Making the Business Case for Software Assurance

DTIC Science & Technology

2009-04-01

and Capability dEtermination-SPICE, ISO /IEC 15504, 1998. [ ISO 2007] International Organization for Standardization. " ISO /IEC 27001 & 27002 ...Implementing the Process Areas 6.2.7 Differences Between the CMMI and Software CMM Process Areas 6.3 The CMMI Appraisal Process 6.4 Adapting ISO 15504 to...Secure Software Assurance 6.4.1 Assessment and the Secure Life Cycle 6.4.2 ISO 15504 Capability Levels 6.5 Adapting the ISOIIEC 21287 Standard Approach to

Computer Security and the Data Encryption Standard. Proceedings of the Conference on Computer Security and the Data Encryption Standard.

ERIC Educational Resources Information Center

Branstad, Dennis K., Ed.

The 15 papers and summaries of presentations in this collection provide technical information and guidance offered by representatives from federal agencies and private industry. Topics discussed include physical security, risk assessment, software security, computer network security, and applications and implementation of the Data Encryption…

48 CFR 52.250-5 - SAFETY Act-Equitable Adjustment.

Code of Federal Regulations, 2011 CFR

2011-10-01

..., engineering services, software development services, software integration services, threat assessments... security, i.e., it will perform as intended, conforms to the seller's specifications, and is safe for use...

48 CFR 52.250-5 - SAFETY Act-Equitable Adjustment.

Code of Federal Regulations, 2014 CFR

2014-10-01

..., engineering services, software development services, software integration services, threat assessments... security, i.e., it will perform as intended, conforms to the seller's specifications, and is safe for use...

48 CFR 52.250-5 - SAFETY Act-Equitable Adjustment.

Code of Federal Regulations, 2013 CFR

2013-10-01

..., engineering services, software development services, software integration services, threat assessments... security, i.e., it will perform as intended, conforms to the seller's specifications, and is safe for use...

48 CFR 52.250-5 - SAFETY Act-Equitable Adjustment.

Code of Federal Regulations, 2012 CFR

2012-10-01

..., engineering services, software development services, software integration services, threat assessments... security, i.e., it will perform as intended, conforms to the seller's specifications, and is safe for use...

IT Security Support for the Spaceport Command Control Systems Development Ground Support Development Operations

NASA Technical Reports Server (NTRS)

Branch, Drew A.

2014-01-01

Security is one of the most if not the most important areas today. After the several attacks on the United States, security everywhere has heightened from airports to the communication among the military branches legionnaires. With advanced persistent threats (APT's) on the rise following Stuxnet, government branches and agencies are required, more than ever, to follow several standards, policies and procedures to reduce the likelihood of a breach. Attack vectors today are very advanced and are going to continue to get more and more advanced as security controls advance. This creates a need for networks and systems to be in an updated and secured state in a launch control system environment. FISMA is a law that is mandated by the government to follow when government agencies secure networks and devices. My role on this project is to ensure network devices and systems are in compliance with NIST, as outlined in FISMA. I will achieve this by providing assistance with security plan documentation and collection, system hardware and software inventory, malicious code and malware scanning, and configuration of network devices i.e. routers and IDS's/IPS's. In addition, I will be completing security assessments on software and hardware, vulnerability assessments and reporting, and conducting patch management and risk assessments. A guideline that will help with compliance with NIST is the SANS Top 20 Critical Controls. SANS Top 20 Critical Controls as well as numerous security tools, security software and the conduction of research will be used to successfully complete the tasks given to me. This will ensure compliance with FISMA and NIST, secure systems and a secured network. By the end of this project, I hope to have carried out the tasks stated above as well as gain an immense knowledge about compliance, security tools, networks and network devices, as well as policies and procedures.

IT Security Support for the Spaceport Command Control Systems Development Ground Support Development Operations

NASA Technical Reports Server (NTRS)

Branch, Drew

2013-01-01

Security is one of the most if not the most important areas today. After the several attacks on the United States, security everywhere was heightened from Airports to the communication among the military branches legionnaires. With advanced persistent threats (APTs) on the rise following Stuxnet, government branches and agencies are required, more than ever, to follow several standards, policies and procedures to reduce the likelihood of a breach. Attack vectors today are very advanced and are going to continue to get more and more advanced as security controls advance. This creates a need for networks and systems to be in an updated and secured state in a launch control system environment. FISMA is a law that is mandated by the government to follow when government agencies secure networks and devices. My role on this project is to ensure network devices and systems are in compliance with NIST, as outlined in FISMA. I will achieve this by providing assistance with security plan documentation and collection, system hardware and software inventory, malicious code and malware scanning and configuration of network devices i.e. routers and IDSsIPSs. In addition I will be completing security assessments on software and hardware, vulnerability assessments and reporting, conducting patch management and risk assessments. A guideline that will help with compliance with NIST is the SANS Top 20 Critical Controls. SANS Top 20 Critical Controls as well as numerous security tools, security software and the conduction of research will be used to successfully complete the tasks given to me. This will ensure compliance with FISMA and NIST, secure systems and a secured network. By the end of this project, I hope to have carried out stated above as well as gain an immense knowledge about compliance, security tools, networks and network devices, policies and procedures.

Teaching and Assessment of Mathematical Principles for Software Correctness Using a Reasoning Concept Inventory

ERIC Educational Resources Information Center

Drachova-Strang, Svetlana V.

2013-01-01

As computing becomes ubiquitous, software correctness has a fundamental role in ensuring the safety and security of the systems we build. To design and develop software correctly according to their formal contracts, CS students, the future software practitioners, need to learn a critical set of skills that are necessary and sufficient for…

48 CFR 50.201 - Definitions.

Code of Federal Regulations, 2010 CFR

2010-10-01

... requirements or such other requirements as defined and specified by the Secretary of Homeland Security: (1) Is... otherwise cause, for which a SAFETY Act designation has been issued. For purposes of defining a QATT..., engineering services, software development services, software integration services, threat assessments...

48 CFR 50.201 - Definitions.

Code of Federal Regulations, 2013 CFR

2013-10-01

... requirements or such other requirements as defined and specified by the Secretary of Homeland Security: (1) Is... otherwise cause, for which a SAFETY Act designation has been issued. For purposes of defining a QATT..., engineering services, software development services, software integration services, threat assessments...

48 CFR 50.201 - Definitions.

Code of Federal Regulations, 2012 CFR

2012-10-01

... requirements or such other requirements as defined and specified by the Secretary of Homeland Security: (1) Is... otherwise cause, for which a SAFETY Act designation has been issued. For purposes of defining a QATT..., engineering services, software development services, software integration services, threat assessments...

48 CFR 50.201 - Definitions.

Code of Federal Regulations, 2011 CFR

2011-10-01

... requirements or such other requirements as defined and specified by the Secretary of Homeland Security: (1) Is... otherwise cause, for which a SAFETY Act designation has been issued. For purposes of defining a QATT..., engineering services, software development services, software integration services, threat assessments...

48 CFR 50.201 - Definitions.

Code of Federal Regulations, 2014 CFR

2014-10-01

... requirements or such other requirements as defined and specified by the Secretary of Homeland Security: (1) Is... otherwise cause, for which a SAFETY Act designation has been issued. For purposes of defining a QATT..., engineering services, software development services, software integration services, threat assessments...

Assessment of the Combat Developer’s Role in Post-Deployment Software Support (PDSS) 30 June 1980 - 28 February 1981. Volume IV.

DTIC Science & Technology

1981-01-31

Intelligence and Security Command (INSCOM), the US Army Communications Command (USACC), and the US Army Computer Systems Command (USACSC). (3...responsibilities of the US-Army Intelligence and Security Command (INSCOM), the US Army Communications Command (USACC), and the US Army Computer Systems...necessary to sustain, modify, and improve a deployed system’s computer software, as defined by the User or his representative. It includes evaluation

Proceedings Second Annual Cyber Security and Information Infrastructure Research Workshop

DOE Office of Scientific and Technical Information (OSTI.GOV)

Sheldon, Frederick T; Krings, Axel; Yoo, Seong-Moo

2006-01-01

The workshop theme is Cyber Security: Beyond the Maginot Line Recently the FBI reported that computer crime has skyrocketed costing over $67 billion in 2005 alone and affecting 2.8M+ businesses and organizations. Attack sophistication is unprecedented along with availability of open source concomitant tools. Private, academic, and public sectors invest significant resources in cyber security. Industry primarily performs cyber security research as an investment in future products and services. While the public sector also funds cyber security R&D, the majority of this activity focuses on the specific mission(s) of the funding agency. Thus, broad areas of cyber security remain neglectedmore » or underdeveloped. Consequently, this workshop endeavors to explore issues involving cyber security and related technologies toward strengthening such areas and enabling the development of new tools and methods for securing our information infrastructure critical assets. We aim to assemble new ideas and proposals about robust models on which we can build the architecture of a secure cyberspace including but not limited to: * Knowledge discovery and management * Critical infrastructure protection * De-obfuscating tools for the validation and verification of tamper-proofed software * Computer network defense technologies * Scalable information assurance strategies * Assessment-driven design for trust * Security metrics and testing methodologies * Validation of security and survivability properties * Threat assessment and risk analysis * Early accurate detection of the insider threat * Security hardened sensor networks and ubiquitous computing environments * Mobile software authentication protocols * A new "model" of the threat to replace the "Maginot Line" model and more . . .« less

Software Security Practices: Integrating Security into the SDLC

DTIC Science & Technology

2011-05-01

Software Security Practices Integrating Security into the SDLC Robert A. Martin HS SEDI is a trademark of the U.S. Department of Homeland Security...2011 to 00-00-2011 4. TITLE AND SUBTITLE Software Security Practices Integrating Security into the SDLC 5a. CONTRACT NUMBER 5b. GRANT NUMBER 5c...SEDI FFRDC is managed and operated by The MITRE Corporation for DHS. 4 y y w SDLC Integrating Security into a typical software development lifecycle

Security Code Red or Ready? Leaders Sharing--For Tech Leaders

ERIC Educational Resources Information Center

Hall, Don; Kelly, Pat

2005-01-01

Increasingly, teachers rely on computer software and networks to both enhance curriculum management and provide engaging learning opportunities in instruction. New software is enabling more frequent formative assessments to better focus day-to-day lessons on the unique needs of individual learners. Administrators use increasingly complex data…

78 FR 79564 - Discontinuance of Annual Financial Assessments-Delay in Implementation

Federal Register 2010, 2011, 2012, 2013, 2014

2013-12-30

... that due to delays in modifying computer software, VA is postponing implementation of this change. FOR... computer matching of income reported to the Internal Revenue Service (IRS) and Social Security... implemented by December 31, 2013. Due to delays in revising and updating supporting computer software, VA is...

Software security checklist for the software life cycle

NASA Technical Reports Server (NTRS)

Gilliam, D. P.; Wolfe, T. L.; Sherif, J. S.

2002-01-01

A formal approach to security in the software life cycle is essential to protect corporate resources. However, little thought has been given to this aspect of software development. Due to its criticality, security should be integrated as a formal approach in the software life cycle.

Secure it now or secure it later: the benefits of addressing cyber-security from the outset

NASA Astrophysics Data System (ADS)

Olama, Mohammed M.; Nutaro, James

2013-05-01

The majority of funding for research and development (R&D) in cyber-security is focused on the end of the software lifecycle where systems have been deployed or are nearing deployment. Recruiting of cyber-security personnel is similarly focused on end-of-life expertise. By emphasizing cyber-security at these late stages, security problems are found and corrected when it is most expensive to do so, thus increasing the cost of owning and operating complex software systems. Worse, expenditures on expensive security measures often mean less money for innovative developments. These unwanted increases in cost and potential slowing of innovation are unavoidable consequences of an approach to security that finds and remediate faults after software has been implemented. We argue that software security can be improved and the total cost of a software system can be substantially reduced by an appropriate allocation of resources to the early stages of a software project. By adopting a similar allocation of R&D funds to the early stages of the software lifecycle, we propose that the costs of cyber-security can be better controlled and, consequently, the positive effects of this R&D on industry will be much more pronounced.

Coordination and organization of security software process for power information application environment

NASA Astrophysics Data System (ADS)

Wang, Qiang

2017-09-01

As an important part of software engineering, the software process decides the success or failure of software product. The design and development feature of security software process is discussed, so is the necessity and the present significance of using such process. Coordinating the function software, the process for security software and its testing are deeply discussed. The process includes requirement analysis, design, coding, debug and testing, submission and maintenance. In each process, the paper proposed the subprocesses to support software security. As an example, the paper introduces the above process into the power information platform.

Genesis: A Framework for Achieving Software Component Diversity

DTIC Science & Technology

2007-01-01

correctly—the initial filters develop to fix the Hotmail vulnerability could be circumvented by using alternate character encodings4. Hence, we focus on...Remotely Exploitable Cross-Site Scripting in Hotmail and Yahoo, (March 2004); http://www.greymagic.com/security/advisories/gm005-mc/. 4...EyeonSecurity, Microsoft Passport Account Hijack Attack: Hacking Hotmail and More, Hacker’s Digest. 5. Y.-W. Huang et al., Web Application Security Assessment by

Using software security analysis to verify the secure socket layer (SSL) protocol

NASA Technical Reports Server (NTRS)

Powell, John D.

2004-01-01

nal Aeronautics and Space Administration (NASA) have tens of thousands of networked computer systems and applications. Software Security vulnerabilities present risks such as lost or corrupted data, information the3, and unavailability of critical systems. These risks represent potentially enormous costs to NASA. The NASA Code Q research initiative 'Reducing Software Security Risk (RSSR) Trough an Integrated Approach '' offers, among its capabilities, formal verification of software security properties, through the use of model based verification (MBV) to address software security risks. [1,2,3,4,5,6] MBV is a formal approach to software assurance that combines analysis of software, via abstract models, with technology, such as model checkers, that provide automation of the mechanical portions of the analysis process. This paper will discuss: The need for formal analysis to assure software systems with respect to software and why testing alone cannot provide it. The means by which MBV with a Flexible Modeling Framework (FMF) accomplishes the necessary analysis task. An example of FMF style MBV in the verification of properties over the Secure Socket Layer (SSL) communication protocol as a demonstration.

Software Development Life Cycle Security Issues

NASA Astrophysics Data System (ADS)

Kaur, Daljit; Kaur, Parminder

2011-12-01

Security is now-a-days one of the major problems because of many reasons. Security is now-a-days one of the major problems because of many reasons. The main cause is that software can't withstand security attacks because of vulnerabilities in it which are caused by defective specifications design and implementation. We have conducted a survey asking software developers, project managers and other people in software development about their security awareness and implementation in Software Development Life Cycle (SDLC). The survey was open to participation for three weeks and this paper explains the survey results.

Cross-Layer Damage Assessment for Cyber Situational Awareness

NASA Astrophysics Data System (ADS)

Liu, Peng; Jia, Xiaoqi; Zhang, Shengzhi; Xiong, Xi; Jhi, Yoon-Chan; Bai, Kun; Li, Jason

Damage assessment plays a very important role in securing enterprise networks and systems. Gaining good awareness about the effects and impact of cyber attack actions would enable security officers to make the right cyber defense decisions and take the right cyber defense actions. A good number of damage assessment techniques have been proposed in the literature, but they typically focus on a single abstraction level (of the software system in concern). As a result, existing damage assessment techniques and tools are still very limited in satisfying the needs of comprehensive damage assessment which should not result in any “blind spots”.

Final Technical Report on Quantifying Dependability Attributes of Software Based Safety Critical Instrumentation and Control Systems in Nuclear Power Plants

DOE Office of Scientific and Technical Information (OSTI.GOV)

Smidts, Carol; Huang, Funqun; Li, Boyuan

With the current transition from analog to digital instrumentation and control systems in nuclear power plants, the number and variety of software-based systems have significantly increased. The sophisticated nature and increasing complexity of software raises trust in these systems as a significant challenge. The trust placed in a software system is typically termed software dependability. Software dependability analysis faces uncommon challenges since software systems’ characteristics differ from those of hardware systems. The lack of systematic science-based methods for quantifying the dependability attributes in software-based instrumentation as well as control systems in safety critical applications has proved itself to be amore » significant inhibitor to the expanded use of modern digital technology in the nuclear industry. Dependability refers to the ability of a system to deliver a service that can be trusted. Dependability is commonly considered as a general concept that encompasses different attributes, e.g., reliability, safety, security, availability and maintainability. Dependability research has progressed significantly over the last few decades. For example, various assessment models and/or design approaches have been proposed for software reliability, software availability and software maintainability. Advances have also been made to integrate multiple dependability attributes, e.g., integrating security with other dependability attributes, measuring availability and maintainability, modeling reliability and availability, quantifying reliability and security, exploring the dependencies between security and safety and developing integrated analysis models. However, there is still a lack of understanding of the dependencies between various dependability attributes as a whole and of how such dependencies are formed. To address the need for quantification and give a more objective basis to the review process -- therefore reducing regulatory uncertainty -- measures and methods are needed to assess dependability attributes early on, as well as throughout the life-cycle process of software development. In this research, extensive expert opinion elicitation is used to identify the measures and methods for assessing software dependability. Semi-structured questionnaires were designed to elicit expert knowledge. A new notation system, Causal Mechanism Graphing, was developed to extract and represent such knowledge. The Causal Mechanism Graphs were merged, thus, obtaining the consensus knowledge shared by the domain experts. In this report, we focus on how software contributes to dependability. However, software dependability is not discussed separately from the context of systems or socio-technical systems. Specifically, this report focuses on software dependability, reliability, safety, security, availability, and maintainability. Our research was conducted in the sequence of stages found below. Each stage is further examined in its corresponding chapter. Stage 1 (Chapter 2): Elicitation of causal maps describing the dependencies between dependability attributes. These causal maps were constructed using expert opinion elicitation. This chapter describes the expert opinion elicitation process, the questionnaire design, the causal map construction method and the causal maps obtained. Stage 2 (Chapter 3): Elicitation of the causal map describing the occurrence of the event of interest for each dependability attribute. The causal mechanisms for the “event of interest” were extracted for each of the software dependability attributes. The “event of interest” for a dependability attribute is generally considered to be the “attribute failure”, e.g. security failure. The extraction was based on the analysis of expert elicitation results obtained in Stage 1. Stage 3 (Chapter 4): Identification of relevant measurements. Measures for the “events of interest” and their causal mechanisms were obtained from expert opinion elicitation for each of the software dependability attributes. The measures extracted are presented in this chapter. Stage 4 (Chapter 5): Assessment of the coverage of the causal maps via measures. Coverage was assessed to determine whether the measures obtained were sufficient to quantify software dependability, and what measures are further required. Stage 5 (Chapter 6): Identification of “missing” measures and measurement approaches for concepts not covered. New measures, for concepts that had not been covered sufficiently as determined in Stage 4, were identified using supplementary expert opinion elicitation as well as literature reviews. Stage 6 (Chapter 7): Building of a detailed quantification model based on the causal maps and measurements obtained. Ability to derive such a quantification model shows that the causal models and measurements derived from the previous stages (Stage 1 to Stage 5) can form the technical basis for developing dependability quantification models. Scope restrictions have led us to prioritize this demonstration effort. The demonstration was focused on a critical system, i.e. the reactor protection system. For this system, a ranking of the software dependability attributes by nuclear stakeholders was developed. As expected for this application, the stakeholder ranking identified safety as the most critical attribute to be quantified. A safety quantification model limited to the requirements phase of development was built. Two case studies were conducted for verification. A preliminary control gate for software safety for the requirements stage was proposed and applied to the first case study. The control gate allows a cost effective selection of the duration of the requirements phase.« less

Teaching and assessment of mathematical principles for software correctness using a reasoning concept inventory

NASA Astrophysics Data System (ADS)

Drachova-Strang, Svetlana V.

As computing becomes ubiquitous, software correctness has a fundamental role in ensuring the safety and security of the systems we build. To design and develop software correctly according to their formal contracts, CS students, the future software practitioners, need to learn a critical set of skills that are necessary and sufficient for reasoning about software correctness. This dissertation presents a systematic approach to both introducing these reasoning skills into the curriculum, and assessing how well the students have learned them. Specifically, it introduces a comprehensive Reasoning Concept Inventory (RCI) that captures the fine details of basic reasoning skills that are ideally learned across the undergraduate curriculum to reason about software correctness, to develop high quality software, and to understand why software works as specified. The RCI forms the basis for developing learning outcomes that help educators to assess the adequacy of current techniques and pinpoint necessary improvements. This dissertation contains results from experimentation and assessment over the past few years in multiple CS courses. The results show that the finer principles of mathematical reasoning of software correctness can be taught effectively and continuously improved with the help of the RCI using suitable teaching practices, and supporting methods and tools.

Software Security Knowledge: Training

DTIC Science & Technology

2011-05-01

eliminating those erro~rs. It can be found at http:ffcwe.mitre.org/top25. Any programmer who writes C’Ode \\r-Vith~out betng aware of those proble ~ms a·nd...time on security. Ultimately, these reasons stem from an underlying problem in the software market . B~cause software is essentially a black·box, it is...security of software and start to effect change in the software market . Nevertheless, we still frequently get pushback when we advocate for security

Software Security Assurance: A State-of-Art Report (SAR)

DTIC Science & Technology

2007-07-31

foes. Subversion or sabotage of a software-based temperature control in a nuclear power plant could result in a meltdown, while sabotage of avionic... resulting from research and development activities, and provide a comprehensive assessment of IA technologies. Topic areas for SOARs are solicited...243 6.1.11.1 Recent Research Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244 6.2

Flexible and Secure Computer-Based Assessment Using a Single Zip Disk

ERIC Educational Resources Information Center

Ko, C. C.; Cheng, C. D.

2008-01-01

Electronic examination systems, which include Internet-based system, require extremely complicated installation, configuration and maintenance of software as well as hardware. In this paper, we present the design and development of a flexible, easy-to-use and secure examination system (e-Test), in which any commonly used computer can be used as a…

Demographic-Based Perceptions of Adequacy of Software Security's Presence within Individual Phases of the Software Development Life Cycle

ERIC Educational Resources Information Center

Kramer, Aleksey

2013-01-01

The topic of software security has become paramount in information technology (IT) related scholarly research. Researchers have addressed numerous software security topics touching on all phases of the Software Development Life Cycle (SDLC): requirements gathering phase, design phase, development phase, testing phase, and maintenance phase.…

A review of video security training and assessment-systems and their applications

DOE Office of Scientific and Technical Information (OSTI.GOV)

Cellucci, J.; Hall, R.J.

1991-01-01

This paper reports that during the last 10 years computer-aided video data collection and playback systems have been used as nuclear facility security training and assessment tools with varying degrees of success. These mobile systems have been used by trained security personnel for response force training, vulnerability assessment, force-on-force exercises and crisis management. Typically, synchronous recordings from multiple video cameras, communications audio, and digital sensor inputs; are played back to the exercise participants and then edited for training and briefing. Factors that have influence user acceptance include: frequency of use, the demands placed on security personnel, fear of punishment, usermore » training requirements and equipment cost. The introduction of S-VHS video and new software for scenario planning, video editing and data reduction; should bring about a wider range of security applications and supply the opportunity for significant cost sharing with other user groups.« less

Software Assurance in Acquisition: Mitigating Risks to the Enterprise. A Reference Guide for Security-Enhanced Software Acquisition and Outsourcing

DTIC Science & Technology

2009-02-01

management, available at <http://www.iso.org/ iso /en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=39612&ICS1=35&ICS2=40 &ICS3=>. ISO /IEC 27001 . Information...Management of the Systems Engineering Process. [ ISO /IEC 27001 ] ISO /IEC 27001 :2005. Information technology -- Security techniques -- Information security...software life cycles [ ISO /IEC 15026]. Software assurance is a key element of national security and homeland security. It is critical because dramatic

Proactive Security Testing and Fuzzing

NASA Astrophysics Data System (ADS)

Takanen, Ari

Software is bound to have security critical flaws, and no testing or code auditing can ensure that software is flaw-less. But software security testing requirements have improved radically during the past years, largely due to criticism from security conscious consumers and Enterprise customers. Whereas in the past, security flaws were taken for granted (and patches were quietly and humbly installed), they now are probably one of the most common reasons why people switch vendors or software providers. The maintenance costs from security updates often add to become one of the biggest cost items to large Enterprise users. Fortunately test automation techniques have also improved. Techniques like model-based testing (MBT) enable efficient generation of security tests that reach good confidence levels in discovering zero-day mistakes in software. This technique is called fuzzing.

Automating Risk Analysis of Software Design Models

PubMed Central

Ruiz, Guifré; Heymann, Elisa; César, Eduardo; Miller, Barton P.

2014-01-01

The growth of the internet and networked systems has exposed software to an increased amount of security threats. One of the responses from software developers to these threats is the introduction of security activities in the software development lifecycle. This paper describes an approach to reduce the need for costly human expertise to perform risk analysis in software, which is common in secure development methodologies, by automating threat modeling. Reducing the dependency on security experts aims at reducing the cost of secure development by allowing non-security-aware developers to apply secure development with little to no additional cost, making secure development more accessible. To automate threat modeling two data structures are introduced, identification trees and mitigation trees, to identify threats in software designs and advise mitigation techniques, while taking into account specification requirements and cost concerns. These are the components of our model for automated threat modeling, AutSEC. We validated AutSEC by implementing it in a tool based on data flow diagrams, from the Microsoft security development methodology, and applying it to VOMS, a grid middleware component, to evaluate our model's performance. PMID:25136688

Automating risk analysis of software design models.

PubMed

Frydman, Maxime; Ruiz, Guifré; Heymann, Elisa; César, Eduardo; Miller, Barton P

2014-01-01

The growth of the internet and networked systems has exposed software to an increased amount of security threats. One of the responses from software developers to these threats is the introduction of security activities in the software development lifecycle. This paper describes an approach to reduce the need for costly human expertise to perform risk analysis in software, which is common in secure development methodologies, by automating threat modeling. Reducing the dependency on security experts aims at reducing the cost of secure development by allowing non-security-aware developers to apply secure development with little to no additional cost, making secure development more accessible. To automate threat modeling two data structures are introduced, identification trees and mitigation trees, to identify threats in software designs and advise mitigation techniques, while taking into account specification requirements and cost concerns. These are the components of our model for automated threat modeling, AutSEC. We validated AutSEC by implementing it in a tool based on data flow diagrams, from the Microsoft security development methodology, and applying it to VOMS, a grid middleware component, to evaluate our model's performance.

Cardiovascular imaging environment: will the future be cloud-based?

PubMed

Kawel-Boehm, Nadine; Bluemke, David A

2017-07-01

In cardiovascular CT and MR imaging large datasets have to be stored, post-processed, analyzed and distributed. Beside basic assessment of volume and function in cardiac magnetic resonance imaging e.g., more sophisticated quantitative analysis is requested requiring specific software. Several institutions cannot afford various types of software and provide expertise to perform sophisticated analysis. Areas covered: Various cloud services exist related to data storage and analysis specifically for cardiovascular CT and MR imaging. Instead of on-site data storage, cloud providers offer flexible storage services on a pay-per-use basis. To avoid purchase and maintenance of specialized software for cardiovascular image analysis, e.g. to assess myocardial iron overload, MR 4D flow and fractional flow reserve, evaluation can be performed with cloud based software by the consumer or complete analysis is performed by the cloud provider. However, challenges to widespread implementation of cloud services include regulatory issues regarding patient privacy and data security. Expert commentary: If patient privacy and data security is guaranteed cloud imaging is a valuable option to cope with storage of large image datasets and offer sophisticated cardiovascular image analysis for institutions of all sizes.

SHI(EL)DS: A Novel Hardware-Based Security Backplane to Enhance Security with Minimal Impact to System Operation

DTIC Science & Technology

2008-03-01

executables. The current roadblock to detecting Type I Malware consistantly is the practice of legitimate software , such as antivirus programs, using this... Software Security Systems . . 31 3.2.2 Advantages of Hardware . . . . . . . . . . . . . 32 3.2.3 Trustworthiness of Information . . . . . . . . . 33...Towards a Hardware Security Backplane . . . . . . . . . 42 IV. Review of State of the Art Computer Security Solutions . . . . . 46 4.1 Software

Interactive Programming Support for Secure Software Development

ERIC Educational Resources Information Center

Xie, Jing

2012-01-01

Software vulnerabilities originating from insecure code are one of the leading causes of security problems people face today. Unfortunately, many software developers have not been adequately trained in writing secure programs that are resistant from attacks violating program confidentiality, integrity, and availability, a style of programming…

Security Assessment Simulation Toolkit (SAST) Final Report

DOE Office of Scientific and Technical Information (OSTI.GOV)

Meitzler, Wayne D.; Ouderkirk, Steven J.; Hughes, Chad O.

2009-11-15

The Department of Defense Technical Support Working Group (DoD TSWG) investment in the Pacific Northwest National Laboratory (PNNL) Security Assessment Simulation Toolkit (SAST) research planted a technology seed that germinated into a suite of follow-on Research and Development (R&D) projects culminating in software that is used by multiple DoD organizations. The DoD TSWG technology transfer goal for SAST is already in progress. The Defense Information Systems Agency (DISA), the Defense-wide Information Assurance Program (DIAP), the Marine Corps, Office Of Naval Research (ONR) National Center For Advanced Secure Systems Research (NCASSR) and Office Of Secretary Of Defense International Exercise Program (OSDmore » NII) are currently investing to take SAST to the next level. PNNL currently distributes the software to over 6 government organizations and 30 DoD users. For the past five DoD wide Bulwark Defender exercises, the adoption of this new technology created an expanding role for SAST. In 2009, SAST was also used in the OSD NII International Exercise and is currently scheduled for use in 2010.« less

Susceptibility of SCADA systems and the energy sector

NASA Astrophysics Data System (ADS)

Goike, Lindsay

The research in this paper focused on analyzing SCADA systems in the energy sector for susceptibility to cyber attacks, in furtherance of providing suggestions to mitigate current and future cyber attacks. The research will be addressing the questions: how are SCADA systems susceptible to cyber attacks, and what are the suggested ways to mitigate both current and future cyber attacks. The five main categories of security vulnerabilities facing current SCADA systems were found to be: connectivity to the Internet, failure to plan, interdependency of sectors, numerous different types of threats, and outdated software. Some of the recommendations mentioned to mitigate current and future risks were: virtual private networks, risk assessments, increased physical security, updating of software, and firewalls.

Systems Security Engineering

DTIC Science & Technology

2010-08-22

Commission (IEC). “Information technology — Security techniques — Code of practice for information security management ( ISO /IEC 27002 ...Information technology — Security techniques — Information security management systems —Requirements ( ISO /IEC 27002 ),”, “Information technology — Security...was a draft ISO standard on Systems and software engineering, Systems and software assurance [18]. Created by systems engineers for systems

Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector

DTIC Science & Technology

2005-06-01

as a computer fraud case investigated by the Secret Service. Each case was analyzed from a behavioral and a technical perspective to identify...insider threat and address the issue from an approach that draws on human resources, corporate security, and information security perspectives. The ... Secret Service National Threat Assessment Center and the CERT Coordination Center of Carnegie Mellon University’s Software Engineering Institute joined

Secure software practices among Malaysian software practitioners: An exploratory study

NASA Astrophysics Data System (ADS)

Mohamed, Shafinah Farvin Packeer; Baharom, Fauziah; Deraman, Aziz; Yahya, Jamaiah; Mohd, Haslina

2016-08-01

Secure software practices is increasingly gaining much importance among software practitioners and researchers due to the rise of computer crimes in the software industry. It has become as one of the determinant factors for producing high quality software. Even though its importance has been revealed, its current practice in the software industry is still scarce, particularly in Malaysia. Thus, an exploratory study is conducted among software practitioners in Malaysia to study their experiences and practices in the real-world projects. This paper discusses the findings from the study, which involved 93 software practitioners. Structured questionnaire is utilized for data collection purpose whilst statistical methods such as frequency, mean, and cross tabulation are used for data analysis. Outcomes from this study reveal that software practitioners are becoming increasingly aware on the importance of secure software practices, however, they lack of appropriate implementation, which could affect the quality of produced software.

Users Do the Darndest Things: True Stories from the CyLab Usable Privacy and Security Laboratory

NASA Astrophysics Data System (ADS)

Cranor, Lorrie Faith

How can we make security and privacy software more usable? The first step is to study our users. Ideally, we would watch them interacting with security or privacy software in situations where they face actual risk. But everyday computer users don't sit around fiddling with security software, and subjecting users to actual security attacks raises ethical and legal concerns. Thus, it can be difficult to observe users interacting with security and privacy software in their natural habitat. At the CyLab Usable Privacy and Security Laboratory, we've conducted a wide variety of studies aimed at understanding how users think about security and privacy and how they interact with security and privacy software. In this talk I'll give a behind the scenes tour of some of the techniques we've used to study users both in the laboratory and in the wild. I'll discuss the trials and tribulations of designing and carrying out security and privacy user studies, and highlight some of our surprising observations. Find out what privacy-sensitive items you can actually get study participants to purchase, how you can observe users' responses to a man-in-the-middle attack without actually conducting such an attack, why it's hard to get people to use high tech cell phones even when you give them away, and what's actually in that box behind the couch in my office.

Evaluating Software Assurance Knowledge and Competency of Acquisition Professionals

DTIC Science & Technology

2014-10-01

of ISO 12207 -2008, both internationally and in the United States [7]. That standard documents a comprehensive set of activities and supporting...grows, organizations must ensure that their procurement agents acquire high quality, secure software. ISO 12207 and the Software Assurance Competency...cyberattacks grows, organizations must ensure that their procurement agents acquire high quality, secure software. ISO 12207 and the Software Assurance

Open source IPSEC software in manned and unmanned space missions

NASA Astrophysics Data System (ADS)

Edwards, Jacob

Network security is a major topic of research because cyber attackers pose a threat to national security. Securing ground-space communications for NASA missions is important because attackers could endanger mission success and human lives. This thesis describes how an open source IPsec software package was used to create a secure and reliable channel for ground-space communications. A cost efficient, reproducible hardware testbed was also created to simulate ground-space communications. The testbed enables simulation of low-bandwidth and high latency communications links to experiment how the open source IPsec software reacts to these network constraints. Test cases were built that allowed for validation of the testbed and the open source IPsec software. The test cases also simulate using an IPsec connection from mission control ground routers to points of interest in outer space. Tested open source IPsec software did not meet all the requirements. Software changes were suggested to meet requirements.

A Cyber Security Self-Assessment Method for Nuclear Power Plants

DOE Office of Scientific and Technical Information (OSTI.GOV)

Glantz, Clifford S.; Coles, Garill A.; Bass, Robert B.

2004-11-01

A cyber security self-assessment method (the Method) has been developed by Pacific Northwest National Laboratory. The development of the Method was sponsored and directed by the U.S. Nuclear Regulatory Commission. Members of the Nuclear Energy Institute Cyber Security Task Force also played a substantial role in developing the Method. The Method's structured approach guides nuclear power plants in scrutinizing their digital systems, assessing the potential consequences to the plant of a cyber exploitation, identifying vulnerabilities, estimating cyber security risks, and adopting cost-effective protective measures. The focus of the Method is on critical digital assets. A critical digital asset is amore » digital device or system that plays a role in the operation, maintenance, or proper functioning of a critical system (i.e., a plant system that can impact safety, security, or emergency preparedness). A critical digital asset may have a direct or indirect connection to a critical system. Direct connections include both wired and wireless communication pathways. Indirect connections include sneaker-net pathways by which software or data are manually transferred from one digital device to another. An indirect connection also may involve the use of instructions or data stored on a critical digital asset to make adjustments to a critical system. The cyber security self-assessment begins with the formation of an assessment team, and is followed by a six-stage process.« less

A taxonomy and discussion of software attack technologies

NASA Astrophysics Data System (ADS)

Banks, Sheila B.; Stytz, Martin R.

2005-03-01

Software is a complex thing. It is not an engineering artifact that springs forth from a design by simply following software coding rules; creativity and the human element are at the heart of the process. Software development is part science, part art, and part craft. Design, architecture, and coding are equally important activities and in each of these activities, errors may be introduced that lead to security vulnerabilities. Therefore, inevitably, errors enter into the code. Some of these errors are discovered during testing; however, some are not. The best way to find security errors, whether they are introduced as part of the architecture development effort or coding effort, is to automate the security testing process to the maximum extent possible and add this class of tools to the tools available, which aids in the compilation process, testing, test analysis, and software distribution. Recent technological advances, improvements in computer-generated forces (CGFs), and results in research in information assurance and software protection indicate that we can build a semi-intelligent software security testing tool. However, before we can undertake the security testing automation effort, we must understand the scope of the required testing, the security failures that need to be uncovered during testing, and the characteristics of the failures. Therefore, we undertook the research reported in the paper, which is the development of a taxonomy and a discussion of software attacks generated from the point of view of the security tester with the goal of using the taxonomy to guide the development of the knowledge base for the automated security testing tool. The representation for attacks and threat cases yielded by this research captures the strategies, tactics, and other considerations that come into play during the planning and execution of attacks upon application software. The paper is organized as follows. Section one contains an introduction to our research and a discussion of the motivation for our work. Section two contains a presents our taxonomy of software attacks and a discussion of the strategies employed and general weaknesses exploited for each attack. Section three contains a summary and suggestions for further research.

Process Improvement Should Link to Security: SEPG 2007 Security Track Recap

DTIC Science & Technology

2007-09-01

the Systems Security Engineering Capability Maturity Model (SSE- CMM / ISO 21827) and its use in system software developments ...software development life cycle ( SDLC )? 6. In what ways should process improvement support security in the SDLC ? 1.2 10BPANEL RESOURCES For each... project management, and support practices through the use of the capability maturity models including the CMMI and the Systems Security

Applying New Network Security Technologies to SCADA Systems.

DOE Office of Scientific and Technical Information (OSTI.GOV)

Hurd, Steven A; Stamp, Jason Edwin; Duggan, David P

2006-11-01

Supervisory Control and Data Acquisition (SCADA) systems for automation are very important for critical infrastructure and manufacturing operations. They have been implemented to work in a number of physical environments using a variety of hardware, software, networking protocols, and communications technologies, often before security issues became of paramount concern. To offer solutions to security shortcomings in the short/medium term, this project was to identify technologies used to secure "traditional" IT networks and systems, and then assess their efficacy with respect to SCADA systems. These proposed solutions must be relatively simple to implement, reliable, and acceptable to SCADA owners and operators.more » 4This page intentionally left blank.« less

An Architecture, System Engineering, and Acquisition Approach for Space System Software Resiliency

NASA Astrophysics Data System (ADS)

Phillips, Dewanne Marie

Software intensive space systems can harbor defects and vulnerabilities that may enable external adversaries or malicious insiders to disrupt or disable system functions, risking mission compromise or loss. Mitigating this risk demands a sustained focus on the security and resiliency of the system architecture including software, hardware, and other components. Robust software engineering practices contribute to the foundation of a resilient system so that the system "can take a hit to a critical component and recover in a known, bounded, and generally acceptable period of time". Software resiliency must be a priority and addressed early in the life cycle development to contribute a secure and dependable space system. Those who develop, implement, and operate software intensive space systems must determine the factors and systems engineering practices to address when investing in software resiliency. This dissertation offers methodical approaches for improving space system resiliency through software architecture design, system engineering, increased software security, thereby reducing the risk of latent software defects and vulnerabilities. By providing greater attention to the early life cycle phases of development, we can alter the engineering process to help detect, eliminate, and avoid vulnerabilities before space systems are delivered. To achieve this objective, this dissertation will identify knowledge, techniques, and tools that engineers and managers can utilize to help them recognize how vulnerabilities are produced and discovered so that they can learn to circumvent them in future efforts. We conducted a systematic review of existing architectural practices, standards, security and coding practices, various threats, defects, and vulnerabilities that impact space systems from hundreds of relevant publications and interviews of subject matter experts. We expanded on the system-level body of knowledge for resiliency and identified a new software architecture framework and acquisition methodology to improve the resiliency of space systems from a software perspective with an emphasis on the early phases of the systems engineering life cycle. This methodology involves seven steps: 1) Define technical resiliency requirements, 1a) Identify standards/policy for software resiliency, 2) Develop a request for proposal (RFP)/statement of work (SOW) for resilient space systems software, 3) Define software resiliency goals for space systems, 4) Establish software resiliency quality attributes, 5) Perform architectural tradeoffs and identify risks, 6) Conduct architecture assessments as part of the procurement process, and 7) Ascertain space system software architecture resiliency metrics. Data illustrates that software vulnerabilities can lead to opportunities for malicious cyber activities, which could degrade the space mission capability for the user community. Reducing the number of vulnerabilities by improving architecture and software system engineering practices can contribute to making space systems more resilient. Since cyber-attacks are enabled by shortfalls in software, robust software engineering practices and an architectural design are foundational to resiliency, which is a quality that allows the system to "take a hit to a critical component and recover in a known, bounded, and generally acceptable period of time". To achieve software resiliency for space systems, acquirers and suppliers must identify relevant factors and systems engineering practices to apply across the lifecycle, in software requirements analysis, architecture development, design, implementation, verification and validation, and maintenance phases.

Computing Legacy Software Behavior to Understand Functionality and Security Properties: An IBM/370 Demonstration

DOE Office of Scientific and Technical Information (OSTI.GOV)

Linger, Richard C; Pleszkoch, Mark G; Prowell, Stacy J

Organizations maintaining mainframe legacy software can benefit from code modernization and incorporation of security capabilities to address the current threat environment. Oak Ridge National Laboratory is developing the Hyperion system to compute the behavior of software as a means to gain understanding of software functionality and security properties. Computation of functionality is critical to revealing security attributes, which are in fact specialized functional behaviors of software. Oak Ridge is collaborating with MITRE Corporation to conduct a demonstration project to compute behavior of legacy IBM Assembly Language code for a federal agency. The ultimate goal is to understand functionality and securitymore » vulnerabilities as a basis for code modernization. This paper reports on the first phase, to define functional semantics for IBM Assembly instructions and conduct behavior computation experiments.« less

Capturing security requirements for software systems.

PubMed

El-Hadary, Hassan; El-Kassas, Sherif

2014-07-01

Security is often an afterthought during software development. Realizing security early, especially in the requirement phase, is important so that security problems can be tackled early enough before going further in the process and avoid rework. A more effective approach for security requirement engineering is needed to provide a more systematic way for eliciting adequate security requirements. This paper proposes a methodology for security requirement elicitation based on problem frames. The methodology aims at early integration of security with software development. The main goal of the methodology is to assist developers elicit adequate security requirements in a more systematic way during the requirement engineering process. A security catalog, based on the problem frames, is constructed in order to help identifying security requirements with the aid of previous security knowledge. Abuse frames are used to model threats while security problem frames are used to model security requirements. We have made use of evaluation criteria to evaluate the resulting security requirements concentrating on conflicts identification among requirements. We have shown that more complete security requirements can be elicited by such methodology in addition to the assistance offered to developers to elicit security requirements in a more systematic way.

Capturing security requirements for software systems

PubMed Central

El-Hadary, Hassan; El-Kassas, Sherif

2014-01-01

Security is often an afterthought during software development. Realizing security early, especially in the requirement phase, is important so that security problems can be tackled early enough before going further in the process and avoid rework. A more effective approach for security requirement engineering is needed to provide a more systematic way for eliciting adequate security requirements. This paper proposes a methodology for security requirement elicitation based on problem frames. The methodology aims at early integration of security with software development. The main goal of the methodology is to assist developers elicit adequate security requirements in a more systematic way during the requirement engineering process. A security catalog, based on the problem frames, is constructed in order to help identifying security requirements with the aid of previous security knowledge. Abuse frames are used to model threats while security problem frames are used to model security requirements. We have made use of evaluation criteria to evaluate the resulting security requirements concentrating on conflicts identification among requirements. We have shown that more complete security requirements can be elicited by such methodology in addition to the assistance offered to developers to elicit security requirements in a more systematic way. PMID:25685514

Code White: A Signed Code Protection Mechanism for Smartphones

DTIC Science & Technology

2010-09-01

analogous to computer security is the use of antivirus (AV) software . 12 AV software is a brute force approach to security. The software ...these users, numerous malicious programs have also surfaced. And while smartphones have desktop-like capabilities to execute software , they do not...11 2.3.1 Antivirus and Mobile Phones ............................................................... 11 2.3.2

Supporting the Use of CERT (registered trademark) Secure Coding Standards in DoD Acquisitions

DTIC Science & Technology

2012-07-01

Capability Maturity Model IntegrationSM (CMMI®) [Davis 2009]. SM Team Software Process, TSP, and Capability Maturity Model Integration are service...STP Software Test Plan TEP Test and Evaluation Plan TSP Team Software Process V & V verification and validation CMU/SEI-2012-TN-016 | 47...Supporting the Use of CERT® Secure Coding Standards in DoD Acquisitions Tim Morrow ( Software Engineering Institute) Robert Seacord ( Software

Tools for Administration of a UNIX-Based Network

NASA Technical Reports Server (NTRS)

LeClaire, Stephen; Farrar, Edward

2004-01-01

Several computer programs have been developed to enable efficient administration of a large, heterogeneous, UNIX-based computing and communication network that includes a variety of computers connected to a variety of subnetworks. One program provides secure software tools for administrators to create, modify, lock, and delete accounts of specific users. This program also provides tools for users to change their UNIX passwords and log-in shells. These tools check for errors. Another program comprises a client and a server component that, together, provide a secure mechanism to create, modify, and query quota levels on a network file system (NFS) mounted by use of the VERITAS File SystemJ software. The client software resides on an internal secure computer with a secure Web interface; one can gain access to the client software from any authorized computer capable of running web-browser software. The server software resides on a UNIX computer configured with the VERITAS software system. Directories where VERITAS quotas are applied are NFS-mounted. Another program is a Web-based, client/server Internet Protocol (IP) address tool that facilitates maintenance lookup of information about IP addresses for a network of computers.

Software Assurance Curriculum Project Volume 2: Undergraduate Course Outlines

DTIC Science & Technology

2010-08-01

Contents Acknowledgments iii Abstract v 1 An Undergraduate Curriculum Focus on Software Assurance 1 2 Computer Science I 7 3 Computer Science II...confidence that can be integrated into traditional software development and acquisition process models . Thus, in addition to a technology focus...testing throughout the software development life cycle ( SDLC ) AP Security and complexity—system development challenges: security failures

Addressing Software Security

NASA Technical Reports Server (NTRS)

Bailey, Brandon

2015-01-01

Historically security within organizations was thought of as an IT function (web sites/servers, email, workstation patching, etc.) Threat landscape has evolved (Script Kiddies, Hackers, Advanced Persistent Threat (APT), Nation States, etc.) Attack surface has expanded -Networks interconnected!! Some security posture factors Network Layer (Routers, Firewalls, etc.) Computer Network Defense (IPS/IDS, Sensors, Continuous Monitoring, etc.) Industrial Control Systems (ICS) Software Security (COTS, FOSS, Custom, etc.)

[Application of password manager software in health care].

PubMed

Ködmön, József

2016-12-01

When using multiple IT systems, handling of passwords in a secure manner means a potential source of problem. The most frequent issues are choosing the appropriate length and complexity, and then remembering the strong passwords. Password manager software provides a good solution for this problem, while greatly increasing the security of sensitive medical data. This article introduces a password manager software and provides basic information of the application. It also discusses how to select a really secure password manager software and suggests a practical application to efficient, safe and comfortable use for health care. Orv. Hetil., 2016, 157(52), 2066-2073.

Cyber / Physical Security Vulnerability Assessment Integration

DOE Office of Scientific and Technical Information (OSTI.GOV)

MacDonald, Douglas G.; Simpkins, Bret E.

Abstract Both physical protection and cyber security domains offer solutions for the discovery of vulnerabilities through the use of various assessment processes and software tools. Each vulnerability assessment (VA) methodology provides the ability to identify and categorize vulnerabilities, and quantifies the risks within their own areas of expertise. Neither approach fully represents the true potential security risk to a site and/or a facility, nor comprehensively assesses the overall security posture. The technical approach to solving this problem was to identify methodologies and processes that blend the physical and cyber security assessments, and develop tools to accurately quantify the unaccounted formore » risk. SMEs from both the physical and the cyber security domains developed the blending methodologies, and cross trained each other on the various aspects of the physical and cyber security assessment processes. A local critical infrastructure entity volunteered to host a proof of concept physical/cyber security assessment, and the lessons learned have been leveraged by this effort. The four potential modes of attack an adversary can use in approaching a target are; Physical Only Attack, Cyber Only Attack, Physical Enabled Cyber Attack, and the Cyber Enabled Physical Attack. The Physical Only and the Cyber Only pathway analysis are two of the most widely analyzed attack modes. The pathway from an off-site location to the desired target location is dissected to ensure adversarial activity can be detected and neutralized by the protection strategy, prior to completion of a predefined task. This methodology typically explores a one way attack from the public space (or common area) inward towards the target. The Physical Enabled Cyber Attack and the Cyber Enabled Physical Attack are much more intricate. Both scenarios involve beginning in one domain to affect change in the other, then backing outward to take advantage of the reduced system effectiveness, before penetrating further into the defenses. The proper identification and assessment of the overlapping areas (and interaction between these areas) in the VA process is necessary to accurately assess the true risk.« less

Situated Usability Testing for Security Systems

DOE Office of Scientific and Technical Information (OSTI.GOV)

Greitzer, Frank L.

