How To Write A Book On Cyber Security

Transcription

1

2 Cyber Security Standards, Practices and Industrial Applications: Systems and Methodologies Junaid Ahmed Zubairi State University of New York at Fredonia, USA Athar Mahboob National University of Sciences & Technology, Pakistan

3 Senior Editorial Director: Director of Book Publications: Editorial Director: Acquisitions Editor: Development Editor: Production Editor: Typesetters: Print Coordinator: Cover Design: Kristin Klinger Julia Mosemann Lindsay Johnston Erika Carter Michael Killian Sean Woznicki Adrienne Freeland Jamie Snavely Nick Newcomer Published in the United States of America by Information Science Reference (an imprint of IGI Global) 701 E. Chocolate Avenue Hershey PA Tel: Fax: Web site: Copyright 2012 by IGI Global. All rights reserved. No part of this publication may be reproduced, stored or distributed in any form or by any means, electronic or mechanical, including photocopying, without written permission from the publisher. Product or company names used in this set are for identification purposes only. Inclusion of the names of the products or companies does not indicate a claim of ownership by IGI Global of the trademark or registered trademark. Library of Congress Cataloging-in-Publication Data Cyber security standards, practices and industrial applications: systems and methodologies / Junaid Ahmed Zubairi and Athar Mahboob, editors. p. cm. Includes bibliographical references and index. Summary: This book details the latest and most important advances in security standards, introducing the differences between information security (covers the understanding of security requirements, classification of threats, attacks and information protection systems and methodologies) and network security (includes both security protocols as well as systems which create a security perimeter around networks for intrusion detection and avoidance) --Provided by publisher. ISBN (hbk.) -- ISBN (ebook) -- ISBN (print & perpetual access) 1. Computer networks--security measures. 2. Computer security. 3. Data protection. 4. Electronic data processing departments--security measures. I. Zubairi, Junaid Ahmed, II. Mahboob, Athar, TK C dc British Cataloguing in Publication Data A Cataloguing in Publication record for this book is available from the British Library. All work contributed to this book is new, previously-unpublished material. The views expressed in this book are those of the authors, but not necessarily of the publisher.

4 Editorial Advisory Board Kassem Saleh, Kuwait University, Kuwait Sajjad Madani, COMSATS Institute of Information Technology, Pakistan Badar Hussain, KCI Engineering, USA Omer Mahmoud, Int l Islamic University, Malaysia List of Reviewers Alfredo Pironti, Politecnico di Torino, Torino, Italy Athar Mahboob, National University of Sciences & Technology, Pakistan Badar Hussain, KCI Engineering, USA Davide Pozza, Politecnico di Torino, Italy Junaid Ahmed Zubairi, State University of New York at Fredonia, USA Junaid Hussain, National University of Sciences & Technology, Pakistan Kashif Latif, National University of Sciences & Technology, Pakistan Morgan Henrie, Morgan Henrie Inc., USA Omer Mahmoud, Int l Islamic University, Malaysia Riccardo Sisto, Politecnico di Torino, Italy Sajjad Ahmed Madani, COMSATS Institute of Information Technology, Pakistan Shakeel Ali, Cipher Storm Ltd., UK Sohail Sattar, NED University of Engineering & Technology, Pakistan Syed Ali Khayam, National University of Sciences & Technology, Pakistan Wen Chen Hu, University of North Dakota, USA

5 Table of Contents Foreword...xii Preface...xiii Acknowledgment...xviii Section 1 Mobile and Wireless Security Chapter 1 Securing Wireless Ad Hoc Networks: State of the Art and Challenges... 1 Victor Pomponiu, University of Torino, Italy Chapter 2 Smartphone Data Protection Using Mobile Usage Pattern Matching Wen-Chen Hu, University of North Dakota, USA Naima Kaabouch, University of North Dakota, USA S. Hossein Mousavinezhad, Idaho State University, USA Hung-Jen Yang, National Kaohsiung Normal University, Taiwan Chapter 3 Conservation of Mobile Data and Usability Constraints Rania Mokhtar, University Putra Malaysia (UPM), Malaysia Rashid Saeed, International Islamic University Malaysia (IIUM), Malaysia Section 2 Social Media, Botnets and Intrusion Detection Chapter 4 Cyber Security and Privacy in the Age of Social Networks Babar Bhatti, MutualMind, Inc., USA

