
A Formal Methodology for Detecting Managerial Vulnerabilities and Threats in an Enterprise Information System

Journal of Network and Systems Management

Abstract

From an information security point of view, an enterprise is considered a collection of assets and their interrelationships. These interrelationships may be built into the enterprise information infrastructure, as in the connection of hardware elements in a network architecture, the installation of software, or the information assets themselves. As a result, access to one element may enable access to another if the two are connected. An enterprise may specify, as policies, conditions on access to certain assets in certain modes (read, write, etc.). The interconnection of assets, together with the specified policies, may give rise to managerial vulnerabilities in the enterprise information system. These vulnerabilities, if exploited by threats, may disrupt the normal functioning of the information system. This paper presents a formal methodology for detecting managerial vulnerabilities of, and threats to, enterprise information systems in linear time.
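The abstract's core idea, that access to one connected asset can transitively grant access to another and that a policy violation reachable this way is a managerial vulnerability, can be illustrated with a small reachability check. The following is an added example, not the paper's own formalism or code: it assumes a toy model in which assets form a directed graph, an edge (src, dst, mode) grants `mode` on `dst` to anyone who can reach `src`, any access to an asset is enough to follow its outgoing edges, and policies are stated as forbidden (subject, asset, mode) triples. The enterprise data, asset names and roles are constructed for the example. Detection is one breadth-first search per subject, which is linear in the size of the graph.

```python
from collections import defaultdict, deque

# Constructed sample enterprise (not from the paper). An edge (src, dst, mode)
# means that anyone who can reach `src` obtains `mode` access on `dst`, e.g. a
# host that mounts a share or a service account embedded in an application.
EDGES = [
    ("dmz-web", "app-server", "read"),
    ("app-server", "hr-db", "read"),
    ("app-server", "hr-db", "write"),
    ("hr-db", "payroll-file", "read"),
    ("dev-box", "app-server", "write"),
]

# Direct entry points of each subject (role): asset -> modes granted directly.
ENTRY = {
    "contractor": {"dmz-web": {"read"}},
    "developer": {"dev-box": {"read", "write"}},
    "hr-clerk": {"hr-db": {"read"}},
}

# Policies stated negatively: (subject, asset, mode) triples that must never hold.
POLICIES = [
    ("contractor", "payroll-file", "read"),
    ("developer", "hr-db", "write"),
    ("hr-clerk", "dev-box", "read"),
]


def build_adjacency(edges):
    """Index the edge list by source asset for O(1) neighbour lookup."""
    adj = defaultdict(list)
    for src, dst, mode in edges:
        adj[src].append((dst, mode))
    return adj


def reachable_access(entry, adj):
    """Breadth-first search over the asset graph.

    Returns {asset: set(modes)} obtainable from the given entry points.
    Assumption of this toy model: any mode of access on an asset suffices to
    follow its outgoing edges. Every asset is enqueued at most once and every
    edge scanned once, so the cost is O(|V| + |E|).
    """
    modes = defaultdict(set)
    queue = deque()
    for asset, granted in entry.items():
        modes[asset] |= granted
        queue.append(asset)
    seen = set(queue)
    while queue:
        asset = queue.popleft()
        for nxt, mode in adj[asset]:
            modes[nxt].add(mode)          # accumulate modes even if already seen
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return dict(modes)


def detect_violations(edges, entry_by_subject, policies):
    """A policy is violated (a 'managerial vulnerability' in this toy model)
    when the forbidden (asset, mode) is transitively reachable by the subject."""
    adj = build_adjacency(edges)
    reach = {s: reachable_access(e, adj) for s, e in entry_by_subject.items()}
    return [
        (subject, asset, mode)
        for subject, asset, mode in policies
        if mode in reach.get(subject, {}).get(asset, set())
    ]


if __name__ == "__main__":
    for violation in detect_violations(EDGES, ENTRY, POLICIES):
        print("policy violated via transitive access:", violation)
```

On the constructed data the contractor, who may only read the DMZ web host, transitively reaches the payroll file through the application server and the HR database, and the developer gains write access to the HR database through the same server; the HR clerk's policy is not violated because nothing reachable from the HR database leads back to the development box. The check runs once per subject, so the total cost is the number of subjects times the graph size, which is what makes a per-subject linear-time scan practical on a real asset inventory.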



Acknowledgments

This research was partially supported from grants allocated by the Department of Information Technology, Govt. of India.

Corresponding author

Correspondence to Anirban Sengupta.

Cite this article

Sengupta, A., Mazumdar, C. & Bagchi, A. A Formal Methodology for Detecting Managerial Vulnerabilities and Threats in an Enterprise Information System. J Netw Syst Manage 19, 319–342 (2011). https://doi.org/10.1007/s10922-010-9180-y
