In the article, a modification of the Formal Model of Risk Analysis (FoMRA) is proposed. The Modified FoMRA (1) method takes into account the guidelines of the ISO/IEC 27001 and ISO/IEC 27005 standards. The applied modification, together with abstraction over resources and security controls (also called countermeasures), significantly shortens the time needed to calculate risk weights in comparison with the MEHARI method. An attempt was also made to further reduce the time of risk analysis by using agents that collect information and data from various network nodes, operating systems and devices, and additional agents holding information from reports on security procedures, security services, security management and organizational activities related to the information systems (maintenance, insurance, outsourcing contracts, etc.), and transfer it to the local FoMRA1 database. The obtained results indicate that the proposed method, together with agents installed in various nodes, enables a quick reaction to threats to the system and prevention of their impact (a quasi-real-time security monitoring system).
Mobile devices have revolutionized the way the internet is used by billions of users around the world. The capabilities of smartphones are constantly growing, and the number of services available for mobile devices is also increasing. This undeniable trend makes smartphones terminals for accessing services that process confidential data, which in turn makes them high-value targets of cyberattacks. Along with the increasing number of mobile services, the methods of securing the confidentiality, integrity and availability of the systems used have also evolved and adapted to the capabilities of a mobile environment. One of the important security services is the user authentication process. This process often implements the postulates of strong authentication: multi-factor authentication based on factors from the knowledge, possession and inherence categories. Unfortunately, implementing factors from these categories is not always possible due to the limitations of smartphones, such as the lack of interfaces for biometrics, or due to environmental factors such as problems with network or internet access in various countries and regions. Therefore, there is a need to analyse the possibility of implementing a strong authentication process based on additional information about users, e.g., location data. The article analyses the requirements for the authentication process and for authentication factors. Based on this analysis, the criteria that each authentication factor must meet were defined. The article presents a proposal for a user authentication protocol based on the location factor for a mobile environment. The method can be used where strong authentication cannot otherwise be implemented, or as an additional authentication factor that increases the security of the user identity confirmation process. The presented protocol has been analysed in terms of performance, security and compliance with the requirements related to authentication factors.
Supporting the execution of transactions through electronic documents requires security. The scope of this security primarily involves ensuring the integrity, authenticity and non-repudiation of origin of information. A signed XML document is a powerful tool that provides the above properties together with ease of processing and integration with various systems. An XML document may carry many signatures, each of which may sign different parts of the document. This feature is highly attractive, but in order to use it safely the signature and the structure of the document must be carefully designed. This article presents the existing risks associated with the use of XML signatures, focusing on the XML signature wrapping vulnerability. This vulnerability is a consequence of the loose relationship between the XML signature and the signed document: the signature reference identifies what was signed (typically through an Id attribute), while the application decides separately which element it processes, so a signed fragment can be moved elsewhere in the document and replaced by a forged one without invalidating the signature. The authors suggest that, without neglecting the need for protection against moving and replacing a fragment of the document, the use of secure XML signature references should also be considered and applied. The article proposes the use of secure signature templates as a countermeasure against the threat of an improper indication of the signed content defined in the signature reference. This threat is serious in automatic signature processing, where correct indication of the signed content is essential.
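The following is an added example, not code from the article or its authors, illustrating the wrapping vulnerability described above and one way of pinning the verified element to the location the application actually processes. It is a toy: the "signature" is an HMAC-SHA256 over the element's serialized bytes under an assumed shared key, standing in for XML-DSig's canonicalization and public-key signature, and the element names (Envelope, Body, Signature, Wrapper), the Id values and the amounts are all constructed. What it shows is the real mechanism: an Id-based reference lookup finds the genuine signed Body wherever the attacker has parked it, while the application reads the forged Body at the expected position; a verifier that insists the signed element be the one at the processing location, and that the referenced Id be unique, rejects both variants of the attack.

```python
"""XML Signature Wrapping (XSW) on a toy signed envelope, plus a location-pinned verifier."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

KEY = b"demo-shared-key"  # assumed shared secret; stands in for a real signing key


def digest(elem):
    """Toy signature value: HMAC over the element's serialized bytes (no real C14N)."""
    return hmac.new(KEY, ET.tostring(elem), hashlib.sha256).hexdigest()


def find_by_id(root, ref_id):
    """Mimics getElementById: first element in document order carrying Id=ref_id."""
    for e in root.iter():
        if e.get("Id") == ref_id:
            return e
    return None


def sign_body(root):
    """Append a Signature whose reference points at the Body by Id (URI="#<Id>")."""
    body = root.find("Body")
    sig = ET.SubElement(root, "Signature")
    sig.set("URI", "#" + body.get("Id"))
    sig.set("Value", digest(body))
    return root


def verify_by_id(root):
    """Naive verifier: resolves the reference by Id anywhere in the document."""
    sig = root.find("Signature")
    target = find_by_id(root, sig.get("URI")[1:])
    return target is not None and hmac.compare_digest(sig.get("Value"), digest(target))


def verify_pinned(root):
    """Pinned verifier: the signed element must be the one the application processes
    (first /Envelope/Body) and its Id must be unique in the document."""
    sig = root.find("Signature")
    processed = root.find("Body")
    if processed is None or "#" + (processed.get("Id") or "") != sig.get("URI"):
        return False
    if sum(1 for e in root.iter() if e.get("Id") == processed.get("Id")) != 1:
        return False  # a second element with the referenced Id is being smuggled in
    return hmac.compare_digest(sig.get("Value"), digest(processed))


def application_action(root):
    """What the business logic acts on: the Transfer inside /Envelope/Body."""
    return root.find("Body").find("Transfer").get("amount")


def build_signed_envelope():
    # Constructed sample document
    root = ET.fromstring('<Envelope><Body Id="b1"><Transfer amount="10"/></Body></Envelope>')
    return sign_body(root)


def wrap_attack(root, same_id=False):
    """Move the signed Body into a Wrapper and put a forged Body where the app looks.
    With same_id=True the forged Body reuses the signed Id (duplicate-Id variant)."""
    signed_body = root.find("Body")
    root.remove(signed_body)
    wrapper = ET.Element("Wrapper")
    wrapper.append(signed_body)
    forged_id = signed_body.get("Id") if same_id else "b2"
    forged = ET.fromstring('<Body Id="%s"><Transfer amount="1000000"/></Body>' % forged_id)
    # Wrapper goes first so an Id lookup in document order hits the genuine Body;
    # the forged Body follows it and is what /Envelope/Body resolves to.
    root.insert(0, wrapper)
    root.insert(1, forged)
    return root


if __name__ == "__main__":
    for same_id in (False, True):
        doc = wrap_attack(build_signed_envelope(), same_id=same_id)
        print("same_id=%s: by-Id verify=%s pinned verify=%s app sees amount=%s"
              % (same_id, verify_by_id(doc), verify_pinned(doc), application_action(doc)))
```

In both runs the Id-based verifier accepts the document while the application acts on the forged amount; the pinned verifier rejects it. Real deployments should additionally validate against a schema that forbids unexpected wrapper elements and should verify the exact element the application consumes rather than an independently resolved reference.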
The implementation of services that process confidential data in a mobile environment requires an adequate level of security, with the strictest possible mechanisms of information protection. The dominance of mobile devices as client applications of distributed systems has led to the development of new techniques that combine traditional methods of protection with protocols leveraging the numerous interfaces available on a smartphone. For this reason, an upward trend in the use of biometrics-based methods and dynamically generated OTP secrets can be observed. Mobile devices are increasingly used in complex business processes that require strong user authentication methods, which, according to the European Commission (Regulation), must use at least two authentication factors belonging to different categories. Therefore, on the basis of an analysis of the solutions presented so far, a distributed protocol has been proposed. It enables user authentication using three authentication factors: possession, knowledge, and inherence. The described authentication scheme refers to the possibility of carrying out the process in the mobile environment of the Android platform with guaranteed authentication support.
This article discusses various ideas of deniable file systems, their advantages and drawbacks, and their use as storage for sensitive data (e.g., private keys for asymmetric algorithms). A design of such a new file system is also presented. Its goal is to revive the concept and, in the future, popularize it by merging it into Linux.