Imed El Fray

A comparative study of risk assessment methods, MEHARI & CRAMM with a new formal model of risk assessment (FoMRA) in information systems

In this article, we present a comparative study of a developed new formal mathematical model of risk assessment (FoMRA) with expert methods of risk assessment in the information systems (IS). Proposed analysis verified the correctness of theoretical assumptions of developed model. In the paper, the examples of computations illustrating the application of FoMRA and known and accepted throughout the world methods of risk assessment: MEHARI and CRAMM were presented and related to a specific unit of the public administration operating in Poland.

Practical Authentication Protocols for Protecting and Sharing Sensitive Information on Mobile Devices

Mobility of users and information is an important feature of IT systems that must be considered during design of sensitive information protection mechanisms. This paper describes an architecture of MobInfoSec system for sharing documents with sensitive information using fine-grained access rules described by general access structures. However, the proper usage of general access structures requires trusted components and strong authentication protocols. They allow to establish secure communication channels between different system components. In the paper we propose a conference protocol based on Boyd’s ideas with key transport and key establishment mechanisms. We show that the protocol achieves three goals: (a) the key and participants’ mutual authentication, (b) the common secure communication channel, and (c) the personal secure communication channels between the protocol initializer and other protocol participants.

An Electronic Document for Distributed Electronic Services

The paper presents the role of documents in the implementation of various types of transactions. The main features of the document determining its usefulness in the effective exchange of legal information, ensuring the authenticity, integrity and non-repudiation of origin are presented. Considering the general background of the document, the concept of an electronic document having significant (in terms of legal effectiveness) features of traditional document as well as those features that allow its operation and processing in the virtual space has been presented. An example of the use of an electronic document in the implementation of typical transactions, which are reflecting traditional electronic transaction will be discussed as well.

Protection Profile for Secure Sensitive Information System on Mobile Devices

The mobility of the user and information is a factor that should be taken into account during the design and development of mechanisms protecting the sensitive stored, exchanged and processed information on mobile devices. This paper discusses the security profiles for the user and dispatcher subsystems protecting sensitive information on the mobile device called MobInfoSec. MobInfoSec is a system providing users with secure sensitive documents by using the specialized class SP cryptographic module, which protects directly the trusted system components through implementing ORCON access control rules. Protection Profile defines the security functional requirements for MobInfoSec system executing the encryption/decryption of documents based on addressed access policies. The article includes a general description of MobInfoSec system, including assets, assumptions, threats, policies and functional requirements necessary for the evaluation of security functions developed in accordance with requirements of the standard ISO/IEC 15408 (called the Common Criteria).

Model of Secure Data Storage in the Cloud for Mobile Devices

Storing data in the cloud environment becomes more and more popular for users and also for entrepreneurs. It offers high scalability, efficiency and good price. However, it’s not always secure, even if providers ensures about high security of their service. “Arms race” never stops, attackers have sophisticated tools and often specialized knowledge. Combination of these two may result in danger for data stored in clouds. Furthermore, by uploading data on cloud, we’re giving away control about them. Rapid technological progress and popularity of mobile devices results with users increasing awareness about threats. On the other hand, there’s not as many solutions for mobile devices as for desktop devices. Also their quality is not always very high. Proposed model reduces the role of “third-parties”, offering much more control for user, the owner of stored data.

Load-balanced Integrated Information Security Monitoring System

Monitoring is the last step of the information security management process. It is intended to evaluate not the state of security itself, but rather the accuracy and quality of prior security evaluation and risk treatment applied. In other words, it is supposed to provide the answer, whether chosen countermeasures and all other decisions based on the security assessment and evaluation results were accurate, proper and sufficient. If during this phase of the security management process, any significant anomaly is found within the system, it means that either one of the accepted ‘as is’ risks occurred, or that the applied countermeasures did not provide assumed protection in some point of the system. In such a case it is necessary to identify all the areas that require security audit repeat. As information systems grow in complexity, an integrated solution for security monitoring that will prevent system overload caused by monitoring is proposed in this paper.

The Implementation of Electronic Document in Transaction Execution

The article presents the implementation of an electronic document in the form of electronic forms that can be used in legally binding way in transactions execution regardless of the field of application, the type of entity involved in the transaction or their local information systems. Paper also presents the concept of the form in which the data layer, the presentation and the logic is encapsulated in a one single XML file, whose syntax is described using XML schema (XSD). Presentation of the document is done on the background of the discussion about the general concept of the document and the transaction. Authors present also the ways of implementation a few basic types of transactions, from which more complex solutions can be composed. The vision of the further research and development of the electronic document towards the use of crypto - currency, smart contracts, block chains and distributed autonomous organization is outlined in this paper.

Data Scheme Conversion Proposal for Information Security Monitoring Systems

Information security monitoring in a highly distributed environment requires gathering and processing data describing state of its components. To allow successful interpretation of that data, they cannot be acquired in any form – numerous meta languages and description schemes are available, but usually only one or few of them is supported by a given data source. A set of those schemes supported by a given device or program is defined by its manufacturer, and because of utilization of proprietary formats, usually it is impossible to apply a single scheme to all data sources. As a consequence, it is necessary to apply data conversion scheme, transforming various incompatible messages to a chosen data scheme, supported by the main repository and the analytic subsystem. Only then it is possible to process data to determine the current state of security of the whole information system.

Verification of Mutual Authentication Protocol for MobInfoSec System

This paper presents a detailed analysis of the mutual authentication protocol developed especially for the system MobInfoSec - for a mobile device to share and protect classified information. MobInfoSec uses fine-grained access rules described by general access structures. In this paper we describe the architecture and functioning of the system, and the requirements imposed on cryptographic authentication protocols, resulting from both: standards, the collection of good practices, as well as directly from the vision of the system. The article contains a description of the protocol’s parts and formal analysis of its security.