Implementing the CoSaWoE models in a commercial workflow product
- Authors: Erwee, Carmen
- Date: 2005
- Subjects: Computers -- Access control , Workflow , Computer security , Data protection
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: vital:9732 , http://hdl.handle.net/10948/169 , Computers -- Access control , Workflow , Computer security , Data protection
- Description: Workflow systems have gained popularity not only as a research topic, but also as a key component of Enterprise Resource Planning packages and e-business. Comprehensive workflow products that automate intra- as well as inter-organizational information flow are now available for commercial use. Standardization efforts have centered mostly around the interoperability of these systems; however, a standard access control model has yet to be adopted. The research community has developed several models for access control to be included as part of workflow functionality. Commercial systems, however, are still implementing access control functionality in a proprietary manner. This dissertation investigates whether a comprehensive model for gaining context-sensitive access control, namely CoSAWoE, can be purposefully implemented in a commercial workflow product. Using methods such as an exploratory prototype, various aspects of the model were implemented to gain an understanding of the difficulties developers face when attempting to map the model to existing proprietary software. Oracle Workflow was chosen as an example of a commercial workflow product. An investigation of the features of this product, together with the prototype, revealed the ability to affect access control in a similar manner to the model: by specifying access control constraints during administration and design, and then enforcing those constraints dynamically during run-time. However, only certain components within these two aspects of the model directly affected the commercial workflow product. It was argued that the first two requirements of context-sensitive access control, order of events and strict least privilege, addressed by the object design, role engineering and session control components of the model, can be simulated if such capabilities are not pertinently available as part of the product. As such, guidelines were provided for how this can be achieved in Oracle Workflow.
However, most of the implementation effort focused on the last requirement of context-sensitive access control, namely separation of duties. The CoSAWoE model proposes SoD administration steps that include expressing various business rules through a set of conflicting entities which are maintained outside the scope of the workflow system. This component was implemented easily enough through tables created in a relational database. Evaluating these conflicts during run-time to control worklist generation proved more difficult. First, a thorough understanding of the way in which workflow history is maintained was necessary. A re-usable function was developed to prune user lists according to user involvement in previous tasks in the workflow and the conflicts specified for those users and tasks. However, due to the lack of a central access control service, this re-usable function must be included in the appropriate places in the workflow process model. Furthermore, the dissertation utilized a practical example to develop a prototype. This prototype served a dual purpose: firstly, to aid the author's understanding of the features and principles involved, and secondly, to illustrate and explore the implementation of the model as described in the previous paragraphs. In conclusion, the dissertation summarized the CoSAWoE model's components which were found to be product agnostic, directly or indirectly implementable, or not implemented in the chosen workflow product. The lessons learnt and issues surrounding the implementation effort were also discussed before further research in terms of XML documents as data containers for the workflow process was suggested.
- Full Text:
- Date Issued: 2005
The cost of free instant messaging: an attack modelling perspective
- Authors: Du Preez, Riekert
- Date: 2006
- Subjects: Computer security , Instant messaging , Data protection
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: vital:9797 , http://hdl.handle.net/10948/499 , http://hdl.handle.net/10948/d1011921 , Computer security , Instant messaging , Data protection
- Description: Instant Messaging (IM) has grown tremendously over the last few years. Even though IM was originally developed as a social chat system, it has found a place in many companies, where it is being used as an essential business tool. However, many businesses rely on free IM and have not implemented a secure corporate IM solution. Most free IM clients were never intended for use in the workplace and, therefore, lack strong security features and administrative control. Consequently, free IM clients can provide attackers with an entry point for malicious code in an organization’s network that can ultimately lead to a company’s information assets being compromised. Therefore, even though free IM allows for better collaboration in the workplace, it comes at a cost, as the title of this dissertation suggests. This dissertation sets out to answer the question of how free IM can facilitate an attack on a company’s information assets. To answer the research question, the dissertation defines an IM attack model that models the ways in which an information system can be attacked when free IM is used within an organization. The IM attack model was created by categorising IM threats using the STRIDE threat classification scheme. The attacks that realize the categorised threats were then modelled using attack trees as the chosen attack modelling tool. Attack trees were chosen because of their ability to model the sequence of attacker actions during an attack. The author defined an enhanced graphical notation that was adopted for the attack trees used to create the IM attack model. The enhanced attack tree notation extends traditional attack trees to allow nodes in the trees to be of different classes and, therefore, allows attack trees to convey more information. During the process of defining the IM attack model, a number of experiments were conducted where IM vulnerabilities were exploited. 
Thereafter, a case study was constructed to document a simulated attack on an information system that involves the exploitation of IM vulnerabilities. The case study demonstrates how an attacker’s attack path relates to the IM attack model in a practical scenario. The IM attack model provides insight into how IM can facilitate an attack on a company’s information assets. The creation of the attack model for free IM led to several realizations. The IM attack model revealed that even though the use of free IM clients may seem harmless, such IM clients can facilitate an attack on a company’s information assets. Furthermore, certain IM vulnerabilities may not pose a great risk by themselves, but when combined with the exploitation of other vulnerabilities, a much greater threat can be realized. These realizations hold true to what French playwright Jean Anouilh once said: “What you get free costs too much”.
