A cyber security strategy to mitigate cloud computing risks within the investment management sector in Cape Town
- Authors: Monareng, Glacier Jamela
- Date: 2024-04
- Subjects: Cloud computing , Computer security , Computer science
- Language: English
- Type: Master's theses , text
- Identifier: http://hdl.handle.net/10948/64717 , vital:73866
- Description: Adoption of cloud computing has become a transformative force in modern information technology, revolutionizing how organisations procure, manage, and deliver IT resources as well as IT services. This treatise explores the implementation of cloud computing in the investment management sector. It focuses on potential cloud security risks, broader implications for businesses and IT ecosystems, and subsequently the treatise conceptualises a strategy that may help in responding to these security risks. The study began by surveying the motivations behind cloud adoption in the investment sector, emphasising the potential cost savings, scalability, and flexibility cloud services offer. It then delves into the challenges faced during implementation, including security concerns, data privacy, compliance issues, and the intricacies of transitioning legacy systems to cloud environments. In response to these challenges, the treatise outlines strategies for successful cloud implementation within the investment sector, in Cape Town, South Africa. It highlights the significance of selecting appropriate cloud service models (for example, IaaS, PaaS, or SaaS) and deployment options (for example, public, private, hybrid, or multi-cloud) to align with organisational needs and objectives. The study followed a qualitative research study. In collecting data an open-ended online survey was sent to participants. The participants were from an investment company in Cape Town. The study employed the design science research paradigm with the aim of developing an artefact. The methodology used was the Nelson Mandela University-Design Science Strategy Methodology (NMU-DSSM) In conclusion, this treatise conceptualises a strategy that may help companies investing in cloud computing technologies to mitigate cyber security and cloud risks. It recommends practices that underscore cloud computing's transformative potential while acknowledging its complexity and challenges. The strategy may serve as a valuable resource for IT professionals, decision-makers, and organisations embarking on the cloud journey, offering guidance and perspectives to navigate the complexities and to realise the potential benefits of cloud technology. , Thesis (MPhil) -- Faculty of Engineering, the Built Environment and Technology, School of Information Technology, 2024
- Full Text:
- Date Issued: 2024-04
A strategic approach for handling information security incidents in higher education
- Authors: Khamali, Rethabile
- Date: 2024-04
- Subjects: Computer security -- Management , Computer security , Information resources management , Corporate governance -- South Africa
- Language: English
- Type: Master's theses , text
- Identifier: http://hdl.handle.net/10948/64588 , vital:73769
- Description: Information Security Management System (ISMS) is a set of processes to protect institution information assets and information and to preserve confidentiality, integrity, and availability of institutional information. In the world of computers, it is known that there is no silver bullet when it comes to protecting an IT infrastructure. At some point, an organisation will face a security breach, and how it deals with the information security incident depending on the robustness of its processes and the strategy for handling incidents. In today’s world, information communication and technology (ICT) is integral in automating manual tasks that can take hours and even days to execute. The more institutions depend on technology, the more they become vulnerable to cyber threats. This could result in an institution losing its competitive edge, facing legal issues, loss of reputation, customer confidence and productivity, and lastly, financial loss. Various information security standards, frameworks, and methodologies can be applied to protect information assets. Many of these best practices define the ‘what’ and not the ‘how’ making it even more complex for institutions such as Higher Education to implement ISMS. The study aims is to develop a strategy for handling information security incidents that Higher Education Institutions can follow to improve how incidents, cyber threats and breaches are handled. The primary research objective is addressed through several secondary research objectives, namely, to investigate current strategies that Higher Education Institutions can utilise for the handling of information security incidents, to understand various challenges that Higher Education Institutions encounter when handling information security incidents, to assess the current capacity of relevant personnel in handling information security incidents through semi-structured interviews. A detailed literature review was undertaken to delve into existing various information security standards, frameworks, and methodologies. In addition, an investigation was conducted on ISMS adoption and implementation by institutions and Higher Education Institutions in general and how modern best practices such as ISO2700x, COBIT, ITIL, NIST, etc, relate to ISMS. Furthermore, semi-structured interviews were conducted to determine information security incidents at South African Higher Education Institutions. Expert interviews are utilised to evaluate the proposed strategy and provide input. The literature review findings, together with results obtained from semi-structured and expert interviews, are used to develop a strategy evaluated for its robustness, effectiveness, and suitability for the purpose. The developed strategy can be considered a beneficial tool for Higher Education Institutions in South Africa for handling information security incidents. This study’s findings significantly contribute to ISMS research in Higher Education Institutions in South Africa. In conclusion, findings of the study can be summarized as follows. The first chapter, which is also an introduction, sets out the scene for the entire research study undertaken by first highlighting information technology as an integral part of any business nowadays. Higher education institutions collect, process and store sensitive information of current and prospective students and employees, which might be of value to hackers. An information security management system (ISMS) can minimise damage by ensuring information assets are protected from a wide range of threats and business resilience in case of a breach or an incident. Chapter 2 reviews