Search results

Penetration tests have become a valuable tool in the cyber security defence strategy in terms of detecting vulnerabilities. Although penetration testing has traditionally focussed on technical aspects, the field has started to realise the importance of the human in the organisation, and the need to ensure that humans are resistant to cyberattacks. To achieve this, some organisations “pentest” their employees, testing their resilience and ability to detect and repel human-targeted attacks. In a previous paper, the authors reported on PoinTER (Prepare TEst Remediate), a human pentesting framework, tailored to the needs of SMEs. This paper aims to propose improvements to refine the framework. The improvements are based on a derived set of ethical principles that have been subjected to ethical scrutiny

The authors conducted a systematic literature review of academic research, a review of actual hacker techniques, industry recommendations and official body advice related to social engineering techniques. To meet the requirements to have an ethical human pentesting framework, the authors compiled a list of ethical principles from the research literature which they used to filter out techniques deemed unethical.

Drawing on social engineering techniques from academic research, reported by the hacker community, industry recommendations and official body advice and subjecting each technique to ethical inspection, using a comprehensive list of ethical principles, the authors propose the refined GDPR-compliant and privacy respecting PoinTER framework. The list of ethical principles, as suggested, could also inform ethical technical pentests.

Previous work has considered penetration testing humans, but few have produced a comprehensive framework such as PoinTER. PoinTER has been rigorously derived from multiple sources and ethically scrutinised through inspection, using a comprehensive list of ethical principles derived from the research literature.

Cybersecurity competitions can effectively develop skills, but engaging a wide learner spectrum is challenging. This study aims to investigate the perceptions of cybersecurity competitions among Reddit users. These users constitute a substantial demographic of young individuals, often participating in communities oriented towards college students or cybersecurity enthusiasts. The authors specifically focus on novice learners who showed an interest in cybersecurity but have not participated in competitions. By understanding their views and concerns, the authors aim to devise strategies to encourage their continuous involvement in cybersecurity learning. The Reddit platform provides unique access to this significant demographic, contributing to enhancing and diversifying the cybersecurity workforce.

The authors propose to mine Reddit posts for information about learners’ attitudes, interests and experiences with cybersecurity competitions. To mine Reddit posts, the authors developed a text mining approach that integrates computational text mining and qualitative content analysis techniques, and the authors discussed the advantages of the integrated approach.

The authors' text mining approach was successful in extracting the major themes from the collected posts. The authors found that motivated learners would want to form a strategic way to facilitate their learning. In addition, hope and fear collide, which exposes the learners’ interests and challenges.

The authors discussed the findings to provide education and training experts with a thorough understanding of novice learners, allowing them to engage them in the cybersecurity industry.

Wireless technologies have enhanced applications mobility in no small way. They have created new and increasing number of human‐related challenges particularly in the areas of wireless‐based applications such as Mobile Marketing (Marketing). Bluetooth wireless technology is a completely new method through which devices within a short radius can communicate effectively. This paper explores wireless technologies world for marketing purposes, focusing on Bluetooth as an example to build a system that provides an interactive Bluetooth station for marketing purposes. The Bluetooth station includes Bluetooth profile (OBEX), server, and client applications.

Nowadays, there are billions interconnected devices forming Cyber-Physical Systems (CPS), Internet of Things (IoT) and Industrial Internet of Things (IIoT) ecosystems. With an increasing number of devices and systems in use, amount and the value of data, the risks of security breaches increase. One of these risks is posed by open data sources, which are databases that are not properly protected. These poorly protected databases are accessible to external actors, which poses a serious risk to the data holder and the results of data-related activities such as analysis, forecasting, monitoring, decision-making, policy development, and the whole contemporary society. This chapter aims at examining the state of the security of open data databases representing both relational databases and NoSQL, with a particular focus on a later category.

Cyber resilience in cyber supply chain (CSC) systems security has become inevitable as attacks, risks and vulnerabilities increase in real-time critical infrastructure systems with little time for system failures. Cyber resilience approaches ensure the ability of a supply chain system to prepare, absorb, recover and adapt to adverse effects in the complex CPS environment. However, threats within the CSC context can pose a severe disruption to the overall business continuity. The paper aims to use machine learning (ML) techniques to predict threats on cyber supply chain systems, improve cyber resilience that focuses on critical assets and reduce the attack surface.

The approach follows two main cyber resilience design principles that focus on common critical assets and reduce the attack surface for this purpose. ML techniques are applied to various classification algorithms to learn a dataset for performance accuracies and threats predictions based on the CSC resilience design principles. The critical assets include Cyber Digital, Cyber Physical and physical elements. We consider Logistic Regression, Decision Tree, Naïve Bayes and Random Forest classification algorithms in a Majority Voting to predicate the results. Finally, we mapped the threats with known attacks for inferences to improve resilience on the critical assets.

The paper contributes to CSC system resilience based on the understanding and prediction of the threats. The result shows a 70% performance accuracy for the threat prediction with cyber resilience design principles that focus on critical assets and controls and reduce the threat.

Therefore, there is a need to understand and predicate the threat so that appropriate control actions can ensure system resilience. However, due to the invincibility and dynamic nature of cyber attacks, there are limited controls and attributions. This poses serious implications for cyber supply chain systems and its cascading impacts.

ML techniques are used on a dataset to analyse and predict the threats based on the CSC resilience design principles.

There are no social implications rather it has serious implications for organizations and third-party vendors.

The originality of the paper lies in the fact that cyber resilience design principles that focus on common critical assets are used including Cyber Digital, Cyber Physical and physical elements to determine the attack surface. ML techniques are applied to various classification algorithms to learn a dataset for performance accuracies and threats predictions based on the CSC resilience design principles to reduce the attack surface for this purpose.

The proliferation of mobile phones with integrated sensors makes large scale sensing possible at low cost. During mobile sensing, data mostly contain sensitive information of users such as their real-time location. When such information are not effectively secured, users’ privacy can be violated due to eavesdropping and information disclosure. In this paper, we demonstrated the possibility of unauthorized access to location information of a user during sensing due to the ineffective security mechanisms in most sensing applications. We analyzed 40 apps downloaded from Google Play Store and results showed a 100% success rate in traffic interception and disclosure of sensitive information of users. As a countermeasure, a security scheme which ensures encryption and authentication of sensed data using Advanced Encryption Standard 256-Galois Counter Mode was proposed. End-to-end security of location and motion data from smartphone sensors are ensured using the proposed security scheme. Security analysis of the proposed scheme showed it to be effective in protecting Android based sensor data against eavesdropping, information disclosure and data modification.