- Full Text:
- Date Issued: 2006
NeGPAIM : a model for the proactive detection of information security intrusions, utilizing fuzzy logic and neural network techniques
- Authors: Botha, Martin
- Date: 2003
- Subjects: Computer security , Fuzzy logic , Neural networks (Computer science)
- Language: English
- Type: Thesis , Doctoral , DTech (Computer Studies)
- Identifier: vital:10792 , http://hdl.handle.net/10948/142 , Computer security , Fuzzy logic , Neural networks (Computer science)
- Description: “Information is the lifeblood of any organisation and everything an organisation does involves using information in some way” (Peppard, 1993, p.5). Therefore, it can be argued that information is an organisation’s most precious asset and, as with all other assets, like equipment, money, personnel, and so on, this asset needs to be protected properly at all times (Whitman & Mattord, 2003, pp.1-14). The introduction of modern technologies, such as e-commerce, will not only increase the value of information, but will also increase the security requirements of those organisations that intend to utilise such technologies. Evidence of these requirements can be observed in the 2001 CSI/FBI Computer Crime and Security Survey (Power, 2001). According to this source, the annual financial losses caused through security breaches in 2001 increased by 277% when compared to the results from 1997. The 2002 and 2003 Computer Crime and Security Surveys confirm this by stating that the threat of computer crime and other related information security breaches continues unabated and that the financial toll is mounting (Richardson, 2003). Information is normally protected by means of a process of identifying, implementing, managing and maintaining a set of information security controls, countermeasures or safeguards (GMITS, 1998). In the rest of this thesis, the term security controls will be used when referring to information protection mechanisms or procedures. These security controls can be of a physical (for example, door locks), a technical (for example, passwords) and/or a procedural nature (for example, making back-up copies of critical files) (Pfleeger, 2003, pp.22-23; Stallings, 1995, p.1).
The effective identification, implementation, management and maintenance of this set of security controls are usually integrated into an Information Security Management Program, the objective of which is to ensure an acceptable level of information confidentiality, integrity and availability within the organisation at all times (Pfleeger, 2003, pp.10-12; Whitman & Mattord, 2003, pp.1-14; Von Solms, 1993). Once the most effective security controls have been identified and implemented, it is important that this level of security be maintained through a process of continued control. For this reason, it is important that proper change management, measurement, audit, monitoring and detection be implemented (Bruce & Dempsey, 1997). Monitoring and detection are important functions and refer to the ability to identify and detect situations where information security policies have been compromised and/or breached or security violations have taken place (BS 7799, 1999; GMITS, 1998; Von Solms, 1993). The Information Security Officer is usually the person responsible for most of the operational tasks in the control process within an Information Security Management Program (Von Solms, 1993). In practice, these tasks could also be performed by a system administrator, network administrator, etc. In the rest of the thesis the person responsible for these tasks will be referred to as the system administrator. These tasks have proved to be very challenging and demanding. The main reason for this is the rapid advancement of technology in the discipline of Information Technology, for example, the modern distributed computing environment, the Internet, the “freedom” of end-users, the introduction of e-commerce, etc. (Whitman & Mattord, 2003, p.9; Sundaram, 2000, p.1; Moses, 2001, p.6; Allen, 2001, p.1).
As a result of the importance of this control process, and especially the monitoring and detection tasks, it is vital that the system administrator has proper tools at his/her disposal to perform this task effectively. Many of the tools that are currently available to the system administrator utilise technical controls, such as audit logs and user profiles. Audit logs are normally used to record all events executed on a system. These logs are simply files that record security and non-security related events that take place on a computer system within an organisation. For this reason, these logs can be used by these tools to gain valuable information on security violations, such as intrusions, and therefore to monitor the current actions of each user (Microsoft, 2002; Smith, 1989, pp. 116-117). User profiles are files that contain information about users' desktop operating environments and are used by the operating system to structure each user environment so that it is the same each time a user logs onto the system (Microsoft, 2002; Block, 1994, p.54). Thus, a user profile is used to indicate which actions the user is allowed to perform on the system. Both technical controls (audit logs and user profiles) are frequently available in most computer environments (such as UNIX, firewalls, Windows, etc.) (Cooper et al., 1995, p.129). Therefore, seeing that the audit logs record most events taking place on an information system and the user profile indicates the authorised actions of each user, the system administrator could most probably utilise these controls in a more proactive manner.