2011-03-02

While usability testing is well established, assessing the usability of security software, tools, or methods deserves more careful consideration. It has been argued that dealing with security has become too difficult for individuals or organizations to manage effectively or to use conveniently. As difficult as it is for system administrators and developers to deal with, security is even more challenging for casual users. Indeed, it is much too easy for casual/home users to configure the security of their systems in non-optimal ways that leave their systems inadvertently insecure. This is exacerbated by the fact that casual users are focused onmore » matters other than security, and likely would prefer not even to think about security. This brief report argues that when security and/or privacy are part of the equation, traditional methods for usability testing should be re-considered. The purpose of this brief report is to argue for and outline a method associated with a new approach to usability testing for examining usable security issues.« less

Reinforcements, ammunition limits, and termination of neutralization engagements in ASSESS

DOE Office of Scientific and Technical Information (OSTI.GOV)

Paulus, W.K.; Mondragon, J.

1991-01-01

This paper reports on the ASSESS Neutralization Analysis module (Neutralization) which is part of Analytic system and Software for Evaluation of Safeguards and Security, ASSESS, a vulnerability assessment tool. Neutralization models a fire fight engagement between security inspectors (SIs) and adversaries. The model has been improved to represent more realistically the addition of reinforcements to an engagement, the criteria for declaring an engagement terminated, and the amount of ammunition which security forces can use. SI reinforcements must prevent adversaries from achieving their purpose even if an initial security force has been overcome. The reinforcements must be timely. A variety ofmore » reinforcement timeliness cases can be modeled. Reinforcements that are not timely are shown to be ineffective in the calculated results. Engagements may terminate before all combatants on one side are neutralized if they recognize that they are losing. A winner is declared when the number of survivors on one side is reduced to a user specified level. Realistically, the amount of ammunition that can be carried into an engagement is limited. Neutralization now permits the analyst to specify the number of rounds available to the security forces initially and the quantity of resupply that is introduced with reinforcements. These new capabilities all contribute toward more realistic modeling of neutralization engagements.« less

Moving Secure Software Assurance into Higher Education: A Roadmap for Change

DTIC Science & Technology

2011-06-02

Summarized: The Issue: 6/2/20118 Software defects are currently a fact of life Software defects are avenues of security vulnerabilities that cyber ... criminals , terrorists, or hostile nations can exploit. We (THE ENTIRE INDUSTY) need to change the way we build systems Decrease the number of defects

Sandia National Laboratories Advanced Simulation and Computing (ASC) software quality plan : ASC software quality engineering practices Version 3.0.

DOE Office of Scientific and Technical Information (OSTI.GOV)

Turgeon, Jennifer L.; Minana, Molly A.; Hackney, Patricia

2009-01-01

The purpose of the Sandia National Laboratories (SNL) Advanced Simulation and Computing (ASC) Software Quality Plan is to clearly identify the practices that are the basis for continually improving the quality of ASC software products. Quality is defined in the US Department of Energy/National Nuclear Security Agency (DOE/NNSA) Quality Criteria, Revision 10 (QC-1) as 'conformance to customer requirements and expectations'. This quality plan defines the SNL ASC Program software quality engineering (SQE) practices and provides a mapping of these practices to the SNL Corporate Process Requirement (CPR) 001.3.6; 'Corporate Software Engineering Excellence'. This plan also identifies ASC management's and themore » software project teams responsibilities in implementing the software quality practices and in assessing progress towards achieving their software quality goals. This SNL ASC Software Quality Plan establishes the signatories commitments to improving software products by applying cost-effective SQE practices. This plan enumerates the SQE practices that comprise the development of SNL ASC's software products and explains the project teams opportunities for tailoring and implementing the practices.« less

Statistics of software vulnerability detection in certification testing

NASA Astrophysics Data System (ADS)

Barabanov, A. V.; Markov, A. S.; Tsirlov, V. L.

2018-05-01

The paper discusses practical aspects of introduction of the methods to detect software vulnerability in the day-to-day activities of the accredited testing laboratory. It presents the approval results of the vulnerability detection methods as part of the study of the open source software and the software that is a test object of the certification tests under information security requirements, including software for communication networks. Results of the study showing the allocation of identified vulnerabilities by types of attacks, country of origin, programming languages used in the development, methods for detecting vulnerability, etc. are given. The experience of foreign information security certification systems related to the detection of certified software vulnerabilities is analyzed. The main conclusion based on the study is the need to implement practices for developing secure software in the development life cycle processes. The conclusions and recommendations for the testing laboratories on the implementation of the vulnerability analysis methods are laid down.

DEVELOPMENT AND APPLICATIONS OF CFD SIMULATIONS SUPPORTING URBAN AIR QUALITY AND HOMELAND SECURITY

EPA Science Inventory

Prior to September 11, 2001 developments of Computational Fluid Dynamics (CFD) were begun to support air quality applications. CFD models are emerging as a promising technology for such assessments, in part due to the advancing power of computational hardware and software. CFD si...

TH-A-12A-01: Medical Physicist's Role in Digital Information Security: Threats, Vulnerabilities and Best Practices

DOE Office of Scientific and Technical Information (OSTI.GOV)

McDonald, K; Curran, B

I. Information Security Background (Speaker = Kevin McDonald) Evolution of Medical Devices Living and Working in a Hostile Environment Attack Motivations Attack Vectors Simple Safety Strategies Medical Device Security in the News Medical Devices and Vendors Summary II. Keeping Radiation Oncology IT Systems Secure (Speaker = Bruce Curran) Hardware Security Double-lock Requirements “Foreign” computer systems Portable Device Encryption Patient Data Storage System Requirements Network Configuration Isolating Critical Devices Isolating Clinical Networks Remote Access Considerations Software Applications / Configuration Passwords / Screen Savers Restricted Services / access Software Configuration Restriction Use of DNS to restrict accesse. Patches / Upgrades Awareness Intrusionmore » Prevention Intrusion Detection Threat Risk Analysis Conclusion Learning Objectives: Understanding how Hospital IT Requirements affect Radiation Oncology IT Systems. Illustrating sample practices for hardware, network, and software security. Discussing implementation of good IT security practices in radiation oncology. Understand overall risk and threats scenario in a networked environment.« less

Use of the NetBeans Platform for NASA Robotic Conjunction Assessment Risk Analysis

NASA Technical Reports Server (NTRS)

Sabey, Nickolas J.

2014-01-01

The latest Java and JavaFX technologies are very attractive software platforms for customers involved in space mission operations such as those of NASA and the US Air Force. For NASA Robotic Conjunction Assessment Risk Analysis (CARA), the NetBeans platform provided an environment in which scalable software solutions could be developed quickly and efficiently. Both Java 8 and the NetBeans platform are in the process of simplifying CARA development in secure environments by providing a significant amount of capability in a single accredited package, where accreditation alone can account for 6-8 months for each library or software application. Capabilities either in use or being investigated by CARA include: 2D and 3D displays with JavaFX, parallelization with the new Streams API, and scalability through the NetBeans plugin architecture.

Guidelines for computer security in general practice.

PubMed

Schattner, Peter; Pleteshner, Catherine; Bhend, Heinz; Brouns, Johan

2007-01-01

As general practice becomes increasingly computerised, data security becomes increasingly important for both patient health and the efficient operation of the practice. To develop guidelines for computer security in general practice based on a literature review, an analysis of available information on current practice and a series of key stakeholder interviews. While the guideline was produced in the context of Australian general practice, we have developed a template that is also relevant for other countries. Current data on computer security measures was sought from Australian divisions of general practice. Semi-structured interviews were conducted with general practitioners (GPs), the medical software industry, senior managers within government responsible for health IT (information technology) initiatives, technical IT experts, divisions of general practice and a member of a health information consumer group. The respondents were asked to assess both the likelihood and the consequences of potential risks in computer security being breached. The study suggested that the most important computer security issues in general practice were: the need for a nominated IT security coordinator; having written IT policies, including a practice disaster recovery plan; controlling access to different levels of electronic data; doing and testing backups; protecting against viruses and other malicious codes; installing firewalls; undertaking routine maintenance of hardware and software; and securing electronic communication, for example via encryption. This information led to the production of computer security guidelines, including a one-page summary checklist, which were subsequently distributed to all GPs in Australia. This paper maps out a process for developing computer security guidelines for general practice. The specific content will vary in different countries according to their levels of adoption of IT, and cultural, technical and other health service factors. Making these guidelines relevant to local contexts should help maximise their uptake.

VoIP for Telerehabilitation: A Pilot Usability Study for HIPAA Compliance

PubMed Central

Watzlaf, Valerie R.; Ondich, Briana

2012-01-01

Consumer-based, free Voice and video over the Internet Protocol (VoIP) software systems such as Skype and others are used by health care providers to deliver telerehabilitation and other health-related services to clients. Privacy and security applications as well as HIPAA compliance within these protocols have been questioned by practitioners, health information managers, and other healthcare entities. This pilot usability study examined whether four respondents who used the top three, free consumer-based, VoIP software systems perceived these VoIP technologies to be private, secure, and HIPAA compliant; most did not. While the pilot study limitations include the number of respondents and systems assessed, the protocol can be applied to future research and replicated for instructional purposes. Recommendations are provided for VoIP companies, providers, and clients/consumers. PMID:25945194

Introduction: Cybersecurity and Software Assurance Minitrack

DOE Office of Scientific and Technical Information (OSTI.GOV)

Burns, Luanne; George, Richard; Linger, Richard C

Modern society is dependent on software systems of remarkable scope and complexity. Yet methods for assuring their security and functionality have not kept pace. The result is persistent compromises and failures despite best efforts. Cybersecurity methods must work together for situational awareness, attack prevention and detection, threat attribution, minimization of consequences, and attack recovery. Because defective software cannot be secure, assurance technologies must play a central role in cybersecurity approaches. There is increasing recognition of the need for rigorous methods for cybersecurity and software assurance. The goal of this minitrack is to develop science foundations, technologies, and practices that canmore » improve the security and dependability of complex systems.« less

77 FR 5864 - BluePoint Linux Software Corp., China Bottles Inc., Long-e International, Inc., and Nano...

Federal Register 2010, 2011, 2012, 2013, 2014

2012-02-06

... SECURITIES AND EXCHANGE COMMISSION [File No. 500-1] BluePoint Linux Software Corp., China Bottles Inc., Long-e International, Inc., and Nano Superlattice Technology, Inc.; Order of Suspension of... current and accurate information concerning the securities of BluePoint Linux Software Corp. because it...

Quality and security - They work together

NASA Technical Reports Server (NTRS)

Carr, Richard; Tynan, Marie; Davis, Russell

1991-01-01

This paper describes the importance of considering computer security as part of software quality assurance practice. The intended audience is primarily those professionals involved in the design, development, and quality assurance of software. Many issues are raised which point to the need ultimately for integration of quality assurance and computer security disciplines. To address some of the issues raised, the NASA Automated Information Security program is presented as a model which may be used for improving interactions between the quality assurance and computer security community of professionals.

IT Security Support for Spaceport Command and Control System

NASA Technical Reports Server (NTRS)

McLain, Jeffrey

2013-01-01

During the fall 2013 semester, I worked at the Kennedy Space Center as an IT Security Intern in support of the Spaceport Command and Control System under the guidance of the IT Security Lead Engineer. Some of my responsibilities included assisting with security plan documentation collection, system hardware and software inventory, and malicious code and malware scanning. Throughout the semester, I had the opportunity to work on a wide range of security related projects. However, there are three projects in particular that stand out. The first project I completed was updating a large interactive spreadsheet that details the SANS Institutes Top 20 Critical Security Controls. My task was to add in all of the new commercial of the shelf (COTS) software listed on the SANS website that can be used to meet their Top 20 controls. In total, there are 153 unique security tools listed by SANS that meet one or more of their 20 controls. My second project was the creation of a database that will allow my mentor to keep track of the work done by the contractors that report to him in a more efficient manner by recording events as they occur throughout the quarter. Lastly, I expanded upon a security assessment of the Linux machines being used on center that I began last semester. To do this, I used a vulnerability and configuration tool that scans hosts remotely through the network and presents the user with an abundance of information detailing each machines configuration. The experience I gained from working on each of these projects has been invaluable, and I look forward to returning in the spring semester to continue working with the IT Security team.

Software Assurance Best Practices for Air Force Weapon and Information Technology Systems - Are We Bleeding

DTIC Science & Technology

2008-03-01

in applications is software assurance. There are many subtle variations to the software assurance definition (Goertzel, et al ., 2007), but the DoD...Gary McGraw (2006), and Thorsten 18 Schneider (2006). Goertzel, et al . (2007), lists and compares several security-enhanced software development...detailed by Goertzel, et al ., is the Microsoft Trustworthy Computing Security Development Lifecycle (SDL), shown in the following figure: Figure 6

Non-developmental item computer systems and the malicious software threat

NASA Technical Reports Server (NTRS)

Bown, Rodney L.

1991-01-01

The following subject areas are covered: a DOD development system - the Army Secure Operating System; non-development commercial computer systems; security, integrity, and assurance of service (SI and A); post delivery SI and A and malicious software; computer system unique attributes; positive feedback to commercial computer systems vendors; and NDI (Non-Development Item) computers and software safety.

Secured Advanced Federated Environment (SAFE): A NASA Solution for Secure Cross-Organization Collaboration

NASA Technical Reports Server (NTRS)

Chow, Edward; Spence, Matthew Chew; Pell, Barney; Stewart, Helen; Korsmeyer, David; Liu, Joseph; Chang, Hsin-Ping; Viernes, Conan; Gogorth, Andre

2003-01-01

This paper discusses the challenges and security issues inherent in building complex cross-organizational collaborative projects and software systems within NASA. By applying the design principles of compartmentalization, organizational hierarchy and inter-organizational federation, the Secured Advanced Federated Environment (SAFE) is laying the foundation for a collaborative virtual infrastructure for the NASA community. A key element of SAFE is the Micro Security Domain (MSD) concept, which balances the need to collaborate and the need to enforce enterprise and local security rules. With the SAFE approach, security is an integral component of enterprise software and network design, not an afterthought.

Simulation of Attacks for Security in Wireless Sensor Network.

PubMed

Diaz, Alvaro; Sanchez, Pablo

2016-11-18

The increasing complexity and low-power constraints of current Wireless Sensor Networks (WSN) require efficient methodologies for network simulation and embedded software performance analysis of nodes. In addition, security is also a very important feature that has to be addressed in most WSNs, since they may work with sensitive data and operate in hostile unattended environments. In this paper, a methodology for security analysis of Wireless Sensor Networks is presented. The methodology allows designing attack-aware embedded software/firmware or attack countermeasures to provide security in WSNs. The proposed methodology includes attacker modeling and attack simulation with performance analysis (node's software execution time and power consumption estimation). After an analysis of different WSN attack types, an attacker model is proposed. This model defines three different types of attackers that can emulate most WSN attacks. In addition, this paper presents a virtual platform that is able to model the node hardware, embedded software and basic wireless channel features. This virtual simulation analyzes the embedded software behavior and node power consumption while it takes into account the network deployment and topology. Additionally, this simulator integrates the previously mentioned attacker model. Thus, the impact of attacks on power consumption and software behavior/execution-time can be analyzed. This provides developers with essential information about the effects that one or multiple attacks could have on the network, helping them to develop more secure WSN systems. This WSN attack simulator is an essential element of the attack-aware embedded software development methodology that is also introduced in this work.

Prototype software model for designing intruder detection systems with simulation

NASA Astrophysics Data System (ADS)

Smith, Jeffrey S.; Peters, Brett A.; Curry, James C.; Gupta, Dinesh

1998-08-01

This article explores using discrete-event simulation for the design and control of defence oriented fixed-sensor- based detection system in a facility housing items of significant interest to enemy forces. The key issues discussed include software development, simulation-based optimization within a modeling framework, and the expansion of the framework to create real-time control tools and training simulations. The software discussed in this article is a flexible simulation environment where the data for the simulation are stored in an external database and the simulation logic is being implemented using a commercial simulation package. The simulation assesses the overall security level of a building against various intruder scenarios. A series of simulation runs with different inputs can determine the change in security level with changes in the sensor configuration, building layout, and intruder/guard strategies. In addition, the simulation model developed for the design stage of the project can be modified to produce a control tool for the testing, training, and real-time control of systems with humans and sensor hardware in the loop.

Personal privacy, information assurance, and the threat posed by malware techology

NASA Astrophysics Data System (ADS)

Stytz, Martin R.; Banks, Sheila B.

2006-04-01

In spite of our best efforts to secure the cyber world, the threats posed to personal privacy by attacks upon networks and software continue unabated. While there are many reasons for this state of affairs, clearly one of the reasons for continued vulnerabilities in software is the inability to assess their security properties and test their security systems while they are in development. A second reason for this growing threat to personal privacy is the growing sophistication and maliciousness of malware coupled with the increasing difficulty of detecting malware. The pervasive threat posed by malware coupled with the difficulties faced when trying to detect its presence or an attempted intrusion make addressing the malware threat one of the most pressing issues that must be solved in order to insure personal privacy to users of the internet. In this paper, we will discuss the threat posed by malware, the types of malware found in the wild (outside of computer laboratories), and current techniques that are available for from a successful malware penetration. The paper includes a discussion of anti-malware tools and suggestions for future anti-malware efforts.

Application of advanced data collection and quality assurance methods in open prospective study - a case study of PONS project.

PubMed

Wawrzyniak, Zbigniew M; Paczesny, Daniel; Mańczuk, Marta; Zatoński, Witold A

2011-01-01

Large-scale epidemiologic studies can assess health indicators differentiating social groups and important health outcomes of the incidence and mortality of cancer, cardiovascular disease, and others, to establish a solid knowledgebase for the prevention management of premature morbidity and mortality causes. This study presents new advanced methods of data collection and data management systems with current data quality control and security to ensure high quality data assessment of health indicators in the large epidemiologic PONS study (The Polish-Norwegian Study). The material for experiment is the data management design of the large-scale population study in Poland (PONS) and the managed processes are applied into establishing a high quality and solid knowledge. The functional requirements of the PONS study data collection, supported by the advanced IT web-based methods, resulted in medical data of a high quality, data security, with quality data assessment, control process and evolution monitoring are fulfilled and shared by the IT system. Data from disparate and deployed sources of information are integrated into databases via software interfaces, and archived by a multi task secure server. The practical and implemented solution of modern advanced database technologies and remote software/hardware structure successfully supports the research of the big PONS study project. Development and implementation of follow-up control of the consistency and quality of data analysis and the processes of the PONS sub-databases have excellent measurement properties of data consistency of more than 99%. The project itself, by tailored hardware/software application, shows the positive impact of Quality Assurance (QA) on the quality of outcomes analysis results, effective data management within a shorter time. This efficiency ensures the quality of the epidemiological data and indicators of health by the elimination of common errors of research questionnaires and medical measurements.

Graphs for information security control in software defined networks

NASA Astrophysics Data System (ADS)

Grusho, Alexander A.; Abaev, Pavel O.; Shorgin, Sergey Ya.; Timonina, Elena E.

2017-07-01

Information security control in software defined networks (SDN) is connected with execution of the security policy rules regulating information accesses and protection against distribution of the malicious code and harmful influences. The paper offers a representation of a security policy in the form of hierarchical structure which in case of distribution of resources for the solution of tasks defines graphs of admissible interactions in a networks. These graphs define commutation tables of switches via the SDN controller.

Additional Security Considerations for Grid Management

NASA Technical Reports Server (NTRS)

Eidson, Thomas M.

2003-01-01

The use of Grid computing environments is growing in popularity. A Grid computing environment is primarily a wide area network that encompasses multiple local area networks, where some of the local area networks are managed by different organizations. A Grid computing environment also includes common interfaces for distributed computing software so that the heterogeneous set of machines that make up the Grid can be used more easily. The other key feature of a Grid is that the distributed computing software includes appropriate security technology. The focus of most Grid software is on the security involved with application execution, file transfers, and other remote computing procedures. However, there are other important security issues related to the management of a Grid and the users who use that Grid. This note discusses these additional security issues and makes several suggestions as how they can be managed.

A code inspection process for security reviews

DOE Office of Scientific and Technical Information (OSTI.GOV)

Garzoglio, Gabriele; /Fermilab

2009-05-01

In recent years, it has become more and more evident that software threat communities are taking an increasing interest in Grid infrastructures. To mitigate the security risk associated with the increased numbers of attacks, the Grid software development community needs to scale up effort to reduce software vulnerabilities. This can be achieved by introducing security review processes as a standard project management practice. The Grid Facilities Department of the Fermilab Computing Division has developed a code inspection process, tailored to reviewing security properties of software. The goal of the process is to identify technical risks associated with an application andmore » their impact. This is achieved by focusing on the business needs of the application (what it does and protects), on understanding threats and exploit communities (what an exploiter gains), and on uncovering potential vulnerabilities (what defects can be exploited). The desired outcome of the process is an improvement of the quality of the software artifact and an enhanced understanding of possible mitigation strategies for residual risks. This paper describes the inspection process and lessons learned on applying it to Grid middleware.« less

A code inspection process for security reviews

NASA Astrophysics Data System (ADS)

Garzoglio, Gabriele

2010-04-01

In recent years, it has become more and more evident that software threat communities are taking an increasing interest in Grid infrastructures. To mitigate the security risk associated with the increased numbers of attacks, the Grid software development community needs to scale up effort to reduce software vulnerabilities. This can be achieved by introducing security review processes as a standard project management practice. The Grid Facilities Department of the Fermilab Computing Division has developed a code inspection process, tailored to reviewing security properties of software. The goal of the process is to identify technical risks associated with an application and their impact. This is achieved by focusing on the business needs of the application (what it does and protects), on understanding threats and exploit communities (what an exploiter gains), and on uncovering potential vulnerabilities (what defects can be exploited). The desired outcome of the process is an improvement of the quality of the software artifact and an enhanced understanding of possible mitigation strategies for residual risks. This paper describes the inspection process and lessons learned on applying it to Grid middleware.

Rapidly Deployable Security System Final Report CRADA No. TC-2030-01

DOE Office of Scientific and Technical Information (OSTI.GOV)

Kohlhepp, V.; Whiteman, B.; McKibben, M. T.

The ultimate objective of the LEADER and LLNL strategic partnership was to develop and commercialize_a security-based system product and platform for the use in protecting the substantial physical and economic assets of the government and commerce of the United States. The primary goal of this project was to integrate video surveillance hardware developed by LLNL with a security software backbone developed by LEADER. Upon completion of the project, a prototype hardware/software security system that is highly scalable was to be demonstrated.

Simulation of Attacks for Security in Wireless Sensor Network

PubMed Central

Diaz, Alvaro; Sanchez, Pablo

2016-01-01

The increasing complexity and low-power constraints of current Wireless Sensor Networks (WSN) require efficient methodologies for network simulation and embedded software performance analysis of nodes. In addition, security is also a very important feature that has to be addressed in most WSNs, since they may work with sensitive data and operate in hostile unattended environments. In this paper, a methodology for security analysis of Wireless Sensor Networks is presented. The methodology allows designing attack-aware embedded software/firmware or attack countermeasures to provide security in WSNs. The proposed methodology includes attacker modeling and attack simulation with performance analysis (node’s software execution time and power consumption estimation). After an analysis of different WSN attack types, an attacker model is proposed. This model defines three different types of attackers that can emulate most WSN attacks. In addition, this paper presents a virtual platform that is able to model the node hardware, embedded software and basic wireless channel features. This virtual simulation analyzes the embedded software behavior and node power consumption while it takes into account the network deployment and topology. Additionally, this simulator integrates the previously mentioned attacker model. Thus, the impact of attacks on power consumption and software behavior/execution-time can be analyzed. This provides developers with essential information about the effects that one or multiple attacks could have on the network, helping them to develop more secure WSN systems. This WSN attack simulator is an essential element of the attack-aware embedded software development methodology that is also introduced in this work. PMID:27869710

Safe and Secure Partitioning with Pikeos: Towards Integrated Modular Avionics in Space

NASA Astrophysics Data System (ADS)

Almeida, J.; Prochazka, M.

2009-05-01

This paper presents our approach to logical partitioning of spacecraft onboard software. We present PikeOS, a separation micro-kernel which applies the state-of-the- art techniques and widely recognised standards such as ARINC 653 and MILS in order to guarantee safety and security properties of partitions executing software with different criticality and confidentiality. We provide an overview of our approach, also used in the Securely Partitioning Spacecraft Computing Resources project, an ESA TRP contract, which shifts spacecraft onboard software development towards the Integrated Modular Avionics concept with relevance for dual-use military and civil missions.

Security System Software

NASA Technical Reports Server (NTRS)

1993-01-01

C Language Integration Production System (CLIPS), a NASA-developed expert systems program, has enabled a security systems manufacturer to design a new generation of hardware. C.CURESystem 1 Plus, manufactured by Software House, is a software based system that is used with a variety of access control hardware at installations around the world. Users can manage large amounts of information, solve unique security problems and control entry and time scheduling. CLIPS acts as an information management tool when accessed by C.CURESystem 1 Plus. It asks questions about the hardware and when given the answer, recommends possible quick solutions by non-expert persons.

Key Points to Facilitate the Adoption of Computer-Based Assessments.

PubMed

Burr, S A; Chatterjee, A; Gibson, S; Coombes, L; Wilkinson, S

2016-01-01

There are strong pedagogical arguments in favor of adopting computer-based assessment. The risks of technical failure can be managed and are offset by improvements in cost-effectiveness and quality assurance capability. Academic, administrative, and technical leads at an appropriately senior level within an institution need to be identified, so that they can act as effective advocates. All stakeholder groups need to be represented in undertaking a detailed appraisal of requirements and shortlisting software based on core functionality, summative assessment life cycle needs, external compatibility, security, and usability. Any software that is a candidate for adoption should be trialed under simulated summative conditions, with all stakeholders having a voice in agreeing the optimum solution. Transfer to a new system should be carefully planned and communicated, with a programme of training established to maximize the success of adoption.

Key Points to Facilitate the Adoption of Computer-Based Assessments

PubMed Central

Burr, S.A.; Chatterjee, A.; Gibson, S.; Coombes, L.; Wilkinson, S.

2016-01-01

There are strong pedagogical arguments in favor of adopting computer-based assessment. The risks of technical failure can be managed and are offset by improvements in cost-effectiveness and quality assurance capability. Academic, administrative, and technical leads at an appropriately senior level within an institution need to be identified, so that they can act as effective advocates. All stakeholder groups need to be represented in undertaking a detailed appraisal of requirements and shortlisting software based on core functionality, summative assessment life cycle needs, external compatibility, security, and usability. Any software that is a candidate for adoption should be trialed under simulated summative conditions, with all stakeholders having a voice in agreeing the optimum solution. Transfer to a new system should be carefully planned and communicated, with a programme of training established to maximize the success of adoption. PMID:29349322

Performance evaluation of secured DICOM image communication with next generation internet protocol IPv6

NASA Astrophysics Data System (ADS)

Yu, Fenghai; Zhang, Jianguo; Chen, Xiaomeng; Huang, H. K.

2005-04-01

Next Generation Internet (NGI) technology with new communication protocol IPv6 emerges as a potential solution for low-cost and high-speed networks for image data transmission. IPv6 is designed to solve many of the problems of the current version of IP (known as IPv4) with regard to address depletion, security, autoconfiguration, extensibility, and more. We choose CTN (Central Test Node) DICOM software developed by The Mallinckrodt Institute of Radiology to implement IPv6/IPv4 enabled DICOM communication software on different operating systems (Windows/Linux), and used this DICOM software to evaluate the performance of the IPv6/IPv4 enabled DICOM image communication with different security setting and environments. We compared the security communications of IPsec with SSL/TLS on different TCP/IP protocols (IPv6/IPv4), and find that there are some trade-offs to choose security solution between IPsec and SSL/TLS in the security implementation of IPv6/IPv4 communication networks.

Insecurity on the Net.

ERIC Educational Resources Information Center

Brandt, D. Scott

1998-01-01

Examines Internet security risks and how users can protect themselves. Discusses inadvertent bugs in software; programming problems with Common Gateway Interface (CGI); viruses; tracking of Web users; and preventing access to selected Web pages and filtering software. A glossary of Internet security-related terms is included. (AEF)

Systemic Vulnerabilities

DTIC Science & Technology

2014-10-01

CRm CAL FA~WR£S Q I • Software Engineering Institute I Ccamt>gw l\\~llon Lniwndty 34 Basic attack tree Destroy Building Generate Sufficient...by computer-security company marketing literature that touts 11hacker proof software,11 11triple-DES security,11 and the like. In truth, unbreakable

SPCC- Software Elements for Security Partition Communication Controller

NASA Astrophysics Data System (ADS)

Herpel, H. J.; Willig, G.; Montano, G.; Tverdyshev, S.; Eckstein, K.; Schoen, M.

2016-08-01

Future satellite missions like Earth Observation, Telecommunication or any other kind are likely to be exposed to various threats aiming at exploiting vulnerabilities of the involved systems and communications. Moreover, the growing complexity of systems coupled with more ambitious types of operational scenarios imply increased security vulnerabilities in the future. In the paper we will describe an architecture and software elements to ensure high level of security on-board a spacecraft. First the threats to the Security Partition Communication Controller (SPCC) will be addressed including the identification of specific vulnerabilities to the SPCC. Furthermore, appropriate security objectives and security requirements are identified to be counter the identified threats. The security evaluation of the SPCC will be done in accordance to the Common Criteria (CC). The Software Elements for SPCC has been implemented on flight representative hardware which consists of two major elements: the I/O board and the SPCC board. The SPCC board provides the interfaces with ground while the I/O board interfaces with typical spacecraft equipment busses. Both boards are physically interconnected by a high speed spacewire (SpW) link.

Benchmarking Software Assurance Implementation

DTIC Science & Technology

2011-05-18

product The chicken#. (a.k.a. Process Focused Assessment ) – Management Systems ( ISO 9001, ISO 27001 , ISO 2000) – Capability Maturity Models (CMMI...Assurance PRM, RMM, Assurance for CMMI)) – Lifecycle Processes ( ISO /IEEE 15288, ISO /IEEE 12207) – COBIT, ITIL, MS SDL, OSAMM, BSIMM 5 The egg...a.k.a Product Focused Assessments) – SCAP - NIST-SCAP – ISO /OMG W3C – KDM, BPMN, RIF, XMI, RDF – OWASP Top 10 – SANS TOP 25 – Secure Code Check Lists

45 CFR 95.621 - ADP reviews.

Code of Federal Regulations, 2011 CFR

2011-10-01

... use; (C) Software and data security; (D) Telecommunications security; (E) Personnel security; (F... Federal review. (f) ADP System Security Requirements and Review Process—(1) ADP System Security Requirement. State agencies are responsible for the security of all ADP projects under development, and...

Economic Evaluation of the Information Security Levels Achieved by Electric Energy Providers in North Arctic Region

NASA Astrophysics Data System (ADS)

Sushko, O. P.; Kaznin, A. A.; Babkin, A. V.; Bogdanov, D. A.

2017-10-01

The study we are conducting involves the analysis of information security levels achieved by energy providers operating in the North Arctic Region. We look into whether the energy providers’ current information security levels meet reliability standards and determine what further actions may be needed for upgrading information security in the context of the digital transformation that the world community is undergoing. When developing the information security systems for electric energy providers or selecting the protection means for them, we are governed by the fact that the assets to be protected are process technologies. While information security risk can be assessed using different methods, the evaluation of the economic damage from these risks appears to be a difficult task. The most probable and harmful risks we have identified when evaluating the electric energy providers’ information security will be used by us as variables. To provide the evaluation, it is necessary to calculate the costs relating to elimination of the risks identified. The final stage of the study will involve the development of an operation algorithm for the North Arctic Region’s energy provider’s business information protection security system - a set of information security services, and security software and hardware.

Security Isn't Just for Techies Anymore

ERIC Educational Resources Information Center

Mills, Lane B.

2004-01-01

School district networks are particularly difficult to protect given the diverse types of users, software, equipment and connections that most school districts provide. Vulnerabilities to the security of school district's technology infrastructure can relate to users, data, software, hardware and transmission. This article discusses different…

Understanding How the "Open" of Open Source Software (OSS) Will Improve Global Health Security.

PubMed

Hahn, Erin; Blazes, David; Lewis, Sheri

2016-01-01

Improving global health security will require bold action in all corners of the world, particularly in developing settings, where poverty often contributes to an increase in emerging infectious diseases. In order to mitigate the impact of emerging pandemic threats, enhanced disease surveillance is needed to improve early detection and rapid response to outbreaks. However, the technology to facilitate this surveillance is often unattainable because of high costs, software and hardware maintenance needs, limited technical competence among public health officials, and internet connectivity challenges experienced in the field. One potential solution is to leverage open source software, a concept that is unfortunately often misunderstood. This article describes the principles and characteristics of open source software and how it may be applied to solve global health security challenges.

Application of Lightweight Formal Methods to Software Security

NASA Technical Reports Server (NTRS)

Gilliam, David P.; Powell, John D.; Bishop, Matt

2005-01-01

Formal specification and verification of security has proven a challenging task. There is no single method that has proven feasible. Instead, an integrated approach which combines several formal techniques can increase the confidence in the verification of software security properties. Such an approach which species security properties in a library that can be reused by 2 instruments and their methodologies developed for the National Aeronautics and Space Administration (NASA) at the Jet Propulsion Laboratory (JPL) are described herein The Flexible Modeling Framework (FMF) is a model based verijkation instrument that uses Promela and the SPIN model checker. The Property Based Tester (PBT) uses TASPEC and a Text Execution Monitor (TEM). They are used to reduce vulnerabilities and unwanted exposures in software during the development and maintenance life cycles.

Clinical software development for the Web: lessons learned from the BOADICEA project

PubMed Central

2012-01-01

Background In the past 20 years, society has witnessed the following landmark scientific advances: (i) the sequencing of the human genome, (ii) the distribution of software by the open source movement, and (iii) the invention of the World Wide Web. Together, these advances have provided a new impetus for clinical software development: developers now translate the products of human genomic research into clinical software tools; they use open-source programs to build them; and they use the Web to deliver them. Whilst this open-source component-based approach has undoubtedly made clinical software development easier, clinical software projects are still hampered by problems that traditionally accompany the software process. This study describes the development of the BOADICEA Web Application, a computer program used by clinical geneticists to assess risks to patients with a family history of breast and ovarian cancer. The key challenge of the BOADICEA Web Application project was to deliver a program that was safe, secure and easy for healthcare professionals to use. We focus on the software process, problems faced, and lessons learned. Our key objectives are: (i) to highlight key clinical software development issues; (ii) to demonstrate how software engineering tools and techniques can facilitate clinical software development for the benefit of individuals who lack software engineering expertise; and (iii) to provide a clinical software development case report that can be used as a basis for discussion at the start of future projects. Results We developed the BOADICEA Web Application using an evolutionary software process. Our approach to Web implementation was conservative and we used conventional software engineering tools and techniques. The principal software development activities were: requirements, design, implementation, testing, documentation and maintenance. The BOADICEA Web Application has now been widely adopted by clinical geneticists and researchers. BOADICEA Web Application version 1 was released for general use in November 2007. By May 2010, we had > 1200 registered users based in the UK, USA, Canada, South America, Europe, Africa, Middle East, SE Asia, Australia and New Zealand. Conclusions We found that an evolutionary software process was effective when we developed the BOADICEA Web Application. The key clinical software development issues identified during the BOADICEA Web Application project were: software reliability, Web security, clinical data protection and user feedback. PMID:22490389

Clinical software development for the Web: lessons learned from the BOADICEA project.

PubMed

Cunningham, Alex P; Antoniou, Antonis C; Easton, Douglas F

2012-04-10

In the past 20 years, society has witnessed the following landmark scientific advances: (i) the sequencing of the human genome, (ii) the distribution of software by the open source movement, and (iii) the invention of the World Wide Web. Together, these advances have provided a new impetus for clinical software development: developers now translate the products of human genomic research into clinical software tools; they use open-source programs to build them; and they use the Web to deliver them. Whilst this open-source component-based approach has undoubtedly made clinical software development easier, clinical software projects are still hampered by problems that traditionally accompany the software process. This study describes the development of the BOADICEA Web Application, a computer program used by clinical geneticists to assess risks to patients with a family history of breast and ovarian cancer. The key challenge of the BOADICEA Web Application project was to deliver a program that was safe, secure and easy for healthcare professionals to use. We focus on the software process, problems faced, and lessons learned. Our key objectives are: (i) to highlight key clinical software development issues; (ii) to demonstrate how software engineering tools and techniques can facilitate clinical software development for the benefit of individuals who lack software engineering expertise; and (iii) to provide a clinical software development case report that can be used as a basis for discussion at the start of future projects. We developed the BOADICEA Web Application using an evolutionary software process. Our approach to Web implementation was conservative and we used conventional software engineering tools and techniques. The principal software development activities were: requirements, design, implementation, testing, documentation and maintenance. The BOADICEA Web Application has now been widely adopted by clinical geneticists and researchers. BOADICEA Web Application version 1 was released for general use in November 2007. By May 2010, we had > 1200 registered users based in the UK, USA, Canada, South America, Europe, Africa, Middle East, SE Asia, Australia and New Zealand. We found that an evolutionary software process was effective when we developed the BOADICEA Web Application. The key clinical software development issues identified during the BOADICEA Web Application project were: software reliability, Web security, clinical data protection and user feedback.

The study on network security based on software engineering

NASA Astrophysics Data System (ADS)

Jia, Shande; Ao, Qian

2012-04-01

Developing a SP is a sensitive task because the SP itself can lead to security weaknesses if it is not conform to the security properties. Hence, appropriate techniques are necessary to overcome such problems. These techniques must accompany the policy throughout its deployment phases. The main contribution of this paper is then, the proposition of three of these activities: validation, test and multi-SP conflict management. Our techniques are inspired by the well established techniques of the software engineering for which we have found some similarities with the security domain.

A Security-façade Library for Virtual-observatory Software

NASA Astrophysics Data System (ADS)

Rixon, G.

2009-09-01

The security-façade library implements, for Java, IVOA's security standards. It supports the authentication mechanisms for SOAP and REST web-services, the sign-on mechanisms (with MyProxy, AstroGrid Accounts protocol or local credential-caches), the delegation protocol, and RFC3820-enabled HTTPS for Apache Tomcat. Using the façade, a developer who is not a security specialist can easily add access control to a virtual-observatory service and call secured services from an application. The library has been an internal part of AstroGrid software for some time and it is now offered for use by other developers.

Security Vulnerability Profiles of Mission Critical Software: Empirical Analysis of Security Related Bug Reports

NASA Technical Reports Server (NTRS)

Goseva-Popstojanova, Katerina; Tyo, Jacob

2017-01-01

While some prior research work exists on characteristics of software faults (i.e., bugs) and failures, very little work has been published on analysis of software applications vulnerabilities. This paper aims to contribute towards filling that gap by presenting an empirical investigation of application vulnerabilities. The results are based on data extracted from issue tracking systems of two NASA missions. These data were organized in three datasets: Ground mission IVV issues, Flight mission IVV issues, and Flight mission Developers issues. In each dataset, we identified security related software bugs and classified them in specific vulnerability classes. Then, we created the security vulnerability profiles, i.e., determined where and when the security vulnerabilities were introduced and what were the dominating vulnerabilities classes. Our main findings include: (1) In IVV issues datasets the majority of vulnerabilities were code related and were introduced in the Implementation phase. (2) For all datasets, around 90 of the vulnerabilities were located in two to four subsystems. (3) Out of 21 primary classes, five dominated: Exception Management, Memory Access, Other, Risky Values, and Unused Entities. Together, they contributed from 80 to 90 of vulnerabilities in each dataset.

Overview of the CERT Resilience Management Model (CERT-RMM)

DTIC Science & Technology

2014-01-23

Management Model (CERT®-RMM) Jim Cebula Technical Manager - Cyber Risk Management , CERT® Division Jim Cebula is the Technical Manager of the...Cyber Risk Management team in the Cyber Security Solutions Directorate of the CERT Division at the Software Engineering Institute (SEI), a unit of...Carnegie Mellon University. Cebula’s current activities include risk management methods along with assessment and management of operational

Assessment of Industry Attitudes on Collaborating with the U.S. Department of Defense in Research and Development and Technology Sharing

DTIC Science & Technology

2004-01-01

8 47 1 1 Security 1 1 Solar Control 1 Simulation Software 1 Structural Design 2 9 1 1 Thermal Design 3 11 1 3 APPENDIX III...e.g. diapers , trash bags) 3259 Plastic color concentrates and compounds 3261 ESD control flooring, wall base. Extruded thermoplastic sheet for

Cloud Security: Issues and Research Directions

DTIC Science & Technology

2014-11-18

4. Cloud Computing Security: What Changes with Software - Defined Networking ? Maur´ıcio Tsugawa, Andr´ea Matsunaga, and Jos´e A. B. Fortes 5...machine’s memory from an untrusted or malicious hypervisor. In Chapter 4, Tsugawa et al. discuss the security issues introduced when Software - Defined ... Networking ( SDN ) is deployed within and across clouds. Chapters 5-9 are focused on the protection of data stored in the cloud. In Chapter 5, Wang et

Cybersecurity and medical devices: A practical guide for cardiac electrophysiologists

PubMed Central

Kramer, Daniel B.; Foo Kune, Denis; Auto de Medeiros, Julio; Yan, Chen; Xu, Wenyuan; Crawford, Thomas; Fu, Kevin

2017-01-01

Abstract Medical devices increasingly depend on software. While this expands the ability of devices to perform key therapeutic and diagnostic functions, reliance on software inevitably causes exposure to hazards of security vulnerabilities. This article uses a recent high‐profile case example to outline a proactive approach to security awareness that incorporates a scientific, risk‐based analysis of security concerns that supports ongoing discussions with patients about their medical devices. PMID:28512774

Securing mobile code.

DOE Office of Scientific and Technical Information (OSTI.GOV)

Link, Hamilton E.; Schroeppel, Richard Crabtree; Neumann, William Douglas

2004-10-01

If software is designed so that the software can issue functions that will move that software from one computing platform to another, then the software is said to be 'mobile'. There are two general areas of security problems associated with mobile code. The 'secure host' problem involves protecting the host from malicious mobile code. The 'secure mobile code' problem, on the other hand, involves protecting the code from malicious hosts. This report focuses on the latter problem. We have found three distinct camps of opinions regarding how to secure mobile code. There are those who believe special distributed hardware ismore » necessary, those who believe special distributed software is necessary, and those who believe neither is necessary. We examine all three camps, with a focus on the third. In the distributed software camp we examine some commonly proposed techniques including Java, D'Agents and Flask. For the specialized hardware camp, we propose a cryptographic technique for 'tamper-proofing' code over a large portion of the software/hardware life cycle by careful modification of current architectures. This method culminates by decrypting/authenticating each instruction within a physically protected CPU, thereby protecting against subversion by malicious code. Our main focus is on the camp that believes that neither specialized software nor hardware is necessary. We concentrate on methods of code obfuscation to render an entire program or a data segment on which a program depends incomprehensible. The hope is to prevent or at least slow down reverse engineering efforts and to prevent goal-oriented attacks on the software and execution. The field of obfuscation is still in a state of development with the central problem being the lack of a basis for evaluating the protection schemes. We give a brief introduction to some of the main ideas in the field, followed by an in depth analysis of a technique called 'white-boxing'. We put forth some new attacks and improvements on this method as well as demonstrating its implementation for various algorithms. We also examine cryptographic techniques to achieve obfuscation including encrypted functions and offer a new application to digital signature algorithms. To better understand the lack of security proofs for obfuscation techniques, we examine in detail general theoretical models of obfuscation. We explain the need for formal models in order to obtain provable security and the progress made in this direction thus far. Finally we tackle the problem of verifying remote execution. We introduce some methods of verifying remote exponentiation computations and some insight into generic computation checking.« less

A coverage and slicing dependencies analysis for seeking software security defects.

PubMed

He, Hui; Zhang, Dongyan; Liu, Min; Zhang, Weizhe; Gao, Dongmin

2014-01-01

Software security defects have a serious impact on the software quality and reliability. It is a major hidden danger for the operation of a system that a software system has some security flaws. When the scale of the software increases, its vulnerability has becoming much more difficult to find out. Once these vulnerabilities are exploited, it may lead to great loss. In this situation, the concept of Software Assurance is carried out by some experts. And the automated fault localization technique is a part of the research of Software Assurance. Currently, automated fault localization method includes coverage based fault localization (CBFL) and program slicing. Both of the methods have their own location advantages and defects. In this paper, we have put forward a new method, named Reverse Data Dependence Analysis Model, which integrates the two methods by analyzing the program structure. On this basis, we finally proposed a new automated fault localization method. This method not only is automation lossless but also changes the basic location unit into single sentence, which makes the location effect more accurate. Through several experiments, we proved that our method is more effective. Furthermore, we analyzed the effectiveness among these existing methods and different faults.

Security Vulnerability Profiles of NASA Mission Software: Empirical Analysis of Security Related Bug Reports

NASA Technical Reports Server (NTRS)

Goseva-Popstojanova, Katerina; Tyo, Jacob P.; Sizemore, Brian

2017-01-01

NASA develops, runs, and maintains software systems for which security is of vital importance. Therefore, it is becoming an imperative to develop secure systems and extend the current software assurance capabilities to cover information assurance and cybersecurity concerns of NASA missions. The results presented in this report are based on the information provided in the issue tracking systems of one ground mission and one flight mission. The extracted data were used to create three datasets: Ground mission IVV issues, Flight mission IVV issues, and Flight mission Developers issues. In each dataset, we identified the software bugs that are security related and classified them in specific security classes. This information was then used to create the security vulnerability profiles (i.e., to determine how, why, where, and when the security vulnerabilities were introduced) and explore the existence of common trends. The main findings of our work include:- Code related security issues dominated both the Ground and Flight mission IVV security issues, with 95 and 92, respectively. Therefore, enforcing secure coding practices and verification and validation focused on coding errors would be cost effective ways to improve mission's security. (Flight mission Developers issues dataset did not contain data in the Issue Category.)- In both the Ground and Flight mission IVV issues datasets, the majority of security issues (i.e., 91 and 85, respectively) were introduced in the Implementation phase. In most cases, the phase in which the issues were found was the same as the phase in which they were introduced. The most security related issues of the Flight mission Developers issues dataset were found during Code Implementation, Build Integration, and Build Verification; the data on the phase in which these issues were introduced were not available for this dataset.- The location of security related issues, as the location of software issues in general, followed the Pareto principle. Specifically, for all three datasets, from 86 to 88 the security related issues were located in two to four subsystems.- The severity levels of most security issues were moderate, in all three datasets.- Out of 21 primary security classes, five dominated: Exception Management, Memory Access, Other, Risky Values, and Unused Entities. Together, these classes contributed from around 80 to 90 of all security issues in each dataset. This again proves the Pareto principle of uneven distribution of security issues, in this case across CWE classes, and supports the fact that addressing these dominant security classes provides the most cost efficient way to improve missions' security. The findings presented in this report uncovered the security vulnerability profiles and identified the common trends and dominant classes of security issues, which in turn can be used to select the most efficient secure design and coding best practices compiled by the part of the SARP project team associated with the NASA's Johnson Space Center. In addition, these findings provide valuable input to the NASA IVV initiative aimed at identification of the two 25 CWEs of ground and flight missions.

Information Systems Security Products and Services Catalogue.

DTIC Science & Technology

1992-01-01

pricing information on the Motorola Portable DES Receiver Station and Portable DES Base Station, contact Motorola. The PX-300- S ranges in cost from...C2 Paul Smith (612) 482-2776 Tom Latterner (301) 220-3400 Jeffrey S . Bell (215) 986-6864 John Haggard (312) 714-7604 4-2d.2 GENERAL-PURPOSE...primary software security mechanism of the SCOMP system is the security kernel, based on the Center-approved Bell -LaPadula model of the software portion

Airport Viz - a 3D Tool to Enhance Security Operations

DOE Office of Scientific and Technical Information (OSTI.GOV)

Koch, Daniel B

2006-01-01

In the summer of 2000, the National Safe Skies Alliance (NSSA) awarded a project to the Applied Visualization Center (AVC) at the University of Tennessee, Knoxville (UTK) to develop a 3D computer tool to assist the Federal Aviation Administration security group, now the Transportation Security Administration (TSA), in evaluating new equipment and procedures to improve airport checkpoint security. A preliminary tool was demonstrated at the 2001 International Aviation Security Technology Symposium. Since then, the AVC went on to construct numerous detection equipment models as well as models of several airports. Airport Viz has been distributed by the NSSA to amore » number of airports around the country which are able to incorporate their own CAD models into the software due to its unique open architecture. It provides a checkpoint design and passenger flow simulation function, a layout design and simulation tool for checked baggage and cargo screening, and a means to assist in the vulnerability assessment of airport access points for pedestrians and vehicles.« less

Macintosh Computer Classroom and Laboratory Security: Preventing Unwanted Changes to the System.

