunderstanding. These opportunities assume two forms, rooted in

  8. Aviation Security-Related Findings and Recommendations of the 9/11 Commission

    DTIC Science & Technology

    2005-03-30

    The 9/11 Commission found that al Qaeda operatives exploited known weaknesses in U.S. aviation security to carry out the terrorist attacks of...September 11, 2001. While legislation and administration actions after September 11, 2001 were implemented to strengthen aviation security, the 9/11...Commission concluded that several weaknesses continue to exist. These include perceived vulnerabilities in cargo and general aviation security as well as

  9. Final Report: Computer-aided Human Centric Cyber Situation Awareness

    DTIC Science & Technology

    2016-03-20

    logs, OS audit trails, vulnerability reports, and packet dumps), weeding out the false positives, grouping the related indicators so that different...short time duration of each visual stimulus in an fMRI study, we have designed “network security analysis cards” that require the subject to...determine whether alerts in the cards indicate malicious events. Two types of visual displays of alerts (i.e., tabular display and node-link display) are

  10. A Combinatorial Geometry Computer Description of the MEP-021A Generator Set

    DTIC Science & Technology

    1979-02-01

    Generator Computer Description Gasoline Generator GIFT MEP-021A...This... GIFT code is also stored on magnetic tape for future vulnerability analysis...the Geometric Information for Targets (GIFT) computer code. The GIFT code traces shotlines through a COM-GEOM description from any specified attack

  11. CrossTalk: The Journal of Defense Software Engineering. Volume 19, Number 9

    DTIC Science & Technology

    2006-09-01

    it does. Several freely downloadable methodologies have emerged to support the developer in modeling threats to applications and other soft...SECURIS. Model-Driven Development and Analysis of Secure Information Systems <www.sintef.no/content/page1_1824.aspx>. 10. The SECURIS Project...By applying these methods to the SDLC, we can actively reduce the number of known vulnerabilities in software as it is developed. For

  12. Automated Information Security Will Not Improve until Effectively Supported by IRM.

    ERIC Educational Resources Information Center

    Chick, Morey J.

    1989-01-01

    The first of two articles on the nature of the growing problem of automated information systems security, especially in the federal government, this article presents a brief history of the problem and describes the need for integrating security activities into overall policies and programs to help reduce system vulnerabilities and risks. (23…

  13. Environmental security as related to scale mismatches of disturbance patterns in a panarchy of social-ecological landscapes

    Treesearch

    Giovanni Zurlini; Irene Petrosillo; Nicola Zaccarelli; Kurt Riitters

    2008-01-01

    Environmental security, as the opposite of environmental fragility (vulnerability), is multilayered, multi-scale and complex, existing in both the objective realm of biophysics and society, and the subjective realm of individual human perception. For ecological risk assessments (ERAs), the relevant objects of environmental security are social-ecological landscapes (...

  14. Elevating Virtual Machine Introspection for Fine-Grained Process Monitoring: Techniques and Applications

    ERIC Educational Resources Information Center

    Srinivasan, Deepa

    2013-01-01

    Recent rapid malware growth has exposed the limitations of traditional in-host malware-defense systems and motivated the development of secure virtualization-based solutions. By running vulnerable systems as virtual machines (VMs) and moving security software from inside VMs to the outside, the out-of-VM solutions securely isolate the anti-malware…

  15. Vulnerability to food insecurity in urban slums: experiences from Nairobi, Kenya.

    PubMed

    Kimani-Murage, E W; Schofield, L; Wekesah, F; Mohamed, S; Mberu, B; Ettarh, R; Egondi, T; Kyobutungi, C; Ezeh, A

    2014-12-01

    Food and nutrition security is critical for economic development due to the role of nutrition in healthy growth and human capital development. Slum residents, already grossly affected by chronic poverty, are highly vulnerable to different forms of shocks, including those arising from political instability. This study describes the food security situation among slum residents in Nairobi, with specific focus on vulnerability associated with the 2007/2008 postelection crisis in Kenya. The study from which the data is drawn was nested within the Nairobi Urban Health and Demographic Surveillance System (NUHDSS), which follows about 70,000 individuals from close to 30,000 households in two slums in Nairobi, Kenya. The study triangulates data from qualitative and quantitative sources. It uses qualitative data from 10 focus group discussions with community members and 12 key-informant interviews with community opinion leaders conducted in November 2010, and quantitative data involving about 3,000 households randomly sampled from the NUHDSS database in three rounds of data collection between March 2011 and January 2012. Food security was defined using the Household Food Insecurity Access Scale (HFIAS) criteria. The study found high prevalence of food insecurity; 85% of the households were food insecure, with 50% being severely food insecure. Factors associated with food security include level of income, source of livelihood, household size, dependence ratio; illness, perceived insecurity and slum of residence. The qualitative narratives highlighted household vulnerability to food insecurity as commonplace but critical during times of crisis. Respondents indicated that residents in the slums generally eat for bare survival, with little concern for quality. The narratives described heightened vulnerability during the 2007/2008 postelection violence in Kenya in the perception of slum residents. 
    Prices of staple foods like maize flour doubled and simultaneously household purchasing power was eroded due to worsened unemployment situation. The use of negative coping strategies to address food insecurity such as reducing the number of meals, reducing food variety and quality, scavenging, and eating street foods was prevalent. In conclusion, this study describes the deeply intertwined nature of chronic poverty and acute crisis, and the subsequent high levels of food insecurity in urban slum settings. Households are extremely vulnerable to food insecurity; the situation worsening during periods of crisis in the perception of slum residents, engendering frequent use of negative coping strategies. Effective response to addressing vulnerability to household food insecurity among the urban poor should focus on both the underlying vulnerabilities of households due to chronic poverty and added impacts of acute crises.

  16. A spatial evaluation of global wildfire-water risks to human and natural systems.

    PubMed

    Robinne, François-Nicolas; Bladon, Kevin D; Miller, Carol; Parisien, Marc-André; Mathieu, Jérôme; Flannigan, Mike D

    2018-01-01

    The large mediatic coverage of recent massive wildfires across the world has emphasized the vulnerability of freshwater resources. The extensive hydrogeomorphic effects from a wildfire can impair the ability of watersheds to provide safe drinking water to downstream communities and high-quality water to maintain riverine ecosystem health. Safeguarding water use for human activities and ecosystems is required for sustainable development; however, no global assessment of wildfire impacts on water supply is currently available. Here, we provide the first global evaluation of wildfire risks to water security, in the form of a spatially explicit index. We adapted the Driving forces-Pressure-State-Impact-Response risk analysis framework to select a comprehensive set of indicators of fire activity and water availability, which we then aggregated to a single index of wildfire-water risk using a simple additive weighted model. Our results show that water security in many regions of the world is potentially vulnerable, regardless of socio-economic status. However, in developing countries, a critical component of the risk is the lack of socio-economic capability to respond to disasters. Our work highlights the importance of addressing wildfire-induced risks in the development of water security policies; the geographic differences in the components of the overall risk could help adapting those policies to different regional contexts. Crown Copyright © 2017. Published by Elsevier B.V. All rights reserved.

  17. 511, America's traveler information number. Deployment assistance report #3, 511 and homeland security.

    DOT National Transportation Integrated Search

    2002-06-01

    Today, transportation agencies are beginning to address the need for threat and vulnerability assessments, and re-examine how existing emergency management plans will be implemented during a homeland security emergency or alert. Travel information is...

  18. State of Maryland Intelligent Transportation Systems: Security and Implementation Recommendations.

    DOT National Transportation Integrated Search

    1997-11-01

    At the direction of the Volpe National Transportation Systems Center of the US Department of Transportation (US DOT), a two-phase study of the security vulnerability of Maryland Intelligent Transportation Systems (ITS) was conducted from July until N...

  19. Security analysis and improvements of two-factor mutual authentication with key agreement in wireless sensor networks.

    PubMed

    Kim, Jiye; Lee, Donghoon; Jeon, Woongryul; Lee, Youngsook; Won, Dongho

    2014-04-09

    User authentication and key management are two important security issues in WSNs (Wireless Sensor Networks). In WSNs, for some applications, the user needs to obtain real-time data directly from sensors and several user authentication schemes have been recently proposed for this case. We found that a two-factor mutual authentication scheme with key agreement in WSNs is vulnerable to gateway node bypassing attacks and user impersonation attacks using secret data stored in sensor nodes or an attacker's own smart card. In this paper, we propose an improved scheme to overcome these security weaknesses by storing secret data in unique ciphertext form in each node. In addition, our proposed scheme should provide not only security, but also efficiency since sensors in a WSN operate with resource constraints such as limited power, computation, and storage space. Therefore, we also analyze the performance of the proposed scheme by comparing its computation and communication costs with those of other schemes.

  20. A Multiserver Biometric Authentication Scheme for TMIS using Elliptic Curve Cryptography.

    PubMed

    Chaudhry, Shehzad Ashraf; Khan, Muhammad Tawab; Khan, Muhammad Khurram; Shon, Taeshik

    2016-11-01

    Recently several authentication schemes are proposed for telecare medicine information system (TMIS). Many of such schemes are proved to have weaknesses against known attacks. Furthermore, numerous such schemes cannot be used in real time scenarios. Because they assume a single server for authentication across the globe. Very recently, Amin et al. (J. Med. Syst. 39(11):180, 2015) designed an authentication scheme for secure communication between a patient and a medical practitioner using a trusted central medical server. They claimed their scheme to extend all security requirements and emphasized the efficiency of their scheme. However, the analysis in this article proves that the scheme designed by Amin et al. is vulnerable to stolen smart card and stolen verifier attacks. Furthermore, their scheme is having scalability issues along with inefficient password change and password recovery phases. Then we propose an improved scheme. The proposed scheme is more practical, secure and lightweight than Amin et al.'s scheme. The security of proposed scheme is proved using the popular automated tool ProVerif.

  1. Security Analysis and Improvements of Two-Factor Mutual Authentication with Key Agreement in Wireless Sensor Networks

    PubMed Central

    Kim, Jiye; Lee, Donghoon; Jeon, Woongryul; Lee, Youngsook; Won, Dongho

    2014-01-01

    User authentication and key management are two important security issues in WSNs (Wireless Sensor Networks). In WSNs, for some applications, the user needs to obtain real-time data directly from sensors and several user authentication schemes have been recently proposed for this case. We found that a two-factor mutual authentication scheme with key agreement in WSNs is vulnerable to gateway node bypassing attacks and user impersonation attacks using secret data stored in sensor nodes or an attacker's own smart card. In this paper, we propose an improved scheme to overcome these security weaknesses by storing secret data in unique ciphertext form in each node. In addition, our proposed scheme should provide not only security, but also efficiency since sensors in a WSN operate with resource constraints such as limited power, computation, and storage space. Therefore, we also analyze the performance of the proposed scheme by comparing its computation and communication costs with those of other schemes. PMID:24721764

  2. A user anonymity preserving three-factor authentication scheme for telecare medicine information systems.

    PubMed

    Tan, Zuowen

    2014-03-01

    The telecare medicine information system enables the patients gain health monitoring at home and access medical services over internet or mobile networks. In recent years, the schemes based on cryptography have been proposed to address the security and privacy issues in the telecare medicine information systems. However, many schemes are insecure or they have low efficiency. Recently, Awasthi and Srivastava proposed a three-factor authentication scheme for telecare medicine information systems. In this paper, we show that their scheme is vulnerable to the reflection attacks. Furthermore, it fails to provide three-factor security and the user anonymity. We propose a new three-factor authentication scheme for the telecare medicine information systems. Detailed analysis demonstrates that the proposed scheme provides mutual authentication, server not knowing password and freedom of password, biometric update and three-factor security. Moreover, the new scheme provides the user anonymity. As compared with the previous three-factor authentication schemes, the proposed scheme is more secure and practical.

  3. Homeland security and virtual reality: building a Strategic Adaptive Response System (STARS).

    PubMed

    Swift, Christopher; Rosen, Joseph M; Boezer, Gordon; Lanier, Jaron; Henderson, Joseph V; Liu, Alan; Merrell, Ronald C; Nguyen, Sinh; Demas, Alex; Grigg, Elliot B; McKnight, Matthew F; Chang, Janelle; Koop, C Everett

    2005-01-01

    The advent of the Global War on Terrorism (GWOT) underscored the need to improve the U.S. disaster response paradigm. Existing systems involve numerous agencies spread across disparate functional and geographic jurisdictions. The current architecture remains vulnerable to sophisticated terrorist strikes. To address these vulnerabilities, we must continuously adapt and improve our Homeland Security architecture. Virtual Reality (VR) technologies will help model those changes and integrate technologies. This paper provides a broad overview of the strategic threats, together with a detailed examination of how specific VR technologies could be used to ensure successful disaster responses.

  4. Quantum Attack-Resistent Certificateless Multi-Receiver Signcryption Scheme

    PubMed Central

    Li, Huixian; Chen, Xubao; Pang, Liaojun; Shi, Weisong

    2013-01-01

    The existing certificateless signcryption schemes were designed mainly based on the traditional public key cryptography, in which the security relies on the hard problems, such as factor decomposition and discrete logarithm. However, these problems will be easily solved by the quantum computing. So the existing certificateless signcryption schemes are vulnerable to the quantum attack. Multivariate public key cryptography (MPKC), which can resist the quantum attack, is one of the alternative solutions to guarantee the security of communications in the post-quantum age. Motivated by these concerns, we proposed a new construction of the certificateless multi-receiver signcryption scheme (CLMSC) based on MPKC. The new scheme inherits the security of MPKC, which can withstand the quantum attack. Multivariate quadratic polynomial operations, which have lower computation complexity than bilinear pairing operations, are employed in signcrypting a message for a certain number of receivers in our scheme. Security analysis shows that our scheme is a secure MPKC-based scheme. We proved its security under the hardness of the Multivariate Quadratic (MQ) problem and its unforgeability under the Isomorphism of Polynomials (IP) assumption in the random oracle model. The analysis results show that our scheme also has the security properties of non-repudiation, perfect forward secrecy, perfect backward secrecy and public verifiability. Compared with the existing schemes in terms of computation complexity and ciphertext length, our scheme is more efficient, which makes it suitable for terminals with low computation capacity like smart cards. PMID:23967037

  5. Measuring Poverty for Food Security Analysis: Consumption- Versus Asset-Based Approaches.

    PubMed

    Hjelm, Lisa; Mathiassen, Astrid; Wadhwa, Amit

    2016-06-22

    Poverty and food insecurity are intrinsically linked as poor households often lack the resources required to access sufficient nutritious food to live an active and healthy life. Consumption and expenditure surveys are typically used to identify poor versus nonpoor households but are detailed and costly. Measures of wealth based on asset ownership and housing characteristics can be generated from lighter, less costly surveys. To examine whether indices based on asset ownership and housing characteristics (stock) complement household consumption (flow) when used to analyze inequalities in food security outcomes. Comprehensive data from Nepal, Malawi, Tanzania, Uganda, and Madagascar are used to examine correlations and overlaps in classification between indices of household wealth and consumption per capita. Inequality in food security indicators representing quantity, quality, and vulnerability is examined across wealth and consumption per capita quintiles. Wealth indices are correlated with consumption per capita, with coefficients between 0.5 and 0.6. The prevalence of food insecurity decreases from poorer to wealthier quintiles for all variables and for all food security measures in all countries. Energy deficiency varies much more across consumption quintiles than wealth index quintiles. Interestingly, inequalities in the share of consumption of food are more pronounced across the wealth index quintiles than per capita consumption. Although wealth indices and consumption per capita are related and both are drivers of food security, they cannot be used interchangeably for food security analysis. Each inequality measure is important for describing different aspects of food security. © The Author(s) 2016.

  6. Model based verification of the Secure Socket Layer (SSL) Protocol for NASA systems

    NASA Technical Reports Server (NTRS)

    Powell, John D.; Gilliam, David

    2004-01-01

    The National Aeronautics and Space Administration (NASA) has tens of thousands of networked computer systems and applications. Software Security vulnerabilities present risks such as lost or corrupted data, information theft, and unavailability of critical systems. These risks represent potentially enormous costs to NASA. The NASA Code Q research initiative 'Reducing Software Security Risk (RSSR) Through an Integrated Approach' offers formal verification of information technology (IT), through the creation of a Software Security Assessment Instrument (SSAI), to address software security risks.

  7. Purposefully Manufactured Vulnerabilities in U.S. Government Technology Microchips: Risks and Homeland Security Implications

    DTIC Science & Technology

    2012-12-01

    REPORT DATE: December 2012. REPORT TYPE AND DATES COVERED: Master’s Thesis. TITLE AND SUBTITLE: PURPOSEFULLY MANUFACTURED VULNERABILITIES...Figure 4. FPGA Application Uses...Table 4. Top Foundries Worldwide: Headquarter Location and Manufacturing Location

  8. Discovering and Mitigating Software Vulnerabilities through Large-Scale Collaboration

    ERIC Educational Resources Information Center

    Zhao, Mingyi

    2016-01-01

    In today's rapidly digitizing society, people place their trust in a wide range of digital services and systems that deliver latest news, process financial transactions, store sensitive information, etc. However, this trust does not have a solid foundation, because software code that supports this digital world has security vulnerabilities. These…

  9. Security Analysis and Improvement of 'a More Secure Anonymous User Authentication Scheme for the Integrated EPR Information System'.

    PubMed

    Islam, S K Hafizul; Khan, Muhammad Khurram; Li, Xiong

    2015-01-01

    Over the past few years, secure and privacy-preserving user authentication scheme has become an integral part of the applications of the healthcare systems. Recently, Wen has designed an improved user authentication system over the Lee et al.'s scheme for integrated electronic patient record (EPR) information system, which has been analyzed in this study. We have found that Wen's scheme still has the following inefficiencies: (1) the correctness of identity and password are not verified during the login and password change phases; (2) it is vulnerable to impersonation attack and privileged-insider attack; (3) it is designed without the revocation of lost/stolen smart card; (4) the explicit key confirmation and the no key control properties are absent, and (5) user cannot update his/her password without the help of server and secure channel. Then we aimed to propose an enhanced two-factor user authentication system based on the intractable assumption of the quadratic residue problem (QRP) in the multiplicative group. Our scheme bears more securities and functionalities than other schemes found in the literature.

  10. Security Analysis and Improvement of ‘a More Secure Anonymous User Authentication Scheme for the Integrated EPR Information System’

    PubMed Central

    Islam, SK Hafizul; Khan, Muhammad Khurram; Li, Xiong

    2015-01-01

    Over the past few years, secure and privacy-preserving user authentication scheme has become an integral part of the applications of the healthcare systems. Recently, Wen has designed an improved user authentication system over the Lee et al.’s scheme for integrated electronic patient record (EPR) information system, which has been analyzed in this study. We have found that Wen’s scheme still has the following inefficiencies: (1) the correctness of identity and password are not verified during the login and password change phases; (2) it is vulnerable to impersonation attack and privileged-insider attack; (3) it is designed without the revocation of lost/stolen smart card; (4) the explicit key confirmation and the no key control properties are absent, and (5) user cannot update his/her password without the help of server and secure channel. Then we aimed to propose an enhanced two-factor user authentication system based on the intractable assumption of the quadratic residue problem (QRP) in the multiplicative group. Our scheme bears more securities and functionalities than other schemes found in the literature. PMID:26263401

  11. Transportation security : federal action needed to help address security challenges

    DOT National Transportation Integrated Search

    2003-06-30

    The economic well being of the U.S. is dependent on the expeditious flow of people and goods through the transportation system. The attacks on September 11, 2001, illustrate the threats and vulnerabilities of the transportation system. Prior to Septe...

  12. 76 FR 81516 - Homeland Security Advisory Council

    Federal Register 2010, 2011, 2012, 2013, 2014

    2011-12-28

    ... security; and provide information on the threat of an electromagnetic pulse attack and its associated... Operational Update. Electromagnetic Pulse (EMP) Threat--Lessons Learned and Areas of Vulnerability, and... and the potential threat of an electromagnetic pulse attack. Both will include lessons learned and...

  13. Security Assessment Of A Turbo-Gas Power Plant

    NASA Astrophysics Data System (ADS)

    Masera, Marcelo; Fovino, Igor Nai; Leszczyna, Rafal

    Critical infrastructures are exposed to new threats due to the large number of vulnerabilities and architectural weaknesses introduced by the extensive use of information and communication technologies. This paper presents the results of an exhaustive security assessment for a turbo-gas power plant.

  14. Safeguarding Databases Basic Concepts Revisited.

    ERIC Educational Resources Information Center

    Cardinali, Richard

    1995-01-01

    Discusses issues of database security and integrity, including computer crime and vandalism, human error, computer viruses, employee and user access, and personnel policies. Suggests some precautions to minimize system vulnerability such as careful personnel screening, audit systems, passwords, and building and software security systems. (JKP)

  15. Systemic Vulnerabilities

    DTIC Science & Technology

    2014-10-01

    Software Engineering Institute, Carnegie Mellon University. Basic attack tree: Destroy Building, Generate Sufficient...by computer-security company marketing literature that touts "hacker proof software," "triple-DES security," and the like. In truth, unbreakable

  16. On the security of two remote user authentication schemes for telecare medical information systems.

    PubMed

    Kim, Kee-Won; Lee, Jae-Dong

    2014-05-01

    The telecare medical information systems (TMISs) support convenient and rapid health-care services. A secure and efficient authentication scheme for TMIS provides safeguarding patients' electronic patient records (EPRs) and helps health care workers and medical personnel to rapidly making correct clinical decisions. Recently, Kumari et al. proposed a password based user authentication scheme using smart cards for TMIS, and claimed that the proposed scheme could resist various malicious attacks. However, we point out that their scheme is still vulnerable to lost smart card and cannot provide forward secrecy. Subsequently, Das and Goswami proposed a secure and efficient uniqueness-and-anonymity-preserving remote user authentication scheme for connected health care. They simulated their scheme for the formal security verification using the widely-accepted automated validation of Internet security protocols and applications (AVISPA) tool to ensure that their scheme is secure against passive and active attacks. However, we show that their scheme is still vulnerable to smart card loss attacks and cannot provide forward secrecy property. The proposed cryptanalysis discourages any use of the two schemes under investigation in practice and reveals some subtleties and challenges in designing this type of schemes.

  17. Information Security Controls against Cross-Site Request Forgery Attacks on Software Applications of Automated Systems

    NASA Astrophysics Data System (ADS)

    Barabanov, A. V.; Markov, A. S.; Tsirlov, V. L.

    2018-05-01

    This paper presents statistical results and their consolidation, which were received in the study into security of various web-application against cross-site request forgery attacks. Some of the results were received in the study carried out within the framework of certification for compliance with information security requirements. The paper provides the results of consolidating information about the attack and protection measures, which are currently used by the developers of web-applications. It specifies results of the study, which demonstrate various distribution types: distribution of identified vulnerabilities as per the developer type (Russian and foreign), distribution of the security measures used in web-applications, distribution of the identified vulnerabilities as per the programming languages, data on the number of security measures that are used in the studied web-applications. The results of the study show that in most cases the developers of web-applications do not pay due attention to protection against cross-site request forgery attacks. The authors give recommendations to the developers that are planning to undergo a certification process for their software applications.

  18. Design of a Secure Authentication and Key Agreement Scheme Preserving User Privacy Usable in Telecare Medicine Information Systems.

