RESUMEN
Smart security devices, such as smart locks, smart cameras, and smart intruder alarms are increasingly popular with users due to the enhanced convenience and new features that they offer. A significant part of this convenience is provided by the device's companion smartphone app. Information on whether secure and ethical development practices have been used in the creation of these applications is unavailable to the end user. As this work shows, this means that users are impacted both by potential third-party attackers that aim to compromise their device, and more subtle threats introduced by developers, who may track their use of their devices and illegally collect data that violate users' privacy. Our results suggest that users of every application tested are susceptible to at least one potential commonly found vulnerability regardless of whether their device is offered by a known brand name or a lesser-known manufacturer. We present an overview of the most common vulnerabilities found in the scanned code and discuss the shortcomings of state-of-the-art automated scanners when looking at less structured programming languages such as C and C++. Finally, we also discuss potential methods for mitigation, and provide recommendations for developers to follow with respect to secure coding practices.
RESUMEN
The world has been afflicted by the rise of misinformation. The sheer volume of news produced daily necessitates the development of automated methods for separating fact from fiction. To tackle this issue, the computer science community has produced a plethora of approaches, documented in a number of surveys. However, these surveys primarily rely on one-dimensional solutions, i.e., deception detection approaches that focus on a specific aspect of misinformation, such as a particular topic, language, or source. Misinformation is considered a major obstacle for situational awareness, including cyber, both from a company and a societal point of view. This paper explores the evolving field of misinformation detection and analytics on information published in news articles, with an emphasis on methodologies that handle multiple dimensions of the fake news detection conundrum. We analyze and compare existing research on cross-dimensional methodologies. Our evaluation process is based on a set of criteria, including a predefined set of performance metrics, data pre-processing features, and domains of implementation. Furthermore, we assess the adaptability of each methodology in detecting misinformation in real-world news and thoroughly analyze our findings. Specifically, survey insights demonstrate that when a detection approach focuses on several dimensions (e.g., languages and topics, languages and sources, etc.), its performance improves, and it becomes more flexible in detecting false information across different contexts. Finally, we propose a set of research directions that could aid in furthering the development of more advanced and accurate models in this field.
Asunto(s)
Decepción , Medios de Comunicación Sociales , Concienciación , Comunicación , Solución de ProblemasRESUMEN
Cyber threat information sharing is an imperative process towards achieving collaborative security, but it poses several challenges. One crucial challenge is the plethora of shared threat information. Therefore, there is a need to advance filtering of such information. While the state-of-the-art in filtering relies primarily on keyword- and domain-based searching, these approaches require sizable human involvement and rarely available domain expertise. Recent research revealed the need for harvesting of business information to fill the gap in filtering, albeit it resulted in providing coarse-grained filtering based on the utilization of such information. This paper presents a novel contextualized filtering approach that exploits standardized and multi-level contextual information of business processes. The contextual information describes the conditions under which a given threat information is actionable from an organization perspective. Therefore, it can automate filtering by measuring the equivalence between the context of the shared threat information and the context of the consuming organization. The paper directly contributes to filtering challenge and indirectly to automated customized threat information sharing. Moreover, the paper proposes the architecture of a cyber threat information sharing ecosystem that operates according to the proposed filtering approach and defines the characteristics that are advantageous to filtering approaches. Implementation of the proposed approach can support compliance with the Special Publication 800-150 of the National Institute of Standards and Technology.
Asunto(s)
Seguridad Computacional , Ecosistema , Humanos , Difusión de la Información , TecnologíaRESUMEN
At present, sensors are increasingly used in all kinds of platforms, manned or unmanned, particularly in view of the emerging Internet of Things (IoT) [...].
RESUMEN
As the fastest growing segment of aviation, unmanned aerial systems (UAS) continue to increase in number, technical complexity and capabilities. Numerous civilian and commercial uses are drastically transforming civil protection, asset delivery, commercial and entertaining activities. However, UAS pose significant challenges in terms of safety, security and privacy within society. An increasing phenomenon, nowadays, is drone-related incidents near airport facilities, which are expected to proliferate in frequency, complexity and severity, as drones become larger and more powerful. Critical infrastructures need to be protected from such aerial attacks, through effective counteracting technologies, risk management and resilience plans. In this paper, we present a survey of drone incidents near airports and a literature review of sensor technologies, able to prevent, detect, identify and mitigate rogue drones. We exhibit the benefits and limitations of available counter-drone technologies (C-UAS); however, defending airports against misused drone activity is a hard problem. Therefore, we analyze three realistic attack scenarios from malicious drones and propose an effective C-UAS protection plan for each case. We discuss applicability limitations of C-UAS in the aviation context and propose a resilience action plan for airport stakeholders for defending against airborne threats from misused drones.
RESUMEN
Airports are at the forefront of technological innovation, mainly due to the fact that the number of air travel passengers is exponentially increasing every year. As a result, airports enhance their infrastructure intelligence and evolve as smart facilities to support growth, by offering an enjoyable travel experience. New challenges are coming up, which aviation has to deal with and adapt to, such as the integration of Industrial IoT (Internet of Things) in airport facilities and the increased use of smart devices from travelers and employees. Cybersecurity is becoming a key enabler for safety, which is paramount in the aviation context. Smart airports strive to provide optimal services in a reliable and sustainable manner, by working around the domains of growth, efficiency, safety and security. This article researches: (a) the implementation rate of cybersecurity measures in commercial airports; (b) malicious threats that evolve due to IoT and smart devices installed; (c) risk scenario analysis for IoT malicious attacks with threat mitigation actions. With the aim to enhance operational practices and develop robust cybersecurity governance in smart airports, we present a systematic and comprehensive analysis of malicious attacks in smart airports, to facilitate airport community comprehend risks and proactively act, by implementing cybersecurity best practices and resilience measures.
