Høgskolen i Gjøvik


Information Security 2007

Full time students - handing in July 1 2007

Student Name | Thesis Title | Assigned By | Teaching Supervisor
Aas, Lars Mikkel | Usability and security in a messaging prototype for mobile phones | NISlab | Einar Snekkenes
Andersson, Line | Computer crime in Norway (Datakriminalitet i Norge) | - | Frode Volden
Andreassen, Freddy Lønne | Are the Norwegian Internet users ready for the new threats to their information | NISlab | Einar Snekkenes
Borgen, Halvor | The effect of eye disease and aging of the eye on biometric authentication | NISlab | Stephen Wolthusen
Espedalen, Jeanne Hammer | Attack Trees Describing Security in Distributed Internet-Enabled Metrology | NISlab | Stephen Wolthusen
Guerreiro, Bruno | Continuous Authentication Using Keystroke Dynamics | NISlab | Patrick Bours
Lazghab, Souheil | Single Sign-on Using Trusted Hardware | NISlab | Chik How Tan
Myrmo, Halvar | Game consoles - are they secure? | NISlab | Espen Torseth
Rundhaug, Fred Erlend N. | Keystroke dynamics - Can attackers learn someone's typing characteristics? | - | Patrick Bours
Skar, Tom Andre | Training, supervision, regulation - do they give better information security? (Opplæring, tilsyn, regelverk - gir det bedre informasjonssikkerhet) | - | Frode Volden
Skjølsvik, Stian | Framework for generating IDS benchmarking data sets | NISlab | Slobodan Petrovic
Stang, Øyvind | Gait analysis - Is it easy to learn to walk like someone else? | NISlab | Einar Snekkenes
Storløkken, Roger | Labelling clusters in an anomaly based IDS by means of cluster quality indexes | NISlab | Slobodan Petrovic

Part time students - handing in November 1 2007

Student Name | Thesis Title | Assigned By | Teaching Supervisor
Hauge, Odd Chr. | An IDS system internal in an ERP system | NISlab | Slobodan Petrovic
Palm, Kai Gustav | Survey of security mechanisms in, and the prevalence of, wireless LANs (Kartlegging av sikkerhetsmekanismer i og hyppigheten av trådløse LAN) | NISlab | Jan Arild Audestad
Reed-Mohn, Anders | Incident reporting system | NISlab | Jose J. Gonzalez
Smedstad, Ingar | Incident reporting systems - A case for the Norwegian offshore | NISlab | Jose J. Gonzalez
Sporild, Morten | Method for evaluating authentication system quality | NISlab | Slobodan Petrovic
Svendsen, Katrine Aam | Secure Off Site Backup at CERN | CERN, Switzerland | Chik How Tan
Syvertsen, Jon Petter | Insider Threat | - | Jose J. Gonzalez

Abstracts

Aas, Lars Mikkel


Usability and security in a messaging prototype for mobile phones

Messaging through today's GSM network is not secure. This thesis will use standard cryptography and Java 2 Micro Edition (J2ME) to build a prototype for secure messaging on a modern mobile phone. The prototype will be tested in an operative real-life setting, in order to learn about its usability and about people's ability to send and receive secure messages successfully. The results will be analysed and compared with other systems built for other environments.

As it stands, SMS on a standard mobile phone is not particularly secure. For electronic mail there are many systems for secure communication. How can similar functionality be achieved for messaging on mobile phones, using standard cryptography and standard phones?

Why on a mobile phone?

Until now SMS messaging has been rather innocent and trivial in its use, but more and more of our business communication is based on SMS messages, and even the security systems of banks and intranets make use of SMS. The number of SMS messages sent keeps increasing, and so does the range of uses, but the security has not been adjusted accordingly.

It is time to bring security and privacy onto our mobile phones as well.

It is unlikely that mobile phones will be used as government or military crypto devices; such organisations have the resources to manage this on their own. But their devices are often big and clumsy, designed for one purpose only, based on relatively old technology, and, as usual, subject to strict policies regulating their use.

So on the one hand we have these expensive high-grade crypto devices, and on the other hand our standard GSM mobile phone. Small, agile devices such as mobile phones can fill the gap between the high-grade crypto systems described above and the insecure services of the GSM network.

Research questions

  • Which available solutions offer secure messaging, and what are their costs, advantages and disadvantages?
  • To what degree is it possible to make a prototype for mobile phones with a satisfactory level of security, and how is this best achieved?
  • How well does such a prototype perform compared to similar systems on other platforms?

Andersson, Line


Computer crime in Norway (Datakriminalitet i Norge)

The master's thesis will investigate why Norwegian organisations rarely report computer break-ins and security incidents to the police. The starting point is the Mørketallsundersøkelsen (the Norwegian "dark figure" survey) for 2006, an information security survey whose focus is to uncover how many organisations experience computer break-ins and security incidents without reporting them. Based on it, two questionnaire surveys will be carried out. The first will be conducted among members of ISF (IT-SikkerhetsForum) and will be based on a subset of the questions from the Mørketallsundersøkelsen; its purpose is to investigate to what extent the findings of the Mørketallsundersøkelsen coincide with the results of a survey among ISF members. The second survey will focus on organisations' perception of the Mørketallsundersøkelsen. In addition, interviews will be conducted with organisations that have reported computer break-ins or security incidents, in order to map their experiences.

The main purpose of the thesis is to contribute to Norwegian organisations reporting computer break-ins and security incidents to the police to a greater extent in the future. It is therefore planned to produce, among other things, a guide to reporting computer break-ins and security incidents, and a guide on how to proceed when one suspects that a break-in or security incident has occurred.

Andreassen, Freddy Lønne


Are the Norwegian Internet users ready for the new threats to their information

In light of surveys by, among others, the Office of the Auditor General (Riksrevisjonen) [2-3] and the Data Protection Authority (Datatilsynet) and others [4-5], we see that there are in part large deficiencies in the information security work of the public sector. We want to look at what has been done in this area in Norwegian municipalities. We also expect to find differences in how far the municipalities have come in this work, depending on, for example, size, finances and location.

From the results we hope to identify success factors for succeeding with information security in municipalities. These may be properties of the municipality, such as size, number of inhabitants, finances, location and so on. Succeeding with information security can be defined as an improvement over time in, for example, password strength and the number of security incidents. It is natural to assume that finances play a large role, but they are not necessarily the only thing that matters: even if one could spend large resources in this area, that is not necessarily a guarantee of success.

Research questions

  1. What is the status of information security work in Norway's municipalities?
  2. Do properties of a municipality play a role in succeeding with information security work?
  3. Are the available guidelines used?

Borgen, Halvor


The effect of eye disease and aging of the eye on biometric authentication

Biometric authentication is based on the physiological and behavioural features of a human being, and these are increasingly used to produce secure and reliable methods of authentication. There is very little information available, if any, about the effects of eye disease and aging of the human eye on biometric authentication, namely iris and retina recognition. Two of the few things that are absolutely certain in this world are that people get older and that people get sick, so these are important factors to look at.

The master thesis topic is eye disease and aging of the eye, and how this affects iris and retina recognition as means of biometric authentication.

In the course of this MSc project, several diseases and aging-related effects are to be selected and investigated. These shall include but not be limited to glaucoma, macular degeneration (both wet and dry), cataracts, and pathological angiogenesis.

For each of these pathologies, a simulation of the typical disease pattern is to be designed and applied to a set of iris and retina images in such a way that a progression of the respective pathology can be applied and presented to sensors.

To ensure that the simulations are realistic, they shall be reviewed by subject matter experts (i.e. ophthalmologists), and a comparison with actual instances of the simulated pathology shall be carried out.

To assess the impact of the pathology on recognition accuracy, an experimental protocol is to be designed in which a selected number of algorithms (including the Daugman algorithm for iris recognition) are presented with the results of the simulation. This experiment shall then be conducted, evaluating the recognition performance of the selected algorithms when confronted with the simulated disease and aging patterns.

Espedalen, Jeanne Hammer

Attack Trees Describing Security in Distributed Internet-Enabled Metrology

Security in a distributed Internet-enabled metrology system such as iMET is of vital importance if customers are to have enough confidence in the system to request the services offered. Accreditation authorities will also require a certain level of confidence in the system's security before accepting its use.

The system should have built-in mechanisms to:

  • Ensure traceability in calibrations, which comprises:
    • Correct and controlled measurement procedure
    • Correct measurement set-up
    • Correct calibration results
    • Control of measurement uncertainties
  • Protect the customers' instruments in the measurement set-up
  • Protect the calibration authority's measurement standards
  • Protect the customers' data systems
  • Protect the calibration authority's data systems

The security issues that have to be considered to ensure the above comprise data integrity for measurement-procedure communication and calibration results, confidentiality for measurement data and data systems, authentication of customer and calibration authority, authentication of measurement instruments, and the necessary real-time availability of the system.

The customers need to be certain that measurement data and customer-related information are treated confidentially. They also need to be confident that no one can damage their instruments, and that no additional threats are introduced to their data systems by introducing the measurement system into their network.

Accreditation authorities are concerned about data integrity and measurement traceability, and also about how the measurement procedures are performed, controlled and documented. Calibration laboratories are accredited according to ISO/IEC/EN 17025, which states requirements for the calibration procedure, the documentation, and the competence of the parties involved in the calibration process. Calibration authorities (e.g. Justervesenet), as the party offering the service, are of course concerned with all of these tasks, but in addition they have special concerns about the safety of their travelling standards and the availability of all the necessary elements in the set-up. Another point of interest is whether the system could add extra uncertainty to the measurement results. In this thesis that question is limited to whether any uncertainty components could be added by the measurement software and the communication system; uncertainty components introduced by, for example, transport of the standard are not dealt with. All of these security issues should be considered, adequate levels of security should be defined where possible, and the system should be evaluated against them.

Attack trees, as a concept for describing the security of systems, were first introduced in the literature by Bruce Schneier in 1999 [4]. They provide a semi-formal mechanism for identifying attack pathways for computer systems and networks. The basic idea is to visualise and to some extent quantify (in terms of cost to the attacker) the different possible attacks against a system: the root node of the tree is the attack goal, which is refined through sub-goals down to leaf nodes that represent concrete attack steps. This gives a picture of the overall risk of security breaches to the system, makes it possible to identify the cheapest or most likely attacks, and thereby shows where to put the defensive effort.

In this thesis work we have chosen to use the attack tree method for the investigation of security in a distributed Internet-enabled metrology system, and part of the work will also be to analyse the suitability of such a method for this kind of systems.
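The cost quantification described above, as an added example that is not the thesis's own tree or code. The tree follows Schneier's formulation with AND/OR refinement: an OR node is achieved by any one child, an AND node needs all of them, and each leaf carries an attacker cost. The goal, sub-goals, leaf names and cost values are a constructed illustration in the spirit of the iMET concerns listed above (arbitrary "effort" units, not measured data), and the `result_integrity_protected` flag is my device for showing how a countermeasure moves the cheapest attack.

```python
"""Attack tree with AND/OR refinement and per-leaf attacker cost.

Added example for this page, not the thesis's own tree or code. The goal,
sub-goals and costs are a constructed illustration; cost units are arbitrary.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

Scenario = Tuple[float, Tuple[str, ...]]   # (total cost, leaves the attacker must achieve)


@dataclass
class Node:
    name: str
    kind: str = "LEAF"                       # "LEAF", "OR" or "AND"
    cost: float = 0.0                        # attacker cost; meaningful for leaves only
    children: List["Node"] = field(default_factory=list)


def scenarios(node: Node) -> List[Scenario]:
    """Enumerate every complete attack scenario that achieves `node`, cheapest first.

    A LEAF is a single step. An OR node is achieved by any one child, so its
    scenarios are the union of the children's. An AND node needs every child,
    so its scenarios are the cross product of the children's, with costs summed.
    """
    if node.kind == "LEAF":
        return [(node.cost, (node.name,))]
    if not node.children:
        raise ValueError(f"{node.name}: {node.kind} node has no children")
    if node.kind == "OR":
        out: List[Scenario] = []
        for child in node.children:
            out.extend(scenarios(child))
        return sorted(out)
    if node.kind == "AND":
        combos: List[Scenario] = [(0.0, ())]
        for child in node.children:
            combos = [(c + cc, leaves + cl)
                      for c, leaves in combos
                      for cc, cl in scenarios(child)]
        return sorted(combos)
    raise ValueError(f"unknown node kind {node.kind!r}")


def cheapest_attack(node: Node) -> Scenario:
    """The scenario a cost-driven attacker would pick: where to put defensive effort."""
    return scenarios(node)[0]


def build_tree(result_integrity_protected: bool = False) -> Node:
    """Constructed tree for the goal 'customer accepts a falsified calibration result'.

    `result_integrity_protected` models a countermeasure (e.g. signing the
    results) by raising the cost of the corresponding leaf (assumed values).
    """
    tamper_cost = 200.0 if result_integrity_protected else 20.0
    return Node("Customer accepts a falsified calibration result", "OR", children=[
        Node("Modify calibration results in transit", cost=tamper_cost),
        Node("Impersonate the reference laboratory", "AND", children=[
            Node("Obtain reference-laboratory credentials", cost=50.0),
            Node("Reach the customer's measurement network", cost=30.0),
        ]),
        Node("Manipulate the travelling standard", "AND", children=[
            Node("Gain physical access to the standard in transport", cost=40.0),
            Node("Alter the standard without leaving traces", cost=70.0),
        ]),
    ])


if __name__ == "__main__":
    for protected in (False, True):
        tree = build_tree(protected)
        print(f"result integrity protected: {protected}")
        for cost, leaves in scenarios(tree):
            print(f"  {cost:6.1f}  {' + '.join(leaves)}")
        print("  cheapest:", cheapest_attack(tree))
```

Without integrity protection the cheapest scenario is the single in-transit modification; once that leaf becomes expensive, the cheapest route becomes the two-step impersonation, which is the next place to spend effort. Exhaustive enumeration is fine for trees of this size, but grows with the product of AND-branch alternatives, so for large trees one computes only the minimum per node.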

There are several ongoing activities internationally addressing Internet-enabled metrology; these are discussed further in chapter 2. The main idea in most of them, as in the iMET system (the system this thesis focuses on), is that the unit under test (UUT) is not moved from the owner's laboratory. Instead a calibrated standard, e.g. an electrical multimeter, is transferred to that laboratory from a reference laboratory (e.g. a national measurement institute, NMI), and the calibration process is then controlled directly by the reference laboratory.

There are many advantages to this approach. Since the UUT is never moved, the uncertainty associated with transporting the UUT is eliminated. The reference laboratory usually has a much better understanding of the transport uncertainty of its calibrated standard, so the uncertainty due to transportation will presumably be smaller than in the traditional scheme.

The calibrations are performed in the owner's environment, ensuring that the measurement results reflect the conditions relevant to the owner's situation. Transportation cost can also be reduced, especially if the standard is transported to several customers in succession. Until now, the main focus in most of the ongoing activities has been on the functionality of the systems. Security issues are addressed in some projects, but there is still a lack of understanding of several of the security issues that should be addressed.

The iMET system provides a flexible and general solution for an Internet-enabled application, and has been designed to support current and future requirements for flexibility in network architecture. In contrast with most of the ongoing activities in other countries, the iMET system is designed to support different metrological activities and not one specific service.

Several security concerns have been addressed in the design and implementation of the system, but for customers and accreditation authorities, an assessment of the security level would be of vital importance. The goal of this master thesis should be to contribute to the general acceptance of Internet-enabled metrology as a means of dissemination of calibration values. This should be done by demonstrating assessment of a system designed for distributed Internet-enabled metrology. This assessment should comprise an overall evaluation of different security concerns generally applicable for distributed Internet-enabled metrology systems, and hopefully give a better understanding of threats and vulnerabilities in such systems in general. For the iMET system, the assessment would lead to a better understanding of security concerns related to this specific system, and possibly suggest feasible mitigation strategies for the system. By using the attack trees method for describing and evaluating security issues in this system, we are also hoping to contribute to the understanding of suitability of this method in security assessment. In particular we hope to show how this method could provide an understanding based on cost-effort evaluation of where to put the effort to increase security in the system.

Research questions

  1. How should one describe the security in distributed Internet-enabled metrology applications?
    • What are the threats and vulnerabilities to a distributed Internet-enabled metrology application system in a defined security environment?
    • What could be feasible mitigation strategies for the system?
  2. Does the attack tree method provide a good presentation of the robustness of a distributed Internet-enabled metrology application system, and a sound basis for assessment of the security in the system?
    • Is the usability of the attack tree method satisfactory for this kind of analysis?

Hauge, Odd Chr.


An IDS system internal in an ERP system

IDS typically deal with threats from sources external to the organisation's computer networks. Still, it is common knowledge that an organisation's internal threats pose a greater risk and higher costs in lost revenue. External threats get more publicity and focus because the internal problems of organisations are typically kept confidential, out of concern for loss of reputation and good standing with the public or the market.

In addition to the risks that follow from a lack of internal control in computer networks, there are two main drivers for this type of IDS. First, IS departments and IS consulting firms have to report on delivery against SLAs (service level agreements) to management, and SLA status meetings can include reporting of intrusions and misuse in the computer systems. Second, compliance has become a major factor in computer systems management for larger organisations; the SOX (Sarbanes-Oxley) legislation for corporations listed on the NYSE is a major initiator of this trend.

The largest share of assets in the industrialised world is managed in ERP systems, and the most widely used ERP system is SAP. This thesis presents a prototype IDS solution based on SAP's own Security Audit Log, in-house defined access roles, and the organisation's own segregation-of-duties (SOD) matrix. The research for this new IDS solution includes ways to reduce the number of false positives, and measures the system's efficiency in R/3, the update system, versus BW, the business warehouse.

Lazghab, Souheil


Single Sign-on Using Trusted Hardware

Background

Every Internet service requires its user to have a private username and password, so most people today possess more than one password. Remembering all these usernames and passwords is difficult. To manage the large number of passwords, users start choosing very easy ones (the name of a spouse, a birthday, the model of a new car), or they use one single password for many applications. This makes our networked systems vulnerable to many different attacks. There is a high demand for a secure single sign-on (SSO) system that manages all these passwords in a secure way. Many of the SSO systems on the market today are beyond the reach of ordinary users, or are too complicated to be used by everyone.

The main goal of this thesis is to secure the previously developed SSO system. The system has many weaknesses in the communication protocols used between its devices (e.g. the Bluetooth protocol): the channels through which confidential and sensitive data traverse the system are left without any protection. The system also suffers from a weak password-generation mechanism and offers its users no backup facility. The thesis will design, analyse and implement the protocols necessary to turn the existing prototype into a secure SSO system, and investigate the best level of security that can be achieved without affecting the usability of the prototype. The work will result in a new prototype and a paper reporting all the activities carried out during the thesis.

While the practical part covers all work related to the SSO system implementation, the theoretical part includes suggestions for adjustments and changes at a more theoretical level to improve the overall security and usability of the system, such as security analysis and usability tests.

The practical work consists of:

  • Designing and implementing the necessary security measures for the prototype.
  • Porting the resulting solution to different hardware.
  • Implementing a secure backup solution for the SSO system.
  • Supporting different login screens.
  • Implementing a secure password-generation mechanism.

The theoretical work consists of:

  • Conducting a more detailed security analysis.
  • Conducting new and thorough user tests and practical penetration tests dedicated to the security issues in the prototype, while at the same time testing its functionality and usability.

Myrmo, Halvar


Game consoles - are they secure?

The game consoles and handheld machines on the market today are designed with Internet and multiplayer connectivity in mind. The goal of this thesis is to investigate whether these possibilities open for new and unforeseen security threats. The user base of game consoles has grown explosively over the last decade; the PlayStation 2 alone has sold over 100 million units. The sixth generation of game consoles, including the PlayStation 2, Xbox and GameCube, was not big on network connectivity. The seventh generation were all designed with it in mind, and so it is conceivable that new security vulnerabilities are being introduced into people's lives.

The general public is slowly learning that they need to protect their computers from viruses, Trojans, spam and other malware. With the introduction of the seventh generation of game consoles we see that the consoles are reaching computing power and connectivity that resembles that of a modern desktop computer. But most people do not consider a game console to be a computer, and will therefore not consider protecting it the same way as a computer.

We will investigate whether or not these game consoles introduce new vulnerabilities and if this is the case we will try to give some general advice or develop some guidelines as to what can be done to protect yourself.

A new game console of today is designed to last for several years. Consoles are also very uniform, as opposed to the computer world with its many different configurations, which opens for viruses, Trojans and other malware written for a specific console. By taking a serious look at this now, we might be able to get ahead of people wanting to misuse this potential in the consoles.

Research questions

  1. Does the installation of a new gaming console in the home open for new vulnerabilities that we are not aware of?
  2. Are there more potential vulnerabilities in a console that has been modified, than in an unmodified console?
  3. Do we need to take special precautions when connecting a new game console to the home network?

Palm, Kai Gustav


Survey of security mechanisms in, and the prevalence of, wireless LANs (Kartlegging av sikkerhetsmekanismer i og hyppigheten av trådløse LAN)

Modern organisations today have effective perimeter protection of their networks. With the mobility of the workforce, however, the threat picture has become more complex: legitimate users hop in and out of networks and thereby bypass the traditional perimeter protection.

That the users themselves are authenticated as legitimate is, however, no guarantee that the security state of the device they bring with them is satisfactory.

There does not seem to be an objective and vendor-independent method for categorising the security state of a given device at a given time. Such a method could determine whether a mobile user's device meets the requirements in force at any time for being granted access to the organisation's information systems.

Using commercial systems it is possible to set rules for which requirements must be met before access is granted and for how deviations are to be handled, and likewise for which rights and access level the node and the user are given on that basis (so-called quarantine solutions). A vendor-independent methodology for handling this would be useful.

To measure and categorise a security level one needs a method, a set of measurement parameters or metrics, which together form an instrument for measuring security.

The instrument will be the basis for classifying the level. The level will show the client's security level at a given time, and thus provide a basis for deciding which access level it should be given. Procedures for handling deviations should also be developed.

Relevant questions to investigate in this context are:

  • Identify earlier work done in the area
  • Identify how this is implemented in existing technology
  • To what extent such solutions have been adopted
  • Identify the parameters needed as a basis for developing metrics
  • Develop metrics for classifying the security level of a device
  • How to handle deviations

Reed-Mohn, Anders


Incident reporting system

Systematic collection of safety incident and accident data has been common in many industries for decades. An equivalent effort has not been made in the area of information security, except perhaps in highly specialised organisations with such needs.

The systematic collection of incident data allows scientific research and investigation into their causes, ultimately leading organisations to introduce more effective safeguards. Several authors have suggested that incident reporting systems should be used to collect information security incident data.

We propose this project to develop a system dynamics model of an information security incident reporting system, based on a generic model previously developed by other researchers. The model will then be compared with how an existing organisation collects incident data. The thesis will analyse to what extent the organisation's existing procedures are adequate, and suggest improvements to them based on the developed system dynamics model.

The model is developed both as a qualitative model and as a quantitative simulation model. The latter can be used for testing scenarios, predicting system behaviour in given situations (for drills), or tuning and improving the original model or the incident reporting system.

The purpose of the developed model(s) is to help organisations develop or improve incident reporting systems for information security, as an aid in evaluating their planned or existing procedures and tools. While this might have been relevant to only a limited group of organisations in the past, when fewer worked with information security, today any organisation that works with information systems must also deal with information security to some degree. An organisation does not need to grow very large before no individual can easily keep an overview of all its workings, so a need for structured management arises, in information security as much as in other business processes.

The project will accordingly need some metric to evaluate the usefulness of the model. This metric could be found in the candidate organisation, which might have certain infosec metrics in place, or it might have to be developed in the project.

Answers to the following research questions will be explored, to support or refute the hypothesis that an organization's information security can benefit from an incident reporting system:

  • Can the original generic model be mapped to information security?
  • Is it possible to implement an incident reporting system corresponding to the model?
  • Can we measure (prove) the performance of the observed / implemented system, to evaluate the model?

Rundhaug, Fred Erlend N.


Keystroke dynamics - Can attackers learn someone's typing characteristics?

The master thesis is going to be about keystroke dynamics in authentication situations. There are written many reports on keystroke dynamics, with varying results when it comes to false acceptance rate (FAR) and false rejection rate (FRR). All reports believe that keystroke dynamics can be used to authenticate users. Some of the reports have tried to imitate legitimate users typing characteristics, they used shoulder sniffing or video tape as the attack technique. Their conclusion was that keystroke dynamics are resistant against attacks. We know that it is difficult to learn sports without training and proper feedback, we assume it is the same for keystroke dynamics. We are going to find a suitable authentication method with keystroke dynamics. And we are going to imitate legitimate users typing using a more advanced attack. By having attackers use a program that helps them learn other’s typing characteristics, we find an answer to the important question; is it possible to imitate legitimate users typing characteristics? The usability of keystroke dynamics depends on the answer.

In computer security we are interested in methods that securely identify and or authenticate users. Identification is when we try to find the identity of an unknown user, this is done by checking if the unknown user matches any of the known users identities. Authentication is when the unknown user gives us his or her identity, and we check if it is true or not. Username and password is one widely know authentication method. The user claims an identity the username and gives his or her password to prove the identity. Authentication is one to one verification, we check if this is the claimed user or not. Identification is one to many verification, like in forensics when a fingerprint is checked with a fingerprint database. Users can be authenticated with three authentication factors. The three authentication factors are:

  1. Know Some secret that only the user knows, like password, pin, pass phrase, etc.
  2. Have Something the user possesses, like token, certificate, passport, etc.
  3. Are Some biometric features of the user, like fingerprint, face, iris, retina, palm, voice, signature, keystroke dynamics, etc.

With biometrics it is possible to authenticate and identify users based on who they are, not what they possess or what they know. With biometrics users are authenticated on something they are. Biometric can be divided in two categories, physiological and behavioural. Physiological means features that are physically related to the user, like fingerprint, face, iris, hand, etc. Physiological features are used in both computer world and in real world. We identify (recognize) people when we see their face. Behaviour means how people do things, like gait, voice, signature, fingerprint, etc. When a close friend calls we can easily identify him or her by their voice. And when a distant friend calls we authenticate (recognize) him or her after the identity (name) is given.

Keystroke dynamics is in the behavioural category, we can identify and authenticate people by the way they type on their keyboard. Under WWII telegraph operators could identify the other operator by the way he or she were typing. The telegraph operators used one button and one finger, when we type a PIN code we use ten buttons and up to four fingers, with a password we use about 50 buttons and up to ten fingers. Due to the much higher number of buttons and fingers we can probably distinguish more accurately between various people, but the drawback is that the system will be much more complex.

Although biometrics are popular, they are seldom used in computer systems; the obstacles have often been price, installation problems, and the fact that users are negative towards authentication methods that reduce their efficiency or comfort. Some users are afraid of using the systems; one example is that users are afraid of eye damage during iris or retina scans. Systems that capture biometric features often need special equipment, like a fingerprint reader, camera, hand scanner, and so on. Keystroke dynamics, on the other hand, uses the computer keyboard or the numeric keypad on an ATM. There is no need for new equipment, and a keystroke dynamics system could be almost unnoticeable to the users.

When users are authenticated with keystroke dynamics, their typing features are compared. Such features include finger placement (where on the button: center, left, top, etc.), typing pressure, finger angle, and so on. But these features require a camera or a special keyboard and are probably only interesting for high-security environments; future keyboard/computer designs could make them available for cost-sensitive environments. A normal keyboard can register the latency between keystrokes, how long a key is pressed (duration) and which key is pressed. We are going to use these standard keyboards.

The features are compared using a distance metric, which is a function that compares two samples and outputs a value for how close or far apart they are. A real-life example is when we ask someone how far away placeA is; we are really asking what the distance between here and placeA is. Depending on the person asked we will get different answers, like 150 kilometres, two hours, etc. It is the same with distance metrics: their results will differ although the inputs are the same. Many distance metrics have been tested, and none of them are perfect. Finding a suitable one is a big task in the master thesis. Another big task is finding which features give the most unique values for people. The goal is to have a low false acceptance rate (FAR) and a low false rejection rate (FRR). FRR is the percentage of legitimate users who are incorrectly denied access. FAR is the percentage of persons who are incorrectly accepted by the system.

We must look at intra-class distance and inter-class distance when we want to find a good distance metric. In keystroke dynamics the intra-class distance is the distance between typing sessions of one user; the inter-class distance is the distance between different users. Our aim is to find a distance metric that gives a small intra-class distance and a large inter-class distance. The new typing sample is compared with a stored typing template. The template is created in the enrolment phase, when the user is added to the system. A template could be something like the average of five samples. The template could adapt to new typing characteristics of the user, for example if the ten last successful login samples are used as the template.

A high FRR makes the system unusable, since legitimate users have to authenticate themselves several times before they are accepted, if they are accepted at all. A high FAR makes the system insecure. Designers adjust the system to have suitable FAR and FRR values for the specific situation; this is achieved by adjusting the threshold and/or deciding which features are best suited. The result from the distance metric is checked against the chosen threshold: a value below the threshold means that the user is accepted, otherwise the user is denied. A small threshold gives a high FRR and a low FAR; a large threshold gives a small FRR and a large FAR. By varying the threshold we can draw a Receiver Operating Characteristic (ROC) curve, which shows the relation between FAR and FRR. We are especially interested in the point where FAR equals FRR; this point is called the Equal Error Rate (EER). We want the EER of our authentication system to be as low as possible.
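The enrolment, distance-metric and threshold steps described above, worked through in code. This is an added example, not code from the thesis: the typing samples are constructed with a seeded generator, and the scaled-Manhattan and Euclidean metrics are assumed choices, not the metrics the thesis evaluates.

```python
"""Keystroke-dynamics verification: template, distance metric, FAR/FRR/EER.
All typing samples below are constructed with a seeded generator; nothing
is measured from real users."""
import random
import statistics
from typing import Callable, Dict, List, Sequence, Tuple

Sample = List[float]            # 5 key durations + 4 inter-key latencies, in ms
Template = Tuple[Sample, Sample]  # (feature-wise mean, feature-wise std)

# Constructed per-user profiles (hypothetical users) for a 5-character password.
PROFILES: Dict[str, Sample] = {
    "alice": [95, 110, 80, 120, 90, 150, 170, 140, 200],
    "bob":   [130, 125, 140, 110, 135, 230, 210, 260, 190],
    "carol": [70, 85, 75, 90, 65, 110, 120, 105, 130],
}
SPREAD = 18.0  # std deviation of one user's own typing around the profile (ms)

def simulate_sessions(n: int, seed: int = 7) -> Dict[str, List[Sample]]:
    """Generate n typing sessions per user, scattered around the user's profile."""
    rng = random.Random(seed)
    return {u: [[max(1.0, rng.gauss(m, SPREAD)) for m in prof] for _ in range(n)]
            for u, prof in PROFILES.items()}

def enrol(samples: Sequence[Sample]) -> Template:
    """Enrolment: the template is the feature-wise mean (and std) of the samples."""
    mean = [statistics.fmean(col) for col in zip(*samples)]
    std = [max(statistics.pstdev(col), 1.0) for col in zip(*samples)]  # floor at 1 ms
    return mean, std

def scaled_manhattan(template: Template, sample: Sample) -> float:
    """Mean absolute deviation from the template, scaled by the template's std."""
    mean, std = template
    return sum(abs(s - m) / d for s, m, d in zip(sample, mean, std)) / len(mean)

def euclidean(template: Template, sample: Sample) -> float:
    """Plain Euclidean distance to the template mean (ignores the std)."""
    mean, _ = template
    return sum((s - m) ** 2 for s, m in zip(sample, mean)) ** 0.5

def score_sessions(sessions: Dict[str, List[Sample]],
                   metric: Callable[[Template, Sample], float],
                   n_enrol: int = 5) -> Tuple[List[float], List[float]]:
    """Enrol each user on the first n_enrol sessions; score the rest against every
    template. Returns (genuine/intra-class scores, impostor/inter-class scores)."""
    templates = {u: enrol(s[:n_enrol]) for u, s in sessions.items()}
    genuine, impostor = [], []
    for user, samples in sessions.items():
        for probe in samples[n_enrol:]:
            for claimed, tmpl in templates.items():
                (genuine if claimed == user else impostor).append(metric(tmpl, probe))
    return genuine, impostor

def far_frr(genuine: List[float], impostor: List[float], threshold: float) -> Tuple[float, float]:
    """Accept when distance <= threshold. FAR = impostors accepted, FRR = genuine rejected."""
    far = sum(d <= threshold for d in impostor) / len(impostor)
    frr = sum(d > threshold for d in genuine) / len(genuine)
    return far, frr

def equal_error_rate(genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """Sweep every observed distance as a threshold (the ROC points) and return
    (EER, threshold) at the point where FAR and FRR are closest."""
    best = None
    for t in sorted(set(genuine + impostor)):
        far, frr = far_frr(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, (far + frr) / 2, t)
    return best[1], best[2]

if __name__ == "__main__":
    sessions = simulate_sessions(15)
    for name, metric in (("scaled Manhattan", scaled_manhattan), ("Euclidean", euclidean)):
        g, i = score_sessions(sessions, metric)
        eer, t = equal_error_rate(g, i)
        print(f"{name:17s} intra={statistics.fmean(g):8.2f} inter={statistics.fmean(i):8.2f} "
              f"EER={eer:.3f} at threshold {t:.2f}")
```

The same sessions give different distance values and a different EER under the two metrics, which is the point made above about distance metrics giving different answers for the same input.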

Many reports have tested their distance metrics by checking how easy it is to imitate users. Most of them have done this by using keystroke dynamics for identification, that is, comparing the typed text against all user templates; if the typed text is similar to the template of the wrong user, that counts as one false acceptance. Others have tried to see how legitimate users type and then tried to imitate that. A few have videotaped legitimate users and then replicated their typing. None of these tests has resulted in a large FAR, but we are going to perform a new and possibly better attack on keystroke dynamics. People learn only the basics of snowboarding by watching others do it, and will not become good without feedback. We are going to teach attackers to imitate the keystroke dynamics of legitimate users by giving them feedback on their performance.

Skar, Tom-Andre

Tom Andre Skar

Training, supervision, regulations - do they give better information security?

Many industries and individual companies carry out, on their own initiative or by order, training and information on information security. The Mørketallsundersøkelsen [7] and other surveys indicate that such measures do not always succeed. In this thesis we will examine the factors that affect the effectiveness of such measures. To illustrate this we will look at the energy industry, which is a good example of an industry that uses training and mandates in information security.

There are many vulnerable information systems as a result of the increasing use of IT. Today IT-based systems are used for many kinds of tasks: control, monitoring, management, and so on. Focus on information security is therefore important. Most enterprises, public and private, address this problem by carrying out training in information security. Some industries and enterprises go so far as to make training mandatory for their employees. This may be in the form of laws and regulations or through a set of rules. Is this an effective way to go? This will be examined through the energy industry.

NVE conducts inspections and holds courses in information security and awareness. Such security measures should lead to changes in attitude in the energy industry so that satisfactory security is maintained. As described in the Beredskapsveiledningen § 6-1 [16], cf. Bfk § 4-1, an IT security manager, one person, must be appointed. The possibility that these managers do not see themselves as a "tool" for something criminal is present; the focus is possibly directed only at delivering, for example, electricity.

Through studies of conditions in the energy industry, this thesis will try to find out whether regulations, rules and supervision that mandate training give better information security.

Information security can be seen as a cost factor, but it is necessary to maintain confidentiality, integrity and availability. Prevention will be much cheaper than dealing with an accident once it has occurred.

Cost savings and increased efficiency are central concepts for describing today's development in companies, enterprises and organisations, and this will not stop in the future. The motivation lies in carrying out an analysis to see whether security improves with awareness and training.

The report will at the same time uncover the state of information security in the energy industry, which is considered important for society: for the population, which must avoid putting life and health in danger, and for traffic and sewage systems that do not function without electricity. At the same time we will find out whether information in the form of awareness, training and supervision will improve information security. We can then use these results to draw conclusions, not only for the energy industry, but also for other industries and individual companies in general.

Research questions

  • Will mandating training through regulations improve information security?
  • Does the energy industry show an improvement compared with the results of the Mørketallsundersøkelsen?
    • Do they have fewer security incidents?
    • Have more security measures been implemented?
    • Is security better in the large enterprises compared with the small ones?
  • Should comparable industries and individual companies implement similar measures?

Skjølsvik, Stian

Stian Skjølsvik

Framework for generating IDS benchmarking Data sets

Topic covered by this thesis: benchmarking Intrusion Detection Systems (IDS) is needed to determine how good a system is, and to test different systems against each other. For testing these systems, data sets are provided which contain different attack profiles among benign traffic. Different methods have been proposed to test these systems, either by simulating network traffic or by extracting data sets based on real network flows. Both approaches have advantages and disadvantages. There has been some critique of using simulated network flows, since it is not certain that they accurately represent the real world. The main advantage of using simulated traffic is that we know all aspects of the environment and no unknown attacks can occur; it eliminates the problem of identifying unseen attacks when using real traffic. Sometimes it is favorable to use data that are as close to the real world as possible for generating benchmarking data sets. This master thesis will look into common attack features gathered from a real network environment, as well as which factors are relevant for generating IDS data sets. Detection of common attack features will be based on event sequencing.

As mentioned above, there is a need to generate test data sets for IDS benchmarking which are based on real data and can be shared openly between organizations. In this thesis we will look into which features of traffic are relevant for Intrusion Detection Systems, based on traffic gathered from an academic network. The challenge is to analyze network logs/traffic and try to extract the different characteristics that constitute an attack. These data will be analyzed and processed by a method called sequencing of events to find the appropriate features that should be included in a benchmarking data set. Sequences of events can be defined as data describing the behavior and actions of users or systems. The master thesis will try to collect these sequences and categorize them into either frequent or generalized episodes. These episodes will then be used in a methodology intended to produce data sets for IDS benchmarking.

Smedstad, Ingar

Ingar Smedstad

Incident reporting systems - A case for the Norwegian offshore

Industries such as chemical processing, aviation, railway, shipping and nuclear have for many years systematically collected safety incident / accident data. Systematic collection allows scientific research and investigation into causes of incidents / accidents, ultimately allowing organizations to introduce more effective safeguards. Several authors, including Schneier and Gonzalez, have suggested that similar incident reporting systems should be used to collect information security incident data. In other words, an information security reporting system.

A recent paper by Rich, Sveen and Jager, "Identifying Organizational Challenges to Secure Knowledge Management", presents a system dynamics model of a (safety) incident reporting system. The paper suggests that an incident reporting system is subject to many forces that govern whether the system is going to be successful. These include factors that either dissuade or encourage reporting of incidents. Preliminary studies show that many of the same factors will affect a security incident reporting system.

System dynamics is a powerful methodology and computer simulation modelling technique for framing, understanding, and discussing complex issues and problems. It was originally developed as a decision-making tool for corporate managers, but it soon became apparent that it had uses beyond the corporate board room.

The thesis will investigate the incident reporting system implemented by Hydro. Since Integrated Operations (IO) depends on high levels of information security, the IO pilot projects Brage and Oseberg are well suited as objects of enquiry. The aim of the project is to determine the state of information security incident reporting at either Brage or Oseberg, and to find policies that can lead to improvement. The main focus of the data gathering effort will be on:

  1. formal guidelines
  2. informal guidelines
  3. stories about incidents and how they were discovered, reported and handled

The information gathered from the three points above will be compared with the model by Rich et al. and incident reporting literature to determine the quality of the implemented reporting system and guidelines. For a satisfactory comparison with the model of Rich et al. to take place it is necessary to construct a System Dynamics model of the information security incident reporting systems at the chosen sites. The model of Rich et al. serves as a useful starting point. The modelling work will involve first the development of a qualitative model, followed by a formal simulation model.

Stang, Øyvind

Øyvind Stang

Gait analysis - Is it easy to learn to walk like someone else?

In information security, it is very important to be assured that only authorized individuals are allowed access to a system. There are many ways of identifying or authenticating who an individual is. An acquaintance who knows what a specific person looks like can verify whether a person is who he claims to be or not, just by taking a short look at him. This is probably the most basic method. However, in a modern society, most technologies are based on computers and require high speed. Hence, there should exist algorithmic routines that can perform such authentication processes automatically. Different ways of authenticating a person are to look at something he has, e.g. a token or a smart card, something he knows, e.g. a password or a pass phrase, or something he is, e.g. his fingerprint or iris. In this report, we will study a biometric authentication technique, i.e. something a person is. We will look at gait analysis, or more precisely, whether it is possible to learn to walk like another person in such a way that one can be authenticated as that person. How long does it take to learn this?

In this project, we will look at gait authentication, i.e. verifying a claimed identity based on how a person walks. A vision is that in the future it will be possible to give people access to e.g. a building or a secured room based on their gait. A hypothesis is that every individual has his or her own unique way of walking.

Our problem is that we don't really know whether our gait is as unique as we might believe it is in the first place. Will special conditions make your gait different, e.g. your temper on a specific day or your health? Is it possible to act as if you are another person, and in that way get access to a place where you are not really authorized to be? These are questions that should be answered before authentication using gait can be implemented to the same degree as e.g. fingerprint verification and iris scans have been. According to Davrondzhon Gafurov, Einar Snekkenes, and Tor Erik Buvarp's article "Robustness of biometric gait authentication against impersonation attack", when a person submits his own biometric feature in order to match against another person's biometric in a template, this is called a non-genuine attempt. These non-genuine attempts can be subdivided into three groups: "passive impostor attempts", "active impostor attempts" and "non-passive and non-active impostor attempts". A passive impostor attempt is an attempt where an individual submits his own biometric feature as if he were attempting successful verification against his own template, but is in fact being compared against a non-self template. An active impostor attempt is when an individual changes his biometrics in order to match a targeted person. A non-passive and non-active impostor attempt is when an active impostor trial is not compared against a targeted person, but against another person's template in general. This project is about active impostor attempts, where a person tries to learn another person's gait in order to be authenticated as the other person. According to Jani Mäntyjärvi, Mikko Lindholm, Elena Vildjiounaite, Satu-Marja Mäkelä, and Heikki Ailisto, deliberate imitation of another person's walking style is difficult. However, it should be possible to learn this given enough time. If it turns out that the process of learning this takes a short time, e.g. a few weeks, then we should conclude that gait authentication is a rather weak authentication method to use, while if it takes a long time (or if it turns out to be close to impossible) to learn, then we can conclude that faking another person's gait by impersonation is difficult.

The main reason why this problem is important is that the answer to it will show how strong gait authentication is as an authentication method. If our conclusion is that it is difficult to learn how to walk more or less exactly like another person, then there might be a business for gait authentication. It is easier to authenticate yourself using gait than to e.g. remember a password. People will probably also feel more comfortable using gait for authentication rather than fingerprint or iris, because some people don't like to have an iris scanner scanning their eyes, and some feel that it is unhygienic to press their finger on the same plate where maybe hundreds of other people have done so before them.

In order to solve this problem, there are some research questions that need to be considered:

  • How effective is interactive feedback when learning a specific gait?
  • What equipment exists to gather gait information?
  • What techniques and algorithms exist that can be used in gait authentication?
  • Does a person walk the same way (more or less) all the time?

Storløkken, Roger

Roger Storløkken

Labelling clusters in an anomaly based IDS by means of cluster quality indexes

A major problem in anomaly detection systems based on clustering is to determine the nature of the obtained clusters. The clustering algorithms used to group the activity data into clusters do not have the knowledge needed to determine whether the content of a cluster is benign or malicious. We therefore need a labelling algorithm to properly label the obtained clusters. A classical approach for labelling clusters is to measure the cardinality of the clusters and label some percentage of the smallest clusters as malicious. This approach does, however, have some limitations, and does not detect massive Denial-of-Service attacks properly.

Another approach for labelling clusters, which solves the Denial-of-Service limitation, is to combine clustering quality indexes with different clustering parameters, e.g. the cluster diameter, to extract some characteristics from the clusters. Based on these cluster characteristics, labelling algorithms are developed to properly label the content of the clusters. The main idea behind this approach is that clustering evaluation techniques can indicate the existence of a massive Denial-of-Service attack, and that if a cluster is very compact, this may indicate that the cluster is an attack cluster [7, 8, 9]. Only a few of the clustering quality indexes have previously been used in this labelling approach. Other indexes, in combination with different cluster parameters, might give the IDS better performance.
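The two labelling strategies contrasted above, side by side on constructed data. This is an added example, not the thesis's code: four clusters are generated with a seeded generator, one of them a large but extremely compact flood cluster standing in for a massive Denial-of-Service attack. The cardinality rule, the diameter-based compactness rule, the 25% cut-off and the 0.2 ratio are assumed simple forms of the approaches described, not the indexes the thesis evaluates.

```python
"""Labelling clusters from an anomaly-based IDS: cardinality vs compactness.
All activity records are constructed with a seeded generator."""
import random
from itertools import combinations
from typing import Dict, List, Sequence, Tuple

Point = Tuple[float, ...]  # e.g. (bytes per flow, packets per flow, duration), scaled

def make_clusters(seed: int = 3) -> Dict[str, List[Point]]:
    """Constructed clusters: two spread-out benign groups, a tiny probe cluster,
    and a large flood cluster of near-identical records (a massive DoS)."""
    rng = random.Random(seed)

    def blob(centre: Point, spread: float, n: int) -> List[Point]:
        return [tuple(rng.gauss(c, spread) for c in centre) for _ in range(n)]

    return {
        "web":   blob((5.0, 4.0, 2.0), 1.00, 60),
        "mail":  blob((8.0, 6.0, 5.0), 1.20, 40),
        "probe": blob((1.0, 1.0, 9.0), 0.80, 4),
        "flood": blob((0.5, 0.5, 0.1), 0.02, 200),  # huge and very compact
    }

def diameter(points: Sequence[Point]) -> float:
    """Cluster diameter: the largest pairwise Euclidean distance."""
    if len(points) < 2:
        return 0.0
    return max(sum((a - b) ** 2 for a, b in zip(p, q)) ** 0.5
               for p, q in combinations(points, 2))

def label_by_cardinality(clusters: Dict[str, List[Point]], fraction: float = 0.25) -> Dict[str, bool]:
    """Classical rule: the smallest `fraction` of the clusters (by member count)
    are labelled malicious. A DoS flood, being the largest cluster, is never caught."""
    order = sorted(clusters, key=lambda name: len(clusters[name]))
    k = max(1, int(len(order) * fraction))
    return {name: name in order[:k] for name in clusters}

def label_by_compactness(clusters: Dict[str, List[Point]], ratio: float = 0.2) -> Dict[str, bool]:
    """Quality-index style rule (assumed form): a cluster whose diameter is below
    `ratio` times the median diameter is suspiciously compact and labelled
    malicious regardless of its size."""
    diams = {name: diameter(pts) for name, pts in clusters.items()}
    median = sorted(diams.values())[len(diams) // 2]
    return {name: d < ratio * median for name, d in diams.items()}

def label_combined(clusters: Dict[str, List[Point]]) -> Dict[str, bool]:
    """Combine both characteristics: malicious if either rule flags the cluster."""
    card, comp = label_by_cardinality(clusters), label_by_compactness(clusters)
    return {name: card[name] or comp[name] for name in clusters}

if __name__ == "__main__":
    cl = make_clusters()
    for name, pts in cl.items():
        print(f"{name:6s} size={len(pts):4d} diameter={diameter(pts):6.3f} "
              f"cardinality={label_by_cardinality(cl)[name]!s:5s} "
              f"compactness={label_by_compactness(cl)[name]!s:5s} "
              f"combined={label_combined(cl)[name]}")
```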

Accuracy and efficiency are very important performance measures for an IDS. High accuracy is necessary for giving valuable information to the IDS analyst monitoring the systems. Too high a false positive rate (the rate of false alarms triggered by benign activities) will leave the analyst frustrated, and important alarms may then be ignored. It is also important that an IDS works in real time, or as close to real time as possible. Real-time operation is necessary to be able to take countermeasures against attacks in progress, before they can do much harm.

Research questions

  1. Which clustering quality index is best suited for labelling activity clusters in a clustering based intrusion detection system, regarding accuracy and efficiency?
  2. Which combinations of clustering parameters and/or methods and clustering quality indexes give the best performance of the IDS?

Svendsen, Katrine Aam

Katrine Aam Svendsen

Secure Off Site Backup at CERN

CERN, the European Organization for Nuclear Research, is the world's largest particle physics centre. It was founded in 1954 as one of Europe's first joint ventures, and now has 20 member states. At the moment just under 3000 people are employed by CERN, everything from physicists to secretaries. In addition, about 6500 visiting scientists come to CERN to do their research.

Currently, the main focus is on completing and starting the LHC, the Large Hadron Collider. This is a particle accelerator that will accelerate particles to almost the speed of light. Different detectors are built to make the particles visible. The goal of the accelerator is to recreate the environment as it was at the origin of our Universe, and to answer such questions as "why do elementary particles have mass?" and "why are their masses different?".

CERN is located on the border between Switzerland and France, with its main site (Meyrin site) in Switzerland, near Geneva. This is where the main computer centre is located. There is also a site in France (Prevessin site), a couple of kilometres from the border, where, among other things, the control centre for the accelerators is located.

The computer facilities at CERN hold a lot of information that is fundamental for the day-to-day running of the organization, such as personnel information and databases holding information about the different experiments. This is backed up in a central network backup system (IBM's Tivoli Storage Manager). Additionally, for total disaster recovery purposes, the most vital part of this data is backed up to an off-site server located in Prevessin.

The services supported by the off site backup system are:

  • automatic backups
  • interactive backups
  • management of the existing backups

This can be done without contacting an administrator, except when a new user profile is needed. Also, the users are able to access the backed up data at any time, to retrieve the information stored there.

Since the backup server may hold some sensitive information, it is desirable to implement encryption of the stored data. This is the first task of this project. The data should be encrypted and decrypted transparently on the server side, with as little user inconvenience as possible, and the same features should be supported as before the encryption was implemented. We will use TrueCrypt to enable this, and adapt it to meet the system and user requirements.

In addition to the implementation and testing of TrueCrypt, the tasks of this project will be to:

  • enable automatic installation and configuration of TrueCrypt within the Quattor framework (System administration toolkit used at CERN)
  • design policies and guidelines:
    • key management: generation, distribution, storage, etc. This must be as simple and automated as possible.
    • disaster recovery
    • guidelines to the use of the system
  • develop web interfaces for:
    • services available to the user
    • administrative services: creation of new TrueCrypt volumes – key generation, key distribution, backing up of volume headers etc., administration of existing volumes
  • evaluate the overall security of the system
  • get feedback from the users.

It is a requirement from CERN that the process is continuously documented on the CERN TWiki pages.

Syvertsen, Jon Petter

Jon Petter Syvertsen

Insider Threat

Attacks against today's computer systems are becoming more and more widespread and advanced. A lot of money is spent on technical solutions to protect against the many threats outside the organisation. With the strong focus on security against the outside, security on the inside is given lower priority. The reason for this is often that management has too little knowledge about this type of threat, and thus not enough resources are allocated to such measures. "Insider threat" is, and will be, a growing problem that can affect small and large companies alike. In addition, the extent of the damage is often much larger than for an attack from outside. Insider incidents can also be harder to detect, and it can be harder to prove that an incident has occurred.

To investigate the problem in Norway, in this master's thesis we will carry out a survey of 2-3 different sectors in Norway. The data we collect from the survey will be used to discuss the "insider threat" problem in Norway and to compare the results with the results from CERT. To describe the main findings, these will be arranged hierarchically in an influence diagram to demonstrate mutual dependencies and the effect on risk. We hope in this way to see a pattern in why such actions are carried out and by whom.