    PubMed

    Arshad, Hamed; Rasoolzadegan, Abbas

    2016-11-01

    Authentication and key agreement schemes play a very important role in enhancing the level of security of telecare medicine information systems (TMISs). Recently, Amin and Biswas demonstrated that the authentication scheme proposed by Giri et al. is vulnerable to off-line password guessing attacks and privileged insider attacks and also does not provide user anonymity. They also proposed an improved authentication scheme, claiming that it resists various security attacks. However, this paper demonstrates that Amin and Biswas's scheme is defenseless against off-line password guessing attacks and replay attacks and also does not provide perfect forward secrecy. This paper also shows that Giri et al.'s scheme not only suffers from the weaknesses pointed out by Amin and Biswas, but it also is vulnerable to replay attacks and does not provide perfect forward secrecy. Moreover, this paper proposes a novel authentication and key agreement scheme to overcome the mentioned weaknesses. Security and performance analyses show that the proposed scheme not only overcomes the mentioned security weaknesses, but also is more efficient than the previous schemes.

  19. Security analysis for biometric data in ID documents

    NASA Astrophysics Data System (ADS)

    Schimke, Sascha; Kiltz, Stefan; Vielhauer, Claus; Kalker, Ton

    2005-03-01

    In this paper we analyze chances and challenges with respect to the security of using biometrics in ID documents. We identify goals for ID documents, set by national and international authorities, and discuss the degree of security, which is obtainable with the inclusion of biometric into documents like passports. Starting from classical techniques for manual authentication of ID card holders, we expand our view towards automatic methods based on biometrics. We do so by reviewing different human biometric attributes by modality, as well as by discussing possible techniques for storing and handling the particular biometric data on the document. Further, we explore possible vulnerabilities of potential biometric passport systems. Based on the findings of that discussion we will expand upon two exemplary approaches for including digital biometric data in the context of ID documents and present potential risks attack scenarios along with technical aspects such as capacity and robustness.

  20. Ethical Guidelines for Computer Security Researchers: "Be Reasonable"

    NASA Astrophysics Data System (ADS)

    Sassaman, Len

    For most of its existence, the field of computer science has been lucky enough to avoid ethical dilemmas by virtue of its relatively benign nature. The subdisciplines of programming methodology research, microprocessor design, and so forth have little room for the greater questions of human harm. Other, more recently developed sub-disciplines, such as data mining, social network analysis, behavioral profiling, and general computer security, however, open the door to abuse of users by practitioners and researchers. It is therefore the duty of the men and women who chart the course of these fields to set rules for themselves regarding what sorts of actions on their part are to be considered acceptable and what should be avoided or handled with caution out of ethical concerns. This paper deals solely with the issues faced by computer security researchers, be they vulnerability analysts, privacy system designers, malware experts, or reverse engineers.

  1. Why and How the Dairy Farmers of India are Vulnerable to the Impacts of Climate Variability and Change?

    NASA Astrophysics Data System (ADS)

    Radhakrishnan, A.; Gupta, J.

    2017-12-01

    Climate change and variability has added many atrociousness to India's food security challenges and the relationship between the asset components of farmers and climate change is always complex. In India, dairy farming substantially contributes towards the food security and always plays a supportive role to agriculture from the adversities. This study provides an overview of the socio economic and livelihood vulnerability of small holder dairy farmers of India to climate change and variability in three dimensions — sensitivity, exposure and adaptive capacity by combining 70 indicators and 12 major components. The livelihood and socio economic vulnerability of dairy farmers to climate change and variability is assessed at taluka level in India through detailed house hold level data of livelihoods of Western Ghats region of India collected by several levels of survey and through Participatory Rural Appraisal (PRA) techniques from selected farmers complemented by thirty years of gridded weather data and other secondary data sources. The index score of dairy based livelihoods of Maharashtra was highly negative compared to other states with about 50 percent of farmers having high level of vulnerability with significant tradeoff between milk productivity and health, food, natural disasters-climate variability components. It finds that ensuring food security in the scenario of climate change will be a dreadful challenge and recommends identification of different potential options depending on local contexts at grass root level, the adoption of sustainable agricultural practices, focusing on improving the adaptive capacity component, provision of livelihood security, preparing the extensionists of Krishi Vigyan Kendras (KVKs)- universities to deal with the risks through extensive training programmes, long-term relief measures in the event of natural disasters, workshops on climate science and communication and promoting farmer centric extension system.

  2. Understanding security failures of two authentication and key agreement schemes for telecare medicine information systems.

    PubMed

    Mishra, Dheerendra

    2015-03-01

    Smart card based authentication and key agreement schemes for telecare medicine information systems (TMIS) enable doctors, nurses, patients and health visitors to use smart cards for secure login to medical information systems. In recent years, several authentication and key agreement schemes have been proposed to present secure and efficient solution for TMIS. Most of the existing authentication schemes for TMIS have either higher computation overhead or are vulnerable to attacks. To reduce the computational overhead and enhance the security, Lee recently proposed an authentication and key agreement scheme using chaotic maps for TMIS. Xu et al. also proposed a password based authentication and key agreement scheme for TMIS using elliptic curve cryptography. Both the schemes provide better efficiency from the conventional public key cryptography based schemes. These schemes are important as they present an efficient solution for TMIS. We analyze the security of both Lee's scheme and Xu et al.'s schemes. Unfortunately, we identify that both the schemes are vulnerable to denial of service attack. To understand the security failures of these cryptographic schemes which are the key of patching existing schemes and designing future schemes, we demonstrate the security loopholes of Lee's scheme and Xu et al.'s scheme in this paper.

  3. Performance Impact of Connectivity Restrictions and Increased Vulnerability Presence on Automated Attack Graph Generation

    DTIC Science & Technology

    2007-03-01

    results (Ingols 2005). 2.4.3 Skybox - Skybox view Skybox View is a commercially available tool developed by Skybox Security that can automatically...generate attack graphs through the use of host-based agents, management interfaces, and an analysis server located on the target network (Skybox 2006... Skybox, an examination of recent patents submitted by Skybox identified the algorithmic complexity of the product as n^4, where n represents the number

  4. Hunger mapping: food insecurity and vulnerability information.

    PubMed

    1997-12-01

    Save the Children Foundation (SCF), a nongovernmental organization (NGO), developed the "household food economy analysis" to assess the needs of an area or population facing acute food insecurity. This method considers all of the ways people secure access to food and illustrates the distribution of various food supplies in pie charts that allow comparison of the percentage contribution of each option during a normal year and a "bad" year. Data are gathered through the use of key informants, and the analysis permits identification of ways to support local initiatives and to target assistance. As a result of this work, SCF and another NGO, Helen Keller International, attended a March 1997 expert consultation organized by the UN Food and Agriculture Organization (FAO) to create a workplan for the Food Insecurity and Vulnerability Information and Mapping System (FIVIMS) called for in the World Food Summit Plan of Action. The consultation adopted use of the FAO's food and balance sheet approach, despite its limitations, and determined that indicators should be location- and time-specific as well as 1) simple and reliable, 2) readily available, 3) social and anthropometric, and 4) found at all levels. The consultation also recommended combination of the key informant and the indicator approach to data collection. Finally, the consultation identified appropriate actions that should be accomplished before the 1998 meeting of the FAO's Committee on World Food Security.

  5. 7 CFR 1730.20 - General.

    Code of Federal Regulations, 2010 CFR

    2010-01-01

    ..., individually or regionally performing a system security Vulnerability and Risk Assessment (VRA), establishing... electrical condition and security of its electric system and for the quality of services provided to its... sufficient resources to operate and maintain its system and annually exercise its ERP in accordance with the...

  6. Security Isn't Just for Techies Anymore

    ERIC Educational Resources Information Center

    Mills, Lane B.

    2004-01-01

    School district networks are particularly difficult to protect given the diverse types of users, software, equipment and connections that most school districts provide. Vulnerabilities to the security of school district's technology infrastructure can relate to users, data, software, hardware and transmission. This article discusses different…

  7. A New Privacy-Preserving Handover Authentication Scheme for Wireless Networks

    PubMed Central

    Wang, Changji; Yuan, Yuan; Wu, Jiayuan

    2017-01-01

    Handover authentication is a critical issue in wireless networks, which is being used to ensure mobile nodes wander over multiple access points securely and seamlessly. A variety of handover authentication schemes for wireless networks have been proposed in the literature. Unfortunately, existing handover authentication schemes are vulnerable to a few security attacks, or incur high communication and computation costs. Recently, He et al. proposed a handover authentication scheme PairHand and claimed it can resist various attacks without rigorous security proofs. In this paper, we show that PairHand does not meet forward secrecy and strong anonymity. More seriously, it is vulnerable to key compromise attack, where an adversary can recover the private key of any mobile node. Then, we propose a new efficient and provably secure handover authentication scheme for wireless networks based on elliptic curve cryptography. Compared with existing schemes, our proposed scheme can resist key compromise attack, and achieves forward secrecy and strong anonymity. Moreover, it is more efficient in terms of computation and communication. PMID:28632171

  8. A New Privacy-Preserving Handover Authentication Scheme for Wireless Networks.

    PubMed

    Wang, Changji; Yuan, Yuan; Wu, Jiayuan

    2017-06-20

    Handover authentication is a critical issue in wireless networks, which is being used to ensure mobile nodes wander over multiple access points securely and seamlessly. A variety of handover authentication schemes for wireless networks have been proposed in the literature. Unfortunately, existing handover authentication schemes are vulnerable to a few security attacks, or incur high communication and computation costs. Recently, He et al. proposed a handover authentication scheme PairHand and claimed it can resist various attacks without rigorous security proofs. In this paper, we show that PairHand does not meet forward secrecy and strong anonymity. More seriously, it is vulnerable to key compromise attack, where an adversary can recover the private key of any mobile node. Then, we propose a new efficient and provably secure handover authentication scheme for wireless networks based on elliptic curve cryptography. Compared with existing schemes, our proposed scheme can resist key compromise attack, and achieves forward secrecy and strong anonymity. Moreover, it is more efficient in terms of computation and communication.

  9. Performance Analysis of Physical Layer Security of Opportunistic Scheduling in Multiuser Multirelay Cooperative Networks

    PubMed Central

    Shim, Kyusung; Do, Nhu Tri; An, Beongku

    2017-01-01

    In this paper, we study the physical layer security (PLS) of opportunistic scheduling for uplink scenarios of multiuser multirelay cooperative networks. To this end, we propose a low-complexity, yet comparable secrecy performance source relay selection scheme, called the proposed source relay selection (PSRS) scheme. Specifically, the PSRS scheme first selects the least vulnerable source and then selects the relay that maximizes the system secrecy capacity for the given selected source. Additionally, the maximal ratio combining (MRC) technique and the selection combining (SC) technique are considered at the eavesdropper, respectively. Investigating the system performance in terms of secrecy outage probability (SOP), closed-form expressions of the SOP are derived. The developed analysis is corroborated through Monte Carlo simulation. Numerical results show that the PSRS scheme significantly improves the secure ability of the system compared to that of the random source relay selection scheme, but does not outperform the optimal joint source relay selection (OJSRS) scheme. However, the PSRS scheme drastically reduces the required amount of channel state information (CSI) estimations compared to that required by the OJSRS scheme, specially in dense cooperative networks. PMID:28212286

  10. Edgeware Security Risk Management: A Three Essay Thesis on Cloud, Virtualization and Wireless Grid Vulnerabilities

    ERIC Educational Resources Information Center

    Brooks, Tyson T.

    2013-01-01

    This thesis identifies three essays which contribute to the foundational understanding of the vulnerabilities and risk towards potentially implementing wireless grid Edgeware technology in a virtualized cloud environment. Since communication networks and devices are subject to becoming the target of exploitation by hackers (e.g. individuals who…

  11. SPAR: a security- and power-aware routing protocol for wireless ad hoc and sensor networks

    NASA Astrophysics Data System (ADS)

    Oberoi, Vikram; Chigan, Chunxiao

    2005-05-01

    Wireless Ad Hoc and Sensor Networks (WAHSNs) are vulnerable to extensive attacks as well as severe resource constraints. To fulfill the security needs, many security enhancements have been proposed. Likewise, from the resource constraint perspective, many power-aware schemes have been proposed to save battery power. However, we observe that for the severely resource-limited and extremely vulnerable WAHSNs, taking security or power (or any other resource) alone into consideration for protocol design is rather inadequate toward the truly "secure-and-useful" WAHSNs. For example, from the resource constraint perspective, we identify one of the potential problems, the Security-Capable-Congestion (SCC) behavior, for the WAHSNs routing protocols where only security is concerned. On the other hand, the design approach where only scarce resources are concerned, such as many power-aware WAHSNs protocols, leaves security unconsidered and is undesirable for many WAHSNs application scenarios. Motivated by these observations, we propose a co-design approach, where both high security and effective resource consumption are targeted for WAHSNs protocol design. Specifically, we propose a novel routing protocol, the Security- and Power-Aware Routing (SPAR) protocol, based on this co-design approach. In SPAR, the routing decisions are made based on both security and power as routing criteria. The idea of the SPAR mechanism is routing protocol independent and therefore can be broadly integrated into any of the existing WAHSNs routing protocols. The simulation results show that SPAR significantly outperforms the WAHSNs routing protocols where security or power alone is considered. This research finding demonstrates that the proposed security- and resource-aware co-design approach is promising towards the truly "secure-and-useful" WAHSNs.

  12. Security and SCADA protocols

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Igure, V. M.; Williams, R. D.

    2006-07-01

    Supervisory control and data acquisition (SCADA) networks have replaced discrete wiring for many industrial processes, and the efficiency of the network alternative suggests a trend toward more SCADA networks in the future. This paper broadly considers SCADA to include distributed control systems (DCS) and digital control systems. These networks offer many advantages, but they also introduce potential vulnerabilities that can be exploited by adversaries. Inter-connectivity exposes SCADA networks to many of the same threats that face the public internet and many of the established defenses therefore show promise if adapted to the SCADA differences. This paper provides an overview of security issues in SCADA networks and ongoing efforts to improve the security of these networks. Initially, a few samples from the range of threats to SCADA network security are offered. Next, attention is focused on security assessment of SCADA communication protocols. Three challenges must be addressed to strengthen SCADA networks. Access control mechanisms need to be introduced or strengthened, improvements are needed inside of the network to enhance security and network monitoring, and SCADA security management improvements and policies are needed. This paper discusses each of these challenges. This paper uses the Profibus protocol as an example to illustrate some of the vulnerabilities that arise within SCADA networks. The example Profibus security assessment establishes a network model and an attacker model before proceeding to a list of example attacks. (authors)

  13. Low photon count based digital holography for quadratic phase cryptography.

    PubMed

    Muniraj, Inbarasan; Guo, Changliang; Malallah, Ra'ed; Ryle, James P; Healy, John J; Lee, Byung-Geun; Sheridan, John T

    2017-07-15

    Recently, the vulnerability of the linear canonical transform-based double random phase encryption system to attack has been demonstrated. To alleviate this, we present for the first time, to the best of our knowledge, a method for securing a two-dimensional scene using a quadratic phase encoding system operating in the photon-counted imaging (PCI) regime. Position-phase-shifting digital holography is applied to record the photon-limited encrypted complex samples. The reconstruction of the complex wavefront involves four sparse (undersampled) dataset intensity measurements (interferograms) at two different positions. Computer simulations validate that the photon-limited sparse-encrypted data has adequate information to authenticate the original data set. Finally, security analysis, employing iterative phase retrieval attacks, has been performed.

  14. Quantitative Risk Analysis

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Helms, J.

    2017-02-10

    The US energy sector is vulnerable to multiple hazards including both natural disasters and malicious attacks from an intelligent adversary. The question that utility owners, operators and regulators face is how to prioritize their investments to mitigate the risks from a hazard that can have the most impact on the asset of interest. In order to be able to understand their risk landscape and develop a prioritized mitigation strategy, they must quantify risk in a consistent way across all hazards their asset is facing. Without being able to quantitatively measure risk, it is not possible to defensibly prioritize security investments or evaluate trade-offs between security and functionality. Development of a methodology that will consistently measure and quantify risk across different hazards is needed.

  15. Analysis of information security management systems at 5 domestic hospitals with more than 500 beds.

    PubMed

    Park, Woo-Sung; Seo, Sun-Won; Son, Seung-Sik; Lee, Mee-Jeong; Kim, Shin-Hyo; Choi, Eun-Mi; Bang, Ji-Eon; Kim, Yea-Eun; Kim, Ok-Nam

    2010-06-01

    The information security management systems (ISMS) of 5 hospitals with more than 500 beds were evaluated with regards to the level of information security, management, and physical and technical aspects so that we might make recommendations on information security and security countermeasures which meet both international standards and the needs of individual hospitals. The ISMS check-list derived from international/domestic standards was distributed to each hospital to complete and the staff of each hospital was interviewed. Information Security Indicator and Information Security Values were used to estimate the present security levels and evaluate the application of each hospital's current system. With regard to the moderate clause of the ISMS, the hospitals were determined to be in compliance. The most vulnerable clause was asset management, in particular, information asset classification guidelines. The clauses of information security incident management and business continuity management were deemed necessary for the establishment of successful ISMS. The level of current ISMS in the hospitals evaluated was determined to be insufficient. Establishment of adequate ISMS is necessary to ensure patient privacy and the safe use of medical records for various purposes. Implementation of ISMS which meet international standards with a long-term and comprehensive perspective is of prime importance. To reflect the requirements of the varied interests of medical staff, consumers, and institutions, the establishment of political support is essential to create suitable hospital ISMS.

  16. Connecting the Spots: Combating Transnational Terrorist Groups Through Leveraging Indigenous Security Forces

    DTIC Science & Technology

    2009-04-01

    terrorist social networks are quite vulnerable to penetration and exploitation by indigenous personnel working in the communities where the groups operate...LEVERAGING INDIGENOUS SECURITY FORCES by Mack-Jan H. Spencer, Maj, USAF A Research Report Submitted to the Faculty In Partial Fulfillment of the...4. TITLE AND SUBTITLE Connecting the Spots: Combating Transnational Terrorist Groups Through Leveraging Indigenous Security Forces 5a. CONTRACT

  17. Data security issues arising from integration of wireless access into healthcare networks.

    PubMed

    Frenzel, John C

    2003-04-01

    The versatility of having Ethernet speed connectivity without wires is rapidly driving adoption of wireless data networking by end users across all types of industry. Designed to be easy to configure and work among diverse platforms, wireless brings online data to mobile users. This functionality is particularly useful in modern clinical medicine. Wireless presents operators of networks containing or transmitting sensitive and confidential data with several new types of security vulnerabilities, and potentially opens previously protected core network resources to outside attack. Herein, we review the types of vulnerabilities, the tools necessary to exploit them, and strategies to thwart a successful attack.

  18. Design of Provider-Provisioned Website Protection Scheme against Malware Distribution

    NASA Astrophysics Data System (ADS)

    Yagi, Takeshi; Tanimoto, Naoto; Hariu, Takeo; Itoh, Mitsutaka

    Vulnerabilities in web applications expose computer networks to security threats, and many websites are used by attackers as hopping sites to attack other websites and user terminals. These incidents prevent service providers from constructing secure networking environments. To protect websites from attacks exploiting vulnerabilities in web applications, service providers use web application firewalls (WAFs). WAFs filter accesses from attackers by using signatures, which are generated based on the exploit codes of previous attacks. However, WAFs cannot filter unknown attacks because the signatures cannot reflect new types of attacks. In service provider environments, the number of exploit codes has recently increased rapidly because of the spread of vulnerable web applications that have been developed through cloud computing. Thus, generating signatures for all exploit codes is difficult. To solve these problems, our proposed scheme detects and filters malware downloads that are sent from websites which have already received exploit codes. In addition, to collect information for detecting malware downloads, web honeypots, which automatically extract the communication records of exploit codes, are used. According to the results of experiments using a prototype, our scheme can filter attacks automatically so that service providers can provide secure and cost-effective network environments.

  19. Multiple stressors in Southern Africa: the link between HIV/AIDS, food insecurity, poverty and children's vulnerability now and in the future

    PubMed Central

    Drimie, Scott; Casale, Marisa

    2009-01-01

    Several countries in Southern Africa now see large numbers of their population barely subsisting at poverty levels in years without shocks, and highly vulnerable to the vagaries of the weather, the economy and government policy. The combination of HIV/AIDS, food insecurity and a weakened capacity for governments to deliver basic social services has led to the region experiencing an acute phase of a long-term emergency. “Vulnerability” is a term commonly used by scientists and practitioners to describe these deteriorating conditions. There is particular concern about the “vulnerability” of children in this context and implications for children's future security. Through a review of literature and recent case studies, and using a widely accepted conceptualisation of vulnerability as a lens, we reflect on what the regional livelihoods crisis could mean for children's future wellbeing. We argue that an increase in factors determining the vulnerability of households — both through greater intensity and frequency of shocks and stresses (“external” vulnerability) and undermined resilience or ability to cope (“internal” vulnerability) — are threatening not only current welfare of children, but also their longer-term security. The two specific pathways we explore are (1) erosive coping strategies employed by families and individuals; and (2) their inability to plan for the future. We conclude that understanding and responding to this crisis requires looking at the complexity of these multiple stressors, to try to comprehend their interconnections and causal links. Policy and programme responses have, to date, largely failed to take into account the complex and multi-dimensional nature of this crisis. There is a misfit between the problem and the institutional response, as responses from national and international players have remained relatively static. Decisive, well-informed and holistic interventions are needed to break the potential negative cycle that threatens the future security of Southern Africa's children. PMID:22380976

  20. The Impact of Terrorism on School Safety Planning.

    ERIC Educational Resources Information Center

    Trump, Kenneth S.

    2002-01-01

    Discusses why history and "thinking outside of the box" should encourage schools to acknowledge that they are potentially vulnerable targets of terrorism. Presents new safety and security issues raised by the threat of terrorism, including anthrax scares, cell phone use, and field trips. Describes "heightened security"…

  1. Report: Survey Results on Information Used by Water Utilities to Conduct Vulnerability Assessments

    EPA Pesticide Factsheets

    Report #2004-M-0001, November 21, 2003. EPA developed a Strategic Plan for Homeland Security (Plan), dated Sept 2002, which states that EPA will work with the States, tribes, drinking water utilities, and others to enhance the security of water utilities.

  2. DOE/DHS INDUSTRIAL CONTROL SYSTEM CYBER SECURITY PROGRAMS: A MODEL FOR USE IN NUCLEAR FACILITY SAFEGUARDS AND SECURITY

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Robert S. Anderson; Mark Schanfein; Trond Bjornard

    2011-07-01

    Many critical infrastructure sectors have been investigating cyber security issues for several years especially with the help of two primary government programs. The U.S. Department of Energy (DOE) National SCADA Test Bed and the U.S. Department of Homeland Security (DHS) Control Systems Security Program have both implemented activities aimed at securing the industrial control systems that operate the North American electric grid along with several other critical infrastructure sectors (ICS). These programs have spent the last seven years working with industry including asset owners, educational institutions, standards and regulating bodies, and control system vendors. The programs' common mission is to provide outreach, identification of cyber vulnerabilities to ICS and mitigation strategies to enhance security postures. The success of these programs indicates that a similar approach can be successfully translated into other sectors including nuclear operations, safeguards, and security. The industry regulating bodies have included cyber security requirements and in some cases, have incorporated sets of standards with penalties for non-compliance such as the North American Electric Reliability Corporation Critical Infrastructure Protection standards. These DOE and DHS programs that address security improvements by both suppliers and end users provide an excellent model for nuclear facility personnel concerned with safeguards and security cyber vulnerabilities and countermeasures. It is not a stretch to imagine complete surreptitious collapse of protection against the removal of nuclear material or even initiation of a criticality event as witnessed at Three Mile Island or Chernobyl in a nuclear ICS inadequately protected against the cyber threat.