ERIC Educational Resources Information Center

Senn, Gary J.; Smyth, Thomas J. C.

Because of the graphical interface and "openness" of the operating system, Macintosh computers are susceptible to undesirable changes by the user. This presentation discusses the advantages and disadvantages of software packages that offer protection for the Macintosh system. The two basic forms of software security packages include a…

On the Use of Software Metrics as a Predictor of Software Security Problems

DTIC Science & Technology

2013-01-01

models to determine if additional metrics are required to increase the accuracy of the model: non-security SCSA warnings, code churn and size, the...vulnerabilities reported by testing and those found in the field. Summary of Most Important Results We evaluated our model on three commercial telecommunications

75 FR 5156 - Ariel Corp., Classica Group, Inc., Commodore Environmental Services, Inc., Dupont Direct...

Federal Register 2010, 2011, 2012, 2013, 2014

2010-02-01

... Environmental Services, Inc., Dupont Direct Financial Holdings, Inc., New Paradigm Software Corp. (n/k/a Brunton... concerning the securities of Commodore Environmental Services, Inc. because it has not filed any periodic... accurate information concerning the securities of New Paradigm Software Corp. (n/k/a Brunton Vineyards...

Environmental Assessment (EA): Proposed Software Facilities, Hill Air Force Base, Utah

DTIC Science & Technology

2011-04-19

retention facilities ; • connections to adjacent buried utilities consisting of water, electricity, natural gas, telephone/ data , sanitary sewer, and storm...engineering, development, and testing workloads for F-22 and F-35 aircraft. Military construction (MILCON) project data explain existing facilities ...Existing Facilities MILCON project data state there are no facilities on Hill AFB with adequate security to house the specialized laboratory space or

An Analysis of Security and Privacy Issues in Smart Grid Software Architectures on Clouds

DOE Office of Scientific and Technical Information (OSTI.GOV)

Simmhan, Yogesh; Kumbhare, Alok; Cao, Baohua

2011-07-09

Power utilities globally are increasingly upgrading to Smart Grids that use bi-directional communication with the consumer to enable an information-driven approach to distributed energy management. Clouds offer features well suited for Smart Grid software platforms and applications, such as elastic resources and shared services. However, the security and privacy concerns inherent in an information rich Smart Grid environment are further exacerbated by their deployment on Clouds. Here, we present an analysis of security and privacy issues in a Smart Grids software architecture operating on different Cloud environments, in the form of a taxonomy. We use the Los Angeles Smart Gridmore » Project that is underway in the largest U.S. municipal utility to drive this analysis that will benefit both Cloud practitioners targeting Smart Grid applications, and Cloud researchers investigating security and privacy.« less

Informatics in Radiology (infoRAD): personal computer security: part 2. Software Configuration and file protection.

PubMed

Caruso, Ronald D

2004-01-01

Proper configuration of software security settings and proper file management are necessary and important elements of safe computer use. Unfortunately, the configuration of software security options is often not user friendly. Safe file management requires the use of several utilities, most of which are already installed on the computer or available as freeware. Among these file operations are setting passwords, defragmentation, deletion, wiping, removal of personal information, and encryption. For example, Digital Imaging and Communications in Medicine medical images need to be anonymized, or "scrubbed," to remove patient identifying information in the header section prior to their use in a public educational or research environment. The choices made with respect to computer security may affect the convenience of the computing process. Ultimately, the degree of inconvenience accepted will depend on the sensitivity of the files and communications to be protected and the tolerance of the user. Copyright RSNA, 2004

75 FR 10439 - Cognitive Radio Technologies and Software Defined Radios

Federal Register 2010, 2011, 2012, 2013, 2014

2010-03-08

... Technologies and Software Defined Radios AGENCY: Federal Communications Commission. ACTION: Final rule. SUMMARY... concerning the use of open source software to implement security features in software defined radios (SDRs... ongoing technical developments in cognitive and software defined radio (SDR) technologies. 2. On April 20...

Software For Computer-Security Audits

NASA Technical Reports Server (NTRS)

Arndt, Kate; Lonsford, Emily

1994-01-01

Information relevant to potential breaches of security gathered efficiently. Automated Auditing Tools for VAX/VMS program includes following automated software tools performing noted tasks: Privileged ID Identification, program identifies users and their privileges to circumvent existing computer security measures; Critical File Protection, critical files not properly protected identified; Inactive ID Identification, identifications of users no longer in use found; Password Lifetime Review, maximum lifetimes of passwords of all identifications determined; and Password Length Review, minimum allowed length of passwords of all identifications determined. Written in DEC VAX DCL language.

Cyber Security Threats to Safety-Critical, Space-Based Infrastructures

NASA Astrophysics Data System (ADS)

Johnson, C. W.; Atencia Yepez, A.

2012-01-01

Space-based systems play an important role within national critical infrastructures. They are being integrated into advanced air-traffic management applications, rail signalling systems, energy distribution software etc. Unfortunately, the end users of communications, location sensing and timing applications often fail to understand that these infrastructures are vulnerable to a wide range of security threats. The following pages focus on concerns associated with potential cyber-attacks. These are important because future attacks may invalidate many of the safety assumptions that support the provision of critical space-based services. These safety assumptions are based on standard forms of hazard analysis that ignore cyber-security considerations This is a significant limitation when, for instance, security attacks can simultaneously exploit multiple vulnerabilities in a manner that would never occur without a deliberate enemy seeking to damage space based systems and ground infrastructures. We address this concern through the development of a combined safety and security risk assessment methodology. The aim is to identify attack scenarios that justify the allocation of additional design resources so that safety barriers can be strengthened to increase our resilience against security threats.

Evaluating the feasibility of using online software to collect patient information in a chiropractic practice-based research network.

PubMed

Kania-Richmond, Ania; Weeks, Laura; Scholten, Jeffrey; Reney, Mikaël

2016-03-01

Practice based research networks (PBRNs) are increasingly used as a tool for evidence based practice. We developed and tested the feasibility of using software to enable online collection of patient data within a chiropractic PBRN to support clinical decision making and research in participating clinics. To assess the feasibility of using online software to collect quality patient information. The study consisted of two phases: 1) Assessment of the quality of information provided, using a standardized form; and 2) Exploration of patients' perspectives and experiences regarding online information provision through semi-structured interviews. Data analysis was descriptive. Forty-five new patients were recruited. Thirty-six completed online forms, which were submitted by an appropriate person 100% of the time, with an error rate of less than 1%, and submitted in a timely manner 83% of the time. Twenty-one participants were interviewed. Overall, online forms were preferred given perceived security, ease of use, and enabling provision of more accurate information. Use of online software is feasible, provides high quality information, and is preferred by most participants. A pen-and-paper format should be available for patients with this preference and in case of technical difficulties.

Remote software upload techniques in future vehicles and their performance analysis

NASA Astrophysics Data System (ADS)

Hossain, Irina

Updating software in vehicle Electronic Control Units (ECUs) will become a mandatory requirement for a variety of reasons, for examples, to update/fix functionality of an existing system, add new functionality, remove software bugs and to cope up with ITS infrastructure. Software modules of advanced vehicles can be updated using Remote Software Upload (RSU) technique. The RSU employs infrastructure-based wireless communication technique where the software supplier sends the software to the targeted vehicle via a roadside Base Station (BS). However, security is critically important in RSU to avoid any disasters due to malfunctions of the vehicle or to protect the proprietary algorithms from hackers, competitors or people with malicious intent. In this thesis, a mechanism of secure software upload in advanced vehicles is presented which employs mutual authentication of the software provider and the vehicle using a pre-shared authentication key before sending the software. The software packets are sent encrypted with a secret key along with the Message Digest (MD). In order to increase the security level, it is proposed the vehicle to receive more than one copy of the software along with the MD in each copy. The vehicle will install the new software only when it receives more than one identical copies of the software. In order to validate the proposition, analytical expressions of average number of packet transmissions for successful software update is determined. Different cases are investigated depending on the vehicle's buffer size and verification methods. The analytical and simulation results show that it is sufficient to send two copies of the software to the vehicle to thwart any security attack while uploading the software. The above mentioned unicast method for RSU is suitable when software needs to be uploaded to a single vehicle. Since multicasting is the most efficient method of group communication, updating software in an ECU of a large number of vehicles could benefit from it. However, like the unicast RSU, the security requirements of multicast communication, i.e., authenticity, confidentiality and integrity of the software transmitted and access control of the group members is challenging. In this thesis, an infrastructure-based mobile multicasting for RSU in vehicle ECUs is proposed where an ECU receives the software from a remote software distribution center using the road side BSs as gateways. The Vehicular Software Distribution Network (VSDN) is divided into small regions administered by a Regional Group Manager (RGM). Two multicast Group Key Management (GKM) techniques are proposed based on the degree of trust on the BSs named Fully-trusted (FT) and Semi-trusted (ST) systems. Analytical models are developed to find the multicast session establishment latency and handover latency for these two protocols. The average latency to perform mutual authentication of the software vendor and a vehicle, and to send the multicast session key by the software provider during multicast session initialization, and the handoff latency during multicast session is calculated. Analytical and simulation results show that the link establishment latency per vehicle of our proposed schemes is in the range of few seconds and the ST system requires few ms higher time than the FT system. The handoff latency is also in the range of few seconds and in some cases ST system requires less handoff time than the FT system. Thus, it is possible to build an efficient GKM protocol without putting too much trust on the BSs.

Perpetual Model Validation

DTIC Science & Technology

2017-03-01

models of software execution, for example memory access patterns, to check for security intrusions. Additional research was performed to tackle the...considered using indirect models of software execution, for example memory access patterns, to check for security intrusions. Additional research ...deterioration for example , no longer corresponds to the model used during verification time. Finally, the research looked at ways to combine hybrid systems

NASA guidelines for assuring the adequacy and appropriateness of security safeguards in sensitive applications

NASA Technical Reports Server (NTRS)

Tompkins, F. G.

1984-01-01

The Office of Management and Budget (OMB) Circular A-71, transmittal Memorandum No. 1, requires that each agency establish a management control process to assure that appropriate administrative, physical and technical safeguards are incorporated into all new computer applications. In addition to security specifications, the management control process should assure that the safeguards are adequate for the application. The security activities that should be integral to the system development process are examined. The software quality assurance process to assure that adequate and appropriate controls are incorporated into sensitive applications is also examined. Security for software packages is also discussed.

DOE Office of Scientific and Technical Information (OSTI.GOV)

Lee, Hsien-Hsin S

The overall objective of this research project is to develop novel architectural techniques as well as system software to achieve a highly secure and intrusion-tolerant computing system. Such system will be autonomous, self-adapting, introspective, with self-healing capability under the circumstances of improper operations, abnormal workloads, and malicious attacks. The scope of this research includes: (1) System-wide, unified introspection techniques for autonomic systems, (2) Secure information-flow microarchitecture, (3) Memory-centric security architecture, (4) Authentication control and its implication to security, (5) Digital right management, (5) Microarchitectural denial-of-service attacks on shared resources. During the period of the project, we developed several architectural techniquesmore » and system software for achieving a robust, secure, and reliable computing system toward our goal.« less

TealLock 5.20 security software program for handheld devices.

PubMed

Tahil, Fatimah A

2004-07-01

The TealLock has a simple graphic interface, and the program is user-friendly with well thought out options to customize security settings. The program is inexpensive and works seamlessly with the Palm OS platform's built-in basic Security application. The developer offers a 30-day free trial version and there is no downside to trying it to see if it meets your needs. It seems to be an effective security software program for psychiatrists who keep confidential and sensitive patient information on their PDAs. In keeping with HIPAA regulations, the TealLock bolsters security for protected health information stored on PDAs or other handheld devices by providing safeguards that address authentication, access control, encryption, and selected aspects of transmission.

Evaluation of a mandatory quality assurance data capture in anesthesia: a secure electronic system to capture quality assurance information linked to an automated anesthesia record.

PubMed

Peterfreund, Robert A; Driscoll, William D; Walsh, John L; Subramanian, Aparna; Anupama, Shaji; Weaver, Melissa; Morris, Theresa; Arnholz, Sarah; Zheng, Hui; Pierce, Eric T; Spring, Stephen F

2011-05-01

Efforts to assure high-quality, safe, clinical care depend upon capturing information about near-miss and adverse outcome events. Inconsistent or unreliable information capture, especially for infrequent events, compromises attempts to analyze events in quantitative terms, understand their implications, and assess corrective efforts. To enhance reporting, we developed a secure, electronic, mandatory system for reporting quality assurance data linked to our electronic anesthesia record. We used the capabilities of our anesthesia information management system (AIMS) in conjunction with internally developed, secure, intranet-based, Web application software. The application is implemented with a backend allowing robust data storage, retrieval, data analysis, and reporting capabilities. We customized a feature within the AIMS software to create a hard stop in the documentation workflow before the end of anesthesia care time stamp for every case. The software forces the anesthesia provider to access the separate quality assurance data collection program, which provides a checklist for targeted clinical events and a free text option. After completing the event collection program, the software automatically returns the clinician to the AIMS to finalize the anesthesia record. The number of events captured by the departmental quality assurance office increased by 92% (95% confidence interval [CI] 60.4%-130%) after system implementation. The major contributor to this increase was the new electronic system. This increase has been sustained over the initial 12 full months after implementation. Under our reporting criteria, the overall rate of clinical events reported by any method was 471 events out of 55,382 cases or 0.85% (95% CI 0.78% to 0.93%). The new system collected 67% of these events (95% confidence interval 63%-71%). We demonstrate the implementation in an academic anesthesia department of a secure clinical event reporting system linked to an AIMS. The system enforces entry of quality assurance information (either no clinical event or notification of a clinical event). System implementation resulted in capturing nearly twice the number of events at a relatively steady case load. © 2011 International Anesthesia Research Society

Birds of a Feather: Supporting Secure Systems

DOE Office of Scientific and Technical Information (OSTI.GOV)

Braswell III, H V

2006-04-24

Over the past few years Lawrence Livermore National Laboratory has begun the process of moving to a diskless environment in the Secure Computer Support realm. This movement has included many moving targets and increasing support complexity. We would like to set up a forum for Security and Support professionals to get together from across the Complex and discuss current deployments, lessons learned, and next steps. This would include what hardware, software, and hard copy based solutions are being used to manage Secure Computing. The topics to be discussed include but are not limited to: Diskless computing, port locking and management,more » PC, Mac, and Linux/UNIX support and setup, system imaging, security setup documentation and templates, security documentation and management, customer tracking, ticket tracking, software download and management, log management, backup/disaster recovery, and mixed media environments.« less

Recognition and categorization considerations for information assurance requirements development and speficication

NASA Astrophysics Data System (ADS)

Stytz, Martin R.; May, Michael; Banks, Sheila B.

2009-04-01

Department of Defense (DoD) Information Technology (IT) systems operate in an environment different from the commercial world, the differences arise from the differences in the types of attacks, the interdependencies between DoD software systems, and the reliance upon commercial software to provide basic capabilities. The challenge that we face is determining how to specify the information assurance requirements for a system without requiring changes to the commercial software and in light of the interdependencies between systems. As a result of the interdependencies and interconnections between systems introduced by the global information grid (GIG), an assessment of the IA requirements for a system must consider three facets of a system's IA capabilities: 1) the IA vulnerabilities of the system, 2) the ability of a system to repel IA attacks, and 3) the ability of a system to insure that any IA attack that penetrates the system is contained within the system and does not spread. Each facet should be assessed independently and the requirements should be derived independently from the assessments. In addition to the desired IA technology capabilities of the system, a complete assessment of the system's overall IA security technology readiness level cannot be accomplished without an assessment of the capabilities required of the system for its capability to recover from and remediate IA vulnerabilities and compromises. To allow us to accomplish these three formidable tasks, we propose a general system architecture designed to separate the system's IA capabilities from its other capability requirements; thereby allowing the IA capabilities to be developed and assessed separately from the other system capabilities. The architecture also enables independent requirements specification, implementation, assessment, measurement, and improvement of a system's IA capabilities without requiring modification of the underlying application software.

An Assessment of Security Vulnerabilities Comprehension of Cloud Computing Environments: A Quantitative Study Using the Unified Theory of Acceptance and Use

ERIC Educational Resources Information Center

Venkatesh, Vijay P.

2013-01-01

The current computing landscape owes its roots to the birth of hardware and software technologies from the 1940s and 1950s. Since then, the advent of mainframes, miniaturized computing, and internetworking has given rise to the now prevalent cloud computing era. In the past few months just after 2010, cloud computing adoption has picked up pace…

Cost/benefit analysis for video security systems

DOE Office of Scientific and Technical Information (OSTI.GOV)

NONE

1997-01-01

Dr. Don Hush and Scott Chapman, in conjunction with the Electrical and Computer Engineering Department of the University of New Mexico (UNM), have been contracted by Los Alamos National Laboratories to perform research in the area of high security video analysis. The first phase of this research, presented in this report, is a cost/benefit analysis of various approaches to the problem in question. This discussion begins with a description of three architectures that have been used as solutions to the problem of high security surveillance. An overview of the relative merits and weaknesses of each of the proposed systems ismore » included. These descriptions are followed directly by a discussion of the criteria chosen in evaluating the systems and the techniques used to perform the comparisons. The results are then given in graphical and tabular form, and their implications discussed. The project to this point has involved assessing hardware and software issues in image acquisition, processing and change detection. Future work is to leave these questions behind to consider the issues of change analysis - particularly the detection of human motion - and alarm decision criteria. The criteria for analysis in this report include: cost; speed; tradeoff issues in moving primative operations from software to hardware; real time operation considerations; change image resolution; and computational requirements.« less

Execution of a self-directed risk assessment methodology to address HIPAA data security requirements

NASA Astrophysics Data System (ADS)

Coleman, Johnathan

2003-05-01

This paper analyzes the method and training of a self directed risk assessment methodology entitled OCTAVE (Operationally Critical Threat Asset and Vulnerability Evaluation) at over 170 DOD medical treatment facilities. It focuses specifically on how OCTAVE built interdisciplinary, inter-hierarchical consensus and enhanced local capabilities to perform Health Information Assurance. The Risk Assessment Methodology was developed by the Software Engineering Institute at Carnegie Mellon University as part of the Defense Health Information Assurance Program (DHIAP). The basis for its success is the combination of analysis of organizational practices and technological vulnerabilities. Together, these areas address the core implications behind the HIPAA Security Rule and can be used to develop Organizational Protection Strategies and Technological Mitigation Plans. A key component of OCTAVE is the inter-disciplinary composition of the analysis team (Patient Administration, IT staff and Clinician). It is this unique composition of analysis team members, along with organizational and technical analysis of business practices, assets and threats, which enables facilities to create sound and effective security policies. The Risk Assessment is conducted in-house, and therefore the process, results and knowledge remain within the organization, helping to build consensus in an environment of differing organizational and disciplinary perspectives on Health Information Assurance.

Internet: An Overview of Key Technology Policy Issues Affecting Its Use and Growth

DTIC Science & Technology

2004-12-29

Alliance OSS Open Source Software SSA Social Security Administration SSN Social Security Number TLD Top Level Domain UCE Unsolicited Commercial E-mail... Alliance General Types of Internet Services B2B Business-to-Business B2G Business-to-Government G2B Government-to-Business G2C Government-to-Citizen G2G...response. Such software is called “adware.” Software CRS-7 programs that include spyware can be sold or provided for free, on a disk (or other media ) or

Key Considerations of Community, Scalability, Supportability, Security, and Functionality in Selecting Open-Source Software in California Universities as Perceived by Technology Leaders

ERIC Educational Resources Information Center

Britton, Todd Alan

2014-01-01

Purpose: The purpose of this study was to examine the key considerations of community, scalability, supportability, security, and functionality for selecting open-source software in California universities as perceived by technology leaders. Methods: After a review of the cogent literature, the key conceptual framework categories were identified…

The informatics capability maturity of integrated primary care centres in Australia.

PubMed

Liaw, Siaw-Teng; Kearns, Rachael; Taggart, Jane; Frank, Oliver; Lane, Riki; Tam, Michael; Dennis, Sarah; Walker, Christine; Russell, Grant; Harris, Mark

2017-09-01

Integrated primary care requires systems and service integration along with financial incentives to promote downward substitution to a single entry point to care. Integrated Primary Care Centres (IPCCs) aim to improve integration by co-location of health services. The Informatics Capability Maturity (ICM) describes how well health organisations collect, manage and share information; manage eHealth technology, implementation, change, data quality and governance; and use "intelligence" to improve care. Describe associations of ICM with systems and service integration in IPCCs. Mixed methods evaluation of IPCCs in metropolitan and rural Australia: an enhanced general practice, four GP Super Clinics, a "HealthOne" (private-public partnership) and a Community Health Centre. Data collection methods included self-assessed ICM, document review, interviews, observations in practice and assessment of electronic health record data. Data was analysed and compared across IPCCs. The IPCCs demonstrated a range of funding models, ownership, leadership, organisation and ICM. Digital tools were used with varying effectiveness to collect, use and share data. Connectivity was problematic, requiring "work-arounds" to communicate and share information. The lack of technical, data and software interoperability standards, clinical coding and secure messaging were barriers to data collection, integration and sharing. Strong leadership and governance was important for successful implementation of robust and secure eHealth systems. Patient engagement with eHealth tools was suboptimal. ICM is positively associated with integration of data, systems and care. Improved ICM requires a health workforce with eHealth competencies; technical, semantic and software standards; adequate privacy and security; and good governance and leadership. Copyright © 2017 Elsevier B.V. All rights reserved.

The Management and Security Expert (MASE)

NASA Technical Reports Server (NTRS)

Miller, Mark D.; Barr, Stanley J.; Gryphon, Coranth D.; Keegan, Jeff; Kniker, Catherine A.; Krolak, Patrick D.

1991-01-01

The Management and Security Expert (MASE) is a distributed expert system that monitors the operating systems and applications of a network. It is capable of gleaning the information provided by the different operating systems in order to optimize hardware and software performance; recognize potential hardware and/or software failure, and either repair the problem before it becomes an emergency, or notify the systems manager of the problem; and monitor applications and known security holes for indications of an intruder or virus. MASE can eradicate much of the guess work of system management.

Nine Easy Steps to Avoiding Software Copyright Infringement.

ERIC Educational Resources Information Center

Gamble, Lanny R.; Anderson, Larry S.

1989-01-01

To avoid microcomputer software copyright infringement, administrators must be aware of the law, read the software agreements, maintain good records, submit all software registration cards, provide secure storage, post warnings, be consistent when establishing and enforcing policies, consider a site license, and ensure the legality of currently…

ICCE Policy Statement on Network and Multiple Machine Software.

ERIC Educational Resources Information Center

Computing Teacher, 1983

1983-01-01

Issued to provide guidance for the resolution of problems inherent in providing and securing good educational software, this statement outlines responsibilities of educators, hardware vendors, and software developers/vendors. Sample policy statements for school districts and community colleges, suggested format for software licenses, and technical…

Systems Security Engineering

DTIC Science & Technology

2010-08-22

practice for information security management ( ISO /IEC 27002 ),” “Information technology — Security techniques — Information security management...systems —Requirements ( ISO /IEC 27002 ),”, “Information technology — Security techniques — Information security risk management ( ISO /IEC 27005).” from...associated practice aids. Perhaps the most germane discovery from this effort was a draft ISO standard on Systems and software engineering, Systems and

PREMIX: PRivacy-preserving EstiMation of Individual admiXture.

PubMed

Chen, Feng; Dow, Michelle; Ding, Sijie; Lu, Yao; Jiang, Xiaoqian; Tang, Hua; Wang, Shuang

2016-01-01

In this paper we proposed a framework: PRivacy-preserving EstiMation of Individual admiXture (PREMIX) using Intel software guard extensions (SGX). SGX is a suite of software and hardware architectures to enable efficient and secure computation over confidential data. PREMIX enables multiple sites to securely collaborate on estimating individual admixture within a secure enclave inside Intel SGX. We implemented a feature selection module to identify most discriminative Single Nucleotide Polymorphism (SNP) based on informativeness and an Expectation Maximization (EM)-based Maximum Likelihood estimator to identify the individual admixture. Experimental results based on both simulation and 1000 genome data demonstrated the efficiency and accuracy of the proposed framework. PREMIX ensures a high level of security as all operations on sensitive genomic data are conducted within a secure enclave using SGX.

Reducing software security risk through an integrated approach research initiative model based verification of the Secure Socket Layer (SSL) Protocol

NASA Technical Reports Server (NTRS)

Powell, John D.

2003-01-01

This document discusses the verification of the Secure Socket Layer (SSL) communication protocol as a demonstration of the Model Based Verification (MBV) portion of the verification instrument set being developed under the Reducing Software Security Risk (RSSR) Trough an Integrated Approach research initiative. Code Q of the National Aeronautics and Space Administration (NASA) funds this project. The NASA Goddard Independent Verification and Validation (IV&V) facility manages this research program at the NASA agency level and the Assurance Technology Program Office (ATPO) manages the research locally at the Jet Propulsion Laboratory (California institute of Technology) where the research is being carried out.

A Theoretical Analysis: Physical Unclonable Functions and The Software Protection Problem

DOE Office of Scientific and Technical Information (OSTI.GOV)

Nithyanand, Rishab; Solis, John H.

2011-09-01

Physical Unclonable Functions (PUFs) or Physical One Way Functions (P-OWFs) are physical systems whose responses to input stimuli (i.e., challenges) are easy to measure (within reasonable error bounds) but hard to clone. This property of unclonability is due to the accepted hardness of replicating the multitude of uncontrollable manufacturing characteristics and makes PUFs useful in solving problems such as device authentication, software protection, licensing, and certified execution. In this paper, we focus on the effectiveness of PUFs for software protection and show that traditional non-computational (black-box) PUFs cannot solve the problem against real world adversaries in offline settings. Our contributionsmore » are the following: We provide two real world adversary models (weak and strong variants) and present definitions for security against the adversaries. We continue by proposing schemes secure against the weak adversary and show that no scheme is secure against a strong adversary without the use of trusted hardware. Finally, we present a protection scheme secure against strong adversaries based on trusted hardware.« less

Personal computer security: part 1. Firewalls, antivirus software, and Internet security suites.

PubMed

Caruso, Ronald D

2003-01-01

Personal computer (PC) security in the era of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) involves two interrelated elements: safeguarding the basic computer system itself and protecting the information it contains and transmits, including personal files. HIPAA regulations have toughened the requirements for securing patient information, requiring every radiologist with such data to take further precautions. Security starts with physically securing the computer. Account passwords and a password-protected screen saver should also be set up. A modern antivirus program can easily be installed and configured. File scanning and updating of virus definitions are simple processes that can largely be automated and should be performed at least weekly. A software firewall is also essential for protection from outside intrusion, and an inexpensive hardware firewall can provide yet another layer of protection. An Internet security suite yields additional safety. Regular updating of the security features of installed programs is important. Obtaining a moderate degree of PC safety and security is somewhat inconvenient but is necessary and well worth the effort. Copyright RSNA, 2003

Security and privacy qualities of medical devices: an analysis of FDA postmarket surveillance.

PubMed

Kramer, Daniel B; Baker, Matthew; Ransford, Benjamin; Molina-Markham, Andres; Stewart, Quinn; Fu, Kevin; Reynolds, Matthew R

2012-01-01

Medical devices increasingly depend on computing functions such as wireless communication and Internet connectivity for software-based control of therapies and network-based transmission of patients' stored medical information. These computing capabilities introduce security and privacy risks, yet little is known about the prevalence of such risks within the clinical setting. We used three comprehensive, publicly available databases maintained by the Food and Drug Administration (FDA) to evaluate recalls and adverse events related to security and privacy risks of medical devices. Review of weekly enforcement reports identified 1,845 recalls; 605 (32.8%) of these included computers, 35 (1.9%) stored patient data, and 31 (1.7%) were capable of wireless communication. Searches of databases specific to recalls and adverse events identified only one event with a specific connection to security or privacy. Software-related recalls were relatively common, and most (81.8%) mentioned the possibility of upgrades, though only half of these provided specific instructions for the update mechanism. Our review of recalls and adverse events from federal government databases reveals sharp inconsistencies with databases at individual providers with respect to security and privacy risks. Recalls related to software may increase security risks because of unprotected update and correction mechanisms. To detect signals of security and privacy problems that adversely affect public health, federal postmarket surveillance strategies should rethink how to effectively and efficiently collect data on security and privacy problems in devices that increasingly depend on computing systems susceptible to malware.

Security and Privacy Qualities of Medical Devices: An Analysis of FDA Postmarket Surveillance

PubMed Central

Kramer, Daniel B.; Baker, Matthew; Ransford, Benjamin; Molina-Markham, Andres; Stewart, Quinn; Fu, Kevin; Reynolds, Matthew R.

2012-01-01

Background Medical devices increasingly depend on computing functions such as wireless communication and Internet connectivity for software-based control of therapies and network-based transmission of patients’ stored medical information. These computing capabilities introduce security and privacy risks, yet little is known about the prevalence of such risks within the clinical setting. Methods We used three comprehensive, publicly available databases maintained by the Food and Drug Administration (FDA) to evaluate recalls and adverse events related to security and privacy risks of medical devices. Results Review of weekly enforcement reports identified 1,845 recalls; 605 (32.8%) of these included computers, 35 (1.9%) stored patient data, and 31 (1.7%) were capable of wireless communication. Searches of databases specific to recalls and adverse events identified only one event with a specific connection to security or privacy. Software-related recalls were relatively common, and most (81.8%) mentioned the possibility of upgrades, though only half of these provided specific instructions for the update mechanism. Conclusions Our review of recalls and adverse events from federal government databases reveals sharp inconsistencies with databases at individual providers with respect to security and privacy risks. Recalls related to software may increase security risks because of unprotected update and correction mechanisms. To detect signals of security and privacy problems that adversely affect public health, federal postmarket surveillance strategies should rethink how to effectively and efficiently collect data on security and privacy problems in devices that increasingly depend on computing systems susceptible to malware. PMID:22829874

Automated, Certified Program-rewriting for Software Security Enforcement

DTIC Science & Technology

2012-03-05

VLC ), pages 257-260, Oak Brook, Illinois, Oc- tober 2010. [14] Aditi A. Patwardhan. Security-aware program visualization for analyz- ing in-lined...January 2010. [17] Meera Sridhar and Kevin W. Hamlen. Flexible in-lined reference moni- tor certification: Challenges and future directions. In...pages 55-60, Austin, Texas, January 2011. [18] Bhavani Thuraisingham and Kevin W. Hamlen. Challenges and future directions of software technology

A Proven Methodology for Developing Secure Software and Applying It to Ground Systems

NASA Technical Reports Server (NTRS)

Bailey, Brandon

2016-01-01

Part Two expands upon Part One in an attempt to translate the methodology for ground system personnel. The goal is to build upon the methodology presented in Part One by showing examples and details on how to implement the methodology. Section 1: Ground Systems Overview; Section 2: Secure Software Development; Section 3: Defense in Depth for Ground Systems; Section 4: What Now?

The ESGF Software Stack: a Configurable and Extensible Framework for Enabling Access to Geospatial Data

NASA Astrophysics Data System (ADS)

Cinquini, L.; Bell, G. M.; Williams, D.; Harney, J.

2012-12-01

The Earth System Grid Federation (ESGF) is a multi-agency, international collaboration that aims at developing state-of-the-art services for the management and access of Earth system data. ESGF is currently used to serve the totality of the model output used for the forthcoming IPCC 5th assessment report on climate change, as well as supporting observational and reanalysis datasets. Also, it is been adopted by several other projects that focus on global, regional and local climate modeling. The ESGF software stack is composed of several modular applications that cover related but disjoint areas of functionality: data publishing, data search and discovery, data access, user management, security, and federation. Overall, the ESGF infrastructure offers a configurable end-to-end solution to the problem of enabling web-based access to large amounts of geospatial data. This talk will present the architectural and configuration options that are available to a data provider leveraging ESGF to serve their data: which services to expose, how to scale to larger data collections, how to establish access control, how to customize the user interface, and others. Additionally, the framework provides extension points that allow each site to plug in custom functionality such as crawling of specific metadata repositories, exposing domain-specific analysis and visualization services, developing custom access clients that interact with the system APIs. These configuration and extension capabilities are based on simple but effective domain-specific object models, that underpin the software applications: the data model, the security model, and the federation model. The ESGF software stack is developed collaboratively by software engineers at many institutions around the world, and is made freely available to the community under an open source license to promote adoption, reuse, inspection and continuous improvement.

Internetting tactical security sensor systems

NASA Astrophysics Data System (ADS)

Gage, Douglas W.; Bryan, W. D.; Nguyen, Hoa G.

1998-08-01

The Multipurpose Surveillance and Security Mission Platform (MSSMP) is a distributed network of remote sensing packages and control stations, designed to provide a rapidly deployable, extended-range surveillance capability for a wide variety of military security operations and other tactical missions. The baseline MSSMP sensor suite consists of a pan/tilt unit with video and FLIR cameras and laser rangefinder. With an additional radio transceiver, MSSMP can also function as a gateway between existing security/surveillance sensor systems such as TASS, TRSS, and IREMBASS, and IP-based networks, to support the timely distribution of both threat detection and threat assessment information. The MSSMP system makes maximum use of Commercial Off The Shelf (COTS) components for sensing, processing, and communications, and of both established and emerging standard communications networking protocols and system integration techniques. Its use of IP-based protocols allows it to freely interoperate with the Internet -- providing geographic transparency, facilitating development, and allowing fully distributed demonstration capability -- and prepares it for integration with the IP-based tactical radio networks that will evolve in the next decade. Unfortunately, the Internet's standard Transport layer protocol, TCP, is poorly matched to the requirements of security sensors and other quasi- autonomous systems in being oriented to conveying a continuous data stream, rather than discrete messages. Also, its canonical 'socket' interface both conceals short losses of communications connectivity and simply gives up and forces the Application layer software to deal with longer losses. For MSSMP, a software applique is being developed that will run on top of User Datagram Protocol (UDP) to provide a reliable message-based Transport service. In addition, a Session layer protocol is being developed to support the effective transfer of control of multiple platforms among multiple control stations.

45 CFR 95.621 - ADP reviews.

Code of Federal Regulations, 2013 CFR

2013-10-01

... requirements shall include the following components: (i) Determination and implementation of appropriate... use; (C) Software and data security; (D) Telecommunications security; (E) Personnel security; (F... reviews, together with pertinent supporting documentation, for HHS on-site review. [43 FR 44853, Sept. 29...

45 CFR 95.621 - ADP reviews.

Code of Federal Regulations, 2012 CFR

2012-10-01

... requirements shall include the following components: (i) Determination and implementation of appropriate... use; (C) Software and data security; (D) Telecommunications security; (E) Personnel security; (F... reviews, together with pertinent supporting documentation, for HHS on-site review. [43 FR 44853, Sept. 29...

45 CFR 95.621 - ADP reviews.

Code of Federal Regulations, 2014 CFR

2014-10-01

... requirements shall include the following components: (i) Determination and implementation of appropriate... use; (C) Software and data security; (D) Telecommunications security; (E) Personnel security; (F... reviews, together with pertinent supporting documentation, for HHS on-site review. [43 FR 44853, Sept. 29...

Development of an Automated Security Incident Reporting System (SIRS) for Bus Transit

DOT National Transportation Integrated Search

1986-12-01

The security incident reporting system (sirs) is a microcomputer-based software program demonstrated at the metropolitan transit commission (mtc) in Minneapolis, mn. Sirs is designed to provide convenient storage, update and retrieval of security inc...

Access Control Is More than Security.

ERIC Educational Resources Information Center

Fickes, Michael

2002-01-01

Describes the University of New Mexico's photo identification LOBO card system, which performs both security and validation tasks. It is used in conjunction with several C-CURE 800 Integrated Security Management Systems supplied by Software House of Lexington, Massachusetts. (EV)

Third-Party Software's Trust Quagmire.

PubMed

Voas, J; Hurlburt, G

2015-12-01

Current software development has trended toward the idea of integrating independent software sub-functions to create more complete software systems. Software sub-functions are often not homegrown - instead they are developed by unknown 3 rd party organizations and reside in software marketplaces owned or controlled by others. Such software sub-functions carry plausible concern in terms of quality, origins, functionality, security, interoperability, to name a few. This article surveys key technical difficulties in confidently building systems from acquired software sub-functions by calling out the principle software supply chain actors.

Software and the future of programming languages.

PubMed

Aho, Alfred V

2004-02-27

Although software is the key enabler of the global information infrastructure, the amount and extent of software in use in the world today are not widely understood, nor are the programming languages and paradigms that have been used to create the software. The vast size of the embedded base of existing software and the increasing costs of software maintenance, poor security, and limited functionality are posing significant challenges for the software R&D community.

Remotely Monitored Sealing Array Software

DOE Office of Scientific and Technical Information (OSTI.GOV)

2012-09-12

The Remotely Monitored Sealing Array (RMSA) utilizes the Secure Sensor Platform (SSP) framework to establish the fundamental operating capabilities for communication, security, power management, and cryptography. In addition to the SSP framework the RMSA software has unique capabilities to support monitoring a fiber optic seal. Fiber monitoring includes open and closed as well as parametric monitoring to detect tampering attacks. The fiber monitoring techniques, using the SSP power management processes, allow the seals to last for years while maintaining the security requirements of the monitoring application. The seal is enclosed in a tamper resistant housing with software to support activemore » tamper monitoring. New features include LED notification of fiber closure, the ability to retrieve the entire fiber optic history via translator command, separate memory storage for fiber optic events, and a more robust method for tracking and resending failed messages.« less

Metamorphic Testing for Cybersecurity.

PubMed

Chen, Tsong Yueh; Kuo, Fei-Ching; Ma, Wenjuan; Susilo, Willy; Towey, Dave; Voas, Jeffrey; Zhou, Zhi Quan

2016-06-01

Testing is a major approach for the detection of software defects, including vulnerabilities in security features. This article introduces metamorphic testing (MT), a relatively new testing method, and discusses how the new perspective of MT can help to conduct negative testing as well as to alleviate the oracle problem in the testing of security-related functionality and behavior. As demonstrated by the effectiveness of MT in detecting previously unknown bugs in real-world critical applications such as compilers and code obfuscators, we conclude that software testing of security-related features should be conducted from diverse perspectives in order to achieve greater cybersecurity.

Metamorphic Testing for Cybersecurity

PubMed Central

Chen, Tsong Yueh; Kuo, Fei-Ching; Ma, Wenjuan; Susilo, Willy; Towey, Dave; Voas, Jeffrey

2016-01-01

Testing is a major approach for the detection of software defects, including vulnerabilities in security features. This article introduces metamorphic testing (MT), a relatively new testing method, and discusses how the new perspective of MT can help to conduct negative testing as well as to alleviate the oracle problem in the testing of security-related functionality and behavior. As demonstrated by the effectiveness of MT in detecting previously unknown bugs in real-world critical applications such as compilers and code obfuscators, we conclude that software testing of security-related features should be conducted from diverse perspectives in order to achieve greater cybersecurity. PMID:27559196

Dual-surface dielectric depth detector for holographic millimeter-wave security scanners

NASA Astrophysics Data System (ADS)

McMakin, Douglas L.; Keller, Paul E.; Sheen, David M.; Hall, Thomas E.

2009-05-01

The Transportation Security Administration (TSA) is presently deploying millimeter-wave whole body scanners at over 20 airports in the United States. Threats that may be concealed on a person are displayed to the security operator of this scanner. "Passenger privacy is ensured through the anonymity of the image. The officer attending the passenger cannot view the image, and the officer viewing the image is remotely located and cannot see the passenger. Additionally, the image cannot be stored, transmitted or printed and is deleted immediately after being viewed. Finally, the facial area of the image has been blurred to further ensure privacy." Pacific Northwest National Laboratory (PNNL) originated research into this novel security technology which has been independently commercialized by L-3 Communications, SafeView, Inc. PNNL continues to perform fundamental research into improved software techniques which are applicable to the field of holographic security screening technology. This includes performing significant research to remove human features from the imagery. Both physical and software imaging techniques have been employed. The physical imaging techniques include polarization diversity illumination and reception, dual frequency implementation, and high frequency imaging at 100 GHz. This paper will focus on a software privacy technique using a dual surface dielectric depth detector method.

Evaluating the feasibility of using online software to collect patient information in a chiropractic practice-based research network

PubMed Central

Kania-Richmond, Ania; Weeks, Laura; Scholten, Jeffrey; Reney, Mikaël

2016-01-01

Background: Practice based research networks (PBRNs) are increasingly used as a tool for evidence based practice. We developed and tested the feasibility of using software to enable online collection of patient data within a chiropractic PBRN to support clinical decision making and research in participating clinics. Purpose: To assess the feasibility of using online software to collect quality patient information. Methods: The study consisted of two phases: 1) Assessment of the quality of information provided, using a standardized form; and 2) Exploration of patients’ perspectives and experiences regarding online information provision through semi-structured interviews. Data analysis was descriptive. Results: Forty-five new patients were recruited. Thirty-six completed online forms, which were submitted by an appropriate person 100% of the time, with an error rate of less than 1%, and submitted in a timely manner 83% of the time. Twenty-one participants were interviewed. Overall, online forms were preferred given perceived security, ease of use, and enabling provision of more accurate information. Conclusions: Use of online software is feasible, provides high quality information, and is preferred by most participants. A pen-and-paper format should be available for patients with this preference and in case of technical difficulties. PMID:27069272

Embedding Secure Coding Instruction into the IDE: Complementing Early and Intermediate CS Courses with ESIDE

ERIC Educational Resources Information Center

Whitney, Michael; Lipford, Heather Richter; Chu, Bill; Thomas, Tyler

2018-01-01

Many of the software security vulnerabilities that people face today can be remediated through secure coding practices. A critical step toward the practice of secure coding is ensuring that our computing students are educated on these practices. We argue that secure coding education needs to be included across a computing curriculum. We are…

76 FR 1059 - Publicly Available Mass Market Encryption Software and Other Specified Publicly Available...

Federal Register 2010, 2011, 2012, 2013, 2014

2011-01-07

.... 100108014-0121-01] RIN 0694-AE82 Publicly Available Mass Market Encryption Software and Other Specified Publicly Available Encryption Software in Object Code AGENCY: Bureau of Industry and Security, Commerce... encryption object code software with a symmetric key length greater than 64-bits, and ``publicly available...

Software Assurance: Five Essential Considerations for Acquisition Officials

DTIC Science & Technology

2007-05-01

May 2007 www.stsc.hill.af.mil 17 2 • address security concerns in the software development life cycle ( SDLC )? • Are there formal software quality...What threat modeling process, if any, is used when designing the software ? What analysis, design, and construction tools are used by your software design...the-shelf (COTS), government off-the-shelf (GOTS), open- source, embedded, and legacy software . Attackers exploit unintentional vulnerabil- ities or

Computer applications for the hospital security department--buying or developing a shift log reporting system.

PubMed

Gruber, T

1996-01-01

The author presents guidelines to help a security department select a computer system to track security activities--whether it's a commercial software product, an in-house developed program, or a do-it-yourself designed system. Computerized security activity reporting, he believes, is effective and beneficial.

Dynamic Construction Scheme for Virtualization Security Service in Software-Defined Networks

PubMed Central

Lin, Zhaowen; Tao, Dan; Wang, Zhenji

2017-01-01

For a Software Defined Network (SDN), security is an important factor affecting its large-scale deployment. The existing security solutions for SDN mainly focus on the controller itself, which has to handle all the security protection tasks by using the programmability of the network. This will undoubtedly involve a heavy burden for the controller. More devastatingly, once the controller itself is attacked, the entire network will be paralyzed. Motivated by this, this paper proposes a novel security protection architecture for SDN. We design a security service orchestration center in the control plane of SDN, and this center physically decouples from the SDN controller and constructs SDN security services. We adopt virtualization technology to construct a security meta-function library, and propose a dynamic security service composition construction algorithm based on web service composition technology. The rule-combining method is used to combine security meta-functions to construct security services which meet the requirements of users. Moreover, the RETE algorithm is introduced to improve the efficiency of the rule-combining method. We evaluate our solutions in a realistic scenario based on OpenStack. Substantial experimental results demonstrate the effectiveness of our solutions that contribute to achieve the effective security protection with a small burden of the SDN controller. PMID:28430155

Dynamic Construction Scheme for Virtualization Security Service in Software-Defined Networks.

PubMed

Lin, Zhaowen; Tao, Dan; Wang, Zhenji

2017-04-21

For a Software Defined Network (SDN), security is an important factor affecting its large-scale deployment. The existing security solutions for SDN mainly focus on the controller itself, which has to handle all the security protection tasks by using the programmability of the network. This will undoubtedly involve a heavy burden for the controller. More devastatingly, once the controller itself is attacked, the entire network will be paralyzed. Motivated by this, this paper proposes a novel security protection architecture for SDN. We design a security service orchestration center in the control plane of SDN, and this center physically decouples from the SDN controller and constructs SDN security services. We adopt virtualization technology to construct a security meta-function library, and propose a dynamic security service composition construction algorithm based on web service composition technology. The rule-combining method is used to combine security meta-functions to construct security services which meet the requirements of users. Moreover, the RETE algorithm is introduced to improve the efficiency of the rule-combining method. We evaluate our solutions in a realistic scenario based on OpenStack. Substantial experimental results demonstrate the effectiveness of our solutions that contribute to achieve the effective security protection with a small burden of the SDN controller.

Household food security status in the Northeast of Iran: a cross-sectional study.

PubMed

Gholami, Ali; Foroozanfar, Zohre

2015-01-01

An important issue the world faces today is ensuring that households living in different countries have access to enough food to maintain a healthy life. Food insecurity is prevalent in both developed and developing countries. The objective of this study was to assess the household food security status and related factors among different rural districts of Neyshabur (A city in northeast of Iran). Of 5000 selected rural households 4647 were studied in this cross-sectional study. A validated short questionnaire (with six questions) was used to measure food security. Chi-square test and logistic regression were used for data analysis through SPSS software. In total, 2747 households (59.1%) were identified as food secure. The highest prevalence of food security was observed in Central district (62.3%) and the lowest was in Miyanjolgeh district (52.9%). Backward multiple logistic regression revealed that car ownership, presence of chronic disease in household and household income (per month) were significantly associated with food security in all of surveyed districts (p< 0.05). According to results of this study, lower than 60% of Neyshabur rural households were food secure and economic variables were the most important factors. Therefore, a special attention should be paid to this health problem in these regions.

Achieving Better Buying Power through Acquisition of Open Architecture Software Systems. Volume 2 Understanding Open Architecture Software Systems: Licensing and Security Research and Recommendations

DTIC Science & Technology

2016-01-06

of- breed software components and software products lines (SPLs) that are subject to different IP license and cybersecurity requirements. The... commercially priced closed source software components, to be used in the design, implementation, deployment, and evolution of open architecture (OA... breed software components and software products lines (SPLs) that are subject to different IP license and cybersecurity requirements. The Department

Bigdata Driven Cloud Security: A Survey

NASA Astrophysics Data System (ADS)

Raja, K.; Hanifa, Sabibullah Mohamed

2017-08-01

Cloud Computing (CC) is a fast-growing technology to perform massive-scale and complex computing. It eliminates the need to maintain expensive computing hardware, dedicated space, and software. Recently, it has been observed that massive growth in the scale of data or big data generated through cloud computing. CC consists of a front-end, includes the users’ computers and software required to access the cloud network, and back-end consists of various computers, servers and database systems that create the cloud. In SaaS (Software as-a-Service - end users to utilize outsourced software), PaaS (Platform as-a-Service-platform is provided) and IaaS (Infrastructure as-a-Service-physical environment is outsourced), and DaaS (Database as-a-Service-data can be housed within a cloud), where leading / traditional cloud ecosystem delivers the cloud services become a powerful and popular architecture. Many challenges and issues are in security or threats, most vital barrier for cloud computing environment. The main barrier to the adoption of CC in health care relates to Data security. When placing and transmitting data using public networks, cyber attacks in any form are anticipated in CC. Hence, cloud service users need to understand the risk of data breaches and adoption of service delivery model during deployment. This survey deeply covers the CC security issues (covering Data Security in Health care) so as to researchers can develop the robust security application models using Big Data (BD) on CC (can be created / deployed easily). Since, BD evaluation is driven by fast-growing cloud-based applications developed using virtualized technologies. In this purview, MapReduce [12] is a good example of big data processing in a cloud environment, and a model for Cloud providers.