- Full Text:
- Date Issued: 2003
A multi-threading software countermeasure to mitigate side channel analysis in the time domain
- Authors: Frieslaar, Ibraheem
- Date: 2019
- Subjects: Computer security , Data encryption (Computer science) , Noise generators (Electronics)
- Language: English
- Type: text , Thesis , Doctoral , PhD
- Identifier: http://hdl.handle.net/10962/71152 , vital:29790
- Description: This research is the first of its kind to investigate the utilisation of a multi-threading software-based countermeasure to mitigate Side Channel Analysis (SCA) attacks, with a particular focus on the AES-128 cryptographic algorithm. This investigation is novel, as to our knowledge there has not been a software-based countermeasure relying on multi-threading. The research has been tested on Atmel microcontrollers, as well as on a more fully featured system in the form of the popular Raspberry Pi, which utilises the ARM7 processor. The main contributions of this research are the introduction of a multi-threading software-based countermeasure used to mitigate SCA attacks on both an embedded device and a Raspberry Pi. These threads are comprised of various mathematical operations which are utilised to generate electromagnetic (EM) noise, resulting in the obfuscation of the execution of the AES-128 algorithm. A novel EM noise generator known as the FRIES noise generator is implemented to obfuscate data captured in the EM field. FRIES comprises hiding the execution of the AES-128 algorithm within the EM noise generated by the 512-bit Secure Hash Algorithm (SHA-512) from the libcrypto++ and OpenSSL libraries. In order to evaluate the proposed countermeasure, a novel attack methodology was developed in which the entire secret AES-128 encryption key was recovered from a Raspberry Pi, which had not been achieved before. The FRIES noise generator was pitted against this new attack vector and other known noise generators. The results exhibited that the FRIES noise generator withstood this attack whilst other existing techniques still leaked secret information. The visual location of the AES-128 encryption algorithm in the EM spectrum and key recovery were prevented.
These results demonstrated that the proposed multi-threading software-based countermeasure was resistant to existing and new forms of attacks, thus verifying that a multi-threading software-based countermeasure can serve to mitigate SCA attacks.
- Full Text:
- Date Issued: 2019
File integrity checking
- Authors: Motara, Yusuf Moosa
- Date: 2006
- Subjects: Linux , Operating systems (Computers) , Database design , Computer security
- Language: English
- Type: Thesis , Masters , MSc
- Identifier: vital:4682 , http://hdl.handle.net/10962/d1007701 , Linux , Operating systems (Computers) , Database design , Computer security
- Description: This thesis looks at file execution as an attack vector that leads to the execution of unauthorized code. File integrity checking is examined as a means of removing this attack vector, and the design, implementation, and evaluation of a best-of-breed file integrity checker for the Linux operating system is undertaken. We conclude that the resultant file integrity checker does succeed in removing file execution as an attack vector, does so at a computational cost that is negligible, and displays innovative and useful features that are not currently found in any other Linux file integrity checker.
- Full Text:
- Date Issued: 2006
An investigation of issues of privacy, anonymity and multi-factor authentication in an open environment
- Authors: Miles, Shaun Graeme
- Date: 2012-06-20
- Subjects: Electronic data processing departments -- Security measures , Electronic data processing departments , Privacy, Right of , Computer security , Data protection , Computers -- Access control
- Language: English
- Type: Thesis , Masters , MSc
- Identifier: vital:4656 , http://hdl.handle.net/10962/d1006653 , Electronic data processing departments -- Security measures , Electronic data processing departments , Privacy, Right of , Computer security , Data protection , Computers -- Access control
- Description: This thesis performs an investigation into issues concerning the broad area of Identity and Access Management, with a focus on open environments. Through literature research the issues of privacy, anonymity and access control are identified. The issue of privacy is an inherent problem due to the nature of the digital network environment. Information can be duplicated and modified regardless of the wishes and intentions of the owner of that information unless proper measures are taken to secure the environment. Once information is published or divulged on the network, there is very little way of controlling the subsequent usage of that information. To address this issue a model for privacy is presented that follows the user-centric paradigm of meta-identity. The lack of anonymity, where security measures can be thwarted through the observation of the environment, is a concern for users and systems. By an attacker observing the communication channel and monitoring the interactions between users and systems over a long enough period of time, it is possible to infer knowledge about the users and systems. This knowledge is used to build an identity profile of potential victims to be used in subsequent attacks. To address the problem, mechanisms for providing an acceptable level of anonymity while maintaining adequate accountability (from a legal standpoint) are explored. In terms of access control, the inherent weakness of single-factor authentication mechanisms is discussed. The typical mechanism is the user-name and password pair, which provides a single point of failure. By increasing the factors used in authentication, the amount of work required to compromise the system increases non-linearly. Within an open network, several aspects hinder wide-scale adoption and use of multi-factor authentication schemes, such as token management and the impact on usability.
The framework is developed from a Utopian point of view, with the aim of being applicable to many situations as opposed to a single specific domain. The framework incorporates multi-factor authentication over multiple paths using mobile phones and GSM networks, and explores the usefulness of such an approach. The models are in turn analysed, providing a discussion of the assumptions made and the problems faced by each model.