RESUMEN
PURPOSE: To investigate whether the long-term preservation of the authenticity of electronic healthcare records (EHR) is possible. To propose a mechanism that enables the secure validation of an EHR for long periods, far beyond the lifespan of a digital signature and at least as long as the lifetime of a patient. APPROACH: The study is based on the fact that although the attributes of data authenticity, i.e. integrity and origin verifiability, can be preserved by digital signatures, the necessary period for the retention of EHRs is far beyond the lifespan of a simple digital signature. It is identified that the lifespan of signed data is restricted by the validity period of the relevant keys and the digital certificates, by the future unavailability of signature-verification data, and by suppression of trust relationships. In this paper, the notarization paradigm is exploited, and a mechanism for cumulative notarization of signed EHR is proposed. RESULTS: The proposed mechanism implements a successive trust transition towards new entities, modern technologies, and refreshed data, eliminating any dependency of the relying party on ceased entities, obsolete data, or weak old technologies. The mechanism also exhibits strength against various threat scenarios. CONCLUSIONS: A future relying party will have to trust only the fresh technology and information provided by the last notary, in order to verify the authenticity of an old signed EHR. A Cumulatively Notarized Signature is strong even in the case of the compromise of a notary in the chain.
Asunto(s)
Almacenamiento y Recuperación de la Información , Sistemas de Registros Médicos Computarizados , Control de Calidad , Seguridad Computacional , Estudios de Evaluación como Asunto , Humanos , Registro Médico CoordinadoRESUMEN
Several hereditary and other chronic diseases necessitate continuous and complicated health care procedures, typically offered in different, often distant, health care units. Inevitably, the medical records of patients suffering from such diseases become complex, grow in size very fast and are scattered all over the units involved in the care process, hindering communication of information between health care professionals. Web-based electronic medical records have been recently proposed as the solution to the above problem, facilitating the interconnection of the health care units in the sense that health care professionals can now access the complete medical record of the patient, even if it is distributed in several remote units. However, by allowing users to access information from virtually anywhere, the universe of ineligible people who may attempt to harm the system is dramatically expanded, thus severely complicating the design and implementation of a secure environment. This paper presents a security architecture that has been mainly designed for providing authentication and authorization services in web-based distributed systems. The architecture has been based on a role-based access scheme and on the implementation of an intelligent security agent per site (i.e. health care unit). This intelligent security agent: (a). authenticates the users, local or remote, that can access the local resources; (b). assigns, through temporary certificates, access privileges to the authenticated users in accordance to their role; and (c). communicates to other sites (through the respective security agents) information about the local users that may need to access information stored in other sites, as well as about local resources that can be accessed remotely.
Asunto(s)
Seguridad Computacional , Sistemas de Registros Médicos Computarizados , Acceso a la Información , Continuidad de la Atención al Paciente , Control de Formularios y Registros , Humanos , Almacenamiento y Recuperación de la Información , Internet , Política Organizacional , Medidas de SeguridadRESUMEN
The design and implementation of a security policy for a healthcare organisation is by no means trivial but it is, at least, feasible, taking into account the wide range of information security and privacy enhancing technologies that are currently available. Considering, however, a shared care environment with the participation of many independent healthcare organisations and the requirement for exchanging electronic healthcare records, the situation becomes much more complex since the implementation of global security policy may turn out to be an over ambitious task. This paper aims to highlight the main sources of complexity and to provide pointers for managing or/and resolving them.
Asunto(s)
Seguridad Computacional/normas , Sistemas de Registros Médicos Computarizados/organización & administración , Acceso a la Información , Redes de Comunicación de Computadores/organización & administración , Redes de Comunicación de Computadores/normas , Confidencialidad/normas , Humanos , Sistemas de Información/organización & administración , Sistemas de Información/normas , Registro Médico Coordinado/normas , Sistemas de Registros Médicos Computarizados/normas , Talasemia beta/terapiaRESUMEN
In this paper the issue of security policy development for health information systems is addressed. Security policy development involves the definition of the policy content, the analysis of the social, organisational, and technical contexts, as well as the organisation of the policy development process. We present the structure of security policies, analyse the characteristics of the HIS context, and analyse the different categories of methodologies, which can be used towards this end.
Asunto(s)
Seguridad Computacional/legislación & jurisprudencia , Sistemas de Información/organización & administración , Informática Médica , Política Organizacional , Formulación de Políticas , Grecia , Guías como Asunto , Sistemas de Información/legislación & jurisprudenciaRESUMEN
This chapter presents the benefits resulting from standardisation in the field of Security in Healthcare Information Systems (HIS). Especially in the EU, standardisation appears as a key element for the effectiveness of the Single Market and the competitiveness of European industry.
Asunto(s)
Seguridad Computacional/normas , Sistemas de Información/normas , Unión Europea , Guías como Asunto/normas , Integración de SistemasRESUMEN
The intense need for Healthcare information exchange has revealed a lack of interoperability of systems and applications. Security controls, usually based on proprietary methods and techniques, aggravate the current situation. However, timely development of HIS security standards may improve the interoperability and enable the integration of systems. This chapter provides an overview of the standardisation work that is being done by official standardisation organisations in Europe and world-wide.