Extending HARM to make Test Cases for Penetration Testing

Vegendla, Aparna; Søgaard, Thea Marie; Sindre, Guttorm

doi:10.1007/978-3-319-39564-7_24

Cited by 3 publications

(2 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A specific Web browser must be installed on their computers, known as the Safe Exam Browser (SEB) [1], which regulates access to websites, search engines, other applications and system calls, also referred to as browser lockdown. Vegendla et al (2016) report on a case study doing penetration testing on the SEB, identifying some vulnerabilities that could be used for cheating. However, it must be noted that this cheating is less likely today, as the software has since been improved.…”

Section: Case A: Digital Examsmentioning

confidence: 99%

An experimental evaluation of bow-tie analysis for security

Meland

Bernsmed

Frøystad

et al. 2019

ICS

Self Cite

View full text Add to dashboard Cite

Purpose Within critical-infrastructure industries, bow-tie analysis is an established way of eliciting requirements for safety and reliability concerns. Because of the ever-increasing digitalisation and coupling between the cyber and physical world, security has become an additional concern in these industries. The purpose of this paper is to evaluate how well bow-tie analysis performs in the context of security, and the study’s hypothesis is that the bow-tie notation has a suitable expressiveness for security and safety. Design/methodology/approach This study uses a formal, controlled quasi-experiment on two sample populations – security experts and security graduate students – working on the same case. As a basis for comparison, the authors used a similar experiment with misuse case analysis, a well-known technique for graphical security modelling. Findings The results show that the collective group of graduate students, inexperienced in security modelling, perform similarly as security experts in a well-defined scope and familiar target system/situation. The students showed great creativity, covering most of the same threats and consequences as the experts identified and discovering additional ones. One notable difference was that these naïve professionals tend to focus on preventive barriers, leading to requirements for risk mitigation or avoidance, while experienced professionals seem to balance this more with reactive barriers and requirements for incident management. Originality/value Our results are useful in areas where we need to evaluate safety and security concerns together, especially for domains that have experience in health, safety and environmental hazards, but now need to expand this with cybersecurity as well.

show abstract

Section: Case A: Digital Examsmentioning

confidence: 99%

An experimental evaluation of bow-tie analysis for security

Meland

Bernsmed

Frøystad

et al. 2019

ICS

Self Cite

View full text Add to dashboard Cite

show abstract

“…These scenarios can be divided in web-based applications and systems , web services [34][35][36][37][38][39] network protocols and devices [11,14,[40][41][42][43][44][45][46][47][48][49][50][51][52], software and desktop applications [61], and process control system [62]. Figure 4 shows the different target scenarios that have a diversity in relation to the number of studies, and as mentioned before, most of the studies are related to web-based applications, network devices, and protocols contexts.…”

Section: Rq2-what Are the Target-scenarios In Pentest?mentioning

confidence: 99%

Overview and open issues on penetration test

Bertoglio

Zorzo

2017

J Braz Comput Soc

View full text Add to dashboard Cite

Several studies regarding security testing for corporate environments, networks, and systems were developed in the past years. Therefore, to understand how methodologies and tools for security testing have evolved is an important task. One of the reasons for this evolution is due to penetration test, also known as Pentest. The main objective of this work is to provide an overview on Pentest, showing its application scenarios, models, methodologies, and tools from published papers. Thereby, this work may help researchers and people that work with security to understand the aspects and existing solutions related to Pentest. A systematic mapping study was conducted, with an initial gathering of 1145 papers, represented by 1090 distinct papers that have been evaluated. At the end, 54 primary studies were selected to be analyzed in a quantitative and qualitative way. As a result, we classified the tools and models that are used on Pentest. We also show the main scenarios in which these tools and methodologies are applied to. Finally, we present some open issues and research opportunities on Pentest.

show abstract

Mitigation of Cheating in Online Exams

Chirumamilla

Sindre

2019

Biometric Authentication in Online Learning Environments

View full text Add to dashboard Cite

E-exams have different cheating opportunities and mitigations than paper exams, and remote exams also have different cheating risks that on-site exams. It is important to understand these differences in risk and possible mitigations against them. Authenticating the candidate may be a bigger challenge for remote exams, and biometric authentication has emerged as a key solution. This chapter delivers a categorization of different types of high-stakes assessments, different ways of cheating, and what types of cheating are most relevant for what types of assessments. It further presents an analysis of which threats biometric authentication can be effective against and what types of threats biometric authentication is less effective against. Insecure aspects of various biometric authentication approaches also indicate that biometric authentication and surveillance should be combined with other types of approaches (e.g., how questions are asked, timing of the exam) to mitigate cheating.

show abstract

Extending HARM to make Test Cases for Penetration Testing

Cited by 3 publications

References 20 publications

An experimental evaluation of bow-tie analysis for security

An experimental evaluation of bow-tie analysis for security

Overview and open issues on penetration test

Mitigation of Cheating in Online Exams

Contact Info

Product

Resources

About