- Full Text:
A comparative study of CERBER, MAKTUB and LOCKY Ransomware using a Hybridised-Malware analysis
- Authors: Schmitt, Veronica
- Date: 2019
- Subjects: Microsoft Windows (Computer file) , Data protection , Computer crimes -- Prevention , Computer security , Computer networks -- Security measures , Computers -- Access control , Malware (Computer software)
- Language: English
- Type: text , Thesis , Masters , MSc
- Identifier: http://hdl.handle.net/10962/92313 , vital:30702
- Description: There has been a significant increase in the prevalence of Ransomware attacks in the preceding four years to date. This indicates that the battle has not yet been won defending against this class of malware. This research proposes that by identifying the similarities within the operational framework of Ransomware strains, a better overall understanding of their operation and function can be achieved. This, in turn, will aid in a quicker response to future attacks. With the average Ransomware attack taking two hours to be identified, it shows that there is not yet a clear understanding as to why these attacks are so successful. Research into Ransomware is limited by what is currently known on the topic. Due to the limitations of the research the decision was taken to examine only three samples of Ransomware from different families. This was decided due to the complexities and comprehensive nature of the research. The in-depth nature of the research and the time constraints associated with it did not allow for a proof of concept of this framework to be tested on more than three families, but the exploratory work was promising and should be further explored in future research. The aim of the research is to follow the Hybrid-Malware analysis framework, which consists of both static and dynamic analysis phases, in addition to the digital forensic examination of the infected system. This allows for signature-based findings, along with behavioural and forensic findings, all in one. This information allows for a better understanding of how this malware is designed and how it infects and remains persistent on a system. The operating system which has been chosen is Microsoft Windows 7, which is still utilised by a significant proportion of Windows users, especially in the corporate environment.
The experiment process was designed to enable the researcher to collect information regarding the Ransomware and every aspect of its behaviour and communication on a target system. The results can be compared across the three strains to identify the commonalities. The initial hypothesis was that Ransomware variants are all much like an instant cake box: they consist of specific building blocks which remain the same, with the flavouring of the cake mix being the unique feature.
- Full Text:
- Date Issued: 2019
A cyber security awareness and education framework for South Africa
- Authors: Kortjan, Noloxolo
- Date: 2013
- Subjects: Computer networks -- Security measures , Computer crimes -- Prevention , Computer security
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: vital:9811 , http://hdl.handle.net/10948/d1014829
- Description: The Internet is becoming increasingly interwoven in the daily life of many individuals, organisations and nations. It has, to a large extent, had a positive effect on the way people communicate. It has also introduced new avenues for business and has offered nations an opportunity to govern online. Nevertheless, although cyberspace offers an endless list of services and opportunities, it is also accompanied by many risks. One of these risks is cybercrime. The Internet has given criminals a platform on which to grow and proliferate. As a result of the abstract nature of the Internet, it is easy for these criminals to go unpunished. Moreover, many who use the Internet are not aware of such threats; therefore they may themselves be at risk, together with businesses and governmental assets and infrastructure. In view of this, there is a need for cyber security awareness and education initiatives that will promote users who are well versed in the risks associated with the Internet. In this context, it is the role of the government to empower all levels of society by providing the necessary knowledge and expertise to act securely online. However, there is currently a definite lack in South Africa (SA) in this regard, as there are currently no government-led cyber security awareness and education initiatives. The primary research objective of this study, therefore, is to propose a cyber security awareness and education framework for SA that will assist in creating a cyber secure culture in SA among all of its users of the Internet.
- Full Text:
- Date Issued: 2013
A framework to guide cybersecurity governance efforts in non-profit organisations
- Authors: le Roux, Wickus
- Date: 2019
- Subjects: Computer security , Information technology Nonprofit organizations -- security measures
- Language: English
- Type: Thesis , Masters , MPhil
- Identifier: http://hdl.handle.net/10948/44918 , vital:38188
- Description: The average non-profit organisation is faced with the same cybersecurity challenges as an international multi-corporation that generates income. However, it may lack the competencies or resources to fully utilise, implement, monitor, or evaluate cybersecurity governance to a satisfactory or acceptable level. A literature review revealed limited publicly accessible documents to guide NPOs in particular in the task of cybersecurity governance. Therefore, the problem addressed by this research is the lack of a framework to guide cybersecurity governance efforts in non-profit organisations. This real-world problem was approached using the design science paradigm. It was important to identify, firstly, factors unique to the general context of non-profit organisations, including the constraints and limitations faced by non-profit organisations. Secondly, the key cyber risks for non-profit organisations and how they can materialise through the use of emails, social media, and BYODs in the NPO context, were identified. As a third step, available cybersecurity governance guidelines were analysed to determine best practices. This investigation also revealed the people, process, and technology elements as the pillars of information security. This resulted in the development of a framework (the PotLer framework) to guide cybersecurity governance efforts in non-profit organisations based on the input of the three points mentioned above. The framework was constructed around four conceptual elements, namely information security governance; people, process, and technology; governance elements; and key risks. The PotLer framework expands the high-level generic constructs beyond the conceptual space and provides implementation guidance in the form of a questionnaire to be completed by NPOs. The questionnaire was developed as an interactive spreadsheet that requires “Yes” or “No” responses from participants and generates a recommendation based on these answers. 