Teaching sustainability science from a systems analysis perspective: MSc course at Utrecht University

NASA Astrophysics Data System (ADS)

Santos, Maria J.; de Boer, Hugo; Dekker, Stefan

2017-04-01

Sustainability science has emerged as a key discipline that embraces both disciplinary depth and interdisciplinary breadth. The challenge is to design University courses that convey both properties without sacrificing either of them. Here we present the design of such course at Utrecht University (the Netherlands) for the MSC program 'Sustainable Development' and discuss the perceived learning and student evaluations. Our course (Sustainability Modelling and Indicators (SMI)) follows an introductory course on Sustainability Perspectives. SMI philosophy is that system thinking and system analysis is central to sustainability science. To convey this philosophy, we focus on four themes: the Anthropocene, Food security, Energy security and Agency and decision making. We developed four hands-on assignments with increasing complexity and make use of different software (Stella, Excel, IMAGE and Netlogo). The assignments aimed at: (1) teaching students the system components by using a pre-existing model in Stella, (2) challenge students to build their own coupled system in Excel, (3) assess outputs from the fully-coupled and dynamic model integrated assessment model IMAGE, and (4) understand emergent properties using an agent-based model in Netlogo. Based on detailed student evaluations (n = 95) we found that the mathematics presented a manageable challenge to a part of the students. The student pool identified a priori having higher experience with Excel in comparison with other software. Netlogo was the highest ranked software in the student evaluations and this was linked to its user-interface with moving agents. The Excel assignment received the highest and lowest scores, and students found it challenging, time consuming but also indicated that they learned the most from this assignment. Students graded what we considered 'easy' assignments with the highest grades. These results suggest that a systems analytical approach to sustainability science can be operationalized in diverse ways that relate to students background and making use of of-the-shelf software. The key challenge is to teach students all the concepts of systems analysis and the applied mathematics behind it. If the goal is to demonstrate process, this portfolio approach with of-the-shelf software can be very successful. This course can be complemented with programming that provides skills to modify and customize software to student needs.

Evaluation and selection of security products for authentication of computer software

NASA Astrophysics Data System (ADS)

Roenigk, Mark W.

2000-04-01

Software Piracy is estimated to cost software companies over eleven billion dollars per year in lost revenue worldwide. Over fifty three percent of all intellectual property in the form of software is pirated on a global basis. Software piracy has a dramatic effect on the employment figures for the information industry as well. In the US alone, over 130,000 jobs are lost annually as a result of software piracy.

Emerging Technologies for Software-Reliant Systems

DTIC Science & Technology

2011-02-24

needs • Loose coupling • Global distribution of hardware, software and people • Horizontal integration and convergence • Virtualization...Webinar– February 2011 © 2011 Carnegie Mellon University Global Distribution of Hardware, Software and People Globalization is an essential part of...University Required Software Engineering Emphasis Due to Emerging Technologies (2) Defensive Programming • Security • Auto-adaptation • Globalization

CrossTalk: The Journal of Defense Software Engineering. Volume 20, Number 3, March 2007

DTIC Science & Technology

2007-03-01

Capability Maturity Model ® Integration (CMMI®). CMU Software Engineering Institute <www.sei.cmu.edu/cmmi>. 5. ISO /IEC 27001 :2005. Information Security...international standards bodies – International Organization for Standardi- zation ( ISO ) and International Electro- technical Commission (IEC) – are working on a...number of projects that affect soft- ware security: • The ISO Technical Management Board (TMB) performs strategic planning and coordination for ISO

Design, Development, and Automated Verification of an Integrity-Protected Hypervisor

DTIC Science & Technology

2012-07-16

mechanism for implementing software virtualization. Since hypervisors execute at a very high privilege level, they must be secure. A fundamental security...using the CBMC model checker. CBMC verified XMHF?s implementation ? about 4700 lines of C code ? in about 80 seconds using less than 2GB of RAM. 15...Hypervisors are a popular mechanism for implementing software virtualization. Since hypervisors execute at a very high privilege level, they must be

Security Risks of Cloud Computing and Its Emergence as 5th Utility Service

NASA Astrophysics Data System (ADS)

Ahmad, Mushtaq

Cloud Computing is being projected by the major cloud services provider IT companies such as IBM, Google, Yahoo, Amazon and others as fifth utility where clients will have access for processing those applications and or software projects which need very high processing speed for compute intensive and huge data capacity for scientific, engineering research problems and also e- business and data content network applications. These services for different types of clients are provided under DASM-Direct Access Service Management based on virtualization of hardware, software and very high bandwidth Internet (Web 2.0) communication. The paper reviews these developments for Cloud Computing and Hardware/Software configuration of the cloud paradigm. The paper also examines the vital aspects of security risks projected by IT Industry experts, cloud clients. The paper also highlights the cloud provider's response to cloud security risks.

A survey of medical informatics in Belgium.

PubMed

Roger, F H; Behets, M; Andre, J; de Moor, G; Sevens, C; Willems, J L

1987-01-01

The Belgian Society for Medical Informatics (MIM) organized a survey in 1986 in order to assess the present state of development of medical informatics in Belgium. Questionnaires were sent to hospitals, laboratories, private practitioners and pharmacists, as well as to social security organizations and software industries. The response rate was higher in hospitals (93%) than in any other category. Results showed a large number of computerized hospitals (93% of general acute care hospitals and 91% of psychiatric hospitals). There has been a sharp increase (+ 15%) in computerization of the admission, accounting and billing procedures since 1985, most likely in relation with administrative rules issued by the Belgian Government. The same trend (+ 20%) has been observed for computer applications in clinical laboratories, between 1984 and 1985. There is almost one computer terminal for ten beds in the hospitals with more than 200 beds in 1986. This figure exemplifies the present trend to on-line access to data. Computerized instrumental aids to medicine such as text processing, imaging or computerized interpretation of signals have known a rapid extension during recent years, although less comprehensive than administrative applications in hospitals and in social security organizations. The present state of other applications in medicine (general practice, pharmacy, etc.) was more difficult to assess as those information systems remain more pinpointed. In all medical fields, there appears to be a new rise in computer programs offered by software companies.

PRESAGE: PRivacy-preserving gEnetic testing via SoftwAre Guard Extension.

PubMed

Chen, Feng; Wang, Chenghong; Dai, Wenrui; Jiang, Xiaoqian; Mohammed, Noman; Al Aziz, Md Momin; Sadat, Md Nazmus; Sahinalp, Cenk; Lauter, Kristin; Wang, Shuang

2017-07-26

Advances in DNA sequencing technologies have prompted a wide range of genomic applications to improve healthcare and facilitate biomedical research. However, privacy and security concerns have emerged as a challenge for utilizing cloud computing to handle sensitive genomic data. We present one of the first implementations of Software Guard Extension (SGX) based securely outsourced genetic testing framework, which leverages multiple cryptographic protocols and minimal perfect hash scheme to enable efficient and secure data storage and computation outsourcing. We compared the performance of the proposed PRESAGE framework with the state-of-the-art homomorphic encryption scheme, as well as the plaintext implementation. The experimental results demonstrated significant performance over the homomorphic encryption methods and a small computational overhead in comparison to plaintext implementation. The proposed PRESAGE provides an alternative solution for secure and efficient genomic data outsourcing in an untrusted cloud by using a hybrid framework that combines secure hardware and multiple crypto protocols.

Security. Review Software for Advanced CHOICE. CHOICE (Challenging Options in Career Education).

ERIC Educational Resources Information Center

Pitts, Ilse M.; And Others

CHOICE Security is an Apple computer game activity designed to help secondary migrant students memorize their social security numbers and reinforce job and role information presented in "Career Notes, First Applications." The learner may choose from four time options and whether to have the social security number visible on the screen or…

High Assurance Models for Secure Systems

ERIC Educational Resources Information Center

Almohri, Hussain M. J.

2013-01-01

Despite the recent advances in systems and network security, attacks on large enterprise networks consistently impose serious challenges to maintaining data privacy and software service integrity. We identify two main problems that contribute to increasing the security risk in a networked environment: (i) vulnerable servers, workstations, and…

Applying an MVC Framework for The System Development Life Cycle with Waterfall Model Extended

NASA Astrophysics Data System (ADS)

Hardyanto, W.; Purwinarko, A.; Sujito, F.; Masturi; Alighiri, D.

2017-04-01

This paper describes the extension of the waterfall model using MVC architectural pattern for software development. The waterfall model is the based model of the most widely used in software development, yet there are still many problems in it. The general issue usually happens on data changes that cause the delays on the process itself. On the other hand, the security factor on the software as well as one of the major problems. This study uses PHP programming language for implementation. Although this model can be implemented in several programming languages with the same concept. This study is based on MVC architecture so that it can improve the performance of both software development and maintenance, especially concerning security, validation, database access, and routing.

Security model for picture archiving and communication systems.

PubMed

Harding, D B; Gac, R J; Reynolds, C T; Romlein, J; Chacko, A K

2000-05-01

The modern information revolution has facilitated a metamorphosis of health care delivery wrought with the challenges of securing patient sensitive data. To accommodate this reality, Congress passed the Health Insurance Portability and Accountability Act (HIPAA). While final guidance has not fully been resolved at this time, it is up to the health care community to develop and implement comprehensive security strategies founded on procedural, hardware and software solutions in preparation for future controls. The Virtual Radiology Environment (VRE) Project, a landmark US Army picture archiving and communications system (PACS) implemented across 10 geographically dispersed medical facilities, has addressed that challenge by planning for the secure transmission of medical images and reports over their local (LAN) and wide area network (WAN) infrastructure. Their model, which is transferable to general PACS implementations, encompasses a strategy of application risk and dataflow identification, data auditing, security policy definition, and procedural controls. When combined with hardware and software solutions that are both non-performance limiting and scalable, the comprehensive approach will not only sufficiently address the current security requirements, but also accommodate the natural evolution of the enterprise security model.

An Analysis of Mission Critical Computer Software in Naval Aviation

DTIC Science & Technology

1991-03-01

No. Task No. Work Unit Accesion Number 11. TITLE (Include Security Classification) AN ANALYSIS OF MISSION CRITICAL COMPUTER SOFTWARE IN NAVAL AVIATION...software development schedules were sustained without a milestone change being made. Also, software that was released to the fleet had no major...fleet contain any major defects? This research has revealed that only about half of the original software development schedules were sustained without a

Human-Technology Centric In Cyber Security Maintenance For Digital Transformation Era

NASA Astrophysics Data System (ADS)

Ali, Firkhan Ali Bin Hamid; Zalisham Jali, Mohd, Dr

2018-05-01

The development of the digital transformation in the organizations has become more expanding in these present and future years. This is because of the active demand to use the ICT services among all the organizations whether in the government agencies or private sectors. While digital transformation has led manufacturers to incorporate sensors and software analytics into their offerings, the same innovation has also brought pressure to offer clients more accommodating appliance deployment options. So, their needs a well plan to implement the cyber infrastructures and equipment. The cyber security play important role to ensure that the ICT components or infrastructures execute well along the organization’s business successful. This paper will present a study of security management models to guideline the security maintenance on existing cyber infrastructures. In order to perform security model for the currently existing cyber infrastructures, combination of the some security workforces and security process of extracting the security maintenance in cyber infrastructures. In the assessment, the focused on the cyber security maintenance within security models in cyber infrastructures and presented a way for the theoretical and practical analysis based on the selected security management models. Then, the proposed model does evaluation for the analysis which can be used to obtain insights into the configuration and to specify desired and undesired configurations. The implemented cyber security maintenance within security management model in a prototype and evaluated it for practical and theoretical scenarios. Furthermore, a framework model is presented which allows the evaluation of configuration changes in the agile and dynamic cyber infrastructure environments with regard to properties like vulnerabilities or expected availability. In case of a security perspective, this evaluation can be used to monitor the security levels of the configuration over its lifetime and to indicate degradations.

Key on demand (KoD) for software-defined optical networks secured by quantum key distribution (QKD).

PubMed

Cao, Yuan; Zhao, Yongli; Colman-Meixner, Carlos; Yu, Xiaosong; Zhang, Jie

2017-10-30

Software-defined optical networking (SDON) will become the next generation optical network architecture. However, the optical layer and control layer of SDON are vulnerable to cyberattacks. While, data encryption is an effective method to minimize the negative effects of cyberattacks, secure key interchange is its major challenge which can be addressed by the quantum key distribution (QKD) technique. Hence, in this paper we discuss the integration of QKD with WDM optical networks to secure the SDON architecture by introducing a novel key on demand (KoD) scheme which is enabled by a novel routing, wavelength and key assignment (RWKA) algorithm. The QKD over SDON with KoD model follows two steps to provide security: i) quantum key pools (QKPs) construction for securing the control channels (CChs) and data channels (DChs); ii) the KoD scheme uses RWKA algorithm to allocate and update secret keys for different security requirements. To test our model, we define a security probability index which measures the security gain in CChs and DChs. Simulation results indicate that the security performance of CChs and DChs can be enhanced by provisioning sufficient secret keys in QKPs and performing key-updating considering potential cyberattacks. Also, KoD is beneficial to achieve a positive balance between security requirements and key resource usage.

National Computer Security Conference (13th) Held in Washington, DC on 1-4 October, 1990. Procedings. Volume 1: Information Systems Security: Standards - The Key to the Future

DTIC Science & Technology

1990-10-04

methods Category 6: Cryptographic methods (hard/ software ) - Tested countermeasures and standard means - Acknowledgements As the number of antivirus ...Skulason), only our own antiviruses have been mentioned in the catalog. We hope to include the major antivirus packages in the future. The current...Center GTE SRI International Trusted Information Systems, Inc. Grumann Data Systems SRI International Software Engineering Institute Trusted

Evaluating a Service-Oriented Architecture

DTIC Science & Technology

2007-09-01

See the description on page 13. SaaS Software as a service ( SaaS ) is a software delivery model where customers don’t own a copy of the application... serviceability REST Representational State Transfer RIA rich internet application RPC remote procedure call SaaS software as a service SAML Security...Evaluating a Service -Oriented Architecture Phil Bianco, Software Engineering Institute Rick Kotermanski, Summa Technologies Paulo Merson

A Novel Survey to Examine the Relationship between Health IT Adoption and Nurse-Physician Communication.

PubMed

Holmgren, A Jay; Pfeifer, Eric; Manojlovich, Milisa; Adler-Milstein, Julia

2016-12-21

As EHR adoption in US hospitals becomes ubiquitous, a wide range of IT options are theoretically available to facilitate physician-nurse communication, but we know little about the adoption rate of specific technologies or the impact of their use. To measure adoption of hardware, software, and telephony relevant to nurse-physician communication in US hospitals. To assess the relationship between non-IT communication practices and hardware, software, and telephony adoption. To identify hospital characteristics associated with greater adoption of hardware, software, telephony, and non-IT communication practices. We conducted a survey of 105 hospitals in the National Nursing Practice Network. The survey captured adoption of hardware, software, and telephony to support nurse-physician communication, along with non-IT communication practices. We calculated descriptive statistics and then created four indices, one for each category, by scoring degree of adoption of technologies or practices within each category. Next, we examined correlations between the three technology indices and the non-IT communication practices index. We used multivariate OLS regression to assess whether certain types of hospitals had higher index scores. The majority of hospitals surveyed have a range of hardware, software, and telephony tools available to support nurse-physician communication; we found substantial heterogeneity across hospitals in non-IT communication practices. More intensive non-IT communication was associated with greater adoption of software (r=0.31, p=0.01), but was not correlated with hardware or telephony. Medium-sized hospitals had lower adoption of software (r =-1.14,p=0.04) in comparison to small hospitals, while federally-owned hospitals had lower software (r=-2.57, p=0.02) and hardware adoption (r=-1.63, p=0.01). The positive relationship between non-IT communication and level of software adoption suggests that there is a complementary, rather than substitutive, relationship. Our results suggest that some technologies with the potential to further enhance communication, such as CPOE and secure messaging, are not being utilized to their full potential in many hospitals.

An Empirical Examination of Fear Appeal's Effect on Behavioral Intention to Comply with Anti-Spyware Software Information Security Recommendations among College Students

ERIC Educational Resources Information Center

Brown, David A.

2017-01-01

Information security is a concern for managers implementing protection measures. Implementing information security measures requires communicating both the reason and remediation for the protection measure. Examining how an anti-spyware security communication affects an individual's intention to implement a protection measure could help improve…

Framework for Flexible Security in Group Communications

NASA Technical Reports Server (NTRS)

McDaniel, Patrick; Prakash, Atul

2006-01-01

The Antigone software system defines a framework for the flexible definition and implementation of security policies in group communication systems. Antigone does not dictate the available security policies, but provides high-level mechanisms for implementing them. A central element of the Antigone architecture is a suite of such mechanisms comprising micro-protocols that provide the basic services needed by secure groups.

25 CFR 543.7 - What are the minimum internal control standards for bingo?

Code of Federal Regulations, 2011 CFR

2011-04-01

... software upgrades, data storage media replacement, etc.). The information recorded must be used when...., draw objects and back-up draw objects); and (ii) Random number generator software. (Additional information technology security standards can be found in § 543.16 of this part.) (2) The game software...

25 CFR 543.7 - What are the minimum internal control standards for bingo?

Code of Federal Regulations, 2012 CFR

2012-04-01

... software upgrades, data storage media replacement, etc.). The information recorded must be used when...., draw objects and back-up draw objects); and (ii) Random number generator software. (Additional information technology security standards can be found in § 543.16 of this part.) (2) The game software...

Methods and Software for Building Bibliographic Data Bases.

ERIC Educational Resources Information Center

Daehn, Ralph M.

1985-01-01

This in-depth look at database management systems (DBMS) for microcomputers covers data entry, information retrieval, security, DBMS software and design, and downloading of literature search results. The advantages of in-house systems versus online search vendors are discussed, and specifications of three software packages and 14 sources are…

77 FR 46776 - Self-Regulatory Organizations; International Securities Exchange, LLC; Notice of Filing and...

Federal Register 2010, 2011, 2012, 2013, 2014

2012-08-06

... with greater ease. \\4\\ Trading Application Software fees include Installation fees, Software License... Application Software fees; \\4\\ Proposed Section VI contains Access Service fees; \\5\\ Proposed Section VII... the QCC and Solicitation Rebate, Index License Surcharge, Market Maker Tiers, Payment for Order Flow...

The security of patient identifiable information in doctors' homes.

PubMed

McLean, Iain; Anderson, C Mary

2004-08-01

Ethically and legally doctors bear a responsibility to ensure the security of patient identifiable information in their possession. Many doctors, especially those in forensic medicine, hold paper or computerised medical records at home. This survey was conducted to assess the level of security for these records and awareness of the issues. Fifty-six forensic physicians (30 male, 26 female) answered a questionnaire. Eighty-nine percent used a computer to write patient notes and reports, but only 26 of these were on the Data Protection Register, and only 24 password-protected their files. Few doctors took steps to protect data on old computers they had stopped using. Of those responding, 88% held paper records at home but only of these had lockable filing cabinets. Burglar alarms were fitted in 77% of homes, yet 36% of homes had been burgled. No participants had written instructions for disposal of records and reports after their death. Older participants were more likely to have been burgled, yet less likely to have antiviral software than their younger counterparts. Participants expressed the need for information, education and training in data security.

An Innovative Community College Program and Partnership in Information Security.

ERIC Educational Resources Information Center

Howard, Barbara C; Morneau, Keith A.

This report describes an innovative network security program initiated by Northern Virginia Community College and funded with a grant from the Northern Virginia Regional Partnership. The program educates and trains students in the instillation, configuration, and troubleshooting of the hardware and software infrastructure of information security.…

DOE Office of Scientific and Technical Information (OSTI.GOV)

Billings, Jay J.; Bonior, Jason D.; Evans, Philip G.

Securely transferring timing information in the electrical grid is a critical component of securing the nation's infrastructure from cyber attacks. One solution to this problem is to use quantum information to securely transfer the timing information across sites. This software provides such an infrastructure using a standard Java webserver that pulls the quantum information from associated hardware.

Network Security: What Non-Technical Administrators Must Know

ERIC Educational Resources Information Center

Council, Chip

2005-01-01

Now it is increasingly critical that community college leaders become involved in network security and partner with their directors of information technology (IT). Network security involves more than just virus protection software and firewalls. It involves vigilance and requires top executive support. Leaders can help their IT directors to…

Using SysML to model complex systems for security.

DOE Office of Scientific and Technical Information (OSTI.GOV)

Cano, Lester Arturo

2010-08-01

As security systems integrate more Information Technology the design of these systems has tended to become more complex. Some of the most difficult issues in designing Complex Security Systems (CSS) are: Capturing Requirements: Defining Hardware Interfaces: Defining Software Interfaces: Integrating Technologies: Radio Systems: Voice Over IP Systems: Situational Awareness Systems.

CrossTalk: The Journal of Defense Software Engineering. Volume 26, Number 6, November/December 2013

DTIC Science & Technology

2013-12-01

requirements during sprint planning. Automated scanning, which includes automated code-review tools, allows the expert to monitor the system... sprint . This enables the validator to leverage the test results for formal validation and verification, and perform a shortened “hybrid” style of IV&V...per SPRINT (1-4 weeks) 1 week 1 Month Up to four months Ø Deliverable product to user Ø Security posture assessed Ø Accredited to field/operate

Library Operations Policies and Procedures, Volume 2. Central Archive for Reusable Defense Software (CARDS)

DTIC Science & Technology

1994-02-28

improvements. Pare 10 ka•- V •DkI U Release Manager The Release Manager provides franchisees with media copies of existing libraries, as needed. Security...implementors, and potential library franchisees . Security Team The Security Team assists the Security Officer with security analysis. Team members are...and Franchisees . A Potential User is an individual who requests a Library Account. A User Recruit has been sent a CARDS Library Account Registration

Hardware-Enabled Security Through On-Chip Reconfigurable Fabric

DTIC Science & Technology

2016-02-05

SECURITY CLASSIFICATION OF: The goal of this project was to enable hardware-based security techniques on future microprocessors in a way that they... microprocessors in a way that they can be added and updated after fabrication, similar to software, while maintaining the efficiency and the security of...Progress The goal of this project was to enable hardware-based security techniques on future microprocessors in a way that they can be added and

Evaluating computer capabilities in a primary care practice-based research network.

PubMed

Ariza, Adolfo J; Binns, Helen J; Christoffel, Katherine Kaufer

2004-01-01

We wanted to assess computer capabilities in a primary care practice-based research network and to understand how receptive the practices were to new ideas for automation of practice activities and research. This study was conducted among members of the Pediatric Practice Research Group (PPRG). A survey to assess computer capabilities was developed to explore hardware types, software programs, Internet connectivity and data transmission; views on privacy and security; and receptivity to future electronic data collection approaches. Of the 40 PPRG practices participating in the study during the autumn of 2001, all used IBM-compatible systems. Of these, 45% used stand-alone desktops, 40% had networked desktops, and approximately 15% used laptops and minicomputers. A variety of software packages were used, with most practices (82%) having software for some aspect of patient care documentation, patient accounting (90%), business support (60%), and management reports and analysis (97%). The main obstacles to expanding use of computers in patient care were insufficient staff training (63%) and privacy concerns (82%). If provided with training and support, most practices indicated they were willing to consider an array of electronic data collection options for practice-based research activities. There is wide variability in hardware and software use in the pediatric practice setting. Implementing electronic data collection in the PPRG would require a substantial start-up effort and ongoing training and support at the practice site.

Reusable Software and Open Data Incorporate Ecological Understanding To Optimize Agriculture and Improveme Crops.

NASA Astrophysics Data System (ADS)

LeBauer, D.

2015-12-01

Humans need a secure and sustainable food supply, and science can help. We have an opportunity to transform agriculture by combining knowledge of organisms and ecosystems to engineer ecosystems that sustainably produce food, fuel, and other services. The challenge is that the information we have. Measurements, theories, and laws found in publications, notebooks, measurements, software, and human brains are difficult to combine. We homogenize, encode, and automate the synthesis of data and mechanistic understanding in a way that links understanding at different scales and across domains. This allows extrapolation, prediction, and assessment. Reusable components allow automated construction of new knowledge that can be used to assess, predict, and optimize agro-ecosystems. Developing reusable software and open-access databases is hard, and examples will illustrate how we use the Predictive Ecosystem Analyzer (PEcAn, pecanproject.org), the Biofuel Ecophysiological Traits and Yields database (BETYdb, betydb.org), and ecophysiological crop models to predict crop yield, decide which crops to plant, and which traits can be selected for the next generation of data driven crop improvement. A next step is to automate the use of sensors mounted on robots, drones, and tractors to assess plants in the field. The TERRA Reference Phenotyping Platform (TERRA-Ref, terraref.github.io) will provide an open access database and computing platform on which researchers can use and develop tools that use sensor data to assess and manage agricultural and other terrestrial ecosystems. TERRA-Ref will adopt existing standards and develop modular software components and common interfaces, in collaboration with researchers from iPlant, NEON, AgMIP, USDA, rOpenSci, ARPA-E, many scientists and industry partners. Our goal is to advance science by enabling efficient use, reuse, exchange, and creation of knowledge.

VOIP for Telerehabilitation: A Risk Analysis for Privacy, Security, and HIPAA Compliance

PubMed Central

Watzlaf, Valerie J.M.; Moeini, Sohrab; Firouzan, Patti

2010-01-01

Voice over the Internet Protocol (VoIP) systems such as Adobe ConnectNow, Skype, ooVoo, etc. may include the use of software applications for telerehabilitation (TR) therapy that can provide voice and video teleconferencing between patients and therapists. Privacy and security applications as well as HIPAA compliance within these protocols have been questioned by information technologists, providers of care and other health care entities. This paper develops a privacy and security checklist that can be used within a VoIP system to determine if it meets privacy and security procedures and whether it is HIPAA compliant. Based on this analysis, specific HIPAA criteria that therapists and health care facilities should follow are outlined and discussed, and therapists must weigh the risks and benefits when deciding to use VoIP software for TR. PMID:25945172

VOIP for Telerehabilitation: A Risk Analysis for Privacy, Security, and HIPAA Compliance.

PubMed

Watzlaf, Valerie J M; Moeini, Sohrab; Firouzan, Patti

2010-01-01

Voice over the Internet Protocol (VoIP) systems such as Adobe ConnectNow, Skype, ooVoo, etc. may include the use of software applications for telerehabilitation (TR) therapy that can provide voice and video teleconferencing between patients and therapists. Privacy and security applications as well as HIPAA compliance within these protocols have been questioned by information technologists, providers of care and other health care entities. This paper develops a privacy and security checklist that can be used within a VoIP system to determine if it meets privacy and security procedures and whether it is HIPAA compliant. Based on this analysis, specific HIPAA criteria that therapists and health care facilities should follow are outlined and discussed, and therapists must weigh the risks and benefits when deciding to use VoIP software for TR.

Secure Encapsulation and Publication of Biological Services in the Cloud Computing Environment

PubMed Central

Zhang, Weizhe; Wang, Xuehui; Lu, Bo; Kim, Tai-hoon

2013-01-01

Secure encapsulation and publication for bioinformatics software products based on web service are presented, and the basic function of biological information is realized in the cloud computing environment. In the encapsulation phase, the workflow and function of bioinformatics software are conducted, the encapsulation interfaces are designed, and the runtime interaction between users and computers is simulated. In the publication phase, the execution and management mechanisms and principles of the GRAM components are analyzed. The functions such as remote user job submission and job status query are implemented by using the GRAM components. The services of bioinformatics software are published to remote users. Finally the basic prototype system of the biological cloud is achieved. PMID:24078906

Secure encapsulation and publication of biological services in the cloud computing environment.

PubMed

Zhang, Weizhe; Wang, Xuehui; Lu, Bo; Kim, Tai-hoon

2013-01-01

Secure encapsulation and publication for bioinformatics software products based on web service are presented, and the basic function of biological information is realized in the cloud computing environment. In the encapsulation phase, the workflow and function of bioinformatics software are conducted, the encapsulation interfaces are designed, and the runtime interaction between users and computers is simulated. In the publication phase, the execution and management mechanisms and principles of the GRAM components are analyzed. The functions such as remote user job submission and job status query are implemented by using the GRAM components. The services of bioinformatics software are published to remote users. Finally the basic prototype system of the biological cloud is achieved.

A research on the security of wisdom campus based on geospatial big data

NASA Astrophysics Data System (ADS)

Wang, Haiying

2018-05-01

There are some difficulties in wisdom campus, such as geospatial big data sharing, function expansion, data management, analysis and mining geospatial big data for a characteristic, especially the problem of data security can't guarantee cause prominent attention increasingly. In this article we put forward a data-oriented software architecture which is designed by the ideology of orienting data and data as kernel, solve the problem of traditional software architecture broaden the campus space data research, develop the application of wisdom campus.

In Law We Trust? Trusted Computing and Legal Responsibility for Internet Security

NASA Astrophysics Data System (ADS)

Danidou, Yianna; Schafer, Burkhard

This paper analyses potential legal responses and consequences to the anticipated roll out of Trusted Computing (TC). It is argued that TC constitutes such a dramatic shift in power away from users to the software providers, that it is necessary for the legal system to respond. A possible response is to mirror the shift in power by a shift in legal responsibility, creating new legal liabilities and duties for software companies as the new guardians of internet security.

Telerehabilitation store and forward applications: a review of applications and privacy considerations in physical and occupational therapy practice.

PubMed

Peterson, Christopher; Watzlaf, Valerie

2014-01-01

An overview of store and forward applications commonly used in physical and occupational therapy practice is reviewed with respect to regulation, privacy, security, and clinical applications. A privacy and security checklist provides a clear reference of pertinent regulatory issues regarding these software applications. A case study format is used to highlight clinical applications of store and forward software features. Important considerations of successful implementation of store and forward applications are also identified and discussed.

Proceedings of the Center for National Software Studies Workshop on Trustworthy Software

DTIC Science & Technology

2004-05-10

just the de - velopment cost) to achieve a sustained level of software trustworthiness. • Reforming the procurement process. We could reform the...failure or breach of security. Some examples include software used in safety systems of nuclear power plants, transportation systems, medical devices...issue in many vital systems, including those found in transportation , telecommunications, utilities, health care, and financial services. Any lack of

Assurance Evaluation for OSS Adoption in a Telco Context

NASA Astrophysics Data System (ADS)

Ardagna, Claudio A.; Banzi, Massimo; Damiani, Ernesto; El Ioini, Nabil; Frati, Fulvio

Software Assurance (SwA) is a complex concept that involves different stages of a software development process and may be defined differently depending on its focus, as for instance software quality, security, or dependability. In Computer Science, the term assurance is referred to all activities necessary to provide enough confidence that a software product will satisfy its users’ functional and non-functional requirements.

The hobbyist phenomenon in physical security.

DOE Office of Scientific and Technical Information (OSTI.GOV)

Michaud, E. C.

Pro-Ams (professional amateurs) are groups of people who work on a problem as amateurs or unpaid persons in a given field at professional levels of competence. Astronomy is a good example of Pro-Am activity. At Galaxy Zoo, Pro-Ams evaluate data generated by professional observatories and are able to evaluate the millions of galaxies that have been observed but not classified, and report their findings at professional levels for fun. To allow the archiving of millions of galaxies that have been observed but not classified, the website has been engineered so that the public can view and classify galaxies even ifmore » they are not professional astronomers. In this endeavor, it has been found that amateurs can easily outperform automated vision systems. Today in the world of physical security, Pro-Ams are playing an ever-increasing role. Traditionally, locksmiths, corporations, and government organizations have been largely responsible for developing standards, uncovering vulnerabilities, and devising best security practices. Increasingly, however, nonprofit sporting organizations and clubs are doing this. They can be found all over the world, from Europe to the US and now South East Asia. Examples include TOOOL (The Open Organization of Lockpickers), the Longhorn Lockpicking Club, Sportsfreunde der Sperrtechnik - Deustcheland e.V., though there are many others. Members of these groups have been getting together weekly to discuss many elements of security, with some groups specializing in specific areas of security. When members are asked why they participate in these hobbyist groups, they usually reply (with gusto) that they do it for fun, and that they view defeating locks and other security devices as an interesting and entertaining puzzle. A lot of what happens at these clubs would not be possible if it weren't for 'Super Abundance', the ability to easily acquire (at little or no cost) the products, security tools, technologies, and intellectual resources traditionally limited to corporations, government organizations, or wealthy individuals. With this new access comes new discoveries. For example, hobbyist sport lockpicking groups discovered - and publicized - a number of new vulnerabilities between 2004 and 2009 that resulted in the majority of high-security lock manufacturers having to make changes and improvements to their products. A decade ago, amateur physical security discoveries were rare, at least those discussed publicly. In the interim, Internet sites such as lockpicking.org, lockpicking101.com and others have provided an online meeting place for people to trade tips, find friends with similar interests, and develop tools. The open, public discussion of software vulnerabilities, in contrast, has been going on for a long time. These two industries, physical security and software, have very different upgrade mechanisms. With software, a patch can typically be deployed quickly to fix a serious vulnerability, whereas a hardware fix for a physical security device or system can take upwards of months to implement in the field, especially if (as is often the case) hardware integrators are involved. Even when responding to publicly announced security vulnerabilities, manufacturers of physical security devices such as locks, intrusion detectors, or access control devices rarely view hobbyists as a positive resource. This is most unfortunate. In the field of software, it is common to speak of Open Source versus Closed Source. An Open Source software company may choose to distribute their software with a particular license, and give it away openly, with full details and all the lines of source code made available. Linux is a very popular example of this. A Close Source company, in contrast, chooses not to reveal its source code and will license its software products in a restrictive manor. Slowly, the idea of Open Source is now coming to the world of physical security. In the case of locks, it provides an alternative to the traditional Closed Source world of locksmiths. Now locks are physical objects, and can therefore be disassembled. As such, they have always been Open Source in a limited sense. Secrecy, in fact, is very difficult to maintain for a lock that is widely distributed. Having direct access to the lock design provides the hobbyist with a very open environment for finding security flaws, even if the lock manufacturer attempts to follow a Close Source model. It is clear that the field of physical security is going the digital route with companies such as Medeco, Mul-T-Lock, and Abloy manufacturing electromechanical locks. Various companies have already begun to add microcontrollers, cryptographic chip sets, solid-state sensors, and a number of other high-tech improvements to their product lineup in an effort to thwart people from defeating their security products.« less

Secure Internet video conferencing for assessing acute medical problems in a nursing facility.

PubMed Central

Weiner, M.; Schadow, G.; Lindbergh, D.; Warvel, J.; Abernathy, G.; Dexter, P.; McDonald, C. J.

2001-01-01

Although video-based teleconferencing is becoming more widespread in the medical profession, especially for scheduled consultations, applications for rapid assessment of acute medical problems are rare. Use of such a video system in a nursing facility may be especially beneficial, because physicians are often not immediately available to evaluate patients. We have assembled and tested a portable, wireless conferencing system to prepare for a randomized trial of the system s influence on resource utilization and satisfaction. The system includes a rolling cart with video conferencing hardware and software, a remotely controllable digital camera, light, wireless network, and battery. A semi-automated paging system informs physicians of patient s study status and indications for conferencing. Data transmission occurs wirelessly in the nursing home and then through Internet cables to the physician s home. This provides sufficient bandwidth to support quality motion images. IPsec secures communications. Despite human and technical challenges, this system is affordable and functional. Images Figure 1 PMID:11825286

An Overview of Public Access Computer Software Management Tools for Libraries

ERIC Educational Resources Information Center

Wayne, Richard

2004-01-01

An IT decision maker gives an overview of public access PC software that's useful in controlling session length and scheduling, Internet access, print output, security, and the latest headaches: spyware and adware. In this article, the author describes a representative sample of software tools in several important categories such as setup…

Error Reporting Logic

DTIC Science & Technology

2008-06-01

14] Mark Weiser. Program slicing. Trans. Software Engineering , July 1984. 17 ...entitled “Perpetually Available and Secure In- formation Systems”, the Software Industry Center at CMU and its sponsors, especially the Alfred P. Sloan...ERL In Acme, a software architect can choose to associate a handwritten error message to each specification. If the specification fails, for any

Development and testing for physical security robots

NASA Astrophysics Data System (ADS)

Carroll, Daniel M.; Nguyen, Chinh; Everett, H. R.; Frederick, Brian

2005-05-01

The Mobile Detection Assessment Response System (MDARS) provides physical security for Department of Defense bases and depots using autonomous unmanned ground vehicles (UGVs) to patrol the site while operating payloads for intruder detection and assessment, barrier assessment, and product assessment. MDARS is in the System Development and Demonstration acquisition phase and is currently undergoing developmental testing including an Early User Appraisal (EUA) at the Hawthorne Army Depot, Nevada-the world's largest army depot. The Multiple Resource Host Architecture (MRHA) allows the human guard force to command and control several MDARS platforms simultaneously. The MRHA graphically displays video, map, and status for each resource using wireless digital communications for integrated data, video, and audio. Events are prioritized and the user is prompted with audio alerts and text instructions for alarms and warnings. The MRHA also interfaces to remote resources to automate legacy physical devices such as fence gate controls, garage doors, and remote power on/off capability for the MDARS patrol units. This paper provides an overview and history of the MDARS program and control station software with details on the installation and operation at Hawthorne Army Depot, including discussions on scenarios for EUA excursions. Special attention is given to the MDARS technical development strategy for spiral evolutions.

A Secure and Robust Approach to Software Tamper Resistance

NASA Astrophysics Data System (ADS)

Ghosh, Sudeep; Hiser, Jason D.; Davidson, Jack W.

Software tamper-resistance mechanisms have increasingly assumed significance as a technique to prevent unintended uses of software. Closely related to anti-tampering techniques are obfuscation techniques, which make code difficult to understand or analyze and therefore, challenging to modify meaningfully. This paper describes a secure and robust approach to software tamper resistance and obfuscation using process-level virtualization. The proposed techniques involve novel uses of software check summing guards and encryption to protect an application. In particular, a virtual machine (VM) is assembled with the application at software build time such that the application cannot run without the VM. The VM provides just-in-time decryption of the program and dynamism for the application's code. The application's code is used to protect the VM to ensure a level of circular protection. Finally, to prevent the attacker from obtaining an analyzable snapshot of the code, the VM periodically discards all decrypted code. We describe a prototype implementation of these techniques and evaluate the run-time performance of applications using our system. We also discuss how our system provides stronger protection against tampering attacks than previously described tamper-resistance approaches.

Security Systems Commissioning: An Old Trick for Your New Dog

ERIC Educational Resources Information Center

Black, James R.

2009-01-01

Sophisticated, software-based security systems can provide powerful tools to support campus security. By nature, such systems are flexible, with many capabilities that can help manage the process of physical protection. However, the full potential of these systems can be overlooked because of unfamiliarity with the products, weaknesses in security…

Information Security in the 1990s: Keeping the Locks on.

ERIC Educational Resources Information Center

Kovac, Ron J.

1999-01-01

As the Internet proliferates, it drastically increases an institution's level of data insecurity. Hacker attacks can result in denial of service, data corruption or erasure, and passive theft (via spoofing, splicing, or session stealing). To ensure data security, a firewall (screening software program) and a security policy should be implemented.…

Web vulnerability study of online pharmacy sites.

PubMed

Kuzma, Joanne

2011-01-01

Consumers are increasingly using online pharmacies, but these sites may not provide an adequate level of security with the consumers' personal data. There is a gap in this research addressing the problems of security vulnerabilities in this industry. The objective is to identify the level of web application security vulnerabilities in online pharmacies and the common types of flaws, thus expanding on prior studies. Technical, managerial and legal recommendations on how to mitigate security issues are presented. The proposed four-step method first consists of choosing an online testing tool. The next steps involve choosing a list of 60 online pharmacy sites to test, and then running the software analysis to compile a list of flaws. Finally, an in-depth analysis is performed on the types of web application vulnerabilities. The majority of sites had serious vulnerabilities, with the majority of flaws being cross-site scripting or old versions of software that have not been updated. A method is proposed for the securing of web pharmacy sites, using a multi-phased approach of technical and managerial techniques together with a thorough understanding of national legal requirements for securing systems.

Autonomous Byte Stream Randomizer

NASA Technical Reports Server (NTRS)

Paloulian, George K.; Woo, Simon S.; Chow, Edward T.

2013-01-01

Net-centric networking environments are often faced with limited resources and must utilize bandwidth as efficiently as possible. In networking environments that span wide areas, the data transmission has to be efficient without any redundant or exuberant metadata. The Autonomous Byte Stream Randomizer software provides an extra level of security on top of existing data encryption methods. Randomizing the data s byte stream adds an extra layer to existing data protection methods, thus making it harder for an attacker to decrypt protected data. Based on a generated crypto-graphically secure random seed, a random sequence of numbers is used to intelligently and efficiently swap the organization of bytes in data using the unbiased and memory-efficient in-place Fisher-Yates shuffle method. Swapping bytes and reorganizing the crucial structure of the byte data renders the data file unreadable and leaves the data in a deconstructed state. This deconstruction adds an extra level of security requiring the byte stream to be reconstructed with the random seed in order to be readable. Once the data byte stream has been randomized, the software enables the data to be distributed to N nodes in an environment. Each piece of the data in randomized and distributed form is a separate entity unreadable on its own right, but when combined with all N pieces, is able to be reconstructed back to one. Reconstruction requires possession of the key used for randomizing the bytes, leading to the generation of the same cryptographically secure random sequence of numbers used to randomize the data. This software is a cornerstone capability possessing the ability to generate the same cryptographically secure sequence on different machines and time intervals, thus allowing this software to be used more heavily in net-centric environments where data transfer bandwidth is limited.

Open source system OpenVPN in a function of Virtual Private Network

NASA Astrophysics Data System (ADS)

Skendzic, A.; Kovacic, B.

2017-05-01

Using of Virtual Private Networks (VPN) can establish high security level in network communication. VPN technology enables high security networking using distributed or public network infrastructure. VPN uses different security and managing rules inside networks. It can be set up using different communication channels like Internet or separate ISP communication infrastructure. VPN private network makes security communication channel over public network between two endpoints (computers). OpenVPN is an open source software product under GNU General Public License (GPL) that can be used to establish VPN communication between two computers inside business local network over public communication infrastructure. It uses special security protocols and 256-bit Encryption and it is capable of traversing network address translators (NATs) and firewalls. It allows computers to authenticate each other using a pre-shared secret key, certificates or username and password. This work gives review of VPN technology with a special accent on OpenVPN. This paper will also give comparison and financial benefits of using open source VPN software in business environment.

Supporting secure programming in web applications through interactive static analysis.

PubMed

Zhu, Jun; Xie, Jing; Lipford, Heather Richter; Chu, Bill

2014-07-01

Many security incidents are caused by software developers' failure to adhere to secure programming practices. Static analysis tools have been used to detect software vulnerabilities. However, their wide usage by developers is limited by the special training required to write rules customized to application-specific logic. Our approach is interactive static analysis, to integrate static analysis into Integrated Development Environment (IDE) and provide in-situ secure programming support to help developers prevent vulnerabilities during code construction. No additional training is required nor are there any assumptions on ways programs are built. Our work is motivated in part by the observation that many vulnerabilities are introduced due to failure to practice secure programming by knowledgeable developers. We implemented a prototype interactive static analysis tool as a plug-in for Java in Eclipse. Our technical evaluation of our prototype detected multiple zero-day vulnerabilities in a large open source project. Our evaluations also suggest that false positives may be limited to a very small class of use cases.

Supporting secure programming in web applications through interactive static analysis

PubMed Central

Zhu, Jun; Xie, Jing; Lipford, Heather Richter; Chu, Bill

2013-01-01

Many security incidents are caused by software developers’ failure to adhere to secure programming practices. Static analysis tools have been used to detect software vulnerabilities. However, their wide usage by developers is limited by the special training required to write rules customized to application-specific logic. Our approach is interactive static analysis, to integrate static analysis into Integrated Development Environment (IDE) and provide in-situ secure programming support to help developers prevent vulnerabilities during code construction. No additional training is required nor are there any assumptions on ways programs are built. Our work is motivated in part by the observation that many vulnerabilities are introduced due to failure to practice secure programming by knowledgeable developers. We implemented a prototype interactive static analysis tool as a plug-in for Java in Eclipse. Our technical evaluation of our prototype detected multiple zero-day vulnerabilities in a large open source project. Our evaluations also suggest that false positives may be limited to a very small class of use cases. PMID:25685513

Secure electronic commerce communication system based on CA

NASA Astrophysics Data System (ADS)

Chen, Deyun; Zhang, Junfeng; Pei, Shujun

2001-07-01

In this paper, we introduce the situation of electronic commercial security, then we analyze the working process and security for SSL protocol. At last, we propose a secure electronic commerce communication system based on CA. The system provide secure services such as encryption, integer, peer authentication and non-repudiation for application layer communication software of browser clients' and web server. The system can implement automatic allocation and united management of key through setting up the CA in the network.

Hybrid architecture for building secure sensor networks

NASA Astrophysics Data System (ADS)

Owens, Ken R., Jr.; Watkins, Steve E.

2012-04-01

Sensor networks have various communication and security architectural concerns. Three approaches are defined to address these concerns for sensor networks. The first area is the utilization of new computing architectures that leverage embedded virtualization software on the sensor. Deploying a small, embedded virtualization operating system on the sensor nodes that is designed to communicate to low-cost cloud computing infrastructure in the network is the foundation to delivering low-cost, secure sensor networks. The second area focuses on securing the sensor. Sensor security components include developing an identification scheme, and leveraging authentication algorithms and protocols that address security assurance within the physical, communication network, and application layers. This function will primarily be accomplished through encrypting the communication channel and integrating sensor network firewall and intrusion detection/prevention components to the sensor network architecture. Hence, sensor networks will be able to maintain high levels of security. The third area addresses the real-time and high priority nature of the data that sensor networks collect. This function requires that a quality-of-service (QoS) definition and algorithm be developed for delivering the right data at the right time. A hybrid architecture is proposed that combines software and hardware features to handle network traffic with diverse QoS requirements.

Computer-Aided Sensor Development Focused on Security Issues.

PubMed

Bialas, Andrzej

2016-05-26

The paper examines intelligent sensor and sensor system development according to the Common Criteria methodology, which is the basic security assurance methodology for IT products and systems. The paper presents how the development process can be supported by software tools, design patterns and knowledge engineering. The automation of this process brings cost-, quality-, and time-related advantages, because the most difficult and most laborious activities are software-supported and the design reusability is growing. The paper includes a short introduction to the Common Criteria methodology and its sensor-related applications. In the experimental section the computer-supported and patterns-based IT security development process is presented using the example of an intelligent methane detection sensor. This process is supported by an ontology-based tool for security modeling and analyses. The verified and justified models are transferred straight to the security target specification representing security requirements for the IT product. The novelty of the paper is to provide a patterns-based and computer-aided methodology for the sensors development with a view to achieving their IT security assurance. The paper summarizes the validation experiment focused on this methodology adapted for the sensors system development, and presents directions of future research.

Computer-Aided Sensor Development Focused on Security Issues

PubMed Central

Bialas, Andrzej

2016-01-01

The paper examines intelligent sensor and sensor system development according to the Common Criteria methodology, which is the basic security assurance methodology for IT products and systems. The paper presents how the development process can be supported by software tools, design patterns and knowledge engineering. The automation of this process brings cost-, quality-, and time-related advantages, because the most difficult and most laborious activities are software-supported and the design reusability is growing. The paper includes a short introduction to the Common Criteria methodology and its sensor-related applications. In the experimental section the computer-supported and patterns-based IT security development process is presented using the example of an intelligent methane detection sensor. This process is supported by an ontology-based tool for security modeling and analyses. The verified and justified models are transferred straight to the security target specification representing security requirements for the IT product. The novelty of the paper is to provide a patterns-based and computer-aided methodology for the sensors development with a view to achieving their IT security assurance. The paper summarizes the validation experiment focused on this methodology adapted for the sensors system development, and presents directions of future research. PMID:27240360

Assuring Software Reliability

DTIC Science & Technology

2014-08-01

technologies and processes to achieve a required level of confidence that software systems and services function in the intended manner. 1.3 Security Example...that took three high-voltage lines out of service and a software fail- ure (a race condition3) that disabled the computing service that notified the... service had failed. Instead of analyzing the details of the alarm server failure, the reviewers asked why the following software assurance claim had

Building a Library Web Server on a Budget.