the existing literature for these frameworks, standards, and methods. In addition, various ISMS challenges and limitations within Higher Education Institutions were explored. The third chapter outlines the research design process and an emphasises that it must be based on real-world or tangible challenges. The fourth chapter presented and discussed results that were obtained from semi-structured interviews. The study’s analysis and findings vividly show that there is a need to implement a strategy to handle information security incidents for South African higher education institutions. The strategic management approach used to formulate a strategy to address the identified real problem is discussed in detail in chapter 5. The strategy is developed based on the information gathered from the literature review and semi-structured interviews. The results of the assessment of the proposed strategy carried out by the experts are presented in Chapter 6.The chapter also includes recommendations made by the experts to improve the proposedstrategy. , Thesis (MPhil) -- Faculty of Engineering, the Built Environment and Technology, School of Information Technology, 2024
- Full Text:
- Date Issued: 2024-04
Investigating the use of nudging to dissuade online banking fraud
- Authors: Mutyavariri, Takudzwa Stanley
- Date: 2023-03-31
- Subjects: Electronic commerce Security measures , Bank fraud , Computer security , Behavioral cybersecurity , Decision making Data processing
- Language: English
- Type: Academic theses , Master's theses , text
- Identifier: http://hdl.handle.net/10962/419462 , vital:71646
- Description: Online banking is a service offered by most modern banks to provide their clients with a convenient means to access their bank accounts remotely. However, such convenience comes at a cost and has the potential to expose clients to online banking fraud. To mitigate such forms of fraud, banks make extensive use of traditional cybersecurity measures such as firewalls, intrusion detection systems, as well as personal identification numbers (PINs) and passwords. However, despite the use of such traditional cybersecurity measures, online banking fraud still occurs. In particular, traditional cybersecurity measures have difficulties detecting the unauthorised use of a customer’s online banking credentials. For this reason, this study’s main objective was to investigate the effectiveness of nudges when used to dissuade the unauthorised use of clients’ online banking credentials. The study also had two secondary objectives: firstly, to identify where the deployment of nudges would be most effective; and secondly, to identify the rationalisations an individual may use to justify committing online banking fraud. Although previous research has sought to understand the use of nudges in various online contexts, none have done so within the context of online banking. Using a recontextualised version of the COM-B (capability, opportunity, motivation – behaviour) model of behaviour change, nudges were deployed in three versions of a fictitious online banking website. Following this, 15 semi-structured interviews were conducted with online banking users from the United States of America to understand how a third party may behave and rationalise their choices when they have unauthorised access to a customer’s online banking credentials. The transcripts of these interviews were analysed using thematic analysis. The findings revealed that the most dissuasive nudges focused on encouraging individuals to empathise with the account holder. Nudges that increased the perception of an online banking website’s security were also particularly dissuasive. The findings also indicated that the most effective place to deploy these nudges was after a user had logged in. Several rationalisations that enabled individuals to commit online baking fraud were found. The three most common were crime of opportunity, down on their luck, and sunk cost fallacy and curiosity. Together, the findings provide evidence to suggest that, if used effectively, nudges could prove useful as a means of dissuading online banking fraud, and even more so when combined with traditional cybersecurity measures. , Thesis (MCom) -- Faculty of Commerce, Information Systems, 2023
- Full Text:
- Date Issued: 2023-03-31
Remote fidelity of Container-Based Network Emulators
- Authors: Peach, Schalk Willem
- Date: 2021-10-29
- Subjects: Computer networks Security measures , Intrusion detection systems (Computer security) , Computer security , Host-based intrusion detection systems (Computer security) , Emulators (Computer programs) , Computer network protocols , Container-Based Network Emulators (CBNEs) , Network Experimentation Platforms (NEPs)
- Language: English
- Type: Master's theses , text
- Identifier: http://hdl.handle.net/10962/192141 , vital:45199
- Description: This thesis examines if Container-Based Network Emulators (CBNEs) are able to instantiate emulated nodes that provide sufficient realism to be used in information security experiments. The realism measure used is based on the information available from the point of view of a remote attacker. During the evaluation of a Container-Based Network Emulator (CBNE) as a platform to replicate production networks for information security experiments, it was observed that nmap fingerprinting returned Operating System (OS) family and version results inconsistent with that of the host Operating System (OS). CBNEs utilise Linux namespaces, the technology used for containerisation, to instantiate \emulated" hosts for experimental networks. Linux containers partition resources of the host OS to create lightweight virtual machines that share a single OS kernel. As all emulated hosts share the same kernel in a CBNE network, there is a reasonable expectation that the fingerprints of the host OS and emulated hosts should be the same. Based on how CBNEs instantiate emulated networks and that fingerprinting returned inconsistent results, it was hypothesised that the technologies used to construct CBNEs are capable of influencing fingerprints generated by utilities such as nmap. It was predicted that hosts emulated using different CBNEs would show deviations in remotely generated fingerprints when compared to fingerprints generated for the host OS. An experimental network consisting of two emulated hosts and a Layer 2 switch was instantiated on multiple CBNEs using the same host OS. Active and passive fingerprinting was conducted between the emulated hosts to generate fingerprints and OS family and version matches. Passive fingerprinting failed to produce OS family and version matches as the fingerprint databases for these utilities are no longer maintained. For active fingerprinting the OS family results were consistent between tested systems and the host OS, though OS version results reported was inconsistent. A comparison of the generated fingerprints revealed that for certain CBNEs fingerprint features related to network stack optimisations of the host OS deviated from other CBNEs and the host OS. The hypothesis that CBNEs can influence remotely generated fingerprints was partially confirmed. One CBNE system modified Linux kernel networking options, causing a deviation from fingerprints generated for other tested systems and the host OS. The hypothesis was also partially rejected as the technologies used by CBNEs do not influence the remote fidelity of emulated hosts. , Thesis (MSc) -- Faculty of Science, Computer Science, 2021