To evaluate the PotLer framework, the aforementioned questionnaire was completed by four NPOs. An additional questionnaire obtained their input on the utility and comprehensiveness of the framework.
- Full Text:
- Date Issued: 2019
A model for integrating information security into the software development life cycle
- Authors: Futcher, Lynn Ann
- Date: 2007
- Subjects: Computer security , Software maintenance
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: vital:9737 , http://hdl.handle.net/10948/506 , Computer security , Software maintenance
- Description: It is within highly integrated technology environments that information security is becoming a focal point for designing, developing and deploying software applications. Ensuring a high level of trust in the security and quality of these applications is crucial to their ultimate success. Therefore, information security has become a core requirement for software applications, driven by the need to protect critical assets and the need to build and preserve widespread trust in computing. However, a common weakness that is inherent in the traditional software development methodologies is the lack of attention given to the security aspects of software development. Most of these methodologies do not explicitly include a standardised method for incorporating information security into their life cycles. Meaningful security can be achieved when information security issues are considered as part of a routine development process, and security safeguards are integrated into the software application throughout its life cycle. This, in turn, will lead to users being more confident to use software applications, and to entrust today's computer systems with their personal information. To build better or more secure software, an improved software development process is required. Security of a software application must be based on the risk associated with the application. In order to understand this risk, the relevant information assets need to be identified together with their threats and vulnerabilities. Therefore, security considerations provide input into every phase of the Software Development Life Cycle (SDLC), from requirements gathering to design, implementation, testing and deployment. This research project presents a Secure Software Development Model (SecSDM) for incorporating information security into all phases of the SDLC, from requirements gathering to systems maintenance. 
The SecSDM is based on many of the recommendations provided by relevant international standards and best practices, for example, the ISO 7498-2 (1989) standard which addresses the underlying security services and mechanisms that form an integral part of the model.
- Full Text:
- Date Issued: 2007
An exploratory investigation into an Integrated Vulnerability and Patch Management Framework
- Authors: Carstens, Duane
- Date: 2021-04
- Subjects: Computer security , Computer security -- Management , Computer networks -- Security measures , Patch Management , Integrated Vulnerability
- Language: English
- Type: thesis , text , Masters , MSc
- Identifier: http://hdl.handle.net/10962/177940 , vital:42892
- Description: In the rapidly changing world of cybersecurity, the constant increase of vulnerabilities continues to be a prevalent issue for many organisations. Malicious actors are aware that most organisations cannot timeously patch known vulnerabilities and are ill-prepared to protect against newly created vulnerabilities where a signature or an available patch has not yet been created. Consequently, information security personnel face ongoing challenges to mitigate these risks. In this research, the problem of remediation in a world of increasing vulnerabilities is considered. The current paradigm of vulnerability and patch management is reviewed using a pragmatic approach to all associated variables of these services / practices and, as a result, what is working and what is not working in terms of remediation is understood. In addition to the analysis, a taxonomy is created to provide a graphical representation of all associated variables to vulnerability and patch management based on existing literature. Frameworks currently being utilised in the industry to create an effective engagement model between vulnerability and patch management services are considered. The link between quantifying a threat, vulnerability and consequence; what Microsoft has available for patching; and the action plan for resulting vulnerabilities is explored. Furthermore, the processes and means of communication between each of these services are investigated to ensure there is effective remediation of vulnerabilities, ultimately improving the security risk posture of an organisation. In order to effectively measure the security risk posture, progress is measured between each of these services through a single averaged measurement metric. The outcome of the research highlights influencing factors that impact successful vulnerability management, in line with identified themes from the research taxonomy. 
These influencing factors are, however, significantly undermined because resources within the same organisations do not have a clear and consistent understanding of their role, organisational capabilities and objectives for effective vulnerability and patch management within their organisations. , Thesis (MSc) -- Faculty of Science, Computer Science, 2021
- Full Text:
- Date Issued: 2021-04
Applying a framework for IT governance in South African higher education institutions
- Authors: Viljoen, Stephen
- Date: 2005
- Subjects: Computer security , Universities and colleges -- Computer networks -- Security measures -- South Africa , Data protection
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: vital:9739 , http://hdl.handle.net/10948/416 , Computer security , Universities and colleges -- Computer networks -- Security measures -- South Africa , Data protection
- Description: Background: Higher Education (HE), through HE Institutions, plays a very important role in society. There is thus a need for this sector to be well managed, especially with regards to planning, organising, and controlling. Corporate Governance has received a lot of attention in recent times, especially to engender trust on the part of the stakeholders. There are many similarities, but also significant differences in the governance of HE institutions and public companies. Information Technology (IT) plays an extremely important role in the modern organisation, creating huge opportunities, but also increasing the risk to the organisation. Therefore, effective governance of IT in HE Institutions is of great importance.