ERIC Educational Resources Information Center

Orr, Giles

1998-01-01

Presents a method for libraries with limited budgets to create reliable Web servers with existing hardware and free software available via the Internet. Discusses staff, hardware and software requirements, and security; outlines the assembly process. (PEN)

Interface of Science, Technology and Security: Areas of Most Concern, Now and Ahead

DTIC Science & Technology

2017-03-28

connectivity is creating new forms of security threats and exploitable instabilities. There is a need to develop secure software to reduce vulnerabilities...implications in the light of global population growth, industrialization and limited fossil fuel supplies. The continued improvement of generation, storage...national strategic concern is when the S&T-security nexus creates opportunities for misunderstanding. These opportunities assume two forms , rooted in

Preventing Chaos.

ERIC Educational Resources Information Center

Pineda, Ernest M.

1999-01-01

Discusses ways to help resolve the Y2K problem and avoid disruptions in school security and safety. Discusses computer software testing and validation to determine its functionality after year's end, and explores system remediation of non-compliant fire and security systems. (GR)

Bundle Security Protocol for ION

NASA Technical Reports Server (NTRS)

Burleigh, Scott C.; Birrane, Edward J.; Krupiarz, Christopher

2011-01-01

This software implements bundle authentication, conforming to the Delay-Tolerant Networking (DTN) Internet Draft on Bundle Security Protocol (BSP), for the Interplanetary Overlay Network (ION) implementation of DTN. This is the only implementation of BSP that is integrated with ION.

Software OT&E Guidelines. Volume 3. Software Maintainability Evaluator’s Handbook

DTIC Science & Technology

1980-04-01

SOFTWARE OT&E " 1 GUIDELINES . VOLUME III SOFTWARE MAINTAINABILITY EVALUATOR’S HANDBOOK APRIL 1980 AIR FORCE TEST AND EVALUATION CENTER KIRTLAND AIR...FORCE BASE NEW MEXICO 87117 C-, -j AfTECP 800-3 AF’r...........3 ...... UNCLASSIFIED SECURITY CLASSIFICATION OF THIS PAGE (When D.. Entered) RE:PORT...c -. 5 TY!aJ0. PERIOD COVERED SOFTWARE OT& . GUIDELINES, Volume III .of five). -1 softare-R.aintainability Evaluator’s P-IEFnook’ 4ina. i 1980

Network security system for health and medical information using smart IC card

NASA Astrophysics Data System (ADS)

Kanai, Yoichi; Yachida, Masuyoshi; Yoshikawa, Hiroharu; Yamaguchi, Masahiro; Ohyama, Nagaaki

1998-07-01

A new network security protocol that uses smart IC cards has been designed to assure the integrity and privacy of medical information in communication over a non-secure network. Secure communication software has been implemented as a library based on this protocol, which is called the Integrated Secure Communication Layer (ISCL), and has been incorporated into information systems of the National Cancer Center Hospitals and the Health Service Center of the Tokyo Institute of Technology. Both systems have succeeded in communicating digital medical information securely.

Analysis of Cisco Open Network Environment (ONE) OpenFlow Controller Implementation

DTIC Science & Technology

2014-08-01

Software - Defined Networking ( SDN ), when fully realized, offer many improvements over the current rigid and...functionalities like handshake, connection setup, switch management, and security. 15. SUBJECT TERMS OpenFlow, software - defined networking , Cisco ONE, SDN ...innovating packet-forwarding technologies. Network device roles are strictly defined with little or no flexibility. In Software - Defined Networks ( SDNs ),

25 CFR 547.12 - What are the minimum technical standards for downloading on a Class II gaming system?

Code of Federal Regulations, 2013 CFR

2013-04-01

... limited to software, files, data, and prize schedules. (2) Downloads must use secure methodologies that... date of the completion of the download; (iii) The Class II gaming system components to which software was downloaded; (iv) The version(s) of download package and any software downloaded. Logging of the...

25 CFR 547.12 - What are the minimum technical standards for downloading on a Class II gaming system?

Code of Federal Regulations, 2014 CFR

2014-04-01

... limited to software, files, data, and prize schedules. (2) Downloads must use secure methodologies that... date of the completion of the download; (iii) The Class II gaming system components to which software was downloaded; (iv) The version(s) of download package and any software downloaded. Logging of the...

Predicting Vulnerability Risks Using Software Characteristics

ERIC Educational Resources Information Center

Roumani, Yaman

2012-01-01

Software vulnerabilities have been regarded as one of the key reasons for computer security breaches that have resulted in billions of dollars in losses per year (Telang and Wattal 2005). With the growth of the software industry and the Internet, the number of vulnerability attacks and the ease with which an attack can be made have increased. From…

Protecting genomic data analytics in the cloud: state of the art and opportunities.

PubMed

Tang, Haixu; Jiang, Xiaoqian; Wang, Xiaofeng; Wang, Shuang; Sofia, Heidi; Fox, Dov; Lauter, Kristin; Malin, Bradley; Telenti, Amalio; Xiong, Li; Ohno-Machado, Lucila

2016-10-13

The outsourcing of genomic data into public cloud computing settings raises concerns over privacy and security. Significant advancements in secure computation methods have emerged over the past several years, but such techniques need to be rigorously evaluated for their ability to support the analysis of human genomic data in an efficient and cost-effective manner. With respect to public cloud environments, there are concerns about the inadvertent exposure of human genomic data to unauthorized users. In analyses involving multiple institutions, there is additional concern about data being used beyond agreed research scope and being prcoessed in untrused computational environments, which may not satisfy institutional policies. To systematically investigate these issues, the NIH-funded National Center for Biomedical Computing iDASH (integrating Data for Analysis, 'anonymization' and SHaring) hosted the second Critical Assessment of Data Privacy and Protection competition to assess the capacity of cryptographic technologies for protecting computation over human genomes in the cloud and promoting cross-institutional collaboration. Data scientists were challenged to design and engineer practical algorithms for secure outsourcing of genome computation tasks in working software, whereby analyses are performed only on encrypted data. They were also challenged to develop approaches to enable secure collaboration on data from genomic studies generated by multiple organizations (e.g., medical centers) to jointly compute aggregate statistics without sharing individual-level records. The results of the competition indicated that secure computation techniques can enable comparative analysis of human genomes, but greater efficiency (in terms of compute time and memory utilization) are needed before they are sufficiently practical for real world environments.

Creating a Clinical Video-Conferencing Facility in a Security-Constrained Environment Using Open-Source AccessGrid Software and Consumer Hardware

PubMed Central

Terrazas, Enrique; Hamill, Timothy R.; Wang, Ye; Channing Rodgers, R. P.

2007-01-01

The Department of Laboratory Medicine at the University of California, San Francisco (UCSF) has been split into widely separated facilities, leading to much time being spent traveling between facilities for meetings. We installed an open-source AccessGrid multi-media-conferencing system using (largely) consumer-grade equipment, connecting 6 sites at 5 separate facilities. The system was accepted rapidly and enthusiastically, and was inexpensive compared to alternative approaches. Security was addressed by aspects of the AG software and by local network administrative practices. The chief obstacles to deployment arose from security restrictions imposed by multiple independent network administration regimes, requiring a drastically reduced list of network ports employed by AG components. PMID:18693930

Creating a clinical video-conferencing facility in a security-constrained environment using open-source AccessGrid software and consumer hardware.

PubMed

Terrazas, Enrique; Hamill, Timothy R; Wang, Ye; Channing Rodgers, R P

2007-10-11

The Department of Laboratory Medicine at the University of California, San Francisco (UCSF) has been split into widely separated facilities, leading to much time being spent traveling between facilities for meetings. We installed an open-source AccessGrid multi-media-conferencing system using (largely) consumer-grade equipment, connecting 6 sites at 5 separate facilities. The system was accepted rapidly and enthusiastically, and was inexpensive compared to alternative approaches. Security was addressed by aspects of the AG software and by local network administrative practices. The chief obstacles to deployment arose from security restrictions imposed by multiple independent network administration regimes, requiring a drastically reduced list of network ports employed by AG components.

42 CFR 37.60 - Submitting required chest radiograph classification and miner identification documents.

Code of Federal Regulations, 2014 CFR

2014-10-01

... software and format specified by NIOSH either using portable electronic media, or a secure electronic file... forms shall be submitted with his or her name and social security account number on each. If any of the... containing the miner's name, address, social security number and place of employment. [43 FR 33715, Aug. 1...

Economic Analysis of Cyber Security

DTIC Science & Technology

2006-07-01

vulnerability databases and track the number of incidents reported by U.S. organizations. Many of these are private organizations, such as the security...VULNERABILITY AND ATTACK ESTIMATES Numerous organizations compile vulnerability databases and patch information, and track the number of reported incidents... database / security focus Databases of vulnerabilities identifying the software versions that are susceptible, including information on the method of

Elevating Virtual Machine Introspection for Fine-Grained Process Monitoring: Techniques and Applications

ERIC Educational Resources Information Center

Srinivasan, Deepa

2013-01-01

Recent rapid malware growth has exposed the limitations of traditional in-host malware-defense systems and motivated the development of secure virtualization-based solutions. By running vulnerable systems as virtual machines (VMs) and moving security software from inside VMs to the outside, the out-of-VM solutions securely isolate the anti-malware…

75 FR 25185 - Broadband Initiatives Program

Federal Register 2010, 2011, 2012, 2013, 2014

2010-05-07

..., excluding desktop or laptop computers, computer hardware and software (including anti-virus, anti-spyware, and other security software), audio or video equipment, computer network components... 10 desktop or laptop computers and individual workstations to be located within the rural library...

DOE Office of Scientific and Technical Information (OSTI.GOV)

The system is developed to collect, process, store and present the information provided by the radio frequency identification (RFID) devices. The system contains three parts, the application software, the database and the web page. The application software manages multiple RFID devices, such as readers and portals, simultaneously. It communicates with the devices through application programming interface (API) provided by the device vendor. The application software converts data collected by the RFID readers and portals to readable information. It is capable of encrypting data using 256 bits advanced encryption standard (AES). The application software has a graphical user interface (GUI). Themore » GUI mimics the configurations of the nucler material storage sites or transport vehicles. The GUI gives the user and system administrator an intuitive way to read the information and/or configure the devices. The application software is capable of sending the information to a remote, dedicated and secured web and database server. Two captured screen samples, one for storage and transport, are attached. The database is constructed to handle a large number of RFID tag readers and portals. A SQL server is employed for this purpose. An XML script is used to update the database once the information is sent from the application software. The design of the web page imitates the design of the application software. The web page retrieves data from the database and presents it in different panels. The user needs a user name combined with a password to access the web page. The web page is capable of sending e-mail and text messages based on preset criteria, such as when alarm thresholds are excceeded. A captured screen sample is attached. The application software is designed to be installed on a local computer. The local computer is directly connected to the RFID devices and can be controlled locally or remotely. There are multiple local computers managing different sites or transport vehicles. The control from remote sites and information transmitted to a central database server is through secured internet. The information stored in the central databaser server is shown on the web page. The users can view the web page on the internet. A dedicated and secured web and database server (https) is used to provide information security.« less

[Computer-assisted management of depots for blood products in health establishments].

PubMed

Carré, J

2008-11-01

To manage the filing of blood components at the hospital of the city of Bayeux, the laboratory uses Cursus, a dedicated software for haemovigilance. Benefits for using this software at different steps of the blood bank management are: simplification, security and harmonization of practices during receipt and issurance of blood components, securing recordings with the use of bar codes for patient identification and blood components listing, implementation of a computerized tracking system for transfusion, traceability, limitation of written documents and availability of statistics on the management of the depot.

CrossTalk: The Journal of Defense Software Engineering. Volume 18, Number 11

DTIC Science & Technology

2005-11-01

languages. Our discipline of software engineering has really experienced phenomenal growth right before our eyes. A sign that software design has...approach on a high level of abstraction. The main emphasis is on the identification and allocation of a needed functionality (e.g., a target tracker ), rather...messaging software that is the backbone of teenage culture. As increasing security constraints will increase the cost of developing and main- taining any

Achieving Better Buying Power for Mobile Open Architecture Software Systems Through Diverse Acquisition Scenarios

DTIC Science & Technology

2016-04-30

software (OSS) and proprietary (CSS) software elements or remote services (Scacchi, 2002, 2010), eventually including recent efforts to support Web ...specific platforms, including those operating on secured Web /mobile devices.  Common Development Technology provides AC development tools and common...transition to OA systems and OSS software elements, specifically for Web and Mobile devices within the realm of C3CB. OA, Open APIs, OSS, and CSS OA

The Development of Ada (Trademark) Software for Secure Environments

DTIC Science & Technology

1986-05-23

Telecommunications environment, This paper discusses software socurity and seeks to demostrate how the Ada programming language can be utilizec as a tool...complexity 4 . We use abstraction in our lives every day to control complexity; the principles of abstraction for software engineering are ro different...systems. These features directly sup,) )-t t.ie m odernp software engineering principles d1 s I , , 1 t, thne previous section. This is not surprising

Crosstalk: The Journal of Defense Software Engineering. Volume 22, Number 3

DTIC Science & Technology

2009-04-01

international standard for information security management systems like ISO /IEC 27001 :2005 [1] existed. Since that time, the organization has developed control...of ISO /IEC 27001 and the desire to make decisions based on business value and risk has prompted Ford’s IT Security and Controls organi- zation to begin...their conventional application security operation.u References 1. ISO /IEC 27001 :2005. “Information Technology – Security Techniques – Information

DICOM image secure communications with Internet protocols IPv6 and IPv4.

PubMed

Zhang, Jianguo; Yu, Fenghai; Sun, Jianyong; Yang, Yuanyuan; Liang, Chenwen

2007-01-01

Image-data transmission from one site to another through public network is usually characterized in term of privacy, authenticity, and integrity. In this paper, we first describe a general scenario about how image is delivered from one site to another through a wide-area network (WAN) with security features of data privacy, integrity, and authenticity. Second, we give the common implementation method of the digital imaging and communication in medicine (DICOM) image communication software library with IPv6/IPv4 for high-speed broadband Internet by using open-source software. Third, we discuss two major security-transmission methods, the IP security (IPSec) and the secure-socket layer (SSL) or transport-layer security (TLS), being used currently in medical-image-data communication with privacy support. Fourth, we describe a test schema of multiple-modality DICOM-image communications through TCP/IPv4 and TCP/IPv6 with different security methods, different security algorithms, and operating systems, and evaluate the test results. We found that there are tradeoff factors between choosing the IPsec and the SSL/TLS-based security implementation of IPv6/IPv4 protocols. If the WAN networks only use IPv6 such as in high-speed broadband Internet, the choice is IPsec-based security. If the networks are IPv4 or the combination of IPv6 and IPv4, it is better to use SSL/TLS security. The Linux platform has more security algorithms implemented than the Windows (XP) platform, and can achieve better performance in most experiments of IPv6 and IPv4-based DICOM-image communications. In teleradiology or enterprise-PACS applications, the Linux operating system may be the better choice as peer security gateways for both the IPsec and the SSL/TLS-based secure DICOM communications cross public networks.

Novel wavelength diversity technique for high-speed atmospheric turbulence compensation

NASA Astrophysics Data System (ADS)

Arrasmith, William W.; Sullivan, Sean F.

2010-04-01

The defense, intelligence, and homeland security communities are driving a need for software dominant, real-time or near-real time atmospheric turbulence compensated imagery. The development of parallel processing capabilities are finding application in diverse areas including image processing, target tracking, pattern recognition, and image fusion to name a few. A novel approach to the computationally intensive case of software dominant optical and near infrared imaging through atmospheric turbulence is addressed in this paper. Previously, the somewhat conventional wavelength diversity method has been used to compensate for atmospheric turbulence with great success. We apply a new correlation based approach to the wavelength diversity methodology using a parallel processing architecture enabling high speed atmospheric turbulence compensation. Methods for optical imaging through distributed turbulence are discussed, simulation results are presented, and computational and performance assessments are provided.

Lack of security of networked medical equipment in radiology.

PubMed

Moses, Vinu; Korah, Ipeson

2015-02-01

OBJECTIVE. There are few articles in the literature describing the security and safety aspects of networked medical equipment in radiology departments. Most radiologists are unaware of the security issues. We review the security of the networked medical equipment of a typical radiology department. MATERIALS AND METHODS. All networked medical equipment in a radiology department was scanned for vulnerabilities with a port scanner and a network vulnerability scanner, and the vulnerabilities were classified using the Common Vulnerability Scoring System. A network sniffer was used to capture and analyze traffic on the radiology network for exposure of confidential patient data. We reviewed the use of antivirus software and firewalls on the networked medical equipment. USB ports and CD and DVD drives in the networked medical equipment were tested to see whether they allowed unauthorized access. Implementation of the virtual private network (VPN) that vendors use to access the radiology network was reviewed. RESULTS. Most of the networked medical equipment in our radiology department used vulnerable software with open ports and services. Of the 144 items scanned, 64 (44%) had at least one critical vulnerability, and 119 (83%) had at least one high-risk vulnerability. Most equipment did not encrypt traffic and allowed capture of confidential patient data. Of the 144 items scanned, two (1%) used antivirus software and three (2%) had a firewall enabled. The USB ports were not secure on 49 of the 58 (84%) items with USB ports, and the CD or DVD drive was not secure on 17 of the 31 (55%) items with a CD or DVD drive. One of three vendors had an insecure implementation of VPN access. CONCLUSION. Radiologists and the medical industry need to urgently review and rectify the security issues in existing networked medical equipment. We hope that the results of our study and this article also raise awareness among radiologists about the security issues of networked medical equipment.

A Strategy for Improved System Assurance

DTIC Science & Technology

2007-06-20

Quality (Measurements Life Cycle Safety, Security & Others) ISO /IEC 12207 * Software Life Cycle Processes ISO 9001 Quality Management System...14598 Software Product Evaluation Related ISO /IEC 90003 Guidelines for the Application of ISO 9001:2000 to Computer Software IEEE 12207 Industry...Implementation of International Standard ISO /IEC 12207 IEEE 1220 Standard for Application and Management of the System Engineering Process Use in

Testing in Service-Oriented Environments

DTIC Science & Technology

2010-03-01

software releases (versions, service packs, vulnerability patches) for one com- mon ESB during the 13-month period from January 1, 2008 through...impact on quality of service : Unlike traditional software compo- nents, a single instance of a web service can be used by multiple consumers. Since the...distributed, with heterogeneous hardware and software (SOA infrastructure, services , operating systems, and databases). Because of cost and security, it

The interRAI Acute Care instrument incorporated in an eHealth system for standardized and web-based geriatric assessment: strengths, weaknesses, opportunities and threats in the acute hospital setting

PubMed Central

2013-01-01

Background The interRAI Acute Care instrument is a multidimensional geriatric assessment system intended to determine a hospitalized older persons’ medical, psychosocial and functional capacity and needs. Its objective is to develop an overall plan for treatment and long-term follow-up based on a common set of standardized items that can be used in various care settings. A Belgian web-based software system (BelRAI-software) was developed to enable clinicians to interpret the output and to communicate the patients’ data across wards and care organizations. The purpose of the study is to evaluate the (dis)advantages of the implementation of the interRAI Acute Care instrument as a comprehensive geriatric assessment instrument in an acute hospital context. Methods In a cross-sectional multicenter study on four geriatric wards in three acute hospitals, trained clinical staff (nurses, occupational therapists, social workers, and geriatricians) assessed 410 inpatients in routine clinical practice. The BelRAI-system was evaluated by focus groups, observations, and questionnaires. The Strengths, Weaknesses, Opportunities and Threats were mapped (SWOT-analysis) and validated by the participants. Results The primary strengths of the BelRAI-system were a structured overview of the patients’ condition early after admission and the promotion of multidisciplinary assessment. Our study was a first attempt to transfer standardized data between home care organizations, nursing homes and hospitals and a way to centralize medical, allied health professionals and nursing data. With the BelRAI-software, privacy of data is guaranteed. Weaknesses are the time-consuming character of the process and the overlap with other assessment instruments or (electronic) registration forms. There is room for improving the user-friendliness and the efficiency of the software, which needs hospital-specific adaptations. Opportunities are a timely and systematic problem detection and continuity of care. An actual shortage of funding of personnel to coordinate the assessment process is the most important threat. Conclusion The BelRAI-software allows standardized transmural information transfer and the centralization of medical, allied health professionals and nursing data. It is strictly secured and follows strict privacy regulations, allowing hospitals to optimize (transmural) communication and interaction. However, weaknesses and threats exist and must be tackled in order to promote large scale implementation. PMID:24007312

The interRAI Acute Care instrument incorporated in an eHealth system for standardized and web-based geriatric assessment: strengths, weaknesses, opportunities and threats in the acute hospital setting.

PubMed

Devriendt, Els; Wellens, Nathalie I H; Flamaing, Johan; Declercq, Anja; Moons, Philip; Boonen, Steven; Milisen, Koen

2013-09-05

The interRAI Acute Care instrument is a multidimensional geriatric assessment system intended to determine a hospitalized older persons' medical, psychosocial and functional capacity and needs. Its objective is to develop an overall plan for treatment and long-term follow-up based on a common set of standardized items that can be used in various care settings. A Belgian web-based software system (BelRAI-software) was developed to enable clinicians to interpret the output and to communicate the patients' data across wards and care organizations. The purpose of the study is to evaluate the (dis)advantages of the implementation of the interRAI Acute Care instrument as a comprehensive geriatric assessment instrument in an acute hospital context. In a cross-sectional multicenter study on four geriatric wards in three acute hospitals, trained clinical staff (nurses, occupational therapists, social workers, and geriatricians) assessed 410 inpatients in routine clinical practice. The BelRAI-system was evaluated by focus groups, observations, and questionnaires. The Strengths, Weaknesses, Opportunities and Threats were mapped (SWOT-analysis) and validated by the participants. The primary strengths of the BelRAI-system were a structured overview of the patients' condition early after admission and the promotion of multidisciplinary assessment. Our study was a first attempt to transfer standardized data between home care organizations, nursing homes and hospitals and a way to centralize medical, allied health professionals and nursing data. With the BelRAI-software, privacy of data is guaranteed. Weaknesses are the time-consuming character of the process and the overlap with other assessment instruments or (electronic) registration forms. There is room for improving the user-friendliness and the efficiency of the software, which needs hospital-specific adaptations. Opportunities are a timely and systematic problem detection and continuity of care. An actual shortage of funding of personnel to coordinate the assessment process is the most important threat. The BelRAI-software allows standardized transmural information transfer and the centralization of medical, allied health professionals and nursing data. It is strictly secured and follows strict privacy regulations, allowing hospitals to optimize (transmural) communication and interaction. However, weaknesses and threats exist and must be tackled in order to promote large scale implementation.

Automatic Response to Intrusion

DTIC Science & Technology

2002-10-01

Computing Corporation Sidewinder Firewall [18] SRI EMERALD Basic Security Module (BSM) and EMERALD File Transfer Protocol (FTP) Monitors...the same event TCP Wrappers [24] Internet Security Systems RealSecure [31] SRI EMERALD IDIP monitor NAI Labs Generic Software Wrappers Prototype...included EMERALD , NetRadar, NAI Labs UNIX wrappers, ARGuE, MPOG, NetRadar, CyberCop Server, Gauntlet, RealSecure, and the Cyber Command System

Engineering Software for Interoperability through Use of Enterprise Architecture Techniques

DTIC Science & Technology

2003-03-01

Response Home/ Business Security . To detect flood conditions (i.e. excess water levels) within the monitored area and alert authorities, as necessary...Response; Fire Detection & Response; and Flood Detection & Response. Functional Area Description Intruder Detection & Response Home/ Business ... Security . To monitor and detect unauthorized entry into the secured area and sound alarms/alert authorities, as necessary. Fire Detection

A preliminary cyber-physical security assessment of the Robot Operating System (ROS)

NASA Astrophysics Data System (ADS)

McClean, Jarrod; Stull, Christopher; Farrar, Charles; Mascareñas, David

2013-05-01

Over the course of the last few years, the Robot Operating System (ROS) has become a highly popular software framework for robotics research. ROS has a very active developer community and is widely used for robotics research in both academia and government labs. The prevalence and modularity of ROS cause many people to ask the question: "What prevents ROS from being used in commercial or government applications?" One of the main problems that is preventing this increased use of ROS in these applications is the question of characterizing its security (or lack thereof). In the summer of 2012, a crowd sourced cyber-physical security contest was launched at the cyber security conference DEF CON 20 to begin the process of characterizing the security of ROS. A small-scale, car-like robot was configured as a cyber-physical security "honeypot" running ROS. DEFFCON-20 attendees were invited to find exploits and vulnerabilities in the robot while network traffic was collected. The results of this experiment provided some interesting insights and opened up many security questions pertaining to deployed robotic systems. The Federal Aviation Administration is tasked with opening up the civil airspace to commercial drones by September 2015 and driverless cars are already legal for research purposes in a number of states. Given the integration of these robotic devices into our daily lives, the authors pose the following question: "What security exploits can a motivated person with little-to-no experience in cyber security execute, given the wide availability of free cyber security penetration testing tools such as Metasploit?" This research focuses on applying common, low-cost, low-overhead, cyber-attacks on a robot featuring ROS. This work documents the effectiveness of those attacks.

E-Control: First Public Release of Remote Control Software for VLBI Telescopes

NASA Technical Reports Server (NTRS)

Neidhardt, Alexander; Ettl, Martin; Rottmann, Helge; Ploetz, Christian; Muehlbauer, Matthias; Hase, Hayo; Alef, Walter; Sobarzo, Sergio; Herrera, Cristian; Himwich, Ed

2010-01-01

Automating and remotely controlling observations are important for future operations in a Global Geodetic Observing System (GGOS). At the Geodetic Observatory Wettzell, in cooperation with the Max-Planck-Institute for Radio Astronomy in Bonn, a software extension to the existing NASA Field System has been developed for remote control. It uses the principle of a remotely accessible, autonomous process cell as a server extension for the Field System. The communication is realized for low transfer rates using Remote Procedure Calls (RPC). It uses generative programming with the interface software generator idl2rpc.pl developed at Wettzell. The user interacts with this system over a modern graphical user interface created with wxWidgets. For security reasons the communication is automatically tunneled through a Secure Shell (SSH) session to the telescope. There are already successful test observations with the telescopes at O Higgins, Concepcion, and Wettzell. At Wettzell the software is already used routinely for weekend observations. Therefore the first public release of the software is now available, which will also be useful for other telescopes.

Secure Video Surveillance System Acquisition Software

DOE Office of Scientific and Technical Information (OSTI.GOV)

2009-12-04

The SVSS Acquisition Software collects and displays video images from two cameras through a VPN, and store the images onto a collection controller. The software is configured to allow a user to enter a time window to display up to 2 1/2, hours of video review. The software collects images from the cameras at a rate of 1 image per second and automatically deletes images older than 3 hours. The software code operates in a linux environment and can be run in a virtual machine on Windows XP. The Sandia software integrates the different COTS software together to build themore » video review system.« less

Development of the disable software reporting system on the basis of the neural network

NASA Astrophysics Data System (ADS)

Gavrylenko, S.; Babenko, O.; Ignatova, E.

2018-04-01

The PE structure of malicious and secure software is analyzed, features are highlighted, binary sign vectors are obtained and used as inputs for training the neural network. A software model for detecting malware based on the ART-1 neural network was developed, optimal similarity coefficients were found, and testing was performed. The obtained research results showed the possibility of using the developed system of identifying malicious software in computer systems protection systems

Information Security Controls against Cross-Site Request Forgery Attacks on Software Applications of Automated Systems

NASA Astrophysics Data System (ADS)

Barabanov, A. V.; Markov, A. S.; Tsirlov, V. L.

2018-05-01

This paper presents statistical results and their consolidation, which were received in the study into security of various web-application against cross-site request forgery attacks. Some of the results were received in the study carried out within the framework of certification for compliance with information security requirements. The paper provides the results of consolidating information about the attack and protection measures, which are currently used by the developers of web-applications. It specifies results of the study, which demonstrate various distribution types: distribution of identified vulnerabilities as per the developer type (Russian and foreign), distribution of the security measures used in web-applications, distribution of the identified vulnerabilities as per the programming languages, data on the number of security measures that are used in the studied web-applications. The results of the study show that in most cases the developers of web-applications do not pay due attention to protection against cross-site request forgery attacks. The authors give recommendations to the developers that are planning to undergo a certification process for their software applications.

Dynamic Reconfiguration of Security Policies in Wireless Sensor Networks

PubMed Central

Pinto, Mónica; Gámez, Nadia; Fuentes, Lidia; Amor, Mercedes; Horcas, José Miguel; Ayala, Inmaculada

2015-01-01

Providing security and privacy to wireless sensor nodes (WSNs) is very challenging, due to the heterogeneity of sensor nodes and their limited capabilities in terms of energy, processing power and memory. The applications for these systems run in a myriad of sensors with different low-level programming abstractions, limited capabilities and different routing protocols. This means that applications for WSNs need mechanisms for self-adaptation and for self-protection based on the dynamic adaptation of the algorithms used to provide security. Dynamic software product lines (DSPLs) allow managing both variability and dynamic software adaptation, so they can be considered a key technology in successfully developing self-protected WSN applications. In this paper, we propose a self-protection solution for WSNs based on the combination of the INTER-TRUST security framework (a solution for the dynamic negotiation and deployment of security policies) and the FamiWare middleware (a DSPL approach to automatically configure and reconfigure instances of a middleware for WSNs). We evaluate our approach using a case study from the intelligent transportation system domain. PMID:25746093

A Novel Survey to Examine the Relationship Between Health IT Adoption and Nurse-Physician Communication

PubMed Central

Pfeifer, Eric; Manojlovich, Milisa; Adler-Milstein, Julia

2016-01-01

Summary Background As EHR adoption in US hospitals becomes ubiquitous, a wide range of IT options are theoretically available to facilitate physician-nurse communication, but we know little about the adoption rate of specific technologies or the impact of their use. Objectives To measure adoption of hardware, software, and telephony relevant to nurse-physician communication in US hospitals. To assess the relationship between non-IT communication practices and hardware, software, and telephony adoption. To identify hospital characteristics associated with greater adoption of hardware, software, telephony, and non-IT communication practices. Methods We conducted a survey of 105 hospitals in the National Nursing Practice Network. The survey captured adoption of hardware, software, and telephony to support nurse-physician communication, along with non-IT communication practices. We calculated descriptive statistics and then created four indices, one for each category, by scoring degree of adoption of technologies or practices within each category. Next, we examined correlations between the three technology indices and the non-IT communication practices index. We used multivariate OLS regression to assess whether certain types of hospitals had higher index scores. Results The majority of hospitals surveyed have a range of hardware, software, and telephony tools available to support nurse-physician communication; we found substantial heterogeneity across hospitals in non-IT communication practices. More intensive non-IT communication was associated with greater adoption of software (r=0.31, p=0.01), but was not correlated with hardware or telephony. Medium-sized hospitals had lower adoption of software (r =-1.14,p=0.04) in comparison to small hospitals, while federally-owned hospitals had lower software (r=-2.57, p=0.02) and hardware adoption (r=-1.63, p=0.01). Conclusions The positive relationship between non-IT communication and level of software adoption suggests that there is a complementary, rather than substitutive, relationship. Our results suggest that some technologies with the potential to further enhance communication, such as CPOE and secure messaging, are not being utilized to their full potential in many hospitals. PMID:27999841

Integrated homeland security system with passive thermal imaging and advanced video analytics

NASA Astrophysics Data System (ADS)

Francisco, Glen; Tillman, Jennifer; Hanna, Keith; Heubusch, Jeff; Ayers, Robert

2007-04-01

A complete detection, management, and control security system is absolutely essential to preempting criminal and terrorist assaults on key assets and critical infrastructure. According to Tom Ridge, former Secretary of the US Department of Homeland Security, "Voluntary efforts alone are not sufficient to provide the level of assurance Americans deserve and they must take steps to improve security." Further, it is expected that Congress will mandate private sector investment of over $20 billion in infrastructure protection between 2007 and 2015, which is incremental to funds currently being allocated to key sites by the department of Homeland Security. Nearly 500,000 individual sites have been identified by the US Department of Homeland Security as critical infrastructure sites that would suffer severe and extensive damage if a security breach should occur. In fact, one major breach in any of 7,000 critical infrastructure facilities threatens more than 10,000 people. And one major breach in any of 123 facilities-identified as "most critical" among the 500,000-threatens more than 1,000,000 people. Current visible, nightvision or near infrared imaging technology alone has limited foul-weather viewing capability, poor nighttime performance, and limited nighttime range. And many systems today yield excessive false alarms, are managed by fatigued operators, are unable to manage the voluminous data captured, or lack the ability to pinpoint where an intrusion occurred. In our 2006 paper, "Critical Infrastructure Security Confidence Through Automated Thermal Imaging", we showed how a highly effective security solution can be developed by integrating what are now available "next-generation technologies" which include: Thermal imaging for the highly effective detection of intruders in the dark of night and in challenging weather conditions at the sensor imaging level - we refer to this as the passive thermal sensor level detection building block Automated software detection for creating initial alerts - we refer to this as software level detection, the next level building block Immersive 3D visual assessment for situational awareness and to manage the reaction process - we refer to this as automated intelligent situational awareness, a third building block Wide area command and control capabilities to allow control from a remote location - we refer to this as the management and process control building block integrating together the lower level building elements. In addition, this paper describes three live installations of complete, total systems that incorporate visible and thermal cameras as well as advanced video analytics. Discussion of both system elements and design is extensive.

State of the Art of Network Security Perspectives in Cloud Computing

NASA Astrophysics Data System (ADS)

Oh, Tae Hwan; Lim, Shinyoung; Choi, Young B.; Park, Kwang-Roh; Lee, Heejo; Choi, Hyunsang

Cloud computing is now regarded as one of social phenomenon that satisfy customers' needs. It is possible that the customers' needs and the primary principle of economy - gain maximum benefits from minimum investment - reflects realization of cloud computing. We are living in the connected society with flood of information and without connected computers to the Internet, our activities and work of daily living will be impossible. Cloud computing is able to provide customers with custom-tailored features of application software and user's environment based on the customer's needs by adopting on-demand outsourcing of computing resources through the Internet. It also provides cloud computing users with high-end computing power and expensive application software package, and accordingly the users will access their data and the application software where they are located at the remote system. As the cloud computing system is connected to the Internet, network security issues of cloud computing are considered as mandatory prior to real world service. In this paper, survey and issues on the network security in cloud computing are discussed from the perspective of real world service environments.

PLAYGROUND: Preparing Students for the Cyber Battleground

ERIC Educational Resources Information Center

Nielson, Seth James

2017-01-01

Attempting to educate practitioners of computer security can be difficult if for no other reason than the breadth of knowledge required today. The security profession includes widely diverse subfields including cryptography, network architectures, programming, programming languages, design, coding practices, software testing, pattern recognition,…

Eye Can See for Miles and Miles.

ERIC Educational Resources Information Center

School Planning & Management, 2002

2002-01-01

Describes how a New Hampshire school system eliminated internal school vandalism and bomb threats, and reduced the number of false alarms, by using video security software (WebEyeAlert security solution) that is accessible via a variety of methods from remote locations. (Author/EV)

Safeguarding Databases Basic Concepts Revisited.

ERIC Educational Resources Information Center

Cardinali, Richard

1995-01-01

Discusses issues of database security and integrity, including computer crime and vandalism, human error, computer viruses, employee and user access, and personnel policies. Suggests some precautions to minimize system vulnerability such as careful personnel screening, audit systems, passwords, and building and software security systems. (JKP)

Lock It Up! Computer Security.

ERIC Educational Resources Information Center

Wodarz, Nan

1997-01-01

The data contained on desktop computer systems and networks pose security issues for virtually every district. Sensitive information can be protected by educating users, altering the physical layout, using password protection, designating access levels, backing up data, reformatting floppy disks, using antivirus software, and installing encryption…

45 CFR 164.312 - Technical safeguards.

Code of Federal Regulations, 2012 CFR

2012-10-01

... REQUIREMENTS SECURITY AND PRIVACY Security Standards for the Protection of Electronic Protected Health... that maintain electronic protected health information to allow access only to those persons or software... specifications: (i) Unique user identification (Required). Assign a unique name and/or number for identifying and...

Executives' speech expressiveness: analysis of perceptive and acoustic aspects of vocal dynamics.

PubMed

Marquezin, Daniela Maria Santos Serrano; Viola, Izabel; Ghirardi, Ana Carolina de Assis Moura; Madureira, Sandra; Ferreira, Léslie Piccolotto

2015-01-01

To analyze speech expressiveness in a group of executives based on perceptive and acoustic aspects of vocal dynamics. Four male subjects participated in the research study (S1, S2, S3, and S4). The assessments included the Kingdomality test to obtain the keywords of communicative attitudes; perceptive-auditory assessment to characterize vocal quality and dynamics, performed by three judges who are speech language pathologists; perceptiveauditory assessment to judge the chosen keywords; speech acoustics to assess prosodic elements (Praat software); and a statistical analysis. According to the perceptive-auditory analysis of vocal dynamics, S1, S2, S3, and S4 did not show vocal alterations and all of them were considered with lowered habitual pitch. S1: pointed out as insecure, nonobjective, nonempathetic, and unconvincing with inappropriate use of pauses that are mainly formed by hesitations; inadequate separation of prosodic groups with breaking of syntagmatic constituents. S2: regular use of pauses for respiratory reload, organization of sentences, and emphasis, which is considered secure, little objective, empathetic, and convincing. S3: pointed out as secure, objective, empathetic, and convincing with regular use of pauses for respiratory reload and organization of sentences and hesitations. S4: the most secure, objective, empathetic, and convincing, with proper use of pauses for respiratory reload, planning, and emphasis; prosodic groups agreed with the statement, without separating the syntagmatic constituents. The speech characteristics and communicative attitudes were highlighted in two subjects in a different manner, in such a way that the slow rate of speech and breaks of the prosodic groups transmitted insecurity, little objectivity, and nonpersuasion.

Design and implementation of a privacy preserving electronic health record linkage tool in Chicago

PubMed Central

Cashy, John P; Jackson, Kathryn L; Pah, Adam R; Goel, Satyender; Boehnke, Jörn; Humphries, John Eric; Kominers, Scott Duke; Hota, Bala N; Sims, Shannon A; Malin, Bradley A; French, Dustin D; Walunas, Theresa L; Meltzer, David O; Kaleba, Erin O; Jones, Roderick C; Galanter, William L

2015-01-01

Objective To design and implement a tool that creates a secure, privacy preserving linkage of electronic health record (EHR) data across multiple sites in a large metropolitan area in the United States (Chicago, IL), for use in clinical research. Methods The authors developed and distributed a software application that performs standardized data cleaning, preprocessing, and hashing of patient identifiers to remove all protected health information. The application creates seeded hash code combinations of patient identifiers using a Health Insurance Portability and Accountability Act compliant SHA-512 algorithm that minimizes re-identification risk. The authors subsequently linked individual records using a central honest broker with an algorithm that assigns weights to hash combinations in order to generate high specificity matches. Results The software application successfully linked and de-duplicated 7 million records across 6 institutions, resulting in a cohort of 5 million unique records. Using a manually reconciled set of 11 292 patients as a gold standard, the software achieved a sensitivity of 96% and a specificity of 100%, with a majority of the missed matches accounted for by patients with both a missing social security number and last name change. Using 3 disease examples, it is demonstrated that the software can reduce duplication of patient records across sites by as much as 28%. Conclusions Software that standardizes the assignment of a unique seeded hash identifier merged through an agreed upon third-party honest broker can enable large-scale secure linkage of EHR data for epidemiologic and public health research. The software algorithm can improve future epidemiologic research by providing more comprehensive data given that patients may make use of multiple healthcare systems. PMID:26104741

Design and implementation of a privacy preserving electronic health record linkage tool in Chicago.

PubMed

Kho, Abel N; Cashy, John P; Jackson, Kathryn L; Pah, Adam R; Goel, Satyender; Boehnke, Jörn; Humphries, John Eric; Kominers, Scott Duke; Hota, Bala N; Sims, Shannon A; Malin, Bradley A; French, Dustin D; Walunas, Theresa L; Meltzer, David O; Kaleba, Erin O; Jones, Roderick C; Galanter, William L

2015-09-01

To design and implement a tool that creates a secure, privacy preserving linkage of electronic health record (EHR) data across multiple sites in a large metropolitan area in the United States (Chicago, IL), for use in clinical research. The authors developed and distributed a software application that performs standardized data cleaning, preprocessing, and hashing of patient identifiers to remove all protected health information. The application creates seeded hash code combinations of patient identifiers using a Health Insurance Portability and Accountability Act compliant SHA-512 algorithm that minimizes re-identification risk. The authors subsequently linked individual records using a central honest broker with an algorithm that assigns weights to hash combinations in order to generate high specificity matches. The software application successfully linked and de-duplicated 7 million records across 6 institutions, resulting in a cohort of 5 million unique records. Using a manually reconciled set of 11 292 patients as a gold standard, the software achieved a sensitivity of 96% and a specificity of 100%, with a majority of the missed matches accounted for by patients with both a missing social security number and last name change. Using 3 disease examples, it is demonstrated that the software can reduce duplication of patient records across sites by as much as 28%. Software that standardizes the assignment of a unique seeded hash identifier merged through an agreed upon third-party honest broker can enable large-scale secure linkage of EHR data for epidemiologic and public health research. The software algorithm can improve future epidemiologic research by providing more comprehensive data given that patients may make use of multiple healthcare systems. © The Author 2015. Published by Oxford University Press on behalf of the American Medical Informatics Association. All rights reserved. For Permissions, please email: journals.permissions@oup.com.

Use of a secure Internet Web site for collaborative medical research.

PubMed

Marshall, W W; Haley, R W

2000-10-11

Researchers who collaborate on clinical research studies from diffuse locations need a convenient, inexpensive, secure way to record and manage data. The Internet, with its World Wide Web, provides a vast network that enables researchers with diverse types of computers and operating systems anywhere in the world to log data through a common interface. Development of a Web site for scientific data collection can be organized into 10 steps, including planning the scientific database, choosing a database management software system, setting up database tables for each collaborator's variables, developing the Web site's screen layout, choosing a middleware software system to tie the database software to the Web site interface, embedding data editing and calculation routines, setting up the database on the central server computer, obtaining a unique Internet address and name for the Web site, applying security measures to the site, and training staff who enter data. Ensuring the security of an Internet database requires limiting the number of people who have access to the server, setting up the server on a stand-alone computer, requiring user-name and password authentication for server and Web site access, installing a firewall computer to prevent break-ins and block bogus information from reaching the server, verifying the identity of the server and client computers with certification from a certificate authority, encrypting information sent between server and client computers to avoid eavesdropping, establishing audit trails to record all accesses into the Web site, and educating Web site users about security techniques. When these measures are carefully undertaken, in our experience, information for scientific studies can be collected and maintained on Internet databases more efficiently and securely than through conventional systems of paper records protected by filing cabinets and locked doors. JAMA. 2000;284:1843-1849.

Security Issues for Mobile Medical Imaging: A Primer.

PubMed

Choudhri, Asim F; Chatterjee, Arindam R; Javan, Ramin; Radvany, Martin G; Shih, George

2015-10-01

The end-user of mobile device apps in the practice of clinical radiology should be aware of security measures that prevent unauthorized use of the device, including passcode policies, methods for dealing with failed login attempts, network manager-controllable passcode enforcement, and passcode enforcement for the protection of the mobile device itself. Protection of patient data must be in place that complies with the Health Insurance Portability and Accountability Act and U.S. Federal Information Processing Standards. Device security measures for data protection include methods for locally stored data encryption, hardware encryption, and the ability to locally and remotely clear data from the device. As these devices transfer information over both local wireless networks and public cell phone networks, wireless network security protocols, including wired equivalent privacy and Wi-Fi protected access, are important components in the chain of security. Specific virtual private network protocols, Secure Sockets Layer and related protocols (especially in the setting of hypertext transfer protocols), native apps, virtual desktops, and nonmedical commercial off-the-shelf apps require consideration in the transmission of medical data over both private and public networks. Enterprise security and management of both personal and enterprise mobile devices are discussed. Finally, specific standards for hardware and software platform security, including prevention of hardware tampering, protection from malicious software, and application authentication methods, are vital components in establishing a secure platform for the use of mobile devices in the medical field. © RSNA, 2015.

DOE Office of Scientific and Technical Information (OSTI.GOV)

MacDonald, Douglas G.; Clements, Samuel L.; Patrick, Scott W.

Securing high value and critical assets is one of the biggest challenges facing this nation and others around the world. In modern integrated systems, there are four potential modes of attack available to an adversary: • physical only attack, • cyber only attack, • physical-enabled cyber attack, • cyber-enabled physical attack. Blended attacks involve an adversary working in one domain to reduce system effectiveness in another domain. This enables the attacker to penetrate further into the overall layered defenses. Existing vulnerability assessment (VA) processes and software tools which predict facility vulnerabilities typically evaluate the physical and cyber domains separately. Vulnerabilitiesmore » which result from the integration of cyber-physical control systems are not well characterized and are often overlooked by existing assessment approaches. In this paper, we modified modification of the timely detection methodology, used for decades in physical security VAs, to include cyber components. The Physical and Cyber Risk Analysis Tool (PACRAT) prototype illustrates an integrated vulnerability assessment that includes cyber-physical interdependencies. Information about facility layout, network topology, and emplaced safeguards is used to evaluate how well suited a facility is to detect, delay, and respond to attacks, to identify the pathways most vulnerable to attack, and to evaluate how often safeguards are compromised for a given threat or adversary type. We have tested the PACRAT prototype on critical infrastructure facilities and the results are promising. Future work includes extending the model to prescribe the recommended security improvements via an automated cost-benefit analysis.« less

WPSS: watching people security services

NASA Astrophysics Data System (ADS)

Bouma, Henri; Baan, Jan; Borsboom, Sander; van Zon, Kasper; Luo, Xinghan; Loke, Ben; Stoeller, Bram; van Kuilenburg, Hans; Dijk, Judith

2013-10-01

To improve security, the number of surveillance cameras is rapidly increasing. However, the number of human operators remains limited and only a selection of the video streams are observed. Intelligent software services can help to find people quickly, evaluate their behavior and show the most relevant and deviant patterns. We present a software platform that contributes to the retrieval and observation of humans and to the analysis of their behavior. The platform consists of mono- and stereo-camera tracking, re-identification, behavioral feature computation, track analysis, behavior interpretation and visualization. This system is demonstrated in a busy shopping mall with multiple cameras and different lighting conditions.

Exploring machine-learning-based control plane intrusion detection techniques in software defined optical networks

NASA Astrophysics Data System (ADS)

Zhang, Huibin; Wang, Yuqiao; Chen, Haoran; Zhao, Yongli; Zhang, Jie

2017-12-01

In software defined optical networks (SDON), the centralized control plane may encounter numerous intrusion threatens which compromise the security level of provisioned services. In this paper, the issue of control plane security is studied and two machine-learning-based control plane intrusion detection techniques are proposed for SDON with properly selected features such as bandwidth, route length, etc. We validate the feasibility and efficiency of the proposed techniques by simulations. Results show an accuracy of 83% for intrusion detection can be achieved with the proposed machine-learning-based control plane intrusion detection techniques.

CrossTalk. The Journal of Defense Software Engineering. Volume 25, Number 6

DTIC Science & Technology

2012-12-01

Cyber Security Threat Definition Communicable Noncommunicable Based on Risky Behavior Coordinated Trojan horse programs Threats hidden in a...for Cyber Security Threats Cyber Security Threat Communicable Noncommunicable Risky Behaviors Coordinated Type of Intervention (at the System...types of data are breached. Further, educational materials on risky behaviors (e.g., for home Internet users) as well as recommended guide- lines for

Operation and Maintenance Manual, Ultrasonic Fish Deterrent System

DTIC Science & Technology

1991-07-01

PAGES Fishery management--Instruments 61 Ultrsonic transducers 16. PRICE CODE 17. SECURITY CLASSIFICATION 18. SECURITY CLASSIFICATION 19. SECURITY...compatible computer with a communications software package will be most convenient; however, any terminal will work. To begin operation, connect the...D. Next connect the communications cable (TC-4) between the RFPG and the terminal. An ONSET TC-4 cable must be used due to level shifting

Foundations for Security Aware Software Development Education

DTIC Science & Technology

2005-11-22

depending on the budget, that support robustness. We discuss the educational customer base, projected lifetime, and complexity of paradigm shift that should...in Honour of Sir Tony Hoar, [6] Cheetham, C. and Ferraiolo, K., "The Systems Security Millenial Perspectives in Computer Science, Engineering...Capability Maturity Model", 21st 2002, 229-246. National Information Systems Security Conference, [15] Schwartz, J., "Object Oriented Extensions to October 5

Study of Software Tools to Support Systems Engineering Management

DTIC Science & Technology

2015-06-01

Management 15. NUMBER OF PAGES 137 16. PRICE CODE 17. SECURITY CLASSIFICATION OF REPORT Unclassified 18. SECURITY CLASSIFICATION OF THIS...AVAILABILITY STATEMENT Approved for public release; distribution is unlimited 12b. DISTRIBUTION CODE 13. ABSTRACT (maximum 200 words) According to a...PAGE Unclassified 19. SECURITY CLASSIFICATION OF ABSTRACT Unclassified 20. LIMITATION OF ABSTRACT UU NSN 7540–01–280–5500 Standard Form 298

Finding the ’RITE’ Acquisition Environment for Navy C2 Software

DTIC Science & Technology

2015-05-01

Boiler plate contract language - Gov purpose Rights • Adding expectation of quality to contracting language • Template SOW’s created Pr...Debugger MCCABE IQ Static Analysis Cyclomatic Complexity and KSLOC. All Languages HP Fortify Security Scan STIG and Vulnerabilities Security & IA...GSSAT (GOTS) Security Scan STIG and Vulnerabilities AutoIT Automated Test Scripting Engine for Automation Functional Testing TestComplete Automated

Rearchitecting IT: Simplify. Simplify

ERIC Educational Resources Information Center

Panettieri, Joseph C.