6 Chapter 5 Botnets and Cyber Security: Battling Online Threats Ahmed Mansour Manasrah, National Advanced IPv6 Center, Malaysia Omar Amer Abouabdalla, National Advanced IPv6 Center, Malaysia Moein Mayeh, National Advanced IPv6 Center, Malaysia Nur Nadiyah Suppiah, National Advanced IPv6 Center, Malaysia Chapter 6 Evaluation of Contemporary Anomaly Detection Systems (ADSs) Ayesha Binte Ashfaq, National University of Sciences & Technology (NUST), Pakistan Syed Ali Khayam, National University of Sciences & Technology (NUST), Pakistan Section 3 Formal Methods and Quantum Computing Chapter 7 Practical Quantum Key Distribution Sellami Ali, International Islamic University Malaysia (IIUM), Malaysia Chapter 8 Automated Formal Methods for Security Protocol Engineering Alfredo Pironti, Politecnico di Torino, Italy Davide Pozza, Politecnico di Torino, Italy Riccardo Sisto, Politecnico di Torino, Italy Section 4 Embedded Systems and SCADA Security Chapter 9 Fault Tolerant Remote Terminal Units (RTUs) in SCADA Systems Syed Misbahuddin, Sir Syed University of Engineering and Technology, Pakistan Nizar Al-Holou, University of Detroit Mercy, USA Chapter 10 Embedded Systems Security Muhammad Farooq-i-Azam, COMSATS Institute of Information Technology, Pakistan Muhammad Naeem Ayyaz, University of Engineering and Technology, Pakistan

7 Section 5 Industrial and Applications Security Chapter 11 Cyber Security in Liquid Petroleum Pipelines Morgan Henrie, MH Consulting, Inc., USA Chapter 12 Application of Cyber Security in Emerging C4ISR Systems and Related Technologies Ashfaq Ahmad Malik, National University of Sciences & Technology, Pakistan Athar Mahboob, National University of Sciences & Technology, Pakistan Adil Khan, National University of Sciences & Technology, Pakistan Junaid Zubairi, State University of New York at Fredonia, USA Chapter 13 Practical Web Application Security Audit Following Industry Standards and Compliance Shakeel Ali, Cipher Storm Ltd., UK Compilation of References About the Contributors Index

8 Detailed Table of Contents Foreword...xii Preface...xiii Acknowledgment...xviii Section 1 Mobile and Wireless Security Chapter 1 Securing Wireless Ad Hoc Networks: State of the Art and Challenges... 1 Victor Pomponiu, University of Torino, Italy In this chapter, first authors introduce the main wireless technologies along with their characteristics. Then, a description of the attacks that can be mounted on these networks is given. A separate section will review and compare the most recent intrusion detection techniques for wireless ad hoc networks. Finally, based on the current state of the art, the conclusions, and major challenges are discussed. Chapter 2 Smartphone Data Protection Using Mobile Usage Pattern Matching Wen-Chen Hu, University of North Dakota, USA Naima Kaabouch, University of North Dakota, USA S. Hossein Mousavinezhad, Idaho State University, USA Hung-Jen Yang, National Kaohsiung Normal University, Taiwan This research proposes a set of novel approaches to protecting handheld data by using mobile usage pattern matching, which compares the current handheld usage pattern to the stored usage patterns. If they are drastic different, a security action such as requiring a password entry is activated. Various algorithms of pattern matching can be used in this research. Two of them are discussed in this chapter. Chapter 3 Conservation of Mobile Data and Usability Constraints Rania Mokhtar, University Putra Malaysia (UPM), Malaysia Rashid Saeed, International Islamic University Malaysia (IIUM), Malaysia

