A service-oriented approach for assessing infrastructure security

IFIP Advances in Information and Communication Technology

Volumn 253, Issue , 2008, Pages 367-379

  Masera, Marcelo ^a   Fovino, Igor Nai ^a  

^a JOINT RESEARCH CENTRE   (Italy)

Author keywords

Attacks; Security assessment; Services; Systemof systems; Threats; Vulnerabilities

Indexed keywords

INFORMATION SERVICES; INFORMATION USE; PUBLIC WORKS; SECURITY OF DATA; SYSTEM OF SYSTEMS; CRITICAL INFRASTRUCTURES; MOBILE SECURITY;

ATTACKS; SECURITY ASSESSMENT; SERVICES; THREATS; VULNERABILITIES;

CRITICAL INFRASTRUCTURES; SECURITY OF DATA;

EID: 84902313318     PISSN: 18684238     EISSN: None     Source Type: Book Series    
DOI: None     Document Type: Conference Paper

References (25)

1. C. Alberts and A. Dorofee, Managing Information Security Risks: The OCTAVE (SM) Approach, Addison-Wesley, Boston, Massachusetts, 2002.
2. O. Alhazmi, Y. Malaiya and I. Ray, Security vulnerabilities in software systems: A quantitative perspective, in Data and Applications Security XIX (LNCS 3654), S. Jajodia and D. Wijesekera (Eds.), Springer, Berlin- Heidelberg, Germany, pp. 281-294, 2005.
3. A. Avizienis, J. Laprie, B. Randell and C. Landwehr, Basic concepts and taxonomy of dependable and secure computing, IEEE Transactions on Dependable and Secure Computing, vol. 1(1), pp 11-33, 2004.
4. E. Bertino, D. Bruschi, S. Franzoni, I. Nai Fovino and S. Valtolina, Threat modeling for SQL servers, Proceedings of the Eighth IFIP TC-6 TC-11 Conference on Communications and Multimedia Security, pp. 189-201, 2004.
5. M. Bishop, Computer Security: Art and Science, Addison-Wesley, Boston, Massachusetts, 2003.
6. Citicus, Citicus ONE (www.citicus.com).
7. F. den Braber, T. Dimitrakos, B. Gran, M. Lund, K. Stolen and J. Aagedal, The CORAS methodology: Model-based risk management using UML and UP, in UML and the Unified Process, L. Favre (Ed.), IGI Publishing, Hershey, Pennsylvania, pp. 332-357, 2003.
8. G. Dondossola, J. Szanto, M. Masera and I. Nai Fovino, Evaluation of the effects of intentional threats to power substation control systems, Proceedings of the International Workshop on Complex Network and Infrastructure Protection, 2006.
9. Institute of Electrical and Electronics Engineers, IEEE Standard Glossary of Software Engineering Terminology (IEEE Standard 610.12-1990), Piscataway, New Jersey, 1990.
10. International Organization for Standardization, Code of Practice for Information Security Management (ISO/IEC 17799:2000), Geneva, Switzerland, 2000.
11. A. Jones and D. Ashenden, Risk Management for Computer Security: Protecting Your Network and Information Assets, Elsevier Butterworth- Heinemann, Oxford, United Kingdom, 2005.
12. M. Keeney, E. Kowalski, D. Cappelli, A. Moore, T. Shimeall and S. Rogers, Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors, Technical Report, U.S. Secret Service and CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania, 2005.
13. M. Masera, Interdependencies and security assessment: A dependability view, Proceedings of the IEEE International Conference on Systems, Man and Cybernetics, Taipei, 2006.
14. M. Masera and I. Nai Fovino, A framework for the security assessment of remote control applications of critical infrastructures, Proceedings of the Twenty-Ninth ESReDA Seminar, 2005.
15. M. Masera and I. Nai Fovino, Emergent disservices in interdependent systems and systems-of-systems, Proceedings of the IEEE International Conference on Systems, Man and Cybernetics, 2006.
16. M. Masera and I. Nai Fovino, Modeling information assets for security risk assessment in industrial settings, Proceedings of the Fifteenth EICAR Annual Conference, 2006.
17. M. Masera and I. Nai Fovino, Models for security assessment and management, Proceedings of the International Workshop on Complex Network and Infrastructure Protection, 2006.
18. M. Masera and I. Nai Fovino, Through the description of attacks: A multidimensional view, Proceedings of the Twenty-Fifth International Conference on Computer Safety, Reliability and Security, pp. 15-28, 2006.
19. J. McDermott, Attack net penetration testing, Proceedings of the New Security Paradigms Workshop, pp. 15-22, 2002.
20. Microsoft Corporation, Microsoft Security Assessment Tool (www.securityguidance.com).
21. B. Schneier, Attack trees: Modeling security threats, Dr. Dobb's Journal, December 1999.
22. SecurityFocus, Bugtraq vulnerability database (securityfocus.com).
23. J. Steffan and M. Schumacher, Collaborative attack modeling, Proceedings of the ACM Symposium on Applied Computing, pp. 253-259, 2002.
24. G. Stoneburner, A. Goguen and A. Feringa, Risk Management Guide for Information Technology Systems, Special Publication 800-30, National Institute of Standards and Technology, U.S. Department of Commerce, Gaithersburg, Maryland, 2002.
25. F. Swiderski and W. Snyder, Threat Modeling, Microsoft Press, Redmond, Washington, 2004.