Abstract
From an information security point of view, an enterprise is considered a collection of assets and their interrelationships. These interrelationships may be built into the enterprise information infrastructure, as in the connection of hardware elements in a network architecture, in the installation of software, or in the information assets themselves. As a result, access to one element may enable access to another if they are connected. An enterprise may specify, as policies, conditions on the access of certain assets in certain modes (read, write, etc.). The interconnection of assets, together with the specified policies, may lead to managerial vulnerabilities in the enterprise information system. These vulnerabilities, if exploited by threats, may disrupt the normal functioning of information systems. This paper presents a formal methodology for detecting managerial vulnerabilities of, and threats to, enterprise information systems in linear time.
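As an added illustration (not the paper's own method or code), the following Python models the idea in the abstract: assets as nodes, access interrelationships as mode-labelled edges, policies as accesses that must not be possible, and one breadth-first traversal per policy subject (linear in the size of the graph) that reports each violated policy together with a witness path. The asset names, edges and policies are constructed sample data, and the assumption that any mode of access to an asset lets its outgoing connections be used is a simplification made here.

```python
from collections import deque

# Constructed sample asset graph. An entry a -> (b, mode) means that whoever
# controls asset a can access asset b in that mode, e.g. because a is
# networked to b or software installed on a holds credentials for b.
ASSETS = {
    "hr-workstation": [("file-server", "read"), ("vpn-gateway", "read")],
    "vpn-gateway":    [("core-switch", "read")],
    "core-switch":    [("payroll-db", "write"), ("payroll-db", "read")],
    "file-server":    [("backup-store", "write")],
    "backup-store":   [],
    "payroll-db":     [],
}

# Constructed policies: (subject asset, target asset, mode) that must NOT be reachable.
POLICIES = [
    ("hr-workstation", "payroll-db", "write"),   # violated via vpn-gateway -> core-switch
    ("hr-workstation", "backup-store", "read"),  # satisfied: only write reaches backup-store
]

def reachable_modes(graph, start):
    """One BFS from `start`, cost O(V + E). Returns (modes, parent, via):
    modes[asset]  = set of modes obtainable on that asset,
    parent[asset] = predecessor on the discovery path,
    via[(asset, mode)] = asset from which that mode was first obtained.
    Assumption (simplification): access in any mode lets outgoing edges be used."""
    modes, parent, via = {}, {start: None}, {}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt, mode in graph.get(cur, []):
            modes.setdefault(nxt, set()).add(mode)
            via.setdefault((nxt, mode), cur)
            if nxt not in parent:          # first discovery of this asset
                parent[nxt] = cur
                queue.append(nxt)
    return modes, parent, via

def witness_path(parent, via, target, mode):
    """Rebuild the chain of assets that yields `mode` on `target`, for remediation."""
    node, path = via[(target, mode)], [target]
    while node is not None:
        path.append(node)
        node = parent[node]
    return path[::-1]

def detect_violations(graph, policies):
    """Expand each policy subject once; report every policy whose forbidden access holds."""
    cache, violations = {}, []
    for subject, target, mode in policies:
        if subject not in cache:
            cache[subject] = reachable_modes(graph, subject)
        modes, parent, via = cache[subject]
        if mode in modes.get(target, set()):
            violations.append((subject, target, mode, witness_path(parent, via, target, mode)))
    return violations
```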
Acknowledgments
This research was partially supported by grants allocated by the Department of Information Technology, Govt. of India.
Cite this article
Sengupta, A., Mazumdar, C. & Bagchi, A. A Formal Methodology for Detecting Managerial Vulnerabilities and Threats in an Enterprise Information System. J Netw Syst Manage 19, 319–342 (2011). https://doi.org/10.1007/s10922-010-9180-y
DOI: https://doi.org/10.1007/s10922-010-9180-y