CASSIS - Computer-based Academy for Security and Safety in Information Systems

Posted on February 23rd, 2007 by gernot.
Categories: Publications, Studies.

Secure Business Austria, Competence Center focusing on Organizational and Technical Aspects of IT-Security

Authors:

  • Gernot Goluch
  • Andreas Ekelhart
  • Stefan Fenz
  • Stefan Jakoubi
  • Bernhard Riedl
  • Simon Tjoa

Conference:

ARES 2007

Abstract

Information technologies and society are highly interwoven nowadays, but in both the private and the business sector users are often not aware of security issues or lack proper security skills. The IT security branch is growing constantly, but attacks against the vocational as well as the personal sector still cause great losses each day. Considering that the end-user is the weakest link of the security chain, we aim to raise awareness regarding IT security, and to train and educate IT security skills, by establishing a European-wide initiative and framework.


Ontological Mapping of Common Criteria’s Security Assurance Requirements

Posted on February 23rd, 2007 by gernot.
Categories: Publications, Studies.

Authors:

  • Andreas Ekelhart
  • Stefan Fenz
  • Gernot Goluch
  • Edgar Weippl

Conference:

IfipSec2007

Motivation

The Common Criteria for Information Technology Security Evaluation (CC) describes an international standard regarding the criteria for the evaluation and certification of IT products and systems pertaining to data security and data privacy. Requirements for the security functions of IT products and systems, as well as requirements for assurance measures applied to the security functions during a security evaluation, are provided by the CC [CC05]. The security functions of such products and systems and the applied assurance measures have to meet defined requirements to obtain a certain level of confidence during the evaluation process.
Raskin [Raskin01] is one of the first to introduce ontological semantic approaches to information security. He implies that one of the ultimate goals is the inclusion of natural language data sources to facilitate the specification and evaluation of information security certification by organizing and unifying the terminology.
Despite being a standard, the CC offers the flexibility to certify only requirements that are important to the customer. Protection Profiles state the desired requirements of a particular community in almost any combination desired [Olthoff00]. Other standards, such as the Orange Book, follow an “all-or-nothing” approach: if a product or system misses even a single requirement, perhaps one that is irrelevant to the customer, it cannot be certified at the desired level. The CC’s flexibility therefore makes it harder both for the developer and for the evaluator to keep track of what is required for a certain level and which security functions are to be included.
The drawback of such a comprehensive standard is that a certification process can be very time-consuming and expensive. Little commercial interest is driving the CC market; most evaluations and certifications result from government regulation or government purchase [Hearn04].
Katzke suggested several ways to deal with the CC’s problems and shortcomings [Katzke03]. The suggestions include better administration and management processes, long-term planning and budget processes, and accountability for meeting goals, milestones, and deliverables. We concentrate on the first of Katzke’s points because sophisticated support tools for the management and administration of CC processes are still not available. Furthermore, the CC contain rather abstract verbalizations which do not provide sufficient information on the concrete measures a company has to fulfill, and this often leads to conflicts during the evaluation process. To counter the abstract verbalizations, we align the CC ontology with the Security Ontology [Ekelhart07], [Ekelhart06], [Fenz06], and are thus able to offer concrete threat and countermeasure terminology for demanded security requirements.
Due to the OWL [Owl04] representation, the CC domain is now available in a machine-readable format and can be utilized in computer programs. Another important advantage of our approach is the option to query the data structure in an efficient way, taking advantage of the well-known RDF [Rdf06]- or OWL-based query languages such as SPARQL [Sparql06]. Due to the complexity of these languages it is nonetheless necessary to create an intermediate layer which translates the user input into a valid query. In summary, our contribution is:

  • The CC Ontology covers the entire domain of the CC. It can be used to query the data structure in an efficient way using SPARQL.
  • The CC Ontology Tool takes the CC ontology as input and supports the evaluation process in several novel and useful ways such as tagging and linking.
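The intermediate layer mentioned above, which turns user input into a valid SPARQL query, is exactly the component where unvalidated input becomes a risk: a value pasted raw into the query text can add graph patterns the tool never intended. The following Python is an added example, not the paper's CC Ontology Tool. It assumes a hypothetical ontology namespace `http://example.org/cc#` and hypothetical property names (`belongsToClass`, `belongsToFamily`, `requiresComponent`), validates user-supplied identifiers against the CC naming shape, and only then builds the query, so a request value cannot change the query's structure.

```python
"""Added example (not the paper's tool): a small intermediate layer that turns
structured user input into a SPARQL query over a hypothetical CC ontology."""
import re

# Hypothetical ontology namespace; the property names used below are likewise
# assumptions for this example, not taken from the paper or the CC.
CC_NS = "http://example.org/cc#"

# Identifier shapes follow the CC naming scheme: an assurance class is three
# upper-case letters starting with 'A' (e.g. ADV), a family adds an underscore
# and three letters (e.g. ADV_ARC). Anything else is rejected before it can
# reach the query text.
CLASS_RE = re.compile(r"^A[A-Z]{2}$")
FAMILY_RE = re.compile(r"^A[A-Z]{2}_[A-Z]{3}$")


def eal_term(eal):
    """Return the SPARQL term for an evaluation assurance level (EAL1..EAL7)."""
    if not isinstance(eal, int) or isinstance(eal, bool) or not 1 <= eal <= 7:
        raise ValueError("EAL must be an integer from 1 to 7")
    return f"cc:EAL{eal}"


def build_query(request):
    """Translate a structured request into a SPARQL SELECT string.

    Supported request kinds (constructed for this example):
      {"kind": "components_for_class", "class": "ADV", "eal": 4}
        -> components of class ADV demanded at EAL4
      {"kind": "components_in_family", "family": "ADV_ARC"}
        -> all components of family ADV_ARC
    User-supplied values are validated, never interpolated raw, so a request
    cannot inject extra graph patterns or change the query structure.
    """
    kind = request.get("kind")
    if kind == "components_for_class":
        cls = str(request.get("class", ""))
        if not CLASS_RE.match(cls):
            raise ValueError(f"invalid assurance class: {cls!r}")
        eal = eal_term(request.get("eal"))
        patterns = [
            f"?family cc:belongsToClass cc:{cls} .",
            "?component cc:belongsToFamily ?family .",
            f"{eal} cc:requiresComponent ?component .",
        ]
        select = "?component ?family"
    elif kind == "components_in_family":
        fam = str(request.get("family", ""))
        if not FAMILY_RE.match(fam):
            raise ValueError(f"invalid assurance family: {fam!r}")
        patterns = [f"?component cc:belongsToFamily cc:{fam} ."]
        select = "?component"
    else:
        raise ValueError(f"unsupported request kind: {kind!r}")

    body = "\n".join("  " + p for p in patterns)
    return f"PREFIX cc: <{CC_NS}>\nSELECT {select} WHERE {{\n{body}\n}}"


def is_safe_request(request):
    """True if build_query accepts the request, False if it rejects it."""
    try:
        build_query(request)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(build_query({"kind": "components_for_class", "class": "ADV", "eal": 4}))
    # A value that tries to smuggle an extra pattern into the query is stopped
    # by the identifier check and never reaches the query text.
    print(is_safe_request({"kind": "components_in_family",
                           "family": "ADV_ARC . ?x ?y ?z"}))
```

The design choice is that the layer accepts only a closed set of request kinds and validates every identifier against the shape it must have; the query text is assembled from fixed patterns, so the user chooses which query runs but never its form. Against a real SPARQL endpoint the returned string would be handed to the endpoint unchanged.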


Nichtabstreitbarkeit und Audits in ELearning (Non-repudiation and Audits in E-Learning)

Posted on September 14th, 2006 by gernot.
Categories: Publications, Studies.

Secure Business Austria, Competence Center focusing on Organizational and Technical Aspects of IT-Security

Authors:

  • Gernot Goluch
  • Edgar Weippl

Conference:

IRIS 2006 (Internationales Rechtsinformatik Symposion 2006)

Abstract:

E-learning systems are nowadays deployed ever more frequently, and on a large scale, at universities as well as in companies. In the commercial sector the boundary between e-learning and knowledge management can no longer be drawn clearly. At universities these systems serve professors and students as a central infrastructural point of contact and have become an integral part of today's educational institutions. However, while IT security concepts such as "transaction logging", "audit trails" or non-repudiation have long been in use in IT systems of, for example, the financial industry, most e-learning systems do not address these problem areas. This article shows simple ways to introduce concepts such as non-repudiation or trust into e-learning systems.


Web Service Security

Posted on January 22nd, 2006 by gernot.
Categories: Studies.

The following seminar paper was written for the IT/EC course: Web Service Security.

Abstract: The paper begins by introducing the basic concepts of WS-Security, XML-Signature and XML-Encryption. XML-Signature is a security standard intended primarily to guarantee the integrity of message exchange: the sender of an XML message attaches a digital signature to the message, and this signature gives the recipient the means to check the message for modification. XML-Encryption is a further security standard that makes it possible to encrypt XML messages, or parts of XML messages, in order to protect their contents from unauthorized inspection by third parties. The paper then covers the practical application of the WS-Security concept to SOAP (Simple Object Access Protocol). To this end, the structure and operation of SAML (Security Assertion Markup Language) are briefly discussed, since SAML provides the authentication and authorization in the WS-Security process. Another important component of the concept is WS-Policy, which lets us develop specific guidelines or rule sets (policies) for web services. Finally, WS-Security in practice is demonstrated using WSS4J, an Apache implementation.

Download: ec1_wssecurity_endabgabe.pdf


Java Security - FASS Vortrag

Posted on January 22nd, 2006 by gernot.
Categories: Studies.

In the summer semester of 2005 I had the opportunity to give a talk on Java Security within the course Fortgeschrittene Aspekte von Software Security (Advanced Aspects of Software Security): FASS_2.ppt