2006-01-01

Simplifying and securing an IT infrastructure is not easy. It frequently requires rethinking years of hardware and software investments, and a gradual migration to modern systems. Even so, writes the author, universities can take six practical steps to success: (1) Audit software infrastructure; (2) Evaluate current applications; (3) Centralize…

A Summary of the Naval Postgraduate School Research Program

DTIC Science & Technology

1989-08-30

5 Fundamental Theory for Automatically Combining Changes to Software Systems ............................ 6 Database -System Approach to...Software Engineering Environments(SEE’s) .................................. 10 Multilevel Database Security .......................... 11 Temporal... Database Management and Real-Time Database Computers .................................... 12 The Multi-lingual, Multi Model, Multi-Backend Database

15 CFR Supplement No. 5 to Part 742 - Encryption Registration

Code of Federal Regulations, 2013 CFR

2013-01-01

... registration, i.e., the information as described in this Supplement, submitted as a support documentation... (h) Smartcards or other identity management (i) Computer or network forensics (j) Software (i) Operating systems (ii) Applications (k) Toolkits/ASICs/components (l) Information security including secure...

15 CFR Supplement No. 5 to Part 742 - Encryption Registration

Code of Federal Regulations, 2011 CFR

2011-01-01

... registration, i.e., the information as described in this Supplement, submitted as a support documentation... (h) Smartcards or other identity management (i) Computer or network forensics (j) Software (i) Operating systems (ii) Applications (k) Toolkits/ASICs/components (l) Information security including secure...

15 CFR Supplement No. 5 to Part 742 - Encryption Registration

Code of Federal Regulations, 2014 CFR

2014-01-01

... registration, i.e., the information as described in this Supplement, submitted as a support documentation... (h) Smartcards or other identity management (i) Computer or network forensics (j) Software (i) Operating systems (ii) Applications (k) Toolkits/ASICs/components (l) Information security including secure...

15 CFR Supplement No. 5 to Part 742 - Encryption Registration

Code of Federal Regulations, 2012 CFR

2012-01-01

... registration, i.e., the information as described in this Supplement, submitted as a support documentation... (h) Smartcards or other identity management (i) Computer or network forensics (j) Software (i) Operating systems (ii) Applications (k) Toolkits/ASICs/components (l) Information security including secure...

Trust Management and Accountability for Internet Security

ERIC Educational Resources Information Center

Liu, Wayne W.

2011-01-01

Adversarial yet interacting interdependent relationships in information sharing and service provisioning have been a pressing issue of the Internet. Such relationships exist among autonomous software agents, in networking system peers, as well as between "service users and providers." Traditional "ad hoc" security approaches effective in…

Staying Secure for School Safety

ERIC Educational Resources Information Center

Youngkin, Minu

2012-01-01

Proper planning and preventive maintenance can increase school security and return on investment. Preventive maintenance begins with planning. Through careful planning, education institutions can determine what is working and if any equipment, hardware or software needs to be replaced or upgraded. When reviewing a school's safety and security…

Application Security Automation

ERIC Educational Resources Information Center

Malaika, Majid A.

2011-01-01

With today's high demand for online applications and services running on the Internet, software has become a vital component in our lives. With every revolutionary technology comes challenges unique to its characteristics; for online applications, security is one huge concern and challenge. Currently, there are several schemes that address…

45 CFR 164.312 - Technical safeguards.

Code of Federal Regulations, 2013 CFR

2013-10-01

... REQUIREMENTS SECURITY AND PRIVACY Security Standards for the Protection of Electronic Protected Health... persons or software programs that have been granted access rights as specified in § 164.308(a)(4). (2) Implementation specifications: (i) Unique user identification (Required). Assign a unique name and/or number for...

How Much Security Does Your Library Need?

ERIC Educational Resources Information Center

Banerjee, Kyle

2003-01-01

Explains how to keep library systems healthy and functioning by taking sensible security measures. Examines why hackers would target library systems and how library systems are compromised. Describes tools that can help, including: firewalls; antivirus software; alarms; network analysis tools; and encryption. Identifies several strategies for…

Application distribution model and related security attacks in VANET

NASA Astrophysics Data System (ADS)

Nikaein, Navid; Kanti Datta, Soumya; Marecar, Irshad; Bonnet, Christian

2013-03-01

In this paper, we present a model for application distribution and related security attacks in dense vehicular ad hoc networks (VANET) and sparse VANET which forms a delay tolerant network (DTN). We study the vulnerabilities of VANET to evaluate the attack scenarios and introduce a new attacker`s model as an extension to the work done in [6]. Then a VANET model has been proposed that supports the application distribution through proxy app stores on top of mobile platforms installed in vehicles. The steps of application distribution have been studied in detail. We have identified key attacks (e.g. malware, spamming and phishing, software attack and threat to location privacy) for dense VANET and two attack scenarios for sparse VANET. It has been shown that attacks can be launched by distributing malicious applications and injecting malicious codes to On Board Unit (OBU) by exploiting OBU software security holes. Consequences of such security attacks have been described. Finally, countermeasures including the concepts of sandbox have also been presented in depth.

Visual identification system for homeland security and law enforcement support

NASA Astrophysics Data System (ADS)

Samuel, Todd J.; Edwards, Don; Knopf, Michael

2005-05-01

This paper describes the basic configuration for a visual identification system (VIS) for Homeland Security and law enforcement support. Security and law enforcement systems with an integrated VIS will accurately and rapidly provide identification of vehicles or containers that have entered, exited or passed through a specific monitoring location. The VIS system stores all images and makes them available for recall for approximately one week. Images of alarming vehicles will be archived indefinitely as part of the alarming vehicle"s or cargo container"s record. Depending on user needs, the digital imaging information will be provided electronically to the individual inspectors, supervisors, and/or control center at the customer"s office. The key components of the VIS are the high-resolution cameras that capture images of vehicles, lights, presence sensors, image cataloging software, and image recognition software. In addition to the cameras, the physical integration and network communications of the VIS components with the balance of the security system and client must be ensured.

Internet-based monitoring and benchmarking in ambulatory surgery centers.

PubMed

Bovbjerg, V E; Olchanski, V; Zimberg, S E; Green, J S; Rossiter, L F

2000-08-01

Each year the number of surgical procedures performed on an outpatient basis increases, yet relatively little is known about assessing and improving quality of care in ambulatory surgery. Conventional methods for evaluating outcomes, which are based on assessment of inpatient services, are inadequate in the rapidly changing, geographically dispersed field of ambulatory surgery. Internet-based systems for improving outcomes and establishing benchmarks may be feasible and timely. Eleven freestanding ambulatory surgery centers (ASCs) reported process and outcome data for 3,966 outpatient surgical procedures to an outcomes monitoring system (OMS), during a demonstration period from April 1997 to April 1999. ASCs downloaded software and protocol manuals from the OMS Web site. Centers securely submitted clinical information on perioperative process and outcome measures and postoperative patient telephone interviews. Feedback to centers ranged from current and historical rates of surgical and postsurgical complications to patient satisfaction and the adequacy of postsurgical pain relief. ASCs were able to successfully implement the data collection protocols and transmit data to the OMS. Data security efforts were successful in preventing the transmission of patient identifiers. Feedback reports to ASCs were used to institute changes in ASC staffing, patient care, and patient education, as well as for accreditation and marketing. The demonstration also pointed out shortcomings in the OMS, such as the need to simplify hardware and software installation as well as data collection and transfer methods, which have been addressed in subsequent OMS versions. Internet-based benchmarking for geographically dispersed outpatient health care facilities, such as ASCs, is feasible and likely to play a major role in this effort.

Empirical Analysis and Automated Classification of Security Bug Reports

NASA Technical Reports Server (NTRS)

Tyo, Jacob P.

2016-01-01

With the ever expanding amount of sensitive data being placed into computer systems, the need for effective cybersecurity is of utmost importance. However, there is a shortage of detailed empirical studies of security vulnerabilities from which cybersecurity metrics and best practices could be determined. This thesis has two main research goals: (1) to explore the distribution and characteristics of security vulnerabilities based on the information provided in bug tracking systems and (2) to develop data analytics approaches for automatic classification of bug reports as security or non-security related. This work is based on using three NASA datasets as case studies. The empirical analysis showed that the majority of software vulnerabilities belong only to a small number of types. Addressing these types of vulnerabilities will consequently lead to cost efficient improvement of software security. Since this analysis requires labeling of each bug report in the bug tracking system, we explored using machine learning to automate the classification of each bug report as a security or non-security related (two-class classification), as well as each security related bug report as specific security type (multiclass classification). In addition to using supervised machine learning algorithms, a novel unsupervised machine learning approach is proposed. An ac- curacy of 92%, recall of 96%, precision of 92%, probability of false alarm of 4%, F-Score of 81% and G-Score of 90% were the best results achieved during two-class classification. Furthermore, an accuracy of 80%, recall of 80%, precision of 94%, and F-score of 85% were the best results achieved during multiclass classification.

Automated Theorem Proving in High-Quality Software Design

NASA Technical Reports Server (NTRS)

Schumann, Johann; Swanson, Keith (Technical Monitor)

2001-01-01

The amount and complexity of software developed during the last few years has increased tremendously. In particular, programs are being used more and more in embedded systems (from car-brakes to plant-control). Many of these applications are safety-relevant, i.e. a malfunction of hardware or software can cause severe damage or loss. Tremendous risks are typically present in the area of aviation, (nuclear) power plants or (chemical) plant control. Here, even small problems can lead to thousands of casualties and huge financial losses. Large financial risks also exist when computer systems are used in the area of telecommunication (telephone, electronic commerce) or space exploration. Computer applications in this area are not only subject to safety considerations, but also security issues are important. All these systems must be designed and developed to guarantee high quality with respect to safety and security. Even in an industrial setting which is (or at least should be) aware of the high requirements in Software Engineering, many incidents occur. For example, the Warshaw Airbus crash, was caused by an incomplete requirements specification. Uncontrolled reuse of an Ariane 4 software module was the reason for the Ariane 5 disaster. Some recent incidents in the telecommunication area, like illegal "cloning" of smart-cards of D2GSM handies, or the extraction of (secret) passwords from German T-online users show that also in this area serious flaws can happen. Due to the inherent complexity of computer systems, most authors claim that only a rigorous application of formal methods in all stages of the software life cycle can ensure high quality of the software and lead to real safe and secure systems. In this paper, we will have a look, in how far automated theorem proving can contribute to a more widespread application of formal methods and their tools, and what automated theorem provers (ATPs) must provide in order to be useful.

Failure Impact Analysis of Key Management in AMI Using Cybernomic Situational Assessment (CSA)

DOE Office of Scientific and Technical Information (OSTI.GOV)

Abercrombie, Robert K; Sheldon, Frederick T; Hauser, Katie R

2013-01-01

In earlier work, we presented a computational framework for quantifying the security of a system in terms of the average loss a stakeholder stands to sustain as a result of threats to the system. We named this system, the Cyberspace Security Econometrics System (CSES). In this paper, we refine the framework and apply it to cryptographic key management within the Advanced Metering Infrastructure (AMI) as an example. The stakeholders, requirements, components, and threats are determined. We then populate the matrices with justified values by addressing the AMI at a higher level, rather than trying to consider every piece of hardwaremore » and software involved. We accomplish this task by leveraging the recently established NISTR 7628 guideline for smart grid security. This allowed us to choose the stakeholders, requirements, components, and threats realistically. We reviewed the literature and selected an industry technical working group to select three representative threats from a collection of 29 threats. From this subset, we populate the stakes, dependency, and impact matrices, and the threat vector with realistic numbers. Each Stakeholder s Mean Failure Cost is then computed.« less

Self port scanning tool : providing a more secure computing Environment through the use of proactive port scanning

NASA Technical Reports Server (NTRS)

Kocher, Joshua E; Gilliam, David P.

2005-01-01

Secure computing is a necessity in the hostile environment that the internet has become. Protection from nefarious individuals and organizations requires a solution that is more a methodology than a one time fix. One aspect of this methodology is having the knowledge of which network ports a computer has open to the world, These network ports are essentially the doorways from the internet into the computer. An assessment method which uses the nmap software to scan ports has been developed to aid System Administrators (SAs) with analysis of open ports on their system(s). Additionally, baselines for several operating systems have been developed so that SAs can compare their open ports to a baseline for a given operating system. Further, the tool is deployed on a website where SAs and Users can request a port scan of their computer. The results are then emailed to the requestor. This tool aids Users, SAs, and security professionals by providing an overall picture of what services are running, what ports are open, potential trojan programs or backdoors, and what ports can be closed.

Global Situational Awareness with Free Tools

DTIC Science & Technology

2015-01-15

Client Technical Solutions • Software Engineering Measurement and Analysis • Architecture Practices • Product Line Practice • Team Software Process...multiple data sources • Snort (Snorby on Security Onion ) • Nagios • SharePoint RSS • Flow • Others • Leverage standard data formats • Keyhole Markup Language

The U.S./IAEA Workshop on Software Sustainability for Safeguards Instrumentation: Report to the NNSA DOE Office of International Nuclear Safeguards (NA-241)

DOE Office of Scientific and Technical Information (OSTI.GOV)

Pepper, Susan E.; Pickett, Chris A.; Queirolo, Al

The U.S Department of Energy (DOE) National Nuclear Security Administration (NNSA) Next Generation Safeguards Initiative (NGSI) and the International Atomic Energy Agency (IAEA) convened a workshop on Software Sustainability for Safeguards Instrumentation in Vienna, Austria, May 6-8, 2014. Safeguards instrumentation software must be sustained in a changing environment to ensure existing instruments can continue to perform as designed, with improved security. The approaches to the development and maintenance of instrument software used in the past may not be the best model for the future and, therefore, the organizers’ goal was to investigate these past approaches and to determine an optimalmore » path forward. The purpose of this report is to provide input for the DOE NNSA Office of International Nuclear Safeguards (NA-241) and other stakeholders that can be utilized when making decisions related to the development and maintenance of software used in the implementation of international nuclear safeguards. For example, this guidance can be used when determining whether to fund the development, upgrade, or replacement of a particular software product. The report identifies the challenges related to sustaining software, and makes recommendations for addressing these challenges, supported by summaries and detailed notes from the workshop discussions. In addition the authors provide a set of recommendations for institutionalizing software sustainability practices in the safeguards community. The term “software sustainability” was defined for this workshop as ensuring that safeguards instrument software and algorithm functionality can be maintained efficiently throughout the instrument lifecycle, without interruption and providing the ability to continue to improve that software as needs arise.« less

15 CFR Supplement No. 2 to Part 730 - Technical Advisory Committees

Code of Federal Regulations, 2011 CFR

2011-01-01

... (Continued) BUREAU OF INDUSTRY AND SECURITY, DEPARTMENT OF COMMERCE EXPORT ADMINISTRATION REGULATIONS GENERAL..., materials, or supplies, including technology, software, and other information, that are subject to export controls, or are being considered for such controls because of their significance to the national security...

Do You Lock Your Network Doors? Some Network Management Precautions.

ERIC Educational Resources Information Center

Neray, Phil

1997-01-01

Discusses security problems and solutions for networked organizations with Internet connections. Topics include access to private networks from electronic mail information; computer viruses; computer software; corporate espionage; firewalls, that is computers that stand between a local network and the Internet; passwords; and physical security.…

Protecting software agents from malicious hosts using quantum computing

NASA Astrophysics Data System (ADS)

Reisner, John; Donkor, Eric

2000-07-01

We evaluate how quantum computing can be applied to security problems for software agents. Agent-based computing, which merges technological advances in artificial intelligence and mobile computing, is a rapidly growing domain, especially in applications such as electronic commerce, network management, information retrieval, and mission planning. System security is one of the more eminent research areas in agent-based computing, and the specific problem of protecting a mobile agent from a potentially hostile host is one of the most difficult of these challenges. In this work, we describe our agent model, and discuss the capabilities and limitations of classical solutions to the malicious host problem. Quantum computing may be extremely helpful in addressing the limitations of classical solutions to this problem. This paper highlights some of the areas where quantum computing could be applied to agent security.

An adaptive cryptographic accelerator for network storage security on dynamically reconfigurable platform

NASA Astrophysics Data System (ADS)

Tang, Li; Liu, Jing-Ning; Feng, Dan; Tong, Wei

2008-12-01

Existing security solutions in network storage environment perform poorly because cryptographic operations (encryption and decryption) implemented in software can dramatically reduce system performance. In this paper we propose a cryptographic hardware accelerator on dynamically reconfigurable platform for the security of high performance network storage system. We employ a dynamic reconfigurable platform based on a FPGA to implement a PowerPCbased embedded system, which executes cryptographic algorithms. To reduce the reconfiguration latency, we apply prefetch scheduling. Moreover, the processing elements could be dynamically configured to support different cryptographic algorithms according to the request received by the accelerator. In the experiment, we have implemented AES (Rijndael) and 3DES cryptographic algorithms in the reconfigurable accelerator. Our proposed reconfigurable cryptographic accelerator could dramatically increase the performance comparing with the traditional software-based network storage systems.

Computer software tool REALM for sustainable water allocation and management.

PubMed

Perera, B J C; James, B; Kularathna, M D U

2005-12-01

REALM (REsource ALlocation Model) is a generalised computer simulation package that models harvesting and bulk distribution of water resources within a water supply system. It is a modeling tool, which can be applied to develop specific water allocation models. Like other water resource simulation software tools, REALM uses mass-balance accounting at nodes, while the movement of water within carriers is subject to capacity constraints. It uses a fast network linear programming algorithm to optimise the water allocation within the network during each simulation time step, in accordance with user-defined operating rules. This paper describes the main features of REALM and provides potential users with an appreciation of its capabilities. In particular, it describes two case studies covering major urban and rural water supply systems. These case studies illustrate REALM's capabilities in the use of stochastically generated data in water supply planning and management, modelling of environmental flows, and assessing security of supply issues.

Lawrence Livermore National Laboratory`s Computer Security Short Subjects Videos: Hidden Password, The Incident, Dangerous Games and The Mess; Computer Security Awareness Guide

DOE Office of Scientific and Technical Information (OSTI.GOV)

NONE

A video on computer security is described. Lonnie Moore, the Computer Security Manager, CSSM/CPPM at Lawrence Livermore National Laboratory (LLNL) and Gale Warshawsky, the Coordinator for Computer Security Education and Awareness at LLNL, wanted to share topics such as computer ethics, software piracy, privacy issues, and protecting information in a format that would capture and hold an audience`s attention. Four Computer Security Short Subject videos were produced which ranged from 1--3 minutes each. These videos are very effective education and awareness tools that can be used to generate discussions about computer security concerns and good computing practices.

MiMiR – an integrated platform for microarray data sharing, mining and analysis

PubMed Central

Tomlinson, Chris; Thimma, Manjula; Alexandrakis, Stelios; Castillo, Tito; Dennis, Jayne L; Brooks, Anthony; Bradley, Thomas; Turnbull, Carly; Blaveri, Ekaterini; Barton, Geraint; Chiba, Norie; Maratou, Klio; Soutter, Pat; Aitman, Tim; Game, Laurence

2008-01-01

Background Despite considerable efforts within the microarray community for standardising data format, content and description, microarray technologies present major challenges in managing, sharing, analysing and re-using the large amount of data generated locally or internationally. Additionally, it is recognised that inconsistent and low quality experimental annotation in public data repositories significantly compromises the re-use of microarray data for meta-analysis. MiMiR, the Microarray data Mining Resource was designed to tackle some of these limitations and challenges. Here we present new software components and enhancements to the original infrastructure that increase accessibility, utility and opportunities for large scale mining of experimental and clinical data. Results A user friendly Online Annotation Tool allows researchers to submit detailed experimental information via the web at the time of data generation rather than at the time of publication. This ensures the easy access and high accuracy of meta-data collected. Experiments are programmatically built in the MiMiR database from the submitted information and details are systematically curated and further annotated by a team of trained annotators using a new Curation and Annotation Tool. Clinical information can be annotated and coded with a clinical Data Mapping Tool within an appropriate ethical framework. Users can visualise experimental annotation, assess data quality, download and share data via a web-based experiment browser called MiMiR Online. All requests to access data in MiMiR are routed through a sophisticated middleware security layer thereby allowing secure data access and sharing amongst MiMiR registered users prior to publication. Data in MiMiR can be mined and analysed using the integrated EMAAS open source analysis web portal or via export of data and meta-data into Rosetta Resolver data analysis package. Conclusion The new MiMiR suite of software enables systematic and effective capture of extensive experimental and clinical information with the highest MIAME score, and secure data sharing prior to publication. MiMiR currently contains more than 150 experiments corresponding to over 3000 hybridisations and supports the Microarray Centre's large microarray user community and two international consortia. The MiMiR flexible and scalable hardware and software architecture enables secure warehousing of thousands of datasets, including clinical studies, from microarray and potentially other -omics technologies. PMID:18801157

MiMiR--an integrated platform for microarray data sharing, mining and analysis.

PubMed

Tomlinson, Chris; Thimma, Manjula; Alexandrakis, Stelios; Castillo, Tito; Dennis, Jayne L; Brooks, Anthony; Bradley, Thomas; Turnbull, Carly; Blaveri, Ekaterini; Barton, Geraint; Chiba, Norie; Maratou, Klio; Soutter, Pat; Aitman, Tim; Game, Laurence

2008-09-18

Despite considerable efforts within the microarray community for standardising data format, content and description, microarray technologies present major challenges in managing, sharing, analysing and re-using the large amount of data generated locally or internationally. Additionally, it is recognised that inconsistent and low quality experimental annotation in public data repositories significantly compromises the re-use of microarray data for meta-analysis. MiMiR, the Microarray data Mining Resource was designed to tackle some of these limitations and challenges. Here we present new software components and enhancements to the original infrastructure that increase accessibility, utility and opportunities for large scale mining of experimental and clinical data. A user friendly Online Annotation Tool allows researchers to submit detailed experimental information via the web at the time of data generation rather than at the time of publication. This ensures the easy access and high accuracy of meta-data collected. Experiments are programmatically built in the MiMiR database from the submitted information and details are systematically curated and further annotated by a team of trained annotators using a new Curation and Annotation Tool. Clinical information can be annotated and coded with a clinical Data Mapping Tool within an appropriate ethical framework. Users can visualise experimental annotation, assess data quality, download and share data via a web-based experiment browser called MiMiR Online. All requests to access data in MiMiR are routed through a sophisticated middleware security layer thereby allowing secure data access and sharing amongst MiMiR registered users prior to publication. Data in MiMiR can be mined and analysed using the integrated EMAAS open source analysis web portal or via export of data and meta-data into Rosetta Resolver data analysis package. The new MiMiR suite of software enables systematic and effective capture of extensive experimental and clinical information with the highest MIAME score, and secure data sharing prior to publication. MiMiR currently contains more than 150 experiments corresponding to over 3000 hybridisations and supports the Microarray Centre's large microarray user community and two international consortia. The MiMiR flexible and scalable hardware and software architecture enables secure warehousing of thousands of datasets, including clinical studies, from microarray and potentially other -omics technologies.

A Recommended Framework for the Network-Centric Acquisition Process

DTIC Science & Technology

2009-09-01

ISO /IEC 12207 , Systems and Software Engineering-Software Life-Cycle Processes  ANSI/EIA 632, Processes for Engineering a System. There are...engineering [46]. Some of the process models presented in the DAG are:  ISO /IEC 15288, Systems and Software Engineering-System Life-Cycle Processes...e.g., ISO , IA, Security, etc.). Vetting developers helps ensure that they are using industry best industry practices and maximize the IA compliance

Joint Logistics Commanders’ Biennial Software Workshop (4th) Orlando II: Solving the PDSS (Post Deployment Software Support) Challenge Held in Orlando, Florida on 27-29 January 87. Volume 2. Proceedings

DTIC Science & Technology

1987-06-01

described the state )f ruaturity of software engineering as being equivalent to the state of maturity of Civil Engineering before Pythagoras invented the...formal verification languages, theorem provers or secure configuration 0 management tools would have to be maintained and used in the PDSS Center to

Evolutionary Systems Design: Recognizing Changes in Security and Survivability Risks

DTIC Science & Technology

2006-09-01

Unlimited distribution subject to the copyright. Technical Note CMU/SEI-2006-TN-027 The Software Engineering Institute is a federally...CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF...created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software

Systems Engineering: From Dream to Reality

DTIC Science & Technology

2011-04-01

at the 23rd Systems and Software Technology Conference (SSTC), 16-19 May 2011, Salt Lake City, UT. Sponsored in part by the USAF. U.S. Government or...Simulation, and Enterprise Security. Prior to this, he was Senior Research Scientist and Principal Member of the Technical Staff at AEgis Technologies ...Software Professional Development Program at AFIT He was a consultant for . the Software Technology Support Center for six years. Dr. Cook has a

Strategic Mobility 21 Transition Plan: From Research Federation to Business Enterprise

DTIC Science & Technology

2010-12-31

Transportation Management System (GTMS), Service Oriented Architecture (SOA), Service -as-a- Software ( SaaS ), Joint Capability Technolgoy Demonstration...the Software -as-a- Service ( SaaS ) format, whereby users access the application with the appropriate Internet authorizations. Security is provided by...integrating best-of-breed dual-use systems deployed in the software as a service ( SaaS ) environment. It includes single sign-on capabilities and was

OpenCV and TYZX : video surveillance for tracking.

DOE Office of Scientific and Technical Information (OSTI.GOV)

He, Jim; Spencer, Andrew; Chu, Eric

2008-08-01

As part of the National Security Engineering Institute (NSEI) project, several sensors were developed in conjunction with an assessment algorithm. A camera system was developed in-house to track the locations of personnel within a secure room. In addition, a commercial, off-the-shelf (COTS) tracking system developed by TYZX was examined. TYZX is a Bay Area start-up that has developed its own tracking hardware and software which we use as COTS support for robust tracking. This report discusses the pros and cons of each camera system, how they work, a proposed data fusion method, and some visual results. Distributed, embedded image processingmore » solutions show the most promise in their ability to track multiple targets in complex environments and in real-time. Future work on the camera system may include three-dimensional volumetric tracking by using multiple simple cameras, Kalman or particle filtering, automated camera calibration and registration, and gesture or path recognition.« less

Securing Ground Data System Applications for Space Operations

NASA Technical Reports Server (NTRS)

Pajevski, Michael J.; Tso, Kam S.; Johnson, Bryan

2014-01-01

The increasing prevalence and sophistication of cyber attacks has prompted the Multimission Ground Systems and Services (MGSS) Program Office at Jet Propulsion Laboratory (JPL) to initiate the Common Access Manager (CAM) effort to protect software applications used in Ground Data Systems (GDSs) at JPL and other NASA Centers. The CAM software provides centralized services and software components used by GDS subsystems to meet access control requirements and ensure data integrity, confidentiality, and availability. In this paper we describe the CAM software; examples of its integration with spacecraft commanding software applications and an information management service; and measurements of its performance and reliability.

Structuring the Chief Information Security Officer Organization

DTIC Science & Technology

2015-09-07

GP9 Objectively Evaluate Adherence CERT-RMM HRM Human Resource Management CERT-RMM ID Identity Management CERT-RMM IMC Incident Management and...Detect, triage, analyze, respond to, and recover from suspicious events and security incidents Security incident management IMC IR IR-1, IR- 2, IR-3...2015-TN-007 | SOFTWARE ENGINEERING INSTITUTE | CARNEGIE MELLON UNIVERSITY 6 Table 2: Source Acronyms3 CERT-RMM NIST 800-53 C2M2 IMC Incident

CrossTalk: The Journal of Defense Software Engineering. Volume 19, Number 5

DTIC Science & Technology

2006-05-01

Coming Events Web Sites Call for Articles Visit CrossTalk at the SSTC BackTalk Transforming: Business , Security ,Warfighting CrossTalk 76 SMXG CO-SPONSOR...theme “Transforming: Business , Security , Warfighting.” Transformation is not just the current buzzword: Many industries and the military have...systems. Transforming: Business , Security ,Warfighting Characteristic edocfosenilnoillim001-01eziS Number of external interfaces 30-300 Number of

Security for safety critical space borne systems

NASA Technical Reports Server (NTRS)

Legrand, Sue

1987-01-01

The Space Station contains safety critical computer software components in systems that can affect life and vital property. These components require a multilevel secure system that provides dynamic access control of the data and processes involved. A study is under way to define requirements for a security model providing access control through level B3 of the Orange Book. The model will be prototyped at NASA-Johnson Space Center.

Security Requirements Management in Software Product Line Engineering

NASA Astrophysics Data System (ADS)

Mellado, Daniel; Fernández-Medina, Eduardo; Piattini, Mario

Security requirements engineering is both a central task and a critical success factor in product line development due to the complexity and extensive nature of product lines. However, most of the current product line practices in requirements engineering do not adequately address security requirements engineering. Therefore, in this chapter we will propose a security requirements engineering process (SREPPLine) driven by security standards and based on a security requirements decision model along with a security variability model to manage the variability of the artefacts related to security requirements. The aim of this approach is to deal with security requirements from the early stages of the product line development in a systematic way, in order to facilitate conformance with the most relevant security standards with regard to the management of security requirements, such as ISO/IEC 27001 and ISO/IEC 15408.

Security for decentralized health information systems.

PubMed

Bleumer, G

1994-02-01

Health care information systems must reflect at least two basic characteristics of the health care community: the increasing mobility of patients and the personal liability of everyone giving medical treatment. Open distributed information systems bear the potential to reflect these requirements. But the market for open information systems and operating systems hardly provides secure products today. This 'missing link' is approached by the prototype SECURE Talk that provides secure transmission and archiving of files on top of an existing operating system. Its services may be utilized by existing medical applications. SECURE Talk demonstrates secure communication utilizing only standard hardware. Its message is that cryptography (and in particular asymmetric cryptography) is practical for many medical applications even if implemented in software. All mechanisms are software implemented in order to be executable on standard-hardware. One can investigate more or less decentralized forms of public key management and the performance of many different cryptographic mechanisms. That of, e.g. hybrid encryption and decryption (RSA+DES-PCBC) is about 300 kbit/s. That of signing and verifying is approximately the same using RSA with a DES hash function. The internal speed, without disk accesses etc., is about 1.1 Mbit/s. (Apple Quadra 950 (MC 68040, 33 MHz, RAM: 20 MB, 80 ns. Length of RSA modulus is 512 bit).

Building a gateway with open source software for secure-DICOM communication over insecure networks

NASA Astrophysics Data System (ADS)

Emmel, Dirk; Ricke, Jens; Stohlmann, Lutz; Haderer, Alexander; Felix, Roland

2002-05-01

For Teleradiology the exchange of DICOM-images is needed for several purposes. Existing solutions often don't consider about the needs for data security and data privacy. Communication is done without any encryption over insecure networks or with encryption using proprietary solutions, which reduces the data communication possibilities to partners with the same equipment. Our goal was to build a gateway, which offers a transparent solution for secure DICOM-communication in a heterogeneous environment We developed a PC-based gateway system with DICOM-communication to the in-house network and secure DICOM communication for the communication over the insecure network. One gateway installed at each location is responsible for encryption/decryption. The sender just transfers the image data over the DICOM protocol to the local gateway. The gateway forwards the data to the gateway on the destination site using the secure DICOM protocol, which is part of the DICOM standard. The receiving gateway forwards the image data to the final destination again using the DICOM-Protocol. The gateway is based on Open Source software and runs under several operating systems. Our experience shows a reliable solution, which solves security issues for DICOM communication of image data and integrates seamless into a heterogeneous DICOM environment.

Discovering and Mitigating Software Vulnerabilities through Large-Scale Collaboration

ERIC Educational Resources Information Center

Zhao, Mingyi

2016-01-01

In today's rapidly digitizing society, people place their trust in a wide range of digital services and systems that deliver latest news, process financial transactions, store sensitive information, etc. However, this trust does not have a solid foundation, because software code that supports this digital world has security vulnerabilities. These…

Cyber Strategic Inquiry: Enabling Change through a Strategic Simulation and Megacommunity Concept

DTIC Science & Technology

2009-02-01

malicious software embedded in thumb drives and CDs that thwarted protections, such as antivirus software , on computers. In the scenario, these...Executives for National Security • The Carlyle Group • Cassat Corporation • Cisco Systems, Inc. • Cyveillance • General Dynamics • General Motors

77 FR 40863 - Privacy Act of 1974; System of Records

Federal Register 2010, 2011, 2012, 2013, 2014

2012-07-11

... DEPARTMENT OF DEFENSE Office of the Secretary [Docket ID: DOD-2012-OS-0085] Privacy Act of 1974... Register Liaison Officer, Department of Defense. QNRO-31 System name: Software Security Risk Evaluations... the Department of Defense; DoDD 5240.2, DoD Counterintelligence (CI); DoDI 5240.8, Security...

Computer Virus Bibliography, 1988-1989.

ERIC Educational Resources Information Center

Bologna, Jack, Comp.

This bibliography lists 14 books, 154 journal articles, 34 newspaper articles, and 3 research papers published during 1988-1989 on the subject of computer viruses, software protection and 'cures', virus hackers, and other related issues. Some of the sources listed include Computers and Security, Computer Security Digest, PC Week, Time, the New…

A Measured Approach to Microcomputer Lab Design.

ERIC Educational Resources Information Center

Duggan, Brian

1994-01-01

Explores design considerations for a functional microcomputer lab, including ergonomics and furnishings; access for the disabled; the use of other media; hardware security; and software security, including virus protection. A summary paragraph comments on the role of planning and forecasting. A bibliography of eight titles for further reading is…

Risk-Significant Adverse Condition Awareness Strengthens Assurance of Fault Management Systems

NASA Technical Reports Server (NTRS)

Fitz, Rhonda

2017-01-01

As spaceflight systems increase in complexity, Fault Management (FM) systems are ranked high in risk-based assessment of software criticality, emphasizing the importance of establishing highly competent domain expertise to provide assurance. Adverse conditions (ACs) and specific vulnerabilities encountered by safety- and mission-critical software systems have been identified through efforts to reduce the risk posture of software-intensive NASA missions. Acknowledgement of potential off-nominal conditions and analysis to determine software system resiliency are important aspects of hazard analysis and FM. A key component of assuring FM is an assessment of how well software addresses susceptibility to failure through consideration of ACs. Focus on significant risk predicted through experienced analysis conducted at the NASA Independent Verification & Validation (IV&V) Program enables the scoping of effective assurance strategies with regard to overall asset protection of complex spaceflight as well as ground systems. Research efforts sponsored by NASAs Office of Safety and Mission Assurance (OSMA) defined terminology, categorized data fields, and designed a baseline repository that centralizes and compiles a comprehensive listing of ACs and correlated data relevant across many NASA missions. This prototype tool helps projects improve analysis by tracking ACs and allowing queries based on project, mission type, domain/component, causal fault, and other key characteristics. Vulnerability in off-nominal situations, architectural design weaknesses, and unexpected or undesirable system behaviors in reaction to faults are curtailed with the awareness of ACs and risk-significant scenarios modeled for analysts through this database. Integration within the Enterprise Architecture at NASA IV&V enables interfacing with other tools and datasets, technical support, and accessibility across the Agency. This paper discusses the development of an improved workflow process utilizing this database for adaptive, risk-informed FM assurance that critical software systems will safely and securely protect against faults and respond to ACs in order to achieve successful missions.

Risk-Significant Adverse Condition Awareness Strengthens Assurance of Fault Management Systems

NASA Technical Reports Server (NTRS)

Fitz, Rhonda

2017-01-01

As spaceflight systems increase in complexity, Fault Management (FM) systems are ranked high in risk-based assessment of software criticality, emphasizing the importance of establishing highly competent domain expertise to provide assurance. Adverse conditions (ACs) and specific vulnerabilities encountered by safety- and mission-critical software systems have been identified through efforts to reduce the risk posture of software-intensive NASA missions. Acknowledgement of potential off-nominal conditions and analysis to determine software system resiliency are important aspects of hazard analysis and FM. A key component of assuring FM is an assessment of how well software addresses susceptibility to failure through consideration of ACs. Focus on significant risk predicted through experienced analysis conducted at the NASA Independent Verification Validation (IVV) Program enables the scoping of effective assurance strategies with regard to overall asset protection of complex spaceflight as well as ground systems. Research efforts sponsored by NASA's Office of Safety and Mission Assurance defined terminology, categorized data fields, and designed a baseline repository that centralizes and compiles a comprehensive listing of ACs and correlated data relevant across many NASA missions. This prototype tool helps projects improve analysis by tracking ACs and allowing queries based on project, mission type, domaincomponent, causal fault, and other key characteristics. Vulnerability in off-nominal situations, architectural design weaknesses, and unexpected or undesirable system behaviors in reaction to faults are curtailed with the awareness of ACs and risk-significant scenarios modeled for analysts through this database. Integration within the Enterprise Architecture at NASA IVV enables interfacing with other tools and datasets, technical support, and accessibility across the Agency. This paper discusses the development of an improved workflow process utilizing this database for adaptive, risk-informed FM assurance that critical software systems will safely and securely protect against faults and respond to ACs in order to achieve successful missions.

DOE Office of Scientific and Technical Information (OSTI.GOV)

Chen, K.; Tsai, H.; Liu, Y. Y.

Radio frequency identification (RFID) is one of today's most rapidly growing technologies in the automatic data collection industry. Although commercial applications are already widespread, the use of this technology for managing nuclear materials is only in its infancy. Employing an RFID system has the potential to offer an immense payback: enhanced safety and security, reduced need for manned surveillance, real-time access to status and event history data, and overall cost-effectiveness. The Packaging Certification Program (PCP) in the U.S. Department of Energy's (DOE's) Office of Environmental Management (EM), Office of Packaging and Transportation (EM-63), is developing an RFID system for nuclearmore » materials management. The system consists of battery-powered RFID tags with onboard sensors and memories, a reader network, application software, a database server and web pages. The tags monitor and record critical parameters, including the status of seals, movement of objects, and environmental conditions of the nuclear material packages in real time. They also provide instant warnings or alarms when preset thresholds for the sensors are exceeded. The information collected by the readers is transmitted to a dedicated central database server that can be accessed by authorized users across the DOE complex via a secured network. The onboard memory of the tags allows the materials manifest and event history data to reside with the packages throughout their life cycles in storage, transportation, and disposal. Data security is currently based on Advanced Encryption Standard-256. The software provides easy-to-use graphical interfaces that allow access to all vital information once the security and privilege requirements are met. An innovative scheme has been developed for managing batteries in service for more than 10 years without needing to be changed. A miniature onboard dosimeter is being developed for applications that require radiation surveillance. A field demonstration of the RFID system was recently conducted to assess its performance. The preliminary results of the demonstration are reported in this paper.« less

The myth of secure computing.

PubMed

Austin, Robert D; Darby, Christopher A

2003-06-01

Few senior executives pay a whole lot of attention to computer security. They either hand off responsibility to their technical people or bring in consultants. But given the stakes involved, an arm's-length approach is extremely unwise. According to industry estimates, security breaches affect 90% of all businesses every year and cost some $17 billion. Fortunately, the authors say, senior executives don't need to learn about the more arcane aspects of their company's IT systems in order to take a hands-on approach. Instead, they should focus on the familiar task of managing risk. Their role should be to assess the business value of their information assets, determine the likelihood that those assets will be compromised, and then tailor a set of risk abatement processes to their company's particular vulnerabilities. This approach, which views computer security as an operational rather than a technical challenge, is akin to a classic quality assurance program in that it attempts to avoid problems rather than fix them and involves all employees, not just IT staffers. The goal is not to make computer systems completely secure--that's impossible--but to reduce the business risk to an acceptable level. This article looks at the types of threats a company is apt to face. It also examines the processes a general manager should spearhead to lessen the likelihood of a successful attack. The authors recommend eight processes in all, ranging from deciding how much protection each digital asset deserves to insisting on secure software to rehearsing a response to a security breach. The important thing to realize, they emphasize, is that decisions about digital security are not much different from other cost-benefit decisions. The tools general managers bring to bear on other areas of the business are good models for what they need to do in this technical space.

Behavioral biometrics for verification and recognition of malicious software agents

NASA Astrophysics Data System (ADS)

Yampolskiy, Roman V.; Govindaraju, Venu

2008-04-01

Homeland security requires technologies capable of positive and reliable identification of humans for law enforcement, government, and commercial applications. As artificially intelligent agents improve in their abilities and become a part of our everyday life, the possibility of using such programs for undermining homeland security increases. Virtual assistants, shopping bots, and game playing programs are used daily by millions of people. We propose applying statistical behavior modeling techniques developed by us for recognition of humans to the identification and verification of intelligent and potentially malicious software agents. Our experimental results demonstrate feasibility of such methods for both artificial agent verification and even for recognition purposes.

New developments in technology-assisted supervision and training: a practical overview.

PubMed

Rousmaniere, Tony; Abbass, Allan; Frederickson, Jon

2014-11-01

Clinical supervision and training are now widely available online. In this article, three of the most accessible and widely adopted new developments in clinical supervision and training technology are described: Videoconference supervision, cloud-based file sharing software, and clinical outcome tracking software. Partial transcripts from two online supervision sessions are provided as examples of videoconference-based supervision. The benefits and limitations of technology in supervision and training are discussed, with an emphasis on supervision process, ethics, privacy, and security. Recommendations for supervision practice are made, including methods to enhance experiential learning, the supervisory working alliance, and online security. © 2014 Wiley Periodicals, Inc.

Integrating Top-down and Bottom-up Cybersecurity Guidance using XML

PubMed Central

Lubell, Joshua

2016-01-01

This paper describes a markup-based approach for synthesizing disparate information sources and discusses a software implementation of the approach. The implementation makes it easier for people to use two complementary, but differently structured, guidance specifications together: the (top-down) Cybersecurity Framework and the (bottom-up) National Institute of Standards and Technology Special Publication 800-53 security control catalog. An example scenario demonstrates how the software implementation can help a security professional select the appropriate safeguards for restricting unauthorized access to an Industrial Control System. The implementation and example show the benefits of this approach and suggest its potential application to disciplines other than cybersecurity. PMID:27795810

A resilient and secure software platform and architecture for distributed spacecraft

NASA Astrophysics Data System (ADS)

Otte, William R.; Dubey, Abhishek; Karsai, Gabor

2014-06-01

A distributed spacecraft is a cluster of independent satellite modules flying in formation that communicate via ad-hoc wireless networks. This system in space is a cloud platform that facilitates sharing sensors and other computing and communication resources across multiple applications, potentially developed and maintained by different organizations. Effectively, such architecture can realize the functions of monolithic satellites at a reduced cost and with improved adaptivity and robustness. Openness of these architectures pose special challenges because the distributed software platform has to support applications from different security domains and organizations, and where information flows have to be carefully managed and compartmentalized. If the platform is used as a robust shared resource its management, configuration, and resilience becomes a challenge in itself. We have designed and prototyped a distributed software platform for such architectures. The core element of the platform is a new operating system whose services were designed to restrict access to the network and the file system, and to enforce resource management constraints for all non-privileged processes Mixed-criticality applications operating at different security labels are deployed and controlled by a privileged management process that is also pre-configuring all information flows. This paper describes the design and objective of this layer.

Quality control, analysis and secure sharing of Luminex® immunoassay data using the open source LabKey Server platform

PubMed Central

2013-01-01

Background Immunoassays that employ multiplexed bead arrays produce high information content per sample. Such assays are now frequently used to evaluate humoral responses in clinical trials. Integrated software is needed for the analysis, quality control, and secure sharing of the high volume of data produced by such multiplexed assays. Software that facilitates data exchange and provides flexibility to perform customized analyses (including multiple curve fits and visualizations of assay performance over time) could increase scientists’ capacity to use these immunoassays to evaluate human clinical trials. Results The HIV Vaccine Trials Network and the Statistical Center for HIV/AIDS Research and Prevention collaborated with LabKey Software to enhance the open source LabKey Server platform to facilitate workflows for multiplexed bead assays. This system now supports the management, analysis, quality control, and secure sharing of data from multiplexed immunoassays that leverage Luminex xMAP® technology. These assays may be custom or kit-based. Newly added features enable labs to: (i) import run data from spreadsheets output by Bio-Plex Manager™ software; (ii) customize data processing, curve fits, and algorithms through scripts written in common languages, such as R; (iii) select script-defined calculation options through a graphical user interface; (iv) collect custom metadata for each titration, analyte, run and batch of runs; (v) calculate dose–response curves for titrations; (vi) interpolate unknown concentrations from curves for titrated standards; (vii) flag run data for exclusion from analysis; (viii) track quality control metrics across runs using Levey-Jennings plots; and (ix) automatically flag outliers based on expected values. Existing system features allow researchers to analyze, integrate, visualize, export and securely share their data, as well as to construct custom user interfaces and workflows. Conclusions Unlike other tools tailored for Luminex immunoassays, LabKey Server allows labs to customize their Luminex analyses using scripting while still presenting users with a single, graphical interface for processing and analyzing data. The LabKey Server system also stands out among Luminex tools for enabling smooth, secure transfer of data, quality control information, and analyses between collaborators. LabKey Server and its Luminex features are freely available as open source software at http://www.labkey.com under the Apache 2.0 license. PMID:23631706

Quality control, analysis and secure sharing of Luminex® immunoassay data using the open source LabKey Server platform.

PubMed

Eckels, Josh; Nathe, Cory; Nelson, Elizabeth K; Shoemaker, Sara G; Nostrand, Elizabeth Van; Yates, Nicole L; Ashley, Vicki C; Harris, Linda J; Bollenbeck, Mark; Fong, Youyi; Tomaras, Georgia D; Piehler, Britt

2013-04-30

Immunoassays that employ multiplexed bead arrays produce high information content per sample. Such assays are now frequently used to evaluate humoral responses in clinical trials. Integrated software is needed for the analysis, quality control, and secure sharing of the high volume of data produced by such multiplexed assays. Software that facilitates data exchange and provides flexibility to perform customized analyses (including multiple curve fits and visualizations of assay performance over time) could increase scientists' capacity to use these immunoassays to evaluate human clinical trials. The HIV Vaccine Trials Network and the Statistical Center for HIV/AIDS Research and Prevention collaborated with LabKey Software to enhance the open source LabKey Server platform to facilitate workflows for multiplexed bead assays. This system now supports the management, analysis, quality control, and secure sharing of data from multiplexed immunoassays that leverage Luminex xMAP® technology. These assays may be custom or kit-based. Newly added features enable labs to: (i) import run data from spreadsheets output by Bio-Plex Manager™ software; (ii) customize data processing, curve fits, and algorithms through scripts written in common languages, such as R; (iii) select script-defined calculation options through a graphical user interface; (iv) collect custom metadata for each titration, analyte, run and batch of runs; (v) calculate dose-response curves for titrations; (vi) interpolate unknown concentrations from curves for titrated standards; (vii) flag run data for exclusion from analysis; (viii) track quality control metrics across runs using Levey-Jennings plots; and (ix) automatically flag outliers based on expected values. Existing system features allow researchers to analyze, integrate, visualize, export and securely share their data, as well as to construct custom user interfaces and workflows. Unlike other tools tailored for Luminex immunoassays, LabKey Server allows labs to customize their Luminex analyses using scripting while still presenting users with a single, graphical interface for processing and analyzing data. The LabKey Server system also stands out among Luminex tools for enabling smooth, secure transfer of data, quality control information, and analyses between collaborators. LabKey Server and its Luminex features are freely available as open source software at http://www.labkey.com under the Apache 2.0 license.

Advanced fingerprint verification software

NASA Astrophysics Data System (ADS)

Baradarani, A.; Taylor, J. R. B.; Severin, F.; Maev, R. Gr.