9 The goal of this chapter is to examine and raise awareness about cyber security threats from social media, to describe the state of technology to mitigate security risks introduced by social networks, to shed light on standards for identity and information sharing or lack thereof, and to present new research and development. The chapter will serve as a reference to students, researchers, practitioners, and consultants in the area of social media, cyber security, and Information and Communication technologies (ICT). Section 2 Social Media, Botnets and Intrusion Detection Chapter 4 Cyber Security and Privacy in the Age of Social Networks Babar Bhatti, MutualMind, Inc., USA The goal of this chapter is to examine and raise awareness about cyber security threats from social media, to describe the state of technology to mitigate security risks introduced by social networks, to shed light on standards for identity and information sharing or lack thereof, and to present new research and development. The chapter will serve as a reference to students, researchers, practitioners, and consultants in the area of social media, cyber security, and Information and Communication technologies (ICT). Chapter 5 Botnets and Cyber Security: Battling Online Threats Ahmed Mansour Manasrah, National Advanced IPv6 Center, Malaysia Omar Amer Abouabdalla, National Advanced IPv6 Center, Malaysia Moein Mayeh, National Advanced IPv6 Center, Malaysia Nur Nadiyah Suppiah, National Advanced IPv6 Center, Malaysia This chapter provides a brief overview of the botnet phenomena and its pernicious aspects. Current governmental and corporate efforts to mitigate the threat are also described, together with the bottlenecks limiting their effectiveness in various countries. The chapter concludes with a description of lines of investigation that could counter the botnet phenomenon. Chapter 6 Evaluation of Contemporary Anomaly Detection Systems (ADSs) Ayesha Binte Ashfaq, National University of Sciences & Technology (NUST), Pakistan Syed Ali Khayam, National University of Sciences & Technology (NUST), Pakistan Due to the rapidly evolving nature of network attacks, a considerable paradigm shift has taken place with focus now on Network-based Anomaly Detection Systems (NADSs) that can detect zero-day attacks. At this time, it is important to evaluate existing anomaly detectors to determine and learn from their strengths and weaknesses. Thus, the authors aim to evaluate the performance of eight prominent network-based anomaly detectors under malicious portscan attacks.

10 Section 3 Formal Methods and Quantum Computing Chapter 7 Practical Quantum Key Distribution Sellami Ali, International Islamic University Malaysia (IIUM), Malaysia The central objective of this chapter is to study and implement practical systems for quantum cryptography using decoy state protocol. In particular we seek to improve dramatically both the security and the performance of practical QKD system (in terms of substantially higher key generation rate and longer distance). Chapter 8 Automated Formal Methods for Security Protocol Engineering Alfredo Pironti, Politecnico di Torino, Italy Davide Pozza, Politecnico di Torino, Italy Riccardo Sisto, Politecnico di Torino, Italy The objective of this chapter is to give a circumstantial account of the state-of-the-art reached in this field, showing how formal methods can help in improving quality. Since automation is a key factor for the acceptability of these techniques in the engineering practice, the chapter focuses on automated techniques and illustrates in particular how high-level protocol models in the Dolev-Yao style can be automatically analyzed and how it is possible to automatically enforce formal correspondence between an abstract high-level model and an implementation. Section 4 Embedded Systems and SCADA Security Chapter 9 Fault Tolerant Remote Terminal Units (RTUs) in SCADA Systems Syed Misbahuddin, Sir Syed University of Engineering and Technology, Pakistan Nizar Al-Holou, University of Detroit Mercy, USA This chapter proposes a fault tolerant scheme to untangle the RTU s failure issue. According to the scheme, every RTU will have at least two processing elements. In case of either processor s failure, the surviving processor will take over the tasks of the failed processor to perform its tasks. With this approach, an RTU can remain functional despite the failure of the processor inside the RTU. Chapter 10 Embedded Systems Security Muhammad Farooq-i-Azam, COMSATS Institute of Information Technology, Pakistan Muhammad Naeem Ayyaz, University of Engineering and Technology, Pakistan Whereas a lot of research has already been done in the area of security of general purpose computers and software applications, hardware and embedded systems security is a relatively new and emerging area

