Helen Kapodistria, Sarandis Mitropoulos and Christos Douligeris
Abstract
Purpose
The purpose of this paper is to introduce a new tool which detects, prevents and records common web attacks that mainly result in web application information leaks, using pattern recognition. It is a cross-platform application; that is, it is neither OS-dependent nor web-server-dependent. It offers a flexible attack search engine, which scans HTTP requests and responses while a web page is being served without affecting web server performance.
Design/methodology/approach
The paper starts with a study of the best-known web vulnerabilities and the ways they can be exploited. It then focuses on those web attacks based on input validation, which are the ones the new tool detects through pattern recognition. The tool acts as a proxy server with a simple GUI for administration purposes. Patterns can be detected in both HTTP requests and responses in an extensible and manageable way.
Findings
The new tool was compared to dotDefender, a commercial web application firewall, and ModSecurity, a widely used open source application firewall, using over 200 attack patterns. The new tool had satisfactory results, with a high success rate, for every attack category examined. Results for stored XSS could not be compared, since the other tools are not able to search for and detect them in HTTP responses. Because the new tool is very extensible, it leaves room for future work.
Originality/value
This paper introduces a new web server plug-in, which has some advanced web application firewall features with a flexible attack search engine that scans HTTP requests and responses. By scanning HTTP responses, attacks such as stored XSS can be detected, a feature that cannot be found in other web application firewalls.
Hannes Holm and Mathias Ekstedt
Abstract
Purpose
The purpose of this paper is to estimate the effectiveness of web application firewalls (WAFs) at preventing injection attacks by professional penetration testers given presence or absence of four conditions: whether there is an experienced operator monitoring the WAF; whether an automated black box tool has been used when tuning the WAF; whether the individual tuning the WAF is an experienced professional; and whether significant effort has been spent tuning the WAF.
Design/methodology/approach
Estimates on the effectiveness of WAFs are made for 16 operational scenarios utilizing judgments by 49 domain experts participating in a web survey. The judgments of these experts are pooled using Cooke's classical method.
Findings
The results show that the median prevention rate of a WAF is 80 percent if all measures have been employed. If no measure is employed then its median prevention rate is 25 percent. Also, there are no strong dependencies between any of the studied measures.
Research limitations/implications
The results are only valid for the attacker profile of a professional penetration tester who prepares for one week to attack a web application (WA) protected by a WAF.
Practical implications
The competence of the individual(s) tuning a WAF, employment of an automated black box tool for tuning and the manual effort spent on tuning are of great importance for the effectiveness of a WAF. The presence of an operator monitoring it has minor positive influence on its effectiveness.
Originality/value
WA vulnerabilities are widely considered a serious concern. To manage them in deployed software, many enterprises employ WAFs. However, the effectiveness of this type of countermeasure under different operational scenarios is largely unknown.
Abstract
Purpose
Security assurance evaluation (SAE) is a well-established approach for assessing the effectiveness of security measures in systems. However, one aspect that is often overlooked in these evaluations is the assurance context in which they are conducted. This paper aims to explore the role of assurance context in system SAEs and proposes a conceptual model to integrate the assurance context into the evaluation process.
Design/methodology/approach
The conceptual model highlights the interrelationships between the various elements of the assurance context, including system boundaries, stakeholders, security concerns, regulatory compliance and assurance assumptions.
Findings
By introducing the proposed conceptual model, this research provides a framework for incorporating the assurance context into SAEs and offers insights into how it can influence the evaluation outcomes.
Originality/value
By delving into the concept of assurance context, this research seeks to shed light on how it influences the scope, methodologies and outcomes of assurance evaluations, ultimately enabling organizations to strengthen their system security postures and mitigate risks effectively.
Ali Katouzian Bolourforoush and Hamid Jahankhani
Abstract
Banking traces back to 2000 BC in Assyria, India and Sumeria. Merchants used to give grain loans to farmers and to traders carrying goods between cities. In ancient Greece and the Roman Empire, lenders in temples provided loans and accepted deposits while also exchanging money. Archaeological evidence uncovered in India and China corroborates this. The major development in banking came predominantly in medieval and Renaissance Italy, with the major cities of Florence, Venice and Genoa being the financial centres. Technology has become an inherent and integral part of our lives. We are generating a huge amount of data in transfer, storage and usage, with greater demands for ubiquitous accessibility, inducing an enormous impact on industry and society. With the emergence of smarter cities and societies, the security challenges pertinent to data become greater, with an impending impact on consumer protection and security. The aim of this chapter is to examine whether SSI and passwordless authentication using the FIDO-2 protocol assuage security concerns such as authentication and authorisation while preserving the individual's privacy.
Abstract
Purpose
The Kingdom of Saudi Arabia (KSA) is embracing digital transformation and e-government services, aiming to improve efficiency, accessibility and citizen-centricity. Nonetheless, the country faces challenges such as evolving cyber threats. The purpose of this study is to investigate the factors influencing cybersecurity practices to ensure the reliability and security of e-government services.
Design/methodology/approach
This paper investigates the multifaceted dynamics of cybersecurity practices and their impact on the quality and effectiveness of e-government services. Five key factors explored include organizational culture, technology infrastructure, adherence to standards and regulations, employee training and awareness and financial investment in cybersecurity. This study used a quantitative method to gather data from 320 participants. The researcher collected 285 completed questionnaires, excluding unusable or incomplete responses, and analyzed the final data set using partial least squares structural equation modeling.