- Full Text:
- Date Issued: 2021-10-29
An exploratory investigation into an Integrated Vulnerability and Patch Management Framework
- Authors: Carstens, Duane
- Date: 2021-04
- Subjects: Computer security , Computer security -- Management , Computer networks -- Security measures , Patch Management , Integrated Vulnerability
- Language: English
- Type: thesis , text , Masters , MSc
- Identifier: http://hdl.handle.net/10962/177940 , vital:42892
- Description: In the rapidly changing world of cybersecurity, the constant increase of vulnerabilities continues to be a prevalent issue for many organisations. Malicious actors are aware that most organisations cannot timeously patch known vulnerabilities and are ill-prepared to protect against newly created vulnerabilities where a signature or an available patch has not yet been created. Consequently, information security personnel face ongoing challenges to mitigate these risks. In this research, the problem of remediation in a world of increasing vulnerabilities is considered. The current paradigm of vulnerability and patch management is reviewed using a pragmatic approach to all associated variables of these services / practices and, as a result, what is working and what is not working in terms of remediation is understood. In addition to the analysis, a taxonomy is created to provide a graphical representation of all associated variables to vulnerability and patch management based on existing literature. Frameworks currently being utilised in the industry to create an effective engagement model between vulnerability and patch management services are considered. The link between quantifying a threat, vulnerability and consequence; what Microsoft has available for patching; and the action plan for resulting vulnerabilities is explored. Furthermore, the processes and means of communication between each of these services are investigated to ensure there is effective remediation of vulnerabilities, ultimately improving the security risk posture of an organisation. In order to effectively measure the security risk posture, progress is measured between each of these services through a single averaged measurement metric. The outcome of the research highlights influencing factors that impact successful vulnerability management, in line with identified themes from the research taxonomy. These influencing factors are however significantly undermined due to resources within the same organisations not having a clear and consistent understanding of their role, organisational capabilities and objectives for effective vulnerability and patch management within their organisations. , Thesis (MSc) -- Faculty of Science, Computer Science, 2021
- Full Text:
- Date Issued: 2021-04
Towards a capability maturity model for a cyber range
- Authors: Aschmann, Michael Joseph
- Date: 2020
- Subjects: Computer software -- Development , Computer security
- Language: English
- Type: text , Thesis , Masters , MSc
- Identifier: http://hdl.handle.net/10962/163142 , vital:41013
- Description: This work describes research undertaken towards the development of a Capability Maturity Model (CMM) for Cyber Ranges (CRs) focused on cyber security. Global cyber security needs are on the rise, and the need for attribution within the cyber domain is of particular concern. This has prompted major efforts to enhance cyber capabilities within organisations to increase their total cyber resilience posture. These efforts include, but are not limited to, the testing of computational devices, networks, and applications, and cyber skills training focused on prevention, detection and cyber attack response. A cyber range allows for the testing of the computational environment. By developing cyber events within a confined virtual or sand-boxed cyber environment, a cyber range can prepare the next generation of cyber security specialists to handle a variety of potential cyber attacks. Cyber ranges have different purposes, each designed to fulfil a different computational testing and cyber training goal; consequently, cyber ranges can vary greatly in the level of variety, capability, maturity and complexity. As cyber ranges proliferate and become more and more valued as tools for cyber security, a method to classify or rate them becomes essential. Yet while a universal criteria for measuring cyber ranges in terms of their capability maturity levels becomes more critical, there are currently very limited resources for researchers aiming to perform this kind of work. For this reason, this work proposes and describes a CMM, designed to give organisations the ability to benchmark the capability maturity of a given cyber range. This research adopted a synthesised approach to the development of a CMM, grounded in prior research and focused on the production of a conceptual model that provides a useful level of abstraction. In order to achieve this goal, the core capability elements of a cyber range are defined with their relative importance, allowing for the development of a proposed classification cyber range levels. An analysis of data gathered during the course of an expert review, together with other research, further supported the development of the conceptual model. In the context of cyber range capability, classification will include the ability of the cyber range to perform its functions optimally with different core capability elements, focusing on the Measurement of Capability (MoC) with its elements, namely effect, performance and threat ability. Cyber range maturity can evolve over time and can be defined through the Measurement of Maturity (MoM) with its elements, namely people, processes, technology. The combination of these measurements utilising the CMM for a CR determines the capability maturity level of a CR. The primary outcome of this research is the proposed level-based CMM framework for a cyber range, developed using adopted and synthesised CMMs, the analysis of an expert review, and the mapping of the results.