- Full Text:
- Date Issued: 2005
Phishing within e-commerce: reducing the risk, increasing the trust
- Authors: Megaw, Gregory M
- Date: 2010
- Subjects: Phishing , Identity theft -- Prevention , Electronic commerce , Computer security , Internet -- Safety measures
- Language: English
- Type: Thesis , Masters , MCom (Information Systems)
- Identifier: vital:11131 , http://hdl.handle.net/10353/376 , Phishing , Identity theft -- Prevention , Electronic commerce , Computer security , Internet -- Safety measures
- Description: E-Commerce has been plagued with problems since its inception and this study examines one of these problems: The lack of user trust in E-Commerce created by the risk of phishing. Phishing has grown exponentially together with the expansion of the Internet. This growth and the advancement of technology has not only benefited honest Internet users, but has enabled criminals to increase their effectiveness which has caused considerable damage to this budding area of commerce. Moreover, it has negatively impacted both the user and online business in breaking down the trust relationship between them. In an attempt to explore this problem, the following was considered: First, E-Commerce’s vulnerability to phishing attacks. By referring to the Common Criteria Security Model, various critical security areas within E-Commerce are identified, as well as the areas of vulnerability and weakness. Second, the methods and techniques used in phishing, such as phishing e-mails, websites and addresses, distributed attacks and redirected attacks, as well as the data that phishers seek to obtain, are examined. Furthermore, the way to reduce the risk of phishing and in turn increase the trust between users and websites is identified. Here the importance of Trust and the Uncertainty Reduction Theory plus the fine balance between trust and control is explored. Finally, the study presents Critical Success Factors that aid in phishing prevention and control, these being: User Authentication, Website Authentication, E-mail Authentication, Data Cryptography, Communication, and Active Risk Mitigation.
- Full Text:
- Date Issued: 2010
An investigation of ISO/IEC 27001 adoption in South Africa
- Authors: Coetzer, Christo
- Date: 2015
- Subjects: ISO 27001 Standard , Information technology -- Security measures , Computer security , Data protection
- Language: English
- Type: Thesis , Masters , MSc
- Identifier: vital:4720 , http://hdl.handle.net/10962/d1018669
- Description: The research objective of this study is to investigate the low adoption of the ISO/IEC 27001 standard in South African organisations. This study does not differentiate between the ISO/IEC 27001:2005 and ISO/IEC 27001:2013 versions, as the focus is on adoption of the ISO/IEC 27001 standard. A survey-based research design was selected as the data collection method. The research instruments used in this study include a web-based questionnaire and in-person interviews with the participants. Based on the findings of this research, the organisations that participated in this study have an understanding of the ISO/IEC 27001 standard; however, fewer than a quarter of these have fully adopted the ISO/IEC 27001 standard. Furthermore, the main business objectives for organisations that have adopted the ISO/IEC 27001 standard were to ensure legal and regulatory compliance, and to fulfil client requirements. An Information Security Management System management guide based on the ISO/IEC 27001 Plan-Do-Check-Act model is developed to help organisations interested in the standard move towards ISO/IEC 27001 compliance.
- Full Text:
- Date Issued: 2015
A process maturity framework of information security policy development life cycle
- Authors: Tuyikeze, Tite
- Date: 2014-12
- Subjects: Computer security , Information technology , Computer crimes
- Language: English
- Type: Doctoral theses , text
- Identifier: http://hdl.handle.net/10353/26797 , vital:66010
- Description: Information security policy development involves more than policy formulation and implementation. Unless organisations explicitly recognise the various steps required in the development of a security policy, they run the risk of developing policies that are poorly thought out, incomplete, redundant and irrelevant, and which will not be fully supported by the users. This study argues that an information security policy has an entire life cycle through which it must pass during its useful lifetime. A content analysis on information security policy development methods was conducted using secondary sources in the relevant literature. The outcome of the content analysis resulted in the proposal of a framework of information security policy development and implementation. The proposed framework outlines the various steps required in the development, implementation and enforcement of an effective information security policy. A survey of 400 security professionals was conducted in order to evaluate the concepts contained in the framework. This study also emphasises the importance of integrating a security maturity assessment process into the information security policy development life cycle. A key finding of this study is the proposed maturity assessment framework which offers a structured methodology for evaluating the maturity level of an information security policy. The framework presents an integrated and holistic approach to ensure the incremental process maturity of the organisation’s information security policy development process. In addition, organisations using the proposed framework will be able both to determine the current maturity levels of their information security policy development process and also to plan enhancements in the correct sequence. , Thesis (PhD) -- Faculty of Management and Commerce, 2014
- Full Text:
- Date Issued: 2014-12
Educating users about information security by means of game play
- Authors: Monk, Thomas Philippus
- Date: 2011
- Subjects: Computer security , Educational games -- Design , Computer networks -- Security measures
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: vital:9748 , http://hdl.handle.net/10948/1493 , Computer security , Educational games -- Design , Computer networks -- Security measures
- Description: Information is necessary for any business to function. However, if one does not manage one’s information assets properly then one’s business is likely to be at risk. By implementing Information Security controls, procedures, and/or safeguards one can secure information assets against risks. The risks of an organisation can be mitigated if employees implement safety measures. However, employees are often unable to work securely due to a lack of knowledge. This dissertation evaluates the premise that a computer game could be used to educate employees about Information Security. A game was developed with the aim of educating employees in this regard. If people were motivated to play the game, without external motivation from an organisation, then people would also, indirectly, be motivated to learn about Information Security. Therefore, a secondary aim of this game was to be self-motivating. An experiment was conducted in order to test whether or not these aims were met. The experiment was conducted on a play test group and a control group. The play test group played the game before completing a questionnaire that tested the information security knowledge of participants, while the control group simply completed the questionnaire. The two groups’ answers were compared in order to obtain results. This dissertation discusses the research design of the experiment and also provides an analysis of the results. The game design will be discussed which provides guidelines for future game designers to follow. The experiment indicated that the game is motivational, but perhaps not educational enough. However, the results suggest that a computer game can still be used to teach users about Information Security. Factors that involved consequence and repetition contributed towards the educational value of the game, whilst competitiveness and rewards contributed to the motivational aspect of the game.
