S.M. Furnell, P.S. Dowland and P.W. Sanders
Abstract
Twelve years ago, a text was written within the hacking community which is widely referred to as the “Hacker Manifesto”. This text, and the opinions that it offers, have since been widely embraced by the hacker community and the document is referenced from numerous sites on the Internet. This paper sets out to examine the content of the Manifesto and considers the validity of many of the messages that it imparts. The Manifesto is considered to present an undoubtedly pro‐hacker message, without acknowledging other perspectives or the wider implications of the activities that it is advocating. The paper explores some of these issues, examining both the consequences of the Manifesto’s dissemination and ways in which security professionals and society at large should respond. It is concluded that whilst the Manifesto obviously cannot bear the sole responsibility for promoting and encouraging hacker activity, it at best sends out an incomplete message that should be balanced with appropriate counter‐argument.
I. Irakleous, S.M. Furnell, P.S. Dowland and M. Papadaki
Abstract
The paper presents a comparative study of software‐based user authentication techniques, contrasting the use of traditional passwords and personal identification numbers (PINs) against alternative methods involving question and answer responses and graphical representation. All methods share the common basis of some secret knowledge and rely upon the user’s ability to recall it in order to achieve authentication. An experimental trial is described, along with the results based upon 27 participants. The alternative methods are assessed in terms of practical effectiveness (in this context relating to the participant’s ability to authenticate themselves a significant time after initial use of the methods), as well as the perceived levels of user friendliness and security that they provide. The investigation concludes that while password and PIN approaches garner good ratings on the basis of their existing familiarity to the participants, other methods based upon image recall and cognitive questions also achieved sufficiently positive results to suggest them as viable alternatives in certain contexts.
A. Al‐Ayed, S.M. Furnell, D. Zhao and P.S. Dowland
Abstract
Purpose
This paper aims to look at unpatched software, which represents a significant problem for internet‐based systems, with myriad malware incidents and hacker exploits taking advantage of vulnerable targets. Unfortunately, vulnerability management is a non‐trivial task, and is complicated by an increasing number of vulnerabilities and the workload implications associated with handling the associated security advisories and updates.
Design/methodology/approach
As a step towards addressing the problem, this paper presents an automated framework that is designed to provide a vendor‐independent means of vulnerability notification and rectification for system administrators.
Findings
In the proposed framework, incoming vulnerability advisory messages may be obtained from multiple sources, and then filtered and prioritised according to the specific requirements of the target environment (as determined by the security administrator). In addition to notification management, the framework provides an automated facility for the download and deployment of any associated patches. The framework has been implemented in prototype form, with particular focus on the notification manager.
Originality/value
This paper presents an automated framework, providing a valuable and comprehensive solution for managing vulnerabilities in terms of notification and rectification systems.
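The notification manager described above filters advisories from several feeds against the local environment and ranks what remains; the sketch below, an added example rather than the authors' prototype, shows one way that pipeline can look. The advisory and inventory record layouts, the "affected below the fixed‐in version" convention, the scoring weights and the feed names are all assumptions made for illustration, and the sample data is constructed.

```python
"""Advisory notification manager, in miniature (illustrative; not the
paper's framework). Record formats and scoring weights are assumed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Dotted version string -> int tuple, so '2.4.10' sorts after '2.4.9'."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    source: str            # which feed delivered it
    product: str
    fixed_in: str          # assumed convention: versions strictly below are affected
    severity: str          # low | medium | high | critical
    patch_url: Optional[str] = None


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    version: str
    internet_facing: bool


SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def dedupe(advisories: List[Advisory]) -> List[Advisory]:
    """Several feeds usually carry the same issue; keep one record per
    (product, fixed-in) pair, preferring a copy that names a patch."""
    merged = {}
    for adv in advisories:
        key = (adv.product.lower(), adv.fixed_in)
        current = merged.get(key)
        if current is None or (current.patch_url is None and adv.patch_url):
            merged[key] = adv
    return list(merged.values())


def affected_assets(adv: Advisory, inventory: List[Asset]) -> List[Asset]:
    """Filter step: only hosts running a vulnerable version of that product."""
    return [a for a in inventory
            if a.product.lower() == adv.product.lower()
            and parse_version(a.version) < parse_version(adv.fixed_in)]


def priority(adv: Advisory, hosts: List[Asset]) -> int:
    """Assumed weighting: severity, doubled if any affected host is
    Internet-facing, scaled by the number of affected hosts."""
    exposure = 2 if any(h.internet_facing for h in hosts) else 1
    return SEVERITY_WEIGHT[adv.severity] * exposure * len(hosts)


def triage(advisories, inventory, min_severity="low"):
    """Drop advisories below the administrator's severity floor or with no
    affected host, then rank the rest highest priority first."""
    ranked = []
    for adv in dedupe(advisories):
        if SEVERITY_WEIGHT[adv.severity] < SEVERITY_WEIGHT[min_severity]:
            continue
        hosts = affected_assets(adv, inventory)
        if not hosts:
            continue
        ranked.append((priority(adv, hosts), adv, hosts))
    ranked.sort(key=lambda item: item[0], reverse=True)
    return ranked


def deployment_plan(ranked):
    """(hostname, patch_url) pairs for advisories that ship a patch; those
    without one still need notification but cannot be auto-rectified."""
    return [(host.hostname, adv.patch_url)
            for _, adv, hosts in ranked if adv.patch_url
            for host in hosts]


# Constructed sample data; no real product, feed or host.
INVENTORY = [
    Asset("web01", "ExampleHTTPd", "2.4.1", internet_facing=True),
    Asset("web02", "ExampleHTTPd", "2.4.9", internet_facing=True),
    Asset("db01", "ExampleDB", "10.2.0", internet_facing=False),
    Asset("build01", "ExampleCI", "1.0.0", internet_facing=False),
]
ADVISORIES = [
    Advisory("A-001", "vendor-list", "ExampleHTTPd", "2.4.5", "high",
             "https://example.invalid/httpd-2.4.5.patch"),
    Advisory("B-017", "cert-feed", "examplehttpd", "2.4.5", "high"),    # same issue, second feed
    Advisory("A-002", "vendor-list", "ExampleDB", "10.3.0", "critical",
             "https://example.invalid/db-10.3.0.patch"),
    Advisory("B-020", "cert-feed", "ExampleMail", "3.1.0", "critical"),  # product not deployed here
    Advisory("A-003", "vendor-list", "ExampleCI", "1.2.0", "low"),
]

if __name__ == "__main__":
    for score, adv, hosts in triage(ADVISORIES, INVENTORY):
        print(score, adv.advisory_id, [h.hostname for h in hosts])
    print(deployment_plan(triage(ADVISORIES, INVENTORY)))
```

Two checks a practitioner would keep: the duplicate from the second feed collapses into one notification rather than two, and the critical advisory for a product that is not in the inventory is discarded before anyone is paged, which is the filtering the abstract refers to.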
S.M. Furnell, I. Papadopoulos and P. Dowland
Abstract
Modern IT systems have a continued requirement for reliable user authentication at login. However, the majority of systems still use username/password combinations, in spite of a variety of recognised weaknesses. The paper identifies the need for improved login authentication and investigates the suitability of two alternative methods, using cognitive questions and an image‐based PIN. The effectiveness of these techniques was evaluated in an earlier study, which assessed users' ability to recall the necessary information after a prolonged period of inactivity. Here, the evaluation focuses on the perceived acceptability of the techniques, based upon users' longer‐term opinions arising from a period of regular usage. It finds that 56 per cent of the participants would support the use of such techniques as a replacement for traditional password or numeric PIN‐based authentication. However, it also finds that some users have the potential to compromise the security of the methods by using them inappropriately. As such, it concludes that, although the use of alternative authentication techniques is viable, further research is needed to refine the approaches and identify the best combination of methods across a larger base of users.
M.Z. Jali, S.M. Furnell and P.S. Dowland
Abstract
Purpose
The purpose of this paper is to assess the usability of two image‐based authentication methods when used in the web‐based environment. The evaluated approaches involve clicking secret points within a single image (click‐based) and remembering a set of images in the correct sequence (choice‐based).
Design/methodology/approach
A “one‐to‐one” usability study was conducted in which participants had to complete three main tasks, namely authentication tasks (register, confirm and login), a spot‐the‐difference activity and providing feedback.
Findings
From analysing the results in terms of timing, number of attempts, user feedback, accuracy and predictability, it is found that the choice‐based approach is better in terms of usability, whereas the click‐based method performed better in terms of timing and is rated more secure against social engineering.
Research limitations/implications
The majority of participants are from the academic sector (students, lecturers, etc.) and had up to seven years' IT experience. To obtain more statistically significant results, it is proposed that participants should be obtained from various sectors, having a more varied IT experience.
Practical implications
The results suggest that in order for image‐based authentication to be used in the web environment, more work is needed to increase the usability, while at the same time maintaining the security of both techniques.
Originality/value
This paper enables a direct comparison of the usability of two alternative image‐based techniques, with the studies using the same set of participants and the same set of environment settings.
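The two methods compared above store very different secrets: a click‐based secret is a sequence of points on one image and has to tolerate slightly imprecise clicks, while a choice‐based secret is an ordered set of image identifiers. The block below is an added example, not the paper's prototype, of how a server can enrol and verify both without storing the raw secret, and of the size of the secret space each method offers, which is the "security" side of the trade‐off the findings describe. Assumed for illustration: a 400×300 image with a 20‐pixel tolerance grid, a catalogue of 30 images, PBKDF2‐HMAC‐SHA256 from the Python standard library as the hash, and constructed click coordinates.

```python
"""Enrol/verify for click-based and choice-based image secrets (added
example; image size, grid, catalogue size and hashing are assumptions)."""
import hashlib
import hmac
import math
import os
from collections import Counter
from typing import Dict, List, Sequence, Tuple

IMAGE_W, IMAGE_H = 400, 300   # assumed background image size in pixels
GRID = 20                     # assumed tolerance: one 20x20 cell per click
CATALOGUE_SIZE = 30           # assumed number of images shown for choice-based


def discretise(points: Sequence[Tuple[int, int]], grid: int = GRID) -> List[Tuple[int, int]]:
    """Snap each click to its grid cell so a slightly-off click hashes the
    same. Raw coordinates cannot be hashed directly because no two clicks
    are pixel-identical; the cost is that a click near a cell edge can
    fall into the neighbouring cell and fail."""
    return [(x // grid, y // grid) for x, y in points]


def _derive(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)


def _enrol(secret: bytes, length: int) -> Dict[str, object]:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(secret, salt), "length": length}


def _verify(record: Dict[str, object], secret: bytes, length: int) -> bool:
    if length != record["length"]:
        return False   # wrong number of clicks/images; length is not secret here
    return hmac.compare_digest(_derive(secret, record["salt"]), record["hash"])


def _encode_cells(cells: Sequence[Tuple[int, int]]) -> bytes:
    return "|".join(f"{cx},{cy}" for cx, cy in cells).encode()


def enrol_click(points: Sequence[Tuple[int, int]]) -> Dict[str, object]:
    return _enrol(_encode_cells(discretise(points)), len(points))


def verify_click(record: Dict[str, object], points: Sequence[Tuple[int, int]]) -> bool:
    """Order of the clicks is part of the secret."""
    return _verify(record, _encode_cells(discretise(points)), len(points))


def enrol_choice(sequence: Sequence[str]) -> Dict[str, object]:
    return _enrol("|".join(sequence).encode(), len(sequence))


def verify_choice(record: Dict[str, object], sequence: Sequence[str]) -> bool:
    """Images must be supplied in the enrolled order."""
    return _verify(record, "|".join(sequence).encode(), len(sequence))


def click_space_bits(clicks: int, w: int = IMAGE_W, h: int = IMAGE_H, grid: int = GRID) -> float:
    """Bits of a uniformly chosen click secret after discretisation."""
    cells = (w // grid) * (h // grid)
    return clicks * math.log2(cells)


def choice_space_bits(length: int, catalogue: int = CATALOGUE_SIZE) -> float:
    """Bits of an ordered selection of distinct images from the catalogue."""
    return math.log2(math.perm(catalogue, length))


def hotspots(all_points: Sequence[Sequence[Tuple[int, int]]], top: int = 3):
    """Rank grid cells by how many enrolling users chose them. A popular
    cell is a guessable one; this is the kind of predictability check the
    study applies, run at enrolment before the secret is hashed."""
    counts = Counter(cell for pts in all_points for cell in discretise(pts))
    return counts.most_common(top)


# Constructed sample secrets.
USER_CLICKS = [
    [(45, 120), (210, 33), (390, 280)],
    [(50, 110), (100, 100), (390, 290)],
    [(40, 130), (5, 5), (300, 200)],
]

if __name__ == "__main__":
    rec = enrol_click(USER_CLICKS[0])
    print(verify_click(rec, [(57, 125), (205, 30), (385, 299)]))   # same cells
    print(f"click: {click_space_bits(3):.1f} bits, choice: {choice_space_bits(4):.1f} bits")
    print(hotspots(USER_CLICKS, 2))
```

With these assumptions three clicks on a 20×15 grid give about 24.7 bits and four images from a catalogue of 30 about 19.3 bits, before any hotspot or predictability effects are taken into account; the numbers are there to show that the comparison is driven by grid size and catalogue size, not by the method in the abstract.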
S.M. Furnell, M. Gennatou and P.S. Dowland
Abstract
Information systems security is a critical issue for all organisations with a significant dependence upon information technology. However, it is a requirement that is often difficult to address, particularly within small organisations, as a result of a lack of resources and expertise. This paper identifies the need for security awareness and describes the prototype implementation of a software tool that enables individuals to pursue self‐paced security training. The tool provides an environment that permits the user to simulate the introduction of security into a number of pre‐defined case study scenarios. This enables staff to become familiar with the types of countermeasures available, the situations in which they are appropriate and any constraints that they may impose. This would be particularly valuable in small organisations where specialist knowledge is often scarce and issues need to be addressed by existing staff.
Steven M. Furnell and Paul S. Dowland
Abstract
The detection and prevention of unauthorised activities, by both external parties and internal personnel, is an important issue within IT systems. Traditional methods of user authentication and access control do not provide comprehensive protection and offer opportunities for compromise by various classes of abuser. A potential solution is provided in the form of intrusion detection systems, which are able to provide proactive monitoring of system activity and apply automatic responses in the event of suspected problems. This paper presents the principles of intrusion monitoring and then proceeds to describe the conceptual architecture of the Intrusion Monitoring System (IMS), an approach that is the focus of current research and development by the authors. The main functional elements of the IMS architecture are described, followed by thoughts regarding the practical implementation and the associated advantages (and potential disadvantages) that this would deliver. It is concluded that whilst an IMS‐type approach would not represent a total replacement for conventional controls, it would represent an effective means to complement the protection already provided.
Abstract
Purpose
The main objective of the paper is to investigate the existence and adequacy of implemented Computerized Accounting Information Systems (CAIS) security controls to prevent, detect and correct security breaches in Saudi Arabian organizations. This is the first part of a two‐part paper on the subject.
Design/methodology/approach
This paper presents and examines the literature review related to CAIS security controls.
Findings
The results of the study are intended to enable managers and practitioners to better secure their CAIS and to champion IT development for the success of their business.
Originality/value
This paper fills a vacuum by conducting research in Saudi Arabia, a developing country, whereas previous research has mainly involved developed countries.
Oleksiy Mazhelis, Jouni Markkula and Jari Veijalainen
Abstract
Purpose
To report the work on the design of an integrated identity verification system architecture aimed at approaching high verification accuracy, continuous security, and user‐friendliness.
Design/methodology/approach
The reported research corresponds to the building process in the design science research paradigm. The requirements for an identity verification system are defined and used in the selection of architecture components. Furthermore, various issues affecting the suitability of distributing components between a terminal and a remote server are considered.
Findings
In order to meet the stated requirements, in the proposed architecture static and dynamic identity verification is combined. The use of the dynamic part enables continuous and user‐friendly verification, while the static part is responsible for accurate verification. A suitable distribution of architecture components between the terminal and the remote server is proposed.
Research limitations/implications
The proposed architecture represents a specification that corresponds to the computational viewpoint of the reference model for open distributed processing. Other specifications, such as engineering or technological specifications, which are needed for successful implementation of the system, are not provided in the paper.
Practical implications
The paper provides a specification of the integrated identity verification system architecture that can be utilised during further design and subsequent implementation of the system.
Originality/value
While available approaches to identity verification in a mobile environment concentrate mainly on connectivity identity verification (employed in accessing communication services), the proposed architecture focuses on application‐level identity verification needed to access application‐level resources, remotely or locally on the terminal.