- Full Text:
- Date Issued: 2020
A comparative study of CERBER, MAKTUB and LOCKY Ransomware using a Hybridised-Malware analysis
- Authors: Schmitt, Veronica
- Date: 2019
- Subjects: Microsoft Windows (Computer file) , Data protection , Computer crimes -- Prevention , Computer security , Computer networks -- Security measures , Computers -- Access control , Malware (Computer software)
- Language: English
- Type: text , Thesis , Masters , MSc
- Identifier: http://hdl.handle.net/10962/92313 , vital:30702
- Description: There has been a significant increase in the prevalence of Ransomware attacks in the preceding four years to date. This indicates that the battle has not yet been won defending against this class of malware. This research proposes that by identifying the similarities within the operational framework of Ransomware strains, a better overall understanding of their operation and function can be achieved. This, in turn, will aid in a quicker response to future attacks. With the average Ransomware attack taking two hours to be identified, it shows that there is not yet a clear understanding as to why these attacks are so successful. Research into Ransomware is limited by what is currently known on the topic. Due to the limitations of the research the decision was taken to only examined three samples of Ransomware from different families. This was decided due to the complexities and comprehensive nature of the research. The in depth nature of the research and the time constraints associated with it did not allow for proof of concept of this framework to be tested on more than three families, but the exploratory work was promising and should be further explored in future research. The aim of the research is to follow the Hybrid-Malware analysis framework which consists of both static and the dynamic analysis phases, in addition to the digital forensic examination of the infected system. This allows for signature-based findings, along with behavioural and forensic findings all in one. This information allows for a better understanding of how this malware is designed and how it infects and remains persistent on a system. The operating system which has been chosen is the Microsoft Window 7 operating system which is still utilised by a significant proportion of Windows users especially in the corporate environment. The experiment process was designed to enable the researcher the ability to collect information regarding the Ransomware and every aspect of its behaviour and communication on a target system. The results can be compared across the three strains to identify the commonalities. The initial hypothesis was that Ransomware variants are all much like an instant cake box consists of specific building blocks which remain the same with the flavouring of the cake mix being the unique feature.
- Full Text:
- Date Issued: 2019
A framework to guide cybersecurity governance efforts in non-profit organisations
- Authors: le Roux, Wickus
- Date: 2019
- Subjects: Computer security , Information technology Nonprofit organizations -- security measures
- Language: English
- Type: Thesis , Masters , MPhil
- Identifier: http://hdl.handle.net/10948/44918 , vital:38188
- Description: The average non-profit organisation is faced with the same cybersecurity challenges as an international multi-corporation that generates income. However, it may lack the competencies or resources to fully utilise, implement, monitor, or evaluate cybersecurity governance to a satisfactory or acceptable level. A literature review revealed limited publicly accessible documents to guide NPOs in particular in the task of cybersecurity governance. Therefore, the problem addressed by this research is the lack of a framework to guide cybersecurity governance efforts in non-profit organisations. This real-world problem was approached using the design science paradigm. It was important to identify, firstly, factors unique to the general context of non-profit organisations, including the constraints and limitations faced by non-profit organisations. Secondly, the key cyber risks for non-profit organisations and how they can materialise through the use of emails, social media, and BYODs in the NPO context, were identified. As a third step, available cybersecurity governance guidelines were analysed to determine best practices. This investigation also revealed the people, process, and technology elements as the pillars of information security. This resulted in the development of a framework (the PotLer framework) to guide cybersecurity governance efforts in non-profit organisations based on the input of the three points mentioned above. The framework was constructed around four conceptual elements, namely information security governance; people, process, and technology; governance elements; and key risks. The PotLer framework expands the high-level generic constructs beyond the conceptual space and provides implementation guidance in the form of a questionnaire to be completed by NPOs. The questionnaire was developed as an interactive spreadsheet that requires “Yes” or “No” responses from participants and generates a recommendation based on these answers. To evaluate the PotLer framework, the aforementioned questionnaire was completed by four NPOs. An additional questionnaire obtained their input on the utility and comprehensiveness of the framework.