- Full Text:
- Date Issued: 2011
Towards understanding and mitigating attacks leveraging zero-day exploits
- Authors: Smit, Liam
- Date: 2019
- Subjects: Computer crimes -- Prevention , Data protection , Hacking , Computer security , Computer networks -- Security measures , Computers -- Access control , Malware (Computer software)
- Language: English
- Type: text , Thesis , Masters , MSc
- Identifier: http://hdl.handle.net/10962/115718 , vital:34218
- Description: Zero-day vulnerabilities are unknown and therefore not addressed, with the result that they can be exploited by attackers to gain unauthorised system access. In order to understand and mitigate against attacks leveraging zero-days or unknown techniques, it is necessary to study the vulnerabilities, exploits and attacks that make use of them. In recent years there have been a number of leaks publishing such attacks using various methods to exploit vulnerabilities. This research seeks to understand what types of vulnerabilities exist, why and how these are exploited, and how to defend against such attacks by either mitigating the vulnerabilities or the method / process of exploiting them. By moving beyond merely remedying the vulnerabilities to defences that are able to prevent or detect the actions taken by attackers, the security of the information system will be better positioned to deal with future unknown threats. An interesting finding is how attackers exploit moving beyond the observable bounds to circumvent security defences, for example, compromising syslog servers, or going down to lower system rings to gain access. However, defenders can counter this by employing defences that are external to the system, preventing attackers from disabling them or removing collected evidence after gaining system access. Attackers are able to defeat air-gaps via the leakage of electromagnetic radiation as well as misdirect attribution by planting false artefacts for forensic analysis and attacking from third party information systems. They analyse the methods of other attackers to learn new techniques. An example of this is the Umbrage project whereby malware is analysed to decide whether it should be implemented as a proof of concept. Another important finding is that attackers respect defence mechanisms such as: remote syslog (e.g. firewall), core dump files, database auditing, and Tripwire (e.g. SlyHeretic). These defences all have the potential to result in the attacker being discovered. Attackers must either negate the defence mechanism or find unprotected targets. Defenders can use technologies such as encryption to defend against interception and man-in-the-middle attacks. They can also employ honeytokens and honeypots to alarm, misdirect, slow down and learn from attackers. By employing various tactics defenders are able to increase their chance of detecting and time to react to attacks, even those exploiting hitherto unknown vulnerabilities. To summarize the information presented in this thesis and to show the practical importance thereof, an examination is presented of the NSA's network intrusion of the SWIFT organisation. It shows that the firewalls were exploited with remote code execution zero-days. This attack has a striking parallel in the approach used in the recent VPNFilter malware. If nothing else, the leaks provide information to other actors on how to attack and what to avoid. However, by studying state actors, we can gain insight into what other actors with fewer resources can do in the future.