  3. Software Development Life Cycle Security Issues

    NASA Astrophysics Data System (ADS)

    Kaur, Daljit; Kaur, Parminder

    2011-12-01

    Security is now-a-days one of the major problems because of many reasons. The main cause is that software can't withstand security attacks because of vulnerabilities in it which are caused by defective specifications design and implementation. We have conducted a survey asking software developers, project managers and other people in software development about their security awareness and implementation in Software Development Life Cycle (SDLC). The survey was open to participation for three weeks and this paper explains the survey results.

  4. Security engineering: systems engineering of security through the adaptation and application of risk management

    NASA Technical Reports Server (NTRS)

    Gilliam, David P.; Feather, Martin S.

    2004-01-01

    Information Technology (IT) Security Risk Management is a critical task in the organization, which must protect its resources and data against the loss of confidentiality, integrity, and availability. As systems become more complex and diverse, and more vulnerabilities are discovered while attacks from intrusions and malicious content increase, it is becoming increasingly difficult to manage IT security. This paper describes an approach to address IT security risk through risk management and mitigation in both the institution and in the project life cycle.

  5. The impact of the 2008 financial crisis on food security and food expenditures in Mexico: a disproportionate effect on the vulnerable

    PubMed Central

    Vilar-Compte, Mireya; Sandoval-Olascoaga, Sebastian; Bernal-Stuart, Ana; Shimoga, Sandhya; Vargas-Bustamante, Arturo

    2015-01-01

    Objective: The present paper investigated the impact of the 2008 financial crisis on food security in Mexico and how it disproportionally affected vulnerable households. Design: A generalized ordered logistic regression was estimated to assess the impact of the crisis on households’ food security status. An ordinary least squares and a quantile regression were estimated to evaluate the effect of the financial crisis on a continuous proxy measure of food security defined as the share of a household’s current income devoted to food expenditures. Setting: Both analyses were performed using pooled cross-sectional data from the Mexican National Household Income and Expenditure Survey 2008 and 2010. Subjects: The analytical sample included 29 468 households in 2008 and 27 654 in 2010. Results: The generalized ordered logistic model showed that the financial crisis significantly (P < 0·05) decreased the probability of being food secure, mildly or moderately food insecure, compared with being severely food insecure (OR = 0·74). A similar but smaller effect was found when comparing severely and moderately food-insecure households with mildly food-insecure and food-secure households (OR = 0·81). The ordinary least squares model showed that the crisis significantly (P < 0·05) increased the share of total income spent on food (β coefficient of 0·02). The quantile regression confirmed the findings suggested by the generalized ordered logistic model, showing that the effects of the crisis were more profound among poorer households. Conclusions: The results suggest that households that were more vulnerable before the financial crisis saw a worsened effect in terms of food insecurity with the crisis. Findings were consistent with both measures of food security – one based on self-reported experience and the other based on food spending. PMID:25428800

  6. Climate Change and Water Security in South Africa; Assessing Conflict and Coping Strategies in KwaZulu-Natal

    NASA Astrophysics Data System (ADS)

    Hosea, P. O.

    2017-12-01

    The focus on the security implication of climate change was intensified after the 2007 United Nations Security Council debate on climate change as a threat multiplier. In the light of this, Africa is identified as the continent highly vulnerable to climate change impacts due to its high dependence on climate sensitive economy, high poverty prevalence rate, weak institutional coping capacity as well as poor social infrastructure. In the past decades, the peculiarity of South Africa vis-à-vis climate change vulnerability, especially water scarcity, has become an issue of political and economic concern. The country is water stressed due to its arid and semi-arid conditions. In light of this, the Council for Scientific and Industrial Research (CSIR) (2010) assert that while global temperature increased by 0.8°C over the last century, the surface temperature around the Southern Africa region increased by 2.0°C over the same period. This connotes that climate change and its impact is inevitable for the region. This will further exacerbate the already stress water resources within South Africa. Owing to Cilliers (2009) and the Council on Foreign Relations (2016) argument that most conflict in Africa are largely driven by resource competition which are masqueraded as issues based on politics, religion or ethnicity, this study investigates the propensity of conflict dynamics in relation to climate change and water security. Using eco-violence theory as a theoretical framework and on the premises of human security, the study assess the security implications triggered by the impact of climate change on water security of rural communities in uMkhanyakude District Municipality, KwaZulu-Natal, South Africa. It focused on the extent to which this might trigger conflict as a coping mechanism among rural dwellers to water insecurity in order to inform policy options. Data for the were sourced using a mixed method paradigm where 385 survey questionnaire were distributed using simple random sampling method, 28 in-depth interview using specific sampling as well as 8 focus group discussion. The data generated were analyzed using descriptive statistic with SPSS, as well as thematic content analysis for the quantitative and qualitative data respectively.

  7. Drivers and Pattern of Social Vulnerability to Flood in Metropolitan Lagos, Nigeria

    NASA Astrophysics Data System (ADS)

    Fasona, M.

    2016-12-01

    Lagos is Africa's second largest city and a city-state in southwest Nigeria. Population and economic activities in the city are concentrated in the greater Lagos metropolitan area - a group of barrier islands less than a thousand square kilometer. Several physical factors and critical human-environmental conditions contribute to high flood vulnerability across the city. Flood impact is highly denominated and the poor tend to suffer more due to higher risk of exposure and poor adaptive capacity. In this study we present the pattern of social vulnerability to flooding across the Lagos metropolis and argued that the pattern substantially reflects the pattern and severity of flooding impact on people across the metropolis. Twenty nine social indicators and experiences including poverty profile, housing conditions, education, population and demography, social network, and communication, among others, were considered. The data were collated through field survey and subjected to principal component analysis. The results were processed into raster surfaces using GIS for social vulnerability characterization at neighborhood levels. The results suggest the social status indicators, neighborhood standing and social networks indicators, the indicators of emergency responses and security, and the neighborhood conditions, in that order, are the most important determinants of social vulnerability. Six of the 16 LGAs in metropolitan Lagos have high social vulnerability. Neighborhoods that combine poor social status indicators and poor neighborhood standing and social networks are found to have high social vulnerability whereas other poor neighborhoods with strong social networks performed better. We conclude that improved human living condition and social network and communication in poor urban neighborhoods are important to reducing social vulnerability to flooding in the metropolis.

  8. Research and application of ARP protocol vulnerability attack and defense technology based on trusted network

    NASA Astrophysics Data System (ADS)

    Xi, Huixing

    2017-03-01

    With the continuous development of network technology and the rapid spread of the Internet, computer networks have been around the world every corner. However, the network attacks frequently occur. The ARP protocol vulnerability is one of the most common vulnerabilities in the TCP / IP four-layer architecture. The network protocol vulnerabilities can lead to the intrusion and attack of the information system, and disable or disable the normal defense function of the system [1]. At present, ARP spoofing Trojans spread widely in the LAN, the network security to run a huge hidden danger, is the primary threat to LAN security. In this paper, the author summarizes the research status and the key technologies involved in ARP protocol, analyzes the formation mechanism of ARP protocol vulnerability, and analyzes the feasibility of the attack technique. Based on the summary of the common defensive methods, the advantages and disadvantages of each defense method. At the same time, the current defense method is improved, and the advantage of the improved defense algorithm is given. At the end of this paper, the appropriate test method is selected and the test environment is set up. Experiment and test are carried out for each proposed improved defense algorithm.

  9. Protection of data carriers using secure optical codes

    NASA Astrophysics Data System (ADS)

    Peters, John A.; Schilling, Andreas; Staub, René; Tompkin, Wayne R.

    2006-02-01

    Smartcard technologies, combined with biometric-enabled access control systems, are required for many high-security government ID card programs. However, recent field trials with some of the most secure biometric systems have indicated that smartcards are still vulnerable to well equipped and highly motivated counterfeiters. In this paper, we present the Kinegram Secure Memory Technology which not only provides a first-level visual verification procedure, but also reinforces the existing chip-based security measures. This security concept involves the use of securely-coded data (stored in an optically variable device) which communicates with the encoded hashed information stored in the chip memory via a smartcard reader device.

  10. Warfighter Information Network - Tactical (WIN-T) Increment 2: Second Follow-on Operational Test and Evaluation

    DTIC Science & Technology

    2015-05-01

    HNW line-of-sight network is mounted on a 10-meter telescoping mast located just aft of the TCN’s cab. The flat plate Range Throughput Extension Kit... TAC – Tactical Command Post ATH – At-the-Halt PoP – Point of Presence SNE – Soldier Network Extension NOSC – Network Operations & Security...Survivability/Lethality Analysis Directorate (ARL/SLAD) conducted a Cooperative Vulnerability and Penetration Assessment on WIN-T Increment 2. The Army

  11. 77 FR 74685 - Chemical Facility Anti-Terrorism Standards (CFATS) Chemical-Terrorism Vulnerability Information...

    Federal Register 2010, 2011, 2012, 2013, 2014

    2012-12-17

    ... Programs Directorate (NPPD), Office of Infrastructure Protection (IP), Infrastructure Security Compliance... questions about this Information Collection Request should be forwarded to DHS/NPPD/IP/ISCD CFATS Program... to the DHS/NPPD/IP/ISCD CFATS Program Manager at the Department of Homeland Security, 245 Murray Lane...

  12. Moving Secure Software Assurance into Higher Education: A Roadmap for Change

    DTIC Science & Technology

    2011-06-02

    Summarized: The Issue: Software defects are currently a fact of life. Software defects are avenues of security vulnerabilities that cyber ... criminals, terrorists, or hostile nations can exploit. We (THE ENTIRE INDUSTRY) need to change the way we build systems. Decrease the number of defects

  13. 76 FR 4123 - Homeland Security Advisory Council

    Federal Register 2010, 2011, 2012, 2013, 2014

    2011-01-24

    .... The closed portions of the meeting will address threats to our homeland security, results of a cyber... designed to keep our country safe. A briefing on the Cyber Storm III Exercise will include lessons learned and vulnerabilities of cyber assets, as well as potential methods to improve a Federal response to a...

  14. Security of Personal Computer Systems: A Management Guide.

    ERIC Educational Resources Information Center

    Steinauer, Dennis D.

    This report describes management and technical security considerations associated with the use of personal computer systems as well as other microprocessor-based systems designed for use in a general office environment. Its primary objective is to identify and discuss several areas of potential vulnerability and associated protective measures. The…

  15. 77 FR 38467 - Special Conditions: Gulfstream Aerospace LP (GALP), Model Gulfstream G280 Airplane; Isolation or...

    Federal Register 2010, 2011, 2012, 2013, 2014

    2012-06-28

    ... network security vulnerabilities and increased risks potentially resulting in unsafe conditions for the... Gulfstream G280 Airplane; Isolation or Aircraft Electronic System Security Protection From Unauthorized... connectivity of the passenger service computer systems to the airplane critical systems and data networks. The...

  16. Surface transportation security : TSA has taken actions to manage risk, improve coordination, and measure performance, but additional actions would enhance its efforts, April 21, 2010.

    DOT National Transportation Integrated Search

    2010-04-21

    Terrorist attacks on surface transportation facilities in Moscow, Mumbai, London, and Madrid caused casualties and highlighted the vulnerability of such systems. The Transportation Security Administration (TSA), within the Department of Homeland Secu...

  17. Designing, Implementing, and Evaluating Secure Web Browsers

    ERIC Educational Resources Information Center

    Grier, Christopher L.

    2009-01-01

    Web browsers are plagued with vulnerabilities, providing hackers with easy access to computer systems using browser-based attacks. Efforts that retrofit existing browsers have had limited success since modern browsers are not designed to withstand attack. To enable more secure web browsing, we design and implement new web browsers from the ground…

  18. National Counterintelligence Strategy of the United States of America 2016

    DTIC Science & Technology

    2015-01-01

    including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson...while protecting sensitive information and assets from FIE theft, manipulation, or exploitation; • Identify vulnerabilities and threats to...process into supply chain operations to secure the supply chain from exploitation and reduce its vulnerability to disruption; • Expand partnerships

  19. URBAN-NET: A Network-based Infrastructure Monitoring and Analysis System for Emergency Management and Public Safety

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Lee, Sangkeun; Chen, Liangzhe; Duan, Sisi

    Critical Infrastructures (CIs) such as energy, water, and transportation are complex networks that are crucial for sustaining day-to-day commodity flows vital to national security, economic stability, and public safety. The nature of these CIs is such that failures caused by an extreme weather event or a man-made incident can trigger widespread cascading failures, sending ripple effects at regional or even national scales. To minimize such effects, it is critical for emergency responders to identify existing or potential vulnerabilities within CIs during such stressor events in a systematic and quantifiable manner and take appropriate mitigating actions. We present here a novel critical infrastructure monitoring and analysis system named URBAN-NET. The system includes a software stack and tools for monitoring CIs, pre-processing data, interconnecting multiple CI datasets as a heterogeneous network, identifying vulnerabilities through graph-based topological analysis, and predicting consequences based on what-if simulations along with visualization. As a proof-of-concept, we present several case studies to show the capabilities of our system. We also discuss remaining challenges and future work.

  20. A framework for sea level rise vulnerability assessment for southwest U.S. military installations

    USGS Publications Warehouse

    Chadwick, B.; Flick, Reinhard; Helly, J.; Nishikawa, Tracy; Pei, Fang Wang; O'Reilly, W.; Guza, R.; Bromirski, Peter; Young, A.; Crampton, W.; Wild, B.; Canner, I.

    2011-01-01

    We describe an analysis framework to determine military installation vulnerabilities under increases in local mean sea level as projected over the next century. The effort is in response to an increasing recognition of potential climate change ramifications for national security and recommendations that DoD conduct assessments of the impact on U.S. military installations of climate change. Results of the effort described here focus on development of a conceptual framework for sea level rise vulnerability assessment at coastal military installations in the southwest U.S. We introduce the vulnerability assessment in the context of a risk assessment paradigm that incorporates sources in the form of future sea level conditions, pathways of impact including inundation, flooding, erosion and intrusion, and a range of military installation specific receptors such as critical infrastructure and training areas. A unique aspect of the methodology is the capability to develop wave climate projections from GCM outputs and transform these to future wave conditions at specific coastal sites. Future sea level scenarios are considered in the context of installation sensitivity curves which reveal response thresholds specific to each installation, pathway and receptor. In the end, our goal is to provide a military-relevant framework for assessment of accelerated SLR vulnerability, and develop the best scientifically-based scenarios of waves, tides and storms and their implications for DoD installations in the southwestern U.S.

  1. Genesis: A Framework for Achieving Software Component Diversity

    DTIC Science & Technology

    2007-01-01

    correctly—the initial filters develop to fix the Hotmail vulnerability could be circumvented by using alternate character encodings4. Hence, we focus on...Remotely Exploitable Cross-Site Scripting in Hotmail and Yahoo, (March 2004); http://www.greymagic.com/security/advisories/gm005-mc/. 4...EyeonSecurity, Microsoft Passport Account Hijack Attack: Hacking Hotmail and More, Hacker’s Digest. 5. Y.-W. Huang et al., Web Application Security Assessment by

  2. Comment on "Secure quantum private information retrieval using phase-encoded queries"

    NASA Astrophysics Data System (ADS)

    Shi, Run-hua; Mu, Yi; Zhong, Hong; Zhang, Shun

    2016-12-01

    In this Comment, we reexamine the security of phase-encoded quantum private query (QPQ). We find that the current phase-encoded QPQ protocols, including their applications, are vulnerable to a probabilistic entangle-and-measure attack performed by the owner of the database. Furthermore, we discuss how to overcome this security loophole and present an improved cheat-sensitive QPQ protocol without losing the good features of the original protocol.

  3. Security Risk Assessment Process for UAS in the NAS CNPC Architecture

    NASA Technical Reports Server (NTRS)

    Iannicca, Dennis C.; Young, Dennis P.; Thadani, Suresh K.; Winter, Gilbert A.

    2013-01-01

    This informational paper discusses the risk assessment process conducted to analyze Control and Non-Payload Communications (CNPC) architectures for integrating civil Unmanned Aircraft Systems (UAS) into the National Airspace System (NAS). The assessment employs the National Institute of Standards and Technology (NIST) Risk Management framework to identify threats, vulnerabilities, and risks to these architectures and recommends corresponding mitigating security controls. This process builds upon earlier work performed by RTCA Special Committee (SC) 203 and the Federal Aviation Administration (FAA) to roadmap the risk assessment methodology and to identify categories of information security risks that pose a significant impact to aeronautical communications systems. A description of the deviations from the typical process is described in regards to this aeronautical communications system. Due to the sensitive nature of the information, data resulting from the risk assessment pertaining to threats, vulnerabilities, and risks is beyond the scope of this paper.

  4. Security Risk Assessment Process for UAS in the NAS CNPC Architecture

    NASA Technical Reports Server (NTRS)

    Iannicca, Dennis Christopher; Young, Daniel Paul; Suresh, Thadhani; Winter, Gilbert A.

    2013-01-01

    This informational paper discusses the risk assessment process conducted to analyze Control and Non-Payload Communications (CNPC) architectures for integrating civil Unmanned Aircraft Systems (UAS) into the National Airspace System (NAS). The assessment employs the National Institute of Standards and Technology (NIST) Risk Management framework to identify threats, vulnerabilities, and risks to these architectures and recommends corresponding mitigating security controls. This process builds upon earlier work performed by RTCA Special Committee (SC) 203 and the Federal Aviation Administration (FAA) to roadmap the risk assessment methodology and to identify categories of information security risks that pose a significant impact to aeronautical communications systems. A description of the deviations from the typical process is described in regards to this aeronautical communications system. Due to the sensitive nature of the information, data resulting from the risk assessment pertaining to threats, vulnerabilities, and risks is beyond the scope of this paper

  5. Augmenting Traditional Static Analysis With Commonly Available Metadata

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Cook, Devin

    Developers and security analysts have been using static analysis for a long time to analyze programs for defects and vulnerabilities with some success. Generally a static analysis tool is run on the source code for a given program, flagging areas of code that need to be further inspected by a human analyst. These areas may be obvious bugs like potential buffer overflows, information leakage flaws, or the use of uninitialized variables. These tools tend to work fairly well - every year they find many important bugs. These tools are more impressive considering the fact that they only examine the source code, which may be very complex. Now consider the amount of data available that these tools do not analyze. There are many pieces of information that would prove invaluable for finding bugs in code, things such as a history of bug reports, a history of all changes to the code, information about committers, etc. By leveraging all this additional data, it is possible to find more bugs with less user interaction, as well as track useful metrics such as number and type of defects injected by committer. This dissertation provides a method for leveraging development metadata to find bugs that would otherwise be difficult to find using standard static analysis tools. We showcase two case studies that demonstrate the ability to find 0day vulnerabilities in large and small software projects by finding new vulnerabilities in the cpython and Roundup open source projects.

  6. Work and Health among Latina Mothers in Farmworker Families

    PubMed Central

    Arcury, Thomas A.; Trejo, Grisel; Suerken, Cynthia K.; Grzywacz, Joseph G.; Ip, Edward H.; Quandt, Sara A.

    2014-01-01

    Background Work organization is important for the health of vulnerable workers, particularly women. This analysis describes work organization for Latinas in farmworker families and delineates the associations of work organization with health indicators. Methods 220 Latino women in farmworker families completed interviews from October 2012 - July 2013. Interviews addressed job structure, job demand, job control, and job support. Health measures included stress, depressive symptoms, physical activity, family conflict, and family economic security. Results Three-fifths of the women were employed. Several work organization dimensions, including shift, psychological demand, work safety climate, and benefits, were associated with participant health as expected, based on the work organization and job demands-control-support models. Conclusions Research should address women's health and specific work responsibilities. Occupational safety policy must consider the importance of work organization in the health of vulnerable workers. PMID:25742536

  7. An Improved and Secure Anonymous Biometric-Based User Authentication with Key Agreement Scheme for the Integrated EPR Information System.

    PubMed

    Jung, Jaewook; Kang, Dongwoo; Lee, Donghoon; Won, Dongho

    2017-01-01

    Nowadays, many hospitals and medical institutes employ an authentication protocol within electronic patient records (EPR) services in order to provide protected electronic transactions in e-medicine systems. In order to establish efficient and robust health care services, numerous studies have been carried out on authentication protocols. Recently, Li et al. proposed a user authenticated key agreement scheme according to EPR information systems, arguing that their scheme is able to resist various types of attacks and preserve diverse security properties. However, this scheme possesses critical vulnerabilities. First, the scheme cannot prevent off-line password guessing attacks and server spoofing attack, and cannot preserve user identity. Second, there is no password verification process with the failure to identify the correct password at the beginning of the login phase. Third, the mechanism of password change is incompetent, in that it induces inefficient communication in communicating with the server to change a user password. Therefore, we suggest an upgraded version of the user authenticated key agreement scheme that provides enhanced security. Our security and performance analysis shows that compared to other related schemes, our scheme not only improves the security level, but also ensures efficiency.

  8. An Improved and Secure Anonymous Biometric-Based User Authentication with Key Agreement Scheme for the Integrated EPR Information System

    PubMed Central

    Kang, Dongwoo; Lee, Donghoon; Won, Dongho

    2017-01-01

    Nowadays, many hospitals and medical institutes employ an authentication protocol within electronic patient records (EPR) services in order to provide protected electronic transactions in e-medicine systems. In order to establish efficient and robust health care services, numerous studies have been carried out on authentication protocols. Recently, Li et al. proposed a user authenticated key agreement scheme according to EPR information systems, arguing that their scheme is able to resist various types of attacks and preserve diverse security properties. However, this scheme possesses critical vulnerabilities. First, the scheme cannot prevent off-line password guessing attacks and server spoofing attack, and cannot preserve user identity. Second, there is no password verification process with the failure to identify the correct password at the beginning of the login phase. Third, the mechanism of password change is incompetent, in that it induces inefficient communication in communicating with the server to change a user password. Therefore, we suggest an upgraded version of the user authenticated key agreement scheme that provides enhanced security. Our security and performance analysis shows that compared to other related schemes, our scheme not only improves the security level, but also ensures efficiency. PMID:28046075

  9. Data privacy considerations in Intensive Care Grids.

    PubMed

    Luna, Jesus; Dikaiakos, Marios D; Kyprianou, Theodoros; Bilas, Angelos; Marazakis, Manolis

    2008-01-01

    Novel eHealth systems are being designed to provide a citizen-centered health system, however the even demanding need for computing and data resources has required the adoption of Grid technologies. In most of the cases, this novel Health Grid requires not only conveying patient's personal data through public networks, but also storing it into shared resources out of the hospital premises. These features introduce new security concerns, in particular related with privacy. In this paper we survey current legal and technological approaches that have been taken to protect a patient's personal data into eHealth systems, with a particular focus in Intensive Care Grids. However, thanks to a security analysis applied over the Intensive Care Grid system (ICGrid) we show that these security mechanisms are not enough to provide a comprehensive solution, mainly because the data-at-rest is still vulnerable to attacks coming from untrusted Storage Elements where an attacker may directly access them. To cope with these issues, we propose a new privacy-oriented protocol which uses a combination of encryption and fragmentation to improve data's assurance while keeping compatibility with current legislations and Health Grid security mechanisms.

  10. Approach to estimation of level of information security at enterprise based on genetic algorithm

    NASA Astrophysics Data System (ADS)

    Stepanov, L. V.; Parinov, A. V.; Korotkikh, L. P.; Koltsov, A. S.

    2018-05-01

    In the article, the way of formalization of different types of threats of information security and vulnerabilities of an information system of the enterprise and establishment is considered. In a type of complexity of ensuring information security of application of any new organized system, the concept and decisions in the sphere of information security are expedient. One of such approaches is the method of a genetic algorithm. For the enterprises of any fields of activity, the question of complex estimation of the level of security of information systems taking into account the quantitative and qualitative factors characterizing components of information security is relevant.