- Full Text:
- Date Issued: 2019
A framework to implement information security awareness, education and training within the Limpopo economic development agency group
- Authors: Mokobane, Ntsewa Benjamin
- Date: 2019
- Subjects: Computer security , Computer networks -- Security measures Data protection
- Language: English
- Type: Thesis , Masters , MPhil
- Identifier: http://hdl.handle.net/10948/42063 , vital:36622
- Description: Cybersecurity awareness, education and training of employees is key in reducing and preventing cyber-attack opportunities. The ignorance and/or lack of understanding of employees about the information security risks around them might expose the LEDA Group to cyber-attacks. This led to the problem that the level of awareness of employees regarding information security was not known. The implication of this not knowing was that an argument for the nature of an intervention to ensure awareness, as well as to educate and train employees regarding information security was not possible. The aim of this treatise was to develop a framework as an effective guideline for the implementation of cybersecurity awareness, education and training of employees. In the study, the LEDA Group employees were surveyed to determine their cybersecurity knowledge gap. An online questionnaire was randomly sent to 314 LEDA Group employees. The survey was voluntary and confidential. One hundred and thirty seven (137) employees completed the survey. The results of the survey were analysed to determine the gap between the current cybersecurity knowledge of the LEDA Group employees and state-of-the-art cybersecurity knowledge. The gap was used in the development of the framework for the implementation of the cybersecurity awareness, education and training (F-CSAET). Central to F-CSAET is the governance principles guided by best practices such as King IV, COBIT5, ISO27001, ISO27005, ISO27008 and ISO27032 and the compliance requirements to POPIA, the Copyright Act and the Cybercrimes and Cybersecurity Bill. The F-CSAET has six steps, namely Assess, Analyse, Create, Plan, Implement and Reinforce. The framework was evaluated for applicability by the team called the cyber security interest team, which was established specifically for the purpose of the F-CSAET.
- Full Text:
- Date Issued: 2019
A multi-threading software countermeasure to mitigate side channel analysis in the time domain
- Authors: Frieslaar, Ibraheem
- Date: 2019
- Subjects: Computer security , Data encryption (Computer science) , Noise generators (Electronics)
- Language: English
- Type: text , Thesis , Doctoral , PhD
- Identifier: http://hdl.handle.net/10962/71152 , vital:29790
- Description: This research is the first of its kind to investigate the utilisation of a multi-threading software-based countermeasure to mitigate Side Channel Analysis (SCA) attacks, with a particular focus on the AES-128 cryptographic algorithm. This investigation is novel, as there has not been a software-based countermeasure relying on multi-threading to our knowledge. The research has been tested on the Atmel microcontrollers, as well as a more fully featured system in the form of the popular Raspberry Pi that utilises the ARM7 processor. The main contributions of this research is the introduction of a multi-threading software based countermeasure used to mitigate SCA attacks on both an embedded device and a Raspberry Pi. These threads are comprised of various mathematical operations which are utilised to generate electromagnetic (EM) noise resulting in the obfuscation of the execution of the AES-128 algorithm. A novel EM noise generator known as the FRIES noise generator is implemented to obfuscate data captured in the EM field. FRIES comprises of hiding the execution of AES-128 algorithm within the EM noise generated by the 512 Secure Hash Algorithm (SHA) from the libcrypto++ and OpenSSL libraries. In order to evaluate the proposed countermeasure, a novel attack methodology was developed where the entire secret AES-128 encryption key was recovered from a Raspberry Pi, which has not been achieved before. The FRIES noise generator was pitted against this new attack vector and other known noise generators. The results exhibited that the FRIES noise generator withstood this attack whilst other existing techniques still leaked out secret information. The visual location of the AES-128 encryption algorithm in the EM spectrum and key recovery was prevented. These results demonstrated that the proposed multi-threading software based countermeasure was able to be resistant to existing and new forms of attacks, thus verifying that a multi-threading software based countermeasure can serve to mitigate SCA attacks.
- Full Text:
- Date Issued: 2019
A study of malicious software on the macOS operating system
- Authors: Regensberg, Mark Alan
- Date: 2019
- Subjects: Malware (Computer software) , Computer security , Computer viruses , Mac OS
- Language: English
- Type: text , Thesis , Masters , MSc
- Identifier: http://hdl.handle.net/10962/92302 , vital:30701
- Description: Much of the published malware research begins with a common refrain: the cost, quantum and complexity of threats are increasing, and research and practice should prioritise efforts to automate and reduce times to detect and prevent malware, while improving the consistency of categories and taxonomies applied to modern malware. Existing work related to malware targeting Apple's macOS platform has not been spared this approach, although limited research has been conducted on the true nature of threats faced by users of the operating system. While macOS focused research available consistently notes an increase in macOS users, devices and ultimately in threats, an opportunity exists to understand the real nature of threats faced by macOS users and suggest potential avenues for future work. This research provides a view of the current state of macOS malware by analysing and exploring a dataset of malware detections on macOS endpoints captured over a period of eleven months by an anti-malware software vendor. The dataset is augmented with malware information provided by the widely used Virus. Total service, as well as the application of prior automated malware categorisation work, AVClass to categorise and SSDeep to cluster and report on observed data. With Windows and Android platforms frequently in the spotlight as targets for highly disruptive malware like botnets, ransomware and cryptominers, research and intuition seem to suggest the threat of malware on this increasingly popular platform should be growing and evolving accordingly. Findings suggests that the direction and nature of growth and evolution may not be entirely as clear as industry reports suggest. Adware and Potentially Unwanted Applications (PUAs) make up the vast majority of the detected threats, with remote access trojans (RATs), ransomware and cryptocurrency miners comprising a relatively small proportion of the detected malware. This provides a number of avenues for potential future work to compare and contrast with research on other platforms, as well as identification of key factors that may influence its growth in the future.
