This document discusses improving the security of a health care information system. It begins by describing vulnerabilities in software applications and how connected systems can be exploited. The document then proposes a 3-tier architecture with encryption and file replication to strengthen security. Database backups and regular vulnerability checks are also recommended to defend the system from attacks and allow recovery of data. The goal is to develop a secure electronic health records system that protects sensitive patient information.
Electronic Healthcare Record Security and Management in Healthcare Organizations - ijtsrd
"This study aims at identifying the current countermeasures used in protecting the Electronic Healthcare Record and how employees share their knowledge about the existence Electronic Healthcare Record security as well as countermeasures used in mitigating the threats and data breaches in healthcare organizations. A case study of Aminu Kano Teaching Hospital, Nigeria was used and qualitative research method was adopted where purposive and stratified random sampling was used. This led to construction of eleven relevant questions to four categories of staff. A conceptual framework was proposed to guide the study and the findings were evaluated using the proposed framework. The results revealed that there is lack of knowledge sharing among employees and some factors were found to be the resistance factors; these include educational background, behavior, low security awareness, personality differences and lack of management commitment. On the other hand, deterrent, preventive and organizational actions were partially practiced as countermeasures used to mitigate the threats and vulnerability of data breaches of Electronic Healthcare Records in Aminu Kano Teaching Hospital in Nigeria. Attahiru Saminu, CLN "Electronic Healthcare Record Security and Management in Healthcare Organizations" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Special Issue | International Conference on Advanced Engineering and Information Technology, November 2018, URL: https://www.ijtsrd.com/papers/ijtsrd19124.pdf
Paper URL: https://www.ijtsrd.com/other-scientific-research-area/other/19124/electronic-healthcare-record-security-and-management-in-healthcare-organizations/attahiru-saminu-cln"
Understanding Cybersecurity in Medical Devices and Applications - EMMAIntl
One of the major pillars of the current Industry 4.0 is Automation. Indeed, technology is intervening in almost every domain to “automate” the workforce and make human life easier and better. In the present age, machines are getting integrated with the Internet of Things, Cloud Computing, and Artificial Intelligence with the data flow being transferred and processed via the Internet. These changes indeed catalyze the overall productivity, but also expose data to the public domains.
In cases of continuous data transfers and exposition, Cybersecurity becomes a pivotal element where it not only protects the data but also proactively provides mechanisms to defend against malicious attacks and malware. In the case of medical devices that include sensitive medical data flows and software-controlled hardware devices like heart implants or Continuous Glucose Monitoring (CGM) devices, Cybersecurity becomes an important factor for contributing towards system safety and quality...
A presentation by Tracy Rausch, CEO of DocBox and Chip Block of Evolver Inc. on medical device security & patient monitoring. Presented at The Security of Things Forum on Sept. 10, 2015.
For more course tutorials visit
www.tutorialrank.com
CSEC 610 Project 1 Information Systems and Identity Management
CSEC 610 Project 2 Operating Systems Vulnerabilities (Windows and Linux)
CSEC 610 Project 3 Assessing Information System Vulnerabilities and Risk
This is particularly the case on e-Health monitoring applications for chronic patients, where patient monitoring refers to a continuous observation of patient’s condition (physiological and physical) traditionally performed by one or several body sensors. The architecture for this system is based on medical sensors which measure patients’ physical parameters by using wireless sensor networks (WSNs). These sensors transfer data from patients’ bodies over the wireless network to the cloud environment. The system is aimed to prevent delays in the arrival of patients’ medical information to the healthcare providers. Therefore, patients will have high quality services because the e-Health smart system supports medical staff by providing real-time data gathering, eliminating manual data collection, enabling the monitoring of huge numbers of patients. We underline the necessity of the analysis of data quality on e-Health applications, especially concerning remote monitoring and assistance of patients with chronic diseases.
A comprehensive study on classification of passive intrusion and extrusion de... - csandit
Cyber criminals compromise Integrity, Availability and Confidentiality of network resources in cyber space and cause remote class intrusions such as U2R, R2L, DoS and probe/scan system attacks. To handle these intrusions, Cyber Security uses three audit and monitoring systems namely Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS). Intrusion Detection System (IDS) monitors only inbound traffic which is insufficient to prevent botnet systems. A system to monitor outbound traffic is named as Extrusion Detection System (EDS). Therefore a hybrid system should be designed to handle both inbound and outbound traffic. Due to the increased false alarms preventive systems do not suit an organizational network. The goal of this paper is to devise a taxonomy for cyber security and study the existing methods of Intrusion and Extrusion Detection systems based on three primary characteristics. The metrics used to evaluate IDS and EDS are also presented.
A Study of Intrusion Detection System Methods in Computer Networks - Editor IJCATR
An intrusion detection system (IDS) is an application system monitoring the network for malicious or intrusive activity. In these
systems, malicious or intrusive activities can be detected by using information like port scanning and detecting unusual traffic,
and then they can be reported to the network. Since intrusion detection systems do not involve predefined detection power and intrusion
detection, they require being intelligent. In this case, systems have the capability of learning. They can analyze packages entering the
network, and detect normal and unusual users. The common intelligent methods are neural networks, fuzzy logic, data mining techniques,
and genetic algorithms. In this research, the purpose is to study various intelligent methods.
The technology behind information systems in today’s world has been embedded in nearly every aspect of our lives. Thus, the idea of securing our information systems and/or computer networks has become very paramount. Owing to the significance of computer networks in transporting the information and knowledge generated by the increased diversity and sophistication of computational machinery, it would be very imperative to engage the services of network security professionals to manage the resources that are passed through the various terminals (end points) of these networks, so as to achieve a maximum reliability of the information passed, making sure that this is achieved without creating a discrepancy between the security and usability of such networks. This paper examines the various techniques involved in securely maintaining the safe states of an active computer network, its resources and the information it carries. We examined techniques of compromising an information system by breaking into the system without authorised access (Hacking), we also looked at the various phases of digital analysis of an already compromised system, and then we investigated the tools and techniques for digitally analysing a compromised system in order to bring it back to a safe state.
For more classes visit
www.snaptutorial.com
CYB 610 Project 1 Information Systems and Identity Management
CYB 610 Project 2 Operating Systems Vulnerabilities (Windows and Linux)
CYB 610 Project 3 Assessing Information System Vulnerabilities and Risk
CYB 610 Project 4 Threat Analysis and Exploitation
CYB 610 Project 5 Cryptography
A BAYESIAN CLASSIFICATION ON ASSET VULNERABILITY FOR REAL TIME REDUCTION OF F... - IJNSA Journal
IT assets connected on internet will encounter alien protocols and few parameters of protocol process are exposed as vulnerabilities. Intrusion Detection Systems (IDS) are installed to alert on suspicious traffic or activity. IDS issues false positives alerts, if any behavior construe for partial attack pattern or the IDS lacks environment knowledge. Continuous monitoring of alerts to evolve whether, an alert is false positive or not is a major concern. In this paper we present design of an external module to IDS, to identify false positive alerts based on anomaly based adaptive learning model. The novel feature of this design is that the system updates behavior profile of assets and environment with adaptive learning process. A mixture model is used for behavior modeling from reference data. The design of the detection and learning process are based on normal behavior and of environment. The anomaly alert identification algorithm is built on Sparse Markov Transducers (SMT) based probability. The total process is presented using real-time data. The Experimental results are validated and presented with reference to lab environment.
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL - IJNSA Journal
Most small to medium health care organizations do not have the capability to address cyber incidents within the organization. Those that do are poorly trained and ill equipped. These health care organizations are subject to various laws that address privacy concerns, proper handling of financial information, and Personally Identifiable Information. Currently an IT staff handles responses to these incidents in an Ad Hoc manner. A properly trained, staffed, and equipped Cyber Incident Response Team is needed to quickly respond to these incidents to minimize data loss, and provide forensic data for the purpose of notification, disciplinary action, legal action, and to remove the risk vector. This paper will use the proven Incident Command System model used in emergency services to show any sized agency can have an adequate CIRT.
IT SECURITY PLAN FOR FLIGHT SIMULATION PROGRAM - IJCSEA Journal
Information security is one of the most important aspects of technology; we cannot protect the best interests of our organizations' assets (be that personnel, data, or other resources), without ensuring that these assets are protected to the best of their ability. Within the Defense Department, this is vital to the security of not just those assets but also the national security of the United States. Compromise in security could lead to severe consequences. However, technology changes so rapidly that change has to be made to reflect these changes with security in mind. This article outlines a growing technological change (virtualization and cloud computing), and how to properly address IT security concerns within an operating environment. By leveraging a series of encrypted physical and virtual systems, and network isolation measures, this paper delivered a secured high performance computing environment that efficiently utilized computing resources, reduced overall computer processing costs, and ensures confidentiality, integrity, and availability of systems within the operating environment.
EMERGENCY RESPONSE COMMUNICATIONS AND ASSOCIATED SECURITY CHALLENGES - IJNSA Journal
The natural or man-made disaster demands an efficient communication and coordination among first responders to save life and other community resources. Normally, the traditional communication infrastructures such as landline or cellular networks are damaged and don’t provide adequate communication services to first responders for exchanging emergency related information. Wireless ad hoc networks such as mobile ad hoc networks, wireless sensor networks and wireless mesh networks are the promising alternatives in such type of situations. The security requirements for emergency response communications include privacy, data integrity, authentication, key management, access control and availability. Various ad hoc communication frameworks have been proposed for emergency response situations. The majority of the proposed frameworks don’t provide adequate security services for reliable and secure information exchange. This paper presents a survey of the proposed emergency response communication frameworks and the potential security services required by them to provide reliable and secure information exchange during emergency situations.
CYB 610 Project 1 Information Systems and Identity Management
CYB 610 Project 2 Operating Systems Vulnerabilities (Windows and Linux)
CYB 610 Project 3 Assessing Information System Vulnerabilities and Risk
CYB 610 Project 4 Threat Analysis and Exploitation
For more course tutorials visit
www.tutorialrank.com
CYB 610 Project 1 Information Systems and Identity Management
CYB 610 Project 2 Operating Systems Vulnerabilities (Windows and Linux)
CYB 610 Project 3 Assessing Information System Vulnerabilities and Risk
Cash Flow Valuation Model in Discrete Time - IOSR Journals
This research considers the modelling of each cash flow valuation in discrete time. It is shown that
the value of cash flow can be modeled in three equivalent ways under same general assumptions. Also,
consideration is given to value process at a stopping time and/ or the cash flow process stopped at some
stopping times.
AN EFFECTIVE METHOD FOR INFORMATION SECURITY AWARENESS RAISING INITIATIVES - ijcsit
Increasingly, all kinds of organizations and institutions are adopting the E-business model to conduct their
activities and provide E-Services for their customers. In the process, whether they know it or not, those
organizations are also opening themselves up to the risk of information security breaches. Therefore
protecting an organization’s ICT infrastructure, IT systems, and Data is a vital issue that is often
underestimated. Research has shown that one of the most significant threats to information security comes
not from external attack but rather from the system's users, because they are familiar with the
infrastructure and have access to its resources, but may be unaware of the risks. Moreover, using only
technological solutions to protect an organization’s assets is not enough; there is a need to consider the
human factor by raising users’ security awareness. Our contribution to this problem is to propose an
Information Security Awareness Program that aims at raising and maintaining the level of users’ security
awareness. This paper puts forward a general model for an information security awareness program and
describes how it could be incorporated into an organization’s website through the process of development
life cycle.
HYBRIDIZED MODEL FOR DATA SECURITY BASED ON SECURITY HASH ANALYSIS (SHA 512) ... - IJNSA Journal
High-profile security breaches and attacks on many organizations’ databases have been on the increase and the consequences of this are the adverse effect on the organizations in terms of financial loss and reputation. Many of the security breaches have been ascribed to the vulnerability of the organization’s networks, security policy and operations. Additionally, the emerging technology solutions like Internet-of-Things (IoT), Artificial Intelligence, and Cloud Computing have extremely exposed many of the organizations to different forms of cyber-threats and attacks. Researchers and system designers have made attempts to proffer solution to some of these challenges. However, the efficacy of the techniques remains a great concern due to insufficient control mechanisms. For instance, many of the techniques are majorly based on single mode encryption techniques which are not too robust to withstand the threats and attacks on organization’s database. To proffer solution to these challenges, the current research designed and integrated a hybridized data security model based on Secured Hash Analysis (SHA 512) and Salting Techniques to enhance the adeptness of the existing techniques. The Hash Analysis algorithm was used to map the data considered to a bit string of a fixed length and salt was added to the password strings essentially to hide its real hash value. The idea of adding salt to the end of the password is basically to complicate the password cracking process. The hybridized model was implemented in Windows environment using python 3.7 IDE platform and tested on a dedicated Local Area Network (LAN) that was exposed to threats from both internal and external sources. The results from the test show that the model performed well in terms of efficiency and robustness to attacks. The performance of the new model recorded a high level of improvement over the existing techniques with a recital of 97.6%.
A Proposed Security Architecture for Establishing Privacy Domains in Systems ... - IJERA Editor
Information and communication technology (ICT) are becoming a natural part in healthcare. Instead of keeping patient information inside a written file, you can find all information stored in an organized database as well defined files using a specific system in almost every hospital. But those files sometimes got lost or information was split up in files in different hospitals or different departments so no one could see the whole picture from this point we come up with our idea. One of this paper targets is to keep that information available on the cloud so doctors and nurses can have an access to patient record everywhere, so patient history will be clear which helps doctors in giving the right decision. We present security architecture for establishing privacy domains in e-Health bases. In this case, we will improve the availability of medical data and provide the ability for patients to moderate their medical data. Moreover, e-Health system in cloud computing has more than one component to be attacked. The other target of this paper is to distinguish between different kinds of attackers and we point out several shortcomings of current e-Health solutions and standards, particularly they do not address the client platform security, which is a crucial aspect for the overall security of systems in cloud. To fill this gap, we present security architecture for establishing privacy domains in e-Health infrastructures. Our solution provides client platform security and appropriately combines this with network security concepts.
An Overview of Information Systems Security Measures in Zimbabwean Small and ... - researchinventy
This paper reports on the Information Systems (IS) security measures implemented by small and medium size enterprises (SMEs) in Zimbabwe. A survey questionnaire was distributed to 32 randomly selected participants in order to investigate the security measures and practices in their respective organisations. The results indicated that over 50% of the respondents had installed firewalls, while more than 80% carried out regular software updates and none of the respondents had intrusion detection systems. The researchers recommended that SMEs work to enhance their knowledge on the different IS threats in order to enable the implementation of preventive measures.
Running Head SECURITY AWARENESSSecurity Awareness .docxtoltonkendal
Running Head: SECURITY AWARENESS
Security Awareness 2
Final Project Security Awareness
Terri Y. Hudson
Southern New Hampshire University – IT 552
December 20, 2016
Agency-wide security awareness Program Proposal
Introduction
For the organization to comply with the current PCT DSS requirement version 12,6, a security awareness program must be in place. The CISCO of the organization has an immediate requirement of creating an agency-wide security awareness program. As a means of implementing security awareness program the organization has conducted a security gap analysis which is one of the component of security awareness program which showed the 10 security findings. As one of the means of conducting the program, I will submit awareness program proposal.
Objective
This SOW (Statement of Work) is being done on behalf of the senior information officer. He has requested for the creation of an agency-wide security awareness program by handing over the security gap analysis which was done prior to this process. Hence the major aim of this document is to set a security awareness program which shows ten major key security findings. The document will also include a risk assessment of the current security awareness practices, processes and practices. By having this document, the organization will be able to have a well-organized maintenance plan. It is also important in maintaining and establishing an information-security awareness program (United States, 2000).
Background
The mission of the organization is to provide efficient IT services with the best security program in place with an aim of protecting organizations assets.
1. Technical infrastructure
The organization is engaged in short-term effort aiming at modernizing its information-processing infrastructure. These efforts have incorporated software enhancements, installation of firewalls and high end network systems for an improved communication. The senior information officer is the one who is responsible top oversee modernization effort. He has of late completed conducting a security awareness program and deployment of the organization’s LAN (Local area Network). The hardware being used is of CISCO products.
2. Computing Environment
The organization’s desktop computers are of Windows 2007/ 98 and 95. The servers are of Pentium with over 1 GB RAM. The current NOS (Network operating system) are window based.
3. Security Posture of the Organization
The organization has a basic network structure with only one router which acts as a firewall. It has several working stations and switches to this working stations. In addition the organization has installed Kasperky’s antivirus in of their desktop machines with a motive of reducing external threats. The data server is highly secured with Kaspersky’s antivirus. The organization physical sec ...
IOSR Journal of Electronics and Communication Engineering(IOSR-JECE) is an open access international journal that provides rapid publication (within a month) of articles in all areas of electronics and communication engineering and its applications. The journal welcomes publications of high quality papers on theoretical developments and practical applications in electronics and communication engineering. Original research papers, state-of-the-art reviews, and high quality technical notes are invited for publications.
An Empirical Study on the Security Measurements of Websites of Jordanian Publ...CSCJournals
Most of the Jordanian universities’ inquiries systems, i.e. educational, financial, administrative, and research systems are accessible through their campus networks. As such, they are vulnerable to security breaches that may compromise confidential information and expose the universities to losses and other risks. At Jordanian universities, security is critical to the physical network, computer operating systems, and application programs and each area has its own set of security issues and risks. This paper presents a comparative study on the security systems at the Jordanian universities from the viewpoint of prevention and intrusion detection. Robustness testing techniques are used to assess the security and robustness of the universities’ online services. In this paper, the analysis concentrates on the distribution of vulnerability categories and identifies the mistakes that lead to a severe type of vulnerability. The distribution of vulnerabilities can be used to avoid security flaws and mistakes.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
N018138696
IOSR Journal of Computer Engineering (IOSR-JCE)
e-ISSN: 2278-0661, p-ISSN: 2278-8727, Volume 18, Issue 1, Ver. III (Jan – Feb. 2016), PP 86-96
www.iosrjournals.org
DOI: 10.9790/0661-18138696
Improving the Security Layer logic for a Health Care Information System
Abdelghani El malhi¹, Mohamed Ahd¹, Abdelrhani Mokhtari², Rachida Soulaymani Bencheik³,⁴, Adil Echchelh¹, Abdelmajid Soulaymani²
¹ Laboratory of electrical engineering and energetic systems Ibn Tofail University, Faculty of Sciences, Kenitra, Morocco
² Laboratory of Genetics and Biometry, Faculty of Sciences Ibn Tofail University, Faculty of Sciences, Kenitra, Morocco
³ Moroccan Poison Control and Pharmacovigilance Center, Rabat, Morocco
⁴ Faculty of Medicine and Pharmacy, University Mohammed V, Rabat, Morocco
Abstract: In a previous paper we proposed an information system to store, manage and process millions of collected patient records. We were able to propose a reliable application that fulfills the most important criteria, mainly measurement, monitoring, guidance, data management and data analysis. The introduction of the Internet and related technologies offers countless opportunities to build an efficient healthcare system, but at the same time software applications face adoption and security challenges. In software development, end users often lack knowledge of vulnerabilities, attacks and threats. Application designers, developers and testers are constantly discovering and fixing bugs, defects and flaws. The aim of this paper is to highlight the importance of adding a high level of security to the previously developed application by advocating a reliable and protected information system. To this end, we first examine the several possible sources of vulnerability. Secondly, we present a viewpoint explaining the fundamental principles that a secured health care system should possess. In a third part we discuss the proposed strategy and system architecture to defend against attacks. Today, technology could contribute actively to resolving some of these problems. Connected computers are increasingly being introduced into safety-critical health care systems and as a consequence have been involved in progress but also in some accidents. Concretely, the objective of this study is to obtain a safe data management system by implementing an additional level of logical and physical data security. To summarize, this paper presents a software development concept, particularly with a web-based focus. It introduces common application attacks and suggests methods to defend against them.
Keywords: E-Health, data security, system vulnerability, database integration, e-health care system, attacks.
I. Introduction
During recent years, the health authorities collected patient data from the different regions of Morocco, then stockpiled it in several sheets in order to analyze the different statistics and collected data. In a previous study we proposed a web application to handle and process the patient data. This paper examines the security aspect of that program.
Earlier research has shown that information systems often contain confidential data. Therefore the vulnerability review is an important milestone. Database and web interactions could be a source of frustration and problems for the authorities. The networked E-health care system should be secure and basically support measurement, monitoring, guidance, management of data and their analysis [1].
Rakesh and Christopher presented in 2007 an integrated set of technologies, known as the Hippocratic Database, that enable healthcare enterprises to comply with privacy and security laws without impeding the legitimate management, sharing, and analysis of personal health information [2].
The data stored in the system is very sensitive and should be thoroughly protected from attackers with a high level of security.
By security or confidentiality we mean, informally, that the information can only be acquired by agents or processes entitled to such access [3]. Today software is everywhere; the majority of devices have become networked, and this forces us to care about the security, confidentiality, integrity and privacy of the information that flows between systems. In parallel, security problems continue to grow. Mainly concerned are web browsers, web servers, database management systems and commonly used software.
Faults and errors in a computer program produce incorrect and unexpected results; consequently the application will behave in unintended ways. They can be a possible point of entry into the program for hackers, from either inside or outside sources.
On Friday 2 June 1994 a Chinook helicopter ZD576 crashed in Kintyre killing 29 people. On
Wednesday 6 February 2002 the House of Lords committee report found that there is doubt about the cause of
the crash because of the possibility of a technical malfunction. Extracts from various press articles and reports
illustrate the broader issues related to the development of safety critical software [4].
Patients were given massive overdoses of radiation from the Therac-25. Because of concurrent programming errors, the therapy machine sometimes gave its patients radiation doses that were hundreds of times greater than normal, resulting in death or serious injuries [5].
These accidents highlight the dangers of failures and defects in the software control of safety-critical
systems.
Statistics demonstrated that the number of vulnerabilities discovered has increased. For example, 7937
vulnerabilities were reported in 2014, whereas only 6608 were reported in 2006 and 246 in 1998 (Fig. 1).
Figure 1. NVD Software Vulnerability Statistics [6]
The consequences of a class of system failures, commonly known as software vulnerabilities, violate security policies. They can cause the loss of information and reduce the value or usefulness of the system [7].
The developed information system provides an easy-to-navigate environment with the following
capabilities:
• Data extraction and analysis
• Reporting and distribution
• Decision-making helper
• Accessibility and robustness
While all these elements are necessary to achieve success, the focus of this paper is on ensuring more
security and reliability.
For most stakeholders, requirements are all about what the software should do, with a hyper-focus on functionality, but what can go wrong must be considered as well. After finishing the design and the implementation, one of the most important tasks is to try to find any remaining gaps.
In addition to the software requirements, operating systems face escalating security challenges because connectivity is growing and the overall number of incidents is increasing proportionally. CERT and other databases keep track of reported vulnerabilities. An increasing number of individuals and organizations depend on the internet for financial and other critical services. That has made potential exploitation of vulnerabilities very attractive to criminals with suitable technical expertise [8].
II. Material And Methods
In this chapter we discuss the important guidelines for building a secured architecture within a tiered model concept and how we can defend against attacks.
The first section examines the system health check that needs to be performed for a web-oriented application. The second part discusses the various challenges of setting up a secured system. It covers the different development phases, including testing. At the end of this chapter we propose a concept to further strengthen the system security.
Kocher introduced the Trinity of Trouble to the world in 2004 in a paper about security as a new
dimension. It turns out that the Trinity conspires to make managing security risks in software a major challenge
[9].
• Connectivity: is the software on Ethernet? The internet is everywhere and most software is on it.
• Complexity: machines are often networked (client and server, or even more distributed).
• Extensibility: systems evolve in unexpected ways and are changed on the fly.
Although research makes significant progress, the trinity of trouble (connectivity, complexity, and extensibility) goes a long way toward making things difficult for system analysts, programmers and IT workers.
The trinity of trouble also makes software more difficult. Software is business-critical and causes significant impact when it fails to perform as expected.
Three-tier Model
Organizations should employ a layered security strategy that provides necessary access to corporate
information while minimizing risk and maintaining compliance. When it comes to sensitive information, the
focus must go beyond authorized and unauthorized users and extend data protection from storage through
transport to delivery on the endpoint to prevent sensitive data loss [10].
The challenge is how to set up a secured design that ensures the expected level of security. We opted for the 3-tier architecture. The application is organized into three major parts, each of which is distributed to a separate location in the network (Fig. 2):
1. The client machine / browser /Graphic user interface
2. The application server which consists of business and data rules.
3. The database server to store and retrieve the required data.
IT security groups tend to understand architecture rather than software development. They can neither influence the end user to work with a specific browser nor make them install the suitable security patches and appropriate plug-ins. The IT people can, however, participate actively by making the network more secure.
Figure 2. Three-Tier Architecture
The three-tier design has many advantages:
• Separating the application from the database server makes the process of maintaining both systems easier.
• Reusability and flexibility: the components can be distributed across the network as needed.
• Security: when the middle-tier platform is physically separated, an extra level of indirection is added between the client and the database, so there is no direct communication from the web application to the database server.
HTTPS:
HTTP is the standard communication protocol that a browser uses to connect. It doesn’t possess an
encryption mechanism. Everything in the traffic (including passwords) is transparent to sniffers.
A sniffer is a packet analyzer that can intercept and log traffic that passes over a digital network. The connection is established using either cable or wireless media. It is able to capture and record a variety of restricted personal information in a data stream, such as passwords.
In the HTTP form “adduser_submit” below, the administrator submits a user's personal information to the server in order to store the related credentials in the connected database (Fig. 3).
Figure 3. “adduser_submit” form
Unfortunately, even if the characters in the password field are masked (shown as black points), the password is transferred over the network in clear text and can be captured by anyone connected to the system nodes (Fig. 4).
Figure 4. Fiddler session: password in clear text
Being able to send and receive data securely over a network is of growing importance. To that end, many web applications force users to use SSL certificates to encrypt traffic between the client browser and the server (application server). SSL is a secure method to encrypt data from your computer and send it to the server, keeping information private and safe. In order to enable the encryption of the password and personal data, an SSL certificate (containing your public key) and a server private key should be generated.
For test purposes we do not need to buy a specific SSL certificate. Instead, Apache offers a "self-signed" certificate for free. The browser may give a security warning like “server certificate is not trusted” for this particular certificate, but this can be ignored as the test will be performed only locally.
The HTTP protocol uses port 80 by default to communicate (Fig. 5). This can be changed by a simple configuration in the Apache httpd.conf file. The biggest benefit of changing the port number is to avoid being seen by casual scans and script kiddies, but a determined attacker can still find the port if they know your server's IP address. Changing the typical port number isn't efficient enough and undoubtedly doesn't provide any serious defense.
Figure 5. HTTP Default port
To set up encrypted communication within the web server used, below are the basic steps to create a self-signed certificate:
i. Create a private key:
• Open a command window
• Change directory to apache
• Run makecert
• Create a Certificate Signing Request (CSR)
• Create a self-signed certificate using the private key and the CSR
Alternatively, if the SSL certificate is purchased from a provider, this step is accomplished by the certificate signing authority.
ii. Import the certificate into the browser for each client:
Since the generated certificate is just a self-signed one, on the first attempt to connect to the server the user may receive a warning when navigating to the protected pages. The certificate should then be imported as a trusted CA into the browsers.
iii. Make Apache folders accessible with SSL encryption:
The web-server httpd.conf file is edited so that the password-protected folders can be accessed only with SSL encryption.
This is accomplished by putting the SSLRequireSSL directive inside the <Directory> section in the config file.
With this setting you will only be able to access the protected pages by typing https:// in the address.
iv. Redirect “http” to “https” for certain folders:
This allows an automatic switch to https:// and encryption even if the user types http://. It is more user-friendly. The generic text below needs to be added to httpd-xampp.conf; make sure to enable mod_rewrite in the Apache config file.
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} FOLDER
RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]
For a test purpose, we implemented the Self-Signed Certificate (Fig. 6):
Figure 6. Apache Self signed Certificate
File Replication:
We recognize the importance of multiple strategies for prevention, detection and recovery from cyber security attacks. The administrator should be able at any time to recover the system and bring it back online. Data replication is a key component of the online-offline database model. It implements data synchronization between the online database installations, used by the experiments control systems, and offline databases. Both data sets are initially archived on the online databases and subsequently all changes to the data are propagated with low latency to the offline databases by the database replication solutions [11].
The application automatically generates patients' files, which contain all related information, most likely in the form of PDFs and images. By default, these documents are stored on the server itself.
The replication concept allows the administrator to copy the content of a specific directory from one location to another one or even to an external device in the network. The replication process can be scheduled to start and stop at specified times. The purpose of the file replication is to facilitate recovery from any eventual attack.
Fig. 7 below illustrates the algorithm used to replicate the existing files:
Replication workflow (lanes: Verification, Initialization, Replication, Decision, Output):
1. Start the replication.
2. Initialization: declare the variables and include the headers, modules and classes.
3. Is the source folder empty? If yes, cancel and pop up a message indicating the failure.
4. If no, match the names / ids of the existing files in the source with the ones from the destination.
5. Are they identical? If yes, cancel the replication.
6. If no, get the list of the new files and replicate the files in the new location.
7. Update the database.
8. Show a message in the GUI and list the replicated files.
Figure 7. Replication Workflow
The results look like the following (Fig. 8):
Figure 8. List of replicated files
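One way to implement the Figure 7 workflow, as an added Python example (not the paper's code, whose language is not shown on the page). It goes beyond the figure by recording a SHA-256 per file so a replica can be checked before it is used for recovery; the `replication_log` table, folder names and sample files are assumptions.

```python
import hashlib
import shutil
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List


class ReplicationCancelled(Exception):
    """Raised for the two 'cancel' branches of the workflow."""


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large PDFs or images are not loaded at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def replicate(source: Path, destination: Path, db: sqlite3.Connection) -> List[str]:
    """Copy files present in source but not in destination; return their names."""
    source_names = {p.name for p in source.iterdir() if p.is_file()}
    if not source_names:  # Verification: is the source folder empty?
        raise ReplicationCancelled("source folder is empty")

    destination.mkdir(parents=True, exist_ok=True)
    dest_names = {p.name for p in destination.iterdir() if p.is_file()}
    new_names = sorted(source_names - dest_names)  # Decision: match by file name
    if not new_names:
        raise ReplicationCancelled("no new files to replicate")

    for name in new_names:
        src, dst = source / name, destination / name
        shutil.copy2(src, dst)
        digest = sha256_of(src)
        if sha256_of(dst) != digest:  # addition to the figure: reject a bad copy
            dst.unlink()
            raise IOError(f"copy of {name} does not match its source")
        db.execute(
            "INSERT INTO replication_log (name, sha256, replicated_at) VALUES (?, ?, ?)",
            (name, digest, datetime.now(timezone.utc).isoformat()),
        )
    db.commit()  # Update the database
    return new_names  # Output: the list shown to the operator


def verify_replica(destination: Path, db: sqlite3.Connection) -> List[str]:
    """Return logged files whose replica is missing or differs from its recorded hash."""
    damaged = []
    rows = db.execute("SELECT name, sha256 FROM replication_log ORDER BY name").fetchall()
    for name, digest in rows:
        copy = destination / name
        if not copy.is_file() or sha256_of(copy) != digest:
            damaged.append(name)
    return damaged


def demo() -> Dict[str, object]:
    """Walk every branch of the workflow on constructed sample files."""
    outcome: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "patient_files"), Path(tmp, "replica")
        src.mkdir()
        db = sqlite3.connect(":memory:")
        db.execute(
            "CREATE TABLE replication_log (name TEXT PRIMARY KEY, sha256 TEXT, replicated_at TEXT)"
        )
        try:
            replicate(src, dst, db)
        except ReplicationCancelled as exc:
            outcome["empty"] = str(exc)
        (src / "patient_0001.pdf").write_bytes(b"constructed sample report")
        (src / "patient_0001_xray.png").write_bytes(b"constructed sample image")
        outcome["first"] = replicate(src, dst, db)
        try:
            replicate(src, dst, db)
        except ReplicationCancelled as exc:
            outcome["repeat"] = str(exc)
        (src / "patient_0002.pdf").write_bytes(b"constructed second report")
        outcome["second"] = replicate(src, dst, db)
        outcome["logged"] = db.execute("SELECT COUNT(*) FROM replication_log").fetchone()[0]
        # Simulate a replica altered after replication, then check it before recovery.
        (dst / "patient_0002.pdf").write_bytes(b"altered content")
        outcome["damaged"] = verify_replica(dst, db)
    return outcome


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, "->", result)
```

Matching by name alone, as in the figure, does not notice a file whose content changed under the same name; the recorded hash is what lets `verify_replica` flag it.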
Database storage (Backup and strategy)
Techniques for data integrity and availability specifically tailored to database systems must be adopted.
In this respect, over the years, the database security community has developed a number of different techniques
and approaches to assure data confidentiality, integrity, and availability [12].
The system administrator should work in conjunction with the DBA team to establish an appropriate and adequate backup strategy that answers the needs of the organization or establishment. Backup frequency, the database recovery model and other related settings can be discussed further with the database vendor.
Research confirms that policies concerning the disclosure of electronic health records can be reliably and efficiently enforced and audited at the database level [2].
We implemented the simplest scenario by establishing a snapshot replication where the available data is solely copied to another server in the network (Fig. 9). The benefit of such an implementation is the performance gain and the protection of the application's availability; it offers an alternate data access option.
Figure 9. Application backup scenario (diagram labels: client machines, firewall, Active Directory server, application server, database replication, replication server)
Web application Challenges:
The browser security model is designed to protect the client from possible attacks. We propose to verify the system and report any vulnerability. Below are the most popular checks for detecting gaps in the developed application, such as SQL injection, header manipulation, hidden field manipulation and improper access controls. These vulnerabilities stem from unchecked input, which is widely recognized as the most common source of security weaknesses.
SQL Injection:
An SQL injection can destroy a database. Users are allowed to enter their inputs in the dedicated fields
in order to display data; this is done mainly by querying the corresponding tables where the information is
stored. SQL statements are text only, and with a small piece of code the database could be dramatically
damaged. Data integrity can be affected by adding, modifying and deleting records.
Integrity, roughly speaking, means that the correctness of data is ensured: i.e., it can only be
established or modified by agents or processes entitled to influence the values of the data [3]. To prevent this
from happening, we defined a "blacklist" of words and characters (such as: drop, update, delete, ", =, …). Additionally,
and for more assurance, we used SQL parameters, which are bound to the SQL query only at execution
time.
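The two defenses described above, compared on a constructed table. This is an added example, not the paper's code; the `patients` table, the sample names, the function names and the SQLite back end are all assumptions.

```python
import sqlite3

# Words and characters the paper lists for its blacklist.
BLACKLIST = ("drop", "update", "delete", '"', "=")

def blacklist_rejects(text):
    """Blacklist check: refuse input containing any listed token."""
    lowered = text.lower()
    return any(token in lowered for token in BLACKLIST)

def make_db():
    """Constructed sample data; table layout and names are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO patients (name) VALUES (?)",
                     [("Amina Bello",), ("Sean O'Brien",), ("Ann Waldrop",)])
    return conn

def find_concat(conn, name):
    """Before: the input is pasted into the statement and parsed as SQL."""
    sql = "SELECT name FROM patients WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def find_param(conn, name):
    """After: the statement text is fixed; the value is bound at execution."""
    sql = "SELECT name FROM patients WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def concat_outcome(conn, name):
    """Run the concatenated form and report its rows or the parser error."""
    try:
        return find_concat(conn, name)
    except sqlite3.OperationalError as exc:
        return "SQL error: " + str(exc)

if __name__ == "__main__":
    db = make_db()
    for name in ("Amina Bello", "Sean O'Brien", "Ann Waldrop"):
        print(name, "| blacklisted:", blacklist_rejects(name),
              "| concat:", concat_outcome(db, name),
              "| param:", find_param(db, name))
```

The apostrophe in a legitimate surname passes the blacklist yet changes how the concatenated statement is parsed, while the blacklist refuses another legitimate surname because it contains "drop". The bound parameter treats both values as plain data.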
Header Manipulation:
Headers are control information delivered from web clients to web servers on HTTP requests, or vice
versa on HTTP responses. The manipulation consists of the insertion of malicious data, which has not been
validated, into a header through an untrusted source (most frequently an HTTP).
The best solution is to avoid using unsecured communication protocols and to protect the headers
cryptographically by implementing SSL.
Hidden Field Manipulation:
Hidden fields are represented in an HTML page as <input type="hidden">. Some web applications embed
hidden fields to pass state information between the web server and the client side. Hidden fields often contain
confidential information that should normally be stored only in a back-end database. Hidden fields are not
displayed to end users, but a curious attacker can discover and manipulate them. Unlike regular fields,
hidden fields cannot be modified directly by typing values into an HTML form. However, since the hidden field
is part of the page source, saving the HTML page, editing the hidden field value, and reloading the page will
cause the Web application to receive the newly updated value of the hidden field [13].
To be on the safe side, no hidden fields are integrated in the established application. This prevents
attackers from exploiting the weakness in the server's trust of client-side processing by modifying the originally
sent data.
Improper Access Controls:
Improper access control introduces security problems when the application does not restrict, or inaccurately
restricts, a user's access to an unauthorized action. An access control mechanism involves the use of several protections,
such as authentication, and should ensure that each resource has the right and correct access. When the access
control mechanism fails or is not correctly applied, attackers can inappropriately gain privileges and permissions,
access and manipulate sensitive data, set a password, etc.
The developed information system is sufficiently tested to prevent attackers from exploiting possible
weaknesses in the configuration of access controls or being able to bypass the intended protection. Many
scenarios are intensively tested.
III. Results And Discussion
An information system is secure when it fulfills 3 criteria: integrity, confidentiality and availability.
Integrity means that data and information cannot be modified without authorization; confidentiality ensures that
unauthorized users do not have access to the data; availability means continued service, achieved by
preventing the disruption of service.
Though a number of security models, such as electronic signatures and encryption, are currently
available to secure the transfer of data across applications and sites, information systems face several new
challenges in conception, realization and testing.
Also, due to limited time and resources, web software engineers need support in identifying vulnerable code. A
practical approach to predicting vulnerable code would enable them to prioritize security auditing efforts [14].
Below are some guidelines on handling data with a web browser (avoidance techniques):
Input text should never be interpreted as code (HTML tags, SQL requests, scripts, headers…).
For better security and performance, all inputs need to be validated first on the client side and then also on the server.
Store and process data using the safest mode.
Never connect to the database as root or owner. Always use customized users with only the necessary privileges.
Use SQL variables within the statements.
Verify that each input matches the expected data type (regular expressions can be used).
The browser security model should satisfy the assurance need: in the most recent browsers, scripts can interact only if
the two origins are the same, that is, if and only if all of the following match:
Protocol (http or https)
Domain (example.com)
Port number
Content from different domains can't interact directly.
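The origin comparison described above, written out as an added example (not code from the paper). The function names are assumptions, and the default-port table covers only http and https.

```python
from urllib.parse import urlsplit

# Ports a browser assumes when the URL does not state one.
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return the (protocol, domain, port) triple that is compared."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)

def same_origin(url_a, url_b):
    """True only when protocol, domain and port all match; paths are ignored."""
    return origin(url_a) == origin(url_b)

def explain(url_a, url_b):
    """Name the components that differ; an empty list means same origin."""
    labels = ("protocol", "domain", "port")
    pairs = zip(labels, origin(url_a), origin(url_b))
    return [label for label, a, b in pairs if a != b]

if __name__ == "__main__":
    base = "https://example.com/records"
    for other in ("https://example.com:443/login",
                  "http://example.com/records",
                  "https://app.example.com/records",
                  "https://example.com:8443/records"):
        print(other, same_origin(base, other), explain(base, other))
```

A subdomain counts as a different domain, and switching from http to https changes both the protocol and the implied port.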
1.1 Encoding and decoding:
Encoding is the process of putting a sequence of characters into a specialized format often by using an
encryption algorithm (such as MD5 and SHA1 hashes) for a secured transmission and storage. Decoding is the
opposite process and will be needed to convert an encoded format back into the original information.
For more security and to maintain the confidentiality, we implemented the encryption of passwords in the
database using the SHA1 encryption algorithm (Fig. 10).
Figure 10. Encoding and Decoding Processes
SHA-1 stands for Secure Hash Algorithm 1, which is a popular one-way cryptographic hash
algorithm. The hash value is 40 digits long and rendered as a hexadecimal number. SHA-1 is also frequently
used in environments where the need for data integrity is high. Even if you have access to the tables in the
database, you won't be able to view the passwords in clear text.
The users table looks like the following (Fig. 11):
Figure 11. Password encryption in the database
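How a stored SHA-1 password digest is produced and checked at login, next to a salted, slow derivation for comparison. This is an added example, not the paper's code: PBKDF2-HMAC-SHA256 is a technique swapped in here and is not the paper's method, and the record format, function names and iteration count are assumptions.

```python
import hashlib
import hmac
import os

def sha1_digest(password):
    """The scheme described in the paper: one unsalted SHA-1 pass (40 hex digits)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def verify_sha1(password, stored_hex):
    """A hash cannot be decoded; login recomputes it and compares."""
    return hmac.compare_digest(sha1_digest(password), stored_hex)

# Hardened alternative (not the paper's method): per-user salt plus a slow KDF.
ITERATIONS = 600_000  # assumed work factor; tune to the server's hardware

def pbkdf2_record(password, iterations=ITERATIONS):
    """Return 'iterations$salt_hex$hash_hex' for storage in the users table."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  salt, iterations)
    return f"{iterations}${salt.hex()}${derived.hex()}"

def verify_pbkdf2(password, record):
    """Re-derive with the stored salt and count; compare in constant time."""
    iterations, salt_hex, hash_hex = record.split("$")
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(derived.hex(), hash_hex)

if __name__ == "__main__":
    # Two users who pick the same sample password.
    print(sha1_digest("Test1") == sha1_digest("Test1"))      # identical rows
    print(pbkdf2_record("Test1") == pbkdf2_record("Test1"))  # distinct rows
```

With unsalted SHA-1, equal passwords give equal rows in the users table and each guess costs a single hash; the salted record differs per user and each guess costs the full iteration count.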
1.2 Availability & accessibility:
This is developed based on a simple user sign-up form with proper field validations using regular
expressions. After a successful login, the user keeps the logged-in status throughout the different pages in
the same session.
After registration, the user receives an email to activate his own account. He is registered only
after his confirmation. Besides that, and to ensure more privacy, it is possible to reset or update a password to
a new one, either by the user himself or by the administrator.
As the system is extensible, and for more security, the user's credentials and information can be stored
on a separate Active Directory server. Passwords can then be made more complex through the use of policy
algorithms.
From a security perspective, the user's form does the basic checks of the given type and length. More
important, however, is the setting of the token in the form itself and as a session variable. This ensures
that the form being posted is correctly identified and that it is in fact the genuine form and not a
foreign malicious one. In addition, it prevents multiple postings, so the database is not flooded by
somebody hitting the refresh button.
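One way to implement the form token described above, as an added example that is not the paper's code. A plain dict stands in for the server-side session, and the handler, field names and function names are hypothetical.

```python
import hmac
import secrets

def issue_form_token(session):
    """Create a fresh token, keep it in the session, return it for the form."""
    token = secrets.token_urlsafe(32)
    session["form_token"] = token
    return token

def accept_post(session, posted_token):
    """Accept a post only if it carries the session's token, and only once."""
    expected = session.get("form_token")
    if expected is None or not posted_token:
        return False  # no form was issued, or the post carries no token
    # Compare as bytes in constant time; also tolerates non-ASCII input.
    if not hmac.compare_digest(expected.encode("utf-8"),
                               posted_token.encode("utf-8")):
        return False  # the post did not come from the form we rendered
    del session["form_token"]  # single use: a refresh re-posts a spent token
    return True

def handle_signup(session, form, saved_rows):
    """Hypothetical handler: store the row only for a valid, first-time post."""
    if not accept_post(session, form.get("token")):
        return "rejected"
    saved_rows.append(form["username"])
    return "saved"

if __name__ == "__main__":
    session, rows = {}, []
    form = {"token": issue_form_token(session), "username": "alice"}
    print(handle_signup(session, form, rows))  # first post
    print(handle_signup(session, form, rows))  # refresh of the same post
    print(rows)
```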
The application availability is calculated based on the percentage of time the software is accessible and
available for use.
Availability % = (Uptime ÷ (Uptime + Downtime))*100.
1.3 Efficiency
The goal is to replace the informal methods we used in the past to design and develop applications with
precise software and security engineering. The ability to extend, customize and redesign the framework is an
enormous advantage. To develop an E-Health information system, multidisciplinary collaboration is
essential. A standard model can be used for general purposes but, depending on the use case, the system is extensible
and can be customized to fulfill the need.
Having a networked server platform can help health care professionals enormously
to measure and monitor daily progress. The application offers timely guidance for
reaching a satisfactory decision by evaluating the entered patient's information [15] [AJASR]. To ensure
high quality and reliability during the realization process, the developers, architects and testers should focus
constantly on the following:
Usability: The ability to make the information system's features friendlier and easier to use. At the same
time, the needs and requirements requested by specified users to achieve specified goals are guaranteed with
a high level of effectiveness, efficiency and satisfaction.
Maintainability: This defines how easy and rapid it is to restore the service to an operational status
following a failure, based on prescribed procedures.
Scalability: The capability of the application to continue functioning well even if it has been increased in
size or volume. The objective is to meet the user's needs and to handle a growing amount of work and tasks, or
even to increase its level of performance and efficiency.
Portability: The web program can be used on different operating systems and browsers without requiring
any major change or rework.
IV. Conclusion
The proposed approach to defending against attacks confirms the need to secure the developed health care
information system.
Security and privacy are implicit and shouldn’t be considered as additional negative costs.
An increased understanding of the nature of vulnerabilities, their manifestations, and the mechanisms
that can be used to eliminate and prevent them can be achieved when this will be considered from the beginning
of the conception and implementation.
Security reviews are generally executed at the end of the software development lifecycle, but in order to
obtain high-quality software, in this approach we focused on quality and testability from the beginning.
That way, product managers, business analysts, developers and testers must behave similarly in their roles.
Bugs can be statically discovered and require a fix in the source code, but flaws should be remedied
deeper, at the architecture level. Bugs are often easier to fix, but flaws may require significant engineering to
ensure that the design is fixed without causing other problems in the system.
Human, organization and technology are the essential components of Information Systems. Those three
evaluation factors can be evaluated throughout the whole system development life cycle namely planning,
analysis, design, implementation, operation and maintenance.” [16].
On this topic, there are a variety of methods we worked with in order to ensure the security of critical
systems:
Eliminating security flaws, bugs and defects causing vulnerabilities in systems
Identifying and proactively preventing intrusions from occurring
Preserving essential services when systems have been penetrated
Providing decision makers with the information required for defense strategy
In the worst case, thanks to the replication procedure, we will be able to recover in a very short time.
As the system holds sensitive data, restricted and limited entry is indispensable; it was ensured in
different layers:
Physical layer: enforced by restricting entry to the server itself (application and/or database). Operating
systems offer several access control techniques. In addition, the three-tier model presents a
useful structural approach.
Restricted access to the application: each user needs his own credentials to log in to the software,
usually a username and a password. The login request is sent to the database or Active Directory and, based
on the response, the system defines the permissions and the allowed actions.
In the web application, it is often required to use a secured communication protocol such as HTTPS/SSL
instead of HTTP.
There are several reasons for placing a high value on caring for the privacy, confidentiality and security of
a health information system. All 3 of the above conditions are fulfilled by the developed applications. This represents
a real milestone in the efficiency of the system.
References
[1] Abdelghani El Malhi, Adil Echchelh, Nesma Nekkal, Rassam Ahmed, Abdelrhani Mokhtari, Rachida Soulaymani Bencheikh, Abdelmajid Soulaymani, “Modeling of actions to take after a scorpion sting and developing a web based information system to track the different indicators systematically”, ESJ, April 2014.
[2] Rakesh Agrawal and Christopher Johnson, “Securing electronic health records without impeding the flow of information”, International Journal of Medical Informatics, Volume 76, Issues 5-6, Pages 471–479, May–June 2007.
[3] Riccardo Focardi and Roberto Gorrieri, “Foundations of Security Analysis and Design”, ISBN: 978-3-540-42896-1, Springer, 2001.
[4] Simon Rogerson, “The Chinook Helicopter Disaster”, ETHIcol in the IMIS Journal, Volume 12, No 2 (April 2002).
[5] Leveson, Nancy G.; Turner, Clark S., "An Investigation of the Therac-25 Accidents" (PDF), IEEE Computer 26 (7): 18–41 (July 1993).
[6] Statistics Results Page, National Vulnerability Database (NIST), last updated 1/19/2016, at https://web.nvd.nist.gov/view/vuln/statistics-results?adv_search=true&cves=on
[7] Ivan Victor Krsul, “Software Vulnerability Analysis”, a thesis submitted to the Faculty of Purdue University, May 1998.