  11. SPAN security policies and guidelines

    NASA Technical Reports Server (NTRS)

    Sisson, Patricia L.; Green, James L.

    1989-01-01

    A guide is provided to system security with emphasis on requirements and guidelines that are necessary to maintain an acceptable level of security on the network. To have security for the network, each node on the network must be secure. Therefore, each system manager must strictly adhere to the requirements and must consider implementing the guidelines discussed. There are areas of vulnerability within the operating system that may not be addressed. However, when a requirement or guideline is discussed, implementation techniques are included. Information related to computer and data security is discussed to provide information on implementation options. The information is presented as it relates to a VAX computer environment.

  12. Water resources vulnerability assessment in the Adriatic Sea region: the case of Corfu Island.

    PubMed

    Kanakoudis, Vasilis; Tsitsifli, Stavroula; Papadopoulou, Anastasia; Cencur Curk, Barbara; Karleusa, Barbara

    2017-09-01

    Cross-border water resources management and protection is a complicated task to achieve, lacking a common methodological framework. Especially in the Adriatic region, water used for drinking water supply purposes pass from many different countries, turning its management into a hard task to achieve. During the DRINKADRIA project, a common methodological framework has been developed, for efficient and effective cross-border water supply and resources management, taking into consideration different resources types (surface and groundwater) emphasizing in drinking water supply intake. The common methodology for water resources management is based on four pillars: climate characteristics and climate change, water resources availability, quality, and security. The present paper assesses both present and future vulnerability of water resources in the Adriatic region, with special focus on Corfu Island, Greece. The results showed that climate change is expected to impact negatively on water resources availability while at the same time, water demand is expected to increase. Water quality problems will be intensified especially due to land use changes and salt water intrusion. The analysis identified areas where water resources are more vulnerable, allowing decision makers develop management strategies.

  13. Public views on multiple dimensions of security : nuclear weapons, terrorism, energy, and the environment : 2007.

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Herron, Kerry Gale; Jenkins-Smith, Hank C.

    2008-01-01

    We analyze and compare findings from identical national surveys of the US general public on nuclear security and terrorism administered by telephone and Internet in mid-2007. Key areas of investigation include assessments of threats to US security; valuations of US nuclear weapons and nuclear deterrence; perspectives on nuclear proliferation, including the specific cases of North Korea and Iran; and support for investments in nuclear weapons capabilities. Our analysis of public views on terrorism include assessments of the current threat, progress in the struggle against terrorism, preferences for responding to terrorist attacks at different levels of assumed casualties, and support for domestic policies intended to reduce the threat of terrorism. Also we report findings from an Internet survey conducted in mid 2007 that investigates public views of US energy security, to include: energy supplies and reliability; energy vulnerabilities and threats, and relationships among security, costs, energy dependence, alternative sources, and research and investment priorities. We analyze public assessments of nuclear energy risks and benefits, nuclear materials management issues, and preferences for the future of nuclear energy in the US. Additionally, we investigate environmental issues as they relate to energy security, to include expected implications of global climate change, and relationships among environmental issues and potential policy options.

  14. IT Security Support for the Spaceport Command Control System Development

    NASA Technical Reports Server (NTRS)

    Varise, Brian

    2014-01-01

    My job title is IT Security support for the Spaceport Command & Control System Development. As a cyber-security analyst it is my job to ensure NASA's information stays safe from cyber threats, such as, viruses, malware and denial-of-service attacks by establishing and enforcing system access controls. Security is very important in the world of technology and it is used everywhere from personal computers to giant networks ran by Government agencies worldwide. Without constant monitoring analysis, businesses, public organizations and government agencies are vulnerable to potential harmful infiltration of their computer information system. It is my responsibility to ensure authorized access by examining improper access, reporting violations, revoke access, monitor information request by new programming and recommend improvements. My department oversees the Launch Control System and networks. An audit will be conducted for the LCS based on compliance with the Federal Information Security Management Act (FISMA) and The National Institute of Standards and Technology (NIST). I recently finished analyzing the SANS top 20 critical controls to give cost effective recommendations on various software and hardware products for compliance. Upon my completion of this internship, I will have successfully completed my duties as well as gain knowledge that will be helpful to my career in the future as a Cyber Security Analyst.

  15. Security and Privacy Grand Challenges for the Internet of Things

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Fink, Glenn A.; Zarzhitsky, Dimitri V.; Carroll, Thomas E.

    The growth of the Internet of Things (IoT) is driven by market pressures, and while security is being considered, the relationship between the unintended consequences of billions of such devices connecting to the Internet cannot be described with existing mathematical methods. The possibilities for illicit surveillance through lifestyle analysis, unauthorized access to information, and new attack vectors will continue to increase by 2020, when up to 50 billion devices may be connected. This paper discusses various kinds of vulnerabilities that can be expected to arise, and presents a research agenda for mitigating the worst of the impacts. We hope to draw research attention to the potential dangers of IoT so that many of these problems can be avoided.

  16. Minimizing Expected Maximum Risk from Cyber-Attacks with Probabilistic Attack Success

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Bhuiyan, Tanveer H.; Nandi, Apurba; Medal, Hugh

    The goal of our work is to enhance network security by generating partial cut-sets, which are a subset of edges that remove paths from initially vulnerable nodes (initial security conditions) to goal nodes (critical assets), on an attack graph given costs for cutting an edge and a limited overall budget.

  17. On the Use of Software Metrics as a Predictor of Software Security Problems

    DTIC Science & Technology

    2013-01-01

    models to determine if additional metrics are required to increase the accuracy of the model: non-security SCSA warnings, code churn and size, the...vulnerabilities reported by testing and those found in the field. Summary of Most Important Results We evaluated our model on three commercial telecommunications

  18. Report: EPA Needs to Assess the Quality of Vulnerability Assessments Related to the Security of the Nation’s Water Supply

    EPA Pesticide Factsheets

    Report #2003-M-00013, September 24, 2003. In connection with our ongoing evaluation of the Environmental Protection Agency’s (EPA’s) activities to enhance the security of the Nation’s water supply, we noted an issue that requires your immediate attention.

  19. 75 FR 14429 - Agency Information Collection Activities; Submission for Office of Management and Budget Review...

    Federal Register 2010, 2011, 2012, 2013, 2014

    2010-03-25

    ... regular security audits and have been certified for operation. The CPSC observes all industry and Federal government best practices for network security. CPSC staff regularly analyzes its systems for vulnerabilities and malware, and monitor the network for real-time intrusion attempts. B. Estimated Burden The CPSC...

  20. A Framework For Analyzing And Mitigating The Vulnerabilities Of Complex Systems Via Attack And Protection Trees

    DTIC Science & Technology

    2007-07-01

    Systems, Ciudad Real, Spain, 2002. [Ame00] "Metamorphosis," in American Heritage Dictionary of the English Language Fourth ed: Houghton Mifflin Company...Beyond Fear: Thinking Sensibly About Security in an Uncertain World. New York: Copernicus Books, 2003. [Sch99] Schneier, B. "Modeling Security

  1. A Vulnerability Assessment of the U.S. Small Business B2C E-Commerce Network Systems

    ERIC Educational Resources Information Center

    Zhao, Jensen J.; Truell, Allen D.; Alexander, Melody W.; Woosley, Sherry A.

    2011-01-01

    Objective: This study assessed the security vulnerability of the U.S. small companies' business-to-consumer (B2C) e-commerce network systems. Background: As the Internet technologies have been changing the way business is conducted, the U.S. small businesses are investing in such technologies and taking advantage of e-commerce to access global…

  2. Food Vulnerability and Alluvial Farming for Food Security in Central Dry Zone Area of Myanmar

    NASA Astrophysics Data System (ADS)

    Boori, M. S.; Choudhary, K.; Evers, M.; Kupriyanov, A.

    2017-10-01

    The central dry zone area of Myanmar is the most water stressed and also one of the most food insecure regions in the country. In the Dry Zone area, the total population is 10.1 million people in 54 townships, of which approximately 43 % live below the poverty line and 40-50 % of the rural population is landless. Agriculture is the most important economic sector in Myanmar as it is essential for national food security and a major source of livelihood for its people. In this region the adverse effects of climate change such as late or early onset of monsoon season, longer dry spells, erratic rainfall, increasing temperature, heavy rains, stronger typhoons, extreme spatial-temporal variability of rainfall, high intensities, limited rainfall events in the growing season, heat stress, drought, flooding, sea water intrusion, land degradation, desertification, deforestation and other natural disasters are believed to be a major constraint to food insecurity. For food vulnerability, we use the following indicators: slope, precipitation, vegetation, soil, erosion, land degradation and harvest failure in ArcGIS software. The erosion is influenced by rainfall and slope, while land degradation is directly related to vegetation, drainage and soil. Harvest failure, in turn, can be generated by rainfall and flood potential zones. Results show that around 45 % of the study area comes under very high erosion danger level, 70 % under average harvest failure, 59 % under intermediate land degradation, and overall around 45 % of the study area comes under the insecure food vulnerability zone. Our analysis shows an increase in alluvial farming by 1745.33 km2 since 1988 to reduce the insecure food vulnerability. The food vulnerability map is also relevant to increased population and low income areas. The extreme climatic events are likely to increase in frequency and magnitude of serious drought periods and extreme floods. Food insecurity is an important thing that must be reviewed because it relates to the lives of many people. This paper is helpful for identifying the areas of food needs in the central dry zone area of Myanmar.

  3. Livelihood Cycle and Vulnerability of Rural Households to Climate Change and Hazards in Bangladesh.

    PubMed

    Alam, G M Monirul

    2017-05-01

    Rural riverine households in Bangladesh are confronted with many climate-driven hazards, including riverbank erosion, which results in loss of productive land and other natural resources of the riverine households, and thus threatens their livelihoods and food security. This study assesses the main drivers of vulnerability and livelihood cycle of vulnerable riparian households in Bangladesh. The study utilises the IPCC framework of vulnerability and develops a weighted approach by employing the livelihood vulnerability index and the climate vulnerability index. The results reveal that the livelihood vulnerability index and the climate vulnerability index differ across locations, however, a high index value for both measures indicates the households' high livelihood vulnerability to climate change and hazards. The main drivers that influence the vulnerability dimensions are livelihood strategies and access to food, water and health facilities. These hazard-prone households are also vulnerable due to their existing low livelihood status that leads to a vicious cycle of poverty. The findings of this study are crucial for policymakers to formulate and implement effective strategies and programs to minimise vulnerability and to enhance the local adaptation processes in order to improve such households' livelihood across Bangladesh.

  4. Livelihood Cycle and Vulnerability of Rural Households to Climate Change and Hazards in Bangladesh

    NASA Astrophysics Data System (ADS)

    Alam, G. M. Monirul

    2017-05-01

    Rural riverine households in Bangladesh are confronted with many climate-driven hazards, including riverbank erosion, which results in loss of productive land and other natural resources of the riverine households, and thus threatens their livelihoods and food security. This study assesses the main drivers of vulnerability and livelihood cycle of vulnerable riparian households in Bangladesh. The study utilises the IPCC framework of vulnerability and develops a weighted approach by employing the livelihood vulnerability index and the climate vulnerability index. The results reveal that the livelihood vulnerability index and the climate vulnerability index differ across locations, however, a high index value for both measures indicates the households' high livelihood vulnerability to climate change and hazards. The main drivers that influence the vulnerability dimensions are livelihood strategies and access to food, water and health facilities. These hazard-prone households are also vulnerable due to their existing low livelihood status that leads to a vicious cycle of poverty. The findings of this study are crucial for policymakers to formulate and implement effective strategies and programs to minimise vulnerability and to enhance the local adaptation processes in order to improve such households' livelihood across Bangladesh.

  5. Cyber threat model for tactical radio networks

    NASA Astrophysics Data System (ADS)

    Kurdziel, Michael T.

    2014-05-01

    The shift to a full information-centric paradigm in the battlefield has allowed ConOps to be developed that are only possible using modern network communications systems. Securing these Tactical Networks without impacting their capabilities has been a challenge. Tactical networks with fixed infrastructure have similar vulnerabilities to their commercial counterparts (although they need to be secure against adversaries with greater capabilities, resources and motivation). However, networks with mobile infrastructure components and Mobile Ad hoc Networks (MANets) have additional unique vulnerabilities that must be considered. It is useful to examine Tactical Network based ConOps and use them to construct a threat model and baseline cyber security requirements for Tactical Networks with fixed infrastructure, mobile infrastructure and/or ad hoc modes of operation. This paper will present an introduction to threat model assessment. A definition and detailed discussion of a Tactical Network threat model is also presented. Finally, the model is used to derive baseline requirements that can be used to design or evaluate a cyber security solution that can be scaled and adapted to the needs of specific deployments.

  6. An evaluation of security measures implemented to address physical threats to water infrastructure in the state of Mississippi.

    PubMed

    Barrett, Jason R; French, P Edward

    2013-01-01

    The events of September 11, 2001, increased and intensified domestic preparedness efforts in the United States against terrorism and other threats. The heightened focus on protecting this nation's critical infrastructure included legislation requiring implementation of extensive new security measures to better defend water supply systems against physical, chemical/biological, and cyber attacks. In response, municipal officials have implemented numerous safeguards to reduce the vulnerability of these systems to purposeful intrusions including ongoing vulnerability assessments, extensive personnel training, and highly detailed emergency response and communication plans. This study evaluates fiscal year 2010 annual compliance assessments of public water systems with security measures that were implemented by Mississippi's Department of Health as a response to federal requirements to address these potential terrorist threats to water distribution systems. The results show that 20 percent of the water systems in this state had at least one security violation on their 2010 Capacity Development Assessment, and continued perseverance from local governments is needed to enhance the resiliency and robustness of these systems against physical threats.

  7. A code inspection process for security reviews

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Garzoglio, Gabriele; /Fermilab

    2009-05-01

    In recent years, it has become more and more evident that software threat communities are taking an increasing interest in Grid infrastructures. To mitigate the security risk associated with the increased numbers of attacks, the Grid software development community needs to scale up effort to reduce software vulnerabilities. This can be achieved by introducing security review processes as a standard project management practice. The Grid Facilities Department of the Fermilab Computing Division has developed a code inspection process, tailored to reviewing security properties of software. The goal of the process is to identify technical risks associated with an application and their impact. This is achieved by focusing on the business needs of the application (what it does and protects), on understanding threats and exploit communities (what an exploiter gains), and on uncovering potential vulnerabilities (what defects can be exploited). The desired outcome of the process is an improvement of the quality of the software artifact and an enhanced understanding of possible mitigation strategies for residual risks. This paper describes the inspection process and lessons learned on applying it to Grid middleware.

  8. A code inspection process for security reviews

    NASA Astrophysics Data System (ADS)

    Garzoglio, Gabriele

    2010-04-01

    In recent years, it has become more and more evident that software threat communities are taking an increasing interest in Grid infrastructures. To mitigate the security risk associated with the increased numbers of attacks, the Grid software development community needs to scale up effort to reduce software vulnerabilities. This can be achieved by introducing security review processes as a standard project management practice. The Grid Facilities Department of the Fermilab Computing Division has developed a code inspection process, tailored to reviewing security properties of software. The goal of the process is to identify technical risks associated with an application and their impact. This is achieved by focusing on the business needs of the application (what it does and protects), on understanding threats and exploit communities (what an exploiter gains), and on uncovering potential vulnerabilities (what defects can be exploited). The desired outcome of the process is an improvement of the quality of the software artifact and an enhanced understanding of possible mitigation strategies for residual risks. This paper describes the inspection process and lessons learned on applying it to Grid middleware.

  9. 2006 Homeland Security Symposium and Exposition. Held in Arlington, VA on 29-31 March 2006

    DTIC Science & Technology

    2006-03-31

    Consequences, Vulnerabilities, and Threats) Prioritize Implement Protective Programs Measure Effectiveness 9March 2006 Major NIPP Theme: Sector Partnership... effect of exposure • Full understanding of the levels of exposure that mark the onset of miosis • Refined human operational exposure standard for GB...

  10. Illegal Immigration in the United States: Implications for Rule of Law and National Security

    DTIC Science & Technology

    2012-02-15

    AIR WAR COLLEGE AIR UNIVERSITY ILLEGAL IMMIGRATION IN THE UNITED STATES: IMPLICATIONS FOR RULE OF LAW AND NATIONAL SECURITY By Paul A...government’s failure to strictly enforce immigration laws presents national security vulnerabilities and is subversive to the rule of law. Without...the rule of law, serious social tensions will occur that impel states and localities to fill the void left by the lack of immigration enforcement. In

  11. Analysis of Information Security Management Systems at 5 Domestic Hospitals with More than 500 Beds

    PubMed Central

    Park, Woo-Sung; Son, Seung-Sik; Lee, Mee-Jeong; Kim, Shin-Hyo; Choi, Eun-Mi; Bang, Ji-Eon; Kim, Yea-Eun; Kim, Ok-Nam

    2010-01-01

    Objectives: The information security management systems (ISMS) of 5 hospitals with more than 500 beds were evaluated with regards to the level of information security, management, and physical and technical aspects so that we might make recommendations on information security and security countermeasures which meet both international standards and the needs of individual hospitals. Methods: The ISMS check-list derived from international/domestic standards was distributed to each hospital to complete and the staff of each hospital was interviewed. Information Security Indicator and Information Security Values were used to estimate the present security levels and evaluate the application of each hospital's current system. Results: With regard to the moderate clause of the ISMS, the hospitals were determined to be in compliance. The most vulnerable clause was asset management, in particular, information asset classification guidelines. The clauses of information security incident management and business continuity management were deemed necessary for the establishment of successful ISMS. Conclusions: The level of current ISMS in the hospitals evaluated was determined to be insufficient. Establishment of adequate ISMS is necessary to ensure patient privacy and the safe use of medical records for various purposes. Implementation of ISMS which meet international standards with a long-term and comprehensive perspective is of prime importance. To reflect the requirements of the varied interests of medical staff, consumers, and institutions, the establishment of political support is essential to create suitable hospital ISMS. PMID:21818429

  12. A Mathematical Framework for the Analysis of Cyber-Resilient Control Systems

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Melin, Alexander M; Ferragut, Erik M; Laska, Jason A

    2013-01-01

    The increasingly recognized vulnerability of industrial control systems to cyber-attacks has inspired a considerable amount of research into techniques for cyber-resilient control systems. The majority of this effort involves the application of well known information security (IT) techniques to control system networks. While these efforts are important to protect the control systems that operate critical infrastructure, they are never perfectly effective. Little research has focused on the design of closed-loop dynamics that are resilient to cyber-attack. The majority of control system protection measures are concerned with how to prevent unauthorized access and protect data integrity. We believe that the ability to analyze how an attacker can affect the closed loop dynamics of a control system configuration once they have access is just as important to the overall security of a control system. To begin to analyze this problem, consistent mathematical definitions of concepts within resilient control need to be established so that a mathematical analysis of the vulnerabilities and resiliencies of a particular control system design methodology and configuration can be made. In this paper, we propose rigorous definitions for state awareness, operational normalcy, and resiliency as they relate to control systems. We will also discuss some mathematical consequences that arise from the proposed definitions. The goal is to begin to develop a mathematical framework and testable conditions for resiliency that can be used to build a sound theoretical foundation for resilient control research.

  13. Complex interactions among climate change, sanitation, and groundwater quality: A case study from Ramotswa, Botswana

    NASA Astrophysics Data System (ADS)

    McGill, B. M.; Altchenko, Y.; Kenabatho, P. K.; Sylvester, S. R.; Villholth, K. G.

    2017-12-01

    With population growth, rapid urbanization, and climate change, groundwater is becoming an increasingly important source of drinking water around the world, including southern Africa. This is an investigation into the coupled human and natural system linking climate change, droughts, sanitation, and groundwater quality in Ramotswa, a town in the semi-arid southeastern Botswana. During the recent drought from 2013-2016, water shortages from reservoirs that supply the larger city of Gaborone resulted in curtailed water supply to Ramotswa, forcing people with flush toilets to use pit latrines. Pit latrines have been suspected as the cause of elevated nitrate in the Ramotswa groundwater, which also contributes to the town's drinking water supply. The groundwater pollution paradoxically makes Ramotswa dependent on Gaborone's water, supplied in large part by surface reservoirs, which are vulnerable to drought. Analysis of long-term rainfall records indicates that droughts like the one in 2013-2016 are increasing in likelihood due to climate change. Because of the drought, many more people used pit latrines than under normal conditions. Analysis of the groundwater for nitrate and using caffeine as an indicator, human waste leaching from pit latrines is implicated as the major culprit for the nitrate pollution. The results indicate a critical indirect linkage between climate change, sanitation, groundwater quality and water security in this area of rapid urbanization and population growth. Recommendations are offered for how Ramotswa's water security could be made less vulnerable to climate change.

  14. Quantitative analysis of Indonesia's reserves and energy security as an evaluation by the nation in facing global competition

    NASA Astrophysics Data System (ADS)

    Wiratama, Hadi; Yerido, Hezron; Tetrisyanda, Rizki; Ginting, Rizqy R.; Wibawa, Gede

    2015-12-01

    Energy security has become a serious concern for all countries in the world and each country has its own definition for measuring its energy security. The objective of this study was to measure energy security of Indonesia quantitatively by comparing it with other countries and provide some recommendations for enhancing the energy security. In this study, the database was developed from various sources and was cross-checked to confirm validity of the data. Then the parameters of energy security were defined, where all of data will be processed towards the selected parameters. These parameters (e.g. Primary Energy mix, TPES/capita, FEC/capita, Self Sufficiency, Refining capacity, Overseas Energy Resources, Resources diversification) are the standards used to produce an analysis or evaluation of national energy management. Energy balances for Indonesia and 10 selected countries (USA, Germany, Russia, England, Japan, China, South Korea, Singapore, Thailand and India) were presented from 2009 to 2013. With a base index of 1.0 for Indonesia, calculated energy security index capable of representing Indonesia energy security compared relatively to other countries were also presented and discussed in detail. In 2012, Indonesia security index is ranked 11 from 11 countries, while USA and South Korea are the highest with security index of 3.36 and 2.89, respectively. According to prediction for 2025, Indonesia energy security is ranked 10 from 11 countries with only Thailand has lower security index (0.98). This result shows that Indonesia energy security was vulnerable to crisis and must be improved. Therefore this study proposed some recommendations to improve Indonesia energy security. Indonesia need to increase oil production by constructing new refinery plants, developing infrastructure for energy distribution to reduce the potential of energy shortage and accelerating the utilization of renewable energy to reduce the excessive use of primary energy. From energy policy proposed in this study, Indonesia energy security for 2025 could be improved to ranked 8 of 11 countries, better than Malaysia, Thailand and Singapore.

  15. Quantitative analysis of Indonesia’s reserves and energy security as an evaluation by the nation in facing global competition

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Wiratama, Hadi; Yerido, Hezron; Tetrisyanda, Rizki

    Energy security has become a serious concern for all countries in the world and each country has its own definition for measuring its energy security. The objective of this study was to measure energy security of Indonesia quantitatively by comparing it with other countries and provide some recommendations for enhancing the energy security. In this study, the database was developed from various sources and was cross-checked to confirm validity of the data. Then the parameters of energy security were defined, where all of data will be processed towards the selected parameters. These parameters (e.g. Primary Energy mix, TPES/capita, FEC/capita, Self Sufficiency, Refining capacity, Overseas Energy Resources, Resources diversification) are the standards used to produce an analysis or evaluation of national energy management. Energy balances for Indonesia and 10 selected countries (USA, Germany, Russia, England, Japan, China, South Korea, Singapore, Thailand and India) were presented from 2009 to 2013. With a base index of 1.0 for Indonesia, calculated energy security index capable of representing Indonesia energy security compared relatively to other countries were also presented and discussed in detail. In 2012, Indonesia security index is ranked 11 from 11 countries, while USA and South Korea are the highest with security index of 3.36 and 2.89, respectively. According to prediction for 2025, Indonesia energy security is ranked 10 from 11 countries with only Thailand has lower security index (0.98). This result shows that Indonesia energy security was vulnerable to crisis and must be improved. Therefore this study proposed some recommendations to improve Indonesia energy security. Indonesia need to increase oil production by constructing new refinery plants, developing infrastructure for energy distribution to reduce the potential of energy shortage and accelerating the utilization of renewable energy to reduce the excessive use of primary energy. From energy policy proposed in this study, Indonesia energy security for 2025 could be improved to ranked 8 of 11 countries, better than Malaysia, Thailand and Singapore.