- Full Text:
- Date Issued: 2019
An analysis of the use of DNS for malicious payload distribution
- Authors: Dube, Ishmael
- Date: 2019
- Subjects: Internet domain names , Computer networks -- Security measures , Computer security , Computer network protocols , Data protection
- Language: English
- Type: text , Thesis , Masters , MSc
- Identifier: http://hdl.handle.net/10962/97531 , vital:31447
- Description: The Domain Name System (DNS) protocol is a fundamental part of Internet activities that can be abused by cybercriminals to conduct malicious activities. Previous research has shown that cybercriminals use different methods, including the DNS protocol, to distribute malicious content, remain hidden and avoid detection from various technologies that are put in place to detect anomalies. This allows botnets and certain malware families to establish covert communication channels that can be used to send or receive data and also distribute malicious payloads using the DNS queries and responses. Cybercriminals use the DNS to breach highly protected networks, distribute malicious content, and exfiltrate sensitive information without being detected by security controls put in place by embedding certain strings in DNS packets. This research undertaking broadens this research field and fills in the existing research gap by extending the analysis of DNS being used as a payload distribution channel to detection of domains that are used to distribute different malicious payloads. This research undertaking analysed the use of the DNS in detecting domains and channels that are used for distributing malicious payloads. Passive DNS data which replicate DNS queries on name servers to detect anomalies in DNS queries was evaluated and analysed in order to detect malicious payloads. The research characterises the malicious payload distribution channels by analysing passive DNS traffic and modelling the DNS query and response patterns. The research found that it is possible to detect malicious payload distribution channels through the analysis of DNS TXT resource records.
- Full Text:
- Date Issued: 2019
Towards understanding and mitigating attacks leveraging zero-day exploits
- Authors: Smit, Liam
- Date: 2019
- Subjects: Computer crimes -- Prevention , Data protection , Hacking , Computer security , Computer networks -- Security measures , Computers -- Access control , Malware (Computer software)
- Language: English
- Type: text , Thesis , Masters , MSc
- Identifier: http://hdl.handle.net/10962/115718 , vital:34218
- Description: Zero-day vulnerabilities are unknown and therefore not addressed with the result that they can be exploited by attackers to gain unauthorised system access. In order to understand and mitigate against attacks leveraging zero-days or unknown techniques, it is necessary to study the vulnerabilities, exploits and attacks that make use of them. In recent years there have been a number of leaks publishing such attacks using various methods to exploit vulnerabilities. This research seeks to understand what types of vulnerabilities exist, why and how these are exploited, and how to defend against such attacks by either mitigating the vulnerabilities or the method / process of exploiting them. By moving beyond merely remedying the vulnerabilities to defences that are able to prevent or detect the actions taken by attackers, the security of the information system will be better positioned to deal with future unknown threats. An interesting finding is how attackers exploit moving beyond the observable bounds to circumvent security defences, for example, compromising syslog servers, or going down to lower system rings to gain access. However, defenders can counter this by employing defences that are external to the system preventing attackers from disabling them or removing collected evidence after gaining system access. Attackers are able to defeat air-gaps via the leakage of electromagnetic radiation as well as misdirect attribution by planting false artefacts for forensic analysis and attacking from third party information systems. They analyse the methods of other attackers to learn new techniques. An example of this is the Umbrage project whereby malware is analysed to decide whether it should be implemented as a proof of concept. Another important finding is that attackers respect defence mechanisms such as: remote syslog (e.g. firewall), core dump files, database auditing, and Tripwire (e.g. SlyHeretic). These defences all have the potential to result in the attacker being discovered. Attackers must either negate the defence mechanism or find unprotected targets. Defenders can use technologies such as encryption to defend against interception and man-in-the-middle attacks. They can also employ honeytokens and honeypots to alarm misdirect, slow down and learn from attackers. By employing various tactics defenders are able to increase their chance of detecting and time to react to attacks, even those exploiting hitherto unknown vulnerabilities. To summarize the information presented in this thesis and to show the practical importance thereof, an examination is presented of the NSA's network intrusion of the SWIFT organisation. It shows that the firewalls were exploited with remote code execution zerodays. This attack has a striking parallel in the approach used in the recent VPNFilter malware. If nothing else, the leaks provide information to other actors on how to attack and what to avoid. However, by studying state actors, we can gain insight into what other actors with fewer resources can do in the future.