Findings
The findings show that financial investment in cybersecurity, employee training and awareness and adherence to cybersecurity regulations significantly influence the adoption of robust cybersecurity practices. However, the relationship between organizational culture and cybersecurity practices is less straightforward. The research establishes a strong positive correlation between cybersecurity practices and e-government service quality, highlighting the role of security in fostering public trust and user satisfaction and meeting the evolving needs of citizens and businesses.
Originality/value
This research contributes valuable empirical evidence to the fields of e-government and cybersecurity, offering insights that can inform evidence-based policy decisions and resource allocation. By understanding the nuanced dynamics at play, Saudi Arabia is better poised to fortify its digital governance infrastructure and provide secure, high-quality e-government services to its constituents.
Abstract
Purpose
The purpose of this paper is to identify and investigate the security issues an organisation operating in the “new” online environment is exposed to through Web 2.0 applications, with specific focus on unauthorised access (encompassing hackers). The study aims to recommend possible safeguards to mitigate these incremental risks to an acceptable level.
Design/methodology/approach
An extensive literature review was performed to obtain an understanding of the technologies driving Web 2.0 applications. Thereafter, the technologies were mapped against Control Objectives for Information and Related Technology (CobiT) and Trust Service Principles and Criteria and associated control objectives relating to security risks, specifically to hacker risks. These objectives were used to identify relevant risks and formulate appropriate internal control measures.
Findings
The findings show that every organisation, technology and application is unique and the safeguards depend on the nature of the organisation, information at stake, degree of vulnerability and risks. A comprehensive security program, including a multi‐layer technological, as well as an administrative component, should be implemented. User training on acceptable practices should also be conducted.
Originality/value
Obtaining an understanding of Web 2.0 and Web 2.0 security is important, as Web 2.0 is a new, poorly understood technology and with the growing mobility of users, the potential surface area of attack increases and should be managed. The paper will help organisations, information repository managers, information technology (IT) professionals, librarians and internal and external auditors to understand the “new” risks relating to unauthorised access, which previously did not exist in an on‐line environment, and will assist the development of a framework to limit the most significant risks.
Abstract
Aims to establish a basic conceptual framework for understanding extranet implementation guidelines. Provides a specific case using VF Playwear, Inc.’s HealthTexbtob.com, a business‐to‐business extranet for linking VF with its customers. Owing to the heavy pressure to create a Web presence in the digital marketspace, some firms have found it beneficial to work with e‐business solution providers that can assist them through the critical points of the development life cycle. VF Playwear, Inc. manufactures children’s clothing and is part of the VF Corporation umbrella that supplies such well‐known clothing brands as Wrangler, Lee, Rustler, Vanity Fair, and Vassarette, among others. Lessons learned by VF Playwear, Inc., in close collaboration with MERANT E‐Solutions (enterprise solutions) and Egility I‐Solutions (infrastructure solutions), are featured in this case study.
Victoria Skoularidou and Diomidis Spinellis
Abstract
Enumerates and compares a number of security-enabling architectures for network clients. These architectures, either proposed as methodologies or currently implemented in software and/or hardware, are capable of protecting the client's software integrity and its environment. The most important methodologies include the reference monitor model, firewalls and virtual machines. Software implementations are the Java Sandbox and the code signing concept. Hardware that can be used includes smart cards and the TCPA/Palladium security initiative. Describes their most important features and provides a review and comparative study based on a number of criteria. Believes that ongoing research can empower these mechanisms to protect network clients more effectively.
H. Joseph Wen and Jyh‐Horng Michael Tarn
Abstract
The Internet itself was not designed with security in mind. It was originally designed for research purposes, with open access to willing and able participants. Only recently, with the influx of thousands, if not millions, of users, have the stakes been raised and very serious security concerns brought to light. Following an overview of the threats of Internet‐based electronic commerce, this paper discusses two Internet firewall architectures and seven Internet access control technologies. A case study of how a small company, SunCom Int’l Corporation (SIC), selected its Internet firewall is presented. Finally, this paper concludes with a summary and the future of the Internet firewall.
Tim Finin, Li Ding, Lina Zhou and Anupam Joshi
Abstract
Purpose
Aims to investigate the way that the semantic web is being used to represent and process social network information.
Design/methodology/approach
The Swoogle semantic web search engine was used to construct several large data sets of Resource Description Framework (RDF) documents with social network information that were encoded using the “Friend of a Friend” (FOAF) ontology. The datasets were analyzed to discover how FOAF is being used and investigate the kinds of social networks found on the web.
Findings
The FOAF ontology is the most widely used domain ontology on the semantic web. People are using it in an open and extensible manner by defining new classes and properties to use with FOAF.
Research limitations/implications
RDF data was only obtained from public RDF documents published on the web. Some RDF FOAF data may be unavailable because it is behind firewalls, on intranets or stored in private databases. The ways in which the semantic web languages RDF and OWL are being used (and abused) are dynamic and still evolving. A similar study done two years from now may show very different results.
Originality/value
This paper describes how social networks are being encoded and used on the world wide web in the form of RDF documents and the FOAF ontology. It provides data on large social networks as well as insights on how the semantic web is being used in 2005.