2016-05-01

We have developed a fingerprint software package that can be used in a wide range of applications from law enforcement to public and private security systems, and to personal devices such as laptops, vehicles, and door- locks. The software and processing units are a unique implementation of new and sophisticated algorithms that compete with the current best systems in the world. Development of the software package has been in line with the third generation of our ultrasonic fingerprinting machine1. Solid and robust performance is achieved in the presence of misplaced and low quality fingerprints.

Addressing Challenges in the Acquisition of Secure Software Systems With Open Architectures

DTIC Science & Technology

2012-04-30

as a “broker” to market specific research topics identified by our sponsors to NPS graduate students. This three-pronged approach provides for a...breaks, and the day-ending socials. Many of our researchers use these occasions to establish new teaming arrangements for future research work. In the...software (CSS) and open source software (OSS). Federal government acquisition policy, as well as many leading enterprise IT centers, now encourage the use

Commonality and Variability Analysis for Xenon Family of Separation Virtual Machine Monitors (CVAX)

DTIC Science & Technology

2017-07-18

technical approach is a systematic application of Software Product Line Engineering (SPLE). A systematic application requires describing the family and... engineering Software family September 2016 – October 2016 OSD/OUSD/ATL/ASD(R&E)/RDOffice of Information Systems & Cyber Security RD / ASD(R&E) / AT&L...by the evolving open-source Xen hypervisor. The technical approach is a systematic application of Software Product Line Engineering (SPLE). A

CrossTalk: The Journal of Defense Software Engineering. Volume 21, Number 9

DTIC Science & Technology

2008-09-01

including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson...SEP 2008 2. REPORT TYPE 3. DATES COVERED 00-00-2008 to 00-00-2008 4. TITLE AND SUBTITLE CrossTalk: The Journal of Defense Software Engineering...The Journal of Defense Software Engineering September 2008 4 10 15 19 24 26 Securing Legacy C Applications Using Dynamic Data Flow Analysis This

Operationalizing Cyberspace for Today’s Combat Air Force

DTIC Science & Technology

2010-04-01

rootkit techniques to run inside common Windows services (sometimes bundled with fake antivirus software ) or in Windows safe mode, and it can hide...has shifted to downloading other malware, with its main focus on fake alerts and rogue antivirus software . 5. TR/Dldr.Agent.JKH - Compromised U.S...patch, software update, or security breech away from failure. In short, what works AU/ACSC/SIMMONS/AY10 5 today, may not work tomorrow; this fact

CyberTerrorism: Cyber Prevention vs Cyber Recovery

DTIC Science & Technology

2007-12-01

appropriate available security measures (i.e. appropriate level of spy ware, IDS, and antivirus protection software installed) are unaffected by worm attacks...a worm is a form of a virus designed to copy itself by utilizing e-mail or other software applications. The main goal of using this technique is...to permeate the network or portions of the Internet with malicious code that will affect the performance of certain software applications or will

State of the Practice of Intrusion Detection Technologies

DTIC Science & Technology

2000-01-01

security incident response teams ) - the role of IDS in threat management, such as defining alarm severity, monitoring, alerting, and policy-based...attacks in an effort to sneak under the radar of security specialists and intrusion detection software, a U.S. Navy network security team said today...to get the smoking gun," said Stephen Northcutt, head of the Shadow intrusion detection team at the Naval Surface Warfare Center. "To know what’s

An Examination of an Information Security Framework Implementation Based on Agile Values to Achieve Health Insurance Portability and Accountability Act Security Rule Compliance in an Academic Medical Center: The Thomas Jefferson University Case Study

ERIC Educational Resources Information Center

Reis, David W.

2012-01-01

Agile project management is most often examined in relation to software development, while information security frameworks are often examined with respect to certain risk management capabilities rather than in terms of successful implementation approaches. This dissertation extended the study of both Agile project management and information…

Evaluation of the Efficiency of Liquid Cooling Garments using a Thermal Manikin

DTIC Science & Technology

2005-05-01

temperatures. The software also calculates thermal resistances and evaporative resistances. TM tests were run dry (i.e. no sweating ) and wet (i.e...REPORT DOCUMENTATION PAGE Form ApprovedOMB No . 0704-0188 SECURITY CLASSIFICATION OF REPORT SECURITY CLASSIFICATION OF THIS PAGE SECURITY CLASSIFICATION...OF ABSTRACT 8. M05-17 1. AGENCY USE ONLY (Leave blank) 4. TITLE AND SUBTITLE EVALUATION OF THE EFFICIENCY OF LIQUID COOLING GARMENTS USING A THERMAL

Secure Multiparty AES

NASA Astrophysics Data System (ADS)

Damgård, Ivan; Keller, Marcel

We propose several variants of a secure multiparty computation protocol for AES encryption. The best variant requires 2200 + {{400}over{255}} expected elementary operations in expected 70 + {{20}over{255}} rounds to encrypt one 128-bit block with a 128-bit key. We implemented the variants using VIFF, a software framework for implementing secure multiparty computation (MPC). Tests with three players (passive security against at most one corrupted player) in a local network showed that one block can be encrypted in 2 seconds. We also argue that this result could be improved by an optimized implementation.

Reducing software security risk through an integrated approach

NASA Technical Reports Server (NTRS)

Gilliam, D.; Powell, J.; Kelly, J.; Bishop, M.

2001-01-01

The fourth quarter delivery, FY'01 for this RTOP is a Property-Based Testing (PBT), 'Tester's Assistant' (TA). The TA tool is to be used to check compiled and pre-compiled code for potential security weaknesses that could be exploited by hackers. The TA Instrumenter, implemented mostly in C++ (with a small part in Java), parsels two types of files: Java and TASPEC. Security properties to be checked are written in TASPEC. The Instrumenter is used in conjunction with the Tester's Assistant Specification (TASpec)execution monitor to verify the security properties of a given program.

Design and Implementation of a Secure Modbus Protocol

NASA Astrophysics Data System (ADS)

Fovino, Igor Nai; Carcano, Andrea; Masera, Marcelo; Trombetta, Alberto

The interconnectivity of modern and legacy supervisory control and data acquisition (SCADA) systems with corporate networks and the Internet has significantly increased the threats to critical infrastructure assets. Meanwhile, traditional IT security solutions such as firewalls, intrusion detection systems and antivirus software are relatively ineffective against attacks that specifically target vulnerabilities in SCADA protocols. This paper describes a secure version of the Modbus SCADA protocol that incorporates integrity, authentication, non-repudiation and anti-replay mechanisms. Experimental results using a power plant testbed indicate that the augmented protocol provides good security functionality without significant overhead.

A Secure Architecture to Provide a Medical Emergency Dataset for Patients in Germany and Abroad.

PubMed

Storck, Michael; Wohlmann, Jan; Krudwig, Sarah; Vogel, Alexander; Born, Judith; Weber, Thomas; Dugas, Martin; Juhra, Christian

2017-01-01

The ongoing fragmentation of medical care and mobility of patients severely restrains exchange of lifesaving information about patient's medical history in case of emergencies. Therefore, the objective of this work is to offer a secure technical solution to supply medical professionals with emergency-relevant information concerning the current patient via mobile accessibility. To achieve this goal, the official national emergency data set was extended by additional features to form a patient summary for emergencies, a software architecture was developed and data security and data protection issues were taken into account. The patient has sovereignty over his/her data and can therefore decide who has access to or can change his/her stored data, but the treating physician composes the validated dataset. Building upon the introduced concept, future activities are the development of user-interfaces for the software components of the different user groups as well as functioning prototypes for upcoming field tests.

Software assurance standard

NASA Technical Reports Server (NTRS)

1992-01-01

This standard specifies the software assurance program for the provider of software. It also delineates the assurance activities for the provider and the assurance data that are to be furnished by the provider to the acquirer. In any software development effort, the provider is the entity or individual that actually designs, develops, and implements the software product, while the acquirer is the entity or individual who specifies the requirements and accepts the resulting products. This standard specifies at a high level an overall software assurance program for software developed for and by NASA. Assurance includes the disciplines of quality assurance, quality engineering, verification and validation, nonconformance reporting and corrective action, safety assurance, and security assurance. The application of these disciplines during a software development life cycle is called software assurance. Subsequent lower-level standards will specify the specific processes within these disciplines.

Selecting, Evaluating and Creating Policies for Computer-Based Resources in the Behavioral Sciences and Education.

ERIC Educational Resources Information Center

Richardson, Linda B., Comp.; And Others

This collection includes four handouts: (1) "Selection Critria Considerations for Computer-Based Resources" (Linda B. Richardson); (2) "Software Collection Policies in Academic Libraries" (a 24-item bibliography, Jane W. Johnson); (3) "Circulation and Security of Software" (a 19-item bibliography, Sara Elizabeth Williams); and (4) "Bibliography of…

A Risk-based, Practice-centered Approach to Project Management for HPCMP CREATE

DTIC Science & Technology

2015-10-05

form of videoconferencing. These impediments have been mitigated to some extent by using browser-based Software as a Service ( SaaS ) access to CREATE...one-time password (OTP), and OpenID. Security is managed within the DREN, as opposed to every desktop. As a “Software as a Service” ( SaaS

Evaluation of a proximity card authentication system for health care settings.

PubMed

Fontaine, Jacqueline; Zheng, Kai; Van De Ven, Cosmas; Li, Huiyang; Hiner, James; Mitchell, Kathy; Gendler, Stephen; Hanauer, David A

2016-08-01

Multiple users access computer workstations in busy clinical settings, requiring many logins throughout the day as users switch from one computer to another. This can lead to workflow inefficiencies as well as security concerns resulting from users sharing login sessions to save time. Proximity cards and readers have the potential to improve efficiency and security by allowing users to access clinical workstations simply by bringing the card near the reader, without the need for manual entry of a username and password. To assess the perceived impact of proximity cards and readers for rapid user authentication to clinical workstations in the setting of an existing electronic health record with single sign-on software already installed. Questionnaires were administered to clinical faculty and staff five months before and three months after the installation of proximity card readers in an inpatient birthing center and an outpatient obstetrics clinic. Open-ended feedback was also collected and qualitatively analyzed. There were 71 and 33 responses to the pre- and post-implementation surveys, respectively. There was a significant increase in the perceived speed of login with the proximity cards, and a significant decrease in the self-reported occurrence of shared login sessions between users. Feedback regarding the system was mostly positive, although several caveats were noted, including minimal benefit when used with an obstetric application that did not support single sign-on. Proximity cards and readers, along with single sign-on software, have the potential to enhance workflow efficiency by allowing for faster login times and diminish security concerns by reducing shared logins on clinical workstations. The positive feedback was used by our health system leadership to support the expanded implementation of the proximity card readers throughout the clinical setting. Copyright © 2016 Elsevier Ireland Ltd. All rights reserved.

Scalable and Precise Abstraction of Programs for Trustworthy Software

DTIC Science & Technology

2017-01-01

calculus for core Java. • 14 months: A systematic abstraction of core Java. • 18 months: A security auditor for core Java. • 24 months: A contract... auditor for full Java. • 42 months: A web-deployed service for security auditing. Approved for Public Release; Distribution Unlimited 4 4.0 RESULTS

Cybersecurity Education: Bridging the Gap between Hardware and Software Domains

ERIC Educational Resources Information Center

Lukowiak, Marcin; Radziszowski, Stanislaw; Vallino, James; Wood, Christopher

2014-01-01

With the continuous growth of cyberinfrastructure throughout modern society, the need for secure computing and communication is more important than ever before. As a result, there is also an increasing need for entry-level developers who are capable of designing and building practical solutions for systems with stringent security requirements.…

A New Look at Security Education: YouTube as YouTool

ERIC Educational Resources Information Center

Werner, Laurie A.; Frank, Charles E.

2010-01-01

Teaching a computer security course which includes network administration and protection software is especially challenging because textbook tools are out of date by the time the text is published. In an effort to use lab activities that work effectively, we turned to the internet. This paper describes several resources for teaching computer…

Safeguarding Your Technology: Practical Guidelines for Electronic Education Information Security.

ERIC Educational Resources Information Center

Szuba, Tom

This guide was developed specifically for educational administrators at the building, campus, district, system, and state levels, and is meant to serve as a framework to help them better understand why and how to effectively secure their organization's information, software, and computer and networking equipment. This document is organized into 10…

Practical Pocket PC Application w/Biometric Security

NASA Technical Reports Server (NTRS)

Logan, Julian

2004-01-01

I work in the Flight Software Engineering Branch, where we provide design and development of embedded real-time software applications for flight and supporting ground systems to support the NASA Aeronautics and Space Programs. In addition, this branch evaluates, develops and implements new technologies for embedded real-time systems, and maintains a laboratory for applications of embedded technology. The majority of microchips that are used in modern society have been programmed using embedded technology. These small chips can be found in microwaves, calculators, home security systems, cell phones and more. My assignment this summer entails working with an iPAQ HP 5500 Pocket PC. This top-of-the-line hand-held device is one of the first mobile PC's to introduce biometric security capabilities. Biometric security, in this case a fingerprint authentication system, is on the edge of technology as far as securing information. The benefits of fingerprint authentication are enormous. The most significant of them are that it is extremely difficult to reproduce someone else's fingerprint, and it is equally difficult to lose or forget your own fingerprint as opposed to a password or pin number. One of my goals for this summer is to integrate this technology with another Pocket PC application. The second task for the summer is to develop a simple application that provides an Astronaut EVA (Extravehicular Activity) Log Book capability. The Astronaut EVA Log Book is what an astronaut would use to report the status of field missions, crew physical health, successes, future plans, etc. My goal is to develop a user interface into which these data fields can be entered and stored. The applications that I am developing are created using eMbedded Visual C++ 4.0 with the Pocket PC 2003 Software Development Kit provided by Microsoft.

Outsourcing Security Services for Low Performance Portable Devices

NASA Astrophysics Data System (ADS)

Szentgyörgyi, Attila; Korn, András

The number of portable devices using wireless network technologies is on the rise. Some of these devices are incapable of, or at a disadvantage at using secure Internet services, because secure communication often requires comparatively high computing capacity. In this paper, we propose a solution which can be used to offer secure network services for low performance portable devices without severely degrading data transmission rates. We also show that using our approach these devices can utilize some secure network services which were so far unavailable to them due to a lack of software support. In order to back up our claims, we present performance measurement results obtained in a test network.

Software To Secure Distributed Propulsion Simulations

NASA Technical Reports Server (NTRS)

Blaser, Tammy M.

2003-01-01

Distributed-object computing systems are presented with many security threats, including network eavesdropping, message tampering, and communications middleware masquerading. NASA Glenn Research Center, and its industry partners, has taken an active role in mitigating the security threats associated with developing and operating their proprietary aerospace propulsion simulations. In particular, they are developing a collaborative Common Object Request Broker Architecture (CORBA) Security (CORBASec) test bed to secure their distributed aerospace propulsion simulations. Glenn has been working with its aerospace propulsion industry partners to deploy the Numerical Propulsion System Simulation (NPSS) object-based technology. NPSS is a program focused on reducing the cost and time in developing aerospace propulsion engines

Using OpenSSH to secure mobile LAN network traffic

NASA Astrophysics Data System (ADS)

Luu, Brian B.; Gopaul, Richard D.

2002-08-01

Mobile Internet Protocol (IP) Local Area Network (LAN) is a technique, developed by the U.S. Army Research Laboratory, which allows a LAN to be IP mobile when attaching to a foreign IP-based network and using this network as a means to retain connectivity to its home network. In this paper, we describe a technique that uses Open Secure Shell (OpenSSH) software to ensure secure, encrypted transmission of a mobile LAN's network traffic. Whenever a mobile LAN, implemented with Mobile IP LAN, moves to a foreign network, its gateway (router) obtains an IP address from the new network. IP tunnels, using IP encapsulation, are then established from the gateway through the foreign network to a home agent on its home network. These tunnels provide a virtual two-way connection to the home network for the mobile LAN as if the LAN were connected directly to its home network. Hence, when IP mobile, a mobile LAN's tunneled network traffic must traverse one or more foreign networks that may not be trusted. This traffic could be subject to eavesdropping, interception, modification, or redirection by malicious nodes in these foreign networks. To protect network traffic passing through the tunnels, OpenSSH is used as a means of encryption because it prevents surveillance, modification, and redirection of mobile LAN traffic passing across foreign networks. Since the software is found in the public domain, is available for most current operating systems, and is commonly used to provide secure network communications, OpenSSH is the software of choice.

Final Technical Report. Project Boeing SGS

DOE Office of Scientific and Technical Information (OSTI.GOV)

Bell, Thomas E.

Boeing and its partner, PJM Interconnection, teamed to bring advanced “defense-grade” technologies for cyber security to the US regional power grid through demonstration in PJM’s energy management environment. Under this cooperative project with the Department of Energy, Boeing and PJM have developed and demonstrated a host of technologies specifically tailored to the needs of PJM and the electric sector as a whole. The team has demonstrated to the energy industry a combination of processes, techniques and technologies that have been successfully implemented in the commercial, defense, and intelligence communities to identify, mitigate and continuously monitor the cyber security of criticalmore » systems. Guided by the results of a Cyber Security Risk-Based Assessment completed in Phase I, the Boeing-PJM team has completed multiple iterations through the Phase II Development and Phase III Deployment phases. Multiple cyber security solutions have been completed across a variety of controls including: Application Security, Enhanced Malware Detection, Security Incident and Event Management (SIEM) Optimization, Continuous Vulnerability Monitoring, SCADA Monitoring/Intrusion Detection, Operational Resiliency, Cyber Range simulations and hands on cyber security personnel training. All of the developed and demonstrated solutions are suitable for replication across the electric sector and/or the energy sector as a whole. Benefits identified include; Improved malware and intrusion detection capability on critical SCADA networks including behavioral-based alerts resulting in improved zero-day threat protection; Improved Security Incident and Event Management system resulting in better threat visibility, thus increasing the likelihood of detecting a serious event; Improved malware detection and zero-day threat response capability; Improved ability to systematically evaluate and secure in house and vendor sourced software applications; Improved ability to continuously monitor and maintain secure configuration of network devices resulting in reduced vulnerabilities for potential exploitation; Improved overall cyber security situational awareness through the integration of multiple discrete security technologies into a single cyber security reporting console; Improved ability to maintain the resiliency of critical systems in the face of a targeted cyber attack of other significant event; Improved ability to model complex networks for penetration testing and advanced training of cyber security personnel« less

MediaTracker system

DOE Office of Scientific and Technical Information (OSTI.GOV)

Sandoval, D. M.; Strittmatter, R. B.; Abeyta, J. D.

2004-01-01

The initial objectives of this effort were to provide a hardware and software platform that can address the requirements for the accountability of classified removable electronic media and vault access logging. The Media Tracker system software assists classified media custodian in managing vault access logging and Media Tracking to prevent the inadvertent violation of rules or policies for the access to a restricted area and the movement and use of tracked items. The MediaTracker system includes the software tools to track and account for high consequence security assets and high value items. The overall benefits include: (1) real-time access tomore » the disposition of all Classified Removable Electronic Media (CREM), (2) streamlined security procedures and requirements, (3) removal of ambiguity and managerial inconsistencies, (4) prevention of incidents that can and should be prevented, (5) alignment with the DOE's initiative to achieve improvements in security and facility operations through technology deployment, and (6) enhanced individual responsibility by providing a consistent method of dealing with daily responsibilities. In response to initiatives to enhance the control of classified removable electronic media (CREM), the Media Tracker software suite was developed, piloted and implemented at the Los Alamos National Laboratory beginning in July 2000. The Media Tracker software suite assists in the accountability and tracking of CREM and other high-value assets. One component of the MediaTracker software suite provides a Laboratory-approved media tracking system. Using commercial touch screen and bar code technology, the MediaTracker (MT) component of the MediaTracker software suite provides an efficient and effective means to meet current Laboratory requirements and provides new-engineered controls to help assure compliance with those requirements. It also establishes a computer infrastructure at vault entrances for vault access logging, and can accommodate several methods of positive identification including smart cards and biometrics. Currently, we have three mechanisms that provide added security for accountability and tracking purposes. One mechanism consists of a portable, hand-held inventory scanner, which allows the custodian to physically track the items that are not accessible within a particular area. The second mechanism is a radio frequency identification (RFID) consisting of a monitoring portal, which tracks and logs in a database all activity tagged of items that pass through the portals. The third mechanism consists of an electronic tagging of a flash memory device for automated inventory of CREM in storage. By modifying this USB device the user is provided with added assurance, limiting the data from being obtained from any other computer.« less

NASA's Approach to Software Assurance

NASA Technical Reports Server (NTRS)

Wetherholt, Martha

2015-01-01

NASA defines software assurance as: the planned and systematic set of activities that ensure conformance of software life cycle processes and products to requirements, standards, and procedures via quality, safety, reliability, and independent verification and validation. NASA's implementation of this approach to the quality, safety, reliability, security and verification and validation of software is brought together in one discipline, software assurance. Organizationally, NASA has software assurance at each NASA center, a Software Assurance Manager at NASA Headquarters, a Software Assurance Technical Fellow (currently the same person as the SA Manager), and an Independent Verification and Validation Organization with its own facility. An umbrella risk mitigation strategy for safety and mission success assurance of NASA's software, software assurance covers a wide area and is better structured to address the dynamic changes in how software is developed, used, and managed, as well as it's increasingly complex functionality. Being flexible, risk based, and prepared for challenges in software at NASA is essential, especially as much of our software is unique for each mission.

Natural language processing-based COTS software and related technologies survey.

DOE Office of Scientific and Technical Information (OSTI.GOV)

Stickland, Michael G.; Conrad, Gregory N.; Eaton, Shelley M.

Natural language processing-based knowledge management software, traditionally developed for security organizations, is now becoming commercially available. An informal survey was conducted to discover and examine current NLP and related technologies and potential applications for information retrieval, information extraction, summarization, categorization, terminology management, link analysis, and visualization for possible implementation at Sandia National Laboratories. This report documents our current understanding of the technologies, lists software vendors and their products, and identifies potential applications of these technologies.

Air Force and the Cyberspace Mission: Defending the Air Force’s Computer Network in the Future

DTIC Science & Technology

2007-12-01

computers, their operating systems and software purchased by the Air Force are commercial off-the-shelf (COTS) components, often manufactured abroad due...crystal clear 2003 information security report: “The U.S. Department of Defense (DOD) relies too much on commercial software , doesn’t know who is...creating the software , and faces other significant cybersecurity problems.”11 This paper explores the topic of defense of the cyberspace domain by

Modeling and Analyzing Intrusion Attempts to a Computer Network Operating in a Defense in Depth Posture

DTIC Science & Technology

2004-09-01

protection. Firewalls, Intrusion Detection Systems (IDS’s), Anti-Virus (AV) software , and routers are such tools used. In recent years, computer security...associated with operating systems, application software , and computing hardware. When IDS’s are utilized on a host computer or network, there are two...primary approaches to detecting and / or preventing attacks. Traditional IDS’s, like most AV software , rely on known “signatures” to detect attacks

Enhanced optical security by using information carrier digital screening

NASA Astrophysics Data System (ADS)

Koltai, Ferenc; Adam, Bence

2004-06-01

Jura has developed different security features based on Information Carrier Digital Screening. Substance of such features is that a non-visible secondary image is encoded in a visible primary image. The encoded image will be visible only by using a decoding device. One of such developments is JURA's Invisible Personal Information (IPI) is widely used in high security documents, where personal data of the document holder are encoded in the screen of the document holder's photography and they can be decoded by using an optical decoding device. In order to make document verification fully automated, enhance security and eliminate human factors, digital version of IPI, the D-IPI was developed. A special 2D-barcode structure was designed, which contains sufficient quantity of encoded digital information and can be embedded into the photo. Other part of Digital-IPI is the reading software, that is able to retrieve the encoded information with high reliability. The reading software developed with a specific 2D structure is providing the possibility of a forensic analysis. Such analysis will discover all kind of manipulations -- globally, if the photography was simply changed and selectively, if only part of the photography was manipulated. Digital IPI is a good example how benefits of digital technology can be exploited by using optical security and how technology for optical security can be converted into digital technology. The D-IPI process is compatible with all current personalization printers and materials (polycarbonate, PVC, security papers, Teslin-foils, etc.) and can provide any document with enhanced security and tamper-resistance.

A Dedicated Computational Platform for Cellular Monte Carlo T-CAD Software Tools

DTIC Science & Technology

2015-07-14

computer that establishes an encrypted Virtual Private Network ( OpenVPN [44]) based on the Secure Socket Layer (SSL) paradigm. Each user is given a...security certificate for each device used to connect to the computing nodes. Stable OpenVPN clients are available for Linux, Microsoft Windows, Apple OSX...platform is granted by an encrypted connection base on the Secure Socket Layer (SSL) protocol, and implemented in the OpenVPN Virtual Personal Network

Focus on Resiliency: A Process-Oriented Approach to Security

DTIC Science & Technology

2005-11-01

by ANSI Std Z39-18 © 2005 Carnegie Mellon University CSI v1.0 2 Agenda About the SEI Characterizing the problem Security, resiliency, and risk A...2005 Carnegie Mellon University CSI v1.0 5 SEI Technical Programs Product Line Systems Dynamic Systems Software Engineering Process Management...University CSI v1.0 7 What is the problem? Is your organization’s security capability sufficient to identify and manage risks that result from failed

[Our experience with mini tapes (TVT Secur and MiniArc) in the surgery for stress urinary incontinence].

PubMed

Jiménez Calvo, J; Hualde Alfaro, A; Raigoso Ortega, O; Cebrian Lostal, J L; Alvarez Bandres, S; Jiménez Parra, J; Montesino Semper, M; Santiago Gonzalez de Garibay, A

2008-01-01

The purpose of this publication is to describe the surgical technique, assess complications and short-term results of TVT secur and MiniArc tapes. From October 2006 to August 2007 it was carried out the surgical correction with TVT Secur,Women's Health & Urology, Ethicon, Johnson & Johnson, placing the tape as a hammock, to 51 patients, 38 of them with pure stress incontinence and 13 with mixed incontinence and with an average age of 57 years. From September 2007 to February 2008 41 patients, 33 of them with pure stress incontinence and 8 with mixed incontinence, with an average of age of 58 years were operated with AMS Miniarc swing system tape, posted on hammock. All procedures were performed with sedoanalgesia and Ambulatory Surgery regime. Patients were monitored in outpatient visits one month, 3 months and one year after surgical procedure. Medical history and questionnaire and ICIQ-SF, to which we added a question to quantify the degree of satisfaction, as well as physical examination, were done. We compared the results of both technical procedures and statistical survey was conducted by Student test. [Analysis with SPSS software (V14.0)]. The median follow-up in TVT secur group was 328 days (range 163-522 days) and 101 days (range 41-209 days) inthe MiniArc group. We only had one (TVT secur group) surgical complication in all the series (92 patients) being a bladder perforation. Taking into account that we read a negative test effort as an objective cure in the TVT secur group, 80.4% patients are cured and 90.2% inthe MiniArc group without significant difference between both groups (p 0095). To assess the subjective healing we utilized the ICIQ-SF test and the satisfaction extra-question and we noted that there is no significant difference between the first and third month controls. (90% of patients satisfied). 80% of patients were completely satisfied in the first year control that was only performed to TVT secur group. These new tapes show fewer complications that the TVT-O and TOT tapes and allow the possibility of placement with local anesthesia but further studies are needed.

33 CFR 103.410 - Persons involved in the Area Maritime Security (AMS) Assessment.

Code of Federal Regulations, 2014 CFR

2014-07-01

... Maritime Security (AMS) Assessment. 103.410 Section 103.410 Navigation and Navigable Waters COAST GUARD, DEPARTMENT OF HOMELAND SECURITY MARITIME SECURITY MARITIME SECURITY: AREA MARITIME SECURITY Area Maritime Security (AMS) Assessment § 103.410 Persons involved in the Area Maritime Security (AMS) Assessment. The...

33 CFR 103.410 - Persons involved in the Area Maritime Security (AMS) Assessment.

Code of Federal Regulations, 2011 CFR

2011-07-01

... Maritime Security (AMS) Assessment. 103.410 Section 103.410 Navigation and Navigable Waters COAST GUARD, DEPARTMENT OF HOMELAND SECURITY MARITIME SECURITY MARITIME SECURITY: AREA MARITIME SECURITY Area Maritime Security (AMS) Assessment § 103.410 Persons involved in the Area Maritime Security (AMS) Assessment. The...

33 CFR 103.410 - Persons involved in the Area Maritime Security (AMS) Assessment.

Code of Federal Regulations, 2013 CFR

2013-07-01

... Maritime Security (AMS) Assessment. 103.410 Section 103.410 Navigation and Navigable Waters COAST GUARD, DEPARTMENT OF HOMELAND SECURITY MARITIME SECURITY MARITIME SECURITY: AREA MARITIME SECURITY Area Maritime Security (AMS) Assessment § 103.410 Persons involved in the Area Maritime Security (AMS) Assessment. The...

33 CFR 103.410 - Persons involved in the Area Maritime Security (AMS) Assessment.

Code of Federal Regulations, 2010 CFR

2010-07-01

... Maritime Security (AMS) Assessment. 103.410 Section 103.410 Navigation and Navigable Waters COAST GUARD, DEPARTMENT OF HOMELAND SECURITY MARITIME SECURITY MARITIME SECURITY: AREA MARITIME SECURITY Area Maritime Security (AMS) Assessment § 103.410 Persons involved in the Area Maritime Security (AMS) Assessment. The...

33 CFR 103.410 - Persons involved in the Area Maritime Security (AMS) Assessment.

Code of Federal Regulations, 2012 CFR

2012-07-01

... Maritime Security (AMS) Assessment. 103.410 Section 103.410 Navigation and Navigable Waters COAST GUARD, DEPARTMENT OF HOMELAND SECURITY MARITIME SECURITY MARITIME SECURITY: AREA MARITIME SECURITY Area Maritime Security (AMS) Assessment § 103.410 Persons involved in the Area Maritime Security (AMS) Assessment. The...

Analyzing Cyber-Physical Threats on Robotic Platforms.

PubMed

Ahmad Yousef, Khalil M; AlMajali, Anas; Ghalyon, Salah Abu; Dweik, Waleed; Mohd, Bassam J

2018-05-21

Robots are increasingly involved in our daily lives. Fundamental to robots are the communication link (or stream) and the applications that connect the robots to their clients or users. Such communication link and applications are usually supported through client/server network connection. This networking system is amenable of being attacked and vulnerable to the security threats. Ensuring security and privacy for robotic platforms is thus critical, as failures and attacks could have devastating consequences. In this paper, we examine several cyber-physical security threats that are unique to the robotic platforms; specifically the communication link and the applications. Threats target integrity, availability and confidential security requirements of the robotic platforms, which use MobileEyes/arnlServer client/server applications. A robot attack tool (RAT) was developed to perform specific security attacks. An impact-oriented approach was adopted to analyze the assessment results of the attacks. Tests and experiments of attacks were conducted in simulation environment and physically on the robot. The simulation environment was based on MobileSim; a software tool for simulating, debugging and experimenting on MobileRobots/ActivMedia platforms and their environments. The robot platform PeopleBot TM was used for physical experiments. The analysis and testing results show that certain attacks were successful at breaching the robot security. Integrity attacks modified commands and manipulated the robot behavior. Availability attacks were able to cause Denial-of-Service (DoS) and the robot was not responsive to MobileEyes commands. Integrity and availability attacks caused sensitive information on the robot to be hijacked. To mitigate security threats, we provide possible mitigation techniques and suggestions to raise awareness of threats on the robotic platforms, especially when the robots are involved in critical missions or applications.

Analyzing Cyber-Physical Threats on Robotic Platforms †

PubMed Central

2018-01-01

Robots are increasingly involved in our daily lives. Fundamental to robots are the communication link (or stream) and the applications that connect the robots to their clients or users. Such communication link and applications are usually supported through client/server network connection. This networking system is amenable of being attacked and vulnerable to the security threats. Ensuring security and privacy for robotic platforms is thus critical, as failures and attacks could have devastating consequences. In this paper, we examine several cyber-physical security threats that are unique to the robotic platforms; specifically the communication link and the applications. Threats target integrity, availability and confidential security requirements of the robotic platforms, which use MobileEyes/arnlServer client/server applications. A robot attack tool (RAT) was developed to perform specific security attacks. An impact-oriented approach was adopted to analyze the assessment results of the attacks. Tests and experiments of attacks were conducted in simulation environment and physically on the robot. The simulation environment was based on MobileSim; a software tool for simulating, debugging and experimenting on MobileRobots/ActivMedia platforms and their environments. The robot platform PeopleBotTM was used for physical experiments. The analysis and testing results show that certain attacks were successful at breaching the robot security. Integrity attacks modified commands and manipulated the robot behavior. Availability attacks were able to cause Denial-of-Service (DoS) and the robot was not responsive to MobileEyes commands. Integrity and availability attacks caused sensitive information on the robot to be hijacked. To mitigate security threats, we provide possible mitigation techniques and suggestions to raise awareness of threats on the robotic platforms, especially when the robots are involved in critical missions or applications. PMID:29883403

Perceptions of health care professionals on the safety and security at Odi District Hospital, Gauteng, South Africa

PubMed Central

Okeke, Sunday O.

2017-01-01

Background For optimum delivery of service, an establishment needs to ensure a safe and secure environment. In 2011, the South African government promulgated the National Core Standards for Health Establishments for safety and security for all employees in all establishments. Little is known about whether these standards are being complied to. Aim and setting: To assess the perceptions of health care professionals (HCPs) on safety and security at Odi District Hospital. Methodology A sample of 181 out of a total of 341 HCPs was drawn through a systematic sampling method from each HCP category. Data were collected through a self-administered questionnaire. The SPSS® statistical software version 22 was used for data analysis. The level of statistical significance was set at < 0.05. Results There were more female respondents than male respondents (136; 75.10%). The dominant age group was 28–47 years (114; 57.46%). Perceptions on security personnel, their efficiency and the security system were significantly affirmed (p = 0.0001). The hospital infrastructure, surroundings and plan in emergencies were perceived to be safe (p < 0.0001). The hospital lighting system was perceived as inadequate (p = 0.0041). Only 36 (20.2%) HCPs perceived that hospital authorities were concerned about employees’ safety (p < 0.0001). Conclusion HCPs had positive perceptions regarding the hospital’s security system. Except for the negative perceptions of the lighting system and the perceived lack of hospital authorities’ concern for staff safety, perceptions of the HCPs on the hospital working environment were positive. The hospital authorities need to establish the basis of negative perceptions and enforce remedial measures to redress them. PMID:29113444

A novel 6-DOF parallel robot and its pose errors compensation

NASA Astrophysics Data System (ADS)

Shi, Zhixin; Ye, Meiyan; Luo, Yufeng

2011-10-01

In the traditional security solution conditions, software firewall cannot intercept and respond the invasion before being attacked. And because of the high cost, the hardware firewall does not apply to the security strategy of the end nodes, so we have designed a kind of solution of embedded firewall with hardware and software. With ARM embedding Linux operating system, we have designed packet filter module and intrusion detection module to implement the basic function of firewall. Experiments and results show that that firewall has the advantages of low cost, high processing speed, high safety and the application of the computer terminals. This paper focuses on packet filtering module design and implementation.

Design and implement of pack filter module base on embedded firewall

NASA Astrophysics Data System (ADS)

Tian, Libo; Wang, Chen; Yang, Shunbo

2011-10-01

In the traditional security solution conditions, software firewall cannot intercept and respond the invasion before being attacked. And because of the high cost, the hardware firewall does not apply to the security strategy of the end nodes, so we have designed a kind of solution of embedded firewall with hardware and software. With ARM embedding Linux operating system, we have designed packet filter module and intrusion detection module to implement the basic function of firewall. Experiments and results show that that firewall has the advantages of low cost, high processing speed, high safety and the application of the computer terminals. This paper focuses on packet filtering module design and implementation.

C-C1-04: Building a Health Services Information Technology Research Environment

PubMed Central

Gehrum, David W; Jones, JB; Romania, Gregory J; Young, David L; Lerch, Virginia R; Bruce, Christa A; Donkochik, Diane; Stewart, Walter F

2010-01-01

Background: The electronic health record (EHR) has opened a new era for health services research (HSR) where information technology (IT) is used to re-engineer care processes. While the EHR provides one means of advancing novel solutions, a promising strategy is to develop tools (e.g., online questionnaires, visual display tools, decision support) distinct from, but which interact with, the EHR. Development of such software tools outside the EHR offers an advantage in flexibility, sophistication, and ultimately in portability to other settings. However, institutional IT departments have an imperative to protect patient data and to standardize IT processes to ensure system-level security and support traditional business needs. Such imperatives usually present formidable process barriers to testing novel software solutions. We describe how, in collaboration with our IT department, we are creating an environment and a process that allows for routine and rapid testing of novel software solutions. Methods: We convened a working group consisting of IT and research personnel with expertise in information security, database design/management, web design, EHR programming, and health services research. The working group was tasked with developing a research IT environment to accomplish two objectives: maintain network/ data security and regulatory compliance; allow researchers working with external vendors to rapidly prototype and, in a clinical setting, test web-based tools. Results: Two parallel solutions, one focused on hardware, the second on oversight and management, were developed. First, we concluded that three separate, staged development environments were required to allow external vendor access for testing software and for transitioning software to be used in a clinic. In parallel, the extant oversight process for approving/managing access to internal/external personnel had to be altered to reflect the scope and scale of discrete research projects, as opposed to an enterpriselevel approach to IT management. Conclusions: Innovation in health services software development requires a flexible, scalable IT environment adapted to the unique objectives of a HSR software development model. In our experience, implementing the hardware solution is less challenging than the cultural change required to implement such a model and the modifications to administrative and oversight processes to sustain an environment for rapid product development and testing.

Climate tools in mainstream Linux distributions

NASA Astrophysics Data System (ADS)

McKinstry, Alastair

2015-04-01

Debian/meterology is a project to integrate climate tools and analysis software into the mainstream Debian/Ubuntu Linux distributions. This work describes lessons learnt, and recommends practices for scientific software to be adopted and maintained in OS distributions. In addition to standard analysis tools (cdo,, grads, ferret, metview, ncl, etc.), software used by the Earth System Grid Federation was chosen for integraion, to enable ESGF portals to be built on this base; however exposing scientific codes via web APIs enables security weaknesses, normally ignorable, to be exposed. How tools are hardened, and what changes are required to handle security upgrades, are described. Secondly, to enable libraries and components (e.g. Python modules) to be integrated requires planning by writers: it is not sufficient to assume users can upgrade their code when you make incompatible changes. Here, practices are recommended to enable upgrades and co-installability of C, C++, Fortran and Python codes. Finally, software packages such as NetCDF and HDF5 can be built in multiple configurations. Tools may then expect incompatible versions of these libraries (e.g. serial and parallel) to be simultaneously available; how this was solved in Debian using "pkg-config" and shared library interfaces is described, and best practices for software writers to enable this are summarised.

Surveillance systems for intermodal transportation

NASA Astrophysics Data System (ADS)

Jakovlev, Sergej; Voznak, Miroslav; Andziulis, Arunas

2015-05-01

Intermodal container monitoring is considered a major security issue in many major logistic companies and countries worldwide. Current representation of the problem, we face today, originated in 2002, right after the 9/11 attacks. Then, a new worldwide Container Security Initiative (CSI, 2002) was considered that shaped the perception of the transportation operations. Now more than 80 larger ports all over the world contribute to its further development and integration into everyday transportation operations and improve the regulations for the developing regions. Although, these new improvements allow us to feel safer and secure, constant management of transportation operations has become a very difficult problem for conventional data analysis methods and information systems. The paper deals with a proposal of a whole new concept for the improvement of the Containers Security Initiative (CSI) by virtually connecting safety, security processes and systems. A conceptual middleware approach with deployable intelligent agent modules is proposed to be used with possible scenarios and a testbed is used to test the solution. Middleware examples are visually programmed using National Instruments LabView software packages and Wireless sensor network hardware modules. An experimental software is used to evaluate he solution. This research is a contribution to the intermodal transportation and is intended to be used as a means or the development of intelligent transport systems.

Consumer Security Perceptions and the Perceived Influence on Adopting Cloud Computing: A Quantitative Study Using the Technology Acceptance Model

ERIC Educational Resources Information Center

Paquet, Katherine G.

2013-01-01

Cloud computing may provide cost benefits for organizations by eliminating the overhead costs of software, hardware, and maintenance (e.g., license renewals, upgrading software, servers and their physical storage space, administration along with funding a large IT department). In addition to the promised savings, the organization may require…

CrossTalk: The Journal of Defense Software Engineering. Volume 22, Number 7, Nov/Dec 2009

DTIC Science & Technology

2009-12-01

an MBA, and is a Certified Corporate Trainer. Booz Allen Hamilton AF PKI SPO 4241 E Piedras DR STE 210 San Antonio,TX 78228 Phone: (210) 925-9129...Certified Secure Software Lifecycle Professional, and a Project Management Professional. General Dynamics C4 Systems AF PKI SPO 4241 E Piedras DR STE 210

TypingSuite: Integrated Software for Presenting Stimuli, and Collecting and Analyzing Typing Data

ERIC Educational Resources Information Center

Mazerolle, Erin L.; Marchand, Yannick

2015-01-01

Research into typing patterns has broad applications in both psycholinguistics and biometrics (i.e., improving security of computer access via each user's unique typing patterns). We present a new software package, TypingSuite, which can be used for presenting visual and auditory stimuli, collecting typing data, and summarizing and analyzing the…

Software Documentation for the Bartlesville Public Schools: Part One. The Bartlesville System Total Guidance Information Support System.

ERIC Educational Resources Information Center

Roberts, Tommy L.; And Others

The Total Guidance Information Support System (TGISS), is an information storage and retrieval system for counselors. The total TGISS, including hardware and software, extends the counselor's capabilities by providing ready access to student information under secure conditions. The hardware required includes: (1) IBM 360/50 central processing…

School Security Solutions: Bringing Corporate Safety to Schools and Colleges with EasyLobbyTM Software.

ERIC Educational Resources Information Center

Pendzick, Richard E.; Downs, Robert L.

2002-01-01

Describes software for electronic visitor management (EVM) called EasyLobbyTM, currently in use in thousands of federal and corporate installations throughout the world and its application for school and campus environments. Explains EasyLobbyTM's use to replace visitor logs, capture and store visitor data electronically, and provide badges that…

Information Technology and the Evolution of the Library

DTIC Science & Technology

2009-03-01

Resource Commons/ Repository/ Federated Search ILS (GLADIS/Pathfinder - Millenium)/ Catalog/ Circulation/ Acquisitions/ Digital Object Content...content management services to help centralize and distribute digi- tal content from across the institution, software to allow for seamless federated ... search - ing across multiple databases, and imaging software to allow for daily reimaging of ter- minals to reduce security concerns that otherwise

Software for Information Storage and Retrieval Tested, Evaluated and Compared: Part VI--Various Additional Programs.

ERIC Educational Resources Information Center

Sieverts, Eric G.; And Others

1993-01-01

Reports on tests evaluating nine microcomputer software packages designed for information storage and retrieval: BRS-Search, dtSearch, InfoBank, Micro-OPC, Q&A, STN-PFS, Strix, TINman, and ZYindex. Tables and narrative evaluations detail results related to security, hardware, user features, search capability, indexing, input, maintenance of files,…

49 CFR 1548.15 - Access to cargo: Security threat assessments for individuals having unescorted access to cargo.

Code of Federal Regulations, 2010 CFR

2010-10-01

... 49 Transportation 9 2010-10-01 2010-10-01 false Access to cargo: Security threat assessments for... SECURITY CIVIL AVIATION SECURITY INDIRECT AIR CARRIER SECURITY § 1548.15 Access to cargo: Security threat... must successfully complete a security threat assessment or comparable security threat assessment...

33 CFR 105.305 - Facility Security Assessment (FSA) requirements.

Code of Federal Regulations, 2014 CFR

2014-07-01

... 33 Navigation and Navigable Waters 1 2014-07-01 2014-07-01 false Facility Security Assessment (FSA... SECURITY MARITIME SECURITY MARITIME SECURITY: FACILITIES Facility Security Assessment (FSA) § 105.305 Facility Security Assessment (FSA) requirements. (a) Background. The facility owner or operator must ensure...

33 CFR 105.305 - Facility Security Assessment (FSA) requirements.

Code of Federal Regulations, 2011 CFR

2011-07-01

... 33 Navigation and Navigable Waters 1 2011-07-01 2011-07-01 false Facility Security Assessment (FSA... SECURITY MARITIME SECURITY MARITIME SECURITY: FACILITIES Facility Security Assessment (FSA) § 105.305 Facility Security Assessment (FSA) requirements. (a) Background. The facility owner or operator must ensure...

33 CFR 105.305 - Facility Security Assessment (FSA) requirements.

Code of Federal Regulations, 2012 CFR

2012-07-01

... 33 Navigation and Navigable Waters 1 2012-07-01 2012-07-01 false Facility Security Assessment (FSA... SECURITY MARITIME SECURITY MARITIME SECURITY: FACILITIES Facility Security Assessment (FSA) § 105.305 Facility Security Assessment (FSA) requirements. (a) Background. The facility owner or operator must ensure...

33 CFR 105.305 - Facility Security Assessment (FSA) requirements.

Code of Federal Regulations, 2013 CFR

2013-07-01

... 33 Navigation and Navigable Waters 1 2013-07-01 2013-07-01 false Facility Security Assessment (FSA... SECURITY MARITIME SECURITY MARITIME SECURITY: FACILITIES Facility Security Assessment (FSA) § 105.305 Facility Security Assessment (FSA) requirements. (a) Background. The facility owner or operator must ensure...

33 CFR 105.305 - Facility Security Assessment (FSA) requirements.

Code of Federal Regulations, 2010 CFR

2010-07-01

... 33 Navigation and Navigable Waters 1 2010-07-01 2010-07-01 false Facility Security Assessment (FSA... SECURITY MARITIME SECURITY MARITIME SECURITY: FACILITIES Facility Security Assessment (FSA) § 105.305 Facility Security Assessment (FSA) requirements. (a) Background. The facility owner or operator must ensure...

KSOS Computer Program Development Specifications (Type B-5). (Kernelized Secure Operating System). I. Security Kernel (CDRL 0002AF). II. UNIX Emulator (CDRL 0002AG). III. Security-Related Software (CDRL 0002AH).

DTIC Science & Technology

1980-12-01

Commun- ications Corporation, Palo Alto, CA (March 1978). g. [Walter at al. 74] Walter, K.G. et al., " Primitive Models for Computer .. Security", ESD-TR...discussion is followed by a presenta- tion of the Kernel primitive operations upon these objects. All Kernel objects shall be referenced by a common...set of sizes. All process segments, regardless of domain, shall be manipulated by the same set of Kernel segment primitives . User domain segments

Transparent Proxy for Secure E-Mail

NASA Astrophysics Data System (ADS)

Michalák, Juraj; Hudec, Ladislav

2010-05-01

The paper deals with the security of e-mail messages and e-mail server implementation by means of a transparent SMTP proxy. The security features include encryption and signing of transported messages. The goal is to design and implement a software proxy for secure e-mail including its monitoring, administration, encryption and signing keys administration. In particular, we focus on automatic public key on-the-fly encryption and signing of e-mail messages according to S/MIME standard by means of an embedded computer system whose function can be briefly described as a brouter with transparent SMTP proxy.

Towards improving software security by using simulation to inform requirements and conceptual design

DOE PAGES

Nutaro, James J.; Allgood, Glenn O.; Kuruganti, Teja

2015-06-17

We illustrate the use of modeling and simulation early in the system life-cycle to improve security and reduce costs. The models that we develop for this illustration are inspired by problems in reliability analysis and supervisory control, for which similar models are used to quantify failure probabilities and rates. In the context of security, we propose that models of this general type can be used to understand trades between risk and cost while writing system requirements and during conceptual design, and thereby significantly reduce the need for expensive security corrections after a system enters operation

Science of Security Lablet - Scalability and Usability

DTIC Science & Technology

2014-12-16

mobile computing [19]. However, the high-level infrastructure design and our own implementation (both described throughout this paper) can easily...critical and infrastructural systems demands high levels of sophistication in the technical aspects of cybersecurity, software and hardware design...Forget, S. Komanduri, Alessandro Acquisti, Nicolas Christin, Lorrie Cranor, Rahul Telang. "Security Behavior Observatory: Infrastructure for Long-term

Algorithm Diversity for Resilent Systems

DTIC Science & Technology

2016-06-27

data structures. 15. SUBJECT TERMS computer security, software diversity, program transformation 16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF 18...systematic method for transforming Datalog rules with general universal and existential quantification into efficient algorithms with precise complexity...worst case in the size of the ground rules. There are numerous choices during the transformation that lead to diverse algorithms and different

CMMI(Registered) for Acquisition, Version 1.3. CMMI-ACQ, V1.3

DTIC Science & Technology

2010-11-01

and Software Engineering – System Life Cycle Processes [ ISO 2008b] ISO /IEC 27001 :2005 Information technology – Security techniques – Information...International Organization for Standardization and International Electrotechnical Commission. ISO /IEC 27001 Information Technology – Security Techniques...International Organization for Standardization/International Electrotechnical Commission ( ISO /IEC) body of standards. CMMs focus on improving processes

Asbestos: Securing Untrusted Software with Interposition

DTIC Science & Technology

2005-09-01

consistent intelligible interfaces to different types of resource. Message-based operating systems, such as Accent, Amoeba, Chorus, L4 , Spring...control on self-authenticating capabilities, precluding policies that restrict delegation. L4 uses a strict hierarchy of interpositions, useful for...the OS de- sign space amenable to secure application construction. Similar effects might be possible with message-passing microkernels , or unwieldy

Secondary Use of Claims Data from the Austrian Health Insurance System with i2b2: A Pilot Study.