- Full Text:
- Date Issued: 2019
Guidelines for the protection of stored sensitive information assets within small, medium and micro enterprises
- Authors: Scharnick, Nicholas
- Date: 2018
- Subjects: Computer security , Information technology -- Security measures Data protection Business -- Data processing -- Security measures Small business -- Data processing -- Security measures -- South Africa
- Language: English
- Type: Thesis , Masters , MIT
- Identifier: http://hdl.handle.net/10948/34799 , vital:33452
- Description: Technology has become important in the business environment as it ensures that a business is competitive and it also drives the business processes. However, in the era of mobile devices, easy access to the internet and a wide variety of other communication mechanisms; the security of the business from a technological perspective is constantly under threat. Thus, the problem that this research aims to address is that there is currently a lack of understanding by SMMEs in protecting their stored sensitive information assets. This study intends to assist small businesses, such as those within the Small Medium and Micro Enterprises (SMME) on how to protect and secure information while it is in storage. SMMEs usually do not have available resources to fully address information security related concerns that could pose a threat to the well being and success of the business. In order to address the problem identified, and assist SMMEs with better protecting their stored information assets, the outcomes of this research is to develop guidelines to assist SMMEs in protecting stored sensitive information assets. Through the use of a qualitative content analysis, a literature review, a number of information security standards, best practices, and frameworks, including the ISO27000 series of standards, COBIT, ITIL, and various NIST publications were analysed to determine how these security approaches address security concerns that arise when considering the storage of sensitive information. Following the literature analysis, a survey was developed and distributed to a wide variety of SMMEs in order to determine what their information security requirements might be, as well as how they address information security. The results obtained from this, coupled with the literature analysis, served as input for the development of a number of guidelines that can assist SMMEs in protecting stored sensitive information assets.
- Full Text:
- Date Issued: 2018
NetwIOC: a framework for the automated generation of network-based IOCS for malware information sharing and defence
- Authors: Rudman, Lauren Lynne
- Date: 2018
- Subjects: Malware (Computer software) , Computer networks Security measures , Computer security , Python (Computer program language)
- Language: English
- Type: text , Thesis , Masters , MSc
- Identifier: http://hdl.handle.net/10962/60639 , vital:27809
- Description: With the substantial number of new malware variants found each day, it is useful to have an efficient way to retrieve Indicators of Compromise (IOCs) from the malware in a format suitable for sharing and detection. In the past, these indicators were manually created after inspection of binary samples and network traffic. The Cuckoo Sandbox, is an existing dynamic malware analysis system which meets the requirements for the proposed framework and was extended by adding a few custom modules. This research explored a way to automate the generation of detailed network-based IOCs in a popular format which can be used for sharing. This was done through careful filtering and analysis of the PCAP hie generated by the sandbox, and placing these values into the correct type of STIX objects using Python, Through several evaluations, analysis of what type of network traffic can be expected for the creation of IOCs was conducted, including a brief ease study that examined the effect of analysis time on the number of IOCs created. Using the automatically generated IOCs to create defence and detection mechanisms for the network was evaluated and proved successful, A proof of concept sharing platform developed for the STIX IOCs is showcased at the end of the research.
- Full Text:
- Date Issued: 2018
Towards a collection of cost-effective technologies in support of the NIST cybersecurity framework
- Authors: Shackleton, Bruce Michael Stuart
- Date: 2018
- Subjects: National Institute of Standards and Technology (U.S.) , Computer security , Computer networks Security measures , Small business Information technology Cost effectiveness , Open source software
- Language: English
- Type: text , Thesis , Masters , MSc
- Identifier: http://hdl.handle.net/10962/62494 , vital:28199
- Description: The NIST Cybersecurity Framework (CSF) is a specific risk and cybersecurity framework. It provides guidance on controls that can be implemented to help improve an organisation’s cybersecurity risk posture. The CSF Functions consist of Identify, Protect, Detect, Respond, and Recover. Like most Information Technology (IT) frameworks, there are elements of people, processes, and technology. The same elements are required to successfully implement the NIST CSF. This research specifically focuses on the technology element. While there are many commercial technologies available for a small to medium sized business, the costs can be prohibitively expensive. Therefore, this research investigates cost-effective technologies and assesses their alignment to the NIST CSF. The assessment was made against the NIST CSF subcategories. Each subcategory was analysed to identify where a technology would likely be required. The framework provides a list of Informative References. These Informative References were used to create high- level technology categories, as well as identify the technical controls against which the technologies were measured. The technologies tested were either open source or proprietary. All open source technologies tested were free to use, or have a free community edition. Proprietary technologies would be free to use, or considered generally available to most organisations, such as components contained within Microsoft platforms. The results from the experimentation demonstrated that there are multiple cost-effective technologies that can support the NIST CSF. Once all technologies were tested, the NIST CSF was extended. Two new columns were added, namely high-level technology category, and tested technology. The columns were populated with output from the research. This extended framework begins an initial collection of cost-effective technologies in support of the NIST CSF.