  16. Managing vulnerabilities and achieving compliance for Oracle databases in a modern ERP environment

    NASA Astrophysics Data System (ADS)

    Hölzner, Stefan; Kästle, Jan

    In this paper we summarize good practices on how to achieve compliance for an Oracle database in combination with an ERP system. We use an integrated approach to cover both the management of vulnerabilities (preventive measures) and the use of logging and auditing features (detective controls). This concise overview focuses on the combination of Oracle and SAP and its dependencies, but also outlines security issues that arise with other ERP systems. Using practical examples, we demonstrate common vulnerabilities and countermeasures as well as guidelines for the use of auditing features.

  17. Cyber Security: Assessing Our Vulnerabilities and Developing an Effective Defense

    NASA Astrophysics Data System (ADS)

    Spafford, Eugene H.

    The number and sophistication of cyberattacks continues to increase, but no national policy is in place to confront them. Critical systems need to be built on secure foundations, rather than the cheapest general-purpose platform. A program that combines education in cyber security, increasing resources for law enforcement, development of reliable systems for critical applications, and expanding research support in multiple areas of security and reliability is essential to combat risks that are far beyond the nuisances of spam email and viruses, and involve widespread espionage, theft, and attacks on essential services.

  18. Secure Transportation of HEU in Romania

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    None

    2009-07-06

    The National Nuclear Security Administration has announced the final shipments of Russian-origin highly enriched uranium (HEU) nuclear fuel from Romania. The material was removed and returned to Russia by air for storage at two secure nuclear facilities, making Romania the first country to remove all HEU since President Obama outlined his commitment to securing all vulnerable nuclear material around the world within four years. This was also the first time NNSA has shipped spent HEU by airplane, a development that will help accelerate efforts to meet the President's objective.

  19. Design and Implementation of a Secure Modbus Protocol

    NASA Astrophysics Data System (ADS)

    Fovino, Igor Nai; Carcano, Andrea; Masera, Marcelo; Trombetta, Alberto

    The interconnectivity of modern and legacy supervisory control and data acquisition (SCADA) systems with corporate networks and the Internet has significantly increased the threats to critical infrastructure assets. Meanwhile, traditional IT security solutions such as firewalls, intrusion detection systems and antivirus software are relatively ineffective against attacks that specifically target vulnerabilities in SCADA protocols. This paper describes a secure version of the Modbus SCADA protocol that incorporates integrity, authentication, non-repudiation and anti-replay mechanisms. Experimental results using a power plant testbed indicate that the augmented protocol provides good security functionality without significant overhead.

  20. Addressing the vulnerabilities of pass-thoughts

    NASA Astrophysics Data System (ADS)

    Fernandez, Gabriel C.; Danko, Amanda S.

    2016-05-01

    As biometrics become increasingly pervasive, consumer electronics are reaping the benefits of improved authentication methods. Leveraging the physical characteristics of a user reduces the burden of setting and remembering complex passwords, while enabling stronger security. Multi-factor systems lend further credence to this model, increasing security via multiple passive data points. In recent years, brainwaves have been shown to be another feasible source for biometric authentication. Physically unique to an individual in certain circumstances, the signals can also be changed by the user at will, making them more robust than static physical characteristics. No paradigm is impervious however, and even well-established medical technologies have deficiencies. In this work, a system for biometric authentication via brainwaves is constructed with electroencephalography (EEG). The efficacy of EEG biometrics via existing consumer electronics is evaluated, and vulnerabilities of such a system are enumerated. Impersonation attacks are performed to expose the extent to which the system is vulnerable. Finally, a multimodal system combining EEG with additional factors is recommended and outlined.

  1. Power politics: National energy strategies of the nuclear newly independent states of Armenia, Lithuania and Ukraine

    NASA Astrophysics Data System (ADS)

    Sabonis-Chafee, Theresa Marie

    The successor states of Armenia, Lithuania and Ukraine arrived at independence facing extraordinary challenges in their energy sectors. Each state was a net importer, heavily dependent on cheap energy supplies, mostly from Russia. Each state also inherited a nuclear power complex over which it had not previously exercised full control. In the time period 1991-1996, each state attempted to impose coherence on the energy sector, selecting a new course for the pieces it had inherited from a much larger, highly integrated energy structure. Each state attempted to craft national energy policies in the midst of severe supply shocks and price shocks. Each state developed institutions to govern its nuclear power sector. The states' challenges were made even greater by the fact that they had few political or economic structures necessary for energy management, and sought to create those structures at the same time. This dissertation is a systematic, non-quantitative examination of how each state's energy policies developed during the 1991-1996 time period. The theoretical premise of the analysis (drawn from Statist realism) is that systemic variables (regional climate and energy vulnerability) provide the best explanations for the resulting energy policy decisions. The dependent variable is defined as creation and reform of energy institutions. The independent variables include domestic climate, regional climate, energy vulnerability and transnational assistance. All three states adopted rhetoric and legislation declaring energy a strategic sector. The evidence suggests that two of the states, Armenia and Lithuania, which faced tense regional climates and high levels of energy vulnerability, succeeded in actually treating energy strategically, approaching energy as a matter of national security or "high politics." The third state, Ukraine, failed to do so. The evidence presented suggests that the systemic variables (regional climate and energy vulnerability) provided a more favorable environment for Ukraine, one in which the state attempted reform of the sector, but not as a concerted national security issue.

  2. The Impacts of Water Quality and Food Availability on Children's Health in West Africa: A Spatial Analysis Using Remotely Sensed Data and Small-Scale Water Quality Data and Country-level Health Data

    NASA Astrophysics Data System (ADS)

    Frederick, L.; Grace, K.; Lloyd, B.

    2014-12-01

    As the global climate changes and the populations of many African countries grow, ensuring clean drinking water and food has become a pressing concern. Because of their vulnerability to malnutrition and food insecurity, children face the greatest risk for adverse health outcomes related to climate change. Vulnerability, however, is highly variable, with some children in food insecure communities showing healthy growth, while some children in food secure communities show signs of malnutrition. In West Africa, Burkina Faso faces high levels of child malnutrition, losses to farmland and a large share of the population has no access to clean water. Because the overwhelming majority of children rely on locally grown, rainfed agriculture and well/surface water, the combined impact of climate change and population growth decreases water availability and farmland per person. However, there is notable community and individual variation in malnutrition levels suggesting that there are important coping strategies that vulnerable families may use to secure their children's health. No spatially relevant analysis of water and food insecurity and children's health exists for Burkina Faso. The goal of this research is to identify and quantify the combined and inter-related impact of unsafe drinking water and community-level food availability on the physical health outcomes of Burkinabe children under five years of age. To accomplish this goal we rely on a publicly available highly detailed, geo-referenced data set (Demographic and Health Survey (DHS)) to provide information on measures of childhood malnutrition and details on parental characteristics related to children's health. Information on water source (covered/uncovered well, piped water, etc.) and water quality (measures of arsenic and pollution) comes from DHS along with a recently collected geo-referenced US Agency for International Development (USAID) data set. Critical information on food production, environmental characteristics and population density come from high resolution remotely sensed data.

  3. The Impacts of Water Quality and Food Availability on Children's Health in West Africa: A Spatial Analysis Using Remotely Sensed Data and Small-Scale Water Quality Data and Country-level Health Data

    NASA Astrophysics Data System (ADS)

    Frederick, L.; Grace, K.; Lloyd, B.

    2015-12-01

    As the global climate changes and the populations of many African countries grow, ensuring clean drinking water and food has become a pressing concern. Because of their vulnerability to malnutrition and food insecurity, children face the greatest risk for adverse health outcomes related to climate change. Vulnerability, however, is highly variable, with some children in food insecure communities showing healthy growth, while some children in food secure communities show signs of malnutrition. In West Africa, Burkina Faso faces high levels of child malnutrition, losses to farmland and a large share of the population has no access to clean water. Because the overwhelming majority of children rely on locally grown, rainfed agriculture and well/surface water, the combined impact of climate change and population growth decreases water availability and farmland per person. However, there is notable community and individual variation in malnutrition levels suggesting that there are important coping strategies that vulnerable families may use to secure their children's health. No spatially relevant analysis of water and food insecurity and children's health exists for Burkina Faso. The goal of this research is to identify and quantify the combined and inter-related impact of unsafe drinking water and community-level food availability on the physical health outcomes of Burkinabe children under five years of age. To accomplish this goal we rely on a publicly available highly detailed, geo-referenced data set (Demographic and Health Survey (DHS)) to provide information on measures of childhood malnutrition and details on parental characteristics related to children's health. Information on water source (covered/uncovered well, piped water, etc.) and water quality (measures of arsenic and pollution) comes from DHS along with a recently collected geo-referenced US Agency for International Development (USAID) data set. Critical information on food production, environmental characteristics and population density come from high resolution remotely sensed data.

  4. Chemical plants remain vulnerable to terrorists: a call to action.

    PubMed

    Lippin, Tobi Mae; McQuiston, Thomas H; Bradley-Bull, Kristin; Burns-Johnson, Toshiba; Cook, Linda; Gill, Michael L; Howard, Donna; Seymour, Thomas A; Stephens, Doug; Williams, Brian K

    2006-09-01

    U.S. chemical plants currently have potentially catastrophic vulnerabilities as terrorist targets. The possible consequences of these vulnerabilities echo from the tragedies of the Bhopal incident in 1984 to the terrorist attacks on 11 September 2001 and, most recently, Hurricanes Katrina and Rita. Findings from a 2004 nationwide participatory research study of 125 local union leaders at sites with very large volumes of highly hazardous chemicals suggest that voluntary efforts to achieve chemical plant security are not succeeding. Study respondents reported that companies had only infrequently taken actions that are most effective in preventing or in preparing to respond to a terrorist threat. In addition, companies reportedly often failed to involve key stakeholders, including workers, local unions, and the surrounding communities, in these efforts. The environmental health community thus has an opportunity to play a key role in advocating for and supporting improvements in prevention of and preparation for terrorist attacks. Policy-level recommendations to redress chemical site vulnerabilities and the related ongoing threats to the nation's security are as follows: a) specify detailed requirements for chemical site assessment and security; b) mandate audit inspections supported by significant penalties for cases of noncompliance; c) require progress toward achieving inherently safer processes, including the minimizing of storage of highly hazardous chemicals; d) examine and require additional effective actions in prevention, emergency preparedness, and response and remediation; e) mandate and fund the upgrading of emergency communication systems; and f) involve workers and community members in plan creation and equip and prepare them to prevent and respond effectively to an incident.

  5. Chemical Plants Remain Vulnerable to Terrorists: A Call to Action

    PubMed Central

    Lippin, Tobi Mae; McQuiston, Thomas H.; Bradley-Bull, Kristin; Burns-Johnson, Toshiba; Cook, Linda; Gill, Michael L.; Howard, Donna; Seymour, Thomas A.; Stephens, Doug; Williams, Brian K.

    2006-01-01

    U.S. chemical plants currently have potentially catastrophic vulnerabilities as terrorist targets. The possible consequences of these vulnerabilities echo from the tragedies of the Bhopal incident in 1984 to the terrorist attacks on 11 September 2001 and, most recently, Hurricanes Katrina and Rita. Findings from a 2004 nationwide participatory research study of 125 local union leaders at sites with very large volumes of highly hazardous chemicals suggest that voluntary efforts to achieve chemical plant security are not succeeding. Study respondents reported that companies had only infrequently taken actions that are most effective in preventing or in preparing to respond to a terrorist threat. In addition, companies reportedly often failed to involve key stakeholders, including workers, local unions, and the surrounding communities, in these efforts. The environmental health community thus has an opportunity to play a key role in advocating for and supporting improvements in prevention of and preparation for terrorist attacks. Policy-level recommendations to redress chemical site vulnerabilities and the related ongoing threats to the nation’s security are as follows: a) specify detailed requirements for chemical site assessment and security; b) mandate audit inspections supported by significant penalties for cases of noncompliance; c) require progress toward achieving inherently safer processes, including the minimizing of storage of highly hazardous chemicals; d) examine and require additional effective actions in prevention, emergency preparedness, and response and remediation; e) mandate and fund the upgrading of emergency communication systems; and f) involve workers and community members in plan creation and equip and prepare them to prevent and respond effectively to an incident. PMID:16966080

  6. Security systems engineering overview

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Steele, B.J.

    Crime prevention is on the minds of most people today. The concern for public safety and the theft of valuable assets are being discussed at all levels of government and throughout the public sector. There is a growing demand for security systems that can adequately safeguard people and valuable assets against the sophistication of those criminals or adversaries who pose a threat. The crime in this country has been estimated at $70 billion in direct costs and up to $300 billion in indirect costs. Health insurance fraud alone is estimated to cost American businesses $100 billion. Theft, warranty fraud, and counterfeiting of computer hardware totaled $3 billion in 1994. A threat analysis is a prerequisite to any security system design to assess the vulnerabilities with respect to the anticipated threat. Having established a comprehensive definition of the threat, crime prevention, detection, and threat assessment technologies can be used to address these criminal activities. This talk will outline the process used to design a security system regardless of the level of security. This methodology has been applied to many applications including: government high security facilities; residential and commercial intrusion detection and assessment; anti-counterfeiting/fraud detection technologies (counterfeit currency, cellular phone billing, credit card fraud, health care fraud, passport, green cards, and questionable documents); industrial espionage detection and prevention (intellectual property, computer chips, etc.); and security barrier technology (creation of delay such as gates, vaults, etc.).

  7. Enhancing LoRaWAN Security through a Lightweight and Authenticated Key Management Approach.

    PubMed

    Sanchez-Iborra, Ramon; Sánchez-Gómez, Jesús; Pérez, Salvador; Fernández, Pedro J; Santa, José; Hernández-Ramos, José L; Skarmeta, Antonio F

    2018-06-05

    Luckily, new communication technologies and protocols are nowadays designed considering security issues. A clear example of this can be found in the Internet of Things (IoT) field, a quite recent area where communication technologies such as ZigBee or IPv6 over Low power Wireless Personal Area Networks (6LoWPAN) already include security features to guarantee authentication, confidentiality and integrity. More recent technologies are Low-Power Wide-Area Networks (LP-WAN), which also consider security, but present initial approaches that can be further improved. An example of this can be found in Long Range (LoRa) and its layer-two supporter LoRa Wide Area Network (LoRaWAN), which include a security scheme based on pre-shared cryptographic material lacking flexibility when a key update is necessary. Because of this, in this work, we evaluate the security vulnerabilities of LoRaWAN in the area of key management and propose different alternative schemes. Concretely, the application of an approach based on the recently specified Ephemeral Diffie-Hellman Over COSE (EDHOC) is found as a convenient solution, given its flexibility in the update of session keys, its low computational cost and the limited message exchanges needed. A comparative conceptual analysis considering the overhead of different security schemes for LoRaWAN is carried out in order to evaluate their benefits in the challenging area of LP-WAN.

  8. Identifying security checkpoints locations to protect the major U.S. urban areas

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Cuellar-Hengartner, Leticia; Watkins, Daniel; Kubicek, Deborah A.

    Transit networks are integral to the economy and to society, but at the same time they could allow terrorists to transport weapons of mass destruction into any city. Road networks are especially vulnerable, because they lack natural checkpoints unlike air networks that have security measures in place at all major airports. One approach to mitigate this risk is ensuring that every road route passes through at least one security checkpoint. Using the Ford-Fulkerson maximum-flow algorithm, we generate a minimum set of checkpoint locations within a ring-shaped buffer area surrounding the 50 largest US urban areas. We study how the number of checkpoints changes as we increase the buffer width to perform a cost-benefit analysis and to identify groups of cities that behave similarly. The set of required checkpoints is surprisingly small (10-124) despite the hundreds of thousands of road arcs in those areas, making it feasible to protect all major cities.

  9. Identifying security checkpoints locations to protect the major U.S. urban areas

    DOE PAGES

    Cuellar-Hengartner, Leticia; Watkins, Daniel; Kubicek, Deborah A.; ...

    2015-09-01

    Transit networks are integral to the economy and to society, but at the same time they could allow terrorists to transport weapons of mass destruction into any city. Road networks are especially vulnerable, because they lack natural checkpoints unlike air networks that have security measures in place at all major airports. One approach to mitigate this risk is ensuring that every road route passes through at least one security checkpoint. Using the Ford-Fulkerson maximum-flow algorithm, we generate a minimum set of checkpoint locations within a ring-shaped buffer area surrounding the 50 largest US urban areas. We study how the number of checkpoints changes as we increase the buffer width to perform a cost-benefit analysis and to identify groups of cities that behave similarly. The set of required checkpoints is surprisingly small (10-124) despite the hundreds of thousands of road arcs in those areas, making it feasible to protect all major cities.

  10. A more secure parallel keyed hash function based on chaotic neural network

    NASA Astrophysics Data System (ADS)

    Huang, Zhongquan

    2011-08-01

    Although various hash functions based on chaos or chaotic neural network were proposed, most of them can not work efficiently in parallel computing environment. Recently, an algorithm for parallel keyed hash function construction based on chaotic neural network was proposed [13]. However, there is a strict limitation in this scheme that its secret keys must be nonce numbers. In other words, if the keys are used more than once in this scheme, there will be some potential security flaw. In this paper, we analyze the cause of vulnerability of the original one in detail, and then propose the corresponding enhancement measures, which can remove the limitation on the secret keys. Theoretical analysis and computer simulation indicate that the modified hash function is more secure and practical than the original one. At the same time, it can keep the parallel merit and satisfy the other performance requirements of hash function, such as good statistical properties, high message and key sensitivity, and strong collision resistance, etc.

  11. An integrated water-energy-food-livelihoods approach for assessing environmental livelihood security

    NASA Astrophysics Data System (ADS)

    Biggs, E. M.; Duncan, J.; Boruff, B.; Bruce, E.; Neef, A.; McNeill, K.; van Ogtrop, F. F.; Haworth, B.; Duce, S.; Horsley, J.; Pauli, N.; Curnow, J.; Imanari, Y.

    2015-12-01

    Environmental livelihood security refers to the challenges of maintaining global food security and universal access to freshwater and energy to sustain livelihoods and promote inclusive economic growth, whilst sustaining key environmental systems' functionality, particularly under variable climatic regimes. Environmental security is a concept complementary to sustainable development, and considers the increased vulnerability people have to certain environmental stresses, such as climatic change. Bridging links between the core component concepts of environmental security is integral to future human security, and in an attempt to create this bridge, the nexus approach to human protection has been created, where water resource availability underpins food, water and energy security. The water-energy-food nexus has an influential role in attaining human security, yet little research has made the link between the nexus and livelihoods. In this research we provide a critical appraisal of the synergies between water-energy-food nexus framings and sustainable livelihoods approaches, both of which aim to promote sustainable development. In regions where livelihoods are dependent on environmental conditions, the concept of sustainable development is critical for ensuring future environmental and human security. Given our appraisal we go on to develop an integrated framework for assessing environmental livelihood security of multiscale and multi-level systems. This framework provides a tangible approach for assessing changes in the water-energy-food-livelihood indicators of a system. Examples of where system applications may occur are discussed for the Southeast Asia and Oceania region. Our approach will be particularly useful for policy-makers to inform evidence-based decision-making, especially in localities where climate change increases the vulnerability of impoverished communities and extenuates environmental livelihood insecurity.

  12. Auditing Albaha University Network Security using in-house Developed Penetration Tool

    NASA Astrophysics Data System (ADS)

    Alzahrani, M. E.

    2018-03-01

    Network security has become a very important aspect of any enterprise/organization computer network. If important information of the organization can be accessed by anyone, it may be used against the organization for their own interest. Thus, network security comes into its role. One important aspect of security management is the security audit. Security performance of the Albaha University network is relatively low (in terms of the total controls outlined in the ISO 27002 security control framework). This paper proposes a network security audit tool to address issues in the Albaha University network. The proposed penetration tool uses the Nessus and Metasploit tools to find the vulnerabilities of a site. A regular self-audit using the in-house developed tool will increase the overall security and performance of the Albaha University network. Important results of the penetration test are discussed.

  13. Assessing uncertainties in surface water security: An empirical multimodel approach

    NASA Astrophysics Data System (ADS)

    Rodrigues, Dulce B. B.; Gupta, Hoshin V.; Mendiondo, Eduardo M.; Oliveira, Paulo Tarso S.

    2015-11-01

    Various uncertainties are involved in the representation of processes that characterize interactions among societal needs, ecosystem functioning, and hydrological conditions. Here we develop an empirical uncertainty assessment of water security indicators that characterize scarcity and vulnerability, based on a multimodel and resampling framework. We consider several uncertainty sources including those related to (i) observed streamflow data; (ii) hydrological model structure; (iii) residual analysis; (iv) the method for defining Environmental Flow Requirement; (v) the definition of critical conditions for water provision; and (vi) the critical demand imposed by human activities. We estimate the overall hydrological model uncertainty by means of a residual bootstrap resampling approach, and by uncertainty propagation through different methodological arrangements applied to a 291 km² agricultural basin within the Cantareira water supply system in Brazil. Together, the two-component hydrograph residual analysis and the block bootstrap resampling approach result in a more accurate and precise estimate of the uncertainty (95% confidence intervals) in the simulated time series. We then compare the uncertainty estimates associated with water security indicators using a multimodel framework and the uncertainty estimates provided by each model uncertainty estimation approach. The range of values obtained for the water security indicators suggests that the models/methods are robust and perform well in a range of plausible situations. The method is general and can be easily extended, thereby forming the basis for meaningful support to end-users facing water resource challenges by enabling them to incorporate a viable uncertainty analysis into a robust decision-making process.

  14. Analysis of key technologies for virtual instruments metrology

    NASA Astrophysics Data System (ADS)

    Liu, Guixiong; Xu, Qingui; Gao, Furong; Guan, Qiuju; Fang, Qiang

    2008-12-01

    Virtual instruments (VIs) require metrological verification when applied as measuring instruments. Owing to the software-centered architecture, metrological evaluation of VIs includes two aspects: measurement functions and software characteristics. Complexity of software imposes difficulties on metrological testing of VIs. Key approaches and technologies for metrology evaluation of virtual instruments are investigated and analyzed in this paper. The principal issue is evaluation of measurement uncertainty. The nature and regularity of measurement uncertainty caused by software and algorithms can be evaluated by modeling, simulation, analysis, testing and statistics with support of powerful computing capability of PC. Another concern is evaluation of software features like correctness, reliability, stability, security and real-time of VIs. Technologies from software engineering, software testing and computer security domain can be used for these purposes. For example, a variety of black-box testing, white-box testing and modeling approaches can be used to evaluate the reliability of modules, components, applications and the whole VI software. The security of a VI can be assessed by methods like vulnerability scanning and penetration analysis. In order to facilitate metrology institutions to perform metrological verification of VIs efficiently, an automatic metrological tool for the above validation is essential. Based on technologies of numerical simulation, software testing and system benchmarking, a framework for the automatic tool is proposed in this paper. Investigation on implementation of existing automatic tools that perform calculation of measurement uncertainty, software testing and security assessment demonstrates the feasibility of the automatic framework advanced.

