Assessing and Mitigating Risks in Computer Systems
Doctoral thesis

Date
2008-09-26
Collections
- Department of Informatics [1013]
Abstract
When it comes to non-trivial networked computer systems, bulletproof security is very hard to achieve. Over a system's lifetime new security risks are likely to emerge from e.g. newly discovered classes of vulnerabilities or the arrival of new threat agents. Given the dynamic environment in which computer systems are deployed, continuous evaluations and adjustments are wiser than one-shot efforts for perfection. Security risk management focuses on assessing and treating security risks against computer systems. In this thesis, elements from risk management are applied to two real-world systems to identify, evaluate, and mitigate risks. One of the pinpointed weaknesses is studied in-depth to produce an exploit against the affected system. In addition, approaches to handle common software security problems are described.
Has parts
Paper I: IEEE Security & Privacy 6(4), Netland, L-H.; Espelid, Y.; Klingsheim, A. N.; Helleseth, H.; Henriksen, J. B., Open Wireless Networks on University Campuses, pp. 14-20. Copyright 2008 IEEE. Reproduced with permission. Published version. The published version is also available at: http://dx.doi.org/10.1109/MSP.2008.92
Paper II: Hole, K. H.; Klingsheim, A. N.; Netland, L-H.; Espelid, Y.; Tjøstheim, T.; Moen, V., 2008, Risk Assessment of Services in a National Security Infrastructure. Full text not available in BORA.
Paper III: Financial Cryptography and Data Security, Lecture Notes in Computer Science, 5143, Espelid, Y.; Netland, L-H.; Klingsheim, A. N.; Hole, K. H., A Proof of Concept Attack against Norwegian Internet Banking Systems. Copyright 2008 Springer. Full text not available in BORA due to publisher restrictions. The published version is available at: http://dx.doi.org/10.1007/978-3-540-85230-8_18
Paper IV: Proceedings of The IFIP TC 11 23rd International Information Security Conference 278, Espelid, Y.; Netland, L-H.; Klingsheim, A. N.; Hole, K. J., Robbing Banks with Their Own Software - an Exploit against Norwegian Online Banks. Copyright 2008 Springer. Full text not available in BORA due to publisher restrictions. The published version is available at: http://dx.doi.org/10.1007/978-0-387-09699-5_5
Paper V: Netland, L-H.; Espelid, Y.; Mughal, K. A., 2008, Security Pattern for Input Validation. Full text not available in BORA.
Paper VI: Espelid, Y.; Netland, L-H.; Mughal, K.; Hole, K. J., 2008, Simplifying Client-Server Application Development with Secure Reusable Components. Full text not available in BORA.
Paper VII: Second International Conference on Availability, Reliability and Security, Netland, L-H.; Espelid, Y.; Mughal, K. A., A Reflection-Based Framework for Content Validation, pp. 697-706. Copyright 2007 IEEE. Reproduced with permission. Published version. The published version is also available at: http://dx.doi.org/10.1109/ARES.2007.19
Publisher
The University of Bergen
Copyright
The author
Copyright the author. All rights reserved.