11 of research. This chapter provides details of various types of existing attacks against hardware devices and embedded systems, analyzes existing design methodologies for their vulnerability to new types of attacks, and along the way describes solutions and countermeasures against them for the design and development of secure systems. Section 5 Industrial and Applications Security Chapter 11 Cyber Security in Liquid Petroleum Pipelines Morgan Henrie, MH Consulting, Inc., USA The world s critical infrastructure includes entities such as the water, waste water, electrical utilities, and the oil and gas industry. In many cases, these rely on pipelines that are controlled by supervisory control and data acquisition (SCADA) systems. SCADA systems have evolved to highly networked, common platform systems. This evolutionary process creates expanding and changing cyber security risks. The need to address this risk profile is mandated from the highest government level. This chapter discusses the various processes, standards, and industry based best practices that are directed towards minimizing these risks. Chapter 12 Application of Cyber Security in Emerging C4ISR Systems and Related Technologies Ashfaq Ahmad Malik, National University of Sciences & Technology, Pakistan Athar Mahboob, National University of Sciences & Technology, Pakistan Adil Khan, National University of Sciences & Technology, Pakistan Junaid Zubairi, State University of New York at Fredonia, USA The C4ISR system is a system of systems and it can also be termed as network of networks and works on similar principles as the Internet. Hence it is vulnerable to similar attacks called cyber attacks and warrants appropriate security measures to save it from these attacks or to recover if the attack succeeds. All of the measures put in place to achieve this are called cyber security of C4ISR systems. This chapter gives an overview of C4ISR systems focusing on the perspective of cyber security warranting information assurance. Chapter 13 Practical Web Application Security Audit Following Industry Standards and Compliance Shakeel Ali, Cipher Storm Ltd., UK Today, nearly 80% of total applications are web-based and externally accessible depending on the organization policies. In many cases, number of security issues discovered not only depends on the system configuration but also the application space. Rationalizing security functions into the application is a common practice but assessing their level of resiliency requires structured and systematic approach to test the application against all possible threats before and after deployment. The application security

12 assessment process and tools presented here are mainly focused and mapped with industry standards and compliance including PCI-DSS, ISO27001, GLBA, FISMA, SOX, and HIPAA, in order to assist the regulatory requirements. Compilation of References About the Contributors Index

13 xii Foreword The role of cyber infrastructure in the global economy is becoming increasing dominant as this infrastructure has enabled global business and social interaction across cultural and societal boundaries. However, the benefits of this infrastructure can be significantly overshadowed by widespread cyber security incidents as adversarial activities are increasingly international in scope. Online marketplaces for stolen IDs and financial data could be run by criminals maintaining servers across international boundaries and impacting financial enterprises all over the globe. The denial of service (DoS) attack in Estonia is a sobering revelation of how an attack on the cyber infrastructure can severely affect the functioning of an entire nation. With the growing capability of spreading worms over the Internet, the deployment of heterogeneous operating systems, growing number of software patches, sporadic usage of client software (e.g., growing usage of VoIP services with vulnerabilities), and networking technologies (e.g., the on-going aggressive migration towards IPv6) are some of the leading examples diversely impacting the security of the global cyber infrastructure. The phenomenal adaptation of social networking in the cyberspace is also providing opportunities for attackers. In addition, diverse perspectives and policies adopted by various segments of the cyber infrastructure exacerbate security risks, and further hamper our understanding of security/privacy concerns and the choice of technological and policy measures. To build a secure cyber infrastructure, we need to understand how to design various components of this infrastructure securely. Over the years, we have learned that cyber security needs to be viewed in terms of security of all its components and best practices and standards need to be adopted globally. This understanding has several facets and a holistic approach is required to address security challenges from all the dimensions. Cyber security has a long way to go, and covering the complete spectrum of this topic is a daunting task. We need not only to learn how to achieve it but also need to realize that it is essential to pursue it. Addressing this need, this book provides a balanced and comprehensive treatment to this vast topic. We expect the readers will greatly benefit from this book and practice the knowledge provided in it. Arif Ghafoor Purdue University, USA