If you need feedback or assistance, you must take initiative and contact your supervisor. This helps the supervisor to prepare and improves the efficiency of the meeting. We offer each student the opportunity to hand in up to five pages of the thesis draft. The supervisor will correct it with the same standard as for the final thesis. We expect the student to extrapolate corrections to the rest of the Bachelor thesis. In addition to an electronic copy in PDF format, students must submit one bound hard copy of the Bachelor thesis including a signed declaration of independent work in the preface.
Writing a Master thesis is usually a very interactive process involving the supervisor and other members of the research group. Candidates often spend part of the time at a desk in our lab. Some candidates contribute to research projects or publish research results related to the thesis project in scientific workshops or conferences.
Topics for Theses We offer topics for Bachelor theses and advise B. Svetlana Abramova Bachelor Convolutional neural networks for the detection of nearly identical high quality recompression Dr. Svetlana Abramova Bachelor Detectability of selfish mining Univ. Svetlana Abramova Bachelor Development of a software framework for the detection of copy-move text forgeries: analysis of text areas Dr.
Cecilia Pasquini Master Topics in cyber risk and insurance Dr. Daniel Woods Master Why don't users reject all cookies? Visualizing security protocols with counterfactuals Univ. Svetlana Abramova Bachelor Exploring the difficulty of hiding keys in neural networks Dr. Markus Riek Bachelor Consensus from proof-of-work puzzles Univ.
Svetlana Abramova Bachelor Digital signatures to increase security of 2D barcode ticketing systems Dr. Markus Riek Bachelor Eduthereum — A system for storing educational certificates in a public blockchain Univ. Writing a Bachelor thesis The Bachelor thesis should demonstrate that the candidate can solve problems independently and document their own results according to scientific standards.
Content-aware generation of copy-move text forgeries. Convolutional neural networks for the detection of nearly identical high quality recompression. Data-driven empirical analysis of privacy-aware user behavior in Bitcoin and Bitcoin Cash. Development of a software framework for the detection of copy-move text forgeries: analysis of background areas. Development of a software framework for the detection of copy-move text forgeries: analysis of text areas.
Evaluation of a novel blockchain-based distributed ledger. Statistical modeling of individual agent behavior in blockchain-based systems. Theoretical and empirical forensic detection limits in case of slight signal downsampling. Why is it secure? Visualizing security protocols with counterfactuals.
Change management procedures that are simple to follow and easy to use can greatly reduce the overall risks created when changes are made to the information processing environment. Good change management procedures improve the overall quality and success of changes as they are implemented. This is accomplished through planning, peer review, documentation and communication.
Laws and regulations governing Information Security
Below is a partial listing of European, United Kingdom, Canadian and USA governmental laws and regulations that have, or will have, a significant effect on data processing and information security.
Important industry sector regulations have also been included when they have a significant impact on information security. UK Data Protection Act makes new provisions for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information.
The Act has become a model from which several other countries, including Canada and the Republic of Ireland, have drawn inspiration when subsequently drafting their own information security laws. EU Data Retention laws require Internet service providers and phone companies to keep data on every electronic message sent and phone call made for between six months and two years.
The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. Generally, schools must have written permission from the parent or eligible student in order to release any information from a student's education record. The Health Insurance Portability and Accountability Act (HIPAA) requires the adoption of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
It also requires health care providers, insurance providers and employers to safeguard the security and privacy of health data. The Gramm-Leach-Bliley Act of (GLBA), also known as the Financial Services Modernization Act of , protects the privacy and security of private financial information that financial institutions collect, hold, and process.
Section of the act requires publicly traded companies to assess the effectiveness of their internal controls for financial reporting in annual reports they submit at the end of each fiscal year. Chief information officers are responsible for the security, accuracy and the reliability of the systems that manage and report the financial data.
The act also requires publicly traded companies to engage independent auditors who must attest to, and report on, the validity of their assessments. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. State Security Breach Notification Laws California and many others require businesses, nonprofits, and state institutions to notify consumers when unencrypted "personal information" may have been compromised, lost, or stolen.
Personal Information Protection and Electronic Documents Act (PIPEDA): an Act to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means to communicate or record information or transactions and by amending the Canada Evidence Act, the Statutory Instruments Act and the Statute Revision Act.
Sources of standards for Information Security
The International Organization for Standardization (ISO) is a consortium of national standards institutes from countries with a Central Secretariat in Geneva, Switzerland, that coordinates the system. The ISO is the world's largest developer of standards. The ISO "Information technology - Security techniques - A framework for IT security assurance", ISO "Information technology - Security techniques - Code of practice for information security management", ISO "Information technology - Service management", and ISO "Information technology - Security techniques - Information security management systems" are of particular interest to information security professionals.
Commerce Department's Technology Administration. The NIST Computer Security Division develops standards, metrics, tests and validation programs as well as publishes standards and guidelines to increase secure IT planning, implementation, management and operation. The Internet Society (ISOC) is a professional membership society with more than organizations and over 20, individual members in over countries. The Information Security Forum is a global nonprofit organization of several hundred leading organizations in financial services, manufacturing, telecommunications, consumer goods, government, and other areas.
It provides research into best practice and practice advice summarized in its biannual Standard of Good Practice, incorporating detailed specifications across many areas.
It brings Canada into compliance with the requirements of the European Commission's directive. For more information, visit the website of the Privacy Commissioner of Canada. The text of the Act may be found at .
Europe
The right to data privacy is heavily regulated and rigidly enforced in Europe. Article 8 of the European Convention on Human Rights (ECHR) provides a right to respect for one's "private and family life, his home and his correspondence", subject to certain restrictions.
The European Court of Human Rights has given this article a very broad interpretation in its jurisprudence. According to the Court's case law the collection of information by officials of the state about an individual without his consent always falls within the scope of article 8. Thus, gathering information for the official census, recording fingerprints and photographs in a police register, collecting medical data or details of personal expenditures and implementing a system of personal identification have been judged to raise data privacy issues.
Any state interference with a person's privacy is only acceptable to the Court if three conditions are fulfilled: (1) the interference is in accordance with the law, (2) it pursues a legitimate goal, and (3) it is necessary in a democratic society. The government isn't the only one who might pose a threat to data privacy, far from it. Other citizens and, most importantly, private companies engage in far more threatening activities, especially since the automated processing of data became widespread.
This convention obliges the signatories to enact legislation concerning the automatic processing of personal data, which many duly did. As all the member states of the European Union are also signatories of the European Convention on Human Rights and the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, the European Commission was concerned that diverging data protection legislation would emerge and impede the free flow of data within the EU zone.
Therefore the European Commission decided to harmonize data protection regulation and proposed the Directive on the protection of personal data, which member states had to transpose into law by the end of The directive contains a number of key principles which must be complied with.
Anyone processing personal data must comply with the eight enforceable principles of good practice. They say that data must be: Fairly and lawfully processed. Processed for limited purposes. Adequate, relevant and not excessive. Not kept longer than necessary. Processed in accordance with the data subject's rights.
Not transferred to countries without adequate protection. It also includes information regarding the intentions of the data controller towards the individual, although in some limited circumstances exemptions will apply. With processing, the definition is far wider than before. For example, it incorporates the concepts of 'obtaining', 'holding' and 'disclosing'. For more details on these data principles, read the article about the directive on the protection of personal data or visit the EU data protection page.
All EU member states adopted legislation pursuant to this directive or adapted their existing laws. Each country also has its own supervisory authority to monitor the level of protection. For details, visit U. In Germany both the federal government and the states enacted legislation. This introduced a legal risk to organizations which transfer the personal data of European citizens to servers in the USA.
The Safe Harbor program addresses this issue.
ICT Data remanence
Data remanence is the residual physical representation of data that have been in some way erased. After storage media are erased there may be some physical characteristics that allow data to be reconstructed. As early as the problem caused by the retentive properties of computer storage media was recognized. It was known that without the application of data removal procedures, inadvertent disclosure of sensitive information was possible should the storage media be released into an uncontrolled environment.
Degaussing, overwriting, data encryption, and media destruction are some of the methods that have been employed to safeguard against disclosure of sensitive information. Over a period of time, certain practices have been accepted for the clearing and purging of storage media.
A common scenario is where a sales person makes a copy of the contact database for use in their next job. Typically this is a clear violation of their terms of employment. The damage caused by data theft can be considerable with today's ability to transmit very large files via e-mail, web pages, USB devices, DVD storage and other hand-held devices.
Removable media devices are getting smaller with increased hard drive capacity, and activities such as podslurping are becoming more and more common. It is now possible to store 80 GB of data on a device that will fit in an employee's pocket, data that could contribute to the downfall of a business.
Types of data theft
Thumbsucking
Thumbsucking, similar to podslurping, is the intentional or unintentional use of a portable USB mass storage device, such as a USB flash drive or "thumbdrive", to illicitly download confidential data from a network endpoint.
A USB flash drive was allegedly used to remove without authorization highly-classified documents about the design of U. The cost of high-capacity portable USB storage devices has decreased. Networks have grown more dispersed, the number of remote network access points has increased and methods of network connection have expanded, increasing the number of vectors for network infiltration.
Database security
Database security is the system, processes, and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security.
Traditionally databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment existing on the internal network as opposed to being located within a demilitarized zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems along with host-based intrusion detection systems.
Database security is more critical as networks have become more open. Databases provide many layers and types of information security, including access control, auditing, authentication, encryption, and integrity controls. Database security can begin with the process of creation and publishing of appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms; a set of best practices that cross over the platforms; and linkages of the standards to higher level policies and governmental regulations.
An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find vulnerability holes that could be used to break into the database. Database administrators or information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above along with known vulnerabilities within the database software.
The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders. A program of continual monitoring for compliance with database security standards is another important task for mission critical database environments.
Two crucial aspects of database security compliance include patch management and the review and management of permissions (especially public) granted to objects within the database. Database objects may include tables or other objects listed in the Table link.
The permissions granted for SQL language commands on objects are considered in this process. One should note that compliance monitoring is similar to vulnerability assessment with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk where a compliance program is the process of on-going risk assessment.
The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may have effects on the application software or the application server. In direct relation to this topic is that of application security. Application level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is that of a single sign-on capability across multiple databases and database platforms.
A single sign-on system should store the database user's credentials (login id and password) and authenticate to the database on behalf of the user. Another security layer of a more sophisticated nature includes the real-time monitoring of database protocol traffic (SQL) over the network. Analysis can be performed on the traffic for known exploits, or network traffic baselines can be captured over time to build a normal pattern used for detection of anomalous activity that could be indicative of intrusion.
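The baseline approach to database traffic described above, as an added example that is not part of the original text: statements seen during a learning window are reduced to their shape, and live traffic is flagged when it departs from what each account normally does. The record layout, account names, addresses and the tenfold row threshold are assumptions made for illustration, and the records are constructed.

```python
"""Baseline-driven detection over database traffic records (added example)."""
import re
from collections import defaultdict

_STRING = re.compile(r"'(?:[^']|'')*'")        # string literal; '' is an escaped quote
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")     # numeric literal, not digits in identifiers
_INLIST = re.compile(r"\(\s*\?(?:\s*,\s*\?)*\s*\)")
_SPACE = re.compile(r"\s+")


def fingerprint(sql):
    """Reduce a statement to its shape so that only structure is compared."""
    shape = _STRING.sub("?", sql)
    shape = _NUMBER.sub("?", shape)
    shape = _INLIST.sub("(?)", shape)          # IN (1, 2, 3) and IN (4) share a shape
    return _SPACE.sub(" ", shape).strip().rstrip(";").lower()


class TrafficBaseline:
    """Normal pattern per account: statement shapes, client addresses, result sizes."""

    def __init__(self, row_factor=10):
        self.row_factor = row_factor           # assumed tolerance for result-size growth
        self.shapes = defaultdict(set)
        self.sources = defaultdict(set)
        self.max_rows = {}

    def learn(self, event):
        account, shape = event["account"], fingerprint(event["sql"])
        self.shapes[account].add(shape)
        self.sources[account].add(event["src"])
        key = (account, shape)
        self.max_rows[key] = max(self.max_rows.get(key, 0), event["rows"])

    def check(self, event):
        """Return the list of reasons this event departs from the baseline."""
        account = event["account"]
        if account not in self.shapes:
            return ["new-account"]
        reasons = []
        shape = fingerprint(event["sql"])
        if event["src"] not in self.sources[account]:
            reasons.append("new-source")
        if shape not in self.shapes[account]:
            reasons.append("new-statement-shape")
        elif event["rows"] > self.row_factor * max(self.max_rows[(account, shape)], 1):
            reasons.append("row-count")
        return reasons


def ev(account, src, rows, sql):
    return {"account": account, "src": src, "rows": rows, "sql": sql}


# Constructed records, in the form a protocol-aware sensor might emit them.
LEARNING = [
    ev("app_hr", "10.0.5.20", 1, "SELECT name, dept FROM staff WHERE id = 1001"),
    ev("app_hr", "10.0.5.20", 1, "SELECT name, dept FROM staff WHERE id = 1002"),
    ev("app_hr", "10.0.5.20", 38, "SELECT name, dept FROM staff WHERE dept = 'Finance'"),
    ev("app_hr", "10.0.5.20", 41, "SELECT name, dept FROM staff WHERE dept = 'Library'"),
    ev("report", "10.0.5.31", 12, "SELECT dept, COUNT(*) FROM staff GROUP BY dept"),
]
LIVE = [
    ev("app_hr", "10.0.5.20", 1, "SELECT name, dept FROM staff WHERE id = 1017"),
    ev("app_hr", "10.0.5.20", 4800, "SELECT name, salary, ssn FROM staff"),
    ev("report", "192.168.77.9", 12, "SELECT dept, COUNT(*) FROM staff GROUP BY dept"),
    ev("app_hr", "10.0.5.20", 2600, "SELECT name, dept FROM staff WHERE dept = 'Finance'"),
    ev("dba_tmp", "10.0.5.20", 3, "SELECT * FROM staff"),
]


def detect(learning, live):
    """Build the baseline from the learning window, then list (index, reasons) alerts."""
    baseline = TrafficBaseline()
    for event in learning:
        baseline.learn(event)
    alerts = []
    for index, event in enumerate(live):
        reasons = baseline.check(event)
        if reasons:
            alerts.append((index, reasons))
    return alerts


if __name__ == "__main__":
    for index, reasons in detect(LEARNING, LIVE):
        print(index, LIVE[index]["account"], ", ".join(reasons))
```

Because literals are stripped before comparison, a routine lookup with a new id raises nothing, while an unfamiliar statement, client address, account or result size does.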
Such monitoring systems can provide a comprehensive database audit trail in addition to the intrusion detection and, potentially, protection mechanisms. When a network-level audit system is not feasible, a native database audit program should be instituted. The native audit trails should be extracted on a regular basis and transferred to a designated security system where the database administrators do not have access.
This ensures a certain level of segregation of duties that may provide evidence the native audit trails were not modified by authenticated administrators. After an incident occurs, database forensics can be employed to determine the scope. A database security program should include the regular review of permissions granted to individually owned accounts and accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise.
For individual accounts, a two-factor authentication system should be considered in a database environment where the risk is commensurate with the expenditure for such an authentication system. In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident or any other incident that results in an outage of the primary database environment. An example is that of replication for the primary databases to sites located in different geographical regions.
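One way the designated security system mentioned above could later give evidence that the native audit trail was not modified, as an added example that is not part of the original text: each extracted batch is sealed with a keyed hash chain, and a later extraction of the native trail is checked against the sealed tags. The hash chain itself is a technique added here, and the record fields, the key and the batch size are assumptions; the audit records are constructed.

```python
"""Keyed hash chain over extracted audit records (added example)."""
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # chain value before any record has been sealed


def canonical(record):
    """Stable byte encoding so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _link(key, prev, record):
    # Each tag covers the record and the previous tag, so order and gaps matter.
    return hmac.new(key, prev + canonical(record), hashlib.sha256).digest()


def seal(records, key, prev=GENESIS):
    """Run on the security system at extraction time; returns one hex tag per record."""
    tags = []
    for record in records:
        prev = _link(key, prev, record)
        tags.append(prev.hex())
    return tags


def seal_in_batches(records, key, batch_size):
    """Periodic extraction: every batch continues the chain from the last tag."""
    tags, prev = [], GENESIS
    for start in range(0, len(records), batch_size):
        tags += seal(records[start:start + batch_size], key, prev)
        prev = bytes.fromhex(tags[-1])
    return tags


def verify(records, tags, key):
    """Check a later extraction against the sealed tags.

    Returns None when the trail matches, otherwise the index of the first
    record that was changed, removed, or never sealed.
    """
    prev = GENESIS
    for index, record in enumerate(records):
        if index >= len(tags):
            return index                      # record appeared after sealing
        prev = _link(key, prev, record)
        if not hmac.compare_digest(prev.hex(), tags[index]):
            return index                      # edited, reordered or preceded by a deletion
    if len(records) < len(tags):
        return len(records)                   # trail was truncated
    return None


# Constructed key: held only on the security system, never on the database host.
SEAL_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed native audit records.
NATIVE_TRAIL = [
    {"seq": 1, "ts": "2024-03-01T08:00:02Z", "user": "app_hr", "stmt": "SELECT ON staff"},
    {"seq": 2, "ts": "2024-03-01T08:04:40Z", "user": "dba_ops", "stmt": "ALTER TABLE staff"},
    {"seq": 3, "ts": "2024-03-01T08:05:11Z", "user": "dba_ops", "stmt": "GRANT SELECT ON payroll TO PUBLIC"},
    {"seq": 4, "ts": "2024-03-01T09:12:57Z", "user": "report", "stmt": "SELECT ON payroll"},
    {"seq": 5, "ts": "2024-03-01T09:30:00Z", "user": "dba_ops", "stmt": "REVOKE SELECT ON payroll FROM PUBLIC"},
]

if __name__ == "__main__":
    tags = seal_in_batches(NATIVE_TRAIL, SEAL_KEY, batch_size=2)
    rewritten = [dict(r) for r in NATIVE_TRAIL]
    rewritten[2]["stmt"] = "GRANT SELECT ON staff TO app_hr"   # altered after sealing
    print("intact trail:", verify(NATIVE_TRAIL, tags, SEAL_KEY))
    print("rewritten record found at index:", verify(rewritten, tags, SEAL_KEY))
```

The check only has evidential value if the key and the tags stay on the system the database administrators cannot reach, which is the segregation of duties the text calls for.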
Access to administrative data will be granted to university employees only. With special permission, a student may access data if the data pertains to that student or if that student is also an employee of the university.
Individuals outside the university can be authorized access to university data only if that authorization is granted by an Executive Officer of the university. This policy only covers administrative aspects of academic and research units.
Reason for Policy
Carnegie Mellon University maintains data which are essential to performing university business. These data are to be viewed as valued resources over which the university has both rights and obligations to manage, secure, protect, and control.
This policy secures and protects data defined as administrative data stored in and accessible by university-owned computing systems and accessible by university employees in their official university capacities. In addition, this policy addresses the broader data issues of the rights and responsibilities of authorized persons in the handling, as well as the security and protection, of university data.
This individual performs in a supervisory or managerial capacity and is responsible for the data residing in the designated system. The responsibilities of the Data Owner are to: Ensure proper operating controls over the application in order to maintain a secure processing environment; Ensure accuracy and quality of data residing in application; Approve all requests for access to and update capability for the specific application; Ensure system issues impacting the quality of data within the system are properly reported and adequately resolved.
On an annual basis, the Data Owner and the Data Security Officer will review the current set of access and update capabilities granted to each individual on the system in order to ensure that no changes are necessary.
Stewardship of Administrative Data
In addition to the Data Owner, others will process and handle data in the course of the administrative cycle.
They too will be responsible for the security of the data. These individuals and divisions include:
Data Security Officer
The Data Security Officer is responsible for all systems-related security issues associated with a particular application.
A Data Security Officer will be appointed by the Assistant Vice President, ACIS, for each application and will act as the contact person for establishing, altering or deleting computer user ids and determining data access needs within a system. In designing or updating systems, Administrative Computing and Information Services must be aware of any security impacts of such designs and ensure that proper security control is programmed into each application to provide a secure computing environment and adequate protection of data.
Computing Systems
Computing Services maintains and operates the equipment upon which most central server administrative applications reside. It is the responsibility of Computing Services to ensure adequate physical security over such equipment, restrict equipment access to authorized personnel only, and adequately assure that output containing confidential information is properly safeguarded.
Responsibilities also include maintenance of operating system-level security specific to the computing equipment under their jurisdiction.
Administrative Computing Security Committee
The Administrative Computing Security Committee is responsible for the maintenance of a secure administrative processing environment at Carnegie Mellon.
The committee formulates overall policy, addresses issues impacting computer security, and reviews situations involving violations of computer security policy.
Data Accessibility
Because different types of data require different levels of security, data is classified into four categories: Public Information, Campus-Wide Information, Restricted Information - Moderately Sensitive, and Restricted Information - Highly Sensitive. Each category is explained below. For detailed examples of accessibility by data type, see the Appendix, Table 2.
Public Information is available or distributed to the general public either regularly or upon request. Prevention of disk scavenging (obtaining disk space that contains another user's data). Maintenance of an audit record of security events, as well as authorized or unauthorized files access. Ability for idle terminals logged into applications to be disconnected after a minute period.
An encryption system to provide a high level of security for sensitive data transmission files. Security enhancements or improvements needed to meet acceptable security levels. Interaction with other systems and related security implications. The Data Security Officer and Administrative Computing and Information Services should examine application-level security on a system-by-system basis. Because of the complex interaction with other applications, the operating system, the underlying databases, as well as the needs of the user community and the nature of the data, there are many intervening factors which preclude an overall policy for application-level security.
The security features of any new software will always be considered a priority in the selection and development of such software.
Network
Interactive access to applications occurs in many ways, e. Any local area network must be physically secure, and it is the responsibility of each person authorized to access administrative information to ensure the physical security of the local area network on which they operate.
The login process should transmit only encrypted passwords across the network. Unauthorized persons shall not be permitted to access portions of the networks being used for transmitting university administrative data.
Establishing Backup and Recovery Procedures
Backup and recovery procedures must be developed and maintained for all administrative computing systems and data.
The following requirements must be met: Provisions for regular backup of data residing on the system. Storage of backup media at a location remote from the processing center. The Data Security Officer should periodically review backup and recovery procedures to ensure their continued applicability.
Protecting and Managing Passwords
Passwords are a critical component of any computer security program. To properly control passwords and maintain their integrity, the guidelines below will be followed: Passwords will automatically expire every 90 days, or more frequently in cases of user ids with access to very sensitive data.
Users must never give out their personal password to anyone; sharing of passwords is a violation of this policy. As part of the educational process, the Data Security Officer will provide users with guidelines for selecting and changing their passwords. A password monitoring program will run weekly to check for insecure passwords. For example, the program would check to see if the user's first, last or middle name, user id, or other common words like "system," are used as passwords.
If a user is found to have an insecure password, the program will notify them to change it. If the password has not been changed within one week, the user will again be notified, and the Data Security Officer will also be notified. Generic user ids will not exist, except as the source for the production, maintenance, and development of application systems.
In cases where many people log in under a single user id, audit trails and system statistics become ineffective in assigning responsibility. Appropriate operating system security alarms will be activated, and available auditing tools will be in use.
Managing Systems for Employee Turnover
When an employee terminates employment with a department or the university, follow the guidelines below.
Immediately change or remove the passwords for those user ids to which an employee leaving the university has had access or update capabilities. This standard practice serves to protect the employee in the event of any problems and the university systems against possible tampering. Monitoring such user ids is primarily the responsibility of user area management, with assistance from the Data Owner and the Data Security Officer.
When an employee's termination is processed by the Human Resource Information System, the Computer Billing System will automatically receive notification. Upon receiving this notification, the user id will be suspended, and the Data Security Officer will be alerted so that any necessary files may be retrieved and the user id is deleted.
Reinstatement will require the same level of authorization as establishing a new user id.
User Security Procedures
Requesting Authorization for Administrative Data Access Capabilities
If you wish to gain access to administrative data, follow the steps below: 1. Complete a Request for Data Access form. Make sure that you and your immediate supervisor have signed the form.
This form certifies that access to the specific application or data sets is related to the completion of your work responsibilities. Send the form to the Data Owner who reviews the form and evaluates the request with respect to the data that will be made available. If your request is approved by the Data Owner: 1. The Data Owner signs the form as evidence of approval. The form is forwarded to the Data Security Officer. The Data Security Officer reviews the form and ensures that the action to be taken will not breach data security from a systems perspective.
The Data Security Officer is also responsible for identifying the most appropriate method of granting your request. Once this process has been completed, you will receive a new user id and password, along with the original request form and any necessary instructions. The form will be returned to you with an explanation of the reason(s) for rejection.
If you have been denied access, you may appeal to the Administrative Computing Security Committee for review. The judgment of the committee is final in all cases. Requesting Access to Restricted Information 1.
Requests for access to information for multiple divisions or university-wide must be signed by the provost or appropriate vice president. Authorization is to be granted to employees who have job responsibilities requiring the information requested. State whether you require one-time access or continual access.
Requesting Authorization for Administrative Data Update Capabilities
Sometimes when you request authorization to access data, you may also want to request the ability to update data within an administrative application.
The responsibility for approving such capabilities rests solely with the Data Owner. In general, such update capabilities are to be limited to individuals working in the organizational area(s) supported by the specific application or system, e. It is important to emphasize that data update capabilities will be limited to those who require the capabilities to successfully meet their job responsibilities.
The Data Security Officer ensures that update capabilities are made available only to authorized users and that data not authorized for update will be satisfactorily protected. When new applications are being developed or significant changes are being made to existing systems, general guidelines will be established to define who should have data update capabilities.
The Data Owner is responsible for determining: Which data within administrative systems are appropriate for distribution. The methods and timing of distribution. The Data Owner must ensure that: The information distributed is in compliance with any regulatory requirement e. The distribution methods or non-system data storage i.
The Data Security Officer provides assistance in coordinating security measures over data distribution with Computing Systems and Administrative Computing and Information Services personnel.
Maintaining Confidentiality of Restricted Data
In the course of accessing data or information, you might access restricted information within the particular database. It is the responsibility of the Data Owner to ensure that all individuals with access to restricted data are aware of the confidential nature of the information and the limitations, in terms of disclosure, that apply.
When accessing restricted information, you are responsible for maintaining its confidentiality. The granting of a user id and password assumes that you will maintain confidentiality over appropriate information without exception.
The release of restricted data without the express approval of the Data Owner or outside the guidelines established for such data will not be tolerated. Unauthorized release of restricted information will result in appropriate disciplinary action, including possible dismissal. Matters involving students will be reviewed with the dean of student affairs.
Matters involving individuals not affiliated with the university will be reviewed with the university attorney. Such reports will be held in strict confidence and promptly investigated by the committee. Likewise, Data Owners and Data Security Officers are responsible for reporting security breaches identified during the course of their responsibilities to the Administrative Computing Security Committee. Upon notification of possible security breaches, the Administrative Computing Security Committee will investigate all facts related to the situation and recommend appropriate disciplinary action to university management.
Enforcing Penalties for Unauthorized Data Access or Disclosure Unfortunately this body has not been set up here in Gambia. All individuals with responsibility over or access to administrative data at Carnegie Mellon are expected to follow the policies and procedures in this document and to exercise discretion with regard to such information. The following steps will be taken: 1. Upon the identification of a potential breach of security or a misuse of information, the Administrative Computing Security Committee will meet to review the specific situation.
The Committee will present a recommendation to university management for action. Responsibilities The following shows the responsibilities each party has in connection with this policy. You individual requesting access Complete Request for Data Access form.
Get required signatures for form. Use system, application and data responsibly. Maintain data confidentiality of restricted data. Report incidents of possible security breaches. Ensures maintenance of a secure processing environment. Recommends university policy regarding administrative data and computer security.
Addresses issues impacting computer security. Reviews situations involving violations of computer security policy. Analyzes security impacts of programs. Ensures that proper control is built within a system to provide a secure computing environment and to protect data. Computing Systems Operates the equipment on which most of the administrative applications reside. Ensures adequate physical security over the equipment. Ensures proper processing of administrative applications within user-established timetables.
Assures that output containing restricted information is properly safeguarded. Data Owner Determines what data are appropriate for distribution and update. Ensures proper operating controls over the application to maintain a secure processing environment.
Ensures accuracy and quality of data residing in application. Approves all requests for access to and update capability for the specific application. Ensures system issues impacting the quality of data within the system are properly reported and adequately resolved. Reviews annually, in conjunction with the Data Security Officer, the current set of access capabilities granted to all individuals on the system to ensure that the status is current and accurate and that no changes are necessary.
Data Security Officer Evaluates and controls all system access. Acts as contact person for the establishment, alteration or deletion of computer user ids and data access needs within a system. Evaluates and resolves all systems-related security issues for a particular application. Provides guidelines for system security, e. Reviews annually, in conjunction with Data Owner, the current set of access capabilities granted to all individuals on the system.
And such Information whether internal or external must be kept properly and well protected from intruders, hackers and unauthorized individuals. Organizations across the globe in every industry sector are under increasing pressure and scrutiny to maintain the security and integrity of their data.
Companies are faced with an enormous liability if sensitive, business critical, or confidential information gets into the wrong hands. Although information security has traditionally been the responsibility of IT departments, some companies have made it a business issue as well as a technological one.
Companies are now adding strategic, operational, and organizational safeguards to the technological measures they currently employ to protect corporate information. Delegating security to technologists also ignores fundamental questions that only business managers can answer. One on-line retailer, Egghead. Egghead, of course, had security systems in place and claimed that no data were actually stolen, but it lacked the kind of coordinated organizational response necessary to convince customers and shareholders that their sensitive data were actually secure.
Information security means the appropriate protection of information, systems, services and data communications by administrative, technical and other measures both in ordinary and exceptional circumstances. The confidentiality, integrity and availability of information is protected against threats and damage caused by faults in hardware and software, natural events and willful, negligent or accidental events. The central concepts of information security have the following meanings: Confidentiality: information and systems are accessible only to those authorized to use them.
Third parties are not given a possibility to alter or destroy information nor to process it otherwise. Integrity: information and systems are reliable, correct and up-to-date and they have not been altered nor can they be altered in an uncontrolled way as a result of hardware or software faults, natural events or human activities.
The information has not been destroyed nor can it be destroyed as a result of faults, events or other operations. Other general requirements of information security include the verification of the parties and the non-repudiation of a transaction, which are especially important when it must be possible to identify the users of the system, for example for interactive electronic communications or remote work.
Authentication means reliable identification of the parties person or system. Non-repudiation means subsequent legally binding proof of what has happened. Non-repudiation ensures that the other party cannot deny its actions afterwards. The operations of public administration are extremely dependent on data and information technology. Information society development, internationalization, networking and the transfer of operations and services to data networks further enhance their significance.
Information security is the means to ensure the management of important information and the continuity of operations. Information security is also important because public administration processes a lot of important information, such as personal data, financial information and documents of various organizations. Some of the information has to be kept secret or it is sensitive or otherwise confidential.
Information to be kept secret means documents and information provided secret by the law. Certain documents of the authorities to be kept secret are governed by a security classification. Therefore it is important that the information does not, willfully or otherwise, end up in the hands of unauthorized parties.
In addition, public administration involves a lot of information that is not to be kept secret but which is public in nature, but we must ensure that also this information is correct, unaltered and accessible and processed according to the law. In large part, the expanding loss of sensitive data can be attributed to security efforts mainly concentrating on network security rather than data privacy. Until recently, the industry has seen network security primarily in terms of the defenses deployed against external threats.
However, such security infrastructure is beginning to struggle to keep up with the evolution of organizational working behaviors and advancing threats to the privacy of information. Common data security problems faced by government and industry include: Perimeter security, consisting of firewalls, intrusion detection systems (IDS) and anti-virus measures, forms the 'Front Line' of tools used to create a trusted network.
Such security infrastructure provides little protection for data at the asset level against the risk of a savvy hacker breaking through the firewall into the organization's network and gaining access to unprotected data. The increased work practice of saving data centrally on file servers and databases, multi-site network connected workstations and laptops, outsourced storage providers, plus the growing use of mobile data storage media, has escalated internal digital asset security risks. The encryption of data files stored on network file servers and workstations often imposes restrictions on user access and can reduce employee productivity.
The exposure of personal information of customers and employees can violate civil and criminal privacy laws in many regions of the globe. The vulnerability of sensitive information stored within an Application Service Provider (ASP) external data storage facility. This includes the risks of who can gain access, plus the susceptibility of data traffic traversing the non-secure Internet between the outsourced external server and the client device within the organization.
Data encryption delivers the ultimate level of defense to assist protection against the above, and many other threats. Hackers and data thieves who are savvy enough to penetrate the strongest levels of perimeter security still face the ultimate challenge of deciphering the encryption algorithm to unlock the encrypted data.
This additional layer of defense, utilizing industry proven encryption algorithms to protect asset level data at rest, is virtually impossible to break. Disk encryption encrypts the entire hard drive of a laptop, workstation and server, to protect against disclosure of its information in the case of theft, accidental loss, or disposal of the hardware device. File Encryption with cryptographically endorsed access control, encrypts files and folders of confidential information within network connected servers, workstations and laptops.
Access rights to encrypted files and folders can be easily managed for individuals and groups within the organization. This ensures that sensitive electronic information remains confidential against both internal and external threats of loss, theft and unauthorized exposure. Only those identities with authenticated access have the ability to read, write and modify the applicable files.
Portable media encryption enables secure, encrypted transfer and storage of confidential data files on unprotected mediums (local, portable and on the network) that are difficult to defend by conventional network mechanisms employed within perimeter security. Each of the Eracom Technologies data encryption products, ProtectDrive, ProtectFile and ProtectPack, is a robust solution for the protection of electronic information where confidentiality is imperative.
When used in combination, this range of data encryption products can provide a heightened level of security. As more transactions take place over unsecured networks, there is a huge exposure and increasing threat of disclosure of PINs and fraudulent transactions. Magnetic stripe card standards have evolved from single DES based systems to triple DES based systems to increase the strength of the cryptography to prevent possible attacks.
There is also an increasing need to introduce smart card based systems such as EMV to replace magnetic stripe cards. The cryptography used by these systems protects transactions and authenticates terminals and other nodes to protect PINs as they travel across global networks for verification by the issuing institutions.
They also support EMV smart card transactions. Card Management To meet the increasing regulatory requirements for stronger user authentication for electronic transactions, major financial bodies have adopted smart card systems. With this increasing use of smart card technologies by financial institutions and large organizations, there is a growing need for centralized and secure management capability to maintain large volumes of cards.
PKCS #11 (also known as Cryptoki) is the specification for the cryptographic token interface standard. It defines a technology-independent programming interface for cryptographic applications such as smart cards, PIN authentication and validation, certificate generation and management, and for the support of emerging crypto services. ProtectToolkit C provides an open interface to work with various application providers. This security API framework is designed to allow developers to incorporate both low-level and high-level security functionality into their program.
Solution ProtectToolkit J is a flexible, performance-optimized, full-strength software crypto toolkit for all popular computing platforms. The strength of a cryptosystem is dependent on the storage and management of the keys.
Only hardware security modules such as Eracom Technologies' ProtectHost and ProtectServer family products can afford a much higher level of security owing to the built-in tamper-response feature, scalability, random number generation ability, and the highest assurance. The loss of a laptop computer equates to the enterprise having to deal with more than just the cost of the device.
File Encryption with cryptographically endorsed access control, delivered by Eracom Technologies ProtectFile, encrypts files and folders of confidential information within network connected servers, workstations and laptops. This ensures that sensitive electronic information remains confidential against both internal and external threats of loss, theft and unauthorized exposure.
Portable media encryption, delivered by ProtectPack, enables secure, encrypted transfer and storage of confidential data files on unprotected mediums (local, portable and on the network) that are difficult to defend by conventional network mechanisms employed within perimeter security. In April , a deliberate theft of data from the McCombs School of Business served to highlight the necessity of this commitment.
The alert may be renewed indefinitely. The McCombs Help Center page addresses many subjects regarding the data theft, as well as questions involving credit and credit protection. Jay Foley Interview Jay Foley, cofounder of the nonprofit Identity Theft Resource Center, discusses the growing problem of data theft and identity theft in America.
Since the data theft in April, , the University focused its work on three areas relating to the data theft and the issue of data security in general: Security: Ways we are improving security measures to ensure this never happens again. Remediation: Steps being taken to lessen the exposure of Social Security numbers in our systems. Protection: Resources and tips for responding to identity theft concerns.
Security We carefully examined all of our existing security systems. In addition, we called in independent consultants and major IT firms to do a comprehensive evaluation of our systems and applications. Specific security steps were implemented to eliminate vulnerabilities. We cannot comment in detail on the steps taken, as it would not be in the interest of ongoing security, but we can tell you that we took definitive steps to secure the safety of information on our server.
This includes removing all Social Security numbers from the McCombs server, and disabling several administrative programs containing personal information. We cooperated with law enforcement authorities. Internet security and data theft are obviously enormous global problems, and any institution with a substantial database is at risk.
Data theft is a serious crime. While we still do not know who committed this crime, it is apparent from the evidence that this was a dedicated, highly skilled attack carried out by someone who knew exactly what they were doing. We do not know the motivations for the theft. We added security resources. McCombs has significant resources dedicated to computer system functionality and security, and we added additional security expertise and technical capability to ensure that we can fully implement the recommendations highlighted by our security audits.
We have disabled several administrative programs, and removed all Social Security numbers from the McCombs server. The University has an active remediation effort campus-wide. The University has spent tens of thousands of work hours and millions of dollars upgrading our databases to eliminate sensitive data where possible. But this is being taken very seriously, under direction of the Information Security Office. Protection UT Austin communicated with nearly , individuals regarding the theft.
Tens of thousands of all-clear e-mails and letters were sent, followed by an additional 60,plus letters to those with non-sensitive information compromised. The University far exceeded the legal notification requirements, and made an attempt to contact everyone for whom we have a valid address or e-mail. Our call center and response teams handled thousands of inquiries. Our data theft call center handled over 9, calls from concerned individuals, and our on-site response team followed up with approximately 6, personal calls or e-mails, answering specific questions and gathering updated contact information.
Identity protection resources have been shared. This site provides valuable information to help protect against identity theft, including step-by-step instructions on filing a free day fraud alert. In addition, we provide links to both government resources and commercial programs for credit protection and monitoring. We will report any evidence of identity theft. To date, the University has not seen any patterns of identity theft resulting from the data theft at McCombs.
It has been estimated there are over 50 million data thefts every year, so naturally it would be difficult to link a specific incident of identity theft to this particular crime. However, we are taking any report of suspicious activity seriously, and are turning that information over to authorities investigating this crime. Is your company keeping information secure? Most companies keep sensitive personal information in their files and on their computers--names, Social Security numbers, account data--that identifies customers or employees.
But if sensitive data falls into the wrong hands, it can lead to fraud or identity theft. Safeguarding sensitive data is just plain good business. Are you taking steps to protect personal information? A sound data security plan is built on five key principles: Take stock. Know what personal information you have in your files and on your computers. Scale down.
Keep only what you need for your business. Lock it. Protect the information you keep. Pitch it. Properly dispose of what you no longer need. Plan ahead. Create a plan to respond to security incidents. Physical access to key areas such as computer server rooms and storage areas must be restricted to necessary personnel only. These areas are to be locked at all times. To protect data information from hackers and other forms of sabotage, the following will be implemented: A. Firewall(s) B.
As you go down the list below, the proposals get older, but they are still useful to get ideas for possible directions: if an older idea appeals to you, there are often possibilities for newer follow-up projects in a similar vein, with the same supervisor or, in the case of external projects, at the same external organisation. NB You should start talking to people well before - i. If you want to do an external project outside the university, you can look for such opportunities by yourself, but staff members of the Digital Security group may also have useful contacts for this, so talk to them.
For more general info about administrative procedure see the Master Thesis webpage or Research Internship webpage. If you are doing the Master Information Science also check out the webpage with Information Science projects. Looking at the personal home pages of staff members in the Digital Security group may also give some ideas. Some staff members maintain their own list of thesis topics, eg. Jaap-Henk Hoepman. If you're interested in the organisational side of cyber security, consider joining the PvIB, the Dutch professional organisation for information security.
Student membership costs 10 euros and allows free participation of all events, incl. Nearly all these events are in Dutch, so this is only for Dutchophones. Other sources of inspiration: the archive of MSc theses and the archive of Bachelor theses.
Attribute-based encryption (ABE) is a cryptographic primitive that allows access control already at the cryptographic level. Unlike public-key encryption, ABE schemes allow encrypting messages to multiple receivers. A plaintext can be encrypted and sent to all parties who can satisfy a policy expressed in terms of attributes. Since , many schemes have been proposed to improve both the theory and applicability of ABE.
On the one hand, theoretical challenges include the modelling of often counter-intuitive concepts around ABE as well as the cryptographic implementation of contrasting requirements. On the other hand, there are many practical challenges. Some content, for instance, stored in the cloud encrypted with some attributes can only be decrypted by the appropriate parties sometimes only in the future.
Also, ABE is relevant in storing medical data. Different parts of such information can be encrypted with different attribute policies, which enables various medical staff to access data that are pertinent for them.
Currently, we are working on a deeper understanding of the entire ABE landscape. In this effort, we systemise all relevant schemes. This is a much needed goal because of the variety of schemes and the confusion that surround ABE. As the field is dynamically evolving while already many established concepts are available, this is a good point in time to create an online, public catalogue of ABE schemes and characteristics. In this research internship, you will have the opportunity to get acquainted with an important cryptographic research field and to find the best way to represent it on the web.
The initial content will already be included in the database. You will also propose an easy and user-friendly way for other researchers to add new ABE schemes in the future. Bitcoin relies on vast amounts of distributed computing power to ensure the integrity of the blockchain that records the history of bitcoin transactions, and hence consumes a huge amount of energy see e.
An interesting question is what the carbon footprint of bitcoin mining is, or phrased differently, what the impact of bitcoin mining is on the environment. Some bitcoin miners obtain their electricity from coal-fueled power plants, while other rely on more sustainable, renewable energy sources such as solar, wind, hydro, or geothermic energy. It is however not clear at the moment what mix of energy sources is used in bitcoin mining.
The goal of the research project is to estimate this energy mix. Thesis projects. Remote Document Encryption (RDE), invented by Eric Verheul in , is a trick to use the cryptographic functionality of the chip in an e-passport to send someone an encrypted file that they can only decrypt using their passport. An external company uqu. The internship work will be in cooperation with Surf, who will also provide access to a Surf Filesender test and development environment and guide the students in understanding Surf Filesender.
Surf will also provide the students with an internship fee. Contact Eric Verheul for more info June Contact Erik Poll, erikpoll cs. Contact Greg Alpar g. If you are interested to work on a topic from physical security such as side-channel analysis and countermeasures, fault analysis, etc. You could be applying e. The projects can be carried out at the university side working in our side-channel lab or at Riscure as internships.
Contact: Lejla Batina. At SURFnet in Utrecht there are typically some possibilities for doing research internships or Master thesis: see SURFnet's project page For a research internship: define a model to evaluate the security of various solutions for "data vaults" for personal data, such as Digi. UwKluis , A rigorous comparison also requires coming up with well-defined attacker model as a basis for the evaluation.
Contact: Bart Jacobs. SIDN, the foundation in charge of the. They have a research lab there, called SIDN labs, that works on the security and stability of the internet and new developments for the future internet. The blog of SIDN labs gives a good indication of possible topics. The project would suit students with knowledge of network and security protocols and some familiarity with pentesting or digital forensics, and scripting languages like python.
Contact: Amanda Kop Detecting security vulnerabilities in C-code using machine learning; project at the company Riscure. More info on Harald Vranken's MSc project page. This could be a project at the company Riscure. Energy analysis of connected and automated vehicles. Research internship project: Exploring the energy-mix of bitcoin mining Bitcoin relies on vast amounts of distributed computing power to ensure the integrity of the blockchain that records the history of bitcoin transactions, and hence consumes a huge amount of energy see e.
A more practical direction, more for a research internship, would be looking at possibilities to generate some code from specs e. Contact Jan Tretmans or Erik Poll. Software house InfoSupport has several options; see also here or here. TNO is looking for students for projects on Automated analysis of cyber-attacks using attack-defence graphs in Groningen and on Autonomous Response Orchestration for programmable networks in The Hague.
The Ampersand tool generates an information system from a design. The project, co-supervised by prof. Stef Joosten, consists of investigating and improving security of the generated code, and proving security claims of the generated code. Together with researchers from Rice University (USA), we are investigating the extent to which websites are detecting adblocking, the rate at which adblockers and websites update their tricks to outdo one another, etc.
Telling a webbrowser from a webcrawler. Various researchers and companies are using webcrawlers to gather information from the internet. However, some sites might want to show a crawler (e.g. Google's crawler) a different result than normal users. Other sites might try to ban crawlers, or show them bogus information. This brings to mind various questions: to what extent are websites trying to detect and distinguish webcrawlers from "actual" traffic?
Can a webcrawler detect that such measures are in place i. Is it possible to distinguish between a headless browser, a scripted browser, and a browser in use? Crawling with fake fingerprints. Web sites know more and more about the users who visit them. They tailor their pages to the individual visitor based on this. If a web crawler visits such a page, there might be some adaptation going on as well.
This project seeks to investigate such adaptations and augment a web crawling infrastructure to control the fingerprint visible to the visited web site. Compumatica in Uden develops high-end network security solutions. Another topic would be comparing different open source Mandatory access control (MAC) solutions e. Contact Peter Schwabe to get in touch with the folks at Compumatica. If you want to do your Master thesis at one of the Max Planck institutes in Germany, e.
Talk to Peter Schwabe for more info. There are possibilities for a Master thesis looking into security and privacy issues of use case and realisation. If you're into crypto-protocols using ElGamal and the implementation of them on smartcards: with Morpho (formerly de Staatsdrukkerij SDU, the company that for instance produces the Dutch passports), there are opportunities to look into ways to realise authentication schemes using pseudonymisation.
Contact Eric Verheul. More recent project proposals may be available here. CCV in Arnhem is a large supplier of payment terminals and also provides associated services for the processing of financial transactions.
Security in Distributed Databases A DIRECTED STUDY PROJECT SUBMITTED TO THE FACULTY OF THE GRADUATE SCHOOL OF COMPUTER INFORMATION SYSTEMS.
Chapter 5 contains data analysis for case study based on theoretical framework and empirical data. And finally, Chapter 6 concludes the research by describing.