- Full Text:
- Date Issued: 2019
Guidelines for the protection of stored sensitive information assets within small, medium and micro enterprises
- Authors: Scharnick, Nicholas
- Date: 2018
- Subjects: Computer security , Information technology -- Security measures , Data protection , Business -- Data processing -- Security measures , Small business -- Data processing -- Security measures -- South Africa
- Language: English
- Type: Thesis , Masters , MIT
- Identifier: http://hdl.handle.net/10948/34799 , vital:33452
- Description: Technology has become important in the business environment as it ensures that a business is competitive and it also drives the business processes. However, in the era of mobile devices, easy access to the internet and a wide variety of other communication mechanisms, the security of the business from a technological perspective is constantly under threat. Thus, the problem that this research aims to address is that there is currently a lack of understanding by SMMEs in protecting their stored sensitive information assets. This study intends to assist small businesses, such as those within the Small Medium and Micro Enterprises (SMME) sector, on how to protect and secure information while it is in storage. SMMEs usually do not have available resources to fully address information security related concerns that could pose a threat to the well-being and success of the business. In order to address the problem identified, and assist SMMEs with better protecting their stored information assets, the outcome of this research is to develop guidelines to assist SMMEs in protecting stored sensitive information assets. Through the use of a qualitative content analysis, a literature review, a number of information security standards, best practices, and frameworks, including the ISO27000 series of standards, COBIT, ITIL, and various NIST publications were analysed to determine how these security approaches address security concerns that arise when considering the storage of sensitive information. Following the literature analysis, a survey was developed and distributed to a wide variety of SMMEs in order to determine what their information security requirements might be, as well as how they address information security. The results obtained from this, coupled with the literature analysis, served as input for the development of a number of guidelines that can assist SMMEs in protecting stored sensitive information assets.
- Full Text:
- Date Issued: 2018
A framework to evaluate usable security in online social networking
- Authors: Yeratziotis, Alexandros
- Date: 2011
- Subjects: Online social networks -- Security measures , Computer security , Data protection
- Language: English
- Type: Thesis , Doctoral , PhD
- Identifier: vital:9807 , http://hdl.handle.net/10948/d1012933
- Description: It is commonly held in the literature that users find security and privacy difficult to comprehend. It is also acknowledged that most end-user applications and websites have built-in security and privacy features. Users are expected to interact with these in order to protect their personal information. However, security is generally a secondary goal for users. Considering the complexity associated with security in combination with the notion that it is not users’ primary task, it makes sense that users tend to ignore their security responsibilities. As a result, they make poor security-related decisions and, consequently, their personal information is at risk. Usable Security is the field that investigates these types of issue, focusing on the design of security and privacy features that are usable. In order to understand and appreciate the complexities that exist in the field of Usable Security, the research fields of Human-Computer Interaction and Information Security should be examined. Accordingly, the Information Security field is concerned with all aspects pertaining to the security and privacy of information, while the field of Human-Computer Interaction is concerned with the design, evaluation and implementation of interactive computing systems for human use. This research delivers a framework to evaluate Usable Security in online social networks. In this study, online social networks that are particular to the health domain were used as a case study and contributed to the development of a framework consisting of three components: a process, a validation tool and a Usable Security heuristic evaluation. There is no existing qualitative process that describes how one would develop and validate a heuristic evaluation. In this regard a heuristic evaluation is a usability inspection method that is used to evaluate the design of an interface for any usability violations in the field of Human-Computer Interaction. Therefore, firstly, a new process and a validation tool were required to be developed. Once this had been achieved, the process could then be followed to develop a new heuristic evaluation that is specific to Usable Security. In order to assess the validity of a new heuristic evaluation a validation tool is used. The development of tools that can improve the design of security and privacy features on end-user applications and websites in terms of their usability is critical, as this will ensure that the intended users experience them as usable and can utilise them effectively. The framework for evaluating Usable Security contributes to this objective in the context of online social networks.
- Full Text:
- Date Issued: 2011
A framework to implement information security awareness, education and training within the Limpopo economic development agency group
- Authors: Mokobane, Ntsewa Benjamin
- Date: 2019
- Subjects: Computer security , Computer networks -- Security measures , Data protection
- Language: English
- Type: Thesis , Masters , MPhil
- Identifier: http://hdl.handle.net/10948/42063 , vital:36622
- Description: Cybersecurity awareness, education and training of employees is key in reducing and preventing cyber-attack opportunities. The ignorance and/or lack of understanding of employees about the information security risks around them might expose the LEDA Group to cyber-attacks. This led to the problem that the level of awareness of employees regarding information security was not known. The implication of this not knowing was that an argument for the nature of an intervention to ensure awareness, as well as to educate and train employees regarding information security, was not possible. The aim of this treatise was to develop a framework as an effective guideline for the implementation of cybersecurity awareness, education and training of employees. In the study, the LEDA Group employees were surveyed to determine their cybersecurity knowledge gap. An online questionnaire was randomly sent to 314 LEDA Group employees. The survey was voluntary and confidential. One hundred and thirty-seven (137) employees completed the survey. The results of the survey were analysed to determine the gap between the current cybersecurity knowledge of the LEDA Group employees and state-of-the-art cybersecurity knowledge. The gap was used in the development of the framework for the implementation of cybersecurity awareness, education and training (F-CSAET). Central to F-CSAET are the governance principles guided by best practices such as King IV, COBIT5, ISO27001, ISO27005, ISO27008 and ISO27032 and the compliance requirements of POPIA, the Copyright Act and the Cybercrimes and Cybersecurity Bill. The F-CSAET has six steps, namely Assess, Analyse, Create, Plan, Implement and Reinforce. The framework was evaluated for applicability by the cyber security interest team, which was established specifically for the purpose of the F-CSAET.
- Full Text:
- Date Issued: 2019