PubMed

Endel, Florian; Duftschmid, Georg

2016-01-01

In conformity with increasing international efforts to reuse routine health data for scientific purposes, the Main Association of Austrian Social Security Organisations provides pseudonymized claims data of the Austrian health care system for clinical research. We aimed to examine, whether an integration of the corresponding database into i2b2 would be possible and provide benefits. We applied docker-based software containers and data transformations to set up the system. To assess the benefits of i2b2 we plan to reenact the task of cohort formation of an earlier research project. The claims database was successfully integrated into i2b2. The docker-based installation approach will be published as git repository. The assessment of i2b2's benefits is currently work in progress and will be presented at the conference. Docker enables a flexible, reproducible, and resource-efficient installation of i2b2 within the restricted environment implied by our highly secured target system. First preliminary tests indicated several potential benefits of i2b2 compared to the methods applied during the earlier research project.

From Research to Operations: Integrating Components of an Advanced Diagnostic System with an Aspect-Oriented Framework

NASA Technical Reports Server (NTRS)

Fletcher, Daryl P.; Alena, Richard L.; Akkawi, Faisal; Duncavage, Daniel P.

2004-01-01

This paper presents some of the challenges associated with bringing software projects from the research world into an operationa1 environment. While the core functional components of research-oriented software applications can have great utility in an operational setting, these applications often lack aspects important in an operational environment such as logging and security. Furthermore, these stand-alone applications, sometimes developed in isolation from one another, can produce data products useful to other applications in a software ecosystem.

FLOWER IPv4/IPv6 Network Flow Summarization software

DOE Office of Scientific and Technical Information (OSTI.GOV)

Nickless, Bill; Curtis, Darren; Christy, Jason

FLOWER was written as a refactoring/reimplementation of the existing Flo software used by the Cooperative Protection Program (CPP) to provide network flow summaries for analysis by the Operational Analysis Center (OAC) and other US Department of Energy cyber security elements. FLOWER is designed and tested to operate at 10 gigabits/second, nearly 10 times faster than competing solutions. FLOWER output is optimized for importation into SQL databases for categorization and analysis. FLOWER is written in C++ using current best software engineering practices.

Software-Based Visual Loan Calculator For Banking Industry

NASA Astrophysics Data System (ADS)

Isizoh, A. N.; Anazia, A. E.; Okide, S. O. 3; Onyeyili, T. I.; Okwaraoka, C. A. P.

2012-03-01

industry is very necessary in modern day banking system using many design techniques for security reasons. This paper thus presents the software-based design and implementation of a Visual Loan calculator for banking industry using Visual Basic .Net (VB.Net). The fundamental approach to this is to develop a Graphical User Interface (GUI) using VB.Net operating tools, and then developing a working program which calculates the interest of any loan obtained. The VB.Net programming was done, implemented and the software proved satisfactory.

Fault Tolerant Software Technology for Distributed Computer Systems

DTIC Science & Technology

1989-03-01

RAY.) &-TR-88-296 I Fin;.’ Technical Report ,r 19,39 i A28 3329 F’ULT TOLERANT SOFTWARE TECHNOLOGY FOR DISTRIBUTED COMPUTER SYSTEMS Georgia Institute...GrfisABN 34-70IiWftlI NO0. IN?3. NO IACCESSION NO. 158 21 7 11. TITLE (Incld security Cassification) FAULT TOLERANT SOFTWARE FOR DISTRIBUTED COMPUTER ...Technology for Distributed Computing Systems," a two year effort performed at Georgia Institute of Technology as part of the Clouds Project. The Clouds

MODIS. Volume 1: MODIS level 1A software baseline requirements

NASA Technical Reports Server (NTRS)

Masuoka, Edward; Fleig, Albert; Ardanuy, Philip; Goff, Thomas; Carpenter, Lloyd; Solomon, Carl; Storey, James

1994-01-01

This document describes the level 1A software requirements for the moderate resolution imaging spectroradiometer (MODIS) instrument. This includes internal and external requirements. Internal requirements include functional, operational, and data processing as well as performance, quality, safety, and security engineering requirements. External requirements include those imposed by data archive and distribution systems (DADS); scheduling, control, monitoring, and accounting (SCMA); product management (PM) system; MODIS log; and product generation system (PGS). Implementation constraints and requirements for adapting the software to the physical environment are also included.

Introduction to the Security Engineering Risk Analysis (SERA) Framework

DTIC Science & Technology

2014-11-01

military aircraft has increased from 8% to 80%. At the same time, the size of software in military aircraft has grown from 1,000 lines of code in the F...4A to 1.7 million lines of code in the F-22. This growth trend is expected to con- tinue over time [NASA 2009]. As software exerts more control of...their root causes can be traced to the software’s requirements, architecture, design, or code . Studies have shown that the cost of addressing a software

Land-Use Portfolio Modeler, Version 1.0

USGS Publications Warehouse

Taketa, Richard; Hong, Makiko

2010-01-01

Natural hazards pose significant threats to the public safety and economic health of many communities throughout the world. Community leaders and decision-makers continually face the challenges of planning and allocating limited resources to invest in protecting their communities against catastrophic losses from natural-hazard events. Public efforts to assess community vulnerability and encourage loss-reduction measures through mitigation often focused on either aggregating site-specific estimates or adopting standards based upon broad assumptions about regional risks. The site-specific method usually provided the most accurate estimates, but was prohibitively expensive, whereas regional risk assessments were often too general to be of practical use. Policy makers lacked a systematic and quantitative method for conducting a regional-scale risk assessment of natural hazards. In response, Bernknopf and others developed the portfolio model, an intermediate-scale approach to assessing natural-hazard risks and mitigation policy alternatives. The basis for the portfolio-model approach was inspired by financial portfolio theory, which prescribes a method of optimizing return on investment while reducing risk by diversifying investments in different security types. In this context, a security type represents a unique combination of features and hazard-risk level, while financial return is defined as the reduction in losses resulting from an investment in mitigation of chosen securities. Features are selected for mitigation and are modeled like investment portfolios. Earth-science and economic data for the features are combined and processed in order to analyze each of the portfolios, which are then used to evaluate the benefits of mitigating the risk in selected locations. Ultimately, the decision maker seeks to choose a portfolio representing a mitigation policy that maximizes the expected return-on-investment, while minimizing the uncertainty associated with that return-on-investment. The portfolio model, now known as the Land-Use Portfolio Model (LUPM), provided the framework for the development of the Land-Use Portfolio Modeler, Version 1.0 software (LUPM v1.0). The software provides a geographic information system (GIS)-based modeling tool for evaluating alternative risk-reduction mitigation strategies for specific natural-hazard events. The modeler uses information about a specific natural-hazard event and the features exposed to that event within the targeted study region to derive a measure of a given mitigation strategy`s effectiveness. Harnessing the spatial capabilities of a GIS enables the tool to provide a rich, interactive mapping environment in which users can create, analyze, visualize, and compare different

ViPAR: a software platform for the Virtual Pooling and Analysis of Research Data.

PubMed

Carter, Kim W; Francis, Richard W; Carter, K W; Francis, R W; Bresnahan, M; Gissler, M; Grønborg, T K; Gross, R; Gunnes, N; Hammond, G; Hornig, M; Hultman, C M; Huttunen, J; Langridge, A; Leonard, H; Newman, S; Parner, E T; Petersson, G; Reichenberg, A; Sandin, S; Schendel, D E; Schalkwyk, L; Sourander, A; Steadman, C; Stoltenberg, C; Suominen, A; Surén, P; Susser, E; Sylvester Vethanayagam, A; Yusof, Z

2016-04-01

Research studies exploring the determinants of disease require sufficient statistical power to detect meaningful effects. Sample size is often increased through centralized pooling of disparately located datasets, though ethical, privacy and data ownership issues can often hamper this process. Methods that facilitate the sharing of research data that are sympathetic with these issues and which allow flexible and detailed statistical analyses are therefore in critical need. We have created a software platform for the Virtual Pooling and Analysis of Research data (ViPAR), which employs free and open source methods to provide researchers with a web-based platform to analyse datasets housed in disparate locations. Database federation permits controlled access to remotely located datasets from a central location. The Secure Shell protocol allows data to be securely exchanged between devices over an insecure network. ViPAR combines these free technologies into a solution that facilitates 'virtual pooling' where data can be temporarily pooled into computer memory and made available for analysis without the need for permanent central storage. Within the ViPAR infrastructure, remote sites manage their own harmonized research dataset in a database hosted at their site, while a central server hosts the data federation component and a secure analysis portal. When an analysis is initiated, requested data are retrieved from each remote site and virtually pooled at the central site. The data are then analysed by statistical software and, on completion, results of the analysis are returned to the user and the virtually pooled data are removed from memory. ViPAR is a secure, flexible and powerful analysis platform built on open source technology that is currently in use by large international consortia, and is made publicly available at [http://bioinformatics.childhealthresearch.org.au/software/vipar/]. © The Author 2015. Published by Oxford University Press on behalf of the International Epidemiological Association.

Adapting Rational Unified Process (RUP) approach in designing a secure e-Tendering model

NASA Astrophysics Data System (ADS)

Mohd, Haslina; Robie, Muhammad Afdhal Muhammad; Baharom, Fauziah; Darus, Norida Muhd; Saip, Mohamed Ali; Yasin, Azman

2016-08-01

e-Tendering is an electronic processing of the tender document via internet and allow tenderer to publish, communicate, access, receive and submit all tender related information and documentation via internet. This study aims to design the e-Tendering system using Rational Unified Process approach. RUP provides a disciplined approach on how to assign tasks and responsibilities within the software development process. RUP has four phases that can assist researchers to adjust the requirements of various projects with different scope, problem and the size of projects. RUP is characterized as a use case driven, architecture centered, iterative and incremental process model. However the scope of this study only focusing on Inception and Elaboration phases as step to develop the model and perform only three of nine workflows (business modeling, requirements, analysis and design). RUP has a strong focus on documents and the activities in the inception and elaboration phases mainly concern the creation of diagrams and writing of textual descriptions. The UML notation and the software program, Star UML are used to support the design of e-Tendering. The e-Tendering design based on the RUP approach can contribute to e-Tendering developers and researchers in e-Tendering domain. In addition, this study also shows that the RUP is one of the best system development methodology that can be used as one of the research methodology in Software Engineering domain related to secured design of any observed application. This methodology has been tested in various studies in certain domains, such as in Simulation-based Decision Support, Security Requirement Engineering, Business Modeling and Secure System Requirement, and so forth. As a conclusion, these studies showed that the RUP one of a good research methodology that can be adapted in any Software Engineering (SE) research domain that required a few artifacts to be generated such as use case modeling, misuse case modeling, activity diagram, and initial class diagram from a list of requirements as identified earlier by the SE researchers

Mission operations concepts for Earth Observing System (EOS)

NASA Technical Reports Server (NTRS)

Kelly, Angelita C.; Taylor, Thomas D.; Hawkins, Frederick J.

1991-01-01

Mission operation concepts are described which are being used to evaluate and influence space and ground system designs and architectures with the goal of achieving successful, efficient, and cost-effective Earth Observing System (EOS) operations. Emphasis is given to the general characteristics and concepts developed for the EOS Space Measurement System, which uses a new series of polar-orbiting observatories. Data rates are given for various instruments. Some of the operations concepts which require a total system view are also examined, including command operations, data processing, data accountability, data archival, prelaunch testing and readiness, launch, performance monitoring and assessment, contingency operations, flight software maintenance, and security.

Strengthening Software Authentication with the ROSE Software Suite

DOE Office of Scientific and Technical Information (OSTI.GOV)

White, G

2006-06-15

Many recent nonproliferation and arms control software projects include a software authentication regime. These include U.S. Government-sponsored projects both in the United States and in the Russian Federation (RF). This trend toward requiring software authentication is only accelerating. Demonstrating assurance that software performs as expected without hidden ''backdoors'' is crucial to a project's success. In this context, ''authentication'' is defined as determining that a software package performs only its intended purpose and performs said purpose correctly and reliably over the planned duration of an agreement. In addition to visual inspections by knowledgeable computer scientists, automated tools are needed to highlightmore » suspicious code constructs, both to aid visual inspection and to guide program development. While many commercial tools are available for portions of the authentication task, they are proprietary and not extensible. An open-source, extensible tool can be customized to the unique needs of each project (projects can have both common and custom rules to detect flaws and security holes). Any such extensible tool has to be based on a complete language compiler. ROSE is precisely such a compiler infrastructure developed within the Department of Energy (DOE) and targeted at the optimization of scientific applications and user-defined libraries within large-scale applications (typically applications of a million lines of code). ROSE is a robust, source-to-source analysis and optimization infrastructure currently addressing large, million-line DOE applications in C and C++ (handling the full C, C99, C++ languages and with current collaborations to support Fortran90). We propose to extend ROSE to address a number of security-specific requirements, and apply it to software authentication for nonproliferation and arms control projects.« less

Web Application Software for Ground Operations Planning Database (GOPDb) Management

NASA Technical Reports Server (NTRS)

Lanham, Clifton; Kallner, Shawn; Gernand, Jeffrey

2013-01-01

A Web application facilitates collaborative development of the ground operations planning document. This will reduce costs and development time for new programs by incorporating the data governance, access control, and revision tracking of the ground operations planning data. Ground Operations Planning requires the creation and maintenance of detailed timelines and documentation. The GOPDb Web application was created using state-of-the-art Web 2.0 technologies, and was deployed as SaaS (Software as a Service), with an emphasis on data governance and security needs. Application access is managed using two-factor authentication, with data write permissions tied to user roles and responsibilities. Multiple instances of the application can be deployed on a Web server to meet the robust needs for multiple, future programs with minimal additional cost. This innovation features high availability and scalability, with no additional software that needs to be bought or installed. For data governance and security (data quality, management, business process management, and risk management for data handling), the software uses NAMS. No local copy/cloning of data is permitted. Data change log/tracking is addressed, as well as collaboration, work flow, and process standardization. The software provides on-line documentation and detailed Web-based help. There are multiple ways that this software can be deployed on a Web server to meet ground operations planning needs for future programs. The software could be used to support commercial crew ground operations planning, as well as commercial payload/satellite ground operations planning. The application source code and database schema are owned by NASA.

Remote Sensing and Capacity Building to Improve Food Security

NASA Astrophysics Data System (ADS)

Husak, G. J.; Funk, C. C.; Verdin, J. P.; Rowland, J.; Budde, M. E.

2012-12-01

The Famine Early Warning Systems Network (FEWS NET) is a U.S. Agency for International Development (USAID) supported project designed to monitor and anticipate food insecurity in the developing world, primarily Africa, Central America, the Caribbean and Central Asia. This is done through a network of partners involving U.S. government agencies, universities, country representatives, and partner institutions. This presentation will focus on the remotely sensed data used in FEWS NET activities and capacity building efforts designed to expand and enhance the use of FEWS NET tools and techniques. Remotely sensed data are of particular value in the developing world, where ground data networks and data reporting are limited. FEWS NET uses satellite based rainfall and vegetation greenness measures to monitor and assess food production conditions. Satellite rainfall estimates also drive crop models which are used in determining yield potential. Recent FEWS NET products also include estimates of actual evapotranspiration. Efforts are currently underway to assimilate these products into a single tool which would indicate areas experiencing abnormal conditions with implications for food production. FEWS NET is also involved in a number of capacity building activities. Two primary examples are the development of software and training of institutional partners in basic GIS and remote sensing. Software designed to incorporate rainfall station data with existing satellite-derived rainfall estimates gives users the ability to enhance satellite rainfall estimates or long-term means, resulting in gridded fields of rainfall that better reflect ground conditions. Further, this software includes a crop water balance model driven by the improved rainfall estimates. Finally, crop parameters, such as the planting date or length of growing period, can be adjusted by users to tailor the crop model to actual conditions. Training workshops in the use of this software, as well as basic GIS and remote sensing tools, are routinely conducted by FEWS NET representatives at host country meteorological and agricultural services. These institutions are then able to produce information that can more accurately inform food security decision making. Informed decision making reduces the risk associated with a given hazard. In the case of FEWS NET, this involves identification of shocks to food availability, allowing for the pre-positioning of aid to be available when a hazard strikes. Developing tools to incorporate better information in food production estimates and working closely with local staff trained in state-of-the-practice techniques results in a more informed decision making process, reducing the impacts of food security hazards.

Using cyber vulnerability testing techniques to expose undocumented security vulnerabilities in DCS and SCADA equipment

DOE Office of Scientific and Technical Information (OSTI.GOV)

Pollet, J.

2006-07-01

This session starts by providing an overview of typical DCS (Distributed Control Systems) and SCADA (Supervisory Control and Data Acquisition) architectures, and exposes cyber security vulnerabilities that vendors never admit, but are found through a comprehensive cyber testing process. A complete assessment process involves testing all of the layers and components of a SCADA or DCS environment, from the perimeter firewall all the way down to the end devices controlling the process, including what to look for when conducting a vulnerability assessment of real-time control systems. The following systems are discussed: 1. Perimeter (isolation from corporate IT or other non-criticalmore » networks) 2. Remote Access (third Party access into SCADA or DCS networks) 3. Network Architecture (switch, router, firewalls, access controls, network design) 4. Network Traffic Analysis (what is running on the network) 5. Host Operating Systems Hardening 6. Applications (how they communicate with other applications and end devices) 7. End Device Testing (PLCs, RTUs, DCS Controllers, Smart Transmitters) a. System Discovery b. Functional Discovery c. Attack Methodology i. DoS Tests (at what point does the device fail) ii. Malformed Packet Tests (packets that can cause equipment failure) iii. Session Hijacking (do anything that the operator can do) iv. Packet Injection (code and inject your own SCADA commands) v. Protocol Exploitation (Protocol Reverse Engineering / Fuzzing) This paper will provide information compiled from over five years of conducting cyber security testing on control systems hardware, software, and systems. (authors)« less

A Model for Assessing the Liability of Seemingly Correct Software

NASA Technical Reports Server (NTRS)

Voas, Jeffrey M.; Voas, Larry K.; Miller, Keith W.

1991-01-01

Current research on software reliability does not lend itself to quantitatively assessing the risk posed by a piece of life-critical software. Black-box software reliability models are too general and make too many assumptions to be applied confidently to assessing the risk of life-critical software. We present a model for assessing the risk caused by a piece of software; this model combines software testing results and Hamlet's probable correctness model. We show how this model can assess software risk for those who insure against a loss that can occur if life-critical software fails.

Network Security Validation Using Game Theory

NASA Astrophysics Data System (ADS)

Papadopoulou, Vicky; Gregoriades, Andreas

Non-functional requirements (NFR) such as network security recently gained widespread attention in distributed information systems. Despite their importance however, there is no systematic approach to validate these requirements given the complexity and uncertainty characterizing modern networks. Traditionally, network security requirements specification has been the results of a reactive process. This however, limited the immunity property of the distributed systems that depended on these networks. Security requirements specification need a proactive approach. Networks' infrastructure is constantly under attack by hackers and malicious software that aim to break into computers. To combat these threats, network designers need sophisticated security validation techniques that will guarantee the minimum level of security for their future networks. This paper presents a game-theoretic approach to security requirements validation. An introduction to game theory is presented along with an example that demonstrates the application of the approach.

Design and Development of a Flight Route Modification, Logging, and Communication Network

NASA Technical Reports Server (NTRS)

Merlino, Daniel K.; Wilson, C. Logan; Carboneau, Lindsey M.; Wilder, Andrew J.; Underwood, Matthew C.

2016-01-01

There is an overwhelming desire to create and enhance communication mechanisms between entities that operate within the National Airspace System. Furthermore, airlines are always extremely interested in increasing the efficiency of their flights. An innovative system prototype was developed and tested that improves collaborative decision making without modifying existing infrastructure or operational procedures within the current Air Traffic Management System. This system enables collaboration between flight crew and airline dispatchers to share and assess optimized flight routes through an Internet connection. Using a sophisticated medium-fidelity flight simulation environment, a rapid-prototyping development, and a unified modeling language, the software was designed to ensure reliability and scalability for future growth and applications. Ensuring safety and security were primary design goals, therefore the software does not interact or interfere with major flight control or safety systems. The system prototype demonstrated an unprecedented use of in-flight Internet to facilitate effective communication with Airline Operations Centers, which may contribute to increased flight efficiency for airlines.

Improving Security in Software Acquisition and Runtime Integration With Data Retention Specifications

DTIC Science & Technology

2016-04-30

Data Retention Specifications Daniel Smullen, Research Assistant, Carnegie Mellon University Travis Breaux, Assistant Professor, Carnegie Mellon... Carnegie Mellon University Travis Breaux, Assistant Professor, Carnegie Mellon University Cybersecurity Figure of Merit CAPT Brian Erickson, USN, SPAWAR...Integration With Data Retention Specifications Daniel Smullen—is a Research Assistant enrolled in the software engineering PhD program at Carnegie Mellon

Moving Target Techniques: Leveraging Uncertainty for Cyber Defense

DTIC Science & Technology

2015-08-24

vulnerability (a flaw or bug that an attacker can exploit to penetrate or disrupt a system) to successfully compromise systems. Defenders, however...device drivers, numerous software applications, and hardware components. Within the cyberspace, this imbalance between a simple, one- bug attack...parsing code itself could have security-relevant software bugs . Dynamic  Network   Techniques in the dynamic network domain change the properties

Multiplex Quantitative Histologic Analysis of Human Breast Cancer Cell Signaling and Cell Fate

DTIC Science & Technology

2010-05-01

Breast cancer, cell signaling, cell proliferation, histology, image analysis 15. NUMBER OF PAGES - 51 16. PRICE CODE 17. SECURITY CLASSIFICATION...revealed by individual stains in multiplex combinations; and (3) software (FARSIGHT) for automated multispectral image analysis that (i) segments...Task 3. Develop computational algorithms for multispectral immunohistological image analysis FARSIGHT software was developed to quantify intrinsic

A Method of Retrospective Computerized System Validation for Drug Manufacturing Software Considering Modifications

NASA Astrophysics Data System (ADS)

Takahashi, Masakazu; Fukue, Yoshinori

This paper proposes a Retrospective Computerized System Validation (RCSV) method for Drug Manufacturing Software (DMSW) that relates to drug production considering software modification. Because DMSW that is used for quality management and facility control affects big impact to quality of drugs, regulatory agency required proofs of adequacy for DMSW's functions and performance based on developed documents and test results. Especially, the work that explains adequacy for previously developed DMSW based on existing documents and operational records is called RCSV. When modifying RCSV conducted DMSW, it was difficult to secure consistency between developed documents and test results for modified DMSW parts and existing documents and operational records for non-modified DMSW parts. This made conducting RCSV difficult. In this paper, we proposed (a) definition of documents architecture, (b) definition of descriptive items and levels in the documents, (c) management of design information using database, (d) exhaustive testing, and (e) integrated RCSV procedure. As a result, we could conduct adequate RCSV securing consistency.

Vulnerabilities in GSM technology and feasibility of selected attacks

NASA Astrophysics Data System (ADS)

Voznak, M.; Prokes, M.; Sevcik, L.; Frnda, J.; Toral-Cruz, Homer; Jakovlev, Sergej; Fazio, Peppino; Mehic, M.; Mikulec, M.

2015-05-01

Global System for Mobile communication (GSM) is the most widespread technology for mobile communications in the world and serving over 7 billion users. Since first publication of system documentation there has been notified a potential safety problem's occurrence. Selected types of attacks, based on the analysis of the technical feasibility and the degree of risk of these weaknesses, were implemented and demonstrated in laboratory of the VSB-Technical University of Ostrava, Czech Republic. These vulnerabilities were analyzed and afterwards possible attacks were described. These attacks were implemented using open-source tools, software programmable radio USRP (Universal Software RadioPeripheral) and DVB-T (Digital Video Broadcasting - Terrestrial) receiver. GSM security architecture is being scrutinized since first public releases of its specification mainly pointing out weaknesses in authentication and ciphering mechanisms. This contribution also summarizes practically proofed and used scenarios that are performed using opensource software tools and variety of scripts mostly written in Python. Main goal of this paper is in analyzing security issues in GSM network and practical demonstration of selected attacks.

Wireless local area network for the dental office.

PubMed

Mupparapu, Muralidhar

2004-01-01

Dental offices are no exception to the implementation of new and advanced technology, especially if it enhances productivity. In a rapidly transforming digital world, wireless technology has a special place, as it has truly "retired the wire" and contributed to the ease and efficient access to patient data and other software-based applications for diagnosis and treatment. If the office or the clinic is networked, access to patient management software, imaging software and treatment planning tools is enhanced. Access will be further enhanced and unrestricted if the entire network is wireless. As with any new, emerging technology, there will be issues that should be kept in mind before adapting to the wireless environment. Foremost is the network security involved in the installation and use of these wireless networks. This short, technical manuscript deals with standards and choices in wireless technology currently available for implementation within a dental office. The benefits of each network security protocol available to protect patient data and boost the efficiency of a modern dental office are discussed.

Equity in access to health care provision under the medicare security for small scale entrepreneurs in Dar es Salaam.

PubMed

Urassa, J A E

2012-03-01

The main objective of this study was to assess equity in access to health care provision under the Medicare Security for Small Scale Entrepreneurs (SSE). Methodological triangulation was used to an exploratory and randomized cross- sectional study in order to supplement information on the topic under investigation. Questionnaires were administered to 281 respondents and 6 Focus Group Discussions (FGDs) were held with males and females. Documentary review was also used. For quantitative aspect of the study, significant associations were measured using confidence intervals (95% CI) testing. Qualitative data were analyzed with assistance of Open code software. The results show that inequalities in access to health care services were found in respect to affordability of medical care costs, distance from home to health facilities, availability of drugs as well as medical equipments and supplies. As the result of existing inequalities some of clients were not satisfied with the provided health services. The study concludes by drawing policy and research implications of the findings.

A Systems Engineering Framework for Implementing a Security and Critical Patch Management Process in Diverse Environments (Academic Departments' Workstations)

ERIC Educational Resources Information Center

Mohammadi, Hadi

2014-01-01

Use of the Patch Vulnerability Management (PVM) process should be seriously considered for any networked computing system. The PVM process prevents the operating system (OS) and software applications from being attacked due to security vulnerabilities, which lead to system failures and critical data leakage. The purpose of this research is to…

Software Quality and Security in Teachers' and Students' Codes When Learning a New Programming Language

ERIC Educational Resources Information Center

Boutnaru, Shlomi; Hershkovitz, Arnon

2015-01-01

In recent years, schools (as well as universities) have added cyber security to their computer science curricula. This topic is still new for most of the current teachers, who would normally have a standard computer science background. Therefore the teachers are trained and then teaching their students what they have just learned. In order to…

Freeware Versus Commercial Office Productivity Software

DTIC Science & Technology

2016-12-01

adapting Google’s widely popular freeware for government agency usage. This study analyzes the proposed benefits of using freeware, specifically... computing , ESI 15. NUMBER OF PAGES 73 16. PRICE CODE 17. SECURITY CLASSIFICATION OF REPORT Unclassified 18. SECURITY CLASSIFICATION OF...announced the launch of Google Apps for Government, adapting Google’s widely popular freeware for government agency usage. This study analyzes the

6 CFR 27.215 - Security vulnerability assessments.

Code of Federal Regulations, 2010 CFR

2010-01-01

... 6 Domestic Security 1 2010-01-01 2010-01-01 false Security vulnerability assessments. 27.215... FACILITY ANTI-TERRORISM STANDARDS Chemical Facility Security Program § 27.215 Security vulnerability...-risk, the facility must complete a Security Vulnerability Assessment. A Security Vulnerability...

78 FR 37371 - Wassenaar Arrangement 2012 Plenary Agreements Implementation: Commerce Control List, Definitions...

Federal Register 2010, 2011, 2012, 2013, 2014

2013-06-20

...The Bureau of Industry and Security (BIS) maintains, as part of its Export Administration Regulations (EAR), the Commerce Control List (CCL), which identifies certain of the items subject to Department of Commerce jurisdiction. This final rule revises the CCL to implement changes made to the Wassenaar Arrangement's List of Dual-Use Goods and Technologies (Wassenaar List) maintained and agreed to by governments participating in the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (Wassenaar Arrangement, or WA) at the December 2012 WA Plenary Meeting (the Plenary). The Wassenaar Arrangement advocates implementation of effective export controls on strategic items with the objective of improving regional and international security and stability. This rule harmonizes the CCL with the changes made to the WA List at the Plenary by revising ECCNs controlled for national security reasons in each category of the CCL, except category 8, as well as amending the General Software Note, WA reporting requirements, and definitions section in the EAR. BIS is adding unilateral controls to the CCL for specific software and technology for aviation control systems, which the WA agreements removed from the WA List, i.e., EAR national security controls.

Device interoperability and authentication for telemedical appliance based on the ISO/IEEE 11073 Personal Health Device (PHD) Standards.

PubMed

Caranguian, Luther Paul R; Pancho-Festin, Susan; Sison, Luis G

2012-01-01

In this study, we focused on the interoperability and authentication of medical devices in the context of telemedical systems. A recent standard called the ISO/IEEE 11073 Personal Health Device (X73-PHD) Standards addresses the device interoperability problem by defining common protocols for agent (medical device) and manager (appliance) interface. The X73-PHD standard however has not addressed security and authentication of medical devices which is important in establishing integrity of a telemedical system. We have designed and implemented a security policy within the X73-PHD standards. The policy will enable device authentication using Asymmetric-Key Cryptography and the RSA algorithm as the digital signature scheme. We used two approaches for performing the digital signatures: direct software implementation and use of embedded security modules (ESM). The two approaches were evaluated and compared in terms of execution time and memory requirement. For the standard 2048-bit RSA, ESM calculates digital signatures only 12% of the total time for the direct implementation. Moreover, analysis shows that ESM offers more security advantage such as secure storage of keys compared to using direct implementation. Interoperability with other systems was verified by testing the system with LNI Healthlink, a manager software that implements the X73-PHD standard. Lastly, security analysis was done and the system's response to common attacks on authentication systems was analyzed and several measures were implemented to protect the system against them.

Service-oriented Software Defined Optical Networks for Cloud Computing

NASA Astrophysics Data System (ADS)

Liu, Yuze; Li, Hui; Ji, Yuefeng

2017-10-01

With the development of big data and cloud computing technology, the traditional software-defined network is facing new challenges (e.g., ubiquitous accessibility, higher bandwidth, more flexible management and greater security). This paper proposes a new service-oriented software defined optical network architecture, including a resource layer, a service abstract layer, a control layer and an application layer. We then dwell on the corresponding service providing method. Different service ID is used to identify the service a device can offer. Finally, we experimentally evaluate that proposed service providing method can be applied to transmit different services based on the service ID in the service-oriented software defined optical network.

49 CFR 1540.203 - Security threat assessment.

Code of Federal Regulations, 2011 CFR

2011-10-01

... 49 Transportation 9 2011-10-01 2011-10-01 false Security threat assessment. 1540.203 Section 1540... Security Threat Assessments § 1540.203 Security threat assessment. (a) Each operator subject to this subpart must ensure that each of the following undergoes a security threat assessment or a comparable...

33 CFR 104.305 - Vessel Security Assessment (VSA) requirements.

Code of Federal Regulations, 2013 CFR

2013-07-01

... security; (ii) Structural integrity; (iii) Personnel protection systems; (iv) Procedural policies; (v... 33 Navigation and Navigable Waters 1 2013-07-01 2013-07-01 false Vessel Security Assessment (VSA... SECURITY MARITIME SECURITY MARITIME SECURITY: VESSELS Vessel Security Assessment (VSA) § 104.305 Vessel...

33 CFR 104.305 - Vessel Security Assessment (VSA) requirements.

Code of Federal Regulations, 2011 CFR

2011-07-01

... security; (ii) Structural integrity; (iii) Personnel protection systems; (iv) Procedural policies; (v... 33 Navigation and Navigable Waters 1 2011-07-01 2011-07-01 false Vessel Security Assessment (VSA... SECURITY MARITIME SECURITY MARITIME SECURITY: VESSELS Vessel Security Assessment (VSA) § 104.305 Vessel...

33 CFR 104.305 - Vessel Security Assessment (VSA) requirements.

Code of Federal Regulations, 2014 CFR

2014-07-01

... security; (ii) Structural integrity; (iii) Personnel protection systems; (iv) Procedural policies; (v... 33 Navigation and Navigable Waters 1 2014-07-01 2014-07-01 false Vessel Security Assessment (VSA... SECURITY MARITIME SECURITY MARITIME SECURITY: VESSELS Vessel Security Assessment (VSA) § 104.305 Vessel...

33 CFR 104.305 - Vessel Security Assessment (VSA) requirements.

Code of Federal Regulations, 2012 CFR

2012-07-01

... security; (ii) Structural integrity; (iii) Personnel protection systems; (iv) Procedural policies; (v... 33 Navigation and Navigable Waters 1 2012-07-01 2012-07-01 false Vessel Security Assessment (VSA... SECURITY MARITIME SECURITY MARITIME SECURITY: VESSELS Vessel Security Assessment (VSA) § 104.305 Vessel...

33 CFR 104.305 - Vessel Security Assessment (VSA) requirements.

Code of Federal Regulations, 2010 CFR

2010-07-01

... security; (ii) Structural integrity; (iii) Personnel protection systems; (iv) Procedural policies; (v... 33 Navigation and Navigable Waters 1 2010-07-01 2010-07-01 false Vessel Security Assessment (VSA... SECURITY MARITIME SECURITY MARITIME SECURITY: VESSELS Vessel Security Assessment (VSA) § 104.305 Vessel...

Technical Reference Suite Addressing Challenges of Providing Assurance for Fault Management Architectural Design

NASA Technical Reports Server (NTRS)

Fitz, Rhonda; Whitman, Gerek

2016-01-01

Research into complexities of software systems Fault Management (FM) and how architectural design decisions affect safety, preservation of assets, and maintenance of desired system functionality has coalesced into a technical reference (TR) suite that advances the provision of safety and mission assurance. The NASA Independent Verification and Validation (IV&V) Program, with Software Assurance Research Program support, extracted FM architectures across the IV&V portfolio to evaluate robustness, assess visibility for validation and test, and define software assurance methods applied to the architectures and designs. This investigation spanned IV&V projects with seven different primary developers, a wide range of sizes and complexities, and encompassed Deep Space Robotic, Human Spaceflight, and Earth Orbiter mission FM architectures. The initiative continues with an expansion of the TR suite to include Launch Vehicles, adding the benefit of investigating differences intrinsic to model-based FM architectures and insight into complexities of FM within an Agile software development environment, in order to improve awareness of how nontraditional processes affect FM architectural design and system health management. The identification of particular FM architectures, visibility, and associated IV&V techniques provides a TR suite that enables greater assurance that critical software systems will adequately protect against faults and respond to adverse conditions. Additionally, the role FM has with regard to strengthened security requirements, with potential to advance overall asset protection of flight software systems, is being addressed with the development of an adverse conditions database encompassing flight software vulnerabilities. Capitalizing on the established framework, this TR suite provides assurance capability for a variety of FM architectures and varied development approaches. Research results are being disseminated across NASA, other agencies, and the software community. This paper discusses the findings and TR suite informing the FM domain in best practices for FM architectural design, visibility observations, and methods employed for IV&V and mission assurance.

49 CFR 1540.209 - Fees for security threat assessment.

Code of Federal Regulations, 2010 CFR

2010-10-01

... 49 Transportation 9 2010-10-01 2010-10-01 false Fees for security threat assessment. 1540.209...: GENERAL RULES Security Threat Assessments § 1540.209 Fees for security threat assessment. This section describes the payment process for completion of the security threat assessments required under subpart. (a...

Security Protection on Trust Delegated Data in Public Mobile Networks

NASA Astrophysics Data System (ADS)

Weerasinghe, Dasun; Rajarajan, Muttukrishnan; Rakocevic, Veselin

This paper provides detailed solutions for trust delegation and security protection for medical records in public mobile communication networks. The solutions presented in this paper enable the development of software for mobile devices that can be used by emergency medical units in urgent need of sensitive personal information about unconscious patients. In today's world, technical improvements in mobile communication systems mean that users can expect to have access to data at any time regardless of their location. This paper presents a token-based procedure for the data security at a mobile device and delegation of trust between a requesting mobile unit and secure medical data storage. The data security at the mobile device is enabled using identity based key generation methodology.

Software Acquisition in the Age of Cyber Warfare

DTIC Science & Technology

2011-05-01

s c h o o l o f S Y S T E M S a n d L O G I S T I C S education service research Software Acquisition in the Age of Cyber Warfare Maj...DATE MAY 2011 2. REPORT TYPE 3. DATES COVERED 00-00-2011 to 00-00-2011 4. TITLE AND SUBTITLE Software Acquisition in the Age of Cyber Warfare 5a...AFIT Cyber 200/300 Courses Cyber Warfare IDE Program 34 Special Emphasis On… Enterprise Integration (Active Directory, PKI) Security

The Many Faces of a Software Engineer in a Research Community

DOE Office of Scientific and Technical Information (OSTI.GOV)

Marinovici, Maria C.; Kirkham, Harold

2013-10-14

The ability to gather, analyze and make decisions based on real world data is changing nearly every field of human endeavor. These changes are particularly challenging for software engineers working in a scientific community, designing and developing large, complex systems. To avoid the creation of a communications gap (almost a language barrier), the software engineers should possess an ‘adaptive’ skill. In the science and engineering research community, the software engineers must be responsible for more than creating mechanisms for storing and analyzing data. They must also develop a fundamental scientific and engineering understanding of the data. This paper looks atmore » the many faces that a software engineer should have: developer, domain expert, business analyst, security expert, project manager, tester, user experience professional, etc. Observations made during work on a power-systems scientific software development are analyzed and extended to describe more generic software development projects.« less

Rhinoplasty perioperative database using a personal digital assistant.

PubMed

Kotler, Howard S

2004-01-01

To construct a reliable, accurate, and easy-to-use handheld computer database that facilitates the point-of-care acquisition of perioperative text and image data specific to rhinoplasty. A user-modified database (Pendragon Forms [v.3.2]; Pendragon Software Corporation, Libertyville, Ill) and graphic image program (Tealpaint [v.4.87]; Tealpaint Software, San Rafael, Calif) were used to capture text and image data, respectively, on a Palm OS (v.4.11) handheld operating with 8 megabytes of memory. The handheld and desktop databases were maintained secure using PDASecure (v.2.0) and GoldSecure (v.3.0) (Trust Digital LLC, Fairfax, Va). The handheld data were then uploaded to a desktop database of either FileMaker Pro 5.0 (v.1) (FileMaker Inc, Santa Clara, Calif) or Microsoft Access 2000 (Microsoft Corp, Redmond, Wash). Patient data were collected from 15 patients undergoing rhinoplasty in a private practice outpatient ambulatory setting. Data integrity was assessed after 6 months' disk and hard drive storage. The handheld database was able to facilitate data collection and accurately record, transfer, and reliably maintain perioperative rhinoplasty data. Query capability allowed rapid search using a multitude of keyword search terms specific to the operative maneuvers performed in rhinoplasty. Handheld computer technology provides a method of reliably recording and storing perioperative rhinoplasty information. The handheld computer facilitates the reliable and accurate storage and query of perioperative data, assisting the retrospective review of one's own results and enhancement of surgical skills.

DOE Office of Scientific and Technical Information (OSTI.GOV)

AISL-CRYPTO is a library of cryptography functions supporting other AISL software. It provides various crypto functions for Common Lisp, including Digital Signature Algorithm, Data Encryption Standard, Secure Hash Algorithm, and public-key cryptography.

Study of the Use of Ada in Trusted Computing Bases (TCBs) to be Certified at, or Below, the B3 Level

DTIC Science & Technology

1989-04-01

of th . Each M class, fran Cl throh B3, is described. nTe tor ajor steadings of TcBs, Security policy , Acxntability, Ass-ranre, and D Mnt.Iticn, am...the system’s security policy . Data - Information with a specific physical representation. Discreticnary A C Itrol - A means of restricting access to...including hardware firmware, and software - the cambination of which is responsible for enforcing a security policy . A TCB consists of one or more

Using a Prediction Model to Manage Cyber Security Threats.

PubMed

Jaganathan, Venkatesh; Cherurveettil, Priyesh; Muthu Sivashanmugam, Premapriya

2015-01-01

Cyber-attacks are an important issue faced by all organizations. Securing information systems is critical. Organizations should be able to understand the ecosystem and predict attacks. Predicting attacks quantitatively should be part of risk management. The cost impact due to worms, viruses, or other malicious software is significant. This paper proposes a mathematical model to predict the impact of an attack based on significant factors that influence cyber security. This model also considers the environmental information required. It is generalized and can be customized to the needs of the individual organization.

Using a Prediction Model to Manage Cyber Security Threats

PubMed Central

Muthu Sivashanmugam, Premapriya

2015-01-01

Cyber-attacks are an important issue faced by all organizations. Securing information systems is critical. Organizations should be able to understand the ecosystem and predict attacks. Predicting attacks quantitatively should be part of risk management. The cost impact due to worms, viruses, or other malicious software is significant. This paper proposes a mathematical model to predict the impact of an attack based on significant factors that influence cyber security. This model also considers the environmental information required. It is generalized and can be customized to the needs of the individual organization. PMID:26065024

Connecting to the Internet Securely; Protecting Home Networks CIAC-2324

DOE Office of Scientific and Technical Information (OSTI.GOV)

Orvis, W J; Krystosek, P; Smith, J

2002-11-27

With more and more people working at home and connecting to company networks via the Internet, the risk to company networks to intrusion and theft of sensitive information is growing. Working from home has many positive advantages for both the home worker and the company they work for. However, as companies encourage people to work from home, they need to start considering the interaction of the employee's home network and the company network he connects to. This paper discusses problems and solutions related to protection of home computers from attacks on those computers via the network connection. It does notmore » consider protection of those systems from people who have physical access to the computers nor does it consider company laptops taken on-the-road. Home networks are often targeted by intruders because they are plentiful and they are usually not well secured. While companies have departments of professionals to maintain and secure their networks, home networks are maintained by the employee who may be less knowledgeable about network security matters. The biggest problems with home networks are that: Home networks are not designed to be secure and may use technologies (wireless) that are not secure; The operating systems are not secured when they are installed; The operating systems and applications are not maintained (for security considerations) after they are installed; and The networks are often used for other activities that put them at risk for being compromised. Home networks that are going to be connected to company networks need to be cooperatively secured by the employee and the company so they do not open up the company network to intruders. Securing home networks involves many of the same operations as securing a company network: Patch and maintain systems; Securely configure systems; Eliminate unneeded services; Protect remote logins; Use good passwords; Use current antivirus software; and Moderate your Internet usage habits. Most of these items do not take a lot of work, but require an awareness of the risks involved in not doing them or doing them incorrectly. The security of home networks and communications with company networks can be significantly improved by adding an appropriate software or hardware firewall to the home network and using a protected protocol such as Secure Sockets Layer (SSL), a Virtual Private Network (VPN), or Secure Shell (SSH) for connecting to the company network.« less

Security and Privacy Assurance Research (SPAR) Pilot Final Report

DTIC Science & Technology

2015-11-30

for a single querier interacting with a single encrypted database. In order to deploy the technology, the underlying cryptography must support multiple...underlying cryptography . A full SPAR system should be evaluated too including the software itself. Software should be checked for consistency with...ESPADA included cryptography libraries (e.g., gnutls, nettle, and openssl). Consider a hypothetical scenario in which a vulnerability is discovered in

Using Honeynets and the Diamond Model for ICS Threat Analysis

DTIC Science & Technology

2016-05-11

TR-006 | SOFTWARE ENGINEERING INSTITUTE | CARNEGIE MELLON UNIVERSITY Distribution Statement A: Approved for Public Release; Distribution is...Unlimited Copyright 2016 Carnegie Mellon University This material is based upon work funded and supported by Department of Homeland Security under Contract...No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and

15 CFR 740.10 - License Exception Servicing and replacement of parts and equipment (RPL).

Code of Federal Regulations, 2014 CFR

2014-01-01

... repaired is an “aircraft” (as defined in § 772.1 of the EAR) or is controlled for national security (NS... detection equipment classified under ECCN 2A983 or related software classified under ECCN 2D983. (vi) No... equipment classified under ECCN 2A984 or related software classified under ECCN 2D984. (vii) The conditions...

Secure Enclaves: An Isolation-centric Approach for Creating Secure High Performance Computing Environments

DOE Office of Scientific and Technical Information (OSTI.GOV)

Aderholdt, Ferrol; Caldwell, Blake A.; Hicks, Susan Elaine

High performance computing environments are often used for a wide variety of workloads ranging from simulation, data transformation and analysis, and complex workflows to name just a few. These systems may process data at various security levels but in so doing are often enclaved at the highest security posture. This approach places significant restrictions on the users of the system even when processing data at a lower security level and exposes data at higher levels of confidentiality to a much broader population than otherwise necessary. The traditional approach of isolation, while effective in establishing security enclaves poses significant challenges formore » the use of shared infrastructure in HPC environments. This report details current state-of-the-art in virtualization, reconfigurable network enclaving via Software Defined Networking (SDN), and storage architectures and bridging techniques for creating secure enclaves in HPC environments.« less

Secure Embedded System Design Methodologies for Military Cryptographic Systems

DTIC Science & Technology

2016-03-31

Fault- Tree Analysis (FTA); Built-In Self-Test (BIST) Introduction Secure access-control systems restrict operations to authorized users via methods...failures in the individual software/processor elements, the question of exactly how unlikely is difficult to answer. Fault- Tree Analysis (FTA) has a...Collins of Sandia National Laboratories for years of sharing his extensive knowledge of Fail-Safe Design Assurance and Fault- Tree Analysis

Automatic Inference of Cryptographic Key Length Based on Analysis of Proof Tightness

DTIC Science & Technology

2016-06-01

within an attack tree structure, then expand attack tree methodology to include cryptographic reductions. We then provide the algorithms for...maintaining and automatically reasoning about these expanded attack trees . We provide a software tool that utilizes machine-readable proof and attack metadata...and the attack tree methodology to provide rapid and precise answers regarding security parameters and effective security. This eliminates the need

A Survey on Security Isolation of Virtualization, Containers, and Unikernels

DTIC Science & Technology

2017-05-01

this report are not to be construed as an official Department of the Army position unless so designated by other authorized documents. Citation of...characteristics is necessary to understand the potential threats. Each of these technologies contains subtle differences in the methodology and...technologies contains subtle differences in the methodology and software architecture to provide secure isolation between guests. All 3 of these

United States Homeland Security and National Biometric Identification

DTIC Science & Technology

2002-04-09

security number. Biometrics is the use of unique individual traits such as fingerprints, iris eye patterns, voice recognition, and facial recognition to...technology to control access onto their military bases using a Defense Manpower Management Command developed software application. FACIAL Facial recognition systems...installed facial recognition systems in conjunction with a series of 200 cameras to fight street crime and identify terrorists. The cameras, which are

Specification and Verification of Secure Concurrent and Distributed Software Systems

DTIC Science & Technology

1992-02-01

primitive search strategies work for operating systems that contain relatively few operations . As the number of operations increases, so does the the...others have granted him access to, etc . The burden of security falls on the operating system , although appropriate hardware support can minimize the...Guttag, J. Horning, and R. Levin. Synchronization primitives for a multiprocessor: a formal specification. Symposium on Operating System Principles

High Speed Oblivious Random Access Memory (HS-ORAM)

DTIC Science & Technology

2015-09-01

Bryan Parno, “Non-interactive verifiable computing: Outsourcing computation to untrusted workers”, 30th International Cryptology Conference, pp. 465...holder or any other person or corporation; or convey any rights or permission to manufacture , use, or sell any patented invention that may relate to...secure outsourced data access protocols. HS-ORAM deploys a number of server- side software components running inside tamper-proof secure coprocessors