  15. Analysis to determine the maximum dimensions of flexible apertures in sensored security netting products.

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Murton, Mark; Bouchier, Francis A.; vanDongen, Dale T.

    2013-08-01

    Although technological advances provide new capabilities to increase the robustness of security systems, they also potentially introduce new vulnerabilities. New capability sometimes requires new performance requirements. This paper outlines an approach to establishing a key performance requirement for an emerging intrusion detection sensor: the sensored net. Throughout the security industry, the commonly adopted standard for maximum opening size through barriers is a requirement based on square inches, typically 96 square inches. Unlike a standard rigid opening, the dimensions of a flexible aperture are not fixed, but variable and conformable. It is demonstrably simple for a human intruder to move through a 96-square-inch opening that is conformable to the human body. The longstanding 96-square-inch requirement itself, though firmly embedded in policy and best practice, lacks a documented empirical basis. This analysis concluded that the traditional 96-square-inch standard for openings is insufficient for flexible openings that are conformable to the human body. Instead, a circumference standard is recommended for these newer types of sensored barriers. The recommended maximum circumference for a flexible opening should be no more than 26 inches, as measured on the inside of the netting material.

  16. Nuclear Power Plant Cyber Security Discrete Dynamic Event Tree Analysis (LDRD 17-0958) FY17 Report

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Wheeler, Timothy A.; Denman, Matthew R.; Williams, R. A.

    Instrumentation and control of nuclear power is transforming from analog to modern digital assets. These control systems perform key safety and security functions. This transformation is occurring in new plant designs as well as in the existing fleet of plants as the operation of those plants is extended to 60 years. This transformation introduces new and unknown issues involving both digital asset induced safety issues and security issues. Traditional nuclear power risk assessment tools and cyber security assessment methods have not been modified or developed to address the unique nature of cyber failure modes and of cyber security threat vulnerabilities. This Lab-Directed Research and Development project has developed a dynamic cyber-risk informed tool to facilitate the analysis of unique cyber failure modes and the time sequencing of cyber faults, both malicious and non-malicious, and impose those cyber exploits and cyber faults onto a nuclear power plant accident sequence simulator code to assess how cyber exploits and cyber faults could interact with a plant's digital instrumentation and control (DI&C) system and defeat or circumvent a plant's cyber security controls. This was achieved by coupling an existing Sandia National Laboratories nuclear accident dynamic simulator code with a cyber emulytics code to demonstrate real-time simulation of cyber exploits and their impact on automatic DI&C responses. Studying such potential time-sequenced cyber-attacks and their risks (i.e., the associated impact and the associated degree of difficulty to achieve the attack vector) on accident management establishes a technical risk informed framework for developing effective cyber security controls for nuclear power.

  17. Application of the API/NPRA SVA methodology to transportation security issues.

    PubMed

    Moore, David A

    2006-03-17

    Security vulnerability analysis (SVA) is becoming more prevalent as the issue of chemical process security is of greater concern. The American Petroleum Institute (API) and the National Petrochemical and Refiner's Association (NPRA) have developed a guideline for conducting SVAs of petroleum and petrochemical facilities in May 2003. In 2004, the same organizations enhanced the guidelines by adding the ability to evaluate transportation security risks (pipeline, truck, and rail). The importance of including transportation and value chain security in addition to fixed facility security in a SVA is that these issues may be critically important to understanding the total risk of the operation. Most of the SVAs done using the API/NPRA SVA and other SVA methods were centered on the fixed facility and the operations within the plant fence. Transportation interfaces alone are normally studied as a part of the facility SVA, and the entire transportation route impacts and value chain disruption are not commonly considered. Particularly from a national, regional, or local infrastructure analysis standpoint, understanding the interdependencies is critical to the risk assessment. Transportation risks may include weaponization of the asset by direct attack en route, sabotage, or a Trojan Horse style attack into a facility. The risks differ in the level of access control and the degree of public exposures, as well as the dynamic nature of the assets. The public exposures along the transportation route need to be carefully considered. Risks may be mitigated by one of many strategies including internment, staging, prioritization, conscription, or prohibition, as well as by administrative security measures and technology for monitoring and isolating the assets. This paper illustrates how these risks can be analyzed by the API/NPRA SVA methodology. Examples are given of a pipeline operation, and other examples are found in the guidelines.

  18. The new world of retirement income security in America.

    PubMed

    Quinn, Joseph F; Cahill, Kevin E

    2016-01-01

    We have entered a new world of retirement income security in America, with older individuals more exposed to market risk and more vulnerable to financial insecurity than prior generations. This reflects an evolution that has altered the historical vision of a financially secure retirement supported by Social Security, a defined-benefit pension plan, and individual savings. Today, 2 of these 3 retirement income sources, pensions and savings, are absent or of modest importance for many older Americans. Retirement income security now often requires earnings from continued work later in life, which exacerbates the economic vulnerability of certain segments of the population, including persons with disabilities, the oldest-old, single women, and individuals with intermittent work histories. Because of the unprecedented aging of our society, further changes to the retirement income landscape are inevitable, but policymakers do have options to help protect the financial stability of older Americans. We can begin by promoting savings at all (especially younger) ages and by removing barriers that discourage work later in life. For individuals already on the cusp of retirement, more needs to be done to educate the public about the value of delaying the receipt of Social Security benefits. Inaction now could mean a return to the days when old age and poverty were closely linked. The negative repercussions of this would extend well beyond traditional economic measures, as physical and mental health outcomes are closely tied to financial security. (PsycINFO Database Record (c) 2016 APA, all rights reserved).

  19. Finding Malicious Cyber Discussions in Social Media

    DTIC Science & Technology

    2016-02-02

    the author and are not necessarily endorsed by the United States Government. media discussions). This process is labor intensive and sometimes...Twitter tweets [Twitter, 2016] provides some useful evidence that a vulnerability listed in the National Vulnerability Database (NVD) [NIST, 2017] base ...sifiers, we used a keyword-based approach that had been developed by security analysts to detect cyber discussions. This approach searches for 200

  20. Vulnerability Assessment Using a Fuzzy Logic Based Method

    DTIC Science & Technology

    1993-12-01

    evaluating computer security vulnerabilities is very labor intensive. To help ease this workload, this thesis presents two automated methods possibly...

  1. Research on information security system of waste terminal disposal process

    NASA Astrophysics Data System (ADS)

    Zhou, Chao; Wang, Ziying; Guo, Jing; Guo, Yajuan; Huang, Wei

    2017-05-01

    Informatization has penetrated the whole process of production and operation of electric power enterprises. It not only improves the level of lean management and quality service, but also faces severe security risks. The internal network terminal is the outermost layer and the most vulnerable node of the inner network boundary. It has the characteristics of wide distribution, long depth and large quantity. The technical level and security awareness of users and of operation and maintenance personnel are uneven, which makes the internal network terminal the weakest link in information security. Through the implementation of management, technical and physical security, we should establish an internal network terminal security protection system, so as to fully protect the internal network terminal information security.

  2. Ffuzz: Towards full system high coverage fuzz testing on binary executables.

    PubMed

    Zhang, Bin; Ye, Jiaxi; Bi, Xing; Feng, Chao; Tang, Chaojing

    2018-01-01

    Bugs and vulnerabilities in binary executables threaten cyber security. Current discovery methods, like fuzz testing, symbolic execution and manual analysis, each have advantages and disadvantages when exercising the deeper code area in binary executables to find more bugs. In this paper, we designed and implemented a hybrid automatic bug finding tool, Ffuzz, on top of fuzz testing and selective symbolic execution. It targets full system software stack testing including both the user space and kernel space. Combining these two mainstream techniques enables us to achieve higher coverage and avoid getting stuck both in fuzz testing and symbolic execution. We also proposed two key optimizations to improve the efficiency of full system testing. We evaluated the efficiency and effectiveness of our method on real-world binary software and 844 memory corruption vulnerable programs in the Juliet test suite. The results show that Ffuzz can discover software bugs in the full system software stack effectively and efficiently.

  3. A blue/green water-based accounting framework for assessment of water security

    NASA Astrophysics Data System (ADS)

    Rodrigues, Dulce B. B.; Gupta, Hoshin V.; Mendiondo, Eduardo M.

    2014-09-01

    A comprehensive assessment of water security can incorporate several water-related concepts, while accounting for Blue and Green Water (BW and GW) types defined in accordance with the hydrological processes involved. Here we demonstrate how a quantitative analysis of provision probability and use of BW and GW can be conducted, so as to provide indicators of water scarcity and vulnerability at the basin level. To illustrate the approach, we use the Soil and Water Assessment Tool (SWAT) to model the hydrology of an agricultural basin (291 km²) within the Cantareira Water Supply System in Brazil. To provide a more comprehensive basis for decision making, we analyze the BW and GW-Footprint components against probabilistic levels (50th and 30th percentile) of freshwater availability for human activities, during a 23 year period. Several contrasting situations of BW provision are distinguished, using different hydrological-based methodologies for specifying monthly Environmental Flow Requirements (EFRs), and the risk of natural EFR violation is evaluated by use of a freshwater provision index. Our results reveal clear spatial and temporal patterns of water scarcity and vulnerability levels within the basin. Taking into account conservation targets for the basin, it appears that the more restrictive EFR methods are more appropriate than the method currently employed at the study basin. The blue/green water-based accounting framework developed here provides a useful integration of hydrologic, ecosystem and human needs information on a monthly basis, thereby improving our understanding of how and where water-related threats to human and aquatic ecosystem security can arise.

  4. Encryption Characteristics of Two USB-based Personal Health Record Devices

    PubMed Central

    Wright, Adam; Sittig, Dean F.

    2007-01-01

    Personal health records (PHRs) hold great promise for empowering patients and increasing the accuracy and completeness of health information. We reviewed two small USB-based PHR devices that allow a patient to easily store and transport their personal health information. Both devices offer password protection and encryption features. Analysis of the devices shows that they store their data in a Microsoft Access database. Due to a flaw in the encryption of this database, recovering the user’s password can be accomplished with minimal effort. Our analysis also showed that, rather than encrypting health information with the password chosen by the user, the devices stored the user’s password as a string in the database and then encrypted that database with a common password set by the manufacturer. This is another serious vulnerability. This article describes the weaknesses we discovered, outlines three critical flaws with the security model used by the devices, and recommends four guidelines for improving the security of similar devices. PMID:17460132

  5. An Analysis of Automated Solutions for the Certification and Accreditation of Navy Medicine Information Assets

    DTIC Science & Technology

    2005-09-01

    discovery of network security threats and vulnerabilities will be done by doing penetration testing during the C&A process. This can be done on a...2.1.1; Appendix E, J COBR-1 Protection of Backup and Restoration Assets Availability 1.3.1; 2.1.3; 2.1.7; 3.1; 4.3; Appendix J, M CODB-2 Data...discovery, inventory, scanning and loading of C&A information in its central database, (2) automatic generation of the SRTM, (3) automatic generation

  6. Working to eat: Vulnerability, food insecurity, and obesity among migrant and seasonal farmworker families.

    PubMed

    Borre, Kristen; Ertle, Luke; Graff, Mariaelisa

    2010-04-01

    Food insecurity and obesity have potential health consequences for migrant and seasonal farm workers (MSFW). Thirty-six Latino MSFW working in eastern North Carolina whose children attended Migrant Head Start completed interviews, focus groups and home visits. Content analysis, nutrient analysis, and non-parametric statistical analysis produced results. MSFW (63.8%) families were food insecure; of those, 34.7% experienced hunger. 32% of pre-school children were food insecure. Food secure families spent more money on food. Obesity was prevalent in adults and children but the relationship to food insecurity remains unclear. Strategies to reduce risk of food insecurity were employed by MSFW, but employer and community assistance is needed to reduce their risk. Food insecurity is rooted in the cultural lifestyle of farmwork, poverty, and dependency. MSFW obesity and food insecurity require further study to determine the relationship with migration and working conditions. Networking and social support are important for MSFW families to improve food security. Policies and community/workplace interventions could reduce risk of food insecurity and improve the health of workers. (c) 2010 Wiley-Liss, Inc.

  7. Consistent Condom Use by Female Sex Workers in Kolkata, India: Testing Theories of Economic Insecurity, Behavior Change, Life Course Vulnerability and Empowerment.

    PubMed

    Fehrenbacher, Anne E; Chowdhury, Debasish; Ghose, Toorjo; Swendeman, Dallas

    2016-10-01

    Consistent condom use (CCU) is the primary HIV/STI prevention option available to sex workers globally but may be undermined by economic insecurity, life-course vulnerabilities, behavioral factors, disempowerment, or lack of effective interventions. This study examines predictors of CCU in a random household survey of brothel-based female sex workers (n = 200) in two neighborhoods served by Durbar (the Sonagachi Project) in Kolkata, India. Multivariate logistic regression analyses indicated that CCU was significantly associated with perceived HIV risk, community mobilization participation, working more days in sex work, and higher proportion of occasional clients to regular clients. Exploratory analyses stratifying by economic insecurity indicators (i.e., debt, savings, income, housing security) indicate that perceived HIV risk and community mobilization were only associated with CCU for economically secure FSW. Interventions with FSW must prioritize economic security and access to social protections as economic insecurity may undermine the efficacy of more direct condom use intervention strategies.

  8. Augmenting Probabilistic Risk Assesment with Malevolent Initiators

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Curtis Smith; David Schwieder

    2011-11-01

    As commonly practiced, the use of probabilistic risk assessment (PRA) in nuclear power plants only considers accident initiators such as natural hazards, equipment failures, and human error. Malevolent initiators are ignored in PRA, but are considered the domain of physical security, which uses vulnerability assessment based on an officially specified threat (design basis threat). This paper explores the implications of augmenting and extending existing PRA models by considering new and modified scenarios resulting from malevolent initiators. Teaming the augmented PRA models with conventional vulnerability assessments can cost-effectively enhance security of a nuclear power plant. This methodology is useful for operating plants, as well as in the design of new plants. For the methodology, we have proposed an approach that builds on and extends the practice of PRA for nuclear power plants for security-related issues. Rather than only considering 'random' failures, we demonstrated a framework that is able to represent and model malevolent initiating events and associated plant impacts.

  9. A security vulnerabilities assessment tool for interim storage facilities of low-level radioactive wastes.

    PubMed

    Bible, J; Emery, R J; Williams, T; Wang, S

    2006-11-01

    Limited permanent low-level radioactive waste (LLRW) disposal capacity and correspondingly high disposal costs have resulted in the creation of numerous interim storage facilities for either decay-in-storage operations or longer term accumulation efforts. These facilities, which may be near the site of waste generation or in distal locations, often were not originally designed for the purpose of LLRW storage, particularly with regard to security. Facility security has become particularly important in light of the domestic terrorist acts of 2001, wherein LLRW, along with many other sources of radioactivity, became recognized commodities to those wishing to create disruption through the purposeful dissemination of radioactive materials. Since some LLRW materials may be in facilities that may exhibit varying degrees of security control sophistication, a security vulnerabilities assessment tool grounded in accepted criminal justice theory and security practice has been developed. The tool, which includes dedicated sections on general security, target hardening, criminalization benefits, and the presence of guardians, can be used by those not formally schooled in the security profession to assess the level of protection afforded to their respective facilities. The tool equips radiation safety practitioners with the ability to methodically and systematically assess the presence or relative status of various facility security aspects, many of which may not be considered by individuals from outside the security profession. For example, radiation safety professionals might not ordinarily consider facility lighting aspects, which is a staple for the security profession since it is widely known that crime disproportionately occurs more frequently at night or in poorly lit circumstances. Likewise, the means and associated time dimensions for detecting inventory discrepancies may not be commonly considered. 
The tool provides a simple means for radiation safety professionals to assess, and perhaps enhance in a reasonable fashion, the security of their interim storage operations. Aspects of the assessment tool can also be applied to other activities involving the protection of sources of radiation as well.

  10. The hobbyist phenomenon in physical security.

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Michaud, E. C.

    Pro-Ams (professional amateurs) are groups of people who work on a problem as amateurs or unpaid persons in a given field at professional levels of competence. Astronomy is a good example of Pro-Am activity. At Galaxy Zoo, Pro-Ams evaluate data generated by professional observatories and are able to evaluate the millions of galaxies that have been observed but not classified, and report their findings at professional levels for fun. To allow the archiving of millions of galaxies that have been observed but not classified, the website has been engineered so that the public can view and classify galaxies even if they are not professional astronomers. In this endeavor, it has been found that amateurs can easily outperform automated vision systems. Today in the world of physical security, Pro-Ams are playing an ever-increasing role. Traditionally, locksmiths, corporations, and government organizations have been largely responsible for developing standards, uncovering vulnerabilities, and devising best security practices. Increasingly, however, nonprofit sporting organizations and clubs are doing this. They can be found all over the world, from Europe to the US and now South East Asia. Examples include TOOOL (The Open Organization of Lockpickers), the Longhorn Lockpicking Club, Sportsfreunde der Sperrtechnik - Deutschland e.V., though there are many others. Members of these groups have been getting together weekly to discuss many elements of security, with some groups specializing in specific areas of security. When members are asked why they participate in these hobbyist groups, they usually reply (with gusto) that they do it for fun, and that they view defeating locks and other security devices as an interesting and entertaining puzzle.
A lot of what happens at these clubs would not be possible if it weren't for 'Super Abundance', the ability to easily acquire (at little or no cost) the products, security tools, technologies, and intellectual resources traditionally limited to corporations, government organizations, or wealthy individuals. With this new access comes new discoveries. For example, hobbyist sport lockpicking groups discovered - and publicized - a number of new vulnerabilities between 2004 and 2009 that resulted in the majority of high-security lock manufacturers having to make changes and improvements to their products. A decade ago, amateur physical security discoveries were rare, at least those discussed publicly. In the interim, Internet sites such as lockpicking.org, lockpicking101.com and others have provided an online meeting place for people to trade tips, find friends with similar interests, and develop tools. The open, public discussion of software vulnerabilities, in contrast, has been going on for a long time. These two industries, physical security and software, have very different upgrade mechanisms. With software, a patch can typically be deployed quickly to fix a serious vulnerability, whereas a hardware fix for a physical security device or system can take upwards of months to implement in the field, especially if (as is often the case) hardware integrators are involved. Even when responding to publicly announced security vulnerabilities, manufacturers of physical security devices such as locks, intrusion detectors, or access control devices rarely view hobbyists as a positive resource. This is most unfortunate. In the field of software, it is common to speak of Open Source versus Closed Source. An Open Source software company may choose to distribute their software with a particular license, and give it away openly, with full details and all the lines of source code made available. Linux is a very popular example of this. 
A Closed Source company, in contrast, chooses not to reveal its source code and will license its software products in a restrictive manner. Slowly, the idea of Open Source is now coming to the world of physical security. In the case of locks, it provides an alternative to the traditional Closed Source world of locksmiths. Now locks are physical objects, and can therefore be disassembled. As such, they have always been Open Source in a limited sense. Secrecy, in fact, is very difficult to maintain for a lock that is widely distributed. Having direct access to the lock design provides the hobbyist with a very open environment for finding security flaws, even if the lock manufacturer attempts to follow a Closed Source model. It is clear that the field of physical security is going the digital route with companies such as Medeco, Mul-T-Lock, and Abloy manufacturing electromechanical locks. Various companies have already begun to add microcontrollers, cryptographic chip sets, solid-state sensors, and a number of other high-tech improvements to their product lineup in an effort to thwart people from defeating their security products.

  11. A Hash Based Remote User Authentication and Authenticated Key Agreement Scheme for the Integrated EPR Information System.

    PubMed

    Li, Chun-Ta; Weng, Chi-Yao; Lee, Cheng-Chi; Wang, Chun-Cheng

    2015-11-01

    To protect patient privacy and ensure authorized access to remote medical services, many remote user authentication schemes for the integrated electronic patient record (EPR) information system have been proposed in the literature. In a recent paper, Das proposed a hash based remote user authentication scheme using passwords and smart cards for the integrated EPR information system, and claimed that the proposed scheme could resist various passive and active attacks. However, in this paper, we found that Das's authentication scheme is still vulnerable to modification and user duplication attacks. Thereafter we propose a secure and efficient authentication scheme for the integrated EPR information system based on lightweight hash function and bitwise exclusive-or (XOR) operations. The security proof and performance analysis show our new scheme is well-suited to adoption in remote medical healthcare services.

  12. Fully integrated automated security surveillance system: managing a changing world through managed technology and product applications

    NASA Astrophysics Data System (ADS)

    Francisco, Glen; Brown, Todd

    2012-06-01

    Integrated security systems are essential to pre-empting criminal assaults. Nearly 500,000 sites have been identified (source: US DHS) as critical infrastructure sites that would suffer severe damage if a security breach should occur. One major breach in any of 123 U.S. facilities, identified as "most critical", threatens more than 1,000,000 people. The vulnerabilities of critical infrastructure are expected to continue and even heighten over the coming years.

  13. A New Operating System for Security Tagged Architecture Hardware in Support of Multiple Independent Levels of Security (MILS) Compliant System

    DTIC Science & Technology

    2014-04-01

    important data structures of RTEMS are introduced. Section 3.2.2 discusses the problems we found in RTEMS that may cause security vulnerabilities...the important data structures in RTEMS: Object, which is a critical data structure in the SCORE, tasks threads. Approved for Public Release...these important system codes. The example code shows a possibility that a user can delete a system thread. Therefore, in order to protect system

  14. The study and implementation of the wireless network data security model

    NASA Astrophysics Data System (ADS)

    Lin, Haifeng

    2013-03-01

    In recent years, with the rapid development of Internet technology and the advent of the information age, demand for information products and for the information technology market has grown strongly. In particular, network security requirements have become more sophisticated. This paper analyzes the data security vulnerabilities of wireless networks and lists the serious defects in the wireless network framework together with the related problems. It proposes virtual private network technology and a wireless network security defense structure, and it also gives a wireless network intrusion detection model and the related detection strategies.

  15. Reinforcements, ammunition limits, and termination of neutralization engagements in ASSESS

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Paulus, W.K.; Mondragon, J.

    1991-01-01

    This paper reports on the ASSESS Neutralization Analysis module (Neutralization) which is part of Analytic system and Software for Evaluation of Safeguards and Security, ASSESS, a vulnerability assessment tool. Neutralization models a fire fight engagement between security inspectors (SIs) and adversaries. The model has been improved to represent more realistically the addition of reinforcements to an engagement, the criteria for declaring an engagement terminated, and the amount of ammunition which security forces can use. SI reinforcements must prevent adversaries from achieving their purpose even if an initial security force has been overcome. The reinforcements must be timely. A variety of reinforcement timeliness cases can be modeled. Reinforcements that are not timely are shown to be ineffective in the calculated results. Engagements may terminate before all combatants on one side are neutralized if they recognize that they are losing. A winner is declared when the number of survivors on one side is reduced to a user specified level. Realistically, the amount of ammunition that can be carried into an engagement is limited. Neutralization now permits the analyst to specify the number of rounds available to the security forces initially and the quantity of resupply that is introduced with reinforcements. These new capabilities all contribute toward more realistic modeling of neutralization engagements.