- Full Text:
- Date Issued: 2018
A model to address factors that could influence the information security behaviour of computing graduates
- Authors: Mabece, Thandolwethu , Thomson, Kerry-Lynn
- Date: 2017
- Subjects: Information technology -- Security measures , Computer security , Cyber intelligence (Computer security)
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: http://hdl.handle.net/10948/7355 , vital:21339
- Description: The fact that information is ubiquitous throughout most modern organisations cannot be denied. Information is not merely used as an enabler in modern organisations today, but is also used to gain a competitive advantage over competitors. Thus, information has become one of the most important business assets. It is, therefore, imperative that organisations protect information assets as they would protect other business assets. This is typically achieved through implementing various security measures.Technological and procedural security measures are largely dependent on humans. However, the incorrect behaviour of humans poses a significant threat to the protection of these information assets. Thus, it is vital to understand how human behaviour may impact the protection of information assets. While the focus of much literature is on organisations, the focus of this research is on higher education institutions and the factors of information security, with a specific focus on influencing the information security behaviour of computing graduates. Typically, computing graduates would be employed in organisations in various careers such as software developers, network administrators, database administrators and information systems analysts. Employment in these careers means that they would be closely interacting with information assets and information systems. A real problem, as identified by this research, is that currently, many higher education institutions are not consciously doing enough to positively influence the information security behaviour of their computing graduates. This research presents a model to address various factors that could influence the information security behaviour of computing graduates. The aim of this model is to assist computing educators in influencing computing graduates to adopt more secure behaviour, such as security assurance behaviour. A literature review was conducted to identify the research problem. A number of theories such as the Theory of Planned Behaviour, Protection Motivation Theory and Social Cognitive Theory were identified as being relevant for this research as they provided a theoretical foundation for factors that could influence the information security behaviour of computing graduates. Additionally, a survey was conducted to gather the opinions and perceptions of computing educators relating to information security education in higher education institutions. Results indicated that information security is not pervasively integrated within the higher education institutions surveyed. Furthermore, results revealed that most computing students were perceived to not be behaving in a secure manner with regard to information security. This could negatively influence their information security behaviour as computing graduates employed within organisations. Computing educators therefore require assistance in influencing the information security behaviour of these computing students. The proposed model to provide this assistance was developed through argumentation and modelling.
- Full Text:
- Date Issued: 2017
Amber : a aero-interaction honeypot with distributed intelligence
- Authors: Schoeman, Adam
- Date: 2015
- Subjects: Security systems -- Security measures , Computer viruses , Intrusion detection systems (Computer security) , Computer security
- Language: English
- Type: Thesis , Masters , MSc
- Identifier: vital:4716 , http://hdl.handle.net/10962/d1017938
- Description: For the greater part, security controls are based on the principle of Decision through Detection (DtD). The exception to this is a honeypot, which analyses interactions between a third party and itself, while occupying a piece of unused information space. As honeypots are not located on productive information resources, any interaction with it can be assumed to be non-productive. This allows the honeypot to make decisions based simply on the presence of data, rather than on the behaviour of the data. But due to limited resources in human capital, honeypots’ uptake in the South African market has been underwhelming. Amber attempts to change this by offering a zero-interaction security system, which will use the honeypot approach of decision through Presence (DtP) to generate a blacklist of third parties, which can be passed on to a network enforcer. Empirical testing has proved the usefulness of this alternative and low cost approach in defending networks. The functionality of the system was also extended by installing nodes in different geographical locations, and streaming their detections into the central Amber hive.
- Full Text:
- Date Issued: 2015
An investigation of ISO/IEC 27001 adoption in South Africa
- Authors: Coetzer, Christo
- Date: 2015
- Subjects: ISO 27001 Standard , Information technology -- Security measures , Computer security , Data protection
- Language: English
- Type: Thesis , Masters , MSc
- Identifier: vital:4720 , http://hdl.handle.net/10962/d1018669
- Description: The research objective of this study is to investigate the low adoption of the ISO/IEC 27001 standard in South African organisations. This study does not differentiate between the ISO/IEC 27001:2005 and ISO/IEC 27001:2013 versions, as the focus is on adoption of the ISO/IEC 27001 standard. A survey-based research design was selected as the data collection method. The research instruments used in this study include a web-based questionnaire and in-person interviews with the participants. Based on the findings of this research, the organisations that participated in this study have an understanding of the ISO/IEC 27001 standard; however, fewer than a quarter of these have fully adopted the ISO/IEC 27001 standard. Furthermore, the main business objectives for organisations that have adopted the ISO/IEC 27001 standard were to ensure legal and regulatory compliance, and to fulfil client requirements. An Information Security Management System management guide based on the ISO/IEC 27001 Plan-Do-Check-Act model is developed to help organisations interested in the standard move towards ISO/IEC 27001 compliance.
- Full Text:
- Date Issued: 2015
Pseudo-random access compressed archive for security log data
- Authors: Radley, Johannes Jurgens
- Date: 2015
- Subjects: Computer security , Information storage and retrieval systems , Data compression (Computer science)
- Language: English
- Type: Thesis , Masters , MSc
- Identifier: vital:4723 , http://hdl.handle.net/10962/d1020019
- Description: We are surrounded by an increasing number of devices and applications that produce a huge quantity of machine generated data. Almost all the machine data contains some element of security information that can be used to discover, monitor and investigate security events.The work proposes a pseudo-random access compressed storage method for log data to be used with an information retrieval system that in turn provides the ability to search and correlate log data and the corresponding events. We explain the method for converting log files into distinct events and storing the events in a compressed file. This yields an entry identifier for each log entry that provides a pointer that can be used by indexing methods. The research also evaluates the compression performance penalties encountered by using this storage system, including decreased compression ratio, as well as increased compression and decompression times.
- Full Text:
- Date Issued: 2015