  16. Does employment security modify the effect of housing affordability on mental health?

    PubMed

    Bentley, Rebecca; Baker, Emma; LaMontagne, Anthony; King, Tania; Mason, Kate; Kavanagh, Anne

    2016-12-01

    This paper uses longitudinal data to examine the interrelationship between two central social determinants of mental health - employment security and housing affordability. Data from ten annual waves of the longitudinal Household, Income and Labour Dynamics in Australia (HILDA) survey (which commenced in 2000/1 and is ongoing) were analysed using fixed-effects longitudinal linear regression. Change in the SF-36 Mental Component Summary (MCS) score of working age individuals (25-64 years) (51,885 observations of 10,776 people), associated with changes in housing affordability was examined. Models were adjusted for income, age, survey year, experience of serious injury/illness and separation/divorce. We tested for an additive interaction between the security of a household's employment arrangements and housing affordability. People in insecurely employed households appear more vulnerable than people in securely employed households to negative mental health effects of housing becoming unaffordable. In adjusted models, people in insecurely employed households whose housing became unaffordable experienced a decline in mental health (B=-1.06, 95% CI -1.75 to -0.38) while people in securely employed households experienced no difference on average. To progress our understanding of the Social Determinants of Health this analysis provides evidence of the need to bridge the (largely artificial) separation of social determinants, and understand how they are related.

  17. Survey of Malware Threats and Recommendations to Improve Cybersecurity for Industrial Control Systems Version 1.0

    DTIC Science & Technology

    2015-02-01

    not normally blocked by enterprise firewalls. • Some malware exploited zero-day vulnerabilities as well as attempted to exploit vulnerabilities for...servers, receiving updates, and exfiltrating data. Firewalls are routinely configured to block incoming connections while malware within a target...implemented with layers of technical security controls (e.g., ICS-aware firewalls) to control network traffic and prevent the spread of malware. Intrusion

  18. Jordan Water Project: an interdisciplinary evaluation of freshwater vulnerability and security

    NASA Astrophysics Data System (ADS)

    Gorelick, S.; Yoon, J.; Rajsekhar, D.; Muller, M. F.; Zhang, H.; Gawel, E.; Klauer, B.; Klassert, C. J. A.; Sigel, K.; Thilmant, A.; Avisse, N.; Lachaut, T.; Harou, J. J.; Knox, S.; Selby, P. D.; Mustafa, D.; Talozi, S.; Haddad, Y.; Shamekh, M.

    2016-12-01

    The Jordan Water Project, part of the Belmont Forum projects, is an interdisciplinary, international research effort focused on evaluation of freshwater security in Jordan, one of the most water-vulnerable countries in the world. The team covers hydrology, water resources systems analysis, economics, policy evaluation, geography, risk and remote sensing analyses, and model platform development. The entire project team communally engaged in construction of an integrated hydroeconomic model for water supply policy evaluation. To represent water demand and allocation behavior at multiple levels of decision making, the model integrates biophysical modules that simulate natural and engineered hydrologic phenomena with human behavioral modules. Hydrologic modules include spatially-distributed groundwater and surface-water models for the major aquifers and watersheds throughout Jordan. For the human modules, we adopt a multi-agent modeling approach to represent decision-making processes. The integrated model was developed in Pynsim, a new open-source, object-oriented platform in Python for network-based water resource systems. We continue to explore the impacts of future scenarios and interventions. This project had tremendous encouragement and data support from Jordan's Ministry of Water and Irrigation. Modeling technology is being transferred through a companion NSF/USAID PEER project awarded to Jordan University of Science and Technology. Individual teams have also conducted a range of studies aimed at evaluating Jordanian and transboundary surface water and groundwater systems. Surveys, interviews, and econometric analyses enabled us to better understand the behavior of urban households, farmers, private water resellers, water use pattern of the commercial sector and irrigation water user associations.
We analyzed nationwide spatial and temporal statistical trends in rainfall, developed urban and national comparative metrics to quantify water supply vulnerability, improved remote sensing methods to estimate crop-water use, and evaluated the impacts of climate change on future drought severity.

  19. Migrant women domestic workers in Hong Kong, Singapore and Taiwan: a comparative analysis.

    PubMed

    Cheng, S J

    1996-01-01

    This article discusses the legal systems in Hong Kong, Singapore, and Taiwan and the protection of migrant domestic workers who are vulnerable to domestic violence and abuse. Migration in the last 10 years in Asia has increasingly included female migrants who are usually employed in domestic services, the entertainment industry, and health care services. This work places women migrants in a vulnerable position in the isolation of households, away from public oversight. Labor laws are not applied to domestic workers, who are considered of low societal value. In Hong Kong, domestic work is covered under the labor laws, but the societal perception is that housework is not really work. Employer-employee relationships are more clear cut in institutional settings. Most domestic workers live with their employers. They are outsiders to families and must maintain professional relationships within an intimate environment. The isolation within a household discourages development of support systems and contacts with women doing similar work. There is a power struggle between women of unequal stature concerning the operation of the household and the interrelationships with family members. The power dynamic, the nature of the family structure, and culture are all interrelated. The first year's income covers the cost of securing foreign employment, and workers are vulnerable in this first year due to their debts. Employers protect their investment by working them to capacity or using fear and physical confinement to secure obedience. Workers are humiliated and immobilized. The comparison between the three countries illustrates the potential for protecting migrant domestic workers. Singapore and Taiwan lack sufficient legal and social support for migrant women, and Hong Kong must use a more comprehensive approach for integrating power dynamics, employment, work regulations, and labor status.

  20. 49 CFR 1503.3 - Reports by the public of security problems, deficiencies, and vulnerabilities.

    Code of Federal Regulations, 2012 CFR

    2012-10-01

    ... 1503.3 Reports; 601 South 12th Street; Arlington, VA 20598-6002; (2) Internet at http://www.tsa.gov/contact, selecting “Security Issues”; or (3) Telephone (toll-free) at 1-866-289-9673. (b) Reports submitted by mail will receive a receipt through the mail, reports submitted by the Internet will receive an...

  1. 49 CFR 1503.3 - Reports by the public of security problems, deficiencies, and vulnerabilities.

    Code of Federal Regulations, 2013 CFR

    2013-10-01

    ... 1503.3 Reports; 601 South 12th Street; Arlington, VA 20598-6002; (2) Internet at http://www.tsa.gov/contact, selecting “Security Issues”; or (3) Telephone (toll-free) at 1-866-289-9673. (b) Reports submitted by mail will receive a receipt through the mail, reports submitted by the Internet will receive an...

  2. 49 CFR 1503.3 - Reports by the public of security problems, deficiencies, and vulnerabilities.

    Code of Federal Regulations, 2014 CFR

    2014-10-01

    ... 1503.3 Reports; 601 South 12th Street; Arlington, VA 20598-6002; (2) Internet at http://www.tsa.gov/contact, selecting “Security Issues”; or (3) Telephone (toll-free) at 1-866-289-9673. (b) Reports submitted by mail will receive a receipt through the mail, reports submitted by the Internet will receive an...

  3. 49 CFR 1503.3 - Reports by the public of security problems, deficiencies, and vulnerabilities.

    Code of Federal Regulations, 2011 CFR

    2011-10-01

    ... 1503.3 Reports; 601 South 12th Street; Arlington, VA 20598-6002; (2) Internet at http://www.tsa.gov/contact, selecting “Security Issues”; or (3) Telephone (toll-free) at 1-866-289-9673. (b) Reports submitted by mail will receive a receipt through the mail, reports submitted by the Internet will receive an...

  4. National Summit on Campus Public Safety. Strategies for Colleges and Universities in a Homeland Security Environment

    ERIC Educational Resources Information Center

    US Department of Justice, 2005

    2005-01-01

    The aftermath of September 11, 2001 prompted the reexamination of the nation's defenses and vulnerabilities in light of new realities. Every sector of society, particularly those who protect the well being of communities, required change. Safety and security operations on the nation's college and university campuses are no exception. The nation's…

  5. The Security of Machine Learning

    DTIC Science & Technology

    2008-04-24

    Machine learning has become a fundamental tool for computer security, since it can rapidly evolve to changing and complex situations. That...adaptability is also a vulnerability: attackers can exploit machine learning systems. We present a taxonomy identifying and analyzing attacks against machine ...We use our framework to survey and analyze the literature of attacks against machine learning systems. We also illustrate our taxonomy by showing

  6. Workshop on Education in Computer Security (WECS6) (6th): Avoiding Fear, Uncertainty and Doubt Through Effective Security Education, Held in Monterey, California on 12-16 July 2004

    DTIC Science & Technology

    2004-07-01

    Melissa) is created in the controlled environment and propagated. The students learn how viruses are written, how they are propagated via mediums like...vulnerabilities and threats, establishing disaster response and recovery procedures. Joseph Giordano, Technical Advisor, Information Warfare Branch, AFRL 60 The

  7. Qualitative Case Study Exploring Operational Barriers Impeding Small and Private, Nonprofit Higher Education Institutions from Implementing Information Security Controls

    ERIC Educational Resources Information Center

    Liesen, Joseph J.

    2017-01-01

    The higher education industry uses the very latest technologies to effectively prepare students for their careers, but these technologies often contain vulnerabilities that can be exploited via their connection to the Internet. The complex task of securing information and computing systems is made more difficult at institutions of higher education…

  8. Collaboration using roles. [in computer network security]

    NASA Technical Reports Server (NTRS)

    Bishop, Matt

    1990-01-01

    Segregation of roles into alternative accounts is a model which provides not only the ability to collaborate but also enables accurate accounting of resources consumed by collaborative projects, protects the resources and objects of such a project, and does not introduce new security vulnerabilities. The implementation presented here does not require users to remember additional passwords and provides a very simple consistent interface.

  9. Are Vulnerability Disclosure Deadlines Justified?

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Miles McQueen; Jason L. Wright; Lawrence Wellman

    2011-09-01

    Vulnerability research organizations Rapid7, Google Security team, and Zero Day Initiative recently imposed grace periods for public disclosure of vulnerabilities. The grace periods ranged from 45 to 182 days, after which disclosure might occur with or without an effective mitigation from the affected software vendor. At this time there is indirect evidence that the shorter grace periods of 45 and 60 days may not be practical. However, there is strong evidence that the recently announced Zero Day Initiative grace period of 182 days yields benefit in speeding up the patch creation process, and may be practical for many software products. Unfortunately, there is also evidence that the 182 day grace period results in more vulnerability announcements without an available patch.

  10. Topological Vulnerability Evaluation Model Based on Fractal Dimension of Complex Networks.

    PubMed

    Gou, Li; Wei, Bo; Sadiq, Rehan; Sadiq, Yong; Deng, Yong

    2016-01-01

    With an increasing emphasis on network security, much more attentions have been attracted to the vulnerability of complex networks. In this paper, the fractal dimension, which can reflect space-filling capacity of networks, is redefined as the origin moment of the edge betweenness to obtain a more reasonable evaluation of vulnerability. The proposed model combining multiple evaluation indexes not only overcomes the shortage of average edge betweenness's failing to evaluate vulnerability of some special networks, but also characterizes the topological structure and highlights the space-filling capacity of networks. The applications to six US airline networks illustrate the practicality and effectiveness of our proposed method, and the comparisons with three other commonly used methods further validate the superiority of our proposed method.

  11. An Improved and Secure Biometric Authentication Scheme for Telecare Medicine Information Systems Based on Elliptic Curve Cryptography.

    PubMed

    Chaudhry, Shehzad Ashraf; Mahmood, Khalid; Naqvi, Husnain; Khan, Muhammad Khurram

    2015-11-01

    Telecare medicine information system (TMIS) offers the patients convenient and expedite healthcare services remotely anywhere. Patient security and privacy has emerged as key issues during remote access because of underlying open architecture. An authentication scheme can verify patient's as well as TMIS server's legitimacy during remote healthcare services. To achieve security and privacy a number of authentication schemes have been proposed. Very recently Lu et al. (J. Med. Syst. 39(3):1-8, 2015) proposed a biometric based three factor authentication scheme for TMIS to confiscate the vulnerabilities of Arshad et al.'s (J. Med. Syst. 38(12):136, 2014) scheme. Further, they emphasized the robustness of their scheme against several attacks. However, in this paper we establish that Lu et al.'s scheme is vulnerable to numerous attacks including (1) Patient anonymity violation attack, (2) Patient impersonation attack, and (3) TMIS server impersonation attack. Furthermore, their scheme does not provide patient untraceability. We then, propose an improvement of Lu et al.'s scheme. We have analyzed the security of improved scheme using popular automated tool ProVerif. The proposed scheme while retaining the plusses of Lu et al.'s scheme is also robust against known attacks.

  12. An Improvement of Robust and Efficient Biometrics Based Password Authentication Scheme for Telecare Medicine Information Systems Using Extended Chaotic Maps.

    PubMed

    Moon, Jongho; Choi, Younsung; Kim, Jiye; Won, Dongho

    2016-03-01

    Recently, numerous extended chaotic map-based password authentication schemes that employ smart card technology were proposed for Telecare Medical Information Systems (TMISs). In 2015, Lu et al. used Li et al.'s scheme as a basis to propose a password authentication scheme for TMISs that is based on biometrics and smart card technology and employs extended chaotic maps. Lu et al. demonstrated that Li et al.'s scheme comprises some weaknesses such as those regarding a violation of the session-key security, a vulnerability to the user impersonation attack, and a lack of local verification. In this paper, however, we show that Lu et al.'s scheme is still insecure with respect to issues such as a violation of the session-key security, and that it is vulnerable to both the outsider attack and the impersonation attack. To overcome these drawbacks, we retain the useful properties of Lu et al.'s scheme to propose a new password authentication scheme that is based on smart card technology and requires the use of chaotic maps. Then, we show that our proposed scheme is more secure and efficient and supports security properties.

  13. Security-Enhanced Push Button Configuration for Home Smart Control.

    PubMed

    Han, Junghee; Park, Taejoon

    2017-06-08

    With the emergence of smart and converged home services, the need for the secure and easy interplay of various devices has been increased. Push Button Configuration (PBC) is one of the technologies proposed for easy set-up of a secure session between IT and consumer devices. Although the Wi-Fi Direct specification explicitly states that all devices must support the PBC method, its applicability is very limited. This is because the security vulnerability of PBC can be maliciously exploited so that attackers can make illegitimate sessions with consumer devices. To address this problem, this paper proposes a novel Security-enhanced PBC (SePBC) scheme with which we can uncover suspicious or malicious devices. The proposed mechanism has several unique features. First, we develop a secure handshake distance measurement protocol by preventing an adversary sitting outside the region from maliciously manipulating its distance to be fake. Second, it is compatible with the original Wi-Fi PBC without introducing a brand-new methodology. Finally, SePBC uses lightweight operations without CPU-intensive cryptography computation and employs inexpensive H/W. Moreover, it needs to incur little overhead when there is no attack. This paper also designs and implements the proposed SePBC in the real world. Our experimental results and analysis show that the proposed SePBC scheme effectively defeats attacks on PBC while minimizing the modification of the original PBC equipment.

  14. Security-Enhanced Push Button Configuration for Home Smart Control

    PubMed Central

    Han, Junghee; Park, Taejoon

    2017-01-01

    With the emergence of smart and converged home services, the need for the secure and easy interplay of various devices has been increased. Push Button Configuration (PBC) is one of the technologies proposed for easy set-up of a secure session between IT and consumer devices. Although the Wi-Fi Direct specification explicitly states that all devices must support the PBC method, its applicability is very limited. This is because the security vulnerability of PBC can be maliciously exploited so that attackers can make illegitimate sessions with consumer devices. To address this problem, this paper proposes a novel Security-enhanced PBC (SePBC) scheme with which we can uncover suspicious or malicious devices. The proposed mechanism has several unique features. First, we develop a secure handshake distance measurement protocol by preventing an adversary sitting outside the region from maliciously manipulating its distance to be fake. Second, it is compatible with the original Wi-Fi PBC without introducing a brand-new methodology. Finally, SePBC uses lightweight operations without CPU-intensive cryptography computation and employs inexpensive H/W. Moreover, it needs to incur little overhead when there is no attack. This paper also designs and implements the proposed SePBC in the real world. Our experimental results and analysis show that the proposed SePBC scheme effectively defeats attacks on PBC while minimizing the modification of the original PBC equipment. PMID:28594370

  15. Privacy Protection for Telecare Medicine Information Systems Using a Chaotic Map-Based Three-Factor Authenticated Key Agreement Scheme.

    PubMed

    Zhang, Liping; Zhu, Shaohui; Tang, Shanyu

    2017-03-01

    Telecare medicine information systems (TMIS) provide flexible and convenient e-health care. However, the medical records transmitted in TMIS are exposed to unsecured public networks, so TMIS are more vulnerable to various types of security threats and attacks. To provide privacy protection for TMIS, a secure and efficient authenticated key agreement scheme is urgently needed to protect the sensitive medical data. Recently, Mishra et al. proposed a biometrics-based authenticated key agreement scheme for TMIS by using hash function and nonce, they claimed that their scheme could eliminate the security weaknesses of Yan et al.'s scheme and provide dynamic identity protection and user anonymity. In this paper, however, we demonstrate that Mishra et al.'s scheme suffers from replay attacks, man-in-the-middle attacks and fails to provide perfect forward secrecy. To overcome the weaknesses of Mishra et al.'s scheme, we then propose a three-factor authenticated key agreement scheme to enable the patient to enjoy the remote healthcare services via TMIS with privacy protection. The chaotic map-based cryptography is employed in the proposed scheme to achieve a delicate balance of security and performance. Security analysis demonstrates that the proposed scheme resists various attacks and provides several attractive security properties. Performance evaluation shows that the proposed scheme increases efficiency in comparison with other related schemes.

  16. Water security - Nation state and international security implications

    USGS Publications Warehouse

    Tindall, James A.; Campbell, Andrew A.

    2009-01-01

    A terrorist attack such as poisoning and sabotage of the national water supply and water-quality infrastructure of the continental United States or any country, could disrupt the delivery of vital human services, threaten both public health and the environment, potentially cause mass casualties and pose grave public concern for homeland security. Most significantly, an attack on water resources would weaken social cohesion and trust in government. A threat to continuity of services is a potential threat to continuity of government since both are necessary for continuity of operations. Water infrastructure is difficult to protect, as it extends over vast areas across the U.S. and for which ownership is overwhelmingly nonfederal (approximately 85 percent). Since the 9/11 attacks, federal dam operators and water and wastewater utilities have established counter measures. Similar measures have been taken in countries around the world. These include enhanced physical security, improved coordination between corporate ownership, Department of Homeland Security, and local law enforcement, and research into risk assessment and vulnerability analysis to ensure greater system safety. A key issue is the proportionate additional resources directed at public and private sector specific priorities. Agencies that have the scientific and technological ability to leverage resources, exploit integrated science approaches, focus on interdisciplinary practices, utilize informatics expertise and employ a wide use of evolving technologies should play a key role in water security and related issues.

  17. Cybersecurity and Optimization in Smart “Autonomous” Buildings

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Mylrea, Michael E.; Gourisetti, Sri Nikhil Gup

    Significant resources have been invested in making buildings “smart” by digitizing, networking and automating key systems and operations. Smart autonomous buildings create new energy efficiency, economic and environmental opportunities. But as buildings become increasingly networked to the Internet, they can also become more vulnerable to various cyber threats. Automated and Internet-connected buildings systems, equipment, controls, and sensors can significantly increase cyber and physical vulnerabilities that threaten the confidentiality, integrity, and availability of critical systems in organizations. Securing smart autonomous buildings presents a national security and economic challenge to the nation. Ignoring this challenge threatens business continuity and the availability of critical infrastructures that are enabled by smart buildings. In this chapter, the authors address challenges and explore new opportunities in securing smart buildings that are enhanced by machine learning, cognitive sensing, artificial intelligence (AI) and smart-energy technologies. The chapter begins by identifying cyber-threats and challenges to smart autonomous buildings. Then it provides recommendations on how AI enabled solutions can help smart buildings and facilities better protect, detect and respond to cyber-physical threats and vulnerabilities. Next, the chapter will provide case studies that examine how combining AI with innovative smart-energy technologies can increase both cybersecurity and energy efficiency savings in buildings. The chapter will conclude by proposing recommendations for future cybersecurity and energy optimization research for examining AI enabled smart-energy technology.

  18. Sustainable Food Security Measurement: A Systemic Methodology

    NASA Astrophysics Data System (ADS)

    Findiastuti, W.; Singgih, M. L.; Anityasari, M.

    2017-04-01

    Sustainable food security measures how a region provides food for its people without endangered the environment. In Indonesia, it was legally measured in Food Security and Vulnerability (FSVA). However, regard to sustainable food security policy, the measurement has not encompassed the environmental aspect. This will lead to lack of environmental aspect information for adjusting the next strategy. This study aimed to assess Sustainable Food security by encompassing both food security and environment aspect using systemic eco-efficiency. Given existing indicator of cereal production level, total emission as environment indicator was generated by constructing Causal Loop Diagram (CLD). Then, a stock-flow diagram was used to develop systemic simulation model. This model was demonstrated for Indonesian five provinces. The result showed there was difference between food security order with and without environmental aspect assessment.

  19. Network Security Risk Assessment System Based on Attack Graph and Markov Chain

    NASA Astrophysics Data System (ADS)

    Sun, Fuxiong; Pi, Juntao; Lv, Jin; Cao, Tian

    2017-10-01

    Network security risk assessment technology can be found in advance of the network problems and related vulnerabilities, it has become an important means to solve the problem of network security. Based on attack graph and Markov chain, this paper provides a Network Security Risk Assessment Model (NSRAM). Based on the network infiltration tests, NSRAM generates the attack graph by the breadth traversal algorithm. Combines with the international standard CVSS, the attack probability of atomic nodes are counted, and then the attack transition probabilities of ones are calculated by Markov chain. NSRAM selects the optimal attack path after comprehensive measurement to assessment network security risk. The simulation results show that NSRAM can reflect the actual situation of network security objectively.

  20. The role of minimum supply and social vulnerability assessment for governing critical infrastructure failure: current gaps and future agenda

    NASA Astrophysics Data System (ADS)

    Garschagen, Matthias; Sandholz, Simone

    2018-04-01

    Increased attention has lately been given to the resilience of critical infrastructure in the context of natural hazards and disasters. The major focus therein is on the sensitivity of critical infrastructure technologies and their management contingencies. However, strikingly little attention has been given to assessing and mitigating social vulnerabilities towards the failure of critical infrastructure and to the development, design and implementation of minimum supply standards in situations of major infrastructure failure. Addressing this gap and contributing to a more integrative perspective on critical infrastructure resilience is the objective of this paper. It asks which role social vulnerability assessments and minimum supply considerations can, should and do - or do not - play for the management and governance of critical infrastructure failure. In its first part, the paper provides a structured review on achievements and remaining gaps in the management of critical infrastructure and the understanding of social vulnerabilities towards disaster-related infrastructure failures. Special attention is given to the current state of minimum supply concepts with a regional focus on policies in Germany and the EU. In its second part, the paper then responds to the identified gaps by developing a heuristic model on the linkages of critical infrastructure management, social vulnerability and minimum supply. This framework helps to inform a vision of a future research agenda, which is presented in the paper's third part. Overall, the analysis suggests that the assessment of socially differentiated vulnerabilities towards critical infrastructure failure needs to be undertaken more stringently to inform the scientifically and politically difficult debate about minimum supply standards and the shared responsibilities for securing them.

  1. Airport Managers' Perspectives on Security and Safety Management Systems in Aviation Operations: A Multiple Case Study

    NASA Astrophysics Data System (ADS)

    Brown, Willie L., Jr.

    Global terrorism continues to persist despite the great efforts of various countries to protect and safely secure their citizens. As airports form the entry and exit ports of a country, they are one of the most vulnerable locations to terror attacks. Managers of international airports constantly face similar challenges in developing and implementing airport security protocols. Consequently, the technological advances of today have brought both positive and negative impacts on security and terrorism of airports, which are mostly managed by the airport managers. The roles of the managers have greatly increased over the years due to technological advances. The developments in technology have had different roles in security, both in countering terrorism and, at the same time, increasing the communication methods of the terrorists. The purpose of this qualitative multiple case study was to investigate the perspectives of airport managers with regard to societal security and social interactions in the socio-technical systems of the National Terrorism Advisory System (NTAS). Through the data gained regarding managers' perception and experiences, the researcher hoped to enable the development of security measures and policies that are appropriate for airports as socio-technical systems. The researcher conducted interviews with airport managers to gather relevant data to fulfill the rationale of the study. Ten to twelve airport managers based in three commercial aviation airports in Maryland, United States participated in the study. The researcher used a qualitative thematic analysis procedure to analyze the data responses of participants in the interview sessions.

  2. Research on the information security system in electrical gis system in mobile application

    NASA Astrophysics Data System (ADS)

    Zhou, Chao; Feng, Renjun; Jiang, Haitao; Huang, Wei; Zhu, Daohua

    2017-05-01

    With the rapid development of social informatization process, the demands of government, enterprise, and individuals for spatial information becomes larger. In addition, the combination of wireless network technology and spatial information technology promotes the generation and development of mobile technologies. In today’s rapidly developed information technology field, network technology and mobile communication have become the two pillar industries by leaps and bounds. They almost absorbed and adopted all the latest information, communication, computer, electronics and so on new technologies. Concomitantly, the network coverage is more and more big, the transmission rate is faster and faster, the volume of user’s terminal is smaller and smaller. What’s more, from LAN to WAN, from wired network to wireless network, from wired access to mobile wireless access, people’s demand for communication technology is increasingly higher. As a result, mobile communication technology is facing unprecedented challenges as well as unprecedented opportunities. When combined with the existing mobile communication network, it led to the development of leaps and bounds. However, due to the inherent dependence of the system on the existing computer communication network, information security problems cannot be ignored. Today’s information security has penetrated into all aspects of life. Information system is a complex computer system, and its physical, operational and management vulnerabilities constitute the security vulnerability of the system. Firstly, this paper analyzes the composition of mobile enterprise network and information security threat. Secondly, this paper puts forward the security planning and measures, and constructs the information security structure.

  3. Improvement of a uniqueness-and-anonymity-preserving user authentication scheme for connected health care.

    PubMed

    Xie, Qi; Liu, Wenhao; Wang, Shengbao; Han, Lidong; Hu, Bin; Wu, Ting

    2014-09-01

    Patient's privacy-preserving, security and mutual authentication between patient and the medical server are the important mechanism in connected health care applications, such as telecare medical information systems and personally controlled health records systems. In 2013, Wen showed that Das et al.'s scheme is vulnerable to the replay attack, user impersonation attacks and off-line guessing attacks, and then proposed an improved scheme using biometrics, password and smart card to overcome these weaknesses. However, we show that Wen's scheme is still vulnerable to off-line password guessing attacks, does not provide user's anonymity and perfect forward secrecy. Further, we propose an improved scheme to fix these weaknesses, and use the applied pi calculus based formal verification tool ProVerif to prove the security and authentication.

  4. Cryptanalysis on a scheme to share information via employing a discrete algorithm to quantum states

    NASA Astrophysics Data System (ADS)

    Amellal, H.; Meslouhi, A.; El Baz, M.; Hassouni, Y.; El Allati, A.

    2017-03-01

    Recently, Yang and Hwang [Int. J. Theor. Phys. 53, 224 (2014)] demonstrated that the scheme to share information via employing discrete algorithm to quantum states presented by Kang and Fang [Commun. Theor. Phys. 55, 239 (2011)] suffers from a major vulnerability allowing an eavesdropper to perform a measurement and resend attack. By introducing an additional checking state framework, the authors have proposed an improved protocol to overcome this weakness. This work calls into question the invoked vulnerability in order to clarify a misinterpretation in the same protocol stages also introduce a possible leakage information strategy, known as a faked state attack, despite the proposed improvement, which means that the same security problem may persist. Finally, an upgrading technic was introduced in order to enhance the security transmission.

  5. Security breaches: tips for assessing and limiting your risks.

    PubMed

    Coons, Leeanne R

    2011-01-01

    As part of their compliance planning, medical practices should undergo a risk assessment to determine any vulnerability within the practice relative to security breaches. Practices should also implement safeguards to limit their risks. Such safeguards include facility access controls, information and electronic media management, use of business associate agreements, and education and enforcement. Implementation of specific policies and procedures to address security incidents is another critical step that medical practices should take as part of their security incident prevention plan. Medical practices should not only develop policies and procedures to prevent, detect, contain, and correct security violations, but should make sure that such policies and procedures are actually implemented in their everyday operations.

  6. Critical field-exponents for secure message-passing in modular networks

    NASA Astrophysics Data System (ADS)

    Shekhtman, Louis M.; Danziger, Michael M.; Bonamassa, Ivan; Buldyrev, Sergey V.; Caldarelli, Guido; Zlatić, Vinko; Havlin, Shlomo

    2018-05-01

    We study secure message-passing in the presence of multiple adversaries in modular networks. We assume a dominant fraction of nodes in each module have the same vulnerability, i.e., the same entity spying on them. We find both analytically and via simulations that the links between the modules (interlinks) have effects analogous to a magnetic field in a spin-system in that for any amount of interlinks the system no longer undergoes a phase transition. We then define the exponents δ, which relates the order parameter (the size of the giant secure component) at the critical point to the field strength (average number of interlinks per node), and γ, which describes the susceptibility near criticality. These are found to be δ = 2 and γ = 1 (with the scaling of the order parameter near the critical point given by β = 1). When two or more vulnerabilities are equally present in a module we find δ = 1 and γ = 0 (with β ≥ 2). Apart from defining a previously unidentified universality class, these exponents show that increasing connections between modules is more beneficial for security than increasing connections within modules. We also measure the correlation critical exponent ν, and the upper critical dimension d_c, finding that ν d_c = 3 as for ordinary percolation, suggesting that for secure message-passing d_c = 6. These results provide an interesting analogy between secure message-passing in modular networks and the physics of magnetic spin-systems.

  7. The Predictive Validity of the Short-Term Assessment of Risk and Treatability (START) for Multiple Adverse Outcomes in a Secure Psychiatric Inpatient Setting.

    PubMed

    O'Shea, Laura E; Picchioni, Marco M; Dickens, Geoffrey L

    2016-04-01

    The Short-Term Assessment of Risk and Treatability (START) aims to assist mental health practitioners to estimate an individual's short-term risk for a range of adverse outcomes via structured consideration of their risk ("Vulnerabilities") and protective factors ("Strengths") in 20 areas. It has demonstrated predictive validity for aggression but this is less established for other outcomes. We collated START assessments for N = 200 adults in a secure mental health hospital and ascertained 3-month risk event incidence using the START Outcomes Scale. The specific risk estimates, which are the tool developers' suggested method of overall assessment, predicted aggression, self-harm/suicidality, and victimization, and had incremental validity over the Strength and Vulnerability scales for these outcomes. The Strength scale had incremental validity over the Vulnerability scale for aggressive outcomes; therefore, consideration of protective factors had demonstrable value in their prediction. Further evidence is required to support use of the START for the full range of outcomes it aims to predict.

  8. Assessing Uncertainties in Surface Water Security: A Probabilistic Multi-model Resampling approach

    NASA Astrophysics Data System (ADS)

    Rodrigues, D. B. B.

    2015-12-01

    Various uncertainties are involved in the representation of processes that characterize interactions between societal needs, ecosystem functioning, and hydrological conditions. Here, we develop an empirical uncertainty assessment of water security indicators that characterize scarcity and vulnerability, based on a multi-model and resampling framework. We consider several uncertainty sources including those related to: i) observed streamflow data; ii) hydrological model structure; iii) residual analysis; iv) the definition of Environmental Flow Requirement method; v) the definition of critical conditions for water provision; and vi) the critical demand imposed by human activities. We estimate the overall uncertainty coming from the hydrological model by means of a residual bootstrap resampling approach, and by uncertainty propagation through different methodological arrangements applied to a 291 km² agricultural basin within the Cantareira water supply system in Brazil. Together, the two-component hydrograph residual analysis and the block bootstrap resampling approach result in a more accurate and precise estimate of the uncertainty (95% confidence intervals) in the simulated time series. We then compare the uncertainty estimates associated with water security indicators using a multi-model framework and provided by each model uncertainty estimation approach. The method is general and can be easily extended forming the basis for meaningful support to end-users facing water resource challenges by enabling them to incorporate a viable uncertainty analysis into a robust decision making process.

  9. The relationship between vulnerable attachment style, psychopathology, drug abuse, and retention in treatment among methadone maintenance treatment patients.

    PubMed

    Potik, David; Peles, Einat; Abramsohn, Yahli; Adelson, Miriam; Schreiber, Shaul

    2014-01-01

    The relationship between vulnerable attachment style, psychopathology, drug abuse, and retention in treatment among patients in methadone maintenance treatment (MMT) was examined by the Vulnerable Attachment Style Questionnaire (VASQ), the Symptom Checklist-90 (SCL-90), and drug abuse urine tests. After six years, retention in treatment and repeated urine test results were studied. Patients with vulnerable attachment style (a high VASQ score) had higher rates of drug abuse and higher psychopathology levels compared to patients with secure attachment style, especially on the interpersonal sensitivity, anxiety, hostility, phobic anxiety, and paranoid ideation scales. Drug abstinence at baseline was related to retention in treatment and to higher rates of drug abstinence after six years in MMT, whereas a vulnerable attachment style could not predict drug abstinence and retention in treatment. Clinical implications concerning treatment of drug abusing populations and methodological issues concerning the VASQ's subscales are also discussed.

  10. Cyber Security: Critical Infrastructure Controls Assessment Framework

    DTIC Science & Technology

    2011-05-01

    the threats to and vulnerabilities... • Patch and configuration management • Vulnerability and incident management • Recommendations to reduce... Purpose: Provide an overview on assessment...

  11. Supervisory Control and Data Acquisition (SCADA) Security Awareness In a Resource Constrained Learning Environment

    DTIC Science & Technology

    2014-06-16

    SCADA systems. These professionals should be aware of the vulnerabilities so they can take intelligent precautions to mitigate attacks. SCADA...vulnerabilities • Describe mitigation options for protecting a system from SCADA attacks For students that go on to pursue a degree in Computer...from SCADA attacks For students who do not remain in the IT realm, this introduction provides an awareness to help them mitigate threats for their

  12. Final Technical Report. Project Boeing SGS

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Bell, Thomas E.

    Boeing and its partner, PJM Interconnection, teamed to bring advanced “defense-grade” technologies for cyber security to the US regional power grid through demonstration in PJM’s energy management environment. Under this cooperative project with the Department of Energy, Boeing and PJM have developed and demonstrated a host of technologies specifically tailored to the needs of PJM and the electric sector as a whole. The team has demonstrated to the energy industry a combination of processes, techniques and technologies that have been successfully implemented in the commercial, defense, and intelligence communities to identify, mitigate and continuously monitor the cyber security of critical systems. Guided by the results of a Cyber Security Risk-Based Assessment completed in Phase I, the Boeing-PJM team has completed multiple iterations through the Phase II Development and Phase III Deployment phases. Multiple cyber security solutions have been completed across a variety of controls including: Application Security, Enhanced Malware Detection, Security Incident and Event Management (SIEM) Optimization, Continuous Vulnerability Monitoring, SCADA Monitoring/Intrusion Detection, Operational Resiliency, Cyber Range simulations and hands on cyber security personnel training. All of the developed and demonstrated solutions are suitable for replication across the electric sector and/or the energy sector as a whole.
Benefits identified include: Improved malware and intrusion detection capability on critical SCADA networks including behavioral-based alerts resulting in improved zero-day threat protection; Improved Security Incident and Event Management system resulting in better threat visibility, thus increasing the likelihood of detecting a serious event; Improved malware detection and zero-day threat response capability; Improved ability to systematically evaluate and secure in house and vendor sourced software applications; Improved ability to continuously monitor and maintain secure configuration of network devices resulting in reduced vulnerabilities for potential exploitation; Improved overall cyber security situational awareness through the integration of multiple discrete security technologies into a single cyber security reporting console; Improved ability to maintain the resiliency of critical systems in the face of a targeted cyber attack or other significant event; Improved ability to model complex networks for penetration testing and advanced training of cyber security personnel.

  13. Chemical Accident Prevention: Site Security

    EPA Pesticide Factsheets

    This chemical safety alert assists facilities that routinely handle extremely hazardous substances, along with SERCs, LEPCs, and emergency responders, in their efforts to reduce criminally caused releases and vulnerability to terrorist activity.

  14. The Global Threat Reduction Initiative's Orphan Source Recovery Project in the Russian Federation

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Russell, J. W.; Ahumada, A. D.; Blanchard, T. A.

    After 9/11, officials at the United States Department of Energy (DOE), National Nuclear Security Administration (NNSA) grew more concerned about radiological materials that were vulnerable to theft and illicit use around the world. The concern was that terrorists could combine stolen radiological materials with explosives to build and detonate a radiological dispersal device (RDD), more commonly known as a “dirty bomb.” In response to this and other terrorist threats, the DOE/NNSA formed what is now known as the Global Threat Reduction Initiative (GTRI) to consolidate and accelerate efforts to reduce and protect vulnerable nuclear and radiological materials located at civilian sites worldwide. Although a cooperative program was already underway in the Russian Federation to secure nuclear materials at a range of different facilities, thousands of sealed radioactive sources remained vulnerable at medical, research, and industrial sites. In response, GTRI began to focus efforts on addressing these materials. GTRI’s Russia Orphan Source Recovery Project, managed at the Nevada National Security Site’s North Las Vegas facility, was initiated in 2002. Throughout the life of the project, Joint Stock Company “Isotope” has served as the primary Russian subcontractor, and the organization has proven to be a successful partner. Since the first orphan source recovery of an industrial cobalt-60 irradiator with 647 curies (Ci) at an abandoned facility in Moscow in 2003, the GTRI Orphan Source Recovery Project in the Russian Federation has accomplished substantial levels of threat reduction. To date, GTRI has recovered and securely disposed of more than 5,100 sources totaling more than 628,000 Ci. This project serves as an extraordinary example of how international cooperation can be implemented by partners with mutual interests to achieve significant goals.

  15. Risk Assessment Methodology for Water utilities (RAM-W) : the foundation for emergency response planning.

    DOE Office of Scientific and Technical Information (OSTI.GOV)

    Danneels, Jeffrey John

    2005-03-01

    Concerns about acts of terrorism against critical infrastructures have been on the rise for several years. Critical infrastructures are those physical structures and information systems (including cyber) essential to the minimum operations of the economy and government. The President's Commission on Critical Infrastructure Protection (PCCIP) probed the security of the nation's critical infrastructures. The PCCIP determined the water infrastructure is highly vulnerable to a range of potential attacks. In October 1997, the PCCIP proposed a public/private partnership between the federal government and private industry to improve the protection of the nation's critical infrastructures. In early 2000, the EPA partnered with the Awwa Research Foundation (AwwaRF) and Sandia National Laboratories to create the Risk Assessment Methodology for Water Utilities (RAM-W™). Soon thereafter, they initiated an effort to create a template and minimum requirements for water utility Emergency Response Plans (ERP). All public water utilities in the US serving populations greater than 3,300 are required to undertake both a vulnerability assessment and the development of an emergency response plan. This paper explains the initial steps of RAM-W™ and then demonstrates how the security risk assessment is fundamental to the ERP. During the development of RAM-W™, Sandia performed several security risk assessments at large metropolitan water utilities. As part of the scope of that effort, ERPs at each utility were reviewed to determine how well they addressed significant vulnerabilities uncovered during the risk assessment. The ERP will contain responses to other events as well (e.g. natural disasters) but should address all major findings in the security risk assessment.

  16. A Preliminary Assessment of Social Vulnerability in Ganga-Brahmaputra-Meghna Delta

    NASA Astrophysics Data System (ADS)

    Hazra, Sugata; Islam, Nabiul

    2017-04-01

    The Ganga-Brahmaputra-Meghna (GBM) Delta has a high population density and is exposed to rapid environmental changes making it one of the most stressed deltas in the world. The low-lying coastal areas of the Ganga-Brahmaputra-Meghna (GBM) Delta comprise 19 coastal districts of Bangladesh and two districts in India with significant land areas within 5 meters of sea level, and have a population of more than 50 million people at an average population density of 1100 people/km². This population is exposed to a range of hazards such as severe cyclones, coastal erosion, and salinization, exacerbated by climate change and subsidence which imply severe stress on the resource dependent community of this region. This situation is further complicated by poverty and limited social well-being such as poor access to education/health/drinking water/sanitation facilities, and lack of food and energy security. Thus assessing social vulnerability can help to understand which communities are susceptible to environmental change and guide adaptation actions to address these threats. This preliminary study aims to construct a socio-economic index by assessing the social vulnerability of coastal communities of GBM Delta taking consistent and common secondary data from the Census of India and the Bangladesh Bureau of Statistics and applying a Principal Component Analysis (PCA) methodology. Several statistical tests like Kaiser-Meyer-Olkin (KMO) have also been used to assess the appropriateness of using PCA. Among the selected common indicators, five major components are found to explain the majority of the total variation of social vulnerability across the delta: (1) poverty, (2) dependency ratio, (3) agriculture dependency, (4) lack of sanitation and (5) existence of mud houses. The most important observation is the existence of a social vulnerability gradient across the coast.
In other words, socially marginalised and vulnerable communities are found on the Delta margin in both India and Bangladesh. Several coastal sub-districts (Blocks in India, Upazila in Bangladesh) like Manpura, Basanti, Koyra, Teknaf, Sandeshkhali-II have maximum social vulnerability and have the potential to be adversely affected by environmental change, whereas several more inland sub-districts like Barrackpur-I, II, Panchlaish, Kotwali, Double Mooring have a comparatively low social vulnerability. This preliminary analysis of spatial variation of social vulnerability in the GBM delta suggests that a more intensive study of vulnerability and risk is required under a range of scenarios of climatic and socio-economic changes. The present study is a part of joint GBM delta study taken up by DECCMA (Deltas, Vulnerability & Climate Change: Migration & Adaptation) project as part of the Collaborative ADAPTATION Research Initiative in Africa and Asia (CARIAA), with financial support from the UK Government's Department for International Development (DFID) and the International Development Research Centre (IDRC), Canada.

  17. Livelihood Vulnerability Approach to Assess Climate Change Impacts to Mixed Agro-Livestock Smallholders Around the Gandaki River Basin of Nepal

    NASA Astrophysics Data System (ADS)

    Panthi, J., Sr.

    2014-12-01

    Climate change vulnerability depends upon various factors and differs between places, sectors and communities. People in developing countries whose subsistence livelihood depends upon agriculture and livestock are identified as particularly vulnerable. Nepal, where the majority of people are in a mixed agro-livestock system, is identified as the world's fourth most vulnerable country to climate change. However, there are few studies on how vulnerable mixed agro-livestock smallholders are and how their vulnerability differs across different ecological regions. This study aims to test two vulnerability assessment indices, livelihood vulnerability index (LVI) and IPCC vulnerability index (VI-IPCC), around the Gandaki river basin of Nepal. A total of 543 households practicing mixed agro-livestock were surveyed from three districts (Dhading, Syangja and Kapilvastu) representing the mountain, mid-hill and lowland altitudinal belts respectively. Data on socio-demographics, livelihoods, social networks, health, food and water security, natural disasters and climate variability were collected. Both indices differed across the three districts, with mixed agro-livestock smallholders of Dhading district found to be the most vulnerable and that of Syangja least vulnerable. This vulnerability index approach may be used to monitor rural vulnerability and/or evaluate potential program/policy effectiveness in poor countries like Nepal. The present findings are intended to help in designing intervention strategies to reduce vulnerability of mixed agro-livestock smallholders and other rural people in developing countries to climate change.

  18. A rhythm-based authentication scheme for smart media devices.

    PubMed

    Lee, Jae Dong; Jeong, Young-Sik; Park, Jong Hyuk

    2014-01-01

    In recent years, ubiquitous computing has rapidly emerged in our lives and extensive studies have been conducted in a variety of areas related to smart devices, such as tablets, smartphones, smart TVs, smart refrigerators, and smart media devices, as a measure for realizing ubiquitous computing. In particular, smartphones have significantly evolved from the traditional feature phones. Increasingly higher-end smartphone models that can perform a range of functions are now available. Smart devices have become widely popular since they provide high efficiency and great convenience for not only private daily activities but also business endeavors. Rapid advancements have been achieved in smart device technologies to improve the end users' convenience. Consequently, many people increasingly rely on smart devices to store their valuable and important data. With this increasing dependence, an important aspect that must be addressed is security issues. Leaking of private information or sensitive business data due to loss or theft of smart devices could result in exorbitant damage. To mitigate these security threats, basic embedded locking features are provided in smart devices. However, these locking features are vulnerable. In this paper, an original security-locking scheme using a rhythm-based locking system (RLS) is proposed to overcome the existing security problems of smart devices. RLS is a user-authenticated system that addresses vulnerability issues in the existing locking features and provides secure confidentiality in addition to convenience.

  19. A Rhythm-Based Authentication Scheme for Smart Media Devices

    PubMed Central

    Lee, Jae Dong; Park, Jong Hyuk

    2014-01-01

    In recent years, ubiquitous computing has rapidly emerged in our lives and extensive studies have been conducted in a variety of areas related to smart devices, such as tablets, smartphones, smart TVs, smart refrigerators, and smart media devices, as a measure for realizing ubiquitous computing. In particular, smartphones have significantly evolved from the traditional feature phones. Increasingly higher-end smartphone models that can perform a range of functions are now available. Smart devices have become widely popular since they provide high efficiency and great convenience for not only private daily activities but also business endeavors. Rapid advancements have been achieved in smart device technologies to improve the end users' convenience. Consequently, many people increasingly rely on smart devices to store their valuable and important data. With this increasing dependence, an important aspect that must be addressed is security issues. Leaking of private information or sensitive business data due to loss or theft of smart devices could result in exorbitant damage. To mitigate these security threats, basic embedded locking features are provided in smart devices. However, these locking features are vulnerable. In this paper, an original security-locking scheme using a rhythm-based locking system (RLS) is proposed to overcome the existing security problems of smart devices. RLS is a user-authenticated system that addresses vulnerability issues in the existing locking features and provides secure confidentiality in addition to convenience. PMID:25110743

  20. Sun-Burned: Space Weather's Impact on United States National Security

    NASA Astrophysics Data System (ADS)

    Stebbins, B.

    2014-12-01

    The heightened media attention surrounding the 2013-14 solar maximum presented an excellent opportunity to examine the ever-increasing vulnerability of US national security and its Department of Defense to space weather. This vulnerability exists for three principal reasons: 1) a massive US space-based infrastructure; 2) an almost exclusive reliance on an aging and stressed continental US power grid; and 3) a direct dependence upon a US economy adapted to the conveniences of space and uninterrupted power. I tailored my research and work for the national security policy maker and military strategists in an endeavor to initiate and inform a substantive dialogue on America's preparation for, and response to, a major solar event that would severely degrade core national security capabilities, such as military operations. Significant risk to the Department of Defense exists from powerful events that could impact its space-based infrastructure and even the terrestrial power grid. Given this ever-present and increasing risk to the United States, my work advocates raising the issue of space weather and its impacts to the level of a national security threat. With the current solar cycle having already peaked and the next projected solar maximum just a decade away, the government has a relatively small window to make policy decisions that prepare the nation and its Defense Department to mitigate impacts from these potentially catastrophic phenomena.
